path: root/lib/libcrypto
Commit history (age, author, commit message):

2018-12-22  Ingo Schwarze
    Document EVP_PKEY_new_mac_key(3);
    from Matt Caswell <matt at openssl dot org> via OpenSSL commit d45a97f4 Mar 5 17:41:49 2018 +0000.

2018-12-22  Ingo Schwarze
    Delete irrelevant HISTORY details. Simply use BN_rand(3); there is no need to know at which time BN_pseudo_rand(3) was made the same as BN_rand(3). Considering that question might even mislead people to attempt ill-advised #ifdef'ing. Pointed out by deraadt@.

2018-12-21  Ingo Schwarze
    The wrong header file was given for EVP_PKEY_CTX_set_signature_md(3). Also clarify to which algorithms it applies. From Matt Caswell <matt at openssl dot org> via OpenSSL commit d45a97f4 Mar 5 17:41:49 2018 +0000.
    Document EVP_PKEY_CTX_get_rsa_padding(3), EVP_PKEY_CTX_get_rsa_pss_saltlen(3), EVP_PKEY_CTX_set_rsa_mgf1_md(3), and EVP_PKEY_CTX_get_rsa_mgf1_md(3). From Antoine Salon <asalon at vmware dot com> via OpenSSL commit 87103969 Oct 1 14:11:57 2018 -0700 from the OpenSSL_1_1_1-stable branch, which is still under a free license.

2018-12-21  Ingo Schwarze
    Document the ECDSA_SIG_new(3) return value.
    Inspired by OpenSSL commit 6da34cfb Jun 2 16:17:32 2018 -0400 by Ken Goldman <kgoldman at us dot ibm dot com>, but use the same wording as in ASN1_item_new(3) instead.

2018-12-21  Ingo Schwarze
    Clarify behaviour of DH_get0_pqg(3) and DH_get0_key(3) with NULL arguments;
    from <Matthias dot St dot Pierre at ncp dash e dot com> via OpenSSL commit 5777254b May 27 09:07:07 2018 +0200.

2018-12-21  Ingo Schwarze
    grammar and style fixes from wesinator at github
    via OpenSSL commit 521738e9 Oct 5 14:58:30 2018 -0400

2018-12-21  Ingo Schwarze
    Since OpenBSD 6.1, BN_pseudo_rand*(3) does the same as BN_rand*(3).
    Say so, and note that OpenSSL followed suit in 1.1.0 according to OpenSSL commit 5ecff87d Jun 21 13:55:02 2017 +0100.

2018-12-21  Ingo Schwarze
    Mention that some functions call BN_GENCB_call(3) with a second argument of 3; from Beat Bolli <dev at drbeat dot li> via OpenSSL commit bd93f1ac Jul 28 16:45:22 2018 -0400.

2018-12-19  Ingo Schwarze
    Correctly describe the return values of BN_hex2bn(3) and BN_dec2bn(3).
    Inspired by OpenSSL commit a130950d Aug 23 12:06:41 2017 -0400 by Rich Salz <rsalz at openssl dot org>, but using a more explicit wording, and fixing *both* places rather than only half of them.

2018-12-19  Ingo Schwarze
    Specify the return values of some of these functions more precisely;
    inspired by OpenSSL commit 1f13ad31 Dec 25 17:50:39 2017 +0800 by Paul Yang <yang sot yang at baishancloud dot com>, but without creating a RETURN VALUES section because that makes no sense here: it would either result in a confusing order of information or in duplicate information.

2018-12-19  Ingo Schwarze
    typo;
    from Jakub Wilk <jwilk at jwilk dot net> via OpenSSL commit a21285b3 Aug 21 18:30:34 2018 +0200

2018-12-16  Stuart Henderson
    Regenerate root CA list using updated format-pem.pl. Specifically this drops CA certificates whose validity dates don't comply with the rules on ASN.1 encoding in RFC 5280 (and predecessors - same rule goes back to at least RFC 2459, section 4.1.2.5). LibreSSL strictly enforces this, so attempting to validate certificates signed by these CAs just results in the following:
    error 13 at 1 depth lookup:format error in certificate's notBefore field
    "probably" beck@

2018-12-16  Stuart Henderson
    Add a check that libressl is actually able to verify CA certs.
    Skip outputting them if invalid (e.g. GENERALIZEDTIME date before 2050).

