Update to the 1.1.1i release fixing CVE-2020-1971
This commit is contained in:
parent
3413ff9700
commit
a07706cf0e
1
.gitignore
vendored
1
.gitignore
vendored
@ -49,3 +49,4 @@ openssl-1.0.0a-usa.tar.bz2
|
|||||||
/openssl-1.1.1f-hobbled.tar.xz
|
/openssl-1.1.1f-hobbled.tar.xz
|
||||||
/openssl-1.1.1g-hobbled.tar.xz
|
/openssl-1.1.1g-hobbled.tar.xz
|
||||||
/openssl-1.1.1h-hobbled.tar.xz
|
/openssl-1.1.1h-hobbled.tar.xz
|
||||||
|
/openssl-1.1.1i-hobbled.tar.xz
|
||||||
|
File diff suppressed because it is too large
Load Diff
@ -1,6 +1,6 @@
|
|||||||
diff -up openssl-1.1.1e/crypto/fips/fips.c.fips-post-rand openssl-1.1.1e/crypto/fips/fips.c
|
diff -up openssl-1.1.1i/crypto/fips/fips.c.fips-post-rand openssl-1.1.1i/crypto/fips/fips.c
|
||||||
--- openssl-1.1.1e/crypto/fips/fips.c.fips-post-rand 2020-03-17 18:06:16.822418854 +0100
|
--- openssl-1.1.1i/crypto/fips/fips.c.fips-post-rand 2020-12-09 10:26:41.634106328 +0100
|
||||||
+++ openssl-1.1.1e/crypto/fips/fips.c 2020-03-17 18:06:16.861418172 +0100
|
+++ openssl-1.1.1i/crypto/fips/fips.c 2020-12-09 10:26:41.652106475 +0100
|
||||||
@@ -68,6 +68,7 @@
|
@@ -68,6 +68,7 @@
|
||||||
|
|
||||||
# include <openssl/fips.h>
|
# include <openssl/fips.h>
|
||||||
@ -51,10 +51,10 @@ diff -up openssl-1.1.1e/crypto/fips/fips.c.fips-post-rand openssl-1.1.1e/crypto/
|
|||||||
ret = 1;
|
ret = 1;
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
diff -up openssl-1.1.1e/crypto/rand/drbg_lib.c.fips-post-rand openssl-1.1.1e/crypto/rand/drbg_lib.c
|
diff -up openssl-1.1.1i/crypto/rand/drbg_lib.c.fips-post-rand openssl-1.1.1i/crypto/rand/drbg_lib.c
|
||||||
--- openssl-1.1.1e/crypto/rand/drbg_lib.c.fips-post-rand 2020-03-17 15:31:17.000000000 +0100
|
--- openssl-1.1.1i/crypto/rand/drbg_lib.c.fips-post-rand 2020-12-08 14:20:59.000000000 +0100
|
||||||
+++ openssl-1.1.1e/crypto/rand/drbg_lib.c 2020-03-17 18:07:35.305045521 +0100
|
+++ openssl-1.1.1i/crypto/rand/drbg_lib.c 2020-12-09 10:26:41.652106475 +0100
|
||||||
@@ -1009,6 +1009,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg
|
@@ -1005,6 +1005,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg
|
||||||
return min_entropy > min_entropylen ? min_entropy : min_entropylen;
|
return min_entropy > min_entropylen ? min_entropy : min_entropylen;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -75,9 +75,9 @@ diff -up openssl-1.1.1e/crypto/rand/drbg_lib.c.fips-post-rand openssl-1.1.1e/cry
|
|||||||
/* Implements the default OpenSSL RAND_add() method */
|
/* Implements the default OpenSSL RAND_add() method */
|
||||||
static int drbg_add(const void *buf, int num, double randomness)
|
static int drbg_add(const void *buf, int num, double randomness)
|
||||||
{
|
{
|
||||||
diff -up openssl-1.1.1e/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1e/crypto/rand/rand_unix.c
|
diff -up openssl-1.1.1i/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1i/crypto/rand/rand_unix.c
|
||||||
--- openssl-1.1.1e/crypto/rand/rand_unix.c.fips-post-rand 2020-03-17 15:31:17.000000000 +0100
|
--- openssl-1.1.1i/crypto/rand/rand_unix.c.fips-post-rand 2020-12-08 14:20:59.000000000 +0100
|
||||||
+++ openssl-1.1.1e/crypto/rand/rand_unix.c 2020-03-17 18:09:01.503537189 +0100
|
+++ openssl-1.1.1i/crypto/rand/rand_unix.c 2020-12-09 10:36:59.531221903 +0100
