Commit Graph

491 Commits

Author SHA1 Message Date
Tomas Mraz
1ff978b22e update to upstream version 1.1.0f
SRP and GOST is now allowed, note that GOST support requires
  adding GOST engine which is not part of openssl anymore
2017-06-02 15:32:15 +02:00
Tomas Mraz
c676ac32d5 update to upstream version 1.1.0e
add documentation of the PROFILE=SYSTEM special cipher string (#1420232)
2017-02-16 16:59:27 +01:00
Fedora Release Engineering
f6b0040c3e - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild 2017-02-11 00:58:36 +00:00
Tomas Mraz
d00e0a5904 applied upstream fixes (fix regression in X509_CRL_digest) 2017-02-01 15:56:59 +01:00
Tomas Mraz
c144665042 update to upstream version 1.1.0d 2017-01-26 16:24:24 +01:00
Tomas Mraz
fe449cd23c preserve new line in fd BIO BIO_gets() as other BIOs do 2016-12-22 14:40:28 +01:00
Tomas Mraz
836560b322 FIPS mode fixes for TLS 2016-12-02 17:32:17 +01:00
Tomas Mraz
3a8593870a apply properly revert SSL_read() behavior change - patch from upstream (#1394677)
- fix behavior on client certificate request in renegotiation (#1393579)
2016-11-30 14:29:59 +01:00
Tomas Mraz
e443a79334 Add back EC NIST P-224 and revert SSL_read() change
- revert SSL_read() behavior change - patch from upstream (#1394677)
- EC curve NIST P-224 is now allowed, still kept disabled in TLS due
  to less than optimal security
2016-11-22 10:39:55 +01:00
Tomas Mraz
be56ae067b update to upstream version 1.1.0c 2016-11-11 14:47:36 +01:00
Tomas Mraz
f655917cf7 use a random seed if the supplied one did not generate valid
parameters in dsa_builtin_paramgen2()
2016-11-04 12:10:01 +01:00
Tomas Mraz
c7fc8d6daa do not break contract on return value when using dsa_builtin_paramgen2() 2016-10-17 13:06:36 +02:00
Tomas Mraz
d2220322f3 fix afalg failure on big endian 2016-10-12 14:47:08 +02:00
Tomas Mraz
4e52f8d3db Use eventfd2 syscall instead of deprecated eventfd. 2016-10-11 10:58:08 +02:00
Tomas Mraz
510bcc2e3a update to upstream version 1.1.0b 2016-10-11 10:31:54 +02:00
Richard W.M. Jones
d0c38b1fe6 Add flags for riscv64. 2016-10-07 20:44:34 +01:00
Tomas Mraz
e8261d1b72 minor upstream release 1.0.2j fixing regression from previous release 2016-09-26 12:56:04 +02:00
David Woodhouse
edc03c1b9b Fix enginesdir in libcrypto.pc (#1375361) 2016-09-24 20:36:58 +01:00
Tomas Mraz
6e67274c62 minor upstream release 1.0.2i fixing security issues
- move man pages for perl based scripts to perl subpackage (#1377617)
2016-09-22 14:16:05 +02:00
Tomas Mraz
9fc25c1d28 fix regression in Cisco AnyConnect VPN support (#1354588) 2016-08-10 13:50:49 +02:00
Tomas Mraz
a1b5b83ccd require libcrypto in libssl.pc (#1301301) 2016-06-27 12:09:15 +02:00
Petr Písař
b7ec4eee2b Mandatory Perl build-requires added <https://fedoraproject.org/wiki/Changes/Build_Root_Without_Perl> 2016-06-24 10:44:40 +02:00
Tomas Mraz
