Dmitry Belyavskiy
7d3d9af0c8
SHA-1 signature shouldn't work in normal mode
...
Resolves: RHEL-36677
2024-07-10 11:43:37 +02:00
Dmitry Belyavskiy
09b4e34fcf
Disallow SHA1 at SECLEVEL2 in OpenSSL
...
Resolves: RHEL-39962
2024-07-10 10:50:30 +02:00
Dmitry Belyavskiy
6084652840
Do not install ENGINE headers, man pages, and define OPENSSL_NO_ENGINE
...
Resolves: RHEL-45704
2024-07-02 14:51:09 +02:00
George Pantelakis
68e0354892
configure basic gating on RHEL-10
2024-07-01 14:15:53 +00:00
Daiki Ueno
dfb3583fef
Replace HKDF backward compatibility patch with the official one
...
Related: RHEL-41261
Signed-off-by: Daiki Ueno <dueno@redhat.com>
2024-07-01 09:36:26 +09:00
Troy Dawson
e82e52bbae
Bump release for June 2024 mass rebuild
2024-06-24 09:06:12 -07:00
Daiki Ueno
9eb261ba85
Add workaround for EVP_PKEY_CTX_add1_hkdf_info with older providers
...
Resolves: RHEL-41261
Signed-off-by: Daiki Ueno <dueno@redhat.com>
2024-06-15 10:04:02 +09:00
Dmitry Belyavskiy
1d9e9ba818
Build openssl with no-atexit
...
Resolves: RHEL-40408
2024-06-12 13:12:26 +02:00
Dmitry Belyavskiy
3ae0078fd9
Rebase to OpenSSL 3.2.2.
...
Related: RHEL-31762
2024-06-05 18:56:27 +02:00
Sahana Prasad
c948b4d252
Bump the version
...
Related: RHEL-31762
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2024-06-05 11:03:24 +02:00
Sahana Prasad
d508cbed93
Synchronize patches from c9s and Fedora
...
Resolves: RHEL-31762
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2024-06-05 09:32:43 +02:00
Sahana Prasad
96988f0060
temporarily disable ktls to unblock c10s builds
...
Resolves: RHEL-25259
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2024-02-13 13:13:42 +01:00
Sahana Prasad
4334bc837f
Fix version aliasing issue
...
https://github.com/openssl/openssl/issues/23534
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2024-02-09 21:17:11 +01:00
Sahana Prasad
f4c397c598
Rebase to new upstream release 3.2.1
...
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2024-02-08 13:42:51 +01:00
Fedora Release Engineering
2a7a4d9e50
Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
2024-01-25 11:30:17 +00:00
Fedora Release Engineering
3cb13195fa
Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
2024-01-21 11:22:20 +00:00
Dmitry Belyavskiy
84795a9247
We don't want to ship openssl-pkcs11 in RHEL10/Centos 10
2024-01-10 18:15:14 +01:00
Sahana Prasad
e331fc1326
Rebase to upstream version 3.1.4
...
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2023-10-26 12:29:21 +02:00
Dmitry Belyavskiy
5c67b5adc3
Slightly rearranged the patches we have
2023-08-31 17:23:53 +02:00
Dmitry Belyavskiy
e52367af47
Synchronize patches from CentOS stream
2023-08-22 16:39:12 +02:00
Dmitry Belyavskiy
c73a6ab930
migrated to SPDX license
2023-08-04 13:55:50 +02:00
Sahana Prasad
1eb7adc383
Adding changes to patch files from source-git sync
...
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2023-07-31 10:04:55 +02:00
Sahana Prasad
9409bc7044
Rebase to upstream release 3.1.1
...
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2023-07-28 15:26:00 +02:00
Dmitry Belyavskiy
2b0eda88de
Forbid custom EC more completely
...
Resolves: rhbz#2223953
2023-07-27 12:48:59 +02:00
Fedora Release Engineering
7e9699e170
Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
...
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2023-07-20 18:12:28 +00:00
Peter Leitmann
979cb8a57b
Add TMT interoperability tests & rewrite python STI test to TMT
2023-05-23 17:51:57 +02:00
Sahana Prasad
477bb5e652
- Upload new upstream sources without manually hobbling them.
...
- Remove the hobbling script as it is redundant. It is now allowed to ship
the sources of patented EC curves, however it is still made unavailable to use
by compiling with the 'no-ec2m' Configure option. The additional forbidden
curves such as P-160, P-192, wap-tls curves are manually removed by updating
0011-Remove-EC-curves.patch.
- Apply the changes to ec_curve.c and ectest.c as a new patch
0010-Add-changes-to-ectest-and-eccurve.patch instead of replacing them.
- Modify 0011-Remove-EC-curves.patch to allow Brainpool curves.
- Modify 0011-Remove-EC-curves.patch to allow code under macro OPENSSL_NO_EC2M.
┊ Resolves: rhbz#2130618, rhbz#2141672
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2023-03-21 14:21:41 +01:00
Stephen Gallagher
e198b69ab5
Rebase ELN/RHEL patch for OpenSSL 3.0.8
...
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-02-13 13:36:24 -05:00
Stephen Gallagher
167e0dd694
ELN: fix SHA1 signature patch again
...
The util/libcrypto.num patch did not apply cleanly.
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-02-13 10:53:54 -05:00
Dmitry Belyavskiy
194ef7464a
Rebase to upstream version 3.0.8
...
