Branch :
| Author | Commit | Date | CI | Message |
|---|---|---|---|---|
| 902bfdca | 2025-01-27 14:02:31 | Mop up RC4_INDEX. The RC4_INDEX define switches between base pointer indexing and per-byte pointer increment. This supposedly made a huge difference to performance on x86 at some point, however compilers have improved somewhat since then. There is no change (or effectively no change) in generated assembly on a the majority of LLVM platforms and even when there is some change (e.g. aarch64), there is no noticable performance difference. Simplify the (still messy) macros/code and mop up RC4_INDEX. ok tb@ | ||
| a6636ef5 | 2025-01-27 10:29:41 | X509_NAME_print(): remove no longer useful length check This was needed to avoid truncation on BIO_write(). With the switch to BIO_printf() in the previous commit this is no longer needed. | ||
| d209baed | 2025-01-27 08:05:02 | X509_NAME_print: NUL-terminate and switch to BIO_printf() This handles the empty string, which ruby-openssl checks. Pointed out by anton | ||
| ffc1d37c | 2025-01-27 04:24:46 | x509_obj.c: be better at sorting | ||
| 819724e5 | 2025-01-26 21:05:19 | x509_obj.c: fix includes | ||
| 9c33610f | 2025-01-26 20:18:26 | Rework X509_NAME_print() This is legacy API that we can unexport since nothing uses it directly. Unfortunately we need to keep the functions because there are plenty of things that use it indirectly by passing XN_FLAG_COMPAT to X509_print_ex(). The old implementation parsed the X509_NAME_oneline() output in order to remove the / preceding the (one or two-uppercase letters) name and to insert ", " afterward. This is just stupid in so many ways, not least because there's basically no limit to the garbage that you can stuff into an X.500 name. So rework this and only include the name entries whose short names are one or two letters long. This way, this becomes slightly saner and less fragile. ok jsing | ||
| 2321e207 | 2025-01-26 20:01:58 | Rewrite X509_NAME_ENTRY_oneline() using CBB and CBS This splits the horrid spaghetti into a few relatively straightforward helpers which do one thing at a time. There are still some spectacular dances around ASN1_GENERALSTRING, but let's blame that one on X.500. In brief, X509_NAME_ENTRY_oneline() iterates over the name entries, and writes out a line /name1=value1,/name2=value2,... which you may have seen variations of in issuer or subject output. The name is the short name or the long name or the textual representation of the OID (truncated to 79 characters) and the value is a string where printable ASCII characters are represented as themselves and otherwise as hexadecimal digits preceded by \x. Except for GENERALSTRING, where the four octet representation is shortened to single-octet representation if none of the top three octets in the entire string is populated. It's the mother of all pretty things. But, hey, you could do worse and try to parse this garbage... ok jsing | ||
| 71585515 | 2025-01-26 13:51:41 | x509_utl.c: use normal order of internal headers | ||
| 515aa502 | 2025-01-25 17:59:44 | Remove #error if OPENSSL_NO_FOO is defined discussed with jsing | ||
| 6d90e046 | 2025-01-25 13:15:21 | Garbage collect field_type member of the EC methods ok jsing | ||
| a9bbc4f7 | 2025-01-25 13:13:57 | Promote a few functions from EC API to garbage bin EC_GROUP_method_of() and EC_METHOD_get_field_type() only ever used chained together as a convoluted means to retrieve the field type of a group. This is no longer useful since the answer will always be NID_X9_62_prime_field. EC_POINT_method_of(), EC_GROUP{,_have}_precompute_mult(): exposed by one of those expose-everything perl XS modules. ok jsing | ||
