Commit Graph

556 Commits

Author SHA1 Message Date
Stephen Gallagher 167e0dd694
ELN: fix SHA1 signature patch again
The util/libcrypto.num patch did not apply cleanly.

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-02-13 10:53:54 -05:00
Dmitry Belyavskiy 194ef7464a Rebase to upstream version 3.0.8
Resolves: CVE-2022-4203
Resolves: CVE-2022-4304
Resolves: CVE-2022-4450
Resolves: CVE-2023-0215
Resolves: CVE-2023-0216
Resolves: CVE-2023-0217
Resolves: CVE-2023-0286
Resolves: CVE-2023-0401
2023-02-09 17:57:19 +01:00
Fedora Release Engineering 02d85d00af Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2023-01-19 22:58:20 +00:00
Dmitry Belyavskiy 9ce9458604 Backport implicit rejection for RSA PKCS#1 v1.5 encryption
Resolves: rhbz#2153470
2023-01-05 18:17:28 +01:00
Dmitry Belyavskiy 500ad3d300 Refactor embedded mac verification in FIPS module
Resolves: rhbz#2156045
2023-01-05 11:30:00 +01:00
Dmitry Belyavskiy 106fe8964c - Rebase to upstream version 3.0.7
Rebased to openssl-3.0.7 with corresponding minor bugfixes
- C99 compatibility in downstream-only 0032-Force-fips.patch
  Resolves: rhbz#2152504
- Adjusting include for the FIPS_mode macro
  Resolves: rhbz#2083876
2022-12-23 11:53:21 +01:00
Simo Sorce e9a0511933 Backport patches to fix external providers compatibility issues 2022-11-16 14:27:12 -05:00
Dmitry Belyavskiy f7a2c68257 CVE-2022-3602, CVE-2022-3786: X.509 Email Address Buffer Overflow
Resolves: CVE-2022-3602
Resolves: CVE-2022-3786
2022-11-01 15:54:54 +01:00
Dmitry Belyavskiy b5f6fd8216 Update patches to make ELN build happy
Resolves: rhbz#2123755
2022-09-12 11:39:39 +02:00
Clemens Lang d54aeb5a0f Fix AES-GCM on Power 8 CPUs
Our backported patch unconditionally uses assembly instructions for
Power9 and later, which triggers SIGILL on Power8 machines:

| [ 3705.137658] sshd[1703]: illegal instruction (4) at 7fff85526aac nip 7fff85526aac lr 7fff854828e0 code 1 in libcrypto.so.3.0.5[7fff85240000+300000]

Backport upstream's fix for this.

Resolves: rhbz#2124845
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-09-09 17:15:32 +02:00
Dmitry Belyavskiy 4855397272 openssl.spec is synced with RHEL
Related: rhbz#2123755
2022-09-02 16:22:10 +02:00
Dmitry Belyavskiy 89541c6ea4 We don't support explicit curves, commenting out the test
Related: rhbz#2123755
2022-09-02 16:21:43 +02:00
Dmitry Belyavskiy 080143cbc1 Sync with RHEL - applying patches
Related: rhbz#2123755
2022-09-02 16:20:26 +02:00
Stephen Gallagher 43e576feab ELN: fix SHA1 signature patch
The util/libcrypto.num patch did not apply cleanly.

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2022-08-17 13:17:58 -04:00
Stephen Gallagher 566546250b ELN: fix SHA1 signature patch
The util/libcrypto.num patch did not apply cleanly.

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2022-08-17 13:00:07 -04:00
Fedora Release Engineering d1b1996624 Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2022-07-22 02:15:17 +00:00
Clemens Lang 32908974c2 Rebase to upstream version 3.0.5
Also fixes CVE-2022-2097, which only affects i686.

Related: rhbz#2099972
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-07-07 12:36:41 +02:00
Dmitry Belyavskiy 8a03afa13c Rebasing to OpenSSL 3.0.3
Resolves: rhbz#2091987
2022-06-01 17:29:35 +02:00
Clemens Lang efdb8c60a3 Allow MD5-SHA1 in LEGACY c-p to fix TLS 1.0
Fedora supports TLS down to 1.0 in LEGACY crypto-policy, but TLS 1.0
defaults to rsa_pkcs1_md5_sha1 with RSA certificates by default.
However, MD5-SHA1 would require SECLEVEL=0, because its 67 bits of
security do not meet SECLEVEL=1's requirement of 80 bits.

Instead of setting SECLEVEL to 0 in the LEGACY crypto-policy (which
would include all algorithms, regardless of their security level), allow
MD5-SHA1 if rh-allow-sha1-signatures is yes and SECLEVEL is 1.

Related: rhbz#2069239
2022-04-27 12:24:38 +02:00
Alexander Sosedkin 8f08128432 Instrument with USDT probes related to SHA-1 deprecation 2022-04-26 19:08:09 +02:00
Clemens Lang 0eaa0014c9 Fix a FIXME in the openssl.cnf(5) manpage
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-04-20 15:47:59 +02:00
Clemens Lang 0967bb5953 ELN: Disable SHA-1 by default using CentOS patches
ELN should ideally be ahead of CentOS and RHEL with policy changes, but
due to time constraints was not. Fix that by bringing the current CentOS
9 / RHEL 9 state of SHA-1 disabling to ELN.

