Commit 547414f2 authored by Hugo Leisink's avatar Hugo Leisink

Release 10.9

parent 1bd5464b
cmake_minimum_required(VERSION 3.0)
project(Hiawatha VERSION 10.8.3 LANGUAGES C)
project(Hiawatha VERSION 10.9 LANGUAGES C)
# Compiler
set(CMAKE_C_FLAGS "-O2 -Wall -Wextra ${CMAKE_C_FLAGS}")
......@@ -7,7 +7,7 @@ set(CMAKE_BUILD_TYPE "RelWithDebInfo")
# Options
option(ENABLE_CACHE "Enable cache support in Hiawatha." on)
option(ENABLE_HTTP2 "Enable HTTP2 support in Hiawatha." off)
#option(ENABLE_HTTP2 "Enable HTTP2 support in Hiawatha." off)
option(ENABLE_IPV6 "Enable IPv6 support in Hiawatha." on)
option(ENABLE_MONITOR "Enable support for the Hiawatha Monitor." off)
option(ENABLE_RPROXY "Enable reverse proxy support in Hiawatha." on)
......@@ -193,6 +193,16 @@ endforeach()
install(FILES extra/index.html DESTINATION ${WEBROOT_DIR})
if(ENABLE_TLS AND NOT CYGWIN)
configure_file(extra/letsencrypt/lefh.in lefh)
install(FILES ${PROJECT_BINARY_DIR}/lefh DESTINATION ${CMAKE_INSTALL_SBINDIR}
PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
install(DIRECTORY extra/letsencrypt/letsencrypt DESTINATION ${CMAKE_INSTALL_FULL_LIBDIR}/hiawatha)
configure_file(extra/letsencrypt/letsencrypt.conf.in letsencrypt.conf)
install(FILES ${PROJECT_BINARY_DIR}/letsencrypt.conf DESTINATION ${CMAKE_INSTALL_FULL_LIBDIR}/hiawatha/letsencrypt)
install(FILES man/lefh.1 DESTINATION ${CMAKE_INSTALL_FULL_MANDIR}/man1)
endif()
# Create directories
install(DIRECTORY DESTINATION ${LOG_DIR})
install(DIRECTORY DESTINATION ${PID_DIR})
......
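Review bot: The two `configure_file()` calls inside `if(ENABLE_TLS AND NOT CYGWIN)` run without `@ONLY`, so any `${...}` sequence in the PHP template `extra/letsencrypt/lefh.in` is treated as a CMake variable reference and rewritten at configure time. The templates visible in this commit use only the `@VAR@` form (`@CMAKE_INSTALL_FULL_LIBDIR@`, `@CONFIG_DIR@`). Using `configure_file(extra/letsencrypt/lefh.in lefh @ONLY)` and `configure_file(extra/letsencrypt/letsencrypt.conf.in letsencrypt.conf @ONLY)` limits substitution to those placeholders. This matters more than usual because the result is installed into `${CMAKE_INSTALL_SBINDIR}` and, per the manual page, is run as root from cron, so a silently emptied `${name}` in a PHP string would change what that script does. A short comment above the block saying that `lefh` is generated from a template would also help.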
hiawatha (10.9) stable; urgency=low
* Let's Encrypt script installed via CMake.
* mbed TLS updated to 2.16.0.
* Small improvements.
-- Hugo Leisink <hugo@leisink.net> Mon, 18 Feb 2019 19:15:46 +0100
hiawatha (10.8.4) stable; urgency=high
* Bugfix: Directory traversal when AllowDotFiles is enabled.
-- Hugo Leisink <hugo@leisink.net> Tue, 12 Feb 2018 21:37:04 +0100
hiawatha (10.8.3) stable; urgency=low
* Several fixes in build system.
......
......@@ -30,9 +30,9 @@
/* Other Hiawatha features
*/
#define ENABLE_CHALLENGE ON
/* #define ENABLE_DEBUG ON */
//#define ENABLE_DEBUG ON
#define ENABLE_FILEHASHES ON
/* #define ENABLE_MEMDBG ON */
//#define ENABLE_MEMDBG ON
#define ENABLE_THREAD_POOL ON
/* Includes
......
......@@ -5,6 +5,7 @@ application/json json
application/pdf pdf
application/pkcs-crl crl
application/postscript ps ai eps
application/vnd.apple.pkpass pkpass
application/vnd.google-earth.kml+xml kml
application/vnd.google-earth.kmz kmz
application/xml xml xsl xslt
......
Copy the all the files belonging to this script to a suitable location, for
example /usr/local/letsencrypt. Create a directory .letsencrypt in your home
directory and copy /usr/local/letsencrypt/letsencrypt.conf to that directory.
Open letsencrypt.conf, change the account email address and key size according
to your needs. Add /usr/local/letsencrypt to your PATH environment variable.
Before you can request a certificate, you need to register an account at the
Let's Encrypt CA. You can do this via the command: letsencrypt register
When running the tool for the first time, it will create a Let's Encrypt
account key. Make sure you make a backup of this account.key file.
You can request a website certificate via: letsencrypt request <hostname>
A virtual host for <hostname> must be present in the webserver configuration
and you must have write access rights to its website root. The <hostname> must
be the first hostname for that virtual host. All other hostnames will be used
as alternative hostnames for the certificate. Wildcards are supported by Let's
Encrypt, but the can only be obtained via DNS challenges. Because that's not an
option for this script, they will not be used as an alternative name in the
certificate. Unless you specify a filename as the third parameter, the
requested certificate will be stored in the file <hostname>.pem. When
requesting a Let's Encrypt certificate, make sure your website is reachable via
HTTP (port 80). This is necessary because the Let's Encrypt CA will request a
file from it, which the script will create in the webroot in order to prove you
are the owner of that website.
After properly testing, open letsencrypt.conf, comment the testing CA hostname
(the LE_CA_HOSTNAME setting), uncomment the production CA hostname, register
your account key at the production server and request the final version of your
website certificate.
Certificates will be written to a file in the directory of this script. If you
run the script as user root, the certificate will be written to the directory
configured via the HIAWATHA_CERT_DIR setting.
To automatically renew certificates that are about to get expired, run the
letsencrypt tool with the parameter 'renew' as a cronjob of the user root. Add
the parameter 'restart' to automatically restart the webserver when one or more
certificates have been renewed. All certificates located in the
HIAWATHA_CERT_DIR directory and those referred to in the webserver
configuration will be renewed.
You can run a script when the certificate of a host is renewed. Create a script
in the RENEWAL_SCRIPT_DIR directory and give it the name of the hostname for
which it must be run. That script will be executed upon renewal of the matching
certificate.
This is the Let's Encrypt script for the Hiawatha webserver. It can be used to
request, renew and revoke certificated as provided by Let's Encrypt in a very
easy way. It requires the PHP command line interface and uses version 2 of the
ACME protocol to communicate with the Let's Encrypt server.
......@@ -15,20 +15,21 @@
/* Let's Encrypt / ACME v2
*/
define("VERSION", "2.0");
define("VERSION", "2.1");
define("DAY", 86400);
error_reporting(E_ALL & ~E_NOTICE & ~E_WARNING);
$config_locations = array(
$_SERVER["HOME"]."/.letsencrypt",
"/etc/letsencrypt",
"/usr/local/etc/letsencrypt",
__DIR__);
$config_dir = $_SERVER["HOME"]."/.letsencrypt";
if (file_exists($config_dir) == false) {
mkdir($config_dir);
copy("@CMAKE_INSTALL_FULL_LIBDIR@/hiawatha/letsencrypt/letsencrypt.conf", $config_dir."/letsencrypt.conf");
}
/* Autoloader
*/
function class_autoloader($class_name) {
$library = __DIR__."/libraries/".strtolower($class_name).".php";
$library ="@CMAKE_INSTALL_FULL_LIBDIR@/hiawatha/letsencrypt/".strtolower($class_name).".php";
if (file_exists($library) == false) {
printf("Error including library for class %s.\n", $class_name);
......@@ -41,7 +42,7 @@
/* Configuration
*/
$config = new config($config_locations);
$config = new config($config_dir);
if (count($config->content) == 0) {
printf(" - Error reading configuration.\n");
exit;
......@@ -68,7 +69,7 @@
/* Check configuration
*/
if (ACCOUNT_EMAIL_ADDRESS == "info@example.org") {
exit("Read README.txt before using this tool.\n");
exit("Read the lefh manual page and follow its instructions before using this tool.\n");
}
/* Account key
......@@ -173,6 +174,7 @@
if ($restart) {
if ($argv[2] == "restart") {
printf("Restarting webserver.\n");
system(HIAWATHA_RESTART_COMMAND);
}
exit(1);
......
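Review bot: The first-run block calls `mkdir($config_dir)` with no mode and never checks the result of `mkdir()` or `copy()`. The config class in this commit stores `ACCOUNT_KEY_FILE` at `$config_dir."/account.key"`, so the directory holding the ACME account key is created with whatever the umask allows. Creating it owner-only and stopping on failure would be safer, for example `if (mkdir($config_dir, 0700) == false) { exit("Error creating ".$config_dir.".\n"); }`, with the same check on `copy()`. `$_SERVER["HOME"]` is also used unvalidated; if it is empty, which can presumably happen for the root cron job the manual recommends, the path becomes `/.letsencrypt`, so the script should refuse to continue when HOME is not set. The section shows old and new lines interleaved, so this assumes the `$config_dir` block is the new side.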
......@@ -5,7 +5,7 @@ ACCOUNT_EMAIL_ADDRESS = info@example.org
# Hiawatha settings
#
HIAWATHA_CONFIG_DIR = /etc/hiawatha
HIAWATHA_CONFIG_DIR = @CONFIG_DIR@
HIAWATHA_CERT_DIR = {HIAWATHA_CONFIG_DIR}/tls
HIAWATHA_RESTART_COMMAND = /etc/init.d/hiawatha restart
......
......@@ -18,11 +18,7 @@
/* Constructor
*/
public function __construct($locations) {
if (($config_dir = $this->find_config_dir($locations)) == false) {
return;
}
public function __construct($config_dir) {
$config_file = $config_dir."/".self::CONFIG_FILE;
$this->config["ACCOUNT_KEY_FILE"] = $config_dir."/account.key";
......@@ -76,18 +72,5 @@
return null;
}
/* Find configuration directory
*/
private function find_config_dir($locations) {
foreach ($locations as $location) {
$file = $location."/".self::CONFIG_FILE;
if (file_exists($file)) {
return $location;
}
}
return false;
}
}
?>
......@@ -81,6 +81,7 @@
$inside_virtual_host = false;
while (($line = fgets($fp)) !== false) {
$line = preg_replace('/(^|\s)#.*/', '', $line);
list($command, $param) = explode(" ", trim($line), 2);
$command = strtolower($command);
$param = trim($param, " =");
......
......@@ -182,7 +182,7 @@
/* Add HTTP header
*
* INPUT: string key, string value,[ bool replace header]
* INPUT: string key, string value[, bool replace header]
* OUTPUT: -
* ERROR: -
*/
......
......@@ -27,33 +27,6 @@
$this->hiawatha = new Hiawatha_config(HIAWATHA_CONFIG_DIR);
}
/* Extract CA url from certificate
*/
private function get_CA_url($certificate) {
if (($x509 = openssl_x509_parse($certificate)) == false) {
return false;
}
$ca_info = $x509["extensions"]["authorityInfoAccess"];
$ca_info = explode("\n", $ca_info);
foreach ($ca_info as $item) {
list($label, $info) = explode(" - ", $item);
if ($label != "CA Issuers") {
continue;
}
list($type, $url) = explode(":", $info, 2);
if ($type != "URI") {
return false;
}
return $url;
}
return false;
}
/* Remove hostnames containing a wildcard from the list
*/
private function remove_wildcard_hostnames($hostnames) {
......@@ -86,17 +59,16 @@
return $result;
}
/* Check if certificate is in PEM format
/* Get process user id
*/
private function is_pem_format($cert) {
return substr($cert, 0, 10) == "-----BEGIN";
}
private function get_uid() {
if (function_exists("posix_geteuid")) {
return posix_geteuid();
} else if (($uid = exec("id -u")) !== false) {
return (int)$uid;
}
/* Convert certificate in DER format to PEM format
*/
private function convert_to_pem($der_cert) {
$pem_data = chunk_split(base64_encode($der_cert), 64, "\n");
return "-----BEGIN CERTIFICATE-----\n".$pem_data."-----END CERTIFICATE-----\n";
return 0;
}
/* Get all Hiawatha certificates
......@@ -333,16 +305,12 @@
return false;
}
if ($this->is_pem_format($certificate) == false) {
$certificate = $this->convert_to_pem($certificate);
}
$certificate = str_replace("\r", "", $certificate);
/* Write certificates
*/
if ($cert_file == null) {
$dir = (getmyuid() == 0) ? HIAWATHA_CERT_DIR."/" : "";
$dir = ($this->get_uid() == 0) ? HIAWATHA_CERT_DIR."/" : "";
$cert_file = $dir.$website_hostname.".pem";
$number = 1;
while (file_exists($cert_file)) {
......
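Review bot: `get_uid()` fails open to root: when `posix_geteuid` is unavailable and `exec("id -u")` yields nothing usable, the function ends in `return 0;`, and an empty string from `exec()` also becomes `0` through the `(int)` cast. The caller treats `0` as root and writes the certificate under `HIAWATHA_CERT_DIR`, so a failed lookup is indistinguishable from running as root. Validate the output and fall back to a non-root value, e.g. `} else if (is_numeric($uid = exec("id -u"))) {` followed by a final `return -1;`, and give the method a one-line comment stating that the fallback means "unknown, treat as unprivileged". The same section drops `is_pem_format()`/`convert_to_pem()`, so the certificate body is written after only a `\r` strip. A check that the response starts with `-----BEGIN` before writing the file would keep a non-PEM response from being saved as `<hostname>.pem`.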
......@@ -45,4 +45,4 @@ The CGI-wrapper is part of the Hiawatha webserver. See hiawatha(1) for more info
.SH AUTHOR
Hugo Leisink <hugo@hiawatha-webserver.org> - \fIhttp://www.hiawatha-webserver.org/\fP
Hugo Leisink <hugo@hiawatha-webserver.org> - \fIhttps://www.hiawatha-webserver.org/\fP
......@@ -444,7 +444,7 @@ Example: RequiredCA = /etc/ssl/cacert.pem, /etc/ssl/cacrl.pem
(requires that Hiawatha was not compiled with -DENABLE_TLS=off)
.TP
.B TLScertFile = <TLS private key and certificate file>
Encrypt the connections of the current binding with the TLS private key and certificate in the specified file. Intermediate certificates also go in this file. Make sure the order matches the TLS chain order: host certificate first, CA certificate last.
Encrypt the connections of the current binding with the TLS private key and certificate in the specified file. Intermediate certificates also go in this file. Make sure the order matches the TLS chain order: host certificate first, CA certificate last. Use the tool 'lefh' (Let's Encrypt For Hiawatha) to obtain and maintain Let's Encrypt certificates.
.br
Example: TLScertFile = my_domain.pem
.br
......@@ -1100,4 +1100,4 @@ cgi-wrapper(1), ssi-cgi(1), wigwam(1)
.SH AUTHOR
Hugo Leisink <hugo@hiawatha-webserver.org> - \fIhttp://www.hiawatha-webserver.org/\fP
Hugo Leisink <hugo@hiawatha-webserver.org> - \fIhttps://www.hiawatha-webserver.org/\fP
.\" Let's Encrypt For Hiawatha manualpage
.\"
.TH LEFH 1
.SH NAME
lefh - Let's Encrypt for Hiawatha
.SH SYNOPSIS
.B lefh
[options]
.br
Options: register: Register your account key at the Let's Encrypt CA.
.br
request <hostname> [<cert.pem>]: Request new certificate for website.
.br
expire: show number of days left before certificate expires.
.br
renew [restart]: Renew the almost expired Let's Encrypt certificates in Hiawatha's certificate directory.
.br
revoke <cert.pem>: Revoke the certificate.
.br
version: Show version information.
.SH DESCRIPTION
The Let's Encrypt script for the Hiawatha webserver can be used to request, renew and revoke certificated as provided by Let's Encrypt in a very easy way. It requires the PHP command line interface and uses version 2 of the ACME protocol to communicate with the Let's Encrypt server.
.br
Start by editing the file ~/.letsencrypt/letsencrypt.conf and change the settings according to your needs. This file will be created when you run the letsencrypt script for the first time. At least, you need to change the e-mail address to use the tool.
.br
Before you can request a certificate, you need to register an account at the Let's Encrypt CA. You can do this via the command: letsencrypt register
.br
When running the tool for the first time, it will create a Let's Encrypt account key. Make sure you make a backup of this account.key file.
.br
You can request a website certificate via: letsencrypt request <hostname> A virtual host for <hostname> must be present in the webserver configuration and you must have write access rights to its website root. The <hostname> must be the first hostname for that virtual host. All other hostnames will be used as alternative hostnames for the certificate. Wildcards are supported by Let's Encrypt, but the can only be obtained via DNS challenges. Because that's not an option for this script, they will not be used as an alternative name in the certificate. Unless you specify a filename as the third parameter, the requested certificate will be stored in the file <hostname>.pem. When requesting a Let's Encrypt certificate, make sure your website is reachable via HTTP (port 80). This is necessary because the Let's Encrypt CA will request a file from it, which the script will create in the webroot in order to prove you are the owner of that website.
.br
After properly testing, open letsencrypt.conf, comment the testing CA hostname (the LE_CA_HOSTNAME setting), uncomment the production CA hostname, register your account key at the production server and request the final version of your website certificate.
.br
Certificates will be written to a file in the directory of this script. If you run the script as user root, the certificate will be written to the directory configured via the HIAWATHA_CERT_DIR setting.
.br
To automatically renew certificates that are about to get expired, run the letsencrypt tool with the parameter 'renew' as a cronjob of the user root. Add the parameter 'restart' to automatically restart the webserver when one or more certificates have been renewed. All certificates located in the HIAWATHA_CERT_DIR directory and those referred to in the webserver configuration will be renewed.
.br
You can run a script when the certificate of a host is renewed. Create a script in the RENEWAL_SCRIPT_DIR directory and give it the name of the hostname for which it must be run. That script will be executed upon renewal of the matching certificate.
.SH SEE ALSO
lefh is part of the Hiawatha webserver. See hiawatha(1) for more information about Hiawatha.
.SH AUTHOR
Hugo Leisink <hugo@hiawatha-webserver.org> - \fIhttps://www.hiawatha-webserver.org/\fP
......@@ -99,4 +99,4 @@ SSI-CGI is part of the Hiawatha webserver. See hiawatha(1) for more information
.SH AUTHOR
Hugo Leisink <hugo@hiawatha-webserver.org> - \fIhttp://www.hiawatha-webserver.org/\fP
Hugo Leisink <hugo@hiawatha-webserver.org> - \fIhttps://www.hiawatha-webserver.org/\fP
......@@ -47,4 +47,4 @@ Wigwam is part of the Hiawatha webserver. See hiawatha(1) for more information a
.SH AUTHOR
Hugo Leisink <hugo@hiawatha-webserver.org> - \fIhttp://www.hiawatha-webserver.org/\fP
Hugo Leisink <hugo@hiawatha-webserver.org> - \fIhttps://www.hiawatha-webserver.org/\fP
......@@ -2,6 +2,9 @@
* \file aesni.h
*
* \brief AES-NI for hardware AES acceleration on some Intel processors
*
* \warning These functions are only for internal use by other library
* functions; you must not call them directly.
*/
/*
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
......@@ -44,7 +47,10 @@ extern "C" {
#endif
/**
* \brief AES-NI features detection routine
* \brief Internal function to detect the AES-NI feature in CPUs.
*
* \note This function is only for internal use by other library
* functions; you must not call it directly.
*
* \param what The feature to detect
* (MBEDTLS_AESNI_AES or MBEDTLS_AESNI_CLMUL)
......@@ -54,7 +60,10 @@ extern "C" {
int mbedtls_aesni_has_support( unsigned int what );
/**
* \brief AES-NI AES-ECB block en(de)cryption
* \brief Internal AES-NI AES-ECB block encryption and decryption
*
* \note This function is only for internal use by other library
* functions; you must not call it directly.
*
* \param ctx AES context
* \param mode MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
......@@ -64,12 +73,15 @@ int mbedtls_aesni_has_support( unsigned int what );
* \return 0 on success (cannot fail)
*/
int mbedtls_aesni_crypt_ecb( mbedtls_aes_context *ctx,
int mode,
const unsigned char input[16],
unsigned char output[16] );
int mode,
const unsigned char input[16],
unsigned char output[16] );
/**
* \brief GCM multiplication: c = a * b in GF(2^128)
* \brief Internal GCM multiplication: c = a * b in GF(2^128)
*
* \note This function is only for internal use by other library
* functions; you must not call it directly.
*
* \param c Result
* \param a First operand
......@@ -79,21 +91,29 @@ int mbedtls_aesni_crypt_ecb( mbedtls_aes_context *ctx,
* elements of GF(2^128) as per the GCM spec.
*/
void mbedtls_aesni_gcm_mult( unsigned char c[16],
const unsigned char a[16],
const unsigned char b[16] );
const unsigned char a[16],
const unsigned char b[16] );
/**
* \brief Compute decryption round keys from encryption round keys
* \brief Internal round key inversion. This function computes
* decryption round keys from the encryption round keys.
*
* \note This function is only for internal use by other library
* functions; you must not call it directly.
*
* \param invkey Round keys for the equivalent inverse cipher
* \param fwdkey Original round keys (for encryption)
* \param nr Number of rounds (that is, number of round keys minus one)
*/
void mbedtls_aesni_inverse_key( unsigned char *invkey,
const unsigned char *fwdkey, int nr );
const unsigned char *fwdkey,
int nr );
/**
* \brief Perform key expansion (for encryption)
* \brief Internal key expansion for encryption
*
* \note This function is only for internal use by other library
* functions; you must not call it directly.
*
* \param rk Destination buffer where the round keys are written
* \param key Encryption key
......@@ -102,8 +122,8 @@ void mbedtls_aesni_inverse_key( unsigned char *invkey,
* \return 0 if successful, or MBEDTLS_ERR_AES_INVALID_KEY_LENGTH
*/
int mbedtls_aesni_setkey_enc( unsigned char *rk,
const unsigned char *key,
size_t bits );
const unsigned char *key,
size_t bits );
#ifdef __cplusplus
}
......
......@@ -38,6 +38,7 @@
#include <stddef.h>
/* MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED is deprecated and should not be used. */
#define MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED -0x0019 /**< ARC4 hardware accelerator failed. */
#ifdef __cplusplus
......
......@@ -41,6 +41,8 @@
#include <stddef.h>
#include <stdint.h>
#include "platform_util.h"
#define MBEDTLS_ARIA_ENCRYPT 1 /**< ARIA encryption. */
#define MBEDTLS_ARIA_DECRYPT 0 /**< ARIA decryption. */
......@@ -48,9 +50,18 @@
#define MBEDTLS_ARIA_MAX_ROUNDS 16 /**< Maxiumum number of rounds in ARIA. */
#define MBEDTLS_ARIA_MAX_KEYSIZE 32 /**< Maximum size of an ARIA key in bytes. */
#define MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH -0x005C /**< Invalid key length. */
#define MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH -0x005E /**< Invalid data input length. */
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
#define MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( -0x005C )
#endif /* !MBEDTLS_DEPRECATED_REMOVED */
#define MBEDTLS_ERR_ARIA_BAD_INPUT_DATA -0x005C /**< Bad input data. */
#define MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH -0x005E /**< Invalid data input length. */
/* MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE is deprecated and should not be used.
*/
#define MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE -0x005A /**< Feature not available. For example, an unsupported ARIA key size. */
/* MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED is deprecated and should not be used. */
#define MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED -0x0058 /**< ARIA hardware accelerator failed. */
#if !defined(MBEDTLS_ARIA_ALT)
......@@ -82,14 +93,16 @@ mbedtls_aria_context;
* It must be the first API called before using
* the context.
*
* \param ctx The ARIA context to initialize.
* \param ctx The ARIA context to initialize. This must not be \c NULL.
*/
void mbedtls_aria_init( mbedtls_aria_context *ctx );
/**
* \brief This function releases and clears the specified ARIA context.
*
* \param ctx The ARIA context to clear.
* \param ctx The ARIA context to clear. This may be \c NULL, in which
* case this function returns immediately. If it is not \c NULL,
* it must point to an initialized ARIA context.
*/
void mbedtls_aria_free( mbedtls_aria_context *ctx );
......@@ -97,14 +110,16 @@ void mbedtls_aria_free( mbedtls_aria_context *ctx );
* \brief This function sets the encryption key.
*
* \param ctx The ARIA context to which the key should be bound.
* \param key The encryption key.
* \param keybits The size of data passed in bits. Valid options are:
* This must be initialized.
* \param key The encryption key. This must be a readable buffer
* of size \p keybits Bits.
* \param keybits The size of \p key in Bits. Valid options are:
* <ul><li>128 bits</li>
* <li>192 bits</li>
* <li>256 bits</li></ul>
*
* \return \c 0 on success or #MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH
* on failure.
* \return \c 0 on success.
* \return A negative error code on failure.
*/
int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx,
const unsigned char *key,
......@@ -114,13 +129,16 @@ int mbedtls_aria_setkey_enc( mbedtls_aria_context *ctx,
* \brief This function sets the decryption key.
*
* \param ctx The ARIA context to which the key should be bound.
* \param key The decryption key.
* This must be initialized.
* \param key The decryption key. This must be a readable buffer
* of size \p keybits Bits.
* \param keybits The size of data passed. Valid options are:
* <ul><li>128 bits</li>
* <li>192 bits</li>
* <li>256 bits</li></ul>
*
* \return \c 0 on success, or #MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH on failure.
* \return \c 0 on success.
* \return A negative error code on failure.
*/
int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx,
const unsigned char *key,
......@@ -139,10 +157,12 @@ int mbedtls_aria_setkey_dec( mbedtls_aria_context *ctx,
* call to this API with the same context.
*
* \param ctx The ARIA context to use for encryption or decryption.
* This must be initialized and bound to a key.
* \param input The 16-Byte buffer holding the input data.
* \param output The 16-Byte buffer holding the output data.
* \return \c 0 on success.
* \return A negative error code on failure.
*/
int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
const unsigned char input[MBEDTLS_ARIA_BLOCKSIZE],
......@@ -174,16 +194,21 @@ int mbedtls_aria_crypt_ecb( mbedtls_aria_context *ctx,
*
*
* \param ctx The ARIA context to use for encryption or decryption.
* \param mode The ARIA operation: #MBEDTLS_ARIA_ENCRYPT or
* #MBEDTLS_ARIA_DECRYPT.
* This must be initialized and bound to a key.
* \param mode The mode of operation. This must be either
* #MBEDTLS_ARIA_ENCRYPT for encryption, or
* #MBEDTLS_ARIA_DECRYPT for decryption.
* \param length The length of the input data in Bytes. This must be a
* multiple of the block size (16 Bytes).
* \param iv Initialization vector (updated after use).
* \param input The buffer holding the input data.
* \param output The buffer holding the output data.
* This must be a readable buffer of size 16 Bytes.
* \param input The buffer holding the input data. This must
* be a readable buffer of length \p length Bytes.
* \param output The buffer holding the output data. This must
* be a writable buffer of length \p length Bytes.
*
* \return \c 0 on success, or #MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH
* on failure.
* \return \c 0 on success.
* \return A negative error code on failure.
*/
int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
int mode,
......@@ -218,15 +243,22 @@ int mbedtls_aria_crypt_cbc( mbedtls_aria_context *ctx,
*
*
* \param ctx The ARIA context to use for encryption or decryption.
* \param mode The ARIA operation: #MBEDTLS_ARIA_ENCRYPT or
* #MBEDTLS_ARIA_DECRYPT.
* \param length The length of the input data.
* This must be initialized and bound to a key.
* \param mode The mode of operation. This must be either
* #MBEDTLS_ARIA_ENCRYPT for encryption, or
* #MBEDTLS_ARIA_DECRYPT for decryption.
* \param length The length of the input data \p input in Bytes.
* \param iv_off The offset in IV (updated after use).
* This must not be larger than 15.
* \param iv The initialization vector (updated after use).
* \param input The buffer holding the input data.
* \param output The buffer holding the output data.
* This must be a readable buffer of size 16 Bytes.
* \param input The buffer holding the input data. This must
* be a readable buffer of length \p length Bytes.
* \param output The buffer holding the output data. This must
* be a writable buffer of length \p length Bytes.
*
* \return \c 0 on success.
* \return A negative error code on failure.
*/
int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
int mode,
......@@ -296,17 +328,24 @@ int mbedtls_aria_crypt_cfb128( mbedtls_aria_context *ctx,
* securely discarded as soon as it's no longer needed.
*
* \param ctx The ARIA context to use for encryption or decryption.
* \param length The length of the input data.
* \param nc_off The offset in the current \p stream_block, for
* resuming within the current cipher stream. The
* offset pointer should be 0 at the start of a stream.
* \param nonce_counter The 128-bit nonce and counter.