|
||||||
@@ -17,10 +17,12 @@
|
@@ -17,10 +17,12 @@
|
||||||
#include <openssl/crypto.h>
|
#include <openssl/crypto.h>
|
||||||
#include "rand_local.h"
|
#include "rand_local.h"
|
||||||
@ -91,7 +91,7 @@ diff -up openssl-1.1.1e/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1e/cr
|
|||||||
# ifdef DEVRANDOM_WAIT
|
# ifdef DEVRANDOM_WAIT
|
||||||
# include <sys/shm.h>
|
# include <sys/shm.h>
|
||||||
# include <sys/utsname.h>
|
# include <sys/utsname.h>
|
||||||
@@ -342,7 +344,7 @@ static ssize_t sysctl_random(char *buf,
|
@@ -344,7 +346,7 @@ static ssize_t sysctl_random(char *buf,
|
||||||
* syscall_random(): Try to get random data using a system call
|
* syscall_random(): Try to get random data using a system call
|
||||||
* returns the number of bytes returned in buf, or < 0 on error.
|
* returns the number of bytes returned in buf, or < 0 on error.
|
||||||
*/
|
*/
|
||||||
@ -100,15 +100,15 @@ diff -up openssl-1.1.1e/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1e/cr
|
|||||||
{
|
{
|
||||||
/*
|
/*
|
||||||
* Note: 'buflen' equals the size of the buffer which is used by the
|
* Note: 'buflen' equals the size of the buffer which is used by the
|
||||||
@@ -364,6 +366,7 @@ static ssize_t syscall_random(void *buf,
|
@@ -369,6 +371,7 @@ static ssize_t syscall_random(void *buf,
|
||||||
* - Linux since 3.17 with glibc 2.25
|
* Note: Sometimes getentropy() can be provided but not implemented
|
||||||
* - FreeBSD since 12.0 (1200061)
|
* internally. So we need to check errno for ENOSYS
|
||||||
*/
|
*/
|
||||||
+# if 0
|
+# if 0
|
||||||
# if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
|
# if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
|
||||||
extern int getentropy(void *buffer, size_t length) __attribute__((weak));
|
extern int getentropy(void *buffer, size_t length) __attribute__((weak));
|
||||||
|
|
||||||
@@ -385,10 +388,10 @@ static ssize_t syscall_random(void *buf,
|
@@ -394,10 +397,10 @@ static ssize_t syscall_random(void *buf,
|
||||||
if (p_getentropy.p != NULL)
|
if (p_getentropy.p != NULL)
|
||||||
return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
|
return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
|
||||||
# endif
|
# endif
|
||||||
@ -122,7 +122,7 @@ diff -up openssl-1.1.1e/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1e/cr
|
|||||||
# elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
|
# elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
|
||||||
return sysctl_random(buf, buflen);
|
return sysctl_random(buf, buflen);
|
||||||
# else
|
# else
|
||||||
@@ -623,6 +626,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
|
@@ -633,6 +636,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
|
||||||
size_t entropy_available;
|
size_t entropy_available;
|
||||||
|
|
||||||
# if defined(OPENSSL_RAND_SEED_GETRANDOM)
|
# if defined(OPENSSL_RAND_SEED_GETRANDOM)
|
||||||
@ -132,7 +132,7 @@ diff -up openssl-1.1.1e/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1e/cr
|
|||||||
{
|
{
|
||||||
size_t bytes_needed;
|
size_t bytes_needed;
|
||||||
unsigned char *buffer;
|
unsigned char *buffer;
|
||||||
@@ -633,7 +639,7 @@ size_t rand_pool_acquire_entropy(RAND_PO
|
