Dmitry Belyavskiy 
							
						 
					 
					
						
						
						
						
							
						
						
							02c75e5a65 
							
						 
					 
					
						
						
							
							We dont'want totally forbid RSA encryption.  
						
						... 
						
						
						
						Related: rhbz#2053289 
						
					 
					
						2022-05-02 15:54:28 +02:00 
						 
				 
			
				
					
						
							
							
								Clemens Lang 
							
						 
					 
					
						
						
						
						
							
						
						
							9afaa3d1f4 
							
						 
					 
					
						
						
							
							Fix regression in evp_pkey_name2type caused by tr_TR locale fix  
						
						... 
						
						
						
						Resolves: rhbz#2071631
Signed-off-by: Clemens Lang <cllang@redhat.com> 
						
					 
					
						2022-04-28 13:39:35 +02:00 
						 
				 
			
				
					
						
							
							
								Dmitry Belyavskiy 
							
						 
					 
					
						
						
						
						
							
						
						
							a711ac2e4f 
							
						 
					 
					
						
						
							
							Fix openssl curl error with LANG=tr_TR.utf8  
						
						... 
						
						
						
						Resolves: rhbz#2071631 
						
					 
					
						2022-04-21 15:16:46 +02:00 
						 
				 
			
				
					
						
							
							
								Dmitry Belyavskiy 
							
						 
					 
					
						
						
						
						
							
						
						
							c0744a0cbf 
							
						 
					 
					
						
						
							
							Temporary manual test  
						
						
						
					 
					
						2022-04-21 13:20:27 +02:00 
						 
				 
			
				
					
						
							
							
								Dmitry Belyavskiy 
							
						 
					 
					
						
						
						
						
							
						
						
							7a1c7b28bc 
							
						 
					 
					
						
						
							
							FIPS provider doesn't block RSA encryption for key transport  
						
						... 
						
						
						
						Resolves: rhbz#2053289 
						
					 
					
						2022-03-29 13:32:47 +02:00 
						 
				 
			
				
					
						
							
							
								Clemens Lang 
							
						 
					 
					
						
						
						
						
							
						
						
							93ff3f8fe5 
							
						 
					 
					
						
						
							
							Fix occasional internal error in TLS when DHE is used  
						
						... 
						
						
						
						Resolves: rhbz#2004915
Signed-off-by: Clemens Lang <cllang@redhat.com> 
						
					 
					
						2022-03-22 13:04:16 +01:00 
						 
				 
			
				
					
						
							
							
								Clemens Lang 
							
						 
					 
					
						
						
						
						
							
						
						
							153f593fa6 
							
						 
					 
					
						
						
							
							Fix SHA1 certs in LEGACY without openssl lib ctxt  
						
						... 
						
						
						
						Resolves: rhbz#2065400
Signed-off-by: Clemens Lang <cllang@redhat.com> 
						
					 
					
						2022-03-18 13:36:55 +01:00 
						 
				 
			
				
					
						
							
							
								Clemens Lang 
							
						 
					 
					
						
						
						
						
							
						
						
							4eb630f7d5 
							
						 
					 
					
						
						
							
							Fix TLS connections with SHA1 signatures if rh-allow-sha1-signatures = yes  
						
						... 
						
						
						
						Resolves: rhbz#2065400
Signed-off-by: Clemens Lang <cllang@redhat.com> 
						
					 
					
						2022-03-18 09:27:51 +01:00 
						 
				 
			
				
					
						
							
							
								Dmitry Belyavskiy 
							
						 
					 
					
						
						
						
						
							
						
						
							03697fff80 
							
						 
					 
					
						
						
							
							CVE-2022-0778 fix  
						
						... 
						
						
						
						Resolves: rhbz#2062315 
						
					 
					
						2022-03-16 15:03:25 +01:00 
						 
				 
			
				
					
						
							
							
								Clemens Lang 
							
						 
					 
					
						
						
						
						
							
						
						
							bc7dfd9722 
							
						 
					 
					
						
						
							
							Fix RSA PSS padding with SHA-1 disabled  
						
						... 
						
