| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
| |
This way the file has EVP_Digest*, then EVP_MD_CTX new/free/clean,
then ctrl then the EVP_MD_CTX accessors, then the EVP_MD accessors
and finally the EVP_MD_meth stuff and the order of things starts
making a wee bit of sense.
|
| |
|
|
|
|
| |
This way new/free aka create/destroy are next to each other. reset/cleanup
are the same thing and init will join the club after some other fixing
because two APIs that do the exact same thing aren't enough.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
These are ~200 lines of EVP_MD API that separated two parts of the file
dedicated to EVP_CIPHER thingies.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
EVP_Digest{Init,Update,Final}() move from digest.c to evp_digest.c which
will become the home of all things related to EVP_MD{,_CTX} handling.
EVP_Cipher{Init,Update,Final}() move from evp_enc.c to evp_cipher.c which
will become the home of all things related to EVP_CIPHER{,_CTX} handling.
EVP_Encode{Init,Update,Final}() move from encode.c to evp_encode.c which
already is the home of EVP_ENCODE_CTX_{new,free}().
discussed with jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is a bizarre EVP_CIPHER_CTX_cleanup() call in EVP_CipherInit()
leading to a subtle behavior difference with EVP_CipherInit_ex().
The history is that before EVP_CIPHER_CTX was made opaque, a context would
often live on the stack (hello, MariaDB) and the EVP_CIPHER_CTX_cleanup()
call was in fact an EVP_CIPHER_CTX_init() which just zeroes out the struct.
The problem with doing this is that on context reuse there could be data
hanging off it, causing leaks. Attempts were made to clean up things in
EVP_CipherFinal*(), but that broke applications reaching into the context
afterward, so they were removed again. Later on, opacity allowed changing
the _init() to a _cleanup() since EVP_CIPHER_CTX could no longer live on
the stack, so it would no longer contain garbage. I have to correct myself:
it would no longer contain stack garbage.
Now: EVP_CipherInit_ex() does some extra dances to preserve the AES key
wrap flag, which is cleared unconditionally in EVP_CipherInit(). That's
annoying to document and very likely never going to be an issue in the
wild: you'd need to do key wrap and then use the same context for use
with a cipher that does not allow key wrap for this to make a difference.
This way, all our EVP_{Cipher,Decrypt,Encrypt}*_ex() functions are now
trivially wrapped by their non-_ex() versions.
ok jsing
|
| |
|
|
|
|
|
|
| |
Clean up the cipher context unconditionally if the cipher is being set.
This allows doing the dance to retain the key wrap flag only once and
makes it more obvious that allocating the cipher data doesn't leak.
suggested by/ok jsing
|
| |
|
|
| |
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
These two functions previously wrapped a pkey_set_type() helper, which
was an utter mess because of ENGINE. With the long awaited departure of
ENGINE, this function became a lot simpler. A further simplification is
obtained by not doing the optimization to avoid an ameth lookup: this
requires walking a list of 11 ameths. We should consider bsearch()...
With this gone and a saner implementation of EVP_PKEY_free_it(), we can
implement these functions with a dozen lines of code each.
ok jsing
|
| |
|
|
|
|
|
|
| |
Use pkey instead of x, remove the pointless variable i, no need to check
for NULL before sk_X509_ATTRIBUTE_pop_free(), switch to freezero() to
leave fewer invalid pointers around.
ok jsing
|
| |
|
|
| |
ok jsing
|
| | |
|
| |
|
|
|
|
| |
Rename the variable from x into pkey, make it NULL safe and unindent.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
| |
There is no need for a local variable and a ternary operator here.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
| |
It really makes no sense to have the mess that is EVP_MD_CTX_copy{,_ex}()
live between EVP_Digest{Init{,_ex},Update,Final{,_ex}}() and EVP_Digest(),
the latter being a relatively simple wrapper of Init_ex/Update/Final_ex.
