rpms/openssl
8
1
Fork 1
Code Issues Pull Requests Releases Activity
603 Commits 10 Branches 66 Tags 3.8 MiB
fee9e80345
Commit Graph

501 Commits

Author SHA1 Message Date
Dmitry Belyavskiy
b5f6fd8216 Update patches to make ELN build happy 
Resolves: rhbz#2123755
 2022-09-12 11:39:39 +02:00
Clemens Lang
d54aeb5a0f Fix AES-GCM on Power 8 CPUs 
Our backported patch unconditionally uses assembly instructions for
Power9 and later, which triggers SIGILL on Power8 machines:

| [ 3705.137658] sshd[1703]: illegal instruction (4) at 7fff85526aac nip 7fff85526aac lr 7fff854828e0 code 1 in libcrypto.so.3.0.5[7fff85240000+300000]

Backport upstream's fix for this.

Resolves: rhbz#2124845
Signed-off-by: Clemens Lang <cllang@redhat.com>
 2022-09-09 17:15:32 +02:00
Dmitry Belyavskiy
4855397272 openssl.spec is synced with RHEL 
Related: rhbz#2123755
 2022-09-02 16:22:10 +02:00
Fedora Release Engineering
d1b1996624 Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild 
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
 2022-07-22 02:15:17 +00:00
Clemens Lang
32908974c2 Rebase to upstream version 3.0.5 
Also fixes CVE-2022-2097, which only affects i686.

Related: rhbz#2099972
Signed-off-by: Clemens Lang <cllang@redhat.com>
 2022-07-07 12:36:41 +02:00
Dmitry Belyavskiy
8a03afa13c Rebasing to OpenSSL 3.0.3 
Resolves: rhbz#2091987
 2022-06-01 17:29:35 +02:00
Clemens Lang
efdb8c60a3 Allow MD5-SHA1 in LEGACY c-p to fix TLS 1.0 
Fedora supports TLS down to 1.0 in LEGACY crypto-policy, but TLS 1.0
defaults to rsa_pkcs1_md5_sha1 with RSA certificates by default.
However, MD5-SHA1 would require SECLEVEL=0, because its 67 bits of
security do not meet SECLEVEL=1's requirement of 80 bits.

Instead of setting SECLEVEL to 0 in the LEGACY crypto-policy (which
would include all algorithms, regardless of their security level), allow
MD5-SHA1 if rh-allow-sha1-signatures is yes and SECLEVEL is 1.

Related: rhbz#2069239
 2022-04-27 12:24:38 +02:00
Alexander Sosedkin
8f08128432 Instrument with USDT probes related to SHA-1 deprecation 2022-04-26 19:08:09 +02:00
Clemens Lang
0eaa0014c9 Fix a FIXME in the openssl.cnf(5) manpage 
Signed-off-by: Clemens Lang <cllang@redhat.com>
 2022-04-20 15:47:59 +02:00
Clemens Lang
0967bb5953 ELN: Disable SHA-1 by default using CentOS patches 
ELN should ideally be ahead of CentOS and RHEL with policy changes, but
due to time constraints was not. Fix that by bringing the current CentOS
9 / RHEL 9 state of SHA-1 disabling to ELN.

Due to differences in their lifecycles, Fedora's packages will stay at
allowing SHA-1 by default for now. There is a plan to gradually catch up
to the ELN state over the next few releases.

Signed-off-by: Clemens Lang <cllang@redhat.com>
 2022-04-20 15:18:07 +02:00
Clemens Lang
82a6212c47 Silence rpmlint false positives 
capi.so is only useful on Windows, it does not matter that it does not
have dependency information.

The invalid URL warnings are expected for packages with hobbled source
code archives.

We explicitly allow the use of SSL_CTX_set_cipher_list in the openssl(1)
binary.

Signed-off-by: Clemens Lang <cllang@redhat.com>
 2022-04-07 18:14:35 +02:00
Clemens Lang
432cfa2baa Allow disabling of SHA1 signatures 
NOTE: This patch is ported from CentOS 9 / RHEL 9, where it defaults to
denying SHA1 signatures. On Fedora, the default is – for now – to allow
SHA1 signatures.

In order to phase out SHA1 signatures, introduce a new configuration
option in the alg_section named 'rh-allow-sha1-signatures'. This option
defaults to true. If set to false, any signature creation or
verification operations that involve SHA1 as digest will fail.

This also affects TLS, where the signature_algorithms extension of any
ClientHello message sent by OpenSSL will no longer include signatures
with the SHA1 digest if rh-allow-sha1-signatures is false. For servers
that request a client certificate, the same also applies for
CertificateRequest messages sent by them.

