IABSD.fr/src/lib
Branch :
Log
| Author | Commit | Date | CI | Message |
|---|---|---|---|---|
 |
14166274 | 2025-02-26 10:48:25 | obj_dat: remove parens from return | |
|
a429d9dd | 2025-02-26 09:52:55 | obj_dat: don't shift a->length into the sign bit For an OID of excessive length >= 2^12, a->length << 20L is undefined, so add a cast to the target type of (unsigned long). From Kenjiro Nakayama | |
|
c18c38bc | 2025-02-26 09:49:54 | obj_dat: don't shift ca->type into the sign bit This is undefined for a ca->type of ADDED_LNAME (2) and ADDED_NID (3) when ca->type << 30L results in a shift into the sign bit, so add a cast to the target type of unsigned long. From Kenjiro Nakayama | |
|
76af2a91 | 2025-02-24 20:07:14 | x_crl.c: remove two NULL checks before *_free() | |
 |
e4e0f029 | 2025-02-21 18:16:45 | create pkg-config files for curses-related libraries makes sense to kettenis & feedback about compiler/linker flags ok tb, millert | |
|
62f4e960 | 2025-02-21 05:44:28 | Remove unused name member from x509_st As far as I can tell this has never been used since the beginning of git history with SSLeay 0.8.1b, so we can simplify the x509_cb() a little. ok jsing miod | |
|
a0f27e02 | 2025-02-20 20:30:12 | Remove unused valid member of x509_st internal_verify() (now x509_vfy_internal_verify()) used to cache the validity of the signature of a cert in this field. This is no longer the case since x509_vfy.c 1.57 (2017). | |
|
80004a11 | 2025-02-19 12:13:10 | sync with upstream This replaces "zconf.h" with <zconf.h> conditionally on whether ZLIB_BUILD is defined or not. Since we don't define ZLIB_BUILD this is a noop for us. | |
|
6065620d | 2025-02-18 06:31:10 | pkey_ec_derive(): simplify keylen calculation ok jsing | |
|
5b7c8fd6 | 2025-02-17 09:25:45 | Simplify ECDH_size() by using BN_num_bytes() ok jsing | |
 |
e8902928 | 2025-02-14 13:29:00 | Add the kern.audio.kbdcontrol sysctl(2) variable If set to 0, the volume keys on multimedia keyboards are handled as regular keys, allowing programs to use them. The default is 1, i.e. the current behavior. ok armani, kettenis, mvs | |
 |
4eb9c9dc | 2025-02-14 12:01:58 | Replace Makefile based SHA*_ASM defines with HAVE_SHA_* defines. Currently, SHA{1,256,512}_ASM defines are used to remove the C implementation of sha{1,256,512}_block_data_order() when it is provided by assembly. However, this prevents the C implementation from being used as a fallback. Rename the C sha*_block_data_order() to sha*_block_generic() and provide a sha*_block_data_order() that calls sha*_block_generic(). Replace the Makefile based SHA*_ASM defines with two HAVE_SHA_* defines that allow these functions to be compiled in or removed, such that machine specific verisons can be provided. This should effectively be a no-op on any platform that defined SHA{1,256,512}_ASM. ok tb@ | |
|
715c64a6 | 2025-02-13 11:19:49 | ec_mont_group_set_curve: convert to BN_MONT_CTX_create() and simplify This removes the penultimate internal call of BN_MONT_CTX_new(). The last one could be removed at the cost of introducing a BN_MONT_CTX_dup(), which probably isn't worth it. ok jsing | |
|
955ad9dd | 2025-02-13 11:18:00 | dsa_gen: convert to BN_MONT_CTX_create() This can now be a single call before the BN_MONT_CTX is actually used rather than two calls separated by 170 lines. ok jsing | |
|
0695c23a | 2025-02-13 11:15:09 | Convert bn_exp to BN_MONT_CTX_create() This simplifies the handling of the BN_MONT_CTX passed in and unifies the exit paths. Also zap some particularly insightful comments by our favorite captain. ok jsing | |
|
cce9f024 | 2025-02-13 11:10:01 | Convert BPSW to BN_MONT_CTX_create() ok jsing | |
|
eda5102e | 2025-02-13 11:09:51 | Convert BN_MONT_CTX_set_locked() to BN_MONT_CTX_create() ok jsing | |
|
