Pedro Monreal Gonzalez
6e95485a74
* Major changes between OpenSSL 3.1.6 and OpenSSL 3.1.7 [3 Sep 2024]
- Fixed possible denial of service in X.509 name checks (CVE-2024-6119)
- Fixed possible buffer overread in SSL_select_next_proto()
(CVE-2024-5535)
* Major changes between OpenSSL 3.1.5 and OpenSSL 3.1.6 [4 Jun 2024]
- Fixed potential use after free after SSL_free_buffers() is
called (CVE-2024-4741)
- Fixed an issue where checking excessively long DSA keys or
parameters may be very slow (CVE-2024-4603)
- Fixed unbounded memory growth with session handling in TLSv1.3
(CVE-2024-2511)
* Major changes between OpenSSL 3.1.4 and OpenSSL 3.1.5 [30 Jan 2024]
- Fixed PKCS12 Decoding crashes (CVE-2024-0727)
- Fixed Excessive time spent checking invalid RSA public keys
[CVE-2023-6237)
- Fixed POLY1305 MAC implementation corrupting vector registers
on PowerPC CPUs which support PowerISA 2.07 (CVE-2023-6129)
- Fix excessive time spent in DH check / generation with large
Q parameter value (CVE-2023-5678)
* Update openssl.keyring with BA5473A2B0587B07FB27CF2D216094DFD0CB81EF
* Rebase patches:
- openssl-Force-FIPS.patch
- openssl-FIPS-embed-hmac.patch
- openssl-FIPS-services-minimize.patch
- openssl-FIPS-RSA-disable-shake.patch
- openssl-CVE-2023-50782.patch
* Remove patches fixed in the update:
- openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
- openssl-CVE-2024-6119.patch openssl-CVE-2024-5535.patch
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=119
87 lines
2.2 KiB
Diff
87 lines
2.2 KiB
Diff
From aa3aebf132959e7e44876042efaf9ff24ffe0f2b Mon Sep 17 00:00:00 2001
|
|
From: rpm-build <rpm-build>
|
|
Date: Mon, 31 Jul 2023 09:41:27 +0200
|
|
Subject: [PATCH 09/35] 0009-Add-Kernel-FIPS-mode-flag-support.patch
|
|
|
|
Patch-name: 0009-Add-Kernel-FIPS-mode-flag-support.patch
|
|
Patch-id: 9
|
|
Patch-status: |
|
|
# Add check to see if fips flag is enabled in kernel
|
|
From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
|
|
---
|
|
crypto/context.c | 36 ++++++++++++++++++++++++++++++++++++
|
|
include/internal/provider.h | 3 +++
|
|
2 files changed, 39 insertions(+)
|
|
|
|
diff --git a/crypto/context.c b/crypto/context.c
|
|
index e294ea1512..51002ba79a 100644
|
|
--- a/crypto/context.c
|
|
+++ b/crypto/context.c
|
|
@@ -16,6 +16,41 @@
|
|
#include "internal/provider.h"
|
|
#include "crypto/context.h"
|
|
|
|
+# include <sys/types.h>
|
|
+# include <sys/stat.h>
|
|
+# include <fcntl.h>
|
|
+# include <unistd.h>
|
|
+# include <openssl/evp.h>
|
|
+
|
|
+# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
|
|
+
|
|
+static int kernel_fips_flag;
|
|
+
|
|
+static void read_kernel_fips_flag(void)
|
|
+{
|
|
+ char buf[2] = "0";
|
|
+ int fd;
|
|
+
|
|
+ if (ossl_safe_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
|
|
+ buf[0] = '1';
|
|
+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
|
|
+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
|
|
+ close(fd);
|
|
+ }
|
|
+
|
|
+ if (buf[0] == '1') {
|
|
+ kernel_fips_flag = 1;
|
|
+ }
|
|
+
|
|
+ return;
|
|
+}
|
|
+
|
|
+int ossl_get_kernel_fips_flag()
|
|
+{
|
|
+ return kernel_fips_flag;
|
|
+}
|
|
+
|
|
+
|
|
struct ossl_lib_ctx_st {
|
|
CRYPTO_RWLOCK *lock, *rand_crngt_lock;
|
|
OSSL_EX_DATA_GLOBAL global;
|
|
@@ -336,6 +371,7 @@ static int default_context_inited = 0;
|
|
|
|
DEFINE_RUN_ONCE_STATIC(default_context_do_init)
|
|
{
|
|
+ read_kernel_fips_flag();
|
|
if (!CRYPTO_THREAD_init_local(&default_context_thread_local, NULL))
|
|
goto err;
|
|
|
|
diff --git a/include/internal/provider.h b/include/internal/provider.h
|
|
index 18937f84c7..1446bf7afb 100644
|
|
--- a/include/internal/provider.h
|
|
+++ b/include/internal/provider.h
|
|
@@ -112,6 +112,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx,
|
|
const OSSL_DISPATCH *in);
|
|
void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx);
|
|
|
|
+/* FIPS flag access */
|
|
+int ossl_get_kernel_fips_flag(void);
|
|
+
|
|
# ifdef __cplusplus
|
|
}
|
|
# endif
|
|
--
|
|
2.41.0
|
|
|