| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
| |
also remove a few NULL checks before free and drop a cryptic comment about
not needing to free x - hard to free what's not there...
ok jsing
|
| |
|
|
|
|
| |
Split main into two helper functions since having a few ML-KEM key blobs
on the stack makes Emscripten's stack explode, leading to inscrutable
silent failures unles ASAN is enabled. Go figure.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Implement a file parser that drives a state machine to extract the test data
from the .txt files and manages the parsed data. Comments and empty lines are
ignored. The code currently assumes that instruction lines are at the start
of the file (which isn't generally true) and only supports two line types for
now. This is good enough for all the ML-KEM tests but should be easy enough
to extend.
Once all data for a test case is parsed in the expected order, a test handler
is called which can retrieve the test data via a simple API and throw warnings
and errors with information on the test case line number, etc.
Merge the tests into three programs: one parsing the .txt files and running
the corresponding test cases, a unit test and the iteration tests. Deduplicate
the actual test code and let the caller pass in an object containing the
API functions, private keys and arrays that need to be different between the
768 version and the 1024 version. This way we don't have two sets of half a
dozen .c files differing only in 3 or 4 occurrences of 768 and 1024.
All this will also make it a lot easier to hook these tests into portable.
|
| |
|
|
| |
ok jsing
|
| | |
|
| |
|
|
|
| |
Now that it lives in a .c file, there's no need to point out that it is
non-public...
|
| | |
|
| |
|
|
|
|
|
|
|
| |
forgotten in rev. 1.3 on July 13 this year.
No library bump and no ABI change because libcrypto.so.55.0 did not
export the symbol because it wasn't in Symbols.list.
Found in a partial code audit focusing on X509V3_EXT_METHOD objects.
|
| | |
|
| |
|
|
|
|
|
|
| |
Unclear why this ever had to be made public since it's only used in a
single file. Anyway, nothing uses this, so remove it.
This went through a full bulk
pointed out by/ok schwarze
|
| |
|
|
|
|
|
|
| |
These were used in x509_bitst.c and x509_ia5.c for populating tables that
have been expanded a long time ago. Nothing uses them, so remove them.
This went through a full bulk
pointed out by/ok schwarze
|
| |
|
|
|
| |
Only security/xca uses it for no good rean. It can use BIT_STRING_BITNAME
if it really needs to.
|
| |
|
|
|
|
|
|
|
|
| |
LibreSSL has removed support for dynamically allocated custom extension
methods. The mysterious CTX_DEP define was part of an experimental code
dump and that part of the experimental code was never shown hence never
reviewed.
This went through a full amd64 bulk
noticed by/ok schwarze
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
of the internal subroutine X509V3_add_value(), which could result
in silently losing part of the input data on memory exhaustion.
I independently rediscovered this bug while writing the documentation,
then noticed after fixing it that Zhou Qingyang <zhou1615 at umn dot edu>
fixed it in essentially the same way in OpenSSL 3 (commit bcd5645b
on Apr 11 02:05:19 2022 +0800), but it wasn't backported to the
OpenSSL 1.1.1 branch.
OK tb@
|
| | |
|
| |
|
|
|
|
| |
correspond to an extension method.
ok schwarze
|
| | |
|
| |
|
|
|
| |
fix the name of its last parameter in the SYNOPSIS to match the DESCRIPTION,
and let the .Dt argument match the file name.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
I admit this is unusually long for a manual page. But that's not my fault
as a documentation author. An example in a manual page ought to be minimal
to show what needs to be demonstrated, and this example is minimal in that
sense. Making it shorter without loosing important aspects does not seem
possible.
When an API is poorly designed, one of the consequences is that that
documentation becomes harder to understand and often longer - in this
case to the point of becoming outright intimidating. If people dislike
that, they should design better APIs in the first place rather than
blasting the poor manual page for being too long or too complicated.
OK tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
with an unsupported control command, return -1 rather than 0
to the caller to indicate the error because in general, these
control hooks ought to return -1 for unsupported control commands
and 0 for other errors, for example other invalid arguments.