@@ -643,7 +649,7 @@ size_t rand_pool_acquire_entropy(RAND_PO
|
||||||
bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
|
bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
|
||||||
while (bytes_needed != 0 && attempts-- > 0) {
|
while (bytes_needed != 0 && attempts-- > 0) {
|
||||||
buffer = rand_pool_add_begin(pool, bytes_needed);
|
buffer = rand_pool_add_begin(pool, bytes_needed);
|
||||||
@ -141,7 +141,7 @@ diff -up openssl-1.1.1e/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1e/cr
|
|||||||
if (bytes > 0) {
|
if (bytes > 0) {
|
||||||
rand_pool_add_end(pool, bytes, 8 * bytes);
|
rand_pool_add_end(pool, bytes, 8 * bytes);
|
||||||
bytes_needed -= bytes;
|
bytes_needed -= bytes;
|
||||||
@@ -668,8 +674,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
|
@@ -678,8 +684,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
|
||||||
int attempts = 3;
|
int attempts = 3;
|
||||||
const int fd = get_random_device(i);
|
const int fd = get_random_device(i);
|
||||||
|
|
||||||
@ -153,7 +153,7 @@ diff -up openssl-1.1.1e/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1e/cr
|
|||||||
|
|
||||||
while (bytes_needed != 0 && attempts-- > 0) {
|
while (bytes_needed != 0 && attempts-- > 0) {
|
||||||
buffer = rand_pool_add_begin(pool, bytes_needed);
|
buffer = rand_pool_add_begin(pool, bytes_needed);
|
||||||
@@ -732,7 +740,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
|
@@ -742,7 +750,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
|
||||||
return entropy_available;
|
return entropy_available;
|
||||||
}
|
}
|
||||||
# endif
|
# endif
|
||||||
@ -164,9 +164,9 @@ diff -up openssl-1.1.1e/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1e/cr
|
|||||||
return rand_pool_entropy_available(pool);
|
return rand_pool_entropy_available(pool);
|
||||||
# endif
|
# endif
|
||||||
}
|
}
|
||||||
diff -up openssl-1.1.1e/include/crypto/fips.h.fips-post-rand openssl-1.1.1e/include/crypto/fips.h
|
diff -up openssl-1.1.1i/include/crypto/fips.h.fips-post-rand openssl-1.1.1i/include/crypto/fips.h
|
||||||
--- openssl-1.1.1e/include/crypto/fips.h.fips-post-rand 2020-03-17 18:06:16.831418696 +0100
|
--- openssl-1.1.1i/include/crypto/fips.h.fips-post-rand 2020-12-09 10:26:41.639106369 +0100
|
||||||
+++ openssl-1.1.1e/include/crypto/fips.h 2020-03-17 18:06:16.861418172 +0100
|
+++ openssl-1.1.1i/include/crypto/fips.h 2020-12-09 10:26:41.657106516 +0100
|
||||||
@@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void);
|
@@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void);
|
||||||
int FIPS_selftest_drbg(void);
|
int FIPS_selftest_drbg(void);
|
||||||
int FIPS_selftest_cmac(void);
|
int FIPS_selftest_cmac(void);
|
||||||
@ -176,9 +176,9 @@ diff -up openssl-1.1.1e/include/crypto/fips.h.fips-post-rand openssl-1.1.1e/incl
|
|||||||
int fips_pkey_signature_test(EVP_PKEY *pkey,
|
int fips_pkey_signature_test(EVP_PKEY *pkey,
|
||||||
const unsigned char *tbs, int tbslen,
|
const unsigned char *tbs, int tbslen,
|
||||||
const unsigned char *kat,
|
const unsigned char *kat,
|
||||||
diff -up openssl-1.1.1e/include/crypto/rand.h.fips-post-rand openssl-1.1.1e/include/crypto/rand.h
|
diff -up openssl-1.1.1i/include/crypto/rand.h.fips-post-rand openssl-1.1.1i/include/crypto/rand.h
|
||||||
