12d14de6 | 30-Sep-2024 |
Pauli |
test: add FIPS version check for EC cofactor derive tests These were added in #25548 but didn't include a FIPS version check which causes failures testing older FIPS providers against la
test: add FIPS version check for EC cofactor derive tests These were added in #25548 but didn't include a FIPS version check which causes failures testing older FIPS providers against later versions. Also change some skips to use TEST_skip. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25582)
show more ...
|
2f362e99 | 26-Sep-2024 |
slontis |
Fix bugs in ECDH cofactor FIPS indicator. The code was not detecting that the cofactor was set up correctly if OSSL_PKEY_PARAM_USE_COFACTOR_ECDH was set, resulting in an incorrect FI
Fix bugs in ECDH cofactor FIPS indicator. The code was not detecting that the cofactor was set up correctly if OSSL_PKEY_PARAM_USE_COFACTOR_ECDH was set, resulting in an incorrect FIPS indicator error being triggered. Added a test for all possible combinations of a EVP_PKEY setting OSSL_PKEY_PARAM_USE_COFACTOR_ECDH and the derive context setting OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE. This only affects the B & K curves (which have a cofactor that is not 1). Bug reported by @abkarcher Testing this properly, also detected a memory leak of privk when the FIPS indicator error was triggered (in the case where mode = 0 and use_cofactor was 1). Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25548)
show more ...
|
fc68cf21 | 21-Sep-2024 |
Dimitri John Ledkov |
kdfs: implement key length check in X9.42 Similar to other KDFs, the input key should be 112 bits long. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dal
kdfs: implement key length check in X9.42 Similar to other KDFs, the input key should be 112 bits long. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25529)
show more ...
|
3be63875 | 30-Sep-2024 |
Dimitri John Ledkov |
docs: document options added in openssl-fipsinstall 3.4+ Document new command line options added in 3.4.0 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul D
docs: document options added in openssl-fipsinstall 3.4+ Document new command line options added in 3.4.0 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25546)
show more ...
|
9331a202 | 30-Sep-2024 |
Dimitri John Ledkov |
docs: document options added in openssl-fipsinstall 3.2+ Document new command line options added in 3.2.0 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul D
docs: document options added in openssl-fipsinstall 3.2+ Document new command line options added in 3.2.0 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25546)
show more ...
|
1b52b24a | 30-Sep-2024 |
Dimitri John Ledkov |
docs: document options added in openssl-fipsinstall 3.1+ Document new command line options added in 3.1.0 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul D
docs: document options added in openssl-fipsinstall 3.1+ Document new command line options added in 3.1.0 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25546)
show more ...
|
634d8432 | 30-Sep-2024 |
Dimitri John Ledkov |
docs: add HISTORY section to openssl-fipsinstall (3.0+) Documents when the command was added. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@
docs: add HISTORY section to openssl-fipsinstall (3.0+) Documents when the command was added. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25546)
show more ...
|
c788f1c6 | 25-Sep-2024 |
Pauli |
Add CHANGES entry To match changes in #25526 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/
Add CHANGES entry To match changes in #25526 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25536)
show more ...
|
00819648 | 25-Sep-2024 |
Pauli |
test: fix unit tests for fips CRNG tests To match changes in #25526 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged f
test: fix unit tests for fips CRNG tests To match changes in #25526 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25536)
show more ...
|
d927eb29 | 25-Sep-2024 |
Pauli |
doc: fix typo in CRNG test documentation. To match changes in #25526 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged
doc: fix typo in CRNG test documentation. To match changes in #25526 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25536)
show more ...
|
ed686232 | 23-Sep-2024 |
Dimitri John Ledkov |
fips: Prohibit SHA1 in DH & ECDH exchange See Section 5 Key Agreement Using Diffie-Hellman and MQV of [NIST SP 800-131Ar2](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.8
fips: Prohibit SHA1 in DH & ECDH exchange See Section 5 Key Agreement Using Diffie-Hellman and MQV of [NIST SP 800-131Ar2](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf). Strengths less than 112bits is disallowed, thus eliminating SHA1. Skip cms test case that requires use of SHA1 with X9.42 DH. Rename ossl_fips_ind_digest_check to ossl_fips_ind_digest_exch_check Add myself to Changes for fips indicator work Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/25517)
show more ...
|
3ef1b742 | 13-Sep-2024 |
Зишан Мирза |
Check file name for not being NULL before opening it Fixes #24416 Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from h
Check file name for not being NULL before opening it Fixes #24416 Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25458)
show more ...
|
4f899849 | 12-Sep-2024 |
Зишан Мирза |
Fix examples in EVP_PKEY_encapsulate/decapsulate documentation Fixes #25448 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> R
Fix examples in EVP_PKEY_encapsulate/decapsulate documentation Fixes #25448 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25450)
show more ...
