| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
We already had some checks on both sides, but they were less precise
and differed between the functions. The code here is messy enough, so
any simplification is helpful...
ok beck jsing
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When decoding a public or a private key, use dsa_check_key() to ensure
consistency of the DSA parameters. We do not always have sufficient
information to do that, so this is not always possible.
This adds new checks and replaces incomplete existing ones. On decoding
the private key we will now only calculate the corresponding public key,
if the sizes are sensible. This avoids potentially expensive operations.
ok beck jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a cheap check that ensures basid parameter consistency per
FIPS 186-4: 1 < g < q, that q has the allowed bit sizes 160, 224, 256
and that p is neither too small nor too large. Unfortunately, enforcing
the three allowed sizes for p is not possible since the default dsa key
generation has not respected this limitation.
Instead of checking that p and q are prime, we only check that they
are odd. Check that public and private keys, if set, are in the proper
range. In particular, disallow zero values.
Various versions of these checks have been added to the dsa code
over time. This consolidates and extends them and in a subsequent
commit wewill replace the incomplete checks. BoringSSL has a similar
function of the same name, thanks to David Benjamin for pointing it
out.
ok beck jsing
|
| |
|
|
|
|
|
| |
This has been missing for a while already and will be used in a
few upcoming commits.
ok beck jsing
|
| |
|
|
|
| |
This is `unifdef -m -DOPENSSL_NO_EC_NISTP_64_GCC_128 -UECP_NISTZ256_ASM`
and some manual tidy up.
|
| |
|
|
|
|
|
|
| |
Rather than pretending that these "generic" variables are used for multiple
things, rename them to reflect their actual usage and use appropriate types
instead of void *.
ok tb@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If the BIO_write() in the ASN1_STATE_DATA_COPY state fails, incorrect
error handling will break out of the switch without changing the state,
and the infinite for loop will immediately try the same write again,
which is unlikely to succeed... Clearly this code intended to break out
of the loop instead.
Via OpenSSL 1.1 commit 723f616df81ea05f31407f7417f49eea89bb459a
ok millert
|
| |
|
|
|
|
|
| |
Before do_sign_init(), the ctx is always allocated by EVP_MD_CTX_new()
aka calloc(). There is no point in doing EVP_MD_CTX_init(), aka bzero().
ok jsing
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
BN_get_mem_data() returns a non-positive long on error, so assigning
it to a size_t and displaying that in error messages is incorrect.
|
| |
|
|
|
| |
The verbose evp test actually depends on the evptest binary. Use consistent
spacing and indentation.
|
| | |
|
| |
|
|
| |
the previous commit.
|
| |
|
|
|
| |
Make evptest silent by default: these pages of hexdumps are useless noise.
Add a verbose target for debugging.
|
| | |
|
| | |
|
| |
|
|
|
| |
Allows test to pass with the old version of the wycheproof-testvectors
package.
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
| |
There is no reason for this to call EVP_CIPHER_meth_new(), as the flags
will be copied a line later anyway. Simplify this.
Requested by jsing
|
| |
|
|
|
|
|
| |
OPENSSL_zalloc() -> calloc(), OPENSSL_free() -> free() and a few assorted
cosmetic tweaks to match our style better.
ok jsing
|
| |
|
|
|
|
|
| |
As usual, this will be guarded by LIBRESSL_INTERNAL || LIBRESSL_NEXT_API
until the next bump.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
This partially reverts jsing's OpenBSD commit b8185953, but without adding
back the error check that potentialy results in dumb leaks. No cleanup()
method in the wild returns anything but 1. Since that's the signature in
the EVP_CIPHER_meth_* API, we have no choice...
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
| |
Nothing interesting uses them. There's a Debian SSH-1 module and
corresponding ncrack bits. That's not reason enough to have this
garbage.
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This reinstates the original license on this file. Don't bother bumping
the copyright year. Nothing interesting has happened in here since the
initial commit.
(There was one interesting commit though: "Don't care openssl_zmalloc()",
which is interesting due to the lack of care, not because it's copyright
worthy)
ok jsing
|
| |
|
|
|
|
|
|
|
|
| |
This is the file as of OpenSSL 1.1.1 commit 82dfb986. Call the file
cipher_method_lib.c since the short names in this directory are hard
enough to read. This is a first step towards providing the poorly
named EVP_CIPHER_meth_* API which is needed by some projects because
of EVP_CIPHER opacity.
ok jsing
|
| |
|
|
|
|
|
|
| |
Rename BN_from_montgomery_word() to bn_montgomery_reduce() and rewrite it
to be simpler and clearer, moving further towards constant time in the
process. Clean up BN_from_montgomery() in the process.
ok tb@
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
freeing; ok tb@
|
| |
|
|
|
|
| |
macOS aarch64 assembly dialect treats ; as comment instead of a newline
ok tb@, jsing@
|
| |
|
|
|
|
|
| |
By introducing X509_get0_uids(), one can add RPKI profile compliance
checks to conform the absence of the issuerUID and subjectUID.
OK tb@ jsing@
|
| |
|
|
|
|
|
| |
Remedy a case of twitching eyes caused by seeing "Doing ... rsa's for 10s".
If this breaks someone's script, so be it.
ok jsing sthen
|
| |
|
|
| |
ok miod
|
| |
|
|
|
|
|
|
| |
Here we need .rdata with some alignment goo. Fortunately, this was already
present for .pdata and .xdata, so the change is easy. Also, this is a code
path that doesn't affect OpenBSD at all.
ok jsing miod
|
| |
|
|
| |
Requested by tb@
|
| |
|
|
|
|
|
|
| |
Now that bn_sub() handles word arrays with potentially different lengths,
we no longer need bn_sub_part_words() - call bn_sub() instead. This allows
us to entirely remove the unnecessarily complex bn_sub_part_words() code.
ok tb@
|
| |
|
|
|
|
|
|
| |
Rather than working on BIGNUMs, change bn_add()/bn_sub() to operate on word
arrays that potentially differ in length. This matches the behaviour of
s2n-bignum's bignum_add() and bignum_sub().
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenSSL commit 4d524040bc8 changed BN_MONT_CTX_set() so that it computed
a 64 bit N^-1 on both BN_BITS2 == 32 and BN_BITS2 == 64 platforms. However,
the way in which this was done was to duplicate half the code and wrap it
in #ifdef.
Rewrite this code to use a single code path on all platforms, with #ifdef
being limited to setting an additional word in the temporary N and storing
the result on BN_BITS2 == 32 platforms. Also remove stack based BIGNUM in
favour of using the already present BN_CTX.
ok tb@
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
| |
It does not make sense to use code that is slower, currently broken and
prevents the use of assembly Montgomery implementations.
This is the result of `unifdef -m -DMONT_WORD`, followed by some manual
clean up and the removal of the Ni bignum from BN_MONT_CTX (which was only
used in the non-MONT_WORD case).
ok miod@ tb@
|
| | |
|
| |
|
|
|
|
|
|
| |
Rewrite and simplify BN_MONT_CTX_set_locked - in particular, only hold the
lock for a short period of time, rather than holding a write lock for a
module across an expensive operation.
ok tb@
|
