XRootD
Loading...
Searching...
No Matches
XrdCryptosslCipher.cc
Go to the documentation of this file.
1/******************************************************************************/
2/* */
3/* X r d C r y p t o S s l C i p h e r . c c */
4/* */
5/* (c) 2004 by the Board of Trustees of the Leland Stanford, Jr., University */
6/* Produced by Gerri Ganis for CERN */
7/* */
8/* This file is part of the XRootD software suite. */
9/* */
10/* XRootD is free software: you can redistribute it and/or modify it under */
11/* the terms of the GNU Lesser General Public License as published by the */
12/* Free Software Foundation, either version 3 of the License, or (at your */
13/* option) any later version. */
14/* */
15/* XRootD is distributed in the hope that it will be useful, but WITHOUT */
16/* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or */
17/* FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public */
18/* License for more details. */
19/* */
20/* You should have received a copy of the GNU Lesser General Public License */
21/* along with XRootD in a file called COPYING.LESSER (LGPL license) and file */
22/* COPYING (GPL license). If not, see <http://www.gnu.org/licenses/>. */
23/* */
24/* The copyright holder's institutional names and contributor's names may not */
25/* be used to endorse or promote products derived from this software without */
26/* specific prior written permission of the institution or contributor. */
27/******************************************************************************/
28
29/* ************************************************************************** */
30/* */
31/* OpenSSL implementation of XrdCryptoCipher */
32/* */
33/* ************************************************************************** */
34#include <cstring>
35#include <cassert>
36
37#include "XrdSut/XrdSutRndm.hh"
38#include "XrdCrypto/XrdCryptosslTrace.hh"
39#include "XrdCrypto/XrdCryptosslCipher.hh"
40
41//#include <openssl/dsa.h>
42#include <openssl/bio.h>
43#include <openssl/pem.h>
44#include <openssl/dh.h>
45#if OPENSSL_VERSION_NUMBER >= 0x30000000L
46#include <openssl/core_names.h>
47#include <openssl/param_build.h>
48#endif
49
50// Hardcoded DH parameters that are acceptable to both OpenSSL 3.0 (RHEL9)
51// and 1.0.2 (RHEL7). OpenSSL 3.0 reworked the DH parameter generation algorithm
52// and now produces DH params that don't pass OpenSSL 1.0.2's parameter verification
53// function (`DH_check`). Accordingly, since these are safe to reuse, we generated
54// a single set of parameters for the server to always utilize.
55static const char dh_param_enc[] =
56R"(
57-----BEGIN DH PARAMETERS-----
58MIIBiAKCAYEAzcEAf3ZCkm0FxJLgKd1YoT16Hietl7QV8VgJNc5CYKmRu/gKylxT
59MVZJqtUmoh2IvFHCfbTGEmZM5LdVaZfMLQf7yXjecg0nSGklYZeQQ3P0qshFLbI9
60u3z1XhEeCbEZPq84WWwXacSAAxwwRRrN5nshgAavqvyDiGNi+GqYpqGPb9JE38R3
61GJ51FTPutZlvQvEycjCbjyajhpItBB+XvIjWj2GQyvi+cqB0WrPQAsxCOPrBTCZL
62OjM0NfJ7PQfllw3RDQev2u1Q+Rt8QyScJQCFUj/SWoxpw2ydpWdgAkrqTmdVYrev
63x5AoXE52cVIC8wfOxaaJ4cBpnJui3Y0jZcOQj0FtC0wf4WcBpHnLLBzKSOQwbxts
64WE8LkskPnwwrup/HqWimFFg40bC9F5Lm3CTDCb45mtlBxi3DydIbRLFhGAjlKzV3
65s9G3opHwwfgXpFf3+zg7NPV3g1//HLgWCvooOvMqaO+X7+lXczJJLMafEaarcAya
66Kyo8PGKIAORrAgEF
67-----END DH PARAMETERS-----
68)";
69
70// ---------------------------------------------------------------------------//
71//
72// Cipher interface
73//
74// ---------------------------------------------------------------------------//
75
76static EVP_PKEY *getFixedDHParams() {
77 static EVP_PKEY *dhparms = [] {
78 EVP_PKEY *dhParam = 0;
79
80 BIO *biop = BIO_new(BIO_s_mem());
81 BIO_write(biop, dh_param_enc, strlen(dh_param_enc));
82 PEM_read_bio_Parameters(biop, &dhParam);
83 BIO_free(biop);
84 return dhParam;
85 }();
86
87 assert(dhparms);
88 return dhparms;
89}
90
91static int XrdCheckDH (EVP_PKEY *pkey) {
92 // If the DH parameters we received are our fixed set we know they
93 // are acceptable. The parameter check requires computation and more
94 // with openssl 3 than previously. So skip if DH params are known.
95 const EVP_PKEY *dhparms = getFixedDHParams();
96#if OPENSSL_VERSION_NUMBER >= 0x30000000L
97 const bool skipcheck = EVP_PKEY_parameters_eq(pkey, dhparms);
98#else
99 const bool skipcheck = EVP_PKEY_cmp_parameters(pkey, dhparms);
100#endif
101 if (skipcheck) return 1;
102
103 int rc;
104 EVP_PKEY_CTX *ckctx = EVP_PKEY_CTX_new(pkey, 0);
105 rc = EVP_PKEY_param_check(ckctx);
106 EVP_PKEY_CTX_free(ckctx);
107 return rc;
108}
109
110//_____________________________________________________________________________
111bool XrdCryptosslCipher::IsSupported(const char *cip)
112{
113 // Check if the specified cipher is supported
114
115 return (EVP_get_cipherbyname(cip) != 0);
116}
117
118//____________________________________________________________________________
119XrdCryptosslCipher::XrdCryptosslCipher(const char *t, int l)
120{
121 // Main Constructor
122 // Complete initialization of a cipher of type t and length l
123 // The initialization vector is also created
124 // Used to create ciphers
125
126 valid = 0;
127 ctx = 0;
128 fIV = 0;
129 lIV = 0;
130 cipher = 0;
131 fDH = 0;
132 deflength = 1;
133
134 // Check and set type
135 char cipnam[64] = {"bf-cbc"};
136 if (t && strcmp(t,"default")) {
137 strcpy(cipnam,t);
138 cipnam[63] = 0;
139 }
140 cipher = EVP_get_cipherbyname(cipnam);
141
142 if (cipher) {
143 // Determine key length
144 l = (l > EVP_MAX_KEY_LENGTH) ? EVP_MAX_KEY_LENGTH : l;
145 int ldef = EVP_CIPHER_key_length(cipher);
146 int lgen = (l > ldef) ? l : ldef;
147 // Generate and set a new key
148 char *ktmp = XrdSutRndm::GetBuffer(lgen);
149 if (ktmp) {
150 // Init context
151 ctx = EVP_CIPHER_CTX_new();
152 if (ctx) {
153 valid = 1;
154 // Try setting the key length
155 if (l && l != ldef) {
156 EVP_CipherInit_ex(ctx, cipher, 0, 0, 0, 1);
157 EVP_CIPHER_CTX_set_key_length(ctx,l);
158 EVP_CipherInit_ex(ctx, 0, 0, (unsigned char *)ktmp, 0, 1);
159 if (l == EVP_CIPHER_CTX_key_length(ctx)) {
160 // Use the l bytes at ktmp
161 SetBuffer(l,ktmp);
162 deflength = 0;
163 }
164 }
165 if (!Length()) {
166 EVP_CipherInit_ex(ctx, cipher, 0, (unsigned char *)ktmp, 0, 1);
167 SetBuffer(ldef,ktmp);
168 }
169 // Set also the type
170 SetType(cipnam);
171 }
172 // Cleanup
173 delete[] ktmp;
174 }
175 }
176
177 // Finally, generate and set a new IV
178 if (valid)
179 GenerateIV();
180}
181
182//____________________________________________________________________________
183XrdCryptosslCipher::XrdCryptosslCipher(const char *t, int l,
184 const char *k, int liv, const char *iv)
185{
186 // Constructor.
