openssl-1_1/openssl-1.1.0-issuer-hash.patch

Index: openssl-1.1.1j/crypto/x509/x509_cmp.c
===================================================================
--- openssl-1.1.1j.orig/crypto/x509/x509_cmp.c
+++ openssl-1.1.1j/crypto/x509/x509_cmp.c
@@ -38,6 +38,7 @@ unsigned long X509_issuer_and_serial_has
 
     if (ctx == NULL)
         goto err;
+    EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
     f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0);
     if (f == NULL)
         goto err;
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85 2021-02-22 13:20:01 +01:00			`Index: openssl-1.1.1j/crypto/x509/x509_cmp.c`
Accepting request 766865 from home:vitezslav_cizek:branches:security:tls Add million FIPS and s390 patches - Temporarily ignore broken OPENSSL_INIT_NO_ATEXIT due to our layered FIPS initialization * openssl-fips-ignore_broken_atexit_test.patch - Import FIPS patches from SLE-15 * openssl-fips-dont_run_FIPS_module_installed.patch * openssl-fips_mode.patch * openssl-ship_fips_standalone_hmac.patch * openssl-fips-clearerror.patch * openssl-fips-selftests_in_nonfips_mode.patch - Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392) * add openssl-fips-run_selftests_only_when_module_is_complete.patch - Import FIPS patches from Fedora (bsc#1157702, jsc#SLE-9553) * openssl-1.1.1-fips-crng-test.patch * openssl-1.1.1-fips-post-rand.patch * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch * openssl-1.1.1-ssh-kdf.patch replaces openssl-jsc-SLE-8789-backport_KDF.patch - Support for CPACF enhancements - part 1 (crypto) [bsc#1152695, jsc#SLE-7861] - Add patches: * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch * openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch * openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch * openssl-s390xcpuid.pl-fix-comment.patch OBS-URL: https://build.opensuse.org/request/show/766865 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=51 2020-01-24 12:52:58 +01:00			`===================================================================`
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85 2021-02-22 13:20:01 +01:00			`--- openssl-1.1.1j.orig/crypto/x509/x509_cmp.c`
			`+++ openssl-1.1.1j/crypto/x509/x509_cmp.c`
Accepting request 766865 from home:vitezslav_cizek:branches:security:tls Add million FIPS and s390 patches - Temporarily ignore broken OPENSSL_INIT_NO_ATEXIT due to our layered FIPS initialization * openssl-fips-ignore_broken_atexit_test.patch - Import FIPS patches from SLE-15 * openssl-fips-dont_run_FIPS_module_installed.patch * openssl-fips_mode.patch * openssl-ship_fips_standalone_hmac.patch * openssl-fips-clearerror.patch * openssl-fips-selftests_in_nonfips_mode.patch - Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392) * add openssl-fips-run_selftests_only_when_module_is_complete.patch - Import FIPS patches from Fedora (bsc#1157702, jsc#SLE-9553) * openssl-1.1.1-fips-crng-test.patch * openssl-1.1.1-fips-post-rand.patch * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch * openssl-1.1.1-ssh-kdf.patch replaces openssl-jsc-SLE-8789-backport_KDF.patch - Support for CPACF enhancements - part 1 (crypto) [bsc#1152695, jsc#SLE-7861] - Add patches: * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch * openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch * openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch * openssl-s390xcpuid.pl-fix-comment.patch OBS-URL: https://build.opensuse.org/request/show/766865 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=51 2020-01-24 12:52:58 +01:00			`@@ -38,6 +38,7 @@ unsigned long X509_issuer_and_serial_has`

			`if (ctx == NULL)`
			`goto err;`
			`+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);`
			`f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0);`
Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1j * Fixed the X509_issuer_and_serial_hash() function. It attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it was failing to correctly handle any errors that may occur while parsing the issuer field [bsc#1182331, CVE-2021-23841] * Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks. * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions. Previously they could overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call would be 1 (indicating success), but the output length value would be negative. This could cause applications to behave incorrectly or crash. [bsc#1182333, CVE-2021-23840] * Fixed SRP_Calc_client_key so that it runs in constant time. The previous implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. - Rebase patches: * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch - Add version guards for the crypto-policies OBS-URL: https://build.opensuse.org/request/show/873674 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85 2021-02-22 13:20:01 +01:00			`if (f == NULL)`
Accepting request 766865 from home:vitezslav_cizek:branches:security:tls Add million FIPS and s390 patches - Temporarily ignore broken OPENSSL_INIT_NO_ATEXIT due to our layered FIPS initialization * openssl-fips-ignore_broken_atexit_test.patch - Import FIPS patches from SLE-15 * openssl-fips-dont_run_FIPS_module_installed.patch * openssl-fips_mode.patch * openssl-ship_fips_standalone_hmac.patch * openssl-fips-clearerror.patch * openssl-fips-selftests_in_nonfips_mode.patch - Don't run FIPS power-up self-tests when the checksum files aren't installed (bsc#1042392) * add openssl-fips-run_selftests_only_when_module_is_complete.patch - Import FIPS patches from Fedora (bsc#1157702, jsc#SLE-9553) * openssl-1.1.1-fips-crng-test.patch * openssl-1.1.1-fips-post-rand.patch * openssl-1.1.1-fips.patch * openssl-1.1.0-issuer-hash.patch * openssl-1.1.1-evp-kdf.patch * openssl-1.1.1-ssh-kdf.patch replaces openssl-jsc-SLE-8789-backport_KDF.patch - Support for CPACF enhancements - part 1 (crypto) [bsc#1152695, jsc#SLE-7861] - Add patches: * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch * openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch * openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch * openssl-s390xcpuid.pl-fix-comment.patch OBS-URL: https://build.opensuse.org/request/show/766865 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=51 2020-01-24 12:52:58 +01:00			`goto err;`