diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 14fce80..ca9c1c9 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -21,7 +21,9 @@ jobs: run: sudo sh ./scripts/openssl.sh ${{ matrix.openssl-version }} - name: Check headers working-directory: ./cmd/checkheader - run: go run . --ossl-include /usr/local/src/openssl-${{ matrix.openssl-version }}/include -shim ../../shims.h + run: | + go run . --ossl-include /usr/local/src/openssl-${{ matrix.openssl-version }}/include -shim ../../shims.h + go run . --ossl-include /usr/local/src/openssl-${{ matrix.openssl-version }}/include -shim ../../const.go - name: Set OpenSSL config and prove FIPS run: | sudo cp ./scripts/openssl-3.cnf /usr/local/ssl/openssl.cnf diff --git a/cipher.go b/cipher.go index 84172ed..828aba1 100644 --- a/cipher.go +++ b/cipher.go @@ -471,7 +471,7 @@ func (g *cipherGCM) Seal(dst, nonce, plaintext, aad []byte) []byte { if C.go_openssl_EVP_EncryptFinal_ex(ctx, base(out[outl:]), &discard) != 1 { panic(newOpenSSLError("EVP_EncryptFinal_ex")) } - if C.go_openssl_EVP_CIPHER_CTX_ctrl(ctx, C.GO_EVP_CTRL_GCM_GET_TAG, 16, unsafe.Pointer(base(out[outl:]))) != 1 { + if C.go_openssl_EVP_CIPHER_CTX_ctrl(ctx, _EVP_CTRL_GCM_GET_TAG, 16, unsafe.Pointer(base(out[outl:]))) != 1 { panic(newOpenSSLError("EVP_CIPHER_CTX_ctrl")) } runtime.KeepAlive(g) @@ -520,7 +520,7 @@ func (g *cipherGCM) Open(dst, nonce, ciphertext, aad []byte) (_ []byte, err erro if C.go_openssl_EVP_DecryptInit_ex(ctx, nil, nil, nil, base(nonce)) != 1 { return nil, errOpen } - if C.go_openssl_EVP_CIPHER_CTX_ctrl(ctx, C.GO_EVP_CTRL_GCM_SET_TAG, 16, unsafe.Pointer(base(tag))) != 1 { + if C.go_openssl_EVP_CIPHER_CTX_ctrl(ctx, _EVP_CTRL_GCM_SET_TAG, 16, unsafe.Pointer(base(tag))) != 1 { return nil, errOpen } var outl, discard C.int diff --git a/cmd/checkheader/main.go b/cmd/checkheader/main.go index 73e1b41..25f6b1b 100644 --- a/cmd/checkheader/main.go +++ b/cmd/checkheader/main.go @@ -21,8 +21,8 @@ import ( // - Blank lines are discarded. // - Comments are discarded unless they contain a C directive, i.e #include, #if or #endif. The directive in the comment is included in the output. // - Typedefs following the pattern "typedef void* GO_%name%_PTR" are translated into "#define %name% GO_%name%_PTR". -// - Enums are validated against their definition in the OpenSSL headers. Example: -// "enum { GO_EVP_CTRL_GCM_SET_TAG = 0x11 }" => "_Static_assert(EVP_CTRL_GCM_SET_TAG == 0x11);" +// - Go constants are validated against their definition in the OpenSSL headers. Example: +// "const { _EVP_CTRL_GCM_SET_TAG = 0x11 }" => "_Static_assert(EVP_CTRL_GCM_SET_TAG == 0x11);" // - Function macros are validated against their definition in the OpenSSL headers. Example: // "DEFINEFUNC(int, RAND_bytes, (unsigned char *a0, int a1), (a0, a1))" => "int(*__check_0)(unsigned char *, int) = RAND_bytes;" // - Function macros are excluded when checking old OpenSSL versions if they are prepended with '/*check:from=%version%*/', %version% being a version string such as '1.1.1' or '3.0.0'. @@ -113,14 +113,14 @@ func generate(header string) (string, error) { for sc.Scan() { l := strings.TrimSpace(sc.Text()) if enum { - if !strings.HasPrefix(l, "}") { - tryConvertEnum(&b, l) + if !strings.HasPrefix(l, ")") { + tryConvertGoConst(&b, l) } else { enum = false } continue } - if strings.HasPrefix(l, "enum {") || strings.HasPrefix(l, "typedef enum {") { + if strings.HasPrefix(l, "const (") && !strings.HasSuffix(l, "//checkheader:ignore") { enum = true continue } @@ -169,25 +169,22 @@ func tryConvertTypedef(w io.Writer, l string) bool { return true } -// tryConvertEnum adds a static check which verifies that -// the enum contained in the line l +// tryConvertGoConst adds a static check which verifies that +// the const contained in the line l // matches the corresponding OpenSSL value. -// Only enum names starting with GO_ are converted. -func tryConvertEnum(w io.Writer, l string) { - if !strings.HasPrefix(l, "GO_") { +// Only const names starting with _ are converted. +func tryConvertGoConst(w io.Writer, l string) { + if !strings.HasPrefix(l, "_") || strings.HasSuffix(l, "//checkheader:ignore") { return } - if l[len(l)-1] == ',' { - l = l[:len(l)-1] - } - split := strings.SplitN(l, " = ", 2) + split := strings.Split(l, " ") if len(split) < 2 { log.Printf("unexpected enum definition in function line: %s\n", l) return } - name := split[0][len("GO_"):] + name := split[0][len("_"):] fmt.Fprintf(w, "#ifdef %s\n", name) - fmt.Fprintf(w, "_Static_assert(%s == %s, \"%s\");\n", name, split[1], name) + fmt.Fprintf(w, "_Static_assert(%s == %s, \"%s\");\n", name, split[len(split)-1], name) fmt.Fprintln(w, "#endif") } diff --git a/const.go b/const.go index f2c7e84..15b4fa2 100644 --- a/const.go +++ b/const.go @@ -30,7 +30,7 @@ func (s cString) ptr() *C.char { return (*C.char)(unsafe.Pointer(unsafe.StringData(string(s)))) } -const ( +const ( //checkheader:ignore // Provider names _ProviderNameFips cString = "fips\x00" _ProviderNameDefault cString = "default\x00" @@ -85,3 +85,75 @@ const ( // MAC parameters _OSSL_MAC_PARAM_DIGEST cString = "digest\x00" ) + +// #include +// #include +// #include +// #include +// #include +// #include +// #if OPENSSL_VERSION_NUMBER >= 0x30000000L +// #include +// #endif + +const ( + _POINT_CONVERSION_UNCOMPRESSED = 4 + + _OPENSSL_INIT_LOAD_CRYPTO_STRINGS = 0x00000002 + _OPENSSL_INIT_ADD_ALL_CIPHERS = 0x00000004 + _OPENSSL_INIT_ADD_ALL_DIGESTS = 0x00000008 + _OPENSSL_INIT_LOAD_CONFIG = 0x00000040 + + _EVP_CTRL_GCM_GET_TAG = 0x10 + _EVP_CTRL_GCM_SET_TAG = 0x11 + _EVP_PKEY_CTRL_MD = 1 + _EVP_PKEY_RSA = 6 + _EVP_PKEY_EC = 408 + _EVP_PKEY_TLS1_PRF = 1021 + _EVP_PKEY_HKDF = 1036 + _EVP_PKEY_ED25519 = 1087 + _EVP_PKEY_DSA = 116 + // This is defined differently in OpenSSL 3 (1 << 11), + // but in our code it is only used in OpenSSL 1. + _EVP_PKEY_OP_DERIVE = (1 << 10) //checkheader:ignore + _EVP_MAX_MD_SIZE = 64 + + _EVP_PKEY_PUBLIC_KEY = 0x86 + _EVP_PKEY_KEYPAIR = 0x87 + + _EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID = 0x1001 + + _EVP_KDF_HKDF_MODE_EXTRACT_ONLY = 1 + _EVP_KDF_HKDF_MODE_EXPAND_ONLY = 2 + + _EVP_PKEY_CTRL_TLS_MD = 0x1000 + _EVP_PKEY_CTRL_TLS_SECRET = 0x1001 + _EVP_PKEY_CTRL_TLS_SEED = 0x1002 + _EVP_PKEY_CTRL_HKDF_MD = 0x1003 + _EVP_PKEY_CTRL_HKDF_SALT = 0x1004 + _EVP_PKEY_CTRL_HKDF_KEY = 0x1005 + _EVP_PKEY_CTRL_HKDF_INFO = 0x1006 + _EVP_PKEY_CTRL_HKDF_MODE = 0x1007 + + _NID_X9_62_prime256v1 = 415 + _NID_secp224r1 = 713 + _NID_secp384r1 = 715 + _NID_secp521r1 = 716 + + _RSA_PKCS1_PADDING = 1 + _RSA_NO_PADDING = 3 + _RSA_PKCS1_OAEP_PADDING = 4 + _RSA_PKCS1_PSS_PADDING = 6 + _RSA_PSS_SALTLEN_DIGEST = -1 + _RSA_PSS_SALTLEN_AUTO = -2 + _RSA_PSS_SALTLEN_MAX_SIGN = -2 + _RSA_PSS_SALTLEN_MAX = -3 + _EVP_PKEY_CTRL_RSA_PADDING = 0x1001 + _EVP_PKEY_CTRL_RSA_PSS_SALTLEN = 0x1002 + _EVP_PKEY_CTRL_RSA_KEYGEN_BITS = 0x1003 + _EVP_PKEY_CTRL_RSA_MGF1_MD = 0x1005 + _EVP_PKEY_CTRL_RSA_OAEP_MD = 0x1009 + _EVP_PKEY_CTRL_RSA_OAEP_LABEL = 0x100A + _EVP_PKEY_CTRL_DSA_PARAMGEN_BITS = 0x1001 + _EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS = 0x1002 +) diff --git a/dsa.go b/dsa.go index c9313b1..6c2258b 100644 --- a/dsa.go +++ b/dsa.go @@ -11,7 +11,7 @@ import ( // SupportsDSA returns true if the OpenSSL library supports DSA. func SupportsDSA() bool { - ctx := C.go_openssl_EVP_PKEY_CTX_new_id(C.GO_EVP_PKEY_DSA, nil) + ctx := C.go_openssl_EVP_PKEY_CTX_new_id(_EVP_PKEY_DSA, nil) if ctx == nil { return false } @@ -66,7 +66,7 @@ func GenerateParametersDSA(l, n int) (DSAParameters, error) { // extracting the domain parameters from it. // Generate a new DSA key context and set the known parameters. - ctx := C.go_openssl_EVP_PKEY_CTX_new_id(C.GO_EVP_PKEY_DSA, nil) + ctx := C.go_openssl_EVP_PKEY_CTX_new_id(_EVP_PKEY_DSA, nil) if ctx == nil { return DSAParameters{}, newOpenSSLError("EVP_PKEY_CTX_new_id failed") } @@ -74,10 +74,10 @@ func GenerateParametersDSA(l, n int) (DSAParameters, error) { if C.go_openssl_EVP_PKEY_paramgen_init(ctx) != 1 { return DSAParameters{}, newOpenSSLError("EVP_PKEY_paramgen_init failed") } - if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, C.GO_EVP_PKEY_DSA, -1, C.GO_EVP_PKEY_CTRL_DSA_PARAMGEN_BITS, C.int(l), nil) != 1 { + if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, _EVP_PKEY_DSA, -1, _EVP_PKEY_CTRL_DSA_PARAMGEN_BITS, C.int(l), nil) != 1 { return DSAParameters{}, newOpenSSLError("EVP_PKEY_CTX_ctrl failed") } - if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, C.GO_EVP_PKEY_DSA, -1, C.GO_EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS, C.int(n), nil) != 1 { + if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, _EVP_PKEY_DSA, -1, _EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS, C.int(n), nil) != 1 { return DSAParameters{}, newOpenSSLError("EVP_PKEY_CTX_ctrl failed") } var pkey C.GO_EVP_PKEY_PTR @@ -228,7 +228,7 @@ func newDSA1(params DSAParameters, x, y BigInt) (pkey C.GO_EVP_PKEY_PTR, err err if pkey == nil { return nil, newOpenSSLError("EVP_PKEY_new failed") } - if C.go_openssl_EVP_PKEY_assign(pkey, C.GO_EVP_PKEY_DSA, unsafe.Pointer(dsa)) != 1 { + if C.go_openssl_EVP_PKEY_assign(pkey, _EVP_PKEY_DSA, unsafe.Pointer(dsa)) != 1 { C.go_openssl_EVP_PKEY_free(pkey) return nil, newOpenSSLError("EVP_PKEY_assign failed") } @@ -247,11 +247,11 @@ func newDSA3(params DSAParameters, x, y BigInt) (C.GO_EVP_PKEY_PTR, error) { bld.addBigInt(_OSSL_PKEY_PARAM_FFC_P, params.P, false) bld.addBigInt(_OSSL_PKEY_PARAM_FFC_Q, params.Q, false) bld.addBigInt(_OSSL_PKEY_PARAM_FFC_G, params.G, false) - selection := C.int(C.GO_EVP_PKEY_KEYPAIR) + selection := C.int(_EVP_PKEY_KEYPAIR) if y != nil { bld.addBigInt(_OSSL_PKEY_PARAM_PUB_KEY, y, false) if x == nil { - selection = C.int(C.GO_EVP_PKEY_PUBLIC_KEY) + selection = _EVP_PKEY_PUBLIC_KEY } } if x != nil { @@ -262,7 +262,7 @@ func newDSA3(params DSAParameters, x, y BigInt) (C.GO_EVP_PKEY_PTR, error) { return nil, err } defer C.go_openssl_OSSL_PARAM_free(bldparams) - pkey, err := newEvpFromParams(C.GO_EVP_PKEY_DSA, selection, bldparams) + pkey, err := newEvpFromParams(_EVP_PKEY_DSA, selection, bldparams) if err != nil { return nil, err } diff --git a/ec.go b/ec.go index 734c14b..14a729a 100644 --- a/ec.go +++ b/ec.go @@ -8,13 +8,13 @@ import "C" func curveNID(curve string) C.int { switch curve { case "P-224": - return C.GO_NID_secp224r1 + return _NID_secp224r1 case "P-256": - return C.GO_NID_X9_62_prime256v1 + return _NID_X9_62_prime256v1 case "P-384": - return C.GO_NID_secp384r1 + return _NID_secp384r1 case "P-521": - return C.GO_NID_secp521r1 + return _NID_secp521r1 default: panic("openssl: unknown curve " + curve) } @@ -39,13 +39,13 @@ func curveSize(curve string) int { // encodeEcPoint encodes pt. func encodeEcPoint(group C.GO_EC_GROUP_PTR, pt C.GO_EC_POINT_PTR) ([]byte, error) { // Get encoded point size. - n := C.go_openssl_EC_POINT_point2oct(group, pt, C.GO_POINT_CONVERSION_UNCOMPRESSED, nil, 0, nil) + n := C.go_openssl_EC_POINT_point2oct(group, pt, _POINT_CONVERSION_UNCOMPRESSED, nil, 0, nil) if n == 0 { return nil, newOpenSSLError("EC_POINT_point2oct") } // Encode point into bytes. bytes := make([]byte, n) - n = C.go_openssl_EC_POINT_point2oct(group, pt, C.GO_POINT_CONVERSION_UNCOMPRESSED, base(bytes), n, nil) + n = C.go_openssl_EC_POINT_point2oct(group, pt, _POINT_CONVERSION_UNCOMPRESSED, base(bytes), n, nil) if n == 0 { return nil, newOpenSSLError("EC_POINT_point2oct") } diff --git a/ecdh.go b/ecdh.go index 14e7d7f..b5e7e26 100644 --- a/ecdh.go +++ b/ecdh.go @@ -197,10 +197,10 @@ func newECDHPkey3(nid C.int, bytes []byte, isPrivate bool) (C.GO_EVP_PKEY_PTR, e } bld.addOctetString(_OSSL_PKEY_PARAM_PUB_KEY, pubBytes) bld.addBN(_OSSL_PKEY_PARAM_PRIV_KEY, priv) - selection = C.GO_EVP_PKEY_KEYPAIR + selection = _EVP_PKEY_KEYPAIR } else { bld.addOctetString(_OSSL_PKEY_PARAM_PUB_KEY, bytes) - selection = C.GO_EVP_PKEY_PUBLIC_KEY + selection = _EVP_PKEY_PUBLIC_KEY } params, err := bld.build() @@ -208,7 +208,7 @@ func newECDHPkey3(nid C.int, bytes []byte, isPrivate bool) (C.GO_EVP_PKEY_PTR, e return nil, err } defer C.go_openssl_OSSL_PARAM_free(params) - pkey, err := newEvpFromParams(C.GO_EVP_PKEY_EC, selection, params) + pkey, err := newEvpFromParams(_EVP_PKEY_EC, selection, params) if err != nil { return nil, err } @@ -261,7 +261,7 @@ func ECDH(priv *PrivateKeyECDH, pub *PublicKeyECDH) ([]byte, error) { } func GenerateKeyECDH(curve string) (*PrivateKeyECDH, []byte, error) { - pkey, err := generateEVPPKey(C.GO_EVP_PKEY_EC, 0, curve) + pkey, err := generateEVPPKey(_EVP_PKEY_EC, 0, curve) if err != nil { return nil, nil, err } diff --git a/ecdsa.go b/ecdsa.go index 382a12c..c035ee3 100644 --- a/ecdsa.go +++ b/ecdsa.go @@ -62,7 +62,7 @@ func NewPrivateKeyECDSA(curve string, x, y, d BigInt) (*PrivateKeyECDSA, error) func GenerateKeyECDSA(curve string) (x, y, d BigInt, err error) { // Generate the private key. - pkey, err := generateEVPPKey(C.GO_EVP_PKEY_EC, 0, curve) + pkey, err := generateEVPPKey(_EVP_PKEY_EC, 0, curve) if err != nil { return nil, nil, nil, err } @@ -195,14 +195,14 @@ func newECDSAKey3(nid C.int, bx, by, bd C.GO_BIGNUM_PTR) (C.GO_EVP_PKEY_PTR, err var selection C.int if bd != nil { bld.addBN(_OSSL_PKEY_PARAM_PRIV_KEY, bd) - selection = C.GO_EVP_PKEY_KEYPAIR + selection = _EVP_PKEY_KEYPAIR } else { - selection = C.GO_EVP_PKEY_PUBLIC_KEY + selection = _EVP_PKEY_PUBLIC_KEY } params, err := bld.build() if err != nil { return nil, err } defer C.go_openssl_OSSL_PARAM_free(params) - return newEvpFromParams(C.GO_EVP_PKEY_EC, selection, params) + return newEvpFromParams(_EVP_PKEY_EC, selection, params) } diff --git a/ed25519.go b/ed25519.go index 218bd51..2384568 100644 --- a/ed25519.go +++ b/ed25519.go @@ -29,7 +29,7 @@ var supportsEd25519 = sync.OnceValue(func() bool { switch vMajor { case 1: if versionAtOrAbove(1, 