jonathan/openssl
1
0
Fork 0
forked from rpms/openssl
Code Pull Requests Activity
449 Commits 9 Branches 54 Tags 3.3 MiB
1a7b91b472
Commit Graph

372 Commits

Author SHA1 Message Date
Peter Robinson
b5f54ff916 Drop obsolete and irrelevant docs, Move devel docs to appropriate package, they're all rather large and of little use for all but historical reference 2014-05-31 22:49:33 +01:00
Tomas Mraz
0376d8368c new upstream release 1.0.1g 
- do not include ECC ciphersuites in SSLv2 client hello (#1090952)
- fail on hmac integrity check if the .hmac file is empty
 2014-05-07 11:42:32 +02:00
Dennis Gilmore
e55cd2c0e4 pull in upstream patch for CVE-2014-0160 
- removed CHANGES file portion from patch for expediency
 2014-04-07 19:20:31 -05:00
Tomas Mraz
239d122765 add support for ppc64le architecture (#1072633) 2014-04-03 16:24:35 +02:00
Tomas Mraz
477d4a1758 properly detect encryption failure in BIO 
- use 2048 bit RSA key in FIPS selftests
 2014-03-17 17:22:08 +01:00
Tomas Mraz
423ab177c8 use the key length from configuration file if req -newkey rsa is invoked 2014-02-14 16:24:31 +01:00
Tomas Mraz
a9591c7f1f Add macro for performance build on certain arches. 2014-02-12 16:58:49 +01:00
Tomas Mraz
24632bb1db print ephemeral key size negotiated in TLS handshake (#1057715) 
- add DH_compute_key_padded needed for FIPS CAVS testing
 2014-02-12 16:20:03 +01:00
Tomas Mraz
abe62302b2 make expiration and key length changeable by DAYS and KEYLEN 
variables in the certificate Makefile (#1058108)
- change default hash to sha256 (#1062325)
 2014-02-06 18:07:59 +01:00
Tomas Mraz
40825564d8 make 3des strength to be 128 bits instead of 168 (#1056616) 2014-01-22 17:57:22 +01:00
Tomas Mraz
519fe2cc24 Two security fixes 
- fix CVE-2013-4353 - Invalid TLS handshake crash
- fix CVE-2013-6450 - possible MiTM attack on DTLS1
 2014-01-07 15:09:40 +01:00
Tomas Mraz
8978637f3b fix CVE-2013-6449 - crash when version in SSL structure is incorrect 
- more FIPS validation requirement changes
 2013-12-20 14:14:15 +01:00
Tomas Mraz
dc728e2d8b drop weak ciphers from the default TLS ciphersuite list 
- add back some symbols that were dropped with update to 1.0.1 branch
- more FIPS validation requirement changes
 2013-12-18 15:55:26 +01:00
Tomas Mraz
ad237d19e6 fix locking and reseeding problems with FIPS drbg 2013-11-19 14:52:30 +01:00
Tomas Mraz
e64d4ea7bb additional changes required for FIPS validation 2013-11-15 16:13:44 +01:00
Tomas Mraz
dcd0fb1ec9 disable verification of certificate, CRL, and OCSP signatures using MD5 
if OPENSSL_ENABLE_MD5_VERIFY environment variable is not set
 2013-11-13 19:42:54 +01:00
Tomas Mraz
83d99a68af add back support for secp521r1 EC curve 
- add aarch64 to Configure (#969692)
 2013-11-08 18:16:49 +01:00
Tomas Mraz
5714047e75 fix misdetection of RDRAND support on Cyrix CPUS (from upstream) (#1022346) 2013-10-29 16:24:08 +01:00
Tomas Mraz
eca676db7a do not advertise ECC curves we do not support (#1022493) 2013-10-24 10:40:18 +02:00
Tomas Mraz
b3551463ca only ECC NIST Suite B curves support 
- drop -fips subpackage
 2013-10-16 14:37:51 +02:00
Tom Callaway
1f19ac14f9 resolve bugzilla 319901 (phew! only took 6 years & 9 days) 2013-10-15 02:08:35 +01:00
Tomas Mraz
7ae1dc1df9 Bump release 2013-09-27 15:46:03 +02:00
Tomas Mraz
4e423c3c50 make DTLS1 work in FIPS mode 
- avoid RSA and DSA 512 bits and Whirlpool in 'openssl speed' in FIPS mode
