IABSD.fr/src/lib/libcrypto

Branch :


Log

Author Commit Date CI Message
21ec3d9e 2026-05-16 07:12:27 x509_prn: zap more than useless comments
23bf55ed 2026-05-16 07:10:30 x509_prn: hoist unknown_ext_print() above its only caller; drop prototype
47603321 2026-05-16 07:06:35 asn1_print_obstring_ctx: cast to const char * rather than char * Another call to BIO_dump_indent() that cast away const for no good reason.
6e75a92b 2026-05-16 06:30:53 unknown_ext_print: avoid casting away const The BIO_dump_indent() API masterpiece expects a const char pointer as input. Don't cast away const when suppressing pointer sign warnings. Prompted by a report by N. Dossche ok kenjiro
d0081f8f 2026-05-16 06:27:05 Ensure X509V3_EXT_print() only returns 0 and 1 In a rare mistake by schwarze, X509V3_EXT_print() is documented to return 0 and 1. This is also what most internal callers expect. However, if either X509V3_EXT_DUMP_UNKNOWN or X509V3_EXT_PARSE_UNKNOWN is set, the extension has an unknown NID or on failure to deserialize the extension value, the return values of BIO_dump_indent() (which is number of bytes written or -1 on error) and ASN1_parse_dump() (which is 0, 1, or 2 on EOC) are propagated. Follow what OpenSSL did and translate to Boolean returns. Error indicators are rather useless here since most errors are ignored anyway. Most callers do if (!X509V3_EXT_print(...)) but they also pass a zero flag. Reported by N. Dossche ok kenjiro
b3e8cfe5 2026-05-16 06:26:28 remove unused ssleay.cnf file; ok tb@
bf8adbcc 2026-05-16 06:17:05 ASN1{,_parse}_dump: document return value 2 on EOC Prompted by a report by N. Dossche ok kenjiro
b089cf41 2026-05-16 06:15:22 BIO_dump: Xr BIO_printf rather than BIO_write/fwrite Prompted by a report by N. Dossche ok kenjiro
0d274ac1 2026-05-14 11:00:10 Sync cert.pem with mozilla roots; quite a few CA certificates were either removed or distrusted for web so are removed here. ok tb@ Common policies (moz, google, ca/b) are now to distrust roots with key material created before a certain time (currently 2008, this rolls forwards by 2 years each April until 2029 when it moves to '15 years from creation'), and also roots used for TLS are not permitted to be shared with other purposes (Secure Email, Code Signing, or others). This removes all root certificates from the following CA operators: -AffirmTrust - /C=US/O=AffirmTrust/CN=AffirmTrust Commercial - /C=US/O=AffirmTrust/CN=AffirmTrust Networking - /C=US/O=AffirmTrust/CN=AffirmTrust Premium - /C=US/O=AffirmTrust/CN=AffirmTrust Premium ECC -Firmaprofesional SA - /C=ES/O=Firmaprofesional SA/2.5.4.97=VATES-A62634068/CN=FIRMAPROFESIONAL CA ROOT-A WEB -SecureTrust Corporation - /C=US/O=SecureTrust Corporation/CN=Secure Global CA - /C=US/O=SecureTrust Corporation/CN=SecureTrust CA -TeliaSonera - /O=TeliaSonera/CN=TeliaSonera Root CA v1 -Trustwave Holdings, Inc. - /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global Certification Authority - /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global ECC P256 Certification Authority - /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global ECC P384 Certification Authority -certSIGN - /C=RO/O=certSIGN/OU=certSIGN ROOT CA -e-commerce monitoring GmbH - /C=AT/O=e-commerce monitoring GmbH/CN=GLOBALTRUST 2020 ...and some but not all root certificates from these (the ones without - are still remaining): COMODO CA Limited - /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority Dhimyotis - /C=FR/O=Dhimyotis/CN=Certigna /C=FR/O=Dhimyotis/OU=0002 48146308100036/CN=Certigna Root CA DigiCert Inc - /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root G2 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root G3 - /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G3 - /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Trusted Root G4 Entrust, Inc. - /C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2009 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2 - /C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Root Certification Authority - EC1 /C=US/O=Entrust, Inc./OU=www.entrust.net/CPS is incorporated by reference/OU=(c) 2006 Entrust, Inc./CN=Entrust Root Certification Authority