summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Avoid malloc(0) in EVP_PKEY_CTX_set1_hkdf_key()tb2022-05-051-2/+2
| | | | ok jsing
* Securely wipe the entire HKDF_PKEY_CTX instead of only taking care oftb2022-05-051-5/+3
| | | | | | a piece of the embedded info array. ok jsing
* Use size_t for ASN.1 lengths.jsing2022-05-054-16/+20
| | | | | | | | Change asn1_get_length_cbs() and asn1_get_object_cbs() to handle and return a length as a size_t rather than a uint32_t. This makes it simpler and less error prone in the callers. Suggested by and ok tb@
* Switch wycheproof.go to using the EVP HKDF API.tb2022-05-051-6/+67
| | | | | | | Gotta love EVP... Instead of a single, obvious call to HKDF(), you now need to call eight EVP functions with plenty of allocations and pointless copying internally. If you want to suffer even more, you could consider using the gorgeous string interface instead.
* Fix HMAC() with NULL keytb2022-05-051-2/+7
| | | | | | | | | | | | | | | | | If a NULL key is passed to HMAC_Init_ex(), it tries to reuse the previous key. This makes no sense inside HMAC() since the HMAC_CTX has no key set yet. This is hit by HKDF() with NULL salt() via the EVP API and results in a few Wycheproof test failures. If key is NULL, use a zero length dummy key. This was not hit from wycheproof.go since we pass a []byte with a single NUL from Go. Matches OpenSSL if key is NULL and key_len is 0. If key_len != 0, OpenSSL will still fail by passing a NULL key which makes no sense, so set key_len to 0 instead. ok beck jsing
* Fix argument order in HKDF and HKDF_extract().tb2022-05-051-5/+5
|
* Add hkdf_pkey_meth to the standard_methods[]tb2022-05-051-1/+3
| | | | ok beck jsing
* Link kdf/ to the buildtb2022-05-051-1/+7
| | | | ok beck jsing
* Provide EVP_PKEY_HKDF alias for NID_hkdftb2022-05-051-1/+2
| | | | ok beck jsing
* Provide KDFerr() and KDFerror() macrostb2022-05-051-1/+4
| | | | ok beck jsing
* Provide versions of EVP_PKEY_CTX_{str,hex}2ctrl() for internal use.tb2022-05-052-2/+38
| | | | ok beck jsing
* Ditch #defines for tls1_prf and scrypt. Drop unused errors and massagetb2022-05-052-95/+8
| | | | | | some const. ok beck jsing
* Translate from OpenSSL's HKDF API to BoringSSL API.tb2022-05-051-8/+7
| | | | ok beck jsing
* Remove function codes from errors, i.e., KDFerr(A, B) -> KDFerror(B)tb2022-05-051-5/+5
| | | | ok beck jsing
* Fix typo in previous.tb2022-05-051-2/+2
|
* Inline OPENSSL_memdup() using malloc() + memcpy()tb2022-05-051-3/+5
| | | | ok beck jsing
* Translate OPENSSL_{cleanse,clear_free,free,zalloc}() to libc API.tb2022-05-051-11/+11
| | | | ok beck jsing
* Adjust includes for LibreSSLtb2022-05-051-4/+7
| | | | ok beck jsing
* Use C99 initializres for hkdf_pkey_methtb2022-05-051-26/+10
| | | | ok beck jsing
* Remove OpenSSL versions of HKDF*().tb2022-05-051-117/+1
| | | | ok beck jsing
* Fix includes of the removed kdferr.htb2022-05-052-4/+3
|
* Add NID for HKDFtb2022-05-052-0/+4
| | | | ok beck jsing
* remove accidentally duplicated linetb2022-05-041-2/+1
|
* Whitespace nit (knfmt(1) agrees after inserting an empty line after thetb2022-05-041-4/+5
| | | | variable declaration)
* KNF according to knfmt(1)tb2022-05-042-275/+288
|
* Add RCS tagstb2022-05-043-0/+3
|
* Restore copyright years to 2016-2018 as they were before the previoustb2022-05-042-2/+2
| | | | commit.
* Reinstate the licenses that were replaced with license stubs intb2022-05-042-12/+100
| | | | | OpenSSL commits d2e9e320186f0917cc940f46bdf1a7e4120da9b0 and b6cff313cbb1d0381b329fe4f6a8f009cdb270e4
* Bump copyright years to 2016-2018 as it was before the previous commit.tb2022-05-041-1/+1
|
* Reinstate the license that was replaced with a stub in OpenSSL committb2022-05-041-5/+49
| | | | 21dcbebc6e35419f1842f39a125374ea1ba45693
* Inline kdferr.h at the end of kdf.htb2022-05-042-55/+37
|
* Rename hkdf.c to hkdf_evp.c to avoid a name clash with hkdf/hkdf.ctb2022-05-041-0/+0
|
* Import HKDF code from OpenSSL 1.1.1otb2022-05-044-0/+571
| | | | | | | | | | | | | | | | | | | This imports verbatim copies as of the OpenSSL_1_1_1o tag of crypto/kdf/hkdf.c crypto/kdf/hkdf_err.c include/openssl/kdf.h include/openssl/kdferr.h from https://www.github.com/openssl/openssl.git into lib/libcrypto/kdf. We only want the EVP interface to HKDF since some ports need them. Not yet linked to the build since it will not compile. Follow-on commits will add KNF, clean up and make this compile. Tests of an early draft version by abieber and Caspar Schutijser ok jsing
* Rewrite asn1_collect() and asn1_find_end() with CBS.jsing2022-05-041-77/+80
| | | | | | Use more readable variable and arguments names in the process. ok tb@
* Avoid special handling of definite length before calling asn1_find_end().jsing2022-05-041-10/+4
| | | | | | | | The asn1_find_end() function handles definite length ASN.1, which means that there is no point in the only caller having code to explicitly handle definite length - it can just call the function. ok tb@
* Change asn1_check_tag_cbs() out_len from long to size_t.jsing2022-05-041-4/+10
| | | | | | | | The long vs size_t checks can be handled in the asn1_check_tag() wrapper and this will help to avoid propagating long vs size_t issues into new code. ok tb@
* Add tests that decode sequences into ASN.1 strings.jsing2022-04-281-1/+97
| | | | | | | | | | | Test decoding of sequences with length and indefinite length into an ASN.1 string - in this case the ASN.1 is not decoded, rather the octets are stored directly as the content of the string. This exercises a specific path through the ASN.1 decoder. (you know asn1complex is living up to its name when you have to import openssl/asn1t.h directly...)
