rpms/openssl
8
1
Fork 1
Code Issues Pull Requests Releases Activity
74 Commits 10 Branches 65 Tags 7.2 MiB
153f593fa6
Commit Graph

74 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Clemens Lang
153f593fa6 Fix SHA1 certs in LEGACY without openssl lib ctxt 
Resolves: rhbz#2065400
Signed-off-by: Clemens Lang <cllang@redhat.com>
 2022-03-18 13:36:55 +01:00
Clemens Lang
4eb630f7d5 Fix TLS connections with SHA1 signatures if rh-allow-sha1-signatures = yes 
Resolves: rhbz#2065400
Signed-off-by: Clemens Lang <cllang@redhat.com>
 2022-03-18 09:27:51 +01:00
Dmitry Belyavskiy
03697fff80 CVE-2022-0778 fix 
Resolves: rhbz#2062315
 2022-03-16 15:03:25 +01:00
Clemens Lang
bc7dfd9722 Fix RSA PSS padding with SHA-1 disabled 
Invocations of EVP_PKEY_CTX_set_rsa_padding(RSA_PKCS1_PSS_PADDING)
before setting an allowed digest with EVP_PKEY_CTX_set_signature_md()
would fail with SHA-1 use in signatures disabled, because OpenSSL's
internal default for the digest was SHA-1.

This isn't documented in any of the manpages, hence we expect users to
always call both EVP_PKEY_CTX_set_rsa_padding() and
EVP_PKEY_CTX_set_signature_md(). We do not want set_rsa_padding() to
fail if users set a non-SHA-1 signature algorithm after setting the
padding mode, though, so change the internal default to SHA-256 if SHA-1
is disabled.

Resolves: rhbz#2062640
 2022-03-10 13:29:29 +01:00
Clemens Lang
3c66c99bd5 Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes 
We want legacy policy to be able to talk to older RHEL that only
supports SHA1 signature algorithms, so allow SHA1 signatures even in
seclevel 2 if rh-allow-sha1-signatures is set to yes.

Resolves: rhbz#2060510
Signed-off-by: Clemens Lang <cllang@redhat.com>
 2022-03-04 10:19:04 +01:00
Clemens Lang
ede38fcb54 Prevent use of SHA1 with ECDSA 
providers/implementations/signature/{ec,}dsa_sig.c accept a NID_undef
digest, so to prevent SHA1 from working with ECDSA and DSA, we must
return a negative value in securitycheck.c.

Resolves: rhbz#2031742
 2022-02-25 14:45:22 +01:00
Dmitry Belyavskiy
ea9f0a5726 OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters 
Resolves: rhbz#1977867
 2022-02-25 12:37:01 +01:00
Peter Robinson
849a9965ee Support KBKDF (NIST SP800-108) with an R value of 8bits Resolves: rhbz#2027261 
Signed-off-by: Peter Robinson <pbrobinson@redhat.com>
 2022-02-24 10:14:16 +00:00
Clemens Lang
53f53fedec Allow SHA1 usage in MGF1 for RSASSA-PSS signatures 
Resolves: rhbz#2031742
Signed-off-by: Clemens Lang <cllang@redhat.com>
 2022-02-23 17:53:55 +01:00
Dmitry Belyavskiy
b33dfd3fc3 Spec bump 
Resolves: rhbz#2031742
 2022-02-23 11:47:25 +01:00
Clemens Lang
5a9ab1160e Allow SHA1 usage in HMAC in TLS 
The EVP_DigestSign API is used in TLS to compute a SHA1 HMAC, which is
OK from our point of view, but was blocked so far. Modify
0049-Selectively-disallow-SHA1-signatures.patch to check the EVP_PKEY
type for HMAC (and TLS1-PRF and HKDF), and allow SHA1 for these cases.

Note that TLS1.1 signs a MD5-SHA1 hash with a private key, which does
not work with rh-allow-sha1-signatures = no, so the minimum TLS version
will be TLS 1.2.

