Compare commits
No commits in common. "c8" and "c8s" have entirely different histories.
48
.gitignore
vendored
48
.gitignore
vendored
@ -1 +1,47 @@
|
|||||||
SOURCES/openssl-1.1.1k-hobbled.tar.xz
|
.build*.log
|
||||||
|
clog
|
||||||
|
000*.patch
|
||||||
|
*.src.rpm
|
||||||
|
openssl-1.0.0a-usa.tar.bz2
|
||||||
|
/openssl-1.0.0b-usa.tar.bz2
|
||||||
|
/openssl-1.0.0c-usa.tar.bz2
|
||||||
|
/openssl-1.0.0d-usa.tar.bz2
|
||||||
|
/openssl-1.0.0e-usa.tar.bz2
|
||||||
|
/openssl-1.0.0f-usa.tar.bz2
|
||||||
|
/openssl-1.0.0g-usa.tar.xz
|
||||||
|
/openssl-1.0.1-beta2-usa.tar.xz
|
||||||
|
/openssl-1.0.1-beta3-usa.tar.xz
|
||||||
|
/openssl-1.0.1-usa.tar.xz
|
||||||
|
/openssl-1.0.1a-usa.tar.xz
|
||||||
|
/openssl-1.0.1b-usa.tar.xz
|
||||||
|
/openssl-1.0.1c-usa.tar.xz
|
||||||
|
/openssl-1.0.1e-usa.tar.xz
|
||||||
|
/openssl-1.0.1e-hobbled.tar.xz
|
||||||
|
/openssl-1.0.1g-hobbled.tar.xz
|
||||||
|
/openssl-1.0.1h-hobbled.tar.xz
|
||||||
|
/openssl-1.0.1i-hobbled.tar.xz
|
||||||
|
/openssl-1.0.1j-hobbled.tar.xz
|
||||||
|
/openssl-1.0.1k-hobbled.tar.xz
|
||||||
|
/openssl-1.0.2a-hobbled.tar.xz
|
||||||
|
/openssl-1.0.2c-hobbled.tar.xz
|
||||||
|
/openssl-1.0.2d-hobbled.tar.xz
|
||||||
|
/openssl-1.0.2e-hobbled.tar.xz
|
||||||
|
/openssl-1.0.2f-hobbled.tar.xz
|
||||||
|
/openssl-1.0.2g-hobbled.tar.xz
|
||||||
|
/openssl-1.0.2h-hobbled.tar.xz
|
||||||
|
/openssl-1.0.2i-hobbled.tar.xz
|
||||||
|
/openssl-1.0.2j-hobbled.tar.xz
|
||||||
|
/openssl-1.1.0b-hobbled.tar.xz
|
||||||
|
/openssl-1.1.0c-hobbled.tar.xz
|
||||||
|
/openssl-1.1.0d-hobbled.tar.xz
|
||||||
|
/openssl-1.1.0e-hobbled.tar.xz
|
||||||
|
/openssl-1.1.0f-hobbled.tar.xz
|
||||||
|
/openssl-1.1.0g-hobbled.tar.xz
|
||||||
|
/openssl-1.1.0h-hobbled.tar.xz
|
||||||
|
/openssl-1.1.1-pre8-hobbled.tar.xz
|
||||||
|
/openssl-1.1.1-pre9-hobbled.tar.xz
|
||||||
|
/openssl-1.1.1-hobbled.tar.xz
|
||||||
|
/openssl-1.1.1b-hobbled.tar.xz
|
||||||
|
/openssl-1.1.1c-hobbled.tar.xz
|
||||||
|
/openssl-1.1.1g-hobbled.tar.xz
|
||||||
|
/openssl-1.1.1k-hobbled.tar.xz
|
||||||
|
@ -1 +0,0 @@
|
|||||||
6fde639a66329f2cd9135eb192f2228f2a402c0e SOURCES/openssl-1.1.1k-hobbled.tar.xz
|
|
15
fixpatch
Executable file
15
fixpatch
Executable file
@ -0,0 +1,15 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
# Fixes patch from upstream tracker view
|
||||||
|
gawk '
|
||||||
|
BEGIN {
|
||||||
|
dir=""
|
||||||
|
}
|
||||||
|
/^Index: openssl\// {
|
||||||
|
dir = $2
|
||||||
|
}
|
||||||
|
/^(---|\+\+\+)/ {
|
||||||
|
$2 = dir
|
||||||
|
}
|
||||||
|
{
|
||||||
|
print
|
||||||
|
}'
|
9
gating.yaml
Normal file
9
gating.yaml
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
--- !Policy
|
||||||
|
product_versions:
|
||||||
|
- rhel-8
|
||||||
|
decision_context: osci_compose_gate
|
||||||
|
rules:
|
||||||
|
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
|
||||||
|
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
|
||||||
|
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.userspace-fips-mode.functional}
|
||||||
|
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation}
|
@ -1,11 +1,13 @@
|
|||||||
diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl/statem/extensions.c
