Commit log, path: root/src
Columns: commit message (author, age, files changed, lines -/+)
* tweak previous: "functions returns" -> "functions return" (schwarze, 9 days ago, 1 file, -4/+4)
    and add a missing Oxford comma

* Let this compile on m88k. (miod, 10 days ago, 1 file, -1/+3)

* Use BN_ULONG in probable_prime_dh() (tb, 10 days ago, 1 file, -2/+2)
    This was the last user of BN_LONG in code. It had no reason to do so.
    BN_mod_word() returns a BN_ULONG and since the largest prime in the small
    primes table primes[] is well below 20000, the only return value that could
    cause 'mod' to be negative was the error sentinel (BN_ULONG)-1.

    ok jsing kenjiro

* Use more specific types for BN. (jsing, 11 days ago, 1 file, -27/+29)
    Be specific about width and use uint64_t/uint32_t, rather than using
    unsigned int/long/long long, based on platform. Additionally use UINT64_C()
    and UINT32_C() for constants, along with PRI*64/PRI*32 for formatting.

    This makes the platform responsible for providing the correct types/defines -
    all we then need to do is determine if BN should use a 32 bit or 64 bit
    configuration.

    With input from and ok tb@

* Avoid the use of _LP64 in libcrypto regress. (jsing, 11 days ago, 1 file, -2/+2)
    What the tests actually care about is the size of a BN_ULONG, hence
    condition on BN_BYTES instead.

    Discussed with tb@

* In nref_nos() don't leak the ASN1_INTEGER if the push fails (tb, 12 days ago, 1 file, -2/+4)
    (A much bigger problem here is a double free for which I will send out
    a diff shortly)

    From Niels Dossche

* x509_cpols: pass correct free function to sk_ASN1_INTEGER_free() (tb, 12 days ago, 1 file, -2/+2)
    from Niels Dossche

* x509_cpols: indent labels to make diffs more readable (tb, 12 days ago, 1 file, -8/+8)

* Plug memory leak in CMS_EncryptedData_encrypt() (tb, 12 days ago, 1 file, -2/+4)
    If CMS_EncryptedData_set1_key() fails, cms is leaked.

    From Niels Dossche

* ec_curve: Remove outdated credits (tb, 14 days ago, 1 file, -4/+1)

* Needs <sys/param.h> for hppa. (miod, 2025-10-31, 1 file, -3/+3)

* des_key: add missing hyphen in semi-weak keys (tb, 2025-10-27, 1 file, -2/+2)
    From Thorsten Blum

* This test takes *days* to complete on older platforms, reduce the loop count for them. (miod, 2025-10-26, 1 file, -2/+8)

* Simplify tls13_server_hello_build() (tb, 2025-10-25, 1 file, -5/+5)
    There's no need to pass in the hrr parameter as it is redundant with the
    tls13.hrr flag. This avoids boolean blindness in the caller and removes
    a leftover from before we had tls13.hrr.

    ok jsing kenjiro

* Add missing Nm line for SSL_SESSION_dup (tb, 2025-10-24, 1 file, -2/+3)

* Add some regress coverage for SSL_SESSION_dup() (tb, 2025-10-24, 1 file, -2/+22)
    ok kenjiro

* The ssl_verify_param.c test can now link dynamically against libcrypto (tb, 2025-10-24, 1 file, -3/+1)

* Use X509_VERIFY_PARAM_get_hostflags() prototype from x509_vfy.h (tb, 2025-10-24, 1 file, -3/+2)

* bump lib{crypto,ssl,tls} minors after symbol addition (tb, 2025-10-24, 3 files, -3/+3)

* Document SSL_SESSION_dup(3) (tb, 2025-10-24, 1 file, -3/+20)
    ok kenjiro

* Provide SSL_SESSION_dup() (tb, 2025-10-24, 4 files, -3/+13)
    As reported by ajacoutot and sthen, an update to net/neon is blocked on
    that missing symbol.

    ok kenjiro

* Document X509_VERIFY_PARAM_set_hostflags(3) (tb, 2025-10-24, 1 file, -2/+15)
    ok kenjiro

* Expose X509_VERIFY_PARAM_get_hostflags() (tb, 2025-10-24, 4 files, -4/+7)
    This is needed by Python 3.14, extending the urllib3 nonsense further.
    This is a trivial getter and it is exercised by the libssl unit test I
    added for urllib3 (which can now use dynamic linking for libcrypto).

    Fixes https://github.com/libressl/portable/issues/1202

    Thanks to @orbea for the report.

    ok kenjiro

    PS: X509_VERIFY_PARAM_get_flags() and X509_VERIFY_PARAM_get_peername()
    aren't const correct. Fixing this will require some doing...

* Implement ffsl() and ffsll() using the compiler builtin __builtin_ctzl (claudio, 2025-10-24, 4 files, -11/+66)
    now that all archs use at least gcc4. ffsl() and ffsll() are now part of
    POSIX.

    OK deraadt@, input from miod@ and jsg@

* libssl: const correct the ssl_session_dup() helper (tb, 2025-10-24, 2 files, -5/+5)
    This allows a const correct SSL_SESSION_dup() implementation at the cost
    of casting away const due to the const incorrect CRYPTO_dup_ex_data()...
    (I should look into fixing that, but things like rust-openssl make that
    hard at this point in the release cycle.)

    ok kenjiro (as part of a larger diff)

* Prepare for gcc 3 leaving the building, COMPILER_VERSION can no longer get set to "gcc3". (miod, 2025-10-23, 1 file, -4/+4)

* Revert r1.286 now that all supported platforms have __builtin_clz. (miod, 2025-10-23, 1 file, -20/+1)

* Give this test a chance to pass on 32-bit platforms. (miod, 2025-10-20, 1 file, -1/+2)

* Ensure that we specify the correct group when creating a HelloRetryRequest. (jsing, 2025-10-16, 2 files, -9/+4)
    When processing the client supported groups and key shares extensions, the
    group selection is currently based on client preference. However, when
    building a HRR the preferred group is identified by calling
    tls1_get_supported_group(). If SSL_OP_CIPHER_SERVER_PREFERENCE is enabled,
    group selection will be based on server instead of client preference. This
    in turn can result in the server sending a HRR for a group that the client
    has already provided a key share for, violating the RFC.

    Avoid this issue by storing the client preferred group when processing the
    key share extension, then using this group when creating the HRR.

    Thanks to dzwdz for identifying and reporting the issue.

    ok beck@ tb@
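The following is an added example, not code from LibreSSL or this commit. It models the server-side group selection described above in plain Python: key shares are processed in client preference order, the pre-fix behaviour recomputes the HelloRetryRequest group with the server-preference flag applied, and the fix remembers the group chosen during key share processing. Names such as `negotiate`, `hrr_group_buggy` and `hrr_group_fixed` are hypothetical; the policy of retrying for the most preferred mutual group (rather than accepting a less preferred share) is one valid server policy, not a claim about libssl's exact logic.

```python
"""Model of TLS 1.3 group selection for HelloRetryRequest (HRR).

Added example, not LibreSSL code. Per RFC 8446 section 4.1.4 a server must
not send an HRR asking for a group the client already provided a key share
for. The bug described in the commit arises when the HRR group is chosen
with a different preference order than the key-share decision.
"""
from dataclasses import dataclass

@dataclass
class ClientHello:
    supported_groups: list   # client preference order (supported_groups ext)
    key_shares: list         # groups the client sent a KeyShareEntry for

@dataclass
class ServerConfig:
    supported_groups: list   # server preference order
    server_preference: bool  # analogue of SSL_OP_CIPHER_SERVER_PREFERENCE

def mutual_groups(ch, cfg, server_preference):
    """Mutually supported groups, ordered by server or client preference."""
    if server_preference:
        return [g for g in cfg.supported_groups if g in ch.supported_groups]
    return [g for g in ch.supported_groups if g in cfg.supported_groups]

def hrr_group_buggy(ch, cfg, stored_group):
    """Pre-fix model: recompute the HRR group honouring server preference,
    ignoring the group selected while processing key shares."""
    candidates = mutual_groups(ch, cfg, cfg.server_preference)
    return candidates[0] if candidates else None

def hrr_group_fixed(ch, cfg, stored_group):
    """Post-fix model: reuse the group stored during key-share processing."""
    return stored_group

def negotiate(ch, cfg, hrr_group=hrr_group_fixed):
    """Return (message, group): 'server_hello' when a usable key share exists,
    'hello_retry_request' otherwise, or 'handshake_failure'."""
    # Key-share processing is client-preference based, as the commit says.
    client_pref = mutual_groups(ch, cfg, server_preference=False)
    if not client_pref:
        return ("handshake_failure", None)
    chosen = client_pref[0]
    if chosen in ch.key_shares:
        return ("server_hello", chosen)
    # No share for the chosen group: ask the client to retry.
    return ("hello_retry_request", hrr_group(ch, cfg, chosen))

def violates_rfc(ch, message, group):
    """True if an HRR names a group the client already sent a share for."""
    return message == "hello_retry_request" and group in ch.key_shares

# Constructed scenario that triggers the reported bug: the client prefers
# secp384r1 but only sent a share for x25519; the server prefers x25519 and
# has server preference enabled.
CLIENT = ClientHello(supported_groups=["secp384r1", "x25519"],
                     key_shares=["x25519"])
SERVER = ServerConfig(supported_groups=["x25519", "secp384r1"],
                      server_preference=True)

def demo():
    """Compare the buggy and fixed HRR group choice on the scenario above."""
    buggy = negotiate(CLIENT, SERVER, hrr_group_buggy)
    fixed = negotiate(CLIENT, SERVER, hrr_group_fixed)
    return {
        "buggy": buggy, "buggy_violates": violates_rfc(CLIENT, *buggy),
        "fixed": fixed, "fixed_violates": violates_rfc(CLIENT, *fixed),
    }

if __name__ == "__main__":
    print(demo())
```

With server preference disabled both variants agree, which is why the problem only surfaces under SSL_OP_CIPHER_SERVER_PREFERENCE.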
* use strtonum() instead of atoi(), and error out for bad numbers (deraadt, 2025-10-11, 1 file, -2/+7)
    This generates a host-order number, so the ntohs() for getservbyport() was
    wrong, that should always have been htons(). The transform is the same,
    but misleading.

    ok tb

* const correct X509_VERIFY_PARAM_get_hostflags() (tb, 2025-10-10, 2 files, -4/+4)
    This is currently an internal helper only used by a regress test. We'll
    have to expose it in the public API for Python 3.14:

    https://github.com/libressl/portable/issues/1202

* Remove unused sequence member from x509_revoked_st (tb, 2025-10-10, 2 files, -11/+2)
    To allow binary search for looking up if a cert was revoked in a CRL, the
    list of revoked serial numbers is sorted in crl_lookup(). On the other hand,
    to be able to output the DER that was actually signed by the issuer, the
    original order needs to be remembered. Before the encoding was cached, there
    was a mechanism that would restore the original order on serialization using
    the .sequence member. This was done without a lock and was thus racy
    (hilarity would ensue if one thread performed a CRL lookup while another
    thread serialized the same CRL).

    When the racy mechanism was removed in 2004, the only reader of .sequence,
    X509_REVOKED_seq_cmp(), was also removed, and this piece of dead code was
    left behind. Garbage collect it.

    ok kenjiro

* Revert previous. Let's deal with it when the portable release is out. (tb, 2025-10-07, 1 file, -7/+3)

* test framework: allow overriding the "/tmp/" directory (tb, 2025-10-07, 1 file, -3/+7)
    Windows is super picky when it comes to paths, so it needs some special
    massaging. Will let us avoid a patch or hack in portable.

* cms: fix incorrect length check in kek_unwrap_key() (tb, 2025-09-30, 1 file, -2/+2)
    An incorrect length check can result in a 4-byte overwrite and an 8-byte
    overread.

    From Stanislav Fort and Viktor Dukhovni via OpenSSL. CVE-2025-9230.

    ok jsing

* cms_RecipientInfo_pwri_crypt: fix incorrect return check (tb, 2025-09-30, 1 file, -3/+3)
    ok jsing

* cms_RecipientInfo_pwri_crypt: plug leak of kekalg (tb, 2025-09-30, 1 file, -3/+3)
    ok jsing

* libcrypto: rsa gen: min. distance between p and q (jan, 2025-09-29, 1 file, -3/+19)
    This is required in NIST Special Publication 800-56B Revision 2
    "Recommendation for Pair-Wise Key Establishment Using Integer
    Factorization Cryptography":

      6 RSA Key Pairs
      6.2 Criteria for RSA Key Pairs for Key Establishment
      6.2.1 Definition of a Key Pair
      3. The prime factors p and q shall be generated using one of the
         methods specified in Appendix B.3 of FIPS 186 such that:
         c. |p - q| > 2^(nBits/2 - 100)

    ok djm@, tb@
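To make the criterion concrete, here is an added example (not LibreSSL's rsa_gen code) that generates two probable primes of nBits/2 bits each with a textbook Miller-Rabin test and rejects q until |p - q| > 2^(nBits/2 - 100) holds. Function names such as `pq_distance_ok` and `gen_rsa_primes` are hypothetical. The example also sets the top two bits of each candidate so that p*q has exactly nBits bits; that is a separate FIPS 186 sizing requirement, not part of the commit above. Nothing here is constant-time; it is an illustration of the check, not key-generation code to deploy.

```python
"""Added example: RSA prime generation with the SP 800-56B |p - q| check.

Not LibreSSL code. Pure-Python Miller-Rabin, intended only to show where
the |p - q| > 2^(nBits/2 - 100) criterion fits into prime generation.
"""
import secrets

# Small primes for cheap trial division before Miller-Rabin.
SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test with random bases."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for sp in SMALL_PRIMES:
        if n == sp:
            return True
        if n % sp == 0:
            return False
    # Write n - 1 = d * 2^r with d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)        # base in [2, n - 2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                        # a is a witness: composite
    return True

def gen_prime(bits):
    """Random probable prime with the top two bits and the low bit set.

    Top two bits set guarantees the candidate is >= 3 * 2^(bits-2), which is
    above sqrt(2) * 2^(bits-1), so a product of two such primes has exactly
    2*bits bits.
    """
    while True:
        cand = secrets.randbits(bits) | (0b11 << (bits - 2)) | 1
        if is_probable_prime(cand):
            return cand

def pq_distance_ok(p, q, nbits):
    """SP 800-56B Rev. 2, 6.2.1 item 3c: |p - q| > 2^(nBits/2 - 100)."""
    return abs(p - q) > (1 << (nbits // 2 - 100))

def gen_rsa_primes(nbits):
    """Generate (p, q) for an nBits modulus, regenerating q until the
    minimum-distance criterion holds."""
    half = nbits // 2
    p = gen_prime(half)
    while True:
        q = gen_prime(half)
        if q != p and pq_distance_ok(p, q, nbits):
            return p, q

if __name__ == "__main__":
    p, q = gen_rsa_primes(1024)
    print((p * q).bit_length(), pq_distance_ok(p, q, 1024))
```

In practice the rejection almost never fires for random primes of this size; the check guards against a broken or biased RNG producing p and q close enough for Fermat factorisation, which is why the standard mandates it rather than relying on probability.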
* Bump libressl version to 4.2.0 (tb, 2025-09-28, 1 file, -3/+3)
    The version check will break the rust-openssl regress unless you have
    rust-openssl-tests-20250927p0.

* Revert NULL,0 -> OPENSSL_FILE,OPENSSL_LINE from r1.78 (tb, 2025-09-28, 1 file, -9/+9)
    This wasn't part of the initial proposal and causes issues in curl
    downstream. We could pile more hacks on top of this, but at some point this
    is getting too silly. Relatedly, most of the FOOerr() could be removed,
    although PEMerr(), RSAerr() and SSLerr() are used by some downstreams and
    probably not worth patching out.

    Discussed with @vszakats in
    https://github.com/libressl/portable/issues/1154

* ec_asn1_test: add an example using BLS12-377 (tb, 2025-09-17, 1 file, -1/+80)
    This exercises the cofactor guessing code with a large cofactor.
    Thanks to Daniel Bleichenbacher for pointing out this example.

    This contains a hack to use a bogus OID since this curve has none.

* wycheproof: provide PBKDF2 test harness (tb, 2025-09-16, 1 file, -2/+58)
    Skip the tests for now since they increase the test's runtime by ~50%.
    A later commit will gate these tests behind REGRESS_SKIP_SLOW.

* mlkem_generate_key_external_entropy: normalize sizeof() use (tb, 2025-09-16, 1 file, -2/+2)

* Simplify MLKEM_{private,public}_key_new() (tb, 2025-09-16, 1 file, -19/+7)
    This removes two unnecessary variables in each of these functions,
    normalizes the sizeof() use and undoes unnecessary line wraps.

    ok deraadt djm kenjiro

* wycheproof: run HMACSM3 tests against libcrypto (tb, 2025-09-15, 1 file, -4/+7)

* aes: move explicit_bzero() after NULL check (tb, 2025-09-15, 1 file, -5/+7)
    CID 621601 621602

    ok djm jsg jsing miod

* MLKEM_private_key_new: add missing space before = (tb, 2025-09-15, 1 file, -2/+2)

* wycheproof: run ML-KEM test vectors against libcrypto (tb, 2025-09-14, 1 file, -2/+139)

* mlkem_public_to_private: fix overread/information leak (tb, 2025-09-14, 1 file, -3/+3)
    After the guts of MLKEM_public_key were changed from a union to a struct,
    the aligner grew the struct, leaking as many bytes of private key data as
    the struct grew (on normal platforms that would be 2).

    Ideally this would all be a bit more robust.

    CID 621603 621604

    ok jsing kenjiro

* wycheproof: zap stray empty line (tb, 2025-09-09, 1 file, -2/+1)