Compare commits
No commits in common. "c8s" and "c8" have entirely different histories.
48
.gitignore
vendored
48
.gitignore
vendored
@ -1,47 +1 @@
|
||||
.build*.log
|
||||
clog
|
||||
000*.patch
|
||||
*.src.rpm
|
||||
openssl-1.0.0a-usa.tar.bz2
|
||||
/openssl-1.0.0b-usa.tar.bz2
|
||||
/openssl-1.0.0c-usa.tar.bz2
|
||||
/openssl-1.0.0d-usa.tar.bz2
|
||||
/openssl-1.0.0e-usa.tar.bz2
|
||||
/openssl-1.0.0f-usa.tar.bz2
|
||||
/openssl-1.0.0g-usa.tar.xz
|
||||
/openssl-1.0.1-beta2-usa.tar.xz
|
||||
/openssl-1.0.1-beta3-usa.tar.xz
|
||||
/openssl-1.0.1-usa.tar.xz
|
||||
/openssl-1.0.1a-usa.tar.xz
|
||||
/openssl-1.0.1b-usa.tar.xz
|
||||
/openssl-1.0.1c-usa.tar.xz
|
||||
/openssl-1.0.1e-usa.tar.xz
|
||||
/openssl-1.0.1e-hobbled.tar.xz
|
||||
/openssl-1.0.1g-hobbled.tar.xz
|
||||
/openssl-1.0.1h-hobbled.tar.xz
|
||||
/openssl-1.0.1i-hobbled.tar.xz
|
||||
/openssl-1.0.1j-hobbled.tar.xz
|
||||
/openssl-1.0.1k-hobbled.tar.xz
|
||||
/openssl-1.0.2a-hobbled.tar.xz
|
||||
/openssl-1.0.2c-hobbled.tar.xz
|
||||
/openssl-1.0.2d-hobbled.tar.xz
|
||||
/openssl-1.0.2e-hobbled.tar.xz
|
||||
/openssl-1.0.2f-hobbled.tar.xz
|
||||
/openssl-1.0.2g-hobbled.tar.xz
|
||||
/openssl-1.0.2h-hobbled.tar.xz
|
||||
/openssl-1.0.2i-hobbled.tar.xz
|
||||
/openssl-1.0.2j-hobbled.tar.xz
|
||||
/openssl-1.1.0b-hobbled.tar.xz
|
||||
/openssl-1.1.0c-hobbled.tar.xz
|
||||
/openssl-1.1.0d-hobbled.tar.xz
|
||||
/openssl-1.1.0e-hobbled.tar.xz
|
||||
/openssl-1.1.0f-hobbled.tar.xz
|
||||
/openssl-1.1.0g-hobbled.tar.xz
|
||||
/openssl-1.1.0h-hobbled.tar.xz
|
||||
/openssl-1.1.1-pre8-hobbled.tar.xz
|
||||
/openssl-1.1.1-pre9-hobbled.tar.xz
|
||||
/openssl-1.1.1-hobbled.tar.xz
|
||||
/openssl-1.1.1b-hobbled.tar.xz
|
||||
/openssl-1.1.1c-hobbled.tar.xz
|
||||
/openssl-1.1.1g-hobbled.tar.xz
|
||||
/openssl-1.1.1k-hobbled.tar.xz
|
||||
SOURCES/openssl-1.1.1k-hobbled.tar.xz
|
||||
|
1
.openssl.metadata
Normal file
1
.openssl.metadata
Normal file
@ -0,0 +1 @@
|
||||
6fde639a66329f2cd9135eb192f2228f2a402c0e SOURCES/openssl-1.1.1k-hobbled.tar.xz
|
@ -1,13 +1,11 @@
|
||||
diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl/statem/extensions.c
|
||||
--- openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg 2021-03-25 14:28:38.000000000 +0100
|
||||
+++ openssl-1.1.1k/ssl/statem/extensions.c 2021-06-24 16:16:19.526181743 +0200
|
||||
@@ -42,6 +42,9 @@ static int tls_parse_certificate_authori
|
||||
@@ -42,6 +42,7 @@ static int tls_parse_certificate_authori
|
||||
#ifndef OPENSSL_NO_SRP
|
||||
static int init_srp(SSL *s, unsigned int context);
|
||||
#endif
|
||||
+#ifndef OPENSSL_NO_EC
|
||||
+static int init_ec_point_formats(SSL *s, unsigned int context);
|
||||
+#endif
|
||||
static int init_etm(SSL *s, unsigned int context);
|
||||
static int init_ems(SSL *s, unsigned int context);
|
||||
static int final_ems(SSL *s, unsigned int context, int sent);
|
||||
@ -20,11 +18,10 @@ diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl
|
||||
tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
|
||||
final_ec_pt_formats
|
||||
},
|
||||
@@ -1164,6 +1165,17 @@ static int init_srp(SSL *s, unsigned int
|
||||
@@ -1164,6 +1165,15 @@ static int init_srp(SSL *s, unsigned int
|
||||
}
|
||||
#endif
|
||||
|
||||
+#ifndef OPENSSL_NO_EC
|
||||
+static int init_ec_point_formats(SSL *s, unsigned int context)
|
||||
+{
|
||||
+ OPENSSL_free(s->ext.peer_ecpointformats);
|
||||
@ -33,7 +30,6 @@ diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl
|
||||
+
|
||||
+ return 1;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
