forked from pool/openssl
f7574150c5
- Updated to openssl 1.0.2k - bsc#1009528 / CVE-2016-7055: openssl: Montgomery multiplication may produce incorrect results - bsc#1019334 / CVE-2016-7056: openssl: ECSDA P-256 timing attack key recovery - bsc#1022085 / CVE-2017-3731: openssl: Truncated packet could crash via OOB read - bsc#1022086 / CVE-2017-3732: openssl: BN_mod_exp may produce incorrect results on x86_64 OBS-URL: https://build.opensuse.org/request/show/452919 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=135
129 lines
4.2 KiB
Diff
129 lines
4.2 KiB
Diff
Index: openssl-1.0.2i/apps/dgst.c
|
|
===================================================================
|
|
--- openssl-1.0.2i.orig/apps/dgst.c 2016-09-22 12:23:06.000000000 +0200
|
|
+++ openssl-1.0.2i/apps/dgst.c 2016-09-23 10:20:02.162323196 +0200
|
|
@@ -147,7 +147,7 @@ int MAIN(int argc, char **argv)
|
|
/* first check the program name */
|
|
program_name(argv[0], pname, sizeof pname);
|
|
|
|
- md = EVP_get_digestbyname(pname);
|
|
+ md = EVP_get_digestbyname_fips_disabled(pname);
|
|
|
|
argc--;
|
|
argv++;
|
|
@@ -235,7 +235,7 @@ int MAIN(int argc, char **argv)
|
|
macopts = sk_OPENSSL_STRING_new_null();
|
|
if (!macopts || !sk_OPENSSL_STRING_push(macopts, *(++argv)))
|
|
break;
|
|
- } else if ((m = EVP_get_digestbyname(&((*argv)[1]))) != NULL)
|
|
+ } else if ((m = EVP_get_digestbyname_fips_disabled(&((*argv)[1]))) != NULL)
|
|
md = m;
|
|
else
|
|
break;
|
|
Index: openssl-1.0.2i/apps/apps.c
|
|
===================================================================
|
|
--- openssl-1.0.2i.orig/apps/apps.c 2016-09-22 12:23:06.000000000 +0200
|
|
+++ openssl-1.0.2i/apps/apps.c 2016-09-23 10:20:02.162323196 +0200
|
|
@@ -3266,3 +3266,45 @@ int raw_write_stdout(const void *buf, in
|
|
return write(fileno_stdout(), buf, siz);
|
|
}
|
|
#endif
|
|
+
|
|
+
|
|
+const EVP_MD *EVP_get_digestbyname_fips_disabled(const char *name)
|
|
+ {
|
|
+ int saved_fips_mode = FIPS_mode();
|
|
+ EVP_MD *md;
|
|
+
|
|
+ if (saved_fips_mode)
|
|
+ FIPS_mode_set(0);
|
|
+
|
|
+ OpenSSL_add_all_digests();
|
|
+ md=EVP_get_digestbyname(name);
|
|
+
|
|
+ if (saved_fips_mode && !FIPS_mode_set(saved_fips_mode)) {
|
|
+ ERR_load_crypto_strings();
|
|
+ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
|
|
+ EXIT(1);
|
|
+ }
|
|
+
|
|
+ return md;
|
|
+ }
|
|
+
|
|
+const EVP_CIPHER *EVP_get_cipherbyname_fips_disabled(const char *name)
|
|
+ {
|
|
+ int saved_fips_mode = FIPS_mode();
|
|
+ EVP_CIPHER *ciph;
|
|
+
|
|
+ if (saved_fips_mode)
|
|
+ FIPS_mode_set(0);
|
|
+
|
|
+ OpenSSL_add_all_ciphers();
|
|
+ ciph=EVP_get_cipherbyname(name);
|
|
+
|
|
+ if (saved_fips_mode && !FIPS_mode_set(saved_fips_mode)) {
|
|
+ ERR_load_crypto_strings();
|
|
+ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
|
|
+ EXIT(1);
|
|
+ }
|
|
+
|
|
+ return ciph;
|
|
+ }
|
|
+
|
|
Index: openssl-1.0.2i/apps/apps.h
|
|
===================================================================
|
|
--- openssl-1.0.2i.orig/apps/apps.h 2016-09-22 12:23:06.000000000 +0200
|
|
+++ openssl-1.0.2i/apps/apps.h 2016-09-23 10:20:02.162323196 +0200
|
|
@@ -348,6 +348,9 @@ void print_cert_checks(BIO *bio, X509 *x
|
|
|
|
void store_setup_crl_download(X509_STORE *st);
|
|
|
|
+const EVP_MD *EVP_get_digestbyname_fips_disabled(const char *name);
|
|
+const EVP_CIPHER *EVP_get_cipherbyname_fips_disabled(const char *name);
|
|
+
|
|
# define FORMAT_UNDEF 0
|
|
# define FORMAT_ASN1 1
|
|
# define FORMAT_TEXT 2
|
|
Index: openssl-1.0.2i/apps/enc.c
|
|
===================================================================
|
|
--- openssl-1.0.2i.orig/apps/enc.c 2016-09-22 12:23:06.000000000 +0200
|
|
+++ openssl-1.0.2i/apps/enc.c 2016-09-23 10:20:02.162323196 +0200
|
|
@@ -150,7 +150,7 @@ int MAIN(int argc, char **argv)
|
|
do_zlib = 1;
|
|
#endif
|
|
|
|
- cipher = EVP_get_cipherbyname(pname);
|
|
+ cipher = EVP_get_cipherbyname_fips_disabled(pname);
|
|
#ifdef ZLIB
|
|
if (!do_zlib && !base64 && (cipher == NULL)
|
|
&& (strcmp(pname, "enc") != 0))
|
|
@@ -269,7 +269,7 @@ int MAIN(int argc, char **argv)
|
|
} else if (strcmp(*argv, "-non-fips-allow") == 0)
|
|
non_fips_allow = 1;
|
|
else if ((argv[0][0] == '-') &&
|
|
- ((c = EVP_get_cipherbyname(&(argv[0][1]))) != NULL)) {
|
|
+ ((c = EVP_get_cipherbyname_fips_disabled(&(argv[0][1]))) != NULL)) {
|
|
cipher = c;
|
|
} else if (strcmp(*argv, "-none") == 0)
|
|
cipher = NULL;
|
|
@@ -322,6 +322,10 @@ int MAIN(int argc, char **argv)
|
|
argv++;
|
|
}
|
|
|
|
+ /* drop out of fips mode if we should allow non-fips algos */
|
|
+ if (non_fips_allow)
|
|
+ FIPS_mode_set(0);
|
|
+
|
|
e = setup_engine(bio_err, engine, 0);
|
|
|
|
if (cipher && EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
|
|
@@ -338,7 +342,7 @@ int MAIN(int argc, char **argv)
|
|
goto end;
|
|
}
|
|
|
|
- if (md && (dgst = EVP_get_digestbyname(md)) == NULL) {
|
|
+ if (md && (dgst = EVP_get_digestbyname_fips_disabled(md)) == NULL) {
|
|
BIO_printf(bio_err, "%s is an unsupported message digest type\n", md);
|
|
goto end;
|
|
}
|