*) applies to 0.9.6a/0.9.6b and 0.9.7
+) applies to 0.9.7 only
+ +) Cleanup of EVP macros.
+ [Ben Laurie]
+
+ +) Change historical references to {NID,SN,LN}_des_ede and ede3 to add the
+ correct _ecb suffix.
+ [Ben Laurie]
+
+) Add initial OCSP responder support to ocsp application. The
revocation information is handled using the text based index
use by the ca application. The responder can either handle
"purify", "purify gcc:-g -DPURIFY -Wall::(unknown)::-lsocket -lnsl::::",
"debug", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror::(unknown)::-lefence::::",
"debug-ben", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o",
+"debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
"debug-ben-debug", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::::",
"debug-ben-strict", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::",
"debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \
bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \
c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \
- evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c
+ evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c openbsd_hw.c
LIBOBJ= encode.o digest.o evp_enc.o evp_key.o \
e_des.o e_bf.o e_idea.o e_des3.o \
p_open.o p_seal.o p_sign.o p_verify.o p_lib.o p_enc.o p_dec.o \
bio_md.o bio_b64.o bio_enc.o evp_err.o e_null.o \
c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \
- evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o
+ evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o openbsd_hw.o
SRC= $(LIBSRC)
EVP_add_cipher_alias(SN_des_cbc,"DES");
EVP_add_cipher_alias(SN_des_cbc,"des");
EVP_add_cipher(EVP_des_ede_cbc());
+# ifdef OPENSSL_OPENBSD_DEV_CRYPTO
+ EVP_add_cipher(EVP_dev_crypto_des_ede3_cbc());
+# else
EVP_add_cipher(EVP_des_ede3_cbc());
+# endif
EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3");
EVP_add_cipher_alias(SN_des_ede3_cbc,"des3");
return 1;
}
-#define NID_des_ede_ecb NID_des_ede
-
BLOCK_CIPHER_defs(des_ede, des_ede, NID_des_ede, 8, 16, 8,
0, des_ede_init_key, NULL,
EVP_CIPHER_set_asn1_iv,
EVP_CIPHER_get_asn1_iv,
NULL)
-#define NID_des_ede3_ecb NID_des_ede3
#define des_ede3_cfb_cipher des_ede_cfb_cipher
#define des_ede3_ofb_cipher des_ede_ofb_cipher
#define des_ede3_cbc_cipher des_ede_cbc_cipher
#endif
#ifndef OPENSSL_NO_AES
RIJNDAEL_KEY rijndael;
+#endif
+#ifdef OPENSSL_OPENBSD_DEV_CRYPTO
+ struct session_op *dev_crypto;
#endif
} c;
int final_used;
const EVP_CIPHER *EVP_des_ede_cbc(void);
const EVP_CIPHER *EVP_des_ede3_cbc(void);
const EVP_CIPHER *EVP_desx_cbc(void);
+# ifdef OPENSSL_OPENBSD_DEV_CRYPTO
+const EVP_CIPHER *EVP_dev_crypto_des_ede3_cbc(void);
+# endif
#endif
#ifndef OPENSSL_NO_RC4
const EVP_CIPHER *EVP_rc4(void);
BLOCK_CIPHER_func_ecb(cname, cprefix, kname) \
BLOCK_CIPHER_func_ofb(cname, cprefix, kname)
+#define BLOCK_CIPHER_def1(cname, nmode, mode, MODE, kstruct, nid, block_size, \
+ key_len, iv_len, flags, init_key, cleanup, \
+ set_asn1, get_asn1, ctrl) \
+static const EVP_CIPHER cname##_##mode = { \
+ nid##_##nmode, block_size, key_len, iv_len, \
+ flags | EVP_CIPH_##MODE##_MODE, \
+ init_key, \
+ cname##_##mode##_cipher, \
+ cleanup, \
+ sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+\
+ sizeof((((EVP_CIPHER_CTX *)NULL)->c.kstruct)),\
+ set_asn1, get_asn1,\
+ ctrl, \
+ NULL \
+}; \
+const EVP_CIPHER *EVP_##cname##_##mode(void) { return &cname##_##mode; }
+
+#define BLOCK_CIPHER_def_cbc(cname, kstruct, nid, block_size, key_len, \
