Commit Graph

225 Commits

Author SHA1 Message Date
Dmitry Belyavskiy
d791b13cf1 Enable sslkeylog support
Resolves: RHEL-90854
2025-05-14 13:25:37 +02:00
Dmitry Belyavskiy
36af632032 Restore RHEL9-style indicators defines
Resolves: RHEL-89859
2025-05-14 13:21:32 +02:00
Dmitry Belyavskiy
431532b994 Expose settable params for EVP_SKEY
Resolves: RHEL-89862
2025-05-14 13:20:16 +02:00
Dmitry Belyavskiy
1d113921da pkeyutl ecdsa signature with sha1 shouldn't work by default
Resolves: RHEL-89861
2025-05-14 13:18:51 +02:00
Dmitry Belyavskiy
6af659130e Fix openssl speed running in FIPS mode
Resolves: RHEL-89860
2025-05-14 13:16:46 +02:00
Dmitry Belyavskiy
3717faa9f1 PKCS#12 should not default to pbmac1 in FIPS mode in RHEL-9
Resolves: RHEL-88912
2025-05-09 13:45:26 +02:00
Dmitry Belyavskiy
58aefe30f2 OpenSSL ignores "rh-allow-sha1-signatures = yes" option on RHEL-9
Resolves: RHEL-88910
2025-05-02 16:46:23 +02:00
George Pantelakis
74174e6c12 plans: migrate gating to fmf format
2025-04-16 18:20:25 +00:00
Dmitry Belyavskiy
b0cff60812 Rebasing OpenSSL to 3.5
Resolves: RHEL-80854
Resolves: RHEL-50208
Resolves: RHEL-50210
Resolves: RHEL-50211
Resolves: RHEL-85954
2025-04-16 14:34:22 +02:00
Dmitry Belyavskiy
5946116ede RFC7250 handshakes with unauthenticated servers don't abort as expected (CVE-2024-12797)
Resolves: RHEL-76756
2025-02-12 13:15:51 +01:00
George Pantelakis
8d05945dc2 Change to the ci tmt plan
Removed the old ci plan using a weird dependency config and organized the
test plans better as it is in c10s branch. The main reason is that tmt
dist-git plans to run against aarch64 architecture for FuSa support
successfully.
2024-12-09 11:50:58 +01:00
Dmitry Belyavskiy
979f6ecb70 Rebuild
Related: RHEL-55339
2024-09-05 10:38:14 +02:00
Dmitry Belyavskiy
0808e4b669 Fix CVE-2024-6119: Possible denial of service in X.509 name checks
Resolves: RHEL-55339
2024-09-04 11:24:27 +02:00
Clemens Lang
8bdb45e21d Fix CVE-2024-5535
The first patch caused a QUIC test to fail, so backport the entire
series, which looks reasonable and adds good additional safeguards and
checks.

(cherry picked from commit f3cb03b52a)

Resolves: RHEL-45657
Signed-off-by: Clemens Lang <cllang@redhat.com>
2024-08-21 18:09:03 +02:00
Daiki Ueno
35940569f1 Replace HKDF backward compatibility patch with the official one
Related: RHEL-40823
Signed-off-by: Daiki Ueno <dueno@redhat.com>
2024-06-22 10:24:51 +09:00
Daiki Ueno
d53f31aa80 Add workaround for EVP_PKEY_CTX_add1_hkdf_info with older providers
Resolves: RHEL-40823
Signed-off-by: Daiki Ueno <dueno@redhat.com>
2024-06-12 20:19:44 +09:00
Dmitry Belyavskiy
ed09ce6530 Rebase to OpenSSL 3.2.2. Fixes CVE-2024-2511, CVE-2024-4603, CVE-2024-4741, and Minerva attack.
Resolves: RHEL-32148
Resolves: RHEL-36792
Resolves: RHEL-38514
Resolves: RHEL-39111
2024-06-05 15:07:02 +02:00
Dmitry Belyavskiy
bd9060b13c Update RNG changing for FIPS purpose
Resolves: RHEL-35380
2024-06-05 15:07:02 +02:00
Dmitry Belyavskiy
2c5c3fcced Rebasing to OpenSSL 3.2.1
Resolves: RHEL-26271
2024-04-15 10:41:31 +02:00
Dmitry Belyavskiy
8e5beb7708 Use certified FIPS module instead of freshly built one in Red Hat distribution
Related: RHEL-23474
2024-02-21 10:46:29 +00:00
Dmitry Belyavskiy
b9f699b8a8 Use certified FIPS module instead of freshly built one in Red Hat distribution
Resolves: RHEL-23474
2024-02-07 10:10:17 +00:00
Dmitry Belyavskiy
50997010d1 Add a directory for OpenSSL providers configuration
Related: RHEL-17193
2024-01-31 16:39:33 +01:00
Dmitry Belyavskiy
e6e479521b Denial of service via null dereference in PKCS#12
Resolves: RHEL-22486
2024-01-29 13:30:00 +01:00
Dmitry Belyavskiy
08c722bcd1 SSL ECDHE Kex fails when pkcs11 engine is set in config file
Resolves: RHEL-20249
2024-01-19 15:18:50 +01:00
Dmitry Belyavskiy
0707122b95 Excessive time spent checking invalid RSA public keys (CVE-2023-6237)
Resolves: RHEL-21654
2024-01-19 15:07:58 +01:00
Dmitry Belyavskiy
3c49cf388a POLY1305 MAC implementation corrupts vector registers on PowerPC (CVE-2023-6129)
Resolves: RHEL-21151
2024-01-19 14:59:04 +01:00
Dmitry Belyavskiy
6c9dd70b94 Eliminate memory leak in OpenSSL when setting elliptic curves on SSL context
Resolves: RHEL-19515
2024-01-19 14:49:51 +01:00
Dmitry Belyavskiy
e7c35f0ede Add a directory for OpenSSL providers configuration
Resolves: RHEL-17193
2023-11-28 11:32:05 +01:00
Clemens Lang
db02879351 FIPS: abort on rsa_keygen_pairwise_test failure
ISO 19790 AS10.09 says the module shall not perform any cryptographic
operations or output data in an error state, but OpenSSL does not have
checks for the module state in EVP_DigestUpdate() and
EVP_EncryptUpdate().

