rpms/openssl
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
396 Commits 35 Branches 198 Tags 8.3 MiB
c7fc8d6daa
Commit Graph

330 Commits

Author SHA1 Message Date
Tomas Mraz
a577400ed8 drop RSA X9.31 from RSA FIPS selftests 
- add Power 8 optimalizations
 2014-08-13 20:03:17 +02:00
Tomas Mraz
a78828f786 new upstream release fixing multiple moderate security issues 
- for now disable only SSLv2 by default
 2014-08-07 16:00:47 +02:00
Tom Callaway
6c0bfa087d fix license handling 2014-07-18 19:31:16 -04:00
Tomas Mraz
6466466115 disable SSLv2 and SSLv3 protocols by default 
(can be enabled via appropriate SSL_CTX_clear_options() call)
 2014-06-30 14:21:11 +02:00
Tomas Mraz
f550490681 use system profile for default cipher list 2014-06-11 15:07:06 +02:00
Tomas Mraz
a98d99a503 fix CVE-2014-0224 fix that broke EAP-FAST session resumption support 
- make FIPS mode keygen bit length restriction enforced only when
  OPENSSL_ENFORCE_MODULUS_BITS is set
 2014-06-10 16:38:56 +02:00
Dennis Gilmore
0a491cd9f2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild 2014-06-07 12:02:05 -05:00
Tomas Mraz
360a4bb67c new upstream release 1.0.1h 2014-06-05 15:05:17 +02:00
Peter Robinson
b5f54ff916 Drop obsolete and irrelevant docs, Move devel docs to appropriate package, they're all rather large and of little use for all but historical reference 2014-05-31 22:49:33 +01:00
Tomas Mraz
0376d8368c new upstream release 1.0.1g 
- do not include ECC ciphersuites in SSLv2 client hello (#1090952)
- fail on hmac integrity check if the .hmac file is empty
 2014-05-07 11:42:32 +02:00
Dennis Gilmore
e55cd2c0e4 pull in upstream patch for CVE-2014-0160 
- removed CHANGES file portion from patch for expediency
 2014-04-07 19:20:31 -05:00
Tomas Mraz
239d122765 add support for ppc64le architecture (#1072633) 2014-04-03 16:24:35 +02:00
Tomas Mraz
477d4a1758 properly detect encryption failure in BIO 
- use 2048 bit RSA key in FIPS selftests
 2014-03-17 17:22:08 +01:00
Tomas Mraz
423ab177c8 use the key length from configuration file if req -newkey rsa is invoked 2014-02-14 16:24:31 +01:00
Tomas Mraz
a9591c7f1f Add macro for performance build on certain arches. 2014-02-12 16:58:49 +01:00
Tomas Mraz
24632bb1db print ephemeral key size negotiated in TLS handshake (#1057715) 
- add DH_compute_key_padded needed for FIPS CAVS testing
 2014-02-12 16:20:03 +01:00
Tomas Mraz
abe62302b2 make expiration and key length changeable by DAYS and KEYLEN 
variables in the certificate Makefile (#1058108)
- change default hash to sha256 (#1062325)
 2014-02-06 18:07:59 +01:00
Tomas Mraz
40825564d8 make 3des strength to be 128 bits instead of 168 (#1056616) 2014-01-22 17:57:22 +01:00
Tomas Mraz
519fe2cc24 Two security fixes 
- fix CVE-2013-4353 - Invalid TLS handshake crash
- fix CVE-2013-6450 - possible MiTM attack on DTLS1
 2014-01-07 15:09:40 +01:00
Tomas Mraz
8978637f3b fix CVE-2013-6449 - crash when version in SSL structure is incorrect 
- more FIPS validation requirement changes
 2013-12-20 14:14:15 +01:00
Tomas Mraz
dc728e2d8b drop weak ciphers from the default TLS ciphersuite list 
- add back some symbols that were dropped with update to 1.0.1 branch
