mirror of https://github.com/openbsd/src.git synced 2024-12-22 16:42:56 -08:00
Commit Graph

22844 Commits

Author SHA1 Message Date
tb
5ad0d35887 Document tls_peer_cert_common_name()
ok beck
2024-12-10 08:42:12 +00:00
tb
4c4812c958 bump minor after symbol addition 2024-12-10 08:41:04 +00:00
tb
7c96010cd4 expose tls_peer_cert_common_name() 2024-12-10 08:40:45 +00:00
tb
26433cb13c Provide tls_peer_cert_common_name()
There is currently no sane way of getting your hands on the common name or
subject alternative name of the peer certificate from libtls. It is possible
to extract it from the peer cert's PEM by hand, but that way lies madness.
While the common name is close to being deprecated in the webpki, it is
still the de facto standard to identify client certs. It would be nice to
have a way to access the subject alternative names as well, but this is a
lot more difficult to expose in a clean and sane C interface due to its
multivaluedness.

Initial diff from henning, with input from beck, jsing and myself
henning and bluhm have plans of using this in syslogd.

ok beck
2024-12-10 08:40:30 +00:00
schwarze
f0955a9c84 insert a forgotten .Dv macro 2024-12-09 11:55:52 +00:00
schwarze
4594425fa5 Mark the constants EVP_PK_*, EVP_PKS_*, and EVP_PKT_* as intentionally
undocumented because they are only used by the function X509_certificate_type()
which is deprecated and will eventually be deleted.
2024-12-09 11:25:25 +00:00
schwarze
380ecedd40 Move the algorithm-specific functions EVP_rc2_*(3) out of EVP_EncryptInit(3)
and document them properly in their own manual page, including the control
commands EVP_CTRL_SET_RC2_KEY_BITS and EVP_CTRL_GET_RC2_KEY_BITS that were
so far undocumented.

Arguably, the main benefit is another small step making the important,
but still obese EVP_EncryptInit(3) manual page more palatable.
2024-12-08 17:41:23 +00:00
schwarze
60c3061599 Document the low-level rc2.h API.
Not that this would be particularly important, but i had to look
at the code anyway while completing the EVP documentation.
2024-12-07 19:22:15 +00:00
tb
4ccb460550 ec_mult: forgot to make one helper static 2024-12-07 13:49:43 +00:00
tb
08f8d31902 Move initialization of sign out of the middle of bits handling 2024-12-07 13:32:07 +00:00
tb
9d4c47a84d Rename ec_wNAF_mul() to ec_wnaf_mul()
discussed with jsing
2024-12-06 15:49:37 +00:00
tb
2380456e4c ec_mult: manage wNAF data in a struct
This refactors the wNAF multiplication further and introduces a small API
that manages the wNAF digits for bn and the multiples of digit * point in
a single struct that is initialized and freed in two API calls in the main
function, ec_wNAF_mul(). This way the main algorithm is no longer cluttered
with logic to keep various arrays in sync, helper functions calculating the
wNAF splitting of bn and multiples of the point do not need to deal with
memory management, and a pair of accessors obviates previously missing
bounds checking.

At this point we have reached a relatively clean and straightforward wNAF
implementation that fits precisely the purpose needed in libcrypto, i.e.,
ECDSA verification instead of being generalized and optimized to the max
for no good reason apart from endowing the author with an academic degree.

Popper's famous maxim "if you can't say it clearly, keep quiet, and keep
working until you can" very much applies to code as well. In other words,
shut up and hack (and don't pour too much energy into commit messages, tb).

