[openssl-commits] [openssl] master update

Richard Levitte levitte at openssl.org
Sun Nov 18 17:53:25 UTC 2018 

The branch master has been updated
       via  6dfcea3dfb167ccf37907601a3be6dc50f9c213b (commit)
       via  9d1bf5f7dee88e2fc1149be16256404265765894 (commit)
      from  6b956fe77b8aeb899ef7bdfa147a00bda51b804a (commit)


- Log -----------------------------------------------------------------
commit 6dfcea3dfb167ccf37907601a3be6dc50f9c213b
Author: Johannes Bauer <joe at johannes-bauer.com>
Date:   Tue Mar 20 20:06:13 2018 +0100

    Add documentation for -pkeyopt_passin
    
    Add documentation to new parameter and two examples showcasing scrypt
    KDF.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/5697)

commit 9d1bf5f7dee88e2fc1149be16256404265765894
Author: Johannes Bauer <joe at johannes-bauer.com>
Date:   Tue Aug 1 19:38:32 2017 +0200

    Add option to read pkeyopts interactively
    
    This patch adds the ability to interactively enter passphrases for
    the pkeyutl application. For example, you could use
    
    $ openssl pkeyutl -kdf TLS1-PRF -kdflen 8 -pkeyopt md:md5
      -pkeyopt_passin secret -pkeyopt_passin seed
    
    To have the "secret" and "seed" values read interactively from keyboard
    (with hidden input). Alternatively, the pass phrase argument syntax is
    also supported, e.g.:
    
    $ openssl pkeyutl -kdf TLS1-PRF -kdflen 8 -pkeyopt md:md5
      -pkeyopt_passin secret:stdin -pkeyopt_passin seed:env:SEEDVAR
    
    To have "secret" read from stdin and "seed" from the environment
    variable SEEDVAR.
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/5697)

-----------------------------------------------------------------------

Summary of changes:
 apps/pkeyutl.c       | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++--
 doc/man1/pkeyutl.pod | 18 +++++++++++++++++
 2 files changed, 71 insertions(+), 2 deletions(-)

diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c
index 2c4e524..38fd624 100644
--- a/apps/pkeyutl.c
+++ b/apps/pkeyutl.c
@@ -37,8 +37,8 @@ typedef enum OPTION_choice {
     OPT_PUBIN, OPT_CERTIN, OPT_ASN1PARSE, OPT_HEXDUMP, OPT_SIGN,
     OPT_VERIFY, OPT_VERIFYRECOVER, OPT_REV, OPT_ENCRYPT, OPT_DECRYPT,
     OPT_DERIVE, OPT_SIGFILE, OPT_INKEY, OPT_PEERKEY, OPT_PASSIN,
-    OPT_PEERFORM, OPT_KEYFORM, OPT_PKEYOPT, OPT_KDF, OPT_KDFLEN,
-    OPT_R_ENUM
+    OPT_PEERFORM, OPT_KEYFORM, OPT_PKEYOPT, OPT_PKEYOPT_PASSIN, OPT_KDF,
+    OPT_KDFLEN, OPT_R_ENUM
 } OPTION_CHOICE;
 
 const OPTIONS pkeyutl_options[] = {
@@ -66,6 +66,8 @@ const OPTIONS pkeyutl_options[] = {
     {"peerform", OPT_PEERFORM, 'E', "Peer key format - default PEM"},
     {"keyform", OPT_KEYFORM, 'E', "Private key format - default PEM"},
     {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
+    {"pkeyopt_passin", OPT_PKEYOPT_PASSIN, 's',
+     "Public key option that is read as a passphrase argument opt:passphrase"},
     OPT_R_OPTIONS,
 #ifndef OPENSSL_NO_ENGINE
     {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
@@ -94,6 +96,7 @@ int pkeyutl_main(int argc, char **argv)
     const char *kdfalg = NULL;
     int kdflen = 0;
     STACK_OF(OPENSSL_STRING) *pkeyopts = NULL;
+    STACK_OF(OPENSSL_STRING) *pkeyopts_passin = NULL;
 
