Clean up EVP macros, rename DES EDE3 modes correctly, temporary support for
OpenBSD /dev/crypto (this will be revamped later when the appropriate machinery
is available).
diff --git a/CHANGES b/CHANGES
index b1929ca..e4c1778 100644
--- a/CHANGES
+++ b/CHANGES
@@ -12,6 +12,13 @@
*) applies to 0.9.6a/0.9.6b and 0.9.7
+) applies to 0.9.7 only
+ +) Cleanup of EVP macros.
+ [Ben Laurie]
+
+ +) Change historical references to {NID,SN,LN}_des_ede and ede3 to add the
+ correct _ecb suffix.
+ [Ben Laurie]
+
+) Add initial OCSP responder support to ocsp application. The
revocation information is handled using the text based index
use by the ca application. The responder can either handle
diff --git a/Configure b/Configure
index 610336c..0954401 100755
--- a/Configure
+++ b/Configure
@@ -133,6 +133,7 @@
"purify", "purify gcc:-g -DPURIFY -Wall::(unknown)::-lsocket -lnsl::::",
"debug", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror::(unknown)::-lefence::::",
"debug-ben", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o",
+"debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
"debug-ben-debug", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::::",
"debug-ben-strict", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::",
"debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
diff --git a/crypto/evp/Makefile.ssl b/crypto/evp/Makefile.ssl
index 0e7f2e1..7ad3e0e 100644
--- a/crypto/evp/Makefile.ssl
+++ b/crypto/evp/Makefile.ssl
@@ -32,7 +32,7 @@
p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \
bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \
c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \
- evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c
+ evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c openbsd_hw.c
LIBOBJ= encode.o digest.o evp_enc.o evp_key.o \
e_des.o e_bf.o e_idea.o e_des3.o \
@@ -43,7 +43,7 @@
p_open.o p_seal.o p_sign.o p_verify.o p_lib.o p_enc.o p_dec.o \
bio_md.o bio_b64.o bio_enc.o evp_err.o e_null.o \
c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \
- evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o
+ evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o openbsd_hw.o
SRC= $(LIBSRC)
diff --git a/crypto/evp/c_allc.c b/crypto/evp/c_allc.c
index 0fe5457..def53b6 100644
--- a/crypto/evp/c_allc.c
+++ b/crypto/evp/c_allc.c
@@ -82,7 +82,11 @@
EVP_add_cipher_alias(SN_des_cbc,"DES");
EVP_add_cipher_alias(SN_des_cbc,"des");
EVP_add_cipher(EVP_des_ede_cbc());
+# ifdef OPENSSL_OPENBSD_DEV_CRYPTO
+ EVP_add_cipher(EVP_dev_crypto_des_ede3_cbc());
+# else
EVP_add_cipher(EVP_des_ede3_cbc());
+# endif
EVP_add_cipher_alias(SN_des_ede3_cbc,"DES3");
EVP_add_cipher_alias(SN_des_ede3_cbc,"des3");
diff --git a/crypto/evp/e_des3.c b/crypto/evp/e_des3.c
index f9e20c8..b1b36ce 100644
--- a/crypto/evp/e_des3.c
+++ b/crypto/evp/e_des3.c
@@ -119,15 +119,12 @@
return 1;