1, 1) { - ctx := C.go_openssl_EVP_PKEY_CTX_new_id(C.GO_EVP_PKEY_ED25519, nil) + ctx := C.go_openssl_EVP_PKEY_CTX_new_id(_EVP_PKEY_ED25519, nil) if ctx != nil { C.go_openssl_EVP_PKEY_CTX_free(ctx) return true @@ -99,7 +99,7 @@ func (k *PrivateKeyEd25519) Public() (*PublicKeyEd25519, error) { // GenerateKeyEd25519 generates a private key. func GenerateKeyEd25519() (*PrivateKeyEd25519, error) { - pkeyPriv, err := generateEVPPKey(C.GO_EVP_PKEY_ED25519, 0, "") + pkeyPriv, err := generateEVPPKey(_EVP_PKEY_ED25519, 0, "") if err != nil { return nil, err } @@ -129,7 +129,7 @@ func NewPublicKeyEd25519(pub []byte) (*PublicKeyEd25519, error) { if len(pub) != publicKeySizeEd25519 { panic("ed25519: bad public key length: " + strconv.Itoa(len(pub))) } - pkey := C.go_openssl_EVP_PKEY_new_raw_public_key(C.GO_EVP_PKEY_ED25519, nil, base(pub), C.size_t(len(pub))) + pkey := C.go_openssl_EVP_PKEY_new_raw_public_key(_EVP_PKEY_ED25519, nil, base(pub), C.size_t(len(pub))) if pkey == nil { return nil, newOpenSSLError("EVP_PKEY_new_raw_public_key") } @@ -145,7 +145,7 @@ func NewPrivateKeyEd25519FromSeed(seed []byte) (*PrivateKeyEd25519, error) { if len(seed) != seedSizeEd25519 { panic("ed25519: bad seed length: " + strconv.Itoa(len(seed))) } - pkey := C.go_openssl_EVP_PKEY_new_raw_private_key(C.GO_EVP_PKEY_ED25519, nil, base(seed), C.size_t(len(seed))) + pkey := C.go_openssl_EVP_PKEY_new_raw_private_key(_EVP_PKEY_ED25519, nil, base(seed), C.size_t(len(seed))) if pkey == nil { return nil, newOpenSSLError("EVP_PKEY_new_raw_private_key") } diff --git a/evp.go b/evp.go index 99f5fce..814bcd9 100644 --- a/evp.go +++ b/evp.go @@ -180,12 +180,12 @@ func generateEVPPKey(id C.int, bits int, curve string) (C.GO_EVP_PKEY_PTR, error return nil, newOpenSSLError("EVP_PKEY_keygen_init") } if bits != 0 { - if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, id, -1, C.GO_EVP_PKEY_CTRL_RSA_KEYGEN_BITS, C.int(bits), nil) != 1 { + if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, id, -1, _EVP_PKEY_CTRL_RSA_KEYGEN_BITS, C.int(bits), nil) != 1 { return nil, newOpenSSLError("EVP_PKEY_CTX_ctrl") } } if curve != "" { - if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, id, -1, C.GO_EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID, curveNID(curve), nil) != 1 { + if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, id, -1, _EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID, curveNID(curve), nil) != 1 { return nil, newOpenSSLError("EVP_PKEY_CTX_ctrl") } } @@ -194,11 +194,11 @@ func generateEVPPKey(id C.int, bits int, curve string) (C.GO_EVP_PKEY_PTR, error } case 3: switch id { - case C.GO_EVP_PKEY_RSA: + case _EVP_PKEY_RSA: pkey = C.go_openssl_EVP_PKEY_Q_keygen_RSA(nil, nil, _KeyTypeRSA.ptr(), C.size_t(bits)) - case C.GO_EVP_PKEY_EC: + case _EVP_PKEY_EC: pkey = C.go_openssl_EVP_PKEY_Q_keygen_EC(nil, nil, _KeyTypeEC.ptr(), C.go_openssl_OBJ_nid2sn(curveNID(curve))) - case C.GO_EVP_PKEY_ED25519: + case _EVP_PKEY_ED25519: pkey = C.go_openssl_EVP_PKEY_Q_keygen(nil, nil, _KeyTypeED25519.ptr()) default: panic("unsupported key type '" + strconv.Itoa(int(id)) + "'") @@ -246,13 +246,13 @@ func setupEVP(withKey withKeyFunc, padding C.int, // Each padding type has its own requirements in terms of when to apply the padding, // so it can't be just set at this point. setPadding := func() error { - if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, C.GO_EVP_PKEY_RSA, -1, C.GO_EVP_PKEY_CTRL_RSA_PADDING, padding, nil) != 1 { + if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, _EVP_PKEY_RSA, -1, _EVP_PKEY_CTRL_RSA_PADDING, padding, nil) != 1 { return newOpenSSLError("EVP_PKEY_CTX_ctrl failed") } return nil } switch padding { - case C.GO_RSA_PKCS1_OAEP_PADDING: + case _RSA_PKCS1_OAEP_PADDING: md := hashToMD(h) if md == nil { return nil, errors.New("crypto/rsa: unsupported hash function") @@ -269,11 +269,11 @@ func setupEVP(withKey withKeyFunc, padding C.int, if err := setPadding(); err != nil { return nil, err } - if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, C.GO_EVP_PKEY_RSA, -1, C.GO_EVP_PKEY_CTRL_RSA_OAEP_MD, 0, unsafe.Pointer(md)) != 1 { + if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, _EVP_PKEY_RSA, -1, _EVP_PKEY_CTRL_RSA_OAEP_MD, 0, unsafe.Pointer(md)) != 1 { return nil, newOpenSSLError("EVP_PKEY_CTX_ctrl failed") } if mgfHash != nil { - if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, C.GO_EVP_PKEY_RSA, -1, C.GO_EVP_PKEY_CTRL_RSA_MGF1_MD, 0, unsafe.Pointer(mgfMD)) != 1 { + if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, _EVP_PKEY_RSA, -1, _EVP_PKEY_CTRL_RSA_MGF1_MD, 