Hello community,
here is the log from the commit of package openssl for openSUSE:Factory checked
in at 2014-12-17 19:18:04
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssl (Old)
and /work/SRC/openSUSE:Factory/.openssl.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl"
Changes:
--------
--- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2014-08-25
11:03:36.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2014-12-17
19:17:04.000000000 +0100
@@ -1,0 +2,25 @@
+Tue Nov 18 09:42:50 UTC 2014 - br...@aljex.com
+
+- suse_version 10.1 & 10.2 x86_64 can not enable-ec_nistp_64_gcc_128
+
+-------------------------------------------------------------------
+Mon Nov 17 12:34:12 UTC 2014 - meiss...@suse.com
+
+- openssl-1.0.1i-noec2m-fix.patch: only report the Elliptic Curves
+ we actually support (not the binary ones) (bnc#905037)
+
+-------------------------------------------------------------------
+Fri Nov 7 22:09:27 UTC 2014 - br...@aljex.com
+
+- openSUSE < 11.2 doesn't have accept4()
+
+-------------------------------------------------------------------
+Tue Oct 21 19:58:31 UTC 2014 - crrodrig...@opensuse.org
+
+- openSSL 1.0.1j
+* Fix SRTP Memory Leak (CVE-2014-3513)
+* Session Ticket Memory Leak (CVE-2014-3567)
+* Add SSL 3.0 Fallback protection (TLS_FALLBACK_SCSV)
+* Build option no-ssl3 is incomplete (CVE-2014-3568)
+
+-------------------------------------------------------------------
Old:
----
openssl-1.0.1i.tar.gz
openssl-1.0.1i.tar.gz.asc
New:
----
openssl-1.0.1i-noec2m-fix.patch
openssl-1.0.1j.tar.gz
openssl-1.0.1j.tar.gz.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssl.spec ++++++
--- /var/tmp/diff_new_pack.p3p8Ac/_old 2014-12-17 19:17:06.000000000 +0100
+++ /var/tmp/diff_new_pack.p3p8Ac/_new 2014-12-17 19:17:06.000000000 +0100
@@ -29,7 +29,7 @@
%ifarch ppc64
Obsoletes: openssl-64bit
%endif
-Version: 1.0.1i
+Version: 1.0.1j
Release: 0
Summary: Secure Sockets and Transport Layer Security
License: OpenSSL
@@ -47,7 +47,9 @@
Patch0: merge_from_0.9.8k.patch
Patch1: openssl-1.0.0-c_rehash-compat.diff
Patch2: bug610223.patch
+%if 0%{?suse_version} >= 1120
Patch3: openssl-ocloexec.patch
+%endif
Patch4: VIA_padlock_support_on_64systems.patch
# PATCH-FIX-UPSTREAM http://rt.openssl.org/Ticket/Attachment/WithHeaders/20049
Patch5: openssl-fix-pod-syntax.diff
@@ -72,6 +74,7 @@
Patch35: openssl-1.0.1e-add-suse-default-cipher.patch
Patch36: openssl-1.0.1e-add-suse-default-cipher-header.patch
Patch37: openssl-1.0.1e-add-test-suse-default-cipher-suite.patch
+Patch38: openssl-1.0.1i-noec2m-fix.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -164,7 +167,9 @@
%patch0 -p1
%patch1 -p1
%patch2 -p1
+%if 0%{?suse_version} >= 1120
%patch3
+%endif
%patch4 -p1
%patch5 -p1
%patch6 -p1
@@ -186,6 +191,7 @@
%patch35 -p1
%patch36 -p1
%patch37 -p1
+%patch38 -p1
cp -p %{S:10} .
cp -p %{S:11} .
