Pedro Monreal Gonzalez
18ecb7a582
- Security fix: [bsc#1227138, CVE-2024-5535] * SSL_select_next_proto buffer overread * Add openssl-CVE-2024-5535.patch - Apply "openssl-CVE-2024-4741.patch" to fix a use-after-free security vulnerability. Calling the function SSL_free_buffers() potentially caused memory to be accessed that was previously freed in some situations and a malicious attacker could attempt to engineer a situation where this occurs to facilitate a denial-of-service attack. [CVE-2024-4741, bsc#1225551] OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=164
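diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c
index 43c916fc1..fab410b9e 100644
--- a/crypto/ec/ec_key.c
+++ b/crypto/ec/ec_key.c
@@ -472,16 +472,16 @@ int ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx)
 */
 if (eckey->priv_key != NULL) {
 if (BN_cmp(eckey->priv_key, order) >= 0) {
- ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, EC_R_WRONG_ORDER);
+ ECerr(EC_F_EC_KEY_PUBLIC_CHECK, EC_R_WRONG_ORDER);
 goto err;
 }
 if (!EC_POINT_mul(eckey->group, point, eckey->priv_key,
 NULL, NULL, ctx)) {
- ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, ERR_R_EC_LIB);
+ ECerr(EC_F_EC_KEY_PUBLIC_CHECK, ERR_R_EC_LIB);
 goto err;
 }
 if (EC_POINT_cmp(eckey->group, point, eckey->pub_key, ctx) != 0) {
- ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, EC_R_INVALID_PRIVATE_KEY);
+ ECerr(EC_F_EC_KEY_PUBLIC_CHECK, EC_R_INVALID_PRIVATE_KEY);
 goto err;
 }
 }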
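Review bot: `EC_F_EC_KEY_PUBLIC_CHECK` is now used in all three `ECerr()` calls of this hunk, but nothing in this patch defines it or registers a name for it; the only codes the patch adds are the `FIPS_F_*` ones in include/openssl/fips.h. If an earlier patch in the series does not already provide the define in the EC error header, the build breaks, and if only the string-table entry is missing, the error queue reports a bare function number for these private-key validation failures. Both are worth confirming before this is relied on for diagnosing rejected keys. The enclosing function starts and ends outside the hunk.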
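diff --git a/crypto/ec/ecdh_ossl.c b/crypto/ec/ecdh_ossl.c
index 8794a6781..f38137388 100644
--- a/crypto/ec/ecdh_ossl.c
+++ b/crypto/ec/ecdh_ossl.c
@@ -28,7 +28,7 @@ int ossl_ecdh_compute_key(unsigned char **psec, size_t *pseclen,
 {
 #ifdef OPENSSL_FIPS
 if (FIPS_selftest_failed()) {
- FIPSerr(FIPS_F_ECDH_COMPUTE_KEY, FIPS_R_FIPS_SELFTEST_FAILED);
+ FIPSerr(FIPS_F_OSSL_ECDH_COMPUTE_KEY, FIPS_R_FIPS_SELFTEST_FAILED);
 return -1;
 }
 #endif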
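Review bot: The self-test failure path still ends in `return -1;`, and -1 is non-zero, so a caller that tests this function's result with `!` would read a failed FIPS self-test as success and go on to use `*psec` and `*pseclen`, which this path never sets. The callers are outside the hunk, so this needs confirming against them; if they do follow a 1/0 convention, `return 0;` after the `FIPSerr()` call makes the path fail closed. The function body continues outside the hunk.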
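diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c
index 3445abd02..9e9526241 100644
--- a/crypto/ec/ecdsa_ossl.c
+++ b/crypto/ec/ecdsa_ossl.c
@@ -204,7 +204,7 @@ ECDSA_SIG *ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len,
 
 #ifdef OPENSSL_FIPS
 if (FIPS_selftest_failed()) {
- FIPSerr(FIPS_F_OSSL_ECDSA_SIGN_SIG, FIPS_R_FIPS_SELFTEST_FAILED);
+ FIPSerr(FIPS_F_ECDSA_SIMPLE_SIGN_SIG, FIPS_R_FIPS_SELFTEST_FAILED);
 return NULL;
 }
 #endif
@@ -373,7 +373,7 @@ int ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len,
 
 #ifdef OPENSSL_FIPS
 if (FIPS_selftest_failed()) {
- FIPSerr(FIPS_F_OSSL_ECDSA_VERIFY_SIG, FIPS_R_FIPS_SELFTEST_FAILED);
+ FIPSerr(FIPS_F_ECDSA_SIMPLE_VERIFY_SIG, FIPS_R_FIPS_SELFTEST_FAILED);
 return -1;
 }
 #endif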
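Review bot: The verify hunk returns -1 when the FIPS self-test has failed, and nothing here documents that callers can only tell this from a valid signature by comparing the result with 1; a plain truthiness test would accept it. A comment above the `#ifdef OPENSSL_FIPS` block in `ecdsa_simple_verify_sig` would make the contract explicit, for example `/* -1 = error (incl. FIPS self-test failure), not "valid"; callers must test == 1 */`. Both functions start and end outside their hunks.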
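diff --git a/crypto/fips/fips_sha_selftest.c b/crypto/fips/fips_sha_selftest.c
index 035c2c092..4a6336248 100644
--- a/crypto/fips/fips_sha_selftest.c
+++ b/crypto/fips/fips_sha_selftest.c
@@ -195,25 +195,25 @@ int FIPS_selftest_sha3(void)
 
 EVP_Digest(msg_sha3_256, sizeof(msg_sha3_256), md, NULL, EVP_sha3_256(), NULL);
 if (memcmp(dig_sha3_256, md, sizeof(dig_sha3_256))) {
- FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED);
+ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA3, FIPS_R_SELFTEST_FAILED);
 return 0;
 }
 
 EVP_Digest(msg_sha3_512, sizeof(msg_sha3_512), md, NULL, EVP_sha3_512(), NULL);
 if (memcmp(dig_sha3_512, md, sizeof(dig_sha3_512))) {
- FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED);
+ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA3, FIPS_R_SELFTEST_FAILED);
 return 0;
 }
 
 EVP_Digest(msg_shake_128, sizeof(msg_shake_128), md, NULL, EVP_shake128(), NULL);
 if (memcmp(dig_shake_128, md, sizeof(dig_shake_128))) {
- FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED);
+ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA3, FIPS_R_SELFTEST_FAILED);
 return 0;
 }
 
 EVP_Digest(msg_shake_256, sizeof(msg_shake_256), md, NULL, EVP_shake256(), NULL);
 if (memcmp(dig_shake_256, md, sizeof(dig_shake_256))) {
- FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED);
+ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA3, FIPS_R_SELFTEST_FAILED);
 return 0;
 }
 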
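Review bot: None of the four `EVP_Digest()` calls in this hunk has its return value checked, so when the digest computation itself fails, the `memcmp()` that follows compares against whatever `md` held before. For the first test that may be uninitialised memory (the declaration of `md` is outside the hunk). Folding the call into the condition makes a digest error fail the self-test explicitly: `if (!EVP_Digest(msg_sha3_256, sizeof(msg_sha3_256), md, NULL, EVP_sha3_256(), NULL) || memcmp(dig_sha3_256, md, sizeof(dig_sha3_256))) {`, and likewise for the SHA3-512, SHAKE128 and SHAKE256 cases. `FIPS_selftest_sha3` starts before the hunk and continues after it.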
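diff --git a/include/openssl/fips.h b/include/openssl/fips.h
index e4208cbfa..7af006e7b 100644
--- a/include/openssl/fips.h
+++ b/include/openssl/fips.h
@@ -130,8 +130,13 @@ extern "C" {
 # define FIPS_F_FIPS_SELFTEST_HKDF 155
 # define FIPS_F_FIPS_SELFTEST_SHA1 115
 # define FIPS_F_FIPS_SELFTEST_SHA2 105
+# define FIPS_F_FIPS_SELFTEST_SHA3 156
+# define FIPS_F_ECDSA_SIMPLE_VERIFY_SIG 157
+# define FIPS_F_ECDSA_SIMPLE_SIGN_SIG 158
 # define FIPS_F_OSSL_ECDSA_SIGN_SIG 143
 # define FIPS_F_OSSL_ECDSA_VERIFY_SIG 148
+# define FIPS_F_OSSL_ECDSA_SIMPLE_VERIFY_SIG 159
+# define FIPS_F_OSSL_ECDH_COMPUTE_KEY 160
 # define FIPS_F_RSA_BUILTIN_KEYGEN 116
 # define FIPS_F_RSA_OSSL_INIT 149
 # define FIPS_F_RSA_OSSL_PRIVATE_DECRYPT 117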
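Review bot: `FIPS_F_OSSL_ECDSA_SIMPLE_VERIFY_SIG` (159) is defined here but no hunk in this patch uses it; crypto/ec/ecdsa_ossl.c raises `FIPS_F_ECDSA_SIMPLE_VERIFY_SIG` (157) instead, so 159 looks like a leftover and could be dropped. The five new codes are also added as numbers only: no hunk adds matching entries to the FIPS function-name string table, so unless that happens elsewhere in the series these self-test errors are reported with a bare function number. The surrounding list appears to be kept in alphabetical order, which suggests a generated header, so the hand-inserted lines may be lost if it is regenerated.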