3c66c99bd5
Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
...
We want legacy policy to be able to talk to older RHEL that only
supports SHA1 signature algorithms, so allow SHA1 signatures even in
seclevel 2 if rh-allow-sha1-signatures is set to yes.
Resolves: rhbz#2060510
Signed-off-by: Clemens Lang <cllang@redhat.com>
3 years ago
ede38fcb54
Prevent use of SHA1 with ECDSA
...
providers/implementations/signature/{ec,}dsa_sig.c accept a NID_undef
digest, so to prevent SHA1 from working with ECDSA and DSA, we must
return a negative value in securitycheck.c.
Resolves: rhbz#2031742
3 years ago
ea9f0a5726
OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters
...
Resolves: rhbz#1977867
3 years ago
849a9965ee
Support KBKDF (NIST SP800-108) with an R value of 8bits Resolves: rhbz#2027261
...
Signed-off-by: Peter Robinson <pbrobinson@redhat.com>
3 years ago
53f53fedec
Allow SHA1 usage in MGF1 for RSASSA-PSS signatures
...
Resolves: rhbz#2031742
Signed-off-by: Clemens Lang <cllang@redhat.com>
3 years ago
b33dfd3fc3
Spec bump
...
Resolves: rhbz#2031742
3 years ago
5a9ab1160e
Allow SHA1 usage in HMAC in TLS
...
The EVP_DigestSign API is used in TLS to compute a SHA1 HMAC, which is
OK from our point of view, but was blocked so far. Modify
0049-Selectively-disallow-SHA1-signatures.patch to check the EVP_PKEY
type for HMAC (and TLS1-PRF and HKDF), and allow SHA1 for these cases.
Note that TLS1.1 signs a MD5-SHA1 hash with a private key, which does
not work with rh-allow-sha1-signatures = no, so the minimum TLS version
will be TLS 1.2.
Resolves: rhbz#2031742
Signed-off-by: Clemens Lang <cllang@redhat.com>
3 years ago
53b85f538c
OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters
...
Resolves: rhbz#1977867
3 years ago
78fb78d307
Disable SHA1 signature creation and verification by default
...
Set rh-allow-sha1-signatures = yes to re-enable
Resolves: rhbz#2031742
Signed-off-by: Clemens Lang <cllang@redhat.com>
3 years ago
0a5c81da78
s_server: correctly handle 2^14 byte long records
...
Resolves: rhbz#2042011
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
922b5301ea
Adjust FIPS provider version
...
FIPS provider version is now autofilled from release and date
Related: rhbz#2026445
3 years ago
8c3b745547
On the s390x, zeroize all the copies of TLS premaster secret
...
Related: rhbz#2040448
3 years ago
92e721fa5d
Rebuild
...
Related: rhbz#2026445
3 years ago
d237e7f301
Restoring fips=yes to SHA-1
...
Related: rhbz#2026445
3 years ago
9df33eabbe
KATS self-tests should run before HMAC verifcation
...
Related: rhbz#2041994
3 years ago
f5421022ee
Adds enable-buildtest-c++ to the configure options.
...
Related: rhbz#1990814
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
78a467efcc
Rebase to upstream version 3.0.1
...
Fixes CVE-2021-4044 Invalid handling of X509_verify_cert() internal errors in libssl
Resolves: rhbz#2038910, rhbz#2035148
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
e63c4b68b2
Update spec file, remove fipsmodule.cnf
...
Related: rhbz#2026445
3 years ago
225b6d37b9
openssl speed should run in FIPS mode
...
Related: rhbz#1977318
3 years ago
4c1c00d6af
Updated spec, some cleanup done
...
Related: rhbz#1985362
3 years ago
9422ae52de
Always activate default provider via config
...
Related: rhbz#1985362
3 years ago
210c37e906
Disable fipsinstall application
...
Related: rhbz#1985362
3 years ago
3ff0db7558
Embed correct HMAC into fips provider
...
We have stripped production version and unstripped version for tests.
Related: rhbz#1985362
3 years ago
694c426faf
Fix memory leak in s_client
...
Related: rhbz#1996092
3 years ago
b76c2316a3
KTLS and FIPS may interfere, so tests need to be tuned
...