| 363913fa | 2025-01-25 10:37:50 | Remove now unused internal ec_group_get_field_type() ok jsing | ||
| 46639ee8 | 2025-01-25 10:36:50 | Remove calls to ec_group_get_field_type() from EC_GROUP_cmp() ok jsing | ||
| ff0b5b20 | 2025-01-25 10:34:36 | Make EC_KEY_precompute_mult() return 1 directly This hasn't done anything in a long time. Only dovecot uses an unchecked call to this. With this we can remove EC_GROUP_precompute_mult(). ok jsing | ||
| c2649b15 | 2025-01-25 10:30:17 | Simplify ecpk_print_explicit_parameters() At this point the NID is always NID_X9_62_prime_field, so we can use SN_X9_62_prime_field directly rather than getting the field type from the method and then converting the nid to an sn with OBJ_nid2sn(). ok jsing | ||
| 9453f7aa | 2025-01-25 10:27:58 | Simplify ec_asn1_group2fieldid() The field_type is always NID_X9_62_prime_field, no need to encode and retrieve this from the group method. ok jsing | ||
| 2241b000 | 2025-01-24 13:38:28 | Remove now unused perlasm script for MD5 on amd64. | ||
| 82ab76e1 | 2025-01-24 13:35:04 | Provide a readable assembly implementation for MD5 on amd64. This appears to be about 5% faster than the current perlasm version on a modern Intel CPU. While here rename md5_block_asm_data_order to md5_block_data_order, for consistency with other hashes. ok tb@ | ||
| c383f79c | 2025-01-22 12:54:40 | Use simpler (if a bit weird) dup instead of new + copy ok jsing | ||
| b4a69cdb | 2025-01-22 12:53:16 | bn_recp: Avoid complication for negative moduli Instead of doing a weird dance, set the sign on N in BN_RECP_CTX_create(). Since we're not exposing a general purpose calculator API, we can simplify. ok jsing | ||
| 47537ea9 | 2025-01-22 10:12:01 | Rename BN_div_recp() into BN_div_reciprocal() Requested by jsing | ||
| 02fba168 | 2025-01-22 10:08:10 | Split BN_mod_sqr_reciprocal() out of BN_mod_mul_reciprocal() There's no need for BN_mod_mul_reciprocal() to have this complication. The caller knows when x == y, so place the burden on the caller. This simplifies both the caller side and the implementation in bn_recp.c. ok jsing | ||
| 1447fb01 | 2025-01-22 09:56:58 | Remove the mul_generator_ct function pointer from EC_METHOD. There's no need for a separate mul_generator_ct() function pointer - we really only need mul_single_ct() and mul_double_nonct(). And rather than calling ec_mul_ct() and having it figure out which point to use, explicitly pass the generator point when calling mul_single_ct(). ok tb@ | ||
| 077b20bd | 2025-01-22 09:53:16 | Expand the SM4_ROUNDS macro. This macro references variable names that are in the consuming function and are not actually passed to the macro. Expanding it makes the logic clearer. If we wanted to reduce code the middle six group of rounds could be implemented using a for loop (which the compiler can then choose to unroll). ok tb@ | ||
| b6c13eaa | 2025-01-22 09:46:26 | Replace {load,store}_u32_be() with crypto_{load,store}_be32toh(). load_u32_be() and store_u32_be() are not symmetrical, with load_u32_be() having a rather unexpected indexing interface. Fix up the callers to perform their own indexing and use crypto_{load,store}_be32toh() instead. ok tb@ | ||
| 85ca3135 | 2025-01-22 09:42:27 | Pull the family key and constant key tables out of SM4_set_key(). ok tb@ | ||
| e9711763 | 2025-01-22 09:39:56 | BN_mod_mul_reciprocal: remove y == NULL complication No caller ever passes y == NULL, so remove the corresponding contortions and unindent the relevant bits. ok jsing | ||
| 0d1706a1 | 2025-01-22 09:37:07 | Replace rotl() with crypto_rol_u32(). ok tb@ | ||
