jonathan/openssl
1
0
Fork 0
forked from rpms/openssl
Code Pull Requests Activity
Utilities from the general purpose cryptography library with TLS implementation
175 Commits 9 Branches 54 Tags 3.3 MiB
C 97.3%
Shell 2.7%
b1d3f019d4
Go to file
Clemens Lang b1d3f019d4 FIPS: Re-enable DHX, disable FIPS 186-4 groups 
For DH parameter and key pair generation/verification, the DSA
procedures specified in FIPS 186-4 are used. With the release of FIPS
186-5 and the removal of DSA, the approved status of these groups is in
peril. Once the transition for DSA ends (this transition will be 1 year
long and start once CMVP has published the guidance), no more
submissions claiming DSA will be allowed. Hence, FIPS 186-type
parameters will also be automatically non-approved.

Previously, we had addressed this by completely disabling the DHX key
type in the OpenSSL FIPS provider, but the default encoding for DHX-type
keys is X9.42 DH, which is used, for example, by kerberos.

Re-enable DHX-type keys in the FIPS provider, but disable import and
validation of any DH parameters that are not well-known groups, and
remove DH parameter generation completely.

Adjust tests to use well-known groups or larger DH groups where this
change would now cause failures, and skip tests that are expected to
fail due to this change.

Signed-off-by: Clemens Lang <cllang@redhat.com>
Resolves: rhbz#2169757
2023-05-23 14:01:14 +02:00
.gitignore - Upload new upstream sources without manually hobbling them. 2023-05-02 11:44:53 +02:00
0001-Aarch64-and-ppc64le-use-lib64.patch Rebase to OpenSSL version 3.0.0 2021-04-12 00:34:30 +02:00
0002-Use-more-general-default-values-in-openssl.cnf.patch Rebase to OpenSSL version 3.0.0 2021-04-12 00:34:30 +02:00
0003-Do-not-install-html-docs.patch Rebase to OpenSSL version 3.0.0 2021-04-12 00:34:30 +02:00
0004-Override-default-paths-for-the-CA-directory-tree.patch Fixes override of openssl_conf in openssl.cnf 2021-07-06 13:56:08 +02:00
0005-apps-ca-fix-md-option-help-text.patch Rebase to OpenSSL version 3.0.0 2021-04-12 00:34:30 +02:00
0006-Disable-signature-verification-with-totally-unsafe-h.patch Update to Beta1 version 2021-07-14 13:31:08 +02:00
0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00
0008-Add-FIPS_mode-compatibility-macro.patch Adjusting include for the FIPS_mode macro 2022-11-28 17:37:27 +01:00
0009-Add-Kernel-FIPS-mode-flag-support.patch Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00
0010-Add-changes-to-ectest-and-eccurve.patch - Upload new upstream sources without manually hobbling them. 2023-05-02 11:44:53 +02:00
0011-Remove-EC-curves.patch - Upload new upstream sources without manually hobbling them. 2023-05-02 11:44:53 +02:00
0012-Disable-explicit-ec.patch Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00
0013-skipped-tests-EC-curves.patch - Upload new upstream sources without manually hobbling them. 2023-05-02 11:44:53 +02:00
0024-load-legacy-prov.patch Always activate default provider via config 2021-11-23 16:52:23 +01:00
0025-for-tests.patch Always activate default provider via config 2021-11-23 16:52:23 +01:00
0031-tmp-Fix-test-names.patch Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00
0032-Force-fips.patch -config argument of openssl app should work properly 2022-05-12 13:29:27 +02:00
0033-FIPS-embed-hmac.patch Refactor OpenSSL fips module MAC verification 2023-01-05 11:42:50 +01:00
0034.fipsinstall_disable.patch Rebase to upstream version 3.0.1 2022-01-18 18:30:10 +01:00
