Hello community,

here is the log from the commit of package openssl-1_1 for openSUSE:Factory checked in at 2019-05-16 21:54:39
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssl-1_1 (Old)
 and      /work/SRC/openSUSE:Factory/.openssl-1_1.new.5148 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openssl-1_1"

Thu May 16 21:54:39 2019 rev:6 rq:681494 version:1.1.1b

Changes:
--------
--- /work/SRC/openSUSE:Factory/openssl-1_1/openssl-1_1.changes 2018-08-07 09:40:54.277082903 +0200
+++ /work/SRC/openSUSE:Factory/.openssl-1_1.new.5148/openssl-1_1.changes 2019-05-16 21:54:43.762922413 +0200
@@ -1,0 +2,208 @@ +Mon Mar 4 13:01:18 UTC 2019 - Dominique Leuenberger <[email protected]> + +- Drop bc and ed BuildRequires: I could not find any reference to + these tools being used during build or check. + +------------------------------------------------------------------- +Fri Mar 1 13:28:03 UTC 2019 - Vítězslav Čížek <[email protected]> + +- Use upstream-approved patch for the handling of strerror_r + * https://github.com/openssl/openssl/pull/8371 +- add openssl-fix-handling-of-GNU-strerror_r.patch +- drop strerror.patch + +------------------------------------------------------------------- +Thu Feb 28 13:37:55 UTC 2019 - Pedro Monreal Gonzalez <[email protected]> + +- Update to 1.1.1b + * Added SCA hardening for modular field inversion in EC_GROUP + through a new dedicated field_inv() pointer in EC_METHOD. + * Change the info callback signals for the start and end of a post-handshake + message exchange in TLSv1.3. In 1.1.1/1.1.1a we used SSL_CB_HANDSHAKE_START + and SSL_CB_HANDSHAKE_DONE. Experience has shown that many applications get + confused by this and assume that a TLSv1.2 renegotiation has started. This + can break KeyUpdate handling. Instead we no longer signal the start and end + of a post handshake message exchange (although the messages themselves are + still signalled). This could break some applications that were expecting + the old signals. However without this KeyUpdate is not usable for many + applications. + * Fix a bug in the computation of the endpoint-pair shared secret used + by DTLS over SCTP. This breaks interoperability with older versions + of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime + switch SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG (off by default) enabling + interoperability with such broken implementations. However, enabling + this switch breaks interoperability with correct implementations. 
+ * Fix a use after free bug in d2i_X509_PUBKEY when overwriting a + re-used X509_PUBKEY object if the second PUBKEY is malformed. + * Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0() + +------------------------------------------------------------------- +Thu Feb 28 12:10:33 UTC 2019 - Vítězslav Čížek <[email protected]> + +- Add strerror.patch to avoid problems with strerror_r() not setting + the provided buf + +------------------------------------------------------------------- +Mon Feb 11 14:39:12 UTC 2019 - Vítězslav Čížek <[email protected]> + +- Add s390x poly1305 vectorized implementation (fate#326351) + * https://github.com/openssl/openssl/pull/7991 +- add 0001-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch + +------------------------------------------------------------------- +Thu Jan 10 15:20:07 UTC 2019 - Vítězslav Čížek <[email protected]> + +- Add s390x chacha20 vectorized implementation (fate#326561) + * https://github.com/openssl/openssl/pull/6919 +- added patches: + 0001-s390x-assembly-pack-perlasm-support.patch + 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch + +------------------------------------------------------------------- +Tue Nov 20 14:31:28 UTC 2018 - Vítězslav Čížek <[email protected]> + +- Update to 1.1.1a + * Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for + the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names + are retained for backwards compatibility. + * Fixed the issue that RAND_add()/RAND_seed() silently discards random input + if its length exceeds 4096 bytes. The limit has been raised to a buffer size + of two gigabytes and the error handling improved. 
+- drop upstream patches: + * 0001-Add-a-constant-time-flag-to-one-of-the-bignums-to-av.patch + * 0001-DSA-Check-for-sanity-of-input-parameters.patch + * 0001-DSA-mod-inverse-fix.patch + * openssl-CVE-2018-0734.patch + * openssl-CVE-2018-0735.patch + +------------------------------------------------------------------- +Mon Nov 5 12:53:54 UTC 2018 - Vítězslav Čížek <[email protected]> + +- OpenSSL Security Advisory [30 October 2018] + * Timing vulnerability in ECDSA signature generation + (bsc#1113651, CVE-2018-0735) + * Timing vulnerability in DSA signature generation + (bsc#1113652, CVE-2018-0734) + * And more timing fixes +- Add patches: + * openssl-CVE-2018-0734.patch + * openssl-CVE-2018-0735.patch + * 0001-DSA-mod-inverse-fix.patch + * 0001-Add-a-constant-time-flag-to-one-of-the-bignums-to-av.patch + +------------------------------------------------------------------- +Mon Nov 5 11:00:54 UTC 2018 - Vítězslav Čížek <[email protected]> + +- Fix infinite loop in DSA generation with incorrect parameters + (bsc#1112209) + * 0001-DSA-Check-for-sanity-of-input-parameters.patch + +------------------------------------------------------------------- +Thu Oct 25 13:32:33 UTC 2018 - Cristian Rodríguez <[email protected]> + +- Explictly select "getrandom" system call as the seed source, + it is the safer/best performing choice on linux. +- do not force -std=gnu99, pick the compiler default. 
+ +------------------------------------------------------------------- +Tue Sep 11 13:49:06 UTC 2018 - Vítězslav Čížek <[email protected]> + +- Update to 1.1.1 release + * This is the first official release of the OpenSSL 1.1.1 branch + which brings TLS 1.3 support +- remove all TLS 1.3 ciphers from the DEFAULT_SUSE cipher list as they + are configured differently + * modified openssl-DEFAULT_SUSE_cipher.patch +- drop obsolete openssl-pretend_we_are_not_beta.patch + +------------------------------------------------------------------- +Thu Aug 23 13:21:00 UTC 2018 - [email protected] + +- Update to 1.1.1-pre9 (Beta 7) + * Support for TLSv1.3 added + * Move the display of configuration data to configdata.pm. + * Allow GNU style "make variables" to be used with Configure. + * Add a STORE module (OSSL_STORE) + * Claim the namespaces OSSL and OPENSSL, represented as symbol prefixes + * Add multi-prime RSA (RFC 8017) support + * Add SM3 implemented according to GB/T 32905-2016 + * Add SM4 implemented according to GB/T 32907-2016. 
+ * Add 'Maximum Fragment Length' TLS extension negotiation and support + * Add ARIA support + * Add SHA3 + * Rewrite of devcrypto engine + * Add support for SipHash + * Grand redesign of the OpenSSL random generator +- pretend the release is not a Beta, to avoid "OpenSSL version mismatch" + with OpenSSH + * add openssl-pretend_we_are_not_beta.patch +- drop FIPS support + * don't build with FIPS mode (not supported in 1.1.1) + * don't create the -hmac subpackages + - drop FIPS patches + * openssl-fips-clearerror.patch + * openssl-fips-dont-fall-back-to-default-digest.patch + * openssl-fips-dont_run_FIPS_module_installed.patch + * openssl-fips-fix-odd-rsakeybits.patch + * openssl-fips-rsagen-d-bits.patch + * openssl-fips-selftests_in_nonfips_mode.patch + * openssl-fips_disallow_ENGINE_loading.patch + * openssl-rsakeygen-minimum-distance.patch + * openssl-1.1.0-fips.patch + * openssl-urandom-reseeding.patch + * openssl-CVE-2018-0737-fips.patch +- add TLS 1.3 ciphers to DEFAULT_SUSE +- merge openssl-1.0.1e-add-suse-default-cipher.patch and + openssl-1.0.1e-add-test-suse-default-cipher-suite.patch to + openssl-DEFAULT_SUSE_cipher.patch +- drop patches: + * openssl-static-deps.patch (upstream) + * 0001-Resume-reading-from-randfile-when-interrupted-by-a-s.patch + * openssl-disable_rsa_keygen_tests_with_small_modulus.patch + * 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch +- drop s390x patches + * 0002-crypto-modes-asm-ghash-s390x.pl-fix-gcm_gmult_4bit-K.patch + * 0004-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch + * 0005-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch + * 0006-s390x-assembly-pack-extended-s390x-capability-vector.patch + * 0007-crypto-evp-e_aes.c-add-foundations-for-extended-s390.patch + * 0008-s390x-assembly-pack-extended-s390x-capability-vector.patch + * 0009-crypto-aes-asm-aes-s390x.pl-add-KMA-code-path.patch + * 0010-doc-man3-OPENSSL_s390xcap.pod-update-KMA.patch + * 
0011-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch + * 0012-s390x-assembly-pack-add-KMA-code-path-for-aes-gcm.patch + * 0013-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch + +------------------------------------------------------------------- +Tue Aug 14 14:02:22 UTC 2018 - [email protected] + +- Update to 1.1.0i + OpenSSL Security Advisory [12 June 2018] + * Reject excessively large primes in DH key generation + (bsc#1097158, CVE-2018-0732) + * Make EVP_PKEY_asn1_new() a bit stricter about its input + * Revert blinding in ECDSA sign and instead make problematic addition + length-invariant. Switch even to fixed-length Montgomery multiplication. + * Change generating and checking of primes so that the error rate of not + being prime depends on the intended use based on the size of the input. + * Increase the number of Miller-Rabin rounds for DSA key generating to 64. + * Add blinding to ECDSA and DSA signatures to protect against side channel + attacks + * When unlocking a pass phrase protected PEM file or PKCS#8 container, we + now allow empty (zero character) pass phrases. + * Certificate time validation (X509_cmp_time) enforces stricter + compliance with RFC 5280. Fractional seconds and timezone offsets + are no longer allowed. 
+ * Fixed a text canonicalisation bug in CMS +- drop patches (upstream): ++++ 11 more lines (skipped) ++++ between /work/SRC/openSUSE:Factory/openssl-1_1/openssl-1_1.changes ++++ and /work/SRC/openSUSE:Factory/.openssl-1_1.new.5148/openssl-1_1.changes Old: ---- 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch 0001-Limit-scope-of-CN-name-constraints.patch 0001-Resume-reading-from-randfile-when-interrupted-by-a-s.patch 0001-Revert-util-dofile.pl-only-quote-stuff-that-actually.patch 0001-Tolerate-a-Certificate-using-a-non-supported-group-o.patch 0002-Skip-CN-DNS-name-constraint-checks-when-not-needed.patch 0002-crypto-modes-asm-ghash-s390x.pl-fix-gcm_gmult_4bit-K.patch 0004-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch 0005-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch 0006-s390x-assembly-pack-extended-s390x-capability-vector.patch 0007-crypto-evp-e_aes.c-add-foundations-for-extended-s390.patch 0008-s390x-assembly-pack-extended-s390x-capability-vector.patch 0009-crypto-aes-asm-aes-s390x.pl-add-KMA-code-path.patch 0010-doc-man3-OPENSSL_s390xcap.pod-update-KMA.patch 0011-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch 0012-s390x-assembly-pack-add-KMA-code-path-for-aes-gcm.patch 0013-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch openssl-1.0.1e-add-suse-default-cipher.patch openssl-1.0.1e-add-test-suse-default-cipher-suite.patch openssl-1.1.0-fips.patch openssl-1.1.0h.tar.gz openssl-1.1.0h.tar.gz.asc openssl-CVE-2018-0737.patch openssl-disable_rsa_keygen_tests_with_small_modulus.patch openssl-fips-clearerror.patch openssl-fips-dont-fall-back-to-default-digest.patch openssl-fips-dont_run_FIPS_module_installed.patch openssl-fips-fix-odd-rsakeybits.patch openssl-fips-rsagen-d-bits.patch openssl-fips-selftests_in_nonfips_mode.patch openssl-fips_disallow_ENGINE_loading.patch openssl-rsakeygen-minimum-distance.patch openssl-static-deps.patch openssl-urandom-reseeding.patch New: ---- 
0001-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch 0001-s390x-assembly-pack-perlasm-support.patch 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch openssl-1.1.1b.tar.gz openssl-1.1.1b.tar.gz.asc openssl-DEFAULT_SUSE_cipher.patch openssl-fix-handling-of-GNU-strerror_r.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssl-1_1.spec ++++++ --- /var/tmp/diff_new_pack.8PjcXw/_old 2019-05-16 21:54:46.306921341 +0200 +++ /var/tmp/diff_new_pack.8PjcXw/_new 2019-05-16 21:54:46.330921331 +0200 @@ -1,7 +1,7 @@ # # spec file for package openssl-1_1 # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # 
@@ -20,72 +20,37 @@ %define maj_min 1.1 %define _rname openssl Name: openssl-1_1 -Version: 1.1.0h +# Don't forget to update the version in the "openssl" package! +Version: 1.1.1b Release: 0 Summary: Secure Sockets and Transport Layer Security License: OpenSSL Group: Productivity/Networking/Security -Url: https://www.openssl.org/ +URL: https://www.openssl.org/ Source: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz # to get mtime of file: Source1: %{name}.changes Source2: baselibs.conf -Source42: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz.asc +Source3: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz.asc # https://www.openssl.org/about/ # http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA2D29B7BF295C759#/openssl.keyring -Source43: %{_rname}.keyring -Source99: showciphers.c -# https://github.com/openssl/openssl/pull/2045 -Patch0: 0001-Resume-reading-from-randfile-when-interrupted-by-a-s.patch -# PATCH-FIX-OPENSUSE: upstream won't use glibc -Patch1: 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch +Source4: %{_rname}.keyring +Source5: showciphers.c # PATCH-FIX-OPENSUSE: do not install html mans it takes ages -Patch2: openssl-1.1.0-no-html.patch -# PATCH-FIX-UPSTREAM: patch to allow deps and linking to static libs -# needed for fips and taken from upstream -Patch3: openssl-static-deps.patch -Patch4: openssl-truststore.patch -Patch5: openssl-pkgconfig.patch -Patch6: openssl-1.0.1e-add-suse-default-cipher.patch -Patch7: openssl-1.0.1e-add-test-suse-default-cipher-suite.patch -Patch8: openssl-ppc64-config.patch -Patch9: openssl-no-date.patch -# FIPS patches: -Patch51: openssl-1.1.0-fips.patch -Patch52: openssl-fips-dont_run_FIPS_module_installed.patch -Patch53: openssl-fips_disallow_ENGINE_loading.patch -Patch54: openssl-rsakeygen-minimum-distance.patch -Patch55: openssl-urandom-reseeding.patch -Patch56: openssl-fips-rsagen-d-bits.patch -Patch57: openssl-fips-selftests_in_nonfips_mode.patch -Patch58: 
openssl-fips-fix-odd-rsakeybits.patch -Patch59: openssl-fips-clearerror.patch -Patch60: openssl-fips-dont-fall-back-to-default-digest.patch -Patch61: openssl-disable_rsa_keygen_tests_with_small_modulus.patch -# FATE#321518 Add support for s390x CPACF enhancements (https://fate.suse.com/321518) -Patch62: 0002-crypto-modes-asm-ghash-s390x.pl-fix-gcm_gmult_4bit-K.patch -Patch63: 0004-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch -Patch64: 0005-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch -Patch65: 0006-s390x-assembly-pack-extended-s390x-capability-vector.patch -Patch66: 0007-crypto-evp-e_aes.c-add-foundations-for-extended-s390.patch -Patch67: 0008-s390x-assembly-pack-extended-s390x-capability-vector.patch -Patch68: 0009-crypto-aes-asm-aes-s390x.pl-add-KMA-code-path.patch -Patch69: 0010-doc-man3-OPENSSL_s390xcap.pod-update-KMA.patch -Patch70: 0011-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch -Patch71: 0012-s390x-assembly-pack-add-KMA-code-path-for-aes-gcm.patch -Patch72: 0013-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch -# PATCH-FIX-UPSTREAM (boo#1084651) -Patch73: 0001-Tolerate-a-Certificate-using-a-non-supported-group-o.patch -# PATCH-FIX-UPSTREAM (boo#1091961) -Patch74: 0001-Revert-util-dofile.pl-only-quote-stuff-that-actually.patch -Patch75: openssl-CVE-2018-0737.patch -# PATCH-FIX-UPSTREAM (bsc#1084011) -Patch76: 0001-Limit-scope-of-CN-name-constraints.patch -Patch77: 0002-Skip-CN-DNS-name-constraint-checks-when-not-needed.patch -BuildRequires: bc -BuildRequires: ed +Patch1: openssl-1.1.0-no-html.patch +Patch2: openssl-truststore.patch +Patch3: openssl-pkgconfig.patch +Patch4: openssl-DEFAULT_SUSE_cipher.patch +Patch5: openssl-ppc64-config.patch +Patch6: openssl-no-date.patch +# PATCH-FIX-UPSTREAM https://github.com/openssl/openssl/pull/6919 fate#326561 +Patch7: 0001-s390x-assembly-pack-perlasm-support.patch +Patch8: 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch +# PATCH-FIX-UPSTREAM FATE#326351 
Add vectorized poly1305 implementation for s390x (https://github.com/openssl/openssl/pull/7991) +Patch9: 0001-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch +# PATCH-FIX-UPSTREAM https://github.com/openssl/openssl/pull/8371 +Patch10: openssl-fix-handling-of-GNU-strerror_r.patch BuildRequires: pkgconfig -BuildRequires: pkgconfig(zlib) Conflicts: ssl Provides: ssl Provides: openssl(cli) @@ -102,7 +67,6 @@ %package -n libopenssl1_1 Summary: Secure Sockets and Transport Layer Security -License: OpenSSL Group: Productivity/Networking/Security Recommends: ca-certificates-mozilla # install libopenssl and libopenssl-hmac close together (bsc#1090765) @@ -118,11 +82,9 @@ %package -n libopenssl-1_1-devel Summary: Development files for OpenSSL -License: OpenSSL Group: Development/Libraries/C and C++ -Recommends: %{name} = %{version} Requires: libopenssl1_1 = %{version} -Requires: pkgconfig(zlib) +Recommends: %{name} = %{version} # we need to have around only the exact version we are able to operate with Conflicts: libopenssl-devel < %{version} Conflicts: libopenssl-devel > %{version} @@ -135,21 +97,8 @@ This subpackage contains header files for developing applications that want to make use of the OpenSSL C API. -%package -n libopenssl1_1-hmac -Summary: HMAC files for FIPS-140-2 integrity checking of the openssl shared libraries -License: BSD-3-Clause -Group: Productivity/Networking/Security -Requires: libopenssl1_1 = %{version}-%{release} -# Needed for clean upgrade from former openssl-1_1_0, boo#1081335 -Obsoletes: libopenssl1_1_0-hmac - -%description -n libopenssl1_1-hmac -The FIPS compliant operation of the openssl shared libraries is NOT -possible without the HMAC hashes contained in this package! - %package doc Summary: Additional Package Documentation -License: OpenSSL Group: Productivity/Networking/Security Conflicts: openssl-doc Provides: openssl-doc = %{version} 
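Review bot: the `libopenssl1_1-hmac` subpackage is deleted in the `@@ -135,21 +97,8 @@` hunk without any `Obsoletes:` being added to `libopenssl1_1`, so a system that has the old `libopenssl1_1-hmac` installed keeps it as an orphan after this update; the removed lines show the pattern used for the previous rename (`# Needed for clean upgrade from former openssl-1_1_0, boo#1081335` / `Obsoletes: libopenssl1_1_0-hmac`), and the same treatment is warranted here, e.g. `Obsoletes: libopenssl1_1-hmac` on the library package, with `baselibs.conf` kept in sync. In the `@@ -20,72 +20,37 @@` hunk, Patch2 to Patch6 (`openssl-truststore.patch` through `openssl-no-date.patch`) still carry no `PATCH-FIX-OPENSUSE`/`PATCH-FIX-UPSTREAM` comment line while Patch7 to Patch10 do; one tag line per patch keeps the list reviewable.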
@@ -173,20 +122,17 @@ %endif ./config \ - no-rc5 no-idea \ - fips \ - no-ssl3 \ + no-idea \ enable-rfc3779 \ %ifarch x86_64 aarch64 ppc64le enable-ec_nistp_64_gcc_128 \ %endif enable-camellia \ - zlib \ no-ec2m \ --prefix=%{_prefix} \ --libdir=%{_lib} \ --openssldir=%{ssletcdir} \ - %{optflags} -std=gnu99 \ + %{optflags} \ -Wa,--noexecstack \ -Wl,-z,relro,-z,now \ -fno-common \ @@ -195,7 +141,11 @@ -D_GNU_SOURCE \ -DOPENSSL_NO_BUF_FREELISTS \ $(getconf LFS_CFLAGS) \ - -Wall + -Wall \ + --with-rand-seed=getrandom + +# Show build configuration +perl configdata.pm --dump util/mkdef.pl crypto update make depend %{?_smp_mflags} @@ -206,7 +156,7 @@ export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) LD_LIBRARY_PATH=`pwd` make test -j1 # show cyphers -gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE99} -L%{buildroot}%{_libdir} -lssl -lcrypto +gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{buildroot}%{_libdir} -lssl -lcrypto LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers %install 
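Review bot: the `./config` hunk drops `zlib` and `no-ssl3` (besides `fips` and `no-rc5`) and adds `--with-rand-seed=getrandom`, but the .changes entries above only document the `-std=gnu99` and getrandom changes; dropping `zlib` is a behaviour change that deserves a changelog line, since it removes compression support entirely (including TLS-level compression, which is the better default from a CRIME standpoint) and any consumer relying on `COMP_zlib()` now gets the null method. Dropping `no-ssl3` and `no-rc5` is harmless because 1.1.x already disables `ssl3`, `ssl3-method` and `rc5` by default. `--with-rand-seed=getrandom` pins the DRBG seed source to getrandom(2) with no `/dev/urandom` fallback compiled in, which is fine for Factory kernels but means this binary cannot seed on a kernel without the syscall; adding `perl configdata.pm --dump` to the build log is a good way to confirm that and the other options in the build output.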
@@ -251,30 +201,7 @@ find demos -type f -perm /111 -exec chmod 644 {} \; # Place showciphers.c for %doc macro -cp %{SOURCE99} . - -# the hmac hashes: -# -# this is a hack that re-defines the __os_install_post macro -# for a simple reason: the macro strips the binaries and thereby -# invalidates a HMAC that may have been created earlier. -# solution: create the hashes _after_ the macro runs. -# -# this shows up earlier because otherwise the %expand of -# the macro is too late. -# remark: This is the same as running -# openssl dgst -sha256 -hmac 'ppaksykemnsecgtsttplmamstKMEs' -%{expand:%%global __os_install_post {%__os_install_post - -%{buildroot}%{_bindir}/fips_standalone_hmac \ - %{buildroot}%{_libdir}/libssl.so.%{maj_min} > \ - %{buildroot}%{_libdir}/.libssl.so.%{maj_min}.hmac - -%{buildroot}%{_bindir}/fips_standalone_hmac \ - %{buildroot}%{_libdir}/libcrypto.so.%{maj_min} > \ - %{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.hmac - -}} +cp %{SOURCE5} . %post -n libopenssl1_1 -p /sbin/ldconfig %postun -n libopenssl1_1 -p /sbin/ldconfig @@ -285,10 +212,6 @@ %{_libdir}/libcrypto.so.%{maj_min} %{_libdir}/engines-%{maj_min} -%files -n libopenssl1_1-hmac -%{_libdir}/.libssl.so.%{maj_min}.hmac -%{_libdir}/.libcrypto.so.%{maj_min}.hmac - %files -n libopenssl-1_1-devel %{_includedir}/%{_rname}/ %{_includedir}/ssl 
@@ -307,10 +230,12 @@ %dir %{ssletcdir} %config (noreplace) %{ssletcdir}/openssl.cnf %attr(700,root,root) %{ssletcdir}/private +%{ssletcdir}/ct_log_list.cnf +%{ssletcdir}/ct_log_list.cnf.dist + %dir %{_datadir}/ssl %{_datadir}/ssl/misc %{_bindir}/c_rehash -%{_bindir}/fips_standalone_hmac %{_bindir}/%{_rname} %changelog ++++++ 0001-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch ++++++ ++++ 1006 lines (skipped) ++++++ 0001-s390x-assembly-pack-perlasm-support.patch ++++++ ++++ 3089 lines (skipped) ++++++ 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch ++++++ ++++ 886 lines (skipped) ++++++ baselibs.conf ++++++ --- /var/tmp/diff_new_pack.8PjcXw/_old 2019-05-16 21:54:46.450921281 +0200 +++ /var/tmp/diff_new_pack.8PjcXw/_new 2019-05-16 21:54:46.454921279 +0200 @@ -5,6 +5,3 @@ conflicts "otherproviders(libopenssl-devel-<targettype>)" requires -"openssl-1_1-<targettype>" requires "libopenssl1_1-<targettype> = <version>" -libopenssl1_1-hmac - requires "libopenssl1_1-<targettype> = <version>-%release" - obsoletes "libopenssl1_1_0-hmac-<targettype>" ++++++ openssl-1.1.0h.tar.gz -> openssl-1.1.1b.tar.gz ++++++ /work/SRC/openSUSE:Factory/openssl-1_1/openssl-1.1.0h.tar.gz /work/SRC/openSUSE:Factory/.openssl-1_1.new.5148/openssl-1.1.1b.tar.gz differ: char 5, line 1 ++++++ openssl-DEFAULT_SUSE_cipher.patch ++++++ Index: openssl-1.1.1/ssl/ssl_ciph.c =================================================================== --- openssl-1.1.1.orig/ssl/ssl_ciph.c 2018-09-11 14:48:23.000000000 +0200 +++ openssl-1.1.1/ssl/ssl_ciph.c 2018-09-11 16:38:40.412543331 +0200 
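Review bot: in the spec's `@@ -307,10 +230,12 @@` hunk, `%{ssletcdir}/ct_log_list.cnf` and `ct_log_list.cnf.dist` are listed as plain files while `openssl.cnf` two lines above is `%config (noreplace)`; the `.cnf` is the site-editable CT log list (the `.dist` copy is the pristine one), so a local edit to it would be overwritten on every update unless it is marked `%config(noreplace)` as well. Removing `%{_bindir}/fips_standalone_hmac` and the `libopenssl1_1-hmac` block in `baselibs.conf` is consistent with dropping the hmac subpackage above.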
@@ -1567,7 +1567,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ */ ok = 1; rule_p = rule_str; - if (strncmp(rule_str, "DEFAULT", 7) == 0) { + if (strncmp(rule_str,"DEFAULT_SUSE", 12) == 0) { + ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST, + &head, &tail, ca_list, c); + rule_p += 12; + if (*rule_p == ':') + rule_p++; + } + else if (strncmp(rule_str, "DEFAULT", 7) == 0) { ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, &head, &tail, ca_list, c); rule_p += 7; Index: openssl-1.1.1/include/openssl/ssl.h =================================================================== --- openssl-1.1.1.orig/include/openssl/ssl.h 2018-09-11 14:48:23.000000000 +0200 +++ openssl-1.1.1/include/openssl/ssl.h 2018-09-11 16:45:20.979303981 +0200 @@ -171,6 +171,11 @@ extern "C" { * This applies to ciphersuites for TLSv1.2 and below. */ # define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL" +# define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"\ + "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:"\ + "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\ + "DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\ + "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA" /* This is the default set of TLSv1.3 ciphersuites */ # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) # define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ Index: openssl-1.1.1/test/recipes/99-test_suse_default_ciphers.t =================================================================== 
--- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.1.1/test/recipes/99-test_suse_default_ciphers.t 2018-09-11 16:38:23.292423281 +0200 @@ -0,0 +1,23 @@ +#! /usr/bin/env perl + +use strict; +use warnings; + +use OpenSSL::Test qw/:DEFAULT/; +use OpenSSL::Test::Utils; + +setup("test_default_ciphersuites"); + +plan tests => 6; + +my @cipher_suites = ("DEFAULT_SUSE", "DEFAULT"); + +foreach my $cipherlist (@cipher_suites) { + ok(run(app(["openssl", "ciphers", "-s", $cipherlist])), + "openssl ciphers works with ciphersuite $cipherlist"); + ok(!grep(/(MD5|RC4|DES)/, run(app(["openssl", "ciphers", "-s", $cipherlist]), capture => 1)), + "$cipherlist shouldn't contain MD5, DES or RC4\n"); + ok(grep(/(TLSv1.3)/, run(app(["openssl", "ciphers", "-tls1_3", "-s", "-v", $cipherlist]), capture => 1)), + "$cipherlist should contain TLSv1.3 ciphers\n"); +} + ++++++ openssl-fix-handling-of-GNU-strerror_r.patch ++++++ diff --git a/crypto/o_str.c b/crypto/o_str.c index 02578dbf0d..3b271e745b 100644 --- a/crypto/o_str.c +++ b/crypto/o_str.c 
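Review bot: in the `ssl_ciph.c` hunk the `DEFAULT_SUSE` comparison is correctly placed before the `DEFAULT` one (the 7-byte `strncmp` would otherwise match first and treat `_SUSE` as a trailing rule), and the `rule_p += 12` / `':'` handling mirrors the existing branch. Two points on the rest of the patch. First, `SSL_DEFAULT_SUSE_CIPHER_LIST` is added to the installed public header `include/openssl/ssl.h`; a distro-only macro there invites application code that compiles only on SUSE, so an internal header (or keeping the string local to `ssl_ciph.c`) would be the safer home. Second, the third check in `99-test_suse_default_ciphers.t` (`openssl ciphers -tls1_3 -s -v $cipherlist` must contain `TLSv1.3`) passes for any cipher-list string, because TLSv1.3 ciphersuites come from `TLS_DEFAULT_CIPHERSUITES` and are not governed by the TLSv1.2-and-below list this patch edits (the .changes entry for 1.1.1 says as much: TLS 1.3 ciphers were removed from DEFAULT_SUSE "as they are configured differently"), so that assertion does not exercise the SUSE list at all. The list itself ends with static-RSA and CBC/SHA-1 suites (`AES256-SHA`, `CAMELLIA128-SHA`, ...); acceptable for a compatibility default, but a comment stating that the ordering, not the membership, is what gives forward-secret suites preference would help the next person who rebases it.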
@@ -223,7 +223,26 @@ int openssl_strerror_r(int errnum, char *buf, size_t buflen) #if defined(_MSC_VER) && _MSC_VER>=1400 return !strerror_s(buf, buflen, errnum); #elif defined(_GNU_SOURCE) - return strerror_r(errnum, buf, buflen) != NULL; + char *err; + + /* + * GNU strerror_r may not actually set buf. + * It can return a pointer to some (immutable) static string in which case + * buf is left unused. + */ + err = strerror_r(errnum, buf, buflen); + if (err == NULL) + return 0; + /* + * If err is statically allocated, err != buf and we need to copy the data. + * If err points somewhere inside buf, OPENSSL_strlcpy can handle this, + * since src and dest are not annotated with __restrict and the function + * reads src byte for byte and writes to dest. + * If err == buf we do not have to copy anything. + */ + if (err != buf) + OPENSSL_strlcpy(buf, err, buflen); + return 1; #elif (defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE >= 200112L) || \ (defined(_XOPEN_SOURCE) && _XOPEN_SOURCE >= 600) /* @@ -234,6 +253,7 @@ int openssl_strerror_r(int errnum, char *buf, size_t buflen) return !strerror_r(errnum, buf, buflen); #else char *err; + /* Fall back to non-thread safe strerror()...its all we can do */ if (buflen < 2) return 0; @@ -241,8 +261,7 @@ int openssl_strerror_r(int errnum, char *buf, size_t buflen) /* Can this ever happen? */ if (err == NULL) return 0; - strncpy(buf, err, buflen - 1); - buf[buflen - 1] = '\0'; + OPENSSL_strlcpy(buf, err, buflen); return 1; #endif } ++++++ openssl-no-date.patch ++++++ --- /var/tmp/diff_new_pack.8PjcXw/_old 2019-05-16 21:54:46.514921254 +0200 +++ /var/tmp/diff_new_pack.8PjcXw/_new 2019-05-16 21:54:46.514921254 +0200 
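Review bot: the fix in the `_GNU_SOURCE` branch is right (GNU `strerror_r` may return a pointer to a static string and leave `buf` untouched, which is exactly what the Feb 28 .changes entry describes), and this is the branch this package compiles, since the spec passes `-D_GNU_SOURCE`. Two caveats. The branch is selected on `defined(_GNU_SOURCE)`, a feature-test macro any build can define, not on evidence that the libc actually provides the `char *`-returning variant; on a libc whose `strerror_r` returns `int` under that macro the assignment to `err` would not compile, so a `__GLIBC__` guard would be more honest. And after `OPENSSL_strlcpy(buf, err, buflen)` the function returns 1 even when the message was truncated; comparing the `OPENSSL_strlcpy` return value against `buflen` would let callers see that, and the same applies to the fallback branch below. Minor: the added comment reads `its all we can do` (it's).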
@@ -1,11 +1,13 @@ -Index: openssl-1.1.0f/util/mkbuildinf.pl +Index: openssl-1.1.1-pre1/util/mkbuildinf.pl =================================================================== ---- openssl-1.1.0f.orig/util/mkbuildinf.pl -+++ openssl-1.1.0f/util/mkbuildinf.pl -@@ -37,5 +37,5 @@ print <<"END_OUTPUT"; - '\\0' - }; +--- openssl-1.1.1-pre1.orig/util/mkbuildinf.pl 2018-02-13 16:31:28.011389734 +0100 ++++ openssl-1.1.1-pre1/util/mkbuildinf.pl 2018-02-13 16:31:51.539764582 +0100 +@@ -28,7 +28,7 @@ print <<"END_OUTPUT"; + */ + #define PLATFORM "platform: $platform" -#define DATE "built on: $date" +#define DATE "" - END_OUTPUT + + /* + * Generate compiler_flags as an array of individual characters. This is a ++++++ openssl-pkgconfig.patch ++++++ --- /var/tmp/diff_new_pack.8PjcXw/_old 2019-05-16 21:54:46.522921250 +0200 +++ /var/tmp/diff_new_pack.8PjcXw/_new 2019-05-16 21:54:46.522921250 +0200 
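Review bot: the rebased hunk still replaces `#define DATE "built on: $date"` with `#define DATE ""`, which is what makes the build reproducible, but the patch carries no header line stating that purpose (compare `openssl-truststore.patch`, which opens with a one-line rationale and a fate reference). Note also that `OpenSSL_version(OPENSSL_BUILT_ON)` returns this string verbatim, so `openssl version -b` and any consumer parsing it now get an empty string instead of a `built on:` prefix; a fixed string with the usual prefix would keep the format stable while remaining reproducible.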
@@ -1,17 +1,17 @@ -Index: openssl-1.1.0h/Configurations/unix-Makefile.tmpl +Index: openssl-1.1.1-pre3/Configurations/unix-Makefile.tmpl =================================================================== ---- openssl-1.1.0h.orig/Configurations/unix-Makefile.tmpl 2018-03-27 16:32:18.922799218 +0200 -+++ openssl-1.1.0h/Configurations/unix-Makefile.tmpl 2018-03-27 16:33:19.307764137 +0200 -@@ -710,7 +710,7 @@ libcrypto.pc: +--- openssl-1.1.1-pre3.orig/Configurations/unix-Makefile.tmpl 2018-03-20 15:20:03.037124698 +0100 ++++ openssl-1.1.1-pre3/Configurations/unix-Makefile.tmpl 2018-03-20 15:21:04.206084731 +0100 +@@ -843,7 +843,7 @@ libcrypto.pc: echo 'Version: '$(VERSION); \ echo 'Libs: -L$${libdir} -lcrypto'; \ - echo 'Libs.private: $(EX_LIBS)'; \ + echo 'Libs.private: $(LIB_EX_LIBS)'; \ - echo 'Cflags: -I$${includedir}' ) > libcrypto.pc + echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir}' ) > libcrypto.pc libssl.pc: @ ( echo 'prefix=$(INSTALLTOP)'; \ -@@ -723,7 +723,7 @@ libssl.pc: +@@ -860,7 +860,7 @@ libssl.pc: echo 'Version: '$(VERSION); \ echo 'Requires.private: libcrypto'; \ echo 'Libs: -L$${libdir} -lssl'; \ ++++++ openssl-ppc64-config.patch ++++++ --- /var/tmp/diff_new_pack.8PjcXw/_old 2019-05-16 21:54:46.534921246 +0200 +++ /var/tmp/diff_new_pack.8PjcXw/_new 2019-05-16 21:54:46.534921246 +0200 
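Review bot: the rebase keeps `-DOPENSSL_LOAD_CONF` in the published `Cflags:` of `libcrypto.pc`, and the patch has no header saying why. The effect deserves one: with that macro defined, `OpenSSL_add_all_algorithms()` in `evp.h` expands to an `OPENSSL_init_crypto()` call that includes `OPENSSL_INIT_LOAD_CONFIG`, so every program built with `pkg-config --cflags libcrypto` loads `openssl.cnf` (shipped by this spec as `%config (noreplace)`) at initialisation, including any engine configuration in it. That is a deliberate distro policy, but it makes the system config file part of each such application's trust surface and should be stated in the patch header. The `$(EX_LIBS)` to `$(LIB_EX_LIBS)` change just follows the upstream variable rename in `unix-Makefile.tmpl`.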
@@ -1,12 +1,17 @@ -Index: openssl-1.1.0e/config +Index: openssl-1.1.1-pre3/config =================================================================== ---- openssl-1.1.0e.orig/config -+++ openssl-1.1.0e/config -@@ -550,7 +550,7 @@ case "$GUESSOS" in +--- openssl-1.1.1-pre3.orig/config 2018-03-20 15:24:38.037441210 +0100 ++++ openssl-1.1.1-pre3/config 2018-03-20 15:26:20.163043492 +0100 +@@ -552,12 +552,7 @@ case "$GUESSOS" in OUT="linux-ppc64" else OUT="linux-ppc" -- (echo "__LP64__" | gcc -E -x c - 2>/dev/null | grep "^__LP64__" 2>&1 > /dev/null) || options="$options -m32" +- if (echo "__LP64__" | gcc -E -x c - 2>/dev/null | grep "^__LP64__" 2>&1 > /dev/null); then +- :; +- else +- __CNF_CFLAGS="$__CNF_CFLAGS -m32" +- __CNF_CXXFLAGS="$__CNF_CXXFLAGS -m32" +- fi + (echo "__LP64__" | gcc -E -x c - 2>/dev/null | grep "^__LP64__" 2>&1 > /dev/null) || OUT="linux-ppc64" fi ;; ++++++ openssl-truststore.patch ++++++ --- /var/tmp/diff_new_pack.8PjcXw/_old 2019-05-16 21:54:46.550921238 +0200 +++ /var/tmp/diff_new_pack.8PjcXw/_new 2019-05-16 21:54:46.558921235 +0200 @@ -1,10 +1,10 @@ Don't use the legacy /etc/ssl/certs directory anymore but rather the p11-kit generated /var/lib/ca-certificates/openssl one (fate#314991) -Index: openssl-1.1.0e/crypto/include/internal/cryptlib.h +Index: openssl-1.1.1-pre1/include/internal/cryptlib.h =================================================================== ---- openssl-1.1.0e.orig/crypto/include/internal/cryptlib.h -+++ openssl-1.1.0e/crypto/include/internal/cryptlib.h -@@ -41,8 +41,8 @@ DEFINE_LHASH_OF(MEM); +--- openssl-1.1.1-pre1.orig/include/internal/cryptlib.h 2018-02-13 14:48:12.000000000 +0100 ++++ openssl-1.1.1-pre1/include/internal/cryptlib.h 2018-02-13 16:30:11.738161984 +0100 +@@ -59,8 +59,8 @@ DEFINE_LHASH_OF(MEM); # ifndef OPENSSL_SYS_VMS # define X509_CERT_AREA OPENSSLDIR
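Review bot: on the `openssl-ppc64-config.patch` hunk, the rebased change replaces upstream's `-m32` handling with `(... | grep "^__LP64__" ...) || OUT="linux-ppc64"`, i.e. when the compiler defines `__LP64__` the target is switched to `linux-ppc64` instead of forcing a 32-bit build; the logic is sound (grep succeeds only when `__LP64__` survives preprocessing, meaning it is undefined), but the patch has no header stating which `GUESSOS` mis-detection it corrects, and the redirection order `2>&1 > /dev/null` inherited from upstream sends grep's stderr to the terminal rather than to `/dev/null` (`> /dev/null 2>&1` is the intended form).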
