SecBSD/src
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

sync code with last improvements from OpenBSD

Browse source
This commit is contained in:
purplerain 2023-08-17 07:36:55 +00:00
parent 454dab66ed
commit 27298272ec
Signed by: purplerain
GPG key ID: F42C07F07E2E35B7
237 changed files with 4666 additions and 2149 deletions
Download patch file Download diff file Expand all files Collapse all files

12
lib/libcrypto/asn1/a_string.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: a_string.c,v 1.14 2023/07/05 21:23:36 beck Exp $ */
/* $OpenBSD: a_string.c,v 1.17 2023/08/15 18:05:15 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -119,10 +119,12 @@ ASN1_STRING_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
return -1;
if ((cmp = (a->length - b->length)) != 0)
return cmp;
if ((cmp = memcmp(a->data, b->data, a->length)) != 0)
return cmp;
if (a->length != 0) {
if ((cmp = memcmp(a->data, b->data, a->length)) != 0)
return cmp;
}
return (a->type - b->type);
return a->type - b->type;
}
LCRYPTO_ALIAS(ASN1_STRING_cmp);
@ -184,7 +186,7 @@ ASN1_STRING_set(ASN1_STRING *astr, const void *_data, int len)
if ((astr->data = calloc(1, len + 1)) == NULL) {
ASN1error(ERR_R_MALLOC_FAILURE);
return (0);
return 0;
}
astr->length = len;

33
lib/libcrypto/crypto_internal.h
View file

@ -1,4 +1,4 @@
/* $OpenBSD: crypto_internal.h,v 1.6 2023/05/27 09:18:17 jsing Exp $ */
/* $OpenBSD: crypto_internal.h,v 1.7 2023/08/15 08:39:27 jsing Exp $ */
/*
* Copyright (c) 2023 Joel Sing <jsing@openbsd.org>
*
@ -87,6 +87,37 @@ crypto_store_htobe64(uint8_t *dst, uint64_t v)
}
#endif
/*
* crypto_load_le32toh() loads a 32 bit unsigned little endian value as a 32 bit
* unsigned host endian value, from the specified address in memory. The memory
* address may have any alignment.
*/
#ifndef HAVE_CRYPTO_LOAD_BE32TOH
static inline uint32_t
crypto_load_le32toh(const uint8_t *src)
{
uint32_t v;
memcpy(&v, src, sizeof(v));
return le32toh(v);
}
#endif
/*
* crypto_store_htole32() stores a 32 bit unsigned host endian value as a 32 bit
* unsigned little endian value, at the specified address in memory. The memory
* address may have any alignment.
*/
#ifndef HAVE_CRYPTO_STORE_HTOBE32
static inline void
crypto_store_htole32(uint8_t *dst, uint32_t v)
{
v = htole32(v);
memcpy(dst, &v, sizeof(v));
}
#endif
#ifndef HAVE_CRYPTO_ROL_U32
static inline uint32_t
crypto_rol_u32(uint32_t v, size_t shift)

234
lib/libcrypto/dh/dh_ameth.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: dh_ameth.c,v 1.33 2023/08/10 16:57:15 tb Exp $ */
/* $OpenBSD: dh_ameth.c,v 1.39 2023/08/12 07:59:48 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2006.
*/
@ -70,7 +70,7 @@
#include "evp_local.h"
static void
int_dh_free(EVP_PKEY *pkey)
dh_free(EVP_PKEY *pkey)
{
DH_free(pkey->pkey.dh);
}
@ -78,83 +78,86 @@ int_dh_free(EVP_PKEY *pkey)
static int
dh_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
{
const unsigned char *p, *pm;
int pklen, pmlen;
X509_ALGOR *algor;
int ptype;
const void *pval;
const ASN1_STRING *pstr;
X509_ALGOR *palg;
ASN1_INTEGER *public_key = NULL;
const ASN1_STRING *astr;
const unsigned char *key, *params, *p;
int key_len, params_len;
ASN1_INTEGER *aint = NULL;
DH *dh = NULL;
int ret = 0;
if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &palg, pubkey))
return 0;
X509_ALGOR_get0(NULL, &ptype, &pval, palg);
if (!X509_PUBKEY_get0_param(NULL, &key, &key_len, &algor, pubkey))
goto err;
X509_ALGOR_get0(NULL, &ptype, &pval, algor);
if (ptype != V_ASN1_SEQUENCE) {
DHerror(DH_R_PARAMETER_ENCODING_ERROR);
goto err;
}
pstr = pval;
pm = pstr->data;
pmlen = pstr->length;
astr = pval;
params = astr->data;
params_len = astr->length;
if (!(dh = d2i_DHparams(NULL, &pm, pmlen))) {
p = params;
if ((dh = d2i_DHparams(NULL, &p, params_len)) == NULL) {
DHerror(DH_R_DECODE_ERROR);
goto err;
}
if (!(public_key=d2i_ASN1_INTEGER(NULL, &p, pklen))) {
p = key;
if ((aint = d2i_ASN1_INTEGER(NULL, &p, key_len)) == NULL) {
DHerror(DH_R_DECODE_ERROR);
goto err;
}
/* We have parameters now set public key */
if (!(dh->pub_key = ASN1_INTEGER_to_BN(public_key, NULL))) {
BN_free(dh->pub_key);
if ((dh->pub_key = ASN1_INTEGER_to_BN(aint, NULL)) == NULL) {
DHerror(DH_R_BN_DECODE_ERROR);
goto err;
}
ASN1_INTEGER_free(public_key);
EVP_PKEY_assign_DH(pkey, dh);
return 1;
if (!EVP_PKEY_assign_DH(pkey, dh))
goto err;
dh = NULL;
err:
if (public_key)
ASN1_INTEGER_free(public_key);
ret = 1;
err:
ASN1_INTEGER_free(aint);
DH_free(dh);
return 0;
return ret;
}
static int
dh_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
{
const DH *dh = pkey->pkey.dh;
ASN1_STRING *params = NULL;
ASN1_STRING *astr = NULL;
int ptype = V_ASN1_SEQUENCE;
ASN1_INTEGER *key = NULL;
ASN1_INTEGER *aint = NULL;
ASN1_OBJECT *aobj;
unsigned char *params_der = NULL, *key_der = NULL;
unsigned char *params = NULL, *key = NULL;
int params_len = 0, key_len = 0;
int ret = 0;
if ((params_len = i2d_DHparams(dh, &params_der)) <= 0) {
if ((params_len = i2d_DHparams(dh, &params)) <= 0) {
DHerror(ERR_R_MALLOC_FAILURE);
params_len = 0;
goto err;
}
if ((params = ASN1_STRING_new()) == NULL) {
if ((astr = ASN1_STRING_new()) == NULL) {
DHerror(ERR_R_MALLOC_FAILURE);
goto err;
}
ASN1_STRING_set0(params, params_der, params_len);
params_der = NULL;
ASN1_STRING_set0(astr, params, params_len);
params = NULL;
params_len = 0;
if ((key = BN_to_ASN1_INTEGER(dh->pub_key, NULL)) == NULL)
if ((aint = BN_to_ASN1_INTEGER(dh->pub_key, NULL)) == NULL)
goto err;
if ((key_len = i2d_ASN1_INTEGER(key, &key_der)) <= 0) {
if ((key_len = i2d_ASN1_INTEGER(aint, &key)) <= 0) {
DHerror(ERR_R_MALLOC_FAILURE);
key_len = 0;
goto err;
@ -162,19 +165,19 @@ dh_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
if ((aobj = OBJ_nid2obj(EVP_PKEY_DH)) == NULL)
goto err;
if (!X509_PUBKEY_set0_param(pk, aobj, ptype, params, key_der, key_len))
if (!X509_PUBKEY_set0_param(pk, aobj, ptype, astr, key, key_len))
goto err;
params = NULL;
key_der = NULL;
astr = NULL;
key = NULL;
key_len = 0;
ret = 1;
err:
ASN1_STRING_free(params);
ASN1_INTEGER_free(key);
freezero(params_der, params_len);
freezero(key_der, key_len);
ASN1_STRING_free(astr);
ASN1_INTEGER_free(aint);
freezero(params, params_len);
freezero(key, key_len);
return ret;
}
@ -188,84 +191,90 @@ dh_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
static int
dh_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
{
const unsigned char *p, *pm;
int pklen, pmlen;
const X509_ALGOR *algor;
int ptype;
const void *pval;
const ASN1_STRING *pstr;
const X509_ALGOR *palg;
ASN1_INTEGER *privkey = NULL;
const ASN1_STRING *astr;
const unsigned char *key, *params, *p;
int key_len, params_len;
ASN1_INTEGER *aint = NULL;
DH *dh = NULL;
int ret = 0;
if (!PKCS8_pkey_get0(NULL, &p, &pklen, &palg, p8))
return 0;
if (!PKCS8_pkey_get0(NULL, &key, &key_len, &algor, p8))
goto err;
X509_ALGOR_get0(NULL, &ptype, &pval, algor);
X509_ALGOR_get0(NULL, &ptype, &pval, palg);
if (ptype != V_ASN1_SEQUENCE)
goto decerr;
if (!(privkey=d2i_ASN1_INTEGER(NULL, &p, pklen)))
goto decerr;
pstr = pval;
pm = pstr->data;
pmlen = pstr->length;
if (!(dh = d2i_DHparams(NULL, &pm, pmlen)))
goto decerr;
/* We have parameters now set private key */
if (!(dh->priv_key = ASN1_INTEGER_to_BN(privkey, NULL))) {
DHerror(DH_R_BN_ERROR);
goto dherr;
if (ptype != V_ASN1_SEQUENCE) {
DHerror(DH_R_PARAMETER_ENCODING_ERROR);
goto err;
}
astr = pval;
params = astr->data;
params_len = astr->length;
p = params;
if ((dh = d2i_DHparams(NULL, &p, params_len)) == NULL) {
DHerror(DH_R_DECODE_ERROR);
goto err;
}
p = key;
if ((aint = d2i_ASN1_INTEGER(NULL, &p, key_len)) == NULL) {
DHerror(DH_R_DECODE_ERROR);
goto err;
}
BN_free(dh->priv_key);
if ((dh->priv_key = ASN1_INTEGER_to_BN(aint, NULL)) == NULL) {
DHerror(DH_R_BN_DECODE_ERROR);
goto err;
}
/* Calculate public key */
if (!DH_generate_key(dh))
goto dherr;
goto err;
EVP_PKEY_assign_DH(pkey, dh);
if (!EVP_PKEY_assign_DH(pkey, dh))
goto err;
dh = NULL;
ASN1_INTEGER_free(privkey);
ret = 1;
return 1;
decerr:
DHerror(EVP_R_DECODE_ERROR);
dherr:
ASN1_INTEGER_free(privkey);
err:
ASN1_INTEGER_free(aint);
DH_free(dh);
return 0;
return ret;
}
static int
dh_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
{
const DH *dh = pkey->pkey.dh;
ASN1_STRING *params = NULL;
ASN1_STRING *astr = NULL;
int ptype = V_ASN1_SEQUENCE;
ASN1_INTEGER *key = NULL;
ASN1_INTEGER *aint = NULL;
ASN1_OBJECT *aobj;
unsigned char *params_der = NULL, *key_der = NULL;
unsigned char *params = NULL, *key = NULL;
int params_len = 0, key_len = 0;
int ret = 0;
if ((params_len = i2d_DHparams(dh, &params_der)) <= 0) {
if ((params_len = i2d_DHparams(dh, &params)) <= 0) {
DHerror(ERR_R_MALLOC_FAILURE);
params_len = 0;
goto err;
}
if ((params = ASN1_STRING_type_new(V_ASN1_SEQUENCE)) == NULL) {
if ((astr = ASN1_STRING_type_new(V_ASN1_SEQUENCE)) == NULL) {
DHerror(ERR_R_MALLOC_FAILURE);
goto err;
}
ASN1_STRING_set0(params, params_der, params_len);
params_der = NULL;
ASN1_STRING_set0(astr, params, params_len);
params = NULL;
params_len = 0;
if ((key = BN_to_ASN1_INTEGER(dh->priv_key, NULL)) == NULL) {
if ((aint = BN_to_ASN1_INTEGER(dh->priv_key, NULL)) == NULL) {
DHerror(DH_R_BN_ERROR);
goto err;
}
if ((key_len = i2d_ASN1_INTEGER(key, &key_der)) <= 0) {
if ((key_len = i2d_ASN1_INTEGER(aint, &key)) <= 0) {
DHerror(ERR_R_MALLOC_FAILURE);
key_len = 0;
goto err;
@ -273,40 +282,49 @@ dh_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
if ((aobj = OBJ_nid2obj(NID_dhKeyAgreement)) == NULL)
goto err;
if (!PKCS8_pkey_set0(p8, aobj, 0, ptype, params, key_der, key_len))
if (!PKCS8_pkey_set0(p8, aobj, 0, ptype, astr, key, key_len))
goto err;
params = NULL;
key_der = NULL;
astr = NULL;
key = NULL;
key_len = 0;
ret = 1;
err:
ASN1_STRING_free(params);
ASN1_INTEGER_free(key);
freezero(params_der, params_len);
freezero(key_der, key_len);
ASN1_STRING_free(astr);
ASN1_INTEGER_free(aint);
freezero(params, params_len);
freezero(key, key_len);
return ret;
}
static int
dh_param_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen)
dh_param_decode(EVP_PKEY *pkey, const unsigned char **params, int params_len)
{
DH *dh;
DH *dh = NULL;
int ret = 0;
if (!(dh = d2i_DHparams(NULL, pder, derlen))) {
if ((dh = d2i_DHparams(NULL, params, params_len)) == NULL) {
DHerror(ERR_R_DH_LIB);
return 0;
goto err;
}
EVP_PKEY_assign_DH(pkey, dh);
return 1;
if (!EVP_PKEY_assign_DH(pkey, dh))
goto err;
dh = NULL;
ret = 1;
err:
DH_free(dh);
return ret;
}
static int
dh_param_encode(const EVP_PKEY *pkey, unsigned char **pder)
dh_param_encode(const EVP_PKEY *pkey, unsigned char **params)
{
return i2d_DHparams(pkey->pkey.dh, pder);
return i2d_DHparams(pkey->pkey.dh, params);
}
static int
@ -370,7 +388,7 @@ do_dh_print(BIO *bp, const DH *x, int indent, ASN1_PCTX *ctx, int ptype)
}
static int
int_dh_size(const EVP_PKEY *pkey)
dh_size(const EVP_PKEY *pkey)
{
return DH_size(pkey->pkey.dh);
}
@ -416,11 +434,11 @@ dh_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from)
}
static int
dh_missing_parameters(const EVP_PKEY *a)
dh_missing_parameters(const EVP_PKEY *pkey)
{
if (!a->pkey.dh->p || !a->pkey.dh->g)
return 1;
return 0;
const DH *dh = pkey->pkey.dh;
return dh->p == NULL || dh->g == NULL;
}
static int
@ -520,7 +538,7 @@ const EVP_PKEY_ASN1_METHOD dh_asn1_meth = {
.priv_encode = dh_priv_encode,
.priv_print = dh_private_print,
.pkey_size = int_dh_size,
.pkey_size = dh_size,
.pkey_bits = dh_bits,
.pkey_security_bits = dh_security_bits,
@ -531,7 +549,7 @@ const EVP_PKEY_ASN1_METHOD dh_asn1_meth = {
.param_cmp = dh_cmp_parameters,
.param_print = dh_param_print,
.pkey_free = int_dh_free,
.pkey_free = dh_free,
.pkey_check = NULL,
.pkey_public_check = dh_pkey_public_check,