0035-speed-skip-unavailable-dgst.patch Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00
0044-FIPS-140-3-keychecks.patch Fix Wpointer-sign compiler warning 2023-03-16 14:08:55 +01:00
0045-FIPS-services-minimize.patch - Upload new upstream sources without manually hobbling them. 2023-05-02 11:44:53 +02:00
0047-FIPS-early-KATS.patch KATS self-tests should run before HMAC verifcation 2022-01-21 13:48:28 +01:00
0049-Selectively-disallow-SHA1-signatures.patch Pairwise consistency tests should use Digest+Sign/Verify 2023-03-14 17:27:15 +01:00
0050-FIPS-enable-pkcs12-mac.patch OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters 2022-02-22 16:32:34 +01:00
0051-Support-different-R_BITS-lengths-for-KBKDF.patch OpenSSL FIPS module should not build in non-approved algorithms 2022-05-05 17:34:49 +02:00
0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch Strict certificates validation shouldn't allow explicit EC parameters 2022-06-24 17:17:35 +02:00
0056-strcasecmp.patch We should export 2 versions of OPENSSL_str[n]casecmp to be compatible with upstream 2022-11-25 19:23:22 +01:00
0058-FIPS-limit-rsa-encrypt.patch Limit RSA_NO_PADDING for encryption and signature in FIPS mode 2023-03-14 17:25:30 +01:00
0060-FIPS-KAT-signature-tests.patch Use KAT for ECDSA signature tests, s390 arch 2022-05-30 18:22:47 +02:00
0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00
0062-fips-Expose-a-FIPS-indicator.patch Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00
0067-ppc64le-Montgomery-multiply.patch Backport of ppc64le Montgomery multiply enhancement 2022-11-29 12:00:38 +01:00
0071-AES-GCM-performance-optimization.patch Improve AES-GCM & ChaCha20 perf on Power9+ ppc64le 2022-07-14 18:19:36 +02:00
0072-ChaCha20-performance-optimizations-for-ppc64le.patch Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00
0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00
0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00
0075-FIPS-Use-FFDHE2048-in-self-test.patch FIPS self-test: RSA-OAEP, FFDHE2048, digest_sign 2022-08-01 17:18:12 +02:00
0076-FIPS-140-3-DRBG.patch Increase RNG seeding buffer size to 32 2023-03-14 17:30:33 +01:00
0077-FIPS-140-3-zeroization.patch Extra zeroization related to FIPS-140-3 requirements 2022-08-05 14:31:48 +02:00
0078-KDF-Add-FIPS-indicators.patch Fix X942KDF indicator for short output key lengths 2023-03-16 16:40:54 +01:00
0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch FIPS-140-3 permits only SHA1, SHA256, and SHA512 for DRBG-HASH/DRBG-HMAC 2022-11-21 10:39:28 +01:00
0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch Remove support for X9.31 signature padding in FIPS mode 2022-11-21 10:42:34 +01:00
0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch Add indicator for HMAC with short key lengths 2022-11-21 10:42:43 +01:00
0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch pbkdf2: Set minimum password length of 8 bytes 2022-11-21 10:42:43 +01:00
0085-FIPS-RSA-disable-shake.patch Disallow SHAKE in OAEP decryption in FIPS mode 2023-01-11 14:12:12 +01:00
0088-signature-Add-indicator-for-PSS-salt-length.patch Limit RSA_NO_PADDING for encryption and signature in FIPS mode 2023-03-14 17:25:30 +01:00
0089-PSS-salt-length-from-provider.patch Fix explicit indicator for PSS salt length 2022-11-29 13:23:25 +01:00
0090-signature-Clamp-PSS-salt-len-to-MD-len.patch Fix explicit indicator for PSS salt length 2022-11-29 13:23:25 +01:00
