summaryrefslogtreecommitdiff
path: root/src (follow)
Commit message (Collapse)AuthorAgeFilesLines
* simplify makefileanton2022-11-221-8/+2
|
* Be more helpful and provide details on what the time conversion testsanton2022-11-221-9/+6
| | | | | | need in order to run. Also, output the expected SKIPPED string as dictated by bsd.regress.mk.
* Tweak a printf.tb2022-11-221-3/+3
|
* Add a unit test that crashes without bn_print.c r1.34.tb2022-11-222-1/+95
|
* Fix segfaults in BN_dec2bn() and BN_hex2bn()tb2022-11-221-3/+3
| | | | | | | | | bn_print.c r1.29 added length checks to avoid overflowing the BIGNUM. If these checks are hit in length-only mode, i.e., bn is NULL, the error path dereferences bn. Change goto err to an early return to avoid this. ok jsing
* document BN_nist_mod_521(3) and their four siblingsschwarze2022-11-213-3/+118
|
* Fix a surprising quirk in BN_GF2m_mod(3).schwarze2022-11-202-16/+14
| | | | | | | | | | | | | | | | | | | | | | | | All other wrappers in the same file that use a temporary array of degrees size that array dynamically, such that they are able to handle reducing polynomials of arbitrary lengths. BN_GF2m_mod(3) was the only one that used a static array of size 6 instead, limiting it to trinomials and pentanomials and causing it to fail for longer reducing polynomials. Make this more uniform and less surprising by using exactly the same code as in all the other wrappers, such that BN_GF2m_mod(3) works with reducing polynomials of arbitrary length, too, just like the others. Again, tb@ points out this quirk is very unlikely to cause vulnerabilities in practice because cryptographic applications do not use longer reducing polynomials. This patch is not expected to significantly impact performance because the relevant caller, BN_GF2m_mod_div(3), already uses dynamic allocation via BN_GF2m_mod_mul(3). OK tb@
* Fix an off-by-one bug in BN_GF2m_poly2arr(3).schwarze2022-11-201-4/+3
| | | | | | | | | | | | | | | | | | | | | If the last argument, the size of the output array, is too small to contain all degrees present in the input polynomial plus one for the terminating -1, the function is documented to return the size of the output array that would be needed (in comments in the source code, in the new manual page, and by the way how the function is used by other functions in the same file). However, in case of overflow, the existing code failed to include the element needed for the terminating -1 in the return value, wrongly indicating success if everything but the -1 did fit and reporting failure with a size that was still too small otherwise. According to tb@, this is very unlikely to cause vulnerabilities in practical applications because there is no real reason to pick a reducing polynomial longer than a pentanomial, because all known callers use either fixed size arrays of size 6 or dynamic allocation, because use of GF(2^m) is rare in practice, and GF(2^m) with custom reducing polynomials even more so. OK tb@
* Fix comment describing BN_mod_sqrt()tb2022-11-191-7/+9
| | | | | It was placed and formatted weirdly. Fix the title of the book referenced and complete the reference's information.
* Rework pkey_dsa_sign() and pkey_dsa_verify()tb2022-11-191-21/+25
| | | | | | | | | | Since DSA_sign() and DSA_verify() ignore their type argument, don't bother to determine it here. Check all size_t for overflow before passing them as int arguments. Follow OpenSSL and add a check to see if the tbs blob's length matches the one of the md, in case it is set on the EVP_PKEY_CTX. Fix return value check of DSA_sign(). ok jsing
* Rework DSA_sign() and DSA_verify()tb2022-11-191-20/+31
| | | | | | | | | | | Change DSA_sign() to single exit and check the signed i2d_DSA_SIG() return value before assigning it to an unsigned int. In DSA_verify() let d2i_DSA_SIG() handle the allocation, split error check of i2d_DSA_SIG() from signature check and change an unnecessary freezero() to free. ok jsing
* Fix an annoying quirk in the EC codetb2022-11-1920-243/+243
| | | | | | Dealing with elliptic curves makes some people think that it would be kind of neat to multiply types with variable names. Sometimes. Only in function definitions.