95
lib/libcrypto/dh/dh_lib.c
View file

@ -1,25 +1,25 @@
/* $OpenBSD: dh_lib.c,v 1.39 2023/07/08 15:29:03 beck Exp $ */
/* $OpenBSD: dh_lib.c,v 1.41 2023/08/13 12:09:14 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@ -34,10 +34,10 @@
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@ -49,7 +49,7 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
@ -96,19 +96,19 @@ DH_set_method(DH *dh, const DH_METHOD *meth)
* NB: The caller is specifically setting a method, so it's not up to us
* to deal with which ENGINE it comes from.
*/
const DH_METHOD *mtmp;
const DH_METHOD *mtmp;
mtmp = dh->meth;
if (mtmp->finish)
mtmp = dh->meth;
if (mtmp->finish)
mtmp->finish(dh);
#ifndef OPENSSL_NO_ENGINE
ENGINE_finish(dh->engine);
dh->engine = NULL;
#endif
dh->meth = meth;
if (meth->init)
dh->meth = meth;
if (meth->init)
meth->init(dh);
return 1;
return 1;
}
LCRYPTO_ALIAS(DH_set_method);
@ -122,61 +122,46 @@ LCRYPTO_ALIAS(DH_new);
DH *
DH_new_method(ENGINE *engine)
{
DH *ret;
DH *dh;
ret = malloc(sizeof(DH));
if (ret == NULL) {
if ((dh = calloc(1, sizeof(*dh))) == NULL) {
DHerror(ERR_R_MALLOC_FAILURE);
return NULL;
goto err;
}
ret->meth = DH_get_default_method();
dh->meth = DH_get_default_method();
dh->flags = dh->meth->flags & ~DH_FLAG_NON_FIPS_ALLOW;
dh->references = 1;
#ifndef OPENSSL_NO_ENGINE
if (engine) {
if (engine != NULL) {
if (!ENGINE_init(engine)) {
DHerror(ERR_R_ENGINE_LIB);
free(ret);
return NULL;
goto err;
}
ret->engine = engine;
dh->engine = engine;
} else
ret->engine = ENGINE_get_default_DH();
if(ret->engine) {
ret->meth = ENGINE_get_DH(ret->engine);
if (ret->meth == NULL) {
dh->engine = ENGINE_get_default_DH();
if (dh->engine != NULL) {
if ((dh->meth = ENGINE_get_DH(dh->engine)) == NULL) {
DHerror(ERR_R_ENGINE_LIB);
ENGINE_finish(ret->engine);
free(ret);
return NULL;
goto err;
}
dh->flags = dh->meth->flags & ~DH_FLAG_NON_FIPS_ALLOW;
}
#endif
ret->pad = 0;
ret->version = 0;
ret->p = NULL;
ret->g = NULL;
ret->length = 0;
ret->pub_key = NULL;
ret->priv_key = NULL;
ret->q = NULL;
ret->j = NULL;
ret->seed = NULL;
ret->seedlen = 0;
ret->counter = NULL;
ret->method_mont_p=NULL;
ret->references = 1;
ret->flags = ret->meth->flags & ~DH_FLAG_NON_FIPS_ALLOW;
CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DH, ret, &ret->ex_data);
if (ret->meth->init != NULL && !ret->meth->init(ret)) {
#ifndef OPENSSL_NO_ENGINE
ENGINE_finish(ret->engine);
#endif
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DH, ret, &ret->ex_data);
free(ret);
ret = NULL;
}
return ret;
if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DH, dh, &dh->ex_data))
goto err;
if (dh->meth->init != NULL && !dh->meth->init(dh))
goto err;
return dh;
err:
DH_free(dh);
return NULL;
}
LCRYPTO_ALIAS(DH_new_method);
@ -191,7 +176,7 @@ DH_free(DH *r)
if (i > 0)
return;
if (r->meth->finish)
if (r->meth != NULL && r->meth->finish != NULL)
r->meth->finish(r);
#ifndef OPENSSL_NO_ENGINE
ENGINE_finish(r->engine);