Google Trust Services LLC /C=US/O=Google Trust Services LLC/CN=GTS Root R1 - /C=US/O=Google Trust Services LLC/CN=GTS Root R2 /C=US/O=Google Trust Services LLC/CN=GTS Root R3 /C=US/O=Google Trust Services LLC/CN=GTS Root R4 QuoVadis Limited /C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 1 G3 - /C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2 /C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2 G3 - /C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 3 /C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 3 G3 SwissSign AG - /C=CH/O=SwissSign AG/CN=SwissSign Gold CA - G2 /C=CH/O=SwissSign AG/CN=SwissSign RSA TLS Root CA 2022 - 1 This is based on changes hitting the Mozilla release branch https://raw.githubusercontent.com/mozilla-firefox/firefox/refs/heads/release/security/nss/lib/ckfw/builtins/certdata.txt but the individual commits are easier to see here: https://hg-edge.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt
95317e4b 2026-05-12 15:07:30 Add a guarded .note.GNU-stack section to crypto assembly files. Add a .note.GNU-stack section to avoid ending up with an executable stack on toolchains that believe we should have an executable stack by default. Reported by ruuda on Github. Discussed with tb@
3e8b0da3 2026-05-10 10:35:20 Slightly adjust BUGS section for X509_addr_add_range() Since x509_addr.c r1.95 X509_addr_add_range() clears the unused bits in the maximum, so this is is only true in some implementations.
a1505993 2026-05-09 10:52:02 PKCS#12: fix erroneous error check in PKCS12_newpass() This is an error I introduced in a refactoring two years ago in r1.20. This means that nothing uses this... From Frank Denis via logan
84482c2d 2026-05-09 07:14:42 Use uint32_t instead of SHA_LONG in the SHA-256 code. This is more readable and we already have a compile time assert that they are the same size. ok tb@
f35adb27 2026-05-09 07:12:51 Use W rather than X for the SHA-256 message schedule. This more closely matches the SHA-256 specification in FIPS 180-4. ok tb@
7b35a4fe 2026-05-09 07:11:05 Use consistent variable names in the sha256 code. Use 'ctx' rather than 'c' for the SHA256_CTX and use data/len rather than d/n. ok kenjiro@ tb@
0eb29a10 2026-05-09 07:08:43 Use crypto_add_u32dw_u64() to increment SHA-256 message bit counter. ok kenjiro@ tb@
dcbba1f6 2026-05-09 07:03:49 Correct argument type for SHA context. These are SHA_CTX not SHA256_CTX.
ca56b5a4 2026-05-09 07:02:29 Correct argument type in comments.
68af95de 2026-05-08 05:15:20 remove bogus ifdefs; ok tb@
09c0e9f1 2026-05-08 04:28:28 x509_purp: fix doc comment for check_ca() This comment has gotten out of sync with reality. The "I don't know..." fallback was removed and a special case for netscape CAs was added. Sync from the manual and add some more details. Pointed out by Maximilian Radoy in https://github.com/libressl/portable/issues/1274 ok kenjiro
ef976b65 2026-05-07 15:50:47 Use macros for global functions and objects within SHA assembly. This lets us remove some of the repetitive statements and allows for them to be adjusted for various platforms. ok kenjiro@ tb@
eaa7a734 2026-05-07 15:41:37 Use defines for symbol offsets in aarch64 assembly. These also very between platforms. ok kenjiro@ tb@
94719c1d 2026-05-07 15:40:33 Use defines for text and rodata section names in SHA assembly. These vary between platforms. ok kenjiro@ tb@
c4e88d03 2026-05-07 15:38:03 Use a define based instruction separator in SHA assembly. Unfortunately, not all assemblers use the same instruction separator. In particular, LLVM on macOS uses %% as an instruction separator, while most other assemblers use a semi-colon. ok kenjiro@ tb@
e504a2af 2026-05-04 20:44:36 mlkem: also zero the failure_key from logan https://github.com/libressl/openbsd/pull/154