* Rewrite asn1_check_tlen() using CBS.jsing2022-04-283-63/+113
| | | | | | | | | | | | | | | Rather than calling asn1_get_object_cbs(), call asn1_get_identifier_cbs(), then immediately proceed with the tag number and tag class check. Only if that succeeds (or it is not required) do we call asn1_get_length_cbs(). This avoids incurring the overhead of decoding the length in the case where the tag number and tag class do not match. While here rename asn1_check_tlen() to asn1_check_tag() - while we decode the length, what we are normally checking is the tag number and tag class. Also rename the arguments for readability. For now the argument types and encoding remain unchanged. ok inoguchi@ tb@
* Refactor ASN1_TIME_adj_internal()tb2022-04-281-84/+82
| | | | | | | | | | | | | | | | | | ASN1_TIME_adj_internal() does some strange dances with remembering allocations in a boolean and using strlen(p) to deduce what happened inside *_string_from_tm(). It also (mis)translates a NULL p to an illegal time value error. This can be streamlined by converting directly from a struct tm into an ASN1_TIME and setting the errors when they occur instead of trying to deduce them from a NULL return. This is made a bit uglier than necessary due to the reuse-or-allocate semantics of the public API. At the cost of a little code duplication, ASN1_TIME_adj_internal() becomes very easy and ASN1_TIME_to_generalizedtime() is also simplified somewhat. ok inoguchi jsing
* Fix comparison in openssl(1) pkcs12inoguchi2022-04-281-3/+3
| | | | comment from tb@
* Compare pointer value with NULL in openssl(1) pkcs12inoguchi2022-04-281-31/+31
| | | | ok tb@
* Decode via c2i_ASN1_INTEGER_cbs() from asn1_ex_c2i().jsing2022-04-272-5/+5
|
* Ensure we clear the error stack before running tests that print errors.jsing2022-04-272-2/+10
|
* Enable ASN.1 INTEGER tests with invalid lengths/encodings.jsing2022-04-271-3/+1
|
* Rewrite c2i_ASN1_INTEGER() using CBS.jsing2022-04-271-84/+129
| | | | | | | | This also makes validation stricter and inline with X.690 - we now reject zero length inputs (rather than treating them as zero values) and enforce minimal encoding. ok tb@
* Remove the ASN.1 decoder tag/length cache (TLC).jsing2022-04-271-90/+37
| | | | | | | | | | | | | | | | | | | | | | | | | | Currently, every time an ASN.1 identifier and length is decoded it is stored in a tag/length cache for potential reuse. However, the only time this is actually of benefit is when decoding CHOICE or SEQUENCE with OPTIONAL fields (or MSTRING and ANY due to less than ideal implementation). For CHOICE and SEQUENCE with OPTIONAL fields the current code attempts to decode the first option and if that fails, it moves onto the next option and attempts to decode it, repeating until it succeeds (or runs out of options). There are a number of problems with the cache. Firstly, it adds complexity to the ASN.1 decoder since it has to be passed up and down through the various layers. Secondly, there is nothing that keeps the cached data in synchronisation with the input stream. This makes it fragile and a potential security risk. Thirdly, the type is in the public headers and API, meaning that we cannot readily change the types or fields to improve the code. Testing also suggests that in typical decoding cases we actually get a small performance increase by removing the cache. There are also several other options that would improve decoding performance, which we can visit once we have simpler and more robust code. ok beck@ inoguchi@ tb@
* ASN1_{,const_}check_infinite_end(3) were removed in the last major bump,tb2022-04-271-5/+2
| | | | so there's no longer a need to document that they are undocumented.
* Decode via c2i_ASN1_BIT_STRING_cbs() from asn1_ex_c2i().jsing2022-04-263-9/+14
| | | | ok inoguchi@ tb@
* Rewrite c2i_ASN1_BIT_STRING() using CBS.jsing2022-04-231-44/+83
| | | | | | | | | Also switch to freeing and allocating, rather than attempting to recycle. While here, factor out the flags ASN1_STRING_FLAG_BITS_LEFT bit bashing and use the name "unused bits" rather than "bits left", to be more inline with X.690 wording. ok inoguchi@ tb@
* Convert asn1_ex_c2i() to CBS.jsing2022-04-233-24/+43
| | | | | | This allows us to make direct use of c2i_ASN1_OBJECT_cbs(). ok inoguchi@ tb@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-04 04:37:18 +0000