mirror of
https://git.FreeBSD.org/src.git
synced 2024-12-11 09:50:12 +00:00
Merge OpenSSL 1.1.1a.
This commit is contained in:
commit
c9cf7b5cb1
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=340703
@ -7,6 +7,42 @@
|
||||
https://github.com/openssl/openssl/commits/ and pick the appropriate
|
||||
release branch.
|
||||
|
||||
Changes between 1.1.1 and 1.1.1a [20 Nov 2018]
|
||||
|
||||
*) Timing vulnerability in DSA signature generation
|
||||
|
||||
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
|
||||
timing side channel attack. An attacker could use variations in the signing
|
||||
algorithm to recover the private key.
|
||||
|
||||
This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
|
||||
(CVE-2018-0734)
|
||||
[Paul Dale]
|
||||
|
||||
*) Timing vulnerability in ECDSA signature generation
|
||||
|
||||
The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
|
||||
timing side channel attack. An attacker could use variations in the signing
|
||||
algorithm to recover the private key.
|
||||
|
||||
This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
|
||||
(CVE-2018-0735)
|
||||
[Paul Dale]
|
||||
|
||||
*) Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for
|
||||
the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names
|
||||
are retained for backwards compatibility.
|
||||
[Antoine Salon]
|
||||
|
||||
*) Fixed the issue that RAND_add()/RAND_seed() silently discards random input
|
||||
if its length exceeds 4096 bytes. The limit has been raised to a buffer size
|
||||
of two gigabytes and the error handling improved.
|
||||
|
||||
This issue was reported to OpenSSL by Dr. Falko Strenzke. It has been
|
||||
categorized as a normal bug, not a security issue, because the DRBG reseeds
|
||||
automatically and is fully functional even without additional randomness
|
||||
provided by the application.
|
||||
|
||||
Changes between 1.1.0i and 1.1.1 [11 Sep 2018]
|
||||
|
||||
*) Add a new ClientHello callback. Provides a callback interface that gives
|
||||
@ -13103,4 +13139,3 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
|
||||
*) A minor bug in ssl/s3_clnt.c where there would always be 4 0
|
||||
bytes sent in the client random.
|
||||
[Edward Bishop <ebishop@spyglass.com>]
|
||||
|
||||
|
@ -1013,13 +1013,18 @@ if (scalar(@seed_sources) == 0) {
|
||||
if (scalar(grep { $_ eq 'none' } @seed_sources) > 0) {
|
||||
die "Cannot seed with none and anything else" if scalar(@seed_sources) > 1;
|
||||
warn <<_____ if scalar(@seed_sources) == 1;
|
||||
You have selected the --with-rand-seed=none option, which effectively disables
|
||||
automatic reseeding of the OpenSSL random generator. All operations depending
|
||||
on the random generator such as creating keys will not work unless the random
|
||||
generator is seeded manually by the application.
|
||||
|
||||
Please read the 'Note on random number generation' section in the INSTALL
|
||||
instructions and the RAND_DRBG(7) manual page for more details.
|
||||
============================== WARNING ===============================
|
||||
You have selected the --with-rand-seed=none option, which effectively
|
||||
disables automatic reseeding of the OpenSSL random generator.
|
||||
All operations depending on the random generator such as creating keys
|
||||
will not work unless the random generator is seeded manually by the
|
||||
application.
|
||||
|
||||
Please read the 'Note on random number generation' section in the
|
||||
INSTALL instructions and the RAND_DRBG(7) manual page for more details.
|
||||
============================== WARNING ===============================
|
||||
|
||||
_____
|
||||
}
|
||||
push @{$config{openssl_other_defines}},
|
||||
@ -2174,6 +2179,16 @@ EOF
|
||||
|
||||
# Massage the result
|
||||
|
||||
# If the user configured no-shared, we allow no shared sources
|
||||
if ($disabled{shared}) {
|
||||
foreach (keys %{$unified_info{shared_sources}}) {
|
||||
foreach (keys %{$unified_info{shared_sources}->{$_}}) {
|
||||
delete $unified_info{sources}->{$_};
|
||||
}
|
||||
}
|
||||
$unified_info{shared_sources} = {};
|
||||
}
|
||||
|
||||
# If we depend on a header file or a perl module, add an inclusion of
|
||||
# its directory to allow smoothe inclusion
|
||||
foreach my $dest (keys %{$unified_info{depends}}) {
|
||||
@ -2198,8 +2213,8 @@ EOF
|
||||
next unless defined($unified_info{includes}->{$dest}->{$k});
|
||||
my @incs = reverse @{$unified_info{includes}->{$dest}->{$k}};
|
||||
foreach my $obj (grep /\.o$/,
|
||||
(keys %{$unified_info{sources}->{$dest}},
|
||||
keys %{$unified_info{shared_sources}->{$dest}})) {
|
||||
(keys %{$unified_info{sources}->{$dest} // {}},
|
||||
keys %{$unified_info{shared_sources}->{$dest} // {}})) {
|
||||
foreach my $inc (@incs) {
|
||||
unshift @{$unified_info{includes}->{$obj}->{$k}}, $inc
|
||||
unless grep { $_ eq $inc } @{$unified_info{includes}->{$obj}->{$k}};
|
||||
@ -2238,6 +2253,42 @@ EOF
|
||||
[ @{$unified_info{includes}->{$dest}->{source}} ];
|
||||
}
|
||||
}
|
||||
|
||||
# For convenience collect information regarding directories where
|
||||
# files are generated, those generated files and the end product
|
||||
# they end up in where applicable. Then, add build rules for those
|
||||
# directories
|
||||
my %loopinfo = ( "lib" => [ @{$unified_info{libraries}} ],
|
||||
"dso" => [ @{$unified_info{engines}} ],
|
||||
"bin" => [ @{$unified_info{programs}} ],
|
||||
"script" => [ @{$unified_info{scripts}} ] );
|
||||
foreach my $type (keys %loopinfo) {
|
||||
foreach my $product (@{$loopinfo{$type}}) {
|
||||
my %dirs = ();
|
||||
my $pd = dirname($product);
|
||||
|
||||
foreach (@{$unified_info{sources}->{$product} // []},
|
||||
@{$unified_info{shared_sources}->{$product} // []}) {
|
||||
my $d = dirname($_);
|
||||
|
||||
# We don't want to create targets for source directories
|
||||
# when building out of source
|
||||
next if ($config{sourcedir} ne $config{builddir}
|
||||
&& $d =~ m|^\Q$config{sourcedir}\E|);
|
||||
# We already have a "test" target, and the current directory
|
||||
# is just silly to make a target for
|
||||
next if $d eq "test" || $d eq ".";
|
||||
|
||||
$dirs{$d} = 1;
|
||||
push @{$unified_info{dirinfo}->{$d}->{deps}}, $_
|
||||
if $d ne $pd;
|
||||
}
|
||||
foreach (keys %dirs) {
|
||||
push @{$unified_info{dirinfo}->{$_}->{products}->{$type}},
|
||||
$product;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# For the schemes that need it, we provide the old *_obj configs
|
||||
@ -2712,10 +2763,16 @@ print <<"EOF";
|
||||
|
||||
**********************************************************************
|
||||
*** ***
|
||||
*** If you want to report a building issue, please include the ***
|
||||
*** output from this command: ***
|
||||
*** OpenSSL has been successfully configured ***
|
||||
*** ***
|
||||
*** perl configdata.pm --dump ***
|
||||
*** If you encounter a problem while building, please open an ***
|
||||
*** issue on GitHub <https://github.com/openssl/openssl/issues> ***
|
||||
*** and include the output from the following command: ***
|
||||
*** ***
|
||||
*** perl configdata.pm --dump ***
|
||||
*** ***
|
||||
*** (If you are new to OpenSSL, you might want to consult the ***
|
||||
*** 'Troubleshooting' section in the INSTALL file first) ***
|
||||
*** ***
|
||||
**********************************************************************
|
||||
EOF
|
||||
|
@ -614,8 +614,8 @@
|
||||
Windows, and as a comma separated list of
|
||||
libraries on VMS.
|
||||
RANLIB The library archive indexer.
|
||||
RC The Windows resources manipulator.
|
||||
RCFLAGS Flags for the Windows reources manipulator.
|
||||
RC The Windows resource compiler.
|
||||
RCFLAGS Flags for the Windows resource compiler.
|
||||
RM The command to remove files and directories.
|
||||
|
||||
These cannot be mixed with compiling / linking flags given
|
||||
@ -969,7 +969,7 @@
|
||||
|
||||
BUILDFILE
|
||||
Use a different build file name than the platform default
|
||||
("Makefile" on Unixly platforms, "makefile" on native Windows,
|
||||
("Makefile" on Unix-like platforms, "makefile" on native Windows,
|
||||
"descrip.mms" on OpenVMS). This requires that there is a
|
||||
corresponding build file template. See Configurations/README
|
||||
for further information.
|
||||
@ -1171,7 +1171,7 @@
|
||||
part of the file name, i.e. for OpenSSL 1.1.x, 1.1 is somehow part of
|
||||
the name.
|
||||
|
||||
On most POSIXly platforms, shared libraries are named libcrypto.so.1.1
|
||||
On most POSIX platforms, shared libraries are named libcrypto.so.1.1
|
||||
and libssl.so.1.1.
|
||||
|
||||
on Cygwin, shared libraries are named cygcrypto-1.1.dll and cygssl-1.1.dll
|
||||
@ -1202,7 +1202,7 @@
|
||||
The seeding method can be configured using the --with-rand-seed option,
|
||||
which can be used to specify a comma separated list of seed methods.
|
||||
However in most cases OpenSSL will choose a suitable default method,
|
||||
so it is not necessary to explicitely provide this option. Note also
|
||||
so it is not necessary to explicitly provide this option. Note also
|
||||
that not all methods are available on all platforms.
|
||||
|
||||
I) On operating systems which provide a suitable randomness source (in
|
||||
|
@ -5,6 +5,11 @@
|
||||
This file gives a brief overview of the major changes between each OpenSSL
|
||||
release. For more details please read the CHANGES file.
|
||||
|
||||
Major changes between OpenSSL 1.1.1 and OpenSSL 1.1.1a [20 Nov 2018]
|
||||
|
||||
o Timing vulnerability in DSA signature generation (CVE-2018-0734)
|
||||
o Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
|
||||
|
||||
Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.1 [11 Sep 2018]
|
||||
|
||||
o Support for TLSv1.3 added (see https://wiki.openssl.org/index.php/TLS1.3
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
OpenSSL 1.1.1 11 Sep 2018
|
||||
OpenSSL 1.1.1a 20 Nov 2018
|
||||
|
||||
Copyright (c) 1998-2018 The OpenSSL Project
|
||||
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -26,7 +26,6 @@ void app_RAND_load_conf(CONF *c, const char *section)
|
||||
if (RAND_load_file(randfile, -1) < 0) {
|
||||
BIO_printf(bio_err, "Can't load %s into RNG\n", randfile);
|
||||
ERR_print_errors(bio_err);
|
||||
return;
|
||||
}
|
||||
if (save_rand_file == NULL)
|
||||
save_rand_file = OPENSSL_strdup(randfile);
|
||||
|
@ -1831,6 +1831,12 @@ X509_NAME *parse_name(const char *cp, long chtype, int canmulti)
|
||||
opt_getprog(), typestr);
|
||||
continue;
|
||||
}
|
||||
if (*valstr == '\0') {
|
||||
BIO_printf(bio_err,
|
||||
"%s: No value provided for Subject Attribute %s, skipped\n",
|
||||
opt_getprog(), typestr);
|
||||
continue;
|
||||
}
|
||||
if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
|
||||
valstr, strlen((char *)valstr),
|
||||
-1, ismulti ? -1 : 0))
|
||||
|
@ -369,7 +369,7 @@ typedef struct string_int_pair_st {
|
||||
# define OPT_FMT_SMIME (1L << 3)
|
||||
# define OPT_FMT_ENGINE (1L << 4)
|
||||
# define OPT_FMT_MSBLOB (1L << 5)
|
||||
# define OPT_FMT_NETSCAPE (1L << 6)
|
||||
/* (1L << 6) was OPT_FMT_NETSCAPE, but wasn't used */
|
||||
# define OPT_FMT_NSS (1L << 7)
|
||||
# define OPT_FMT_TEXT (1L << 8)
|
||||
# define OPT_FMT_HTTP (1L << 9)
|
||||
@ -378,8 +378,8 @@ typedef struct string_int_pair_st {
|
||||
# define OPT_FMT_PDS (OPT_FMT_PEMDER | OPT_FMT_SMIME)
|
||||
# define OPT_FMT_ANY ( \
|
||||
OPT_FMT_PEMDER | OPT_FMT_PKCS12 | OPT_FMT_SMIME | \
|
||||
OPT_FMT_ENGINE | OPT_FMT_MSBLOB | OPT_FMT_NETSCAPE | \
|
||||
OPT_FMT_NSS | OPT_FMT_TEXT | OPT_FMT_HTTP | OPT_FMT_PVK)
|
||||
OPT_FMT_ENGINE | OPT_FMT_MSBLOB | OPT_FMT_NSS | \
|
||||
OPT_FMT_TEXT | OPT_FMT_HTTP | OPT_FMT_PVK)
|
||||
|
||||
char *opt_progname(const char *argv0);
|
||||
char *opt_getprog(void);
|
||||
|
@ -605,7 +605,7 @@ int ca_main(int argc, char **argv)
|
||||
/*
|
||||
* outdir is a directory spec, but access() for VMS demands a
|
||||
* filename. We could use the DEC C routine to convert the
|
||||
* directory syntax to Unixly, and give that to app_isdir,
|
||||
* directory syntax to Unix, and give that to app_isdir,
|
||||
* but for now the fopen will catch the error if it's not a
|
||||
* directory
|
||||
*/
|
||||
@ -976,7 +976,7 @@ int ca_main(int argc, char **argv)
|
||||
BIO_printf(bio_err, "Write out database with %d new entries\n",
|
||||
sk_X509_num(cert_sk));
|
||||
|
||||
if (!rand_ser
|
||||
if (serialfile != NULL
|
||||
&& !save_serial(serialfile, "new", serial, NULL))
|
||||
goto end;
|
||||
|
||||
@ -1044,7 +1044,8 @@ int ca_main(int argc, char **argv)
|
||||
|
||||
if (sk_X509_num(cert_sk)) {
|
||||
/* Rename the database and the serial file */
|
||||
if (!rotate_serial(serialfile, "new", "old"))
|
||||
if (serialfile != NULL
|
||||
&& !rotate_serial(serialfile, "new", "old"))
|
||||
goto end;
|
||||
|
||||
if (!rotate_index(dbfile, "new", "old"))
|
||||
@ -1177,10 +1178,9 @@ int ca_main(int argc, char **argv)
|
||||
}
|
||||
|
||||
/* we have a CRL number that need updating */
|
||||
if (crlnumberfile != NULL)
|
||||
if (!rand_ser
|
||||
&& !save_serial(crlnumberfile, "new", crlnumber, NULL))
|
||||
goto end;
|
||||
if (crlnumberfile != NULL
|
||||
&& !save_serial(crlnumberfile, "new", crlnumber, NULL))
|
||||
goto end;
|
||||
|
||||
BN_free(crlnumber);
|
||||
crlnumber = NULL;
|
||||
@ -1195,9 +1195,10 @@ int ca_main(int argc, char **argv)
|
||||
|
||||
PEM_write_bio_X509_CRL(Sout, crl);
|
||||
|
||||
if (crlnumberfile != NULL) /* Rename the crlnumber file */
|
||||
if (!rotate_serial(crlnumberfile, "new", "old"))
|
||||
goto end;
|
||||
/* Rename the crlnumber file */
|
||||
if (crlnumberfile != NULL
|
||||
&& !rotate_serial(crlnumberfile, "new", "old"))
|
||||
goto end;
|
||||
|
||||
}
|
||||
/*****************************************************************/
|
||||
|
@ -950,6 +950,7 @@ static void spawn_loop(void)
|
||||
sleep(30);
|
||||
break;
|
||||
case 0: /* child */
|
||||
OPENSSL_free(kidpids);
|
||||
signal(SIGINT, SIG_DFL);
|
||||
signal(SIGTERM, SIG_DFL);
|
||||
if (termsig)
|
||||
@ -976,6 +977,7 @@ static void spawn_loop(void)
|
||||
}
|
||||
|
||||
/* The loop above can only break on termsig */
|
||||
OPENSSL_free(kidpids);
|
||||
syslog(LOG_INFO, "terminating on signal: %d", termsig);
|
||||
killall(0, kidpids);
|
||||
}
|
||||
|
@ -11,7 +11,6 @@
|
||||
# This definition stops the following lines choking if HOME isn't
|
||||
# defined.
|
||||
HOME = .
|
||||
RANDFILE = $ENV::HOME/.rnd
|
||||
|
||||
# Extra OBJECT IDENTIFIER info:
|
||||
#oid_file = $ENV::HOME/.oid
|
||||
@ -58,7 +57,6 @@ crlnumber = $dir/crlnumber # the current crl number
|
||||
# must be commented out to leave a V1 CRL
|
||||
crl = $dir/crl.pem # The current CRL
|
||||
private_key = $dir/private/cakey.pem# The private key
|
||||
RANDFILE = $dir/private/.rand # private random number file
|
||||
|
||||
x509_extensions = usr_cert # The extensions to add to the cert
|
||||
|
||||
|
@ -168,7 +168,6 @@ static OPT_PAIR formats[] = {
|
||||
{"smime", OPT_FMT_SMIME},
|
||||
{"engine", OPT_FMT_ENGINE},
|
||||
{"msblob", OPT_FMT_MSBLOB},
|
||||
{"netscape", OPT_FMT_NETSCAPE},
|
||||
{"nss", OPT_FMT_NSS},
|
||||
{"text", OPT_FMT_TEXT},
|
||||
{"http", OPT_FMT_HTTP},
|
||||
|
@ -1,6 +1,6 @@
|
||||
/*
|
||||
* Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2013-2014 Timo Teräs <timo.teras@gmail.com>
|
||||
* Copyright (c) 2013-2014 Timo Teräs <timo.teras@gmail.com>
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -38,8 +38,8 @@ typedef enum OPTION_choice {
|
||||
|
||||
const OPTIONS rsa_options[] = {
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
{"inform", OPT_INFORM, 'f', "Input format, one of DER NET PEM"},
|
||||
{"outform", OPT_OUTFORM, 'f', "Output format, one of DER NET PEM PVK"},
|
||||
{"inform", OPT_INFORM, 'f', "Input format, one of DER PEM"},
|
||||
{"outform", OPT_OUTFORM, 'f', "Output format, one of DER PEM PVK"},
|
||||
{"in", OPT_IN, 's', "Input file"},
|
||||
{"out", OPT_OUT, '>', "Output file"},
|
||||
{"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
|
||||
@ -269,6 +269,9 @@ int rsa_main(int argc, char **argv)
|
||||
} else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
|
||||
EVP_PKEY *pk;
|
||||
pk = EVP_PKEY_new();
|
||||
if (pk == NULL)
|
||||
goto end;
|
||||
|
||||
EVP_PKEY_set1_RSA(pk, rsa);
|
||||
if (outformat == FORMAT_PVK) {
|
||||
if (pubin) {
|
||||
|
@ -394,7 +394,8 @@ int ssl_print_groups(BIO *out, SSL *s, int noshared)
|
||||
int ssl_print_tmp_key(BIO *out, SSL *s)
|
||||
{
|
||||
EVP_PKEY *key;
|
||||
if (!SSL_get_server_tmp_key(s, &key))
|
||||
|
||||
if (!SSL_get_peer_tmp_key(s, &key))
|
||||
return 1;
|
||||
BIO_puts(out, "Server Temp Key: ");
|
||||
switch (EVP_PKEY_id(key)) {
|
||||
|
@ -193,9 +193,8 @@ static int psk_find_session_cb(SSL *ssl, const unsigned char *identity,
|
||||
|
||||
if (strlen(psk_identity) != identity_len
|
||||
|| memcmp(psk_identity, identity, identity_len) != 0) {
|
||||
BIO_printf(bio_s_out,
|
||||
"PSK warning: client identity not what we expected"
|
||||
" (got '%s' expected '%s')\n", identity, psk_identity);
|
||||
*sess = NULL;
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (psksess != NULL) {
|
||||
@ -1622,6 +1621,11 @@ int s_server_main(int argc, char *argv[])
|
||||
goto end;
|
||||
}
|
||||
#endif
|
||||
if (early_data && (www > 0 || rev)) {
|
||||
BIO_printf(bio_err,
|
||||
"Can't use -early_data in combination with -www, -WWW, -HTTP, or -rev\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_SCTP
|
||||
if (protocol == IPPROTO_SCTP) {
|
||||
|
@ -2896,7 +2896,7 @@ int speed_main(int argc, char **argv)
|
||||
|
||||
if (rsa_count <= 1) {
|
||||
/* if longer than 10s, don't do any more */
|
||||
for (testnum++; testnum < EC_NUM; testnum++)
|
||||
for (testnum++; testnum < ECDSA_NUM; testnum++)
|
||||
ecdsa_doit[testnum] = 0;
|
||||
}
|
||||
}
|
||||
|
@ -67,10 +67,10 @@ typedef enum OPTION_choice {
|
||||
const OPTIONS x509_options[] = {
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
{"inform", OPT_INFORM, 'f',
|
||||
"Input format - default PEM (one of DER, NET or PEM)"},
|
||||
"Input format - default PEM (one of DER or PEM)"},
|
||||
{"in", OPT_IN, '<', "Input file - default stdin"},
|
||||
{"outform", OPT_OUTFORM, 'f',
|
||||
"Output format - default PEM (one of DER, NET or PEM)"},
|
||||
"Output format - default PEM (one of DER or PEM)"},
|
||||
{"out", OPT_OUT, '>', "Output file - default stdout"},
|
||||
{"keyform", OPT_KEYFORM, 'F', "Private key format - default PEM"},
|
||||
{"passin", OPT_PASSIN, 's', "Private key password/pass-phrase source"},
|
||||
|
@ -51,7 +51,7 @@
|
||||
#endif
|
||||
|
||||
/*
|
||||
* The POSIXly macro for the maximum number of characters in a file path is
|
||||
* The POSIX macro for the maximum number of characters in a file path is
|
||||
* NAME_MAX. However, some operating systems use PATH_MAX instead.
|
||||
* Therefore, it seems natural to first check for PATH_MAX and use that, and
|
||||
* if it doesn't exist, use NAME_MAX.
|
||||
|
@ -17,7 +17,8 @@
|
||||
|
||||
# include <unistd.h>
|
||||
|
||||
# if _POSIX_VERSION >= 200112L
|
||||
# if _POSIX_VERSION >= 200112L \
|
||||
&& (_POSIX_VERSION < 200809L || defined(__GLIBC__))
|
||||
|
||||
# include <pthread.h>
|
||||
|
||||
|
@ -133,7 +133,9 @@ int BIO_connect(int sock, const BIO_ADDR *addr, int options)
|
||||
*/
|
||||
int BIO_bind(int sock, const BIO_ADDR *addr, int options)
|
||||
{
|
||||
# ifndef OPENSSL_SYS_WINDOWS
|
||||
int on = 1;
|
||||
# endif
|
||||
|
||||
if (sock == -1) {
|
||||
BIOerr(BIO_F_BIO_BIND, BIO_R_INVALID_SOCKET);
|
||||
|
@ -52,7 +52,7 @@ static long bio_call_callback(BIO *b, int oper, const char *argp, size_t len,
|
||||
argi = (int)len;
|
||||
}
|
||||
|
||||
if (inret && (oper & BIO_CB_RETURN) && bareoper != BIO_CB_CTRL) {
|
||||
if (inret > 0 && (oper & BIO_CB_RETURN) && bareoper != BIO_CB_CTRL) {
|
||||
if (*processed > INT_MAX)
|
||||
return -1;
|
||||
inret = *processed;
|
||||
@ -60,7 +60,7 @@ static long bio_call_callback(BIO *b, int oper, const char *argp, size_t len,
|
||||
|
||||
ret = b->callback(b, oper, argp, argi, argl, inret);
|
||||
|
||||
if (ret >= 0 && (oper & BIO_CB_RETURN) && bareoper != BIO_CB_CTRL) {
|
||||
if (ret > 0 && (oper & BIO_CB_RETURN) && bareoper != BIO_CB_CTRL) {
|
||||
*processed = (size_t)ret;
|
||||
ret = 1;
|
||||
}
|
||||
|
@ -408,4 +408,9 @@ static void xcloselog(BIO *bp)
|
||||
|
||||
# endif /* Unix */
|
||||
|
||||
#else /* NO_SYSLOG */
|
||||
const BIO_METHOD *BIO_s_log(void)
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
#endif /* NO_SYSLOG */
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -64,12 +64,6 @@
|
||||
* machine.
|
||||
*/
|
||||
|
||||
# if defined(_WIN64) || !defined(__LP64__)
|
||||
# define BN_ULONG unsigned long long
|
||||
# else
|
||||
# define BN_ULONG unsigned long
|
||||
# endif
|
||||
|
||||
# undef mul
|
||||
# undef mul_add
|
||||
|
||||
|
@ -1077,7 +1077,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
|
||||
* is not only slower but also makes each bit vulnerable to
|
||||
* EM (and likely other) side-channel attacks like One&Done
|
||||
* (for details see "One&Done: A Single-Decryption EM-Based
|
||||
* Attack on OpenSSL’s Constant-Time Blinded RSA" by M. Alam,
|
||||
* Attack on OpenSSL's Constant-Time Blinded RSA" by M. Alam,
|
||||
* H. Khan, M. Dey, N. Sinha, R. Callan, A. Zajic, and
|
||||
* M. Prvulovic, in USENIX Security'18)
|
||||
*/
|
||||
|
@ -767,26 +767,30 @@ void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
|
||||
b->neg ^= t;
|
||||
|
||||
/*-
|
||||
* Idea behind BN_FLG_STATIC_DATA is actually to
|
||||
* indicate that data may not be written to.
|
||||
* Intention is actually to treat it as it's
|
||||
* read-only data, and some (if not most) of it does
|
||||
* reside in read-only segment. In other words
|
||||
* observation of BN_FLG_STATIC_DATA in
|
||||
* BN_consttime_swap should be treated as fatal
|
||||
* condition. It would either cause SEGV or
|
||||
* effectively cause data corruption.
|
||||
* BN_FLG_MALLOCED refers to BN structure itself,
|
||||
* and hence must be preserved. Remaining flags are
|
||||
* BN_FLG_CONSTIME and BN_FLG_SECURE. Latter must be
|
||||
* preserved, because it determines how x->d was
|
||||
* allocated and hence how to free it. This leaves
|
||||
* BN_FLG_CONSTTIME that one can do something about.
|
||||
* To summarize it's sufficient to mask and swap
|
||||
* BN_FLG_CONSTTIME alone. BN_FLG_STATIC_DATA should
|
||||
* be treated as fatal.
|
||||
* BN_FLG_STATIC_DATA: indicates that data may not be written to. Intention
|
||||
* is actually to treat it as it's read-only data, and some (if not most)
|
||||
* of it does reside in read-only segment. In other words observation of
|
||||
* BN_FLG_STATIC_DATA in BN_consttime_swap should be treated as fatal
|
||||
* condition. It would either cause SEGV or effectively cause data
|
||||
* corruption.
|
||||
*
|
||||
* BN_FLG_MALLOCED: refers to BN structure itself, and hence must be
|
||||
* preserved.
|
||||
*
|
||||
* BN_FLG_SECURE: must be preserved, because it determines how x->d was
|
||||
* allocated and hence how to free it.
|
||||
*
|
||||
* BN_FLG_CONSTTIME: sufficient to mask and swap
|
||||
*
|
||||
* BN_FLG_FIXED_TOP: indicates that we haven't called bn_correct_top() on
|
||||
* the data, so the d array may be padded with additional 0 values (i.e.
