#
c829c23b |
| 01-Dec-2020 |
Richard Levitte |
EVP_PKEY & DH: Make DH EVP_PKEY_CTX parameter ctrls / setters more available EVP_PKEY_CTX_set_dh_ functions were only available when DH was enabled ('no-dsa' not configured). However, t
EVP_PKEY & DH: Make DH EVP_PKEY_CTX parameter ctrls / setters more available EVP_PKEY_CTX_set_dh_ functions were only available when DH was enabled ('no-dsa' not configured). However, that makes it impossible to use these functions with an engine or a provider that happens to implement DH. This change solves that problem by shuffling these functions to more appropriate places. By consequence, there are a number of places where we can remove the check of OPENSSL_NO_DH. This requires some re-arrangements of internal tables to translate between numeric identities and names. Partially fixes #13550 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13589)
show more ...
|
#
ac7750bb |
| 25-Nov-2020 |
Shane Lontis |
Fix Segfault in EVP_PKEY_CTX_dup when the ctx has an undefined operation. Fixes #12438 Note: This worked in 1.1.1 so just returning an error is not valid. Reviewed-by: Ben
Fix Segfault in EVP_PKEY_CTX_dup when the ctx has an undefined operation. Fixes #12438 Note: This worked in 1.1.1 so just returning an error is not valid. Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/13505)
show more ...
|
#
ddfd7182 |
| 02-Dec-2020 |
Shane Lontis |
Fix EVP_PKEY_CTX propq so that it uses a copy Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/o
Fix EVP_PKEY_CTX propq so that it uses a copy Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12700)
show more ...
|
#
9311d0c4 |
| 04-Nov-2020 |
Richard Levitte |
Convert all {NAME}err() in crypto/ to their corresponding ERR_raise() call This includes error reporting for libcrypto sub-libraries in surprising places. This was done using ut
Convert all {NAME}err() in crypto/ to their corresponding ERR_raise() call This includes error reporting for libcrypto sub-libraries in surprising places. This was done using util/err-to-raise Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13318)
show more ...
|
#
b4250010 |
| 15-Oct-2020 |
Dr. Matthias St. Pierre |
Rename OPENSSL_CTX prefix to OSSL_LIB_CTX Many of the new types introduced by OpenSSL 3.0 have an OSSL_ prefix, e.g., OSSL_CALLBACK, OSSL_PARAM, OSSL_ALGORITHM, OSSL_SERIALIZER.
Rename OPENSSL_CTX prefix to OSSL_LIB_CTX Many of the new types introduced by OpenSSL 3.0 have an OSSL_ prefix, e.g., OSSL_CALLBACK, OSSL_PARAM, OSSL_ALGORITHM, OSSL_SERIALIZER. The OPENSSL_CTX type stands out a little by using a different prefix. For consistency reasons, this type is renamed to OSSL_LIB_CTX. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12621)
show more ...
|
#
29000e43 |
| 12-Oct-2020 |
Matt Caswell |
Make evp_pkey_ctx_get0_libctx/propq public API These were previously added as an internal API. But since the CMS code needs them, other code might do too. Reviewed-by: Shane Lon
Make evp_pkey_ctx_get0_libctx/propq public API These were previously added as an internal API. But since the CMS code needs them, other code might do too. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13088)
show more ...
|
#
0b3a4ef2 |
| 06-Oct-2020 |
Matt Caswell |
Move CMS enveloping code out of the algorithms and into CMS There is quite a large amount of algorithm specific CMS code sitting in the algorithm directories. However, this seems to brea
Move CMS enveloping code out of the algorithms and into CMS There is quite a large amount of algorithm specific CMS code sitting in the algorithm directories. However, this seems to break layering. Algorithms really have no business knowing anything about CMS. Really it should be the other way around. Where there is algorithm specific CMS code it is the CMS layer that should know how to handle different algorithms. Therefore we move this code into the CMS layer. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13088)
show more ...