266
lib/libcrypto/dsa/dsa_ameth.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: dsa_ameth.c,v 1.46 2023/08/10 16:57:15 tb Exp $ */
/* $OpenBSD: dsa_ameth.c,v 1.55 2023/08/12 07:59:48 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2006.
*/
@ -75,31 +75,32 @@
static int
dsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
{
const unsigned char *p, *pm;
int pklen, pmlen;
X509_ALGOR *algor;
int ptype;
const void *pval;
const ASN1_STRING *pstr;
X509_ALGOR *palg;
ASN1_INTEGER *public_key = NULL;
const ASN1_STRING *astr;
const unsigned char *key, *params, *p;
int key_len, params_len;
ASN1_INTEGER *aint = NULL;
DSA *dsa = NULL;
int ret = 0;
if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &palg, pubkey))
return 0;
X509_ALGOR_get0(NULL, &ptype, &pval, palg);
if (!X509_PUBKEY_get0_param(NULL, &key, &key_len, &algor, pubkey))
goto err;
X509_ALGOR_get0(NULL, &ptype, &pval, algor);
if (ptype == V_ASN1_SEQUENCE) {
pstr = pval;
pm = pstr->data;
pmlen = pstr->length;
astr = pval;
params = astr->data;
params_len = astr->length;
if (!(dsa = d2i_DSAparams(NULL, &pm, pmlen))) {
p = params;
if ((dsa = d2i_DSAparams(NULL, &p, params_len)) == NULL) {
DSAerror(DSA_R_DECODE_ERROR);
goto err;
}
} else if (ptype == V_ASN1_NULL || ptype == V_ASN1_UNDEF) {
if (!(dsa = DSA_new())) {
if ((dsa = DSA_new()) == NULL) {
DSAerror(ERR_R_MALLOC_FAILURE);
goto err;
}
@ -108,12 +109,13 @@ dsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
goto err;
}
if (!(public_key = d2i_ASN1_INTEGER(NULL, &p, pklen))) {
p = key;
if ((aint = d2i_ASN1_INTEGER(NULL, &p, key_len)) == NULL) {
DSAerror(DSA_R_DECODE_ERROR);
goto err;
}
if (!(dsa->pub_key = ASN1_INTEGER_to_BN(public_key, NULL))) {
BN_free(dsa->pub_key);
if ((dsa->pub_key = ASN1_INTEGER_to_BN(aint, NULL)) == NULL) {
DSAerror(DSA_R_BN_DECODE_ERROR);
goto err;
}
@ -124,50 +126,52 @@ dsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
goto err;
}
ASN1_INTEGER_free(public_key);
EVP_PKEY_assign_DSA(pkey, dsa);
return 1;
if (!EVP_PKEY_assign_DSA(pkey, dsa))
goto err;
dsa = NULL;
err:
if (public_key)
ASN1_INTEGER_free(public_key);
ret = 1;
err:
ASN1_INTEGER_free(aint);
DSA_free(dsa);
return 0;
return ret;
}
static int
dsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
{
const DSA *dsa = pkey->pkey.dsa;
ASN1_STRING *params = NULL;
ASN1_STRING *astr = NULL;
int ptype = V_ASN1_UNDEF;
ASN1_INTEGER *key = NULL;
ASN1_INTEGER *aint = NULL;
ASN1_OBJECT *aobj;
unsigned char *params_der = NULL, *key_der = NULL;
unsigned char *params = NULL, *key = NULL;
int params_len = 0, key_len = 0;
int ret = 0;
if (pkey->save_parameters && dsa->p && dsa->q && dsa->g) {
if ((params_len = i2d_DSAparams(dsa, &params_der)) <= 0) {
if (pkey->save_parameters > 0 && !EVP_PKEY_missing_parameters(pkey)) {
if ((params_len = i2d_DSAparams(dsa, &params)) <= 0) {
DSAerror(ERR_R_MALLOC_FAILURE);
params_len = 0;
goto err;
}
if ((params = ASN1_STRING_new()) == NULL) {
if ((astr = ASN1_STRING_new()) == NULL) {
DSAerror(ERR_R_MALLOC_FAILURE);
goto err;
}
ASN1_STRING_set0(params, params_der, params_len);
params_der = NULL;
ASN1_STRING_set0(astr, params, params_len);
params = NULL;
params_len = 0;
ptype = V_ASN1_SEQUENCE;
}
if ((key = BN_to_ASN1_INTEGER(dsa->pub_key, NULL)) == NULL) {
if ((aint = BN_to_ASN1_INTEGER(dsa->pub_key, NULL)) == NULL) {
DSAerror(ERR_R_MALLOC_FAILURE);
goto err;
}
if ((key_len = i2d_ASN1_INTEGER(key, &key_der)) <= 0) {
if ((key_len = i2d_ASN1_INTEGER(aint, &key)) <= 0) {
DSAerror(ERR_R_MALLOC_FAILURE);
key_len = 0;
goto err;
@ -175,98 +179,104 @@ dsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
if ((aobj = OBJ_nid2obj(EVP_PKEY_DSA)) == NULL)
goto err;
if (!X509_PUBKEY_set0_param(pk, aobj, ptype, params, key_der, key_len))
if (!X509_PUBKEY_set0_param(pk, aobj, ptype, astr, key, key_len))
goto err;
params = NULL;
key_der = NULL;
astr = NULL;
key = NULL;
key_len = 0;
ret = 1;
err:
ASN1_STRING_free(params);
ASN1_INTEGER_free(key);
freezero(params_der, params_len);
freezero(key_der, key_len);
ASN1_STRING_free(astr);
ASN1_INTEGER_free(aint);
freezero(params, params_len);
freezero(key, key_len);
return ret;
}
/* In PKCS#8 DSA: you just get a private key integer and parameters in the
/*
* In PKCS#8 DSA: you just get a private key integer and parameters in the
* AlgorithmIdentifier the pubkey must be recalculated.
*/
static int
dsa_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
{
const unsigned char *p, *pm;
int pklen, pmlen;
const X509_ALGOR *algor;
int ptype;
const void *pval;
const ASN1_STRING *pstr;
const X509_ALGOR *palg;
ASN1_INTEGER *privkey = NULL;
const ASN1_STRING *astr;
const unsigned char *key, *params, *p;
int key_len, params_len;
ASN1_INTEGER *aint = NULL;
BN_CTX *ctx = NULL;
DSA *dsa = NULL;
int ret = 0;
if (!PKCS8_pkey_get0(NULL, &p, &pklen, &palg, p8))
return 0;
X509_ALGOR_get0(NULL, &ptype, &pval, palg);
if (ptype != V_ASN1_SEQUENCE)
goto decerr;
if (!PKCS8_pkey_get0(NULL, &key, &key_len, &algor, p8))
goto err;
X509_ALGOR_get0(NULL, &ptype, &pval, algor);
if ((privkey = d2i_ASN1_INTEGER(NULL, &p, pklen)) == NULL)
goto decerr;
if (privkey->type == V_ASN1_NEG_INTEGER)
goto decerr;
if (ptype != V_ASN1_SEQUENCE) {
DSAerror(DSA_R_PARAMETER_ENCODING_ERROR);
goto err;
}
pstr = pval;
pm = pstr->data;
pmlen = pstr->length;
if (!(dsa = d2i_DSAparams(NULL, &pm, pmlen)))
goto decerr;
/* We have parameters now set private key */
if (!(dsa->priv_key = ASN1_INTEGER_to_BN(privkey, NULL))) {
DSAerror(DSA_R_BN_ERROR);
goto dsaerr;
astr = pval;
params = astr->data;
params_len = astr->length;
p = params;
if ((dsa = d2i_DSAparams(NULL, &p, params_len)) == NULL) {
DSAerror(DSA_R_DECODE_ERROR);
goto err;
}
p = key;
if ((aint = d2i_ASN1_INTEGER(NULL, &p, key_len)) == NULL) {
DSAerror(DSA_R_DECODE_ERROR);
goto err;
}
BN_free(dsa->priv_key);
if ((dsa->priv_key = ASN1_INTEGER_to_BN(aint, NULL)) == NULL) {
DSAerror(DSA_R_BN_DECODE_ERROR);
goto err;
}
/* Check the key for basic consistency before doing expensive things. */
if (!dsa_check_key(dsa))
goto dsaerr;
goto err;
/* Calculate public key */
if (!(dsa->pub_key = BN_new())) {
BN_free(dsa->pub_key);
if ((dsa->pub_key = BN_new()) == NULL) {
DSAerror(ERR_R_MALLOC_FAILURE);
goto dsaerr;
goto err;
}
if ((ctx = BN_CTX_new()) == NULL) {
DSAerror(ERR_R_MALLOC_FAILURE);
goto dsaerr;
goto err;
}
BN_CTX_start(ctx);
if (!BN_mod_exp_ct(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx)) {
DSAerror(DSA_R_BN_ERROR);
goto dsaerr;
goto err;
}
if (!EVP_PKEY_assign_DSA(pkey, dsa))
goto decerr;
goto err;
dsa = NULL;
ret = 1;
goto done;
decerr:
DSAerror(DSA_R_DECODE_ERROR);
dsaerr:
err:
DSA_free(dsa);
done:
BN_CTX_end(ctx);
BN_CTX_free(ctx);
ASN1_INTEGER_free(privkey);
ASN1_INTEGER_free(aint);
return ret;
}
@ -275,32 +285,32 @@ static int
dsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
{
const DSA *dsa = pkey->pkey.dsa;
ASN1_STRING *params = NULL;
ASN1_STRING *astr = NULL;
int ptype = V_ASN1_SEQUENCE;
ASN1_INTEGER *key = NULL;
ASN1_INTEGER *aint = NULL;
ASN1_OBJECT *aobj;
unsigned char *params_der = NULL, *key_der = NULL;
unsigned char *params = NULL, *key = NULL;
int params_len = 0, key_len = 0;
int ret = 0;
if ((params_len = i2d_DSAparams(dsa, &params_der)) <= 0) {
if ((params_len = i2d_DSAparams(dsa, &params)) <= 0) {
DSAerror(ERR_R_MALLOC_FAILURE);
params_len = 0;
goto err;
}
if ((params = ASN1_STRING_type_new(V_ASN1_SEQUENCE)) == NULL) {
if ((astr = ASN1_STRING_type_new(V_ASN1_SEQUENCE)) == NULL) {
DSAerror(ERR_R_MALLOC_FAILURE);
goto err;
}
ASN1_STRING_set0(params, params_der, params_len);
params_der = NULL;
ASN1_STRING_set0(astr, params, params_len);
params = NULL;
params_len = 0;
if ((key = BN_to_ASN1_INTEGER(dsa->priv_key, NULL)) == NULL) {
if ((aint = BN_to_ASN1_INTEGER(dsa->priv_key, NULL)) == NULL) {
DSAerror(DSA_R_BN_ERROR);
goto err;
}
if ((key_len = i2d_ASN1_INTEGER(key, &key_der)) <= 0) {
if ((key_len = i2d_ASN1_INTEGER(aint, &key)) <= 0) {
DSAerror(ERR_R_MALLOC_FAILURE);
key_len = 0;
goto err;
@ -308,25 +318,25 @@ dsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
if ((aobj = OBJ_nid2obj(NID_dsa)) == NULL)
goto err;
if (!PKCS8_pkey_set0(p8, aobj, 0, ptype, params, key_der, key_len))
if (!PKCS8_pkey_set0(p8, aobj, 0, ptype, astr, key, key_len))
goto err;
params = NULL;
key_der = NULL;
astr = NULL;
key = NULL;
key_len = 0;
ret = 1;
err:
ASN1_STRING_free(params);
ASN1_INTEGER_free(key);
freezero(params_der, params_len);
freezero(key_der, key_len);
ASN1_STRING_free(astr);
ASN1_INTEGER_free(aint);
freezero(params, params_len);
freezero(key, key_len);
return ret;
}
static int
int_dsa_size(const EVP_PKEY *pkey)
dsa_size(const EVP_PKEY *pkey)
{
return DSA_size(pkey->pkey.dsa);
}
@ -346,12 +356,9 @@ dsa_security_bits(const EVP_PKEY *pkey)
static int
dsa_missing_parameters(const EVP_PKEY *pkey)
{
DSA *dsa;
const DSA *dsa = pkey->pkey.dsa;
dsa = pkey->pkey.dsa;
if (dsa->p == NULL || dsa->q == NULL || dsa->g == NULL)
return 1;
return 0;
return dsa->p == NULL || dsa->q == NULL || dsa->g == NULL;
}
static int
@ -397,7 +404,7 @@ dsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
}
static void
int_dsa_free(EVP_PKEY *pkey)
dsa_free(EVP_PKEY *pkey)
{
DSA_free(pkey->pkey.dsa);
}
@ -452,26 +459,33 @@ do_dsa_print(BIO *bp, const DSA *x, int off, int ptype)
}
static int
dsa_param_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen)
dsa_param_decode(EVP_PKEY *pkey, const unsigned char **params, int params_len)
{
DSA *dsa;
DSA *dsa = NULL;
int ret = 0;
if (!(dsa = d2i_DSAparams(NULL, pder, derlen))) {
if ((dsa = d2i_DSAparams(NULL, params, params_len)) == NULL) {
DSAerror(ERR_R_DSA_LIB);
return 0;
goto err;
}
if (!dsa_check_key(dsa)) {
DSA_free(dsa);
return 0;
}
EVP_PKEY_assign_DSA(pkey, dsa);
return 1;
if (!dsa_check_key(dsa))
goto err;
if (!EVP_PKEY_assign_DSA(pkey, dsa))
goto err;
dsa = NULL;
ret = 1;
err:
DSA_free(dsa);
return ret;
}
static int
dsa_param_encode(const EVP_PKEY *pkey, unsigned char **pder)
dsa_param_encode(const EVP_PKEY *pkey, unsigned char **params)
{
return i2d_DSAparams(pkey->pkey.dsa, pder);
return i2d_DSAparams(pkey->pkey.dsa, params);
}
static int
@ -493,13 +507,14 @@ dsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx)
}
static int
old_dsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen)
old_dsa_priv_decode(EVP_PKEY *pkey, const unsigned char **key, int key_len)
{
DSA *dsa;
DSA *dsa = NULL;
BN_CTX *ctx = NULL;
BIGNUM *result;
int ret = 0;
if ((dsa = d2i_DSAPrivateKey(NULL, pder, derlen)) == NULL) {
if ((dsa = d2i_DSAPrivateKey(NULL, key, key_len)) == NULL) {
DSAerror(ERR_R_DSA_LIB);
goto err;
}
@ -551,23 +566,24 @@ old_dsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen)
goto err;
}
BN_CTX_end(ctx);
BN_CTX_free(ctx);
if (!EVP_PKEY_assign_DSA(pkey, dsa))
goto err;
dsa = NULL;
EVP_PKEY_assign_DSA(pkey, dsa);
return 1;
ret = 1;
err:
BN_CTX_end(ctx);
BN_CTX_free(ctx);
DSA_free(dsa);
return 0;
return ret;
}
static int
old_dsa_priv_encode(const EVP_PKEY *pkey, unsigned char **pder)
old_dsa_priv_encode(const EVP_PKEY *pkey, unsigned char **key)
{
return i2d_DSAPrivateKey(pkey->pkey.dsa, pder);
return i2d_DSAPrivateKey(pkey->pkey.dsa, key);
}
static int
@ -701,7 +717,7 @@ const EVP_PKEY_ASN1_METHOD dsa_asn1_meths[] = {
.priv_encode = dsa_priv_encode,
.priv_print = dsa_priv_print,
.pkey_size = int_dsa_size,
.pkey_size = dsa_size,
.pkey_bits = dsa_bits,
.pkey_security_bits = dsa_security_bits,
@ -713,7 +729,7 @@ const EVP_PKEY_ASN1_METHOD dsa_asn1_meths[] = {
.param_print = dsa_param_print,
.sig_print = dsa_sig_print,
.pkey_free = int_dsa_free,
.pkey_free = dsa_free,
.pkey_ctrl = dsa_pkey_ctrl,
.old_priv_decode = old_dsa_priv_decode,
.old_priv_encode = old_dsa_priv_encode