187 // Initialize a cipher of type t and length l using the key at k and
188 // the initialization vector at iv.
189 // Used to import ciphers.
190 valid = 0;
191 ctx = 0;
192 fIV = 0;
193 lIV = 0;
194 fDH = 0;
195 cipher = 0;
196 deflength = 1;
197
198 // Check and set type
199 char cipnam[64] = {"bf-cbc"};
200 if (t && strcmp(t,"default")) {
201 strcpy(cipnam,t);
202 cipnam[63] = 0;
203 }
204 cipher = EVP_get_cipherbyname(cipnam);
205
206 if (cipher) {
207 // Init context
208 ctx = EVP_CIPHER_CTX_new();
209 if (ctx) {
210 // Set the key
211 SetBuffer(l,k);
212 if (l != EVP_CIPHER_key_length(cipher))
213 deflength = 0;
214 // Set also the type
215 SetType(cipnam);
216 // Set validity flag
217 valid = 1;
218 }
219 }
220 //
221 // Init cipher
222 if (valid) {
223 //
224 // Set the IV
225 SetIV(liv,iv);
226
227 if (deflength) {
228 EVP_CipherInit_ex(ctx, cipher, 0, (unsigned char *)Buffer(), 0, 1);
229 } else {
230 EVP_CipherInit_ex(ctx, cipher, 0, 0, 0, 1);
231 EVP_CIPHER_CTX_set_key_length(ctx,Length());
232 EVP_CipherInit_ex(ctx, 0, 0, (unsigned char *)Buffer(), 0, 1);
233 }
234 }
235}
236
237//____________________________________________________________________________
238XrdCryptosslCipher::XrdCryptosslCipher(XrdSutBucket *bck)
239{
240 // Constructor from bucket.
241 // Initialize a cipher of type t and length l using the key at k
242 // Used to import ciphers.
243 valid = 0;
244 ctx = 0;
245 fIV = 0;
246 lIV = 0;
247 fDH = 0;
248 cipher = 0;
249 deflength = 1;
250
251 if (bck && bck->size > 0) {
252
253 valid = 1;
254
255 kXR_int32 ltyp = 0;
256 kXR_int32 livc = 0;
257 kXR_int32 lbuf = 0;
258 kXR_int32 lp = 0;
259 kXR_int32 lg = 0;
260 kXR_int32 lpub = 0;
261 kXR_int32 lpri = 0;
262 char *bp = bck->buffer;
263 int cur = 0;
264 memcpy(&ltyp,bp+cur,sizeof(kXR_int32));
265 cur += sizeof(kXR_int32);
266 memcpy(&livc,bp+cur,sizeof(kXR_int32));
267 cur += sizeof(kXR_int32);
268 memcpy(&lbuf,bp+cur,sizeof(kXR_int32));
269 cur += sizeof(kXR_int32);
270 memcpy(&lp,bp+cur,sizeof(kXR_int32));
271 cur += sizeof(kXR_int32);
272 memcpy(&lg,bp+cur,sizeof(kXR_int32));
273 cur += sizeof(kXR_int32);
274 memcpy(&lpub,bp+cur,sizeof(kXR_int32));
275 cur += sizeof(kXR_int32);
276 memcpy(&lpri,bp+cur,sizeof(kXR_int32));
277 cur += sizeof(kXR_int32);
278 // Type
279 if (ltyp) {
280 char *buf = new char[ltyp+1];
281 if (buf) {
282 memcpy(buf,bp+cur,ltyp);
283 buf[ltyp] = 0;
284 cipher = EVP_get_cipherbyname(buf);
285 if (!cipher)
286 cipher = EVP_get_cipherbyname("bf-cbc");
287 if (cipher) {
288 // Set the type
289 SetType(buf);
290 } else {
291 valid = 0;
292 }
293 delete[] buf;
294 } else
295 valid = 0;
296 cur += ltyp;
297 }
298 // IV
299 if (livc) {
300 char *buf = new char[livc];
301 if (buf) {
302 memcpy(buf,bp+cur,livc);
303 cur += livc;
304 // Set the IV
305 SetIV(livc,buf);
306 delete[] buf;
307 } else
308 valid = 0;
309 cur += livc;
310 }
311 // buffer
312 if (lbuf) {
313 char *buf = new char[lbuf];
314 if (buf) {
315 memcpy(buf,bp+cur,lbuf);
316 // Set the buffer
317 UseBuffer(lbuf,buf);
318 if (cipher && lbuf != EVP_CIPHER_key_length(cipher))
319 deflength = 0;
320 } else
321 valid = 0;
322 cur += lbuf;
323 }
324 // DH, if any
325 if (lp > 0 || lg > 0 || lpub > 0 || lpri > 0) {
326 char *buf = 0;
327 BIGNUM *p = NULL, *g = NULL;
328 BIGNUM *pub = NULL, *pri = NULL;
329 // p
330 if (lp > 0) {
331 buf = new char[lp+1];
332 if (buf) {
333 memcpy(buf,bp+cur,lp);
334 buf[lp] = 0;
335 BN_hex2bn(&p,buf);
336 delete[] buf;
337 } else
338 valid = 0;
339 cur += lp;
340 }
341 // g
342 if (lg > 0) {
343 buf = new char[lg+1];
344 if (buf) {
345 memcpy(buf,bp+cur,lg);
346 buf[lg] = 0;
347 BN_hex2bn(&g,buf);
348 delete[] buf;
349 } else
350 valid = 0;
351 cur += lg;
352 }
353 // pub_key
354 if (lpub > 0) {
355 buf = new char[lpub+1];
356 if (buf) {
357 memcpy(buf,bp+cur,lpub);
358 buf[lpub] = 0;
359 BN_hex2bn(&pub,buf);
360 delete[] buf;
361 } else
362 valid = 0;