| ba47179b | 2025-01-21 17:01:25 | EC_GROUP_check(): use accessor rather than reaching into the group The API will be removed soon. This prepares moving it to its only consumer. | ||
| 05328004 | 2025-01-21 15:44:22 | Move BN_RECP_CTX to the heap This introduces a BN_RECP_CTX_create() function that allocates and populates the BN_RECP_CTX in a single call, without taking an unused BN_CTX argument. At the same time, make the N and Nr members BIGNUMs on the heap which are allocated by BN_RECP_CTX_create() and freed by BN_RECP_CTX_free() and remove the unnecessary flags argument. Garbage collect the now unused BN_RECP_CTX_{new,init,set}(). ok jsing | ||
| 295207cc | 2025-01-20 17:50:12 | crypto.h: zap some offensive whitespace | ||
| e05b8d4e | 2025-01-20 12:57:28 | Annotate why EVP_PKEY_CTX_ctrl_str() will stay for a while | ||
| ecb0d0d4 | 2025-01-19 07:51:41 | Improve bit counter handling in MD5. Like most hashes, MD5 needs to keep count of the number of bits in the message being processed. However, rather than using a 64 bit counter this is implemented using two 32 bit values (which is exposed in the public API). Even with this hurdle, we can still use 64 bit math and let the compiler figure out how to best handle the situation (hopefully avoiding compiler warnings on 16 bit platforms in the process!). On amd64 this code now requires two instructions, instead of the previous five. While here remove a comment that is excessively visible and no longer completely accurate (and if you're going to redefine types like MD5_WORD you kinda need to know what you're doing). ok tb@ (who's going to miss the dear diary style comments) | ||
| e5d83da7 | 2025-01-18 14:17:05 | Simplify tls1_check_ec_key() It doesn't need to have optional arguments anymore, so we can pass in values and don't need NULL checks and dereferencing. ok jsing | ||
| e0096704 | 2025-01-18 13:26:51 | Rename grp to group like almost everywhere else | ||
| 1271c85a | 2025-01-18 13:15:31 | Remove parentheses in return statements ok cc + sha256 | ||
| 220e3b7c | 2025-01-18 13:11:58 | Remove two pointless NULL checks The only caller ensures that the EC_KEY is not NULL and passes the address of comp_id on its stack, so neither will be NULL. | ||
| 54d00625 | 2025-01-18 13:07:47 | Drop field determination dance If we get here, we're in a server and have managed to load the cert. The public key is therefore a point on a built-in curve, and we know the group is defined over some prime field. Now it is just a matter of figuring out whether we support the group in libssl. ok jsing | ||
| 29c2420e | 2025-01-18 13:03:02 | Stop pretending we support arbirary explicit groups ok jsing | ||
| 1ef70f4f | 2025-01-18 12:20:37 | Remove SSL_DES and SSL_IDEA remnants ok jsing | ||
| a00bfa08 | 2025-01-18 12:20:02 | SSL_CTX_set_cipher_list: stop mentioning ancient ciphers Support was removed nearly a decade ago. No need to mention this anymore. ok jsing | ||
| 2bba40d4 | 2025-01-18 10:53:04 | Remove last uses of SSL_aDSS ok jsing | ||
| 942444cc | 2025-01-18 10:52:09 | ssl_seclevel: remove comment pertaining to DSA certs ok jsing | ||
| de980744 | 2025-01-18 10:45:12 | Stop mentioning DSA/DSS Support for this went away in 2017, but a few things still mentioned DSA in various contexts. Replace DSA with ECDSA where appropriate and otherwise delete this. It won't work. ok jsing | ||
| f6bb4990 | 2025-01-18 02:56:07 | Use name instead of register. | ||
| 66738ebb | 2025-01-17 22:39:42 | ssl_local.h: does not need to include dsa.h | ||
| 457dff42 | 2025-01-17 15:39:19 | rsa_pmeth: unify strcmp return checks ok jsing | ||
| 728db599 | 2025-01-17 11:11:27 | Replace the remaining group->meth->field_{mul,sqr} These somehow escaped a prior pass. | ||