 2013-09-27 15:43:51 +02:00
Tomas Mraz
df94661da5 avoid dlopening libssl.so from libcrypto (#1010357) 2013-09-23 18:30:01 +02:00
Tomas Mraz
372f3ac997 fix small memory leak in FIPS aes selftest 2013-09-20 16:04:50 +02:00
Tomas Mraz
8c28623e94 fix segfault in openssl speed hmac in the FIPS mode 2013-09-19 15:16:50 +02:00
Tomas Mraz
30ebb4d732 document the nextprotoneg option in manual pages 
original patch by Hubert Kario
 2013-09-12 10:39:33 +02:00
Tomas Mraz
ae08b15c89 document the nextprotoneg option in manual pages 
original patch by Hubert Kario
 2013-09-12 10:23:34 +02:00
Kyle McMartin
cb069618e7 arm: use auxv to figure out armcap.c instead of using signals (#1006474) 2013-09-11 10:36:42 -04:00
Tomas Mraz
eb63cc63df try to avoid some races when updating the -fips subpackage 2013-09-04 13:53:38 +02:00
Tomas Mraz
850ca72b9a use version-release in .hmac suffix to avoid overwrite during upgrade 2013-09-02 15:02:18 +02:00
Tomas Mraz
b5d2711ab6 allow deinitialization of the FIPS mode 2013-08-29 16:41:24 +02:00
Tomas Mraz
1465572e17 always perform the FIPS selftests in library constructor 
if FIPS module is installed
 2013-08-29 11:45:04 +02:00
Tomas Mraz
bb2f3882f2 add -fips subpackage that contains the FIPS module files 2013-08-27 16:03:43 +02:00
Tomas Mraz
9c324da28e fix use of rdrand if available 
- more commits cherry picked from upstream
- documentation fixes
 2013-08-16 16:06:51 +02:00
Petr Písař
a254940dd1 Perl 5.18 rebuild 2013-08-03 12:05:42 +02:00
Tomas Mraz
acdf8a62f6 use symbol versioning also for the textual version 
- additional manual page fix
 2013-07-26 13:16:10 +02:00
Tomas Mraz
9b36f08da8 additional manual page fixes 2013-07-25 15:14:25 +02:00
Tomas Mraz
653e1efa34 use _prefix macro 2013-07-19 11:46:56 +02:00
Petr Písař
49a1fc761b Perl 5.18 rebuild 2013-07-17 16:32:50 +02:00
Tomas Mraz
7ccde74773 add openssl.cnf.5 manpage symlink to config.5 2013-07-11 10:44:55 +02:00
Tomas Mraz
9555809e80 add relro linking flag 2013-07-10 17:54:24 +02:00
Tomas Mraz
30aa9303c7 add support for the -trusted_first option for certificate chain verification 2013-07-10 11:02:41 +02:00
Tomas Mraz
dad6e3ee78 fix build of manual pages with current pod2man (#959439) 2013-05-03 18:38:28 +02:00
Peter Robinson
6705192b85 Enable ARM optimised build 2013-04-21 14:33:34 +01:00
Tomas Mraz
64e30c5369 fix random bad record mac errors (#918981) 2013-03-18 21:34:18 +01:00
Tomas Mraz
9cf55df55b fix up the SHLIB_VERSION_NUMBER 2013-02-19 20:35:16 +01:00
Tomas Mraz
169c3a0ddb disable ZLIB loading by default (due to CRIME attack) 2013-02-19 16:41:14 +01:00
Tomas Mraz
dc696fdac4 new upstream version 2013-02-19 13:57:39 +01:00
Tomas Mraz
0fd0958b75 more fixes from upstream 
- fix errors in manual causing build failure (#904777)
 2013-01-30 18:32:56 +01:00
Tomas Mraz
2ca16b9a24 Add the renew-dummy-cert script to file list 2012-12-21 17:38:32 +01:00
Tomas Mraz
c67ea975b9 add script for renewal of a self-signed cert by Philip Prindeville (#871566) 
- allow X509_issuer_and_serial_hash() produce correct result in
  the FIPS mode (#881336)
 2012-12-21 17:21:50 +01:00
Tomas Mraz
07ac3d216e Fix bogus dates in changelog. 2012-12-07 12:37:49 +01:00
Tomas Mraz
650873ff0e do not load default verify paths if CApath or CAfile specified (#884305) 2012-12-06 18:30:15 +01:00
Tomas Mraz
12aab15a03 more fixes from upstream CVS 