|
||||
* top could be greater than the minimal value that it could be). We should
|
||||
* be swapping it
|
||||
*/
|
||||
t = ((a->flags ^ b->flags) & BN_FLG_CONSTTIME) & condition;
|
||||
|
||||
#define BN_CONSTTIME_SWAP_FLAGS (BN_FLG_CONSTTIME | BN_FLG_FIXED_TOP)
|
||||
|
||||
t = ((a->flags ^ b->flags) & BN_CONSTTIME_SWAP_FLAGS) & condition;
|
||||
a->flags ^= t;
|
||||
b->flags ^= t;
|
||||
|
||||
|
@ -2,7 +2,7 @@ LIBS=../libcrypto
|
||||
SOURCE[../libcrypto]=\
|
||||
cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c cpt_err.c \
|
||||
ebcdic.c uid.c o_time.c o_str.c o_dir.c o_fopen.c ctype.c \
|
||||
threads_pthread.c threads_win.c threads_none.c \
|
||||
threads_pthread.c threads_win.c threads_none.c getenv.c \
|
||||
o_init.c o_fips.c mem_sec.c init.c {- $target{cpuid_asm_src} -} \
|
||||
{- $target{uplink_aux_src} -}
|
||||
EXTRA= ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \
|
||||
|
@ -10,6 +10,7 @@
|
||||
/* Part of the code in here was originally in conf.c, which is now removed */
|
||||
|
||||
#include "e_os.h"
|
||||
#include "internal/cryptlib.h"
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <openssl/conf.h>
|
||||
@ -82,7 +83,7 @@ char *_CONF_get_string(const CONF *conf, const char *section,
|
||||
if (v != NULL)
|
||||
return v->value;
|
||||
if (strcmp(section, "ENV") == 0) {
|
||||
p = getenv(name);
|
||||
p = ossl_safe_getenv(name);
|
||||
if (p != NULL)
|
||||
return p;
|
||||
}
|
||||
@ -95,7 +96,7 @@ char *_CONF_get_string(const CONF *conf, const char *section,
|
||||
else
|
||||
return NULL;
|
||||
} else
|
||||
return getenv(name);
|
||||
return ossl_safe_getenv(name);
|
||||
}
|
||||
|
||||
static unsigned long conf_value_hash(const CONF_VALUE *v)
|
||||
|
@ -480,11 +480,8 @@ char *CONF_get1_default_config_file(void)
|
||||
char *file, *sep = "";
|
||||
int len;
|
||||
|
||||
if (!OPENSSL_issetugid()) {
|
||||
file = getenv("OPENSSL_CONF");
|
||||
if (file)
|
||||
return OPENSSL_strdup(file);
|
||||
}
|
||||
if ((file = ossl_safe_getenv("OPENSSL_CONF")) != NULL)
|
||||
return OPENSSL_strdup(file);
|
||||
|
||||
len = strlen(X509_get_default_cert_area());
|
||||
#ifndef OPENSSL_SYS_VMS
|
||||
|
@ -204,7 +204,7 @@ int OPENSSL_isservice(void)
|
||||
|
||||
if (_OPENSSL_isservice.p == NULL) {
|
||||
HANDLE mod = GetModuleHandle(NULL);
|
||||
FARPROC f;
|
||||
FARPROC f = NULL;
|
||||
|
||||
if (mod != NULL)
|
||||
f = GetProcAddress(mod, "_OPENSSL_isservice");
|
||||
|
@ -137,7 +137,7 @@ static int ctlog_new_from_conf(CTLOG **ct_log, const CONF *conf, const char *sec
|
||||
|
||||
int CTLOG_STORE_load_default_file(CTLOG_STORE *store)
|
||||
{
|
||||
const char *fpath = getenv(CTLOG_FILE_EVP);
|
||||
const char *fpath = ossl_safe_getenv(CTLOG_FILE_EVP);
|
||||
|
||||
if (fpath == NULL)
|
||||
fpath = CTLOG_FILE;
|
||||
|
@ -327,6 +327,12 @@ int dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
|
||||
if (mctx == NULL)
|
||||
goto err;
|
||||
|
||||
/* make sure L > N, otherwise we'll get trapped in an infinite loop */
|
||||
if (L <= N) {
|
||||
DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_INVALID_PARAMETERS);
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (evpmd == NULL) {
|
||||
if (N == 160)
|
||||
evpmd = EVP_sha1();
|
||||
|
@ -9,6 +9,7 @@
|
||||
|
||||
#include <stdio.h>
|
||||
#include "internal/cryptlib.h"
|
||||
#include "internal/bn_int.h"
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/sha.h>
|
||||
#include "dsa_locl.h"
|
||||
@ -23,6 +24,8 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len,
|
||||
DSA_SIG *sig, DSA *dsa);
|
||||
static int dsa_init(DSA *dsa);
|
||||
static int dsa_finish(DSA *dsa);
|
||||
static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
|
||||
BN_CTX *ctx);
|
||||
|
||||
static DSA_METHOD openssl_dsa_meth = {
|
||||
"OpenSSL DSA method",
|
||||
@ -178,9 +181,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
|
||||
{
|
||||
BN_CTX *ctx = NULL;
|
||||
BIGNUM *k, *kinv = NULL, *r = *rp;
|
||||
BIGNUM *l, *m;
|
||||
BIGNUM *l;
|
||||
int ret = 0;
|
||||
int q_bits;
|
||||
int q_bits, q_words;
|
||||
|
||||
if (!dsa->p || !dsa->q || !dsa->g) {
|
||||
DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
|
||||
@ -189,8 +192,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
|
||||
|
||||
k = BN_new();
|
||||
l = BN_new();
|
||||
m = BN_new();
|
||||
if (k == NULL || l == NULL || m == NULL)
|
||||
if (k == NULL || l == NULL)
|
||||
goto err;
|
||||
|
||||
if (ctx_in == NULL) {
|
||||
@ -201,9 +203,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
|
||||
|
||||
/* Preallocate space */
|
||||
q_bits = BN_num_bits(dsa->q);
|
||||
if (!BN_set_bit(k, q_bits)
|
||||
|| !BN_set_bit(l, q_bits)
|
||||
|| !BN_set_bit(m, q_bits))
|
||||
q_words = bn_get_top(dsa->q);
|
||||
if (!bn_wexpand(k, q_words + 2)
|
||||
|| !bn_wexpand(l, q_words + 2))
|
||||
goto err;
|
||||
|
||||
/* Get random k */
|
||||
@ -221,6 +223,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
|
||||
} while (BN_is_zero(k));
|
||||
|
||||
BN_set_flags(k, BN_FLG_CONSTTIME);
|
||||
BN_set_flags(l, BN_FLG_CONSTTIME);
|
||||
|
||||
if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
|
||||
if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
|
||||
@ -238,14 +241,17 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
|
||||
* small timing information leakage. We then choose the sum that is
|
||||
* one bit longer than the modulus.
|
||||
*
|
||||
* TODO: revisit the BN_copy aiming for a memory access agnostic
|
||||
* conditional copy.
|
||||
* There are some concerns about the efficacy of doing this. More
|
||||
* specificly refer to the discussion starting with:
|
||||
* https://github.com/openssl/openssl/pull/7486#discussion_r228323705
|
||||
* The fix is to rework BN so these gymnastics aren't required.
|
||||
*/
|
||||
if (!BN_add(l, k, dsa->q)
|
||||
|| !BN_add(m, l, dsa->q)
|
||||
|| !BN_copy(k, BN_num_bits(l) > q_bits ? l : m))
|
||||
|| !BN_add(k, l, dsa->q))
|
||||
goto err;
|
||||
|
||||
BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2);
|
||||
|
||||
if ((dsa)->meth->bn_mod_exp != NULL) {
|
||||
if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx,
|
||||
dsa->method_mont_p))
|
||||
@ -258,8 +264,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
|
||||
if (!BN_mod(r, r, dsa->q, ctx))
|
||||
goto err;
|
||||
|
||||
/* Compute part of 's = inv(k) (m + xr) mod q' */
|
||||
if ((kinv = BN_mod_inverse(NULL, k, dsa->q, ctx)) == NULL)
|
||||
/* Compute part of 's = inv(k) (m + xr) mod q' */
|
||||
if ((kinv = dsa_mod_inverse_fermat(k, dsa->q, ctx)) == NULL)
|
||||
goto err;
|
||||
|
||||
BN_clear_free(*kinvp);
|
||||
@ -273,7 +279,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
|
||||
BN_CTX_free(ctx);
|
||||
BN_clear_free(k);
|
||||
BN_clear_free(l);
|
||||
BN_clear_free(m);
|
||||
return ret;
|
||||
}
|
||||
|
||||
@ -393,3 +398,31 @@ static int dsa_finish(DSA *dsa)
|
||||
BN_MONT_CTX_free(dsa->method_mont_p);
|
||||
return 1;
|
||||
}
|
||||
|
||||
/*
|
||||
* Compute the inverse of k modulo q.
|
||||
* Since q is prime, Fermat's Little Theorem applies, which reduces this to
|
||||
* mod-exp operation. Both the exponent and modulus are public information
|
||||
* so a mod-exp that doesn't leak the base is sufficient. A newly allocated
|
||||
* BIGNUM is returned which the caller must free.
|
||||
*/
|
||||
static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
|
||||
BN_CTX *ctx)
|
||||
{
|
||||
BIGNUM *res = NULL;
|
||||
BIGNUM *r, *e;
|
||||
|
||||
if ((r = BN_new()) == NULL)
|
||||
return NULL;
|
||||
|
||||
BN_CTX_start(ctx);
|
||||
if ((e = BN_CTX_get(ctx)) != NULL
|
||||
&& BN_set_word(r, 2)
|
||||
&& BN_sub(e, q, r)
|
||||
&& BN_mod_exp_mont(r, k, e, q, ctx, NULL))
|
||||
res = r;
|
||||
else
|
||||
BN_free(r);
|
||||
BN_CTX_end(ctx);
|
||||
return res;
|
||||
}
|
||||
|
@ -699,7 +699,7 @@ static int ecdh_cms_set_kdf_param(EVP_PKEY_CTX *pctx, int eckdf_nid)
|
||||
if (EVP_PKEY_CTX_set_ecdh_cofactor_mode(pctx, cofactor) <= 0)
|
||||
return 0;
|
||||
|
||||
if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, EVP_PKEY_ECDH_KDF_X9_62) <= 0)
|
||||
if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, EVP_PKEY_ECDH_KDF_X9_63) <= 0)
|
||||
return 0;
|
||||
|
||||
kdf_md = EVP_get_digestbynid(kdfmd_nid);
|
||||
@ -864,7 +864,7 @@ static int ecdh_cms_encrypt(CMS_RecipientInfo *ri)
|
||||
ecdh_nid = NID_dh_cofactor_kdf;
|
||||
|
||||
if (kdf_type == EVP_PKEY_ECDH_KDF_NONE) {
|
||||
kdf_type = EVP_PKEY_ECDH_KDF_X9_62;
|
||||
kdf_type = EVP_PKEY_ECDH_KDF_X9_63;
|
||||
if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, kdf_type) <= 0)
|
||||
goto err;
|
||||
} else
|
||||
|
@ -206,8 +206,8 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r,
|
||||
*/
|
||||
cardinality_bits = BN_num_bits(cardinality);
|
||||
group_top = bn_get_top(cardinality);
|
||||
if ((bn_wexpand(k, group_top + 1) == NULL)
|
||||
|| (bn_wexpand(lambda, group_top + 1) == NULL)) {
|
||||
if ((bn_wexpand(k, group_top + 2) == NULL)
|
||||
|| (bn_wexpand(lambda, group_top + 2) == NULL)) {
|
||||
ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB);
|
||||
goto err;
|
||||
}
|
||||
@ -244,7 +244,7 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r,
|
||||
* k := scalar + 2*cardinality
|
||||
*/
|
||||
kbit = BN_is_bit_set(lambda, cardinality_bits);
|
||||
BN_consttime_swap(kbit, k, lambda, group_top + 1);
|
||||
BN_consttime_swap(kbit, k, lambda, group_top + 2);
|
||||
|
||||
group_top = bn_get_top(group->field);
|
||||
if ((bn_wexpand(s->X, group_top) == NULL)
|
||||
|
@ -209,7 +209,7 @@ static int pkey_ec_kdf_derive(EVP_PKEY_CTX *ctx,
|
||||
if (!pkey_ec_derive(ctx, ktmp, &ktmplen))
|
||||
goto err;
|
||||
/* Do KDF stuff */
|
||||
if (!ECDH_KDF_X9_62(key, *keylen, ktmp, ktmplen,
|
||||
if (!ecdh_KDF_X9_63(key, *keylen, ktmp, ktmplen,
|
||||
dctx->kdf_ukm, dctx->kdf_ukmlen, dctx->kdf_md))
|
||||
goto err;
|
||||
rv = 1;
|
||||
@ -281,7 +281,7 @@ static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
|
||||
case EVP_PKEY_CTRL_EC_KDF_TYPE:
|
||||
if (p1 == -2)
|
||||
return dctx->kdf_type;
|
||||
if (p1 != EVP_PKEY_ECDH_KDF_NONE && p1 != EVP_PKEY_ECDH_KDF_X9_62)
|
||||
if (p1 != EVP_PKEY_ECDH_KDF_NONE && p1 != EVP_PKEY_ECDH_KDF_X9_63)
|
||||
return -2;
|
||||
dctx->kdf_type = p1;
|
||||
return 1;
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -10,12 +10,13 @@
|
||||
#include <string.h>
|
||||
#include <openssl/ec.h>
|
||||
#include <openssl/evp.h>
|
||||
#include "ec_lcl.h"
|
||||
|
||||
/* Key derivation function from X9.62/SECG */
|
||||
/* Key derivation function from X9.63/SECG */
|
||||
/* Way more than we will ever need */
|
||||
#define ECDH_KDF_MAX (1 << 30)
|
||||
|
||||
int ECDH_KDF_X9_62(unsigned char *out, size_t outlen,
|
||||
int ecdh_KDF_X9_63(unsigned char *out, size_t outlen,
|
||||
const unsigned char *Z, size_t Zlen,
|
||||
const unsigned char *sinfo, size_t sinfolen,
|
||||
const EVP_MD *md)
|
||||
@ -66,3 +67,15 @@ int ECDH_KDF_X9_62(unsigned char *out, size_t outlen,
|
||||
EVP_MD_CTX_free(mctx);
|
||||
return rv;
|
||||
}
|
||||
|
||||
/*-
|
||||
* The old name for ecdh_KDF_X9_63
|
||||
* Retained for ABI compatibility
|
||||
*/
|
||||
int ECDH_KDF_X9_62(unsigned char *out, size_t outlen,
|
||||
const unsigned char *Z, size_t Zlen,
|
||||
const unsigned char *sinfo, size_t sinfolen,
|
||||
const EVP_MD *md)
|
||||
{
|
||||
return ecdh_KDF_X9_63(out, outlen, Z, Zlen, sinfo, sinfolen, md);
|
||||
}
|
||||
|
@ -28,6 +28,13 @@
|
||||
# define CHECK_BSD_STYLE_MACROS
|
||||
#endif
|
||||
|
||||
/*
|
||||
* ONE global file descriptor for all sessions. This allows operations
|
||||
* such as digest session data copying (see digest_copy()), but is also
|
||||
* saner... why re-open /dev/crypto for every session?
|
||||
*/
|
||||
static int cfd;
|
||||
|
||||
/******************************************************************************
|
||||
*
|
||||
* Ciphers
|
||||
@ -39,7 +46,6 @@
|
||||
*****/
|
||||
|
||||
struct cipher_ctx {
|
||||
int cfd;
|
||||
struct session_op sess;
|
||||
|
||||
/* to pass from init to do_cipher */
|
||||
@ -69,7 +75,7 @@ static const struct cipher_data_st {
|
||||
{ NID_aes_192_cbc, 16, 192 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC },
|
||||
{ NID_aes_256_cbc, 16, 256 / 8, 16, EVP_CIPH_CBC_MODE, CRYPTO_AES_CBC },
|
||||
#ifndef OPENSSL_NO_RC4
|
||||
{ NID_rc4, 1, 16, 0, CRYPTO_ARC4 },
|
||||
{ NID_rc4, 1, 16, 0, EVP_CIPH_STREAM_CIPHER, CRYPTO_ARC4 },
|
||||
#endif
|
||||
#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_CTR)
|
||||
{ NID_aes_128_ctr, 16, 128 / 8, 16, EVP_CIPH_CTR_MODE, CRYPTO_AES_CTR },
|
||||
@ -135,19 +141,13 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
|
||||
const struct cipher_data_st *cipher_d =
|
||||
get_cipher_data(EVP_CIPHER_CTX_nid(ctx));
|
||||
|
||||
if ((cipher_ctx->cfd = open("/dev/crypto", O_RDWR, 0)) < 0) {
|
||||
SYSerr(SYS_F_OPEN, errno);
|
||||
return 0;
|
||||
}
|
||||
|
||||
memset(&cipher_ctx->sess, 0, sizeof(cipher_ctx->sess));
|
||||
cipher_ctx->sess.cipher = cipher_d->devcryptoid;
|
||||
cipher_ctx->sess.keylen = cipher_d->keylen;
|
||||
cipher_ctx->sess.key = (void *)key;
|
||||
cipher_ctx->op = enc ? COP_ENCRYPT : COP_DECRYPT;
|
||||
if (ioctl(cipher_ctx->cfd, CIOCGSESSION, &cipher_ctx->sess) < 0) {
|
||||
if (ioctl(cfd, CIOCGSESSION, &cipher_ctx->sess) < 0) {
|
||||
SYSerr(SYS_F_IOCTL, errno);
|
||||
close(cipher_ctx->cfd);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -186,7 +186,7 @@ static int cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
|
||||
cryp.flags = COP_FLAG_WRITE_IV;
|
||||
#endif
|
||||
|
||||
if (ioctl(cipher_ctx->cfd, CIOCCRYPT, &cryp) < 0) {
|
||||
if (ioctl(cfd, CIOCCRYPT, &cryp) < 0) {
|
||||
SYSerr(SYS_F_IOCTL, errno);
|
||||
return 0;
|
||||
}
|
||||
@ -212,14 +212,10 @@ static int cipher_cleanup(EVP_CIPHER_CTX *ctx)
|
||||
struct cipher_ctx *cipher_ctx =
|
||||
(struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
|
||||
|
||||
if (ioctl(cipher_ctx->cfd, CIOCFSESSION, &cipher_ctx->sess) < 0) {
|
||||
if (ioctl(cfd, CIOCFSESSION, &cipher_ctx->sess.ses) < 0) {
|
||||
SYSerr(SYS_F_IOCTL, errno);
|
||||
return 0;
|
||||
}
|
||||
if (close(cipher_ctx->cfd) < 0) {
|
||||
SYSerr(SYS_F_CLOSE, errno);
|
||||
return 0;
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
@ -233,14 +229,10 @@ static int known_cipher_nids[OSSL_NELEM(cipher_data)];
|
||||
static int known_cipher_nids_amount = -1; /* -1 indicates not yet initialised */
|
||||
static EVP_CIPHER *known_cipher_methods[OSSL_NELEM(cipher_data)] = { NULL, };
|
||||
|
||||
static void prepare_cipher_methods()
|
||||
static void prepare_cipher_methods(void)
|
||||
{
|
||||
size_t i;
|
||||
struct session_op sess;
|
||||
int cfd;
|
||||
|
||||
if ((cfd = open("/dev/crypto", O_RDWR, 0)) < 0)
|
||||
return;
|
||||
|
||||
memset(&sess, 0, sizeof(sess));
|
||||
sess.key = (void *)"01234567890123456789012345678901234567890123456789";
|
||||
@ -255,7 +247,7 @@ static void prepare_cipher_methods()
|
||||
sess.cipher = cipher_data[i].devcryptoid;
|
||||
sess.keylen = cipher_data[i].keylen;
|
||||
if (ioctl(cfd, CIOCGSESSION, &sess) < 0
|
||||
|| ioctl(cfd, CIOCFSESSION, &sess) < 0)
|
||||
|| ioctl(cfd, CIOCFSESSION, &sess.ses) < 0)
|
||||
continue;
|
||||
|
||||
if ((known_cipher_methods[i] =
|
||||
@ -281,8 +273,6 @@ static void prepare_cipher_methods()
|
||||
cipher_data[i].nid;
|
||||
}
|
||||
}
|
||||
|
||||
close(cfd);
|
||||
}
|
||||
|
||||
static const EVP_CIPHER *get_cipher_method(int nid)
|
||||
@ -308,7 +298,7 @@ static void destroy_cipher_method(int nid)
|
||||
known_cipher_methods[i] = NULL;
|
||||
}
|
||||
|
||||
static void destroy_all_cipher_methods()
|
||||
static void destroy_all_cipher_methods(void)
|
||||
{
|
||||
size_t i;
|
||||
|
||||
@ -329,11 +319,12 @@ static int devcrypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
|
||||
|
||||
/*
|
||||
* We only support digests if the cryptodev implementation supports multiple
|
||||
* data updates. Otherwise, we would be forced to maintain a cache, which is
|
||||
* perilous if there's a lot of data coming in (if someone wants to checksum
|
||||
* an OpenSSL tarball, for example).
|
||||
* data updates and session copying. Otherwise, we would be forced to maintain
|
||||
* a cache, which is perilous if there's a lot of data coming in (if someone
|
||||
* wants to checksum an OpenSSL tarball, for example).
|
||||
*/
|
||||
#if defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL)
|
||||
#if defined(CIOCCPHASH) && defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL)
|
||||
#define IMPLEMENT_DIGEST
|
||||
|
||||
/******************************************************************************
|
||||
*
|
||||
@ -346,7 +337,6 @@ static int devcrypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
|
||||
*****/
|
||||
|
||||
struct digest_ctx {
|
||||
int cfd;
|
||||
struct session_op sess;
|
||||
int init;
|
||||
};
|
||||
@ -413,19 +403,12 @@ static int digest_init(EVP_MD_CTX *ctx)
|
||||
const struct digest_data_st *digest_d =
|
||||
get_digest_data(EVP_MD_CTX_type(ctx));
|
||||
|
||||
if (digest_ctx->init == 0
|
||||
&& (digest_ctx->cfd = open("/dev/crypto", O_RDWR, 0)) < 0) {
|
||||
SYSerr(SYS_F_OPEN, errno);
|
||||
return 0;
|
||||
}
|
||||
|
||||
digest_ctx->init = 1;
|
||||
|
||||
memset(&digest_ctx->sess, 0, sizeof(digest_ctx->sess));
|
||||
digest_ctx->sess.mac = digest_d->devcryptoid;
|
||||
if (ioctl(digest_ctx->cfd, CIOCGSESSION, &digest_ctx->sess) < 0) {
|
||||
if (ioctl(cfd, CIOCGSESSION, &digest_ctx->sess) < 0) {
|
||||
SYSerr(SYS_F_IOCTL, errno);
|
||||
close(digest_ctx->cfd);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -444,7 +427,7 @@ static int digest_op(struct digest_ctx *ctx, const void *src, size_t srclen,
|
||||
cryp.dst = NULL;
|
||||
cryp.mac = res;
|
||||
cryp.flags = flags;
|
||||
return ioctl(ctx->cfd, CIOCCRYPT, &cryp);
|
||||
return ioctl(cfd, CIOCCRYPT, &cryp);
|
||||
}
|
||||
|
||||
static int digest_update(EVP_MD_CTX *ctx, const void *data, size_t count)
|
||||
@ -472,7 +455,7 @@ static int digest_final(EVP_MD_CTX *ctx, unsigned char *md)
|
||||
SYSerr(SYS_F_IOCTL, errno);
|
||||
return 0;
|
||||
}
|
||||
if (ioctl(digest_ctx->cfd, CIOCFSESSION, &digest_ctx->sess) < 0) {
|
||||
if (ioctl(cfd, CIOCFSESSION, &digest_ctx->sess.ses) < 0) {
|
||||
SYSerr(SYS_F_IOCTL, errno);
|
||||
return 0;
|
||||
}
|
||||
@ -480,16 +463,38 @@ static int digest_final(EVP_MD_CTX *ctx, unsigned char *md)
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int digest_cleanup(EVP_MD_CTX *ctx)
|
||||
static int digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from)
|
||||
{
|
||||
struct digest_ctx *digest_ctx =
|
||||
(struct digest_ctx *)EVP_MD_CTX_md_data(ctx);
|
||||
struct digest_ctx *digest_from =
|
||||
(struct digest_ctx *)EVP_MD_CTX_md_data(from);
|
||||
struct digest_ctx *digest_to =
|
||||
(struct digest_ctx *)EVP_MD_CTX_md_data(to);
|
||||
struct cphash_op cphash;
|
||||
|
||||
if (close(digest_ctx->cfd) < 0) {
|
||||
SYSerr(SYS_F_CLOSE, errno);
|
||||
if (digest_from == NULL)
|
||||
return 1;
|
||||
|
||||
if (digest_from->init != 1) {
|
||||
SYSerr(SYS_F_IOCTL, EINVAL);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (!digest_init(to)) {
|
||||
SYSerr(SYS_F_IOCTL, errno);
|
||||
return 0;
|
||||
}
|
||||
|
||||
cphash.src_ses = digest_from->sess.ses;
|
||||
cphash.dst_ses = digest_to->sess.ses;
|
||||
if (ioctl(cfd, CIOCCPHASH, &cphash) < 0) {
|
||||
SYSerr(SYS_F_IOCTL, errno);
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int digest_cleanup(EVP_MD_CTX *ctx)
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
|
||||
@ -502,14 +507,10 @@ static int known_digest_nids[OSSL_NELEM(digest_data)];
|
||||
static int known_digest_nids_amount = -1; /* -1 indicates not yet initialised */
|
||||
static EVP_MD *known_digest_methods[OSSL_NELEM(digest_data)] = { NULL, };
|
||||
|
||||
static void prepare_digest_methods()
|
||||
static void prepare_digest_methods(void)
|
||||
{
|
||||
size_t i;
|
||||
struct session_op sess;
|
||||
int cfd;
|
||||
|
||||
if ((cfd = open("/dev/crypto", O_RDWR, 0)) < 0)
|
||||
return;
|
||||
|
||||
memset(&sess, 0, sizeof(sess));
|
||||
|
||||
@ -522,7 +523,7 @@ static void prepare_digest_methods()
|
||||
*/
|
||||
sess.mac = digest_data[i].devcryptoid;
|
||||
if (ioctl(cfd, CIOCGSESSION, &sess) < 0
|
||||
|| ioctl(cfd, CIOCFSESSION, &sess) < 0)
|
||||
|| ioctl(cfd, CIOCFSESSION, &sess.ses) < 0)
|
||||
continue;
|
||||
|
||||
if ((known_digest_methods[i] = EVP_MD_meth_new(digest_data[i].nid,
|
||||
@ -532,6 +533,7 @@ static void prepare_digest_methods()
|
||||
|| !EVP_MD_meth_set_init(known_digest_methods[i], digest_init)
|
||||
|| !EVP_MD_meth_set_update(known_digest_methods[i], digest_update)
|
||||
|| !EVP_MD_meth_set_final(known_digest_methods[i], digest_final)
|
||||
|| !EVP_MD_meth_set_copy(known_digest_methods[i], digest_copy)
|
||||
|| !EVP_MD_meth_set_cleanup(known_digest_methods[i], digest_cleanup)
|
||||
|| !EVP_MD_meth_set_app_datasize(known_digest_methods[i],
|
||||
sizeof(struct digest_ctx))) {
|
||||
@ -541,8 +543,6 @@ static void prepare_digest_methods()
|
||||
known_digest_nids[known_digest_nids_amount++] = digest_data[i].nid;
|
||||
}
|
||||
}
|
||||
|
||||
close(cfd);
|
||||
}
|
||||
|
||||
static const EVP_MD *get_digest_method(int nid)
|
||||
@ -568,7 +568,7 @@ static void destroy_digest_method(int nid)
|
||||
known_digest_methods[i] = NULL;
|
||||
}
|
||||
|
||||
static void destroy_all_digest_methods()
|
||||
static void destroy_all_digest_methods(void)
|
||||
{
|
||||
size_t i;
|
||||
|
||||
@ -598,9 +598,12 @@ static int devcrypto_digests(ENGINE *e, const EVP_MD **digest,
|
||||
static int devcrypto_unload(ENGINE *e)
|
||||
{
|
||||
destroy_all_cipher_methods();
|
||||
#if defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL)
|
||||
#ifdef IMPLEMENT_DIGEST
|
||||
destroy_all_digest_methods();
|
||||
#endif
|
||||
|
||||
close(cfd);
|
||||
|
||||
return 1;
|
||||
}
|
||||
/*
|
||||
@ -611,23 +614,30 @@ void engine_load_devcrypto_int()
|
||||
{
|
||||
ENGINE *e = NULL;
|
||||
|
||||
if (access("/dev/crypto", R_OK | W_OK) < 0) {
|
||||
fprintf(stderr,
|
||||
"/dev/crypto not present, not enabling devcrypto engine\n");
|
||||
if ((cfd = open("/dev/crypto", O_RDWR, 0)) < 0) {
|
||||
fprintf(stderr, "Could not open /dev/crypto: %s\n", strerror(errno));
|
||||
return;
|
||||
}
|
||||
|
||||
prepare_cipher_methods();
|
||||
#if defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL)
|
||||
#ifdef IMPLEMENT_DIGEST
|
||||
prepare_digest_methods();
|
||||
#endif
|
||||
|
||||
if ((e = ENGINE_new()) == NULL)
|
||||
if ((e = ENGINE_new()) == NULL
|
||||
|| !ENGINE_set_destroy_function(e, devcrypto_unload)) {
|
||||
ENGINE_free(e);
|
||||
/*
|
||||
* We know that devcrypto_unload() won't be called when one of the
|
||||
* above two calls have failed, so we close cfd explicitly here to
|
||||
* avoid leaking resources.
|
||||
*/
|
||||
close(cfd);
|
||||
return;
|
||||
}
|
||||
|
||||
if (!ENGINE_set_id(e, "devcrypto")
|
||||
|| !ENGINE_set_name(e, "/dev/crypto engine")
|
||||
|| !ENGINE_set_destroy_function(e, devcrypto_unload)
|
||||
|
||||
/*
|
||||
* Asymmetric ciphers aren't well supported with /dev/crypto. Among the BSD
|
||||
@ -664,7 +674,7 @@ void engine_load_devcrypto_int()
|
||||
# endif
|
||||
#endif
|
||||
|| !ENGINE_set_ciphers(e, devcrypto_ciphers)
|
||||
#if defined(COP_FLAG_UPDATE) && defined(COP_FLAG_FINAL)
|
||||
#ifdef IMPLEMENT_DIGEST
|
||||
|| !ENGINE_set_digests(e, devcrypto_digests)
|
||||
#endif
|
||||
) {
|
||||
|
@ -317,8 +317,7 @@ ENGINE *ENGINE_by_id(const char *id)
|
||||
* Prevent infinite recursion if we're looking for the dynamic engine.
|
||||
*/
|
||||
if (strcmp(id, "dynamic")) {
|
||||
if (OPENSSL_issetugid()
|
||||
|| (load_dir = getenv("OPENSSL_ENGINES")) == NULL)
|
||||
if ((load_dir = ossl_safe_getenv("OPENSSL_ENGINES")) == NULL)
|
||||
load_dir = ENGINESDIR;
|
||||
iterator = ENGINE_by_id("dynamic");
|
||||
if (!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||
|
||||
|
@ -1014,6 +1014,7 @@ RAND_F_RAND_POOL_ACQUIRE_ENTROPY:122:rand_pool_acquire_entropy
|
||||
RAND_F_RAND_POOL_ADD:103:rand_pool_add
|
||||
RAND_F_RAND_POOL_ADD_BEGIN:113:rand_pool_add_begin
|
||||
RAND_F_RAND_POOL_ADD_END:114:rand_pool_add_end
|
||||
RAND_F_RAND_POOL_ATTACH:124:rand_pool_attach
|
||||
RAND_F_RAND_POOL_BYTES_NEEDED:115:rand_pool_bytes_needed
|
||||
RAND_F_RAND_POOL_NEW:116:rand_pool_new
|
||||
RAND_F_RAND_WRITE_FILE:112:RAND_write_file
|
||||
|
@ -2241,7 +2241,7 @@ static int s390x_aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
|
||||
|
||||
if (!cctx->aes.ccm.len_set) {
|
||||
/*-
|
||||
* In case message length was not previously set explicitely via
|
||||
* In case message length was not previously set explicitly via
|
||||
* Update(), set it now.
