pool/openssl-1_1
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
factory
openssl-1_1/openssl-1.1.0-issuer-hash.patch
Pedro Monreal Gonzalez a13839c7c6 Accepting request 873674 from home:pmonrealgonzalez:branches:security:tls 
- Update to 1.1.1j
  * Fixed the X509_issuer_and_serial_hash() function. It attempts
    to create a unique hash value based on the issuer and serial
    number data contained within an X509 certificate. However it
    was failing to correctly handle any errors that may occur
    while parsing the issuer field [bsc#1182331, CVE-2021-23841]
  * Fixed the RSA_padding_check_SSLv23() function and the
    RSA_SSLV23_PADDING padding mode to correctly check for
    rollback attacks.
  * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and
    EVP_DecryptUpdate functions. Previously they could overflow the
    output length argument in some cases where the input length is
    close to the maximum permissable length for an integer on the
    platform. In such cases the return value from the function call
    would be 1 (indicating success), but the output length value
    would be negative. This could cause applications to behave
    incorrectly or crash. [bsc#1182333, CVE-2021-23840]
  * Fixed SRP_Calc_client_key so that it runs in constant time.
    The previous implementation called BN_mod_exp without setting
    BN_FLG_CONSTTIME. This could be exploited in a side channel
    attack to recover the password. Since the attack is local host
    only this is outside of the current OpenSSL threat model and
    therefore no CVE is assigned.
- Rebase patches:
  * openssl-1.1.1-fips.patch
  * openssl-1.1.0-issuer-hash.patch
  * openssl-1.1.1-evp-kdf.patch

- Add version guards for the crypto-policies

OBS-URL: https://build.opensuse.org/request/show/873674
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=85
2021-02-22 12:20:01 +00:00

13 lines
465 B
Diff
Raw Permalink Blame History

Index: openssl-1.1.1j/crypto/x509/x509_cmp.c
===================================================================
--- openssl-1.1.1j.orig/crypto/x509/x509_cmp.c
+++ openssl-1.1.1j/crypto/x509/x509_cmp.c
@@ -38,6 +38,7 @@ unsigned long X509_issuer_and_serial_has
if (ctx == NULL)
goto err;
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0);
if (f == NULL)
goto err;
Reference in New Issue View Git Blame Copy Permalink