3aaacd8a 2026-05-04 13:55:20 verifier: re-enable the callback override for depth kirill reported that his nginx reverse proxy setup stopped working with x509_verify.c r1.74 and r1.75. It turns out that nginx relies on a verify callback that always returns 1. In revision 1.74 we removed the possibility of the verify_cb() to override X509_V_ERR_CERT_CHAIN_TOO_LONG, which is what breaks the config in kirill's setup since it used to use the nginx default of setting the depth to 1. Re-enable this to make the new scenario "2a with depth 1 and depth callback" pass. As shown by the other new test scenario "14b with yolo calback" with a "just say yes" cb, the guard added in r1.74 still prevents the overwrite. This makes kirill's reproducer work as verified by kirill and myself. It was also tested by kirill in the real life setup. discussed with beck ok jsing kenjiro
80ba1745 2026-04-26 17:58:58 make_addressRange: unused bits in max must be zero X509v3_addr_add_range() requires that min and max of an address range have network encoding. In the RFC 3779 encoding of an actual address range (as opposed to a prefix) as a SEQUENCE OF two ASN.1 BIT STRINGs, the trailing one bits of the maximum become unused bits and therefore must be DER encoded as zeroes. The DER encoder will clear them via i2d but these trailing ones are annoying. Make a copy in which the unused bits are cleared. ok kenjiro
443952c0 2026-04-26 04:19:11 Fix PKCS7_set_{un,}signed_attributes() In both these functions, if the X509_ATTRIBUTE_dup() fails, the remainder of the sk stack is shared with p7si->{un,}auth_attr and the caller will likely end up freeing it twice. Fix this by writing another sk_deep_copy() patterned after the existing ones in x509_lu.c and x509_vpm.c. PKCS7_set_{un,}signed_attributes() become trivial wrappers of that. ok jsing kenjiro
7da61030 2026-04-25 10:54:30 pkcs7: drop silly use of i in PKCS7_dataVerify() ok jsing kenjiro
b239058e 2026-04-25 10:53:13 pkcs7: don't use i, j for NIDs in PKCS7_dataFinal() Use nid for NIDs and use i only for for loops. ok jsing kenjiro
66e0b98d 2026-04-25 10:50:50 pkcs7: don't use i and j for NIDs in PKCS7_dataDecode() There's no need to assign to i before the switch and j is a terrible name for a NID. Inline the latter and switch directly over the return value of OBJ_obj2nid(). ok jsing kenjiro
69950265 2026-04-25 10:48:59 pkcs7: avoid assignment to i in PKCS7_dataInit() We can switch over the return value of OBJ_obj2nid() rather than using i for an indirection. ok jsing kenjiro
6c5f0280 2026-04-25 10:30:11 pkcs7: Simplify PKCS7_type_is_other() Remove unnecessary isOther and nid variables and use direct returns. The function should probably be removed... ok jsing kenjiro
921eb3c3 2026-04-25 05:47:03 Add FIPS 180-4 references for SHA-256 constants.
a7010633 2026-04-24 15:10:20 Simplify PKCS7_get_issuer_and_serial() The i variable is unused. Likewise for the first assignment to ri. Instead of an incomplete check that idx is in range, which still results in a NULL deref if idx < 0, check if ri is not NULL before accessing, as sk_value() checks the index correctly. ok jsing kenjiro
9ce5d767 2026-04-20 08:14:29 mlkem: use <openssl/mlkem.h> instead of "mlkem.h" patch from portable
e0a2ac41 2026-04-20 04:26:12 ec_pmeth: fix 20yo comment: *outlen -> *keylen
0486237e 2026-04-13 17:04:23 Prior to this we substring matched and allowed a leading . on a SAN DNSname constraint. This is not correct, as with a DNSname constraint, it may exacly match or match zero or more additional components on the front of the candidte to match. Spotted by Haruto Kimura <hkimura2026@gmail.com> ok tb@ kenjiro@
15cb22fd 2026-04-08 05:30:20 Bump LibreSSL version for the release ok deraadt
4b39dd3d 2026-04-07 13:16:41 Rename labellen to label_len Requested by jsing, ok beck
2fc71f32 2026-04-07 13:15:29 Fix NULL deref for malformed OAEP parameters in CMS decryption This converts rsa_cms_decrypt() to use X509_ALGOR_get0() and fixes a NULL deref when a parameter is (invalidly) omitted similar to the fix in ec/ec_ameth.c r1.66 from a couple years back. There is currently an XXX annotating a hairy leak due to trying to be smart and stealing the parameters from the oaep object. Instead, just make a copy of the label string and free it in the exit path. The diff adds an error for labellen == 0 since that is an invalid encoding of pSpecifiedEmpty (see RFC 8017) -- per the DER the default must be omitted. This way we avoid a malloc(0) implementation-defined behavior. This minor issue was assigned CVE-2026-28390 by OpenSSL and was reported by too many to list. The fix is my own. It is similar to OpenSSL's fix only because I rewiewed theirs and suggested an improvement or two. This is the last of the "security fixes" in today's OpenSSL release that "affect" LibreSSL. All the other bugs were already fixed a few years back or we didn't have the code/bugs in the first place. ok beck jsing
