- 10 8月, 2020 2 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12573)
-
由 Matt Caswell 提交于
Some KDF implementations were available before the current EVP_KDF API. They were used via EVP_PKEY_derive. There exists a bridge between the old API and the EVP_KDF API however this bridge itself uses a legacy EVP_PKEY_METHOD. This commit implements a provider side bridge without having to use any legacy code. Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12573)
-
- 07 8月, 2020 1 次提交
-
-
由 Pauli 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12581)
-
- 19 6月, 2020 2 次提交
-
-
由 Matt Caswell 提交于
The previous commit added the EVP_PKEY_CTX_[get|set]_group_name functions to work with EC groups. We now extend that to also work for DH. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11914)
-
由 Matt Caswell 提交于
We rename these function to EVP_PKEY_CTX_get_group_name and EVP_PKEY_CTX_set_group_name so that they can be used for other algorithms other than EC. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11914)
-
- 04 6月, 2020 1 次提交
-
-
由 Aaron Thompson 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/11514)
-
- 29 5月, 2020 1 次提交
-
-
由 Matt Caswell 提交于
If we failed to fetch an EVP_KEYMGMT then we were falling back to legacy. This is because some algorithms (such as MACs and KDFs used via an old style EVP_PKEY) have not been transferred to providers. Unfortunately this means that you cannot stop some algorithms from being used by not loading the provider. For example if you wanted to prevent RSA from being used, you might expect to just not load any providers that make it available. Unfortunately that doesn't work because we simply fall back to legacy if we fail to fetch the EVP_KEYMGMT. Instead we should fail *unless* the key type is one of those legacy key types that we have not transferred. Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11826)
-
- 26 5月, 2020 1 次提交
-
-
由 Shane Lontis 提交于
Renamed some values in core_names i.e Some DH specific names were changed to use DH instead of FFC. Added some strings values related to RSA keys. Moved set_params related docs out of EVP_PKEY_CTX_ctrl.pod into its own file. Updated Keyexchange and signature code and docs. Moved some common DSA/DH docs into a shared EVP_PKEY-FFC.pod. Moved Ed25519.pod into EVP_SIGNATURE-ED25519.pod and reworked it. Added some usage examples. As a result of the usage examples the following change was also made: ec allows OSSL_PKEY_PARAM_USE_COFACTOR_ECDH as a settable gen parameter. Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11610)
-
- 24 5月, 2020 1 次提交
-
-
由 Richard Levitte 提交于
EVP_PKEYs with provider side internal keys got the key type EVP_PKEY_NONE. This turned out to be too disruptive, so we try instead to find a matching EVP_PKEY_ASN1_METHOD and use whatever EVP_PKEY type it uses. To make internal coding easier, we introduce a few internal macros to distinguish what can be expected from a EVP_PKEY: - evp_pkey_is_blank(), to detect an unassigned EVP_PKEY. - evp_pkey_is_typed(), to detect that an EVP_PKEY has been assigned a type, which may be an old style type number or a EVP_KEYMGMT method. - evp_pkey_is_assigned(), to detect that an EVP_PKEY has been assigned an key value. - evp_pkey_is_legacy(), to detect that the internal EVP_PKEY key is a legacy one, i.e. will be handled via an EVP_PKEY_ASN1_METHOD and an EVP_PKEY_METHOD. - evp_pkey_is_provided(), to detect that the internal EVP_PKEY key is a provider side one, i.e. will be handdled via an EVP_KEYMGMT and other provider methods. This also introduces EVP_PKEY_KEYMGMT, to indicate that this EVP_PKEY contains a provider side key for which there are no known EVP_PKEY_ASN1_METHODs or EVP_PKEY_METHODs, i.e. these can only be handled via EVP_KEYMGMT and other provider methods. Fixes #11823 Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11913)
-
- 14 5月, 2020 1 次提交
-
-
由 Richard Levitte 提交于
Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11710)
-
- 07 5月, 2020 1 次提交
-
-
由 Shane Lontis 提交于
EVP_PKEY_CTX_gettable_params() was missing code for the keygen operation. After adding it it was noticed that it is probably not required for this type, so instead the gen_get_params and gen_gettable_params have been remnoved from the provider interface. gen_get_params was only implemented for ec to get the curve name. This seems redundant since normally you would set parameters into the keygen_init() and then generate a key. Normally you would expect to extract data from the key - not the object that we just set up to do the keygen. Added a simple settable and gettable test into a test that does keygen. Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11683)