eeb6ac1a65 minor upstream release 1.0.2h fixing security issues 2016-05-03 18:23:18 +02:00
Tomas Mraz
0a6d0e5ddc disable SSLv2 support altogether (without ABI break) 2016-03-29 15:47:40 +02:00
Tom Callaway
589d3ee15b enable RC5 with permission from Legal 2016-03-07 21:56:55 -06:00
Tomas Mraz
8f6be98bf7 reenable SSL2 in the build to avoid ABI break
(it does not make the openssl vulnerable to DROWN attack)
2016-03-02 09:33:35 +01:00
Tomas Mraz
e7a0ff581f minor upstream release 1.0.2g fixing security issues 2016-03-01 17:22:06 +01:00
Fedora Release Engineering
843fdf0512 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild 2016-02-04 11:34:33 +00:00
Tomas Mraz
1004dabcc6 minor upstream release 1.0.2f fixing security issues
- add support for MIPS secondary architecture
2016-01-28 17:12:09 +01:00
Tomas Mraz
341f751fb7 Add missing buildrequires for SCTP 2016-01-15 14:43:57 +01:00
Tomas Mraz
0d8bb6ef41 document some options of openssl speed command 2016-01-15 14:19:55 +01:00
Tomas Mraz
41a5ee166a enable sctp support in DTLS 2015-12-18 13:52:00 +01:00
Tomas Mraz
c79bed9e76 remove unimplemented EC method from header (#1289599) 2015-12-08 15:56:50 +01:00
Tomas Mraz
88482b2b4a the fast nistp implementation works only on little endian architectures 2015-12-07 15:02:57 +01:00
Tomas Mraz
6536aa4c73 Makefile.certificate should not set serial to 0 by default 2015-12-04 14:36:15 +01:00
Tomas Mraz
4240ecaa1b minor upstream release 1.0.2e fixing moderate severity security issues
- enable fast assembler implementation for NIST P-256 and P-521
  elliptic curves (#1164210)
- filter out unwanted link options from the .pc files (#1257836)
2015-12-04 14:13:59 +01:00
Tomas Mraz
a83e4d7c4a fix sigill on some AMD CPUs (#1278194) 2015-11-16 17:47:54 +01:00
Tom Callaway
314b2359b8 BR: /usr/bin/pod2man 2015-08-12 17:16:04 -04:00
Tom Callaway
1417ec988d enable secp256k1 (bz1021898) 2015-08-12 17:07:46 -04:00
Tomas Mraz
5675d07a14 minor upstream release 1.0.2d fixing a high severity security issue 2015-07-09 17:25:58 +02:00
Tomas Mraz
7f0b164051 fix the aarch64 build 2015-07-07 09:47:17 +02:00
Dennis Gilmore
49a07018fb - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild 2015-06-18 00:06:33 +00:00
Tomas Mraz
837dd04882 minor upstream release 1.0.2c fixing multiple security issues 2015-06-15 18:23:46 +02:00
Peter Robinson
18455c91c0 Add aarch64 sslarch details 2015-05-07 16:04:05 +01:00
Tomas Mraz
e4bf425a79 fix some 64 bit build targets 2015-05-07 12:01:04 +02:00
Tomas Mraz
d743a79756 add alternative certificate chain discovery support from upstream 2015-04-28 17:10:52 +02:00
Tomas Mraz
a1fb602a95 rebase to 1.0.2 branch 2015-04-23 13:57:26 +02:00
Tomas Mraz
805c06e347 drop the AES-GCM restriction of 2^32 operations
The IV is always 96 bits (32 bit fixed field + 64 bit invocation field).
2015-04-09 13:10:25 +02:00
Tomas Mraz
729d2d0e11 Multiple security issues fixed.
