Clemens Lang
432cfa2baa
Allow disabling of SHA1 signatures
...
NOTE: This patch is ported from CentOS 9 / RHEL 9, where it defaults to
denying SHA1 signatures. On Fedora, the default is – for now – to allow
SHA1 signatures.
In order to phase out SHA1 signatures, introduce a new configuration
option in the alg_section named 'rh-allow-sha1-signatures'. This option
defaults to true. If set to false, any signature creation or
verification operations that involve SHA1 as digest will fail.
This also affects TLS, where the signature_algorithms extension of any
ClientHello message sent by OpenSSL will no longer include signatures
with the SHA1 digest if rh-allow-sha1-signatures is false. For servers
that request a client certificate, the same also applies for
CertificateRequest messages sent by them.
Resolves: rhbz#2070977
Related: rhbz#2031742, rhbz#2062640
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-04-07 18:14:04 +02:00
Miro Hrončok
e251b765e5
Restore Python CI tests removed when OpenSSL was updated to 3.0
2022-03-18 10:58:59 +01:00
Dmitry Belyavskiy
a0bd929a42
Update to openssl 3.0.2
...
Related: rhbz#2064453
2022-03-18 10:41:13 +01:00
Fedora Release Engineering
b9f33d724e
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
...
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2022-01-20 22:29:33 +00:00
Sahana Prasad
347681c6b2
Rebase to upstream version 3.0.0
...
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2021-09-09 17:27:21 +02:00
Fedora Release Engineering
5de10d4810
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
...
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2021-07-22 17:20:55 +00:00
Sahana Prasad
0f5f931f9a
update to version 1.1.1k
...
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2021-03-26 07:37:03 +01:00
Sahana Prasad
b023ffe39f
Upgrade to version 1.1.1.j
...
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2021-03-03 15:08:11 +01:00
Sahana Prasad
fb8e66a58f
Fix regression in X509_verify_cert() #bz1916594
...
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2021-02-10 14:56:08 +01:00
Fedora Release Engineering
d34c6392bf
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
...
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2021-01-26 22:36:18 +00:00
Tom Stellard
c89aeae26c
Add BuildRequires: make
...
https://fedoraproject.org/wiki/Changes/Remove_make_from_BuildRoot
2021-01-07 06:39:07 +00:00
Tomas Mraz
a07706cf0e
Update to the 1.1.1i release fixing CVE-2020-1971
2020-12-09 10:49:38 +01:00
Sahana Prasad
3413ff9700
Upgrade to version 1.1.1h
...
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2020-11-09 10:41:15 +01:00
Jakub Jelen
261f10a200
Do not ship in main package manuals (or aliases) to tools from perl subpackage
2020-10-23 10:06:51 +02:00
Fedora Release Engineering
7ae2c9cd85
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
...
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2020-07-28 12:48:57 +00:00
Tom Stellard
a75e581407
Use make macros
...
https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
2020-07-21 20:31:48 +00:00
Tomas Mraz
067d5800f2
Additional FIPS mode check for EC key generation
2020-07-20 14:51:05 +02:00
Tomas Mraz
04d5ef4d72
Further changes for SP 800-56A rev3 requirements
2020-07-17 12:41:39 +02:00
Tomas Mraz
7f27ca925c
Drop long ago obsolete part of the FIPS patch
2020-06-23 15:55:16 +02:00
Tomas Mraz
f023424321
Rewire FIPS_drbg API to use the RAND_DRBG
2020-06-22 13:43:12 +02:00
Tomas Mraz
ef93cf994d
SHA1 is allowed in @SECLEVEL=2 only if allowed by TLS SigAlgs configuration
...
Also some small TLS protocol fixes/changes:
Disallow dropping Extended Master Secret extension on renegotiation
Return alert from s_server if ALPN protocol does not match
2020-06-05 17:39:16 +02:00
Tomas Mraz
b9c80ecf85
Add FIPS selftest for PBKDF2 and KBKDF
...
