Utilities from the general purpose cryptography library with TLS implementation
Go to file
Clemens Lang 21d2b9fb47 Fix X942KDF indicator for short output key lengths
In testing, we noticed that using output keys shorter than 14 bytes with
the X9.42 KDF does not set the explicit FIPS indicator to unapproved as
it should. The relevant check was implemented, but the state in the
implementation's context was not exposed.

Resolves: rhbz#2175864
Signed-off-by: Clemens Lang <cllang@redhat.com>
2023-03-16 16:40:54 +01:00
.gitignore Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00
0001-Aarch64-and-ppc64le-use-lib64.patch Rebase to OpenSSL version 3.0.0 2021-04-12 00:34:30 +02:00
0002-Use-more-general-default-values-in-openssl.cnf.patch Rebase to OpenSSL version 3.0.0 2021-04-12 00:34:30 +02:00
0003-Do-not-install-html-docs.patch Rebase to OpenSSL version 3.0.0 2021-04-12 00:34:30 +02:00
0004-Override-default-paths-for-the-CA-directory-tree.patch Fixes override of openssl_conf in openssl.cnf 2021-07-06 13:56:08 +02:00
0005-apps-ca-fix-md-option-help-text.patch Rebase to OpenSSL version 3.0.0 2021-04-12 00:34:30 +02:00
0006-Disable-signature-verification-with-totally-unsafe-h.patch Update to Beta1 version 2021-07-14 13:31:08 +02:00
0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00
0008-Add-FIPS_mode-compatibility-macro.patch Adjusting include for the FIPS_mode macro 2022-11-28 17:37:27 +01:00
0009-Add-Kernel-FIPS-mode-flag-support.patch Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00
0011-Remove-EC-curves.patch Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00
0012-Disable-explicit-ec.patch Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00
0024-load-legacy-prov.patch Always activate default provider via config 2021-11-23 16:52:23 +01:00
0025-for-tests.patch Always activate default provider via config 2021-11-23 16:52:23 +01:00
0031-tmp-Fix-test-names.patch Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00
0032-Force-fips.patch -config argument of openssl app should work properly 2022-05-12 13:29:27 +02:00
0033-FIPS-embed-hmac.patch Refactor OpenSSL fips module MAC verification 2023-01-05 11:42:50 +01:00
0034.fipsinstall_disable.patch Rebase to upstream version 3.0.1 2022-01-18 18:30:10 +01:00
0035-speed-skip-unavailable-dgst.patch Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00
0044-FIPS-140-3-keychecks.patch Fix Wpointer-sign compiler warning 2023-03-16 14:08:55 +01:00
0045-FIPS-services-minimize.patch Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00
0047-FIPS-early-KATS.patch KATS self-tests should run before HMAC verifcation 2022-01-21 13:48:28 +01:00
0049-Selectively-disallow-SHA1-signatures.patch Pairwise consistency tests should use Digest+Sign/Verify 2023-03-14 17:27:15 +01:00
0050-FIPS-enable-pkcs12-mac.patch OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters 2022-02-22 16:32:34 +01:00
0051-Support-different-R_BITS-lengths-for-KBKDF.patch OpenSSL FIPS module should not build in non-approved algorithms 2022-05-05 17:34:49 +02:00
0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch Strict certificates validation shouldn't allow explicit EC parameters 2022-06-24 17:17:35 +02:00
0056-strcasecmp.patch We should export 2 versions of OPENSSL_str[n]casecmp to be compatible with upstream 2022-11-25 19:23:22 +01:00
0058-FIPS-limit-rsa-encrypt.patch Limit RSA_NO_PADDING for encryption and signature in FIPS mode 2023-03-14 17:25:30 +01:00
0060-FIPS-KAT-signature-tests.patch Use KAT for ECDSA signature tests, s390 arch 2022-05-30 18:22:47 +02:00
0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00
0062-fips-Expose-a-FIPS-indicator.patch Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00
0067-ppc64le-Montgomery-multiply.patch Backport of ppc64le Montgomery multiply enhancement 2022-11-29 12:00:38 +01:00
0071-AES-GCM-performance-optimization.patch Improve AES-GCM & ChaCha20 perf on Power9+ ppc64le 2022-07-14 18:19:36 +02:00
0072-ChaCha20-performance-optimizations-for-ppc64le.patch Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00
0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00
0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00
