mirror of https://github.com/openbsd/src.git synced 2024-12-21 23:18:00 -08:00
Commit Graph

22872 Commits

Author SHA1 Message Date
schwarze
a63b39658a Add an EXAMPLES section.
I admit this is unusually long for a manual page.  But that's not my fault
as a documentation author.  An example in a manual page ought to be minimal
to show what needs to be demonstrated, and this example is minimal in that
sense.  Making it shorter without losing important aspects does not seem
possible.

When an API is poorly designed, one of the consequences is that the
documentation becomes harder to understand and often longer - in this
case to the point of becoming outright intimidating.  If people dislike
that, they should design better APIs in the first place rather than
blasting the poor manual page for being too long or too complicated.

OK tb@
2024-12-21 00:27:47 +00:00
schwarze
4ac9059474 If EVP_CIPHER_CTX_ctrl(3) is called on EVP_chacha20_poly1305(3)
with an unsupported control command, return -1 rather than 0
to the caller to indicate the error because in general, these
control hooks ought to return -1 for unsupported control commands
and 0 for other errors, for example other invalid arguments.

Not a big deal because this change does not change when operations
succeed or fail, and because callers are unlikely to pass unsupported
control commands in the first place.  The only functional change is that
if a calling program inspects the ERR(3) stack after this failure,
it will now find the correct error code rather than nothing.
Even that wasn't a huge problem because for most EVP_CIPHER control
failures, getting no reason for the error is the usual situation.
Then again, giving the reason when easily possible may occasionally
be useful.  OpenSSL also returns -1 in this case, so it also helps
compatibility a tiny bit.

Found while auditing the return values of all the EVP_CIPHER
control hooks in our tree.  This was the only fishy one i found.

OK tb@
2024-12-20 20:05:29 +00:00
tb
b229b719d0 hidden mlkem.h: add comment to #endif 2024-12-20 15:10:31 +00:00
tb
abab89db3f Annotate yet another greasy stinky tentacle of xca
I'm so tired of this.
2024-12-20 09:40:29 +00:00
schwarze
ff6a185afe Move the horrific EVP_aes_128_ccm(3) API out of the important,
algorithm-independent EVP_EncryptInit(3) manual as another step
in making the latter leaner and more palatable.

As a side benefit, the new EVP_aes_128_ccm(3) manual page may provide
a better fighting chance to programmers who see themselves forced to
support CCM for whatever reason.  It documents the mandatory, but so
far undocumented EVP_CTRL_CCM_GET_TAG control command and makes the
description of the three EVP_CTRL_CCM_SET_* control commands and the
numerous related quirks more precise.
2024-12-20 01:54:03 +00:00
tb
822ced31eb Do not install mlkem.h and bytestring.h into /usr/include/openssl for now
More work in mlkem is needed and this was premature.

discussed with beck and jsing
2024-12-19 23:56:32 +00:00
tb
9c470d64a6 #ifdef out the inclusion of openssl/mlkem.h for now
discussed with beck and jsing
2024-12-19 23:53:38 +00:00
tb
ef1019e622 Do not assume mlkem.h and bytestring.h are public in libcrypto
As long as it is not quite clear what we want to do about the public API
aspect of MLKEM, keep things internal for now.

discussed with beck and jsing
2024-12-19 23:52:26 +00:00
tb
3d8e7e8c72 ec_mult: use 1ULL to avoid C4334 warning on Visual Studio
The shift is between 0 and 5 bits, so it doesn't matter, but VS is short
for very st...ubborn as are its users when it comes to reporting non-issues
2024-12-19 21:05:46 +00:00
jmc
72dde9b872 received form the peer -> received from the peer 2024-12-19 06:45:21 +00:00
tb
67abc7a12c mlkem: fix whitespace 2024-12-18 10:55:21 +00:00
jsg
633da3e108 kength -> length 2024-12-18 04:15:48 +00:00
schwarze
f5255f98a5 New manual page EVP_aes_128_gcm(3).
The main benefit is moving the cumbersome and error-prone method of
using EVP_EncryptInit(3) for AES-GCM out of the important, but obese
manual page EVP_EncryptInit(3), and to create a logical place for
pointing readers to the safer and more flexible EVP_AEAD_CTX_init(3).

As a side benefit, document three control commands that were so far
undocumented and make the description of three others more precise.

Feedback and OK tb@.
2024-12-17 18:11:44 +00:00
beck
9ee6f1fe20 Avoid a reduce once that can cause Clang misoptimization.
Some versions of Clang compile this to non-constant time
code. The fix is adapted from boring. For full details see:
https://boringssl-review.googlesource.com/c/boringssl/+/74447

ok tb@
2024-12-17 17:06:10 +00:00
tb
516824a334 Plug two memory leaks in MLKEM*_generate_key_external_entropy()
This needs more thinking. These are void functions that allocate...
Left an XXX for now.