- fix CVE-2015-0209 - potential use after free in d2i_ECPrivateKey()
- fix CVE-2015-0286 - improper handling of ASN.1 boolean comparison
- fix CVE-2015-0287 - ASN.1 structure reuse decoding memory corruption
- fix CVE-2015-0289 - NULL dereference decoding invalid PKCS#7 data
- fix CVE-2015-0293 - triggerable assert in SSLv2 server
2015-03-19 18:08:12 +01:00
Tomas Mraz
446f9bea43 fix bug in the CRYPTO_128_unwrap() 2015-03-16 18:02:06 +01:00
Tomas Mraz
303fb7be60 fix bug in the RFC 5649 support (#1185878) 2015-02-27 16:03:52 +01:00
Till Maas
1804d4c857 Rebuilt for Fedora 23 Change
https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
2015-02-21 22:15:20 +01:00
Tomas Mraz
6a450be963 test in the non-FIPS RSA keygen for minimal distance of p and q
similarly to the FIPS RSA keygen
2015-01-16 16:16:14 +01:00
Tomas Mraz
7e7e3f299f new upstream release fixing multiple security issues 2015-01-09 10:54:51 +01:00
Tomas Mraz
8c1cdfe3ab Fix date in changelog. 2014-11-20 11:14:35 +01:00
Tomas Mraz
80b5477597 disable SSLv3 by default again
Mail servers and possibly LDAP servers should probably allow
it explicitly by SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3) call
for buggy legacy clients on the smtps, imaps, and ldaps ports.
2014-11-20 10:25:56 +01:00
Tomas Mraz
3f43f7e93a update the FIPS RSA keygen to be FIPS 186-4 compliant 2014-10-21 16:02:25 +02:00
Tomas Mraz
613f664141 new upstream release fixing multiple security issues 2014-10-16 13:50:08 +02:00
Tomas Mraz
1f162bf2ee copy negotiated digests when switching certs by SNI (#1150032) 2014-10-10 14:16:48 +02:00
Tomas Mraz
11aeae71ed add support for RFC 5649 2014-09-08 15:22:44 +02:00
Peter Robinson
58eec73ac0 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild 2014-08-17 14:08:44 +00:00
Tomas Mraz
a577400ed8 drop RSA X9.31 from RSA FIPS selftests
- add Power 8 optimalizations
2014-08-13 20:03:17 +02:00
Tomas Mraz
a78828f786 new upstream release fixing multiple moderate security issues
- for now disable only SSLv2 by default
2014-08-07 16:00:47 +02:00
Tom Callaway
6c0bfa087d fix license handling 2014-07-18 19:31:16 -04:00
Tomas Mraz
6466466115 disable SSLv2 and SSLv3 protocols by default
(can be enabled via appropriate SSL_CTX_clear_options() call)
2014-06-30 14:21:11 +02:00
Tomas Mraz
f550490681 use system profile for default cipher list 2014-06-11 15:07:06 +02:00
Tomas Mraz
a98d99a503 fix CVE-2014-0224 fix that broke EAP-FAST session resumption support
- make FIPS mode keygen bit length restriction enforced only when
  OPENSSL_ENFORCE_MODULUS_BITS is set
2014-06-10 16:38:56 +02:00
Dennis Gilmore
0a491cd9f2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild 2014-06-07 12:02:05 -05:00
Tomas Mraz
360a4bb67c new upstream release 1.0.1h 2014-06-05 15:05:17 +02:00
Peter Robinson
b5f54ff916 Drop obsolete and irrelevant docs, Move devel docs to appropriate package, they're all rather large and of little use for all but historical reference 2014-05-31 22:49:33 +01:00
Tomas Mraz
0376d8368c new upstream release 1.0.1g
- do not include ECC ciphersuites in SSLv2 client hello (#1090952)
- fail on hmac integrity check if the .hmac file is empty
2014-05-07 11:42:32 +02:00
Dennis Gilmore
e55cd2c0e4 pull in upstream patch for CVE-2014-0160
- removed CHANGES file portion from patch for expediency