echo "adding/overwriting some entries in the 'table' hash in Configure"
@@ -243,8 +249,10 @@
enable-rfc3779 \
%endif
%ifarch x86_64 aarch64 ppc64le
+%if 0%{?suse_version} < 1010 || 0%{?suse_version} > 1020
enable-ec_nistp_64_gcc_128 \
%endif
+%endif
enable-camellia \
zlib \
no-ec2m \
++++++ 0001-libcrypto-Hide-library-private-symbols.patch ++++++
++++ 715 lines (skipped)
++++ between
/work/SRC/openSUSE:Factory/openssl/0001-libcrypto-Hide-library-private-symbols.patch
++++ and
/work/SRC/openSUSE:Factory/.openssl.new/0001-libcrypto-Hide-library-private-symbols.patch
++++++ openssl-1.0.1e-fips-ec.patch ++++++
--- /var/tmp/diff_new_pack.p3p8Ac/_old 2014-12-17 19:17:06.000000000 +0100
+++ /var/tmp/diff_new_pack.p3p8Ac/_new 2014-12-17 19:17:06.000000000 +0100
@@ -1,7 +1,5 @@
-Index: openssl-1.0.1g/crypto/ecdh/ecdh.h
-===================================================================
---- openssl-1.0.1g.orig/crypto/ecdh/ecdh.h
-+++ openssl-1.0.1g/crypto/ecdh/ecdh.h
+--- openssl-1.0.1j.orig/crypto/ecdh/ecdh.h
++++ openssl-1.0.1j/crypto/ecdh/ecdh.h
@@ -85,6 +85,8 @@
extern "C" {
#endif
@@ -11,10 +9,8 @@
const ECDH_METHOD *ECDH_OpenSSL(void);
void ECDH_set_default_method(const ECDH_METHOD *);
-Index: openssl-1.0.1g/crypto/ecdh/ecdhtest.c
-===================================================================
---- openssl-1.0.1g.orig/crypto/ecdh/ecdhtest.c
-+++ openssl-1.0.1g/crypto/ecdh/ecdhtest.c
+--- openssl-1.0.1j.orig/crypto/ecdh/ecdhtest.c
++++ openssl-1.0.1j/crypto/ecdh/ecdhtest.c
@@ -323,11 +323,15 @@ int main(int argc, char *argv[])
if ((ctx=BN_CTX_new()) == NULL) goto err;
@@ -31,10 +27,8 @@
#ifndef OPENSSL_NO_EC2M
/* NIST BINARY CURVES TESTS */
if (!test_ecdh_curve(NID_sect163k1, "NIST Binary-Curve K-163", ctx,
out)) goto err;
-Index: openssl-1.0.1g/crypto/ecdh/ech_lib.c
-===================================================================
---- openssl-1.0.1g.orig/crypto/ecdh/ech_lib.c
-+++ openssl-1.0.1g/crypto/ecdh/ech_lib.c
+--- openssl-1.0.1j.orig/crypto/ecdh/ech_lib.c
++++ openssl-1.0.1j/crypto/ecdh/ech_lib.c
@@ -94,14 +94,7 @@ const ECDH_METHOD *ECDH_get_default_meth
{
if(!default_ECDH_method)
@@ -50,10 +44,8 @@
}
return default_ECDH_method;
}
-Index: openssl-1.0.1g/crypto/ecdh/ech_ossl.c
-===================================================================
---- openssl-1.0.1g.orig/crypto/ecdh/ech_ossl.c
-+++ openssl-1.0.1g/crypto/ecdh/ech_ossl.c
+--- openssl-1.0.1j.orig/crypto/ecdh/ech_ossl.c
++++ openssl-1.0.1j/crypto/ecdh/ech_ossl.c
@@ -79,6 +79,10 @@
#include <openssl/obj_mac.h>
#include <openssl/bn.h>
@@ -108,10 +100,8 @@
if ((tmp=EC_POINT_new(group)) == NULL)
{
ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ERR_R_MALLOC_FAILURE);
-Index: openssl-1.0.1g/crypto/ecdsa/ecdsatest.c
-===================================================================
---- openssl-1.0.1g.orig/crypto/ecdsa/ecdsatest.c
-+++ openssl-1.0.1g/crypto/ecdsa/ecdsatest.c
+--- openssl-1.0.1j.orig/crypto/ecdsa/ecdsatest.c
++++ openssl-1.0.1j/crypto/ecdsa/ecdsatest.c
@@ -138,11 +138,14 @@ int restore_rand(void)
}
@@ -147,10 +137,8 @@
if (!test_builtin(out)) goto err;
ret = 0;
-Index: openssl-1.0.1g/crypto/ecdsa/ecs_lib.c
-===================================================================
---- openssl-1.0.1g.orig/crypto/ecdsa/ecs_lib.c
-+++ openssl-1.0.1g/crypto/ecdsa/ecs_lib.c
+--- openssl-1.0.1j.orig/crypto/ecdsa/ecs_lib.c
