#
cc572c25 |
| 09-Apr-2020 |
Richard Levitte |
EVP: legacy_ctrl_to_param() to handle provider side keys There was one spot where this function would look at ctx->pmeth directly to determine if it's for RSASSA-PSS, which fails when
EVP: legacy_ctrl_to_param() to handle provider side keys There was one spot where this function would look at ctx->pmeth directly to determine if it's for RSASSA-PSS, which fails when presented with an EVP_PKEY_CTX holding a provider side key. Switching to use EVP_PKEY_is_a() should make things better. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/11501)
show more ...
|
#
5fcb97c6 |
| 20-Mar-2020 |
Matt Caswell |
Ignore some fetch failures Some fetch failurs are ok and should be ignored. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
Ignore some fetch failures Some fetch failurs are ok and should be ignored. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11405)
show more ...
|
#
adc9f731 |
| 21-Mar-2020 |
Richard Levitte |
EVP: Clarify the states of an EVP_PKEY EVP_PKEY is rather complex, even before provider side keys entered the stage. You could have untyped / unassigned keys (pk->type == EVP_PKEY_NO
EVP: Clarify the states of an EVP_PKEY EVP_PKEY is rather complex, even before provider side keys entered the stage. You could have untyped / unassigned keys (pk->type == EVP_PKEY_NONE), keys that had been assigned a type but no data (pk->pkey.ptr == NULL), and fully assigned keys (pk->type != EVP_PKEY_NONE && pk->pkey.ptr != NULL). For provider side keys, the corresponding states weren't well defined, and the code didn't quite account for all the possibilities. We also guard most of the legacy fields in EVP_PKEY with FIPS_MODE, so they don't exist at all in the FIPS module. Most of all, code needs to adapt to the case where an EVP_PKEY's |keymgmt| is non-NULL, but its |keydata| is NULL. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11375)
show more ...
|
#
4b9e90f4 |
| 17-Mar-2020 |
Richard Levitte |
EVP: fetch the EVP_KEYMGMT earlier Instead of fetching the EVP_KEYMGMT in the init for every different operation, do it when creating the EVP_PKEY_CTX. This allows certain contr
EVP: fetch the EVP_KEYMGMT earlier Instead of fetching the EVP_KEYMGMT in the init for every different operation, do it when creating the EVP_PKEY_CTX. This allows certain control functions to be called between the creation of the EVP_PKEY_CTX and the call of the operation's init function. Use case: EVP_PKEY_CTX_set1_id(), which is allowed to be called very early with the legacy implementation, this should still be allowed with provider implementations. Reviewed-by: Paul Yang <kaishen.yy@antfin.com> (Merged from https://github.com/openssl/openssl/pull/11343)
show more ...
|
#
2decdad3 |
| 14-Mar-2020 |
Richard Levitte |
Fix legacy_ctrl_to_param() to pay better attention to keytype The keytype number will only be -1 when control commands are used for more than one key type. Sometimes, they share the sam
Fix legacy_ctrl_to_param() to pay better attention to keytype The keytype number will only be -1 when control commands are used for more than one key type. Sometimes, they share the same underlying structure, and sometimes not. Some of the RSA control commands that are using only with the keytype EVP_PKEY_RSA we misplaced to be handled with the keytype -1. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11329)
show more ...
|
Revision tags: OpenSSL_1_0_2u |
|
#
2972af10 |
| 27-Oct-2019 |
Richard Levitte |
PROV: Add RSA functionality for key generation This includes added support in legacy controls Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com
PROV: Add RSA functionality for key generation This includes added support in legacy controls Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10289)
show more ...
|
#
62924755 |
| 27-Oct-2019 |
Richard Levitte |
EVP: Add new domparams and key generation functionality The following functions are added: EVP_PKEY_gen_set_params(), replacing the older EVP_PKEY_CTX_ctrl() EVP_PKEY_gen(), rep
EVP: Add new domparams and key generation functionality The following functions are added: EVP_PKEY_gen_set_params(), replacing the older EVP_PKEY_CTX_ctrl() EVP_PKEY_gen(), replacing both EVP_PKEY_keygen() and EVP_PKEY_paramgen() These functions are made to work together with already existing domparams and key generation functionality: EVP_PKEY_CTX_new_provided(), EVP_PKEY_paramgen_init(), EVP_PKEY_keygen_init(), etc. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10289)
show more ...
