History log of /openssl/crypto/evp/exchange.c (Results 51 – 70 of 70)
# c1ff5994 26-Nov-2019 Matt Caswell

Check that OPENSSL_zalloc was successful when creating EVP types

We were missing a NULL check in a few very similar places following an
OPENSSL_zalloc() call.

Reported-by: Ziyang Li (@Liby99)

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10526)


# 0ddf74bf 31-Oct-2019 Richard Levitte

Final cleanup after move to leaner EVP_PKEY methods

Now that KEYMGMT method pointers have moved away from the diverse
methods that are used with EVP_PKEY_CTX, we no longer need to pass
special argument to evp_generic_fetch() and evp_generic_do_all().

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10309)


# c0e0984f 30-Oct-2019 Richard Levitte

EVP: Make the KEYEXCH implementation leaner

Because the algorithm to use is decided already when creating an
EVP_PKEY_CTX regardless of how it was created, it turns out that it's
unnecessary to provide the KEYEXCH method explicitly, and rather
always have it be fetched implicitly.

This means fewer changes for applications that want to use new key
exchange algorithms / implementations.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10305)


# 02f060d1 14-Oct-2019 Richard Levitte

PKEY: adapt the export_to_provider functions to handle domain params too

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10169)


# 506cb0f6 23-Sep-2019 Richard Levitte

EVP: add functions that return the name number

The returned number can be used for comparison purposes.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9979)


# f651c727 23-Sep-2019 Richard Levitte

EVP: add name traversal functions to all fetchable types

The following new functions all do the same thing; they traverse
the set of names assigned to implementations of each algorithm type:

EVP_MD_names_do_all(), EVP_CIPHER_names_do_all(),
EVP_MAC_names_do_all(), EVP_KEYMGMT_names_do_all(),
EVP_KEYEXCH_names_do_all(), EVP_KDF_names_do_all(),
EVP_SIGNATURE_names_do_all()

We add a warning to the documentation of EVP_CIPHER_name() and
EVP_MD_name(), as they aren't suitable to use with multiple-name
implementation.

We also remove EVP_MAC_name() and evp_KDF_name(), as they serve no
useful purpose.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9979)


# 251e610c 23-Sep-2019 Richard Levitte

EVP: add missing common functionality

This adds the missing functions that should be common for all
fetchable EVP sub-APIs:

EVP_KEYMGMT_is_a(), EVP_KEYMGMT_do_all_provided(), EVP_KEYEXCH_is_a(),
EVP_KEYEXCH_do_all_provided(), EVP_KDF_is_a(), EVP_MD_is_a(),
EVP_SIGNATURE_do_all_provided(), EVP_SIGNATURE_is_a().

This also renames EVP_MD_do_all_ex(), EVP_CIPHER_do_all_ex(),
EVP_KDF_do_all_ex(), EVP_MAC_do_all_ex() to change '_ex'
to '_provided'.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9979)


# 706457b7 27-Sep-2019 Dr. Matthias St. Pierre

Reorganize local header files

Apart from public and internal header files, there is a third type called
local header files, which are located next to source files in the source
directory. Currently, they have different suffixes like

'*_lcl.h', '*_local.h', or '*_int.h'

This commit changes the different suffixes to '*_local.h' uniformly.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9333)


# 25f2138b 27-Sep-2019 Dr. Matthias St. Pierre

Reorganize private crypto header files

Currently, there are two different directories which contain internal
header files of libcrypto which are meant to be shared internally:

While header files in 'include/internal' are intended to be shared
between libcrypto and libssl, the files in 'crypto/include/internal'
are intended to be shared inside libcrypto only.

To make things complicated, the include search path is set up in such
a way that the directive #include "internal/file.h" could refer to
a file in either of these two directories. This makes it necessary
in some cases to add a '_int.h' suffix to some files to resolve this
ambiguity:

#include "internal/file.h" # located in 'include/internal'
#include "internal/file_int.h" # located in 'crypto/include/internal'

This commit moves the private crypto headers from

'crypto/include/internal' to 'include/crypto'

As a result, the include directives become unambiguous

#include "internal/file.h" # located in 'include/internal'
#include "crypto/file.h" # located in 'include/crypto'

hence the superfluous '_int.h' suffixes can be stripped.