2014-04-07 19:20:31 -05:00
Tomas Mraz
239d122765 add support for ppc64le architecture (#1072633) 2014-04-03 16:24:35 +02:00
Tomas Mraz
477d4a1758 properly detect encryption failure in BIO
- use 2048 bit RSA key in FIPS selftests
2014-03-17 17:22:08 +01:00
Tomas Mraz
423ab177c8 use the key length from configuration file if req -newkey rsa is invoked 2014-02-14 16:24:31 +01:00
Tomas Mraz
a9591c7f1f Add macro for performance build on certain arches. 2014-02-12 16:58:49 +01:00
Tomas Mraz
24632bb1db print ephemeral key size negotiated in TLS handshake (#1057715)
- add DH_compute_key_padded needed for FIPS CAVS testing
2014-02-12 16:20:03 +01:00
Tomas Mraz
abe62302b2 make expiration and key length changeable by DAYS and KEYLEN
variables in the certificate Makefile (#1058108)
- change default hash to sha256 (#1062325)
2014-02-06 18:07:59 +01:00
Tomas Mraz
40825564d8 make 3des strength to be 128 bits instead of 168 (#1056616) 2014-01-22 17:57:22 +01:00
Tomas Mraz
519fe2cc24 Two security fixes
- fix CVE-2013-4353 - Invalid TLS handshake crash
- fix CVE-2013-6450 - possible MiTM attack on DTLS1
2014-01-07 15:09:40 +01:00
Tomas Mraz
8978637f3b fix CVE-2013-6449 - crash when version in SSL structure is incorrect
- more FIPS validation requirement changes
2013-12-20 14:14:15 +01:00
Tomas Mraz
dc728e2d8b drop weak ciphers from the default TLS ciphersuite list
- add back some symbols that were dropped with update to 1.0.1 branch
- more FIPS validation requirement changes
2013-12-18 15:55:26 +01:00
Tomas Mraz
ad237d19e6 fix locking and reseeding problems with FIPS drbg 2013-11-19 14:52:30 +01:00
Tomas Mraz
e64d4ea7bb additional changes required for FIPS validation 2013-11-15 16:13:44 +01:00
Tomas Mraz
dcd0fb1ec9 disable verification of certificate, CRL, and OCSP signatures using MD5
if OPENSSL_ENABLE_MD5_VERIFY environment variable is not set
2013-11-13 19:42:54 +01:00
Tomas Mraz
83d99a68af add back support for secp521r1 EC curve
- add aarch64 to Configure (#969692)
2013-11-08 18:16:49 +01:00
Tomas Mraz
5714047e75 fix misdetection of RDRAND support on Cyrix CPUS (from upstream) (#1022346) 2013-10-29 16:24:08 +01:00
Tomas Mraz
eca676db7a do not advertise ECC curves we do not support (#1022493) 2013-10-24 10:40:18 +02:00
Tomas Mraz
b3551463ca only ECC NIST Suite B curves support
- drop -fips subpackage
2013-10-16 14:37:51 +02:00
Tom Callaway
1f19ac14f9 resolve bugzilla 319901 (phew! only took 6 years & 9 days) 2013-10-15 02:08:35 +01:00
Tomas Mraz
7ae1dc1df9 Bump release 2013-09-27 15:46:03 +02:00
Tomas Mraz
4e423c3c50 make DTLS1 work in FIPS mode
- avoid RSA and DSA 512 bits and Whirlpool in 'openssl speed' in FIPS mode
2013-09-27 15:43:51 +02:00
Tomas Mraz
df94661da5 avoid dlopening libssl.so from libcrypto (#1010357) 2013-09-23 18:30:01 +02:00
Tomas Mraz
372f3ac997 fix small memory leak in FIPS aes selftest 2013-09-20 16:04:50 +02:00
Tomas Mraz
8c28623e94 fix segfault in openssl speed hmac in the FIPS mode 2013-09-19 15:16:50 +02:00
Tomas Mraz
30ebb4d732 document the nextprotoneg option in manual pages
original patch by Hubert Kario
2013-09-12 10:39:33 +02:00
Tomas Mraz
ae08b15c89 document the nextprotoneg option in manual pages
original patch by Hubert Kario
2013-09-12 10:23:34 +02:00
Kyle McMartin
