forked from pool/openssl-1_1
Pedro Monreal Gonzalez
18ecb7a582
- Security fix: [bsc#1227138, CVE-2024-5535] * SSL_select_next_proto buffer overread * Add openssl-CVE-2024-5535.patch - Apply "openssl-CVE-2024-4741.patch" to fix a use-after-free security vulnerability. Calling the function SSL_free_buffers() potentially caused memory to be accessed that was previously freed in some situations and a malicious attacker could attempt to engineer a stituation where this occurs to facilitate a denial-of-service attack. [CVE-2024-4741, bsc#1225551] OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=164
118 lines
3.5 KiB
Diff
118 lines
3.5 KiB
Diff
---
|
|
crypto/asn1/ameth_lib.c | 18 ++++++++++++++++++
|
|
crypto/asn1/standard_methods.h | 29 +++++++++++++++++++++++++++++
|
|
crypto/evp/c_alld.c | 6 +++++-
|
|
3 files changed, 52 insertions(+), 1 deletion(-)
|
|
|
|
Index: openssl-1.1.1w/crypto/asn1/ameth_lib.c
|
|
===================================================================
|
|
--- openssl-1.1.1w.orig/crypto/asn1/ameth_lib.c
|
|
+++ openssl-1.1.1w/crypto/asn1/ameth_lib.c
|
|
@@ -35,7 +35,11 @@ IMPLEMENT_OBJ_BSEARCH_CMP_FN(const EVP_P
|
|
|
|
int EVP_PKEY_asn1_get_count(void)
|
|
{
|
|
+#ifdef OPENSSL_FIPS
|
|
+ int num = FIPS_mode() ? OSSL_NELEM(standard_fips_methods) : OSSL_NELEM(standard_methods);
|
|
+#else
|
|
int num = OSSL_NELEM(standard_methods);
|
|
+#endif
|
|
if (app_methods)
|
|
num += sk_EVP_PKEY_ASN1_METHOD_num(app_methods);
|
|
return num;
|
|
@@ -43,11 +47,19 @@ int EVP_PKEY_asn1_get_count(void)
|
|
|
|
const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_get0(int idx)
|
|
{
|
|
+#ifdef OPENSSL_FIPS
|
|
+ int num = FIPS_mode() ? OSSL_NELEM(standard_fips_methods) : OSSL_NELEM(standard_methods);
|
|
+#else
|
|
int num = OSSL_NELEM(standard_methods);
|
|
+#endif
|
|
if (idx < 0)
|
|
return NULL;
|
|
if (idx < num)
|
|
+#ifdef OPENSSL_FIPS
|
|
+ return FIPS_mode() ? standard_fips_methods[idx] : standard_methods[idx];
|
|
+#else
|
|
return standard_methods[idx];
|
|
+#endif
|
|
idx -= num;
|
|
return sk_EVP_PKEY_ASN1_METHOD_value(app_methods, idx);
|
|
}
|
|
@@ -63,7 +75,13 @@ static const EVP_PKEY_ASN1_METHOD *pkey_
|
|
if (idx >= 0)
|
|
return sk_EVP_PKEY_ASN1_METHOD_value(app_methods, idx);
|
|
}
|
|
+#ifdef OPENSSL_FIPS
|
|
+ ret = FIPS_mode() ? \
|
|
+ OBJ_bsearch_ameth(&t, standard_fips_methods, OSSL_NELEM(standard_fips_methods)) : \
|
|
+ OBJ_bsearch_ameth(&t, standard_methods, OSSL_NELEM(standard_methods));
|
|
+#else
|
|
ret = OBJ_bsearch_ameth(&t, standard_methods, OSSL_NELEM(standard_methods));
|
|
+#endif
|
|
if (!ret || !*ret)
|
|
return NULL;
|
|
return *ret;
|
|
Index: openssl-1.1.1w/crypto/asn1/standard_methods.h
|
|
===================================================================
|
|
--- openssl-1.1.1w.orig/crypto/asn1/standard_methods.h
|
|
+++ openssl-1.1.1w/crypto/asn1/standard_methods.h
|
|
@@ -59,3 +59,32 @@ static const EVP_PKEY_ASN1_METHOD *stand
|
|
#endif
|
|
};
|
|
|
|
+static const EVP_PKEY_ASN1_METHOD *standard_fips_methods[] = {
|
|
+#ifndef OPENSSL_NO_RSA
|
|
+ &rsa_asn1_meths[0],
|
|
+ &rsa_asn1_meths[1],
|
|
+#endif
|
|
+#ifndef OPENSSL_NO_DH
|
|
+ &dh_asn1_meth,
|
|
+#endif
|
|
+#ifndef OPENSSL_NO_DSA
|
|
+ &dsa_asn1_meths[0],
|
|
+ &dsa_asn1_meths[1],
|
|
+ &dsa_asn1_meths[2],
|
|
+ &dsa_asn1_meths[3],
|
|
+ &dsa_asn1_meths[4],
|
|
+#endif
|
|
+#ifndef OPENSSL_NO_EC
|
|
+ &eckey_asn1_meth,
|
|
+#endif
|
|
+ &hmac_asn1_meth,
|
|
+#ifndef OPENSSL_NO_CMAC
|
|
+ &cmac_asn1_meth,
|
|
+#endif
|
|
+#ifndef OPENSSL_NO_RSA
|
|
+ &rsa_pss_asn1_meth,
|
|
+#endif
|
|
+#ifndef OPENSSL_NO_DH
|
|
+ &dhx_asn1_meth,
|
|
+#endif
|
|
+};
|
|
Index: openssl-1.1.1w/crypto/evp/c_alld.c
|
|
===================================================================
|
|
--- openssl-1.1.1w.orig/crypto/evp/c_alld.c
|
|
+++ openssl-1.1.1w/crypto/evp/c_alld.c
|
|
@@ -11,13 +11,18 @@
|
|
#include "internal/cryptlib.h"
|
|
#include <openssl/evp.h>
|
|
#include "crypto/evp.h"
|
|
+#include "crypto/fips_int.h"
|
|
#include <openssl/pkcs12.h>
|
|
#include <openssl/objects.h>
|
|
|
|
void openssl_add_all_digests_int(void)
|
|
{
|
|
#ifdef OPENSSL_FIPS
|
|
- if (!FIPS_mode()) {
|
|
+ /*
|
|
+ * This function is called from FIPS_selftest_ecdsa() before FIPS mode is
|
|
+ * turned on. That is the reason why we need to also check fips_in_post().
|
|
+ */
|
|
+ if (!FIPS_mode() && !fips_in_post()) {
|
|
#endif
|
|
#ifndef OPENSSL_NO_MD4
|
|
EVP_add_digest(EVP_md4());
|