Resolves: rhbz#2031742
Signed-off-by: Clemens Lang <cllang@redhat.com>
 2022-02-22 19:40:20 +01:00
Dmitry Belyavskiy
53b85f538c OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters 
Resolves: rhbz#1977867
 2022-02-22 16:32:34 +01:00
Dmitry Belyavskiy
d79f404164 Allows non-fips KDF for PKCS#12 
Related: rhbz#2049265
 2022-02-22 16:30:16 +01:00
Clemens Lang
78fb78d307 Disable SHA1 signature creation and verification by default 
Set rh-allow-sha1-signatures = yes to re-enable

Resolves: rhbz#2031742
Signed-off-by: Clemens Lang <cllang@redhat.com>
 2022-02-22 12:25:35 +01:00
Sahana Prasad
0a5c81da78 s_server: correctly handle 2^14 byte long records 
Resolves: rhbz#2042011

Signed-off-by: Sahana Prasad <sahana@redhat.com>
 2022-02-03 15:37:48 +01:00
Dmitry Belyavskiy
922b5301ea Adjust FIPS provider version 
FIPS provider version is now autofilled from release and date
Related: rhbz#2026445
 2022-02-01 16:02:01 +01:00
Dmitry Belyavskiy
8c3b745547 On the s390x, zeroize all the copies of TLS premaster secret 
Related: rhbz#2040448
 2022-01-26 16:50:19 +01:00
Dmitry Belyavskiy
92e721fa5d Rebuild 
Related: rhbz#2026445
 2022-01-21 14:40:57 +01:00
Dmitry Belyavskiy
691c22b61c Remove volatile attribute from HMAC to make annocheck happy 
Related: rhbz#1985362
 2022-01-21 13:48:28 +01:00
Dmitry Belyavskiy
d237e7f301 Restoring fips=yes to SHA-1 
Related: rhbz#2026445
 2022-01-21 13:48:28 +01:00
Dmitry Belyavskiy
9df33eabbe KATS self-tests should run before HMAC verifcation 
Related: rhbz#2041994
 2022-01-21 13:48:28 +01:00
Sahana Prasad
f5421022ee Adds enable-buildtest-c++ to the configure options. 
Related: rhbz#1990814

Signed-off-by: Sahana Prasad <sahana@redhat.com>
 2022-01-20 16:37:50 +01:00
Sahana Prasad
78a467efcc Rebase to upstream version 3.0.1 
Fixes CVE-2021-4044 Invalid handling of X509_verify_cert() internal errors in libssl
Resolves: rhbz#2038910, rhbz#2035148

Signed-off-by: Sahana Prasad <sahana@redhat.com>
 2022-01-18 18:30:10 +01:00
Dmitry Belyavskiy
e63c4b68b2 Update spec file, remove fipsmodule.cnf 
Related: rhbz#2026445
 2022-01-17 14:18:22 +01:00
Dmitry Belyavskiy
6cdaa527d8 Explicitly permit SHA1 HMAC 
Related: rhbz#2026445
 2022-01-17 13:19:40 +01:00
Dmitry Belyavskiy
cc37486d86 Minimize the list of services allowed for FIPS 
Related: rhbz#2026445
 2022-01-17 13:19:29 +01:00
Dmitry Belyavskiy
225b6d37b9 openssl speed should run in FIPS mode 
Related: rhbz#1977318
 2021-12-21 16:16:07 +01:00
Dmitry Belyavskiy
13dc3794cb Make rpminspect happy 2021-12-10 14:19:15 +01:00
Dmitry Belyavskiy
4c1c00d6af Updated spec, some cleanup done 
Related: rhbz#1985362
 2021-11-24 13:44:25 +01:00
Dmitry Belyavskiy
9422ae52de Always activate default provider via config 
Related: rhbz#1985362
 2021-11-23 16:52:23 +01:00
Dmitry Belyavskiy
210c37e906 Disable fipsinstall application 
Related: rhbz#1985362
 2021-11-23 15:02:48 +01:00
Dmitry Belyavskiy
3ff0db7558 Embed correct HMAC into fips provider 
We have stripped production version and unstripped version for tests.
Related: rhbz#1985362
 2021-11-23 15:02:14 +01:00
Dmitry Belyavskiy
5c4e10ac26 FIPS provider auto activation 
When FIPS flag is on, we load fips provider and set properties to fips.
FIPS checksum is embedded in FIPS provider itself
Related: rhbz#1985362
 2021-11-23 15:01:33 +01:00
Dmitry Belyavskiy
694c426faf Fix memory leak in s_client 
Related: rhbz#1996092
 2021-10-07 19:08:23 +02:00
Dmitry Belyavskiy
b76c2316a3 KTLS and FIPS may interfere, so tests need to be tuned 
Resolves: rhbz#1961643
 2021-09-22 17:15:22 +02:00
Dmitry Belyavskiy
3edf474b5d Avoid double-free on error seeding the RNG. 
Resolves: rhbz#1952844
 2021-09-20 17:13:26 +02:00
Sahana Prasad
34d46544a5 Rebase to upstream version 3.0.0 
Related: rhbz#1990814