cb069618e7 arm: use auxv to figure out armcap.c instead of using signals (#1006474) 2013-09-11 10:36:42 -04:00
Tomas Mraz
eb63cc63df try to avoid some races when updating the -fips subpackage 2013-09-04 13:53:38 +02:00
Tomas Mraz
850ca72b9a use version-release in .hmac suffix to avoid overwrite during upgrade 2013-09-02 15:02:18 +02:00
Tomas Mraz
b5d2711ab6 allow deinitialization of the FIPS mode 2013-08-29 16:41:24 +02:00
Tomas Mraz
1465572e17 always perform the FIPS selftests in library constructor
if FIPS module is installed
2013-08-29 11:45:04 +02:00
Tomas Mraz
bb2f3882f2 add -fips subpackage that contains the FIPS module files 2013-08-27 16:03:43 +02:00
Tomas Mraz
9c324da28e fix use of rdrand if available
- more commits cherry picked from upstream
- documentation fixes
2013-08-16 16:06:51 +02:00
Petr Písař
a254940dd1 Perl 5.18 rebuild 2013-08-03 12:05:42 +02:00
Tomas Mraz
acdf8a62f6 use symbol versioning also for the textual version
- additional manual page fix
2013-07-26 13:16:10 +02:00
Tomas Mraz
9b36f08da8 additional manual page fixes 2013-07-25 15:14:25 +02:00
Tomas Mraz
653e1efa34 use _prefix macro 2013-07-19 11:46:56 +02:00
Petr Písař
49a1fc761b Perl 5.18 rebuild 2013-07-17 16:32:50 +02:00
Tomas Mraz
7ccde74773 add openssl.cnf.5 manpage symlink to config.5 2013-07-11 10:44:55 +02:00
Tomas Mraz
9555809e80 add relro linking flag 2013-07-10 17:54:24 +02:00
Tomas Mraz
30aa9303c7 add support for the -trusted_first option for certificate chain verification 2013-07-10 11:02:41 +02:00
Tomas Mraz
dad6e3ee78 fix build of manual pages with current pod2man (#959439) 2013-05-03 18:38:28 +02:00
Peter Robinson
6705192b85 Enable ARM optimised build 2013-04-21 14:33:34 +01:00
Tomas Mraz
64e30c5369 fix random bad record mac errors (#918981) 2013-03-18 21:34:18 +01:00
Tomas Mraz
9cf55df55b fix up the SHLIB_VERSION_NUMBER 2013-02-19 20:35:16 +01:00
Tomas Mraz
169c3a0ddb disable ZLIB loading by default (due to CRIME attack) 2013-02-19 16:41:14 +01:00
Tomas Mraz
dc696fdac4 new upstream version 2013-02-19 13:57:39 +01:00
Tomas Mraz
0fd0958b75 more fixes from upstream
- fix errors in manual causing build failure (#904777)
2013-01-30 18:32:56 +01:00
Tomas Mraz
2ca16b9a24 Add the renew-dummy-cert script to file list 2012-12-21 17:38:32 +01:00
Tomas Mraz
c67ea975b9 add script for renewal of a self-signed cert by Philip Prindeville (#871566)
- allow X509_issuer_and_serial_hash() produce correct result in
  the FIPS mode (#881336)
2012-12-21 17:21:50 +01:00
Tomas Mraz
07ac3d216e Fix bogus dates in changelog. 2012-12-07 12:37:49 +01:00
Tomas Mraz
650873ff0e do not load default verify paths if CApath or CAfile specified (#884305) 2012-12-06 18:30:15 +01:00
Tomas Mraz
12aab15a03 more fixes from upstream CVS
- fix DSA key pairwise check (#878597)
2012-11-20 22:33:42 +01:00
Tomas Mraz
d8e7bfc73b Add the marker for required patch. 2012-11-19 17:43:07 +01:00
Tomas Mraz
b7eb6f4a5f use 1024 bit DH parameters in s_server as 512 bit is not allowed
in FIPS mode and it is quite weak anyway
2012-11-15 21:11:36 +01:00
Tomas Mraz
79971bf194 Use secure_getenv() with new glibc. 2012-09-10 20:25:19 +02:00
Tomas Mraz
c015bd1b1e add missing initialization of str in aes_ccm_init_key (#853963)
- add important patches from upstream CVS
2012-09-07 10:48:56 +02:00
Dennis Gilmore
