Fix Typos
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9288)
Antoine Cœur authored 4 years ago
Dr. Matthias St. Pierre committed 4 years ago
38 | 38 |
EVP_KDF_CTRL_SET_PBKDF2_PKCS5_MODE.
|
39 | 39 |
[Shane Lontis]
|
40 | 40 |
|
41 | |
*) Default cipher lists/suites are now avaialble via a function, the
|
|
41 |
*) Default cipher lists/suites are now available via a function, the
|
42 | 42 |
#defines are deprecated.
|
43 | 43 |
[Todd Short]
|
44 | 44 |
|
|
461 | 461 |
SSL_set_ciphersuites()
|
462 | 462 |
[Matt Caswell]
|
463 | 463 |
|
464 | |
*) Memory allocation failures consistenly add an error to the error
|
|
464 |
*) Memory allocation failures consistently add an error to the error
|
465 | 465 |
stack.
|
466 | 466 |
[Rich Salz]
|
467 | 467 |
|
0 | 0 |
#### iPhoneOS/iOS
|
1 | 1 |
#
|
2 | |
# It takes recent enough XCode to use following two targets. It shouldn't
|
|
2 |
# It takes recent enough Xcode to use following two targets. It shouldn't
|
3 | 3 |
# be a problem by now, but if they don't work, original targets below
|
4 | 4 |
# that depend on manual definition of environment variables should still
|
5 | 5 |
# work...
|
0 | 0 |
# Windows OneCore targets.
|
1 | 1 |
#
|
2 | |
# OneCore is new API stability "contract" that transends Desktop, IoT and
|
|
2 |
# OneCore is new API stability "contract" that transcends Desktop, IoT and
|
3 | 3 |
# Mobile[?] Windows editions. It's a set up "umbrella" libraries that
|
4 | 4 |
# export subset of Win32 API that are common to all Windows 10 devices.
|
5 | 5 |
#
|
21 | 21 |
our @generated =
|
22 | 22 |
sort ( ( grep { defined $unified_info{generate}->{$_} }
|
23 | 23 |
sort keys %generatables ),
|
24 | |
# Scripts are assumed to be generated, so add thhem too
|
|
24 |
# Scripts are assumed to be generated, so add them too
|
25 | 25 |
( grep { defined $unified_info{sources}->{$_} }
|
26 | 26 |
@{$unified_info{scripts}} ) );
|
27 | 27 |
|
837 | 837 |
goto done;
|
838 | 838 |
}
|
839 | 839 |
BIO_printf(bio_err, ", Salt length: %d, Cost(N): %ld, "
|
840 | |
"Block size(r): %ld, Paralelizm(p): %ld",
|
|
840 |
"Block size(r): %ld, Parallelism(p): %ld",
|
841 | 841 |
ASN1_STRING_length(kdf->salt),
|
842 | 842 |
ASN1_INTEGER_get(kdf->costParameter),
|
843 | 843 |
ASN1_INTEGER_get(kdf->blockSize),
|
1875 | 1875 |
}
|
1876 | 1876 |
|
1877 | 1877 |
buflen = lengths[size_num - 1];
|
1878 | |
if (buflen < 36) /* size of random vector in RSA bencmark */
|
|
1878 |
if (buflen < 36) /* size of random vector in RSA benchmark */
|
1879 | 1879 |
buflen = 36;
|
1880 | 1880 |
buflen += MAX_MISALIGNMENT + 1;
|
1881 | 1881 |
loopargs[i].buf_malloc = app_malloc(buflen, "input buffer");
|
124 | 124 |
}
|
125 | 125 |
/*
|
126 | 126 |
* If expected wasn't set at this point, it means the map
|
127 | |
* isn't syncronised with the possible options leading here.
|
|
127 |
* isn't synchronised with the possible options leading here.
|
128 | 128 |
*/
|
129 | 129 |
OPENSSL_assert(expected != 0);
|
130 | 130 |
}
|
42 | 42 |
An empty tree is represented by a NULL root pointer. Inserting a value at
|
43 | 43 |
index 0 results in the allocation of a top level node full of null pointers
|
44 | 44 |
except for the single pointer to the user's data (N = SA_BLOCK_MAX for
|
45 | |
breviety):
|
|
45 |
brevity):
