Commit Graph

625 Commits

Author SHA1 Message Date
Simo Sorce
e014d8a609 Temporarily disable SLH-DSA FIPS self tests
This was enabled during the rebase but it needs to be disabled until
performance issues are resolved.

Related: RHEL-80854

Signed-off-by: Simo Sorce <simo@redhat.com>
2025-07-24 06:32:50 -04:00
Dmitry Belyavskiy
98cf25a4c0 Rebasing to OpenSSL 3.5.1
Resolves: RHEL-90350
Resolves: RHEL-95613
Resolves: RHEL-97796
Resolves: RHEL-99353
Resolves: RHEL-100168
2025-07-01 16:33:14 +02:00
Dmitry Belyavskiy
5a68570dd4 rebuilt
Related: RHEL-80811
2025-06-05 15:50:22 +02:00
Dmitry Belyavskiy
d13b9c5c36 rebuilt
Related: RHEL-80811
2025-06-05 11:59:49 +02:00
Dmitry Belyavskiy
1d401560ac rebuilt
Related: RHEL-80811
2025-06-04 17:43:35 +02:00
Dmitry Belyavskiy
1e7815b2cf Make hybrid MLKEM work with our FIPS provider (3.0.7)
Resolves: RHEL-94614
2025-06-04 14:16:20 +02:00
Dmitry Belyavskiy
0367bee51d Compact patches for better maintainability
Related: RHEL-80811
2025-06-03 17:26:56 +02:00
Dmitry Belyavskiy
63b528e647 Fix UEFI builds on double function definitions
Resolves: RHEL-93168
2025-05-22 13:30:46 +02:00
Dmitry Belyavskiy
062693b2b8 Fix regressions caused by rebase to OpenSSL 3.5
Related: RHEL-80811
2025-05-22 12:59:35 +02:00
Dmitry Belyavskiy
dc0e1f27f5 Fix UEFI builds
Resolves: RHEL-89137
2025-05-14 12:54:07 +02:00
Dmitry Belyavskiy
f911c21296 Enable sslkeylog support
Resolves: RHEL-90853
2025-05-14 11:48:09 +02:00
Dmitry Belyavskiy
4b761c8ea2 Restore RHEL9-style indicators defines
Resolves: RHEL-88906
2025-05-14 11:41:03 +02:00
Dmitry Belyavskiy
154d1831cd Expose settable params for EVP_SKEY
Resolves: RHEL-88913
2025-05-14 11:38:56 +02:00
Dmitry Belyavskiy
1934b43ef1 pkeyutl ecdsa signature with sha1 shouldn't work by default
Resolves: RHEL-88911
2025-05-14 11:36:32 +02:00
Dmitry Belyavskiy
b5cbb03855 Fix openssl speed running in FIPS mode
Resolves: RHEL-88908
2025-05-14 11:33:54 +02:00
Dmitry Belyavskiy
cad2bb93ac Update depencency on crypto-policies
Related: RHEL-80811
2025-04-17 10:59:34 +02:00
George Pantelakis
06ffd03349 plans: update the CI plan with the correct plan names 2025-04-16 16:58:23 +02:00
Dmitry Belyavskiy
296ae60f11 Rebasing OpenSSL to 3.5
Resolves: RHEL-80811
Resolves: RHEL-57022
Resolves: RHEL-24098
Resolves: RHEL-24097
Resolves: RHEL-86865
2025-04-16 10:23:19 +02:00
Dmitry Belyavskiy
fb8a97e51d Fix segfault on printing the temp key from s_client when connection is not established
Resolves: RHEL-79045
2025-02-12 14:59:33 +01:00
Dmitry Belyavskiy
f784b47db4 RFC7250 handshakes with unauthenticated servers don't abort as expected (CVE-2024-12797)
Resolves: RHEL-76754
2025-02-12 14:58:19 +01:00
Dmitry Belyavskiy
7840be76de Load system default cipher string from crypto-policies configuration file
...should ignore errors.

