Skip to content

O
openssl

btwise / openssl

通知 1
Star 0
Fork 0
O
openssl

体验新版 GitCode,发现更多精彩内容 >>

切换分支/标签
  1. 14 4月, 2020 1 次提交
  3. 09 4月, 2020 1 次提交
  5. 08 4月, 2020 2 次提交
  7. 01 4月, 2020 1 次提交
    • S
      Add EVP_PKEY_gettable_params support for accessing EVP_PKEY key data fields · 96ebe52e
      Shane Lontis 提交于 
      Currently only RSA, EC and ECX are supported (DH and DSA need to be added to the keygen
PR's seperately because the fields supported have changed significantly).

The API's require the keys to be provider based.

Made the keymanagement export and get_params functions share the same code by supplying
support functions that work for both a OSSL_PARAM_BLD as well as a OSSL_PARAM[].
This approach means that complex code is not required to build an
empty OSSL_PARAM[] with the correct sized fields before then doing a second
pass to populate the array.

The RSA factor arrays have been changed to use unique key names to simplify the interface
needed by the user.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11365)
      96ebe52e
  9. 26 3月, 2020 4 次提交
    • R
      EVP: Limit the diverse key parameter functions to domain params only · 8158cf20
      Richard Levitte 提交于 
      Provider KEYMGMT functions can handle domain parameters as well as
"other" parameters (the cofactor mode flag in ECC keys is one of
those).  The public EVP functions EVP_PKEY_copy_parameters(),
EVP_PKEY_missing_parameters(), EVP_PKEY_cmp_parameters() and
EVP_PKEY_cmp() tried to handle all parameters, but looking back at
EVP_PKEY_ASN1_METHOD code (especially crypto/ec/ec_ameth.c), it turns
out that they only need to concern themselves with domain parameters.
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11375)
      8158cf20
    • R
      EVP: Downgrade keys rather than upgrade · acb90ba8
      Richard Levitte 提交于 
      Upgrading EVP_PKEYs from containing legacy keys to containing provider
side keys proved to be risky, with a number of unpleasant corner
cases, and with functions like EVP_PKEY_get0_DSA() failing
unexpectedly.

We therefore change course, and instead of upgrading legacy internal
keys to provider side internal keys, we downgrade provider side
internal keys to legacy ones.  To be able to do this, we add
|import_from| and make it a callback function designed for
evp_keymgmt_export().

This means that evp_pkey_upgrade_to_provider() is replaced with
evp_pkey_downgrade().

EVP_PKEY_copy_parameters() is the most deeply affected function of
this change.

Fixes #11366
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11375)
      acb90ba8
    • R
      EVP: Add EVP_PKEY_set_type_by_keymgmt() and use it · 8243d8d1
      Richard Levitte 提交于 
      This function intialises an EVP_PKEY to contain a provider side internal
key.

We take the opportunity to also document the older EVP_PKEY_set_type()
and EVP_PKEY_set_type_str().
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11375)
      8243d8d1
    • R
      EVP: Clarify the states of an EVP_PKEY · adc9f731
      Richard Levitte 提交于 
      EVP_PKEY is rather complex, even before provider side keys entered the
stage.
You could have untyped / unassigned keys (pk->type == EVP_PKEY_NONE),
keys that had been assigned a type but no data (pk->pkey.ptr == NULL),
and fully assigned keys (pk->type != EVP_PKEY_NONE && pk->pkey.ptr != NULL).

For provider side keys, the corresponding states weren't well defined,
and the code didn't quite account for all the possibilities.

We also guard most of the legacy fields in EVP_PKEY with FIPS_MODE, so
they don't exist at all in the FIPS module.

Most of all, code needs to adapt to the case where an EVP_PKEY's
|keymgmt| is non-NULL, but its |keydata| is NULL.
Reviewed-by: NMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11375)
      adc9f731
  11. 21 3月, 2020 1 次提交
    • R
      EVP: fetch the EVP_KEYMGMT earlier · 4b9e90f4
      Richard Levitte 提交于 
      Instead of fetching the EVP_KEYMGMT in the init for every different
operation, do it when creating the EVP_PKEY_CTX.

This allows certain control functions to be called between the
creation of the EVP_PKEY_CTX and the call of the operation's init
function.

Use case: EVP_PKEY_CTX_set1_id(), which is allowed to be called very
early with the legacy implementation, this should still be allowed
with provider implementations.
Reviewed-by: NPaul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/11343)
      4b9e90f4
  13. 12 3月, 2020 1 次提交
  15. 02 3月, 2020 3 次提交
  17. 29 2月, 2020 2 次提交
  19. 22 2月, 2020 1 次提交
  21. 12 2月, 2020 1 次提交
  23. 08 2月, 2020 1 次提交
  25. 07 2月, 2020 2 次提交
    • R
      Redesign the KEYMGMT libcrypto <-> provider interface - the basics · b305452f
      Richard Levitte 提交于 
      The KEYMGMT libcrypto <-> provider interface currently makes a few
assumptions:

1.  provider side domain parameters and key data isn't mutable. In
    other words, as soon as a key has been created in any (loaded,
    imported data, ...), it's set in stone.
2.  provider side domain parameters can be strictly separated from the
    key data.

