| Age | Commit message (Collapse) | Author |
|---|
|
A historic blunderfest in the ASN.1 module for RSA-PSS led to very
confusing text in various RFCs. davidben and my current reading of
this is that parameters for SHA-* should be encoded as an ASN.1 NULL
rather than omitted. The use of X509_ALGOR_set_evp_md() leads to them
being omitted, and is therefore counter to the specification (but
allowed. We should fix this. For now, leave a reminder.
See https://boringssl-review.googlesource.com/c/boringssl/+/67088
for a lot more details.
ok davidben
|
|
ok jsing
|
|
It's more explicit and not that much longer.
ok jsing
|
|
Every EVP_PKEY_ASN1_METHOD is either an ASN.1 method or an alias.
As such it resolves to an underlying ASN.1 method (in one step).
This information can be stored in a base_method pointer in allusion
to the pkey_base_id, which is the name for the nid (aka pkey_id aka
type) of the underlying method.
For an ASN.1 method, the base method is itself, so the base method
is set as a pointer to itself. For an alias it is of course a pointer
to the underlying method. Then obviously ameth->pkey_base_id is the
same as ameth->base_method->pkey_id, so rework all ASN.1 methods to
follow that.
ok jsing
|
|
For some reason DSA, GOST, and RSA had their ASN.1 methods stored in
an array. This is clumsy and the only benefit is that one saves a few
externs in p_lib.c. They were also arranged by ascending NID because
of bsearch() madness.
Split them up and arrange the methods by name, which is much saner
and simpler.
ok jsing
|
|
These aren't particularly helpful and should probably both be expanded.
For now move them to the only place where they are actually used.
|
|
As usual, make the function single exit. Initialize the pkey callback
pointer and the BN_GENCB on the stack at the top rather than relying
on the weird trans_cb() in evp_pkey_set_cb_translate() to do so.
Greatly simplify the control flow and add missing error checks.
ok jsing
|
|
Turn the function into single exit and error check EVP_PKEY_assign()
for style.
ok jsing
|
|
Again change this function into the single exit idiom, and error check
EVP_PKEY_assign().
ok jsing
|
|
This removes the remaining ENGINE members from various internal structs
and functions. Any ENGINE passed into a public API is now completely
ignored functions returning an ENGINE always return NULL.
ok jsing
|
|
This is mechanical apart from a few manual edits to avoid doubled empty
lines.
ok jsing
|
|
Replace X509_ALGOR_set0() with X509_ALGOR_set0_by_nid(). This way there
is no missing error checking for OBJ_nid2obj() and no nested functions.
Slightly more importantly, this plugs two long standing potential leaks
in this function (or previously rsa_cms_encrypt()) due to missing error
checking: in the unlikely event that X509_ALGOR_set0() failed, astr/ostr
would leak.
ok jsing
|
|
ok jsing
|
|
Test and assign one more instance replace a useless comment by an empty
line.
|
|
In rsa_alg_set_oaep_padding() rename los to ostr for consistency with
astr, make it have function scope, free ostr in the error path and assume
X509_ALGOR_set0() success.
ok jca
|
|
|
|
|
|
|
|
Rename rv into ret and split it on its own line, move labellen a bit down
add some empty lines. To match style elsewhere.
Most of this was requested by jsing
|
|
This matches what is done for PKCS#1 1.5 and PSS. This function needs a
lot of work still, but it's easier to do that without having to tiptoe
around a lot of other garbage.
ok jsing
|
|
error check
|
|
|
|
After previous refactoring, rsa_all_set_pss_padding() is the last remaining
caller of the weirdly named and ugly rsa_all_set_pss_padding(). This can be
handled in a few simple lines now that this mess has slightly cleaner code.
|
|
|
|
Check and assign the EVP_PKEY_CTX and move the extraction of the algorithm
identifier from the signer info a few lines down.
|
|
The current convoluted mess can be handled with two calls to the new
rsa_alg_set_pss_padding() helper. Not that this would be obvious at
all.
This fixes two more leaks in case of X509_ALGOR_set0() failure.
ok jsing
|
|
This sets the AlgorithmIdentifier's algorithm to id-RSASSA-PSS with
appropriate RSASSA-PSS parameters. This pulls a chunk of code out of
rsa_cms_sign() and rewrites it with proper error checking, thereby
fixing a long-standing leak.
This helper can also be used in rsa_item_sign(), but that part is a
bit special, and will therefore be commmitted separately.
ok jsing
|
|
This removes a few duplicated and unchecked X509_ALGOR_set0() calls and
factors them into a helper function that sets the AlgorithmIdentifier on
the recipient info or signer info to rsaEncryption with null parameters.
ok jsing
|
|
This streamlines the code to use safer idioms, do proper error checking
and be slightly less convoluted. Sprinkle a few references to RFC 8017
and explain better what we are doing and why. Clarify ownership and use
more consistent style.
This removes the last internal use of X509_ALGOR_set_md().
ok jsing
|
|
|
|
rsa_param_encode() allocates the PSS parameters in an ASN1_STRING which
is leaked if any error occurs later in rsa_pub_encode(). Convert the rest
of the code to follow our ordinary idioms more closely.
ok jsing
|
|
Change the code to use safer idioms and avoid nested function calls.
ok jsing
|
|
Instead of CRYPTO_THREADID, which passes pthread_via through unsigned long,
we can use pthread_self() and pthread_equal() directly. This commit keeps
using the awkward 'local' nomenclature as that is used throughout the rsa
code. This will be changed after the blinding code will have been fully
merged into rsa_blinding.c.
ok jsing
|
|
Most of these are one line wrappers around methods implemented in rsa_eay.c
by default.
|
|
|
|
|
|
discussed with jsing
|
|
|
|
|
|
Make this look a bit more like other code we cleaned up avoiding nesting
and unnecessary else branches.
ok jsing
|
|
|
|
RSA is pretty bad. In my most optimistic moments I dream of a world that
stopped using it. That won't happen during my lifetime, unfortunately.
Blinding is one way of making it a little less leaky. Unfortunately this
side-channel leak mitigation leaked out of the library for no good reason.
Let's at least fix that aspect of it.
ok jsing
|
|
discussed with jsing
|
|
ok tb@
|
|
Rename all of the RSA_eay_* functions to rsa_*, as well as changing the
method name (and naming). Reorder things slightly so that we can remove
all of the prototypes for static functions.
ok tb@
|
|
This removes lots of silly buffers and will allow us to make this API
go away.
ok jsing
|
|
Prompted by a report by Steffen Ullrich on libressl@openbsd.org
ok jsing
|
|
|
|
This makes the custom stalt stack work again.
Tested by robert as part of a larger diff
ok jsing
|
|
Nothing should be using this anymore, except that salt decided to use
it in its home-cooked protocol, which already had its share of issues.
Hopefully the efforts to switch salt to something more reasonable and
standardized like mTLS will succeed sooner rather than later.
tested as part of a larger patch by robert
ok jsing
|
