Revision tags: OpenSSL_1_1_1j |
|
899e2564 | 09-Feb-2021 | Matt Caswell |
Implement EVP_PKEY_param_check_quick() and use it in libssl

The low level DH API has two functions for checking parameters: DH_check_ex() and DH_check_params_ex(). The former does a "full" check, while the latter does a "quick" check. Most importantly it skips the check for a safe prime. We're ok without using safe primes here because we're doing ephemeral DH.

Now that libssl is fully using the EVP API, we need a way to specify that we want a quick check instead of a full check. Therefore we introduce EVP_PKEY_param_check_quick() and use it.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14146)
|
Revision tags: openssl-3.0.0-alpha11, openssl-3.0.0-alpha10, OpenSSL_1_1_1i, openssl-3.0.0-alpha9, openssl-3.0.0-alpha8 |
|
d1fb6b48 | 20-Oct-2020 | Nicola Tuveri |
Constify OSSL_FUNC_keymgmt_validate()

The keydata argument of OSSL_FUNC_keymgmt_validate() should be read-only.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13201)
|
3d914185 | 20-Oct-2020 | Nicola Tuveri |
Constify OSSL_FUNC_keymgmt_has()

The keydata argument of OSSL_FUNC_keymgmt_has() should be read-only.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13200)
|
Revision tags: openssl-3.0.0-alpha7, OpenSSL_1_1_1h, openssl-3.0.0-alpha6 |
|
992492f5 | 05-Aug-2020 | Pauli |
gettables: documentation changes to pass the provider context.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12581)
|
Revision tags: openssl-3.0.0-alpha5 |
|
5dacb38c | 08-Jul-2020 | Richard Levitte |
KEYMGMT: Add key loading function OSSL_FUNC_keymgmt_load()

This function is used to create a keydata for a key that libcrypto only has a reference to. This introduces provider references, the contents of which only the provider knows how to interpret. Outside of the provider, this is just an array of bytes.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12410)
|
Revision tags: openssl-3.0.0-alpha4 |
|
363b1e5d | 20-Jun-2020 | Dr. Matthias St. Pierre |
Make the naming scheme for dispatched functions more consistent

The new naming scheme consistently uses the `OSSL_FUNC_` prefix for all functions which are dispatched between the core and providers. This change includes in particular all up- and downcalls, i.e., the dispatched functions passed from core to provider and vice versa.

- OSSL_core_ -> OSSL_FUNC_core_
- OSSL_provider_ -> OSSL_FUNC_core_

For operations and their function dispatch tables, the following convention is used:

Type                | Name (evp_generic_fetch(3))       |
--------------------|-----------------------------------|
operation           | OSSL_OP_FOO                       |
function id         | OSSL_FUNC_FOO_FUNCTION_NAME       |
function "name"     | OSSL_FUNC_foo_function_name       |
function typedef    | OSSL_FUNC_foo_function_name_fn    |
function ptr getter | OSSL_FUNC_foo_function_name       |

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12222)
|
23c48d94 | 20-Jun-2020 | Dr. Matthias St. Pierre |
Rename <openssl/core_numbers.h> -> <openssl/core_dispatch.h>

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12222)
|
Revision tags: openssl-3.0.0-alpha3, openssl-3.0.0-alpha2 |
|
5e77b79a | 07-May-2020 | Shane Lontis |
Remove gen_get_params & gen_gettable_params from keygen operation

EVP_PKEY_CTX_gettable_params() was missing code for the keygen operation. After adding it, it was noticed that it is probably not required for this type, so instead the gen_get_params and gen_gettable_params have been removed from the provider interface.

gen_get_params was only implemented for ec to get the curve name. This seems redundant since normally you would set parameters into the keygen_init() and then generate a key. Normally you would expect to extract data from the key - not the object that we just set up to do the keygen.

Added a simple settable and gettable test into a test that does keygen.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11683)
|
Revision tags: openssl-3.0.0-alpha1, OpenSSL_1_1_1g |
|
33df1cfd | 14-Apr-2020 | Richard Levitte |
DOC: Refactor provider-keymgmt(7) to give the keytypes their own pages

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11546)
|
b03ec3b5 | 15-Apr-2020 | Shane Lontis |
Add DSA keygen to provider

Moved some shared FFC code into the FFC files. Added extra paramgen parameters for seed, gindex. Fixed bug in ossl_prov util to print bignums.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11303)
|
Revision tags: OpenSSL_1_1_1f |
|
2b9add69 | 19-Mar-2020 | Richard Levitte |
KEYMGMT: Add functions to get param/key generation parameters

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11328)
|
96ebe52e | 01-Apr-2020 | Shane Lontis |
Add EVP_PKEY_gettable_params support for accessing EVP_PKEY key data fields

Currently only RSA, EC and ECX are supported (DH and DSA need to be added to the keygen PRs separately because the fields supported have changed significantly). The APIs require the keys to be provider based.

Made the keymanagement export and get_params functions share the same code by supplying support functions that work for both an OSSL_PARAM_BLD as well as an OSSL_PARAM[]. This approach means that complex code is not required to build an empty OSSL_PARAM[] with the correct sized fields before then doing a second pass to populate the array.