|
diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl/statem/extensions.c
|
||||||
--- openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg 2021-03-25 14:28:38.000000000 +0100
|
--- openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg 2021-03-25 14:28:38.000000000 +0100
|
||||||
+++ openssl-1.1.1k/ssl/statem/extensions.c 2021-06-24 16:16:19.526181743 +0200
|
+++ openssl-1.1.1k/ssl/statem/extensions.c 2021-06-24 16:16:19.526181743 +0200
|
||||||
@@ -42,6 +42,7 @@ static int tls_parse_certificate_authori
|
@@ -42,6 +42,9 @@ static int tls_parse_certificate_authori
|
||||||
#ifndef OPENSSL_NO_SRP
|
#ifndef OPENSSL_NO_SRP
|
||||||
static int init_srp(SSL *s, unsigned int context);
|
static int init_srp(SSL *s, unsigned int context);
|
||||||
#endif
|
#endif
|
||||||
|
+#ifndef OPENSSL_NO_EC
|
||||||
+static int init_ec_point_formats(SSL *s, unsigned int context);
|
+static int init_ec_point_formats(SSL *s, unsigned int context);
|
||||||
|
+#endif
|
||||||
static int init_etm(SSL *s, unsigned int context);
|
static int init_etm(SSL *s, unsigned int context);
|
||||||
static int init_ems(SSL *s, unsigned int context);
|
static int init_ems(SSL *s, unsigned int context);
|
||||||
static int final_ems(SSL *s, unsigned int context, int sent);
|
static int final_ems(SSL *s, unsigned int context, int sent);
|
||||||
@ -18,10 +20,11 @@ diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl
|
|||||||
tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
|
tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
|
||||||
final_ec_pt_formats
|
final_ec_pt_formats
|
||||||
},
|
},
|
||||||
@@ -1164,6 +1165,15 @@ static int init_srp(SSL *s, unsigned int
|
@@ -1164,6 +1165,17 @@ static int init_srp(SSL *s, unsigned int
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
+#ifndef OPENSSL_NO_EC
|
||||||
+static int init_ec_point_formats(SSL *s, unsigned int context)
|
+static int init_ec_point_formats(SSL *s, unsigned int context)
|
||||||
+{
|
+{
|
||||||
+ OPENSSL_free(s->ext.peer_ecpointformats);
|
+ OPENSSL_free(s->ext.peer_ecpointformats);
|
||||||
@ -30,6 +33,7 @@ diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl
|
|||||||
+
|
+
|
||||||
+ return 1;
|
+ return 1;
|
||||||
+}
|
+}
|
||||||
|
+#endif
|
||||||
+
|
+
|
||||||
static int init_etm(SSL *s, unsigned int context)
|
static int init_etm(SSL *s, unsigned int context)
|
||||||
{
|
{
|
14
openssl-1.1.1-ignore-bound.patch
Normal file
14
openssl-1.1.1-ignore-bound.patch
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
Do not return failure when setting version bound on fixed protocol
|
||||||
|
version method.
|
||||||
|
diff -up openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound openssl-1.1.1-pre8/ssl/statem/statem_lib.c
|
||||||
|
--- openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound 2018-06-20 16:48:13.000000000 +0200
|
||||||
|
+++ openssl-1.1.1-pre8/ssl/statem/statem_lib.c 2018-08-13 11:07:52.826304045 +0200
|
||||||
|
@@ -1595,7 +1595,7 @@ int ssl_set_version_bound(int method_ver
|
||||||
|
* methods are not subject to controls that disable individual protocol
|
||||||
|
* versions.
