- 20 8月, 2020 3 次提交
-
-
由 Richard Levitte 提交于
The RSA key could be a public key, and yet, rsa_todata() always tries to add the private parts as well. The resulting parameters will look a bit odd, such as a zero |d|, resulting in an invalid key. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12676)
-
由 Richard Levitte 提交于
ECC keys with non-NIST group names aren't supported when running with the FIPS provider. Keys with such groups that are included in evp_test stanza files aren't even possible to decode if provider side decoders are used, since those depend on available EVP_KEYMGMT implementations and what they support. Those keys could only be decoded because the legacy decoders were used. To make these tests future proof, we separate out the stanzas having keys with NIST approved group names into separate files, and adjust the file lists in test/recipes/30-test_evp.t aaccordingly. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12672)
-
由 Richard Levitte 提交于
There are some EC keys that can't be exported to provider keymgmt, because the keymgmt implementation doesn't support certain forms of EC keys. This could lead to a crash caused by dereferencing a NULL pointer, so we need to cover that case by returning an error instead. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12610)
-
- 19 8月, 2020 5 次提交
-
-
由 Dr. David von Oheimb 提交于
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12641)
-
由 Dr. David von Oheimb 提交于
Fixes #6698 Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12641)
-
由 Dr. David von Oheimb 提交于
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12645)
-
由 Shane Lontis 提交于
Fixes #12640 The X942-KDF is now indepedent of the CMS code (since it no longer uses CMS_SharedInfo_encode). Any code related to EVP_PKEY_DH_KDF_X9_42 needs to not be wrapped by !defined(OPENSSL_NO_CMS). Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12642)
-
由 Pauli 提交于
The calls are unlikely to fail but better checking their return than not. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12648)
-
- 18 8月, 2020 1 次提交
-
-
由 Pauli 提交于
The applications use '-' in options not '_'. Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12662)
-
- 17 8月, 2020 4 次提交
-
-
由 Shane Lontis 提交于
Fixes #12589 The 'type' parameter needed to be propagated to the ffc params during keygen, so that the simple validation of params done during keygen can handle legacy keys for the default provider. The fips provider ignores this change and only allows fips186-4 approved sizes. Reviewed-by: NNicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/12623)
-
由 Shane Lontis 提交于
A miscellaneous '\' was accidently added to set FIPSKEY=$(FIPSKEY) which was causing some external CI build loops to not produce test results. It looks like it was accidently copied from the unix variant which requires the '\'. Thanks to Wolfgang Beck for tracking down the issue. Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12661)
-
由 Matt Caswell 提交于
We check that EVP_default_properties_is_fips_enabled() is working even before other function calls have auto-loaded the config file. Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12567)
-
由 Matt Caswell 提交于
A config file can change the global default properties. Therefore we must ensure that the config file is loaded before reading or amending them. Fixes #12565 Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12567)
-
- 14 8月, 2020 4 次提交
-
-
由 Pauli 提交于
If an attempt is made to load a provider and it fails, the fall-back mechanism should be disabled to prevent the user getting some weird happening. E.g. a failure to load the FIPS provider should not allow the default to load as a fall-back. The OSSL_PROVIDER_try_load() call has been added, to allow a provider to be loaded without disabling the fall-back mechanism if it fails. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12625)
-
由 Pauli 提交于
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12624)
-
由 Pauli 提交于
This KDF is defined in RFC7292 in appendix B. It is widely used in PKCS#12 and should be provided. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12624)
-
由 Patrick Steuer 提交于
gcc 10 seems to think of assigning to an (unsigned) char array as a stringop and demands additional space for a terminating '\0': In function 'ssl3_generate_key_block', inlined from 'ssl3_setup_key_block' at ssl/s3_enc.c:304:11: ssl/s3_enc.c:51:20: error: writing 1 byte into a region of size 0 [-Werror=stringop-overflow=] 51 | buf[j] = c; | ~~~~~~~^~~ ssl/s3_enc.c: In function 'ssl3_setup_key_block': ssl/s3_enc.c:23:19: note: at offset 16 to object 'buf' with size 16 declared here 23 | unsigned char buf[16], smd[SHA_DIGEST_LENGTH]; | ^~~ Signed-off-by: NPatrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12632)
-
- 13 8月, 2020 4 次提交
-
-
由 Dr. David von Oheimb 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12638)
-
由 Tomas Mraz 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12594)
-
由 Tomas Mraz 提交于
Fixes #12588 Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12594)
-
由 Benjamin Kaduk 提交于
Also, document its unusual semantics of resetting the cipher list (but preserving other configuration). Reviewed-by: NPaul Dale <paul.dale@oracle.com> Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/7274)
-
- 12 8月, 2020 5 次提交
-
-
由 Dr. David von Oheimb 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12615)
-
由 Shane Lontis 提交于
The openssl provider app will now display these params. Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12396)
-
由 Shane Lontis 提交于
Fix serializer_EVP_PKEY_to_bio so that that the key is exported if the serializer provider does not match the key provider. RSA keys in the 'base' provider are different from a fips provider RSA key (since they have different object structures). To use a fips provider key in the base serializer the key needs to be exported. The fix was suggested by @levitte. Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12162)
