Copyright year updates


Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes

Cleanups for FIPS options..

The options in fipsprov.c are now generated using macros with fips_indicator_params.inc.
This should keep the naming consistent.

Some FIPS related he

Cleanups for FIPS options..

The options in fipsprov.c are now generated using macros with fips_indicator_params.inc.
This should keep the naming consistent.

Some FIPS related headers have moved to providers/fips/include so that
they can use fips_indicator_params.inc.
securitycheck.h now includes fipsindicator.h, and fipsindicator.h includes
fipscommon.h.

fipsinstall.c uses OSSL_PROV_PARAM_ for the configurable FIPS options rather than
using OSSL_PROV_FIPS_PARAM_* as this was confusing as to which one should be used.
fips_names.h just uses aliases now for existing public names.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25162)

show more ...

test: update SSL API test in light of PKCS#1 version 1.5 padding change under FIPS

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>

test: update SSL API test in light of PKCS#1 version 1.5 padding change under FIPS

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25070)

show more ...

90-test_sslapi.t: Fix execution of sslapitest with fips provider

Default configuration of the fips provider for tests is pedantic
which means that sslapitest was not fully executed with

90-test_sslapi.t: Fix execution of sslapitest with fips provider

Default configuration of the fips provider for tests is pedantic
which means that sslapitest was not fully executed with fips provider.

The ems check must be switched off for full execution.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24347)

show more ...

[feat] SSL RTT in both client and server statem. SSL_get_handshake_rtt makes it available

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siem

[feat] SSL RTT in both client and server statem. SSL_get_handshake_rtt makes it available

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20248)

show more ...

sslapi: use correct fipsmodule.cnf

The SSL API tests copies fipsmodule.cnf and modifies it. Unfortunately, it
grabbed the wrong instance of this file.

Reviewed-by: Tomas Mraz <

sslapi: use correct fipsmodule.cnf

The SSL API tests copies fipsmodule.cnf and modifies it. Unfortunately, it
grabbed the wrong instance of this file.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20762)

show more ...

Add option to FIPS module to enforce EMS check during KDF TLS1_PRF.

Fixes #19989

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merg

Add option to FIPS module to enforce EMS check during KDF TLS1_PRF.

Fixes #19989

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20241)

show more ...

Update copyright year

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes

SSL_conf_cmd: Allow DH Parameters at any position.

Fixes openssl#17326.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from h

SSL_conf_cmd: Allow DH Parameters at any position.

Fixes openssl#17326.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18041)

show more ...

Update copyright year

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14512)

TEST: Remove the build of fipsmodule.cnf from test recipes

The exception is the test recipe that tests 'openssl fipsinstall'.
However, that one uses a different output file name, so it's

TEST: Remove the build of fipsmodule.cnf from test recipes

The exception is the test recipe that tests 'openssl fipsinstall'.
However, that one uses a different output file name, so it's safe.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14320)

show more ...

TEST: Ensure that the base provider i activated when needed

The fips providers can't be activated alone if encoding, decoding or
STORE are going to be used.

To enable this, we s

TEST: Ensure that the base provider i activated when needed

The fips providers can't be activated alone if encoding, decoding or
STORE are going to be used.

To enable this, we selectively use test/fips-and-base.cnf instead of
test/fips.cnf in our test recipes.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12587)

show more ...

Make -provider_name and -section_name optional

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https:

Make -provider_name and -section_name optional

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12311)

show more ...

Add --fips-key configuration parameter to fipsinstall application.

Change default FIPS HMAC KEY from all-zero's
Use default FIPSKEY if not given on command line.
Make all -macopt in

Add --fips-key configuration parameter to fipsinstall application.

Change default FIPS HMAC KEY from all-zero's
Use default FIPSKEY if not given on command line.
Make all -macopt in fipsinstall optional
Make all tests, except fipsinstall, use the default -macopt and
-mac_name flags.
Define and use FIPSDIR variable on VMS/MMS.
Also use SRCDIR/BLDDIR in SRCTOP/BLDTOP.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12235)

show more ...

Centralise Environment Variables for the tests

The test_includes test was failing if OPENSSL_CONF_INCLUDE happened to
be set in the user's environment. To ensure that no tests accidental

Centralise Environment Variables for the tests

The test_includes test was failing if OPENSSL_CONF_INCLUDE happened to
be set in the user's environment. To ensure that no tests accidentally
use this or other enviroment variables from the user's environment we
automatically set them centrally for all tests.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11691)

show more ...

Rename fipsinstall.cnf->fipsmodule.cnf

Introduced by rebasing

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged f

Rename fipsinstall.cnf->fipsmodule.cnf

Introduced by rebasing

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11177)

show more ...

Update copyright year

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11616)

Re-enable FIPS testing in sslapitest.c

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11508)

Use a non-default libctx in sslapitest

We also don't load the default provider into the default libctx to make
sure there is no accidental "leakage".

Reviewed-by: Paul Dale <pau

Use a non-default libctx in sslapitest

We also don't load the default provider into the default libctx to make
sure there is no accidental "leakage".

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11508)

show more ...

Extend tests of SSL_check_chain()

Actually supply a chain and then test:
1) A successful check of both the ee and chain certs
2) A failure to check the ee cert
3) A failure to ch

Extend tests of SSL_check_chain()

Actually supply a chain and then test:
1) A successful check of both the ee and chain certs
2) A failure to check the ee cert
3) A failure to check a chain cert

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9442)

show more ...

Following the license change, modify the boilerplates in test/

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7767)

Update copyright year

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5990)

Add a test for SRP

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5925)

Test recipes: remove duplicate OpenSSL::Test usage

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1815)

Add some session API tests

This commit adds some session API tests, and in particular tests the
modified behaviour of SSL_set_session() introduced in the last commit. To
do this I ha

Add some session API tests

This commit adds some session API tests, and in particular tests the
modified behaviour of SSL_set_session() introduced in the last commit. To
do this I have factored out some common code from the asynciotest into a
new ssltestlib.c file. I've also renamed getsettest to sslapitest as this
more closely matches what it now is!

Reviewed-by: Rich Salz <rsalz@openssl.org>

show more ...