|
#
f552d900 |
| 16-Feb-2020 |
Shane Lontis |
Add Serializers for EC Provide EC serializers for text, pem and der. EC parameters use ANS1 'CHOICE' - which means they are more embedded than other parameters used by other KEY
Add Serializers for EC Provide EC serializers for text, pem and der. EC parameters use ANS1 'CHOICE' - which means they are more embedded than other parameters used by other KEY types (which normally have a SEQUENCE at the top level). For this reason the ANS1_STRING type that was being passed around has been changed to a void so that the code can still be shared with EC. The EC serializer only supports named curves currently. NOTE the serializer code assumes PKCS8 format - if the older encode methods are needed they will need to be added in another PR. (Probably when deserialization is considered). EVP_PKEY_key_fromdata_init was changed from using a keypair selection to all bits of a key. A side effect of this was that the very restrictive checks in the ecx code needed to be relaxed as it was assuming all selection flags were non optional. As this is not the case for any other key the code has been modified. Fixed a bug in legacy_ctrl_str_to_params() - "ecdh_cofactor_mode" was being incorrectly converted to the wrong keyname. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11107)
show more ...
|
#
71434aed |
| 20-Jan-2020 |
Dmitry Belyavskiy |
Implementation of Russian GOST CMS Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/p
Implementation of Russian GOST CMS Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10904)
show more ...
|
#
3c6ed955 |
| 20-Feb-2020 |
Richard Levitte |
Rethink the EVP_PKEY cache of provider side keys The role of this cache was two-fold: 1. It was a cache of key copies exported to providers with which an operation was init
Rethink the EVP_PKEY cache of provider side keys The role of this cache was two-fold: 1. It was a cache of key copies exported to providers with which an operation was initiated. 2. If the EVP_PKEY didn't have a legacy key, item 0 of the cache was the corresponding provider side origin, while the rest was the actual cache. This dual role for item 0 made the code a bit confusing, so we now make a separate keymgmt / keydata pair outside of that cache, which is the provider side "origin" key. A hard rule is that an EVP_PKEY cannot hold a legacy "origin" and a provider side "origin" at the same time. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11148)
show more ...
|
#
6f4b7663 |
| 01-Dec-2019 |
Richard Levitte |
PROV: add RSA signature implementation This includes legacy PSS controls to params conversion, and an attempt to generalise the parameter names when they are suitable for more than o
PROV: add RSA signature implementation This includes legacy PSS controls to params conversion, and an attempt to generalise the parameter names when they are suitable for more than one operation. Also added crypto/rsa/rsa_aid.c, containing proper AlgorithmIdentifiers for known RSA+hash function combinations. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10557)
show more ...
|
#
292c8bdc |
| 10-Feb-2020 |
Pauli |
pmeth_lib: detect unsupported OSSL_PARAM. When converting legacy controls to OSSL_PARAMs, return the unsupported -2 value correctly. Reviewed-by: Tomas Mraz <tmraz@fedoraproject
pmeth_lib: detect unsupported OSSL_PARAM. When converting legacy controls to OSSL_PARAMs, return the unsupported -2 value correctly. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11049)
show more ...
|
#
2ee0dfa6 |
| 10-Feb-2020 |
Pauli |
Params: add argument to the _from_text calls to indicate if the param exists. The extra argument is a integer pointer and is optional. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.o
Params: add argument to the _from_text calls to indicate if the param exists. The extra argument is a integer pointer and is optional. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11049)
show more ...
|
#
ada66e78 |
| 03-Feb-2020 |
Pauli |
Deprecate the low level Diffie-Hellman functions. Use of the low level DH functions has been informally discouraged for a long time. We now formally deprecate them. Reviewed-by
Deprecate the low level Diffie-Hellman functions. Use of the low level DH functions has been informally discouraged for a long time. We now formally deprecate them. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11024)
show more ...