Due to differences in their lifecycles, Fedora's packages will stay at
allowing SHA-1 by default for now. There is a plan to gradually catch up
to the ELN state over the next few releases.

Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-04-20 15:18:07 +02:00
Clemens Lang 82a6212c47 Silence rpmlint false positives
capi.so is only useful on Windows, it does not matter that it does not
have dependency information.

The invalid URL warnings are expected for packages with hobbled source
code archives.

We explicitly allow the use of SSL_CTX_set_cipher_list in the openssl(1)
binary.

Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-04-07 18:14:35 +02:00
Clemens Lang 432cfa2baa Allow disabling of SHA1 signatures
NOTE: This patch is ported from CentOS 9 / RHEL 9, where it defaults to
denying SHA1 signatures. On Fedora, the default is – for now – to allow
SHA1 signatures.

In order to phase out SHA1 signatures, introduce a new configuration
option in the alg_section named 'rh-allow-sha1-signatures'. This option
defaults to true. If set to false, any signature creation or
verification operations that involve SHA1 as digest will fail.

This also affects TLS, where the signature_algorithms extension of any
ClientHello message sent by OpenSSL will no longer include signatures
with the SHA1 digest if rh-allow-sha1-signatures is false. For servers
that request a client certificate, the same also applies for
CertificateRequest messages sent by them.

Resolves: rhbz#2070977
Related: rhbz#2031742, rhbz#2062640
Signed-off-by: Clemens Lang <cllang@redhat.com>
2022-04-07 18:14:04 +02:00
Miro Hrončok e251b765e5 Restore Python CI tests removed when OpenSSL was updated to 3.0 2022-03-18 10:58:59 +01:00
Dmitry Belyavskiy a0bd929a42 Update to openssl 3.0.2
Related: rhbz#2064453
2022-03-18 10:41:13 +01:00
Fedora Release Engineering b9f33d724e - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2022-01-20 22:29:33 +00:00
Sahana Prasad 347681c6b2 Rebase to upstream version 3.0.0
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2021-09-09 17:27:21 +02:00
Fedora Release Engineering 5de10d4810 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2021-07-22 17:20:55 +00:00
Sahana Prasad 0f5f931f9a update to version 1.1.1k
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2021-03-26 07:37:03 +01:00
Sahana Prasad b023ffe39f Upgrade to version 1.1.1.j
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2021-03-03 15:08:11 +01:00
Sahana Prasad fb8e66a58f Fix regression in X509_verify_cert() #bz1916594
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2021-02-10 14:56:08 +01:00
Fedora Release Engineering d34c6392bf - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2021-01-26 22:36:18 +00:00
Tom Stellard c89aeae26c Add BuildRequires: make
https://fedoraproject.org/wiki/Changes/Remove_make_from_BuildRoot
2021-01-07 06:39:07 +00:00
Tomas Mraz a07706cf0e Update to the 1.1.1i release fixing CVE-2020-1971 2020-12-09 10:49:38 +01:00
Sahana Prasad 3413ff9700 Upgrade to version 1.1.1h
Signed-off-by: Sahana Prasad <sahana@redhat.com>
2020-11-09 10:41:15 +01:00
Jakub Jelen 261f10a200 Do not ship in main package manuals (or aliases) to tools from perl subpackage 2020-10-23 10:06:51 +02:00
Fedora Release Engineering 7ae2c9cd85 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2020-07-28 12:48:57 +00:00
Tom Stellard a75e581407 Use make macros
https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
2020-07-21 20:31:48 +00:00
Tomas Mraz 067d5800f2 Additional FIPS mode check for EC key generation 2020-07-20 14:51:05 +02:00
Tomas Mraz 04d5ef4d72 Further changes for SP 800-56A rev3 requirements 2020-07-17 12:41:39 +02:00
Tomas Mraz 7f27ca925c Drop long ago obsolete part of the FIPS patch 2020-06-23 15:55:16 +02:00
Tomas Mraz f023424321 Rewire FIPS_drbg API to use the RAND_DRBG 2020-06-22 13:43:12 +02:00
Tomas Mraz ef93cf994d SHA1 is allowed in @SECLEVEL=2 only if allowed by TLS SigAlgs configuration
Also some small TLS protocol fixes/changes:

Disallow dropping Extended Master Secret extension on renegotiation
Return alert from s_server if ALPN protocol does not match
2020-06-05 17:39:16 +02:00
Tomas Mraz b9c80ecf85 Add FIPS selftest for PBKDF2 and KBKDF
Also more adjustments to the FIPS DH handling
2020-06-03 16:30:12 +02:00
Tomas Mraz 9833eff277 Use the well known DH groups in TLS 2020-05-26 09:28:42 +02:00
Tomas Mraz 8746bcba4c Allow only well known DH groups in the FIPS mode 2020-05-25 18:52:45 +02:00
Adam Williamson 7396eb055e Re-apply change from -2 now we have fixed nosync to work with it 2020-05-21 13:04:18 -07:00
Adam Williamson 6e23655506 Re-apply "FIPS module installed state definition is modified"
This reverts commit 1bc9545b38 and
re-applies the previous change
"FIPS module installed state definition is modified", commit
89a24d69fc . We have updated the
builders to the newer nosync version that should work OK with
this change now, so we can try it again.
2020-05-21 13:01:54 -07:00
Adam Williamson 87eaf879ac Revert the change from -2 as it seems to cause segfaults 2020-05-19 18:35:16 -07:00