363 cur += lpub;
364 }
365 // priv_key
366 if (lpri > 0) {
367 buf = new char[lpri+1];
368 if (buf) {
369 memcpy(buf,bp+cur,lpri);
370 buf[lpri] = 0;
371 BN_hex2bn(&pri,buf);
372 delete[] buf;
373 } else
374 valid = 0;
375 cur += lpri;
376 }
377#if OPENSSL_VERSION_NUMBER >= 0x30000000L
378 OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new();
379 if (p) OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p);
380 if (g) OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g);
381 if (pub) OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, pub);
382 if (pri) OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, pri);
383 OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(bld);
384 OSSL_PARAM_BLD_free(bld);
385 if (p) BN_free(p);
386 if (g) BN_free(g);
387 if (pub) BN_free(pub);
388 if (pri) BN_free(pri);
389 EVP_PKEY_CTX *pkctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, 0);
390 EVP_PKEY_fromdata_init(pkctx);
391 EVP_PKEY_fromdata(pkctx, &fDH, EVP_PKEY_KEYPAIR, params);
392 EVP_PKEY_CTX_free(pkctx);
393 OSSL_PARAM_free(params);
394#else
395 DH* dh = DH_new();
396 DH_set0_pqg(dh, p, NULL, g);
397 DH_set0_key(dh, pub, pri);
398 fDH = EVP_PKEY_new();
399 EVP_PKEY_assign_DH(fDH, dh);
400#endif
401 if (XrdCheckDH(fDH) != 1)
402 valid = 0;
403 }
404 }
405 //
406 // Init cipher
407 if (valid) {
408 // Init context
409 ctx = EVP_CIPHER_CTX_new();
410 if (ctx) {
411 if (deflength) {
412 EVP_CipherInit_ex(ctx, cipher, 0, (unsigned char *)Buffer(), 0, 1);
413 } else {
414 EVP_CipherInit_ex(ctx, cipher, 0, 0, 0, 1);
415 EVP_CIPHER_CTX_set_key_length(ctx,Length());
416 EVP_CipherInit_ex(ctx, 0, 0, (unsigned char *)Buffer(), 0, 1);
417 }
418 } else
419 valid = 0;
420 }
421 if (!valid) {
422 Cleanup();
423 }
424}
425
426//____________________________________________________________________________
427XrdCryptosslCipher::XrdCryptosslCipher(bool padded, int bits, char *pub,
428 int lpub, const char *t)
429{
430 // Constructor for key agreement.
431 // If pub is not defined, generates a DH full key,
432 // the public part and parameters can be retrieved using Public().
433 // 'bits' is ignored (DH key is generated once)
434 // If pub is defined with the public part and parameters of the
435 // counterpart fully initialize a cipher with that information.
436 // Sets also the name to 't', if different from the default one.
437 // Used for key agreement.
438 EPNAME("sslCipher::XrdCryptosslCipher");
439
440 valid = 0;
441 ctx = 0;
442 fIV = 0;
443 lIV = 0;
444 fDH = 0;
445 cipher = 0;
446 deflength = 1;
447
448 if (!pub) {
449
450 DEBUG("generate DH parameters");
451 EVP_PKEY *dhparms = getFixedDHParams();
452//
453// Important historical context:
454// - We used to generate DH params on every server startup (commented
455// out below). This was prohibitively costly to do on startup for
456// DH parameters large enough to be considered secure.
457// - OpenSSL 3.0 improved the DH parameter generation to avoid leaking
458// the first bit of the session key (see https://github.com/openssl/openssl/issues/9792
459// for more information). However, a side-effect is that the new
460// parameters are not recognized as valid in OpenSSL 1.0.2.
461// - Since we can't control old client versions and new servers can't
462// generate compatible DH parameters, we switch to a fixed, much stronger
463// set of DH parameters (3072 bits).
464//
465// The impact is that we continue leaking the first bit of the session key
466// (meaning it's effectively 127 bits not 128 bits -- still plenty secure)
467// but upgrade the DH parameters to something more modern (3072; previously,
468// it was 512 bits which was not considered secure). The downside
469// of fixed DH parameters is that if a nation-state attacked our selected
470// parameters (using technology not currently available), we would have
471// to upgrade all servers with a new set of DH parameters.