|
ffc5a296 | 16-Sep-2024 |
Зишан Мирза |
Remove double engine reference in ossl_ec_key_dup() Fixes #25260 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https:
Remove double engine reference in ossl_ec_key_dup() Fixes #25260 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25453)
show more ...
|
8ac42a5f | 19-Sep-2024 |
Shawn C |
Fix NULL ptr dereference on EC_POINT *point Use non-usual params of pkcs11 module will trigger a null ptr deref bug. Fix it for #25493 CLA: trivial Reviewed-by: Tim Hudson
Fix NULL ptr dereference on EC_POINT *point Use non-usual params of pkcs11 module will trigger a null ptr deref bug. Fix it for #25493 CLA: trivial Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25496)
show more ...
|
c4ec708b | 23-Sep-2024 |
Neil Horman |
Rename list macros The quic implementation defined a set of LIST_* macros for list manipulation, which conflicts with the generally support BSD api found in the queue.h system header
Rename list macros The quic implementation defined a set of LIST_* macros for list manipulation, which conflicts with the generally support BSD api found in the queue.h system header. While this isn't normally a problem, A report arrived indicating that MacOSX appears to implicitly include queue.h from another system header which causes definition conflicts. As the openssl macros are internal only, it seems the most sensible thing to do is place them in a well known namespace for our library to avoid the conflict, so add an OSSL_ prefix to all our macros Fixes #25516 Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Saša Nedvědický <sashan@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/25519)
show more ...
|
91ec19e9 | 24-Sep-2024 |
Dr. David von Oheimb |
check-format.pl: do checks regarding statement/block after for() also on {OSSL_,}LIST_FOREACH{,_*} Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com
check-format.pl: do checks regarding statement/block after for() also on {OSSL_,}LIST_FOREACH{,_*} Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/25535)
show more ...
|
260ecea0 | 23-Sep-2024 |
Pauli |
ctr-drbg: always use the DF for OpenSSL's DRBGs Force the use of the derivation function when creating OpenSSL's internal DRBGs. FIPS mandates the use of a derivation function,
ctr-drbg: always use the DF for OpenSSL's DRBGs Force the use of the derivation function when creating OpenSSL's internal DRBGs. FIPS mandates the use of a derivation function, so 3.4 cannot be validated as it stands which run counter to the indicator work that was included. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Hugo Landau <hlandau@devever.net> (Merged from https://github.com/openssl/openssl/pull/25511) (cherry picked from commit 0ab796ef9674b378ac644ad8d477685619a2ff37)
show more ...
|
9d71a662 | 24-Jul-2024 |
JohnnySavages |
Check sk_X509_value result before dereference issuer passed as second parameter to check_issued may result in NULL dereference CLA: trivial Reviewed-by: Hugo Landau <hl
Check sk_X509_value result before dereference issuer passed as second parameter to check_issued may result in NULL dereference CLA: trivial Reviewed-by: Hugo Landau <hlandau@devever.net> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24760)
show more ...
|
e7abc211 | 06-Mar-2024 |
Vladimir Kotal |
document the format of DSA signature Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23762) |
1ef3032e | 26-Jul-2024 |
David von Oheimb |
80-test_cmp_http.t: fix handling of IPv6 server host (localhost '::1') Fixes 22467 Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
80-test_cmp_http.t: fix handling of IPv6 server host (localhost '::1') Fixes 22467 Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25010)
show more ...
|
ac91bd88 | 01-Aug-2024 |
David von Oheimb |
doc/man{1,3}: fix details on IPv6 host addresses and of whitespace in no_proxy Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged f
doc/man{1,3}: fix details on IPv6 host addresses and of whitespace in no_proxy Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25010)
show more ...
|
fe004a09 | 01-Aug-2024 |
David von Oheimb |
OSSL_HTTP_adapt_proxy(): fix handling of escaped IPv6 host addresses and of whitespace in no_proxy Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openss
OSSL_HTTP_adapt_proxy(): fix handling of escaped IPv6 host addresses and of whitespace in no_proxy Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25010)
show more ...
|
1c90d36a | 01-Aug-2024 |
David von Oheimb |
OSSL_HTTP_open(): fix completion with default port for IPv6 host addresses Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from
OSSL_HTTP_open(): fix completion with default port for IPv6 host addresses Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25010)
show more ...
|
ec4b123a | 31-Jul-2024 |
David von Oheimb |
http_server.{c,h}: make clear that IPv4 or IPv6 is used by http_server_init() Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged fr
http_server.{c,h}: make clear that IPv4 or IPv6 is used by http_server_init() Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25010)
show more ...
|