Pedro Monreal Gonzalez
8c598ed63d
* Add openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch * Add openssl-3-fix-hmac-digest-detection-s390x.patch * Add openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch - Add hardware acceleration for full AES-XTS jsc#PED-10273 * Add openssl-3-hw-acceleration-aes-xts-s390x.patch - Support MSA 12 SHA3 on s390x jsc#PED-10280 * Add openssl-3-add_EVP_DigestSqueeze_api.patch * Add openssl-3-support-multiple-sha3_squeeze_s390x.patch * Add openssl-3-add-xof-state-handling-s3_absorb.patch * Add openssl-3-fix-state-handling-sha3_absorb_s390x.patch * Add openssl-3-fix-state-handling-sha3_final_s390x.patch * Add openssl-3-fix-state-handling-shake_final_s390x.patch * Add openssl-3-fix-state-handling-keccak_final_s390x.patch * Add openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch * Add openssl-3-add-defines-CPACF-funcs.patch * Add openssl-3-add-hw-acceleration-hmac.patch * Add openssl-3-support-CPACF-sha3-shake-perf-improvement.patch * Add openssl-3-fix-s390x_sha3_absorb.patch * Add openssl-3-fix-s390x_shake_squeeze.patch - Update to 3.2.3: * Changes between 3.2.2 and 3.2.3: - Fixed possible denial of service in X.509 name checks. [CVE-2024-6119] - Fixed possible buffer overread in SSL_select_next_proto(). [CVE-2024-5535] * Changes between 3.2.1 and 3.2.2: - Fixed potential use after free after SSL_free_buffers() is called. [CVE-2024-4741] - Fixed an issue where checking excessively long DSA keys or parameters may OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=121
50 lines
1.5 KiB
Diff
50 lines
1.5 KiB
Diff
commit d5b3c0e24bc56614e92ffafdd705622beaef420a
|
|
Author: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
Date: Wed Aug 28 14:56:33 2024 +0200
|
|
|
|
s390x: Fix HMAC digest detection
|
|
|
|
Use EVP_MD_is_a() instead of EVP_MD_get_type() to detect the digest
|
|
type. EVP_MD_get_type() does not always return the expected NID, e.g.
|
|
when running in the FIPS provider, EVP_MD_get_type() returns zero,
|
|
causing to skip the HMAC acceleration path.
|
|
|
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
|
|
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
(Merged from https://github.com/openssl/openssl/pull/25304)
|
|
|
|
diff --git a/crypto/hmac/hmac_s390x.c b/crypto/hmac/hmac_s390x.c
|
|
index 8b0da0d59d..5db7e9a221 100644
|
|
--- a/crypto/hmac/hmac_s390x.c
|
|
+++ b/crypto/hmac/hmac_s390x.c
|
|
@@ -18,22 +18,16 @@ static int s390x_fc_from_md(const EVP_MD *md)
|
|
{
|
|
int fc;
|
|
|
|
- switch (EVP_MD_get_type(md)) {
|
|
- case NID_sha224:
|
|
+ if (EVP_MD_is_a(md, "SHA2-224"))
|
|
fc = S390X_HMAC_SHA_224;
|
|
- break;
|
|
- case NID_sha256:
|
|
+ else if (EVP_MD_is_a(md, "SHA2-256"))
|
|
fc = S390X_HMAC_SHA_256;
|
|
- break;
|
|
- case NID_sha384:
|
|
+ else if (EVP_MD_is_a(md, "SHA2-384"))
|
|
fc = S390X_HMAC_SHA_384;
|
|
- break;
|
|
- case NID_sha512:
|
|
+ else if (EVP_MD_is_a(md, "SHA2-512"))
|
|
fc = S390X_HMAC_SHA_512;
|
|
- break;
|
|
- default:
|
|
+ else
|
|
return 0;
|
|
- }
|
|
|
|
if ((OPENSSL_s390xcap_P.kmac[1] & S390X_CAPBIT(fc)) == 0)
|
|
return 0;
|