#
6f20c680 |
| 05-Sep-2024 |
Pauli |
fips: continuous random bit generator tests For FIPS 140-3 the continuous tests specified in SP 800-90B need to be included on the output of any entropy source. They are impleme
fips: continuous random bit generator tests For FIPS 140-3 the continuous tests specified in SP 800-90B need to be included on the output of any entropy source. They are implemented here as a replacement for the primary DRBG in the FIPS provider. This results in a setup that looks like this: +-------------+ | | | Seed Source | | | +------+------+ | | v +-------------+ | | | CRNG Test | | | ++----------+-+ | | | | v v +--------------+ +--------------+ | | | | | Public DRBG | | Private DRBG | | | | | +--------------+ +--------------+ An additional benefit, that of avoiding DRBG chains, is also gained. The current standards do not permit the output of one DRBG to be used as the input for a second (i.e. a chain). This also leaves open the future possibility of incorporating a seed source inside the FIPS boundary. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25415)
show more ...
|
#
7ed6de99 |
| 05-Sep-2024 |
Tomas Mraz |
Copyright year updates Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes
|
#
ca3c6f38 |
| 01-Aug-2024 |
FdaSilvaYY |
crypto: factorize to hex chars conversion code. Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/o
crypto: factorize to hex chars conversion code. Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24968)
show more ...
|
#
0557d6c6 |
| 01-Jul-2024 |
slontis |
Add FIPS indicator callback. Add a FIPS indicator callback that can be set via OSSL_INDICATOR_set_callback(). This callback is intended to be run whenever a non approved algorithm ch
Add FIPS indicator callback. Add a FIPS indicator callback that can be set via OSSL_INDICATOR_set_callback(). This callback is intended to be run whenever a non approved algorithm check has occurred and strict checking has been disabled.The callback may be used to log non approved algorithms. The callback is passed a type and description string as well as the cbarg specified in OSSL_INDICATOR_set_callback. The return value can be either 0 or 1. A value of 0 can be used for testing purposes to force an error to occur from the algorithm that called the callback. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24623)
show more ...
|
#
da9342ed |
| 16-May-2024 |
sashan |
Move stack of compression methods from libssl to OSSL_LIB_CTX The compression methods are now a global variable in libssl. This change moves it into OSSL library context. It is
Move stack of compression methods from libssl to OSSL_LIB_CTX The compression methods are now a global variable in libssl. This change moves it into OSSL library context. It is necessary to eliminate atexit call from libssl. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24414)
show more ...
|
#
24d16d3a |
| 15-Apr-2024 |
Neil Horman |
Make rcu_thread_key context-aware Currently, rcu has a global bit of data, the CRYPTO_THREAD_LOCAL object to store per thread data. This works in some cases, but fails in FIPS, becu
Make rcu_thread_key context-aware Currently, rcu has a global bit of data, the CRYPTO_THREAD_LOCAL object to store per thread data. This works in some cases, but fails in FIPS, becuase it contains its own copy of the global key. So 1) Make the rcu_thr_key a per-context variable, and force ossl_rcu_lock_new to be context aware 2) Store a pointer to the context in the lock object 3) Use the context to get the global thread key on read/write lock 4) Use ossl_thread_start_init to properly register a cleanup on thread exit 5) Fix up missed calls to OSSL_thread_stop() in our tests Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24162)
show more ...
|
#
80f32964 |
| 19-Oct-2023 |
Tomas Mraz |
Do not include crypto/asn1.h from internal/cryptlib.h This is unnecessary and conceptualy wrong as headers from internal should not include headers from crypto Reviewed-by: Hugo
Do not include crypto/asn1.h from internal/cryptlib.h This is unnecessary and conceptualy wrong as headers from internal should not include headers from crypto Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22432)
show more ...
|
#
da1c088f |
| 07-Sep-2023 |
Matt Caswell |
Copyright year updates Reviewed-by: Richard Levitte <levitte@openssl.org> Release: yes
|
#
32d3c3ab |
| 10-Jul-2023 |
Matt Caswell |
Optimise PKEY decoders The most expensive part of using a PKEY decoder is the OSSL_DECODER_CTX_new_for_pkey() call. This builds up all of the decoder chains, which is a complex and t
Optimise PKEY decoders The most expensive part of using a PKEY decoder is the OSSL_DECODER_CTX_new_for_pkey() call. This builds up all of the decoder chains, which is a complex and time consuming operation. However, if no new providers have been loaded/unloaded since the last time it was called we can expect the same results for the same parameters. Note that this operation takes place *before* we event parse the data for decoding so it is not dependent on the parsed data at all. We introduce a cache for OSSL_DECODER_CTX objects. If we have been called with the same parameters then we just duplicate an existing OSSL_DECODER_CTX. This should be significantly faster than creating a new one every time. Partially addressed the issue in #15199 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21426)
show more ...
|
#
629b408c |
| 17-May-2023 |
Hugo Landau |
QUIC: Fix bugs where threading is disabled Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pu
QUIC: Fix bugs where threading is disabled Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20856)
show more ...
