Utilities from the general purpose cryptography library with TLS implementation
bc7dfd9722
Invocations of EVP_PKEY_CTX_set_rsa_padding(RSA_PKCS1_PSS_PADDING) before setting an allowed digest with EVP_PKEY_CTX_set_signature_md() would fail with SHA-1 use in signatures disabled, because OpenSSL's internal default for the digest was SHA-1. This isn't documented in any of the manpages, hence we expect users to always call both EVP_PKEY_CTX_set_rsa_padding() and EVP_PKEY_CTX_set_signature_md(). We do not want set_rsa_padding() to fail if users set a non-SHA-1 signature algorithm after setting the padding mode, though, so change the internal default to SHA-256 if SHA-1 is disabled. Resolves: rhbz#2062640 |
||
---|---|---|
.gitignore | ||
0001-Aarch64-and-ppc64le-use-lib64.patch | ||
0002-Use-more-general-default-values-in-openssl.cnf.patch | ||
0003-Do-not-install-html-docs.patch | ||
0004-Override-default-paths-for-the-CA-directory-tree.patch | ||
0005-apps-ca-fix-md-option-help-text.patch | ||
0006-Disable-signature-verification-with-totally-unsafe-h.patch | ||
0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch | ||
0008-Add-FIPS_mode-compatibility-macro.patch | ||
0009-Add-Kernel-FIPS-mode-flag-support.patch | ||
0011-Remove-EC-curves.patch | ||
0012-Disable-explicit-ec.patch | ||
0024-load-legacy-prov.patch | ||
0025-for-tests.patch | ||
0031-tmp-Fix-test-names.patch | ||
0032-Force-fips.patch | ||
0033-FIPS-embed-hmac.patch | ||
0034.fipsinstall_disable.patch | ||
0035-speed-skip-unavailable-dgst.patch | ||
0045-FIPS-services-minimize.patch | ||
0046-FIPS-s390x-hardening.patch | ||
0047-FIPS-early-KATS.patch | ||
0048-correctly-handle-records.patch | ||
0049-Selectively-disallow-SHA1-signatures.patch | ||
0050-FIPS-enable-pkcs12-mac.patch | ||
0051-Support-different-R_BITS-lengths-for-KBKDF.patch | ||
0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch | ||
configuration-prefix.h | ||
configuration-switch.h | ||
ec_curve.c | ||
ectest.c | ||
gating.yaml | ||
genpatches | ||
hobble-openssl | ||
make-dummy-cert | ||
Makefile.certificate | ||
openssl.spec | ||
renew-dummy-cert | ||
rpminspect.yaml | ||
sources |