65
lib/libcrypto/dsa/dsa_lib.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: dsa_lib.c,v 1.43 2023/07/08 14:28:15 beck Exp $ */
/* $OpenBSD: dsa_lib.c,v 1.44 2023/08/12 06:14:36 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -127,61 +127,46 @@ LCRYPTO_ALIAS(DSA_set_method);
DSA *
DSA_new_method(ENGINE *engine)
{
DSA *ret;
DSA *dsa;
ret = malloc(sizeof(DSA));
if (ret == NULL) {
if ((dsa = calloc(1, sizeof(DSA))) == NULL) {
DSAerror(ERR_R_MALLOC_FAILURE);
return NULL;
goto err;
}
ret->meth = DSA_get_default_method();
dsa->meth = DSA_get_default_method();
dsa->flags = dsa->meth->flags & ~DSA_FLAG_NON_FIPS_ALLOW;
dsa->references = 1;
#ifndef OPENSSL_NO_ENGINE
if (engine) {
if (!ENGINE_init(engine)) {
DSAerror(ERR_R_ENGINE_LIB);
free(ret);
return NULL;
goto err;
}
ret->engine = engine;
dsa->engine = engine;
} else
ret->engine = ENGINE_get_default_DSA();
if (ret->engine) {
ret->meth = ENGINE_get_DSA(ret->engine);
if (ret->meth == NULL) {
dsa->engine = ENGINE_get_default_DSA();
if (dsa->engine != NULL) {
if ((dsa->meth = ENGINE_get_DSA(dsa->engine)) == NULL) {
DSAerror(ERR_R_ENGINE_LIB);
ENGINE_finish(ret->engine);
free(ret);
return NULL;
goto err;
}
dsa->flags = dsa->meth->flags & ~DSA_FLAG_NON_FIPS_ALLOW;
}
#endif
ret->pad = 0;
ret->version = 0;
ret->p = NULL;
ret->q = NULL;
ret->g = NULL;
if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DSA, dsa, &dsa->ex_data))
goto err;
if (dsa->meth->init != NULL && !dsa->meth->init(dsa))
goto err;
ret->pub_key = NULL;
ret->priv_key = NULL;
return dsa;
ret->kinv = NULL;
ret->r = NULL;
ret->method_mont_p = NULL;
err:
DSA_free(dsa);
ret->references = 1;
ret->flags = ret->meth->flags & ~DSA_FLAG_NON_FIPS_ALLOW;
CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DSA, ret, &ret->ex_data);
if (ret->meth->init != NULL && !ret->meth->init(ret)) {
#ifndef OPENSSL_NO_ENGINE
ENGINE_finish(ret->engine);
#endif
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DSA, ret, &ret->ex_data);
free(ret);
ret = NULL;
}
return ret;
return NULL;
}
LCRYPTO_ALIAS(DSA_new_method);
@ -197,7 +182,7 @@ DSA_free(DSA *r)
if (i > 0)
return;
if (r->meth->finish)
if (r->meth != NULL && r->meth->finish != NULL)
r->meth->finish(r);
#ifndef OPENSSL_NO_ENGINE
ENGINE_finish(r->engine);

10
lib/libcrypto/ec/ec_ameth.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: ec_ameth.c,v 1.41 2023/07/07 06:59:18 tb Exp $ */
/* $OpenBSD: ec_ameth.c,v 1.42 2023/08/12 08:07:35 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2006.
*/
@ -359,7 +359,7 @@ eckey_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
}
static int
int_ec_size(const EVP_PKEY *pkey)
ec_size(const EVP_PKEY *pkey)
{
return ECDSA_size(pkey->pkey.ec);
}
@ -419,7 +419,7 @@ ec_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b)
}
static void
int_ec_free(EVP_PKEY *pkey)
ec_free(EVP_PKEY *pkey)
{
EC_KEY_free(pkey->pkey.ec);
}
@ -994,7 +994,7 @@ const EVP_PKEY_ASN1_METHOD eckey_asn1_meth = {
.priv_encode = eckey_priv_encode,
.priv_print = eckey_priv_print,
.pkey_size = int_ec_size,
.pkey_size = ec_size,
.pkey_bits = ec_bits,
.pkey_security_bits = ec_security_bits,
@ -1005,7 +1005,7 @@ const EVP_PKEY_ASN1_METHOD eckey_asn1_meth = {
.param_cmp = ec_cmp_parameters,
.param_print = eckey_param_print,
.pkey_free = int_ec_free,
.pkey_free = ec_free,
.pkey_ctrl = ec_pkey_ctrl,
.old_priv_decode = old_ec_priv_decode,
.old_priv_encode = old_ec_priv_encode,

8
lib/libcrypto/man/DSA_dup_DH.3
View file

@ -1,4 +1,4 @@
.\" $OpenBSD: DSA_dup_DH.3,v 1.8 2019/06/10 14:58:48 schwarze Exp $
.\" $OpenBSD: DSA_dup_DH.3,v 1.9 2023/08/12 08:26:38 tb Exp $
.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
.\"
.\" This file was written by Ulf Moeller <ulf@openssl.org>.
@ -48,7 +48,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: June 10 2019 $
.Dd $Mdocdate: August 12 2023 $
.Dt DSA_DUP_DH 3
.Os
.Sh NAME
@ -67,10 +67,6 @@ duplicates
parameters/keys as
.Vt DH
parameters/keys.
.Fa r->q
is lost during that conversion, but the resulting
.Vt DH
parameters contain its length.
.Sh RETURN VALUES
.Fn DSA_dup_DH
returns the new