|
#
4574a7fd |
| 27-Sep-2021 |
Čestmír Kalina |
crypto: add preemptive threading support Some primitives are designed to be used in a multi-threaded environment, if supported, e.g., Argon2. This patch adds support for preempt
crypto: add preemptive threading support Some primitives are designed to be used in a multi-threaded environment, if supported, e.g., Argon2. This patch adds support for preemptive threading and basic synchronization primitives for platforms compliant with POSIX threads or Windows CRT. Native functions are wrapped to provide a common (internal) API. Threading support can be disabled at compile time. If enabled, threading is disabled by default and needs to be explicitly enabled by the user. Thread enablement requires an explicit limit on the number of threads that OpenSSL may spawn (non-negative integer/infinity). The limit may be changed. Signed-off-by: Čestmír Kalina <ckalina@redhat.com> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12255)
show more ...
|
#
7c310e87 |
| 28-Jun-2022 |
Dr. David von Oheimb |
libcrypto refactoring: introduce and use ossl_asn1_string_set_bits_left() Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by:
libcrypto refactoring: introduce and use ossl_asn1_string_set_bits_left() Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/18668)
show more ...
|
#
5317b6ee |
| 22-Mar-2022 |
Hugo Landau |
Add deprecation macro for 3.1 and deprecate OPENSSL_LH_stats Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/op
Add deprecation macro for 3.1 and deprecate OPENSSL_LH_stats Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17937)
show more ...
|
#
fb4cdca0 |
| 19-May-2022 |
Pauli |
strcasecmp: implement strcasecmp and strncasecmp Rather than relying on the locale code working, instead implement these functions directly. Fixes #18322 Reviewed-by: T
strcasecmp: implement strcasecmp and strncasecmp Rather than relying on the locale code working, instead implement these functions directly. Fixes #18322 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/18344)
show more ...
|
#
f505be99 |
| 10-May-2022 |
Tomas Mraz |
Always try locale initialization from OPENSSL_strcasecmp Fixes #18172 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged f
Always try locale initialization from OPENSSL_strcasecmp Fixes #18172 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18282)
show more ...
|
#
71c17c36 |
| 10-May-2022 |
Tomas Mraz |
Move OPENSSL_strcasecmp() and related to o_str.c Otherwise the implementation is unnecessarily duplicated in legacy.so. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Review
Move OPENSSL_strcasecmp() and related to o_str.c Otherwise the implementation is unnecessarily duplicated in legacy.so. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18282)
show more ...
|
#
fecb3aae |
| 03-May-2022 |
Matt Caswell |
Update copyright year Reviewed-by: Tomas Mraz <tomas@openssl.org> Release: yes
|
#
ed7c64fc |
| 04-Apr-2022 |
Hugo Landau |
Remove unused libctx functions (runonce, onfree) Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
Remove unused libctx functions (runonce, onfree) Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18031)
show more ...
|
#
927d0566 |
| 14-Mar-2022 |
Hugo Landau |
Refactor OSSL_LIB_CTX to avoid using CRYPTO_EX_DATA This refactors OSSL_LIB_CTX to avoid using CRYPTO_EX_DATA. The assorted objects to be managed by OSSL_LIB_CTX are hardcoded and are in
Refactor OSSL_LIB_CTX to avoid using CRYPTO_EX_DATA This refactors OSSL_LIB_CTX to avoid using CRYPTO_EX_DATA. The assorted objects to be managed by OSSL_LIB_CTX are hardcoded and are initialized eagerly rather than lazily, which avoids the need for locking on access in most cases. Fixes #17116. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17881)
show more ...
|
#
af16097f |
| 24-Jun-2021 |
Dr. David von Oheimb |
Move more general parts of internal/cryptlib.h to new internal/common.h Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15847)
|
#
747adb6a |
| 24-Jun-2021 |
Dr. David von Oheimb |
Add and use HAS_CASE_PREFIX(), CHECK_AND_SKIP_CASE_PREFIX(), and HAS_CASE_SUFFIX() Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15847)
|
#
2ff286c2 |
| 21-Jun-2021 |
Dr. David von Oheimb |
Add and use HAS_PREFIX() and CHECK_AND_SKIP_PREFIX() for checking if string has literal prefix Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/
Add and use HAS_PREFIX() and CHECK_AND_SKIP_PREFIX() for checking if string has literal prefix Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15847)
show more ...
|
Revision tags: openssl-3.0.0-alpha17 |
|
#
ec91f1ae |
| 18-May-2021 |
Pauli |
core: condition out more in FIPS builds Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15278)
|
#
9be5f9a8 |
| 17-May-2021 |
Dr. David von Oheimb |
Move ossl_sleep() to e_os.h and use it in apps Fixes #15304 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://githu
Move ossl_sleep() to e_os.h and use it in apps Fixes #15304 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15308)
show more ...
|
#
a227ff33 |
| 14-May-2021 |
Matt Caswell |
Fix a use-after-free in the child provider code If the child provider context data gets cleaned up before all usage of providers has finished then a use-after-free can occur. We change t
Fix a use-after-free in the child provider code If the child provider context data gets cleaned up before all usage of providers has finished then a use-after-free can occur. We change the priority of this data so that it gets freed later. Fixes #15284 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15286)
show more ...
|