|
||||
*/
|
||||
ivec = EVP_CIPHER_CTX_iv_noconst(ctx);
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@ -92,7 +92,8 @@ static int rc2_meth_to_magic(EVP_CIPHER_CTX *e)
|
||||
{
|
||||
int i;
|
||||
|
||||
EVP_CIPHER_CTX_ctrl(e, EVP_CTRL_GET_RC2_KEY_BITS, 0, &i);
|
||||
if (EVP_CIPHER_CTX_ctrl(e, EVP_CTRL_GET_RC2_KEY_BITS, 0, &i) <= 0)
|
||||
return 0;
|
||||
if (i == 128)
|
||||
return RC2_128_MAGIC;
|
||||
else if (i == 64)
|
||||
@ -136,8 +137,9 @@ static int rc2_get_asn1_type_and_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
|
||||
return -1;
|
||||
if (i > 0 && !EVP_CipherInit_ex(c, NULL, NULL, NULL, iv, -1))
|
||||
return -1;
|
||||
EVP_CIPHER_CTX_ctrl(c, EVP_CTRL_SET_RC2_KEY_BITS, key_bits, NULL);
|
||||
if (EVP_CIPHER_CTX_set_key_length(c, key_bits / 8) <= 0)
|
||||
if (EVP_CIPHER_CTX_ctrl(c, EVP_CTRL_SET_RC2_KEY_BITS, key_bits,
|
||||
NULL) <= 0
|
||||
|| EVP_CIPHER_CTX_set_key_length(c, key_bits / 8) <= 0)
|
||||
return -1;
|
||||
}
|
||||
return i;
|
||||
|
@ -837,21 +837,21 @@ void EVP_PKEY_meth_get_ctrl(const EVP_PKEY_METHOD *pmeth,
|
||||
void EVP_PKEY_meth_get_check(const EVP_PKEY_METHOD *pmeth,
|
||||
int (**pcheck) (EVP_PKEY *pkey))
|
||||
{
|
||||
if (*pcheck)
|
||||
if (pcheck != NULL)
|
||||
*pcheck = pmeth->check;
|
||||
}
|
||||
|
||||
void EVP_PKEY_meth_get_public_check(const EVP_PKEY_METHOD *pmeth,
|
||||
int (**pcheck) (EVP_PKEY *pkey))
|
||||
{
|
||||
if (*pcheck)
|
||||
if (pcheck != NULL)
|
||||
*pcheck = pmeth->public_check;
|
||||
}
|
||||
|
||||
void EVP_PKEY_meth_get_param_check(const EVP_PKEY_METHOD *pmeth,
|
||||
int (**pcheck) (EVP_PKEY *pkey))
|
||||
{
|
||||
if (*pcheck)
|
||||
if (pcheck != NULL)
|
||||
*pcheck = pmeth->param_check;
|
||||
}
|
||||
|
||||
|
31
crypto/openssl/crypto/getenv.c
Normal file
31
crypto/openssl/crypto/getenv.c
Normal file
@ -0,0 +1,31 @@
|
||||
/*
|
||||
* Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#ifndef _GNU_SOURCE
|
||||
# define _GNU_SOURCE
|
||||
#endif
|
||||
|
||||
#include <stdlib.h>
|
||||
#include "internal/cryptlib.h"
|
||||
|
||||
char *ossl_safe_getenv(const char *name)
|
||||
{
|
||||
#if defined(__GLIBC__) && defined(__GLIBC_PREREQ)
|
||||
# if __GLIBC_PREREQ(2, 17)
|
||||
# define SECURE_GETENV
|
||||
return secure_getenv(name);
|
||||
# endif
|
||||
#endif
|
||||
|
||||
#ifndef SECURE_GETENV
|
||||
if (OPENSSL_issetugid())
|
||||
return NULL;
|
||||
return getenv(name);
|
||||
#endif
|
||||
}
|
@ -41,5 +41,13 @@
|
||||
__owur int ec_group_do_inverse_ord(const EC_GROUP *group, BIGNUM *res,
|
||||
const BIGNUM *x, BN_CTX *ctx);
|
||||
|
||||
/*-
|
||||
* ECDH Key Derivation Function as defined in ANSI X9.63
|
||||
*/
|
||||
int ecdh_KDF_X9_63(unsigned char *out, size_t outlen,
|
||||
const unsigned char *Z, size_t Zlen,
|
||||
const unsigned char *sinfo, size_t sinfolen,
|
||||
const EVP_MD *md);
|
||||
|
||||
# endif /* OPENSSL_NO_EC */
|
||||
#endif
|
||||
|
@ -45,18 +45,21 @@ size_t rand_drbg_get_nonce(RAND_DRBG *drbg,
|
||||
void rand_drbg_cleanup_nonce(RAND_DRBG *drbg,
|
||||
unsigned char *out, size_t outlen);
|
||||
|
||||
size_t rand_drbg_get_additional_data(unsigned char **pout, size_t max_len);
|
||||
size_t rand_drbg_get_additional_data(RAND_POOL *pool, unsigned char **pout);
|
||||
|
||||
void rand_drbg_cleanup_additional_data(unsigned char *out, size_t outlen);
|
||||
void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out);
|
||||
|
||||
/*
|
||||
* RAND_POOL functions
|
||||
*/
|
||||
RAND_POOL *rand_pool_new(int entropy_requested, size_t min_len, size_t max_len);
|
||||
RAND_POOL *rand_pool_attach(const unsigned char *buffer, size_t len,
|
||||
size_t entropy);
|
||||
void rand_pool_free(RAND_POOL *pool);
|
||||
|
||||
const unsigned char *rand_pool_buffer(RAND_POOL *pool);
|
||||
unsigned char *rand_pool_detach(RAND_POOL *pool);
|
||||
void rand_pool_reattach(RAND_POOL *pool, unsigned char *buffer);
|
||||
|
||||
size_t rand_pool_entropy(RAND_POOL *pool);
|
||||
size_t rand_pool_length(RAND_POOL *pool);
|
||||
|
@ -175,6 +175,18 @@ static int pkey_hkdf_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
|
||||
return -2;
|
||||
}
|
||||
|
||||
static int pkey_hkdf_derive_init(EVP_PKEY_CTX *ctx)
|
||||
{
|
||||
HKDF_PKEY_CTX *kctx = ctx->data;
|
||||
|
||||
OPENSSL_clear_free(kctx->key, kctx->key_len);
|
||||
OPENSSL_clear_free(kctx->salt, kctx->salt_len);
|
||||
OPENSSL_cleanse(kctx->info, kctx->info_len);
|
||||
memset(kctx, 0, sizeof(*kctx));
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int pkey_hkdf_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
|
||||
size_t *keylen)
|
||||
{
|
||||
@ -236,7 +248,7 @@ const EVP_PKEY_METHOD hkdf_pkey_meth = {
|
||||
|
||||
0, 0,
|
||||
|
||||
0,
|
||||
pkey_hkdf_derive_init,
|
||||
pkey_hkdf_derive,
|
||||
pkey_hkdf_ctrl,
|
||||
pkey_hkdf_ctrl_str
|
||||
|
@ -20,12 +20,8 @@
|
||||
|
||||
#include <string.h>
|
||||
|
||||
/* e_os.h includes unistd.h, which defines _POSIX_VERSION */
|
||||
#if !defined(OPENSSL_NO_SECURE_MEMORY) && defined(OPENSSL_SYS_UNIX) \
|
||||
&& ( (defined(_POSIX_VERSION) && _POSIX_VERSION >= 200112L) \
|
||||
|| defined(__sun) || defined(__hpux) || defined(__sgi) \
|
||||
|| defined(__osf__) )
|
||||
# define IMPLEMENTED
|
||||
/* e_os.h defines OPENSSL_SECURE_MEMORY if secure memory can be implemented */
|
||||
#ifdef OPENSSL_SECURE_MEMORY
|
||||
# include <stdlib.h>
|
||||
# include <assert.h>
|
||||
# include <unistd.h>
|
||||
@ -51,7 +47,7 @@
|
||||
# define MAP_ANON MAP_ANONYMOUS
|
||||
#endif
|
||||
|
||||
#ifdef IMPLEMENTED
|
||||
#ifdef OPENSSL_SECURE_MEMORY
|
||||
static size_t secure_mem_used;
|
||||
|
||||
static int secure_mem_initialized;
|
||||
@ -71,7 +67,7 @@ static int sh_allocated(const char *ptr);
|
||||
|
||||
int CRYPTO_secure_malloc_init(size_t size, int minsize)
|
||||
{
|
||||
#ifdef IMPLEMENTED
|
||||
#ifdef OPENSSL_SECURE_MEMORY
|
||||
int ret = 0;
|
||||
|
||||
if (!secure_mem_initialized) {
|
||||
@ -89,12 +85,12 @@ int CRYPTO_secure_malloc_init(size_t size, int minsize)
|
||||
return ret;
|
||||
#else
|
||||
return 0;
|
||||
#endif /* IMPLEMENTED */
|
||||
#endif /* OPENSSL_SECURE_MEMORY */
|
||||
}
|
||||
|
||||
int CRYPTO_secure_malloc_done(void)
|
||||
{
|
||||
#ifdef IMPLEMENTED
|
||||
#ifdef OPENSSL_SECURE_MEMORY
|
||||
if (secure_mem_used == 0) {
|
||||
sh_done();
|
||||
secure_mem_initialized = 0;
|
||||
@ -102,22 +98,22 @@ int CRYPTO_secure_malloc_done(void)
|
||||
sec_malloc_lock = NULL;
|
||||
return 1;
|
||||
}
|
||||
#endif /* IMPLEMENTED */
|
||||
#endif /* OPENSSL_SECURE_MEMORY */
|
||||
return 0;
|
||||
}
|
||||
|
||||
int CRYPTO_secure_malloc_initialized(void)
|
||||
{
|
||||
#ifdef IMPLEMENTED
|
||||
#ifdef OPENSSL_SECURE_MEMORY
|
||||
return secure_mem_initialized;
|
||||
#else
|
||||
return 0;
|
||||
#endif /* IMPLEMENTED */
|
||||
#endif /* OPENSSL_SECURE_MEMORY */
|
||||
}
|
||||
|
||||
void *CRYPTO_secure_malloc(size_t num, const char *file, int line)
|
||||
{
|
||||
#ifdef IMPLEMENTED
|
||||
#ifdef OPENSSL_SECURE_MEMORY
|
||||
void *ret;
|
||||
size_t actual_size;
|
||||
|
||||
@ -132,12 +128,12 @@ void *CRYPTO_secure_malloc(size_t num, const char *file, int line)
|
||||
return ret;
|
||||
#else
|
||||
return CRYPTO_malloc(num, file, line);
|
||||
#endif /* IMPLEMENTED */
|
||||
#endif /* OPENSSL_SECURE_MEMORY */
|
||||
}
|
||||
|
||||
void *CRYPTO_secure_zalloc(size_t num, const char *file, int line)
|
||||
{
|
||||
#ifdef IMPLEMENTED
|
||||
#ifdef OPENSSL_SECURE_MEMORY
|
||||
if (secure_mem_initialized)
|
||||
/* CRYPTO_secure_malloc() zeroes allocations when it is implemented */
|
||||
return CRYPTO_secure_malloc(num, file, line);
|
||||
@ -147,7 +143,7 @@ void *CRYPTO_secure_zalloc(size_t num, const char *file, int line)
|
||||
|
||||
void CRYPTO_secure_free(void *ptr, const char *file, int line)
|
||||
{
|
||||
#ifdef IMPLEMENTED
|
||||
#ifdef OPENSSL_SECURE_MEMORY
|
||||
size_t actual_size;
|
||||
|
||||
if (ptr == NULL)
|
||||
@ -164,13 +160,13 @@ void CRYPTO_secure_free(void *ptr, const char *file, int line)
|
||||
CRYPTO_THREAD_unlock(sec_malloc_lock);
|
||||
#else
|
||||
CRYPTO_free(ptr, file, line);
|
||||
#endif /* IMPLEMENTED */
|
||||
#endif /* OPENSSL_SECURE_MEMORY */
|
||||
}
|
||||
|
||||
void CRYPTO_secure_clear_free(void *ptr, size_t num,
|
||||
const char *file, int line)
|
||||
{
|
||||
#ifdef IMPLEMENTED
|
||||
#ifdef OPENSSL_SECURE_MEMORY
|
||||
size_t actual_size;
|
||||
|
||||
if (ptr == NULL)
|
||||
@ -191,12 +187,12 @@ void CRYPTO_secure_clear_free(void *ptr, size_t num,
|
||||
return;
|
||||
OPENSSL_cleanse(ptr, num);
|
||||
CRYPTO_free(ptr, file, line);
|
||||
#endif /* IMPLEMENTED */
|
||||
#endif /* OPENSSL_SECURE_MEMORY */
|
||||
}
|
||||
|
||||
int CRYPTO_secure_allocated(const void *ptr)
|
||||
{
|
||||
#ifdef IMPLEMENTED
|
||||
#ifdef OPENSSL_SECURE_MEMORY
|
||||
int ret;
|
||||
|
||||
if (!secure_mem_initialized)
|
||||
@ -207,21 +203,21 @@ int CRYPTO_secure_allocated(const void *ptr)
|
||||
return ret;
|
||||
#else
|
||||
return 0;
|
||||
#endif /* IMPLEMENTED */
|
||||
#endif /* OPENSSL_SECURE_MEMORY */
|
||||
}
|
||||
|
||||
size_t CRYPTO_secure_used(void)
|
||||
{
|
||||
#ifdef IMPLEMENTED
|
||||
#ifdef OPENSSL_SECURE_MEMORY
|
||||
return secure_mem_used;
|
||||
#else
|
||||
return 0;
|
||||
#endif /* IMPLEMENTED */
|
||||
#endif /* OPENSSL_SECURE_MEMORY */
|
||||
}
|
||||
|
||||
size_t CRYPTO_secure_actual_size(void *ptr)
|
||||
{
|
||||
#ifdef IMPLEMENTED
|
||||
#ifdef OPENSSL_SECURE_MEMORY
|
||||
size_t actual_size;
|
||||
|
||||
CRYPTO_THREAD_write_lock(sec_malloc_lock);
|
||||
@ -239,7 +235,7 @@ size_t CRYPTO_secure_actual_size(void *ptr)
|
||||
/*
|
||||
* SECURE HEAP IMPLEMENTATION
|
||||
*/
|
||||
#ifdef IMPLEMENTED
|
||||
#ifdef OPENSSL_SECURE_MEMORY
|
||||
|
||||
|
||||
/*
|
||||
@ -647,4 +643,4 @@ static size_t sh_actual_size(char *ptr)
|
||||
OPENSSL_assert(sh_testbit(ptr, list, sh.bittable));
|
||||
return sh.arena_size / (ONE << list);
|
||||
}
|
||||
#endif /* IMPLEMENTED */
|
||||
#endif /* OPENSSL_SECURE_MEMORY */
|
||||
|
@ -25,14 +25,12 @@
|
||||
# endif
|
||||
# endif
|
||||
|
||||
#include "e_os.h"
|
||||
#include "internal/cryptlib.h"
|
||||
|
||||
#if !defined(OPENSSL_NO_STDIO)
|
||||
|
||||
# include <stdio.h>
|
||||
# ifdef _WIN32
|
||||
# include <windows.h>
|
||||
# endif
|
||||
# ifdef __DJGPP__
|
||||
# include <unistd.h>
|
||||
# endif
|
||||
|
@ -7,13 +7,13 @@
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
# include <stdio.h>
|
||||
# include "internal/cryptlib.h"
|
||||
# include <openssl/crypto.h>
|
||||
# include <openssl/hmac.h>
|
||||
# include <openssl/rand.h>
|
||||
# include <openssl/pkcs12.h>
|
||||
# include "p12_lcl.h"
|
||||
#include <stdio.h>
|
||||
#include "internal/cryptlib.h"
|
||||
#include <openssl/crypto.h>
|
||||
#include <openssl/hmac.h>
|
||||
#include <openssl/rand.h>
|
||||
#include <openssl/pkcs12.h>
|
||||
#include "p12_lcl.h"
|
||||
|
||||
int PKCS12_mac_present(const PKCS12 *p12)
|
||||
{
|
||||
@ -44,7 +44,7 @@ void PKCS12_get0_mac(const ASN1_OCTET_STRING **pmac,
|
||||
}
|
||||
}
|
||||
|
||||
# define TK26_MAC_KEY_LEN 32
|
||||
#define TK26_MAC_KEY_LEN 32
|
||||
|
||||
static int pkcs12_gen_gost_mac_key(const char *pass, int passlen,
|
||||
const unsigned char *salt, int saltlen,
|
||||
@ -112,7 +112,7 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
|
||||
if ((md_type_nid == NID_id_GostR3411_94
|
||||
|| md_type_nid == NID_id_GostR3411_2012_256
|
||||
|| md_type_nid == NID_id_GostR3411_2012_512)
|
||||
&& !getenv("LEGACY_GOST_PKCS12")) {
|
||||
&& ossl_safe_getenv("LEGACY_GOST_PKCS12") == NULL) {
|
||||
md_size = TK26_MAC_KEY_LEN;
|
||||
if (!pkcs12_gen_gost_mac_key(pass, passlen, salt, saltlen, iter,
|
||||
md_size, key, md_type)) {
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2016-20018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -402,10 +402,10 @@ int drbg_ctr_init(RAND_DRBG *drbg)
|
||||
if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
|
||||
/* df initialisation */
|
||||
static const unsigned char df_key[32] = {
|
||||
0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
|
||||
0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,
|
||||
0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
|
||||
0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f
|
||||
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
|
||||
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
|
||||
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
|
||||
0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
|
||||
};
|
||||
|
||||
if (ctr->ctx_df == NULL)
|
||||
@ -417,9 +417,9 @@ int drbg_ctr_init(RAND_DRBG *drbg)
|
||||
return 0;
|
||||
|
||||
drbg->min_entropylen = ctr->keylen;
|
||||
drbg->max_entropylen = DRBG_MINMAX_FACTOR * drbg->min_entropylen;
|
||||
drbg->max_entropylen = DRBG_MAX_LENGTH;
|
||||
drbg->min_noncelen = drbg->min_entropylen / 2;
|
||||
drbg->max_noncelen = DRBG_MINMAX_FACTOR * drbg->min_noncelen;
|
||||
drbg->max_noncelen = DRBG_MAX_LENGTH;
|
||||
drbg->max_perslen = DRBG_MAX_LENGTH;
|
||||
drbg->max_adinlen = DRBG_MAX_LENGTH;
|
||||
} else {
|
||||
|
@ -82,6 +82,10 @@ static unsigned int slave_reseed_interval = SLAVE_RESEED_INTERVAL;
|
||||
static time_t master_reseed_time_interval = MASTER_RESEED_TIME_INTERVAL;
|
||||
static time_t slave_reseed_time_interval = SLAVE_RESEED_TIME_INTERVAL;
|
||||
|
||||
/* A logical OR of all used DRBG flag bits (currently there is only one) */
|
||||
static const unsigned int rand_drbg_used_flags =
|
||||
RAND_DRBG_FLAG_CTR_NO_DF;
|
||||
|
||||
static RAND_DRBG *drbg_setup(RAND_DRBG *parent);
|
||||
|
||||
static RAND_DRBG *rand_drbg_new(int secure,
|
||||
@ -105,16 +109,27 @@ int RAND_DRBG_set(RAND_DRBG *drbg, int type, unsigned int flags)
|
||||
flags = rand_drbg_flags;
|
||||
}
|
||||
|
||||
/* If set is called multiple times - clear the old one */
|
||||
if (drbg->type != 0 && (type != drbg->type || flags != drbg->flags)) {
|
||||
drbg->meth->uninstantiate(drbg);
|
||||
rand_pool_free(drbg->adin_pool);
|
||||
drbg->adin_pool = NULL;
|
||||
}
|
||||
|
||||
drbg->state = DRBG_UNINITIALISED;
|
||||
drbg->flags = flags;
|
||||
drbg->type = type;
|
||||
|
||||
switch (type) {
|
||||
default:
|
||||
drbg->type = 0;
|
||||
drbg->flags = 0;
|
||||
drbg->meth = NULL;
|
||||
RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_UNSUPPORTED_DRBG_TYPE);
|
||||
return 0;
|
||||
case 0:
|
||||
/* Uninitialized; that's okay. */
|
||||
drbg->meth = NULL;
|
||||
return 1;
|
||||
case NID_aes_128_ctr:
|
||||
case NID_aes_192_ctr:
|
||||
@ -123,8 +138,10 @@ int RAND_DRBG_set(RAND_DRBG *drbg, int type, unsigned int flags)
|
||||
break;
|
||||
}
|
||||
|
||||
if (ret == 0)
|
||||
if (ret == 0) {
|
||||
drbg->state = DRBG_ERROR;
|
||||
RANDerr(RAND_F_RAND_DRBG_SET, RAND_R_ERROR_INITIALISING_DRBG);
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
@ -147,7 +164,7 @@ int RAND_DRBG_set_defaults(int type, unsigned int flags)
|
||||
break;
|
||||
}
|
||||
|
||||
if ((flags & ~RAND_DRBG_USED_FLAGS) != 0) {
|
||||
if ((flags & ~rand_drbg_used_flags) != 0) {
|
||||
RANDerr(RAND_F_RAND_DRBG_SET_DEFAULTS, RAND_R_UNSUPPORTED_DRBG_FLAGS);
|
||||
return 0;
|
||||
}
|
||||
@ -224,11 +241,8 @@ static RAND_DRBG *rand_drbg_new(int secure,
|
||||
|
||||
return drbg;
|
||||
|
||||
err:
|
||||
if (drbg->secure)
|
||||
OPENSSL_secure_free(drbg);
|
||||
else
|
||||
OPENSSL_free(drbg);
|
||||
err:
|
||||
RAND_DRBG_free(drbg);
|
||||
|
||||
return NULL;
|
||||
}
|
||||
@ -253,6 +267,7 @@ void RAND_DRBG_free(RAND_DRBG *drbg)
|
||||
|
||||
if (drbg->meth != NULL)
|
||||
drbg->meth->uninstantiate(drbg);
|
||||
rand_pool_free(drbg->adin_pool);
|
||||
CRYPTO_THREAD_lock_free(drbg->lock);
|
||||
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DRBG, drbg, &drbg->ex_data);
|
||||
|
||||
@ -312,11 +327,18 @@ int RAND_DRBG_instantiate(RAND_DRBG *drbg,
|
||||
max_entropylen += drbg->max_noncelen;
|
||||
}
|
||||
|
||||
drbg->reseed_next_counter = tsan_load(&drbg->reseed_prop_counter);
|
||||
if (drbg->reseed_next_counter) {
|
||||
drbg->reseed_next_counter++;
|
||||
if(!drbg->reseed_next_counter)
|
||||
drbg->reseed_next_counter = 1;
|
||||
}
|
||||
|
||||
if (drbg->get_entropy != NULL)
|
||||
entropylen = drbg->get_entropy(drbg, &entropy, min_entropy,
|
||||
min_entropylen, max_entropylen, 0);
|
||||
if (entropylen < min_entropylen
|
||||
|| entropylen > max_entropylen) {
|
||||
|| entropylen > max_entropylen) {
|
||||
RANDerr(RAND_F_RAND_DRBG_INSTANTIATE, RAND_R_ERROR_RETRIEVING_ENTROPY);
|
||||
goto end;
|
||||
}
|
||||
@ -337,29 +359,15 @@ int RAND_DRBG_instantiate(RAND_DRBG *drbg,
|
||||
}
|
||||
|
||||
drbg->state = DRBG_READY;
|
||||
drbg->generate_counter = 0;
|
||||
drbg->reseed_gen_counter = 1;
|
||||
drbg->reseed_time = time(NULL);
|
||||
if (drbg->reseed_counter > 0) {
|
||||
if (drbg->parent == NULL)
|
||||
drbg->reseed_counter++;
|
||||
else
|
||||
drbg->reseed_counter = drbg->parent->reseed_counter;
|
||||
}
|
||||
tsan_store(&drbg->reseed_prop_counter, drbg->reseed_next_counter);
|
||||
|
||||
end:
|
||||
end:
|
||||
if (entropy != NULL && drbg->cleanup_entropy != NULL)
|
||||
drbg->cleanup_entropy(drbg, entropy, entropylen);
|
||||
if (nonce != NULL && drbg->cleanup_nonce!= NULL )
|
||||
if (nonce != NULL && drbg->cleanup_nonce != NULL)
|
||||
drbg->cleanup_nonce(drbg, nonce, noncelen);
|
||||
if (drbg->pool != NULL) {
|
||||
if (drbg->state == DRBG_READY) {
|
||||
RANDerr(RAND_F_RAND_DRBG_INSTANTIATE,
|
||||
RAND_R_ERROR_ENTROPY_POOL_WAS_IGNORED);
|
||||
drbg->state = DRBG_ERROR;
|
||||
}
|
||||
rand_pool_free(drbg->pool);
|
||||
drbg->pool = NULL;
|
||||
}
|
||||
if (drbg->state == DRBG_READY)
|
||||
return 1;
|
||||
return 0;
|
||||
@ -375,6 +383,7 @@ int RAND_DRBG_instantiate(RAND_DRBG *drbg,
|
||||
int RAND_DRBG_uninstantiate(RAND_DRBG *drbg)
|
||||
{
|
||||
if (drbg->meth == NULL) {
|
||||
drbg->state = DRBG_ERROR;
|
||||
RANDerr(RAND_F_RAND_DRBG_UNINSTANTIATE,
|
||||
RAND_R_NO_DRBG_IMPLEMENTATION_SELECTED);
|
||||
return 0;
|
||||
@ -419,13 +428,21 @@ int RAND_DRBG_reseed(RAND_DRBG *drbg,
|
||||
}
|
||||
|
||||
drbg->state = DRBG_ERROR;
|
||||
|
||||
drbg->reseed_next_counter = tsan_load(&drbg->reseed_prop_counter);
|
||||
if (drbg->reseed_next_counter) {
|
||||
drbg->reseed_next_counter++;
|
||||
if(!drbg->reseed_next_counter)
|
||||
drbg->reseed_next_counter = 1;
|
||||
}
|
||||
|
||||
if (drbg->get_entropy != NULL)
|
||||
entropylen = drbg->get_entropy(drbg, &entropy, drbg->strength,
|
||||
drbg->min_entropylen,
|
||||
drbg->max_entropylen,
|
||||
prediction_resistance);
|
||||
if (entropylen < drbg->min_entropylen
|
||||
|| entropylen > drbg->max_entropylen) {
|
||||
|| entropylen > drbg->max_entropylen) {
|
||||
RANDerr(RAND_F_RAND_DRBG_RESEED, RAND_R_ERROR_RETRIEVING_ENTROPY);
|
||||
goto end;
|
||||
}
|
||||
@ -434,16 +451,11 @@ int RAND_DRBG_reseed(RAND_DRBG *drbg,
|
||||
goto end;
|
||||
|
||||
drbg->state = DRBG_READY;
|
||||
drbg->generate_counter = 0;
|
||||
drbg->reseed_gen_counter = 1;
|
||||
drbg->reseed_time = time(NULL);
|
||||
if (drbg->reseed_counter > 0) {
|
||||
if (drbg->parent == NULL)
|
||||
drbg->reseed_counter++;
|
||||
else
|
||||
drbg->reseed_counter = drbg->parent->reseed_counter;
|
||||
}
|
||||
tsan_store(&drbg->reseed_prop_counter, drbg->reseed_next_counter);
|
||||
|
||||
end:
|
||||
end:
|
||||
if (entropy != NULL && drbg->cleanup_entropy != NULL)
|
||||
drbg->cleanup_entropy(drbg, entropy, entropylen);
|
||||
if (drbg->state == DRBG_READY)
|
||||
@ -475,10 +487,12 @@ int rand_drbg_restart(RAND_DRBG *drbg,
|
||||
const unsigned char *adin = NULL;
|
||||
size_t adinlen = 0;
|
||||
|
||||
if (drbg->pool != NULL) {
|
||||
if (drbg->seed_pool != NULL) {
|
||||
RANDerr(RAND_F_RAND_DRBG_RESTART, ERR_R_INTERNAL_ERROR);
|
||||
rand_pool_free(drbg->pool);
|
||||
drbg->pool = NULL;
|
||||
drbg->state = DRBG_ERROR;
|
||||
rand_pool_free(drbg->seed_pool);
|
||||
drbg->seed_pool = NULL;
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (buffer != NULL) {
|
||||
@ -486,24 +500,25 @@ int rand_drbg_restart(RAND_DRBG *drbg,
|
||||
if (drbg->max_entropylen < len) {
|
||||
RANDerr(RAND_F_RAND_DRBG_RESTART,
|
||||
RAND_R_ENTROPY_INPUT_TOO_LONG);
|
||||
drbg->state = DRBG_ERROR;
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (entropy > 8 * len) {
|
||||
RANDerr(RAND_F_RAND_DRBG_RESTART, RAND_R_ENTROPY_OUT_OF_RANGE);
|
||||
drbg->state = DRBG_ERROR;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* will be picked up by the rand_drbg_get_entropy() callback */
|
||||
drbg->pool = rand_pool_new(entropy, len, len);
|
||||
if (drbg->pool == NULL)
|
||||
drbg->seed_pool = rand_pool_attach(buffer, len, entropy);
|
||||
if (drbg->seed_pool == NULL)
|
||||
return 0;
|
||||
|
||||
rand_pool_add(drbg->pool, buffer, len, entropy);
|
||||
} else {
|
||||
if (drbg->max_adinlen < len) {
|
||||
RANDerr(RAND_F_RAND_DRBG_RESTART,
|
||||
RAND_R_ADDITIONAL_INPUT_TOO_LONG);
|
||||
drbg->state = DRBG_ERROR;
|
||||
return 0;
|
||||
}
|
||||
adin = buffer;
|
||||
@ -543,14 +558,8 @@ int rand_drbg_restart(RAND_DRBG *drbg,
|
||||
}
|
||||
}
|
||||
|
||||
/* check whether a given entropy pool was cleared properly during reseed */
|
||||
if (drbg->pool != NULL) {
|
||||
drbg->state = DRBG_ERROR;
|
||||
RANDerr(RAND_F_RAND_DRBG_RESTART, ERR_R_INTERNAL_ERROR);
|
||||
rand_pool_free(drbg->pool);
|
||||
drbg->pool = NULL;
|
||||
return 0;
|
||||
}
|
||||
rand_pool_free(drbg->seed_pool);
|
||||
drbg->seed_pool = NULL;
|
||||
|
||||
return drbg->state == DRBG_READY;
|
||||
}
|
||||
@ -600,7 +609,7 @@ int RAND_DRBG_generate(RAND_DRBG *drbg, unsigned char *out, size_t outlen,
|
||||
}
|
||||
|
||||
if (drbg->reseed_interval > 0) {
|
||||
if (drbg->generate_counter >= drbg->reseed_interval)
|
||||
if (drbg->reseed_gen_counter >= drbg->reseed_interval)
|
||||
reseed_required = 1;
|
||||
}
|
||||
if (drbg->reseed_time_interval > 0) {
|
||||
@ -609,8 +618,11 @@ int RAND_DRBG_generate(RAND_DRBG *drbg, unsigned char *out, size_t outlen,
|
||||
|| now - drbg->reseed_time >= drbg->reseed_time_interval)
|
||||
reseed_required = 1;
|
||||
}
|
||||
if (drbg->reseed_counter > 0 && drbg->parent != NULL) {
|
||||
if (drbg->reseed_counter != drbg->parent->reseed_counter)
|
||||
if (drbg->parent != NULL) {
|
||||
unsigned int reseed_counter = tsan_load(&drbg->reseed_prop_counter);
|
||||
if (reseed_counter > 0
|
||||
&& tsan_load(&drbg->parent->reseed_prop_counter)
|
||||
!= reseed_counter)
|
||||
reseed_required = 1;
|
||||
}
|
||||
|
||||
@ -629,7 +641,7 @@ int RAND_DRBG_generate(RAND_DRBG *drbg, unsigned char *out, size_t outlen,
|
||||
return 0;
|
||||
}
|
||||
|
||||
drbg->generate_counter++;
|
||||
drbg->reseed_gen_counter++;
|
||||
|
||||
return 1;
|
||||
}
|
||||
@ -647,9 +659,18 @@ int RAND_DRBG_bytes(RAND_DRBG *drbg, unsigned char *out, size_t outlen)
|
||||
unsigned char *additional = NULL;
|
||||
size_t additional_len;
|
||||
size_t chunk;
|
||||
size_t ret;
|
||||
size_t ret = 0;
|
||||
|
||||
additional_len = rand_drbg_get_additional_data(&additional, drbg->max_adinlen);
|
||||
if (drbg->adin_pool == NULL) {
|
||||
if (drbg->type == 0)
|
||||
goto err;
|
||||
drbg->adin_pool = rand_pool_new(0, 0, drbg->max_adinlen);
|
||||
if (drbg->adin_pool == NULL)
|
||||
goto err;
|
||||
}
|
||||
|
||||
additional_len = rand_drbg_get_additional_data(drbg->adin_pool,
|
||||
&additional);
|
||||
|
||||
for ( ; outlen > 0; outlen -= chunk, out += chunk) {
|
||||
chunk = outlen;
|
||||
@ -661,9 +682,9 @@ int RAND_DRBG_bytes(RAND_DRBG *drbg, unsigned char *out, size_t outlen)
|
||||
}
|
||||
ret = 1;
|
||||
|
||||
err:
|
||||
if (additional_len != 0)
|
||||
OPENSSL_secure_clear_free(additional, additional_len);
|
||||
err:
|
||||
if (additional != NULL)
|
||||
rand_drbg_cleanup_additional_data(drbg->adin_pool, additional);
|
||||
|
||||
return ret;
|
||||
}
|
||||
@ -682,7 +703,8 @@ int RAND_DRBG_set_callbacks(RAND_DRBG *drbg,
|
||||
RAND_DRBG_get_nonce_fn get_nonce,
|
||||
RAND_DRBG_cleanup_nonce_fn cleanup_nonce)
|
||||
{
|
||||
if (drbg->state != DRBG_UNINITIALISED)
|
||||
if (drbg->state != DRBG_UNINITIALISED
|
||||
|| drbg->parent != NULL)
|
||||
return 0;
|
||||
drbg->get_entropy = get_entropy;
|
||||
drbg->cleanup_entropy = cleanup_entropy;
|
||||
@ -859,7 +881,7 @@ static RAND_DRBG *drbg_setup(RAND_DRBG *parent)
|
||||
goto err;
|
||||
|
||||
/* enable seed propagation */
|
||||
drbg->reseed_counter = 1;
|
||||
tsan_store(&drbg->reseed_prop_counter, 1);
|
||||
|
||||
/*
|
||||
* Ignore instantiation error to support just-in-time instantiation.
