Hello community, here is the log from the commit of package openssl-1_1_0 for openSUSE:Factory checked in at 2017-05-29 22:20:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openssl-1_1_0 (Old) and /work/SRC/openSUSE:Factory/.openssl-1_1_0.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl-1_1_0"
Mon May 29 22:20:14 2017 rev:2 rq:499448 version:1.1.0f
Changes:
--------
--- /work/SRC/openSUSE:Factory/openssl-1_1_0/openssl-1_1_0.changes 2017-05-18 20:46:47.780163434 +0200
+++ /work/SRC/openSUSE:Factory/.openssl-1_1_0.new/openssl-1_1_0.changes 2017-05-29 22:20:21.801943478 +0200
@@ -1,0 +2,11 @@
+Mon May 29 09:57:39 UTC 2017 - [email protected]
+
+- update to 1.1.0f
+ * bugfix only release
+- disable RSA keygen tests, because they use too small modulus, which
+ is rejected by our CC/FIPS hardening patches
+ * added openssl-disable_rsa_keygen_tests_with_small_modulus.patch
+- refreshed openssl-rsakeygen-minimum-distance.patch and
+ 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
+
+-------------------------------------------------------------------
Old:
----
openssl-1.1.0e.tar.gz
openssl-1.1.0e.tar.gz.asc
New:
----
openssl-1.1.0f.tar.gz
openssl-1.1.0f.tar.gz.asc
openssl-disable_rsa_keygen_tests_with_small_modulus.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssl-1_1_0.spec ++++++
--- /var/tmp/diff_new_pack.rM8XUW/_old 2017-05-29 22:20:23.617687089 +0200
+++ /var/tmp/diff_new_pack.rM8XUW/_new 2017-05-29 22:20:23.621686524 +0200
@@ -1,5 +1,5 @@
 #
-# spec file for package openssl
+# spec file for package openssl-1_1_0
 #
 # Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
@@ -24,7 +24,7 @@
 %define maj_min 1.1
 %define _rname openssl
 Name: openssl-1_1_0
-Version: 1.1.0e
+Version: 1.1.0f
 Release: 0
 Summary: Secure Sockets and Transport Layer Security
 License: OpenSSL
@@ -64,6 +64,7 @@
 Patch58: openssl-fips-fix-odd-rsakeybits.patch
 Patch59: openssl-fips-clearerror.patch
 Patch60: openssl-fips-dont-fall-back-to-default-digest.patch
+Patch61: openssl-disable_rsa_keygen_tests_with_small_modulus.patch
 BuildRequires: bc
 BuildRequires: ed
 BuildRequires: pkgconfig
@@ -172,6 +173,7 @@ %patch58 -p1 %patch59 -p1 %patch60 -p1 +%patch61 -p1 %build %ifarch armv5el armv5tel @@ -210,7 +212,6 @@ $(getconf LFS_CFLAGS) \ -Wall - util/mkdef.pl crypto update make depend -j1 make all %{?_smp_mflags} ++++++ 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch ++++++ --- /var/tmp/diff_new_pack.rM8XUW/_old 2017-05-29 22:20:23.669679747 +0200 +++ /var/tmp/diff_new_pack.rM8XUW/_new 2017-05-29 22:20:23.669679747 +0200 
@@ -4,47 +4,24 @@ Subject: [PATCH] Axe builtin printf implementation, use glibc instead -Index: openssl-1.1.0e/crypto/bio/b_print.c +Index: openssl-1.1.0f/crypto/bio/b_print.c =================================================================== ---- openssl-1.1.0e.orig/crypto/bio/b_print.c -+++ openssl-1.1.0e/crypto/bio/b_print.c -@@ -18,852 +18,6 @@ - #include <openssl/bn.h> /* To get BN_LLONG properly defined */ - #include <openssl/bio.h> +--- openssl-1.1.0f.orig/crypto/bio/b_print.c 2017-05-25 14:46:18.000000000 +0200 ++++ openssl-1.1.0f/crypto/bio/b_print.c 2017-05-29 11:59:37.293885541 +0200 +@@ -21,829 +21,6 @@ + * on all source code distributions. + */ --#if defined(BN_LLONG) || defined(SIXTY_FOUR_BIT) --# ifndef HAVE_LONG_LONG --# define HAVE_LONG_LONG 1 --# endif --#endif -- --/* -- * Copyright Patrick Powell 1995 -- * This code is based on code written by Patrick Powell <[email protected]> -- * It may be used for any purpose as long as this notice remains intact -- * on all source code distributions. -- */ -- -#ifdef HAVE_LONG_DOUBLE -# define LDOUBLE long double -#else -# define LDOUBLE double -#endif - --#ifdef HAVE_LONG_LONG --# if defined(_WIN32) && !defined(__GNUC__) --# define LLONG __int64 --# else --# define LLONG long long --# endif --#else --# define LLONG long --#endif -- -static int fmtstr(char **, char **, size_t *, size_t *, - const char *, int, int, int); -static int fmtint(char **, char **, size_t *, size_t *, -- LLONG, int, int, int, int); +- int64_t, int, int, int, int); -static int fmtfp(char **, char **, size_t *, size_t *, - LDOUBLE, int, int, int, int); -static int doapr_outch(char **, char **, size_t *, size_t *, int); @@ -100,7 +77,7 @@ - size_t *retlen, int *truncated, const char *format, va_list args) -{ - char ch; -- LLONG value; +- int64_t value; - LDOUBLE fvalue; - char *strvalue; - int min; 
@@ -225,7 +202,7 @@ - value = va_arg(args, long int); - break; - case DP_C_LLONG: -- value = va_arg(args, LLONG); +- value = va_arg(args, int64_t); - break; - default: - value = va_arg(args, int); @@ -247,13 +224,13 @@ - value = (unsigned short int)va_arg(args, unsigned int); - break; - case DP_C_LONG: -- value = (LLONG) va_arg(args, unsigned long int); +- value = va_arg(args, unsigned long int); - break; - case DP_C_LLONG: -- value = va_arg(args, unsigned LLONG); +- value = va_arg(args, uint64_t); - break; - default: -- value = (LLONG) va_arg(args, unsigned int); +- value = va_arg(args, unsigned int); - break; - } - if (!fmtint(sbuffer, buffer, &currlen, maxlen, value, @@ -325,9 +302,9 @@ - num = va_arg(args, long int *); - *num = (long int)currlen; - } else if (cflags == DP_C_LLONG) { /* XXX */ -- LLONG *num; -- num = va_arg(args, LLONG *); -- *num = (LLONG) currlen; +- int64_t *num; +- num = va_arg(args, int64_t *); +- *num = (int64_t)currlen; - } else { - int *num; - num = va_arg(args, int *); @@ -428,11 +405,11 @@ -fmtint(char **sbuffer, - char **buffer, - size_t *currlen, -- size_t *maxlen, LLONG value, int base, int min, int max, int flags) +- size_t *maxlen, int64_t value, int base, int min, int max, int flags) -{ - int signvalue = 0; - const char *prefix = ""; -- unsigned LLONG uvalue; +- uint64_t uvalue; - char convert[DECIMAL_SIZE(value) + 3]; - int place = 0; - int spadlen = 0; @@ -445,7 +422,7 @@ - if (!(flags & DP_F_UNSIGNED)) { - if (value < 0) { - signvalue = '-'; -- uvalue = 0 - (unsigned LLONG)value; +- uvalue = 0 - (uint64_t)value; - } else if (flags & DP_F_PLUS) - signvalue = '+'; - else if (flags & DP_F_SPACE) @@ -861,7 +838,7 @@ int BIO_printf(BIO *bio, const char *format, ...) { va_list args; -@@ -877,30 +31,36 @@ int BIO_printf(BIO *bio, const char *for +@@ -857,30 +34,36 @@ int BIO_printf(BIO *bio, const char *for return (ret); } 
@@ -919,7 +896,7 @@ return (ret); } -@@ -916,29 +76,21 @@ int BIO_snprintf(char *buf, size_t n, co +@@ -896,29 +79,21 @@ int BIO_snprintf(char *buf, size_t n, co int ret; va_start(args, format); @@ -957,10 +934,10 @@ - return (retlen <= INT_MAX) ? (int)retlen : -1; + return (ret); } -Index: openssl-1.1.0e/test/bioprinttest.c +Index: openssl-1.1.0f/test/bioprinttest.c =================================================================== ---- openssl-1.1.0e.orig/test/bioprinttest.c -+++ openssl-1.1.0e/test/bioprinttest.c +--- openssl-1.1.0f.orig/test/bioprinttest.c 2017-05-25 14:46:20.000000000 +0200 ++++ openssl-1.1.0f/test/bioprinttest.c 2017-05-29 11:58:41.305051621 +0200 @@ -200,13 +200,6 @@ int main(int argc, char **argv) dofptest(test++, 66666.0 + frac, width, prec, &fail); } ++++++ openssl-1.1.0-fips.patch ++++++ ++++ 1285 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/openssl-1_1_0/openssl-1.1.0-fips.patch ++++ and /work/SRC/openSUSE:Factory/.openssl-1_1_0.new/openssl-1.1.0-fips.patch ++++++ openssl-1.1.0e.tar.gz -> openssl-1.1.0f.tar.gz ++++++ ++++ 38898 lines of diff (skipped) ++++++ openssl-disable_rsa_keygen_tests_with_small_modulus.patch ++++++ Index: openssl-1.1.0f/test/recipes/15-test_genrsa.t =================================================================== --- openssl-1.1.0f.orig/test/recipes/15-test_genrsa.t 2017-05-25 14:46:21.000000000 +0200 +++ openssl-1.1.0f/test/recipes/15-test_genrsa.t 2017-05-29 17:56:31.900331435 +0200 @@ -16,6 +16,7 @@ use OpenSSL::Test::Utils; setup("test_genrsa"); +plan skip_all => 'Minimal RSA modulus size is 200 bits'; plan tests => 5; is(run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', '8'])), 0, "genrsa -3 8"); ++++++ openssl-rsakeygen-minimum-distance.patch ++++++ --- /var/tmp/diff_new_pack.rM8XUW/_old 2017-05-29 22:20:24.669538563 +0200 +++ /var/tmp/diff_new_pack.rM8XUW/_new 2017-05-29 22:20:24.669538563 +0200 
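Review bot: `plan skip_all` placed ahead of `plan tests => 5` in 15-test_genrsa.t switches off the whole recipe, so this recipe no longer exercises `genrsa` at all and nothing in it confirms that the CC/FIPS hardening actually refuses an undersized modulus. Instead of skipping, the visible 8-bit case could become a negative test, `ok(!run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', '8'])), "genrsa -3 8 is rejected");`, with the remaining cases moved to a modulus at or above the 200-bit minimum named in the skip message. The rest of the recipe lies outside the hunk, so how many of the five planned tests depend on the small modulus cannot be seen from here.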
@@ -1,8 +1,8 @@ -Index: openssl-1.0.2g/crypto/rsa/rsa_gen.c +Index: openssl-1.1.0f/crypto/rsa/rsa_gen.c =================================================================== ---- openssl-1.0.2g.orig/crypto/rsa/rsa_gen.c 2016-04-13 15:18:47.520016582 +0200 -+++ openssl-1.0.2g/crypto/rsa/rsa_gen.c 2016-04-13 15:36:32.309233030 +0200 -@@ -465,6 +465,19 @@ static int rsa_builtin_keygen(RSA *rsa, +--- openssl-1.1.0f.orig/crypto/rsa/rsa_gen.c 2017-05-29 13:02:47.095166778 +0200 ++++ openssl-1.1.0f/crypto/rsa/rsa_gen.c 2017-05-29 13:03:29.415824383 +0200 +@@ -419,6 +419,19 @@ static int rsa_builtin_keygen(RSA *rsa, bitsp = (bits + 1) / 2; bitsq = bits - bitsp; @@ -22,7 +22,7 @@ /* We need the RSA components non-NULL */ if (!rsa->n && ((rsa->n = BN_new()) == NULL)) goto err; -@@ -489,6 +502,8 @@ static int rsa_builtin_keygen(RSA *rsa, +@@ -444,6 +457,8 @@ static int rsa_builtin_keygen(RSA *rsa, for (;;) { if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb)) goto err; 
@@ -31,33 +31,15 @@ if (!BN_sub(r2, rsa->p, BN_value_one())) goto err; if (!BN_gcd(r1, r2, rsa->e, ctx)) -@@ -501,21 +516,17 @@ static int rsa_builtin_keygen(RSA *rsa, - if (!BN_GENCB_call(cb, 3, 0)) - goto err; - for (;;) { -- /* -- * When generating ridiculously small keys, we can get stuck -- * continually regenerating the same prime values. Check for this and -- * bail if it happens 3 times. -- */ -- unsigned int degenerate = 0; -- do { -- if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb)) -- goto err; -- } while ((BN_cmp(rsa->p, rsa->q) == 0) && (++degenerate < 3)); -- if (degenerate == 3) { -- ok = 0; /* we set our own err */ -- RSAerr(RSA_F_RSA_BUILTIN_KEYGEN, RSA_R_KEY_SIZE_TOO_SMALL); -+ /* This function will take care of setting the topmost bit via BN_rand(..,1,1), so -+ * the maximum distance between p and q is less than 2^bitsq */ -+ if(!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb)) -+ goto err; +@@ -460,6 +475,13 @@ static int rsa_builtin_keygen(RSA *rsa, + if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb)) + goto err; + } while (BN_cmp(rsa->p, rsa->q) == 0); + if (BN_cmp(rsa->q, r0) < 0) + continue; + /* check for minimum distance between p and q, 2^(bitsp-100) */ + if (!BN_sub(r2, rsa->q, rsa->p)) - goto err; -- } ++ goto err; + if (BN_ucmp(r2, r3) <= 0) + continue; if (!BN_sub(r2, rsa->q, BN_value_one()))
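Review bot: The refreshed q-side checks in rsa_builtin_keygen lose their explanation: the earlier patch text carried a comment that the top bit is always set so the maximum distance between p and q stays below 2^bitsq, and the new version keeps only `/* check for minimum distance between p and q, 2^(bitsp-100) */`. `r0` and `r3` are assigned in an earlier hunk of the function that this diff does not show, so a reader of the loop cannot tell which bound `q` is compared against. I would add a line such as `/* reject q below the lower bound held in r0 */` above the `BN_cmp(rsa->q, r0)` test, and note at the distance check that `BN_ucmp` compares magnitudes, so a negative `q - p` is handled. Both rejections `continue` with no retry limit; that is presumably fine because undersized keys are refused earlier, which is worth confirming and stating in the comment.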
