SHA256
1
0
forked from pool/openssl-1_1
openssl-1_1/openssl-1_1-ossl-sli-004-allow-aes-xts-256.patch
Pedro Monreal Gonzalez 18ecb7a582 - Build with no-afalgeng [bsc#1226463]
- Security fix: [bsc#1227138, CVE-2024-5535]
  * SSL_select_next_proto buffer overread
  * Add openssl-CVE-2024-5535.patch

- Apply "openssl-CVE-2024-4741.patch" to fix a use-after-free
  security vulnerability. Calling the function SSL_free_buffers()
  potentially caused memory to be accessed that was previously
  freed in some situations and a malicious attacker could attempt
  to engineer a stituation where this occurs to facilitate a
  denial-of-service attack. [CVE-2024-4741, bsc#1225551]

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=164
2024-07-25 08:07:48 +00:00

40 lines
1.5 KiB
Diff

diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
index 6adff696c..29b23f9f7 100644
--- a/crypto/evp/e_aes.c
+++ b/crypto/evp/e_aes.c
@@ -4366,6 +4366,21 @@ FIPS_STATUS EVP_CIPHER_get_fips_status(const EVP_CIPHER *cipher) {
/* intended fall-through */
case 256:
return FIPS_APPROVED;
+ case 512:
+ if (cipher->do_cipher == aes_xts_cipher
+ #if defined(OPENSSL_CPUID_OBJ) && ( \
+ ((defined(__i386) || defined(__i386__) || defined(_M_IX86))\
+ && defined(OPENSSL_IA32_SSE2)) \
+ || defined(__x86_64) || defined(__x86_64__) \
+ || defined(_M_AMD64) || defined(_M_X64))
+ || cipher->do_cipher == aesni_xts_cipher
+ #elif defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
+ || cipher->do_cipher == s390x_aes_xts_cipher
+ #endif
+ )
+ return FIPS_APPROVED;
+ else
+ return FIPS_ERROR;
}
}
/* disapproved for enc and dec: all others, including
diff --git a/test/fips_slitest.c b/test/fips_slitest.c
index d32f748a6..9e37cf36b 100644
--- a/test/fips_slitest.c
+++ b/test/fips_slitest.c
@@ -260,6 +260,8 @@ static const SLI_CIPHER_TEST cipher_tests[] = {
{0, NID_des_ede_ecb},
{0, NID_des_ede_ofb64},
{0, NID_idea_cbc},
+ {1, NID_aes_128_xts},
+ {1, NID_aes_256_xts},
};
static const size_t cipher_tests_len = sizeof(cipher_tests) / sizeof(cipher_tests[0]);