|
||||||
|
*/
|
||||||
|
- return 0;
|
||||||
|
+ return 1;
|
||||||
|
|
||||||
|
case TLS_ANY_VERSION:
|
||||||
|
if (version < SSL3_VERSION || version > TLS_MAX_VERSION)
|
@ -22,7 +22,7 @@
|
|||||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 1.1.1k
|
Version: 1.1.1k
|
||||||
Release: 14%{?dist}
|
Release: 13%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
# We have to remove certain patented algorithms from the openssl source
|
# We have to remove certain patented algorithms from the openssl source
|
||||||
# tarball with the hobble-openssl script which is included below.
|
# tarball with the hobble-openssl script which is included below.
|
||||||
@ -99,7 +99,7 @@ Patch107: openssl-1.1.1-cve-2023-5678.patch
|
|||||||
# Backport from OpenSSL 3.2/RHEL 9
|
# Backport from OpenSSL 3.2/RHEL 9
|
||||||
# Proper fix for CVE-2020-25659
|
# Proper fix for CVE-2020-25659
|
||||||
Patch108: openssl-1.1.1-pkcs1-implicit-rejection.patch
|
Patch108: openssl-1.1.1-pkcs1-implicit-rejection.patch
|
||||||
# Backport from OpenSSL 3.2
|
# Backport from OpenSSL 3.0
|
||||||
# Fix for CVE-2024-5535
|
# Fix for CVE-2024-5535
|
||||||
Patch109: openssl-1.1.1-fix-ssl-select-next-proto.patch
|
Patch109: openssl-1.1.1-fix-ssl-select-next-proto.patch
|
||||||
|
|
||||||
@ -519,52 +519,54 @@ export LD_LIBRARY_PATH
|
|||||||
%postun libs -p /sbin/ldconfig
|
%postun libs -p /sbin/ldconfig
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Tue Sep 17 2024 Maurizio Barbaro <mbarbaro@redhat.com> - 1:1.1.1k-14
|
* Mon Sep 16 2024 Maurizio Barbaro <mbarbaro@redhat.com> - 1:1.1.1k-13
|
||||||
- Backport fix SSL_select_next proto from OpenSSL 3.2
|
- Backport fix SSL_select_next proto from OpenSSL 3.2
|
||||||
Fix CVE-2024-5535
|
Fix CVE-2024-5535
|
||||||
Resolves: RHEL-45654
|
Resolves: RHEL-45654
|
||||||
|
|
||||||
* Thu Nov 30 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-12
|
* Thu Nov 30 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-12
|
||||||
- Backport implicit rejection mechanism for RSA PKCS#1 v1.5 to RHEL-8 series
|
- Backport implicit rejection mechanism for RSA PKCS#1 v1.5 to RHEL-8 series
|
||||||
(a proper fix for CVE-2020-25659)
|
(a proper fix for CVE-2020-25659)
|
||||||
Resolves: RHEL-17694
|
Resolves: RHEL-17696
|
||||||
|
|
||||||
* Wed Nov 15 2023 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-11
|
* Wed Nov 15 2023 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-11
|
||||||
- Fix CVE-2023-5678: Generating excessively long X9.42 DH keys or checking
|
- Fix CVE-2023-5678: Generating excessively long X9.42 DH keys or checking
|
||||||
excessively long X9.42 DH keys or parameters may be very slow
|
excessively long X9.42 DH keys or parameters may be very slow
|
||||||
Resolves: RHEL-16536
|
Resolves: RHEL-16538
|
||||||
|
|
||||||
* Thu Oct 19 2023 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-10
|
* Thu Oct 19 2023 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-10
|
||||||
- Fix CVE-2023-3446: Excessive time spent checking DH keys and parameters
|
- Fix CVE-2023-3446: Excessive time spent checking DH keys and parameters
|
||||||
Resolves: RHEL-14243
|
Resolves: RHEL-14245
|
||||||
- Fix CVE-2023-3817: Excessive time spent checking DH q parameter value
|
- Fix CVE-2023-3817: Excessive time spent checking DH q parameter value
|
||||||
Resolves: RHEL-14237
|
Resolves: RHEL-14239
|
||||||
|
|
||||||
* Thu May 04 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-9
|
* Wed Feb 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-9
|
||||||
- Fixed Timing Oracle in RSA Decryption
|
- Fixed Timing Oracle in RSA Decryption
|
||||||
Resolves: CVE-2022-4304
|
Resolves: CVE-2022-4304
|
||||||
- Fixed Double free after calling PEM_read_bio_ex
|
- Fixed Double free after calling PEM_read_bio_ex
