forked from pool/openssl-1_1
02427a3414
* All the minor versions of the 1.1.x openssl branch have the same
sonum and keep ABI compatibility
- Remove bit obsolete syntax
- Use %license macro
- Don't disable afalgeng on aarch64
- Add support for s390x CPACF enhancements (fate#321518)
patches taken from https://github.com/openssl/openssl/pull/2859:
* 0002-crypto-modes-asm-ghash-s390x.pl-fix-gcm_gmult_4bit-K.patch
* 0004-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch
* 0005-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch
* 0006-s390x-assembly-pack-extended-s390x-capability-vector.patch
* 0007-crypto-evp-e_aes.c-add-foundations-for-extended-s390.patch
* 0008-s390x-assembly-pack-extended-s390x-capability-vector.patch
* 0009-crypto-aes-asm-aes-s390x.pl-add-KMA-code-path.patch
* 0010-doc-man3-OPENSSL_s390xcap.pod-update-KMA.patch
* 0011-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch
* 0012-s390x-assembly-pack-add-KMA-code-path-for-aes-gcm.patch
* 0013-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch
- Do not filter pkgconfig() provides/requires.
- Obsolete openssl-1_0_0 by openssl-1_1_0: this is required for a
clean upgrade path as an aid to zypp (boo#1070003).
- Update to 1.1.0g
OpenSSL Security Advisory [02 Nov 2017]
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=2
75 lines
2.9 KiB
Diff
75 lines
2.9 KiB
Diff
Index: openssl-1.1.0c/crypto/fips/fips.c
|
|
===================================================================
|
|
--- openssl-1.1.0c.orig/crypto/fips/fips.c 2016-12-09 11:34:28.778291575 +0100
|
|
+++ openssl-1.1.0c/crypto/fips/fips.c 2016-12-09 11:37:18.192847119 +0100
|
|
@@ -472,6 +472,44 @@ int FIPS_module_mode_set(int onoff)
|
|
return ret;
|
|
}
|
|
|
|
+/* In non-FIPS mode, the selftests must succeed if the
|
|
+ * checksum files are present
|
|
+ */
|
|
+void NONFIPS_selftest_check(void)
|
|
+{
|
|
+ int rv;
|
|
+ char *hmacpath;
|
|
+ char path[PATH_MAX+1];
|
|
+
|
|
+ if (fips_selftest_fail)
|
|
+ {
|
|
+ /* check if the checksum files are installed */
|
|
+ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set", path, sizeof(path));
|
|
+ if (rv < 0)
|
|
+ OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE");
|
|
+
|
|
+ hmacpath = make_hmac_path(path);
|
|
+ if (hmacpath == NULL)
|
|
+ OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE");
|
|
+
|
|
+ if (access(hmacpath, F_OK))
|
|
+ {
|
|
+ /* no hmac file is present, ignore the failed selftests */
|
|
+ if (errno == ENOENT)
|
|
+ {
|
|
+ free(hmacpath);
|
|
+ return;
|
|
+ }
|
|
+ /* we fail on any other error */
|
|
+ }
|
|
+ /* if the file exists, but the selftests failed
|
|
+ (eg wrong checksum), we fail too */
|
|
+ free(hmacpath);
|
|
+ OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE");
|
|
+ }
|
|
+ /* otherwise ok, selftests were successful */
|
|
+}
|
|
+
|
|
static CRYPTO_THREAD_ID fips_threadid;
|
|
static int fips_thread_set = 0;
|
|
|
|
Index: openssl-1.1.0c/crypto/o_init.c
|
|
===================================================================
|
|
--- openssl-1.1.0c.orig/crypto/o_init.c 2016-12-09 11:34:28.726290785 +0100
|
|
+++ openssl-1.1.0c/crypto/o_init.c 2016-12-09 11:34:28.778291575 +0100
|
|
@@ -44,6 +44,8 @@ static void init_fips_mode(void)
|
|
*/
|
|
|
|
if (buf[0] != '1') {
|
|
+ /* abort if selftest failed and the module is complete */
|
|
+ NONFIPS_selftest_check();
|
|
/* drop down to non-FIPS mode if it is not requested */
|
|
FIPS_mode_set(0);
|
|
} else {
|
|
Index: openssl-1.1.0c/include/openssl/fips.h
|
|
===================================================================
|
|
--- openssl-1.1.0c.orig/include/openssl/fips.h 2016-12-09 11:34:28.654289692 +0100
|
|
+++ openssl-1.1.0c/include/openssl/fips.h 2016-12-09 11:38:18.553750517 +0100
|
|
@@ -65,6 +65,7 @@ extern "C" {
|
|
int FIPS_selftest(void);
|
|
int FIPS_selftest_failed(void);
|
|
int FIPS_selftest_drbg_all(void);
|
|
+ void NONFIPS_selftest_check(void);
|
|
|
|
int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
|
|
const EVP_MD *evpmd, const unsigned char *seed_in,
|