|
46 | 46 |
|
47 | 47 |
+----+
|
48 | 48 |
|Root|
|
37 | 37 |
# Implement AES_set_[en|de]crypt_key. Key schedule setup is avoided
|
38 | 38 |
# for 128-bit keys, if hardware support is detected.
|
39 | 39 |
|
40 | |
# Januray 2009.
|
|
40 |
# January 2009.
|
41 | 41 |
#
|
42 | 42 |
# Add support for hardware AES192/256 and reschedule instructions to
|
43 | 43 |
# minimize/avoid Address Generation Interlock hazard and to favour
|
44 | 44 |
# dual-issue z10 pipeline. This gave ~25% improvement on z10 and
|
45 | 45 |
# almost 50% on z9. The gain is smaller on z10, because being dual-
|
46 | 46 |
# issue z10 makes it impossible to eliminate the interlock condition:
|
47 | |
# critial path is not long enough. Yet it spends ~24 cycles per byte
|
|
47 |
# critical path is not long enough. Yet it spends ~24 cycles per byte
|
48 | 48 |
# processed with 128-bit key.
|
49 | 49 |
#
|
50 | 50 |
# Unlike previous version hardware support detection takes place only
|
66 | 66 |
}
|
67 | 67 |
c = y / 100;
|
68 | 68 |
y %= 100;
|
69 | |
/* Zeller's congruance */
|
|
69 |
/* Zeller's congruence */
|
70 | 70 |
tm->tm_wday = (d + (13 * m) / 5 + y + y / 4 + c / 4 + 5 * c + 6) % 7;
|
71 | 71 |
}
|
72 | 72 |
|
783 | 783 |
* reasons. When BIO_CTRL_DGRAM_SET_PEEK_MODE was first defined its value
|
784 | 784 |
* was incorrectly clashing with BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE. The
|
785 | 785 |
* value has been updated to a non-clashing value. However to preserve
|
786 | |
* binary compatiblity we now respond to both the old value and the new one
|
|
786 |
* binary compatibility we now respond to both the old value and the new one
|
787 | 787 |
*/
|
788 | 788 |
case BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE:
|
789 | 789 |
case BIO_CTRL_DGRAM_SET_PEEK_MODE:
|
799 | 799 |
#if 0
|
800 | 800 |
/*
|
801 | 801 |
* The bn_div_3_words entry point is re-used for constant-time interface.
|
802 | |
* Implementation is retained as hystorical reference.
|
|
802 |
* Implementation is retained as historical reference.
|
803 | 803 |
*/
|
804 | 804 |
.align 5
|
805 | 805 |
.globl bn_div_3_words
|
257 | 257 |
*
|
258 | 258 |
* - availability of constant-time bn_div_3_words;
|
259 | 259 |
* - dividend is at least as "wide" as divisor, limb-wise, zero-padded
|
260 | |
* if so requied, which shouldn't be a privacy problem, because
|
|
260 |
* if so required, which shouldn't be a privacy problem, because
|
261 | 261 |
* divisor's length is considered public;
|
262 | 262 |
*/
|
263 | 263 |
int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num,
|
294 | 294 |
(b) > 23 ? 3 : 1)
|
295 | 295 |
|
296 | 296 |
/*
|
297 | |
* BN_mod_exp_mont_conttime is based on the assumption that the L1 data cache
|
|
297 |
* BN_mod_exp_mont_consttime is based on the assumption that the L1 data cache
|
298 | 298 |
* line width of the target processor is at least the following value.
|
299 | 299 |
*/
|
300 | 300 |
# define MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH ( 64 )
|
247 | 247 |
* one bit longer than the modulus.
|
248 | 248 |
*
|
249 | 249 |
* There are some concerns about the efficacy of doing this. More
|
250 | |
* specificly refer to the discussion starting with:
|
|
250 |
* specifically refer to the discussion starting with:
|
251 | 251 |
* https://github.com/openssl/openssl/pull/7486#discussion_r228323705
|
252 | 252 |
* The fix is to rework BN so these gymnastics aren't required.
|
253 | 253 |
*/
|
450 | 450 |
and $t0,$t0,$t1
|
451 | 451 |
sldi $a3,$a3,1
|
452 | 452 |
add $t0,$t0,$t1 # compare to modulus in the same go
|
453 | |
srdi $a3,$a3,1 # most signifcant bit cleared
|
|
453 |
srdi $a3,$a3,1 # most significant bit cleared
|
454 | 454 |
|
455 | 455 |
addc $a0,$a0,$t0
|
456 | 456 |
addze $a1,$a1
|
|
461 | 461 |
sradi $t0,$a3,63 # most significant bit -> mask
|
462 | 462 |
sldi $a3,$a3,1
|
463 | 463 |
andc $t0,$t1,$t0
|
464 | |
srdi $a3,$a3,1 # most signifcant bit cleared
|
|
464 |
srdi $a3,$a3,1 # most significant bit cleared
|
465 | 465 |
|
466 | 466 |
subi $rp,$rp,1
|
467 | 467 |
subfc $a0,$t0,$a0
|
153 | 153 |
int (*field_div) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
154 | 154 |
const BIGNUM *b, BN_CTX *);
|
155 | 155 |
/*-
|
156 | |
* 'field_inv' computes the multipicative inverse of a in the field,
|
|
156 |
* 'field_inv' computes the multiplicative inverse of a in the field,
|
157 | 157 |
* storing the result in r.
|
158 | 158 |
*
|
159 | 159 |
* If 'a' is zero (or equivalent), you'll get an EC_R_CANNOT_INVERT error.
|
1268 | 1268 |
* ffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb
|
1269 | 1269 |
* 71e913863f7, in that case the penultimate intermediate is -9G and
|
1270 | 1270 |
* the final digit is also -9G. Since this only happens for a single
|
1271 | |
* scalar, the timing leak is irrelevent. (Any attacker who wanted to
|
|
1271 |
* scalar, the timing leak is irrelevant. (Any attacker who wanted to
|
1272 | 1272 |
* check whether a secret scalar was that exact value, can already do
|
1273 | 1273 |
* so.)
