Commit Graph

1197 Commits

Author SHA1 Message Date
Richard Levitte
df65c06b59 DECODER: Add input structure support for EVP_PKEY decoding
OSSL_DECODER_CTX_new_by_EVP_PKEY() takes one more argument to express
the desired outermost structure for the input.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13248)
2020-11-11 11:42:06 +01:00
Dr. David von Oheimb
d718521fca cmp_msg.c: Use issuer of reference cert as default issuer entry in certTemplate
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13357)
2020-11-11 10:51:04 +01:00
David von Oheimb
bbc8343478 Improve doc of X509_verify_cert(), also in openssl.pod
in particular regarding the checks due to X509_V_FLAG_X509_STRICT/-x509_strict

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13312)
2020-11-06 11:17:22 +01:00
Randall S. Becker
9750b4d39c Moved OPENSSL_fork_prepare,_parent,_child from init.c to threads_pthread.c.
These methods should ultimately be deprecated. The move is to insulate
non-UNIX platforms from these undefined symbols.

CLA: Permission is granted by the author to the OpenSSL team to use
these modifications.

Fixes #13273

Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13276)
2020-11-04 17:02:38 +01:00
Richard Levitte
140eee2b3b Add easy to digest selector macros for EVP_PKEYs
These are meant to be used with functions like
OSSL_ENCODER_CTX_new_by_EVP_PKEY()

The OSSL_ENCODER_CTX_new_by_EVP_PKEY() manual is also expanded on the
topics of output types and selections.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13189)
2020-10-30 13:09:52 +01:00
Shane Lontis
a49d0a491c Rename EVP_KDF_reset() to EVP_KDF_CTX_reset().
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13116)
2020-10-22 20:47:02 +10:00
Shane Lontis
1ba21239dd Rename EVP_KDF_size() to EVP_KDF_CTX_get_kdf_size().
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13116)
2020-10-22 20:47:02 +10:00
Shane Lontis
90a2576b9b Rename EVP_MAC_size() to EVP_MAC_CTX_get_mac_size().
Fixes #11320

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13116)
2020-10-22 20:47:02 +10:00
Matt Caswell
0a737e16b2 Deprecate EVP_PKEY_set1_tls_encodedpoint()
Also deprecate EVP_PKEY_get1_tls_encodedpoint().

The preferred alternative is EVP_PKEY_set1_encoded_public_key() and
EVP_PKEY_get1_encoded_public_key().

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13105)
2020-10-20 16:39:41 +01:00
Matt Caswell
3795b2a302 Document EVP_PKEY_set1_encoded_public_key()
Also documented EVP_PKEY_get1_encoded_public_key

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13105)
2020-10-20 16:39:41 +01:00
Matt Caswell
5ac8fb584a Rename EVP_PKEY_set1_tls_encodedpoint to EVP_PKEY_set1_encoded_public_key
We do the same thing for the "get1" version. In reality this has broader
use than just TLS (it can also be used in CMS), and "encodedpoint" only
makes sense when you are talking about EC based algorithms.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13105)
2020-10-20 16:39:41 +01:00
Matt Caswell
eec0ad10b9 Update copyright year
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13144)
2020-10-15 14:10:06 +01:00
Dr. Matthias St. Pierre
b425001010 Rename OPENSSL_CTX prefix to OSSL_LIB_CTX
Many of the new types introduced by OpenSSL 3.0 have an OSSL_ prefix,
e.g., OSSL_CALLBACK, OSSL_PARAM, OSSL_ALGORITHM, OSSL_SERIALIZER.

The OPENSSL_CTX type stands out a little by using a different prefix.
For consistency reasons, this type is renamed to OSSL_LIB_CTX.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12621)
2020-10-15 11:59:53 +01:00
Matt Caswell
29000e43ea Make evp_pkey_ctx_get0_libctx/propq public API
These were previously added as an internal API. But since the CMS code
needs them, other code might do too.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13088)
2020-10-15 10:00:28 +01:00
Richard Levitte
25cf949fc6 ENCODER / DECODER: Add functions to encode/decode to/from a buffer
This adds OSSL_ENCODER_to_data() and OSSL_DECODER_from_data().  These
functions allow fairly simple rewrites of type-specific i2d and d2i
calls.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13094)
2020-10-10 20:23:39 +02:00
Jordan Montgomery
db554ae110 Expose PKCS7_get_octet_string and PKCS7_type_is_other
Add PKCS7_get_octet_string() and PKCS7_type_is_other() to the public interface.
Fixes #11139

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13059)
2020-10-08 13:26:44 +03:00
Richard Levitte
70c06aafa6 DECODER: Allow precise result type for OSSL_DECODER_CTX_new_by_EVP_PKEY()
There is some data that is very difficult to guess.  For example, DSA
parameters and X9.42 DH parameters look exactly the same, a SEQUENCE
of 3 INTEGER.  Therefore, callers may need the possibility to select
the exact keytype that they expect to get.