| d6f80948 | 2025-01-17 10:54:03 | ecp_methods: remove p = group->p indirection This helped a bit with readability when we needed to do &group->p, but now that's no longer needed. discussed with jsing | ||
| f6116716 | 2025-01-17 10:41:31 | ecp_methods: rework field_{mul,sqr}() handling Add wrapper functions that call the methods so that we can get rid of inconsistent use of ugly function pointers with massively overlong lines and other ways of reaching into the methods. ok jsing | ||
| ac07061a | 2025-01-17 08:50:07 | Fix two incorrect strtonum() conversions The atoi() would also accept the magic negative values and old openssl releases would expose these as arguments to -pkeyopt rsa_pss_saltlen:-1 in the openssl pkeyutl "app". While modern openssl switched to having readable alternatives to these, the oseid component of opensc would use the old syntax until yesterday. Still, this is our bug and we need to keep accepting the magic values as such, so do so. Everything below -3 will be rejected by the RSA_ctrl() handler later. Debugged by Doug Engert in https://github.com/OpenSC/OpenSC/issues/3317 ok jsing op | ||
| 10f20e90 | 2025-01-17 05:04:25 | dh_ameth: explcitly -> explicitly | ||
| c5925a46 | 2025-01-17 05:02:18 | asn_mime: deteched -> detached + a knf nit | ||
| 1aa737dc | 2025-01-16 04:02:08 | pcap_open_dead returns pcap_t *, not pcap_t. | ||
| c852d338 | 2025-01-11 21:20:39 | Fix another awful comment in ec_point_cmp() | ||
| f30d1591 | 2025-01-11 21:13:21 | Align vertical backslashes in a macro | ||
| 7b995231 | 2025-01-11 21:07:25 | ec_point_cmp: tidy up an ugly comment | ||
| ca57bd65 | 2025-01-11 20:57:03 | ec_key_gen() is unused outside ec_key.c, so make it static | ||
| 316bbdac | 2025-01-11 20:55:08 | Move EC_KEY_METHOD_DYNAMIC next to the two methods using it Only EC_KEY_METHOD_{new,free}() need to know about this flag, so make that more obvious. | ||
| 989de271 | 2025-01-11 15:32:36 | Remove a weird comment | ||
| 4fb59ff9 | 2025-01-11 15:26:07 | Rename the is_on_curve() method to point_is_on_curve() Rename ec_is_on_curve() to ec_point_is_on_curve() and ec_cmp() to ec_point_cmp(). | ||
| bbf457e4 | 2025-01-11 15:20:23 | Move is_on_curve() and (point) cmp() up These were in the middle of the methods responsible for curve operations, which makes little sense. | ||
| 69100aa7 | 2025-01-11 15:02:42 | Move compressed coordinate setting into public API Now that it is method-agnostic, we can remove the method and move the implementation to the body of the public API function. And another method goes away. We're soon down to the ones we really need. discussed with jsing | ||
| 9868a3fe | 2025-01-11 14:53:46 | Rework ec_point_set_compressed_coordinates() While this is nicely done, it is a bit too clever. We can do the calculation in the normal domain rather than the Montgomery domain and this way the method becomes method agnostic. This will be a bit slower but since a couple of field operations are nothing compared to the cost of BN_mod_sqrt() this isn't a concern. ok jsing | ||
| 44d65b39 | 2025-01-11 14:48:20 | Move ec_points_make_affine() to the right place discussed with jsing | ||
| c21af703 | 2025-01-11 14:38:57 | Move the EC_POINTs API into the garbage bin | ||
| 9581610f | 2025-01-11 13:58:31 | Neuter the EC_POINTs_* API EC_POINTs_mul() was only ever used by Ruby and they stopped doing so for LibreSSL when we incorporated the constant time multiplication work of Brumley et al and restricted the length of the points array to 1, making this API effectively useless. The only real reason you want to have an API to calculate \sum n_i P_i is for ECDSA where you want m * G + n * P. Whether something like his needs to be in the public API is doubtful. EC_POINTs_make_affine() is an implementation detail of EC_POINTs_mul(). As such it never really belonged into the public API. ok jsing | ||