Resolves: rhbz#2070977
Related: rhbz#2031742, rhbz#2062640
Signed-off-by: Clemens Lang <cllang@redhat.com>
 2022-04-07 18:14:04 +02:00
Dmitry Belyavskiy
a0bd929a42 Update to openssl 3.0.2 
Related: rhbz#2064453
 2022-03-18 10:41:13 +01:00
Fedora Release Engineering
b9f33d724e - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild 
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
 2022-01-20 22:29:33 +00:00
Sahana Prasad
347681c6b2 Rebase to upstream version 3.0.0 
Signed-off-by: Sahana Prasad <sahana@redhat.com>
 2021-09-09 17:27:21 +02:00
Fedora Release Engineering
5de10d4810 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild 
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
 2021-07-22 17:20:55 +00:00
Sahana Prasad
0f5f931f9a update to version 1.1.1k 
Signed-off-by: Sahana Prasad <sahana@redhat.com>
 2021-03-26 07:37:03 +01:00
Sahana Prasad
b023ffe39f Upgrade to version 1.1.1.j 
Signed-off-by: Sahana Prasad <sahana@redhat.com>
 2021-03-03 15:08:11 +01:00
Sahana Prasad
fb8e66a58f Fix regression in X509_verify_cert() #bz1916594 
Signed-off-by: Sahana Prasad <sahana@redhat.com>
 2021-02-10 14:56:08 +01:00
Fedora Release Engineering
d34c6392bf - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild 
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
 2021-01-26 22:36:18 +00:00
Tom Stellard
c89aeae26c Add BuildRequires: make 
https://fedoraproject.org/wiki/Changes/Remove_make_from_BuildRoot
 2021-01-07 06:39:07 +00:00
Tomas Mraz
a07706cf0e Update to the 1.1.1i release fixing CVE-2020-1971 2020-12-09 10:49:38 +01:00
Sahana Prasad
3413ff9700 Upgrade to version 1.1.1h 
Signed-off-by: Sahana Prasad <sahana@redhat.com>
 2020-11-09 10:41:15 +01:00
Jakub Jelen
261f10a200 Do not ship in main package manuals (or aliases) to tools from perl subpackage 2020-10-23 10:06:51 +02:00
Fedora Release Engineering
7ae2c9cd85 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild 
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
 2020-07-28 12:48:57 +00:00
Tom Stellard
a75e581407 Use make macros 
https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
 2020-07-21 20:31:48 +00:00
Tomas Mraz
067d5800f2 Additional FIPS mode check for EC key generation 2020-07-20 14:51:05 +02:00
Tomas Mraz
04d5ef4d72 Further changes for SP 800-56A rev3 requirements 2020-07-17 12:41:39 +02:00
Tomas Mraz
7f27ca925c Drop long ago obsolete part of the FIPS patch 2020-06-23 15:55:16 +02:00
Tomas Mraz
f023424321 Rewire FIPS_drbg API to use the RAND_DRBG 2020-06-22 13:43:12 +02:00
Tomas Mraz
ef93cf994d SHA1 is allowed in @SECLEVEL=2 only if allowed by TLS SigAlgs configuration 
Also some small TLS protocol fixes/changes:

