| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
discussed with jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The atoi() would also accept the magic negative values and old openssl
releases would expose these as arguments to -pkeyopt rsa_pss_saltlen:-1
in the openssl pkeyutl "app". While modern openssl switched to having
readable alternatives to these, the oseid component of opensc would use
the old syntax until yesterday.
Still, this is our bug and we need to keep accepting the magic values as
such, so do so. Everything below -3 will be rejected by the RSA_ctrl()
handler later.
Debugged by Doug Engert in https://github.com/OpenSC/OpenSC/issues/3317
ok jsing op
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
You can set custom sign and verify handlers on an RSA method (wihch is
used to create RSA private and public key handles). However, even if you
set them explicitly with RSA_meth_set_{sign,verify}(3), these handlers
aren't used for the sake of "backward compatibility" (with what?). In order
to use them, you need to opt your objects into using the custom methods
you set by setting the RSA_FLAG_SIGN_VER flag.
OpenSSL 1.1 dropped this requirement and therefore nobody sets this flag
anyore. Like most of the mechanically added accessors, almost nothing
uses them, but, as found by kn, the yubco-piv-tool does. This resulted
in a public key being passed to rsa_private_encrypt(), which of course
doesn't end well.
So follow OpenSSL 1.1 and drop this muppetry. This makes kn's problem
with yubico-piv-tool go away.
ok jsing kn
|
| |
|
|
|
|
| |
the weird thing it was supposed to be doing couldn't possibly work.
ok jsing
|
| | |
|
| |
|
|
| |
Clean up the other includes while there.
|
| |
|
|
|
|
|
|
| |
This disables the EVP_PKEY_*check() API and makes it fail (more precisely
indicate lack of support) on all key types.
This is an intermediate step to full removal.
Removal is ok beck jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a slightly strange combination of OBJ_find_sigid_algs() and the
security level API necessary because OBJ_find_sigid_algs() on its own
isn't smart enough for the special needs of RSA-PSS and EdDSA.
The API extracts the hash's NID and the pubkey's NID from the certificate's
signatureAlgorithm and invokes special handlers for RSA-PSS and EdDSA
for retrieving the corresponding information. This isn't entirely free
for RSA-PSS, but for now we don't cache this information.
The security bits calculation is a bit hand-wavy, but that's something
that comes along with this sort of numerology.
ok jsing
|
| | |
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These constitute the bulk of the remaining global mutable state in
libcrypto. This commit moves most of them into data.rel.ro, leaving
out ERR_str_{functs,libraries,reasons} (which require a slightly
different approach) and SYS_str_reasons which is populated on startup.
The main observation is that if ERR_load_strings() is called with a 0 lib
argument, the ERR_STRING_DATA argument is not actually modified. We could
use this fact to cast away const on the caller side and be done with it.
We can make this cleaner by adding a helper ERR_load_const_strings() which
explicitly avoids the assignment to str->error overriding the error code
already set in the table.
In order for this to work, we need to sprinkle some const in err/err.c.
CMS called ERR_load_strings() with non-0 lib argument, but this didn't
actually modify the error data since it ored in the value already stored
in the table.
Annoyingly, we need to cast const away once, namely in the call to
lh_insert() in int_err_set_item(). Fixing this would require changing
the public API and is going to be tricky since it requires that the
LHASH_DOALL_FN_* types adjust.
ok jsing
|
| |
|
|
| |
feedback and ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
| |
No need for an inconsistently named local variable and a ternary operator.
ok jsing
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
| |
RSA_verify_PKCS1_PSS_mgf1
ok jsing@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
A historic blunderfest in the ASN.1 module for RSA-PSS led to very
confusing text in various RFCs. davidben and my current reading of
this is that parameters for SHA-* should be encoded as an ASN.1 NULL
rather than omitted. The use of X509_ALGOR_set_evp_md() leads to them
being omitted, and is therefore counter to the specification (but
allowed. We should fix this. For now, leave a reminder.
See https://boringssl-review.googlesource.com/c/boringssl/+/67088
for a lot more details.
ok davidben
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
| |
It's more explicit and not that much longer.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Every EVP_PKEY_ASN1_METHOD is either an ASN.1 method or an alias.
As such it resolves to an underlying ASN.1 method (in one step).
This information can be stored in a base_method pointer in allusion
to the pkey_base_id, which is the name for the nid (aka pkey_id aka
type) of the underlying method.
For an ASN.1 method, the base method is itself, so the base method
is set as a pointer to itself. For an alias it is of course a pointer
to the underlying method. Then obviously ameth->pkey_base_id is the
same as ameth->base_method->pkey_id, so rework all ASN.1 methods to
follow that.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
| |
For some reason DSA, GOST, and RSA had their ASN.1 methods stored in
an array. This is clumsy and the only benefit is that one saves a few
externs in p_lib.c. They were also arranged by ascending NID because
of bsearch() madness.
