testing/openssl
SHA256
3
0
Fork 0
forked from pool/openssl
Code Pull Requests Activity
021091d55f
openssl/openssl-fips-dont-fall-back-to-default-digest.patch
Dominique Leuenberger 6a01eea162 Accepting request 430498 from Base:System 
- update to openssl-1.0.2j
  * Missing CRL sanity check (CVE-2016-7052 bsc#1001148)

- OpenSSL Security Advisory [22 Sep 2016] (bsc#999665)
  Severity: High
  * OCSP Status Request extension unbounded memory growth
    (CVE-2016-6304) (bsc#999666)
  Severity: Low
  * Pointer arithmetic undefined behaviour (CVE-2016-2177) (bsc#982575)
  * Constant time flag not preserved in DSA signing (CVE-2016-2178) (bsc#983249)
  * DTLS buffered message DoS (CVE-2016-2179) (bsc#994844)
  * OOB read in TS_OBJ_print_bio() (CVE-2016-2180) (bsc#990419)
  * DTLS replay protection DoS (CVE-2016-2181) (bsc#994749)
  * OOB write in BN_bn2dec() (CVE-2016-2182) (bsc#993819)
  * Birthday attack against 64-bit block ciphers (SWEET32)
    (CVE-2016-2183) (bsc#995359)
  * Malformed SHA512 ticket DoS (CVE-2016-6302) (bsc#995324)
  * OOB write in MDC2_Update() (CVE-2016-6303) (bsc#995377)
  * Certificate message OOB reads (CVE-2016-6306) (bsc#999668)
- update to openssl-1.0.2i
  * remove patches:
    openssl-1.0.2a-new-fips-reqs.patch
    openssl-1.0.2e-fips.patch
  * add patches:
    openssl-1.0.2i-fips.patch
    openssl-1.0.2i-new-fips-reqs.patch

- fix crash in print_notice (bsc#998190)
  * add openssl-print_notice-NULL_crash.patch

OBS-URL: https://build.opensuse.org/request/show/430498
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=133
2016-09-28 13:03:33 +00:00

129 lines
4.2 KiB
Diff
Raw Blame History

Index: openssl-1.0.2i/apps/dgst.c
===================================================================
--- openssl-1.0.2i.orig/apps/dgst.c 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/apps/dgst.c 2016-09-23 10:20:02.162323196 +0200
@@ -147,7 +147,7 @@ int MAIN(int argc, char **argv)
/* first check the program name */
program_name(argv[0], pname, sizeof pname);
- md = EVP_get_digestbyname(pname);
+ md = EVP_get_digestbyname_fips_disabled(pname);
argc--;
argv++;
@@ -235,7 +235,7 @@ int MAIN(int argc, char **argv)
macopts = sk_OPENSSL_STRING_new_null();
if (!macopts || !sk_OPENSSL_STRING_push(macopts, *(++argv)))
break;
- } else if ((m = EVP_get_digestbyname(&((*argv)[1]))) != NULL)
+ } else if ((m = EVP_get_digestbyname_fips_disabled(&((*argv)[1]))) != NULL)
md = m;
else
break;
Index: openssl-1.0.2i/apps/apps.c
===================================================================
--- openssl-1.0.2i.orig/apps/apps.c 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/apps/apps.c 2016-09-23 10:20:02.162323196 +0200
@@ -3266,3 +3266,45 @@ int raw_write_stdout(const void *buf, in
return write(fileno_stdout(), buf, siz);
}
#endif
+
+
+const EVP_MD *EVP_get_digestbyname_fips_disabled(const char *name)
+ {
+ int saved_fips_mode = FIPS_mode();
+ EVP_MD *md;
+
+ if (saved_fips_mode)
+ FIPS_mode_set(0);
+
+ OpenSSL_add_all_digests();
+ md=EVP_get_digestbyname(name);
+
+ if (saved_fips_mode && !FIPS_mode_set(saved_fips_mode)) {
+ ERR_load_crypto_strings();
+ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+ EXIT(1);
+ }
+
+ return md;
+ }
+
+const EVP_CIPHER *EVP_get_cipherbyname_fips_disabled(const char *name)
+ {
+ int saved_fips_mode = FIPS_mode();
+ EVP_CIPHER *ciph;
+
+ if (saved_fips_mode)
+ FIPS_mode_set(0);
+
+ OpenSSL_add_all_ciphers();
+ ciph=EVP_get_cipherbyname(name);
+
+ if (saved_fips_mode && !FIPS_mode_set(saved_fips_mode)) {
+ ERR_load_crypto_strings();
+ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+ EXIT(1);
+ }
+
+ return ciph;
+ }
+
Index: openssl-1.0.2i/apps/apps.h
===================================================================
--- openssl-1.0.2i.orig/apps/apps.h 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/apps/apps.h 2016-09-23 10:20:02.162323196 +0200
@@ -348,6 +348,9 @@ void print_cert_checks(BIO *bio, X509 *x
void store_setup_crl_download(X509_STORE *st);
+const EVP_MD *EVP_get_digestbyname_fips_disabled(const char *name);
+const EVP_CIPHER *EVP_get_cipherbyname_fips_disabled(const char *name);
+
# define FORMAT_UNDEF 0
# define FORMAT_ASN1 1
# define FORMAT_TEXT 2
Index: openssl-1.0.2i/apps/enc.c
===================================================================
--- openssl-1.0.2i.orig/apps/enc.c 2016-09-22 12:23:06.000000000 +0200
+++ openssl-1.0.2i/apps/enc.c 2016-09-23 10:20:02.162323196 +0200
@@ -150,7 +150,7 @@ int MAIN(int argc, char **argv)
do_zlib = 1;
#endif
- cipher = EVP_get_cipherbyname(pname);
+ cipher = EVP_get_cipherbyname_fips_disabled(pname);
#ifdef ZLIB
if (!do_zlib && !base64 && (cipher == NULL)
&& (strcmp(pname, "enc") != 0))
@@ -269,7 +269,7 @@ int MAIN(int argc, char **argv)
} else if (strcmp(*argv, "-non-fips-allow") == 0)
non_fips_allow = 1;
else if ((argv[0][0] == '-') &&
- ((c = EVP_get_cipherbyname(&(argv[0][1]))) != NULL)) {
+ ((c = EVP_get_cipherbyname_fips_disabled(&(argv[0][1]))) != NULL)) {
cipher = c;
} else if (strcmp(*argv, "-none") == 0)
cipher = NULL;
@@ -322,6 +322,10 @@ int MAIN(int argc, char **argv)
argv++;
}
+ /* drop out of fips mode if we should allow non-fips algos */
+ if (non_fips_allow)
+ FIPS_mode_set(0);
+
#ifndef OPENSSL_NO_ENGINE
setup_engine(bio_err, engine, 0);
#endif
@@ -338,7 +342,7 @@ int MAIN(int argc, char **argv)
goto end;
}
- if (md && (dgst = EVP_get_digestbyname(md)) == NULL) {
+ if (md && (dgst = EVP_get_digestbyname_fips_disabled(md)) == NULL) {
BIO_printf(bio_err, "%s is an unsupported message digest type\n", md);
goto end;
}
View Git Blame Copy Permalink