docs: document options added in openssl-fipsinstall 3.4+

Document new command line options added in 3.4.0

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul D

docs: document options added in openssl-fipsinstall 3.4+

Document new command line options added in 3.4.0

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25546)

show more ...

docs: document options added in openssl-fipsinstall 3.2+

Document new command line options added in 3.2.0

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul D

docs: document options added in openssl-fipsinstall 3.2+

Document new command line options added in 3.2.0

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25546)

show more ...

docs: document options added in openssl-fipsinstall 3.1+

Document new command line options added in 3.1.0

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul D

docs: document options added in openssl-fipsinstall 3.1+

Document new command line options added in 3.1.0

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25546)

show more ...

docs: add HISTORY section to openssl-fipsinstall (3.0+)

Documents when the command was added.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <ppzgs1@

docs: add HISTORY section to openssl-fipsinstall (3.0+)

Documents when the command was added.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25546)

show more ...

Add CHANGES entry

To match changes in #25526

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/

Add CHANGES entry

To match changes in #25526

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25536)

show more ...

test: fix unit tests for fips CRNG tests

To match changes in #25526

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged f

test: fix unit tests for fips CRNG tests

To match changes in #25526

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25536)

show more ...

doc: fix typo in CRNG test documentation.

To match changes in #25526

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged

doc: fix typo in CRNG test documentation.

To match changes in #25526

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25536)

show more ...

fips: Prohibit SHA1 in DH & ECDH exchange

See Section 5 Key Agreement Using Diffie-Hellman and MQV of
[NIST SP 800-131Ar2](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.8

fips: Prohibit SHA1 in DH & ECDH exchange

See Section 5 Key Agreement Using Diffie-Hellman and MQV of
[NIST SP 800-131Ar2](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf).

Strengths less than 112bits is disallowed, thus eliminating SHA1.

Skip cms test case that requires use of SHA1 with X9.42 DH.

Rename ossl_fips_ind_digest_check to ossl_fips_ind_digest_exch_check

Add myself to Changes for fips indicator work

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25517)

show more ...

Check file name for not being NULL before opening it

Fixes #24416

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from h

Check file name for not being NULL before opening it

Fixes #24416

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25458)

show more ...

Fix examples in EVP_PKEY_encapsulate/decapsulate documentation

Fixes #25448

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
R

Fix examples in EVP_PKEY_encapsulate/decapsulate documentation

Fixes #25448

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25450)

show more ...

Remove double engine reference in ossl_ec_key_dup()

Fixes #25260

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https:

Remove double engine reference in ossl_ec_key_dup()

Fixes #25260

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25453)

show more ...

Fix NULL ptr dereference on EC_POINT *point

Use non-usual params of pkcs11 module will trigger a null ptr deref bug. Fix it for #25493

CLA: trivial

Reviewed-by: Tim Hudson

Fix NULL ptr dereference on EC_POINT *point

Use non-usual params of pkcs11 module will trigger a null ptr deref bug. Fix it for #25493

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25496)

show more ...

Rename list macros

The quic implementation defined a set of LIST_* macros for list
manipulation, which conflicts with the generally support BSD api found
in the queue.h system header

Rename list macros

The quic implementation defined a set of LIST_* macros for list
manipulation, which conflicts with the generally support BSD api found
in the queue.h system header. While this isn't normally a problem, A
report arrived indicating that MacOSX appears to implicitly include
queue.h from another system header which causes definition conflicts.

As the openssl macros are internal only, it seems the most sensible
thing to do is place them in a well known namespace for our library to
avoid the conflict, so add an OSSL_ prefix to all our macros

Fixes #25516

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/25519)

show more ...

check-format.pl: do checks regarding statement/block after for() also on {OSSL_,}LIST_FOREACH{,_*}

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com

check-format.pl: do checks regarding statement/block after for() also on {OSSL_,}LIST_FOREACH{,_*}

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25535)

show more ...

ctr-drbg: always use the DF for OpenSSL's DRBGs

Force the use of the derivation function when creating OpenSSL's internal
DRBGs.

FIPS mandates the use of a derivation function,

ctr-drbg: always use the DF for OpenSSL's DRBGs

Force the use of the derivation function when creating OpenSSL's internal
DRBGs.

FIPS mandates the use of a derivation function, so 3.4 cannot be validated as
it stands which run counter to the indicator work that was included.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Hugo Landau <hlandau@devever.net>
(Merged from https://github.com/openssl/openssl/pull/25511)

(cherry picked from commit 0ab796ef9674b378ac644ad8d477685619a2ff37)

show more ...

Check sk_X509_value result before dereference

issuer passed as second parameter to check_issued may result in
NULL dereference

CLA: trivial

Reviewed-by: Hugo Landau <hl

Check sk_X509_value result before dereference

issuer passed as second parameter to check_issued may result in
NULL dereference

CLA: trivial

Reviewed-by: Hugo Landau <hlandau@devever.net>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24760)

show more ...

document the format of DSA signature

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23762)

80-test_cmp_http.t: fix handling of IPv6 server host (localhost '::1')

Fixes 22467

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>

80-test_cmp_http.t: fix handling of IPv6 server host (localhost '::1')

Fixes 22467

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25010)

show more ...

doc/man{1,3}: fix details on IPv6 host addresses and of whitespace in no_proxy

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged f

doc/man{1,3}: fix details on IPv6 host addresses and of whitespace in no_proxy

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25010)

show more ...

OSSL_HTTP_adapt_proxy(): fix handling of escaped IPv6 host addresses and of whitespace in no_proxy

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openss

OSSL_HTTP_adapt_proxy(): fix handling of escaped IPv6 host addresses and of whitespace in no_proxy

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25010)

show more ...

OSSL_HTTP_open(): fix completion with default port for IPv6 host addresses

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from

OSSL_HTTP_open(): fix completion with default port for IPv6 host addresses

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25010)

show more ...

http_server.{c,h}: make clear that IPv4 or IPv6 is used by http_server_init()

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged fr

http_server.{c,h}: make clear that IPv4 or IPv6 is used by http_server_init()

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25010)

show more ...

http_server.c: fix checks of error return code in http_server_init()

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https:

http_server.c: fix checks of error return code in http_server_init()

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25010)

show more ...

BIO_s_accept.pod: fix whitespace nits: '<=0' -> '<= 0'

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/o

BIO_s_accept.pod: fix whitespace nits: '<=0' -> '<= 0'

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25010)

show more ...

Fix smime-type for AuthEnvelopedData

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull

Fix smime-type for AuthEnvelopedData

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25482)

show more ...