- fix DSA key pairwise check (#878597)
 2012-11-20 22:33:42 +01:00
Tomas Mraz
d8e7bfc73b Add the marker for required patch. 2012-11-19 17:43:07 +01:00
Tomas Mraz
b7eb6f4a5f use 1024 bit DH parameters in s_server as 512 bit is not allowed 
in FIPS mode and it is quite weak anyway
 2012-11-15 21:11:36 +01:00
Tomas Mraz
79971bf194 Use secure_getenv() with new glibc. 2012-09-10 20:25:19 +02:00
Tomas Mraz
c015bd1b1e add missing initialization of str in aes_ccm_init_key (#853963) 
- add important patches from upstream CVS
 2012-09-07 10:48:56 +02:00
Dennis Gilmore
eaa5561c35 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild 2012-07-20 02:06:56 -05:00
Tomas Mraz
af044b4037 use __getenv_secure() instead of __libc_enable_secure 2012-07-13 22:21:05 +02:00
Tomas Mraz
72a1bddddc do not move libcrypto to /lib 
- do not use environment variables if __libc_enable_secure is on
- fix strict aliasing problems in modes
 2012-07-13 14:30:31 +02:00
Tomas Mraz
c2e3151786 do not move libcrypto to /lib 
- do not use environment variables if __libc_enable_secure is on
- fix strict aliasing problems in modes
 2012-07-13 14:23:34 +02:00
Tomas Mraz
55a3598cc7 fix DSA key generation in FIPS mode (#833866) 
- allow duplicate FIPS_mode_set(1)
- enable build on ppc64 subarch (#834652)
 2012-07-12 21:59:56 +02:00
Tomas Mraz
5183d32904 Make it build with new Perl 2012-07-12 00:35:57 +02:00
Tomas Mraz
18ccae20f6 fix s_server with new glibc when no global IPv6 address (#839031) 2012-07-12 00:04:06 +02:00
Tomas Mraz
5e74bace82 new upstream version 2012-05-15 19:40:22 +02:00
Tomas Mraz
651215c12b new upstream version 2012-05-15 19:37:55 +02:00
Tomas Mraz
5eb4589d83 new upstream version 2012-04-26 18:10:52 +02:00
Tomas Mraz
6a4bd67710 new upstream version fixing CVE-2012-2110 2012-04-20 12:30:37 +02:00
Tomas Mraz
e8c18345a4 new upstream version fixing CVE-2012-2110 2012-04-20 12:24:39 +02:00
Tomas Mraz
d46b44c249 add Kerberos 5 libraries to pkgconfig for static linking (#807050) 2012-04-11 16:33:03 +02:00
Tomas Mraz
d7587a26b6 backports from upstream CVS 
fix segfault when /dev/urandom is not available (#809586)
 2012-04-05 19:56:49 +02:00
Tomas Mraz
0f0ab24176 new upstream release 2012-03-14 21:38:58 +01:00
Tomas Mraz
0aa7d61151 add obsoletes to assist multilib updates (#799636) 2012-03-05 10:51:13 +01:00
Tomas Mraz
00c4986d53 new upstream release from the 1.0.1 branch 
- epoch bumped to 1 due to revert to 1.0.0g on Fedora 17
- fix s390x build (#798411)
- versioning for the SSLeay symbol (#794950)
- add -DPURIFY to build flags (#797323)
- filter engine provides
- split the libraries to a separate -libs package
- add make to requires on the base package (#783446)
 2012-02-29 21:54:08 +01:00
Tomas Mraz
ad05b50537 New upstream release from the 1.0.1 branch, ABI compatible 
- also add documentation for the -no_ign_eof option
 2012-02-07 13:46:42 +01:00
Tomas Mraz
d91aea8890 new upstream release fixing CVE-2012-0050 - DoS regression in 
DTLS support introduced by the previous release (#782795)
 2012-01-19 16:48:48 +01:00
Peter Robinson
48bba71e16 mktemp was long obsoleted by coreutils 2012-01-11 10:41:37 +00:00
Tomas Mraz
628d7e4989 new upstream release fixing multiple CVEs 2012-01-05 15:14:10 +01:00
Tomas Mraz
c28bd1cc5f Make the non-upstream tarball comment more clear. 2011-11-25 16:32:43 +01:00
Tomas Mraz
