Mirrors/openssl
0
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2026-01-18 17:11:31 +01:00
Code Issues Packages Projects Releases Wiki Activity
35,614 Commits 37 Branches 420 Tags
dbe8059edf947f53e899777fda33d99b4776af24
Commit Graph

35614 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Shih-Yi Chen
dbe8059edf Update krb5 to latest master to pick up CVE fixes 
CLA: trivial

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25131)

(cherry picked from commit 099a71b48b)
 2024-08-14 17:57:43 +02:00
slontis
5f04124aab Add EDDSA FIPS self tests. 
See FIPS 140-3 IG Section 10.3.A Part 11
Indicates ECDSA requires a sign and verify test.
Note 11 states that HashEdDSA is not required to be tested if PureEdDSA is tested.
Note 12 indicates that both ED25519 and X448 need to be tested.

Since ED uses the oneshot interface, additional API's needed to be exposed to the
FIPS provider using #ifdef FIPS_MODULE.

Changed ED25518 and ED448 to use fips=true in the FIPS provider.
Updated documentation for provider lists for EDDSA.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22112)
 2024-08-14 16:17:47 +02:00
Dmitry Belyavskiy
12ba471c29 Improve the EVP_PKEY_CTX_set_kem_op() documentation 
Fixes #25142

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25164)
 2024-08-14 11:05:11 +02:00
Pauli
21bcae6561 test: Improve coverage for the PBKDF2 unit tests 
Fixes #25136

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25160)
 2024-08-14 08:17:45 +10:00
Dmitry Belyavskiy
bd3b24c3af Encap/decap in pkeyutl - tests 
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25127)
 2024-08-13 11:03:11 +02:00
Dmitry Belyavskiy
14fa2f5f47 Encap/decap in pkeyutl - documentation 
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25127)
 2024-08-13 11:03:11 +02:00
Dmitry Belyavskiy
12b2e5552b Support of en/decapsulation in the pkeyutl command 
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25127)
 2024-08-13 11:03:11 +02:00
Michael Baentsch
38a7183102 adds TLS signature algorithms list feature 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24821)
 2024-08-13 11:48:54 +10:00
pohsingwu
f3c03be3ad Restrict salt length for RSA-PSS in the FIPS provider 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25115)
 2024-08-13 09:55:36 +10:00
pohsingwu
878f74eb08 Setup padding mode correctly in acvp_test 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25115)
 2024-08-12 10:26:42 +08:00
Pauli
2f33265039 fipsmodule.cnf: set the signature digest checks option on installation 
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)
 2024-08-12 09:30:50 +10:00
Pauli
fc5c86b8c1 fips: support signature-digest-checks in FIPS provider 
Fixes #24936

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)
 2024-08-12 09:30:50 +10:00
Pauli
db9eb0f96c test: add unit tests for disallowed XOF digests 
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)
 2024-08-12 09:30:43 +10:00
Pauli
5ab9f7e249 signatures: disallow XOF digests when doing signatures 
Except for Ed448 and RSA PSS where they are mandatory and allow respectively.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)
 2024-08-12 09:30:43 +10:00
Pauli
d8783a1807 fipsinstall: use correct macro for no drbg trunc digest option 
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)
 2024-08-12 09:30:43 +10:00
Pauli
fcf8390503 test: update fipsinstall tests to cover signature_digest_check option 
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)
 2024-08-12 09:30:43 +10:00
Pauli
c613f080ca Add signature digest check option to fipsinstall 
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)
 2024-08-12 09:30:43 +10:00
Pauli
5d6e692c36 doc: document -signature_digest_check option to fipsinstall 
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25020)
 2024-08-12 09:30:42 +10:00
Neil Horman
a46abbd66e Fix typing on call to interlockedExchange for windows 
mingw is complaining on builds about the use of InterlockedExchange on a
uint32_t type, as the input parameter here is expected to be LONG
(defined as signed 32 bit on all versions of windows).

the input value (reader_idx) will never grow larger than the group size
of the lock (nominally 2, but always a reasonably small value), so it
should be safe to just cast it to the appropriate type here.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25015)
 2024-08-11 08:23:19 -04:00
Dmitry Belyavskiy
d7b659e185 Fix PBMAC1 MAC verification in FIPS mode 
The check for fetchability PKCS12KDF doesn't make sense when we have a
different MAC mechanism

