Branch :
| Author | Commit | Date | CI | Message |
|---|---|---|---|---|
| 896a7df4 | 2025-05-22 12:44:14 | Do a clean up pass over the GCM code. Rework some logic, add explicit numerical checks, move assignment out of variable declaration and use post-increment/post-decrement unless there is a specific reason to do pre-increment. ok kenjiro@ tb@ | ||
| 38645cd8 | 2025-05-22 12:33:36 | Use timingsafe_memcmp() in CRYPTO_gcm128_finish(). When checking the GCM tag, use timingsafe_memcmp() instead of memcmp(). ok tb@ | ||
| 52de8363 | 2025-05-21 12:12:42 | Reorder some functions. | ||
| 772bd68a | 2025-05-21 12:11:23 | Remove GHASH_CHUNK and size_t related code from GCM encrypt/decrypt. This adds significant complexity to the code. On amd64 and aarch64 it results in a minimal slowdown for aligned inputs and a performance improvement for unaligned inputs. ok beck@ joshua@ tb@ | ||
| ac7f5714 | 2025-05-21 11:37:07 | Fix wrapping. | ||
| 824f3632 | 2025-05-21 11:03:48 | Remove now unused AES assembly generation scripts. | ||
| 1800984b | 2025-05-21 03:57:59 | Remove more unused code. Discussed with tb@ | ||
| ec8168ae | 2025-05-21 03:53:20 | Add NULL checks to HKDF and TLS1-PRF EVP_PKEY cleanup functions Check if ctx->data is NULL before calling freezero(). Also add HKDF and TLS1-PRF to the EVP_PKEY cleanup regression test, as they no longer crash with this change. ok tb@ | ||
| 9869d7d0 | 2025-05-21 02:18:11 | Fix buffer size in MLKEM1024_marshal_public_key() Initialize the output buffer with MLKEM1024_PUBLIC_KEY_BYTES instead of MLKEM768_PUBLIC_KEY_BYTES. ok tb@ | ||
| 48596faa | 2025-05-20 18:21:34 | Unbreak GHASH on some architectures setting GHASH_ASM The last #else branch in CRYPTO_gcm128_init() doesn't initialize the function pointers for gmult/ghash, which results in a segfault when using GCM on architectures taking this branch, notably sparc64. found by and fix from jca | ||
| c4fd9e40 | 2025-05-20 09:25:40 | Simplify err_build_SYS_str_reasons This is currently done in a rather silly way. Shift the index by 1 and avoid weird pointer dances. Rather than relying on static initialization, use code to obviate a comment. ok beck joshua jsing | ||
| 4d5c6b99 | 2025-05-20 07:47:43 | Fix previous - names use underscores and not hyphens. | ||
| c46aa735 | 2025-05-20 05:42:40 | Add ML-KEM768 Hybrid Kems to obj_mac.num ok tb@, joshua@ | ||
| 95a83615 | 2025-05-20 05:41:47 | Add ML-KEM768 Hybrid Kems to objects.txt ok tb@, joshua@ | ||
| 513d920f | 2025-05-20 00:33:40 | Make MLKEM1024_marshal_private_key consistent with the public_key funcitons Even though this should remain internal, make it the same as the public key marshal function, and make the needed fallout changes in regress. ok kenjiro@, tb@ | ||
| f7309d00 | 2025-05-20 00:30:38 | Whitespace nits from tb ok tb@ | ||
| 2fc058fc | 2025-05-19 07:53:00 | Fix up MLKEM768_marshal_private_key to not use a passed in CBB Even though this should remain internal, make it the same as the public key marshal function, and make the needed fallout changes in regress. This does not yet do the bikeshed of renaming the structure field in the regress ctx, that will wait until a follow on to convert 1024 in a similar manner ok tb@ | ||
| c11128da | 2025-05-19 07:40:17 | Remove the boringssl if || ideom from mlkem ok jsing@, joshua@ | ||
