#
d8652be0 |
| 24-Sep-2020 |
Matt Caswell |
Run the withlibctx.pl script Automatically rename all instances of _with_libctx() to _ex() as per our coding style. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged fro
Run the withlibctx.pl script Automatically rename all instances of _with_libctx() to _ex() as per our coding style. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12970)
show more ...
|
Revision tags: OpenSSL_1_1_1h |
|
#
29844ea5 |
| 16-Sep-2020 |
Dr. David von Oheimb |
Prune low-level ASN.1 parse errors from error queue in decoder_process() Fixes #12840 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Richard Levitte <levitte@ope
Prune low-level ASN.1 parse errors from error queue in decoder_process() Fixes #12840 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12893)
show more ...
|
#
d135774e |
| 24-Aug-2020 |
Shane Lontis |
Fix coverity CID #1465967 & #1465968 - fix NULL dereference in dh_ameth.c Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/
Fix coverity CID #1465967 & #1465968 - fix NULL dereference in dh_ameth.c Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/12708)
show more ...
|
Revision tags: openssl-3.0.0-alpha6 |
|
#
31d2daec |
| 04-Aug-2020 |
Shane Lontis |
Add DHX serialization Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12575)
|
Revision tags: openssl-3.0.0-alpha5, openssl-3.0.0-alpha4, openssl-3.0.0-alpha3 |
|
#
6a9bd929 |
| 20-May-2020 |
Matt Caswell |
Make EVP_PKEY_[get1|set1]_tls_encodedpoint work with provided keys EVP_PKEY_[get1|set1]_tls_encodedpoint() only worked if an ameth was present which isn't the case for provided keys. Sup
Make EVP_PKEY_[get1|set1]_tls_encodedpoint work with provided keys EVP_PKEY_[get1|set1]_tls_encodedpoint() only worked if an ameth was present which isn't the case for provided keys. Support has been added to dh, ec and ecx keys. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11898)
show more ...
|
#
7674e923 |
| 24-May-2020 |
Dr. David von Oheimb |
Constify X509_PUBKEY_get(), X509_PUBKEY_get0(), and X509_PUBKEY_get0_param() Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11894)
|
Revision tags: openssl-3.0.0-alpha2, openssl-3.0.0-alpha1 |
|
#
33388b44 |
| 23-Apr-2020 |
Matt Caswell |
Update copyright year Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11616)
|
Revision tags: OpenSSL_1_1_1g |
|
#
738ee181 |
| 20-Apr-2020 |
Shane Lontis |
Fix DH_get_nid() so that it does not cache values. DH_set0_pqg() is now responsible for caching the nid, q and length. DH with or without named safe prime groups now default to usin
Fix DH_get_nid() so that it does not cache values. DH_set0_pqg() is now responsible for caching the nid, q and length. DH with or without named safe prime groups now default to using the maximum private key length (BN_num_bits(q) - 1) when generating a DH private key. The code is now shared between fips and non fips mode for DH key generation. The OSSL_PKEY_PARAM_DH_PRIV_LEN parameter can be used during keygen to override the maximum private key length to be in the range (2 * strength ... bits(q) - 1). Where the strength depends on the length of p. Added q = (p - 1) / 2 safe prime BIGNUMS so that the code is data driven (To simplify adding new names). The BIGNUMS were code generated. Fix error in documented return value for DH_get_nid Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11562)
show more ...
|
#
629c72db |
| 10-Apr-2020 |
Matt Caswell |
When calling the import_to function pass the libctx too Previously import_to just took an EVP_PKEY as the argument. However we need to some additional context data as well - specifically
When calling the import_to function pass the libctx too Previously import_to just took an EVP_PKEY as the argument. However we need to some additional context data as well - specifically the libctx. Therefore we pass an EVP_PKEY_CTX instead to hold the combination of both of these things. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11536)
show more ...
|
#
b03ec3b5 |
| 15-Apr-2020 |
Shane Lontis |
Add DSA keygen to provider Moved some shared FFC code into the FFC files. Added extra paramgen parameters for seed, gindex. Fixed bug in ossl_prov util to print bignums. Rev
Add DSA keygen to provider Moved some shared FFC code into the FFC files. Added extra paramgen parameters for seed, gindex. Fixed bug in ossl_prov util to print bignums. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11303)
show more ...