241
lib/libcrypto/man/EVP_DigestInit.3
View file

@ -1,11 +1,11 @@
.\" $OpenBSD: EVP_DigestInit.3,v 1.25 2023/04/23 18:24:01 job Exp $
.\" $OpenBSD: EVP_DigestInit.3,v 1.28 2023/08/14 14:22:32 schwarze Exp $
.\" full merge up to: OpenSSL 7f572e95 Dec 2 13:57:04 2015 +0000
.\" selective merge up to: OpenSSL a95d7574 Jul 2 12:16:38 2017 -0400
.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
.\"
.\" This file is a derived work.
.\" The changes are covered by the following Copyright and license:
.\"
.\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
.\" Copyright (c) 2019, 2023 Ingo Schwarze <schwarze@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@ -19,9 +19,11 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>
.\" and Richard Levitte <levitte@openssl.org>.
.\" Copyright (c) 2000-2004, 2009, 2012-2016 The OpenSSL Project.
.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>,
.\" Richard Levitte <levitte@openssl.org>,
.\" Paul Yang <yang.yang@baishancloud.com>, and
.\" Antoine Salon <asalon@vmware.com>.
.\" Copyright (c) 2000-2004, 2009, 2012-2016, 2018, 2019 The OpenSSL Project.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@ -68,7 +70,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: April 23 2023 $
.Dd $Mdocdate: August 14 2023 $
.Dt EVP_DIGESTINIT 3
.Os
.Sh NAME
@ -80,6 +82,9 @@
.Nm EVP_MD_CTX_cleanup ,
.Nm EVP_MD_CTX_destroy ,
.Nm EVP_MD_CTX_ctrl ,
.Nm EVP_MD_CTX_set_flags ,
.Nm EVP_MD_CTX_clear_flags ,
.Nm EVP_MD_CTX_test_flags ,
.Nm EVP_DigestInit_ex ,
.Nm EVP_DigestUpdate ,
.Nm EVP_DigestFinal_ex ,
@ -93,10 +98,14 @@
.Nm EVP_MD_pkey_type ,
.Nm EVP_MD_size ,
.Nm EVP_MD_block_size ,
.Nm EVP_MD_flags ,
.Nm EVP_MD_CTX_md ,
.Nm EVP_MD_CTX_size ,
.Nm EVP_MD_CTX_block_size ,
.Nm EVP_MD_CTX_type ,
.Nm EVP_MD_CTX_md_data ,
.Nm EVP_MD_CTX_pkey_ctx ,
.Nm EVP_MD_CTX_set_pkey_ctx ,
.Nm EVP_md_null ,
.Nm EVP_md5 ,
.Nm EVP_md5_sha1 ,
@ -141,10 +150,25 @@
.Ft int
.Fo EVP_MD_CTX_ctrl
.Fa "EVP_MD_CTX *ctx"
.Fa "int cmd"
.Fa "int command"
.Fa "int p1"
.Fa "void* p2"
.Fc
.Ft void
.Fo EVP_MD_CTX_set_flags
.Fa "EVP_MD_CTX *ctx"
.Fa "int flags"
.Fc
.Ft void
.Fo EVP_MD_CTX_clear_flags
.Fa "EVP_MD_CTX *ctx"
.Fa "int flags"
.Fc
.Ft int
.Fo EVP_MD_CTX_test_flags
.Fa "const EVP_MD_CTX *ctx"
.Fa "int flags"
.Fc
.Ft int
.Fo EVP_DigestInit_ex
.Fa "EVP_MD_CTX *ctx"
@ -210,21 +234,38 @@
.Fo EVP_MD_block_size
.Fa "const EVP_MD *md"
.Fc
.Ft unsigned long
.Fo EVP_MD_flags
.Fa "const EVP_MD *md"
.Fc
.Ft const EVP_MD *
.Fo EVP_MD_CTX_md
.Fa "const EVP_MD_CTX *ctx"
.Fc
.Ft int
.Fo EVP_MD_CTX_size
.Fa "const EVP_MD *ctx"
.Fa "const EVP_MD_CTX *ctx"
.Fc
.Ft int
.Fo EVP_MD_CTX_block_size
.Fa "const EVP_MD *ctx"
.Fa "const EVP_MD_CTX *ctx"
.Fc
.Ft int
.Fo EVP_MD_CTX_type
.Fa "const EVP_MD *ctx"
.Fa "const EVP_MD_CTX *ctx"
.Fc
.Ft void *
.Fo EVP_MD_CTX_md_data
.Fa "const EVP_MD_CTX *ctx"
.Fc
.Ft EVP_PKEY_CTX *
.Fo EVP_MD_CTX_pkey_ctx
.Fa "const EVP_MD_CTX *ctx"
.Fc
.Ft void
.Fo EVP_MD_CTX_set_pkey_ctx
.Fa "EVP_MD_CTX *ctx"
.Fa "EVP_PKEY_CTX *pctx"
.Fc
.Ft const EVP_MD *
.Fn EVP_md_null void
@ -261,7 +302,7 @@
.Fa "const ASN1_OBJECT *o"
.Fc
.Sh DESCRIPTION
The EVP digest routines are a high level interface to message digests
The EVP digest routines are a high-level interface to message digests
and should be used instead of the cipher-specific functions.
.Pp
.Fn EVP_MD_CTX_new
@ -298,8 +339,68 @@ and
respectively.
.Pp
.Fn EVP_MD_CTX_ctrl
performs digest-specific control actions on the context
performs the digest-specific control
.Fa command
with the command-specific arguments
.Fa p1
and
.Fa p2
on
.Fa ctx ,
which needs to already be set up with
.Fn EVP_DigestInit_ex
before calling this function.
Other restrictions may apply depending on the control
.Fa command
and digest implementation.
.Pp
If the
.Fa command
is
.Dv EVP_MD_CTRL_MICALG ,
.Fa p1
is ignored and
.Fa p2
is an output argument of the type
.Fa "char **p2" .
A string specifying the digest Message Integrity Check algorithm
is allocated and a pointer to this string is returned in
.Pf * Fa p2 .
It is the responsibility of the caller to
.Xr free 3
.Pf * Fa p2
when it is no longer needed.
This
.Fa command
is used by
.Xr SMIME_write_ASN1 3
when creating S/MIME multipart/signed messages as specified in RFC 3851.
.Pp
.Fn EVP_MD_CTX_set_flags
sets and
.Fn EVP_MD_CTX_clear_flags
clears all the flag bits in
.Fa ctx
that are set in the
.Fa flags
argument.
.Fn EVP_MD_CTX_test_flags
tests which of the flag bits that are set in the
.Fa flags
argument are also set in
.Fa ctx .
Possible flag bits are:
.Bl -tag -width Ds -offset 2n
.It Dv EVP_MD_CTX_FLAG_NO_INIT
Instruct
.Fn EVP_DigestInit_ex
and functions calling it not to initialise the internal data
that is specific to the digest method and its implementation.
.It Dv EVP_MD_CTX_FLAG_ONESHOT
Instruct the digest to optimize for one update only, if possible.
For digest algorithms built into the library, this flag usually
has no effect.
.El
.Pp
.Fn EVP_DigestInit_ex
sets up the digest context
@ -434,15 +535,29 @@ structure.
.Fn EVP_MD_type
and
.Fn EVP_MD_CTX_type
return the NID of the OBJECT IDENTIFIER representing the given message
digest when passed an
.Vt EVP_MD
structure.
return the NID of the OBJECT IDENTIFIER representing the message digest.
For example
.Fn EVP_MD_type EVP_sha1()
returns
.Dv NID_sha1 .
This function is normally used when setting ASN.1 OIDs.
These functions are normally used when setting ASN.1 OIDs.
.Pp
.Fn EVP_MD_CTX_md_data
returns the digest method private data of
.Fa ctx .
The space was allocated and its size set with
.Xr EVP_MD_meth_set_app_datasize 3 .
.Pp
.Fn EVP_MD_flags
returns the
.Fa md
flags.
These are different from the
.Vt EVP_MD_CTX
ones.
See
.Xr EVP_MD_meth_set_flags 3
for more information.
.Pp
.Fn EVP_MD_pkey_type
returns the NID of the public key signing algorithm associated with this
@ -454,6 +569,56 @@ is associated with RSA so this will return
Since digests and signature algorithms are no longer linked, this
function is only retained for compatibility reasons.
.Pp
.Fn EVP_MD_CTX_pkey_ctx
returns the
.Vt EVP_PKEY_CTX
assigned to
.Fa ctx .
The returned pointer should not be freed by the caller.
.Pp
.Fn EVP_MD_CTX_set_pkey_ctx
assigns
.Fa pctx
to
.Fa ctx .
This is normally used to provide a customized
.Vt EVP_PKEY_CTX
to
.Xr EVP_DigestSignInit 3
or
.Xr EVP_DigestVerifyInit 3 .
The caller retains ownership of the
.Fa pctx
passed to this function and is responsible for freeing it
when it is no longer needed.
.Pp
If the
.Fa ctx
already contains a
.Vt EVP_PKEY_CTX
when this function is called, that old
.Vt EVP_PKEY_CTX
is freed if it was created internally, but if it was also installed with
.Fn EVP_MD_CTX_set_pkey_ctx ,
the pointer to the old
.Vt EVP_PKEY_CTX
is merely replaced by the new pointer and ownership of the old
.Vt EVP_PKEY_CTX
remains with the previous caller.
.Pp
Passing a
.Dv NULL
pointer for the
.Fa pctx
argument is also allowed.
In that case, any
.Vt EVP_PKEY_CTX
already assigned to
.Fa ctx
is dissociated from it as described above, but no new
.Vt EVP_PKEY_CTX
is assigned.
.Pp
.Fn EVP_md5 ,
.Fn EVP_sha1 ,
.Fn EVP_sha224 ,
@ -502,7 +667,7 @@ and
are implemented as macros.
.Pp
The EVP interface to message digests should almost always be used
in preference to the low level interfaces.
in preference to the low-level interfaces.
This is because the code then becomes transparent to the digest used and
much more flexible.
.Pp
@ -559,6 +724,12 @@ and
.Fn EVP_MD_CTX_copy
return 1 for success or 0 for failure.
.Pp
.Fn EVP_MD_CTX_test_flags
returns the bitwise OR of the
.Fa flags
argument and the flags set in
.Fa ctx .
.Pp
.Fn EVP_MD_type ,
.Fn EVP_MD_pkey_type ,
and
@ -610,6 +781,7 @@ This example digests the data "Test Message\en" and "Hello World\en",
using the digest name passed on the command line.
.Bd -literal -offset indent
#include <stdio.h>
#include <string.h>
#include <openssl/evp.h>
int
@ -620,7 +792,7 @@ main(int argc, char *argv[])
const char mess1[] = "Test Message\en";
const char mess2[] = "Hello World\en";
unsigned char md_value[EVP_MAX_MD_SIZE];
int md_len, i;
unsigned int md_len, i;
if (argc <= 1) {
printf("Usage: mdtest digestname\en");
@ -655,8 +827,10 @@ main(int argc, char *argv[])
.Xr EVP_BytesToKey 3 ,
.Xr EVP_DigestSignInit 3 ,
.Xr EVP_DigestVerifyInit 3 ,
.Xr EVP_MD_meth_new 3 ,
.Xr EVP_PKEY_CTX_set_signature_md 3 ,
.Xr EVP_PKEY_meth_set_signctx 3 ,
.Xr EVP_sha3_224 3 ,
.Xr EVP_SignInit 3 ,
.Xr EVP_sm3 3 ,
.Xr EVP_VerifyInit 3 ,
@ -715,6 +889,9 @@ first appeared in OpenSSL 0.9.5 and has been available since
.Fn EVP_MD_CTX_create ,
.Fn EVP_MD_CTX_cleanup ,
.Fn EVP_MD_CTX_destroy ,
.Fn EVP_MD_CTX_set_flags ,
.Fn EVP_MD_CTX_clear_flags ,
.Fn EVP_MD_CTX_test_flags ,
.Fn EVP_DigestInit_ex ,
.Fn EVP_DigestFinal_ex ,
.Fn EVP_Digest ,
@ -732,11 +909,10 @@ first appeared in OpenSSL 0.9.7h and 0.9.8a
and have been available since
.Ox 4.0 .
.Pp
.Fn EVP_sha512_224
and
.Fn EVP_sha512_256
first appeared in OpenSSL 1.1.1 and has been available since
.Ox 7.4 .
.Fn EVP_MD_flags
first appeared in OpenSSL 1.0.0
and has been available since
.Ox 4.9 .
.Pp
.Fn EVP_MD_CTX_ctrl
first appeared in OpenSSL 1.1.0 and has been available since
@ -750,6 +926,21 @@ and
first appeared in OpenSSL 1.1.0 and have been available since
.Ox 6.3 .
.Pp
.Fn EVP_MD_CTX_md_data
and
.Fn EVP_MD_CTX_pkey_ctx
first appeared in OpenSSL 1.1.0 and
.Fn EVP_MD_CTX_set_pkey_ctx
in OpenSSL 1.1.1.
These functions have been available since
.Ox 7.1 .
.Pp
.Fn EVP_sha512_224
and
.Fn EVP_sha512_256
first appeared in OpenSSL 1.1.1 and have been available since
.Ox 7.4 .
.Pp
The link between digests and signing algorithms was fixed in OpenSSL 1.0
and later, so now
.Fn EVP_sha1

24
lib/libcrypto/man/EVP_EncryptInit.3
View file

@ -1,9 +1,7 @@
.\" $OpenBSD: EVP_EncryptInit.3,v 1.44 2022/08/31 14:27:34 tb Exp $
.\" $OpenBSD: EVP_EncryptInit.3,v 1.46 2023/08/16 13:50:05 schwarze Exp $
.\" full merge up to: OpenSSL 5211e094 Nov 11 14:39:11 2014 -0800
.\" EVP_bf_cbc.pod EVP_cast5_cbc.pod EVP_idea_cbc.pod EVP_rc2_cbc.pod
.\" 7c6d372a Nov 20 13:20:01 2018 +0000
.\" selective merge up to: OpenSSL 16cfc2c9 Mar 8 22:30:28 2018 +0100
.\" EVP_chacha20.pod 8fa4d95e Oct 21 11:59:09 2017 +0900
.\"
.\" This file is a derived work.
.\" The changes are covered by the following Copyright and license:
@ -71,7 +69,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: August 31 2022 $
.Dd $Mdocdate: August 16 2023 $
.Dt EVP_ENCRYPTINIT 3
.Os
.Sh NAME
@ -149,8 +147,7 @@
.Nm EVP_cast5_ecb ,
.Nm EVP_cast5_cfb64 ,
.Nm EVP_cast5_cfb ,
.Nm EVP_cast5_ofb ,
.Nm EVP_chacha20
.Nm EVP_cast5_ofb
.Nd EVP cipher routines
.Sh SYNOPSIS
.In openssl/evp.h
@ -906,6 +903,15 @@ return 1 for success or 0 for failure.
.Fn EVP_CIPHER_CTX_set_padding
always returns 1.
.Pp
.Fn EVP_CIPHER_CTX_ctrl
usually returns 1 for success, 0 for failure, or \-1 if the
.Fa type
is not supported by the
.Fa ctx ,
but there may be exceptions for some
.Fa type
arguments.
.Pp
.Fn EVP_get_cipherbyname ,
.Fn EVP_get_cipherbynid ,
and
@ -1020,11 +1026,6 @@ This is a variable key length cipher.
is an alias for
.Fn EVP_cast5_cfb64 ,
implemented as a macro.
.It Fn EVP_chacha20
The ChaCha20 stream cipher.
The key length is 256 bits.
The first 32 bits of the 128-bit IV are used as a counter,
and the remaining 96 bits as a nonce.
.El
.Pp
See also
@ -1241,6 +1242,7 @@ do_crypt(FILE *in, FILE *out, int do_encrypt)
.Xr EVP_AEAD_CTX_init 3 ,
.Xr EVP_aes_128_cbc 3 ,
.Xr EVP_camellia_128_cbc 3 ,
.Xr EVP_chacha20 3 ,
.Xr EVP_des_cbc 3 ,
.Xr EVP_OpenInit 3 ,
.Xr EVP_rc4 3 ,

20
lib/libcrypto/man/EVP_MD_meth_new.3
View file

@ -1,4 +1,4 @@
.\" $OpenBSD: EVP_MD_meth_new.3,v 1.2 2023/07/09 06:47:51 tb Exp $
.\" $OpenBSD: EVP_MD_meth_new.3,v 1.3 2023/08/12 16:48:23 schwarze Exp $
.\" selective merge up to:
.\" OpenSSL man3/EVP_MD_meth_new 0388d212 Dec 14 12:47:07 2018 -0800
.\"
@ -49,7 +49,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: July 9 2023 $
.Dd $Mdocdate: August 12 2023 $
.Dt EVP_MD_METH_NEW 3
.Os
.Sh NAME
@ -130,7 +130,7 @@
.Ft int
.Fo EVP_MD_meth_set_ctrl
.Fa "EVP_MD *md"
.Fa "int (*ctrl)(EVP_MD_CTX *ctx, int cmd, int p1, void *p2)"
.Fa "int (*control)(EVP_MD_CTX *ctx, int command, int p1, void *p2)"
.Fc
.Sh DESCRIPTION
The
@ -267,11 +267,21 @@ and
.Xr EVP_MD_CTX_free 3 .
.Pp
.Fn EVP_MD_meth_set_ctrl
sets the control function for
sets the
.Fa control
function for
.Fa md .
The
.Fa control
function supplied by the application program has to return 1 to indicate
success, 0 to indicate failure, or \-1 if the
.Fa command
is not supported for this digest method.
See
.Xr EVP_MD_CTX_ctrl 3
for the available controls.
for the available
.Fa command
arguments.
.Sh RETURN VALUES
.Fn EVP_MD_meth_new
and

