| a540ef90 | 11-Aug-2020 |
Matt Caswell |
Extend the provider MAC bridge for CMAC
The previous commits added support for HMAC, SIPHASH and Poly1305 into
the provider MAC bridge. We now extend that for CMAC too.
Reviewed
Extend the provider MAC bridge for CMAC
The previous commits added support for HMAC, SIPHASH and Poly1305 into
the provider MAC bridge. We now extend that for CMAC too.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12637)
show more ...
|
| 4db71d01 | 11-Aug-2020 |
Matt Caswell |
Extend the provider MAC bridge for Poly1305
The previous commits added support for HMAC and SIPHASH into the provider
MAC bridge. We now extend that for Poly1305 too.
Reviewed-b
Extend the provider MAC bridge for Poly1305
The previous commits added support for HMAC and SIPHASH into the provider
MAC bridge. We now extend that for Poly1305 too.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12637)
show more ...
|
| 8014b2a9 | 11-Aug-2020 |
Matt Caswell |
Don't require a default digest from signature algorithms
Some signature algorithms don't need a default digest, so don't fail if
we don't have one.
Reviewed-by: Paul Dale <paul.
Don't require a default digest from signature algorithms
Some signature algorithms don't need a default digest, so don't fail if
we don't have one.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12637)
show more ...
|
| b27b31b6 | 11-Aug-2020 |
Matt Caswell |
Extend the provider MAC bridge for SIPHASH
The previous commits added support for HMAC into the provider MAC bridge.
We now extend that for SIPHASH too.
Reviewed-by: Paul Dale <
Extend the provider MAC bridge for SIPHASH
The previous commits added support for HMAC into the provider MAC bridge.
We now extend that for SIPHASH too.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12637)
show more ...
|
| 6f0bd6ca | 11-Aug-2020 |
Matt Caswell |
Ensure libssl creates libctx aware MAC keys
Convert various mac key creation function calls to use the _with_libctx
variants.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(
Ensure libssl creates libctx aware MAC keys
Convert various mac key creation function calls to use the _with_libctx
variants.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12637)
show more ...
|
| ada0670b | 10-Aug-2020 |
Matt Caswell |
Fix some EVP_MD_CTX_* functions
Fixes some issues with EVP_MD_CTX_* functions when doing EVP_DigestSign*
and EVP_DigestVerify* functions.
Reviewed-by: Paul Dale <paul.dale@oracl
Fix some EVP_MD_CTX_* functions
Fixes some issues with EVP_MD_CTX_* functions when doing EVP_DigestSign*
and EVP_DigestVerify* functions.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12637)
show more ...
|
| 5d51925a | 10-Aug-2020 |
Matt Caswell |
Convert EVP_PKEY_CTX_set_mac_key() into a function
Previously it was a macro. We now make it into a function that is params
aware.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Convert EVP_PKEY_CTX_set_mac_key() into a function
Previously it was a macro. We now make it into a function that is params
aware.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12637)
show more ...
|
| 1bf62504 | 07-Aug-2020 |
Matt Caswell |
Fix evp_extra_test to not assume that HMAC is legacy
evp_extra_test had a test that checks whether an EVP_PKEY_CTX can still
be created for HMAC even though there are no providers loaded
Fix evp_extra_test to not assume that HMAC is legacy
evp_extra_test had a test that checks whether an EVP_PKEY_CTX can still
be created for HMAC even though there are no providers loaded because it
is a legacy algorithm. However after the earlier commits this is no longer
the case. We swap the check to a different legacy algorithm (SM2).
Hopefully before too long there will be no legacy algorithms left and the
test can be deleted.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12637)
show more ...
|
| b571e662 | 07-Aug-2020 |
Matt Caswell |
Make the provider side EVP PKEY MAC bridge available in default and fips
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12637) |
| 409910be | 07-Aug-2020 |
Matt Caswell |
Implement signature functions for EVP_PKEY MAC to EVP_MAC provider bridge
Some MAC implementations were available before the current EVP_MAC API. They
were used via EVP_DigestSign*. Ther
Implement signature functions for EVP_PKEY MAC to EVP_MAC provider bridge
Some MAC implementations were available before the current EVP_MAC API. They
were used via EVP_DigestSign*. There exists a bridge between the oldAPI and
the EVP_MAC API however this bridge itself uses a legacy EVP_PKEY_METHOD.
This commit implements the signature functions for the provider side bridge
without having to use any legacy code.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12637)
show more ...
|
| e538294f | 07-Aug-2020 |
Matt Caswell |
Implement key management for the EVP_PKEY MAC to EVP_MAC provider bridge
Some MAC implementations were available before the current EVP_MAC API. They
were used via EVP_DigestSign*. There
Implement key management for the EVP_PKEY MAC to EVP_MAC provider bridge
Some MAC implementations were available before the current EVP_MAC API. They
were used via EVP_DigestSign*. There exists a bridge between the old API and
the EVP_MAC API however this bridge itself uses a legacy EVP_PKEY_METHOD.