Related: RHEL-71132
2025-01-29 21:36:05 +01:00
Dmitry Belyavskiy
d6a9e4cbb6 Fix timing side-channel in ECDSA signature computation (CVE-2024-13176)
Resolves: RHEL-70879
2025-01-29 18:34:26 +01:00
Dmitry Belyavskiy
34e41ff200 Get rid of checking /etc/crypto-policies/back-ends/openssl.config
Resolves: RHEL-71132
2025-01-24 17:39:21 +01:00
Dmitry Belyavskiy
a4086ec177 Locally configured providers should not interfere with openssl build-time tests
Resolves: RHEL-76182
2025-01-24 17:36:21 +01:00
Dmitry Belyavskiy
e5573d1b8d Ensure correct fips.so checksum calculation
Resolves: RHEL-73170
2025-01-24 17:36:21 +01:00
Dmitry Belyavskiy
9a7c320d2c Print key exchange group for hybrid PQC
Resolves: RHEL-66163
2025-01-24 17:36:21 +01:00
Dmitry Belyavskiy
bdb28e8ff0 Fix pkcs12 command line segfault
Resolves: RHEL-70878
2025-01-24 17:36:14 +01:00
Dmitry Belyavskiy
5fae31daba - Fix providers no_cache behavior
Resolves: RHEL-71903
2025-01-24 17:34:42 +01:00
Troy Dawson
8b5d84e945 Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
2024-10-29 08:53:09 -07:00
Dmitry Belyavskiy
936c0664b3 Ship dummy(empty) openssl/engine.h
Resolves: RHEL-58178
2024-10-17 17:11:29 +02:00
Dmitry Belyavskiy
edf5bf79a4 Fix CVE-2024-6119: Possible denial of service in X.509 name checks
Resolves: RHEL-55303
2024-09-04 11:47:44 +02:00
Clemens Lang
f3cb03b52a Fix CVE-2024-5535
The first patch caused a QUIC test to fail, so backport the entire
series, which looks reasonable and adds good additional safeguards and
checks.

Resolves: RHEL-45692
Signed-off-by: Clemens Lang <cllang@redhat.com>
2024-08-21 17:09:28 +02:00
Dmitry Belyavskiy
57fda30988 Resolve SAST package scan results
Resolves: RHEL-37561
2024-08-14 19:25:12 +02:00
Dmitry Belyavskiy
fdd1e62fc4 Speedup SSL_add_{file,dir}_cert_subjects_to_stack
Resolves: RHEL-54232
2024-08-14 13:03:42 +02:00
Dmitry Belyavskiy
83382cc2a0 Enable KTLS, temporary disable KTLS tests
Related: RHEL-47335
2024-08-14 13:03:42 +02:00
Dmitry Belyavskiy
e6422e7346 Fix typo in the patch numeration
Related: RHEL-41261
2024-08-14 13:03:42 +02:00
Dmitry Belyavskiy
656cb62647 Support key encapsulation/decapsulation in openssl pkeyutl command
Resolves: RHEL-54156
2024-08-14 11:43:38 +02:00
Dmitry Belyavskiy
8fc2d48423 Use PBMAC1 by default when creating PKCS#12 files in FIPS mode
Related: RHEL-36659
2024-08-14 11:36:06 +02:00
Dmitry Belyavskiy
299b43d420 An interface to create PKCS #12 files in FIPS compliant way
Related: RHEL-36659
2024-08-09 13:27:18 +00:00
George Pantelakis
a44bf0f715 Fix the gating test names 2024-08-07 15:40:45 +02:00
Dmitry Belyavskiy
ce2e7dc60e An interface to create PKCS #12 files in FIPS compliant way
Resolves: RHEL-36659
2024-08-07 10:57:04 +02:00
Dmitry Belyavskiy
7d3d9af0c8 SHA-1 signature shouldn't work in normal mode
Resolves: RHEL-36677
2024-07-10 11:43:37 +02:00
Dmitry Belyavskiy
09b4e34fcf Disallow SHA1 at SECLEVEL2 in OpenSSL
Resolves: RHEL-39962
2024-07-10 10:50:30 +02:00
Dmitry Belyavskiy
6084652840 Do not install ENGINE headers, man pages, and define OPENSSL_NO_ENGINE
Resolves: RHEL-45704
2024-07-02 14:51:09 +02:00
George Pantelakis
68e0354892 configure basic gating on RHEL-10 2024-07-01 14:15:53 +00:00
Daiki Ueno
dfb3583fef Replace HKDF backward compatibility patch with the official one
Related: RHEL-41261
Signed-off-by: Daiki Ueno <dueno@redhat.com>
2024-07-01 09:36:26 +09:00
Troy Dawson
e82e52bbae Bump release for June 2024 mass rebuild 2024-06-24 09:06:12 -07:00
Daiki Ueno
9eb261ba85 Add workaround for EVP_PKEY_CTX_add1_hkdf_info with older providers
Resolves: RHEL-41261
Signed-off-by: Daiki Ueno <dueno@redhat.com>
2024-06-15 10:04:02 +09:00
Dmitry Belyavskiy
1d9e9ba818 Build openssl with no-atexit
Resolves: RHEL-40408
2024-06-12 13:12:26 +02:00
Dmitry Belyavskiy
3ae0078fd9 Rebase to OpenSSL 3.2.2.
Related: RHEL-31762
2024-06-05 18:56:27 +02:00