| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
EVP_Digest{Init,Update,Final}() move from digest.c to evp_digest.c which
will become the home of all things related to EVP_MD{,_CTX} handling.
EVP_Cipher{Init,Update,Final}() move from evp_enc.c to evp_cipher.c which
will become the home of all things related to EVP_CIPHER{,_CTX} handling.
EVP_Encode{Init,Update,Final}() move from encode.c to evp_encode.c which
already is the home of EVP_ENCODE_CTX_{new,free}().
discussed with jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is a bizarre EVP_CIPHER_CTX_cleanup() call in EVP_CipherInit()
leading to a subtle behavior difference with EVP_CipherInit_ex().
The history is that before EVP_CIPHER_CTX was made opaque, a context would
often live on the stack (hello, MariaDB) and the EVP_CIPHER_CTX_cleanup()
call was in fact an EVP_CIPHER_CTX_init() which just zeroes out the struct.
The problem with doing this is that on context reuse there could be data
hanging off it, causing leaks. Attempts were made to clean up things in
EVP_CipherFinal*(), but that broke applications reaching into the context
afterward, so they were removed again. Later on, opacity allowed changing
the _init() to a _cleanup() since EVP_CIPHER_CTX could no longer live on
the stack, so it would no longer contain garbage. I have to correct myself:
it would no longer contain stack garbage.
Now: EVP_CipherInit_ex() does some extra dances to preserve the AES key
wrap flag, which is cleared unconditionally in EVP_CipherInit(). That's
annoying to document and very likely never going to be an issue in the
wild: you'd need to do key wrap and then use the same context for use
with a cipher that does not allow key wrap for this to make a difference.
This way, all our EVP_{Cipher,Decrypt,Encrypt}*_ex() functions are now
trivially wrapped by their non-_ex() versions.
ok jsing
|
| |
|
|
|
|
|
|
| |
Clean up the cipher context unconditionally if the cipher is being set.
This allows doing the dance to retain the key wrap flag only once and
makes it more obvious that allocating the cipher data doesn't leak.
suggested by/ok jsing
|
| |
|
|
|
|
|
| |
Consistently implement the _ex() version after the non-extended versions,
First Cipher Init/Update/Final, then Encrypt, then Decrypt. This only
switches the order of CipherFinal{,_ex} and move the DecryptInit* down,
so they are no longer somewhere in the middle of the Encrypt* functions.
|
| |
|
|
|
| |
I guess I'm getting old. Next time I'll have to add a reminder not to
forget to remove the reminder.
|
| |
|
|
|
|
|
| |
These remove a few more potential out-of-bounds accesses and ensure in
particular that the padding is between 1 and block_size (inclusive).
ok joshua jsing
|
| |
|
|
|
|
|
|
|
|
| |
Pull up the EVP_R_NO_CIPHER_SET check that was hidden somewhere down in the
middle of the function. Handle the reuse case outside of the big non-NULL
cipher case for now. This looks a bit odd but relies on the invariant that
cipher_data is only set if the cipher is set. It will be reworked in a
subsequent commit.
ok jsing
|
| |
|
|
| |
ok joshua jsing
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
The block mask is only used in EVP_{De,En}cryptUpdate(). There's no need to
hang it off the EVP_CIPHER_CTX since it is easy to compute and validate.
ok joshua jsing
|
| |
|
|
|
|
|
| |
Rename the slightly awkward buf_offset into partial_len and rename
buf_avail into partial_needed to match.
suggested by jsing
|
| |
|
|
| |
suggested by jsing
|
| |
|
|
|
|
|
|
|
|
| |
Rework the code to use the usual variable names, return early if we
have block size 1 and unindent the remainder of the code for block
sizes 8 and 16. Rework the padding check to be less acrobatic and
copy the remainder of the plain text into out using memcpy() rather
than a for loop.
input/ok jsing
|
| |
|
|
|
|
|
| |
This switches to the variable names used in other functions, adds a
reminder to add a missing length check and uses memset for the padding.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This time the block size is called b and there's some awful length
fiddling with fix_len, which until recently also served as store
for the return value for do_cipher()...
If we land on a block boundary, we keep the last block decrypted and
don't count it as part of the output. So in the next call we need to
feed it back in. Feeding it back in counts as output written this time
around, so instead of remembering that we need to adjust outl, keep a
tally of the bytes written. This way we can also do some overflow and
underflow checking.
ok jsing
|
| |
|
|
| |
suggested by millert
|
| |
|
|
|
|
|
|
|
| |
Use more sensible variable names in order to make the logic a bit easier
to follow. The variables may be renamed in a later pass. Unindent a block
that was squeezed too much to the right and make a few minor stylistic
tweaks.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of using five different idioms for eight callers of the do_cipher()
method in EVP_{Decrypt,Encrypt}{Update,Final_ex}(), wrap the API insanity
in an evp_cipher() function that calls do_cipher() as appropriate depending
on the EVP_CIPH_FLAG_CUSTOM_CIPHER being set or not. This wrapper has the
usual OpenSSL calling conventions.
There is one complication in EVP_EncryptUpdate() in the case a previous
call wrote only a partial buffer. In that case, the evp_cipher() call is
made twice and the lengths have to be added. Add overflow checks and only
set outl (the number of bytes written) to out on success.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
EVP_Cipher() is an implementation detail of EVP_Cipher{Update,Final}().
Behavior depends on EVP_CIPH_FLAG_CUSTOM_CIPHER being set on ctx->cipher.
If the flag is set, do_cipher() operates in update mode if in != NULL and
in final mode if in == NULL. It returns the number of bytes written to out
(which may be 0) or -1 on error.