|
||||
@ -948,11 +970,49 @@ static int drbg_bytes(unsigned char *out, int count)
|
||||
return ret;
|
||||
}
|
||||
|
||||
/*
|
||||
* Calculates the minimum length of a full entropy buffer
|
||||
* which is necessary to seed (i.e. instantiate) the DRBG
|
||||
* successfully.
|
||||
*/
|
||||
size_t rand_drbg_seedlen(RAND_DRBG *drbg)
|
||||
{
|
||||
/*
|
||||
* If no os entropy source is available then RAND_seed(buffer, bufsize)
|
||||
* is expected to succeed if and only if the buffer length satisfies
|
||||
* the following requirements, which follow from the calculations
|
||||
* in RAND_DRBG_instantiate().
|
||||
*/
|
||||
size_t min_entropy = drbg->strength;
|
||||
size_t min_entropylen = drbg->min_entropylen;
|
||||
|
||||
/*
|
||||
* Extra entropy for the random nonce in the absence of a
|
||||
* get_nonce callback, see comment in RAND_DRBG_instantiate().
|
||||
*/
|
||||
if (drbg->min_noncelen > 0 && drbg->get_nonce == NULL) {
|
||||
min_entropy += drbg->strength / 2;
|
||||
min_entropylen += drbg->min_noncelen;
|
||||
}
|
||||
|
||||
/*
|
||||
* Convert entropy requirement from bits to bytes
|
||||
* (dividing by 8 without rounding upwards, because
|
||||
* all entropy requirements are divisible by 8).
|
||||
*/
|
||||
min_entropy >>= 3;
|
||||
|
||||
/* Return a value that satisfies both requirements */
|
||||
return min_entropy > min_entropylen ? min_entropy : min_entropylen;
|
||||
}
|
||||
|
||||
/* Implements the default OpenSSL RAND_add() method */
|
||||
static int drbg_add(const void *buf, int num, double randomness)
|
||||
{
|
||||
int ret = 0;
|
||||
RAND_DRBG *drbg = RAND_DRBG_get0_master();
|
||||
size_t buflen;
|
||||
size_t seedlen;
|
||||
|
||||
if (drbg == NULL)
|
||||
return 0;
|
||||
@ -960,20 +1020,49 @@ static int drbg_add(const void *buf, int num, double randomness)
|
||||
if (num < 0 || randomness < 0.0)
|
||||
return 0;
|
||||
|
||||
if (randomness > (double)drbg->max_entropylen) {
|
||||
rand_drbg_lock(drbg);
|
||||
seedlen = rand_drbg_seedlen(drbg);
|
||||
|
||||
buflen = (size_t)num;
|
||||
|
||||
if (buflen < seedlen || randomness < (double) seedlen) {
|
||||
#if defined(OPENSSL_RAND_SEED_NONE)
|
||||
/*
|
||||
* If no os entropy source is available, a reseeding will fail
|
||||
* inevitably. So we use a trick to mix the buffer contents into
|
||||
* the DRBG state without forcing a reseeding: we generate a
|
||||
* dummy random byte, using the buffer content as additional data.
|
||||
* Note: This won't work with RAND_DRBG_FLAG_CTR_NO_DF.
|
||||
*/
|
||||
unsigned char dummy[1];
|
||||
|
||||
ret = RAND_DRBG_generate(drbg, dummy, sizeof(dummy), 0, buf, buflen);
|
||||
rand_drbg_unlock(drbg);
|
||||
return ret;
|
||||
#else
|
||||
/*
|
||||
* If an os entropy source is avaible then we declare the buffer content
|
||||
* as additional data by setting randomness to zero and trigger a regular
|
||||
* reseeding.
|
||||
*/
|
||||
randomness = 0.0;
|
||||
#endif
|
||||
}
|
||||
|
||||
|
||||
if (randomness > (double)seedlen) {
|
||||
/*
|
||||
* The purpose of this check is to bound |randomness| by a
|
||||
* relatively small value in order to prevent an integer
|
||||
* overflow when multiplying by 8 in the rand_drbg_restart()
|
||||
* call below.
|
||||
* call below. Note that randomness is measured in bytes,
|
||||
* not bits, so this value corresponds to eight times the
|
||||
* security strength.
|
||||
*/
|
||||
return 0;
|
||||
randomness = (double)seedlen;
|
||||
}
|
||||
|
||||
rand_drbg_lock(drbg);
|
||||
ret = rand_drbg_restart(drbg, buf,
|
||||
(size_t)(unsigned int)num,
|
||||
(size_t)(8*randomness));
|
||||
ret = rand_drbg_restart(drbg, buf, buflen, (size_t)(8 * randomness));
|
||||
rand_drbg_unlock(drbg);
|
||||
|
||||
return ret;
|
||||
|
@ -44,6 +44,7 @@ static const ERR_STRING_DATA RAND_str_functs[] = {
|
||||
{ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_POOL_ADD_BEGIN, 0),
|
||||
"rand_pool_add_begin"},
|
||||
{ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_POOL_ADD_END, 0), "rand_pool_add_end"},
|
||||
{ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_POOL_ATTACH, 0), "rand_pool_attach"},
|
||||
{ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_POOL_BYTES_NEEDED, 0),
|
||||
"rand_pool_bytes_needed"},
|
||||
{ERR_PACK(ERR_LIB_RAND, RAND_F_RAND_POOL_NEW, 0), "rand_pool_new"},
|
||||
|
@ -16,6 +16,9 @@
|
||||
# include <openssl/hmac.h>
|
||||
# include <openssl/ec.h>
|
||||
# include <openssl/rand_drbg.h>
|
||||
# include "internal/tsan_assist.h"
|
||||
|
||||
# include "internal/numbers.h"
|
||||
|
||||
/* How many times to read the TSC as a randomness source. */
|
||||
# define TSC_READ_COUNT 4
|
||||
@ -32,18 +35,42 @@
|
||||
|
||||
|
||||
|
||||
/* Max size of additional input and personalization string. */
|
||||
# define DRBG_MAX_LENGTH 4096
|
||||
/*
|
||||
* Maximum input size for the DRBG (entropy, nonce, personalization string)
|
||||
*
|
||||
* NIST SP800 90Ar1 allows a maximum of (1 << 35) bits i.e., (1 << 32) bytes.
|
||||
*
|
||||
* We lower it to 'only' INT32_MAX bytes, which is equivalent to 2 gigabytes.
|
||||
*/
|
||||
# define DRBG_MAX_LENGTH INT32_MAX
|
||||
|
||||
|
||||
|
||||
/*
|
||||
* The quotient between max_{entropy,nonce}len and min_{entropy,nonce}len
|
||||
* Maximum allocation size for RANDOM_POOL buffers
|
||||
*
|
||||
* The current factor is large enough that the RAND_POOL can store a
|
||||
* random input which has a lousy entropy rate of 0.0625 bits per byte.
|
||||
* This input will be sent through the derivation function which 'compresses'
|
||||
* the low quality input into a high quality output.
|
||||
* The max_len value for the buffer provided to the rand_drbg_get_entropy()
|
||||
* callback is currently 2^31 bytes (2 gigabytes), if a derivation function
|
||||
* is used. Since this is much too large to be allocated, the rand_pool_new()
|
||||
* function chooses more modest values as default pool length, bounded
|
||||
* by RAND_POOL_MIN_LENGTH and RAND_POOL_MAX_LENGTH
|
||||
*
|
||||
* The choice of the RAND_POOL_FACTOR is large enough such that the
|
||||
* RAND_POOL can store a random input which has a lousy entropy rate of
|
||||
* 8/256 (= 0.03125) bits per byte. This input will be sent through the
|
||||
* derivation function which 'compresses' the low quality input into a
|
||||
* high quality output.
|
||||
*
|
||||
* The factor 1.5 below is the pessimistic estimate for the extra amount
|
||||
* of entropy required when no get_nonce() callback is defined.
|
||||
*/
|
||||
# define RAND_POOL_FACTOR 256
|
||||
# define RAND_POOL_MAX_LENGTH (RAND_POOL_FACTOR * \
|
||||
3 * (RAND_DRBG_STRENGTH / 16))
|
||||
/*
|
||||
* = (RAND_POOL_FACTOR * \
|
||||
* 1.5 * (RAND_DRBG_STRENGTH / 8))
|
||||
*/
|
||||
# define DRBG_MINMAX_FACTOR 128
|
||||
|
||||
|
||||
/* DRBG status values */
|
||||
@ -54,7 +81,7 @@ typedef enum drbg_status_e {
|
||||
} DRBG_STATUS;
|
||||
|
||||
|
||||
/* intantiate */
|
||||
/* instantiate */
|
||||
typedef int (*RAND_DRBG_instantiate_fn)(RAND_DRBG *ctx,
|
||||
const unsigned char *ent,
|
||||
size_t entlen,
|
||||
@ -68,7 +95,7 @@ typedef int (*RAND_DRBG_reseed_fn)(RAND_DRBG *ctx,
|
||||
size_t entlen,
|
||||
const unsigned char *adin,
|
||||
size_t adinlen);
|
||||
/* generat output */
|
||||
/* generate output */
|
||||
typedef int (*RAND_DRBG_generate_fn)(RAND_DRBG *ctx,
|
||||
unsigned char *out,
|
||||
size_t outlen,
|
||||
@ -122,10 +149,12 @@ struct rand_pool_st {
|
||||
unsigned char *buffer; /* points to the beginning of the random pool */
|
||||
size_t len; /* current number of random bytes contained in the pool */
|
||||
|
||||
int attached; /* true pool was attached to existing buffer */
|
||||
|
||||
size_t min_len; /* minimum number of random bytes requested */
|
||||
size_t max_len; /* maximum number of random bytes (allocated buffer size) */
|
||||
size_t entropy; /* current entropy count in bits */
|
||||
size_t requested_entropy; /* requested entropy count in bits */
|
||||
size_t entropy_requested; /* requested entropy count in bits */
|
||||
};
|
||||
|
||||
/*
|
||||
@ -139,7 +168,7 @@ struct rand_drbg_st {
|
||||
int type; /* the nid of the underlying algorithm */
|
||||
/*
|
||||
* Stores the value of the rand_fork_count global as of when we last
|
||||
* reseeded. The DRG reseeds automatically whenever drbg->fork_count !=
|
||||
* reseeded. The DRBG reseeds automatically whenever drbg->fork_count !=
|
||||
* rand_fork_count. Used to provide fork-safety and reseed this DRBG in
|
||||
* the child process.
|
||||
*/
|
||||
@ -147,14 +176,19 @@ struct rand_drbg_st {
|
||||
unsigned short flags; /* various external flags */
|
||||
|
||||
/*
|
||||
* The random pool is used by RAND_add()/drbg_add() to attach random
|
||||
* The random_data is used by RAND_add()/drbg_add() to attach random
|
||||
* data to the global drbg, such that the rand_drbg_get_entropy() callback
|
||||
* can pull it during instantiation and reseeding. This is necessary to
|
||||
* reconcile the different philosophies of the RAND and the RAND_DRBG
|
||||
* with respect to how randomness is added to the RNG during reseeding
|
||||
* (see PR #4328).
|
||||
*/
|
||||
struct rand_pool_st *pool;
|
||||
struct rand_pool_st *seed_pool;
|
||||
|
||||
/*
|
||||
* Auxiliary pool for additional data.
|
||||
*/
|
||||
struct rand_pool_st *adin_pool;
|
||||
|
||||
/*
|
||||
* The following parameters are setup by the per-type "init" function.
|
||||
@ -180,7 +214,7 @@ struct rand_drbg_st {
|
||||
size_t max_perslen, max_adinlen;
|
||||
|
||||
/* Counts the number of generate requests since the last reseed. */
|
||||
unsigned int generate_counter;
|
||||
unsigned int reseed_gen_counter;
|
||||
/*
|
||||
* Maximum number of generate requests until a reseed is required.
|
||||
* This value is ignored if it is zero.
|
||||
@ -203,7 +237,8 @@ struct rand_drbg_st {
|
||||
* is added by RAND_add() or RAND_seed() will have an immediate effect on
|
||||
* the output of RAND_bytes() resp. RAND_priv_bytes().
|
||||
*/
|
||||
unsigned int reseed_counter;
|
||||
TSAN_QUALIFIER unsigned int reseed_prop_counter;
|
||||
unsigned int reseed_next_counter;
|
||||
|
||||
size_t seedlen;
|
||||
DRBG_STATUS state;
|
||||
@ -245,7 +280,7 @@ extern int rand_fork_count;
|
||||
/* DRBG helpers */
|
||||
int rand_drbg_restart(RAND_DRBG *drbg,
|
||||
const unsigned char *buffer, size_t len, size_t entropy);
|
||||
|
||||
size_t rand_drbg_seedlen(RAND_DRBG *drbg);
|
||||
/* locking api */
|
||||
int rand_drbg_lock(RAND_DRBG *drbg);
|
||||
int rand_drbg_unlock(RAND_DRBG *drbg);
|
||||
|
@ -31,7 +31,7 @@ int rand_fork_count;
|
||||
static CRYPTO_RWLOCK *rand_nonce_lock;
|
||||
static int rand_nonce_count;
|
||||
|
||||
static int rand_cleaning_up = 0;
|
||||
static int rand_inited = 0;
|
||||
|
||||
#ifdef OPENSSL_RAND_SEED_RDTSC
|
||||
/*
|
||||
@ -146,17 +146,13 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
|
||||
return 0;
|
||||
}
|
||||
|
||||
pool = rand_pool_new(entropy, min_len, max_len);
|
||||
if (pool == NULL)
|
||||
return 0;
|
||||
|
||||
if (drbg->pool) {
|
||||
rand_pool_add(pool,
|
||||
rand_pool_buffer(drbg->pool),
|
||||
rand_pool_length(drbg->pool),
|
||||
rand_pool_entropy(drbg->pool));
|
||||
rand_pool_free(drbg->pool);
|
||||
drbg->pool = NULL;
|
||||
if (drbg->seed_pool != NULL) {
|
||||
pool = drbg->seed_pool;
|
||||
pool->entropy_requested = entropy;
|
||||
} else {
|
||||
pool = rand_pool_new(entropy, min_len, max_len);
|
||||
if (pool == NULL)
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (drbg->parent) {
|
||||
@ -178,6 +174,8 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
|
||||
prediction_resistance,
|
||||
NULL, 0) != 0)
|
||||
bytes = bytes_needed;
|
||||
drbg->reseed_next_counter
|
||||
= tsan_load(&drbg->parent->reseed_prop_counter);
|
||||
rand_drbg_unlock(drbg->parent);
|
||||
|
||||
rand_pool_add_end(pool, bytes, 8 * bytes);
|
||||
@ -206,7 +204,8 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
|
||||
}
|
||||
|
||||
err:
|
||||
rand_pool_free(pool);
|
||||
if (drbg->seed_pool == NULL)
|
||||
rand_pool_free(pool);
|
||||
return ret;
|
||||
}
|
||||
|
||||
@ -217,7 +216,8 @@ size_t rand_drbg_get_entropy(RAND_DRBG *drbg,
|
||||
void rand_drbg_cleanup_entropy(RAND_DRBG *drbg,
|
||||
unsigned char *out, size_t outlen)
|
||||
{
|
||||
OPENSSL_secure_clear_free(out, outlen);
|
||||
if (drbg->seed_pool == NULL)
|
||||
OPENSSL_secure_clear_free(out, outlen);
|
||||
}
|
||||
|
||||
|
||||
@ -279,14 +279,9 @@ void rand_drbg_cleanup_nonce(RAND_DRBG *drbg,
|
||||
* On success it allocates a buffer at |*pout| and returns the length of
|
||||
* the data. The buffer should get freed using OPENSSL_secure_clear_free().
|
||||
*/
|
||||
size_t rand_drbg_get_additional_data(unsigned char **pout, size_t max_len)
|
||||
size_t rand_drbg_get_additional_data(RAND_POOL *pool, unsigned char **pout)
|
||||
{
|
||||
size_t ret = 0;
|
||||
RAND_POOL *pool;
|
||||
|
||||
pool = rand_pool_new(0, 0, max_len);
|
||||
if (pool == NULL)
|
||||
return 0;
|
||||
|
||||
if (rand_pool_add_additional_data(pool) == 0)
|
||||
goto err;
|
||||
@ -295,14 +290,12 @@ size_t rand_drbg_get_additional_data(unsigned char **pout, size_t max_len)
|
||||
*pout = rand_pool_detach(pool);
|
||||
|
||||
err:
|
||||
rand_pool_free(pool);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
void rand_drbg_cleanup_additional_data(unsigned char *out, size_t outlen)
|
||||
void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out)
|
||||
{
|
||||
OPENSSL_secure_clear_free(out, outlen);
|
||||
rand_pool_reattach(pool, out);
|
||||
}
|
||||
|
||||
void rand_fork(void)
|
||||
@ -326,13 +319,15 @@ DEFINE_RUN_ONCE_STATIC(do_rand_init)
|
||||
if (rand_nonce_lock == NULL)
|
||||
goto err2;
|
||||
|
||||
if (!rand_cleaning_up && !rand_pool_init())
|
||||
if (!rand_pool_init())
|
||||
goto err3;
|
||||
|
||||
rand_inited = 1;
|
||||
return 1;
|
||||
|
||||
err3:
|
||||
rand_pool_cleanup();
|
||||
CRYPTO_THREAD_lock_free(rand_nonce_lock);
|
||||
rand_nonce_lock = NULL;
|
||||
err2:
|
||||
CRYPTO_THREAD_lock_free(rand_meth_lock);
|
||||
rand_meth_lock = NULL;
|
||||
@ -348,7 +343,8 @@ void rand_cleanup_int(void)
|
||||
{
|
||||
const RAND_METHOD *meth = default_RAND_meth;
|
||||
|
||||
rand_cleaning_up = 1;
|
||||
if (!rand_inited)
|
||||
return;
|
||||
|
||||
if (meth != NULL && meth->cleanup != NULL)
|
||||
meth->cleanup();
|
||||
@ -362,6 +358,7 @@ void rand_cleanup_int(void)
|
||||
rand_meth_lock = NULL;
|
||||
CRYPTO_THREAD_lock_free(rand_nonce_lock);
|
||||
rand_nonce_lock = NULL;
|
||||
rand_inited = 0;
|
||||
}
|
||||
|
||||
/*
|
||||
@ -370,7 +367,8 @@ void rand_cleanup_int(void)
|
||||
*/
|
||||
void RAND_keep_random_devices_open(int keep)
|
||||
{
|
||||
rand_pool_keep_random_devices_open(keep);
|
||||
if (RUN_ONCE(&rand_init, do_rand_init))
|
||||
rand_pool_keep_random_devices_open(keep);
|
||||
}
|
||||
|
||||
/*
|
||||
@ -405,7 +403,7 @@ int RAND_poll(void)
|
||||
/* fill random pool and seed the current legacy RNG */
|
||||
pool = rand_pool_new(RAND_DRBG_STRENGTH,
|
||||
RAND_DRBG_STRENGTH / 8,
|
||||
DRBG_MINMAX_FACTOR * (RAND_DRBG_STRENGTH / 8));
|
||||
RAND_POOL_MAX_LENGTH);
|
||||
if (pool == NULL)
|
||||
return 0;
|
||||
|
||||
@ -430,17 +428,18 @@ int RAND_poll(void)
|
||||
* Allocate memory and initialize a new random pool
|
||||
*/
|
||||
|
||||
RAND_POOL *rand_pool_new(int entropy, size_t min_len, size_t max_len)
|
||||
RAND_POOL *rand_pool_new(int entropy_requested, size_t min_len, size_t max_len)
|
||||
{
|
||||
RAND_POOL *pool = OPENSSL_zalloc(sizeof(*pool));
|
||||
|
||||
if (pool == NULL) {
|
||||
RANDerr(RAND_F_RAND_POOL_NEW, ERR_R_MALLOC_FAILURE);
|
||||
goto err;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
pool->min_len = min_len;
|
||||
pool->max_len = max_len;
|
||||
pool->max_len = (max_len > RAND_POOL_MAX_LENGTH) ?
|
||||
RAND_POOL_MAX_LENGTH : max_len;
|
||||
|
||||
pool->buffer = OPENSSL_secure_zalloc(pool->max_len);
|
||||
if (pool->buffer == NULL) {
|
||||
@ -448,7 +447,7 @@ RAND_POOL *rand_pool_new(int entropy, size_t min_len, size_t max_len)
|
||||
goto err;
|
||||
}
|
||||
|
||||
pool->requested_entropy = entropy;
|
||||
pool->entropy_requested = entropy_requested;
|
||||
|
||||
return pool;
|
||||
|
||||
@ -457,6 +456,38 @@ RAND_POOL *rand_pool_new(int entropy, size_t min_len, size_t max_len)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/*
|
||||
* Attach new random pool to the given buffer
|
||||
*
|
||||
* This function is intended to be used only for feeding random data
|
||||
* provided by RAND_add() and RAND_seed() into the <master> DRBG.
|
||||
*/
|
||||
RAND_POOL *rand_pool_attach(const unsigned char *buffer, size_t len,
|
||||
size_t entropy)
|
||||
{
|
||||
RAND_POOL *pool = OPENSSL_zalloc(sizeof(*pool));
|
||||
|
||||
if (pool == NULL) {
|
||||
RANDerr(RAND_F_RAND_POOL_ATTACH, ERR_R_MALLOC_FAILURE);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/*
|
||||
* The const needs to be cast away, but attached buffers will not be
|
||||
* modified (in contrary to allocated buffers which are zeroed and
|
||||
* freed in the end).
|
||||
*/
|
||||
pool->buffer = (unsigned char *) buffer;
|
||||
pool->len = len;
|
||||
|
||||
pool->attached = 1;
|
||||
|
||||
pool->min_len = pool->max_len = pool->len;
|
||||
pool->entropy = entropy;
|
||||
|
||||
return pool;
|
||||
}
|
||||
|
||||
/*
|
||||
* Free |pool|, securely erasing its buffer.
|
||||
*/
|
||||
@ -465,7 +496,14 @@ void rand_pool_free(RAND_POOL *pool)
|
||||
if (pool == NULL)
|
||||
return;
|
||||
|
||||
OPENSSL_secure_clear_free(pool->buffer, pool->max_len);
|
||||
/*
|
||||
* Although it would be advisable from a cryptographical viewpoint,
|
||||
* we are not allowed to clear attached buffers, since they are passed
|
||||
* to rand_pool_attach() as `const unsigned char*`.
|
||||
* (see corresponding comment in rand_pool_attach()).
|
||||
*/
|
||||
if (!pool->attached)
|
||||
OPENSSL_secure_clear_free(pool->buffer, pool->max_len);
|
||||
OPENSSL_free(pool);
|
||||
}
|
||||
|
||||
@ -496,15 +534,27 @@ size_t rand_pool_length(RAND_POOL *pool)
|
||||
/*
|
||||
* Detach the |pool| buffer and return it to the caller.
|
||||
* It's the responsibility of the caller to free the buffer
|
||||
* using OPENSSL_secure_clear_free().
|
||||
* using OPENSSL_secure_clear_free() or to re-attach it
|
||||
* again to the pool using rand_pool_reattach().
|
||||
*/
|
||||
unsigned char *rand_pool_detach(RAND_POOL *pool)
|
||||
{
|
||||
unsigned char *ret = pool->buffer;
|
||||
pool->buffer = NULL;
|
||||
pool->entropy = 0;
|
||||
return ret;
|
||||
}
|
||||
|
||||
/*
|
||||
* Re-attach the |pool| buffer. It is only allowed to pass
|
||||
* the |buffer| which was previously detached from the same pool.