259
lib/libcrypto/man/EVP_chacha20.3 Normal file
View file

@ -0,0 +1,259 @@
.\" $OpenBSD: EVP_chacha20.3,v 1.2 2023/08/16 13:47:18 schwarze Exp $
.\" full merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200
.\"
.\" This file is a derived work.
.\" The changes are covered by the following Copyright and license:
.\"
.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\" The original file was written by Ronald Tse <ronald.tse@ribose.com>.
.\" Copyright (c) 2017 The OpenSSL Project. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" 3. All advertising materials mentioning features or use of this
.\" software must display the following acknowledgment:
.\" "This product includes software developed by the OpenSSL Project
.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
.\"
.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
.\" endorse or promote products derived from this software without
.\" prior written permission. For written permission, please contact
.\" openssl-core@openssl.org.
.\"
.\" 5. Products derived from this software may not be called "OpenSSL"
.\" nor may "OpenSSL" appear in their names without prior written
.\" permission of the OpenSSL Project.
.\"
.\" 6. Redistributions of any form whatsoever must retain the following
.\" acknowledgment:
.\" "This product includes software developed by the OpenSSL Project
.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: August 16 2023 $
.Dt EVP_CHACHA20 3
.Os
.Sh NAME
.Nm EVP_chacha20 ,
.Nm EVP_chacha20_poly1305
.Nd ChaCha20 stream cipher for EVP
.Sh SYNOPSIS
.In openssl/evp.h
.Ft const EVP_CIPHER *
.Fn EVP_chacha20 void
.Ft const EVP_CIPHER *
.Fn EVP_chacha20_poly1305 void
.Sh DESCRIPTION
.Fn EVP_chacha20
provides the ChaCha20 stream cipher in the EVP framework.
.Xr EVP_EncryptInit_ex 3 ,
.Xr EVP_DecryptInit_ex 3 ,
and
.Xr EVP_CipherInit_ex 3
take a
.Fa key
argument of 32 bytes = 256 bits and an
.Fa iv
argument of 16 bytes = 128 bits, internally using
.Xr ChaCha_set_key 3
and
.Xr ChaCha_set_iv 3 .
Due to the symmetry of the internal cipher state, interpreting the
.Fa iv
argument as a 4 byte counter followed by a 12 byte nonce
or interpreting it as an 8 byte counter followed by an 8 byte nonce
is functionally equivalent.
.Xr EVP_EncryptUpdate 3 ,
.Xr EVP_EncryptFinal_ex 3 ,
.Xr EVP_DecryptUpdate 3 ,
and
.Xr EVP_DecryptFinal_ex 3
internally use
.Xr ChaCha 3
to perform encryption and decryption.
.Xr EVP_CIPHER_CTX_ctrl 3
always fails for
.Fa ctx
objects created from
.Fn EVP_chacha20 .
.Pp
.Fn EVP_chacha20_poly1305
provides authenticated encryption with ChaCha20-Poly1305.
.Xr EVP_EncryptInit_ex 3 ,
.Xr EVP_DecryptInit_ex 3 ,
and
.Xr EVP_CipherInit_ex 3
take a
.Fa key
argument of 32 bytes = 256 bits and an
.Fa iv
argument of 12 bytes = 96 bits.
This supports additional authenticated data (AAD) and produces a 128-bit
authentication tag.
.Pp
The following
.Fa type
arguments are supported for
.Xr EVP_CIPHER_CTX_ctrl 3 :
.Bl -tag -width Ds
.It Dv EVP_CTRL_AEAD_GET_TAG
Copy the number of bytes indicated by the
.Fa arg
argument from the tag to the location indicated by the
.Fa ptr
argument;
to be called after
.Xr EVP_EncryptFinal_ex 3 .
This control operation fails if the
.Fa ctx
is not configured for encryption or if
.Fa arg
is less than 1 or greater than 16.
.It Dv EVP_CTRL_AEAD_SET_TAG
Copy the number of bytes indicated by the
.Fa arg
argument from the location indicated by the
.Fa ptr
argument and designate them as the expected tag length and tag,
causing subsequent
.Xr EVP_DecryptFinal_ex 3
to fail if the tag calculated during decryption does not match.
It is strongly recommended to specify
.Fa arg
as exactly 16.
Otherwise, only the initial part of the tag may be compared
and mismatches near the end of the tag may get silently irgnored.
This control operation fails if the
.Fa ctx
is configured for encryption or if
.Fa arg
is less than 1 or greater than 16.
If the
.Fa ptr
argument is a
.Dv NULL
pointer, this control operation succeeds without having any effect.
.It EVP_CTRL_AEAD_SET_IV_FIXED
Set the initialization vector by reading the 12 bytes pointed to by the
.Fa ptr
argument, independently of
.Xr EVP_EncryptInit_ex 3 ,
.Xr EVP_DecryptInit_ex 3 ,
and
.Xr EVP_CipherInit_ex 3 .
This control operation fails if the
.Fa arg
argument is not exactly 12.
.It Dv EVP_CTRL_AEAD_SET_IVLEN
Instruct subsequent
.Xr EVP_EncryptInit_ex 3 ,
.Xr EVP_DecryptInit_ex 3 ,
or
.Xr EVP_CipherInit_ex 3
to expect an
.Fa iv
argument shorter than the default of 12 bytes; the
.Fa arg
argument specifies the number of bytes to be used.
The initialization functions will only read
the specified smaller number of bytes from
.Fa iv
and internally zero-pad them on the left.
Using this is not recommended because it is likely more fragile
and less often tested than the equivalent method of simply providing
a full-sized
.Fa iv .
This control operation fails if
.Fa arg
is less than 1 or greater than 16.
.It Dv EVP_CTRL_INIT
Set the length of the initialization vector to the default value
of 12 bytes and clear the Poly1305 internal state.
The application program usually does not need to invoke this contol
operation manually because it is automatically called internally by
.Xr EVP_EncryptInit_ex 3 ,
.Xr EVP_DecryptInit_ex 3 ,
and
.Xr EVP_CipherInit_ex 3 .
.El
.Sh RETURN VALUES
.Fn EVP_chacha20
and
.Fn EVP_chacha20_poly1305
return pointers to static
.Vt EVP_CIPHER
objects that contain the implementations of the symmetric cipher.
.Pp
If
.Fa ctx
was created from
.Fn EVP_chacha20
or
.Fn EVP_chacha20_poly1305 ,
.Xr EVP_CIPHER_CTX_ctrl 3
returns 1 for success or 0 for failure.
.Sh SEE ALSO
.Xr ChaCha 3 ,
.Xr evp 3 ,
.Xr EVP_aead_chacha20_poly1305 3 ,
.Xr EVP_CIPHER_meth_new 3 ,
.Xr EVP_EncryptInit 3
.Sh STANDARDS
.Rs
.%A A. Langley
.%A W. Chang
.%D November 2013
.%R draft-agl-tls-chacha20poly1305-04
.%T ChaCha20 and Poly1305 based Cipher Suites for TLS
.Re
.Pp
.Rs
.%A Y. Nir
.%A A. Langley
.%D May 2015
.%R RFC 7539
.%T ChaCha20 and Poly1305 for IETF Protocols
.Re
.Sh HISTORY
.Fn EVP_chacha20
first appeared in
.Ox 5.6 .
.Pp
.Fn EVP_chacha20_poly1305
first appeared in OpenSSL 1.1.0 and has been available since
.Ox 7.2 .

92
lib/libcrypto/man/EVP_sha3_224.3 Normal file
View file

@ -0,0 +1,92 @@
.\" $OpenBSD: EVP_sha3_224.3,v 1.2 2023/08/15 11:54:38 schwarze Exp $
.\" selective merge up to: OpenSSL bbda8ce9 Oct 31 15:43:01 2017 +0800
.\"
.\" This file was written by Ronald Tse <ronald.tse@ribose.com>.
.\" Copyright (c) 2017 The OpenSSL Project. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" 3. All advertising materials mentioning features or use of this
.\" software must display the following acknowledgment:
.\" "This product includes software developed by the OpenSSL Project
.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
.\"
.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
.\" endorse or promote products derived from this software without
.\" prior written permission. For written permission, please contact
.\" openssl-core@openssl.org.
.\"
.\" 5. Products derived from this software may not be called "OpenSSL"
.\" nor may "OpenSSL" appear in their names without prior written
.\" permission of the OpenSSL Project.
.\"
.\" 6. Redistributions of any form whatsoever must retain the following
.\" acknowledgment:
.\" "This product includes software developed by the OpenSSL Project
.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: August 15 2023 $
.Dt EVP_SHA3_224 3
.Os
.Sh NAME
.Nm EVP_sha3_224 ,
.Nm EVP_sha3_256 ,
.Nm EVP_sha3_384 ,
.Nm EVP_sha3_512
.Nd Secure Hash Algorithm 3 for EVP
.Sh SYNOPSIS
.In openssl/evp.h
.Ft const EVP_MD *
.Fn EVP_sha3_224 void
.Ft const EVP_MD *
.Fn EVP_sha3_256 void
.Ft const EVP_MD *
.Fn EVP_sha3_384 void
.Ft const EVP_MD *
.Fn EVP_sha3_512 void
.Sh DESCRIPTION
SHA-3 (Secure Hash Algorithm 3) is a family of cryptographic hash
functions standardized in NIST FIPS 202, first published in 2015.
It is based on the Keccak algorithm.
.Pp
.Fn EVP_sha3_224 ,
.Fn EVP_sha3_256 ,
.Fn EVP_sha3_384 ,
and
.Fn EVP_sha3_512
implement the SHA3-224, SHA3-256, SHA3-384, and SHA3-512 algorithms
and produce 224, 256, 384 and 512 bits of output from a given input,
respectively.
.Sh RETURN VALUES
These functions return pointers to static
.Vt EVP_MD
objects implementing the hash functions.
.Sh SEE ALSO
.Xr evp 3 ,
.Xr EVP_DigestInit 3 ,
.Xr EVP_MD_meth_new 3
.Sh STANDARDS
NIST FIPS 202

4
lib/libcrypto/man/Makefile
View file

@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.259 2023/07/28 05:48:33 tb Exp $
# $OpenBSD: Makefile,v 1.261 2023/08/15 11:26:49 schwarze Exp $
.include <bsd.own.mk>
@ -200,8 +200,10 @@ MAN= \
EVP_VerifyInit.3 \
EVP_aes_128_cbc.3 \
EVP_camellia_128_cbc.3 \
EVP_chacha20.3 \
EVP_des_cbc.3 \
EVP_rc4.3 \
EVP_sha3_224.3 \
EVP_sm3.3 \
EVP_sm4_cbc.3 \
EVP_whirlpool.3 \

