Commit Graph

114 Commits

Author SHA1 Message Date
Clemens Lang
5a9ab1160e Allow SHA1 usage in HMAC in TLS
The EVP_DigestSign API is used in TLS to compute a SHA1 HMAC, which is
OK from our point of view, but was blocked so far. Modify
0049-Selectively-disallow-SHA1-signatures.patch to check the EVP_PKEY
type for HMAC (and TLS1-PRF and HKDF), and allow SHA1 for these cases.

Note that TLS1.1 signs a MD5-SHA1 hash with a private key, which does
not work with rh-allow-sha1-signatures = no, so the minimum TLS version
will be TLS 1.2.

Resolves: rhbz#2031742
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-02-22 19:40:20 +01:00
Dmitry Belyavskiy
53b85f538c OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters
Resolves: rhbz#1977867
2022-02-22 16:32:34 +01:00
Dmitry Belyavskiy
d79f404164 Allows non-fips KDF for PKCS#12
Related: rhbz#2049265
2022-02-22 16:30:16 +01:00
Clemens Lang
78fb78d307 Disable SHA1 signature creation and verification by default
Set rh-allow-sha1-signatures = yes to re-enable

Resolves: rhbz#2031742
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-02-22 12:25:35 +01:00
Sahana Prasad
0a5c81da78 s_server: correctly handle 2^14 byte long records
Resolves: rhbz#2042011

Signed-off-by: Sahana Prasad <sahana@redhat.com>
2022-02-03 15:37:48 +01:00
Dmitry Belyavskiy
922b5301ea Adjust FIPS provider version
FIPS provider version is now autofilled from release and date
Related: rhbz#2026445
2022-02-01 16:02:01 +01:00
Dmitry Belyavskiy
8c3b745547 On the s390x, zeroize all the copies of TLS premaster secret
Related: rhbz#2040448
2022-01-26 16:50:19 +01:00
Dmitry Belyavskiy
92e721fa5d Rebuild
Related: rhbz#2026445
2022-01-21 14:40:57 +01:00
Dmitry Belyavskiy
691c22b61c Remove volatile attribute from HMAC to make annocheck happy
Related: rhbz#1985362
2022-01-21 13:48:28 +01:00
Dmitry Belyavskiy
d237e7f301 Restoring fips=yes to SHA-1
Related: rhbz#2026445
2022-01-21 13:48:28 +01:00
Dmitry Belyavskiy
9df33eabbe KATS self-tests should run before HMAC verifcation
Related: rhbz#2041994
2022-01-21 13:48:28 +01:00
Sahana Prasad
f5421022ee Adds enable-buildtest-c++ to the configure options.
Related: rhbz#1990814

Signed-off-by: Sahana Prasad <sahana@redhat.com>
2022-01-20 16:37:50 +01:00
Sahana Prasad
78a467efcc Rebase to upstream version 3.0.1
Fixes CVE-2021-4044 Invalid handling of X509_verify_cert() internal errors in libssl
Resolves: rhbz#2038910, rhbz#2035148

Signed-off-by: Sahana Prasad <sahana@redhat.com>
2022-01-18 18:30:10 +01:00
Dmitry Belyavskiy
e63c4b68b2 Update spec file, remove fipsmodule.cnf
Related: rhbz#2026445
2022-01-17 14:18:22 +01:00
Dmitry Belyavskiy
6cdaa527d8 Explicitly permit SHA1 HMAC
Related: rhbz#2026445
2022-01-17 13:19:40 +01:00
Dmitry Belyavskiy
cc37486d86 Minimize the list of services allowed for FIPS
Related: rhbz#2026445
2022-01-17 13:19:29 +01:00
Dmitry Belyavskiy
225b6d37b9 openssl speed should run in FIPS mode
Related: rhbz#1977318
2021-12-21 16:16:07 +01:00
Dmitry Belyavskiy
13dc3794cb Make rpminspect happy 2021-12-10 14:19:15 +01:00
Dmitry Belyavskiy
4c1c00d6af Updated spec, some cleanup done
Related: rhbz#1985362
2021-11-24 13:44:25 +01:00
Dmitry Belyavskiy
9422ae52de Always activate default provider via config
Related: rhbz#1985362
2021-11-23 16:52:23 +01:00
Dmitry Belyavskiy
210c37e906 Disable fipsinstall application
Related: rhbz#1985362
2021-11-23 15:02:48 +01:00
Dmitry Belyavskiy
3ff0db7558 Embed correct HMAC into fips provider
We have stripped production version and unstripped version for tests.
Related: rhbz#1985362
2021-11-23 15:02:14 +01:00
Dmitry Belyavskiy
5c4e10ac26 FIPS provider auto activation
When FIPS flag is on, we load fips provider and set properties to fips.
FIPS checksum is embedded in FIPS provider itself
Related: rhbz#1985362
2021-11-23 15:01:33 +01:00
Dmitry Belyavskiy
694c426faf Fix memory leak in s_client
Related: rhbz#1996092
2021-10-07 19:08:23 +02:00
Dmitry Belyavskiy
b76c2316a3 KTLS and FIPS may interfere, so tests need to be tuned
Resolves: rhbz#1961643
2021-09-22 17:15:22 +02:00
Dmitry Belyavskiy
3edf474b5d Avoid double-free on error seeding the RNG.
Resolves: rhbz#1952844
2021-09-20 17:13:26 +02:00
Sahana Prasad
34d46544a5 Rebase to upstream version 3.0.0
Related: rhbz#1990814

Signed-off-by: Sahana Prasad <sahana@redhat.com>
2021-09-09 13:07:02 +02:00
Sahana Prasad
07de966235 - Removes the dual-abi build as it not required anymore. The mass rebuild
was completed and all packages are rebuilt against Beta version.
Resolves: rhbz#1984097