|
#
4fe54d67 |
| 14-Dec-2019 |
Nicola Tuveri |
[PROV][KMGMT][KEXCH][EC] Implement EC keymgtm and ECDH Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Shane Lontis <shan
[PROV][KMGMT][KEXCH][EC] Implement EC keymgtm and ECDH Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10631)
show more ...
|
#
8b6ffd40 |
| 05-Feb-2020 |
Pauli |
Params: change UTF8 construct calls to avoid explicit strlen(3) calls. It is better, safer and smaller to let the library routine handle the strlen(3) call. Added a note to the
Params: change UTF8 construct calls to avoid explicit strlen(3) calls. It is better, safer and smaller to let the library routine handle the strlen(3) call. Added a note to the documentation suggesting this. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11019)
show more ...
|
#
00bc1ad9 |
| 02-Feb-2020 |
Richard Levitte |
Don't pass a digest-size to signature implementations It turns out this was never necessary, as the implementation should always check the default digest size anyway. Reviewed-b
Don't pass a digest-size to signature implementations It turns out this was never necessary, as the implementation should always check the default digest size anyway. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10947)
show more ...
|
#
972fa318 |
| 25-Jan-2020 |
Richard Levitte |
Decentralize legacy_ctrl_str_to_param() This function did a bit too much in terms of central control, actually more so than the legacy counterpart, where all the string processing is
Decentralize legacy_ctrl_str_to_param() This function did a bit too much in terms of central control, actually more so than the legacy counterpart, where all the string processing is done in the diverse *_pmeth.c. Furthermore, there was no room whatsoever for control keys that libcrypto isn't centrally aware of. This function is changed to simply translating keys and values to OSSL_PARAM form and then sent on their merry way to the provider implementations through EVP_PKEY_CTX_set_params(). It translates selected well known legacy names to their core name counterpart, and that's as far as centralized control should extend. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10947)
show more ...
|
#
c98eab85 |
| 29-Jan-2020 |
Pauli |
evp_pmeth: free the MD reference correctly. The code was calling EVP_MD_meth_free which is incorrect. It should call EVP_MD_free. It happened to work but by luck rather than design.
evp_pmeth: free the MD reference correctly. The code was calling EVP_MD_meth_free which is incorrect. It should call EVP_MD_free. It happened to work but by luck rather than design. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10973)
show more ...
|
#
12603de6 |
| 29-Jan-2020 |
Shane Lontis |
Add RSA key validation to default provider Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10780)
|
#
2ee4a50a |
| 15-Jan-2020 |
Matt Caswell |
Modify EVP_PKEY_CTX_new_from_pkey() to add a propquery parameter The function EVP_PKEY_CTX_new_from_pkey() infers the name of the algorithm to fetch from the EVP_PKEY that has been suppl
Modify EVP_PKEY_CTX_new_from_pkey() to add a propquery parameter The function EVP_PKEY_CTX_new_from_pkey() infers the name of the algorithm to fetch from the EVP_PKEY that has been supplied as an argument. But there was no way to specify properties to be used during that fetch. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10926)
show more ...
|
#
62f49b90 |
| 23-Jan-2020 |
Shane Lontis |
Add DH key exchange to fips provider Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10826)
|
#
ed086e23 |
| 14-Jan-2020 |
Dmitry Belyavskiy |
Restoring correct check for legacy PKEY The fix inroduced in #10758 was rolled back by accident. Restoring it. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged fro
Restoring correct check for legacy PKEY The fix inroduced in #10758 was rolled back by accident. Restoring it. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10839)
show more ...
|
#
e683582b |
| 12-Jan-2020 |
Shane Lontis |
Add dsa signature alg to fips provider Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10615)
|
#
f23bc0b7 |
| 18-Dec-2019 |
Richard Levitte |
EVP: Adapt KEYEXCH, SIGNATURE and ASYM_CIPHER to handle key types better The adaptation is to handle the case when key types and operations that use these keys have different names. For
EVP: Adapt KEYEXCH, SIGNATURE and ASYM_CIPHER to handle key types better The adaptation is to handle the case when key types and operations that use these keys have different names. For example, EC keys can be used for ECDSA and ECDH. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10647)
show more ...
|