2018-11-30  Jeremy Evans
    Restore function prototype for ASN1_dup, fixing usage on I32LP64 platforms.
    This prototype was removed inadvertently in r1.50. OK jsing@

2018-11-28  Joel Sing
    Correct lock initialisation for libcrypto.
    The current crypto_lock_init() function is not called early enough, meaning that locks are already in use before it gets called. Worse, locks could be in use when they are then initialised. Furthermore, since functions like CRYPTO_lock() are public API, these could be called directly bypassing initialisation. Avoid these issues by using static initialisers. ok bcook@

2018-11-25  Jason McIntyre
    spelling; from miod

2018-11-24  Theo Buehler
    zap 10 tab leading whitespace before 'struct evp_pkey_ctx_st {'

2018-11-24  Joel Sing
    Store and return the locking callbacks, restoring previous behaviour.
    The previous code meant that a caller could set the locking callback, after which CRYPTO_get_locking_callback() would return non-NULL. Some existing code depends on this behaviour, specifically to identify if lock handling has been configured. As such, always returning NULL from CRYPTO_get_locking_callback() can result in unexpected application behaviour. ok bcook@

2018-11-20  Theo de Raadt
    Saw a mention somewhere a while back that the gotdata() function in here could create non-uniformity since very short fetches of 0 would be excluded. Blocks of 0 are just as random as any other data, including blocks of 4 4 4.. This is a misguided attempt to identify errors from the entropy churn/gather code doesn't make sense, errors don't happen. ok bcook

2018-11-17  Theo Buehler
    Fix whitespace around assignment operators.

2018-11-15  Theo Buehler
    Port OpenSSL commit 99540ec79491f59ed8b46b4edf130e17dc907f52 -- mitigation for a timing vulnerability in ECDSA signature generation (CVE-2018-0735). Note that the blinding that we introduced back in June for ECDSA and DSA should mitigate this and related issues. This simply adds an additional layer of protection. discussed with jsing

2018-11-12  Theo Buehler
    Missing initialization for pub_key. CID 184303.
    ok bcook

2018-11-11  Brent Cook
    Add back a few missing compatibility stubs
    ok beck@

2018-11-11  Theo Buehler
    Add EVP_sm3() to OpenSSL_add_all_digests_internal().
    ok beck inoguchi

2018-11-11  Theo Buehler
    bump minors after symbol addition.

2018-11-11  Theo Buehler
    Add Ribose Inc's implementation of the SM3 hashing function with tweaks from jsing and myself. The SM2/SM3/SM4 algorithms are mandatory for legal use of cryptography within China and [are] widely applied in the country, covering identification/financial cards, contactless, TPM 2.0 and PKI. ok beck inoguchi jsing

2018-11-11  Brent Cook
    Add automatic threading initialization for libcrypto.
    This implements automatic thread support initialization in libcrypto. This does not remove any functions from the ABI, but does turn them into no-ops. Stub implementations of pthread_mutex_(init|lock|unlock) are provided for ramdisks. This does not implement the new OpenSSL 1.1 thread API internally, keeping the original CRYPTO_lock / CRYPTO_add_lock functions for library locking. For -portable, crypto_lock.c can be reimplemented with OS-specific primitives as needed. ok beck@, tb@, looks sane guenther@

2018-11-11  Brent Cook
    include crypto.h from the correct path, remove unused variable

2018-11-09  Theo Buehler
    Initialize priv_key and pub_key on first use instead of at the top.
    While there, eliminate a flag that was only used once. ok beck jsing mestre

2018-11-09  Theo Buehler
    Initialize priv_key and pub_key on first use instead of at the top.
    ok beck jsing mestre

2018-11-09  Theo Buehler
    Avoid dereferencing eckey before checking it for NULL.
    CID 184282 ok beck jsing mestre

2018-11-09  Theo Buehler
    Avoid leaking memory that was already allocated in ASN1_item_new().
    From Ben L <bobsayshilol () live ! co ! uk>

2018-11-09  Theo Buehler
    Fix a buffer overrun in asn1_parse2().
    From Ben L bobsayshilol () live ! co ! uk Similar fixes in BoringSSL and OpenSSL.