472//
473
474/*
475 EVP_PKEY_CTX *pkctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, 0);
476 EVP_PKEY_paramgen_init(pkctx);
477 EVP_PKEY_CTX_set_dh_paramgen_prime_len(pkctx, kDHMINBITS);
478 EVP_PKEY_CTX_set_dh_paramgen_generator(pkctx, 5);
479 EVP_PKEY_paramgen(pkctx, &dhParam);
480 EVP_PKEY_CTX_free(pkctx);
481*/
482
483 DEBUG("configure DH parameters");
484 //
485 // Set params for DH object
486 EVP_PKEY_CTX *pkctx = EVP_PKEY_CTX_new(dhparms, 0);
487 EVP_PKEY_keygen_init(pkctx);
488 EVP_PKEY_keygen(pkctx, &fDH);
489 EVP_PKEY_CTX_free(pkctx);
490 if (fDH) {
491 // Init context
492 ctx = EVP_CIPHER_CTX_new();
493 if (ctx)
494 valid = 1;
495 }
496
497 } else {
498 DEBUG("initialize cipher from key-agreement buffer");
499 //
500 char *ktmp = 0;
501 size_t ltmp = 0;
502 // Extract string with bignumber
503 BIGNUM *bnpub = 0;
504 char *pb = strstr(pub,"---BPUB---");
505 char *pe = strstr(pub,"---EPUB--"); // one less (pub not null-terminated)
506 if (pb && pe) {
507 lpub = (int)(pb-pub);
508 pb += 10;
509 *pe = 0;
510 BN_hex2bn(&bnpub, pb);
511 *pe = '-';
512 }
513 if (bnpub) {
514 //
515 // Prepare to decode the input buffer
516 BIO *biop = BIO_new(BIO_s_mem());
517 if (biop) {
518 //
519 // Write buffer into BIO
520 BIO_write(biop,pub,lpub);
521 //
522 // Read params from BIO
523 EVP_PKEY *dhParam = 0;
524 PEM_read_bio_Parameters(biop, &dhParam);
525 if (dhParam) {
526 if (XrdCheckDH(dhParam) == 1) {
527 //
528 // generate DH key
529 EVP_PKEY_CTX *pkctx = EVP_PKEY_CTX_new(dhParam, 0);
530 EVP_PKEY_keygen_init(pkctx);
531 EVP_PKEY_keygen(pkctx, &fDH);
532 EVP_PKEY_CTX_free(pkctx);
533 if (fDH) {
534 // Now we can compute the cipher
535 ltmp = EVP_PKEY_size(fDH);
536 ktmp = new char[ltmp];
537 memset(ktmp, 0, ltmp);
538 if (ktmp) {
539 // Create peer public key
540#if OPENSSL_VERSION_NUMBER >= 0x30000000L
541 EVP_PKEY *peer = 0;
542 OSSL_PARAM *params1 = 0;
543 EVP_PKEY_todata( dhParam, EVP_PKEY_KEY_PARAMETERS, &params1 );
544 OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new();
545 OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, bnpub);
546 OSSL_PARAM *params2 = OSSL_PARAM_BLD_to_param(bld);
547 OSSL_PARAM_BLD_free(bld);
548 OSSL_PARAM *params = OSSL_PARAM_merge( params1, params2 );
549 pkctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, 0);
550 EVP_PKEY_fromdata_init(pkctx);
551 EVP_PKEY_fromdata(pkctx, &peer, EVP_PKEY_KEYPAIR, params);
552 EVP_PKEY_CTX_free(pkctx);
553 OSSL_PARAM_free(params);
554 OSSL_PARAM_free(params1);
555 OSSL_PARAM_free(params2);
556#else
557 DH* dh = DH_new();
558 DH_set0_key(dh, BN_dup(bnpub), NULL);
559 EVP_PKEY *peer = EVP_PKEY_new();
560 EVP_PKEY_assign_DH(peer, dh);
561#endif
562 // Derive shared secret
563 pkctx = EVP_PKEY_CTX_new(fDH, 0);
564 EVP_PKEY_derive_init(pkctx);
565 EVP_PKEY_CTX_set_dh_pad(pkctx, padded);
566 EVP_PKEY_derive_set_peer(pkctx, peer);
567 EVP_PKEY_derive(pkctx, (unsigned char *)ktmp, &ltmp);
568 EVP_PKEY_CTX_free(pkctx);
569 EVP_PKEY_free(peer);
570 if (ltmp > 0) {
571 valid = 1;
572 }
573 }
574 }
575 }
576 EVP_PKEY_free(dhParam);
577 }
578 BIO_free(biop);
579 }
580 BN_free( bnpub );
581 }
582 //
583 // If a valid key has been computed, set the cipher
584 if (valid) {
585 // Init context
586 ctx = EVP_CIPHER_CTX_new();
587 if (ctx) {
588 // Check and set type
589 char cipnam[64] = {"bf-cbc"};
590 if (t && strcmp(t,"default")) {
591 strcpy(cipnam,t);
592 cipnam[63] = 0;
593 }
594 if ((cipher = EVP_get_cipherbyname(cipnam))) {
595 // At most EVP_MAX_KEY_LENGTH bytes
596 ltmp = (ltmp > EVP_MAX_KEY_LENGTH) ? EVP_MAX_KEY_LENGTH : ltmp;
597 int ldef = EVP_CIPHER_key_length(cipher);
598 // Try setting the key length
599 if ((int)ltmp != ldef) {
600 EVP_CipherInit_ex(ctx, cipher, 0, 0, 0, 1);
601 EVP_CIPHER_CTX_set_key_length(ctx,ltmp);
602 EVP_CipherInit_ex(ctx, 0, 0, (unsigned char *)ktmp, 0, 1);
603 if ((int)ltmp == EVP_CIPHER_CTX_key_length(ctx)) {
604 // Use the ltmp bytes at ktmp
605 SetBuffer(ltmp,ktmp);
606 deflength = 0;
607 }
608 }
609 if (!Length()) {
610 EVP_CipherInit_ex(ctx, cipher, 0, (unsigned char *)ktmp, 0, 1);
611 SetBuffer(ldef,ktmp);
612 }
613 // Set also the type
614 SetType(cipnam);
615 }
616 } else
617 valid = 0;
618 }
619 // Cleanup
620 if (ktmp) {delete[] ktmp; ktmp = 0;}
621 }
622
623 // Cleanup, if invalid
624 if (!valid)
625 Cleanup();
626}
627
628//____________________________________________________________________________
629XrdCryptosslCipher::XrdCryptosslCipher(const XrdCryptosslCipher &c)
630 : XrdCryptoCipher()
631{
632 // Copy Constructor
633
634 // Basics
635 deflength = c.deflength;
636 valid = c.valid;
637 ctx = 0;
638 // IV
639 lIV = 0;
640 fIV = 0;
641 SetIV(c.lIV,c.fIV);
642
643 // Cipher
644 cipher = c.cipher;
645 // Set the key
646 SetBuffer(c.Length(),c.Buffer());
647 // Set also the type
648 SetType(c.Type());
649 // DH
650 fDH = 0;
651 if (valid && c.fDH) {
652 valid = 0;