This will also allow use to translate d2i_TYPEPrivateKey(),
d2i_TYPEPublicKey() and d2i_TYPEParams() into OSSL_DECODER terms much
more smoothly.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13061)
2020-10-04 13:01:47 +02:00
Matt Caswell
746f367489 Fix some things the rename script didn't quite get right
The previous commit ran an automated rename throughout the codebase.
There are a small number of things it didn't quite get right so we fix
those in this commit.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12970)
2020-10-01 09:25:20 +01:00
Matt Caswell
d8652be06e Run the withlibctx.pl script
Automatically rename all instances of _with_libctx() to _ex() as per
our coding style.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12970)
2020-10-01 09:25:20 +01:00
Dr. David von Oheimb
4ff993d791 Implement treatment of id-pkix-ocsp-no-check extension for OCSP_basic_verify()
Fixes #7761

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12947)
2020-09-26 14:03:44 +02:00
Dr. David von Oheimb
37326895b7 OCSP_resp_find_status.pod: Slightly improve the documentation of various flags
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12947)
2020-09-26 14:03:23 +02:00
Dr. David von Oheimb
7d5ea3fecb OCSP_resp_find_status.pod: Replace function arg references B<...> by I<...>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12947)
2020-09-26 14:03:23 +02:00
jwalch
3786d74868 en EVP_PKEY_CTX_set_rsa_keygen_pubexp() BIGNUM management
Fixes #12635

As discussed in the issue, supporting the set0-like semantics long-term is not necessarily desirable, although necessary for short-term compatibility concerns. So I've deprecated the original method and added an equivalent that is explicitly labelled as set1.

I tried to audit existing usages of the (now-deprecated) API and update them to use set1 if that appeared to align with their expectations.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12917)
2020-09-26 07:31:59 +10:00
Shane Lontis
1c52bf3c04 Add EVP_ASYM_CIPHER_gettable_ctx_params() and EVP_ASYM_CIPHER_settable_ctx_params()
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12943)
2020-09-26 07:13:21 +10:00
Shane Lontis
5a9500488d Add EVP_KEM_gettable_ctx_params() and EVP_KEM_settable_ctx_params()
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12943)
2020-09-26 07:13:21 +10:00
Richard Levitte
14711fffbf EVP: Enforce that EVP_PKEY_set_alias_type() only works with legacy keys
This also deprecates the function, as it is not necessary any more,
and should fall out of use.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12920)
2020-09-25 11:07:42 +02:00
Richard Levitte
25b16562d3 Hide ECX_KEY again
ECX_KEY was not meant for public consumption, it was only to be
accessed indirectly via EVP routines.  However, we still need internal
access for our decoders.

This partially reverts 7c664b1f1b

Fixes #12880

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12956)
2020-09-25 12:12:22 +10:00
Dr. Matthias St. Pierre
b0614f0ae3 drbg: revert renamings of the generate and reseed counter
The original names were more intuitive: the generate_counter counts the
number of generate requests, and the reseed_counter counts the number
of reseedings (of the principal DRBG).

    reseed_gen_counter  -> generate_counter
    reseed_prop_counter -> reseed_counter

This is the anologue to commit 8380f453ec on the 1.1.1 stable branch.
The only difference is that the second renaming has already been reverted
on the master branch.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12941)
2020-09-23 23:15:46 +02:00
Pauli
c9452d74a4 kdf/mac: add name query calls for KDFs and MACs
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12931)
2020-09-23 15:28:29 +10:00
Daniel Bevenius
11b93a1c82 DOC: remove OPENSSL_CTX from OSSL_DECODER_CTX_new
This commit changes the man page for OSSL_DECODER_CTX_new by removing
the OPENSSL_CTX parameter which matches the declaration in decoder.h.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12935)
2020-09-23 09:22:11 +10:00
Pauli
4640cd00c3 rand: reference count the EVP_RAND contexts.
This is required before the RAND/DRBG framework can be made user mutable.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12904)
2020-09-23 08:39:43 +10:00
olszomal
434343f896 Add const to 'ppin' function parameter
CLA: trivial

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #12205
2020-09-21 16:54:42 +02:00
ozppupbg
d5b170a2fc Fixed EVP_MAC_final argument count in example
EVP_MAC_final had only three arguments / the buffer/tag size was missing.
Fixes #12424

Note, that I didn't try to compile the example to look for other problems.

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12429)
2020-09-21 17:48:00 +10:00
Richard Levitte
48b62fb33a DECODER: Some cleanups, and aligning with OSSL_ENCODER
Mostly source nits, but also removing a couple of OSSL_DECODER_PARAM
macros that are never used or even make sense.

