Pedro Monreal Gonzalez
8c598ed63d
* Add openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch
* Add openssl-3-fix-hmac-digest-detection-s390x.patch
* Add openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch
- Add hardware acceleration for full AES-XTS jsc#PED-10273
* Add openssl-3-hw-acceleration-aes-xts-s390x.patch
- Support MSA 12 SHA3 on s390x jsc#PED-10280
* Add openssl-3-add_EVP_DigestSqueeze_api.patch
* Add openssl-3-support-multiple-sha3_squeeze_s390x.patch
* Add openssl-3-add-xof-state-handling-s3_absorb.patch
* Add openssl-3-fix-state-handling-sha3_absorb_s390x.patch
* Add openssl-3-fix-state-handling-sha3_final_s390x.patch
* Add openssl-3-fix-state-handling-shake_final_s390x.patch
* Add openssl-3-fix-state-handling-keccak_final_s390x.patch
* Add openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch
* Add openssl-3-add-defines-CPACF-funcs.patch
* Add openssl-3-add-hw-acceleration-hmac.patch
* Add openssl-3-support-CPACF-sha3-shake-perf-improvement.patch
* Add openssl-3-fix-s390x_sha3_absorb.patch
* Add openssl-3-fix-s390x_shake_squeeze.patch
- Update to 3.2.3:
* Changes between 3.2.2 and 3.2.3:
- Fixed possible denial of service in X.509 name checks. [CVE-2024-6119]
- Fixed possible buffer overread in SSL_select_next_proto(). [CVE-2024-5535]
* Changes between 3.2.1 and 3.2.2:
- Fixed potential use after free after SSL_free_buffers() is called. [CVE-2024-4741]
- Fixed an issue where checking excessively long DSA keys or parameters may
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=121
51 lines
2.1 KiB
Diff
51 lines
2.1 KiB
Diff
From 979dc530010e3c0f045edf6e38c7ab894ffba7f2 Mon Sep 17 00:00:00 2001
|
|
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
Date: Thu, 5 Sep 2024 08:45:29 +0200
|
|
Subject: [PATCH] s390x: Fix s390x_sha3_absorb() when no data is processed by
|
|
KIMD
|
|
|
|
If the data to absorb is less than a block, then the KIMD instruction is
|
|
called with zero bytes. This is superfluous, and causes incorrect hash
|
|
output later on if this is the very first absorb call, i.e. when the
|
|
xof_state is still XOF_STATE_INIT and MSA 12 is available. In this case
|
|
the NIP flag is set in the function code for KIMD, but KIMD ignores the
|
|
NIP flag when it is called with zero bytes to process.
|
|
|
|
Skip any KIMD calls for zero length data. Also do not set the xof_state
|
|
to XOF_STATE_ABSORB until the first call to KIMD with data. That way,
|
|
the next KIMD (with non-zero length data) or KLMD call will get the NIP
|
|
flag set and will then honor it to produce correct output.
|
|
|
|
Fixes: https://github.com/openssl/openssl/commit/25f5d7b85f6657cd2f9f1ab7ae87f319d9bafe54
|
|
|
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
|
|
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
|
(Merged from https://github.com/openssl/openssl/pull/25388)
|
|
---
|
|
providers/implementations/digests/sha3_prov.c | 10 ++++++----
|
|
1 file changed, 6 insertions(+), 4 deletions(-)
|
|
|
|
Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
|
|
===================================================================
|
|
--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
|
|
+++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
|
|
@@ -192,10 +192,12 @@ static size_t s390x_sha3_absorb(void *vc
|
|
if (!(ctx->xof_state == XOF_STATE_INIT ||
|
|
ctx->xof_state == XOF_STATE_ABSORB))
|
|
return 0;
|
|
- fc = ctx->pad;
|
|
- fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0;
|
|
- ctx->xof_state = XOF_STATE_ABSORB;
|
|
- s390x_kimd(inp, len - rem, fc, ctx->A);
|
|
+ if (len - rem > 0) {
|
|
+ fc = ctx->pad;
|
|
+ fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0;
|
|
+ ctx->xof_state = XOF_STATE_ABSORB;
|
|
+ s390x_kimd(inp, len - rem, fc, ctx->A);
|
|
+ }
|
|
return rem;
|
|
}
|
|
|