| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
SEC 1, section 2.3.5, is explicit that the encoding of an element of the
field of definition for an elliptic curve needs to be a zero-padded octet
string whose length matches the byte size of the field's degree. So use
BN_bn2binpad() to fix this. Factor things into a simple helper to avoid
copy-pasting.
This gets rid of some of the most grotesque code in this file.
ok jsing
|
| |
|
|
|
|
| |
Also remove a pointless cast.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
| |
No idea how anyone would think that tmp_1 and tmp_2 are better suited for
this.
ok jsing
|
| |
|
|
|
|
|
|
| |
This drops some unnecessary freeing that was turned into a double free
reachable via public API in OpenSSL 1.1. Other than that it unindents
code and uses better variable names.
ok jsing
|
| |
|
|
|
|
|
| |
Only check for the OPENSSL_EC_NAMED_CURVE being set to treat the curve
parameters as named curve parameters.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
| |
The callers already ensure that params != NULL.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
| |
Use better variable names and do things in a slightly more sensible order.
This way the code becomes almost self-documenting.
ok jsing
|
| |
|
|
|
|
|
| |
Its only caller passes NULL, so we can simplify the entry point and the
exit of this function a bit.
ok jsing
|
| |
|
|
|
|
|
| |
The parameters argument is always NULL, so we can simplify this helper
accordingly.
ok jsing
|
| |
|
|
|
|
|
|
| |
priv_key->parameters is always NULL at this point, since its corresponding
entry in the ASN.1 template has ASN1_TFLG_OPTIONAL set, so there is no point
in pretending to pass it to ec_asn1_group2pkparameters().
ok jsing
|
| |
|
|
|
|
|
|
| |
Use better variable names and turn it into single-exit. This changes the
behavior slightly in that an error is pushed onto the stack also for
i2d_ECPKPARAMETERS() return values < 0.
ok jsing
|
| |
|
|
|
|
|
|
| |
This was only used by the NIST method. For all other group methods it's
an uninitialized pointer (as EC_GROUP_new() still uses the malloc + set
all members to 0 idiom).
ok jsing
|
| |
|
|
| |
They aren't used outside of this file.
|
| |
|
|
|
|
|
| |
Same issue/leak as for BN_to_ASN1_INTEGER(). Stop reusing the elliptic
curve parameters a and b for order and cofacter. It's confusing.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
| |
You can either let this API reuse an existing ASN1_INTEGER or you can let
it allocate a new one. If you try to do both at the same time, you'll leak.
ok jsing
|
| |
|
|
|
|
|
|
| |
This disables the EVP_PKEY_*check() API and makes it fail (more precisely
indicate lack of support) on all key types.
This is an intermediate step to full removal.
Removal is ok beck jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a slightly strange combination of OBJ_find_sigid_algs() and the
security level API necessary because OBJ_find_sigid_algs() on its own
isn't smart enough for the special needs of RSA-PSS and EdDSA.
The API extracts the hash's NID and the pubkey's NID from the certificate's
signatureAlgorithm and invokes special handlers for RSA-PSS and EdDSA
for retrieving the corresponding information. This isn't entirely free
for RSA-PSS, but for now we don't cache this information.
The security bits calculation is a bit hand-wavy, but that's something
that comes along with this sort of numerology.
ok jsing
|
| | |
|
| |
|
|
|
|
| |
Unbreaks ssh's t-agent-pkcs11-cert regress reported by anton.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These constitute the bulk of the remaining global mutable state in
libcrypto. This commit moves most of them into data.rel.ro, leaving
out ERR_str_{functs,libraries,reasons} (which require a slightly
different approach) and SYS_str_reasons which is populated on startup.
The main observation is that if ERR_load_strings() is called with a 0 lib
argument, the ERR_STRING_DATA argument is not actually modified. We could
use this fact to cast away const on the caller side and be done with it.
We can make this cleaner by adding a helper ERR_load_const_strings() which
explicitly avoids the assignment to str->error overriding the error code
already set in the table.
In order for this to work, we need to sprinkle some const in err/err.c.
CMS called ERR_load_strings() with non-0 lib argument, but this didn't
actually modify the error data since it ored in the value already stored
in the table.
Annoyingly, we need to cast const away once, namely in the call to
lh_insert() in int_err_set_item(). Fixing this would require changing
the public API and is going to be tricky since it requires that the
LHASH_DOALL_FN_* types adjust.
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
|
| |
While eckey_from_explicit_params() frees *out_eckey, eckey_from_object()
and eckey_from_params() do not. These functions are currently all callled
with a NULL *out_eckey, but the latter two would leak if that should ever
change.
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
| |
The case in point is the incompatibility of the very ergonomic X509_ALGOR
API with the RC2-derived API massacre that is EVP_CIPHER_asn1_to_param()
and its "inverse".
ok jsing
|
| |
|
|
|
|
|
|
| |
This makes things slightly less gross since it involves less reaching
into nested ASN.1 structures. But don't get the idea that this means
the code is now clean.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| | |
|
| |
|
|
|
|
|
| |
Another stroke of the already very dirty brush eliminates more traces
of ADHD and/or crack.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This manually constructs an X509_ALGOR because the (now internal) legacy
interface EVP_CIPHER_param_to_asn1() (which is an unwelcome complication
thanks to RC2) is entirely incompatible with X509_ALGOR_set0() since
the ASN1_TYPE can't be pulled apart nicely (because the ASN1_TYPE API
is incomplete as well).
Once we got this far, we get to DER-encode the inner AlgorithmIdentifier
and set that blob as the parameters of another one. The same variables
are reused of course and needless to say an unchecked X509_ALGOR_set0()
would leak this blob on failure. So fix this by switching to the usual
error checked X509_ALGOR_set0_by_nid().
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
| |
Again the getting and the setting were interrupted by ten lines of
completely unrelated code.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
It is much simpler to avoid the key_type variable altogether and inline
its use. Also it makes no sense to have 15 unrelated lines between the
getting of the kdf type, checking its content, and then actually setting
it to EVP_PKEY_ECDH_KDF_X9_63.
ok jsing
|
| |
|
|
|
|
|
|
| |
While setting the parameters to type V_ASN1_UNDEF can't actually fail,
it is cleaner to just do the check. Using the by_nid() variant also
removes the need for an unchecked nested OBJ_nid2obj() call.
ok jsing
|
| |
|
|
|
|
|
| |
The pkey is only used in one scope. i2o allocates if passed a pointer
to NULL, so use that to drop two unnecessary local variables.
ok jsing
|
| |
|
|
|
|
|
| |
This looks like a use after free, but setting the unused bits to 0
can't actually fail.
ok jsing
|
| |
|
|
|
|
| |
Also use ret instead of rv.
ok jsing
|
| |
|
|
|
|
|
|
| |
ASN1_TYPE_get() returns V_ASN1_* constants. Checking the return for
NID_undef instead means that we actually check for V_ASN1_EOC, which
makes absolutely no sense here. Clearly V_ASN1_UNDEF was intended.
ok jsing
|
| |
|
|
|
|
| |
We only need the ASN.1 items.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
pointed out by jsing
|
| |
|
|
|
|
|
|
|
|
| |
These are four versions of near identical code: PKCS#7 and CMS controls
for DSA and EC. The checks are rather incomplete and should probably be
merged somehow (see the Ed25519 version in ecx_methods(). For now, only
replace X509_ALGOR_set0() with its internal by_nid() version and, while
there, spell NULL correctly.
ok jca
|
| |
|
|
|
|
| |
use LCRYPTO_UNUSED and remove the LIBRESSL_INTERNAL guard
ok tb@
|