497f2d674c move the libraries needed for static linking to Libs.private 2011-11-22 11:53:40 +01:00
Tomas Mraz
6f65ffce68 do not use AVX instructions when osxsave bit not set 
add direct known answer tests for SHA2 algorithms
 2011-11-03 10:18:52 +01:00
Tomas Mraz
e4008f0b0e fix missing initialization of variable in CHIL engine 2011-09-21 17:34:13 +02:00
Tomas Mraz
3447c41c99 new upstream release fixing CVE-2011-3207 (#736088) 2011-09-07 18:27:06 +02:00
Tomas Mraz
4c970c62c5 drop the separate engine for Intel acceleration improvements 
and merge in the AES-NI, SHA1, and RC4 optimizations
add support for OPENSSL_DISABLE_AES_NI environment variable
that disables the AES-NI support
 2011-08-24 13:12:33 +02:00
Tomas Mraz
0ed17c0652 correct openssl cms help output (#636266) 
more tolerant starttls detection in XMPP protocol (#608239)
 2011-07-26 13:02:17 +02:00
Tomas Mraz
5c4fc08e4d add support for newest Intel acceleration improvements backported 
from upstream by Intel in form of a separate engine
 2011-07-20 14:56:21 +02:00
Tomas Mraz
f4fb8490a9 allow the AES-NI engine in the FIPS mode 2011-06-09 16:22:08 +02:00
Tomas Mraz
19062db533 add API necessary for CAVS testing of the new DSA parameter generation 2011-05-24 14:57:29 +02:00
Tomas Mraz
0b4cee3bc2 Allow easier rebuilds on some multilib arches. 2011-05-19 10:34:38 +02:00
Tomas Mraz
138493a921 add support for VIA Padlock on 64bit arch from upstream (#617539) 
do not return bogus values from load_certs (#652286)
 2011-04-28 21:58:56 +02:00
Tomas Mraz
8d20fec281 clarify apps help texts for available digest algorithms (#693858) 2011-04-05 21:24:01 +02:00
Tomas Mraz
1caf3ae072 - new upstream release fixing CVE-2011-0014 (OCSP stapling vulnerability) 2011-02-10 15:41:44 +01:00
Dennis Gilmore
ccc6e6f1c6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild 2011-02-08 21:34:08 -06:00
Tomas Mraz
65ebbaecc7 - add -x931 parameter to openssl genrsa command to use the ANSI X9.31 
key generation method
- use FIPS-186-3 method for DSA parameter generation
- add OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW environment variable
  to allow using MD5 when the system is in the maintenance state
  even if the /proc fips flag is on
- make openssl pkcs12 command work by default in the FIPS mode
 2011-02-04 15:27:28 +01:00
Tomas Mraz
15fad7109b - add -x931 parameter to openssl genrsa command to use the ANSI X9.31 
key generation method
- use FIPS-186-3 method for DSA parameter generation
- add OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW environment variable
  to allow using MD5 when the system is in the maintenance state
  even if the /proc fips flag is on
 2011-02-04 15:14:18 +01:00
Tomas Mraz
09127ac54a - listen on ipv6 wildcard in s_server so we accept connections 
from both ipv4 and ipv6 (#601612)
- fix openssl speed command so it can be used in the FIPS mode
  with FIPS allowed ciphers
 2011-01-24 17:41:43 +01:00
Tomas Mraz
154f82b97d - new upstream version fixing CVE-2010-4180 2010-12-03 14:23:13 +01:00
Tomas Mraz
0a5657ab94 - replace the revert for the s390x bignum asm routines with 
fix from upstream
 2010-12-03 14:19:39 +01:00
Tomas Mraz
143a23a635 - bump release 2010-11-23 10:07:16 +01:00
Tomas Mraz
6e7d6d4dfd - replace the revert for the s390x bignum asm routines with 
fix from upstream
 2010-11-23 09:51:17 +01:00
Tomas Mraz
23675ff78b - revert upstream change in s390x bignum asm routines 2010-11-22 15:15:11 +01:00
