RHEL-80811

Rebase OpenSSL to 3.5

    • openssl-3.5.0-1.el10
    • Moderate
    • Rebase
    • 1
    • rhel-security-crypto
    • ssg_security
    • 11
    • 20
    • 1.5
    • QE ack, Dev ack
    • False
    • False
    • Yes
    • Crypto25Q2
      AC1) Unknown entries in the SignatureAlgorithms, ClientSignatureAlgorithms, or Groups config options that start with the ? character are ignored, and the configuration is still used.

      AC2) We are not using JITTER RNG in RHEL FIPS; the configuration option enable-fips-jitter is not present.

      AC3) CRYPTO-16796

      AC4) CRYPTO-16797

      AC5) CRYPTO-16798

      AC6) CRYPTO-16799

      AC7) CRYPTO-16800

      AC8) CRYPTO-16801

      AC9) All regression tests are passing

      AC10 optional) CRYPTO-16802

      AC11 optional) Test the new EVP_DigestSqueeze() API that allows SHAKE to squeeze multiple times with different output sizes.

      AC12 optional) New RNG JITTER creates unique random hashes

    • Pass
    • Not Needed
    • Automated
    • Rebase
      .OpenSSL rebased to 3.5

      OpenSSL is rebased to upstream version 3.5. This version provides important fixes and enhancements, most notably the following:

      * The SHA-224 digest is disabled.
      * SHAKE-128 and SHAKE-256 implementations no longer have a default digest length. Therefore, these algorithms cannot be used with the `EVP_DigestFinal()` or `EVP_DigestFinal_ex()` function unless the `xoflen` parameter is set.
    • In Progress
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      Goal

      • We want post-quantum cryptography from OpenSSL 3.5, so rebase OpenSSL in RHEL 10 to upstream's new 3.5 LTS release.

      Acceptance criteria

      • OpenSSL is updated to version 3.5
      • ML-DSA, ML-KEM, and SLH-DSA are usable from OpenSSL without loading the oqsprovider.
      • The oqsprovider is deprecated

              dbelyavs@redhat.com Dmitry Belyavskiy
              cllang@redhat.com Clemens Lang
              Dmitry Belyavskiy
              George Pantelakis
              Mirek Jahoda