Utilities from the general purpose cryptography library with TLS implementation
Clemens Lang db02879351 FIPS: abort on rsa_keygen_pairwise_test failure
ISO 19790 AS10.09 says the module shall not perform any cryptographic
operations or output data in an error state, but OpenSSL does not have
checks for the module state in EVP_DigestUpdate() and
EVP_EncryptUpdate().

Upstream and their certification lab say these checks aren't needed,
our lab disagrees. We asked for clarification from CMVP. While we are
waiting for that, add a change that will allow us to submit. We will
drop this patch once we found a solution together with upstream.

See #22506 for the discussion upstream.

Resolves: RHEL-17104
2023-11-21 12:32:41 +01:00
.fmf Add interop rpm-tmt-tests 2023-05-24 15:41:56 +00:00
plans Add interop rpm-tmt-tests 2023-05-24 15:41:56 +00:00
.gitignore - Upload new upstream sources without manually hobbling them. 2023-05-02 11:44:53 +02:00
0001-Aarch64-and-ppc64le-use-lib64.patch Rebase to OpenSSL version 3.0.0 2021-04-12 00:34:30 +02:00
0002-Use-more-general-default-values-in-openssl.cnf.patch Rebase to OpenSSL version 3.0.0 2021-04-12 00:34:30 +02:00
0003-Do-not-install-html-docs.patch Rebase to OpenSSL version 3.0.0 2021-04-12 00:34:30 +02:00
0004-Override-default-paths-for-the-CA-directory-tree.patch Provide empty evp_properties section in main OpenSSL configuration file 2023-10-17 12:56:38 +02:00
0005-apps-ca-fix-md-option-help-text.patch Rebase to OpenSSL version 3.0.0 2021-04-12 00:34:30 +02:00
0006-Disable-signature-verification-with-totally-unsafe-h.patch Update to Beta1 version 2021-07-14 13:31:08 +02:00
0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00
0008-Add-FIPS_mode-compatibility-macro.patch Adjusting include for the FIPS_mode macro 2022-11-28 17:37:27 +01:00
0009-Add-Kernel-FIPS-mode-flag-support.patch Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00
0010-Add-changes-to-ectest-and-eccurve.patch - Upload new upstream sources without manually hobbling them. 2023-05-02 11:44:53 +02:00
0011-Remove-EC-curves.patch Remove unsupported ec curves from nist_curves 2023-07-06 10:38:36 +02:00
0012-Disable-explicit-ec.patch Forbid explicit curves when created via EVP_PKEY_fromdata 2023-10-17 13:26:14 +02:00
0013-skipped-tests-EC-curves.patch - Upload new upstream sources without manually hobbling them. 2023-05-02 11:44:53 +02:00
0024-load-legacy-prov.patch Provide empty evp_properties section in main OpenSSL configuration file 2023-10-17 12:56:38 +02:00
0025-for-tests.patch Always activate default provider via config 2021-11-23 16:52:23 +01:00
0031-tmp-Fix-test-names.patch Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00
0032-Force-fips.patch Avoid implicit function declaration when building openssl 2023-10-17 13:09:34 +02:00
0033-FIPS-embed-hmac.patch Refactor OpenSSL fips module MAC verification 2023-01-05 11:42:50 +01:00
0034.fipsinstall_disable.patch Rebase to upstream version 3.0.1 2022-01-18 18:30:10 +01:00
0035-speed-skip-unavailable-dgst.patch Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00
0044-FIPS-140-3-keychecks.patch FIPS: abort on rsa_keygen_pairwise_test failure 2023-11-21 12:32:41 +01:00
0045-FIPS-services-minimize.patch Remove the listing of brainpool curves in FIPS mode 2023-06-26 10:23:11 +02:00
0047-FIPS-early-KATS.patch KATS self-tests should run before HMAC verification 2022-01-21 13:48:28 +01:00
0049-Selectively-disallow-SHA1-signatures.patch Don't limit using SHA1 in KDFs in non-FIPS mode. 2023-10-16 11:06:43 +02:00
0050-FIPS-enable-pkcs12-mac.patch OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters 2022-02-22 16:32:34 +01:00