This commit implements the key management for provider side bridge without
having to useany legacy code.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12637)
show more ...
|
| bddfea02 | 27-Aug-2020 |
Richard Levitte |
TEST: Adapt some tests for a stricter PEM_write_bio_PrivateKey_traditional()
- test/endecode_test.c
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github
TEST: Adapt some tests for a stricter PEM_write_bio_PrivateKey_traditional()
- test/endecode_test.c
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12728)
show more ...
|
| 87d91d22 | 27-Aug-2020 |
Richard Levitte |
Fix PEM_write_bio_PrivateKey_traditional() to not output PKCS#8
PEM_write_bio_PrivateKey_traditional() uses i2d_PrivateKey() to do the
actual encoding to DER. However, i2d_PrivateKey()
Fix PEM_write_bio_PrivateKey_traditional() to not output PKCS#8
PEM_write_bio_PrivateKey_traditional() uses i2d_PrivateKey() to do the
actual encoding to DER. However, i2d_PrivateKey() is a generic
function that will do what it can to produce output according to what
the associated EVP_PKEY_ASN1_METHOD offers. If that method offers a
function 'old_priv_encode', which is expected to produce the
"traditional" encoded form, then i2d_PrivateKey() uses that. If not,
i2d_PrivateKey() will go on and used more modern methods, which are
all expected to produce PKCS#8.
To ensure that PEM_write_bio_PrivateKey_traditional() never produces
more modern encoded forms, an extra check that 'old_priv_encode' is
non-NULL is added. If it is NULL, an error is returned.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12728)
show more ...
|
| b6ef3c70 | 27-Aug-2020 |
T.Yanagisawa <52776010+mogisawa@users.noreply.github.com> |
Correct description of BN_mask_bits
CLA: trivial
Correct right shift to left shift.
Pseudo code `a&=~((~0)>>n)` means "get higher n-bits of a", but actually crypto lib gives low
Correct description of BN_mask_bits
CLA: trivial
Correct right shift to left shift.
Pseudo code `a&=~((~0)>>n)` means "get higher n-bits of a", but actually crypto lib gives lower n-bits.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12727)
show more ...
|
| 33855c0a | 26-Aug-2020 |
Pauli |
conf: add diagnostic option
Add an option to configuration files "config_diagnostics" that when set to a
non-zero value, overrides the error ignoring flags. The outcome is that
diag
conf: add diagnostic option
Add an option to configuration files "config_diagnostics" that when set to a
non-zero value, overrides the error ignoring flags. The outcome is that
diagnostic option is produced when e.g. sections are missing.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12663)
show more ...
|
| 3d941857 | 19-Aug-2020 |
Pauli |
provider_conf: report missing section on error
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/
provider_conf: report missing section on error
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12663)
show more ...
|
| cd84d883 | 26-Aug-2020 |
Jung-uk Kim |
Ignore vendor name in Clang version number.
For example, FreeBSD prepends "FreeBSD" to version string, e.g.,
FreeBSD clang version 11.0.0 (git@github.com:llvm/llvm-project.git llvmo
Ignore vendor name in Clang version number.
For example, FreeBSD prepends "FreeBSD" to version string, e.g.,
FreeBSD clang version 11.0.0 (git@github.com:llvm/llvm-project.git llvmorg-11.0.0-rc2-0-g414f32a9e86)
Target: x86_64-unknown-freebsd13.0
Thread model: posix
InstalledDir: /usr/bin
This prevented us from properly detecting AVX support, etc.
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/12725)
show more ...
|
| 4516bf74 | 26-Aug-2020 |
Pauli |
rand: instantiate the DRBGs upon first use.
Fixes #12714
[skip ci]
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierr
rand: instantiate the DRBGs upon first use.
Fixes #12714
[skip ci]
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12717)
show more ...
|
| edd53e91 | 26-Aug-2020 |
Pauli |
rand: add a note about a potentially misleading code analyzer warning.
When seeding from a parent DRBG, the pointer to the child is used as
additional data. This triggers static code an
rand: add a note about a potentially misleading code analyzer warning.
When seeding from a parent DRBG, the pointer to the child is used as
additional data. This triggers static code analysers. Rearrange and
expand the comments to make this more obvious.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12724)
show more ...
|
| 1d6c8670 | 10-Aug-2020 |
Dr. David von Oheimb |
apps/pkcs12.c: Add -untrusted option
Also improve EE cert selection, user guidance, and documentation.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://git
apps/pkcs12.c: Add -untrusted option
Also improve EE cert selection, user guidance, and documentation.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12643)
show more ...
|
| 77a9bb83 | 13-Aug-2020 |
Dr. David von Oheimb |
X509_add_certs(): Add to doc some warning notes on memory management
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12643) |
| 0495a3ec | 17-Aug-2020 |
Rich Salz |
Add OCSP_PARTIAL_CHAIN to OCSP_basic_verify()
This adds a flag, OCSP_PARTIAL_CHAIN, to the OCSP_basic_verify()
function. This is equivlent to X509_V_FLAG_PARTIAL_CHAIN, in that
if a
Add OCSP_PARTIAL_CHAIN to OCSP_basic_verify()
This adds a flag, OCSP_PARTIAL_CHAIN, to the OCSP_basic_verify()
function. This is equivlent to X509_V_FLAG_PARTIAL_CHAIN, in that
if any certificate in the OCSP response is in the trust store, then
trust it.
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12666)
show more ...
|
| fcc3a520 | 28-Jun-2020 |
Marc <34656315+MarcT512@users.noreply.github.com> |
apps: -msg flag enhancement 2/2
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl
apps: -msg flag enhancement 2/2
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12310)
show more ...
|
| 50c911b0 | 28-Jun-2020 |
Marc <34656315+MarcT512@users.noreply.github.com> |
apps: -msg flag enhancement 1/2
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl
apps: -msg flag enhancement 1/2
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12310)
show more ...
|
| 625679b6 | 26-Aug-2020 |
Pauli |
EVP: NULL pctx pointer after free.
Not doing so can result in a double free.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/p
EVP: NULL pctx pointer after free.
Not doing so can result in a double free.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12718)
show more ...
|