| c0402f88 | 2025-05-19 06:47:40 | API changes for ML-KEM - Get rid of CBB/CBS usage in public api - Make void functions return int that can fail if malloc fails. Along with some fallout and resulting bikeshedding in the regress tests. ok jsing@, tb@ | ||
| db896637 | 2025-05-19 04:32:51 | Simplify EVP AES code for ECB. AES_ecb_encrypt() does not really do ECB - provide an aes_ecb_encrypt_internal that actually does multiple blocks and call this from aes_ecb_cipher(). Provide ECB with its own key initialisation function, which allows aes_init_key() to be simplified considerably. The block function pointer is now unused, so mop this up. ok joshua@ tb@ | ||
| a151dcdd | 2025-05-19 04:01:07 | Remove block128_f function casts. Provide aes_{en,de}crypt_block128() which have correct function signatures and use these when calling the various mode functions. ok joshua@ tb@ | ||
| b7c26f81 | 2025-05-19 03:55:09 | Simplify EVP AES code for OFB. Provide AES-NI with its own aesni_ofb_cipher() and switch aes_ofb_cipher() to call AES_ofb128_encrypt() directly. ok joshua@ tb@ | ||
| 1184d9e8 | 2025-05-19 01:49:23 | Simplify EVP AES code for CFB. Provide AES-NI with its own aesni_cfb*_cipher() functions, which then allows us to change the existing aes_cfb*_cipher() functions to () to call AES_cfb*_encrypt() directly. ok beck@ tb@ | ||
| 3094a09a | 2025-05-18 20:44:30 | EC_POINT_new: wording tweaks in the BUGS section | ||
| 79839f6c | 2025-05-18 11:11:12 | Simplify EVP AES code for CTR. Provide AES-NI with its own aesni_ctr_cipher(), which then allows us to change aes_ctr_cipher() to call AES_ctr128_encrypt() directly. The stream.ctr function pointer is now unused and can be mopped up. ok beck@ tb@ | ||
| 8562f4b1 | 2025-05-18 11:07:45 | Unifdef AES_CTR_ASM. This is a remnant from s390x assembly. | ||
| f0ec6e16 | 2025-05-18 09:47:38 | Simplify EVP code for AES CBC. Change aes_cbc_cipher() to call AES_cbc_encrypt() directly, rather than via the stream.cbc function pointer. Remove stream.cbc since it is no longer used. Also provide a separate aes_cbc_init_key() function which makes this standalone and does not require checking mode flags. ok joshua@ tb@ | ||
| 3f7d12af | 2025-05-18 09:21:29 | add missing u64/uint64_t conversion ok jsing@ | ||
| 6da293ff | 2025-05-18 09:05:59 | Use stdint types instead of u64/u32/u8. No change in generated assembly. | ||
| 5b96f810 | 2025-05-18 07:26:09 | Remove contortions with the rem_4bit table. Instead of using size_t and a PACK macro, store the entries as uint16_t and then uncondtionally left shift 48 bits. This gives a small performance gain on some architectures and has the advantage of reducing the size of the table from 1024 bits to 256 bits. ok beck@ joshua@ tb@ | ||
| 6decc3d5 | 2025-05-18 07:13:48 | Inline REDUCE1BIT macro. The REDUCE1BIT macro is now only used in one place, so just inline it. Additionally we do not need separate 32 bit and 64 bit versions - just use the 64 bit version and let the compiler deal with it (we effectively get the same code on i386). ok beck@ joshua@ | ||
| 21b9f6be | 2025-05-18 06:38:11 | bio_mem: avoid pointer arithmetic on NULL Prompted by a diff by Kenjiro Nakayama ok jsing | ||
| 656fe457 | 2025-05-18 06:32:36 | rc2: two files escaped the lure of the attic, set these poor souls free | ||
| 8c960797 | 2025-05-17 14:43:17 | Remove TABLE_BITS from gcm128. TABLE_BITS is always currently defined as 4 - 8 is considered to be insecure due to timing leaks and 1 is considerably slower. Remove code that is not regularly tested, does not serve a lot of purpose and is making clean up harder than it needs to be. ok tb@ | ||
