fix SECLEVEL 3 support
fix some issues found in Coverity scan
This commit is contained in:
parent
a985e4b118
commit
68f387b1c4
@ -453,11 +453,11 @@ diff -up openssl-1.1.1/crypto/dsa/dsa_gen.c.fips openssl-1.1.1/crypto/dsa/dsa_ge
|
|||||||
+ ctx = BN_CTX_new();
|
+ ctx = BN_CTX_new();
|
||||||
+ if (ctx == NULL)
|
+ if (ctx == NULL)
|
||||||
+ return -1;
|
+ return -1;
|
||||||
+ BN_CTX_start(ctx);
|
|
||||||
+ if (BN_cmp(dsa->g, BN_value_one()) <= 0)
|
+ if (BN_cmp(dsa->g, BN_value_one()) <= 0)
|
||||||
+ return 0;
|
+ return 0;
|
||||||
+ if (BN_cmp(dsa->g, dsa->p) >= 0)
|
+ if (BN_cmp(dsa->g, dsa->p) >= 0)
|
||||||
+ return 0;
|
+ return 0;
|
||||||
|
+ BN_CTX_start(ctx);
|
||||||
+ tmp = BN_CTX_get(ctx);
|
+ tmp = BN_CTX_get(ctx);
|
||||||
+ if (tmp == NULL)
|
+ if (tmp == NULL)
|
||||||
+ goto err;
|
+ goto err;
|
||||||
@ -697,7 +697,7 @@ diff -up openssl-1.1.1/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.1/crypto/ec/ecdsa
|
|||||||
+#ifdef OPENSSL_FIPS
|
+#ifdef OPENSSL_FIPS
|
||||||
+ if (FIPS_selftest_failed()) {
|
+ if (FIPS_selftest_failed()) {
|
||||||
+ FIPSerr(FIPS_F_OSSL_ECDSA_VERIFY_SIG, FIPS_R_FIPS_SELFTEST_FAILED);
|
+ FIPSerr(FIPS_F_OSSL_ECDSA_VERIFY_SIG, FIPS_R_FIPS_SELFTEST_FAILED);
|
||||||
+ return NULL;
|
+ return -1;
|
||||||
+ }
|
+ }
|
||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
@ -2093,7 +2093,7 @@ diff -up openssl-1.1.1/crypto/fips/fips.c.fips openssl-1.1.1/crypto/fips/fips.c
|
|||||||
+ int ret = 0;
|
+ int ret = 0;
|
||||||
+
|
+
|
||||||
+ if (!RUN_ONCE(&fips_lock_init, do_fips_lock_init))
|
+ if (!RUN_ONCE(&fips_lock_init, do_fips_lock_init))
|
||||||
+ return NULL;
|
+ return 0;
|
||||||
+
|
+
|
||||||
+ fips_w_lock();
|
+ fips_w_lock();
|
||||||
+ fips_started = 1;
|
+ fips_started = 1;
|
||||||
@ -4255,7 +4255,7 @@ diff -up openssl-1.1.1/crypto/fips/fips_drbg_lib.c.fips openssl-1.1.1/crypto/fip
|
|||||||
diff -up openssl-1.1.1/crypto/fips/fips_drbg_rand.c.fips openssl-1.1.1/crypto/fips/fips_drbg_rand.c
|
diff -up openssl-1.1.1/crypto/fips/fips_drbg_rand.c.fips openssl-1.1.1/crypto/fips/fips_drbg_rand.c
|
||||||
--- openssl-1.1.1/crypto/fips/fips_drbg_rand.c.fips 2018-09-13 08:51:22.110520923 +0200
|
--- openssl-1.1.1/crypto/fips/fips_drbg_rand.c.fips 2018-09-13 08:51:22.110520923 +0200
|
||||||
+++ openssl-1.1.1/crypto/fips/fips_drbg_rand.c 2018-09-13 08:51:22.110520923 +0200
|
+++ openssl-1.1.1/crypto/fips/fips_drbg_rand.c 2018-09-13 08:51:22.110520923 +0200
|
||||||
@@ -0,0 +1,183 @@
|
@@ -0,0 +1,185 @@
|
||||||
+/* fips/rand/fips_drbg_rand.c */
|
+/* fips/rand/fips_drbg_rand.c */
|
||||||
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
|
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
|
||||||
+ * project.
