summaryrefslogtreecommitdiff
path: root/src (follow)
Commit message (Collapse)AuthorAgeFilesLines
* sync CA certificates from newer mozilla list, ok tb@HEADmastersthen11 days1-339/+1
| | | | | | | | | | | | | | | | | | | https://raw.githubusercontent.com/mozilla-firefox/firefox/refs/heads/release/security/nss/lib/ckfw/builtins/certdata.txt SHA256 (certdata.txt) = 579f336ace2e5717b8ecc06002ce0cce96f70623d188e1999c34b0f77696d3e9 Removals: - /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root - /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services - /O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048) - /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA - /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority - /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority - /C=US/OU=www.xrampsecurity.com/O=XRamp Security Services Inc/CN=XRamp Global Certification Authority Addition: + /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA 2
* Speed up bn_{mod,sqr}_mul_words() for specific inputs.jsing12 days1-3/+25
| | | | | | | | Use bn_{mul,sqr}_comba{4,6,8}() and bn_montgomery_reduce_words() for specific input sizes. This is significantly faster than using bn_montgomery_multiply_words(). ok tb@
* Provide bn_sqr_comba6().jsing12 days2-2/+48
| | | | | | This allows for fast squaring of a 6 word array. ok tb@
* Provide bn_mul_comba6().jsing12 days2-2/+63
| | | | | | This allows for fast multiplication of two 6 word arrays. ok tb@
* Mark the inputs to bn_mul_comba{4,8}() as const.jsing12 days3-9/+9
| | | | | | | This makes it consistent with bn_sqr_comba{4,8}() and simplifies an upcoming change. ok tb@
* Sort NAME, RETURN VALUES, ERRORS, and STANDARDS in the same order as SYNOPSIS.schwarze13 days1-16/+16
| | | | | Sort HISTORY chronologically. No text change.
* link illumos oclo test to the treetb14 days1-2/+2
|
* Implement the POSIX-2024 close-on-fork flag, but modified to beguenther14 days2-9/+10
| | | | | | | | | | | | reset on exec as preserving it across exec is not necessary for its original purpose and has security and usability concerns. Many thanks to Ricardo Branco (rbranco (at) suse.de) who did an independent implementation, caught that /dev/fd/* needed to be handled, and provided a port of the illumos test suite. Thanks to tb@ for assistance with that. ok deraadt@
* replace the flockfile backend with a per FILE recursive mutex.dlg14 days1-1/+7
| | | | | | | | | | | | | | | the flockfile implementation in thread/rthread_file.c used an external lock, and associated it with the relevant FILE * as needed. this isn't great for a lot of reasons, complexity being the big one, but the straw that broke the camels back is that it uses a single spinlock to coordinate all of this, which in turn generates a lot of sched_yield syscalls. this avoids all the code complexity and the spinlock by just embedding a small __rctmx in every FILE. tested by and ok tb@ jca@ ok claudio@
* Implement constant time EC scalar multiplication.jsing2025-08-031-16/+103
| | | | | | | | | | | | Replace simplistic non-constant time scalar multiplication with a constant time version. This is actually faster since we compute multiples of the point, then double four times and add once. The multiple to add is selected conditionally, ensuring that the access patterns remain the same regardless of value. Inspired by Go's scalar multiplication code. ok tb@
* Remove duplicate computation for b3.jsing2025-08-031-5/+1
|
* Add prototype for EC_GFp_homogeneous_projective_method().jsing2025-08-031-1/+2
|
* Avoid signed overflow in BN_MONT_CTX_set()tb2025-08-031-2/+3
| | | | | | | | ri is an int, so the check relied on signed overflow (UB). It's not really reachable, but shrug. reported by smatch via jsg ok beck jsing kenjiro
* Avoid signed overflow in BN_mul()tb2025-08-031-3/+4
| | | | | Reported by smatch via jsg. ok beck jsing kenjiro
* Provide benchmarks for EC arithmetic.jsing2025-08-032-1/+212
| | | | | This provides benchmarking for EC_POINT_add(), EC_POINT_dbl() and EC_POINT_mul()'s scalar * generator path.
* Provide bn_mod_sqr_words() and call it from ec_field_element_sqr().jsing2025-08-023-4/+20
| | | | | For now this still calls bn_montgomery_multiply_words(), however it can be optimised further in the future.
