#
7f5a9399 |
| 12-Aug-2021 |
Shane Lontis |
Add support for camellia cbc cts mode Fixes #16276 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16286)
|
#
f7d998a2 |
| 02-Aug-2021 |
Pauli |
tls/prov: move the TLS 1.3 KDF code to providers This function needs to be power up tested as part of the FIPS validation and thus it needs to be inside the provider boundary. This is r
tls/prov: move the TLS 1.3 KDF code to providers This function needs to be power up tested as part of the FIPS validation and thus it needs to be inside the provider boundary. This is realised by introducing a new KDF "TLS13-KDF" which does the required massaging of parameters but is otherwise functionally equivalent to HKDF. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/16203)
show more ...
|
#
8c7c1c84 |
| 08-Jun-2021 |
Matt Caswell |
Add a generic SubjectPublicKeyInfo decoder Previously all the SubjectPublicKeyInfo decoders were specific to a key type. We would iterate over all them until a match was found for the co
Add a generic SubjectPublicKeyInfo decoder Previously all the SubjectPublicKeyInfo decoders were specific to a key type. We would iterate over all them until a match was found for the correct key type. Each one would fully decode the key before then testing whether it was a match or not - throwing it away if not. This was very inefficient. Instead we introduce a generic SubjectPublicKeyInfo decoder which figures out what type of key is contained within it, before subsequently passing on the data to a key type specific SubjectPublicKeyInfo decoder. Fixes #15646 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15662)
show more ...
|
#
6a2b8ff3 |
| 27-May-2021 |
Richard Levitte |
Decoding PKCS#8: separate decoding of encrypted and unencrypted PKCS#8 This has us switch from the 'structure' "pkcs8" to "PrivateKeyInfo", which is sensible considering we already have
Decoding PKCS#8: separate decoding of encrypted and unencrypted PKCS#8 This has us switch from the 'structure' "pkcs8" to "PrivateKeyInfo", which is sensible considering we already have "SubjectPublicKeyInfo". We also add "EncryptedPrivateKeyInfo", and use it for a special decoder that detects and decrypts an EncryptedPrivateKeyInfo structured DER blob into a PrivateKeyInfo structured DER blob and passes that on to the next decoder implementation. The result of this change is that PKCS#8 decryption should only happen once per decoding instead of once for every expected key type. Furthermore, this new decoder implementation sets the data type to the OID of the algorithmIdentifier field, thus reducing how many decoder implementations are tentativaly run further down the call chain. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15498)
show more ...
|
Revision tags: openssl-3.0.0-alpha17, openssl-3.0.0-alpha16, openssl-3.0.0-alpha15, openssl-3.0.0-alpha14, OpenSSL_1_1_1k, openssl-3.0.0-alpha13 |
|
#
0f183675 |
| 26-Feb-2021 |
Jon Spillett |
Add PBKDF1 to the legacy provider Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/
Add PBKDF1 to the legacy provider Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14326)
show more ...
|
#
e2f5df36 |
| 10-Mar-2021 |
Richard Levitte |
PROV: Add OIDs we know to all provider applicable algorithms The OIDs were extracted with the help of libcrypto's ASN1 OID database. While doing this, we move all the names strings
PROV: Add OIDs we know to all provider applicable algorithms The OIDs were extracted with the help of libcrypto's ASN1 OID database. While doing this, we move all the names strings to macro definitions, to avoid duplication and conflicting names declarations. Those macros are all in providers/implementations/include/prov/names.h Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14498)
show more ...
|
#
c8182743 |
| 23-Feb-2021 |
Richard Levitte |
PROV: Implement an EC key -> blob encoder, to get the public key Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/op
PROV: Implement an EC key -> blob encoder, to get the public key Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/14291)
show more ...
|
Revision tags: openssl-3.0.0-alpha12 |
|
#
a28d06f3 |
| 18-Feb-2021 |
Matt Caswell |
Update copyright year Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14235)
|
Revision tags: OpenSSL_1_1_1j, openssl-3.0.0-alpha11 |
|
#
f2db0528 |
| 28-Jan-2021 |
Richard Levitte |
PROV: Add SM2 encoders and decoders, as well as support functionality The EC KEYMGMT implementation handled SM2 as well, except what's needed to support decoding: loading functions for b
PROV: Add SM2 encoders and decoders, as well as support functionality The EC KEYMGMT implementation handled SM2 as well, except what's needed to support decoding: loading functions for both EC and SM2 that checks for the presence or absence of the SM2 curve the same way as the EC / SM2 import functions. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14028)
show more ...
