#
7ed6de99 |
| 05-Sep-2024 |
Tomas Mraz |
Copyright year updates Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes
|
#
05681e0e |
| 08-Aug-2024 |
slontis |
Add FIPS Indicator for ECDH cofactor. FIPS KAS requires use of ECC CDH. The EC 'B' and 'K' curves have a cofactor that is not 1, and this MUST be multiplied by the private key w
Add FIPS Indicator for ECDH cofactor. FIPS KAS requires use of ECC CDH. The EC 'B' and 'K' curves have a cofactor that is not 1, and this MUST be multiplied by the private key when deriving the shared secret. Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/25139)
show more ...
|
#
06da1473 |
| 03-Jul-2024 |
slontis |
Add FIPS indicators to evp_test evp_test code needed to be modified to defer setting algorithm contexts until the run phase. The parse functions also defer setting into the context u
Add FIPS indicators to evp_test evp_test code needed to be modified to defer setting algorithm contexts until the run phase. The parse functions also defer setting into the context until the run phase, which allows the context to initialize in a controlled order. This allows params to be passed into the algorithm init function. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24623)
show more ...
|
Revision tags: openssl-3.0.0-alpha17, openssl-3.0.0-alpha16 |
|
#
a70936a8 |
| 23-Apr-2021 |
Richard Levitte |
TEST: correct test/recipes/30-test_evp_data/evppkey_ecdh.txt Some keys with groups that aren't supported by FIPS were still used for Derive stanzas, even when testing with the FIPS provi
TEST: correct test/recipes/30-test_evp_data/evppkey_ecdh.txt Some keys with groups that aren't supported by FIPS were still used for Derive stanzas, even when testing with the FIPS provider. This was due to the flaw in evp_keymgmt_util_try_import() that meant that even though the key was invalid for FIPS, it could still come through, because the imported keydata wasn't cleared on import error. With that flaw corrected, these few Derive stanzas start failing. We mitigate this by making of "offending" Derive stanzas only available with the default provider. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/15008)
show more ...
|
Revision tags: openssl-3.0.0-alpha15 |
|
#
f5afac4b |
| 22-Apr-2021 |
Matt Caswell |
Update copyright year Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14986)
|
#
46eee710 |
| 11-Apr-2021 |
Shane Lontis |
Add domain parameter match check for DH and ECDH key exchange. Fixes #14808 Validation checks were moved into EVP_PKEY_derive_set_peer() which broke an external negative test. O
Add domain parameter match check for DH and ECDH key exchange. Fixes #14808 Validation checks were moved into EVP_PKEY_derive_set_peer() which broke an external negative test. Originally the old code was semi working by checking the peers public key was in the range of other parties p. It was not actually ever checking that the domain parameters were consistent between the 2 parties. It now checks the parameters match as well as validating the peers public key. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14823)
show more ...
|
Revision tags: openssl-3.0.0-alpha14, OpenSSL_1_1_1k, openssl-3.0.0-alpha13, openssl-3.0.0-alpha12, OpenSSL_1_1_1j, openssl-3.0.0-alpha11, openssl-3.0.0-alpha10, OpenSSL_1_1_1i, openssl-3.0.0-alpha9, openssl-3.0.0-alpha8, openssl-3.0.0-alpha7, OpenSSL_1_1_1h |
|
#
7a810fac |
| 04-Sep-2020 |
Shane Lontis |
Add 'fips-securitychecks' option and plumb this into the actual fips checks Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12745)
|
#
96b92410 |
| 29-Aug-2020 |
Richard Levitte |
Revert "TEST: separate out NIST ECC tests from non-NIST" This file split turned out to be a mistake as soon as the fetching error reporting got properly sorted. This reverts com
Revert "TEST: separate out NIST ECC tests from non-NIST" This file split turned out to be a mistake as soon as the fetching error reporting got properly sorted. This reverts commit e6ed04a9dcc2ead94e35c4a7400b9c998b5ad9ac. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12587)
show more ...
|
#
e6ed04a9 |
| 18-Aug-2020 |
Richard Levitte |
TEST: separate out NIST ECC tests from non-NIST ECC keys with non-NIST group names aren't supported when running with the FIPS provider. Keys with such groups that are included
TEST: separate out NIST ECC tests from non-NIST ECC keys with non-NIST group names aren't supported when running with the FIPS provider. Keys with such groups that are included in evp_test stanza files aren't even possible to decode if provider side decoders are used, since those depend on available EVP_KEYMGMT implementations and what they support. Those keys could only be decoded because the legacy decoders were used. To make these tests future proof, we separate out the stanzas having keys with NIST approved group names into separate files, and adjust the file lists in test/recipes/30-test_evp.t aaccordingly. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12672)
show more ...
|
#
5ccada09 |
| 07-Aug-2020 |
Shane Lontis |
Add evp_test fixes. Changed many tests so they also test fips (and removed 'availablein = default' from some tests). Seperated the monolithic evppkey.txt file into smaller maintainable g
Add evp_test fixes. Changed many tests so they also test fips (and removed 'availablein = default' from some tests). Seperated the monolithic evppkey.txt file into smaller maintainable groups. Changed the availablein option so it must be first - this then skips the entire test before any fetching happens. Changed the code so that all the OPENSSL_NO_XXXX tests are done in code via methods such as is_cipher_disabled(alg), before the fetch happens. Added missing libctx's found by adding a libctx to test_evp. Broke up large data files for cipher, kdf's and mac's into smaller pieces so they no longer need 'AvailableIn = default' Added missing algorithm aliases for cipher/digests to the providers. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12236)
show more ...
|