0, unsafe.Pointer(mgfMD)) != 1 { return nil, newOpenSSLError("EVP_PKEY_CTX_ctrl failed") } } @@ -291,7 +291,7 @@ func setupEVP(withKey withKeyFunc, padding C.int, err = newOpenSSLError("EVP_PKEY_CTX_set0_rsa_oaep_label failed") } } else { - ret := C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, C.GO_EVP_PKEY_RSA, -1, C.GO_EVP_PKEY_CTRL_RSA_OAEP_LABEL, C.int(len(label)), unsafe.Pointer(clabel)) + ret := C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, _EVP_PKEY_RSA, -1, _EVP_PKEY_CTRL_RSA_OAEP_LABEL, C.int(len(label)), unsafe.Pointer(clabel)) if ret != 1 { err = newOpenSSLError("EVP_PKEY_CTX_ctrl failed") } @@ -301,12 +301,12 @@ func setupEVP(withKey withKeyFunc, padding C.int, return nil, err } } - case C.GO_RSA_PKCS1_PSS_PADDING: + case _RSA_PKCS1_PSS_PADDING: alg := loadHash(ch) if alg == nil { return nil, errors.New("crypto/rsa: unsupported hash function") } - if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, C.GO_EVP_PKEY_RSA, -1, C.GO_EVP_PKEY_CTRL_MD, 0, unsafe.Pointer(alg.md)) != 1 { + if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, _EVP_PKEY_RSA, -1, _EVP_PKEY_CTRL_MD, 0, unsafe.Pointer(alg.md)) != 1 { return nil, newOpenSSLError("EVP_PKEY_CTX_ctrl failed") } // setPadding must happen after setting EVP_PKEY_CTRL_MD. @@ -314,19 +314,19 @@ func setupEVP(withKey withKeyFunc, padding C.int, return nil, err } if saltLen != 0 { - if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, C.GO_EVP_PKEY_RSA, -1, C.GO_EVP_PKEY_CTRL_RSA_PSS_SALTLEN, saltLen, nil) != 1 { + if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, _EVP_PKEY_RSA, -1, _EVP_PKEY_CTRL_RSA_PSS_SALTLEN, saltLen, nil) != 1 { return nil, newOpenSSLError("EVP_PKEY_CTX_ctrl failed") } } - case C.GO_RSA_PKCS1_PADDING: + case _RSA_PKCS1_PADDING: if ch != 0 { // We support unhashed messages. alg := loadHash(ch) if alg == nil { return nil, errors.New("crypto/rsa: unsupported hash function") } - if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, -1, -1, C.GO_EVP_PKEY_CTRL_MD, 0, unsafe.Pointer(alg.md)) != 1 { + if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, -1, -1, _EVP_PKEY_CTRL_MD, 0, unsafe.Pointer(alg.md)) != 1 { return nil, newOpenSSLError("EVP_PKEY_CTX_ctrl failed") } if err := setPadding(); err != nil { @@ -501,7 +501,7 @@ func newEVPPKEY(key C.GO_EC_KEY_PTR) (C.GO_EVP_PKEY_PTR, error) { if pkey == nil { return nil, newOpenSSLError("EVP_PKEY_new failed") } - if C.go_openssl_EVP_PKEY_assign(pkey, C.GO_EVP_PKEY_EC, unsafe.Pointer(key)) != 1 { + if C.go_openssl_EVP_PKEY_assign(pkey, _EVP_PKEY_EC, unsafe.Pointer(key)) != 1 { C.go_openssl_EVP_PKEY_free(pkey) return nil, newOpenSSLError("EVP_PKEY_assign failed") } diff --git a/hkdf.go b/hkdf.go index 64b015f..009c3e9 100644 --- a/hkdf.go +++ b/hkdf.go @@ -29,7 +29,7 @@ func SupportsHKDF() bool { func newHKDFCtx1(md C.GO_EVP_MD_PTR, mode C.int, secret, salt, pseudorandomKey, info []byte) (ctx C.GO_EVP_PKEY_CTX_PTR, err error) { checkMajorVersion(1) - ctx = C.go_openssl_EVP_PKEY_CTX_new_id(C.GO_EVP_PKEY_HKDF, nil) + ctx = C.go_openssl_EVP_PKEY_CTX_new_id(_EVP_PKEY_HKDF, nil) if ctx == nil { return nil, newOpenSSLError("EVP_PKEY_CTX_new_id") } @@ -47,25 +47,25 @@ func newHKDFCtx1(md C.GO_EVP_MD_PTR, mode C.int, secret, salt, pseudorandomKey, if len(data) == 0 { return 1 // No data to set. } - return C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, -1, C.GO1_EVP_PKEY_OP_DERIVE, C.int(ctrl), C.int(len(data)), unsafe.Pointer(base(data))) + return C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, -1, _EVP_PKEY_OP_DERIVE, C.int(ctrl), C.int(len(data)), unsafe.Pointer(base(data))) } - if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, -1, C.GO1_EVP_PKEY_OP_DERIVE, C.GO_EVP_PKEY_CTRL_HKDF_MODE, mode, nil) != 1 { + if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, -1, _EVP_PKEY_OP_DERIVE, _EVP_PKEY_CTRL_HKDF_MODE, mode, nil) != 1 { return ctx, newOpenSSLError("EVP_PKEY_CTX_set_hkdf_mode") } - if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, -1, C.GO1_EVP_PKEY_OP_DERIVE, C.GO_EVP_PKEY_CTRL_HKDF_MD, 0, unsafe.Pointer(md)) != 1 { + if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, -1, _EVP_PKEY_OP_DERIVE, _EVP_PKEY_CTRL_HKDF_MD, 0, unsafe.Pointer(md)) != 1 { return ctx, newOpenSSLError("EVP_PKEY_CTX_set_hkdf_md") } - if ctrlSlice(C.GO_EVP_PKEY_CTRL_HKDF_KEY, secret) != 1 { + if ctrlSlice(_EVP_PKEY_CTRL_HKDF_KEY, secret) != 1 { return ctx, newOpenSSLError("EVP_PKEY_CTX_set1_hkdf_key") } - if ctrlSlice(C.GO_EVP_PKEY_CTRL_HKDF_SALT, salt) != 1 { + if ctrlSlice(_EVP_PKEY_CTRL_HKDF_SALT, salt) != 1 { return