f5061072 | 2025-02-13 11:04:20 | bn: add internal BN_MONT_CTX_create() This does what the public BN_MONT_CTX_new() should have done in the first place rather than doing the toolkit thing of returning an invalid object that you need to figure out how to populate and with what because the docs are abysmal. It takes the required arguments and calls BN_MONT_CTX_set(), which all callers do immediately after _new() (except for DSA which managed to squeeze 170 lines of garbage between the two calls). ok jsing | |
|
3ca91234 | 2025-02-12 21:21:34 | Rename BN_mod_exp_recp() to BN_mod_exp_reciprocal() (leaving out a dotasm comment that would become harder to read than it already is) | |
|
d2e1daa0 | 2025-02-08 10:12:00 | Cache CRLs in issuer cache The issuer cache holds a pair of SHA-512 of parent and child cert plus the result of the signature verification. Since CRLs also have a cached hash of their DER, we can easily add them to the same cache. This way we also avoid the cost of repeated signature verification for CRLs. For ordinary workloads the cache is larger than necessary and it won't currently take up more space than ~8M anyway, so the cost of doing this is negligible. For applications like rpki-client where the same (CA, CRL) pair is used to verify multiple EE certs, the gain is significant. In fact, the current worst case is a single pair being used for > 50k EE certs, responsible for about 20-25% of the total runtime of an ordinary rpki-client run if a hw-accelerated version of SHA-2 is available and even more if it isn't. In both cases the cost of processing of this pair is reduced by more than an order of magnitude. The implementation is a translation of x509_verify_parent_signature() to the case of CRLs and is entirely trivial thanks to the cache's design. Found while investigating a performance bottleneck found by job tested by job ok beck | |
|
2347e6ed | 2025-02-08 03:41:36 | Move X509_NAME_print() next to its only internal caller Fix includes while there | |
|
953cafab | 2025-02-08 01:04:56 | x509_verify_parent_signature(): no need to bump pkey's refcount The parent certificate outlives the signature check, so we don't have to take a refcount of its pubkey and then release it again. ok beck | |
|
71686e93 | 2025-02-08 01:01:31 | x509_verify: missing verify error on cached signature mismatch If a signature mismatch is cached, the same error should be passed to the verify callback as if the mismatch was detected by doing the calculation, rather than falling back to the "unable to find the issuer cert locally". ok beck | |
|
9d84dc8a | 2025-02-04 20:22:20 | bn_recp: reformat another ugly comment | |
|
4519f49a | 2025-02-04 14:00:05 | SSL_select_next_proto: fix invalid octal escape by switching to hexadecimal | |
|
38cd2bc9 | 2025-02-04 12:47:58 | Inline BN_reciprocal() in its only caller This is simpler, doesn't need an auxiliary function of dubious value, avouds an auxiliary variable and gets rid of a bunch of comments that are hard to make sense of. This doesn't bother to invalidate recp->shift since on error you should not be reusing the RECP_CTX without reinitializing it. ok jsing | |
|
4dc45f02 | 2025-02-04 05:09:53 | Start cleaning up BN_div_reciprocal() a bit The fast path where no division is performed can be dealt with without BN_CTX, so do that up front so there's no need to clean up before return. Error check BN_CTX_get() on each use asd simplify the logic for optional input parameters. KNF for an ugly comment. ok jsing | |
|
2931bd70 | 2025-02-04 04:51:34 | Error check i2t_ASN1_OBJECT() and tweak warning message CID 532326 ok djm jsing | |
|
f82ad687 | 2025-02-03 19:17:57 | infback.c: fix indent from upstream | |
 |
b78cc03f | 2025-01-30 21:41:37 | Remove the second argument from the call asm instruction. clang doesn't understand this and there's no binary change with gcc. ok kettenis@ | |
|