Signed-off-by: Sahana Prasad <sahana@redhat.com>
2021-08-25 17:02:52 +02:00
Dmitry Belyavskiy
ddd1eb3708 Correctly processing CMS reading from /dev/stdin
Resolves: rhbz#1986315
2021-08-23 10:45:49 +02:00
Sahana Prasad
49de59749c Add instruction for loading legacy provider in openssl.cnf
Resolves: rhbz#1975836

Signed-off-by: Sahana Prasad <sahana@redhat.com>
2021-08-16 14:16:12 +02:00
Sahana Prasad
03899fca38 Adds support for IDEA encryption.
Resolves: rhbz#1990602

Signed-off-by: Sahana Prasad <sahana@redhat.com>
2021-08-16 11:44:00 +02:00
Sahana Prasad
0c6f4a599c - Fixes core dump in openssl req -modulus
- Fixes 'openssl req' to not ask for password when non-encrypted private key
  is used
- cms: Do not try to check binary format on stdin and -rctform fix
- Resolves: rhbz#1988137, rhbz#1988468, rhbz#1988137

Signed-off-by: Sahana Prasad <sahana@redhat.com>
2021-08-10 16:54:16 +02:00
Mohan Boddu
2862adca42 Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-08-09 22:44:21 +00:00
Dmitry Belyavskiy
ecb6630fd3 When signature_algorithm extension is omitted, use more relevant alerts
Resolves: rhbz#1965017
2021-08-04 15:55:01 +02:00
Sahana Prasad
c5d8025ca8 Remove tier 0 functional test from gating.yaml.
These tests are removed from dist-git and are executed
as tier1 or higher tests already.
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2021-08-04 10:37:11 +02:00
Sahana Prasad
fe7445d93d Rebase to upstream version beta2
Related: rhbz#1903209

Signed-off-by: Sahana Prasad <sahana@redhat.com>
2021-08-03 15:11:22 +02:00
Sahana Prasad
0b6afca185 - Prevents creation of duplicate cert entries in PKCS #12 files
Resolves: rhbz#1978670

Signed-off-by: Sahana Prasad <sahana@redhat.com>
2021-07-22 15:38:17 +02:00
Aleksandra Fedorova
b7c6b85c95 Add RHEL gating configuration 2021-07-22 07:14:14 +00:00
Sahana Prasad
e3d0ba4f1e NVR Bump to Update to OpenSSL 3.0 Beta1 version
Related: rhbz#1903209

Signed-off-by: Sahana Prasad <sahana@redhat.com>
2021-07-21 14:37:35 +02:00
Sahana Prasad
529b968a17 Update patch dual-abi.patch to add the #define macros in implementation
files instead of public header files

Related: rhbz#1903209
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2021-07-19 14:00:13 +02:00
Sahana Prasad
a3158ae4f7 Removes unused patch dual-abi.patch
Related: rhbz#1903209

Signed-off-by: Sahana Prasad <sahana@redhat.com>
2021-07-14 14:20:07 +02:00
Sahana Prasad
d4e97b3110 Update to Beta1 version
Includes a patch to support dual-ABI, as Beta1 brekas ABI with alpha16

Related: rhbz#1903209

Signed-off-by: Sahana Prasad <sahana@redhat.com>
2021-07-14 13:31:08 +02:00
Sahana Prasad
90bf702df6 - Fixes override of openssl_conf in openssl.cnf
- Use AI_ADDRCONFIG only when explicit host name is given
- Temporarily remove fipsmodule.cnf for arch i686
- Fixes segmentation fault in BN_lebin2bn

Resolves: rhbz#1975847, rhbz#1976845, rhbz#1973477, rhbz#1975855

Signed-off-by: Sahana Prasad <sahana@redhat.com>
2021-07-06 22:35:53 +02:00
Sahana Prasad
4f728a9f3f Fixes override of openssl_conf in openssl.cnf
Resolves: rhbz#1975847

Signed-off-by: Sahana Prasad <sahana@redhat.com>
2021-07-06 13:56:08 +02:00
Sahana Prasad
826e7990ea Adds FIPS mode compatibility patch
Related: rhbz#1977318
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2021-07-02 21:05:44 +02:00
Sahana Prasad
240131b9eb - Fixes system hang issue when booted in FIPS mode
- Temporarily disable downstream FIPS patches
Related: rhbz#1977318

Signed-off-by: Sahana Prasad <sahana@redhat.com>
2021-07-02 20:15:32 +02:00
Mohan Boddu
220d8a96f5 Spec bump and changelog for Speeding up building openssl
Related: rhbz#1903209

Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-06-14 08:56:05 -04:00
Dmitry Belyavskiy
b0a763c723 Speeding up building openssl
Resolves: rhbz#1903209
Signed-off-by: Dmitry Belyavskiy <dbelyavs@redhat.com>
2021-06-11 13:10:06 +02:00
Sahana Prasad
e863fff325 Fix reading SPKAC data from stdin
Fix incorrect OSSL_PKEY_PARAM_MAX_SIZE for ed25519 and ed448
Return 0 after cleanup in OPENSSL_init_crypto()
Cleanup the peer point formats on regotiation
Fix default digest to SHA256

Resolves: rhbz#1958045, rhbz#1952850, rhbz#1961687
Related: rhbz#1958033
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2021-06-04 11:07:23 +02:00
Sahana Prasad
5fa0564b3a Enable FIPS via config options
Resolves: rhbz#1903209

Signed-off-by: Sahana Prasad <sahana@redhat.com>
2021-05-27 15:53:25 +02:00