653#if OPENSSL_VERSION_NUMBER >= 0x30000000L
654 BIGNUM *p = BN_new();
655 BIGNUM *g = BN_new();
656 BIGNUM *pub = BN_new();
657 BIGNUM *pri = BN_new();
658 OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new();
659 if (EVP_PKEY_get_bn_param(c.fDH, OSSL_PKEY_PARAM_FFC_P, &p) == 1)
660 OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_P, p);
661 if (EVP_PKEY_get_bn_param(c.fDH, OSSL_PKEY_PARAM_FFC_G, &g) == 1)
662 OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_FFC_G, g);
663 if (EVP_PKEY_get_bn_param(c.fDH, OSSL_PKEY_PARAM_PUB_KEY, &pub) == 1)
664 OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, pub);
665 if (EVP_PKEY_get_bn_param(c.fDH, OSSL_PKEY_PARAM_PRIV_KEY, &pri) == 1)
666 OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PRIV_KEY, pri);
667 OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(bld);
668 OSSL_PARAM_BLD_free(bld);
669 BN_free(p);
670 BN_free(g);
671 BN_free(pub);
672 BN_free(pri);
673 EVP_PKEY_CTX *pkctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, 0);
674 EVP_PKEY_fromdata_init(pkctx);
675 EVP_PKEY_fromdata(pkctx, &fDH, EVP_PKEY_KEYPAIR, params);
676 EVP_PKEY_CTX_free(pkctx);
677 OSSL_PARAM_free(params);
678#else
679 DH* dh = DH_new();
680 if (dh) {
681 const BIGNUM *p, *g;
682 DH_get0_pqg(EVP_PKEY_get0_DH(c.fDH), &p, NULL, &g);
683 DH_set0_pqg(dh, p ? BN_dup(p) : NULL, NULL, g ? BN_dup(g) : NULL);
684 const BIGNUM *pub, *pri;
685 DH_get0_key(EVP_PKEY_get0_DH(c.fDH), &pub, &pri);
686 DH_set0_key(dh, pub ? BN_dup(pub) : NULL, pri ? BN_dup(pri) : NULL);
687 fDH = EVP_PKEY_new();
688 EVP_PKEY_assign_DH(fDH, dh);
689 }
690#endif
691 if (fDH) {
692 if (XrdCheckDH(fDH) == 1)
693 valid = 1;
694 }
695 }
696 if (valid) {
697 // Init context
698 ctx = EVP_CIPHER_CTX_new();
699 if (!ctx)
700 valid = 0;
701 }
702 if (!valid) {
703 Cleanup();
704 }
705}
706
707//____________________________________________________________________________
708XrdCryptosslCipher::~XrdCryptosslCipher()
709{
710 // Destructor.
711
712 // Cleanup IV
713 if (fIV)
714 delete[] fIV;
715
716 // Cleanups
717 if (valid)
718 EVP_CIPHER_CTX_free(ctx);
719 Cleanup();
720}
721
722//____________________________________________________________________________
723void XrdCryptosslCipher::Cleanup()
724{
725 // Cleanup temporary memory
726
727 // Cleanup IV
728 if (fDH) {
729 EVP_PKEY_free(fDH);
730 fDH = 0;
731 }
732}
733
734//____________________________________________________________________________
735bool XrdCryptosslCipher::Finalize(bool padded,
736 char *pub, int lpub, const char *t)
737{
738 // Finalize cipher during key agreement. Should be called
739 // for a cipher build with special constructor defining member fDH.
740 // The buffer pub should contain the public part of the counterpart.
741 // Sets also the name to 't', if different from the default one.
742 // Used for key agreement.
743 EPNAME("sslCipher::Finalize");
744
745 if (!fDH) {
746 DEBUG("DH undefined: this cipher cannot be finalized"
747 " by this method");
748 return 0;
749 }
750
751 char *ktmp = 0;
752 size_t ltmp = 0;
753 valid = 0;
754 if (pub) {
755 //
756 // Extract string with bignumber
757 BIGNUM *bnpub = 0;
758 char *pb = static_cast<char*>(memmem(pub, lpub, "---BPUB---", 10));
759 char *pe = static_cast<char*>(memmem(pub, lpub, "---EPUB--", 9));
760 if (pb && pe) {
761 //lpub = (int)(pb-pub);
762 pb += 10;
763 *pe = 0;
764 BN_hex2bn(&bnpub, pb);
765 *pe = '-';
766 }
767 if (bnpub) {
768 // Now we can compute the cipher
769 ltmp = EVP_PKEY_size(fDH);
770 ktmp = new char[ltmp];
771 if (ktmp) {
772 memset(ktmp, 0, ltmp);
773 // Create peer public key
774 EVP_PKEY_CTX *pkctx;
775#if OPENSSL_VERSION_NUMBER >= 0x30000000L
776 EVP_PKEY *peer = nullptr;
777 OSSL_PARAM *params1 = nullptr;
778 EVP_PKEY_todata(fDH, EVP_PKEY_KEY_PARAMETERS, &params1);
779 OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new();
780 OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, bnpub);
781 OSSL_PARAM *params2 = OSSL_PARAM_BLD_to_param(bld);
782 OSSL_PARAM_BLD_free(bld);
783 OSSL_PARAM *params = OSSL_PARAM_merge(params1, params2);
784 pkctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DH, 0);
785 EVP_PKEY_fromdata_init(pkctx);
786 EVP_PKEY_fromdata(pkctx, &peer, EVP_PKEY_PUBLIC_KEY, params);
787 OSSL_PARAM_free(params1);
788 OSSL_PARAM_free(params2);
789 OSSL_PARAM_free(params);
790 EVP_PKEY_CTX_free(pkctx);
791#else
792 DH* dh = DH_new();
793 DH_set0_key(dh, BN_dup(bnpub), NULL);
794 EVP_PKEY *peer = EVP_PKEY_new();
795 EVP_PKEY_assign_DH(peer, dh);
796#endif
797 // Derive shared secret
798 pkctx = EVP_PKEY_CTX_new(fDH, 0);
799 EVP_PKEY_derive_init(pkctx);
800 EVP_PKEY_CTX_set_dh_pad(pkctx, padded);
801 EVP_PKEY_derive_set_peer(pkctx, peer);
802 EVP_PKEY_derive(pkctx, (unsigned char *)ktmp, &ltmp);
803 EVP_PKEY_CTX_free(pkctx);
804 EVP_PKEY_free(peer);
805 if (ltmp > 0) {
806 valid = 1;
807 }
808 }
809 BN_free(bnpub);
810 bnpub=0;
811 }
