#
7ed6de99 |
| 05-Sep-2024 |
Tomas Mraz |
Copyright year updates Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes
|
#
4b7b40f2 |
| 09-Aug-2024 |
slontis |
FIPS: Remove ability to bypass the FIPS self tests This is a FIPS 140-3 requirement. It should not be done as a FIPS indicator. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25147)
|
#
250a7adb |
| 01-Aug-2024 |
slontis |
Add "no-fips-post" configure option. Using this option disables the OpenSSL FIPS provider self tests. This is intended for debugging purposes only, as it breaks FIPS compliance. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25063)
|
#
fffa78c2 |
| 05-Sep-2023 |
Pauli |
fips selftest: avoid relying on a real RNG for self tests Rather than instantiate the private and primary DRBGs during the selftest, instead use a test RNG. This leaves the DRBG setup pristine and permits later replacement of the seed source despite the very early running power up self tests. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21964)
|
#
da1c088f |
| 07-Sep-2023 |
Matt Caswell |
Copyright year updates Reviewed-by: Richard Levitte <levitte@openssl.org> Release: yes
|
#
ff934cfd |
| 14-Jun-2023 |
Pauli |
fips: use tsan counter instead of tsan_add to increment Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/21199)
|
#
8e9ca334 |
| 13-Jun-2023 |
Pauli |
fips: use memory ordering rather than locks The FIPS provider accesses its current state under lock. This is overkill, little or no synchronisation is actually required in practice (because it's essentially a read only setting). Switch to using TSAN operations in preference. Fixes #21179 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21187)
|
#
33290c53 |
| 26-Oct-2022 |
Pauli |
fips: verify that the RNG was restored after the self tests Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/19510)
|
#
a11064c8 |
| 26-Oct-2022 |
Pauli |
Update FIPS KATs for 140-3 Co-authored-by: Randall Steck <rsteck@thinqsoft.com> Co-authored-by: Mark J. Minnoch <mark@keypair.us> Co-authored-by: Steve Weymann <steve@keypair.us> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/19510)
|
#
df1e33bc |
| 27-Jul-2022 |
Rob Mc Gee |
Updating ifdefs to account for xlclang compiler frontend on AIX. The fallback DEP works fine there. XLC should be unaffected. CLA: trivial Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18892)
|
#
fecb3aae |
| 03-May-2022 |
Matt Caswell |
Update copyright year Reviewed-by: Tomas Mraz <tomas@openssl.org> Release: yes
|
#
2dc3a4a4 |
| 21-Apr-2022 |
Jon Spillett |
Prefer GNU library initialization mechanism over platform one If GNU toolchain is used, use the __attribute__((constructor)) Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18147)
|
#
d5f9166b |
| 04-Feb-2022 |
Richard Levitte |
Move e_os.h to include/internal Including e_os.h with a path from a header file doesn't work well on certain exotic platforms. It simply fails to build. Since we don't seem to be able to stop ourselves, the better move is to move e_os.h to an include directory that's part of the inclusion path given to the compiler. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17641)
|
#
d9ee027e |
| 17-Jun-2021 |
Tomas Mraz |
aix64-gcc target: Fix build breakage with enable-fips Fixes #15804 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15807)
|
#
69e0f8cc |
| 07-Jun-2021 |
Shane Lontis |
Fix AIX FIPS DEP. The entry point needs the option 'binitfini', but it was not being added since the perl code to detect the match did not work. The entry point for AIX is no longer static - so a wrapper has been added to call the static version. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15636)
|
#
449bdf37 |
| 25-May-2021 |
Rich Salz |
Use "" for include internal/xxx Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15468)
|
Revision tags: openssl-3.0.0-alpha17, openssl-3.0.0-alpha16 |
|
#
2abffec0 |
| 05-May-2021 |
Shane Lontis |
Add fipsinstall option to run self test KATS on module load Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15149)
|
#
c45df330 |
| 18-May-2021 |
Pauli |
fips: default to running self tests when starting the fips provider Also add a C++ constructor as per note 7 of IG 9.10 if no DEP is available and C++ is being used. Fixes #15322 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15324)
|
Revision tags: openssl-3.0.0-alpha15, openssl-3.0.0-alpha14, OpenSSL_1_1_1k, openssl-3.0.0-alpha13 |
|
#
cd3f8c1b |
| 18-Feb-2021 |
Rich Salz |
Always check CRYPTO_LOCK_{read,write}_lock Some functions that lock things are void, so we just return early. Also make ossl_namemap_empty return 0 on error. Updated the docs, and added some code to ossl_namemap_stored() to handle the failure, and updated the tests to allow for failure. Fixes: #14230 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14238)
|
#
fbff75ca |
| 25-Feb-2021 |
Pauli |
fips: update to use the extra MAC init arguments Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/14310)
|
Revision tags: openssl-3.0.0-alpha12, OpenSSL_1_1_1j |
|
#
3262300a |
| 13-Feb-2021 |
Richard Levitte |
Adjust the few places where the string length was confused Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14168)
|
#
a28d06f3 |
| 18-Feb-2021 |
Matt Caswell |
Update copyright year Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14235)
|
#
2741128e |
| 05-Feb-2021 |
Tomas Mraz |
Move the PROV_R reason codes to a public header The PROV_R codes can be returned to applications so it is useful to have some common set of provider reason codes for the applications or third party providers. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/14086)
|
Revision tags: openssl-3.0.0-alpha11 |
|
#
40994605 |
| 27-Jan-2021 |
Matt Caswell |
Ensure access to FIPS_state and rate_limit is appropriately locked These variables can be accessed concurrently from multiple threads so we ensure that we properly lock them before read or write. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13987)
|
Revision tags: openssl-3.0.0-alpha10, OpenSSL_1_1_1i, openssl-3.0.0-alpha9, openssl-3.0.0-alpha8, openssl-3.0.0-alpha7 |
|
#
b4250010 |
| 15-Oct-2020 |
Dr. Matthias St. Pierre |
Rename OPENSSL_CTX prefix to OSSL_LIB_CTX Many of the new types introduced by OpenSSL 3.0 have an OSSL_ prefix, e.g., OSSL_CALLBACK, OSSL_PARAM, OSSL_ALGORITHM, OSSL_SERIALIZER. The OPENSSL_CTX type stands out a little by using a different prefix. For consistency reasons, this type is renamed to OSSL_LIB_CTX. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12621)
|