-
由 Shane Lontis 提交于
Fixes #11863 Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12162)
-
由 Pauli 提交于
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12603)
-
- 11 8月, 2020 14 次提交
-
-
由 Benjamin Kaduk 提交于
The S390x hardware-accelerated cipher implementations keep their IV state in an internal structure tied to the underlying implementation. However, the provider itself needs to be able to expose the IV state to libcrypto when processing the "iv-state" parameter. In the absence of a S390x hardware-specific get_ctx_params() implementation, be sure to copy the IV state from the hw-specific structure back to the generic PROV_CIPHER_CTX object after each cipher operation in order to synchronize the internal and fetchable state. [extended tests] Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12233)
-
由 Benjamin Kaduk 提交于
Use EVP_CIPHER_CTX_get_iv_state() in cipher_test_enc() rather than the deprecated EVP_CIPHER_CTX_iv(). [extended tests] Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12233)
-
由 Benjamin Kaduk 提交于
Use EVP_CIPHER_CTX_get_iv() to implement EVP_CIPHER_set_asn1_iv(), rather than the deprecated EVP_CIPHER_CTX_original_iv(). Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12233)
-
由 Benjamin Kaduk 提交于
Inline the pre-13273237 versions of EVP_CIPHER_CTX_iv(), EVP_CIPHER_CTX_original_iv(), and EVP_CIPHER_CTX_iv_noconst() in evp.h. These macros are internal-only, used to implement legacy libcrypto EVP ciphers, with no real provider involvement. Accordingly, just use the EVP_CIPHER_CTX storage directly and don't try to reach into a provider-side context. This does necessitate including evp_local.h in several more files. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12233)
-
由 Benjamin Kaduk 提交于
Inline the pre-13273237 versions of EVP_CIPHER_CTX_iv(), EVP_CIPHER_CTX_original_iv(), and EVP_CIPHER_CTX_iv_noconst() in e_rc2.c. For the legacy implementations, there's no need to use an in-provider storage for the IV, when the crypto operations themselves will be performed outside of the provider. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12233)
-
由 Benjamin Kaduk 提交于
Inline the pre-13273237 versions of EVP_CIPHER_CTX_iv(), EVP_CIPHER_CTX_original_iv(), and EVP_CIPHER_CTX_iv_noconst() in e_xcbc_d.c. For the legacy implementations, there's no need to use an in-provider storage for the IV, when the crypto operations themselves will be performed outside of the provider. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12233)
-
由 Benjamin Kaduk 提交于
Inline the pre-13273237 versions of EVP_CIPHER_CTX_iv(), EVP_CIPHER_CTX_original_iv(), and EVP_CIPHER_CTX_iv_noconst() in e_sm4.c. For the legacy implementations, there's no need to use an in-provider storage for the IV, when the crypto operations themselves will be performed outside of the provider. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12233)
-
由 Benjamin Kaduk 提交于
Inline the pre-13273237 versions of EVP_CIPHER_CTX_iv(), EVP_CIPHER_CTX_original_iv(), and EVP_CIPHER_CTX_iv_noconst() in e_des3.c. For the legacy implementations, there's no need to use an in-provider storage for the IV, when the crypto operations themselves will be performed outside of the provider. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12233)
-
由 Benjamin Kaduk 提交于
Inline the pre-13273237 versions of EVP_CIPHER_CTX_iv(), EVP_CIPHER_CTX_original_iv(), and EVP_CIPHER_CTX_iv_noconst() in e_des.c. For the legacy implementations, there's no need to use an in-provider storage for the IV, when the crypto operations themselves will be performed outside of the provider. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12233)
-
由 Benjamin Kaduk 提交于
Inline the pre-13273237 versions of EVP_CIPHER_CTX_iv(), EVP_CIPHER_CTX_original_iv(), and EVP_CIPHER_CTX_iv_noconst() in e_camellia.c. For the legacy implementations, there's no need to use an in-provider storage for the IV, when the crypto operations themselves will be performed outside of the provider. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12233)
-
由 Benjamin Kaduk 提交于
Inline the pre-13273237 versions of EVP_CIPHER_CTX_iv(), EVP_CIPHER_CTX_original_iv(), and EVP_CIPHER_CTX_iv_noconst() in e_aria.c. For the legacy implementations, there's no need to use an in-provider storage for the IV, when the crypto operations themselves will be performed outside of the provider. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12233)
-
由 Benjamin Kaduk 提交于
Inline the pre-13273237 versions of EVP_CIPHER_CTX_iv(), EVP_CIPHER_CTX_original_iv(), and EVP_CIPHER_CTX_iv_noconst() in e_aes_cbc_hmac_sha256.c. For the legacy implementations, there's no need to use an in-provider storage for the IV, when the crypto operations themselves will be performed outside of the provider. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12233)
-
由 Benjamin Kaduk 提交于
Inline the pre-13273237 versions of EVP_CIPHER_CTX_iv(), EVP_CIPHER_CTX_original_iv(), and EVP_CIPHER_CTX_iv_noconst() in e_aes_cbc_hmac_sha1.c. For the legacy implementations, there's no need to use an in-provider storage for the IV, when the crypto operations themselves will be performed outside of the provider. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12233)
-
由 Benjamin Kaduk 提交于
Inline the pre-13273237 versions of EVP_CIPHER_CTX_iv(), EVP_CIPHER_CTX_original_iv(), and EVP_CIPHER_CTX_iv_noconst() in e_aes.c. For the legacy implementations, there's no need to use an in-provider storage for the IV, when the crypto operations themselves will be performed outside of the provider. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12233)
-