c74741bd 2026-04-07 13:02:50 Refactor and fix ocsp_find_signer_sk() Instead of reaching deep inside the OCSP_BASICRESP and ignoring its semantics and then try to untangle things in ocsp_find_signer_sk(), pass the OCSP_BASICRESP and use OCSP_resp_get0_id() which has the logic built in. Avoids a crash if you call OCSP_basic_verify() after OCSP_BASICRESP_new() without OCSP_basic_sign(). This cannot happen on a deserialized OCSP object. Prompted by a report by Kamil Frankowicz, Jan Kaminski, Bartosz Michalowski. ok jsing
9ad5b7ec 2026-04-07 12:52:19 Add a few to-do items to the crl_cb() Prompted by the "fix" fighting symptoms of misdesign in Delta CRL processing rather than addressing the root cause. Probably the best fix is to remove support for Indirect CRLs and Delta CRLs outright. ok jsing
842a6bbe 2026-04-07 12:48:37 Stop Delta CRL processing if a CRL number is misssing A malformed Delta CRL could cause a crash. Funnily enough the deserializer recognizes this and marks such a CRL as invalid, but nothing ever checks the EXFLAG_INVALID for CRLs. For certificates this would usually result in verification failure due to x509v3_cache_extensions() failing. This is only reachable if the X509_V_FLAG_USE_DELTAS is used, which only a handful of ports do, plus openssl(1) does if you use the undocumented -use_deltas flag. Reported by Igor Morgenstern to OpenSSL who then sat on this since Jan 8 and assigned CVE-2026-28388. ok jsing
e7e66f06 2026-04-06 08:24:57 x509v3.h: remove pointless #ifdef HEADER_CONF_H x509v3.h has included conf.h since June 20, 1999, OpenSSL commit ba404b5e, so HEADER_CONF_H has been defined since then. Also since then, CONF_VALUE (only available via conf.h) has been used outside of HEADER_CONF_H, making that #ifdef doubly pointless. ok bcook jsing kenjiro
1155ce2f 2026-04-06 08:18:19 cms_local.h: remove #ifdef X509V3_HEADER_H All thirteen files including cms_local.h do that after including cms.h, which already includes x509v3.h, so this is always defined. While here make the cms_local.h a bit more selfstanding by including asn1.h and x509v3.h ok bcook jsing (who had the same diff) kenjiro
63d3a7e3 2026-04-01 14:38:26 Restore the previous behaviour with maximum verification depth. The maximum depth is not expected to include the leaf certificate - restore the decrement prior to checking, which means the previous behaviour is retained for the callback depth and the maximum depth. Reduce the maximum depth by one in order to avoid the overwrite that could previously occur. Thanks to anton@ for flagging the rust-openssl failure in regress. ok tb@
e9af5eb5 2026-03-31 13:58:05 Fix an off-by-one error in the X.509 verifier depth checking. In x509_verify_build_chains(), ensure that we check the current depth against max_depth prior to turning it into a legacy-style depth index. Additionally, add a guard to x509_verify_chain_append() so that we avoid exceeding the maximum certs per chain, even if we fail to handle this correctly elsewhere. Also prevent the legacy callback from being able to override the maximum verification depth. The current off-by-one allows for a 4 byte overwrite to occur on heap allocated memory - this will likely trigger a crash on OpenBSD (but may go unnoticed elsewhere). This is only reachable if a TLS client is talking to a malicious server or if a TLS server has client certificate verification enabled - in both cases the verification depth also needs to be set to the maximum allowed value of 32. It is worth noting that many TLS clients/servers set the maximum verification depth to a value that is much less than the default. A libtls client or server uses a default depth of 6 and is not impacted in this configuration. Thanks to Calif.io in collaboration with Claude and Anthropic Research, for reporting the issue. ok tb@
