STORE: Add a built-in 'file:' storemgmt implementation (loader)

This replaces the older 'file:' loader that is now an engine.

It's still possible to use the older 'file:' loader by

STORE: Add a built-in 'file:' storemgmt implementation (loader)

This replaces the older 'file:' loader that is now an engine.

It's still possible to use the older 'file:' loader by explicitly
using the engine, and tests will remain for it as long as ENGINEs are
still supported (even through deprecated).

To support this storemgmt implementation, a few internal OSSL_DECODER
modifications are needed:

- An internal function that implements most of
OSSL_DECODER_CTX_new_by_EVP_PKEY(), but operates on an already
existing OSSL_DECODER_CTX instead of allocating a new one.
- Allow direct creation of a OSSL_DECODER from an OSSL_ALGORITHM.
It isn't attached to any provider, and is only used internally, to
simply catch any DER encoded object to be passed back to the
object callback with no further checking. This implementation
becomes the last resort decoder, when all "normal"
decodation attempts (i.e. those that are supposed to result
in an OpenSSL object of some sort) have failed.

Because file_store_attach() uses BIO_tell(), we must also support
BIO_ctrl() as a libcrypto upcall.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12587)

show more ...

PROV: Fix DSA and DH private key serializers

If those private key serializer were given a key structure with just
the public key material, they crashed, because they tried to
de-refe

PROV: Fix DSA and DH private key serializers

If those private key serializer were given a key structure with just
the public key material, they crashed, because they tried to
de-reference NULL. This adds better checking.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12679)

show more ...

Move PKCS#12 KDF to provider.

This KDF is defined in RFC7292 in appendix B. It is widely used in PKCS#12
and should be provided.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.or

Move PKCS#12 KDF to provider.

This KDF is defined in RFC7292 in appendix B. It is widely used in PKCS#12
and should be provided.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12624)

show more ...

PROV: Add a DER to RSA-PSS deserializer implementation

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12492)

Add ERR_raise() errors to fips OSSL_provider_init and self tests.

As the ERR_raise() is setup at this point returng a range of negative values for errors is not required.
This will need

Add ERR_raise() errors to fips OSSL_provider_init and self tests.

As the ERR_raise() is setup at this point returng a range of negative values for errors is not required.
This will need to be revisited if the code ever moves to running from the DEP.
Added a -config option to the fips install so that it can test if a fips module is loadable from configuration.
(The -verify option only uses the generated config, whereas -config uses the normal way of including the generated data via another config file).
Added more failure tests for the raised errors.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12346)

show more ...

[EC][ASN1] Detect missing OID when serializing EC parameters and keys

The following built-in curves do not have an assigned OID:

- Oakley-EC2N-3
- Oakley-EC2N-4

In gene

[EC][ASN1] Detect missing OID when serializing EC parameters and keys

The following built-in curves do not have an assigned OID:

- Oakley-EC2N-3
- Oakley-EC2N-4

In general we shouldn't assume that an OID is always available.

This commit detects such cases, raises an error and returns appropriate
return values so that the condition can be detected and correctly
handled by the callers, when serializing EC parameters or EC keys with
the default `ec_param_enc:named_curve`.

Fixes #12306

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12313)

show more ...

rand: core APIs for provider friendly random.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11682)

PROV & SIGNATURE: Adapt the RSA signature code for PSS-parameters

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11710)

PROV: Implement EC param / key generation

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/

PROV: Implement EC param / key generation

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11328)

show more ...

Implement provider support for Ed25519 annd Ed448

At the moment we only provider support for these algorithms in the default
provider. These algorithms only support "one shot" EVP_Digest

Implement provider support for Ed25519 annd Ed448

At the moment we only provider support for these algorithms in the default
provider. These algorithms only support "one shot" EVP_DigestSign() and
EVP_DigestVerify() as per the existing libcrypto versions.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11261)

show more ...

PROV: add RSA signature implementation

This includes legacy PSS controls to params conversion, and an attempt
to generalise the parameter names when they are suitable for more than
o

PROV: add RSA signature implementation

This includes legacy PSS controls to params conversion, and an attempt
to generalise the parameter names when they are suitable for more than
one operation.

