|  | Commit message (Collapse) | Author | Files | Lines | 
|---|
|  | ASN1_time_parse() was useful while OpenSSL didn't have something sort of
equivalent, but now they do. Let's retire ASN1_time_parse() to internal.
This will require some patching in ports, but shrug.
ok beck | 
|  | ok beck | 
|  | Like in libtls, we use ASN1_GENERALIZEDTIME_check() to ensure we actually
have a GeneralizedTime.
ok beck | 
|  | This one is slightly annoying since ASN1_TIME_to_tm(3) doesn't provide a
direct check for a GeneralizedTime, so call ASN1_GENERALIZEDTIME_check()
as well. This means LibreSSL parses the time twice. Shrug.
ok beck | 
|  | During r2k22 ported some of the missing OpenSSL ASN.1 time API. This is
a step towards removing the dependency of libtls on ASN1_time_parse().
The latter grew a dependency on CBS/CBB, and thus the choice is to pull
in all this code or to use a no longer maintained version of the API.
Both options are unappealing.
ok beck | 
|  | timegm(3) is not available on some operating systems we support in
portable. We currently use musl's implementation, for which gcc-13
decided to emit warnings (which seem incorrect in general and are
irrelevant in this case anyway). Instead of patching this up and
diverge from upstream, we can avoid reports about compiler warnings
by simply not depending on this function.
Rework the caching of notBefore and notAfter by replacing timegm(3)
with asn1_time_tm_to_time_t(3). Also make this API properly error
checkable since at the time x509v3_cache_extensions(3) is called,
nothing is known about the cert, in particular not whether it isn't
malformed one way or the other.
suggested by and ok beck | 
|  | ok tb@ | 
|  | These 'builder' functions, usually used together, can result in corrupt
ASIdentifiers on failure. In general, no caller should ever try to recover
from OpenSSL API failure. There are simply too many traps. We can still
make an effort to leave the objects in unmodified state on failure. This
is tricky because ownership transfer happens. Unfortunately a really
clean version of this seems impossible, maybe a future iteration will
bring improvements...
The nasty bit here is that the caller of X509v3_asid_add_id_or_range()
can't know from the return value whether ownership of min and max was
transferred or not. An inspection of (*choice)->u.range is required.
If a caller frees min and max after sk_ASIdOrRange_push() failed, there
is a double free.
All these complications could have been avoided if the API interface
had simply used uint32_t instead of ASN1_INTEGERs. The entire RFC 3779
API was clearly written without proper review. I don't know if there
ever was an actual consumer before rpki-client. If it existed, nobody
with the requisite skill set looked at it in depth.
ok beck for the general direction
with a lot of input and ok jsing | 
|  |  | 
|  | This is a straightforward conversion because I'm not going to start a
cleanup here. Explain why this is not using X509_ALGOR_set_md(). See
below.
ok jca
Let me include a beautiful note from RFC 5754 in its entirety:
   NOTE: There are two possible encodings for the AlgorithmIdentifier
   parameters field associated with these object identifiers.  The two
   alternatives arise from the loss of the OPTIONAL associated with the
   algorithm identifier parameters when the 1988 syntax for
   AlgorithmIdentifier was translated into the 1997 syntax.  Later, the
   OPTIONAL was recovered via a defect report, but by then many people
   thought that algorithm parameters were mandatory.  Because of this
   history, some implementations encode parameters as a NULL element
   while others omit them entirely.  The correct encoding is to omit the
   parameters field; however, when some uses of these algorithms were
   defined, it was done using the NULL parameters rather than absent
   parameters.  For example, PKCS#1 [RFC3447] requires that the padding
   used for RSA signatures (EMSA-PKCS1-v1_5) MUST use SHA2
   AlgorithmIdentifiers with NULL parameters (to clarify, the
   requirement "MUST generate SHA2 AlgorithmIdentifiers with absent
   parameters" in the previous paragraph does not apply to this
   padding). | 
|  | ok jca | 
|  | ok jca | 
|  | Replace X509_ALGOR_set0() with X509_ALGOR_set0_by_nid(). This way there
is no missing error checking for OBJ_nid2obj() and no nested functions.