|
#
23b2fc0b |
| 30-Sep-2020 |
Pauli |
rsa: add ossl_ prefix to internal rsa_ calls. The functions being: rsa_check_crt_components, rsa_check_key, rsa_check_pminusq_diff, rsa_check_prime_factor, rsa_check_prime_fa
rsa: add ossl_ prefix to internal rsa_ calls. The functions being: rsa_check_crt_components, rsa_check_key, rsa_check_pminusq_diff, rsa_check_prime_factor, rsa_check_prime_factor_range, rsa_check_private_exponent, rsa_check_public_exponent, rsa_digestinfo_encoding, rsa_fips186_4_gen_prob_primes, rsa_fromdata, rsa_get0_all_params, rsa_get0_libctx, rsa_get0_pss_params_30, rsa_get_lcm, rsa_mgf_nid2name, rsa_mp_coeff_names, rsa_mp_exp_names, rsa_mp_factor_names, rsa_new_with_ctx, rsa_oaeppss_md2nid, rsa_oaeppss_nid2name, rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx, rsa_padding_add_PKCS1_type_2_with_libctx, rsa_padding_add_SSLv23_with_libctx, rsa_padding_check_PKCS1_type_2_TLS, rsa_pkey_method, rsa_pss_params_30_copy, rsa_pss_params_30_fromdata, rsa_pss_params_30_hashalg, rsa_pss_params_30_is_unrestricted, rsa_pss_params_30_maskgenalg, rsa_pss_params_30_maskgenhashalg, rsa_pss_params_30_saltlen, rsa_pss_params_30_set_defaults, rsa_pss_params_30_set_hashalg, rsa_pss_params_30_set_maskgenalg, rsa_pss_params_30_set_maskgenhashalg, rsa_pss_params_30_set_saltlen, rsa_pss_params_30_set_trailerfield, rsa_pss_params_30_todata, rsa_pss_params_30_trailerfield, rsa_pss_pkey_method, rsa_set0_all_params, rsa_sp800_56b_check_keypair, rsa_sp800_56b_check_private, rsa_sp800_56b_check_public, rsa_sp800_56b_derive_params_from_pq, rsa_sp800_56b_generate_key, rsa_sp800_56b_pairwise_test, rsa_sp800_56b_validate_strength, rsa_todata, rsa_validate_pairwise, rsa_validate_private and rsa_validate_public. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13040)
show more ...
|
#
5357c106 |
| 30-Sep-2020 |
Pauli |
ffc: add _ossl to exported but internal functions The functions updated are: ffc_generate_private_key, ffc_named_group_from_uid, ffc_named_group_to_uid, ffc_params_FIPS186_2_
ffc: add _ossl to exported but internal functions The functions updated are: ffc_generate_private_key, ffc_named_group_from_uid, ffc_named_group_to_uid, ffc_params_FIPS186_2_gen_verify, ffc_params_FIPS186_2_generate, ffc_params_FIPS186_2_validate, ffc_params_FIPS186_4_gen_verify, ffc_params_FIPS186_4_generate, ffc_params_FIPS186_4_validate, ffc_params_cleanup, ffc_params_cmp, ffc_params_copy, ffc_params_enable_flags, ffc_params_flags_from_name, ffc_params_flags_to_name, ffc_params_fromdata, ffc_params_get0_pqg, ffc_params_get_validate_params, ffc_params_init, ffc_params_print, ffc_params_set0_j, ffc_params_set0_pqg, ffc_params_set_flags, ffc_params_set_gindex, ffc_params_set_h, ffc_params_set_pcounter, ffc_params_set_seed, ffc_params_set_validate_params, ffc_params_simple_validate, ffc_params_todata, ffc_params_validate_unverifiable_g, ffc_set_digest, ffc_set_group_pqg, ffc_validate_private_key, ffc_validate_public_key and ffc_validate_public_key_partial. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13041)
show more ...
|
#
3786d748 |
| 24-Sep-2020 |
jwalch |
en EVP_PKEY_CTX_set_rsa_keygen_pubexp() BIGNUM management Fixes #12635 As discussed in the issue, supporting the set0-like semantics long-term is not necessarily desirable, although
en EVP_PKEY_CTX_set_rsa_keygen_pubexp() BIGNUM management Fixes #12635 As discussed in the issue, supporting the set0-like semantics long-term is not necessarily desirable, although necessary for short-term compatibility concerns. So I've deprecated the original method and added an equivalent that is explicitly labelled as set1. I tried to audit existing usages of the (now-deprecated) API and update them to use set1 if that appeared to align with their expectations. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12917)
show more ...
