sync with OpenBSD -current

This commit is contained in:
purplerain 2025-01-08 01:55:14 +00:00
parent a48b7fc94f
commit df306e9b72
Signed by: purplerain
GPG key ID: F42C07F07E2E35B7
1354 changed files with 105229 additions and 31150 deletions


@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.214 2024/10/19 08:26:03 tb Exp $
# $OpenBSD: Makefile,v 1.231 2024/12/19 23:56:32 tb Exp $
LIB= crypto
LIBREBUILD=y
@ -43,6 +43,7 @@ CFLAGS+= -I${LCRYPTO_SRC}/hidden
CFLAGS+= -I${LCRYPTO_SRC}/hmac
CFLAGS+= -I${LCRYPTO_SRC}/kdf
CFLAGS+= -I${LCRYPTO_SRC}/lhash
CFLAGS+= -I${LCRYPTO_SRC}/mlkem
CFLAGS+= -I${LCRYPTO_SRC}/modes
CFLAGS+= -I${LCRYPTO_SRC}/ocsp
CFLAGS+= -I${LCRYPTO_SRC}/pkcs12
@ -56,16 +57,12 @@ VERSION_SCRIPT= Symbols.map
SYMBOL_LIST= ${.CURDIR}/Symbols.list
# crypto/
SRCS+= cpt_err.c
SRCS+= cryptlib.c
SRCS+= crypto_err.c
SRCS+= crypto_ex_data.c
SRCS+= crypto_init.c
SRCS+= crypto_legacy.c
SRCS+= crypto_lock.c
SRCS+= cversion.c
SRCS+= malloc-wrapper.c
SRCS+= mem_clr.c
SRCS+= mem_dbg.c
SRCS+= o_fips.c
SRCS+= crypto_memory.c
# aes/
SRCS+= aes.c
@ -281,19 +278,15 @@ SRCS+= dsa_prn.c
# ec/
SRCS+= ec_ameth.c
SRCS+= ec_asn1.c
SRCS+= ec_convert.c
SRCS+= ec_curve.c
SRCS+= ec_err.c
SRCS+= ec_key.c
SRCS+= ec_kmeth.c
SRCS+= ec_lib.c
SRCS+= ec_mult.c
SRCS+= ec_oct.c
SRCS+= ec_pmeth.c
SRCS+= ec_print.c
SRCS+= eck_prn.c
SRCS+= ecp_mont.c
SRCS+= ecp_oct.c
SRCS+= ecp_smpl.c
SRCS+= ecp_methods.c
SRCS+= ecx_methods.c
# ecdh/
@ -379,6 +372,10 @@ SRCS+= md4.c
# md5/
SRCS+= md5.c
# mlkem/
SRCS+= mlkem768.c
SRCS+= mlkem1024.c
# modes/
SRCS+= cbc128.c
SRCS+= ccm128.c
@ -615,6 +612,7 @@ SRCS+= x_all.c
${LCRYPTO_SRC}/lhash \
${LCRYPTO_SRC}/md4 \
${LCRYPTO_SRC}/md5 \
${LCRYPTO_SRC}/mlkem \
${LCRYPTO_SRC}/modes \
${LCRYPTO_SRC}/objects \
${LCRYPTO_SRC}/ocsp \


@ -1,4 +1,4 @@
/* $OpenBSD: aes_core.c,v 1.24 2024/08/11 13:02:39 jsing Exp $ */
/* $OpenBSD: aes_core.c,v 1.25 2024/11/13 21:00:57 tb Exp $ */
/**
* rijndael-alg-fst.c
*
@ -1021,7 +1021,7 @@ aes_encrypt_internal(const unsigned char *in, unsigned char *out,
void
AES_encrypt(const unsigned char *in, unsigned char *out, const AES_KEY *key)
{
return aes_encrypt_internal(in, out, key);
aes_encrypt_internal(in, out, key);
}
LCRYPTO_ALIAS(AES_encrypt);
@ -1224,6 +1224,6 @@ aes_decrypt_internal(const unsigned char *in, unsigned char *out,
void
AES_decrypt(const unsigned char *in, unsigned char *out, const AES_KEY *key)
{
return aes_decrypt_internal(in, out, key);
aes_decrypt_internal(in, out, key);
}
LCRYPTO_ALIAS(AES_decrypt);


@ -1,15 +1,7 @@
# $OpenBSD: Makefile.inc,v 1.13 2024/03/29 07:24:09 jsing Exp $
# $OpenBSD: Makefile.inc,v 1.14 2024/11/08 13:34:24 jsing Exp $
# aarch64-specific libcrypto build rules
.for dir f in ${SSLASM}
SRCS+= ${f}.S
GENERATED+=${f}.S
${f}.S: ${LCRYPTO_SRC}/${dir}/asm/${f}.pl
/usr/bin/perl \
${LCRYPTO_SRC}/${dir}/asm/${f}.pl void ${.TARGET} > ${.TARGET}
.endfor
SRCS += crypto_cpu_caps.c
CFLAGS+= -DOPENSSL_CPUID_OBJ
AFLAGS+= -mmark-bti-property
SRCS+= arm64cpuid.S arm64cap.c


@ -1,59 +0,0 @@
/* $OpenBSD: arm64_arch.h,v 1.1 2022/03/23 15:13:31 tb Exp $ */
#ifndef __ARM_ARCH_H__
#define __ARM_ARCH_H__
#if !defined(__ARM_ARCH__)
# if defined(__CC_ARM)
# define __ARM_ARCH__ __TARGET_ARCH_ARM
# if defined(__BIG_ENDIAN)
# define __ARMEB__
# else
# define __ARMEL__
# endif
# elif defined(__GNUC__)
/*
* Why doesn't gcc define __ARM_ARCH__? Instead it defines
* bunch of below macros. See all_architectures[] table in
* gcc/config/arm/arm.c. On a side note it defines
* __ARMEL__/__ARMEB__ for little-/big-endian.
*/
# if defined(__ARM_ARCH)
# define __ARM_ARCH__ __ARM_ARCH
# elif defined(__ARM_ARCH_8A__)
# define __ARM_ARCH__ 8
# elif defined(__ARM_ARCH_7__) || defined(__ARM_ARCH_7A__) || \
defined(__ARM_ARCH_7R__)|| defined(__ARM_ARCH_7M__) || \
defined(__ARM_ARCH_7EM__)
# define __ARM_ARCH__ 7
# elif defined(__ARM_ARCH_6__) || defined(__ARM_ARCH_6J__) || \
defined(__ARM_ARCH_6K__)|| defined(__ARM_ARCH_6M__) || \
defined(__ARM_ARCH_6Z__)|| defined(__ARM_ARCH_6ZK__) || \
defined(__ARM_ARCH_6T2__)
# define __ARM_ARCH__ 6
# elif defined(__ARM_ARCH_5__) || defined(__ARM_ARCH_5T__) || \
defined(__ARM_ARCH_5E__)|| defined(__ARM_ARCH_5TE__) || \
defined(__ARM_ARCH_5TEJ__)
# define __ARM_ARCH__ 5
# elif defined(__ARM_ARCH_4__) || defined(__ARM_ARCH_4T__)
# define __ARM_ARCH__ 4
# else
# error "unsupported ARM architecture"
# endif
# endif
#endif
#if !defined(__ASSEMBLER__)
extern unsigned int OPENSSL_armcap_P;
#define ARMV7_NEON (1<<0)
#define ARMV8_AES (1<<1)
#define ARMV8_SHA1 (1<<2)
#define ARMV8_SHA256 (1<<3)
#define ARMV8_PMULL (1<<4)
#endif
#if defined(__OpenBSD__)
#define __STRICT_ALIGNMENT
#endif
#endif


@ -1,138 +0,0 @@
/* $OpenBSD: arm64cap.c,v 1.4 2024/08/29 03:30:05 deraadt Exp $ */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <setjmp.h>
#include <signal.h>
#include <openssl/crypto.h>
#if defined(__OpenBSD__)
#include <sys/sysctl.h>
#include <machine/cpu.h> /* CPU_ID_AA64ISAR0 */
#endif
#include "arm64_arch.h"
/* ID_AA64ISAR0_EL1 required for OPENSSL_cpuid_setup */
#define ID_AA64ISAR0_AES_SHIFT 4
#define ID_AA64ISAR0_AES_MASK (0xf << ID_AA64ISAR0_AES_SHIFT)
#define ID_AA64ISAR0_AES(x) ((x) & ID_AA64ISAR0_AES_MASK)
#define ID_AA64ISAR0_AES_BASE (0x1 << ID_AA64ISAR0_AES_SHIFT)
#define ID_AA64ISAR0_AES_PMULL (0x2 << ID_AA64ISAR0_AES_SHIFT)
#define ID_AA64ISAR0_SHA1_SHIFT 8
#define ID_AA64ISAR0_SHA1_MASK (0xf << ID_AA64ISAR0_SHA1_SHIFT)
#define ID_AA64ISAR0_SHA1(x) ((x) & ID_AA64ISAR0_SHA1_MASK)
#define ID_AA64ISAR0_SHA1_BASE (0x1 << ID_AA64ISAR0_SHA1_SHIFT)
#define ID_AA64ISAR0_SHA2_SHIFT 12
#define ID_AA64ISAR0_SHA2_MASK (0xf << ID_AA64ISAR0_SHA2_SHIFT)
#define ID_AA64ISAR0_SHA2(x) ((x) & ID_AA64ISAR0_SHA2_MASK)
#define ID_AA64ISAR0_SHA2_BASE (0x1 << ID_AA64ISAR0_SHA2_SHIFT)
unsigned int OPENSSL_armcap_P;
#if defined(CPU_ID_AA64ISAR0)
void
OPENSSL_cpuid_setup(void)
{
int isar0_mib[] = { CTL_MACHDEP, CPU_ID_AA64ISAR0 };
size_t len = sizeof(uint64_t);
uint64_t cpu_id = 0;
if (OPENSSL_armcap_P != 0)
return;
if (sysctl(isar0_mib, 2, &cpu_id, &len, NULL, 0) < 0)
return;
OPENSSL_armcap_P |= ARMV7_NEON;
if (ID_AA64ISAR0_AES(cpu_id) >= ID_AA64ISAR0_AES_BASE)
OPENSSL_armcap_P |= ARMV8_AES;
if (ID_AA64ISAR0_AES(cpu_id) >= ID_AA64ISAR0_AES_PMULL)
OPENSSL_armcap_P |= ARMV8_PMULL;
if (ID_AA64ISAR0_SHA1(cpu_id) >= ID_AA64ISAR0_SHA1_BASE)
OPENSSL_armcap_P |= ARMV8_SHA1;
if (ID_AA64ISAR0_SHA2(cpu_id) >= ID_AA64ISAR0_SHA2_BASE)
OPENSSL_armcap_P |= ARMV8_SHA256;
}
#else
#if __ARM_ARCH__ >= 7
static sigset_t all_masked;
static sigjmp_buf ill_jmp;
static void
ill_handler(int sig)
{
siglongjmp(ill_jmp, sig);
}
/*
* Following subroutines could have been inlined, but it's not all
* ARM compilers support inline assembler...
*/
void _armv7_neon_probe(void);
void _armv8_aes_probe(void);
void _armv8_sha1_probe(void);
void _armv8_sha256_probe(void);
void _armv8_pmull_probe(void);
#endif
void
OPENSSL_cpuid_setup(void)
{
#if __ARM_ARCH__ >= 7
struct sigaction ill_oact, ill_act;
sigset_t oset;
#endif
static int trigger = 0;
if (trigger)
return;
trigger = 1;
OPENSSL_armcap_P = 0;
#if __ARM_ARCH__ >= 7
sigfillset(&all_masked);
sigdelset(&all_masked, SIGILL);
sigdelset(&all_masked, SIGTRAP);
sigdelset(&all_masked, SIGFPE);
sigdelset(&all_masked, SIGBUS);
sigdelset(&all_masked, SIGSEGV);
memset(&ill_act, 0, sizeof(ill_act));
ill_act.sa_handler = ill_handler;
ill_act.sa_mask = all_masked;
sigprocmask(SIG_SETMASK, &ill_act.sa_mask, &oset);
sigaction(SIGILL, &ill_act, &ill_oact);
if (sigsetjmp(ill_jmp, 1) == 0) {
_armv7_neon_probe();
OPENSSL_armcap_P |= ARMV7_NEON;
if (sigsetjmp(ill_jmp, 1) == 0) {
_armv8_pmull_probe();
OPENSSL_armcap_P |= ARMV8_PMULL | ARMV8_AES;
} else if (sigsetjmp(ill_jmp, 1) == 0) {
_armv8_aes_probe();
OPENSSL_armcap_P |= ARMV8_AES;
}
if (sigsetjmp(ill_jmp, 1) == 0) {
_armv8_sha1_probe();
OPENSSL_armcap_P |= ARMV8_SHA1;
}
if (sigsetjmp(ill_jmp, 1) == 0) {
_armv8_sha256_probe();
OPENSSL_armcap_P |= ARMV8_SHA256;
}
}
sigaction (SIGILL, &ill_oact, NULL);
sigprocmask(SIG_SETMASK, &oset, NULL);
#endif
}
#endif


@ -1,53 +0,0 @@
#include "arm64_arch.h"
.text
.arch armv8-a+crypto+sha3
.align 5
.globl _armv7_neon_probe
.type _armv7_neon_probe,%function
_armv7_neon_probe:
bti c
orr v15.16b, v15.16b, v15.16b
ret
.size _armv7_neon_probe,.-_armv7_neon_probe
.globl _armv8_aes_probe
.type _armv8_aes_probe,%function
_armv8_aes_probe:
bti c
aese v0.16b, v0.16b
ret
.size _armv8_aes_probe,.-_armv8_aes_probe
.globl _armv8_sha1_probe
.type _armv8_sha1_probe,%function
_armv8_sha1_probe:
bti c
sha1h s0, s0
ret
.size _armv8_sha1_probe,.-_armv8_sha1_probe
.globl _armv8_sha256_probe
.type _armv8_sha256_probe,%function
_armv8_sha256_probe:
bti c
sha256su0 v0.4s, v0.4s
ret
.size _armv8_sha256_probe,.-_armv8_sha256_probe
.globl _armv8_pmull_probe
.type _armv8_pmull_probe,%function
_armv8_pmull_probe:
bti c
pmull v0.1q, v0.1d, v0.1d
ret
.size _armv8_pmull_probe,.-_armv8_pmull_probe
.globl _armv8_sha512_probe
.type _armv8_sha512_probe,%function
_armv8_sha512_probe:
bti c
sha512su0 v0.2d,v0.2d
ret
.size _armv8_sha512_probe,.-_armv8_sha512_probe


@ -1,4 +1,4 @@
/* $OpenBSD: crypto_arch.h,v 1.1 2024/08/11 13:02:39 jsing Exp $ */
/* $OpenBSD: crypto_arch.h,v 1.2 2024/11/08 13:34:24 jsing Exp $ */
/*
* Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
*
@ -15,7 +15,22 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <stdint.h>
#ifndef HEADER_CRYPTO_ARCH_H
#define HEADER_CRYPTO_ARCH_H
#define HAVE_CRYPTO_CPU_CAPS_INIT
#ifndef __ASSEMBLER__
extern uint64_t crypto_cpu_caps_aarch64;
#endif
#define CRYPTO_CPU_CAPS_AARCH64_AES (1ULL << 0)
#define CRYPTO_CPU_CAPS_AARCH64_PMULL (1ULL << 1)
#define CRYPTO_CPU_CAPS_AARCH64_SHA1 (1ULL << 2)
#define CRYPTO_CPU_CAPS_AARCH64_SHA2 (1ULL << 3)
#define CRYPTO_CPU_CAPS_AARCH64_SHA512 (1ULL << 4)
#define CRYPTO_CPU_CAPS_AARCH64_SHA3 (1ULL << 5)
#endif
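Review bot: The new `#include <stdint.h>` sits outside both the `HEADER_CRYPTO_ARCH_H` guard and the `#ifndef __ASSEMBLER__` guard, while the `extern uint64_t crypto_cpu_caps_aarch64;` declaration is carefully hidden from the assembler. If the `__ASSEMBLER__` guard is there because this header is meant to be included from `.S` files (inferred from the guard, not shown here), pulling in `<stdint.h>` unconditionally hands C typedefs to the assembler and would break that use. Moving the include inside the guard, `#ifndef __ASSEMBLER__` / `#include <stdint.h>` / `extern uint64_t crypto_cpu_caps_aarch64;` / `#endif`, keeps `uint64_t` in scope for the declaration that needs it and nothing else.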


@ -0,0 +1,97 @@
/* $OpenBSD: crypto_cpu_caps.c,v 1.2 2024/11/12 13:52:31 jsing Exp $ */
/*
* Copyright (c) 2023 Joel Sing <jsing@openbsd.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <sys/types.h>
#include <sys/sysctl.h>
#include <machine/cpu.h>
#include <stddef.h>
#include <stdio.h>
#include "crypto_arch.h"
/* Machine dependent CPU capabilities. */
uint64_t crypto_cpu_caps_aarch64;
static inline uint64_t
extract_bits(uint64_t val, int start, int end)
{
return (val >> end) & (1ULL << (1 + start - end)) - 1;
}
static uint64_t
parse_isar0(uint64_t isar0)
{
uint64_t caps = 0;
uint64_t feature;
/* AES - bits [7:4] */
feature = extract_bits(isar0, 7, 4);
if (feature >= 1)
caps |= CRYPTO_CPU_CAPS_AARCH64_AES;
if (feature >= 2)
caps |= CRYPTO_CPU_CAPS_AARCH64_PMULL;
/* SHA1 - bits [11:8] */
feature = extract_bits(isar0, 11, 8);
if (feature >= 1)
caps |= CRYPTO_CPU_CAPS_AARCH64_SHA1;
/* SHA2 - bits [15:12] */
feature = extract_bits(isar0, 15, 12);
if (feature >= 1)
caps |= CRYPTO_CPU_CAPS_AARCH64_SHA2;
if (feature >= 2)
caps |= CRYPTO_CPU_CAPS_AARCH64_SHA512;
/* SHA3 - bits [35:32] */
feature = extract_bits(isar0, 35, 32);
if (feature >= 1)
caps |= CRYPTO_CPU_CAPS_AARCH64_SHA3;
return caps;
}
static int
read_isar0(uint64_t *isar0)
{
uint64_t isar;
int mib[2];
size_t len;
mib[0] = CTL_MACHDEP;
mib[1] = CPU_ID_AA64ISAR0;
len = sizeof(isar);
if (sysctl(mib, 2, &isar, &len, NULL, 0) == -1)
return 0;
*isar0 = isar;
return 1;
}
void
crypto_cpu_caps_init(void)
{
uint64_t isar = 0;
if (!read_isar0(&isar))
return;
crypto_cpu_caps_aarch64 = parse_isar0(isar);
}
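Review bot: `extract_bits` relies on `-` binding tighter than `&` in `(val >> end) & (1ULL << (1 + start - end)) - 1`; the result is correct, but the expression reads as if the mask were `1ULL << n` with the `- 1` applied afterwards, which is exactly the kind of precedence slip that compilers warn about. Writing it as `return (val >> end) & ((1ULL << (1 + start - end)) - 1);` removes the ambiguity at no cost. `<stdio.h>` is included but nothing in this file uses it. Unlike the amd64 `crypto_cpu_caps_init`, this one sets no machine-independent `crypto_cpu_caps` bits (such as accelerated AES) from the ISAR0 fields; if that is deliberate until the aarch64 AES code is wired up, a one-line comment saying so would save the next reader from treating it as an omission.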


@ -1,7 +1,7 @@
#include <openssl/opensslfeatures.h>
/* crypto/opensslconf.h.in */
#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
#define OPENSSLDIR "/etc/ssl"
#endif


@ -1,7 +1,7 @@
#include <openssl/opensslfeatures.h>
/* crypto/opensslconf.h.in */
#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
#define OPENSSLDIR "/etc/ssl"
#endif


@ -1,4 +1,4 @@
# $OpenBSD: Makefile.inc,v 1.30 2024/10/18 13:36:24 jsing Exp $
# $OpenBSD: Makefile.inc,v 1.35 2024/12/06 11:57:17 jsing Exp $
# amd64-specific libcrypto build rules
@ -49,19 +49,16 @@ SSLASM+= rc4 rc4-x86_64
# ripemd
# sha
CFLAGS+= -DSHA1_ASM
SSLASM+= sha sha1-x86_64
SRCS+= sha1_amd64.c
SRCS+= sha1_amd64_generic.S
SRCS+= sha1_amd64_shani.S
CFLAGS+= -DSHA256_ASM
SRCS+= sha256-x86_64.S
GENERATED+= sha256-x86_64.S
sha256-x86_64.S: ${LCRYPTO_SRC}/sha/asm/sha512-x86_64.pl ${EXTRA_PL}
cd ${LCRYPTO_SRC}/sha/asm ; \
/usr/bin/perl ./sha512-x86_64.pl ${.OBJDIR}/${.TARGET}
SRCS+= sha256_amd64.c
SRCS+= sha256_amd64_generic.S
SRCS+= sha256_amd64_shani.S
CFLAGS+= -DSHA512_ASM
SRCS+= sha512-x86_64.S
GENERATED+= sha512-x86_64.S
sha512-x86_64.S: ${LCRYPTO_SRC}/sha/asm/sha512-x86_64.pl ${EXTRA_PL}
cd ${LCRYPTO_SRC}/sha/asm ; \
/usr/bin/perl ./sha512-x86_64.pl ${.OBJDIR}/${.TARGET}
SRCS+= sha512_amd64.c
SRCS+= sha512_amd64_generic.S
.for dir f in ${SSLASM}
SRCS+= ${f}.S


@ -1,4 +1,4 @@
/* $OpenBSD: crypto_arch.h,v 1.3 2024/10/19 13:06:11 jsing Exp $ */
/* $OpenBSD: crypto_arch.h,v 1.4 2024/11/16 13:05:35 jsing Exp $ */
/*
* Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
*
@ -15,12 +15,20 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <stdint.h>
#ifndef HEADER_CRYPTO_ARCH_H
#define HEADER_CRYPTO_ARCH_H
#define HAVE_CRYPTO_CPU_CAPS_INIT
#define HAVE_CRYPTO_CPU_CAPS_IA32
#ifndef __ASSEMBLER__
extern uint64_t crypto_cpu_caps_amd64;
#endif
#define CRYPTO_CPU_CAPS_AMD64_SHA (1ULL << 0)
#ifndef OPENSSL_NO_ASM
#define HAVE_AES_CBC_ENCRYPT_INTERNAL


@ -1,4 +1,4 @@
/* $OpenBSD: crypto_cpu_caps.c,v 1.2 2024/10/19 13:06:11 jsing Exp $ */
/* $OpenBSD: crypto_cpu_caps.c,v 1.4 2024/11/16 13:05:35 jsing Exp $ */
/*
* Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
*
@ -19,11 +19,15 @@
#include <openssl/crypto.h>
#include "crypto_arch.h"
#include "x86_arch.h"
/* Legacy architecture specific capabilities, used by perlasm. */
uint64_t OPENSSL_ia32cap_P;
/* Machine dependent CPU capabilities. */
uint64_t crypto_cpu_caps_amd64;
/* Machine independent CPU capabilities. */
extern uint64_t crypto_cpu_caps;
@ -43,7 +47,7 @@ cpuid(uint32_t eax, uint32_t *out_eax, uint32_t *out_ebx, uint32_t *out_ecx,
*out_eax = eax;
if (out_ebx != NULL)
*out_ebx = ebx;
if (out_ebx != NULL)
if (out_ecx != NULL)
*out_ecx = ecx;
if (out_edx != NULL)
*out_edx = edx;
@ -67,19 +71,21 @@ xgetbv(uint32_t ecx, uint32_t *out_eax, uint32_t *out_edx)
void
crypto_cpu_caps_init(void)
{
uint32_t eax, ebx, ecx, edx;
uint32_t eax, ebx, ecx, edx, max_cpuid;
uint64_t caps = 0;
cpuid(0, &eax, &ebx, &ecx, &edx);
max_cpuid = eax;
/* "GenuineIntel" in little endian. */
if (ebx == 0x756e6547 && edx == 0x49656e69 && ecx == 0x6c65746e)
caps |= CPUCAP_MASK_INTEL;
if (eax < 1)
if (max_cpuid < 1)
return;
cpuid(1, &eax, &ebx, &ecx, &edx);
cpuid(1, &eax, NULL, &ecx, &edx);
if ((edx & IA32CAP_MASK0_FXSR) != 0)
caps |= CPUCAP_MASK_FXSR;
@ -106,6 +112,14 @@ crypto_cpu_caps_init(void)
caps |= CPUCAP_MASK_AVX;
}
if (max_cpuid >= 7) {
cpuid(7, NULL, &ebx, NULL, NULL);
/* Intel SHA extensions feature bit - ebx[29]. */
if (((ebx >> 29) & 1) != 0)
crypto_cpu_caps_amd64 |= CRYPTO_CPU_CAPS_AMD64_SHA;
}
/* Set machine independent CPU capabilities. */
if ((caps & CPUCAP_MASK_AESNI) != 0)
crypto_cpu_caps |= CRYPTO_CPU_CAPS_ACCELERATED_AES;
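Review bot: CPUID leaf 7 is subleaf-indexed, and the SHA extensions bit (EBX[29]) is defined for subleaf 0 only, so the new `cpuid(7, NULL, &ebx, NULL, NULL)` call is correct only if the `cpuid()` helper loads ECX with 0 before executing the instruction. The helper's body starts outside this hunk, so I cannot confirm that here; if it leaves ECX as whatever the compiler had in it, the EBX value read is unspecified and `CRYPTO_CPU_CAPS_AMD64_SHA` may be set or cleared at random. Either confirm the helper zeroes ECX and note it in a comment at the call site, `/* leaf 7 subleaf 0 (helper zeroes ecx) */`, or give the helper an explicit subleaf parameter. The function continues past the end of the hunk.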


@ -1,7 +1,7 @@
#include <openssl/opensslfeatures.h>
/* crypto/opensslconf.h.in */
#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
#define OPENSSLDIR "/etc/ssl"
#endif


@ -1,7 +1,7 @@
#include <openssl/opensslfeatures.h>
/* crypto/opensslconf.h.in */
#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
#define OPENSSLDIR "/etc/ssl"
#endif


@ -1,7 +1,7 @@
#include <openssl/opensslfeatures.h>
/* crypto/opensslconf.h.in */
#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
#define OPENSSLDIR "/etc/ssl"
#endif


@ -1,4 +1,4 @@
/* $OpenBSD: crypto_cpu_caps.c,v 1.2 2024/10/19 13:06:11 jsing Exp $ */
/* $OpenBSD: crypto_cpu_caps.c,v 1.3 2024/11/12 13:14:57 jsing Exp $ */
/*
* Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
*
@ -43,7 +43,7 @@ cpuid(uint32_t eax, uint32_t *out_eax, uint32_t *out_ebx, uint32_t *out_ecx,
*out_eax = eax;
if (out_ebx != NULL)
*out_ebx = ebx;
if (out_ebx != NULL)
if (out_ecx != NULL)
*out_ecx = ecx;
if (out_edx != NULL)
*out_edx = edx;


@ -1,7 +1,7 @@
#include <openssl/opensslfeatures.h>
/* crypto/opensslconf.h.in */
#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
#define OPENSSLDIR "/etc/ssl"
#endif


@ -1,7 +1,7 @@
#include <openssl/opensslfeatures.h>
/* crypto/opensslconf.h.in */
#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
#define OPENSSLDIR "/etc/ssl"
#endif


@ -1,7 +1,7 @@
#include <openssl/opensslfeatures.h>
/* crypto/opensslconf.h.in */
#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
#define OPENSSLDIR "/etc/ssl"
#endif


@ -1,4 +1,4 @@
# $OpenBSD: Makefile.inc,v 1.12 2024/03/29 07:24:09 jsing Exp $
# $OpenBSD: Makefile.inc,v 1.13 2024/11/01 12:56:38 jsing Exp $
# powerpc-specific libcrypto build rules
@ -7,8 +7,7 @@
#SSLASM+= aes aes-ppc aes-ppc
# bn
SSLASM+= bn ppc bn-ppc
SSLASM+= bn ppc-mont ppc-mont # bn_mul_mont_int
#SSLASM+= bn ppc64-mont ppc64-mont # bn_mul_mont_fpu64
SSLASM+= bn ppc-mont ppc-mont
CFLAGS+= -DOPENSSL_BN_ASM_MONT
# sha
CFLAGS+= -DSHA1_ASM
@ -23,6 +22,3 @@ ${dst}.S: ${LCRYPTO_SRC}/${dir}/asm/${src}.pl
/usr/bin/perl \
${LCRYPTO_SRC}/${dir}/asm/${src}.pl linux32 ${.TARGET} > ${.TARGET}
.endfor
#CFLAGS+= -DOPENSSL_CPUID_OBJ # it's commented out in ppccap.c
SRCS+= ppccap.c


@ -1,7 +1,7 @@
#include <openssl/opensslfeatures.h>
/* crypto/opensslconf.h.in */
#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
#define OPENSSLDIR "/etc/ssl"
#endif


@ -1,4 +1,4 @@
# $OpenBSD: Makefile.inc,v 1.14 2024/03/29 07:24:09 jsing Exp $
# $OpenBSD: Makefile.inc,v 1.15 2024/11/01 12:56:38 jsing Exp $
# powerpc-specific libcrypto build rules
@ -7,8 +7,7 @@
#SSLASM+= aes aes-ppc aes-ppc
# bn
#SSLASM+= bn ppc bn-ppc
#SSLASM+= bn ppc-mont ppc-mont # bn_mul_mont_int
#SSLASM+= bn ppc64-mont ppc64-mont # bn_mul_mont_fpu64
#SSLASM+= bn ppc-mont ppc-mont
#CFLAGS+= -DOPENSSL_BN_ASM_MONT
# sha
#CFLAGS+= -DSHA1_ASM
@ -23,6 +22,3 @@ ${dst}.S: ${LCRYPTO_SRC}/${dir}/asm/${src}.pl
/usr/bin/perl \
${LCRYPTO_SRC}/${dir}/asm/${src}.pl linux32 ${.TARGET} > ${.TARGET}
.endfor
#CFLAGS+= -DOPENSSL_CPUID_OBJ # it's commented out in ppccap.c
SRCS+= ppccap.c


@ -1,7 +1,7 @@
#include <openssl/opensslfeatures.h>
/* crypto/opensslconf.h.in */
#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
#define OPENSSLDIR "/etc/ssl"
#endif


@ -1,7 +1,7 @@
#include <openssl/opensslfeatures.h>
/* crypto/opensslconf.h.in */
#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
#define OPENSSLDIR "/etc/ssl"
#endif


@ -1,7 +1,7 @@
#include <openssl/opensslfeatures.h>
/* crypto/opensslconf.h.in */
#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
#define OPENSSLDIR "/etc/ssl"
#endif


@ -1,7 +1,7 @@
#include <openssl/opensslfeatures.h>
/* crypto/opensslconf.h.in */
#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
#define OPENSSLDIR "/etc/ssl"
#endif


@ -1,4 +1,4 @@
/* $OpenBSD: tasn_fre.c,v 1.23 2023/07/28 10:00:10 tb Exp $ */
/* $OpenBSD: tasn_fre.c,v 1.24 2024/12/11 11:22:06 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2000.
*/
@ -152,10 +152,9 @@ asn1_item_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
* determine the type of the field it defines. So
* free up in reverse order.
*/
tt = it->templates + it->tcount - 1;
for (i = 0; i < it->tcount; tt--, i++) {
for (i = it->tcount - 1; i >= 0; i--) {
ASN1_VALUE **pseqval;
seqtt = asn1_do_adb(pval, tt, 0);
seqtt = asn1_do_adb(pval, &it->templates[i], 0);
if (!seqtt)
continue;
pseqval = asn1_get_field_ptr(pval, seqtt);
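Review bot: The rewritten loop `for (i = it->tcount - 1; i >= 0; i--)` terminates only if `i` is a signed type; the declaration of `i` is outside this hunk, and with an unsigned `i` the `i >= 0` test is always true and the loop would run off the front of `it->templates`. Please confirm `i` is declared `int` (or `long`, matching `tcount`) in the part of `asn1_item_free` not shown here. The old loop also used `tt`; if that variable is still declared it is now unused and should be dropped from the declaration. The enclosing function starts and ends outside the hunk.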


@ -1,4 +1,4 @@
/* $OpenBSD: x_info.c,v 1.21 2024/04/09 13:55:02 beck Exp $ */
/* $OpenBSD: x_info.c,v 1.22 2024/12/11 10:28:03 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -69,7 +69,7 @@ X509_INFO_new(void)
if ((ret = calloc(1, sizeof(X509_INFO))) == NULL) {
ASN1error(ERR_R_MALLOC_FAILURE);
return (NULL);
return NULL;
}
ret->references = 1;


@ -109,9 +109,9 @@ $code=<<___;
.machine "any"
.text
.globl .bn_mul_mont_int
.globl .bn_mul_mont
.align 4
.bn_mul_mont_int:
.bn_mul_mont:
cmpwi $num,4
mr $rp,r3 ; $rp is reassigned
li r3,0



@ -1,4 +1,4 @@
/* $OpenBSD: bn.h,v 1.78 2024/04/10 14:58:06 beck Exp $ */
/* $OpenBSD: bn.h,v 1.79 2025/01/06 13:15:08 tb Exp $ */
/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -401,8 +401,8 @@ int BN_set_bit(BIGNUM *a, int n);
int BN_clear_bit(BIGNUM *a, int n);
char * BN_bn2hex(const BIGNUM *a);
char * BN_bn2dec(const BIGNUM *a);
int BN_hex2bn(BIGNUM **a, const char *str);
int BN_dec2bn(BIGNUM **a, const char *str);
int BN_hex2bn(BIGNUM **a, const char *str);
int BN_dec2bn(BIGNUM **a, const char *str);
int BN_asc2bn(BIGNUM **a, const char *str);
int BN_gcd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
int BN_kronecker(const BIGNUM *a,const BIGNUM *b,BN_CTX *ctx); /* returns -2 for error */
@ -421,7 +421,7 @@ int BN_is_prime_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx, BN_GENCB *cb);
int BN_is_prime_fasttest_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx,
int do_trial_division, BN_GENCB *cb);
BN_MONT_CTX *BN_MONT_CTX_new(void );
BN_MONT_CTX *BN_MONT_CTX_new(void);
int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
BN_MONT_CTX *mont, BN_CTX *ctx);
int BN_to_montgomery(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,


@ -1,4 +1,4 @@
/* $OpenBSD: bn_convert.c,v 1.22 2024/06/22 16:33:00 jsing Exp $ */
/* $OpenBSD: bn_convert.c,v 1.23 2024/11/08 14:18:44 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -69,87 +69,73 @@
#include "bn_local.h"
#include "bytestring.h"
#include "crypto_internal.h"
static int bn_dec2bn_cbs(BIGNUM **bnp, CBS *cbs);
static int bn_hex2bn_cbs(BIGNUM **bnp, CBS *cbs);
static const char hex_digits[] = "0123456789ABCDEF";
typedef enum {
big,
little,
} endianness_t;
/* ignore negative */
static int
bn2binpad(const BIGNUM *a, unsigned char *to, int tolen, endianness_t endianness)
bn_bn2binpad_internal(const BIGNUM *bn, uint8_t *out, int out_len,
int little_endian)
{
int n;
size_t i, lasti, j, atop, mask;
BN_ULONG l;
uint8_t mask, v;
BN_ULONG w;
int i, j;
int b, n;
/*
* In case |a| is fixed-top, BN_num_bytes can return bogus length,
* but it's assumed that fixed-top inputs ought to be "nominated"
* even for padded output, so it works out...
*/
n = BN_num_bytes(a);
if (tolen == -1)
tolen = n;
else if (tolen < n) { /* uncommon/unlike case */
BIGNUM temp = *a;
n = BN_num_bytes(bn);
bn_correct_top(&temp);
if (out_len == -1)
out_len = n;
if (out_len < n)
return -1;
n = BN_num_bytes(&temp);
if (tolen < n)
return -1;
if (bn->dmax == 0) {
explicit_bzero(out, out_len);
return out_len;
}
/* Swipe through whole available data and don't give away padded zero. */
atop = a->dmax * BN_BYTES;
if (atop == 0) {
explicit_bzero(to, tolen);
return tolen;
mask = 0;
b = BN_BITS2;
j = 0;
for (i = out_len - 1; i >= 0; i--) {
if (b == BN_BITS2) {
mask = crypto_ct_lt_mask(j, bn->top);
w = bn->d[j++ % bn->dmax];
b = 0;
}
out[i] = (w >> b) & mask;
b += 8;
}
lasti = atop - 1;
atop = a->top * BN_BYTES;
if (endianness == big)
to += tolen; /* start from the end of the buffer */
for (i = 0, j = 0; j < (size_t)tolen; j++) {
unsigned char val;
l = a->d[i / BN_BYTES];
mask = 0 - ((j - atop) >> (8 * sizeof(i) - 1));
val = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask);
if (endianness == big)
*--to = val;
else
*to++ = val;
i += (i - lasti) >> (8 * sizeof(i) - 1); /* stay on last limb */
if (little_endian) {
for (i = 0, j = out_len - 1; i < out_len / 2; i++, j--) {
v = out[i];
out[i] = out[j];
out[j] = v;
}
}
return tolen;
return out_len;
}
int
BN_bn2bin(const BIGNUM *a, unsigned char *to)
BN_bn2bin(const BIGNUM *bn, unsigned char *to)
{
return bn2binpad(a, to, -1, big);
return bn_bn2binpad_internal(bn, to, -1, 0);
}
LCRYPTO_ALIAS(BN_bn2bin);
int
BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen)
BN_bn2binpad(const BIGNUM *bn, unsigned char *to, int to_len)
{
if (tolen < 0)
if (to_len < 0)
return -1;
return bn2binpad(a, to, tolen, big);
return bn_bn2binpad_internal(bn, to, to_len, 0);
}
LCRYPTO_ALIAS(BN_bn2binpad);
@ -225,12 +211,12 @@ BN_bin2bn(const unsigned char *d, int len, BIGNUM *bn)
LCRYPTO_ALIAS(BN_bin2bn);
int
BN_bn2lebinpad(const BIGNUM *a, unsigned char *to, int tolen)
BN_bn2lebinpad(const BIGNUM *bn, unsigned char *to, int to_len)
{
if (tolen < 0)
if (to_len < 0)
return -1;
return bn2binpad(a, to, tolen, little);
return bn_bn2binpad_internal(bn, to, to_len, 1);
}
LCRYPTO_ALIAS(BN_bn2lebinpad);
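Review bot: The constant-time construction in `bn_bn2binpad_internal` is load-bearing but undocumented: the loop visits every one of the `out_len` output bytes regardless of the value, `w = bn->d[j++ % bn->dmax]` wraps the limb index so reads never leave the allocated `dmax` limbs, and `crypto_ct_lt_mask(j, bn->top)` (presumably all-ones while `j < top`) is what zeroes the padding bytes instead of a branch on `top`. Without a comment, a future "cleanup" that replaces `% bn->dmax` with a bound on `top` or stops the loop early would silently reintroduce a length side channel. I would put a short comment above `mask = 0;` saying that the loop is written this way so the number of iterations and memory accesses depend only on `out_len` and `dmax`, never on `top` or the limb values, and that the `% dmax` wrap is what keeps the read in bounds once `j` passes `top`. The post-increment inside the index expression is also easy to misread; hoisting it to `w = bn->d[j % bn->dmax]; j++;` costs nothing.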


@ -1,4 +1,4 @@
/* $OpenBSD: bn_local.h,v 1.43 2024/04/16 13:07:14 jsing Exp $ */
/* $OpenBSD: bn_local.h,v 1.45 2025/01/06 13:47:37 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -280,18 +280,16 @@ int bn_rand_interval(BIGNUM *rnd, BN_ULONG lower_word, const BIGNUM *upper_exc);
void BN_init(BIGNUM *);
int BN_reciprocal(BIGNUM *r, const BIGNUM *m, int len, BN_CTX *ctx);
void BN_RECP_CTX_init(BN_RECP_CTX *recp);
BN_RECP_CTX *BN_RECP_CTX_new(void);
void BN_RECP_CTX_free(BN_RECP_CTX *recp);
int BN_RECP_CTX_set(BN_RECP_CTX *recp, const BIGNUM *rdiv, BN_CTX *ctx);
int BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, BN_RECP_CTX *recp,
BN_CTX *ctx);
int BN_mod_mul_reciprocal(BIGNUM *r, const BIGNUM *x, const BIGNUM *y,
BN_RECP_CTX *recp, BN_CTX *ctx);
int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx);
int BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
BN_RECP_CTX *recp, BN_CTX *ctx);
/* Explicitly const time / non-const time versions for internal use */
int BN_mod_exp_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,


@ -1,4 +1,4 @@
/* $OpenBSD: bn_recp.c,v 1.19 2023/03/27 10:25:02 tb Exp $ */
/* $OpenBSD: bn_recp.c,v 1.21 2025/01/06 13:47:37 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -107,30 +107,28 @@ BN_RECP_CTX_set(BN_RECP_CTX *recp, const BIGNUM *d, BN_CTX *ctx)
return (1);
}
int
BN_mod_mul_reciprocal(BIGNUM *r, const BIGNUM *x, const BIGNUM *y,
BN_RECP_CTX *recp, BN_CTX *ctx)
/* len is the expected size of the result
* We actually calculate with an extra word of precision, so
* we can do faster division if the remainder is not required.
*/
/* r := 2^len / m */
static int
BN_reciprocal(BIGNUM *r, const BIGNUM *m, int len, BN_CTX *ctx)
{
int ret = 0;
BIGNUM *a;
const BIGNUM *ca;
int ret = -1;
BIGNUM *t;
BN_CTX_start(ctx);
if ((a = BN_CTX_get(ctx)) == NULL)
if ((t = BN_CTX_get(ctx)) == NULL)
goto err;
if (y != NULL) {
if (x == y) {
if (!BN_sqr(a, x, ctx))
goto err;
} else {
if (!BN_mul(a, x, y, ctx))
goto err;
}
ca = a;
} else
ca = x; /* Just do the mod */
ret = BN_div_recp(NULL, r, ca, recp, ctx);
if (!BN_set_bit(t, len))
goto err;
if (!BN_div_ct(r, NULL, t,m, ctx))
goto err;
ret = len;
err:
BN_CTX_end(ctx);
@ -231,28 +229,31 @@ err:
return (ret);
}
/* len is the expected size of the result
* We actually calculate with an extra word of precision, so
* we can do faster division if the remainder is not required.
*/
/* r := 2^len / m */
int
BN_reciprocal(BIGNUM *r, const BIGNUM *m, int len, BN_CTX *ctx)
BN_mod_mul_reciprocal(BIGNUM *r, const BIGNUM *x, const BIGNUM *y,
BN_RECP_CTX *recp, BN_CTX *ctx)
{
int ret = -1;
BIGNUM *t;
int ret = 0;
BIGNUM *a;
const BIGNUM *ca;
BN_CTX_start(ctx);
if ((t = BN_CTX_get(ctx)) == NULL)
if ((a = BN_CTX_get(ctx)) == NULL)
goto err;
if (y != NULL) {
if (x == y) {
if (!BN_sqr(a, x, ctx))
goto err;
} else {
if (!BN_mul(a, x, y, ctx))
goto err;
}
ca = a;
} else
ca = x; /* Just do the mod */
if (!BN_set_bit(t, len))
goto err;
if (!BN_div_ct(r, NULL, t,m, ctx))
goto err;
ret = len;
ret = BN_div_recp(NULL, r, ca, recp, ctx);
err:
BN_CTX_end(ctx);
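Review bot: The moved `BN_reciprocal` carries two back-to-back comment blocks ("len is the expected size of the result..." and "r := 2^len / m") that read as leftovers of two edits; now that the function is `static` and the header prototype is gone, this is the only place its contract lives, so they are worth merging into one comment that states both what is computed and what is returned, e.g. `/* Compute r := 2^len / m. Returns len on success, -1 on error. */`. The call `BN_div_ct(r, NULL, t,m, ctx)` is also missing the space after the comma, which stands out now that the line has moved into the new side. Both functions otherwise appear to be pure relocations.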


@ -1,4 +1,4 @@
/* $OpenBSD: bytestring.h,v 1.5 2024/06/22 15:32:51 jsing Exp $ */
/* $OpenBSD: bytestring.h,v 1.6 2024/12/05 19:57:37 tb Exp $ */
/*
* Copyright (c) 2014, Google Inc.
*



@ -1,4 +1,4 @@
/* $OpenBSD: cms_asn1.c,v 1.24 2024/07/09 06:12:45 beck Exp $ */
/* $OpenBSD: cms_asn1.c,v 1.25 2024/11/01 18:53:35 tb Exp $ */
/*
* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project.
@ -52,12 +52,17 @@
* ====================================================================
*/
#include <openssl/asn1t.h>
#include <openssl/pem.h>
#include <openssl/x509v3.h>
#include <openssl/cms.h>
#include "cms_local.h"
#include <stddef.h>
#include <stdlib.h>
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
#include <openssl/cms.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include "cms_local.h"
static const ASN1_TEMPLATE CMS_IssuerAndSerialNumber_seq_tt[] = {
{


@ -1,4 +1,4 @@
/* $OpenBSD: cms_enc.c,v 1.24 2024/01/14 18:40:24 tb Exp $ */
/* $OpenBSD: cms_enc.c,v 1.25 2024/11/01 18:34:06 tb Exp $ */
/*
* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project.
@ -52,19 +52,19 @@
* ====================================================================
*/
#include <stdlib.h>
#include <string.h>
#include "cryptlib.h"
#include <openssl/asn1t.h>
#include <openssl/pem.h>
#include <openssl/x509v3.h>
#include <openssl/err.h>
#include <openssl/asn1.h>
#include <openssl/bio.h>
#include <openssl/cms.h>
#include <openssl/rand.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/x509.h>
#include "cms_local.h"
#include "evp_local.h"
#include "x509_local.h"
/* CMS EncryptedData Utilities */


@ -1,4 +1,4 @@
/* $OpenBSD: cms_env.c,v 1.27 2024/01/14 18:40:24 tb Exp $ */
/* $OpenBSD: cms_env.c,v 1.28 2024/11/01 18:42:10 tb Exp $ */
/*
* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project.
@ -52,19 +52,20 @@
* ====================================================================
*/
#include <stdlib.h>
#include <string.h>
#include <openssl/asn1t.h>
#include <openssl/pem.h>
#include <openssl/x509v3.h>
#include <openssl/err.h>
#include <openssl/cms.h>
#include <openssl/aes.h>
#include <openssl/asn1.h>
#include <openssl/bio.h>
#include <openssl/cms.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/x509.h>
#include "asn1/asn1_local.h"
#include "cms_local.h"
#include "evp/evp_local.h"
#include "x509_local.h"
#include "evp_local.h"
/* CMS EnvelopedData Utilities */


@ -1,4 +1,4 @@
/* $OpenBSD: cms_ess.c,v 1.25 2024/03/30 01:53:05 joshua Exp $ */
/* $OpenBSD: cms_ess.c,v 1.26 2024/11/01 18:53:35 tb Exp $ */
/*
* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project.
@ -52,17 +52,18 @@
* ====================================================================
*/
#include <stdlib.h>
#include <string.h>
#include <openssl/asn1t.h>
#include <openssl/pem.h>
#include <openssl/rand.h>
#include <openssl/x509v3.h>
#include <openssl/err.h>
#include <openssl/asn1.h>
#include <openssl/cms.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include "cms_local.h"
#include "x509_local.h"
CMS_ReceiptRequest *
d2i_CMS_ReceiptRequest(CMS_ReceiptRequest **a, const unsigned char **in, long len)


@ -1,4 +1,4 @@
/* $OpenBSD: cms_kari.c,v 1.16 2024/02/02 14:11:45 tb Exp $ */
/* $OpenBSD: cms_kari.c,v 1.17 2024/11/01 18:34:06 tb Exp $ */
/*
* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project.
@ -52,17 +52,15 @@
* ====================================================================
*/
#include <stdlib.h>
#include <string.h>
#include "cryptlib.h"
#include <openssl/asn1t.h>
#include <openssl/pem.h>
#include <openssl/x509v3.h>
#include <openssl/err.h>
#include <openssl/asn1.h>
#include <openssl/cms.h>
#include <openssl/aes.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include "cms_local.h"
#include "asn1/asn1_local.h"
/* Key Agreement Recipient Info (KARI) routines */


@ -1,4 +1,4 @@
/* $OpenBSD: cms_lib.c,v 1.25 2024/03/30 01:53:05 joshua Exp $ */
/* $OpenBSD: cms_lib.c,v 1.26 2024/11/01 18:53:35 tb Exp $ */
/*
* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project.
@ -52,13 +52,16 @@
* ====================================================================
*/
#include <openssl/asn1t.h>
#include <openssl/x509v3.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/bio.h>
#include <stddef.h>
#include <openssl/asn1.h>
#include <openssl/bio.h>
#include <openssl/cms.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include "cms_local.h"
#include "x509_local.h"


@ -1,84 +0,0 @@
/* $OpenBSD: cryptlib.h,v 1.26 2021/11/24 01:12:43 beck Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
#ifndef HEADER_CRYPTLIB_H
#define HEADER_CRYPTLIB_H
#include <openssl/opensslconf.h>
#ifdef __cplusplus
extern "C" {
#endif
#define X509_CERT_AREA OPENSSLDIR
#define X509_CERT_DIR OPENSSLDIR "/certs"
#define X509_CERT_FILE OPENSSLDIR "/cert.pem"
#define X509_PRIVATE_DIR OPENSSLDIR "/private"
#define X509_CERT_DIR_EVP "SSL_CERT_DIR"
#define X509_CERT_FILE_EVP "SSL_CERT_FILE"
#define CTLOG_FILE OPENSSLDIR "/ct_log_list.cnf"
#define CTLOG_FILE_EVP "CTLOG_FILE"
void OPENSSL_cpuid_setup(void);
#ifdef __cplusplus
}
#endif
#endif


@ -1,4 +1,4 @@
/* $OpenBSD: cpt_err.c,v 1.16 2024/06/24 06:43:22 tb Exp $ */
/* $OpenBSD: crypto_err.c,v 1.1 2024/11/05 11:21:15 tb Exp $ */
/* ====================================================================
* Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
*


@ -1,4 +1,4 @@
/* $OpenBSD: crypto_internal.h,v 1.13 2024/10/17 14:27:57 jsing Exp $ */
/* $OpenBSD: crypto_internal.h,v 1.14 2024/11/08 14:05:43 jsing Exp $ */
/*
* Copyright (c) 2023 Joel Sing <jsing@openbsd.org>
*
@ -28,6 +28,74 @@
#define CTASSERT(x) \
extern char _ctassert[(x) ? 1 : -1] __attribute__((__unused__))
/*
* Constant time functions for size_t.
*/
#ifndef HAVE_CRYPTO_CT_NE_ZERO
static inline int
crypto_ct_ne_zero(size_t v)
{
return (v | ~(v - 1)) >> ((sizeof(v) * 8) - 1);
}
#endif
#ifndef HAVE_CRYPTO_CT_NE_ZERO_MASK
static inline size_t
crypto_ct_ne_zero_mask(size_t v)
{
return 0 - crypto_ct_ne_zero(v);
}
#endif
#ifndef HAVE_CRYPTO_CT_EQ_ZERO
static inline int
crypto_ct_eq_zero(size_t v)
{
return 1 - crypto_ct_ne_zero(v);
}
#endif
#ifndef HAVE_CRYPTO_CT_EQ_ZERO_MASK_U8
static inline size_t
crypto_ct_eq_zero_mask(size_t v)
{
return 0 - crypto_ct_eq_zero(v);
}
#endif
#ifndef HAVE_CRYPTO_CT_LT
static inline int
crypto_ct_lt(size_t a, size_t b)
{
return (((a - b) | (b & ~a)) & (b | ~a)) >>
(sizeof(size_t) * 8 - 1);
}
#endif
#ifndef HAVE_CRYPTO_CT_LT_MASK
static inline size_t
crypto_ct_lt_mask(size_t a, size_t b)
{
return 0 - crypto_ct_lt(a, b);
}
#endif
#ifndef HAVE_CRYPTO_CT_GT
static inline int
crypto_ct_gt(size_t a, size_t b)
{
return crypto_ct_lt(b, a);
}
#endif
#ifndef HAVE_CRYPTO_CT_GT_MASK
static inline size_t
crypto_ct_gt_mask(size_t a, size_t b)
{
return 0 - crypto_ct_gt(a, b);
}
#endif
/*
* Constant time operations for uint8_t.
*/


@ -1,4 +1,4 @@
/* $OpenBSD: cryptlib.c,v 1.57 2024/10/19 13:06:11 jsing Exp $ */
/* $OpenBSD: crypto_legacy.c,v 1.6 2024/11/06 04:18:42 tb Exp $ */
/* ====================================================================
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
*
@ -123,8 +123,8 @@
#include <openssl/opensslconf.h>
#include <openssl/crypto.h>
#include <openssl/err.h>
#include "cryptlib.h"
#include "crypto_internal.h"
#include "crypto_local.h"
#include "x86_arch.h"
@ -211,7 +211,8 @@ CRYPTO_get_dynlock_value(int i)
}
LCRYPTO_ALIAS(CRYPTO_get_dynlock_value);
int CRYPTO_get_new_dynlockid(void)
int
CRYPTO_get_new_dynlockid(void)
{
return 0;
}
@ -305,31 +306,6 @@ void
}
LCRYPTO_ALIAS(CRYPTO_get_dynlock_destroy_callback);
void
CRYPTO_THREADID_current(CRYPTO_THREADID *id)
{
memset(id, 0, sizeof(*id));
id->val = (unsigned long)pthread_self();
}
int
CRYPTO_THREADID_cmp(const CRYPTO_THREADID *a, const CRYPTO_THREADID *b)
{
return memcmp(a, b, sizeof(*a));
}
void
CRYPTO_THREADID_cpy(CRYPTO_THREADID *dest, const CRYPTO_THREADID *src)
{
memcpy(dest, src, sizeof(*src));
}
unsigned long
CRYPTO_THREADID_hash(const CRYPTO_THREADID *id)
{
return id->val;
}
#if !defined(OPENSSL_CPUID_SETUP) && !defined(OPENSSL_CPUID_OBJ)
void
OPENSSL_cpuid_setup(void)
@ -381,6 +357,13 @@ OpenSSLDie(const char *file, int line, const char *assertion)
}
LCRYPTO_ALIAS(OpenSSLDie);
int
CRYPTO_mem_ctrl(int mode)
{
return CRYPTO_MEM_CHECK_OFF;
}
LCRYPTO_ALIAS(CRYPTO_mem_ctrl);
int
CRYPTO_memcmp(const void *in_a, const void *in_b, size_t len)
{
@ -395,3 +378,74 @@ CRYPTO_memcmp(const void *in_a, const void *in_b, size_t len)
return x;
}
LCRYPTO_ALIAS(CRYPTO_memcmp);
int
FIPS_mode(void)
{
return 0;
}
LCRYPTO_ALIAS(FIPS_mode);
int
FIPS_mode_set(int r)
{
if (r == 0)
return 1;
CRYPTOerror(CRYPTO_R_FIPS_MODE_NOT_SUPPORTED);
return 0;
}
LCRYPTO_ALIAS(FIPS_mode_set);
const char *
SSLeay_version(int t)
{
switch (t) {
case SSLEAY_VERSION:
return OPENSSL_VERSION_TEXT;
case SSLEAY_BUILT_ON:
return "built on: date not available";
case SSLEAY_CFLAGS:
return "compiler: information not available";
case SSLEAY_PLATFORM:
return "platform: information not available";
case SSLEAY_DIR:
return "OPENSSLDIR: \"" OPENSSLDIR "\"";
}
return "not available";
}
LCRYPTO_ALIAS(SSLeay_version);
unsigned long
SSLeay(void)
{
return SSLEAY_VERSION_NUMBER;
}
LCRYPTO_ALIAS(SSLeay);
const char *
OpenSSL_version(int t)
{
switch (t) {
case OPENSSL_VERSION:
return OPENSSL_VERSION_TEXT;
case OPENSSL_BUILT_ON:
return "built on: date not available";
case OPENSSL_CFLAGS:
return "compiler: information not available";
case OPENSSL_PLATFORM:
return "platform: information not available";
case OPENSSL_DIR:
return "OPENSSLDIR: \"" OPENSSLDIR "\"";
case OPENSSL_ENGINES_DIR:
return "ENGINESDIR: N/A";
}
return "not available";
}
LCRYPTO_ALIAS(OpenSSL_version);
unsigned long
OpenSSL_version_num(void)
{
return SSLeay();
}
LCRYPTO_ALIAS(OpenSSL_version_num);
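Review bot: `CRYPTO_mem_ctrl` and `FIPS_mode_set` are compatibility stubs that ignore or reject their argument, and nothing in the hunk says so; a one-line comment above each, e.g. `/* Memory debugging is not supported; always reports CRYPTO_MEM_CHECK_OFF. */` and `/* FIPS mode is not supported: only disabling it (r == 0) succeeds. */`, keeps a later reader from assuming `mode` or a non-zero `r` has any effect. The version functions moved in from cversion.c are unchanged apart from the dropped parentheses in `SSLeay`'s return. The `CRYPTO_THREADID_*` functions removed in the earlier hunk also lose their prototypes in the crypto_local.h section; if the names are still listed in Symbols.list the link step will show it, which is worth confirming before this lands.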


@ -1,57 +1,4 @@
/* $OpenBSD: crypto_local.h,v 1.1 2024/03/02 11:37:13 tb Exp $ */
/* ====================================================================
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
/* $OpenBSD: crypto_local.h,v 1.4 2024/11/05 10:11:58 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -108,31 +55,30 @@
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
/* ====================================================================
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
* ECDH support in OpenSSL originally developed by
* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
*/
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#ifndef HEADER_CRYPTO_LOCAL_H
#define HEADER_CRYPTO_LOCAL_H
__BEGIN_HIDDEN_DECLS
struct crypto_threadid_st {
void *ptr;
unsigned long val;
} /* CRYPTO_THREADID */;
void CRYPTO_THREADID_current(CRYPTO_THREADID *id);
int CRYPTO_THREADID_cmp(const CRYPTO_THREADID *a, const CRYPTO_THREADID *b);
void CRYPTO_THREADID_cpy(CRYPTO_THREADID *dest, const CRYPTO_THREADID *src);
unsigned long CRYPTO_THREADID_hash(const CRYPTO_THREADID *id);
__END_HIDDEN_DECLS
#include <openssl/opensslconf.h>
#ifdef __cplusplus
extern "C" {
#endif
#define X509_CERT_AREA OPENSSLDIR
#define X509_CERT_DIR OPENSSLDIR "/certs"
#define X509_CERT_FILE OPENSSLDIR "/cert.pem"
#define X509_PRIVATE_DIR OPENSSLDIR "/private"
#define X509_CERT_DIR_EVP "SSL_CERT_DIR"
#define X509_CERT_FILE_EVP "SSL_CERT_FILE"
#define CTLOG_FILE OPENSSLDIR "/ct_log_list.cnf"
#define CTLOG_FILE_EVP "CTLOG_FILE"
void OPENSSL_cpuid_setup(void);
#ifdef __cplusplus
}
#endif
#endif /* HEADER_CRYPTO_LOCAL_H */
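Review bot: The new body of crypto_local.h is the former cryptlib.h content, so `void OPENSSL_cpuid_setup(void);` is now declared inside a plain `extern "C"` block instead of the `__BEGIN_HIDDEN_DECLS`/`__END_HIDDEN_DECLS` pair that the removed CRYPTO_THREADID prototypes used. If this internal symbol is not hidden by another mechanism (the version script or a hidden/ header), it becomes part of the exported surface of libcrypto; that is worth checking, and a comment on the declaration naming where its visibility is enforced would settle it for the next reader. The `extern "C"` wrapper appears to be inherited verbatim from cryptlib.h; for an internal header never consumed by C++ it is harmless, but the hidden-decls form would match the other *_local.h headers.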


@ -1,4 +1,4 @@
/* $OpenBSD: malloc-wrapper.c,v 1.11 2024/04/10 14:51:02 beck Exp $ */
/* $OpenBSD: crypto_memory.c,v 1.3 2024/11/06 04:18:42 tb Exp $ */
/*
* Copyright (c) 2014 Bob Beck
*
@ -14,12 +14,20 @@
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/crypto.h>
void
OPENSSL_cleanse(void *ptr, size_t len)
{
explicit_bzero(ptr, len);
}
LCRYPTO_ALIAS(OPENSSL_cleanse);
int
CRYPTO_set_mem_functions(void *(*m)(size_t), void *(*r)(void *, size_t),
void (*f)(void *))
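Review bot: `OPENSSL_cleanse` now delegates to `explicit_bzero` with no comment saying why a plain `memset` would not do; since callers rely on it to scrub key material before freeing, add `/* Must not be optimised away: callers scrub key material with this before free(). */` above the definition. `explicit_bzero` is a BSD/glibc extension rather than ISO C, so a portable build needs a compat shim, and noting that dependency here (or in the compat layer) documents it. The `CRYPTO_set_mem_functions` definition begins at the end of this hunk and continues outside it.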


@ -1,4 +1,4 @@
/* $OpenBSD: ct_log.c,v 1.7 2024/08/31 09:26:18 tb Exp $ */
/* $OpenBSD: ct_log.c,v 1.9 2024/11/05 09:35:40 tb Exp $ */
/* Author: Adam Eijdenberg <adam.eijdenberg@gmail.com>. */
/* ====================================================================
* Copyright (c) 1998-2016 The OpenSSL Project. All rights reserved.
@ -58,18 +58,20 @@
* https://www.openssl.org/source/license.html
*/
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/asn1.h>
#include <openssl/conf.h>
#include <openssl/ct.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/safestack.h>
#include <openssl/sha.h>
#include <openssl/x509.h>
#include "conf_local.h"
#include "cryptlib.h"
#include "crypto_local.h"
/*


@ -1,116 +0,0 @@
/* $OpenBSD: cversion.c,v 1.19 2024/03/16 21:42:20 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
#include <openssl/crypto.h>
#include <openssl/opensslv.h>
#include "cryptlib.h"
const char *
SSLeay_version(int t)
{
switch (t) {
case SSLEAY_VERSION:
return OPENSSL_VERSION_TEXT;
case SSLEAY_BUILT_ON:
return "built on: date not available";
case SSLEAY_CFLAGS:
return "compiler: information not available";
case SSLEAY_PLATFORM:
return "platform: information not available";
case SSLEAY_DIR:
return "OPENSSLDIR: \"" OPENSSLDIR "\"";
}
return "not available";
}
LCRYPTO_ALIAS(SSLeay_version);
unsigned long
SSLeay(void)
{
return (SSLEAY_VERSION_NUMBER);
}
LCRYPTO_ALIAS(SSLeay);
const char *
OpenSSL_version(int t)
{
switch (t) {
case OPENSSL_VERSION:
return OPENSSL_VERSION_TEXT;
case OPENSSL_BUILT_ON:
return "built on: date not available";
case OPENSSL_CFLAGS:
return "compiler: information not available";
case OPENSSL_PLATFORM:
return "platform: information not available";
case OPENSSL_DIR:
return "OPENSSLDIR: \"" OPENSSLDIR "\"";
case OPENSSL_ENGINES_DIR:
return "ENGINESDIR: N/A";
}
return "not available";
}
LCRYPTO_ALIAS(OpenSSL_version);
unsigned long
OpenSSL_version_num(void)
{
return SSLeay();
}
LCRYPTO_ALIAS(OpenSSL_version_num);


@ -1,4 +1,4 @@
/* $OpenBSD: dh_check.c,v 1.29 2024/08/30 17:44:56 tb Exp $ */
/* $OpenBSD: dh_check.c,v 1.30 2024/11/29 15:59:57 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -127,10 +127,8 @@ DH_check(const DH *dh, int *flags)
BN_CTX_start(ctx);
if (dh->q != NULL) {
BIGNUM *quotient, *residue;
BIGNUM *residue;
if ((quotient = BN_CTX_get(ctx)) == NULL)
goto err;
if ((residue = BN_CTX_get(ctx)) == NULL)
goto err;
if ((*flags & DH_NOT_SUITABLE_GENERATOR) == 0) {
@ -147,12 +145,10 @@ DH_check(const DH *dh, int *flags)
if (is_prime == 0)
*flags |= DH_CHECK_Q_NOT_PRIME;
/* Check p == 1 mod q, i.e., q divides p - 1 */
if (!BN_div_ct(quotient, residue, dh->p, dh->q, ctx))
if (!BN_div_ct(NULL, residue, dh->p, dh->q, ctx))
goto err;
if (!BN_is_one(residue))
*flags |= DH_CHECK_INVALID_Q_VALUE;
if (dh->j != NULL && BN_cmp(dh->j, quotient) != 0)
*flags |= DH_CHECK_INVALID_J_VALUE;
}
is_prime = BN_is_prime_ex(dh->p, DH_NUMBER_ITERATIONS_FOR_PRIME,
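Review bot: Dropping the `quotient` comparison means `DH_check` can no longer set `DH_CHECK_INVALID_J_VALUE`; that matches the `j` field leaving `struct dh_st` in the dh_local.h section and `BN_free(dh->j)` leaving `DH_free` in dh_lib.c, but a caller that tests this flag now silently sees a pass, so either the public flag's documentation should say it is never reported or the flag should be retired with the field. Passing `NULL` as the quotient to `BN_div_ct` is fine provided that function accepts a NULL quotient the way `BN_div` does; a short `/* Only the remainder is needed. */` next to the call makes the NULL deliberate. `DH_check`'s body starts and ends outside both hunks.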


@ -1,4 +1,4 @@
/* $OpenBSD: dh_lib.c,v 1.45 2024/03/27 01:26:30 tb Exp $ */
/* $OpenBSD: dh_lib.c,v 1.46 2024/11/29 15:59:57 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -154,11 +154,8 @@ DH_free(DH *dh)
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DH, dh, &dh->ex_data);
BN_free(dh->p);
BN_free(dh->g);
BN_free(dh->q);
BN_free(dh->j);
free(dh->seed);
BN_free(dh->counter);
BN_free(dh->g);
BN_free(dh->pub_key);
BN_free(dh->priv_key);
free(dh);


@ -1,4 +1,4 @@
/* $OpenBSD: dh_local.h,v 1.5 2024/08/30 17:44:56 tb Exp $ */
/* $OpenBSD: dh_local.h,v 1.7 2024/11/29 15:59:57 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -78,11 +78,9 @@ struct dh_method {
};
struct dh_st {
/* This first argument is used to pick up errors when
* a DH is passed instead of a EVP_PKEY */
int pad;
int version;
BIGNUM *p;
BIGNUM *q;
BIGNUM *g;
long length; /* optional */
BIGNUM *pub_key; /* g^x */
@ -90,12 +88,6 @@ struct dh_st {
int flags;
BN_MONT_CTX *method_mont_p;
/* Place holders if we want to do X9.42 DH */
BIGNUM *q;
BIGNUM *j;
unsigned char *seed;
int seedlen;
BIGNUM *counter;
int references;
CRYPTO_EX_DATA ex_data;


@ -1,4 +1,4 @@
/* $OpenBSD: dsa.h,v 1.44 2024/03/02 09:33:14 tb Exp $ */
/* $OpenBSD: dsa.h,v 1.46 2024/12/05 19:34:46 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -177,15 +177,6 @@ int DSA_print(BIO *bp, const DSA *x, int off);
int DSAparams_print_fp(FILE *fp, const DSA *x);
int DSA_print_fp(FILE *bp, const DSA *x, int off);
/*
* Primality test according to FIPS PUB 186-4, Appendix C.3. Set the number
* to 64 rounds of Miller-Rabin, which corresponds to 128 bits of security.
* This is necessary for keys of size >= 3072.
*/
#define DSS_prime_checks 64
#define DSA_is_prime(n, callback, cb_arg) \
BN_is_prime(n, DSS_prime_checks, callback, NULL, cb_arg)
#ifndef OPENSSL_NO_DH
/* Convert DSA structure (key or just parameters) into DH structure
* (be careful to avoid small subgroup attacks when using this!) */


@ -1,4 +1,4 @@
/* $OpenBSD: dsa_gen.c,v 1.32 2024/05/11 06:43:50 tb Exp $ */
/* $OpenBSD: dsa_gen.c,v 1.33 2024/12/05 19:34:46 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -71,6 +71,14 @@
#include "bn_local.h"
#include "dsa_local.h"
/*
* Primality test according to FIPS PUB 186-4, Appendix C.3. Set the number
* to 64 rounds of Miller-Rabin, which corresponds to 128 bits of security.
* This is necessary for keys of size >= 3072.
* XXX - now that we do BPSW the recommendation is to do 2 for p and 27 for q.
*/
#define DSA_prime_checks 64
int
DSA_generate_parameters_ex(DSA *ret, int bits, const unsigned char *seed_in,
int seed_len, int *counter_ret, unsigned long *h_ret, BN_GENCB *cb)
@ -207,7 +215,7 @@ dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, const EVP_MD *evpmd,
goto err;
/* step 4 */
r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx,
r = BN_is_prime_fasttest_ex(q, DSA_prime_checks, ctx,
seed_is_random, cb);
if (r > 0)
break;
@ -278,7 +286,7 @@ dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, const EVP_MD *evpmd,
/* step 10 */
if (BN_cmp(p, test) >= 0) {
/* step 11 */
r = BN_is_prime_fasttest_ex(p, DSS_prime_checks,
r = BN_is_prime_fasttest_ex(p, DSA_prime_checks,
ctx, 1, cb);
if (r > 0)
goto end; /* found it */
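Review bot: The comment on the new file-local `DSA_prime_checks` says that with BPSW the recommendation is 2 rounds for p and 27 for q, yet both `BN_is_prime_fasttest_ex` calls still pass 64; say why 64 is kept (extra margin, or preserving the previous behaviour) so the XXX note is not read as a pending bug, e.g. `/* Kept at 64 for margin; see XXX above. */`. Removing `DSS_prime_checks` and the `DSA_is_prime` macro from the public dsa.h section is an API change for any external code that used them, which is reasonable for a private tuning constant but deserves a line in the release notes. `dsa_builtin_paramgen` starts and ends outside the hunks shown.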


@ -1,4 +1,4 @@
/* $OpenBSD: dsa_local.h,v 1.4 2024/05/11 06:43:50 tb Exp $ */
/* $OpenBSD: dsa_local.h,v 1.5 2024/11/29 07:42:35 tb Exp $ */
/* ====================================================================
* Copyright (c) 2007 The OpenSSL Project. All rights reserved.
*
@ -75,9 +75,6 @@ struct dsa_method {
} /* DSA_METHOD */;
struct dsa_st {
/* This first variable is used to pick up errors where
* a DSA is passed instead of of a EVP_PKEY */
int pad;
long version;
BIGNUM *p;
BIGNUM *q; /* == 20 */


@ -1,4 +1,4 @@
/* $OpenBSD: ec_ameth.c,v 1.69 2024/08/29 16:58:19 tb Exp $ */
/* $OpenBSD: ec_ameth.c,v 1.73 2024/11/25 06:51:39 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2006.
*/
@ -56,18 +56,24 @@
*
*/
#include <stdio.h>
#include <stddef.h>
#include <stdlib.h>
#include <openssl/opensslconf.h>
#include <openssl/asn1.h>
#include <openssl/bio.h>
#include <openssl/bn.h>
#include <openssl/cms.h>
#include <openssl/ec.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/pkcs7.h>
#include <openssl/objects.h>
#include <openssl/x509.h>
#include "asn1_local.h"
#include "ec_local.h"
#include "bn_local.h"
#include "evp_local.h"
#include "x509_local.h"
@ -98,7 +104,7 @@ eckey_get_curve_name(const EC_KEY *eckey, int *nid)
ECerror(EC_R_MISSING_PARAMETERS);
return 0;
}
if (EC_GROUP_get_asn1_flag(group) != 0)
if ((EC_GROUP_get_asn1_flag(group) & OPENSSL_EC_NAMED_CURVE) != 0)
*nid = EC_GROUP_get_curve_name(group);
return 1;
@ -304,7 +310,7 @@ eckey_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
return -2;
}
static int
int
eckey_compute_pubkey(EC_KEY *eckey)
{
const BIGNUM *priv_key;
@ -322,7 +328,6 @@ eckey_compute_pubkey(EC_KEY *eckey)
goto err;
if (!EC_KEY_set_public_key(eckey, pub_key))
goto err;
pub_key = NULL;
ret = 1;
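Review bot: Dropping `pub_key = NULL;` after `EC_KEY_set_public_key(eckey, pub_key)` means the local point is now always freed at the `err` label; that is the right fix if `EC_KEY_set_public_key` copies the point (the old code leaked it on success), but it becomes a double free if the call takes ownership, so pin the assumption with `/* EC_KEY_set_public_key() copies the point; free our local copy. */`. `eckey_compute_pubkey` also changes from `static` to external linkage; it should be declared in ec_local.h inside the hidden-declaration block so it does not become an exported symbol. The `OPENSSL_EC_NAMED_CURVE` mask in `eckey_get_curve_name` is correct, and a short comment that the asn1 flag is a bit field rather than a boolean would explain why the plain `!= 0` test was wrong. Both functions extend beyond the hunks shown.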


@ -1,4 +1,4 @@
/* $OpenBSD: ec_asn1.c,v 1.75 2024/10/18 17:27:07 tb Exp $ */
/* $OpenBSD: ec_asn1.c,v 1.109 2024/12/06 05:13:35 tb Exp $ */
/*
* Written by Nils Larsch for the OpenSSL project.
*/
@ -56,10 +56,16 @@
*
*/
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/opensslconf.h>
#include <openssl/asn1.h>
#include <openssl/bn.h>
#include <openssl/ec.h>
#include <openssl/err.h>
#include <openssl/asn1t.h>
#include <openssl/objects.h>
@ -556,6 +562,92 @@ EC_PRIVATEKEY_free(EC_PRIVATEKEY *a)
ASN1_item_free((ASN1_VALUE *)a, &EC_PRIVATEKEY_it);
}
static int
ec_point_from_asn1_string(const EC_GROUP *group, const ASN1_STRING *astr,
EC_POINT **out_point, uint8_t *out_form)
{
return ec_point_from_octets(group, astr->data, astr->length,
out_point, out_form, NULL);
}
static int
ec_point_from_asn1_bit_string(const EC_GROUP *group, const ASN1_BIT_STRING *abs,
EC_POINT **out_point, uint8_t *out_form)
{
/*
* Per SEC 1, C.3, the bit string representing the public key comes from
* an octet string, therefore the unused bits octet must be 0x00.
* XXX - move this check to a helper in a_bitstr.c?
*/
if ((abs->flags & ASN1_STRING_FLAG_BITS_LEFT) != 0 &&
(abs->flags & 0x07) != 0)
return 0;
return ec_point_from_asn1_string(group, abs, out_point, out_form);
}
static int
ec_point_from_asn1_octet_string(const EC_GROUP *group, const ASN1_OCTET_STRING *aos,
EC_POINT **out_point, uint8_t *out_form)
{
return ec_point_from_asn1_string(group, aos, out_point, out_form);
}
static int
ec_point_to_asn1_string_type(const EC_GROUP *group, const EC_POINT *point,
int form, int type, ASN1_STRING **out_astr)
{
ASN1_STRING *astr = NULL;
unsigned char *buf = NULL;
size_t len = 0;
int ret = 0;
if (*out_astr != NULL && ASN1_STRING_type(*out_astr) != type)
goto err;
if (!ec_point_to_octets(group, point, form, &buf, &len, NULL))
goto err;
if ((astr = *out_astr) == NULL)
astr = ASN1_STRING_type_new(type);
if (astr == NULL)
goto err;
ASN1_STRING_set0(astr, buf, len);
buf = NULL;
len = 0;
*out_astr = astr;
astr = NULL;
ret = 1;
err:
ASN1_STRING_free(astr);
freezero(buf, len);
return ret;
}
static int
ec_point_to_asn1_bit_string(const EC_GROUP *group, const EC_POINT *point,
int form, ASN1_BIT_STRING **out_abs)
{
if (!ec_point_to_asn1_string_type(group, point, form,
V_ASN1_BIT_STRING, out_abs))
return 0;
return asn1_abs_set_unused_bits(*out_abs, 0);
}
static int
ec_point_to_asn1_octet_string(const EC_GROUP *group, const EC_POINT *point,
int form, ASN1_OCTET_STRING **out_aos)
{
return ec_point_to_asn1_string_type(group, point, form,
V_ASN1_OCTET_STRING, out_aos);
}
static int
ec_asn1_group2fieldid(const EC_GROUP *group, X9_62_FIELDID *field)
{
@ -566,7 +658,7 @@ ec_asn1_group2fieldid(const EC_GROUP *group, X9_62_FIELDID *field)
if (group == NULL || field == NULL)
goto err;
nid = EC_METHOD_get_field_type(EC_GROUP_method_of(group));
nid = ec_group_get_field_type(group);
if (nid == NID_X9_62_characteristic_two_field) {
ECerror(EC_R_GF2M_NOT_SUPPORTED);
goto err;
@ -602,16 +694,12 @@ ec_asn1_group2fieldid(const EC_GROUP *group, X9_62_FIELDID *field)
}
static int
ec_asn1_encode_field_element(const EC_GROUP *group, const BIGNUM *bn,
ec_asn1_encode_bn(const EC_GROUP *group, const BIGNUM *bn, int len,
ASN1_OCTET_STRING *os)
{
unsigned char *buf;
int len;
int ret = 0;
/* Zero-pad field element per SEC 1, section 2.3.5. */
len = (EC_GROUP_get_degree(group) + 7) / 8;
/* One extra byte for historic NUL termination of ASN1_STRINGs. */
if ((buf = calloc(1, len + 1)) == NULL)
goto err;
@ -631,6 +719,32 @@ ec_asn1_encode_field_element(const EC_GROUP *group, const BIGNUM *bn,
return ret;
}
static int
ec_asn1_encode_field_element(const EC_GROUP *group, const BIGNUM *bn,
ASN1_OCTET_STRING *os)
{
int len;
/* Zero-pad field element to byte length of p per SEC 1, 2.3.5. */
len = (EC_GROUP_get_degree(group) + 7) / 8;
return ec_asn1_encode_bn(group, bn, len, os);
}
static int
ec_asn1_encode_private_key(const EC_GROUP *group, const BIGNUM *bn,
ASN1_OCTET_STRING *os)
{
const BIGNUM *order;
if ((order = EC_GROUP_get0_order(group)) == NULL) {
ECerror(EC_R_INVALID_GROUP_ORDER);
return 0;
}
/* Zero-pad private key to byte length of order per SEC 1, C.4. */
return ec_asn1_encode_bn(group, bn, BN_num_bytes(order), os);
}
static int
ec_asn1_group2curve(const EC_GROUP *group, X9_62_CURVE *curve)
{
@ -692,60 +806,37 @@ ec_asn1_group2curve(const EC_GROUP *group, X9_62_CURVE *curve)
static ECPARAMETERS *
ec_asn1_group2parameters(const EC_GROUP *group)
{
int ok = 0;
size_t len = 0;
ECPARAMETERS *ret = NULL;
ECPARAMETERS *parameters = NULL;
const EC_POINT *generator = NULL;
const BIGNUM *order, *cofactor;
unsigned char *buffer = NULL;
const EC_POINT *point = NULL;
point_conversion_form_t form;
uint8_t form;
if ((ret = ECPARAMETERS_new()) == NULL) {
if ((parameters = ECPARAMETERS_new()) == NULL) {
ECerror(ERR_R_MALLOC_FAILURE);
goto err;
}
/* set the version (always one) */
ret->version = (long) 0x1;
parameters->version = 0x1;
/* set the fieldID */
if (!ec_asn1_group2fieldid(group, ret->fieldID)) {
if (!ec_asn1_group2fieldid(group, parameters->fieldID)) {
ECerror(ERR_R_EC_LIB);
goto err;
}
/* set the curve */
if (!ec_asn1_group2curve(group, ret->curve)) {
if (!ec_asn1_group2curve(group, parameters->curve)) {
ECerror(ERR_R_EC_LIB);
goto err;
}
/* set the base point */
if ((point = EC_GROUP_get0_generator(group)) == NULL) {
if ((generator = EC_GROUP_get0_generator(group)) == NULL) {
ECerror(EC_R_UNDEFINED_GENERATOR);
goto err;
}
form = EC_GROUP_get_point_conversion_form(group);
len = EC_POINT_point2oct(group, point, form, NULL, len, NULL);
if (len == 0) {
ECerror(ERR_R_EC_LIB);
form = EC_GROUP_get_point_conversion_form(group);
if (!ec_point_to_asn1_octet_string(group, generator, form, &parameters->base))
goto err;
}
if ((buffer = malloc(len)) == NULL) {
ECerror(ERR_R_MALLOC_FAILURE);
goto err;
}
if (!EC_POINT_point2oct(group, point, form, buffer, len, NULL)) {
ECerror(ERR_R_EC_LIB);
goto err;
}
if (ret->base == NULL && (ret->base = ASN1_OCTET_STRING_new()) == NULL) {
ECerror(ERR_R_MALLOC_FAILURE);
goto err;
}
if (!ASN1_OCTET_STRING_set(ret->base, buffer, len)) {
ECerror(ERR_R_ASN1_LIB);
goto err;
}
if ((order = EC_GROUP_get0_order(group)) == NULL) {
ECerror(ERR_R_EC_LIB);
goto err;
@ -754,35 +845,35 @@ ec_asn1_group2parameters(const EC_GROUP *group)
ECerror(ERR_R_EC_LIB);
goto err;
}
ASN1_INTEGER_free(ret->order);
if ((ret->order = BN_to_ASN1_INTEGER(order, NULL)) == NULL) {
ASN1_INTEGER_free(parameters->order);
if ((parameters->order = BN_to_ASN1_INTEGER(order, NULL)) == NULL) {
ECerror(ERR_R_ASN1_LIB);
goto err;
}
ASN1_INTEGER_free(ret->cofactor);
ret->cofactor = NULL;
ASN1_INTEGER_free(parameters->cofactor);
parameters->cofactor = NULL;
if ((cofactor = EC_GROUP_get0_cofactor(group)) == NULL) {
ECerror(ERR_R_EC_LIB);
goto err;
}
if (!BN_is_zero(cofactor)) {
if ((ret->cofactor = BN_to_ASN1_INTEGER(cofactor, NULL)) == NULL) {
if ((parameters->cofactor = BN_to_ASN1_INTEGER(cofactor,
NULL)) == NULL) {
ECerror(ERR_R_ASN1_LIB);
goto err;
}
}
ok = 1;
return parameters;
err:
if (!ok) {
ECPARAMETERS_free(ret);
ret = NULL;
}
free(buffer);
return (ret);
ECPARAMETERS_free(parameters);
return NULL;
}
ECPKPARAMETERS *
static ECPKPARAMETERS *
ec_asn1_group2pkparameters(const EC_GROUP *group)
{
ECPKPARAMETERS *pkparameters;
@ -900,19 +991,16 @@ ec_asn1_parameters_curve2group(const X9_62_CURVE *curve,
static int
ec_asn1_set_group_parameters(const ECPARAMETERS *params, EC_GROUP *group)
{
EC_POINT *generator;
EC_POINT *generator = NULL;
BIGNUM *order = NULL, *cofactor = NULL;
const ASN1_BIT_STRING *seed;
point_conversion_form_t form;
uint8_t form;
int ret = 0;
if ((generator = EC_POINT_new(group)) == NULL)
if (!ec_point_from_asn1_octet_string(group, params->base, &generator, &form))
goto err;
if (!EC_POINT_oct2point(group, generator,
params->base->data, params->base->length, NULL)) {
ECerror(ERR_R_EC_LIB);
goto err;
}
EC_GROUP_set_point_conversion_form(group, form);
if ((order = ASN1_INTEGER_to_BN(params->order, NULL)) == NULL) {
ECerror(ERR_R_ASN1_LIB);
goto err;
@ -938,10 +1026,6 @@ ec_asn1_set_group_parameters(const ECPARAMETERS *params, EC_GROUP *group)
}
}
/* oct2point has ensured that to be compressed, uncompressed, or hybrid. */
form = params->base->data[0] & ~1U;
EC_GROUP_set_point_conversion_form(group, form);
ret = 1;
err:
@ -985,6 +1069,7 @@ static EC_GROUP *
ec_asn1_parameters2group(const ECPARAMETERS *params)
{
EC_GROUP *group = NULL;
int nid = NID_undef;
if (params == NULL) {
ECerror(EC_R_ASN1_ERROR);
@ -993,8 +1078,9 @@ ec_asn1_parameters2group(const ECPARAMETERS *params)
if (!ec_asn1_parameters_extract_prime_group(params, &group))
goto err;
if (!ec_group_is_builtin_curve(group))
if (!ec_group_is_builtin_curve(group, &nid))
goto err;
EC_GROUP_set_curve_name(group, nid);
return group;
@ -1004,7 +1090,7 @@ ec_asn1_parameters2group(const ECPARAMETERS *params)
return NULL;
}
EC_GROUP *
static EC_GROUP *
ec_asn1_pkparameters2group(const ECPKPARAMETERS *params)
{
EC_GROUP *group;
@ -1026,7 +1112,7 @@ ec_asn1_pkparameters2group(const ECPKPARAMETERS *params)
ECerror(ERR_R_EC_LIB);
return NULL;
}
EC_GROUP_set_asn1_flag(group, 0);
EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE);
} else if (params->type == ECPK_PARAM_IMPLICITLY_CA) {
return NULL;
} else {
@ -1059,7 +1145,8 @@ d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len)
err:
ECPKPARAMETERS_free(params);
return (group);
return group;
}
LCRYPTO_ALIAS(d2i_ECPKParameters);
@ -1085,289 +1172,322 @@ i2d_ECPKParameters(const EC_GROUP *group, unsigned char **out_der)
}
LCRYPTO_ALIAS(i2d_ECPKParameters);
EC_KEY *
d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
static int
ec_key_set_group_from_parameters(EC_KEY *ec_key, const ECPKPARAMETERS *params)
{
EC_KEY *ret = NULL;
EC_PRIVATEKEY *priv_key = NULL;
EC_GROUP *group = NULL;
int ret = 0;
if ((priv_key = d2i_EC_PRIVATEKEY(NULL, in, len)) == NULL) {
ECerror(ERR_R_EC_LIB);
return NULL;
}
if (a == NULL || *a == NULL) {
if ((ret = EC_KEY_new()) == NULL) {
ECerror(ERR_R_MALLOC_FAILURE);
/* Use group in parameters, if any. Fall back to existing group. */
if (params != NULL) {
if ((group = ec_asn1_pkparameters2group(params)) == NULL)
goto err;
if (!EC_KEY_set_group(ec_key, group))
goto err;
}
} else
ret = *a;
if (priv_key->parameters) {
EC_GROUP_free(ret->group);
ret->group = ec_asn1_pkparameters2group(priv_key->parameters);
}
if (ret->group == NULL) {
ECerror(ERR_R_EC_LIB);
if (ec_key->group == NULL)
goto err;
}
ret->version = priv_key->version;
if (priv_key->privateKey) {
ret->priv_key = BN_bin2bn(
ASN1_STRING_data(priv_key->privateKey),
ASN1_STRING_length(priv_key->privateKey),
ret->priv_key);
if (ret->priv_key == NULL) {
ECerror(ERR_R_BN_LIB);
goto err;
}
} else {
ret = 1;
err:
EC_GROUP_free(group);
return ret;
}
static int
ec_key_set_private_key(EC_KEY *ec_key, const ASN1_OCTET_STRING *aos)
{
BIGNUM *priv_key = NULL;
int ret = 0;
if (aos == NULL) {
ECerror(EC_R_MISSING_PRIVATE_KEY);
goto err;
}
if (ret->pub_key)
EC_POINT_free(ret->pub_key);
ret->pub_key = EC_POINT_new(ret->group);
if (ret->pub_key == NULL) {
/*
* XXX - Sec 1, C.4 requires that this octet string be padded to the
* byte length of the group's order. This can't be enforced because
* i2d_ECPrivateKey() used to produce a semi-compatible ad hoc format.
*/
if ((priv_key = BN_bin2bn(aos->data, aos->length, NULL)) == NULL)
goto err;
if (!EC_KEY_set_private_key(ec_key, priv_key))
goto err;
ret = 1;
err:
BN_free(priv_key);
return ret;
}
static int
ec_key_set_public_key(EC_KEY *ec_key, const ASN1_BIT_STRING *abs)
{
EC_POINT *pub_key = NULL;
uint8_t form;
int ret = 0;
if (abs == NULL) {
ec_key->enc_flag |= EC_PKEY_NO_PUBKEY;
return eckey_compute_pubkey(ec_key);
}
/* XXX - SEC 1, 2.3.4 does not allow hybrid encoding. */
if (!ec_point_from_asn1_bit_string(ec_key->group, abs, &pub_key, &form))
goto err;
if (!EC_KEY_set_public_key(ec_key, pub_key))
goto err;
EC_KEY_set_conv_form(ec_key, form);
ret = 1;
err:
EC_POINT_free(pub_key);
return ret;
}
EC_KEY *
d2i_ECPrivateKey(EC_KEY **out_ec_key, const unsigned char **in, long len)
{
EC_KEY *ec_key = NULL;
EC_PRIVATEKEY *ec_privatekey = NULL;
if (out_ec_key == NULL || (ec_key = *out_ec_key) == NULL)
ec_key = EC_KEY_new();
if (ec_key == NULL)
goto err;
if ((ec_privatekey = d2i_EC_PRIVATEKEY(NULL, in, len)) == NULL) {
ECerror(ERR_R_EC_LIB);
goto err;
}
if (priv_key->publicKey) {
const unsigned char *pub_oct;
size_t pub_oct_len;
ec_key->version = ec_privatekey->version;
if (!ec_key_set_group_from_parameters(ec_key, ec_privatekey->parameters))
goto err;
if (!ec_key_set_private_key(ec_key, ec_privatekey->privateKey))
goto err;
if (!ec_key_set_public_key(ec_key, ec_privatekey->publicKey))
goto err;
pub_oct = ASN1_STRING_data(priv_key->publicKey);
pub_oct_len = ASN1_STRING_length(priv_key->publicKey);
if (pub_oct == NULL || pub_oct_len <= 0) {
ECerror(EC_R_BUFFER_TOO_SMALL);
goto err;
}
EC_PRIVATEKEY_free(ec_privatekey);
ec_privatekey = NULL;
/* save the point conversion form */
ret->conv_form = (point_conversion_form_t) (pub_oct[0] & ~0x01);
if (!EC_POINT_oct2point(ret->group, ret->pub_key,
pub_oct, pub_oct_len, NULL)) {
ECerror(ERR_R_EC_LIB);
goto err;
}
} else {
if (!EC_POINT_mul(ret->group, ret->pub_key, ret->priv_key,
NULL, NULL, NULL)) {
ECerror(ERR_R_EC_LIB);
goto err;
}
/* Remember the original private-key-only encoding. */
ret->enc_flag |= EC_PKEY_NO_PUBKEY;
}
if (out_ec_key != NULL)
*out_ec_key = ec_key;
EC_PRIVATEKEY_free(priv_key);
if (a != NULL)
*a = ret;
return (ret);
return ec_key;
err:
if (a == NULL || *a != ret)
EC_KEY_free(ret);
if (priv_key)
EC_PRIVATEKEY_free(priv_key);
if (out_ec_key == NULL || *out_ec_key != ec_key)
EC_KEY_free(ec_key);
EC_PRIVATEKEY_free(ec_privatekey);
return (NULL);
return NULL;
}
LCRYPTO_ALIAS(d2i_ECPrivateKey);
int
i2d_ECPrivateKey(EC_KEY *a, unsigned char **out)
i2d_ECPrivateKey(EC_KEY *ec_key, unsigned char **out)
{
int ret = 0, ok = 0;
unsigned char *buffer = NULL;
size_t buf_len = 0, tmp_len;
EC_PRIVATEKEY *priv_key = NULL;
EC_PRIVATEKEY *ec_privatekey = NULL;
const EC_GROUP *group;
const BIGNUM *private_key;
const EC_POINT *public_key = NULL;
int ret = 0;
if (a == NULL || a->group == NULL || a->priv_key == NULL ||
(!(a->enc_flag & EC_PKEY_NO_PUBKEY) && a->pub_key == NULL)) {
if (ec_key == NULL) {
ECerror(ERR_R_PASSED_NULL_PARAMETER);
goto err;
}
if ((priv_key = EC_PRIVATEKEY_new()) == NULL) {
ECerror(ERR_R_MALLOC_FAILURE);
if ((group = EC_KEY_get0_group(ec_key)) == NULL) {
ECerror(EC_R_MISSING_PARAMETERS);
goto err;
}
priv_key->version = a->version;
if ((private_key = EC_KEY_get0_private_key(ec_key)) == NULL) {
ECerror(EC_R_KEYS_NOT_SET);
goto err;
}
if ((ec_key->enc_flag & EC_PKEY_NO_PUBKEY) == 0) {
if ((public_key = EC_KEY_get0_public_key(ec_key)) == NULL) {
ECerror(EC_R_KEYS_NOT_SET);
goto err;
}
}
buf_len = (size_t) BN_num_bytes(a->priv_key);
buffer = malloc(buf_len);
if (buffer == NULL) {
if ((ec_privatekey = EC_PRIVATEKEY_new()) == NULL) {
ECerror(ERR_R_MALLOC_FAILURE);
goto err;
}
if (!BN_bn2bin(a->priv_key, buffer)) {
ECerror(ERR_R_BN_LIB);
ec_privatekey->version = ec_key->version;
if (!ec_asn1_encode_private_key(group, private_key, ec_privatekey->privateKey))
goto err;
}
if (!ASN1_STRING_set(priv_key->privateKey, buffer, buf_len)) {
ECerror(ERR_R_ASN1_LIB);
goto err;
}
if (!(a->enc_flag & EC_PKEY_NO_PARAMETERS)) {
if ((ec_key->enc_flag & EC_PKEY_NO_PARAMETERS) == 0) {
ECPKPARAMETERS *parameters;
if ((parameters = ec_asn1_group2pkparameters(a->group)) == NULL) {
if ((parameters = ec_asn1_group2pkparameters(group)) == NULL) {
ECerror(ERR_R_EC_LIB);
goto err;
}
priv_key->parameters = parameters;
ec_privatekey->parameters = parameters;
}
if (!(a->enc_flag & EC_PKEY_NO_PUBKEY) && a->pub_key != NULL) {
priv_key->publicKey = ASN1_BIT_STRING_new();
if (priv_key->publicKey == NULL) {
ECerror(ERR_R_MALLOC_FAILURE);
goto err;
}
tmp_len = EC_POINT_point2oct(a->group, a->pub_key,
a->conv_form, NULL, 0, NULL);
if (public_key != NULL) {
uint8_t form;
if (tmp_len > buf_len) {
unsigned char *tmp_buffer = realloc(buffer, tmp_len);
if (!tmp_buffer) {
ECerror(ERR_R_MALLOC_FAILURE);
goto err;
}
buffer = tmp_buffer;
buf_len = tmp_len;
}
if (!EC_POINT_point2oct(a->group, a->pub_key,
a->conv_form, buffer, buf_len, NULL)) {
ECerror(ERR_R_EC_LIB);
form = EC_KEY_get_conv_form(ec_key);
if (!ec_point_to_asn1_bit_string(group, public_key, form,
&ec_privatekey->publicKey))
goto err;
}
if (!ASN1_STRING_set(priv_key->publicKey, buffer, buf_len)) {
ECerror(ERR_R_ASN1_LIB);
goto err;
}
if (!asn1_abs_set_unused_bits(priv_key->publicKey, 0)) {
ECerror(ERR_R_ASN1_LIB);
goto err;
}
}
if ((ret = i2d_EC_PRIVATEKEY(priv_key, out)) == 0) {
if ((ret = i2d_EC_PRIVATEKEY(ec_privatekey, out)) <= 0) {
ECerror(ERR_R_EC_LIB);
goto err;
}
ok = 1;
err:
free(buffer);
if (priv_key)
EC_PRIVATEKEY_free(priv_key);
return (ok ? ret : 0);
EC_PRIVATEKEY_free(ec_privatekey);
return ret;
}
LCRYPTO_ALIAS(i2d_ECPrivateKey);
int
i2d_ECParameters(EC_KEY *a, unsigned char **out)
i2d_ECParameters(EC_KEY *ec_key, unsigned char **out)
{
if (a == NULL) {
if (ec_key == NULL) {
ECerror(ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
return i2d_ECPKParameters(a->group, out);
return i2d_ECPKParameters(ec_key->group, out);
}
LCRYPTO_ALIAS(i2d_ECParameters);
EC_KEY *
d2i_ECParameters(EC_KEY **a, const unsigned char **in, long len)
d2i_ECParameters(EC_KEY **out_ec_key, const unsigned char **in, long len)
{
EC_KEY *ret;
EC_KEY *ec_key = NULL;
if (in == NULL || *in == NULL) {
ECerror(ERR_R_PASSED_NULL_PARAMETER);
return NULL;
goto err;
}
if (out_ec_key == NULL || (ec_key = *out_ec_key) == NULL)
ec_key = EC_KEY_new();
if (ec_key == NULL) {
ECerror(ERR_R_MALLOC_FAILURE);
goto err;
}
if (a == NULL || *a == NULL) {
if ((ret = EC_KEY_new()) == NULL) {
ECerror(ERR_R_MALLOC_FAILURE);
return NULL;
}
} else
ret = *a;
if (!d2i_ECPKParameters(&ret->group, in, len)) {
if (!d2i_ECPKParameters(&ec_key->group, in, len)) {
ECerror(ERR_R_EC_LIB);
if (a == NULL || *a != ret)
EC_KEY_free(ret);
return NULL;
goto err;
}
if (a != NULL)
*a = ret;
return ret;
if (out_ec_key != NULL)
*out_ec_key = ec_key;
return ec_key;
err:
if (out_ec_key == NULL || *out_ec_key != ec_key)
EC_KEY_free(ec_key);
return NULL;
}
LCRYPTO_ALIAS(d2i_ECParameters);
EC_KEY *
o2i_ECPublicKey(EC_KEY **a, const unsigned char **in, long len)
ECParameters_dup(EC_KEY *key)
{
EC_KEY *ret = NULL;
const unsigned char *p;
unsigned char *der = NULL;
EC_KEY *dup = NULL;
int len;
if (a == NULL || (*a) == NULL || (*a)->group == NULL) {
/* An EC_GROUP structure is necessary to set the public key. */
if (key == NULL)
return NULL;
if ((len = i2d_ECParameters(key, &der)) <= 0)
return NULL;
p = der;
dup = d2i_ECParameters(NULL, &p, len);
freezero(der, len);
return dup;
}
LCRYPTO_ALIAS(ECParameters_dup);
EC_KEY *
o2i_ECPublicKey(EC_KEY **in_ec_key, const unsigned char **in, long len)
{
EC_KEY *ec_key = NULL;
const EC_GROUP *group;
uint8_t form;
if (in_ec_key == NULL || (ec_key = *in_ec_key) == NULL) {
ECerror(ERR_R_PASSED_NULL_PARAMETER);
return 0;
return NULL;
}
ret = *a;
if (ret->pub_key == NULL &&
(ret->pub_key = EC_POINT_new(ret->group)) == NULL) {
ECerror(ERR_R_MALLOC_FAILURE);
return 0;
if ((group = ec_key->group) == NULL) {
ECerror(ERR_R_PASSED_NULL_PARAMETER);
return NULL;
}
if (!EC_POINT_oct2point(ret->group, ret->pub_key, *in, len, NULL)) {
ECerror(ERR_R_EC_LIB);
return 0;
if (len < 0) {
ECerror(EC_R_INVALID_ARGUMENT);
return NULL;
}
/* save the point conversion form */
ret->conv_form = (point_conversion_form_t) (*in[0] & ~0x01);
if (!ec_point_from_octets(group, *in, len, &ec_key->pub_key, &form, NULL))
return NULL;
EC_KEY_set_conv_form(ec_key, form);
*in += len;
return ret;
return ec_key;
}
LCRYPTO_ALIAS(o2i_ECPublicKey);
int
i2o_ECPublicKey(const EC_KEY *a, unsigned char **out)
i2o_ECPublicKey(const EC_KEY *ec_key, unsigned char **out)
{
unsigned char *buf = NULL;
size_t buf_len = 0;
int new_buffer = 0;
int ret = 0;
if (a == NULL) {
if (ec_key == NULL) {
ECerror(ERR_R_PASSED_NULL_PARAMETER);
return 0;
goto err;
}
buf_len = EC_POINT_point2oct(a->group, a->pub_key,
a->conv_form, NULL, 0, NULL);
if (out == NULL || buf_len == 0)
/* out == NULL => just return the length of the octet string */
return buf_len;
if (!ec_point_to_octets(ec_key->group, ec_key->pub_key,
ec_key->conv_form, &buf, &buf_len, NULL))
goto err;
if (buf_len > INT_MAX)
goto err;
if (*out == NULL) {
if ((*out = malloc(buf_len)) == NULL) {
ECerror(ERR_R_MALLOC_FAILURE);
return 0;
}
new_buffer = 1;
}
if (!EC_POINT_point2oct(a->group, a->pub_key, a->conv_form,
*out, buf_len, NULL)) {
ECerror(ERR_R_EC_LIB);
if (new_buffer) {
free(*out);
*out = NULL;
}
return 0;
}
if (!new_buffer)
if (out != NULL && *out != NULL) {
/* Muppet's answer to the Jackass show. */
memcpy(*out, buf, buf_len);
*out += buf_len;
return buf_len;
} else if (out != NULL) {
*out = buf;
buf = NULL;
}
ret = buf_len;
err:
freezero(buf, buf_len);
return ret;
}
LCRYPTO_ALIAS(i2o_ECPublicKey);


@ -0,0 +1,575 @@
/* $OpenBSD: ec_convert.c,v 1.14 2025/01/05 16:07:08 tb Exp $ */
/*
* Originally written by Bodo Moeller for the OpenSSL project.
*/
/* ====================================================================
* Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
/* ====================================================================
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
* Binary polynomial ECC support in OpenSSL originally developed by
* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
*/
#include <string.h>
#include <openssl/asn1.h>
#include <openssl/err.h>
#include "asn1_local.h"
#include "ec_local.h"
/*
* Internal handling of the point conversion octet
* (see X9.62, section 4.4.2, SEC 1 section 2.3.3)
*
* Only the last three bits of the leading octet of a point should be set.
* Bits 3 and 2 encode the conversion form for all points except the point
* at infinity. In compressed and hybrid form bit 1 indicates if the even
* or the odd solution of the quadratic equation for y should be used.
*
* The public point_conversion_t enum lacks the point at infinity, so we
* ignore it except at the API boundary.
*/
#define EC_POINT_YBIT 0x01
#define EC_POINT_AT_INFINITY 0x00
#define EC_POINT_COMPRESSED 0x02
#define EC_POINT_UNCOMPRESSED 0x04
#define EC_POINT_HYBRID 0x06
#define EC_POINT_CONVERSION_MASK 0x06
static int
ec_conversion_form_is_valid(uint8_t form)
{
return (form & EC_POINT_CONVERSION_MASK) == form;
}
static int
ec_check_hybrid_ybit_is_consistent(uint8_t form, int ybit, const BIGNUM *y)
{
if (form == EC_POINT_HYBRID && ybit != BN_is_odd(y)) {
ECerror(EC_R_INVALID_ENCODING);
return 0;
}
return 1;
}
/* Nonzero y-bit only makes sense with compressed or hybrid encoding. */
static int
ec_nonzero_ybit_allowed(uint8_t form)
{
return form == EC_POINT_COMPRESSED || form == EC_POINT_HYBRID;
}
static int
ec_add_leading_octet_cbb(CBB *cbb, uint8_t form, int ybit)
{
if (ec_nonzero_ybit_allowed(form) && ybit != 0)
form |= EC_POINT_YBIT;
return CBB_add_u8(cbb, form);
}
static int
ec_get_leading_octet_cbs(CBS *cbs, uint8_t *out_form, int *out_ybit)
{
uint8_t octet;
if (!CBS_get_u8(cbs, &octet)) {
ECerror(EC_R_BUFFER_TOO_SMALL);
return 0;
}
*out_ybit = octet & EC_POINT_YBIT;
*out_form = octet & ~EC_POINT_YBIT;
if (!ec_conversion_form_is_valid(*out_form)) {
ECerror(EC_R_INVALID_ENCODING);
return 0;
}
if (*out_ybit != 0 && !ec_nonzero_ybit_allowed(*out_form)) {
ECerror(EC_R_INVALID_ENCODING);
return 0;
}
return 1;
}
static int
ec_encoded_length(const EC_GROUP *group, uint8_t form, size_t *out_len)
{
switch (form) {
case EC_POINT_AT_INFINITY:
*out_len = 1;
return 1;
case EC_POINT_COMPRESSED:
*out_len = 1 + BN_num_bytes(group->p);
return 1;
case EC_POINT_UNCOMPRESSED:
case EC_POINT_HYBRID:
*out_len = 1 + 2 * BN_num_bytes(group->p);
return 1;
default:
return 0;
}
}
static int
ec_field_element_is_valid(const EC_GROUP *group, const BIGNUM *bn)
{
/* Ensure bn is in the range [0, p). */
return !BN_is_negative(bn) && BN_cmp(group->p, bn) > 0;
}
static int
ec_add_field_element_cbb(CBB *cbb, const EC_GROUP *group, const BIGNUM *bn)
{
uint8_t *buf = NULL;
int buf_len = BN_num_bytes(group->p);
if (!ec_field_element_is_valid(group, bn)) {
ECerror(EC_R_BIGNUM_OUT_OF_RANGE);
return 0;
}
if (!CBB_add_space(cbb, &buf, buf_len)) {
ECerror(ERR_R_MALLOC_FAILURE);
return 0;
}
if (BN_bn2binpad(bn, buf, buf_len) != buf_len) {
ECerror(ERR_R_MALLOC_FAILURE);
return 0;
}
return 1;
}
static int
ec_get_field_element_cbs(CBS *cbs, const EC_GROUP *group, BIGNUM *bn)
{
CBS field_element;
if (!CBS_get_bytes(cbs, &field_element, BN_num_bytes(group->p))) {
ECerror(EC_R_INVALID_ENCODING);
return 0;
}
if (!BN_bin2bn(CBS_data(&field_element), CBS_len(&field_element), bn)) {
ECerror(ERR_R_MALLOC_FAILURE);
return 0;
}
if (!ec_field_element_is_valid(group, bn)) {
ECerror(EC_R_BIGNUM_OUT_OF_RANGE);
return 0;
}
return 1;
}
static size_t
ec_point2oct(const EC_GROUP *group, const EC_POINT *point, uint8_t form,
unsigned char *buf, size_t len, BN_CTX *ctx)
{
CBB cbb;
BIGNUM *x, *y;
size_t encoded_length;
size_t ret = 0;
if (EC_POINT_is_at_infinity(group, point))
form = EC_POINT_AT_INFINITY;
if (!ec_encoded_length(group, form, &encoded_length)) {
ECerror(EC_R_INVALID_FORM);
return 0;
}
if (buf == NULL)
return encoded_length;
if (len < encoded_length) {
ECerror(EC_R_BUFFER_TOO_SMALL);
return 0;
}
BN_CTX_start(ctx);
if (!CBB_init_fixed(&cbb, buf, len))
goto err;
if (form == EC_POINT_AT_INFINITY) {
if (!EC_POINT_is_at_infinity(group, point))
goto err;
if (!ec_add_leading_octet_cbb(&cbb, form, 0))
goto err;
goto done;
}
if ((x = BN_CTX_get(ctx)) == NULL)
goto err;
if ((y = BN_CTX_get(ctx)) == NULL)
goto err;
if (!EC_POINT_get_affine_coordinates(group, point, x, y, ctx))
goto err;
if (!ec_add_leading_octet_cbb(&cbb, form, BN_is_odd(y)))
goto err;
if (form == EC_POINT_COMPRESSED) {
if (!ec_add_field_element_cbb(&cbb, group, x))
goto err;
} else {
if (!ec_add_field_element_cbb(&cbb, group, x))
goto err;
if (!ec_add_field_element_cbb(&cbb, group, y))
goto err;
}
done:
if (!CBB_finish(&cbb, NULL, &ret))
goto err;
if (ret != encoded_length) {
ret = 0;
goto err;
}
err:
CBB_cleanup(&cbb);
BN_CTX_end(ctx);
return ret;
}
static int
ec_oct2point(const EC_GROUP *group, EC_POINT *point,
const unsigned char *buf, size_t len, BN_CTX *ctx)
{
CBS cbs;
uint8_t form;
int ybit;
BIGNUM *x, *y;
int ret = 0;
BN_CTX_start(ctx);
CBS_init(&cbs, buf, len);
if (!ec_get_leading_octet_cbs(&cbs, &form, &ybit))
goto err;
if (form == EC_POINT_AT_INFINITY) {
if (!EC_POINT_set_to_infinity(group, point))
goto err;
goto done;
}
if ((x = BN_CTX_get(ctx)) == NULL)
goto err;
if ((y = BN_CTX_get(ctx)) == NULL)
goto err;
if (form == EC_POINT_COMPRESSED) {
if (!ec_get_field_element_cbs(&cbs, group, x))
goto err;
if (!EC_POINT_set_compressed_coordinates(group, point, x, ybit, ctx))
goto err;
} else {
if (!ec_get_field_element_cbs(&cbs, group, x))
goto err;
if (!ec_get_field_element_cbs(&cbs, group, y))
goto err;
if (!ec_check_hybrid_ybit_is_consistent(form, ybit, y))
goto err;
if (!EC_POINT_set_affine_coordinates(group, point, x, y, ctx))
goto err;
}
done:
if (CBS_len(&cbs) > 0) {
ECerror(EC_R_INVALID_ENCODING);
goto err;
}
ret = 1;
err:
BN_CTX_end(ctx);
return ret;
}
int
ec_point_to_octets(const EC_GROUP *group, const EC_POINT *point, int form,
unsigned char **out_buf, size_t *out_len, BN_CTX *ctx)
{
unsigned char *buf = NULL;
size_t len = 0;
int ret = 0;
*out_len = 0;
if (out_buf == NULL || *out_buf != NULL)
goto err;
if ((len = EC_POINT_point2oct(group, point, form, NULL, 0, ctx)) == 0)
goto err;
if ((buf = calloc(1, len)) == NULL)
goto err;
if (EC_POINT_point2oct(group, point, form, buf, len, ctx) != len)
goto err;
*out_buf = buf;
buf = NULL;
*out_len = len;
len = 0;
ret = 1;
err:
freezero(buf, len);
return ret;
}
int
ec_point_from_octets(const EC_GROUP *group, const unsigned char *buf, size_t buf_len,
EC_POINT **out_point, uint8_t *out_form, BN_CTX *ctx)
{
EC_POINT *point;
int ret = 0;
if ((point = *out_point) == NULL)
point = EC_POINT_new(group);
if (point == NULL)
goto err;
if (!EC_POINT_oct2point(group, point, buf, buf_len, ctx))
goto err;
if (out_form != NULL)
*out_form = buf[0] & ~EC_POINT_YBIT;
*out_point = point;
point = NULL;
ret = 1;
err:
if (*out_point != point)
EC_POINT_free(point);
return ret;
}
static int
ec_normalize_form(const EC_GROUP *group, const EC_POINT *point, int form,
uint8_t *out_form)
{
/*
* Established behavior is to reject a request for the form 0 for the
* point at infinity even if it is valid.
*/
if (form <= 0 || form > UINT8_MAX)
return 0;
if (!ec_conversion_form_is_valid(form))
return 0;
*out_form = form;
if (EC_POINT_is_at_infinity(group, point))
*out_form = EC_POINT_AT_INFINITY;
return 1;
}
size_t
EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *point,
point_conversion_form_t conv_form, unsigned char *buf, size_t len,
BN_CTX *ctx_in)
{
BN_CTX *ctx = NULL;
uint8_t form;
size_t ret = 0;
if (!ec_normalize_form(group, point, conv_form, &form)) {
ECerror(EC_R_INVALID_FORM);
goto err;
}
if ((ctx = ctx_in) == NULL)
ctx = BN_CTX_new();
if (ctx == NULL)
goto err;
if (group->meth != point->meth) {
ECerror(EC_R_INCOMPATIBLE_OBJECTS);
goto err;
}
ret = ec_point2oct(group, point, form, buf, len, ctx);
err:
if (ctx != ctx_in)
BN_CTX_free(ctx);
return ret;
}
LCRYPTO_ALIAS(EC_POINT_point2oct);
int
EC_POINT_oct2point(const EC_GROUP *group, EC_POINT *point,
const unsigned char *buf, size_t len, BN_CTX *ctx_in)
{
BN_CTX *ctx;
int ret = 0;
if ((ctx = ctx_in) == NULL)
ctx = BN_CTX_new();
if (ctx == NULL)
goto err;
if (group->meth != point->meth) {
ECerror(EC_R_INCOMPATIBLE_OBJECTS);
goto err;
}
ret = ec_oct2point(group, point, buf, len, ctx);
err:
if (ctx != ctx_in)
BN_CTX_free(ctx);
return ret;
}
LCRYPTO_ALIAS(EC_POINT_oct2point);
BIGNUM *
EC_POINT_point2bn(const EC_GROUP *group, const EC_POINT *point,
point_conversion_form_t form, BIGNUM *in_bn, BN_CTX *ctx)
{
BIGNUM *bn = NULL;
unsigned char *buf = NULL;
size_t buf_len = 0;
if (!ec_point_to_octets(group, point, form, &buf, &buf_len, ctx))
goto err;
if ((bn = BN_bin2bn(buf, buf_len, in_bn)) == NULL)
goto err;
err:
freezero(buf, buf_len);
return bn;
}
LCRYPTO_ALIAS(EC_POINT_point2bn);
EC_POINT *
EC_POINT_bn2point(const EC_GROUP *group,
const BIGNUM *bn, EC_POINT *point, BN_CTX *ctx)
{
unsigned char *buf = NULL;
size_t buf_len = 0;
/* Of course BN_bn2bin() is in no way symmetric to BN_bin2bn()... */
if ((buf_len = BN_num_bytes(bn)) == 0)
goto err;
if ((buf = calloc(1, buf_len)) == NULL)
goto err;
if (!BN_bn2bin(bn, buf))
goto err;
if (!ec_point_from_octets(group, buf, buf_len, &point, NULL, ctx))
goto err;
err:
freezero(buf, buf_len);
return point;
}
LCRYPTO_ALIAS(EC_POINT_bn2point);
char *
EC_POINT_point2hex(const EC_GROUP *group, const EC_POINT *point,
point_conversion_form_t form, BN_CTX *ctx)
{
BIGNUM *bn;
char *hex = NULL;
if ((bn = EC_POINT_point2bn(group, point, form, NULL, ctx)) == NULL)
goto err;
if ((hex = BN_bn2hex(bn)) == NULL)
goto err;
err:
BN_free(bn);
return hex;
}
LCRYPTO_ALIAS(EC_POINT_point2hex);
EC_POINT *
EC_POINT_hex2point(const EC_GROUP *group, const char *hex,
EC_POINT *in_point, BN_CTX *ctx)
{
EC_POINT *point = NULL;
BIGNUM *bn = NULL;
if (BN_hex2bn(&bn, hex) == 0)
goto err;
if ((point = EC_POINT_bn2point(group, bn, in_point, ctx)) == NULL)
goto err;
err:
BN_free(bn);
return point;
}
LCRYPTO_ALIAS(EC_POINT_hex2point);
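Review bot: EC_POINT_bn2point returns the caller's point on failure: every `goto err` path (zero-length bn, failed calloc(), failed BN_bn2bin(), or ec_point_from_octets() rejecting the encoding) falls through to `return point;`, and when `point` was passed in non-NULL that is a non-NULL return, so a caller testing for NULL treats an undecodable or out-of-range encoding as successfully decoded, with the caller-supplied object possibly already partially overwritten (ec_point_from_octets() only frees a point it allocated itself). EC_POINT_hex2point directly below inherits this, since it only checks the result against NULL. The sibling helpers in this file (ec_point_to_octets, EC_POINT_point2bn) do distinguish failure from success, so this one looks like an oversight rather than intent. Suggest tracking success explicitly: `EC_POINT *ret = NULL;` at the top, `ret = point;` after the ec_point_from_octets() call succeeds, and `return ret;` after the freezero().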



@ -1,4 +1,4 @@
/* $OpenBSD: ec_key.c,v 1.40 2024/03/27 01:22:30 tb Exp $ */
/* $OpenBSD: ec_key.c,v 1.48 2024/11/16 10:38:10 tb Exp $ */
/*
* Written by Nils Larsch for the OpenSSL project.
*/
@ -65,10 +65,12 @@
#include <openssl/opensslconf.h>
#include <openssl/ec.h>
#include <openssl/err.h>
#include "bn_local.h"
#include "ec_local.h"
#include "ecdsa_local.h"
EC_KEY *
EC_KEY_new(void)
@ -80,45 +82,48 @@ LCRYPTO_ALIAS(EC_KEY_new);
EC_KEY *
EC_KEY_new_by_curve_name(int nid)
{
EC_KEY *ret = EC_KEY_new();
if (ret == NULL)
return NULL;
ret->group = EC_GROUP_new_by_curve_name(nid);
if (ret->group == NULL) {
EC_KEY_free(ret);
return NULL;
EC_KEY *ec_key;
if ((ec_key = EC_KEY_new()) == NULL)
goto err;
if ((ec_key->group = EC_GROUP_new_by_curve_name(nid)) == NULL)
goto err;
/* XXX - do we want an ec_key_set0_group()? */
if (ec_key->meth->set_group != NULL) {
if (!ec_key->meth->set_group(ec_key, ec_key->group))
goto err;
}
if (ret->meth->set_group != NULL &&
ret->meth->set_group(ret, ret->group) == 0) {
EC_KEY_free(ret);
return NULL;
}
return ret;
return ec_key;
err:
EC_KEY_free(ec_key);
return NULL;
}
LCRYPTO_ALIAS(EC_KEY_new_by_curve_name);
void
EC_KEY_free(EC_KEY *r)
EC_KEY_free(EC_KEY *ec_key)
{
int i;
if (r == NULL)
if (ec_key == NULL)
return;
i = CRYPTO_add(&r->references, -1, CRYPTO_LOCK_EC);
if (i > 0)
if (CRYPTO_add(&ec_key->references, -1, CRYPTO_LOCK_EC) > 0)
return;
if (r->meth != NULL && r->meth->finish != NULL)
r->meth->finish(r);
if (ec_key->meth != NULL && ec_key->meth->finish != NULL)
ec_key->meth->finish(ec_key);
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_EC_KEY, r, &r->ex_data);
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_EC_KEY, ec_key, &ec_key->ex_data);
EC_GROUP_free(r->group);
EC_POINT_free(r->pub_key);
BN_free(r->priv_key);
EC_GROUP_free(ec_key->group);
EC_POINT_free(ec_key->pub_key);
BN_free(ec_key->priv_key);
freezero(r, sizeof(EC_KEY));
freezero(ec_key, sizeof(*ec_key));
}
LCRYPTO_ALIAS(EC_KEY_free);
@ -129,75 +134,73 @@ EC_KEY_copy(EC_KEY *dest, const EC_KEY *src)
ECerror(ERR_R_PASSED_NULL_PARAMETER);
return NULL;
}
if (src->meth != dest->meth) {
if (dest->meth != NULL && dest->meth->finish != NULL)
dest->meth->finish(dest);
}
/* copy the parameters */
if (src->group) {
const EC_METHOD *meth = EC_GROUP_method_of(src->group);
/* clear the old group */
if (src->group != NULL) {
EC_GROUP_free(dest->group);
dest->group = EC_GROUP_new(meth);
if (dest->group == NULL)
if ((dest->group = EC_GROUP_dup(src->group)) == NULL)
return NULL;
if (!EC_GROUP_copy(dest->group, src->group))
return NULL;
}
/* copy the public key */
if (src->pub_key && src->group) {
EC_POINT_free(dest->pub_key);
dest->pub_key = EC_POINT_new(src->group);
if (dest->pub_key == NULL)
return NULL;
if (!EC_POINT_copy(dest->pub_key, src->pub_key))
return NULL;
}
/* copy the private key */
if (src->priv_key) {
if (dest->priv_key == NULL) {
dest->priv_key = BN_new();
if (dest->priv_key == NULL)
if (src->pub_key != NULL) {
EC_POINT_free(dest->pub_key);
if ((dest->pub_key = EC_POINT_dup(src->pub_key,
src->group)) == NULL)
return NULL;
}
if (!bn_copy(dest->priv_key, src->priv_key))
}
BN_free(dest->priv_key);
dest->priv_key = NULL;
if (src->priv_key != NULL) {
if ((dest->priv_key = BN_dup(src->priv_key)) == NULL)
return NULL;
}
/* copy the rest */
dest->enc_flag = src->enc_flag;
dest->conv_form = src->conv_form;
dest->version = src->version;
dest->flags = src->flags;
/*
* The fun part about being a toolkit implementer is that the rest of
* the world gets to live with your terrible API design choices for
* eternity. (To be fair: the signature was changed in OpenSSL 3).
*/
if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_EC_KEY, &dest->ex_data,
&((EC_KEY *)src)->ex_data)) /* XXX const */
return NULL;
if (src->meth != dest->meth) {
dest->meth = src->meth;
}
dest->meth = src->meth;
if (src->meth != NULL && src->meth->copy != NULL &&
src->meth->copy(dest, src) == 0)
return 0;
if (src->meth != NULL && src->meth->copy != NULL) {
if (!src->meth->copy(dest, src))
return NULL;
}
return dest;
}
LCRYPTO_ALIAS(EC_KEY_copy);
EC_KEY *
EC_KEY_dup(const EC_KEY *ec_key)
EC_KEY_dup(const EC_KEY *in_ec_key)
{
EC_KEY *ret;
EC_KEY *ec_key;
if ((ret = EC_KEY_new_method(NULL)) == NULL)
return NULL;
if (EC_KEY_copy(ret, ec_key) == NULL) {
EC_KEY_free(ret);
return NULL;
}
return ret;
/* XXX - Pass NULL - so we're perhaps not running the right init()? */
if ((ec_key = EC_KEY_new_method(NULL)) == NULL)
goto err;
if (EC_KEY_copy(ec_key, in_ec_key) == NULL)
goto err;
return ec_key;
err:
EC_KEY_free(ec_key);
return NULL;
}
LCRYPTO_ALIAS(EC_KEY_dup);
@ -287,7 +290,7 @@ EC_KEY_check_key(const EC_KEY *eckey)
goto err;
}
if (EC_POINT_is_at_infinity(eckey->group, eckey->pub_key) > 0) {
if (EC_POINT_is_at_infinity(eckey->group, eckey->pub_key)) {
ECerror(EC_R_POINT_AT_INFINITY);
goto err;
}
@ -313,7 +316,7 @@ EC_KEY_check_key(const EC_KEY *eckey)
ECerror(ERR_R_EC_LIB);
goto err;
}
if (EC_POINT_is_at_infinity(eckey->group, point) <= 0) {
if (!EC_POINT_is_at_infinity(eckey->group, point)) {
ECerror(EC_R_WRONG_ORDER);
goto err;
}
@ -534,3 +537,271 @@ EC_KEY_clear_flags(EC_KEY *key, int flags)
key->flags &= ~flags;
}
LCRYPTO_ALIAS(EC_KEY_clear_flags);
const EC_KEY_METHOD *
EC_KEY_get_method(const EC_KEY *key)
{
return key->meth;
}
LCRYPTO_ALIAS(EC_KEY_get_method);
int
EC_KEY_set_method(EC_KEY *key, const EC_KEY_METHOD *meth)
{
void (*finish)(EC_KEY *key) = key->meth->finish;
if (finish != NULL)
finish(key);
key->meth = meth;
if (meth->init != NULL)
return meth->init(key);
return 1;
}
LCRYPTO_ALIAS(EC_KEY_set_method);
EC_KEY *
EC_KEY_new_method(ENGINE *engine)
{
EC_KEY *ret;
if ((ret = calloc(1, sizeof(EC_KEY))) == NULL) {
ECerror(ERR_R_MALLOC_FAILURE);
return NULL;
}
ret->meth = EC_KEY_get_default_method();
ret->version = 1;
ret->flags = 0;
ret->group = NULL;
ret->pub_key = NULL;
ret->priv_key = NULL;
ret->enc_flag = 0;
ret->conv_form = POINT_CONVERSION_UNCOMPRESSED;
ret->references = 1;
if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_EC_KEY, ret, &ret->ex_data))
goto err;
if (ret->meth->init != NULL && ret->meth->init(ret) == 0)
goto err;
return ret;
err:
EC_KEY_free(ret);
return NULL;
}
LCRYPTO_ALIAS(EC_KEY_new_method);
EC_KEY_METHOD *
EC_KEY_METHOD_new(const EC_KEY_METHOD *meth)
{
EC_KEY_METHOD *ret;
if ((ret = calloc(1, sizeof(*meth))) == NULL)
return NULL;
if (meth != NULL)
*ret = *meth;
ret->flags |= EC_KEY_METHOD_DYNAMIC;
return ret;
}
LCRYPTO_ALIAS(EC_KEY_METHOD_new);
void
EC_KEY_METHOD_free(EC_KEY_METHOD *meth)
{
if (meth == NULL)
return;
if (meth->flags & EC_KEY_METHOD_DYNAMIC)
free(meth);
}
LCRYPTO_ALIAS(EC_KEY_METHOD_free);
void
EC_KEY_METHOD_set_init(EC_KEY_METHOD *meth,
int (*init)(EC_KEY *key),
void (*finish)(EC_KEY *key),
int (*copy)(EC_KEY *dest, const EC_KEY *src),
int (*set_group)(EC_KEY *key, const EC_GROUP *grp),
int (*set_private)(EC_KEY *key, const BIGNUM *priv_key),
int (*set_public)(EC_KEY *key, const EC_POINT *pub_key))
{
meth->init = init;
meth->finish = finish;
meth->copy = copy;
meth->set_group = set_group;
meth->set_private = set_private;
meth->set_public = set_public;
}
LCRYPTO_ALIAS(EC_KEY_METHOD_set_init);
void
EC_KEY_METHOD_set_keygen(EC_KEY_METHOD *meth, int (*keygen)(EC_KEY *key))
{
meth->keygen = keygen;
}
LCRYPTO_ALIAS(EC_KEY_METHOD_set_keygen);
void
EC_KEY_METHOD_set_compute_key(EC_KEY_METHOD *meth,
int (*ckey)(unsigned char **out, size_t *out_len, const EC_POINT *pub_key,
const EC_KEY *ecdh))
{
meth->compute_key = ckey;
}
LCRYPTO_ALIAS(EC_KEY_METHOD_set_compute_key);
void
EC_KEY_METHOD_set_sign(EC_KEY_METHOD *meth,
int (*sign)(int type, const unsigned char *dgst,
int dlen, unsigned char *sig, unsigned int *siglen,
const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey),
int (*sign_setup)(EC_KEY *eckey, BN_CTX *ctx_in,
BIGNUM **kinvp, BIGNUM **rp),
ECDSA_SIG *(*sign_sig)(const unsigned char *dgst,
int dgst_len, const BIGNUM *in_kinv,
const BIGNUM *in_r, EC_KEY *eckey))
{
meth->sign = sign;
meth->sign_setup = sign_setup;
meth->sign_sig = sign_sig;
}
LCRYPTO_ALIAS(EC_KEY_METHOD_set_sign);
void
EC_KEY_METHOD_set_verify(EC_KEY_METHOD *meth,
int (*verify)(int type, const unsigned char *dgst, int dgst_len,
const unsigned char *sigbuf, int sig_len, EC_KEY *eckey),
int (*verify_sig)(const unsigned char *dgst, int dgst_len,
const ECDSA_SIG *sig, EC_KEY *eckey))
{
meth->verify = verify;
meth->verify_sig = verify_sig;
}
LCRYPTO_ALIAS(EC_KEY_METHOD_set_verify);
void
EC_KEY_METHOD_get_init(const EC_KEY_METHOD *meth,
int (**pinit)(EC_KEY *key),
void (**pfinish)(EC_KEY *key),
int (**pcopy)(EC_KEY *dest, const EC_KEY *src),
int (**pset_group)(EC_KEY *key, const EC_GROUP *grp),
int (**pset_private)(EC_KEY *key, const BIGNUM *priv_key),
int (**pset_public)(EC_KEY *key, const EC_POINT *pub_key))
{
if (pinit != NULL)
*pinit = meth->init;
if (pfinish != NULL)
*pfinish = meth->finish;
if (pcopy != NULL)
*pcopy = meth->copy;
if (pset_group != NULL)
*pset_group = meth->set_group;
if (pset_private != NULL)
*pset_private = meth->set_private;
if (pset_public != NULL)
*pset_public = meth->set_public;
}
LCRYPTO_ALIAS(EC_KEY_METHOD_get_init);
void
EC_KEY_METHOD_get_keygen(const EC_KEY_METHOD *meth,
int (**pkeygen)(EC_KEY *key))
{
if (pkeygen != NULL)
*pkeygen = meth->keygen;
}
LCRYPTO_ALIAS(EC_KEY_METHOD_get_keygen);
void
EC_KEY_METHOD_get_compute_key(const EC_KEY_METHOD *meth,
int (**pck)(unsigned char **out, size_t *out_len, const EC_POINT *pub_key,
const EC_KEY *ecdh))
{
if (pck != NULL)
*pck = meth->compute_key;
}
LCRYPTO_ALIAS(EC_KEY_METHOD_get_compute_key);
void
EC_KEY_METHOD_get_sign(const EC_KEY_METHOD *meth,
int (**psign)(int type, const unsigned char *dgst,
int dlen, unsigned char *sig, unsigned int *siglen,
const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey),
int (**psign_setup)(EC_KEY *eckey, BN_CTX *ctx_in,
BIGNUM **kinvp, BIGNUM **rp),
ECDSA_SIG *(**psign_sig)(const unsigned char *dgst,
int dgst_len, const BIGNUM *in_kinv, const BIGNUM *in_r,
EC_KEY *eckey))
{
if (psign != NULL)
*psign = meth->sign;
if (psign_setup != NULL)
*psign_setup = meth->sign_setup;
if (psign_sig != NULL)
*psign_sig = meth->sign_sig;
}
LCRYPTO_ALIAS(EC_KEY_METHOD_get_sign);
void
EC_KEY_METHOD_get_verify(const EC_KEY_METHOD *meth,
int (**pverify)(int type, const unsigned char *dgst, int dgst_len,
const unsigned char *sigbuf, int sig_len, EC_KEY *eckey),
int (**pverify_sig)(const unsigned char *dgst, int dgst_len,
const ECDSA_SIG *sig, EC_KEY *eckey))
{
if (pverify != NULL)
*pverify = meth->verify;
if (pverify_sig != NULL)
*pverify_sig = meth->verify_sig;
}
LCRYPTO_ALIAS(EC_KEY_METHOD_get_verify);
static const EC_KEY_METHOD openssl_ec_key_method = {
.name = "OpenSSL EC_KEY method",
.flags = 0,
.init = NULL,
.finish = NULL,
.copy = NULL,
.set_group = NULL,
.set_private = NULL,
.set_public = NULL,
.keygen = ec_key_gen,
.compute_key = ecdh_compute_key,
.sign = ecdsa_sign,
.sign_setup = ecdsa_sign_setup,
.sign_sig = ecdsa_sign_sig,
.verify = ecdsa_verify,
.verify_sig = ecdsa_verify_sig,
};
const EC_KEY_METHOD *
EC_KEY_OpenSSL(void)
{
return &openssl_ec_key_method;
}
LCRYPTO_ALIAS(EC_KEY_OpenSSL);
const EC_KEY_METHOD *default_ec_key_meth = &openssl_ec_key_method;
const EC_KEY_METHOD *
EC_KEY_get_default_method(void)
{
return default_ec_key_meth;
}
LCRYPTO_ALIAS(EC_KEY_get_default_method);
void
EC_KEY_set_default_method(const EC_KEY_METHOD *meth)
{
if (meth == NULL)
default_ec_key_meth = &openssl_ec_key_method;
else
default_ec_key_meth = meth;
}
LCRYPTO_ALIAS(EC_KEY_set_default_method);


@ -1,328 +0,0 @@
/* $OpenBSD: ec_kmeth.c,v 1.14 2024/08/03 13:06:37 tb Exp $ */
/*
* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project.
*/
/* ====================================================================
* Copyright (c) 2015 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* licensing@OpenSSL.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*/
#include <openssl/ec.h>
#include <openssl/err.h>
#include "bn_local.h"
#include "ec_local.h"
#include "ecdsa_local.h"
static const EC_KEY_METHOD openssl_ec_key_method = {
.name = "OpenSSL EC_KEY method",
.flags = 0,
.init = NULL,
.finish = NULL,
.copy = NULL,
.set_group = NULL,
.set_private = NULL,
.set_public = NULL,
.keygen = ec_key_gen,
.compute_key = ecdh_compute_key,
.sign = ecdsa_sign,
.sign_setup = ecdsa_sign_setup,
.sign_sig = ecdsa_sign_sig,
.verify = ecdsa_verify,
.verify_sig = ecdsa_verify_sig,
};
const EC_KEY_METHOD *default_ec_key_meth = &openssl_ec_key_method;
const EC_KEY_METHOD *
EC_KEY_OpenSSL(void)
{
return &openssl_ec_key_method;
}
LCRYPTO_ALIAS(EC_KEY_OpenSSL);
const EC_KEY_METHOD *
EC_KEY_get_default_method(void)
{
return default_ec_key_meth;
}
LCRYPTO_ALIAS(EC_KEY_get_default_method);
void
EC_KEY_set_default_method(const EC_KEY_METHOD *meth)
{
if (meth == NULL)
default_ec_key_meth = &openssl_ec_key_method;
else
default_ec_key_meth = meth;
}
LCRYPTO_ALIAS(EC_KEY_set_default_method);
const EC_KEY_METHOD *
EC_KEY_get_method(const EC_KEY *key)
{
return key->meth;
}
LCRYPTO_ALIAS(EC_KEY_get_method);
int
EC_KEY_set_method(EC_KEY *key, const EC_KEY_METHOD *meth)
{
void (*finish)(EC_KEY *key) = key->meth->finish;
if (finish != NULL)
finish(key);
key->meth = meth;
if (meth->init != NULL)
return meth->init(key);
return 1;
}
LCRYPTO_ALIAS(EC_KEY_set_method);
EC_KEY *
EC_KEY_new_method(ENGINE *engine)
{
EC_KEY *ret;
if ((ret = calloc(1, sizeof(EC_KEY))) == NULL) {
ECerror(ERR_R_MALLOC_FAILURE);
return NULL;
}
ret->meth = EC_KEY_get_default_method();
ret->version = 1;
ret->flags = 0;
ret->group = NULL;
ret->pub_key = NULL;
ret->priv_key = NULL;
ret->enc_flag = 0;
ret->conv_form = POINT_CONVERSION_UNCOMPRESSED;
ret->references = 1;
if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_EC_KEY, ret, &ret->ex_data))
goto err;
if (ret->meth->init != NULL && ret->meth->init(ret) == 0)
goto err;
return ret;
err:
EC_KEY_free(ret);
return NULL;
}
LCRYPTO_ALIAS(EC_KEY_new_method);
EC_KEY_METHOD *
EC_KEY_METHOD_new(const EC_KEY_METHOD *meth)
{
EC_KEY_METHOD *ret;
if ((ret = calloc(1, sizeof(*meth))) == NULL)
return NULL;
if (meth != NULL)
*ret = *meth;
ret->flags |= EC_KEY_METHOD_DYNAMIC;
return ret;
}
LCRYPTO_ALIAS(EC_KEY_METHOD_new);
void
EC_KEY_METHOD_free(EC_KEY_METHOD *meth)
{
if (meth == NULL)
return;
if (meth->flags & EC_KEY_METHOD_DYNAMIC)
free(meth);
}
LCRYPTO_ALIAS(EC_KEY_METHOD_free);
void
EC_KEY_METHOD_set_init(EC_KEY_METHOD *meth,
int (*init)(EC_KEY *key),
void (*finish)(EC_KEY *key),
int (*copy)(EC_KEY *dest, const EC_KEY *src),
int (*set_group)(EC_KEY *key, const EC_GROUP *grp),
int (*set_private)(EC_KEY *key, const BIGNUM *priv_key),
int (*set_public)(EC_KEY *key, const EC_POINT *pub_key))
{
meth->init = init;
meth->finish = finish;
meth->copy = copy;
meth->set_group = set_group;
meth->set_private = set_private;
meth->set_public = set_public;
}
LCRYPTO_ALIAS(EC_KEY_METHOD_set_init);
void
EC_KEY_METHOD_set_keygen(EC_KEY_METHOD *meth, int (*keygen)(EC_KEY *key))
{
meth->keygen = keygen;
}
LCRYPTO_ALIAS(EC_KEY_METHOD_set_keygen);
void
EC_KEY_METHOD_set_compute_key(EC_KEY_METHOD *meth,
int (*ckey)(unsigned char **out, size_t *out_len, const EC_POINT *pub_key,
const EC_KEY *ecdh))
{
meth->compute_key = ckey;
}
LCRYPTO_ALIAS(EC_KEY_METHOD_set_compute_key);
void
EC_KEY_METHOD_set_sign(EC_KEY_METHOD *meth,
int (*sign)(int type, const unsigned char *dgst,
int dlen, unsigned char *sig, unsigned int *siglen,
const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey),
int (*sign_setup)(EC_KEY *eckey, BN_CTX *ctx_in,
BIGNUM **kinvp, BIGNUM **rp),
ECDSA_SIG *(*sign_sig)(const unsigned char *dgst,
int dgst_len, const BIGNUM *in_kinv,
const BIGNUM *in_r, EC_KEY *eckey))
{
meth->sign = sign;
meth->sign_setup = sign_setup;
meth->sign_sig = sign_sig;
}
LCRYPTO_ALIAS(EC_KEY_METHOD_set_sign);
void
EC_KEY_METHOD_set_verify(EC_KEY_METHOD *meth,
int (*verify)(int type, const unsigned char *dgst, int dgst_len,
const unsigned char *sigbuf, int sig_len, EC_KEY *eckey),
int (*verify_sig)(const unsigned char *dgst, int dgst_len,
const ECDSA_SIG *sig, EC_KEY *eckey))
{
meth->verify = verify;
meth->verify_sig = verify_sig;
}
LCRYPTO_ALIAS(EC_KEY_METHOD_set_verify);
void
EC_KEY_METHOD_get_init(const EC_KEY_METHOD *meth,
int (**pinit)(EC_KEY *key),
void (**pfinish)(EC_KEY *key),
int (**pcopy)(EC_KEY *dest, const EC_KEY *src),
int (**pset_group)(EC_KEY *key, const EC_GROUP *grp),
int (**pset_private)(EC_KEY *key, const BIGNUM *priv_key),
int (**pset_public)(EC_KEY *key, const EC_POINT *pub_key))
{
if (pinit != NULL)
*pinit = meth->init;
if (pfinish != NULL)
*pfinish = meth->finish;
if (pcopy != NULL)
*pcopy = meth->copy;
if (pset_group != NULL)
*pset_group = meth->set_group;
if (pset_private != NULL)
*pset_private = meth->set_private;
if (pset_public != NULL)
*pset_public = meth->set_public;
}
LCRYPTO_ALIAS(EC_KEY_METHOD_get_init);
void
EC_KEY_METHOD_get_keygen(const EC_KEY_METHOD *meth,
int (**pkeygen)(EC_KEY *key))
{
if (pkeygen != NULL)
*pkeygen = meth->keygen;
}
LCRYPTO_ALIAS(EC_KEY_METHOD_get_keygen);
void
EC_KEY_METHOD_get_compute_key(const EC_KEY_METHOD *meth,
int (**pck)(unsigned char **out, size_t *out_len, const EC_POINT *pub_key,
const EC_KEY *ecdh))
{
if (pck != NULL)
*pck = meth->compute_key;
}
LCRYPTO_ALIAS(EC_KEY_METHOD_get_compute_key);
void
EC_KEY_METHOD_get_sign(const EC_KEY_METHOD *meth,
int (**psign)(int type, const unsigned char *dgst,
int dlen, unsigned char *sig, unsigned int *siglen,
const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey),
int (**psign_setup)(EC_KEY *eckey, BN_CTX *ctx_in,
BIGNUM **kinvp, BIGNUM **rp),
ECDSA_SIG *(**psign_sig)(const unsigned char *dgst,
int dgst_len, const BIGNUM *in_kinv, const BIGNUM *in_r,
EC_KEY *eckey))
{
if (psign != NULL)
*psign = meth->sign;
if (psign_setup != NULL)
*psign_setup = meth->sign_setup;
if (psign_sig != NULL)
*psign_sig = meth->sign_sig;
}
LCRYPTO_ALIAS(EC_KEY_METHOD_get_sign);
void
EC_KEY_METHOD_get_verify(const EC_KEY_METHOD *meth,
int (**pverify)(int type, const unsigned char *dgst, int dgst_len,
const unsigned char *sigbuf, int sig_len, EC_KEY *eckey),
int (**pverify_sig)(const unsigned char *dgst, int dgst_len,
const ECDSA_SIG *sig, EC_KEY *eckey))
{
if (pverify != NULL)
*pverify = meth->verify;
if (pverify_sig != NULL)
*pverify_sig = meth->verify_sig;
}
LCRYPTO_ALIAS(EC_KEY_METHOD_get_verify);



@ -1,4 +1,4 @@
/* $OpenBSD: ec_local.h,v 1.30 2024/10/18 17:27:07 tb Exp $ */
/* $OpenBSD: ec_local.h,v 1.54 2025/01/07 08:52:17 tb Exp $ */
/*
* Originally written by Bodo Moeller for the OpenSSL project.
*/
@ -88,28 +88,11 @@ __BEGIN_HIDDEN_DECLS
struct ec_method_st {
int field_type;
int (*group_init)(EC_GROUP *);
void (*group_finish)(EC_GROUP *);
int (*group_copy)(EC_GROUP *, const EC_GROUP *);
int (*group_set_curve)(EC_GROUP *, const BIGNUM *p, const BIGNUM *a,
const BIGNUM *b, BN_CTX *);
int (*group_get_curve)(const EC_GROUP *, BIGNUM *p, BIGNUM *a,
BIGNUM *b, BN_CTX *);
int (*group_get_degree)(const EC_GROUP *);
int (*group_order_bits)(const EC_GROUP *);
int (*group_check_discriminant)(const EC_GROUP *, BN_CTX *);
int (*point_init)(EC_POINT *);
void (*point_finish)(EC_POINT *);
int (*point_copy)(EC_POINT *, const EC_POINT *);
int (*point_set_to_infinity)(const EC_GROUP *, EC_POINT *);
int (*point_set_Jprojective_coordinates)(const EC_GROUP *, EC_POINT *,
const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *);
int (*point_get_Jprojective_coordinates)(const EC_GROUP *,
const EC_POINT *, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *);
int (*point_set_affine_coordinates)(const EC_GROUP *, EC_POINT *,
const BIGNUM *x, const BIGNUM *y, BN_CTX *);
int (*point_get_affine_coordinates)(const EC_GROUP *, const EC_POINT *,
@ -117,18 +100,11 @@ struct ec_method_st {
int (*point_set_compressed_coordinates)(const EC_GROUP *, EC_POINT *,
const BIGNUM *x, int y_bit, BN_CTX *);
size_t (*point2oct)(const EC_GROUP *, const EC_POINT *,
point_conversion_form_t form, unsigned char *buf, size_t len,
BN_CTX *);
int (*oct2point)(const EC_GROUP *, EC_POINT *, const unsigned char *buf,
size_t len, BN_CTX *);
int (*add)(const EC_GROUP *, EC_POINT *r, const EC_POINT *a,
const EC_POINT *b, BN_CTX *);
int (*dbl)(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, BN_CTX *);
int (*invert)(const EC_GROUP *, EC_POINT *, BN_CTX *);
int (*is_at_infinity)(const EC_GROUP *, const EC_POINT *);
int (*is_on_curve)(const EC_GROUP *, const EC_POINT *, BN_CTX *);
int (*point_cmp)(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b,
BN_CTX *);
@ -145,10 +121,6 @@ struct ec_method_st {
const BIGNUM *g_scalar, const BIGNUM *p_scalar,
const EC_POINT *point, BN_CTX *);
/*
* Internal methods.
*/
/*
* These can be used by 'add' and 'dbl' so that the same implementations
* of point operations can be used with different optimized versions of
@ -158,18 +130,12 @@ struct ec_method_st {
const BIGNUM *b, BN_CTX *);
int (*field_sqr)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
BN_CTX *);
int (*field_div)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
const BIGNUM *b, BN_CTX *);
/* Encode to and decode from other forms (e.g. Montgomery). */
int (*field_encode)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
BN_CTX *);
int (*field_decode)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
BN_CTX *);
int (*field_set_to_one)(const EC_GROUP *, BIGNUM *r, BN_CTX *);
int (*blind_coordinates)(const EC_GROUP *group, EC_POINT *p,
BN_CTX *ctx);
} /* EC_METHOD */;
struct ec_group_st {
@ -180,10 +146,10 @@ struct ec_group_st {
const EC_METHOD *meth;
EC_POINT *generator; /* Optional */
BIGNUM order;
BIGNUM cofactor;
BIGNUM *order;
BIGNUM *cofactor;
int curve_name; /* Optional NID for named curve. */
int nid; /* Optional NID for named curve. */
/* ASN.1 encoding controls. */
int asn1_flag;
@ -194,119 +160,50 @@ struct ec_group_st {
size_t seed_len;
/*
* Internal methods and members. Handled by the method functions, even
* if they appear to be generic.
* Coefficients of the Weierstrass equation y^2 = x^3 + a*x + b (mod p).
*/
/*
* Field specification. For GF(p) this is the modulus; for GF(2^m),
* this is the irreducible polynomial defining the field.
*/
BIGNUM field;
/*
* Curve coefficients. In characteristic > 3, the curve is defined by a
* Weierstrass equation of the form y^2 = x^3 + a*x + b.
*/
BIGNUM a, b;
BIGNUM *p;
BIGNUM *a;
BIGNUM *b;
/* Enables optimized point arithmetics for special case. */
int a_is_minus3;
/* Montgomery context and values used by EC_GFp_mont_method. */
/* Montgomery context used by EC_GFp_mont_method. */
BN_MONT_CTX *mont_ctx;
BIGNUM *mont_one;
} /* EC_GROUP */;
struct ec_key_st {
const EC_KEY_METHOD *meth;
int version;
EC_GROUP *group;
EC_POINT *pub_key;
BIGNUM *priv_key;
unsigned int enc_flag;
point_conversion_form_t conv_form;
int references;
int flags;
CRYPTO_EX_DATA ex_data;
} /* EC_KEY */;
struct ec_point_st {
const EC_METHOD *meth;
/*
* All members except 'meth' are handled by the method functions,
* even if they appear generic.
*/
/*
* Jacobian projective coordinates: (X, Y, Z) represents (X/Z^2, Y/Z^3)
* if Z != 0
*/
BIGNUM X;
BIGNUM Y;
BIGNUM Z;
BIGNUM *X;
BIGNUM *Y;
BIGNUM *Z;
int Z_is_one; /* enable optimized point arithmetics for special case */
} /* EC_POINT */;
/* method functions in ec_mult.c
* (ec_lib.c uses these as defaults if group->method->mul is 0) */
int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *);
/* Compute r = generator * m + point * n in non-constant time. */
int ec_wnaf_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *m,
const EC_POINT *point, const BIGNUM *n, BN_CTX *ctx);
/* method functions in ecp_smpl.c */
int ec_GFp_simple_group_init(EC_GROUP *);
void ec_GFp_simple_group_finish(EC_GROUP *);
int ec_GFp_simple_group_copy(EC_GROUP *, const EC_GROUP *);
int ec_GFp_simple_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
int ec_GFp_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *);
int ec_GFp_simple_group_get_degree(const EC_GROUP *);
int ec_GFp_simple_group_check_discriminant(const EC_GROUP *, BN_CTX *);
int ec_GFp_simple_point_init(EC_POINT *);
void ec_GFp_simple_point_finish(EC_POINT *);
int ec_GFp_simple_point_copy(EC_POINT *, const EC_POINT *);
int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *, EC_POINT *);
int ec_GFp_simple_set_Jprojective_coordinates(const EC_GROUP *, EC_POINT *,
const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *);
int ec_GFp_simple_get_Jprojective_coordinates(const EC_GROUP *,
const EC_POINT *, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *);
int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *, EC_POINT *,
const BIGNUM *x, const BIGNUM *y, BN_CTX *);
int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *, const EC_POINT *,
BIGNUM *x, BIGNUM *y, BN_CTX *);
int ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *, EC_POINT *,
const BIGNUM *x, int y_bit, BN_CTX *);
size_t ec_GFp_simple_point2oct(const EC_GROUP *, const EC_POINT *, point_conversion_form_t form,
unsigned char *buf, size_t len, BN_CTX *);
int ec_GFp_simple_oct2point(const EC_GROUP *, EC_POINT *,
const unsigned char *buf, size_t len, BN_CTX *);
int ec_GFp_simple_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *);
int ec_GFp_simple_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, BN_CTX *);
int ec_GFp_simple_invert(const EC_GROUP *, EC_POINT *, BN_CTX *);
int ec_GFp_simple_is_at_infinity(const EC_GROUP *, const EC_POINT *);
int ec_GFp_simple_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *);
int ec_GFp_simple_cmp(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b, BN_CTX *);
int ec_GFp_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *);
int ec_GFp_simple_points_make_affine(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *);
int ec_GFp_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
int ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
int ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx);
int ec_GFp_simple_mul_generator_ct(const EC_GROUP *, EC_POINT *r, const BIGNUM *scalar, BN_CTX *);
int ec_GFp_simple_mul_single_ct(const EC_GROUP *, EC_POINT *r, const BIGNUM *scalar,
const EC_POINT *point, BN_CTX *);
int ec_GFp_simple_mul_double_nonct(const EC_GROUP *, EC_POINT *r, const BIGNUM *g_scalar,
const BIGNUM *p_scalar, const EC_POINT *point, BN_CTX *);
int ec_group_is_builtin_curve(const EC_GROUP *group, int *out_nid);
int ec_group_get_field_type(const EC_GROUP *group);
int ec_group_simple_order_bits(const EC_GROUP *group);
int ec_point_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx);
/*
* Wrappers around the unergonomic EC_POINT_{oct2point,point2oct}().
*/
int ec_point_from_octets(const EC_GROUP *group, const unsigned char *buf,
size_t buf_len, EC_POINT **out_point, uint8_t *out_form, BN_CTX *ctx_in);
int ec_point_to_octets(const EC_GROUP *group, const EC_POINT *point, int form,
unsigned char **out_buf, size_t *len, BN_CTX *ctx_in);
/* EC_METHOD definitions */
/* Public API in OpenSSL */
const BIGNUM *EC_GROUP_get0_cofactor(const EC_GROUP *group);
const BIGNUM *EC_GROUP_get0_order(const EC_GROUP *group);
struct ec_key_method_st {
const char *name;
@ -336,6 +233,26 @@ struct ec_key_method_st {
#define EC_KEY_METHOD_DYNAMIC 1
struct ec_key_st {
const EC_KEY_METHOD *meth;
int version;
EC_GROUP *group;
EC_POINT *pub_key;
BIGNUM *priv_key;
unsigned int enc_flag;
point_conversion_form_t conv_form;
int references;
int flags;
CRYPTO_EX_DATA ex_data;
} /* EC_KEY */;
int eckey_compute_pubkey(EC_KEY *eckey);
int ec_key_gen(EC_KEY *eckey);
int ecdh_compute_key(unsigned char **out, size_t *out_len,
const EC_POINT *pub_key, const EC_KEY *ecdh);
@ -350,15 +267,4 @@ int ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
int ecdh_KDF_X9_63(unsigned char *out, size_t outlen, const unsigned char *Z,
size_t Zlen, const unsigned char *sinfo, size_t sinfolen, const EVP_MD *md);
int EC_POINT_set_Jprojective_coordinates(const EC_GROUP *group, EC_POINT *p,
const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx);
int EC_POINT_get_Jprojective_coordinates(const EC_GROUP *group,
const EC_POINT *p, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx);
int ec_group_is_builtin_curve(const EC_GROUP *group);
/* Public API in OpenSSL */
const BIGNUM *EC_GROUP_get0_cofactor(const EC_GROUP *group);
const BIGNUM *EC_GROUP_get0_order(const EC_GROUP *group);
__END_HIDDEN_DECLS
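Review bot: The new comment above `ec_wnaf_mul` (`Compute r = generator * m + point * n in non-constant time.`) records that the routine is variable-time but not what that means for callers, and this header is the only place internal users will look for that contract. Since the scalars m and n can leak through timing, I would spell out the restriction: `/* Compute r = generator * m + point * n in non-constant time. Only for public scalars (e.g. verification); never use with a private key or nonce. */`. In the same hunk, `ec_group_is_builtin_curve` gains an `int *out_nid` parameter with no comment on whether it may be NULL or what it holds when the group is not a builtin curve; a one-line comment stating both, matching the `ec_point_from_octets` comment style a few lines below, would avoid callers guessing. The definitions are in other files, so I am inferring the intended semantics from the declarations only.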

View file

@ -1,4 +1,4 @@
/* $OpenBSD: ec_mult.c,v 1.31 2023/06/24 17:49:44 jsing Exp $ */
/* $OpenBSD: ec_mult.c,v 1.56 2024/12/19 21:05:46 tb Exp $ */
/*
* Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project.
*/
@ -61,390 +61,351 @@
* and contributed to the OpenSSL project.
*/
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/bn.h>
#include <openssl/ec.h>
#include <openssl/err.h>
#include "ec_local.h"
/*
* This file implements the wNAF-based interleaving multi-exponentation method
* (<URL:http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller.html#multiexp>);
* for multiplication with precomputation, we use wNAF splitting
* (<URL:http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller.html#fastexp>).
*/
/* Holds the wNAF digits of bn and the corresponding odd multiples of point. */
struct ec_wnaf {
signed char *digits;
size_t num_digits;
EC_POINT **multiples;
size_t num_multiples;
};
/* Determine the modified width-(w+1) Non-Adjacent Form (wNAF) of 'scalar'.
* This is an array r[] of values that are either zero or odd with an
* absolute value less than 2^w satisfying
* scalar = \sum_j r[j]*2^j
* where at most one of any w+1 consecutive digits is non-zero
* with the exception that the most significant digit may be only
* w-1 zeros away from that next non-zero digit.
*/
static signed char *
compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len)
static int
ec_window_bits(const BIGNUM *bn)
{
int window_val;
int ok = 0;
signed char *r = NULL;
int sign = 1;
int bit, next_bit, mask;
size_t len = 0, j;
int bits = BN_num_bits(bn);
if (BN_is_zero(scalar)) {
r = malloc(1);
if (!r) {
ECerror(ERR_R_MALLOC_FAILURE);
goto err;
}
r[0] = 0;
*ret_len = 1;
return r;
}
if (w <= 0 || w > 7) {
/* 'signed char' can represent integers with
* absolute values less than 2^7 */
ECerror(ERR_R_INTERNAL_ERROR);
goto err;
}
bit = 1 << w; /* at most 128 */
next_bit = bit << 1; /* at most 256 */
mask = next_bit - 1; /* at most 255 */
if (bits >= 2000)
return 6;
if (bits >= 800)
return 5;
if (bits >= 300)
return 4;
if (bits >= 70)
return 3;
if (bits >= 20)
return 2;
if (BN_is_negative(scalar)) {
sign = -1;
}
if (scalar->d == NULL || scalar->top == 0) {
ECerror(ERR_R_INTERNAL_ERROR);
goto err;
}
len = BN_num_bits(scalar);
r = malloc(len + 1); /* modified wNAF may be one digit longer than
* binary representation (*ret_len will be
* set to the actual length, i.e. at most
* BN_num_bits(scalar) + 1) */
if (r == NULL) {
ECerror(ERR_R_MALLOC_FAILURE);
goto err;
}
window_val = scalar->d[0] & mask;
j = 0;
while ((window_val != 0) || (j + w + 1 < len)) {
/* if j+w+1 >= len, window_val will not increase */
int digit = 0;
/* 0 <= window_val <= 2^(w+1) */
if (window_val & 1) {
/* 0 < window_val < 2^(w+1) */
if (window_val & bit) {
digit = window_val - next_bit; /* -2^w < digit < 0 */
#if 1 /* modified wNAF */
if (j + w + 1 >= len) {
/*
* special case for generating
* modified wNAFs: no new bits will
* be added into window_val, so using
* a positive digit here will
* decrease the total length of the
* representation
*/
digit = window_val & (mask >> 1); /* 0 < digit < 2^w */
}
#endif
} else {
digit = window_val; /* 0 < digit < 2^w */
}
if (digit <= -bit || digit >= bit || !(digit & 1)) {
ECerror(ERR_R_INTERNAL_ERROR);
goto err;
}
window_val -= digit;
/*
* now window_val is 0 or 2^(w+1) in standard wNAF
* generation; for modified window NAFs, it may also
* be 2^w
*/
if (window_val != 0 && window_val != next_bit && window_val != bit) {
ECerror(ERR_R_INTERNAL_ERROR);
goto err;
}
}
r[j++] = sign * digit;
window_val >>= 1;
window_val += bit * BN_is_bit_set(scalar, j + w);
if (window_val > next_bit) {
ECerror(ERR_R_INTERNAL_ERROR);
goto err;
}
}
if (j > len + 1) {
ECerror(ERR_R_INTERNAL_ERROR);
goto err;
}
len = j;
ok = 1;
err:
if (!ok) {
free(r);
r = NULL;
}
if (ok)
*ret_len = len;
return r;
return 1;
}
/* TODO: table should be optimised for the wNAF-based implementation,
* sometimes smaller windows will give better performance
* (thus the boundaries should be increased)
/*
* Width-(w+1) non-adjacent form of bn = \sum_j n_j 2^j, with odd n_j,
* where at most one of any (w+1) consecutive digits is non-zero.
*/
#define EC_window_bits_for_scalar_size(b) \
((size_t) \
((b) >= 2000 ? 6 : \
(b) >= 800 ? 5 : \
(b) >= 300 ? 4 : \
(b) >= 70 ? 3 : \
(b) >= 20 ? 2 : \
1))
/* Compute
* \sum scalars[i]*points[i],
* also including
* scalar*generator
* in the addition if scalar != NULL
*/
int
ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx)
static int
ec_compute_wnaf(const BIGNUM *bn, signed char *digits, size_t num_digits)
{
const EC_POINT *generator = NULL;
EC_POINT *tmp = NULL;
size_t totalnum;
size_t numblocks = 0; /* for wNAF splitting */
size_t i, j;
int k;
int r_is_inverted = 0;
int r_is_at_infinity = 1;
size_t *wsize = NULL; /* individual window sizes */
signed char **wNAF = NULL; /* individual wNAFs */
signed char *tmp_wNAF = NULL;
size_t *wNAF_len = NULL;
size_t max_len = 0;
size_t num_val;
EC_POINT **val = NULL; /* precomputation */
EC_POINT **v;
EC_POINT ***val_sub = NULL; /* pointers to sub-arrays of 'val' or
* 'pre_comp->points' */
int num_scalar = 0; /* flag: will be set to 1 if 'scalar' must be
* treated like other scalars, i.e.
* precomputation is not available */
int digit, bit, next, sign, wbits, window;
size_t i;
int ret = 0;
if (group->meth != r->meth) {
ECerror(EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
if ((scalar == NULL) && (num == 0)) {
return EC_POINT_set_to_infinity(group, r);
}
for (i = 0; i < num; i++) {
if (group->meth != points[i]->meth) {
ECerror(EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
}
if (scalar != NULL) {
generator = EC_GROUP_get0_generator(group);
if (generator == NULL) {
ECerror(EC_R_UNDEFINED_GENERATOR);
goto err;
}
numblocks = 1;
num_scalar = 1; /* treat 'scalar' like 'num'-th
* element of 'scalars' */
}
totalnum = num + numblocks;
/* includes space for pivot */
wNAF = reallocarray(NULL, (totalnum + 1), sizeof wNAF[0]);
if (wNAF == NULL) {
ECerror(ERR_R_MALLOC_FAILURE);
goto err;
}
wNAF[0] = NULL; /* preliminary pivot */
wsize = reallocarray(NULL, totalnum, sizeof wsize[0]);
wNAF_len = reallocarray(NULL, totalnum, sizeof wNAF_len[0]);
val_sub = reallocarray(NULL, totalnum, sizeof val_sub[0]);
if (wsize == NULL || wNAF_len == NULL || val_sub == NULL) {
ECerror(ERR_R_MALLOC_FAILURE);
goto err;
}
/* num_val will be the total number of temporarily precomputed points */
num_val = 0;
for (i = 0; i < num + num_scalar; i++) {
size_t bits;
bits = i < num ? BN_num_bits(scalars[i]) : BN_num_bits(scalar);
wsize[i] = EC_window_bits_for_scalar_size(bits);
num_val += (size_t) 1 << (wsize[i] - 1);
wNAF[i + 1] = NULL; /* make sure we always have a pivot */
wNAF[i] = compute_wNAF((i < num ? scalars[i] : scalar), wsize[i], &wNAF_len[i]);
if (wNAF[i] == NULL)
goto err;
if (wNAF_len[i] > max_len)
max_len = wNAF_len[i];
}
if (numblocks) {
/* we go here iff scalar != NULL */
if (num_scalar != 1) {
ECerror(ERR_R_INTERNAL_ERROR);
goto err;
}
}
/*
* All points we precompute now go into a single array 'val'.
* 'val_sub[i]' is a pointer to the subarray for the i-th point, or
* to a subarray of 'pre_comp->points' if we already have
* precomputation.
*/
val = reallocarray(NULL, (num_val + 1), sizeof val[0]);
if (val == NULL) {
ECerror(ERR_R_MALLOC_FAILURE);
goto err;
}
val[num_val] = NULL; /* pivot element */
/* allocate points for precomputation */
v = val;
for (i = 0; i < num + num_scalar; i++) {
val_sub[i] = v;
for (j = 0; j < ((size_t) 1 << (wsize[i] - 1)); j++) {
*v = EC_POINT_new(group);
if (*v == NULL)
goto err;
v++;
}
}
if (!(v == val + num_val)) {
if (num_digits != BN_num_bits(bn) + 1) {
ECerror(ERR_R_INTERNAL_ERROR);
goto err;
}
if (!(tmp = EC_POINT_new(group)))
goto err;
/*
* prepare precomputed values: val_sub[i][0] := points[i]
* val_sub[i][1] := 3 * points[i] val_sub[i][2] := 5 * points[i] ...
*/
for (i = 0; i < num + num_scalar; i++) {
if (i < num) {
if (!EC_POINT_copy(val_sub[i][0], points[i]))
goto err;
} else {
if (!EC_POINT_copy(val_sub[i][0], generator))
goto err;
}
sign = BN_is_negative(bn) ? -1 : 1;
if (wsize[i] > 1) {
if (!EC_POINT_dbl(group, tmp, val_sub[i][0], ctx))
goto err;
for (j = 1; j < ((size_t) 1 << (wsize[i] - 1)); j++) {
if (!EC_POINT_add(group, val_sub[i][j], val_sub[i][j - 1], tmp, ctx))
goto err;
}
}
wbits = ec_window_bits(bn);
bit = 1 << wbits;
next = bit << 1;
/* Extract the wbits + 1 lowest bits from bn into window. */
window = 0;
for (i = 0; i < wbits + 1; i++) {
if (BN_is_bit_set(bn, i))
window |= (1 << i);
}
if (!EC_POINTs_make_affine(group, num_val, val, ctx))
goto err;
/* Instead of bn >>= 1 in each iteration, slide window to the left. */
for (i = 0; i < num_digits; i++) {
digit = 0;
r_is_at_infinity = 1;
for (k = max_len - 1; k >= 0; k--) {
if (!r_is_at_infinity) {
if (!EC_POINT_dbl(group, r, r, ctx))
goto err;
/*
* If window is odd, the i-th wNAF digit is window (mods 2^w),
* where mods is the signed modulo in (-2^w-1, 2^w-1]. Subtract
* the digit from window, so window is 0 or next, and add the
* digit to the wNAF digits.
*/
if ((window & 1) != 0) {
digit = window;
if ((window & bit) != 0)
digit = window - next;
window -= digit;
}
for (i = 0; i < totalnum; i++) {
if (wNAF_len[i] > (size_t) k) {
int digit = wNAF[i][k];
int is_neg;
if (digit) {
is_neg = digit < 0;
digits[i] = sign * digit;
if (is_neg)
digit = -digit;
if (is_neg != r_is_inverted) {
if (!r_is_at_infinity) {
if (!EC_POINT_invert(group, r, ctx))
goto err;
}
r_is_inverted = !r_is_inverted;
}
/* digit > 0 */
if (r_is_at_infinity) {
if (!EC_POINT_copy(r, val_sub[i][digit >> 1]))
goto err;
r_is_at_infinity = 0;
} else {
if (!EC_POINT_add(group, r, r, val_sub[i][digit >> 1], ctx))
goto err;
}
}
}
}
}
if (r_is_at_infinity) {
if (!EC_POINT_set_to_infinity(group, r))
goto err;
} else {
if (r_is_inverted)
if (!EC_POINT_invert(group, r, ctx))
goto err;
/* Slide the window to the left. */
window >>= 1;
window += bit * BN_is_bit_set(bn, i + wbits + 1);
}
ret = 1;
err:
EC_POINT_free(tmp);
free(wsize);
free(wNAF_len);
free(tmp_wNAF);
if (wNAF != NULL) {
signed char **w;
for (w = wNAF; *w != NULL; w++)
free(*w);
free(wNAF);
}
if (val != NULL) {
for (v = val; *v != NULL; v++)
EC_POINT_free(*v);
free(val);
}
free(val_sub);
return ret;
}
static int
ec_compute_odd_multiples(const EC_GROUP *group, const EC_POINT *point,
EC_POINT **multiples, size_t num_multiples, BN_CTX *ctx)
{
EC_POINT *doubled = NULL;
size_t i;
int ret = 0;
if (num_multiples < 1)
goto err;
if ((multiples[0] = EC_POINT_dup(point, group)) == NULL)
goto err;
if ((doubled = EC_POINT_new(group)) == NULL)
goto err;
if (!EC_POINT_dbl(group, doubled, point, ctx))
goto err;
for (i = 1; i < num_multiples; i++) {
if ((multiples[i] = EC_POINT_new(group)) == NULL)
goto err;
if (!EC_POINT_add(group, multiples[i], multiples[i - 1], doubled,
ctx))
goto err;
}
ret = 1;
err:
EC_POINT_free(doubled);
return ret;
}
/*
* Bring multiples held in wnaf0 and wnaf1 simultaneously into affine form
* so that the operations in the loop in ec_wnaf_mul() can take fast paths.
*/
static int
ec_normalize_points(const EC_GROUP *group, struct ec_wnaf *wnaf0,
struct ec_wnaf *wnaf1, BN_CTX *ctx)
{
EC_POINT **points0 = wnaf0->multiples, **points1 = wnaf1->multiples;
size_t len0 = wnaf0->num_multiples, len1 = wnaf1->num_multiples;
EC_POINT **val = NULL;
size_t len = 0;
int ret = 0;
if (len1 > SIZE_MAX - len0)
goto err;
len = len0 + len1;
if ((val = calloc(len, sizeof(*val))) == NULL) {
ECerror(ERR_R_MALLOC_FAILURE);
goto err;
}
memcpy(&val[0], points0, sizeof(*val) * len0);
memcpy(&val[len0], points1, sizeof(*val) * len1);
if (!EC_POINTs_make_affine(group, len, val, ctx))
goto err;
ret = 1;
err:
free(val);
return ret;
}
static void
ec_points_free(EC_POINT **points, size_t num_points)
{
size_t i;
if (points == NULL)
return;
for (i = 0; i < num_points; i++)
EC_POINT_free(points[i]);
free(points);
}
static void
ec_wnaf_free(struct ec_wnaf *wnaf)
{
if (wnaf == NULL)
return;
free(wnaf->digits);
ec_points_free(wnaf->multiples, wnaf->num_multiples);
free(wnaf);
}
/*
* Calculate wNAF splitting of bn and the corresponding odd multiples of point.
*/
static struct ec_wnaf *
ec_wnaf_new(const EC_GROUP *group, const EC_POINT *point, const BIGNUM *bn,
BN_CTX *ctx)
{
struct ec_wnaf *wnaf;
if ((wnaf = calloc(1, sizeof(*wnaf))) == NULL)
goto err;
wnaf->num_digits = BN_num_bits(bn) + 1;
if ((wnaf->digits = calloc(wnaf->num_digits,
sizeof(*wnaf->digits))) == NULL)
goto err;
if (!ec_compute_wnaf(bn, wnaf->digits, wnaf->num_digits))
goto err;
wnaf->num_multiples = 1ULL << (ec_window_bits(bn) - 1);
if ((wnaf->multiples = calloc(wnaf->num_multiples,
sizeof(*wnaf->multiples))) == NULL)
goto err;
if (!ec_compute_odd_multiples(group, point, wnaf->multiples,
wnaf->num_multiples, ctx))
goto err;
return wnaf;
err:
ec_wnaf_free(wnaf);
return NULL;
}
static signed char
ec_wnaf_digit(struct ec_wnaf *wnaf, size_t idx)
{
if (idx >= wnaf->num_digits)
return 0;
return wnaf->digits[idx];
}
static const EC_POINT *
ec_wnaf_multiple(struct ec_wnaf *wnaf, signed char digit)
{
if (digit < 0)
return NULL;
if (digit >= 2 * wnaf->num_multiples)
return NULL;
return wnaf->multiples[digit >> 1];
}
/*
* Compute r = generator * m + point * n in non-constant time.
*/
int
ec_wnaf_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *m,
const EC_POINT *point, const BIGNUM *n, BN_CTX *ctx)
{
struct ec_wnaf *wnaf[2] = { NULL, NULL };
const EC_POINT *generator;
size_t i;
int k;
int r_is_inverted = 0;
size_t num_digits;
int ret = 0;
if (m == NULL || n == NULL) {
ECerror(ERR_R_PASSED_NULL_PARAMETER);
goto err;
}
if (group->meth != r->meth || group->meth != point->meth) {
ECerror(EC_R_INCOMPATIBLE_OBJECTS);
goto err;
}
if ((generator = EC_GROUP_get0_generator(group)) == NULL) {
ECerror(EC_R_UNDEFINED_GENERATOR);
goto err;
}
if ((wnaf[0] = ec_wnaf_new(group, generator, m, ctx)) == NULL)
goto err;
if ((wnaf[1] = ec_wnaf_new(group, point, n, ctx)) == NULL)
goto err;
if (!ec_normalize_points(group, wnaf[0], wnaf[1], ctx))
goto err;
num_digits = wnaf[0]->num_digits;
if (wnaf[1]->num_digits > num_digits)
num_digits = wnaf[1]->num_digits;
/*
* Set r to the neutral element. Scan through the wNAF representations
* of m and n, starting at the most significant digit. Double r and for
* each wNAF digit of m add the digit times the generator, and for each
* wNAF digit of n add the digit times the point, adjusting the signs
* as appropriate.
*/
if (!EC_POINT_set_to_infinity(group, r))
goto err;
for (k = num_digits - 1; k >= 0; k--) {
if (!EC_POINT_dbl(group, r, r, ctx))
goto err;
for (i = 0; i < 2; i++) {
const EC_POINT *multiple;
signed char digit;
int is_neg = 0;
if ((digit = ec_wnaf_digit(wnaf[i], k)) == 0)
continue;
if (digit < 0) {
is_neg = 1;
digit = -digit;
}
if (is_neg != r_is_inverted) {
if (!EC_POINT_invert(group, r, ctx))
goto err;
r_is_inverted = !r_is_inverted;
}
if ((multiple = ec_wnaf_multiple(wnaf[i], digit)) == NULL)
goto err;
if (!EC_POINT_add(group, r, r, multiple, ctx))
goto err;
}
}
if (r_is_inverted) {
if (!EC_POINT_invert(group, r, ctx))
goto err;
}
ret = 1;
err:
ec_wnaf_free(wnaf[0]);
ec_wnaf_free(wnaf[1]);
return ret;
}


@ -1,171 +0,0 @@
/* $OpenBSD: ec_oct.c,v 1.17 2024/04/10 15:01:31 beck Exp $ */
/*
* Originally written by Bodo Moeller for the OpenSSL project.
*/
/* ====================================================================
* Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
/* ====================================================================
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
* Binary polynomial ECC support in OpenSSL originally developed by
* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
*/
#include <string.h>
#include <openssl/opensslconf.h>
#include <openssl/err.h>
#include <openssl/opensslv.h>
#include "ec_local.h"
int
EC_POINT_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point,
const BIGNUM *x, int y_bit, BN_CTX *ctx_in)
{
BN_CTX *ctx;
int ret = 0;
if ((ctx = ctx_in) == NULL)
ctx = BN_CTX_new();
if (ctx == NULL)
goto err;
if (group->meth->point_set_compressed_coordinates == NULL) {
ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
goto err;
}
if (group->meth != point->meth) {
ECerror(EC_R_INCOMPATIBLE_OBJECTS);
goto err;
}
ret = group->meth->point_set_compressed_coordinates(group, point,
x, y_bit, ctx);
err:
if (ctx != ctx_in)
BN_CTX_free(ctx);
return ret;
}
LCRYPTO_ALIAS(EC_POINT_set_compressed_coordinates);
int
EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,
const BIGNUM *x, int y_bit, BN_CTX *ctx)
{
return EC_POINT_set_compressed_coordinates(group, point, x, y_bit, ctx);
}
LCRYPTO_ALIAS(EC_POINT_set_compressed_coordinates_GFp);
size_t
EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *point,
point_conversion_form_t form, unsigned char *buf, size_t len,
BN_CTX *ctx_in)
{
BN_CTX *ctx;
size_t ret = 0;
if ((ctx = ctx_in) == NULL)
ctx = BN_CTX_new();
if (ctx == NULL)
goto err;
if (group->meth->point2oct == NULL) {
ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
goto err;
}
if (group->meth != point->meth) {
ECerror(EC_R_INCOMPATIBLE_OBJECTS);
goto err;
}
ret = group->meth->point2oct(group, point, form, buf, len, ctx);
err:
if (ctx != ctx_in)
BN_CTX_free(ctx);
return ret;
}
LCRYPTO_ALIAS(EC_POINT_point2oct);
int
EC_POINT_oct2point(const EC_GROUP *group, EC_POINT *point,
const unsigned char *buf, size_t len, BN_CTX *ctx_in)
{
BN_CTX *ctx;
int ret = 0;
if ((ctx = ctx_in) == NULL)
ctx = BN_CTX_new();
if (ctx == NULL)
goto err;
if (group->meth->oct2point == NULL) {
ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
goto err;
}
if (group->meth != point->meth) {
ECerror(EC_R_INCOMPATIBLE_OBJECTS);
goto err;
}
ret = group->meth->oct2point(group, point, buf, len, ctx);
err:
if (ctx != ctx_in)
BN_CTX_free(ctx);
return ret;
}
LCRYPTO_ALIAS(EC_POINT_oct2point);


@ -1,4 +1,4 @@
/* $OpenBSD: ec_pmeth.c,v 1.23 2024/10/19 14:41:03 tb Exp $ */
/* $OpenBSD: ec_pmeth.c,v 1.24 2025/01/05 16:07:08 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2006.
*/
@ -323,7 +323,7 @@ pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
if (!ec_key->group)
return -2;
/* If cofactor is 1 cofactor mode does nothing */
if (BN_is_one(&ec_key->group->cofactor))
if (BN_is_one(ec_key->group->cofactor))
return 1;
if (!dctx->co_key) {
dctx->co_key = EC_KEY_dup(ec_key);


@ -1,181 +0,0 @@
/* $OpenBSD: ec_print.c,v 1.14 2023/11/21 22:17:15 tb Exp $ */
/* ====================================================================
* Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#include <openssl/crypto.h>
#include "ec_local.h"
BIGNUM *
EC_POINT_point2bn(const EC_GROUP *group, const EC_POINT *point,
point_conversion_form_t form, BIGNUM *ret, BN_CTX *ctx)
{
size_t buf_len = 0;
unsigned char *buf;
buf_len = EC_POINT_point2oct(group, point, form, NULL, 0, ctx);
if (buf_len == 0)
return NULL;
if ((buf = malloc(buf_len)) == NULL)
return NULL;
if (!EC_POINT_point2oct(group, point, form, buf, buf_len, ctx)) {
free(buf);
return NULL;
}
ret = BN_bin2bn(buf, buf_len, ret);
free(buf);
return ret;
}
LCRYPTO_ALIAS(EC_POINT_point2bn);
EC_POINT *
EC_POINT_bn2point(const EC_GROUP *group,
const BIGNUM *bn, EC_POINT *point, BN_CTX *ctx)
{
size_t buf_len = 0;
unsigned char *buf;
EC_POINT *ret;
if ((buf_len = BN_num_bytes(bn)) == 0)
return NULL;
buf = malloc(buf_len);
if (buf == NULL)
return NULL;
if (!BN_bn2bin(bn, buf)) {
free(buf);
return NULL;
}
if (point == NULL) {
if ((ret = EC_POINT_new(group)) == NULL) {
free(buf);
return NULL;
}
} else
ret = point;
if (!EC_POINT_oct2point(group, ret, buf, buf_len, ctx)) {
if (point == NULL)
EC_POINT_free(ret);
free(buf);
return NULL;
}
free(buf);
return ret;
}
LCRYPTO_ALIAS(EC_POINT_bn2point);
static const char *HEX_DIGITS = "0123456789ABCDEF";
/* the return value must be freed (using free()) */
char *
EC_POINT_point2hex(const EC_GROUP *group, const EC_POINT *point,
point_conversion_form_t form, BN_CTX *ctx)
{
char *ret, *p;
size_t buf_len = 0, i;
unsigned char *buf, *pbuf;
buf_len = EC_POINT_point2oct(group, point, form,
NULL, 0, ctx);
if (buf_len == 0 || buf_len + 1 == 0)
return NULL;
if ((buf = malloc(buf_len)) == NULL)
return NULL;
if (!EC_POINT_point2oct(group, point, form, buf, buf_len, ctx)) {
free(buf);
return NULL;
}
ret = reallocarray(NULL, buf_len + 1, 2);
if (ret == NULL) {
free(buf);
return NULL;
}
p = ret;
pbuf = buf;
for (i = buf_len; i > 0; i--) {
int v = (int) *(pbuf++);
*(p++) = HEX_DIGITS[v >> 4];
*(p++) = HEX_DIGITS[v & 0x0F];
}
*p = '\0';
free(buf);
return ret;
}
LCRYPTO_ALIAS(EC_POINT_point2hex);
EC_POINT *
EC_POINT_hex2point(const EC_GROUP *group, const char *buf,
EC_POINT *point, BN_CTX *ctx)
{
EC_POINT *ret = NULL;
BIGNUM *tmp_bn = NULL;
if (BN_hex2bn(&tmp_bn, buf) == 0)
return NULL;
ret = EC_POINT_bn2point(group, tmp_bn, point, ctx);
BN_free(tmp_bn);
return ret;
}
LCRYPTO_ALIAS(EC_POINT_hex2point);


@ -1,4 +1,4 @@
/* $OpenBSD: eck_prn.c,v 1.30 2023/11/21 22:05:33 tb Exp $ */
/* $OpenBSD: eck_prn.c,v 1.40 2024/11/25 06:51:39 tb Exp $ */
/*
* Written by Nils Larsch for the OpenSSL project.
*/
@ -62,112 +62,109 @@
*/
#include <stdio.h>
#include <string.h>
#include <openssl/bio.h>
#include <openssl/bn.h>
#include <openssl/ec.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
#include "bn_local.h"
#include "ec_local.h"
int
ECPKParameters_print_fp(FILE *fp, const EC_GROUP *x, int off)
EC_KEY_print(BIO *bio, const EC_KEY *ec_key, int off)
{
BIO *b;
int ret;
if ((b = BIO_new(BIO_s_file())) == NULL) {
ECerror(ERR_R_BUF_LIB);
return (0);
}
BIO_set_fp(b, fp, BIO_NOCLOSE);
ret = ECPKParameters_print(b, x, off);
BIO_free(b);
return (ret);
}
LCRYPTO_ALIAS(ECPKParameters_print_fp);
int
EC_KEY_print_fp(FILE *fp, const EC_KEY *x, int off)
{
BIO *b;
int ret;
if ((b = BIO_new(BIO_s_file())) == NULL) {
ECerror(ERR_R_BIO_LIB);
return (0);
}
BIO_set_fp(b, fp, BIO_NOCLOSE);
ret = EC_KEY_print(b, x, off);
BIO_free(b);
return (ret);
}
LCRYPTO_ALIAS(EC_KEY_print_fp);
int
ECParameters_print_fp(FILE *fp, const EC_KEY *x)
{
BIO *b;
int ret;
if ((b = BIO_new(BIO_s_file())) == NULL) {
ECerror(ERR_R_BIO_LIB);
return (0);
}
BIO_set_fp(b, fp, BIO_NOCLOSE);
ret = ECParameters_print(b, x);
BIO_free(b);
return (ret);
}
LCRYPTO_ALIAS(ECParameters_print_fp);
int
EC_KEY_print(BIO *bp, const EC_KEY *x, int off)
{
EVP_PKEY *pk;
EVP_PKEY *pkey;
int ret = 0;
if ((pk = EVP_PKEY_new()) == NULL)
if ((pkey = EVP_PKEY_new()) == NULL)
goto err;
if (!EVP_PKEY_set1_EC_KEY(pk, (EC_KEY *) x))
if (!EVP_PKEY_set1_EC_KEY(pkey, (EC_KEY *)ec_key))
goto err;
ret = EVP_PKEY_print_private(bp, pk, off, NULL);
ret = EVP_PKEY_print_private(bio, pkey, off, NULL);
err:
EVP_PKEY_free(pk);
EVP_PKEY_free(pkey);
return ret;
}
LCRYPTO_ALIAS(EC_KEY_print);
int
ECParameters_print(BIO *bp, const EC_KEY *x)
EC_KEY_print_fp(FILE *fp, const EC_KEY *ec_key, int off)
{
EVP_PKEY *pk;
BIO *bio;
int ret;
if ((bio = BIO_new(BIO_s_file())) == NULL) {
ECerror(ERR_R_BIO_LIB);
return 0;
}
BIO_set_fp(bio, fp, BIO_NOCLOSE);
ret = EC_KEY_print(bio, ec_key, off);
BIO_free(bio);
return ret;
}
LCRYPTO_ALIAS(EC_KEY_print_fp);
int
ECParameters_print(BIO *bio, const EC_KEY *ec_key)
{
EVP_PKEY *pkey;
int ret = 0;
if ((pk = EVP_PKEY_new()) == NULL)
if ((pkey = EVP_PKEY_new()) == NULL)
goto err;
if (!EVP_PKEY_set1_EC_KEY(pk, (EC_KEY *) x))
if (!EVP_PKEY_set1_EC_KEY(pkey, (EC_KEY *)ec_key))
goto err;
ret = EVP_PKEY_print_params(bp, pk, 4, NULL);
ret = EVP_PKEY_print_params(bio, pkey, 4, NULL);
err:
EVP_PKEY_free(pk);
EVP_PKEY_free(pkey);
return ret;
}
LCRYPTO_ALIAS(ECParameters_print);
int
ECParameters_print_fp(FILE *fp, const EC_KEY *ec_key)
{
BIO *bio;
int ret;
if ((bio = BIO_new(BIO_s_file())) == NULL) {
ECerror(ERR_R_BIO_LIB);
return 0;
}
BIO_set_fp(bio, fp, BIO_NOCLOSE);
ret = ECParameters_print(bio, ec_key);
BIO_free(bio);
return ret;
}
LCRYPTO_ALIAS(ECParameters_print_fp);
static int
ecpk_print_asn1_parameters(BIO *bp, const EC_GROUP *group, int off)
ecpk_print_asn1_parameters(BIO *bio, const EC_GROUP *group, int off)
{
const char *nist_name;
int nid;
int ret = 0;
if (!BIO_indent(bp, off, 128)) {
if (!BIO_indent(bio, off, 128)) {
ECerror(ERR_R_BIO_LIB);
goto err;
}
@ -177,17 +174,17 @@ ecpk_print_asn1_parameters(BIO *bp, const EC_GROUP *group, int off)
goto err;
}
if (BIO_printf(bp, "ASN1 OID: %s\n", OBJ_nid2sn(nid)) <= 0) {
if (BIO_printf(bio, "ASN1 OID: %s\n", OBJ_nid2sn(nid)) <= 0) {
ECerror(ERR_R_BIO_LIB);
goto err;
}
if ((nist_name = EC_curve_nid2nist(nid)) != NULL) {
if (!BIO_indent(bp, off, 128)) {
if (!BIO_indent(bio, off, 128)) {
ECerror(ERR_R_BIO_LIB);
goto err;
}
if (BIO_printf(bp, "NIST CURVE: %s\n", nist_name) <= 0) {
if (BIO_printf(bio, "NIST CURVE: %s\n", nist_name) <= 0) {
ECerror(ERR_R_BIO_LIB);
goto err;
}
@ -200,7 +197,7 @@ ecpk_print_asn1_parameters(BIO *bp, const EC_GROUP *group, int off)
}
static int
ecpk_print_explicit_parameters(BIO *bp, const EC_GROUP *group, int off)
ecpk_print_explicit_parameters(BIO *bio, const EC_GROUP *group, int off)
{
BN_CTX *ctx = NULL;
const BIGNUM *order;
@ -249,24 +246,25 @@ ecpk_print_explicit_parameters(BIO *bp, const EC_GROUP *group, int off)
ECerror(ERR_R_EC_LIB);
goto err;
}
form = EC_GROUP_get_point_conversion_form(group);
if (EC_POINT_point2bn(group, generator, form, gen, ctx) == NULL) {
ECerror(ERR_R_EC_LIB);
goto err;
}
if (!BIO_indent(bp, off, 128))
if (!BIO_indent(bio, off, 128))
goto err;
nid = EC_METHOD_get_field_type(EC_GROUP_method_of(group));
if (BIO_printf(bp, "Field Type: %s\n", OBJ_nid2sn(nid)) <= 0)
nid = ec_group_get_field_type(group);
if (BIO_printf(bio, "Field Type: %s\n", OBJ_nid2sn(nid)) <= 0)
goto err;
if (!bn_printf(bp, p, off, "Prime:"))
if (!bn_printf(bio, p, off, "Prime:"))
goto err;
if (!bn_printf(bp, a, off, "A: "))
if (!bn_printf(bio, a, off, "A: "))
goto err;
if (!bn_printf(bp, b, off, "B: "))
if (!bn_printf(bio, b, off, "B: "))
goto err;
if (form == POINT_CONVERSION_COMPRESSED)
@ -277,41 +275,42 @@ ecpk_print_explicit_parameters(BIO *bp, const EC_GROUP *group, int off)
conversion_form = "hybrid";
else
conversion_form = "unknown";
if (!bn_printf(bp, gen, off, "Generator (%s):", conversion_form))
if (!bn_printf(bio, gen, off, "Generator (%s):", conversion_form))
goto err;
if (!bn_printf(bp, order, off, "Order: "))
if (!bn_printf(bio, order, off, "Order: "))
goto err;
if (!bn_printf(bp, cofactor, off, "Cofactor: "))
if (!bn_printf(bio, cofactor, off, "Cofactor: "))
goto err;
if ((seed = EC_GROUP_get0_seed(group)) != NULL) {
size_t i;
seed_len = EC_GROUP_get_seed_len(group);
/* XXX - ecx_buf_print() has a CBS version of this - dedup. */
if (!BIO_indent(bp, off, 128))
if (!BIO_indent(bio, off, 128))
goto err;
if (BIO_printf(bp, "Seed:") <= 0)
if (BIO_printf(bio, "Seed:") <= 0)
goto err;
for (i = 0; i < seed_len; i++) {
const char *sep = ":";
if (i % 15 == 0) {
if (BIO_printf(bp, "\n") <= 0)
if (BIO_printf(bio, "\n") <= 0)
goto err;
if (!BIO_indent(bp, off + 4, 128))
if (!BIO_indent(bio, off + 4, 128))
goto err;
}
if (i + 1 == seed_len)
sep = "";
if (BIO_printf(bp, "%02x%s", seed[i], sep) <= 0)
if (BIO_printf(bio, "%02x%s", seed[i], sep) <= 0)
goto err;
}
if (BIO_printf(bp, "\n") <= 0)
if (BIO_printf(bio, "\n") <= 0)
goto err;
}
@ -324,16 +323,37 @@ ecpk_print_explicit_parameters(BIO *bp, const EC_GROUP *group, int off)
}
int
ECPKParameters_print(BIO *bp, const EC_GROUP *group, int off)
ECPKParameters_print(BIO *bio, const EC_GROUP *group, int off)
{
if (group == NULL) {
ECerror(ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
if (EC_GROUP_get_asn1_flag(group))
return ecpk_print_asn1_parameters(bp, group, off);
if ((EC_GROUP_get_asn1_flag(group) & OPENSSL_EC_NAMED_CURVE) != 0)
return ecpk_print_asn1_parameters(bio, group, off);
return ecpk_print_explicit_parameters(bp, group, off);
return ecpk_print_explicit_parameters(bio, group, off);
}
LCRYPTO_ALIAS(ECPKParameters_print);
int
ECPKParameters_print_fp(FILE *fp, const EC_GROUP *group, int off)
{
BIO *bio;
int ret;
if ((bio = BIO_new(BIO_s_file())) == NULL) {
ECerror(ERR_R_BUF_LIB);
return 0;
}
BIO_set_fp(bio, fp, BIO_NOCLOSE);
ret = ECPKParameters_print(bio, group, off);
BIO_free(bio);
return ret;
}
LCRYPTO_ALIAS(ECPKParameters_print_fp);
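Review bot: ECPKParameters_print_fp in the last hunk reports a failed BIO_new() as `ECerror(ERR_R_BUF_LIB);`, while the two sibling wrappers EC_KEY_print_fp and ECParameters_print_fp in the first hunk report the identical failure as `ECerror(ERR_R_BIO_LIB);`. The mismatch appears to be carried over from the old version of the function at the top of the file that the commit removes, so it is not new in substance, but since the wrapper is being rewritten and moved anyway this is the natural point to align the error reason with its siblings, `ECerror(ERR_R_BIO_LIB);`. Callers inspecting the error queue otherwise see a BUF-library reason for a BIO allocation failure in one of three otherwise identical wrappers.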



@ -1,272 +0,0 @@
/* $OpenBSD: ecp_mont.c,v 1.30 2023/07/07 13:54:45 beck Exp $ */
/*
* Originally written by Bodo Moeller for the OpenSSL project.
*/
/* ====================================================================
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
/* ====================================================================
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
* Portions of this software developed by SUN MICROSYSTEMS, INC.,
* and contributed to the OpenSSL project.
*/
#include <openssl/err.h>
#include "ec_local.h"
static void
ec_GFp_mont_group_clear(EC_GROUP *group)
{
BN_MONT_CTX_free(group->mont_ctx);
group->mont_ctx = NULL;
BN_free(group->mont_one);
group->mont_one = NULL;
}
static int
ec_GFp_mont_group_init(EC_GROUP *group)
{
int ok;
ok = ec_GFp_simple_group_init(group);
group->mont_ctx = NULL;
group->mont_one = NULL;
return ok;
}
static void
ec_GFp_mont_group_finish(EC_GROUP *group)
{
ec_GFp_mont_group_clear(group);
ec_GFp_simple_group_finish(group);
}
static int
ec_GFp_mont_group_copy(EC_GROUP *dest, const EC_GROUP *src)
{
ec_GFp_mont_group_clear(dest);
if (!ec_GFp_simple_group_copy(dest, src))
return 0;
if (src->mont_ctx != NULL) {
dest->mont_ctx = BN_MONT_CTX_new();
if (dest->mont_ctx == NULL)
return 0;
if (!BN_MONT_CTX_copy(dest->mont_ctx, src->mont_ctx))
goto err;
}
if (src->mont_one != NULL) {
dest->mont_one = BN_dup(src->mont_one);
if (dest->mont_one == NULL)
goto err;
}
return 1;
err:
if (dest->mont_ctx != NULL) {
BN_MONT_CTX_free(dest->mont_ctx);
dest->mont_ctx = NULL;
}
return 0;
}
static int
ec_GFp_mont_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a,
const BIGNUM *b, BN_CTX *ctx)
{
BN_MONT_CTX *mont = NULL;
BIGNUM *one = NULL;
int ret = 0;
ec_GFp_mont_group_clear(group);
mont = BN_MONT_CTX_new();
if (mont == NULL)
goto err;
if (!BN_MONT_CTX_set(mont, p, ctx)) {
ECerror(ERR_R_BN_LIB);
goto err;
}
one = BN_new();
if (one == NULL)
goto err;
if (!BN_to_montgomery(one, BN_value_one(), mont, ctx))
goto err;
group->mont_ctx = mont;
mont = NULL;
group->mont_one = one;
one = NULL;
ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
if (!ret)
ec_GFp_mont_group_clear(group);
err:
BN_MONT_CTX_free(mont);
BN_free(one);
return ret;
}
static int
ec_GFp_mont_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
const BIGNUM *b, BN_CTX *ctx)
{
if (group->mont_ctx == NULL) {
ECerror(EC_R_NOT_INITIALIZED);
return 0;
}
return BN_mod_mul_montgomery(r, a, b, group->mont_ctx, ctx);
}
static int
ec_GFp_mont_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
BN_CTX *ctx)
{
if (group->mont_ctx == NULL) {
ECerror(EC_R_NOT_INITIALIZED);
return 0;
}
return BN_mod_mul_montgomery(r, a, a, group->mont_ctx, ctx);
}
static int
ec_GFp_mont_field_encode(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
BN_CTX *ctx)
{
if (group->mont_ctx == NULL) {
ECerror(EC_R_NOT_INITIALIZED);
return 0;
}
return BN_to_montgomery(r, a, group->mont_ctx, ctx);
}
static int
ec_GFp_mont_field_decode(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
BN_CTX *ctx)
{
if (group->mont_ctx == NULL) {
ECerror(EC_R_NOT_INITIALIZED);
return 0;
}
return BN_from_montgomery(r, a, group->mont_ctx, ctx);
}
static int
ec_GFp_mont_field_set_to_one(const EC_GROUP *group, BIGNUM *r, BN_CTX *ctx)
{
if (group->mont_one == NULL) {
ECerror(EC_R_NOT_INITIALIZED);
return 0;
}
if (!bn_copy(r, group->mont_one))
return 0;
return 1;
}
static const EC_METHOD ec_GFp_mont_method = {
.field_type = NID_X9_62_prime_field,
.group_init = ec_GFp_mont_group_init,
.group_finish = ec_GFp_mont_group_finish,
.group_copy = ec_GFp_mont_group_copy,
.group_set_curve = ec_GFp_mont_group_set_curve,
.group_get_curve = ec_GFp_simple_group_get_curve,
.group_get_degree = ec_GFp_simple_group_get_degree,
.group_order_bits = ec_group_simple_order_bits,
.group_check_discriminant = ec_GFp_simple_group_check_discriminant,
.point_init = ec_GFp_simple_point_init,
.point_finish = ec_GFp_simple_point_finish,
.point_copy = ec_GFp_simple_point_copy,
.point_set_to_infinity = ec_GFp_simple_point_set_to_infinity,
.point_set_Jprojective_coordinates =
ec_GFp_simple_set_Jprojective_coordinates,
.point_get_Jprojective_coordinates =
ec_GFp_simple_get_Jprojective_coordinates,
.point_set_affine_coordinates =
ec_GFp_simple_point_set_affine_coordinates,
.point_get_affine_coordinates =
ec_GFp_simple_point_get_affine_coordinates,
.point_set_compressed_coordinates =
ec_GFp_simple_set_compressed_coordinates,
.point2oct = ec_GFp_simple_point2oct,
.oct2point = ec_GFp_simple_oct2point,
.add = ec_GFp_simple_add,
.dbl = ec_GFp_simple_dbl,
.invert = ec_GFp_simple_invert,
.is_at_infinity = ec_GFp_simple_is_at_infinity,
.is_on_curve = ec_GFp_simple_is_on_curve,
.point_cmp = ec_GFp_simple_cmp,
.make_affine = ec_GFp_simple_make_affine,
.points_make_affine = ec_GFp_simple_points_make_affine,
.mul_generator_ct = ec_GFp_simple_mul_generator_ct,
.mul_single_ct = ec_GFp_simple_mul_single_ct,
.mul_double_nonct = ec_GFp_simple_mul_double_nonct,
.field_mul = ec_GFp_mont_field_mul,
.field_sqr = ec_GFp_mont_field_sqr,
.field_encode = ec_GFp_mont_field_encode,
.field_decode = ec_GFp_mont_field_decode,
.field_set_to_one = ec_GFp_mont_field_set_to_one,
.blind_coordinates = ec_GFp_simple_blind_coordinates,
};
const EC_METHOD *
EC_GFp_mont_method(void)
{
return &ec_GFp_mont_method;
}
LCRYPTO_ALIAS(EC_GFp_mont_method);


@ -1,365 +0,0 @@
/* $OpenBSD: ecp_oct.c,v 1.21 2023/04/18 18:29:32 tb Exp $ */
/* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
* for the OpenSSL project.
* Includes code written by Bodo Moeller for the OpenSSL project.
*/
/* ====================================================================
* Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
/* ====================================================================
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
* Portions of this software developed by SUN MICROSYSTEMS, INC.,
* and contributed to the OpenSSL project.
*/
#include <openssl/err.h>
#include "ec_local.h"
int
ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group,
EC_POINT *point, const BIGNUM *x_, int y_bit, BN_CTX *ctx)
{
BIGNUM *tmp1, *tmp2, *x, *y;
int ret = 0;
/* clear error queue */
ERR_clear_error();
y_bit = (y_bit != 0);
BN_CTX_start(ctx);
if ((tmp1 = BN_CTX_get(ctx)) == NULL)
goto err;
if ((tmp2 = BN_CTX_get(ctx)) == NULL)
goto err;
if ((x = BN_CTX_get(ctx)) == NULL)
goto err;
if ((y = BN_CTX_get(ctx)) == NULL)
goto err;
/*
* Recover y. We have a Weierstrass equation y^2 = x^3 + a*x + b, so
* y is one of the square roots of x^3 + a*x + b.
*/
/* tmp1 := x^3 */
if (!BN_nnmod(x, x_, &group->field, ctx))
goto err;
if (group->meth->field_decode == NULL) {
/* field_{sqr,mul} work on standard representation */
if (!group->meth->field_sqr(group, tmp2, x_, ctx))
goto err;
if (!group->meth->field_mul(group, tmp1, tmp2, x_, ctx))
goto err;
} else {
if (!BN_mod_sqr(tmp2, x_, &group->field, ctx))
goto err;
if (!BN_mod_mul(tmp1, tmp2, x_, &group->field, ctx))
goto err;
}
/* tmp1 := tmp1 + a*x */
if (group->a_is_minus3) {
if (!BN_mod_lshift1_quick(tmp2, x, &group->field))
goto err;
if (!BN_mod_add_quick(tmp2, tmp2, x, &group->field))
goto err;
if (!BN_mod_sub_quick(tmp1, tmp1, tmp2, &group->field))
goto err;
} else {
if (group->meth->field_decode) {
if (!group->meth->field_decode(group, tmp2, &group->a, ctx))
goto err;
if (!BN_mod_mul(tmp2, tmp2, x, &group->field, ctx))
goto err;
} else {
/* field_mul works on standard representation */
if (!group->meth->field_mul(group, tmp2, &group->a, x, ctx))
goto err;
}
if (!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field))
goto err;
}
/* tmp1 := tmp1 + b */
if (group->meth->field_decode != NULL) {
if (!group->meth->field_decode(group, tmp2, &group->b, ctx))
goto err;
if (!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field))
goto err;
} else {
if (!BN_mod_add_quick(tmp1, tmp1, &group->b, &group->field))
goto err;
}
if (!BN_mod_sqrt(y, tmp1, &group->field, ctx)) {
unsigned long err = ERR_peek_last_error();
if (ERR_GET_LIB(err) == ERR_LIB_BN && ERR_GET_REASON(err) == BN_R_NOT_A_SQUARE) {
ERR_clear_error();
ECerror(EC_R_INVALID_COMPRESSED_POINT);
} else
ECerror(ERR_R_BN_LIB);
goto err;
}
if (y_bit != BN_is_odd(y)) {
if (BN_is_zero(y)) {
ECerror(EC_R_INVALID_COMPRESSION_BIT);
goto err;
}
if (!BN_usub(y, &group->field, y))
goto err;
if (y_bit != BN_is_odd(y)) {
ECerror(ERR_R_INTERNAL_ERROR);
goto err;
}
}
if (!EC_POINT_set_affine_coordinates(group, point, x, y, ctx))
goto err;
ret = 1;
err:
BN_CTX_end(ctx);
return ret;
}
size_t
ec_GFp_simple_point2oct(const EC_GROUP *group, const EC_POINT *point,
point_conversion_form_t form, unsigned char *buf, size_t len, BN_CTX *ctx)
{
BIGNUM *x, *y;
size_t field_len, i, skip;
size_t ret = 0;
if (form != POINT_CONVERSION_COMPRESSED &&
form != POINT_CONVERSION_UNCOMPRESSED &&
form != POINT_CONVERSION_HYBRID) {
ECerror(EC_R_INVALID_FORM);
return 0;
}
if (EC_POINT_is_at_infinity(group, point) > 0) {
/* encodes to a single 0 octet */
if (buf != NULL) {
if (len < 1) {
ECerror(EC_R_BUFFER_TOO_SMALL);
return 0;
}
buf[0] = 0;
}
return 1;
}
/* ret := required output buffer length */
field_len = BN_num_bytes(&group->field);
ret = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2 * field_len;
BN_CTX_start(ctx);
/* if 'buf' is NULL, just return required length */
if (buf != NULL) {
if (len < ret) {
ECerror(EC_R_BUFFER_TOO_SMALL);
goto err;
}
if ((x = BN_CTX_get(ctx)) == NULL)
goto err;
if ((y = BN_CTX_get(ctx)) == NULL)
goto err;
if (!EC_POINT_get_affine_coordinates(group, point, x, y, ctx))
goto err;
if ((form == POINT_CONVERSION_COMPRESSED || form == POINT_CONVERSION_HYBRID) && BN_is_odd(y))
buf[0] = form + 1;
else
buf[0] = form;
i = 1;
skip = field_len - BN_num_bytes(x);
if (skip > field_len) {
ECerror(ERR_R_INTERNAL_ERROR);
goto err;
}
while (skip > 0) {
buf[i++] = 0;
skip--;
}
skip = BN_bn2bin(x, buf + i);
i += skip;
if (i != 1 + field_len) {
ECerror(ERR_R_INTERNAL_ERROR);
goto err;
}
if (form == POINT_CONVERSION_UNCOMPRESSED || form == POINT_CONVERSION_HYBRID) {
skip = field_len - BN_num_bytes(y);
if (skip > field_len) {
ECerror(ERR_R_INTERNAL_ERROR);
goto err;
}
while (skip > 0) {
buf[i++] = 0;
skip--;
}
skip = BN_bn2bin(y, buf + i);
i += skip;
}
if (i != ret) {
ECerror(ERR_R_INTERNAL_ERROR);
goto err;
}
}
err:
BN_CTX_end(ctx);
return ret;
}
int
ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
const unsigned char *buf, size_t len, BN_CTX *ctx)
{
point_conversion_form_t form;
int y_bit;
BIGNUM *x, *y;
size_t field_len, enc_len;
int ret = 0;
if (len == 0) {
ECerror(EC_R_BUFFER_TOO_SMALL);
return 0;
}
form = buf[0];
y_bit = form & 1;
form = form & ~1U;
if ((form != 0) && (form != POINT_CONVERSION_COMPRESSED)
&& (form != POINT_CONVERSION_UNCOMPRESSED)
&& (form != POINT_CONVERSION_HYBRID)) {
ECerror(EC_R_INVALID_ENCODING);
return 0;
}
if ((form == 0 || form == POINT_CONVERSION_UNCOMPRESSED) && y_bit) {
ECerror(EC_R_INVALID_ENCODING);
return 0;
}
if (form == 0) {
if (len != 1) {
ECerror(EC_R_INVALID_ENCODING);
return 0;
}
return EC_POINT_set_to_infinity(group, point);
}
field_len = BN_num_bytes(&group->field);
enc_len = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2 * field_len;
if (len != enc_len) {
ECerror(EC_R_INVALID_ENCODING);
return 0;
}
BN_CTX_start(ctx);
if ((x = BN_CTX_get(ctx)) == NULL)
goto err;
if ((y = BN_CTX_get(ctx)) == NULL)
goto err;
if (!BN_bin2bn(buf + 1, field_len, x))
goto err;
if (BN_ucmp(x, &group->field) >= 0) {
ECerror(EC_R_INVALID_ENCODING);
goto err;
}
if (form == POINT_CONVERSION_COMPRESSED) {
/*
* EC_POINT_set_compressed_coordinates checks that the point
* is on the curve as required by X9.62.
*/
if (!EC_POINT_set_compressed_coordinates(group, point, x, y_bit, ctx))
goto err;
} else {
if (!BN_bin2bn(buf + 1 + field_len, field_len, y))
goto err;
if (BN_ucmp(y, &group->field) >= 0) {
ECerror(EC_R_INVALID_ENCODING);
goto err;
}
if (form == POINT_CONVERSION_HYBRID) {
if (y_bit != BN_is_odd(y)) {
ECerror(EC_R_INVALID_ENCODING);
goto err;
}
}
/*
* EC_POINT_set_affine_coordinates checks that the point is
* on the curve as required by X9.62.
*/
if (!EC_POINT_set_affine_coordinates(group, point, x, y, ctx))
goto err;
}
ret = 1;
err:
BN_CTX_end(ctx);
return ret;
}


@ -1,4 +1,4 @@
/* $OpenBSD: err.c,v 1.73 2024/10/11 13:32:22 tb Exp $ */
/* $OpenBSD: err.c,v 1.75 2024/11/02 12:46:36 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -122,13 +122,11 @@
#include <openssl/err.h>
#include <openssl/lhash.h>
#include "crypto_local.h"
DECLARE_LHASH_OF(ERR_STRING_DATA);
DECLARE_LHASH_OF(ERR_STATE);
typedef struct err_state_st {
CRYPTO_THREADID tid;
pthread_t tid;
int err_flags[ERR_NUM_ERRORS];
unsigned long err_buffer[ERR_NUM_ERRORS];
char *err_data[ERR_NUM_ERRORS];
@ -350,14 +348,14 @@ err_del_item(const ERR_STRING_DATA *d)
static unsigned long
err_state_hash(const ERR_STATE *a)
{
return CRYPTO_THREADID_hash(&a->tid) * 13;
return 13 * (unsigned long)a->tid;
}
static IMPLEMENT_LHASH_HASH_FN(err_state, ERR_STATE)
static int
err_state_cmp(const ERR_STATE *a, const ERR_STATE *b)
{
return CRYPTO_THREADID_cmp(&a->tid, &b->tid);
return pthread_equal(a->tid, b->tid) == 0;
}
static IMPLEMENT_LHASH_COMP_FN(err_state, ERR_STATE)
@ -557,10 +555,8 @@ ERR_get_state(void)
static ERR_STATE fallback;
ERR_STATE *ret, tmp, *tmpp = NULL;
int i;
CRYPTO_THREADID tid;
CRYPTO_THREADID_current(&tid);
CRYPTO_THREADID_cpy(&tmp.tid, &tid);
tmp.tid = pthread_self();
ret = err_thread_get_item(&tmp);
/* ret == the error state, if NULL, make a new one */
@ -568,7 +564,7 @@ ERR_get_state(void)
ret = malloc(sizeof(ERR_STATE));
if (ret == NULL)
return (&fallback);
CRYPTO_THREADID_cpy(&ret->tid, &tid);
ret->tid = pthread_self();
ret->top = 0;
ret->bottom = 0;
for (i = 0; i < ERR_NUM_ERRORS; i++) {
@ -757,10 +753,8 @@ ERR_remove_thread_state(const CRYPTO_THREADID *id)
{
ERR_STATE tmp;
if (id)
CRYPTO_THREADID_cpy(&tmp.tid, id);
else
CRYPTO_THREADID_current(&tmp.tid);
OPENSSL_assert(id == NULL);
tmp.tid = pthread_self();
/*
* err_thread_del_item automatically destroys the LHASH if the number of
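Review bot: The new `err_state_hash` body `return 13 * (unsigned long)a->tid;` casts a `pthread_t` to an integer, a type POSIX leaves opaque; it works where `pthread_t` is a pointer or integer, as on OpenBSD, but it is the one non-portable assumption in this file and deserves a comment such as `/* pthread_t is a pointer on OpenBSD; only pthread_equal() is portable. */`, and the same cast appears in err_prn.c as `es = (unsigned long)pthread_self();`. Separately, `OPENSSL_assert(id == NULL);` in `ERR_remove_thread_state` turns a non-NULL `id`, which the removed lines still honoured, into a process abort; if that is intended for this deprecated parameter it should be stated in the function's documentation, since a library caller passing its own CRYPTO_THREADID now terminates instead of being ignored. The rest of `ERR_remove_thread_state` lies outside the hunk.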


@ -1,4 +1,4 @@
/* $OpenBSD: err_prn.c,v 1.23 2024/03/02 11:37:13 tb Exp $ */
/* $OpenBSD: err_prn.c,v 1.24 2024/11/02 08:54:40 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@ -57,6 +57,7 @@
*/
#include <limits.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>
@ -66,7 +67,6 @@
#include <openssl/lhash.h>
#include "bio_local.h"
#include "crypto_local.h"
void
ERR_print_errors_cb(int (*cb)(const char *str, size_t len, void *u), void *u)
@ -77,10 +77,8 @@ ERR_print_errors_cb(int (*cb)(const char *str, size_t len, void *u), void *u)
const char *file, *data;
int line, flags;
unsigned long es;
CRYPTO_THREADID cur;
CRYPTO_THREADID_current(&cur);
es = CRYPTO_THREADID_hash(&cur);
es = (unsigned long)pthread_self();
while ((l = ERR_get_error_line_data(&file, &line, &data,
&flags)) != 0) {
ERR_error_string_n(l, buf, sizeof buf);


@ -1,4 +1,4 @@
/* $OpenBSD: e_chacha20poly1305.c,v 1.36 2024/05/22 14:02:08 tb Exp $ */
/* $OpenBSD: e_chacha20poly1305.c,v 1.37 2024/12/20 20:05:29 schwarze Exp $ */
/*
* Copyright (c) 2022 Joel Sing <jsing@openbsd.org>
@ -592,7 +592,7 @@ chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
return 1;
}
return 0;
return -1;
}
static const EVP_CIPHER cipher_chacha20_poly1305 = {
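Review bot: The `return -1;` that replaces `return 0;` at the end of `chacha20_poly1305_ctrl` changes what callers observe for an unrecognised ctrl type, and the hunk carries no comment explaining the distinction; a one-liner above it such as `/* -1: ctrl type not supported, as opposed to 0 for a ctrl that failed. */` would make the convention explicit. Any caller that tests the ctrl result with `== 0` rather than `<= 0` would now treat an unsupported ctrl as success, so that is worth checking in the callers. The body of `chacha20_poly1305_ctrl` begins outside the hunk.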


@ -1,5 +1,5 @@
#!/usr/bin/perl
# $OpenBSD: format-pem.pl,v 1.6 2022/07/03 15:02:04 sthen Exp $
# $OpenBSD: format-pem.pl,v 1.7 2024/11/01 11:19:13 sthen Exp $
#
# Copyright (c) 2016 Stuart Henderson <sthen@openbsd.org>
#
@ -115,9 +115,9 @@ while(<>) {
close $tmp;
chomp $rcsid;
print $rcsid;
foreach my $o (sort{lc($a) cmp lc($b)} keys %ca) {
foreach my $o (sort{$a cmp $b} keys %ca) {
print "\n### $o\n\n";
foreach my $subj (sort{lc($a) cmp lc($b)} keys %{ $ca{$o} }) {
foreach my $subj (sort{$a cmp $b} keys %{ $ca{$o} }) {
if ($ca{$o}{$subj}{'valid'} == 1) {
print "=== $subj\n";
print $ca{$o}{$subj}{'info'};
@ -127,9 +127,9 @@ foreach my $o (sort{lc($a) cmp lc($b)} keys %ca) {
}
# print a visual summary at the end
foreach my $o (sort{lc($a) cmp lc($b)} keys %ca) {
foreach my $o (sort{$a cmp $b} keys %ca) {
print STDERR "\n$o\n";
foreach my $subj (sort{lc($a) cmp lc($b)} keys %{ $ca{$o} }) {
foreach my $subj (sort{$a cmp $b} keys %{ $ca{$o} }) {
print STDERR " $subj\n";
}
}
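Review bot: `sort { $a cmp $b } keys %ca` is exactly Perl's default sort, so the four rewritten loops could simply read `foreach my $o (sort keys %ca) {` and `foreach my $subj (sort keys %{ $ca{$o} }) {` instead of spelling out the comparator. Dropping `lc()` also switches the ordering from case-insensitive to byte order, so for instance an organisation starting with an uppercase letter now sorts before every lowercase one; if that reordering of the generated bundle is the intent, a short comment above the first loop saying so would stop the next reader from restoring `lc`.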


@ -1,4 +1,4 @@
/* $OpenBSD: ec.h,v 1.5 2024/04/10 15:01:31 beck Exp $ */
/* $OpenBSD: ec.h,v 1.7 2024/10/22 15:54:33 tb Exp $ */
/*
* Copyright (c) 2023 Bob Beck <beck@openbsd.org>
*


@ -0,0 +1,49 @@
/* $OpenBSD: mlkem.h,v 1.4 2024/12/20 15:10:31 tb Exp $ */
/*
* Copyright (c) 2024 Bob Beck <beck@obtuse.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#ifndef _LIBCRYPTO_MLKEM_H
#define _LIBCRYPTO_MLKEM_H
/* Undo when making public */
#ifdef LIBRESSL_HAS_MLKEM
#ifndef _MSC_VER
#include_next <openssl/mlkem.h>
#else
#include "../include/openssl/mlkem.h"
#endif
#include "crypto_namespace.h"
LCRYPTO_USED(MLKEM768_generate_key);
LCRYPTO_USED(MLKEM768_public_from_private);
LCRYPTO_USED(MLKEM768_encap);
LCRYPTO_USED(MLKEM768_decap);
LCRYPTO_USED(MLKEM768_marshal_public_key);
LCRYPTO_USED(MLKEM768_parse_public_key);
LCRYPTO_USED(MLKEM768_private_key_from_seed);
LCRYPTO_USED(MLKEM768_parse_private_key);
LCRYPTO_USED(MLKEM1024_generate_key);
LCRYPTO_USED(MLKEM1024_public_from_private);
LCRYPTO_USED(MLKEM1024_encap);
LCRYPTO_USED(MLKEM1024_decap);
LCRYPTO_USED(MLKEM1024_marshal_public_key);
LCRYPTO_USED(MLKEM1024_parse_public_key);
LCRYPTO_USED(MLKEM1024_private_key_from_seed);
LCRYPTO_USED(MLKEM1024_parse_private_key);
#endif /* LIBRESSL_HAS_MLKEM */
#endif /* _LIBCRYPTO_MLKEM_H */
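Review bot: The comment `/* Undo when making public */` does not say what is to be undone, and the `#ifdef LIBRESSL_HAS_MLKEM` it introduces wraps both the public-header include and the whole LCRYPTO_USED list, so a reader cannot tell whether only the guard or the entire block is temporary. Something like `/* XXX temporary: drop the LIBRESSL_HAS_MLKEM guard once the ML-KEM API is made public. */` states the intent. As written, a translation unit that includes this header without the macro defined gets no ML-KEM declarations at all, which is presumably the desired behaviour while the API stays internal but is worth saying in the same comment.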


@ -1,4 +1,4 @@
.\" $OpenBSD: ASN1_BIT_STRING_set.3,v 1.4 2023/07/28 05:53:10 tb Exp $
.\" $OpenBSD: ASN1_BIT_STRING_set.3,v 1.5 2024/12/24 09:48:56 schwarze Exp $
.\"
.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
.\"
@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: July 28 2023 $
.Dd $Mdocdate: December 24 2024 $
.Dt ASN1_BIT_STRING_SET 3
.Os
.Sh NAME
@ -126,7 +126,8 @@ or if the requested bit is not set.
.Sh SEE ALSO
.Xr ASN1_BIT_STRING_new 3 ,
.Xr ASN1_STRING_set 3 ,
.Xr d2i_ASN1_BIT_STRING 3
.Xr d2i_ASN1_BIT_STRING 3 ,
.Xr v2i_ASN1_BIT_STRING 3
.Sh HISTORY
.Fn ASN1_BIT_STRING_set
first appeared in SSLeay 0.6.5.


@ -1,4 +1,4 @@
.\" $OpenBSD: ASN1_STRING_length.3,v 1.29 2021/12/14 19:36:18 schwarze Exp $
.\" $OpenBSD: ASN1_STRING_length.3,v 1.30 2024/12/27 15:30:17 schwarze Exp $
.\" full merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
.\"
.\" This file is a derived work.
@ -66,7 +66,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: December 14 2021 $
.Dd $Mdocdate: December 27 2024 $
.Dt ASN1_STRING_LENGTH 3
.Os
.Sh NAME
@ -401,11 +401,14 @@ and
the reason can be determined with
.Xr ERR_get_error 3 .
.Sh SEE ALSO
.Xr a2i_ASN1_STRING 3 ,
.Xr a2i_ipadd 3 ,
.Xr ASN1_BIT_STRING_set 3 ,
.Xr ASN1_mbstring_copy 3 ,
.Xr ASN1_PRINTABLE_type 3 ,
.Xr ASN1_STRING_new 3 ,
.Xr ASN1_UNIVERSALSTRING_to_string 3
.Xr ASN1_UNIVERSALSTRING_to_string 3 ,
.Xr s2i_ASN1_INTEGER 3
.Sh HISTORY
.Fn ASN1_STRING_cmp ,
.Fn ASN1_STRING_dup ,


@ -1,4 +1,4 @@
.\" $OpenBSD: ASN1_STRING_new.3,v 1.26 2024/03/05 18:30:40 tb Exp $
.\" $OpenBSD: ASN1_STRING_new.3,v 1.27 2024/12/27 15:30:17 schwarze Exp $
.\" OpenSSL 99d63d46 Tue Mar 24 07:52:24 2015 -0400
.\"
.\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>
@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: March 5 2024 $
.Dd $Mdocdate: December 27 2024 $
.Dt ASN1_STRING_NEW 3
.Os
.Sh NAME
@ -205,6 +205,7 @@ object if successful; otherwise
is returned and an error code can be retrieved with
.Xr ERR_get_error 3 .
.Sh SEE ALSO
.Xr a2i_ipadd 3 ,
.Xr ASN1_BIT_STRING_set 3 ,
.Xr ASN1_INTEGER_get 3 ,
.Xr ASN1_item_pack 3 ,
@ -218,6 +219,7 @@ is returned and an error code can be retrieved with
.Xr d2i_ASN1_OBJECT 3 ,
.Xr d2i_ASN1_OCTET_STRING 3 ,
.Xr i2a_ASN1_STRING 3 ,
.Xr s2i_ASN1_INTEGER 3 ,
.Xr X509_cmp_time 3 ,
.Xr X509_EXTENSION_get_object 3 ,
.Xr X509_get_ext_by_OBJ 3 ,


@ -1,4 +1,4 @@
.\" $OpenBSD: ASN1_item_sign.3,v 1.2 2021/12/18 17:47:44 schwarze Exp $
.\" $OpenBSD: ASN1_item_sign.3,v 1.3 2024/12/06 12:51:13 schwarze Exp $
.\"
.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
.\"
@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: December 18 2021 $
.Dd $Mdocdate: December 6 2024 $
.Dt ASN1_ITEM_SIGN 3
.Os
.Sh NAME
@ -91,12 +91,6 @@ Unless
is
.Dv NULL ,
the same data is copied into it.
.\" The following is not yet supported by LibreSSL
.\" because we do not provide EVP_PKEY_asn1_set_item(3).
.\" except that user-defined key types set up with
.\" .Xr EVP_PKEY_asn1_new 3
.\" may optionally provide information about a second algorithm in
.\" .Fa algor2 .
.Sh RETURN VALUES
These functions return the length of the signature in bytes
or 0 if memory allocation, encoding, or signing fails.
@ -113,8 +107,6 @@ is not fully initialized.
.Xr EVP_Digest 3 ,
.Xr EVP_DigestSign 3 ,
.Xr EVP_MD_CTX_new 3 ,
.\" We do not provide EVP_PKEY_asn1_set_item(3).
.\" .Xr EVP_PKEY_asn1_new 3 ,
.Xr EVP_PKEY_new 3 ,
.Xr OBJ_find_sigid_by_algs 3 ,
.Xr X509_ALGOR_new 3


@ -1,4 +1,4 @@
.\" $OpenBSD: CMAC_Init.3,v 1.6 2024/03/02 09:30:21 tb Exp $
.\" $OpenBSD: CMAC_Init.3,v 1.9 2024/11/12 00:42:28 schwarze Exp $
.\"
.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
.\"
@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: March 2 2024 $
.Dd $Mdocdate: November 12 2024 $
.Dt CMAC_INIT 3
.Os
.Sh NAME
@ -51,6 +51,11 @@
.Fa "unsigned char *out_mac"
.Fa "size_t *out_len"
.Fc
.Ft int
.Fo CMAC_CTX_copy
.Fa "CMAC_CTX *out_ctx"
.Fa "CMAC_CTX *in_ctx"
.Fc
.Ft EVP_CIPHER_CTX *
.Fn CMAC_CTX_get0_cipher_ctx "CMAC_CTX *ctx"
.Ft void
@ -64,13 +69,11 @@ arbitrary block cipher using a symmetric key.
The present manual page describes low-level functions implementing CMAC.
Instead of using these functions directly,
application programs normally call
.Xr EVP_PKEY_CTX_new_id 3
with an argument of
.Dv EVP_PKEY_CMAC
.Xr EVP_PKEY_new_CMAC_key 3
and then pass the resulting
.Vt EVP_MD_CTX
.Vt EVP_PKEY
object to
.Xr EVP_DigestInit_ex 3 .
.Xr EVP_DigestSignInit 3 .
.Pp
The CMAC API is object-oriented.
Calculating a message authentication code requires a
@ -100,7 +103,7 @@ for use by
Functions to obtain suitable
.Vt EVP_CIPHER
objects are listed in the CIPHER LISTING section of the
.Xr EVP_Cipher 3
.Xr EVP_EncryptInit 3
manual page.
Unless
.Fa key
@ -244,14 +247,14 @@ The CMAC code itself does not use the
framework, so in general, the reasons for failure cannot be found out with
.Xr ERR_get_error 3 .
However, since the
.Xr EVP_Cipher 3
.Xr EVP_EncryptInit 3
functions are used internally, entries may still get pushed onto
the error stack in some cases of failure.
.Sh SEE ALSO
.Xr EVP_aes_128_cbc 3 ,
.Xr EVP_Cipher 3 ,
.Xr EVP_DigestInit 3 ,
.Xr EVP_PKEY_CTX_new_id 3 ,
.Xr EVP_DigestSignInit 3 ,
.Xr EVP_EncryptInit 3 ,
.Xr EVP_PKEY_new_CMAC_key 3 ,
.Xr HMAC 3
.Sh STANDARDS
.Rs


@ -1,4 +1,4 @@
.\" $OpenBSD: CMS_add0_cert.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $
.\" $OpenBSD: CMS_add0_cert.3,v 1.10 2024/11/30 21:21:40 tb Exp $
.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
.\"
.\" This file is a derived work.
@ -65,7 +65,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: November 2 2019 $
.Dd $Mdocdate: November 30 2024 $
.Dt CMS_ADD0_CERT 3
.Os
.Sh NAME
@ -183,9 +183,17 @@ and
return the STACK of certificates or CRLs or
.Dv NULL
if there are none or an error occurs.
The only error which will occur in practice is if the
Possible errors are that the
.Fa cms
type is invalid.
type is invalid or memory allocation failure.
Not all errors result in an error on the error stack.
The returned stack must be freed using the appropriate
macro wrapper of
.Xr sk_pop_free 3 ,
namely
.Dv sk_X509_pop_free()
or
.Dv sk_X509_CRL_pop_free() .
.Sh SEE ALSO
.Xr CMS_ContentInfo_new 3 ,
.Xr CMS_encrypt 3 ,


@ -1,4 +1,4 @@
.\" $OpenBSD: ECDSA_SIG_new.3,v 1.20 2023/08/29 10:07:42 tb Exp $
.\" $OpenBSD: ECDSA_SIG_new.3,v 1.21 2024/11/15 20:14:58 tb Exp $
.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
.\" selective merge up to: OpenSSL da4ea0cf Aug 5 16:13:24 2019 +0100
.\"
@ -50,7 +50,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: August 29 2023 $
.Dd $Mdocdate: November 15 2024 $
.Dt ECDSA_SIG_NEW 3
.Os
.Sh NAME
@ -342,8 +342,8 @@ error.
The error codes can be obtained by
.Xr ERR_get_error 3 .
.Sh EXAMPLES
Creating an ECDSA signature of given SHA-1 hash value using the named
curve secp192k1.
Creating an ECDSA signature of given SHA-384 hash value using the named
curve secp384r1.
.Pp
First step: create an
.Vt EC_KEY
@ -356,7 +356,7 @@ int ret;
ECDSA_SIG *sig;
EC_KEY *eckey;
eckey = EC_KEY_new_by_curve_name(NID_secp192k1);
eckey = EC_KEY_new_by_curve_name(NID_secp384r1);
if (eckey == NULL) {
/* error */
}
@ -365,10 +365,10 @@ if (!EC_KEY_generate_key(eckey)) {
}
.Ed
.Pp
Second step: compute the ECDSA signature of a SHA-1 hash value using
Second step: compute the ECDSA signature of a SHA-384 hash value using
.Fn ECDSA_do_sign
.Bd -literal -offset indent
sig = ECDSA_do_sign(digest, 20, eckey);
sig = ECDSA_do_sign(digest, SHA384_DIGEST_LENGTH, eckey);
if (sig == NULL) {
/* error */
}
@ -391,12 +391,12 @@ if (!ECDSA_sign(0, dgst, dgstlen, pp, &buf_len, eckey) {
Third step: verify the created ECDSA signature using
.Fn ECDSA_do_verify
.Pp
.Dl ret = ECDSA_do_verify(digest, 20, sig, eckey);
.Dl ret = ECDSA_do_verify(digest, SHA384_DIGEST_LENGTH, sig, eckey);
.Pp
or using
.Fn ECDSA_verify
.Pp
.Dl ret = ECDSA_verify(0, digest, 20, buffer, buf_len, eckey);
.Dl ret = ECDSA_verify(0, digest, SHA384_DIGEST_LENGTH, buffer, buf_len, eckey);
.Pp
and finally evaluate the return value:
.Bd -literal -offset indent


@ -1,5 +1,5 @@
.\" $OpenBSD: EVP_BytesToKey.3,v 1.8 2019/06/07 20:46:25 schwarze Exp $
.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
.\" $OpenBSD: EVP_BytesToKey.3,v 1.9 2024/12/05 15:12:37 schwarze Exp $
.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
.\"
.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
.\" Copyright (c) 2001, 2011, 2013, 2014, 2015 The OpenSSL Project.
@ -49,7 +49,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: June 7 2019 $
.Dd $Mdocdate: December 5 2024 $
.Dt EVP_BYTESTOKEY 3
.Os
.Sh NAME
@ -78,7 +78,9 @@ is the message digest to use.
The
.Fa salt
parameter is used as a salt in the derivation:
it should point to an 8-byte buffer or
it should point to a buffer containing
.Dv PKCS5_SALT_LEN No = 8
bytes or
.Dv NULL
if no salt is used.
.Fa data


@ -1,4 +1,4 @@
.\" $OpenBSD: EVP_CIPHER_CTX_ctrl.3,v 1.2 2023/10/01 18:23:50 tb Exp $
.\" $OpenBSD: EVP_CIPHER_CTX_ctrl.3,v 1.3 2024/12/08 17:41:23 schwarze Exp $
.\" full merge up to: OpenSSL 5211e094 Nov 11 14:39:11 2014 -0800
.\"
.\" This file is a derived work.
@ -67,7 +67,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: October 1 2023 $
.Dd $Mdocdate: December 8 2024 $
.Dt EVP_CIPHER_CTX_CTRL 3
.Os
.Sh NAME
@ -131,7 +131,9 @@
.Sh DESCRIPTION
.Fn EVP_CIPHER_CTX_ctrl
allows various cipher specific parameters to be determined and set.
Currently only the RC2 effective key length can be set.
Currently only the RC2 effective key length can be set; see
.Xr EVP_rc2_cbc 3
for details.
.Pp
.Fn EVP_CIPHER_CTX_set_padding
enables or disables padding.


@ -1,4 +1,4 @@
.\" $OpenBSD: EVP_CIPHER_CTX_init.3,v 1.3 2023/12/26 22:13:00 schwarze Exp $
.\" $OpenBSD: EVP_CIPHER_CTX_init.3,v 1.4 2024/12/06 15:01:01 schwarze Exp $
.\" full merge up to:
.\" OpenSSL EVP_EncryptInit.pod 0874d7f2 Oct 11 13:13:47 2022 +0100
.\"
@ -68,7 +68,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: December 26 2023 $
.Dd $Mdocdate: December 6 2024 $
.Dt EVP_CIPHER_CTX_INIT 3
.Os
.Sh NAME
@ -78,7 +78,7 @@
.Nd obsolete EVP cipher functions
.Sh SYNOPSIS
.In openssl/evp.h
.Ft void
.Ft int
.Fo EVP_CIPHER_CTX_init
.Fa "EVP_CIPHER_CTX *ctx"
.Fc
@ -102,7 +102,8 @@ was made opaque.
Calling it on a cipher context just returned from
.Xr EVP_CIPHER_CTX_new 3
has no effect.
Calling it on a cipher context that was already used leaks memory.
Calling it on a cipher context that was already used may leak memory
with older versions of the library.
Instead, use
.Xr EVP_CIPHER_CTX_reset 3
or
@ -173,6 +174,9 @@ the overhead incurred by using
.Xr EVP_CipherUpdate 3
is minimal.
.Sh RETURN VALUES
.Fn EVP_CIPHER_CTX_init
always returns 1.
.Pp
.Fn EVP_CIPHER_CTX_cleanup
returns 1 for success or 0 for failure.
.Pp


@ -1,4 +1,4 @@
.\" $OpenBSD: EVP_DigestInit.3,v 1.35 2024/08/30 07:03:19 tb Exp $
.\" $OpenBSD: EVP_DigestInit.3,v 1.37 2024/12/06 15:01:01 schwarze Exp $
.\" full merge up to: OpenSSL 7f572e95 Dec 2 13:57:04 2015 +0000
.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
.\"
@ -70,7 +70,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: August 30 2024 $
.Dd $Mdocdate: December 6 2024 $
.Dt EVP_DIGESTINIT 3
.Os
.Sh NAME
@ -114,7 +114,7 @@
.Fo EVP_MD_CTX_free
.Fa "EVP_MD_CTX *ctx"
.Fc
.Ft void
.Ft int
.Fo EVP_MD_CTX_init
.Fa "EVP_MD_CTX *ctx"
.Fc
@ -427,7 +427,8 @@ object or
.Dv NULL
for failure.
.Pp
.Fn EVP_MD_CTX_reset
.Fn EVP_MD_CTX_reset ,
.Fn EVP_MD_CTX_init ,
and
.Fn EVP_MD_CTX_cleanup
always return 1.
@ -530,7 +531,6 @@ main(int argc, char *argv[])
.Xr EVP_MD_CTX_ctrl 3 ,
.Xr EVP_MD_nid 3 ,
.Xr EVP_PKEY_CTX_set_signature_md 3 ,
.Xr EVP_PKEY_meth_set_signctx 3 ,
.Xr EVP_sha1 3 ,
.Xr EVP_sha3_224 3 ,
.Xr EVP_SignInit 3 ,


@ -1,8 +1,9 @@
.\" $OpenBSD: EVP_DigestSignInit.3,v 1.13 2024/07/21 08:36:43 tb Exp $
.\" OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
.\" $OpenBSD: EVP_DigestSignInit.3,v 1.15 2024/12/06 14:27:49 schwarze Exp $
.\" full merge up to: OpenSSL 28428130 Apr 17 15:18:40 2018 +0200
.\" selective merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
.\"
.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
.\" Copyright (c) 2006, 2009, 2015, 2016 The OpenSSL Project.
.\" Copyright (c) 2006, 2009, 2015, 2016, 2017 The OpenSSL Project.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@ -49,7 +50,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: July 21 2024 $
.Dd $Mdocdate: December 6 2024 $
.Dt EVP_DIGESTSIGNINIT 3
.Os
.Sh NAME
@ -97,33 +98,35 @@ sets up the signing context
.Fa ctx
to use the digest
.Fa type
and private key
and the private key
.Fa pkey .
Before calling this function, obtain
.Fa ctx
from
.Xr EVP_MD_CTX_new 3
or call
.Xr EVP_MD_CTX_reset 3
on it.
The
.Fa ENGINE *engine
.Fa engine
argument is always ignored and passing
.Dv NULL
is recommended.
.Fa ctx
must be initialized with
.Xr EVP_MD_CTX_init 3
before calling this function.
.Pp
If
.Fa pctx
is not
.Dv NULL ,
the
.Vt EVP_PKEY_CTX
of the signing operation will be written to
.Pf * Fa pctx :
this can be used to set alternative signing options.
Any existing value in
any pointer passed in as
.Pf * Fa pctx
will be overwritten.
The
is ignored and overwritten by an internal pointer to the
.Vt EVP_PKEY_CTX
value returned must not be freed directly by the application.
It will be freed automatically when the
used by the signing operation:
this can be used to set alternative signing options.
The returned
.Vt EVP_PKEY_CTX
must not be freed by the application.
It is freed automatically when the
.Vt EVP_MD_CTX
is freed.
.Pp
@ -226,8 +229,7 @@ The error codes can be obtained from
.Sh SEE ALSO
.Xr evp 3 ,
.Xr EVP_DigestInit 3 ,
.Xr EVP_DigestVerifyInit 3 ,
.Xr EVP_PKEY_meth_set_signctx 3
.Xr EVP_DigestVerifyInit 3
.Sh HISTORY
.Fn EVP_DigestSignInit ,
.Fn EVP_DigestSignUpdate ,


@ -1,8 +1,9 @@
.\" $OpenBSD: EVP_DigestVerifyInit.3,v 1.15 2024/07/21 08:36:43 tb Exp $
.\" OpenSSL fb552ac6 Sep 30 23:43:01 2009 +0000
.\" $OpenBSD: EVP_DigestVerifyInit.3,v 1.17 2024/12/06 14:27:49 schwarze Exp $
.\" full merge up to OpenSSL f097e875 Aug 23 11:37:22 2018 +0100
.\" selective merge up to 24a535ea Sep 22 13:14:20 2020 +0100
.\"
.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
.\" Copyright (c) 2006, 2009, 2014, 2015, 2016 The OpenSSL Project.
.\" Copyright (c) 2006, 2009, 2014, 2015, 2016, 2017 The OpenSSL Project.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@ -49,7 +50,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: July 21 2024 $
.Dd $Mdocdate: December 6 2024 $
.Dt EVP_DIGESTVERIFYINIT 3
.Os
.Sh NAME
@ -93,39 +94,41 @@ The EVP signature routines are a high-level interface to digital
signatures.
.Pp
.Fn EVP_DigestVerifyInit
sets up verification context
sets up the verification context
.Fa ctx
to use digest
to use the digest
.Fa type
and public key
and the public key
.Fa pkey .
Before calling this function, obtain
.Fa ctx
must be initialized with
.Xr EVP_MD_CTX_init 3
before calling this function.
from
.Xr EVP_MD_CTX_new 3
or call
.Xr EVP_MD_CTX_reset 3
on it.
The
.Fa engine
argument is always ignored and passing
.Dv NULL
is recommended.
.Pp
If
.Fa pctx
is not
.Dv NULL ,
the
any pointer passed in as
.Pf * Fa pctx
is ignored and overwritten by an internal pointer to the
.Vt EVP_PKEY_CTX
of the verification operation will be written to
.Pf * Fa pctx :
this can be used to set alternative verification options.
Any existing value in
.Pf * .Fa pctx
is overwritten.
The
used by the verification operation:
this can be used to set alternative signing options.
The returned
.Vt EVP_PKEY_CTX
value returned must not be freed directly by the application.
It will be freed automatically when the
must not be freed by the application.
It is freed automatically when the
.Vt EVP_MD_CTX
is freed.
The
.Fa ENGINE *engine
argument is always ignored and passing
.Dv NULL
is recommended.
.Pp
.Fn EVP_DigestVerifyUpdate
hashes
@ -168,7 +171,7 @@ and
.\" it is the only way to verify data.
.Pp
The EVP interface to digital signatures should almost always be
used in preference to the low level interfaces.
used in preference to the low-level interfaces.
This is because the code then becomes transparent to the algorithm used
and much more flexible.
.Pp
@ -206,8 +209,7 @@ The error codes can be obtained from
.Sh SEE ALSO
.Xr evp 3 ,
.Xr EVP_DigestInit 3 ,
.Xr EVP_DigestSignInit 3 ,
.Xr EVP_PKEY_meth_set_verifyctx 3
.Xr EVP_DigestSignInit 3
.Sh HISTORY
.Fn EVP_DigestVerifyInit ,
.Fn EVP_DigestVerifyUpdate ,


@ -1,4 +1,4 @@
.\" $OpenBSD: EVP_EncryptInit.3,v 1.52 2024/07/21 08:36:43 tb Exp $
.\" $OpenBSD: EVP_EncryptInit.3,v 1.56 2024/12/20 01:54:03 schwarze Exp $
.\" full merge up to: OpenSSL 5211e094 Nov 11 14:39:11 2014 -0800
.\" EVP_bf_cbc.pod EVP_cast5_cbc.pod EVP_idea_cbc.pod EVP_rc2_cbc.pod
.\" 7c6d372a Nov 20 13:20:01 2018 +0000
@ -69,7 +69,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: July 21 2024 $
.Dd $Mdocdate: December 20 2024 $
.Dt EVP_ENCRYPTINIT 3
.Os
.Sh NAME
@ -103,13 +103,6 @@
.Nm EVP_idea_cfb64 ,
.Nm EVP_idea_cfb ,
.Nm EVP_idea_ofb ,
.Nm EVP_rc2_cbc ,
.Nm EVP_rc2_ecb ,
.Nm EVP_rc2_cfb64 ,
.Nm EVP_rc2_cfb ,
.Nm EVP_rc2_ofb ,
.Nm EVP_rc2_40_cbc ,
.Nm EVP_rc2_64_cbc ,
.Nm EVP_bf_cbc ,
.Nm EVP_bf_ecb ,
.Nm EVP_bf_cfb64 ,
@ -553,7 +546,6 @@ returns an
.Vt EVP_CIPHER
structure.
.Sh CIPHER LISTING
All algorithms have a fixed key length unless otherwise stated.
.Bl -tag -width Ds
.It Fn EVP_enc_null
Null cipher: does nothing.
@ -564,37 +556,13 @@ Null cipher: does nothing.
.Fn EVP_idea_ofb
.Xc
IDEA encryption algorithm in CBC, ECB, CFB and OFB modes respectively.
IDEA is a block cipher operating on 64 bit blocks using a 128 bit
.Fa key .
.Fn EVP_idea_cfb
is an alias for
.Fn EVP_idea_cfb64 ,
implemented as a macro.
.It Xo
.Fn EVP_rc2_cbc ,
.Fn EVP_rc2_ecb ,
.Fn EVP_rc2_cfb64 ,
.Fn EVP_rc2_ofb
.Xc
RC2 encryption algorithm in CBC, ECB, CFB and OFB modes respectively.
This is a variable key length cipher with an additional parameter called
"effective key bits" or "effective key length".
By default both are set to 128 bits.
.Fn EVP_rc2_cfb
is an alias for
.Fn EVP_rc2_cfb64 ,
implemented as a macro.
.It Xo
.Fn EVP_rc2_40_cbc ,
.Fn EVP_rc2_64_cbc
.Xc
RC2 algorithm in CBC mode with a default key length and effective key
length of 40 and 64 bits.
These are obsolete and new code should use
.Fn EVP_rc2_cbc ,
.Xr EVP_CIPHER_CTX_set_key_length 3 ,
and
.Xr EVP_CIPHER_CTX_ctrl 3
to set the key length and effective key length.
.It Xo
.Fn EVP_bf_cbc ,
.Fn EVP_bf_ecb ,
.Fn EVP_bf_cfb64 ,
@ -602,7 +570,10 @@ to set the key length and effective key length.
.Xc
Blowfish encryption algorithm in CBC, ECB, CFB and OFB modes
respectively.
This is a variable key length cipher.
Blowfish is a block cipher operating on 64 bit blocks using a variable
.Fa key
length.
The default key length is 128 bits.
.Fn EVP_bf_cfb
is an alias for
.Fn EVP_bf_cfb64 ,
@ -613,120 +584,30 @@ implemented as a macro.
.Fn EVP_cast5_cfb64 ,
.Fn EVP_cast5_ofb
.Xc
CAST encryption algorithm in CBC, ECB, CFB and OFB modes respectively.
This is a variable key length cipher.
CAST-128 encryption algorithm in CBC, ECB, CFB and OFB modes respectively.
CAST-128 is a block cipher operating on 64 bit blocks using a variable
.Fa key
length.
The default and maximum key length is 128 bits.
.Fn EVP_cast5_cfb
is an alias for
.Fn EVP_cast5_cfb64 ,
implemented as a macro.
.El
.Pp
See also
.Xr EVP_aes_128_cbc 3 ,
.Xr EVP_camellia_128_cbc 3 ,
.Xr EVP_des_cbc 3 ,
.Xr EVP_rc4 3 ,
and
.Xr EVP_sm4_cbc 3 .
.Ss GCM mode
For GCM mode ciphers, the behaviour of the EVP interface
is subtly altered and several additional ctrl operations are
supported.
Some algorithms are documented in separate manual pages:
.Pp
To specify any additional authenticated data (AAD), a call to
.Fn EVP_CipherUpdate ,
.Fn EVP_EncryptUpdate ,
or
.Fn EVP_DecryptUpdate
should be made with the output parameter
.Fa out
set to
.Dv NULL .
.Pp
When decrypting, the return value of
.Fn EVP_DecryptFinal ,
.Fn EVP_DecryptFinal_ex ,
.Fn EVP_CipherFinal ,
or
.Fn EVP_CipherFinal_ex
indicates if the operation was successful.
If it does not indicate success, the authentication operation has
failed and any output data MUST NOT be used as it is corrupted.
.Pp
The following ctrls are supported in GCM mode:
.Bl -tag -width Ds
.It Fn EVP_CIPHER_CTX_ctrl ctx EVP_CTRL_GCM_SET_IVLEN ivlen NULL
Sets the IV length: this call can only be made before specifying an IV.
If not called, a default IV length is used.
For GCM AES the default is 12, i.e. 96 bits.
.It Fn EVP_CIPHER_CTX_ctrl ctx EVP_CTRL_GCM_GET_TAG taglen tag
Writes
.Fa taglen
bytes of the tag value to the buffer indicated by
.Fa tag .
This call can only be made when encrypting data and after all data has
been processed, e.g. after an
.Fn EVP_EncryptFinal
or
.Fn EVP_EncryptFinal_ex
call.
.It Fn EVP_CIPHER_CTX_ctrl ctx EVP_CTRL_GCM_SET_TAG taglen tag
Sets the expected tag to
.Fa taglen
bytes from
.Fa tag .
This call is only legal when decrypting data and must be made before
any data is processed, e.g. before any
.Fa EVP_DecryptUpdate
call.
.El
.Ss CCM mode
The behaviour of CCM mode ciphers is similar to GCM mode, but with
a few additional requirements and different ctrl values.
.Pp
Like GCM mode any additional authenticated data (AAD) is passed
by calling
.Fn EVP_CipherUpdate ,
.Fn EVP_EncryptUpdate ,
or
.Fn EVP_DecryptUpdate
with the output parameter
.Fa out
set to
.Dv NULL .
Additionally, the total
plaintext or ciphertext length MUST be passed to
.Fn EVP_CipherUpdate ,
.Fn EVP_EncryptUpdate ,
or
.Fn EVP_DecryptUpdate
with the output and input
parameters
.Pq Fa in No and Fa out
set to
.Dv NULL
and the length passed in the
.Fa in_len
parameter.
.Pp
The following ctrls are supported in CCM mode:
.Bl -tag -width Ds
.It Fn EVP_CIPHER_CTX_ctrl ctx EVP_CTRL_CCM_SET_TAG taglen tag
This call is made to set the expected CCM tag value when decrypting or
the length of the tag (with the
.Fa tag
parameter set to
.Dv NULL )
when encrypting.
The tag length is often referred to as M.
If not set, a default value is used (12 for AES).
.It Fn EVP_CIPHER_CTX_ctrl ctx EVP_CTRL_CCM_SET_L ivlen NULL
Sets the CCM L value.
If not set, a default is used (8 for AES).
.It Fn EVP_CIPHER_CTX_ctrl ctx EVP_CTRL_CCM_SET_IVLEN ivlen NULL
Sets the CCM nonce (IV) length: this call can only be made before
specifying a nonce value.
The nonce length is given by 15 - L so it is 7 by default for AES.
.Bl -column "EVP_camellia_128_cbc(3)" "block size" -compact
.It manual page Ta block size Ta Fa key No size Pq in bits
.It Xr EVP_aes_128_cbc 3 Ta 128 Ta 128, 192, 256
.It Xr EVP_aes_128_ccm 3 Ta 128 Ta 128, 192, 256
.It Xr EVP_aes_128_gcm 3 Ta 128 Ta 128, 192, 256
.It Xr EVP_camellia_128_cbc 3 Ta 128 Ta 128, 192, 256
.It Xr EVP_chacha20 3 Ta stream Ta 256
.It Xr EVP_des_cbc 3 Ta 64 Ta 64
.It Xr EVP_rc2_cbc 3 Ta 64 Ta variable, default 128
.It Xr EVP_rc4 3 Ta stream Ta variable, default 128
.It Xr EVP_sm4_cbc 3 Ta 128 Ta 128
.El
.Sh EXAMPLES
Encrypt a string using blowfish:
@ -842,6 +723,8 @@ do_crypt(FILE *in_fileptr, FILE *out_fileptr, int do_encrypt)
.Xr evp 3 ,
.Xr EVP_AEAD_CTX_init 3 ,
.Xr EVP_aes_128_cbc 3 ,
.Xr EVP_aes_128_ccm 3 ,
.Xr EVP_aes_128_gcm 3 ,
.Xr EVP_camellia_128_cbc 3 ,
.Xr EVP_chacha20 3 ,
.Xr EVP_CIPHER_CTX_ctrl 3 ,
@ -851,6 +734,7 @@ do_crypt(FILE *in_fileptr, FILE *out_fileptr, int do_encrypt)
.Xr EVP_CIPHER_nid 3 ,
.Xr EVP_des_cbc 3 ,
.Xr EVP_OpenInit 3 ,
.Xr EVP_rc2_cbc 3 ,
.Xr EVP_rc4 3 ,
.Xr EVP_SealInit 3 ,
.Xr EVP_sm4_cbc 3
@ -871,12 +755,6 @@ do_crypt(FILE *in_fileptr, FILE *out_fileptr, int do_encrypt)
and
.Fn EVP_idea_ofb
first appeared in SSLeay 0.5.1.
.Fn EVP_rc2_cbc ,
.Fn EVP_rc2_ecb ,
.Fn EVP_rc2_cfb ,
and
.Fn EVP_rc2_ofb
first appeared in SSLeay 0.5.2.
.Fn EVP_bf_cbc ,
.Fn EVP_bf_ecb ,
.Fn EVP_bf_cfb ,
@ -893,12 +771,6 @@ first appeared in SSLeay 0.8.1.
All these functions have been available since
.Ox 2.4 .
.Pp
.Fn EVP_rc2_40_cbc
and
.Fn EVP_rc2_64_cbc
first appeared in SSLeay 0.9.1 and have been available since
.Ox 2.6 .
.Pp
.Fn EVP_EncryptInit_ex ,
.Fn EVP_EncryptFinal_ex ,
.Fn EVP_DecryptInit_ex ,
@ -911,9 +783,8 @@ first appeared in OpenSSL 0.9.7 and have been available since
.Pp
.Fn EVP_bf_cfb64 ,
.Fn EVP_cast5_cfb64 ,
.Fn EVP_idea_cfb64 ,
and
.Fn EVP_rc2_cfb64
.Fn EVP_idea_cfb64
first appeared in OpenSSL 0.9.7e and have been available since
.Ox 3.8 .
.Pp


@ -1,4 +1,4 @@
.\" $OpenBSD: EVP_PKEY_CTX_ctrl.3,v 1.23 2023/09/13 13:32:01 schwarze Exp $
.\" $OpenBSD: EVP_PKEY_CTX_ctrl.3,v 1.28 2024/12/10 14:54:20 schwarze Exp $
.\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
.\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
.\" Parts were split out into RSA_pkey_ctx_ctrl(3).
@ -6,7 +6,7 @@
.\" This file is a derived work.
.\" The changes are covered by the following Copyright and license:
.\"
.\" Copyright (c) 2019, 2023 Ingo Schwarze <schwarze@openbsd.org>
.\" Copyright (c) 2019, 2023, 2024 Ingo Schwarze <schwarze@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@ -69,7 +69,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: September 13 2023 $
.Dd $Mdocdate: December 10 2024 $
.Dt EVP_PKEY_CTX_CTRL 3
.Os
.Sh NAME
@ -410,6 +410,92 @@ macro gets the user key material for
The return value is the user key material length.
The resulting pointer is owned by the library and should not be
freed by the caller.
.Ss CMAC parameters
Application programs normally implement CMAC as described in
.Xr EVP_PKEY_new_CMAC_key 3
and do not need the control commands documented here.
.Pp
Alternatively, the call to
.Xr EVP_PKEY_new_CMAC_key 3
can be replaced as follows,
leaving the rest of the example code given there unchanged:
.Pp
.Bl -enum -width 2n -compact
.It
Create an empty
.Vt EVP_PKEY_CTX
object by passing the
.Dv EVP_PKEY_CMAC
constant to
.Xr EVP_PKEY_CTX_new_id 3 .
.It
Initialize it with
.Xr EVP_PKEY_keygen_init 3 .
.It
Select the block cipher by calling
.Fn EVP_PKEY_CTX_ctrl
with an
.Fa optype
of
.Dv EVP_PKEY_OP_KEYGEN ,
a
.Fa cmd
of
.Dv EVP_PKEY_CTRL_CIPHER ,
and
.Fa p2
pointing to an
.Vt EVP_CIPHER
object, which can be obtained from the functions in the CIPHER LISTING in
.Xr EVP_EncryptInit 3 .
The
.Fa p1
argument is ignored; passing 0 is recommended.
.It
Call
.Fn EVP_PKEY_CTX_ctrl
again with an
.Fa optype
of
.Dv EVP_PKEY_OP_KEYGEN ,
a
.Fa cmd
of
.Dv EVP_PKEY_CTRL_SET_MAC_KEY ,
.Fa p2
pointing to the symmetric key, and
.Fa p1
specifying the length of the symmetric key in bytes.
.It
Extract the desired
.Vt EVP_PKEY
object using
.Xr EVP_PKEY_keygen 3 ,
making sure the
.Fa ppkey
argument points to a storage location containing a
.Dv NULL
pointer.
.It
Proceed with
.Xr EVP_MD_CTX_new 3 ,
.Xr EVP_DigestSignInit 3 ,
and
.Xr EVP_DigestSign 3
as usual.
.El
.Ss HMAC parameters
Application programs normally implement HMAC as described in
.Xr EVP_PKEY_new_raw_private_key 3 .
While it is possible to instead use
.Dv EVP_PKEY_CTRL_SET_MAC_KEY
directly, similar to the above description for CMAC,
that is strongly discouraged.
It's essentially what the deprecated function
.Xr EVP_PKEY_new_mac_key 3
does internally, and compared to the direct approach with
.Xr EVP_PKEY_new_raw_private_key 3 ,
it requires a lot of cumbersome and unnecessary work.
.Ss Other parameters
The
.Fn EVP_PKEY_CTX_set1_id ,
@ -453,7 +539,6 @@ supported by the public key algorithm.
.Xr EVP_PKEY_encrypt 3 ,
.Xr EVP_PKEY_get_default_digest_nid 3 ,
.Xr EVP_PKEY_keygen 3 ,
.Xr EVP_PKEY_meth_set_ctrl 3 ,
.Xr EVP_PKEY_sign 3 ,
.Xr EVP_PKEY_verify 3 ,
.Xr EVP_PKEY_verify_recover 3 ,


@ -1,4 +1,4 @@
.\" $OpenBSD: EVP_PKEY_CTX_new.3,v 1.14 2024/07/21 08:36:43 tb Exp $
.\" $OpenBSD: EVP_PKEY_CTX_new.3,v 1.16 2024/12/06 14:27:49 schwarze Exp $
.\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
.\"
.\" This file is a derived work.
@ -65,7 +65,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: July 21 2024 $
.Dd $Mdocdate: December 6 2024 $
.Dt EVP_PKEY_CTX_NEW 3
.Os
.Sh NAME
@ -154,7 +154,6 @@ if an error occurred.
.Xr EVP_DigestSignInit 3 ,
.Xr EVP_DigestVerifyInit 3 ,
.Xr EVP_PKEY_base_id 3 ,
.Xr EVP_PKEY_check 3 ,
.Xr EVP_PKEY_CTX_ctrl 3 ,
.Xr EVP_PKEY_CTX_get_operation 3 ,
.Xr EVP_PKEY_CTX_hkdf_mode 3 ,
@ -162,7 +161,6 @@ if an error occurred.
.Xr EVP_PKEY_derive 3 ,
.Xr EVP_PKEY_encrypt 3 ,
.Xr EVP_PKEY_keygen 3 ,
.Xr EVP_PKEY_meth_set_init 3 ,
.Xr EVP_PKEY_new 3 ,
.Xr EVP_PKEY_sign 3 ,
.Xr EVP_PKEY_verify 3 ,


@ -1,4 +1,4 @@
.\" $OpenBSD: EVP_PKEY_asn1_get_count.3,v 1.9 2024/07/21 08:36:43 tb Exp $
.\" $OpenBSD: EVP_PKEY_asn1_get_count.3,v 1.10 2024/12/06 12:51:13 schwarze Exp $
.\" full merge up to: OpenSSL 72a7a702 Feb 26 14:05:09 2019 +0000
.\"
.\" This file is a derived work.
@ -65,7 +65,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: July 21 2024 $
.Dd $Mdocdate: December 6 2024 $
.Dt EVP_PKEY_ASN1_GET_COUNT 3
.Os
.Sh NAME
@ -185,16 +185,10 @@ object and will never be returned from
or
.Fn EVP_PKEY_asn1_find_str .
.It Dv ASN1_PKEY_DYNAMIC
This
This flag is unused.
It could formerly be used to mark an
.Fa ameth
object is marked as dynamically allocated.
If this flag is set,
.Xr EVP_PKEY_asn1_free 3
can free
.Fa ameth ;
otherwise,
.Xr EVP_PKEY_asn1_free 3
has no effect on it.
object as dynamically allocated.
.It Dv ASN1_PKEY_SIGPARAM_NULL
If the signing
.Fa ctx
@ -240,7 +234,6 @@ if no match is found.
.Fn EVP_PKEY_asn1_get0_info
returns 1 on success or 0 on failure.
.Sh SEE ALSO
.Xr EVP_PKEY_asn1_new 3 ,
.Xr EVP_PKEY_base_id 3 ,
.Xr EVP_PKEY_new 3
.Sh HISTORY


@ -1,505 +0,0 @@
.\" $OpenBSD: EVP_PKEY_asn1_new.3,v 1.11 2023/12/21 21:32:01 tb Exp $
.\" selective merge up to:
.\" OpenSSL man3/EVP_PKEY_ASN1_METHOD b0004708 Nov 1 00:45:24 2017 +0800
.\"
.\" This file is a derived work.
.\" The changes are covered by the following Copyright and license:
.\"
.\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\" The original file was written by Richard Levitte <levitte@openssl.org>
.\" and Paul Yang <yang.yang@baishancloud.com>.
.\" Copyright (c) 2017 The OpenSSL Project. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in
.\" the documentation and/or other materials provided with the
.\" distribution.
.\"
.\" 3. All advertising materials mentioning features or use of this
.\" software must display the following acknowledgment:
.\" "This product includes software developed by the OpenSSL Project
.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
.\"
.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
.\" endorse or promote products derived from this software without
.\" prior written permission. For written permission, please contact
.\" openssl-core@openssl.org.
.\"
.\" 5. Products derived from this software may not be called "OpenSSL"
.\" nor may "OpenSSL" appear in their names without prior written
.\" permission of the OpenSSL Project.
.\"
.\" 6. Redistributions of any form whatsoever must retain the following
.\" acknowledgment:
.\" "This product includes software developed by the OpenSSL Project
.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: December 21 2023 $
.Dt EVP_PKEY_ASN1_NEW 3
.Os
.Sh NAME
.\" .Nm EVP_PKEY_asn1_add0 and
.\" .Nm EVP_PKEY_asn1_add_alias are intentionally undocumented
.\" because they will be removed in the next major bump
.Nm EVP_PKEY_asn1_new ,
.Nm EVP_PKEY_asn1_copy ,
.Nm EVP_PKEY_asn1_free ,
.Nm EVP_PKEY_asn1_set_public ,
.Nm EVP_PKEY_asn1_set_private ,
.Nm EVP_PKEY_asn1_set_param ,
.Nm EVP_PKEY_asn1_set_free ,
.Nm EVP_PKEY_asn1_set_ctrl ,
.Nm EVP_PKEY_asn1_set_check ,
.Nm EVP_PKEY_asn1_set_public_check ,
.Nm EVP_PKEY_asn1_set_param_check ,
.Nm EVP_PKEY_asn1_set_security_bits
.Nd manipulating and registering an EVP_PKEY_ASN1_METHOD structure
.Sh SYNOPSIS
.In openssl/evp.h
.Ft EVP_PKEY_ASN1_METHOD *
.Fo EVP_PKEY_asn1_new
.Fa "int id"
.Fa "int flags"
.Fa "const char *pem_str"
.Fa "const char *info"
.Fc
.Ft void
.Fo EVP_PKEY_asn1_copy
.Fa "EVP_PKEY_ASN1_METHOD *dst"
.Fa "const EVP_PKEY_ASN1_METHOD *src"
.Fc
.Ft void
.Fo EVP_PKEY_asn1_free
.Fa "EVP_PKEY_ASN1_METHOD *ameth"
.Fc
.Ft void
.Fo EVP_PKEY_asn1_set_public
.Fa "EVP_PKEY_ASN1_METHOD *ameth"
.Fa "int (*pub_decode)(EVP_PKEY *pk, X509_PUBKEY *pub)"
.Fa "int (*pub_encode)(X509_PUBKEY *pub, const EVP_PKEY *pk)"
.Fa "int (*pub_cmp)(const EVP_PKEY *a, const EVP_PKEY *b)"
.Fa "int (*pub_print)(BIO *out, const EVP_PKEY *pkey, int indent,\
ASN1_PCTX *pctx)"
.Fa "int (*pkey_size)(const EVP_PKEY *pk)"
.Fa "int (*pkey_bits)(const EVP_PKEY *pk)"
.Fc
.Ft void
.Fo EVP_PKEY_asn1_set_private
.Fa "EVP_PKEY_ASN1_METHOD *ameth"
.Fa "int (*priv_decode)(EVP_PKEY *pk, const PKCS8_PRIV_KEY_INFO *p8inf)"
.Fa "int (*priv_encode)(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pk)"
.Fa "int (*priv_print)(BIO *out, const EVP_PKEY *pkey, int indent,\
ASN1_PCTX *pctx)"
.Fc
.Ft void
.Fo EVP_PKEY_asn1_set_param
.Fa "EVP_PKEY_ASN1_METHOD *ameth"
.Fa "int (*param_decode)(EVP_PKEY *pkey, const unsigned char **pder,\
int derlen)"
.Fa "int (*param_encode)(const EVP_PKEY *pkey, unsigned char **pder)"
.Fa "int (*param_missing)(const EVP_PKEY *pk)"
.Fa "int (*param_copy)(EVP_PKEY *to, const EVP_PKEY *from)"
.Fa "int (*param_cmp)(const EVP_PKEY *a, const EVP_PKEY *b)"
.Fa "int (*param_print)(BIO *out, const EVP_PKEY *pkey, int indent,\
ASN1_PCTX *pctx)"
.Fc
.Ft void
.Fo EVP_PKEY_asn1_set_free
.Fa "EVP_PKEY_ASN1_METHOD *ameth"
.Fa "void (*pkey_free)(EVP_PKEY *pkey)"
.Fc
.Ft void
.Fo EVP_PKEY_asn1_set_ctrl
.Fa "EVP_PKEY_ASN1_METHOD *ameth"
.Fa "int (*pkey_ctrl)(EVP_PKEY *pkey, int op, long arg1, void *arg2)"
.Fc
.Ft void
.Fo EVP_PKEY_asn1_set_check
.Fa "EVP_PKEY_ASN1_METHOD *ameth"
.Fa "int (*pkey_check)(const EVP_PKEY *pk)"
.Fc
.Ft void
.Fo EVP_PKEY_asn1_set_public_check
.Fa "EVP_PKEY_ASN1_METHOD *ameth"
.Fa "int (*pkey_public_check)(const EVP_PKEY *pk)"
.Fc
.Ft void
.Fo EVP_PKEY_asn1_set_param_check
.Fa "EVP_PKEY_ASN1_METHOD *ameth"
.Fa "int (*pkey_param_check)(const EVP_PKEY *pk)"
.Fc
.Ft void
.Fo EVP_PKEY_asn1_set_security_bits
.Fa "EVP_PKEY_ASN1_METHOD *ameth"
.Fa "int (*pkey_security_bits)(const EVP_PKEY *pkey)"
.Fc
.Sh DESCRIPTION
.Vt EVP_PKEY_ASN1_METHOD
is a structure which holds a set of ASN.1 conversion, printing and
information methods for a specific public key algorithm.
.Pp
The built-in
.Vt EVP_PKEY_ASN1_METHOD
objects are stored in a table containing the standard
methods for different algorithms.
.Ss Methods
The methods are the underlying implementations of a particular public
key algorithm present by the
.Vt EVP_PKEY
object.
.Bd -unfilled
.Ft int Fn (*pub_decode) "EVP_PKEY *pk" "X509_PUBKEY *pub"
.Ft int Fn (*pub_encode) "X509_PUBKEY *pub" "const EVP_PKEY *pk"
.Ed
.Pp
Decode and encode
.Vt X509_PUBKEY
ASN.1 parameters to and from
.Fa pk .
These methods must return 0 on error and 1 on success.
They are called by
.Xr X509_PUBKEY_get 3
and
.Xr X509_PUBKEY_set 3 .
.Bd -unfilled
.Ft int Fn (*pub_cmp) "const EVP_PKEY *a" "const EVP_PKEY *b"
.Ed
.Pp
Compare two public keys.
This method must return 1 when the keys are equal and 0 otherwise.
It is called by
.Xr EVP_PKEY_cmp 3 .
.Bd -filled
.Ft int Fo (*pub_print)
.Fa "BIO *out"
.Fa "const EVP_PKEY *pkey"
.Fa "int indent"
.Fa "ASN1_PCTX *pctx"
.Fc
.Ed
.Pp
Print a public key in humanly readable text to
.Fa out ,
indented
.Fa indent
spaces.
This method must return 0 on error and 1 on success.
It is called by
.Xr EVP_PKEY_print_public 3 .
.Bd -unfilled
.Ft int Fn (*priv_decode) "EVP_PKEY *pk" "const PKCS8_PRIV_KEY_INFO *p8inf"
.Ft int Fn (*priv_encode) "PKCS8_PRIV_KEY_INFO *p8" "const EVP_PKEY *pk"
.Ed
.Pp
Decode and encode
.Vt PKCS8_PRIV_KEY_INFO
form private key to and from
.Fa pk .
These methods must return 0 on error, 1 on success.
They are called by
.Xr EVP_PKCS82PKEY 3
and
.Xr EVP_PKEY2PKCS8 3 .
.Bd -filled
.Ft int Fo (*priv_print)
.Fa "BIO *out"
.Fa "const EVP_PKEY *pkey"
.Fa "int indent"
.Fa "ASN1_PCTX *pctx"
.Fc
.Ed
.Pp
Print a private key in humanly readable text to
.Fa out ,
indented
.Fa indent
spaces.
This method must return 0 on error and 1 on success.
It is called by
.Xr EVP_PKEY_print_private 3 .
.Bd -unfilled
.Ft int Fn (*pkey_size) "const EVP_PKEY *pk"
.Ed
.Pp
Returns the key size in bytes.
This method is called by
.Xr EVP_PKEY_size 3 .
.Bd -unfilled
.Ft int Fn (*pkey_bits) "const EVP_PKEY *pk"
.Ed
.Pp
Returns the key size in bits.
This method is called by
.Xr EVP_PKEY_bits 3 .
.Bd -filled
.Ft int Fo (*param_decode)
.Fa "EVP_PKEY *pkey"
.Fa "const unsigned char **pder"
.Fa "int derlen"
.Fc
.br
.Ft int Fo (*param_encode)
.Fa "const EVP_PKEY *pkey"
.Fa "unsigned char **pder"
.Fc
.Ed
.Pp
Decode and encode DER formatted parameters to and from
.Fa pk .
These methods must return 0 on error and 1 on success.
They are called by
.Fn PEM_read_bio_Parameters .
.Bd -unfilled
.Ft int Fn (*param_missing) "const EVP_PKEY *pk"
.Ed
.Pp
Return 0 if a key parameter is missing or 1 otherwise.
This method is called by
.Xr EVP_PKEY_missing_parameters 3 .
.Bd -unfilled
.Ft int Fn (*param_copy) "EVP_PKEY *to" "const EVP_PKEY *from"
.Ed
.Pp
Copy key parameters from
.Fa from
to
.Fa to .
This method must return 0 on error and 1 on success.
It is called by
.Xr EVP_PKEY_copy_parameters 3 .
.Bd -unfilled
.Ft int Fn (*param_cmp) "const EVP_PKEY *a" "const EVP_PKEY *b"
.Ed
.Pp
Compare the parameters of the keys
.Fa a
and
.Fa b .
This method must return 1 when the keys are equal, 0 when not equal, and a
negative number on error.
It is called by
.Xr EVP_PKEY_cmp_parameters 3 .
.Bd -filled
.Ft int Fo (*param_print)
.Fa "BIO *out"
.Fa "const EVP_PKEY *pkey"
.Fa "int indent"
.Fa "ASN1_PCTX *pctx"
.Fc
.Ed
.Pp
Print the private key parameters in humanly readable text to
.Fa out ,
indented
.Fa indent
spaces.
This method must return 0 on error and 1 on success.
It is called by
.Xr EVP_PKEY_print_params 3 .
.Bd -unfilled
.Ft void Fn (*pkey_free) "EVP_PKEY *pkey"
.Ed
.Pp
Free the internals of
.Fa pkey .
This method is called by
.Xr EVP_PKEY_free 3 ,
.Xr EVP_PKEY_set_type 3 ,
.Xr EVP_PKEY_set_type_str 3 ,
and
.Xr EVP_PKEY_assign 3 .
.Bd -filled
.Ft int Fo (*pkey_ctrl)
.Fa "EVP_PKEY *pkey"
.Fa "int op"
.Fa "long arg1"
.Fa "void *arg2"
.Fc
.Ed
.Pp
Add extra algorithm specific control.
.Pp
If the
.Fa op
argument is
.Dv ASN1_PKEY_CTRL_DEFAULT_MD_NID ,
the
.Fa pkey_ctrl
method is supposed to write the message digest NID
for public key signature operations with the given
.Fa pkey
to
.Pf * Fa arg2
as documented in the
.Xr EVP_PKEY_get_default_digest_nid 3
manual page.
.Pp
The
.Fa pkey_ctrl
method is also called by
.Fn PKCS7_SIGNER_INFO_set ,
.Fn PKCS7_RECIP_INFO_set ,
and other functions.
.\" TODO:
.\" ASN1_PKEY_CTRL_CMS_ENVELOPE in cms_env.c rsa_ameth.c
.\" ASN1_PKEY_CTRL_CMS_RI_TYPE in cms_env.c dsa_ameth.c ec_ameth.c rsa_ameth.c
.\" ASN1_PKEY_CTRL_CMS_SIGN in cms_sd.c dsa_ameth.c ec_ameth.c rsa_ameth.c
.\" ASN1_PKEY_CTRL_PKCS7_ENCRYPT in pk7_lib.c rsa_ameth.c
.\" ASN1_PKEY_CTRL_PKCS7_SIGN in pk7_lib.c dsa_ameth.c ec_ameth.c rsa_ameth.c
.Bd -unfilled
.Ft int Fn (*pkey_check) "const EVP_PKEY *pk"
.Ft int Fn (*pkey_public_check) "const EVP_PKEY *pk"
.Ft int Fn (*pkey_param_check) "const EVP_PKEY *pk"
.Ed
.Pp
Check the validity of
.Fa pk
for key-pair, public component, and parameters, respectively.
These methods must return 0 for an invalid key or 1 for a valid key.
They are called by
.Xr EVP_PKEY_check 3 ,
.Xr EVP_PKEY_public_check 3 ,
and
.Xr EVP_PKEY_param_check 3 ,
respectively.
.Bd -unfilled
.Ft int Fn (*pkey_security_bits) "const EVP_PKEY *pkey"
.Ed
.Pp
Return the security strength measured in bits of
.Fa pkey .
It is called by
.Xr EVP_PKEY_security_bits 3 .
.Ss Functions
.Fn EVP_PKEY_asn1_new
creates and returns a new
.Vt EVP_PKEY_ASN1_METHOD
object, marks it as dynamically allocated, and associates the given
.Fa id ,
.Fa flags ,
.Fa pem_str
and
.Fa info .
.Fa id
is a NID,
.Fa pem_str
is the PEM type string,
.Fa info
is a descriptive string.
If
.Dv ASN1_PKEY_SIGPARAM_NULL
is set in
.Fa flags ,
the signature algorithm parameters are given the type
.Dv V_ASN1_NULL
by default, otherwise they will be given the type
.Dv V_ASN1_UNDEF
(i.e. the parameter is omitted).
See
.Xr X509_ALGOR_set0 3
for more information.
.Pp
.Fn EVP_PKEY_asn1_copy
copies all function pointers from
.Fa src
to
.Fa dst .
The data in
.Fa dst
that can be set with
.Fn EVP_PKEY_asn1_new
\(em NIDs, flags, and strings \(em
remains unchanged.
This function is not thread safe, it is recommended to only use this when
initializing the application.
.Pp
.Fn EVP_PKEY_asn1_free
frees the dynamically allocated
.Fa ameth
including all memory it refers to.
If
.Fa ameth
is
.Dv NULL
of not marked as dynamically allocated, no action occurs.
.Pp
.Fn EVP_PKEY_asn1_set_public ,
.Fn EVP_PKEY_asn1_set_private ,
.Fn EVP_PKEY_asn1_set_param ,
.Fn EVP_PKEY_asn1_set_free ,
.Fn EVP_PKEY_asn1_set_ctrl ,
.Fn EVP_PKEY_asn1_set_check ,
.Fn EVP_PKEY_asn1_set_public_check ,
.Fn EVP_PKEY_asn1_set_param_check ,
and
.Fn EVP_PKEY_asn1_set_security_bits
set the diverse methods of the given
.Vt EVP_PKEY_ASN1_METHOD
object.
.Sh RETURN VALUES
.Fn EVP_PKEY_asn1_new
returns a pointer to the new
.Vt EVP_PKEY_ASN1_METHOD
object or
.Dv NULL
if memory allocation fails.
.Sh SEE ALSO
.Xr EVP_PKEY_asn1_get_count 3 ,
.Xr EVP_PKEY_new 3 ,
.Xr X509_PUBKEY_new 3
.Sh HISTORY
.Fn EVP_PKEY_asn1_new ,
.Fn EVP_PKEY_asn1_copy ,
.Fn EVP_PKEY_asn1_free ,
.Fn EVP_PKEY_asn1_set_public ,
.Fn EVP_PKEY_asn1_set_private ,
.Fn EVP_PKEY_asn1_set_param ,
.Fn EVP_PKEY_asn1_set_free ,
and
.Fn EVP_PKEY_asn1_set_ctrl
first appeared in OpenSSL 1.0.0 and have been available since
.Ox 4.9 .
.Pp
.Fn EVP_PKEY_asn1_set_check ,
.Fn EVP_PKEY_asn1_set_public_check ,
and
.Fn EVP_PKEY_asn1_set_param_check
first appeared in OpenSSL 1.1.1 and have been available since
.Ox 7.1 .
.Pp
.Fn EVP_PKEY_asn1_set_security_bits
first appeared in OpenSSL 1.1.0 and has been available since
.Ox 7.2 .


@ -1,149 +0,0 @@
.\" $OpenBSD: EVP_PKEY_check.3,v 1.2 2022/07/14 14:49:09 tb Exp $
.\"
.\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: July 14 2022 $
.Dt EVP_PKEY_CHECK 3
.Os
.Sh NAME
.Nm EVP_PKEY_check ,
.Nm EVP_PKEY_public_check ,
.Nm EVP_PKEY_param_check
.Nd key and parameter check functions
.Sh SYNOPSIS
.In openssl/evp.h
.Ft int
.Fn EVP_PKEY_check "EVP_PKEY_CTX *ctx"
.Ft int
.Fn EVP_PKEY_public_check "EVP_PKEY_CTX *ctx"
.Ft int
.Fn EVP_PKEY_param_check "EVP_PKEY_CTX *ctx"
.Sh DESCRIPTION
.Fn EVP_PKEY_check
performs various sanity checks on the key contained in
.Fa ctx
but only supports a small number of key types by default.
It preferably uses the function
.Fa check
configured for
.Fa ctx
with
.Xr EVP_PKEY_meth_set_check 3 .
It falls back to the function
.Fa pkey_check
configured for the private key contained in
.Fa ctx
with
.Xr EVP_PKEY_asn1_set_check 3 .
If that wasn't configured either, it attempts to use the following
check functions:
.Pp
.Bl -tag -width 3n -compact -offset -indent
.It DH
not supported, return value \-2
.It EC
.Xr EC_KEY_check_key 3
.It RSA
.Xr RSA_check_key 3
.El
.Pp
.Fn EVP_PKEY_public_check
performs various sanity checks on the public key contained in
.Fa ctx
but only supports a small number of key types by default.
It preferably uses the function
.Fa public_check
configured for
.Fa ctx
with
.Xr EVP_PKEY_meth_set_public_check 3 .
It falls back to the function
.Fa pkey_public_check
configured for the private key contained in
.Fa ctx
with
.Xr EVP_PKEY_asn1_set_public_check 3 .
If that wasn't configured either, it attempts to use the following
check functions:
.Pp
.Bl -tag -width 3n -compact -offset -indent
.It DH
.Xr DH_check_pub_key 3
.It EC
.Xr EC_KEY_check_key 3
.It RSA
not supported, return value \-2
.El
.Pp
.Fn EVP_PKEY_param_check
performs various sanity checks on the key parameters contained in
.Fa ctx
but only supports a small number of key types by default.
It preferably uses the function
.Fa check
configured for
.Fa ctx
with
.Xr EVP_PKEY_meth_set_param_check 3 .
It falls back to the function
.Fa pkey_check
configured for the private key contained in
.Fa ctx
with
.Xr EVP_PKEY_asn1_set_param_check 3 .
If that wasn't configured either, it attempts to use the following
check functions:
.Pp
.Bl -tag -width 3n -compact -offset -indent
.It DH
.Xr DH_check 3
.It EC
.Xr EC_GROUP_check 3
.It RSA
not supported, return value \-2
.El
.Sh RETURN VALUES
These functions return 1 if the check was performed and no problem
was found, 0 if a problem was found or if the check could not be
performed, for example because
.Fa ctx
does not contain an
.Vt EVP_PKEY
object, or \-2 if the required check function is neither configured for
.Fa ctx
nor for the
.Vt PKEY
contained therein, and the check in question is not supported by default
for the algorithm in question either.
.Sh SEE ALSO
.Xr DH_check 3 ,
.Xr EC_GROUP_check 3 ,
.Xr EC_KEY_new 3 ,
.Xr EVP_PKEY_asn1_new 3 ,
.Xr EVP_PKEY_CTX_new 3 ,
.Xr EVP_PKEY_meth_new 3 ,
.Xr EVP_PKEY_new 3 ,
.Xr RSA_check_key 3
.Sh HISTORY
These functions first appeared in OpenSSL 1.1.1
and have been available since
.Ox 7.1 .
.Sh BUGS
For EC keys,
.Fn EVP_PKEY_public_check
also checks the
.Em private
key and fails if there is a problem with any of the private
components, even if no problem is found with the public key.


@ -1,4 +1,4 @@
.\" $OpenBSD: EVP_PKEY_cmp.3,v 1.14 2024/03/05 19:21:31 tb Exp $
.\" $OpenBSD: EVP_PKEY_cmp.3,v 1.15 2024/12/06 12:51:13 schwarze Exp $
.\" full merge up to: OpenSSL 05ea606a May 20 20:52:46 2016 -0400
.\" selective merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
.\"
@ -67,7 +67,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: March 5 2024 $
.Dd $Mdocdate: December 6 2024 $
.Dt EVP_PKEY_CMP 3
.Os
.Sh NAME
@ -160,7 +160,6 @@ and
return 1 if the keys match, 0 if they don't match, -1 if the key types
are different and -2 if the operation is not supported.
.Sh SEE ALSO
.Xr EVP_PKEY_asn1_set_public 3 ,
.Xr EVP_PKEY_CTX_new 3 ,
.Xr EVP_PKEY_keygen 3 ,
.Xr EVP_PKEY_new 3 ,


@ -1,4 +1,4 @@
.\" $OpenBSD: EVP_PKEY_decrypt.3,v 1.9 2024/07/21 08:10:17 tb Exp $
.\" $OpenBSD: EVP_PKEY_decrypt.3,v 1.10 2024/12/06 14:27:49 schwarze Exp $
.\" full merge up to: OpenSSL 48e5119a Jan 19 10:49:22 2018 +0100
.\"
.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@ -49,7 +49,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
.\" OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd $Mdocdate: July 21 2024 $
.Dd $Mdocdate: December 6 2024 $
.Dt EVP_PKEY_DECRYPT 3
.Os
.Sh NAME
@ -164,7 +164,6 @@ if (EVP_PKEY_decrypt(ctx, out, &outlen, in, inlen) <= 0)
.Xr EVP_PKEY_CTX_new 3 ,
.Xr EVP_PKEY_derive 3 ,
.Xr EVP_PKEY_encrypt 3 ,
.Xr EVP_PKEY_meth_set_decrypt 3 ,
.Xr EVP_PKEY_sign 3 ,
.Xr EVP_PKEY_verify 3 ,
.Xr EVP_PKEY_verify_recover 3