static int init_etm(SSL *s, unsigned int context)
|
||||
{
|
@ -22,7 +22,7 @@
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 1.1.1k
|
||||
Release: 13%{?dist}
|
||||
Release: 14%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
@ -99,7 +99,7 @@ Patch107: openssl-1.1.1-cve-2023-5678.patch
|
||||
# Backport from OpenSSL 3.2/RHEL 9
|
||||
# Proper fix for CVE-2020-25659
|
||||
Patch108: openssl-1.1.1-pkcs1-implicit-rejection.patch
|
||||
# Backport from OpenSSL 3.0
|
||||
# Backport from OpenSSL 3.2
|
||||
# Fix for CVE-2024-5535
|
||||
Patch109: openssl-1.1.1-fix-ssl-select-next-proto.patch
|
||||
|
||||
@ -519,7 +519,7 @@ export LD_LIBRARY_PATH
|
||||
%postun libs -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Mon Sep 16 2024 Maurizio Barbaro <mbarbaro@redhat.com> - 1:1.1.1k-13
|
||||
* Tue Sep 17 2024 Maurizio Barbaro <mbarbaro@redhat.com> - 1:1.1.1k-14
|
||||
- Backport fix SSL_select_next proto from OpenSSL 3.2
|
||||
Fix CVE-2024-5535
|
||||
Resolves: RHEL-45654
|
||||
@ -527,46 +527,44 @@ export LD_LIBRARY_PATH
|
||||
* Thu Nov 30 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-12
|
||||
- Backport implicit rejection mechanism for RSA PKCS#1 v1.5 to RHEL-8 series
|
||||
(a proper fix for CVE-2020-25659)
|
||||
Resolves: RHEL-17696
|
||||
Resolves: RHEL-17694
|
||||
|
||||
* Wed Nov 15 2023 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-11
|
||||
- Fix CVE-2023-5678: Generating excessively long X9.42 DH keys or checking
|
||||
excessively long X9.42 DH keys or parameters may be very slow
|
||||
Resolves: RHEL-16538
|
||||
Resolves: RHEL-16536
|
||||
|
||||
* Thu Oct 19 2023 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-10
|
||||
- Fix CVE-2023-3446: Excessive time spent checking DH keys and parameters
|
||||
Resolves: RHEL-14245
|
||||
Resolves: RHEL-14243
|
||||
- Fix CVE-2023-3817: Excessive time spent checking DH q parameter value
|
||||
Resolves: RHEL-14239
|
||||
Resolves: RHEL-14237
|
||||
|
||||
* Wed Feb 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-9
|
||||
* Thu May 04 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-9
|
||||
- Fixed Timing Oracle in RSA Decryption
|
||||
Resolves: CVE-2022-4304
|
||||
- Fixed Double free after calling PEM_read_bio_ex
|
||||
Resolves: CVE-2022-4450
|
||||
- Fixed Use-after-free following BIO_new_NDEF
|
||||
Resolves: CVE-2023-0215
|
||||
|
||||
* Wed Feb 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-8
|
||||
- Fixed X.400 address type confusion in X.509 GeneralName
|
||||
Resolves: CVE-2023-0286
|
||||
|
||||
* Thu Jul 21 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-8
|
||||
- Fix no-ec build
|
||||
Resolves: rhbz#2071020
|
||||
|
||||
* Tue Jul 05 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-7
|
||||
- Fix CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86
|
||||
Resolves: CVE-2022-2097
|
||||
- Update expired certificates used in the testsuite
|
||||
Resolves: rhbz#2092462
|
||||
Resolves: rhbz#2100554
|
||||
- Fix CVE-2022-1292: openssl: c_rehash script allows command injection
|
||||
Resolves: rhbz#2090372
|
||||
Resolves: rhbz#2090371
|
||||
- Fix CVE-2022-2068: the c_rehash script allows command injection
|
||||
Resolves: rhbz#2098279
|
||||
Resolves: rhbz#2098278
|
||||
|
||||
* Wed Mar 23 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-6
|
||||
- Fixes CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
|
||||
- Resolves: rhbz#2067146
|
||||
- Resolves: rhbz#2067145
|
||||
|
||||
* Tue Nov 16 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-5
|
||||