Upstream and their certification lab say these checks aren't needed,
our lab disagrees. We asked for clarification from CMVP. While we are
waiting for that, add a change that will allow us to submit. We will
drop this patch once we found a solution together with upstream.

See #22506 for the discussion upstream.

Resolves: RHEL-17104
2023-11-21 12:32:41 +01:00
Dmitry Belyavskiy
67bb06894f Avoid implicit function declaration when building openssl
Related: RHEL-1780
2023-11-21 12:11:01 +01:00
Dmitry Belyavskiy
f1d5ccdb6e Excessive time spent in DH check/generation with large Q parameter value (CVE-2023-5678)
Resolves: RHEL-15954
2023-11-08 12:39:41 +01:00
Dmitry Belyavskiy
72772f737e Add missing ECDH Public Key Check in FIPS mode
Resolves: RHEL-15990
2023-11-08 12:38:23 +01:00
Clemens Lang
9a075c13c3 Mark RSA-OAEP as approved in FIPS mode
Switch explicit FIPS indicator for RSA-OAEP to approved following
clarification with CMVP. Additionally, backport a check required by
SP800-56Br2 6.4.1.2.1 (3.c).

Resolves: RHEL-14083
2023-10-26 12:42:29 +02:00
Dmitry Belyavskiy
66dddb942c Fix incorrect cipher key and IV length processing (CVE-2023-5363)
Resolves: RHEL-13251
2023-10-25 12:08:21 +02:00
Dmitry Belyavskiy
6e0d3b16e6 Excessive time spent checking DH q parameter value
Resolves: RHEL-5308
2023-10-18 11:20:31 +02:00
Dmitry Belyavskiy
d6248f76c4 Excessive time spent checking DH keys and parameters
Resolves: RHEL-5306
2023-10-18 11:18:44 +02:00
Dmitry Belyavskiy
6775e82636 AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries
Resolves: RHEL-5302
2023-10-18 11:15:19 +02:00
Dmitry Belyavskiy
fa5df9d74b Forbid explicit curves when created via EVP_PKEY_fromdata
Resolves: RHEL-5304
2023-10-17 13:26:14 +02:00
Dmitry Belyavskiy
92436854f9 Avoid implicit function declaration when building openssl
Resolves: RHEL-1780
2023-10-17 13:09:34 +02:00
Dmitry Belyavskiy
ec6d7cf272 Provide empty evp_properties section in main OpenSSL configuration file
Resolves: RHEL-11439
2023-10-17 12:56:38 +02:00
Dmitry Belyavskiy
223304543a Don't limit using SHA1 in KDFs in non-FIPS mode.
Resolves: RHEL-5295
2023-10-16 11:06:43 +02:00
Dmitry Belyavskiy
131e7d1602 Provide relevant diagnostics when FIPS checksum is corrupted
Resolves: RHEL-5317
2023-10-16 11:06:43 +02:00
Dmitry Belyavskiy
d30c497ed1 Make FIPS module configuration more crypto-policies friendly
Related: rhbz#2216256
2023-07-12 17:59:35 +02:00
Dmitry Belyavskiy
217cd631e8 Add a workaround for lack of EMS in FIPS mode
Resolves: rhbz#2216256
2023-07-12 15:56:26 +02:00
Sahana Prasad
8fb737bf79 Remove unsupported ec curves from nist_curves
Resolves: rhbz#2069336

Signed-off-by: Sahana Prasad <sahana@redhat.com>
2023-07-06 10:38:36 +02:00
Sahana Prasad
05b87f449d Remove the listing of brainpool curves in FIPS mode
Related: rhbz#2188180
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2023-06-26 10:23:11 +02:00
Dmitry Belyavskiy
d1a87553bb Release the DRBG in global default libctx early
Resolves: rhbz#2211340
2023-05-31 16:21:07 +02:00
Dmitry Belyavskiy
df4dd7dd7f Fix possible DoS translating ASN.1 object identifiers
Resolves: CVE-2023-2650
2023-05-31 16:18:19 +02:00
Daiki Ueno
103d3109dc ci.fmf: Enable golang tests as reverse dependency
This will trigger the tests for the golang package when the openssl
package is updated, which would be particularly useful when openssl
adds a new algorithm tightening.

Manual configuration is necessary as Go applications dlopen
libcrypto.so.* and openssl doesn't normally appear as a dependency at
RPM level.

Signed-off-by: Daiki Ueno <dueno@redhat.com>
2023-05-29 10:01:36 +02:00
Peter Leitmann
34e7dd5be4 Add interop rpm-tmt-tests
2023-05-24 15:41:56 +00:00