}
-#define NID_des_ede_ecb NID_des_ede
-
BLOCK_CIPHER_defs(des_ede, des_ede, NID_des_ede, 8, 16, 8,
0, des_ede_init_key, NULL,
EVP_CIPHER_set_asn1_iv,
EVP_CIPHER_get_asn1_iv,
NULL)
-#define NID_des_ede3_ecb NID_des_ede3
#define des_ede3_cfb_cipher des_ede_cfb_cipher
#define des_ede3_ofb_cipher des_ede_ofb_cipher
#define des_ede3_cbc_cipher des_ede_cbc_cipher
diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h
index 04cb709..93f9315 100644
--- a/crypto/evp/evp.h
+++ b/crypto/evp/evp.h
@@ -454,6 +454,9 @@
#ifndef OPENSSL_NO_AES
RIJNDAEL_KEY rijndael;
#endif
+#ifdef OPENSSL_OPENBSD_DEV_CRYPTO
+ struct session_op *dev_crypto;
+#endif
} c;
int final_used;
int block_mask;
@@ -674,6 +677,9 @@
const EVP_CIPHER *EVP_des_ede_cbc(void);
const EVP_CIPHER *EVP_des_ede3_cbc(void);
const EVP_CIPHER *EVP_desx_cbc(void);
+# ifdef OPENSSL_OPENBSD_DEV_CRYPTO
+const EVP_CIPHER *EVP_dev_crypto_des_ede3_cbc(void);
+# endif
#endif
#ifndef OPENSSL_NO_RC4
const EVP_CIPHER *EVP_rc4(void);
diff --git a/crypto/evp/evp_locl.h b/crypto/evp/evp_locl.h
index 91670b4..264e9ce 100644
--- a/crypto/evp/evp_locl.h
+++ b/crypto/evp/evp_locl.h
@@ -101,6 +101,61 @@
BLOCK_CIPHER_func_ecb(cname, cprefix, kname) \
BLOCK_CIPHER_func_ofb(cname, cprefix, kname)
+#define BLOCK_CIPHER_def1(cname, nmode, mode, MODE, kstruct, nid, block_size, \
+ key_len, iv_len, flags, init_key, cleanup, \
+ set_asn1, get_asn1, ctrl) \
+static const EVP_CIPHER cname##_##mode = { \
+ nid##_##nmode, block_size, key_len, iv_len, \
+ flags | EVP_CIPH_##MODE##_MODE, \
+ init_key, \
+ cname##_##mode##_cipher, \
+ cleanup, \
+ sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+\
+ sizeof((((EVP_CIPHER_CTX *)NULL)->c.kstruct)),\
+ set_asn1, get_asn1,\
+ ctrl, \
+ NULL \
+}; \
+const EVP_CIPHER *EVP_##cname##_##mode(void) { return &cname##_##mode; }
+
+#define BLOCK_CIPHER_def_cbc(cname, kstruct, nid, block_size, key_len, \
+ iv_len, flags, init_key, cleanup, set_asn1, \
+ get_asn1, ctrl) \
+BLOCK_CIPHER_def1(cname, cbc, cbc, CBC, kstruct, nid, block_size, key_len, \
+ iv_len, flags, init_key, cleanup, set_asn1, get_asn1, ctrl)
+
+#define BLOCK_CIPHER_def_cfb(cname, kstruct, nid, block_size, key_len, \
+ iv_len, flags, init_key, cleanup, set_asn1, \
+ get_asn1, ctrl) \
+BLOCK_CIPHER_def1(cname, cfb64, cfb, CFB, kstruct, nid, block_size, key_len, \
+ iv_len, flags, init_key, cleanup, set_asn1, get_asn1, ctrl)
+
+#define BLOCK_CIPHER_def_ofb(cname, kstruct, nid, block_size, key_len, \
+ iv_len, flags, init_key, cleanup, set_asn1, \
+ get_asn1, ctrl) \
+BLOCK_CIPHER_def1(cname, ofb64, ofb, OFB, kstruct, nid, block_size, key_len, \
+ iv_len, flags, init_key, cleanup, set_asn1, get_asn1, ctrl)
+
+#define BLOCK_CIPHER_def_ecb(cname, kstruct, nid, block_size, key_len, \
+ iv_len, flags, init_key, cleanup, set_asn1, \
+ get_asn1, ctrl) \
+BLOCK_CIPHER_def1(cname, ecb, ecb, ECB, kstruct, nid, block_size, key_len, \