						
						
						Invocations of EVP_PKEY_CTX_set_rsa_padding(RSA_PKCS1_PSS_PADDING)
before setting an allowed digest with EVP_PKEY_CTX_set_signature_md()
would fail with SHA-1 use in signatures disabled, because OpenSSL's
internal default for the digest was SHA-1.
This isn't documented in any of the manpages, hence we expect users to
always call both EVP_PKEY_CTX_set_rsa_padding() and
EVP_PKEY_CTX_set_signature_md(). We do not want set_rsa_padding() to
fail if users set a non-SHA-1 signature algorithm after setting the
padding mode, though, so change the internal default to SHA-256 if SHA-1
is disabled.
Resolves: rhbz#2062640 
						
					 
					
						2022-03-10 13:29:29 +01:00 
						 
				 
			
				
					
						
							
							
								Clemens Lang 
							
						 
					 
					
						
						
						
						
							
						
						
							3c66c99bd5 
							
						 
					 
					
						
						
							
							Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes  
						
						... 
						
						
						
						We want legacy policy to be able to talk to older RHEL that only
supports SHA1 signature algorithms, so allow SHA1 signatures even in
seclevel 2 if rh-allow-sha1-signatures is set to yes.
Resolves: rhbz#2060510
Signed-off-by: Clemens Lang <cllang@redhat.com> 
						
					 
					
						2022-03-04 10:19:04 +01:00 
						 
				 
			
				
					
						
							
							
								Clemens Lang 
							
						 
					 
					
						
						
						
						
							
						
						
							ede38fcb54 
							
						 
					 
					
						
						
							
							Prevent use of SHA1 with ECDSA  
						
						... 
						
						
						
						providers/implementations/signature/{ec,}dsa_sig.c accept a NID_undef
digest, so to prevent SHA1 from working with ECDSA and DSA, we must
return a negative value in securitycheck.c.
Resolves: rhbz#2031742 
						
					 
					
						2022-02-25 14:45:22 +01:00 
						 
				 
			
				
					
						
							
							
								Dmitry Belyavskiy 
							
						 
					 
					
						
						
						
						
							
						
						
							ea9f0a5726 
							
						 
					 
					
						
						
							
							OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters  
						
						... 
						
						
						
						Resolves: rhbz#1977867 
						
					 
					
						2022-02-25 12:37:01 +01:00 
						 
				 
			
				
					
						
							
							
								Peter Robinson 
							
						 
					 
					
						
						
						
						
							
						
						
							849a9965ee 
							
						 
					 
					
						
						
							
							Support KBKDF (NIST SP800-108) with an R value of 8bits Resolves: rhbz#2027261  
						
						... 
						
						
						
						Signed-off-by: Peter Robinson <pbrobinson@redhat.com> 
						
					 
					
						2022-02-24 10:14:16 +00:00 
						 
				 
			
				
					
						
							
							
								Clemens Lang 
							
						 
					 
					
						
						
						
						
							
						
						
							53f53fedec 
							
						 
					 
					
						
						
							
							Allow SHA1 usage in MGF1 for RSASSA-PSS signatures  
						
						... 
						
						
						
						Resolves: rhbz#2031742
Signed-off-by: Clemens Lang <cllang@redhat.com> 
						
					 
					
						2022-02-23 17:53:55 +01:00 
						 
				 
			
				
					
						
							
							
								Dmitry Belyavskiy 
							
						 
					 
					
						
						
						
						
							
						
						
							b33dfd3fc3 
							
						 
					 
					
						
						
							
							Spec bump  
						
						... 
						
						
						
						Resolves: rhbz#2031742 
						
					 
					
						2022-02-23 11:47:25 +01:00 
						 
				 
			
				
					
						
							
							
								Clemens Lang 
							
						 
					 
					
						
						
						
						
							
						
						
							5a9ab1160e 
							
						 
					 
					
						
						
							
							Allow SHA1 usage in HMAC in TLS  
						
						... 
						
						
						
						The EVP_DigestSign API is used in TLS to compute a SHA1 HMAC, which is
OK from our point of view, but was blocked so far. Modify
0049-Selectively-disallow-SHA1-signatures.patch to check the EVP_PKEY
type for HMAC (and TLS1-PRF and HKDF), and allow SHA1 for these cases.
Note that TLS1.1 signs a MD5-SHA1 hash with a private key, which does
not work with rh-allow-sha1-signatures = no, so the minimum TLS version
will be TLS 1.2.
Resolves: rhbz#2031742
Signed-off-by: Clemens Lang <cllang@redhat.com> 
						
					 
					
						2022-02-22 19:40:20 +01:00 
						 
				 
			
				
					
						
							
							
								Dmitry Belyavskiy 
							
						 
					 
					
						
						
						
						
							
						
						
							53b85f538c 
							
						 
					 
					
						
						
							
							OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters  
						
						... 
						
