summaryrefslogtreecommitdiff
path: root/src (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* openssl speed: clean up time_fjoshua2025-05-251-79/+76
| | | | | | | | | Rename Time_F to time_f and tidy up implementation and usage. time_f still uses app_timer_{user,real}, which I will clean up in a future commit. ok jsing
* Provide bn_mod_{add,sub,mul}_words().jsing2025-05-254-5/+94
| | | | | | | These implement constant time modular addition, subtraction and multiplication in the Montegomery domain. ok tb@
* openssl speed: remove whirlpooljoshua2025-05-252-41/+12
| | | | | | | | whirlpool was previously removed from libcrypto, and OPENSSL_NO_WHIRLPOOL will always be defined. Remove whirlpool support from the openssl speed command entirely. ok jsing tb
* Fix previous.jsing2025-05-253-72/+6
|
* Provide additional variants of bn_add_words()/bn_sub_words().jsing2025-05-253-6/+190
| | | | | | | | | | | | | | | | Move bn_add_words() and bn_sub_words() from bn_add.c to bn_add_sub.c. These have effectively been replaced in the previous rewrites. Remove the asserts - if bad lengths are passed the results will be incorrect and things will fail (these should use size_t instead of int, but that is a problem for another day). Provide bn_sub_words_borrow(), which computes a subtraction but only returns the resulting borrow. Provide bn_add_words_masked() and bn_sub_words_masked(), which perform an masked addition or subtraction. These can also be used to implement constant time addition and subtraction, especially for reduction. ok beck@ tb@
* Fix handling of different length inputs in bn_sub().jsing2025-05-251-3/+3
| | | | | | | | | In the diff_len < 0 case, it incorrectly uses 0 - b[0], which mishandles the borrow - fix this by using bn_subw_subw(). Do the same in the diff_len > 0 case for consistency. Note that this is never currently reached since BN_usub() requires a >= b. ok beck@ tb@
* Add tests for the functions in <stdio_ext.h>.yasuoka2025-05-257-2/+455
|
* Include "stdio" in SUBDIR. This should have been done along with theyasuoka2025-05-251-4/+4
| | | | previous commit.
* Create bm->buf from the start to avoid arithmetic on NULLtb2025-05-241-1/+7
| | | | | | | | | This is a different way of avoiding the pointer arithmetic on NULL and avoids test breakage in pyca/cryptography. This is also a gross hack that penalizes existing callers of BIO_s_mem(), but this is rarely called in a hot loop and if so that will most likely be a test. ok kenjiro joshua jsing
* Revert "bio_mem: avoid pointer arithmetic on NULL"tb2025-05-241-4/+2
| | | | This causes a test failure in pyca/cryptography.
* openssl pkcs8: zap an outdated lietb2025-05-241-4/+1
|
* explain more precisely how to initialize malloc_options;schwarze2025-05-241-4/+12
| | | | OK deraadt@
* Add regress/lib/libc/stdio/test_fflush.c to test fflush() behavior foryasuoka2025-05-242-0/+236
| | | | | | reading FILE objects. It will fail until fflush() complies POSIX-2008. ok tb asou
* openssl speed: remove MAX_BLOCK_SIZE definejoshua2025-05-241-8/+2
| | | | ok jsing
* Provide method specific functions for EC POINT infinity.jsing2025-05-243-10/+27
| | | | | | | | Provide method specific functions for EC_POINT_set_to_infinity() and EC_POINT_is_at_infinity(). These are not always the same thing and will depend on the coordinate system in use. ok beck@ tb@
* openssl speed: move key{16,24,32} above speed_mainjoshua2025-05-241-33/+25
| | | | | | Also, reuse the same keys for Camellia instead of having duplicates. ok jsing tb
* Mop up ghash arm assembly remnants.jsing2025-05-241-18/+1
|
* Provide openssl_init_crypto_constructor() and invoke via a constructor.jsing2025-05-241-3/+14
| | | | | | | | | | | | | | There are a very large number of entry points to libcrypto, which means it is easy to run code prior to OPENSSL_init_crypto() being invoked. This means that CPU capability detection will not have been run, leading to poor choices with regards to the use of accelerated implementations. Now that our CPU capability detection code has been cleaned up and is safe, provide an openssl_init_crypto_constructor() that runs CPU capability detection and invoke it as a library constructor. This should only be used to invoke code that does not do memory allocation or trigger signals. ok tb@
* Remove remnants of OPENSSL_cpuid_setup().jsing2025-05-243-20/+10
| | | | This is no longer used.