|
||||||
Resolves: CVE-2022-4450
|
Resolves: CVE-2022-4450
|
||||||
- Fixed Use-after-free following BIO_new_NDEF
|
- Fixed Use-after-free following BIO_new_NDEF
|
||||||
Resolves: CVE-2023-0215
|
Resolves: CVE-2023-0215
|
||||||
|
|
||||||
* Wed Feb 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-8
|
|
||||||
- Fixed X.400 address type confusion in X.509 GeneralName
|
- Fixed X.400 address type confusion in X.509 GeneralName
|
||||||
Resolves: CVE-2023-0286
|
Resolves: CVE-2023-0286
|
||||||
|
|
||||||
|
* Thu Jul 21 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-8
|
||||||
|
- Fix no-ec build
|
||||||
|
Resolves: rhbz#2071020
|
||||||
|
|
||||||
* Tue Jul 05 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-7
|
* Tue Jul 05 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-7
|
||||||
- Fix CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86
|
- Fix CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86
|
||||||
Resolves: CVE-2022-2097
|
Resolves: CVE-2022-2097
|
||||||
- Update expired certificates used in the testsuite
|
- Update expired certificates used in the testsuite
|
||||||
Resolves: rhbz#2100554
|
Resolves: rhbz#2092462
|
||||||
- Fix CVE-2022-1292: openssl: c_rehash script allows command injection
|
- Fix CVE-2022-1292: openssl: c_rehash script allows command injection
|
||||||
Resolves: rhbz#2090371
|
Resolves: rhbz#2090372
|
||||||
- Fix CVE-2022-2068: the c_rehash script allows command injection
|
- Fix CVE-2022-2068: the c_rehash script allows command injection
|
||||||
Resolves: rhbz#2098278
|
Resolves: rhbz#2098279
|
||||||
|
|
||||||
* Wed Mar 23 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-6
|
* Wed Mar 23 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-6
|
||||||
- Fixes CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
|
- Fixes CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
|
||||||
- Resolves: rhbz#2067145
|
- Resolves: rhbz#2067146
|
||||||
|
|
||||||
* Tue Nov 16 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-5
|
* Tue Nov 16 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-5
|
||||||
- Fixes CVE-2021-3712 openssl: Read buffer overruns processing ASN.1 strings
|
- Fixes CVE-2021-3712 openssl: Read buffer overruns processing ASN.1 strings
|
1
sources
Normal file
1
sources
Normal file
@ -0,0 +1 @@
|
|||||||
|
SHA512 (openssl-1.1.1k-hobbled.tar.xz) = dd48b6200bcda1938c362888789bf0dbac7dbcc80b15a32794e25f6cbe8f727b6f8d1302a2bc43708da79124db9e5a5d27446ec1c91cf1e270aba1d8664d65d8
|
63
tests/simple-rsapss-test/Makefile
Normal file
63
tests/simple-rsapss-test/Makefile
Normal file
@ -0,0 +1,63 @@
|
|||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of /CoreOS/openssl/Sanity/simple-rsapss-test
|
||||||
|
# Description: Test if RSA-PSS signature scheme is supported
|
||||||
|
# Author: Hubert Kario <hkario@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=/CoreOS/openssl/Sanity/simple-rsapss-test
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
test -x runtest.sh || chmod a+x runtest.sh
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
|
||||||
|
-include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: Hubert Kario <hkario@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: Test if RSA-PSS signature scheme is supported" >> $(METADATA)
|
||||||
|
@echo "Type: Sanity" >> $(METADATA)
|
||||||
|
@echo "TestTime: 1m" >> $(METADATA)
|
||||||
|
@echo "RunFor: openssl" >> $(METADATA)
|
||||||
|
@echo "Requires: openssl man man-db" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
|
3
tests/simple-rsapss-test/PURPOSE
Normal file
3
tests/simple-rsapss-test/PURPOSE
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
PURPOSE of /CoreOS/openssl/Sanity/simple-rsapss-test
|
||||||
|
Description: Test if RSA-PSS signature scheme is supported