Disallow dropping Extended Master Secret extension on renegotiation
Return alert from s_server if ALPN protocol does not match
 2020-06-05 17:39:16 +02:00
Tomas Mraz
b9c80ecf85 Add FIPS selftest for PBKDF2 and KBKDF 
Also more adjustments to the FIPS DH handling
 2020-06-03 16:30:12 +02:00
Tomas Mraz
9833eff277 Use the well known DH groups in TLS 2020-05-26 09:28:42 +02:00
Tomas Mraz
8746bcba4c Allow only well known DH groups in the FIPS mode 2020-05-25 18:52:45 +02:00
Adam Williamson
7396eb055e Re-apply change from -2 now we have fixed nosync to work with it 2020-05-21 13:04:18 -07:00
Adam Williamson
87eaf879ac Revert the change from -2 as it seems to cause segfaults 2020-05-19 18:35:16 -07:00
Tomas Mraz
1e6a98d9e9 pull some fixes and improvements from RHEL-8 2020-05-18 13:26:53 +02:00
Tomas Mraz
89a24d69fc FIPS module installed state definition is modified 2020-05-15 17:45:44 +02:00
Tomas Mraz
5888d1863e update to the 1.1.1g release 2020-04-23 13:47:52 +02:00
Tomas Mraz
5004ccfb25 update to the 1.1.1f release 2020-04-07 16:50:53 +02:00
Tomas Mraz
ea310218f3 revert the unexpected EOF error reporting change 
it is too disruptive for the stable release branch
 2020-03-26 15:14:08 +01:00
Tomas Mraz
c9936c55c2 Additional perl module buildrequires 2020-03-20 13:30:41 +01:00
Tomas Mraz
30d45eb047 Add BuildRequires perl(FindBin) 2020-03-20 12:44:34 +01:00
Tomas Mraz
c11b71fd2f update to the 1.1.1e release 
add selftest of the RAND_DRBG implementation
fix incorrect error return value from FIPS_selftest_dsa
 2020-03-19 17:44:25 +01:00
Tomas Mraz
b9b156fb97 apply Intel CET support patches by hjl (#1788699) 2020-02-17 11:54:47 +01:00
Fedora Release Engineering
898af7893c - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild 
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
 2020-01-29 20:25:04 +00:00
Tomas Mraz
b8a97dc1d8 allow zero length parameters in KDF_CTX_ctrl() 2019-11-21 14:49:21 +01:00
Tomas Mraz
0536b721ef backport of SSKDF from master 2019-11-14 16:13:49 +01:00
Tomas Mraz
266efa3055 backport of KBKDF and KRB5KDF from master 2019-11-13 13:43:05 +01:00
Tomas Mraz
f1c4ba61a3 Multiple fixes 
re-enable the stitched AES-CBC-SHA implementations
make AES-GCM work in FIPS mode again
enable TLS-1.2 AES-CCM ciphers in FIPS mode
fix openssl speed errors in FIPS mode
 2019-10-03 17:43:23 +02:00
Tomas Mraz
f6a62c4c2c update to the 1.1.1d release 2019-09-13 17:25:44 +02:00
Tomas Mraz
c44b3f96fe Bump release correctly 2019-09-06 17:18:46 +02:00
Tomas Mraz
45ebb7fdc2 upstream fix for status request extension non-compliance (#1737471) 2019-09-06 17:02:18 +02:00
Fedora Release Engineering
dba4c3b578 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild 
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
 2019-07-25 23:35:44 +00:00
Tomas Mraz
8419f769c7 Do not try to use EC groups disallowed in FIPS mode in TLS 
Also fix Valgrind regression with constant-time code
 2019-06-24 15:13:12 +02:00
Tomas Mraz
a71f5ae7ab add upstream patch to defer sending KeyUpdate 
(after pending writes are complete)
 2019-06-03 16:05:45 +02:00
Tomas Mraz
4784e45765 fix use of uninitialized memory 2019-05-30 11:55:39 +02:00
Tomas Mraz
31d61b19d5 update to the 1.1.1c release 2019-05-29 17:23:31 +02:00
Tomas Mraz
b3060e5f2d Another attempt at the AES-CCM regression fix 2019-05-10 16:27:24 +02:00
Tomas Mraz
22a821356e Fix two small regressions 
Change the ts application default hash to SHA256
 2019-05-10 14:35:26 +02:00
Tomas Mraz
e18dcc63f4 FIPS compliance fixes 2019-05-07 10:30:26 +02:00
Tomas Mraz
569a3cb917 add S390x chacha20-poly1305 assembler support from master branch 2019-05-06 11:07:12 +02:00
Tomas Mraz
5c7382cd79 apply new bugfixes from upstream 1.1.1 branch 2019-05-03 11:15:37 +02:00
Tomas Mraz
1aaf4073e3 fix for BIO_get_mem_ptr() regression in 1.1.1b (#1691853) 2019-04-16 12:13:00 +02:00
Tomas Mraz
7a654fc69c drop unused BuildRequires and Requires in the -devel subpackage 2019-03-27 17:00:40 +01:00
Tomas Mraz
c99b8bf7f9 fix regression in EVP_PBE_scrypt() (#1688284) 
fix incorrect help message in ca app (#1553206)
 2019-03-15 16:05:02 +01:00
Tomas Mraz
e2ea1027fe use .include = syntax in the config file 