Tomas Mraz
3ff2d49a83 - new upstream version fixing CVE-2010-3864 (#649304) 2010-11-16 18:21:39 +01:00
Tomas Mraz
17a6aec60b - make SHLIB_VERSION reflect the library suffix 2010-09-07 21:41:52 +02:00
Tomáš Mráz
56642f75b1 - openssl man page fix (#609484) 2010-06-30 12:36:47 +00:00
Tomáš Mráz
1b4b1eaf63 - new upstream patch release, fixes CVE-2010-0742 (#598738) and 
CVE-2010-1633 (#598732)
 2010-06-04 12:23:14 +00:00
Tomáš Mráz
6adf85458c - pkgconfig files now contain the correct libdir (#593723) 2010-05-19 15:39:13 +00:00
Tomáš Mráz
ae0beee7db - make CA dir readable - the private keys are in private subdir (#584810) 2010-05-18 15:40:32 +00:00
Tomáš Mráz
290d51ec7f - make CA dir readable - the private keys are in private subdir (#584810) 2010-05-18 15:34:17 +00:00
Tomáš Mráz
3bdf494b4f - a few fixes from upstream CVS 
- move libcrypto to /lib (#559953)
 2010-04-09 15:25:39 +00:00
Tomáš Mráz
7325c65a3e - set UTC timezone on pod2man run (#578842) 
- make X509_NAME_hash_old work in FIPS mode
 2010-04-06 14:49:34 +00:00
Tomáš Mráz
c2fc1058b4 - set UTC timezone on pod2man run (#578842) 2010-04-06 14:35:57 +00:00
Tomáš Mráz
fa66cf4b52 - update to final 1.0.0 upstream release 2010-03-30 09:37:41 +00:00
Tomáš Mráz
7c4ab8ff8e - make TLS work in the FIPS mode 2010-02-16 23:21:07 +00:00
Tomáš Mráz
bffe20438c - gracefully handle zero length in assembler implementations of 
OPENSSL_cleanse (#564029)
- do not fail in s_server if client hostname not resolvable (#561260)
 2010-02-12 17:20:50 +00:00
Tomáš Mráz
ae5568515b - new upstream release 2010-01-21 08:12:12 +00:00
Tomáš Mráz
79249339a7 - fix CVE-2009-4355 - leak in applications incorrectly calling 
CRYPTO_free_all_ex_data() before application exit (#546707)
- upstream fix for future TLS protocol version handling
 2010-01-14 08:57:34 +00:00
Tomáš Mráz
7f0747ce73 - add support for Intel AES-NI 2010-01-13 09:21:02 +00:00
Tomáš Mráz
2d6ef07fa3 - upstream fix compression handling on session resumption 
- various null checks and other small fixes from upstream
- upstream changes for the renegotiation info according to the latest draft
 2010-01-07 22:43:57 +00:00
Tomáš Mráz
5845987ab4 - fix non-fips mingw build (patch by Kalev Lember) 
- add IPV6 fix for DTLS
 2009-11-23 07:54:08 +00:00
Tomáš Mráz
c9026def03 - add better error reporting for the unsafe renegotiation 2009-11-20 17:30:27 +00:00
Tomáš Mráz
359f84cd81 - fix build on s390x 2009-11-20 09:27:16 +00:00
Tomáš Mráz
5b761f5986 - disable enforcement of the renegotiation extension on the client 
(#537962)
- add fixes from the current upstream snapshot
 2009-11-18 13:14:13 +00:00
Tomáš Mráz
982ac6e5f9 - keep the beta status in version number at 3 so we do not have to rebuild 
openssh and possibly other dependencies with too strict version check
 2009-11-13 12:11:41 +00:00
Tomáš Mráz
a9fcedd3fb - keep the beta status in version number at 3 so we do not have to rebuild 
openssh and possibly other dependencies with too strict version check
 2009-11-13 11:45:07 +00:00
Tomáš Mráz
654ccf4a2f - add fix to compile on new binutils 2009-11-12 16:27:52 +00:00
Tomáš Mráz
aabbc9ad89 - update to new upstream version, no soname bump needed 
- fix CVE-2009-3555 - note that the fix is bypassed if SSL_OP_ALL is used
    so the compatibility with unfixed clients is not broken. The protocol
    extension is also not final.
