Update copyright year

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14512)

TEST: Remove the build of fipsmodule.cnf from test recipes

The exception is the test recipe that tests 'openssl fipsinstall'.
However, that one uses a different output file name, so it's

TEST: Remove the build of fipsmodule.cnf from test recipes

The exception is the test recipe that tests 'openssl fipsinstall'.
However, that one uses a different output file name, so it's safe.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14320)

show more ...

Make -provider_name and -section_name optional

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https:

Make -provider_name and -section_name optional

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12311)

show more ...

Add --fips-key configuration parameter to fipsinstall application.

Change default FIPS HMAC KEY from all-zero's
Use default FIPSKEY if not given on command line.
Make all -macopt in

Add --fips-key configuration parameter to fipsinstall application.

Change default FIPS HMAC KEY from all-zero's
Use default FIPSKEY if not given on command line.
Make all -macopt in fipsinstall optional
Make all tests, except fipsinstall, use the default -macopt and
-mac_name flags.
Define and use FIPSDIR variable on VMS/MMS.
Also use SRCDIR/BLDDIR in SRCTOP/BLDTOP.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12235)

show more ...

Centralise Environment Variables for the tests

The test_includes test was failing if OPENSSL_CONF_INCLUDE happened to
be set in the user's environment. To ensure that no tests accidental

Centralise Environment Variables for the tests

The test_includes test was failing if OPENSSL_CONF_INCLUDE happened to
be set in the user's environment. To ensure that no tests accidentally
use this or other enviroment variables from the user's environment we
automatically set them centrally for all tests.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11691)

show more ...

Update some nits around the FIPS module

- Changed the generated FIPS signature file to be "fipsmodule.conf"
since it contains information about the FIPS module/file.
- Add -q option

Update some nits around the FIPS module

- Changed the generated FIPS signature file to be "fipsmodule.conf"
since it contains information about the FIPS module/file.
- Add -q option to fipsinstall command, to stop chatty verbose status
messages.
- Document env var OPENSSL_CONF_INCLUDE

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11177)

show more ...

Update copyright year

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11616)

Revert "TEST: make and use a fipsinstall script"

Unfortunately, this won't work on MacOS because of system integrity
measures on that platform, which clears DYLD_LIBRARY_PATH before

Revert "TEST: make and use a fipsinstall script"

Unfortunately, this won't work on MacOS because of system integrity
measures on that platform, which clears DYLD_LIBRARY_PATH before
starting a sub-process executable.

Ref: https://developer.apple.com/library/archive/documentation/Security/Conceptual/System_Integrity_Protection_Guide/RuntimeProtections/RuntimeProtections.html

This reverts commit ae6b654b669638882a6ddce012ff55adc7cf6a82.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11592)

show more ...

TEST: make and use a fipsinstall script

We have copies of the exact same fipsinstall call in several test
recipes. This refactors those calls into a single simple script.

Revie

TEST: make and use a fipsinstall script

We have copies of the exact same fipsinstall call in several test
recipes. This refactors those calls into a single simple script.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11565)

show more ...

Add support for passing the libctx to the config loader

The self tests for the fips module are triggered on startup and they need to know the
core's libctx in order to function correctly

Add support for passing the libctx to the config loader

The self tests for the fips module are triggered on startup and they need to know the
core's libctx in order to function correctly. As the provider can be autoloaded via configuration
it then needs to propagate the callers libctx down to the provider via the config load.

Note that OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, ..) is still called, but will only load the default
configuration if the OPENSSL_CONF environment variable is set.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11240)

show more ...

Use .cnf for config files, not .conf

The default is openssl.cnf The project seems to prefer xxx.conf these
days, but we should use the default convention.

Rename all foo.conf (

Use .cnf for config files, not .conf

The default is openssl.cnf The project seems to prefer xxx.conf these
days, but we should use the default convention.

Rename all foo.conf (except for Configurations) to foo.cnf

Fixes #11174

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11176)

show more ...

Introduce the provider property

Replace the properties default, fips and legacy with a single property
called "provider". So, for example, instead of writing "default=yes" to
get alg

Introduce the provider property

Replace the properties default, fips and legacy with a single property
called "provider". So, for example, instead of writing "default=yes" to
get algorithms from the default provider you would instead write
"provider=default". We also have a new "fips" property to indicate that
an algorithm is compatible with FIPS mode. This applies to all the
algorithms in the FIPS provider, as well as any non-cryptographic
algorithms (currently only serializers).

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11097)

show more ...

Fix typos in fipsinstall test

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10506)

Make relevant tests more sensitive to 'no-fips'

This applies to test/recipes/30-test_evp.t and
test/recipes/30-test_evp_fetch_prov.t.

Additionally, we make test/recipes/30-test_

Make relevant tests more sensitive to 'no-fips'

This applies to test/recipes/30-test_evp.t and
test/recipes/30-test_evp_fetch_prov.t.

Additionally, we make test/recipes/30-test_evp_fetch_prov.t data
driven, to make test number planning more automated, and to separate
what is unique from what is common to all the test cases.

[extended tests]

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10047)

show more ...

Add fips module integrity check

Add environment variable for setting CONF .include path

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openss

Add fips module integrity check

Add environment variable for setting CONF .include path

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9769)

show more ...