Also added crypto/rsa/rsa_aid.c, containing proper AlgorithmIdentifiers
for known RSA+hash function combinations.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10557)

show more ...

Add X25519/X448 Key Exchange to the default provider

Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://

Add X25519/X448 Key Exchange to the default provider

Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10964)

show more ...

PROV: Implement padding mode words in the RSA ASYM_CIPHER implementation

Because the libcrypto code has relinquished control of exact words to
express padding mode choices, we re-impleme

PROV: Implement padding mode words in the RSA ASYM_CIPHER implementation

Because the libcrypto code has relinquished control of exact words to
express padding mode choices, we re-implement them in the appropriate
provider implementation.

For the sake of legacy controls, we maintain support for the numeric
form of the padding mode, but leave that support otherwise undeclared.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10947)

show more ...

Teach the RSA implementation about TLS RSA Key Transport

In TLSv1.2 a pre-master secret value is passed from the client to the
server encrypted using RSA PKCS1 type 2 padding in a Client

Teach the RSA implementation about TLS RSA Key Transport

In TLSv1.2 a pre-master secret value is passed from the client to the
server encrypted using RSA PKCS1 type 2 padding in a ClientKeyExchange
message. As well as the normal formatting rules for RSA PKCA1 type 2
padding TLS imposes some additional rules about what constitutes a well
formed key. Specifically it must be exactly the right length and
encode the TLS version originally requested by the client (as opposed to
the actual negotiated version) in its first two bytes.

All of these checks need to be done in constant time and, if they fail,
then the TLS implementation is supposed to continue anyway with a random
key (and therefore the connection will fail later on). This avoids
padding oracle type attacks.

This commit implements this within the RSA padding code so that we keep
all the constant time padding logic in one place. A later commit will
remove it from libssl.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10411)

show more ...

PROV SERIALIZER: add support for writing DH keys and parameters

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)

PROV SERIALIZER: add common functionality to serialize keys

To support generic output of public keys wrapped in a X509_PUBKEY,
additional PEM and i2d/d2i routines are added for that type

PROV SERIALIZER: add common functionality to serialize keys

To support generic output of public keys wrapped in a X509_PUBKEY,
additional PEM and i2d/d2i routines are added for that type.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10394)

show more ...

Implement provider support for Asym Ciphers

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10152)

Add KRB5KDF from RFC 3961

Signed-off-by: Simo Sorce <simo@redhat.com>

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(M

Add KRB5KDF from RFC 3961

Signed-off-by: Simo Sorce <simo@redhat.com>

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9949)

show more ...

[KDF] Add feedback-mode and CMAC support to KBKDF

Implement SP800-108 section 5.2 with CMAC support. As a side effect,
enable 5.1 with CMAC and 5.2 with HMAC. Add test vectors from RFC

[KDF] Add feedback-mode and CMAC support to KBKDF

Implement SP800-108 section 5.2 with CMAC support. As a side effect,
enable 5.1 with CMAC and 5.2 with HMAC. Add test vectors from RFC 6803.

Add OSSL_KDF_PARAM_CIPHER and PROV_R_INVALID_SEED_LENGTH.

Signed-off-by: Robbie Harwood <rharwood@redhat.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10143)

show more ...

Cleanup: move remaining providers/common/include/internal/*.h

The end up in providers/common/include/prov/.
All inclusions are adjusted accordingly.

Reviewed-by: Matt Caswell <m

Cleanup: move remaining providers/common/include/internal/*.h

The end up in providers/common/include/prov/.
All inclusions are adjusted accordingly.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10088)

show more ...

Add rc2 ciphers to default provider

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9991)

Add rc5 ciphers to default provider

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10006)

Add aes_xts cipher to providers

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9327)

util/mkerr.pl: make it not depend on the function code

The output C code was made to use ERR_func_error_string() to see if a
string table was already loaded or not. Since this function

util/mkerr.pl: make it not depend on the function code

The output C code was made to use ERR_func_error_string() to see if a
string table was already loaded or not. Since this function returns
NULL always, this check became useless.

Change it to use ERR_reason_error_string() instead, as there's no
reason to believe we will get rid of reason strings, ever.

To top it off, we rebuild all affected C sources.

Fixes #9756

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9756)

show more ...

KDF error codes reworked

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9662)