 2009-11-12 15:51:40 +00:00
Tomáš Mráz
e0fe963bd1 - fix use of freed memory if SSL_CTX_free() is called before SSL_free() 
(#521342)
 2009-10-16 11:28:02 +00:00
Tomáš Mráz
1a303f4853 - fix typo in DTLS1 code (#527015) 
- fix leak in error handling of d2i_SSL_SESSION()
 2009-10-08 18:45:10 +00:00
Tomáš Mráz
75f7276f8b - fix RSA and DSA FIPS selftests 
- reenable fixed x86_64 camellia assembler code (#521127)
 2009-09-30 18:18:48 +00:00
Tomáš Mráz
2d8446ff1a - temporarily disable x86_64 camellia assembler code (#521127) 2009-09-04 12:08:42 +00:00
Tomáš Mráz
c99976de43 - fix openssl dgst -dss1 (#520152) 2009-08-31 11:07:49 +00:00
Tomáš Mráz
9583cca278 - drop the compat symlink hacks 2009-08-26 15:50:36 +00:00
Tomáš Mráz
e1c2b406a8 - constify SSL_CIPHER_description() 2009-08-22 14:38:34 +00:00
Tomáš Mráz
4d132a5c14 - fix WWW:Curl:Easy reference in tsget 2009-08-21 13:42:11 +00:00
Tomáš Mráz
5ff2efa4d0 - enable MD-2 2009-08-21 13:08:15 +00:00
Tomáš Mráz
2ccfa6b48f - update to new major upstream release 2009-08-20 14:20:57 +00:00
Tomáš Mráz
58b40a384a - update to new major upstream release 2009-08-20 14:18:42 +00:00
Jesse Keating
72586e9d99 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild 2009-07-25 20:54:16 +00:00
Bill Nottingham
d01d89f81d - do not build special 'optimized' versions for i686, as that's the base 
arch in Fedora now
 2009-07-22 15:57:43 +00:00
Tomáš Mráz
44abf9d002 - abort if selftests failed and random number generator is polled 
- mention EVP_aes and EVP_sha2xx routines in the manpages
- add README.FIPS
- make CA dir absolute path (#445344)
- change default length for RSA key generation to 2048 (#484101)
 2009-06-30 11:17:45 +00:00
Tomáš Mráz
387d98c6e7 - fix CVE-2009-1377 CVE-2009-1378 CVE-2009-1379 (DTLS DoS problems) 
(#501253, #501254, #501572)
 2009-05-21 16:30:42 +00:00
Tomáš Mráz
7723dd9040 - support compatibility DTLS mode for CISCO AnyConnect (#464629) 2009-04-21 10:05:11 +00:00
Tomáš Mráz
e1c42b9abd - correct the SHLIB_VERSION define 2009-04-17 16:13:51 +00:00
Tomáš Mráz
bb917d493c - add support for multiple CRLs with same subject 
- load only dynamic engine support in FIPS mode
 2009-04-15 14:36:54 +00:00
Tomáš Mráz
a9e5f01ef5 - update to new upstream release (minor bug fixes, security fixes and 
machine code optimizations only)
 2009-03-25 21:12:41 +00:00
Tomáš Mráz
a9567a4b21 - move only on 64bits 2009-03-19 11:03:16 +00:00
Tomáš Mráz
58f96a71e5 - move libraries to /usr/lib (#239375) 2009-03-19 10:31:41 +00:00
Tomáš Mráz
15d9ef2c72 - add a static subpackage 2009-03-13 13:10:33 +00:00