1b2d08b2c2
Adaptation of upstream patches disabling explicit EC parameters in FIPS mode
...
Resolves: rhbz#2058663
3 years ago
1447e64bc3
Include hash in FIPS module version
...
Include a hash of specfile, patches, and sources in the FIPS module
version. This should allow us to uniquely identify a build that we do,
so that we can be sure which specific binary is being submitted for
validation and was certified.
The previous solution used $(date +%Y%m%d), which had some risks related
to build server timezone and build date differences on different
architectures.
Resolves: rhbz#2070550
Signed-off-by: Clemens Lang <cllang@redhat.com>
3 years ago
ad863e9fc8
OpenSSL FIPS module should not build in non-approved algorithms
...
Resolves: rhbz#2081378
3 years ago
6ba0e5efa3
When FIPS provider is in use, we forbid only some padding modes - spec
...
Resolves: rhbz#2053289
3 years ago
9afaa3d1f4
Fix regression in evp_pkey_name2type caused by tr_TR locale fix
...
Resolves: rhbz#2071631
Signed-off-by: Clemens Lang <cllang@redhat.com>
3 years ago
a711ac2e4f
Fix openssl curl error with LANG=tr_TR.utf8
...
Resolves: rhbz#2071631
3 years ago
7a1c7b28bc
FIPS provider doesn't block RSA encryption for key transport
...
Resolves: rhbz#2053289
3 years ago
93ff3f8fe5
Fix occasional internal error in TLS when DHE is used
...
Resolves: rhbz#2004915
Signed-off-by: Clemens Lang <cllang@redhat.com>
3 years ago
153f593fa6
Fix SHA1 certs in LEGACY without openssl lib ctxt
...
Resolves: rhbz#2065400
Signed-off-by: Clemens Lang <cllang@redhat.com>
3 years ago
4eb630f7d5
Fix TLS connections with SHA1 signatures if rh-allow-sha1-signatures = yes
...
Resolves: rhbz#2065400
Signed-off-by: Clemens Lang <cllang@redhat.com>
3 years ago
03697fff80
CVE-2022-0778 fix
...
Resolves: rhbz#2062315
3 years ago
bc7dfd9722
Fix RSA PSS padding with SHA-1 disabled
...
Invocations of EVP_PKEY_CTX_set_rsa_padding(RSA_PKCS1_PSS_PADDING)
before setting an allowed digest with EVP_PKEY_CTX_set_signature_md()
would fail with SHA-1 use in signatures disabled, because OpenSSL's
internal default for the digest was SHA-1.
This isn't documented in any of the manpages, hence we expect users to
always call both EVP_PKEY_CTX_set_rsa_padding() and
EVP_PKEY_CTX_set_signature_md(). We do not want set_rsa_padding() to
fail if users set a non-SHA-1 signature algorithm after setting the
padding mode, though, so change the internal default to SHA-256 if SHA-1
is disabled.
Resolves: rhbz#2062640
3 years ago
3c66c99bd5
Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
...
We want legacy policy to be able to talk to older RHEL that only
supports SHA1 signature algorithms, so allow SHA1 signatures even in
seclevel 2 if rh-allow-sha1-signatures is set to yes.
Resolves: rhbz#2060510
Signed-off-by: Clemens Lang <cllang@redhat.com>
3 years ago
ede38fcb54
Prevent use of SHA1 with ECDSA
...
providers/implementations/signature/{ec,}dsa_sig.c accept a NID_undef
digest, so to prevent SHA1 from working with ECDSA and DSA, we must
return a negative value in securitycheck.c.
Resolves: rhbz#2031742
3 years ago
ea9f0a5726
OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters
...
Resolves: rhbz#1977867
3 years ago
849a9965ee
Support KBKDF (NIST SP800-108) with an R value of 8bits Resolves: rhbz#2027261
...
Signed-off-by: Peter Robinson <pbrobinson@redhat.com>
3 years ago
53f53fedec
Allow SHA1 usage in MGF1 for RSASSA-PSS signatures
...
Resolves: rhbz#2031742
Signed-off-by: Clemens Lang <cllang@redhat.com>
3 years ago
b33dfd3fc3
Spec bump
...
Resolves: rhbz#2031742
3 years ago
5a9ab1160e
Allow SHA1 usage in HMAC in TLS
...