|
1274 | 1274 |
*/
|
531 | 531 |
X509_ALGOR_set0(alg1, OBJ_nid2obj(NID_ED25519), V_ASN1_UNDEF, NULL);
|
532 | 532 |
if (alg2)
|
533 | 533 |
X509_ALGOR_set0(alg2, OBJ_nid2obj(NID_ED25519), V_ASN1_UNDEF, NULL);
|
534 | |
/* Algorithm idetifiers set: carry on as normal */
|
|
534 |
/* Algorithm identifiers set: carry on as normal */
|
535 | 535 |
return 3;
|
536 | 536 |
}
|
537 | 537 |
|
2438 | 2438 |
EVP_R_ONLY_ONESHOT_SUPPORTED:177:only oneshot supported
|
2439 | 2439 |
EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:150:\
|
2440 | 2440 |
operation not supported for this keytype
|
2441 | |
EVP_R_OPERATON_NOT_INITIALIZED:151:operaton not initialized
|
|
2441 |
EVP_R_OPERATON_NOT_INITIALIZED:151:operation not initialized
|
2442 | 2442 |
EVP_R_PARAMETER_TOO_LARGE:187:parameter too large
|
2443 | 2443 |
EVP_R_PARTIALLY_OVERLAPPING:162:partially overlapping buffers
|
2444 | 2444 |
EVP_R_PBKDF2_ERROR:181:pbkdf2 error
|
283 | 283 |
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),
|
284 | 284 |
"operation not supported for this keytype"},
|
285 | 285 |
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OPERATON_NOT_INITIALIZED),
|
286 | |
"operaton not initialized"},
|
|
286 |
"operation not initialized"},
|
287 | 287 |
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARAMETER_TOO_LARGE),
|
288 | 288 |
"parameter too large"},
|
289 | 289 |
{ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARTIALLY_OVERLAPPING),
|
138 | 138 |
* destructor for threads terminating before libcrypto is initialized or
|
139 | 139 |
* after it's de-initialized. Access to the key doesn't have to be
|
140 | 140 |
* serialized for the said threads, because they didn't use libcrypto
|
141 | |
* and it doesn't matter if they pick "impossible" or derefernce real
|
|
141 |
* and it doesn't matter if they pick "impossible" or dereference real
|
142 | 142 |
* key value and pull NULL past initialization in the first thread that
|
143 | 143 |
* intends to use libcrypto.
|
144 | 144 |
*/
|
18 | 18 |
|
19 | 19 |
/*
|
20 | 20 |
* A hashing implementation that appears to be based on the linear hashing
|
21 | |
* alogrithm:
|
|
21 |
* algorithm:
|
22 | 22 |
* https://en.wikipedia.org/wiki/Linear_hashing
|
23 | 23 |
*
|
24 | 24 |
* Litwin, Witold (1980), "Linear hashing: A new tool for file and table
|
25 | 25 |
* addressing", Proc. 6th Conference on Very Large Databases: 212-223
|
26 | |
* http://hackthology.com/pdfs/Litwin-1980-Linear_Hashing.pdf
|
|
26 |
* https://hackthology.com/pdfs/Litwin-1980-Linear_Hashing.pdf
|
27 | 27 |
*
|
28 | |
* From the wikipedia article "Linear hashing is used in the BDB Berkeley
|
|
28 |
* From the Wikipedia article "Linear hashing is used in the BDB Berkeley
|
29 | 29 |
* database system, which in turn is used by many software systems such as
|
30 | 30 |
* OpenLDAP, using a C implementation derived from the CACM article and first
|
31 | 31 |
* published on the Usenet in 1988 by Esmond Pitt."
|
968 | 968 |
addi $t1,$ctx,`48+(12^$BIG_ENDIAN)`
|
969 | 969 |
bl __poly1305_splat
|
970 | 970 |
|
971 | |
bl __poly1305_mul # caclulate r^2
|
|
971 |
bl __poly1305_mul # calculate r^2
|
972 | 972 |
addi $t1,$ctx,`48+(4^$BIG_ENDIAN)`
|
973 | 973 |
bl __poly1305_splat
|
974 | 974 |
|
975 | |
bl __poly1305_mul # caclulate r^3
|
|
975 |
bl __poly1305_mul # calculate r^3
|
976 | 976 |
addi $t1,$ctx,`48+(8^$BIG_ENDIAN)`
|
977 | 977 |
bl __poly1305_splat
|
978 | 978 |
|
979 | |
bl __poly1305_mul # caclulate r^4
|
|
979 |
bl __poly1305_mul # calculate r^4
|
980 | 980 |
addi $t1,$ctx,`48+(0^$BIG_ENDIAN)`
|
981 | 981 |
bl __poly1305_splat
|
982 | 982 |
|
545 | 545 |
/*
|
546 | 546 |
* NIST SP800-90Ar1 section 9.1 says you can combine getting the entropy
|
547 | 547 |
* and nonce in 1 call by increasing the entropy with 50% and increasing
|
548 | |
* the minimum length to accomadate the length of the nonce.
|
|
548 |
* the minimum length to accommodate the length of the nonce.
|
549 | 549 |
* We do this in case a nonce is require and get_nonce is NULL.
|
550 | 550 |
*/
|
551 | 551 |
if (drbg->min_noncelen > 0 && drbg->get_nonce == NULL) {
|
291 | 291 |
|
292 | 292 |
/* TODO(3.0): Do we need to handle this somehow in the FIPS module? */
|
293 | 293 |
/*
|
294 | |
* RAND_close_seed_files() ensures that any seed file decriptors are
|
|
294 |
* RAND_close_seed_files() ensures that any seed file descriptors are
|
295 | 295 |
* closed after use.
