Update links in CONTRIBUTING.md

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25073)

Fix some small typos

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25073)

Test vectors from rfc9579 and creation tests

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pul

Test vectors from rfc9579 and creation tests

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24577)

show more ...

Implementation of the RFC 9579, PBMAC1 in PKCS#12 - documentation

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.co

Implementation of the RFC 9579, PBMAC1 in PKCS#12 - documentation

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24577)

show more ...

Implementation of the RFC 9579, PBMAC1 in PKCS#12

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openss

Implementation of the RFC 9579, PBMAC1 in PKCS#12

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24577)

show more ...

test: omit failing test when using a FIPS provider that supports eddsa_no_verify_digested

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>

test: omit failing test when using a FIPS provider that supports eddsa_no_verify_digested

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25032)

show more ...

test: update EdDSA tests for FIPS and no pre-hashing

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/o

test: update EdDSA tests for FIPS and no pre-hashing

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25032)

show more ...

EdDSA: disallow verification from a pregenerated hash when in FIPS

Also includes an indicator and the capability to bypass via configuration
or params.

Fixes #24937

Rev

EdDSA: disallow verification from a pregenerated hash when in FIPS

Also includes an indicator and the capability to bypass via configuration
or params.

Fixes #24937

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25032)

show more ...

fips: add no digested option to FIPS provider

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/

fips: add no digested option to FIPS provider

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25032)

show more ...

param: add OSSL_SIGNATURE_PARAM_EDDSA_VERIFY_DIGESTED

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/

param: add OSSL_SIGNATURE_PARAM_EDDSA_VERIFY_DIGESTED

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25032)

show more ...

doc: add verify-digested param for EdDSA

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/opens

doc: add verify-digested param for EdDSA

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25032)

show more ...

doc: add documentation for -eddsa_no_verify_digested fipsinstall option

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from h

doc: add documentation for -eddsa_no_verify_digested fipsinstall option

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25032)

show more ...

fipsinstall: add ed_no_verify_digested option

FIPS doesn't permit message hashes to be processed by thee algorithms.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Sha

fipsinstall: add ed_no_verify_digested option

FIPS doesn't permit message hashes to be processed by thee algorithms.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25032)

show more ...

Add FIPS DSA Keygen tests

Adjust the existing tests to disable DSA keygen in FIPS mode.

Allow evp_test to load DSA 'KeyParams' that can then be used to
perform a DSA KeyGen.

Add FIPS DSA Keygen tests

Adjust the existing tests to disable DSA keygen in FIPS mode.

Allow evp_test to load DSA 'KeyParams' that can then be used to
perform a DSA KeyGen.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24978)

show more ...

Disallow DSA Keygen in the FIPS provider

This uses a FIPS indicator.
Since DSA KeyGen is only useful for DSA signing,
it reuses the DSA signing FIPS configuration option and settable

Disallow DSA Keygen in the FIPS provider

This uses a FIPS indicator.
Since DSA KeyGen is only useful for DSA signing,
it reuses the DSA signing FIPS configuration option and settable ctx name.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24978)

show more ...

Add KeyManagement keygen parameter getter/gettable functions.

Added OSSL_FUNC_keymgmt_gen_get_params() and
OSSL_FUNC_keymgmt_gen_gettable_params()

This will allow a FIPS indicat

Add KeyManagement keygen parameter getter/gettable functions.

Added OSSL_FUNC_keymgmt_gen_get_params() and
OSSL_FUNC_keymgmt_gen_gettable_params()

This will allow a FIPS indicator parameter to be queried after keygen.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24978)

show more ...

Fix evp_test HKDF failure in crosstest 3.1.2 FIPS provider with master

Fixes #25089
The test to check if the FIPS indicator was correct failed in 3.1.2
since EVP_PKEY_CTX_get_params(

Fix evp_test HKDF failure in crosstest 3.1.2 FIPS provider with master

Fixes #25089
The test to check if the FIPS indicator was correct failed in 3.1.2
since EVP_PKEY_CTX_get_params() returns 0 if there is no
gettable/getter.

The code has been modified to return 1 if there is no gettable.
Manually reproduced and tested by copying the 3.1.2 FIPS provider to master.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25093)

show more ...

github: fix quoting in github workflow for jitter tests

Nested quoting got ignore previously. And this way one can specify
string name directly.

Successfully run with Jitter at

github: fix quoting in github workflow for jitter tests

Nested quoting got ignore previously. And this way one can specify
string name directly.

Successfully run with Jitter at
https://github.com/xnox/openssl/actions/runs/10223149419/job/28289017013

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25053)

show more ...

Add new configurable item `pbkdf2-lower-bound-check`

Since FIPS provider performs lower bound check by default from v3.0, the
default value for new configurable item will be one.

Add new configurable item `pbkdf2-lower-bound-check`

Since FIPS provider performs lower bound check by default from v3.0, the
default value for new configurable item will be one.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24120)

show more ...

Add explicit indicator for PBKDF2

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/

Add explicit indicator for PBKDF2

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24120)

show more ...

Do not implicitly start connection with SSL_handle_events() or SSL_poll()

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from htt

Do not implicitly start connection with SSL_handle_events() or SSL_poll()

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25069)

show more ...

Return infinity time from SSL_get_event_timeout when the connection is not started

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged

Return infinity time from SSL_get_event_timeout when the connection is not started

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25069)

show more ...

Do not falsely start the connection through SSL_pending()/_has_pending()

Fixes #25054

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

Do not falsely start the connection through SSL_pending()/_has_pending()

Fixes #25054

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25069)

show more ...

fix: util/mkinstallvars.pl mistreated LDLIBS on Unix (and Windows)

Don't do comma separation on those platforms.

Fixes #24986

Reviewed-by: Neil Horman <nhorman@openssl.org>

fix: util/mkinstallvars.pl mistreated LDLIBS on Unix (and Windows)

Don't do comma separation on those platforms.

Fixes #24986

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25018)

show more ...

ssl_evp_cipher_fetch(): Avoid using 3DES from the FIPS provider

Avoid using a fetched cipher that is decrypt-only
which is the case for 3DES from the fips provider.

Add a decryp

ssl_evp_cipher_fetch(): Avoid using 3DES from the FIPS provider

Avoid using a fetched cipher that is decrypt-only
which is the case for 3DES from the fips provider.

Add a decrypt-only parameter to the EVP_CIPHER and test it
in libssl when fetching.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25028)

show more ...