| 830575bd | 2025-01-11 13:41:17 | Remove a pointless check about Z == 1 ok jsing | ||
| 07ff836a | 2025-01-11 13:38:42 | Inline ec_point_make_affine() in the public API Whatever the EC_METHOD, this will always be equivalent to getting and setting the affine coordinates, so this needs no dedicated method. Also, this is a function that makes no real sense since a caller should never need to care about this... As always, our favorite language bindings thought they might have users who care. This time it's Ruby and Perl. ok jsing | ||
| 07d65f05 | 2025-01-11 03:00:04 | Remove seven pairs of unnecessary parentheses ok millert operator(7) | ||
| f0e1d484 | 2025-01-09 23:18:08 | When describing v3 crypt, be specific as to which machine was simulated. feedback jmc@ ok deraadt@ schwarze@ | ||
| e0bc670b | 2025-01-09 11:35:46 | ec_lib.c: zap stray empty line at end of file | ||
| 742574bf | 2025-01-09 06:51:11 | check_discriminant: make the assumptions on p, a, b more explicit requested by jsing | ||
| 04728449 | 2025-01-08 20:21:28 | Improve order of things in BN_RECP_CTX_set() + some whitespace cosmetics | ||
| 59c697bf | 2025-01-08 20:18:12 | Remove parentheses in return statements | ||
| 7e42737e | 2025-01-08 20:13:52 | Add a space after comma | ||
| 6415b2b8 | 2025-01-08 20:12:18 | Remove superfluous parentheses | ||
| 9bf17825 | 2025-01-08 00:08:02 | X509_NAME_print() also fails to indent | ||
| e850f124 | 2025-01-07 18:58:32 | X509_NAME_print: remove lie about multiple lines being used OpenSSL commit 92ada7cc (2007) removed some dead code with flawed logic attempting to print multiple lines if the line exceeded 80 characters. Said flawed logic was there since the start of the git history importing SSLeay 0.8.1b in 1998 and never worked. Rumor has it that it did work prior to that. Be that as it may, it's just wrongly documented since Henson added the docs in commit 0711be16 (2002). Prompted by OpenSSL issue #18004 by davidben https://github.com/quictls/quictls/pull/168 https://github.com/quictls/quictls/issues/75 | ||
| 6d253f95 | 2025-01-07 14:22:19 | Rewrite TS_ASN1_INTEGER_print_bio() This eliminates another stupid BN_free(&bn) and uses BIO_printf() rather than a ludicrously silly result dance. In fact it appears that this dance was so hard to grok that OpenSSL misread it and made this function return the value -1 on ASN1_INTEGER_to_BN() failure, a value that it had never returned before. It doesn't matter anyway. The only uses of this function are internal to OpenSSL's code and since TS fully conforms to OpenSSL's high QA standards, no caller checks the return of TS_ASN1_INTEGER_print_bio(). ok jsing | ||
| f0238de6 | 2025-01-07 08:52:17 | Remove stale comment about methods and members | ||
| a537a13e | 2025-01-07 08:30:52 | Check discriminant directly in EC_GROUP_set_discriminant() After possibly decoding a and b in EC_GROUP_get_curve(), this is a pure calculation in GFp and as such doesn't make use of any method-specifics. Let's perform this calculation directly in the public API implementation rather than redirecting through the methods and remove yet another method handler. ok jsing | ||
| 00e52b80 | 2025-01-06 23:35:25 | unitialized -> uninitialized | ||
| c9edc1b9 | 2025-01-06 19:23:25 | ec_lib: create a garbage bin at the end, throw Jprojective stuff in there | ||
| de420f14 | 2025-01-06 18:43:27 | Inline the last two uses of ec_mont_group_clear() | ||
| 169e56b9 | 2025-01-06 17:42:39 | typo: slighty -> slightly | ||