     prog = opt_init(argc, argv, pkeyutl_options);
     while ((o = opt_next()) != OPT_EOF) {
@@ -192,6 +195,14 @@ int pkeyutl_main(int argc, char **argv)
                 goto end;
             }
             break;
+        case OPT_PKEYOPT_PASSIN:
+            if ((pkeyopts_passin == NULL &&
+                 (pkeyopts_passin = sk_OPENSSL_STRING_new_null()) == NULL) ||
+                sk_OPENSSL_STRING_push(pkeyopts_passin, opt_arg()) == 0) {
+                BIO_puts(bio_err, "out of memory\n");
+                goto end;
+            }
+            break;
         }
     }
     argc = opt_num_rest();
@@ -240,6 +251,45 @@ int pkeyutl_main(int argc, char **argv)
             }
         }
     }
+    if (pkeyopts_passin != NULL) {
+        int num = sk_OPENSSL_STRING_num(pkeyopts_passin);
+        int i;
+
+        for (i = 0; i < num; i++) {
+            char *opt = sk_OPENSSL_STRING_value(pkeyopts_passin, i);
+            char *passin = strchr(opt, ':');
+            char *passwd;
+
+            if (passin == NULL) {
+                /* Get password interactively */
+                char passwd_buf[4096];
+                BIO_snprintf(passwd_buf, sizeof(passwd_buf), "Enter %s: ", opt);
+                EVP_read_pw_string(passwd_buf, sizeof(passwd_buf) - 1,
+                                   passwd_buf, 0);
+                passwd = OPENSSL_strdup(passwd_buf);
+                if (passwd == NULL) {
+                    BIO_puts(bio_err, "out of memory\n");
+                    goto end;
+                }
+            } else {
+                /* Get password as a passin argument: First split option name
+                 * and passphrase argument into two strings */
+                *passin = 0;
+                passin++;
+                if (app_passwd(passin, NULL, &passwd, NULL) == 0) {
+                    BIO_printf(bio_err, "failed to get '%s'\n", opt);
+                    goto end;
+                }
+            }
+
+            if (EVP_PKEY_CTX_ctrl_str(ctx, opt, passwd) <= 0) {
+                BIO_printf(bio_err, "%s: Can't set parameter \"%s\":\n",
+                           prog, opt);
+                goto end;
+            }
+            OPENSSL_free(passwd);
+        }
+    }
 
     if (sigfile != NULL && (pkey_op != EVP_PKEY_OP_VERIFY)) {
         BIO_printf(bio_err,
@@ -359,6 +409,7 @@ int pkeyutl_main(int argc, char **argv)
     OPENSSL_free(buf_out);
     OPENSSL_free(sig);
     sk_OPENSSL_STRING_free(pkeyopts);
+    sk_OPENSSL_STRING_free(pkeyopts_passin);
     return ret;
 }
 
diff --git a/doc/man1/pkeyutl.pod b/doc/man1/pkeyutl.pod
index 664dbef..a0dae86 100644
--- a/doc/man1/pkeyutl.pod
+++ b/doc/man1/pkeyutl.pod
@@ -29,6 +29,7 @@ B<openssl> B<pkeyutl>
 [B<-kdf algorithm>]
 [B<-kdflen length>]
 [B<-pkeyopt opt:value>]
+[B<-pkeyopt_passin opt:passarg>]
 [B<-hexdump>]
 [B<-asn1parse>]
 [B<-rand file...>]
@@ -140,6 +141,13 @@ Set the output length for KDF.
 
 Public key options specified as opt:value. See NOTES below for more details.
 
+=item B<-pkeyopt_passin opt:passarg>
+
+Allows reading a public key option B<opt> from stdin or a password source. If
+only opt is specified, the user will be prompted to enter the value on stdin.
+Alternatively, passarg can be specified which can be any value supported by
+B<PASS PHRASE ARGUMENTS> in L<openssl(1)>.
+
 =item B<-hexdump>
 
 hex dump the output data.
@@ -320,6 +328,16 @@ seed consisting of the single byte 0xFF:
  openssl pkeyutl -kdf TLS1-PRF -kdflen 48 -pkeyopt md:SHA256 \
     -pkeyopt hexsecret:ff -pkeyopt hexseed:ff -hexdump
 
+Derive a key using B<scrypt> where the password is read from command line:
+
+ openssl pkeyutl -kdf scrypt -kdflen 16 -pkeyopt_passin pass \
+    -pkeyopt hexsalt:aabbcc -pkeyopt N:16384 -pkeyopt r:8 -pkeyopt p:1
+
+Derive using the same algorithm, but read key from environment variable MYPASS:
+
+ openssl pkeyutl -kdf scrypt -kdflen 16 -pkeyopt_passin pass:env:MYPASS \
+    -pkeyopt hexsalt:aabbcc -pkeyopt N:16384 -pkeyopt r:8 -pkeyopt p:1
+
 =head1 SEE ALSO
 
 L<genpkey(1)>, L<pkey(1)>, L<rsautl(1)>

More information about the openssl-commits mailing list