Add a CMAC test

We did not have a test of the low level CMAC APIs so we add one. This is
heavily based on the HMAC test.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(

Add a CMAC test

We did not have a test of the low level CMAC APIs so we add one. This is
heavily based on the HMAC test.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11972)

show more ...

Correctly handle the return value from EVP_Cipher() in the CMAC code

EVP_Cipher() is a very low level routine that directly calls the
underlying cipher function. It's return value semant

Correctly handle the return value from EVP_Cipher() in the CMAC code

EVP_Cipher() is a very low level routine that directly calls the
underlying cipher function. It's return value semantics are very odd.
Depending on the type of cipher 0 or -1 is returned on error. We should
just check for <=0 for a failure.

Fixes #11957

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11972)

show more ...

Ensure we never use a partially initialised CMAC_CTX

If the CMAC_CTX is partially initialised then we make a note of this so
that future operations will fail if the initialisation has no

Ensure we never use a partially initialised CMAC_CTX

If the CMAC_CTX is partially initialised then we make a note of this so
that future operations will fail if the initialisation has not been
completed.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11972)

show more ...

run_tests.pl: Add options for focussing output on failed (sub-)tests

VERBOSE_FAILURES_ONLY (VFO): verbose output only of failed (sub-)tests
VERBOSE_FAILURES_PROGRESS (VFP): in addition s

run_tests.pl: Add options for focussing output on failed (sub-)tests

VERBOSE_FAILURES_ONLY (VFO): verbose output only of failed (sub-)tests
VERBOSE_FAILURES_PROGRESS (VFP): in addition summary for passed tests
This adds a workaroud for TAP::Parser not coping well with indentation.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12088)

show more ...

Make error output of dhparams and dsaparams app more consistent

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12062)

Generate error queue entry on FFC_CHECK_BAD_LN_PAIR for DH and DSA

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12062)

Silence gcc false positive warning on refdatalen in test/tls13encryptiontest.c

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Re

Silence gcc false positive warning on refdatalen in test/tls13encryptiontest.c

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12042)

show more ...

Silence gcc false positive warning on alpn_protos_len in test/handshake_helper.c

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>

Silence gcc false positive warning on alpn_protos_len in test/handshake_helper.c

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12042)

show more ...

Update RSA keygen to use sp800-56b by default

Fixes #11742
Fixes #11764

The newer RSA sp800-56b algorithm is being used for the normal case of a non multiprime key of at least l

Update RSA keygen to use sp800-56b by default

Fixes #11742
Fixes #11764

The newer RSA sp800-56b algorithm is being used for the normal case of a non multiprime key of at least length 2048.
Insecure key lengths and mutltiprime RSA will use the old method.

Bad public exponents are no longer allowed (i.e values less than 65537 or even). Values such as 2 that would cause a infinite loop now result in an error. The value of 3 has been marked as deprecated but is still allowed for legacy purposes.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11765)

show more ...

Add a test for renegotiation with EXTMS dropped

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12045)

Do not allow dropping Extended Master Secret extension on renegotiaton

Abort renegotiation if server receives client hello with Extended Master
Secret extension dropped in comparison to

Do not allow dropping Extended Master Secret extension on renegotiaton

Abort renegotiation if server receives client hello with Extended Master
Secret extension dropped in comparison to the initial session.

Fixes #9754

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12045)

show more ...

use safe primes in ssl_get_auto_dh()

DH_get_1024_160() and DH_get_2048_224() return parameters from
RFC5114. Those parameters include primes with known small subgroups,
making them u

use safe primes in ssl_get_auto_dh()

DH_get_1024_160() and DH_get_2048_224() return parameters from
RFC5114. Those parameters include primes with known small subgroups,
making them unsafe. Change the code to use parameters from
RFC 2409 and RFC 3526 instead (group 2 and 14 respectively).

This patch also adds automatic selection of 4096 bit params for 4096 bit
RSA keys

Signed-off-by: Hubert Kario <hkario@redhat.com>

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12061)

show more ...