eaa5561c35 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild 2012-07-20 02:06:56 -05:00
Tomas Mraz
af044b4037 use __getenv_secure() instead of __libc_enable_secure 2012-07-13 22:21:05 +02:00
Tomas Mraz
72a1bddddc do not move libcrypto to /lib
- do not use environment variables if __libc_enable_secure is on
- fix strict aliasing problems in modes
2012-07-13 14:30:31 +02:00
Tomas Mraz
c2e3151786 do not move libcrypto to /lib
- do not use environment variables if __libc_enable_secure is on
- fix strict aliasing problems in modes
2012-07-13 14:23:34 +02:00
Tomas Mraz
55a3598cc7 fix DSA key generation in FIPS mode (#833866)
- allow duplicate FIPS_mode_set(1)
- enable build on ppc64 subarch (#834652)
2012-07-12 21:59:56 +02:00
Tomas Mraz
5183d32904 Make it build with new Perl 2012-07-12 00:35:57 +02:00
Tomas Mraz
18ccae20f6 fix s_server with new glibc when no global IPv6 address (#839031) 2012-07-12 00:04:06 +02:00
Tomas Mraz
5e74bace82 new upstream version 2012-05-15 19:40:22 +02:00
Tomas Mraz
651215c12b new upstream version 2012-05-15 19:37:55 +02:00
Tomas Mraz
5eb4589d83 new upstream version 2012-04-26 18:10:52 +02:00
Tomas Mraz
6a4bd67710 new upstream version fixing CVE-2012-2110 2012-04-20 12:30:37 +02:00
Tomas Mraz
e8c18345a4 new upstream version fixing CVE-2012-2110 2012-04-20 12:24:39 +02:00
Tomas Mraz
d46b44c249 add Kerberos 5 libraries to pkgconfig for static linking (#807050) 2012-04-11 16:33:03 +02:00
Tomas Mraz
d7587a26b6 backports from upstream CVS
fix segfault when /dev/urandom is not available (#809586)
2012-04-05 19:56:49 +02:00
Tomas Mraz
0f0ab24176 new upstream release 2012-03-14 21:38:58 +01:00
Tomas Mraz
0aa7d61151 add obsoletes to assist multilib updates (#799636) 2012-03-05 10:51:13 +01:00
Tomas Mraz
00c4986d53 new upstream release from the 1.0.1 branch
- epoch bumped to 1 due to revert to 1.0.0g on Fedora 17
- fix s390x build (#798411)
- versioning for the SSLeay symbol (#794950)
- add -DPURIFY to build flags (#797323)
- filter engine provides
- split the libraries to a separate -libs package
- add make to requires on the base package (#783446)
2012-02-29 21:54:08 +01:00
Tomas Mraz
ad05b50537 New upstream release from the 1.0.1 branch, ABI compatible
- also add documentation for the -no_ign_eof option
2012-02-07 13:46:42 +01:00
Tomas Mraz
d91aea8890 new upstream release fixing CVE-2012-0050 - DoS regression in
DTLS support introduced by the previous release (#782795)
2012-01-19 16:48:48 +01:00
Peter Robinson
48bba71e16 mktemp was long obsoleted by coreutils 2012-01-11 10:41:37 +00:00
Tomas Mraz
628d7e4989 new upstream release fixing multiple CVEs 2012-01-05 15:14:10 +01:00
Tomas Mraz
c28bd1cc5f Make the non-upstream tarball comment more clear. 2011-11-25 16:32:43 +01:00
Tomas Mraz
497f2d674c move the libraries needed for static linking to Libs.private 2011-11-22 11:53:40 +01:00
Tomas Mraz
6f65ffce68 do not use AVX instructions when osxsave bit not set
add direct known answer tests for SHA2 algorithms
2011-11-03 10:18:52 +01:00
Tomas Mraz
e4008f0b0e fix missing initialization of variable in CHIL engine 2011-09-21 17:34:13 +02:00
Tomas Mraz
3447c41c99 new upstream release fixing CVE-2011-3207 (#736088) 2011-09-07 18:27:06 +02:00
Tomas Mraz
4c970c62c5 drop the separate engine for Intel acceleration improvements
and merge in the AES-NI, SHA1, and RC4 optimizations