812 //
813 // If a valid key has been computed, set the cipher
814 if (valid) {
815 // Check and set type
816 char cipnam[64] = {"bf-cbc"};
817 if (t && strcmp(t,"default")) {
818 strcpy(cipnam,t);
819 cipnam[63] = 0;
820 }
821 if ((cipher = EVP_get_cipherbyname(cipnam))) {
822 // At most EVP_MAX_KEY_LENGTH bytes
823 ltmp = (ltmp > EVP_MAX_KEY_LENGTH) ? EVP_MAX_KEY_LENGTH : ltmp;
824 int ldef = EVP_CIPHER_key_length(cipher);
825 // Try setting the key length
826 if ((int)ltmp != ldef) {
827 EVP_CipherInit_ex(ctx, cipher, 0, 0, 0, 1);
828 EVP_CIPHER_CTX_set_key_length(ctx,ltmp);
829 EVP_CipherInit_ex(ctx, 0, 0, (unsigned char *)ktmp, 0, 1);
830 if ((int)ltmp == EVP_CIPHER_CTX_key_length(ctx)) {
831 // Use the ltmp bytes at ktmp
832 SetBuffer(ltmp,ktmp);
833 deflength = 0;
834 }
835 }
836 if (!Length()) {
837 EVP_CipherInit_ex(ctx, cipher, 0, (unsigned char *)ktmp, 0, 1);
838 SetBuffer(ldef,ktmp);
839 }
840 // Set also the type
841 SetType(cipnam);
842 }
843 }
844 // Cleanup
845 if (ktmp) {delete[] ktmp; ktmp = 0;}
846 }
847
848 // Cleanup, if invalid
849 if (!valid) {
850 EVP_CIPHER_CTX_free(ctx);
851 Cleanup();
852 }
853
854 // We are done
855 return valid;
856}
857
858//_____________________________________________________________________________
859int XrdCryptosslCipher::Publen()
860{
861 // Minimum length of export format of public key
862 static int lhdr = strlen("-----BEGIN DH PARAMETERS-----"
863 "-----END DH PARAMETERS-----") + 3;
864 if (fDH) {
865 // minimum length of the core is 22 bytes
866 int l = 2 * EVP_PKEY_size(fDH);
867 if (l < 22) l = 22;
868 // for headers
869 l += lhdr;
870 // some margin
871 return (l+20);
872 } else
873 return 0;
874}
875
876//_____________________________________________________________________________
877char *XrdCryptosslCipher::Public(int &lpub)
878{
879 // Return buffer with the public part of the DH key and the shared
880 // parameters; lpub contains the length of the meaningful bytes.
881 // Buffer should be deleted by the caller.
882 static int lhend = strlen("-----END DH PARAMETERS-----");
883
884 if (fDH) {
885 //
886 // Calculate and write public key hex
887#if OPENSSL_VERSION_NUMBER >= 0x30000000L
888 BIGNUM *pub = BN_new();
889 EVP_PKEY_get_bn_param(fDH, OSSL_PKEY_PARAM_PUB_KEY, &pub);
890 char *phex = BN_bn2hex(pub);
891 BN_free(pub);
892#else
893 const BIGNUM *pub;
894 DH_get0_key(EVP_PKEY_get0_DH(fDH), &pub, NULL);
895 char *phex = BN_bn2hex(pub);
896#endif
897 int lhex = strlen(phex);
898 //
899 // Prepare bio to export info buffer
900 BIO *biop = BIO_new(BIO_s_mem());
901 if (biop) {
902 int ltmp = Publen() + lhex + 20;
903 char *pub = new char[ltmp];
904 if (pub) {
905 // Write parms first
906 PEM_write_bio_Parameters(biop, fDH);
907 // Read key from BIO to buf
908 BIO_read(biop,(void *)pub,ltmp);
909 BIO_free(biop);
910 // Add public key
911 char *p = strstr(pub,"-----END DH PARAMETERS-----");
912 // Buffer length up to now
913 lpub = (int)(p - pub) + lhend + 1;
914 if (phex && p) {
915 // position at the end
916 p += (lhend+1);
917 // Begin of public key hex
918 memcpy(p,"---BPUB---",10);
919 p += 10;
920 // Calculate and write public key hex
921 memcpy(p,phex,lhex);
922 OPENSSL_free(phex);
923 // End of public key hex
924 p += lhex;
925 memcpy(p,"---EPUB---",10);
926 // Calculate total length
927 lpub += (20 + lhex);
928 } else {
929 if (phex) OPENSSL_free(phex);
930 }
931 // return
932 return pub;
933 }
934 } else {
935 if (phex) OPENSSL_free(phex);
936 }
937 }
938
939 lpub = 0;
940 return (char *)0;
941}
942
943//_____________________________________________________________________________
944void XrdCryptosslCipher::PrintPublic(BIGNUM *pub)
945{
946 // Print public part
947
948 //
949 // Prepare bio to export info buffer
950 BIO *biop = BIO_new(BIO_s_mem());
951 if (biop) {
952 // Use a DSA structure to export the public part
953#if OPENSSL_VERSION_NUMBER >= 0x30000000L
954 EVP_PKEY *dsa = 0;
955 OSSL_PARAM_BLD *bld = OSSL_PARAM_BLD_new();
956 OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_PUB_KEY, pub);
957 OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(bld);
958 OSSL_PARAM_BLD_free(bld);
959 EVP_PKEY_CTX *pkctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DSA, 0);
960 EVP_PKEY_fromdata_init(pkctx);
961 EVP_PKEY_fromdata(pkctx, &dsa, EVP_PKEY_PUBLIC_KEY, params);
962 EVP_PKEY_CTX_free(pkctx);
963 OSSL_PARAM_free(params);
964#else
965 EVP_PKEY *dsa = EVP_PKEY_new();
966 DSA *fdsa = DSA_new();
967 DSA_set0_key(fdsa, BN_dup(pub), NULL);
968 EVP_PKEY_assign_DSA(dsa, fdsa);
969#endif
970 if (dsa) {
971 // Write public key to BIO
972 PEM_write_bio_PUBKEY(biop, dsa);
973 // Read key from BIO to buf
974 int lpub = Publen();
975 char *bpub = new char[lpub];
976 if (bpub) {
977 BIO_read(biop,(void *)bpub,lpub);
978 std::cerr << bpub << std::endl;
979 delete[] bpub;
980 }
981 EVP_PKEY_free(dsa);
982 }
983 BIO_free(biop);
984 }
985}
