Hello community, here is the log from the commit of package openssl-1_1 for openSUSE:Factory checked in at 2018-03-30 12:01:42 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openssl-1_1 (Old) and /work/SRC/openSUSE:Factory/.openssl-1_1.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl-1_1" Fri Mar 30 12:01:42 2018 rev:2 rq:592073 version:1.1.0h Changes: -------- --- /work/SRC/openSUSE:Factory/openssl-1_1/openssl-1_1.changes 2018-03-01 12:05:25.379235790 +0100 +++ /work/SRC/openSUSE:Factory/.openssl-1_1.new/openssl-1_1.changes 2018-03-30 12:01:45.154035547 +0200 @@ -1,0 +2,24 @@ +Wed Mar 28 14:34:49 UTC 2018 - vci...@suse.com + +- Tolerate a Certificate using a non-supported group on server side + (boo#1084651) + * https://github.com/openssl/openssl/pull/5607 + * add 0001-Tolerate-a-Certificate-using-a-non-supported-group-o.patch + +------------------------------------------------------------------- +Tue Mar 27 14:42:36 UTC 2018 - vci...@suse.com + +- Update to 1.1.0h + OpenSSL Security Advisory [27 Mar 2018] + * Constructed ASN.1 types with a recursive definition could exceed + the stack (CVE-2018-0739) (bsc#1087102) + * rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738) + (bsc#1071906) +- refresh patches: + * 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch + * openssl-1.1.0-fips.patch + * openssl-pkgconfig.patch + * openssl-rsakeygen-minimum-distance.patch + * openssl-static-deps.patch + +------------------------------------------------------------------- Old: ---- openssl-1.1.0g.tar.gz openssl-1.1.0g.tar.gz.asc New: ---- 0001-Tolerate-a-Certificate-using-a-non-supported-group-o.patch openssl-1.1.0h.tar.gz openssl-1.1.0h.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssl-1_1.spec ++++++ --- /var/tmp/diff_new_pack.1tc961/_old 2018-03-30 12:01:46.090001702 +0200 +++ /var/tmp/diff_new_pack.1tc961/_new 2018-03-30 12:01:46.090001702 +0200 @@ -20,7 +20,7 @@ %define maj_min 1.1 %define _rname openssl Name: openssl-1_1 -Version: 1.1.0g +Version: 1.1.0h Release: 0 Summary: Secure Sockets and Transport Layer Security License: OpenSSL @@ -74,6 +74,8 @@ Patch70: 0011-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch Patch71: 0012-s390x-assembly-pack-add-KMA-code-path-for-aes-gcm.patch Patch72: 0013-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch +# PATCH-FIX-UPSTREAM (boo#1084651) +Patch73: 0001-Tolerate-a-Certificate-using-a-non-supported-group-o.patch BuildRequires: bc BuildRequires: ed BuildRequires: pkgconfig ++++++ 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch ++++++ --- /var/tmp/diff_new_pack.1tc961/_old 2018-03-30 12:01:46.141999822 +0200 +++ /var/tmp/diff_new_pack.1tc961/_new 2018-03-30 12:01:46.141999822 +0200 @@ -4,11 +4,11 @@ Subject: [PATCH] Axe builtin printf implementation, use glibc instead -Index: openssl-1.1.0g/crypto/bio/b_print.c +Index: openssl-1.1.0h/crypto/bio/b_print.c =================================================================== ---- openssl-1.1.0g.orig/crypto/bio/b_print.c 2017-11-02 15:29:02.000000000 +0100 -+++ openssl-1.1.0g/crypto/bio/b_print.c 2017-11-02 20:48:01.240953505 +0100 -@@ -21,831 +21,6 @@ +--- openssl-1.1.0h.orig/crypto/bio/b_print.c 2018-03-27 15:50:37.000000000 +0200 ++++ openssl-1.1.0h/crypto/bio/b_print.c 2018-03-27 16:31:15.425784205 +0200 +@@ -21,830 +21,6 @@ * on all source code distributions. */ @@ -656,7 +656,7 @@ - iconvert[iplace++] = "0123456789"[intpart % 10]; - intpart = (intpart / 10); - } while (intpart && (iplace < (int)sizeof(iconvert))); -- if (iplace == sizeof iconvert) +- if (iplace == sizeof(iconvert)) - iplace--; - iconvert[iplace] = 0; - @@ -674,7 +674,7 @@ - fracpart = (fracpart / 10); - } - -- if (fplace == sizeof fconvert) +- if (fplace == sizeof(fconvert)) - fplace--; - fconvert[fplace] = 0; - @@ -836,11 +836,10 @@ -} - -/***************************************************************************/ -- + int BIO_printf(BIO *bio, const char *format, ...) { - va_list args; -@@ -859,30 +34,36 @@ int BIO_printf(BIO *bio, const char *for +@@ -859,30 +35,36 @@ int BIO_printf(BIO *bio, const char *for return (ret); } @@ -898,7 +897,7 @@ return (ret); } -@@ -898,29 +79,21 @@ int BIO_snprintf(char *buf, size_t n, co +@@ -898,29 +80,21 @@ int BIO_snprintf(char *buf, size_t n, co int ret; va_start(args, format); @@ -936,10 +935,10 @@ - return (retlen <= INT_MAX) ? (int)retlen : -1; + return (ret); } -Index: openssl-1.1.0g/test/bioprinttest.c +Index: openssl-1.1.0h/test/bioprinttest.c =================================================================== ---- openssl-1.1.0g.orig/test/bioprinttest.c 2017-11-02 15:29:05.000000000 +0100 -+++ openssl-1.1.0g/test/bioprinttest.c 2017-11-02 20:45:03.446174264 +0100 +--- openssl-1.1.0h.orig/test/bioprinttest.c 2018-03-27 15:50:40.000000000 +0200 ++++ openssl-1.1.0h/test/bioprinttest.c 2018-03-27 16:30:23.096947435 +0200 @@ -200,13 +200,6 @@ int main(int argc, char **argv) dofptest(test++, 66666.0 + frac, width, prec, &fail); } ++++++ 0001-Tolerate-a-Certificate-using-a-non-supported-group-o.patch ++++++ >From e9d26dc85238c071117d911704f5f769e79b46a1 Mon Sep 17 00:00:00 2001 From: Matt Caswell <m...@openssl.org> Date: Tue, 13 Mar 2018 17:23:10 +0000 Subject: [PATCH] Tolerate a Certificate using a non-supported group on server side If a server has been configured to use an ECDSA certificate, we should allow it regardless of whether the server's own supported groups list includes the certificate's group. Fixes #2033 Reviewed-by: Bernd Edlinger <bernd.edlin...@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5607) --- ssl/t1_lib.c | 30 +++++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 7a5721a1e2..dc4e6526d6 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -490,13 +490,16 @@ static int tls1_set_ec_id(unsigned char *curve_id, unsigned char *comp_id, return 1; } +# define DONT_CHECK_OWN_GROUPS 0 +# define CHECK_OWN_GROUPS 1 /* Check an EC key is compatible with extensions */ -static int tls1_check_ec_key(SSL *s, - unsigned char *curve_id, unsigned char *comp_id) +static int tls1_check_ec_key(SSL *s, unsigned char *curve_id, + unsigned char *comp_id, int check_own_groups) { const unsigned char *pformats, *pcurves; size_t num_formats, num_curves, i; int j; + /* * If point formats extension present check it, otherwise everything is * supported (see RFC4492). @@ -513,8 +516,12 @@ static int tls1_check_ec_key(SSL *s, } if (!curve_id) return 1; + + if (!s->server && !check_own_groups) + return 1; + /* Check curve is consistent with client and server preferences */ - for (j = 0; j <= 1; j++) { + for (j = check_own_groups ? 