summaryrefslogtreecommitdiff
path: root/src (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Fix the error handling in X509V3_parse_list(3); it ignored failuresschwarze2024-12-231-6/+9
| | | | | | | | | | | | | of the internal subroutine X509V3_add_value(), which could result in silently losing part of the input data on memory exhaustion. I independently rediscovered this bug while writing the documentation, then noticed after fixing it that Zhou Qingyang <zhou1615 at umn dot edu> fixed it in essentially the same way in OpenSSL 3 (commit bcd5645b on Apr 11 02:05:19 2022 +0800), but it wasn't backported to the OpenSSL 1.1.1 branch. OK tb@
* new manual page X509V3_parse_list(3) written from scratchschwarze2024-12-232-1/+102
|
* Tweak previous wording a bit to avoid suggesting all built-in nidstb2024-12-231-2/+2
| | | | | | correspond to an extension method. ok schwarze
* more precision below CAVEATSschwarze2024-12-231-3/+5
|
* Make the description of i2s_ASN1_ENUMERATED_TABLE(3) more precise,schwarze2024-12-231-9/+12
| | | | | fix the name of its last parameter in the SYNOPSIS to match the DESCRIPTION, and let the .Dt argument match the file name.
* mark six #define'd constants as intentionally undocumentedschwarze2024-12-221-2/+7
|
* Add an EXAMPLES section.schwarze2024-12-211-2/+129
| | | | | | | | | | | | | | | | I admit this is unusually long for a manual page. But that's not my fault as a documentation author. An example in a manual page ought to be minimal to show what needs to be demonstrated, and this example is minimal in that sense. Making it shorter without loosing important aspects does not seem possible. When an API is poorly designed, one of the consequences is that that documentation becomes harder to understand and often longer - in this case to the point of becoming outright intimidating. If people dislike that, they should design better APIs in the first place rather than blasting the poor manual page for being too long or too complicated. OK tb@
* If EVP_CIPHER_CTX_ctrl(3) is called on EVP_chacha20_poly1305(3)schwarze2024-12-201-2/+2
| | | | | | | | | | | | | | | | | | | | | | | with an unsupported control command, return -1 rather than 0 to the caller to indicate the error because in general, these control hooks ought to return -1 for unsupported control commands and 0 for other errors, for example other invalid arguments. Not a big deal because this change does not change when operations succeed or fail, and because callers are unlikely to pass unsupported control commands in the first place. The only functional change is that if a calling program inspects the ERR(3) stack after this failure, it will now find the correct error code rather than nothing. Even that wasn't a huge problem because for most EVP_CIPHER control failures, getting no reason for the error is the usual situation. Then again, giving the reason when easily possible may occasionally be useful. OpenSSL also returns -1 in this case, so it also helps compatibility a tiny bit. Found while auditing the return values of all the EVP_CIPHER control hooks in our tree. This was the only fishy one i found. OK tb@
* mlkem regress: garbage collect two global variablestb2024-12-201-4/+1
|
* hidden mlkem.h: add comment to #endiftb2024-12-201-2/+2
|
* Annotate yet another greasy stinky tentacle of xcatb2024-12-201-1/+2
| | | | I'm so tired of this.
* Move the horrific EVP_aes_128_ccm(3) API out of the important,schwarze2024-12-204-75/+357
| | | | | | | | | | | | algorithm-independent EVP_EncryptInit(3) manual as another step in making the latter leaner and more palatable. As a side benefit, the new EVP_aes_128_ccm(3) manual page may provide a better fighting chance to programmers who see themselves forced to support CCM for whatever reason. It documents the mandatory, but so far undocumented EVP_CTRL_CCM_GET_TAG control command and makes the description of the three EVP_CTRL_CCM_SET_* control commands and the numerous related quirks more precise.