+ iv_len, flags, init_key, cleanup, set_asn1, get_asn1, ctrl)
+
+#define BLOCK_CIPHER_defs(cname, kstruct, \
+ nid, block_size, key_len, iv_len, flags, \
+ init_key, cleanup, set_asn1, get_asn1, ctrl) \
+BLOCK_CIPHER_def_cbc(cname, kstruct, nid, block_size, key_len, iv_len, flags, \
+ init_key, cleanup, set_asn1, get_asn1, ctrl) \
+BLOCK_CIPHER_def_cfb(cname, kstruct, nid, block_size, key_len, iv_len, flags, \
+ init_key, cleanup, set_asn1, get_asn1, ctrl) \
+BLOCK_CIPHER_def_ofb(cname, kstruct, nid, block_size, key_len, iv_len, flags, \
+ init_key, cleanup, set_asn1, get_asn1, ctrl) \
+BLOCK_CIPHER_def_ecb(cname, kstruct, nid, block_size, key_len, iv_len, flags, \
+ init_key, cleanup, set_asn1, get_asn1, ctrl)
+
+
+/*
#define BLOCK_CIPHER_defs(cname, kstruct, \
nid, block_size, key_len, iv_len, flags,\
init_key, cleanup, set_asn1, get_asn1, ctrl)\
@@ -156,7 +211,7 @@
NULL \
};\
const EVP_CIPHER *EVP_##cname##_ecb(void) { return &cname##_ecb; }
-
+*/
#define IMPLEMENT_BLOCK_CIPHER(cname, kname, cprefix, kstruct, \
diff --git a/crypto/evp/openbsd_hw.c b/crypto/evp/openbsd_hw.c
new file mode 100644
index 0000000..012856a
--- /dev/null
+++ b/crypto/evp/openbsd_hw.c
@@ -0,0 +1,190 @@
+/*
+ * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <fcntl.h>
+#include <stdio.h>
+#include <errno.h>
+#include <sys/ioctl.h>
+#include <crypto/cryptodev.h>
+#include <unistd.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include "evp_locl.h"
+#include <assert.h>
+
+// longest key supported in hardware
+#define MAX_HW_KEY 24
+
+static int fd;
+static int dev_failed;
+
+static void err(const char *str)
+ {
+ fprintf(stderr,"%s: errno %d\n",str,errno);
+ }
+
+static int dev_crypto_init(EVP_CIPHER_CTX *ctx)
+ {
+ if(dev_failed)
+ return 0;
+ if(!fd)
+ {
+ int cryptodev_fd;
+
+ if ((cryptodev_fd=open("/dev/crypto",O_RDWR,0)) < 0)
+ {
+ err("/dev/crypto");
+ dev_failed=1;
+ return 0;
+ }
+ if (ioctl(cryptodev_fd,CRIOGET,&fd) == -1)
+ {
+ err("CRIOGET failed");
+ close(cryptodev_fd);
+ dev_failed=1;
+ return 0;
+ }
+ close(cryptodev_fd);
+ }
+ if(!ctx->c.dev_crypto)
+ {
+ ctx->c.dev_crypto=OPENSSL_malloc(sizeof *ctx->c.dev_crypto);
+ memset(ctx->c.dev_crypto,'\0',sizeof *ctx->c.dev_crypto);
+ ctx->c.dev_crypto->key=OPENSSL_malloc(MAX_HW_KEY);
+ }
+
+ return 1;
+ }
+
+static int dev_crypto_cleanup(EVP_CIPHER_CTX *ctx)
+ {
+ if(ioctl(fd,CIOCFSESSION,ctx->c.dev_crypto->ses) == -1)
+ err("CIOCFSESSION failed");
+
+ OPENSSL_free(ctx->c.dev_crypto->key);
+ OPENSSL_free(ctx->c.dev_crypto);
+ ctx->c.dev_crypto=NULL;
+
+ return 1;
+ }
+
+// FIXME: there should be some non-fatal way to report we fell back to s/w?
+static int dev_crypto_des_ede3_init_key(EVP_CIPHER_CTX *ctx,
+ const unsigned char *key,
+ const unsigned char *iv, int enc)
+ {
+ if(!dev_crypto_init(ctx))
+ {
+ // fall back to using software...