0051-Support-different-R_BITS-lengths-for-KBKDF.patch OpenSSL FIPS module should not build in non-approved algorithms 2022-05-05 17:34:49 +02:00
0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch Strict certificates validation shouldn't allow explicit EC parameters 2022-06-24 17:17:35 +02:00
0056-strcasecmp.patch Avoid implicit function declaration when building openssl 2023-11-21 12:11:01 +01:00
0058-FIPS-limit-rsa-encrypt.patch Limit RSA_NO_PADDING for encryption and signature in FIPS mode 2023-03-14 17:25:30 +01:00
0060-FIPS-KAT-signature-tests.patch Use KAT for ECDSA signature tests, s390 arch 2022-05-30 18:22:47 +02:00
0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00
0062-fips-Expose-a-FIPS-indicator.patch Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00
0067-ppc64le-Montgomery-multiply.patch Backport of ppc64le Montgomery multiply enhancement 2022-11-29 12:00:38 +01:00
0071-AES-GCM-performance-optimization.patch Improve AES-GCM & ChaCha20 perf on Power9+ ppc64le 2022-07-14 18:19:36 +02:00
0072-ChaCha20-performance-optimizations-for-ppc64le.patch Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00
0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00
0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch Rebasing to OpenSSL 3.0.7 2022-11-24 10:31:36 +01:00
0075-FIPS-Use-FFDHE2048-in-self-test.patch FIPS self-test: RSA-OAEP, FFDHE2048, digest_sign 2022-08-01 17:18:12 +02:00
0076-FIPS-140-3-DRBG.patch Increase RNG seeding buffer size to 32 2023-03-14 17:30:33 +01:00
0077-FIPS-140-3-zeroization.patch Extra zeroization related to FIPS-140-3 requirements 2022-08-05 14:31:48 +02:00
0078-KDF-Add-FIPS-indicators.patch Add a workaround for lack of EMS in FIPS mode 2023-07-12 15:56:26 +02:00
0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch FIPS-140-3 permits only SHA1, SHA256, and SHA512 for DRBG-HASH/DRBG-HMAC 2022-11-21 10:39:28 +01:00
0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch Remove support for X9.31 signature padding in FIPS mode 2022-11-21 10:42:34 +01:00
0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch Add indicator for HMAC with short key lengths 2022-11-21 10:42:43 +01:00
0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch pbkdf2: Set minimum password length of 8 bytes 2022-11-21 10:42:43 +01:00
0085-FIPS-RSA-disable-shake.patch Disallow SHAKE in OAEP decryption in FIPS mode 2023-01-11 14:12:12 +01:00
0088-signature-Add-indicator-for-PSS-salt-length.patch Limit RSA_NO_PADDING for encryption and signature in FIPS mode 2023-03-14 17:25:30 +01:00
0089-PSS-salt-length-from-provider.patch Fix explicit indicator for PSS salt length 2022-11-29 13:23:25 +01:00
0090-signature-Clamp-PSS-salt-len-to-MD-len.patch Fix explicit indicator for PSS salt length 2022-11-29 13:23:25 +01:00
0091-FIPS-RSA-encapsulate.patch Fix explicit indicator for PSS salt length 2022-11-29 13:23:25 +01:00
0092-provider-improvements.patch Fix explicit indicator for PSS salt length 2022-11-29 13:23:25 +01:00
0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch FIPS: Re-enable DHX, disable FIPS 186-4 groups 2023-05-23 14:01:14 +02:00
0101-CVE-2022-4203-nc-match.patch Fixed X.509 Name Constraints Read Buffer Overflow 2023-02-08 17:54:11 +01:00
0102-CVE-2022-4304-RSA-time-oracle.patch Fixed Timing Oracle in RSA Decryption 2023-02-08 17:54:13 +01:00
0103-CVE-2022-4450-pem-read-bio.patch Fixed Double free after calling PEM_read_bio_ex 2023-02-08 17:54:13 +01:00
0104-CVE-2023-0215-UAF-bio.patch Fixed Use-after-free following BIO_new_NDEF 2023-02-08 17:54:13 +01:00