* Fix whitespace in Makefiletb2024-12-201-22/+22
|
* That works better with a Gtb2024-12-201-2/+2
|
* cant't -> can'ttb2024-12-2010-20/+20
| | | | (the mystery of spotting typos right after commit strikes again)
* Rework and fix the mlkem teststb2024-12-2016-997/+1824
| | | | | | | | | | | | | | | | | Make proper use of CBB and CBS. If a CBS ever owns data, you're holding it wrong. Ditch gross macros, sscanf, and globals. The use of fgets is annoying here, so replace it with getline, which be provided by portable if needed. Most importantly, make the tests actually signal failure rather than only printing an error. Fix the state machines in a few of them. Some tests didn't parse the .txt file at all. Others mostly did but didn't actually test what they were supposed to be testing. Such failures were hidden by the way the tests were written. This basically needed a complete revamp. It still isn't pretty and much of it could be deduplicated, but I only have so much time alotted on this blue planet.
* Do not install mlkem.h and bytestring.h into /usr/include/openssl for nowtb2024-12-191-3/+1
| | | | | | More work in mlkem is needed and this was premature. discussed with beck and jsing
* #ifdef out the inclusion of openssl/mlkem.h for nowtb2024-12-191-3/+4
| | | | discussed with beck and jsing
* Do not assume mlkem.h and bytestring.h are public in libcryptotb2024-12-194-14/+8
| | | | | | | As long as is not quite clear what we want to do about the public API aspect of MLKEM, keep things internal for now. discussed with beck and jsing
* mlkem regress: reach around into bytestring againtb2024-12-191-1/+2
|
* ec_mult: use 1ULL to avoid C4334 warning on Visual Studiotb2024-12-191-2/+2
| | | | | The shift is between 0 and 5 bits, so it doesn't matter, but VS is short for very st...ubborn as are its users when it comes to reporting non-issues
* received form the peer -> received from the peerjmc2024-12-191-3/+3
|
* mlkem: fix whitespacetb2024-12-182-4/+6
|
* kength -> lengthjsg2024-12-181-3/+3
|
* New manual page EVP_aes_128_gcm(3).schwarze2024-12-174-75/+260
| | | | | | | | | | | | The main benefit is moving the cumbersome and error-prone method of using EVP_EncryptInit(3) for AES-GCM out of the important, but obese manual page EVP_EncryptInit(3), and to create a logical place for pointing readers to the safer and more flexible EVP_AEAD_CTX_init(3). As a side benefit, document three control commands that were so far undocumented and make the description of three others more precise. Feedback and OK tb@.
* Avoid a reduce once that can cause Clang misoptomization.beck2024-12-172-22/+54
| | | | | | | | Some versions of Clang compile this to non-constant time code. The fix is adapted from boring. For full details see: https://boringssl-review.googlesource.com/c/boringssl/+/74447 ok tb@
* Close fp before exit since we clean up other stufftb2024-12-174-4/+8
| | | | From Kenjiro Nakayama
* Plug leak coming from debug leftovertb2024-12-172-4/+2
| | | | There's still CBS holding data in here. Yuck.
* Plug two memory leaks in MLKEM*_generate_key_external_entropy()tb2024-12-172-2/+6
| | | | | | | This needs more thinking. These are void functions that allocate... Left an XXX for now. From Kenjiro Nakayama
* mlkem: clean up top matter in headerstb2024-12-172-8/+14
|
* Simplify ec_point_to_octets()tb2024-12-161-8/+3
| | | | | | | | | | | This had an extra dance to allow a NULL output buffer. The plan was to use this in i2o_ECPublicKey() to preserve the behavior of avoiding an allocation if out == NULL. However, when I rewrote the latter I punted on preserving that complication, as it was already batshit crazy enough. Thus, remove said dance and make ec_point_to_octets() cleaner. ok jsing
* Stop reaching into libcrypto/bytestringtb2024-12-141-2/+1
|
* Normalize top of filestb2024-12-1415-109/+138
| | | | RCS marker, KNF for comment, fix and sort includes as usual.