| 007267a8 | 2025-05-16 15:09:26 | Replace GCM_MUL/GHASH defines with static inline functions. Rather than having defines for GCM_MUL/GHASH (along with the wonder that is GCM_FUNCREF_4BIT) then conditioning on their availability, provide and call gcm_mul()/gcm_ghash() unconditionally. This simplifies all of the call sites. ok tb@ | ||
| 836be986 | 2025-05-10 19:01:16 | Increase default PKCS12_SALT_LEN from 8 to 16 bytes Currently PKCS12_setup_mac() function uses salt length of 8 bytes / 64 bits when no salt length is specified. Increase this fallback default to 16 bytes / 128 bits, as recommended by NIST SP 800-132. Note this is for interoperability purposes. Some FIPS implementations enforce minimum salt length of 16 bytes. Examples of such FIPS implemenations are Bouncycastle FIPS Java API and Chainguard FIPS Provider for OpenSSL. Also future v3.6 release of OpenSSL will also increase the default salt length to 16 bytes. From Dimitri John Ledkov, thanks | ||
| 9ae92282 | 2025-05-10 11:51:01 | asn_moid: move inclusion of err_local.h to the proper place | ||
| ef68f023 | 2025-05-10 06:45:46 | Sort FOOerror() in ASCII order | ||
| 5ec83552 | 2025-05-10 06:35:22 | Simplify the remaining FOOerror() Redirect through an additional macro that adds the repeated function, file and line macros. Reduces the eyesore and makes the whole thing much more redable. similar to a suggestion by jsing a while back | ||
| e223f0a4 | 2025-05-10 06:22:08 | Remove unused internal FOOerror() pointed out by djm a while back | ||
| a0eb9462 | 2025-05-10 06:17:09 | Remove error macros except PEMerr(), RSAerr() and SSLerr() These three are still used in about half a dozen ports. All the others are unused. ok jsing | ||
| 3e51b078 | 2025-05-10 06:03:38 | Move the internal FOOerror() to err_local.h These are now only used in libcrypto. They should never have been in a public header in the first place. ok jsing | ||
| 27854fe4 | 2025-05-10 05:54:38 | Use err_local.h rather than err.h in most places ok jsing | ||
| fa4c866e | 2025-05-09 13:24:37 | Garbage collect docs of BIO_dump{,_indent}_{cb,fp}() The _cb() variants were only documented as intentionally undocumented. Be that as it may, they left the building more than a year ago. | ||
| 11b3a765 | 2025-05-09 13:05:03 | bss_log.c: don't rely on err.h pulling in bio.h ok jsing | ||
| c4e503b4 | 2025-05-04 15:58:48 | Fix up two markup mistakes with .Fn and .Xr | ||
| 7639f023 | 2025-05-04 05:10:14 | Remove the X9.62 prime239v{1,2,3} curves While RFC 3279 allows these curves for use in X.509 certificates (*), no one actually does this. Certs using these curves cannot be used for TLS and the curves aren't accepted by FIPS either. codesearch shows no actual uses of these curves, only their OIDs are listed. At this point these have become useless historical baggage. ok jsing (*) Of the 27 curves listed in RFC 3279 the only one that seems to have seen actual use in certificates is P-256. | ||
| 8077efd2 | 2025-05-04 04:57:48 | Move P-256 where it belongs ok jsing | ||
| 53b64951 | 2025-05-03 10:15:50 | Fix typo in curve comment: P224r2 -> P224t1 | ||
| d84d1dff | 2025-05-03 08:39:33 | CTASSERT that internal pub/priv keys match the sizes exposed in mlkem.h This will need reworking (especially deduplicating) anyway, but it doesn't hurt now. From Kenjiro Nakayama | ||