986
987//_____________________________________________________________________________
988XrdSutBucket *XrdCryptosslCipher::AsBucket()
989{
990 // Return pointer to a bucket created using the internal information
991 // serialized
992 // The bucket is responsible for the allocated memory
993
994 XrdSutBucket *buck = (XrdSutBucket *)0;
995
996 if (valid) {
997
998 // Serialize .. total length
999 kXR_int32 lbuf = Length();
1000 kXR_int32 ltyp = Type() ? strlen(Type()) : 0;
1001 kXR_int32 livc = lIV;
1002#if OPENSSL_VERSION_NUMBER >= 0x30000000L
1003 BIGNUM *p = BN_new();
1004 BIGNUM *g = BN_new();
1005 BIGNUM *pub = BN_new();
1006 BIGNUM *pri = BN_new();
1007 EVP_PKEY_get_bn_param(fDH, OSSL_PKEY_PARAM_FFC_P, &p);
1008 EVP_PKEY_get_bn_param(fDH, OSSL_PKEY_PARAM_FFC_G, &g);
1009 EVP_PKEY_get_bn_param(fDH, OSSL_PKEY_PARAM_PUB_KEY, &pub);
1010 EVP_PKEY_get_bn_param(fDH, OSSL_PKEY_PARAM_PRIV_KEY, &pri);
1011#else
1012 const BIGNUM *p, *g;
1013 const BIGNUM *pub, *pri;
1014 DH_get0_pqg(EVP_PKEY_get0_DH(fDH), &p, NULL, &g);
1015 DH_get0_key(EVP_PKEY_get0_DH(fDH), &pub, &pri);
1016#endif
1017 char *cp = BN_bn2hex(p);
1018 char *cg = BN_bn2hex(g);
1019 char *cpub = BN_bn2hex(pub);
1020 char *cpri = BN_bn2hex(pri);
1021#if OPENSSL_VERSION_NUMBER >= 0x30000000L
1022 BN_free(p);
1023 BN_free(g);
1024 BN_free(pub);
1025 BN_free(pri);
1026#endif
1027 kXR_int32 lp = cp ? strlen(cp) : 0;
1028 kXR_int32 lg = cg ? strlen(cg) : 0;
1029 kXR_int32 lpub = cpub ? strlen(cpub) : 0;
1030 kXR_int32 lpri = cpri ? strlen(cpri) : 0;
1031 int ltot = 7*sizeof(kXR_int32) + ltyp + Length() + livc +
1032 lp + lg + lpub + lpri;
1033 char *newbuf = new char[ltot];
1034 if (newbuf) {
1035 int cur = 0;
1036 memcpy(newbuf+cur,&ltyp,sizeof(kXR_int32));
1037 cur += sizeof(kXR_int32);
1038 memcpy(newbuf+cur,&livc,sizeof(kXR_int32));
1039 cur += sizeof(kXR_int32);
1040 memcpy(newbuf+cur,&lbuf,sizeof(kXR_int32));
1041 cur += sizeof(kXR_int32);
1042 memcpy(newbuf+cur,&lp,sizeof(kXR_int32));
1043 cur += sizeof(kXR_int32);
1044 memcpy(newbuf+cur,&lg,sizeof(kXR_int32));
1045 cur += sizeof(kXR_int32);
1046 memcpy(newbuf+cur,&lpub,sizeof(kXR_int32));
1047 cur += sizeof(kXR_int32);
1048 memcpy(newbuf+cur,&lpri,sizeof(kXR_int32));
1049 cur += sizeof(kXR_int32);
1050 if (Type()) {
1051 memcpy(newbuf+cur,Type(),ltyp);
1052 cur += ltyp;
1053 }
1054 if (fIV) {
1055 memcpy(newbuf+cur,fIV,livc);
1056 cur += livc;
1057 }
1058 if (Buffer()) {
1059 memcpy(newbuf+cur,Buffer(),lbuf);
1060 cur += lbuf;
1061 }
1062 if (cp) {
1063 memcpy(newbuf+cur,cp,lp);
1064 cur += lp;
1065 OPENSSL_free(cp);
1066 }
1067 if (cg) {
1068 memcpy(newbuf+cur,cg,lg);
1069 cur += lg;
1070 OPENSSL_free(cg);
1071 }
1072 if (cpub) {
1073 memcpy(newbuf+cur,cpub,lpub);
1074 cur += lpub;
1075 OPENSSL_free(cpub);
1076 }
1077 if (cpri) {
1078 memcpy(newbuf+cur,cpri,lpri);
1079 cur += lpri;
1080 OPENSSL_free(cpri);
1081 }
1082 // The bucket now
1083 buck = new XrdSutBucket(newbuf,ltot,kXRS_cipher);
1084 }
1085 }
1086
1087 return buck;
1088}
1089
1090//____________________________________________________________________________
1091void XrdCryptosslCipher::SetIV(int l, const char *iv)
1092{
1093 // Set IV from l bytes at iv. If !iv, sets the IV length.
1094
1095 if (fIV) {
1096 delete[] fIV;
1097 fIV = 0;
1098 lIV = 0;
1099 }
1100
1101 if (l > 0) {
1102 if (iv) {
1103 fIV = new char[l];
1104 if (fIV) memcpy(fIV,iv,l);
1105 }
1106 lIV = l;
1107 }
1108}
1109
1110//____________________________________________________________________________
1111char *XrdCryptosslCipher::RefreshIV(int &l)
1112{
1113 // Regenerate IV and return it
1114
1115 // Generate a new IV
1116 GenerateIV();
1117
1118 // Set output
1119 l = lIV;
1120 return fIV;
1121}
1122
1123//____________________________________________________________________________
1124void XrdCryptosslCipher::GenerateIV()
1125{
1126 // Generate IV
1127
1128 // Cleanup existing one, if any
1129 if (fIV) {
1130 delete[] fIV;
1131 fIV = 0;
1132 lIV = 0;
1133 }
1134
1135 // Generate a new one, using crypt-like chars
1136 fIV = XrdSutRndm::GetBuffer(EVP_MAX_IV_LENGTH, 3);
1137 if (fIV)
1138 lIV = EVP_MAX_IV_LENGTH;
1139}
1140
1141//____________________________________________________________________________
1142int XrdCryptosslCipher::Encrypt(const char *in, int lin, char *out)
1143{
1144 // Encrypt lin bytes at in with local cipher.
1145 // The outbut buffer must be provided by the caller for at least
1146 // EncOutLength(lin) bytes.
1147 // Returns number of meaningful bytes in out, or 0 in case of problems
1148
1149 return EncDec(1, in, lin, out);
1150}
1151
1152//____________________________________________________________________________
1153int XrdCryptosslCipher::Decrypt(const char *in, int lin, char *out)
1154{
1155 // Decrypt lin bytes at in with local cipher.
1156 // The outbut buffer must be provided by the caller for at least
1157 // DecOutLength(lin) bytes.