902bfdca | 2025-01-27 14:02:31 | Mop up RC4_INDEX. The RC4_INDEX define switches between base pointer indexing and per-byte pointer increment. This supposedly made a huge difference to performance on x86 at some point, however compilers have improved somewhat since then. There is no change (or effectively no change) in generated assembly on a the majority of LLVM platforms and even when there is some change (e.g. aarch64), there is no noticable performance difference. Simplify the (still messy) macros/code and mop up RC4_INDEX. ok tb@ | |
|
a6636ef5 | 2025-01-27 10:29:41 | X509_NAME_print(): remove no longer useful length check This was needed to avoid truncation on BIO_write(). With the switch to BIO_printf() in the previous commit this is no longer needed. | |
|
d209baed | 2025-01-27 08:05:02 | X509_NAME_print: NUL-terminate and switch to BIO_printf() This handles the empty string, which ruby-openssl checks. Pointed out by anton | |
|
ffc1d37c | 2025-01-27 04:24:46 | x509_obj.c: be better at sorting | |
|
819724e5 | 2025-01-26 21:05:19 | x509_obj.c: fix includes | |
|
9c33610f | 2025-01-26 20:18:26 | Rework X509_NAME_print() This is legacy API that we can unexport since nothing uses it directly. Unfortunately we need to keep the functions because there are plenty of things that use it indirectly by passing XN_FLAG_COMPAT to X509_print_ex(). The old implementation parsed the X509_NAME_oneline() output in order to remove the / preceding the (one or two-uppercase letters) name and to insert ", " afterward. This is just stupid in so many ways, not least because there's basically no limit to the garbage that you can stuff into an X.500 name. So rework this and only include the name entries whose short names are one or two letters long. This way, this becomes slightly saner and less fragile. ok jsing | |
|
2321e207 | 2025-01-26 20:01:58 | Rewrite X509_NAME_ENTRY_oneline() using CBB and CBS This splits the horrid spaghetti into a few relatively straightforward helpers which do one thing at a time. There are still some spectacular dances around ASN1_GENERALSTRING, but let's blame that one on X.500. In brief, X509_NAME_ENTRY_oneline() iterates over the name entries, and writes out a line /name1=value1,/name2=value2,... which you may have seen variations of in issuer or subject output. The name is the short name or the long name or the textual representation of the OID (truncated to 79 characters) and the value is a string where printable ASCII characters are represented as themselves and otherwise as hexadecimal digits preceded by \x. Except for GENERALSTRING, where the four octet representation is shortened to single-octet representation if none of the top three octets in the entire string is populated. It's the mother of all pretty things. But, hey, you could do worse and try to parse this garbage... ok jsing | |
|
71585515 | 2025-01-26 13:51:41 | x509_utl.c: use normal order of internal headers | |
|
515aa502 | 2025-01-25 17:59:44 | Remove #error if OPENSSL_NO_FOO is defined discussed with jsing | |
|
6d90e046 | 2025-01-25 13:15:21 | Garbage collect field_type member of the EC methods ok jsing | |
|
a9bbc4f7 | 2025-01-25 13:13:57 | Promote a few functions from EC API to garbage bin EC_GROUP_method_of() and EC_METHOD_get_field_type() only ever used chained together as a convoluted means to retrieve the field type of a group. This is no longer useful since the answer will always be NID_X9_62_prime_field. EC_POINT_method_of(), EC_GROUP{,_have}_precompute_mult(): exposed by one of those expose-everything perl XS modules. ok jsing | |
|
363913fa | 2025-01-25 10:37:50 | Remove now unused internal ec_group_get_field_type() ok jsing | |
|
46639ee8 | 2025-01-25 10:36:50 | Remove calls to ec_group_get_field_type() from EC_GROUP_cmp() ok jsing | |
|