|
||||
*/
|
||||
void rand_pool_reattach(RAND_POOL *pool, unsigned char *buffer)
|
||||
{
|
||||
pool->buffer = buffer;
|
||||
OPENSSL_cleanse(pool->buffer, pool->len);
|
||||
pool->len = 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* If |entropy_factor| bits contain 1 bit of entropy, how many bytes does one
|
||||
@ -524,7 +574,7 @@ unsigned char *rand_pool_detach(RAND_POOL *pool)
|
||||
*/
|
||||
size_t rand_pool_entropy_available(RAND_POOL *pool)
|
||||
{
|
||||
if (pool->entropy < pool->requested_entropy)
|
||||
if (pool->entropy < pool->entropy_requested)
|
||||
return 0;
|
||||
|
||||
if (pool->len < pool->min_len)
|
||||
@ -540,8 +590,8 @@ size_t rand_pool_entropy_available(RAND_POOL *pool)
|
||||
|
||||
size_t rand_pool_entropy_needed(RAND_POOL *pool)
|
||||
{
|
||||
if (pool->entropy < pool->requested_entropy)
|
||||
return pool->requested_entropy - pool->entropy;
|
||||
if (pool->entropy < pool->entropy_requested)
|
||||
return pool->entropy_requested - pool->entropy;
|
||||
|
||||
return 0;
|
||||
}
|
||||
@ -601,6 +651,11 @@ int rand_pool_add(RAND_POOL *pool,
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (pool->buffer == NULL) {
|
||||
RANDerr(RAND_F_RAND_POOL_ADD, ERR_R_INTERNAL_ERROR);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (len > 0) {
|
||||
memcpy(pool->buffer + pool->len, buffer, len);
|
||||
pool->len += len;
|
||||
@ -632,6 +687,11 @@ unsigned char *rand_pool_add_begin(RAND_POOL *pool, size_t len)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (pool->buffer == NULL) {
|
||||
RANDerr(RAND_F_RAND_POOL_ADD_BEGIN, ERR_R_INTERNAL_ERROR);
|
||||
return 0;
|
||||
}
|
||||
|
||||
return pool->buffer + pool->len;
|
||||
}
|
||||
|
||||
|
@ -77,6 +77,17 @@ static uint64_t get_timer_bits(void);
|
||||
# endif
|
||||
#endif /* defined(OPENSSL_SYS_UNIX) || defined(__DJGPP__) */
|
||||
|
||||
#if defined(OPENSSL_RAND_SEED_NONE)
|
||||
/* none means none. this simplifies the following logic */
|
||||
# undef OPENSSL_RAND_SEED_OS
|
||||
# undef OPENSSL_RAND_SEED_GETRANDOM
|
||||
# undef OPENSSL_RAND_SEED_LIBRANDOM
|
||||
# undef OPENSSL_RAND_SEED_DEVRANDOM
|
||||
# undef OPENSSL_RAND_SEED_RDTSC
|
||||
# undef OPENSSL_RAND_SEED_RDCPU
|
||||
# undef OPENSSL_RAND_SEED_EGD
|
||||
#endif
|
||||
|
||||
#if (defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_UEFI)) && \
|
||||
!defined(OPENSSL_RAND_SEED_NONE)
|
||||
# error "UEFI and VXWorks only support seeding NONE"
|
||||
@ -86,8 +97,6 @@ static uint64_t get_timer_bits(void);
|
||||
|| defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_VXWORKS) \
|
||||
|| defined(OPENSSL_SYS_UEFI))
|
||||
|
||||
static ssize_t syscall_random(void *buf, size_t buflen);
|
||||
|
||||
# if defined(OPENSSL_SYS_VOS)
|
||||
|
||||
# ifndef OPENSSL_RAND_SEED_OS
|
||||
@ -244,6 +253,7 @@ static ssize_t sysctl_random(char *buf, size_t buflen)
|
||||
}
|
||||
# endif
|
||||
|
||||
# if defined(OPENSSL_RAND_SEED_GETRANDOM)
|
||||
/*
|
||||
* syscall_random(): Try to get random data using a system call
|
||||
* returns the number of bytes returned in buf, or < 0 on error.
|
||||
@ -254,7 +264,7 @@ static ssize_t syscall_random(void *buf, size_t buflen)
|
||||
* Note: 'buflen' equals the size of the buffer which is used by the
|
||||
* get_entropy() callback of the RAND_DRBG. It is roughly bounded by
|
||||
*
|
||||
* 2 * DRBG_MINMAX_FACTOR * (RAND_DRBG_STRENGTH / 8) = 2^13
|
||||
* 2 * RAND_POOL_FACTOR * (RAND_DRBG_STRENGTH / 8) = 2^14
|
||||
*
|
||||
* which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion
|
||||
* between size_t and ssize_t is safe even without a range check.
|
||||
@ -302,8 +312,9 @@ static ssize_t syscall_random(void *buf, size_t buflen)
|
||||
return -1;
|
||||
# endif
|
||||
}
|
||||
# endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */
|
||||
|
||||
#if !defined(OPENSSL_RAND_SEED_NONE) && defined(OPENSSL_RAND_SEED_DEVRANDOM)
|
||||
# if defined(OPENSSL_RAND_SEED_DEVRANDOM)
|
||||
static const char *random_device_paths[] = { DEVRANDOM };
|
||||
static struct random_device {
|
||||
int fd;
|
||||
@ -375,21 +386,13 @@ static void close_random_device(size_t n)
|
||||
rd->fd = -1;
|
||||
}
|
||||
|
||||
static void open_random_devices(void)
|
||||
{
|
||||
size_t i;
|
||||
|
||||
for (i = 0; i < OSSL_NELEM(random_devices); i++)
|
||||
(void)get_random_device(i);
|
||||
}
|
||||
|
||||
int rand_pool_init(void)
|
||||
{
|
||||
size_t i;
|
||||
|
||||
for (i = 0; i < OSSL_NELEM(random_devices); i++)
|
||||
random_devices[i].fd = -1;
|
||||
open_random_devices();
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
@ -403,16 +406,13 @@ void rand_pool_cleanup(void)
|
||||
|
||||
void rand_pool_keep_random_devices_open(int keep)
|
||||
{
|
||||
if (keep)
|
||||
open_random_devices();
|
||||
else
|
||||
if (!keep)
|
||||
rand_pool_cleanup();
|
||||
|
||||
keep_random_devices_open = keep;
|
||||
}
|
||||
|
||||
# else /* defined(OPENSSL_RAND_SEED_NONE)
|
||||
* || !defined(OPENSSL_RAND_SEED_DEVRANDOM)
|
||||
*/
|
||||
# else /* !defined(OPENSSL_RAND_SEED_DEVRANDOM) */
|
||||
|
||||
int rand_pool_init(void)
|
||||
{
|
||||
@ -427,9 +427,7 @@ void rand_pool_keep_random_devices_open(int keep)
|
||||
{
|
||||
}
|
||||
|
||||
# endif /* !defined(OPENSSL_RAND_SEED_NONE)
|
||||
* && defined(OPENSSL_RAND_SEED_DEVRANDOM)
|
||||
*/
|
||||
# endif /* defined(OPENSSL_RAND_SEED_DEVRANDOM) */
|
||||
|
||||
/*
|
||||
* Try the various seeding methods in turn, exit when successful.
|
||||
@ -450,14 +448,14 @@ void rand_pool_keep_random_devices_open(int keep)
|
||||
*/
|
||||
size_t rand_pool_acquire_entropy(RAND_POOL *pool)
|
||||
{
|
||||
# ifdef OPENSSL_RAND_SEED_NONE
|
||||
# if defined(OPENSSL_RAND_SEED_NONE)
|
||||
return rand_pool_entropy_available(pool);
|
||||
# else
|
||||
size_t bytes_needed;
|
||||
size_t entropy_available = 0;
|
||||
unsigned char *buffer;
|
||||
|
||||
# ifdef OPENSSL_RAND_SEED_GETRANDOM
|
||||
# if defined(OPENSSL_RAND_SEED_GETRANDOM)
|
||||
{
|
||||
ssize_t bytes;
|
||||
/* Maximum allowed number of consecutive unsuccessful attempts */
|
||||
@ -487,7 +485,7 @@ size_t rand_pool_acquire_entropy(RAND_POOL *pool)
|
||||
}
|
||||
# endif
|
||||
|
||||
# ifdef OPENSSL_RAND_SEED_DEVRANDOM
|
||||
# if defined(OPENSSL_RAND_SEED_DEVRANDOM)
|
||||
bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
|
||||
{
|
||||
size_t i;
|
||||
@ -524,19 +522,19 @@ size_t rand_pool_acquire_entropy(RAND_POOL *pool)
|
||||
}
|
||||
# endif
|
||||
|
||||
# ifdef OPENSSL_RAND_SEED_RDTSC
|
||||
# if defined(OPENSSL_RAND_SEED_RDTSC)
|
||||
entropy_available = rand_acquire_entropy_from_tsc(pool);
|
||||
if (entropy_available > 0)
|
||||
return entropy_available;
|
||||
# endif
|
||||
|
||||
# ifdef OPENSSL_RAND_SEED_RDCPU
|
||||
# if defined(OPENSSL_RAND_SEED_RDCPU)
|
||||
entropy_available = rand_acquire_entropy_from_cpu(pool);
|
||||
if (entropy_available > 0)
|
||||
return entropy_available;
|
||||
# endif
|
||||
|
||||
# ifdef OPENSSL_RAND_SEED_EGD
|
||||
# if defined(OPENSSL_RAND_SEED_EGD)
|
||||
bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
|
||||
if (bytes_needed > 0) {
|
||||
static const char *paths[] = { DEVRANDOM_EGD, NULL };
|
||||
@ -577,7 +575,7 @@ int rand_pool_add_nonce_data(RAND_POOL *pool)
|
||||
|
||||
/*
|
||||
* Add process id, thread id, and a high resolution timestamp to
|
||||
* ensure that the nonce is unique whith high probability for
|
||||
* ensure that the nonce is unique with high probability for
|
||||
* different process instances.
|
||||
*/
|
||||
data.pid = getpid();
|
||||
|
@ -16,6 +16,7 @@
|
||||
|
||||
#include <openssl/crypto.h>
|
||||
#include <openssl/rand.h>
|
||||
#include <openssl/rand_drbg.h>
|
||||
#include <openssl/buffer.h>
|
||||
|
||||
#ifdef OPENSSL_SYS_VMS
|
||||
@ -48,7 +49,7 @@
|
||||
# define S_ISREG(m) ((m) & S_IFREG)
|
||||
# endif
|
||||
|
||||
#define RAND_FILE_SIZE 1024
|
||||
#define RAND_BUF_SIZE 1024
|
||||
#define RFILE ".rnd"
|
||||
|
||||
#ifdef OPENSSL_SYS_VMS
|
||||
@ -74,7 +75,16 @@ static __FILE_ptr32 (*const vms_fopen)(const char *, const char *, ...) =
|
||||
*/
|
||||
int RAND_load_file(const char *file, long bytes)
|
||||
{
|
||||
unsigned char buf[RAND_FILE_SIZE];
|
||||
/*
|
||||
* The load buffer size exceeds the chunk size by the comfortable amount
|
||||
* of 'RAND_DRBG_STRENGTH' bytes (not bits!). This is done on purpose
|
||||
* to avoid calling RAND_add() with a small final chunk. Instead, such
|
||||
* a small final chunk will be added together with the previous chunk
|
||||
* (unless it's the only one).
|
||||
*/
|
||||
#define RAND_LOAD_BUF_SIZE (RAND_BUF_SIZE + RAND_DRBG_STRENGTH)
|
||||
unsigned char buf[RAND_LOAD_BUF_SIZE];
|
||||
|
||||
#ifndef OPENSSL_NO_POSIX_IO
|
||||
struct stat sb;
|
||||
#endif
|
||||
@ -98,8 +108,12 @@ int RAND_load_file(const char *file, long bytes)
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (!S_ISREG(sb.st_mode) && bytes < 0)
|
||||
bytes = 256;
|
||||
if (bytes < 0) {
|
||||
if (S_ISREG(sb.st_mode))
|
||||
bytes = sb.st_size;
|
||||
else
|
||||
bytes = RAND_DRBG_STRENGTH;
|
||||
}
|
||||
#endif
|
||||
/*
|
||||
* On VMS, setbuf() will only take 32-bit pointers, and a compilation
|
||||
@ -124,9 +138,9 @@ int RAND_load_file(const char *file, long bytes)
|
||||
|
||||
for ( ; ; ) {
|
||||
if (bytes > 0)
|
||||
n = (bytes < RAND_FILE_SIZE) ? (int)bytes : RAND_FILE_SIZE;
|
||||
n = (bytes <= RAND_LOAD_BUF_SIZE) ? (int)bytes : RAND_BUF_SIZE;
|
||||
else
|
||||
n = RAND_FILE_SIZE;
|
||||
n = RAND_LOAD_BUF_SIZE;
|
||||
i = fread(buf, 1, n, in);
|
||||
#ifdef EINTR
|
||||
if (ferror(in) && errno == EINTR){
|
||||
@ -148,12 +162,18 @@ int RAND_load_file(const char *file, long bytes)
|
||||
|
||||
OPENSSL_cleanse(buf, sizeof(buf));
|
||||
fclose(in);
|
||||
if (!RAND_status()) {
|
||||
RANDerr(RAND_F_RAND_LOAD_FILE, RAND_R_RESEED_ERROR);
|
||||
ERR_add_error_data(2, "Filename=", file);
|
||||
return -1;
|
||||
}
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
int RAND_write_file(const char *file)
|
||||
{
|
||||
unsigned char buf[RAND_FILE_SIZE];
|
||||
unsigned char buf[RAND_BUF_SIZE];
|
||||
int ret = -1;
|
||||
FILE *out = NULL;
|
||||
#ifndef OPENSSL_NO_POSIX_IO
|
||||
@ -222,9 +242,9 @@ int RAND_write_file(const char *file)
|
||||
chmod(file, 0600);
|
||||
#endif
|
||||
|
||||
ret = fwrite(buf, 1, RAND_FILE_SIZE, out);
|
||||
ret = fwrite(buf, 1, RAND_BUF_SIZE, out);
|
||||
fclose(out);
|
||||
OPENSSL_cleanse(buf, RAND_FILE_SIZE);
|
||||
OPENSSL_cleanse(buf, RAND_BUF_SIZE);
|
||||
return ret;
|
||||
}
|
||||
|
||||
@ -262,11 +282,9 @@ const char *RAND_file_name(char *buf, size_t size)
|
||||
}
|
||||
}
|
||||
#else
|
||||
if (OPENSSL_issetugid() != 0) {
|
||||
if ((s = ossl_safe_getenv("RANDFILE")) == NULL || *s == '\0') {
|
||||
use_randfile = 0;
|
||||
} else if ((s = getenv("RANDFILE")) == NULL || *s == '\0') {
|
||||
use_randfile = 0;
|
||||
s = getenv("HOME");
|
||||
s = ossl_safe_getenv("HOME");
|
||||
}
|
||||
#endif
|
||||
|
||||
|
@ -125,8 +125,8 @@ void RSA_free(RSA *r)
|
||||
|
||||
CRYPTO_THREAD_lock_free(r->lock);
|
||||
|
||||
BN_clear_free(r->n);
|
||||
BN_clear_free(r->e);
|
||||
BN_free(r->n);
|
||||
BN_free(r->e);
|
||||
BN_clear_free(r->d);
|
||||
BN_clear_free(r->p);
|
||||
BN_clear_free(r->q);
|
||||
@ -196,7 +196,7 @@ int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
|
||||
r->e = e;
|
||||
}
|
||||
if (d != NULL) {
|
||||
BN_free(r->d);
|
||||
BN_clear_free(r->d);
|
||||
r->d = d;
|
||||
}
|
||||
|
||||
@ -213,11 +213,11 @@ int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
|
||||
return 0;
|
||||
|
||||
if (p != NULL) {
|
||||
BN_free(r->p);
|
||||
BN_clear_free(r->p);
|
||||
r->p = p;
|
||||
}
|
||||
if (q != NULL) {
|
||||
BN_free(r->q);
|
||||
BN_clear_free(r->q);
|
||||
r->q = q;
|
||||
}
|
||||
|
||||
@ -235,15 +235,15 @@ int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
|
||||
return 0;
|
||||
|
||||
if (dmp1 != NULL) {
|
||||
BN_free(r->dmp1);
|
||||
BN_clear_free(r->dmp1);
|
||||
r->dmp1 = dmp1;
|
||||
}
|
||||
if (dmq1 != NULL) {
|
||||
BN_free(r->dmq1);
|
||||
BN_clear_free(r->dmq1);
|
||||
r->dmq1 = dmq1;
|
||||
}
|
||||
if (iqmp != NULL) {
|
||||
BN_free(r->iqmp);
|
||||
BN_clear_free(r->iqmp);
|
||||
r->iqmp = iqmp;
|
||||
}
|
||||
|
||||
|
@ -163,13 +163,13 @@ int RSA_meth_set_priv_dec(RSA_METHOD *meth,
|
||||
|
||||
/* Can be null */
|
||||
int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth))
|
||||
(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
|
||||
(BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx)
|
||||
{
|
||||
return meth->rsa_mod_exp;
|
||||
}
|
||||
|
||||
int RSA_meth_set_mod_exp(RSA_METHOD *meth,
|
||||
int (*mod_exp) (BIGNUM *r0, const BIGNUM *I, RSA *rsa,
|
||||
int (*mod_exp) (BIGNUM *r0, const BIGNUM *i, RSA *rsa,
|
||||
BN_CTX *ctx))
|
||||
{
|
||||
meth->rsa_mod_exp = mod_exp;
|
||||
|
@ -680,10 +680,11 @@ static int rsa_ossl_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
|
||||
*/
|
||||
|| !bn_mod_sub_fixed_top(r1, r1, m1, rsa->p)
|
||||
|
||||
/* r0 = r0 * iqmp mod p */
|
||||
/* r1 = r1 * iqmp mod p */
|
||||
|| !bn_to_mont_fixed_top(r1, r1, rsa->_method_mod_p, ctx)
|
||||
|| !bn_mul_mont_fixed_top(r1, r1, rsa->iqmp, rsa->_method_mod_p,
|
||||
ctx)
|
||||
/* r0 = r1 * q + m1 */
|
||||
|| !bn_mul_fixed_top(r0, r1, rsa->q, ctx)
|
||||
|| !bn_mod_add_fixed_top(r0, r0, m1, rsa->n))
|
||||
goto err;
|
||||
|
@ -432,9 +432,9 @@ SHA3_absorb:
|
||||
lrvg %r0,0($inp)
|
||||
la $inp,8($inp)
|
||||
xg %r0,0(%r1)
|
||||
la %r1,8(%r1)
|
||||
a${g}hi $len,-8
|
||||
stg %r0,-8(%r1)
|
||||
stg %r0,0(%r1)
|
||||
la %r1,8(%r1)
|
||||
brct $bsz,.Lblock_absorb
|
||||
|
||||
stm${g} $inp,$len,$frame+3*$SIZE_T($sp)
|
||||
|
@ -166,8 +166,8 @@ $func:
|
||||
addi r11,r11,32
|
||||
stvx v30,r10,$sp
|
||||
stvx v31,r11,$sp
|
||||
li r11,-4096+255
|
||||
stw $vrsave,`$FRAME+6*$SIZE_T-4`($sp) # save vrsave
|
||||
li r11,-4096+255 # 0xfffff0ff
|
||||
stw $vrsave,`$FRAME-6*$SIZE_T-4`($sp) # save vrsave
|
||||
li $x10,0x10
|
||||
$PUSH r26,`$FRAME-6*$SIZE_T`($sp)
|
||||
li $x20,0x20
|
||||
@ -286,24 +286,17 @@ $code.=<<___ if ($SZ==8);
|
||||
stvx_u $G,$x30,$ctx
|
||||
___
|
||||
$code.=<<___;
|
||||
li r10,`$LOCALS+15`
|
||||
addi $offload,$sp,`$LOCALS+15`
|
||||
mtlr $lrsave
|
||||
li r11,`$LOCALS+31`
|
||||
mtspr 256,$vrsave
|
||||
lvx v24,r10,$sp # ABI says so
|
||||
addi r10,r10,32
|
||||
lvx v25,r11,$sp
|
||||
addi r11,r11,32
|
||||
lvx v26,r10,$sp
|
||||
addi r10,r10,32
|
||||
lvx v27,r11,$sp
|
||||
addi r11,r11,32
|
||||
lvx v28,r10,$sp
|
||||
addi r10,r10,32
|
||||
lvx v29,r11,$sp
|
||||
addi r11,r11,32
|
||||
lvx v30,r10,$sp
|
||||
lvx v31,r11,$sp
|
||||
lvx v24,$x00,$offload # ABI says so
|
||||
lvx v25,$x10,$offload
|
||||
lvx v26,$x20,$offload
|
||||
lvx v27,$x30,$offload
|
||||
lvx v28,$x40,$offload
|
||||
lvx v29,$x50,$offload
|
||||
lvx v30,$x60,$offload
|
||||
lvx v31,$x70,$offload
|
||||
$POP r26,`$FRAME-6*$SIZE_T`($sp)
|
||||
$POP r27,`$FRAME-5*$SIZE_T`($sp)
|
||||
$POP r28,`$FRAME-4*$SIZE_T`($sp)
|
||||
|
@ -94,7 +94,19 @@ int SipHash_set_hash_size(SIPHASH *ctx, size_t hash_size)
|
||||
&& hash_size != SIPHASH_MAX_DIGEST_SIZE)
|
||||
return 0;
|
||||
|
||||
ctx->hash_size = hash_size;
|
||||
/*
|
||||
* It's possible that the key was set first. If the hash size changes,
|
||||
* we need to adjust v1 (see SipHash_Init().
|
||||
*/
|
||||
|
||||
/* Start by adjusting the stored size, to make things easier */
|
||||
ctx->hash_size = siphash_adjust_hash_size(ctx->hash_size);
|
||||
|
||||
/* Now, adjust ctx->v1 if the old and the new size differ */
|
||||
if ((size_t)ctx->hash_size != hash_size) {
|
||||
ctx->v1 ^= 0xee;
|
||||
ctx->hash_size = hash_size;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
@ -11,6 +11,7 @@
|
||||
|
||||
#include "internal/sm2.h"
|
||||
#include "internal/sm2err.h"
|
||||
#include "internal/ec_int.h" /* ecdh_KDF_X9_63() */
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/bn.h>
|
||||
@ -203,7 +204,7 @@ int sm2_encrypt(const EC_KEY *key,
|
||||
}
|
||||
|
||||
/* X9.63 with no salt happens to match the KDF used in SM2 */
|
||||
if (!ECDH_KDF_X9_62(msg_mask, msg_len, x2y2, 2 * field_size, NULL, 0,
|
||||
if (!ecdh_KDF_X9_63(msg_mask, msg_len, x2y2, 2 * field_size, NULL, 0,
|
||||
digest)) {
|
||||
SM2err(SM2_F_SM2_ENCRYPT, ERR_R_EVP_LIB);
|
||||
goto done;
|
||||
@ -344,7 +345,7 @@ int sm2_decrypt(const EC_KEY *key,
|
||||
|
||||
if (BN_bn2binpad(x2, x2y2, field_size) < 0
|
||||
|| BN_bn2binpad(y2, x2y2 + field_size, field_size) < 0
|
||||
|| !ECDH_KDF_X9_62(msg_mask, msg_len, x2y2, 2 * field_size, NULL, 0,
|
||||
|| !ecdh_KDF_X9_63(msg_mask, msg_len, x2y2, 2 * field_size, NULL, 0,
|
||||
digest)) {
|
||||
SM2err(SM2_F_SM2_DECRYPT, ERR_R_INTERNAL_ERROR);
|
||||
goto done;
|
||||
|
@ -12,6 +12,7 @@
|
||||
#include "internal/sm2.h"
|
||||
#include "internal/sm2err.h"
|
||||
#include "internal/ec_int.h" /* ec_group_do_inverse_ord() */
|
||||
#include "internal/numbers.h"
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/err.h>
|
||||
|
@ -415,6 +415,24 @@ static int open_console(UI *ui)
|
||||
is_a_tty = 0;
|
||||
else
|
||||
# endif
|
||||
# ifdef ENXIO
|
||||
/*
|
||||
* Solaris can return ENXIO.
|
||||
* This should be ok
|
||||
*/
|
||||
if (errno == ENXIO)
|
||||
is_a_tty = 0;
|
||||
else
|
||||
# endif
|
||||
# ifdef EIO
|
||||
/*
|
||||
* Linux can return EIO.
|
||||
* This should be ok
|
||||
*/
|
||||
if (errno == EIO)
|
||||
is_a_tty = 0;
|
||||
else
|
||||
# endif
|
||||
# ifdef ENODEV
|
||||
/*
|
||||
* MacOS X returns ENODEV (Operation not supported by device),
|
||||
|
@ -73,7 +73,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
|
||||
switch (cmd) {
|
||||
case X509_L_ADD_DIR:
|
||||
if (argl == X509_FILETYPE_DEFAULT) {
|
||||
const char *dir = getenv(X509_get_default_cert_dir_env());
|
||||
const char *dir = ossl_safe_getenv(X509_get_default_cert_dir_env());
|
||||
|
||||
if (dir)
|
||||
ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
|
||||
|
@ -46,7 +46,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp,
|
||||
switch (cmd) {
|
||||
case X509_L_FILE_LOAD:
|
||||
if (argl == X509_FILETYPE_DEFAULT) {
|
||||
file = getenv(X509_get_default_cert_file_env());
|
||||
file = ossl_safe_getenv(X509_get_default_cert_file_env());
|
||||
if (file)
|
||||
ok = (X509_load_cert_crl_file(ctx, file,
|
||||
X509_FILETYPE_PEM) != 0);
|
||||
|
@ -517,15 +517,14 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
|
||||
/* check_purpose() makes the callback as needed */
|
||||
if (purpose > 0 && !check_purpose(ctx, x, purpose, i, must_be_ca))
|
||||
return 0;
|
||||
/* Check pathlen if not self issued */
|
||||
if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
|
||||
&& (x->ex_pathlen != -1)
|
||||
&& (plen > (x->ex_pathlen + proxy_path_length + 1))) {
|
||||
/* Check pathlen */
|
||||
if ((i > 1) && (x->ex_pathlen != -1)
|
||||
&& (plen > (x->ex_pathlen + proxy_path_length))) {
|
||||
if (!verify_cb_cert(ctx, x, i, X509_V_ERR_PATH_LENGTH_EXCEEDED))
|
||||
return 0;
|
||||
}
|
||||
/* Increment path length if not self issued */
|
||||
if (!(x->ex_flags & EXFLAG_SI))
|
||||
/* Increment path length if not a self issued intermediate CA */
|
||||
if (i > 0 && (x->ex_flags & EXFLAG_SI) == 0)
|
||||
plen++;
|
||||
/*
|
||||
* If this certificate is a proxy certificate, the next certificate
|
||||
|
@ -250,8 +250,10 @@ for all available algorithms.
|
||||
=item B<-subj arg>
|
||||
|
||||
Supersedes subject name given in the request.
|
||||
The arg must be formatted as I</type0=value0/type1=value1/type2=...>,
|
||||
characters may be escaped by \ (backslash), no spaces are skipped.
|
||||
The arg must be formatted as I</type0=value0/type1=value1/type2=...>.
|
||||
Keyword characters may be escaped by \ (backslash), and whitespace is retained.
|
||||
Empty values are permitted, but the corresponding type will not be included
|
||||
in the resulting certificate.
|
||||
|
||||
=item B<-utf8>
|
||||
|
||||
|
@ -257,7 +257,7 @@ ones provided by configured engines.
|
||||
The B<enc> program does not support authenticated encryption modes
|
||||
like CCM and GCM, and will not support such modes in the future.
|
||||
The B<enc> interface by necessity must begin streaming output (e.g.,
|
||||
to standard output when B<-out> is not used before the authentication
|
||||
to standard output when B<-out> is not used) before the authentication
|
||||
tag could be validated, leading to the usage of B<enc> in pipelines
|
||||
that begin processing untrusted data and are not capable of rolling
|
||||
back upon authentication failure. The AEAD modes currently in common
|
||||
@ -277,6 +277,7 @@ standard data format and performs the needed key/iv/nonce management.
|
||||
|
||||
bf-cbc Blowfish in CBC mode
|
||||
bf Alias for bf-cbc
|
||||
blowfish Alias for bf-cbc
|
||||
bf-cfb Blowfish in CFB mode
|
||||
bf-ecb Blowfish in ECB mode
|
||||
bf-ofb Blowfish in OFB mode
|
||||
@ -288,6 +289,8 @@ standard data format and performs the needed key/iv/nonce management.
|
||||
cast5-ecb CAST5 in ECB mode
|
||||
cast5-ofb CAST5 in OFB mode
|
||||
|
||||
chacha20 ChaCha20 algorithm
|
||||
|
||||
des-cbc DES in CBC mode
|
||||
des Alias for des-cbc
|
||||
des-cfb DES in CFB mode
|
||||
@ -334,6 +337,19 @@ standard data format and performs the needed key/iv/nonce management.
|
||||
rc5-ecb RC5 cipher in ECB mode
|
||||
rc5-ofb RC5 cipher in OFB mode
|
||||
|
||||
seed-cbc SEED cipher in CBC mode
|
||||
seed Alias for seed-cbc
|
||||
seed-cfb SEED cipher in CFB mode
|
||||
seed-ecb SEED cipher in ECB mode
|
||||
seed-ofb SEED cipher in OFB mode
|
||||
|
||||
sm4-cbc SM4 cipher in CBC mode
|
||||
sm4 Alias for sm4-cbc
|
||||
sm4-cfb SM4 cipher in CFB mode
|
||||
sm4-ctr SM4 cipher in CTR mode
|
||||
sm4-ecb SM4 cipher in ECB mode
|
||||
sm4-ofb SM4 cipher in OFB mode
|
||||
|
||||
aes-[128|192|256]-cbc 128/192/256 bit AES in CBC mode
|
||||
aes[128|192|256] Alias for aes-[128|192|256]-cbc
|
||||
aes-[128|192|256]-cfb 128/192/256 bit AES in 128 bit CFB mode
|
||||
@ -343,6 +359,15 @@ standard data format and performs the needed key/iv/nonce management.