Signed-off-by: Sahana Prasad <sahana@redhat.com>
 2021-09-09 13:07:02 +02:00
Sahana Prasad
07de966235 - Removes the dual-abi build as it not required anymore. The mass rebuild 
was completed and all packages are rebuilt against Beta version.
Resolves: rhbz#1984097

Signed-off-by: Sahana Prasad <sahana@redhat.com>
 2021-08-25 17:02:52 +02:00
Dmitry Belyavskiy
ddd1eb3708 Correctly processing CMS reading from /dev/stdin 
Resolves: rhbz#1986315
 2021-08-23 10:45:49 +02:00
Sahana Prasad
49de59749c Add instruction for loading legacy provider in openssl.cnf 
Resolves: rhbz#1975836

Signed-off-by: Sahana Prasad <sahana@redhat.com>
 2021-08-16 14:16:12 +02:00
Sahana Prasad
03899fca38 Adds support for IDEA encryption. 
Resolves: rhbz#1990602

Signed-off-by: Sahana Prasad <sahana@redhat.com>
 2021-08-16 11:44:00 +02:00
Sahana Prasad
0c6f4a599c - Fixes core dump in openssl req -modulus 
- Fixes 'openssl req' to not ask for password when non-encrypted private key
  is used
- cms: Do not try to check binary format on stdin and -rctform fix
- Resolves: rhbz#1988137, rhbz#1988468, rhbz#1988137

Signed-off-by: Sahana Prasad <sahana@redhat.com>
 2021-08-10 16:54:16 +02:00
Mohan Boddu
2862adca42 Rebuilt for IMA sigs, glibc 2.34, aarch64 flags 
Related: rhbz#1991688
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
 2021-08-09 22:44:21 +00:00
Dmitry Belyavskiy
ecb6630fd3 When signature_algorithm extension is omitted, use more relevant alerts 
Resolves: rhbz#1965017
 2021-08-04 15:55:01 +02:00
Sahana Prasad
c5d8025ca8 Remove tier 0 functional test from gating.yaml. 
These tests are removed from dist-git and are executed
as tier1 or higher tests already.
Signed-off-by: Sahana Prasad <sahana@redhat.com>
 2021-08-04 10:37:11 +02:00
Sahana Prasad
fe7445d93d Rebase to upstream version beta2 
Related: rhbz#1903209

Signed-off-by: Sahana Prasad <sahana@redhat.com>
 2021-08-03 15:11:22 +02:00
Sahana Prasad
0b6afca185 - Prevents creation of duplicate cert entries in PKCS #12 files 
Resolves: rhbz#1978670

Signed-off-by: Sahana Prasad <sahana@redhat.com>
 2021-07-22 15:38:17 +02:00
Aleksandra Fedorova
b7c6b85c95 Add RHEL gating configuration 2021-07-22 07:14:14 +00:00
Sahana Prasad
e3d0ba4f1e NVR Bump to Update to OpenSSL 3.0 Beta1 version 
Related: rhbz#1903209

Signed-off-by: Sahana Prasad <sahana@redhat.com>
 2021-07-21 14:37:35 +02:00
Sahana Prasad
529b968a17 Update patch dual-abi.patch to add the #define macros in implementation 
files instead of public header files

Related: rhbz#1903209
Signed-off-by: Sahana Prasad <sahana@redhat.com>
 2021-07-19 14:00:13 +02:00