#
7ed6de99 |
| 05-Sep-2024 |
Tomas Mraz |
Copyright year updates Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes
|
#
e675aabb |
| 18-Jan-2024 |
Richard Levitte |
Implement functionality for direct use of composite signature algorithms The following API groups are extended with a new init function, as well as an update and final function, to allow
Implement functionality for direct use of composite signature algorithms The following API groups are extended with a new init function, as well as an update and final function, to allow the use of explicitly fetched signature implementations for any composite signature algorithm, like "sha1WithRSAEncryption": - EVP_PKEY_sign - EVP_PKEY_verify - EVP_PKEY_verify_recover To support this, providers are required to add a few new functions, not the least one that declares what key types an signature implementation supports. While at this, the validity check in evp_signature_from_algorithm() is also refactored; the SIGNATURE provider functionality is too complex for counters. It's better, or at least more readable, to check function combinations. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23416)
show more ...
|
#
d9346c59 |
| 24-Jul-2024 |
slontis |
Add KeyManagement keygen parameter getter/gettable functions. Added OSSL_FUNC_keymgmt_gen_get_params() and OSSL_FUNC_keymgmt_gen_gettable_params() This will allow a FIPS indicat
Add KeyManagement keygen parameter getter/gettable functions. Added OSSL_FUNC_keymgmt_gen_get_params() and OSSL_FUNC_keymgmt_gen_gettable_params() This will allow a FIPS indicator parameter to be queried after keygen. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24978)
show more ...
|
#
0557d6c6 |
| 01-Jul-2024 |
slontis |
Add FIPS indicator callback. Add a FIPS indicator callback that can be set via OSSL_INDICATOR_set_callback(). This callback is intended to be run whenever a non approved algorithm ch
Add FIPS indicator callback. Add a FIPS indicator callback that can be set via OSSL_INDICATOR_set_callback(). This callback is intended to be run whenever a non approved algorithm check has occurred and strict checking has been disabled.The callback may be used to log non approved algorithms. The callback is passed a type and description string as well as the cbarg specified in OSSL_INDICATOR_set_callback. The return value can be either 0 or 1. A value of 0 can be used for testing purposes to force an error to occur from the algorithm that called the callback. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24623)
show more ...
|
#
53664908 |
| 21-Jul-2023 |
slontis |
Add EVP_DigestSqueeze() API. Fixes #7894 This allows SHAKE to squeeze multiple times with different output sizes. The existing EVP_DigestFinalXOF() API has been left as a o
Add EVP_DigestSqueeze() API. Fixes #7894 This allows SHAKE to squeeze multiple times with different output sizes. The existing EVP_DigestFinalXOF() API has been left as a one shot operation. A similar interface is used by another toolkit. The low level SHA3_Squeeze() function needed to change slightly so that it can handle multiple squeezes. This involves changing the assembler code so that it passes a boolean to indicate whether the Keccak function should be called on entry. At the provider level, the squeeze is buffered, so that it only requests a multiple of the blocksize when SHA3_Squeeze() is called. On the first call the value is zero, on subsequent calls the value passed is 1. This PR is derived from the excellent work done by @nmathewson in https://github.com/openssl/openssl/pull/7921 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21511)
show more ...
|
#
5516d202 |
| 16-Oct-2023 |
Matthias St. Pierre |
rand: add callbacks to cleanup the user entropy resp. nonce The `get_user_{entropy,nonce}` callbacks were add recently to the dispatch table in commit 4cde7585ce8e. Instead of adding cor
rand: add callbacks to cleanup the user entropy resp. nonce The `get_user_{entropy,nonce}` callbacks were add recently to the dispatch table in commit 4cde7585ce8e. Instead of adding corresponding `cleanup_user_{entropy,nonce}` callbacks, the `cleanup_{entropy,nonce}` callbacks were reused. This can cause a problem in the case where the seed source is replaced by a provider: the buffer gets allocated by the provider but cleared by the core. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22423)
show more ...
|
#
4cde7585 |
| 05-Sep-2023 |
Pauli |
fips: use seed source requested Fixes #21909 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl
fips: use seed source requested Fixes #21909 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21964)
show more ...
|
#
96e67808 |
| 23-Jan-2023 |
Simo Sorce |
Allow to pass a passprase callback at store open Some PKCS11 modules require authentication early on to be able to preload objects, which we want to do to avoid costly roundtrips when th
Allow to pass a passprase callback at store open Some PKCS11 modules require authentication early on to be able to preload objects, which we want to do to avoid costly roundtrips when the HSM is actually reached over a network (Cloud HSM). Unfortunately at open time we can't interact with the user becaue the callbacks are only passed at object load time. later on. This patch corrects this issue by providing a more feature rich open call for providers. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20131)
show more ...