* Copy EC_FIELD_MODULUS/EC_FIELD_ELEMENTs when copying groups and points.jsing2025-08-021-1/+9
| | | | ok tb@
* Provide constant time conditional selection between EC_FIELD_ELEMENTs.jsing2025-08-022-2/+17
| | | | | | | | Provide a ec_field_element_select() function that allows for constant time conditional selection between two EC_FIELD_ELEMENTs. This will become a building block for constant time point multiplication. ok tb@
* Provide harness to run illumos's oclo tests from libc regresstb2025-08-023-0/+32
| | | | | | | This depends on the illumos-os-tests port I just imported and can be linked to the build once guenther lands the close-on-fork diff. Adapted from an initial diff by Ricardo Branco
* hash_test: remove variable name from prototype and fix a casttb2025-08-021-3/+3
|
* Rework PKCS7_simple_smimecap()tb2025-07-312-27/+36
| | | | | | | | | This is nearly identical to CMS_add_simple_smimecap(). We can reuse its doc comment mutatis mutandis and use the same construction. Maybe this wants deduplicating. Maybe not. ok kenjiro
* Rework PKCS7_add1_attrib_digest()tb2025-07-311-12/+18
| | | | | | | | | | | There's nothing really wrong here (at least when compared to the rest of this file an hour or so ago), but we can make this look somewhat more like code. That there's no bug here is not really related to the fact that it's an add1 function, not an add0 one. In fact, it's kind of surprising that the author had an uncharacteristic moment of lucidity and remembered to free the last argument passed to PKCS7_add_signed_attribute() on failure. ok kenjiro
* Rewrite PKCS7_get_smimecap() to use d2i_X509_ALGORS()tb2025-07-311-6/+9
| | | | | | | | | Since we finally found a use for i2d_X509_ALGORS(), make use of its sibling here. This avoids some ridiculous contortions in not quite peak muppet code (obviously this was a first test run for the grand finale in CMS). ok kenjiro
* Plug leaks due to misuse of PKCS7_add_signed_attribute()tb2025-07-312-26/+52
| | | | | | | | | | | | | | | | | | | | | set0/add0 functions that can fail are the worst. Without fail this trips up both users and authors (by and large these are two identical groups consisting of a single person), resulting in leaks and double frees. In today's episode of spelunking in the gruesome gore provided by the PKCS#7 and Time-Stamp protocol "implementations", we fix a couple of leaks in PKCS7_add_attrib_smimecap() and ESS_add_signing_cert(). We do so by recalling that there is i2d_X509_ALGORS(), so we might as well put it to use instead of inlining it poorly (aka, without error checking). Normalize said error checking and ensure ownership is handled correctly in the usual single-exit idiom. ESS_add_signing_cert() can also make use of proper i2d handling, so it's simpler and correct and in the end looks pretty much the same as PKCS7_add_attrib_smimecap(). ok kenjiro
* curve25519.c: zap trailing whitespace introduced in previoustb2025-07-291-2/+2
|
* PKCS7_add0_attrib_signing_time: tweak commenttb2025-07-281-2/+2
|
* Below STANDARDS, reference the two most relevant sections of RFC 5652.schwarze2025-07-271-1/+5
| | | | | | | | Given that RFC 5652 does not override the earlier (and simpler) standards but instead strives to remain compatible, referencing both the original and the latest versions seems helpful. OK tb@
* openssl certhash: add digest param to certhash_directoryjoshua2025-07-271-13/+9
| | | | | | | This will allow us to call certhash_directory with other digests as required to implement the openssl rehash command, which uses SHA1 or MD5. ok jsing tb
* Remove DES_UNROLL from opensslconf.h.jsing2025-07-2713-156/+0
| | | | | | This is no longer used in the DES code. ok tb@
* Rework DES encryption/decryption loops.jsing2025-07-272-124/+31
| | | | | | | | | Use a slightly unrolled loop, which gets us half way between DES_UNROLL and no DES_UNROLL. While we're not terribly concerned by DES performance, this gets us a small gain on aarch64 and a small loss on arm. But above all, we end up with simpler code. ok tb@
* Inline cms_add1_signingTime() in its only consumertb2025-07-271-31/+9
| | | | | | Why have seven lines if you can have 30... tweak/ok kenjiro
* Update PKCS7_add0_attrib_signing_time() docstb2025-07-271-3/+3
| | | | | | | Document the change of behavor from pk7_attr.c r1.17: the time is now validated to be in correct RFC 5280 time format. ok kenjiro
* Fix PKCS7_add0_attrib_signing_time()tb2025-07-271-5/+24
| | | | | | | | | | If the caller passes in NULL, helpfully a new ASN1_TIME is allocated with X509_gmtime_adj() and leaked if PKCS7_add0_attrib_signing_time() fails afterward. Fix this. Also don't blindly set the signing time to a UTCTime. Validate the usual RFC 5280 format before setting it, as that's what RFC 5652, section 11.3 mandates. ok kenjiro