-
- 28 4月, 2020 1 次提交
-
-
由 Richard Levitte 提交于
This macro is used to determine if certain pieces of code should become part of the FIPS module or not. The old name was confusing. Fixes #11538 Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11539)
-
- 23 4月, 2020 1 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11616)
-
- 17 4月, 2020 1 次提交
-
-
由 Pauli 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11371)
-
- 15 4月, 2020 4 次提交
-
-
由 Shane Lontis 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11332)
-
由 Shane Lontis 提交于
Moved some shared FFC code into the FFC files. Added extra paramgen parameters for seed, gindex. Fixed bug in ossl_prov util to print bignums. Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11303)
-
由 Richard Levitte 提交于
The macros are converted to functions, and are modified to support provider implementations. Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NNicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/11328)
-
由 Richard Levitte 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NNicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/11328)
-
- 11 4月, 2020 1 次提交
-
-
由 Richard Levitte 提交于
There was one spot where this function would look at ctx->pmeth directly to determine if it's for RSASSA-PSS, which fails when presented with an EVP_PKEY_CTX holding a provider side key. Switching to use EVP_PKEY_is_a() should make things better. Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NNicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/11501)
-
- 27 3月, 2020 1 次提交
-
-
由 Matt Caswell 提交于
Some fetch failurs are ok and should be ignored. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11405)
-
- 26 3月, 2020 1 次提交
-
-
由 Richard Levitte 提交于
EVP_PKEY is rather complex, even before provider side keys entered the stage. You could have untyped / unassigned keys (pk->type == EVP_PKEY_NONE), keys that had been assigned a type but no data (pk->pkey.ptr == NULL), and fully assigned keys (pk->type != EVP_PKEY_NONE && pk->pkey.ptr != NULL). For provider side keys, the corresponding states weren't well defined, and the code didn't quite account for all the possibilities. We also guard most of the legacy fields in EVP_PKEY with FIPS_MODE, so they don't exist at all in the FIPS module. Most of all, code needs to adapt to the case where an EVP_PKEY's |keymgmt| is non-NULL, but its |keydata| is NULL. Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11375)
-
- 21 3月, 2020 1 次提交
-
-
由 Richard Levitte 提交于
Instead of fetching the EVP_KEYMGMT in the init for every different operation, do it when creating the EVP_PKEY_CTX. This allows certain control functions to be called between the creation of the EVP_PKEY_CTX and the call of the operation's init function. Use case: EVP_PKEY_CTX_set1_id(), which is allowed to be called very early with the legacy implementation, this should still be allowed with provider implementations. Reviewed-by: NPaul Yang <kaishen.yy@antfin.com> (Merged from https://github.com/openssl/openssl/pull/11343)
-
- 15 3月, 2020 1 次提交
-
-
由 Richard Levitte 提交于
The keytype number will only be -1 when control commands are used for more than one key type. Sometimes, they share the same underlying structure, and sometimes not. Some of the RSA control commands that are using only with the keytype EVP_PKEY_RSA we misplaced to be handled with the keytype -1. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11329)
-
- 12 3月, 2020 2 次提交
-
-
由 Richard Levitte 提交于
This includes added support in legacy controls Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10289)
-
由 Richard Levitte 提交于
The following functions are added: EVP_PKEY_gen_set_params(), replacing the older EVP_PKEY_CTX_ctrl() EVP_PKEY_gen(), replacing both EVP_PKEY_keygen() and EVP_PKEY_paramgen() These functions are made to work together with already existing domparams and key generation functionality: EVP_PKEY_CTX_new_provided(), EVP_PKEY_paramgen_init(), EVP_PKEY_keygen_init(), etc. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10289)
-
- 04 3月, 2020 1 次提交
-
-
由 Shane Lontis 提交于