6b1826a5 2026-03-29 06:31:07 ML-KEM: ensure that key_768 is only dereferenced with 768-bit keys This looks like a NULL dereference that should crash, but for some reason it doesn't, even with -O0 with all compilers i tried. At the very least it may result in compilers deducing that key_768 != NULL and lead to incorrect optimizations. ok claudio jsing kenjiro miod
b39c1312 2026-03-28 13:11:28 Include crypto_assembly.h instead of manually ensuring _CET_ENDBR exists. ok kenjiro@ tb@
8a6c24b7 2026-03-28 13:09:55 Provide a crypto_assembly.h internal header. This will contain defines and macros that we need for assembly code, without polluting other headers that are primarily used for C code. For now, this just unconditionally provides _CET_ENDBR on amd64. ok kenjiro@ tb@
679f4ad7 2026-03-18 21:50:06 sync with Mozilla root CA store, ok tb@ - remove CommScope CA (they requested it themselves; https://bugzilla.mozilla.org/show_bug.cgi?id=1994866) - add new cert: /C=HU/L=Budapest/O=Microsec Ltd./2.5.4.97=VATHU-23584497/CN=e-Szigno TLS Root CA 2023
011d0bee 2026-03-18 08:02:40 libcrypto: prefix EC_KEY methods with ec_key_ We received reports that the too generic internal ecdsa_{sign,verify}() symbol names clash in some static links. The naming here is annoying because the EC_KEY_METHOD amalgamated the no longer existing ECDH and ECDSA methods which themselves had poorly chosen method names, still reflected in public API. There are various messes here. The ECDSA verify methods are declared in ec_local.h, whereas the ECDSA sign methods are in ecdsa_local.h (which is itself pretty useless and really only about EC_KEY_METHOD). I therefore merged the ECDSA method declarations into ec_local.h and deleted ecdsa_local.h since I see no real benefit to the latter. ecdsa.c needs ec_local.h anyway. Having the method declarations next to EC_KEY_METHOD seems sensible. I left the order as it was, matching ecdsa.c. The eckey_compute_pubkey() prototype should probably be moved down. With one exception I just added an ec_key_ prefix. This leads to a a repetition of 'key' in ec_key_ecdh_compute_key() which I chose to live with because it matches the public ECDH_compute_key() (mostly used by SSH implementations). The exception is ec_key_generate_key() where I expanded the gen() leading to another _key repetition but this then matches EC_KEY_generate_key(). Thanks to Rosen Penev for reporting and sending an initial diff. See also https://github.com/gsliepen/tinc/issues/478 ok jsing
abd14a70 2026-03-16 22:19:32 Move ECDSA_SIG_st definition to its only consumer, ecdsa.c
c1cc2b6b 2026-03-10 05:50:11 Fix BIO_get_mem_data(3) return value documentation pointed out by/ok dlg
ade1f424 2026-03-10 05:28:31 use the "e" flag with fopen() for O_CLOEXEC; ok tb
23930336 2026-03-10 05:26:04 use O_CLOEXEC; ok tb
b5238f8b 2026-03-06 09:22:29 mlkem: use timingsafe_memcmp() in decapsulation Replace memcmp() with timingsafe_memcmp() when comparing the re-encrypted ciphertext. FIPS 203 Section 6.3 defines this comparison result as a secret piece of intermediate data that must not be revealed in any form. ok tb
9645f12e 2026-02-08 17:17:03 a_bitstr.c: fix includes
ecdf382f 2026-02-08 12:34:05 More ec_point_cmp() turd polishing jsing prefers doing all computations first and comparing at the end. This means we do more work when we fail and no longer (ab)use err as an out label. Also split out one more helper. ok jsing
69569129 2026-02-08 10:27:00 Make truncation in ASN1_BIT_STRING_set_bit() explicit Instead of relying on i2c_ASN1_BIT_STRING() to determine the "unused" bits on encoding, set them explicitly in abs->flags via a call to asn1_abs_set_unused_bits(). This means ASN1_STRING_FLAGS_BITS_LEFT is now set on a bit string, which was previously explicitly cleared. This also means that the encoding of a non-zero ASN1_BIT_STRING populated by setting the bits individually will now go through the if (a->flags & ASN1_STRING_FLAG_BITS_LEFT) path in i2c_ASN1_BIT_STRING(). The most prominent usage of this function is in X.509 for the keyUsage extension or the CRL reason codes. There's also the NS cert type, TS PKIFailureInfo and general BITLIST config strings. The reason for the