openssl-3/openssl-FIPS-Enforce-error-state.patch

Index: openssl-3.1.4/providers/fips/fipsprov.c
===================================================================
--- openssl-3.1.4.orig/providers/fips/fipsprov.c
+++ openssl-3.1.4/providers/fips/fipsprov.c
@@ -805,6 +805,7 @@ int OSSL_provider_init_int(const OSSL_CO
         /* Error already raised */
         goto err;
     }
+#if 0 /* Don't allow to skip the error state */
     /*
      * Disable the conditional error check if it's disabled in the fips config
      * file.
@@ -812,6 +813,7 @@ int OSSL_provider_init_int(const OSSL_CO
     if (fgbl->selftest_params.conditional_error_check != NULL
         && strcmp(fgbl->selftest_params.conditional_error_check, "0") == 0)
         SELF_TEST_disable_conditional_error_state();
+#endif
 
     /* Enable or disable FIPS provider options */
 #define FIPS_SET_OPTION(fgbl, field)                                            \
- Support MSA 11 HMAC on s390x jsc#PED-10273 * Add openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch * Add openssl-3-fix-hmac-digest-detection-s390x.patch * Add openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch - Add hardware acceleration for full AES-XTS jsc#PED-10273 * Add openssl-3-hw-acceleration-aes-xts-s390x.patch - Support MSA 12 SHA3 on s390x jsc#PED-10280 * Add openssl-3-add_EVP_DigestSqueeze_api.patch * Add openssl-3-support-multiple-sha3_squeeze_s390x.patch * Add openssl-3-add-xof-state-handling-s3_absorb.patch * Add openssl-3-fix-state-handling-sha3_absorb_s390x.patch * Add openssl-3-fix-state-handling-sha3_final_s390x.patch * Add openssl-3-fix-state-handling-shake_final_s390x.patch * Add openssl-3-fix-state-handling-keccak_final_s390x.patch * Add openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch * Add openssl-3-add-defines-CPACF-funcs.patch * Add openssl-3-add-hw-acceleration-hmac.patch * Add openssl-3-support-CPACF-sha3-shake-perf-improvement.patch * Add openssl-3-fix-s390x_sha3_absorb.patch * Add openssl-3-fix-s390x_shake_squeeze.patch - Update to 3.2.3: * Changes between 3.2.2 and 3.2.3: - Fixed possible denial of service in X.509 name checks. [CVE-2024-6119] - Fixed possible buffer overread in SSL_select_next_proto(). [CVE-2024-5535] * Changes between 3.2.1 and 3.2.2: - Fixed potential use after free after SSL_free_buffers() is called. [CVE-2024-4741] - Fixed an issue where checking excessively long DSA keys or parameters may OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=121 2024-11-05 20:08:08 +01:00			`Index: openssl-3.1.4/providers/fips/fipsprov.c`
			`===================================================================`
			`--- openssl-3.1.4.orig/providers/fips/fipsprov.c`
			`+++ openssl-3.1.4/providers/fips/fipsprov.c`
			`@@ -805,6 +805,7 @@ int OSSL_provider_init_int(const OSSL_CO`
			`/* Error already raised */`
			`goto err;`
			`}`
			`+#if 0 /* Don't allow to skip the error state */`
			`/*`
			`* Disable the conditional error check if it's disabled in the fips config`
			`* file.`
			`@@ -812,6 +813,7 @@ int OSSL_provider_init_int(const OSSL_CO`
			`if (fgbl->selftest_params.conditional_error_check != NULL`
			`&& strcmp(fgbl->selftest_params.conditional_error_check, "0") == 0)`
			`SELF_TEST_disable_conditional_error_state();`
			`+#endif`

			`/* Enable or disable FIPS provider options */`
			`#define FIPS_SET_OPTION(fgbl, field) \`