ok jsing
2024-12-06 15:39:59 +00:00
schwarze
3f6360fc06 Adjust the return type and value of EVP_MD_CTX_init(3)
and EVP_CIPHER_CTX_init(3) after tb@ changed these to OpenSSL 1.1 semantics
in evp.h rev. 1.124 on March 2 this year.
2024-12-06 15:01:01 +00:00
schwarze
f1c41952de Delete the manual pages EVP_PKEY_meth_new(3) and EVP_PKEY_meth_get0_info(3)
because tb@ deleted almost all functions documented there from the API
in evp.h 1.127 on March 2 this year, but move the functions
EVP_PKEY_CTX_set_data(3) and EVP_PKEY_CTX_get_data(3) that we still
support to EVP_PKEY_keygen(3), because that page already documents
EVP_PKEY_CTX_set_app_data(3) and EVP_PKEY_CTX_get_app_data(3).
2024-12-06 14:27:49 +00:00
schwarze
cb0afab4d7 Delete the manual page EVP_PKEY_check(3).
All three functions documented in this page were deleted from the API
by tb@ in evp.h rev. 1.136 on August 31 this year.
2024-12-06 13:10:43 +00:00
schwarze
957fef74ea Delete the manual page EVP_PKEY_asn1_new(3).
All the functions documented in this page were deleted from the API
by tb@ in evp.h rev. 1.126 on March 2 this year.
2024-12-06 12:51:13 +00:00
jsing
90c5a28a23 Provide a SHA-1 assembly implementation for amd64 using SHA-NI.
This provides a SHA-1 assembly implementation for amd64, which uses
the Intel SHA Extensions (aka SHA New Instructions or SHA-NI). This
provides a 2-2.5x performance gain on some Intel CPUs and many AMD CPUs.

ok tb@
2024-12-06 11:57:17 +00:00
schwarze
0afdf00682 Explain what "EVP" is supposed to mean.
It's so non-obvious that even i had to do some research to find out.
Source: The file "doc/ssleay.doc" from SSLeay 0.8.1b,
see for example OpenSSL commit d02b48c6 on Dec 21, 1998.
2024-12-06 11:56:21 +00:00
tb
59c41a1786 Fix previous and thus regress failures reported by anton
Looks like I applied the diff to a dirty tree and didn't notice.
2024-12-06 07:10:20 +00:00
tb
ce5fd5cb4f ec_asn1: update a comment to match reality 2024-12-06 05:13:35 +00:00
tb
c9c3f1d69f Set nid on group decoded from EC parameters
We match curve parameters against the builtin curves and only accept
them if they're encoding a curve known to us. After getting rid of the
wtls curves, some of which used to coincide with secp curves (sometimes
the wrong ones), the nid is unambiguous. Setting the nid has no direct
implications on the encoding.

This helps ssh avoid doing ugly computations during the key exchange
for PEM keys using this encoding.

ok djm joshua jsing
2024-12-06 04:35:03 +00:00
tb
f88101f637 Zap a trailing space 2024-12-05 19:57:37 +00:00
tb
fa7ea96644 Make the DSS_prime_checks macro internal
Rename it to DSA_prime_checks and add an XXX comment mentioning that
we could reduce the number of rounds thanks to BPSW. There are no
plans of changing that as DSA is on its way out.

discussed with miod
2024-12-05 19:34:46 +00:00
tb
66be9a589c Remove the undocumented DSA_is_prime() macro
It aliases BN_is_prime(), which was removed in April 2023.

makes sense to miod
2024-12-05 19:29:08 +00:00
schwarze
95240d2fe0 document the #define'd constant PKCS5_SALT_LEN 2024-12-05 15:12:37 +00:00
schwarze
50ad0749e0 drop comments asking for documentation of three ASN1_PKEY_CTRL_CMS_*
constants after these have been marked as intentionally undocumented;
they are internal to the library and unused in the wild
2024-12-05 15:06:27 +00:00
tb
54c494921a Apply a little bit of lipstick to PKCS7
Makes the setting and getting of detached signatures more symmetric
and avoids a NULL access.

ok jsing
2024-12-05 07:35:46 +00:00
tb
aaa88f3d70 Use ASIdentifiers rather than struct ASIdentifiers_st
This matches the other members of X509 and is what's used everywhere else.