* Disable libcrypto assembly on arm.jsing2025-05-245-257/+2
| | | | | | | | | | | | | | | | | The arm CPU capability detection is uses SIGILL and is unsafe to call from some contexts. Furthermore, this is only useful to detect NEON support, which is then unused on OpenBSD due to __STRICT_ALIGNMENT. Requiring a minimum of ARMv7+VFP+NEON is also not unreasonable. The SHA-1, SHA-256 and SHA-512 (non-NEON) C code performs within ~5% of the assembly, as does RSA when using the C based Montgomery multiplication. The C versions of AES and GHASH code are around ~40-50% of the assembly, howeer if you care about performance you really want to use Chacha20Poly1305 on this platform. This will enable further clean up to proceed. ok joshua@ kinjiro@ tb@
* Adapt to new maloc_options declarationotto2025-05-241-2/+2
|
* Adapt test to new malloc_options regimeotto2025-05-241-7/+8
|
* Update and improve documentation for pkcs8 -v2tb2025-05-241-12/+8
| | | | with input from jsing
* Crank default salt length of PBE2 to 16 octetstb2025-05-242-4/+13
| | | | | | | | | | FIPS is currently revising their PBKDF2 recommendations and apparently they want to require 16 octets. https://github.com/pyca/cryptography/issues/12949 https://github.com/libressl/portable/issues/1168 ok kenjiro joshua jsing
* Switch the default PBMAC to hmacWithSHA256tb2025-05-241-2/+2
| | | | | | | | | | Using hmacWithSHA1 isn't outrageously bad, but newly generated encrypted password files ought to be using something better. Make it so. https://github.com/pyca/cryptography/issues/12949 https://github.com/libressl/portable/issues/1168 ok joshua
* Switch default to PBES2 for openssl pkcs8 -topk8tb2025-05-241-3/+3
| | | | | | | | | | | | | | | | | | | | We currently use the glorious default of NID_pbeWithMD5AndDES_CBC which we inherited from OpenSSL. This could have been worse - there is also NID_pbeWithMD2AndDES_CBC... The way this diff works is that the undocumented PKCS8_encrypt() API uses the PKCS#5v2 code path when it's passed a NID of -1 and requires a cipher to succeed, otherwise it uses the PKCS#5v1.5 path. So pass in a sensible cipher, namely AES-CBC-256, and let layers of muppetry cascade to doing something resembling the right thing. This still uses the default of hmacWithSHA1 and a somewhat short salt, which will be improved in a subsequent commit. https://github.com/pyca/cryptography/issues/12949 https://github.com/libressl/portable/issues/1168 ok kenjiro joshua jsing
* openssl speed: use single md buffer for digestsjoshua2025-05-241-31/+10
| | | | ok jsing tb
* Add the ability to run individual ruby ssl test for figuring outbeck2025-05-231-1/+16
| | | | | | what is going on when these break ok tb@
* When commons were deprecated, noone noticed that malloc_options in staticderaadt2025-05-232-7/+10
| | | | | | | | binaries had become unlinkable. Change the libc definition to weak to solve that, and to "const char * const" so that noone will try to set it late. It must be stable before the first malloc() call, which could be before main()... discussion with otto, kettenis, tedu
* Do a clean up pass over the GCM code.jsing2025-05-221-92/+86
| | | | | | | | Rework some logic, add explicit numerical checks, move assignment out of variable declaration and use post-increment/post-decrement unless there is a specific reason to do pre-increment. ok kenjiro@ tb@
* Use timingsafe_memcmp() in CRYPTO_gcm128_finish().jsing2025-05-221-2/+2
| | | | | | When checking the GCM tag, use timingsafe_memcmp() instead of memcmp(). ok tb@
* Simplify SSL_alert_desc_stringtb2025-05-221-67/+2