68
lib/libcrypto/man/evp.3
View file

@ -1,5 +1,5 @@
.\" $OpenBSD: evp.3,v 1.15 2023/07/09 06:49:25 tb Exp $
.\" OpenSSL a9c85cea Nov 11 09:33:55 2016 +0100
.\" $OpenBSD: evp.3,v 1.17 2023/08/15 11:26:49 schwarze Exp $
.\" full merge up to: OpenSSL man7/evp 24a535ea Sep 22 13:14:20 2020 +0100
.\"
.\" This file was written by Ulf Moeller <ulf@openssl.org>,
.\" Matt Caswell <matt@openssl.org>, Geoff Thorpe <geoff@openssl.org>,
@ -51,16 +51,16 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: July 9 2023 $
.Dd $Mdocdate: August 15 2023 $
.Dt EVP 3
.Os
.Sh NAME
.Nm evp
.Nd high level cryptographic functions
.Nd high-level cryptographic functions
.Sh SYNOPSIS
.In openssl/evp.h
.Sh DESCRIPTION
The EVP library provides a high level interface to cryptographic
The EVP library provides a high-level interface to cryptographic
functions.
.Pp
.Xr EVP_SealInit 3
@ -95,7 +95,7 @@ functions.
.Pp
The
.Fn EVP_PKEY_*
functions provide a high level interface to asymmetric algorithms.
functions provide a high-level interface to asymmetric algorithms.
To create a new
.Vt EVP_PKEY ,
see
@ -127,7 +127,7 @@ and
.Xr EVP_PKEY_verify_recover 3 .
However, note that these functions do not perform a digest of the
data to be signed.
Therefore normally you would use the
Therefore, normally you would use the
.Xr EVP_DigestSignInit 3
functions for this purpose.
.It
@ -169,45 +169,91 @@ implementations of ciphers or digests are registered as defaults,
then the various EVP functions will automatically use those
implementations in preference to built in software implementations.
.Pp
Although low level algorithm specific functions exist for many
Although low-level algorithm specific functions exist for many
algorithms, their use is discouraged.
They cannot be used with an
.Vt ENGINE ,
and
.Vt ENGINE
versions of new algorithms cannot be accessed using the low level
versions of new algorithms cannot be accessed using the low-level
functions.
Using them also makes code harder to adapt to new algorithms, some
options are not cleanly supported at the low level, and some
operations are more efficient using the high level interfaces.
operations are more efficient using the high-level interfaces.
.Sh SEE ALSO
.Xr ASN1_item_digest 3 ,
.Xr ASN1_item_sign 3 ,
.Xr BIO_f_cipher 3 ,
.Xr BIO_f_md 3 ,
.Xr CMAC_Init 3 ,
.Xr CMS_encrypt 3 ,
.Xr CMS_sign 3 ,
.Xr crypto 3 ,
.Xr d2i_PKCS8PrivateKey_bio 3 ,
.Xr d2i_PrivateKey 3 ,
.Xr ENGINE_get_cipher 3 ,
.Xr ENGINE_register_RSA 3 ,
.Xr EVP_AEAD_CTX_init 3 ,
.Xr EVP_aes_128_cbc 3 ,
.Xr EVP_BytesToKey 3 ,
.Xr EVP_camellia_128_cbc 3 ,
.Xr EVP_chacha20 3 ,
.Xr EVP_CIPHER_meth_new 3 ,
.Xr EVP_des_cbc 3 ,
.Xr EVP_DigestInit 3 ,
.Xr EVP_DigestSignInit 3 ,
.Xr EVP_DigestVerifyInit 3 ,
.Xr EVP_EncodeInit 3 ,
.Xr EVP_EncryptInit 3 ,
.Xr EVP_MD_meth_new 3 ,
.Xr EVP_OpenInit 3 ,
.Xr EVP_PKCS82PKEY 3 ,
.Xr EVP_PKEY_add1_attr 3 ,
.Xr EVP_PKEY_asn1_get_count 3 ,
.Xr EVP_PKEY_asn1_new 3 ,
.Xr EVP_PKEY_check 3 ,
.Xr EVP_PKEY_cmp 3 ,
.Xr EVP_PKEY_CTX_ctrl 3 ,
.Xr EVP_PKEY_CTX_new 3 ,
.Xr EVP_PKEY_CTX_set_hkdf_md 3 ,
.Xr EVP_PKEY_decrypt 3 ,
.Xr EVP_PKEY_derive 3 ,
.Xr EVP_PKEY_encrypt 3 ,
.Xr EVP_PKEY_get_default_digest_nid 3 ,
.Xr EVP_PKEY_keygen 3 ,
.Xr EVP_PKEY_meth_get0_info 3 ,
.Xr EVP_PKEY_meth_new 3 ,
.Xr EVP_PKEY_new 3 ,
.Xr EVP_PKEY_print_private 3 ,
.Xr EVP_PKEY_set1_RSA 3 ,
.Xr EVP_PKEY_sign 3 ,
.Xr EVP_PKEY_size 3 ,
.Xr EVP_PKEY_verify 3 ,
.Xr EVP_PKEY_verify_recover 3 ,
.Xr EVP_rc4 3 ,
.Xr EVP_SealInit 3 ,
.Xr EVP_sha3_224 3 ,
.Xr EVP_SignInit 3 ,
.Xr EVP_sm3 3 ,
.Xr EVP_sm4_cbc 3 ,
.Xr EVP_VerifyInit 3 ,
.Xr EVP_whirlpool 3
.Xr EVP_whirlpool 3 ,
.Xr HMAC 3 ,
.Xr OCSP_basic_sign 3 ,
.Xr OCSP_request_sign 3 ,
.Xr PEM_get_EVP_CIPHER_INFO 3 ,
.Xr PEM_read_bio_PrivateKey 3 ,
.Xr PKCS12_create 3 ,
.Xr PKCS5_PBKDF2_HMAC 3 ,
.Xr PKCS7_encrypt 3 ,
.Xr PKCS7_sign 3 ,
.Xr RSA_pkey_ctx_ctrl 3 ,
.Xr SSL_CTX_set_tlsext_ticket_key_cb 3 ,
.Xr X509_ALGOR_set_md 3 ,
.Xr X509_check_private_key 3 ,
.Xr X509_CRL_METHOD_new 3 ,
.Xr X509_digest 3 ,
.Xr X509_get_pubkey 3 ,
.Xr X509_PUBKEY_set 3 ,
.Xr X509_sign 3 ,
.Xr X509_to_X509_REQ 3

136
lib/libcrypto/md5/md5.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: md5.c,v 1.13 2023/08/10 14:04:54 jsing Exp $ */
/* $OpenBSD: md5.c,v 1.18 2023/08/15 08:39:27 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -64,21 +64,16 @@
#include <openssl/md5.h>
#include "crypto_internal.h"
/* Ensure that MD5_LONG and uint32_t are equivalent size. */
CTASSERT(sizeof(MD5_LONG) == sizeof(uint32_t));
#ifdef MD5_ASM
# if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__) || \
defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
# define md5_block_data_order md5_block_asm_data_order
# elif defined(__ia64) || defined(__ia64__) || defined(_M_IA64)
# define md5_block_data_order md5_block_asm_data_order
# endif
void md5_block_asm_data_order(MD5_CTX *c, const void *p, size_t num);
#define md5_block_data_order md5_block_asm_data_order
#endif
__BEGIN_HIDDEN_DECLS
void md5_block_data_order (MD5_CTX *c, const void *p, size_t num);
__END_HIDDEN_DECLS
#define DATA_ORDER_IS_LITTLE_ENDIAN
#define HASH_LONG MD5_LONG
@ -129,16 +124,15 @@ __END_HIDDEN_DECLS
a=ROTATE(a,s); \
a+=b; };
/* Implemented from RFC1321 The MD5 Message-Digest Algorithm
*/
/* Implemented from RFC1321 The MD5 Message-Digest Algorithm. */
#ifndef md5_block_data_order
void
md5_block_data_order(MD5_CTX *c, const void *data_, size_t num)
#ifndef MD5_ASM
static void
md5_block_data_order(MD5_CTX *c, const void *_in, size_t num)
{
const unsigned char *data = data_;
unsigned int A, B, C, D, l;
unsigned int X0, X1, X2, X3, X4, X5, X6, X7,
const uint8_t *in = _in;
MD5_LONG A, B, C, D;
MD5_LONG X0, X1, X2, X3, X4, X5, X6, X7,
X8, X9, X10, X11, X12, X13, X14, X15;
A = c->A;
@ -147,53 +141,39 @@ md5_block_data_order(MD5_CTX *c, const void *data_, size_t num)
D = c->D;
for (; num--; ) {
HOST_c2l(data, l);
X0 = l;
HOST_c2l(data, l);
X1 = l;
X0 = crypto_load_le32toh(&in[0 * 4]);
X1 = crypto_load_le32toh(&in[1 * 4]);
X2 = crypto_load_le32toh(&in[2 * 4]);
X3 = crypto_load_le32toh(&in[3 * 4]);
X4 = crypto_load_le32toh(&in[4 * 4]);
X5 = crypto_load_le32toh(&in[5 * 4]);
X6 = crypto_load_le32toh(&in[6 * 4]);
X7 = crypto_load_le32toh(&in[7 * 4]);
X8 = crypto_load_le32toh(&in[8 * 4]);
X9 = crypto_load_le32toh(&in[9 * 4]);
X10 = crypto_load_le32toh(&in[10 * 4]);
X11 = crypto_load_le32toh(&in[11 * 4]);
X12 = crypto_load_le32toh(&in[12 * 4]);
X13 = crypto_load_le32toh(&in[13 * 4]);
X14 = crypto_load_le32toh(&in[14 * 4]);
X15 = crypto_load_le32toh(&in[15 * 4]);
in += MD5_CBLOCK;
/* Round 0 */
R0(A, B, C, D, X0, 7, 0xd76aa478L);
HOST_c2l(data, l);
X2 = l;
R0(D, A, B, C, X1, 12, 0xe8c7b756L);
HOST_c2l(data, l);
X3 = l;
R0(C, D, A, B, X2, 17, 0x242070dbL);
HOST_c2l(data, l);
X4 = l;
R0(B, C, D, A, X3, 22, 0xc1bdceeeL);
HOST_c2l(data, l);
X5 = l;
R0(A, B, C, D, X4, 7, 0xf57c0fafL);
HOST_c2l(data, l);
X6 = l;
R0(D, A, B, C, X5, 12, 0x4787c62aL);
HOST_c2l(data, l);
X7 = l;
R0(C, D, A, B, X6, 17, 0xa8304613L);
HOST_c2l(data, l);
X8 = l;
R0(B, C, D, A, X7, 22, 0xfd469501L);
HOST_c2l(data, l);
X9 = l;
R0(A, B, C, D, X8, 7, 0x698098d8L);
HOST_c2l(data, l);
X10 = l;
R0(D, A, B, C, X9, 12, 0x8b44f7afL);
HOST_c2l(data, l);
X11 = l;
R0(C, D, A, B, X10, 17, 0xffff5bb1L);
HOST_c2l(data, l);
X12 = l;
R0(B, C, D, A, X11, 22, 0x895cd7beL);
HOST_c2l(data, l);
X13 = l;
R0(A, B, C, D, X12, 7, 0x6b901122L);
HOST_c2l(data, l);
X14 = l;
R0(D, A, B, C, X13, 12, 0xfd987193L);
HOST_c2l(data, l);
X15 = l;
R0(C, D, A, B, X14, 17, 0xa679438eL);
R0(B, C, D, A, X15, 22, 0x49b40821L);
/* Round 1 */
@ -256,19 +236,16 @@ md5_block_data_order(MD5_CTX *c, const void *data_, size_t num)
}
#endif
#define INIT_DATA_A (unsigned long)0x67452301L
#define INIT_DATA_B (unsigned long)0xefcdab89L
#define INIT_DATA_C (unsigned long)0x98badcfeL
#define INIT_DATA_D (unsigned long)0x10325476L
int
MD5_Init(MD5_CTX *c)
{
memset (c, 0, sizeof(*c));
c->A = INIT_DATA_A;
c->B = INIT_DATA_B;
c->C = INIT_DATA_C;
c->D = INIT_DATA_D;
memset(c, 0, sizeof(*c));
c->A = 0x67452301UL;
c->B = 0xefcdab89UL;
c->C = 0x98badcfeUL;
c->D = 0x10325476UL;
return 1;
}
LCRYPTO_ALIAS(MD5_Init);
@ -313,8 +290,8 @@ MD5_Update(MD5_CTX *c, const void *data_, size_t len)
n = len/MD5_CBLOCK;
if (n > 0) {
md5_block_data_order (c, data, n);
n *= MD5_CBLOCK;
md5_block_data_order(c, data, n);
n *= MD5_CBLOCK;
data += n;
len -= n;
}
@ -322,7 +299,7 @@ MD5_Update(MD5_CTX *c, const void *data_, size_t len)
if (len != 0) {
p = (unsigned char *)c->data;
c->num = (unsigned int)len;
memcpy (p, data, len);
memcpy(p, data, len);
}
return 1;
}
@ -339,7 +316,6 @@ int
MD5_Final(unsigned char *md, MD5_CTX *c)
{
unsigned char *p = (unsigned char *)c->data;
unsigned long ll;
size_t n = c->num;
p[n] = 0x80; /* there is always room for one */
@ -350,29 +326,19 @@ MD5_Final(unsigned char *md, MD5_CTX *c)
n = 0;
md5_block_data_order(c, p, 1);
}
memset(p + n, 0, MD5_CBLOCK - 8 - n);
p += MD5_CBLOCK - 8;
#if defined(DATA_ORDER_IS_BIG_ENDIAN)
HOST_l2c(c->Nh, p);
HOST_l2c(c->Nl, p);
#elif defined(DATA_ORDER_IS_LITTLE_ENDIAN)
HOST_l2c(c->Nl, p);
HOST_l2c(c->Nh, p);
#endif
p -= MD5_CBLOCK;
memset(p + n, 0, MD5_CBLOCK - 8 - n);
c->data[MD5_LBLOCK - 2] = htole32(c->Nl);
c->data[MD5_LBLOCK - 1] = htole32(c->Nh);
md5_block_data_order(c, p, 1);
c->num = 0;
memset(p, 0, MD5_CBLOCK);
ll = c->A;
HOST_l2c(ll, md);
ll = c->B;
HOST_l2c(ll, md);
ll = c->C;
HOST_l2c(ll, md);
ll = c->D;
HOST_l2c(ll, md);
crypto_store_htole32(&md[0 * 4], c->A);
crypto_store_htole32(&md[1 * 4], c->B);
crypto_store_htole32(&md[2 * 4], c->C);
crypto_store_htole32(&md[3 * 4], c->D);
return 1;
}