The EVP_DigestSign API is used in TLS to compute a SHA1 HMAC, which is
OK from our point of view, but was blocked so far. Modify
0049-Selectively-disallow-SHA1-signatures.patch to check the EVP_PKEY
type for HMAC (and TLS1-PRF and HKDF), and allow SHA1 for these cases.
Note that TLS1.1 signs a MD5-SHA1 hash with a private key, which does
not work with rh-allow-sha1-signatures = no, so the minimum TLS version
will be TLS 1.2.
Resolves: rhbz#2031742
Signed-off-by: Clemens Lang <cllang@redhat.com>
3 years ago
53b85f538c
OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters
...
Resolves: rhbz#1977867
3 years ago
78fb78d307
Disable SHA1 signature creation and verification by default
...
Set rh-allow-sha1-signatures = yes to re-enable
Resolves: rhbz#2031742
Signed-off-by: Clemens Lang <cllang@redhat.com>
3 years ago
0a5c81da78
s_server: correctly handle 2^14 byte long records
...
Resolves: rhbz#2042011
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
922b5301ea
Adjust FIPS provider version
...
FIPS provider version is now autofilled from release and date
Related: rhbz#2026445
3 years ago
8c3b745547
On the s390x, zeroize all the copies of TLS premaster secret
...
Related: rhbz#2040448
3 years ago
92e721fa5d
Rebuild
...
Related: rhbz#2026445
3 years ago
d237e7f301
Restoring fips=yes to SHA-1
...
Related: rhbz#2026445
3 years ago
9df33eabbe
KATS self-tests should run before HMAC verifcation
...
Related: rhbz#2041994
3 years ago
f5421022ee
Adds enable-buildtest-c++ to the configure options.
...
Related: rhbz#1990814
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
78a467efcc
Rebase to upstream version 3.0.1
...
Fixes CVE-2021-4044 Invalid handling of X509_verify_cert() internal errors in libssl
Resolves: rhbz#2038910, rhbz#2035148
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
e63c4b68b2
Update spec file, remove fipsmodule.cnf
...
Related: rhbz#2026445
3 years ago
225b6d37b9
openssl speed should run in FIPS mode
...
Related: rhbz#1977318
3 years ago
4c1c00d6af
Updated spec, some cleanup done
...
Related: rhbz#1985362
3 years ago
9422ae52de
Always activate default provider via config
...
Related: rhbz#1985362
3 years ago
210c37e906
Disable fipsinstall application
...
Related: rhbz#1985362
3 years ago
3ff0db7558
Embed correct HMAC into fips provider
...
We have stripped production version and unstripped version for tests.
Related: rhbz#1985362
3 years ago
694c426faf
Fix memory leak in s_client
...
Related: rhbz#1996092
3 years ago
b76c2316a3
KTLS and FIPS may interfere, so tests need to be tuned
...
Resolves: rhbz#1961643
3 years ago
3edf474b5d
Avoid double-free on error seeding the RNG.
...
Resolves: rhbz#1952844
3 years ago
34d46544a5
Rebase to upstream version 3.0.0
...
Related: rhbz#1990814
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
07de966235
- Removes the dual-abi build as it not required anymore. The mass rebuild
...
was completed and all packages are rebuilt against Beta version.
Resolves: rhbz#1984097
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
ddd1eb3708
Correctly processing CMS reading from /dev/stdin
...
Resolves: rhbz#1986315
3 years ago
49de59749c
Add instruction for loading legacy provider in openssl.cnf
...
Resolves: rhbz#1975836
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
03899fca38
Adds support for IDEA encryption.
...
Resolves: rhbz#1990602
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
0c6f4a599c
- Fixes core dump in openssl req -modulus
...
- Fixes 'openssl req' to not ask for password when non-encrypted private key
is used
- cms: Do not try to check binary format on stdin and -rctform fix
- Resolves: rhbz#1988137, rhbz#1988468, rhbz#1988137
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
2862adca42
Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
...
Related: rhbz#1991688
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
3 years ago
ecb6630fd3
When signature_algorithm extension is omitted, use more relevant alerts
...
Resolves: rhbz#1965017
3 years ago
fe7445d93d
Rebase to upstream version beta2
...
Related: rhbz#1903209
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
0b6afca185
- Prevents creation of duplicate cert entries in PKCS #12 files
...
Resolves: rhbz#1978670
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
e3d0ba4f1e
NVR Bump to Update to OpenSSL 3.0 Beta1 version
...
