Multiple fixes

do not try to initialize RNG in cleanup if it was not initialized
  before (#1624554)
use only /dev/urandom if getrandom() is not available
disable SM4
Tomas Mraz 2018-09-06 13:48:54 +02:00
parent cfeae6fcb3
commit 90121b0c9d
2 changed files with 24 additions and 3 deletions


@ -0,0 +1,13 @@
diff -up openssl-1.1.1-pre9/crypto/rand/rand_lib.c.rand-cleanup openssl-1.1.1-pre9/crypto/rand/rand_lib.c
--- openssl-1.1.1-pre9/crypto/rand/rand_lib.c.rand-cleanup 2018-09-06 08:18:19.481566808 +0200
+++ openssl-1.1.1-pre9/crypto/rand/rand_lib.c 2018-09-06 13:28:32.531777065 +0200
@@ -353,7 +353,8 @@ void rand_cleanup_int(void)
if (meth != NULL && meth->cleanup != NULL)
meth->cleanup();
rand_pool_cleanup();
- RAND_set_rand_method(NULL);
+ if (meth != NULL)
+ RAND_set_rand_method(NULL);
#ifndef OPENSSL_NO_ENGINE
CRYPTO_THREAD_lock_free(rand_engine_lock);
rand_engine_lock = NULL;
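Review bot: The new `if (meth != NULL)` guard in front of `RAND_set_rand_method(NULL)` has no comment, and its purpose cannot be read from the code alone. Going by the commit message, the unguarded call tried to initialize the RNG during cleanup when it had never been initialized, so that reason belongs next to the guard, e.g. `/* Do not trigger RNG initialization from cleanup if no method was ever set (#1624554) */`. The guard is only correct if `meth` is a snapshot of the default method taken before any cleanup step runs; that assignment sits above the hunk and is not visible here, so it is worth confirming. The body of rand_cleanup_int starts and ends outside the hunk.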


@ -24,7 +24,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 1.1.1 Version: 1.1.1
Release: 0.%{prerelease}.2%{?dist} Release: 0.%{prerelease}.3%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
@ -59,6 +59,7 @@ Patch42: openssl-1.1.1-fips.patch
Patch43: openssl-1.1.1-ignore-bound.patch Patch43: openssl-1.1.1-ignore-bound.patch
Patch44: openssl-1.1.1-version-override.patch Patch44: openssl-1.1.1-version-override.patch
Patch45: openssl-1.1.0-weak-ciphers.patch Patch45: openssl-1.1.0-weak-ciphers.patch
Patch46: openssl-1.1.1-rand-cleanup.patch
# Backported fixes including security fixes # Backported fixes including security fixes
Patch70: openssl-1.1.1-seclevel-check.patch Patch70: openssl-1.1.1-seclevel-check.patch
@ -162,6 +163,7 @@ cp %{SOURCE13} test/
%patch43 -p1 -b .ignore-bound %patch43 -p1 -b .ignore-bound
%patch44 -p1 -b .version-override %patch44 -p1 -b .version-override
%patch45 -p1 -b .weak-ciphers %patch45 -p1 -b .weak-ciphers
%patch46 -p1 -b .rand-cleanup
%patch70 -p1 -b .seclevel-check %patch70 -p1 -b .seclevel-check
@ -243,8 +245,8 @@ export HASHBANGPERL=/usr/bin/perl
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \ zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \ enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \
enable-weak-ssl-ciphers \ enable-weak-ssl-ciphers \
no-mdc2 no-ec2m no-sm2 \ no-mdc2 no-ec2m no-sm2 no-sm4 \
shared ${sslarch} $RPM_OPT_FLAGS shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'
# Do not run this in a production package the FIPS symbols must be patched-in # Do not run this in a production package the FIPS symbols must be patched-in
#util/mkdef.pl crypto update #util/mkdef.pl crypto update
@ -451,6 +453,12 @@ export LD_LIBRARY_PATH
%postun libs -p /sbin/ldconfig %postun libs -p /sbin/ldconfig
%changelog %changelog
* Thu Sep 6 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre9.3
- do not try to initialize RNG in cleanup if it was not initialized
before (#1624554)
- use only /dev/urandom if getrandom() is not available
- disable SM4
* Wed Aug 29 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre9.2 * Wed Aug 29 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre9.2
- fix dangling symlinks to manual pages - fix dangling symlinks to manual pages
- make SSLv3_method work - make SSLv3_method work
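Review bot: The `'-DDEVRANDOM="\"/dev/urandom\""'` define added to the Configure line has no comment in the spec, although it changes where the library takes seed material from when getrandom() is unavailable. The changelog entry says what changes but not why, and the trade-off deserves a line above the Configure invocation: on Linux kernels of this period /dev/urandom does not block before the kernel pool is seeded, so a process that seeds very early in boot on a system without getrandom() may draw from an unseeded pool. Something like `# Seed only from /dev/urandom when getrandom() is missing; see changelog 1.1.1-0.pre9.3 for the rationale` would record the decision, with the actual rationale filled in by the author. The added `no-sm4` would likewise benefit from a short reason, as the spec already explains its other algorithm removals in comments.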