Commit Graph

130 Commits (477d91adece6f348bc77888a646ecd590418af14)

Author SHA1 Message Date
Dmitry Belyavskiy 477d91adec Rebasing to OpenSSL 3.0.7 2 years ago
Dmitry Belyavskiy 5d738bdd7f Forbid short RSA keys for key encapsulation/decapsulation in FIPS mode 2 years ago
Clemens Lang 80de7ffd9c Add explicit indicator & clamp default PSS salt len 2 years ago
Clemens Lang fe09690308 pbkdf2: Set minimum password length of 8 bytes 2 years ago
Clemens Lang 438a2c64b7 Add indicator for HMAC with short key lengths 2 years ago
Clemens Lang 105cc32a20 Add indicator for SP 800-108 KDFs w/short keys 2 years ago
Clemens Lang 066be87ccd Remove support for X9.31 signature padding in FIPS mode 2 years ago
Dmitry Belyavskiy 2bd2c7ac27 FIPS-140-3 permits only SHA1, SHA256, and SHA512 for DRBG-HASH/DRBG-HMAC 2 years ago
Dmitry Belyavskiy fb8fee4b43 FIPS RSA CRT tests must use correct parameters 2 years ago
Dmitry Belyavskiy 474a112b98 Avoid memory leaks in TLS 2 years ago
Dmitry Belyavskiy 6c57fc8dcc SHAKE-128/256 are not allowed with RSA in FIPS mode 2 years ago
Dmitry Belyavskiy 39f800af50 CVE-2022-3602, CVE-2022-3786: X.509 Email Address Buffer Overflow 2 years ago
Clemens Lang ff78525169 .gitignore: Stop ignoring 000*.patch 2 years ago
Clemens Lang 7c8235f8cd Zeroize public keys, add HKDF FIPS indicator 2 years ago
Dmitry Belyavskiy 730ccadf04 Extra zeroization related to FIPS-140-3 requirements 3 years ago
Dmitry Belyavskiy fc45520150 Reseed all the parent DRBGs in chain on reseeding a DRBG 3 years ago
Dmitry Belyavskiy a0907c129c Use signature for RSA pairwise test according to FIPS-140-3 requirements 3 years ago
Dmitry Belyavskiy f1dba9d301 Deal with ECDH keys in FIPS mode according to FIPS-140-3 requirements 3 years ago
Dmitry Belyavskiy 3f7cd79d02 Deal with DH keys in FIPS mode according to FIPS-140-3 requirements 3 years ago
Clemens Lang 61f739868e FIPS: Fix memory leak in digest_sign self-test 3 years ago
Clemens Lang 08d6c35051 FIPS self-test: RSA-OAEP, FFDHE2048, digest_sign 3 years ago
Clemens Lang 3e6d5a385b Improve AES-GCM & ChaCha20 perf on Power9+ ppc64le 3 years ago
Clemens Lang c64694b961 Fix segfault in EVP_PKEY_Q_keygen() 3 years ago
Clemens Lang 5901637dea CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86 3 years ago
Dmitry Belyavskiy f3b52e907b CVE-2022-2068: the c_rehash script allows command injection 3 years ago
Dmitry Belyavskiy fea833cb56 Strict certificates validation shouldn't allow explicit EC parameters 3 years ago
Dmitry Belyavskiy ea75c725ee Fix PPC64 Montgomery multiplication bug 3 years ago
Dmitry Belyavskiy f4e1bded66 Improve diagnostics when passing unsupported groups in TLS 3 years ago
Dmitry Belyavskiy cbe5a9ff12 FIPS provider should block RSA encryption for key transport. 3 years ago
Dmitry Belyavskiy 8638196167 Ciphersuites with RSAPSK KX should be filtered in FIPS mode 3 years ago
Clemens Lang 8b08b372c8 FIPS: Expose explicit indicator from fips.so 3 years ago
Dmitry Belyavskiy e859029ea0 Replace expired certificates 3 years ago
Dmitry Belyavskiy a8a3a389ee Use KAT for ECDSA signature tests, s390 arch 3 years ago
Clemens Lang 96926ffe00 Revert "Disable EVP_PKEY_sign/EVP_PKEY_verify in FIPS mode" 3 years ago
Dmitry Belyavskiy 794d81540e CVE-2022-1292 openssl: c_rehash script allows command injection 3 years ago
Dmitry Belyavskiy a63915eb2b CVE-2022-1343 openssl: inaccurate verification when using OCSP_NOCHECKS 3 years ago
Dmitry Belyavskiy ac312e8ff7 CVE-2022-1473 openssl: OPENSSL_LH_flush() breaks reuse of memory 3 years ago
Dmitry Belyavskiy b5de6bd830 In FIPS mode limit key sizes for signature verification 3 years ago
Dmitry Belyavskiy 7bc4f9f094 Ciphersuites with RSA KX should be filtered in FIPS mode 3 years ago
Dmitry Belyavskiy b393177f7d `openssl ecparam -list_curves` lists only FIPS-approved curves in FIPS mode 3 years ago
Clemens Lang 389313b118 FIPS: Disable SHA1 signs and EVP_PKEY_{sign,verify} 3 years ago
Dmitry Belyavskiy 87f109e9fb Use KAT for ECDSA signature tests 3 years ago
Dmitry Belyavskiy 69c1abb4df openssl req defaults on PKCS#8 encryption changed to AES-256-CBC 3 years ago
Dmitry Belyavskiy b4d281e4de -config argument of openssl app should work properly 3 years ago
Dmitry Belyavskiy 1b2d08b2c2 Adaptation of upstream patches disabling explicit EC parameters in FIPS mode 3 years ago
Dmitry Belyavskiy 4dc19fe033 Reworked patch forbidding explicit EC parameters 3 years ago
Clemens Lang 1447e64bc3 Include hash in FIPS module version 3 years ago
Dmitry Belyavskiy ad863e9fc8 OpenSSL FIPS module should not build in non-approved algorithms 3 years ago
Dmitry Belyavskiy 6ba0e5efa3 When FIPS provider is in use, we forbid only some padding modes - spec 3 years ago
Dmitry Belyavskiy 067b6b249b When FIPS provider is in use, we forbid only some padding modes 3 years ago