Provide EC serializers for text, pem and der. EC parameters use ANS1 'CHOICE' - which means they are more embedded than other parameters used by other KEY types (which normally have a SEQUENCE at the top level). For this reason the ANS1_STRING type that was being passed around has been changed to a void so that the code can still be shared with EC. The EC serializer only supports named curves currently. NOTE the serializer code assumes PKCS8 format - if the older encode methods are needed they will need to be added in another PR. (Probably when deserialization is considered). EVP_PKEY_key_fromdata_init was changed from using a keypair selection to all bits of a key. A side effect of this was that the very restrictive checks in the ecx code needed to be relaxed as it was assuming all selection flags were non optional. As this is not the case for any other key the code has been modified. Fixed a bug in legacy_ctrl_str_to_params() - "ecdh_cofactor_mode" was being incorrectly converted to the wrong keyname. Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11107)
-
- 03 3月, 2020 1 次提交
-
-
由 Dmitry Belyavskiy 提交于
Reviewed-by: NShane Lontis <shane.lontis@oracle.com> Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10904)
-
- 29 2月, 2020 1 次提交
-
-
由 Richard Levitte 提交于
The role of this cache was two-fold: 1. It was a cache of key copies exported to providers with which an operation was initiated. 2. If the EVP_PKEY didn't have a legacy key, item 0 of the cache was the corresponding provider side origin, while the rest was the actual cache. This dual role for item 0 made the code a bit confusing, so we now make a separate keymgmt / keydata pair outside of that cache, which is the provider side "origin" key. A hard rule is that an EVP_PKEY cannot hold a legacy "origin" and a provider side "origin" at the same time. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11148)
-
- 22 2月, 2020 1 次提交
-
-
由 Richard Levitte 提交于
This includes legacy PSS controls to params conversion, and an attempt to generalise the parameter names when they are suitable for more than one operation. Also added crypto/rsa/rsa_aid.c, containing proper AlgorithmIdentifiers for known RSA+hash function combinations. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10557)
-
- 21 2月, 2020 2 次提交
-
-
由 Pauli 提交于
When converting legacy controls to OSSL_PARAMs, return the unsupported -2 value correctly. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11049)
-
由 Pauli 提交于
The extra argument is a integer pointer and is optional. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11049)
-
- 20 2月, 2020 1 次提交
-
-
由 Pauli 提交于
Use of the low level DH functions has been informally discouraged for a long time. We now formally deprecate them. Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11024)
-
- 19 2月, 2020 1 次提交
-
-
由 Nicola Tuveri 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10631)
-
- 06 2月, 2020 1 次提交
-
-
由 Pauli 提交于
It is better, safer and smaller to let the library routine handle the strlen(3) call. Added a note to the documentation suggesting this. Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11019)
-
- 05 2月, 2020 2 次提交
-
-
由 Richard Levitte 提交于
It turns out this was never necessary, as the implementation should always check the default digest size anyway. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10947)
-
由 Richard Levitte 提交于
This function did a bit too much in terms of central control, actually more so than the legacy counterpart, where all the string processing is done in the diverse *_pmeth.c. Furthermore, there was no room whatsoever for control keys that libcrypto isn't centrally aware of. This function is changed to simply translating keys and values to OSSL_PARAM form and then sent on their merry way to the provider implementations through EVP_PKEY_CTX_set_params(). It translates selected well known legacy names to their core name counterpart, and that's as far as centralized control should extend. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10947)
-
- 31 1月, 2020 1 次提交
-
-
由 Pauli 提交于
The code was calling EVP_MD_meth_free which is incorrect. It should call EVP_MD_free. It happened to work but by luck rather than design. Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10973)
-
- 29 1月, 2020 1 次提交
-
-
由 Shane Lontis 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10780)
-
- 27 1月, 2020 1 次提交
-
-
由 Matt Caswell 提交于
The function EVP_PKEY_CTX_new_from_pkey() infers the name of the algorithm to fetch from the EVP_PKEY that has been supplied as an argument. But there was no way to specify properties to be used during that fetch. Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10926)
-
- 23 1月, 2020 1 次提交
-
-
由 Shane Lontis 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10826)
-