add support for OPENSSL_DISABLE_AES_NI environment variable
that disables the AES-NI support
2011-08-24 13:12:33 +02:00
Tomas Mraz
0ed17c0652 correct openssl cms help output (#636266)
more tolerant starttls detection in XMPP protocol (#608239)
2011-07-26 13:02:17 +02:00
Tomas Mraz
5c4fc08e4d add support for newest Intel acceleration improvements backported
from upstream by Intel in form of a separate engine
2011-07-20 14:56:21 +02:00
Tomas Mraz
f4fb8490a9 allow the AES-NI engine in the FIPS mode 2011-06-09 16:22:08 +02:00
Tomas Mraz
19062db533 add API necessary for CAVS testing of the new DSA parameter generation 2011-05-24 14:57:29 +02:00
Tomas Mraz
0b4cee3bc2 Allow easier rebuilds on some multilib arches. 2011-05-19 10:34:38 +02:00
Tomas Mraz
138493a921 add support for VIA Padlock on 64bit arch from upstream (#617539)
do not return bogus values from load_certs (#652286)
2011-04-28 21:58:56 +02:00
Tomas Mraz
8d20fec281 clarify apps help texts for available digest algorithms (#693858) 2011-04-05 21:24:01 +02:00
Tomas Mraz
1caf3ae072 - new upstream release fixing CVE-2011-0014 (OCSP stapling vulnerability) 2011-02-10 15:41:44 +01:00
Dennis Gilmore
ccc6e6f1c6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild 2011-02-08 21:34:08 -06:00
Tomas Mraz
65ebbaecc7 - add -x931 parameter to openssl genrsa command to use the ANSI X9.31
key generation method
- use FIPS-186-3 method for DSA parameter generation
- add OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW environment variable
  to allow using MD5 when the system is in the maintenance state
  even if the /proc fips flag is on
- make openssl pkcs12 command work by default in the FIPS mode
2011-02-04 15:27:28 +01:00
Tomas Mraz
15fad7109b - add -x931 parameter to openssl genrsa command to use the ANSI X9.31
key generation method
- use FIPS-186-3 method for DSA parameter generation
- add OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW environment variable
  to allow using MD5 when the system is in the maintenance state
  even if the /proc fips flag is on
2011-02-04 15:14:18 +01:00
Tomas Mraz
09127ac54a - listen on ipv6 wildcard in s_server so we accept connections
from both ipv4 and ipv6 (#601612)
- fix openssl speed command so it can be used in the FIPS mode
  with FIPS allowed ciphers
2011-01-24 17:41:43 +01:00
Tomas Mraz
154f82b97d - new upstream version fixing CVE-2010-4180 2010-12-03 14:23:13 +01:00
Tomas Mraz
0a5657ab94 - replace the revert for the s390x bignum asm routines with
fix from upstream
2010-12-03 14:19:39 +01:00
Tomas Mraz
143a23a635 - bump release 2010-11-23 10:07:16 +01:00
Tomas Mraz
6e7d6d4dfd - replace the revert for the s390x bignum asm routines with
fix from upstream
2010-11-23 09:51:17 +01:00
Tomas Mraz
23675ff78b - revert upstream change in s390x bignum asm routines 2010-11-22 15:15:11 +01:00
Tomas Mraz
3ff2d49a83 - new upstream version fixing CVE-2010-3864 (#649304) 2010-11-16 18:21:39 +01:00
Tomas Mraz
17a6aec60b - make SHLIB_VERSION reflect the library suffix 2010-09-07 21:41:52 +02:00
Tomáš Mráz
56642f75b1 - openssl man page fix (#609484) 2010-06-30 12:36:47 +00:00
Tomáš Mráz
1b4b1eaf63 - new upstream patch release, fixes CVE-2010-0742 (#598738) and
CVE-2010-1633 (#598732)
2010-06-04 12:23:14 +00:00
Tomáš Mráz