++++ openssl-1.0.1j/crypto/ecdsa/ecs_lib.c
@@ -81,14 +81,7 @@ const ECDSA_METHOD *ECDSA_get_default_me
{
if(!default_ECDSA_method)
@@ -166,10 +154,8 @@
}
return default_ECDSA_method;
}
-Index: openssl-1.0.1g/crypto/ecdsa/ecs_ossl.c
-===================================================================
---- openssl-1.0.1g.orig/crypto/ecdsa/ecs_ossl.c
-+++ openssl-1.0.1g/crypto/ecdsa/ecs_ossl.c
+--- openssl-1.0.1j.orig/crypto/ecdsa/ecs_ossl.c
++++ openssl-1.0.1j/crypto/ecdsa/ecs_ossl.c
@@ -60,6 +60,9 @@
#include <openssl/err.h>
#include <openssl/obj_mac.h>
@@ -219,10 +205,8 @@
/* check input values */
if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
(pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL)
-Index: openssl-1.0.1g/crypto/ec/ec_key.c
-===================================================================
---- openssl-1.0.1g.orig/crypto/ec/ec_key.c
-+++ openssl-1.0.1g/crypto/ec/ec_key.c
+--- openssl-1.0.1j.orig/crypto/ec/ec_key.c
++++ openssl-1.0.1j/crypto/ec/ec_key.c
@@ -64,9 +64,6 @@
#include <string.h>
#include "ec_lcl.h"
@@ -319,114 +303,8 @@
{
ECerr(EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES,
EC_R_COORDINATES_OUT_OF_RANGE);
-Index: openssl-1.0.1g/crypto/ec/ecp_mont.c
-===================================================================
---- openssl-1.0.1g.orig/crypto/ec/ecp_mont.c
-+++ openssl-1.0.1g/crypto/ec/ecp_mont.c
-@@ -63,18 +63,11 @@
-
- #include <openssl/err.h>
-
--#ifdef OPENSSL_FIPS
--#include <openssl/fips.h>
--#endif
--
- #include "ec_lcl.h"
-
-
- const EC_METHOD *EC_GFp_mont_method(void)
- {
--#ifdef OPENSSL_FIPS
-- return fips_ec_gfp_mont_method();
--#else
- static const EC_METHOD ret = {
- EC_FLAGS_DEFAULT_OCT,
- NID_X9_62_prime_field,
-@@ -115,7 +108,6 @@ const EC_METHOD *EC_GFp_mont_method(void
- ec_GFp_mont_field_set_to_one };
-
- return &ret;
--#endif
- }
-
-
-Index: openssl-1.0.1g/crypto/ec/ecp_nist.c
-===================================================================
---- openssl-1.0.1g.orig/crypto/ec/ecp_nist.c
-+++ openssl-1.0.1g/crypto/ec/ecp_nist.c
-@@ -67,15 +67,8 @@
- #include <openssl/obj_mac.h>
- #include "ec_lcl.h"
-
--#ifdef OPENSSL_FIPS
--#include <openssl/fips.h>
--#endif
--
- const EC_METHOD *EC_GFp_nist_method(void)
- {
--#ifdef OPENSSL_FIPS
-- return fips_ec_gfp_nist_method();
--#else
- static const EC_METHOD ret = {
- EC_FLAGS_DEFAULT_OCT,
- NID_X9_62_prime_field,
-@@ -116,7 +109,6 @@ const EC_METHOD *EC_GFp_nist_method(void
- 0 /* field_set_to_one */ };
-
- return &ret;
--#endif
- }
-
- int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src)
-Index: openssl-1.0.1g/crypto/ec/ecp_smpl.c
-===================================================================
---- openssl-1.0.1g.orig/crypto/ec/ecp_smpl.c
-+++ openssl-1.0.1g/crypto/ec/ecp_smpl.c
-@@ -65,17 +65,10 @@
- #include <openssl/err.h>
- #include <openssl/symhacks.h>
-
--#ifdef OPENSSL_FIPS
--#include <openssl/fips.h>
--#endif
--
- #include "ec_lcl.h"
-
- const EC_METHOD *EC_GFp_simple_method(void)
- {
--#ifdef OPENSSL_FIPS
-- return fips_ec_gfp_simple_method();
--#else
- static const EC_METHOD ret = {
- EC_FLAGS_DEFAULT_OCT,
- NID_X9_62_prime_field,
-@@ -116,7 +109,6 @@ const EC_METHOD *EC_GFp_simple_method(vo
- 0 /* field_set_to_one */ };
-
- return &ret;
--#endif
- }
-
-
-@@ -186,6 +178,14 @@ int ec_GFp_simple_group_set_curve(EC_GRO
- return 0;
- }
-
