Pedro Monreal Gonzalez
6e95485a74
* Major changes between OpenSSL 3.1.6 and OpenSSL 3.1.7 [3 Sep 2024]
- Fixed possible denial of service in X.509 name checks (CVE-2024-6119)
- Fixed possible buffer overread in SSL_select_next_proto()
(CVE-2024-5535)
* Major changes between OpenSSL 3.1.5 and OpenSSL 3.1.6 [4 Jun 2024]
- Fixed potential use after free after SSL_free_buffers() is
called (CVE-2024-4741)
- Fixed an issue where checking excessively long DSA keys or
parameters may be very slow (CVE-2024-4603)
- Fixed unbounded memory growth with session handling in TLSv1.3
(CVE-2024-2511)
* Major changes between OpenSSL 3.1.4 and OpenSSL 3.1.5 [30 Jan 2024]
- Fixed PKCS12 Decoding crashes (CVE-2024-0727)
- Fixed Excessive time spent checking invalid RSA public keys
[CVE-2023-6237)
- Fixed POLY1305 MAC implementation corrupting vector registers
on PowerPC CPUs which support PowerISA 2.07 (CVE-2023-6129)
- Fix excessive time spent in DH check / generation with large
Q parameter value (CVE-2023-5678)
* Update openssl.keyring with BA5473A2B0587B07FB27CF2D216094DFD0CB81EF
* Rebase patches:
- openssl-Force-FIPS.patch
- openssl-FIPS-embed-hmac.patch
- openssl-FIPS-services-minimize.patch
- openssl-FIPS-RSA-disable-shake.patch
- openssl-CVE-2023-50782.patch
* Remove patches fixed in the update:
- openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
- openssl-CVE-2024-6119.patch openssl-CVE-2024-5535.patch
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=119
76 lines
2.6 KiB
Diff
76 lines
2.6 KiB
Diff
From 48c763ed9cc889806bc01222382ce6f918a408a2 Mon Sep 17 00:00:00 2001
|
|
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
|
|
Date: Mon, 21 Aug 2023 16:12:33 +0200
|
|
Subject: [PATCH 46/48]
|
|
0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
|
|
|
|
Patch-name: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
|
|
Patch-id: 112
|
|
---
|
|
providers/implementations/kdfs/pbkdf2.c | 40 +++++++++++++++++++++++--
|
|
1 file changed, 37 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
|
|
index 11820d1e69..bae2238ab5 100644
|
|
--- a/providers/implementations/kdfs/pbkdf2.c
|
|
+++ b/providers/implementations/kdfs/pbkdf2.c
|
|
@@ -284,11 +284,42 @@ static const OSSL_PARAM *kdf_pbkdf2_settable_ctx_params(ossl_unused void *ctx,
|
|
|
|
static int kdf_pbkdf2_get_ctx_params(void *vctx, OSSL_PARAM params[])
|
|
{
|
|
+#ifdef FIPS_MODULE
|
|
+ KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx;
|
|
+#endif /* defined(FIPS_MODULE) */
|
|
OSSL_PARAM *p;
|
|
+ int any_valid = 0; /* set to 1 when at least one parameter was valid */
|
|
+
|
|
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) {
|
|
+ any_valid = 1;
|
|
+
|
|
+ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX))
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+#ifdef FIPS_MODULE
|
|
+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR))
|
|
+ != NULL) {
|
|
+ int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED;
|
|
+
|
|
+ /* The lower_bound_checks parameter enables checks required by FIPS. If
|
|
+ * those checks are disabled, the PBKDF2 implementation will also
|
|
+ * support non-approved parameters (e.g., salt lengths < 16 bytes, see
|
|
+ * NIST SP 800-132 section 5.1). */
|
|
+ if (!ctx->lower_bound_checks)
|
|
+ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED;
|
|
|
|
- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL)
|
|
- return OSSL_PARAM_set_size_t(p, SIZE_MAX);
|
|
- return -2;
|
|
+ if (!OSSL_PARAM_set_int(p, fips_indicator))
|
|
+ return 0;
|
|
+
|
|
+ any_valid = 1;
|
|
+ }
|
|
+#endif /* defined(FIPS_MODULE) */
|
|
+
|
|
+ if (!any_valid)
|
|
+ return -2;
|
|
+
|
|
+ return 1;
|
|
}
|
|
|
|
static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
|
|
@@ -296,6 +327,9 @@ static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx,
|
|
{
|
|
static const OSSL_PARAM known_gettable_ctx_params[] = {
|
|
OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL),
|
|
+#ifdef FIPS_MODULE
|
|
+ OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, NULL),
|
|
+#endif /* defined(FIPS_MODULE) */
|
|
OSSL_PARAM_END
|
|
};
|
|
return known_gettable_ctx_params;
|
|
--
|
|
2.41.0
|
|
|