| #
7ed6de99 |
| 05-Sep-2024 |
Tomas Mraz |
Copyright year updates
Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
|
| #
f6a296c3 |
| 12-Aug-2024 |
slontis |
Cleanups for FIPS options..
The options in fipsprov.c are now generated using macros with fips_indicator_params.inc.
This should keep the naming consistent.
Some FIPS related he
Cleanups for FIPS options..
The options in fipsprov.c are now generated using macros with fips_indicator_params.inc.
This should keep the naming consistent.
Some FIPS related headers have moved to providers/fips/include so that
they can use fips_indicator_params.inc.
securitycheck.h now includes fipsindicator.h, and fipsindicator.h includes
fipscommon.h.
fipsinstall.c uses OSSL_PROV_PARAM_ for the configurable FIPS options rather than
using OSSL_PROV_FIPS_PARAM_* as this was confusing as to which one should be used.
fips_names.h just uses aliases now for existing public names.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25162)
show more ...
|
| #
d0575619 |
| 02-Aug-2024 |
Pauli |
test: update SSL old test in light of PKCS#1 version 1.5 padding change under FIPS
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
test: update SSL old test in light of PKCS#1 version 1.5 padding change under FIPS
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25070)
show more ...
|
| #
85caa417 |
| 04-Jul-2024 |
slontis |
Disable DSA signing in the FIPS provider.
This is a FIPS 140-3 requirement.
This uses a FIP indicator if either the FIPS configurable "dsa_sign_disabled" is set to 0,
OR OSSL_SIGNATU
Disable DSA signing in the FIPS provider.
This is a FIPS 140-3 requirement.
This uses a FIP indicator if either the FIPS configurable "dsa_sign_disabled" is set to 0,
OR OSSL_SIGNATURE_PARAM_FIPS_SIGN_CHECK is set to 0 in the dsa signing context.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24799)
show more ...
|
| #
7bf2e4d7 |
| 04-May-2022 |
Pauli |
tls: ban SSL3, TLS1, TLS1.1 and DTLS1.0 at security level one and above
This is in line with the NEWS entry (erroneously) announcing such for 3.0.
Fixes #18194
Reviewed-by:
tls: ban SSL3, TLS1, TLS1.1 and DTLS1.0 at security level one and above
This is in line with the NEWS entry (erroneously) announcing such for 3.0.
Fixes #18194
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18236)
show more ...
|
| #
fecb3aae |
| 03-May-2022 |
Matt Caswell |
Update copyright year
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes
|
| #
d71151ae |
| 23-Feb-2022 |
Nicola Tuveri |
[ssl] Add tests for Perfect Forward Secrecy criteria on SECLEVEL >= 3
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas
[ssl] Add tests for Perfect Forward Secrecy criteria on SECLEVEL >= 3
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17763)
show more ...
|
| #
8fff986d |
| 14-Jan-2022 |
Bernd Edlinger |
Cleanup record length checks for KTLS
In some corner cases the check for packets
which exceed the allowed record length was missing
when KTLS is initially enabled, when some
unpr
Cleanup record length checks for KTLS
In some corner cases the check for packets
which exceed the allowed record length was missing
when KTLS is initially enabled, when some
unprocessed packets are still pending.
Add at least some tests for KTLS, since we have
currently not very much test coverage for KTLS.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17504)
show more ...
|
| #
0c7ec1d2 |
| 21-Jun-2021 |
Pauli |
test: put the new DHE auto test in the correct place
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15840)
|
| #
c602fadc |
| 18-Jun-2021 |
Pauli |
test: fix indentation
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15824)
|
| #
a0430488 |
| 18-Jun-2021 |
Pauli |
test: replace tabs with spaces in test recipes
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/
test: replace tabs with spaces in test recipes
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15824)
show more ...
|
| #
d0e5230d |
| 18-Jun-2021 |
Pauli |
test: add test for auto DH security level meets the minimum
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/o
test: add test for auto DH security level meets the minimum
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15818)
show more ...
|
|
Revision tags: openssl-3.0.0-alpha17, openssl-3.0.0-alpha16, openssl-3.0.0-alpha15, openssl-3.0.0-alpha14, OpenSSL_1_1_1k, openssl-3.0.0-alpha13, openssl-3.0.0-alpha12, OpenSSL_1_1_1j, openssl-3.0.0-alpha11, openssl-3.0.0-alpha10 |
|
| #
91f2b15f |
| 12-Dec-2020 |
Dr. David von Oheimb |
TEST: Prefer using precomputed RSA and DH keys for more efficient tests
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://gi
TEST: Prefer using precomputed RSA and DH keys for more efficient tests
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13715)
show more ...
|
|
Revision tags: OpenSSL_1_1_1i, openssl-3.0.0-alpha9, openssl-3.0.0-alpha8, openssl-3.0.0-alpha7 |
|
| #
e25b4db7 |
| 29-Sep-2020 |
Richard Levitte |
TEST: Remove the build of fipsmodule.cnf from test recipes
The exception is the test recipe that tests 'openssl fipsinstall'.