--- openssl-1.1.1e/include/crypto/rand.h.fips-post-rand 2020-03-17 15:31:17.000000000 +0100
|
--- openssl-1.1.1i/include/crypto/rand.h.fips-post-rand 2020-12-08 14:20:59.000000000 +0100
|
||||||
+++ openssl-1.1.1e/include/crypto/rand.h 2020-03-17 18:07:35.303045555 +0100
|
+++ openssl-1.1.1i/include/crypto/rand.h 2020-12-09 10:26:41.657106516 +0100
|
||||||
@@ -24,6 +24,7 @@
|
@@ -24,6 +24,7 @@
|
||||||
typedef struct rand_pool_st RAND_POOL;
|
typedef struct rand_pool_st RAND_POOL;
|
||||||
|
|
||||||
|
@ -1,12 +1,12 @@
|
|||||||
diff -up openssl-1.1.1g/include/openssl/opensslv.h.version-override openssl-1.1.1g/include/openssl/opensslv.h
|
diff -up openssl-1.1.1i/include/openssl/opensslv.h.version-override openssl-1.1.1i/include/openssl/opensslv.h
|
||||||
--- openssl-1.1.1g/include/openssl/opensslv.h.version-override 2020-04-23 13:29:37.802673513 +0200
|
--- openssl-1.1.1i/include/openssl/opensslv.h.version-override 2020-12-09 10:25:12.042374409 +0100
|
||||||
+++ openssl-1.1.1g/include/openssl/opensslv.h 2020-04-23 13:30:13.064008458 +0200
|
+++ openssl-1.1.1i/include/openssl/opensslv.h 2020-12-09 10:26:00.362769170 +0100
|
||||||
@@ -40,7 +40,7 @@ extern "C" {
|
@@ -40,7 +40,7 @@ extern "C" {
|
||||||
* major minor fix final patch/beta)
|
* major minor fix final patch/beta)
|
||||||
*/
|
*/
|
||||||
# define OPENSSL_VERSION_NUMBER 0x1010108fL
|
# define OPENSSL_VERSION_NUMBER 0x1010109fL
|
||||||
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1h 22 Sep 2020"
|
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1i 8 Dec 2020"
|
||||||
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1h FIPS 22 Sep 2020"
|
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1i FIPS 8 Dec 2020"
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
* The macros below are to be used for shared library (.so, .dll, ...)
|
* The macros below are to be used for shared library (.so, .dll, ...)
|
||||||
|
@ -21,7 +21,7 @@
|
|||||||
|
|
||||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 1.1.1h
|
Version: 1.1.1i
|
||||||
Release: 1%{?dist}
|
Release: 1%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
# We have to remove certain patented algorithms from the openssl source
|
# We have to remove certain patented algorithms from the openssl source
|
||||||
@ -473,6 +473,9 @@ export LD_LIBRARY_PATH
|
|||||||
%ldconfig_scriptlets libs
|
%ldconfig_scriptlets libs
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Dec 9 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1i-1
|
||||||
|
- Update to the 1.1.1i release fixing CVE-2020-1971
|
||||||
|
|
||||||
* Mon Nov 9 2020 Sahana Prasad <sahana@redhat.com> - 1.1.1h-1
|
* Mon Nov 9 2020 Sahana Prasad <sahana@redhat.com> - 1.1.1h-1
|
||||||
- Upgrade to version 1.1.1.h
|
- Upgrade to version 1.1.1.h
|
||||||
|
|
||||||
|
2
sources
2
sources
@ -1 +1 @@
|
|||||||
SHA512 (openssl-1.1.1h-hobbled.tar.xz) = 75e1d3f34f93462b97db92aa6538fd4f2f091ad717438e51d147508738be720d7d0bf4a9b1fda3a1943a4c13aae2a39da3add05f7da833b3c6de40a97bc97908
|
SHA512 (openssl-1.1.1i-hobbled.tar.xz) = e131a05e88690a7be7c3d74cbb26620130498ced2ce3d7fd55979aab5ea736ec8b268ba92268bd5bc347989325a3950a066883007cb20c2dd9739fd1eafc513f
|
||||||
|
Loading…
Reference in New Issue
Block a user