| 5e6e829d | 2025-01-06 14:34:47 | group_copy() is no longer a thing... | ||
| be018b2c | 2025-01-06 14:29:33 | Remove get_order_bits() and get_degree() methods The degree made some sense when EC2M was a thing in libcrypto. Fortunately that's not the case anymore. The order handler never made sense. ok jsing | ||
| cb86d051 | 2025-01-06 14:25:10 | More dest -> dst renaming missed in previous requested by jsing | ||
| 428f68d0 | 2025-01-06 14:24:12 | Rename dest into dst requested by jsing | ||
| 2ab5ac8d | 2025-01-06 14:22:55 | Inline the copy handlers in EC_GROUP_copy() This is another bit of indirection that makes this code so hard to follow. ok jsing | ||
| 549c4806 | 2025-01-06 14:10:32 | Use a slightly more sensible order in ec_local.h | ||
| 9d6e4a9a | 2025-01-06 13:47:37 | BN_div_recp() can't be static since it is directly exercised by bn_test.c | ||
| c29635eb | 2025-01-06 13:15:08 | fix ugly whitespace | ||
| 1cc088a1 | 2025-01-06 12:36:41 | Revise comments to note that these are Jacobian projective coordinates. | ||
| abfe84ec | 2025-01-06 12:35:27 | Shuffle functions into a more sensible order BN_reciprocal() is only called by BN_div_recp() which in turn is only called by BN_mod_mul_reciprocal(). So use this order and make the first two static. | ||
| a680ff0c | 2025-01-06 12:35:14 | Remove indirection for coordinate blinding. This is usually method specific, so remove the indirection and call the appropriate blinding function directly. ok tb@ | ||
| 1c80ffcf | 2025-01-06 11:59:02 | Stop caching one in the Montgomery domain This is only used by ec_points_make_affine(), which is only used by the wNAF multiplication, which is only used by ECDSA. We can afford computing that one once per ECDSA verification given the cost of the rest of this. Thus, the field_set_to_one() member disappears from the EC_METHOD and the mont_one member disappears from EC_GROUP and with it all the complications when setting/copying/freeing the group. ok jsing | ||
| e2762cb6 | 2025-01-06 10:56:46 | Prepare removal accessors for Jprojective coordinates That the BN-driven EC code uses Jacobian projective coordinates as an optimization is an implementation detail. As such this should never have leaked out of the library as part of the public API. No consumer should ever care and if they do they're doing it wrong. The only port that cares is one of those stupid little perl modules that expose all the things and transform terrible OpenSSL regress tests into similarly horrible Perl. In practice, only affine coordinates matter (perhaps in compressed form). This prunes two more function pointers from EC_GROUP and prepares the removal of the field_set_to_one() method which is now only used in ec_points_make_affine(). ok jsing sthen | ||
| 3c2cb882 | 2025-01-05 16:07:08 | Move BIGNUMs in EC_GROUP and EC_POINT to the heap The only way to get an EC_GROUP or an EC_POINT is by calling the relevant _new() function and to get rid of it, something must call _free(). Thus we can establish the invariant that every group has Weierstrass coefficients p, a, b as well as order and cofactor hanging off it. Similarly, Every point has allocated BIGNUMs for its Jacobian projective coordinates. Unfortunately, a group has the generator as an optional component in addition to seed and montgomery context/one (where optionality makes more sense). This is a mostly mechanical diff and only drops a few silly comments and a couple of unnecessary NULL checks since in our part of the wrold the word invariant has a meaning. This should also appease Coverity who likes to throw fits at calling BN_free() for BIGNUM on the stack (yes, this is actually a thing). ok jsing |