0091-FIPS-RSA-encapsulate.patch Fix explicit indicator for PSS salt length 2022-11-29 13:23:25 +01:00
0092-provider-improvements.patch Fix explicit indicator for PSS salt length 2022-11-29 13:23:25 +01:00
0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch FIPS: Re-enable DHX, disable FIPS 186-4 groups 2023-05-23 14:01:14 +02:00
0101-CVE-2022-4203-nc-match.patch Fixed X.509 Name Constraints Read Buffer Overflow 2023-02-08 17:54:11 +01:00
0102-CVE-2022-4304-RSA-time-oracle.patch Fixed Timing Oracle in RSA Decryption 2023-02-08 17:54:13 +01:00
0103-CVE-2022-4450-pem-read-bio.patch Fixed Double free after calling PEM_read_bio_ex 2023-02-08 17:54:13 +01:00
0104-CVE-2023-0215-UAF-bio.patch Fixed Use-after-free following BIO_new_NDEF 2023-02-08 17:54:13 +01:00
0105-CVE-2023-0216-pkcs7-deref.patch Fixed Invalid pointer dereference in d2i_PKCS7 functions 2023-02-08 17:54:13 +01:00
0106-CVE-2023-0217-dsa.patch Fixed NULL dereference validating DSA public key 2023-02-08 17:54:13 +01:00
0107-CVE-2023-0286-X400.patch Fixed X.400 address type confusion in X.509 GeneralName 2023-02-08 17:54:13 +01:00
0108-CVE-2023-0401-pkcs7-md.patch Fixed NULL dereference during PKCS7 data verification 2023-02-08 17:54:13 +01:00
0109-fips-Zeroize-out-in-fips-selftest.patch Zeroize FIPS module integrity check MAC after check 2023-03-14 17:23:22 +01:00
0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch GCM: Implement explicit FIPS indicator for IV gen 2023-03-14 17:23:22 +01:00
0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch Add explicit FIPS indicator for PBKDF2 2023-03-14 17:23:22 +01:00
0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch Add explicit FIPS indicator for PBKDF2 2023-03-14 17:23:22 +01:00
0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch Change explicit FIPS indicator for RSA decryption to unapproved 2023-03-24 16:00:24 +01:00
0114-FIPS-enforce-EMS-support.patch Enforce using EMS in FIPS mode - better alerts 2023-05-09 12:44:49 +02:00
0115-CVE-2023-0464.patch Fix excessive resource usage in verifying X509 policy constraints 2023-04-18 09:43:21 +02:00
0116-CVE-2023-0465.patch Fix invalid certificate policies in leaf certificates check 2023-04-18 09:45:07 +02:00
0117-CVE-2023-0466.patch Certificate policy check not enabled 2023-04-18 09:46:41 +02:00
0118-CVE-2023-1255.patch Input buffer over-read in AES-XTS implementation on 64 bit ARM 2023-04-21 12:33:25 +02:00
0120-RSA-PKCS15-implicit-rejection.patch Backport implicit rejection for RSA PKCS#1 v1.5 encryption 2023-04-28 19:10:51 +02:00
0121-FIPS-cms-defaults.patch Use OAEP padding and aes-128-cbc by default in cms command in FIPS mode 2023-05-22 10:58:28 +02:00
configuration-prefix.h Rebase to OpenSSL version 3.0.0 2021-04-12 00:34:30 +02:00
configuration-switch.h Rebase to OpenSSL version 3.0.0 2021-04-12 00:34:30 +02:00
gating.yaml Temporary manual test 2022-04-21 13:20:27 +02:00
genpatches Rebase to OpenSSL version 3.0.0 2021-04-12 00:34:30 +02:00
make-dummy-cert RHEL 9.0.0 Alpha bootstrap 2020-10-15 22:27:53 +02:00
Makefile.certificate RHEL 9.0.0 Alpha bootstrap 2020-10-15 22:27:53 +02:00
openssl.spec FIPS: Re-enable DHX, disable FIPS 186-4 groups 2023-05-23 14:01:14 +02:00
renew-dummy-cert RHEL 9.0.0 Alpha bootstrap 2020-10-15 22:27:53 +02:00
rpminspect.yaml Make rpminspect happy 2021-12-10 14:19:15 +01:00
sources - Upload new upstream sources without manually hobbling them. 2023-05-02 11:44:53 +02:00