14
lib/libcrypto/rsa/rsa_ameth.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: rsa_ameth.c,v 1.32 2023/08/10 15:05:28 tb Exp $ */
/* $OpenBSD: rsa_ameth.c,v 1.33 2023/08/12 08:02:43 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2006.
*/
@ -273,7 +273,7 @@ rsa_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8)
}
static int
int_rsa_size(const EVP_PKEY *pkey)
rsa_size(const EVP_PKEY *pkey)
{
return RSA_size(pkey->pkey.rsa);
}
@ -291,7 +291,7 @@ rsa_security_bits(const EVP_PKEY *pkey)
}
static void
int_rsa_free(EVP_PKEY *pkey)
rsa_free(EVP_PKEY *pkey)
{
RSA_free(pkey->pkey.rsa);
}
@ -1088,13 +1088,13 @@ const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = {
.priv_encode = rsa_priv_encode,
.priv_print = rsa_priv_print,
.pkey_size = int_rsa_size,
.pkey_size = rsa_size,
.pkey_bits = rsa_bits,
.pkey_security_bits = rsa_security_bits,
.sig_print = rsa_sig_print,
.pkey_free = int_rsa_free,
.pkey_free = rsa_free,
.pkey_ctrl = rsa_pkey_ctrl,
.old_priv_decode = old_rsa_priv_decode,
.old_priv_encode = old_rsa_priv_encode,
@ -1130,13 +1130,13 @@ const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth = {
.priv_encode = rsa_priv_encode,
.priv_print = rsa_priv_print,
.pkey_size = int_rsa_size,
.pkey_size = rsa_size,
.pkey_bits = rsa_bits,
.pkey_security_bits = rsa_security_bits,
.sig_print = rsa_sig_print,
.pkey_free = int_rsa_free,
.pkey_free = rsa_free,
.pkey_ctrl = rsa_pkey_ctrl,
.item_verify = rsa_item_verify,
.item_sign = rsa_item_sign

173
lib/libcrypto/sha/sha256.c
View file

@ -1,4 +1,4 @@
/* $OpenBSD: sha256.c,v 1.28 2023/08/10 07:15:23 jsing Exp $ */
/* $OpenBSD: sha256.c,v 1.30 2023/08/11 15:27:28 jsing Exp $ */
/* ====================================================================
* Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved.
*
@ -68,24 +68,10 @@
/* Ensure that SHA_LONG and uint32_t are equivalent. */
CTASSERT(sizeof(SHA_LONG) == sizeof(uint32_t));
#define DATA_ORDER_IS_BIG_ENDIAN
#define HASH_LONG SHA_LONG
#define HASH_CTX SHA256_CTX
#define HASH_CBLOCK SHA_CBLOCK
#define HASH_BLOCK_DATA_ORDER sha256_block_data_order
#ifdef SHA256_ASM
void sha256_block_data_order(SHA256_CTX *ctx, const void *_in, size_t num);
#endif
#define HASH_NO_UPDATE
#define HASH_NO_TRANSFORM
#define HASH_NO_FINAL
#include "md32_common.h"
#ifndef SHA256_ASM
static const SHA_LONG K256[64] = {
0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
@ -106,36 +92,77 @@ static const SHA_LONG K256[64] = {
0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL,
};
/*
* FIPS specification refers to right rotations, while our ROTATE macro
* is left one. This is why you might notice that rotation coefficients
* differ from those observed in FIPS document by 32-N...
*/
#define Sigma0(x) (ROTATE((x),30) ^ ROTATE((x),19) ^ ROTATE((x),10))
#define Sigma1(x) (ROTATE((x),26) ^ ROTATE((x),21) ^ ROTATE((x),7))
#define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3))
#define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10))
static inline SHA_LONG
Sigma0(SHA_LONG x)
{
return crypto_ror_u32(x, 2) ^ crypto_ror_u32(x, 13) ^
crypto_ror_u32(x, 22);
}
#define Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z)))
#define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
static inline SHA_LONG
Sigma1(SHA_LONG x)
{
return crypto_ror_u32(x, 6) ^ crypto_ror_u32(x, 11) ^
crypto_ror_u32(x, 25);
}
#define ROUND_00_15(x, i, a, b, c, d, e, f, g, h) do { \
T1 = x + h + Sigma1(e) + Ch(e, f, g) + K256[i]; \
h = Sigma0(a) + Maj(a, b, c); \
d += T1; h += T1; } while (0)
static inline SHA_LONG
sigma0(SHA_LONG x)
{
return crypto_ror_u32(x, 7) ^ crypto_ror_u32(x, 18) ^ (x >> 3);
}
#define ROUND_16_63(i, a, b, c, d, e, f, g, h, X) do { \
s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \
s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \
T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \
ROUND_00_15(T1, i, a, b, c, d, e, f, g, h); } while (0)
static inline SHA_LONG
sigma1(SHA_LONG x)
{
return crypto_ror_u32(x, 17) ^ crypto_ror_u32(x, 19) ^ (x >> 10);
}
static inline SHA_LONG
Ch(SHA_LONG x, SHA_LONG y, SHA_LONG z)
{
return (x & y) ^ (~x & z);
}
static inline SHA_LONG
Maj(SHA_LONG x, SHA_LONG y, SHA_LONG z)
{
return (x & y) ^ (x & z) ^ (y & z);
}
static inline void
sha256_msg_schedule_update(SHA_LONG *W0, SHA_LONG W1,
SHA_LONG W9, SHA_LONG W14)
{
*W0 = sigma1(W14) + W9 + sigma0(W1) + *W0;
}
static inline void
sha256_round(SHA_LONG *a, SHA_LONG *b, SHA_LONG *c, SHA_LONG *d,
SHA_LONG *e, SHA_LONG *f, SHA_LONG *g, SHA_LONG *h,
SHA_LONG Kt, SHA_LONG Wt)
{
SHA_LONG T1, T2;
T1 = *h + Sigma1(*e) + Ch(*e, *f, *g) + Kt + Wt;
T2 = Sigma0(*a) + Maj(*a, *b, *c);
*h = *g;
*g = *f;
*f = *e;
*e = *d + T1;
*d = *c;
*c = *b;
*b = *a;
*a = T1 + T2;
}
static void
sha256_block_data_order(SHA256_CTX *ctx, const void *_in, size_t num)
{
const uint8_t *in = _in;
const SHA_LONG *in32;
unsigned int a, b, c, d, e, f, g, h, s0, s1, T1;
SHA_LONG a, b, c, d, e, f, g, h;
SHA_LONG X[16];
int i;
@ -189,33 +216,57 @@ sha256_block_data_order(SHA256_CTX *ctx, const void *_in, size_t num)
}
in += SHA256_CBLOCK;
ROUND_00_15(X[0], 0, a, b, c, d, e, f, g, h);
ROUND_00_15(X[1], 1, h, a, b, c, d, e, f, g);
ROUND_00_15(X[2], 2, g, h, a, b, c, d, e, f);
ROUND_00_15(X[3], 3, f, g, h, a, b, c, d, e);
ROUND_00_15(X[4], 4, e, f, g, h, a, b, c, d);
ROUND_00_15(X[5], 5, d, e, f, g, h, a, b, c);
ROUND_00_15(X[6], 6, c, d, e, f, g, h, a, b);
ROUND_00_15(X[7], 7, b, c, d, e, f, g, h, a);
sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[0], X[0]);
sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[1], X[1]);
sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[2], X[2]);
sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[3], X[3]);
sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[4], X[4]);
sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[5], X[5]);
sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[6], X[6]);
sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[7], X[7]);
sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[8], X[8]);
sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[9], X[9]);
sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[10], X[10]);
sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[11], X[11]);
sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[12], X[12]);
sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[13], X[13]);
sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[14], X[14]);
sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[15], X[15]);
ROUND_00_15(X[8], 8, a, b, c, d, e, f, g, h);
ROUND_00_15(X[9], 9, h, a, b, c, d, e, f, g);
ROUND_00_15(X[10], 10, g, h, a, b, c, d, e, f);
ROUND_00_15(X[11], 11, f, g, h, a, b, c, d, e);
ROUND_00_15(X[12], 12, e, f, g, h, a, b, c, d);
ROUND_00_15(X[13], 13, d, e, f, g, h, a, b, c);
ROUND_00_15(X[14], 14, c, d, e, f, g, h, a, b);
ROUND_00_15(X[15], 15, b, c, d, e, f, g, h, a);
for (i = 16; i < 64; i += 16) {
sha256_msg_schedule_update(&X[0], X[1], X[9], X[14]);
sha256_msg_schedule_update(&X[1], X[2], X[10], X[15]);
sha256_msg_schedule_update(&X[2], X[3], X[11], X[0]);
sha256_msg_schedule_update(&X[3], X[4], X[12], X[1]);
sha256_msg_schedule_update(&X[4], X[5], X[13], X[2]);
sha256_msg_schedule_update(&X[5], X[6], X[14], X[3]);
sha256_msg_schedule_update(&X[6], X[7], X[15], X[4]);
sha256_msg_schedule_update(&X[7], X[8], X[0], X[5]);
sha256_msg_schedule_update(&X[8], X[9], X[1], X[6]);
sha256_msg_schedule_update(&X[9], X[10], X[2], X[7]);
sha256_msg_schedule_update(&X[10], X[11], X[3], X[8]);
sha256_msg_schedule_update(&X[11], X[12], X[4], X[9]);
sha256_msg_schedule_update(&X[12], X[13], X[5], X[10]);
sha256_msg_schedule_update(&X[13], X[14], X[6], X[11]);
sha256_msg_schedule_update(&X[14], X[15], X[7], X[12]);
sha256_msg_schedule_update(&X[15], X[0], X[8], X[13]);
for (i = 16; i < 64; i += 8) {
ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);
ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);
ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);
ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);
ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);
ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);
ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);
ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);
sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 0], X[0]);
sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 1], X[1]);
sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 2], X[2]);
sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 3], X[3]);
sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 4], X[4]);
sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 5], X[5]);
sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 6], X[6]);
sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 7], X[7]);
sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 8], X[8]);
sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 9], X[9]);
sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 10], X[10]);
sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 11], X[11]);
sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 12], X[12]);
sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 13], X[13]);
sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 14], X[14]);
sha256_round(&a, &b, &c, &d, &e, &f, &g, &h, K256[i + 15], X[15]);
}
ctx->h[0] += a;