ctx, newOpenSSLError("EVP_PKEY_CTX_set1_hkdf_salt") } - if ctrlSlice(C.GO_EVP_PKEY_CTRL_HKDF_KEY, pseudorandomKey) != 1 { + if ctrlSlice(_EVP_PKEY_CTRL_HKDF_KEY, pseudorandomKey) != 1 { return ctx, newOpenSSLError("EVP_PKEY_CTX_set1_hkdf_key") } - if ctrlSlice(C.GO_EVP_PKEY_CTRL_HKDF_INFO, info) != 1 { + if ctrlSlice(_EVP_PKEY_CTRL_HKDF_INFO, info) != 1 { return ctx, newOpenSSLError("EVP_PKEY_CTX_add1_hkdf_info") } return ctx, nil @@ -121,7 +121,7 @@ func ExtractHKDF(h func() hash.Hash, secret, salt []byte) ([]byte, error) { switch vMajor { case 1: - ctx, err := newHKDFCtx1(md, C.GO_EVP_KDF_HKDF_MODE_EXTRACT_ONLY, secret, salt, nil, nil) + ctx, err := newHKDFCtx1(md, _EVP_KDF_HKDF_MODE_EXTRACT_ONLY, secret, salt, nil, nil) if err != nil { return nil, err } @@ -136,7 +136,7 @@ func ExtractHKDF(h func() hash.Hash, secret, salt []byte) ([]byte, error) { } return out[:keylen], nil case 3: - ctx, err := newHKDFCtx3(md, C.GO_EVP_KDF_HKDF_MODE_EXTRACT_ONLY, secret, salt, nil, nil) + ctx, err := newHKDFCtx3(md, _EVP_KDF_HKDF_MODE_EXTRACT_ONLY, secret, salt, nil, nil) if err != nil { return nil, err } @@ -165,7 +165,7 @@ func ExpandHKDFOneShot(h func() hash.Hash, pseudorandomKey, info []byte, keyLeng out := make([]byte, keyLength) switch vMajor { case 1: - ctx, err := newHKDFCtx1(md, C.GO_EVP_KDF_HKDF_MODE_EXPAND_ONLY, nil, nil, pseudorandomKey, info) + ctx, err := newHKDFCtx1(md, _EVP_KDF_HKDF_MODE_EXPAND_ONLY, nil, nil, pseudorandomKey, info) if err != nil { return nil, err } @@ -175,7 +175,7 @@ func ExpandHKDFOneShot(h func() hash.Hash, pseudorandomKey, info []byte, keyLeng return nil, newOpenSSLError("EVP_PKEY_derive") } case 3: - ctx, err := newHKDFCtx3(md, C.GO_EVP_KDF_HKDF_MODE_EXPAND_ONLY, nil, nil, pseudorandomKey, info) + ctx, err := newHKDFCtx3(md, _EVP_KDF_HKDF_MODE_EXPAND_ONLY, nil, nil, pseudorandomKey, info) if err != nil { return nil, err } @@ -201,7 +201,7 @@ func ExpandHKDF(h func() hash.Hash, pseudorandomKey, info []byte) (io.Reader, er switch vMajor { case 1: - ctx, err := newHKDFCtx1(md, C.GO_EVP_KDF_HKDF_MODE_EXPAND_ONLY, nil, nil, pseudorandomKey, info) + ctx, err := newHKDFCtx1(md, _EVP_KDF_HKDF_MODE_EXPAND_ONLY, nil, nil, pseudorandomKey, info) if err != nil { return nil, err } @@ -209,7 +209,7 @@ func ExpandHKDF(h func() hash.Hash, pseudorandomKey, info []byte) (io.Reader, er runtime.SetFinalizer(c, (*hkdf1).finalize) return c, nil case 3: - ctx, err := newHKDFCtx3(md, C.GO_EVP_KDF_HKDF_MODE_EXPAND_ONLY, nil, nil, pseudorandomKey, info) + ctx, err := newHKDFCtx3(md, _EVP_KDF_HKDF_MODE_EXPAND_ONLY, nil, nil, pseudorandomKey, info) if err != nil { return nil, err } diff --git a/hmac.go b/hmac.go index 6573167..ec3ef46 100644 --- a/hmac.go +++ b/hmac.go @@ -28,7 +28,7 @@ func NewHMAC(fh func() hash.Hash, key []byte) hash.Hash { // HMAC_Init will try and reuse the key from the ctx. This is // not the behavior previously implemented, so as a workaround // we pass an "empty" key. - key = make([]byte, C.GO_EVP_MAX_MD_SIZE) + key = make([]byte, _EVP_MAX_MD_SIZE) } hmac := &opensslHMAC{ diff --git a/init.go b/init.go index a2ed21d..13d1c1f 100644 --- a/init.go +++ b/init.go @@ -48,8 +48,12 @@ func opensslInit(file string) (major, minor, patch uint, err error) { // Initialize OpenSSL. C.go_openssl_OPENSSL_init() - flags := C.uint64_t(C.GO_OPENSSL_INIT_ADD_ALL_CIPHERS | C.GO_OPENSSL_INIT_ADD_ALL_DIGESTS | C.GO_OPENSSL_INIT_LOAD_CONFIG | C.GO_OPENSSL_INIT_LOAD_CRYPTO_STRINGS) - if C.go_openssl_OPENSSL_init_crypto(flags, nil) != 1 { + if C.go_openssl_OPENSSL_init_crypto( + _OPENSSL_INIT_ADD_ALL_CIPHERS| + _OPENSSL_INIT_ADD_ALL_DIGESTS| + _OPENSSL_INIT_LOAD_CONFIG| + _OPENSSL_INIT_LOAD_CRYPTO_STRINGS, + nil) != 1 { return 0, 0, 0, fail("openssl: init crypto") } return major, minor, patch, nil diff --git a/rsa.go b/rsa.go index 4747d0a..a3fd96b 100644 --- a/rsa.go +++ b/rsa.go @@ -17,7 +17,7 @@ func GenerateKeyRSA(bits int) (N, E, D, P, Q, Dp, Dq, Qinv BigInt, err error) { bad := func(e error) (N, E, D, P, Q, Dp, Dq, Qinv BigInt, err error) { return nil, nil, nil, nil, nil, nil, nil, nil, e } - pkey, err := generateEVPPKey(C.GO_EVP_PKEY_RSA, bits, "") + pkey, err := generateEVPPKey(_EVP_PKEY_RSA, bits, "") if err != nil { return bad(err) } @@ -94,7 +94,7 @@ func NewPublicKeyRSA(n, e BigInt) (*PublicKeyRSA, error) { C.go_openssl_RSA_free(key) return nil, newOpenSSLError("EVP_PKEY_new failed") } - if C.go_openssl_EVP_PKEY_assign(pkey, C.GO_EVP_PKEY_RSA, (unsafe.Pointer)(key)) != 1 { + if C.go_openssl_EVP_PKEY_assign(pkey, _EVP_PKEY_RSA, (unsafe.Pointer)(key)) != 1 { C.go_openssl_RSA_free(key) C.go_openssl_EVP_PKEY_free(pkey) return