|
296 | 296 |
*/
|
297 | 297 |
void RAND_keep_random_devices_open(int keep)
|
255 | 255 |
*
|
256 | 256 |
* This strategy has the following goals:
|
257 | 257 |
*
|
258 | |
* 1. 1024-bit factors are effcient when using 3072 and 4096-bit key
|
|
258 |
* 1. 1024-bit factors are efficient when using 3072 and 4096-bit key
|
259 | 259 |
* 2. stay the same logic with normal 2-prime key
|
260 | 260 |
*/
|
261 | 261 |
bitse -= bitsr[i];
|
26 | 26 |
# over 2x than 32-bit code. X[16] resides on stack, but access to it
|
27 | 27 |
# is scheduled for L2 latency and staged through 32 least significant
|
28 | 28 |
# bits of %l0-%l7. The latter is done to achieve 32-/64-bit ABI
|
29 | |
# duality. Nevetheless it's ~40% faster than SHA256, which is pretty
|
|
29 |
# duality. Nevertheless it's ~40% faster than SHA256, which is pretty
|
30 | 30 |
# good [optimal coefficient is 50%].
|
31 | 31 |
#
|
32 | 32 |
# SHA512 on UltraSPARC T1.
|
312 | 312 |
|
313 | 313 |
/*
|
314 | 314 |
* B1: verify whether r' in [1,n-1], verification failed if not
|
315 | |
* B2: vefify whether s' in [1,n-1], verification failed if not
|
|
315 |
* B2: verify whether s' in [1,n-1], verification failed if not
|
316 | 316 |
* B3: set M'~=ZA || M'
|
317 | 317 |
* B4: calculate e'=Hv(M'~)
|
318 | 318 |
* B5: calculate t = (r' + s') modn, verification failed if t=0
|
319 | 319 |
* B6: calculate the point (x1', y1')=[s']G + [t]PA
|
320 | |
* B7: calculate R=(e'+x1') modn, verfication pass if yes, otherwise failed
|
|
320 |
* B7: calculate R=(e'+x1') modn, verification pass if yes, otherwise failed
|
321 | 321 |
*/
|
322 | 322 |
|
323 | 323 |
ECDSA_SIG_get0(sig, &r, &s);
|
12 | 12 |
#include "internal/sparse_array.h"
|
13 | 13 |
|
14 | 14 |
/*
|
15 | |
* How many bits are used to index each level in the tree structre?
|
|
15 |
* How many bits are used to index each level in the tree structure?
|
16 | 16 |
* This setting determines the number of pointers stored in each node of the
|
17 | 17 |
* tree used to represent the sparse array. Having more pointers reduces the
|
18 | 18 |
* depth of the tree but potentially wastes more memory. That is, this is a
|
171 | 171 |
typedef int (*file_eof_fn)(void *handler_ctx);
|
172 | 172 |
/*
|
173 | 173 |
* The destroy_ctx function is used to destroy the handler_ctx that was
|
174 | |
* intiated by a repeatable try_decode fuction. This is only used when
|
|
174 |
* initiated by a repeatable try_decode function. This is only used when
|
175 | 175 |
* the handler is marked repeatable.
|
176 | 176 |
*/
|
177 | 177 |
typedef void (*file_destroy_ctx_fn)(void **handler_ctx);
|
|
469 | 469 |
};
|
470 | 470 |
|
471 | 471 |
/*
|
472 | |
* Public key decoder. Only supports SubjectPublicKeyInfo formated keys.
|
|
472 |
* Public key decoder. Only supports SubjectPublicKeyInfo formatted keys.
|
473 | 473 |
*/
|
474 | 474 |
static OSSL_STORE_INFO *try_decode_PUBKEY(const char *pem_name,
|
475 | 475 |
const char *pem_header,
|
36 | 36 |
server-cmod.exe : server-cmod.obj
|
37 | 37 |
server-conf.exe : server-conf.obj
|
38 | 38 |
|
39 | |
# Stoopid MMS doesn't infer this automatically...
|
|
39 |
# MMS doesn't infer this automatically...
|
40 | 40 |
client-arg.obj : client-arg.c
|
41 | 41 |
client-conf.obj : client-conf.c
|
42 | 42 |
saccept.obj : saccept.c
|
83 | 83 |
EVP_CIPHER_CTX *ctx;
|
84 | 84 |
int outlen, tmplen, rv;
|
85 | 85 |
unsigned char outbuf[1024];
|
86 | |
printf("AES GCM Derypt:\n");
|
|
86 |
printf("AES GCM Decrypt:\n");
|
87 | 87 |
printf("Ciphertext:\n");
|
88 | 88 |
BIO_dump_fp(stdout, gcm_ct, sizeof(gcm_ct));
|
89 | 89 |
ctx = EVP_CIPHER_CTX_new();
|
28 | 28 |
library to be added and removed dynamically.
|
29 | 29 |
Each such data item must have a corresponding CRYPTO_EX_DATA index
|
30 | 30 |
associated with it. Unlike normal CRYPTO_EX_DATA objects we use static indexes
|
31 | |
to identify data items. These are mapped transparetnly to CRYPTO_EX_DATA dynamic
|
|
31 |
to identify data items. These are mapped transparently to CRYPTO_EX_DATA dynamic
|
32 | 32 |
indexes internally to the implementation.
|
33 | 33 |
See the example further down to see how that's done.
|
34 | 34 |
|
134 | 134 |
|
135 | 135 |
This function is expected to set the method's reference count to 1.
|
136 | 136 |
|
137 | |
=item desctruct()
|
|
137 |
=item destruct()
|
138 | 138 |
|
139 | 139 |
Decrement the I<method>'s reference count, and destruct it when
|
140 | 140 |
the reference count reaches zero.