|
#
58f422f6 |
| 28-Jan-2021 |
Richard Levitte |
Fix some odd names in our provider source code ecossl_dh_keyexch_functions -> ossl_ecdh_keyexch_functions ecossl_dsa_signature_functions -> ossl_ecdsa_signature_functions sm2_as
Fix some odd names in our provider source code ecossl_dh_keyexch_functions -> ossl_ecdh_keyexch_functions ecossl_dsa_signature_functions -> ossl_ecdsa_signature_functions sm2_asym_cipher_functions -> ossl_sm2_asym_cipher_functions sm2_keymgmt_functions -> ossl_sm2_keymgmt_functions sm2_signature_functions -> ossl_sm2_signature_functions Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14028)
show more ...
|
Revision tags: openssl-3.0.0-alpha10 |
|
#
0cc0164d |
| 09-Dec-2020 |
Richard Levitte |
PROV: Add MSBLOB and PVK encoders This allows 15-test_rsa.t to succeed, and provides the same OSSL_ENCODER support for these formats as for all other formats supported in OpenSSL.
PROV: Add MSBLOB and PVK encoders This allows 15-test_rsa.t to succeed, and provides the same OSSL_ENCODER support for these formats as for all other formats supported in OpenSSL. Fixes #13379 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13645)
show more ...
|
Revision tags: OpenSSL_1_1_1i, openssl-3.0.0-alpha9 |
|
#
81aef6ba |
| 19-Nov-2020 |
Pauli |
rand: add a provider side seed source. This allows the operating system sources that OpenSSL supports to be used directly as RNGs. It also allows DRBG seeding to be explicitly speci
rand: add a provider side seed source. This allows the operating system sources that OpenSSL supports to be used directly as RNGs. It also allows DRBG seeding to be explicitly specified rather than being left to a fall back case. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13455)
show more ...
|
#
89cccbea |
| 16-Nov-2020 |
Shane Lontis |
Add EVP_KDF-X942 to the fips module The X942 KDF had been modified so that it supports all optional fields - not just the fields used by CMS. As there are 2 types of KDF for X94
Add EVP_KDF-X942 to the fips module The X942 KDF had been modified so that it supports all optional fields - not just the fields used by CMS. As there are 2 types of KDF for X942 - this has been made a bit clearer by adding an X942KDF-ASN1 alias. X942KDF-CONCAT has also been added as an alias of X963KDF. This work was instigated as a result of the ACVP tests optionally being able to use keybits for the supp_pubinfo field. Setting the parameter OSSL_KDF_PARAM_X942_USE_KEYBITS to 0 allows this to be disabled. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13418)
show more ...
|
Revision tags: openssl-3.0.0-alpha8 |
|
#
c319b627 |
| 17-Oct-2020 |
Richard Levitte |
PROV: Re-implement all the keypair encoders The base functionality to implement the keypair encoders doesn't change much, but this results in a more massive amount of OSSL_DISPATCH a
PROV: Re-implement all the keypair encoders The base functionality to implement the keypair encoders doesn't change much, but this results in a more massive amount of OSSL_DISPATCH and OSSL_ALGORITHM arrays, to support a fine grained selection of implementation based on what parts of the keypair structure (combinations of key parameters, public key and private key) should be output, the output type ("TEXT", "DER" or "PEM") and the outermost output structure ("pkcs8", "SubjectPublicKeyInfo", key type specific structures, ...). We add support for the generic structure name "type-specific", to allow selecting that without knowing the exact name of that structure. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13167)
show more ...
|
#
2c090c1d |
| 26-Oct-2020 |
Richard Levitte |
PROV: Re-implement all the keypair decoders The base functionality to implement the keypair decoders doesn't change much, but this results in a more massive amount of OSSL_DISPATCH a
PROV: Re-implement all the keypair decoders The base functionality to implement the keypair decoders doesn't change much, but this results in a more massive amount of OSSL_DISPATCH and OSSL_ALGORITHM arrays, to support a fine grained selection of implementation based on what parts of the keypair structure (combinations of key parameters, public key and private key) should be expected as input, the input type ("DER", "PEM", ...) and the outermost input structure ("pkcs8", "SubjectPublicKeyInfo", key type specific structures, ...). We add support for the generic structure name "type-specific", to allow selecting that without knowing the exact name of that structure. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13248)
show more ...
|
#
8ea761bf |
| 29-Oct-2020 |
Shane Lontis |
Add AES KW inverse ciphers to the EVP layer Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13272)
|
Revision tags: openssl-3.0.0-alpha7 |
|
#
1be63951 |
| 28-Sep-2020 |
Pauli |
prov: prefix all OSSL_DISPATCH tables names with ossl_ This stops them leaking into other namespaces in a static build. They remain internal. Reviewed-by: Richard Levitte <levit
prov: prefix all OSSL_DISPATCH tables names with ossl_ This stops them leaking into other namespaces in a static build. They remain internal. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13013)
show more ...