- Fixes CVE-2021-3712 openssl: Read buffer overruns processing ASN.1 strings
|
15
fixpatch
15
fixpatch
@ -1,15 +0,0 @@
|
||||
#!/bin/sh
|
||||
# Fixes patch from upstream tracker view
|
||||
gawk '
|
||||
BEGIN {
|
||||
dir=""
|
||||
}
|
||||
/^Index: openssl\// {
|
||||
dir = $2
|
||||
}
|
||||
/^(---|\+\+\+)/ {
|
||||
$2 = dir
|
||||
}
|
||||
{
|
||||
print
|
||||
}'
|
@ -1,9 +0,0 @@
|
||||
--- !Policy
|
||||
product_versions:
|
||||
- rhel-8
|
||||
decision_context: osci_compose_gate
|
||||
rules:
|
||||
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
|
||||
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
|
||||
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.userspace-fips-mode.functional}
|
||||
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation}
|
@ -1,14 +0,0 @@
|
||||
Do not return failure when setting version bound on fixed protocol
|
||||
version method.
|
||||
diff -up openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound openssl-1.1.1-pre8/ssl/statem/statem_lib.c
|
||||
--- openssl-1.1.1-pre8/ssl/statem/statem_lib.c.ignore-bound 2018-06-20 16:48:13.000000000 +0200
|
||||
+++ openssl-1.1.1-pre8/ssl/statem/statem_lib.c 2018-08-13 11:07:52.826304045 +0200
|
||||
@@ -1595,7 +1595,7 @@ int ssl_set_version_bound(int method_ver
|
||||
* methods are not subject to controls that disable individual protocol
|
||||
* versions.
|
||||
*/
|
||||
- return 0;
|
||||
+ return 1;
|
||||
|
||||
case TLS_ANY_VERSION:
|
||||
if (version < SSL3_VERSION || version > TLS_MAX_VERSION)
|
1
sources
1
sources
@ -1 +0,0 @@
|
||||
SHA512 (openssl-1.1.1k-hobbled.tar.xz) = dd48b6200bcda1938c362888789bf0dbac7dbcc80b15a32794e25f6cbe8f727b6f8d1302a2bc43708da79124db9e5a5d27446ec1c91cf1e270aba1d8664d65d8
|
@ -1,63 +0,0 @@
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Makefile of /CoreOS/openssl/Sanity/simple-rsapss-test
|
||||
# Description: Test if RSA-PSS signature scheme is supported
|
||||
# Author: Hubert Kario <hkario@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
export TEST=/CoreOS/openssl/Sanity/simple-rsapss-test
|
||||
export TESTVERSION=1.0
|
||||
|
||||
BUILT_FILES=
|
||||
|
||||
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||
|
||||
.PHONY: all install download clean
|
||||
|
||||
run: $(FILES) build
|
||||
./runtest.sh
|
||||
|
||||
build: $(BUILT_FILES)
|
||||
test -x runtest.sh || chmod a+x runtest.sh
|
||||
|
||||
clean:
|
||||
rm -f *~ $(BUILT_FILES)
|
||||
|
||||
|
||||
-include /usr/share/rhts/lib/rhts-make.include
|
||||
|
||||
$(METADATA): Makefile
|
||||
@echo "Owner: Hubert Kario <hkario@redhat.com>" > $(METADATA)
|
||||
@echo "Name: $(TEST)" >> $(METADATA)
|
||||
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||
@echo "Description: Test if RSA-PSS signature scheme is supported" >> $(METADATA)
|
||||
@echo "Type: Sanity" >> $(METADATA)
|
||||
@echo "TestTime: 1m" >> $(METADATA)
|
||||
@echo "RunFor: openssl" >> $(METADATA)
|
||||
@echo "Requires: openssl man man-db" >> $(METADATA)
|
||||
@echo "Priority: Normal" >> $(METADATA)
|
||||
@echo "License: GPLv2" >> $(METADATA)
|
||||
@echo "Confidential: no" >> $(METADATA)
|
||||
@echo "Destructive: no" >> $(METADATA)
|
||||
|
||||
rhts-lint $(METADATA)
|
@ -1,3 +0,0 @@
|
||||
PURPOSE of /CoreOS/openssl/Sanity/simple-rsapss-test
|
||||
Description: Test if RSA-PSS signature scheme is supported
|
||||
Author: Hubert Kario <hkario@redhat.com>
|
@ -1,74 +0,0 @@
|
||||
#!/bin/bash
|
||||
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# runtest.sh of /CoreOS/openssl/Sanity/simple-rsapss-test
