Pedro Monreal Gonzalez
18ecb7a582
- Security fix: [bsc#1227138, CVE-2024-5535] * SSL_select_next_proto buffer overread * Add openssl-CVE-2024-5535.patch - Apply "openssl-CVE-2024-4741.patch" to fix a use-after-free security vulnerability. Calling the function SSL_free_buffers() potentially caused memory to be accessed that was previously freed in some situations and a malicious attacker could attempt to engineer a stituation where this occurs to facilitate a denial-of-service attack. [CVE-2024-4741, bsc#1225551] OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=164
27 lines
956 B
Diff
27 lines
956 B
Diff
Index: openssl-1.1.1l/crypto/fips/fips.c
|
|
===================================================================
|
|
--- openssl-1.1.1l.orig/crypto/fips/fips.c
|
|
+++ openssl-1.1.1l/crypto/fips/fips.c
|
|
@@ -453,15 +453,17 @@ int FIPS_module_mode_set(int onoff)
|
|
|
|
fips_post = 1;
|
|
|
|
- if (!verify_checksums()) {
|
|
- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
|
|
- FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
|
|
+ /* Run the KATs before the HMAC verification for FIPS 140-3 compliance */
|
|
+ if (!FIPS_selftest()) {
|
|
fips_selftest_fail = 1;
|
|
ret = 0;
|
|
goto end;
|
|
}
|
|
|
|
- if (!FIPS_selftest()) {
|
|
+ /* Run the HMAC verification after the KATs for FIPS 140-3 compliance */
|
|
+ if (!verify_checksums()) {
|
|
+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
|
|
+ FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
|
|
fips_selftest_fail = 1;
|
|
ret = 0;
|
|
goto end;
|