SSL ECDHE Kex fails when pkcs11 engine is set in config file
Resolves: RHEL-20249
This commit is contained in:
parent
0707122b95
commit
08c722bcd1
47
0134-engine-based-ECDHE-kex.patch
Normal file
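--- a/0134-engine-based-ECDHE-kex.patch
+++ b/0134-engine-based-ECDHE-kex.patch
@@ -0,0 +1,47 @@
+diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c
+index 448a3c3043c1c..9010fa6c4638c 100644
+--- a/crypto/evp/ctrl_params_translate.c
++++ b/crypto/evp/ctrl_params_translate.c
+@@ -1134,6 +1134,7 @@ static int fix_ec_paramgen_curve_nid(enum state state,
+const struct translation_st *translation,
+struct translation_ctx_st *ctx)
+{
++ char *p2 = NULL;
+int ret;
+
+if ((ret = default_check(state, translation, ctx)) <= 0)
+@@ -1146,13 +1147,25 @@ static int fix_ec_paramgen_curve_nid(enum state state,
+if (state == PRE_CTRL_TO_PARAMS) {
+ctx->p2 = (char *)OBJ_nid2sn(ctx->p1);
+ctx->p1 = 0;
++ } else if (state == PRE_PARAMS_TO_CTRL) {
++ /*
++ * We're translating from params to ctrl and setting the curve name.
++ * The ctrl function needs it to be a NID, but meanwhile, we need
++ * space to get the curve name from the param. |ctx->name_buf| is
++ * sufficient for that.
++ * The double indirection is necessary for default_fixup_args()'s
++ * call of OSSL_PARAM_get_utf8_string() to be done correctly.
++ */
++ p2 = ctx->name_buf;
++ ctx->p2 = &p2;
++ ctx->sz = sizeof(ctx->name_buf);
+}
+
+if ((ret = default_fixup_args(state, translation, ctx)) <= 0)
+return ret;
+
+if (state == PRE_PARAMS_TO_CTRL) {
+- ctx->p1 = OBJ_sn2nid(ctx->p2);
++ ctx->p1 = OBJ_sn2nid(p2);
+ctx->p2 = NULL;
+}
+
+@@ -2789,6 +2802,7 @@ static int evp_pkey_ctx_setget_params_to_ctrl(EVP_PKEY_CTX *pctx,
+if (translation->fixup_args != NULL)
+fixup = translation->fixup_args;
+ctx.action_type = translation->action_type;
++ ctx.ctrl_cmd = translation->ctrl_num;
+}
+ctx.pctx = pctx;
+ctx.params = params;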
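Review bot: The new patch file has no provenance preamble — no `From:`/`Subject:`/`Date:` header and no upstream commit id — so the only record of where this backport comes from is the `# https://github.com/openssl/openssl/pull/20780` comment in the spec, which makes it hard to audit the patch against upstream or to notice drift on the next rebase. A short header at the top of the patch naming the upstream PR, the upstream commit id once it is merged (`[UPSTREAM COMMIT ID]`), and a one-line rationale ("curve name arrives as a UTF-8 param and must be translated to a NID before the engine ctrl") would close that gap. In the second `fix_ec_paramgen_curve_nid` hunk, `ctx->p1 = OBJ_sn2nid(p2);` still forwards `NID_undef` (0) to the ctrl when the name copied into `name_buf` is not a known short name; that mirrors the removed line, so it is pre-existing rather than introduced here, but a comment like `/* NID_undef for an unknown name is left for the ctrl to reject */` would make the intent explicit, assuming that is indeed the ctrl's behaviour, which cannot be confirmed from the hunk. Both `fix_ec_paramgen_curve_nid` and `evp_pkey_ctx_setget_params_to_ctrl` continue outside the hunks shown.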
@ -210,6 +210,8 @@ Patch131: 0131-sslgroups-memleak.patch
|
|||||||
Patch132: 0132-CVE-2023-6129.patch
|
Patch132: 0132-CVE-2023-6129.patch
|
||||||
# https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a
|
# https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a
|
||||||
Patch133: 0133-CVE-2023-6237.patch
|
Patch133: 0133-CVE-2023-6237.patch
|
||||||
|
# https://github.com/openssl/openssl/pull/20780
|
||||||
|
Patch134: 0134-engine-based-ECDHE-kex.patch
|
||||||
|
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
URL: http://www.openssl.org/
|
URL: http://www.openssl.org/
|
||||||
@ -550,6 +552,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
|
|||||||
Resolves: RHEL-21151
|
Resolves: RHEL-21151
|
||||||
- Excessive time spent checking invalid RSA public keys (CVE-2023-6237)
|
- Excessive time spent checking invalid RSA public keys (CVE-2023-6237)
|
||||||
Resolves: RHEL-21654
|
Resolves: RHEL-21654
|
||||||
|
- SSL ECDHE Kex fails when pkcs11 engine is set in config file
|
||||||
|
Resolves: RHEL-20249
|
||||||
|
|
||||||
* Mon Oct 16 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-25
|
* Mon Oct 16 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-25
|
||||||
- Provide relevant diagnostics when FIPS checksum is corrupted
|
- Provide relevant diagnostics when FIPS checksum is corrupted
|
||||||
|