|
+ * project.
|
||||||
@ -4409,21 +4409,23 @@ diff -up openssl-1.1.1/crypto/fips/fips_drbg_rand.c.fips openssl-1.1.1/crypto/fi
|
|||||||
+static int fips_drbg_seed(const void *seed, int seedlen)
|
+static int fips_drbg_seed(const void *seed, int seedlen)
|
||||||
+{
|
+{
|
||||||
+ DRBG_CTX *dctx = &ossl_dctx;
|
+ DRBG_CTX *dctx = &ossl_dctx;
|
||||||
|
+ int ret = 1;
|
||||||
+ CRYPTO_THREAD_write_lock(fips_rand_lock);
|
+ CRYPTO_THREAD_write_lock(fips_rand_lock);
|
||||||
+ if (dctx->rand_seed_cb)
|
+ if (dctx->rand_seed_cb)
|
||||||
+ return dctx->rand_seed_cb(dctx, seed, seedlen);
|
+ ret = dctx->rand_seed_cb(dctx, seed, seedlen);
|
||||||
+ CRYPTO_THREAD_unlock(fips_rand_lock);
|
+ CRYPTO_THREAD_unlock(fips_rand_lock);
|
||||||
+ return 1;
|
+ return ret;
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+static int fips_drbg_add(const void *seed, int seedlen, double add_entropy)
|
+static int fips_drbg_add(const void *seed, int seedlen, double add_entropy)
|
||||||
+{
|
+{
|
||||||
+ DRBG_CTX *dctx = &ossl_dctx;
|
+ DRBG_CTX *dctx = &ossl_dctx;
|
||||||
|
+ int ret = 1;
|
||||||
+ CRYPTO_THREAD_write_lock(fips_rand_lock);
|
+ CRYPTO_THREAD_write_lock(fips_rand_lock);
|
||||||
+ if (dctx->rand_add_cb)
|
+ if (dctx->rand_add_cb)
|
||||||
+ return dctx->rand_add_cb(dctx, seed, seedlen, add_entropy);
|
+ ret = dctx->rand_add_cb(dctx, seed, seedlen, add_entropy);
|
||||||
+ CRYPTO_THREAD_unlock(fips_rand_lock);
|
+ CRYPTO_THREAD_unlock(fips_rand_lock);
|
||||||
+ return 1;
|
+ return ret;
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+static const RAND_METHOD rand_drbg_meth = {
|
+static const RAND_METHOD rand_drbg_meth = {
|
||||||
@ -9699,7 +9701,7 @@ diff -up openssl-1.1.1/crypto/fips/fips_standalone_hmac.c.fips openssl-1.1.1/cry
|
|||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ for (;;) {
|
+ for (;;) {
|
||||||
+ char buf[1024];
|
+ unsigned char buf[1024];
|
||||||
+ size_t l = fread(buf, 1, sizeof buf, f);
|
+ size_t l = fread(buf, 1, sizeof buf, f);
|
||||||
+
|
+
|
||||||
+ if (l == 0) {
|
+ if (l == 0) {
|
||||||
@ -9856,8 +9858,12 @@ diff -up openssl-1.1.1/crypto/include/internal/fips_int.h.fips openssl-1.1.1/cry
|
|||||||
+#endif
|
+#endif
|
||||||
diff -up openssl-1.1.1/crypto/o_fips.c.fips openssl-1.1.1/crypto/o_fips.c
|
diff -up openssl-1.1.1/crypto/o_fips.c.fips openssl-1.1.1/crypto/o_fips.c
|
||||||
--- openssl-1.1.1/crypto/o_fips.c.fips 2018-09-11 14:48:21.000000000 +0200
|
--- openssl-1.1.1/crypto/o_fips.c.fips 2018-09-11 14:48:21.000000000 +0200
|
||||||
+++ openssl-1.1.1/crypto/o_fips.c 2018-09-13 08:51:22.114520830 +0200
|
+++ openssl-1.1.1/crypto/o_fips.c 2018-10-09 18:12:06.787802422 +0200
|
||||||
@@ -11,14 +11,25 @@
|
@@ -8,17 +8,28 @@
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include "internal/cryptlib.h"
|
||||||
|
+#include "internal/fips_int.h"
|
||||||
|
|
||||||
int FIPS_mode(void)
|
int FIPS_mode(void)
|
||||||
{
|
{
|
||||||
@ -9874,8 +9880,7 @@ diff -up openssl-1.1.1/crypto/o_fips.c.fips openssl-1.1.1/crypto/o_fips.c
|
|||||||
+#ifdef OPENSSL_FIPS
|
+#ifdef OPENSSL_FIPS
|
||||||
+ if (r && FIPS_module_mode()) /* can be implicitly initialized by OPENSSL_init() */