+ iv_len, flags, init_key, cleanup, set_asn1, \
+ get_asn1, ctrl) \
+BLOCK_CIPHER_def1(cname, cbc, cbc, CBC, kstruct, nid, block_size, key_len, \
+ iv_len, flags, init_key, cleanup, set_asn1, get_asn1, ctrl)
+
+#define BLOCK_CIPHER_def_cfb(cname, kstruct, nid, block_size, key_len, \
+ iv_len, flags, init_key, cleanup, set_asn1, \
+ get_asn1, ctrl) \
+BLOCK_CIPHER_def1(cname, cfb64, cfb, CFB, kstruct, nid, block_size, key_len, \
+ iv_len, flags, init_key, cleanup, set_asn1, get_asn1, ctrl)
+
+#define BLOCK_CIPHER_def_ofb(cname, kstruct, nid, block_size, key_len, \
+ iv_len, flags, init_key, cleanup, set_asn1, \
+ get_asn1, ctrl) \
+BLOCK_CIPHER_def1(cname, ofb64, ofb, OFB, kstruct, nid, block_size, key_len, \
+ iv_len, flags, init_key, cleanup, set_asn1, get_asn1, ctrl)
+
+#define BLOCK_CIPHER_def_ecb(cname, kstruct, nid, block_size, key_len, \
+ iv_len, flags, init_key, cleanup, set_asn1, \
+ get_asn1, ctrl) \
+BLOCK_CIPHER_def1(cname, ecb, ecb, ECB, kstruct, nid, block_size, key_len, \
+ iv_len, flags, init_key, cleanup, set_asn1, get_asn1, ctrl)
+
+#define BLOCK_CIPHER_defs(cname, kstruct, \
+ nid, block_size, key_len, iv_len, flags, \
+ init_key, cleanup, set_asn1, get_asn1, ctrl) \
+BLOCK_CIPHER_def_cbc(cname, kstruct, nid, block_size, key_len, iv_len, flags, \
+ init_key, cleanup, set_asn1, get_asn1, ctrl) \
+BLOCK_CIPHER_def_cfb(cname, kstruct, nid, block_size, key_len, iv_len, flags, \
+ init_key, cleanup, set_asn1, get_asn1, ctrl) \
+BLOCK_CIPHER_def_ofb(cname, kstruct, nid, block_size, key_len, iv_len, flags, \
+ init_key, cleanup, set_asn1, get_asn1, ctrl) \
+BLOCK_CIPHER_def_ecb(cname, kstruct, nid, block_size, key_len, iv_len, flags, \
+ init_key, cleanup, set_asn1, get_asn1, ctrl)
+
+
+/*
#define BLOCK_CIPHER_defs(cname, kstruct, \
nid, block_size, key_len, iv_len, flags,\
init_key, cleanup, set_asn1, get_asn1, ctrl)\
NULL \
};\
const EVP_CIPHER *EVP_##cname##_ecb(void) { return &cname##_ecb; }
-
+*/
#define IMPLEMENT_BLOCK_CIPHER(cname, kname, cprefix, kstruct, \
--- /dev/null
+/*
+ * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <fcntl.h>
+#include <stdio.h>
+#include <errno.h>
+#include <sys/ioctl.h>
+#include <crypto/cryptodev.h>
+#include <unistd.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include "evp_locl.h"
+#include <assert.h>
+
+// longest key supported in hardware
+#define MAX_HW_KEY 24
+
+static int fd;
+static int dev_failed;
+
+static void err(const char *str)
+ {
+ fprintf(stderr,"%s: errno %d\n",str,errno);
+ }
+
+static int dev_crypto_init(EVP_CIPHER_CTX *ctx)
+ {
+ if(dev_failed)
+ return 0;
+ if(!fd)
+ {
+ int cryptodev_fd;
+
+ if ((cryptodev_fd=open("/dev/crypto",O_RDWR,0)) < 0)
+ {
+ err("/dev/crypto");
+ dev_failed=1;
+ return 0;
+ }
+ if (ioctl(cryptodev_fd,CRIOGET,&fd) == -1)
+ {
+ err("CRIOGET failed");
+ close(cryptodev_fd);
+ dev_failed=1;
+ return 0;
+ }
+ close(cryptodev_fd);
+ }
+ if(!ctx->c.dev_crypto)
+ {
+ ctx->c.dev_crypto=OPENSSL_malloc(sizeof *ctx->c.dev_crypto);
+ memset(ctx->c.dev_crypto,'\0',sizeof *ctx->c.dev_crypto);
+ ctx->c.dev_crypto->key=OPENSSL_malloc(MAX_HW_KEY);
+ }
+
+ return 1;
+ }
+
+static int dev_crypto_cleanup(EVP_CIPHER_CTX *ctx)
+ {
+ if(ioctl(fd,CIOCFSESSION,ctx->c.dev_crypto->ses) == -1)
+ err("CIOCFSESSION failed");
+
+ OPENSSL_free(ctx->c.dev_crypto->key);
+ OPENSSL_free(ctx->c.dev_crypto);
+ ctx->c.dev_crypto=NULL;
+
+ return 1;
+ }
+
+// FIXME: there should be some non-fatal way to report we fell back to s/w?