|
||||
aes-[128|192|256]-ecb 128/192/256 bit AES in ECB mode
|
||||
aes-[128|192|256]-ofb 128/192/256 bit AES in OFB mode
|
||||
|
||||
aria-[128|192|256]-cbc 128/192/256 bit ARIA in CBC mode
|
||||
aria[128|192|256] Alias for aria-[128|192|256]-cbc
|
||||
aria-[128|192|256]-cfb 128/192/256 bit ARIA in 128 bit CFB mode
|
||||
aria-[128|192|256]-cfb1 128/192/256 bit ARIA in 1 bit CFB mode
|
||||
aria-[128|192|256]-cfb8 128/192/256 bit ARIA in 8 bit CFB mode
|
||||
aria-[128|192|256]-ctr 128/192/256 bit ARIA in CTR mode
|
||||
aria-[128|192|256]-ecb 128/192/256 bit ARIA in ECB mode
|
||||
aria-[128|192|256]-ofb 128/192/256 bit ARIA in OFB mode
|
||||
|
||||
camellia-[128|192|256]-cbc 128/192/256 bit Camellia in CBC mode
|
||||
camellia[128|192|256] Alias for camellia-[128|192|256]-cbc
|
||||
camellia-[128|192|256]-cfb 128/192/256 bit Camellia in 128 bit CFB mode
|
||||
@ -362,26 +387,25 @@ Decode the same file
|
||||
|
||||
openssl base64 -d -in file.b64 -out file.bin
|
||||
|
||||
Encrypt a file using triple DES in CBC mode using a prompted password:
|
||||
Encrypt a file using AES-128 using a prompted password
|
||||
and PBKDF2 key derivation:
|
||||
|
||||
openssl des3 -salt -in file.txt -out file.des3
|
||||
openssl enc -aes128 -pbkdf2 -in file.txt -out file.aes128
|
||||
|
||||
Decrypt a file using a supplied password:
|
||||
|
||||
openssl des3 -d -salt -in file.des3 -out file.txt -k mypassword
|
||||
openssl enc -aes128 -pbkdf2 -d -in file.aes128 -out file.txt \
|
||||
-pass pass:<password>
|
||||
|
||||
Encrypt a file then base64 encode it (so it can be sent via mail for example)
|
||||
using Blowfish in CBC mode:
|
||||
using AES-256 in CTR mode and PBKDF2 key derivation:
|
||||
|
||||
openssl bf -a -salt -in file.txt -out file.bf
|
||||
openssl enc -aes-256-ctr -pbkdf2 -a -in file.txt -out file.aes256
|
||||
|
||||
Base64 decode a file then decrypt it:
|
||||
Base64 decode a file then decrypt it using a password supplied in a file:
|
||||
|
||||
openssl bf -d -salt -a -in file.bf -out file.txt
|
||||
|
||||
Decrypt some data using a supplied 40 bit RC4 key:
|
||||
|
||||
openssl rc4-40 -in file.rc4 -out file.txt -K 0102030405
|
||||
openssl enc -aes-256-ctr -pbkdf2 -d -a -in file.aes256 -out file.txt \
|
||||
-pass file:<passfile>
|
||||
|
||||
=head1 BUGS
|
||||
|
||||
|
@ -40,6 +40,9 @@ The B<openssl> program provides a rich variety of commands (I<command> in the
|
||||
SYNOPSIS above), each of which often has a wealth of options and arguments
|
||||
(I<command_opts> and I<command_args> in the SYNOPSIS).
|
||||
|
||||
Detailed documentation and use cases for most standard subcommands are available
|
||||
(e.g., L<x509(1)> or L<openssl-x509(1)>).
|
||||
|
||||
Many commands use an external configuration file for some or all of their
|
||||
arguments and have a B<-config> option to specify that file.
|
||||
The environment variable B<OPENSSL_CONF> can be used to specify
|
||||
@ -369,8 +372,38 @@ SM3 Digest
|
||||
|
||||
=head2 Encoding and Cipher Commands
|
||||
|
||||
The following aliases provide convenient access to the most used encodings
|
||||
and ciphers.
|
||||
|
||||
Depending on how OpenSSL was configured and built, not all ciphers listed
|
||||
here may be present. See L<enc(1)> for more information and command usage.
|
||||
|
||||
=over 4
|
||||
|
||||
=item B<aes128>, B<aes-128-cbc>, B<aes-128-cfb>, B<aes-128-ctr>, B<aes-128-ecb>, B<aes-128-ofb>
|
||||
|
||||
AES-128 Cipher
|
||||
|
||||
=item B<aes192>, B<aes-192-cbc>, B<aes-192-cfb>, B<aes-192-ctr>, B<aes-192-ecb>, B<aes-192-ofb>
|
||||
|
||||
AES-192 Cipher
|
||||
|
||||
=item B<aes256>, B<aes-256-cbc>, B<aes-256-cfb>, B<aes-256-ctr>, B<aes-256-ecb>, B<aes-256-ofb>
|
||||
|
||||
AES-256 Cipher
|
||||
|
||||
=item B<aria128>, B<aria-128-cbc>, B<aria-128-cfb>, B<aria-128-ctr>, B<aria-128-ecb>, B<aria-128-ofb>
|
||||
|
||||
Aria-128 Cipher
|
||||
|
||||
=item B<aria192>, B<aria-192-cbc>, B<aria-192-cfb>, B<aria-192-ctr>, B<aria-192-ecb>, B<aria-192-ofb>
|
||||
|
||||
Aria-192 Cipher
|
||||
|
||||
=item B<aria256>, B<aria-256-cbc>, B<aria-256-cfb>, B<aria-256-ctr>, B<aria-256-ecb>, B<aria-256-ofb>
|
||||
|
||||
Aria-256 Cipher
|
||||
|
||||
=item B<base64>
|
||||
|
||||
Base64 Encoding
|
||||
@ -379,6 +412,18 @@ Base64 Encoding
|
||||
|
||||
Blowfish Cipher
|
||||
|
||||
=item B<camellia128>, B<camellia-128-cbc>, B<camellia-128-cfb>, B<camellia-128-ctr>, B<camellia-128-ecb>, B<camellia-128-ofb>
|
||||
|
||||
Camellia-128 Cipher
|
||||
|
||||
=item B<camellia192>, B<camellia-192-cbc>, B<camellia-192-cfb>, B<camellia-192-ctr>, B<camellia-192-ecb>, B<camellia-192-ofb>
|
||||
|
||||
Camellia-192 Cipher
|
||||
|
||||
=item B<camellia256>, B<camellia-256-cbc>, B<camellia-256-cfb>, B<camellia-256-ctr>, B<camellia-256-ecb>, B<camellia-256-ofb>
|
||||
|
||||
Camellia-256 Cipher
|
||||
|
||||
=item B<cast>, B<cast-cbc>
|
||||
|
||||
CAST Cipher
|
||||
@ -387,6 +432,10 @@ CAST Cipher
|
||||
|
||||
CAST5 Cipher
|
||||
|
||||
=item B<chacha20>
|
||||
|
||||
Chacha20 Cipher
|
||||
|
||||
=item B<des>, B<des-cbc>, B<des-cfb>, B<des-ecb>, B<des-ede>, B<des-ede-cbc>, B<des-ede-cfb>, B<des-ede-ofb>, B<des-ofb>
|
||||
|
||||
DES Cipher
|
||||
@ -411,6 +460,14 @@ RC4 Cipher
|
||||
|
||||
RC5 Cipher
|
||||
|
||||
=item B<seed>, B<seed-cbc>, B<seed-cfb>, B<seed-ecb>, B<seed-ofb>
|
||||
|
||||
SEED Cipher
|
||||
|
||||
=item B<sm4>, B<sm4-cbc>, B<sm4-cfb>, B<sm4-ctr>, B<sm4-ecb>, B<sm4-ofb>
|
||||
|
||||
SM4 Cipher
|
||||
|
||||
=back
|
||||
|
||||
=head1 OPTIONS
|
||||
|
@ -221,8 +221,10 @@ see L<openssl(1)/COMMAND SUMMARY>.
|
||||
|
||||
Sets subject name for new request or supersedes the subject name
|
||||
when processing a request.
|
||||
The arg must be formatted as I</type0=value0/type1=value1/type2=...>,
|
||||
characters may be escaped by \ (backslash), no spaces are skipped.
|
||||
The arg must be formatted as I</type0=value0/type1=value1/type2=...>.
|
||||
Keyword characters may be escaped by \ (backslash), and whitespace is retained.
|
||||
Empty values are permitted, but the corresponding type will not be included
|
||||
in the request.
|
||||
|
||||
=item B<-multivalue-rdn>
|
||||
|
||||
|
@ -9,8 +9,8 @@ rsa - RSA key processing tool
|
||||
|
||||
B<openssl> B<rsa>
|
||||
[B<-help>]
|
||||
[B<-inform PEM|NET|DER>]
|
||||
[B<-outform PEM|NET|DER>]
|
||||
[B<-inform PEM|DER>]
|
||||
[B<-outform PEM|DER>]
|
||||
[B<-in filename>]
|
||||
[B<-passin arg>]
|
||||
[B<-out filename>]
|
||||
@ -53,16 +53,15 @@ utility.
|
||||
|
||||
Print out a usage message.
|
||||
|
||||
=item B<-inform DER|NET|PEM>
|
||||
=item B<-inform DER|PEM>
|
||||
|
||||
This specifies the input format. The B<DER> option uses an ASN1 DER encoded
|
||||
form compatible with the PKCS#1 RSAPrivateKey or SubjectPublicKeyInfo format.
|
||||
The B<PEM> form is the default format: it consists of the B<DER> format base64
|
||||
encoded with additional header and footer lines. On input PKCS#8 format private
|
||||
keys are also accepted. The B<NET> form is a format is described in the B<NOTES>
|
||||
section.
|
||||
keys are also accepted.
|
||||
|
||||
=item B<-outform DER|NET|PEM>
|
||||
=item B<-outform DER|PEM>
|
||||
|
||||
This specifies the output format, the options have the same meaning and default
|
||||
as the B<-inform> option.
|
||||
@ -158,17 +157,6 @@ The PEM B<RSAPublicKey> format uses the header and footer lines:
|
||||
-----BEGIN RSA PUBLIC KEY-----
|
||||
-----END RSA PUBLIC KEY-----
|
||||
|
||||
The B<NET> form is a format compatible with older Netscape servers
|
||||
and Microsoft IIS .key files, this uses unsalted RC4 for its encryption.
|
||||
It is not very secure and so should only be used when necessary.
|
||||
|
||||
Some newer version of IIS have additional data in the exported .key
|
||||
files. To use these with the utility, view the file with a binary editor
|
||||
and look for the string "private-key", then trace back to the byte
|
||||
sequence 0x30, 0x82 (this is an ASN1 SEQUENCE). Copy all the data
|
||||
from this point onwards to another file and use that as the input
|
||||
to the B<rsa> utility with the B<-inform NET> option.
|
||||
|
||||
=head1 EXAMPLES
|
||||
|
||||
To remove the pass phrase on an RSA private key:
|
||||
@ -197,9 +185,6 @@ Output the public part of a private key in B<RSAPublicKey> format:
|
||||
|
||||
=head1 BUGS
|
||||
|
||||
The command line password arguments don't currently work with
|
||||
B<NET> format.
|
||||
|
||||
There should be an option that automatically handles .key files,
|
||||
without having to manually edit them.
|
||||
|
||||
|
@ -405,13 +405,14 @@ Inhibit printing of session and certificate information.
|
||||
Sends a status message back to the client when it connects. This includes
|
||||
information about the ciphers used and various session parameters.
|
||||
The output is in HTML format so this option will normally be used with a
|
||||
web browser.
|
||||
web browser. Cannot be used in conjunction with B<-early_data>.
|
||||
|
||||
=item B<-WWW>
|
||||
|
||||
Emulates a simple web server. Pages will be resolved relative to the
|
||||
current directory, for example if the URL https://myhost/page.html is
|
||||
requested the file ./page.html will be loaded.
|
||||
requested the file ./page.html will be loaded. Cannot be used in conjunction
|
||||
with B<-early_data>.
|
||||
|
||||
=item B<-tlsextdebug>
|
||||
|
||||
@ -423,7 +424,8 @@ Emulates a simple web server. Pages will be resolved relative to the
|
||||
current directory, for example if the URL https://myhost/page.html is
|
||||
requested the file ./page.html will be loaded. The files loaded are
|
||||
assumed to contain a complete and correct HTTP response (lines that
|
||||
are part of the HTTP response line and headers must end with CRLF).
|
||||
are part of the HTTP response line and headers must end with CRLF). Cannot be
|
||||
used in conjunction with B<-early_data>.
|
||||
|
||||
=item B<-id_prefix val>
|
||||
|
||||
@ -488,7 +490,8 @@ output.
|
||||
=item B<-rev>
|
||||
|
||||
Simple test server which just reverses the text received from the client
|
||||
and sends it back to the server. Also sets B<-brief>.
|
||||
and sends it back to the server. Also sets B<-brief>. Cannot be used in
|
||||
conjunction with B<-early_data>.
|
||||
|
||||
=item B<-async>
|
||||
|
||||
@ -711,7 +714,8 @@ greater than or equal to 0.
|
||||
|
||||
=item B<-early_data>
|
||||
|
||||
Accept early data where possible.
|
||||
Accept early data where possible. Cannot be used in conjunction with B<-www>,
|
||||
B<-WWW>, B<-HTTP> or B<-rev>.
|
||||
|
||||
=item B<-anti_replay>, B<-no_anti_replay>
|
||||
|
||||
|
@ -82,8 +82,11 @@ returned.
|
||||
=item B<-subject arg>
|
||||
|
||||
Search for an object having the subject name B<arg>.
|
||||
The arg must be formatted as I</type0=value0/type1=value1/type2=...>,
|
||||
characters may be escaped by \ (backslash), no spaces are skipped.
|
||||
The arg must be formatted as I</type0=value0/type1=value1/type2=...>.
|
||||
Keyword characters may be escaped by \ (backslash), and whitespace is retained.
|
||||
Empty values are permitted but are ignored for the search. That is,
|
||||
a search with an empty value will have the same effect as not specifying
|
||||
the type at all.
|
||||
|
||||
=item B<-issuer arg>
|
||||
|
||||
|
@ -9,8 +9,8 @@ x509 - Certificate display and signing utility
|
||||
|
||||
B<openssl> B<x509>
|
||||
[B<-help>]
|
||||
[B<-inform DER|PEM|NET>]
|
||||
[B<-outform DER|PEM|NET>]
|
||||
[B<-inform DER|PEM>]
|
||||
[B<-outform DER|PEM>]
|
||||
[B<-keyform DER|PEM>]
|
||||
[B<-CAform DER|PEM>]
|
||||
[B<-CAkeyform DER|PEM>]
|
||||
@ -86,16 +86,15 @@ various sections.
|
||||
|
||||
Print out a usage message.
|
||||
|
||||
=item B<-inform DER|PEM|NET>
|
||||
=item B<-inform DER|PEM>
|
||||
|
||||
This specifies the input format normally the command will expect an X509
|
||||
certificate but this can change if other options such as B<-req> are
|
||||
present. The DER format is the DER encoding of the certificate and PEM
|
||||
is the base64 encoding of the DER encoding with header and footer lines
|
||||
added. The NET option is an obscure Netscape server format that is now
|
||||
obsolete. The default format is PEM.
|
||||
added. The default format is PEM.
|
||||
|
||||
=item B<-outform DER|PEM|NET>
|
||||
=item B<-outform DER|PEM>
|
||||
|
||||
This specifies the output format, the options have the same meaning and default
|
||||
as the B<-inform> option.
|
||||
|
@ -99,7 +99,7 @@ algorithm.
|
||||
|
||||
There are two phases to the use of DES encryption. The first is the
|
||||
generation of a I<DES_key_schedule> from a key, the second is the
|
||||
actual encryption. A DES key is of type I<DES_cblock>. This type is
|
||||
actual encryption. A DES key is of type I<DES_cblock>. This type
|
||||
consists of 8 bytes with odd parity. The least significant bit in
|
||||
each byte is the parity bit. The key schedule is an expanded form of
|
||||
the key; it is used to speed the encryption process.
|
||||
@ -170,42 +170,42 @@ of 24 bytes. This is much better than CBC DES.
|
||||
|
||||
DES_ede3_cbc_encrypt() implements outer triple CBC DES encryption with
|
||||
three keys. This means that each DES operation inside the CBC mode is
|
||||
an C<C=E(ks3,D(ks2,E(ks1,M)))>. This mode is used by SSL.
|
||||
C<C=E(ks3,D(ks2,E(ks1,M)))>. This mode is used by SSL.
|
||||
|
||||
The DES_ede2_cbc_encrypt() macro implements two-key Triple-DES by
|
||||
reusing I<ks1> for the final encryption. C<C=E(ks1,D(ks2,E(ks1,M)))>.
|
||||
This form of Triple-DES is used by the RSAREF library.
|
||||
|
||||
DES_pcbc_encrypt() encrypt/decrypts using the propagating cipher block
|
||||
DES_pcbc_encrypt() encrypts/decrypts using the propagating cipher block
|
||||
chaining mode used by Kerberos v4. Its parameters are the same as
|
||||
DES_ncbc_encrypt().
|
||||
|
||||
DES_cfb_encrypt() encrypt/decrypts using cipher feedback mode. This
|
||||
method takes an array of characters as input and outputs and array of
|
||||
DES_cfb_encrypt() encrypts/decrypts using cipher feedback mode. This
|
||||
method takes an array of characters as input and outputs an array of
|
||||
characters. It does not require any padding to 8 character groups.
|
||||
Note: the I<ivec> variable is changed and the new changed value needs to
|
||||
be passed to the next call to this function. Since this function runs
|
||||
a complete DES ECB encryption per I<numbits>, this function is only
|
||||
suggested for use when sending small numbers of characters.
|
||||
suggested for use when sending a small number of characters.
|
||||
|
||||
DES_cfb64_encrypt()
|
||||
implements CFB mode of DES with 64bit feedback. Why is this
|
||||
implements CFB mode of DES with 64-bit feedback. Why is this
|
||||
useful you ask? Because this routine will allow you to encrypt an
|
||||
arbitrary number of bytes, no 8 byte padding. Each call to this
|
||||
arbitrary number of bytes, without 8 byte padding. Each call to this
|
||||
routine will encrypt the input bytes to output and then update ivec
|
||||
and num. num contains 'how far' we are though ivec. If this does
|
||||
not make much sense, read more about cfb mode of DES :-).
|
||||
not make much sense, read more about CFB mode of DES.
|
||||
|
||||
DES_ede3_cfb64_encrypt() and DES_ede2_cfb64_encrypt() is the same as
|
||||
DES_cfb64_encrypt() except that Triple-DES is used.
|
||||
|
||||
DES_ofb_encrypt() encrypts using output feedback mode. This method
|
||||
takes an array of characters as input and outputs and array of
|
||||
takes an array of characters as input and outputs an array of
|
||||
characters. It does not require any padding to 8 character groups.
|
||||
Note: the I<ivec> variable is changed and the new changed value needs to
|
||||
be passed to the next call to this function. Since this function runs
|
||||
a complete DES ECB encryption per numbits, this function is only
|
||||
suggested for use when sending small numbers of characters.
|
||||
a complete DES ECB encryption per I<numbits>, this function is only
|
||||
suggested for use when sending a small number of characters.
|
||||
|
||||
DES_ofb64_encrypt() is the same as DES_cfb64_encrypt() using Output
|
||||
Feed Back mode.
|
||||
@ -232,10 +232,10 @@ The following are DES-based transformations:
|
||||
|
||||
DES_fcrypt() is a fast version of the Unix crypt(3) function. This
|
||||
version takes only a small amount of space relative to other fast
|
||||
crypt() implementations. This is different to the normal crypt in
|
||||
crypt() implementations. This is different to the normal crypt() in
|
||||
that the third parameter is the buffer that the return value is
|
||||
written into. It needs to be at least 14 bytes long. This function
|
||||
is thread safe, unlike the normal crypt.
|
||||
is thread safe, unlike the normal crypt().
|
||||
|
||||
DES_crypt() is a faster replacement for the normal system crypt().
|
||||
This function calls DES_fcrypt() with a static array passed as the
|
||||
|
@ -310,16 +310,17 @@ This example digests the data "Test Message\n" and "Hello World\n", using the
|
||||
digest name passed on the command line.
|
||||
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <openssl/evp.h>
|
||||
|
||||
main(int argc, char *argv[])
|
||||
int main(int argc, char *argv[])
|
||||
{
|
||||
EVP_MD_CTX *mdctx;
|
||||
const EVP_MD *md;
|
||||
char mess1[] = "Test Message\n";
|
||||
char mess2[] = "Hello World\n";
|
||||
unsigned char md_value[EVP_MAX_MD_SIZE];
|
||||
int md_len, i;
|
||||
unsigned int md_len, i;
|
||||
|
||||
if (argv[1] == NULL) {
|
||||
printf("Usage: mdtest digestname\n");
|
||||
|
@ -4,20 +4,55 @@
|
||||
|
||||
EVP_PKEY_CTX_ctrl,
|
||||
EVP_PKEY_CTX_ctrl_str,
|
||||
EVP_PKEY_CTX_ctrl_uint64,
|
||||
EVP_PKEY_CTX_md,
|
||||
EVP_PKEY_CTX_set_signature_md,
|
||||
EVP_PKEY_CTX_get_signature_md,
|
||||
EVP_PKEY_CTX_set_mac_key,
|
||||
EVP_PKEY_CTX_set_rsa_padding,
|
||||
EVP_PKEY_CTX_get_rsa_padding,
|
||||
EVP_PKEY_CTX_set_rsa_pss_saltlen,
|
||||
EVP_PKEY_CTX_get_rsa_pss_saltlen,
|
||||
EVP_PKEY_CTX_set_rsa_keygen_bits,
|
||||
EVP_PKEY_CTX_set_rsa_keygen_pubexp,
|
||||
EVP_PKEY_CTX_set_rsa_keygen_primes,
|
||||
EVP_PKEY_CTX_set_rsa_mgf1_md,
|
||||
EVP_PKEY_CTX_get_rsa_mgf1_md,
|
||||
EVP_PKEY_CTX_set_rsa_oaep_md,
|
||||
EVP_PKEY_CTX_get_rsa_oaep_md,
|
||||
EVP_PKEY_CTX_set0_rsa_oaep_label,
|
||||
EVP_PKEY_CTX_get0_rsa_oaep_label,
|
||||
EVP_PKEY_CTX_set_dsa_paramgen_bits,
|
||||
EVP_PKEY_CTX_set_dh_paramgen_prime_len,
|
||||
EVP_PKEY_CTX_set_dh_paramgen_subprime_len,
|
||||
EVP_PKEY_CTX_set_dh_paramgen_generator,
|
||||
EVP_PKEY_CTX_set_dh_paramgen_type,
|
||||
EVP_PKEY_CTX_set_dh_rfc5114,
|
||||
EVP_PKEY_CTX_set_dhx_rfc5114,
|
||||
EVP_PKEY_CTX_set_dh_pad,
|
||||
EVP_PKEY_CTX_set_dh_nid,
|
||||
EVP_PKEY_CTX_set_dh_kdf_type,
|
||||
EVP_PKEY_CTX_get_dh_kdf_type,
|
||||
EVP_PKEY_CTX_set0_dh_kdf_oid,
|
||||
EVP_PKEY_CTX_get0_dh_kdf_oid,
|
||||
EVP_PKEY_CTX_set_dh_kdf_md,
|
||||
EVP_PKEY_CTX_get_dh_kdf_md,
|
||||
EVP_PKEY_CTX_set_dh_kdf_outlen,
|
||||
EVP_PKEY_CTX_get_dh_kdf_outlen,
|
||||
EVP_PKEY_CTX_set0_dh_kdf_ukm,
|
||||
EVP_PKEY_CTX_get0_dh_kdf_ukm,
|
||||
EVP_PKEY_CTX_set_ec_paramgen_curve_nid,
|
||||
EVP_PKEY_CTX_set_ec_param_enc,
|
||||
EVP_PKEY_CTX_set_ecdh_cofactor_mode,
|
||||
EVP_PKEY_CTX_get_ecdh_cofactor_mode,
|
||||
EVP_PKEY_CTX_set_ecdh_kdf_type,
|
||||
EVP_PKEY_CTX_get_ecdh_kdf_type,
|
||||
EVP_PKEY_CTX_set_ecdh_kdf_md,
|
||||
EVP_PKEY_CTX_get_ecdh_kdf_md,
|
||||
EVP_PKEY_CTX_set_ecdh_kdf_outlen,
|
||||
EVP_PKEY_CTX_get_ecdh_kdf_outlen,
|
||||
EVP_PKEY_CTX_set0_ecdh_kdf_ukm,
|
||||
EVP_PKEY_CTX_get0_ecdh_kdf_ukm,
|
||||
EVP_PKEY_CTX_set1_id, EVP_PKEY_CTX_get1_id, EVP_PKEY_CTX_get1_id_len
|
||||
- algorithm specific control operations
|
||||
|
||||
@ -27,9 +62,13 @@ EVP_PKEY_CTX_set1_id, EVP_PKEY_CTX_get1_id, EVP_PKEY_CTX_get1_id_len
|
||||
|
||||
int EVP_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int keytype, int optype,
|
||||
int cmd, int p1, void *p2);
|
||||
int EVP_PKEY_CTX_ctrl_uint64(EVP_PKEY_CTX *ctx, int keytype, int optype,
|
||||
int cmd, uint64_t value);
|
||||
int EVP_PKEY_CTX_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
|
||||
const char *value);
|
||||
|
||||
int EVP_PKEY_CTX_md(EVP_PKEY_CTX *ctx, int optype, int cmd, const char *md);
|
||||
|
||||
int EVP_PKEY_CTX_set_signature_md(EVP_PKEY_CTX *ctx, const EVP_MD *md);
|
||||
int EVP_PKEY_CTX_get_signature_md(EVP_PKEY_CTX *ctx, const EVP_MD **pmd);
|
||||
|
||||
@ -38,22 +77,58 @@ EVP_PKEY_CTX_set1_id, EVP_PKEY_CTX_get1_id, EVP_PKEY_CTX_get1_id_len
|
||||
#include <openssl/rsa.h>
|
||||
|
||||
int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int pad);
|
||||
int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *pad);
|
||||
int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int len);
|
||||
int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *len);
|
||||
int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int mbits);
|
||||
int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp);
|
||||
int EVP_PKEY_CTX_set_rsa_keygen_primes(EVP_PKEY_CTX *ctx, int primes);
|
||||
int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md);
|
||||
int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD **md);
|
||||
int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD *md);
|
||||
int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **md);
|
||||
int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char *label, int len);
|
||||
int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label);
|
||||
|
||||
#include <openssl/dsa.h>
|
||||
|
||||
int EVP_PKEY_CTX_set_dsa_paramgen_bits(EVP_PKEY_CTX *ctx, int nbits);
|
||||
|
||||
#include <openssl/dh.h>
|
||||
|
||||
int EVP_PKEY_CTX_set_dh_paramgen_prime_len(EVP_PKEY_CTX *ctx, int len);
|
||||
int EVP_PKEY_CTX_set_dh_paramgen_subprime_len(EVP_PKEY_CTX *ctx, int len);
|
||||
int EVP_PKEY_CTX_set_dh_paramgen_generator(EVP_PKEY_CTX *ctx, int gen);
|
||||
int EVP_PKEY_CTX_set_dh_paramgen_type(EVP_PKEY_CTX *ctx, int type);
|
||||
int EVP_PKEY_CTX_set_dh_pad(EVP_PKEY_CTX *ctx, int pad);
|
||||
int EVP_PKEY_CTX_set_dh_nid(EVP_PKEY_CTX *ctx, int nid);
|
||||
int EVP_PKEY_CTX_set_dh_rfc5114(EVP_PKEY_CTX *ctx, int rfc5114);
|
||||
int EVP_PKEY_CTX_set_dhx_rfc5114(EVP_PKEY_CTX *ctx, int rfc5114);
|
||||
int EVP_PKEY_CTX_set_dh_kdf_type(EVP_PKEY_CTX *ctx, int kdf);
|
||||
int EVP_PKEY_CTX_get_dh_kdf_type(EVP_PKEY_CTX *ctx);
|
||||
int EVP_PKEY_CTX_set0_dh_kdf_oid(EVP_PKEY_CTX *ctx, ASN1_OBJECT *oid);
|
||||
int EVP_PKEY_CTX_get0_dh_kdf_oid(EVP_PKEY_CTX *ctx, ASN1_OBJECT **oid);
|
||||
int EVP_PKEY_CTX_set_dh_kdf_md(EVP_PKEY_CTX *ctx, const EVP_MD *md);
|
||||
int EVP_PKEY_CTX_get_dh_kdf_md(EVP_PKEY_CTX *ctx, const EVP_MD **md);
|
||||
int EVP_PKEY_CTX_set_dh_kdf_outlen(EVP_PKEY_CTX *ctx, int len);
|
||||
int EVP_PKEY_CTX_get_dh_kdf_outlen(EVP_PKEY_CTX *ctx, int *len);
|
||||
int EVP_PKEY_CTX_set0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char *ukm, int len);
|
||||
int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm);
|
||||
|
||||
#include <openssl/ec.h>
|
||||
|
||||
int EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx, int nid);
|
||||
int EVP_PKEY_CTX_set_ec_param_enc(EVP_PKEY_CTX *ctx, int param_enc);
|
||||
int EVP_PKEY_CTX_set_ecdh_cofactor_mode(EVP_PKEY_CTX *ctx, int cofactor_mode);
|
||||
int EVP_PKEY_CTX_get_ecdh_cofactor_mode(EVP_PKEY_CTX *ctx);
|
||||
int EVP_PKEY_CTX_set_ecdh_kdf_type(EVP_PKEY_CTX *ctx, int kdf);
|
||||
int EVP_PKEY_CTX_get_ecdh_kdf_type(EVP_PKEY_CTX *ctx);
|
||||
int EVP_PKEY_CTX_set_ecdh_kdf_md(EVP_PKEY_CTX *ctx, const EVP_MD *md);
|
||||
int EVP_PKEY_CTX_get_ecdh_kdf_md(EVP_PKEY_CTX *ctx, const EVP_MD **md);
|
||||
int EVP_PKEY_CTX_set_ecdh_kdf_outlen(EVP_PKEY_CTX *ctx, int len);
|
||||
int EVP_PKEY_CTX_get_ecdh_kdf_outlen(EVP_PKEY_CTX *ctx, int *len);
|
||||
int EVP_PKEY_CTX_set0_ecdh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char *ukm, int len);
|
||||
int EVP_PKEY_CTX_get0_ecdh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm);
|
||||
|
||||
int EVP_PKEY_CTX_set1_id(EVP_PKEY_CTX *ctx, void *id, size_t id_len);
|
||||
int EVP_PKEY_CTX_get1_id(EVP_PKEY_CTX *ctx, void *id);
|
||||
@ -73,6 +148,9 @@ and B<p2> is MAC key. This is used by Poly1305, SipHash, HMAC and CMAC.