- more FIPS validation requirement changes
 2013-12-18 15:55:26 +01:00
Tomas Mraz
ad237d19e6 fix locking and reseeding problems with FIPS drbg 2013-11-19 14:52:30 +01:00
Tomas Mraz
e64d4ea7bb additional changes required for FIPS validation 2013-11-15 16:13:44 +01:00
Tomas Mraz
dcd0fb1ec9 disable verification of certificate, CRL, and OCSP signatures using MD5 
if OPENSSL_ENABLE_MD5_VERIFY environment variable is not set
 2013-11-13 19:42:54 +01:00
Tomas Mraz
83d99a68af add back support for secp521r1 EC curve 
- add aarch64 to Configure (#969692)
 2013-11-08 18:16:49 +01:00
Tomas Mraz
5714047e75 fix misdetection of RDRAND support on Cyrix CPUS (from upstream) (#1022346) 2013-10-29 16:24:08 +01:00
Tomas Mraz
eca676db7a do not advertise ECC curves we do not support (#1022493) 2013-10-24 10:40:18 +02:00
Tomas Mraz
b3551463ca only ECC NIST Suite B curves support 
- drop -fips subpackage
 2013-10-16 14:37:51 +02:00
Tom Callaway
1f19ac14f9 resolve bugzilla 319901 (phew! only took 6 years & 9 days) 2013-10-15 02:08:35 +01:00
Tomas Mraz
7ae1dc1df9 Bump release 2013-09-27 15:46:03 +02:00
Tomas Mraz
4e423c3c50 make DTLS1 work in FIPS mode 
- avoid RSA and DSA 512 bits and Whirlpool in 'openssl speed' in FIPS mode
 2013-09-27 15:43:51 +02:00
Tomas Mraz
df94661da5 avoid dlopening libssl.so from libcrypto (#1010357) 2013-09-23 18:30:01 +02:00
Tomas Mraz
372f3ac997 fix small memory leak in FIPS aes selftest 2013-09-20 16:04:50 +02:00
Tomas Mraz
8c28623e94 fix segfault in openssl speed hmac in the FIPS mode 2013-09-19 15:16:50 +02:00
Tomas Mraz
30ebb4d732 document the nextprotoneg option in manual pages 
original patch by Hubert Kario
 2013-09-12 10:39:33 +02:00
Tomas Mraz
ae08b15c89 document the nextprotoneg option in manual pages 
original patch by Hubert Kario
 2013-09-12 10:23:34 +02:00
Kyle McMartin
cb069618e7 arm: use auxv to figure out armcap.c instead of using signals (#1006474) 2013-09-11 10:36:42 -04:00
Tomas Mraz
eb63cc63df try to avoid some races when updating the -fips subpackage 2013-09-04 13:53:38 +02:00
Tomas Mraz
850ca72b9a use version-release in .hmac suffix to avoid overwrite during upgrade 2013-09-02 15:02:18 +02:00
Tomas Mraz
b5d2711ab6 allow deinitialization of the FIPS mode 2013-08-29 16:41:24 +02:00
Tomas Mraz
1465572e17 always perform the FIPS selftests in library constructor 
if FIPS module is installed
 2013-08-29 11:45:04 +02:00
Tomas Mraz
bb2f3882f2 add -fips subpackage that contains the FIPS module files 2013-08-27 16:03:43 +02:00
Tomas Mraz
9c324da28e fix use of rdrand if available 
- more commits cherry picked from upstream
- documentation fixes
 2013-08-16 16:06:51 +02:00
Petr Písař
a254940dd1 Perl 5.18 rebuild 2013-08-03 12:05:42 +02:00
Tomas Mraz
acdf8a62f6 use symbol versioning also for the textual version 
- additional manual page fix
 2013-07-26 13:16:10 +02:00
Tomas Mraz
9b36f08da8 additional manual page fixes 2013-07-25 15:14:25 +02:00
Tomas Mraz
653e1efa34 use _prefix macro 2013-07-19 11:46:56 +02:00
Petr Písař
49a1fc761b Perl 5.18 rebuild 2013-07-17 16:32:50 +02:00
Tomas Mraz
7ccde74773 add openssl.cnf.5 manpage symlink to config.5 2013-07-11 10:44:55 +02:00