nil, newOpenSSLError("EVP_PKEY_assign failed") @@ -155,7 +155,7 @@ func NewPrivateKeyRSA(n, e, d, p, q, dp, dq, qinv BigInt) (*PrivateKeyRSA, error C.go_openssl_RSA_free(key) return nil, newOpenSSLError("EVP_PKEY_new failed") } - if C.go_openssl_EVP_PKEY_assign(pkey, C.GO_EVP_PKEY_RSA, (unsafe.Pointer)(key)) != 1 { + if C.go_openssl_EVP_PKEY_assign(pkey, _EVP_PKEY_RSA, (unsafe.Pointer)(key)) != 1 { C.go_openssl_RSA_free(key) C.go_openssl_EVP_PKEY_free(pkey) return nil, newOpenSSLError("EVP_PKEY_assign failed") @@ -186,23 +186,23 @@ func (k *PrivateKeyRSA) withKey(f func(C.GO_EVP_PKEY_PTR) C.int) C.int { } func DecryptRSAOAEP(h, mgfHash hash.Hash, priv *PrivateKeyRSA, ciphertext, label []byte) ([]byte, error) { - return evpDecrypt(priv.withKey, C.GO_RSA_PKCS1_OAEP_PADDING, h, mgfHash, label, ciphertext) + return evpDecrypt(priv.withKey, _RSA_PKCS1_OAEP_PADDING, h, mgfHash, label, ciphertext) } func EncryptRSAOAEP(h, mgfHash hash.Hash, pub *PublicKeyRSA, msg, label []byte) ([]byte, error) { - return evpEncrypt(pub.withKey, C.GO_RSA_PKCS1_OAEP_PADDING, h, mgfHash, label, msg) + return evpEncrypt(pub.withKey, _RSA_PKCS1_OAEP_PADDING, h, mgfHash, label, msg) } func DecryptRSAPKCS1(priv *PrivateKeyRSA, ciphertext []byte) ([]byte, error) { - return evpDecrypt(priv.withKey, C.GO_RSA_PKCS1_PADDING, nil, nil, nil, ciphertext) + return evpDecrypt(priv.withKey, _RSA_PKCS1_PADDING, nil, nil, nil, ciphertext) } func EncryptRSAPKCS1(pub *PublicKeyRSA, msg []byte) ([]byte, error) { - return evpEncrypt(pub.withKey, C.GO_RSA_PKCS1_PADDING, nil, nil, nil, msg) + return evpEncrypt(pub.withKey, _RSA_PKCS1_PADDING, nil, nil, nil, msg) } func DecryptRSANoPadding(priv *PrivateKeyRSA, ciphertext []byte) ([]byte, error) { - ret, err := evpDecrypt(priv.withKey, C.GO_RSA_NO_PADDING, nil, nil, nil, ciphertext) + ret, err := evpDecrypt(priv.withKey, _RSA_NO_PADDING, nil, nil, nil, ciphertext) if err != nil { return nil, err } @@ -226,7 +226,7 @@ func DecryptRSANoPadding(priv *PrivateKeyRSA, ciphertext []byte) ([]byte, error) } func EncryptRSANoPadding(pub *PublicKeyRSA, msg []byte) ([]byte, error) { - return evpEncrypt(pub.withKey, C.GO_RSA_NO_PADDING, nil, nil, nil, msg) + return evpEncrypt(pub.withKey, _RSA_NO_PADDING, nil, nil, nil, msg) } func saltLength(saltLen int, sign bool) (C.int, error) { @@ -241,14 +241,14 @@ func saltLength(saltLen int, sign bool) (C.int, error) { if sign { if vMajor == 1 { // OpenSSL 1.x uses -2 to mean maximal size when signing where Go crypto uses 0. - return C.GO_RSA_PSS_SALTLEN_MAX_SIGN, nil + return _RSA_PSS_SALTLEN_MAX_SIGN, nil } // OpenSSL 3.x deprecated RSA_PSS_SALTLEN_MAX_SIGN // and uses -3 to mean maximal size when signing where Go crypto uses 0. - return C.GO_RSA_PSS_SALTLEN_MAX, nil + return _RSA_PSS_SALTLEN_MAX, nil } // OpenSSL uses -2 to mean auto-detect size when verifying where Go crypto uses 0. - return C.GO_RSA_PSS_SALTLEN_AUTO, nil + return _RSA_PSS_SALTLEN_AUTO, nil } return C.int(saltLen), nil } @@ -258,7 +258,7 @@ func SignRSAPSS(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte, saltLen int) if err != nil { return nil, err } - return evpSign(priv.withKey, C.GO_RSA_PKCS1_PSS_PADDING, cSaltLen, h, hashed) + return evpSign(priv.withKey, _RSA_PKCS1_PSS_PADDING, cSaltLen, h, hashed) } func VerifyRSAPSS(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte, saltLen int) error { @@ -266,11 +266,11 @@ func VerifyRSAPSS(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte, saltLen if err != nil { return err } - return evpVerify(pub.withKey, C.GO_RSA_PKCS1_PSS_PADDING, cSaltLen, h, sig, hashed) + return evpVerify(pub.withKey, _RSA_PKCS1_PSS_PADDING, cSaltLen, h, sig, hashed) } func SignRSAPKCS1v15(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte) ([]byte, error) { - return evpSign(priv.withKey, C.GO_RSA_PKCS1_PADDING, 0, h, hashed) + return evpSign(priv.withKey, _RSA_PKCS1_PADDING, 0, h, hashed) } func HashSignRSAPKCS1v15(priv *PrivateKeyRSA, h crypto.Hash, msg []byte) ([]byte, error) { @@ -287,7 +287,7 @@ func VerifyRSAPKCS1v15(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte) err }) == 0 { return errors.New("crypto/rsa: verification error") } - return evpVerify(pub.withKey, C.GO_RSA_PKCS1_PADDING, 0, h, sig, hashed) + return evpVerify(pub.withKey, _RSA_PKCS1_PADDING, 0, h, sig, hashed) } func HashVerifyRSAPKCS1v15(pub *PublicKeyRSA, h crypto.Hash, msg, sig []byte) error { @@ -329,9 +329,9 @@ func newRSAKey3(isPriv bool, n, e, d, p, q, dp, dq, qinv BigInt) (C.GO_EVP_PKEY_ return nil, err } defer C.go_openssl_OSSL_PARAM_free(params) - selection := C.GO_EVP_PKEY_PUBLIC_KEY + selection := _EVP_PKEY_PUBLIC_KEY if isPriv { - selection = C.GO_EVP_PKEY_KEYPAIR + selection = _EVP_PKEY_KEYPAIR } - return newEvpFromParams(C.GO_EVP_PKEY_RSA, C.int(selection), params) + return newEvpFromParams(_EVP_PKEY_RSA, C.int(selection), params) } diff --git a/shims.h b/shims.h index a1f229c..f747a2f 100644 --- a/shims.h +++ b/shims.h @@ -1,86 +1,7 @@ #include // size_t #include // uint64_t -// #include -enum { - GO_OPENSSL_INIT_LOAD_CRYPTO_STRINGS = 0x00000002L, - GO_OPENSSL_INIT_ADD_ALL_CIPHERS = 0x00000004L, - GO_OPENSSL_INIT_ADD_ALL_DIGESTS = 0x00000008L, - GO_OPENSSL_INIT_LOAD_CONFIG = 0x00000040L -}; - -// #include -enum { - GO_EVP_CTRL_GCM_GET_TAG = 0x10, - GO_EVP_CTRL_GCM_SET_TAG = 0x11, - GO_EVP_PKEY_CTRL_MD = 1, - GO_EVP_PKEY_RSA = 6, - GO_EVP_PKEY_EC = 408, - GO_EVP_PKEY_TLS1_PRF = 1021, - GO_EVP_PKEY_HKDF = 1036, - GO_EVP_PKEY_ED25519 = 1087, - GO_EVP_PKEY_DSA = 116, - /* This is defined differently in OpenSSL 3 (1 << 11), but in our - * code it is only used in OpenSSL 1. - */ - GO1_EVP_PKEY_OP_DERIVE = (1 << 10), - GO_EVP_MAX_MD_SIZE = 64, - - GO_EVP_PKEY_PUBLIC_KEY = 0x86, - GO_EVP_PKEY_KEYPAIR = 0x87 -}; - -// #include -enum { - GO_EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID = 0x1001 -}; - -// #include -enum { - GO_EVP_KDF_HKDF_MODE_EXTRACT_ONLY = 1, - GO_EVP_KDF_HKDF_MODE_EXPAND_ONLY = 2, - - GO_EVP_PKEY_CTRL_TLS_MD = 0x1000, - GO_EVP_PKEY_CTRL_TLS_SECRET = 0x1001, - GO_EVP_PKEY_CTRL_TLS_SEED = 0x1002, - GO_EVP_PKEY_CTRL_HKDF_MD = 0x1003, - GO_EVP_PKEY_CTRL_HKDF_SALT = 0x1004, - GO_EVP_PKEY_CTRL_HKDF_KEY = 0x1005, - GO_EVP_PKEY_CTRL_HKDF_INFO = 0x1006, - GO_EVP_PKEY_CTRL_HKDF_MODE = 0x1007 -}; - -typedef enum { - GO_POINT_CONVERSION_UNCOMPRESSED = 4, -} point_conversion_form_t; - -// #include -enum { - GO_NID_X9_62_prime256v1 = 415, - GO_NID_secp224r1 = 713, - GO_NID_secp384r1 = 715, - GO_NID_secp521r1 = 716 -}; - -// #include -enum { - GO_RSA_PKCS1_PADDING = 1, - GO_RSA_NO_PADDING = 3, - GO_RSA_PKCS1_OAEP_PADDING = 4, - GO_RSA_PKCS1_PSS_PADDING = 6, - GO_RSA_PSS_SALTLEN_DIGEST = -1, - GO_RSA_PSS_SALTLEN_AUTO = -2, - GO_RSA_PSS_SALTLEN_MAX_SIGN = -2, - GO_RSA_PSS_SALTLEN_MAX = -3, - GO_EVP_PKEY_CTRL_RSA_PADDING = 0x1001, - GO_EVP_PKEY_CTRL_RSA_PSS_SALTLEN = 0x1002, - GO_EVP_PKEY_CTRL_RSA_KEYGEN_BITS = 0x1003, - GO_EVP_PKEY_CTRL_RSA_MGF1_MD = 0x1005, - GO_EVP_PKEY_CTRL_RSA_OAEP_MD = 0x1009, - GO_EVP_PKEY_CTRL_RSA_OAEP_LABEL = 0x100A, - GO_EVP_PKEY_CTRL_DSA_PARAMGEN_BITS = 0x1001, - GO_EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS = 0x1002 -}; +typedef int point_conversion_form_t; typedef void* GO_OPENSSL_INIT_SETTINGS_PTR; typedef void* GO_OSSL_LIB_CTX_PTR; @@ -164,6 +85,7 @@ typedef void* GO_SHA_CTX_PTR; // #include // #include // #include +// #include // #if OPENSSL_VERSION_NUMBER >= 0x30000000L // #include // #include diff --git a/tls1prf.go b/tls1prf.go index 307440c..fb32456 100644 --- a/tls1prf.go +++ b/tls1prf.go @@ -61,7 +61,7 @@ func TLS1PRF(result, secret, label, seed []byte, fh func() hash.Hash) error { func tls1PRF1(result, secret, label, seed []byte, md C.GO_EVP_MD_PTR) error { checkMajorVersion(1) - ctx := C.go_openssl_EVP_PKEY_CTX_new_id(C.GO_EVP_PKEY_TLS1_PRF, nil) + ctx := C.go_openssl_EVP_PKEY_CTX_new_id(_EVP_PKEY_TLS1_PRF, nil) if ctx == nil { return newOpenSSLError("EVP_PKEY_CTX_new_id") } @@ -73,26 +73,26 @@ func tls1PRF1(result, secret, label, seed []byte, md C.GO_EVP_MD_PTR) error { return newOpenSSLError("EVP_PKEY_derive_init") } if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, -1, - C.GO1_EVP_PKEY_OP_DERIVE, - C.GO_EVP_PKEY_CTRL_TLS_MD, + _EVP_PKEY_OP_DERIVE, + _EVP_PKEY_CTRL_TLS_MD, 0, unsafe.Pointer(md)) != 1 { return newOpenSSLError("EVP_PKEY_CTX_set_tls1_prf_md") } if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, -1, - C.GO1_EVP_PKEY_OP_DERIVE, - C.GO_EVP_PKEY_CTRL_TLS_SECRET, + _EVP_PKEY_OP_DERIVE, + _EVP_PKEY_CTRL_TLS_SECRET, C.int(len(secret)), unsafe.Pointer(base(secret))) != 1 { return newOpenSSLError("EVP_PKEY_CTX_set1_tls1_prf_secret") } if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, -1, - C.GO1_EVP_PKEY_OP_DERIVE, - C.GO_EVP_PKEY_CTRL_TLS_SEED, + _EVP_PKEY_OP_DERIVE, + _EVP_PKEY_CTRL_TLS_SEED, C.int(len(label)), unsafe.Pointer(base(label))) != 1 { return newOpenSSLError("EVP_PKEY_CTX_add1_tls1_prf_seed") } if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, -1, - C.GO1_EVP_PKEY_OP_DERIVE, - C.GO_EVP_PKEY_CTRL_TLS_SEED, + _EVP_PKEY_OP_DERIVE, + _EVP_PKEY_CTRL_TLS_SEED, C.int(len(seed)), unsafe.Pointer(base(seed))) != 1 { return newOpenSSLError("EVP_PKEY_CTX_add1_tls1_prf_seed") }