|
||||
Applications will not normally call EVP_PKEY_CTX_ctrl() directly but will
|
||||
instead call one of the algorithm specific macros below.
|
||||
|
||||
The function EVP_PKEY_CTX_ctrl_uint64() is a wrapper that directly passes a
|
||||
uint64 value as B<p2> to EVP_PKEY_CTX_ctrl().
|
||||
|
||||
The function EVP_PKEY_CTX_ctrl_str() allows an application to send an algorithm
|
||||
specific control operation to a context B<ctx> in string form. This is
|
||||
intended to be used for options specified on the command line or in text
|
||||
@ -80,6 +158,9 @@ files. The commands supported are documented in the openssl utility
|
||||
command line pages for the option B<-pkeyopt> which is supported by the
|
||||
B<pkeyutl>, B<genpkey> and B<req> commands.
|
||||
|
||||
The function EVP_PKEY_CTX_md() sends a message digest control operation
|
||||
to the context B<ctx>. The message digest is specified by its name B<md>.
|
||||
|
||||
All the remaining "functions" are implemented as macros.
|
||||
|
||||
The EVP_PKEY_CTX_set_signature_md() macro sets the message digest type used
|
||||
@ -99,12 +180,14 @@ L<EVP_PKEY_new_raw_private_key(3)> or similar functions instead of this macro.
|
||||
The EVP_PKEY_CTX_set_mac_key() macro can be used with any of the algorithms
|
||||
supported by the L<EVP_PKEY_new_raw_private_key(3)> function.
|
||||
|
||||
The macro EVP_PKEY_CTX_set_rsa_padding() sets the RSA padding mode for B<ctx>.
|
||||
The B<pad> parameter can take the value RSA_PKCS1_PADDING for PKCS#1 padding,
|
||||
RSA_SSLV23_PADDING for SSLv23 padding, RSA_NO_PADDING for no padding,
|
||||
RSA_PKCS1_OAEP_PADDING for OAEP padding (encrypt and decrypt only),
|
||||
RSA_X931_PADDING for X9.31 padding (signature operations only) and
|
||||
RSA_PKCS1_PSS_PADDING (sign and verify only).
|
||||
=head2 RSA parameters
|
||||
|
||||
The EVP_PKEY_CTX_set_rsa_padding() macro sets the RSA padding mode for B<ctx>.
|
||||
The B<pad> parameter can take the value B<RSA_PKCS1_PADDING> for PKCS#1
|
||||
padding, B<RSA_SSLV23_PADDING> for SSLv23 padding, B<RSA_NO_PADDING> for
|
||||
no padding, B<RSA_PKCS1_OAEP_PADDING> for OAEP padding (encrypt and
|
||||
decrypt only), B<RSA_X931_PADDING> for X9.31 padding (signature operations
|
||||
only) and B<RSA_PKCS1_PSS_PADDING> (sign and verify only).
|
||||
|
||||
Two RSA padding modes behave differently if EVP_PKEY_CTX_set_signature_md()
|
||||
is used. If this macro is called for PKCS#1 padding the plaintext buffer is
|
||||
@ -116,41 +199,154 @@ padding for RSA the algorithm identifier byte is added or checked and removed
|
||||
if this control is called. If it is not called then the first byte of the plaintext
|
||||
buffer is expected to be the algorithm identifier byte.
|
||||
|
||||
The EVP_PKEY_CTX_get_rsa_padding() macro gets the RSA padding mode for B<ctx>.
|
||||
|
||||
The EVP_PKEY_CTX_set_rsa_pss_saltlen() macro sets the RSA PSS salt length to
|
||||
B<len> as its name implies it is only supported for PSS padding. Three special
|
||||
values are supported: RSA_PSS_SALTLEN_DIGEST sets the salt length to the
|
||||
digest length, RSA_PSS_SALTLEN_MAX sets the salt length to the maximum
|
||||
permissible value. When verifying RSA_PSS_SALTLEN_AUTO causes the salt length
|
||||
B<len>. As its name implies it is only supported for PSS padding. Three special
|
||||
values are supported: B<RSA_PSS_SALTLEN_DIGEST> sets the salt length to the
|
||||
digest length, B<RSA_PSS_SALTLEN_MAX> sets the salt length to the maximum
|
||||
permissible value. When verifying B<RSA_PSS_SALTLEN_AUTO> causes the salt length
|
||||
to be automatically determined based on the B<PSS> block structure. If this
|
||||
macro is not called maximum salt length is used when signing and auto detection
|
||||
when verifying is used by default.
|
||||
|
||||
The EVP_PKEY_CTX_get_rsa_pss_saltlen() macro gets the RSA PSS salt length
|
||||
for B<ctx>. The padding mode must have been set to B<RSA_PKCS1_PSS_PADDING>.
|
||||
|
||||
The EVP_PKEY_CTX_set_rsa_keygen_bits() macro sets the RSA key length for
|
||||
RSA key generation to B<bits>. If not specified 1024 bits is used.
|
||||
|
||||
The EVP_PKEY_CTX_set_rsa_keygen_pubexp() macro sets the public exponent value
|
||||
for RSA key generation to B<pubexp> currently it should be an odd integer. The
|
||||
for RSA key generation to B<pubexp>. Currently it should be an odd integer. The
|
||||
B<pubexp> pointer is used internally by this function so it should not be
|
||||
modified or free after the call. If this macro is not called then 65537 is used.
|
||||
modified or freed after the call. If not specified 65537 is used.
|
||||
|
||||
The macro EVP_PKEY_CTX_set_dsa_paramgen_bits() sets the number of bits used
|
||||
The EVP_PKEY_CTX_set_rsa_keygen_primes() macro sets the number of primes for
|
||||
RSA key generation to B<primes>. If not specified 2 is used.
|
||||
|
||||
The EVP_PKEY_CTX_set_rsa_mgf1_md() macro sets the MGF1 digest for RSA padding
|
||||
schemes to B<md>. If not explicitly set the signing digest is used. The
|
||||
padding mode must have been set to B<RSA_PKCS1_OAEP_PADDING>
|
||||
or B<RSA_PKCS1_PSS_PADDING>.
|
||||
|
||||
The EVP_PKEY_CTX_get_rsa_mgf1_md() macro gets the MGF1 digest for B<ctx>.
|
||||
If not explicitly set the signing digest is used. The padding mode must have
|
||||
been set to B<RSA_PKCS1_OAEP_PADDING> or B<RSA_PKCS1_PSS_PADDING>.
|
||||
|
||||
The EVP_PKEY_CTX_set_rsa_oaep_md() macro sets the message digest type used
|
||||
in RSA OAEP to B<md>. The padding mode must have been set to
|
||||
B<RSA_PKCS1_OAEP_PADDING>.
|
||||
|
||||
The EVP_PKEY_CTX_get_rsa_oaep_md() macro gets the message digest type used
|
||||
in RSA OAEP to B<md>. The padding mode must have been set to
|
||||
B<RSA_PKCS1_OAEP_PADDING>.
|
||||
|
||||
The EVP_PKEY_CTX_set0_rsa_oaep_label() macro sets the RSA OAEP label to
|
||||
B<label> and its length to B<len>. If B<label> is NULL or B<len> is 0,
|
||||
the label is cleared. The library takes ownership of the label so the
|
||||
caller should not free the original memory pointed to by B<label>.
|
||||
The padding mode must have been set to B<RSA_PKCS1_OAEP_PADDING>.
|
||||
|
||||
The EVP_PKEY_CTX_get0_rsa_oaep_label() macro gets the RSA OAEP label to
|
||||
B<label>. The return value is the label length. The padding mode
|
||||
must have been set to B<RSA_PKCS1_OAEP_PADDING>. The resulting pointer is owned
|
||||
by the library and should not be freed by the caller.
|
||||
|
||||
=head2 DSA parameters
|
||||
|
||||
The EVP_PKEY_CTX_set_dsa_paramgen_bits() macro sets the number of bits used
|
||||
for DSA parameter generation to B<bits>. If not specified 1024 is used.
|
||||
|
||||
The macro EVP_PKEY_CTX_set_dh_paramgen_prime_len() sets the length of the DH
|
||||
=head2 DH parameters
|
||||
|
||||
The EVP_PKEY_CTX_set_dh_paramgen_prime_len() macro sets the length of the DH
|
||||
prime parameter B<p> for DH parameter generation. If this macro is not called
|
||||
then 1024 is used.
|
||||
then 1024 is used. Only accepts lengths greater than or equal to 256.
|
||||
|
||||
The EVP_PKEY_CTX_set_dh_paramgen_subprime_len() macro sets the length of the DH
|
||||
optional subprime parameter B<q> for DH parameter generation. The default is
|
||||
256 if the prime is at least 2048 bits long or 160 otherwise. The DH
|
||||
paramgen type must have been set to x9.42.
|
||||
|
||||
The EVP_PKEY_CTX_set_dh_paramgen_generator() macro sets DH generator to B<gen>
|
||||
for DH parameter generation. If not specified 2 is used.
|
||||
|
||||
The EVP_PKEY_CTX_set_dh_paramgen_type() macro sets the key type for DH
|
||||
parameter generation. Use 0 for PKCS#3 DH and 1 for X9.42 DH.
|
||||
The default is 0.
|
||||
|
||||
The EVP_PKEY_CTX_set_dh_pad() macro sets the DH padding mode. If B<pad> is
|
||||
1 the shared secret is padded with zeroes up to the size of the DH prime B<p>.
|
||||
If B<pad> is zero (the default) then no padding is performed.
|
||||
|
||||
EVP_PKEY_CTX_set_dh_nid() sets the DH parameters to values corresponding to
|
||||
B<nid>. The B<nid> parameter must be B<NID_ffdhe2048>, B<NID_ffdhe3072>,
|
||||
B<NID_ffdhe4096>, B<NID_ffdhe6144> or B<NID_ffdhe8192>. This macro can be
|
||||
called during parameter or key generation.
|
||||
B<nid> as defined in RFC7919. The B<nid> parameter must be B<NID_ffdhe2048>,
|
||||
B<NID_ffdhe3072>, B<NID_ffdhe4096>, B<NID_ffdhe6144>, B<NID_ffdhe8192>
|
||||
or B<NID_undef> to clear the stored value. This macro can be called during
|
||||
parameter or key generation.
|
||||
The nid parameter and the rfc5114 parameter are mutually exclusive.
|
||||
|
||||
The EVP_PKEY_CTX_set_dh_rfc5114() and EVP_PKEY_CTX_set_dhx_rfc5114() macros are
|
||||
synonymous. They set the DH parameters to the values defined in RFC5114. The
|
||||
B<rfc5114> parameter must be 1, 2 or 3 corresponding to RFC5114 sections
|
||||
2.1, 2.2 and 2.3. or 0 to clear the stored value. This macro can be called
|
||||
during parameter generation. The B<ctx> must have a key type of
|
||||
B<EVP_PKEY_DHX>.
|
||||
The rfc5114 parameter and the nid parameter are mutually exclusive.
|
||||
|
||||
=head2 DH key derivation function parameters
|
||||
|
||||
Note that all of the following functions require that the B<ctx> parameter has
|
||||
a private key type of B<EVP_PKEY_DHX>. When using key derivation, the output of
|
||||
EVP_PKEY_derive() is the output of the KDF instead of the DH shared secret.
|
||||
The KDF output is typically used as a Key Encryption Key (KEK) that in turn
|
||||
encrypts a Content Encryption Key (CEK).
|
||||
|
||||
The EVP_PKEY_CTX_set_dh_kdf_type() macro sets the key derivation function type
|
||||
to B<kdf> for DH key derivation. Possible values are B<EVP_PKEY_DH_KDF_NONE>
|
||||
and B<EVP_PKEY_DH_KDF_X9_42> which uses the key derivation specified in RFC2631
|
||||
(based on the keying algorithm described in X9.42). When using key derivation,
|
||||
the B<kdf_oid>, B<kdf_md> and B<kdf_outlen> parameters must also be specified.
|
||||
|
||||
The EVP_PKEY_CTX_get_dh_kdf_type() macro gets the key derivation function type
|
||||
for B<ctx> used for DH key derivation. Possible values are B<EVP_PKEY_DH_KDF_NONE>
|
||||
and B<EVP_PKEY_DH_KDF_X9_42>.
|
||||
|
||||
The EVP_PKEY_CTX_set0_dh_kdf_oid() macro sets the key derivation function
|
||||
object identifier to B<oid> for DH key derivation. This OID should identify
|
||||
the algorithm to be used with the Content Encryption Key.
|
||||
The library takes ownership of the object identifier so the caller should not
|
||||
free the original memory pointed to by B<oid>.
|
||||
|
||||
The EVP_PKEY_CTX_get0_dh_kdf_oid() macro gets the key derivation function oid
|
||||
for B<ctx> used for DH key derivation. The resulting pointer is owned by the
|
||||
library and should not be freed by the caller.
|
||||
|
||||
The EVP_PKEY_CTX_set_dh_kdf_md() macro sets the key derivation function
|
||||
message digest to B<md> for DH key derivation. Note that RFC2631 specifies
|
||||
that this digest should be SHA1 but OpenSSL tolerates other digests.
|
||||
|
||||
The EVP_PKEY_CTX_get_dh_kdf_md() macro gets the key derivation function
|
||||
message digest for B<ctx> used for DH key derivation.
|
||||
|
||||
The EVP_PKEY_CTX_set_dh_kdf_outlen() macro sets the key derivation function
|
||||
output length to B<len> for DH key derivation.
|
||||
|
||||
The EVP_PKEY_CTX_get_dh_kdf_outlen() macro gets the key derivation function
|
||||
output length for B<ctx> used for DH key derivation.
|
||||
|
||||
The EVP_PKEY_CTX_set0_dh_kdf_ukm() macro sets the user key material to
|
||||
B<ukm> and its length to B<len> for DH key derivation. This parameter is optional
|
||||
and corresponds to the partyAInfo field in RFC2631 terms. The specification
|
||||
requires that it is 512 bits long but this is not enforced by OpenSSL.
|
||||
The library takes ownership of the user key material so the caller should not
|
||||
free the original memory pointed to by B<ukm>.
|
||||
|
||||
The EVP_PKEY_CTX_get0_dh_kdf_ukm() macro gets the user key material for B<ctx>.
|
||||
The return value is the user key material length. The resulting pointer is owned
|
||||
by the library and should not be freed by the caller.
|
||||
|
||||
=head2 EC parameters
|
||||
|
||||
The EVP_PKEY_CTX_set_ec_paramgen_curve_nid() sets the EC curve for EC parameter
|
||||
generation to B<nid>. For EC parameter generation this macro must be called
|
||||
@ -158,7 +354,7 @@ or an error occurs because there is no default curve.
|
||||
This function can also be called to set the curve explicitly when
|
||||
generating an EC key.
|
||||
|
||||
The EVP_PKEY_CTX_set_ec_param_enc() sets the EC parameter encoding to
|
||||
The EVP_PKEY_CTX_set_ec_param_enc() macro sets the EC parameter encoding to
|
||||
B<param_enc> when generating EC parameters or an EC key. The encoding can be
|
||||
B<OPENSSL_EC_EXPLICIT_CURVE> for explicit parameters (the default in versions
|
||||
of OpenSSL before 1.1.0) or B<OPENSSL_EC_NAMED_CURVE> to use named curve form.
|
||||
@ -166,6 +362,53 @@ For maximum compatibility the named curve form should be used. Note: the
|
||||
B<OPENSSL_EC_NAMED_CURVE> value was only added to OpenSSL 1.1.0; previous
|
||||
versions should use 0 instead.
|
||||
|
||||
=head2 ECDH parameters
|
||||
|
||||
The EVP_PKEY_CTX_set_ecdh_cofactor_mode() macro sets the cofactor mode to
|
||||
B<cofactor_mode> for ECDH key derivation. Possible values are 1 to enable
|
||||
cofactor key derivation, 0 to disable it and -1 to clear the stored cofactor
|
||||
mode and fallback to the private key cofactor mode.
|
||||
|
||||
The EVP_PKEY_CTX_get_ecdh_cofactor_mode() macro returns the cofactor mode for
|
||||
B<ctx> used for ECDH key derivation. Possible values are 1 when cofactor key
|
||||
derivation is enabled and 0 otherwise.
|
||||
|
||||
=head2 ECDH key derivation function parameters
|
||||
|
||||
The EVP_PKEY_CTX_set_ecdh_kdf_type() macro sets the key derivation function type
|
||||
to B<kdf> for ECDH key derivation. Possible values are B<EVP_PKEY_ECDH_KDF_NONE>
|
||||
and B<EVP_PKEY_ECDH_KDF_X9_63> which uses the key derivation specified in X9.63.
|
||||
When using key derivation, the B<kdf_md> and B<kdf_outlen> parameters must
|
||||
also be specified.
|
||||
|
||||
The EVP_PKEY_CTX_get_ecdh_kdf_type() macro returns the key derivation function
|
||||
type for B<ctx> used for ECDH key derivation. Possible values are
|
||||
B<EVP_PKEY_ECDH_KDF_NONE> and B<EVP_PKEY_ECDH_KDF_X9_63>.
|
||||
|
||||
The EVP_PKEY_CTX_set_ecdh_kdf_md() macro sets the key derivation function
|
||||
message digest to B<md> for ECDH key derivation. Note that X9.63 specifies
|
||||
that this digest should be SHA1 but OpenSSL tolerates other digests.
|
||||
|
||||
The EVP_PKEY_CTX_get_ecdh_kdf_md() macro gets the key derivation function
|
||||
message digest for B<ctx> used for ECDH key derivation.
|
||||
|
||||
The EVP_PKEY_CTX_set_ecdh_kdf_outlen() macro sets the key derivation function
|
||||
output length to B<len> for ECDH key derivation.
|
||||
|
||||
The EVP_PKEY_CTX_get_ecdh_kdf_outlen() macro gets the key derivation function
|
||||
output length for B<ctx> used for ECDH key derivation.
|
||||
|
||||
The EVP_PKEY_CTX_set0_ecdh_kdf_ukm() macro sets the user key material to B<ukm>
|
||||
for ECDH key derivation. This parameter is optional and corresponds to the
|
||||
shared info in X9.63 terms. The library takes ownership of the user key material
|
||||
so the caller should not free the original memory pointed to by B<ukm>.
|
||||
|
||||
The EVP_PKEY_CTX_get0_ecdh_kdf_ukm() macro gets the user key material for B<ctx>.
|
||||
The return value is the user key material length. The resulting pointer is owned
|
||||
by the library and should not be freed by the caller.
|
||||
|
||||
=head2 Other parameters
|
||||
|
||||
The EVP_PKEY_CTX_set1_id(), EVP_PKEY_CTX_get1_id() and EVP_PKEY_CTX_get1_id_len()
|
||||
macros are used to manipulate the special identifier field for specific signature
|
||||
algorithms such as SM2. The EVP_PKEY_CTX_set1_id() sets an ID pointed by B<id> with
|
||||
@ -191,7 +434,7 @@ L<EVP_PKEY_decrypt(3)>,
|
||||
L<EVP_PKEY_sign(3)>,
|
||||
L<EVP_PKEY_verify(3)>,
|
||||
L<EVP_PKEY_verify_recover(3)>,
|
||||
L<EVP_PKEY_derive(3)>
|
||||
L<EVP_PKEY_derive(3)>,
|
||||
L<EVP_PKEY_keygen(3)>
|
||||
|
||||
=head1 HISTORY
|
||||
|
@ -68,12 +68,12 @@ error occurs.
|
||||
|
||||
=back
|
||||
|
||||
EVP_PKEY_set_hkdf_md() sets the message digest associated with the HKDF.
|
||||
EVP_PKEY_CTX_set_hkdf_md() sets the message digest associated with the HKDF.
|
||||
|
||||
EVP_PKEY_CTX_set1_hkdf_salt() sets the salt to B<saltlen> bytes of the
|
||||
buffer B<salt>. Any existing value is replaced.
|
||||
|
||||
EVP_PKEY_CTX_set_hkdf_key() sets the key to B<keylen> bytes of the buffer
|
||||
EVP_PKEY_CTX_set1_hkdf_key() sets the key to B<keylen> bytes of the buffer
|
||||
B<key>. Any existing value is replaced.
|
||||
|
||||
EVP_PKEY_CTX_add1_hkdf_info() sets the info value to B<infolen> bytes of the
|
||||
|
@ -32,7 +32,7 @@ The EVP_PKEY_CTX_set_rsa_pss_saltlen() macro is used to set the salt length.
|
||||
If the key has usage restrictions then an error is returned if an attempt is
|
||||
made to set the salt length below the minimum value. It is otherwise similar
|
||||
to the B<RSA> operation except detection of the salt length (using
|
||||
RSA_PSS_SALTLEN_AUTO is not supported for verification if the key has
|
||||
RSA_PSS_SALTLEN_AUTO) is not supported for verification if the key has
|
||||
usage restrictions.
|
||||
|
||||
The EVP_PKEY_CTX_set_signature_md() and EVP_PKEY_CTX_set_rsa_mgf1_md() macros
|
||||
@ -43,7 +43,7 @@ similar to the B<RSA> versions.
|
||||
|
||||
=head2 Key Generation
|
||||
|
||||
As with RSA key generation the EVP_PKEY_CTX_set_rsa_rsa_keygen_bits()
|
||||
As with RSA key generation the EVP_PKEY_CTX_set_rsa_keygen_bits()
|
||||
and EVP_PKEY_CTX_set_rsa_keygen_pubexp() macros are supported for RSA-PSS:
|
||||
they have exactly the same meaning as for the RSA algorithm.
|
||||
|
||||
|
@ -6,8 +6,10 @@ EVP_PKEY_set1_RSA, EVP_PKEY_set1_DSA, EVP_PKEY_set1_DH, EVP_PKEY_set1_EC_KEY,
|
||||
EVP_PKEY_get1_RSA, EVP_PKEY_get1_DSA, EVP_PKEY_get1_DH, EVP_PKEY_get1_EC_KEY,
|
||||
EVP_PKEY_get0_RSA, EVP_PKEY_get0_DSA, EVP_PKEY_get0_DH, EVP_PKEY_get0_EC_KEY,
|
||||
EVP_PKEY_assign_RSA, EVP_PKEY_assign_DSA, EVP_PKEY_assign_DH,
|
||||
EVP_PKEY_assign_EC_KEY, EVP_PKEY_get0_hmac, EVP_PKEY_type, EVP_PKEY_id,
|
||||
EVP_PKEY_base_id, EVP_PKEY_set_alias_type, EVP_PKEY_set1_engine - EVP_PKEY assignment functions
|
||||
EVP_PKEY_assign_EC_KEY, EVP_PKEY_assign_POLY1305, EVP_PKEY_assign_SIPHASH,
|
||||
EVP_PKEY_get0_hmac, EVP_PKEY_get0_poly1305, EVP_PKEY_get0_siphash,
|
||||
EVP_PKEY_type, EVP_PKEY_id, EVP_PKEY_base_id, EVP_PKEY_set_alias_type,
|
||||
EVP_PKEY_set1_engine - EVP_PKEY assignment functions
|
||||
|
||||
=head1 SYNOPSIS
|
||||
|
||||
@ -24,6 +26,8 @@ EVP_PKEY_base_id, EVP_PKEY_set_alias_type, EVP_PKEY_set1_engine - EVP_PKEY assig
|
||||
EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey);
|
||||
|
||||
const unsigned char *EVP_PKEY_get0_hmac(const EVP_PKEY *pkey, size_t *len);
|
||||
const unsigned char *EVP_PKEY_get0_poly1305(const EVP_PKEY *pkey, size_t *len);
|
||||
const unsigned char *EVP_PKEY_get0_siphash(const EVP_PKEY *pkey, size_t *len);
|
||||
RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey);
|
||||
DSA *EVP_PKEY_get0_DSA(EVP_PKEY *pkey);
|
||||
DH *EVP_PKEY_get0_DH(EVP_PKEY *pkey);
|
||||
@ -33,6 +37,8 @@ EVP_PKEY_base_id, EVP_PKEY_set_alias_type, EVP_PKEY_set1_engine - EVP_PKEY assig
|
||||
int EVP_PKEY_assign_DSA(EVP_PKEY *pkey, DSA *key);
|
||||
int EVP_PKEY_assign_DH(EVP_PKEY *pkey, DH *key);
|
||||
int EVP_PKEY_assign_EC_KEY(EVP_PKEY *pkey, EC_KEY *key);
|
||||
int EVP_PKEY_assign_POLY1305(EVP_PKEY *pkey, ASN1_OCTET_STRING *key);
|
||||
int EVP_PKEY_assign_SIPHASH(EVP_PKEY *pkey, ASN1_OCTET_STRING *key);
|
||||
|
||||
int EVP_PKEY_id(const EVP_PKEY *pkey);
|
||||
int EVP_PKEY_base_id(const EVP_PKEY *pkey);
|
||||
@ -50,14 +56,15 @@ EVP_PKEY_get1_RSA(), EVP_PKEY_get1_DSA(), EVP_PKEY_get1_DH() and
|
||||
EVP_PKEY_get1_EC_KEY() return the referenced key in B<pkey> or
|
||||
B<NULL> if the key is not of the correct type.
|
||||
|
||||
EVP_PKEY_get0_hmac(), EVP_PKEY_get0_RSA(), EVP_PKEY_get0_DSA(),
|
||||
EVP_PKEY_get0_DH() and EVP_PKEY_get0_EC_KEY() also return the
|
||||
referenced key in B<pkey> or B<NULL> if the key is not of the
|
||||
correct type but the reference count of the returned key is
|
||||
B<not> incremented and so must not be freed up after use.
|
||||
EVP_PKEY_get0_hmac(), EVP_PKEY_get0_poly1305(), EVP_PKEY_get0_siphash(),
|
||||
EVP_PKEY_get0_RSA(), EVP_PKEY_get0_DSA(), EVP_PKEY_get0_DH()
|
||||
and EVP_PKEY_get0_EC_KEY() also return the referenced key in B<pkey> or B<NULL>
|
||||
if the key is not of the correct type but the reference count of the
|
||||
returned key is B<not> incremented and so must not be freed up after use.
|
||||
|
||||
EVP_PKEY_assign_RSA(), EVP_PKEY_assign_DSA(), EVP_PKEY_assign_DH()
|
||||
and EVP_PKEY_assign_EC_KEY() also set the referenced key to B<key>
|
||||
EVP_PKEY_assign_RSA(), EVP_PKEY_assign_DSA(), EVP_PKEY_assign_DH(),
|
||||
EVP_PKEY_assign_EC_KEY(), EVP_PKEY_assign_POLY1305() and
|
||||
EVP_PKEY_assign_SIPHASH() also set the referenced key to B<key>
|
||||
however these use the supplied B<key> internally and so B<key>
|
||||
will be freed when the parent B<pkey> is freed.
|
||||
|
||||
@ -89,8 +96,9 @@ In accordance with the OpenSSL naming convention the key obtained
|
||||
from or assigned to the B<pkey> using the B<1> functions must be
|
||||
freed as well as B<pkey>.
|
||||
|
||||
EVP_PKEY_assign_RSA(), EVP_PKEY_assign_DSA(), EVP_PKEY_assign_DH()
|
||||
and EVP_PKEY_assign_EC_KEY() are implemented as macros.
|
||||
EVP_PKEY_assign_RSA(), EVP_PKEY_assign_DSA(), EVP_PKEY_assign_DH(),
|
||||
EVP_PKEY_assign_EC_KEY(), EVP_PKEY_assign_POLY1305()
|
||||
and EVP_PKEY_assign_SIPHASH() are implemented as macros.
|
||||
|
||||
Most applications wishing to know a key type will simply call
|
||||
EVP_PKEY_base_id() and will not care about the actual type:
|
||||
@ -119,8 +127,9 @@ EVP_PKEY_get1_RSA(), EVP_PKEY_get1_DSA(), EVP_PKEY_get1_DH() and
|
||||
EVP_PKEY_get1_EC_KEY() return the referenced key or B<NULL> if
|
||||
an error occurred.
|
||||
|
||||
EVP_PKEY_assign_RSA(), EVP_PKEY_assign_DSA(), EVP_PKEY_assign_DH()
|
||||
and EVP_PKEY_assign_EC_KEY() return 1 for success and 0 for failure.
|
||||
EVP_PKEY_assign_RSA(), EVP_PKEY_assign_DSA(), EVP_PKEY_assign_DH(),
|
||||
EVP_PKEY_assign_EC_KEY(), EVP_PKEY_assign_POLY1305()
|
||||
and EVP_PKEY_assign_SIPHASH() return 1 for success and 0 for failure.
|
||||
|
||||
EVP_PKEY_base_id(), EVP_PKEY_id() and EVP_PKEY_type() return a key
|
||||
type or B<NID_undef> (equivalently B<EVP_PKEY_NONE>) on error.