However, that one uses a different output file name, so it's
TEST: Remove the build of fipsmodule.cnf from test recipes
The exception is the test recipe that tests 'openssl fipsinstall'.
However, that one uses a different output file name, so it's safe.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14320)
show more ...
|
| #
a763ca11 |
| 14-Jan-2021 |
Matt Caswell |
Stop disabling TLSv1.3 if ec and dh are disabled
Even if EC and DH are disabled then we may still be able to use TLSv1.3
if we have groups that have been plugged in by an external provid
Stop disabling TLSv1.3 if ec and dh are disabled
Even if EC and DH are disabled then we may still be able to use TLSv1.3
if we have groups that have been plugged in by an external provider.
Fixes #13767
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)
show more ...
|
| #
4333b89f |
| 28-Jan-2021 |
Richard Levitte |
Update copyright year
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13999)
|
| #
1d1d2312 |
| 06-Jan-2021 |
Dr. David von Oheimb |
80-test_ssl_old.t: Minor corrections: update name of test dir etc.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13711)
|
| #
49da54b9 |
| 02-Dec-2020 |
Matt Caswell |
Don't use legacy provider if not available in test_ssl_old
If we've been configured with no-legacy then we should not attempt to
load the legacy provider.
Reviewed-by: Richard L
Don't use legacy provider if not available in test_ssl_old
If we've been configured with no-legacy then we should not attempt to
load the legacy provider.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13595)
show more ...
|
| #
20f8bc72 |
| 29-Nov-2020 |
Dr. David von Oheimb |
test cleanup: move helper .c and .h files to test/helpers/
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13568)
|
| #
5658470c |
| 27-Nov-2020 |
Dr. David von Oheimb |
endecode_test.c: Significant speedup in generating DH and DHX keys
Fixes #13495
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openss
endecode_test.c: Significant speedup in generating DH and DHX keys
Fixes #13495
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13552)
show more ...
|
| #
6955e3f7 |
| 10-Nov-2020 |
Matt Caswell |
Re-enable testing of ciphersuites
Commit be9d82bb3 inadvertently disabled ciphersuite testing. This masked
some issues. Therefore we fix this testing.
Reviewed-by: Tomas Mraz <t
Re-enable testing of ciphersuites
Commit be9d82bb3 inadvertently disabled ciphersuite testing. This masked
some issues. Therefore we fix this testing.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13378)
show more ...
|
|
Revision tags: OpenSSL_1_1_1h |
|
| #
7192e4df |
| 30-Aug-2020 |
Richard Levitte |
TEST: Ensure that the base provider i activated when needed
The fips providers can't be activated alone if encoding, decoding or
STORE are going to be used.
To enable this, we s
TEST: Ensure that the base provider i activated when needed
The fips providers can't be activated alone if encoding, decoding or
STORE are going to be used.
To enable this, we selectively use test/fips-and-base.cnf instead of
test/fips.cnf in our test recipes.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12587)
show more ...
|
|
Revision tags: openssl-3.0.0-alpha6, openssl-3.0.0-alpha5 |
|
| #
5744dacb |
| 29-Jun-2020 |
Rich Salz |
Make -provider_name and -section_name optional
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https:
Make -provider_name and -section_name optional
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12311)
show more ...
|
| #
31214258 |
| 29-Jun-2020 |
Rich Salz |
Add --fips-key configuration parameter to fipsinstall application.
Change default FIPS HMAC KEY from all-zero's
Use default FIPSKEY if not given on command line.
Make all -macopt in
Add --fips-key configuration parameter to fipsinstall application.
Change default FIPS HMAC KEY from all-zero's
Use default FIPSKEY if not given on command line.
Make all -macopt in fipsinstall optional
Make all tests, except fipsinstall, use the default -macopt and
-mac_name flags.
Define and use FIPSDIR variable on VMS/MMS.
Also use SRCDIR/BLDDIR in SRCTOP/BLDTOP.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12235)
show more ...
|
|
Revision tags: openssl-3.0.0-alpha4, openssl-3.0.0-alpha3, openssl-3.0.0-alpha2 |
|
| #
2b584ff3 |
| 27-Apr-2020 |
Rich Salz |
Update manpage to fix examples, other minor tweaks
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from http
Update manpage to fix examples, other minor tweaks
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11347)
show more ...
|
