| 2274d22d | 30-Jul-2020 |
Richard Levitte |
STORE: Distinguish public keys from private keys
While public keys and private keys use the same type (EVP_PKEY), just
with different contents, callers still need to distinguish between
STORE: Distinguish public keys from private keys
While public keys and private keys use the same type (EVP_PKEY), just
with different contents, callers still need to distinguish between the
two to be able to know what functions to call with them (for example,
to be able to choose between EVP_PKEY_print_private() and
EVP_PKEY_print_public()).
The OSSL_STORE backend knows what it loaded, so it has the capacity to
inform.
Note that the same as usual still applies, that a private key EVP_PKEY
contains the public parts, but not necessarily the other way around.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12673)
show more ...
|
| 6cc1dfca | 30-Jul-2020 |
Richard Levitte |
PROV: Fix DSA and DH private key serializers
If those private key serializer were given a key structure with just
the public key material, they crashed, because they tried to
de-refe
PROV: Fix DSA and DH private key serializers
If those private key serializer were given a key structure with just
the public key material, they crashed, because they tried to
de-reference NULL. This adds better checking.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12679)
show more ...
|
| 22b81444 | 18-Aug-2020 |
Richard Levitte |
X509: Add d2i_PUBKEY_ex(), which take a libctx and propq
Just like d2i_PrivateKey() / d2i_PrivateKey_ex(), there's a need to
associate an EVP_PKEY extracted from a PUBKEY to a library co
X509: Add d2i_PUBKEY_ex(), which take a libctx and propq
Just like d2i_PrivateKey() / d2i_PrivateKey_ex(), there's a need to
associate an EVP_PKEY extracted from a PUBKEY to a library context and
a property query string. Without it, a provider-native EVP_PKEY can
only fetch necessary internal algorithms from the default library
context, even though an application specific context should be used.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12671)
show more ...
|
| 3b1fd0b0 | 19-Aug-2020 |
Pauli |
cmp: handle error return from OBJ_obj2txt()
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12678) |
| ffcdb24b | 19-Aug-2020 |
Pauli |
pkeyutil: check return value reading password
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12678) |
| 16486f63 | 18-Aug-2020 |
Richard Levitte |
PROV: Fix EC OSSL_FUNC_keymgmt_match() to work in the FIPS provider
In the FIPS provider, calling EC_GROUP_cmp() with NULL for the BN_CTX
argument is forbidden. Since that's what ec_mat
PROV: Fix EC OSSL_FUNC_keymgmt_match() to work in the FIPS provider
In the FIPS provider, calling EC_GROUP_cmp() with NULL for the BN_CTX
argument is forbidden. Since that's what ec_match() does, it simply
cannot work in the FIPS provider. Therefore, we allocate a BN_CTX
with the library context asssociated with one of the input keys
(doesn't matter which) and use that.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12677)
show more ...
|
| 26a8f2ac | 18-Aug-2020 |
Richard Levitte |
RSA: Fix rsa_todata() to only add params for existing data
The RSA key could be a public key, and yet, rsa_todata() always tries
to add the private parts as well. The resulting paramete
RSA: Fix rsa_todata() to only add params for existing data
The RSA key could be a public key, and yet, rsa_todata() always tries
to add the private parts as well. The resulting parameters will look
a bit odd, such as a zero |d|, resulting in an invalid key.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12676)
show more ...
|
| e6ed04a9 | 18-Aug-2020 |
Richard Levitte |
TEST: separate out NIST ECC tests from non-NIST
ECC keys with non-NIST group names aren't supported when running with
the FIPS provider.
Keys with such groups that are included
TEST: separate out NIST ECC tests from non-NIST
ECC keys with non-NIST group names aren't supported when running with
the FIPS provider.
Keys with such groups that are included in evp_test stanza files
aren't even possible to decode if provider side decoders are used,
since those depend on available EVP_KEYMGMT implementations and what
they support.
Those keys could only be decoded because the legacy decoders were
used.
To make these tests future proof, we separate out the stanzas having
keys with NIST approved group names into separate files, and adjust
the file lists in test/recipes/30-test_evp.t aaccordingly.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12672)
show more ...
|
| a24b510c | 07-Aug-2020 |
Richard Levitte |
EVP: Have evp_pkey_cmp_any() detect if export wasn't possible
There are some EC keys that can't be exported to provider keymgmt,
because the keymgmt implementation doesn't support certai
EVP: Have evp_pkey_cmp_any() detect if export wasn't possible
There are some EC keys that can't be exported to provider keymgmt,
because the keymgmt implementation doesn't support certain forms of EC
keys. This could lead to a crash caused by dereferencing a NULL
pointer, so we need to cover that case by returning an error instead.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12610)
show more ...
|
| c7dfb2ab | 14-Aug-2020 |
Dr. David von Oheimb |
PKCS12_parse(): Clean up code and correct documentation
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12641) |
| fc0aae73 | 12-Aug-2020 |
Dr. David von Oheimb |
PKCS12_parse(): Fix reversed order of certs parsed and output via *ca
Fixes #6698
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/opens
PKCS12_parse(): Fix reversed order of certs parsed and output via *ca
Fixes #6698
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12641)
show more ...
|
| 9a30f40c | 14-Aug-2020 |
Dr. David von Oheimb |
OSSL_STORE file_load_try_decode(): Avoid flooding error queue by failed tries
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Me
OSSL_STORE file_load_try_decode(): Avoid flooding error queue by failed tries
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12645)
show more ...
|
| 7fe32ef6 | 19-Aug-2020 |
Shane Lontis |
Fix no-cms build errors.