|
| |
|
|
|
|
|
| |
Consistently implement the _ex() version after the non-extended versions,
First Cipher Init/Update/Final, then Encrypt, then Decrypt. This only
switches the order of CipherFinal{,_ex} and move the DecryptInit* down,
so they are no longer somewhere in the middle of the Encrypt* functions.
|
| |
|
|
|
| |
I guess I'm getting old. Next time I'll have to add a reminder not to
forget to remove the reminder.
|
| | |
|
| |
|
|
|
|
|
| |
These remove a few more potential out-of-bounds accesses and ensure in
particular that the padding is between 1 and block_size (inclusive).
ok joshua jsing
|
| |
|
|
|
|
|
|
|
|
| |
Pull up the EVP_R_NO_CIPHER_SET check that was hidden somewhere down in the
middle of the function. Handle the reuse case outside of the big non-NULL
cipher case for now. This looks a bit odd but relies on the invariant that
cipher_data is only set if the cipher is set. It will be reworked in a
subsequent commit.
ok jsing
|
| |
|
|
| |
ok joshua jsing
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
The block mask is only used in EVP_{De,En}cryptUpdate(). There's no need to
hang it off the EVP_CIPHER_CTX since it is easy to compute and validate.
ok joshua jsing
|
| |
|
|
|
|
|
| |
Ensure that the nid and key length are non-negative and that the block
size is one of the three sizes 1, 8, or 16 supported by the EVP subsystem.
ok joshua jsing
|
| |
|
|
| |
discussed with jsing
|
| |
|
|
| |
discussed with jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
| |
Rename the slightly awkward buf_offset into partial_len and rename
buf_avail into partial_needed to match.
suggested by jsing
|
| |
|
|
| |
suggested by jsing
|
| |
|
|
|
|
|
|
|
|
| |
Rework the code to use the usual variable names, return early if we
have block size 1 and unindent the remainder of the code for block
sizes 8 and 16. Rework the padding check to be less acrobatic and
copy the remainder of the plain text into out using memcpy() rather
than a for loop.
input/ok jsing
|
| |
|
|
|
|
|
| |
This switches to the variable names used in other functions, adds a
reminder to add a missing length check and uses memset for the padding.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This time the block size is called b and there's some awful length
fiddling with fix_len, which until recently also served as store
for the return value for do_cipher()...
If we land on a block boundary, we keep the last block decrypted and
don't count it as part of the output. So in the next call we need to
feed it back in. Feeding it back in counts as output written this time
around, so instead of remembering that we need to adjust outl, keep a
tally of the bytes written. This way we can also do some overflow and
underflow checking.
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
| |
This was done the worst possible way. It would be much simpler to invert
the logic and use a single #ifdef. jsing prefers keeping the current
logic and suggested we ditch the preprocessor mess altogether.
ok jsing, claudio agreed with the initial diff
|
| |
|
|
|
|
|
|
| |
This is mostly stylistic cleanup, making the control flow a bit more
obvious. There's one user-visible change: we no longer go out of our
way to provide info about the unknown algorithm. The nid is enough.
ok joshua jsing
|
| |
|
|
| |
suggested by millert
|
| |
|
|
|
|
|
|
|
| |
Use more sensible variable names in order to make the logic a bit easier
to follow. The variables may be renamed in a later pass. Unindent a block
that was squeezed too much to the right and make a few minor stylistic
tweaks.
ok jsing
|
| |
|
|
|
|
|
| |
There is no point in having EVP_PBE_CipherInit() between the table and
the lookup functions (which it notably uses).
No code change.
|
| |
|
|
|
|
|
|
|
| |
Split the table of built-in password based encryption algorithms into two
and use a linear scan over the table corresponding to the type specified
in EVP_PBE_find()'s type argument. Use better variable names, make the
API a bit safer and generally reduce the eye bleed in here.
ok jsing
|
| | |
|
