jonathan/openssl
1
0
Fork 0
forked from rpms/openssl
Code Pull Requests Activity

On the s390x, zeroize all the copies of TLS premaster secret

Browse Source 
Related: rhbz#2040448
This commit is contained in:
Dmitry Belyavskiy 2022-01-26 16:50:19 +01:00
parent 92e721fa5d
commit 8c3b745547
2 changed files with 29 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
0046-FIPS-s390x-hardening.patch Normal file
View File

@ -0,0 +1,22 @@
diff --git a/crypto/ec/ecp_s390x_nistp.c b/crypto/ec/ecp_s390x_nistp.c
index 5c70b2d67840..c5726c638bdd 100644
--- a/crypto/ec/ecp_s390x_nistp.c
+++ b/crypto/ec/ecp_s390x_nistp.c
@@ -116,7 +116,7 @@ static int ec_GFp_s390x_nistp_mul(const EC_GROUP *group, EC_POINT *r,
/* Otherwise use default. */
if (rc == -1)
rc = ossl_ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx);
- OPENSSL_cleanse(param + S390X_OFF_SCALAR(len), len);
+ OPENSSL_cleanse(param, sizeof(param));
BN_CTX_end(ctx);
BN_CTX_free(new_ctx);
return rc;
@@ -212,7 +212,7 @@ static ECDSA_SIG *ecdsa_s390x_nistp_sign_sig(const unsigned char *dgst,
ok = 1;
ret:
- OPENSSL_cleanse(param + S390X_OFF_K(len), 2 * len);
+ OPENSSL_cleanse(param, sizeof(param));
if (ok != 1) {
ECDSA_SIG_free(sig);
sig = NULL;

8
openssl.spec
View File

@ -15,7 +15,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 3.0.1 Version: 3.0.1
Release: 4%{?dist} Release: 5%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
@ -67,6 +67,8 @@ Patch34: 0034.fipsinstall_disable.patch
Patch35: 0035-speed-skip-unavailable-dgst.patch Patch35: 0035-speed-skip-unavailable-dgst.patch
# Minimize fips services # Minimize fips services
Patch45: 0045-FIPS-services-minimize.patch Patch45: 0045-FIPS-services-minimize.patch
# Backport of s390x hardening, https://github.com/openssl/openssl/pull/17486
Patch46: 0046-FIPS-s390x-hardening.patch
# Execute KATS before HMAC verification # Execute KATS before HMAC verification
Patch47: 0047-FIPS-early-KATS.patch Patch47: 0047-FIPS-early-KATS.patch
@ -396,6 +398,10 @@ install -m644 %{SOURCE9} \
%ldconfig_scriptlets libs %ldconfig_scriptlets libs
%changelog %changelog
* Wed Jan 26 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-5
- On the s390x, zeroize all the copies of TLS premaster secret
- Related: rhbz#2040448
* Fri Jan 21 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-4 * Fri Jan 21 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-4
- rebuilt - rebuilt