truncation logic comes from the DER for NamedBitLists X.690, 11.2.2 below: X.680, 22.7: When a "NamedBitList" is used in defining a bitstring type ASN.1 encoding rules are free to add (or remove) arbitrarily any trailing 0 bits to (or from) values that are being encoded or decoded. Application designers should therefore ensure that different semantics are not associated with such values which differ only in the number of trailing 0 bits. X.690, 11.2.2 Where ITU-T Rec. X.680 | ISO/IEC 8824-1, 22.7, applies, the bitstring shall have all trailing 0 bits removed before it is encoded. Note 1 - In the case where a size constraint has been applied, the abstract value delivered by a decoder to the application will be one of those satisfying the size constraint and differing from the transmitted value only in the number of trailing zero bits. Note 2 - If a bitstring value has no 1 bits, then an encoder shall encode the value with a length of 1 and an initial octet set to 0. ok kenjiro (on an earlier version) jsing
6a5ee414 2026-02-07 17:12:47 replace buggy strncmp with strcmp found with clang-tidy Found the same fix from davidben in BoringSSL as well (https://boringssl-review.googlesource.com/c/boringssl/+/87927). OpenSSL appears to have accidentally changed the semantics here with the HAS_PREFIX macro, which appears to be incorrect. discussed w/ tb@ & beck@
ffeb3c47 2026-01-30 14:33:33 EVP_SealInit.3: fix RETURN VALUES section While normal calls return 0 for error and npubk for success, there is a case where it returns the usual 1/0 thing. Make that explicit. Prompted by a report by Niels Dossche ok jsing kenjiro
30acd038 2026-01-30 14:26:04 EVP_OpenInit.3: fix RETURN VALUES section This has been incorrectly documented since forever. The function only ever returned 0/1. ok jsing kenjiro
738b7c03 2026-01-30 13:57:13 EVP_SealInit(): clear random key on exit ok jsing kenjiro
c155467f 2026-01-30 13:54:28 EVP_{Open,Seal}Init(): remove redundant EVP_CIPHER_CTX_reset() calls The subsequent EVP_{Decrypt,Encrypt}Init_ex() calls already do that. pointed out by jsing
77cc332b 2026-01-30 13:51:44 EVP_SealInit(): minor cleanup. Explicitly compare pointers against NULL, turn the function into single exit, add hint at why npubk <= 0 or pubk == NULL are a success path: The documentation briefly explains that EVP_OpenInit() and EVP_SealInit() is able to initialize the EVP_CIPHER_CTX in two steps exactly like the EVP_CipherInit_ex() API they wrap: the first call with non-NULL cipher (aka type) only sets the cipher on the ctx, then it returns to allow callers to customize the EVP_CIPHER_CTX, and a second call with cipher == NULL skips the initialization and finishes the ctx setup by setting key and iv. Prompted by a report by Niels Dossche. ok jsing kenjiro
0904d53e 2026-01-30 13:47:22 EVP_SealInit: do not return -1 on error It is documented that EVP_SealInit() returns 0 on error. So -1 is wrong. Reported by Niels Dossche ok jsing kenjiro
ad2d97e1 2026-01-30 13:42:46 EVP_OpenInit(): minor cleanup Explicitly compare pointers against NULL, turn the function into single exit and explain why priv == NULL is a success (hint: muppet API). Prompted by a report by Niels Dossche. ok jsing kenjiro
2cb4d48e 2026-01-27 14:18:32 Avoid type confusion in the timestamp response parsing A malformed v2 signing cert can lead to a type confusion, and the result is a read from an invalid memory address or NULL, so a crash. Unlike for OpenSSL, v1 signing certs aren't affected since miod fixed this in '14. Reported by Luigino Camastra, fix by Bob Beck, via OpenSSL, CVE 2025-69420. ok jsing
b99e5615 2026-01-27 14:14:20 Avoid type confusion in PKCS#12 parsing A type confusion can lead to a 1-byte read at address 0x00-0xff, so a crash. Reported by Luigino Camastra, fix by Bob Beck, via OpenSSL, CVE 2025-22795 ok jsing
7a3d6f69 2026-01-27 14:03:01 Add NULL pointer check to PKCS12_item_decrypt_d2i() Avoids a NULL pointer dereference triggerable by a malformed PCKS#12 file. From Luigino Camastra via OpenSSL (CVE-2025-69421) ok jsing
