Commit Graph

134 Commits (d60bf2b34362557596d3e5185246acb152579977)
 

Author SHA1 Message Date
Clemens Lang 1447e64bc3 Include hash in FIPS module version
3 years ago
Dmitry Belyavskiy ad863e9fc8 OpenSSL FIPS module should not build in non-approved algorithms
3 years ago
Dmitry Belyavskiy 6ba0e5efa3 When FIPS provider is in use, we forbid only some padding modes - spec
3 years ago
Dmitry Belyavskiy 067b6b249b When FIPS provider is in use, we forbid only some padding modes
3 years ago
Dmitry Belyavskiy 02c75e5a65 We dont'want totally forbid RSA encryption.
3 years ago
Clemens Lang 9afaa3d1f4 Fix regression in evp_pkey_name2type caused by tr_TR locale fix
3 years ago
Dmitry Belyavskiy a711ac2e4f Fix openssl curl error with LANG=tr_TR.utf8
3 years ago
Dmitry Belyavskiy c0744a0cbf Temporary manual test
3 years ago
Dmitry Belyavskiy 7a1c7b28bc FIPS provider doesn't block RSA encryption for key transport
3 years ago
Clemens Lang 93ff3f8fe5 Fix occasional internal error in TLS when DHE is used
3 years ago
Clemens Lang 153f593fa6 Fix SHA1 certs in LEGACY without openssl lib ctxt
3 years ago
Clemens Lang 4eb630f7d5 Fix TLS connections with SHA1 signatures if rh-allow-sha1-signatures = yes
3 years ago
Dmitry Belyavskiy 03697fff80 CVE-2022-0778 fix
3 years ago
Clemens Lang bc7dfd9722 Fix RSA PSS padding with SHA-1 disabled
3 years ago
Clemens Lang 3c66c99bd5 Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
3 years ago
Clemens Lang ede38fcb54 Prevent use of SHA1 with ECDSA
3 years ago
Dmitry Belyavskiy ea9f0a5726 OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters
3 years ago
Peter Robinson 849a9965ee Support KBKDF (NIST SP800-108) with an R value of 8bits Resolves: rhbz#2027261
3 years ago
Clemens Lang 53f53fedec Allow SHA1 usage in MGF1 for RSASSA-PSS signatures
3 years ago
Dmitry Belyavskiy b33dfd3fc3 Spec bump
3 years ago
Clemens Lang 5a9ab1160e Allow SHA1 usage in HMAC in TLS
3 years ago
Dmitry Belyavskiy 53b85f538c OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters
3 years ago
Dmitry Belyavskiy d79f404164 Allows non-fips KDF for PKCS#12
3 years ago
Clemens Lang 78fb78d307 Disable SHA1 signature creation and verification by default
3 years ago
Sahana Prasad 0a5c81da78 s_server: correctly handle 2^14 byte long records
3 years ago
Dmitry Belyavskiy 922b5301ea Adjust FIPS provider version
3 years ago
Dmitry Belyavskiy 8c3b745547 On the s390x, zeroize all the copies of TLS premaster secret
3 years ago
Dmitry Belyavskiy 92e721fa5d Rebuild
3 years ago
Dmitry Belyavskiy 691c22b61c Remove volatile attribute from HMAC to make annocheck happy
3 years ago
Dmitry Belyavskiy d237e7f301 Restoring fips=yes to SHA-1
3 years ago
Dmitry Belyavskiy 9df33eabbe KATS self-tests should run before HMAC verifcation
3 years ago
Sahana Prasad f5421022ee Adds enable-buildtest-c++ to the configure options.
3 years ago
Sahana Prasad 78a467efcc Rebase to upstream version 3.0.1
3 years ago
Dmitry Belyavskiy e63c4b68b2 Update spec file, remove fipsmodule.cnf
3 years ago
Dmitry Belyavskiy 6cdaa527d8 Explicitly permit SHA1 HMAC
3 years ago
Dmitry Belyavskiy cc37486d86 Minimize the list of services allowed for FIPS
3 years ago
Dmitry Belyavskiy 225b6d37b9 openssl speed should run in FIPS mode
3 years ago
Dmitry Belyavskiy 13dc3794cb Make rpminspect happy
3 years ago
Dmitry Belyavskiy 4c1c00d6af Updated spec, some cleanup done
3 years ago
Dmitry Belyavskiy 9422ae52de Always activate default provider via config
3 years ago
Dmitry Belyavskiy 210c37e906 Disable fipsinstall application
3 years ago
Dmitry Belyavskiy 3ff0db7558 Embed correct HMAC into fips provider
3 years ago
Dmitry Belyavskiy 5c4e10ac26 FIPS provider auto activation
3 years ago
Dmitry Belyavskiy 694c426faf Fix memory leak in s_client
3 years ago
Dmitry Belyavskiy b76c2316a3 KTLS and FIPS may interfere, so tests need to be tuned
3 years ago
Dmitry Belyavskiy 3edf474b5d Avoid double-free on error seeding the RNG.
3 years ago
Sahana Prasad 34d46544a5 Rebase to upstream version 3.0.0
3 years ago
Sahana Prasad 07de966235 - Removes the dual-abi build as it not required anymore. The mass rebuild
3 years ago
Dmitry Belyavskiy ddd1eb3708 Correctly processing CMS reading from /dev/stdin
3 years ago
Sahana Prasad 49de59749c Add instruction for loading legacy provider in openssl.cnf
3 years ago