1158 // Returns number of meaningful bytes in out, or 0 in case of problems
1159
1160 return EncDec(0, in, lin, out);
1161}
1162
1163//____________________________________________________________________________
1164int XrdCryptosslCipher::EncDec(int enc, const char *in, int lin, char *out)
1165{
1166 // Encrypt (enc = 1)/ Decrypt (enc = 0) lin bytes at in with local cipher.
1167 // The outbut buffer must be provided by the caller for at least
1168 // EncOutLength(lin) or DecOutLength(lin) bytes.
1169 // Returns number of meaningful bytes in out, or 0 in case of problems
1170 EPNAME("Cipher::EncDec");
1171
1172 int lout = 0;
1173
1174 const char *action = (enc == 1) ? "encrypting" : "decrypting";
1175
1176 // Check inputs
1177 if (!in || lin <= 0 || !out) {
1178 DEBUG("wrong inputs arguments");
1179 if (!in) DEBUG("in: NULL");
1180 if (lin <= 0) DEBUG("lin: "<<lin);
1181 if (!out) DEBUG("out: NULL");
1182 return 0;
1183 }
1184
1185 // Set iv to the one in use
1186 unsigned char iv[EVP_MAX_IV_LENGTH];
1187 if (fIV) {
1188 memcpy((void *)iv,fIV,EVP_MAX_IV_LENGTH);
1189 } else {
1190 // We use 0's
1191 memset((void *)iv,0,EVP_MAX_IV_LENGTH);
1192 }
1193
1194 // Action depend on the length of the key wrt default length
1195 if (deflength) {
1196 // Init ctx, set key (default length) and set IV
1197 if (!EVP_CipherInit_ex(ctx, cipher, 0, (unsigned char *)Buffer(), iv, enc)) {
1198 DEBUG("error initializing");
1199 return 0;
1200 }
1201 } else {
1202 // Init ctx
1203 if (!EVP_CipherInit_ex(ctx, cipher, 0, 0, 0, enc)) {
1204 DEBUG("error initializing - 1");
1205 return 0;
1206 }
1207 // Set key length
1208 EVP_CIPHER_CTX_set_key_length(ctx,Length());
1209 // Set key and IV
1210 if (!EVP_CipherInit_ex(ctx, 0, 0, (unsigned char *)Buffer(), iv, enc)) {
1211 DEBUG("error initializing - 2");
1212 return 0;
1213 }
1214 }
1215
1216 // Encrypt / Decrypt
1217 int ltmp = 0;
1218 if (!EVP_CipherUpdate(ctx, (unsigned char *)&out[0], &ltmp,
1219 (unsigned char *)in, lin)) {
1220 DEBUG("error " << action);
1221 return 0;
1222 }
1223 lout = ltmp;
1224 if (!EVP_CipherFinal_ex(ctx, (unsigned char *)&out[lout], &ltmp)) {
1225 DEBUG("error finalizing");
1226 return 0;
1227 }
1228
1229 // Results
1230 lout += ltmp;
1231 return lout;
1232}
1233
1234//____________________________________________________________________________
1235int XrdCryptosslCipher::EncOutLength(int l)
1236{
1237 // Required buffer size for encrypting l bytes
1238
1239 return (l+EVP_CIPHER_CTX_block_size(ctx));
1240}
1241
1242//____________________________________________________________________________
1243int XrdCryptosslCipher::DecOutLength(int l)
1244{
1245 // Required buffer size for decrypting l bytes
1246
1247 int lout = l+EVP_CIPHER_CTX_block_size(ctx)+1;
1248 lout = (lout <= 0) ? l : lout;
1249 return lout;
1250}
1251
1252//____________________________________________________________________________
1253int XrdCryptosslCipher::MaxIVLength() const
1254{
1255 // Return the max cipher IV length
1256
1257 return (lIV > 0) ? lIV : EVP_MAX_IV_LENGTH;
1258}
kXR_int32
int kXR_int32
Definition XPtypes.hh:89
DEBUG
#define DEBUG(x)
Definition XrdBwmTrace.hh:54
EPNAME
#define EPNAME(x)
Definition XrdBwmTrace.hh:56
getFixedDHParams
static EVP_PKEY * getFixedDHParams()
Definition XrdCryptosslCipher.cc:76
dh_param_enc
static const char dh_param_enc[]
Definition XrdCryptosslCipher.cc:55
XrdCheckDH
static int XrdCheckDH(EVP_PKEY *pkey)
Definition XrdCryptosslCipher.cc:91
kXRS_cipher
@ kXRS_cipher
Definition XrdSutAux.hh:62
XrdCryptoBasic::Type
virtual char * Type() const
Definition XrdCryptoBasic.hh:60
XrdCryptoBasic::SetBuffer
virtual int SetBuffer(int l, const char *b)
Definition XrdCryptoBasic.cc:188
XrdCryptoBasic::Length
virtual int Length() const
Definition XrdCryptoBasic.hh:58
XrdCryptoBasic::Buffer
virtual char * Buffer() const
Definition XrdCryptoBasic.hh:59
XrdCryptoBasic::SetType
virtual int SetType(const char *t)
Definition XrdCryptoBasic.cc:221
XrdCryptoBasic::UseBuffer
virtual void UseBuffer(int l, const char *b)
Definition XrdCryptoBasic.hh:67
XrdCryptosslCipher::SetIV
void SetIV(int l, const char *iv)
Definition XrdCryptosslCipher.cc:1091
XrdCryptosslCipher::AsBucket
XrdSutBucket * AsBucket()
Definition XrdCryptosslCipher.cc:988
XrdCryptosslCipher::Encrypt
int Encrypt(const char *bin, int lin, char *out)
Definition XrdCryptosslCipher.cc:1142
XrdCryptosslCipher::XrdCryptosslCipher
XrdCryptosslCipher(const char *t, int l=0)
Definition XrdCryptosslCipher.cc:119
XrdCryptosslCipher::IsSupported
static bool IsSupported(const char *cip)
Definition XrdCryptosslCipher.cc:111
XrdCryptosslCipher::Decrypt
int Decrypt(const char *bin, int lin, char *out)
Definition XrdCryptosslCipher.cc:1153
XrdCryptosslCipher::Public
char * Public(int &lpub)
Definition XrdCryptosslCipher.cc:877
XrdCryptosslCipher::Finalize
bool Finalize(bool padded, char *pub, int lpub, const char *t)
Definition XrdCryptosslCipher.cc:735
XrdSutBucket::size
kXR_int32 size
Definition XrdSutBucket.hh:47
XrdSutRndm::GetBuffer
static char * GetBuffer(int len, int opt=-1)
Definition XrdSutRndm.cc:179