Also, some function names weren't quite consistent.  They were made a
bit more consistent in the OSSL_ENCODER API, now we bring that back to
OSSL_DECODER.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12873)
2020-09-20 17:31:54 +02:00
Richard Levitte
ae12eac074 TEST: Adapt applicable tests to the changed OSSL_ENCODER_CTX_new_by_EVP_PKEY()
This adds the convenience function EVP_PKEY_typenames_do_all(), which
does the same as EVP_KEYMGMT_names_do_all(), but without having to
expose all the internal ways to find out if the internal EVP_PKEY key
is legacy or provider-native.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12873)
2020-09-20 17:31:54 +02:00
Richard Levitte
b8975c68b1 ENCODER: Refactor the OSSL_ENCODER API to be more like OSSL_DECODER
OSSL_ENCODER was developed before OSSL_DECODER, so the idea of
chaining and the resulting API came later.  This series of changes
brings the same sort of API and functionality back to OSSL_ENCODER,
making the two APIs more consistent with each other.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12873)
2020-09-20 17:31:22 +02:00
Shane Lontis
80f4fd18f7 Add KEM (Key encapsulation mechanism) support to providers
SP800-56Br2 requires support for the RSA primitives for RSASVE generate and recover.
As these are simple KEM operations another operation type has been added that can support future extensions.

Added public functions EVP_PKEY_encapsulate_init(), EVP_PKEY_encapsulate(), EVP_PKEY_decapsulate_init() and EVP_PKEY_decapsulate()
Added EVP_KEM_* functions.
Added OSSL_FUNC_kem_* dispatch functions

Added EVP_PKEY_CTX_set_kem_op() so that different types of KEM can be added in the future. This value must currently be set to
"RSASVE" after EVP_PKEY_encapsulate_init() & EVP_PKEY_decapsulate_init() as there is no default value.
This allows the existing RSA key types, keymanagers, and encoders to be used with the encapsulation operations.

The design of the public API's resulted from contributions from @romen & @levitte.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12750)
2020-09-19 18:08:46 +10:00
Shane Lontis
7f9e744036 Add selftest callback to CRNG output test
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12795)
2020-09-18 06:20:33 +10:00
Tomas Mraz
fe2f8aecfe EC_KEY: add EC_KEY_decoded_from_explicit_params()
The function returns 1 when the encoding of a decoded EC key used
explicit encoding of the curve parameters.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12683)
2020-09-17 17:15:15 +02:00
Matt Caswell
3f96b687f7 Document 2 newly added functions
Adds documentation for EVP_PKEY_get0_first_alg_name() and
EVP_KEYMGMT_get0_first_name().

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12850)
2020-09-17 11:13:05 +03:00
Tim Hudson
eb750219f2 undeprecate EVP_PKEY_cmp and EVP_PKEY_cmp_parameters
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12013)
2020-09-16 21:38:45 +02:00
Shane Lontis
96bb4ff9b8 Fix EVP_PKEY_CTX_ctrl() documentation
Remove references to 'macro' from EVP_PKEY_CTX_ctrl() as they are all
functions now, and update the HISTORY section.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12853)
2020-09-12 20:24:38 +02:00
Shane Lontis
33dd828d97 Update doc for EVP_PKEY_CTX_set_ec_param_enc()
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12853)
2020-09-12 20:24:22 +02:00
Dr. David von Oheimb
1cd77e2eca OSSL_CMP_CTX_new.pod: improve doc of OSSL_CMP_CTX_get1_{extraCertsIn,caPubs}
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12825)
2020-09-11 12:17:58 +02:00
Dr. David von Oheimb
d3dbc9b500 apps_ui.c: Correct password prompt for ui_method
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12493)
2020-09-10 22:01:07 +02:00
Dr. David von Oheimb
5fdcde816f X509_NAME_cmp(): Clearly document its semantics, referencing relevant RFCs
Fixes #12765

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12769)
2020-09-10 12:07:33 +02:00
Dr. David von Oheimb
a8e2a9f569 X509_NAME_add_entry_by_txt.pod: Improve documentation w.r.t. multi-valued RDNs (containing sets of AVAs)
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12769)
2020-09-10 12:07:33 +02:00
Dr. David von Oheimb
bc64c5a69b X509_NAME_cmp: restrict normal return values to {-1,0,1} to avoid confusion with -2 for error
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12769)
2020-09-10 12:07:33 +02:00
Dr. David von Oheimb
2aa91df406 X509_NAME_oneline(): Fix output of multi-valued RDNs, escaping '/' and '+' in values
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12769)
2020-09-10 12:07:33 +02:00
Dr. David von Oheimb
115786793c X509_NAME_print_ex.pod: re-format lines to fit within 80 chars limit
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12769)
2020-09-10 12:07:33 +02:00