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25144)
 2024-08-11 10:11:33 +02:00
Pauli
3416c0bff9 test: add error reasons to KBKDF tests 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
 2024-08-10 16:36:03 +10:00
Pauli
fb51e4f611 test: add positive FIPS indicator failure tests for DRBGs 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
 2024-08-10 16:36:03 +10:00
Pauli
dc16db61f1 test: add error reasons to TLS 1 PRF tests 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
 2024-08-10 16:35:54 +10:00
Pauli
90f64d064e test: add error reasons to X9.63 test 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
 2024-08-10 16:35:54 +10:00
Pauli
0acf9f8934 test: add error reasons to X9.42 test 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
 2024-08-10 16:35:54 +10:00
Pauli
41a9aeb672 test: add error reasons to TLS 1.3 KDF tests 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
 2024-08-10 16:35:54 +10:00
Pauli
a969c466b1 test: add error reasons to TLS 1.2 PRF tests 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
 2024-08-10 16:35:54 +10:00
Pauli
3cccd17eed test: add error reasons to Single Step KDF tests 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
 2024-08-10 16:35:54 +10:00
Pauli
20284908c4 test: add error reasons to SSHKDF tests 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
 2024-08-10 16:35:54 +10:00
Pauli
bb3b3abfd5 test: add error reasons to PBKDF2 tests 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
 2024-08-10 16:35:54 +10:00
Pauli
8c24acda18 test: add error reasons to HKDF tests 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
 2024-08-10 16:35:54 +10:00
Pauli
77915ae8eb test: add error reasons to KMAC tests 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
 2024-08-10 16:35:53 +10:00
Pauli
068c9bee37 test: add error reasons to RSA tests 
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25135)
 2024-08-10 16:35:53 +10:00
Pauli
8e316edd71 fips: change from function call to macro in rsa_enc.c 
Use of the function instead of the macro for the indicator unapproved check was
noted in: https://github.com/openssl/openssl/pull/25070#discussion_r1706564363
Fix things to use the macro properly.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25134)
 2024-08-10 16:34:51 +10:00
Neil Horman
11adb943ab amend! fixup! limit bignums to 512 bytes 
fixup! limit bignums to 512 bytes

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25013)
 2024-08-09 07:59:03 -04:00
Neil Horman
f0768376e1 limit bignums to 128 bytes 
Keep us from spinning forever doing huge amounts of math in the fuzzer

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25013)
 2024-08-09 07:59:03 -04:00
slontis
250a7adbea Add "no-fips-post" configure option. 
Using this option disables the OpenSSL FIPS provider
self tests.
This is intended for debugging purposes only,
as it breaks FIPS compliance.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25063)
 2024-08-09 09:12:45 +10:00
slontis
ea3888a397 Fix FIPS indicator defines for larger indicies. 
A newer PR is using setable3 now so these indicies should be fixed.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25118)
 2024-08-09 07:16:29 +10:00
Pauli
fd39d1c80c test: add negative tests for KBKDF key size check under FIPS 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25095)
 2024-08-08 08:44:42 +10:00
Pauli
ae87c48895 fips: add kbkdf key length check as per SP 800-131a revision 2 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25095)
 2024-08-08 08:44:38 +10:00
Pauli
6cb6b17171 fips: add kbkdf key check checking function 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25095)
 2024-08-08 08:43:00 +10:00
Pauli
57fb8841dc doc: docment key-check param for kbkdf 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25095)
 2024-08-08 08:42:59 +10:00
Pauli
8d52cf525b doc: document kbkdf key check argument for fipsinstall 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25095)
 2024-08-08 08:42:59 +10:00
Pauli
243b7f399a fips: install with the kbkdf key check option set 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25095)
 2024-08-08 08:42:59 +10:00
Pauli
c2b8af893f params: add kbkdf key check param 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25095)
 2024-08-08 08:42:59 +10:00
Pauli
090247b2e2 fipsinstall: add kbkdf key check option 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25095)
 2024-08-08 08:42:59 +10:00
JulieDzeze1
e77eb1dc0b Update BN_add.pod documentation so it is consistent with header declarations 
CLA: trivial

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24215)
 2024-08-07 19:55:57 +02:00
Mathis Marion
de8861a7e3 Remove duplicate colon in otherName display 
The colon is already added in X509V3_EXT_val_prn(). In fact, the other
branches from i2v_GENERAL_NAME() do not include a trailing colon.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23428)
 2024-08-07 19:53:49 +02:00
Mathis Marion
387491d537 Add OIDs id-kp-wisun-fan-device and id-on-hardwareModule 
Sub-OIDs for {iso(1) identified-organization(3) dod(6) internet(1)
private(4) enterprise(1) 45605} are recorded in the document "Wi-SUN
Assigned Value Registry" (WAVR).

OID id-on-hardwareModule is defined in RFC 4108.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23428)
 2024-08-07 19:53:19 +02:00
Matt Caswell
c0c4e6ba0a Remove the event queue code 
PR #18345 added some code for an event queue. It also added a test for it.
Unfortunately this event queue code has never been used for anything.
Additionally the test was never integrated into a test recipe, so it never
actually gets invoked via "make test". This makes the code entirely dead,
unnecessarily bloats the size of libssl and causes a decrease in our
testing code coverage value.

We remove the dead code.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25100)
 2024-08-07 19:48:26 +02:00