|
Revision tags: OpenSSL_1_1_1h |
|
#
98968422 |
| 18-Sep-2020 |
Matt Caswell |
Remove some dead SM2 code Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12913)
|
#
d65ab22e |
| 21-Sep-2020 |
Shane Lontis |
Fix CID 1466714 : Null pointer dereference in EVP_PKEY_CTX_ctrl() due to new call to evp_pkey_ctx_store_cached_data() Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https
Fix CID 1466714 : Null pointer dereference in EVP_PKEY_CTX_ctrl() due to new call to evp_pkey_ctx_store_cached_data() Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12930)
show more ...
|
Revision tags: openssl-3.0.0-alpha6, openssl-3.0.0-alpha5, openssl-3.0.0-alpha4, openssl-3.0.0-alpha3, openssl-3.0.0-alpha2, openssl-3.0.0-alpha1, OpenSSL_1_1_1g, OpenSSL_1_1_1f, OpenSSL_1_1_1e |
|
#
d0b79f86 |
| 04-Mar-2020 |
Paul Yang |
Add SM2 signature algorithm to default provider Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openss
Add SM2 signature algorithm to default provider Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12536)
show more ...
|
#
80f4fd18 |
| 19-Sep-2020 |
Shane Lontis |
Add KEM (Key encapsulation mechanism) support to providers SP800-56Br2 requires support for the RSA primitives for RSASVE generate and recover. As these are simple KEM operations another
Add KEM (Key encapsulation mechanism) support to providers SP800-56Br2 requires support for the RSA primitives for RSASVE generate and recover. As these are simple KEM operations another operation type has been added that can support future extensions. Added public functions EVP_PKEY_encapsulate_init(), EVP_PKEY_encapsulate(), EVP_PKEY_decapsulate_init() and EVP_PKEY_decapsulate() Added EVP_KEM_* functions. Added OSSL_FUNC_kem_* dispatch functions Added EVP_PKEY_CTX_set_kem_op() so that different types of KEM can be added in the future. This value must currently be set to "RSASVE" after EVP_PKEY_encapsulate_init() & EVP_PKEY_decapsulate_init() as there is no default value. This allows the existing RSA key types, keymanagers, and encoders to be used with the encapsulation operations. The design of the public API's resulted from contributions from @romen & @levitte. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12750)
show more ...
|
#
4343a418 |
| 16-Sep-2020 |
Shane Lontis |
Add self tests for rsa encryption SP800-56br2 requires seperate KAT's (fips self tests) to be tested for both encryption and decryption using the RSA primitive (i.e. no padding). This is
Add self tests for rsa encryption SP800-56br2 requires seperate KAT's (fips self tests) to be tested for both encryption and decryption using the RSA primitive (i.e. no padding). This is specified in FIPS140-2 IG D.9 A copy of the methods EVP_PKEY_encrypt_init(), EVP_PKEY_encrypt(), EVP_PKEY_decrypt_init(), EVP_PKEY_decrypt() are now in the fips module. Removed the #ifdef FIPS_MODULE in evp_pkey_ctx_free_old_ops(). Added corruption test Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12835)
show more ...
|
#
7229a2f4 |
| 10-Sep-2020 |
Richard Levitte |
EC: Reimplement EVP_PKEY_CTX_set_ec_param_enc() to support providers Fixes #12852 Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.c
EC: Reimplement EVP_PKEY_CTX_set_ec_param_enc() to support providers Fixes #12852 Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12853)
show more ...
|
#
8d6481f5 |
| 04-Sep-2020 |
Richard Levitte |
EVP: Move the functions and controls for setting and getting distid Those functions were located in the EC files, but is really broader than that, even thought currently only used for SM
EVP: Move the functions and controls for setting and getting distid Those functions were located in the EC files, but is really broader than that, even thought currently only used for SM2. They should therefore be in a more central location, which was also indicated by diverse TODOs. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12789)
show more ...
