Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssl-1_0_0 for openSUSE:Factory checked in at 2023-02-21 15:35:34 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openssl-1_0_0 (Old) and /work/SRC/openSUSE:Factory/.openssl-1_0_0.new.22824 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl-1_0_0" Tue Feb 21 15:35:34 2023 rev:31 rq:1066748 version:1.0.2u Changes: -------- --- /work/SRC/openSUSE:Factory/openssl-1_0_0/openssl-1_0_0.changes 2023-02-14 16:44:56.402270903 +0100 +++ /work/SRC/openSUSE:Factory/.openssl-1_0_0.new.22824/openssl-1_0_0.changes 2023-02-21 15:35:35.400131129 +0100 @@ -1,0 +2,7 @@ +Fri Feb 17 14:05:07 UTC 2023 - Otto Hollmann <otto.hollm...@suse.com> + +- Fix DH key generation in FIPS mode, add support for constant BN for + DH parameters [bsc#1202062] + * Add patch: openssl-fips_fix_DH_key_generation.patch + +------------------------------------------------------------------- New: ---- openssl-fips_fix_DH_key_generation.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssl-1_0_0.spec ++++++ --- /var/tmp/diff_new_pack.AXCqBl/_old 2023-02-21 15:35:36.492137404 +0100 +++ /var/tmp/diff_new_pack.AXCqBl/_new 2023-02-21 15:35:36.496137427 +0100 @@ -118,6 +118,8 @@ Patch95: openssl-CVE-2023-0215-4of4.patch #PATCH-FIX-UPSTREAM bsc#1207533 CVE-2023-0286 Address type confusion related to X.400 address processing Patch96: openssl-CVE-2023-0286.patch +# PATCH-FIX-SUSE bsc#1202062 FIPS: Fix DH key generation in FIPS mode +Patch97: openssl-fips_fix_DH_key_generation.patch # steam patches Patch100: openssl-fix-cpuid_setup.patch # compat patches to build with soversion 10 (bsc#1175429) @@ -292,6 +294,7 @@ %patch94 -p1 %patch95 -p1 %patch96 -p1 +%patch97 -p1 # clean up patching leftovers find . -name '*.orig' -delete ++++++ openssl-fips_fix_DH_key_generation.patch ++++++ --- crypto/bn/bn_lib.c | 13 +++++-------- crypto/dh/dh_ameth.c | 19 ++++++++++++------- crypto/dh/dh_gen.c | 3 +-- 3 files changed, 18 insertions(+), 17 deletions(-) --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c 
@@ -244,20 +244,17 @@ int BN_num_bits(const BIGNUM *a)
 
 void BN_clear_free(BIGNUM *a)
 {
- int i;
-
 if (a == NULL)
 return;
 bn_check_top(a);
- if (a->d != NULL) {
+ if (a->d != NULL && !BN_get_flags(a, BN_FLG_STATIC_DATA)) {
 OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0]));
- if (!(BN_get_flags(a, BN_FLG_STATIC_DATA)))
- OPENSSL_free(a->d);
+ OPENSSL_free(a->d);
 }
- i = BN_get_flags(a, BN_FLG_MALLOCED);
- OPENSSL_cleanse(a, sizeof(BIGNUM));
- if (i)
+ if (BN_get_flags(a, BN_FLG_MALLOCED)) {
+ OPENSSL_cleanse(a, sizeof(BIGNUM));
 OPENSSL_free(a);
+ }
 }
 
 void BN_free(BIGNUM *a)
--- a/crypto/dh/dh_ameth.c
+++ b/crypto/dh/dh_ameth.c
@@ -457,14 +457,19 @@ static int dh_cmp_parameters(const EVP_P
 static int int_dh_bn_cpy(BIGNUM **dst, const BIGNUM *src)
 {
 BIGNUM *a;
- if (src) {
- a = BN_dup(src);
- if (!a)
- return 0;
- } else
+
+ /*
+ * If source is read only just copy the pointer, so
+ * we don't have to reallocate it.
+ */
+ if (src == NULL)
 a = NULL;
- if (*dst)
- BN_free(*dst);
+ else if (BN_get_flags(src, BN_FLG_STATIC_DATA) && !BN_get_flags(src, BN_FLG_MALLOCED))
+ a = (BIGNUM *)src;
+ else if ((a = BN_dup(src)) == NULL)
+ return 0;
+ BN_clear_free(*dst);
 *dst = a;
 return 1;
 }
--- a/crypto/dh/dh_gen.c
+++ b/crypto/dh/dh_gen.c
@@ -77,8 +77,7 @@ int DH_generate_parameters_ex(DH *ret, i
 BN_GENCB *cb)
 {
 #ifdef OPENSSL_FIPS
- if (FIPS_mode() && !(ret->meth->flags & DH_FLAG_FIPS_METHOD) && !(ret->flags & DH_FLAG_NON_FIPS_ALLOW)) {
+ if (FIPS_mode()) {
 DHerr(DH_F_DH_GENERATE_PARAMETERS_EX, DH_R_NON_FIPS_METHOD);
 return 0;
 }
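Review bot: For a BIGNUM that carries neither BN_FLG_MALLOCED nor BN_FLG_STATIC_DATA (a BN_init'ed stack or embedded struct), the new BN_clear_free frees a->d but leaves a->d, a->top and a->dmax in place, whereas the removed unconditional `OPENSSL_cleanse(a, sizeof(BIGNUM))` used to zero them; a second BN_free/BN_clear_free on that struct, or a reuse of it, now meets a dangling pointer and can double-free. Leaving the STATIC_DATA case untouched is the purpose of the change, so only the remaining non-static, non-malloced case needs resetting: add `} else if (!BN_get_flags(a, BN_FLG_STATIC_DATA)) {` / `a->d = NULL; a->top = a->dmax = 0;` / `}` after the MALLOCED block. BN_free, whose body lies past the hunk, appears in 1.0.2 to clear a->d on that same path, so this would keep the two release routines consistent.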
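Review bot: After the `a = (BIGNUM *)src` branch *dst aliases src itself, so the DH object no longer owns that parameter, and the cast silently discards the const that signalled it; any later path that modifies the BIGNUM in place, or releases it with BN_free rather than BN_clear_free, would write into the shared and possibly read-only constant. Nothing in the hunk records that contract, and the new comment only explains the motivation. It should also say what the alias implies: `/* src is shared, not copied: *dst must never be modified in place and must only be released via BN_clear_free, which leaves STATIC_DATA, non-MALLOCED BIGNUMs untouched. */` A short note that this branch relies on the bn_lib.c change in the same patch would also protect whoever backports the files separately.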
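Review bot: `if (FIPS_mode())` now refuses parameter generation regardless of the method's DH_FLAG_FIPS_METHOD and the per-object DH_FLAG_NON_FIPS_ALLOW override, both of which the removed condition honoured, yet the error raised is still DH_R_NON_FIPS_METHOD, which no longer describes the cause. If the intent is that FIPS mode permits only the predefined (constant) groups and never freshly generated parameters, state it at the check: `/* FIPS mode: parameter generation is not an approved operation; only the built-in groups may be used */`, and consider whether a dedicated reason code would give callers a clearer failure. The remainder of DH_generate_parameters_ex continues past the hunk.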