|
140 | 140 |
|
141 | 141 |
=item *
|
142 | 142 |
|
143 | |
If no intialization function was given with ossl_provider_new(), a
|
|
143 |
If no initialization function was given with ossl_provider_new(), a
|
144 | 144 |
loadable module with the I<name> that was given to ossl_provider_new()
|
145 | 145 |
will be located and loaded, then the symbol B<OSSL_provider_init> will
|
146 | 146 |
be located in that module, and called.
|
75 | 75 |
|
76 | 76 |
=item B<cipher:string>
|
77 | 77 |
|
78 | |
Used by CMAC and GMAC to specifiy the cipher algorithm.
|
|
78 |
Used by CMAC and GMAC to specify the cipher algorithm.
|
79 | 79 |
For CMAC it must be one of AES-128-CBC, AES-192-CBC, AES-256-CBC or
|
80 | 80 |
DES-EDE3-CBC.
|
81 | 81 |
For GMAC it should be a GCM mode cipher e.g. AES-128-GCM.
|
129 | 129 |
functions free any existing value and set the pointer to the specified value.
|
130 | 130 |
|
131 | 131 |
The B<ADMISSION> type has an authority name, authority object, and a
|
132 | |
stack of B<PROFSSION_INFO> items.
|
|
132 |
stack of B<PROFESSION_INFO> items.
|
133 | 133 |
The ADMISSIONS_get0_admissionAuthority(), ADMISSIONS_get0_namingAuthority(),
|
134 | 134 |
and ADMISSIONS_get0_professionInfos()
|
135 | 135 |
functions return pointers to those values within the object.
|
108 | 108 |
flag set can have unexpected outcome when the reads and writes to the
|
109 | 109 |
BIO are intertwined. As documented above the BIO will be reset to the
|
110 | 110 |
state after the last completed write operation. The effects of reads
|
111 | |
preceeding that write operation cannot be undone.
|
|
111 |
preceding that write operation cannot be undone.
|
112 | 112 |
|
113 | 113 |
Calling BIO_get_mem_ptr() prior to a BIO_reset() call with
|
114 | 114 |
BIO_FLAGS_NONCLEAR_RST set has the same effect as a write operation.
|
34 | 34 |
|
35 | 35 |
The digest B<type> may be NULL if the signing algorithm supports it.
|
36 | 36 |
|
37 | |
No B<EVP_PKEY_CTX> will be created by EVP_DigsetSignInit() if the passed B<ctx>
|
|
37 |
No B<EVP_PKEY_CTX> will be created by EVP_DigestSignInit() if the passed B<ctx>
|
38 | 38 |
has already been assigned one via L<EVP_MD_CTX_set_ctx(3)>. See also L<SM2(7)>.
|
39 | 39 |
|
40 | 40 |
Only EVP_PKEY types that support signing can be used with these functions. This
|
31 | 31 |
inside EVP_DigestVerifyInit() and it will be freed automatically when the
|
32 | 32 |
EVP_MD_CTX is freed).
|
33 | 33 |
|
34 | |
No B<EVP_PKEY_CTX> will be created by EVP_DigsetSignInit() if the passed B<ctx>
|
|
34 |
No B<EVP_PKEY_CTX> will be created by EVP_DigestSignInit() if the passed B<ctx>
|
35 | 35 |
has already been assigned one via L<EVP_MD_CTX_set_ctx(3)>. See also L<SM2(7)>.
|
36 | 36 |
|
37 | 37 |
EVP_DigestVerifyUpdate() hashes B<cnt> bytes of data at B<d> into the
|
139 | 139 |
|
140 | 140 |
Where an application that previously used implicit fetch is converted to use
|
141 | 141 |
explicit fetch care should be taken with the L<EVP_MD_CTX_md(3)> function.
|
142 | |
Specifically, this function returns the EVP_MD object orginally passed to
|
|
142 |
Specifically, this function returns the EVP_MD object originally passed to
|
143 | 143 |
EVP_DigestInit_ex() (or other similar function). With implicit fetch the
|
144 | 144 |
returned EVP_MD object is guaranteed to be available throughout the application
|
145 | 145 |
lifetime. However, with explicit fetch EVP_MD objects are reference counted.
|
|
198 | 198 |
EVP_MD_meth_free(md);
|
199 | 199 |
|
200 | 200 |
Note that in the above example the property string "legacy=yes" is optional
|
201 | |
since, assuming no other providers have been loaded, the only implmentation of
|
|
201 |
since, assuming no other providers have been loaded, the only implementation of
|
202 | 202 |
the "whirlpool" algorithm is in the "legacy" provider. Also note that the
|
203 | 203 |
default provider should be explicitly loaded if it is required in addition to
|
204 | 204 |
other providers:
|
28 | 28 |
|
29 | 29 |
=item EVP_md5_sha1()
|
30 | 30 |
|
31 | |
A hash algorithm of SSL v3 that combines MD5 with SHA-1 as decirbed in RFC
|
|
31 |
A hash algorithm of SSL v3 that combines MD5 with SHA-1 as described in RFC
|
32 | 32 |
6101.
|
33 | 33 |
|
34 | 34 |
WARNING: this algorithm is not intended for non-SSL usage.
|
21 | 21 |
|
22 | 22 |
OSSL_CRMF_pbm_new() generates a PBM (Password-Based MAC) based on given PBM
|
23 | 23 |
parameters B<pbmp>, message B<msg>, and secret B<sec>, along with the respective
|
24 | |
lengths B<msglen> and B<seclen>. On success writes the adddress of the newly
|
|
24 |
lengths B<msglen> and B<seclen>. On success writes the address of the newly
|
25 | 25 |
allocated MAC via the B<mac> reference parameter and writes the length via the
|
26 | 26 |
B<maclen> reference parameter unless it its NULL.