| 4a539f7d | 2025-05-01 07:27:11 | More space around .Dl + a typo on top | ||
| fe009f23 | 2025-05-01 00:35:23 | lhash: add missing spaces before assignment operator | ||
| fc8da380 | 2025-04-28 17:42:42 | EC_GROUP_check.3: rephrase a sentence to avoid a word repetition | ||
| 487be35a | 2025-04-28 17:41:55 | EC_GROUP_new_by_curve_name.3: escape a - in code. | ||
| a436290e | 2025-04-26 09:03:03 | EC_POINT_point2oct: remove in_ prefix in RETURN VALUES | ||
| d1a18d55 | 2025-04-26 07:07:29 | EC_GROUP_new_curve_GFp: some fixes in the RETURN VALUE section | ||
| 104763b8 | 2025-04-26 05:31:27 | Fix markup for EC_GROUP_set_point_conversion_form | ||
| 5df3696e | 2025-04-25 20:04:09 | Fix up a few dangling references | ||
| 4f0d0653 | 2025-04-25 19:57:12 | Rework EC documentation This replaces the giant, poor quality and outdated EC_GROUP_copy.3, EC_GROUP_new.3, and EC_POINT_new.3 manuals with seven new manuals written from scratch. * EC_GROUP_new_by_curve_name() is the entry point for builtin curves, * EC_GROUP_new_curve_GFp() describes lower level API that should not usually be needed apart from a handful of accessors. * EC_GROUP_check() contains two functions that applications should not need because either you know for certain something is an elliptic curve (so these checks are pointless) or you should not use it. * EC_GROUP_get_curve_name() describes some low level ASN.1 footguns and corresponding getters. * EC_POINT_new() contains the simple EC_POINT allocation and freeing API * EC_POINT_get_affine_coordinates() contains the coordinate accessors * EC_POINT_point2oct() is about encoding elliptic curve points While all this is quite far from perfect, the diff is getting too big and it will be easier to improve this in tree. It is definitely more repetitive than I would like it to be. Reviews, tweaks and general feedback are of course welcome. discussed with jsing | ||
| 8431d98b | 2025-04-25 12:11:17 | BN_new: zap an anachronistic admonition -This type should be considered opaque and fields should not be modified -or accessed directly. The type has long been opaque and reasonable people will not do things that permit them to access the fields of opaque types directly. Of course, in the vicinity of OpenSSL code and API all sorts of insanity actually exist. | ||
| 46ec9d37 | 2025-04-25 12:08:53 | Restore two #if defined(GHASH) that were incorrectly removed. Also condition on defined(GHASH_CHUNK) since this is used within these blocks. This makes the conditionals consistent with other usage. Fixes build with TABLE_BITS == 1. | ||
| b55deaa6 | 2025-04-25 08:26:57 | Unifdef OPENSSL_SMALL_FOOTPRINT. ok tb@ | ||
| e4cddd55 | 2025-04-25 08:19:22 | Use the OPENSSL_SMALL_FOOTPRINT code in gcm_init_4bit(). A modern compiler will unroll these loops - LLVM produces identical code (at least on arm64). Drop the manually unrolled version and have code that is more readable and maintainable. ok tb@ | ||
| 99b9efbb | 2025-04-23 14:15:19 | Mop up all of the GETU32/BSWAP4/BSWAP8 macros since they're now unused. ok beck@ tb@ | ||
| b2c8f86f | 2025-04-23 14:12:38 | Rewrite gcm_gmult_1bit() to avoid sizeof(long) hacks. We're already using 64 bit variables, so just continue to do so and let the compiler deal with code generation. While here, use unsigned right shifts instead of relying on signed right shifts and implementation-defined behaviour (which the original code did). Feedback from lucas@ ok beck@ tb@ | ||
