summaryrefslogtreecommitdiff
path: root/src/lib/tests/kex_test.c
diff options
context:
space:
mode:
authorDimitri Staessens <dimitri@ouroboros.rocks>2026-06-21 12:55:17 +0200
committerSander Vrijders <sander@ouroboros.rocks>2026-06-29 08:32:59 +0200
commit8499436b4673ac2e2026879a95d97162ba2e8cbc (patch)
treeb09e1677e9f21c149a530361dadaa0868c824ac5 /src/lib/tests/kex_test.c
parente42a24f39afe15c5ac579fa519df98643d4fc6dd (diff)
downloadouroboros-8499436b4673ac2e2026879a95d97162ba2e8cbc.tar.gz
ouroboros-8499436b4673ac2e2026879a95d97162ba2e8cbc.zip
lib: Harden OpenSSL crypto backend
This contains a few improvements and fixes in the OpenSSL backed. We now zeroize shared secrets with OPENSSL_clear_free. The i2d_PUBKEY output is bound against CRYPT_KEY_BUFSZ. We now return NULL rather than silently falling back to SHA-256 when a digest is unknown. FILE handles are now closed via pthread cleanup so a cancelled thread cannot leak them. The DHE kex tests now set the KDF NID explicitly, since the SHA-256 fallback is gone. Also refactors the PEM string loaders to clean up some code duplication. Signed-off-by: Dimitri Staessens <dimitri@ouroboros.rocks> Signed-off-by: Sander Vrijders <sander@ouroboros.rocks>
Diffstat (limited to 'src/lib/tests/kex_test.c')
-rw-r--r--src/lib/tests/kex_test.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/src/lib/tests/kex_test.c b/src/lib/tests/kex_test.c
index 7a4d36d8..786e1977 100644
--- a/src/lib/tests/kex_test.c
+++ b/src/lib/tests/kex_test.c
@@ -241,6 +241,7 @@ static int test_kex_dhe_derive(const char * algo)
memset(&kex, 0, sizeof(kex));
SET_KEX_ALGO(&kex, algo);
+ SET_KEX_KDF_NID(&kex, NID_sha256);
len = kex_pkp_create(&kex, &pkp1, buf1);
if (len < 0) {
@@ -352,6 +353,7 @@ static int test_kex_dhe_corrupted_pubkey(const char * algo)
memset(&kex, 0, sizeof(kex));
SET_KEX_ALGO(&kex, algo);
+ SET_KEX_KDF_NID(&kex, NID_sha256);
len = kex_pkp_create(&kex, &pkp, buf);
if (len < 0) {
@@ -403,6 +405,8 @@ static int test_kex_dhe_wrong_algo(void)
memset(&kex2, 0, sizeof(kex2));
SET_KEX_ALGO(&kex1, algo1);
SET_KEX_ALGO(&kex2, algo2);
+ SET_KEX_KDF_NID(&kex1, NID_sha256);
+ SET_KEX_KDF_NID(&kex2, NID_sha256);
if (kex_pkp_create(&kex1, &pkp1, buf1) < 0) {
printf("Failed to create first key pair.\n");