* whitespacetb2022-11-1916-134/+134
|
* Fix whitespacetb2022-11-1911-63/+62
|
* Unindent and check some pointers explicitly against NULLtb2022-11-191-7/+9
|
* Remove HMAC PRIVATE KEY supporttb2022-11-191-64/+1
| | | | | | | | This is an undocumented feature of openssl genpkey for testing purposes. Emilia removed support for this 'bogus private key format' from OpenSSL in 2017 in commit c26f655fdd18ac19016c1c0496105f5256a1e84d. ok jsing
* Check os for NULL before dereferencing ittb2022-11-181-5/+5
| | | | | | Avoids a segfault when both priv == NULL and os == NULL. ok miod
* zap a stray semicolontb2022-11-181-2/+2
|
* Include bytestring.h directly rather than pulling it in via asn1_locl.htb2022-11-181-1/+2
|
* Wire up HMAC to raw private key methodstb2022-11-181-2/+61
| | | | | | | | | | | | | | | Obviously, the brilliant API design kitchen decided that an interface carrying public and private key in its name (so that every sane person thinks of asymmetric cryptography), is also perfectly suitable for MACs. Wire up HMAC since Ruby's OpenSSL gem uses these bindings if the build system detects that EVP_PKEY_new_raw_public_key() is available in evp.h. While there, also add the missing pub_cmp() ameth, which obviously treats two things as equal by returning 1. Reported by jeremy and anton, fixes regress/lib/libssl/openssl-ruby tests ok jsing
* Change the pkey.ptr from char * to void *tb2022-11-186-16/+13
| | | | | | | | Now that EVP_PKEY is opaque, there is no reason to keep the ptr member of the pkey union as a weird char pointer, a void pointer will do. This avoids a few stupid casts and simplifies an upcoming diff. ok jsing
* group -> fieldtb2022-11-181-5/+5
| | | | discussed with schwarze
* polynominal -> polynomialtb2022-11-181-18/+18
| | | | ok schwarze
* new manual page BN_GF2m_add(3)schwarze2022-11-183-3/+527
| | | | concerning arithmetic in Galois fields of power-of-2 order
* Avoid a few unnecessary contortionstb2022-11-171-35/+12
| | | | | Turns out that after ~40 years of practice I still can't do addition with carry correctly :S
* Use a fixed-size array for the message and simplify a few other curlytb2022-11-171-14/+16
| | | | things.
* Add initial Wycheproof EdDSA test coveragetb2022-11-171-1/+111
|
* Add a regression test for curve25519.c r1.14tb2022-11-171-2/+132
| | | | | | | | Generate random signatures of random messages and verify them. Then check that the signature modified by adding the edwards25519 group order to the upper half are rejected. This would not always be accepted without the check in curve25519.c r1.14, but often enough that a few iterations suffice to expose the missing check.