|
#
0a8807b4 |
| 28-Aug-2023 |
Dmitry Belyavskiy |
Store: API for deletion Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21901)
|
#
da1c088f |
| 07-Sep-2023 |
Matt Caswell |
Copyright year updates Reviewed-by: Richard Levitte <levitte@openssl.org> Release: yes
|
#
5e3b8450 |
| 08-Feb-2023 |
Ingo Franzki |
Add OSSL_FUNC_keymgmt_im/export_types function that gets the provider context The provider functions OSSL_FUNC_keymgmt_import_types() and OSSL_FUNC_keymgmt_export_types() do not get the
Add OSSL_FUNC_keymgmt_im/export_types function that gets the provider context The provider functions OSSL_FUNC_keymgmt_import_types() and OSSL_FUNC_keymgmt_export_types() do not get the provider context passed. This makes it difficult for providers to implement these functions unless its a static implementation returning a truly constant OSSL_PARAM array. Some providers may have a need to return an OSSL_PARAM array that is dependent on the provider configuration, or anything else that is contained in its provider context. Add extended variants of these functions that get the provider context passed. The functions should still return a static and constant OSSL_PARAM array, but may use the provider context to select the array to return dependent on its context. The returned array must be constant at least until the provider is unloaded. Providers can implement only the original functions, or only the extended functions, or both. Implementing at least one of those functions is required if also the respective OSSL_FUNC_keymgmt_import() or OSSL_FUNC_keymgmt_export() function is implemented. If an extended function is available, it is called by evp_keymgmt_import_types() or evp_keymgmt_export_types(), otherwise the original function is called. This makes the code backward compatible. Existing providers will only implement the original functions, so these functions will continued to be called. Newer providers can choose to implement the extended functions, and thus can benefit from the provider context being passed to the implementation. Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20255)
show more ...
|
#
78c44b05 |
| 26-Aug-2022 |
slontis |
Add HPKE DHKEM provider support for EC, X25519 and X448. The code is derived from @sftcd's work in PR #17172. This PR puts the DHKEM algorithms into the provider layer as KEM algorit
Add HPKE DHKEM provider support for EC, X25519 and X448. The code is derived from @sftcd's work in PR #17172. This PR puts the DHKEM algorithms into the provider layer as KEM algorithms for EC and ECX. This PR only implements the DHKEM component of HPKE as specified in RFC 9180. crypto/hpke/hpke_util.c has been added for fuctions that will be shared between DHKEM and HPKE. API's for EVP_PKEY_auth_encapsulate_init() and EVP_PKEY_auth_decapsulate_init() have been added to support authenticated encapsulation. auth_init() functions were chosen rather that a EVP_PKEY_KEM_set_auth() interface to support future algorithms that could possibly need different init functions. Internal code has been refactored, so that it can be shared between the DHKEM and other systems. Since DHKEM operates on low level keys it needs to be able to do low level ECDH and ECXDH calls without converting the keys back into EVP_PKEY/EVP_PKEY_CTX form. See ossl_ecx_compute_key(), ossl_ec_public_from_private() DHKEM requires API's to derive a key using a seed (IKM). This did not sit well inside the DHKEM itself as dispatch functions. This functionality fits better inside the EC and ECX keymanagers keygen, since they are just variations of keygen where the private key is generated in a different manner. This should mainly be used for testing purposes. See ossl_ec_generate_key_dhkem(). It supports this by allowing a settable param to be passed to keygen (See OSSL_PKEY_PARAM_DHKEM_IKM). The keygen calls code within ec and ecx dhkem implementation to handle this. See ossl_ecx_dhkem_derive_private() and ossl_ec_dhkem_derive_private(). These 2 functions are also used by the EC/ECX DHKEM implementations to generate the sender ephemeral keys. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19068)
show more ...
|
#
fecb3aae |
| 03-May-2022 |
Matt Caswell |
Update copyright year Reviewed-by: Tomas Mraz <tomas@openssl.org> Release: yes
|
#
e304aa87 |
| 02-Jan-2022 |
Dimitris Apostolou |
Fix typos Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17392)
|
#
97abae6a |
| 09-Jun-2021 |
Matt Caswell |
Add various OBJ functions as callbacks This enables providers to register new OIDs in the same libcrypto instance as is used by the application. Fixes #15624 Reviewed-b
Add various OBJ functions as callbacks This enables providers to register new OIDs in the same libcrypto instance as is used by the application. Fixes #15624 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15681)
show more ...