|
+ if (r && FIPS_module_mode()) /* can be implicitly initialized by OPENSSL_init() */
|
||||||
+ return 1;
|
+ return 1;
|
||||||
+ if (!FIPS_module_mode_set(r))
|
+ return FIPS_module_mode_set(r);
|
||||||
+ return 0;
|
|
||||||
+#else
|
+#else
|
||||||
if (r == 0)
|
if (r == 0)
|
||||||
return 1;
|
return 1;
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
diff -up openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1/crypto/x509/x509_vfy.c
|
diff -up openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1/crypto/x509/x509_vfy.c
|
||||||
--- openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel 2018-09-11 14:48:22.000000000 +0200
|
--- openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel 2018-09-11 14:48:22.000000000 +0200
|
||||||
+++ openssl-1.1.1/crypto/x509/x509_vfy.c 2018-09-14 11:47:39.715317617 +0200
|
+++ openssl-1.1.1/crypto/x509/x509_vfy.c 2018-10-01 09:52:23.535298908 +0200
|
||||||
@@ -3220,6 +3220,7 @@ static int build_chain(X509_STORE_CTX *c
|
@@ -3220,6 +3220,7 @@ static int build_chain(X509_STORE_CTX *c
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -22,7 +22,7 @@ diff -up openssl-1.1.1/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1/crypto/x509
|
|||||||
}
|
}
|
||||||
diff -up openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod
|
diff -up openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod
|
||||||
--- openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel 2018-09-11 14:48:22.000000000 +0200
|
--- openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel 2018-09-11 14:48:22.000000000 +0200
|
||||||
+++ openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod 2018-09-14 11:47:39.715317617 +0200
|
+++ openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod 2018-10-01 09:52:23.535298908 +0200
|
||||||
@@ -81,8 +81,10 @@ using MD5 for the MAC is also prohibited
|
@@ -81,8 +81,10 @@ using MD5 for the MAC is also prohibited
|
||||||
|
|
||||||
=item B<Level 2>
|
=item B<Level 2>
|
||||||
@ -38,7 +38,18 @@ diff -up openssl-1.1.1/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-
|
|||||||
|
|
||||||
diff -up openssl-1.1.1/ssl/ssl_cert.c.seclevel openssl-1.1.1/ssl/ssl_cert.c
|
diff -up openssl-1.1.1/ssl/ssl_cert.c.seclevel openssl-1.1.1/ssl/ssl_cert.c
|
||||||
--- openssl-1.1.1/ssl/ssl_cert.c.seclevel 2018-09-11 14:48:23.000000000 +0200
|
--- openssl-1.1.1/ssl/ssl_cert.c.seclevel 2018-09-11 14:48:23.000000000 +0200
|
||||||
+++ openssl-1.1.1/ssl/ssl_cert.c 2018-09-14 11:47:39.716317598 +0200
|
+++ openssl-1.1.1/ssl/ssl_cert.c 2018-10-12 15:29:12.673799305 +0200
|
||||||
|
@@ -951,8 +951,8 @@ static int ssl_security_default_callback
|
||||||
|
if (level >= 2 && c->algorithm_enc == SSL_RC4)
|
||||||
|
return 0;
|
||||||
|
/* Level 3: forward secure ciphersuites only */
|
||||||
|
- if (level >= 3 && (c->min_tls != TLS1_3_VERSION ||
|
||||||
|
- !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH))))
|
||||||
|
+ if (level >= 3 && c->min_tls != TLS1_3_VERSION &&
|
||||||
|
+ !(c->algorithm_mkey & (SSL_kEDH | SSL_kEECDH)))
|
||||||
|
return 0;
|
||||||
|
break;
|
||||||
|
}
|