Not a big deal because this change does not change when operations
succeed or fail, and because callers are unlikely to pass unsupported
control commands in the first place. The only functional change is that
if a calling program inspects the ERR(3) stack after this failure,
it will now find the correct error code rather than nothing.
Even that wasn't a huge problem because for most EVP_CIPHER control
failures, getting no reason for the error is the usual situation.
Then again, giving the reason when easily possible may occasionally
be useful. OpenSSL also returns -1 in this case, so it also helps
compatibility a tiny bit.
Found while auditing the return values of all the EVP_CIPHER
control hooks in our tree. This was the only fishy one i found.
OK tb@
|
| | |
|
| | |
|
| |
|
|
| |
I'm so tired of this.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
algorithm-independent EVP_EncryptInit(3) manual as another step
in making the latter leaner and more palatable.
As a side benefit, the new EVP_aes_128_ccm(3) manual page may provide
a better fighting chance to programmers who see themselves forced to
support CCM for whatever reason. It documents the mandatory, but so
far undocumented EVP_CTRL_CCM_GET_TAG control command and makes the
description of the three EVP_CTRL_CCM_SET_* control commands and the
numerous related quirks more precise.
|
| | |
|
| | |
|
| |
|
|
| |
(the mystery of spotting typos right after commit strikes again)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Make proper use of CBB and CBS. If a CBS ever owns data, you're holding
it wrong. Ditch gross macros, sscanf, and globals. The use of fgets is
annoying here, so replace it with getline, which be provided by portable
if needed.
Most importantly, make the tests actually signal failure rather than
only printing an error. Fix the state machines in a few of them. Some
tests didn't parse the .txt file at all. Others mostly did but didn't
actually test what they were supposed to be testing. Such failures
were hidden by the way the tests were written.
This basically needed a complete revamp. It still isn't pretty and much
of it could be deduplicated, but I only have so much time alotted on this
blue planet.
|
| |
|
|
|
|
| |
More work in mlkem is needed and this was premature.
discussed with beck and jsing
|
| |
|
|
| |
discussed with beck and jsing
|
| |
|
|
|
|
|
| |
As long as is not quite clear what we want to do about the public API
aspect of MLKEM, keep things internal for now.
discussed with beck and jsing
|
| | |
|
| |
|
|
|
| |
The shift is between 0 and 5 bits, so it doesn't matter, but VS is short
for very st...ubborn as are its users when it comes to reporting non-issues
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The main benefit is moving the cumbersome and error-prone method of
using EVP_EncryptInit(3) for AES-GCM out of the important, but obese
manual page EVP_EncryptInit(3), and to create a logical place for
pointing readers to the safer and more flexible EVP_AEAD_CTX_init(3).
As a side benefit, document three control commands that were so far
undocumented and make the description of three others more precise.
Feedback and OK tb@.
|
| |
|
|
|
|
|
|
| |
Some versions of Clang compile this to non-constant time
code. The fix is adapted from boring. For full details see:
https://boringssl-review.googlesource.com/c/boringssl/+/74447
ok tb@
|
| |
|
|
| |
From Kenjiro Nakayama
|
| |
|
|
| |
There's still CBS holding data in here. Yuck.
|
| |
|
|
|
|
|
| |
This needs more thinking. These are void functions that allocate...
Left an XXX for now.
From Kenjiro Nakayama
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
This had an extra dance to allow a NULL output buffer. The plan was to
use this in i2o_ECPublicKey() to preserve the behavior of avoiding an
allocation if out == NULL. However, when I rewrote the latter I punted
on preserving that complication, as it was already batshit crazy enough.
Thus, remove said dance and make ec_point_to_octets() cleaner.
ok jsing
|
| | |
|
| |
|
|
| |
RCS marker, KNF for comment, fix and sort includes as usual.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changes include conversion from C++, basic KNF, then adaptation to
use our sha3 functions for sha3 and shake instead of the BorinSSL
version. This Adds units tests to run against BoringSSL and NIST test
vectors.
The future public API is the same as Boring's - but is not yet exposed
pending making bytestring.h public (which will happen separately) and
a minor bump
Currently this will just ensure we build and run regress.
ok tb@ to get it into the tree and massage from there.
|