						
						
						Resolves: rhbz#1977867 
						
					 
					
						2022-02-22 16:32:34 +01:00 
						 
				 
			
				
					
						
							
							
								Dmitry Belyavskiy 
							
						 
					 
					
						
						
						
						
							
						
						
							d79f404164 
							
						 
					 
					
						
						
							
							Allows non-fips KDF for PKCS#12  
						
						... 
						
						
						
						Related: rhbz#2049265 
						
					 
					
						2022-02-22 16:30:16 +01:00 
						 
				 
			
				
					
						
							
							
								Clemens Lang 
							
						 
					 
					
						
						
						
						
							
						
						
							78fb78d307 
							
						 
					 
					
						
						
							
							Disable SHA1 signature creation and verification by default  
						
						... 
						
						
						
						Set rh-allow-sha1-signatures = yes to re-enable
Resolves: rhbz#2031742
Signed-off-by: Clemens Lang <cllang@redhat.com> 
						
					 
					
						2022-02-22 12:25:35 +01:00 
						 
				 
			
				
					
						
							
							
								Sahana Prasad 
							
						 
					 
					
						
						
						
						
							
						
						
							0a5c81da78 
							
						 
					 
					
						
						
							
							s_server: correctly handle 2^14 byte long records  
						
						... 
						
						
						
						Resolves: rhbz#2042011
Signed-off-by: Sahana Prasad <sahana@redhat.com> 
						
					 
					
						2022-02-03 15:37:48 +01:00 
						 
				 
			
				
					
						
							
							
								Dmitry Belyavskiy 
							
						 
					 
					
						
						
						
						
							
						
						
							922b5301ea 
							
						 
					 
					
						
						
							
							Adjust FIPS provider version  
						
						... 
						
						
						
						FIPS provider version is now autofilled from release and date
Related: rhbz#2026445 
						
					 
					
						2022-02-01 16:02:01 +01:00 
						 
				 
			
				
					
						
							
							
								Dmitry Belyavskiy 
							
						 
					 
					
						
						
						
						
							
						
						
							8c3b745547 
							
						 
					 
					
						
						
							
							On the s390x, zeroize all the copies of TLS premaster secret  
						
						... 
						
						
						
						Related: rhbz#2040448 
						
					 
					
						2022-01-26 16:50:19 +01:00 
						 
				 
			
				
					
						
							
							
								Dmitry Belyavskiy 
							
						 
					 
					
						
						
						
						
							
						
						
							92e721fa5d 
							
						 
					 
					
						
						
							
							Rebuild  
						
						... 
						
						
						
						Related: rhbz#2026445 
						
					 
					
						2022-01-21 14:40:57 +01:00 
						 
				 
			
				
					
						
							
							
								Dmitry Belyavskiy 
							
						 
					 
					
						
						
						
						
							
						
						
							691c22b61c 
							
						 
					 
					
						
						
							
							Remove volatile attribute from HMAC to make annocheck happy  
						
						... 
						
						
						
						Related: rhbz#1985362 
						
					 
					
						2022-01-21 13:48:28 +01:00 
						 
				 
			
				
					
						
							
							
								Dmitry Belyavskiy 
							
						 
					 
					
						
						
						
						
							
						
						
							d237e7f301 
							
						 
					 
					
						
						
							
							Restoring fips=yes to SHA-1  
						
						... 
						
						
						
						Related: rhbz#2026445 
						
					 
					
						2022-01-21 13:48:28 +01:00 
						 
				 
			
				
					
						
							
							
								Dmitry Belyavskiy 
							
						 
					 
					
						
						
						
						
							
						
						
							9df33eabbe 
							
						 
					 
					
						
						
							
							KATS self-tests should run before HMAC verifcation  
						
						... 
						
						
						
						Related: rhbz#2041994 
						
					 
					
						2022-01-21 13:48:28 +01:00 
						 
				 
			
				
					
						
							
							
								Sahana Prasad 
							
						 
					 
					
						
						
						
						
							
						
						
							f5421022ee 
							
						 
					 
					
						
						
							
							Adds enable-buildtest-c++ to the configure options.  
						
						... 
						
						
						
						Related: rhbz#1990814
Signed-off-by: Sahana Prasad <sahana@redhat.com> 
						
					 
					
						2022-01-20 16:37:50 +01:00 
						 
				 
			
				
					
						
							
							
								Sahana Prasad 
							
						 
					 
					
						
						
						
						
							
						
						
							78a467efcc 
							
						 
					 
					
						
						
							
							Rebase to upstream version 3.0.1  
						
						... 
						