|
#
76e23fc5 |
| 06-Apr-2020 |
Matt Caswell |
Enable export_to functions to have access to the libctx The EC export_to function calls EC_POINT_point2buf that can later generate a random number in some circumstances. Therefore we pas
Enable export_to functions to have access to the libctx The EC export_to function calls EC_POINT_point2buf that can later generate a random number in some circumstances. Therefore we pass in a BN_CTX associated with the library context. This means we have to change the export_to function signature to accept the library context. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11493)
show more ...
|
Revision tags: OpenSSL_1_1_1f |
|
#
6d4e6009 |
| 25-Mar-2020 |
Pauli |
Param build: make structures opaque. Since this is public, it is best to make the underlying structure opaque. This means converting from stack allocation to dynamic allocation for all
Param build: make structures opaque. Since this is public, it is best to make the underlying structure opaque. This means converting from stack allocation to dynamic allocation for all usages. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/11390)
show more ...
|
#
110bff61 |
| 24-Mar-2020 |
Pauli |
Param builder: make the OSSL_PARAM_BLD APIs public. The catalyst for this is the difficult of passing BNs through the other OSSL_PARAM APIs. Reviewed-by: Nicola Tuveri <nic.tuv@
Param builder: make the OSSL_PARAM_BLD APIs public. The catalyst for this is the difficult of passing BNs through the other OSSL_PARAM APIs. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/11390)
show more ...
|
#
0abae163 |
| 23-Mar-2020 |
Richard Levitte |
EVP: Implement support for key downgrading in backends Downgrading EVP_PKEYs from containing provider side internal keys to containing legacy keys demands support in the EVP_PKEY_ASN1_ME
EVP: Implement support for key downgrading in backends Downgrading EVP_PKEYs from containing provider side internal keys to containing legacy keys demands support in the EVP_PKEY_ASN1_METHOD. This became a bit elaborate because the code would be almost exactly the same as the import functions int EVP_KEYMGMT. Therefore, we end up moving most of the code to common backend support files that can be used both by legacy backend code and by our providers. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11375)
show more ...
|
#
0996cff9 |
| 19-Mar-2020 |
Richard Levitte |
DH, DSA, EC_KEY: Fix exporters to allow domain parameter keys The export-to-provider functions for DH, DSA and EC_KEY assumed that a public key is always present, and would fail if not.
DH, DSA, EC_KEY: Fix exporters to allow domain parameter keys The export-to-provider functions for DH, DSA and EC_KEY assumed that a public key is always present, and would fail if not. This blocks any attempt to export a key structure with only domain parameters. While fixing this, we also modify the selection declaration to evp_keymgmt_import() to be more adaptive, the diverse selection bits are now added when the corresponding data is added to the OSSL_PARAM array. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11374)
show more ...
|
Revision tags: OpenSSL_1_1_1e |
|
#
df13defd |
| 27-Feb-2020 |
Richard Levitte |
EVP: Check that key methods aren't foreign when exporting The EVP_PKEY_ASN1_METHOD function export_to() must check that the key we're trying to export has a known libcrypto method, i.e.
EVP: Check that key methods aren't foreign when exporting The EVP_PKEY_ASN1_METHOD function export_to() must check that the key we're trying to export has a known libcrypto method, i.e. is a built in RSA_METHOD, DSA_METHOD, etc. Otherwise, the method may be defined by the calling application, by an engine, by another library, and we simply cannot know all the quirks hidden behind that method, if we have access to the key data, or much anything. Such keys are simply deemed impossible to export to provider keys, i.e. have export_to() return 0. This cascades back to functions like evp_pkey_export_to_provider() and evp_pkey_upgrade_to_provider() and their callers. In most cases, this is fine, but if these get mixed in with provider side keys in any function, that function will fail. Fixes #11179 Fixes #9915 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11193)
show more ...