to allow it to be parsed by 1.0.2 version (#1668916)
 2019-03-01 08:58:32 +01:00
Tomas Mraz
5cda1ca091 update to the 1.1.1b release 
EVP_KDF API backport from master
SSH KDF implementation for EVP_KDF API backport from master
 2019-02-28 17:01:40 +01:00
Fedora Release Engineering
f565dfd7ec - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild 
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
 2019-02-01 17:32:16 +00:00
Igor Gnatenko
99d68c7f43 Remove obsolete Group tag 
References: https://fedoraproject.org/wiki/Changes/Remove_Group_Tag
 2019-01-28 20:24:24 +01:00
Igor Gnatenko
5ee230264d
Remove obsolete ldconfig scriptlets 
References: https://fedoraproject.org/wiki/Changes/RemoveObsoleteScriptlets
Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
 2019-01-22 18:40:36 +01:00
Tomas Mraz
301c642c7f update to the 1.1.1a release 2019-01-15 15:07:49 +01:00
Tomas Mraz
06bb120ffb use /dev/urandom for seeding the RNG in FIPS POST 2018-11-09 15:46:42 +01:00
Tomas Mraz
68f387b1c4 fix SECLEVEL 3 support 
fix some issues found in Coverity scan
 2018-10-12 17:35:34 +02:00
Tomas Mraz
a985e4b118 Drop obsolete re-copying of headers. 2018-10-01 14:41:25 +02:00
Charalampos Stratakis
3bfe874268 Correctly invoke sed for defining OPENSSL_NO_SSL3 2018-09-27 20:49:10 +02:00
Tomas Mraz
8574fb5150 define OPENSSL_NO_SSL3 so the newly built dependencies do not 
have access to SSL3 API calls anymore
 2018-09-27 16:53:06 +02:00
Tomas Mraz
33bd389ea8 reinstate accidentally dropped patch for weak ciphersuites 2018-09-17 12:56:19 +02:00
Tomas Mraz
60efa7758e Bump release 2018-09-14 10:57:22 +02:00
Tomas Mraz
1a7b91b472 for consistent support of security policies we build 
RC4 support in TLS (not default) and allow SHA1 in SECLEVEL 2
 2018-09-14 10:56:06 +02:00
Tomas Mraz
a4bf4e1b65 update to the final 1.1.1 version 2018-09-13 09:43:22 +02:00
Tomas Mraz
90121b0c9d Multiple fixes 
do not try to initialize RNG in cleanup if it was not initialized
  before (#1624554)
use only /dev/urandom if getrandom() is not available
disable SM4
 2018-09-06 13:48:54 +02:00
Tomas Mraz
cfeae6fcb3 Two minor fixes 
fix dangling symlinks to manual pages
make SSLv3_method work
 2018-08-29 18:25:29 +02:00
Tomas Mraz
62ec0f1fa9 update to the latest 1.1.1 beta version 2018-08-22 12:41:26 +02:00
Tomas Mraz
1186311ade bidirectional shutdown fixes from upstream 2018-08-13 16:03:04 +02:00
Tomas Mraz
f7a30f9a15 do not put error on stack when using fixed protocol version 
(#1615098)
 2018-08-13 11:34:33 +02:00
Tomas Mraz
60357072e0 load crypto policy config file from the default config 2018-07-31 16:24:45 +02:00
Tomas Mraz
9189f03055 update to the latest 1.1.1 beta version 2018-07-25 18:15:19 +02:00
Fedora Release Engineering
7f74f219f1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild 
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
 2018-07-13 15:12:04 +00:00
Tomas Mraz
98bbad839c fix FIPS RSA key generation failure 2018-06-19 16:05:15 +02:00
Tomas Mraz
357b7a7e37 ppc64le is not multilib arch (#1584994) 2018-06-04 12:24:19 +02:00
Tomas Mraz
08db5cbcb9 fix regression of c_rehash (#1562953) 2018-04-03 13:03:32 +02:00
Tomas Mraz
5a93773172 fix FIPS symbol versions 2018-03-29 18:13:54 +02:00
Tomas Mraz
c6d0704d87 Add missing build dependencies. 2018-03-29 16:40:14 +02:00
Tomas Mraz
6eb8f62027 update to upstream version 1.1.0h 
Add Recommends for openssl-pkcs11
 2018-03-29 15:44:09 +02:00
Tomas Mraz
6d92af0099 one more try to apply RPM_LD_FLAGS properly (#1541033) 
dropped unneeded starttls xmpp patch (#1417017)
 2018-02-23 17:01:58 +01:00
Igor Gnatenko
e688115b6d
Remove %clean section 
None of currently supported distributions need that.
Last one was EL5 which is EOL for a while.

Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
 2018-02-14 09:56:41 +01:00
Fedora Release Engineering
3a05f1f46a - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild 
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
 2018-02-08 17:49:45 +00:00
Tomas Mraz
c11b1341c5 apply RPM_LD_FLAGS properly (#1541033) 2018-02-01 18:07:30 +01:00
Tomas Mraz
899f2baacb silence the .rnd write failure as that is auxiliary functionality (#1524833) 2018-01-11 18:08:54 +01:00