|
#
b9689452 |
| 03-Sep-2020 |
Richard Levitte |
EVP: Expand the use of EVP_PKEY_CTX_md() Setting a hash function was reserved for signature operations. However, it turns out that SM2 uses a hash function for encryption and decrypt
EVP: Expand the use of EVP_PKEY_CTX_md() Setting a hash function was reserved for signature operations. However, it turns out that SM2 uses a hash function for encryption and decryption as well. Therefore, EVP_PKEY_CTX_md() must be called with an expanded operation type combination that includes EVP_PKEY_OP_TYPE_CRYPT when used in a generic way. For SM2, test/recipes/30-test_evp_data/evppkey_sm2.txt is expanded to test decryption both with an implicit and an explicit digest. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12789)
show more ...
|
#
86df26b3 |
| 02-Sep-2020 |
Richard Levitte |
EVP: Add support for delayed EVP_PKEY operation parameters They get called "delayed parameters" because they may make it to the implementation at a later time than when they're given.
EVP: Add support for delayed EVP_PKEY operation parameters They get called "delayed parameters" because they may make it to the implementation at a later time than when they're given. This currently only covers the distinguished ID, as that's the only EVP_PKEY operation parameter so far that has been possible to give before the operation has been initialized. This includes a re-implementation of EVP_PKEY_CTX_set1_id(), EVP_PKEY_CTX_get1_id(), and EVP_PKEY_CTX_get1_id_len(). Also, the more rigorous controls of keytype and optype are restored. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12789)
show more ...
|
#
50914496 |
| 02-Sep-2020 |
Richard Levitte |
EVP: Preserve the EVP_PKEY id in a few more spots As long as there are internal legacy keys for EVP_PKEY, we need to preserve the EVP_PKEY numeric identity when generating a key, and whe
EVP: Preserve the EVP_PKEY id in a few more spots As long as there are internal legacy keys for EVP_PKEY, we need to preserve the EVP_PKEY numeric identity when generating a key, and when creating the EVP_PKEY_CTX. For added consistency, the EVP_PKEY_CTX contructor tries a little harder to find a EVP_PKEY_METHOD. Otherwise, we may run into situations where the EVP_PKEY_CTX ends up having no associated methods at all. Reviewed-by: Paul Yang <kaishen.yy@antfin.com> (Merged from https://github.com/openssl/openssl/pull/12785)
show more ...
|
#
2cf765e5 |
| 12-Aug-2020 |
Matt Caswell |
Delete unused PKEY MAC files Now that the all the legacy PKEY MAC bridge code has been moved to the providers we no longer need the old bridge and it can be removed. Reviewed-by
Delete unused PKEY MAC files Now that the all the legacy PKEY MAC bridge code has been moved to the providers we no longer need the old bridge and it can be removed. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12637)
show more ...
|
#
a540ef90 |
| 11-Aug-2020 |
Matt Caswell |
Extend the provider MAC bridge for CMAC The previous commits added support for HMAC, SIPHASH and Poly1305 into the provider MAC bridge. We now extend that for CMAC too. Reviewed
Extend the provider MAC bridge for CMAC The previous commits added support for HMAC, SIPHASH and Poly1305 into the provider MAC bridge. We now extend that for CMAC too. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12637)
show more ...
|
#
4db71d01 |
| 11-Aug-2020 |
Matt Caswell |
Extend the provider MAC bridge for Poly1305 The previous commits added support for HMAC and SIPHASH into the provider MAC bridge. We now extend that for Poly1305 too. Reviewed-b
Extend the provider MAC bridge for Poly1305 The previous commits added support for HMAC and SIPHASH into the provider MAC bridge. We now extend that for Poly1305 too. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12637)
show more ...
|
#
b27b31b6 |
| 11-Aug-2020 |
Matt Caswell |
Extend the provider MAC bridge for SIPHASH The previous commits added support for HMAC into the provider MAC bridge. We now extend that for SIPHASH too. Reviewed-by: Paul Dale <
Extend the provider MAC bridge for SIPHASH The previous commits added support for HMAC into the provider MAC bridge. We now extend that for SIPHASH too. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12637)
show more ...
|
#
5d51925a |
| 10-Aug-2020 |
Matt Caswell |
Convert EVP_PKEY_CTX_set_mac_key() into a function Previously it was a macro. We now make it into a function that is params aware. Reviewed-by: Paul Dale <paul.dale@oracle.com>
Convert EVP_PKEY_CTX_set_mac_key() into a function Previously it was a macro. We now make it into a function that is params aware. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12637)
show more ...
|