ff0b5b20 | 2025-01-25 10:34:36 | Make EC_KEY_precompute_mult() return 1 directly This hasn't done anything in a long time. Only dovecot uses an unchecked call to this. With this we can remove EC_GROUP_precompute_mult(). ok jsing | |
|
c2649b15 | 2025-01-25 10:30:17 | Simplify ecpk_print_explicit_parameters() At this point the NID is always NID_X9_62_prime_field, so we can use SN_X9_62_prime_field directly rather than getting the field type from the method and then converting the nid to an sn with OBJ_nid2sn(). ok jsing | |
|
9453f7aa | 2025-01-25 10:27:58 | Simplify ec_asn1_group2fieldid() The field_type is always NID_X9_62_prime_field, no need to encode and retrieve this from the group method. ok jsing | |
|
2241b000 | 2025-01-24 13:38:28 | Remove now unused perlasm script for MD5 on amd64. | |
|
82ab76e1 | 2025-01-24 13:35:04 | Provide a readable assembly implementation for MD5 on amd64. This appears to be about 5% faster than the current perlasm version on a modern Intel CPU. While here rename md5_block_asm_data_order to md5_block_data_order, for consistency with other hashes. ok tb@ | |
|
c383f79c | 2025-01-22 12:54:40 | Use simpler (if a bit weird) dup instead of new + copy ok jsing | |
|
b4a69cdb | 2025-01-22 12:53:16 | bn_recp: Avoid complication for negative moduli Instead of doing a weird dance, set the sign on N in BN_RECP_CTX_create(). Since we're not exposing a general purpose calculator API, we can simplify. ok jsing | |
|
47537ea9 | 2025-01-22 10:12:01 | Rename BN_div_recp() into BN_div_reciprocal() Requested by jsing | |
|
02fba168 | 2025-01-22 10:08:10 | Split BN_mod_sqr_reciprocal() out of BN_mod_mul_reciprocal() There's no need for BN_mod_mul_reciprocal() to have this complication. The caller knows when x == y, so place the burden on the caller. This simplifies both the caller side and the implementation in bn_recp.c. ok jsing | |
|
1447fb01 | 2025-01-22 09:56:58 | Remove the mul_generator_ct function pointer from EC_METHOD. There's no need for a separate mul_generator_ct() function pointer - we really only need mul_single_ct() and mul_double_nonct(). And rather than calling ec_mul_ct() and having it figure out which point to use, explicitly pass the generator point when calling mul_single_ct(). ok tb@ | |
|
077b20bd | 2025-01-22 09:53:16 | Expand the SM4_ROUNDS macro. This macro references variable names that are in the consuming function and are not actually passed to the macro. Expanding it makes the logic clearer. If we wanted to reduce code the middle six group of rounds could be implemented using a for loop (which the compiler can then choose to unroll). ok tb@ | |
|
b6c13eaa | 2025-01-22 09:46:26 | Replace {load,store}_u32_be() with crypto_{load,store}_be32toh(). load_u32_be() and store_u32_be() are not symmetrical, with load_u32_be() having a rather unexpected indexing interface. Fix up the callers to perform their own indexing and use crypto_{load,store}_be32toh() instead. ok tb@ | |
|
85ca3135 | 2025-01-22 09:42:27 | Pull the family key and constant key tables out of SM4_set_key(). ok tb@ | |
|
e9711763 | 2025-01-22 09:39:56 | BN_mod_mul_reciprocal: remove y == NULL complication No caller ever passes y == NULL, so remove the corresponding contortions and unindent the relevant bits. ok jsing | |
|
0d1706a1 | 2025-01-22 09:37:07 | Replace rotl() with crypto_rol_u32(). ok tb@ | |
|
ba47179b | 2025-01-21 17:01:25 | EC_GROUP_check(): use accessor rather than reaching into the group The API will be removed soon. This prepares moving it to its only consumer. | |
|
05328004 | 2025-01-21 15:44:22 | Move BN_RECP_CTX to the heap This introduces a BN_RECP_CTX_create() function that allocates and populates the BN_RECP_CTX in a single call, without taking an unused BN_CTX argument. At the same time, make the N and Nr members BIGNUMs on the heap which are allocated by BN_RECP_CTX_create() and freed by BN_RECP_CTX_free() and remove the unnecessary flags argument. Garbage collect the now unused BN_RECP_CTX_{new,init,set}(). ok jsing | |