The RSA factor arrays have been changed to use unique key names to simplify the interface needed by the user.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11365)
|
Revision tags: OpenSSL_1_1_1e, OpenSSL_1_0_2u |
|
1a5632e0 | 26-Oct-2019 | Richard Levitte |
CORE: Add the key object generator libcrypto<->provider interface

We introduce these dispatched functions:

- OP_keymgmt_gen_init() to initialize the key object generation.
- OP_keymgmt_gen_set_template() to set a template for key object generation. The template is another key object, for example one with domain parameters.
- OP_keymgmt_gen_set_params() to set other key object generation parameters.
- OP_keymgmt_gen_settable_params() to find out what settable parameters there are.
- OP_keymgmt_gen() to perform the key object generation.
- OP_keymgmt_gen_cleanup() to clean up the key object generation.

Internal functions for easy and consistent use of these dispatched functions are added.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10289)
|
b4dc705a | 07-Mar-2020 | Richard Levitte |
DOCS: Fix documentation on asymmetric keydata types

Some type specs didn't correspond to actual use.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11275)
|
f552d900 | 16-Feb-2020 | Shane Lontis |
Add Serializers for EC

Provide EC serializers for text, pem and der. EC parameters use ASN.1 'CHOICE' - which means they are more embedded than other parameters used by other KEY types (which normally have a SEQUENCE at the top level). For this reason the ASN1_STRING type that was being passed around has been changed to a void so that the code can still be shared with EC.

The EC serializer only supports named curves currently.

NOTE the serializer code assumes PKCS8 format - if the older encode methods are needed they will need to be added in another PR. (Probably when deserialization is considered).

EVP_PKEY_key_fromdata_init was changed from using a keypair selection to all bits of a key. A side effect of this was that the very restrictive checks in the ecx code needed to be relaxed as it was assuming all selection flags were non optional. As this is not the case for any other key the code has been modified.

Fixed a bug in legacy_ctrl_str_to_params() - "ecdh_cofactor_mode" was being incorrectly converted to the wrong keyname.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11107)
|
13697f1c | 05-Feb-2020 | Richard Levitte |
KEYMGMT: Add a keydata copy function

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11158)
|
bee5d6cd | 05-Feb-2020 | Richard Levitte |
KEYMGMT: Add a keydata matching function

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11158)
|
8efc4a9c | 27-Feb-2020 | Matt Caswell |
Implement the ECX Serializers

Provide serializers for X25519 and X448 for text, pem and der. There are no parameter serializers because there are no parameters for these algorithms.

Add some documentation about the various import/export types available.

Add additional testing for the serializers.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11095)
|
ce82b892 | 09-Feb-2020 | Nicola Tuveri |
[PROV][EC] Update documentation

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10631)
|
b305452f | 02-Feb-2020 | Richard Levitte |
Redesign the KEYMGMT libcrypto <-> provider interface - the basics

The KEYMGMT libcrypto <-> provider interface currently makes a few assumptions:

1. provider side domain parameters and key data isn't mutable. In other words, as soon as a key has been created in any (loaded, imported data, ...), it's set in stone.
2. provider side domain parameters can be strictly separated from the key data.

This does work for the most part, but there are places where that's a bit too rigid for the functionality that the EVP_PKEY API delivers.

Key data needs to be mutable to allow the flexibility that functions like EVP_PKEY_copy_parameters promise, as well as to provide the combinations of data that an EVP_PKEY is generally assumed to be able to hold:

- domain parameters only
- public key only
- public key + private key
- domain parameters + public key
- domain parameters + public key + private key

To remedy all this, we:

1. let go of the distinction between domain parameters and key material proper in the libcrypto <-> provider interface. As a consequence, functions that still need it gain a selection argument, which is a set of bits that indicate what parts of the key object are to be considered in a specific call. This allows a reduction of very similar functions into one.
2. Rework the libcrypto <-> provider interface so provider side key objects are created and destructed with a separate function, and get their data filled and extracted in through import and export. (future work will see other key object constructors and other functions to fill them with data)

Fixes #10979

squash! Redesign the KEYMGMT libcrypto <-> provider interface - the basics

Remedy 1 needs a rewrite:

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11006)
|
12603de6 | 29-Jan-2020 | Shane Lontis |
Add RSA key validation to default provider

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10780)
|
6508e858 | 08-Jan-2020 | Richard Levitte |
EVP: make EVP_PKEY_{bits,security_bits,size} work with provider only keys

These functions relied entirely on the presence of 'pkey->pmeth', which is NULL on provider only keys. This adds an interface to get domparam and key data from a provider, given corresponding provider data (the actual domparam or key). The retrieved data is cached in the EVP_PKEY structure (lending the idea from provided EVP_CIPHER).

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/10778)
|
e62a45b6 | 18-Dec-2019 | Richard Levitte |
CORE & EVP: Specify OP_query_operation_name() for KEYMGMT

This will allow keymgmt implementation for key types that need it to specify the names of the diverse operation algorithms it can be used with. Currently, only one name per key type and operation is allowed.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10647)
|
Revision tags: OpenSSL_1_0_2t, OpenSSL_1_1_0l, OpenSSL_1_1_1d |
|
8ccf2ffb | 24-Jul-2019 | Matt Caswell |
Document the provider DIGEST operation

Extends the existing provider documentation with information about the DIGEST operation. This is primarily for provider authors.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9453)
|
da2addc5 | 22-Jul-2019 | Richard Levitte |
provider-keymgmt(7): Document the KEYMGMT interface

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9429)
|