Tomas Mraz
9555809e80 add relro linking flag 2013-07-10 17:54:24 +02:00
Tomas Mraz
30aa9303c7 add support for the -trusted_first option for certificate chain verification 2013-07-10 11:02:41 +02:00
Tomas Mraz
dad6e3ee78 fix build of manual pages with current pod2man (#959439) 2013-05-03 18:38:28 +02:00
Peter Robinson
6705192b85 Enable ARM optimised build 2013-04-21 14:33:34 +01:00
Tomas Mraz
64e30c5369 fix random bad record mac errors (#918981) 2013-03-18 21:34:18 +01:00
Tomas Mraz
9cf55df55b fix up the SHLIB_VERSION_NUMBER 2013-02-19 20:35:16 +01:00
Tomas Mraz
169c3a0ddb disable ZLIB loading by default (due to CRIME attack) 2013-02-19 16:41:14 +01:00
Tomas Mraz
dc696fdac4 new upstream version 2013-02-19 13:57:39 +01:00
Tomas Mraz
0fd0958b75 more fixes from upstream 
- fix errors in manual causing build failure (#904777)
 2013-01-30 18:32:56 +01:00
Tomas Mraz
2ca16b9a24 Add the renew-dummy-cert script to file list 2012-12-21 17:38:32 +01:00
Tomas Mraz
c67ea975b9 add script for renewal of a self-signed cert by Philip Prindeville (#871566) 
- allow X509_issuer_and_serial_hash() produce correct result in
  the FIPS mode (#881336)
 2012-12-21 17:21:50 +01:00
Tomas Mraz
07ac3d216e Fix bogus dates in changelog. 2012-12-07 12:37:49 +01:00
Tomas Mraz
650873ff0e do not load default verify paths if CApath or CAfile specified (#884305) 2012-12-06 18:30:15 +01:00
Tomas Mraz
12aab15a03 more fixes from upstream CVS 
- fix DSA key pairwise check (#878597)
 2012-11-20 22:33:42 +01:00
Tomas Mraz
d8e7bfc73b Add the marker for required patch. 2012-11-19 17:43:07 +01:00
Tomas Mraz
b7eb6f4a5f use 1024 bit DH parameters in s_server as 512 bit is not allowed 
in FIPS mode and it is quite weak anyway
 2012-11-15 21:11:36 +01:00
Tomas Mraz
79971bf194 Use secure_getenv() with new glibc. 2012-09-10 20:25:19 +02:00
Tomas Mraz
c015bd1b1e add missing initialization of str in aes_ccm_init_key (#853963) 
- add important patches from upstream CVS
 2012-09-07 10:48:56 +02:00
Dennis Gilmore
eaa5561c35 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild 2012-07-20 02:06:56 -05:00
Tomas Mraz
af044b4037 use __getenv_secure() instead of __libc_enable_secure 2012-07-13 22:21:05 +02:00
Tomas Mraz
72a1bddddc do not move libcrypto to /lib 
- do not use environment variables if __libc_enable_secure is on
- fix strict aliasing problems in modes
 2012-07-13 14:30:31 +02:00
Tomas Mraz
c2e3151786 do not move libcrypto to /lib 
- do not use environment variables if __libc_enable_secure is on
- fix strict aliasing problems in modes
 2012-07-13 14:23:34 +02:00
Tomas Mraz
55a3598cc7 fix DSA key generation in FIPS mode (#833866) 
- allow duplicate FIPS_mode_set(1)
- enable build on ppc64 subarch (#834652)
 2012-07-12 21:59:56 +02:00
Tomas Mraz
5183d32904 Make it build with new Perl 2012-07-12 00:35:57 +02:00
Tomas Mraz
18ccae20f6 fix s_server with new glibc when no global IPv6 address (#839031) 2012-07-12 00:04:06 +02:00
Tomas Mraz
5e74bace82 new upstream version 2012-05-15 19:40:22 +02:00
Tomas Mraz
651215c12b new upstream version 2012-05-15 19:37:55 +02:00
Tomas Mraz
5eb4589d83 new upstream version 2012-04-26 18:10:52 +02:00