|
295207cc | 2025-01-20 17:50:12 | crypto.h: zap some offensive whitespace | |
|
e05b8d4e | 2025-01-20 12:57:28 | Annotate why EVP_PKEY_CTX_ctrl_str() will stay for a while | |
|
ecb0d0d4 | 2025-01-19 07:51:41 | Improve bit counter handling in MD5. Like most hashes, MD5 needs to keep count of the number of bits in the message being processed. However, rather than using a 64 bit counter this is implemented using two 32 bit values (which is exposed in the public API). Even with this hurdle, we can still use 64 bit math and let the compiler figure out how to best handle the situation (hopefully avoiding compiler warnings on 16 bit platforms in the process!). On amd64 this code now requires two instructions, instead of the previous five. While here remove a comment that is excessively visible and no longer completely accurate (and if you're going to redefine types like MD5_WORD you kinda need to know what you're doing). ok tb@ (who's going to miss the dear diary style comments) | |
|
e5d83da7 | 2025-01-18 14:17:05 | Simplify tls1_check_ec_key() It doesn't need to have optional arguments anymore, so we can pass in values and don't need NULL checks and dereferencing. ok jsing | |
|
e0096704 | 2025-01-18 13:26:51 | Rename grp to group like almost everywhere else | |
|
1271c85a | 2025-01-18 13:15:31 | Remove parentheses in return statements ok cc + sha256 | |
|
220e3b7c | 2025-01-18 13:11:58 | Remove two pointless NULL checks The only caller ensures that the EC_KEY is not NULL and passes the address of comp_id on its stack, so neither will be NULL. | |
|
54d00625 | 2025-01-18 13:07:47 | Drop field determination dance If we get here, we're in a server and have managed to load the cert. The public key is therefore a point on a built-in curve, and we know the group is defined over some prime field. Now it is just a matter of figuring out whether we support the group in libssl. ok jsing | |
|
29c2420e | 2025-01-18 13:03:02 | Stop pretending we support arbirary explicit groups ok jsing | |
|
1ef70f4f | 2025-01-18 12:20:37 | Remove SSL_DES and SSL_IDEA remnants ok jsing | |
|
a00bfa08 | 2025-01-18 12:20:02 | SSL_CTX_set_cipher_list: stop mentioning ancient ciphers Support was removed nearly a decade ago. No need to mention this anymore. ok jsing | |
|
2bba40d4 | 2025-01-18 10:53:04 | Remove last uses of SSL_aDSS ok jsing | |
|
942444cc | 2025-01-18 10:52:09 | ssl_seclevel: remove comment pertaining to DSA certs ok jsing | |
|
de980744 | 2025-01-18 10:45:12 | Stop mentioning DSA/DSS Support for this went away in 2017, but a few things still mentioned DSA in various contexts. Replace DSA with ECDSA where appropriate and otherwise delete this. It won't work. ok jsing | |
|
f6bb4990 | 2025-01-18 02:56:07 | Use name instead of register. | |
|
66738ebb | 2025-01-17 22:39:42 | ssl_local.h: does not need to include dsa.h | |
|
457dff42 | 2025-01-17 15:39:19 | rsa_pmeth: unify strcmp return checks ok jsing | |
|
728db599 | 2025-01-17 11:11:27 | Replace the remaining group->meth->field_{mul,sqr} These somehow escaped a prior pass. | |
|
d6f80948 | 2025-01-17 10:54:03 | ecp_methods: remove p = group->p indirection This helped a bit with readability when we needed to do &group->p, but now that's no longer needed. discussed with jsing | |
|
f6116716 | 2025-01-17 10:41:31 | ecp_methods: rework field_{mul,sqr}() handling Add wrapper functions that call the methods so that we can get rid of inconsistent use of ugly function pointers with massively overlong lines and other ways of reaching into the methods. ok jsing | |
|