+static int dev_crypto_des_ede3_init_key(EVP_CIPHER_CTX *ctx,
+ const unsigned char *key,
+ const unsigned char *iv, int enc)
+ {
+ if(!dev_crypto_init(ctx))
+ {
+ // fall back to using software...
+ ctx->cipher=EVP_des_ede3_cbc();
+ return ctx->cipher->init(ctx,key,iv,enc);
+ }
+ memcpy(ctx->c.dev_crypto->key,key,24);
+
+ ctx->c.dev_crypto->cipher=CRYPTO_3DES_CBC;
+ ctx->c.dev_crypto->mac=0;
+ ctx->c.dev_crypto->keylen=24;
+
+ if (ioctl(fd,CIOCGSESSION,ctx->c.dev_crypto) == -1)
+ {
+ err("CIOCGSESSION failed");
+ // fall back to using software...
+ dev_crypto_cleanup(ctx);
+ ctx->cipher=EVP_des_ede3_cbc();
+ return ctx->cipher->init(ctx,key,iv,enc);
+ }
+ return 1;
+ }
+
+static int dev_crypto_des_ede3_cbc_cipher(EVP_CIPHER_CTX *ctx,
+ unsigned char *out,
+ const unsigned char *in,
+ unsigned int inl)
+ {
+ struct crypt_op cryp;
+ unsigned char lb[8];
+
+ assert(ctx->c.dev_crypto);
+ assert(!dev_failed);
+
+ memset(&cryp,'\0',sizeof cryp);
+ cryp.ses=ctx->c.dev_crypto->ses;
+ cryp.op=ctx->encrypt ? COP_ENCRYPT : COP_DECRYPT;
+ cryp.flags=0;
+ // cryp.len=((inl+7)/8)*8;
+ cryp.len=inl;
+ assert((inl&7) == 0);
+ cryp.src=(caddr_t)in;
+ cryp.dst=(caddr_t)out;
+ cryp.mac=0;
+ cryp.iv=(caddr_t)ctx->iv;
+
+ if(!ctx->encrypt)
+ memcpy(lb,&in[cryp.len-8],8);
+
+ if (ioctl(fd, CIOCCRYPT, &cryp) == -1)
+ {
+ err("CIOCCRYPT failed");
+ abort();
+ return 0;
+ }
+
+ if(ctx->encrypt)
+ memcpy(ctx->iv,&out[cryp.len-8],8);
+ else
+ memcpy(ctx->iv,lb,8);
+
+ return 1;
+ }
+
+BLOCK_CIPHER_def_cbc(dev_crypto_des_ede3, des_ede,NID_des_ede3, 8, 24, 8,
+ 0, dev_crypto_des_ede3_init_key,
+ dev_crypto_cleanup,
+ EVP_CIPHER_set_asn1_iv,
+ EVP_CIPHER_get_asn1_iv,
+ NULL)
0x2B,0x0E,0x03,0x02,0x06, /* [187] OBJ_des_ecb */
0x2B,0x0E,0x03,0x02,0x09, /* [192] OBJ_des_cfb64 */
0x2B,0x0E,0x03,0x02,0x07, /* [197] OBJ_des_cbc */
-0x2B,0x0E,0x03,0x02,0x11, /* [202] OBJ_des_ede */
+0x2B,0x0E,0x03,0x02,0x11, /* [202] OBJ_des_ede_ecb */
0x2B,0x06,0x01,0x04,0x01,0x81,0x3C,0x07,0x01,0x01,0x02,/* [207] OBJ_idea_cbc */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x02, /* [218] OBJ_rc2_cbc */
