]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/shared/openssl-util.h
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
repart: add --private-key-source and drop --private-key-uri
[thirdparty/systemd.git] / src / shared / openssl-util.h
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2 #pragma once
3
4 #include "iovec-util.h"
5 #include "macro.h"
6 #include "sha256.h"
7
8 typedef enum KeySourceType {
9 OPENSSL_KEY_SOURCE_FILE,
10 OPENSSL_KEY_SOURCE_ENGINE,
11 OPENSSL_KEY_SOURCE_PROVIDER,
12 _OPENSSL_KEY_SOURCE_MAX,
13 _OPENSSL_KEY_SOURCE_INVALID = -EINVAL,
14 } KeySourceType;
15
16 int parse_openssl_key_source_argument(const char *argument, char **private_key_source, KeySourceType *private_key_source_type);
17
18 #define X509_FINGERPRINT_SIZE SHA256_DIGEST_SIZE
19
20 #if HAVE_OPENSSL
21 # include <openssl/bio.h>
22 # include <openssl/bn.h>
23 # include <openssl/crypto.h>
24 # include <openssl/engine.h>
25 # include <openssl/err.h>
26 # include <openssl/evp.h>
27 # include <openssl/opensslv.h>
28 # include <openssl/pkcs7.h>
29 # include <openssl/ssl.h>
30 # include <openssl/x509v3.h>
31 # ifndef OPENSSL_VERSION_MAJOR
32 /* OPENSSL_VERSION_MAJOR macro was added in OpenSSL 3. Thus, if it doesn't exist, we must be before OpenSSL 3. */
33 # define OPENSSL_VERSION_MAJOR 1
34 # endif
35 # if OPENSSL_VERSION_MAJOR >= 3
36 # include <openssl/core_names.h>
37 # include <openssl/kdf.h>
38 # include <openssl/param_build.h>
39 # include <openssl/provider.h>
40 # include <openssl/store.h>
41 # endif
42
43 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL_MACRO(void*, OPENSSL_free, NULL);
44 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(X509_NAME*, X509_NAME_free, NULL);
45 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_PKEY_CTX*, EVP_PKEY_CTX_free, NULL);
46 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_CIPHER_CTX*, EVP_CIPHER_CTX_free, NULL);
47 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EC_POINT*, EC_POINT_free, NULL);
48 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EC_GROUP*, EC_GROUP_free, NULL);
49 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BIGNUM*, BN_free, NULL);
50 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BN_CTX*, BN_CTX_free, NULL);
51 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(ECDSA_SIG*, ECDSA_SIG_free, NULL);
52 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(PKCS7*, PKCS7_free, NULL);
53 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(SSL*, SSL_free, NULL);
54 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BIO*, BIO_free, NULL);
55 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_MD_CTX*, EVP_MD_CTX_free, NULL);
56 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(ASN1_OCTET_STRING*, ASN1_OCTET_STRING_free, NULL);
57 DISABLE_WARNING_DEPRECATED_DECLARATIONS;
58 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(ENGINE*, ENGINE_free, NULL);
59 REENABLE_WARNING;
60 #if OPENSSL_VERSION_MAJOR >= 3
61 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_CIPHER*, EVP_CIPHER_free, NULL);
62 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_KDF*, EVP_KDF_free, NULL);
63 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_KDF_CTX*, EVP_KDF_CTX_free, NULL);
64 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_MAC*, EVP_MAC_free, NULL);
65 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_MAC_CTX*, EVP_MAC_CTX_free, NULL);
66 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_MD*, EVP_MD_free, NULL);
67 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(OSSL_PARAM*, OSSL_PARAM_free, NULL);
68 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(OSSL_PARAM_BLD*, OSSL_PARAM_BLD_free, NULL);
69 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(OSSL_STORE_CTX*, OSSL_STORE_close, NULL);
70 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(OSSL_STORE_INFO*, OSSL_STORE_INFO_free, NULL);
71 #else
72 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EC_KEY*, EC_KEY_free, NULL);
73 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(HMAC_CTX*, HMAC_CTX_free, NULL);
74 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(RSA*, RSA_free, NULL);
75 #endif
76
77 static inline void sk_X509_free_allp(STACK_OF(X509) **sk) {
78 if (!sk || !*sk)
79 return;
80
81 sk_X509_pop_free(*sk, X509_free);
82 }
83
84 int openssl_pkey_from_pem(const void *pem, size_t pem_size, EVP_PKEY **ret);
85
86 int openssl_digest_size(const char *digest_alg, size_t *ret_digest_size);
87
88 int openssl_digest_many(const char *digest_alg, const struct iovec data[], size_t n_data, void **ret_digest, size_t *ret_digest_size);
89
90 static inline int openssl_digest(const char *digest_alg, const void *buf, size_t len, void **ret_digest, size_t *ret_digest_size) {
91 return openssl_digest_many(digest_alg, &IOVEC_MAKE((void*) buf, len), 1, ret_digest, ret_digest_size);
92 }
93
