path: root/src/lib/libcrypto
Commit message, author, date, files changed, lines (-removed/+added), followed by the commit body where there is one.
* Add hkdf_pkey_meth to the standard_methods[]
  tb, 2022-05-05, 1 file, -1/+3
  ok beck jsing

* Link kdf/ to the build
  tb, 2022-05-05, 1 file, -1/+7
  ok beck jsing

* Provide EVP_PKEY_HKDF alias for NID_hkdf
  tb, 2022-05-05, 1 file, -1/+2
  ok beck jsing

* Provide KDFerr() and KDFerror() macros
  tb, 2022-05-05, 1 file, -1/+4
  ok beck jsing

* Provide versions of EVP_PKEY_CTX_{str,hex}2ctrl() for internal use.
  tb, 2022-05-05, 2 files, -2/+38
  ok beck jsing

* Ditch #defines for tls1_prf and scrypt. Drop unused errors and massage some const.
  tb, 2022-05-05, 2 files, -95/+8
  ok beck jsing

* Translate from OpenSSL's HKDF API to BoringSSL API.
  tb, 2022-05-05, 1 file, -8/+7
  ok beck jsing

* Remove function codes from errors, i.e., KDFerr(A, B) -> KDFerror(B)
  tb, 2022-05-05, 1 file, -5/+5
  ok beck jsing

* Fix typo in previous.
  tb, 2022-05-05, 1 file, -2/+2

* Inline OPENSSL_memdup() using malloc() + memcpy()
  tb, 2022-05-05, 1 file, -3/+5
  ok beck jsing

* Translate OPENSSL_{cleanse,clear_free,free,zalloc}() to libc API.
  tb, 2022-05-05, 1 file, -11/+11
  ok beck jsing

* Adjust includes for LibreSSL
  tb, 2022-05-05, 1 file, -4/+7
  ok beck jsing

* Use C99 initializers for hkdf_pkey_meth
  tb, 2022-05-05, 1 file, -26/+10
  ok beck jsing

* Remove OpenSSL versions of HKDF*().
  tb, 2022-05-05, 1 file, -117/+1
  ok beck jsing

* Fix includes of the removed kdferr.h
  tb, 2022-05-05, 2 files, -4/+3

* Add NID for HKDF
  tb, 2022-05-05, 2 files, -0/+4
  ok beck jsing

* remove accidentally duplicated line
  tb, 2022-05-04, 1 file, -2/+1

* Whitespace nit (knfmt(1) agrees after inserting an empty line after the variable declaration)
  tb, 2022-05-04, 1 file, -4/+5

* KNF according to knfmt(1)
  tb, 2022-05-04, 2 files, -275/+288

* Add RCS tags
  tb, 2022-05-04, 3 files, -0/+3

* Restore copyright years to 2016-2018 as they were before the previous commit.
  tb, 2022-05-04, 2 files, -2/+2

* Reinstate the licenses that were replaced with license stubs in OpenSSL commits d2e9e320186f0917cc940f46bdf1a7e4120da9b0 and b6cff313cbb1d0381b329fe4f6a8f009cdb270e4
  tb, 2022-05-04, 2 files, -12/+100

* Bump copyright years to 2016-2018 as it was before the previous commit.
  tb, 2022-05-04, 1 file, -1/+1

* Reinstate the license that was replaced with a stub in OpenSSL commit 21dcbebc6e35419f1842f39a125374ea1ba45693
  tb, 2022-05-04, 1 file, -5/+49

* Inline kdferr.h at the end of kdf.h
  tb, 2022-05-04, 2 files, -55/+37

* Rename hkdf.c to hkdf_evp.c to avoid a name clash with hkdf/hkdf.c
  tb, 2022-05-04, 1 file, -0/+0

* Import HKDF code from OpenSSL 1.1.1o
  tb, 2022-05-04, 4 files, -0/+571
  This imports verbatim copies as of the OpenSSL_1_1_1o tag of
    crypto/kdf/hkdf.c
    crypto/kdf/hkdf_err.c
    include/openssl/kdf.h
    include/openssl/kdferr.h
  from https://www.github.com/openssl/openssl.git into lib/libcrypto/kdf.
  We only want the EVP interface to HKDF since some ports need them.
  Not yet linked to the build since it will not compile. Follow-on commits will add KNF, clean up and make this compile.
  Tests of an early draft version by abieber and Caspar Schutijser
  ok jsing

