pool/openssl-3
SHA256
11
0
Fork 2
Code Issues Pull Requests Activity
Files
8a00581af4ad0a0b292daa774def0106abcabaf462fbb2aac57d04d6c3d0fc0f
openssl-3/openssl-FIPS-140-3-zeroization.patch
Pedro Monreal Gonzalez 8a00581af4 - Update to 3.5.0: 
* Changes:
    - Default encryption cipher for the req, cms, and smime applications
      changed from des-ede3-cbc to aes-256-cbc.
    - The default TLS supported groups list has been changed to include
      and prefer hybrid PQC KEM groups. Some practically unused groups
      were removed from the default list.
    - The default TLS keyshares have been changed to offer X25519MLKEM768
      and and X25519.
    - All BIO_meth_get_*() functions were deprecated.
  * New features:
    - Support for server side QUIC (RFC 9000)
    - Support for 3rd party QUIC stacks including 0-RTT support
    - Support for PQC algorithms (ML-KEM, ML-DSA and SLH-DSA)
    - A new configuration option no-tls-deprecated-ec to disable support
      for TLS groups deprecated in RFC8422
    - A new configuration option enable-fips-jitter to make the FIPS
      provider to use the JITTER seed source
    - Support for central key generation in CMP
    - Support added for opaque symmetric key objects (EVP_SKEY)
    - Support for multiple TLS keyshares and improved TLS key establishment
      group configurability
    - API support for pipelining in provided cipher algorithms
  * Remove patches:
    - openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch
    - openssl-3-support-CPACF-sha3-shake-perf-improvement.patch
    - openssl-3-add-defines-CPACF-funcs.patch
    - openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch
    - openssl-3-add-xof-state-handling-s3_absorb.patch
    - openssl-3-fix-state-handling-sha3_absorb_s390x.patch

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=139
2025-04-16 13:02:20 +00:00

82 lines
2.7 KiB
Diff
Raw Blame History

Index: openssl-3.2.3/crypto/ec/ec_lib.c
===================================================================
--- openssl-3.2.3.orig/crypto/ec/ec_lib.c
+++ openssl-3.2.3/crypto/ec/ec_lib.c
@@ -743,12 +743,16 @@ EC_POINT *EC_POINT_new(const EC_GROUP *g
void EC_POINT_free(EC_POINT *point)
{
+#ifdef FIPS_MODULE
+ EC_POINT_clear_free(point);
+#else
if (point == NULL)
return;
if (point->meth->point_finish != 0)
point->meth->point_finish(point);
OPENSSL_free(point);
+#endif
}
void EC_POINT_clear_free(EC_POINT *point)
Index: openssl-3.2.3/crypto/ffc/ffc_params.c
===================================================================
--- openssl-3.2.3.orig/crypto/ffc/ffc_params.c
+++ openssl-3.2.3/crypto/ffc/ffc_params.c
@@ -27,10 +27,10 @@ void ossl_ffc_params_init(FFC_PARAMS *pa
void ossl_ffc_params_cleanup(FFC_PARAMS *params)
{
- BN_free(params->p);
- BN_free(params->q);
- BN_free(params->g);
- BN_free(params->j);
+ BN_clear_free(params->p);
+ BN_clear_free(params->q);
+ BN_clear_free(params->g);
+ BN_clear_free(params->j);
OPENSSL_free(params->seed);
ossl_ffc_params_init(params);
}
Index: openssl-3.2.3/crypto/rsa/rsa_lib.c
===================================================================
--- openssl-3.2.3.orig/crypto/rsa/rsa_lib.c
+++ openssl-3.2.3/crypto/rsa/rsa_lib.c
@@ -159,8 +159,8 @@ void RSA_free(RSA *r)
CRYPTO_THREAD_lock_free(r->lock);
CRYPTO_FREE_REF(&r->references);
- BN_free(r->n);
- BN_free(r->e);
+ BN_clear_free(r->n);
+ BN_clear_free(r->e);
BN_clear_free(r->d);
BN_clear_free(r->p);
BN_clear_free(r->q);
Index: openssl-3.2.3/providers/implementations/kdfs/hkdf.c
===================================================================
--- openssl-3.2.3.orig/providers/implementations/kdfs/hkdf.c
+++ openssl-3.2.3/providers/implementations/kdfs/hkdf.c
@@ -117,7 +117,7 @@ static void kdf_hkdf_reset(void *vctx)
void *provctx = ctx->provctx;
ossl_prov_digest_reset(&ctx->digest);
- OPENSSL_free(ctx->salt);
+ OPENSSL_clear_free(ctx->salt, ctx->salt_len);
OPENSSL_free(ctx->prefix);
OPENSSL_free(ctx->label);
OPENSSL_clear_free(ctx->data, ctx->data_len);
Index: openssl-3.2.3/providers/implementations/kdfs/pbkdf2.c
===================================================================
--- openssl-3.2.3.orig/providers/implementations/kdfs/pbkdf2.c
+++ openssl-3.2.3/providers/implementations/kdfs/pbkdf2.c
@@ -90,7 +90,7 @@ static void *kdf_pbkdf2_new(void *provct
static void kdf_pbkdf2_cleanup(KDF_PBKDF2 *ctx)
{
ossl_prov_digest_reset(&ctx->digest);
- OPENSSL_free(ctx->salt);
+ OPENSSL_clear_free(ctx->salt, ctx->salt_len);
OPENSSL_clear_free(ctx->pass, ctx->pass_len);
memset(ctx, 0, sizeof(*ctx));
}
Reference in New Issue View Git Blame Copy Permalink