Param builder: make the OSSL_PARAM_BLD APIs public.

The catalyst for this is the difficult of passing BNs through the other
OSSL_PARAM APIs.

Reviewed-by: Nicola Tuveri <nic.tuv@

Param builder: make the OSSL_PARAM_BLD APIs public.

The catalyst for this is the difficult of passing BNs through the other
OSSL_PARAM APIs.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11390)

show more ...

EVP: Implement support for key downgrading in backends

Downgrading EVP_PKEYs from containing provider side internal keys to
containing legacy keys demands support in the EVP_PKEY_ASN1_ME

EVP: Implement support for key downgrading in backends

Downgrading EVP_PKEYs from containing provider side internal keys to
containing legacy keys demands support in the EVP_PKEY_ASN1_METHOD.

This became a bit elaborate because the code would be almost exactly
the same as the import functions int EVP_KEYMGMT. Therefore, we end
up moving most of the code to common backend support files that can be
used both by legacy backend code and by our providers.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11375)

show more ...

EVP: Clarify the states of an EVP_PKEY

EVP_PKEY is rather complex, even before provider side keys entered the
stage.
You could have untyped / unassigned keys (pk->type == EVP_PKEY_NO

EVP: Clarify the states of an EVP_PKEY

EVP_PKEY is rather complex, even before provider side keys entered the
stage.
You could have untyped / unassigned keys (pk->type == EVP_PKEY_NONE),
keys that had been assigned a type but no data (pk->pkey.ptr == NULL),
and fully assigned keys (pk->type != EVP_PKEY_NONE && pk->pkey.ptr != NULL).

For provider side keys, the corresponding states weren't well defined,
and the code didn't quite account for all the possibilities.

We also guard most of the legacy fields in EVP_PKEY with FIPS_MODE, so
they don't exist at all in the FIPS module.

Most of all, code needs to adapt to the case where an EVP_PKEY's
|keymgmt| is non-NULL, but its |keydata| is NULL.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11375)

show more ...

Add DSA Key validation to default provider

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10912)

PROV: Add a OP_keymgmt_match() function to our DH, DSA, RSA and EC_KEY impl

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11158)

[PROV][KEYMGMT][DH][DSA] use BN_clear_free for secrets

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shan

[PROV][KEYMGMT][DH][DSA] use BN_clear_free for secrets

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10631)

show more ...

Add FFC param/key validation

Embed libctx in dsa and dh objects and cleanup internal methods to not pass libctx (This makes it consistent with the rsa changes)

Reviewed-by: Matt Cas

Add FFC param/key validation

Embed libctx in dsa and dh objects and cleanup internal methods to not pass libctx (This makes it consistent with the rsa changes)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10910)

show more ...

Deprecate the low level DSA functions.

Use of the low level DSA functions has been informally discouraged for a
long time. We now formally deprecate them.

Reviewed-by: Matt Casw

Deprecate the low level DSA functions.

Use of the low level DSA functions has been informally discouraged for a
long time. We now formally deprecate them.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10977)

show more ...

Implement Provider side Key Management for X25519 and X448

Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from ht

Implement Provider side Key Management for X25519 and X448

Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10964)

show more ...

KEYMGMT: Require both get_params and gettable_params, or none

The same go for the pairs import + import_types and export + export_types.

This required some additional changes in our

KEYMGMT: Require both get_params and gettable_params, or none

The same go for the pairs import + import_types and export + export_types.

This required some additional changes in our KEYMGMT implementations.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11006)

show more ...

Adapt existing KEYMGMT implementations to the redesigned interface

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul

Adapt existing KEYMGMT implementations to the redesigned interface

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11006)

show more ...

Add answers for EVP_PKEY_get_default_digest_name() in RSA and DSA keymgmt

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10824)

PROV: Adapt the RSA, DSA and DH KEYMGMT implementations

They now all respond to requests for key size, bits and security bits.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Me

PROV: Adapt the RSA, DSA and DH KEYMGMT implementations

They now all respond to requests for key size, bits and security bits.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/10778)

show more ...

PROV: Adapt the DSA keymgmt implementation to no ex_fields

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://githu

PROV: Adapt the DSA keymgmt implementation to no ex_fields

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10837)

show more ...

Add dsa signature alg to fips provider

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10615)

CORE & PROV: make export of key data leaner through callback

Exporting data from a provider owned domainparams or key is quite an
ordeal, with having to figure out what parameter keys an

CORE & PROV: make export of key data leaner through callback

Exporting data from a provider owned domainparams or key is quite an
ordeal, with having to figure out what parameter keys an
implementation supports, call the export function a first time to find
out how large each parameter buffer must be, allocate the necessary
space for it, and call the export function again.

So how about letting the export function build up the key data params
and call back with that? This change implements exactly such a
mechanism.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10414)

show more ...

DSA: Add export of keys and domain parameters from provider

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10169)

DSA: Add export of domain parameters to provider

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10169)

Cleanup: move providers/common/include/internal/provider_args.h

New name is providers/implementations/include/prov/implementations.h
All inclusions are adapted accordingly.

Revi

Cleanup: move providers/common/include/internal/provider_args.h

New name is providers/implementations/include/prov/implementations.h
All inclusions are adapted accordingly.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10088)

show more ...

Providers: move common exchange,kdfs,keymgmt,macs,signature

From providers/common/ to providers/implementations/

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https:

Providers: move common exchange,kdfs,keymgmt,macs,signature

From providers/common/ to providers/implementations/

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10088)

show more ...