* Add ML-KEM 1024 from BoringSSLbeck2024-12-1318-5/+6552
| | | | | | | | | | | | | | | Changes include conversion from C++, basic KNF, then adaptation to use our sha3 functions for sha3 and shake instead of the BorinSSL version. This Adds units tests to run against BoringSSL and NIST test vectors. The future public API is the same as Boring's - but is not yet exposed pending making bytestring.h public (which will happen separately) and a minor bump Currently this will just ensure we build and run regress. ok tb@ to get it into the tree and massage from there.
* KNF nit tb wanted me to fixbeck2024-12-131-2/+4
|
* Add ML-KEM 768 from BoringSSLbeck2024-12-1321-2/+6838
| | | | | | | | | | | | | | | Changes include conversion from C++, basic KNF, then adaptation to use our sha3 functions for sha3 and shake instead of the BorinSSL version. This Adds units tests to run against BoringSSL and NIST test vectors. The future public API is the same as Boring's - but is not yet exposed pending making bytesring.h public (which will happen separately) and a minor bump Currently this will just ensure we build and run regress. ok tb@ to get it into the tree and massage from there.
* Rewrite a comment to use p rather than qtb2024-12-121-10/+10
|
* Rename group->field to group->ptb2024-12-124-52/+46
| | | | | | Now that we only do curves over GF(p) fields, there's no need to use a weird, confusing name for what we usually call p. Adjust some comments in the vicinity as well.
* sm3: fix ugly whitespacetb2024-12-121-5/+5
|
* appeared in 4.3BSD before 4.3BSD-Tahoejsg2024-12-1111-33/+33
| | | | ok millert@ schwarze@
* ciphers: remove tls1 and tls1_1 leftoverstb2024-12-111-16/+2
| | | | | | The options were already removed from the manual in 91e7614a. From Renaud Allard (hand-applied since patch was mangled)
* Avoid an oob access in asn1_item_free()tb2024-12-111-4/+3
| | | | | | | | | | As explained in a comment, this needs to loop backwards and the last tt-- ends up pointing at &it->templates[-1], which isn't ok. Use a simple way of looping, which is also ugly and involves some type confusion as pointed out by claudio. However, type confusion is common in libcrypto's asn1 code and won't be fixed anytime soon anyway. ok jsing
* Drop a pair of useless parenthesestb2024-12-111-2/+2
|
* Improve a rather misleading sentence about EVP_PKEY_new_mac_key(3).schwarze2024-12-101-4/+8
| | | | | | | It does *not* "work in the same way" as EVP_PKEY_new_raw_private_key(3) but merely arrives at the same end result after doing lots of cumbersome and unnecessary work - and on top of that, it only works for EVP_PKEY_HMAC.
* Add a paragraph about HMAC because that algorithm also involvesschwarze2024-12-101-3/+15
| | | | | | | | parameters that can be controlled with EVP_PKEY_CTX_ctrl(3). But rather than providing a detailed despription, instead point to what application programs should use instead and explain why using the control constant directly would be a particularly bad idea in this case.
* Add regress coverage for tls_peer_cert_common_name()tb2024-12-102-0/+17
|
* Document tls_peer_cert_common_name()tb2024-12-101-2/+13
| | | | ok beck
* bump minor after symbol additiontb2024-12-101-1/+1
|
* expose tls_peer_cert_common_name()tb2024-12-101-0/+1
|
* Provide tls_peer_cert_common_name()tb2024-12-105-24/+105
| | | | | | | | | | | | | | | | There is currently no sane way of getting your hands on the common name or subject alternative name of the peer certificate from libtls. It is possible to extract it from the peer cert's PEM by hand, but that way lies madness. While the common name is close to being deprecated in the webpki, it is still the de facto standard to identify client certs. It would be nice to have a way to access the subject alternative names as well, but this is a lot more difficult to expose in a clean and sane C interface due to its multivaluedness. Initial diff from henning, with input from beck, jsing and myself henning and bluhm have plans of using this in syslogd. ok beck
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-27 19:35:37 +0000