From 90121b0c9d9f2dd632533e6e51bc7bc3e2550e3c Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Sep 06 2018 11:48:54 +0000 Subject: Multiple fixes do not try to initialize RNG in cleanup if it was not initialized before (#1624554) use only /dev/urandom if getrandom() is not available disable SM4 --- diff --git a/openssl-1.1.1-rand-cleanup.patch b/openssl-1.1.1-rand-cleanup.patch new file mode 100644 index 0000000..5f886c5 --- /dev/null +++ b/openssl-1.1.1-rand-cleanup.patch @@ -0,0 +1,13 @@ +diff -up openssl-1.1.1-pre9/crypto/rand/rand_lib.c.rand-cleanup openssl-1.1.1-pre9/crypto/rand/rand_lib.c +--- openssl-1.1.1-pre9/crypto/rand/rand_lib.c.rand-cleanup 2018-09-06 08:18:19.481566808 +0200 ++++ openssl-1.1.1-pre9/crypto/rand/rand_lib.c 2018-09-06 13:28:32.531777065 +0200 +@@ -353,7 +353,8 @@ void rand_cleanup_int(void) + if (meth != NULL && meth->cleanup != NULL) + meth->cleanup(); + rand_pool_cleanup(); +- RAND_set_rand_method(NULL); ++ if (meth != NULL) ++ RAND_set_rand_method(NULL); + #ifndef OPENSSL_NO_ENGINE + CRYPTO_THREAD_lock_free(rand_engine_lock); + rand_engine_lock = NULL; diff --git a/openssl.spec b/openssl.spec index f3fdd2a..b20e505 100644 --- a/openssl.spec +++ b/openssl.spec @@ -24,7 +24,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.1.1 -Release: 0.%{prerelease}.2%{?dist} +Release: 0.%{prerelease}.3%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -59,6 +59,7 @@ Patch42: openssl-1.1.1-fips.patch Patch43: openssl-1.1.1-ignore-bound.patch Patch44: openssl-1.1.1-version-override.patch Patch45: openssl-1.1.0-weak-ciphers.patch +Patch46: openssl-1.1.1-rand-cleanup.patch # Backported fixes including security fixes Patch70: openssl-1.1.1-seclevel-check.patch @@ -162,6 +163,7 @@ cp %{SOURCE13} test/ %patch43 -p1 -b .ignore-bound %patch44 -p1 -b .version-override %patch45 -p1 -b .weak-ciphers +%patch46 -p1 -b .rand-cleanup %patch70 -p1 -b .seclevel-check @@ -243,8 +245,8 @@ export HASHBANGPERL=/usr/bin/perl zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \ enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \ enable-weak-ssl-ciphers \ - no-mdc2 no-ec2m no-sm2 \ - shared ${sslarch} $RPM_OPT_FLAGS + no-mdc2 no-ec2m no-sm2 no-sm4 \ + shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""' # Do not run this in a production package the FIPS symbols must be patched-in #util/mkdef.pl crypto update @@ -451,6 +453,12 @@ export LD_LIBRARY_PATH %postun libs -p /sbin/ldconfig %changelog +* Thu Sep 6 2018 Tomáš Mráz 1.1.1-0.pre9.3 +- do not try to initialize RNG in cleanup if it was not initialized + before (#1624554) +- use only /dev/urandom if getrandom() is not available +- disable SM4 + * Wed Aug 29 2018 Tomáš Mráz 1.1.1-0.pre9.2 - fix dangling symlinks to manual pages - make SSLv3_method work