|
||||||
|
Author: Hubert Kario <hkario@redhat.com>
|
74
tests/simple-rsapss-test/runtest.sh
Executable file
74
tests/simple-rsapss-test/runtest.sh
Executable file
@ -0,0 +1,74 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# runtest.sh of /CoreOS/openssl/Sanity/simple-rsapss-test
|
||||||
|
# Description: Test if RSA-PSS signature scheme is supported
|
||||||
|
# Author: Hubert Kario <hkario@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
# Include Beaker environment
|
||||||
|
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||||
|
|
||||||
|
PACKAGE="openssl"
|
||||||
|
|
||||||
|
PUB_KEY="rsa_pubkey.pem"
|
||||||
|
PRIV_KEY="rsa_key.pem"
|
||||||
|
FILE="text.txt"
|
||||||
|
SIG="text.sig"
|
||||||
|
|
||||||
|
rlJournalStart
|
||||||
|
rlPhaseStartSetup
|
||||||
|
rlAssertRpm $PACKAGE
|
||||||
|
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
||||||
|
rlRun "pushd $TmpDir"
|
||||||
|
rlRun "openssl genrsa -out $PRIV_KEY 2048" 0 "Generate RSA key"
|
||||||
|
rlRun "openssl rsa -in $PRIV_KEY -out $PUB_KEY -pubout" 0 "Split the public key from private key"
|
||||||
|
rlRun "echo 'sign me!' > $FILE" 0 "Create file for signing"
|
||||||
|
rlAssertExists $FILE
|
||||||
|
rlAssertExists $PRIV_KEY
|
||||||
|
rlAssertExists $PUB_KEY
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest "Test RSA-PSS padding mode"
|
||||||
|
set -o pipefail
|
||||||
|
rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 -out $SIG -sign $PRIV_KEY $FILE" 0 "Sign the file"
|
||||||
|
rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 -prverify $PRIV_KEY -signature $SIG $FILE | grep 'Verified OK'" 0 "Verify the signature using the private key file"
|
||||||
|
rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 -verify $PUB_KEY -signature $SIG $FILE | grep 'Verified OK'" 0 "Verify the signature using public key file"
|
||||||
|
rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -prverify $PRIV_KEY -signature $SIG $FILE | grep 'Verified OK'" 0 "Verify the signature using the private key file without specifying salt length"
|
||||||
|
rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -verify $PUB_KEY -signature $SIG $FILE | grep 'Verified OK'" 0 "Verify the signature using public key file without specifying salt length"
|
||||||
|
set +o pipefail
|
||||||
|
rlRun "sed -i 's/sign/Sign/' $FILE" 0 "Modify signed file"
|
||||||
|
rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -verify $PUB_KEY -signature $SIG $FILE | grep 'Verification Failure'" 0 "Verify that the signature is no longer valid"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest "Documentation check"
|
||||||
|
[ -e "$(rpm -ql openssl | grep dgst)"] && rlRun "man dgst | col -b | grep -- -sigopt" 0 "Check if -sigopt option is described in man page"
|
||||||
|
rlRun "openssl dgst -help 2>&1 | grep -- -sigopt" 0 "Check if -sigopt option is present in help message"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartCleanup
|
||||||
|
rlRun "popd"
|
||||||
|
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
||||||
|
rlPhaseEnd
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd
|
15
tests/tests.yml
Normal file
15
tests/tests.yml
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
---
|
||||||
|
# This first play always runs on the local staging system
|
||||||
|
- hosts: localhost
|
||||||
|
roles:
|
||||||
|
- role: standard-test-beakerlib
|
||||||
|
tags:
|
||||||
|
- classic
|
||||||
|
- container
|
||||||
|
tests:
|
||||||
|
- simple-rsapss-test
|
||||||
|
required_packages:
|
||||||
|
- findutils # beakerlib needs find command
|
||||||
|
- man # needed by simple-rsapss-test
|
||||||
|
- man-db # needed by simple-rsapss-test
|
||||||
|
- openssl # needed by simple-rsapss-test
|
Loading…
Reference in New Issue
Block a user