Also more adjustments to the FIPS DH handling
2020-06-03 16:30:12 +02:00
Tomas Mraz
9833eff277
Use the well known DH groups in TLS
2020-05-26 09:28:42 +02:00
Tomas Mraz
8746bcba4c
Allow only well known DH groups in the FIPS mode
2020-05-25 18:52:45 +02:00
Adam Williamson
7396eb055e
Re-apply change from -2 now we have fixed nosync to work with it
2020-05-21 13:04:18 -07:00
Adam Williamson
6e23655506
Re-apply "FIPS module installed state definition is modified"
...
This reverts commit 1bc9545b38
and
re-applies the previous change
"FIPS module installed state definition is modified", commit
89a24d69fc
. We have updated the
builders to the newer nosync version that should work OK with
this change now, so we can try it again.
2020-05-21 13:01:54 -07:00
Adam Williamson
87eaf879ac
Revert the change from -2 as it seems to cause segfaults
2020-05-19 18:35:16 -07:00
Adam Williamson
1bc9545b38
Revert "FIPS module installed state definition is modified"
...
This reverts commit 89a24d69fc
.
2020-05-19 18:33:30 -07:00
Tomas Mraz
1e6a98d9e9
pull some fixes and improvements from RHEL-8
2020-05-18 13:26:53 +02:00
Tomas Mraz
d902645d90
Unused patch dropped
2020-05-18 13:13:56 +02:00
Tomas Mraz
89a24d69fc
FIPS module installed state definition is modified
2020-05-15 17:45:44 +02:00
Miro Hrončok
0f4ce87941
Fedora CI: Test with the "main" Python version
...
See https://src.fedoraproject.org/tests/python/pull-request/21
2020-04-28 19:01:56 +00:00
Tomas Mraz
5888d1863e
update to the 1.1.1g release
2020-04-23 13:47:52 +02:00
Tomas Mraz
5004ccfb25
update to the 1.1.1f release
2020-04-07 16:50:53 +02:00
Tomas Mraz
ea310218f3
revert the unexpected EOF error reporting change
...
it is too disruptive for the stable release branch
2020-03-26 15:14:08 +01:00
Tomas Mraz
c9936c55c2
Additional perl module buildrequires
2020-03-20 13:30:41 +01:00
Tomas Mraz
30d45eb047
Add BuildRequires perl(FindBin)
2020-03-20 12:44:34 +01:00
Tomas Mraz
c11b71fd2f
update to the 1.1.1e release
...
add selftest of the RAND_DRBG implementation
fix incorrect error return value from FIPS_selftest_dsa
2020-03-19 17:44:25 +01:00
Tomas Mraz
c77593a912
Intel CET patch - also add CFI fixes to sync with upstream
2020-02-17 12:05:57 +01:00
Tomas Mraz
b9b156fb97
apply Intel CET support patches by hjl ( #1788699 )
2020-02-17 11:54:47 +01:00
Tomas Mraz
d742997a1e
Fix incorrect error return value from FIPS_selftest_dsa()
2020-02-12 17:03:11 +01:00
Fedora Release Engineering
898af7893c
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
...
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2020-01-29 20:25:04 +00:00
Tomas Mraz
b8a97dc1d8
allow zero length parameters in KDF_CTX_ctrl()
2019-11-21 14:49:21 +01:00
Tomas Mraz
0536b721ef
backport of SSKDF from master
2019-11-14 16:13:49 +01:00
Tomas Mraz
266efa3055
backport of KBKDF and KRB5KDF from master
2019-11-13 13:43:05 +01:00
Tomas Mraz
dc9d5caf5e
KBKDF for Kerberos 5
2019-11-12 16:38:11 +01:00
Tomas Mraz
f1c4ba61a3
Multiple fixes
...
re-enable the stitched AES-CBC-SHA implementations
make AES-GCM work in FIPS mode again
enable TLS-1.2 AES-CCM ciphers in FIPS mode
fix openssl speed errors in FIPS mode
2019-10-03 17:43:23 +02:00
Tomas Mraz
10c30b2322
Re-add one hunk of the fips patch accidentally dropped in the rebase.
2019-09-27 08:36:50 +02:00
Tomas Mraz
f6a62c4c2c
update to the 1.1.1d release
2019-09-13 17:25:44 +02:00
Tomas Mraz
c44b3f96fe
Bump release correctly
2019-09-06 17:18:46 +02:00