| | | | | | | | | | SSL_alert_desc_string() is only used by our good old friends M2Crypto and Net::SSLeay. While some of the two-letter combinations can be made sense of without looking at the switch, I guess, this is just a completely useless interface. The same level of uselessness can be acchieved in a single line matching BoringSSL. ok joshua kenjiro
* Fix HTTP CONNECT proxy support to not treat responses likedjm2025-05-221-5/+5
| | | | "HTTP/1.0 200poo" as success; patch from Spiros Thanasoulas
* asn1: merge invalid generalized time tests into invalid time testsjoshua2025-05-221-16/+10
| | | | | | | | | | | Previously, invalid generalized time tests were split into a separate set of test vectors and a flag was used when calling the test function to indicate they should be tested as generalized only. This simplifies the code a bit, and makes converting to the new test framework easier. ok jsing
* Convert sha_test to use new test frameworkjoshua2025-05-222-153/+141
| | | | ok beck
* Convert md_test to use new test frameworkjoshua2025-05-222-122/+106
| | | | ok jsing tb beck
* Fix test_errorf macro expanding to two linesjoshua2025-05-221-4/+8
| | | | | This caused test_fail to always be called when used in certain conditions, and wrapping with do {} while (0) fixes this.
* Add basic HKDF test using EVP_PKEY_HKDFkenjiro2025-05-221-1/+81
| | | | | | | | Add a basic test case for HKDF using EVP_PKEY_HKDF to evp_test.c. This test verifies the correct derivation of output keying material using SHA-256, matching the test vector from RFC 5869 Appendix A.1. ok tb@ joshua@
* Reorder some functions.jsing2025-05-211-20/+20
|
* Remove GHASH_CHUNK and size_t related code from GCM encrypt/decrypt.jsing2025-05-211-220/+1
| | | | | | | | This adds significant complexity to the code. On amd64 and aarch64 it results in a minimal slowdown for aligned inputs and a performance improvement for unaligned inputs. ok beck@ joshua@ tb@
* Fix wrapping.jsing2025-05-211-13/+9
|
* Remove now unused AES assembly generation scripts.jsing2025-05-213-5256/+0
|
* for SOCKS4A don't perform a local hostname lookup that we're not goingdjm2025-05-211-4/+6
| | | | to use; spotted by lucas@
* Add initial regress test frameworkjoshua2025-05-213-0/+408
| | | | | | | | | | Add a test framework for use in LibreSSL regression tests. This test framework aims to be as lightweight and as simple to use as possible. The design is mostly inspired by Go's test system, and aims to be a drop-in utility in most existing regress tests. ok jsing tb beck
* add SOCKS4A to help textdjm2025-05-211-2/+2
|
* add SOCKS4A support to nc(1)'s proxy (-X) modedjm2025-05-213-7/+27
| | | | | | | | | | | SOCKS4A is a fairly obscure extension to the olde SOCKS4 protocol that allows passing the destination as a string rather than a literal IPv4 address, which is the only thing that vanilla SOCKS4 supports. The motivation for adding something so niche is to test the SOCKS4A server code in ssh(1)'s dynamic forwarding (-D) support. ok tb@
* Remove more unused code.jsing2025-05-211-95/+1
| | | | Discussed with tb@
* Add NULL checks to HKDF and TLS1-PRF EVP_PKEY cleanup functionskenjiro2025-05-213-3/+11
| | | | | | | | Check if ctx->data is NULL before calling freezero(). Also add HKDF and TLS1-PRF to the EVP_PKEY cleanup regression test, as they no longer crash with this change. ok tb@
* mlkem_unittest: fix typo in commenttb2025-05-211-2/+2
|
* Fix buffer size in MLKEM1024_marshal_public_key()kenjiro2025-05-211-2/+2
| | | | | | | Initialize the output buffer with MLKEM1024_PUBLIC_KEY_BYTES instead of MLKEM768_PUBLIC_KEY_BYTES. ok tb@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-17 00:22:40 +0000