|  | Commit message (Collapse) | Author | Files | Lines | 
|---|
|  |  | 
|  |  | 
|  | I'm so tired of this. | 
|  | algorithm-independent EVP_EncryptInit(3) manual as another step
in making the latter leaner and more palatable.
As a side benefit, the new EVP_aes_128_ccm(3) manual page may provide
a better fighting chance to programmers who see themselves forced to
support CCM for whatever reason.  It documents the mandatory, but so
far undocumented EVP_CTRL_CCM_GET_TAG control command and makes the
description of the three EVP_CTRL_CCM_SET_* control commands and the
numerous related quirks more precise. | 
|  |  | 
|  |  | 
|  | (the mystery of spotting typos right after commit strikes again) | 
|  | Make proper use of CBB and CBS. If a CBS ever owns data, you're holding
it wrong. Ditch gross macros, sscanf, and globals. The use of fgets is
annoying here, so replace it with getline, which be provided by portable
if needed.
Most importantly, make the tests actually signal failure rather than
only printing an error. Fix the state machines in a few of them. Some
tests didn't parse the .txt file at all. Others mostly did but didn't
actually test what they were supposed to be testing. Such failures
were hidden by the way the tests were written.
This basically needed a complete revamp. It still isn't pretty and much
of it could be deduplicated, but I only have so much time alotted on this
blue planet. | 
|  | More work in mlkem is needed and this was premature.
discussed with beck and jsing | 
|  | discussed with beck and jsing | 
|  | As long as is not quite clear what we want to do about the public API
aspect of MLKEM, keep things internal for now.
discussed with beck and jsing | 
|  |  | 
|  | The shift is between 0 and 5 bits, so it doesn't matter, but VS is short
for very st...ubborn as are its users when it comes to reporting non-issues | 
|  |  | 
|  |  | 
|  |  | 
|  | The main benefit is moving the cumbersome and error-prone method of
using EVP_EncryptInit(3) for AES-GCM out of the important, but obese
manual page EVP_EncryptInit(3), and to create a logical place for
pointing readers to the safer and more flexible EVP_AEAD_CTX_init(3).
As a side benefit, document three control commands that were so far
undocumented and make the description of three others more precise.
Feedback and OK tb@. | 
|  | Some versions of Clang compile this to non-constant time
code. The fix is adapted from boring. For full details see:
https://boringssl-review.googlesource.com/c/boringssl/+/74447
ok tb@ | 
|  | From Kenjiro Nakayama | 
|  | There's still CBS holding data in here. Yuck. | 
|  | This needs more thinking. These are void functions that allocate...
Left an XXX for now.
From Kenjiro Nakayama | 
|  |  | 
|  | This had an extra dance to allow a NULL output buffer. The plan was to
use this in i2o_ECPublicKey() to preserve the behavior of avoiding an
allocation if out == NULL. However, when I rewrote the latter I punted
on preserving that complication, as it was already batshit crazy enough.
Thus, remove said dance and make ec_point_to_octets() cleaner.
ok jsing | 
|  |  | 
|  | RCS marker, KNF for comment, fix and sort includes as usual. | 
|  | Changes include conversion from C++, basic KNF, then adaptation to
use our sha3 functions for sha3 and shake instead of the BorinSSL
version. This Adds units tests to run against BoringSSL and NIST test
vectors.
The future public API is the same as Boring's - but is not yet exposed
pending making bytestring.h public (which will happen separately) and
a minor bump
Currently this will just ensure we build and run regress.
ok tb@ to get it into the tree and massage from there. | 
|  |  | 
|  | Changes include conversion from C++, basic KNF, then adaptation to
use our sha3 functions for sha3 and shake instead of the BorinSSL
version. This Adds units tests to run against BoringSSL and NIST test
vectors.
The future public API is the same as Boring's - but is not yet exposed
pending making bytesring.h public (which will happen separately) and
a minor bump
Currently this will just ensure we build and run regress.
ok tb@ to get it into the tree and massage from there. | 
|  |  | 
|  | Now that we only do curves over GF(p) fields, there's no need to use a
weird, confusing name for what we usually call p. Adjust some comments
in the vicinity as well. | 
|  |  | 
|  | ok millert@ schwarze@ | 
|  | The options were already removed from the manual in 91e7614a.
From Renaud Allard (hand-applied since patch was mangled) | 
|  | As explained in a comment, this needs to loop backwards and the last tt--
ends up pointing at &it->templates[-1], which isn't ok. Use a simple way
of looping, which is also ugly and involves some type confusion as pointed
out by claudio. However, type confusion is common in libcrypto's asn1 code
and won't be fixed anytime soon anyway.
ok jsing | 
|  |  | 
|  | It does *not* "work in the same way" as EVP_PKEY_new_raw_private_key(3)
but merely arrives at the same end result after doing lots of
cumbersome and unnecessary work - and on top of that, it only works
for EVP_PKEY_HMAC. | 
|  | parameters that can be controlled with EVP_PKEY_CTX_ctrl(3).
But rather than providing a detailed despription, instead
point to what application programs should use instead and explain
why using the control constant directly would be a particularly bad
idea in this case. | 
|  |  | 
|  | ok beck | 
|  |  | 
|  |  | 
|  | There is currently no sane way of getting your hands on the common name or
subject alternative name of the peer certificate from libtls. It is possible
to extract it from the peer cert's PEM by hand, but that way lies madness.
While the common name is close to being deprecated in the webpki, it is
still the de facto standard to identify client certs. It would be nice to
have a way to access the subject alternative names as well, but this is a
lot more difficult to expose in a clean and sane C interface due to its
multivaluedness.
Initial diff from henning, with input from beck, jsing and myself
henning and bluhm have plans of using this in syslogd.
ok beck | 
|  | because they are intended as internal, and applications are supposed to use
the documented aliases DH, DSA, EC_KEY, and RSA from ossl_typ.h instead. | 
|  | because they are completely unused by anything. | 
|  | that are obsolete after PBE was mostly removed from LibreSSL. | 
|  |  | 
|  | that are only used for GOST. | 
|  | undocumented because they are only used by the function X509_certificate_type()
which is deprecated and will eventually be deleted. | 
|  | because LibreSSL does not support RC5 and because these constants
are almost unused in the wild. | 
|  | and document them properly in their own manual page, including the control
commands EVP_CTRL_SET_RC2_KEY_BITS and EVP_CTRL_GET_RC2_KEY_BITS that were
so far undocumented.
Arguably, the main benefit is another small step making the important,
but still obese EVP_EncryptInit(3) manual page more palatable. |