mirror of
https://github.com/freebsd/freebsd-src
synced 2024-10-02 22:54:52 +00:00
openssl: Vendor import of OpenSSL-3.0.9
Summary:

Release notes can be found at
https://www.openssl.org/news/openssl-3.0-notes.html .

Obtained from: https://www.openssl.org/source/openssl-3.0.10.tar.gz

Test Plan:
```
$ git status
On branch vendor/openssl-3.0
Your branch is up to date with 'origin/vendor/openssl-3.0'.
nothing to commit, working tree clean
$ (cd ..; fetch https://www.openssl.org/source/openssl-${OSSLVER}.tar.gz https://www.openssl.org/source/openssl-${OSSLVER}.tar.gz.asc)
openssl-3.0.10.tar.gz 14 MB 15 MBps 01s
openssl-3.0.10.tar.gz.asc 833 B 11 MBps 00s
$ set | egrep '(XLIST|OSSLVER)='
OSSLVER=3.0.10
XLIST=FREEBSD-Xlist
$ gpg --list-keys
/home/khorben/.gnupg/pubring.kbx
--------------------------------
pub rsa4096 2011-03-01 [SCA]
DC34EE5DB2417BCC151E5100E5F8F8212F77A498
uid [ unknown] Willem Toorop <willem@nlnetlabs.nl>
sub rsa4096 2011-03-01 [E]
pub rsa4096 2014-10-04 [SC] [expires: 2024-01-30]
EFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5
uid [ unknown] OpenSSL security team <openssl-security@openssl.org>
uid [ unknown] OpenSSL OMC <openssl-omc@openssl.org>
uid [ unknown] OpenSSL Security <openssl-security@openssl.org>
sub rsa4096 2014-10-04 [E] [expires: 2024-01-30]
$ gpg --verify ../openssl-${OSSLVER}.tar.gz.asc ../openssl-${OSSLVER}.tar.gz
gpg: Signature made Tue Aug 1 15:47:28 2023 CEST
gpg: using RSA key EFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5
gpg: Good signature from "OpenSSL security team <openssl-security@openssl.org>" [unknown]
gpg: aka "OpenSSL OMC <openssl-omc@openssl.org>" [unknown]
gpg: aka "OpenSSL Security <openssl-security@openssl.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EFC0 A467 D613 CB83 C7ED 6D30 D894 E2CE 8B3D 79F5
$ tar -x -X $XLIST -f ../openssl-${OSSLVER}.tar.gz -C ..
$ rsync --exclude FREEBSD.* --delete -avzz ../openssl-${OSSLVER}/* .
[...]
$ diff -arq ../openssl-${OSSLVER} .
Only in .: .git
Only in .: FREEBSD-Xlist
Only in .: FREEBSD-upgrade
$ git status FREEBSD*
On branch vendor/openssl-3.0
Your branch is up to date with 'origin/vendor/openssl-3.0'.
nothing to commit, working tree clean
```

Subscribers: imp

Differential Revision: https://reviews.freebsd.org/D41293
This commit is contained in:
parent
b84c4564ef
commit
cf2fc1b0f5
66
CHANGES.md
66
CHANGES.md
|
@ -28,6 +28,64 @@ breaking changes, and mappings for the large list of deprecated functions.
|
|||
|
||||
[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
|
||||
|
||||
### Changes between 3.0.9 and 3.0.10 [1 Aug 2023]
|
||||
|
||||
* Fix excessive time spent checking DH q parameter value.
|
||||
|
||||
The function DH_check() performs various checks on DH parameters. After
|
||||
fixing CVE-2023-3446 it was discovered that a large q parameter value can
|
||||
also trigger an overly long computation during some of these checks.
|
||||
A correct q value, if present, cannot be larger than the modulus p
|
||||
parameter, thus it is unnecessary to perform these checks if q is larger
|
||||
than p.
|
||||
|
||||
If DH_check() is called with such q parameter value,
|
||||
DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally
|
||||
intensive checks are skipped.
|
||||
|
||||
([CVE-2023-3817])
|
||||
|
||||
*Tomáš Mráz*
|
||||
|
||||
* Fix DH_check() excessive time with over sized modulus.
|
||||
|
||||
The function DH_check() performs various checks on DH parameters. One of
|
||||
those checks confirms that the modulus ("p" parameter) is not too large.
|
||||
Trying to use a very large modulus is slow and OpenSSL will not normally use
|
||||
a modulus which is over 10,000 bits in length.
|
||||
|
||||
However the DH_check() function checks numerous aspects of the key or
|
||||
parameters that have been supplied. Some of those checks use the supplied
|
||||
modulus value even if it has already been found to be too large.
|
||||
|
||||
A new limit has been added to DH_check of 32,768 bits. Supplying a
|
||||
key/parameters with a modulus over this size will simply cause DH_check() to
|
||||
fail.
|
||||
|
||||
([CVE-2023-3446])
|
||||
|
||||
*Matt Caswell*
|
||||
|
||||
* Do not ignore empty associated data entries with AES-SIV.
|
||||
|
||||
The AES-SIV algorithm allows for authentication of multiple associated
|
||||
data entries along with the encryption. To authenticate empty data the
|
||||
application has to call `EVP_EncryptUpdate()` (or `EVP_CipherUpdate()`)
|
||||
with NULL pointer as the output buffer and 0 as the input buffer length.
|
||||
The AES-SIV implementation in OpenSSL just returns success for such call
|
||||
instead of performing the associated data authentication operation.
|
||||
The empty data thus will not be authenticated. ([CVE-2023-2975])
|
||||
|
||||
Thanks to Juerg Wullschleger (Google) for discovering the issue.
|
||||
|
||||
The fix changes the authentication tag value and the ciphertext for
|
||||
applications that use empty associated data entries with AES-SIV.
|
||||
To decrypt data encrypted with previous versions of OpenSSL the application
|
||||
has to skip calls to `EVP_DecryptUpdate()` for empty associated data
|
||||
entries.
|
||||
|
||||
*Tomáš Mráz*
|
||||
|
||||
### Changes between 3.0.8 and 3.0.9 [30 May 2023]
|
||||
|
||||
* Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
|
||||
|
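Review bot: The AES-SIV entry buries a wire-format change in the last paragraph of a bug description: the fix "changes the authentication tag value and the ciphertext" whenever an empty associated data entry is used. Suggest marking this as an incompatible change and noting that an application holding data written by an earlier release has to know which release produced it, since the stated workaround (skipping `EVP_DecryptUpdate()` for empty entries) applies only to ciphertext from previous versions.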
@ -42,7 +100,7 @@ breaking changes, and mappings for the large list of deprecated functions.
|
|||
IDENTIFIER to canonical numeric text form if the size of that OBJECT
|
||||
IDENTIFIER is 586 bytes or less, and fail otherwise.
|
||||
|
||||
The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT
|
||||
The basis for this restriction is [RFC 2578 (STD 58), section 3.5]. OBJECT
|
||||
IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at
|
||||
most 128 sub-identifiers, and that the maximum value that each sub-
|
||||
identifier may have is 2^32-1 (4294967295 decimal).
|
||||
|
@ -52,8 +110,6 @@ breaking changes, and mappings for the large list of deprecated functions.
|
|||
these restrictions may occupy is 32 * 128 / 7, which is approximately 586
|
||||
bytes.
|
||||
|
||||
Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
|
||||
|
||||
*Richard Levitte*
|
||||
|
||||
* Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which
|
||||
|
@ -19652,6 +19708,10 @@ ndif
|
|||
|
||||
<!-- Links -->
|
||||
|
||||
[CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
|
||||
[CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
|
||||
[CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
|
||||
[RFC 2578 (STD 58), section 3.5]: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
|
||||
[CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650
|
||||
[CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255
|
||||
[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
|
||||
|
|
|
@ -597,8 +597,7 @@ my @disable_cascades = (
|
|||
|
||||
"crypto-mdebug" => [ "crypto-mdebug-backtrace" ],
|
||||
|
||||
# If no modules, then no dynamic engines either
|
||||
"module" => [ "dynamic-engine" ],
|
||||
"module" => [ "dynamic-engine", "fips" ],
|
||||
|
||||
# Without shared libraries, dynamic engines aren't possible.
|
||||
# This is due to them having to link with libcrypto and register features
|
||||
|
@ -616,8 +615,6 @@ my @disable_cascades = (
|
|||
# or modules.
|
||||
"pic" => [ "shared", "module" ],
|
||||
|
||||
"module" => [ "fips", "dso" ],
|
||||
|
||||
"engine" => [ "dynamic-engine", grep(/eng$/, @disablables) ],
|
||||
"dynamic-engine" => [ "loadereng" ],
|
||||
"hw" => [ "padlockeng" ],
|
||||
|
|
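Review bot: The second `"module"` cascade dropped from `@disable_cascades` here was `"module" => [ "fips", "dso" ],`, while the merged entry earlier in the list is `"module" => [ "dynamic-engine", "fips" ],`, so "dso" is no longer a cascade of "module". If that is intentional, a comment next to the merged entry should say why; if not, "dso" needs to be carried over into it.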
18
INSTALL.md
18
INSTALL.md
|
@ -796,14 +796,22 @@ By default OpenSSL will attempt to stay in memory until the process exits.
|
|||
This is so that libcrypto and libssl can be properly cleaned up automatically
|
||||
via an `atexit()` handler. The handler is registered by libcrypto and cleans
|
||||
up both libraries. On some platforms the `atexit()` handler will run on unload of
|
||||
libcrypto (if it has been dynamically loaded) rather than at process exit. This
|
||||
option can be used to stop OpenSSL from attempting to stay in memory until the
|
||||
libcrypto (if it has been dynamically loaded) rather than at process exit.
|
||||
|
||||
This option can be used to stop OpenSSL from attempting to stay in memory until the
|
||||
process exits. This could lead to crashes if either libcrypto or libssl have
|
||||
already been unloaded at the point that the atexit handler is invoked, e.g. on a
|
||||
platform which calls `atexit()` on unload of the library, and libssl is unloaded
|
||||
before libcrypto then a crash is likely to happen. Applications can suppress
|
||||
running of the `atexit()` handler at run time by using the
|
||||
`OPENSSL_INIT_NO_ATEXIT` option to `OPENSSL_init_crypto()`.
|
||||
before libcrypto then a crash is likely to happen.
|
||||
|
||||
Note that shared library pinning is not automatically disabled for static builds,
|
||||
i.e., `no-shared` does not imply `no-pinshared`. This may come as a surprise when
|
||||
linking libcrypto statically into a shared third-party library, because in this
|
||||
case the shared library will be pinned. To prevent this behaviour, you need to
|
||||
configure the static build using `no-shared` and `no-pinshared` together.
|
||||
|
||||
Applications can suppress running of the `atexit()` handler at run time by
|
||||
using the `OPENSSL_INIT_NO_ATEXIT` option to `OPENSSL_init_crypto()`.
|
||||
See the man page for it for further details.
|
||||
|
||||
### no-posix-io
|
||||
|
|
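Review bot: The new closing sentence "See the man page for it for further details." leaves "it" ambiguous between the `OPENSSL_INIT_NO_ATEXIT` option and `OPENSSL_init_crypto()`. Naming the page, OPENSSL_init_crypto(3), would remove the guess.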
9
NEWS.md
9
NEWS.md
|
@ -18,6 +18,12 @@ OpenSSL Releases
|
|||
OpenSSL 3.0
|
||||
-----------
|
||||
|
||||
### Major changes between OpenSSL 3.0.9 and OpenSSL 3.0.10 [1 Aug 2023]
|
||||
|
||||
* Fix excessive time spent checking DH q parameter value ([CVE-2023-3817])
|
||||
* Fix DH_check() excessive time with over sized modulus ([CVE-2023-3446])
|
||||
* Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975])
|
||||
|
||||
### Major changes between OpenSSL 3.0.8 and OpenSSL 3.0.9 [30 May 2023]
|
||||
|
||||
* Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT
|
||||
|
@ -1442,6 +1448,9 @@ OpenSSL 0.9.x
|
|||
|
||||
<!-- Links -->
|
||||
|
||||
[CVE-2023-3817]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3817
|
||||
[CVE-2023-3446]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-3446
|
||||
[CVE-2023-2975]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2975
|
||||
[CVE-2023-2650]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-2650
|
||||
[CVE-2023-1255]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-1255
|
||||
[CVE-2023-0466]: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
|
||||
|
|
|
@ -2,7 +2,7 @@ OpenSSL FIPS support
|
|||
====================
|
||||
|
||||
This release of OpenSSL includes a cryptographic module that can be
|
||||
FIPS 140-2 validated. The module is implemented as an OpenSSL provider.
|
||||
FIPS validated. The module is implemented as an OpenSSL provider.
|
||||
A provider is essentially a dynamically loadable module which implements
|
||||
cryptographic algorithms, see the [README-PROVIDERS](README-PROVIDERS.md) file
|
||||
for further details.
|
||||
|
@ -28,8 +28,16 @@ resp. `fips.dll` (on Windows). The FIPS provider does not get built and
|
|||
installed automatically. To enable it, you need to configure OpenSSL using
|
||||
the `enable-fips` option.
|
||||
|
||||
Installing the FIPS module
|
||||
==========================
|
||||
Installing the FIPS provider
|
||||
============================
|
||||
|
||||
In order to be FIPS compliant you must only use FIPS validated source code.
|
||||
Refer to <https://www.openssl.org/source/> for information related to
|
||||
which versions are FIPS validated. The instructions given below build OpenSSL
|
||||
just using the FIPS validated source code.
|
||||
|
||||
If you want to use a validated FIPS provider, but also want to use the latest
|
||||
OpenSSL release to build everything else, then refer to the next section.
|
||||
|
||||
The following is only a guide.
|
||||
Please read the Security Policy for up to date installation instructions.
|
||||
|
@ -63,11 +71,12 @@ the installation by doing the following two things:
|
|||
|
||||
- Runs the FIPS module self tests
|
||||
- Generates the so-called FIPS module configuration file containing information
|
||||
about the module such as the self test status, and the module checksum.
|
||||
about the module such as the module checksum (and for OpenSSL 3.0 the
|
||||
self test status).
|
||||
|
||||
The FIPS module must have the self tests run, and the FIPS module config file
|
||||
output generated on every machine that it is to be used on. You must not copy
|
||||
the FIPS module config file output data from one machine to another.
|
||||
output generated on every machine that it is to be used on. For OpenSSL 3.0,
|
||||
you must not copy the FIPS module config file output data from one machine to another.
|
||||
|
||||
On Unix the `openssl fipsinstall` command will be invoked as follows by default:
|
||||
|
||||
|
@ -75,7 +84,80 @@ On Unix the `openssl fipsinstall` command will be invoked as follows by default:
|
|||
|
||||
If you configured OpenSSL to be installed to a different location, the paths will
|
||||
vary accordingly. In the rare case that you need to install the fipsmodule.cnf
|
||||
to non-standard location, you can execute the `openssl fipsinstall` command manually.
|
||||
to a non-standard location, you can execute the `openssl fipsinstall` command manually.
|
||||
|
||||
Installing the FIPS provider and using it with the latest release
|
||||
=================================================================
|
||||
|
||||
This normally requires you to download 2 copies of the OpenSSL source code.
|
||||
|
||||
Download and build a validated FIPS provider
|
||||
--------------------------------------------
|
||||
|
||||
Refer to <https://www.openssl.org/source/> for information related to
|
||||
which versions are FIPS validated. For this example we use OpenSSL 3.0.0.
|
||||
|
||||
$ wget https://www.openssl.org/source/openssl-3.0.0.tar.gz
|
||||
$ tar -xf openssl-3.0.0.tar.gz
|
||||
$ cd openssl-3.0.0
|
||||
$ ./Configure enable-fips
|
||||
$ make
|
||||
$ cd ..
|
||||
|
||||
Download and build the latest release of OpenSSL
|
||||
------------------------------------------------
|
||||
|
||||
We use OpenSSL 3.1.0 here, (but you could also use the latest 3.0.X)
|
||||
|
||||
$ wget https://www.openssl.org/source/openssl-3.1.0.tar.gz
|
||||
$ tar -xf openssl-3.1.0.tar.gz
|
||||
$ cd openssl-3.1.0
|
||||
$ ./Configure enable-fips
|
||||
$ make
|
||||
|
||||
Use the OpenSSL FIPS provider for testing
|
||||
-----------------------------------------
|
||||
|
||||
We do this by replacing the artifact for the OpenSSL 3.1.0 FIPS provider.
|
||||
Note that the OpenSSL 3.1.0 FIPS provider has not been validated
|
||||
so it must not be used for FIPS purposes.
|
||||
|
||||
$ cp ../openssl-3.0.0/providers/fips.so providers/.
|
||||
$ cp ../openssl-3.0.0/providers/fipsmodule.cnf providers/.
|
||||
// Note that for OpenSSL 3.0 that the `fipsmodule.cnf` file should not
|
||||
// be copied across multiple machines if it contains an entry for
|
||||
// `install-status`. (Otherwise the self tests would be skipped).
|
||||
|
||||
// Validate the output of the following to make sure we are using the
|
||||
// OpenSSL 3.0.0 FIPS provider
|
||||
$ ./util/wrap.pl -fips apps/openssl list -provider-path providers \
|
||||
-provider fips -providers
|
||||
|
||||
// Now run the current tests using the OpenSSL 3.0 FIPS provider.
|
||||
$ make tests
|
||||
|
||||
Copy the FIPS provider artifacts (`fips.so` & `fipsmodule.cnf`) to known locations
|
||||
-------------------------------------------------------------------------------------
|
||||
|
||||
$ cd ../openssl-3.0.0
|
||||
$ sudo make install_fips
|
||||
|
||||
Check that the correct FIPS provider is being used
|
||||
--------------------------------------------------
|
||||
|
||||
$./util/wrap.pl -fips apps/openssl list -provider-path providers \
|
||||
-provider fips -providers
|
||||
|
||||
// This should produce the following output
|
||||
Providers:
|
||||
base
|
||||
name: OpenSSL Base Provider
|
||||
version: 3.1.0
|
||||
status: active
|
||||
fips
|
||||
name: OpenSSL FIPS Provider
|
||||
version: 3.0.0
|
||||
status: active
|
||||
|
||||
Using the FIPS Module in applications
|
||||
=====================================
|
||||
|
|
|
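Review bot: Both download examples in the new "Installing the FIPS provider and using it with the latest release" section go straight from `wget` to `tar -xf` and `./Configure enable-fips`, with no step that checks the tarball's signature or checksum. For a procedure whose whole point is building a validated FIPS provider from known source, add a verification step between download and unpack. Smaller points in the same hunk: the command blocks mix `//` comment lines with `$` prompt lines, and the last `wrap.pl` invocation is written `$./util/wrap.pl` without a space after the prompt.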
@ -1,7 +1,7 @@
|
|||
MAJOR=3
|
||||
MINOR=0
|
||||
PATCH=9
|
||||
PATCH=10
|
||||
PRE_RELEASE_TAG=
|
||||
BUILD_METADATA=
|
||||
RELEASE_DATE="30 May 2023"
|
||||
RELEASE_DATE="1 Aug 2023"
|
||||
SHLIB_VERSION=3
|
||||
|
|
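Review bot: The commit subject says "Vendor import of OpenSSL-3.0.9", but this hunk sets `PATCH=10` and `RELEASE_DATE="1 Aug 2023"`, and the test plan fetches openssl-3.0.10.tar.gz. The subject should name 3.0.10 so the import can be found by version in the history.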
52
apps/ca.c
52
apps/ca.c
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -628,6 +628,8 @@ int ca_main(int argc, char **argv)
|
|||
|
||||
f = NCONF_get_string(conf, section, ENV_NAMEOPT);
|
||||
|
||||
if (f == NULL)
|
||||
ERR_clear_error();
|
||||
if (f != NULL) {
|
||||
if (!set_nameopt(f)) {
|
||||
BIO_printf(bio_err, "Invalid name options: \"%s\"\n", f);
|
||||
|
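Review bot: The added `ERR_clear_error()` after `NCONF_get_string(conf, section, ENV_NAMEOPT)` returns NULL empties the whole thread error queue, not only the entry pushed by the failed lookup, so any error queued earlier in `ca_main()` is discarded with it. Bracketing the optional lookup with `ERR_set_mark()` and `ERR_pop_to_mark()` would drop only the lookup's own error. The same applies to the other optional configuration lookups in `ca_main()` that this change handles the same way.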
@ -785,8 +787,10 @@ int ca_main(int argc, char **argv)
|
|||
/* We can have sections in the ext file */
|
||||
if (extensions == NULL) {
|
||||
extensions = NCONF_get_string(extfile_conf, "default", "extensions");
|
||||
if (extensions == NULL)
|
||||
if (extensions == NULL) {
|
||||
ERR_clear_error();
|
||||
extensions = "default";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -802,15 +806,20 @@ int ca_main(int argc, char **argv)
|
|||
/*
|
||||
* EVP_PKEY_get_default_digest_name() returns 2 if the digest is
|
||||
* mandatory for this algorithm.
|
||||
*
|
||||
* That call may give back the name "UNDEF", which has these meanings:
|
||||
*
|
||||
* when def_ret == 2: the user MUST leave the digest unspecified
|
||||
* when def_ret == 1: the user MAY leave the digest unspecified
|
||||
*/
|
||||
if (def_ret == 2 && strcmp(def_dgst, "UNDEF") == 0) {
|
||||
/* The signing algorithm requires there to be no digest */
|
||||
dgst = NULL;
|
||||
} else if (dgst == NULL
|
||||
&& (dgst = lookup_conf(conf, section, ENV_DEFAULT_MD)) == NULL) {
|
||||
&& (dgst = lookup_conf(conf, section, ENV_DEFAULT_MD)) == NULL
|
||||
&& strcmp(def_dgst, "UNDEF") != 0) {
|
||||
goto end;
|
||||
} else {
|
||||
if (strcmp(dgst, "default") == 0) {
|
||||
if (strcmp(dgst, "default") == 0 || strcmp(def_dgst, "UNDEF") == 0) {
|
||||
if (def_ret <= 0) {
|
||||
BIO_puts(bio_err, "no default digest\n");
|
||||
goto end;
|
||||
|
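Review bot: With the added `&& strcmp(def_dgst, "UNDEF") != 0` on the `else if`, the final `else` branch can be entered with `dgst` still NULL (no digest given, `lookup_conf()` returned NULL, and `def_dgst` is "UNDEF"), and the first test there is `strcmp(dgst, "default") == 0`, which then dereferences a NULL pointer. Evaluating `strcmp(def_dgst, "UNDEF") == 0` first, or guarding the first operand with `dgst != NULL`, avoids that.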
@ -824,6 +833,8 @@ int ca_main(int argc, char **argv)
|
|||
char *tmp_email_dn = NULL;
|
||||
|
||||
tmp_email_dn = NCONF_get_string(conf, section, ENV_DEFAULT_EMAIL_DN);
|
||||
if (tmp_email_dn == NULL)
|
||||
ERR_clear_error();
|
||||
if (tmp_email_dn != NULL && strcmp(tmp_email_dn, "no") == 0)
|
||||
email_dn = 0;
|
||||
}
|
||||
|
@ -839,6 +850,7 @@ int ca_main(int argc, char **argv)
|
|||
if (NCONF_get_string(conf, section, ENV_RAND_SERIAL) != NULL) {
|
||||
rand_ser = 1;
|
||||
} else {
|
||||
ERR_clear_error();
|
||||
serialfile = lookup_conf(conf, section, ENV_SERIAL);
|
||||
if (serialfile == NULL)
|
||||
goto end;
|
||||
|
@ -908,8 +920,10 @@ int ca_main(int argc, char **argv)
|
|||
}
|
||||
|
||||
if (days == 0) {
|
||||
if (!NCONF_get_number(conf, section, ENV_DEFAULT_DAYS, &days))
|
||||
if (!NCONF_get_number(conf, section, ENV_DEFAULT_DAYS, &days)) {
|
||||
ERR_clear_error();
|
||||
days = 0;
|
||||
}
|
||||
}
|
||||
if (enddate == NULL && days == 0) {
|
||||
BIO_printf(bio_err, "cannot lookup how many days to certify for\n");
|
||||
|
@ -1034,7 +1048,7 @@ int ca_main(int argc, char **argv)
|
|||
}
|
||||
}
|
||||
/*
|
||||
* we have a stack of newly certified certificates and a data base
|
||||
* we have a stack of newly certified certificates and a database
|
||||
* and serial number that need updating
|
||||
*/
|
||||
|
||||
|
@ -1135,7 +1149,7 @@ int ca_main(int argc, char **argv)
|
|||
if (!rotate_index(dbfile, "new", "old"))
|
||||
goto end;
|
||||
|
||||
BIO_printf(bio_err, "Data Base Updated\n");
|
||||
BIO_printf(bio_err, "Database updated\n");
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1161,22 +1175,28 @@ int ca_main(int argc, char **argv)
|
|||
}
|
||||
}
|
||||
|
||||
if ((crlnumberfile = NCONF_get_string(conf, section, ENV_CRLNUMBER))
|
||||
!= NULL)
|
||||
crlnumberfile = NCONF_get_string(conf, section, ENV_CRLNUMBER);
|
||||
if (crlnumberfile != NULL) {
|
||||
if ((crlnumber = load_serial(crlnumberfile, NULL, 0, NULL))
|
||||
== NULL) {
|
||||
BIO_printf(bio_err, "error while loading CRL number\n");
|
||||
goto end;
|
||||
}
|
||||
} else {
|
||||
ERR_clear_error();
|
||||
}
|
||||
|
||||
if (!crldays && !crlhours && !crlsec) {
|
||||
if (!NCONF_get_number(conf, section,
|
||||
ENV_DEFAULT_CRL_DAYS, &crldays))
|
||||
ENV_DEFAULT_CRL_DAYS, &crldays)) {
|
||||
ERR_clear_error();
|
||||
crldays = 0;
|
||||
}
|
||||
if (!NCONF_get_number(conf, section,
|
||||
ENV_DEFAULT_CRL_HOURS, &crlhours))
|
||||
ENV_DEFAULT_CRL_HOURS, &crlhours)) {
|
||||
ERR_clear_error();
|
||||
crlhours = 0;
|
||||
ERR_clear_error();
|
||||
}
|
||||
}
|
||||
if ((crl_nextupdate == NULL) &&
|
||||
(crldays == 0) && (crlhours == 0) && (crlsec == 0)) {
|
||||
|
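Review bot: In the `ENV_DEFAULT_CRL_HOURS` branch `ERR_clear_error()` appears twice, once before and once after `crlhours = 0;`, while the `ENV_DEFAULT_CRL_DAYS` branch has it once. One of the two calls looks redundant; dropping it would make the two branches read the same.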
@ -1316,7 +1336,7 @@ int ca_main(int argc, char **argv)
|
|||
if (!rotate_index(dbfile, "new", "old"))
|
||||
goto end;
|
||||
|
||||
BIO_printf(bio_err, "Data Base Updated\n");
|
||||
BIO_printf(bio_err, "Database updated\n");
|
||||
}
|
||||
}
|
||||
ret = 0;
|
||||
|
@ -1758,7 +1778,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
|
|||
|
||||
if (verbose)
|
||||
BIO_printf(bio_err,
|
||||
"The subject name appears to be ok, checking data base for clashes\n");
|
||||
"The subject name appears to be ok, checking database for clashes\n");
|
||||
|
||||
/* Build the correct Subject if no e-mail is wanted in the subject. */
|
||||
if (!email_dn) {
|
||||
|
@ -1847,7 +1867,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
|
|||
else if (rrow[DB_type][0] == DB_TYPE_VAL)
|
||||
p = "Valid";
|
||||
else
|
||||
p = "\ninvalid type, Data base error\n";
|
||||
p = "\ninvalid type, Database error\n";
|
||||
BIO_printf(bio_err, "Type :%s\n", p);;
|
||||
if (rrow[DB_type][0] == DB_TYPE_REV) {
|
||||
p = rrow[DB_exp_date];
|
||||
|
|
|
@ -2115,7 +2115,7 @@ static const char *prev_item(const char *opt, const char *end)
|
|||
beg = end;
|
||||
while (beg > opt) {
|
||||
--beg;
|
||||
if (beg[0] == ',' || isspace(beg[0])) {
|
||||
if (beg[0] == ',' || isspace(_UC(beg[0]))) {
|
||||
++beg;
|
||||
break;
|
||||
}
|
||||
|
@ -2130,7 +2130,7 @@ static const char *prev_item(const char *opt, const char *end)
|
|||
opt_item[len] = '\0';
|
||||
while (beg > opt) {
|
||||
--beg;
|
||||
if (beg[0] != ',' && !isspace(beg[0])) {
|
||||
if (beg[0] != ',' && !isspace(_UC(beg[0]))) {
|
||||
++beg;
|
||||
break;
|
||||
}
|
||||
|
@ -2148,6 +2148,7 @@ static char *conf_get_string(const CONF *src_conf, const char *groups,
|
|||
while ((end = prev_item(groups, end)) != NULL) {
|
||||
if ((res = NCONF_get_string(src_conf, opt_item, name)) != NULL)
|
||||
return res;
|
||||
ERR_clear_error();
|
||||
}
|
||||
return res;
|
||||
}
|
||||
|
|
25
apps/cms.c
25
apps/cms.c
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -796,6 +796,9 @@ int cms_main(int argc, char **argv)
|
|||
if ((operation & SMIME_IP) == 0 && contfile != NULL)
|
||||
BIO_printf(bio_err,
|
||||
"Warning: -contfile option is ignored for the given operation\n");
|
||||
if (operation != SMIME_ENCRYPT && *argv != NULL)
|
||||
BIO_printf(bio_err,
|
||||
"Warning: recipient certificate file parameters ignored for operation other than -encrypt\n");
|
||||
|
||||
if ((flags & CMS_BINARY) != 0) {
|
||||
if (!(operation & SMIME_OP))
|
||||
|
@ -823,19 +826,13 @@ int cms_main(int argc, char **argv)
|
|||
goto end;
|
||||
}
|
||||
|
||||
if (*argv != NULL) {
|
||||
if (operation == SMIME_ENCRYPT) {
|
||||
for (; *argv != NULL; argv++) {
|
||||
cert = load_cert(*argv, FORMAT_UNDEF,
|
||||
"recipient certificate file");
|
||||
if (cert == NULL)
|
||||
goto end;
|
||||
sk_X509_push(encerts, cert);
|
||||
cert = NULL;
|
||||
}
|
||||
} else {
|
||||
BIO_printf(bio_err, "Warning: recipient certificate file parameters ignored for operation other than -encrypt\n");
|
||||
}
|
||||
for (; *argv != NULL; argv++) {
|
||||
cert = load_cert(*argv, FORMAT_UNDEF,
|
||||
"recipient certificate file");
|
||||
if (cert == NULL)
|
||||
goto end;
|
||||
sk_X509_push(encerts, cert);
|
||||
cert = NULL;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -638,13 +638,13 @@ void *app_malloc(size_t sz, const char *what)
|
|||
char *next_item(char *opt) /* in list separated by comma and/or space */
|
||||
{
|
||||
/* advance to separator (comma or whitespace), if any */
|
||||
while (*opt != ',' && !isspace(*opt) && *opt != '\0')
|
||||
while (*opt != ',' && !isspace(_UC(*opt)) && *opt != '\0')
|
||||
opt++;
|
||||
if (*opt != '\0') {
|
||||
/* terminate current item */
|
||||
*opt++ = '\0';
|
||||
/* skip over any whitespace after separator */
|
||||
while (isspace(*opt))
|
||||
while (isspace(_UC(*opt)))
|
||||
opt++;
|
||||
}
|
||||
return *opt == '\0' ? NULL : opt; /* NULL indicates end of input */
|
||||
|
@ -1679,7 +1679,10 @@ CA_DB *load_index(const char *dbfile, DB_ATTR *db_attr)
|
|||
char *p = NCONF_get_string(dbattr_conf, NULL, "unique_subject");
|
||||
if (p) {
|
||||
retdb->attributes.unique_subject = parse_yesno(p, 1);
|
||||
} else {
|
||||
ERR_clear_error();
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
retdb->dbfname = OPENSSL_strdup(dbfile);
|
||||
|
@ -2008,7 +2011,8 @@ int bio_to_mem(unsigned char **out, int maxlen, BIO *in)
|
|||
BIO_free(mem);
|
||||
return -1;
|
||||
}
|
||||
maxlen -= len;
|
||||
if (maxlen != -1)
|
||||
maxlen -= len;
|
||||
|
||||
if (maxlen == 0)
|
||||
break;
|
||||
|
|
|
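Review bot: `if (maxlen != -1)` before `maxlen -= len;` turns -1 into a sentinel meaning "no limit", but nothing in the hunk documents that, and `if (maxlen == 0) break;` is then the only stop condition tied to `maxlen`. Add a comment on `bio_to_mem()` stating that -1 means unlimited, and either define or reject other negative values.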
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -421,7 +421,7 @@ int pkeyutl_main(int argc, char **argv)
|
|||
/* Raw input data is handled elsewhere */
|
||||
if (in != NULL && !rawin) {
|
||||
/* Read the input data */
|
||||
buf_inlen = bio_to_mem(&buf_in, keysize * 10, in);
|
||||
buf_inlen = bio_to_mem(&buf_in, -1, in);
|
||||
if (buf_inlen < 0) {
|
||||
BIO_printf(bio_err, "Error reading input Data\n");
|
||||
goto end;
|
||||
|
|
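Review bot: Replacing `keysize * 10` with `-1` in `bio_to_mem(&buf_in, -1, in)` removes the size cap on non-raw input, so `pkeyutl` now buffers whatever the input BIO delivers into memory. If the old cap was too small for some operation, a larger explicit bound would keep memory use predictable; at minimum the "Read the input data" comment should say the read is now unbounded.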
10
apps/req.c
10
apps/req.c
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -199,7 +199,7 @@ static int duplicated(LHASH_OF(OPENSSL_STRING) *addexts, char *kv)
|
|||
|
||||
/* Check syntax. */
|
||||
/* Skip leading whitespace, make a copy. */
|
||||
while (*kv && isspace(*kv))
|
||||
while (*kv && isspace(_UC(*kv)))
|
||||
if (*++kv == '\0')
|
||||
return 1;
|
||||
if ((p = strchr(kv, '=')) == NULL)
|
||||
|
@ -210,7 +210,7 @@ static int duplicated(LHASH_OF(OPENSSL_STRING) *addexts, char *kv)
|
|||
|
||||
/* Skip trailing space before the equal sign. */
|
||||
for (p = kv + off; p > kv; --p)
|
||||
if (!isspace(p[-1]))
|
||||
if (!isspace(_UC(p[-1])))
|
||||
break;
|
||||
if (p == kv) {
|
||||
OPENSSL_free(kv);
|
||||
|
@ -635,8 +635,10 @@ int req_main(int argc, char **argv)
|
|||
if (newreq && pkey == NULL) {
|
||||
app_RAND_load_conf(req_conf, section);
|
||||
|
||||
if (!NCONF_get_number(req_conf, section, BITS, &newkey_len))
|
||||
if (!NCONF_get_number(req_conf, section, BITS, &newkey_len)) {
|
||||
ERR_clear_error();
|
||||
newkey_len = DEFAULT_KEY_LENGTH;
|
||||
}
|
||||
|
||||
genctx = set_keygen_ctx(keyalg, &keyalgstr, &newkey_len, gen_eng);
|
||||
if (genctx == NULL)
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2005 Nokia. All rights reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
|
@ -2271,7 +2271,7 @@ int s_client_main(int argc, char **argv)
|
|||
do {
|
||||
mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
|
||||
}
|
||||
while (mbuf_len > 3 && (!isdigit(mbuf[0]) || !isdigit(mbuf[1]) || !isdigit(mbuf[2]) || mbuf[3] != ' '));
|
||||
while (mbuf_len > 3 && (!isdigit((unsigned char)mbuf[0]) || !isdigit((unsigned char)mbuf[1]) || !isdigit((unsigned char)mbuf[2]) || mbuf[3] != ' '));
|
||||
(void)BIO_flush(fbio);
|
||||
BIO_pop(fbio);
|
||||
BIO_free(fbio);
|
||||
|
|
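Review bot: The ctype fix in this `while` condition is spelled as `(unsigned char)mbuf[0]` casts, whereas the other files in this change use the `_UC()` macro for the same purpose (for example `isspace(_UC(*opt))`). One form throughout would be easier to audit, and the condition is long enough that it should be wrapped across lines.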
30
apps/speed.c
30
apps/speed.c
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
|
@ -1005,6 +1005,13 @@ static int EdDSA_sign_loop(void *args)
|
|||
int ret, count;
|
||||
|
||||
for (count = 0; COND(eddsa_c[testnum][0]); count++) {
|
||||
ret = EVP_DigestSignInit(edctx[testnum], NULL, NULL, NULL, NULL);
|
||||
if (ret == 0) {
|
||||
BIO_printf(bio_err, "EdDSA sign init failure\n");
|
||||
ERR_print_errors(bio_err);
|
||||
count = -1;
|
||||
break;
|
||||
}
|
||||
ret = EVP_DigestSign(edctx[testnum], eddsasig, eddsasigsize, buf, 20);
|
||||
if (ret == 0) {
|
||||
BIO_printf(bio_err, "EdDSA sign failure\n");
|
||||
|
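Review bot: The added `EVP_DigestSignInit()` call sits inside the counted `for (count = 0; COND(eddsa_c[testnum][0]); count++)` loop, so every iteration now includes context initialisation as well as `EVP_DigestSign()`. That changes what the EdDSA sign figure measures compared with earlier releases; a comment explaining why the context must be re-initialised per iteration would help anyone comparing results.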
@ -1026,6 +1033,13 @@ static int EdDSA_verify_loop(void *args)
|
|||
int ret, count;
|
||||
|
||||
for (count = 0; COND(eddsa_c[testnum][1]); count++) {
|
||||
ret = EVP_DigestVerifyInit(edctx[testnum], NULL, NULL, NULL, NULL);
|
||||
if (ret == 0) {
|
||||
BIO_printf(bio_err, "EdDSA verify init failure\n");
|
||||
ERR_print_errors(bio_err);
|
||||
count = -1;
|
||||
break;
|
||||
}
|
||||
ret = EVP_DigestVerify(edctx[testnum], eddsasig, eddsasigsize, buf, 20);
|
||||
if (ret != 1) {
|
||||
BIO_printf(bio_err, "EdDSA verify failure\n");
|
||||
|
@ -3133,12 +3147,22 @@ int speed_main(int argc, char **argv)
|
|||
}
|
||||
|
||||
for (k = 0; k < ALGOR_NUM; k++) {
|
||||
const char *alg_name = names[k];
|
||||
|
||||
if (!doit[k])
|
||||
continue;
|
||||
|
||||
if (k == D_EVP) {
|
||||
if (evp_cipher == NULL)
|
||||
alg_name = evp_md_name;
|
||||
else if ((alg_name = EVP_CIPHER_get0_name(evp_cipher)) == NULL)
|
||||
app_bail_out("failed to get name of cipher '%s'\n", evp_cipher);
|
||||
}
|
||||
|
||||
if (mr)
|
||||
printf("+F:%u:%s", k, names[k]);
|
||||
printf("+F:%u:%s", k, alg_name);
|
||||
else
|
||||
printf("%-13s", names[k]);
|
||||
printf("%-13s", alg_name);
|
||||
for (testnum = 0; testnum < size_num; testnum++) {
|
||||
if (results[k][testnum] > 10000 && !mr)
|
||||
printf(" %11.2fk", results[k][testnum] / 1e3);
|
||||
|
|
|
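Review bot: in the `k == D_EVP` branch, `app_bail_out("failed to get name of cipher '%s'\n", evp_cipher);` passes `evp_cipher` to a `%s` conversion, but the same variable is handed to EVP_CIPHER_get0_name() on the line above, so it is a cipher object and not a C string. On the failure path this formats an arbitrary pointer as text. Drop the `%s` from the message or pass the cipher name the user supplied on the command line instead.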
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2004-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -137,7 +137,7 @@ const char *LP_find_file(LP_DIR_CTX **ctx, const char *directory)
|
|||
if ((*ctx)->expect_file_generations) {
|
||||
char *p = (*ctx)->entry_name + strlen((*ctx)->entry_name);
|
||||
|
||||
while(p > (*ctx)->entry_name && isdigit(p[-1]))
|
||||
while (p > (*ctx)->entry_name && isdigit((unsigned char)p[-1]))
|
||||
p--;
|
||||
if (p > (*ctx)->entry_name && p[-1] == ';')
|
||||
p[-1] = '\0';
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2008-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -516,6 +516,12 @@ int SMIME_crlf_copy(BIO *in, BIO *out, int flags)
|
|||
int len;
|
||||
char linebuf[MAX_SMLEN];
|
||||
int ret;
|
||||
|
||||
if (in == NULL || out == NULL) {
|
||||
ERR_raise(ERR_LIB_ASN1, ERR_R_PASSED_NULL_PARAMETER);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* Buffer output so we don't write one line at a time. This is useful
|
||||
* when streaming as we don't end up with one OCTET STRING per line.
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -44,7 +44,7 @@ void BN_RECP_CTX_free(BN_RECP_CTX *recp)
|
|||
|
||||
int BN_RECP_CTX_set(BN_RECP_CTX *recp, const BIGNUM *d, BN_CTX *ctx)
|
||||
{
|
||||
if (!BN_copy(&(recp->N), d))
|
||||
if (BN_is_zero(d) || !BN_copy(&(recp->N), d))
|
||||
return 0;
|
||||
BN_zero(&(recp->Nr));
|
||||
recp->num_bits = BN_num_bits(d);
|
||||
|
|
|
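Review bot: the new `BN_is_zero(d)` rejection in BN_RECP_CTX_set returns 0 without putting anything on the error queue, so a caller cannot tell a zero divisor from a failed BN_copy(). Split the condition and raise an error on the zero path (BN_R_DIV_BY_ZERO fits), and note in the function's documentation that a zero `d` is rejected.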
@ -142,10 +142,12 @@ CMS_EncryptedContentInfo *ossl_cms_get0_env_enc_content(const CMS_ContentInfo *c
|
|||
{
|
||||
switch (cms_get_enveloped_type(cms)) {
|
||||
case CMS_ENVELOPED_STANDARD:
|
||||
return cms->d.envelopedData->encryptedContentInfo;
|
||||
return cms->d.envelopedData == NULL ? NULL
|
||||
: cms->d.envelopedData->encryptedContentInfo;
|
||||
|
||||
case CMS_ENVELOPED_AUTH:
|
||||
return cms->d.authEnvelopedData->authEncryptedContentInfo;
|
||||
return cms->d.authEnvelopedData == NULL ? NULL
|
||||
: cms->d.authEnvelopedData->authEncryptedContentInfo;
|
||||
|
||||
default:
|
||||
return NULL;
|
||||
|
|
|
@ -76,6 +76,10 @@ CMS_ContentInfo *CMS_ContentInfo_new(void)
|
|||
void CMS_ContentInfo_free(CMS_ContentInfo *cms)
|
||||
{
|
||||
if (cms != NULL) {
|
||||
CMS_EncryptedContentInfo *ec = ossl_cms_get0_env_enc_content(cms);
|
||||
|
||||
if (ec != NULL)
|
||||
OPENSSL_clear_free(ec->key, ec->keylen);
|
||||
OPENSSL_free(cms->ctx.propq);
|
||||
ASN1_item_free((ASN1_VALUE *)cms, ASN1_ITEM_rptr(CMS_ContentInfo));
|
||||
}
|
||||
|
|
|
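Review bot: after `OPENSSL_clear_free(ec->key, ec->keylen);` the `ec->key` pointer is left dangling while ASN1_item_free() still walks the structure. Set `ec->key = NULL` and `ec->keylen = 0` straight after the wipe so nothing later in the free path can touch the released buffer, and add a comment saying why the content-encryption key is wiped here rather than by the item free.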
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -13,6 +13,7 @@
|
|||
#include <openssl/core_names.h>
|
||||
#include "crypto/asn1.h"
|
||||
#include "crypto/rsa.h"
|
||||
#include "crypto/evp.h"
|
||||
#include "cms_local.h"
|
||||
|
||||
static RSA_OAEP_PARAMS *rsa_oaep_decode(const X509_ALGOR *alg)
|
||||
|
@ -210,6 +211,16 @@ static int rsa_cms_sign(CMS_SignerInfo *si)
|
|||
if (pad_mode != RSA_PKCS1_PSS_PADDING)
|
||||
return 0;
|
||||
|
||||
if (evp_pkey_ctx_is_legacy(pkctx)) {
|
||||
/* No provider -> we cannot query it for algorithm ID. */
|
||||
ASN1_STRING *os = NULL;
|
||||
|
||||
os = ossl_rsa_ctx_to_pss_string(pkctx);
|
||||
if (os == NULL)
|
||||
return 0;
|
||||
return X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_PKEY_RSA_PSS), V_ASN1_SEQUENCE, os);
|
||||
}
|
||||
|
||||
params[0] = OSSL_PARAM_construct_octet_string(
|
||||
OSSL_SIGNATURE_PARAM_ALGORITHM_ID, aid, sizeof(aid));
|
||||
params[1] = OSSL_PARAM_construct_end();
|
||||
|
|
|
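Review bot: in the legacy branch of rsa_cms_sign, `return X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_PKEY_RSA_PSS), V_ASN1_SEQUENCE, os);` leaks `os` when X509_ALGOR_set0() fails, because ownership only passes to `alg` on success. The matching branch added to rsa_item_sign in this same import calls ASN1_STRING_free() on that path; do the same here. The `= NULL` initialiser on `os` is also redundant since it is assigned on the next statement.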
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -184,15 +184,21 @@ int CONF_modules_load_file_ex(OSSL_LIB_CTX *libctx, const char *filename,
|
|||
CONF *conf = NULL;
|
||||
int ret = 0, diagnostics = 0;
|
||||
|
||||
ERR_set_mark();
|
||||
|
||||
if (filename == NULL) {
|
||||
file = CONF_get1_default_config_file();
|
||||
if (file == NULL)
|
||||
goto err;
|
||||
if (*file == '\0') {
|
||||
/* Do not try to load an empty file name but do not error out */
|
||||
ret = 1;
|
||||
goto err;
|
||||
}
|
||||
} else {
|
||||
file = (char *)filename;
|
||||
}
|
||||
|
||||
ERR_set_mark();
|
||||
conf = NCONF_new_ex(libctx, NULL);
|
||||
if (conf == NULL)
|
||||
goto err;
|
||||
|
|
|
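Review bot: the new `*file == '\0'` branch makes an empty default config file name return success without loading anything, which is a behaviour change callers can observe and should be stated in the documentation for CONF_modules_load_file_ex. Also, `ERR_set_mark()` now runs before both `goto err` exits in the `filename == NULL` block, so confirm that the `err:` path (outside this hunk) pops or clears the mark on every route, including the `ret = 1` one.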
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -66,6 +66,8 @@ int ossl_config_int(const OPENSSL_INIT_SETTINGS *settings)
|
|||
|
||||
#ifndef OPENSSL_SYS_UEFI
|
||||
ret = CONF_modules_load_file(filename, appname, flags);
|
||||
#else
|
||||
ret = 1;
|
||||
#endif
|
||||
openssl_configured = 1;
|
||||
return ret;
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -142,6 +142,9 @@ int ossl_namemap_doall_names(const OSSL_NAMEMAP *namemap, int number,
|
|||
cbdata.number = number;
|
||||
cbdata.found = 0;
|
||||
|
||||
if (namemap == NULL)
|
||||
return 0;
|
||||
|
||||
/*
|
||||
* We collect all the names first under a read lock. Subsequently we call
|
||||
* the user function, so that we're not holding the read lock when in user
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -143,7 +143,7 @@ int DH_check(const DH *dh, int *ret)
|
|||
#ifdef FIPS_MODULE
|
||||
return DH_check_params(dh, ret);
|
||||
#else
|
||||
int ok = 0, r;
|
||||
int ok = 0, r, q_good = 0;
|
||||
BN_CTX *ctx = NULL;
|
||||
BIGNUM *t1 = NULL, *t2 = NULL;
|
||||
int nid = DH_get_nid((DH *)dh);
|
||||
|
@ -152,6 +152,13 @@ int DH_check(const DH *dh, int *ret)
|
|||
if (nid != NID_undef)
|
||||
return 1;
|
||||
|
||||
/* Don't do any checks at all with an excessively large modulus */
|
||||
if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
|
||||
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
|
||||
*ret = DH_MODULUS_TOO_LARGE | DH_CHECK_P_NOT_PRIME;
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (!DH_check_params(dh, ret))
|
||||
return 0;
|
||||
|
||||
|
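Review bot: the oversize-modulus exit sets `DH_CHECK_P_NOT_PRIME` in `*ret` although no primality test has run at that point. The comment only says that checks are skipped; add a sentence on why the not-prime flag is reported alongside `DH_MODULUS_TOO_LARGE`, and document the `OPENSSL_DH_CHECK_MAX_MODULUS_BITS` limit in the DH_check documentation, since callers validating peer-supplied parameters will now see a hard failure (return 0) rather than flags only.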
@ -165,6 +172,13 @@ int DH_check(const DH *dh, int *ret)
|
|||
goto err;
|
||||
|
||||
if (dh->params.q != NULL) {
|
||||
if (BN_ucmp(dh->params.p, dh->params.q) > 0)
|
||||
q_good = 1;
|
||||
else
|
||||
*ret |= DH_CHECK_INVALID_Q_VALUE;
|
||||
}
|
||||
|
||||
if (q_good) {
|
||||
if (BN_cmp(dh->params.g, BN_value_one()) <= 0)
|
||||
*ret |= DH_NOT_SUITABLE_GENERATOR;
|
||||
else if (BN_cmp(dh->params.g, dh->params.p) >= 0)
|
||||
|
|
|
@ -1675,6 +1675,7 @@ X509_R_CERTIFICATE_VERIFICATION_FAILED:139:certificate verification failed
|
|||
X509_R_CERT_ALREADY_IN_HASH_TABLE:101:cert already in hash table
|
||||
X509_R_CRL_ALREADY_DELTA:127:crl already delta
|
||||
X509_R_CRL_VERIFY_FAILURE:131:crl verify failure
|
||||
X509_R_DUPLICATE_ATTRIBUTE:140:duplicate attribute
|
||||
X509_R_ERROR_GETTING_MD_BY_NID:141:error getting md by nid
|
||||
X509_R_ERROR_USING_SIGINF_SET:142:error using siginf set
|
||||
X509_R_IDP_MISMATCH:128:idp mismatch
|
||||
|
|
|
@ -636,8 +636,8 @@ static int default_fixup_args(enum state state,
|
|||
ctx->p2, ctx->sz);
|
||||
case OSSL_PARAM_OCTET_STRING:
|
||||
return OSSL_PARAM_get_octet_string(ctx->params,
|
||||
ctx->p2, ctx->sz,
|
||||
&ctx->sz);
|
||||
&ctx->p2, ctx->sz,
|
||||
(size_t *)&ctx->p1);
|
||||
case OSSL_PARAM_OCTET_PTR:
|
||||
return OSSL_PARAM_get_octet_ptr(ctx->params,
|
||||
ctx->p2, &ctx->sz);
|
||||
|
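Review bot: in the `OSSL_PARAM_OCTET_STRING` case, `(size_t *)&ctx->p1` needs a cast to compile, which says `ctx->p1` is not declared as `size_t`. If it is a narrower type, OSSL_PARAM_get_octet_string() will store a full `size_t` through that pointer and overwrite whatever follows `p1` in the context. Receive the length in a local `size_t`, range-check it, and then assign it to `ctx->p1`.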
@ -685,7 +685,7 @@ static int default_fixup_args(enum state state,
|
|||
return OSSL_PARAM_set_octet_string(ctx->params, ctx->p2,
|
||||
size);
|
||||
case OSSL_PARAM_OCTET_PTR:
|
||||
return OSSL_PARAM_set_octet_ptr(ctx->params, ctx->p2,
|
||||
return OSSL_PARAM_set_octet_ptr(ctx->params, *(void **)ctx->p2,
|
||||
size);
|
||||
default:
|
||||
ERR_raise_data(ERR_LIB_EVP, ERR_R_UNSUPPORTED,
|
||||
|
@ -695,6 +695,9 @@ static int default_fixup_args(enum state state,
|
|||
translation->param_data_type);
|
||||
return 0;
|
||||
}
|
||||
} else if (state == PRE_PARAMS_TO_CTRL && ctx->action_type == GET) {
|
||||
if (translation->param_data_type == OSSL_PARAM_OCTET_PTR)
|
||||
ctx->p2 = &ctx->bufp;
|
||||
}
|
||||
}
|
||||
/* Any other combination is simply pass-through */
|
||||
|
@ -2254,7 +2257,7 @@ static const struct translation_st evp_pkey_ctx_translations[] = {
|
|||
OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, OSSL_PARAM_OCTET_STRING, NULL },
|
||||
{ GET, EVP_PKEY_RSA, 0, EVP_PKEY_OP_TYPE_CRYPT,
|
||||
EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, NULL, NULL,
|
||||
OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, OSSL_PARAM_OCTET_STRING, NULL },
|
||||
OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, OSSL_PARAM_OCTET_PTR, NULL },
|
||||
|
||||
{ SET, EVP_PKEY_RSA_PSS, 0, EVP_PKEY_OP_TYPE_GEN,
|
||||
EVP_PKEY_CTRL_MD, "rsa_pss_keygen_md", NULL,
|
||||
|
|
|
@ -231,13 +231,16 @@ int PKCS5_v2_PBKDF2_keyivgen_ex(EVP_CIPHER_CTX *ctx, const char *pass,
|
|||
goto err;
|
||||
}
|
||||
|
||||
(void)ERR_set_mark();
|
||||
prfmd = prfmd_fetch = EVP_MD_fetch(libctx, OBJ_nid2sn(hmac_md_nid), propq);
|
||||
if (prfmd == NULL)
|
||||
prfmd = EVP_get_digestbynid(hmac_md_nid);
|
||||
if (prfmd == NULL) {
|
||||
(void)ERR_clear_last_mark();
|
||||
ERR_raise(ERR_LIB_EVP, EVP_R_UNSUPPORTED_PRF);
|
||||
goto err;
|
||||
}
|
||||
(void)ERR_pop_to_mark();
|
||||
|
||||
if (kdf->salt->type != V_ASN1_OCTET_STRING) {
|
||||
ERR_raise(ERR_LIB_EVP, EVP_R_UNSUPPORTED_SALT_TYPE);
|
||||
|
|
|
@ -722,6 +722,7 @@ static void detect_foreign_key(EVP_PKEY *pkey)
|
|||
break;
|
||||
# ifndef OPENSSL_NO_EC
|
||||
case EVP_PKEY_SM2:
|
||||
break;
|
||||
case EVP_PKEY_EC:
|
||||
pkey->foreign = pkey->pkey.ec != NULL
|
||||
&& ossl_ec_key_is_foreign(pkey->pkey.ec);
|
||||
|
|
|
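Review bot: the new `case EVP_PKEY_SM2: break;` leaves `pkey->foreign` untouched for SM2 keys, while the `EVP_PKEY_EC` case right below it goes through ossl_ec_key_is_foreign(). Nothing in the hunk says why SM2 is exempt from that test. Add a comment on the SM2 case stating the reason, so the next reader does not take it for a missing fall-through.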
@ -22,6 +22,13 @@ static void init_pstring(char **pstr)
|
|||
}
|
||||
}
|
||||
|
||||
static void init_pint(int *pint)
|
||||
{
|
||||
if (pint != NULL) {
|
||||
*pint = 0;
|
||||
}
|
||||
}
|
||||
|
||||
static int copy_substring(char **dest, const char *start, const char *end)
|
||||
{
|
||||
return dest == NULL
|
||||
|
@ -54,6 +61,7 @@ int OSSL_parse_url(const char *url, char **pscheme, char **puser, char **phost,
|
|||
init_pstring(puser);
|
||||
init_pstring(phost);
|
||||
init_pstring(pport);
|
||||
init_pint(pport_num);
|
||||
init_pstring(ppath);
|
||||
init_pstring(pfrag);
|
||||
init_pstring(pquery);
|
||||
|
|
|
@ -14,6 +14,7 @@
|
|||
#include "internal/numbers.h"
|
||||
#include "internal/endian.h"
|
||||
|
||||
#ifndef OPENSSL_SYS_UEFI
|
||||
/*
|
||||
* Return the number of bits in the mantissa of a double. This is used to
|
||||
* shift a larger integral value to determine if it will exactly fit into a
|
||||
|
@ -23,6 +24,7 @@ static unsigned int real_shift(void)
|
|||
{
|
||||
return sizeof(double) == 4 ? 24 : 53;
|
||||
}
|
||||
#endif
|
||||
|
||||
OSSL_PARAM *OSSL_PARAM_locate(OSSL_PARAM *p, const char *key)
|
||||
{
|
||||
|
@ -342,8 +344,6 @@ OSSL_PARAM OSSL_PARAM_construct_ulong(const char *key, unsigned long int *buf)
|
|||
|
||||
int OSSL_PARAM_get_int32(const OSSL_PARAM *p, int32_t *val)
|
||||
{
|
||||
double d;
|
||||
|
||||
if (val == NULL || p == NULL )
|
||||
return 0;
|
||||
|
||||
|
@ -391,6 +391,9 @@ int OSSL_PARAM_get_int32(const OSSL_PARAM *p, int32_t *val)
|
|||
return general_get_int(p, val, sizeof(*val));
|
||||
|
||||
} else if (p->data_type == OSSL_PARAM_REAL) {
|
||||
#ifndef OPENSSL_SYS_UEFI
|
||||
double d;
|
||||
|
||||
switch (p->data_size) {
|
||||
case sizeof(double):
|
||||
d = *(const double *)p->data;
|
||||
|
@ -400,6 +403,7 @@ int OSSL_PARAM_get_int32(const OSSL_PARAM *p, int32_t *val)
|
|||
}
|
||||
break;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
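Review bot: with OPENSSL_SYS_UEFI defined, the `OSSL_PARAM_REAL` branch of OSSL_PARAM_get_int32 compiles to an empty block and drops to `return 0` with nothing on the error queue, so a caller sees a generic failure for what is really an unsupported data type on this platform. Add an `#else` arm that raises an unsupported-type error, and apply the same to the other integer getters and setters guarded in this file.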
@ -442,6 +446,7 @@ int OSSL_PARAM_set_int32(OSSL_PARAM *p, int32_t val)
|
|||
#endif
|
||||
return general_set_int(p, &val, sizeof(val));
|
||||
} else if (p->data_type == OSSL_PARAM_REAL) {
|
||||
#ifndef OPENSSL_SYS_UEFI
|
||||
p->return_size = sizeof(double);
|
||||
if (p->data == NULL)
|
||||
return 1;
|
||||
|
@ -450,6 +455,7 @@ int OSSL_PARAM_set_int32(OSSL_PARAM *p, int32_t val)
|
|||
*(double *)p->data = (double)val;
|
||||
return 1;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
@ -462,8 +468,6 @@ OSSL_PARAM OSSL_PARAM_construct_int32(const char *key, int32_t *buf)
|
|||
|
||||
int OSSL_PARAM_get_uint32(const OSSL_PARAM *p, uint32_t *val)
|
||||
{
|
||||
double d;
|
||||
|
||||
if (val == NULL || p == NULL)
|
||||
return 0;
|
||||
|
||||
|
@ -509,6 +513,9 @@ int OSSL_PARAM_get_uint32(const OSSL_PARAM *p, uint32_t *val)
|
|||
#endif
|
||||
return general_get_uint(p, val, sizeof(*val));
|
||||
} else if (p->data_type == OSSL_PARAM_REAL) {
|
||||
#ifndef OPENSSL_SYS_UEFI
|
||||
double d;
|
||||
|
||||
switch (p->data_size) {
|
||||
case sizeof(double):
|
||||
d = *(const double *)p->data;
|
||||
|
@ -518,6 +525,7 @@ int OSSL_PARAM_get_uint32(const OSSL_PARAM *p, uint32_t *val)
|
|||
}
|
||||
break;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
@ -564,6 +572,7 @@ int OSSL_PARAM_set_uint32(OSSL_PARAM *p, uint32_t val)
|
|||
#endif
|
||||
return general_set_uint(p, &val, sizeof(val));
|
||||
} else if (p->data_type == OSSL_PARAM_REAL) {
|
||||
#ifndef OPENSSL_SYS_UEFI
|
||||
p->return_size = sizeof(double);
|
||||
if (p->data == NULL)
|
||||
return 1;
|
||||
|
@ -572,6 +581,7 @@ int OSSL_PARAM_set_uint32(OSSL_PARAM *p, uint32_t val)
|
|||
*(double *)p->data = (double)val;
|
||||
return 1;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
@ -584,8 +594,6 @@ OSSL_PARAM OSSL_PARAM_construct_uint32(const char *key, uint32_t *buf)
|
|||
|
||||
int OSSL_PARAM_get_int64(const OSSL_PARAM *p, int64_t *val)
|
||||
{
|
||||
double d;
|
||||
|
||||
if (val == NULL || p == NULL )
|
||||
return 0;
|
||||
|
||||
|
@ -620,6 +628,9 @@ int OSSL_PARAM_get_int64(const OSSL_PARAM *p, int64_t *val)
|
|||
#endif
|
||||
return general_get_int(p, val, sizeof(*val));
|
||||
} else if (p->data_type == OSSL_PARAM_REAL) {
|
||||
#ifndef OPENSSL_SYS_UEFI
|
||||
double d;
|
||||
|
||||
switch (p->data_size) {
|
||||
case sizeof(double):
|
||||
d = *(const double *)p->data;
|
||||
|
@ -636,14 +647,13 @@ int OSSL_PARAM_get_int64(const OSSL_PARAM *p, int64_t *val)
|
|||
}
|
||||
break;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
int OSSL_PARAM_set_int64(OSSL_PARAM *p, int64_t val)
|
||||
{
|
||||
uint64_t u64;
|
||||
|
||||
if (p == NULL)
|
||||
return 0;
|
||||
p->return_size = 0;
|
||||
|
@ -686,6 +696,9 @@ int OSSL_PARAM_set_int64(OSSL_PARAM *p, int64_t val)
|
|||
#endif
|
||||
return general_set_int(p, &val, sizeof(val));
|
||||
} else if (p->data_type == OSSL_PARAM_REAL) {
|
||||
#ifndef OPENSSL_SYS_UEFI
|
||||
uint64_t u64;
|
||||
|
||||
p->return_size = sizeof(double);
|
||||
if (p->data == NULL)
|
||||
return 1;
|
||||
|
@ -698,6 +711,7 @@ int OSSL_PARAM_set_int64(OSSL_PARAM *p, int64_t val)
|
|||
}
|
||||
break;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
@ -709,8 +723,6 @@ OSSL_PARAM OSSL_PARAM_construct_int64(const char *key, int64_t *buf)
|
|||
|
||||
int OSSL_PARAM_get_uint64(const OSSL_PARAM *p, uint64_t *val)
|
||||
{
|
||||
double d;
|
||||
|
||||
if (val == NULL || p == NULL)
|
||||
return 0;
|
||||
|
||||
|
@ -750,6 +762,9 @@ int OSSL_PARAM_get_uint64(const OSSL_PARAM *p, uint64_t *val)
|
|||
#endif
|
||||
return general_get_uint(p, val, sizeof(*val));
|
||||
} else if (p->data_type == OSSL_PARAM_REAL) {
|
||||
#ifndef OPENSSL_SYS_UEFI
|
||||
double d;
|
||||
|
||||
switch (p->data_size) {
|
||||
case sizeof(double):
|
||||
d = *(const double *)p->data;
|
||||
|
@ -766,6 +781,7 @@ int OSSL_PARAM_get_uint64(const OSSL_PARAM *p, uint64_t *val)
|
|||
}
|
||||
break;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
@ -818,6 +834,7 @@ int OSSL_PARAM_set_uint64(OSSL_PARAM *p, uint64_t val)
|
|||
#endif
|
||||
return general_set_uint(p, &val, sizeof(val));
|
||||
} else if (p->data_type == OSSL_PARAM_REAL) {
|
||||
#ifndef OPENSSL_SYS_UEFI
|
||||
p->return_size = sizeof(double);
|
||||
switch (p->data_size) {
|
||||
case sizeof(double):
|
||||
|
@ -827,6 +844,7 @@ int OSSL_PARAM_set_uint64(OSSL_PARAM *p, uint64_t val)
|
|||
}
|
||||
break;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
@ -953,6 +971,7 @@ OSSL_PARAM OSSL_PARAM_construct_BN(const char *key, unsigned char *buf,
|
|||
buf, bsize);
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_SYS_UEFI
|
||||
int OSSL_PARAM_get_double(const OSSL_PARAM *p, double *val)
|
||||
{
|
||||
int64_t i64;
|
||||
|
@ -1073,6 +1092,7 @@ OSSL_PARAM OSSL_PARAM_construct_double(const char *key, double *buf)
|
|||
{
|
||||
return ossl_param_construct(key, OSSL_PARAM_REAL, buf, sizeof(double));
|
||||
}
|
||||
#endif
|
||||
|
||||
static int get_string_internal(const OSSL_PARAM *p, void **val,
|
||||
size_t *max_len, size_t *used_len,
|
||||
|
|
|
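Review bot: the `#ifndef OPENSSL_SYS_UEFI` opened before OSSL_PARAM_get_double closes here after OSSL_PARAM_construct_double, so the whole double API is compiled out on UEFI, but only the .c side of that is visible in this diff. Check that the public declarations carry the same guard; otherwise UEFI consumers compile against prototypes that fail at link time. The OSSL_PARAM documentation should also say that the real-number functions are unavailable on that target.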
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -108,15 +108,20 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
|
|||
X509_ALGOR_get0(&macoid, NULL, NULL, macalg);
|
||||
if (OBJ_obj2txt(md_name, sizeof(md_name), macoid, 0) < 0)
|
||||
return 0;
|
||||
|
||||
(void)ERR_set_mark();
|
||||
md = md_fetch = EVP_MD_fetch(p12->authsafes->ctx.libctx, md_name,
|
||||
p12->authsafes->ctx.propq);
|
||||
if (md == NULL)
|
||||
md = EVP_get_digestbynid(OBJ_obj2nid(macoid));
|
||||
|
||||
if (md == NULL) {
|
||||
(void)ERR_clear_last_mark();
|
||||
ERR_raise(ERR_LIB_PKCS12, PKCS12_R_UNKNOWN_DIGEST_ALGORITHM);
|
||||
return 0;
|
||||
}
|
||||
(void)ERR_pop_to_mark();
|
||||
|
||||
md_size = EVP_MD_get_size(md);
|
||||
md_nid = EVP_MD_get_type(md);
|
||||
if (md_size < 0)
|
||||
|
|
|
@ -120,6 +120,8 @@ void RAND_keep_random_devices_open(int keep)
|
|||
*/
|
||||
int RAND_poll(void)
|
||||
{
|
||||
static const char salt[] = "polling";
|
||||
|
||||
# ifndef OPENSSL_NO_DEPRECATED_3_0
|
||||
const RAND_METHOD *meth = RAND_get_rand_method();
|
||||
int ret = meth == RAND_OpenSSL();
|
||||
|
@ -148,14 +150,12 @@ int RAND_poll(void)
|
|||
ret = 1;
|
||||
err:
|
||||
ossl_rand_pool_free(pool);
|
||||
return ret;
|
||||
}
|
||||
return ret;
|
||||
# else
|
||||
static const char salt[] = "polling";
|
||||
# endif
|
||||
|
||||
RAND_seed(salt, sizeof(salt));
|
||||
return 1;
|
||||
# endif
|
||||
}
|
||||
|
||||
# ifndef OPENSSL_NO_DEPRECATED_3_0
|
||||
|
|
|
@ -21,10 +21,15 @@ SOURCE[../../libcrypto]=$RC4ASM
|
|||
|
||||
# When all deprecated symbols are removed, libcrypto doesn't export the
|
||||
# rc4 functions, so we must include them directly in liblegacy.a
|
||||
IF[{- $disabled{'deprecated-3.0'} && !$disabled{module} && !$disabled{shared} -}]
|
||||
IF[{- !$disabled{module} && !$disabled{shared} -}]
|
||||
SOURCE[../../providers/liblegacy.a]=$RC4ASM
|
||||
ENDIF
|
||||
|
||||
# Implementations are now spread across several libraries, so the defines
|
||||
# need to be applied to all affected libraries and modules.
|
||||
DEFINE[../../libcrypto]=$RC4DEF
|
||||
DEFINE[../../providers/liblegacy.a]=$RC4DEF
|
||||
|
||||
GENERATE[rc4-586.S]=asm/rc4-586.pl
|
||||
DEPEND[rc4-586.S]=../perlasm/x86asm.pl
|
||||
|
||||
|
|
|
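Review bot: the `IF` condition no longer tests `$disabled{'deprecated-3.0'}`, but the comment directly above it still reads "When all deprecated symbols are removed, libcrypto doesn't export the rc4 functions". The comment now describes a condition the build file does not check. Update it to say why $RC4ASM is added to liblegacy.a whenever modules and shared builds are enabled.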
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -641,6 +641,36 @@ static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, const void *asn,
|
|||
size_t aid_len = 0;
|
||||
OSSL_PARAM params[2];
|
||||
|
||||
if (evp_pkey_ctx_is_legacy(pkctx)) {
|
||||
/* No provider -> we cannot query it for algorithm ID. */
|
||||
ASN1_STRING *os1 = NULL;
|
||||
|
||||
os1 = ossl_rsa_ctx_to_pss_string(pkctx);
|
||||
if (os1 == NULL)
|
||||
return 0;
|
||||
/* Duplicate parameters if we have to */
|
||||
if (alg2 != NULL) {
|
||||
ASN1_STRING *os2 = ASN1_STRING_dup(os1);
|
||||
|
||||
if (os2 == NULL) {
|
||||
ASN1_STRING_free(os1);
|
||||
return 0;
|
||||
}
|
||||
if (!X509_ALGOR_set0(alg2, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
|
||||
V_ASN1_SEQUENCE, os2)) {
|
||||
ASN1_STRING_free(os1);
|
||||
ASN1_STRING_free(os2);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
if (!X509_ALGOR_set0(alg1, OBJ_nid2obj(EVP_PKEY_RSA_PSS),
|
||||
V_ASN1_SEQUENCE, os1)) {
|
||||
ASN1_STRING_free(os1);
|
||||
return 0;
|
||||
}
|
||||
return 3;
|
||||
}
|
||||
|
||||
params[0] = OSSL_PARAM_construct_octet_string(
|
||||
OSSL_SIGNATURE_PARAM_ALGORITHM_ID, aid, sizeof(aid));
|
||||
params[1] = OSSL_PARAM_construct_end();
|
||||
|
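Review bot: the legacy branch of rsa_item_sign ends in a bare `return 3;` with no comment on what that value tells the caller of this item-sign hook. Add a one-line comment giving its meaning. The `os1`/`os2` duplicate-and-set sequence with its three cleanup exits would also read better as a single `goto err` path that frees both strings.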
@ -652,11 +682,13 @@ static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, const void *asn,
|
|||
|
||||
if (alg1 != NULL) {
|
||||
const unsigned char *pp = aid;
|
||||
|
||||
if (d2i_X509_ALGOR(&alg1, &pp, aid_len) == NULL)
|
||||
return 0;
|
||||
}
|
||||
if (alg2 != NULL) {
|
||||
const unsigned char *pp = aid;
|
||||
|
||||
if (d2i_X509_ALGOR(&alg2, &pp, aid_len) == NULL)
|
||||
return 0;
|
||||
}
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -584,6 +584,10 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
|
|||
ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE);
|
||||
return -2;
|
||||
}
|
||||
if (p2 == NULL) {
|
||||
ERR_raise(ERR_LIB_EVP, ERR_R_PASSED_NULL_PARAMETER);
|
||||
return 0;
|
||||
}
|
||||
*(unsigned char **)p2 = rctx->oaep_label;
|
||||
return rctx->oaep_labellen;
|
||||
|
||||
|
|
|
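Review bot: the new `p2 == NULL` guard raises under `ERR_LIB_EVP` and returns 0, while the check immediately above it in the same case raises under `ERR_LIB_RSA` and returns -2. Two failure conventions inside one ctrl case make it hard for callers to test the result; pick the library code and return value this ctrl function uses elsewhere, or add a comment explaining why this path differs.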
@ -1,5 +1,5 @@
|
|||
#!/usr/bin/env perl
|
||||
# Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -432,6 +432,7 @@ $code.=<<___;
|
|||
ret
|
||||
.size SHA3_squeeze,.-SHA3_squeeze
|
||||
|
||||
.section .rodata
|
||||
.align 64
|
||||
rhotates_left:
|
||||
.quad 3, 18, 36, 41 # [2][0] [4][0] [1][0] [3][0]
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
#!/usr/bin/env perl
|
||||
# Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -486,6 +486,7 @@ SHA3_squeeze:
|
|||
ret
|
||||
.size SHA3_squeeze,.-SHA3_squeeze
|
||||
|
||||
.section .rodata
|
||||
.align 64
|
||||
theta_perm:
|
||||
.quad 0, 1, 2, 3, 4, 5, 6, 7 # [not used]
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
#!/usr/bin/env perl
|
||||
# Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -349,6 +349,7 @@ $code.=<<___;
|
|||
ret
|
||||
.size SHA3_squeeze,.-SHA3_squeeze
|
||||
|
||||
.section .rodata
|
||||
.align 64
|
||||
rhotates_left:
|
||||
.quad 3, 18, 36, 41 # [2][0] [4][0] [1][0] [3][0]
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -553,8 +553,10 @@ static int try_pkcs12(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
|
|||
|
||||
ok = 0; /* Assume decryption or parse error */
|
||||
|
||||
if (PKCS12_verify_mac(p12, "", 0)
|
||||
if (!PKCS12_mac_present(p12)
|
||||
|| PKCS12_verify_mac(p12, NULL, 0)) {
|
||||
pass = NULL;
|
||||
} else if (PKCS12_verify_mac(p12, "", 0)) {
|
||||
pass = "";
|
||||
} else {
|
||||
static char prompt_info[] = "PKCS12 import pass phrase";
|
||||
|
|
|
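Review bot: with the new `!PKCS12_mac_present(p12)` test, a PKCS#12 file that carries no MAC takes the `pass = NULL` branch and goes on to be parsed with no integrity check at all, the same branch as a file whose MAC verified with a NULL password. Add a comment stating that MAC-less files are accepted on purpose, and mention it in the store loader documentation so applications that need integrity protection know to check for the MAC themselves.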
@ -348,7 +348,8 @@ static int get_cert_by_subject_ex(X509_LOOKUP *xl, X509_LOOKUP_TYPE type,
|
|||
/*
|
||||
* we have added it to the cache so now pull it out again
|
||||
*/
|
||||
X509_STORE_lock(xl->store_ctx);
|
||||
if (!X509_STORE_lock(xl->store_ctx))
|
||||
goto finish;
|
||||
j = sk_X509_OBJECT_find(xl->store_ctx->objs, &stmp);
|
||||
tmp = sk_X509_OBJECT_value(xl->store_ctx->objs, j);
|
||||
X509_STORE_unlock(xl->store_ctx);
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -50,43 +50,38 @@ static ISSUER_SIGN_TOOL *v2i_issuer_sign_tool(X509V3_EXT_METHOD *method, X509V3_
|
|||
}
|
||||
if (strcmp(cnf->name, "signTool") == 0) {
|
||||
ist->signTool = ASN1_UTF8STRING_new();
|
||||
if (ist->signTool == NULL) {
|
||||
ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
|
||||
ISSUER_SIGN_TOOL_free(ist);
|
||||
return NULL;
|
||||
if (ist->signTool == NULL || !ASN1_STRING_set(ist->signTool, cnf->value, strlen(cnf->value))) {
|
||||
ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
|
||||
goto err;
|
||||
}
|
||||
ASN1_STRING_set(ist->signTool, cnf->value, strlen(cnf->value));
|
||||
} else if (strcmp(cnf->name, "cATool") == 0) {
|
||||
ist->cATool = ASN1_UTF8STRING_new();
|
||||
if (ist->cATool == NULL) {
|
||||
ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
|
||||
ISSUER_SIGN_TOOL_free(ist);
|
||||
return NULL;
|
||||
if (ist->cATool == NULL || !ASN1_STRING_set(ist->cATool, cnf->value, strlen(cnf->value))) {
|
||||
ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
|
||||
goto err;
|
||||
}
|
||||
ASN1_STRING_set(ist->cATool, cnf->value, strlen(cnf->value));
|
||||
} else if (strcmp(cnf->name, "signToolCert") == 0) {
|
||||
ist->signToolCert = ASN1_UTF8STRING_new();
|
||||
if (ist->signToolCert == NULL) {
|
||||
ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
|
||||
ISSUER_SIGN_TOOL_free(ist);
|
||||
return NULL;
|
||||
if (ist->signToolCert == NULL || !ASN1_STRING_set(ist->signToolCert, cnf->value, strlen(cnf->value))) {
|
||||
ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
|
||||
goto err;
|
||||
}
|
||||
ASN1_STRING_set(ist->signToolCert, cnf->value, strlen(cnf->value));
|
||||
} else if (strcmp(cnf->name, "cAToolCert") == 0) {
|
||||
ist->cAToolCert = ASN1_UTF8STRING_new();
|
||||
if (ist->cAToolCert == NULL) {
|
||||
ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
|
||||
ISSUER_SIGN_TOOL_free(ist);
|
||||
return NULL;
|
||||
if (ist->cAToolCert == NULL || !ASN1_STRING_set(ist->cAToolCert, cnf->value, strlen(cnf->value))) {
|
||||
ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
|
||||
goto err;
|
||||
}
|
||||
ASN1_STRING_set(ist->cAToolCert, cnf->value, strlen(cnf->value));
|
||||
} else {
|
||||
ERR_raise(ERR_LIB_X509V3, ERR_R_PASSED_INVALID_ARGUMENT);
|
||||
ISSUER_SIGN_TOOL_free(ist);
|
||||
return NULL;
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
return ist;
|
||||
|
||||
err:
|
||||
ISSUER_SIGN_TOOL_free(ist);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static int i2r_issuer_sign_tool(X509V3_EXT_METHOD *method,
|
||||
|
|
|
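Review bot: the four branches for `signTool`, `cATool`, `signToolCert` and `cAToolCert` are the same allocate-then-ASN1_STRING_set sequence repeated, each on a line well past 80 columns. A small static helper taking the `ASN1_UTF8STRING **` field and `cnf->value` would remove the repetition. The rewrite also folds allocation failure and set failure into one `ERR_R_ASN1_LIB` error where the old code reported `ERR_R_MALLOC_FAILURE`; if that loss of detail is intended, say so in the commit message.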
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -438,7 +438,7 @@ int ossl_x509v3_cache_extensions(X509 *x)
|
|||
* in case ctx->param->flags & X509_V_FLAG_X509_STRICT
|
||||
*/
|
||||
if (bs->pathlen->type == V_ASN1_NEG_INTEGER) {
|
||||
ERR_raise(ERR_LIB_X509, X509V3_R_NEGATIVE_PATHLEN);
|
||||
ERR_raise(ERR_LIB_X509V3, X509V3_R_NEGATIVE_PATHLEN);
|
||||
x->ex_flags |= EXFLAG_INVALID;
|
||||
} else {
|
||||
x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
|
||||
|
@ -479,7 +479,7 @@ int ossl_x509v3_cache_extensions(X509 *x)
|
|||
ASN1_BIT_STRING_free(usage);
|
||||
/* Check for empty key usage according to RFC 5280 section 4.2.1.3 */
|
||||
if (x->ex_kusage == 0) {
|
||||
ERR_raise(ERR_LIB_X509, X509V3_R_EMPTY_KEY_USAGE);
|
||||
ERR_raise(ERR_LIB_X509V3, X509V3_R_EMPTY_KEY_USAGE);
|
||||
x->ex_flags |= EXFLAG_INVALID;
|
||||
}
|
||||
} else if (i != -1) {
|
||||
|
@ -632,7 +632,7 @@ int ossl_x509v3_cache_extensions(X509 *x)
|
|||
return 1;
|
||||
}
|
||||
if ((x->ex_flags & EXFLAG_INVALID) != 0)
|
||||
ERR_raise(ERR_LIB_X509, X509V3_R_INVALID_CERTIFICATE);
|
||||
ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_CERTIFICATE);
|
||||
/* If computing sha1_hash failed the error queue already reflects this. */
|
||||
|
||||
err:
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -82,6 +82,11 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
|
|||
return NULL;
|
||||
}
|
||||
|
||||
if (*x != NULL && X509at_get_attr_by_OBJ(*x, attr->object, -1) != -1) {
|
||||
ERR_raise(ERR_LIB_X509, X509_R_DUPLICATE_ATTRIBUTE);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (*x == NULL) {
|
||||
if ((sk = sk_X509_ATTRIBUTE_new_null()) == NULL)
|
||||
goto err;
|
||||
|
|
|
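Review bot: rejecting a second attribute with the same object in `X509at_add1_attr` is a behaviour change that the function's documentation should state, because callers that used to append a repeated attribute type now get `NULL` with `X509_R_DUPLICATE_ATTRIBUTE`. The early `return NULL` is safe where it sits, since it runs before `sk_X509_ATTRIBUTE_new_null()` and nothing has been allocated yet. The new test dereferences `attr->object`, so confirm that the guard ending just above it covers a NULL `attr`.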
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -277,11 +277,11 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
|
|||
if (ret == 0 && a->canon_enclen == 0)
|
||||
return 0;
|
||||
|
||||
if (a->canon_enc == NULL || b->canon_enc == NULL)
|
||||
return -2;
|
||||
|
||||
if (ret == 0)
|
||||
if (ret == 0) {
|
||||
if (a->canon_enc == NULL || b->canon_enc == NULL)
|
||||
return -2;
|
||||
ret = memcmp(a->canon_enc, b->canon_enc, a->canon_enclen);
|
||||
}
|
||||
|
||||
return ret < 0 ? -1 : ret > 0;
|
||||
}
|
||||
|
|
|
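Review bot: with the `canon_enc == NULL` test moved inside `if (ret == 0)`, the `-2` error return is reachable only when `ret` is already 0 at that point; for any other `ret` the function returns an ordering without looking at `canon_enc`. That is reasonable because `memcmp` is the only use of the two pointers, but the return-value documentation should say that `-2` is not guaranteed for every name that lacks a canonical encoding. Callers must keep treating `-2` as distinct from the `-1`/`0`/`1` ordering results.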
@ -1,6 +1,6 @@
|
|||
/*
|
||||
* Generated by util/mkerr.pl DO NOT EDIT
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -28,6 +28,8 @@ static const ERR_STRING_DATA X509_str_reasons[] = {
|
|||
{ERR_PACK(ERR_LIB_X509, 0, X509_R_CRL_ALREADY_DELTA), "crl already delta"},
|
||||
{ERR_PACK(ERR_LIB_X509, 0, X509_R_CRL_VERIFY_FAILURE),
|
||||
"crl verify failure"},
|
||||
{ERR_PACK(ERR_LIB_X509, 0, X509_R_DUPLICATE_ATTRIBUTE),
|
||||
"duplicate attribute"},
|
||||
{ERR_PACK(ERR_LIB_X509, 0, X509_R_ERROR_GETTING_MD_BY_NID),
|
||||
"error getting md by nid"},
|
||||
{ERR_PACK(ERR_LIB_X509, 0, X509_R_ERROR_USING_SIGINF_SET),
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright 2004-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
|
@ -337,7 +337,10 @@ int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
|
|||
if (param->policies == NULL)
|
||||
return 0;
|
||||
}
|
||||
return sk_ASN1_OBJECT_push(param->policies, policy);
|
||||
|
||||
if (sk_ASN1_OBJECT_push(param->policies, policy) <= 0)
|
||||
return 0;
|
||||
return 1;
|
||||
}
|
||||
|
||||
int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
|
||||
|
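Review bot: when `sk_ASN1_OBJECT_push` fails and this returns 0, `policy` has not been taken over by `param`, so the documentation for this add0 function should say that the caller still owns `policy` and must free it on a 0 return. Normalising the result to 0/1 also changes what callers saw before (the raw push result, which is the element count on success), so any caller that compared against a specific positive value needs checking.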
@ -592,7 +595,10 @@ int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param)
|
|||
X509_VERIFY_PARAM_free(ptmp);
|
||||
}
|
||||
}
|
||||
return sk_X509_VERIFY_PARAM_push(param_table, param);
|
||||
|
||||
if (sk_X509_VERIFY_PARAM_push(param_table, param) <= 0)
|
||||
return 0;
|
||||
return 1;
|
||||
}
|
||||
|
||||
int X509_VERIFY_PARAM_get_count(void)
|
||||
|
|
|
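Review bot: `X509_VERIFY_PARAM_free(ptmp)` in the context lines runs before the push, so when `sk_X509_VERIFY_PARAM_push` fails and the function now returns 0, whatever `ptmp` referred to is already freed and `param` has not been added. The 0 return is correct, but the documentation should tell callers that a failure can leave the table without either entry and that `param` remains theirs to free.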
@ -88,7 +88,7 @@ I<numbits>. It must be the last option. If this option is present then
|
|||
the input file is ignored and parameters are generated instead. If
|
||||
this option is not present but a generator (B<-2>, B<-3> or B<-5>) is
|
||||
present, parameters are generated with a default length of 2048 bits.
|
||||
The minimim length is 512 bits. The maximum length is 10000 bits.
|
||||
The minimum length is 512 bits. The maximum length is 10000 bits.
|
||||
|
||||
=item B<-noout>
|
||||
|
||||
|
@ -126,7 +126,7 @@ The B<-C> option was removed in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -278,7 +278,7 @@ RFC5114 names "dh_1024_160", "dh_2048_224", "dh_2048_256".
|
|||
|
||||
If this option is set, then the appropriate RFC5114 parameters are used
|
||||
instead of generating new parameters. The value I<num> can be one of
|
||||
1, 2 or 3 that are equivalant to using the option B<group> with one of
|
||||
1, 2 or 3 that are equivalent to using the option B<group> with one of
|
||||
"dh_1024_160", "dh_2048_224" or "dh_2048_256".
|
||||
All other options will be ignored if this value is set.
|
||||
|
||||
|
@ -333,7 +333,7 @@ The B<algorithm> option must be B<"DH">.
|
|||
=item "default"
|
||||
|
||||
Selects a default type based on the B<algorithm>. This is used by the
|
||||
OpenSSL default provider to set the type for backwards compatability.
|
||||
OpenSSL default provider to set the type for backwards compatibility.
|
||||
If B<algorithm> is B<"DH"> then B<"generator"> is used.
|
||||
If B<algorithm> is B<"DHX"> then B<"fips186_2"> is used.
|
||||
|
||||
|
@ -494,7 +494,7 @@ The B<-engine> option was deprecated in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -35,9 +35,6 @@ B<openssl> B<genrsa>
|
|||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
This command has been deprecated.
|
||||
The L<openssl-genpkey(1)> command should be used instead.
|
||||
|
||||
This command generates an RSA private key.
|
||||
|
||||
=head1 OPTIONS
|
||||
|
@ -118,13 +115,9 @@ L<openssl(1)>,
|
|||
L<openssl-genpkey(1)>,
|
||||
L<openssl-gendsa(1)>
|
||||
|
||||
=head1 HISTORY
|
||||
|
||||
This command was deprecated in OpenSSL 3.0.
|
||||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -66,8 +66,7 @@ cases.
|
|||
=item B<-kdfopt> I<nm>:I<v>
|
||||
|
||||
Passes options to the KDF algorithm.
|
||||
A comprehensive list of parameters can be found in the EVP_KDF_CTX
|
||||
implementation documentation.
|
||||
A comprehensive list of parameters can be found in L<EVP_KDF(3)/PARAMETERS>.
|
||||
Common parameter names used by EVP_KDF_CTX_set_params() are:
|
||||
|
||||
=over 4
|
||||
|
@ -81,9 +80,8 @@ A key must be specified for most KDF algorithms.
|
|||
|
||||
=item B<hexkey:>I<string>
|
||||
|
||||
Specifies the secret key in hexadecimal form (two hex digits per byte).
|
||||
The key length must conform to any restrictions of the KDF algorithm.
|
||||
A key must be specified for most KDF algorithms.
|
||||
Alternative to the B<key:> option where
|
||||
the secret key is specified in hexadecimal form (two hex digits per byte).
|
||||
|
||||
=item B<pass:>I<string>
|
||||
|
||||
|
@ -93,8 +91,35 @@ The password must be specified for PBKDF2 and scrypt.
|
|||
|
||||
=item B<hexpass:>I<string>
|
||||
|
||||
Specifies the password in hexadecimal form (two hex digits per byte).
|
||||
The password must be specified for PBKDF2 and scrypt.
|
||||
Alternative to the B<pass:> option where
|
||||
the password is specified in hexadecimal form (two hex digits per byte).
|
||||
|
||||
=item B<salt:>I<string>
|
||||
|
||||
Specifies a non-secret unique cryptographic salt as an alphanumeric string
|
||||
(use if it contains printable characters only).
|
||||
The length must conform to any restrictions of the KDF algorithm.
|
||||
A salt parameter is required for several KDF algorithms,
|
||||
such as L<EVP_KDF-PBKDF2(7)>.
|
||||
|
||||
=item B<hexsalt:>I<string>
|
||||
|
||||
Alternative to the B<salt:> option where
|
||||
the salt is specified in hexadecimal form (two hex digits per byte).
|
||||
|
||||
=item B<info:>I<string>
|
||||
|
||||
Some KDF implementations, such as L<EVP_KDF-HKDF(7)>, take an 'info' parameter
|
||||
for binding the derived key material
|
||||
to application- and context-specific information.
|
||||
Specifies the info, fixed info, other info or shared info argument
|
||||
as an alphanumeric string (use if it contains printable characters only).
|
||||
The length must conform to any restrictions of the KDF algorithm.
|
||||
|
||||
=item B<hexinfo:>I<string>
|
||||
|
||||
Alternative to the B<info:> option where
|
||||
the info is specified in hexadecimal form (two hex digits per byte).
|
||||
|
||||
=item B<digest:>I<string>
|
||||
|
||||
|
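Review bot: the new `salt:`/`hexsalt:` and `info:`/`hexinfo:` entries do not say what happens when both forms, or the same option more than once, are passed through `-kdfopt`. The `OSSL_KDF_PARAM_INFO` text added to the EVP_KDF page in this same import says repeated instances are concatenated; either state the same here or say that the command behaves differently. The shortened `hexpass:` entry now relies on the `pass:` item for the "must be specified for PBKDF2 and scrypt" statement, which is fine as long as that item keeps it.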
@ -195,7 +220,7 @@ Added in OpenSSL 3.0
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -99,7 +99,7 @@ Encrypt the input data using an RSA public key.
|
|||
|
||||
Decrypt the input data using an RSA private key.
|
||||
|
||||
=item B<-pkcs>, B<-oaep>, B<-x931> B<-raw>
|
||||
=item B<-pkcs>, B<-oaep>, B<-x931>, B<-raw>
|
||||
|
||||
The padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP,
|
||||
ANSI X9.31, or no padding, respectively.
|
||||
|
@ -232,7 +232,7 @@ The B<-engine> option was deprecated in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -274,7 +274,7 @@ See L<openssl-format-options(1)> for details.
|
|||
|
||||
=item B<-pass> I<arg>
|
||||
|
||||
the private key and certifiate file password source.
|
||||
the private key and certificate file password source.
|
||||
For more information about the format of I<arg>
|
||||
see L<openssl-passphrase-options(1)>.
|
||||
|
||||
|
@ -910,7 +910,7 @@ The B<-engine> option was deprecated in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -92,7 +92,7 @@ It does not have a negative trust attribute rejecting the given use.
|
|||
=item *
|
||||
|
||||
It has a positive trust attribute accepting the given use
|
||||
or (by default) one of the following compatibilty conditions apply:
|
||||
or (by default) one of the following compatibility conditions apply:
|
||||
It is self-signed or the B<-partial_chain> option is given
|
||||
(which corresponds to the B<X509_V_FLAG_PARTIAL_CHAIN> flag being set).
|
||||
|
||||
|
@ -686,7 +686,7 @@ The checks enabled by B<-x509_strict> have been extended in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -478,7 +478,7 @@ unless the B<-new> option is given, which generates a certificate from scratch.
|
|||
|
||||
=item B<-CAform> B<DER>|B<PEM>|B<P12>,
|
||||
|
||||
The format for the CA certificate; unspecifed by default.
|
||||
The format for the CA certificate; unspecified by default.
|
||||
See L<openssl-format-options(1)> for details.
|
||||
|
||||
=item B<-CAkey> I<filename>|I<uri>
|
||||
|
@ -784,7 +784,7 @@ The B<-C> option was removed in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
=head1 NAME
|
||||
|
||||
ASN1_AUX, ASN1_PRINT_ARG, ASN1_STREAM_ARG, ASN1_aux_cb, ASN1_aux_const_cb
|
||||
- ASN.1 auxilliary data
|
||||
- ASN.1 auxiliary data
|
||||
|
||||
=head1 SYNOPSIS
|
||||
|
||||
|
@ -45,7 +45,7 @@ ASN.1 data structures can be associated with an B<ASN1_AUX> object to supply
|
|||
additional information about the ASN.1 structure. An B<ASN1_AUX> structure is
|
||||
associated with the structure during the definition of the ASN.1 template. For
|
||||
example an B<ASN1_AUX> structure will be associated by using one of the various
|
||||
ASN.1 template definition macros that supply auxilliary information such as
|
||||
ASN.1 template definition macros that supply auxiliary information such as
|
||||
ASN1_SEQUENCE_enc(), ASN1_SEQUENCE_ref(), ASN1_SEQUENCE_cb_const_cb(),
|
||||
ASN1_SEQUENCE_const_cb(), ASN1_SEQUENCE_cb() or ASN1_NDEF_SEQUENCE_cb().
|
||||
|
||||
|
@ -274,7 +274,7 @@ B<ASN1_OP_GET0_PROPQ> operation types were added in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -62,7 +62,7 @@ I<algor2> are ignored if they are NULL.
|
|||
ASN1_item_sign() is similar to ASN1_item_sign_ex() but uses default values of
|
||||
NULL for the I<id>, I<libctx> and I<propq>.
|
||||
|
||||
ASN1_item_sign_ctx() is similiar to ASN1_item_sign() but uses the parameters
|
||||
ASN1_item_sign_ctx() is similar to ASN1_item_sign() but uses the parameters
|
||||
contained in digest context I<ctx>.
|
||||
|
||||
ASN1_item_verify_ex() is used to verify the signature I<signature> of internal
|
||||
|
@ -77,7 +77,7 @@ See EVP_PKEY_CTX_set1_id() for further info.
|
|||
ASN1_item_verify() is similar to ASN1_item_verify_ex() but uses default values of
|
||||
NULL for the I<id>, I<libctx> and I<propq>.
|
||||
|
||||
ASN1_item_verify_ctx() is similiar to ASN1_item_verify() but uses the parameters
|
||||
ASN1_item_verify_ctx() is similar to ASN1_item_verify() but uses the parameters
|
||||
contained in digest context I<ctx>.
|
||||
|
||||
|
||||
|
@ -216,7 +216,7 @@ ASN1_item_sign_ex() and ASN1_item_verify_ex() were added in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -83,7 +83,7 @@ will be populated with the list of added and deleted fds respectively. Similarly
|
|||
to ASYNC_WAIT_CTX_get_all_fds() either of these can be NULL, but if they are not
|
||||
NULL then the caller is responsible for ensuring sufficient memory is allocated.
|
||||
|
||||
Implementors of async aware code (e.g. engines) are encouraged to return a
|
||||
Implementers of async aware code (e.g. engines) are encouraged to return a
|
||||
stable fd for the lifetime of the B<ASYNC_WAIT_CTX> in order to reduce the
|
||||
"churn" of regularly changing fds - although no guarantees of this are provided
|
||||
to applications.
|
||||
|
@ -216,7 +216,7 @@ were added in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -22,7 +22,7 @@ libcrypto into a provider supply an OSSL_CORE_BIO parameter. This represents
|
|||
a BIO within libcrypto, but cannot be used directly by a provider. Instead it
|
||||
should be wrapped using a BIO_s_core().
|
||||
|
||||
Once a BIO is contructed based on BIO_s_core(), the associated OSSL_CORE_BIO
|
||||
Once a BIO is constructed based on BIO_s_core(), the associated OSSL_CORE_BIO
|
||||
object should be set on it using BIO_set_data(3). Note that the BIO will only
|
||||
operate correctly if it is associated with a library context constructed using
|
||||
OSSL_LIB_CTX_new_from_dispatch(3). To associate the BIO with a library context
|
||||
|
@ -62,7 +62,7 @@ Create a core BIO and write some data to it:
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -59,7 +59,7 @@ BN_rand() is the same as BN_rand_ex() except that the default library context
|
|||
is always used.
|
||||
|
||||
BN_rand_range_ex() generates a cryptographically strong pseudo-random
|
||||
number I<rnd>, of security stength at least I<strength> bits,
|
||||
number I<rnd>, of security strength at least I<strength> bits,
|
||||
in the range 0 E<lt>= I<rnd> E<lt> I<range> using the random number
|
||||
generator for the library context associated with I<ctx>. The parameter I<ctx>
|
||||
may be NULL in which case the default library context is used.
|
||||
|
@ -119,7 +119,7 @@ BN_priv_rand_range_ex() functions were added in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -34,7 +34,7 @@ as determined by calling CONF_get1_default_config_file().
|
|||
If B<appname> is NULL the standard OpenSSL application name B<openssl_conf> is
|
||||
used.
|
||||
The behaviour can be customized using B<flags>. Note that, the error suppressing
|
||||
can be overriden by B<config_diagnostics> as described in L<config(5)>.
|
||||
can be overridden by B<config_diagnostics> as described in L<config(5)>.
|
||||
|
||||
CONF_modules_load_file() is the same as CONF_modules_load_file_ex() but
|
||||
has a NULL library context.
|
||||
|
@ -154,7 +154,7 @@ L<NCONF_new_ex(3)>
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -40,7 +40,7 @@ see L<openssl_user_macros(7)>:
|
|||
|
||||
All of the functions described on this page are deprecated.
|
||||
Applications should instead use L<EVP_PKEY_get_bn_param(3)> for any methods that
|
||||
return a B<BIGNUM>. Refer to L<EVP_PKEY-DH(7)> for more infomation.
|
||||
return a B<BIGNUM>. Refer to L<EVP_PKEY-DH(7)> for more information.
|
||||
|
||||
A DH object contains the parameters I<p>, I<q> and I<g>. Note that the I<q>
|
||||
parameter is optional. It also contains a public key (I<pub_key>) and
|
||||
|
@ -141,7 +141,7 @@ All of these functions were deprecated in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -665,7 +665,7 @@ Note that the block size for a cipher may be different to the block size for
|
|||
the underlying encryption/decryption primitive.
|
||||
For example AES in CTR mode has a block size of 1 (because it operates like a
|
||||
stream cipher), even though AES has a block size of 16.
|
||||
Use EVP_CIPHER_get_block_size() to retreive the cached value.
|
||||
Use EVP_CIPHER_get_block_size() to retrieve the cached value.
|
||||
|
||||
=item "aead" (B<OSSL_CIPHER_PARAM_AEAD>) <integer>
|
||||
|
||||
|
@ -1192,10 +1192,11 @@ EVP_DecryptFinal_ex() returns 0 if the decrypt failed or 1 for success.
|
|||
EVP_CipherInit_ex2() and EVP_CipherUpdate() return 1 for success and 0 for failure.
|
||||
EVP_CipherFinal_ex() returns 0 for a decryption failure or 1 for success.
|
||||
|
||||
EVP_Cipher() returns the amount of encrypted / decrypted bytes, or -1
|
||||
on failure if the flag B<EVP_CIPH_FLAG_CUSTOM_CIPHER> is set for the
|
||||
cipher. EVP_Cipher() returns 1 on success or 0 on failure, if the flag
|
||||
EVP_Cipher() returns 1 on success or 0 on failure, if the flag
|
||||
B<EVP_CIPH_FLAG_CUSTOM_CIPHER> is not set for the cipher.
|
||||
EVP_Cipher() returns the number of bytes written to I<out> for encryption / decryption, or
|
||||
the number of bytes authenticated in a call specifying AAD for an AEAD cipher, if the flag
|
||||
B<EVP_CIPH_FLAG_CUSTOM_CIPHER> is set for the cipher.
|
||||
|
||||
EVP_CIPHER_CTX_reset() returns 1 for success and 0 for failure.
|
||||
|
||||
|
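Review bot: the rewritten EVP_Cipher() paragraph no longer gives a failure value for ciphers that have B<EVP_CIPH_FLAG_CUSTOM_CIPHER> set. The previous wording said -1; the new sentence describes only the byte counts returned on success. Put the failure return back, because if it is still negative, a caller that tests the result as a boolean will read an error as success whenever the flag is set.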
@ -1266,7 +1267,8 @@ depending on the mode specified.
|
|||
|
||||
To specify additional authenticated data (AAD), a call to EVP_CipherUpdate(),
|
||||
EVP_EncryptUpdate() or EVP_DecryptUpdate() should be made with the output
|
||||
parameter I<out> set to B<NULL>.
|
||||
parameter I<out> set to B<NULL>. In this case, on success, the parameter
|
||||
I<outl> is set to the number of bytes authenticated.
|
||||
|
||||
When decrypting, the return value of EVP_DecryptFinal() or EVP_CipherFinal()
|
||||
indicates whether the operation was successful. If it does not indicate success,
|
||||
|
|
|
@ -191,7 +191,7 @@ For those KDF implementations that support it, this parameter sets the password.
|
|||
|
||||
=item "salt" (B<OSSL_KDF_PARAM_SALT>) <octet string>
|
||||
|
||||
Some KDF implementations can take a salt.
|
||||
Some KDF implementations can take a non-secret unique cryptographic salt.
|
||||
For those KDF implementations that support it, this parameter sets the salt.
|
||||
|
||||
The default value, if any, is implementation dependent.
|
||||
|
@ -227,6 +227,15 @@ Some KDF implementations require a key.
|
|||
For those KDF implementations that support it, this octet string parameter
|
||||
sets the key.
|
||||
|
||||
=item "info" (B<OSSL_KDF_PARAM_INFO>) <octet string>
|
||||
|
||||
Some KDF implementations, such as L<EVP_KDF-HKDF(7)>, take an 'info' parameter
|
||||
for binding the derived key material
|
||||
to application- and context-specific information.
|
||||
This parameter sets the info, fixed info, other info or shared info argument.
|
||||
You can specify this parameter multiple times, and each instance will
|
||||
be concatenated to form the final value.
|
||||
|
||||
=item "maclen" (B<OSSL_KDF_PARAM_MAC_SIZE>) <unsigned integer>
|
||||
|
||||
Used by implementations that use a MAC with a variable output size (KMAC).
|
||||
|
@ -295,7 +304,7 @@ This functionality was added in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -123,7 +123,7 @@ otherwise 0.
|
|||
|
||||
EVP_KEYMGMT_get0_name() returns the algorithm name, or NULL on error.
|
||||
|
||||
EVP_KEYMGMT_get0_description() returns a pointer to a decription, or NULL if
|
||||
EVP_KEYMGMT_get0_description() returns a pointer to a description, or NULL if
|
||||
there isn't one.
|
||||
|
||||
EVP_KEYMGMT_gettable_params(), EVP_KEYMGMT_settable_params() and
|
||||
|
@ -140,7 +140,7 @@ The functions described here were added in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -21,7 +21,7 @@ EVP_PKEY2PKCS8() converts a private key I<pkey> into a returned PKCS8 object.
|
|||
EVP_PKCS82PKEY_ex() converts a PKCS8 object I<p8> into a returned private key.
|
||||
It uses I<libctx> and I<propq> when fetching algorithms.
|
||||
|
||||
EVP_PKCS82PKEY() is similiar to EVP_PKCS82PKEY_ex() but uses default values of
|
||||
EVP_PKCS82PKEY() is similar to EVP_PKCS82PKEY_ex() but uses default values of
|
||||
NULL for the I<libctx> and I<propq>.
|
||||
|
||||
=head1 RETURN VALUES
|
||||
|
@ -37,7 +37,7 @@ L<PKCS8_pkey_add1_attr(3)>,
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
=head1 NAME
|
||||
|
||||
EVP_PKEY_decapsulate_init, EVP_PKEY_decapsulate
|
||||
- Key decapsulation using a private key algorithm
|
||||
- Key decapsulation using a KEM algorithm with a private key
|
||||
|
||||
=head1 SYNOPSIS
|
||||
|
||||
|
@ -11,7 +11,7 @@ EVP_PKEY_decapsulate_init, EVP_PKEY_decapsulate
|
|||
|
||||
int EVP_PKEY_decapsulate_init(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[]);
|
||||
int EVP_PKEY_decapsulate(EVP_PKEY_CTX *ctx,
|
||||
unsigned char *secret, size_t *secretlen,
|
||||
unsigned char *unwrapped, size_t *unwrappedlen,
|
||||
const unsigned char *wrapped, size_t wrappedlen);
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
@ -19,18 +19,20 @@ EVP_PKEY_decapsulate_init, EVP_PKEY_decapsulate
|
|||
The EVP_PKEY_decapsulate_init() function initializes a private key algorithm
|
||||
context I<ctx> for a decapsulation operation and then sets the I<params>
|
||||
on the context in the same way as calling L<EVP_PKEY_CTX_set_params(3)>.
|
||||
Note that I<ctx> usually is produced using L<EVP_PKEY_CTX_new_from_pkey(3)>,
|
||||
specifying the private key to use.
|
||||
|
||||
The EVP_PKEY_decapsulate() function performs a private key decapsulation
|
||||
operation using I<ctx>. The data to be decapsulated is specified using the
|
||||
I<wrapped> and I<wrappedlen> parameters.
|
||||
If I<secret> is I<NULL> then the maximum size of the output secret buffer
|
||||
is written to the I<*secretlen> parameter. If I<secret> is not B<NULL> and the
|
||||
call is successful then the decapsulated secret data is written to I<secret> and
|
||||
the amount of data written to I<secretlen>.
|
||||
If I<unwrapped> is NULL then the maximum size of the output secret buffer
|
||||
is written to I<*unwrappedlen>. If I<unwrapped> is not NULL and the
|
||||
call is successful then the decapsulated secret data is written to I<unwrapped>
|
||||
and the amount of data written to I<*unwrappedlen>.
|
||||
|
||||
=head1 NOTES
|
||||
|
||||
After the call to EVP_PKEY_decapsulate_init() algorithm specific parameters
|
||||
After the call to EVP_PKEY_decapsulate_init() algorithm-specific parameters
|
||||
for the operation may be set or modified using L<EVP_PKEY_CTX_set_params(3)>.
|
||||
|
||||
=head1 RETURN VALUES
|
||||
|
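Review bot: the description does not say whether I<*unwrappedlen> is read as the size of I<unwrapped> on entry when I<unwrapped> is not NULL; it covers only the size query and the value written back. State the input requirement explicitly so callers know what to pass after the NULL sizing call. The first paragraph also still calls I<ctx> a "private key algorithm context" while the NAME line now says "KEM algorithm with a private key"; aligning the two would help.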
@ -79,7 +81,7 @@ Decapsulate data using RSA:
|
|||
|
||||
=head1 SEE ALSO
|
||||
|
||||
L<EVP_PKEY_CTX_new(3)>,
|
||||
L<EVP_PKEY_CTX_new_from_pkey(3)>,
|
||||
L<EVP_PKEY_encapsulate(3)>,
|
||||
L<EVP_KEM-RSA(7)>,
|
||||
|
||||
|
@ -89,7 +91,7 @@ These functions were added in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -32,7 +32,7 @@ EVP_PKEY_derive_set_peer_ex() sets the peer key: this will normally
|
|||
be a public key. The I<validate_peer> will validate the public key if this value
|
||||
is non zero.
|
||||
|
||||
EVP_PKEY_derive_set_peer() is similiar to EVP_PKEY_derive_set_peer_ex() with
|
||||
EVP_PKEY_derive_set_peer() is similar to EVP_PKEY_derive_set_peer_ex() with
|
||||
I<validate_peer> set to 1.
|
||||
|
||||
EVP_PKEY_derive() derives a shared secret using I<ctx>.
|
||||
|
@ -114,7 +114,7 @@ added in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
=head1 NAME
|
||||
|
||||
EVP_PKEY_encapsulate_init, EVP_PKEY_encapsulate
|
||||
- Key encapsulation using a public key algorithm
|
||||
- Key encapsulation using a KEM algorithm with a public key
|
||||
|
||||
=head1 SYNOPSIS
|
||||
|
||||
|
@ -11,7 +11,7 @@ EVP_PKEY_encapsulate_init, EVP_PKEY_encapsulate
|
|||
|
||||
int EVP_PKEY_encapsulate_init(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[]);
|
||||
int EVP_PKEY_encapsulate(EVP_PKEY_CTX *ctx,
|
||||
unsigned char *out, size_t *outlen,
|
||||
unsigned char *wrappedkey, size_t *wrappedkeylen,
|
||||
unsigned char *genkey, size_t *genkeylen);
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
@ -19,19 +19,27 @@ EVP_PKEY_encapsulate_init, EVP_PKEY_encapsulate
|
|||
The EVP_PKEY_encapsulate_init() function initializes a public key algorithm
|
||||
context I<ctx> for an encapsulation operation and then sets the I<params>
|
||||
on the context in the same way as calling L<EVP_PKEY_CTX_set_params(3)>.
|
||||
Note that I<ctx> is usually is produced using L<EVP_PKEY_CTX_new_from_pkey(3)>,
|
||||
specifying the public key to use.
|
||||
|
||||
The EVP_PKEY_encapsulate() function performs a public key encapsulation
|
||||
operation using I<ctx> with the name I<name>.
|
||||
If I<out> is B<NULL> then the maximum size of the output buffer is written to the
|
||||
I<*outlen> parameter and the maximum size of the generated key buffer is written
|
||||
to I<*genkeylen>. If I<out> is not B<NULL> and the call is successful then the
|
||||
operation using I<ctx>.
|
||||
The symmetric secret generated in I<genkey> can be used as key material.
|
||||
The ciphertext in I<wrappedkey> is its encapsulated form, which can be sent
|
||||
to another party, who can use L<EVP_PKEY_decapsulate(3)> to retrieve it
|
||||
using their private key.
|
||||
If I<wrappedkey> is NULL then the maximum size of the output buffer
|
||||
is written to the I<*wrappedkeylen> parameter unless I<wrappedkeylen> is NULL
|
||||
and the maximum size of the generated key buffer is written to I<*genkeylen>
|
||||
unless I<genkeylen> is NULL.
|
||||
If I<wrappedkey> is not NULL and the call is successful then the
|
||||
internally generated key is written to I<genkey> and its size is written to
|
||||
I<*genkeylen>. The encapsulated version of the generated key is written to
|
||||
I<out> and its size is written to I<*outlen>.
|
||||
I<wrappedkey> and its size is written to I<*wrappedkeylen>.
|
||||
|
||||
=head1 NOTES
|
||||
|
||||
After the call to EVP_PKEY_encapsulate_init() algorithm specific parameters
|
||||
After the call to EVP_PKEY_encapsulate_init() algorithm-specific parameters
|
||||
for the operation may be set or modified using L<EVP_PKEY_CTX_set_params(3)>.
|
||||
|
||||
=head1 RETURN VALUES
|
||||
|
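Review bot: the added sentence "Note that I<ctx> is usually is produced using L<EVP_PKEY_CTX_new_from_pkey(3)>" has a doubled "is" and should read "is usually produced". The new size-query text also covers only the case where I<wrappedkey> is NULL: it does not say whether I<*wrappedkeylen> and I<*genkeylen> must hold the buffer sizes on input when I<wrappedkey> is not NULL. A caller needs that contract to size the two buffers safely, so add one sentence stating it.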
@ -82,7 +90,7 @@ Encapsulate an RSASVE key (for RSA keys).
|
|||
|
||||
=head1 SEE ALSO
|
||||
|
||||
L<EVP_PKEY_CTX_new(3)>,
|
||||
L<EVP_PKEY_CTX_new_from_pkey(3)>,
|
||||
L<EVP_PKEY_decapsulate(3)>,
|
||||
L<EVP_KEM-RSA(7)>,
|
||||
|
||||
|
@ -92,7 +100,7 @@ These functions were added in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -18,8 +18,8 @@ EVP_PKEY_get_default_digest_nid, EVP_PKEY_get_default_digest_name
|
|||
EVP_PKEY_get_default_digest_name() fills in the default message digest
|
||||
name for the public key signature operations associated with key
|
||||
I<pkey> into I<mdname>, up to at most I<mdname_sz> bytes including the
|
||||
ending NUL byte. The name could be C<"UNDEF">, signifying that no digest
|
||||
should be used.
|
||||
ending NUL byte. The name could be C<"UNDEF">, signifying that a digest
|
||||
must (for return value 2) or may (for return value 1) be left unspecified.
|
||||
|
||||
EVP_PKEY_get_default_digest_nid() sets I<pnid> to the default message
|
||||
digest NID for the public key signature operations associated with key
|
||||
|
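Review bot: the rewritten C<"UNDEF"> sentence depends on "return value 2" and "return value 1", but nothing in this paragraph says what those values mean, so the reader cannot tell the "must" case from the "may" case without jumping ahead. Add a pointer to the RETURN VALUES section or a short gloss of both values in this sentence.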
@ -57,7 +57,7 @@ This function was added in OpenSSL 1.0.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -60,7 +60,7 @@ is allocated by the method.
|
|||
|
||||
EVP_PKEY_get_utf8_string_param() get a key I<pkey> UTF8 string value into a
|
||||
buffer I<str> of maximum size I<max_buf_sz> associated with a name of
|
||||
I<key_name>. The maximum size must be large enough to accomodate the string
|
||||
I<key_name>. The maximum size must be large enough to accommodate the string
|
||||
value including a terminating NUL byte, or this function will fail.
|
||||
If I<out_len> is not NULL, I<*out_len> is set to the length of the string
|
||||
not including the terminating NUL byte. The required buffer size not including
|
||||
|
@ -125,7 +125,7 @@ These functions were added in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -62,7 +62,7 @@ see L<openssl_user_macros(7)>:
|
|||
B<EVP_PKEY> is a generic structure to hold diverse types of asymmetric keys
|
||||
(also known as "key pairs"), and can be used for diverse operations, like
|
||||
signing, verifying signatures, key derivation, etc. The asymmetric keys
|
||||
themselves are often refered to as the "internal key", and are handled by
|
||||
themselves are often referred to as the "internal key", and are handled by
|
||||
backends, such as providers (through L<EVP_KEYMGMT(3)>) or B<ENGINE>s.
|
||||
|
||||
Conceptually, an B<EVP_PKEY> internal key may hold a private key, a public
|
||||
|
@ -210,7 +210,7 @@ previously implied to be disallowed.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -23,7 +23,7 @@ I<selection> is described in L<EVP_PKEY_fromdata(3)/Selections>.
|
|||
L<OSSL_PARAM_free(3)> should be used to free the returned parameters in
|
||||
I<*params>.
|
||||
|
||||
EVP_PKEY_export() is similiar to EVP_PKEY_todata() but uses a callback
|
||||
EVP_PKEY_export() is similar to EVP_PKEY_todata() but uses a callback
|
||||
I<export_cb> that gets passed the value of I<export_cbarg>.
|
||||
See L<openssl-core.h(7)> for more information about the callback. Note that the
|
||||
L<OSSL_PARAM(3)> array that is passed to the callback is not persistent after the
|
||||
|
@ -53,7 +53,7 @@ These functions were added in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -22,10 +22,10 @@ The ChaCha20 stream cipher for EVP.
|
|||
=item EVP_chacha20()
|
||||
|
||||
The ChaCha20 stream cipher. The key length is 256 bits, the IV is 128 bits long.
|
||||
The first 32 bits consists of a counter in little-endian order followed by a 96
|
||||
The first 64 bits consists of a counter in little-endian order followed by a 64
|
||||
bit nonce. For example a nonce of:
|
||||
|
||||
000000000000000000000002
|
||||
0000000000000002
|
||||
|
||||
With an initial counter of 42 (2a in hex) would be expressed as:
|
||||
|
||||
|
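Review bot: in the changed line "The first 64 bits consists of a counter", the verb should be "consist". The example nonce was shortened to 0000000000000002 to match the 64-bit layout, but the combined value that follows "would be expressed as:" lies outside this hunk. Confirm it still reads as an 8-byte little-endian counter followed by the 8-byte nonce so that the example and the prose agree.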
@ -47,6 +47,9 @@ calling these functions multiple times and should consider using
|
|||
L<EVP_CIPHER_fetch(3)> instead.
|
||||
See L<crypto(7)/Performance> for further information.
|
||||
|
||||
L<RFC 7539|https://www.rfc-editor.org/rfc/rfc7539.html#section-2.4>
|
||||
uses a 32 bit counter and a 96 bit nonce for the IV.
|
||||
|
||||
=head1 RETURN VALUES
|
||||
|
||||
These functions return an B<EVP_CIPHER> structure that contains the
|
||||
|
|
|
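Review bot: the added RFC 7539 sentence sits after the performance note on L<EVP_CIPHER_fetch(3)>, well away from the IV layout it qualifies, and it states the RFC's 32 bit counter and 96 bit nonce without relating them to the 64/64 split now described for EVP_chacha20(). Move it next to the IV description and add one sentence on how a caller holding an RFC 7539 nonce should build the 128 bit IV, since the two layouts disagree on which IV bytes are counter and which are nonce.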
@ -131,7 +131,7 @@ in L<X509_VERIFY_PARAM_set_flags(3)/VERIFICATION FLAGS>.
|
|||
If I<flags> contains B<OCSP_NOCHAIN> it ignores all certificates in I<certs>
|
||||
and in I<bs>, else it takes them as untrusted intermediate CA certificates
|
||||
and uses them for constructing the validation path for the signer certificate.
|
||||
Certicate revocation status checks using CRLs is disabled during path validation
|
||||
Certificate revocation status checks using CRLs is disabled during path validation
|
||||
if the signer certificate contains the B<id-pkix-ocsp-no-check> extension.
|
||||
After successful path
|
||||
validation the function returns success if the B<OCSP_NOCHECKS> flag is set.
|
||||
|
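Review bot: the corrected line still reads "Certificate revocation status checks using CRLs is disabled"; the subject is plural, so it should be "are disabled" (or "checking ... is disabled"). Fix the agreement in the same change, since this sentence is what tells the reader when CRL checking is skipped for the signer certificate.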
@ -210,7 +210,7 @@ L<X509_VERIFY_PARAM_set_flags(3)>
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -40,7 +40,7 @@ These functions perform an OCSP POST request / response transfer over HTTP,
|
|||
using the HTTP request functions described in L<OSSL_HTTP_REQ_CTX(3)>.
|
||||
|
||||
The function OCSP_sendreq_new() builds a complete B<OSSL_HTTP_REQ_CTX> structure
|
||||
with the B<BIO> I<io> to be used for requests and reponse, the URL path I<path>,
|
||||
with the B<BIO> I<io> to be used for requests and response, the URL path I<path>,
|
||||
optionally the OCSP request I<req>, and a response header maximum line length
|
||||
of I<buf_size>. If I<buf_size> is zero a default value of 4KiB is used.
|
||||
The I<req> may be set to NULL and provided later using OCSP_REQ_CTX_set1_req()
|
||||
|
@ -115,7 +115,7 @@ were deprecated in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -627,7 +627,7 @@ OSSL_CMP_CTX_set_certConf_cb_arg(), or NULL if unset.
|
|||
|
||||
OSSL_CMP_CTX_get_status() returns for client contexts the PKIstatus from
|
||||
the last received CertRepMessage or Revocation Response or error message:
|
||||
=item B<OSSL_CMP_PKISTATUS_accepted> on sucessful receipt of a GENP message:
|
||||
=item B<OSSL_CMP_PKISTATUS_accepted> on successful receipt of a GENP message:
|
||||
|
||||
=over 4
|
||||
|
||||
|
|
|
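Review bot: as shown in this hunk, the touched "=item B<OSSL_CMP_PKISTATUS_accepted> ..." line comes before the "=over 4" that should open its list, and it follows the preceding paragraph with no blank line. Move "=over 4" above the "=item" and separate it from the paragraph, and check whether "on successful receipt of a GENP message:" belongs in the item heading or in the item body.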
@ -89,7 +89,7 @@ As long as neither if the two is used any logging output is ignored.
|
|||
|
||||
OSSL_CMP_log_close() may be called when all activities are finished to flush
|
||||
any pending CMP-specific log output and deallocate related resources.
|
||||
It may be called multiple times. It does get called at OpenSSL stutdown.
|
||||
It may be called multiple times. It does get called at OpenSSL shutdown.
|
||||
|
||||
OSSL_CMP_print_to_bio() prints the given component info, filename, line number,
|
||||
severity level, and log message or error queue message to the given I<bio>.
|
||||
|
@ -114,7 +114,7 @@ The OpenSSL CMP support was added in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -116,7 +116,7 @@ multiple synonyms associated with it. In this case the first name from the
|
|||
algorithm definition is returned. Ownership of the returned string is retained
|
||||
by the I<decoder> object and should not be freed by the caller.
|
||||
|
||||
OSSL_DECODER_get0_description() returns a pointer to a decription, or NULL if
|
||||
OSSL_DECODER_get0_description() returns a pointer to a description, or NULL if
|
||||
there isn't one.
|
||||
|
||||
OSSL_DECODER_names_do_all() returns 1 if the callback was called for all
|
||||
|
@ -180,7 +180,7 @@ The functions described here were added in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -41,7 +41,7 @@ them up, so all the caller has to do next is call functions like
|
|||
L<OSSL_DECODER_from_bio(3)>. The caller may use the optional I<input_type>,
|
||||
I<input_struct>, I<keytype> and I<selection> to specify what the input is
|
||||
expected to contain. The I<pkey> must reference an B<EVP_PKEY *> variable
|
||||
that will be set to the newly created B<EVP_PKEY> on succesfull decoding.
|
||||
that will be set to the newly created B<EVP_PKEY> on successful decoding.
|
||||
The referenced variable must be initialized to NULL before calling the
|
||||
function.
|
||||
|
||||
|
@ -135,7 +135,7 @@ The functions described here were added in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -117,7 +117,7 @@ multiple synonyms associated with it. In this case the first name from the
|
|||
algorithm definition is returned. Ownership of the returned string is retained
|
||||
by the I<encoder> object and should not be freed by the caller.
|
||||
|
||||
OSSL_ENCODER_get0_description() returns a pointer to a decription, or NULL if
|
||||
OSSL_ENCODER_get0_description() returns a pointer to a description, or NULL if
|
||||
there isn't one.
|
||||
|
||||
OSSL_ENCODER_names_do_all() returns 1 if the callback was called for all
|
||||
|
@ -134,7 +134,7 @@ The functions described here were added in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -80,7 +80,7 @@ as DER to PEM, as well as more specialized encoders like RSA to DER.
|
|||
The final output type must be given, and a chain of encoders must end with
|
||||
an implementation that produces that output type.
|
||||
|
||||
At the beginning of the encoding process, a contructor provided by the
|
||||
At the beginning of the encoding process, a constructor provided by the
|
||||
caller is called to ensure that there is an appropriate provider-side object
|
||||
to start with.
|
||||
The constructor is set with OSSL_ENCODER_CTX_set_construct().
|
||||
|
@ -148,7 +148,7 @@ The pointer that was set with OSSL_ENCODE_CTX_set_construct_data().
|
|||
|
||||
The constructor is expected to return a valid (non-NULL) pointer to a
|
||||
provider-native object that can be used as first input of an encoding chain,
|
||||
or NULL to indicate that an error has occured.
|
||||
or NULL to indicate that an error has occurred.
|
||||
|
||||
These utility functions may be used by a constructor:
|
||||
|
||||
|
@ -211,7 +211,7 @@ The functions described here were added in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -46,7 +46,7 @@ while the list contained in I<ssv2> is of type B<ESS_CERT_ID_V2>.
|
|||
As far as these lists are present, they must be nonempty.
|
||||
The certificate identified by their first entry must be the first element of
|
||||
I<chain>, i.e. the signer certificate.
|
||||
Any further certficates referenced in the list must also be found in I<chain>.
|
||||
Any further certificates referenced in the list must also be found in I<chain>.
|
||||
The matching is done using the given certificate hash algorithm and value.
|
||||
In addition to the checks required by RFCs 2624 and 5035,
|
||||
if the B<issuerSerial> field is included in an B<ESSCertID> or B<ESSCertIDv2>
|
||||
|
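Review bot: the context line "In addition to the checks required by RFCs 2624 and 5035" looks like a second typo next to the one fixed here. ESS is specified in RFC 2634, which RFC 5035 updates, so "2624" should be checked and corrected in the same change.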
@ -78,7 +78,7 @@ OSSL_ESS_check_signing_certs() were added in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -133,7 +133,7 @@ The function may need to be called again if its result is -1, which indicates
|
|||
L<BIO_should_retry(3)>. In such a case it is advisable to sleep a little in
|
||||
between, using L<BIO_wait(3)> on the read BIO to prevent a busy loop.
|
||||
|
||||
OSSL_HTTP_REQ_CTX_nbio_d2i() is like OSSL_HTTP_REQ_CTX_nbio() but on successs
|
||||
OSSL_HTTP_REQ_CTX_nbio_d2i() is like OSSL_HTTP_REQ_CTX_nbio() but on success
|
||||
in addition parses the response, which must be a DER-encoded ASN.1 structure,
|
||||
using the ASN.1 template I<it> and places the result in I<*pval>.
|
||||
|
||||
|
@ -256,7 +256,7 @@ The functions described here were added in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -57,7 +57,7 @@ The path component is also optional and defaults to C</>.
|
|||
Each non-NULL result pointer argument I<pscheme>, I<puser>, I<phost>, I<pport>,
|
||||
I<ppath>, I<pquery>, and I<pfrag>, is assigned the respective url component.
|
||||
On success, they are guaranteed to contain non-NULL string pointers, else NULL.
|
||||
It is the reponsibility of the caller to free them using L<OPENSSL_free(3)>.
|
||||
It is the responsibility of the caller to free them using L<OPENSSL_free(3)>.
|
||||
If I<pquery> is NULL, any given query component is handled as part of the path.
|
||||
A string returned via I<*ppath> is guaranteed to begin with a C</> character.
|
||||
For absent scheme, userinfo, port, query, and fragment components
|
||||
|
@ -97,7 +97,7 @@ OCSP_parse_url() was deprecated in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -108,7 +108,7 @@ B<OSSL_PARAM_UTF8_STRING> in relation to C strings. When setting
|
|||
parameters, the size should be set to the length of the string, not
|
||||
counting the terminating NUL byte. When requesting parameters, the
|
||||
size should be set to the size of the buffer to be populated, which
|
||||
should accomodate enough space for a terminating NUL byte.
|
||||
should accommodate enough space for a terminating NUL byte.
|
||||
|
||||
When I<requesting parameters>, it's acceptable for I<data> to be NULL.
|
||||
This can be used by the I<requester> to figure out dynamically exactly
|
||||
|
|
|
@ -241,7 +241,7 @@ will be assigned the size the parameter's I<data> buffer should have.
|
|||
OSSL_PARAM_get_utf8_string() retrieves a UTF8 string from the parameter
|
||||
pointed to by I<p>.
|
||||
The string is stored into I<*val> with a size limit of I<max_len>,
|
||||
which must be large enough to accomodate a terminating NUL byte,
|
||||
which must be large enough to accommodate a terminating NUL byte,
|
||||
otherwise this function will fail.
|
||||
If I<*val> is NULL, memory is allocated for the string (including the
|
||||
terminating NUL byte) and I<max_len> is ignored.
|
||||
|
@ -250,14 +250,14 @@ If memory is allocated by this function, it must be freed by the caller.
|
|||
OSSL_PARAM_set_utf8_string() sets a UTF8 string from the parameter pointed to
|
||||
by I<p> to the value referenced by I<val>.
|
||||
If the parameter's I<data> field isn't NULL, its I<data_size> must indicate
|
||||
that the buffer is large enough to accomodate the string that I<val> points at,
|
||||
that the buffer is large enough to accommodate the string that I<val> points at,
|
||||
not including the terminating NUL byte, or this function will fail.
|
||||
A terminating NUL byte is added only if the parameter's I<data_size> indicates
|
||||
the buffer is longer than the string length, otherwise the string will not be
|
||||
NUL terminated.
|
||||
If the parameter's I<data> field is NULL, then only its I<return_size> field
|
||||
will be assigned the minimum size the parameter's I<data> buffer should have
|
||||
to accomodate the string, not including a terminating NUL byte.
|
||||
to accommodate the string, not including a terminating NUL byte.
|
||||
|
||||
OSSL_PARAM_get_octet_string() retrieves an OCTET string from the parameter
|
||||
pointed to by I<p>.
|
||||
|
|
|
@ -90,8 +90,8 @@ the environment variable OPENSSL_MODULES if set.
|
|||
|
||||
OSSL_PROVIDER_try_load() functions like OSSL_PROVIDER_load(), except that
|
||||
it does not disable the fallback providers if the provider cannot be
|
||||
loaded and initialized or if I<retain_fallbacks> is zero.
|
||||
If the provider loads successfully and I<retain_fallbacks> is nonzero, the
|
||||
loaded and initialized or if I<retain_fallbacks> is nonzero.
|
||||
If the provider loads successfully and I<retain_fallbacks> is zero, the
|
||||
fallback providers are disabled.
|
||||
|
||||
OSSL_PROVIDER_unload() unloads the given provider.
|
||||
|
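Review bot: this hunk inverts the documented meaning of I<retain_fallbacks> (the fallback providers were said to be kept when it is zero, now when it is nonzero), yet nothing visible says whether the code changed or the earlier text was simply wrong. Callers written against the previous wording may be passing the opposite value and ending up with the fallback providers disabled or retained unintentionally, so add a line under NOTES or HISTORY stating that the earlier description was incorrect.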
@ -213,7 +213,7 @@ The type and functions described here were added in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -22,7 +22,7 @@ OSSL_SELF_TEST_onend - functionality to trigger a callback during a self test
|
|||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
These methods are intended for use by provider implementors, to display
|
||||
These methods are intended for use by provider implementers, to display
|
||||
diagnostic information during self testing.
|
||||
|
||||
OSSL_SELF_TEST_new() allocates an opaque B<OSSL_SELF_TEST> object that has a
|
||||
|
@ -165,7 +165,7 @@ The functions described here were added in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -327,7 +327,7 @@ definition string, or NULL on error.
|
|||
OSSL_STORE_LOADER_is_a() returns 1 if I<loader> was identifiable,
|
||||
otherwise 0.
|
||||
|
||||
OSSL_STORE_LOADER_get0_description() returns a pointer to a decription, or NULL if
|
||||
OSSL_STORE_LOADER_get0_description() returns a pointer to a description, or NULL if
|
||||
there isn't one.
|
||||
|
||||
The functions with the types B<OSSL_STORE_open_fn>,
|
||||
|
@ -380,7 +380,7 @@ were added in OpenSSL 1.1.1, and became deprecated in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -48,7 +48,7 @@ so the caller must not free it directly.
|
|||
OSSL_trace_set_prefix() and OSSL_trace_set_suffix() can be used to add
|
||||
an extra line for each channel, to be output before and after group of
|
||||
tracing output.
|
||||
What constitues an output group is decided by the code that produces
|
||||
What constitutes an output group is decided by the code that produces
|
||||
the output.
|
||||
The lines given here are considered immutable; for more dynamic
|
||||
tracing prefixes, consider setting a callback with
|
||||
|
|
|
@ -21,7 +21,7 @@ decrypt functions
|
|||
PKCS12_decrypt_skey() Decrypt the PKCS#8 shrouded keybag contained within I<bag>
|
||||
using the supplied password I<pass> of length I<passlen>.
|
||||
|
||||
PKCS12_decrypt_skey_ex() is similar to the above but allows for a library contex
|
||||
PKCS12_decrypt_skey_ex() is similar to the above but allows for a library context
|
||||
I<ctx> and property query I<propq> to be used to select algorithm implementations.
|
||||
|
||||
=head1 RETURN VALUES
|
||||
|
@ -45,7 +45,7 @@ PKCS12_decrypt_skey_ex() was added in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -21,7 +21,7 @@ PKCS12_verify_mac - Functions to create and manipulate a PKCS#12 structure
|
|||
=head1 DESCRIPTION
|
||||
|
||||
PKCS12_gen_mac() generates an HMAC over the entire PKCS#12 object using the
|
||||
supplied password along with a set of already configured paramters.
|
||||
supplied password along with a set of already configured parameters.
|
||||
|
||||
PKCS12_verify_mac() verifies the PKCS#12 object's HMAC using the supplied
|
||||
password.
|
||||
|
@ -62,7 +62,7 @@ L<passphrase-encoding(7)>
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -37,7 +37,7 @@ and L<EVP_RAND(7)>.
|
|||
|
||||
RAND_bytes_ex() and RAND_priv_bytes_ex() are the same as RAND_bytes() and
|
||||
RAND_priv_bytes() except that they both take additional I<strength> and
|
||||
I<ctx> parameters. The bytes genreated will have a security strength of at
|
||||
I<ctx> parameters. The bytes generated will have a security strength of at
|
||||
least I<strength> bits.
|
||||
The DRBG used for the operation is the public or private DRBG associated with
|
||||
the specified I<ctx>. The parameter can be NULL, in which case
|
||||
|
@ -101,7 +101,7 @@ The RAND_bytes_ex() and RAND_priv_bytes_ex() functions were added in OpenSSL 3.0
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -54,7 +54,7 @@ see L<openssl_user_macros(7)>:
|
|||
|
||||
All of the functions described on this page are deprecated.
|
||||
Applications should instead use L<EVP_PKEY_get_bn_param(3)> for any methods that
|
||||
return a B<BIGNUM>. Refer to L<EVP_PKEY-DH(7)> for more infomation.
|
||||
return a B<BIGNUM>. Refer to L<EVP_PKEY-DH(7)> for more information.
|
||||
|
||||
An RSA object contains the components for the public and private key,
|
||||
B<n>, B<e>, B<d>, B<p>, B<q>, B<dmp1>, B<dmq1> and B<iqmp>. B<n> is
|
||||
|
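Review bot: the corrected line still says "Refer to L<EVP_PKEY-DH(7)> for more information" on a page whose next paragraph describes an RSA object and its B<n>, B<e>, B<d> components, so the link looks copied from the DH page. Point it at L<EVP_PKEY-RSA(7)> instead.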
@ -184,7 +184,7 @@ All of these functions were deprecated in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -100,7 +100,7 @@ provide serialization of access for these cases.
|
|||
|
||||
=head1 NOTES
|
||||
|
||||
On session estabilishment, by default, no peer credentials verification is done.
|
||||
On session establishment, by default, no peer credentials verification is done.
|
||||
This must be explicitly requested, typically using L<SSL_CTX_set_verify(3)>.
|
||||
For verifying peer certificates many options can be set using various functions
|
||||
such as L<SSL_CTX_load_verify_locations(3)> and L<SSL_CTX_set1_param(3)>.
|
||||
|
@ -249,7 +249,7 @@ SSL_CTX_new_ex() was added in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -73,9 +73,9 @@ the built-in parameter support described above. Applications wishing to supply
|
|||
their own DH parameters should call SSL_CTX_set0_tmp_dh_pkey() or
|
||||
SSL_set0_tmp_dh_pkey() to supply the parameters for the B<SSL_CTX> or B<SSL>
|
||||
respectively. The parameters should be supplied in the I<dhpkey> argument as
|
||||
an B<EVP_PKEY> containg DH parameters. Ownership of the I<dhpkey> value is
|
||||
an B<EVP_PKEY> containing DH parameters. Ownership of the I<dhpkey> value is
|
||||
passed to the B<SSL_CTX> or B<SSL> object as a result of this call, and so the
|
||||
caller should not free it if the function call is succesful.
|
||||
caller should not free it if the function call is successful.
|
||||
|
||||
The deprecated macros SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() do the same
|
||||
thing as SSL_CTX_set0_tmp_dh_pkey() and SSL_set0_tmp_dh_pkey() except that the
|
||||
|
@ -112,7 +112,7 @@ L<openssl-ciphers(1)>, L<openssl-dhparam(1)>
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -22,6 +22,13 @@ of a certificate can fail because of many reasons at the same time. Only
|
|||
the last verification error that occurred during the processing is available
|
||||
from SSL_get_verify_result().
|
||||
|
||||
Sometimes there can be a sequence of errors leading to the verification
|
||||
failure as reported by SSL_get_verify_result().
|
||||
To get the errors, it is necessary to setup a verify callback via
|
||||
L<SSL_CTX_set_verify(3)> or L<SSL_set_verify(3)> and retrieve the errors
|
||||
from the error stack there, because once L<SSL_connect(3)> returns,
|
||||
these errors may no longer be available.
|
||||
|
||||
The verification result is part of the established session and is restored
|
||||
when a session is reused.
|
||||
|
||||
|
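Review bot: the new paragraph tells the reader to "retrieve the errors from the error stack there" without naming the call to use inside the verify callback, and "error stack" could mean either the error recorded on the verification context or the library error queue. Name the function, write "set up" rather than "setup" for the verb, and say whether the same limitation applies to the server-side handshake, since only L<SSL_connect(3)> is mentioned.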
@ -56,7 +63,7 @@ L<openssl-verify(1)>
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -177,7 +177,7 @@ administrator might only trust it for the former. An X.509 certificate extension
|
|||
exists that can record extended key usage information to supplement the purpose
|
||||
information described above. This extended mechanism is arbitrarily extensible
|
||||
and not well suited for a generic library API; applications that need to
|
||||
validate extended key usage information in certifiates will need to define a
|
||||
validate extended key usage information in certificates will need to define a
|
||||
custom "purpose" (see below) or supply a nondefault verification callback
|
||||
(L<X509_STORE_set_verify_cb_func(3)>).
|
||||
|
||||
|
@ -273,7 +273,7 @@ There is no need to call X509_STORE_CTX_cleanup() explicitly since OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2009-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
|
@ -223,7 +223,7 @@ X509_VERIFY_PARAM_set1_ip_asc() return 1 for success and 0 for
|
|||
failure.
|
||||
|
||||
X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(), and
|
||||
X509_VERIFY_PARAM_get1_ip_asc(), return the string pointers pecified above
|
||||
X509_VERIFY_PARAM_get1_ip_asc(), return the string pointer specified above
|
||||
or NULL if the respective value has not been set or on error.
|
||||
|
||||
X509_VERIFY_PARAM_get_flags() returns the current verification flags.
|
||||
|
|
|
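Review bot: in the corrected sentence the comma after X509_VERIFY_PARAM_get1_ip_asc() still separates the subject from "return"; drop it so the line reads "X509_VERIFY_PARAM_get1_ip_asc() return the string pointer specified above". The sentence also groups two get0 accessors with one get1 accessor under a single "string pointer"; if ownership of the returned string differs between them, state that here or point to the paragraph that does.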
@ -31,7 +31,7 @@ The value B<X509_ADD_FLAG_DEFAULT>, which equals 0, means no special semantics.
|
|||
If B<X509_ADD_FLAG_UP_REF> is set then
|
||||
the reference counts of those certificates added successfully are increased.
|
||||
|
||||
If B<X509_ADD_FLAG_PREPEND> is set then the certifcates are prepended to I<sk>.
|
||||
If B<X509_ADD_FLAG_PREPEND> is set then the certificates are prepended to I<sk>.
|
||||
By default they are appended to I<sk>.
|
||||
In both cases the original order of the added certificates is preserved.
|
||||
|
||||
|
@ -66,7 +66,7 @@ were added in OpenSSL 3.0.
|
|||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
|
|
Some files were not shown because too many files have changed in this diff.