From Kenjiro Nakayama
2024-12-17 07:13:47 +00:00
tb
bee138d50b mlkem: clean up top matter in headers 2024-12-17 06:43:32 +00:00
tb
f88109403c Simplify ec_point_to_octets()
This had an extra dance to allow a NULL output buffer. The plan was to
use this in i2o_ECPublicKey() to preserve the behavior of avoiding an
allocation if out == NULL. However, when I rewrote the latter I punted
on preserving that complication, as it was already batshit crazy enough.

Thus, remove said dance and make ec_point_to_octets() cleaner.

ok jsing
2024-12-16 06:11:26 +00:00
beck
08c63c712f Add ML-KEM 1024 from BoringSSL
Changes include conversion from C++, basic KNF, then adaptation to
use our sha3 functions for sha3 and shake instead of the BoringSSL
version. This adds unit tests to run against BoringSSL and NIST test
vectors.

The future public API is the same as Boring's - but is not yet exposed
pending making bytestring.h public (which will happen separately) and
a minor bump

Currently this will just ensure we build and run regress.

ok tb@ to get it into the tree and massage from there.
2024-12-13 00:17:17 +00:00
beck
267e7b7d19 KNF nit tb wanted me to fix 2024-12-13 00:09:02 +00:00
beck
75c083a031 Add ML-KEM 768 from BoringSSL
Changes include conversion from C++, basic KNF, then adaptation to
use our sha3 functions for sha3 and shake instead of the BoringSSL
version. This adds unit tests to run against BoringSSL and NIST test
vectors.

The future public API is the same as Boring's - but is not yet exposed
pending making bytestring.h public (which will happen separately) and
a minor bump

Currently this will just ensure we build and run regress.

ok tb@ to get it into the tree and massage from there.
2024-12-13 00:03:57 +00:00
tb
823dae7d71 Rewrite a comment to use p rather than q 2024-12-12 10:02:00 +00:00
tb
3fd2f05c57 Rename group->field to group->p
Now that we only do curves over GF(p) fields, there's no need to use a
weird, confusing name for what we usually call p. Adjust some comments
in the vicinity as well.
2024-12-12 10:00:15 +00:00
tb
c18e04ad92 sm3: fix ugly whitespace 2024-12-12 09:54:44 +00:00
jsg
f76b031fdc appeared in 4.3BSD before 4.3BSD-Tahoe
ok millert@ schwarze@
2024-12-11 23:28:20 +00:00
tb
131e173293 Avoid an oob access in asn1_item_free()
As explained in a comment, this needs to loop backwards and the last tt--
ends up pointing at &it->templates[-1], which isn't ok. Use a simple way
of looping, which is also ugly and involves some type confusion as pointed
out by claudio. However, type confusion is common in libcrypto's asn1 code
and won't be fixed anytime soon anyway.

ok jsing
2024-12-11 11:22:06 +00:00
tb
497a100a3b Drop a pair of useless parentheses 2024-12-11 10:28:03 +00:00
schwarze
fe039420e7 Improve a rather misleading sentence about EVP_PKEY_new_mac_key(3).
It does *not* "work in the same way" as EVP_PKEY_new_raw_private_key(3)
but merely arrives at the same end result after doing lots of
cumbersome and unnecessary work - and on top of that, it only works
for EVP_PKEY_HMAC.
2024-12-10 15:10:26 +00:00
schwarze
a9a4d01cec Add a paragraph about HMAC because that algorithm also involves
parameters that can be controlled with EVP_PKEY_CTX_ctrl(3).
But rather than providing a detailed description, instead
point to what application programs should use instead and explain
why using the control constant directly would be a particularly bad
idea in this case.
2024-12-10 14:54:20 +00:00
tb
5ad0d35887 Document tls_peer_cert_common_name()
ok beck
2024-12-10 08:42:12 +00:00
tb
4c4812c958 bump minor after symbol addition 2024-12-10 08:41:04 +00:00
tb
7c96010cd4 expose tls_peer_cert_common_name() 2024-12-10 08:40:45 +00:00
tb
26433cb13c Provide tls_peer_cert_common_name()
There is currently no sane way of getting your hands on the common name or
subject alternative name of the peer certificate from libtls. It is possible
to extract it from the peer cert's PEM by hand, but that way lies madness.
While the common name is close to being deprecated in the webpki, it is
still the de facto standard to identify client certs. It would be nice to
have a way to access the subject alternative names as well, but this is a
lot more difficult to expose in a clean and sane C interface due to its
multivaluedness.

Initial diff from henning, with input from beck, jsing and myself
henning and bluhm have plans of using this in syslogd.

ok beck
2024-12-10 08:40:30 +00:00
schwarze
f0955a9c84 insert a forgotten .Dv macro 2024-12-09 11:55:52 +00:00
schwarze
4594425fa5 Mark the constants EVP_PK_*, EVP_PKS_*, and EVP_PKT_* as intentionally
undocumented because they are only used by the function X509_certificate_type()
which is deprecated and will eventually be deleted.
2024-12-09 11:25:25 +00:00
schwarze
380ecedd40 Move the algorithm-specific functions EVP_rc2_*(3) out of EVP_EncryptInit(3)
and document them properly in their own manual page, including the control
commands EVP_CTRL_SET_RC2_KEY_BITS and EVP_CTRL_GET_RC2_KEY_BITS that were
so far undocumented.