Resolves: CVE-2022-4203
Resolves: CVE-2022-4304
Resolves: CVE-2022-4450
Resolves: CVE-2023-0215
Resolves: CVE-2023-0216
Resolves: CVE-2023-0217
Resolves: CVE-2023-0286
Resolves: CVE-2023-0401
2023-02-09 17:57:19 +01:00
Fedora Release Engineering
02d85d00af
Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
...
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2023-01-19 22:58:20 +00:00
Dmitry Belyavskiy
9ce9458604
Backport implicit rejection for RSA PKCS#1 v1.5 encryption
...
Resolves: rhbz#2153470
2023-01-05 18:17:28 +01:00
Dmitry Belyavskiy
500ad3d300
Refactor embedded mac verification in FIPS module
...
Resolves: rhbz#2156045
2023-01-05 11:30:00 +01:00
Dmitry Belyavskiy
106fe8964c
- Rebase to upstream version 3.0.7
...
Rebased to openssl-3.0.7 with corresponding minor bugfixes
- C99 compatibility in downstream-only 0032-Force-fips.patch
Resolves: rhbz#2152504
- Adjusting include for the FIPS_mode macro
Resolves: rhbz#2083876
2022-12-23 11:53:21 +01:00
Simo Sorce
e9a0511933
Backport patches to fix external providers compatibility issues
2022-11-16 14:27:12 -05:00
Dmitry Belyavskiy
f7a2c68257
CVE-2022-3602, CVE-2022-3786: X.509 Email Address Buffer Overflow
...
Resolves: CVE-2022-3602
Resolves: CVE-2022-3786
2022-11-01 15:54:54 +01:00
Dmitry Belyavskiy
b5f6fd8216
Update patches to make ELN build happy
...
Resolves: rhbz#2123755
2022-09-12 11:39:39 +02:00
Clemens Lang
d54aeb5a0f
Fix AES-GCM on Power 8 CPUs
...
Our backported patch unconditionally uses assembly instructions for
Power9 and later, which triggers SIGILL on Power8 machines:
| [ 3705.137658] sshd[1703]: illegal instruction (4) at 7fff85526aac nip 7fff85526aac lr 7fff854828e0 code 1 in libcrypto.so.3.0.5[7fff85240000+300000]
Backport upstream's fix for this.
Resolves: rhbz#2124845
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-09-09 17:15:32 +02:00
Dmitry Belyavskiy
4855397272
openssl.spec is synced with RHEL
...
Related: rhbz#2123755
2022-09-02 16:22:10 +02:00
Dmitry Belyavskiy
89541c6ea4
We don't support explicit curves, commenting out the test
...
Related: rhbz#2123755
2022-09-02 16:21:43 +02:00
Dmitry Belyavskiy
080143cbc1
Sync with RHEL - applying patches
...
Related: rhbz#2123755
2022-09-02 16:20:26 +02:00
Stephen Gallagher
43e576feab
ELN: fix SHA1 signature patch
...
The util/libcrypto.num patch did not apply cleanly.
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2022-08-17 13:17:58 -04:00
Stephen Gallagher
566546250b
ELN: fix SHA1 signature patch
...
The util/libcrypto.num patch did not apply cleanly.
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2022-08-17 13:00:07 -04:00
Fedora Release Engineering
d1b1996624
Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
...
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2022-07-22 02:15:17 +00:00
Clemens Lang
32908974c2
Rebase to upstream version 3.0.5
...
Also fixes CVE-2022-2097, which only affects i686.
Related: rhbz#2099972
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-07-07 12:36:41 +02:00
Dmitry Belyavskiy
8a03afa13c
Rebasing to OpenSSL 3.0.3
...
Resolves: rhbz#2091987
2022-06-01 17:29:35 +02:00
Clemens Lang
efdb8c60a3
Allow MD5-SHA1 in LEGACY c-p to fix TLS 1.0
...
Fedora supports TLS down to 1.0 in LEGACY crypto-policy, but TLS 1.0
defaults to rsa_pkcs1_md5_sha1 with RSA certificates by default.
However, MD5-SHA1 would require SECLEVEL=0, because its 67 bits of
security do not meet SECLEVEL=1's requirement of 80 bits.
Instead of setting SECLEVEL to 0 in the LEGACY crypto-policy (which
would include all algorithms, regardless of their security level), allow
MD5-SHA1 if rh-allow-sha1-signatures is yes and SECLEVEL is 1.
Related: rhbz#2069239
2022-04-27 12:24:38 +02:00
Alexander Sosedkin
8f08128432
Instrument with USDT probes related to SHA-1 deprecation
2022-04-26 19:08:09 +02:00
Clemens Lang
0eaa0014c9
Fix a FIXME in the openssl.cnf(5) manpage
...
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-04-20 15:47:59 +02:00
Clemens Lang
0967bb5953
ELN: Disable SHA-1 by default using CentOS patches
...
ELN should ideally be ahead of CentOS and RHEL with policy changes, but
due to time constraints was not. Fix that by bringing the current CentOS
9 / RHEL 9 state of SHA-1 disabling to ELN.
Due to differences in their lifecycles, Fedora's packages will stay at
allowing SHA-1 by default for now. There is a plan to gradually catch up
to the ELN state over the next few releases.
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-04-20 15:18:07 +02:00