* Fix incorrect ownership handling in add_attribute()tb2025-07-271-34/+42
| | | | | | | | | | | | | | | | | | | | | | | | | | | This little gem has a number of issues. On failure, the caller can't know whether ownership of value was taken or not, so to avoid a double free, the only option is to leak value on failure. As X509_ATTRIBUTE_create() takes ownership on success, this call must be the last one that can fail. This way ownership is only taken on success. Next, if X509_ATTRIBUTE_create() fails in the case that the input stack already contains an attribute of type nid, that attr is freed and the caller freeing the stack with pop_free() will double free. So, rework this in a few ways. Make this transactional, so we don't fail with a modified *in_sk, so work with a local sk as usual. Then walk the stack and see if we have an attribute with the appropriate nid already. If not, make sure there's room to place the new attribute. Create the new attribute, free the old attribute if necessary and replace it with the new one. Finally assign the local sk to *in_sk and return success. On error unwind all we did. The behavior now matches OpenSSL 3's new behavior, except that we don't leave an empty stack around on error. ok kenjiro
* Retire interop tests with OpenSSL 3.3 and 3.4tb2025-07-259-141/+11
|
* Remove BN_LLONG defines/undefs from opensslconf.h.jsing2025-07-2313-65/+0
| | | | | | | These have been ineffective since r1.19 of bn.h, when BN_LLONG/BN_ULLONG defines/undefs were added based on _LP64. ok tb@
* regress/libcrypto/x509/bettertls: switch to eopenssl35tb2025-07-231-4/+4
|
* regress/libcrypto/ec: switch to openssl35tb2025-07-231-4/+4
|
* ec_asn1_test: fix includestb2025-07-231-1/+5
|
* ectest: fix includestb2025-07-231-6/+3
|
* c2sp: unhook openssl 3.3 and 3.4tb2025-07-231-2/+2
|
* Remove unused function pointer from struct aead_aes_gcm_ctx.jsing2025-07-221-2/+1
|
* Remove remaining block128_f casts from EVP AES.jsing2025-07-222-5/+8
| | | | Use aes_encrypt_block128() instead of AES_encrypt(), avoiding risky casts.
* Remove crypto_cpu_caps_ia32()jsing2025-07-226-30/+6
| | | | | | There are no more consumers of crypto_cpu_caps_ia32(), so remove it. ok bcook@ joshua@ tb@
* Move AES-NI for ECB out of EVP.jsing2025-07-226-87/+58
| | | | | | | | | | Make aes_ecb_encrypt_internal() replaceable and provide machine dependent versions for amd64 and i386, which dispatch to AES-NI if appropriate. Remove the AES-NI specific EVP methods for ECB. This removes the last of the machine dependent code from EVP AES. ok bcook@ joshua@ tb@
* Move AES-NI from EVP to AES for CCM mode.jsing2025-07-217-112/+145
| | | | | | | | | | | | | | | | | The mode implementation for CCM has two variants - one takes the block function, while the other takes a "ccm64" function. The latter is expected to handle the lower 64 bits of the IV/counter but only for 16 byte blocks. The AES-NI implementation for CCM currently uses the second variant. Provide aes_ccm64_encrypt_internal() as a function that can be replaced on a machine dependent basis, along with an aes_ccm64_encrypt_generic() function that provides the default implementation and can be used as a fallback. Wire up the AES-NI version for amd64 and i386, change EVP's aes_ccm_cipher() to use CRYPTO_ctr128_{en,de}crypt_ccm64() with aes_ccm64_encrypt_internal()) and remove the various AES-NI specific EVP_CIPHER methods for CCM. ok tb@
* Zero stack based IV and buffer when aes_ctr32_encrypt_generic() completes.jsing2025-07-201-1/+4
| | | | ok tb@
* Rename the file PEM_X509_INFO_read.3 to PEM_X509_INFO_read_bio.3schwarze2025-07-172-5/+5
| | | | | because PEM_X509_INFO_read(3) no longer exists. Requested by tb@.
* avoid undefined behavior when shifting into sign bitkenjiro2025-07-171-116/+127
| | | | | | | | | | | | | | | | | | Shifting a signed int64_t into the sign bit is undefined behavior in C. /dev/portable/crypto/curve25519/curve25519.c:3900:18: runtime error: left shift of negative value -222076011 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /dev/portable To avoid this, import int64_lshift21() from BoringSSL, a helper function that casts the input to uint64_t before shifting and back to int64_t afterward. This ensures defined behavior when shifting left by 21 bits, avoiding undefined behavior in expressions like `carry << 21`. This change addresses potential runtime issues detected by sanitizers when shifting signed values with high bits set. ok tb beck
* Remove BIO_s_log() prototype, pointed out by schwarzetb2025-07-161-14/+13
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-17 19:00:52 +0000