Pedro Monreal Gonzalez
6e95485a74
* Major changes between OpenSSL 3.1.6 and OpenSSL 3.1.7 [3 Sep 2024]
- Fixed possible denial of service in X.509 name checks (CVE-2024-6119)
- Fixed possible buffer overread in SSL_select_next_proto()
(CVE-2024-5535)
* Major changes between OpenSSL 3.1.5 and OpenSSL 3.1.6 [4 Jun 2024]
- Fixed potential use after free after SSL_free_buffers() is
called (CVE-2024-4741)
- Fixed an issue where checking excessively long DSA keys or
parameters may be very slow (CVE-2024-4603)
- Fixed unbounded memory growth with session handling in TLSv1.3
(CVE-2024-2511)
* Major changes between OpenSSL 3.1.4 and OpenSSL 3.1.5 [30 Jan 2024]
- Fixed PKCS12 Decoding crashes (CVE-2024-0727)
- Fixed Excessive time spent checking invalid RSA public keys
[CVE-2023-6237)
- Fixed POLY1305 MAC implementation corrupting vector registers
on PowerPC CPUs which support PowerISA 2.07 (CVE-2023-6129)
- Fix excessive time spent in DH check / generation with large
Q parameter value (CVE-2023-5678)
* Update openssl.keyring with BA5473A2B0587B07FB27CF2D216094DFD0CB81EF
* Rebase patches:
- openssl-Force-FIPS.patch
- openssl-FIPS-embed-hmac.patch
- openssl-FIPS-services-minimize.patch
- openssl-FIPS-RSA-disable-shake.patch
- openssl-CVE-2023-50782.patch
* Remove patches fixed in the update:
- openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
- openssl-CVE-2024-6119.patch openssl-CVE-2024-5535.patch
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=119
41 lines
1.3 KiB
Diff
41 lines
1.3 KiB
Diff
Index: openssl-3.1.4/providers/fips/self_test.c
|
|
===================================================================
|
|
--- openssl-3.1.4.orig/providers/fips/self_test.c
|
|
+++ openssl-3.1.4/providers/fips/self_test.c
|
|
@@ -401,6 +401,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
|
|
if (ev == NULL)
|
|
goto end;
|
|
|
|
+ /*
|
|
+ * Run the KAT's before HMAC verification according to FIPS-140-3 requirements
|
|
+ */
|
|
+ if (kats_already_passed == 0) {
|
|
+ if (!SELF_TEST_kats(ev, st->libctx)) {
|
|
+ ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
|
|
+ goto end;
|
|
+ }
|
|
+ }
|
|
+
|
|
module_checksum = fips_hmac_container;
|
|
checksum_len = sizeof(fips_hmac_container);
|
|
|
|
@@ -451,18 +461,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS
|
|
}
|
|
}
|
|
|
|
- /*
|
|
- * Only runs the KAT's during installation OR on_demand().
|
|
- * NOTE: If the installation option 'self_test_onload' is chosen then this
|
|
- * path will always be run, since kats_already_passed will always be 0.
|
|
- */
|
|
- if (on_demand_test || kats_already_passed == 0) {
|
|
- if (!SELF_TEST_kats(ev, st->libctx)) {
|
|
- ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
|
|
- goto end;
|
|
- }
|
|
- }
|
|
-
|
|
/* Verify that the RNG has been restored properly */
|
|
rng = ossl_rand_get0_private_noncreating(st->libctx);
|
|
if (rng != NULL)
|