||||||
@@ -983,6 +983,9 @@ static int ssl_security_default_callback
|
@@ -983,6 +983,9 @@ static int ssl_security_default_callback
|
||||||
return 0;
|
return 0;
|
||||||
break;
|
break;
|
||||||
@ -51,7 +62,7 @@ diff -up openssl-1.1.1/ssl/ssl_cert.c.seclevel openssl-1.1.1/ssl/ssl_cert.c
|
|||||||
}
|
}
|
||||||
diff -up openssl-1.1.1/test/recipes/25-test_verify.t.seclevel openssl-1.1.1/test/recipes/25-test_verify.t
|
diff -up openssl-1.1.1/test/recipes/25-test_verify.t.seclevel openssl-1.1.1/test/recipes/25-test_verify.t
|
||||||
--- openssl-1.1.1/test/recipes/25-test_verify.t.seclevel 2018-09-11 14:48:24.000000000 +0200
|
--- openssl-1.1.1/test/recipes/25-test_verify.t.seclevel 2018-09-11 14:48:24.000000000 +0200
|
||||||
+++ openssl-1.1.1/test/recipes/25-test_verify.t 2018-09-14 12:36:40.021812399 +0200
|
+++ openssl-1.1.1/test/recipes/25-test_verify.t 2018-10-01 09:52:23.535298908 +0200
|
||||||
@@ -342,8 +342,8 @@ ok(verify("ee-pss-sha1-cert", "sslserver
|
@@ -342,8 +342,8 @@ ok(verify("ee-pss-sha1-cert", "sslserver
|
||||||
ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], ),
|
ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], ),
|
||||||
"CA with PSS signature using SHA256");
|
"CA with PSS signature using SHA256");
|
||||||
|
@ -22,7 +22,7 @@
|
|||||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 1.1.1
|
Version: 1.1.1
|
||||||
Release: 5%{?dist}
|
Release: 6%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
# We have to remove certain patented algorithms from the openssl source
|
# We have to remove certain patented algorithms from the openssl source
|
||||||
# tarball with the hobble-openssl script which is included below.
|
# tarball with the hobble-openssl script which is included below.
|
||||||
@ -227,7 +227,7 @@ sslarch=linux-generic64
|
|||||||
# marked as not requiring an executable stack.
|
# marked as not requiring an executable stack.
|
||||||
# Also add -DPURIFY to make using valgrind with openssl easier as we do not
|
# Also add -DPURIFY to make using valgrind with openssl easier as we do not
|
||||||
# want to depend on the uninitialized memory as a source of entropy anyway.
|
# want to depend on the uninitialized memory as a source of entropy anyway.
|
||||||
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -DPURIFY $RPM_LD_FLAGS"
|
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS"
|
||||||
|
|
||||||
export HASHBANGPERL=/usr/bin/perl
|
export HASHBANGPERL=/usr/bin/perl
|
||||||
|
|
||||||
@ -449,6 +449,10 @@ export LD_LIBRARY_PATH
|
|||||||
%postun libs -p /sbin/ldconfig
|
%postun libs -p /sbin/ldconfig
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Oct 12 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-6
|
||||||
|
- fix SECLEVEL 3 support
|
||||||
|
- fix some issues found in Coverity scan
|
||||||
|
|
||||||
* Thu Sep 27 2018 Charalampos Stratakis <cstratak@redhat.com> - 1:1.1.1-5
|
* Thu Sep 27 2018 Charalampos Stratakis <cstratak@redhat.com> - 1:1.1.1-5
|
||||||
- Correctly invoke sed for defining OPENSSL_NO_SSL3
|
- Correctly invoke sed for defining OPENSSL_NO_SSL3
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user