+ ctx->cipher=EVP_des_ede3_cbc();
+ return ctx->cipher->init(ctx,key,iv,enc);
+ }
+ memcpy(ctx->c.dev_crypto->key,key,24);
+
+ ctx->c.dev_crypto->cipher=CRYPTO_3DES_CBC;
+ ctx->c.dev_crypto->mac=0;
+ ctx->c.dev_crypto->keylen=24;
+
+ if (ioctl(fd,CIOCGSESSION,ctx->c.dev_crypto) == -1)
+ {
+ err("CIOCGSESSION failed");
+ // fall back to using software...
+ dev_crypto_cleanup(ctx);
+ ctx->cipher=EVP_des_ede3_cbc();
+ return ctx->cipher->init(ctx,key,iv,enc);
+ }
+ return 1;
+ }
+
+static int dev_crypto_des_ede3_cbc_cipher(EVP_CIPHER_CTX *ctx,
+ unsigned char *out,
+ const unsigned char *in,
+ unsigned int inl)
+ {
+ struct crypt_op cryp;
+ unsigned char lb[8];
+
+ assert(ctx->c.dev_crypto);
+ assert(!dev_failed);
+
+ memset(&cryp,'\0',sizeof cryp);
+ cryp.ses=ctx->c.dev_crypto->ses;
+ cryp.op=ctx->encrypt ? COP_ENCRYPT : COP_DECRYPT;
+ cryp.flags=0;
+ // cryp.len=((inl+7)/8)*8;
+ cryp.len=inl;
+ assert((inl&7) == 0);
+ cryp.src=(caddr_t)in;
+ cryp.dst=(caddr_t)out;
+ cryp.mac=0;
+ cryp.iv=(caddr_t)ctx->iv;
+
+ if(!ctx->encrypt)
+ memcpy(lb,&in[cryp.len-8],8);
+
+ if (ioctl(fd, CIOCCRYPT, &cryp) == -1)
+ {
+ err("CIOCCRYPT failed");
+ abort();
+ return 0;
+ }
+
+ if(ctx->encrypt)
+ memcpy(ctx->iv,&out[cryp.len-8],8);
+ else
+ memcpy(ctx->iv,lb,8);
+
+ return 1;
+ }
+
+BLOCK_CIPHER_def_cbc(dev_crypto_des_ede3, des_ede,NID_des_ede3, 8, 24, 8,
+ 0, dev_crypto_des_ede3_init_key,
+ dev_crypto_cleanup,
+ EVP_CIPHER_set_asn1_iv,
+ EVP_CIPHER_get_asn1_iv,
+ NULL)
diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
index 17c806c..8e731bd 100644
--- a/crypto/objects/obj_dat.h
+++ b/crypto/objects/obj_dat.h
@@ -99,7 +99,7 @@
0x2B,0x0E,0x03,0x02,0x06, /* [187] OBJ_des_ecb */
0x2B,0x0E,0x03,0x02,0x09, /* [192] OBJ_des_cfb64 */
0x2B,0x0E,0x03,0x02,0x07, /* [197] OBJ_des_cbc */
-0x2B,0x0E,0x03,0x02,0x11, /* [202] OBJ_des_ede */
+0x2B,0x0E,0x03,0x02,0x11, /* [202] OBJ_des_ede_ecb */
0x2B,0x06,0x01,0x04,0x01,0x81,0x3C,0x07,0x01,0x01,0x02,/* [207] OBJ_idea_cbc */
0x2A,0x86,0x48,0x86,0xF7,0x0D,0x03,0x02, /* [218] OBJ_rc2_cbc */
0x2B,0x0E,0x03,0x02,0x12, /* [226] OBJ_sha */
@@ -578,8 +578,8 @@
{"DES-ECB","des-ecb",NID_des_ecb,5,&(lvalues[187]),0},
{"DES-CFB","des-cfb",NID_des_cfb64,5,&(lvalues[192]),0},
{"DES-CBC","des-cbc",NID_des_cbc,5,&(lvalues[197]),0},