94 int openssl_hmac_many(const char *digest_alg, const void *key, size_t key_size, const struct iovec data[], size_t n_data, void **ret_digest, size_t *ret_digest_size);
95
96 static inline int openssl_hmac(const char *digest_alg, const void *key, size_t key_size, const void *buf, size_t len, void **ret_digest, size_t *ret_digest_size) {
97 return openssl_hmac_many(digest_alg, key, key_size, &IOVEC_MAKE((void*) buf, len), 1, ret_digest, ret_digest_size);
98 }
99
100 int openssl_cipher_many(const char *alg, size_t bits, const char *mode, const void *key, size_t key_size, const void *iv, size_t iv_size, const struct iovec data[], size_t n_data, void **ret, size_t *ret_size);
101
102 static inline int openssl_cipher(const char *alg, size_t bits, const char *mode, const void *key, size_t key_size, const void *iv, size_t iv_size, const void *buf, size_t len, void **ret, size_t *ret_size) {
103 return openssl_cipher_many(alg, bits, mode, key, key_size, iv, iv_size, &IOVEC_MAKE((void*) buf, len), 1, ret, ret_size);
104 }
105
106 int kdf_ss_derive(const char *digest, const void *key, size_t key_size, const void *salt, size_t salt_size, const void *info, size_t info_size, size_t derive_size, void **ret);
107
108 int kdf_kb_hmac_derive(const char *mode, const char *digest, const void *key, size_t key_size, const void *salt, size_t salt_size, const void *info, size_t info_size, const void *seed, size_t seed_size, size_t derive_size, void **ret);
109
110 int rsa_encrypt_bytes(EVP_PKEY *pkey, const void *decrypted_key, size_t decrypted_key_size, void **ret_encrypt_key, size_t *ret_encrypt_key_size);
111
112 int rsa_oaep_encrypt_bytes(const EVP_PKEY *pkey, const char *digest_alg, const char *label, const void *decrypted_key, size_t decrypted_key_size, void **ret_encrypt_key, size_t *ret_encrypt_key_size);
113
114 int rsa_pkey_to_suitable_key_size(EVP_PKEY *pkey, size_t *ret_suitable_key_size);
115
116 int rsa_pkey_new(size_t bits, EVP_PKEY **ret);
117
118 int rsa_pkey_from_n_e(const void *n, size_t n_size, const void *e, size_t e_size, EVP_PKEY **ret);
119
120 int rsa_pkey_to_n_e(const EVP_PKEY *pkey, void **ret_n, size_t *ret_n_size, void **ret_e, size_t *ret_e_size);
121
122 int ecc_pkey_from_curve_x_y(int curve_id, const void *x, size_t x_size, const void *y, size_t y_size, EVP_PKEY **ret);
123
124 int ecc_pkey_to_curve_x_y(const EVP_PKEY *pkey, int *ret_curve_id, void **ret_x, size_t *ret_x_size, void **ret_y, size_t *ret_y_size);
125
126 int ecc_pkey_new(int curve_id, EVP_PKEY **ret);
127
128 int ecc_ecdh(const EVP_PKEY *private_pkey, const EVP_PKEY *peer_pkey, void **ret_shared_secret, size_t *ret_shared_secret_size);
129
130 int pkey_generate_volume_keys(EVP_PKEY *pkey, void **ret_decrypted_key, size_t *ret_decrypted_key_size, void **ret_saved_key, size_t *ret_saved_key_size);
131
132 int pubkey_fingerprint(EVP_PKEY *pk, const EVP_MD *md, void **ret, size_t *ret_size);
133
134 int digest_and_sign(const EVP_MD *md, EVP_PKEY *privkey, const void *data, size_t size, void **ret, size_t *ret_size);
135
136 int openssl_load_key_from_token(KeySourceType private_key_source_type, const char *private_key_source, const char *private_key, EVP_PKEY **ret);
137
138 #else
139
140 typedef struct X509 X509;
141 typedef struct EVP_PKEY EVP_PKEY;
142
143 static inline void *X509_free(X509 *p) {
144 assert(p == NULL);
145 return NULL;
146 }
147
148 static inline void *EVP_PKEY_free(EVP_PKEY *p) {
149 assert(p == NULL);
150 return NULL;
151 }
152
153 static inline int openssl_load_key_from_token(
154 KeySourceType private_key_source_type,
155 const char *private_key_source,
156 const char *private_key,
157 EVP_PKEY **ret) {
158
159 return -EOPNOTSUPP;
160 }
161
162 #endif
163
164 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(X509*, X509_free, NULL);
165 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EVP_PKEY*, EVP_PKEY_free, NULL);
166
167 int x509_fingerprint(X509 *cert, uint8_t buffer[static X509_FINGERPRINT_SIZE]);
168
169 #if PREFER_OPENSSL
170 /* The openssl definition */
171 typedef const EVP_MD* hash_md_t;
172 typedef const EVP_MD* hash_algorithm_t;
173 typedef int elliptic_curve_t;
174 typedef EVP_MD_CTX* hash_context_t;
175 # define OPENSSL_OR_GCRYPT(a, b) (a)
176
177 #elif HAVE_GCRYPT
178
179 # include <gcrypt.h>
180
181 /* The gcrypt definition */
182 typedef int hash_md_t;
183 typedef const char* hash_algorithm_t;
184 typedef const char* elliptic_curve_t;
185 typedef gcry_md_hd_t hash_context_t;
186 # define OPENSSL_OR_GCRYPT(a, b) (b)
187 #endif
188
189 #if PREFER_OPENSSL
190 int string_hashsum(const char *s, size_t len, const char *md_algorithm, char **ret);
191
192 static inline int string_hashsum_sha224(const char *s, size_t len, char **ret) {
193 return string_hashsum(s, len, "SHA224", ret);
194 }
195
196 static inline int string_hashsum_sha256(const char *s, size_t len, char **ret) {
197 return string_hashsum(s, len, "SHA256", ret);
198 }
199 #endif
Unnamed repository; edit this file 'description' to name the repository.