-+/* we comment the few following lines, temporarily...for avoiding small
curves */
-+/*
-+ if (BN_num_bits(p) < 256)
-+ {
-+ ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE,
EC_R_UNSUPPORTED_FIELD);
-+ return 0;
-+ }
-+*/
- if (ctx == NULL)
- {
- ctx = new_ctx = BN_CTX_new();
-Index: openssl-1.0.1g/crypto/evp/m_ecdsa.c
-===================================================================
---- openssl-1.0.1g.orig/crypto/evp/m_ecdsa.c
-+++ openssl-1.0.1g/crypto/evp/m_ecdsa.c
+--- openssl-1.0.1j.orig/crypto/evp/m_ecdsa.c
++++ openssl-1.0.1j/crypto/evp/m_ecdsa.c
@@ -116,7 +116,6 @@
#include <openssl/x509.h>
@@ -449,10 +327,8 @@
}
#endif
-#endif
-Index: openssl-1.0.1g/crypto/fips/cavs/fips_ecdhvs.c
-===================================================================
--- /dev/null
-+++ openssl-1.0.1g/crypto/fips/cavs/fips_ecdhvs.c
++++ openssl-1.0.1j/crypto/fips/cavs/fips_ecdhvs.c
@@ -0,0 +1,496 @@
+/* fips/ecdh/fips_ecdhvs.c */
+/* Written by Dr Stephen N Henson (st...@openssl.org) for the OpenSSL
@@ -950,10 +826,8 @@
+ }
+
+#endif
-Index: openssl-1.0.1g/crypto/fips/cavs/fips_ecdsavs.c
-===================================================================
--- /dev/null
-+++ openssl-1.0.1g/crypto/fips/cavs/fips_ecdsavs.c
++++ openssl-1.0.1j/crypto/fips/cavs/fips_ecdsavs.c
@@ -0,0 +1,533 @@
+/* fips/ecdsa/fips_ecdsavs.c */
+/* Written by Dr Stephen N Henson (st...@openssl.org) for the OpenSSL
@@ -1488,10 +1362,8 @@
+ }
+
+#endif
-Index: openssl-1.0.1g/crypto/fips/fips_ecdh_selftest.c
-===================================================================
--- /dev/null
-+++ openssl-1.0.1g/crypto/fips/fips_ecdh_selftest.c
++++ openssl-1.0.1j/crypto/fips/fips_ecdh_selftest.c
@@ -0,0 +1,252 @@
+/* fips/ecdh/fips_ecdh_selftest.c */
+/* Written by Dr Stephen N Henson (st...@openssl.org) for the OpenSSL
@@ -1745,10 +1617,8 @@
+ }
+
+#endif
-Index: openssl-1.0.1g/crypto/fips/fips_ecdsa_selftest.c
-===================================================================
--- /dev/null
-+++ openssl-1.0.1g/crypto/fips/fips_ecdsa_selftest.c
++++ openssl-1.0.1j/crypto/fips/fips_ecdsa_selftest.c
@@ -0,0 +1,167 @@
+/* fips/ecdsa/fips_ecdsa_selftest.c */
+/* Written by Dr Stephen N Henson (st...@openssl.org) for the OpenSSL
@@ -1917,10 +1787,8 @@
+ }
+
+#endif
-Index: openssl-1.0.1g/crypto/fips/fips.h
-===================================================================
---- openssl-1.0.1g.orig/crypto/fips/fips.h
-+++ openssl-1.0.1g/crypto/fips/fips.h
+--- openssl-1.0.1j.orig/crypto/fips/fips.h
++++ openssl-1.0.1j/crypto/fips/fips.h
@@ -93,6 +93,8 @@ int FIPS_selftest_rsa(void);
void FIPS_corrupt_dsa(void);
void FIPS_corrupt_dsa_keygen(void);
@@ -1930,10 +1798,8 @@
void FIPS_corrupt_rng(void);
void FIPS_rng_stick(void);
void FIPS_x931_stick(int onoff);
-Index: openssl-1.0.1g/crypto/fips/fips_post.c
-===================================================================
---- openssl-1.0.1g.orig/crypto/fips/fips_post.c
-+++ openssl-1.0.1g/crypto/fips/fips_post.c
+--- openssl-1.0.1j.orig/crypto/fips/fips_post.c
++++ openssl-1.0.1j/crypto/fips/fips_post.c
@@ -95,8 +95,12 @@ int FIPS_selftest(void)
rv = 0;
if (!FIPS_selftest_rsa())
@@ -1947,10 +1813,8 @@
return rv;
}
-Index: openssl-1.0.1g/crypto/fips/Makefile
-===================================================================
---- openssl-1.0.1g.orig/crypto/fips/Makefile
-+++ openssl-1.0.1g/crypto/fips/Makefile
