Accepting request 631308 from home:vitezslav_cizek:branches:security:tls
* openssl-1.1.0-fips.patch * openssl-urandom-reseeding.patch OBS-URL: https://build.opensuse.org/request/show/631308 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=20
This commit is contained in:
parent
3e8cec6722
commit
d71b6985eb
12282
openssl-1.1.0-fips.patch
12282
openssl-1.1.0-fips.patch
File diff suppressed because it is too large
Load Diff
@ -31,6 +31,8 @@ Thu Aug 23 13:21:00 UTC 2018 - vcizek@suse.com
|
||||
* openssl-fips-selftests_in_nonfips_mode.patch
|
||||
* openssl-fips_disallow_ENGINE_loading.patch
|
||||
* openssl-rsakeygen-minimum-distance.patch
|
||||
* openssl-1.1.0-fips.patch
|
||||
* openssl-urandom-reseeding.patch
|
||||
* openssl-CVE-2018-0737-fips.patch
|
||||
- add TLS 1.3 ciphers to DEFAULT_SUSE
|
||||
- merge openssl-1.0.1e-add-suse-default-cipher.patch and
|
||||
|
@ -1,100 +0,0 @@
|
||||
Index: openssl-1.1.0c/crypto/rand/rand_unix.c
|
||||
===================================================================
|
||||
--- openssl-1.1.0c.orig/crypto/rand/rand_unix.c 2016-12-12 17:33:05.654295693 +0100
|
||||
+++ openssl-1.1.0c/crypto/rand/rand_unix.c 2016-12-12 17:44:44.608814886 +0100
|
||||
@@ -144,7 +144,8 @@ int RAND_poll(void)
|
||||
unsigned long l;
|
||||
pid_t curr_pid = getpid();
|
||||
# if defined(DEVRANDOM) || (!defined(OPENSS_NO_EGD) && defined(DEVRANDOM_EGD))
|
||||
- unsigned char tmpbuf[ENTROPY_NEEDED];
|
||||
+ /* STATE_SIZE is 1023 ... but it was suggested to seed with 1024 bytes */
|
||||
+ unsigned char tmpbuf[1024];
|
||||
int n = 0;
|
||||
# endif
|
||||
# ifdef DEVRANDOM
|
||||
@@ -166,7 +167,7 @@ int RAND_poll(void)
|
||||
* out of random entries.
|
||||
*/
|
||||
|
||||
- for (i = 0; (i < OSSL_NELEM(randomfiles)) && (n < ENTROPY_NEEDED); i++) {
|
||||
+ for (i = 0; (i < OSSL_NELEM(randomfiles)) && (n < sizeof(tmpbuf)); i++) {
|
||||
if ((fd = open(randomfiles[i], O_RDONLY
|
||||
# ifdef O_NONBLOCK
|
||||
| O_NONBLOCK
|
||||
@@ -246,7 +247,7 @@ int RAND_poll(void)
|
||||
|
||||
if (try_read) {
|
||||
r = read(fd, (unsigned char *)tmpbuf + n,
|
||||
- ENTROPY_NEEDED - n);
|
||||
+ sizeof(tmpbuf) - n);
|
||||
if (r > 0)
|
||||
n += r;
|
||||
} else
|
||||
@@ -263,7 +264,7 @@ int RAND_poll(void)
|
||||
}
|
||||
while ((r > 0 ||
|
||||
(errno == EINTR || errno == EAGAIN)) && usec != 0
|
||||
- && n < ENTROPY_NEEDED);
|
||||
+ && n < sizeof(tmpbuf));
|
||||
|
||||
close(fd);
|
||||
}
|
||||
@@ -276,12 +277,12 @@ int RAND_poll(void)
|
||||
* collecting daemon.
|
||||
*/
|
||||
|
||||
- for (egdsocket = egdsockets; *egdsocket && n < ENTROPY_NEEDED;
|
||||
+ for (egdsocket = egdsockets; *egdsocket && n < sizeof(tmpbuf);
|
||||
egdsocket++) {
|
||||
int r;
|
||||
|
||||
r = RAND_query_egd_bytes(*egdsocket, (unsigned char *)tmpbuf + n,
|
||||
- ENTROPY_NEEDED - n);
|
||||
+ sizeof(tmpbuf) - n);
|
||||
if (r > 0)
|
||||
n += r;
|
||||
}
|
||||
Index: openssl-1.1.0c/crypto/rand/md_rand.c
|
||||
===================================================================
|
||||
--- openssl-1.1.0c.orig/crypto/rand/md_rand.c 2016-12-12 17:33:05.690296235 +0100
|
||||
+++ openssl-1.1.0c/crypto/rand/md_rand.c 2016-12-12 18:01:49.036286763 +0100
|
||||
@@ -318,6 +318,10 @@ static int rand_bytes(unsigned char *buf
|
||||
if (num <= 0)
|
||||
return 1;
|
||||
|
||||
+ /* special rule for /dev/urandom seeding ... seed with as much bytes
|
||||
+ * from /dev/urandom as you get out */
|
||||
+ RAND_load_file("/dev/urandom", num);
|
||||
+
|
||||
m = EVP_MD_CTX_new();
|
||||
if (m == NULL)
|
||||
goto err_mem;
|
||||
Index: openssl-1.1.0c/crypto/fips/fips_drbg_rand.c
|
||||
===================================================================
|
||||
--- openssl-1.1.0c.orig/crypto/fips/fips_drbg_rand.c 2016-12-12 17:33:05.690296235 +0100
|
||||
+++ openssl-1.1.0c/crypto/fips/fips_drbg_rand.c 2016-12-12 18:05:52.779971206 +0100
|
||||
@@ -90,6 +90,11 @@ static int fips_drbg_bytes(unsigned char
|
||||
int rv = 0;
|
||||
unsigned char *adin = NULL;
|
||||
size_t adinlen = 0;
|
||||
+
|
||||
+ /* add entropy in 1:1 relation (number pulled bytes / number pushed from /dev/urandom) */
|
||||
+ if (count > dctx->min_entropy)
|
||||
+ RAND_load_file("/dev/urandom", count - dctx->min_entropy);
|
||||
+
|
||||
CRYPTO_THREAD_write_lock(fips_rand_lock);
|
||||
do {
|
||||
size_t rcnt;
|
||||
Index: openssl-1.1.0c/crypto/rand/rand_lib.c
|
||||
===================================================================
|
||||
--- openssl-1.1.0c.orig/crypto/rand/rand_lib.c 2016-12-12 17:33:05.690296235 +0100
|
||||
+++ openssl-1.1.0c/crypto/rand/rand_lib.c 2016-12-12 18:05:01.499195179 +0100
|
||||
@@ -188,7 +188,7 @@ static int drbg_rand_add(DRBG_CTX *ctx,
|
||||
{
|
||||
RAND_OpenSSL()->add(in, inlen, entropy);
|
||||
if (FIPS_rand_status()) {
|
||||
- FIPS_drbg_reseed(ctx, NULL, 0);
|
||||
+ FIPS_drbg_reseed(ctx, in, inlen);
|
||||
}
|
||||
return 1;
|
||||
}
|
Loading…
Reference in New Issue
Block a user