Split them up and arrange the methods by name, which is much saner
and simpler.
ok jsing
|
| |
|
|
|
| |
These aren't particularly helpful and should probably both be expanded.
For now move them to the only place where they are actually used.
|
| |
|
|
|
|
|
|
|
| |
As usual, make the function single exit. Initialize the pkey callback
pointer and the BN_GENCB on the stack at the top rather than relying
on the weird trans_cb() in evp_pkey_set_cb_translate() to do so.
Greatly simplify the control flow and add missing error checks.
ok jsing
|
| |
|
|
|
|
|
| |
Turn the function into single exit and error check EVP_PKEY_assign()
for style.
ok jsing
|
| |
|
|
|
|
|
| |
Again change this function into the single exit idiom, and error check
EVP_PKEY_assign().
ok jsing
|
| |
|
|
|
|
|
|
| |
This removes the remaining ENGINE members from various internal structs
and functions. Any ENGINE passed into a public API is now completely
ignored functions returning an ENGINE always return NULL.
ok jsing
|
| |
|
|
|
|
|
| |
This is mechanical apart from a few manual edits to avoid doubled empty
lines.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
Replace X509_ALGOR_set0() with X509_ALGOR_set0_by_nid(). This way there
is no missing error checking for OBJ_nid2obj() and no nested functions.
Slightly more importantly, this plugs two long standing potential leaks
in this function (or previously rsa_cms_encrypt()) due to missing error
checking: in the unlikely event that X509_ALGOR_set0() failed, astr/ostr
would leak.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
| |
Test and assign one more instance replace a useless comment by an empty
line.
|
| |
|
|
|
|
|
|
| |
In rsa_alg_set_oaep_padding() rename los to ostr for consistency with
astr, make it have function scope, free ostr in the error path and assume
X509_ALGOR_set0() success.
ok jca
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
Rename rv into ret and split it on its own line, move labellen a bit down
add some empty lines. To match style elsewhere.
Most of this was requested by jsing
|
| |
|
|
|
|
|
|
| |
This matches what is done for PKCS#1 1.5 and PSS. This function needs a
lot of work still, but it's easier to do that without having to tiptoe
around a lot of other garbage.
ok jsing
|
| |
|
|
| |
error check
|
| | |
|
| |
|
|
|
|
| |
After previous refactoring, rsa_all_set_pss_padding() is the last remaining
caller of the weirdly named and ugly rsa_all_set_pss_padding(). This can be
handled in a few simple lines now that this mess has slightly cleaner code.
|
| | |
|
| |
|
|
|
| |
Check and assign the EVP_PKEY_CTX and move the extraction of the algorithm
identifier from the signer info a few lines down.
|
| |
|
|
|
|
|
|
|
|
| |
The current convoluted mess can be handled with two calls to the new
rsa_alg_set_pss_padding() helper. Not that this would be obvious at
all.
This fixes two more leaks in case of X509_ALGOR_set0() failure.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This sets the AlgorithmIdentifier's algorithm to id-RSASSA-PSS with
appropriate RSASSA-PSS parameters. This pulls a chunk of code out of
rsa_cms_sign() and rewrites it with proper error checking, thereby
fixing a long-standing leak.
This helper can also be used in rsa_item_sign(), but that part is a
bit special, and will therefore be commmitted separately.
ok jsing
|
| |
|
|
|
|
|
|
| |
This removes a few duplicated and unchecked X509_ALGOR_set0() calls and
factors them into a helper function that sets the AlgorithmIdentifier on
the recipient info or signer info to rsaEncryption with null parameters.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
This streamlines the code to use safer idioms, do proper error checking
and be slightly less convoluted. Sprinkle a few references to RFC 8017
and explain better what we are doing and why. Clarify ownership and use
more consistent style.
This removes the last internal use of X509_ALGOR_set_md().
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
| |
rsa_param_encode() allocates the PSS parameters in an ASN1_STRING which
is leaked if any error occurs later in rsa_pub_encode(). Convert the rest
of the code to follow our ordinary idioms more closely.
ok jsing
|
| |
|
|
|
|
| |
Change the code to use safer idioms and avoid nested function calls.
ok jsing
|
| |
|
|
|
|
|
|
|
|
| |
Instead of CRYPTO_THREADID, which passes pthread_via through unsigned long,
we can use pthread_self() and pthread_equal() directly. This commit keeps
using the awkward 'local' nomenclature as that is used throughout the rsa
code. This will be changed after the blinding code will have been fully
merged into rsa_blinding.c.
ok jsing
|