|
||||
|
@ -14,6 +14,9 @@ EVP_aes_256_cfb1,
|
||||
EVP_aes_128_cfb8,
|
||||
EVP_aes_192_cfb8,
|
||||
EVP_aes_256_cfb8,
|
||||
EVP_aes_128_cfb128,
|
||||
EVP_aes_192_cfb128,
|
||||
EVP_aes_256_cfb128,
|
||||
EVP_aes_128_ctr,
|
||||
EVP_aes_192_ctr,
|
||||
EVP_aes_256_ctr,
|
||||
@ -75,6 +78,9 @@ EVP_aes_256_cfb1(),
|
||||
EVP_aes_128_cfb8(),
|
||||
EVP_aes_192_cfb8(),
|
||||
EVP_aes_256_cfb8(),
|
||||
EVP_aes_128_cfb128(),
|
||||
EVP_aes_192_cfb128(),
|
||||
EVP_aes_256_cfb128(),
|
||||
EVP_aes_128_ctr(),
|
||||
EVP_aes_192_ctr(),
|
||||
EVP_aes_256_ctr(),
|
||||
@ -170,7 +176,7 @@ L<EVP_CIPHER_meth_new(3)>
|
||||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the OpenSSL license (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -14,6 +14,9 @@ EVP_aria_256_cfb1,
|
||||
EVP_aria_128_cfb8,
|
||||
EVP_aria_192_cfb8,
|
||||
EVP_aria_256_cfb8,
|
||||
EVP_aria_128_cfb128,
|
||||
EVP_aria_192_cfb128,
|
||||
EVP_aria_256_cfb128,
|
||||
EVP_aria_128_ctr,
|
||||
EVP_aria_192_ctr,
|
||||
EVP_aria_256_ctr,
|
||||
@ -60,6 +63,9 @@ EVP_aria_256_cfb1(),
|
||||
EVP_aria_128_cfb8(),
|
||||
EVP_aria_192_cfb8(),
|
||||
EVP_aria_256_cfb8(),
|
||||
EVP_aria_128_cfb128(),
|
||||
EVP_aria_192_cfb128(),
|
||||
EVP_aria_256_cfb128(),
|
||||
EVP_aria_128_ctr(),
|
||||
EVP_aria_192_ctr(),
|
||||
EVP_aria_256_ctr(),
|
||||
@ -100,7 +106,7 @@ L<EVP_CIPHER_meth_new(3)>
|
||||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the OpenSSL license (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -4,6 +4,7 @@
|
||||
|
||||
EVP_bf_cbc,
|
||||
EVP_bf_cfb,
|
||||
EVP_bf_cfb64,
|
||||
EVP_bf_ecb,
|
||||
EVP_bf_ofb
|
||||
- EVP Blowfish cipher
|
||||
@ -14,6 +15,7 @@ EVP_bf_ofb
|
||||
|
||||
const EVP_CIPHER *EVP_bf_cbc(void)
|
||||
const EVP_CIPHER *EVP_bf_cfb(void)
|
||||
const EVP_CIPHER *EVP_bf_cfb64(void)
|
||||
const EVP_CIPHER *EVP_bf_ecb(void)
|
||||
const EVP_CIPHER *EVP_bf_ofb(void)
|
||||
|
||||
@ -27,6 +29,7 @@ This is a variable key length cipher.
|
||||
|
||||
=item EVP_bf_cbc(),
|
||||
EVP_bf_cfb(),
|
||||
EVP_bf_cfb64(),
|
||||
EVP_bf_ecb(),
|
||||
EVP_bf_ofb()
|
||||
|
||||
@ -48,7 +51,7 @@ L<EVP_CIPHER_meth_new(3)>
|
||||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the OpenSSL license (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -14,6 +14,9 @@ EVP_camellia_256_cfb1,
|
||||
EVP_camellia_128_cfb8,
|
||||
EVP_camellia_192_cfb8,
|
||||
EVP_camellia_256_cfb8,
|
||||
EVP_camellia_128_cfb128,
|
||||
EVP_camellia_192_cfb128,
|
||||
EVP_camellia_256_cfb128,
|
||||
EVP_camellia_128_ctr,
|
||||
EVP_camellia_192_ctr,
|
||||
EVP_camellia_256_ctr,
|
||||
@ -54,6 +57,9 @@ EVP_camellia_256_cfb1(),
|
||||
EVP_camellia_128_cfb8(),
|
||||
EVP_camellia_192_cfb8(),
|
||||
EVP_camellia_256_cfb8(),
|
||||
EVP_camellia_128_cfb128(),
|
||||
EVP_camellia_192_cfb128(),
|
||||
EVP_camellia_256_cfb128(),
|
||||
EVP_camellia_128_ctr(),
|
||||
EVP_camellia_192_ctr(),
|
||||
EVP_camellia_256_ctr(),
|
||||
@ -83,7 +89,7 @@ L<EVP_CIPHER_meth_new(3)>
|
||||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the OpenSSL license (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -4,6 +4,7 @@
|
||||
|
||||
EVP_cast5_cbc,
|
||||
EVP_cast5_cfb,
|
||||
EVP_cast5_cfb64,
|
||||
EVP_cast5_ecb,
|
||||
EVP_cast5_ofb
|
||||
- EVP CAST cipher
|
||||
@ -14,6 +15,7 @@ EVP_cast5_ofb
|
||||
|
||||
const EVP_CIPHER *EVP_cast5_cbc(void)
|
||||
const EVP_CIPHER *EVP_cast5_cfb(void)
|
||||
const EVP_CIPHER *EVP_cast5_cfb64(void)
|
||||
const EVP_CIPHER *EVP_cast5_ecb(void)
|
||||
const EVP_CIPHER *EVP_cast5_ofb(void)
|
||||
|
||||
@ -28,6 +30,7 @@ This is a variable key length cipher.
|
||||
=item EVP_cast5_cbc(),
|
||||
EVP_cast5_ecb(),
|
||||
EVP_cast5_cfb(),
|
||||
EVP_cast5_cfb64(),
|
||||
EVP_cast5_ofb()
|
||||
|
||||
CAST encryption algorithm in CBC, ECB, CFB and OFB modes respectively.
|
||||
@ -48,7 +51,7 @@ L<EVP_CIPHER_meth_new(3)>
|
||||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the OpenSSL license (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -6,19 +6,24 @@ EVP_des_cbc,
|
||||
EVP_des_cfb,
|
||||
EVP_des_cfb1,
|
||||
EVP_des_cfb8,
|
||||
EVP_des_cfb64,
|
||||
EVP_des_ecb,
|
||||
EVP_des_ede,
|
||||
EVP_des_ede_cfb,
|
||||
EVP_des_ede_ofb,
|
||||
EVP_des_ofb,
|
||||
EVP_des_ede,
|
||||
EVP_des_ede_cbc,
|
||||
EVP_des_ede_cfb,
|
||||
EVP_des_ede_cfb64,
|
||||
EVP_des_ede_ecb,
|
||||
EVP_des_ede_ofb,
|
||||
EVP_des_ede3,
|
||||
EVP_des_ede3_cbc,
|
||||
EVP_des_ede3_cfb,
|
||||
EVP_des_ede3_cfb1,
|
||||
EVP_des_ede3_cfb8,
|
||||
EVP_des_ede3_cfb64,
|
||||
EVP_des_ede3_ecb,
|
||||
EVP_des_ede3_ofb,
|
||||
EVP_des_ede3_wrap,
|
||||
EVP_des_ede_cbc
|
||||
EVP_des_ede3_wrap
|
||||
- EVP DES cipher
|
||||
|
||||
=head1 SYNOPSIS
|
||||
@ -43,27 +48,32 @@ EVP_des_ecb(),
|
||||
EVP_des_cfb(),
|
||||
EVP_des_cfb1(),
|
||||
EVP_des_cfb8(),
|
||||
EVP_des_cfb64(),
|
||||
EVP_des_ofb()
|
||||
|
||||
DES in CBC, ECB, CFB with 128-bit shift, CFB with 1-bit shift, CFB with 8-bit
|
||||
shift and OFB modes respectively.
|
||||
DES in CBC, ECB, CFB with 64-bit shift, CFB with 1-bit shift, CFB with 8-bit
|
||||
shift and OFB modes.
|
||||
|
||||
=item EVP_des_ede(),
|
||||
EVP_des_ede_cbc(),
|
||||
EVP_des_ede_ofb(),
|
||||
EVP_des_ede_cfb()
|
||||
EVP_des_ede_cfb(),
|
||||
EVP_des_ede_cfb64(),
|
||||
EVP_des_ede_ecb(),
|
||||
EVP_des_ede_ofb()
|
||||
|
||||
Two key triple DES in ECB, CBC, CFB and OFB modes respectively.
|
||||
Two key triple DES in ECB, CBC, CFB with 64-bit shift and OFB modes.
|
||||
|
||||
=item EVP_des_ede3(),
|
||||
EVP_des_ede3_cbc(),
|
||||
EVP_des_ede3_cfb(),
|
||||
EVP_des_ede3_cfb1(),
|
||||
EVP_des_ede3_cfb8(),
|
||||
EVP_des_ede3_cfb64(),
|
||||
EVP_des_ede3_ecb(),
|
||||
EVP_des_ede3_ofb()
|
||||
|
||||
Three-key triple DES in ECB, CBC, CFB with 128-bit shift, CFB with 1-bit shift,
|
||||
CFB with 8-bit shift and OFB modes respectively.
|
||||
Three-key triple DES in ECB, CBC, CFB with 64-bit shift, CFB with 1-bit shift,
|
||||
CFB with 8-bit shift and OFB modes.
|
||||
|
||||
=item EVP_des_ede3_wrap()
|
||||
|
||||
@ -85,7 +95,7 @@ L<EVP_CIPHER_meth_new(3)>
|
||||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the OpenSSL license (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -4,6 +4,7 @@
|
||||
|
||||
EVP_idea_cbc,
|
||||
EVP_idea_cfb,
|
||||
EVP_idea_cfb64,
|
||||
EVP_idea_ecb,
|
||||
EVP_idea_ofb
|
||||
- EVP IDEA cipher
|
||||
@ -14,6 +15,7 @@ EVP_idea_ofb
|
||||
|
||||
const EVP_CIPHER *EVP_idea_cbc(void)
|
||||
const EVP_CIPHER *EVP_idea_cfb(void)
|
||||
const EVP_CIPHER *EVP_idea_cfb64(void)
|
||||
const EVP_CIPHER *EVP_idea_ecb(void)
|
||||
const EVP_CIPHER *EVP_idea_ofb(void)
|
||||
|
||||
@ -25,6 +27,7 @@ The IDEA encryption algorithm for EVP.
|
||||
|
||||
=item EVP_idea_cbc(),
|
||||
EVP_idea_cfb(),
|
||||
EVP_idea_cfb64(),
|
||||
EVP_idea_ecb(),
|
||||
EVP_idea_ofb()
|
||||
|
||||
@ -46,7 +49,7 @@ L<EVP_CIPHER_meth_new(3)>
|
||||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the OpenSSL license (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -2,7 +2,8 @@
|
||||
|
||||
=head1 NAME
|
||||
|
||||
EVP_md5
|
||||
EVP_md5,
|
||||
EVP_md5_sha1
|
||||
- MD5 For EVP
|
||||
|
||||
=head1 SYNOPSIS
|
||||
@ -10,6 +11,7 @@ EVP_md5
|
||||
#include <openssl/evp.h>
|
||||
|
||||
const EVP_MD *EVP_md5(void);
|
||||
const EVP_MD *EVP_md5_sha1(void);
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
|
@ -4,6 +4,7 @@
|
||||
|
||||
EVP_rc2_cbc,
|
||||
EVP_rc2_cfb,
|
||||
EVP_rc2_cfb64,
|
||||
EVP_rc2_ecb,
|
||||
EVP_rc2_ofb,
|
||||
EVP_rc2_40_cbc,
|
||||
@ -16,6 +17,7 @@ EVP_rc2_64_cbc
|
||||
|
||||
const EVP_CIPHER *EVP_rc2_cbc(void)
|
||||
const EVP_CIPHER *EVP_rc2_cfb(void)
|
||||
const EVP_CIPHER *EVP_rc2_cfb64(void)
|
||||
const EVP_CIPHER *EVP_rc2_ecb(void)
|
||||
const EVP_CIPHER *EVP_rc2_ofb(void)
|
||||
const EVP_CIPHER *EVP_rc2_40_cbc(void)
|
||||
@ -29,6 +31,7 @@ The RC2 encryption algorithm for EVP.
|
||||
|
||||
=item EVP_rc2_cbc(),
|
||||
EVP_rc2_cfb(),
|
||||
EVP_rc2_cfb64(),
|
||||
EVP_rc2_ecb(),
|
||||
EVP_rc2_ofb()
|
||||
|
||||
@ -62,7 +65,7 @@ L<EVP_CIPHER_meth_new(3)>
|
||||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the OpenSSL license (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -4,6 +4,7 @@
|
||||
|
||||
EVP_rc5_32_12_16_cbc,
|
||||
EVP_rc5_32_12_16_cfb,
|
||||
EVP_rc5_32_12_16_cfb64,
|
||||
EVP_rc5_32_12_16_ecb,
|
||||
EVP_rc5_32_12_16_ofb
|
||||
- EVP RC5 cipher
|
||||
@ -14,6 +15,7 @@ EVP_rc5_32_12_16_ofb
|
||||
|
||||
const EVP_CIPHER *EVP_rc5_32_12_16_cbc(void)
|
||||
const EVP_CIPHER *EVP_rc5_32_12_16_cfb(void)
|
||||
const EVP_CIPHER *EVP_rc5_32_12_16_cfb64(void)
|
||||
const EVP_CIPHER *EVP_rc5_32_12_16_ecb(void)
|
||||
const EVP_CIPHER *EVP_rc5_32_12_16_ofb(void)
|
||||
|
||||
@ -25,6 +27,7 @@ The RC5 encryption algorithm for EVP.
|
||||
|
||||
=item EVP_rc5_32_12_16_cbc(),
|
||||
EVP_rc5_32_12_16_cfb(),
|
||||
EVP_rc5_32_12_16_cfb64(),
|
||||
EVP_rc5_32_12_16_ecb(),
|
||||
EVP_rc5_32_12_16_ofb()
|
||||
|
||||
@ -53,7 +56,7 @@ L<EVP_CIPHER_meth_new(3)>
|
||||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the OpenSSL license (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -4,6 +4,7 @@
|
||||
|
||||
EVP_seed_cbc,
|
||||
EVP_seed_cfb,
|
||||
EVP_seed_cfb128,
|
||||
EVP_seed_ecb,
|
||||
EVP_seed_ofb
|
||||
- EVP SEED cipher
|
||||
@ -14,6 +15,7 @@ EVP_seed_ofb
|
||||
|
||||
const EVP_CIPHER *EVP_seed_cbc(void)
|
||||
const EVP_CIPHER *EVP_seed_cfb(void)
|
||||
const EVP_CIPHER *EVP_seed_cfb128(void)
|
||||
const EVP_CIPHER *EVP_seed_ecb(void)
|
||||
const EVP_CIPHER *EVP_seed_ofb(void)
|
||||
|
||||
@ -27,6 +29,7 @@ All modes below use a key length of 128 bits and acts on blocks of 128-bits.
|
||||
|
||||
=item EVP_seed_cbc(),
|
||||
EVP_seed_cfb(),
|
||||
EVP_seed_cfb128(),
|
||||
EVP_seed_ecb(),
|
||||
EVP_seed_ofb()
|
||||
|
||||
@ -48,7 +51,7 @@ L<EVP_CIPHER_meth_new(3)>
|
||||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the OpenSSL license (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -5,6 +5,7 @@
|
||||
EVP_sm4_cbc,
|
||||
EVP_sm4_ecb,
|
||||
EVP_sm4_cfb,
|
||||
EVP_sm4_cfb128,
|
||||
EVP_sm4_ofb,
|
||||
EVP_sm4_ctr
|
||||
- EVP SM4 cipher
|
||||
@ -16,6 +17,7 @@ EVP_sm4_ctr
|
||||
const EVP_CIPHER *EVP_sm4_cbc(void);
|
||||
const EVP_CIPHER *EVP_sm4_ecb(void);
|
||||
const EVP_CIPHER *EVP_sm4_cfb(void);
|
||||
const EVP_CIPHER *EVP_sm4_cfb128(void);
|
||||
const EVP_CIPHER *EVP_sm4_ofb(void);
|
||||
const EVP_CIPHER *EVP_sm4_ctr(void);
|
||||
|
||||
@ -30,6 +32,7 @@ All modes below use a key length of 128 bits and acts on blocks of 128 bits.
|
||||
=item EVP_sm4_cbc(),
|
||||
EVP_sm4_ecb(),
|
||||
EVP_sm4_cfb(),
|
||||
EVP_sm4_cfb128(),
|
||||
EVP_sm4_ofb(),
|
||||
EVP_sm4_ctr()
|
||||
|
||||
|
@ -2,13 +2,14 @@
|
||||
|
||||
=head1 NAME
|
||||
|
||||
OPENSSL_VERSION_NUMBER, OpenSSL_version,
|
||||
OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT, OpenSSL_version,
|
||||
OpenSSL_version_num - get OpenSSL version number
|
||||
|
||||
=head1 SYNOPSIS
|
||||
|
||||
#include <openssl/opensslv.h>
|
||||
#define OPENSSL_VERSION_NUMBER 0xnnnnnnnnnL
|
||||
#define OPENSSL_VERSION_TEXT "OpenSSL x.y.z xx XXX xxxx"
|
||||
|
||||
#include <openssl/crypto.h>
|
||||
|
||||
@ -45,6 +46,10 @@ Version 0.9.5a had an interim interpretation that is like the current one,
|
||||
except the patch level got the highest bit set, to keep continuity. The
|
||||
number was therefore 0x0090581f.
|
||||
|
||||
OPENSSL_VERSION_TEXT is the text variant of the version number and the
|
||||
release date. For example,
|
||||
"OpenSSL 1.0.1a 15 Oct 2015".
|
||||
|
||||
OpenSSL_version_num() returns the version number.
|
||||
|
||||
OpenSSL_version() returns different strings depending on B<t>:
|
||||
|
@ -64,10 +64,10 @@ RSA_meth_get_multi_prime_keygen, RSA_meth_set_multi_prime_keygen
|
||||
unsigned char *to, RSA *rsa, int padding));
|
||||
|
||||
/* Can be null */
|
||||
int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth))(BIGNUM *r0, const BIGNUM *I,
|
||||
int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth))(BIGNUM *r0, const BIGNUM *i,
|
||||
RSA *rsa, BN_CTX *ctx);
|
||||
int RSA_meth_set_mod_exp(RSA_METHOD *rsa,
|
||||
int (*mod_exp)(BIGNUM *r0, const BIGNUM *I, RSA *rsa,
|
||||
int (*mod_exp)(BIGNUM *r0, const BIGNUM *i, RSA *rsa,
|
||||
BN_CTX *ctx));
|
||||
|
||||
/* Can be null */
|
||||
|
@ -2,14 +2,32 @@
|
||||
|
||||
=head1 NAME
|
||||
|
||||
SSL_set0_CA_list, SSL_CTX_set0_CA_list, SSL_get0_CA_list,
|
||||
SSL_CTX_get0_CA_list, SSL_add1_to_CA_list, SSL_CTX_add1_to_CA_list,
|
||||
SSL_get0_peer_CA_list - get or set CA list
|
||||
SSL_CTX_set_client_CA_list,
|
||||
SSL_set_client_CA_list,
|
||||
SSL_get_client_CA_list,
|
||||
SSL_CTX_get_client_CA_list,
|
||||
SSL_CTX_add_client_CA,
|
||||
SSL_add_client_CA,
|
||||
SSL_set0_CA_list,
|
||||
SSL_CTX_set0_CA_list,
|
||||
SSL_get0_CA_list,
|
||||
SSL_CTX_get0_CA_list,
|
||||
SSL_add1_to_CA_list,
|
||||
SSL_CTX_add1_to_CA_list,
|
||||
SSL_get0_peer_CA_list
|
||||
- get or set CA list
|
||||
|
||||
=head1 SYNOPSIS
|
||||
|
||||
#include <openssl/ssl.h>
|
||||
|
||||
void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list);
|
||||
void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list);
|
||||
STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s);
|
||||
STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx);
|
||||
int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *cacert);
|
||||
int SSL_add_client_CA(SSL *ssl, X509 *cacert);
|
||||
|
||||
void SSL_CTX_set0_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list);
|
||||
void SSL_set0_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list);
|
||||
const STACK_OF(X509_NAME) *SSL_CTX_get0_CA_list(const SSL_CTX *ctx);
|
||||
@ -21,6 +39,70 @@ SSL_get0_peer_CA_list - get or set CA list
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
The functions described here set and manage the list of CA names that are sent
|
||||
between two communicating peers.
|
||||
|
||||
For TLS versions 1.2 and earlier the list of CA names is only sent from the
|
||||
server to the client when requesting a client certificate. So any list of CA
|
||||
names set is never sent from client to server and the list of CA names retrieved
|
||||
by SSL_get0_peer_CA_list() is always B<NULL>.
|
||||
|
||||
For TLS 1.3 the list of CA names is sent using the B<certificate_authorities>
|
||||
extension and may be sent by a client (in the ClientHello message) or by
|
||||
a server (when requesting a certificate).
|
||||
|
||||
In most cases it is not necessary to set CA names on the client side. The list
|
||||
of CA names that are acceptable to the client will be sent in plaintext to the
|
||||
server. This has privacy implications and may also have performance implications
|
||||
if the list is large. This optional capability was introduced as part of TLSv1.3
|
||||
and therefore setting CA names on the client side will have no impact if that
|
||||
protocol version has been disabled. Most servers do not need this and so this
|
||||
should be avoided unless required.
|
||||
|
||||
The "client CA list" functions below only have an effect when called on the
|
||||
server side.
|
||||
|
||||
SSL_CTX_set_client_CA_list() sets the B<list> of CAs sent to the client when
|
||||
requesting a client certificate for B<ctx>. Ownership of B<list> is transferred
|
||||
to B<ctx> and it should not be freed by the caller.
|
||||
|
||||
SSL_set_client_CA_list() sets the B<list> of CAs sent to the client when
|
||||
requesting a client certificate for the chosen B<ssl>, overriding the
|
||||
setting valid for B<ssl>'s SSL_CTX object. Ownership of B<list> is transferred
|
||||
to B<s> and it should not be freed by the caller.
|
||||
|
||||
SSL_CTX_get_client_CA_list() returns the list of client CAs explicitly set for
|
||||
B<ctx> using SSL_CTX_set_client_CA_list(). The returned list should not be freed
|
||||
by the caller.
|
||||
|
||||
SSL_get_client_CA_list() returns the list of client CAs explicitly
|
||||
set for B<ssl> using SSL_set_client_CA_list() or B<ssl>'s SSL_CTX object with
|
||||
SSL_CTX_set_client_CA_list(), when in server mode. In client mode,
|
||||
SSL_get_client_CA_list returns the list of client CAs sent from the server, if
|
||||
any. The returned list should not be freed by the caller.
|
||||
|
||||
SSL_CTX_add_client_CA() adds the CA name extracted from B<cacert> to the
|
||||
list of CAs sent to the client when requesting a client certificate for
|
||||
B<ctx>.
|
||||
|
||||
SSL_add_client_CA() adds the CA name extracted from B<cacert> to the
|
||||
list of CAs sent to the client when requesting a client certificate for
|
||||
the chosen B<ssl>, overriding the setting valid for B<ssl>'s SSL_CTX object.
|
||||
|
||||
SSL_get0_peer_CA_list() retrieves the list of CA names (if any) the peer
|
||||
has sent. This can be called on either the server or the client side. The
|
||||
returned list should not be freed by the caller.
|
||||
|
||||
The "generic CA list" functions below are very similar to the "client CA
|
||||
list" functions except that they have an effect on both the server and client
|
||||
sides. The lists of CA names managed are separate - so you cannot (for example)
|
||||
set CA names using the "client CA list" functions and then get them using the
|
||||
"generic CA list" functions. Where a mix of the two types of functions has been
|
||||
used on the server side then the "client CA list" functions take precedence.
|
||||
Typically, on the server side, the "client CA list " functions should be used in
|
||||
preference. As noted above in most cases it is not necessary to set CA names on
|
||||
the client side.
|
||||
|
||||
SSL_CTX_set0_CA_list() sets the list of CAs to be sent to the peer to
|
||||
B<name_list>. Ownership of B<name_list> is transferred to B<ctx> and
|
||||
it should not be freed by the caller.
|
||||
@ -30,10 +112,11 @@ overriding any list set in the parent B<SSL_CTX> of B<s>. Ownership of
|
||||
B<name_list> is transferred to B<s> and it should not be freed by the caller.
|
||||
|
||||
SSL_CTX_get0_CA_list() retrieves any previously set list of CAs set for
|
||||
B<ctx>.
|
||||
B<ctx>. The returned list should not be freed by the caller.
|
||||
|
||||
SSL_CTX_get0_CA_list() retrieves any previously set list of CAs set for
|
||||
B<s> or if none are set the list from the parent B<SSL_CTX> is retrieved.
|
||||
SSL_get0_CA_list() retrieves any previously set list of CAs set for
|
||||
B<s> or if none are set the list from the parent B<SSL_CTX> is retrieved. The
|
||||
returned list should not be freed by the caller.
|
||||
|
||||
SSL_CTX_add1_to_CA_list() appends the CA subject name extracted from B<x> to the
|
||||
list of CAs sent to peer for B<ctx>.
|
||||
@ -42,47 +125,60 @@ SSL_add1_to_CA_list() appends the CA subject name extracted from B<x> to the
|
||||
list of CAs sent to the peer for B<s>, overriding the setting in the parent
|
||||
B<SSL_CTX>.
|
||||
|
||||
SSL_get0_peer_CA_list() retrieves the list of CA names (if any) the peer
|
||||
has sent.
|
||||
|
||||
=head1 NOTES
|
||||
|
||||
These functions are generalised versions of the client authentication
|
||||
CA list functions such as L<SSL_CTX_set_client_CA_list(3)>.
|
||||
When a TLS/SSL server requests a client certificate (see
|
||||
B<SSL_CTX_set_verify(3)>), it sends a list of CAs, for which it will accept
|
||||
certificates, to the client.
|
||||
|
||||
For TLS versions before 1.3 the list of CA names is only sent from the server
|
||||
to client when requesting a client certificate. So any list of CA names set
|
||||
is never sent from client to server and the list of CA names retrieved by
|
||||
SSL_get0_peer_CA_list() is always B<NULL>.
|
||||
This list must explicitly be set using SSL_CTX_set_client_CA_list() or
|
||||
SSL_CTX_set0_CA_list() for B<ctx> and SSL_set_client_CA_list() or
|
||||
SSL_set0_CA_list() for the specific B<ssl>. The list specified
|
||||
overrides the previous setting. The CAs listed do not become trusted (B<list>
|
||||
only contains the names, not the complete certificates); use
|
||||
L<SSL_CTX_load_verify_locations(3)> to additionally load them for verification.
|
||||
|
||||
For TLS 1.3 the list of CA names is sent using the B<certificate_authorities>
|
||||
extension and will be sent by a client (in the ClientHello message) or by
|
||||
a server (when requesting a certificate).
|
||||
If the list of acceptable CAs is compiled in a file, the
|
||||
L<SSL_load_client_CA_file(3)> function can be used to help to import the
|
||||
necessary data.
|
||||
|
||||
SSL_CTX_add_client_CA(), SSL_CTX_add1_to_CA_list(), SSL_add_client_CA() and
|
||||
SSL_add1_to_CA_list() can be used to add additional items the list of CAs. If no
|
||||
list was specified before using SSL_CTX_set_client_CA_list(),
|
||||
SSL_CTX_set0_CA_list(), SSL_set_client_CA_list() or SSL_set0_CA_list(), a
|
||||
new CA list for B<ctx> or B<ssl> (as appropriate) is opened.
|
||||
|
||||
=head1 RETURN VALUES
|
||||
|
||||
SSL_CTX_set0_CA_list() and SSL_set0_CA_list() do not return a value.
|
||||
SSL_CTX_set_client_CA_list(), SSL_set_client_CA_list(),
|
||||
SSL_CTX_set_client_CA_list(), SSL_set_client_CA_list(), SSL_CTX_set0_CA_list()
|
||||
and SSL_set0_CA_list() do not return a value.
|
||||
|
||||
SSL_CTX_get0_CA_list() and SSL_get0_CA_list() return a stack of CA names
|
||||
or B<NULL> is no CA names are set.
|
||||
SSL_CTX_get_client_CA_list(), SSL_get_client_CA_list(), SSL_CTX_get0_CA_list()
|
||||
and SSL_get0_CA_list() return a stack of CA names or B<NULL> is no CA names are
|
||||
set.
|
||||
|
||||
SSL_CTX_add1_to_CA_list() and SSL_add1_to_CA_list() return 1 for success and 0
|
||||
for failure.
|
||||
SSL_CTX_add_client_CA(),SSL_add_client_CA(), SSL_CTX_add1_to_CA_list() and
|
||||
SSL_add1_to_CA_list() return 1 for success and 0 for failure.
|
||||
|
||||
SSL_get0_peer_CA_list() returns a stack of CA names sent by the peer or
|
||||
B<NULL> or an empty stack if no list was sent.
|
||||
|
||||
=head1 EXAMPLES
|
||||
|
||||
Scan all certificates in B<CAfile> and list them as acceptable CAs:
|
||||
|
||||
SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));
|
||||
|
||||
=head1 SEE ALSO
|
||||
|
||||
L<ssl(7)>,
|
||||
L<SSL_CTX_set_client_CA_list(3)>,
|
||||
L<SSL_get_client_CA_list(3)>,
|
||||
L<SSL_load_client_CA_file(3)>,
|
||||
L<SSL_CTX_load_verify_locations(3)>
|
||||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the OpenSSL license (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -32,6 +32,9 @@ SSL_set1_curves_list, SSL_get1_curves, SSL_get_shared_curve
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
For all of the functions below that set the supported groups there must be at
|
||||
least one group in the list.
|
||||
|
||||
SSL_CTX_set1_groups() sets the supported groups for B<ctx> to B<glistlen>
|
||||
groups in the array B<glist>. The array consist of all NIDs of groups in
|
||||
preference order. For a TLS client the groups are used directly in the
|
||||
@ -99,7 +102,7 @@ functions were first added to OpenSSL 1.1.1.
|
||||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2013-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the OpenSSL license (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user