ok miod
2024-12-04 20:07:16 +00:00
jsing
550a1cbd21 Another now unused perlasm script can bite the dust. 2024-12-04 13:14:45 +00:00
jsing
a61493a0f2 Provide a replacement assembly implementation for SHA-1 on amd64.
As already done for SHA-256 and SHA-512, replace the perlasm generated
SHA-1 assembly implementation with one that is actually readable. Call the
assembly implementation from a C wrapper that can, in the future, dispatch
to alternate implementations. On a modern CPU the performance is around
5% faster than the base implementation generated by sha1-x86_64.pl, however
it is around 15% slower than the excessively complex SSSE2/AVX version that
is also generated by the same script (a SHA-NI version will greatly
outperform this and is much cleaner/simpler).

ok tb@
2024-12-04 13:13:33 +00:00
tb
04521d92d0 Annotate WTLS7 as being wrong
This should really have been using SECP 160R2, not SECP 160R1. Of course
this means in particular that nobody ever used this curve, at least not
against another implementation than OpenSSL. Quasi-monocultures are
poisonous whether the monopolist is benevolent and competent or not.
2024-12-04 09:50:52 +00:00
tb
a976df8d81 Meant to split the sentence in two 2024-11-30 21:21:40 +00:00
tb
8e3d34b8ce Be a bit more precise on the error conditions of CMS_get1_{certs,crls}() 2024-11-30 21:20:44 +00:00
tb
5c792f2ee6 Explain how to free the stack returned by CMS_get1_{certs,crls}()
with job
2024-11-30 21:15:19 +00:00
tb
9da94e6d4a Inline trivial EC point methods
Like most of the "group" methods these are shared between Montgomery
curves and simple curves. There's no point in five methods hanging off
the EC_METHODS struct when they can just as well be inlined in the
public API. It makes all files involved shorter...

ok jsing
2024-11-30 21:09:59 +00:00
tb
970efd761c Get BNs Z coordinates from the BN_CTX
While there likely won't be enough BNs already available in the ctx, and
thus it won't greatly reduce the amount of allocated BNs, it simplifies
the exit path quite a bit.

review feedback from jsing
2024-11-30 16:34:34 +00:00
tb
adc6938b1a Improve ec_points_make_affine()
It is unclear how the original code was supposed to work. It clearly
missed a few corner cases (like handling points at infinity correctly)
and the badly mangled comment that was supposed to display a binary
search tree didn't help at all.

Instead do something much more straightforward: multiply all the non-zero
Z coordinates of the points not at infinity together, keeping track of the
intermediate products. Then do a single expensive modular inversion before
working backwards to compute all the inverses. Then the transformation from
Jacobian coordinates to affine coordinates (x, y, z) -> (x/z^2, y/z^3, 1)
becomes cheap. A little bit of care has to be taken for Montgomery curves
but that's very simple compared to the mess that was there before.

ok jsing

This is a cleaned up version of:

commit 0fe73d6c3641cb175871463bdddbbea3ee0b62ae
Author: Bodo Moeller <bodo@openssl.org>
Date:   Fri Aug 1 17:18:14 2014 +0200

    Simplify and fix ec_GFp_simple_points_make_affine
    (which didn't always handle value 0 correctly).

    Reviewed-by: emilia@openssl.org
2024-11-30 16:18:01 +00:00
tb
3e463d5faa Don't leak the abuf on error in PKCS7_dataFinal()
ok beck miod
2024-11-30 10:01:31 +00:00
tb
1507347831 Remove X9.42 DH rudiments
In the unlikely event that we should ever decide to implement this after
a quarter century of not needing it, we can readily put this back. Until
then this is dead weight.

prompted by a question by djm
ok jsing
2024-11-29 15:59:57 +00:00
schwarze
47aad51186 Provide an example of signing with HMAC-SHA256 or Ed25519
because that makes it easier to see the big picture
of how EVP_PKEY_new_raw_private_key(3) is supposed to be used.
Feedback and OK tb@.
2024-11-29 12:05:06 +00:00
tb
d2a56ad68f Remove weird pad member that was never set to zero after malloc() so
the weird thing it was supposed to be doing couldn't possibly work.

ok jsing
2024-11-29 07:42:35 +00:00
tb
a4ff2ce640 Garbage collect the unused imsg_hdr in imsg_close()
ok claudio
2024-11-29 04:35:13 +00:00
anton
deef986e6c Add ptrace commands used to read/write the XSAVE area of a traced
process. Intended to give debuggers access to xmm/ymm registers.