|
27 | 27 |
|
185 | 185 |
The value is copied to the address B<val>.
|
186 | 186 |
Type coercion takes place as discussed in the NOTES section.
|
187 | 187 |
|
188 | |
OSSL_PARAM_set_TYPE() stores a value B<val> of type B<TYPE> into the paramter
|
|
188 |
OSSL_PARAM_set_TYPE() stores a value B<val> of type B<TYPE> into the parameter
|
189 | 189 |
B<p>.
|
190 | 190 |
Type coercion takes place as discussed in the NOTES section.
|
191 | 191 |
|
|
193 | 193 |
The BIGNUM referenced by B<val> is updated and is allocated if B<*val> is
|
194 | 194 |
B<NULL>.
|
195 | 195 |
|
196 | |
OSSL_PARAM_set_BN() stores the BIGNUM B<val> into the paramater B<p>.
|
|
196 |
OSSL_PARAM_set_BN() stores the BIGNUM B<val> into the parameter B<p>.
|
197 | 197 |
|
198 | 198 |
OSSL_PARAM_get_utf8_string() retrieves a UTF8 string from the parameter
|
199 | 199 |
pointed to by B<p>.
|
94 | 94 |
takes a B<UI_METHOD> and associated data, to be used any time
|
95 | 95 |
something needs to be prompted for.
|
96 | 96 |
Furthermore, this function is expected to initialize what needs to be
|
97 | |
initialized, to create a privata data store (B<OSSL_STORE_LOADER_CTX>, see
|
|
97 |
initialized, to create a private data store (B<OSSL_STORE_LOADER_CTX>, see
|
98 | 98 |
above), and to return it.
|
99 | 99 |
If something goes wrong, this function is expected to return NULL.
|
100 | 100 |
|
31 | 31 |
|
32 | 32 |
OSSL_STORE_supports_search() checks if the loader of the given OSSL_STORE
|
33 | 33 |
context supports the given search type.
|
34 | |
See L<OSSL_STORE_SEARCH/SUPPORED CRITERION TYPES> for information on the
|
|
34 |
See L<OSSL_STORE_SEARCH/SUPPORTED CRITERION TYPES> for information on the
|
35 | 35 |
supported search criterion types.
|
36 | 36 |
|
37 | 37 |
OSSL_STORE_expect() and OSSL_STORE_find I<must> be called before the first
|
110 | 110 |
The derivation function is disabled during initialization by calling the
|
111 | 111 |
RAND_DRBG_set() function with the RAND_DRBG_FLAG_CTR_NO_DF flag.
|
112 | 112 |
For more information on the derivation function and when it can be omitted,
|
113 | |
see [NIST SP 800-90A Rev. 1]. Roughly speeking it can be omitted if the random
|
|
113 |
see [NIST SP 800-90A Rev. 1]. Roughly speaking it can be omitted if the random
|
114 | 114 |
source has "full entropy", i.e., contains 8 bits of entropy per byte.
|
115 | 115 |
|
116 | 116 |
Even if a nonce is required, the B<get_nonce>() and B<cleanup_nonce>()
|
35 | 35 |
|
36 | 36 |
SSL_CTX_set_ciphersuites() is used to configure the available TLSv1.3
|
37 | 37 |
ciphersuites for B<ctx>. This is a simple colon (":") separated list of TLSv1.3
|
38 | |
ciphersuite names in order of perference. Valid TLSv1.3 ciphersuite names are:
|
|
38 |
ciphersuite names in order of preference. Valid TLSv1.3 ciphersuite names are:
|
39 | 39 |
|
40 | 40 |
=over 4
|
41 | 41 |
|
110 | 110 |
|
111 | 111 |
The SSL_set_srp_server_param_pw() function sets all SRP parameters for the
|
112 | 112 |
connection B<s> by generating a random salt and a password verifier.
|
113 | |
B<user> is the username, B<pass> the password and B<grp> the SRP group paramters
|
|
113 |
B<user> is the username, B<pass> the password and B<grp> the SRP group parameters
|
114 | 114 |
identifier for L<SRP_get_default_gN(3)>.
|
115 | 115 |
|
116 | 116 |
The SSL_get_srp_g() function returns the SRP group generator for B<s>, or from
|
5 | 5 |
SSL_SESSION_set1_hostname,
|
6 | 6 |
SSL_SESSION_get0_alpn_selected,
|
7 | 7 |
SSL_SESSION_set1_alpn_selected
|
8 | |
- get and set SNI and ALPN data ssociated with a session
|
|
8 |
- get and set SNI and ALPN data associated with a session
|
9 | 9 |
|
10 | 10 |
=head1 SYNOPSIS
|
11 | 11 |
|
124 | 124 |
=item E<lt> 0
|
125 | 125 |
|
126 | 126 |
The write operation was not successful, because either the connection was
|
127 | |
closed, an error occured or action must be taken by the calling process.
|
|
127 |
closed, an error occurred or action must be taken by the calling process.
|
128 | 128 |
Call SSL_get_error() with the return value to find out the reason.
|
129 | 129 |
|
130 | 130 |
=back
|
10 | 10 |
during the execution of a key establishment scheme) and fixedinfo.
|
11 | 11 |
SSKDF is also informally referred to as 'Concat KDF'.