Resolves: rhbz#1961643
3 years ago
3edf474b5d
Avoid double-free on error seeding the RNG.
...
Resolves: rhbz#1952844
3 years ago
34d46544a5
Rebase to upstream version 3.0.0
...
Related: rhbz#1990814
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
07de966235
- Removes the dual-abi build as it not required anymore. The mass rebuild
...
was completed and all packages are rebuilt against Beta version.
Resolves: rhbz#1984097
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
ddd1eb3708
Correctly processing CMS reading from /dev/stdin
...
Resolves: rhbz#1986315
3 years ago
49de59749c
Add instruction for loading legacy provider in openssl.cnf
...
Resolves: rhbz#1975836
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
03899fca38
Adds support for IDEA encryption.
...
Resolves: rhbz#1990602
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
0c6f4a599c
- Fixes core dump in openssl req -modulus
...
- Fixes 'openssl req' to not ask for password when non-encrypted private key
is used
- cms: Do not try to check binary format on stdin and -rctform fix
- Resolves: rhbz#1988137, rhbz#1988468, rhbz#1988137
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
2862adca42
Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
...
Related: rhbz#1991688
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
3 years ago
ecb6630fd3
When signature_algorithm extension is omitted, use more relevant alerts
...
Resolves: rhbz#1965017
3 years ago
fe7445d93d
Rebase to upstream version beta2
...
Related: rhbz#1903209
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
0b6afca185
- Prevents creation of duplicate cert entries in PKCS #12 files
...
Resolves: rhbz#1978670
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
e3d0ba4f1e
NVR Bump to Update to OpenSSL 3.0 Beta1 version
...
Related: rhbz#1903209
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
529b968a17
Update patch dual-abi.patch to add the #define macros in implementation
...
files instead of public header files
Related: rhbz#1903209
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
a3158ae4f7
Removes unused patch dual-abi.patch
...
Related: rhbz#1903209
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
d4e97b3110
Update to Beta1 version
...
Includes a patch to support dual-ABI, as Beta1 brekas ABI with alpha16
Related: rhbz#1903209
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
90bf702df6
- Fixes override of openssl_conf in openssl.cnf
...
- Use AI_ADDRCONFIG only when explicit host name is given
- Temporarily remove fipsmodule.cnf for arch i686
- Fixes segmentation fault in BN_lebin2bn
Resolves: rhbz#1975847, rhbz#1976845, rhbz#1973477, rhbz#1975855
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
4f728a9f3f
Fixes override of openssl_conf in openssl.cnf
...
Resolves: rhbz#1975847
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
826e7990ea
Adds FIPS mode compatibility patch
...
Related: rhbz#1977318
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
240131b9eb
- Fixes system hang issue when booted in FIPS mode
...
- Temporarily disable downstream FIPS patches
Related: rhbz#1977318
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
220d8a96f5
Spec bump and changelog for Speeding up building openssl
...
Related: rhbz#1903209
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
3 years ago
b0a763c723
Speeding up building openssl
...
Resolves: rhbz#1903209
Signed-off-by: Dmitry Belyavskiy <dbelyavs@redhat.com>
3 years ago
e863fff325
Fix reading SPKAC data from stdin
...
Fix incorrect OSSL_PKEY_PARAM_MAX_SIZE for ed25519 and ed448
Return 0 after cleanup in OPENSSL_init_crypto()
Cleanup the peer point formats on regotiation
Fix default digest to SHA256
Resolves: rhbz#1958045, rhbz#1952850, rhbz#1961687
Related: rhbz#1958033
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
5fa0564b3a
Enable FIPS via config options
...
Resolves: rhbz#1903209
Signed-off-by: Sahana Prasad <sahana@redhat.com>
4 years ago
ef962954ab
Update to alpha 16 version
...
Avoids sending alert after orderly connection close
Resolves: rhbz#1952901, rhbz#1903209
Signed-off-by: Sahana Prasad <sahana@redhat.com>
4 years ago
eeabdb936d
Merge gitlab.com:redhat/centos-stream/rpms/openssl into c9s
4 years ago
Clemens Lang
Dmitry Belyavskiy
Peter Robinson
Sahana Prasad
Mohan Boddu
Mohan Boddu