6adf85458c - pkgconfig files now contain the correct libdir (#593723) 2010-05-19 15:39:13 +00:00
Tomáš Mráz
ae0beee7db - make CA dir readable - the private keys are in private subdir (#584810) 2010-05-18 15:40:32 +00:00
Tomáš Mráz
290d51ec7f - make CA dir readable - the private keys are in private subdir (#584810) 2010-05-18 15:34:17 +00:00
Tomáš Mráz
3bdf494b4f - a few fixes from upstream CVS
- move libcrypto to /lib (#559953)
2010-04-09 15:25:39 +00:00
Tomáš Mráz
7325c65a3e - set UTC timezone on pod2man run (#578842)
- make X509_NAME_hash_old work in FIPS mode
2010-04-06 14:49:34 +00:00
Tomáš Mráz
c2fc1058b4 - set UTC timezone on pod2man run (#578842) 2010-04-06 14:35:57 +00:00
Tomáš Mráz
fa66cf4b52 - update to final 1.0.0 upstream release 2010-03-30 09:37:41 +00:00
Tomáš Mráz
7c4ab8ff8e - make TLS work in the FIPS mode 2010-02-16 23:21:07 +00:00
Tomáš Mráz
bffe20438c - gracefully handle zero length in assembler implementations of
OPENSSL_cleanse (#564029)
- do not fail in s_server if client hostname not resolvable (#561260)
2010-02-12 17:20:50 +00:00
Tomáš Mráz
ae5568515b - new upstream release 2010-01-21 08:12:12 +00:00
Tomáš Mráz
79249339a7 - fix CVE-2009-4355 - leak in applications incorrectly calling
CRYPTO_free_all_ex_data() before application exit (#546707)
- upstream fix for future TLS protocol version handling
2010-01-14 08:57:34 +00:00
Tomáš Mráz
7f0747ce73 - add support for Intel AES-NI 2010-01-13 09:21:02 +00:00
Tomáš Mráz
2d6ef07fa3 - upstream fix compression handling on session resumption
- various null checks and other small fixes from upstream
- upstream changes for the renegotiation info according to the latest draft
2010-01-07 22:43:57 +00:00
Tomáš Mráz
5845987ab4 - fix non-fips mingw build (patch by Kalev Lember)
- add IPV6 fix for DTLS
2009-11-23 07:54:08 +00:00
Tomáš Mráz
c9026def03 - add better error reporting for the unsafe renegotiation 2009-11-20 17:30:27 +00:00
Tomáš Mráz
359f84cd81 - fix build on s390x 2009-11-20 09:27:16 +00:00
Tomáš Mráz
5b761f5986 - disable enforcement of the renegotiation extension on the client
(#537962)
- add fixes from the current upstream snapshot
2009-11-18 13:14:13 +00:00
Tomáš Mráz
982ac6e5f9 - keep the beta status in version number at 3 so we do not have to rebuild
openssh and possibly other dependencies with too strict version check
2009-11-13 12:11:41 +00:00
Tomáš Mráz
a9fcedd3fb - keep the beta status in version number at 3 so we do not have to rebuild
openssh and possibly other dependencies with too strict version check
2009-11-13 11:45:07 +00:00
Tomáš Mráz
654ccf4a2f - add fix to compile on new binutils 2009-11-12 16:27:52 +00:00
Tomáš Mráz
aabbc9ad89 - update to new upstream version, no soname bump needed
- fix CVE-2009-3555 - note that the fix is bypassed if SSL_OP_ALL is used
    so the compatibility with unfixed clients is not broken. The protocol
    extension is also not final.
2009-11-12 15:51:40 +00:00
Tomáš Mráz
e0fe963bd1 - fix use of freed memory if SSL_CTX_free() is called before SSL_free()
(#521342)
2009-10-16 11:28:02 +00:00
Tomáš Mráz
1a303f4853 - fix typo in DTLS1 code (#527015)
- fix leak in error handling of d2i_SSL_SESSION()
2009-10-08 18:45:10 +00:00
Tomáš Mráz
75f7276f8b - fix RSA and DSA FIPS selftests
- reenable fixed x86_64 camellia assembler code (#521127)
2009-09-30 18:18:48 +00:00