|
||||
# Description: Test if RSA-PSS signature scheme is supported
|
||||
# Author: Hubert Kario <hkario@redhat.com>
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
|
||||
#
|
||||
# This copyrighted material is made available to anyone wishing
|
||||
# to use, modify, copy, or redistribute it subject to the terms
|
||||
# and conditions of the GNU General Public License version 2.
|
||||
#
|
||||
# This program is distributed in the hope that it will be
|
||||
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
# PURPOSE. See the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public
|
||||
# License along with this program; if not, write to the Free
|
||||
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
# Boston, MA 02110-1301, USA.
|
||||
#
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
# Include Beaker environment
|
||||
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||
|
||||
PACKAGE="openssl"
|
||||
|
||||
PUB_KEY="rsa_pubkey.pem"
|
||||
PRIV_KEY="rsa_key.pem"
|
||||
FILE="text.txt"
|
||||
SIG="text.sig"
|
||||
|
||||
rlJournalStart
|
||||
rlPhaseStartSetup
|
||||
rlAssertRpm $PACKAGE
|
||||
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
||||
rlRun "pushd $TmpDir"
|
||||
rlRun "openssl genrsa -out $PRIV_KEY 2048" 0 "Generate RSA key"
|
||||
rlRun "openssl rsa -in $PRIV_KEY -out $PUB_KEY -pubout" 0 "Split the public key from private key"
|
||||
rlRun "echo 'sign me!' > $FILE" 0 "Create file for signing"
|
||||
rlAssertExists $FILE
|
||||
rlAssertExists $PRIV_KEY
|
||||
rlAssertExists $PUB_KEY
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Test RSA-PSS padding mode"
|
||||
set -o pipefail
|
||||
rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 -out $SIG -sign $PRIV_KEY $FILE" 0 "Sign the file"
|
||||
rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 -prverify $PRIV_KEY -signature $SIG $FILE | grep 'Verified OK'" 0 "Verify the signature using the private key file"
|
||||
rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:32 -verify $PUB_KEY -signature $SIG $FILE | grep 'Verified OK'" 0 "Verify the signature using public key file"
|
||||
rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -prverify $PRIV_KEY -signature $SIG $FILE | grep 'Verified OK'" 0 "Verify the signature using the private key file without specifying salt length"
|
||||
rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -verify $PUB_KEY -signature $SIG $FILE | grep 'Verified OK'" 0 "Verify the signature using public key file without specifying salt length"
|
||||
set +o pipefail
|
||||
rlRun "sed -i 's/sign/Sign/' $FILE" 0 "Modify signed file"
|
||||
rlRun "openssl dgst -sha256 -sigopt rsa_padding_mode:pss -verify $PUB_KEY -signature $SIG $FILE | grep 'Verification Failure'" 0 "Verify that the signature is no longer valid"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartTest "Documentation check"
|
||||
[ -e "$(rpm -ql openssl | grep dgst)"] && rlRun "man dgst | col -b | grep -- -sigopt" 0 "Check if -sigopt option is described in man page"
|
||||
rlRun "openssl dgst -help 2>&1 | grep -- -sigopt" 0 "Check if -sigopt option is present in help message"
|
||||
rlPhaseEnd
|
||||
|
||||
rlPhaseStartCleanup
|
||||
rlRun "popd"
|
||||
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
||||
rlPhaseEnd
|
||||
rlJournalPrintText
|
||||
rlJournalEnd
|
@ -1,15 +0,0 @@
|
||||
---
|
||||
# This first play always runs on the local staging system
|
||||
- hosts: localhost
|
||||
roles:
|
||||
- role: standard-test-beakerlib
|
||||
tags:
|
||||
- classic
|
||||
- container
|
||||
tests:
|
||||
- simple-rsapss-test
|
||||
required_packages:
|
||||
- findutils # beakerlib needs find command
|
||||
- man # needed by simple-rsapss-test
|
||||
- man-db # needed by simple-rsapss-test
|
||||
- openssl # needed by simple-rsapss-test
|
Loading…
Reference in New Issue
Block a user