pool/openssl-3
SHA256
4
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
openssl-3/openssl-FIPS-early-KATS.patch

41 lines
1.3 KiB
Diff
Raw Normal View History

- Update to 3.1.7: * Major changes between OpenSSL 3.1.6 and OpenSSL 3.1.7 [3 Sep 2024] - Fixed possible denial of service in X.509 name checks (CVE-2024-6119) - Fixed possible buffer overread in SSL_select_next_proto() (CVE-2024-5535) * Major changes between OpenSSL 3.1.5 and OpenSSL 3.1.6 [4 Jun 2024] - Fixed potential use after free after SSL_free_buffers() is called (CVE-2024-4741) - Fixed an issue where checking excessively long DSA keys or parameters may be very slow (CVE-2024-4603) - Fixed unbounded memory growth with session handling in TLSv1.3 (CVE-2024-2511) * Major changes between OpenSSL 3.1.4 and OpenSSL 3.1.5 [30 Jan 2024] - Fixed PKCS12 Decoding crashes (CVE-2024-0727) - Fixed Excessive time spent checking invalid RSA public keys [CVE-2023-6237) - Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC CPUs which support PowerISA 2.07 (CVE-2023-6129) - Fix excessive time spent in DH check / generation with large Q parameter value (CVE-2023-5678) * Update openssl.keyring with BA5473A2B0587B07FB27CF2D216094DFD0CB81EF * Rebase patches: - openssl-Force-FIPS.patch - openssl-FIPS-embed-hmac.patch - openssl-FIPS-services-minimize.patch - openssl-FIPS-RSA-disable-shake.patch - openssl-CVE-2023-50782.patch * Remove patches fixed in the update: - openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch - openssl-CVE-2024-6119.patch openssl-CVE-2024-5535.patch OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=119
2024-10-22 12:02:36 +00:00
Index: openssl-3.1.4/providers/fips/self_test.c
===================================================================
--- openssl-3.1.4.orig/providers/fips/self_test.c
+++ openssl-3.1.4/providers/fips/self_test.c
@@ -401,6 +401,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
if (ev == NULL)
goto end;
+ /*
+ * Run the KAT's before HMAC verification according to FIPS-140-3 requirements
+ */
+ if (kats_already_passed == 0) {
+ if (!SELF_TEST_kats(ev, st->libctx)) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
+ goto end;
+ }
+ }
+
module_checksum = fips_hmac_container;
checksum_len = sizeof(fips_hmac_container);
@@ -451,18 +461,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
}
}
- /*
- * Only runs the KAT's during installation OR on_demand().
- * NOTE: If the installation option 'self_test_onload' is chosen then this
- * path will always be run, since kats_already_passed will always be 0.
- */
- if (on_demand_test || kats_already_passed == 0) {
- if (!SELF_TEST_kats(ev, st->libctx)) {
- ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
- goto end;
- }
- }
-
/* Verify that the RNG has been restored properly */
rng = ossl_rand_get0_private_noncreating(st->libctx);
if (rng != NULL)
Reference in New Issue Copy Permalink