* Prevent Ed25519 signature malleabilitytb2022-11-171-1/+28
| | | | | | | | | | | | Add a check that ensures that the upper half s of an Ed25519 signature is bounded by the group order, i.e, 0 <= s < order. This is required by the Verify procedure in RFC 8032, section 5.1.7, step 1, and prevents simple modifications of signatures such as adding (a multiple of) the group order to the upper half of the signature. Found with EdDSA testcase 63 of project Wycheproof. ok beck jsing
* Revert "Check certificate extensions in trusted certificates"beck2022-11-173-64/+8
| | | | | | | | There are some possible strange side effects noticed by the openssl cms regress tests that I missed. Backing this out until I untangle it ok tb@
* tolower(3) guarantees to return its argument unchanged if it's notflorian2022-11-161-10/+3
| | | | | | | uppercase. While here use the correct idiom of casting to unsigned char. OK millert, farewell to ultrix deraadt
* mark BN_X931_derive_prime_ex, BN_X931_generate_prime_ex,schwarze2022-11-161-2/+8
| | | | | and BN_X931_generate_Xpq as intentionally undocumented because they are unused outside OpenSSL/LibreSSL and deprecated in OpenSSL 3.0
* expose the documentation of X509_STORE_CTX_verify_fn(3)schwarze2022-11-162-42/+26
| | | | | and X509_STORE_set_verify(3) and document X509_STORE_get_verify(3) which tb@ all provided with x509_vfy.h revisions 1.48 and 1.49
* document X509_STORE_CTX_verify_cb(3) and X509_STORE_get_verify_cb(3)schwarze2022-11-162-13/+40
| | | | which tb@ provided with x509_vfy.h revisions 1.48 and 1.49
* Mark BN_mod_exp2_mont() as intentionally undocumented.schwarze2022-11-161-3/+4
| | | | | | | | | | | It appears to be intended for internal use by DSA_do_verify(3) and using codesearch.debian.net, i found nothing outside OpenSSL/LibreSSL using it. In April 2018, jsing@ questioned whether the five related functions BN_mod_exp_mont() and friends should even be exposed by <openssl/bn.h>, so we decided to not document them. Now tb@ agrees that there is no reason to document BN_mod_exp2_mont() as long as we don't want to document BN_mod_exp_mont().
* Remove an outdated TODOtb2022-11-161-4/+1
|
* document BN_mod_sqrt(3)schwarze2022-11-154-5/+119
|
* document BN_kronecker(3)schwarze2022-11-143-3/+61
|
* document BN_reciprocal(3)schwarze2022-11-141-10/+55
|
* Hide public symbols in libcrypto/x509 .c filesbeck2022-11-1455-52/+2073
| | | | ok tb@
* Fix comment styletb2022-11-131-3/+3
|
* Various improvements; joint work with beck@:schwarze2022-11-131-64/+72
| | | | | | | | | | | 1. Explain up front what "ASN1_TIME" is (suggested by beck@, wording by me). 2. For opaque structs, use the generic term "object", like we already do it in many other LibreSSL manual pages. 3. Drop some redundant phrases. 4. Improve the EXAMPLES section (by beck@, with fixes by me). 6. Add a STANDARDS section. ...and some other minor polishing. OK beck@
* Check certificate extensions in trusted certificates.beck2022-11-133-8/+64
| | | | | | | | | | | | | | | | | | Historically the standards let the implementation decide to either check or ignore the certificate properties of trust anchors. You could either use them simply as a source of a public key which was trusted for everything, or you were also permitted to check the certificate properties and fully enforce them. Hooray for freedumb. OpenSSL changed to checking these with : commit 0daccd4dc1f1ac62181738a91714f35472e50f3c Author: Viktor Dukhovni <openssl-users@dukhovni.org> Date: Thu Jan 28 03:01:45 2016 -0500 BoringSSL currently does not check them, as it also inherited the previous OpenSSL behaviour. It will change to check them in the future. (https://bugs.chromium.org/p/boringssl/issues/detail?id=533)
* Bump libtls minor to match libcrypto and libssltb2022-11-131-1/+1
|
* Bump libssl minor to match libcryptotb2022-11-131-1/+1
|
* Bump minor after symbol additiontb2022-11-131-1/+1
|
* Update Symbols.listtb2022-11-131-0/+8
|
* Expose direct access API for Ed25519.tb2022-11-131-3/+1
|
* Expose various EVP hooks for Ed25519 and X25519tb2022-11-131-6/+3
| | | | | | | | This adds the EVP_PKEY_ED25519 and EVP_PKEY_X25519 aliases for the NIDs and exposes the raw public key API. The ED25519_KEYLEN and X25519_KEYLEN defines are still kept internal for now to match what OpenSSL have. We may want to expose those later.
* Add ED25519 aliases for NID, SN and OBJtb2022-11-131-3/+1
| | | | The Ed25519 versions already existed, but OpenSSL chose to uppercase the D.
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-25 03:46:44 +0000