summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Avoid strict aliasing violations in BN_nist_mod_*()jsing2022-05-071-86/+137
| | | | | | | | | | | | | | | | | | | | | | | The optimised code path switches from processing data via unsigned long to processing data via unsigned int, which requires type punning. This is currently attempted via a union (for one case), however this fails since a pointer to a union member is passed to another function (these unions were added to "fix strict-aliasing compiler warning" - it would seem the warnings stopped but the undefined behaviour remained). The second case does not use a union and simply casts from one type to another. Undefined behaviour is currently triggered when compiling with clang 14 using -03 and -fstrict-aliasing, while disabling assembly (in order to use this C code). The resulting binary produces incorrect results. Avoid strict aliasing violations by copying from an unsigned long array to an unsigned int array, then copying back the result. Any sensible compiler will omit the copies, while avoiding undefined behaviour that would result from unsafe type punning via pointer type casting. Thanks to Guido Vranken for reporting the issue and testing the fix. ok tb@
* Add missing ERR_load_{COMP,CT,KDF}_strings()tb2022-05-061-1/+11
| | | | ok beck
* Also check EVP_PKEY_CTX_new_id() return in example code. Letting thistb2022-05-061-2/+4
| | | | | be caught by the error check of EVP_PKEY_derive_init() is a dubious pattern.
* Install EVP_PKEY_CTX_set_hkdf_md.3tb2022-05-061-1/+2
|
* Document the EVP HKDF APItb2022-05-061-0/+251
| | | | | | Manual from OpenSSL 1.1.1o with minimal tweaks. input/ok schwarze
* Simplify: freezero() is NULL safe; assign + test in one go, as usual.tb2022-05-051-11/+5
| | | | ok jsing
* Avoid malloc(0) in EVP_PKEY_CTX_set1_hkdf_key()tb2022-05-051-2/+2
| | | | ok jsing
* Securely wipe the entire HKDF_PKEY_CTX instead of only taking care oftb2022-05-051-5/+3
| | | | | | a piece of the embedded info array. ok jsing
* Use size_t for ASN.1 lengths.jsing2022-05-054-16/+20
| | | | | | | | Change asn1_get_length_cbs() and asn1_get_object_cbs() to handle and return a length as a size_t rather than a uint32_t. This makes it simpler and less error prone in the callers. Suggested by and ok tb@
* Switch wycheproof.go to using the EVP HKDF API.tb2022-05-051-6/+67
| | | | | | | Gotta love EVP... Instead of a single, obvious call to HKDF(), you now need to call eight EVP functions with plenty of allocations and pointless copying internally. If you want to suffer even more, you could consider using the gorgeous string interface instead.
* Fix HMAC() with NULL keytb2022-05-051-2/+7
| | | | | | | | | | | | | | | | | If a NULL key is passed to HMAC_Init_ex(), it tries to reuse the previous key. This makes no sense inside HMAC() since the HMAC_CTX has no key set yet. This is hit by HKDF() with NULL salt() via the EVP API and results in a few Wycheproof test failures. If key is NULL, use a zero length dummy key. This was not hit from wycheproof.go since we pass a []byte with a single NUL from Go. Matches OpenSSL if key is NULL and key_len is 0. If key_len != 0, OpenSSL will still fail by passing a NULL key which makes no sense, so set key_len to 0 instead. ok beck jsing
* Fix argument order in HKDF and HKDF_extract().tb2022-05-051-5/+5
|
* Add hkdf_pkey_meth to the standard_methods[]tb2022-05-051-1/+3
| | | | ok beck jsing
* Link kdf/ to the buildtb2022-05-051-1/+7
| | | | ok beck jsing
* Provide EVP_PKEY_HKDF alias for NID_hkdftb2022-05-051-1/+2
| | | | ok beck jsing
* Provide KDFerr() and KDFerror() macrostb2022-05-051-1/+4
| | | | ok beck jsing
* Provide versions of EVP_PKEY_CTX_{str,hex}2ctrl() for internal use.tb2022-05-052-2/+38
| | | | ok beck jsing
* Ditch #defines for tls1_prf and scrypt. Drop unused errors and massagetb2022-05-052-95/+8
| | | | | | some const. ok beck jsing
* Translate from OpenSSL's HKDF API to BoringSSL API.tb2022-05-051-8/+7
| | | | ok beck jsing
* Remove function codes from errors, i.e., KDFerr(A, B) -> KDFerror(B)tb2022-05-051-5/+5
| | | | ok beck jsing
* Fix typo in previous.tb2022-05-051-2/+2
|
* Inline OPENSSL_memdup() using malloc() + memcpy()tb2022-05-051-3/+5
| | | | ok beck jsing
* Translate OPENSSL_{cleanse,clear_free,free,zalloc}() to libc API.tb2022-05-051-11/+11
| | | | ok beck jsing
* Adjust includes for LibreSSLtb2022-05-051-4/+7
| | | | ok beck jsing
* Use C99 initializres for hkdf_pkey_methtb2022-05-051-26/+10
| | | | ok beck jsing
* Remove OpenSSL versions of HKDF*().tb2022-05-051-117/+1
| | | | ok beck jsing
* Fix includes of the removed kdferr.htb2022-05-052-4/+3
|
* Add NID for HKDFtb2022-05-052-0/+4
| | | | ok beck jsing
* remove accidentally duplicated linetb2022-05-041-2/+1
|
* Whitespace nit (knfmt(1) agrees after inserting an empty line after thetb2022-05-041-4/+5
| | | | variable declaration)
* KNF according to knfmt(1)tb2022-05-042-275/+288
|
* Add RCS tagstb2022-05-043-0/+3
|
* Restore copyright years to 2016-2018 as they were before the previoustb2022-05-042-2/+2
| | | | commit.