|
#
ada66e78 |
| 03-Feb-2020 |
Pauli |
Deprecate the low level Diffie-Hellman functions. Use of the low level DH functions has been informally discouraged for a long time. We now formally deprecate them. Reviewed-by
Deprecate the low level Diffie-Hellman functions. Use of the low level DH functions has been informally discouraged for a long time. We now formally deprecate them. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11024)
show more ...
|
#
90d3cb57 |
| 27-Jan-2020 |
Matt Caswell |
Implement Provider side Key Management for X25519 and X448 Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from ht
Implement Provider side Key Management for X25519 and X448 Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10964)
show more ...
|
#
b305452f |
| 02-Feb-2020 |
Richard Levitte |
Redesign the KEYMGMT libcrypto <-> provider interface - the basics The KEYMGMT libcrypto <-> provider interface currently makes a few assumptions: 1. provider side domain param
Redesign the KEYMGMT libcrypto <-> provider interface - the basics The KEYMGMT libcrypto <-> provider interface currently makes a few assumptions: 1. provider side domain parameters and key data isn't mutable. In other words, as soon as a key has been created in any (loaded, imported data, ...), it's set in stone. 2. provider side domain parameters can be strictly separated from the key data. This does work for the most part, but there are places where that's a bit too rigid for the functionality that the EVP_PKEY API delivers. Key data needs to be mutable to allow the flexibility that functions like EVP_PKEY_copy_parameters promise, as well as to provide the combinations of data that an EVP_PKEY is generally assumed to be able to hold: - domain parameters only - public key only - public key + private key - domain parameters + public key - domain parameters + public key + private key To remedy all this, we: 1. let go of the distinction between domain parameters and key material proper in the libcrypto <-> provider interface. As a consequence, functions that still need it gain a selection argument, which is a set of bits that indicate what parts of the key object are to be considered in a specific call. This allows a reduction of very similar functions into one. 2. Rework the libcrypto <-> provider interface so provider side key objects are created and destructed with a separate function, and get their data filled and extracted in through import and export. (future work will see other key object constructors and other functions to fill them with data) Fixes #10979 squash! Redesign the KEYMGMT libcrypto <-> provider interface - the basics Remedy 1 needs a rewrite: Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11006)
show more ...
|
#
dc8de3e6 |
| 24-Jan-2020 |
Shane Lontis |
Modify DSA and DH keys to use a shared FFC_PARAMS struct This is required in order to share code for FIPS related parameter generation and validation routinues. Note the 'counter' field
Modify DSA and DH keys to use a shared FFC_PARAMS struct This is required in order to share code for FIPS related parameter generation and validation routinues. Note the 'counter' field is now stored as a integer (as that is the form required for generation/validation functions). Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10860)
show more ...
|
#
756f5c6c |
| 06-Jan-2020 |
Pauli |
coverity 1201478: check BIO_indent returns Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10760)
|
Revision tags: OpenSSL_1_0_2u |
|
#
6624e1f7 |
| 31-Oct-2019 |
Scott Wilson |
Fix potential memory leak in dh_ameth.c Free dukm in error handling of dh_cms_encrypt() Fixes #10294 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Patrick S
Fix potential memory leak in dh_ameth.c Free dukm in error handling of dh_cms_encrypt() Fixes #10294 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com> (Merged from https://github.com/openssl/openssl/pull/10310)
show more ...
|
#
14e3e00f |
| 14-Oct-2019 |
Richard Levitte |
DH: Add export of domain parameters to provider Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10169)
|
#
12a765a5 |
| 16-Sep-2019 |
Rich Salz |
Explicitly test against NULL; do not use !p or similar Also added blanks lines after declarations in a couple of places. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Review
Explicitly test against NULL; do not use !p or similar Also added blanks lines after declarations in a couple of places. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9916)
show more ...
|
#
706457b7 |
| 27-Sep-2019 |
Dr. Matthias St. Pierre |
Reorganize local header files Apart from public and internal header files, there is a third type called local header files, which are located next to source files in the source direc
Reorganize local header files Apart from public and internal header files, there is a third type called local header files, which are located next to source files in the source directory. Currently, they have different suffixes like '*_lcl.h', '*_local.h', or '*_int.h' This commit changes the different suffixes to '*_local.h' uniformly. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9333)
show more ...
|