877296eb 2026-01-25 08:22:17 Make SHA aarch64 assembly build with gcc. gcc is extremely fussy about register naming and insists on q and s naming for the ARM CE SHA instructions, even though they're referring to the same register (while LLVM just figures it out). Work around this by mapping registers to their required variant at usage and defining a handful of mappings between v registers and alternate names/views. This is still somewhat ugly, but seems to be one of the cleaner options that will allow portable to enable SHA assembly on platforms that use gcc. ok kenjiro@ tb@
09f01e6f 2026-01-24 14:20:52 Tidy instruction separators in SHA assembly. Remove unnecessary separators and add a few to macros that call other macros (instead of expecting them to exist).
cd5380a6 2026-01-23 08:32:22 DH_check: teach this DoS vector about RFC 7919 primes ok beck
70527ff1 2026-01-23 08:29:04 bn_const: add RFC 7919 primes There is no intention to expose these via public API or to use them in TLS. For now these will only be used for short-circuiting pointless expensive computations in DH_check(). ok beck
9ac14cf7 2026-01-23 08:21:52 Scapy special for DH_check() The latest release of Scapy calls DH_check() on all the well-known Diffie-Hellman parameters for RFCs 2409, 3526, and 7919. It does this via pyca/cryptography at startup. Every single time. This is obviously very expensive, due to our 64 MR rounds (which are complete overkill now that we have BPSW). Instead of pondering the ideal number of rounds for BPSW with FFDH, simply skip the check if the parameter matches a well-known prime. These are known to be safe primes, so we can skip those super-expensive and pointless checks without any risk. This is only done for the public dh->p parameter. It could be further optimized, but with the follow-up commit adding the RFC 7919 primes this reduces the startup time to what it was before Scapy 2.7.0: < 1s. Reverting from 64 MR rounds to BN_check_primes rounds, we would still have ~8s startup time without this optimization, which isn't great for an interactive tool. Clearly, it's not entirely our fault, it's also Scapy and cryptography that do something ... suboptimal, but I think we're better off if DH_check() isn't a complete DoS vector. If you're using non-standard parameters with FFDH, you deserve it. We could consider adding a flag for non-well-known p and thus making DH_check() indicate failure for candidate primes larger than, say, 4k. https://github.com/pyca/cryptography/issues/14048 ok beck kenjiro
3d382964 2026-01-18 10:07:44 Rewrite ec_point_cmp() This removes some complications due to handling the fast path for affine points and general points at the same time. The result is a bit more code but both paths should be much easier to follow. ok jsing kenjiro
ed05f7f1 2026-01-18 08:58:31 mlkem: fix mklem_{generate_key,encap}_external_entropy() declarations The prototypes used sized arrays appropriate only for MLKEM768 while the declarations used pointers. For some reason clang doesn't flag this but gcc does. In any case it was wrong. The callers of these functions check that they pass in the correct size. Which is weird but the mlkem directory has an unbelievable amount of mess and bad code. found by/ok jsing
37562c15 2026-01-18 08:49:42 mlkem: garbage collect the unusd mlkem_{generate_key,encap}() These are flagged by more recent gcc since declarations and definitions don't match (sized array vs pointer). Also an array was checked for NULL. found by/ok jsing
6903f049 2026-01-17 16:18:31 Provide LIBRESSL_USE_.*_ASSEMBLY defines. Make life easier for portable by providing LIBRESSL_USE_.*_ASSEMBLY defines, which enable/disable assembly for a specific algorithm. This means that selected platforms can include the assembly files and specify a define, rather than having to try to patch the crypto_arch.h headers. Discussed with tb@
f5df22e6 2026-01-17 14:53:09 Replace MD5_ASM with function specific defines. Use the same pattern that is now used for most other code - provide HAVE_MD5_BLOCK_DATA_ORDER and use this to selectively enable source code.
aab30bc8 2026-01-17 14:30:37 Replace GHASH_ASM with function specific defines. Use the same pattern that is now used for most other code - provide HAVE_* defines for functions and use these to selectively enable source code.