The files 'store_int.h' and 'store.h' need to be treated specially;
they are joined into a single file.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9333)


# f7c16d48 14-Sep-2019 Richard Levitte

In provider implemented methods, save the name number, not the name string

Multiple names per implementation is already supported in the namemap,
but hasn't been used yet. However, as soon as we have multiple names,
we will get an issue with what name should be saved in the method.

The solution is to not save the name itself, but rather the number
it's associated with. This number is supposed to be unique for each
set of names, and we assume that algorithm names are globally unique,
i.e. there can be no name overlap between different algorithm types.

Incidentally, it was also found that the 'get' function used by
ossl_construct_method() doesn't need all the parameters it was given;
most of what it needs, it can now get through the data structure given
by the caller of ossl_construct_method(). As a consequence,
ossl_construct_method() itself doesn't need all the parameters it was
given either.

There are some added internal functions that are expected to disappear
as soon as legacy code is removed, such as evp_first_name() and
ossl_namemap_num2name().

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9897)


Revision tags: OpenSSL_1_0_2t, OpenSSL_1_1_0l, OpenSSL_1_1_1d
# 864b89ce 04-Sep-2019 Matt Caswell

Move EVP_PKEY algorithm implementations into a union

An EVP_PKEY can be used for multiple different algorithm operations.
Only one can be used at a time, so we move those into a union.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9753)


# 9c45222d 04-Sep-2019 Matt Caswell

Revise EVP_PKEY param handling

We add new functions for getting parameters and discovering the gettable
and settable parameters. We also make EVP_PKEY_CTX_get_signature_md() a
function and implement it in terms of the new functions.

This enables applications to discover the set of parameters that are
supported for a given algorithm implementation.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9753)


# dfcb5d29 30-Aug-2019 Matt Caswell

Add the ability to perform signatures in a provider

This makes EVP_PKEY_sign and EVP_PKEY_sign_init provider aware. It
also introduces the new type EVP_SIGNATURE to represent signature
algorithms. This also automatically makes the EVP_Sign* APIs provider
aware because they use EVP_Digest* (which is already provider aware)
and EVP_PKEY_sign(_init) under the covers.

At this stage there are no signature algorithms in any providers. That
will come in the following commits.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9753)


# 3ca9d210 23-Aug-2019 Richard Levitte

Refactor how KEYMGMT methods get associated with other methods

KEYMGMT methods were attached to other methods after those were fully
created and registered, thereby creating a potential data race, if two
threads tried to create the exact same method at the same time.

Instead of this, we change the method creating function to take an
extra data parameter, passed all the way from the public fetching
function. In the case of EVP_KEYEXCH, we pass all the necessary data
that evp_keyexch_from_dispatch() needs to be able to fetch the
appropriate KEYMGMT method on the fly.

Fixes #9592

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9678)


# ac5a61ca 09-Aug-2019 Shane Lontis

Add missing SIZE_MAX define for windows

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9559)


# 8b84b075 07-Jul-2019 Richard Levitte

Adapt DH to use with KEYMGMT

The biggest part in this was to move the key->param builder from EVP
to the DH ASN.1 method, and to implement the KEYMGMT support in the
provider DH.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9394)


# 6b9e3724 10-Jul-2019 Richard Levitte

Add a mechanism to save the name of fetched methods

This will be useful for information display, as well as for code that
wants to check the name of an algorithm. This can eventually replace
all NID checks.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9356)


# 35aca9ec 27-Jun-2019 Matt Caswell

Add the ability to set PKCS#3 DH padding in providers

This also adds the ability to set arbitrary parameters on key exchange
algorithms. The ability to pad the output is one such parameter for DH.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9266)


# 94b40fb7 27-Jun-2019 Matt Caswell

Enable PKCS#3 DH in the providers

The default provider now has support for PKCS#3 Diffie-Hellman so we
switch libcrypto to using providers for that algorithm.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9266)


# ff64702b 27-Jun-2019 Matt Caswell

Make the EVP Key Exchange code provider aware

We introduce a new EVP_KEYEXCH type to represent key exchange algorithms
and refactor the existing code to use it where available.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9266)