| d68c0f8c | 2025-04-23 10:58:48 | Fix CRYPTO_gcm128_decrypt() when compiled with TABLE_BITS == 1. This appears to have been broken since 2013 when OpenSSL commit 3b4be0018b5 landed. This added in_t and out_t variables, but continued to use in and out instead. Yet another reason why untested conditional code is a bad thing. ok beck@ tb@ | ||
| 917643c9 | 2025-04-23 10:09:08 | Unifdef OPENSSL_SMALL_FOOTPRINT. We do not build with OPENSSL_SMALL_FOOTPRINT and it removes more untested code paths. Request by tb@ (and it was already on my TODO list!) | ||
| f3dd4eeb | 2025-04-23 10:08:20 | Unifdef OPENSSL_SMALL_FOOTPRINT. We do not build with OPENSSL_SMALL_FOOTPRINT and it removes more untested code paths. Request by tb@ (and it was already on my TODO list!) | ||
| 6e00e926 | 2025-04-22 14:09:20 | Mop up OPENSSL_FIPSAPI define. | ||
| b002cf96 | 2025-04-22 14:08:24 | Use OPENSSL_assert() instead of assert(). While here, tidy up the assignment of n and test directly. ok tb@ | ||
| 729143ef | 2025-04-22 14:03:05 | Remove now unused PUTU32 macros from modes_local.h. ok tb@ | ||
| 5474eaba | 2025-04-22 14:01:07 | Use crypto_load_be32toh()/crypto_store_htobe32() instead of GETU32/PUTU32. ok tb@ | ||
| e3757882 | 2025-04-21 16:01:18 | Mop up unused MODES_DEBUG. | ||
| 96f14f6c | 2025-04-21 16:00:14 | Fix another #include that was hiding. | ||
| c93b9566 | 2025-04-21 15:54:32 | Tidy includes. | ||
| b21238fd | 2025-04-21 12:23:09 | Use standard integer types rather than custom typedefs. Replace u32 with uint32_t, remove unused u16 and replace u8 with uint8_t. ok tb@ | ||
| 4b40278a | 2025-04-20 09:17:53 | Move AES public functions from aes_core.c to aes.c. This is where almost all of the public functions exist. ok beck@ tb@ | ||
| ebe9080c | 2025-04-18 13:25:03 | Fix indentation and line wrapping. | ||
| 9b6d233a | 2025-04-18 13:19:39 | Remove BS-AES and VP-AES from EVP. The bitsliced and vector permutation AES implementations were created around 2009, in attempts to speed up AES on Intel hardware. Both require SSSE3 which existed from around 2006. Intel introduced AES-NI in 2008 and a large percentage of Intel/AMD CPUs made in the last 15 years include it. AES-NI is significantly faster and requires less code. Furthermore, the BS-AES and VP-AES implementations are wired directly into EVP (as is AES-NI currently), which means that any consumers of the AES_* API are not able to benefit from acceleration. Removing these greatly simplifies the EVP AES code - if you just happen to have a CPU that supports SSSE3 but not AES-NI, then you'll now use the regular AES assembly implementations instead. ok kettenis@ tb@ | ||
| f2f8d78d | 2025-04-18 07:36:11 | Use 'ctx' for sha3_ctx variables, rather than the less readable 'c'. ok tb@ | ||
| 2b08fe26 | 2025-04-18 07:27:42 | Pull casts from void * to uint8_t * up to variables, rather than inline. ok tb@ | ||
| 80598ffc | 2025-04-18 07:23:53 | Use two temporary variables in sha3_keccakf(), rather than reusing bc[0]. ok tb@ | ||
| aca95e1c | 2025-04-18 07:19:48 | Use crypto_rol_u64() instead of a separate ROTL64 define. ok tb@ | ||
| d8bca26c | 2025-04-17 14:58:09 | Use hyphenated spelling for the SHAs except for the API The mix of SHA256 and SHA-256 is jarring, so use FIPS's spelling. Leave HMAC-SHA256 as it is and fix a nearby RIPEMD-160. | ||
| 879b1444 | 2025-03-28 13:11:57 | x509_policy: zap an extra s | ||
