| #
01244adf |
| 27-Feb-2024 |
slontis |
fipsinstall: Save the 'status indicator' if the FIPS provider is 3.0.X.
Fixes #23400
The 3.1 FIPS provider no longer writes out the 'status indicator' by
default due to changes
fipsinstall: Save the 'status indicator' if the FIPS provider is 3.0.X.
Fixes #23400
The 3.1 FIPS provider no longer writes out the 'status indicator' by
default due to changes related to FIPS 140-3 requirements. For Backwards
compatability if the fipsinstall detects it is loading a 3.0.X FIPS
provider then it will save the 'status indicator' by default.
Disclaimer: Using a fipsinstall command line utility that is not supplied
with the FIPS provider tarball source is not recommended.
This PR deliberately does not attempt to exclude any additional options
that were added after 3.0.X. These additional options will be ignored by older
providers.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Hugo Landau <hlandau@devever.net>
(Merged from https://github.com/openssl/openssl/pull/23689)
show more ...
|
| #
fc68cf21 |
| 21-Sep-2024 |
Dimitri John Ledkov |
kdfs: implement key length check in X9.42
Similar to other KDFs, the input key should be 112 bits long.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dal
kdfs: implement key length check in X9.42
Similar to other KDFs, the input key should be 112 bits long.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25529)
show more ...
|
| #
3be63875 |
| 30-Sep-2024 |
Dimitri John Ledkov |
docs: document options added in openssl-fipsinstall 3.4+
Document new command line options added in 3.4.0
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul D
docs: document options added in openssl-fipsinstall 3.4+
Document new command line options added in 3.4.0
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25546)
show more ...
|
| #
9331a202 |
| 30-Sep-2024 |
Dimitri John Ledkov |
docs: document options added in openssl-fipsinstall 3.2+
Document new command line options added in 3.2.0
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul D
docs: document options added in openssl-fipsinstall 3.2+
Document new command line options added in 3.2.0
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25546)
show more ...
|
| #
1b52b24a |
| 30-Sep-2024 |
Dimitri John Ledkov |
docs: document options added in openssl-fipsinstall 3.1+
Document new command line options added in 3.1.0
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul D
docs: document options added in openssl-fipsinstall 3.1+
Document new command line options added in 3.1.0
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25546)
show more ...
|
| #
634d8432 |
| 30-Sep-2024 |
Dimitri John Ledkov |
docs: add HISTORY section to openssl-fipsinstall (3.0+)
Documents when the command was added.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <ppzgs1@
docs: add HISTORY section to openssl-fipsinstall (3.0+)
Documents when the command was added.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25546)
show more ...
|
| #
7ed6de99 |
| 05-Sep-2024 |
Tomas Mraz |
Copyright year updates
Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
|
| #
ea396c70 |
| 05-Aug-2024 |
slontis |
Add FIPS KMAC key check
This adds a FIPS indicator for KMAC key size.
Note that 112 bits keys are still smaller than the
sizes required to reach 128 bits for KMAC128 and
256 bits
Add FIPS KMAC key check
This adds a FIPS indicator for KMAC key size.
Note that 112 bits keys are still smaller than the
sizes required to reach 128 bits for KMAC128 and
256 bits for KMAC256
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25049)
show more ...
|
| #
390f00a1 |
| 31-Jul-2024 |
slontis |
Add HMAC FIPS keysize check.
HMAC has been changed to use a FIPS indicator for its key check.
HKDF and Single Step use a salt rather than a key when using HMAC,
so we need a mec
Add HMAC FIPS keysize check.
HMAC has been changed to use a FIPS indicator for its key check.
HKDF and Single Step use a salt rather than a key when using HMAC,
so we need a mechanism to bypass this check in HMAC.
A seperate 'internal' query table has been added to the FIPS provider
for MACS. Giving HMAC a seprate dispatch table allows KDF's to ignore
the key check. If a KDF requires the key check then it must do the
check itself. The normal MAC dipatch table is used if the user fetches
HMAC directly.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25049)
show more ...
|
| #
a6aa2d1f |
| 14-Aug-2024 |
Pauli |
Revert "doc: add documentation for -eddsa_no_verify_digested fipsinstall option"
This reverts commit b00ea9a6a2a72f5ac7b38e82c9a7b6796972fc36.
Reviewed-by: Shane Lontis <shane.lonti
Revert "doc: add documentation for -eddsa_no_verify_digested fipsinstall option"
This reverts commit b00ea9a6a2a72f5ac7b38e82c9a7b6796972fc36.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25192)
show more ...
|
| #
05681e0e |
| 08-Aug-2024 |
slontis |
Add FIPS Indicator for ECDH cofactor.
FIPS KAS requires use of ECC CDH.
The EC 'B' and 'K' curves have a cofactor that is not 1, and this
MUST be multiplied by the private key w
Add FIPS Indicator for ECDH cofactor.
