path: root/src

Commit message | Author | Age | Files | Lines (deleted/added)
* Convert D_, R_ macro indices to enums in speed.c
  kenjiro | 11 days | 1 file | -49/+59 lines
  Replaced many `#define` based index constants with enums by adding ALGOR_NUM, DSA_NUM, RSA_NUM, and EC_NUM to the enum definitions. This makes it easier to add or remove new entries. ok tb@
* speed: remove unused counters and dead parameters
  kenjiro | 11 days | 1 file | -92/+77 lines
  In the speed implementation, a number of unused variables and parameters (save_count, c[][], rsa_c, dsa_c, ecdsa_c, ecdh_c, and the num argument of print_message()/pkey_print_message()) were still left behind. These values are no longer referenced and cannot affect the time-based benchmark logic, so remove them. Functional behaviour of speed remains unchanged. ok tb@
* Do not crash when calling freeaddrinfo(NULL)
  jca | 2025-12-08 | 2 files | -5/+13 lines
  Supported by Linux since at least 1997, and FreeBSD since 2017. While not defined, there's no real good reason to crash when we could just cope. Indeed, software out there relies on the Linux behavior. Point out in the manpage that the behavior of getaddrinfo(NULL) isn't defined and thus isn't portable. Edge case spotted recently by kn@ in OpenVPN. ok millert@ djm@ deraadt@ kn@
* ec_asn1_test: change a comma to a full stop
  tb | 2025-12-07 | 1 file | -2/+2 lines
* asn1complex: use ASN1_STRING_get0_data() instead of ASN1_STRING_data()
  tb | 2025-12-07 | 1 file | -4/+4 lines
* Remove last internal use of ASN1_STRING_data()
  tb | 2025-12-07 | 1 file | -13/+19 lines
  PKCS5_pbe_set0_algor() is no longer public, but its parameters are provided directly via public API, namely the wonderful PKCS8_encrypt() and PKCS12_pack_p7encdata(). Muppetry abounds. To wit:

  If saltlen < 0, the call to ASN1_STRING_set(pbe->salt, NULL, saltlen) would error. Let's do that up front in a more obvious way. We don't care about side-effects to pbe->salt since we free it on error anyway.

  If saltlen == 0, we default it to PKCS5_PBE1_SALT_LEN. This is particularly funky in case the caller passed in salt != NULL, in which case we can only hope and pray this buffer is long enough.

  If the caller passed a salt, copy it to pbe->salt via ASN1_STRING_set(). If there's no salt, allocate a buffer of the appropriate length, fill it with random and transfer ownership to pbe->salt via ASN1_STRING_set0(). There's a change of behavior in that this will not be NUL-terminated (why should it be?). If we wanted to preserve behavior, we'd just use calloc(1, saltlen + 1) instead of the malloc().

  The exit path is quite special, too, but I didn't want to change this right now.