|
12 | 12 |
|
13 | |
=head2 Auxilary function
|
|
13 |
=head2 Auxiliary function
|
14 | 14 |
|
15 | 15 |
The implementation uses a selectable auxiliary function H, which can be one of:
|
16 | 16 |
|
67 | 67 |
|
68 | 68 |
=over 4
|
69 | 69 |
|
70 | |
=item EVP_KDF_SSHKDF_TYPE_ININITAL_IV_CLI_TO_SRV
|
|
70 |
=item EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV
|
71 | 71 |
|
72 | 72 |
The Initial IV from client to server.
|
73 | 73 |
A single char of value 65 (ASCII char 'A').
|
74 | 74 |
|
75 | |
=item EVP_KDF_SSHKDF_TYPE_ININITAL_IV_SRV_TO_CLI
|
|
75 |
=item EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI
|
76 | 76 |
|
77 | 77 |
The Initial IV from server to client
|
78 | 78 |
A single char of value 66 (ASCII char 'B').
|
|
102 | 102 |
EVP_KDF_ctrl_str() type string: "type"
|
103 | 103 |
|
104 | 104 |
The value is a string of length one character. The only valid values
|
105 | |
are the numerical values of the ASCII caracters: "A" (65) to "F" (70).
|
|
105 |
are the numerical values of the ASCII characters: "A" (65) to "F" (70).
|
106 | 106 |
|
107 | 107 |
=back
|
108 | 108 |
|
|
141 | 141 |
if (EVP_KDF_CTX_set1_sshkdf_session_id(kctx, session_id, 32) <= 0)
|
142 | 142 |
/* Error */
|
143 | 143 |
if (EVP_KDF_CTX_set_sshkdf_type(kctx,
|
144 | |
EVP_KDF_SSHKDF_TYPE_ININITAL_IV_CLI_TO_SRV) <= 0)
|
|
144 |
EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV) <= 0)
|
145 | 145 |
/* Error */
|
146 | 146 |
if (EVP_KDF_derive(kctx, out, &outlen) <= 0)
|
147 | 147 |
/* Error */
|
70 | 70 |
|
71 | 71 |
=head1 NOTES
|
72 | 72 |
|
73 | |
X963KDF is very similar to the SSKDF that uses a digest as the auxilary function,
|
|
73 |
X963KDF is very similar to the SSKDF that uses a digest as the auxiliary function,
|
74 | 74 |
X963KDF appends the counter to the secret, whereas SSKDF prepends the counter.
|
75 | 75 |
|
76 | 76 |
A context for X963KDF can be obtained by calling:
|
67 | 67 |
match counts in favor of the algorithm.
|
68 | 68 |
More details about that in the B<Lookups> section.
|
69 | 69 |
A I<property query> is a sequence of comma separated property query clauses.
|
70 | |
The full syntax for property queries appears below, but the available syntatic
|
|
70 |
The full syntax for property queries appears below, but the available syntactic
|
71 | 71 |
features are:
|
72 | 72 |
|
73 | 73 |
=over 4
|
|
128 | 128 |
the local clause overrides the context clause.
|
129 | 129 |
|
130 | 130 |
It is possible for a local property query to remove a clause in the context
|
131 | |
property query by preceeding the property name with a '-'.
|
|
131 |
property query by preceding the property name with a '-'.
|
132 | 132 |
For example, a context property query that contains "fips=yes" would normally
|
133 | 133 |
result in implementations that have "fips=yes".
|
134 | 134 |
|
58 | 58 |
|
59 | 59 |
enum devcrypto_accelerated_t {
|
60 | 60 |
DEVCRYPTO_NOT_ACCELERATED = -1, /* software implemented */
|
61 | |
DEVCRYPTO_ACCELERATION_UNKNOWN = 0, /* acceleration support unkown */
|
|
61 |
DEVCRYPTO_ACCELERATION_UNKNOWN = 0, /* acceleration support unknown */
|
62 | 62 |
DEVCRYPTO_ACCELERATED = 1 /* hardware accelerated */
|
63 | 63 |
} accelerated;
|
64 | 64 |
|
27 | 27 |
int ossl_method_store_set_global_properties(OSSL_METHOD_STORE *store,
|
28 | 28 |
const char *prop_query);
|
29 | 29 |
|
30 | |
/* proeprty query cache functions */
|
|
30 |
/* property query cache functions */
|
31 | 31 |
int ossl_method_store_cache_get(OSSL_METHOD_STORE *store, int nid,
|
32 | 32 |
const char *prop_query, void **result);
|
33 | 33 |
int ossl_method_store_cache_set(OSSL_METHOD_STORE *store, int nid,
|
71 | 71 |
* function defined via DEFINE_ONCE_STATIC where both functions use the same
|
72 | 72 |
* CRYPTO_ONCE object to synchronise. Where an alternative initialiser function
|
73 | 73 |
* is used only one of the primary or the alternative initialiser function will
|
74 | |
* ever be called - and that function will be called exactly once. Definitition
|
|
74 |
* ever be called - and that function will be called exactly once. Definition
|
75 | 75 |
* of an alternative initialiser function MUST occur AFTER the definition of the
|
76 | |
* primiary initialiser function.
|
|
76 |
* primary initialiser function.