This does work for the most part, but there are places where that's a
bit too rigid for the functionality that the EVP_PKEY API delivers.
Key data needs to be mutable to allow the flexibility that functions
like EVP_PKEY_copy_parameters promise, as well as to provide the
combinations of data that an EVP_PKEY is generally assumed to be able
to hold:

- domain parameters only
- public key only
- public key + private key
- domain parameters + public key
- domain parameters + public key + private key

To remedy all this, we:

1.  let go of the distinction between domain parameters and key
    material proper in the libcrypto <-> provider interface.

    As a consequence, functions that still need it gain a selection
    argument, which is a set of bits that indicate what parts of the
    key object are to be considered in a specific call.  This allows
    a reduction of very similar functions into one.

2.  Rework the libcrypto <-> provider interface so provider side key
    objects are created and destructed with a separate function, and
    get their data filled and extracted in through import and export.

(future work will see other key object constructors and other
functions to fill them with data)

Fixes #10979

squash! Redesign the KEYMGMT libcrypto <-> provider interface - the basics

Remedy 1 needs a rewrite:
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NShane Lontis <shane.lontis@oracle.com>
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11006)
      b305452f
    • R
      Reorganize the internal evp_keymgmt functions · 68552cde
      Richard Levitte 提交于 
      Some of the evp_keymgmt_ functions are just wrappers around the
EVP_KEYMGMT function pointers.  We move those from keymgmt_lib.c to
keymgmt_meth.c.

Other evp_keymgmt_ functions are utility functions to help the rest of
the EVP functions.  Since their names are easily confused with the
functions that were moved to keymgmt_meth.c, we rename them so they
all start with evp_keymgmt_util_.
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NShane Lontis <shane.lontis@oracle.com>
Reviewed-by: NPaul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11006)
      68552cde
  27. 02 2月, 2020 1 次提交
  29. 27 1月, 2020 1 次提交
  31. 24 1月, 2020 1 次提交
  33. 18 1月, 2020 1 次提交
  35. 17 1月, 2020 1 次提交
  37. 12 1月, 2020 1 次提交
  39. 07 1月, 2020 1 次提交
  41. 19 12月, 2019 1 次提交
  43. 16 12月, 2019 1 次提交
  45. 30 11月, 2019 1 次提交
  47. 21 11月, 2019 1 次提交
  49. 28 10月, 2019 1 次提交
  51. 10 10月, 2019 1 次提交
  53. 29 9月, 2019 1 次提交
    • D
      Reorganize private crypto header files · 25f2138b
      Dr. Matthias St. Pierre 提交于 
      Currently, there are two different directories which contain internal
header files of libcrypto which are meant to be shared internally:

While header files in 'include/internal' are intended to be shared
between libcrypto and libssl, the files in 'crypto/include/internal'
are intended to be shared inside libcrypto only.

To make things complicated, the include search path is set up in such
a way that the directive #include "internal/file.h" could refer to
a file in either of these two directoroes. This makes it necessary
in some cases to add a '_int.h' suffix to some files to resolve this
ambiguity:

  #include "internal/file.h"      # located in 'include/internal'
  #include "internal/file_int.h"  # located in 'crypto/include/internal'

This commit moves the private crypto headers from

  'crypto/include/internal'  to  'include/crypto'

As a result, the include directives become unambiguous

  #include "internal/file.h"       # located in 'include/internal'
  #include "crypto/file.h"         # located in 'include/crypto'

hence the superfluous '_int.h' suffixes can be stripped.

The files 'store_int.h' and 'store.h' need to be treated specially;
they are joined into a single file.
Reviewed-by: NRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9333)
      25f2138b
  55. 25 9月, 2019 1 次提交
  57. 04 9月, 2019 1 次提交
  59. 29 8月, 2019 2 次提交
  61. 24 8月, 2019 1 次提交
    • R
      Get rid of the diversity of names for MAC parameters · 703170d4
      Richard Levitte 提交于 
      The EVP_PKEY MAC implementations had a diversity of controls that were
really the same thing.  We did reproduce that for the provider based
MACs, but are changing our minds on this.  Instead of that, we now use
one parameter name for passing the name of the underlying ciphers or
digests to a MAC implementation, "cipher" and "digest", and one
parameter name for passing the output size of the MAC, "size".

Then we leave it to the EVP_PKEY->EVP_MAC bridge to translate "md"
to "digest", and "digestsize" to "size".
Reviewed-by: NShane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9667)
      703170d4