History log of /openbsd-src/lib/libcrypto/rsa/rsa_oaep.c (Results 1 – 25 of 39)
Revision Date Author Comments
# b30e9525 26-Mar-2024 joshua <joshua@openbsd.org>

Clean up use of EVP_MD_CTX_{legacy_clear,cleanup} in PKCS1_MGF1

ok tb@


# 76d5ca18 18-Feb-2024 tb <tb@openbsd.org>

Use EVP_MD_CTX_legacy_clear() internally

ok jsing


# 1da36015 08-Jul-2023 beck <beck@openbsd.org>

Hide symbols in rsa

ok tb@


# c9675a23 26-Nov-2022 tb <tb@openbsd.org>

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook


# 7cbc902d 20-Feb-2022 tb <tb@openbsd.org>

Fix a buffer overread in OAEP padding removal

This only occurs on very small payloads and tightly allocated buffers
that don't usually occur in practice.

This is OpenSSL f61c6804

ok inoguchi jsing


# bc366ef8 12-Dec-2021 tb <tb@openbsd.org>

Include evp_locl.h where it will be needed once most structs from
evp.h will be moved to evp_locl.h in an upcoming bump.

ok inoguchi


# 491d4800 17-Oct-2019 jsing <jsing@openbsd.org>

Sync RSA_padding_check_PKCS1_OAEP_mgf1().

Update RSA_padding_check_PKCS1_OAEP_mgf1() with code from OpenSSL 1.1.1d
(with some improvements/corrections to comments).

This brings in code to make the padding check constant time.

ok inoguchi@ tb@


# bb3393dc 09-Oct-2019 jsing <jsing@openbsd.org>

Use EVP_MAX_MD_SIZE instead of SHA_DIGEST_LENGTH and remove OPENSSL_NO_SHA*
conditionals, now that this code handles arbitrary message digests.

ok inoguchi@ tb@


# 250113e1 04-Oct-2019 jsing <jsing@openbsd.org>

Provide internal RSA_padding_{add,check}_PKCS1_OAEP_mgf1() functions.

These are internal only for now and will be made public at a later date.
The RSA_padding_{add,check}_PKCS1_OAEP() functions become wrappers around
the *_mgf1() variant.

ok tb@ inoguchi@ (as part of a larger diff)


# f4b852de 03-Oct-2019 jsing <jsing@openbsd.org>

Move towards making RSA OAEP functions handle arbitrary message digests.

Based on OpenSSL 1.1.1.

ok tb@, inoguchi@ (on an earlier/larger diff)


# a895afb1 19-Aug-2018 tb <tb@openbsd.org>

whitespace fix


# 2a4372ee 19-Aug-2018 tb <tb@openbsd.org>

Don't leak db on error in RSA_padding_check_PKCS1_OAEP().
CID #183499.

input & ok jsing, ok mestre on first version


# 06057e00 05-Aug-2018 bcook <bcook@openbsd.org>

In RSA_padding_add_PKCS1_OAEP, dbmask needs to be freed on failure.

ok tb@


# 5067ae9f 29-Jan-2017 beck <beck@openbsd.org>

Send the function codes from the error functions to the bit bucket,
as was done earlier in libssl. Thanks inoguchi@ for noticing
libssl had more reacharounds into this.
ok jsing@ inoguchi@


# e88e0363 20-Jun-2015 jsing <jsing@openbsd.org>

Replace remaining CRYPTO_memcmp() calls with timingsafe_memcmp().

ok doug@ deraadt@


# ef624301 22-Oct-2014 jsing <jsing@openbsd.org>

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random_buf() is guaranteed to always succeed - it is worth noting
that a number of the replaced function calls were already missing return
value checks.

ok deraadt@


# b6ab114e 11-Jul-2014 jsing <jsing@openbsd.org>

Only import cryptlib.h in the four source files that actually need it.
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.

ok beck@ miod@


# 8cf4d6a6 10-Jul-2014 jsing <jsing@openbsd.org>

Explicitly include <openssl/opensslconf.h> in every file that references
an OPENSSL_NO_* define. This avoids relying on something else pulling it
in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is
never going to do anything, since OPENSSL_NO_XYZ will never be defined, due
to the fact that opensslconf.h has not been included.

This also includes some miscellaneous sorting/tidying of headers.


# a8913c44 10-Jul-2014 jsing <jsing@openbsd.org>

Stop including standard headers via cryptlib.h - pull in the headers that
are needed in the source files that actually require them.

ok beck@ miod@


# 3372276c 10-Jul-2014 tedu <tedu@openbsd.org>

delete some casts. ok miod


# 14a995a9 09-Jul-2014 jsing <jsing@openbsd.org>

More KNF.


# 1145a91b 09-Jul-2014 miod <miod@openbsd.org>

Unifdef -UPKCS_TESTVECT - we don't want the random data used in OAEP padding
to get overwritten by a known value, ever.


# 87203b09 09-Jul-2014 miod <miod@openbsd.org>

KNF


# c3d6a26a 12-Jun-2014 deraadt <deraadt@openbsd.org>

tags as requested by miod and tedu


# f3f95c1e 30-May-2014 deraadt <deraadt@openbsd.org>

more: no need to null check before free; ok guenther