If the flag is not set, do_cipher() assumes properly aligned data and that
padding is handled correctly by the caller. Most do_cipher() methods will
silently produce garbage and succeed. Returns 1 on success, 0 on error.
ok jsing
|
| |
|
|
|
|
|
|
| |
EVP_Cipher() is a dangerous thin wrapper of the do_cipher() method set on
the EVP_CIPHER_CTX's cipher. It implements (part of) the update and final
step of the EVP_Cipher* API. Its behavior is nuts and will be documented
in a comment in a subsequent commit. schwarze has a manpage diff that will
fix the incorrect documentation.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
They make no sense. These are thin wrappers of EVP_*Final_ex() and behave
exactly the same way. The minor behavior difference of Init and Init_ex is
likely a historical artefact of this abomination of an API. Deprecation of
the Init functions was recently removed from the manpage. The only reason
to prefer the _ex versions over the normal versions is ENGINE. This is no
longer an argument.
The warnings were added in an attempt at adding automatic cleanup. This
broke stuff and was therefore backed out. The warnings remained.
discussed with schwarze
|
| |
|
|
|
|
| |
The correct way of wrapping foo() is 'int ret; ret = foo(); return ret;'
because 'return foo();' would be too simple... Also unify branching from
EVP_Cipher* into EVP_Encrypt* EVP_Decrypt*.
|
| |
|
|
|
|
|
|
| |
This removes the remaining ENGINE members from various internal structs
and functions. Any ENGINE passed into a public API is now completely
ignored functions returning an ENGINE always return NULL.
ok jsing
|
| |
|
|
|
|
|
| |
This is mechanical apart from a few manual edits to avoid doubled empty
lines.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
| |
A recent change in EVP_CIPHER_CTX_iv_length() made it possible in principle
that this function returns -1. This can only happen for an incorrectly set
up EVP_CIPHER. Still it is better form to check for negative lengths before
stuffing it into a memcpy().
It would probably be desirable to cap the iv_length to something large
enough. This can be done another time.
ok beck
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before EVP_CIPHER_CTX was opaque, callers could pass an uninitialized
ctx into EVP_CipherInit() and calling EVP_CIPHER_CTX_cleanup() on such
a ctx would end in tears.
The only way to initialize a ctx is by way of EVP_CIPHER_CTX_new(), on
which we can call EVP_CIPHER_CTX_cleanup() and avoid silly leaks on ctx
reuse. This also allows some simplifications in the documentation.
There are more changes of this kind that should be done all over libcrypto.
They will be tackled in subsequent commits.
"makes a lot of sense" schwarze
ok jsing
|
| |
|
|
|
|
|
|
| |
me aliasing symbols not in the headers I was procesing.
This unbreaks the namespace build so it will pass again
ok tb@
|
| |
|
|
|
|
| |
(part 2 of commit)
ok jsing@
|
| |
|
|
|
|
|
|
|
| |
This partially reverts jsing's OpenBSD commit b8185953, but without adding
back the error check that potentialy results in dumb leaks. No cleanup()
method in the wild returns anything but 1. Since that's the signature in
the EVP_CIPHER_meth_* API, we have no choice...
ok jsing
|
| |
|
|
|
|
|
| |
i removed the arithmetics -> arithmetic changes, as i felt they
were not clearly correct
ok tb
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.
Adjust all .c files in libcrypto, libssl and regress.
The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.
discussed with jsing,
no objection bcook
|
| |
|
|
|
|
|
| |
Now that EVP_CIPHER is opaque, stop pretending that EVP_CIPHER cleanup can
fail.
ok tb@
|
| |
|
|
| |
Only change in generated assembly is due to line numbers.
|
| |
|
|
|
|
|
|
|
|
| |
Input length < 0 is an error and input length == 0 can result in
strange effects in some ciphers, except in CCM mode, which is extra
special.
Based on OpenSSL 420cb707 by Matt Caswell and Richard Levitte
found by & ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
ok inoguchi
commit 6a51b9e1d0cf0bf8515f7201b68fb0a3482b3dc1
Author: Matt Caswell <matt@openssl.org>
Date: Tue Feb 2 17:17:23 2021 +0000
Don't overflow the output length in EVP_CipherUpdate calls
CVE-2021-23840
Reviewed-by: Paul Dale <pauli@openssl.org>
|
| |
|
|
|
|
| |
Avoids use of uninitialised memory.
ok tb@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
In the case of a cipher with a custom copy control, if that control fails
we may still have pointers that we do not own in the previously copied
cipher data. Avoid potential double-frees by zeroing and freeing the
copied cipher data in this case.
Issue reported by Guido Vranken.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
implementation based on the one in OpenSSL 1.0.2r which is
still freely licensed.
The functions are undocumented in OpenSSL. To use them, one
needs to set the undocumented EVP_CIPHER_CTX_FLAG_WRAP_ALLOW
flag on the EVP_CIPHER_CTX.
resolves #505
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
OpenSSL commit 7c96dbcdab9 by Rich Salz.
This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.
ok jsing, tested by & ok inoguchi
|
| |
|
|
| |
Rides previous minor bump.
|
| |
|
|
|
|
|
|
| |
with "warning: " since 2003, so the messages themselves need not
contain the prefix anymore.
From Scott Cheloha
ok jca, deraadt
|
| |
|
|
|
|
| |
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@
|
| |
|
|
|
| |
Software that refers to ctx after calling Final breaks with these changes.
revert parts of 1.31 and 1.32
|
| |
|
|
| |
corrected by deraadt@ / guenther@
|
| | |
|