+--- openssl-1.0.1j.orig/crypto/fips/Makefile
++++ openssl-1.0.1j/crypto/fips/Makefile
@@ -24,13 +24,13 @@ LIBSRC=fips_aes_selftest.c fips_des_self
fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c
fips_rand.c \
fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c
fips_drbg_hmac.c \
@@ -2052,3 +1916,45 @@
fips_post.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
fips_post.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
fips_post.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+--- openssl-1.0.1j.orig/crypto/ec/ecp_nist.c
++++ openssl-1.0.1j/crypto/ec/ecp_nist.c
+@@ -112,11 +112,6 @@ const EC_METHOD *EC_GFp_nist_method(void
+ 0 /* field_decode */,
+ 0 /* field_set_to_one */ };
+
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return fips_ec_gfp_nist_method();
+-#endif
+-
+ return &ret;
+ }
+
+--- openssl-1.0.1j.orig/crypto/ec/ecp_smpl.c
++++ openssl-1.0.1j/crypto/ec/ecp_smpl.c
+@@ -112,11 +112,6 @@ const EC_METHOD *EC_GFp_simple_method(vo
+ 0 /* field_decode */,
+ 0 /* field_set_to_one */ };
+
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return fips_ec_gfp_simple_method();
+-#endif
+-
+ return &ret;
+ }
+
+--- openssl-1.0.1j.orig/crypto/ec/ecp_mont.c
++++ openssl-1.0.1j/crypto/ec/ecp_mont.c
+@@ -111,11 +111,6 @@ const EC_METHOD *EC_GFp_mont_method(void
+ ec_GFp_mont_field_decode,
+ ec_GFp_mont_field_set_to_one };
+
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return fips_ec_gfp_mont_method();
+-#endif
+-
+ return &ret;
+ }
+
++++++ openssl-1.0.1e-fips.patch ++++++
++++ 1538 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/openssl/openssl-1.0.1e-fips.patch
++++ and /work/SRC/openSUSE:Factory/.openssl.new/openssl-1.0.1e-fips.patch
++++++ openssl-1.0.1i-noec2m-fix.patch ++++++
>From 90fec44393443f93d6f7fb00662472bb2a8a6c9b Mon Sep 17 00:00:00 2001
From: Matt Caswell <m...@openssl.org>
Date: Mon, 10 Nov 2014 23:42:50 +0000
Subject: [PATCH] Added OPENSSL_NO_EC2M guards around the preferred EC curve
list
---
ssl/t1_lib.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index d6aff4b..8dafc6e 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -204,28 +204,40 @@ static int nid_list[] =
static int pref_list[] =
{
+#ifndef OPENSSL_NO_EC2M
NID_sect571r1, /* sect571r1 (14) */
NID_sect571k1, /* sect571k1 (13) */
+#endif
NID_secp521r1, /* secp521r1 (25) */
+#ifndef OPENSSL_NO_EC2M
NID_sect409k1, /* sect409k1 (11) */
NID_sect409r1, /* sect409r1 (12) */
+#endif
NID_secp384r1, /* secp384r1 (24) */
+#ifndef OPENSSL_NO_EC2M
NID_sect283k1, /* sect283k1 (9) */
NID_sect283r1, /* sect283r1 (10) */
+#endif
NID_secp256k1, /* secp256k1 (22) */
NID_X9_62_prime256v1, /* secp256r1 (23) */
+#ifndef OPENSSL_NO_EC2M
NID_sect239k1, /* sect239k1 (8) */
NID_sect233k1, /* sect233k1 (6) */
NID_sect233r1, /* sect233r1 (7) */
+#endif
NID_secp224k1, /* secp224k1 (20) */
NID_secp224r1, /* secp224r1 (21) */
+#ifndef OPENSSL_NO_EC2M
NID_sect193r1, /* sect193r1 (4) */
NID_sect193r2, /* sect193r2 (5) */
+#endif
NID_secp192k1, /* secp192k1 (18) */
NID_X9_62_prime192v1, /* secp192r1 (19) */
+#ifndef OPENSSL_NO_EC2M
NID_sect163k1, /* sect163k1 (1) */
NID_sect163r1, /* sect163r1 (2) */
NID_sect163r2, /* sect163r2 (3) */
+#endif
NID_secp160k1, /* secp160k1 (15) */
NID_secp160r1, /* secp160r1 (16) */
NID_secp160r2, /* secp160r2 (17) */
--
2.1.0
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