						
						
						Fixes CVE-2021-4044 Invalid handling of X509_verify_cert() internal errors in libssl
Resolves: rhbz#2038910, rhbz#2035148
Signed-off-by: Sahana Prasad <sahana@redhat.com> 
						
					 
					
						2022-01-18 18:30:10 +01:00 
						 
				 
			
				
					
						
							
							
								Dmitry Belyavskiy 
							
						 
					 
					
						
						
						
						
							
						
						
							e63c4b68b2 
							
						 
					 
					
						
						
							
							Update spec file, remove fipsmodule.cnf  
						
						... 
						
						
						
						Related: rhbz#2026445 
						
					 
					
						2022-01-17 14:18:22 +01:00 
						 
				 
			
				
					
						
							
							
								Dmitry Belyavskiy 
							
						 
					 
					
						
						
						
						
							
						
						
							6cdaa527d8 
							
						 
					 
					
						
						
							
							Explicitly permit SHA1 HMAC  
						
						... 
						
						
						
						Related: rhbz#2026445 
						
					 
					
						2022-01-17 13:19:40 +01:00 
						 
				 
			
				
					
						
							
							
								Dmitry Belyavskiy 
							
						 
					 
					
						
						
						
						
							
						
						
							cc37486d86 
							
						 
					 
					
						
						
							
							Minimize the list of services allowed for FIPS  
						
						... 
						
						
						
						Related: rhbz#2026445 
						
					 
					
						2022-01-17 13:19:29 +01:00 
						 
				 
			
				
					
						
							
							
								Dmitry Belyavskiy 
							
						 
					 
					
						
						
						
						
							
						
						
							225b6d37b9 
							
						 
					 
					
						
						
							
							openssl speed should run in FIPS mode  
						
						... 
						
						
						
						Related: rhbz#1977318 
						
					 
					
						2021-12-21 16:16:07 +01:00 
						 
				 
			
				
					
						
							
							
								Dmitry Belyavskiy 
							
						 
					 
					
						
						
						
						
							
						
						
							13dc3794cb 
							
						 
					 
					
						
						
							
							Make rpminspect happy  
						
						
						
					 
					
						2021-12-10 14:19:15 +01:00 
						 
				 
			
				
					
						
							
							
								Dmitry Belyavskiy 
							
						 
					 
					
						
						
						
						
							
						
						
							4c1c00d6af 
							
						 
					 
					
						
						
							
							Updated spec, some cleanup done  
						
						... 
						
						
						
						Related: rhbz#1985362 
						
					 
					
						2021-11-24 13:44:25 +01:00 
						 
				 
			
				
					
						
							
							
								Dmitry Belyavskiy 
							
						 
					 
					
						
						
						
						
							
						
						
							9422ae52de 
							
						 
					 
					
						
						
							
							Always activate default provider via config  
						
						... 
						
						
						
						Related: rhbz#1985362 
						
					 
					
						2021-11-23 16:52:23 +01:00 
						 
				 
			
				
					
						
							
							
								Dmitry Belyavskiy 
							
						 
					 
					
						
						
						
						
							
						
						
							210c37e906 
							
						 
					 
					
						
						
							
							Disable fipsinstall application  
						
						... 
						
						
						
						Related: rhbz#1985362 
						
					 
					
						2021-11-23 15:02:48 +01:00 
						 
				 
			
				
					
						
							
							
								Dmitry Belyavskiy 
							
						 
					 
					
						
						
						
						
							
						
						
							3ff0db7558 
							
						 
					 
					
						
						
							
							Embed correct HMAC into fips provider  
						
						... 
						
						
						
						We have stripped production version and unstripped version for tests.
Related: rhbz#1985362 
						
					 
					
						2021-11-23 15:02:14 +01:00 
						 
				 
			
				
					
						
							
							
								Dmitry Belyavskiy 
							
						 
					 
					
						
						
						
						
							
						
						
							5c4e10ac26 
							
						 
					 
					
						
						
							
							FIPS provider auto activation  
						
						... 
						
						
						
						When FIPS flag is on, we load fips provider and set properties to fips.
FIPS checksum is embedded in FIPS provider itself
Related: rhbz#1985362 
						
					 
					
						2021-11-23 15:01:33 +01:00 
						 
				 
			
				
					
						
							
							
								Dmitry Belyavskiy 
							
						 
					 
					
						
						
						
						
							
						
						
							694c426faf 
							
						 
					 
					
						
						
							
							Fix memory leak in s_client  
						
						... 
						