0x2B,0x0E,0x03,0x02,0x12, /* [226] OBJ_sha */
{"DES-ECB","des-ecb",NID_des_ecb,5,&(lvalues[187]),0},
{"DES-CFB","des-cfb",NID_des_cfb64,5,&(lvalues[192]),0},
{"DES-CBC","des-cbc",NID_des_cbc,5,&(lvalues[197]),0},
-{"DES-EDE","des-ede",NID_des_ede,5,&(lvalues[202]),0},
-{"DES-EDE3","des-ede3",NID_des_ede3,0,NULL},
+{"DES-EDE","des-ede",NID_des_ede_ecb,5,&(lvalues[202]),0},
+{"DES-EDE3","des-ede3",NID_des_ede3_ecb,0,NULL},
{"IDEA-CBC","idea-cbc",NID_idea_cbc,11,&(lvalues[207]),0},
{"IDEA-CFB","idea-cfb",NID_idea_cfb64,0,NULL},
{"IDEA-ECB","idea-ecb",NID_idea_ecb,0,NULL},
&(nid_objs[67]),/* OBJ_dsa_2 1 3 14 3 2 12 */
&(nid_objs[66]),/* OBJ_dsaWithSHA 1 3 14 3 2 13 */
&(nid_objs[42]),/* OBJ_shaWithRSAEncryption 1 3 14 3 2 15 */
-&(nid_objs[32]),/* OBJ_des_ede 1 3 14 3 2 17 */
+&(nid_objs[32]),/* OBJ_des_ede_ecb 1 3 14 3 2 17 */
&(nid_objs[41]),/* OBJ_sha 1 3 14 3 2 18 */
&(nid_objs[64]),/* OBJ_sha1 1 3 14 3 2 26 */
&(nid_objs[70]),/* OBJ_dsaWithSHA1_2 1 3 14 3 2 27 */
#define NID_shaWithRSAEncryption 42
#define OBJ_shaWithRSAEncryption OBJ_algorithm,15L
-#define SN_des_ede "DES-EDE"
-#define LN_des_ede "des-ede"
-#define NID_des_ede 32
-#define OBJ_des_ede OBJ_algorithm,17L
-
-#define SN_des_ede3 "DES-EDE3"
-#define LN_des_ede3 "des-ede3"
-#define NID_des_ede3 33
+#define SN_des_ede_ecb "DES-EDE"
+#define LN_des_ede_ecb "des-ede"
+#define NID_des_ede_ecb 32
+#define OBJ_des_ede_ecb OBJ_algorithm,17L
+
+#define SN_des_ede3_ecb "DES-EDE3"
+#define LN_des_ede3_ecb "des-ede3"
+#define NID_des_ede3_ecb 33
#define SN_des_ede_cbc "DES-EDE-CBC"
#define LN_des_ede_cbc "des-ede-cbc"
des_ecb 29
des_cfb64 30
des_cbc 31
-des_ede 32
-des_ede3 33
+des_ede_ecb 32
+des_ede3_ecb 33
idea_cbc 34
idea_cfb64 35
idea_ecb 36
algorithm 12 : DSA-old : dsaEncryption-old
algorithm 13 : DSA-SHA : dsaWithSHA
algorithm 15 : RSA-SHA : shaWithRSAEncryption
+!Cname des-ede-ecb
algorithm 17 : DES-EDE : des-ede
+!Cname des-ede3-ecb
: DES-EDE3 : des-ede3
: DES-EDE-CBC : des-ede-cbc
!Cname des-ede-cfb64