  tweaks/ok kenjiro
* sort the "va" keyword to be in alpha order, some programs use bsearch
  phessler | 2025-12-06 | 1 file | -2/+2 lines
  noticed by deraadt@
* allow network programs to select DSCP_VA for network ToS
  phessler | 2025-12-05 | 1 file | -1/+2 lines
  OK stsp@
* check_complete: remove the BN_*FMT1 macros as well
  tb | 2025-12-05 | 1 file | -4/+1 lines
* libcrypto: remove BN_{DEC,HEX}_FMT1
  tb | 2025-12-05 | 1 file | -5/+1 lines
  It appears that these were only ever used in bn_test.c...
* check_complete: adjust for BN_ macro removal
  tb | 2025-12-05 | 1 file | -5/+2 lines
  pointed out by kenjiro
* Replace trivial uses of ASN1_STRING_data()
  tb | 2025-12-05 | 5 files | -13/+13 lines
  Almost entirely mechanical diff that ensures that for read-only accesses we use the const correct ASN1_STRING_get0_data(). Arguably, in most places the better fix would be to reach into ASN1_STRING but then we have to think and bikeshed... ok beck kenjiro
* libcrypto: make most of the BN_* macro pollution internal
  tb | 2025-12-05 | 5 files | -31/+29 lines
  This is a first sweep of reducing the number of terribly named macros in bn.h. More can go away. Those we need internally go to bn_local.h. Annoyingly bn_internal.h uses some of them, so it includes bn_local.h now. This can be cleaned up later. ok jsing kenjiro
* bn_word.c: include bn_local.h in preparation for an upcoming change
  tb | 2025-12-05 | 1 file | -1/+3 lines
* Make the openssh test pass after adding mlkem.
  beck | 2025-12-04 | 1 file | -8/+9 lines
  This has a magic value looking for what happens when we HRR, more or less assuming it might never change. It now has. Commenting it out gets us by it, unsure if we should change this or get rid of it. ok tb@
* Hook up X25519MLKEM768 to the TLS 1.3 handshake
  beck | 2025-12-04 | 6 files | -66/+433 lines
  This does the following:
  1) Adds a second key share prediction to the TLS 1.3 handshake. We only add one as we are unlikely to want to send more than one PQ one, and one classical one, and are unlikely to waste bytes on a second PQ algorithm (anything that wants something else that we support can HRR to get it).
  2) Adds X25519MLKEM768 (4588) to our list of supported groups. We add this to our preferred client and server key shares for TLS 1.3 and we now have a separate list for TLS 1.2 which does not do this, cleaning up the old "full list" from the comments.
  3) Updates the golden magic numbers in the regression tests to allow for the above two things changing the handshake, so the regress tests pass.
  With this you can successfully hybrid PQ with servers and clients that support it. ok tb@ kenjiro@
* Add a MLKEM768_X25519 hybrid key share.
  beck | 2025-12-04 | 8 files | -31/+353 lines
  This implements the currently in use MLKEM768_X25519 hybrid key share as outlined in https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/ This commit does not yet wire this up to anything; that is done in follow-on changes. ok tb@ jsing@ kenjiro@
* Clean up confusing logic in CMS_EncryptedData_encrypt()
  tb | 2025-11-28 | 1 file | -15/+20 lines
  This makes it easier to read and more in line with other code in libcrypto. Also add a missing error check for the CMS_set_detached() call. ok jsing kenjiro
* Fix double free in certificate policies configuration
  tb | 2025-11-28 | 1 file | -12/+7 lines
  In nref_nos(), nnums must not be freed on error because in the caller it is not->noticeref->noticenos and hangs off the POLICYQUALINFO qual which is freed as part of POLICYQUALINFO_free() in the error path. ok jsing kenjiro
* openssl cms: switch to ASN1_STRING_get0_data()
  tb | 2025-11-27 | 1 file | -3/+3 lines
  The deprecated ASN1_STRING_data() will be removed in a future release. This is one small step towards that. ok kenjiro
* openssl pkcs12: stop reaching into ASN1_STRING
  tb | 2025-11-27 | 1 file | -18/+17 lines
  Buy a t: rename hex_prin() to hex_print() and accept an ASN1_STRING so that we only need to use accessors once. Also avoid a printf %s NULL. ok kenjiro
* openssl ca: mechanical change to stop reaching into ASN1_STRING
  tb | 2025-11-27 | 1 file | -21/+26 lines
  ok kenjiro
* openssl asn1pars: don't reach into ASN1_STRING
  tb | 2025-11-27 | 1 file | -4/+4 lines
  ok kenjiro
* libcrypto: add header guards to *_local.h
  tb | 2025-11-26 | 9 files | -9/+54 lines
  An upcoming change requires the inclusion of asn1_local.h in x509_local.h which doesn't work due to missing header guards. Add guards to all local headers that don't have them, although reacharounds and multiple inclusions are unlikely to occur for most of those. ok jsing
* openssl ts: simplify create_nonce()
  tb | 2025-11-21 | 1 file | -17/+7 lines
  Just your average dumb TS code. Instead of handrolling a random ASN.1 integer generator, we can use BN_rand() and convert the resulting bn to an ASN1_INTEGER. All this then also works without reaching into ASN1_STRING. ok kenjiro
* Correct the MLKEM hybrid objects values.
  beck | 2025-11-19 | 2 files | -8/+5 lines
