first cut at KEM & key management skeletons

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.or

first cut at KEM & key management skeletons

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25640)

show more ...

Cleanups for FIPS options..

The options in fipsprov.c are now generated using macros with fips_indicator_params.inc.
This should keep the naming consistent.

Some FIPS related he

Cleanups for FIPS options..

The options in fipsprov.c are now generated using macros with fips_indicator_params.inc.
This should keep the naming consistent.

Some FIPS related headers have moved to providers/fips/include so that
they can use fips_indicator_params.inc.
securitycheck.h now includes fipsindicator.h, and fipsindicator.h includes
fipscommon.h.

fipsinstall.c uses OSSL_PROV_PARAM_ for the configurable FIPS options rather than
using OSSL_PROV_FIPS_PARAM_* as this was confusing as to which one should be used.
fips_names.h just uses aliases now for existing public names.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25162)

show more ...

Add VERSIONINFO resource to legacy provider if it is not builtin

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale

Add VERSIONINFO resource to legacy provider if it is not builtin

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18416)

show more ...

Add Windows VERSIONINFO resource to fips provider dll.

Fixes #18388

This just looks like an omission, as this is added to libcrypto and libssl

Reviewed-by: Richard Levitte

Add Windows VERSIONINFO resource to fips provider dll.

Fixes #18388

This just looks like an omission, as this is added to libcrypto and libssl

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18416)

show more ...

Avoid duplicating prov_running.o in libdefault and libcrypto

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github

Avoid duplicating prov_running.o in libdefault and libcrypto

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15704)

show more ...

Rework how providers/fipsmodule.cnf is produced

First of all, we have concluded that we can calculate the integrity
checksum with a simple perl script.

Second, having the produc

Rework how providers/fipsmodule.cnf is produced

First of all, we have concluded that we can calculate the integrity
checksum with a simple perl script.

Second, having the production of providers/fipsmodule.cnf as a
dependency for run_tests wasn't quite right. What we really want is
to generate it as soon as a new providers/fips.so is produced. That
required a small bit of fiddling with how diverse dependencies are
made.

Fixes #15166

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15436)

show more ...

Makefile: Make sure providers/fipsmodule.cnf is re-built also for run_tests

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14901)

Drop libimplementations.a

libimplementations.a was a nice idea, but had a few flaws:

1. The idea to have common code in libimplementations.a and FIPS
sensitive helper funct

Drop libimplementations.a

libimplementations.a was a nice idea, but had a few flaws:

1. The idea to have common code in libimplementations.a and FIPS
sensitive helper functions in libfips.a / libnonfips.a didn't
catch on, and we saw full implementation ending up in them instead
and not appearing in libimplementations.a at all.

2. Because more or less ALL algorithm implementations were included
in libimplementations.a (the idea being that the appropriate
objects from it would be selected automatically by the linker when
building the shared libraries), it's very hard to find only the
implementation source that should go into the FIPS module, with
the result that the FIPS checksum mechanism include source files
that it shouldn't

To mitigate, we drop libimplementations.a, but retain the idea of
collecting implementations in static libraries. With that, we not
have:

libfips.a

Includes all implementations that should become part of the FIPS
provider.

liblegacy.a

Includes all implementations that should become part of the legacy
provider.

libdefault.a

Includes all implementations that should become part of the
default and base providers.

With this, libnonfips.a becomes irrelevant and is dropped.
libcommon.a is retained to include common provider code that can be
used uniformly by all providers.

Fixes #15157

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15171)

show more ...

test: never run fipsinstall if the tests are not enabled.

Fixes #15056

The dependency for fipsinstall was being added to the makefile regardless of
it being used. This means th

test: never run fipsinstall if the tests are not enabled.

Fixes #15056

The dependency for fipsinstall was being added to the makefile regardless of
it being used. This means that a subsequent `make test` would fail if the
command line application wasn't present. Rather than fix the instance in question,
it is better to leave out this part of the makefile if the tests cannot be
run.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15057)

show more ...

Make fipsinstall -out flag optional

If -out is not specified, send output to stdout.
Fix documentation errors.
Remove "-out -" from an invocation.

Reviewed-by: Shane Lontis

Make fipsinstall -out flag optional

If -out is not specified, send output to stdout.
Fix documentation errors.
Remove "-out -" from an invocation.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14623)

show more ...

Make 'tests' depend on a generated 'providers/fipsmodule.cnf'

providers/fipsmodule.cnf is generated using 'openssl fipsinstall' with
the openssl program in the build directory.

Make 'tests' depend on a generated 'providers/fipsmodule.cnf'

providers/fipsmodule.cnf is generated using 'openssl fipsinstall' with
the openssl program in the build directory.