2018-11-09  Theo Buehler
    Add const to the data argument of ASN1_set{,_int}_octetstring().
    From Ben L bobsayshilol () live ! co ! uk ok jsing

2018-11-08  Joel Sing
    Remove some function prototypes that should have been removed in the previous clean up. Spotted by bcook@

2018-11-08  Brent Cook
    LibreSSL 2.9.0

2018-11-07  Theo Buehler
    Use memmove() instead of memcpy() to get rid of the need for non-overlapping *in and *out buffers as we're already implementing the "in place (un)wrapping" algorithms as given in RFC 3394. This removes a gratuitous API difference to OpenSSL in these undocumented functions. Found while working on wycheproof regress tests. ok beck jsing

2018-11-06  Theo Buehler
    unrevert the use of bn_rand_interval().
    ok beck jsing

2018-11-06  Theo Buehler
    Unset Z_is_zero after applying coordinate blinding and re-enable coordinate blinding. ok jsing

2018-11-06  Theo Buehler
    Flip reversed test in bn_rand_interval().
    ok jsing

2018-11-06  Theo Buehler
    disable EC_POINT coordinate blinding due to failures in ECDHE and TLS

2018-11-06  Theo Buehler
    revert use of bn_rand_interval due to failures with ECDHE and TLS

2018-11-06  Joel Sing
    Start working towards adding feature flags (rather than anti-feature flags) for LibreSSL. Add a (commented out) feature flag for TLSv1.3 and define the OPENSSL_NO_TLS1_3 anti-feature flag based on the feature flag. ok beck@ bluhm@ tb@

2018-11-05  Theo Buehler
    Make use of bn_rand_interval() where appropriate.
    ok beck jsing

2018-11-05  Theo Buehler
    Introduce bn_rand_interval() that allows specifying an interval [a, b) from which a BIGNUM is chosen uniformly at random. ok beck jsing

2018-11-05  Theo Buehler
    Eliminate a few "} else" branches, a few unneeded NULL checks before freeing and indent nearby labels. ok beck jsing

2018-11-05  Theo Buehler
    Remove two unnecessary BN_FLG_CONSTTIME dances: BN_mod_exp_ct() already takes care of this internally. ok beck jsing

2018-11-05  Theo Buehler
    Implement coordinate blinding for EC_POINT.
    Based on OpenSSL commit 875ba8b21ecc65ad9a6bdc66971e50 by Billy Brumley, Sohaib ul Hassan and Nicola Tuveri. ok beck jsing

    commit 875ba8b21ecc65ad9a6bdc66971e50461660fcbb
    Author: Sohaib ul Hassan <soh.19.hassan@gmail.com>
    Date:   Sat Jun 16 17:07:40 2018 +0300

        Implement coordinate blinding for EC_POINT

        This commit implements coordinate blinding, i.e., it randomizes the representative of an elliptic curve point in its equivalence class, for prime curves implemented through EC_GFp_simple_method, EC_GFp_mont_method, and EC_GFp_nist_method.

        This commit is derived from the patch https://marc.info/?l=openssl-dev&m=131194808413635 by Billy Brumley.

        Coordinate blinding is a generally useful side-channel countermeasure and is (mostly) free. The function itself takes a few field multiplications, but is usually only necessary at the beginning of a scalar multiplication (as implemented in the patch). When used this way, it makes the values that variables take (i.e., field elements in an algorithm state) unpredictable. For instance, this mitigates chosen EC point side-channel attacks for settings such as ECDH and EC private key decryption, for the aforementioned curves.

        For EC_METHODs using different coordinate representations this commit does nothing, but the corresponding coordinate blinding function can be easily added in the future to extend these changes to such curves.

        Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
        Co-authored-by: Billy Brumley <bbrumley@gmail.com>

        Reviewed-by: Tim Hudson <tjh@openssl.org>
        Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
        Reviewed-by: Andy Polyakov <appro@openssl.org>
        (Merged from https://github.com/openssl/openssl/pull/6526)

2018-11-04  Joel Sing
    Define OPENSSL_NO_ASYNC - our libcryptosink does not have built in async features (and possibly never will).

2018-11-04  Joel Sing
    Update the opensslfeatures.h to include all of the OPENSSL_NO_* flags that currently exist in OpenSSL - comment out the ones that we do not already define. Some OPENSSL_NO_* flags that we define have been removed from OpenSSL (and code that depended on these to know when features are not available now thinks that the features have been enabled...). We keep these defined but in their own separate group. ok bluhm@ tb@