From 354c3ace73db6eafa235b6db948060a2ab82bb7b Mon Sep 17 00:00:00 2001 From: Ben Laurie Date: Sat, 18 Aug 2001 10:22:54 +0000 Subject: [PATCH 1/5] Add first cut symmetric crypto support. --- CHANGES | 3 + TABLE | 133 +++++++++++++++++--------- apps/apps.c | 4 + apps/engine.c | 10 +- crypto/des/Makefile.ssl | 3 +- crypto/engine/Makefile.ssl | 39 +++++++- crypto/engine/engine.h | 11 +++ crypto/engine/engine_all.c | 10 ++ crypto/engine/engine_evp.c | 98 +++++++++++++++++++ crypto/engine/engine_int.h | 17 ++++ crypto/engine/engine_list.c | 1 + crypto/engine/hw_openbsd_dev_crypto.c | 79 +++++++++++++++ crypto/evp/Makefile.ssl | 1 + crypto/evp/c_allc.c | 4 - crypto/evp/openbsd_hw.c | 2 - crypto/stack/safestack.h | 20 ++++ crypto/x509/Makefile.ssl | 14 +++ util/libeay.num | 4 + 18 files changed, 399 insertions(+), 54 deletions(-) create mode 100644 crypto/engine/engine_evp.c create mode 100644 crypto/engine/hw_openbsd_dev_crypto.c diff --git a/CHANGES b/CHANGES index ab1037ed0..52593b2e0 100644 --- a/CHANGES +++ b/CHANGES @@ -12,6 +12,9 @@ *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7 +) applies to 0.9.7 only + +) Add symmetric cipher support to ENGINE. Expect the API to change! + [Ben Laurie] + +) New CRL functions: X509_CRL_set_version(), X509_CRL_set_issuer_name() X509_CRL_set_lastUpdate(), X509_CRL_set_nextUpdate(), X509_CRL_sort(), X509_REVOKED_set_serialNumber(), and X509_REVOKED_set_revocationDate(). diff --git a/TABLE b/TABLE index 2871c8a70..01e0383b0 100644 --- a/TABLE +++ b/TABLE @@ -1,3 +1,4 @@ +Output of `Configure TABLE': *** BC-16 $cc = bcc @@ -70,7 +71,7 @@ $ranlib = *** CygWin32 $cc = gcc -$cflags = -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall +$cflags = -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -mcpu=i486 -Wall $unistd = $thread_cflag = $sys_id = CYGWIN32 
@@ -93,7 +94,7 @@ $ranlib = *** FreeBSD $cc = gcc -$cflags = -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall +$cflags = -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -mcpu=i486 -Wall $unistd = $thread_cflag = (unknown) $sys_id = @@ -139,7 +140,7 @@ $ranlib = *** FreeBSD-elf $cc = gcc -$cflags = -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall +$cflags = -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -mcpu=i486 -Wall $unistd = $thread_cflag = -pthread -D_REENTRANT -D_THREAD_SAFE -D_THREADSAFE $sys_id = @@ -185,7 +186,7 @@ $ranlib = *** Mingw32 $cc = gcc -$cflags = -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall +$cflags = -DL_ENDIAN -fomit-frame-pointer -O3 -mcpu=i486 -Wall $unistd = $thread_cflag = $sys_id = @@ -254,7 +255,7 @@ $ranlib = *** NetBSD-x86 $cc = gcc -$cflags = -DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall +$cflags = -DTERMIOS -O3 -fomit-frame-pointer -mcpu=i486 -Wall $unistd = $thread_cflag = (unknown) $sys_id = @@ -369,7 +370,7 @@ $ranlib = *** OpenBSD-x86 $cc = gcc -$cflags = -DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486 +$cflags = -DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -mcpu=i486 $unistd = $thread_cflag = (unknown) $sys_id = @@ -691,12 +692,12 @@ $ranlib = *** alpha-cc $cc = cc -$cflags = -std1 -tune host -O4 -readonly_strings +$cflags = -std1 -tune host -fast -readonly_strings $unistd = -$thread_cflag = (unknown) +$thread_cflag = -pthread $sys_id = -$lflags = -$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK +$lflags = SIXTY_FOUR_BIT_LONG RC4_CHUNK +$bn_ops = $bn_obj = $des_obj = $bf_obj = 
@@ -705,11 +706,34 @@ $sha1_obj = $cast_obj = $rc4_obj = $rmd160_obj = -$rc5_obj = -$dso_scheme = dlfcn -$shared_target= tru64-shared -$shared_cflag = -$shared_extension = .so +$rc5_obj = dlfcn +$dso_scheme = tru64-shared +$shared_target= +$shared_cflag = .so +$shared_extension = +$ranlib = + +*** alpha-cc-rpath +$cc = cc +$cflags = -std1 -tune host -fast -readonly_strings +$unistd = +$thread_cflag = -pthread +$sys_id = +$lflags = SIXTY_FOUR_BIT_LONG RC4_CHUNK +$bn_ops = +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = dlfcn +$dso_scheme = tru64-shared-rpath +$shared_target= +$shared_cflag = .so +$shared_extension = $ranlib = *** alpha-gcc @@ -718,8 +742,8 @@ $cflags = -O3 $unistd = $thread_cflag = (unknown) $sys_id = -$lflags = -$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1 +$lflags = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1 +$bn_ops = $bn_obj = $des_obj = $bf_obj = @@ -728,21 +752,21 @@ $sha1_obj = $cast_obj = $rc4_obj = $rmd160_obj = -$rc5_obj = -$dso_scheme = dlfcn -$shared_target= tru64-shared -$shared_cflag = -$shared_extension = .so +$rc5_obj = dlfcn +$dso_scheme = alpha-osf1-shared +$shared_target= +$shared_cflag = .so +$shared_extension = $ranlib = *** alpha164-cc $cc = cc $cflags = -std1 -tune host -fast -readonly_strings $unistd = -$thread_cflag = (unknown) +$thread_cflag = -pthread $sys_id = -$lflags = -$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHUNK +$lflags = SIXTY_FOUR_BIT_LONG RC4_CHUNK +$bn_ops = $bn_obj = $des_obj = $bf_obj = 
@@ -751,16 +775,39 @@ $sha1_obj = $cast_obj = $rc4_obj = $rmd160_obj = -$rc5_obj = -$dso_scheme = dlfcn -$shared_target= tru64-shared -$shared_cflag = -$shared_extension = .so +$rc5_obj = dlfcn +$dso_scheme = tru64-shared +$shared_target= +$shared_cflag = .so +$shared_extension = +$ranlib = + +*** alphaold-cc +$cc = cc +$cflags = -std1 -tune host -O4 -readonly_strings +$unistd = +$thread_cflag = (unknown) +$sys_id = +$lflags = SIXTY_FOUR_BIT_LONG RC4_CHUNK +$bn_ops = +$bn_obj = +$des_obj = +$bf_obj = +$md5_obj = +$sha1_obj = +$cast_obj = +$rc4_obj = +$rmd160_obj = +$rc5_obj = dlfcn +$dso_scheme = alpha-osf1-shared +$shared_target= +$shared_cflag = .so +$shared_extension = $ranlib = *** bsdi-elf-gcc $cc = gcc -$cflags = -DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall +$cflags = -DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -mcpu=i486 -Wall $unistd = $thread_cflag = (unknown) $sys_id = @@ -783,7 +830,7 @@ $ranlib = *** bsdi-gcc $cc = gcc -$cflags = -O3 -ffast-math -DL_ENDIAN -DPERL5 -m486 +$cflags = -O3 -ffast-math -DL_ENDIAN -DPERL5 -mcpu=i486 $unistd = $thread_cflag = (unknown) $sys_id = @@ -1036,7 +1083,7 @@ $ranlib = *** debug-bodo $cc = gcc -$cflags = -DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -m486 -pedantic -Wshadow -Wall +$cflags = -DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -mcpu=i486 -pedantic -Wshadow -Wall $unistd = $thread_cflag = -D_REENTRANT $sys_id = 
@@ -1059,7 +1106,7 @@ $ranlib = *** debug-levitte-linux-elf $cc = gcc -$cflags = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -Wno-long-long -pipe +$cflags = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -Wno-long-long -pipe $unistd = $thread_cflag = -D_REENTRANT $sys_id = @@ -1082,7 +1129,7 @@ $ranlib = *** debug-levitte-linux-noasm $cc = gcc -$cflags = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -Wno-long-long -pipe +$cflags = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -Wno-long-long -pipe $unistd = $thread_cflag = -D_REENTRANT $sys_id = @@ -1105,7 +1152,7 @@ $ranlib = *** debug-linux-elf $cc = gcc -$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall +$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=i486 -Wall $unistd = $thread_cflag = -D_REENTRANT $sys_id = @@ -1128,7 +1175,7 @@ $ranlib = *** debug-linux-elf-noefence $cc = gcc -$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall +$cflags = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=i486 -Wall $unistd = $thread_cflag = -D_REENTRANT $sys_id = 
@@ -1266,7 +1313,7 @@ $ranlib = *** debug-steve $cc = gcc -$cflags = -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -m486 -pedantic -Wall -Werror -Wshadow -pipe +$cflags = -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wall -Werror -Wshadow -pipe $unistd = $thread_cflag = -D_REENTRANT $sys_id = @@ -1289,7 +1336,7 @@ $ranlib = *** debug-ulf $cc = gcc -$cflags = -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe +$cflags = -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -mcpu=i486 -Wall -Werror -Wshadow -pipe $unistd = $thread_cflag = -D_REENTRANT $sys_id = @@ -1818,7 +1865,7 @@ $ranlib = *** hurd-x86 $cc = gcc -$cflags = -DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall +$cflags = -DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -mcpu=i486 -Wall $unistd = $thread_cflag = -D_REENTRANT $sys_id = @@ -2071,7 +2118,7 @@ $ranlib = *** linux-aout $cc = gcc -$cflags = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall +$cflags = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=i486 -Wall $unistd = $thread_cflag = (unknown) $sys_id = @@ -2094,7 +2141,7 @@ $ranlib = *** linux-elf $cc = gcc -$cflags = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall +$cflags = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=i486 -Wall $unistd = $thread_cflag = -D_REENTRANT $sys_id = @@ -2807,7 +2854,7 @@ $ranlib = *** solaris-x86-gcc $cc = gcc -$cflags = -O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DOPENSSL_NO_INLINE_ASM +$cflags = -O3 -fomit-frame-pointer -mcpu=i486 -Wall -DL_ENDIAN -DOPENSSL_NO_INLINE_ASM $unistd = $thread_cflag = -D_REENTRANT $sys_id = diff --git a/apps/apps.c b/apps/apps.c index 31225b3f9..4d04ea21d 100644 --- a/apps/apps.c +++ b/apps/apps.c 
@@ -1165,7 +1165,11 @@ ENGINE *setup_engine(BIO *err, const char *engine, int debug) BIO_printf(err,"can't use that engine\n"); return NULL; } + + ENGINE_load_engine_ciphers(e); + BIO_printf(err,"engine \"%s\" set.\n", engine); + /* Free our "structural" reference. */ ENGINE_free(e); } diff --git a/apps/engine.c b/apps/engine.c index 1308b6b7f..1b2fc50cc 100644 --- a/apps/engine.c +++ b/apps/engine.c @@ -94,7 +94,7 @@ static void identity(void *ptr) return; } -static int append_buf(char **buf, char *s, int *size, int step) +static int append_buf(char **buf, const char *s, int *size, int step) { int l = strlen(s); @@ -430,6 +430,7 @@ skip_arg_loop: { int cap_size = 256; char *cap_buf = NULL; + int k,n; if (ENGINE_get_RSA(e) != NULL && !append_buf(&cap_buf, "RSA", @@ -448,6 +449,13 @@ skip_arg_loop: &cap_size, 256)) goto end; + n=ENGINE_cipher_num(e); + for(k=0 ; k < n ; ++k) + if(!append_buf(&cap_buf, + OBJ_nid2sn(ENGINE_get_cipher(e, k)->nid), + &cap_size, 256)) + goto end; + if (cap_buf && (*cap_buf != '\0')) BIO_printf(bio_out, " [%s]", cap_buf); diff --git a/crypto/des/Makefile.ssl b/crypto/des/Makefile.ssl index a3a0ee265..c13a802e6 100644 --- a/crypto/des/Makefile.ssl +++ b/crypto/des/Makefile.ssl @@ -152,8 +152,7 @@ cfb64enc.o: ../../include/openssl/opensslconf.h cfb64enc.c des_locl.h cfb_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h cfb_enc.o: ../../include/openssl/opensslconf.h cfb_enc.c des_locl.h des_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h -des_enc.o: ../../include/openssl/opensslconf.h des_enc.c des_locl.h des_locl.h -des_enc.o: ncbc_enc.c +des_enc.o: ../../include/openssl/opensslconf.h des_enc.c des_locl.h ncbc_enc.c ecb3_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h ecb3_enc.o: ../../include/openssl/opensslconf.h des_locl.h ecb3_enc.c ecb_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h 
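Review bot: In the capability loop added to apps/engine.c, the result of `OBJ_nid2sn(ENGINE_get_cipher(e, k)->nid)` is passed straight to append_buf(), whose first statement is `int l = strlen(s);`. OBJ_nid2sn() returns NULL for a NID it does not know, so an engine that registers a cipher with an unregistered NID would crash the listing instead of being skipped. Fetch the name into a local and test it first: `const char *sn=OBJ_nid2sn(ENGINE_get_cipher(e, k)->nid);` followed by `if(sn && !append_buf(&cap_buf, sn, &cap_size, 256)) goto end;`. The same unchecked name reaches `strcmp(EVP_CIPHER_name(c),name)` in ENGINE_get_cipher_by_name(), added by patch 2/5, and needs the same guard. The enclosing block starts and ends outside this hunk.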
diff --git a/crypto/engine/Makefile.ssl b/crypto/engine/Makefile.ssl index 99524794b..934d2e3fb 100644 --- a/crypto/engine/Makefile.ssl +++ b/crypto/engine/Makefile.ssl @@ -24,9 +24,13 @@ APPS= LIB=$(TOP)/libcrypto.a LIBSRC= engine_err.c engine_lib.c engine_list.c engine_all.c engine_openssl.c \ - hw_atalla.c hw_cswift.c hw_ncipher.c hw_nuron.c hw_ubsec.c + engine_evp.c \ + hw_atalla.c hw_cswift.c hw_ncipher.c hw_nuron.c hw_ubsec.c \ + hw_openbsd_dev_crypto.c LIBOBJ= engine_err.o engine_lib.o engine_list.o engine_all.o engine_openssl.o \ - hw_atalla.o hw_cswift.o hw_ncipher.o hw_nuron.o hw_ubsec.o + engine_evp.o \ + hw_atalla.o hw_cswift.o hw_ncipher.o hw_nuron.o hw_ubsec.o \ + hw_openbsd_dev_crypto.o SRC= $(LIBSRC) 
@@ -103,6 +107,18 @@ engine_err.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h engine_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h engine_err.o: ../../include/openssl/types.h ../../include/openssl/ui.h engine_err.o: engine_err.c +engine_evp.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h +engine_evp.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h +engine_evp.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h +engine_evp.o: ../../include/openssl/e_os2.h ../../include/openssl/engine.h +engine_evp.o: ../../include/openssl/evp.h ../../include/openssl/obj_mac.h +engine_evp.o: ../../include/openssl/objects.h +engine_evp.o: ../../include/openssl/opensslconf.h +engine_evp.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h +engine_evp.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h +engine_evp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +engine_evp.o: ../../include/openssl/types.h ../../include/openssl/ui.h +engine_evp.o: engine_evp.c engine_int.h engine_lib.o: ../../e_os.h ../../include/openssl/asn1.h engine_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h engine_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h 
@@ -194,6 +210,25 @@ hw_nuron.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h hw_nuron.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h hw_nuron.o: ../../include/openssl/types.h ../../include/openssl/ui.h hw_nuron.o: ../cryptlib.h hw_nuron.c +hw_openbsd_dev_crypto.o: ../../include/openssl/asn1.h +hw_openbsd_dev_crypto.o: ../../include/openssl/bio.h ../../include/openssl/bn.h +hw_openbsd_dev_crypto.o: ../../include/openssl/crypto.h +hw_openbsd_dev_crypto.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h +hw_openbsd_dev_crypto.o: ../../include/openssl/e_os2.h +hw_openbsd_dev_crypto.o: ../../include/openssl/engine.h +hw_openbsd_dev_crypto.o: ../../include/openssl/evp.h +hw_openbsd_dev_crypto.o: ../../include/openssl/obj_mac.h +hw_openbsd_dev_crypto.o: ../../include/openssl/objects.h +hw_openbsd_dev_crypto.o: ../../include/openssl/opensslconf.h +hw_openbsd_dev_crypto.o: ../../include/openssl/opensslv.h +hw_openbsd_dev_crypto.o: ../../include/openssl/rand.h +hw_openbsd_dev_crypto.o: ../../include/openssl/rsa.h +hw_openbsd_dev_crypto.o: ../../include/openssl/safestack.h +hw_openbsd_dev_crypto.o: ../../include/openssl/stack.h +hw_openbsd_dev_crypto.o: ../../include/openssl/symhacks.h +hw_openbsd_dev_crypto.o: ../../include/openssl/types.h +hw_openbsd_dev_crypto.o: ../../include/openssl/ui.h engine_int.h +hw_openbsd_dev_crypto.o: hw_openbsd_dev_crypto.c hw_ubsec.o: ../../e_os.h ../../include/openssl/asn1.h hw_ubsec.o: ../../include/openssl/bio.h ../../include/openssl/bn.h hw_ubsec.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h diff --git a/crypto/engine/engine.h b/crypto/engine/engine.h index 693b82089..9955582a6 100644 --- a/crypto/engine/engine.h +++ b/crypto/engine/engine.h 
@@ -304,8 +304,12 @@ void ENGINE_load_chil(void); void ENGINE_load_atalla(void); void ENGINE_load_nuron(void); void ENGINE_load_ubsec(void); +void ENGINE_load_openbsd_dev_crypto(void); void ENGINE_load_builtin_engines(void); +/* Load all the currently known ciphers from all engines */ +void ENGINE_load_ciphers(void); + /* Send parametrised control commands to the engine. The possibilities to send * down an integer, a pointer to data or a function pointer are provided. Any of * the parameters may or may not be NULL, depending on the command number. In @@ -373,6 +377,7 @@ int ENGINE_set_load_privkey_function(ENGINE *e, ENGINE_LOAD_KEY_PTR loadpriv_f); int ENGINE_set_load_pubkey_function(ENGINE *e, ENGINE_LOAD_KEY_PTR loadpub_f); int ENGINE_set_flags(ENGINE *e, int flags); int ENGINE_set_cmd_defns(ENGINE *e, const ENGINE_CMD_DEFN *defns); +int ENGINE_add_cipher(ENGINE *e,const EVP_CIPHER *c); /* Copies across all ENGINE methods and pointers. NB: This does *not* change * reference counts however. */ int ENGINE_cpy(ENGINE *dest, const ENGINE *src); @@ -399,6 +404,8 @@ const RSA_METHOD *ENGINE_get_RSA(const ENGINE *e); const DSA_METHOD *ENGINE_get_DSA(const ENGINE *e); const DH_METHOD *ENGINE_get_DH(const ENGINE *e); const RAND_METHOD *ENGINE_get_RAND(const ENGINE *e); +int ENGINE_cipher_num(const ENGINE *e); +const EVP_CIPHER *ENGINE_get_cipher(const ENGINE *e, int n); BN_MOD_EXP ENGINE_get_BN_mod_exp(const ENGINE *e); BN_MOD_EXP_CRT ENGINE_get_BN_mod_exp_crt(const ENGINE *e); ENGINE_GEN_INT_FUNC_PTR ENGINE_get_init_function(const ENGINE *e); @@ -473,6 +480,10 @@ int ENGINE_set_default(ENGINE *e, unsigned int flags); * no need to call both (although no harm is done). */ int ENGINE_clear_defaults(void); +/* Instruct an engine to load any EVP ciphers it knows of */ +/* XXX make this work via defaults? */ +void ENGINE_load_engine_ciphers(ENGINE *e); + /* Obligatory error function. */ void ERR_load_ENGINE_strings(void); 
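Review bot: The names declared in these engine.h hunks do not match the ones this patch adds to util/libeay.num. The header declares `ENGINE_load_ciphers`, `ENGINE_add_cipher`, `ENGINE_cipher_num`, `ENGINE_get_cipher` and `ENGINE_load_engine_ciphers`, while libeay.num gains `ENGINE_add_all_evp`, `ENGINE_add_evp_cipher` and `ENGINE_load_evp`, none of which is declared or defined anywhere in the patch. Presumably the export list was generated from an earlier naming; builds that take their exports from libeay.num would then miss the new functions, so it should be regenerated against this header before the API is relied on.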
diff --git a/crypto/engine/engine_all.c b/crypto/engine/engine_all.c index 4d0244f35..0e8480155 100644 --- a/crypto/engine/engine_all.c +++ b/crypto/engine/engine_all.c @@ -117,6 +117,15 @@ void ENGINE_load_ubsec(void) #endif /* !OPENSSL_NO_HW */ } +void ENGINE_load_openbsd_dev_crypto(void) + { +#ifndef OPENSSL_NO_HW +# ifdef OPENSSL_OPENBSD_DEV_CRYPTO + engine_add(ENGINE_openbsd_dev_crypto()); +# endif +#endif /* !OPENSSL_NO_HW */ + } + void ENGINE_load_builtin_engines(void) { static int done=0; @@ -129,4 +138,5 @@ void ENGINE_load_builtin_engines(void) ENGINE_load_atalla(); ENGINE_load_nuron(); ENGINE_load_ubsec(); + ENGINE_load_openbsd_dev_crypto(); } diff --git a/crypto/engine/engine_evp.c b/crypto/engine/engine_evp.c new file mode 100644 index 000000000..ffd1bff8f --- /dev/null +++ b/crypto/engine/engine_evp.c 
@@ -0,0 +1,98 @@ +/* Written by Ben Laurie August 2001 */ +/* ==================================================================== + * Copyright (c) 2000 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +#include +#include +#include "engine_int.h" +#include + +int ENGINE_add_cipher(ENGINE *e,const EVP_CIPHER *c) + { + ENGINE_EVP_CIPHER *p; + + p=OPENSSL_malloc(sizeof *p); + p->cipher=c; + + if(!e->ciphers) + e->ciphers=sk_ENGINE_EVP_CIPHER_new_null(); + sk_ENGINE_EVP_CIPHER_push(e->ciphers,p); + + return 1; + } + +void ENGINE_free_engine_cipher(ENGINE_EVP_CIPHER *p) + { OPENSSL_free(p); } + +int ENGINE_cipher_num(const ENGINE *e) + { return sk_ENGINE_EVP_CIPHER_num(e->ciphers); } + +const EVP_CIPHER *ENGINE_get_cipher(const ENGINE *e, int n) + { return sk_ENGINE_EVP_CIPHER_value(e->ciphers, n)->cipher; } + +void ENGINE_load_ciphers() + { + ENGINE *e; + + for(e=ENGINE_get_first() ; e ; e=ENGINE_get_next(e)) + ENGINE_load_engine_ciphers(e); + } + +void ENGINE_load_engine_ciphers(ENGINE *e) + { + int n; + + for(n=0 ; n < sk_ENGINE_EVP_CIPHER_num(e->ciphers) ; ++n) + EVP_add_cipher(sk_ENGINE_EVP_CIPHER_value(e->ciphers,n)->cipher); + } diff --git a/crypto/engine/engine_int.h b/crypto/engine/engine_int.h index e57cfcb06..126fef746 100644 --- a/crypto/engine/engine_int.h +++ b/crypto/engine/engine_int.h 
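Review bot: ENGINE_add_cipher() writes through the result of `OPENSSL_malloc()` without checking it, ignores failure of both `sk_ENGINE_EVP_CIPHER_new_null()` and `sk_ENGINE_EVP_CIPHER_push()`, and always returns 1. An out-of-memory condition therefore becomes a NULL write or a leaked entry rather than an error the caller can see. ENGINE_get_cipher() has a related gap: `sk_ENGINE_EVP_CIPHER_value(e->ciphers, n)->cipher` dereferences whatever the stack hands back, so it should start with `if(n < 0 || n >= ENGINE_cipher_num(e)) return NULL;`. The definition `void ENGINE_load_ciphers()` should also read `(void)` to match its prototype in engine.h. A checked ENGINE_add_cipher() is sketched below.

```c
int ENGINE_add_cipher(ENGINE *e,const EVP_CIPHER *c)
	{
	ENGINE_EVP_CIPHER *p;

	/* create the per-engine stack lazily, and fail if that is impossible */
	if(!e->ciphers && !(e->ciphers=sk_ENGINE_EVP_CIPHER_new_null()))
		return 0;

	p=OPENSSL_malloc(sizeof *p);
	if(!p)
		return 0;
	p->cipher=c;

	/* push returns 0 on failure; do not leak the wrapper in that case */
	if(!sk_ENGINE_EVP_CIPHER_push(e->ciphers,p))
		{
		OPENSSL_free(p);
		return 0;
		}

	return 1;
	}
```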
@@ -87,6 +87,15 @@ extern "C" { #endif +typedef struct engine_evp_cipher_st + { + const EVP_CIPHER *cipher; + } ENGINE_EVP_CIPHER; + +DECLARE_STACK_OF(ENGINE_EVP_CIPHER) + +void ENGINE_free_engine_cipher(ENGINE_EVP_CIPHER *p); + /* NB: Bitwise OR-able values for the "flags" variable in ENGINE are now exposed * in engine.h. */ @@ -100,6 +109,7 @@ struct engine_st const DSA_METHOD *dsa_meth; const DH_METHOD *dh_meth; const RAND_METHOD *rand_meth; + BN_MOD_EXP bn_mod_exp; BN_MOD_EXP_CRT bn_mod_exp_crt; ENGINE_GEN_INT_FUNC_PTR init; @@ -107,6 +117,9 @@ struct engine_st ENGINE_CTRL_FUNC_PTR ctrl; ENGINE_LOAD_KEY_PTR load_privkey; ENGINE_LOAD_KEY_PTR load_pubkey; + + STACK_OF(ENGINE_EVP_CIPHER) *ciphers; + const ENGINE_CMD_DEFN *cmd_defns; int flags; /* reference count on the structure itself */ @@ -156,6 +169,10 @@ ENGINE *ENGINE_nuron(); ENGINE *ENGINE_ubsec(); #endif /* !OPENSSL_NO_HW_UBSEC */ +#ifdef OPENSSL_OPENBSD_DEV_CRYPTO +ENGINE *ENGINE_openbsd_dev_crypto(void); +#endif + #endif /* !OPENSSL_NO_HW */ #ifdef __cplusplus diff --git a/crypto/engine/engine_list.c b/crypto/engine/engine_list.c index 087a0df15..53eadbbd4 100644 --- a/crypto/engine/engine_list.c +++ b/crypto/engine/engine_list.c @@ -417,6 +417,7 @@ int ENGINE_free(ENGINE *e) abort(); } #endif + sk_ENGINE_EVP_CIPHER_pop_free(e->ciphers,ENGINE_free_engine_cipher); CRYPTO_free_ex_data(engine_ex_data_stack, e, &e->ex_data); OPENSSL_free(e); return 1; diff --git a/crypto/engine/hw_openbsd_dev_crypto.c b/crypto/engine/hw_openbsd_dev_crypto.c new file mode 100644 index 000000000..10a271cd0 --- /dev/null +++ b/crypto/engine/hw_openbsd_dev_crypto.c 
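Review bot: ENGINE_free() now releases `e->ciphers` with `sk_ENGINE_EVP_CIPHER_pop_free()`, which makes the stack an owned member of the ENGINE, but the patch leaves ENGINE_cpy() untouched, and engine.h describes that function as copying across all ENGINE methods and pointers. If ENGINE_cpy() copies this pointer, two ENGINEs would free the same stack; if it skips it, a copied engine silently has no ciphers. Its body is outside this patch, so this needs confirming. A comment on the new struct field would record the rule, e.g. `/* owned by the ENGINE: entries are freed in ENGINE_free(); the EVP_CIPHERs they point to are not */`. ENGINE_free() starts outside the hunk.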
@@ -0,0 +1,79 @@ +/* Written by Ben Laurie August 2001 */ +/* ==================================================================== + * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +#include +#include +#include "engine_int.h" + +static void load_ciphers(ENGINE *e) + { + ENGINE_add_cipher(e,EVP_dev_crypto_des_ede3_cbc()); + } + +ENGINE *ENGINE_openbsd_dev_crypto(void) + { + ENGINE *engine=ENGINE_new(); + + if(!ENGINE_set_id(engine,"openbsd_dev_crypto") + || !ENGINE_set_name(engine,"OpenBSD /dev/crypto")) + { + ENGINE_free(engine); + return NULL; + } + load_ciphers(engine); + + return engine; + } + diff --git a/crypto/evp/Makefile.ssl b/crypto/evp/Makefile.ssl index 8093b623f..1d92d8e84 100644 --- a/crypto/evp/Makefile.ssl +++ b/crypto/evp/Makefile.ssl @@ -513,6 +513,7 @@ names.o: ../../include/openssl/sha.h ../../include/openssl/stack.h names.o: ../../include/openssl/symhacks.h ../../include/openssl/types.h names.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h names.o: ../cryptlib.h names.c +openbsd_hw.o: openbsd_hw.c p5_crpt.o: ../../e_os.h ../../include/openssl/asn1.h p5_crpt.o: ../../include/openssl/bio.h ../../include/openssl/bn.h p5_crpt.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h diff --git a/crypto/evp/c_allc.c b/crypto/evp/c_allc.c index def53b678..0fe545742 100644 --- a/crypto/evp/c_allc.c 
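Review bot: ENGINE_openbsd_dev_crypto() passes the result of `ENGINE_new()` to ENGINE_set_id() without a NULL check, and load_ciphers() discards the return value of ENGINE_add_cipher(). A failed allocation therefore either dereferences NULL (depending on how ENGINE_set_id() treats a NULL engine, which is not shown here) or yields an engine that is registered with no cipher. Suggested: add `if(!engine) return NULL;` right after ENGINE_new(), make load_ciphers() return int, and fold it into the existing failure branch as `|| !load_ciphers(engine)`. ENGINE_load_openbsd_dev_crypto() in engine_all.c hands the result straight to `engine_add()`, so the NULL return should be checked there too unless engine_add() already tolerates it.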
+++ b/crypto/evp/c_allc.c @@ -82,11 +82,7 @@ void OpenSSL_add_all_ciphers(void) EVP_add_cipher_alias(SN_des_cbc,"DES"); EVP_add_cipher_alias(SN_des_cbc,"des"); EVP_add_cipher(EVP_des_ede_cbc()); -# ifdef OPENSSL_OPENBSD_DEV_CRYPTO - EVP_add_cipher(EVP_dev_crypto_des_ede3_cbc()); -# else EVP_add_cipher(EVP_des_ede3_cbc()); -# endif EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3"); EVP_add_cipher_alias(SN_des_ede3_cbc,"des3"); diff --git a/crypto/evp/openbsd_hw.c b/crypto/evp/openbsd_hw.c index c77adc140..e60eafcef 100644 --- a/crypto/evp/openbsd_hw.c +++ b/crypto/evp/openbsd_hw.c @@ -106,7 +106,6 @@ static int dev_crypto_init(EVP_CIPHER_CTX *ctx) static int dev_crypto_cleanup(EVP_CIPHER_CTX *ctx) { - fprintf(stderr,"clean up session %d\n",data(ctx)->ses); if(ioctl(fd,CIOCFSESSION,&data(ctx)->ses) == -1) err("CIOCFSESSION failed"); @@ -140,7 +139,6 @@ static int dev_crypto_des_ede3_init_key(EVP_CIPHER_CTX *ctx, ctx->cipher=EVP_des_ede3_cbc(); return ctx->cipher->init(ctx,key,iv,enc); } - fprintf(stderr,"created session %d\n",data(ctx)->ses); return 1; } diff --git a/crypto/stack/safestack.h b/crypto/stack/safestack.h index f9e494dba..d997f95c5 100644 --- a/crypto/stack/safestack.h +++ b/crypto/stack/safestack.h 
@@ -424,6 +424,26 @@ STACK_OF(type) \ #define sk_DIST_POINT_pop(st) SKM_sk_pop(DIST_POINT, (st)) #define sk_DIST_POINT_sort(st) SKM_sk_sort(DIST_POINT, (st)) +#define sk_ENGINE_EVP_CIPHER_new(st) SKM_sk_new(ENGINE_EVP_CIPHER, (st)) +#define sk_ENGINE_EVP_CIPHER_new_null() SKM_sk_new_null(ENGINE_EVP_CIPHER) +#define sk_ENGINE_EVP_CIPHER_free(st) SKM_sk_free(ENGINE_EVP_CIPHER, (st)) +#define sk_ENGINE_EVP_CIPHER_num(st) SKM_sk_num(ENGINE_EVP_CIPHER, (st)) +#define sk_ENGINE_EVP_CIPHER_value(st, i) SKM_sk_value(ENGINE_EVP_CIPHER, (st), (i)) +#define sk_ENGINE_EVP_CIPHER_set(st, i, val) SKM_sk_set(ENGINE_EVP_CIPHER, (st), (i), (val)) +#define sk_ENGINE_EVP_CIPHER_zero(st) SKM_sk_zero(ENGINE_EVP_CIPHER, (st)) +#define sk_ENGINE_EVP_CIPHER_push(st, val) SKM_sk_push(ENGINE_EVP_CIPHER, (st), (val)) +#define sk_ENGINE_EVP_CIPHER_unshift(st, val) SKM_sk_unshift(ENGINE_EVP_CIPHER, (st), (val)) +#define sk_ENGINE_EVP_CIPHER_find(st, val) SKM_sk_find(ENGINE_EVP_CIPHER, (st), (val)) +#define sk_ENGINE_EVP_CIPHER_delete(st, i) SKM_sk_delete(ENGINE_EVP_CIPHER, (st), (i)) +#define sk_ENGINE_EVP_CIPHER_delete_ptr(st, ptr) SKM_sk_delete_ptr(ENGINE_EVP_CIPHER, (st), (ptr)) +#define sk_ENGINE_EVP_CIPHER_insert(st, val, i) SKM_sk_insert(ENGINE_EVP_CIPHER, (st), (val), (i)) +#define sk_ENGINE_EVP_CIPHER_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(ENGINE_EVP_CIPHER, (st), (cmp)) +#define sk_ENGINE_EVP_CIPHER_dup(st) SKM_sk_dup(ENGINE_EVP_CIPHER, st) +#define sk_ENGINE_EVP_CIPHER_pop_free(st, free_func) SKM_sk_pop_free(ENGINE_EVP_CIPHER, (st), (free_func)) +#define sk_ENGINE_EVP_CIPHER_shift(st) SKM_sk_shift(ENGINE_EVP_CIPHER, (st)) +#define sk_ENGINE_EVP_CIPHER_pop(st) SKM_sk_pop(ENGINE_EVP_CIPHER, (st)) +#define sk_ENGINE_EVP_CIPHER_sort(st) SKM_sk_sort(ENGINE_EVP_CIPHER, (st)) + #define sk_GENERAL_NAME_new(st) SKM_sk_new(GENERAL_NAME, (st)) #define sk_GENERAL_NAME_new_null() SKM_sk_new_null(GENERAL_NAME) #define sk_GENERAL_NAME_free(st) SKM_sk_free(GENERAL_NAME, (st)) 
diff --git a/crypto/x509/Makefile.ssl b/crypto/x509/Makefile.ssl index b8183712d..d69b8ffb6 100644 --- a/crypto/x509/Makefile.ssl +++ b/crypto/x509/Makefile.ssl @@ -325,6 +325,20 @@ x509_vfy.o: ../../include/openssl/sha.h ../../include/openssl/stack.h x509_vfy.o: ../../include/openssl/symhacks.h ../../include/openssl/types.h x509_vfy.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h x509_vfy.o: ../../include/openssl/x509v3.h ../cryptlib.h x509_vfy.c +x509cset.o: ../../e_os.h ../../include/openssl/asn1.h +x509cset.o: ../../include/openssl/bio.h ../../include/openssl/bn.h +x509cset.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h +x509cset.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h +x509cset.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h +x509cset.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h +x509cset.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h +x509cset.o: ../../include/openssl/opensslconf.h +x509cset.o: ../../include/openssl/opensslv.h ../../include/openssl/pkcs7.h +x509cset.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h +x509cset.o: ../../include/openssl/sha.h ../../include/openssl/stack.h +x509cset.o: ../../include/openssl/symhacks.h ../../include/openssl/types.h +x509cset.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h +x509cset.o: ../cryptlib.h x509cset.c x509name.o: ../../e_os.h ../../include/openssl/asn1.h x509name.o: ../../include/openssl/bio.h ../../include/openssl/bn.h x509name.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h diff --git a/util/libeay.num b/util/libeay.num index 7d9d0f3b8..933c97905 100755 --- a/util/libeay.num +++ b/util/libeay.num 
@@ -2628,3 +2628,7 @@ HMAC_CTX_cleanup 3076 EXIST::FUNCTION:HMAC EVP_MD_CTX_cleanup 3077 EXIST::FUNCTION: EVP_MD_CTX_destroy 3078 EXIST::FUNCTION: des_release_key 3079 EXIST::FUNCTION:DES +ENGINE_load_openbsd_dev_crypto 3080 EXIST::FUNCTION: +ENGINE_add_all_evp 3081 EXIST::FUNCTION: +ENGINE_add_evp_cipher 3082 EXIST::FUNCTION: +ENGINE_load_evp 3083 EXIST::FUNCTION: From 0e36019977e78c34d6ea67b943fe17d4a01e769d Mon Sep 17 00:00:00 2001 From: Ben Laurie Date: Sat, 18 Aug 2001 13:53:01 +0000 Subject: [PATCH 2/5] Add EVP test program. --- CHANGES | 3 + crypto/engine/engine.h | 4 + crypto/engine/engine_evp.c | 14 ++ crypto/evp/Makefile.ssl | 2 +- crypto/evp/evp.h | 15 ++- crypto/evp/evp_enc.c | 12 +- crypto/evp/evp_test.c | 255 +++++++++++++++++++++++++++++++++++++ crypto/evp/evptests.txt | 16 +++ crypto/evp/openbsd_hw.c | 3 +- test/Makefile.ssl | 28 +++- 10 files changed, 333 insertions(+), 19 deletions(-) create mode 100644 crypto/evp/evp_test.c create mode 100644 crypto/evp/evptests.txt diff --git a/CHANGES b/CHANGES index 52593b2e0..d7e86490b 100644 --- a/CHANGES +++ b/CHANGES @@ -12,6 +12,9 @@ *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7 +) applies to 0.9.7 only + +) Add EVP test program. + [Ben Laurie] + +) Add symmetric cipher support to ENGINE. Expect the API to change! [Ben Laurie] diff --git a/crypto/engine/engine.h b/crypto/engine/engine.h index 9955582a6..0558f2018 100644 --- a/crypto/engine/engine.h +++ b/crypto/engine/engine.h @@ -483,6 +483,10 @@ int ENGINE_clear_defaults(void); /* Instruct an engine to load any EVP ciphers it knows of */ /* XXX make this work via defaults? */ void ENGINE_load_engine_ciphers(ENGINE *e); +/* Get a particular cipher from a particular engine - NULL if the engine + * doesn't have it */ +const EVP_CIPHER *ENGINE_get_cipher_by_name(ENGINE *e,const char *name); + /* Obligatory error function. */ void ERR_load_ENGINE_strings(void); 
diff --git a/crypto/engine/engine_evp.c b/crypto/engine/engine_evp.c index ffd1bff8f..b2fbdc68c 100644 --- a/crypto/engine/engine_evp.c +++ b/crypto/engine/engine_evp.c @@ -96,3 +96,17 @@ void ENGINE_load_engine_ciphers(ENGINE *e) for(n=0 ; n < sk_ENGINE_EVP_CIPHER_num(e->ciphers) ; ++n) EVP_add_cipher(sk_ENGINE_EVP_CIPHER_value(e->ciphers,n)->cipher); } + +const EVP_CIPHER *ENGINE_get_cipher_by_name(ENGINE *e,const char *name) + { + int n; + + for(n=0 ; n < ENGINE_cipher_num(e) ; ++n) + { + const EVP_CIPHER *c=ENGINE_get_cipher(e,n); + + if(!strcmp(EVP_CIPHER_name(c),name)) + return c; + } + return NULL; + } diff --git a/crypto/evp/Makefile.ssl b/crypto/evp/Makefile.ssl index 1d92d8e84..7206baf76 100644 --- a/crypto/evp/Makefile.ssl +++ b/crypto/evp/Makefile.ssl @@ -19,7 +19,7 @@ AR= ar r CFLAGS= $(INCLUDES) $(CFLAG) GENERAL=Makefile -TEST= +TEST=evp_test.c evptests.txt APPS= LIB=$(TOP)/libcrypto.a diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h index 8feb6c7a1..629782c8b 100644 --- a/crypto/evp/evp.h +++ b/crypto/evp/evp.h @@ -387,6 +387,7 @@ typedef int (EVP_PBE_KEYGEN)(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, #define EVP_MD_CTX_type(e) EVP_MD_type((e)->digest) #define EVP_CIPHER_nid(e) ((e)->nid) +#define EVP_CIPHER_name(e) OBJ_nid2sn(EVP_CIPHER_nid(e)) #define EVP_CIPHER_block_size(e) ((e)->block_size) #define EVP_CIPHER_key_length(e) ((e)->key_len) #define EVP_CIPHER_iv_length(e) ((e)->iv_len) @@ -435,7 +436,6 @@ void BIO_set_md(BIO *,const EVP_MD *md); #define EVP_delete_digest_alias(alias) \ OBJ_NAME_remove(alias,OBJ_NAME_TYPE_MD_METH|OBJ_NAME_ALIAS); - void EVP_MD_CTX_init(EVP_MD_CTX *ctx); int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx); EVP_MD_CTX *EVP_MD_CTX_create(void); 
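Review bot: ENGINE_get_cipher_by_name() passes the result of EVP_CIPHER_name(c) straight to strcmp(), but the macro added to evp.h in this same patch expands to OBJ_nid2sn(), which returns NULL for a NID it does not know; `e` and `name` are not checked either. A cipher registered with a NID missing from the object table would make every by-name lookup on that engine dereference NULL. `const char *cn=EVP_CIPHER_name(c); if(cn && !strcmp(cn,name)) return c;` avoids that. If ENGINE_get_cipher() can return NULL for an index (its body is not in this diff), `c` needs the same guard.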
@@ -457,21 +457,22 @@ int EVP_BytesToKey(const EVP_CIPHER *type,const EVP_MD *md, int datal, int count, unsigned char *key,unsigned char *iv); int EVP_EncryptInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *type, - unsigned char *key, unsigned char *iv); + const unsigned char *key, const unsigned char *iv); int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, - int *outl, unsigned char *in, int inl); + int *outl, const unsigned char *in, int inl); int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl); int EVP_DecryptInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *type, - unsigned char *key, unsigned char *iv); + const unsigned char *key, const unsigned char *iv); int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, - int *outl, unsigned char *in, int inl); + int *outl, const unsigned char *in, int inl); int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl); int EVP_CipherInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *type, - unsigned char *key,unsigned char *iv,int enc); + const unsigned char *key,const unsigned char *iv, + int enc); int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, - int *outl, unsigned char *in, int inl); + int *outl, const unsigned char *in, int inl); int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl); int EVP_SignFinal(EVP_MD_CTX *ctx,unsigned char *md,unsigned int *s, diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index 9abb9855f..e4f9bf073 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -73,7 +73,7 @@ void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx) } int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, - unsigned char *key, unsigned char *iv, int enc) + const unsigned char *key, const unsigned char *iv, int enc) { if(enc && (enc != -1)) enc = 1; if (cipher) 
@@ -133,7 +133,7 @@ int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, } int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, - unsigned char *in, int inl) + const unsigned char *in, int inl) { if (ctx->encrypt) return EVP_EncryptUpdate(ctx,out,outl,in,inl); @@ -148,19 +148,19 @@ int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) } int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, - unsigned char *key, unsigned char *iv) + const unsigned char *key, const unsigned char *iv) { return EVP_CipherInit(ctx, cipher, key, iv, 1); } int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, - unsigned char *key, unsigned char *iv) + const unsigned char *key, const unsigned char *iv) { return EVP_CipherInit(ctx, cipher, key, iv, 0); } int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, - unsigned char *in, int inl) + const unsigned char *in, int inl) { int i,j,bl; @@ -252,7 +252,7 @@ int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) } int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, - unsigned char *in, int inl) + const unsigned char *in, int inl) { int b; diff --git a/crypto/evp/evp_test.c b/crypto/evp/evp_test.c new file mode 100644 index 000000000..811574b21 --- /dev/null +++ b/crypto/evp/evp_test.c 
@@ -0,0 +1,255 @@ +/* Written by Ben Laurie, 2001 */ +/* + * Copyright (c) 2001 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include +#include +#include +#include + +static void hexdump(FILE *f,const char *title,const unsigned char *s,int l) + { + int n=0; + + fprintf(f,"%s",title); + for( ; n < l ; ++n) + { + if((n%16) == 0) + fprintf(f,"\n%04x",n); + fprintf(f," %02x",s[n]); + } + fprintf(f,"\n"); + } + +static int convert(unsigned char *s) + { + unsigned char *d; + + for(d=s ; *s ; s+=2,++d) + { + int n; + + if(!s[1]) + { + fprintf(stderr,"Odd number of hex digits!"); + exit(4); + } + sscanf((char *)s,"%2x",&n); + *d=(unsigned char)n; + } + return s-d; + } + +static unsigned char *ustrsep(char **p,const char *sep) + { return (unsigned char *)strsep((char **)p,sep); } + +static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn, + const unsigned char *iv,int in, + const unsigned char *plaintext,int pn, + const unsigned char *ciphertext,int cn) + { + EVP_CIPHER_CTX ctx; + unsigned char out[4096]; + int outl,outl2; + + printf("Testing cipher %s\n",EVP_CIPHER_name(c)); + hexdump(stdout,"Key",key,kn); + if(in) + hexdump(stdout,"IV",iv,in); + hexdump(stdout,"Plaintext",plaintext,pn); + hexdump(stdout,"Ciphertext",ciphertext,cn); + + + if(kn != c->key_len) + { + fprintf(stderr,"Key length doesn't match, got %d expected %d\n",kn, + c->key_len); + exit(5); + } + + if(!EVP_EncryptInit(&ctx,c,key,iv)) + { + fprintf(stderr,"EncryptInit failed\n"); + exit(10); + } + EVP_CIPHER_CTX_set_padding(&ctx,0); + + 
if(!EVP_EncryptUpdate(&ctx,out,&outl,plaintext,pn)) + { + fprintf(stderr,"Encrypt failed\n"); + exit(6); + } + if(!EVP_EncryptFinal(&ctx,out+outl,&outl2)) + { + fprintf(stderr,"EncryptFinal failed\n"); + exit(7); + } + + if(outl+outl2 != cn) + { + fprintf(stderr,"Ciphertext length mismatch got %d expected %d\n", + outl+outl2,cn); + exit(8); + } + + if(memcmp(out,ciphertext,cn)) + { + fprintf(stderr,"Ciphertext mismatch\n"); + hexdump(stderr,"Got",out,cn); + hexdump(stderr,"Expected",ciphertext,cn); + exit(9); + } + + if(!EVP_DecryptInit(&ctx,c,key,iv)) + { + fprintf(stderr,"DecryptInit failed\n"); + exit(10); + } + EVP_CIPHER_CTX_set_padding(&ctx,0); + + if(!EVP_DecryptUpdate(&ctx,out,&outl,ciphertext,pn)) + { + fprintf(stderr,"Decrypt failed\n"); + exit(6); + } + if(!EVP_DecryptFinal(&ctx,out+outl,&outl2)) + { + fprintf(stderr,"DecryptFinal failed\n"); + exit(7); + } + + if(outl+outl2 != cn) + { + fprintf(stderr,"Plaintext length mismatch got %d expected %d\n", + outl+outl2,cn); + exit(8); + } + + if(memcmp(out,plaintext,cn)) + { + fprintf(stderr,"Plaintext mismatch\n"); + hexdump(stderr,"Got",out,cn); + hexdump(stderr,"Expected",plaintext,cn); + exit(9); + } + + printf("\n"); + } + +int main(int argc,char **argv) + { + const char *szTestFile; + FILE *f; + + if(argc != 2) + { + fprintf(stderr,"%s \n",argv[0]); + exit(1); + } + + szTestFile=argv[1]; + + f=fopen(szTestFile,"r"); + if(!f) + { + perror(szTestFile); + exit(2); + } + + OpenSSL_add_all_ciphers(); + ENGINE_load_builtin_engines(); + + for( ; ; ) + { + char acLine[4096]; + char *p; + char *cipher; + unsigned char *iv,*key,*plaintext,*ciphertext; + const EVP_CIPHER *c; + int kn,in,pn,cn; + ENGINE *e; + + if(!fgets((char *)acLine,sizeof acLine,f)) + break; + if(acLine[0] == '#') + continue; + p=acLine; + cipher=strsep(&p,":"); + key=ustrsep(&p,":"); + iv=ustrsep(&p,":"); + plaintext=ustrsep(&p,":"); + ciphertext=ustrsep(&p,"\n"); + + c=EVP_get_cipherbyname(cipher); + if(!c) + { + fprintf(stderr,"Can't find 
cipher %s!\n",cipher); + exit(3); + } + + kn=convert(key); + in=convert(iv); + pn=convert(plaintext); + cn=convert(ciphertext); + + test1(c,key,kn,iv,in,plaintext,pn,ciphertext,cn); + + for(e=ENGINE_get_first() ; e ; e=ENGINE_get_next(e)) + { + c=ENGINE_get_cipher_by_name(e,cipher); + if(!c) + continue; + printf("Testing engine %s\n",ENGINE_get_name(e)); + + test1(c,key,kn,iv,in,plaintext,pn,ciphertext,cn); + } + } + + + return 0; + } diff --git a/crypto/evp/evptests.txt b/crypto/evp/evptests.txt new file mode 100644 index 000000000..05094a8d7 --- /dev/null +++ b/crypto/evp/evptests.txt @@ -0,0 +1,16 @@ +#cipher:key:iv:input:output +# AES 128 CBC tests (from NIST test vectors, encrypt) +#AES-128-CBC:00000000000000000000000000000000:00000000000000000000000000000000:00000000000000000000000000000000:8A05FC5E095AF4848A08D328D3688E3D +# AES 128 CBC tests (from NIST test vectors, decrypt) +#AES-128-CBC:00000000000000000000000000000000:00000000000000000000000000000000:FACA37E0B0C85373DF706E73F7C9AF86:00000000000000000000000000000000 +# DES ECB tests (from destest) +DES-ECB:0000000000000000::0000000000000000:8CA64DE9C1B123A7 +# DES EDE3 CBC tests (from destest) +DES-EDE3-CBC:0123456789abcdeff1e0d3c2b5a49786fedcba9876543210:fedcba9876543210:37363534333231204E6F77206973207468652074696D6520666F722000000000:3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675 +# RC4 tests (from rc4test) +RC4:0123456789abcdef0123456789abcdef::0123456789abcdef:75b7878099e0c596 +RC4:0123456789abcdef0123456789abcdef::0000000000000000:7494c2e7104b0879 +RC4:00000000000000000000000000000000::0000000000000000:de188941a3375d3a +RC4:ef012345ef012345ef012345ef012345::0000000000000000000000000000000000000000:d6a141a7ec3c38dfbd615a1162e1c7ba36b67858 +RC4:0123456789abcdef0123456789abcdef::123456789ABCDEF0123456789ABCDEF0123456789ABCDEF012345678:66a0949f8af7d6891f7f832ba833c00c892ebe30143ce28740011ecf +RC4:ef012345ef012345ef012345ef012345::00000000000000000000:d6a141a7ec3c38dfbd61 
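Review bot: In main() the fields returned by strsep()/ustrsep() go straight into convert() without a NULL check, so a vector line with fewer than five colon-separated fields (for instance a last line that is cut short) dereferences NULL in convert() instead of being reported as malformed; a guard such as `if(!key || !iv || !plaintext || !ciphertext) { fprintf(stderr,"Malformed test line\n"); exit(11); }` before the cipher lookup would catch it. convert() also ignores the sscanf() result and scans `%2x` into an `int`, so a non-hex character stores an indeterminate byte; `unsigned int n; if(sscanf((char *)s,"%2x",&n) != 1) exit(4);` closes that. Separately, the decrypt leg of test1() passes `pn` as the ciphertext length to EVP_DecryptUpdate and then compares the output length with `cn`, which is only correct because padding is disabled and both lengths are equal in the current vectors.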
diff --git a/crypto/evp/openbsd_hw.c b/crypto/evp/openbsd_hw.c index e60eafcef..7de06ba17 100644 --- a/crypto/evp/openbsd_hw.c +++ b/crypto/evp/openbsd_hw.c @@ -1,5 +1,6 @@ +/* Written by Ben Laurie, 2001 */ /* - * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 2001 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/test/Makefile.ssl b/test/Makefile.ssl index a0c33a363..91e093ec9 100644 --- a/test/Makefile.ssl +++ b/test/Makefile.ssl @@ -56,6 +56,7 @@ METHTEST= methtest SSLTEST= ssltest RSATEST= rsa_test ENGINETEST= enginetest +EVPTEST= evp_test TESTS= alltests @@ -63,7 +64,8 @@ EXE= $(BNTEST) $(ECTEST) $(IDEATEST) $(MD2TEST) $(MD4TEST) $(MD5TEST) $(HMACTES $(RC2TEST) $(RC4TEST) $(RC5TEST) \ $(DESTEST) $(SHATEST) $(SHA1TEST) $(MDC2TEST) $(RMDTEST) \ $(RANDTEST) $(DHTEST) $(ENGINETEST) \ - $(BFTEST) $(CASTTEST) $(SSLTEST) $(EXPTEST) $(DSATEST) $(RSATEST) + $(BFTEST) $(CASTTEST) $(SSLTEST) $(EXPTEST) $(DSATEST) $(RSATEST) \ + $(EVPTEST) # $(METHTEST) 
@@ -72,13 +74,15 @@ OBJ= $(BNTEST).o $(ECTEST).o $(IDEATEST).o $(MD2TEST).o $(MD4TEST).o $(MD5TEST). $(RC2TEST).o $(RC4TEST).o $(RC5TEST).o \ $(DESTEST).o $(SHATEST).o $(SHA1TEST).o $(MDC2TEST).o $(RMDTEST).o \ $(RANDTEST).o $(DHTEST).o $(ENGINETEST).o $(CASTTEST).o \ - $(BFTEST).o $(SSLTEST).o $(DSATEST).o $(EXPTEST).o $(RSATEST).o + $(BFTEST).o $(SSLTEST).o $(DSATEST).o $(EXPTEST).o $(RSATEST).o \ + $(EVPTEST).o SRC= $(BNTEST).c $(ECTEST).c $(IDEATEST).c $(MD2TEST).c $(MD4TEST).c $(MD5TEST).c \ $(HMACTEST).c \ $(RC2TEST).c $(RC4TEST).c $(RC5TEST).c \ $(DESTEST).c $(SHATEST).c $(SHA1TEST).c $(MDC2TEST).c $(RMDTEST).c \ $(RANDTEST).c $(DHTEST).c $(ENGINETEST).c $(CASTTEST).c \ - $(BFTEST).c $(SSLTEST).c $(DSATEST).c $(EXPTEST).c $(RSATEST).c + $(BFTEST).c $(SSLTEST).c $(DSATEST).c $(EXPTEST).c $(RSATEST).c \ + $(EVPTEST).c EXHEADER= HEADER= $(EXHEADER) @@ -116,7 +120,10 @@ alltests: \ test_rmd test_rc2 test_rc4 test_rc5 test_bf test_cast test_rd \ test_rand test_bn test_ec test_enc test_x509 test_rsa test_crl test_sid \ test_gen test_req test_pkcs7 test_verify test_dh test_dsa \ - test_ss test_ca test_engine test_ssl + test_ss test_ca test_engine test_ssl test_evp + +test_evp: + ./$(EVPTEST) evptests.txt test_des: ./$(DESTEST) @@ -342,6 +349,9 @@ $(SSLTEST): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO) $(ENGINETEST): $(ENGINETEST).o $(DLIBCRYPTO) $(CC) -o $(ENGINETEST) $(CFLAGS) $(ENGINETEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) +$(EVPTEST): $(EVPTEST).o $(DLIBCRYPTO) + $(CC) -o $(EVPTEST) $(CFLAGS) $(EVPTEST).o $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS) + #$(RDTEST).o: $(RDTEST).c # $(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(RDTEST).c 
@@ -401,6 +411,16 @@ enginetest.o: ../include/openssl/rand.h ../include/openssl/rsa.h enginetest.o: ../include/openssl/safestack.h ../include/openssl/stack.h enginetest.o: ../include/openssl/symhacks.h ../include/openssl/types.h enginetest.o: ../include/openssl/ui.h enginetest.c +evp_test.o: ../include/openssl/asn1.h ../include/openssl/bio.h +evp_test.o: ../include/openssl/bn.h ../include/openssl/crypto.h +evp_test.o: ../include/openssl/dh.h ../include/openssl/dsa.h +evp_test.o: ../include/openssl/e_os2.h ../include/openssl/engine.h +evp_test.o: ../include/openssl/evp.h ../include/openssl/obj_mac.h +evp_test.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h +evp_test.o: ../include/openssl/opensslv.h ../include/openssl/rand.h +evp_test.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +evp_test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +evp_test.o: ../include/openssl/types.h ../include/openssl/ui.h evp_test.c exptest.o: ../include/openssl/bio.h ../include/openssl/bn.h exptest.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h exptest.o: ../include/openssl/err.h ../include/openssl/lhash.h From a8a004987c730aa433b18e3d1f91198eca18e324 Mon Sep 17 00:00:00 2001 From: Ben Laurie Date: Sat, 18 Aug 2001 16:02:52 +0000 Subject: [PATCH 3/5] Add AES tests. --- crypto/evp/evp_test.c | 8 ++++---- crypto/evp/evptests.txt | 24 ++++++++++++++++++++++++ 2 files changed, 28 insertions(+), 4 deletions(-) diff --git a/crypto/evp/evp_test.c b/crypto/evp/evp_test.c index 811574b21..efbe9fa3c 100644 --- a/crypto/evp/evp_test.c +++ b/crypto/evp/evp_test.c @@ -206,7 +206,7 @@ int main(int argc,char **argv) for( ; ; ) { - char acLine[4096]; + char line[4096]; char *p; char *cipher; unsigned char *iv,*key,*plaintext,*ciphertext; 
@@ -214,11 +214,11 @@ int main(int argc,char **argv) int kn,in,pn,cn; ENGINE *e; - if(!fgets((char *)acLine,sizeof acLine,f)) + if(!fgets((char *)line,sizeof line,f)) break; - if(acLine[0] == '#') + if(line[0] == '#' || line[0] == '\n') continue; - p=acLine; + p=line; cipher=strsep(&p,":"); key=ustrsep(&p,":"); iv=ustrsep(&p,":"); diff --git a/crypto/evp/evptests.txt b/crypto/evp/evptests.txt index 05094a8d7..ee3b7fd69 100644 --- a/crypto/evp/evptests.txt +++ b/crypto/evp/evptests.txt 
@@ -1,12 +1,36 @@ #cipher:key:iv:input:output + +# AES 128 ECB tests (from NIST test vectors, encrypt) + +AES-128-ECB:00000000000000000000000000000000::00000000000000000000000000000000:C34C052CC0DA8D73451AFE5F03BE297F + +# AES 128 ECB tests (from NIST test vectors, decrypt) + +#AES-128-ECB:00000000000000000000000000000000::44416AC2D1F53C583303917E6BE9EBE0:00000000000000000000000000000000 + +# AES 192 ECB tests (from NIST test vectors, decrypt) + +#AES-192-ECB:000000000000000000000000000000000000000000000000::48E31E9E256718F29229319C19F15BA4:00000000000000000000000000000000 + +# AES 256 ECB tests (from NIST test vectors, decrypt) + +#AES-256-ECB:0000000000000000000000000000000000000000000000000000000000000000::058CCFFDBBCB382D1F6F56585D8A4ADE:00000000000000000000000000000000 + # AES 128 CBC tests (from NIST test vectors, encrypt) + #AES-128-CBC:00000000000000000000000000000000:00000000000000000000000000000000:00000000000000000000000000000000:8A05FC5E095AF4848A08D328D3688E3D + # AES 128 CBC tests (from NIST test vectors, decrypt) + #AES-128-CBC:00000000000000000000000000000000:00000000000000000000000000000000:FACA37E0B0C85373DF706E73F7C9AF86:00000000000000000000000000000000 + # DES ECB tests (from destest) + DES-ECB:0000000000000000::0000000000000000:8CA64DE9C1B123A7 + # DES EDE3 CBC tests (from destest) DES-EDE3-CBC:0123456789abcdeff1e0d3c2b5a49786fedcba9876543210:fedcba9876543210:37363534333231204E6F77206973207468652074696D6520666F722000000000:3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675 + # RC4 tests (from rc4test) RC4:0123456789abcdef0123456789abcdef::0123456789abcdef:75b7878099e0c596 RC4:0123456789abcdef0123456789abcdef::0000000000000000:7494c2e7104b0879 From 82b223052712859ccb71d587d4e29394dae813e8 Mon Sep 17 00:00:00 2001 
From: Ben Laurie Date: Sat, 18 Aug 2001 16:04:36 +0000 Subject: [PATCH 4/5] Add RC4 support to OpenBSD. --- crypto/engine/hw_openbsd_dev_crypto.c | 1 + crypto/evp/evp.h | 1 + crypto/evp/evp_enc.c | 6 ++ crypto/evp/openbsd_hw.c | 80 +++++++++++++++++---------- 4 files changed, 60 insertions(+), 28 deletions(-) diff --git a/crypto/engine/hw_openbsd_dev_crypto.c b/crypto/engine/hw_openbsd_dev_crypto.c index 10a271cd0..b3e1d0e24 100644 --- a/crypto/engine/hw_openbsd_dev_crypto.c +++ b/crypto/engine/hw_openbsd_dev_crypto.c @@ -60,6 +60,7 @@ static void load_ciphers(ENGINE *e) { ENGINE_add_cipher(e,EVP_dev_crypto_des_ede3_cbc()); + ENGINE_add_cipher(e,EVP_dev_crypto_rc4()); } ENGINE *ENGINE_openbsd_dev_crypto(void) diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h index 629782c8b..807b8e1f2 100644 --- a/crypto/evp/evp.h +++ b/crypto/evp/evp.h @@ -558,6 +558,7 @@ const EVP_CIPHER *EVP_des_ede3_cbc(void); const EVP_CIPHER *EVP_desx_cbc(void); # ifdef OPENSSL_OPENBSD_DEV_CRYPTO const EVP_CIPHER *EVP_dev_crypto_des_ede3_cbc(void); +const EVP_CIPHER *EVP_dev_crypto_rc4(void); # endif #endif #ifndef OPENSSL_NO_RC4 diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index e4f9bf073..83b70129c 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -222,6 +222,7 @@ int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) b=ctx->cipher->block_size; if (b == 1) { + EVP_CIPHER_CTX_cleanup(ctx); *outl=0; return 1; } @@ -303,6 +304,7 @@ int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) b=ctx->cipher->block_size; if (ctx->flags & EVP_CIPH_NO_PADDING) { + EVP_CIPHER_CTX_cleanup(ctx); if(ctx->buf_len) { EVPerr(EVP_F_EVP_DECRYPTFINAL,EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH); 
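Review bot: In the EVP_CIPH_NO_PADDING branch of EVP_DecryptFinal the added `EVP_CIPHER_CTX_cleanup(ctx);` runs before `if(ctx->buf_len)`, so the check reads the context after it has been cleaned up. If cleanup clears the structure (its body is not in this diff), buf_len is always zero at that point and a ciphertext that is not a multiple of the block length is accepted silently instead of raising EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH. Read the field first, e.g. `left=ctx->buf_len; EVP_CIPHER_CTX_cleanup(ctx); if(left)`, which matches the padded branch later in this function where the test comes before the cleanup. The function's body starts and ends outside the hunk.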
@@ -315,12 +317,14 @@ int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) { if (ctx->buf_len || !ctx->final_used) { + EVP_CIPHER_CTX_cleanup(ctx); EVPerr(EVP_F_EVP_DECRYPTFINAL,EVP_R_WRONG_FINAL_BLOCK_LENGTH); return(0); } n=ctx->final[b-1]; if (n > b) { + EVP_CIPHER_CTX_cleanup(ctx); EVPerr(EVP_F_EVP_DECRYPTFINAL,EVP_R_BAD_DECRYPT); return(0); } @@ -328,6 +332,7 @@ int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) { if (ctx->final[--b] != n) { + EVP_CIPHER_CTX_cleanup(ctx); EVPerr(EVP_F_EVP_DECRYPTFINAL,EVP_R_BAD_DECRYPT); return(0); } @@ -339,6 +344,7 @@ int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) } else *outl=0; + EVP_CIPHER_CTX_cleanup(ctx); return(1); } diff --git a/crypto/evp/openbsd_hw.c b/crypto/evp/openbsd_hw.c index 7de06ba17..231ded8bf 100644 --- a/crypto/evp/openbsd_hw.c +++ b/crypto/evp/openbsd_hw.c @@ -62,6 +62,7 @@ /* longest key supported in hardware */ #define MAX_HW_KEY 24 +#define MAX_HW_IV 8 static int fd; static int dev_failed; @@ -107,6 +108,7 @@ static int dev_crypto_init(EVP_CIPHER_CTX *ctx) static int dev_crypto_cleanup(EVP_CIPHER_CTX *ctx) { + printf("Cleanup %d\n",data(ctx)->ses); if(ioctl(fd,CIOCFSESSION,&data(ctx)->ses) == -1) err("CIOCFSESSION failed"); 
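Review bot: The added `printf("Cleanup %d\n",data(ctx)->ses);` in dev_crypto_cleanup writes to the stdout of whatever application links libcrypto, and the next hunk adds a matching `printf("Init %d\n",data(ctx)->ses);` in dev_crypto_init_key. Library code should not emit unsolicited output: it can corrupt data an application writes to stdout, and it prints the kernel session identifier on every cipher operation. Drop both lines or place them behind a debug-only preprocessor guard before this leaves the "first cut" stage. dev_crypto_cleanup continues past the end of the hunk.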
@@ -116,40 +118,34 @@ static int dev_crypto_cleanup(EVP_CIPHER_CTX *ctx) } /* FIXME: there should be some non-fatal way to report we fell back to s/w? */ -static int dev_crypto_des_ede3_init_key(EVP_CIPHER_CTX *ctx, - const unsigned char *key, - const unsigned char *iv, int enc) +static int dev_crypto_init_key(EVP_CIPHER_CTX *ctx,int cipher, + const unsigned char *key,int klen) { if(!dev_crypto_init(ctx)) - { - /* fall back to using software... */ - ctx->cipher=EVP_des_ede3_cbc(); - return ctx->cipher->init(ctx,key,iv,enc); - } - memcpy(data(ctx)->key,key,24); + return 0; + + assert(ctx->cipher->iv_len <= MAX_HW_IV); + + memcpy(data(ctx)->key,key,klen); - data(ctx)->cipher=CRYPTO_3DES_CBC; + data(ctx)->cipher=cipher; data(ctx)->mac=0; - data(ctx)->keylen=24; + data(ctx)->keylen=klen; if (ioctl(fd,CIOCGSESSION,data(ctx)) == -1) { err("CIOCGSESSION failed"); - /* fall back to using software... */ - dev_crypto_cleanup(ctx); - ctx->cipher=EVP_des_ede3_cbc(); - return ctx->cipher->init(ctx,key,iv,enc); + return 0; } + printf("Init %d\n",data(ctx)->ses); return 1; } -static int dev_crypto_des_ede3_cbc_cipher(EVP_CIPHER_CTX *ctx, - unsigned char *out, - const unsigned char *in, - unsigned int inl) +static int dev_crypto_cipher(EVP_CIPHER_CTX *ctx,unsigned char *out, + const unsigned char *in,unsigned int inl) { struct crypt_op cryp; - unsigned char lb[8]; + unsigned char lb[MAX_HW_IV]; assert(data(ctx)); assert(!dev_failed); 
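Review bot: dev_crypto_init_key copies `klen` bytes into data(ctx)->key with no bound, while the only size limit in view is `#define MAX_HW_KEY 24`; the two current callers pass 24 and 16, but the FIXME on the RC4 table about keys of up to 256 bytes suggests larger values are coming. Add `if(klen < 0 || klen > MAX_HW_KEY) return 0;` before the memcpy (assuming the key buffer is sized by MAX_HW_KEY, which this diff does not show). The IV bound has the same weakness in another form: `assert(ctx->cipher->iv_len <= MAX_HW_IV);` disappears under NDEBUG, yet dev_crypto_cipher later copies iv_len bytes into `lb[MAX_HW_IV]`, so that should be a real `if` returning 0 as well. dev_crypto_cipher starts in this hunk and continues outside it.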
@@ -158,18 +154,16 @@ static int dev_crypto_des_ede3_cbc_cipher(EVP_CIPHER_CTX *ctx, cryp.ses=data(ctx)->ses; cryp.op=ctx->encrypt ? COP_ENCRYPT : COP_DECRYPT; cryp.flags=0; -#if 0 - cryp.len=((inl+7)/8)*8; -#endif cryp.len=inl; - assert((inl&7) == 0); + assert((inl&ctx->cipher->block_size) == 0); cryp.src=(caddr_t)in; cryp.dst=(caddr_t)out; cryp.mac=0; - cryp.iv=(caddr_t)ctx->iv; + if(ctx->cipher->iv_len) + cryp.iv=(caddr_t)ctx->iv; if(!ctx->encrypt) - memcpy(lb,&in[cryp.len-8],8); + memcpy(lb,&in[cryp.len-ctx->cipher->iv_len],ctx->cipher->iv_len); if (ioctl(fd, CIOCCRYPT, &cryp) == -1) { @@ -179,19 +173,49 @@ static int dev_crypto_des_ede3_cbc_cipher(EVP_CIPHER_CTX *ctx, } if(ctx->encrypt) - memcpy(ctx->iv,&out[cryp.len-8],8); + memcpy(ctx->iv,&out[cryp.len-ctx->cipher->iv_len],ctx->cipher->iv_len); else - memcpy(ctx->iv,lb,8); + memcpy(ctx->iv,lb,ctx->cipher->iv_len); return 1; } +static int dev_crypto_des_ede3_init_key(EVP_CIPHER_CTX *ctx, + const unsigned char *key, + const unsigned char *iv, int enc) + { return dev_crypto_init_key(ctx,CRYPTO_3DES_CBC,key,24); } + +#define dev_crypto_des_ede3_cbc_cipher dev_crypto_cipher + BLOCK_CIPHER_def_cbc(dev_crypto_des_ede3, session_op, NID_des_ede3, 8, 24, 8, 0, dev_crypto_des_ede3_init_key, dev_crypto_cleanup, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) + +static int dev_crypto_rc4_init_key(EVP_CIPHER_CTX *ctx, + const unsigned char *key, + const unsigned char *iv, int enc) + { return dev_crypto_init_key(ctx,CRYPTO_ARC4,key,16); } + +static const EVP_CIPHER r4_cipher= + { + NID_rc4, + 1,16,0, /* FIXME: key should be up to 256 bytes */ + EVP_CIPH_VARIABLE_LENGTH, + dev_crypto_rc4_init_key, + dev_crypto_cipher, + dev_crypto_cleanup, + sizeof(session_op), + NULL, + NULL, + NULL + }; + +const EVP_CIPHER *EVP_dev_crypto_rc4(void) + { return &r4_cipher; } + #else static void *dummy=&dummy; #endif From a403188f92101512d4d3e45bc7b8e047d283d9d2 Mon Sep 17 00:00:00 2001 
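Review bot: The new `assert((inl&ctx->cipher->block_size) == 0);` tests a single bit rather than the low bits: with block_size 8 it fires for a valid 8-byte input and passes for a 4-byte one, and with block_size 1 (RC4) it fires on every odd length. The old `(inl&7)` was a mask of block_size-1, so this should be `assert((inl&(ctx->cipher->block_size-1)) == 0);`. In the same hunk `cryp.iv` is now assigned only when iv_len is non-zero; unless `cryp` is zeroed above the hunk, the RC4 path hands an uninitialised pointer to CIOCCRYPT, so add `else cryp.iv=NULL;`. The function body begins outside the hunk.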
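Review bot: `r4_cipher` advertises EVP_CIPH_VARIABLE_LENGTH, but dev_crypto_rc4_init_key always passes 16 to dev_crypto_init_key, so if a caller selects another key length the session is still keyed from the first 16 bytes of `key`, and a shorter key buffer is read past its end. Until variable lengths are implemented (the FIXME in the table already notes the gap), either clear the flag by replacing `EVP_CIPH_VARIABLE_LENGTH,` with `0,`, or pass the context's configured key length and bound it against MAX_HW_KEY. The `iv` and `enc` parameters are unused in both init_key wrappers, which deserves a one-line comment such as `/* iv is taken from ctx->iv in dev_crypto_cipher; enc from ctx->encrypt */`.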
From: =?UTF-8?q?Lutz=20J=C3=A4nicke?= Date: Sun, 19 Aug 2001 16:20:42 +0000 Subject: [PATCH 5/5] Alert description strings for TLSv1 and documentation. --- CHANGES | 3 + doc/ssl/SSL_alert_type_string.pod | 228 ++++++++++++++++++++++++++++++ doc/ssl/ssl.pod | 1 + ssl/ssl_stat.c | 48 +++++++ 4 files changed, 280 insertions(+) create mode 100644 doc/ssl/SSL_alert_type_string.pod diff --git a/CHANGES b/CHANGES index d7e86490b..aef5034c8 100644 --- a/CHANGES +++ b/CHANGES @@ -12,6 +12,9 @@ *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7 +) applies to 0.9.7 only + *) Add alert descriptions for TLSv1 to SSL_alert_desc_string[_long](). + [Lutz Jaenicke] + +) Add EVP test program. [Ben Laurie] diff --git a/doc/ssl/SSL_alert_type_string.pod b/doc/ssl/SSL_alert_type_string.pod new file mode 100644 index 000000000..1d8e524f1 --- /dev/null +++ b/doc/ssl/SSL_alert_type_string.pod 
@@ -0,0 +1,228 @@ +=pod + +=head1 NAME + +SSL_alert_type_string, SSL_alert_type_string_long, SSL_alert_desc_string, SSL_alert_desc_string_long - get textual description of alert information + +=head1 SYNOPSIS + + #include + + const char *SSL_alert_type_string(int value); + const char *SSL_alert_type_string_long(int value); + + const char *SSL_alert_desc_string(int value); + const char *SSL_alert_desc_string_long(int value); + +=head1 DESCRIPTION + +SSL_alert_type_string() returns the a one letter string indicating the +type of the alert specified by B. + +SSL_alert_type_string_long() returns a string indicating the type of the alert +specified by B. + +SSL_alert_desc_string() returns the a two letter string as a short form +describing the reason of the alert specified by B. + +SSL_alert_desc_string_long() returns the a string describing the reason +of the alert specified by B. + +=head1 NOTES + +When one side of an SSL/TLS communication wants to inform the peer about +a special situation, it sends an alert. The alert is sent as a special message +and does not influence the normal data stream (unless its contents results +in the communication being canceled). + +A warning alert is sent, when a non-fatal error condition occurs. The +"close notify" alert is sent as a warning alert. Other examples for +non-fatal errors are certificate errors ("certificate expired", +"unsupported certificate"), for which a warning alert may be sent. +(The sending party may however decide to send a fatal error.) The +receiving side may cancel the connection on reception of a warning +alert on it discretion. + +Several alert messages must be sent as fatal alert messages as specified +by the TLS RFC. A fatal alert always leads to a connection abort. 
+ +=head1 RETURN VALUES + +The following strings can occur for SSL_alert_type_string() or +SSL_alert_type_string_long(): + +=over 4 + +=item "W"/"warning" + +=item "F"/"fatal" + +=item "U"/"unknown" + +This indicates that no support is available for this alert type. +Probably B does not contain a correct alert message. + +=back + +The following strings can occur for SSL_alert_desc_string() or +SSL_alert_desc_string_long(): + +=over 4 + +=item "CN"/"close notify" + +The connection shall be closed. This is a warning alert. + +=item "UM"/"unexpected message" + +An inappropriate message was received. This alert is always fatal +and should never be observed in communication between proper +implementations. + +=item "BM"/"bad record mac" + +This alert is returned if a record is received with an incorrect +MAC. This message is always fatal. + +=item "DF"/"decompression failure" + +The decompression function received improper input (e.g. data +that would expand to excessive length). This message is always +fatal. + +=item "HF"/"handshake failure" + +Reception of a handshake_failure alert message indicates that the +sender was unable to negotiate an acceptable set of security +parameters given the options available. This is a fatal error. + +=item "NC"/"no certificate" + +A client, that was asked to send a certificate, does not send a certificate +(SSLv3 only). + +=item "BC"/"bad certificate" + +A certificate was corrupt, contained signatures that did not +verify correctly, etc + +=item "UC"/"unsupported certificate" + +A certificate was of an unsupported type. + +=item "CR"/"certificate revoked" + +A certificate was revoked by its signer. + +=item "CE"/"certificate expired" + +A certificate has expired or is not currently valid. + +=item "CU"/"certificate unknown" + +Some other (unspecified) issue arose in processing the +certificate, rendering it unacceptable. 
+ +=item "IP"/"illegal parameter" + +A field in the handshake was out of range or inconsistent with +other fields. This is always fatal. + +=item "DC"/"decryption failed" + +A TLSCiphertext decrypted in an invalid way: either it wasn`t an +even multiple of the block length or its padding values, when +checked, weren`t correct. This message is always fatal. + +=item "RO"/"record overflow" + +A TLSCiphertext record was received which had a length more than +2^14+2048 bytes, or a record decrypted to a TLSCompressed record +with more than 2^14+1024 bytes. This message is always fatal. + +=item "CA"/"unknown CA" + +A valid certificate chain or partial chain was received, but the +certificate was not accepted because the CA certificate could not +be located or couldn`t be matched with a known, trusted CA. This +message is always fatal. + +=item "AD"/"access denied" + +A valid certificate was received, but when access control was +applied, the sender decided not to proceed with negotiation. +This message is always fatal. + +=item "DE"/"decode error" + +A message could not be decoded because some field was out of the +specified range or the length of the message was incorrect. This +message is always fatal. + +=item "CY"/"decrypt error" + +A handshake cryptographic operation failed, including being +unable to correctly verify a signature, decrypt a key exchange, +or validate a finished message. + +=item "ER"/"export restriction" + +A negotiation not in compliance with export restrictions was +detected; for example, attempting to transfer a 1024 bit +ephemeral RSA key for the RSA_EXPORT handshake method. This +message is always fatal. + +=item "PV"/"protocol version" + +The protocol version the client has attempted to negotiate is +recognized, but not supported. (For example, old protocol +versions might be avoided for security reasons). This message is +always fatal. 
+ +=item "IS"/"insufficient security" + +Returned instead of handshake_failure when a negotiation has +failed specifically because the server requires ciphers more +secure than those supported by the client. This message is always +fatal. + +=item "IE"/"internal error" + +An internal error unrelated to the peer or the correctness of the +protocol makes it impossible to continue (such as a memory +allocation failure). This message is always fatal. + +=item "US"/"user canceled" + +This handshake is being canceled for some reason unrelated to a +protocol failure. If the user cancels an operation after the +handshake is complete, just closing the connection by sending a +close_notify is more appropriate. This alert should be followed +by a close_notify. This message is generally a warning. + +=item "NR"/"no renegotiation" + +Sent by the client in response to a hello request or by the +server in response to a client hello after initial handshaking. +Either of these would normally lead to renegotiation; when that +is not appropriate, the recipient should respond with this alert; +at that point, the original requester can decide whether to +proceed with the connection. One case where this would be +appropriate would be where a server has spawned a process to +satisfy a request; the process might receive security parameters +(key length, authentication, etc.) at startup and it might be +difficult to communicate changes to these parameters after that +point. This message is always a warning. + +=item "UK"/"unknown" + +This indicates that no description is available for this alert type. +Probably B does not contain a correct alert message. + +=back + +=head1 SEE ALSO + +L + +=cut diff --git a/doc/ssl/ssl.pod b/doc/ssl/ssl.pod index 6fc5f9050..bee252aa8 100644 --- a/doc/ssl/ssl.pod +++ b/doc/ssl/ssl.pod @@ -676,6 +676,7 @@ L, L, L, L, +L, L, L, L, diff --git a/ssl/ssl_stat.c b/ssl/ssl_stat.c index d74e0aa7c..e8b4f56aa 100644 --- a/ssl/ssl_stat.c +++ b/ssl/ssl_stat.c 
@@ -387,6 +387,18 @@ char *SSL_alert_desc_string(int value)
 case SSL3_AD_CERTIFICATE_EXPIRED: str="CE"; break;
 case SSL3_AD_CERTIFICATE_UNKNOWN: str="CU"; break;
 case SSL3_AD_ILLEGAL_PARAMETER: str="IP"; break;
+ case TLS1_AD_DECRYPTION_FAILED str="DC"; break;
+ case TLS1_AD_RECORD_OVERFLOW str="RO"; break;
+ case TLS1_AD_UNKNOWN_CA str="CA"; break;
+ case TLS1_AD_ACCESS_DENIED str="AD"; break;
+ case TLS1_AD_DECODE_ERROR str="DE"; break;
+ case TLS1_AD_DECRYPT_ERROR str="CY"; break;
+ case TLS1_AD_EXPORT_RESTRICTION str="ER"; break;
+ case TLS1_AD_PROTOCOL_VERSION str="PV"; break;
+ case TLS1_AD_INSUFFICIENT_SECURITY str="IS"; break;
+ case TLS1_AD_INTERNAL_ERROR str="IE"; break;
+ case TLS1_AD_USER_CANCELLED str="US"; break;
+ case TLS1_AD_NO_RENEGOTIATION str="NR"; break;
 default: str="UK"; break;
 }
 return(str);
@@ -434,6 +446,42 @@ char *SSL_alert_desc_string_long(int value)
 case SSL3_AD_ILLEGAL_PARAMETER:
 str="illegal parameter";
 break;
+ case TLS1_AD_DECRYPTION_FAILED
+ str="decryption failed";
+ break;
+ case TLS1_AD_RECORD_OVERFLOW
+ str="record overflow";
+ break;
+ case TLS1_AD_UNKNOWN_CA
+ str="unknown CA";
+ break;
+ case TLS1_AD_ACCESS_DENIED
+ str="access denied";
+ break;
+ case TLS1_AD_DECODE_ERROR
+ str="decode error";
+ break;
+ case TLS1_AD_DECRYPT_ERROR
+ str="decrypt error";
+ break;
+ case TLS1_AD_EXPORT_RESTRICTION
+ str="export restriction";
+ break;
+ case TLS1_AD_PROTOCOL_VERSION
+ str="protocol version";
+ break;
+ case TLS1_AD_INSUFFICIENT_SECURITY
+ str="insufficient security";
+ break;
+ case TLS1_AD_INTERNAL_ERROR
+ str="internal error";
+ break;
+ case TLS1_AD_USER_CANCELLED
+ str="user canceled";
+ break;
+ case TLS1_AD_NO_RENEGOTIATION
+ str="no renegotiation";
+ break;
 default: str="unknown"; break;
 }
 return(str);
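Review bot: Every added `case TLS1_AD_…` label in the SSL_alert_desc_string() hunk is missing the `:` that the neighbouring `SSL3_AD_…` context lines carry, so ssl/ssl_stat.c will not compile as written; each line should read like `case TLS1_AD_DECRYPTION_FAILED: str="DC"; break;`. The same omission repeats on all twelve labels added in the SSL_alert_desc_string_long() hunk, e.g. `case TLS1_AD_DECRYPTION_FAILED:` before `str="decryption failed";`. The hunk headers also show both functions returning `char *` while the new pod synopsis documents `const char *`; since the returned values are string literals, aligning the declarations with the documentation is worth a follow-up. Both switch statements start outside the hunks.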