Tomas Mraz
6a4bd67710 new upstream version fixing CVE-2012-2110 2012-04-20 12:30:37 +02:00
Tomas Mraz
e8c18345a4 new upstream version fixing CVE-2012-2110 2012-04-20 12:24:39 +02:00
Tomas Mraz
d46b44c249 add Kerberos 5 libraries to pkgconfig for static linking (#807050) 2012-04-11 16:33:03 +02:00
Tomas Mraz
d7587a26b6 backports from upstream CVS 
fix segfault when /dev/urandom is not available (#809586)
 2012-04-05 19:56:49 +02:00
Tomas Mraz
0f0ab24176 new upstream release 2012-03-14 21:38:58 +01:00
Tomas Mraz
0aa7d61151 add obsoletes to assist multilib updates (#799636) 2012-03-05 10:51:13 +01:00
Tomas Mraz
00c4986d53 new upstream release from the 1.0.1 branch 
- epoch bumped to 1 due to revert to 1.0.0g on Fedora 17
- fix s390x build (#798411)
- versioning for the SSLeay symbol (#794950)
- add -DPURIFY to build flags (#797323)
- filter engine provides
- split the libraries to a separate -libs package
- add make to requires on the base package (#783446)
 2012-02-29 21:54:08 +01:00
Tomas Mraz
ad05b50537 New upstream release from the 1.0.1 branch, ABI compatible 
- also add documentation for the -no_ign_eof option
 2012-02-07 13:46:42 +01:00
Tomas Mraz
d91aea8890 new upstream release fixing CVE-2012-0050 - DoS regression in 
DTLS support introduced by the previous release (#782795)
 2012-01-19 16:48:48 +01:00
Peter Robinson
48bba71e16 mktemp was long obsoleted by coreutils 2012-01-11 10:41:37 +00:00
Tomas Mraz
628d7e4989 new upstream release fixing multiple CVEs 2012-01-05 15:14:10 +01:00
Tomas Mraz
c28bd1cc5f Make the non-upstream tarball comment more clear. 2011-11-25 16:32:43 +01:00
Tomas Mraz
497f2d674c move the libraries needed for static linking to Libs.private 2011-11-22 11:53:40 +01:00
Tomas Mraz
6f65ffce68 do not use AVX instructions when osxsave bit not set 
add direct known answer tests for SHA2 algorithms
 2011-11-03 10:18:52 +01:00
Tomas Mraz
e4008f0b0e fix missing initialization of variable in CHIL engine 2011-09-21 17:34:13 +02:00
Tomas Mraz
3447c41c99 new upstream release fixing CVE-2011-3207 (#736088) 2011-09-07 18:27:06 +02:00
Tomas Mraz
4c970c62c5 drop the separate engine for Intel acceleration improvements 
and merge in the AES-NI, SHA1, and RC4 optimizations
add support for OPENSSL_DISABLE_AES_NI environment variable
that disables the AES-NI support
 2011-08-24 13:12:33 +02:00
Tomas Mraz
0ed17c0652 correct openssl cms help output (#636266) 
more tolerant starttls detection in XMPP protocol (#608239)
 2011-07-26 13:02:17 +02:00
Tomas Mraz
5c4fc08e4d add support for newest Intel acceleration improvements backported 
from upstream by Intel in form of a separate engine
 2011-07-20 14:56:21 +02:00
Tomas Mraz
f4fb8490a9 allow the AES-NI engine in the FIPS mode 2011-06-09 16:22:08 +02:00
Tomas Mraz
19062db533 add API necessary for CAVS testing of the new DSA parameter generation 2011-05-24 14:57:29 +02:00
Tomas Mraz
0b4cee3bc2 Allow easier rebuilds on some multilib arches. 2011-05-19 10:34:38 +02:00
Tomas Mraz
138493a921 add support for VIA Padlock on 64bit arch from upstream (#617539) 
do not return bogus values from load_certs (#652286)
 2011-04-28 21:58:56 +02:00