-{"DES-EDE","des-ede",NID_des_ede,5,&(lvalues[202]),0},
-{"DES-EDE3","des-ede3",NID_des_ede3,0,NULL},
+{"DES-EDE","des-ede",NID_des_ede_ecb,5,&(lvalues[202]),0},
+{"DES-EDE3","des-ede3",NID_des_ede3_ecb,0,NULL},
{"IDEA-CBC","idea-cbc",NID_idea_cbc,11,&(lvalues[207]),0},
{"IDEA-CFB","idea-cfb",NID_idea_cfb64,0,NULL},
{"IDEA-ECB","idea-ecb",NID_idea_ecb,0,NULL},
@@ -2345,7 +2345,7 @@
&(nid_objs[67]),/* OBJ_dsa_2 1 3 14 3 2 12 */
&(nid_objs[66]),/* OBJ_dsaWithSHA 1 3 14 3 2 13 */
&(nid_objs[42]),/* OBJ_shaWithRSAEncryption 1 3 14 3 2 15 */
-&(nid_objs[32]),/* OBJ_des_ede 1 3 14 3 2 17 */
+&(nid_objs[32]),/* OBJ_des_ede_ecb 1 3 14 3 2 17 */
&(nid_objs[41]),/* OBJ_sha 1 3 14 3 2 18 */
&(nid_objs[64]),/* OBJ_sha1 1 3 14 3 2 26 */
&(nid_objs[70]),/* OBJ_dsaWithSHA1_2 1 3 14 3 2 27 */
diff --git a/crypto/objects/obj_mac.h b/crypto/objects/obj_mac.h
index cd114a2..725efdb 100644
--- a/crypto/objects/obj_mac.h
+++ b/crypto/objects/obj_mac.h
@@ -1475,14 +1475,14 @@
#define NID_shaWithRSAEncryption 42
#define OBJ_shaWithRSAEncryption OBJ_algorithm,15L
-#define SN_des_ede "DES-EDE"
-#define LN_des_ede "des-ede"
-#define NID_des_ede 32
-#define OBJ_des_ede OBJ_algorithm,17L
+#define SN_des_ede_ecb "DES-EDE"
+#define LN_des_ede_ecb "des-ede"
+#define NID_des_ede_ecb 32
+#define OBJ_des_ede_ecb OBJ_algorithm,17L
-#define SN_des_ede3 "DES-EDE3"
-#define LN_des_ede3 "des-ede3"
-#define NID_des_ede3 33
+#define SN_des_ede3_ecb "DES-EDE3"
+#define LN_des_ede3_ecb "des-ede3"
+#define NID_des_ede3_ecb 33
#define SN_des_ede_cbc "DES-EDE-CBC"
#define LN_des_ede_cbc "des-ede-cbc"
diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
index 362bdb7..b286543 100644
--- a/crypto/objects/obj_mac.num
+++ b/crypto/objects/obj_mac.num
@@ -30,8 +30,8 @@
des_ecb 29
des_cfb64 30
des_cbc 31
-des_ede 32
-des_ede3 33
+des_ede_ecb 32
+des_ede3_ecb 33
idea_cbc 34
idea_cfb64 35
idea_ecb 36
diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
index 86d337d..59e283b 100644
--- a/crypto/objects/objects.txt
+++ b/crypto/objects/objects.txt
@@ -486,7 +486,9 @@
algorithm 12 : DSA-old : dsaEncryption-old
algorithm 13 : DSA-SHA : dsaWithSHA
algorithm 15 : RSA-SHA : shaWithRSAEncryption
+!Cname des-ede-ecb
algorithm 17 : DES-EDE : des-ede
+!Cname des-ede3-ecb
: DES-EDE3 : des-ede3
: DES-EDE-CBC : des-ede-cbc
!Cname des-ede-cfb64