|
Revision tags: OpenSSL_1_1_1h |
|
#
ce64d3ee |
| 18-Sep-2020 |
Matt Caswell |
Move SM2 asymmetric encryption to be available in the default provider Fixes #12908 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/o
Move SM2 asymmetric encryption to be available in the default provider Fixes #12908 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12913)
show more ...
|
Revision tags: openssl-3.0.0-alpha6, openssl-3.0.0-alpha5, openssl-3.0.0-alpha4, openssl-3.0.0-alpha3, openssl-3.0.0-alpha2, openssl-3.0.0-alpha1, OpenSSL_1_1_1g, OpenSSL_1_1_1f, OpenSSL_1_1_1e |
|
#
d0b79f86 |
| 04-Mar-2020 |
Paul Yang |
Add SM2 signature algorithm to default provider Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openss
Add SM2 signature algorithm to default provider Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12536)
show more ...
|
#
7ee511d0 |
| 26-Jul-2020 |
Paul Yang |
Add SM2 key management Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12536)
|
#
111dc4b0 |
| 14-Sep-2020 |
Richard Levitte |
ENCODER: Refactor our provider encoder implementations This only refactors them for the changed API, there's not yet a separate DER to PEM encoder and therefore no chaining possibility
ENCODER: Refactor our provider encoder implementations This only refactors them for the changed API, there's not yet a separate DER to PEM encoder and therefore no chaining possibility yet. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12873)
show more ...
|
#
80f4fd18 |
| 19-Sep-2020 |
Shane Lontis |
Add KEM (Key encapsulation mechanism) support to providers SP800-56Br2 requires support for the RSA primitives for RSASVE generate and recover. As these are simple KEM operations another
Add KEM (Key encapsulation mechanism) support to providers SP800-56Br2 requires support for the RSA primitives for RSASVE generate and recover. As these are simple KEM operations another operation type has been added that can support future extensions. Added public functions EVP_PKEY_encapsulate_init(), EVP_PKEY_encapsulate(), EVP_PKEY_decapsulate_init() and EVP_PKEY_decapsulate() Added EVP_KEM_* functions. Added OSSL_FUNC_kem_* dispatch functions Added EVP_PKEY_CTX_set_kem_op() so that different types of KEM can be added in the future. This value must currently be set to "RSASVE" after EVP_PKEY_encapsulate_init() & EVP_PKEY_decapsulate_init() as there is no default value. This allows the existing RSA key types, keymanagers, and encoders to be used with the encapsulation operations. The design of the public API's resulted from contributions from @romen & @levitte. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12750)
show more ...
|
#
8ae40cf5 |
| 07-Sep-2020 |
Richard Levitte |
ENCODER: Refactor provider implementations, and some cleanup The encoder implementations were implemented by unnecessarily copying code into numerous topical source files, making them ha
ENCODER: Refactor provider implementations, and some cleanup The encoder implementations were implemented by unnecessarily copying code into numerous topical source files, making them hard to maintain. This changes merges all those into two source files, one that encodes into DER and PEM, the other to text. Diverse small cleanups are included. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12803)
show more ...
|
#
63f187cf |
| 02-Aug-2020 |
Richard Levitte |
STORE: Add a built-in 'file:' storemgmt implementation (loader) This replaces the older 'file:' loader that is now an engine. It's still possible to use the older 'file:' loader by
STORE: Add a built-in 'file:' storemgmt implementation (loader) This replaces the older 'file:' loader that is now an engine. It's still possible to use the older 'file:' loader by explicitly using the engine, and tests will remain for it as long as ENGINEs are still supported (even through deprecated). To support this storemgmt implementation, a few internal OSSL_DECODER modifications are needed: - An internal function that implements most of OSSL_DECODER_CTX_new_by_EVP_PKEY(), but operates on an already existing OSSL_DECODER_CTX instead of allocating a new one. - Allow direct creation of a OSSL_DECODER from an OSSL_ALGORITHM. It isn't attached to any provider, and is only used internally, to simply catch any DER encoded object to be passed back to the object callback with no further checking. This implementation becomes the last resort decoder, when all "normal" decodation attempts (i.e. those that are supposed to result in an OpenSSL object of some sort) have failed. Because file_store_attach() uses BIO_tell(), we must also support BIO_ctrl() as a libcrypto upcall. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12587)
show more ...
|
#
e3bf65da |
| 19-Aug-2020 |
Matt Caswell |
Include "legacy" in the name of the various MAC bridge functions Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12637)
|