|
Revision tags: openssl-3.0.0-alpha17 |
|
#
c9732f09 |
| 20-May-2021 |
Matt Caswell |
Fix a memleak in the FIPS provider If the DRBG is used within the scope of the FIPS OSSL_provider_init function then it attempts to register a thread callback via c_thread_start. How
Fix a memleak in the FIPS provider If the DRBG is used within the scope of the FIPS OSSL_provider_init function then it attempts to register a thread callback via c_thread_start. However the implementation of c_thread_start assumed that the provider's provctx was already present. However because OSSL_provider_init is still running it was actually NULL. This means the thread callback fail to work correctly and a memory leak resulted. Instead of having c_thread_start use the provctx as the callback argument we change the definition of c_thread_start to have an explicit callback argument to use. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15278)
show more ...
|
#
447588b6 |
| 07-May-2021 |
Matt Caswell |
Add a callback for providers to know about global properties changes Where a child libctx is in use it needs to know what the current global properties are. Reviewed-by: Paul Da
Add a callback for providers to know about global properties changes Where a child libctx is in use it needs to know what the current global properties are. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15242)
show more ...
|
Revision tags: openssl-3.0.0-alpha16 |
|
#
8c627075 |
| 29-Apr-2021 |
Matt Caswell |
Add support for child provider to up_ref/free their parent If the ref counts on a child provider change, then this needs to be reflected in the parent so we add callbacks to do this.
Add support for child provider to up_ref/free their parent If the ref counts on a child provider change, then this needs to be reflected in the parent so we add callbacks to do this. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14991)
show more ...
|
#
7b88c184 |
| 23-Apr-2021 |
Matt Caswell |
Register callbacks with core for child provider creation/deletion By adding callbacks to the core this will enable (in future commits) the ability to add/remove child providers as the pr
Register callbacks with core for child provider creation/deletion By adding callbacks to the core this will enable (in future commits) the ability to add/remove child providers as the providers are added/removed from the parent libctx. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14991)
show more ...
|
Revision tags: openssl-3.0.0-alpha15 |
|
#
f12a5690 |
| 21-Apr-2021 |
Matt Caswell |
Add the concept of a child OSSL_LIB_CTX Add a child OSSL_LIB_CTX that will mirror the providers loaded into the parent libctx. This is useful for providers that want to use algorithms
Add the concept of a child OSSL_LIB_CTX Add a child OSSL_LIB_CTX that will mirror the providers loaded into the parent libctx. This is useful for providers that want to use algorithms from other providers and just need to inherit the providers used by the application. Fixes #14925 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14991)
show more ...
|
#
16df436d |
| 20-Apr-2021 |
Nicola Tuveri |
Add missing argname for keymgmt_gettable_params and keymgmt_settable_params prototypes For some reason `keymgmt_gettable_params` and `keymgmt_settable_params` seem to be the only prototy
Add missing argname for keymgmt_gettable_params and keymgmt_settable_params prototypes For some reason `keymgmt_gettable_params` and `keymgmt_settable_params` seem to be the only prototypes in `core_dispatch.h` without named arguments. This is annoying if `core_dispatch.h` is being parsed to extract information and also for developers who would like the header to be self-contained, without having to refer to the documentation every time to check what is supposed to be passed. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14950)
show more ...
|
#
85fcc3fb |
| 08-Apr-2021 |
Tomas Mraz |
Remove keymgmt_copy function from the provider API It is superceded by the keymgmt_dup. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/opens
Remove keymgmt_copy function from the provider API It is superceded by the keymgmt_dup. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/14793)
show more ...
|
#
b4f447c0 |
| 08-Apr-2021 |
Tomas Mraz |
Add selection support to the provider keymgmt_dup function Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/14793)
|
Revision tags: openssl-3.0.0-alpha14 |
|
#
4a9fe33c |
| 07-Apr-2021 |
Tomas Mraz |
Implement provider-side keymgmt_dup function To avoid mutating key data add OSSL_FUNC_KEYMGMT_DUP function to the provider API and implement it for all asym-key key managements.
Implement provider-side keymgmt_dup function To avoid mutating key data add OSSL_FUNC_KEYMGMT_DUP function to the provider API and implement it for all asym-key key managements. Use it when copying everything to an empty EVP_PKEY which is the case with EVP_PKEY_dup(). Fixes #14658 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/14793)
show more ...
|
#
bd6e7fb7 |
| 31-Mar-2021 |
Tomas Mraz |
Small fixes and cleanups of provider API documentation Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.co
Small fixes and cleanups of provider API documentation Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14756)
show more ...
|