Fixes #12640
The X942-KDF is now indepedent of the CMS code (since it no longer uses CMS_SharedInfo_encode).
Any code related to EVP_PKEY_DH_KDF_X9_42 n
Fix no-cms build errors.
Fixes #12640
The X942-KDF is now indepedent of the CMS code (since it no longer uses CMS_SharedInfo_encode).
Any code related to EVP_PKEY_DH_KDF_X9_42 needs to not be wrapped by !defined(OPENSSL_NO_CMS).
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12642)
show more ...
|
| c51a8af8 | 15-Aug-2020 |
Pauli |
OCSP: Add return value checks.
The calls are unlikely to fail but better checking their return than not.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://g
OCSP: Add return value checks.
The calls are unlikely to fail but better checking their return than not.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12648)
show more ...
|
| c9dcbc07 | 17-Aug-2020 |
Pauli |
Apps: change provider_path option to provider-path.
The applications use '-' in options not '_'.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.c
Apps: change provider_path option to provider-path.
The applications use '-' in options not '_'.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12662)
show more ...
|
| 38145fba | 11-Aug-2020 |
Shane Lontis |
Fix DSA/DH so that legacy keys can still be generated by the default provider
Fixes #12589
The 'type' parameter needed to be propagated to the ffc params during keygen,
so that
Fix DSA/DH so that legacy keys can still be generated by the default provider
Fixes #12589
The 'type' parameter needed to be propagated to the ffc params during keygen,
so that the simple validation of params done during keygen can handle legacy keys for the default provider.
The fips provider ignores this change and only allows fips186-4 approved sizes.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12623)
show more ...
|
| 6c4e2e52 | 17-Aug-2020 |
Shane Lontis |
Fix broken windows builds.
A miscellaneous '\' was accidently added to set FIPSKEY=$(FIPSKEY) which was causing some
external CI build loops to not produce test results.
It looks lik
Fix broken windows builds.
A miscellaneous '\' was accidently added to set FIPSKEY=$(FIPSKEY) which was causing some
external CI build loops to not produce test results.
It looks like it was accidently copied from the unix variant which requires the '\'.
Thanks to Wolfgang Beck for tracking down the issue.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12661)
show more ...
|
| bfa6aaab | 05-Aug-2020 |
Matt Caswell |
Test that EVP_default_properties_is_fips_enabled() works early
We check that EVP_default_properties_is_fips_enabled() is working even
before other function calls have auto-loaded the con
Test that EVP_default_properties_is_fips_enabled() works early
We check that EVP_default_properties_is_fips_enabled() is working even
before other function calls have auto-loaded the config file.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12567)
show more ...
|
| e6c54619 | 31-Jul-2020 |
Matt Caswell |
Load the default config file before working with default properties
A config file can change the global default properties. Therefore we
must ensure that the config file is loaded before
Load the default config file before working with default properties
A config file can change the global default properties. Therefore we
must ensure that the config file is loaded before reading or amending
them.
Fixes #12565
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12567)
show more ...
|
| ebe3f24b | 13-Aug-2020 |
Pauli |
provider: disable fall-backs if OSSL_PROVIDER_load() fails.
If an attempt is made to load a provider and it fails, the fall-back mechanism
should be disabled to prevent the user getting
provider: disable fall-backs if OSSL_PROVIDER_load() fails.
If an attempt is made to load a provider and it fails, the fall-back mechanism
should be disabled to prevent the user getting some weird happening. E.g. a
failure to load the FIPS provider should not allow the default to load as a
fall-back.
The OSSL_PROVIDER_try_load() call has been added, to allow a provider to be
loaded without disabling the fall-back mechanism if it fails.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12625)
show more ...
|
| 0e53cd52 | 11-Aug-2020 |
Pauli |
PKCS#12 KDF: don't run tests with the FIPS provider.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12624) |
| b7466c13 | 11-Aug-2020 |
Pauli |
Move PKCS#12 KDF to provider.
This KDF is defined in RFC7292 in appendix B. It is widely used in PKCS#12
and should be provided.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.or
Move PKCS#12 KDF to provider.
This KDF is defined in RFC7292 in appendix B. It is widely used in PKCS#12
and should be provided.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12624)
show more ...
|
| c19e6da9 | 11-Aug-2020 |
Patrick Steuer |
Appease -Werror=stringop-overflow=
gcc 10 seems to think of assigning to an (unsigned) char
array as a stringop and demands additional space for a
terminating '\0':
In funct
Appease -Werror=stringop-overflow=
gcc 10 seems to think of assigning to an (unsigned) char
array as a stringop and demands additional space for a
terminating '\0':
In function 'ssl3_generate_key_block',
inlined from 'ssl3_setup_key_block' at ssl/s3_enc.c:304:11:
ssl/s3_enc.c:51:20: error: writing 1 byte into a region of size 0
[-Werror=stringop-overflow=]
51 | buf[j] = c;
| ~~~~~~~^~~
ssl/s3_enc.c: In function 'ssl3_setup_key_block':
ssl/s3_enc.c:23:19: note: at offset 16 to object 'buf' with size 16
declared here
23 | unsigned char buf[16], smd[SHA_DIGEST_LENGTH];
| ^~~
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12632)
show more ...
|
| cddbcf0d | 04-Jun-2020 |
Dr. David von Oheimb |
Remove needless #ifndef OPENSSL_NO_SOCK for X509_{CRL_}load_http
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12638) |
| ea9f6890 | 06-Aug-2020 |
Tomas Mraz |
sslapitest: Add test for premature call of SSL_export_keying_material
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12594) |