* Reinstate the licenses that were replaced with license stubs intb2022-05-042-12/+100
| | | | | OpenSSL commits d2e9e320186f0917cc940f46bdf1a7e4120da9b0 and b6cff313cbb1d0381b329fe4f6a8f009cdb270e4
* Bump copyright years to 2016-2018 as it was before the previous commit.tb2022-05-041-1/+1
|
* Reinstate the license that was replaced with a stub in OpenSSL committb2022-05-041-5/+49
| | | | 21dcbebc6e35419f1842f39a125374ea1ba45693
* Inline kdferr.h at the end of kdf.htb2022-05-042-55/+37
|
* Rename hkdf.c to hkdf_evp.c to avoid a name clash with hkdf/hkdf.ctb2022-05-041-0/+0
|
* Import HKDF code from OpenSSL 1.1.1otb2022-05-044-0/+571
| | | | | | | | | | | | | | | | | | | This imports verbatim copies as of the OpenSSL_1_1_1o tag of crypto/kdf/hkdf.c crypto/kdf/hkdf_err.c include/openssl/kdf.h include/openssl/kdferr.h from https://www.github.com/openssl/openssl.git into lib/libcrypto/kdf. We only want the EVP interface to HKDF since some ports need them. Not yet linked to the build since it will not compile. Follow-on commits will add KNF, clean up and make this compile. Tests of an early draft version by abieber and Caspar Schutijser ok jsing
* Rewrite asn1_collect() and asn1_find_end() with CBS.jsing2022-05-041-77/+80
| | | | | | Use more readable variable and arguments names in the process. ok tb@
* Avoid special handling of definite length before calling asn1_find_end().jsing2022-05-041-10/+4
| | | | | | | | The asn1_find_end() function handles definite length ASN.1, which means that there is no point in the only caller having code to explicitly handle definite length - it can just call the function. ok tb@
* Change asn1_check_tag_cbs() out_len from long to size_t.jsing2022-05-041-4/+10
| | | | | | | | The long vs size_t checks can be handled in the asn1_check_tag() wrapper and this will help to avoid propagating long vs size_t issues into new code. ok tb@
* Add tests that decode sequences into ASN.1 strings.jsing2022-04-281-1/+97
| | | | | | | | | | | Test decoding of sequences with length and indefinite length into an ASN.1 string - in this case the ASN.1 is not decoded, rather the octets are stored directly as the content of the string. This exercises a specific path through the ASN.1 decoder. (you know asn1complex is living up to its name when you have to import openssl/asn1t.h directly...)
* Rewrite asn1_check_tlen() using CBS.jsing2022-04-283-63/+113
| | | | | | | | | | | | | | | Rather than calling asn1_get_object_cbs(), call asn1_get_identifier_cbs(), then immediately proceed with the tag number and tag class check. Only if that succeeds (or it is not required) do we call asn1_get_length_cbs(). This avoids incurring the overhead of decoding the length in the case where the tag number and tag class do not match. While here rename asn1_check_tlen() to asn1_check_tag() - while we decode the length, what we are normally checking is the tag number and tag class. Also rename the arguments for readability. For now the argument types and encoding remain unchanged. ok inoguchi@ tb@
* Refactor ASN1_TIME_adj_internal()tb2022-04-281-84/+82
| | | | | | | | | | | | | | | | | | ASN1_TIME_adj_internal() does some strange dances with remembering allocations in a boolean and using strlen(p) to deduce what happened inside *_string_from_tm(). It also (mis)translates a NULL p to an illegal time value error. This can be streamlined by converting directly from a struct tm into an ASN1_TIME and setting the errors when they occur instead of trying to deduce them from a NULL return. This is made a bit uglier than necessary due to the reuse-or-allocate semantics of the public API. At the cost of a little code duplication, ASN1_TIME_adj_internal() becomes very easy and ASN1_TIME_to_generalizedtime() is also simplified somewhat. ok inoguchi jsing
* Fix comparison in openssl(1) pkcs12inoguchi2022-04-281-3/+3
| | | | comment from tb@
* Compare pointer value with NULL in openssl(1) pkcs12inoguchi2022-04-281-31/+31
| | | | ok tb@
* Decode via c2i_ASN1_INTEGER_cbs() from asn1_ex_c2i().jsing2022-04-272-5/+5
|
* Ensure we clear the error stack before running tests that print errors.jsing2022-04-272-2/+10
|
* Enable ASN.1 INTEGER tests with invalid lengths/encodings.jsing2022-04-271-3/+1
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-04 23:03:42 +0000