0105-CVE-2023-0216-pkcs7-deref.patch Fixed Invalid pointer dereference in d2i_PKCS7 functions 2023-02-08 17:54:13 +01:00
0106-CVE-2023-0217-dsa.patch Fixed NULL dereference validating DSA public key 2023-02-08 17:54:13 +01:00
0107-CVE-2023-0286-X400.patch Fixed X.400 address type confusion in X.509 GeneralName 2023-02-08 17:54:13 +01:00
0108-CVE-2023-0401-pkcs7-md.patch Fixed NULL dereference during PKCS7 data verification 2023-02-08 17:54:13 +01:00
0109-fips-Zeroize-out-in-fips-selftest.patch Zeroize FIPS module integrity check MAC after check 2023-03-14 17:23:22 +01:00
0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch GCM: Implement explicit FIPS indicator for IV gen 2023-03-14 17:23:22 +01:00
0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch Add explicit FIPS indicator for PBKDF2 2023-03-14 17:23:22 +01:00
0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch Add explicit FIPS indicator for PBKDF2 2023-03-14 17:23:22 +01:00
0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch Mark RSA-OAEP as approved in FIPS mode 2023-10-26 12:42:29 +02:00
0114-FIPS-enforce-EMS-support.patch Add a workaround for lack of EMS in FIPS mode 2023-07-12 15:56:26 +02:00
0115-CVE-2023-0464.patch Fix excessive resource usage in verifying X509 policy constraints 2023-04-18 09:43:21 +02:00
0116-CVE-2023-0465.patch Fix invalid certificate policies in leaf certificates check 2023-04-18 09:45:07 +02:00
0117-CVE-2023-0466.patch Certificate policy check not enabled 2023-04-18 09:46:41 +02:00
0118-CVE-2023-1255.patch Input buffer over-read in AES-XTS implementation on 64 bit ARM 2023-04-21 12:33:25 +02:00
0120-RSA-PKCS15-implicit-rejection.patch Backport implicit rejection for RSA PKCS#1 v1.5 encryption 2023-04-28 19:10:51 +02:00
0121-FIPS-cms-defaults.patch Use OAEP padding and aes-128-cbc by default in cms command in FIPS mode 2023-05-22 10:58:28 +02:00
0122-CVE-2023-2650.patch Fix possible DoS translating ASN.1 object identifiers 2023-05-31 16:18:19 +02:00
0123-ibmca-atexit-crash.patch Release the DRBG in global default libctx early 2023-05-31 16:21:07 +02:00
0125-CVE-2023-2975.patch AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries 2023-10-18 11:15:19 +02:00
0126-CVE-2023-3446.patch Excessive time spent checking DH keys and parameters 2023-10-18 11:18:44 +02:00
0127-CVE-2023-3817.patch Excessive time spent checking DH q parameter value 2023-10-18 11:20:31 +02:00
0128-CVE-2023-5363.patch Fix incorrect cipher key and IV length processing (CVE-2023-5363) 2023-10-25 12:08:21 +02:00
0129-rsa-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch Mark RSA-OAEP as approved in FIPS mode 2023-10-26 12:42:29 +02:00
0130-CVE-2023-5678.patch Excessive time spent in DH check/generation with large Q parameter value (CVE-2023-5678) 2023-11-08 12:39:41 +01:00
ci.fmf ci.fmf: Enable golang tests as reverse dependency 2023-05-29 10:01:36 +02:00
configuration-prefix.h Rebase to OpenSSL version 3.0.0 2021-04-12 00:34:30 +02:00
configuration-switch.h Rebase to OpenSSL version 3.0.0 2021-04-12 00:34:30 +02:00
gating.yaml Temporary manual test 2022-04-21 13:20:27 +02:00
genpatches Rebase to OpenSSL version 3.0.0 2021-04-12 00:34:30 +02:00
make-dummy-cert RHEL 9.0.0 Alpha bootstrap 2020-10-15 22:27:53 +02:00
Makefile.certificate RHEL 9.0.0 Alpha bootstrap 2020-10-15 22:27:53 +02:00
openssl.spec FIPS: abort on rsa_keygen_pairwise_test failure 2023-11-21 12:32:41 +01:00
renew-dummy-cert RHEL 9.0.0 Alpha bootstrap 2020-10-15 22:27:53 +02:00
rpminspect.yaml Make rpminspect happy 2021-12-10 14:19:15 +01:00
sources - Upload new upstream sources without manually hobbling them. 2023-05-02 11:44:53 +02:00