CI: Fix GCM IV check in acvp_test for crosstest

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/

CI: Fix GCM IV check in acvp_test for crosstest

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25223)

show more ...

speed.c: Return success with -testmode -async_jobs if not ASYNC_is_capable()

Fixes #25203

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@ar

speed.c: Return success with -testmode -async_jobs if not ASYNC_is_capable()

Fixes #25203

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25204)

show more ...

test: add a default greeting to avoid printing a null pointer.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https:/

test: add a default greeting to avoid printing a null pointer.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/25221)

show more ...

Add an indicator for AES GCM that returns if the iv has been generated
internally.

This is not using a strict check since there may be applications that
require the IV to be generate

Add an indicator for AES GCM that returns if the iv has been generated
internally.

This is not using a strict check since there may be applications that
require the IV to be generated externally (e.g. java).

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25178)

show more ...

list_tls_signatures(): Avoid leak with zero length builtin_sigalgs

Fixes Coverity 1616307

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.o

list_tls_signatures(): Avoid leak with zero length builtin_sigalgs

Fixes Coverity 1616307

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25219)

show more ...

We can't check policy if we got an empty stack of certs

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/o

We can't check policy if we got an empty stack of certs

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25186)

show more ...

Move docker files to test

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25091)

Add workflow to do nightly build of interop container and push to quay

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://gith

Add workflow to do nightly build of interop container and push to quay

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25091)

show more ...

Add dockerfile for generation of a quic interop container

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openss

Add dockerfile for generation of a quic interop container

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25091)

show more ...

Fix unpredictible refcount handling of d2i functions

The passed in reference of a ref-counted object
is free'd by d2i functions in the error handling.
However if it is not the last r

Fix unpredictible refcount handling of d2i functions

The passed in reference of a ref-counted object
is free'd by d2i functions in the error handling.
However if it is not the last reference, the
in/out reference variable is not set to null here.
This makes it impossible for the caller to handle
the error correctly, because there are numerous
cases where the passed in reference is free'd
and set to null, while in other cases, where the
passed in reference is not free'd, the reference
is left untouched.

Therefore the passed in reference must be set
to NULL even when it was not the last reference.

Fixes #23713

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22809)

show more ...

Extend test case for reused PEM_ASN1_read_bio

This is related to #22780, simply add test cases
for the different failure modes of PEM_ASN1_read_bio.
Depending on whether the PEM or t

Extend test case for reused PEM_ASN1_read_bio

This is related to #22780, simply add test cases
for the different failure modes of PEM_ASN1_read_bio.
Depending on whether the PEM or the DER format is valid or not,
the passed in CRL may be deleted ot not, therefore a statement
like this:

reused_crl = PEM_read_bio_X509_CRL(b, &reused_crl, NULL, NULL);

must be avoided, because it can create memory leaks.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22809)

show more ...

replace static declarations

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2519

replace static declarations

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25192)

show more ...

Revert "fipsinstall: add ed_no_verify_digested option"

This reverts commit 70b6d57fd94fe11fa2510bc8026fa6a6ead51d68.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed

Revert "fipsinstall: add ed_no_verify_digested option"

This reverts commit 70b6d57fd94fe11fa2510bc8026fa6a6ead51d68.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25192)

show more ...

Revert "doc: add documentation for -eddsa_no_verify_digested fipsinstall option"

This reverts commit b00ea9a6a2a72f5ac7b38e82c9a7b6796972fc36.

Reviewed-by: Shane Lontis <shane.lonti

Revert "doc: add documentation for -eddsa_no_verify_digested fipsinstall option"

This reverts commit b00ea9a6a2a72f5ac7b38e82c9a7b6796972fc36.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25192)

show more ...

Revert "doc: add verify-digested param for EdDSA"

This reverts commit ab02a297eb3d7f314eea371038c0b8e4038f658b.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by:

Revert "doc: add verify-digested param for EdDSA"

This reverts commit ab02a297eb3d7f314eea371038c0b8e4038f658b.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25192)

show more ...

Revert "param: add OSSL_SIGNATURE_PARAM_EDDSA_VERIFY_DIGESTED"

This reverts commit 5abd7e5f796a9564c5f020053833deee1b9f7c6e.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>

Revert "param: add OSSL_SIGNATURE_PARAM_EDDSA_VERIFY_DIGESTED"

This reverts commit 5abd7e5f796a9564c5f020053833deee1b9f7c6e.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25192)

show more ...

Revert "fips: add no digested option to FIPS provider"

This reverts commit 889277effb65b7f276e375cf0176c4c8597f4203.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed

Revert "fips: add no digested option to FIPS provider"

This reverts commit 889277effb65b7f276e375cf0176c4c8597f4203.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25192)

show more ...

Revert "EdDSA: disallow verification from a pregenerated hash when in FIPS"

This reverts commit 2d759937e2ee78c27c83f1433f79b33256ab1a39.

Reviewed-by: Shane Lontis <shane.lontis@ora

Revert "EdDSA: disallow verification from a pregenerated hash when in FIPS"

This reverts commit 2d759937e2ee78c27c83f1433f79b33256ab1a39.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25192)

show more ...

Revert "test: update EdDSA tests for FIPS and no pre-hashing"

This reverts commit 09eaf16771fe5b5b57cac0ddfd6bf8ca3584134b.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
R

Revert "test: update EdDSA tests for FIPS and no pre-hashing"

This reverts commit 09eaf16771fe5b5b57cac0ddfd6bf8ca3584134b.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25192)

show more ...

Revert "test: omit failing test when using a FIPS provider that supports eddsa_no_verify_digested"

This reverts commit 54933db9f0e1a03b644cecc6735f8f2025b748b5.

Reviewed-by: Shane L

Revert "test: omit failing test when using a FIPS provider that supports eddsa_no_verify_digested"

This reverts commit 54933db9f0e1a03b644cecc6735f8f2025b748b5.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25192)

show more ...

Revert "Apply the FIPS_eddsa_no_verify_digested indicator on prehash EdDSA only"

This reverts commit ca112fccdd34a8538f14ddf8c3569b8331eae357.

Reviewed-by: Shane Lontis <shane.lonti

Revert "Apply the FIPS_eddsa_no_verify_digested indicator on prehash EdDSA only"

This reverts commit ca112fccdd34a8538f14ddf8c3569b8331eae357.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25192)

show more ...

FIPS: Remove ability to bypass the FIPS self tests

This is a FIPS 140-3 requirement.
It should not be done as a FIPS indicator.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Rev

FIPS: Remove ability to bypass the FIPS self tests

This is a FIPS 140-3 requirement.
It should not be done as a FIPS indicator.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25147)

show more ...

Change existing evp_test KeyGen Ctrls to use provider algorithm
parameter names.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged

Change existing evp_test KeyGen Ctrls to use provider algorithm
parameter names.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25008)

show more ...

Update evp_test KeyGen

The EVP_PKEY_CTX is now created in keygen_test_run().
keygen_test_parse() inserts all values into KEYGEN_TEST_DATA.
The 'Ctrl' parameters have been changed to

Update evp_test KeyGen

The EVP_PKEY_CTX is now created in keygen_test_run().
keygen_test_parse() inserts all values into KEYGEN_TEST_DATA.
The 'Ctrl' parameters have been changed to just be settables,
rather than using legacy controls.

Added EC keygen tests

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25008)

show more ...

Restrict FIPS EC Keygen to only allow curves with a security strength
>=112 bits

Add a FIPS indicator to EC keygen

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by

Restrict FIPS EC Keygen to only allow curves with a security strength
>=112 bits

Add a FIPS indicator to EC keygen

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25008)

show more ...