mirror of https://git.FreeBSD.org/src.git synced 2024-12-11 09:50:12 +00:00

Merge OpenSSL 1.1.1a.

This commit is contained in:
Jung-uk Kim 2018-11-20 21:10:04 +00:00
commit c9cf7b5cb1
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=340703
662 changed files with 3305 additions and 2206 deletions

View File

@ -7,6 +7,42 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
Changes between 1.1.1 and 1.1.1a [20 Nov 2018]
*) Timing vulnerability in DSA signature generation
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
timing side channel attack. An attacker could use variations in the signing
algorithm to recover the private key.
This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
(CVE-2018-0734)
[Paul Dale]
*) Timing vulnerability in ECDSA signature generation
The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
timing side channel attack. An attacker could use variations in the signing
algorithm to recover the private key.
This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
(CVE-2018-0735)
[Paul Dale]
*) Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for
the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names
are retained for backwards compatibility.
[Antoine Salon]
*) Fixed the issue that RAND_add()/RAND_seed() silently discards random input
if its length exceeds 4096 bytes. The limit has been raised to a buffer size
of two gigabytes and the error handling improved.
This issue was reported to OpenSSL by Dr. Falko Strenzke. It has been
categorized as a normal bug, not a security issue, because the DRBG reseeds
automatically and is fully functional even without additional randomness
provided by the application.
Changes between 1.1.0i and 1.1.1 [11 Sep 2018]
*) Add a new ClientHello callback. Provides a callback interface that gives
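Review bot: the RAND_add()/RAND_seed() entry is the only one in this block without an [author] tag, and it says the 4096-byte limit was raised to two gigabytes without saying what now happens to input above the new limit (error return, or still silently discarded), which is the behaviour the bug was about; state it explicitly and add the author. The two CVE entries could also name the affected releases, since the NEWS entry further down only repeats the headline.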
@ -13103,4 +13139,3 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
*) A minor bug in ssl/s3_clnt.c where there would always be 4 0
bytes sent in the client random.
[Edward Bishop <ebishop@spyglass.com>]

View File

@ -1013,13 +1013,18 @@ if (scalar(@seed_sources) == 0) {
if (scalar(grep { $_ eq 'none' } @seed_sources) > 0) {
die "Cannot seed with none and anything else" if scalar(@seed_sources) > 1;
warn <<_____ if scalar(@seed_sources) == 1;
You have selected the --with-rand-seed=none option, which effectively disables
automatic reseeding of the OpenSSL random generator. All operations depending
on the random generator such as creating keys will not work unless the random
generator is seeded manually by the application.
Please read the 'Note on random number generation' section in the INSTALL
instructions and the RAND_DRBG(7) manual page for more details.
============================== WARNING ===============================
You have selected the --with-rand-seed=none option, which effectively
disables automatic reseeding of the OpenSSL random generator.
All operations depending on the random generator such as creating keys
will not work unless the random generator is seeded manually by the
application.
Please read the 'Note on random number generation' section in the
INSTALL instructions and the RAND_DRBG(7) manual page for more details.
============================== WARNING ===============================
_____
}
push @{$config{openssl_other_defines}},
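Review bot: the new warning box says --with-rand-seed=none "disables automatic reseeding", but the next sentence says no operation works until the generator is "seeded manually by the application", i.e. initial seeding is disabled as well; say "seeding" so a reader does not assume the DRBG still starts out seeded. The rest is just a re-wrap of the old paragraph, which is fine.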
@ -2174,6 +2179,16 @@ EOF
# Massage the result
# If the user configured no-shared, we allow no shared sources
if ($disabled{shared}) {
foreach (keys %{$unified_info{shared_sources}}) {
foreach (keys %{$unified_info{shared_sources}->{$_}}) {
delete $unified_info{sources}->{$_};
}
}
$unified_info{shared_sources} = {};
}
# If we depend on a header file or a perl module, add an inclusion of
# its directory to allow smoothe inclusion
foreach my $dest (keys %{$unified_info{depends}}) {
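Review bot: both nested foreach loops iterate on $_, so `delete $unified_info{sources}->{$_}` depends on the inner key being an object name while the outer product key is no longer reachable; give the loops named variables (my $product / my $obj) so the intent is readable and the outer key stays available. The context comment two lines below still says "smoothe".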
@ -2198,8 +2213,8 @@ EOF
next unless defined($unified_info{includes}->{$dest}->{$k});
my @incs = reverse @{$unified_info{includes}->{$dest}->{$k}};
foreach my $obj (grep /\.o$/,
(keys %{$unified_info{sources}->{$dest}},
keys %{$unified_info{shared_sources}->{$dest}})) {
(keys %{$unified_info{sources}->{$dest} // {}},
keys %{$unified_info{shared_sources}->{$dest} // {}})) {
foreach my $inc (@incs) {
unshift @{$unified_info{includes}->{$obj}->{$k}}, $inc
unless grep { $_ eq $inc } @{$unified_info{includes}->{$obj}->{$k}};
@ -2238,6 +2253,42 @@ EOF
[ @{$unified_info{includes}->{$dest}->{source}} ];
}
}
# For convenience collect information regarding directories where
# files are generated, those generated files and the end product
# they end up in where applicable. Then, add build rules for those
# directories
my %loopinfo = ( "lib" => [ @{$unified_info{libraries}} ],
"dso" => [ @{$unified_info{engines}} ],
"bin" => [ @{$unified_info{programs}} ],
"script" => [ @{$unified_info{scripts}} ] );
foreach my $type (keys %loopinfo) {
foreach my $product (@{$loopinfo{$type}}) {
my %dirs = ();
my $pd = dirname($product);
foreach (@{$unified_info{sources}->{$product} // []},
@{$unified_info{shared_sources}->{$product} // []}) {
my $d = dirname($_);
# We don't want to create targets for source directories
# when building out of source
next if ($config{sourcedir} ne $config{builddir}
&& $d =~ m|^\Q$config{sourcedir}\E|);
# We already have a "test" target, and the current directory
# is just silly to make a target for
next if $d eq "test" || $d eq ".";
$dirs{$d} = 1;
push @{$unified_info{dirinfo}->{$d}->{deps}}, $_
if $d ne $pd;
}
foreach (keys %dirs) {
push @{$unified_info{dirinfo}->{$_}->{products}->{$type}},
$product;
}
}
}
}
# For the schemes that need it, we provide the old *_obj configs
@ -2712,10 +2763,16 @@ print <<"EOF";
**********************************************************************
*** ***
*** If you want to report a building issue, please include the ***
*** output from this command: ***
*** OpenSSL has been successfully configured ***
*** ***
*** perl configdata.pm --dump ***
*** If you encounter a problem while building, please open an ***
*** issue on GitHub <https://github.com/openssl/openssl/issues> ***
*** and include the output from the following command: ***
*** ***
*** perl configdata.pm --dump ***
*** ***
*** (If you are new to OpenSSL, you might want to consult the ***
*** 'Troubleshooting' section in the INSTALL file first) ***
*** ***
**********************************************************************
EOF

View File

@ -614,8 +614,8 @@
Windows, and as a comma separated list of
libraries on VMS.
RANLIB The library archive indexer.
RC The Windows resources manipulator.
RCFLAGS Flags for the Windows reources manipulator.
RC The Windows resource compiler.
RCFLAGS Flags for the Windows resource compiler.
RM The command to remove files and directories.
These cannot be mixed with compiling / linking flags given
@ -969,7 +969,7 @@
BUILDFILE
Use a different build file name than the platform default
("Makefile" on Unixly platforms, "makefile" on native Windows,
("Makefile" on Unix-like platforms, "makefile" on native Windows,
"descrip.mms" on OpenVMS). This requires that there is a
corresponding build file template. See Configurations/README
for further information.
@ -1171,7 +1171,7 @@
part of the file name, i.e. for OpenSSL 1.1.x, 1.1 is somehow part of
the name.
On most POSIXly platforms, shared libraries are named libcrypto.so.1.1
On most POSIX platforms, shared libraries are named libcrypto.so.1.1
and libssl.so.1.1.
on Cygwin, shared libraries are named cygcrypto-1.1.dll and cygssl-1.1.dll
@ -1202,7 +1202,7 @@
The seeding method can be configured using the --with-rand-seed option,
which can be used to specify a comma separated list of seed methods.
However in most cases OpenSSL will choose a suitable default method,
so it is not necessary to explicitely provide this option. Note also
so it is not necessary to explicitly provide this option. Note also
that not all methods are available on all platforms.
I) On operating systems which provide a suitable randomness source (in

View File

@ -5,6 +5,11 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
Major changes between OpenSSL 1.1.1 and OpenSSL 1.1.1a [20 Nov 2018]
o Timing vulnerability in DSA signature generation (CVE-2018-0734)
o Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.1 [11 Sep 2018]
o Support for TLSv1.3 added (see https://wiki.openssl.org/index.php/TLS1.3

View File

@ -1,5 +1,5 @@
OpenSSL 1.1.1 11 Sep 2018
OpenSSL 1.1.1a 20 Nov 2018
Copyright (c) 1998-2018 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -26,7 +26,6 @@ void app_RAND_load_conf(CONF *c, const char *section)
if (RAND_load_file(randfile, -1) < 0) {
BIO_printf(bio_err, "Can't load %s into RNG\n", randfile);
ERR_print_errors(bio_err);
return;
}
if (save_rand_file == NULL)
save_rand_file = OPENSSL_strdup(randfile);
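Review bot: dropping the `return` means a RAND_load_file() failure is still reported through bio_err and ERR_print_errors() but no longer stops app_RAND_load_conf(), and save_rand_file is then set for the file presumably to be written later; if the intent is to let a missing RANDFILE be created on first use, say so in a comment and consider not dumping the error stack for that case, since users will otherwise see an error on every first invocation that is then ignored.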

View File

@ -1831,6 +1831,12 @@ X509_NAME *parse_name(const char *cp, long chtype, int canmulti)
opt_getprog(), typestr);
continue;
}
if (*valstr == '\0') {
BIO_printf(bio_err,
"%s: No value provided for Subject Attribute %s, skipped\n",
opt_getprog(), typestr);
continue;
}
if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
valstr, strlen((char *)valstr),
-1, ismulti ? -1 : 0))
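Review bot: an empty value is now skipped with only a warning on stderr, so a -subj such as /CN=/O=Example yields a name without CN and nothing fails, which scripts using -batch will not notice; this matches the non-fatal handling of the unknown-attribute case just above, but if an empty RDN value is never valid it is safer to make it an error here, or at least document the skip in the req(1)/x509(1) man pages.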

View File

@ -369,7 +369,7 @@ typedef struct string_int_pair_st {
# define OPT_FMT_SMIME (1L << 3)
# define OPT_FMT_ENGINE (1L << 4)
# define OPT_FMT_MSBLOB (1L << 5)
# define OPT_FMT_NETSCAPE (1L << 6)
/* (1L << 6) was OPT_FMT_NETSCAPE, but wasn't used */
# define OPT_FMT_NSS (1L << 7)
# define OPT_FMT_TEXT (1L << 8)
# define OPT_FMT_HTTP (1L << 9)
@ -378,8 +378,8 @@ typedef struct string_int_pair_st {
# define OPT_FMT_PDS (OPT_FMT_PEMDER | OPT_FMT_SMIME)
# define OPT_FMT_ANY ( \
OPT_FMT_PEMDER | OPT_FMT_PKCS12 | OPT_FMT_SMIME | \
OPT_FMT_ENGINE | OPT_FMT_MSBLOB | OPT_FMT_NETSCAPE | \
OPT_FMT_NSS | OPT_FMT_TEXT | OPT_FMT_HTTP | OPT_FMT_PVK)
OPT_FMT_ENGINE | OPT_FMT_MSBLOB | OPT_FMT_NSS | \
OPT_FMT_TEXT | OPT_FMT_HTTP | OPT_FMT_PVK)
char *opt_progname(const char *argv0);
char *opt_getprog(void);

View File

@ -605,7 +605,7 @@ int ca_main(int argc, char **argv)
/*
* outdir is a directory spec, but access() for VMS demands a
* filename. We could use the DEC C routine to convert the
* directory syntax to Unixly, and give that to app_isdir,
* directory syntax to Unix, and give that to app_isdir,
* but for now the fopen will catch the error if it's not a
* directory
*/
@ -976,7 +976,7 @@ int ca_main(int argc, char **argv)
BIO_printf(bio_err, "Write out database with %d new entries\n",
sk_X509_num(cert_sk));
if (!rand_ser
if (serialfile != NULL
&& !save_serial(serialfile, "new", serial, NULL))
goto end;
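Review bot: the guard changes from `!rand_ser` to `serialfile != NULL`, which only preserves the old behaviour if serialfile is set to NULL whenever -rand_serial is in effect; that assignment is not in this diff, so please confirm it, otherwise save_serial() will now write the random serial into serialfile "new". The same substitution is made for crlnumberfile below, where the old code tested `crlnumberfile != NULL` and `!rand_ser` separately.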
@ -1044,7 +1044,8 @@ int ca_main(int argc, char **argv)
if (sk_X509_num(cert_sk)) {
/* Rename the database and the serial file */
if (!rotate_serial(serialfile, "new", "old"))
if (serialfile != NULL
&& !rotate_serial(serialfile, "new", "old"))
goto end;
if (!rotate_index(dbfile, "new", "old"))
@ -1177,10 +1178,9 @@ int ca_main(int argc, char **argv)
}
/* we have a CRL number that need updating */
if (crlnumberfile != NULL)
if (!rand_ser
&& !save_serial(crlnumberfile, "new", crlnumber, NULL))
goto end;
if (crlnumberfile != NULL
&& !save_serial(crlnumberfile, "new", crlnumber, NULL))
goto end;
BN_free(crlnumber);
crlnumber = NULL;
@ -1195,9 +1195,10 @@ int ca_main(int argc, char **argv)
PEM_write_bio_X509_CRL(Sout, crl);
if (crlnumberfile != NULL) /* Rename the crlnumber file */
if (!rotate_serial(crlnumberfile, "new", "old"))
goto end;
/* Rename the crlnumber file */
if (crlnumberfile != NULL
&& !rotate_serial(crlnumberfile, "new", "old"))
goto end;
}
/*****************************************************************/

View File

@ -950,6 +950,7 @@ static void spawn_loop(void)
sleep(30);
break;
case 0: /* child */
OPENSSL_free(kidpids);
signal(SIGINT, SIG_DFL);
signal(SIGTERM, SIG_DFL);
if (termsig)
@ -976,6 +977,7 @@ static void spawn_loop(void)
}
/* The loop above can only break on termsig */
OPENSSL_free(kidpids);
syslog(LOG_INFO, "terminating on signal: %d", termsig);
killall(0, kidpids);
}
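Review bot: `OPENSSL_free(kidpids)` is now called two lines before `killall(0, kidpids)`, which reads the freed array; move the free after killall(). The free added in the child branch above is a separate matter and looks fine on its own.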

View File

@ -11,7 +11,6 @@
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
@ -58,7 +57,6 @@ crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert

View File

@ -168,7 +168,6 @@ static OPT_PAIR formats[] = {
{"smime", OPT_FMT_SMIME},
{"engine", OPT_FMT_ENGINE},
{"msblob", OPT_FMT_MSBLOB},
{"netscape", OPT_FMT_NETSCAPE},
{"nss", OPT_FMT_NSS},
{"text", OPT_FMT_TEXT},
{"http", OPT_FMT_HTTP},

View File

@ -1,6 +1,6 @@
/*
* Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2013-2014 Timo Teräs <timo.teras@gmail.com>
* Copyright (c) 2013-2014 Timo Teräs <timo.teras@gmail.com>
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy

View File

@ -38,8 +38,8 @@ typedef enum OPTION_choice {
const OPTIONS rsa_options[] = {
{"help", OPT_HELP, '-', "Display this summary"},
{"inform", OPT_INFORM, 'f', "Input format, one of DER NET PEM"},
{"outform", OPT_OUTFORM, 'f', "Output format, one of DER NET PEM PVK"},
{"inform", OPT_INFORM, 'f', "Input format, one of DER PEM"},
{"outform", OPT_OUTFORM, 'f', "Output format, one of DER PEM PVK"},
{"in", OPT_IN, 's', "Input file"},
{"out", OPT_OUT, '>', "Output file"},
{"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
@ -269,6 +269,9 @@ int rsa_main(int argc, char **argv)
} else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
EVP_PKEY *pk;
pk = EVP_PKEY_new();
if (pk == NULL)
goto end;
EVP_PKEY_set1_RSA(pk, rsa);
if (outformat == FORMAT_PVK) {
if (pubin) {
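Review bot: the NULL check on EVP_PKEY_new() is good, but `EVP_PKEY_set1_RSA(pk, rsa)` on the very next line still ignores its return value; check it and `goto end` as well, and make sure the end path frees pk (not visible in this hunk) so that later failures do not leak it.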

View File

@ -394,7 +394,8 @@ int ssl_print_groups(BIO *out, SSL *s, int noshared)
int ssl_print_tmp_key(BIO *out, SSL *s)
{
EVP_PKEY *key;
if (!SSL_get_server_tmp_key(s, &key))
if (!SSL_get_peer_tmp_key(s, &key))
return 1;
BIO_puts(out, "Server Temp Key: ");
switch (EVP_PKEY_id(key)) {
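Review bot: SSL_get_peer_tmp_key() returns the peer's ephemeral key whichever side we are, but the label printed right after is still "Server Temp Key: ", so if ssl_print_tmp_key() is ever called from s_server the output is mislabelled; either choose the label from SSL_is_server() or state in a comment that this helper is client-side only.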

View File

@ -193,9 +193,8 @@ static int psk_find_session_cb(SSL *ssl, const unsigned char *identity,
if (strlen(psk_identity) != identity_len
|| memcmp(psk_identity, identity, identity_len) != 0) {
BIO_printf(bio_s_out,
"PSK warning: client identity not what we expected"
" (got '%s' expected '%s')\n", identity, psk_identity);
*sess = NULL;
return 1;
}
if (psksess != NULL) {
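Review bot: the removed BIO_printf formatted `identity` with %s although it is only identity_len bytes long and not necessarily NUL-terminated, so this change also removes an over-read; say so in the commit message instead of silently dropping the diagnostic, and if the message is still wanted print it with `%.*s` and (int)identity_len.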
@ -1622,6 +1621,11 @@ int s_server_main(int argc, char *argv[])
goto end;
}
#endif
if (early_data && (www > 0 || rev)) {
BIO_printf(bio_err,
"Can't use -early_data in combination with -www, -WWW, -HTTP, or -rev\n");
goto end;
}
#ifndef OPENSSL_NO_SCTP
if (protocol == IPPROTO_SCTP) {

View File

@ -2896,7 +2896,7 @@ int speed_main(int argc, char **argv)
if (rsa_count <= 1) {
/* if longer than 10s, don't do any more */
for (testnum++; testnum < EC_NUM; testnum++)
for (testnum++; testnum < ECDSA_NUM; testnum++)
ecdsa_doit[testnum] = 0;
}
}
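Review bot: the loop bound was EC_NUM while the array being written is ecdsa_doit, so if EC_NUM exceeds ECDSA_NUM the old loop wrote past the end of ecdsa_doit; that makes this an out-of-bounds write fix rather than a cosmetic one, worth a line in CHANGES, and any sibling "don't do any more" loops over the other EC arrays in speed.c should be checked for the same mismatch.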

View File

@ -67,10 +67,10 @@ typedef enum OPTION_choice {
const OPTIONS x509_options[] = {
{"help", OPT_HELP, '-', "Display this summary"},
{"inform", OPT_INFORM, 'f',
"Input format - default PEM (one of DER, NET or PEM)"},
"Input format - default PEM (one of DER or PEM)"},
{"in", OPT_IN, '<', "Input file - default stdin"},
{"outform", OPT_OUTFORM, 'f',
"Output format - default PEM (one of DER, NET or PEM)"},
"Output format - default PEM (one of DER or PEM)"},
{"out", OPT_OUT, '>', "Output file - default stdout"},
{"keyform", OPT_KEYFORM, 'F', "Private key format - default PEM"},
{"passin", OPT_PASSIN, 's', "Private key password/pass-phrase source"},

View File

@ -51,7 +51,7 @@
#endif
/*
* The POSIXly macro for the maximum number of characters in a file path is
* The POSIX macro for the maximum number of characters in a file path is
* NAME_MAX. However, some operating systems use PATH_MAX instead.
* Therefore, it seems natural to first check for PATH_MAX and use that, and
* if it doesn't exist, use NAME_MAX.

View File

@ -17,7 +17,8 @@
# include <unistd.h>
# if _POSIX_VERSION >= 200112L
# if _POSIX_VERSION >= 200112L \
&& (_POSIX_VERSION < 200809L || defined(__GLIBC__))
# include <pthread.h>
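Review bot: the new condition (`_POSIX_VERSION < 200809L || defined(__GLIBC__)`) needs a comment saying which platform it works around and why pthread.h is skipped on non-glibc POSIX.1-2008 systems; as written a reader cannot tell, and the next cleanup pass will "simplify" it back.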

View File

@ -133,7 +133,9 @@ int BIO_connect(int sock, const BIO_ADDR *addr, int options)
*/
int BIO_bind(int sock, const BIO_ADDR *addr, int options)
{
# ifndef OPENSSL_SYS_WINDOWS
int on = 1;
# endif
if (sock == -1) {
BIOerr(BIO_F_BIO_BIND, BIO_R_INVALID_SOCKET);

View File

@ -52,7 +52,7 @@ static long bio_call_callback(BIO *b, int oper, const char *argp, size_t len,
argi = (int)len;
}
if (inret && (oper & BIO_CB_RETURN) && bareoper != BIO_CB_CTRL) {
if (inret > 0 && (oper & BIO_CB_RETURN) && bareoper != BIO_CB_CTRL) {
if (*processed > INT_MAX)
return -1;
inret = *processed;
@ -60,7 +60,7 @@ static long bio_call_callback(BIO *b, int oper, const char *argp, size_t len,
ret = b->callback(b, oper, argp, argi, argl, inret);
if (ret >= 0 && (oper & BIO_CB_RETURN) && bareoper != BIO_CB_CTRL) {
if (ret > 0 && (oper & BIO_CB_RETURN) && bareoper != BIO_CB_CTRL) {
*processed = (size_t)ret;
ret = 1;
}
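Review bot: changing `ret >= 0` to `ret > 0` means a callback returning 0 no longer sets `*processed = 0` and `ret = 1`, so "zero bytes processed" now propagates as a 0 return rather than success with nothing done; if 0 from the callback is meant to signal failure, state that in the BIO_set_callback_ex() documentation, and the matching `inret > 0` change above suggests the same convention applies on the way in.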

View File

@ -408,4 +408,9 @@ static void xcloselog(BIO *bp)
# endif /* Unix */
#else /* NO_SYSLOG */
const BIO_METHOD *BIO_s_log(void)
{
return NULL;
}
#endif /* NO_SYSLOG */
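Review bot: BIO_s_log() now returns NULL when syslog is unavailable, so a caller doing BIO_new(BIO_s_log()) hands BIO_new a NULL method; document in BIO_s_log(3) that the return value must be checked, or return a method whose operations fail gracefully, so code written against a syslog-capable build does not dereference NULL.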

View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -64,12 +64,6 @@
* machine.
*/
# if defined(_WIN64) || !defined(__LP64__)
# define BN_ULONG unsigned long long
# else
# define BN_ULONG unsigned long
# endif
# undef mul
# undef mul_add

View File

@ -1077,7 +1077,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
* is not only slower but also makes each bit vulnerable to
* EM (and likely other) side-channel attacks like One&Done
* (for details see "One&Done: A Single-Decryption EM-Based
* Attack on OpenSSLs Constant-Time Blinded RSA" by M. Alam,
* Attack on OpenSSL's Constant-Time Blinded RSA" by M. Alam,
* H. Khan, M. Dey, N. Sinha, R. Callan, A. Zajic, and
* M. Prvulovic, in USENIX Security'18)
*/

View File

@ -767,26 +767,30 @@ void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
b->neg ^= t;
/*-
* Idea behind BN_FLG_STATIC_DATA is actually to
* indicate that data may not be written to.
* Intention is actually to treat it as it's
* read-only data, and some (if not most) of it does
* reside in read-only segment. In other words
* observation of BN_FLG_STATIC_DATA in
* BN_consttime_swap should be treated as fatal
* condition. It would either cause SEGV or
* effectively cause data corruption.
* BN_FLG_MALLOCED refers to BN structure itself,
* and hence must be preserved. Remaining flags are
* BN_FLG_CONSTIME and BN_FLG_SECURE. Latter must be
* preserved, because it determines how x->d was
* allocated and hence how to free it. This leaves
* BN_FLG_CONSTTIME that one can do something about.
* To summarize it's sufficient to mask and swap
* BN_FLG_CONSTTIME alone. BN_FLG_STATIC_DATA should
* be treated as fatal.
* BN_FLG_STATIC_DATA: indicates that data may not be written to. Intention
* is actually to treat it as it's read-only data, and some (if not most)
* of it does reside in read-only segment. In other words observation of
* BN_FLG_STATIC_DATA in BN_consttime_swap should be treated as fatal
* condition. It would either cause SEGV or effectively cause data
* corruption.
*
* BN_FLG_MALLOCED: refers to BN structure itself, and hence must be
* preserved.
*
* BN_FLG_SECURE: must be preserved, because it determines how x->d was
* allocated and hence how to free it.
*
* BN_FLG_CONSTTIME: sufficient to mask and swap
*
* BN_FLG_FIXED_TOP: indicates that we haven't called bn_correct_top() on
* the data, so the d array may be padded with additional 0 values (i.e.
* top could be greater than the minimal value that it could be). We should
* be swapping it
*/
t = ((a->flags ^ b->flags) & BN_FLG_CONSTTIME) & condition;
#define BN_CONSTTIME_SWAP_FLAGS (BN_FLG_CONSTTIME | BN_FLG_FIXED_TOP)
t = ((a->flags ^ b->flags) & BN_CONSTTIME_SWAP_FLAGS) & condition;
a->flags ^= t;
b->flags ^= t;
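Review bot: BN_CONSTTIME_SWAP_FLAGS is #defined in the middle of the function body; move it above the function or into bn_lcl.h next to the BN_FLG_* definitions. The comment also says that observing BN_FLG_STATIC_DATA here "should be treated as fatal", yet nothing in the code checks for it; either add an assert or early return, or soften the comment to match the code.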

View File

@ -2,7 +2,7 @@ LIBS=../libcrypto
SOURCE[../libcrypto]=\
cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c cpt_err.c \
ebcdic.c uid.c o_time.c o_str.c o_dir.c o_fopen.c ctype.c \
threads_pthread.c threads_win.c threads_none.c \
threads_pthread.c threads_win.c threads_none.c getenv.c \
o_init.c o_fips.c mem_sec.c init.c {- $target{cpuid_asm_src} -} \
{- $target{uplink_aux_src} -}
EXTRA= ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \

View File

@ -10,6 +10,7 @@
/* Part of the code in here was originally in conf.c, which is now removed */
#include "e_os.h"
#include "internal/cryptlib.h"
#include <stdlib.h>
#include <string.h>
#include <openssl/conf.h>
@ -82,7 +83,7 @@ char *_CONF_get_string(const CONF *conf, const char *section,
if (v != NULL)
return v->value;
if (strcmp(section, "ENV") == 0) {
p = getenv(name);
p = ossl_safe_getenv(name);
if (p != NULL)
return p;
}
@ -95,7 +96,7 @@ char *_CONF_get_string(const CONF *conf, const char *section,
else
return NULL;
} else
return getenv(name);
return ossl_safe_getenv(name);
}
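Review bot: replacing getenv() with ossl_safe_getenv() changes what ${ENV::name} lookups return in set-uid/set-gid processes (the conf_mod.c hunk below drops its explicit OPENSSL_issetugid() guard in favour of the same helper), which deserves a CHANGES entry and a sentence in config(5) so that config authors know the ENV section is no longer honoured there.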
static unsigned long conf_value_hash(const CONF_VALUE *v)

View File

@ -480,11 +480,8 @@ char *CONF_get1_default_config_file(void)
char *file, *sep = "";
int len;
if (!OPENSSL_issetugid()) {
file = getenv("OPENSSL_CONF");
if (file)
return OPENSSL_strdup(file);
}
if ((file = ossl_safe_getenv("OPENSSL_CONF")) != NULL)
return OPENSSL_strdup(file);
len = strlen(X509_get_default_cert_area());
#ifndef OPENSSL_SYS_VMS

View File

@ -204,7 +204,7 @@ int OPENSSL_isservice(void)
if (_OPENSSL_isservice.p == NULL) {
HANDLE mod = GetModuleHandle(NULL);
FARPROC f;
FARPROC f = NULL;
if (mod != NULL)
f = GetProcAddress(mod, "_OPENSSL_isservice");

View File

@ -137,7 +137,7 @@ static int ctlog_new_from_conf(CTLOG **ct_log, const CONF *conf, const char *sec
int CTLOG_STORE_load_default_file(CTLOG_STORE *store)
{
const char *fpath = getenv(CTLOG_FILE_EVP);
const char *fpath = ossl_safe_getenv(CTLOG_FILE_EVP);
if (fpath == NULL)
fpath = CTLOG_FILE;

View File

@ -327,6 +327,12 @@ int dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
if (mctx == NULL)
goto err;
/* make sure L > N, otherwise we'll get trapped in an infinite loop */
if (L <= N) {
DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_INVALID_PARAMETERS);
goto err;
}
if (evpmd == NULL) {
if (N == 160)
evpmd = EVP_sha1();
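Review bot: the new `L <= N` check sits after the mctx allocation; move it to the top of the function, before any allocation, so invalid parameters are rejected without going through the err path, and mention in the error-code comment that the loop the check protects against is the prime search below.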

View File

@ -9,6 +9,7 @@
#include <stdio.h>
#include "internal/cryptlib.h"
#include "internal/bn_int.h"
#include <openssl/bn.h>
#include <openssl/sha.h>
#include "dsa_locl.h"
@ -23,6 +24,8 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
DSA_SIG *sig, DSA *dsa);
static int dsa_init(DSA *dsa);
static int dsa_finish(DSA *dsa);
static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
BN_CTX *ctx);
static DSA_METHOD openssl_dsa_meth = {
"OpenSSL DSA method",
@ -178,9 +181,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
{
BN_CTX *ctx = NULL;
BIGNUM *k, *kinv = NULL, *r = *rp;
BIGNUM *l, *m;
BIGNUM *l;
int ret = 0;
int q_bits;
int q_bits, q_words;
if (!dsa->p || !dsa->q || !dsa->g) {
DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
@ -189,8 +192,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
k = BN_new();
l = BN_new();
m = BN_new();
if (k == NULL || l == NULL || m == NULL)
if (k == NULL || l == NULL)
goto err;
if (ctx_in == NULL) {
@ -201,9 +203,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
/* Preallocate space */
q_bits = BN_num_bits(dsa->q);
if (!BN_set_bit(k, q_bits)
|| !BN_set_bit(l, q_bits)
|| !BN_set_bit(m, q_bits))
q_words = bn_get_top(dsa->q);
if (!bn_wexpand(k, q_words + 2)
|| !bn_wexpand(l, q_words + 2))
goto err;
/* Get random k */
@ -221,6 +223,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
} while (BN_is_zero(k));
BN_set_flags(k, BN_FLG_CONSTTIME);
BN_set_flags(l, BN_FLG_CONSTTIME);
if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
@ -238,14 +241,17 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
* small timing information leakage. We then choose the sum that is
* one bit longer than the modulus.
*
* TODO: revisit the BN_copy aiming for a memory access agnostic
* conditional copy.
* There are some concerns about the efficacy of doing this. More
* specificly refer to the discussion starting with:
* https://github.com/openssl/openssl/pull/7486#discussion_r228323705
* The fix is to rework BN so these gymnastics aren't required.
*/
if (!BN_add(l, k, dsa->q)
|| !BN_add(m, l, dsa->q)
|| !BN_copy(k, BN_num_bits(l) > q_bits ? l : m))
|| !BN_add(k, l, dsa->q))
goto err;
BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2);
if ((dsa)->meth->bn_mod_exp != NULL) {
if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx,
dsa->method_mont_p))
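Review bot: the added comment has a typo ("specificly") and points at a GitHub PR discussion instead of stating the concern, so the file is only understandable with network access; summarise the point in place. The logic itself reads correctly: l = k + q, k = k + 2q, and the swap selects l only when its bit q_bits is already set, so the value left in k has exactly q_bits + 1 bits either way, and the `q_words + 2` passed to BN_consttime_swap() matches the bn_wexpand() size above.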
@ -258,8 +264,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
if (!BN_mod(r, r, dsa->q, ctx))
goto err;
/* Compute part of 's = inv(k) (m + xr) mod q' */
if ((kinv = BN_mod_inverse(NULL, k, dsa->q, ctx)) == NULL)
/* Compute part of 's = inv(k) (m + xr) mod q' */
if ((kinv = dsa_mod_inverse_fermat(k, dsa->q, ctx)) == NULL)
goto err;
BN_clear_free(*kinvp);
@ -273,7 +279,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
BN_CTX_free(ctx);
BN_clear_free(k);
BN_clear_free(l);
BN_clear_free(m);
return ret;
}
@ -393,3 +398,31 @@ static int dsa_finish(DSA *dsa)
BN_MONT_CTX_free(dsa->method_mont_p);
return 1;
}
/*
* Compute the inverse of k modulo q.
* Since q is prime, Fermat's Little Theorem applies, which reduces this to
* mod-exp operation. Both the exponent and modulus are public information
* so a mod-exp that doesn't leak the base is sufficient. A newly allocated
* BIGNUM is returned which the caller must free.
*/
static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
BN_CTX *ctx)
{
BIGNUM *res = NULL;
BIGNUM *r, *e;
if ((r = BN_new()) == NULL)
return NULL;
BN_CTX_start(ctx);
if ((e = BN_CTX_get(ctx)) != NULL
&& BN_set_word(r, 2)
&& BN_sub(e, q, r)
&& BN_mod_exp_mont(r, k, e, q, ctx, NULL))
res = r;
else
BN_free(r);
BN_CTX_end(ctx);
return res;
}
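Review bot: dsa_mod_inverse_fermat() reaches the constant-time path of BN_mod_exp_mont() only because the caller flagged k with BN_FLG_CONSTTIME earlier in dsa_sign_setup(); the helper's comment promises "a mod-exp that doesn't leak the base" but nothing inside it guarantees that, so a future caller with an unflagged k silently gets the variable-time path. Set the flag on a local copy inside the helper (or at least document the precondition), and consider passing a cached Montgomery context for q instead of NULL so it is not recomputed for every signature.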

View File

@ -699,7 +699,7 @@ static int ecdh_cms_set_kdf_param(EVP_PKEY_CTX *pctx, int eckdf_nid)
if (EVP_PKEY_CTX_set_ecdh_cofactor_mode(pctx, cofactor) <= 0)
return 0;
if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, EVP_PKEY_ECDH_KDF_X9_62) <= 0)
if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, EVP_PKEY_ECDH_KDF_X9_63) <= 0)
return 0;
kdf_md = EVP_get_digestbynid(kdfmd_nid);
@ -864,7 +864,7 @@ static int ecdh_cms_encrypt(CMS_RecipientInfo *ri)
ecdh_nid = NID_dh_cofactor_kdf;
if (kdf_type == EVP_PKEY_ECDH_KDF_NONE) {
kdf_type = EVP_PKEY_ECDH_KDF_X9_62;
kdf_type = EVP_PKEY_ECDH_KDF_X9_63;
if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, kdf_type) <= 0)
goto err;
} else

View File

@ -206,8 +206,8 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r,
*/
cardinality_bits = BN_num_bits(cardinality);
group_top = bn_get_top(cardinality);
if ((bn_wexpand(k, group_top + 1) == NULL)
|| (bn_wexpand(lambda, group_top + 1) == NULL)) {
if ((bn_wexpand(k, group_top + 2) == NULL)
|| (bn_wexpand(lambda, group_top + 2) == NULL)) {
ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB);
goto err;
}
@ -244,7 +244,7 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r,
* k := scalar + 2*cardinality
*/
kbit = BN_is_bit_set(lambda, cardinality_bits);
BN_consttime_swap(kbit, k, lambda, group_top + 1);
BN_consttime_swap(kbit, k, lambda, group_top + 2);
group_top = bn_get_top(group->field);
if ((bn_wexpand(s->X, group_top) == NULL)
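Review bot: the word count `group_top + 2` now appears in both bn_wexpand() calls and again in BN_consttime_swap(), and they evidently had to change in lockstep; bind it once to a local so the expand and swap sizes cannot drift apart, and add a short comment on why two extra words are needed beyond the cardinality so the next reader does not revert it to + 1.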

View File

@ -209,7 +209,7 @@ static int pkey_ec_kdf_derive(EVP_PKEY_CTX *ctx,
if (!pkey_ec_derive(ctx, ktmp, &ktmplen))
goto err;
/* Do KDF stuff */
if (!ECDH_KDF_X9_62(key, *keylen, ktmp, ktmplen,
if (!ecdh_KDF_X9_63(key, *keylen, ktmp, ktmplen,
dctx->kdf_ukm, dctx->kdf_ukmlen, dctx->kdf_md))
goto err;
rv = 1;
@ -281,7 +281,7 @@ static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
case EVP_PKEY_CTRL_EC_KDF_TYPE:
if (p1 == -2)
return dctx->kdf_type;
if (p1 != EVP_PKEY_ECDH_KDF_NONE && p1 != EVP_PKEY_ECDH_KDF_X9_62)
if (p1 != EVP_PKEY_ECDH_KDF_NONE && p1 != EVP_PKEY_ECDH_KDF_X9_63)
return -2;
dctx->kdf_type = p1;
return 1;

View File

@ -1,5 +1,5 @@
/*
* Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -10,12 +10,13 @@
#include <string.h>
#include <openssl/ec.h>
#include <openssl/evp.h>
#include "ec_lcl.h"
/* Key derivation function from X9.62/SECG */
/* Key derivation function from X9.63/SECG */
/* Way more than we will ever need */
#define ECDH_KDF_MAX (1 << 30)
int ECDH_KDF_X9_62(unsigned char *out, size_t outlen,
int ecdh_KDF_X9_63(unsigned char *out, size_t outlen,
const unsigned char *Z, size_t Zlen,
const unsigned char *sinfo, size_t sinfolen,
const EVP_MD *md)
@ -66,3 +67,15 @@ int ECDH_KDF_X9_62(unsigned char *out, size_t outlen,
EVP_MD_CTX_free(mctx);
return rv;
}
/*-
* The old name for ecdh_KDF_X9_63
* Retained for ABI compatibility
*/
int ECDH_KDF_X9_62(unsigned char *out, size_t outlen,
const unsigned char *Z, size_t Zlen,
const unsigned char *sinfo, size_t sinfolen,
const EVP_MD *md)
{
return ecdh_KDF_X9_63(out, outlen, Z, Zlen, sinfo, sinfolen, md);
}
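Review bot: ecdh_KDF_X9_63() is declared via ec_lcl.h, i.e. it is library-internal, while the CHANGES entry in this same commit advertises it together with EVP_PKEY_ECDH_KDF_X9_63 as a replacement for ECDH_KDF_X9_62(); applications cannot call it. Either export a public name or reword CHANGES so that only the EVP_PKEY_ECDH_KDF_X9_63 constant is presented as the public replacement. The compatibility wrapper itself is fine.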

View File

@ -28,6 +28,13 @@
# define CHECK_BSD_STYLE_MACROS
#endif
/*
* ONE global file descriptor for all sessions. This allows operations
* such as digest session data copying (see digest_copy()), but is also
* saner... why re-open /dev/crypto for every session?
*/
static int cfd;
/******************************************************************************
*
* Ciphers
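Review bot: `static int cfd;` is zero-initialised and 0 is a valid descriptor, so until whatever code opens /dev/crypto runs (not in this diff) every ioctl() below is issued against fd 0; initialise it to -1 and have cipher_init() and prepare_cipher_methods() bail out when cfd < 0.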
@ -39,7 +46,6 @@
*****/
struct cipher_ctx {
int cfd;
struct session_op sess;
/* to pass from init to do_cipher */
@ -69,7 +75,7 @@ static const struct cipher_data_st {
{ NID_aes_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC },
{ NID_aes_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC },
#ifndef OPENSSL_NO_RC4
{ NID_rc4, 1, 16, 0, CRYPTO_ARC4 },
{ NID_rc4, 1, 16, 0, EVP_CIPH_STREAM_CIPHER, CRYPTO_ARC4 },
#endif
#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_CTR)
{ NID_aes_128_ctr, 16, 128 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR },
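Review bot: the old RC4 entry had five initialisers for a six-field struct, so CRYPTO_ARC4 landed in the flags slot and devcryptoid was left 0; this is a functional fix (RC4 sessions were being requested with cipher id 0), not a cosmetic one, and deserves a line in the commit message plus a test that exercises RC4 through the engine.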
@ -135,19 +141,13 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const struct cipher_data_st *cipher_d =
get_cipher_data(EVP_CIPHER_CTX_nid(ctx));
if ((cipher_ctx->cfd = open("/dev/crypto", O_RDWR, 0)) < 0) {
SYSerr(SYS_F_OPEN, errno);
return 0;
}
memset(&cipher_ctx->sess, 0, sizeof(cipher_ctx->sess));
cipher_ctx->sess.cipher = cipher_d->devcryptoid;
cipher_ctx->sess.keylen = cipher_d->keylen;
cipher_ctx->sess.key = (void *)key;
cipher_ctx->op = enc ? COP_ENCRYPT : COP_DECRYPT;
if (ioctl(cipher_ctx->cfd, CIOCGSESSION, &cipher_ctx->sess) < 0) {
if (ioctl(cfd, CIOCGSESSION, &cipher_ctx->sess) < 0) {
SYSerr(SYS_F_IOCTL, errno);
close(cipher_ctx->cfd);
return 0;
}
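Review bot: cipher_init() never frees a session it already holds, so re-initialising the same EVP_CIPHER_CTX with a new key (EVP_CipherInit_ex without an intervening reset) overwrites `sess` and leaks the previous kernel session on the shared descriptor until the process exits; with one global descriptor those leaked sessions now accumulate process-wide instead of dying with the per-context fd that the old code closed. Issue CIOCFSESSION on the old `sess.ses` before calling CIOCGSESSION when a session is already set, and zero `sess.ses` when none is held.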
@ -186,7 +186,7 @@ static int cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
cryp.flags = COP_FLAG_WRITE_IV;
#endif
if (ioctl(cipher_ctx->cfd, CIOCCRYPT, &cryp) < 0) {
if (ioctl(cfd, CIOCCRYPT, &cryp) < 0) {
SYSerr(SYS_F_IOCTL, errno);
return 0;
}
@ -212,14 +212,10 @@ static int cipher_cleanup(EVP_CIPHER_CTX *ctx)
struct cipher_ctx *cipher_ctx =
(struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
if (ioctl(cipher_ctx->cfd, CIOCFSESSION, &cipher_ctx->sess) < 0) {
if (ioctl(cfd, CIOCFSESSION, &cipher_ctx->sess.ses) < 0) {
SYSerr(SYS_F_IOCTL, errno);
return 0;
}
if (close(cipher_ctx->cfd) < 0) {
SYSerr(SYS_F_CLOSE, errno);
return 0;
}
return 1;
}
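Review bot: CIOCFSESSION takes a pointer to the 32-bit session id, so passing `&cipher_ctx->sess.ses` instead of the whole `session_op` struct corrects what was an argument-type mismatch in the old code; after the ioctl succeeds, also set `cipher_ctx->sess.ses = 0` so a second cleanup (or a later init that checks for an existing session) cannot free an id the kernel may already have handed to another context on the same shared descriptor.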
@ -233,14 +229,10 @@ static int known_cipher_nids[OSSL_NELEM(cipher_data)];
static int known_cipher_nids_amount = -1; /* -1 indicates not yet initialised */
static EVP_CIPHER *known_cipher_methods[OSSL_NELEM(cipher_data)] = { NULL, };
static void prepare_cipher_methods()
static void prepare_cipher_methods(void)
{
size_t i;
struct session_op sess;
int cfd;
if ((cfd = open("/dev/crypto", O_RDWR, 0)) < 0)
return;
memset(&sess, 0, sizeof(sess));
sess.key = (void *)"01234567890123456789012345678901234567890123456789";
@ -255,7 +247,7 @@ static void prepare_cipher_methods()
sess.cipher = cipher_data[i].devcryptoid;
sess.keylen = cipher_data[i].keylen;
if (ioctl(cfd, CIOCGSESSION, &sess) < 0
|| ioctl(cfd, CIOCFSESSION, &sess) < 0)
|| ioctl(cfd, CIOCFSESSION, &sess.ses) < 0)
continue;
if ((known_cipher_methods[i] =
@ -281,8 +273,6 @@ static void prepare_cipher_methods()
cipher_data[i].nid;
}
}
close(cfd);
}
static const EVP_CIPHER *get_cipher_method(int nid)
@ -308,7 +298,7 @@ static void destroy_cipher_method(int nid)
known_cipher_methods[i] = NULL;
}
static void destroy_all_cipher_methods()
static void destroy_all_cipher_methods(void)
{
size_t i;
@ -329,11 +319,12 @@ static int devcrypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
/*
* We only support digests if the cryptodev implementation supports multiple
* data updates. Otherwise, we would be forced to maintain a cache, which is
* perilous if there's a lot of data coming in (if someone wants to checksum
* an OpenSSL tarball, for example).
* data updates and session copying. Otherwise, we would be forced to maintain
* a cache, which is perilous if there's a lot of data coming in (if someone
* wants to checksum an OpenSSL tarball, for example).
*/
#if defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL)
#if defined(CIOCCPHASH) && defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL)
#define IMPLEMENT_DIGEST
/******************************************************************************
*
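Review bot: gating IMPLEMENT_DIGEST on the CIOCCPHASH macro is a compile-time decision about a runtime capability: a binary built against headers that define CIOCCPHASH but run on a kernel whose cryptodev module does not implement it will register the digests and then fail only inside digest_copy(), which for TLS means failing mid-handshake when the transcript hash is duplicated. prepare_digest_methods() already probes CIOCGSESSION/CIOCFSESSION per algorithm; extend that probe to attempt a CIOCCPHASH between two scratch sessions and skip digest registration when the ioctl is rejected.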
@ -346,7 +337,6 @@ static int devcrypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
*****/
struct digest_ctx {
int cfd;
struct session_op sess;
int init;
};
@ -413,19 +403,12 @@ static int digest_init(EVP_MD_CTX *ctx)
const struct digest_data_st *digest_d =
get_digest_data(EVP_MD_CTX_type(ctx));
if (digest_ctx->init == 0
&& (digest_ctx->cfd = open("/dev/crypto", O_RDWR, 0)) < 0) {
SYSerr(SYS_F_OPEN, errno);
return 0;
}
digest_ctx->init = 1;
memset(&digest_ctx->sess, 0, sizeof(digest_ctx->sess));
digest_ctx->sess.mac = digest_d->devcryptoid;
if (ioctl(digest_ctx->cfd, CIOCGSESSION, &digest_ctx->sess) < 0) {
if (ioctl(cfd, CIOCGSESSION, &digest_ctx->sess) < 0) {
SYSerr(SYS_F_IOCTL, errno);
close(digest_ctx->cfd);
return 0;
}
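Review bot: `digest_ctx->init = 1` is now set before CIOCGSESSION, so when the ioctl fails the context is left with init == 1 and no session; digest_copy() only checks `init != 1`, so it would later pass that check and copy from a stale or zero session id. Set init only after the session is obtained, and, as with cipher_init(), free any session the context already holds before creating a new one, otherwise re-initialising a digest context leaks a kernel session on the shared descriptor.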
@ -444,7 +427,7 @@ static int digest_op(struct digest_ctx *ctx, const void *src, size_t srclen,
cryp.dst = NULL;
cryp.mac = res;
cryp.flags = flags;
return ioctl(ctx->cfd, CIOCCRYPT, &cryp);
return ioctl(cfd, CIOCCRYPT, &cryp);
}
static int digest_update(EVP_MD_CTX *ctx, const void *data, size_t count)
@ -472,7 +455,7 @@ static int digest_final(EVP_MD_CTX *ctx, unsigned char *md)
SYSerr(SYS_F_IOCTL, errno);
return 0;
}
if (ioctl(digest_ctx->cfd, CIOCFSESSION, &digest_ctx->sess) < 0) {
if (ioctl(cfd, CIOCFSESSION, &digest_ctx->sess.ses) < 0) {
SYSerr(SYS_F_IOCTL, errno);
return 0;
}
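Review bot: after CIOCFSESSION here the context still carries init == 1 and the freed session id in `sess.ses`, so an EVP_MD_CTX_copy from a finalised context passes the check in digest_copy() and asks the kernel to copy from an id that may since have been reused by another context. Clear `init` and `sess.ses` after the free so such a copy fails with a clear error instead.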
@ -480,16 +463,38 @@ static int digest_final(EVP_MD_CTX *ctx, unsigned char *md)
return 1;
}
static int digest_cleanup(EVP_MD_CTX *ctx)
static int digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from)
{
struct digest_ctx *digest_ctx =
(struct digest_ctx *)EVP_MD_CTX_md_data(ctx);
struct digest_ctx *digest_from =
(struct digest_ctx *)EVP_MD_CTX_md_data(from);
struct digest_ctx *digest_to =
(struct digest_ctx *)EVP_MD_CTX_md_data(to);
struct cphash_op cphash;
if (close(digest_ctx->cfd) < 0) {
SYSerr(SYS_F_CLOSE, errno);
if (digest_from == NULL)
return 1;
if (digest_from->init != 1) {
SYSerr(SYS_F_IOCTL, EINVAL);
return 0;
}
if (!digest_init(to)) {
SYSerr(SYS_F_IOCTL, errno);
return 0;
}
cphash.src_ses = digest_from->sess.ses;
cphash.dst_ses = digest_to->sess.ses;
if (ioctl(cfd, CIOCCPHASH, &cphash) < 0) {
SYSerr(SYS_F_IOCTL, errno);
return 0;
}
return 1;
}
static int digest_cleanup(EVP_MD_CTX *ctx)
{
return 1;
}
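Review bot: when CIOCCPHASH fails, the session that digest_init(to) just created is never released, so every failed copy leaks one kernel session; free `digest_to->sess.ses` on that path. Two smaller points: `SYSerr(SYS_F_IOCTL, EINVAL)` for the `init != 1` check labels a local argument check as an ioctl failure, and the `!digest_init(to)` branch raises a second error with whatever errno happens to hold, even though digest_init() has already reported the real cause, so the second SYSerr can be dropped.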
@ -502,14 +507,10 @@ static int known_digest_nids[OSSL_NELEM(digest_data)];
static int known_digest_nids_amount = -1; /* -1 indicates not yet initialised */
static EVP_MD *known_digest_methods[OSSL_NELEM(digest_data)] = { NULL, };
static void prepare_digest_methods()
static void prepare_digest_methods(void)
{
size_t i;
struct session_op sess;
int cfd;
if ((cfd = open("/dev/crypto", O_RDWR, 0)) < 0)
return;
memset(&sess, 0, sizeof(sess));
@ -522,7 +523,7 @@ static void prepare_digest_methods()
*/
sess.mac = digest_data[i].devcryptoid;
if (ioctl(cfd, CIOCGSESSION, &sess) < 0
|| ioctl(cfd, CIOCFSESSION, &sess) < 0)
|| ioctl(cfd, CIOCFSESSION, &sess.ses) < 0)
continue;
if ((known_digest_methods[i] = EVP_MD_meth_new(digest_data[i].nid,
@ -532,6 +533,7 @@ static void prepare_digest_methods()
|| !EVP_MD_meth_set_init(known_digest_methods[i], digest_init)
|| !EVP_MD_meth_set_update(known_digest_methods[i], digest_update)
|| !EVP_MD_meth_set_final(known_digest_methods[i], digest_final)
|| !EVP_MD_meth_set_copy(known_digest_methods[i], digest_copy)
|| !EVP_MD_meth_set_cleanup(known_digest_methods[i], digest_cleanup)
|| !EVP_MD_meth_set_app_datasize(known_digest_methods[i],
sizeof(struct digest_ctx))) {
@ -541,8 +543,6 @@ static void prepare_digest_methods()
known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid;
}
}
close(cfd);
}
static const EVP_MD *get_digest_method(int nid)
@ -568,7 +568,7 @@ static void destroy_digest_method(int nid)
known_digest_methods[i] = NULL;
}
static void destroy_all_digest_methods()
static void destroy_all_digest_methods(void)
{
size_t i;
@ -598,9 +598,12 @@ static int devcrypto_digests(ENGINE *e, const EVP_MD **digest,
static int devcrypto_unload(ENGINE *e)
{
destroy_all_cipher_methods();
#if defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL)
#ifdef IMPLEMENT_DIGEST
destroy_all_digest_methods();
#endif
close(cfd);
return 1;
}
/*
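Review bot: `close(cfd)` here should be followed by `cfd = -1`, and the return value of close() goes unchecked. More importantly, any EVP_CIPHER_CTX or EVP_MD_CTX still alive at unload time now holds a session id on a descriptor that no longer exists; previously each context owned its own fd and survived engine destruction. Subsequent ioctls from such a context get EBADF at best, or are sent to whatever file later reuses that descriptor number, so the unload path should at least document that all devcrypto-backed contexts must be freed first.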
@ -611,23 +614,30 @@ void engine_load_devcrypto_int()
{
ENGINE *e = NULL;
if (access("/dev/crypto", R_OK | W_OK) < 0) {
fprintf(stderr,
"/dev/crypto not present, not enabling devcrypto engine\n");
if ((cfd = open("/dev/crypto", O_RDWR, 0)) < 0) {
fprintf(stderr, "Could not open /dev/crypto: %s\n", strerror(errno));
return;
}
prepare_cipher_methods();
#if defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL)
#ifdef IMPLEMENT_DIGEST
prepare_digest_methods();
#endif
if ((e = ENGINE_new()) == NULL)
if ((e = ENGINE_new()) == NULL
|| !ENGINE_set_destroy_function(e, devcrypto_unload)) {
ENGINE_free(e);
/*
* We know that devcrypto_unload() won't be called when one of the
* above two calls have failed, so we close cfd explicitly here to
* avoid leaking resources.
*/
close(cfd);
return;
}
if (!ENGINE_set_id(e, "devcrypto")
|| !ENGINE_set_name(e, "/dev/crypto engine")
|| !ENGINE_set_destroy_function(e, devcrypto_unload)
/*
* Asymmetric ciphers aren't well supported with /dev/crypto. Among the BSD
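Review bot: open the device with `O_RDWR | O_CLOEXEC` so the shared descriptor (and every session created on it) does not leak into programs the process later execs; the old per-context descriptors had the same problem but were short-lived. The new fprintf to stderr also fires on EACCES, so every unprivileged process that loads the engine now prints a diagnostic where the previous access() check was quiet about permission; library code should route this through the ERR queue or stay silent. The comment block above reads "one of the above two calls have failed", which should be "has failed".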
@ -664,7 +674,7 @@ void engine_load_devcrypto_int()
# endif
#endif
|| !ENGINE_set_ciphers(e, devcrypto_ciphers)
#if defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL)
#ifdef IMPLEMENT_DIGEST
|| !ENGINE_set_digests(e, devcrypto_digests)
#endif
) {

View File

@ -317,8 +317,7 @@ ENGINE *ENGINE_by_id(const char *id)
* Prevent infinite recursion if we're looking for the dynamic engine.
*/
if (strcmp(id, "dynamic")) {
if (OPENSSL_issetugid()
|| (load_dir = getenv("OPENSSL_ENGINES")) == NULL)
if ((load_dir = ossl_safe_getenv("OPENSSL_ENGINES")) == NULL)
load_dir = ENGINESDIR;
iterator = ENGINE_by_id("dynamic");
if (!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||

View File

@ -1014,6 +1014,7 @@ RAND_F_RAND_POOL_ACQUIRE_ENTROPY:122:rand_pool_acquire_entropy
RAND_F_RAND_POOL_ADD:103:rand_pool_add
RAND_F_RAND_POOL_ADD_BEGIN:113:rand_pool_add_begin
RAND_F_RAND_POOL_ADD_END:114:rand_pool_add_end
RAND_F_RAND_POOL_ATTACH:124:rand_pool_attach
RAND_F_RAND_POOL_BYTES_NEEDED:115:rand_pool_bytes_needed
RAND_F_RAND_POOL_NEW:116:rand_pool_new
RAND_F_RAND_WRITE_FILE:112:RAND_write_file

View File

@ -2241,7 +2241,7 @@ static int s390x_aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
if (!cctx->aes.ccm.len_set) {
/*-
* In case message length was not previously set explicitely via
* In case message length was not previously set explicitly via
* Update(), set it now.
*/
ivec = EVP_CIPHER_CTX_iv_noconst(ctx);

View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -92,7 +92,8 @@ static int rc2_meth_to_magic(EVP_CIPHER_CTX *e)
{
int i;
EVP_CIPHER_CTX_ctrl(e, EVP_CTRL_GET_RC2_KEY_BITS, 0, &i);
if (EVP_CIPHER_CTX_ctrl(e, EVP_CTRL_GET_RC2_KEY_BITS, 0, &i) <= 0)
return 0;
if (i == 128)
return RC2_128_MAGIC;
else if (i == 64)
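Review bot: rc2_meth_to_magic() now returns 0 when the key-bits ctrl fails, which is only a fix if every caller treats 0 as an error rather than encoding it as the RC2 parameter; the caller in rc2_set_asn1_type_and_iv() is not in this diff, so confirm it returns -1 on a 0 magic value. A short comment on the function stating that 0 means failure would make that contract visible at the call sites.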
@ -136,8 +137,9 @@ static int rc2_get_asn1_type_and_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
return -1;
if (i > 0 && !EVP_CipherInit_ex(c, NULL, NULL, NULL, iv, -1))
return -1;
EVP_CIPHER_CTX_ctrl(c, EVP_CTRL_SET_RC2_KEY_BITS, key_bits, NULL);
if (EVP_CIPHER_CTX_set_key_length(c, key_bits / 8) <= 0)
if (EVP_CIPHER_CTX_ctrl(c, EVP_CTRL_SET_RC2_KEY_BITS, key_bits,
NULL) <= 0
|| EVP_CIPHER_CTX_set_key_length(c, key_bits / 8) <= 0)
return -1;
}
return i;

View File

@ -837,21 +837,21 @@ void EVP_PKEY_meth_get_ctrl(const EVP_PKEY_METHOD *pmeth,
void EVP_PKEY_meth_get_check(const EVP_PKEY_METHOD *pmeth,
int (**pcheck) (EVP_PKEY *pkey))
{
if (*pcheck)
if (pcheck != NULL)
*pcheck = pmeth->check;
}
void EVP_PKEY_meth_get_public_check(const EVP_PKEY_METHOD *pmeth,
int (**pcheck) (EVP_PKEY *pkey))
{
if (*pcheck)
if (pcheck != NULL)
*pcheck = pmeth->public_check;
}
void EVP_PKEY_meth_get_param_check(const EVP_PKEY_METHOD *pmeth,
int (**pcheck) (EVP_PKEY *pkey))
{
if (*pcheck)
if (pcheck != NULL)
*pcheck = pmeth->param_check;
}
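Review bot: the old `if (*pcheck)` dereferenced the caller's output pointer and assigned only when it already held a non-NULL value, so a caller that initialised its function pointer to NULL (the natural thing to do) never received the method's check callback, and a NULL `pcheck` crashed. The new `pcheck != NULL` test is the intended behaviour; the same pattern is worth grepping for in the remaining EVP_PKEY_meth_get_* accessors, which are not in this hunk.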

View File

@ -0,0 +1,31 @@
/*
* Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#ifndef _GNU_SOURCE
# define _GNU_SOURCE
#endif
#include <stdlib.h>
#include "internal/cryptlib.h"
char *ossl_safe_getenv(const char *name)
{
#if defined(__GLIBC__) && defined(__GLIBC_PREREQ)
# if __GLIBC_PREREQ(2, 17)
# define SECURE_GETENV
return secure_getenv(name);
# endif
#endif
#ifndef SECURE_GETENV
if (OPENSSL_issetugid())
return NULL;
return getenv(name);
#endif
}
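Review bot: the fallback path depends on OPENSSL_issetugid(), which on platforms without a native issetugid() only compares real and effective uid/gid, so a process made privileged through file capabilities or a similar AT_SECURE mechanism still reads the environment; glibc's secure_getenv() covers that case, and a comment here should say the fallback is weaker. `_GNU_SOURCE` is correctly defined before <stdlib.h>, but that ordering is load-bearing (it must precede every system header), so it deserves a comment as well. Defining SECURE_GETENV inside the function body works but is unusual; hoisting the feature test above the function would read more clearly.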

View File

@ -41,5 +41,13 @@
__owur int ec_group_do_inverse_ord(const EC_GROUP *group, BIGNUM *res,
const BIGNUM *x, BN_CTX *ctx);
/*-
* ECDH Key Derivation Function as defined in ANSI X9.63
*/
int ecdh_KDF_X9_63(unsigned char *out, size_t outlen,
const unsigned char *Z, size_t Zlen,
const unsigned char *sinfo, size_t sinfolen,
const EVP_MD *md);
# endif /* OPENSSL_NO_EC */
#endif

View File

@ -45,18 +45,21 @@ size_t rand_drbg_get_nonce(RAND_DRBG *drbg,
void rand_drbg_cleanup_nonce(RAND_DRBG *drbg,
unsigned char *out, size_t outlen);
size_t rand_drbg_get_additional_data(unsigned char **pout, size_t max_len);
size_t rand_drbg_get_additional_data(RAND_POOL *pool, unsigned char **pout);
void rand_drbg_cleanup_additional_data(unsigned char *out, size_t outlen);
void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out);
/*
* RAND_POOL functions
*/
RAND_POOL *rand_pool_new(int entropy_requested, size_t min_len, size_t max_len);
RAND_POOL *rand_pool_attach(const unsigned char *buffer, size_t len,
size_t entropy);
void rand_pool_free(RAND_POOL *pool);
const unsigned char *rand_pool_buffer(RAND_POOL *pool);
unsigned char *rand_pool_detach(RAND_POOL *pool);
void rand_pool_reattach(RAND_POOL *pool, unsigned char *buffer);
size_t rand_pool_entropy(RAND_POOL *pool);
size_t rand_pool_length(RAND_POOL *pool);
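Review bot: rand_pool_attach() takes a `const unsigned char *buffer` owned by the caller, yet rand_pool_free() and rand_pool_detach() exist for pools that own their storage; the header should state that an attached pool must never cleanse or free the buffer, and the pool needs a flag recording attached versus owned so rand_pool_free() can tell the two apart. rand_drbg_restart() in this same patch relies on that distinction when it attaches the RAND_add() caller's buffer and then calls rand_pool_free() on the pool.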

View File

@ -175,6 +175,18 @@ static int pkey_hkdf_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
return -2;
}
static int pkey_hkdf_derive_init(EVP_PKEY_CTX *ctx)
{
HKDF_PKEY_CTX *kctx = ctx->data;
OPENSSL_clear_free(kctx->key, kctx->key_len);
OPENSSL_clear_free(kctx->salt, kctx->salt_len);
OPENSSL_cleanse(kctx->info, kctx->info_len);
memset(kctx, 0, sizeof(*kctx));
return 1;
}
static int pkey_hkdf_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
size_t *keylen)
{
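Review bot: pkey_hkdf_derive_init() discards any key, salt, info and mode previously set on the context, so the EVP_PKEY_CTX_set1_hkdf_* ctrls must be issued after EVP_PKEY_derive_init(); that is the documented order, but a comment on this function should say so, since a context reused for a second derivation now silently loses its parameters. Cleansing key and salt before the memset is the right way to avoid leaving key material in freed memory; the OPENSSL_cleanse on `info` assumes it is an inline array rather than a heap pointer, which matches how `info_len` is used above.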
@ -236,7 +248,7 @@ const EVP_PKEY_METHOD hkdf_pkey_meth = {
0, 0,
0,
pkey_hkdf_derive_init,
pkey_hkdf_derive,
pkey_hkdf_ctrl,
pkey_hkdf_ctrl_str

View File

@ -20,12 +20,8 @@
#include <string.h>
/* e_os.h includes unistd.h, which defines _POSIX_VERSION */
#if !defined(OPENSSL_NO_SECURE_MEMORY) && defined(OPENSSL_SYS_UNIX) \
&& ( (defined(_POSIX_VERSION) && _POSIX_VERSION >= 200112L) \
|| defined(__sun) || defined(__hpux) || defined(__sgi) \
|| defined(__osf__) )
# define IMPLEMENTED
/* e_os.h defines OPENSSL_SECURE_MEMORY if secure memory can be implemented */
#ifdef OPENSSL_SECURE_MEMORY
# include <stdlib.h>
# include <assert.h>
# include <unistd.h>
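Review bot: the platform test that used to live here (`_POSIX_VERSION >= 200112L || __sun || __hpux || __sgi || __osf__`) now has to be reproduced in e_os.h, which is not part of this diff; verify that the new OPENSSL_SECURE_MEMORY definition covers the same set, because the failure mode is silent: on a platform that drops out of the list CRYPTO_secure_malloc_init() simply returns 0 and CRYPTO_secure_malloc() degrades to CRYPTO_malloc(), so keys lose the mlock'd, guard-paged arena without any error at build or run time.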
@ -51,7 +47,7 @@
# define MAP_ANON MAP_ANONYMOUS
#endif
#ifdef IMPLEMENTED
#ifdef OPENSSL_SECURE_MEMORY
static size_t secure_mem_used;
static int secure_mem_initialized;
@ -71,7 +67,7 @@ static int sh_allocated(const char *ptr);
int CRYPTO_secure_malloc_init(size_t size, int minsize)
{
#ifdef IMPLEMENTED
#ifdef OPENSSL_SECURE_MEMORY
int ret = 0;
if (!secure_mem_initialized) {
@ -89,12 +85,12 @@ int CRYPTO_secure_malloc_init(size_t size, int minsize)
return ret;
#else
return 0;
#endif /* IMPLEMENTED */
#endif /* OPENSSL_SECURE_MEMORY */
}
int CRYPTO_secure_malloc_done(void)
{
#ifdef IMPLEMENTED
#ifdef OPENSSL_SECURE_MEMORY
if (secure_mem_used == 0) {
sh_done();
secure_mem_initialized = 0;
@ -102,22 +98,22 @@ int CRYPTO_secure_malloc_done(void)
sec_malloc_lock = NULL;
return 1;
}
#endif /* IMPLEMENTED */
#endif /* OPENSSL_SECURE_MEMORY */
return 0;
}
int CRYPTO_secure_malloc_initialized(void)
{
#ifdef IMPLEMENTED
#ifdef OPENSSL_SECURE_MEMORY
return secure_mem_initialized;
#else
return 0;
#endif /* IMPLEMENTED */
#endif /* OPENSSL_SECURE_MEMORY */
}
void *CRYPTO_secure_malloc(size_t num, const char *file, int line)
{
#ifdef IMPLEMENTED
#ifdef OPENSSL_SECURE_MEMORY
void *ret;
size_t actual_size;
@ -132,12 +128,12 @@ void *CRYPTO_secure_malloc(size_t num, const char *file, int line)
return ret;
#else
return CRYPTO_malloc(num, file, line);
#endif /* IMPLEMENTED */
#endif /* OPENSSL_SECURE_MEMORY */
}
void *CRYPTO_secure_zalloc(size_t num, const char *file, int line)
{
#ifdef IMPLEMENTED
#ifdef OPENSSL_SECURE_MEMORY
if (secure_mem_initialized)
/* CRYPTO_secure_malloc() zeroes allocations when it is implemented */
return CRYPTO_secure_malloc(num, file, line);
@ -147,7 +143,7 @@ void *CRYPTO_secure_zalloc(size_t num, const char *file, int line)
void CRYPTO_secure_free(void *ptr, const char *file, int line)
{
#ifdef IMPLEMENTED
#ifdef OPENSSL_SECURE_MEMORY
size_t actual_size;
if (ptr == NULL)
@ -164,13 +160,13 @@ void CRYPTO_secure_free(void *ptr, const char *file, int line)
CRYPTO_THREAD_unlock(sec_malloc_lock);
#else
CRYPTO_free(ptr, file, line);
#endif /* IMPLEMENTED */
#endif /* OPENSSL_SECURE_MEMORY */
}
void CRYPTO_secure_clear_free(void *ptr, size_t num,
const char *file, int line)
{
#ifdef IMPLEMENTED
#ifdef OPENSSL_SECURE_MEMORY
size_t actual_size;
if (ptr == NULL)
@ -191,12 +187,12 @@ void CRYPTO_secure_clear_free(void *ptr, size_t num,
return;
OPENSSL_cleanse(ptr, num);
CRYPTO_free(ptr, file, line);
#endif /* IMPLEMENTED */
#endif /* OPENSSL_SECURE_MEMORY */
}
int CRYPTO_secure_allocated(const void *ptr)
{
#ifdef IMPLEMENTED
#ifdef OPENSSL_SECURE_MEMORY
int ret;
if (!secure_mem_initialized)
@ -207,21 +203,21 @@ int CRYPTO_secure_allocated(const void *ptr)
return ret;
#else
return 0;
#endif /* IMPLEMENTED */
#endif /* OPENSSL_SECURE_MEMORY */
}
size_t CRYPTO_secure_used(void)
{
#ifdef IMPLEMENTED
#ifdef OPENSSL_SECURE_MEMORY
return secure_mem_used;
#else
return 0;
#endif /* IMPLEMENTED */
#endif /* OPENSSL_SECURE_MEMORY */
}
size_t CRYPTO_secure_actual_size(void *ptr)
{
#ifdef IMPLEMENTED
#ifdef OPENSSL_SECURE_MEMORY
size_t actual_size;
CRYPTO_THREAD_write_lock(sec_malloc_lock);
@ -239,7 +235,7 @@ size_t CRYPTO_secure_actual_size(void *ptr)
/*
* SECURE HEAP IMPLEMENTATION
*/
#ifdef IMPLEMENTED
#ifdef OPENSSL_SECURE_MEMORY
/*
@ -647,4 +643,4 @@ static size_t sh_actual_size(char *ptr)
OPENSSL_assert(sh_testbit(ptr, list, sh.bittable));
return sh.arena_size / (ONE << list);
}
#endif /* IMPLEMENTED */
#endif /* OPENSSL_SECURE_MEMORY */

View File

@ -25,14 +25,12 @@
# endif
# endif
#include "e_os.h"
#include "internal/cryptlib.h"
#if !defined(OPENSSL_NO_STDIO)
# include <stdio.h>
# ifdef _WIN32
# include <windows.h>
# endif
# ifdef __DJGPP__
# include <unistd.h>
# endif

View File

@ -7,13 +7,13 @@
* https://www.openssl.org/source/license.html
*/
# include <stdio.h>
# include "internal/cryptlib.h"
# include <openssl/crypto.h>
# include <openssl/hmac.h>
# include <openssl/rand.h>
# include <openssl/pkcs12.h>
# include "p12_lcl.h"
#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/crypto.h>
#include <openssl/hmac.h>
#include <openssl/rand.h>
#include <openssl/pkcs12.h>
#include "p12_lcl.h"
int PKCS12_mac_present(const PKCS12 *p12)
{
@ -44,7 +44,7 @@ void PKCS12_get0_mac(const ASN1_OCTET_STRING **pmac,
}
}
# define TK26_MAC_KEY_LEN 32
#define TK26_MAC_KEY_LEN 32
static int pkcs12_gen_gost_mac_key(const char *pass, int passlen,
const unsigned char *salt, int saltlen,
@ -112,7 +112,7 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
if ((md_type_nid == NID_id_GostR3411_94
|| md_type_nid == NID_id_GostR3411_2012_256
|| md_type_nid == NID_id_GostR3411_2012_512)
&& !getenv("LEGACY_GOST_PKCS12")) {
&& ossl_safe_getenv("LEGACY_GOST_PKCS12") == NULL) {
md_size = TK26_MAC_KEY_LEN;
if (!pkcs12_gen_gost_mac_key(pass, passlen, salt, saltlen, iter,
md_size, key, md_type)) {
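Review bot: switching this lookup to ossl_safe_getenv() correctly stops a setuid process from being steered onto the legacy GOST MAC key derivation by its environment, but the variable's value is still never inspected, so LEGACY_GOST_PKCS12=0 or an empty string selects the legacy path just like LEGACY_GOST_PKCS12=1; document that presence alone is the switch, or require a specific value.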

View File

@ -1,5 +1,5 @@
/*
* Copyright 2016-20018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy

View File

@ -402,10 +402,10 @@ int drbg_ctr_init(RAND_DRBG *drbg)
if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
/* df initialisation */
static const unsigned char df_key[32] = {
0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
};
if (ctr->ctx_df == NULL)
@ -417,9 +417,9 @@ int drbg_ctr_init(RAND_DRBG *drbg)
return 0;
drbg->min_entropylen = ctr->keylen;
drbg->max_entropylen = DRBG_MINMAX_FACTOR * drbg->min_entropylen;
drbg->max_entropylen = DRBG_MAX_LENGTH;
drbg->min_noncelen = drbg->min_entropylen / 2;
drbg->max_noncelen = DRBG_MINMAX_FACTOR * drbg->min_noncelen;
drbg->max_noncelen = DRBG_MAX_LENGTH;
drbg->max_perslen = DRBG_MAX_LENGTH;
drbg->max_adinlen = DRBG_MAX_LENGTH;
} else {
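Review bot: with a derivation function, max_entropylen and max_noncelen now jump from a small multiple of the minimum to DRBG_MAX_LENGTH (2 GiB); the `else` branch for RAND_DRBG_FLAG_CTR_NO_DF is outside this hunk and must keep the exact seedlen bound, because without a df the seed material is XORed straight into the key/V update and cannot be longer than seedlen. Also confirm that rand_pool_new() does not size its allocation from max_len, since a 2 GiB bound is only meaningful as a limit, not as a buffer size.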

View File

@ -82,6 +82,10 @@ static unsigned int slave_reseed_interval = SLAVE_RESEED_INTERVAL;
static time_t master_reseed_time_interval = MASTER_RESEED_TIME_INTERVAL;
static time_t slave_reseed_time_interval = SLAVE_RESEED_TIME_INTERVAL;
/* A logical OR of all used DRBG flag bits (currently there is only one) */
static const unsigned int rand_drbg_used_flags =
RAND_DRBG_FLAG_CTR_NO_DF;
static RAND_DRBG *drbg_setup(RAND_DRBG *parent);
static RAND_DRBG *rand_drbg_new(int secure,
@ -105,16 +109,27 @@ int RAND_DRBG_set(RAND_DRBG *drbg, int type, unsigned int flags)
flags = rand_drbg_flags;
}
/* If set is called multiple times - clear the old one */
if (drbg->type != 0 && (type != drbg->type || flags != drbg->flags)) {
drbg->meth->uninstantiate(drbg);
rand_pool_free(drbg->adin_pool);
drbg->adin_pool = NULL;
}
drbg->state = DRBG_UNINITIALISED;
drbg->flags = flags;
drbg->type = type;
switch (type) {
default:
drbg->type = 0;
drbg->flags = 0;
drbg->meth = NULL;
RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_UNSUPPORTED_DRBG_TYPE);
return 0;
case 0:
/* Uninitialized; that's okay. */
drbg->meth = NULL;
return 1;
case NID_aes_128_ctr:
case NID_aes_192_ctr:
@ -123,8 +138,10 @@ int RAND_DRBG_set(RAND_DRBG *drbg, int type, unsigned int flags)
break;
}
if (ret == 0)
if (ret == 0) {
drbg->state = DRBG_ERROR;
RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_ERROR_INITIALISING_DRBG);
}
return ret;
}
@ -147,7 +164,7 @@ int RAND_DRBG_set_defaults(int type, unsigned int flags)
break;
}
if ((flags & ~RAND_DRBG_USED_FLAGS) != 0) {
if ((flags & ~rand_drbg_used_flags) != 0) {
RANDerr(RAND_F_RAND_DRBG_SET_DEFAULTS, RAND_R_UNSUPPORTED_DRBG_FLAGS);
return 0;
}
@ -224,11 +241,8 @@ static RAND_DRBG *rand_drbg_new(int secure,
return drbg;
err:
if (drbg->secure)
OPENSSL_secure_free(drbg);
else
OPENSSL_free(drbg);
err:
RAND_DRBG_free(drbg);
return NULL;
}
@ -253,6 +267,7 @@ void RAND_DRBG_free(RAND_DRBG *drbg)
if (drbg->meth != NULL)
drbg->meth->uninstantiate(drbg);
rand_pool_free(drbg->adin_pool);
CRYPTO_THREAD_lock_free(drbg->lock);
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DRBG, drbg, &drbg->ex_data);
@ -312,11 +327,18 @@ int RAND_DRBG_instantiate(RAND_DRBG *drbg,
max_entropylen += drbg->max_noncelen;
}
drbg->reseed_next_counter = tsan_load(&drbg->reseed_prop_counter);
if (drbg->reseed_next_counter) {
drbg->reseed_next_counter++;
if(!drbg->reseed_next_counter)
drbg->reseed_next_counter = 1;
}
if (drbg->get_entropy != NULL)
entropylen = drbg->get_entropy(drbg, &entropy, min_entropy,
min_entropylen, max_entropylen, 0);
if (entropylen < min_entropylen
|| entropylen > max_entropylen) {
|| entropylen > max_entropylen) {
RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, RAND_R_ERROR_RETRIEVING_ENTROPY);
goto end;
}
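Review bot: the increment deliberately skips 0 on wraparound because 0 means "seed propagation disabled" (drbg_setup() stores 1 to enable it later in this patch), but that rule is only implied; add a one-line comment. Style: `if(!drbg->reseed_next_counter)` is missing the space after `if`, and the same block appears again verbatim in RAND_DRBG_reseed().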
@ -337,29 +359,15 @@ int RAND_DRBG_instantiate(RAND_DRBG *drbg,
}
drbg->state = DRBG_READY;
drbg->generate_counter = 0;
drbg->reseed_gen_counter = 1;
drbg->reseed_time = time(NULL);
if (drbg->reseed_counter > 0) {
if (drbg->parent == NULL)
drbg->reseed_counter++;
else
drbg->reseed_counter = drbg->parent->reseed_counter;
}
tsan_store(&drbg->reseed_prop_counter, drbg->reseed_next_counter);
end:
end:
if (entropy != NULL && drbg->cleanup_entropy != NULL)
drbg->cleanup_entropy(drbg, entropy, entropylen);
if (nonce != NULL && drbg->cleanup_nonce!= NULL )
if (nonce != NULL && drbg->cleanup_nonce != NULL)
drbg->cleanup_nonce(drbg, nonce, noncelen);
if (drbg->pool != NULL) {
if (drbg->state == DRBG_READY) {
RANDerr(RAND_F_RAND_DRBG_INSTANTIATE,
RAND_R_ERROR_ENTROPY_POOL_WAS_IGNORED);
drbg->state = DRBG_ERROR;
}
rand_pool_free(drbg->pool);
drbg->pool = NULL;
}
if (drbg->state == DRBG_READY)
return 1;
return 0;
@ -375,6 +383,7 @@ int RAND_DRBG_instantiate(RAND_DRBG *drbg,
int RAND_DRBG_uninstantiate(RAND_DRBG *drbg)
{
if (drbg->meth == NULL) {
drbg->state = DRBG_ERROR;
RANDerr(RAND_F_RAND_DRBG_UNINSTANTIATE,
RAND_R_NO_DRBG_IMPLEMENTATION_SELECTED);
return 0;
@ -419,13 +428,21 @@ int RAND_DRBG_reseed(RAND_DRBG *drbg,
}
drbg->state = DRBG_ERROR;
drbg->reseed_next_counter = tsan_load(&drbg->reseed_prop_counter);
if (drbg->reseed_next_counter) {
drbg->reseed_next_counter++;
if(!drbg->reseed_next_counter)
drbg->reseed_next_counter = 1;
}
if (drbg->get_entropy != NULL)
entropylen = drbg->get_entropy(drbg, &entropy, drbg->strength,
drbg->min_entropylen,
drbg->max_entropylen,
prediction_resistance);
if (entropylen < drbg->min_entropylen
|| entropylen > drbg->max_entropylen) {
|| entropylen > drbg->max_entropylen) {
RANDerr(RAND_F_RAND_DRBG_RESEED, RAND_R_ERROR_RETRIEVING_ENTROPY);
goto end;
}
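Review bot: this counter block is a verbatim copy of the one added to RAND_DRBG_instantiate(); factor it into a small static helper (for instance `rand_drbg_next_prop_counter(drbg)`) so the "skip zero" rule lives in one place, and note in the helper that the new value is only published via tsan_store when the reseed succeeds, which is why it is staged in reseed_next_counter first.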
@ -434,16 +451,11 @@ int RAND_DRBG_reseed(RAND_DRBG *drbg,
goto end;
drbg->state = DRBG_READY;
drbg->generate_counter = 0;
drbg->reseed_gen_counter = 1;
drbg->reseed_time = time(NULL);
if (drbg->reseed_counter > 0) {
if (drbg->parent == NULL)
drbg->reseed_counter++;
else
drbg->reseed_counter = drbg->parent->reseed_counter;
}
tsan_store(&drbg->reseed_prop_counter, drbg->reseed_next_counter);
end:
end:
if (entropy != NULL && drbg->cleanup_entropy != NULL)
drbg->cleanup_entropy(drbg, entropy, entropylen);
if (drbg->state == DRBG_READY)
@ -475,10 +487,12 @@ int rand_drbg_restart(RAND_DRBG *drbg,
const unsigned char *adin = NULL;
size_t adinlen = 0;
if (drbg->pool != NULL) {
if (drbg->seed_pool != NULL) {
RANDerr(RAND_F_RAND_DRBG_RESTART, ERR_R_INTERNAL_ERROR);
rand_pool_free(drbg->pool);
drbg->pool = NULL;
drbg->state = DRBG_ERROR;
rand_pool_free(drbg->seed_pool);
drbg->seed_pool = NULL;
return 0;
}
if (buffer != NULL) {
@ -486,24 +500,25 @@ int rand_drbg_restart(RAND_DRBG *drbg,
if (drbg->max_entropylen < len) {
RANDerr(RAND_F_RAND_DRBG_RESTART,
RAND_R_ENTROPY_INPUT_TOO_LONG);
drbg->state = DRBG_ERROR;
return 0;
}
if (entropy > 8 * len) {
RANDerr(RAND_F_RAND_DRBG_RESTART, RAND_R_ENTROPY_OUT_OF_RANGE);
drbg->state = DRBG_ERROR;
return 0;
}
/* will be picked up by the rand_drbg_get_entropy() callback */
drbg->pool = rand_pool_new(entropy, len, len);
if (drbg->pool == NULL)
drbg->seed_pool = rand_pool_attach(buffer, len, entropy);
if (drbg->seed_pool == NULL)
return 0;
rand_pool_add(drbg->pool, buffer, len, entropy);
} else {
if (drbg->max_adinlen < len) {
RANDerr(RAND_F_RAND_DRBG_RESTART,
RAND_R_ADDITIONAL_INPUT_TOO_LONG);
drbg->state = DRBG_ERROR;
return 0;
}
adin = buffer;
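Review bot: the DRBG is moved to DRBG_ERROR when the caller's buffer is too long or claims more entropy than it holds, which poisons the shared DRBG for the rest of the process because of one bad argument; since drbg_add() in this patch clamps both `randomness` and `num` before calling, these branches should be unreachable from RAND_add(), so either make them plain argument failures without changing state or comment that they guard internal misuse only. rand_pool_attach() also hands the caller's memory to the pool, so rand_pool_free() at the end of this function must not cleanse or free it.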
@ -543,14 +558,8 @@ int rand_drbg_restart(RAND_DRBG *drbg,
}
}
/* check whether a given entropy pool was cleared properly during reseed */
if (drbg->pool != NULL) {
drbg->state = DRBG_ERROR;
RANDerr(RAND_F_RAND_DRBG_RESTART, ERR_R_INTERNAL_ERROR);
rand_pool_free(drbg->pool);
drbg->pool = NULL;
return 0;
}
rand_pool_free(drbg->seed_pool);
drbg->seed_pool = NULL;
return drbg->state == DRBG_READY;
}
@ -600,7 +609,7 @@ int RAND_DRBG_generate(RAND_DRBG *drbg, unsigned char *out, size_t outlen,
}
if (drbg->reseed_interval > 0) {
if (drbg->generate_counter >= drbg->reseed_interval)
if (drbg->reseed_gen_counter >= drbg->reseed_interval)
reseed_required = 1;
}
if (drbg->reseed_time_interval > 0) {
@ -609,8 +618,11 @@ int RAND_DRBG_generate(RAND_DRBG *drbg, unsigned char *out, size_t outlen,
|| now - drbg->reseed_time >= drbg->reseed_time_interval)
reseed_required = 1;
}
if (drbg->reseed_counter > 0 && drbg->parent != NULL) {
if (drbg->reseed_counter != drbg->parent->reseed_counter)
if (drbg->parent != NULL) {
unsigned int reseed_counter = tsan_load(&drbg->reseed_prop_counter);
if (reseed_counter > 0
&& tsan_load(&drbg->parent->reseed_prop_counter)
!= reseed_counter)
reseed_required = 1;
}
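Review bot: the parent's reseed_prop_counter is read with tsan_load while holding only this child's lock, so a reseed on the parent can race this comparison; that is acceptable because a missed change is caught on the next generate and the actual reseed takes the parent lock, but the comment should say the comparison is a hint and not a synchronisation point, and that `reseed_counter > 0` is the "propagation enabled" test.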
@ -629,7 +641,7 @@ int RAND_DRBG_generate(RAND_DRBG *drbg, unsigned char *out, size_t outlen,
return 0;
}
drbg->generate_counter++;
drbg->reseed_gen_counter++;
return 1;
}
@ -647,9 +659,18 @@ int RAND_DRBG_bytes(RAND_DRBG *drbg, unsigned char *out, size_t outlen)
unsigned char *additional = NULL;
size_t additional_len;
size_t chunk;
size_t ret;
size_t ret = 0;
additional_len = rand_drbg_get_additional_data(&additional, drbg->max_adinlen);
if (drbg->adin_pool == NULL) {
if (drbg->type == 0)
goto err;
drbg->adin_pool = rand_pool_new(0, 0, drbg->max_adinlen);
if (drbg->adin_pool == NULL)
goto err;
}
additional_len = rand_drbg_get_additional_data(drbg->adin_pool,
&additional);
for ( ; outlen > 0; outlen -= chunk, out += chunk) {
chunk = outlen;
@ -661,9 +682,9 @@ int RAND_DRBG_bytes(RAND_DRBG *drbg, unsigned char *out, size_t outlen)
}
ret = 1;
err:
if (additional_len != 0)
OPENSSL_secure_clear_free(additional, additional_len);
err:
if (additional != NULL)
rand_drbg_cleanup_additional_data(drbg->adin_pool, additional);
return ret;
}
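Review bot: the `drbg->type == 0` and `adin_pool == NULL` branches jump to `err` without raising anything, so RAND_DRBG_bytes() returns 0 with an empty error queue; raise RAND_R_NO_DRBG_IMPLEMENTATION_SELECTED (used elsewhere in this patch) for the first and ERR_R_MALLOC_FAILURE for the second. Lazily creating adin_pool here also means RAND_DRBG_set() must free it when the type changes, which this patch does, but the ownership should be documented on the struct field.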
@ -682,7 +703,8 @@ int RAND_DRBG_set_callbacks(RAND_DRBG *drbg,
RAND_DRBG_get_nonce_fn get_nonce,
RAND_DRBG_cleanup_nonce_fn cleanup_nonce)
{
if (drbg->state != DRBG_UNINITIALISED)
if (drbg->state != DRBG_UNINITIALISED
|| drbg->parent != NULL)
return 0;
drbg->get_entropy = get_entropy;
drbg->cleanup_entropy = cleanup_entropy;
@ -859,7 +881,7 @@ static RAND_DRBG *drbg_setup(RAND_DRBG *parent)
goto err;
/* enable seed propagation */
drbg->reseed_counter = 1;
tsan_store(&drbg->reseed_prop_counter, 1);
/*
* Ignore instantiation error to support just-in-time instantiation.
@ -948,11 +970,49 @@ static int drbg_bytes(unsigned char *out, int count)
return ret;
}
/*
* Calculates the minimum length of a full entropy buffer
* which is necessary to seed (i.e. instantiate) the DRBG
* successfully.
*/
size_t rand_drbg_seedlen(RAND_DRBG *drbg)
{
/*
* If no os entropy source is available then RAND_seed(buffer, bufsize)
* is expected to succeed if and only if the buffer length satisfies
* the following requirements, which follow from the calculations
* in RAND_DRBG_instantiate().
*/
size_t min_entropy = drbg->strength;
size_t min_entropylen = drbg->min_entropylen;
/*
* Extra entropy for the random nonce in the absence of a
* get_nonce callback, see comment in RAND_DRBG_instantiate().
*/
if (drbg->min_noncelen > 0 && drbg->get_nonce == NULL) {
min_entropy += drbg->strength / 2;
min_entropylen += drbg->min_noncelen;
}
/*
* Convert entropy requirement from bits to bytes
* (dividing by 8 without rounding upwards, because
* all entropy requirements are divisible by 8).
*/
min_entropy >>= 3;
/* Return a value that satisfies both requirements */
return min_entropy > min_entropylen ? min_entropy : min_entropylen;
}
/* Implements the default OpenSSL RAND_add() method */
static int drbg_add(const void *buf, int num, double randomness)
{
int ret = 0;
RAND_DRBG *drbg = RAND_DRBG_get0_master();
size_t buflen;
size_t seedlen;
if (drbg == NULL)
return 0;
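Review bot: rand_drbg_seedlen() is non-static and is called from drbg_add(), but no prototype for it appears in the rand_lcl.h hunks in this patch; confirm it is declared there. The comment asserts that every entropy requirement is a multiple of 8 bits so that `>> 3` loses nothing; turn that into an assertion on `min_entropy % 8 == 0`, so a future strength value that breaks the assumption fails loudly rather than under-seeding.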
@ -960,20 +1020,49 @@ static int drbg_add(const void *buf, int num, double randomness)
if (num < 0 || randomness < 0.0)
return 0;
if (randomness > (double)drbg->max_entropylen) {
rand_drbg_lock(drbg);
seedlen = rand_drbg_seedlen(drbg);
buflen = (size_t)num;
if (buflen < seedlen || randomness < (double) seedlen) {
#if defined(OPENSSL_RAND_SEED_NONE)
/*
* If no os entropy source is available, a reseeding will fail
* inevitably. So we use a trick to mix the buffer contents into
* the DRBG state without forcing a reseeding: we generate a
* dummy random byte, using the buffer content as additional data.
* Note: This won't work with RAND_DRBG_FLAG_CTR_NO_DF.
*/
unsigned char dummy[1];
ret = RAND_DRBG_generate(drbg, dummy, sizeof(dummy), 0, buf, buflen);
rand_drbg_unlock(drbg);
return ret;
#else
/*
* If an os entropy source is avaible then we declare the buffer content
* as additional data by setting randomness to zero and trigger a regular
* reseeding.
*/
randomness = 0.0;
#endif
}
if (randomness > (double)seedlen) {
/*
* The purpose of this check is to bound |randomness| by a
* relatively small value in order to prevent an integer
* overflow when multiplying by 8 in the rand_drbg_restart()
* call below.
* call below. Note that randomness is measured in bytes,
* not bits, so this value corresponds to eight times the
* security strength.
*/
return 0;
randomness = (double)seedlen;
}
rand_drbg_lock(drbg);
ret = rand_drbg_restart(drbg, buf,
(size_t)(unsigned int)num,
(size_t)(8*randomness));
ret = rand_drbg_restart(drbg, buf, buflen, (size_t)(8 * randomness));
rand_drbg_unlock(drbg);
return ret;
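Review bot: the RAND_DRBG_FLAG_CTR_NO_DF limitation in the OPENSSL_RAND_SEED_NONE branch is stated only in the comment ("This won't work with RAND_DRBG_FLAG_CTR_NO_DF"); nothing tests the flag, so on such a build RAND_add() just returns the opaque failure of RAND_DRBG_generate(). Consider checking `drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF` before the generate call and raising a RANDerr, or say in the comment that the silent failure is intended. Separately, the reworded comment above `randomness = (double)seedlen;` ("corresponds to eight times the security strength") reads as if the cap were 8 * strength; from rand_drbg_seedlen() above, seedlen is a byte count of about strength/8 plus the nonce, so the cap is simply the seed length expressed in bits, and the comment should say that.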


@ -44,6 +44,7 @@ static const ERR_STRING_DATA RAND_str_functs[] = {
{ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_POOL_ADD_BEGIN, 0),
"rand_pool_add_begin"},
{ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_POOL_ADD_END, 0), "rand_pool_add_end"},
{ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_POOL_ATTACH, 0), "rand_pool_attach"},
{ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_POOL_BYTES_NEEDED, 0),
"rand_pool_bytes_needed"},
{ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_POOL_NEW, 0), "rand_pool_new"},


@ -16,6 +16,9 @@
# include <openssl/hmac.h>
# include <openssl/ec.h>
# include <openssl/rand_drbg.h>
# include "internal/tsan_assist.h"
# include "internal/numbers.h"
/* How many times to read the TSC as a randomness source. */
# define TSC_READ_COUNT 4
@ -32,18 +35,42 @@
/* Max size of additional input and personalization string. */
# define DRBG_MAX_LENGTH 4096
/*
* Maximum input size for the DRBG (entropy, nonce, personalization string)
*
* NIST SP800 90Ar1 allows a maximum of (1 << 35) bits i.e., (1 << 32) bytes.
*
* We lower it to 'only' INT32_MAX bytes, which is equivalent to 2 gigabytes.
*/
# define DRBG_MAX_LENGTH INT32_MAX
/*
* The quotient between max_{entropy,nonce}len and min_{entropy,nonce}len
* Maximum allocation size for RANDOM_POOL buffers
*
* The current factor is large enough that the RAND_POOL can store a
* random input which has a lousy entropy rate of 0.0625 bits per byte.
* This input will be sent through the derivation function which 'compresses'
* the low quality input into a high quality output.
* The max_len value for the buffer provided to the rand_drbg_get_entropy()
* callback is currently 2^31 bytes (2 gigabytes), if a derivation function
* is used. Since this is much too large to be allocated, the rand_pool_new()
* function chooses more modest values as default pool length, bounded
* by RAND_POOL_MIN_LENGTH and RAND_POOL_MAX_LENGTH
*
* The choice of the RAND_POOL_FACTOR is large enough such that the
* RAND_POOL can store a random input which has a lousy entropy rate of
* 8/256 (= 0.03125) bits per byte. This input will be sent through the
* derivation function which 'compresses' the low quality input into a
* high quality output.
*
* The factor 1.5 below is the pessimistic estimate for the extra amount
* of entropy required when no get_nonce() callback is defined.
*/
# define RAND_POOL_FACTOR 256
# define RAND_POOL_MAX_LENGTH (RAND_POOL_FACTOR * \
3 * (RAND_DRBG_STRENGTH / 16))
/*
* = (RAND_POOL_FACTOR * \
* 1.5 * (RAND_DRBG_STRENGTH / 8))
*/
# define DRBG_MINMAX_FACTOR 128
/* DRBG status values */
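Review bot: the RAND_POOL_MAX_LENGTH comment says the get_entropy() buffer may be "2^31 bytes (2 gigabytes)" while DRBG_MAX_LENGTH is defined as INT32_MAX (2^31 - 1); align the two so readers do not hunt for an off-by-one. The definition `3 * (RAND_DRBG_STRENGTH / 16)` standing in for `1.5 * (RAND_DRBG_STRENGTH / 8)` also silently truncates if RAND_DRBG_STRENGTH is ever not a multiple of 16; a comment or static assertion on that divisibility would make the assumption explicit.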
@ -54,7 +81,7 @@ typedef enum drbg_status_e {
} DRBG_STATUS;
/* intantiate */
/* instantiate */
typedef int (*RAND_DRBG_instantiate_fn)(RAND_DRBG *ctx,
const unsigned char *ent,
size_t entlen,
@ -68,7 +95,7 @@ typedef int (*RAND_DRBG_reseed_fn)(RAND_DRBG *ctx,
size_t entlen,
const unsigned char *adin,
size_t adinlen);
/* generat output */
/* generate output */
typedef int (*RAND_DRBG_generate_fn)(RAND_DRBG *ctx,
unsigned char *out,
size_t outlen,
@ -122,10 +149,12 @@ struct rand_pool_st {
unsigned char *buffer; /* points to the beginning of the random pool */
size_t len; /* current number of random bytes contained in the pool */
int attached; /* true pool was attached to existing buffer */
size_t min_len; /* minimum number of random bytes requested */
size_t max_len; /* maximum number of random bytes (allocated buffer size) */
size_t entropy; /* current entropy count in bits */
size_t requested_entropy; /* requested entropy count in bits */
size_t entropy_requested; /* requested entropy count in bits */
};
/*
@ -139,7 +168,7 @@ struct rand_drbg_st {
int type; /* the nid of the underlying algorithm */
/*
* Stores the value of the rand_fork_count global as of when we last
* reseeded. The DRG reseeds automatically whenever drbg->fork_count !=
* reseeded. The DRBG reseeds automatically whenever drbg->fork_count !=
* rand_fork_count. Used to provide fork-safety and reseed this DRBG in
* the child process.
*/
@ -147,14 +176,19 @@ struct rand_drbg_st {
unsigned short flags; /* various external flags */
/*
* The random pool is used by RAND_add()/drbg_add() to attach random
* The random_data is used by RAND_add()/drbg_add() to attach random
* data to the global drbg, such that the rand_drbg_get_entropy() callback
* can pull it during instantiation and reseeding. This is necessary to
* reconcile the different philosophies of the RAND and the RAND_DRBG
* with respect to how randomness is added to the RNG during reseeding
* (see PR #4328).
*/
struct rand_pool_st *pool;
struct rand_pool_st *seed_pool;
/*
* Auxiliary pool for additional data.
*/
struct rand_pool_st *adin_pool;
/*
* The following parameters are setup by the per-type "init" function.
@ -180,7 +214,7 @@ struct rand_drbg_st {
size_t max_perslen, max_adinlen;
/* Counts the number of generate requests since the last reseed. */
unsigned int generate_counter;
unsigned int reseed_gen_counter;
/*
* Maximum number of generate requests until a reseed is required.
* This value is ignored if it is zero.
@ -203,7 +237,8 @@ struct rand_drbg_st {
* is added by RAND_add() or RAND_seed() will have an immediate effect on
* the output of RAND_bytes() resp. RAND_priv_bytes().
*/
unsigned int reseed_counter;
TSAN_QUALIFIER unsigned int reseed_prop_counter;
unsigned int reseed_next_counter;
size_t seedlen;
DRBG_STATUS state;
@ -245,7 +280,7 @@ extern int rand_fork_count;
/* DRBG helpers */
int rand_drbg_restart(RAND_DRBG *drbg,
const unsigned char *buffer, size_t len, size_t entropy);
size_t rand_drbg_seedlen(RAND_DRBG *drbg);
/* locking api */
int rand_drbg_lock(RAND_DRBG *drbg);
int rand_drbg_unlock(RAND_DRBG *drbg);


@ -31,7 +31,7 @@ int rand_fork_count;
static CRYPTO_RWLOCK *rand_nonce_lock;
static int rand_nonce_count;
static int rand_cleaning_up = 0;
static int rand_inited = 0;
#ifdef OPENSSL_RAND_SEED_RDTSC
/*
@ -146,17 +146,13 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
return 0;
}
pool = rand_pool_new(entropy, min_len, max_len);
if (pool == NULL)
return 0;
if (drbg->pool) {
rand_pool_add(pool,
rand_pool_buffer(drbg->pool),
rand_pool_length(drbg->pool),
rand_pool_entropy(drbg->pool));
rand_pool_free(drbg->pool);
drbg->pool = NULL;
if (drbg->seed_pool != NULL) {
pool = drbg->seed_pool;
pool->entropy_requested = entropy;
} else {
pool = rand_pool_new(entropy, min_len, max_len);
if (pool == NULL)
return 0;
}
if (drbg->parent) {
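Review bot: when `pool = drbg->seed_pool;` is taken, ownership stays with the DRBG and both the `err:` path at the end of this function and rand_drbg_cleanup_entropy() repeat the `drbg->seed_pool == NULL` test to decide whether to free; a one-line comment at the assignment saying the pool is borrowed would keep the three sites in sync. It is also worth noting there that `min_len` and `max_len` are ignored on that path, since rand_pool_attach() pins both to the attached buffer's length.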
@ -178,6 +174,8 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
prediction_resistance,
NULL, 0) != 0)
bytes = bytes_needed;
drbg->reseed_next_counter
= tsan_load(&drbg->parent->reseed_prop_counter);
rand_drbg_unlock(drbg->parent);
rand_pool_add_end(pool, bytes, 8 * bytes);
@ -206,7 +204,8 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
}
err:
rand_pool_free(pool);
if (drbg->seed_pool == NULL)
rand_pool_free(pool);
return ret;
}
@ -217,7 +216,8 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
void rand_drbg_cleanup_entropy(RAND_DRBG *drbg,
unsigned char *out, size_t outlen)
{
OPENSSL_secure_clear_free(out, outlen);
if (drbg->seed_pool == NULL)
OPENSSL_secure_clear_free(out, outlen);
}
@ -279,14 +279,9 @@ void rand_drbg_cleanup_nonce(RAND_DRBG *drbg,
* On success it allocates a buffer at |*pout| and returns the length of
* the data. The buffer should get freed using OPENSSL_secure_clear_free().
*/
size_t rand_drbg_get_additional_data(unsigned char **pout, size_t max_len)
size_t rand_drbg_get_additional_data(RAND_POOL *pool, unsigned char **pout)
{
size_t ret = 0;
RAND_POOL *pool;
pool = rand_pool_new(0, 0, max_len);
if (pool == NULL)
return 0;
if (rand_pool_add_additional_data(pool) == 0)
goto err;
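Review bot: the function comment just above the new signature is now stale: it still says the function "allocates a buffer at |*pout|" that "should get freed using OPENSSL_secure_clear_free()", but with the caller supplying `pool` and the buffer being detached from it, the buffer must be returned through rand_drbg_cleanup_additional_data()/rand_pool_reattach() instead. Update the comment to describe the new ownership.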
@ -295,14 +290,12 @@ size_t rand_drbg_get_additional_data(unsigned char **pout, size_t max_len)
*pout = rand_pool_detach(pool);
err:
rand_pool_free(pool);
return ret;
}
void rand_drbg_cleanup_additional_data(unsigned char *out, size_t outlen)
void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out)
{
OPENSSL_secure_clear_free(out, outlen);
rand_pool_reattach(pool, out);
}
void rand_fork(void)
@ -326,13 +319,15 @@ DEFINE_RUN_ONCE_STATIC(do_rand_init)
if (rand_nonce_lock == NULL)
goto err2;
if (!rand_cleaning_up && !rand_pool_init())
if (!rand_pool_init())
goto err3;
rand_inited = 1;
return 1;
err3:
rand_pool_cleanup();
CRYPTO_THREAD_lock_free(rand_nonce_lock);
rand_nonce_lock = NULL;
err2:
CRYPTO_THREAD_lock_free(rand_meth_lock);
rand_meth_lock = NULL;
@ -348,7 +343,8 @@ void rand_cleanup_int(void)
{
const RAND_METHOD *meth = default_RAND_meth;
rand_cleaning_up = 1;
if (!rand_inited)
return;
if (meth != NULL && meth->cleanup != NULL)
meth->cleanup();
@ -362,6 +358,7 @@ void rand_cleanup_int(void)
rand_meth_lock = NULL;
CRYPTO_THREAD_lock_free(rand_nonce_lock);
rand_nonce_lock = NULL;
rand_inited = 0;
}
/*
@ -370,7 +367,8 @@ void rand_cleanup_int(void)
*/
void RAND_keep_random_devices_open(int keep)
{
rand_pool_keep_random_devices_open(keep);
if (RUN_ONCE(&rand_init, do_rand_init))
rand_pool_keep_random_devices_open(keep);
}
/*
@ -405,7 +403,7 @@ int RAND_poll(void)
/* fill random pool and seed the current legacy RNG */
pool = rand_pool_new(RAND_DRBG_STRENGTH,
RAND_DRBG_STRENGTH / 8,
DRBG_MINMAX_FACTOR * (RAND_DRBG_STRENGTH / 8));
RAND_POOL_MAX_LENGTH);
if (pool == NULL)
return 0;
@ -430,17 +428,18 @@ int RAND_poll(void)
* Allocate memory and initialize a new random pool
*/
RAND_POOL *rand_pool_new(int entropy, size_t min_len, size_t max_len)
RAND_POOL *rand_pool_new(int entropy_requested, size_t min_len, size_t max_len)
{
RAND_POOL *pool = OPENSSL_zalloc(sizeof(*pool));
if (pool == NULL) {
RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_MALLOC_FAILURE);
goto err;
return NULL;
}
pool->min_len = min_len;
pool->max_len = max_len;
pool->max_len = (max_len > RAND_POOL_MAX_LENGTH) ?
RAND_POOL_MAX_LENGTH : max_len;
pool->buffer = OPENSSL_secure_zalloc(pool->max_len);
if (pool->buffer == NULL) {
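Review bot: `max_len` is silently clamped to RAND_POOL_MAX_LENGTH but `min_len` is stored unchanged, so a caller passing `min_len > RAND_POOL_MAX_LENGTH` gets a pool that can never satisfy the `pool->len < pool->min_len` test in rand_pool_entropy_available(). Either reject that combination here (RANDerr and `return NULL`) or clamp `min_len` to the clamped `max_len` as well.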
@ -448,7 +447,7 @@ RAND_POOL *rand_pool_new(int entropy, size_t min_len, size_t max_len)
goto err;
}
pool->requested_entropy = entropy;
pool->entropy_requested = entropy_requested;
return pool;
@ -457,6 +456,38 @@ RAND_POOL *rand_pool_new(int entropy, size_t min_len, size_t max_len)
return NULL;
}
/*
* Attach new random pool to the given buffer
*
* This function is intended to be used only for feeding random data
* provided by RAND_add() and RAND_seed() into the <master> DRBG.
*/
RAND_POOL *rand_pool_attach(const unsigned char *buffer, size_t len,
size_t entropy)
{
RAND_POOL *pool = OPENSSL_zalloc(sizeof(*pool));
if (pool == NULL) {
RANDerr(RAND_F_RAND_POOL_ATTACH, ERR_R_MALLOC_FAILURE);
return NULL;
}
/*
* The const needs to be cast away, but attached buffers will not be
* modified (in contrary to allocated buffers which are zeroed and
* freed in the end).
*/
pool->buffer = (unsigned char *) buffer;
pool->len = len;
pool->attached = 1;
pool->min_len = pool->max_len = pool->len;
pool->entropy = entropy;
return pool;
}
/*
* Free |pool|, securely erasing its buffer.
*/
@ -465,7 +496,14 @@ void rand_pool_free(RAND_POOL *pool)
if (pool == NULL)
return;
OPENSSL_secure_clear_free(pool->buffer, pool->max_len);
/*
* Although it would be advisable from a cryptographical viewpoint,
* we are not allowed to clear attached buffers, since they are passed
* to rand_pool_attach() as `const unsigned char*`.
* (see corresponding comment in rand_pool_attach()).
*/
if (!pool->attached)
OPENSSL_secure_clear_free(pool->buffer, pool->max_len);
OPENSSL_free(pool);
}
@ -496,15 +534,27 @@ size_t rand_pool_length(RAND_POOL *pool)
/*
* Detach the |pool| buffer and return it to the caller.
* It's the responsibility of the caller to free the buffer
* using OPENSSL_secure_clear_free().
* using OPENSSL_secure_clear_free() or to re-attach it
* again to the pool using rand_pool_reattach().
*/
unsigned char *rand_pool_detach(RAND_POOL *pool)
{
unsigned char *ret = pool->buffer;
pool->buffer = NULL;
pool->entropy = 0;
return ret;
}
/*
* Re-attach the |pool| buffer. It is only allowed to pass
* the |buffer| which was previously detached from the same pool.
*/
void rand_pool_reattach(RAND_POOL *pool, unsigned char *buffer)
{
pool->buffer = buffer;
OPENSSL_cleanse(pool->buffer, pool->len);
pool->len = 0;
}
/*
* If |entropy_factor| bits contain 1 bit of entropy, how many bytes does one
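Review bot: rand_pool_detach() zeroes `pool->entropy` but deliberately leaves `pool->len` in place, and rand_pool_reattach() depends on that stale `len` to know how many bytes to OPENSSL_cleanse(); in between, rand_pool_length() reports a length for a NULL buffer. A comment in detach saying `len` is kept for reattach, plus a `pool->buffer == NULL` guard like the one added to rand_pool_add(), would make that contract explicit.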
@ -524,7 +574,7 @@ unsigned char *rand_pool_detach(RAND_POOL *pool)
*/
size_t rand_pool_entropy_available(RAND_POOL *pool)
{
if (pool->entropy < pool->requested_entropy)
if (pool->entropy < pool->entropy_requested)
return 0;
if (pool->len < pool->min_len)
@ -540,8 +590,8 @@ size_t rand_pool_entropy_available(RAND_POOL *pool)
size_t rand_pool_entropy_needed(RAND_POOL *pool)
{
if (pool->entropy < pool->requested_entropy)
return pool->requested_entropy - pool->entropy;
if (pool->entropy < pool->entropy_requested)
return pool->entropy_requested - pool->entropy;
return 0;
}
@ -601,6 +651,11 @@ int rand_pool_add(RAND_POOL *pool,
return 0;
}
if (pool->buffer == NULL) {
RANDerr(RAND_F_RAND_POOL_ADD, ERR_R_INTERNAL_ERROR);
return 0;
}
if (len > 0) {
memcpy(pool->buffer + pool->len, buffer, len);
pool->len += len;
@ -632,6 +687,11 @@ unsigned char *rand_pool_add_begin(RAND_POOL *pool, size_t len)
return NULL;
}
if (pool->buffer == NULL) {
RANDerr(RAND_F_RAND_POOL_ADD_BEGIN, ERR_R_INTERNAL_ERROR);
return 0;
}
return pool->buffer + pool->len;
}
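Review bot: the `return 0;` after the new RANDerr in rand_pool_add_begin() should be `return NULL;`, matching the function's `unsigned char *` return type and the existing `return NULL;` at the top of this hunk.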


@ -77,6 +77,17 @@ static uint64_t get_timer_bits(void);
# endif
#endif /* defined(OPENSSL_SYS_UNIX) || defined(__DJGPP__) */
#if defined(OPENSSL_RAND_SEED_NONE)
/* none means none. this simplifies the following logic */
# undef OPENSSL_RAND_SEED_OS
# undef OPENSSL_RAND_SEED_GETRANDOM
# undef OPENSSL_RAND_SEED_LIBRANDOM
# undef OPENSSL_RAND_SEED_DEVRANDOM
# undef OPENSSL_RAND_SEED_RDTSC
# undef OPENSSL_RAND_SEED_RDCPU
# undef OPENSSL_RAND_SEED_EGD
#endif
#if (defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_UEFI)) && \
!defined(OPENSSL_RAND_SEED_NONE)
# error "UEFI and VXWorks only support seeding NONE"
@ -86,8 +97,6 @@ static uint64_t get_timer_bits(void);
|| defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_VXWORKS) \
|| defined(OPENSSL_SYS_UEFI))
static ssize_t syscall_random(void *buf, size_t buflen);
# if defined(OPENSSL_SYS_VOS)
# ifndef OPENSSL_RAND_SEED_OS
@ -244,6 +253,7 @@ static ssize_t sysctl_random(char *buf, size_t buflen)
}
# endif
# if defined(OPENSSL_RAND_SEED_GETRANDOM)
/*
* syscall_random(): Try to get random data using a system call
* returns the number of bytes returned in buf, or < 0 on error.
@ -254,7 +264,7 @@ static ssize_t syscall_random(void *buf, size_t buflen)
* Note: 'buflen' equals the size of the buffer which is used by the
* get_entropy() callback of the RAND_DRBG. It is roughly bounded by
*
* 2 * DRBG_MINMAX_FACTOR * (RAND_DRBG_STRENGTH / 8) = 2^13
* 2 * RAND_POOL_FACTOR * (RAND_DRBG_STRENGTH / 8) = 2^14
*
* which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion
* between size_t and ssize_t is safe even without a range check.
@ -302,8 +312,9 @@ static ssize_t syscall_random(void *buf, size_t buflen)
return -1;
# endif
}
# endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */
#if !defined(OPENSSL_RAND_SEED_NONE) && defined(OPENSSL_RAND_SEED_DEVRANDOM)
# if defined(OPENSSL_RAND_SEED_DEVRANDOM)
static const char *random_device_paths[] = { DEVRANDOM };
static struct random_device {
int fd;
@ -375,21 +386,13 @@ static void close_random_device(size_t n)
rd->fd = -1;
}
static void open_random_devices(void)
{
size_t i;
for (i = 0; i < OSSL_NELEM(random_devices); i++)
(void)get_random_device(i);
}
int rand_pool_init(void)
{
size_t i;
for (i = 0; i < OSSL_NELEM(random_devices); i++)
random_devices[i].fd = -1;
open_random_devices();
return 1;
}
@ -403,16 +406,13 @@ void rand_pool_cleanup(void)
void rand_pool_keep_random_devices_open(int keep)
{
if (keep)
open_random_devices();
else
if (!keep)
rand_pool_cleanup();
keep_random_devices_open = keep;
}
# else /* defined(OPENSSL_RAND_SEED_NONE)
* || !defined(OPENSSL_RAND_SEED_DEVRANDOM)
*/
# else /* !defined(OPENSSL_RAND_SEED_DEVRANDOM) */
int rand_pool_init(void)
{
@ -427,9 +427,7 @@ void rand_pool_keep_random_devices_open(int keep)
{
}
# endif /* !defined(OPENSSL_RAND_SEED_NONE)
* && defined(OPENSSL_RAND_SEED_DEVRANDOM)
*/
# endif /* defined(OPENSSL_RAND_SEED_DEVRANDOM) */
/*
* Try the various seeding methods in turn, exit when successful.
@ -450,14 +448,14 @@ void rand_pool_keep_random_devices_open(int keep)
*/
size_t rand_pool_acquire_entropy(RAND_POOL *pool)
{
# ifdef OPENSSL_RAND_SEED_NONE
# if defined(OPENSSL_RAND_SEED_NONE)
return rand_pool_entropy_available(pool);
# else
size_t bytes_needed;
size_t entropy_available = 0;
unsigned char *buffer;
# ifdef OPENSSL_RAND_SEED_GETRANDOM
# if defined(OPENSSL_RAND_SEED_GETRANDOM)
{
ssize_t bytes;
/* Maximum allowed number of consecutive unsuccessful attempts */
@ -487,7 +485,7 @@ size_t rand_pool_acquire_entropy(RAND_POOL *pool)
}
# endif
# ifdef OPENSSL_RAND_SEED_DEVRANDOM
# if defined(OPENSSL_RAND_SEED_DEVRANDOM)
bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
{
size_t i;
@ -524,19 +522,19 @@ size_t rand_pool_acquire_entropy(RAND_POOL *pool)
}
# endif
# ifdef OPENSSL_RAND_SEED_RDTSC
# if defined(OPENSSL_RAND_SEED_RDTSC)
entropy_available = rand_acquire_entropy_from_tsc(pool);
if (entropy_available > 0)
return entropy_available;
# endif
# ifdef OPENSSL_RAND_SEED_RDCPU
# if defined(OPENSSL_RAND_SEED_RDCPU)
entropy_available = rand_acquire_entropy_from_cpu(pool);
if (entropy_available > 0)
return entropy_available;
# endif
# ifdef OPENSSL_RAND_SEED_EGD
# if defined(OPENSSL_RAND_SEED_EGD)
bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
if (bytes_needed > 0) {
static const char *paths[] = { DEVRANDOM_EGD, NULL };
@ -577,7 +575,7 @@ int rand_pool_add_nonce_data(RAND_POOL *pool)
/*
* Add process id, thread id, and a high resolution timestamp to
* ensure that the nonce is unique whith high probability for
* ensure that the nonce is unique with high probability for
* different process instances.
*/
data.pid = getpid();


@ -16,6 +16,7 @@
#include <openssl/crypto.h>
#include <openssl/rand.h>
#include <openssl/rand_drbg.h>
#include <openssl/buffer.h>
#ifdef OPENSSL_SYS_VMS
@ -48,7 +49,7 @@
# define S_ISREG(m) ((m) & S_IFREG)
# endif
#define RAND_FILE_SIZE 1024
#define RAND_BUF_SIZE 1024
#define RFILE ".rnd"
#ifdef OPENSSL_SYS_VMS
@ -74,7 +75,16 @@ static __FILE_ptr32 (*const vms_fopen)(const char *, const char *, ...) =
*/
int RAND_load_file(const char *file, long bytes)
{
unsigned char buf[RAND_FILE_SIZE];
/*
* The load buffer size exceeds the chunk size by the comfortable amount
* of 'RAND_DRBG_STRENGTH' bytes (not bits!). This is done on purpose
* to avoid calling RAND_add() with a small final chunk. Instead, such
* a small final chunk will be added together with the previous chunk
* (unless it's the only one).
*/
#define RAND_LOAD_BUF_SIZE (RAND_BUF_SIZE + RAND_DRBG_STRENGTH)
unsigned char buf[RAND_LOAD_BUF_SIZE];
#ifndef OPENSSL_NO_POSIX_IO
struct stat sb;
#endif
@ -98,8 +108,12 @@ int RAND_load_file(const char *file, long bytes)
return -1;
}
if (!S_ISREG(sb.st_mode) && bytes < 0)
bytes = 256;
if (bytes < 0) {
if (S_ISREG(sb.st_mode))
bytes = sb.st_size;
else
bytes = RAND_DRBG_STRENGTH;
}
#endif
/*
* On VMS, setbuf() will only take 32-bit pointers, and a compilation
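Review bot: `bytes = sb.st_size;` assigns an off_t to a long; where long is 32 bits this truncates for files over 2 GiB, and a wrapped negative value is then treated by the read loop below (`if (bytes > 0) ... else n = RAND_LOAD_BUF_SIZE`) as "read without limit". Cap the value, e.g. `bytes = sb.st_size > LONG_MAX ? LONG_MAX : (long)sb.st_size;`, or bound it to a sane maximum for a seed file.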
@ -124,9 +138,9 @@ int RAND_load_file(const char *file, long bytes)
for ( ; ; ) {
if (bytes > 0)
n = (bytes < RAND_FILE_SIZE) ? (int)bytes : RAND_FILE_SIZE;
n = (bytes <= RAND_LOAD_BUF_SIZE) ? (int)bytes : RAND_BUF_SIZE;
else
n = RAND_FILE_SIZE;
n = RAND_LOAD_BUF_SIZE;
i = fread(buf, 1, n, in);
#ifdef EINTR
if (ferror(in) && errno == EINTR){
@ -148,12 +162,18 @@ int RAND_load_file(const char *file, long bytes)
OPENSSL_cleanse(buf, sizeof(buf));
fclose(in);
if (!RAND_status()) {
RANDerr(RAND_F_RAND_LOAD_FILE, RAND_R_RESEED_ERROR);
ERR_add_error_data(2, "Filename=", file);
return -1;
}
return ret;
}
int RAND_write_file(const char *file)
{
unsigned char buf[RAND_FILE_SIZE];
unsigned char buf[RAND_BUF_SIZE];
int ret = -1;
FILE *out = NULL;
#ifndef OPENSSL_NO_POSIX_IO
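Review bot: RAND_load_file() now returns -1 when RAND_status() is still 0 after the file was read successfully, so callers that treat -1 as "could not open or read the file" will misreport the cause. The documented return value and the error string (RAND_R_RESEED_ERROR with the Filename= data) should state that the file was read but did not bring the DRBG into a seeded state.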
@ -222,9 +242,9 @@ int RAND_write_file(const char *file)
chmod(file, 0600);
#endif
ret = fwrite(buf, 1, RAND_FILE_SIZE, out);
ret = fwrite(buf, 1, RAND_BUF_SIZE, out);
fclose(out);
OPENSSL_cleanse(buf, RAND_FILE_SIZE);
OPENSSL_cleanse(buf, RAND_BUF_SIZE);
return ret;
}
@ -262,11 +282,9 @@ const char *RAND_file_name(char *buf, size_t size)
}
}
#else
if (OPENSSL_issetugid() != 0) {
if ((s = ossl_safe_getenv("RANDFILE")) == NULL || *s == '\0') {
use_randfile = 0;
} else if ((s = getenv("RANDFILE")) == NULL || *s == '\0') {
use_randfile = 0;
s = getenv("HOME");
s = ossl_safe_getenv("HOME");
}
#endif


@ -125,8 +125,8 @@ void RSA_free(RSA *r)
CRYPTO_THREAD_lock_free(r->lock);
BN_clear_free(r->n);
BN_clear_free(r->e);
BN_free(r->n);
BN_free(r->e);
BN_clear_free(r->d);
BN_clear_free(r->p);
BN_clear_free(r->q);
@ -196,7 +196,7 @@ int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
r->e = e;
}
if (d != NULL) {
BN_free(r->d);
BN_clear_free(r->d);
r->d = d;
}
@ -213,11 +213,11 @@ int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
return 0;
if (p != NULL) {
BN_free(r->p);
BN_clear_free(r->p);
r->p = p;
}
if (q != NULL) {
BN_free(r->q);
BN_clear_free(r->q);
r->q = q;
}
@ -235,15 +235,15 @@ int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
return 0;
if (dmp1 != NULL) {
BN_free(r->dmp1);
BN_clear_free(r->dmp1);
r->dmp1 = dmp1;
}
if (dmq1 != NULL) {
BN_free(r->dmq1);
BN_clear_free(r->dmq1);
r->dmq1 = dmq1;
}
if (iqmp != NULL) {
BN_free(r->iqmp);
BN_clear_free(r->iqmp);
r->iqmp = iqmp;
}


@ -163,13 +163,13 @@ int RSA_meth_set_priv_dec(RSA_METHOD *meth,
/* Can be null */
int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth))
(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx)
{
return meth->rsa_mod_exp;
}
int RSA_meth_set_mod_exp(RSA_METHOD *meth,
int (*mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa,
int (*mod_exp) (BIGNUM *r0, const BIGNUM *i, RSA *rsa,
BN_CTX *ctx))
{
meth->rsa_mod_exp = mod_exp;


@ -680,10 +680,11 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
*/
|| !bn_mod_sub_fixed_top(r1, r1, m1, rsa->p)
/* r0 = r0 * iqmp mod p */
/* r1 = r1 * iqmp mod p */
|| !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx)
|| !bn_mul_mont_fixed_top(r1, r1, rsa->iqmp, rsa->_method_mod_p,
ctx)
/* r0 = r1 * q + m1 */
|| !bn_mul_fixed_top(r0, r1, rsa->q, ctx)
|| !bn_mod_add_fixed_top(r0, r0, m1, rsa->n))
goto err;


@ -432,9 +432,9 @@ SHA3_absorb:
lrvg %r0,0($inp)
la $inp,8($inp)
xg %r0,0(%r1)
la %r1,8(%r1)
a${g}hi $len,-8
stg %r0,-8(%r1)
stg %r0,0(%r1)
la %r1,8(%r1)
brct $bsz,.Lblock_absorb
stm${g} $inp,$len,$frame+3*$SIZE_T($sp)


@ -166,8 +166,8 @@ $func:
addi r11,r11,32
stvx v30,r10,$sp
stvx v31,r11,$sp
li r11,-4096+255
stw $vrsave,`$FRAME+6*$SIZE_T-4`($sp) # save vrsave
li r11,-4096+255 # 0xfffff0ff
stw $vrsave,`$FRAME-6*$SIZE_T-4`($sp) # save vrsave
li $x10,0x10
$PUSH r26,`$FRAME-6*$SIZE_T`($sp)
li $x20,0x20
@ -286,24 +286,17 @@ $code.=<<___ if ($SZ==8);
stvx_u $G,$x30,$ctx
___
$code.=<<___;
li r10,`$LOCALS+15`
addi $offload,$sp,`$LOCALS+15`
mtlr $lrsave
li r11,`$LOCALS+31`
mtspr 256,$vrsave
lvx v24,r10,$sp # ABI says so
addi r10,r10,32
lvx v25,r11,$sp
addi r11,r11,32
lvx v26,r10,$sp
addi r10,r10,32
lvx v27,r11,$sp
addi r11,r11,32
lvx v28,r10,$sp
addi r10,r10,32
lvx v29,r11,$sp
addi r11,r11,32
lvx v30,r10,$sp
lvx v31,r11,$sp
lvx v24,$x00,$offload # ABI says so
lvx v25,$x10,$offload
lvx v26,$x20,$offload
lvx v27,$x30,$offload
lvx v28,$x40,$offload
lvx v29,$x50,$offload
lvx v30,$x60,$offload
lvx v31,$x70,$offload
$POP r26,`$FRAME-6*$SIZE_T`($sp)
$POP r27,`$FRAME-5*$SIZE_T`($sp)
$POP r28,`$FRAME-4*$SIZE_T`($sp)


@ -94,7 +94,19 @@ int SipHash_set_hash_size(SIPHASH *ctx, size_t hash_size)
&& hash_size != SIPHASH_MAX_DIGEST_SIZE)
return 0;
ctx->hash_size = hash_size;
/*
* It's possible that the key was set first. If the hash size changes,
* we need to adjust v1 (see SipHash_Init().
*/
/* Start by adjusting the stored size, to make things easier */
ctx->hash_size = siphash_adjust_hash_size(ctx->hash_size);
/* Now, adjust ctx->v1 if the old and the new size differ */
if ((size_t)ctx->hash_size != hash_size) {
ctx->v1 ^= 0xee;
ctx->hash_size = hash_size;
}
return 1;
}
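Review bot: the comment "(see SipHash_Init()." is missing its closing parenthesis. While fixing it, the comment should also say what the `v1 ^= 0xee` toggle assumes when the hash size is set before the key, since it only makes sense once the key has been mixed into `v1`.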


@ -11,6 +11,7 @@
#include "internal/sm2.h"
#include "internal/sm2err.h"
#include "internal/ec_int.h" /* ecdh_KDF_X9_63() */
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/bn.h>
@ -203,7 +204,7 @@ int sm2_encrypt(const EC_KEY *key,
}
/* X9.63 with no salt happens to match the KDF used in SM2 */
if (!ECDH_KDF_X9_62(msg_mask, msg_len, x2y2, 2 * field_size, NULL, 0,
if (!ecdh_KDF_X9_63(msg_mask, msg_len, x2y2, 2 * field_size, NULL, 0,
digest)) {
SM2err(SM2_F_SM2_ENCRYPT, ERR_R_EVP_LIB);
goto done;
@ -344,7 +345,7 @@ int sm2_decrypt(const EC_KEY *key,
if (BN_bn2binpad(x2, x2y2, field_size) < 0
|| BN_bn2binpad(y2, x2y2 + field_size, field_size) < 0
|| !ECDH_KDF_X9_62(msg_mask, msg_len, x2y2, 2 * field_size, NULL, 0,
|| !ecdh_KDF_X9_63(msg_mask, msg_len, x2y2, 2 * field_size, NULL, 0,
digest)) {
SM2err(SM2_F_SM2_DECRYPT, ERR_R_INTERNAL_ERROR);
goto done;


@ -12,6 +12,7 @@
#include "internal/sm2.h"
#include "internal/sm2err.h"
#include "internal/ec_int.h" /* ec_group_do_inverse_ord() */
#include "internal/numbers.h"
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/err.h>
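Review bot: `#include <openssl/err.h>` appears twice in this include block, on either side of `<openssl/evp.h>`; it is pre-existing, but drop the duplicate while the block is being touched.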


@ -415,6 +415,24 @@ static int open_console(UI *ui)
is_a_tty = 0;
else
# endif
# ifdef ENXIO
/*
* Solaris can return ENXIO.
* This should be ok
*/
if (errno == ENXIO)
is_a_tty = 0;
else
# endif
# ifdef EIO
/*
* Linux can return EIO.
* This should be ok
*/
if (errno == EIO)
is_a_tty = 0;
else
# endif
# ifdef ENODEV
/*
* MacOS X returns ENODEV (Operation not supported by device),


@ -73,7 +73,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
switch (cmd) {
case X509_L_ADD_DIR:
if (argl == X509_FILETYPE_DEFAULT) {
const char *dir = getenv(X509_get_default_cert_dir_env());
const char *dir = ossl_safe_getenv(X509_get_default_cert_dir_env());
if (dir)
ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);


@ -46,7 +46,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp,
switch (cmd) {
case X509_L_FILE_LOAD:
if (argl == X509_FILETYPE_DEFAULT) {
file = getenv(X509_get_default_cert_file_env());
file = ossl_safe_getenv(X509_get_default_cert_file_env());
if (file)
ok = (X509_load_cert_crl_file(ctx, file,
X509_FILETYPE_PEM) != 0);


@ -517,15 +517,14 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
/* check_purpose() makes the callback as needed */
if (purpose > 0 && !check_purpose(ctx, x, purpose, i, must_be_ca))
return 0;
/* Check pathlen if not self issued */
if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
&& (x->ex_pathlen != -1)
&& (plen > (x->ex_pathlen + proxy_path_length + 1))) {
/* Check pathlen */
if ((i > 1) && (x->ex_pathlen != -1)
&& (plen > (x->ex_pathlen + proxy_path_length))) {
if (!verify_cb_cert(ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED))
return 0;
}
/* Increment path length if not self issued */
if (!(x->ex_flags & EXFLAG_SI))
/* Increment path length if not a self issued intermediate CA */
if (i > 0 && (x->ex_flags & EXFLAG_SI) == 0)
plen++;
/*
* If this certificate is a proxy certificate, the next certificate
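Review bot: the path-length logic changes in two places at once: the `+ 1` slack is dropped from the comparison and self-issued certificates are no longer exempt from the check, while `plen` is now incremented only for non-self-issued certificates above the leaf (`i > 0`). That is consistent with RFC 5280 section 4.2.1.9, where self-issued intermediates do not count toward pathLenConstraint, but it is an off-by-one-sensitive change, so a regression test with a chain exactly at the limit (a pathlen 0 CA issuing the EE, and a self-issued intermediate in the middle) should land with it.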


@ -250,8 +250,10 @@ for all available algorithms.
=item B<-subj arg>
Supersedes subject name given in the request.
The arg must be formatted as I</type0=value0/type1=value1/type2=...>,
characters may be escaped by \ (backslash), no spaces are skipped.
The arg must be formatted as I</type0=value0/type1=value1/type2=...>.
Keyword characters may be escaped by \ (backslash), and whitespace is retained.
Empty values are permitted, but the corresponding type will not be included
in the resulting certificate.
=item B<-utf8>


@ -257,7 +257,7 @@ ones provided by configured engines.
The B<enc> program does not support authenticated encryption modes
like CCM and GCM, and will not support such modes in the future.
The B<enc> interface by necessity must begin streaming output (e.g.,
to standard output when B<-out> is not used before the authentication
to standard output when B<-out> is not used) before the authentication
tag could be validated, leading to the usage of B<enc> in pipelines
that begin processing untrusted data and are not capable of rolling
back upon authentication failure. The AEAD modes currently in common
@ -277,6 +277,7 @@ standard data format and performs the needed key/iv/nonce management.
bf-cbc Blowfish in CBC mode
bf Alias for bf-cbc
blowfish Alias for bf-cbc
bf-cfb Blowfish in CFB mode
bf-ecb Blowfish in ECB mode
bf-ofb Blowfish in OFB mode
@ -288,6 +289,8 @@ standard data format and performs the needed key/iv/nonce management.
cast5-ecb CAST5 in ECB mode
cast5-ofb CAST5 in OFB mode
chacha20 ChaCha20 algorithm
des-cbc DES in CBC mode
des Alias for des-cbc
des-cfb DES in CFB mode
@ -334,6 +337,19 @@ standard data format and performs the needed key/iv/nonce management.
rc5-ecb RC5 cipher in ECB mode
rc5-ofb RC5 cipher in OFB mode
seed-cbc SEED cipher in CBC mode
seed Alias for seed-cbc
seed-cfb SEED cipher in CFB mode
seed-ecb SEED cipher in ECB mode
seed-ofb SEED cipher in OFB mode
sm4-cbc SM4 cipher in CBC mode
sm4 Alias for sm4-cbc
sm4-cfb SM4 cipher in CFB mode
sm4-ctr SM4 cipher in CTR mode
sm4-ecb SM4 cipher in ECB mode
sm4-ofb SM4 cipher in OFB mode
aes-[128|192|256]-cbc 128/192/256 bit AES in CBC mode
aes[128|192|256] Alias for aes-[128|192|256]-cbc
aes-[128|192|256]-cfb 128/192/256 bit AES in 128 bit CFB mode
@ -343,6 +359,15 @@ standard data format and performs the needed key/iv/nonce management.
aes-[128|192|256]-ecb 128/192/256 bit AES in ECB mode
aes-[128|192|256]-ofb 128/192/256 bit AES in OFB mode
aria-[128|192|256]-cbc 128/192/256 bit ARIA in CBC mode
aria[128|192|256] Alias for aria-[128|192|256]-cbc
aria-[128|192|256]-cfb 128/192/256 bit ARIA in 128 bit CFB mode
aria-[128|192|256]-cfb1 128/192/256 bit ARIA in 1 bit CFB mode
aria-[128|192|256]-cfb8 128/192/256 bit ARIA in 8 bit CFB mode
aria-[128|192|256]-ctr 128/192/256 bit ARIA in CTR mode
aria-[128|192|256]-ecb 128/192/256 bit ARIA in ECB mode
aria-[128|192|256]-ofb 128/192/256 bit ARIA in OFB mode
camellia-[128|192|256]-cbc 128/192/256 bit Camellia in CBC mode
camellia[128|192|256] Alias for camellia-[128|192|256]-cbc
camellia-[128|192|256]-cfb 128/192/256 bit Camellia in 128 bit CFB mode
@ -362,26 +387,25 @@ Decode the same file
openssl base64 -d -in file.b64 -out file.bin
Encrypt a file using triple DES in CBC mode using a prompted password:
Encrypt a file using AES-128 using a prompted password
and PBKDF2 key derivation:
openssl des3 -salt -in file.txt -out file.des3
openssl enc -aes128 -pbkdf2 -in file.txt -out file.aes128
Decrypt a file using a supplied password:
openssl des3 -d -salt -in file.des3 -out file.txt -k mypassword
openssl enc -aes128 -pbkdf2 -d -in file.aes128 -out file.txt \
-pass pass:<password>
Encrypt a file then base64 encode it (so it can be sent via mail for example)
using Blowfish in CBC mode:
using AES-256 in CTR mode and PBKDF2 key derivation:
openssl bf -a -salt -in file.txt -out file.bf
openssl enc -aes-256-ctr -pbkdf2 -a -in file.txt -out file.aes256
Base64 decode a file then decrypt it:
Base64 decode a file then decrypt it using a password supplied in a file:
openssl bf -d -salt -a -in file.bf -out file.txt
Decrypt some data using a supplied 40 bit RC4 key:
openssl rc4-40 -in file.rc4 -out file.txt -K 0102030405
openssl enc -aes-256-ctr -pbkdf2 -d -a -in file.aes256 -out file.txt \
-pass file:<passfile>
=head1 BUGS


@ -40,6 +40,9 @@ The B<openssl> program provides a rich variety of commands (I<command> in the
SYNOPSIS above), each of which often has a wealth of options and arguments
(I<command_opts> and I<command_args> in the SYNOPSIS).
Detailed documentation and use cases for most standard subcommands are available
(e.g., L<x509(1)> or L<openssl-x509(1)>).
Many commands use an external configuration file for some or all of their
arguments and have a B<-config> option to specify that file.
The environment variable B<OPENSSL_CONF> can be used to specify
@ -369,8 +372,38 @@ SM3 Digest
=head2 Encoding and Cipher Commands
The following aliases provide convenient access to the most used encodings
and ciphers.
Depending on how OpenSSL was configured and built, not all ciphers listed
here may be present. See L<enc(1)> for more information and command usage.
=over 4
=item B<aes128>, B<aes-128-cbc>, B<aes-128-cfb>, B<aes-128-ctr>, B<aes-128-ecb>, B<aes-128-ofb>
AES-128 Cipher
=item B<aes192>, B<aes-192-cbc>, B<aes-192-cfb>, B<aes-192-ctr>, B<aes-192-ecb>, B<aes-192-ofb>
AES-192 Cipher
=item B<aes256>, B<aes-256-cbc>, B<aes-256-cfb>, B<aes-256-ctr>, B<aes-256-ecb>, B<aes-256-ofb>
AES-256 Cipher
=item B<aria128>, B<aria-128-cbc>, B<aria-128-cfb>, B<aria-128-ctr>, B<aria-128-ecb>, B<aria-128-ofb>
Aria-128 Cipher
=item B<aria192>, B<aria-192-cbc>, B<aria-192-cfb>, B<aria-192-ctr>, B<aria-192-ecb>, B<aria-192-ofb>
Aria-192 Cipher
=item B<aria256>, B<aria-256-cbc>, B<aria-256-cfb>, B<aria-256-ctr>, B<aria-256-ecb>, B<aria-256-ofb>
Aria-256 Cipher
=item B<base64>
Base64 Encoding
@ -379,6 +412,18 @@ Base64 Encoding
Blowfish Cipher
=item B<camellia128>, B<camellia-128-cbc>, B<camellia-128-cfb>, B<camellia-128-ctr>, B<camellia-128-ecb>, B<camellia-128-ofb>
Camellia-128 Cipher
=item B<camellia192>, B<camellia-192-cbc>, B<camellia-192-cfb>, B<camellia-192-ctr>, B<camellia-192-ecb>, B<camellia-192-ofb>
Camellia-192 Cipher
=item B<camellia256>, B<camellia-256-cbc>, B<camellia-256-cfb>, B<camellia-256-ctr>, B<camellia-256-ecb>, B<camellia-256-ofb>
Camellia-256 Cipher
=item B<cast>, B<cast-cbc>
CAST Cipher
@ -387,6 +432,10 @@ CAST Cipher
CAST5 Cipher
=item B<chacha20>
Chacha20 Cipher
=item B<des>, B<des-cbc>, B<des-cfb>, B<des-ecb>, B<des-ede>, B<des-ede-cbc>, B<des-ede-cfb>, B<des-ede-ofb>, B<des-ofb>
DES Cipher
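Review bot: B<chacha20> in this alias list is the bare stream cipher, not ChaCha20-Poly1305, and like every other alias here it provides no integrity protection; since the B<enc> command cannot do authenticated encryption, one sentence in the preamble of this section saying so would stop readers from assuming the newer name implies an AEAD mode.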
@ -411,6 +460,14 @@ RC4 Cipher
RC5 Cipher
=item B<seed>, B<seed-cbc>, B<seed-cfb>, B<seed-ecb>, B<seed-ofb>
SEED Cipher
=item B<sm4>, B<sm4-cbc>, B<sm4-cfb>, B<sm4-ctr>, B<sm4-ecb>, B<sm4-ofb>
SM4 Cipher
=back
=head1 OPTIONS

View File

@ -221,8 +221,10 @@ see L<openssl(1)/COMMAND SUMMARY>.
Sets subject name for new request or supersedes the subject name
when processing a request.
The arg must be formatted as I</type0=value0/type1=value1/type2=...>,
characters may be escaped by \ (backslash), no spaces are skipped.
The arg must be formatted as I</type0=value0/type1=value1/type2=...>.
Keyword characters may be escaped by \ (backslash), and whitespace is retained.
Empty values are permitted, but the corresponding type will not be included
in the request.
=item B<-multivalue-rdn>
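Review bot: "Keyword characters may be escaped by \ (backslash)" still does not tell the reader which characters need escaping; the format uses B</> as the separator (and B<+> when B<-multivalue-rdn> is given), so a value containing either must escape it, and a literal backslash must be doubled. Suggest: "The characters B</>, B<+> (with B<-multivalue-rdn>) and B<\> must be escaped with a backslash inside a value; whitespace is retained." The same wording should go into the matching B<-subject> paragraph of storeutl(1) in this commit so the two stay consistent.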

View File

@ -9,8 +9,8 @@ rsa - RSA key processing tool
B<openssl> B<rsa>
[B<-help>]
[B<-inform PEM|NET|DER>]
[B<-outform PEM|NET|DER>]
[B<-inform PEM|DER>]
[B<-outform PEM|DER>]
[B<-in filename>]
[B<-passin arg>]
[B<-out filename>]
@ -53,16 +53,15 @@ utility.
Print out a usage message.
=item B<-inform DER|NET|PEM>
=item B<-inform DER|PEM>
This specifies the input format. The B<DER> option uses an ASN1 DER encoded
form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format.
The B<PEM> form is the default format: it consists of the B<DER> format base64
encoded with additional header and footer lines. On input PKCS#8 format private
keys are also accepted. The B<NET> form is a format is described in the B<NOTES>
section.
keys are also accepted.
=item B<-outform DER|NET|PEM>
=item B<-outform DER|PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
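Review bot: dropping B<NET> from B<-inform>/B<-outform> is a user-visible removal, but this hunk leaves no trace of it for someone whose scripts still pass B<-inform NET>; add a HISTORY entry (or a sentence under NOTES) stating that NET format support was removed and that the old unsalted-RC4 format must be converted with an earlier release. Removing the format itself is the right call, given the NOTES text being deleted below describes it as "not very secure".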
@ -158,17 +157,6 @@ The PEM B<RSAPublicKey> format uses the header and footer lines:
-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----
The B<NET> form is a format compatible with older Netscape servers
and Microsoft IIS .key files, this uses unsalted RC4 for its encryption.
It is not very secure and so should only be used when necessary.
Some newer version of IIS have additional data in the exported .key
files. To use these with the utility, view the file with a binary editor
and look for the string "private-key", then trace back to the byte
sequence 0x30, 0x82 (this is an ASN1 SEQUENCE). Copy all the data
from this point onwards to another file and use that as the input
to the B<rsa> utility with the B<-inform NET> option.
=head1 EXAMPLES
To remove the pass phrase on an RSA private key:
@ -197,9 +185,6 @@ Output the public part of a private key in B<RSAPublicKey> format:
=head1 BUGS
The command line password arguments don't currently work with
B<NET> format.
There should be an option that automatically handles .key files,
without having to manually edit them.

View File

@ -405,13 +405,14 @@ Inhibit printing of session and certificate information.
Sends a status message back to the client when it connects. This includes
information about the ciphers used and various session parameters.
The output is in HTML format so this option will normally be used with a
web browser.
web browser. Cannot be used in conjunction with B<-early_data>.
=item B<-WWW>
Emulates a simple web server. Pages will be resolved relative to the
current directory, for example if the URL https://myhost/page.html is
requested the file ./page.html will be loaded.
requested the file ./page.html will be loaded. Cannot be used in conjunction
with B<-early_data>.
=item B<-tlsextdebug>
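Review bot: "Cannot be used in conjunction with B<-early_data>" states the restriction but not the behaviour: does B<s_server> refuse to start, or is one of the options silently ignored? The difference matters for anyone scripting a test server, so the sentence (repeated for B<-WWW>, B<-HTTP>, B<-rev> and under B<-early_data> itself) should say which, e.g. "B<s_server> exits with an error if both are given."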
@ -423,7 +424,8 @@ Emulates a simple web server. Pages will be resolved relative to the
current directory, for example if the URL https://myhost/page.html is
requested the file ./page.html will be loaded. The files loaded are
assumed to contain a complete and correct HTTP response (lines that
are part of the HTTP response line and headers must end with CRLF).
are part of the HTTP response line and headers must end with CRLF). Cannot be
used in conjunction with B<-early_data>.
=item B<-id_prefix val>
@ -488,7 +490,8 @@ output.
=item B<-rev>
Simple test server which just reverses the text received from the client
and sends it back to the server. Also sets B<-brief>.
and sends it back to the server. Also sets B<-brief>. Cannot be used in
conjunction with B<-early_data>.
=item B<-async>
@ -711,7 +714,8 @@ greater than or equal to 0.
=item B<-early_data>
Accept early data where possible.
Accept early data where possible. Cannot be used in conjunction with B<-www>,
B<-WWW>, B<-HTTP> or B<-rev>.
=item B<-anti_replay>, B<-no_anti_replay>

View File

@ -82,8 +82,11 @@ returned.
=item B<-subject arg>
Search for an object having the subject name B<arg>.
The arg must be formatted as I</type0=value0/type1=value1/type2=...>,
characters may be escaped by \ (backslash), no spaces are skipped.
The arg must be formatted as I</type0=value0/type1=value1/type2=...>.
Keyword characters may be escaped by \ (backslash), and whitespace is retained.
Empty values are permitted but are ignored for the search. That is,
a search with an empty value will have the same effect as not specifying
the type at all.
=item B<-issuer arg>

View File

@ -9,8 +9,8 @@ x509 - Certificate display and signing utility
B<openssl> B<x509>
[B<-help>]
[B<-inform DER|PEM|NET>]
[B<-outform DER|PEM|NET>]
[B<-inform DER|PEM>]
[B<-outform DER|PEM>]
[B<-keyform DER|PEM>]
[B<-CAform DER|PEM>]
[B<-CAkeyform DER|PEM>]
@ -86,16 +86,15 @@ various sections.
Print out a usage message.
=item B<-inform DER|PEM|NET>
=item B<-inform DER|PEM>
This specifies the input format normally the command will expect an X509
certificate but this can change if other options such as B<-req> are
present. The DER format is the DER encoding of the certificate and PEM
is the base64 encoding of the DER encoding with header and footer lines
added. The NET option is an obscure Netscape server format that is now
obsolete. The default format is PEM.
added. The default format is PEM.
=item B<-outform DER|PEM|NET>
=item B<-outform DER|PEM>
This specifies the output format, the options have the same meaning and default
as the B<-inform> option.
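Review bot: as with the rsa(1) change in this commit, the removal of B<NET> from x509(1) needs a HISTORY line so that users hitting "unknown format" errors on B<-inform NET> can find out why; the deleted sentence already called the format obsolete, so a one-line "NET format support was removed in 1.1.1a" (or whichever release the code change landed in) is all that is needed.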

View File

@ -99,7 +99,7 @@ algorithm.
There are two phases to the use of DES encryption. The first is the
generation of a I<DES_key_schedule> from a key, the second is the
actual encryption. A DES key is of type I<DES_cblock>. This type is
actual encryption. A DES key is of type I<DES_cblock>. This type
consists of 8 bytes with odd parity. The least significant bit in
each byte is the parity bit. The key schedule is an expanded form of
the key; it is used to speed the encryption process.
@ -170,42 +170,42 @@ of 24 bytes. This is much better than CBC DES.
DES_ede3_cbc_encrypt() implements outer triple CBC DES encryption with
three keys. This means that each DES operation inside the CBC mode is
an C<C=E(ks3,D(ks2,E(ks1,M)))>. This mode is used by SSL.
C<C=E(ks3,D(ks2,E(ks1,M)))>. This mode is used by SSL.
The DES_ede2_cbc_encrypt() macro implements two-key Triple-DES by
reusing I<ks1> for the final encryption. C<C=E(ks1,D(ks2,E(ks1,M)))>.
This form of Triple-DES is used by the RSAREF library.
DES_pcbc_encrypt() encrypt/decrypts using the propagating cipher block
DES_pcbc_encrypt() encrypts/decrypts using the propagating cipher block
chaining mode used by Kerberos v4. Its parameters are the same as
DES_ncbc_encrypt().
DES_cfb_encrypt() encrypt/decrypts using cipher feedback mode. This
method takes an array of characters as input and outputs and array of
DES_cfb_encrypt() encrypts/decrypts using cipher feedback mode. This
method takes an array of characters as input and outputs an array of
characters. It does not require any padding to 8 character groups.
Note: the I<ivec> variable is changed and the new changed value needs to
be passed to the next call to this function. Since this function runs
a complete DES ECB encryption per I<numbits>, this function is only
suggested for use when sending small numbers of characters.
suggested for use when sending a small number of characters.
DES_cfb64_encrypt()
implements CFB mode of DES with 64bit feedback. Why is this
implements CFB mode of DES with 64-bit feedback. Why is this
useful you ask? Because this routine will allow you to encrypt an
arbitrary number of bytes, no 8 byte padding. Each call to this
arbitrary number of bytes, without 8 byte padding. Each call to this
routine will encrypt the input bytes to output and then update ivec
and num. num contains 'how far' we are though ivec. If this does
not make much sense, read more about cfb mode of DES :-).
not make much sense, read more about CFB mode of DES.
DES_ede3_cfb64_encrypt() and DES_ede2_cfb64_encrypt() is the same as
DES_cfb64_encrypt() except that Triple-DES is used.
DES_ofb_encrypt() encrypts using output feedback mode. This method
takes an array of characters as input and outputs and array of
takes an array of characters as input and outputs an array of
characters. It does not require any padding to 8 character groups.
Note: the I<ivec> variable is changed and the new changed value needs to
be passed to the next call to this function. Since this function runs
a complete DES ECB encryption per numbits, this function is only
suggested for use when sending small numbers of characters.
a complete DES ECB encryption per I<numbits>, this function is only
suggested for use when sending a small number of characters.
DES_ofb64_encrypt() is the same as DES_cfb64_encrypt() using Output
Feed Back mode.
@ -232,10 +232,10 @@ The following are DES-based transformations:
DES_fcrypt() is a fast version of the Unix crypt(3) function. This
version takes only a small amount of space relative to other fast
crypt() implementations. This is different to the normal crypt in
crypt() implementations. This is different to the normal crypt() in
that the third parameter is the buffer that the return value is
written into. It needs to be at least 14 bytes long. This function
is thread safe, unlike the normal crypt.
is thread safe, unlike the normal crypt().
DES_crypt() is a faster replacement for the normal system crypt().
This function calls DES_fcrypt() with a static array passed as the

View File

@ -310,16 +310,17 @@ This example digests the data "Test Message\n" and "Hello World\n", using the
digest name passed on the command line.
#include <stdio.h>
#include <string.h>
#include <openssl/evp.h>
main(int argc, char *argv[])
int main(int argc, char *argv[])
{
EVP_MD_CTX *mdctx;
const EVP_MD *md;
char mess1[] = "Test Message\n";
char mess2[] = "Hello World\n";
unsigned char md_value[EVP_MAX_MD_SIZE];
int md_len, i;
unsigned int md_len, i;
if (argv[1] == NULL) {
printf("Usage: mdtest digestname\n");

View File

@ -4,20 +4,55 @@
EVP_PKEY_CTX_ctrl,
EVP_PKEY_CTX_ctrl_str,
EVP_PKEY_CTX_ctrl_uint64,
EVP_PKEY_CTX_md,
EVP_PKEY_CTX_set_signature_md,
EVP_PKEY_CTX_get_signature_md,
EVP_PKEY_CTX_set_mac_key,
EVP_PKEY_CTX_set_rsa_padding,
EVP_PKEY_CTX_get_rsa_padding,
EVP_PKEY_CTX_set_rsa_pss_saltlen,
EVP_PKEY_CTX_get_rsa_pss_saltlen,
EVP_PKEY_CTX_set_rsa_keygen_bits,
EVP_PKEY_CTX_set_rsa_keygen_pubexp,
EVP_PKEY_CTX_set_rsa_keygen_primes,
EVP_PKEY_CTX_set_rsa_mgf1_md,
EVP_PKEY_CTX_get_rsa_mgf1_md,
EVP_PKEY_CTX_set_rsa_oaep_md,
EVP_PKEY_CTX_get_rsa_oaep_md,
EVP_PKEY_CTX_set0_rsa_oaep_label,
EVP_PKEY_CTX_get0_rsa_oaep_label,
EVP_PKEY_CTX_set_dsa_paramgen_bits,
EVP_PKEY_CTX_set_dh_paramgen_prime_len,
EVP_PKEY_CTX_set_dh_paramgen_subprime_len,
EVP_PKEY_CTX_set_dh_paramgen_generator,
EVP_PKEY_CTX_set_dh_paramgen_type,
EVP_PKEY_CTX_set_dh_rfc5114,
EVP_PKEY_CTX_set_dhx_rfc5114,
EVP_PKEY_CTX_set_dh_pad,
EVP_PKEY_CTX_set_dh_nid,
EVP_PKEY_CTX_set_dh_kdf_type,
EVP_PKEY_CTX_get_dh_kdf_type,
EVP_PKEY_CTX_set0_dh_kdf_oid,
EVP_PKEY_CTX_get0_dh_kdf_oid,
EVP_PKEY_CTX_set_dh_kdf_md,
EVP_PKEY_CTX_get_dh_kdf_md,
EVP_PKEY_CTX_set_dh_kdf_outlen,
EVP_PKEY_CTX_get_dh_kdf_outlen,
EVP_PKEY_CTX_set0_dh_kdf_ukm,
EVP_PKEY_CTX_get0_dh_kdf_ukm,
EVP_PKEY_CTX_set_ec_paramgen_curve_nid,
EVP_PKEY_CTX_set_ec_param_enc,
EVP_PKEY_CTX_set_ecdh_cofactor_mode,
EVP_PKEY_CTX_get_ecdh_cofactor_mode,
EVP_PKEY_CTX_set_ecdh_kdf_type,
EVP_PKEY_CTX_get_ecdh_kdf_type,
EVP_PKEY_CTX_set_ecdh_kdf_md,
EVP_PKEY_CTX_get_ecdh_kdf_md,
EVP_PKEY_CTX_set_ecdh_kdf_outlen,
EVP_PKEY_CTX_get_ecdh_kdf_outlen,
EVP_PKEY_CTX_set0_ecdh_kdf_ukm,
EVP_PKEY_CTX_get0_ecdh_kdf_ukm,
EVP_PKEY_CTX_set1_id, EVP_PKEY_CTX_get1_id, EVP_PKEY_CTX_get1_id_len
- algorithm specific control operations
@ -27,9 +62,13 @@ EVP_PKEY_CTX_set1_id, EVP_PKEY_CTX_get1_id, EVP_PKEY_CTX_get1_id_len
int EVP_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int keytype, int optype,
int cmd, int p1, void *p2);
int EVP_PKEY_CTX_ctrl_uint64(EVP_PKEY_CTX *ctx, int keytype, int optype,
int cmd, uint64_t value);
int EVP_PKEY_CTX_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
const char *value);
int EVP_PKEY_CTX_md(EVP_PKEY_CTX *ctx, int optype, int cmd, const char *md);
int EVP_PKEY_CTX_set_signature_md(EVP_PKEY_CTX *ctx, const EVP_MD *md);
int EVP_PKEY_CTX_get_signature_md(EVP_PKEY_CTX *ctx, const EVP_MD **pmd);
@ -38,22 +77,58 @@ EVP_PKEY_CTX_set1_id, EVP_PKEY_CTX_get1_id, EVP_PKEY_CTX_get1_id_len
#include <openssl/rsa.h>
int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int pad);
int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *pad);
int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int len);
int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *len);
int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int mbits);
int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp);
int EVP_PKEY_CTX_set_rsa_keygen_primes(EVP_PKEY_CTX *ctx, int primes);
int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md);
int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD **md);
int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD *md);
int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **md);
int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char *label, int len);
int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label);
#include <openssl/dsa.h>
int EVP_PKEY_CTX_set_dsa_paramgen_bits(EVP_PKEY_CTX *ctx, int nbits);
#include <openssl/dh.h>
int EVP_PKEY_CTX_set_dh_paramgen_prime_len(EVP_PKEY_CTX *ctx, int len);
int EVP_PKEY_CTX_set_dh_paramgen_subprime_len(EVP_PKEY_CTX *ctx, int len);
int EVP_PKEY_CTX_set_dh_paramgen_generator(EVP_PKEY_CTX *ctx, int gen);
int EVP_PKEY_CTX_set_dh_paramgen_type(EVP_PKEY_CTX *ctx, int type);
int EVP_PKEY_CTX_set_dh_pad(EVP_PKEY_CTX *ctx, int pad);
int EVP_PKEY_CTX_set_dh_nid(EVP_PKEY_CTX *ctx, int nid);
int EVP_PKEY_CTX_set_dh_rfc5114(EVP_PKEY_CTX *ctx, int rfc5114);
int EVP_PKEY_CTX_set_dhx_rfc5114(EVP_PKEY_CTX *ctx, int rfc5114);
int EVP_PKEY_CTX_set_dh_kdf_type(EVP_PKEY_CTX *ctx, int kdf);
int EVP_PKEY_CTX_get_dh_kdf_type(EVP_PKEY_CTX *ctx);
int EVP_PKEY_CTX_set0_dh_kdf_oid(EVP_PKEY_CTX *ctx, ASN1_OBJECT *oid);
int EVP_PKEY_CTX_get0_dh_kdf_oid(EVP_PKEY_CTX *ctx, ASN1_OBJECT **oid);
int EVP_PKEY_CTX_set_dh_kdf_md(EVP_PKEY_CTX *ctx, const EVP_MD *md);
int EVP_PKEY_CTX_get_dh_kdf_md(EVP_PKEY_CTX *ctx, const EVP_MD **md);
int EVP_PKEY_CTX_set_dh_kdf_outlen(EVP_PKEY_CTX *ctx, int len);
int EVP_PKEY_CTX_get_dh_kdf_outlen(EVP_PKEY_CTX *ctx, int *len);
int EVP_PKEY_CTX_set0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char *ukm, int len);
int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm);
#include <openssl/ec.h>
int EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx, int nid);
int EVP_PKEY_CTX_set_ec_param_enc(EVP_PKEY_CTX *ctx, int param_enc);
int EVP_PKEY_CTX_set_ecdh_cofactor_mode(EVP_PKEY_CTX *ctx, int cofactor_mode);
int EVP_PKEY_CTX_get_ecdh_cofactor_mode(EVP_PKEY_CTX *ctx);
int EVP_PKEY_CTX_set_ecdh_kdf_type(EVP_PKEY_CTX *ctx, int kdf);
int EVP_PKEY_CTX_get_ecdh_kdf_type(EVP_PKEY_CTX *ctx);
int EVP_PKEY_CTX_set_ecdh_kdf_md(EVP_PKEY_CTX *ctx, const EVP_MD *md);
int EVP_PKEY_CTX_get_ecdh_kdf_md(EVP_PKEY_CTX *ctx, const EVP_MD **md);
int EVP_PKEY_CTX_set_ecdh_kdf_outlen(EVP_PKEY_CTX *ctx, int len);
int EVP_PKEY_CTX_get_ecdh_kdf_outlen(EVP_PKEY_CTX *ctx, int *len);
int EVP_PKEY_CTX_set0_ecdh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char *ukm, int len);
int EVP_PKEY_CTX_get0_ecdh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm);
int EVP_PKEY_CTX_set1_id(EVP_PKEY_CTX *ctx, void *id, size_t id_len);
int EVP_PKEY_CTX_get1_id(EVP_PKEY_CTX *ctx, void *id);
@ -73,6 +148,9 @@ and B<p2> is MAC key. This is used by Poly1305, SipHash, HMAC and CMAC.
Applications will not normally call EVP_PKEY_CTX_ctrl() directly but will
instead call one of the algorithm specific macros below.
The function EVP_PKEY_CTX_ctrl_uint64() is a wrapper that directly passes a
uint64 value as B<p2> to EVP_PKEY_CTX_ctrl().
The function EVP_PKEY_CTX_ctrl_str() allows an application to send an algorithm
specific control operation to a context B<ctx> in string form. This is
intended to be used for options specified on the command line or in text
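Review bot: "directly passes a uint64 value as B<p2>" is misleading, since B<p2> is a B<void *>; what the wrapper passes is the address of B<value>, with B<p1> set to 0. Suggest: "The function EVP_PKEY_CTX_ctrl_uint64() is a wrapper around EVP_PKEY_CTX_ctrl() that passes a pointer to the B<uint64_t> B<value> as B<p2> (and 0 as B<p1>); it exists for controls whose argument does not fit in an B<int>."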
@ -80,6 +158,9 @@ files. The commands supported are documented in the openssl utility
command line pages for the option B<-pkeyopt> which is supported by the
B<pkeyutl>, B<genpkey> and B<req> commands.
The function EVP_PKEY_CTX_md() sends a message digest control operation
to the context B<ctx>. The message digest is specified by its name B<md>.
All the remaining "functions" are implemented as macros.
The EVP_PKEY_CTX_set_signature_md() macro sets the message digest type used
@ -99,12 +180,14 @@ L<EVP_PKEY_new_raw_private_key(3)> or similar functions instead of this macro.
The EVP_PKEY_CTX_set_mac_key() macro can be used with any of the algorithms
supported by the L<EVP_PKEY_new_raw_private_key(3)> function.
The macro EVP_PKEY_CTX_set_rsa_padding() sets the RSA padding mode for B<ctx>.
The B<pad> parameter can take the value RSA_PKCS1_PADDING for PKCS#1 padding,
RSA_SSLV23_PADDING for SSLv23 padding, RSA_NO_PADDING for no padding,
RSA_PKCS1_OAEP_PADDING for OAEP padding (encrypt and decrypt only),
RSA_X931_PADDING for X9.31 padding (signature operations only) and
RSA_PKCS1_PSS_PADDING (sign and verify only).
=head2 RSA parameters
The EVP_PKEY_CTX_set_rsa_padding() macro sets the RSA padding mode for B<ctx>.
The B<pad> parameter can take the value B<RSA_PKCS1_PADDING> for PKCS#1
padding, B<RSA_SSLV23_PADDING> for SSLv23 padding, B<RSA_NO_PADDING> for
no padding, B<RSA_PKCS1_OAEP_PADDING> for OAEP padding (encrypt and
decrypt only), B<RSA_X931_PADDING> for X9.31 padding (signature operations
only) and B<RSA_PKCS1_PSS_PADDING> (sign and verify only).
Two RSA padding modes behave differently if EVP_PKEY_CTX_set_signature_md()
is used. If this macro is called for PKCS#1 padding the plaintext buffer is
@ -116,41 +199,154 @@ padding for RSA the algorithm identifier byte is added or checked and removed
if this control is called. If it is not called then the first byte of the plaintext
buffer is expected to be the algorithm identifier byte.
The EVP_PKEY_CTX_get_rsa_padding() macro gets the RSA padding mode for B<ctx>.
The EVP_PKEY_CTX_set_rsa_pss_saltlen() macro sets the RSA PSS salt length to
B<len> as its name implies it is only supported for PSS padding. Three special
values are supported: RSA_PSS_SALTLEN_DIGEST sets the salt length to the
digest length, RSA_PSS_SALTLEN_MAX sets the salt length to the maximum
permissible value. When verifying RSA_PSS_SALTLEN_AUTO causes the salt length
B<len>. As its name implies it is only supported for PSS padding. Three special
values are supported: B<RSA_PSS_SALTLEN_DIGEST> sets the salt length to the
digest length, B<RSA_PSS_SALTLEN_MAX> sets the salt length to the maximum
permissible value. When verifying B<RSA_PSS_SALTLEN_AUTO> causes the salt length
to be automatically determined based on the B<PSS> block structure. If this
macro is not called maximum salt length is used when signing and auto detection
when verifying is used by default.
The EVP_PKEY_CTX_get_rsa_pss_saltlen() macro gets the RSA PSS salt length
for B<ctx>. The padding mode must have been set to B<RSA_PKCS1_PSS_PADDING>.
The EVP_PKEY_CTX_set_rsa_keygen_bits() macro sets the RSA key length for
RSA key generation to B<bits>. If not specified 1024 bits is used.
The EVP_PKEY_CTX_set_rsa_keygen_pubexp() macro sets the public exponent value
for RSA key generation to B<pubexp> currently it should be an odd integer. The
for RSA key generation to B<pubexp>. Currently it should be an odd integer. The
B<pubexp> pointer is used internally by this function so it should not be
modified or free after the call. If this macro is not called then 65537 is used.
modified or freed after the call. If not specified 65537 is used.
The macro EVP_PKEY_CTX_set_dsa_paramgen_bits() sets the number of bits used
The EVP_PKEY_CTX_set_rsa_keygen_primes() macro sets the number of primes for
RSA key generation to B<primes>. If not specified 2 is used.
The EVP_PKEY_CTX_set_rsa_mgf1_md() macro sets the MGF1 digest for RSA padding
schemes to B<md>. If not explicitly set the signing digest is used. The
padding mode must have been set to B<RSA_PKCS1_OAEP_PADDING>
or B<RSA_PKCS1_PSS_PADDING>.
The EVP_PKEY_CTX_get_rsa_mgf1_md() macro gets the MGF1 digest for B<ctx>.
If not explicitly set the signing digest is used. The padding mode must have
been set to B<RSA_PKCS1_OAEP_PADDING> or B<RSA_PKCS1_PSS_PADDING>.
The EVP_PKEY_CTX_set_rsa_oaep_md() macro sets the message digest type used
in RSA OAEP to B<md>. The padding mode must have been set to
B<RSA_PKCS1_OAEP_PADDING>.
The EVP_PKEY_CTX_get_rsa_oaep_md() macro gets the message digest type used
in RSA OAEP to B<md>. The padding mode must have been set to
B<RSA_PKCS1_OAEP_PADDING>.
The EVP_PKEY_CTX_set0_rsa_oaep_label() macro sets the RSA OAEP label to
B<label> and its length to B<len>. If B<label> is NULL or B<len> is 0,
the label is cleared. The library takes ownership of the label so the
caller should not free the original memory pointed to by B<label>.
The padding mode must have been set to B<RSA_PKCS1_OAEP_PADDING>.
The EVP_PKEY_CTX_get0_rsa_oaep_label() macro gets the RSA OAEP label to
B<label>. The return value is the label length. The padding mode
must have been set to B<RSA_PKCS1_OAEP_PADDING>. The resulting pointer is owned
by the library and should not be freed by the caller.
=head2 DSA parameters
The EVP_PKEY_CTX_set_dsa_paramgen_bits() macro sets the number of bits used
for DSA parameter generation to B<bits>. If not specified 1024 is used.
The macro EVP_PKEY_CTX_set_dh_paramgen_prime_len() sets the length of the DH
=head2 DH parameters
The EVP_PKEY_CTX_set_dh_paramgen_prime_len() macro sets the length of the DH
prime parameter B<p> for DH parameter generation. If this macro is not called
then 1024 is used.
then 1024 is used. Only accepts lengths greater than or equal to 256.
The EVP_PKEY_CTX_set_dh_paramgen_subprime_len() macro sets the length of the DH
optional subprime parameter B<q> for DH parameter generation. The default is
256 if the prime is at least 2048 bits long or 160 otherwise. The DH
paramgen type must have been set to x9.42.
The EVP_PKEY_CTX_set_dh_paramgen_generator() macro sets DH generator to B<gen>
for DH parameter generation. If not specified 2 is used.
The EVP_PKEY_CTX_set_dh_paramgen_type() macro sets the key type for DH
parameter generation. Use 0 for PKCS#3 DH and 1 for X9.42 DH.
The default is 0.
The EVP_PKEY_CTX_set_dh_pad() macro sets the DH padding mode. If B<pad> is
1 the shared secret is padded with zeroes up to the size of the DH prime B<p>.
If B<pad> is zero (the default) then no padding is performed.
EVP_PKEY_CTX_set_dh_nid() sets the DH parameters to values corresponding to
B<nid>. The B<nid> parameter must be B<NID_ffdhe2048>, B<NID_ffdhe3072>,
B<NID_ffdhe4096>, B<NID_ffdhe6144> or B<NID_ffdhe8192>. This macro can be
called during parameter or key generation.
B<nid> as defined in RFC7919. The B<nid> parameter must be B<NID_ffdhe2048>,
B<NID_ffdhe3072>, B<NID_ffdhe4096>, B<NID_ffdhe6144>, B<NID_ffdhe8192>
or B<NID_undef> to clear the stored value. This macro can be called during
parameter or key generation.
The nid parameter and the rfc5114 parameter are mutually exclusive.
The EVP_PKEY_CTX_set_dh_rfc5114() and EVP_PKEY_CTX_set_dhx_rfc5114() macros are
synonymous. They set the DH parameters to the values defined in RFC5114. The
B<rfc5114> parameter must be 1, 2 or 3 corresponding to RFC5114 sections
2.1, 2.2 and 2.3. or 0 to clear the stored value. This macro can be called
during parameter generation. The B<ctx> must have a key type of
B<EVP_PKEY_DHX>.
The rfc5114 parameter and the nid parameter are mutually exclusive.
=head2 DH key derivation function parameters
Note that all of the following functions require that the B<ctx> parameter has
a private key type of B<EVP_PKEY_DHX>. When using key derivation, the output of
EVP_PKEY_derive() is the output of the KDF instead of the DH shared secret.
The KDF output is typically used as a Key Encryption Key (KEK) that in turn
encrypts a Content Encryption Key (CEK).
The EVP_PKEY_CTX_set_dh_kdf_type() macro sets the key derivation function type
to B<kdf> for DH key derivation. Possible values are B<EVP_PKEY_DH_KDF_NONE>
and B<EVP_PKEY_DH_KDF_X9_42> which uses the key derivation specified in RFC2631
(based on the keying algorithm described in X9.42). When using key derivation,
the B<kdf_oid>, B<kdf_md> and B<kdf_outlen> parameters must also be specified.
The EVP_PKEY_CTX_get_dh_kdf_type() macro gets the key derivation function type
for B<ctx> used for DH key derivation. Possible values are B<EVP_PKEY_DH_KDF_NONE>
and B<EVP_PKEY_DH_KDF_X9_42>.
The EVP_PKEY_CTX_set0_dh_kdf_oid() macro sets the key derivation function
object identifier to B<oid> for DH key derivation. This OID should identify
the algorithm to be used with the Content Encryption Key.
The library takes ownership of the object identifier so the caller should not
free the original memory pointed to by B<oid>.
The EVP_PKEY_CTX_get0_dh_kdf_oid() macro gets the key derivation function oid
for B<ctx> used for DH key derivation. The resulting pointer is owned by the
library and should not be freed by the caller.
The EVP_PKEY_CTX_set_dh_kdf_md() macro sets the key derivation function
message digest to B<md> for DH key derivation. Note that RFC2631 specifies
that this digest should be SHA1 but OpenSSL tolerates other digests.
The EVP_PKEY_CTX_get_dh_kdf_md() macro gets the key derivation function
message digest for B<ctx> used for DH key derivation.
The EVP_PKEY_CTX_set_dh_kdf_outlen() macro sets the key derivation function
output length to B<len> for DH key derivation.
The EVP_PKEY_CTX_get_dh_kdf_outlen() macro gets the key derivation function
output length for B<ctx> used for DH key derivation.
The EVP_PKEY_CTX_set0_dh_kdf_ukm() macro sets the user key material to
B<ukm> and its length to B<len> for DH key derivation. This parameter is optional
and corresponds to the partyAInfo field in RFC2631 terms. The specification
requires that it is 512 bits long but this is not enforced by OpenSSL.
The library takes ownership of the user key material so the caller should not
free the original memory pointed to by B<ukm>.
The EVP_PKEY_CTX_get0_dh_kdf_ukm() macro gets the user key material for B<ctx>.
The return value is the user key material length. The resulting pointer is owned
by the library and should not be freed by the caller.
=head2 EC parameters
The EVP_PKEY_CTX_set_ec_paramgen_curve_nid() sets the EC curve for EC parameter
generation to B<nid>. For EC parameter generation this macro must be called
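Review bot: the defaults this hunk documents or leaves in place are below what any current guidance allows: 1024-bit RSA keygen (EVP_PKEY_CTX_set_rsa_keygen_bits), 1024-bit DSA parameters (EVP_PKEY_CTX_set_dsa_paramgen_bits) and a 1024-bit DH prime (EVP_PKEY_CTX_set_dh_paramgen_prime_len). If the defaults cannot change in a patch release, each of those three sentences should at least say that callers are expected to set the size explicitly and that 2048 bits is the minimum to use in practice. Two smaller points on the same hunk: the "library takes ownership" sentences for EVP_PKEY_CTX_set0_rsa_oaep_label(), EVP_PKEY_CTX_set0_dh_kdf_oid() and EVP_PKEY_CTX_set0_dh_kdf_ukm() should state that the memory will be released with OPENSSL_free() and therefore must have been allocated with OPENSSL_malloc(), otherwise a caller who passes a plain malloc()'d or static buffer gets a crash rather than a documented error; and the EVP_PKEY_CTX_set_rsa_mgf1_md() paragraph says the padding mode "must have been set" but not whether the call fails or is deferred when it has not, which is worth one clause.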
@ -158,7 +354,7 @@ or an error occurs because there is no default curve.
This function can also be called to set the curve explicitly when
generating an EC key.
The EVP_PKEY_CTX_set_ec_param_enc() sets the EC parameter encoding to
The EVP_PKEY_CTX_set_ec_param_enc() macro sets the EC parameter encoding to
B<param_enc> when generating EC parameters or an EC key. The encoding can be
B<OPENSSL_EC_EXPLICIT_CURVE> for explicit parameters (the default in versions
of OpenSSL before 1.1.0) or B<OPENSSL_EC_NAMED_CURVE> to use named curve form.
@ -166,6 +362,53 @@ For maximum compatibility the named curve form should be used. Note: the
B<OPENSSL_EC_NAMED_CURVE> value was only added to OpenSSL 1.1.0; previous
versions should use 0 instead.
=head2 ECDH parameters
The EVP_PKEY_CTX_set_ecdh_cofactor_mode() macro sets the cofactor mode to
B<cofactor_mode> for ECDH key derivation. Possible values are 1 to enable
cofactor key derivation, 0 to disable it and -1 to clear the stored cofactor
mode and fallback to the private key cofactor mode.
The EVP_PKEY_CTX_get_ecdh_cofactor_mode() macro returns the cofactor mode for
B<ctx> used for ECDH key derivation. Possible values are 1 when cofactor key
derivation is enabled and 0 otherwise.
=head2 ECDH key derivation function parameters
The EVP_PKEY_CTX_set_ecdh_kdf_type() macro sets the key derivation function type
to B<kdf> for ECDH key derivation. Possible values are B<EVP_PKEY_ECDH_KDF_NONE>
and B<EVP_PKEY_ECDH_KDF_X9_63> which uses the key derivation specified in X9.63.
When using key derivation, the B<kdf_md> and B<kdf_outlen> parameters must
also be specified.
The EVP_PKEY_CTX_get_ecdh_kdf_type() macro returns the key derivation function
type for B<ctx> used for ECDH key derivation. Possible values are
B<EVP_PKEY_ECDH_KDF_NONE> and B<EVP_PKEY_ECDH_KDF_X9_63>.
The EVP_PKEY_CTX_set_ecdh_kdf_md() macro sets the key derivation function
message digest to B<md> for ECDH key derivation. Note that X9.63 specifies
that this digest should be SHA1 but OpenSSL tolerates other digests.
The EVP_PKEY_CTX_get_ecdh_kdf_md() macro gets the key derivation function
message digest for B<ctx> used for ECDH key derivation.
The EVP_PKEY_CTX_set_ecdh_kdf_outlen() macro sets the key derivation function
output length to B<len> for ECDH key derivation.
The EVP_PKEY_CTX_get_ecdh_kdf_outlen() macro gets the key derivation function
output length for B<ctx> used for ECDH key derivation.
The EVP_PKEY_CTX_set0_ecdh_kdf_ukm() macro sets the user key material to B<ukm>
for ECDH key derivation. This parameter is optional and corresponds to the
shared info in X9.63 terms. The library takes ownership of the user key material
so the caller should not free the original memory pointed to by B<ukm>.
The EVP_PKEY_CTX_get0_ecdh_kdf_ukm() macro gets the user key material for B<ctx>.
The return value is the user key material length. The resulting pointer is owned
by the library and should not be freed by the caller.
=head2 Other parameters
The EVP_PKEY_CTX_set1_id(), EVP_PKEY_CTX_get1_id() and EVP_PKEY_CTX_get1_id_len()
macros are used to manipulate the special identifier field for specific signature
algorithms such as SM2. The EVP_PKEY_CTX_set1_id() sets an ID pointed by B<id> with
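Review bot: "fallback" is used as a verb in the cofactor-mode paragraph ("clear the stored cofactor mode and fallback to the private key cofactor mode"); make it "fall back". Two documentation points in the KDF paragraphs: the digest sentence says X9.63 specifies SHA1 while OpenSSL tolerates other digests, which reads as an endorsement of SHA1 rather than a compatibility note, so say which digest callers are expected to pass; and the EVP_PKEY_CTX_set0_ecdh_kdf_ukm() paragraph documents the ownership transfer but not when the library frees the material (on a second set0 call, or when B<ctx> is freed), which a caller who sets it more than once needs to know.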
@ -191,7 +434,7 @@ L<EVP_PKEY_decrypt(3)>,
L<EVP_PKEY_sign(3)>,
L<EVP_PKEY_verify(3)>,
L<EVP_PKEY_verify_recover(3)>,
L<EVP_PKEY_derive(3)>
L<EVP_PKEY_derive(3)>,
L<EVP_PKEY_keygen(3)>
=head1 HISTORY

@ -68,12 +68,12 @@ error occurs.
=back
EVP_PKEY_set_hkdf_md() sets the message digest associated with the HKDF.
EVP_PKEY_CTX_set_hkdf_md() sets the message digest associated with the HKDF.
EVP_PKEY_CTX_set1_hkdf_salt() sets the salt to B<saltlen> bytes of the
buffer B<salt>. Any existing value is replaced.
EVP_PKEY_CTX_set_hkdf_key() sets the key to B<keylen> bytes of the buffer
EVP_PKEY_CTX_set1_hkdf_key() sets the key to B<keylen> bytes of the buffer
B<key>. Any existing value is replaced.
EVP_PKEY_CTX_add1_hkdf_info() sets the info value to B<infolen> bytes of the
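Review bot: the corrected names EVP_PKEY_CTX_set1_hkdf_salt() and EVP_PKEY_CTX_set1_hkdf_key() now carry the set1 suffix, but the sentences still only say the value is "replaced"; under the naming convention that suffix means the bytes are copied and the caller keeps ownership of B<salt> and B<key>, so state that explicitly, since callers of a KDF commonly wipe the key buffer immediately after the call and need to know it is safe to do so.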

@ -32,7 +32,7 @@ The EVP_PKEY_CTX_set_rsa_pss_saltlen() macro is used to set the salt length.
If the key has usage restrictions then an error is returned if an attempt is
made to set the salt length below the minimum value. It is otherwise similar
to the B<RSA> operation except detection of the salt length (using
RSA_PSS_SALTLEN_AUTO is not supported for verification if the key has
RSA_PSS_SALTLEN_AUTO) is not supported for verification if the key has
usage restrictions.
The EVP_PKEY_CTX_set_signature_md() and EVP_PKEY_CTX_set_rsa_mgf1_md() macros
@ -43,7 +43,7 @@ similar to the B<RSA> versions.
=head2 Key Generation
As with RSA key generation the EVP_PKEY_CTX_set_rsa_rsa_keygen_bits()
As with RSA key generation the EVP_PKEY_CTX_set_rsa_keygen_bits()
and EVP_PKEY_CTX_set_rsa_keygen_pubexp() macros are supported for RSA-PSS:
they have exactly the same meaning as for the RSA algorithm.

@ -6,8 +6,10 @@ EVP_PKEY_set1_RSA, EVP_PKEY_set1_DSA, EVP_PKEY_set1_DH, EVP_PKEY_set1_EC_KEY,
EVP_PKEY_get1_RSA, EVP_PKEY_get1_DSA, EVP_PKEY_get1_DH, EVP_PKEY_get1_EC_KEY,
EVP_PKEY_get0_RSA, EVP_PKEY_get0_DSA, EVP_PKEY_get0_DH, EVP_PKEY_get0_EC_KEY,
EVP_PKEY_assign_RSA, EVP_PKEY_assign_DSA, EVP_PKEY_assign_DH,
EVP_PKEY_assign_EC_KEY, EVP_PKEY_get0_hmac, EVP_PKEY_type, EVP_PKEY_id,
EVP_PKEY_base_id, EVP_PKEY_set_alias_type, EVP_PKEY_set1_engine - EVP_PKEY assignment functions
EVP_PKEY_assign_EC_KEY, EVP_PKEY_assign_POLY1305, EVP_PKEY_assign_SIPHASH,
EVP_PKEY_get0_hmac, EVP_PKEY_get0_poly1305, EVP_PKEY_get0_siphash,
EVP_PKEY_type, EVP_PKEY_id, EVP_PKEY_base_id, EVP_PKEY_set_alias_type,
EVP_PKEY_set1_engine - EVP_PKEY assignment functions
=head1 SYNOPSIS
@ -24,6 +26,8 @@ EVP_PKEY_base_id, EVP_PKEY_set_alias_type, EVP_PKEY_set1_engine - EVP_PKEY assig
EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey);
const unsigned char *EVP_PKEY_get0_hmac(const EVP_PKEY *pkey, size_t *len);
const unsigned char *EVP_PKEY_get0_poly1305(const EVP_PKEY *pkey, size_t *len);
const unsigned char *EVP_PKEY_get0_siphash(const EVP_PKEY *pkey, size_t *len);
RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey);
DSA *EVP_PKEY_get0_DSA(EVP_PKEY *pkey);
DH *EVP_PKEY_get0_DH(EVP_PKEY *pkey);
@ -33,6 +37,8 @@ EVP_PKEY_base_id, EVP_PKEY_set_alias_type, EVP_PKEY_set1_engine - EVP_PKEY assig
int EVP_PKEY_assign_DSA(EVP_PKEY *pkey, DSA *key);
int EVP_PKEY_assign_DH(EVP_PKEY *pkey, DH *key);
int EVP_PKEY_assign_EC_KEY(EVP_PKEY *pkey, EC_KEY *key);
int EVP_PKEY_assign_POLY1305(EVP_PKEY *pkey, ASN1_OCTET_STRING *key);
int EVP_PKEY_assign_SIPHASH(EVP_PKEY *pkey, ASN1_OCTET_STRING *key);
int EVP_PKEY_id(const EVP_PKEY *pkey);
int EVP_PKEY_base_id(const EVP_PKEY *pkey);
@ -50,14 +56,15 @@ EVP_PKEY_get1_RSA(), EVP_PKEY_get1_DSA(), EVP_PKEY_get1_DH() and
EVP_PKEY_get1_EC_KEY() return the referenced key in B<pkey> or
B<NULL> if the key is not of the correct type.
EVP_PKEY_get0_hmac(), EVP_PKEY_get0_RSA(), EVP_PKEY_get0_DSA(),
EVP_PKEY_get0_DH() and EVP_PKEY_get0_EC_KEY() also return the
referenced key in B<pkey> or B<NULL> if the key is not of the
correct type but the reference count of the returned key is
B<not> incremented and so must not be freed up after use.
EVP_PKEY_get0_hmac(), EVP_PKEY_get0_poly1305(), EVP_PKEY_get0_siphash(),
EVP_PKEY_get0_RSA(), EVP_PKEY_get0_DSA(), EVP_PKEY_get0_DH()
and EVP_PKEY_get0_EC_KEY() also return the referenced key in B<pkey> or B<NULL>
if the key is not of the correct type but the reference count of the
returned key is B<not> incremented and so must not be freed up after use.
EVP_PKEY_assign_RSA(), EVP_PKEY_assign_DSA(), EVP_PKEY_assign_DH()
and EVP_PKEY_assign_EC_KEY() also set the referenced key to B<key>
EVP_PKEY_assign_RSA(), EVP_PKEY_assign_DSA(), EVP_PKEY_assign_DH(),
EVP_PKEY_assign_EC_KEY(), EVP_PKEY_assign_POLY1305() and
EVP_PKEY_assign_SIPHASH() also set the referenced key to B<key>
however these use the supplied B<key> internally and so B<key>
will be freed when the parent B<pkey> is freed.
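Review bot: the sentence "the reference count of the returned key is B<not> incremented and so must not be freed up after use" is now applied to EVP_PKEY_get0_hmac(), EVP_PKEY_get0_poly1305() and EVP_PKEY_get0_siphash() as well as the RSA/DSA/DH/EC getters, but per the SYNOPSIS those three return a const unsigned char * plus a length, not a reference-counted object. Split the sentence: the raw-key getters return a pointer into B<pkey> that is valid only while B<pkey> lives and must not be freed, while the RSA/DSA/DH/EC getters return a reference-counted key whose count is not incremented. The following paragraph does cover that EVP_PKEY_assign_POLY1305() and EVP_PKEY_assign_SIPHASH() take over the ASN1_OCTET_STRING and free it with B<pkey>, which is the right place for it.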
@ -89,8 +96,9 @@ In accordance with the OpenSSL naming convention the key obtained
from or assigned to the B<pkey> using the B<1> functions must be
freed as well as B<pkey>.
EVP_PKEY_assign_RSA(), EVP_PKEY_assign_DSA(), EVP_PKEY_assign_DH()
and EVP_PKEY_assign_EC_KEY() are implemented as macros.
EVP_PKEY_assign_RSA(), EVP_PKEY_assign_DSA(), EVP_PKEY_assign_DH(),
EVP_PKEY_assign_EC_KEY(), EVP_PKEY_assign_POLY1305()
and EVP_PKEY_assign_SIPHASH() are implemented as macros.
Most applications wishing to know a key type will simply call
EVP_PKEY_base_id() and will not care about the actual type:
@ -119,8 +127,9 @@ EVP_PKEY_get1_RSA(), EVP_PKEY_get1_DSA(), EVP_PKEY_get1_DH() and
EVP_PKEY_get1_EC_KEY() return the referenced key or B<NULL> if
an error occurred.
EVP_PKEY_assign_RSA(), EVP_PKEY_assign_DSA(), EVP_PKEY_assign_DH()
and EVP_PKEY_assign_EC_KEY() return 1 for success and 0 for failure.
EVP_PKEY_assign_RSA(), EVP_PKEY_assign_DSA(), EVP_PKEY_assign_DH(),
EVP_PKEY_assign_EC_KEY(), EVP_PKEY_assign_POLY1305()
and EVP_PKEY_assign_SIPHASH() return 1 for success and 0 for failure.
EVP_PKEY_base_id(), EVP_PKEY_id() and EVP_PKEY_type() return a key
type or B<NID_undef> (equivalently B<EVP_PKEY_NONE>) on error.

@ -14,6 +14,9 @@ EVP_aes_256_cfb1,
EVP_aes_128_cfb8,
EVP_aes_192_cfb8,
EVP_aes_256_cfb8,
EVP_aes_128_cfb128,
EVP_aes_192_cfb128,
EVP_aes_256_cfb128,
EVP_aes_128_ctr,
EVP_aes_192_ctr,
EVP_aes_256_ctr,
@ -75,6 +78,9 @@ EVP_aes_256_cfb1(),
EVP_aes_128_cfb8(),
EVP_aes_192_cfb8(),
EVP_aes_256_cfb8(),
EVP_aes_128_cfb128(),
EVP_aes_192_cfb128(),
EVP_aes_256_cfb128(),
EVP_aes_128_ctr(),
EVP_aes_192_ctr(),
EVP_aes_256_ctr(),
@ -170,7 +176,7 @@ L<EVP_CIPHER_meth_new(3)>
=head1 COPYRIGHT
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

@ -14,6 +14,9 @@ EVP_aria_256_cfb1,
EVP_aria_128_cfb8,
EVP_aria_192_cfb8,
EVP_aria_256_cfb8,
EVP_aria_128_cfb128,
EVP_aria_192_cfb128,
EVP_aria_256_cfb128,
EVP_aria_128_ctr,
EVP_aria_192_ctr,
EVP_aria_256_ctr,
@ -60,6 +63,9 @@ EVP_aria_256_cfb1(),
EVP_aria_128_cfb8(),
EVP_aria_192_cfb8(),
EVP_aria_256_cfb8(),
EVP_aria_128_cfb128(),
EVP_aria_192_cfb128(),
EVP_aria_256_cfb128(),
EVP_aria_128_ctr(),
EVP_aria_192_ctr(),
EVP_aria_256_ctr(),
@ -100,7 +106,7 @@ L<EVP_CIPHER_meth_new(3)>
=head1 COPYRIGHT
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

@ -4,6 +4,7 @@
EVP_bf_cbc,
EVP_bf_cfb,
EVP_bf_cfb64,
EVP_bf_ecb,
EVP_bf_ofb
- EVP Blowfish cipher
@ -14,6 +15,7 @@ EVP_bf_ofb
const EVP_CIPHER *EVP_bf_cbc(void)
const EVP_CIPHER *EVP_bf_cfb(void)
const EVP_CIPHER *EVP_bf_cfb64(void)
const EVP_CIPHER *EVP_bf_ecb(void)
const EVP_CIPHER *EVP_bf_ofb(void)
@ -27,6 +29,7 @@ This is a variable key length cipher.
=item EVP_bf_cbc(),
EVP_bf_cfb(),
EVP_bf_cfb64(),
EVP_bf_ecb(),
EVP_bf_ofb()
@ -48,7 +51,7 @@ L<EVP_CIPHER_meth_new(3)>
=head1 COPYRIGHT
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

@ -14,6 +14,9 @@ EVP_camellia_256_cfb1,
EVP_camellia_128_cfb8,
EVP_camellia_192_cfb8,
EVP_camellia_256_cfb8,
EVP_camellia_128_cfb128,
EVP_camellia_192_cfb128,
EVP_camellia_256_cfb128,
EVP_camellia_128_ctr,
EVP_camellia_192_ctr,
EVP_camellia_256_ctr,
@ -54,6 +57,9 @@ EVP_camellia_256_cfb1(),
EVP_camellia_128_cfb8(),
EVP_camellia_192_cfb8(),
EVP_camellia_256_cfb8(),
EVP_camellia_128_cfb128(),
EVP_camellia_192_cfb128(),
EVP_camellia_256_cfb128(),
EVP_camellia_128_ctr(),
EVP_camellia_192_ctr(),
EVP_camellia_256_ctr(),
@ -83,7 +89,7 @@ L<EVP_CIPHER_meth_new(3)>
=head1 COPYRIGHT
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

@ -4,6 +4,7 @@
EVP_cast5_cbc,
EVP_cast5_cfb,
EVP_cast5_cfb64,
EVP_cast5_ecb,
EVP_cast5_ofb
- EVP CAST cipher
@ -14,6 +15,7 @@ EVP_cast5_ofb
const EVP_CIPHER *EVP_cast5_cbc(void)
const EVP_CIPHER *EVP_cast5_cfb(void)
const EVP_CIPHER *EVP_cast5_cfb64(void)
const EVP_CIPHER *EVP_cast5_ecb(void)
const EVP_CIPHER *EVP_cast5_ofb(void)
@ -28,6 +30,7 @@ This is a variable key length cipher.
=item EVP_cast5_cbc(),
EVP_cast5_ecb(),
EVP_cast5_cfb(),
EVP_cast5_cfb64(),
EVP_cast5_ofb()
CAST encryption algorithm in CBC, ECB, CFB and OFB modes respectively.
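Review bot: "CAST encryption algorithm in CBC, ECB, CFB and OFB modes respectively" no longer lines up with the =item list once EVP_cast5_cfb64() is added (five functions, four modes), and EVP_cast5_ecb() sits before EVP_cast5_cfb() in this list but after it in NAME and SYNOPSIS. Either drop "respectively", as the EVP_des.pod hunk in this same change does, or name the shift width for the cfb64 variant so each function maps to a mode.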
@ -48,7 +51,7 @@ L<EVP_CIPHER_meth_new(3)>
=head1 COPYRIGHT
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

@ -6,19 +6,24 @@ EVP_des_cbc,
EVP_des_cfb,
EVP_des_cfb1,
EVP_des_cfb8,
EVP_des_cfb64,
EVP_des_ecb,
EVP_des_ede,
EVP_des_ede_cfb,
EVP_des_ede_ofb,
EVP_des_ofb,
EVP_des_ede,
EVP_des_ede_cbc,
EVP_des_ede_cfb,
EVP_des_ede_cfb64,
EVP_des_ede_ecb,
EVP_des_ede_ofb,
EVP_des_ede3,
EVP_des_ede3_cbc,
EVP_des_ede3_cfb,
EVP_des_ede3_cfb1,
EVP_des_ede3_cfb8,
EVP_des_ede3_cfb64,
EVP_des_ede3_ecb,
EVP_des_ede3_ofb,
EVP_des_ede3_wrap,
EVP_des_ede_cbc
EVP_des_ede3_wrap
- EVP DES cipher
=head1 SYNOPSIS
@ -43,27 +48,32 @@ EVP_des_ecb(),
EVP_des_cfb(),
EVP_des_cfb1(),
EVP_des_cfb8(),
EVP_des_cfb64(),
EVP_des_ofb()
DES in CBC, ECB, CFB with 128-bit shift, CFB with 1-bit shift, CFB with 8-bit
shift and OFB modes respectively.
DES in CBC, ECB, CFB with 64-bit shift, CFB with 1-bit shift, CFB with 8-bit
shift and OFB modes.
=item EVP_des_ede(),
EVP_des_ede_cbc(),
EVP_des_ede_ofb(),
EVP_des_ede_cfb()
EVP_des_ede_cfb(),
EVP_des_ede_cfb64(),
EVP_des_ede_ecb(),
EVP_des_ede_ofb()
Two key triple DES in ECB, CBC, CFB and OFB modes respectively.
Two key triple DES in ECB, CBC, CFB with 64-bit shift and OFB modes.
=item EVP_des_ede3(),
EVP_des_ede3_cbc(),
EVP_des_ede3_cfb(),
EVP_des_ede3_cfb1(),
EVP_des_ede3_cfb8(),
EVP_des_ede3_cfb64(),
EVP_des_ede3_ecb(),
EVP_des_ede3_ofb()
Three-key triple DES in ECB, CBC, CFB with 128-bit shift, CFB with 1-bit shift,
CFB with 8-bit shift and OFB modes respectively.
Three-key triple DES in ECB, CBC, CFB with 64-bit shift, CFB with 1-bit shift,
CFB with 8-bit shift and OFB modes.
=item EVP_des_ede3_wrap()
@ -85,7 +95,7 @@ L<EVP_CIPHER_meth_new(3)>
=head1 COPYRIGHT
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

@ -4,6 +4,7 @@
EVP_idea_cbc,
EVP_idea_cfb,
EVP_idea_cfb64,
EVP_idea_ecb,
EVP_idea_ofb
- EVP IDEA cipher
@ -14,6 +15,7 @@ EVP_idea_ofb
const EVP_CIPHER *EVP_idea_cbc(void)
const EVP_CIPHER *EVP_idea_cfb(void)
const EVP_CIPHER *EVP_idea_cfb64(void)
const EVP_CIPHER *EVP_idea_ecb(void)
const EVP_CIPHER *EVP_idea_ofb(void)
@ -25,6 +27,7 @@ The IDEA encryption algorithm for EVP.
=item EVP_idea_cbc(),
EVP_idea_cfb(),
EVP_idea_cfb64(),
EVP_idea_ecb(),
EVP_idea_ofb()
@ -46,7 +49,7 @@ L<EVP_CIPHER_meth_new(3)>
=head1 COPYRIGHT
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

@ -2,7 +2,8 @@
=head1 NAME
EVP_md5
EVP_md5,
EVP_md5_sha1
- MD5 For EVP
=head1 SYNOPSIS
@ -10,6 +11,7 @@ EVP_md5
#include <openssl/evp.h>
const EVP_MD *EVP_md5(void);
const EVP_MD *EVP_md5_sha1(void);
=head1 DESCRIPTION
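Review bot: missing documentation for EVP_md5_sha1(): it is added to NAME and SYNOPSIS but no DESCRIPTION item says what the combined digest produces or where it is meant to be used, so the prototype stands alone. Add a DESCRIPTION item that names the single protocol use case it exists for, so that it is not picked up as a general-purpose hash.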

@ -4,6 +4,7 @@
EVP_rc2_cbc,
EVP_rc2_cfb,
EVP_rc2_cfb64,
EVP_rc2_ecb,
EVP_rc2_ofb,
EVP_rc2_40_cbc,
@ -16,6 +17,7 @@ EVP_rc2_64_cbc
const EVP_CIPHER *EVP_rc2_cbc(void)
const EVP_CIPHER *EVP_rc2_cfb(void)
const EVP_CIPHER *EVP_rc2_cfb64(void)
const EVP_CIPHER *EVP_rc2_ecb(void)
const EVP_CIPHER *EVP_rc2_ofb(void)
const EVP_CIPHER *EVP_rc2_40_cbc(void)
@ -29,6 +31,7 @@ The RC2 encryption algorithm for EVP.
=item EVP_rc2_cbc(),
EVP_rc2_cfb(),
EVP_rc2_cfb64(),
EVP_rc2_ecb(),
EVP_rc2_ofb()
@ -62,7 +65,7 @@ L<EVP_CIPHER_meth_new(3)>
=head1 COPYRIGHT
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

@ -4,6 +4,7 @@
EVP_rc5_32_12_16_cbc,
EVP_rc5_32_12_16_cfb,
EVP_rc5_32_12_16_cfb64,
EVP_rc5_32_12_16_ecb,
EVP_rc5_32_12_16_ofb
- EVP RC5 cipher
@ -14,6 +15,7 @@ EVP_rc5_32_12_16_ofb
const EVP_CIPHER *EVP_rc5_32_12_16_cbc(void)
const EVP_CIPHER *EVP_rc5_32_12_16_cfb(void)
const EVP_CIPHER *EVP_rc5_32_12_16_cfb64(void)
const EVP_CIPHER *EVP_rc5_32_12_16_ecb(void)
const EVP_CIPHER *EVP_rc5_32_12_16_ofb(void)
@ -25,6 +27,7 @@ The RC5 encryption algorithm for EVP.
=item EVP_rc5_32_12_16_cbc(),
EVP_rc5_32_12_16_cfb(),
EVP_rc5_32_12_16_cfb64(),
EVP_rc5_32_12_16_ecb(),
EVP_rc5_32_12_16_ofb()
@ -53,7 +56,7 @@ L<EVP_CIPHER_meth_new(3)>
=head1 COPYRIGHT
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

@ -4,6 +4,7 @@
EVP_seed_cbc,
EVP_seed_cfb,
EVP_seed_cfb128,
EVP_seed_ecb,
EVP_seed_ofb
- EVP SEED cipher
@ -14,6 +15,7 @@ EVP_seed_ofb
const EVP_CIPHER *EVP_seed_cbc(void)
const EVP_CIPHER *EVP_seed_cfb(void)
const EVP_CIPHER *EVP_seed_cfb128(void)
const EVP_CIPHER *EVP_seed_ecb(void)
const EVP_CIPHER *EVP_seed_ofb(void)
@ -27,6 +29,7 @@ All modes below use a key length of 128 bits and acts on blocks of 128-bits.
=item EVP_seed_cbc(),
EVP_seed_cfb(),
EVP_seed_cfb128(),
EVP_seed_ecb(),
EVP_seed_ofb()
@ -48,7 +51,7 @@ L<EVP_CIPHER_meth_new(3)>
=head1 COPYRIGHT
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

@ -5,6 +5,7 @@
EVP_sm4_cbc,
EVP_sm4_ecb,
EVP_sm4_cfb,
EVP_sm4_cfb128,
EVP_sm4_ofb,
EVP_sm4_ctr
- EVP SM4 cipher
@ -16,6 +17,7 @@ EVP_sm4_ctr
const EVP_CIPHER *EVP_sm4_cbc(void);
const EVP_CIPHER *EVP_sm4_ecb(void);
const EVP_CIPHER *EVP_sm4_cfb(void);
const EVP_CIPHER *EVP_sm4_cfb128(void);
const EVP_CIPHER *EVP_sm4_ofb(void);
const EVP_CIPHER *EVP_sm4_ctr(void);
@ -30,6 +32,7 @@ All modes below use a key length of 128 bits and acts on blocks of 128 bits.
=item EVP_sm4_cbc(),
EVP_sm4_ecb(),
EVP_sm4_cfb(),
EVP_sm4_cfb128(),
EVP_sm4_ofb(),
EVP_sm4_ctr()

@ -2,13 +2,14 @@
=head1 NAME
OPENSSL_VERSION_NUMBER, OpenSSL_version,
OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT, OpenSSL_version,
OpenSSL_version_num - get OpenSSL version number
=head1 SYNOPSIS
#include <openssl/opensslv.h>
#define OPENSSL_VERSION_NUMBER 0xnnnnnnnnnL
#define OPENSSL_VERSION_TEXT "OpenSSL x.y.z xx XXX xxxx"
#include <openssl/crypto.h>
@ -45,6 +46,10 @@ Version 0.9.5a had an interim interpretation that is like the current one,
except the patch level got the highest bit set, to keep continuity. The
number was therefore 0x0090581f.
OPENSSL_VERSION_TEXT is the text variant of the version number and the
release date. For example,
"OpenSSL 1.0.1a 15 Oct 2015".
OpenSSL_version_num() returns the version number.
OpenSSL_version() returns different strings depending on B<t>:
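Review bot: OPENSSL_VERSION_TEXT is a preprocessor #define from opensslv.h, so it describes the headers the application was compiled against, not the library loaded at run time; the new paragraph should say so and point to OpenSSL_version() and OpenSSL_version_num(), documented just below, for the runtime value, because code that gates security behaviour on the version must consult the runtime one. Also, the SYNOPSIS format "OpenSSL x.y.z xx XXX xxxx" and the example "OpenSSL 1.0.1a 15 Oct 2015" disagree on whether the patch letter is part of x.y.z; align them.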

@ -64,10 +64,10 @@ RSA_meth_get_multi_prime_keygen, RSA_meth_set_multi_prime_keygen
unsigned char *to, RSA *rsa, int padding));
/* Can be null */
int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth))(BIGNUM *r0, const BIGNUM *I,
int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth))(BIGNUM *r0, const BIGNUM *i,
RSA *rsa, BN_CTX *ctx);
int RSA_meth_set_mod_exp(RSA_METHOD *rsa,
int (*mod_exp)(BIGNUM *r0, const BIGNUM *I, RSA *rsa,
int (*mod_exp)(BIGNUM *r0, const BIGNUM *i, RSA *rsa,
BN_CTX *ctx));
/* Can be null */

@ -2,14 +2,32 @@
=head1 NAME
SSL_set0_CA_list, SSL_CTX_set0_CA_list, SSL_get0_CA_list,
SSL_CTX_get0_CA_list, SSL_add1_to_CA_list, SSL_CTX_add1_to_CA_list,
SSL_get0_peer_CA_list - get or set CA list
SSL_CTX_set_client_CA_list,
SSL_set_client_CA_list,
SSL_get_client_CA_list,
SSL_CTX_get_client_CA_list,
SSL_CTX_add_client_CA,
SSL_add_client_CA,
SSL_set0_CA_list,
SSL_CTX_set0_CA_list,
SSL_get0_CA_list,
SSL_CTX_get0_CA_list,
SSL_add1_to_CA_list,
SSL_CTX_add1_to_CA_list,
SSL_get0_peer_CA_list
- get or set CA list
=head1 SYNOPSIS
#include <openssl/ssl.h>
void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list);
void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list);
STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s);
STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx);
int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *cacert);
int SSL_add_client_CA(SSL *ssl, X509 *cacert);
void SSL_CTX_set0_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list);
void SSL_set0_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list);
const STACK_OF(X509_NAME) *SSL_CTX_get0_CA_list(const SSL_CTX *ctx);
@ -21,6 +39,70 @@ SSL_get0_peer_CA_list - get or set CA list
=head1 DESCRIPTION
The functions described here set and manage the list of CA names that are sent
between two communicating peers.
For TLS versions 1.2 and earlier the list of CA names is only sent from the
server to the client when requesting a client certificate. So any list of CA
names set is never sent from client to server and the list of CA names retrieved
by SSL_get0_peer_CA_list() is always B<NULL>.
For TLS 1.3 the list of CA names is sent using the B<certificate_authorities>
extension and may be sent by a client (in the ClientHello message) or by
a server (when requesting a certificate).
In most cases it is not necessary to set CA names on the client side. The list
of CA names that are acceptable to the client will be sent in plaintext to the
server. This has privacy implications and may also have performance implications
if the list is large. This optional capability was introduced as part of TLSv1.3
and therefore setting CA names on the client side will have no impact if that
protocol version has been disabled. Most servers do not need this and so this
should be avoided unless required.
The "client CA list" functions below only have an effect when called on the
server side.
SSL_CTX_set_client_CA_list() sets the B<list> of CAs sent to the client when
requesting a client certificate for B<ctx>. Ownership of B<list> is transferred
to B<ctx> and it should not be freed by the caller.
SSL_set_client_CA_list() sets the B<list> of CAs sent to the client when
requesting a client certificate for the chosen B<ssl>, overriding the
setting valid for B<ssl>'s SSL_CTX object. Ownership of B<list> is transferred
to B<s> and it should not be freed by the caller.
SSL_CTX_get_client_CA_list() returns the list of client CAs explicitly set for
B<ctx> using SSL_CTX_set_client_CA_list(). The returned list should not be freed
by the caller.
SSL_get_client_CA_list() returns the list of client CAs explicitly
set for B<ssl> using SSL_set_client_CA_list() or B<ssl>'s SSL_CTX object with
SSL_CTX_set_client_CA_list(), when in server mode. In client mode,
SSL_get_client_CA_list returns the list of client CAs sent from the server, if
any. The returned list should not be freed by the caller.
SSL_CTX_add_client_CA() adds the CA name extracted from B<cacert> to the
list of CAs sent to the client when requesting a client certificate for
B<ctx>.
SSL_add_client_CA() adds the CA name extracted from B<cacert> to the
list of CAs sent to the client when requesting a client certificate for
the chosen B<ssl>, overriding the setting valid for B<ssl>'s SSL_CTX object.
SSL_get0_peer_CA_list() retrieves the list of CA names (if any) the peer
has sent. This can be called on either the server or the client side. The
returned list should not be freed by the caller.
The "generic CA list" functions below are very similar to the "client CA
list" functions except that they have an effect on both the server and client
sides. The lists of CA names managed are separate - so you cannot (for example)
set CA names using the "client CA list" functions and then get them using the
"generic CA list" functions. Where a mix of the two types of functions has been
used on the server side then the "client CA list" functions take precedence.
Typically, on the server side, the "client CA list " functions should be used in
preference. As noted above in most cases it is not necessary to set CA names on
the client side.
SSL_CTX_set0_CA_list() sets the list of CAs to be sent to the peer to
B<name_list>. Ownership of B<name_list> is transferred to B<ctx> and
it should not be freed by the caller.
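Review bot: parameter naming is inconsistent in the SSL_set_client_CA_list() paragraph: the SYNOPSIS declares SSL_set_client_CA_list(SSL *s, ...), but the text says "for the chosen B<ssl>" and then "Ownership of B<list> is transferred to B<s>"; the same B<ssl>/B<s> mix appears for SSL_get_client_CA_list() and SSL_add_client_CA(). Pick one name per function and match it to the SYNOPSIS. Also "SSL_get_client_CA_list returns" is missing its "()", and there is a stray space in "client CA list " functions. The paragraph on plaintext transmission of the client's CA list and its privacy cost is a useful addition; keep it.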
@ -30,10 +112,11 @@ overriding any list set in the parent B<SSL_CTX> of B<s>. Ownership of
B<name_list> is transferred to B<s> and it should not be freed by the caller.
SSL_CTX_get0_CA_list() retrieves any previously set list of CAs set for
B<ctx>.
B<ctx>. The returned list should not be freed by the caller.
SSL_CTX_get0_CA_list() retrieves any previously set list of CAs set for
B<s> or if none are set the list from the parent B<SSL_CTX> is retrieved.
SSL_get0_CA_list() retrieves any previously set list of CAs set for
B<s> or if none are set the list from the parent B<SSL_CTX> is retrieved. The
returned list should not be freed by the caller.
SSL_CTX_add1_to_CA_list() appends the CA subject name extracted from B<x> to the
list of CAs sent to peer for B<ctx>.
@ -42,47 +125,60 @@ SSL_add1_to_CA_list() appends the CA subject name extracted from B<x> to the
list of CAs sent to the peer for B<s>, overriding the setting in the parent
B<SSL_CTX>.
SSL_get0_peer_CA_list() retrieves the list of CA names (if any) the peer
has sent.
=head1 NOTES
These functions are generalised versions of the client authentication
CA list functions such as L<SSL_CTX_set_client_CA_list(3)>.
When a TLS/SSL server requests a client certificate (see
B<SSL_CTX_set_verify(3)>), it sends a list of CAs, for which it will accept
certificates, to the client.
For TLS versions before 1.3 the list of CA names is only sent from the server
to client when requesting a client certificate. So any list of CA names set
is never sent from client to server and the list of CA names retrieved by
SSL_get0_peer_CA_list() is always B<NULL>.
This list must explicitly be set using SSL_CTX_set_client_CA_list() or
SSL_CTX_set0_CA_list() for B<ctx> and SSL_set_client_CA_list() or
SSL_set0_CA_list() for the specific B<ssl>. The list specified
overrides the previous setting. The CAs listed do not become trusted (B<list>
only contains the names, not the complete certificates); use
L<SSL_CTX_load_verify_locations(3)> to additionally load them for verification.
For TLS 1.3 the list of CA names is sent using the B<certificate_authorities>
extension and will be sent by a client (in the ClientHello message) or by
a server (when requesting a certificate).
If the list of acceptable CAs is compiled in a file, the
L<SSL_load_client_CA_file(3)> function can be used to help to import the
necessary data.
SSL_CTX_add_client_CA(), SSL_CTX_add1_to_CA_list(), SSL_add_client_CA() and
SSL_add1_to_CA_list() can be used to add additional items the list of CAs. If no
list was specified before using SSL_CTX_set_client_CA_list(),
SSL_CTX_set0_CA_list(), SSL_set_client_CA_list() or SSL_set0_CA_list(), a
new CA list for B<ctx> or B<ssl> (as appropriate) is opened.
=head1 RETURN VALUES
SSL_CTX_set0_CA_list() and SSL_set0_CA_list() do not return a value.
SSL_CTX_set_client_CA_list(), SSL_set_client_CA_list(),
SSL_CTX_set_client_CA_list(), SSL_set_client_CA_list(), SSL_CTX_set0_CA_list()
and SSL_set0_CA_list() do not return a value.
SSL_CTX_get0_CA_list() and SSL_get0_CA_list() return a stack of CA names
or B<NULL> is no CA names are set.
SSL_CTX_get_client_CA_list(), SSL_get_client_CA_list(), SSL_CTX_get0_CA_list()
and SSL_get0_CA_list() return a stack of CA names or B<NULL> is no CA names are
set.
SSL_CTX_add1_to_CA_list() and SSL_add1_to_CA_list() return 1 for success and 0
for failure.
SSL_CTX_add_client_CA(),SSL_add_client_CA(), SSL_CTX_add1_to_CA_list() and
SSL_add1_to_CA_list() return 1 for success and 0 for failure.
SSL_get0_peer_CA_list() returns a stack of CA names sent by the peer or
B<NULL> or an empty stack if no list was sent.
=head1 EXAMPLES
Scan all certificates in B<CAfile> and list them as acceptable CAs:
SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));
=head1 SEE ALSO
L<ssl(7)>,
L<SSL_CTX_set_client_CA_list(3)>,
L<SSL_get_client_CA_list(3)>,
L<SSL_load_client_CA_file(3)>,
L<SSL_CTX_load_verify_locations(3)>
=head1 COPYRIGHT
Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
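Review bot: the EXAMPLES snippet passes SSL_load_client_CA_file(CAfile) straight into SSL_CTX_set_client_CA_list() without checking the return value, so an unreadable CAfile silently leaves the server with no CA list; show the NULL check. Typos in RETURN VALUES and NOTES: "B<NULL> is no CA names are set" should read "if", "SSL_CTX_add_client_CA(),SSL_add_client_CA()" needs a space after the comma, and "add additional items the list of CAs" is missing "to". The NOTES sentence that the listed CAs do not become trusted and that L<SSL_CTX_load_verify_locations(3)> must be used separately is the key security statement on this page; consider moving it into DESCRIPTION so it is not missed.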

@ -32,6 +32,9 @@ SSL_set1_curves_list, SSL_get1_curves, SSL_get_shared_curve
=head1 DESCRIPTION
For all of the functions below that set the supported groups there must be at
least one group in the list.
SSL_CTX_set1_groups() sets the supported groups for B<ctx> to B<glistlen>
groups in the array B<glist>. The array consist of all NIDs of groups in
preference order. For a TLS client the groups are used directly in the
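Review bot: the new sentence states that there must be at least one group in the list but not what happens when the constraint is violated (error return, or call ignored); say which and mirror it in RETURN VALUES, since a caller that builds the list at run time needs to handle the empty case.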
@ -99,7 +102,7 @@ functions were first added to OpenSSL 1.1.1.
=head1 COPYRIGHT
Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2013-2018 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