* Rewrite asn1_collect() and asn1_find_end() with CBS.
  jsing, 2022-05-04, 1 file, -77/+80
  Use more readable variable and arguments names in the process.
  ok tb@

* Avoid special handling of definite length before calling asn1_find_end().
  jsing, 2022-05-04, 1 file, -10/+4
  The asn1_find_end() function handles definite length ASN.1, which means that there is no point in the only caller having code to explicitly handle definite length - it can just call the function.
  ok tb@

* Change asn1_check_tag_cbs() out_len from long to size_t.
  jsing, 2022-05-04, 1 file, -4/+10
  The long vs size_t checks can be handled in the asn1_check_tag() wrapper and this will help to avoid propagating long vs size_t issues into new code.
  ok tb@

* Rewrite asn1_check_tlen() using CBS.
  jsing, 2022-04-28, 3 files, -63/+113
  Rather than calling asn1_get_object_cbs(), call asn1_get_identifier_cbs(), then immediately proceed with the tag number and tag class check. Only if that succeeds (or it is not required) do we call asn1_get_length_cbs(). This avoids incurring the overhead of decoding the length in the case where the tag number and tag class do not match.
  While here rename asn1_check_tlen() to asn1_check_tag() - while we decode the length, what we are normally checking is the tag number and tag class. Also rename the arguments for readability. For now the argument types and encoding remain unchanged.
  ok inoguchi@ tb@

* Refactor ASN1_TIME_adj_internal()
  tb, 2022-04-28, 1 file, -84/+82
  ASN1_TIME_adj_internal() does some strange dances with remembering allocations in a boolean and using strlen(p) to deduce what happened inside *_string_from_tm(). It also (mis)translates a NULL p to an illegal time value error.
  This can be streamlined by converting directly from a struct tm into an ASN1_TIME and setting the errors when they occur instead of trying to deduce them from a NULL return. This is made a bit uglier than necessary due to the reuse-or-allocate semantics of the public API. At the cost of a little code duplication, ASN1_TIME_adj_internal() becomes very easy and ASN1_TIME_to_generalizedtime() is also simplified somewhat.
  ok inoguchi jsing

* Decode via c2i_ASN1_INTEGER_cbs() from asn1_ex_c2i().
  jsing, 2022-04-27, 2 files, -5/+5

* Rewrite c2i_ASN1_INTEGER() using CBS.
  jsing, 2022-04-27, 1 file, -84/+129
  This also makes validation stricter and in line with X.690 - we now reject zero length inputs (rather than treating them as zero values) and enforce minimal encoding.
  ok tb@

* Remove the ASN.1 decoder tag/length cache (TLC).
  jsing, 2022-04-27, 1 file, -90/+37
  Currently, every time an ASN.1 identifier and length is decoded it is stored in a tag/length cache for potential reuse. However, the only time this is actually of benefit is when decoding CHOICE or SEQUENCE with OPTIONAL fields (or MSTRING and ANY due to less than ideal implementation). For CHOICE and SEQUENCE with OPTIONAL fields the current code attempts to decode the first option and if that fails, it moves onto the next option and attempts to decode it, repeating until it succeeds (or runs out of options).
  There are a number of problems with the cache. Firstly, it adds complexity to the ASN.1 decoder since it has to be passed up and down through the various layers. Secondly, there is nothing that keeps the cached data in synchronisation with the input stream. This makes it fragile and a potential security risk. Thirdly, the type is in the public headers and API, meaning that we cannot readily change the types or fields to improve the code.
  Testing also suggests that in typical decoding cases we actually get a small performance increase by removing the cache. There are also several other options that would improve decoding performance, which we can visit once we have simpler and more robust code.
  ok beck@ inoguchi@ tb@

* ASN1_{,const_}check_infinite_end(3) were removed in the last major bump, so there's no longer a need to document that they are undocumented.
  tb, 2022-04-27, 1 file, -5/+2

* Decode via c2i_ASN1_BIT_STRING_cbs() from asn1_ex_c2i().
  jsing, 2022-04-26, 3 files, -9/+14
  ok inoguchi@ tb@