Slightly more importantly, this plugs two long standing potential leaks
in this function (or previously rsa_cms_encrypt()) due to missing error
checking: in the unlikely event that X509_ALGOR_set0() failed, astr/ostr
would leak.
ok jsing | 
|  | ok jsing | 
|  | Test and assign one more instance replace a useless comment by an empty
line. | 
|  | In rsa_alg_set_oaep_padding() rename los to ostr for consistency with
astr, make it have function scope, free ostr in the error path and assume
X509_ALGOR_set0() success.
ok jca | 
|  |  | 
|  |  | 
|  |  | 
|  | Rename rv into ret and split it on its own line, move labellen a bit down
add some empty lines. To match style elsewhere.
Most of this was requested by jsing | 
|  | This matches what is done for PKCS#1 1.5 and PSS. This function needs a
lot of work still, but it's easier to do that without having to tiptoe
around a lot of other garbage.
ok jsing | 
|  | error check | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  | The hex decoding is only done from the JSON files provided by the
wycheproof-testvectors package. Failure is always fatal. So there
is no need for repeated error checks, and we can use an ergonomic
wrapper.
Also rework the calculation of the message digest from input data
this had a similar deficit.
All in all this shaves off about 10% of the code and removes a lot
of tedious repetition. | 
|  |  | 
|  |  | 
|  | This simplifies and unifies a lot of error messages. | 
|  | After previous refactoring, rsa_all_set_pss_padding() is the last remaining
caller of the weirdly named and ugly rsa_all_set_pss_padding(). This can be
handled in a few simple lines now that this mess has slightly cleaner code. | 
|  |  | 
|  | Check and assign the EVP_PKEY_CTX and move the extraction of the algorithm
identifier from the signer info a few lines down. | 
|  | The current convoluted mess can be handled with two calls to the new
rsa_alg_set_pss_padding() helper. Not that this would be obvious at
all.
This fixes two more leaks in case of X509_ALGOR_set0() failure.
ok jsing | 
|  | This sets the AlgorithmIdentifier's algorithm to id-RSASSA-PSS with
appropriate RSASSA-PSS parameters. This pulls a chunk of code out of
rsa_cms_sign() and rewrites it with proper error checking, thereby
fixing a long-standing leak.
This helper can also be used in rsa_item_sign(), but that part is a
bit special, and will therefore be commmitted separately.
ok jsing | 
|  | This removes a few duplicated and unchecked X509_ALGOR_set0() calls and
factors them into a helper function that sets the AlgorithmIdentifier on
the recipient info or signer info to rsaEncryption with null parameters.
ok jsing | 
|  | The determination of the test group type and the JSON unmarshalling can be
done before the closure without performance impact. This is more readable
and eliminates the need of a temporary variable again.
Suggested by jsing | 
|  | This factors another ugly switch into a helper function. This should
probably become a map eventually, but for now keep things straightforward. | 
|  | This allows us to use a simpler way of running the individual test groups
and gets rid of an ugly mostly copy-pasted switch inside a closure. | 
|  | These used the wycheproofTestGroupAead type but an upcoming change requires
to change this. Introduce the aliases now to make the next diff cleaner. | 
|  | Due to Go's idiosyncratic semantics of for loops, tests would only run
some of the test groups in the JSON file because by the time the closure
is called, the array index could be changed. For example, on fast 8 core
machines, the CMAC tests would run the last test group with key size 320
eight times rather than each of the eight test groups once.
Make a copy of the pointer before passing it to the closure to avoid this
issue.
Simpler version of my initial fix from jsing | 
|  |  | 
|  | not real problems) | 
|  |  | 
|  | ok jsing | 
|  | X509_ALGOR_set0() is annoyingly unergonomic since it takes an ASN1_OBJECT
rather than a nid.  This means that almost all callers call OBJ_obj2nid()
and they often do this inline without error checking so that the resulting
X509_ALGOR object is corrupted and may lead to incorrect encodings.
Provide an internal alternative X509_ALGOR_set0_by_nid() that takes a nid
instead of an ASN1_OBJECT and performs proper error checking. This will be
used to convert callers of X509_ALGOR_set0() in the library.
ok jsing | 
|  |  | 
|  | ok jsing | 
|  | ok jsing |