Related: rhbz#1903209
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
529b968a17
Update patch dual-abi.patch to add the #define macros in implementation
...
files instead of public header files
Related: rhbz#1903209
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
a3158ae4f7
Removes unused patch dual-abi.patch
...
Related: rhbz#1903209
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
d4e97b3110
Update to Beta1 version
...
Includes a patch to support dual-ABI, as Beta1 brekas ABI with alpha16
Related: rhbz#1903209
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
90bf702df6
- Fixes override of openssl_conf in openssl.cnf
...
- Use AI_ADDRCONFIG only when explicit host name is given
- Temporarily remove fipsmodule.cnf for arch i686
- Fixes segmentation fault in BN_lebin2bn
Resolves: rhbz#1975847, rhbz#1976845, rhbz#1973477, rhbz#1975855
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
4f728a9f3f
Fixes override of openssl_conf in openssl.cnf
...
Resolves: rhbz#1975847
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
826e7990ea
Adds FIPS mode compatibility patch
...
Related: rhbz#1977318
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
240131b9eb
- Fixes system hang issue when booted in FIPS mode
...
- Temporarily disable downstream FIPS patches
Related: rhbz#1977318
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
220d8a96f5
Spec bump and changelog for Speeding up building openssl
...
Related: rhbz#1903209
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
3 years ago
b0a763c723
Speeding up building openssl
...
Resolves: rhbz#1903209
Signed-off-by: Dmitry Belyavskiy <dbelyavs@redhat.com>
3 years ago
e863fff325
Fix reading SPKAC data from stdin
...
Fix incorrect OSSL_PKEY_PARAM_MAX_SIZE for ed25519 and ed448
Return 0 after cleanup in OPENSSL_init_crypto()
Cleanup the peer point formats on regotiation
Fix default digest to SHA256
Resolves: rhbz#1958045, rhbz#1952850, rhbz#1961687
Related: rhbz#1958033
Signed-off-by: Sahana Prasad <sahana@redhat.com>
3 years ago
5fa0564b3a
Enable FIPS via config options
...
Resolves: rhbz#1903209
Signed-off-by: Sahana Prasad <sahana@redhat.com>
4 years ago
ef962954ab
Update to alpha 16 version
...
Avoids sending alert after orderly connection close
Resolves: rhbz#1952901, rhbz#1903209
Signed-off-by: Sahana Prasad <sahana@redhat.com>
4 years ago
eeabdb936d
Merge gitlab.com:redhat/centos-stream/rpms/openssl into c9s
4 years ago
007b0e01a9
Update to alpha 15 version
...
Resolves: openssl speed crashes rhbz#1952598
Resolves: rhbz#1903209
Signed-off-by: Sahana Prasad <sahana@redhat.com>
4 years ago
620c697740
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
...
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
4 years ago
ec7ef62793
Rebase to OpenSSL version 3.0.0
...
Note: This is a W.I.P as this is a huge rebase.
Resolves: rhbz#1903209
Signed-off-by: Sahana Prasad <sahana@redhat.com>
4 years ago
098f88f008
Merged update from upstream sources
...
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/openssl.git#0f5f931f9a64a3fe3221c75ed799914cfd90b0db
4 years ago
efa5f39ef0
Merged update from upstream sources
...
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/openssl.git#b023ffe39f798981219604746432376b15169c79
4 years ago
f731f488ac
Merged update from upstream sources
...
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/openssl.git#fb8e66a58fb43344f23aefb4eaefe1b6ca04a80d
4 years ago
6cc21a3e02
Merged update from upstream sources
...
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/openssl.git#d34c6392bf98cf355fca2f80538dcfdfd5c281f1
4 years ago
e33651f416
Merged update from upstream sources
...
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/openssl.git#a07706cf0e50b02a61d3cb10ecad554d4ac4240c
4 years ago
a99ab8f40a
Merged update from upstream sources
...
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/openssl.git#3413ff9700373616a74dcf14fe75868d046e22e2
4 years ago
16459847f1
RHEL 9.0.0 Alpha bootstrap
...
The content of this branch was automatically imported from Fedora ELN
with the following as its source:
https://src.fedoraproject.org/rpms/openssl#7ae2c9cd854539d3f09c5da76a55f6ff55ce55a8
4 years ago
Dmitry Belyavskiy
Clemens Lang
Peter Robinson
Sahana Prasad
Mohan Boddu
Mohan Boddu
DistroBaker
Petr Šabata