0075-FIPS-Use-FFDHE2048-in-self-test.patch FIPS self-test: RSA-OAEP, FFDHE2048, digest_sign 2022-08-01 17:18:12 +02:00
0076-FIPS-140-3-DRBG.patch Increase RNG seeding buffer size to 32 2023-03-14 17:30:33 +01:00
0077-FIPS-140-3-zeroization.patch Extra zeroization related to FIPS-140-3 requirements 2022-08-05 14:31:48 +02:00
0078-KDF-Add-FIPS-indicators.patch Fix X942KDF indicator for short output key lengths 2023-03-16 16:40:54 +01:00
0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch FIPS-140-3 permits only SHA1, SHA256, and SHA512 for DRBG-HASH/DRBG-HMAC 2022-11-21 10:39:28 +01:00
0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch Remove support for X9.31 signature padding in FIPS mode 2022-11-21 10:42:34 +01:00
0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch Add indicator for HMAC with short key lengths 2022-11-21 10:42:43 +01:00
0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch pbkdf2: Set minimum password length of 8 bytes 2022-11-21 10:42:43 +01:00
0085-FIPS-RSA-disable-shake.patch Disallow SHAKE in OAEP decryption in FIPS mode 2023-01-11 14:12:12 +01:00
0088-signature-Add-indicator-for-PSS-salt-length.patch Limit RSA_NO_PADDING for encryption and signature in FIPS mode 2023-03-14 17:25:30 +01:00
0089-PSS-salt-length-from-provider.patch Fix explicit indicator for PSS salt length 2022-11-29 13:23:25 +01:00
0090-signature-Clamp-PSS-salt-len-to-MD-len.patch Fix explicit indicator for PSS salt length 2022-11-29 13:23:25 +01:00
0091-FIPS-RSA-encapsulate.patch Fix explicit indicator for PSS salt length 2022-11-29 13:23:25 +01:00
0092-provider-improvements.patch Fix explicit indicator for PSS salt length 2022-11-29 13:23:25 +01:00
0093-FIPS-nodhx.patch Disable DHX keys completely in FIPS mode 2023-03-14 17:28:24 +01:00
0101-CVE-2022-4203-nc-match.patch Fixed X.509 Name Constraints Read Buffer Overflow 2023-02-08 17:54:11 +01:00
0102-CVE-2022-4304-RSA-time-oracle.patch Fixed Timing Oracle in RSA Decryption 2023-02-08 17:54:13 +01:00
0103-CVE-2022-4450-pem-read-bio.patch Fixed Double free after calling PEM_read_bio_ex 2023-02-08 17:54:13 +01:00
0104-CVE-2023-0215-UAF-bio.patch Fixed Use-after-free following BIO_new_NDEF 2023-02-08 17:54:13 +01:00
0105-CVE-2023-0216-pkcs7-deref.patch Fixed Invalid pointer dereference in d2i_PKCS7 functions 2023-02-08 17:54:13 +01:00
0106-CVE-2023-0217-dsa.patch Fixed NULL dereference validating DSA public key 2023-02-08 17:54:13 +01:00
0107-CVE-2023-0286-X400.patch Fixed X.400 address type confusion in X.509 GeneralName 2023-02-08 17:54:13 +01:00
0108-CVE-2023-0401-pkcs7-md.patch Fixed NULL dereference during PKCS7 data verification 2023-02-08 17:54:13 +01:00
0109-fips-Zeroize-out-in-fips-selftest.patch Zeroize FIPS module integrity check MAC after check 2023-03-14 17:23:22 +01:00
0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch GCM: Implement explicit FIPS indicator for IV gen 2023-03-14 17:23:22 +01:00
0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch Add explicit FIPS indicator for PBKDF2 2023-03-14 17:23:22 +01:00
0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch Add explicit FIPS indicator for PBKDF2 2023-03-14 17:23:22 +01:00
configuration-prefix.h Rebase to OpenSSL version 3.0.0 2021-04-12 00:34:30 +02:00
configuration-switch.h Rebase to OpenSSL version 3.0.0 2021-04-12 00:34:30 +02:00
ec_curve.c Rebase to OpenSSL version 3.0.0 2021-04-12 00:34:30 +02:00
ectest.c Reworked patch forbidding explicit EC parameters 2022-05-06 16:51:28 +02:00
gating.yaml Temporary manual test 2022-04-21 13:20:27 +02:00
genpatches Rebase to OpenSSL version 3.0.0 2021-04-12 00:34:30 +02:00
hobble-openssl RHEL 9.0.0 Alpha bootstrap 2020-10-15 22:27:53 +02:00
make-dummy-cert RHEL 9.0.0 Alpha bootstrap 2020-10-15 22:27:53 +02:00
Makefile.certificate RHEL 9.0.0 Alpha bootstrap 2020-10-15 22:27:53 +02:00
openssl.spec Fix X942KDF indicator for short output key lengths 2023-03-16 16:40:54 +01:00
renew-dummy-cert RHEL 9.0.0 Alpha bootstrap 2020-10-15 22:27:53 +02:00
rpminspect.yaml Make rpminspect happy 2021-12-10 14:19:15 +01:00
sources Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00