|
77 | 77 |
*
|
78 | 78 |
* Typical usage might be:
|
79 | 79 |
*
|
17 | 17 |
* if (var == NOT_YET_INITIALIZED)
|
18 | 18 |
* var = function_returning_same_value();
|
19 | 19 |
*
|
20 | |
* This does work provided that loads and stores are single-instuction
|
|
20 |
* This does work provided that loads and stores are single-instruction
|
21 | 21 |
* operations (and integer ones are on *all* supported platforms), but
|
22 | 22 |
* it upsets Thread Sanitizer. Suggested solution is
|
23 | 23 |
*
|
23 | 23 |
int expected_type; /* expected type after set/set_string_gmt */
|
24 | 24 |
int check_result; /* check result */
|
25 | 25 |
time_t t; /* expected time_t*/
|
26 | |
int cmp_result; /* compariston to baseline result */
|
27 | |
int convert_result; /* convertion result */
|
|
26 |
int cmp_result; /* comparison to baseline result */
|
|
27 |
int convert_result; /* conversion result */
|
28 | 28 |
};
|
29 | 29 |
|
30 | 30 |
static struct testdata tbl_testdata_pos[] = {
|
331 | 331 |
* Personalisation string tests
|
332 | 332 |
*/
|
333 | 333 |
|
334 | |
/* Test detection of too large personlisation string */
|
|
334 |
/* Test detection of too large personalisation string */
|
335 | 335 |
if (!init(drbg, td, &t)
|
336 | 336 |
|| RAND_DRBG_instantiate(drbg, td->pers, drbg->max_perslen + 1) > 0)
|
337 | 337 |
goto err;
|
95 | 95 |
|
96 | 96 |
/*
|
97 | 97 |
* Create the connection. We use "create_bare_ssl_connection" here so that
|
98 | |
* we can force the connection to not do "SSL_read" once partly conencted.
|
|
98 |
* we can force the connection to not do "SSL_read" once partly connected.
|
99 | 99 |
* We don't want to accidentally read the dummy records we injected because
|
100 | 100 |
* they will fail to decrypt.
|
101 | 101 |
*/
|
1177 | 1177 |
md = NULL;
|
1178 | 1178 |
|
1179 | 1179 |
/*
|
1180 | |
* Explicitly asking for the default implementation should succeeed except
|
|
1180 |
* Explicitly asking for the default implementation should succeed except
|
1181 | 1181 |
* in test 4 where the default provider is not loaded.
|
1182 | 1182 |
*/
|
1183 | 1183 |
md = EVP_MD_fetch(ctx, "SHA256", "default=yes");
|
45 | 45 |
double p2;
|
46 | 46 |
/*
|
47 | 47 |
* Documented as an arbitrarly large unsigned integer.
|
48 | |
* The data size must be large enough to accomodate.
|
|
48 |
* The data size must be large enough to accommodate.
|
49 | 49 |
* Assumed data type OSSL_PARAM_UNSIGNED_INTEGER
|
50 | 50 |
*/
|
51 | 51 |
BIGNUM *p3;
|
52 | 52 |
/*
|
53 | 53 |
* Documented as a C string.
|
54 | |
* The data size must be large enough to accomodate.
|
|
54 |
* The data size must be large enough to accommodate.
|
55 | 55 |
* Assumed data type OSSL_PARAM_UTF8_STRING
|
56 | 56 |
*/
|
57 | 57 |
char *p4;
|
|
292 | 292 |
|
293 | 293 |
/* In all our tests, these are variables that get manipulated as parameters
|
294 | 294 |
*
|
295 | |
* These arrays consistenly do nothing with the "p2" parameter, and
|
|
295 |
* These arrays consistently do nothing with the "p2" parameter, and
|
296 | 296 |
* always include a "foo" parameter. This is to check that the
|
297 | 297 |
* set_params and get_params calls ignore the lack of parameters that
|
298 | 298 |
* the application isn't interested in, as well as ignore parameters
|
1035 | 1035 |
/*
|
1036 | 1036 |
* We attempt to read some data on the client side which we expect to fail.
|
1037 | 1037 |
* This will ensure we have received the NewSessionTicket in TLSv1.3 where
|
1038 | |
* appropriate. We do this twice because there are 2 NewSesionTickets.
|
|
1038 |
* appropriate. We do this twice because there are 2 NewSessionTickets.
|
1039 | 1039 |
*/
|
1040 | 1040 |
for (i = 0; i < 2; i++) {
|
1041 | 1041 |
if (SSL_read_ex(clientssl, &buf, sizeof(buf), &readbytes) > 0) {
|
16 | 16 |
#define KEYLEN 16
|
17 | 17 |
|
18 | 18 |
/*
|
19 | |
* Based on the test vectors availble in:
|
|
19 |
* Based on the test vectors available in:
|
20 | 20 |
* https://tools.ietf.org/html/draft-ietf-tls-tls13-vectors-06
|
21 | 21 |
*/
|
22 | 22 |
|
164 | 164 |
|
165 | 165 |
=item B<create =E<gt> 0|1>
|
166 | 166 |
|
167 | |
When set to 1 (or any value that perl preceives as true), the subdirectory
|
|
167 |
When set to 1 (or any value that perl perceives as true), the subdirectory
|
168 | 168 |
will be created if it doesn't already exist. This happens before BLOCK
|
169 | 169 |
is executed.
|
170 | 170 |
|
171 | 171 |
=item B<cleanup =E<gt> 0|1>
|
172 | 172 |
|
173 | |
When set to 1 (or any value that perl preceives as true), the subdirectory
|
|
173 |
When set to 1 (or any value that perl perceives as true), the subdirectory
|
174 | 174 |
will be cleaned out and removed. This happens both before and after BLOCK
|
175 | 175 |
is executed.
|
176 | 176 |
|