| 2ac6a2dd | 2025-03-28 12:34:19 | x509_policy: certificats -> certificates | ||
| b47c4dc6 | 2025-03-28 12:17:16 | typos: us -> is, te -> the (twice) | ||
| f2cb3ef3 | 2025-03-28 12:13:03 | typo: primtive -> primitive | ||
| 299b7b17 | 2025-03-25 11:54:34 | Fix RETURN VALUES for EVP_CIPHER_CTX_ctrl(3) The current documentation was clearly incorrect since a return of -1 from the methods is explicitly intercepted and translated to 0. schwarze and I both audited the tree and concluded that only 0 and 1 is possible. OpenSSL 3 broke this API contract and now has explicit return -1 in the convoluted 200-line maze this simple function has become with recent provider improvements. So add a small sentence hinting at that. Nobody will be surprised to read that with OpenSSL's characteristic penchant for needless inconsistency the return value checks in their tree are all over the place and sometimes incorrect. ok schwarze (with two tweaks) | ||
| 0327bf4b | 2025-03-24 13:07:04 | Explicitly pass group generator to mul_double_nonct() from EC_POINT_mul(). EC_POINT_mul() has a complex multi-use interface - there are effectively three different ways it will behave, depending on which arguments are NULL. In the case where we compute g_scalar * generator + p_scalar * point, the mul_double_nonct() function pointer is called, however only g_scalar, p_scalar and point are passed - it is expected that the lower level implementation (in this case ec_wnaf_mul()) will use the generator from the group. Change mul_double_nonct(), ec_mul_double_nonct() and ec_wnaf_mul() so that they take scalar1, point1, scalar2 and point2. This removes all knowledge of g_scalar and the generator from the multiplication code, keeping it limited to EC_POINT_mul(). While here also consistently pass scalar then point, rather than a mix of scalar/point and point/scalar. ok tb@ | ||
| b6109242 | 2025-03-24 12:49:13 | Check group generator in EC_POINT_mul(). When a non-NULL generator scalar is passed to EC_POINT_mul(), the group's generator will be used in multiplication. Add a check that ensures that the group generator is non-NULL, in order to avoid needing to handle this elsewhere (currently in the lower level point multiplication code). ok tb@ | ||
| e56f916f | 2025-03-20 09:41:47 | Plug a memory leak in x509_name_encode() This is nearly identical to a leak fixed by miod 10 years ago in x509_name_canon() but was missed in r1.30. This entire file needs a metric ton of bleach, but my head currently spins too much for tackling this, so go with the cheap one-liner. From Niels Dossche | ||
| e97de139 | 2025-03-19 17:11:21 | x509_param_set_hosts_internal: rename vpm to param for consistency | ||
| 877c6114 | 2025-03-19 16:35:11 | X509_VERIFY_PARAM_lookup(): avoid passing stack garbage around ok jsing | ||
| 2679f5f9 | 2025-03-19 16:33:59 | Rename pm to param, fix the type of idx and unindent ok jsing | ||
| 5791dff3 | 2025-03-19 16:33:24 | Introduce and use N_DEFAULT_VERIFY_PARAMS ok jsing | ||
| f1e4d1a0 | 2025-03-19 16:31:47 | X509_VERIFY_PARAM_get0(): use consistent idiom for default_table access ok jsing | ||
| b819b031 | 2025-03-19 16:30:44 | X509_VERIFY_PARAM_lookup(): remove unnecessary braces and add empty line ok jsing | ||
| 662af18e | 2025-03-19 16:29:37 | X509_VERIFY_PARAM_get_count(): make NULL check explicit ok jsing | ||
| a4e7a958 | 2025-03-19 16:26:20 | X509_VERIFY_PARAM_get0: avoid out of bounds access when id < 0 ok jsing |