* Rewrite c2i_ASN1_BIT_STRING() using CBS.
  jsing, 2022-04-23, 1 file, -44/+83
  Also switch to freeing and allocating, rather than attempting to recycle. While here, factor out the flags ASN1_STRING_FLAG_BITS_LEFT bit bashing and use the name "unused bits" rather than "bits left", to be more in line with X.690 wording.
  ok inoguchi@ tb@

* Convert asn1_ex_c2i() to CBS.
  jsing, 2022-04-23, 3 files, -24/+43
  This allows us to make direct use of c2i_ASN1_OBJECT_cbs().
  ok inoguchi@ tb@

* Clarify comments at the start of {asid,addr}_validate_path_internal()
  tb, 2022-04-21, 2 files, -7/+7
  Requested by jsing

* Avoid expensive RFC 3779 checks during cert verification
  tb, 2022-04-21, 3 files, -16/+22
  X509v3_{addr,asid}_is_canonical() check that the ipAddrBlocks and autonomousSysIds extension conform to RFC 3779. These checks are not cheap. Certs containing non-conformant extensions should not be considered valid, so mark them with EXFLAG_INVALID while caching the extension information in x509v3_cache_extensions(). This way the expensive check while walking the chains during X509_verify_cert() is replaced with a cheap check of the extension flags. This avoids a lot of superfluous work when validating numerous certs with similar chains against the same roots as is done in rpki-client.
  Issue noticed and fix suggested by claudio
  ok claudio inoguchi jsing

* Fix X509_get_extension_flags()
  tb, 2022-04-21, 1 file, -2/+2
  Ensure that EXFLAG_INVALID is set on X509_get_purpose() failure.
  ok inoguchi jsing

* Avoid use of uninitialized in BN_mod_exp_recp()
  tb, 2022-04-20, 1 file, -2/+3
  If either of the two initial BN_CTX_get() fails, we will call BN_RECP_CTX_free() on the uninitialized recp, which won't end well, so hoist the BN_RECP_CTX_init() call a few lines up.
  From Pauli, OpenSSL ad249412
  ok inoguchi jsing

* KNF for a brace and zap trailing blank line
  tb, 2022-04-12, 1 file, -3/+3

* Set ASN1_OBJECT_FLAG_DYNAMIC_DATA flag with t2i_ASN1_OBJECT_internal
  inoguchi, 2022-04-10, 1 file, -1/+2
  'flags' should have ASN1_OBJECT_FLAG_DYNAMIC_DATA bit to free 'data' by ASN1_OBJECT_free as c2i_ASN1_OBJECT_cbs does.
  ok jsing@ tb@

* Avoid infinite loop on parsing DSA private keys
  tb, 2022-04-07, 1 file, -3/+24
  DSA private keys with ill-chosen g could cause an infinite loop on deserializing. Add a few sanity checks that ensure that g is according to the FIPS 186-4: check 1 < g < p and g^q == 1 (mod p). This is enough to ascertain that g is a generator of a multiplicative group of order q once we know that q is prime (which is checked a bit later).
  Issue reported with reproducers by Hanno Boeck. Additional variants and analysis by David Benjamin.
  ok beck jsing

* Avoid infinite loop for custom curves of order 1
  tb, 2022-04-07, 2 files, -4/+9
  If a private key encoded with EC parameters happens to have order 1 and is used for ECDSA signatures, this causes an infinite loop since a random integer x in the interval [0,1) will be 0, so do ... while (x == 0); will loop indefinitely.
  Found and reported with a reproducer by Hanno Boeck. Helpful comments and analysis from David Benjamin.
  ok beck jsing

* man pages: fix some typos found while looking for other issues
  naddy, 2022-03-31, 1 file, -2/+2

* man pages: add missing commas between subordinate and main clauses
  naddy, 2022-03-31, 30 files, -103/+103
  jmc@ dislikes a comma before "then" in a conditional, so leave those untouched.
  ok jmc@

* Fix leak in ASN1_TIME_adj_internal()
  tb, 2022-03-31, 1 file, -3/+5
  p is allocated by asprintf() in one of the *_from_tm() functions, so it needs to be freed as in the other error path below.
  CID 346194
  ok jsing