APPS: Fix 'openssl dhparam'

'dhparam' can't be completely rewritten in terms of EVP_PKEY functions
yet, because we lack X9.42 support. However, we do when generating,
but forgot to

APPS: Fix 'openssl dhparam'

'dhparam' can't be completely rewritten in terms of EVP_PKEY functions
yet, because we lack X9.42 support. However, we do when generating,
but forgot to extract a DH pointer with EVP_PKEY_get0_DH().

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/12048)

show more ...

APPS: Fix 'openssl dsaparam -genkey'

Using a parameter EVP_PKEY for key generation with EVP_PKEY routines
works a little differently than the raw DSA routines that were used
before.

APPS: Fix 'openssl dsaparam -genkey'

Using a parameter EVP_PKEY for key generation with EVP_PKEY routines
works a little differently than the raw DSA routines that were used
before.

While fixing that, clean away all remaining use of the DSA type, which
simplifies the code a bit more.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/12048)

show more ...

EVP: Let EVP_PKEY_gen() initialize ctx->keygen_info

In EVP_PKEY_METHOD code, the backend initializes ctx->keygen_info.
With provider side code, it's not possible to reach back into the

EVP: Let EVP_PKEY_gen() initialize ctx->keygen_info

In EVP_PKEY_METHOD code, the backend initializes ctx->keygen_info.
With provider side code, it's not possible to reach back into the
EVP_PKEY_CTX in the same manner, so we need to make that
initialization in the central generation function, EVP_PKEY_gen().

This isn't quite compatible with the idea that keygen_info could have
an arbitrary amount of elements, but since all our legacy backends use
exactly two elements, that's what we go for.

Fixes #12047

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/12048)

show more ...

TLSv1.3: additional checks in SSL_set_record_padding_callback

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.c

TLSv1.3: additional checks in SSL_set_record_padding_callback

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11589)

show more ...

test: TLS1.3 and new ciphers for kTLS

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/

test: TLS1.3 and new ciphers for kTLS

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11589)

show more ...

TLSv13: add kTLS support

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11589)

kTLS: add support for AES_CCM128 and AES_GCM256

The support of new algos is added by converting code to use
helper functions found in ktls.h.

Reviewed-by: Paul Dale <paul.dale@o

kTLS: add support for AES_CCM128 and AES_GCM256

The support of new algos is added by converting code to use
helper functions found in ktls.h.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11589)

show more ...

kTLS: add Linux-specific kTLS helpers

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/

kTLS: add Linux-specific kTLS helpers

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11589)

show more ...

kTLS: add new algo definitions

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11589)

kTLS: make ktls_start type independed

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/

kTLS: make ktls_start type independed

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11589)

show more ...

fix doc typo in bn_dh.c

while RFC 2312 refers to S/MIME it doesn't actually declare any groups,
RFC 2412 actually talks about DH extensively and the group
defined in the code below i

fix doc typo in bn_dh.c

while RFC 2312 refers to S/MIME it doesn't actually declare any groups,
RFC 2412 actually talks about DH extensively and the group
defined in the code below is defined on page 47 of it

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12076)

show more ...

Fix 90-test_store.t for latest config, limits, providers, and disabled algos

Also make sure that the test do not 'pass' if their initialization fails.
Leave out the expensive parts of DS

Fix 90-test_store.t for latest config, limits, providers, and disabled algos

Also make sure that the test do not 'pass' if their initialization fails.
Leave out the expensive parts of DSA key gen and RSA keygen for efficiency.
Fix use of the new CA configuration file test/ca-and-certs.cnf.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11733)

show more ...

Fix documentation of OSSL_STORE

Among others, make clear that OSSL_STORE_close() meanwhile does nothing on NULL.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from

Fix documentation of OSSL_STORE

Among others, make clear that OSSL_STORE_close() meanwhile does nothing on NULL.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11733)

show more ...