2a97c3df 2026-01-17 13:55:30 Mop up unused AES_ASM and RSA_ASM defines. These have not been used for quite some time.
14fe603b 2026-01-17 06:31:45 Use .section before .rodata to appease gas. gas dislikes bare .rodata - add .section before .rodata to make it happier (LLVM does not care and is happy with either). For consistency, do the same with .text.
ef798222 2026-01-17 06:23:42 Use local label prefix for loop labels.
f49d58ab 2026-01-16 18:31:12 mlkem_internal.h: formate -> format
7f11c9d6 2026-01-16 18:29:58 mlkem_internal.h: some very basic copy editing
84603685 2026-01-16 18:28:04 mlkem.h: Thie -> This (2x)
5ea2c472 2026-01-16 18:27:22 mlkem.c: becuase -> because
8105fbd9 2026-01-16 09:25:15 asn1t.h: whitespace tweaks Add missing space after commas, shorten a couple comments in structs, reflow weirdly wrapped long comments and improve the random line breaks in typedefs and prototypes.
36d72730 2026-01-16 09:21:48 asn1t.h: Otherwiser -> Otherwise
cbcd6175 2026-01-16 09:19:20 asn1t.h: more macro cleanup, add missing C99 initializers for ADB_ENTRY() ok kenjiro
2365de6b 2026-01-14 17:43:49 stack.c: avoid arithmetic on pointers to void In stack.c r1.34 I converted one 'char *' too many to 'void *', thereby relying on a gcc/clang extension which interprets the fictional void type as a type of size 1 (that's what the stack code wants, fortunately). As pointed out in the link below, -Wpointer-arith would have caught this: https://gcc.gnu.org/onlinedocs/gcc/Pointer-Arith.html MSVC flags this as follows: D:\a\portable\portable\crypto\stack\stack.c(211,23): error C2036: 'const void *': unknown size [D:\a\portable\portable\build\crypto\crypto_obj.vcxproj]. Pull in workaround from the portable repo which undoes the char * -> void * conversion. ok jsing millert
c53725c2 2026-01-12 22:08:34 x509_utl.c: zap two useless comments
ca901737 2026-01-11 07:52:34 More asn1t.h cleanup This converts more macros to C99 initializers. Rename flags and tags arguments by appending val because they collide with the field names. The remainder are whitespace changes. ok kenjiro
ce6dd5f9 2026-01-09 03:46:44 asn1t.h: add C99 initializers for some ASN.1 templates This is a first pass at tidying up the unsightly mess that is asn1t.h. For better or worse, we have expanded the macros internally, and in base only rpki-client uses the templates. They are generally rarely used. Fortunately. Having C99 initializers helps a lot with debugging templated ASN.1 by combining cc -E with clang-format. They make the macros more readable, look tidier and help with grep. ok kenjiro
2bce6ca4 2026-01-09 03:34:30 asn1t.h: whitespace nit
33bd6bfb 2026-01-07 10:18:35 Fix ASN1_ADB_END macro, make it compatible with OpenSSL In asn1t.h r1.18 (commit 9b72422d) I removed the app_items member from ASN1_ADB and failed to fix up the ASN1_ADB_END() macro that populates the ASN1_ADB. This means ASN1_ADB_END() tried to initialize one member too many and would thus cause a compilation failure, so nobody uses this with LibreSSL. Internally, we have expanded all its uses. We could leave it broken or fix it up. Take the opportunity to add an unused adb_cb() argument instead, making the macro invocation compatible with OpenSSL. ok jsing kenjiro
5f4d5fda 2026-01-05 05:23:56 ASN.1 templates: make internal *_PUBKEY_it static