0 : 1; j <= 1; j++) { if (!tls1_get_curvelist(s, j, &pcurves, &num_curves)) return 0; if (j == 1 && num_curves == 0) { @@ -579,9 +586,12 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) return 0; /* * Can't check curve_id for client certs as we don't have a supported - * curves extension. + * curves extension. For server certs we will tolerate certificates that + * aren't in our own list of curves. If we've been configured to use an EC + * cert then we should use it - therefore we use DONT_CHECK_OWN_GROUPS here. */ - rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id); + rv = tls1_check_ec_key(s, s->server ? curve_id : NULL, &comp_id, + DONT_CHECK_OWN_GROUPS); if (!rv) return 0; /* @@ -644,7 +654,7 @@ int tls1_check_ec_tmp_key(SSL *s, unsigned long cid) return 0; curve_id[0] = 0; /* Check this curve is acceptable */ - if (!tls1_check_ec_key(s, curve_id, NULL)) + if (!tls1_check_ec_key(s, curve_id, NULL, CHECK_OWN_GROUPS)) return 0; return 1; } @@ -746,8 +756,9 @@ size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs) } /* - * Check signature algorithm is consistent with sent supported signature - * algorithms and if so return relevant digest. + * Check signature algorithm received from the peer with a signature is + * consistent with the sent supported signature algorithms and if so return + * relevant digest. */ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s, const unsigned char *sig, EVP_PKEY *pkey) @@ -769,7 +780,8 @@ int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s, /* Check compression and curve matches extensions */ if (!tls1_set_ec_id(curve_id, &comp_id, EVP_PKEY_get0_EC_KEY(pkey))) return 0; - if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id)) { + if (!s->server && !tls1_check_ec_key(s, curve_id, &comp_id, + CHECK_OWN_GROUPS)) { SSLerr(SSL_F_TLS12_CHECK_PEER_SIGALG, SSL_R_WRONG_CURVE); return 0; } -- 2.16.2 ++++++ openssl-1.1.0-fips.patch ++++++ ++++ 1342 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/openssl-1_1/openssl-1.1.0-fips.patch ++++ and /work/SRC/openSUSE:Factory/.openssl-1_1.new/openssl-1.1.0-fips.patch ++++++ openssl-pkgconfig.patch ++++++ --- /var/tmp/diff_new_pack.1tc961/_old 2018-03-30 12:01:46.273995049 +0200 +++ /var/tmp/diff_new_pack.1tc961/_new 2018-03-30 12:01:46.277994904 +0200 @@ -1,8 +1,8 @@ -Index: openssl-1.1.0c/Configurations/unix-Makefile.tmpl +Index: openssl-1.1.0h/Configurations/unix-Makefile.tmpl =================================================================== ---- openssl-1.1.0c.orig/Configurations/unix-Makefile.tmpl 2016-11-10 15:03:43.000000000 +0100 -+++ openssl-1.1.0c/Configurations/unix-Makefile.tmpl 2016-12-02 14:42:03.547865145 +0100 -@@ -790,7 +790,7 @@ libcrypto.pc: +--- openssl-1.1.0h.orig/Configurations/unix-Makefile.tmpl 2018-03-27 16:32:18.922799218 +0200 ++++ openssl-1.1.0h/Configurations/unix-Makefile.tmpl 2018-03-27 16:33:19.307764137 +0200 +@@ -710,7 +710,7 @@ libcrypto.pc: echo 'Version: '$(VERSION); \ echo 'Libs: -L$${libdir} -lcrypto'; \ echo 'Libs.private: $(EX_LIBS)'; \ @@ -11,10 +11,10 @@ libssl.pc: @ ( echo 'prefix=$(INSTALLTOP)'; \ -@@ -804,7 +804,7 @@ libssl.pc: +@@ -723,7 +723,7 @@ libssl.pc: + echo 'Version: '$(VERSION); \ echo 'Requires.private: libcrypto'; \ echo 'Libs: -L$${libdir} -lssl'; \ - echo 'Libs.private: $(EX_LIBS)'; \ - echo 'Cflags: -I$${includedir}' ) > libssl.pc + echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir}' ) > libssl.pc ++++++ openssl-rsakeygen-minimum-distance.patch ++++++ --- /var/tmp/diff_new_pack.1tc961/_old 2018-03-30 12:01:46.289994470 +0200 +++ /var/tmp/diff_new_pack.1tc961/_new 2018-03-30 