						
						
						Related: rhbz#1996092 
						
					 
					
						2021-10-07 19:08:23 +02:00 
						 
				 
			
				
					
						
							
							
								Dmitry Belyavskiy 
							
						 
					 
					
						
						
						
						
							
						
						
							b76c2316a3 
							
						 
					 
					
						
						
							
							KTLS and FIPS may interfere, so tests need to be tuned  
						
						... 
						
						
						
						Resolves: rhbz#1961643 
						
					 
					
						2021-09-22 17:15:22 +02:00 
						 
				 
			
				
					
						
							
							
								Dmitry Belyavskiy 
							
						 
					 
					
						
						
						
						
							
						
						
							3edf474b5d 
							
						 
					 
					
						
						
							
							Avoid double-free on error seeding the RNG.  
						
						... 
						
						
						
						Resolves: rhbz#1952844 
						
					 
					
						2021-09-20 17:13:26 +02:00 
						 
				 
			
				
					
						
							
							
								Sahana Prasad 
							
						 
					 
					
						
						
						
						
							
						
						
							34d46544a5 
							
						 
					 
					
						
						
							
							Rebase to upstream version 3.0.0  
						
						... 
						
						
						
						Related: rhbz#1990814
Signed-off-by: Sahana Prasad <sahana@redhat.com> 
						
					 
					
						2021-09-09 13:07:02 +02:00 
						 
				 
			
				
					
						
							
							
								Sahana Prasad 
							
						 
					 
					
						
						
						
						
							
						
						
							07de966235 
							
						 
					 
					
						
						
							
							- Removes the dual-abi build as it not required anymore. The mass rebuild  
						
						... 
						
						
						
						was completed and all packages are rebuilt against Beta version.
Resolves: rhbz#1984097
Signed-off-by: Sahana Prasad <sahana@redhat.com> 
						
					 
					
						2021-08-25 17:02:52 +02:00 
						 
				 
			
				
					
						
							
							
								Dmitry Belyavskiy 
							
						 
					 
					
						
						
						
						
							
						
						
							ddd1eb3708 
							
						 
					 
					
						
						
							
							Correctly processing CMS reading from /dev/stdin  
						
						... 
						
						
						
						Resolves: rhbz#1986315 
						
					 
					
						2021-08-23 10:45:49 +02:00 
						 
				 
			
				
					
						
							
							
								Sahana Prasad 
							
						 
					 
					
						
						
						
						
							
						
						
							49de59749c 
							
						 
					 
					
						
						
							
							Add instruction for loading legacy provider in openssl.cnf  
						
						... 
						
						
						
						Resolves: rhbz#1975836
Signed-off-by: Sahana Prasad <sahana@redhat.com> 
						
					 
					
						2021-08-16 14:16:12 +02:00 
						 
				 
			
				
					
						
							
							
								Sahana Prasad 
							
						 
					 
					
						
						
						
						
							
						
						
							03899fca38 
							
						 
					 
					
						
						
							
							Adds support for IDEA encryption.  
						
						... 
						
						
						
						Resolves: rhbz#1990602
Signed-off-by: Sahana Prasad <sahana@redhat.com> 
						
					 
					
						2021-08-16 11:44:00 +02:00 
						 
				 
			
				
					
						
							
							
								Sahana Prasad 
							
						 
					 
					
						
						
						
						
							
						
						
							0c6f4a599c 
							
						 
					 
					
						
						
							
							- Fixes core dump in openssl req -modulus  
						
						... 
						
						
						
						- Fixes 'openssl req' to not ask for password when non-encrypted private key
  is used
- cms: Do not try to check binary format on stdin and -rctform fix
- Resolves: rhbz#1988137, rhbz#1988468, rhbz#1988137
Signed-off-by: Sahana Prasad <sahana@redhat.com> 
						
					 
					
						2021-08-10 16:54:16 +02:00 
						 
				 
			
				
					
						
							
							
								Mohan Boddu 
							
						 
					 
					
						
						
						
						
							
						
						
							2862adca42 
							
						 
					 
					
						
						
							
							Rebuilt for IMA sigs, glibc 2.34, aarch64 flags  
						
						... 
						
						
						
						Related: rhbz#1991688
Signed-off-by: Mohan Boddu <mboddu@redhat.com> 
						
					 
					
						2021-08-09 22:44:21 +00:00 
						 
				 
			
				
					
						
							
							
								Dmitry Belyavskiy 
							
						 
					 
					
						
						
						
						
							
						
						
							ecb6630fd3 
							
						 
					 
					
						
						
							
							When signature_algorithm extension is omitted, use more relevant alerts  
						
						... 
						
						
						
						Resolves: rhbz#1965017 
						
					 
					
						2021-08-04 15:55:01 +02:00