diff options
| author | Dimitri Staessens <Dimitri.Staessens@Quantum.Com> | 2026-01-28 00:35:28 +0100 |
|---|---|---|
| committer | Sander Vrijders <sander@ouroboros.rocks> | 2026-02-02 08:07:04 +0100 |
| commit | 37e3dbdd8206e4f0f03fab13ff3f38aa932be065 (patch) | |
| tree | c7508d4a50bb8a1e6025b489418a5f9aae4a308e /include | |
| parent | e9fb0eb1130a8efacab3add17f524197a9044a88 (diff) | |
| download | ouroboros-37e3dbdd8206e4f0f03fab13ff3f38aa932be065.tar.gz ouroboros-37e3dbdd8206e4f0f03fab13ff3f38aa932be065.zip | |
lib: Fix OpenSSL includes and explicit_bzero on OSX
The include headers and NIDs are different on macOS X. It also doesn't
have explicit_bzero.
The crypt.h includes are now guarded to work on OS X (trying to avoid
the includes by defining the OpenSSL mac header guard led to a whole
list of other issues).
The explicit zero'ing of buffers temporarily holding secrets has now
been abstracted in a crypt_secure_clear() function defaulting to
OpenSSL_cleanse, explicit_bzero (if present) or a best-effort option
using a volatile pointer.
Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks>
Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
Diffstat (limited to 'include')
| -rw-r--r-- | include/ouroboros/crypt.h | 38 |
1 files changed, 26 insertions, 12 deletions
diff --git a/include/ouroboros/crypt.h b/include/ouroboros/crypt.h index 6587a277..5b39fb5f 100644 --- a/include/ouroboros/crypt.h +++ b/include/ouroboros/crypt.h @@ -35,8 +35,14 @@ #define KEX_CIPHER_BUFSZ 32 #define MSGBUFSZ 2048 +/* + * On OSX the OpenSSL NIDs are automatically loaded with evp.h. + * Some have a different spelling. This header avoids the double definitions. + */ + + #define NID_undef 0 + /* Cipher NIDs (match OpenSSL values) */ -#define NID_undef 0 #define NID_aes_128_gcm 895 #define NID_aes_192_gcm 898 #define NID_aes_256_gcm 901 @@ -45,17 +51,7 @@ #define NID_aes_256_ctr 906 #define NID_chacha20_poly1305 1018 -/* KDF NIDs (match OpenSSL values) */ -#define NID_hkdf 1036 -#define NID_sha256 672 -#define NID_sha384 673 -#define NID_sha512 674 -#define NID_sha3_256 1096 -#define NID_sha3_384 1097 -#define NID_sha3_512 1098 -#define NID_blake2b512 1056 -#define NID_blake2s256 1057 - + #if !defined (__APPLE__) || !defined ( HAVE_OPENSSL ) /* KEX algorithm NIDs (match OpenSSL values) */ #define NID_X9_62_prime256v1 415 #define NID_secp384r1 715 @@ -65,12 +61,27 @@ #define NID_ffdhe2048 1126 #define NID_ffdhe3072 1127 #define NID_ffdhe4096 1128 +#endif /* __APPLE__ */ #define NID_MLKEM512 1454 #define NID_MLKEM768 1455 #define NID_MLKEM1024 1456 #define NID_X25519MLKEM768 2053 /* !! not in OpenSSL */ #define NID_X448MLKEM1024 2054 /* !! not in OpenSSL */ +/* KDF NIDs (match OpenSSL values) */ +#define NID_hkdf 1036 +#define NID_sha256 672 +#define NID_sha384 673 +#define NID_sha512 674 +#if !defined (__APPLE__) || !defined ( HAVE_OPENSSL ) +#define NID_sha3_256 1096 +#define NID_sha3_384 1097 +#define NID_sha3_512 1098 +#endif /* __APPLE__ */ +#define NID_blake2b512 1056 +#define NID_blake2s256 1057 + + #define IS_KEM_ALGORITHM(algo) \ (strstr(algo, "ML-KEM") != NULL || strstr(algo, "MLKEM") != NULL) @@ -351,4 +362,7 @@ void * crypt_secure_malloc(size_t size); void crypt_secure_free(void * ptr, size_t size); +void crypt_secure_clear(void * ptr, + size_t size); + #endif /* OUROBOROS_LIB_CRYPT_H */ |