History log of /openssl/test/recipes/30-test_evp_data/evppkey_ecdh.txt (Results 1 – 10 of 10)
Revision Date Author Comments
# 7ed6de99 05-Sep-2024 Tomas Mraz

Copyright year updates


Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes


# 05681e0e 08-Aug-2024 slontis

Add FIPS Indicator for ECDH cofactor.

FIPS KAS requires use of ECC CDH.

The EC 'B' and 'K' curves have a cofactor that is not 1, and this
MUST be multiplied by the private key when deriving the shared secret.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25139)



# 06da1473 03-Jul-2024 slontis

Add FIPS indicators to evp_test

evp_test code needed to be modified to defer setting algorithm contexts
until the run phase. The parse functions also defer setting into the context
until the run phase, which allows the context to initialize in a controlled order.
This allows params to be passed into the algorithm init function.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24623)



Revision tags: openssl-3.0.0-alpha17, openssl-3.0.0-alpha16
# a70936a8 23-Apr-2021 Richard Levitte

TEST: correct test/recipes/30-test_evp_data/evppkey_ecdh.txt

Some keys with groups that aren't supported by FIPS were still used
for Derive stanzas, even when testing with the FIPS provider.
This was due to the flaw in evp_keymgmt_util_try_import() that meant
that even though the key was invalid for FIPS, it could still come
through, because the imported keydata wasn't cleared on import error.
With that flaw corrected, these few Derive stanzas start failing.

We mitigate this by making the "offending" Derive stanzas only
available with the default provider.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15008)



Revision tags: openssl-3.0.0-alpha15
# f5afac4b 22-Apr-2021 Matt Caswell

Update copyright year

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14986)


# 46eee710 11-Apr-2021 Shane Lontis

Add domain parameter match check for DH and ECDH key exchange.

Fixes #14808

Validation checks were moved into EVP_PKEY_derive_set_peer() which broke
an external negative test. Originally the old code was semi working by
checking the peer's public key was in the range of the other party's p.
It was not actually ever checking that the domain parameters were
consistent between the 2 parties. It now checks the parameters match as
well as validating the peer's public key.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14823)



Revision tags: openssl-3.0.0-alpha14, OpenSSL_1_1_1k, openssl-3.0.0-alpha13, openssl-3.0.0-alpha12, OpenSSL_1_1_1j, openssl-3.0.0-alpha11, openssl-3.0.0-alpha10, OpenSSL_1_1_1i, openssl-3.0.0-alpha9, openssl-3.0.0-alpha8, openssl-3.0.0-alpha7, OpenSSL_1_1_1h
# 7a810fac 04-Sep-2020 Shane Lontis

Add 'fips-securitychecks' option and plumb this into the actual fips checks

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12745)


# 96b92410 29-Aug-2020 Richard Levitte

Revert "TEST: separate out NIST ECC tests from non-NIST"

This file split turned out to be a mistake as soon as the fetching
error reporting got properly sorted.

This reverts commit e6ed04a9dcc2ead94e35c4a7400b9c998b5ad9ac.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12587)



# e6ed04a9 18-Aug-2020 Richard Levitte

TEST: separate out NIST ECC tests from non-NIST

ECC keys with non-NIST group names aren't supported when running with
the FIPS provider.

Keys with such groups that are included in evp_test stanza files
aren't even possible to decode if provider side decoders are used,
since those depend on available EVP_KEYMGMT implementations and what
they support.

Those keys could only be decoded because the legacy decoders were
used.

To make these tests future proof, we separate out the stanzas having
keys with NIST approved group names into separate files, and adjust
the file lists in test/recipes/30-test_evp.t accordingly.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12672)



# 5ccada09 07-Aug-2020 Shane Lontis

Add evp_test fixes.

Changed many tests so they also test fips (and removed 'availablein = default' from some tests).
Separated the monolithic evppkey.txt file into smaller maintainable groups.
Changed the availablein option so it must be first - this then skips the entire test before any fetching happens.
Changed the code so that all the OPENSSL_NO_XXXX tests are done in code via methods such as is_cipher_disabled(alg),
before the fetch happens.
Added missing libctx's found by adding a libctx to test_evp.
Broke up large data files for cipher, kdf's and mac's into smaller pieces so they no longer need 'AvailableIn = default'
Added missing algorithm aliases for cipher/digests to the providers.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12236)