  The IETF has had a bunch of back and forth over what will happen here. In the end the previously mentioned draft will not include the TLS hybrids, so we change this to reference the correct draft for TLS, and use the same name everyone else is using, without an OID. While we will probably end up needing the *other* hybrids for things like CMS, we will bring them in when we need them and have official OID values from IANA. ok tb@
* sync cert.pem with updated Mozilla list; ok tb@
  sthen | 2025-11-17 | 1 file | -1/+237 lines
  changes are:
  +OISTE Foundation
  + /C=CH/O=OISTE Foundation/CN=OISTE Server Root ECC G1
  + /C=CH/O=OISTE Foundation/CN=OISTE Server Root RSA G1
   SwissSign AG
    /C=CH/O=SwissSign AG/CN=SwissSign Gold CA - G2
  + /C=CH/O=SwissSign AG/CN=SwissSign RSA TLS Root CA 2022 - 1
   TrustAsia Technologies, Inc.
    /C=CN/O=TrustAsia Technologies, Inc./CN=TrustAsia Global Root CA G3
    /C=CN/O=TrustAsia Technologies, Inc./CN=TrustAsia Global Root CA G4
  + /C=CN/O=TrustAsia Technologies, Inc./CN=TrustAsia TLS ECC Root CA
  + /C=CN/O=TrustAsia Technologies, Inc./CN=TrustAsia TLS RSA Root CA
* bn_test: avoid last use of BN_HEX_FMT1 in libressl
  tb | 2025-11-15 | 1 file | -2/+4 lines
* bn_test: remove dead code
  tb | 2025-11-15 | 1 file | -12/+1 lines
  We haven't defined SIXTY_FOUR_BITS in a long time, if ever. The last #undef SIXTY_FOUR_BITS were removed when we cleaned up opensslconf.h. Code behind #ifdef SIXTY_FOUR_BITS is therefore dead.
* the structure produced has alignment, which contained uninitialized data.
  deraadt | 2025-11-13 | 1 file | -30/+57 lines
  This is obviously fixed by using calloc(), but it was also observed that the precalculated storage requirement was higher than what is actually filled. So all the math has been rewritten to be byte accurate. Temporarily, a syslog_r check is added to report if we ever get count inconsistency again so that can be fixed quickly. ok claudio
* bn_prime.c: fix includes
  tb | 2025-11-08 | 1 file | -3/+4 lines
* move the sentence about X509_VERIFY_PARAM_get_hostflags(3)
  schwarze | 2025-11-07 | 1 file | -6/+7 lines
  to the right section and mention the value returned if X509_VERIFY_PARAM_set_hostflags(3) was never called; OK tb@ kenjiro@
* Use 64 bit BN_ULONG on 64 bit Windows platforms.
  jsing | 2025-11-07 | 1 file | -2/+2 lines
  64 bit Windows is a special LLP snowflake and it is currently incorrectly using 32 bit BN_ULONG, since _LP64 is not defined. Enable 64 bit BN_ULONG if _LP64 or _WIN64 is defined. ok tb@
* tweak previous: "functions returns" -> "functions return"
  schwarze | 2025-11-06 | 1 file | -4/+4 lines
  and add a missing Oxford comma
* Let this compile on m88k.
  miod | 2025-11-06 | 1 file | -1/+3 lines
* Use BN_ULONG in probable_prime_dh()
  tb | 2025-11-06 | 1 file | -2/+2 lines
  This was the last user of BN_LONG in code. It had no reason to do so. BN_mod_word() returns a BN_ULONG and since the largest prime in the small primes table primes[] is well below 20000, the only return value that could cause 'mod' to be negative was the error sentinel (BN_ULONG)-1. ok jsing kenjiro
* Use more specific types for BN.
  jsing | 2025-11-05 | 1 file | -27/+29 lines
  Be specific about width and use uint64_t/uint32_t, rather than using unsigned int/long/long long, based on platform. Additionally use UINT64_C() and UINT32_C() for constants, along with PRI*64/PRI*32 for formatting. This makes the platform responsible for providing the correct types/defines - all we then need to do is determine if BN should use a 32 bit or 64 bit configuration. With input from and ok tb@
* Avoid the use of _LP64 in libcrypto regress.
  jsing | 2025-11-05 | 1 file | -2/+2 lines
  What the tests actually care about is the size of a BN_ULONG, hence condition on BN_BYTES instead. Discussed with tb@
* In nref_nos() don't leak the ASN1_INTEGER if the push fails
  tb | 2025-11-03 | 1 file | -2/+4 lines
  (A much bigger problem here is a double free for which I will send out a diff shortly) From Niels Dossche
* x509_cpols: pass correct free function to sk_ASN1_INTEGER_free()
  tb | 2025-11-03 | 1 file | -2/+2 lines
  from Niels Dossche
* x509_cpols: indent labels to make diffs more readable
  tb | 2025-11-03 | 1 file | -8/+8 lines
* Plug memory leak in CMS_EncryptedData_encrypt()
  tb | 2025-11-03 | 1 file | -2/+4 lines
  If CMS_EncryptedData_set1_key() fails, cms is leaked. From Niels Dossche
* ec_curve: Remove outdated credits
  tb | 2025-11-02 | 1 file | -4/+1 lines
* Needs <sys/param.h> for hppa.
  miod | 2025-10-31 | 1 file | -3/+3 lines
* des_key: add missing hyphen in semi-weak keys
  tb | 2025-10-27 | 1 file | -2/+2 lines
  From Thorsten Blum
* This test takes *days* to complete on older platforms, reduce the loop count
  miod | 2025-10-26 | 1 file | -2/+8 lines
  for them.
* Simplify tls13_server_hello_build()
  tb | 2025-10-25 | 1 file | -5/+5 lines
  There's no need to pass in the hrr parameter as it is redundant with the tls13.hrr flag. This avoids boolean blindness in the caller and removes a leftover from before we had tls13.hrr. ok jsing kenjiro
* Add missing Nm line for SSL_SESSION_dup
  tb | 2025-10-24 | 1 file | -2/+3 lines
* Add some regress coverage for SSL_SESSION_dup()
  tb | 2025-10-24 | 1 file | -2/+22 lines
  ok kenjiro
* The ssl_verify_param.c test can now link dynamically against libcrypto
  tb | 2025-10-24 | 1 file | -3/+1 lines