)]}' { "commit": "9d0e7fb6e7a0e22a6f507fc260fb96cdc8a3e3b9", "tree": "bc1dbf55f8169736dac8017b5547a9ed29c97b91", "parents": [ "314d81420c7aae3495d59d590b39d8d1b222ebba" ], "author": { "name": "David Benjamin", "email": "davidben@google.com", "time": "Fri Dec 30 02:17:24 2016 -0500" }, "committer": { "name": "Adam Langley", "email": "alangley@gmail.com", "time": "Wed Jan 11 01:25:14 2017 +0000" }, "message": "Rework PKCS{5,8,12} code.\n\nAvoid the X509_ALGOR dependency entirely. The public API is still using\nthe legacy ASN.1 structures for now, but the conversions are lifted to\nthe API boundary. Once we resolve that and the OID table dependency,\nthis module will no longer block unshipping crypto/asn1 and friends from\nChromium.\n\nThis changes the calling convention around the two kinds of PBE suites\nwe support. Each PBE suite provides a free-form encrypt_init function to\nsetup an EVP_CIPHER_CTX and write the AlgorithmIdentifer to a CBB. It\nthen provides a common decrypt_init function which sets up an\nEVP_CIPHER_CTX given a CBS of the parameter. The common encrypt code\ndetermines how to call which encrypt_init function. The common decrypt\ncode parses the OID out of the AlgorithmIdentifer and then dispatches to\ndecrypt_init.\n\nNote this means the encryption codepath no longer involves parsing back\nout a AlgorithmIdentifier it just serialized. We don\u0027t have a good story\nto access an already serialized piece of a CBB in progress (reallocs can\ninvalidate the pointer in a CBS), so it\u0027s easier to cut this step out\nentirely.\n\nAlso note this renames the \"PBES1\" schemes from PKCS#5 to PKCS#12. This\nmakes it easier to get at the PKCS#12 key derivation hooks. Although\nPKCS#12 claims these are variants of PKCS#5\u0027s PBES1, they\u0027re not very\nrelated. PKCS#12 swaps out the key derivation and even defines its own\nAlgorithmIdentifier parameter structure (identical to the PKCS#5 PBES1\none). The only thing of PBES1 that survives is the CBC mode padding\nscheme, which is deep in EVP_CIPHER for us. (Of course, all this musing\non layering is moot because we don\u0027t implement non-PKCS#12 PBES1 schemes\nanyway.)\n\nThis also moves some of the random API features (default iteration\ncount, default salt generation) out of the PBE suites and into the\ncommon code.\n\nBUG\u003d54\n\nChange-Id: Ie96924c73a229be2915be98eab680cadd17326db\nReviewed-on: https://boringssl-review.googlesource.com/13069\nReviewed-by: Adam Langley \u003calangley@gmail.com\u003e\n", "tree_diff": [ { "type": "modify", "old_id": "ffb38218fa7b582d678e827e5801c19df424e6e2", "old_mode": 33188, "old_path": "crypto/pkcs8/CMakeLists.txt", "new_id": "a2e52e153315e78cac0a5b9bdb4f746b8232f0e3", "new_mode": 33188, "new_path": "crypto/pkcs8/CMakeLists.txt" }, { "type": "modify", "old_id": "7a6f057de9cfbeb256faa225f0a8dfa07f6243c8", "old_mode": 33188, "old_path": "crypto/pkcs8/internal.h", "new_id": "9cebe296269c297dd03bd9d0ec07f29c25cf9e96", "new_mode": 33188, "new_path": "crypto/pkcs8/internal.h" }, { "type": "delete", "old_id": "eff2e4011799af215d403507d6e83254e4f3a0b4", "old_mode": 33188, "old_path": "crypto/pkcs8/p5_pbe.c", "new_id": "0000000000000000000000000000000000000000", "new_mode": 0, "new_path": "/dev/null" }, { "type": "modify", "old_id": "ae187ac213e258f7916a7a9194a71f1d8c7a8396", "old_mode": 33188, "old_path": "crypto/pkcs8/p5_pbev2.c", "new_id": "59e206771c1e5862ae818b64bf3b3a805d94690a", "new_mode": 33188, "new_path": "crypto/pkcs8/p5_pbev2.c" }, { "type": "modify", "old_id": "22d6369477a432f0c76f1be2140512a4d1312019", "old_mode": 33188, "old_path": "crypto/pkcs8/pkcs8.c", "new_id": "6f634367eefe5f2a1dbbd2ce8841b5dba74d00ae", "new_mode": 33188, "new_path": "crypto/pkcs8/pkcs8.c" } ] }