ac07061a | 2025-01-17 08:50:07 | Fix two incorrect strtonum() conversions The atoi() would also accept the magic negative values and old openssl releases would expose these as arguments to -pkeyopt rsa_pss_saltlen:-1 in the openssl pkeyutl "app". While modern openssl switched to having readable alternatives to these, the oseid component of opensc would use the old syntax until yesterday. Still, this is our bug and we need to keep accepting the magic values as such, so do so. Everything below -3 will be rejected by the RSA_ctrl() handler later. Debugged by Doug Engert in https://github.com/OpenSC/OpenSC/issues/3317 ok jsing op | |
|
10f20e90 | 2025-01-17 05:04:25 | dh_ameth: explcitly -> explicitly | |
|
c5925a46 | 2025-01-17 05:02:18 | asn_mime: deteched -> detached + a knf nit | |
 |
1aa737dc | 2025-01-16 04:02:08 | pcap_open_dead returns pcap_t *, not pcap_t. | |
|
c852d338 | 2025-01-11 21:20:39 | Fix another awful comment in ec_point_cmp() | |
|
f30d1591 | 2025-01-11 21:13:21 | Align vertical backslashes in a macro | |
|
7b995231 | 2025-01-11 21:07:25 | ec_point_cmp: tidy up an ugly comment | |
|
ca57bd65 | 2025-01-11 20:57:03 | ec_key_gen() is unused outside ec_key.c, so make it static | |
|
316bbdac | 2025-01-11 20:55:08 | Move EC_KEY_METHOD_DYNAMIC next to the two methods using it Only EC_KEY_METHOD_{new,free}() need to know about this flag, so make that more obvious. | |
|
989de271 | 2025-01-11 15:32:36 | Remove a weird comment | |
|
4fb59ff9 | 2025-01-11 15:26:07 | Rename the is_on_curve() method to point_is_on_curve() Rename ec_is_on_curve() to ec_point_is_on_curve() and ec_cmp() to ec_point_cmp(). | |
|
bbf457e4 | 2025-01-11 15:20:23 | Move is_on_curve() and (point) cmp() up These were in the middle of the methods responsible for curve operations, which makes little sense. | |
|
69100aa7 | 2025-01-11 15:02:42 | Move compressed coordinate setting into public API Now that it is method-agnostic, we can remove the method and move the implementation to the body of the public API function. And another method goes away. We're soon down to the ones we really need. discussed with jsing | |
|
9868a3fe | 2025-01-11 14:53:46 | Rework ec_point_set_compressed_coordinates() While this is nicely done, it is a bit too clever. We can do the calculation in the normal domain rather than the Montgomery domain and this way the method becomes method agnostic. This will be a bit slower but since a couple of field operations are nothing compared to the cost of BN_mod_sqrt() this isn't a concern. ok jsing | |
|
44d65b39 | 2025-01-11 14:48:20 | Move ec_points_make_affine() to the right place discussed with jsing | |
|
c21af703 | 2025-01-11 14:38:57 | Move the EC_POINTs API into the garbage bin | |
|
9581610f | 2025-01-11 13:58:31 | Neuter the EC_POINTs_* API EC_POINTs_mul() was only ever used by Ruby and they stopped doing so for LibreSSL when we incorporated the constant time multiplication work of Brumley et al and restricted the length of the points array to 1, making this API effectively useless. The only real reason you want to have an API to calculate \sum n_i P_i is for ECDSA where you want m * G + n * P. Whether something like his needs to be in the public API is doubtful. EC_POINTs_make_affine() is an implementation detail of EC_POINTs_mul(). As such it never really belonged into the public API. ok jsing | |
|
830575bd | 2025-01-11 13:41:17 | Remove a pointless check about Z == 1 ok jsing | |
|
07ff836a | 2025-01-11 13:38:42 | Inline ec_point_make_affine() in the public API Whatever the EC_METHOD, this will always be equivalent to getting and setting the affine coordinates, so this needs no dedicated method. Also, this is a function that makes no real sense since a caller should never need to care about this... As always, our favorite language bindings thought they might have users who care. This time it's Ruby and Perl. ok jsing | |
|
07d65f05 | 2025-01-11 03:00:04 | Remove seven pairs of unnecessary parentheses ok millert operator(7) |