12:01:46.289994470 +0200 @@ -1,8 +1,8 @@ -Index: openssl-1.1.0f/crypto/rsa/rsa_gen.c +Index: openssl-1.1.0h/crypto/rsa/rsa_gen.c =================================================================== ---- openssl-1.1.0f.orig/crypto/rsa/rsa_gen.c 2017-05-29 13:02:47.095166778 +0200 -+++ openssl-1.1.0f/crypto/rsa/rsa_gen.c 2017-05-29 13:03:29.415824383 +0200 -@@ -419,6 +419,19 @@ static int rsa_builtin_keygen(RSA *rsa, +--- openssl-1.1.0h.orig/crypto/rsa/rsa_gen.c 2018-03-27 16:34:44.709128590 +0200 ++++ openssl-1.1.0h/crypto/rsa/rsa_gen.c 2018-03-27 16:34:44.753129312 +0200 +@@ -420,6 +420,19 @@ static int rsa_builtin_keygen(RSA *rsa, bitsp = (bits + 1) / 2; bitsq = bits - bitsp; @@ -22,7 +22,7 @@ /* We need the RSA components non-NULL */ if (!rsa->n && ((rsa->n = BN_new()) == NULL)) goto err; -@@ -444,6 +457,8 @@ static int rsa_builtin_keygen(RSA *rsa, +@@ -446,6 +459,8 @@ static int rsa_builtin_keygen(RSA *rsa, for (;;) { if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb)) goto err; @@ -30,8 +30,8 @@ + continue; if (!BN_sub(r2, rsa->p, BN_value_one())) goto err; - if (!BN_gcd(r1, r2, rsa->e, ctx)) -@@ -460,6 +475,13 @@ static int rsa_builtin_keygen(RSA *rsa, + ERR_set_mark(); +@@ -471,6 +486,13 @@ static int rsa_builtin_keygen(RSA *rsa, if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb)) goto err; } while (BN_cmp(rsa->p, rsa->q) == 0); @@ -44,4 +44,4 @@ + continue; if (!BN_sub(r2, rsa->q, BN_value_one())) goto err; - if (!BN_gcd(r1, r2, rsa->e, ctx)) + ERR_set_mark(); ++++++ openssl-static-deps.patch ++++++ --- /var/tmp/diff_new_pack.1tc961/_old 2018-03-30 12:01:46.305993891 +0200 +++ /var/tmp/diff_new_pack.1tc961/_new 2018-03-30 12:01:46.309993747 +0200 @@ -19,10 +19,10 @@ Configure | 7 +++++++ 5 files changed, 47 insertions(+), 20 deletions(-) -Index: openssl-1.1.0e/Configurations/common.tmpl +Index: openssl-1.1.0h/Configurations/common.tmpl =================================================================== ---- openssl-1.1.0e.orig/Configurations/common.tmpl -+++ openssl-1.1.0e/Configurations/common.tmpl +--- openssl-1.1.0h.orig/Configurations/common.tmpl 2018-03-27 15:50:37.000000000 +0200 ++++ openssl-1.1.0h/Configurations/common.tmpl 2018-03-27 16:31:37.126131133 +0200 @@ -9,15 +9,22 @@ # there are no duplicate dependencies and that they are in the # right order. This is especially used to sort the list of @@ -59,11 +59,11 @@ } @newlist; } -Index: openssl-1.1.0e/Configurations/descrip.mms.tmpl +Index: openssl-1.1.0h/Configurations/descrip.mms.tmpl =================================================================== ---- openssl-1.1.0e.orig/Configurations/descrip.mms.tmpl -+++ openssl-1.1.0e/Configurations/descrip.mms.tmpl -@@ -524,6 +524,17 @@ configdata.pm : $(SRCDIR)Configure $(SRC +--- openssl-1.1.0h.orig/Configurations/descrip.mms.tmpl 2018-03-27 15:50:37.000000000 +0200 ++++ openssl-1.1.0h/Configurations/descrip.mms.tmpl 2018-03-27 16:31:37.126131133 +0200 +@@ -537,6 +537,17 @@ configdata.pm : $(SRCDIR)Configure $(SRC use File::Basename; use File::Spec::Functions qw/abs2rel rel2abs catfile catdir/; @@ -81,7 +81,7 @@ sub generatesrc { my %args = @_; my $generator = join(" ", @{$args{generator}}); -@@ -619,9 +630,7 @@ EOF +@@ -632,9 +643,7 @@ EOF my $libd = dirname($lib); my $libn = basename($lib); (my $mkdef_key = $libn) =~ s/^${osslprefix_q}lib([^0-9]*)\d*/$1/i; @@ -92,7 +92,7 @@ my $deps = join(", -\n\t\t", @deps); my $shlib_target = $disabled{shared} ? "" : $target{shared_target}; my $ordinalsfile = defined($args{ordinals}) ? $args{ordinals}->[1] : ""; -@@ -667,9 +676,7 @@ EOF +@@ -680,9 +689,7 @@ EOF my $libn = basename($lib); (my $libn_nolib = $libn) =~ s/^lib//; my @objs = map { "$_.OBJ" } @{$args{objs}}; @@ -103,7 +103,7 @@ my $deps = join(", -\n\t\t", @objs, @deps); my $shlib_target = $disabled{shared} ? "" : $target{shared_target}; my $engine_opt = abs2rel(rel2abs(catfile($config{sourcedir}, -@@ -719,9 +726,7 @@ EOF +@@ -732,9 +739,7 @@ EOF my $bind = dirname($bin); my $binn = basename($bin); my @objs = map { "$_.OBJ" } @{$args{objs}}; @@ -114,11 +114,11 @@ my $deps = join(", -\n\t\t", @objs, @deps); # The "[]" hack is because in .OPT files, each line inherits the # previous line's file spec as default, so if no directory spec -Index: openssl-1.1.0e/Configurations/unix-Makefile.tmpl +Index: openssl-1.1.0h/Configurations/unix-Makefile.tmpl =================================================================== ---- openssl-1.1.0e.orig/Configurations/unix-Makefile.tmpl -+++ openssl-1.1.0e/Configurations/unix-Makefile.tmpl -@@ -837,13 +837,13 @@ configdata.pm: $(SRCDIR)/Configure $(SRC +--- openssl-1.1.0h.orig/Configurations/unix-Makefile.tmpl 2018-03-27 16:31:37.110130877 +0200 ++++ openssl-1.1.0h/Configurations/unix-Makefile.tmpl 2018-03-27 16:31:37.126131133 +0200 +@@ -755,13 +755,13 @@ configdata.pm: $(SRCDIR)/Configure $(SRC # It takes a list of library names and outputs a list of dependencies sub compute_lib_depends { if ($disabled{shared}) { @@ -134,7 +134,7 @@ } sub generatesrc { -@@ -1056,11 +1056,16 @@ EOF +@@ -976,11 +976,16 @@ EOF my $binn = basename($bin); my $objs = join(" ", map { $_.$objext } @{$args{objs}}); my $deps = join(" ",compute_lib_depends(@{$args{deps}})); @@ -156,11 +156,11 @@ my $shlib_target = $disabled{shared} ? "" : $target{shared_target}; return <<"EOF"; $bin$exeext: $objs $deps -Index: openssl-1.1.0e/Configurations/windows-makefile.tmpl +Index: openssl-1.1.0h/Configurations/windows-makefile.tmpl =================================================================== ---- openssl-1.1.0e.orig/Configurations/windows-makefile.tmpl -+++ openssl-1.1.0e/Configurations/windows-makefile.tmpl -@@ -342,8 +342,10 @@ configdata.pm: "$(SRCDIR)\Configure" {- +--- openssl-1.1.0h.orig/Configurations/windows-makefile.tmpl 2018-03-27 15:50:37.000000000 +0200 ++++ openssl-1.1.0h/Configurations/windows-makefile.tmpl 2018-03-27 16:31:37.126131133 +0200 +@@ -361,8 +361,10 @@ configdata.pm: "$(SRCDIR)\Configure" {- # It takes a list of library names and outputs a list of dependencies sub compute_lib_depends { if ($disabled{shared}) { @@ -172,11 +172,11 @@ return map { shlib_import($_) } @_; } -Index: openssl-1.1.0e/Configure +Index: openssl-1.1.0h/Configure =================================================================== ---- openssl-1.1.0e.orig/Configure -+++ openssl-1.1.0e/Configure -@@ -1838,9 +1838,16 @@ EOF +--- openssl-1.1.0h.orig/Configure 2018-03-27 15:50:37.000000000 +0200 ++++ openssl-1.1.0h/Configure 2018-03-27 16:31:37.126131133 +0200 +@@ -1844,9 +1844,16 @@ EOF $d = cleanfile($buildd, $_, $blddir); } # Take note if the file to depend on is being renamed @@ -191,5 +191,5 @@ } + $d .= $e; $unified_info{depends}->{$ddest}->{$d} = 1; - # If we depend on a header file or a perl module, let's make - # sure it can get included + } + }