FIPS KAS requires use of ECC CDH.
The EC 'B' and 'K' curves have a cofactor that is not 1, and this
MUST be multiplied by the private key when deriving the shared secret.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25139)
show more ...
|
| #
f3c03be3 |
| 07-Aug-2024 |
pohsingwu |
Restrict salt length for RSA-PSS in the FIPS provider
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/o
Restrict salt length for RSA-PSS in the FIPS provider
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25115)
show more ...
|
| #
5d6e692c |
| 25-Jul-2024 |
Pauli |
doc: document -signature_digest_check option to fipsinstall
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https:
doc: document -signature_digest_check option to fipsinstall
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)
show more ...
|
| #
8d52cf52 |
| 05-Aug-2024 |
Pauli |
doc: document kbkdf key check argument for fipsinstall
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com
doc: document kbkdf key check argument for fipsinstall
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25095)
show more ...
|
| #
08bd84b2 |
| 31-Jul-2024 |
Pauli |
doc: document the fipsintsall option to disallow PKCS#1 version 1.5 padding for key agreement & transport
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavsk
doc: document the fipsintsall option to disallow PKCS#1 version 1.5 padding for key agreement & transport
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25070)
show more ...
|
| #
b00ea9a6 |
| 30-Jul-2024 |
Pauli |
doc: add documentation for -eddsa_no_verify_digested fipsinstall option
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from h
doc: add documentation for -eddsa_no_verify_digested fipsinstall option
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25032)
show more ...
|
| #
aa3830c3 |
| 26-Jul-2024 |
pohsingwu |
Add new configurable item `pbkdf2-lower-bound-check`
Since FIPS provider performs lower bound check by default from v3.0, the
default value for new configurable item will be one.
Add new configurable item `pbkdf2-lower-bound-check`
Since FIPS provider performs lower bound check by default from v3.0, the
default value for new configurable item will be one.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24120)
show more ...
|
| #
1b838621 |
| 02-Jun-2024 |
pohsingwu |
Restrict the length of key-derivation key used in KDFs
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/o
Restrict the length of key-derivation key used in KDFs
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/23900)
show more ...
|
| #
07e4d7f4 |
| 29-Jul-2024 |
slontis |
Add RSA Signature restrictions for X9.31 padding in the FIPS provider.
In FIPS 140-3, RSA Signing with X9.31 padding is not approved,
but verification is allowed for legacy purposes. An
Add RSA Signature restrictions for X9.31 padding in the FIPS provider.
In FIPS 140-3, RSA Signing with X9.31 padding is not approved,
but verification is allowed for legacy purposes. An indicator has been added
for RSA signing with X9.31 padding.
A strict restriction on the size of the RSA modulus has been added
i.e. It must be 1024 + 256 * s (which is part of the ANSI X9.31 spec).
Added implementation comments to the X9.31 padding code
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24021)
show more ...
|
| #
bc431587 |
| 22-Jul-2024 |
slontis |
Add FIPS indicator support for Triple-DES encryption.
This leaves 3DES with the FIPS query "FIPS=yes", which allows
Triple-DES to be used for Decryption by default.
Disallow CMA
Add FIPS indicator support for Triple-DES encryption.
This leaves 3DES with the FIPS query "FIPS=yes", which allows
Triple-DES to be used for Decryption by default.
Disallow CMAC using Triple-DES in FIPS.
This does not use a FIPS indicator.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24960)
show more ...
|
| #
fc98a2f6 |
| 17-Jul-2024 |
Pauli |
doc: document no_short_mac option to fipsinstall
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/
doc: document no_short_mac option to fipsinstall
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24917)
show more ...
|
| #
85caa417 |
| 04-Jul-2024 |
slontis |
Disable DSA signing in the FIPS provider.
This is a FIPS 140-3 requirement.
This uses a FIP indicator if either the FIPS configurable "dsa_sign_disabled" is set to 0,
OR OSSL_SIGNATU
Disable DSA signing in the FIPS provider.
This is a FIPS 140-3 requirement.
This uses a FIP indicator if either the FIPS configurable "dsa_sign_disabled" is set to 0,
OR OSSL_SIGNATURE_PARAM_FIPS_SIGN_CHECK is set to 0 in the dsa signing context.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24799)
show more ...
|
| #
6d47e819 |
| 02-Jun-2024 |
pohsingwu |
Restrict digest algorithm used in KDFs
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/
Restrict digest algorithm used in KDFs
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23889)
show more ...
|
| #
da1c088f |
| 07-Sep-2023 |
Matt Caswell |
Copyright year updates
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
|
| #
d30fec6f |
| 17-Apr-2023 |
Pauli |
doc: document the -pedantic option to fipsinstall.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/ope
doc: document the -pedantic option to fipsinstall.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20752)
show more ...
|
