d14f0dd0 | 22-May-2024 | tb <tb@openbsd.org>
Fix in-place decryption for EVP_chacha20_poly1305()
Take the MAC before clobbering the input value on decryption. Fixes hangs during the QUIC handshake with HAProxy using TLS_CHACHA20_POLY1305_SHA256.
Found, issue pinpointed, and initial fix tested by Lucas Gabriel Vuotto: Let me take this opportunity to thank the HAProxy team for going out of their way to keep supporting LibreSSL. It's much appreciated.
See https://github.com/haproxy/haproxy/issues/2569
tweak/ok jsing

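The ordering bug this commit fixes, shown with an added example that is not code from the commit or from LibreSSL. The cipher (XOR with a trivial keystream) and the MAC (keyed FNV-1a) are constructed stand-ins for ChaCha20 and Poly1305; the toy_* names are assumptions made for this illustration. What it demonstrates is the part that matters: an open that decrypts in place and only afterwards MACs its input buffer is MACing plaintext, so a valid record is rejected, which is the failure mode behind the handshake hangs described above.

```c
/*
 * Added example, not LibreSSL code: a toy AEAD showing why an in-place open
 * must compute and check the MAC over the ciphertext before the output buffer
 * is written, which is the bug the commit above fixes. The XOR keystream and
 * the FNV-based tag are constructed stand-ins for ChaCha20 and Poly1305 with
 * no security value; only the order of operations matters.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TOY_TAGLEN 4

/* out = in XOR keystream. Safe when in == out: in[i] is read before out[i] is written. */
static void toy_xor(const uint8_t key[8], const uint8_t *in, uint8_t *out, size_t len)
{
	for (size_t i = 0; i < len; i++)
		out[i] = in[i] ^ (uint8_t)(key[i % 8] ^ (uint8_t)(i * 0x9d));
}

/* Keyed FNV-1a over the ciphertext; plays the role Poly1305 plays in the real AEAD. */
static void toy_mac(const uint8_t key[8], const uint8_t *ct, size_t len, uint8_t tag[TOY_TAGLEN])
{
	uint32_t h = 2166136261u;
	for (size_t i = 0; i < 8; i++)
		h = (h ^ key[i]) * 16777619u;
	for (size_t i = 0; i < len; i++)
		h = (h ^ ct[i]) * 16777619u;
	for (size_t i = 0; i < TOY_TAGLEN; i++)
		tag[i] = (uint8_t)(h >> (8 * i));
}

/* Tag compare without an early exit on the first differing byte. */
static int toy_tag_equal(const uint8_t *a, const uint8_t *b)
{
	uint8_t d = 0;
	for (size_t i = 0; i < TOY_TAGLEN; i++)
		d |= a[i] ^ b[i];
	return d == 0;
}

/* Seal: encrypt, then MAC the ciphertext. Fine in place. */
void toy_seal(const uint8_t key[8], const uint8_t *in, uint8_t *out, size_t len, uint8_t tag[TOY_TAGLEN])
{
	toy_xor(key, in, out, len);
	toy_mac(key, out, len, tag);
}

/* Buggy open, the shape of the bug: decrypt first, then MAC `in`. With in == out,
 * `in` already holds plaintext, so a valid message is rejected, and the plaintext
 * was written out before any check ran. */
int toy_open_buggy(const uint8_t key[8], const uint8_t *in, uint8_t *out, size_t len, const uint8_t tag[TOY_TAGLEN])
{
	uint8_t calc[TOY_TAGLEN];
	toy_xor(key, in, out, len);
	toy_mac(key, in, len, calc);
	return toy_tag_equal(calc, tag);
}

/* Fixed open: take the MAC over the ciphertext before touching the output. */
int toy_open_fixed(const uint8_t key[8], const uint8_t *in, uint8_t *out, size_t len, const uint8_t tag[TOY_TAGLEN])
{
	uint8_t calc[TOY_TAGLEN];
	toy_mac(key, in, len, calc);
	if (!toy_tag_equal(calc, tag))
		return 0;
	toy_xor(key, in, out, len);
	return 1;
}

/* Constructed sample. Returns 1 when the buggy open rejects a valid message
 * decrypted in place and the fixed open recovers it. */
int toy_inplace_demo(void)
{
	static const uint8_t key[8] = { 'k', 'e', 'y', 0, 1, 2, 3, 4 };
	static const uint8_t msg[] = "QUIC ClientHello, constructed sample";
	uint8_t buf[sizeof(msg)], tag[TOY_TAGLEN];
	size_t len = sizeof(msg) - 1;

	toy_seal(key, msg, buf, len, tag);
	if (toy_open_buggy(key, buf, buf, len, tag) != 0)
		return 0;
	toy_seal(key, msg, buf, len, tag);	/* the buggy open clobbered buf */
	if (toy_open_fixed(key, buf, buf, len, tag) != 1)
		return 0;
	return memcmp(buf, msg, len) == 0;
}

/* A flipped tag bit: the fixed open refuses and leaves the buffer untouched. */
int toy_badtag_demo(void)
{
	static const uint8_t key[8] = { 'k', 'e', 'y', 0, 1, 2, 3, 4 };
	static const uint8_t msg[] = "QUIC ClientHello, constructed sample";
	uint8_t buf[sizeof(msg)], ct[sizeof(msg)], tag[TOY_TAGLEN];
	size_t len = sizeof(msg) - 1;
	toy_seal(key, msg, buf, len, tag);
	memcpy(ct, buf, len);
	tag[0] ^= 1;
	return toy_open_fixed(key, buf, buf, len, tag) == 0 && memcmp(buf, ct, len) == 0;
}
```

The buggy variant only misbehaves when the caller passes the same buffer for input and output, which is why the problem surfaced in a QUIC handshake rather than in tests that decrypt into a fresh buffer. Because RFC 8439's AEAD runs Poly1305 over the ciphertext, verifying the tag before producing any output is the natural order for the real cipher as well, and it has the side benefit that no unauthenticated plaintext is ever written to the caller's buffer.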
9bac3682 | 09-Apr-2024 | beck <beck@openbsd.org>
Hide public symbols in evp.h
largely mechanically done by the guentherizer 9000
ok tb@

3ee0c08a | 30-Dec-2023 | tb <tb@openbsd.org>
Some Australians don't like voids either

01dc8a73 | 15-Dec-2023 | tb <tb@openbsd.org>
Fix a return value confusion in chacha20_poly1305_cipher()
On overlong input, chacha20_poly1305_cipher() would return 0, which in EVP_CipherUpdate() and EVP_CipherFinal() signals success with no data written since EVP_CIPH_FLAG_CUSTOM_CIPHER is set. In order to signal an error, we need to return -1. Obviously.
ok jsing

77e08d39 | 28-Sep-2023 | tb <tb@openbsd.org>
Fix EVP_CIPHER_CTX_iv_length()
In today's episode of "curly nonsense from EVP land" we deal with a quite harmless oversight and a not too bad suboptimal fix, relatively speaking.
At some point EVP_CIPHER_{CCM,GCM}_SET_IVLEN was added. It modified some object hanging off of EVP_CIPHER. However, EVP_CIPHER_CTX_iv_length() wasn't taught about this and kept returning the hardcoded default value on the EVP_CIPHER. Once it transpired that a doc fix isn't going to cut it, this was fixed. And of course it's easy to fix: you only have to dive through about three layers of EVP, test and set a flag and handle a control in a couple methods.
The upstream fix was done poorly and we begrudgingly have to match the API: the caller is expected to pass a raw pointer next to a 0 length along with EVP_CIPHER_GET_IV_LENGTH and the control handler goes *(int *)ptr = length in full YOLO mode. That's never going to be an issue because of course the caller will always pass a properly aligned pointer backing a sufficient amount of memory. Yes, unlikely to be a real issue, but it could have been done with proper semantics and checks without complicating the code. But why do I even bother to complain? We're used to this.
Of note here is that there was some pushback painting other corners of a bikeshed until the reviewer gave up with a resigned
That kind of changes the semantics and is one extra complexity level, but [shrug] ok...
Anyway, the reason this matters now after so many years is that rust-openssl has an assert, notably added in a +758 -84 commit with the awesome message "Docs" that gets triggered by recent tests added to py-cryptography.
Thanks to Alex Gaynor for reporting this. Let me take the opportunity to point out that pyca contributed to improve rust-openssl, in particular its libressl support, quite a bit. That's much appreciated and very noticeable.
Regress coverage to follow in subsequent commits.
Based on OpenSSL PR #9499 and issue #8330.
ok beck jsing
PS: A few macros were kept internal for now to avoid impact on the release cycle that is about to finish. They will be exposed after release.

229d624c | 24-Aug-2023 | tb <tb@openbsd.org>
Update references from RFC 7539 to RFC 8439
RFC 7539 was superseded by RFC 8439, incorporating errata and making editorial improvements. Very little of substance changed, in particular section numbers remain the same.
Prompted by a question from schwarze

1ec3c770 | 07-Jul-2023 | beck <beck@openbsd.org>
Unbreak the namespace build after a broken mk.conf and tool misfire had me aliasing symbols not in the headers I was processing.
This unbreaks the namespace build so it will pass again
ok tb@

ea2baf45 | 07-Jul-2023 | beck <beck@openbsd.org>
Hide symbols in hkdf, evp, err, ecdsa, and ec
(part 2 of commit)
ok jsing@

d8fdceda | 01-Mar-2023 | tb <tb@openbsd.org>
Make the cleanup() method return an int again
This partially reverts jsing's OpenBSD commit b8185953, but without adding back the error check that potentially results in dumb leaks. No cleanup() method in the wild returns anything but 1. Since that's the signature in the EVP_CIPHER_meth_* API, we have no choice...
ok jsing

c9675a23 | 26-Nov-2022 | tb <tb@openbsd.org>
Make internal header file names consistent
Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names used for internal headers. Move all these headers we inherited from OpenSSL to *_local.h, reserving the name *_internal.h for our own code. Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h. constant_time_locl.h is moved to constant_time.h since it's special.
Adjust all .c files in libcrypto, libssl and regress.
The diff is mechanical with the exception of tls13_quic.c, where #include <ssl_locl.h> was fixed manually.
discussed with jsing, no objection bcook

b8185953 | 13-Sep-2022 | jsing <jsing@openbsd.org>
Stop pretending that EVP_CIPHER cleanup can fail.
Now that EVP_CIPHER is opaque, stop pretending that EVP_CIPHER cleanup can fail.
ok tb@

9a36bc94 | 30-Aug-2022 | tb <tb@openbsd.org>
chacha20_poly1305_cleanup() should return 1
Otherwise EVP_CIPHER_CTX_cleanup() leaks, as spotted by the ASAN CI.
ok jsing

87758528 | 21-Aug-2022 | tb <tb@openbsd.org>
fix indent and zap trailing whitespace

0f60abb7 | 20-Aug-2022 | jsing <jsing@openbsd.org>
Provide EVP_chacha20_poly1305()
EVP_chacha20_poly1305() is an EVP_CIPHER implementation of the ChaCha20-Poly1305 AEAD. This is potentially used to provide encryption for the QUIC transport layer.
Where possible, this should be avoided in favour of the significantly saner EVP_AEAD interface.
ok tb@

1e3a1835 | 20-Aug-2022 | jsing <jsing@openbsd.org>
Remove bogus length checks from EVP_aead_chacha20_poly1305()
The length checks for EVP_aead_chacha20_poly1305() seal/open were incorrect and are no longer necessary (not to mention that the comment failed to match the code). Remove these since the underlying ChaCha implementation will now handle the same sized inputs as these functions can.
Issue flagged by and ok tb@

24705918 | 27-Mar-2019 | jsing <jsing@openbsd.org>
Cast nonce bytes to avoid undefined behaviour when left shifting.
Reported by oss-fuzz, really fixes issue #13805.
ok beck@ tb@

2cb6f6e1 | 24-Mar-2019 | jsing <jsing@openbsd.org>
Cast nonce bytes to avoid undefined behaviour when left shifting.
Reported by oss-fuzz, fixes issue #13805.
ok beck@ tb@

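The undefined behaviour the two commits above remove, as an added example that is not the library's own code. A `uint8_t` operand of `<<` is promoted to `int` before the shift, so `byte << 24` with a byte of 0x80 or more shifts a one into the sign bit of a signed `int`, which C leaves undefined (C11 6.5.7p4); widening to `uint32_t` first keeps the whole expression unsigned. The `load32_le` and `chacha_nonce_words` names are assumptions made here; the word layout (block counter followed by the three little-endian nonce words) follows RFC 8439 section 2.3.

```c
/*
 * Added example, not LibreSSL code: little-endian loads that cast each byte
 * to uint32_t before shifting, so bytes with the top bit set never produce
 * a signed-overflow shift (the undefined behaviour oss-fuzz reported).
 */
#include <stddef.h>
#include <stdint.h>

/* Promotion-safe little-endian 32-bit load. Without the casts, p[3] << 24 is an
 * int shift and is undefined for p[3] >= 0x80. */
uint32_t load32_le(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	    ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Words 12..15 of the ChaCha20 state for the IETF construction: a 32-bit block
 * counter followed by the 96-bit nonce read as three little-endian words
 * (layout per RFC 8439 2.3; this helper is an illustration, not the library's). */
void chacha_nonce_words(uint32_t counter, const uint8_t nonce[12], uint32_t out[4])
{
	out[0] = counter;
	out[1] = load32_le(nonce);
	out[2] = load32_le(nonce + 4);
	out[3] = load32_le(nonce + 8);
}

/* Constructed nonce whose bytes have the top bit set, the case that makes the
 * uncast shift undefined. Returns 1 when every word comes out as expected. */
int load32_selftest(void)
{
	static const uint8_t n[12] = {
		0xff, 0xfe, 0xfd, 0xfc,
		0x80, 0x00, 0x00, 0x80,
		0x01, 0x02, 0x03, 0x04
	};
	uint32_t w[4];

	chacha_nonce_words(7, n, w);
	return w[0] == 7 && w[1] == 0xfcfdfeffu &&
	    w[2] == 0x80000080u && w[3] == 0x04030201u;
}
```

Compiling with `-fsanitize=undefined` flags the uncast form at runtime on exactly the inputs used here, which is how a fuzzer with random nonces finds it quickly; the cast form is silent and yields the same words on every platform.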
64bf2397 | 22-Jan-2019 | dlg <dlg@openbsd.org>
add support for xchacha20 and xchacha20-poly1305
xchacha is a chacha stream that allows for an extended nonce, which in turn makes it feasible to use random nonces.
ok tb@

6bd9a561 | 28-Aug-2017 | jsing <jsing@openbsd.org>
Remove EVP_aead_chacha20_poly1305_old() now that the original/old chacha20-poly1305 cipher suites have been removed from libssl.

d49cbda5 | 11-May-2017 | jsg <jsg@openbsd.org>
Fix a problem introduced in freezero() conversion and use sizeof(struct) not sizeof(pointer).
otto@ points out that on OpenBSD currently freezero() would have still zeroed the entire allocation, but this is not documented behaviour and may change in future.
ok tom@

7de8a684 | 02-May-2017 | deraadt <deraadt@openbsd.org>
use freezero() instead of memset/explicit_bzero + free. Substantially reduces conditional logic (-218, +82).
MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH cache alignment calculation bn/bn_exp.c wasn't quite right. Two other tricky bits with ASN1_STRING_FLAG_NDEF and BN_FLG_STATIC_DATA where the condition cannot be collapsed completely.
Passes regress. ok beck

5067ae9f | 29-Jan-2017 | beck <beck@openbsd.org>
Send the function codes from the error functions to the bit bucket, as was done earlier in libssl. Thanks inoguchi@ for noticing libssl had more reacharounds into this. ok jsing@ inoguchi@

685a9ab6 | 28-Apr-2016 | jsing <jsing@openbsd.org>
Rename EVP_aead_chacha20_poly1305() to EVP_aead_chacha20_poly1305_old() and replace with EVP_aead_chacha20_poly1305_ietf(). The IETF version will become the standard version.
Discussed with many.

263e54b2 | 13-Apr-2016 | jsing <jsing@openbsd.org>
Use the correct iv and counter when decrypting the ciphertext for EVP_aead_chacha20_poly1305_ietf().

cb91e3c0 | 02-Nov-2015 | reyk <reyk@openbsd.org>
Fix typo in comment of previous commit: "that that".