Arguably, the main benefit is another small step making the important,
but still obese EVP_EncryptInit(3) manual page more palatable.
2024-12-08 17:41:23 +00:00
schwarze
60c3061599 Document the low-level rc2.h API.
Not that this would be particularly important, but i had to look
at the code anyway while completing the EVP documentation.
2024-12-07 19:22:15 +00:00
tb
4ccb460550 ec_mult: forgot to make one helper static 2024-12-07 13:49:43 +00:00
tb
08f8d31902 Move initialization of sign out of the middle of bits handling 2024-12-07 13:32:07 +00:00
tb
9d4c47a84d Rename ec_wNAF_mul() to ec_wnaf_mul()
discussed with jsing
2024-12-06 15:49:37 +00:00
tb
2380456e4c ec_mult: manage wNAF data in a struct
This refactors the wNAF multiplication further and introduces a small API
that manages the wNAF digits for bn and the multiples of digit * point in
a single struct that is initialized and freed in two API calls in the main
function, ec_wNAF_mul(). This way the main algorithm is no longer cluttered
with logic to keep various arrays in sync, helper functions calculating the
wNAF splitting of bn and multiples of the point do not need to deal with
memory management, and a pair of accessors obviates previously missing
bounds checking.

At this point we have reached a relatively clean and straightforward wNAF
implementation that fits precisely the purpose needed in libcrypto, i.e.,
ECDSA verification instead of being generalized and optimized to the max
for no good reason apart from endowing the author with an academic degree.

Popper's famous maxim "if you can't say it clearly, keep quiet, and keep
working until you can" very much applies to code as well. In other words,
shut up and hack (and don't pour too much energy into commit messages, tb).

ok jsing
2024-12-06 15:39:59 +00:00
schwarze
3f6360fc06 Adjust the return type and value of EVP_MD_CTX_init(3)
and EVP_CIPHER_CTX_init(3) after tb@ changed these to OpenSSL 1.1 semantics
in evp.h rev. 1.124 on March 2 this year.
2024-12-06 15:01:01 +00:00
schwarze
f1c41952de Delete the manual pages EVP_PKEY_meth_new(3) and EVP_PKEY_meth_get0_info(3)
because tb@ deleted almost all functions documented there from the API
in evp.h 1.127 on March 2 this year, but move the functions
EVP_PKEY_CTX_set_data(3) and EVP_PKEY_CTX_get_data(3) that we still
support to EVP_PKEY_keygen(3), because that page already documents
EVP_PKEY_CTX_set_app_data(3) and EVP_PKEY_CTX_get_app_data(3).
2024-12-06 14:27:49 +00:00
schwarze
cb0afab4d7 Delete the manual page EVP_PKEY_check(3).
All three functions documented in this page were deleted from the API
by tb@ in evp.h rev. 1.136 on August 31 this year.
2024-12-06 13:10:43 +00:00
schwarze
957fef74ea Delete the manual page EVP_PKEY_asn1_new(3).
All the functions documented in this page were deleted from the API
by tb@ in evp.h rev. 1.126 on March 2 this year.
2024-12-06 12:51:13 +00:00
jsing
90c5a28a23 Provide a SHA-1 assembly implementation for amd64 using SHA-NI.
This provides a SHA-1 assembly implementation for amd64, which uses
the Intel SHA Extensions (aka SHA New Instructions or SHA-NI). This
provides a 2-2.5x performance gain on some Intel CPUs and many AMD CPUs.

ok tb@
2024-12-06 11:57:17 +00:00
schwarze
0afdf00682 Explain what "EVP" is supposed to mean.
It's so non-obvious that even i had to do some research to find out.
Source: The file "doc/ssleay.doc" from SSLeay 0.8.1b,
see for example OpenSSL commit d02b48c6 on Dec 21, 1998.
2024-12-06 11:56:21 +00:00
tb
59c41a1786 Fix previous and thus regress failures reported by anton
Looks like I applied the diff to a dirty tree and didn't notice.
2024-12-06 07:10:20 +00:00
tb
ce5fd5cb4f ec_asn1: update a comment to match reality 2024-12-06 05:13:35 +00:00
tb
c9c3f1d69f Set nid on group decoded from EC parameters
We match curve parameters against the builtin curves and only accept
them if they're encoding a curve known to us. After getting rid of the
wtls curves, some of which used to coincide with secp curves (sometimes
the wrong ones), the nid is unambiguous. Setting the nid has no direct
implications on the encoding.

This helps ssh avoid doing ugly computations during the key exchange
for PEM keys using this encoding.

ok djm joshua jsing
2024-12-06 04:35:03 +00:00
tb
f88101f637 Zap a trailing space 2024-12-05 19:57:37 +00:00