Fixes #14315

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14320)

show more ...

providers/build.info: Tag the FIPS module, for the build file

The build file templates have code to pick up the 'fips' attribute and
thereby find out what module is the FIPS without havi

providers/build.info: Tag the FIPS module, for the build file

The build file templates have code to pick up the 'fips' attribute and
thereby find out what module is the FIPS without having to resort to
ugly hard coding.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13032)

show more ...

provider: add an 'is_running' call to all providers.

It can be accessed (read only) via the status parameter.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://g

provider: add an 'is_running' call to all providers.

It can be accessed (read only) via the status parameter.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)

show more ...

serialisation: Add a built-in base provider.

Move the libcrypto serialisation functionality into a place where it can
be provided at some point. The serialisation still remains native in

serialisation: Add a built-in base provider.

Move the libcrypto serialisation functionality into a place where it can
be provided at some point. The serialisation still remains native in the
default provider.

Add additional code to the list command to display what kind of serialisation
each entry is capable of.

Having the FIPS provider auto load the base provider is a future
(but necessary) enhancement.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12104)

show more ...

PROV: Move bio_prov.c from libcommon.a to libfips.a / libnonfips.a

libcommon.a is FIPS agnostic, while libfips.a and libnonfips.a are
FIPS / non-FIPS specific. Since bio_prov.c checks F

PROV: Move bio_prov.c from libcommon.a to libfips.a / libnonfips.a

libcommon.a is FIPS agnostic, while libfips.a and libnonfips.a are
FIPS / non-FIPS specific. Since bio_prov.c checks FIPS_MODULE, it
belongs to the latter.

Along with this, a bit more instruction commentary is added to
providers/build.info.

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/12486)

show more ...

include source root directory via -I for libnonfips.a

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11682)

Fix some misunderstandings in our providers' main modules

This started with adding forward declarations of all provider side
interface functions, and fixing all compiler errors.

Fix some misunderstandings in our providers' main modules

This started with adding forward declarations of all provider side
interface functions, and fixing all compiler errors.

Furthermore, diminish the faulty assumption that the provider context
is and always will be just a library context. That means adding a
teardown function in all providers that aren't necessarily built into
libcrypto.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11777)

show more ...

Rename FIPS_MODE to FIPS_MODULE

This macro is used to determine if certain pieces of code should
become part of the FIPS module or not. The old name was confusing.

Fixes #11538

Rename FIPS_MODE to FIPS_MODULE

This macro is used to determine if certain pieces of code should
become part of the FIPS module or not. The old name was confusing.

Fixes #11538

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11539)

show more ...

Add a null provider which implements no algorithms.

By loading the null provider into the default context, it is possible
to verify that it is not accidentally being used.

Revie

Add a null provider which implements no algorithms.

By loading the null provider into the default context, it is possible
to verify that it is not accidentally being used.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11488)

show more ...

Move legacy ciphers into the legacy provider

DES, idea, seed, rc2, rc4, rc5, cast and blowfish have been moved out of the default provider.
Code shared between desx and tdes has been mov

Move legacy ciphers into the legacy provider

DES, idea, seed, rc2, rc4, rc5, cast and blowfish have been moved out of the default provider.
Code shared between desx and tdes has been moved into a seperate file (cipher_tdes_common.c).
3 test recipes failed due to using app/openssl calls that used legacy ciphers.
These calls have been updated to supply both the default and legacy providers.
Fixed openssl app '-provider' memory leak

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11419)

show more ...

PROV: Build the main FIPS module code with FIPS_MODE defined

Without that, its main source wasn't compiled correctly.

Fixes #11089

Reviewed-by: Matthias St. Pierre <Matthia

PROV: Build the main FIPS module code with FIPS_MODE defined

Without that, its main source wasn't compiled correctly.

Fixes #11089

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11090)

show more ...

EVP & PROV: Fix all platform inclusions

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/opens

EVP & PROV: Fix all platform inclusions

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10662)

show more ...

Fix some typos

Reported-by: misspell-fixer <https://github.com/vlajos/misspell-fixer>

CLA: trivial

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Revie

Fix some typos

Reported-by: misspell-fixer <https://github.com/vlajos/misspell-fixer>

CLA: trivial

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10544)

show more ...

Move providers/common/{ciphers,digests}/* to providers/implementations

The idea to have all these things in providers/common was viable as
long as the implementations was spread around t

Move providers/common/{ciphers,digests}/* to providers/implementations

The idea to have all these things in providers/common was viable as
long as the implementations was spread around their main providers.
This is, however, no longer the case, so we move the common blocks
closer to the source that use them.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10564)

show more ...

Cleanup: move provider mains up

providers/default/defltprov.c and providers/legacy/legacyprov.c
are moved up to providers/ and providers/build.info is adjusted
accordingly.

Cleanup: move provider mains up

providers/default/defltprov.c and providers/legacy/legacyprov.c
are moved up to providers/ and providers/build.info is adjusted
accordingly.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10088)

show more ...