Inspired by FreeBSD which exposes a similar set of ptrace commands.

ok kettenis@
2024-11-27 05:25:56 +00:00
claudio
ff59764deb Adjust the reader callback API to return an ibuf and to also claim the
fd which is passed as argument.

This is needed because on Linux the control messages used to pass fds
are not acting as a barrier and ensuring that the fd is passed with the
first byte of the read call. Instead we need to mark the message that
holds the fd and then scan for that message in the stream.

While there also adjust imsgbuf_set_maxsize() to return an int to
indicate an error if the requested size is out of range.

Problem reported and fix tested by nicm@ on a linux system.
OK tb@
2024-11-26 13:57:31 +00:00
tb
4c69b3de2c Make a comment match reality better
$i386only never existed, it should be $x86only. Replace des asm file
example with an aes one since we're firmly in the third millennium.

ok sthen
2024-11-26 10:10:03 +00:00
tb
b87827a75f Unify checking for the asn1_flag
There are only two flag values that libcrypto understands and the default
value is 1 while, helpfully, the undesirable non-default is 0. The few
existing callers set OPENSSL_EC_NAMED_CURVE or OPENSSL_EC_EXPLICIT_CURVE.
Nevertheless, the flag should be checked properly as a flag. The recent
upstream checks for EC_GROUP_get_asn1_flag(group) == OPENSSL_EC_NAMED_CURVE
don't look right either...

ok jsing
2024-11-25 06:51:39 +00:00
schwarze
58b53999c9 Fix some inaccuracies and gaps in the paragraph i wrote about CMAC
such that it becomes intelligible but not too long or prominent.
In particular, don't talk about EVP_PKEY_CTX_new(3), don't forget to
mention EVP_PKEY_keygen(3), mention EVP_PKEY_OP_KEYGEN, and mention
how to proceed once you have the desired EVP_PKEY object in hand.

Substantial feedback and OK tb@.
2024-11-24 14:48:12 +00:00
tb
e70a400b94 Disable small builtin curves
This disables all the curves over fields < 224 bits and a few others.
Specifically:

SECG: 112r1 112r2 128r1 128r2 160k1 160r1 160r2 192k1 192r1 192v{1,2,3}
WTLS: 6 7 8 9 12
Brainpool: P160r1 P160t1 P192r1 P192t1

These are below or at the limit of what is acceptable nowadays. This is
less aggressive than what some enterprise linux distributions are using
in their patched OpenSSL versions where everything over fields < 256 bits
is disabled with the exception of P-224, so interoperability should not
be a problem.

The curves are left in the tree for now and can be re-enabled by compiling
libcrypto with -DENABLE_SMALL_CURVES. They will be fully removed later.

One nice benefit of doing this is that the incorrect parameters for WTLS 7
are fixed (obviously nobody uses this one) and now all the builtin curves
have a unique corresponding OID (nid).

Something like this was suggested a while back by beck, makes sense to sthen

ok jsing
2024-11-24 10:12:05 +00:00
jsing
45e2a6c14e Simplify endian handling in SHA-3.
Rather than having blocks of code that are conditional on
BYTE_ORDER != LITTLE_ENDIAN, use le64toh() and htole64() unconditionally.
In the case of a little endian platform, the compiler will optimise this
away, while on a big endian platform we'll either end up with better code
or the same code as we have currently.

ok tb@
2024-11-23 15:38:12 +00:00
tb
846d7a9a3b Further refactoring of the wNAF code
The big change is that the "rows" are no longer slices of val[] but
that they actually own the points they contain. The price for this
is an extra allocation for val[] and to piece it together from the
two rows. That's ugly, but less ugly than before.

Add a helper for freeing a row of points. It can deal with a NULL
row, so we can remove a couple of complications.

The second change is that the logic for preparing the rows is pulled
back into ec_wNAF_mul[]. This way the m * G + n * P logic is in the
one function that needs to know about it, the rest just deals with
a pair of a point and a scalar.

This starts resembling actual code...

ok jsing
2024-11-23 12:56:31 +00:00