jonathan/openssl
1
0
Fork 0
forked from rpms/openssl
Code Pull Requests Activity

Remove the listing of brainpool curves in FIPS mode

Browse Source 
Related: rhbz#2188180
Signed-off-by: Sahana Prasad <sahana@redhat.com>
This commit is contained in:
Sahana Prasad 2023-06-26 10:15:57 +02:00
parent d1a87553bb
commit 05b87f449d
2 changed files with 21 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
0045-FIPS-services-minimize.patch
View File

@ -737,3 +737,19 @@ diff -up openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen
if (!ossl_prov_is_running()) if (!ossl_prov_is_running())
return 0; return 0;
diff -up openssl-3.0.7/apps/ecparam.c.minfips openssl-3.0.7/apps/ecparam.c
--- openssl-3.0.7/apps/ecparam.c.minfips 2023-06-24 09:58:57.773344910 +0200
+++ openssl-3.0.7/apps/ecparam.c 2023-06-26 09:18:06.843859405 +0200
@@ -79,7 +79,11 @@ static int list_builtin_curves(BIO *out)
const char *comment = curves[n].comment;
const char *sname = OBJ_nid2sn(curves[n].nid);
- if ((curves[n].nid == NID_secp256k1) && EVP_default_properties_is_fips_enabled(NULL))
+ if (((curves[n].nid == NID_secp256k1) || (curves[n].nid == NID_brainpoolP256r1)
+ || (curves[n].nid == NID_brainpoolP256t1) || (curves[n].nid == NID_brainpoolP320r1)
+ || (curves[n].nid == NID_brainpoolP320t1) || (curves[n].nid == NID_brainpoolP384r1)
+ || (curves[n].nid == NID_brainpoolP384t1) || (curves[n].nid == NID_brainpoolP512r1)
+ || (curves[n].nid == NID_brainpoolP512t1)) && EVP_default_properties_is_fips_enabled(NULL))
continue;
if (comment == NULL)

6
openssl.spec
View File

@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 3.0.7 Version: 3.0.7
Release: 20%{?dist} Release: 21%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
@ -520,6 +520,10 @@ install -m644 %{SOURCE9} \
%ldconfig_scriptlets libs %ldconfig_scriptlets libs
%changelog %changelog
* Mon Jun 26 2023 Sahana Prasad <sahana@redhat.com> - 1:3.0.7-21
- Remove the listing of brainpool curves in FIPS mode.
Related: rhbz#2188180
* Tue May 30 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-20 * Tue May 30 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-20
- Fix possible DoS translating ASN.1 object identifiers - Fix possible DoS translating ASN.1 object identifiers
Resolves: CVE-2023-2650 Resolves: CVE-2023-2650