Hello community, here is the log from the commit of package openssl for openSUSE:Factory checked in at 2014-12-17 19:18:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openssl (Old) and /work/SRC/openSUSE:Factory/.openssl.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl" Changes: --------
--- /work/SRC/openSUSE:Factory/openssl/openssl.changes 2014-08-25 11:03:36.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.openssl.new/openssl.changes 2014-12-17 19:17:04.000000000 +0100
@@ -1,0 +2,25 @@
+Tue Nov 18 09:42:50 UTC 2014 - br...@aljex.com
+
+- suse_version 10.1 & 10.2 x86_64 can not enable-ec_nistp_64_gcc_128
+
+-------------------------------------------------------------------
+Mon Nov 17 12:34:12 UTC 2014 - meiss...@suse.com
+
+- openssl-1.0.1i-noec2m-fix.patch: only report the Elliptic Curves
+ we actually support (not the binary ones) (bnc#905037)
+
+-------------------------------------------------------------------
+Fri Nov 7 22:09:27 UTC 2014 - br...@aljex.com
+
+- openSUSE < 11.2 doesn't have accept4()
+
+-------------------------------------------------------------------
+Tue Oct 21 19:58:31 UTC 2014 - crrodrig...@opensuse.org
+
+- openSSL 1.0.1j
+* Fix SRTP Memory Leak (CVE-2014-3513)
+* Session Ticket Memory Leak (CVE-2014-3567)
+* Add SSL 3.0 Fallback protection (TLS_FALLBACK_SCSV)
+* Build option no-ssl3 is incomplete (CVE-2014-3568)
+
+-------------------------------------------------------------------
Old: ---- openssl-1.0.1i.tar.gz openssl-1.0.1i.tar.gz.asc New: ---- openssl-1.0.1i-noec2m-fix.patch openssl-1.0.1j.tar.gz openssl-1.0.1j.tar.gz.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences: ------------------
++++++ openssl.spec ++++++
--- /var/tmp/diff_new_pack.p3p8Ac/_old 2014-12-17 19:17:06.000000000 +0100
+++ /var/tmp/diff_new_pack.p3p8Ac/_new 2014-12-17 19:17:06.000000000 +0100
@@ -29,7 +29,7 @@
 %ifarch ppc64
 Obsoletes: openssl-64bit
 %endif
-Version: 1.0.1i
+Version: 1.0.1j
 Release: 0
 Summary: Secure Sockets and Transport Layer Security
 License: OpenSSL
@@ -47,7 +47,9 @@
 Patch0: merge_from_0.9.8k.patch
 Patch1: openssl-1.0.0-c_rehash-compat.diff
 Patch2: bug610223.patch
+%if 0%{?suse_version} >= 1120
 Patch3: openssl-ocloexec.patch
+%endif
 Patch4: VIA_padlock_support_on_64systems.patch
 # PATCH-FIX-UPSTREAM http://rt.openssl.org/Ticket/Attachment/WithHeaders/20049
 Patch5: openssl-fix-pod-syntax.diff
@@ -72,6 +74,7 @@
 Patch35: openssl-1.0.1e-add-suse-default-cipher.patch
 Patch36: openssl-1.0.1e-add-suse-default-cipher-header.patch
 Patch37: openssl-1.0.1e-add-test-suse-default-cipher-suite.patch
+Patch38: openssl-1.0.1i-noec2m-fix.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -164,7 +167,9 @@
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%if 0%{?suse_version} >= 1120
 %patch3
+%endif
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
@@ -186,6 +191,7 @@
 %patch35 -p1
 %patch36 -p1
 %patch37 -p1
+%patch38 -p1
 cp -p %{S:10} .
 cp -p %{S:11} .
 echo "adding/overwriting some entries in the 'table' hash in Configure"
@@ -243,8 +249,10 @@
 enable-rfc3779 \
 %endif
 %ifarch x86_64 aarch64 ppc64le
+%if 0%{?suse_version} < 1010 || 0%{?suse_version} > 1020
 enable-ec_nistp_64_gcc_128 \
 %endif
+%endif
 enable-camellia \
 zlib \
 no-ec2m \
++++++ 0001-libcrypto-Hide-library-private-symbols.patch ++++++
++++ 715 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/openssl/0001-libcrypto-Hide-library-private-symbols.patch
++++ and /work/SRC/openSUSE:Factory/.openssl.new/0001-libcrypto-Hide-library-private-symbols.patch
++++++ openssl-1.0.1e-fips-ec.patch ++++++
--- /var/tmp/diff_new_pack.p3p8Ac/_old 2014-12-17 19:17:06.000000000 +0100
+++ /var/tmp/diff_new_pack.p3p8Ac/_new 2014-12-17 19:17:06.000000000 +0100
@@ -1,7 +1,5 @@ -Index: openssl-1.0.1g/crypto/ecdh/ecdh.h -=================================================================== ---- openssl-1.0.1g.orig/crypto/ecdh/ecdh.h -+++ openssl-1.0.1g/crypto/ecdh/ecdh.h +--- openssl-1.0.1j.orig/crypto/ecdh/ecdh.h ++++ openssl-1.0.1j/crypto/ecdh/ecdh.h @@ -85,6 +85,8 @@ extern "C" { #endif
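Review bot: The `%if 0%{?suse_version} >= 1120` guard around `Patch3: openssl-ocloexec.patch` (and around `%patch3` in the -164,7 hunk) drops the whole patch on older releases with no comment saying what is lost. The changelog gives the reason as accept4() being unavailable before 11.2; judging by its name the patch sets close-on-exec on descriptors the library opens, so builds below 1120 would presumably leave those descriptors inheritable by child processes. `0%{?suse_version}` also evaluates to 0 when the macro is undefined, so a non-SUSE build skips the patch as well. I would add a line above both guards such as `# openssl-ocloexec.patch needs accept4(), missing before openSUSE 11.2; descriptors are not close-on-exec there`.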
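Review bot: `Patch38: openssl-1.0.1i-noec2m-fix.patch` in the -72,6 hunk is added without the origin tag that `Patch5` carries (`# PATCH-FIX-UPSTREAM ...`). The patch file on this page is an upstream commit and the changelog ties it to bnc#905037, so the tag can be written from what is already here: `# PATCH-FIX-UPSTREAM bnc#905037 upstream commit 90fec44393443f93d6f7fb00662472bb2a8a6c9b`. That also tells the next person doing a version update that the patch should become droppable once a release contains that commit.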
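Review bot: The `%if 0%{?suse_version} < 1010 || 0%{?suse_version} > 1020` guard around `enable-ec_nistp_64_gcc_128 \` in the -243,8 hunk has no comment, and the reason is recorded only in the changelog. The option relies on the compiler's 128-bit integer type, which is presumably what the 10.1/10.2 x86_64 toolchain lacks; those builds then fall back to the generic NIST-curve code. Because the guard sits inside a backslash-continued command, the comment has to go before that command rather than next to the guard, e.g. `# ec_nistp_64_gcc_128 needs gcc 128-bit integers; not usable on 10.1/10.2`. The command itself starts and ends outside the hunk.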
@@ -11,10 +9,8 @@ const ECDH_METHOD *ECDH_OpenSSL(void); void ECDH_set_default_method(const ECDH_METHOD *); -Index: openssl-1.0.1g/crypto/ecdh/ecdhtest.c -=================================================================== ---- openssl-1.0.1g.orig/crypto/ecdh/ecdhtest.c -+++ openssl-1.0.1g/crypto/ecdh/ecdhtest.c +--- openssl-1.0.1j.orig/crypto/ecdh/ecdhtest.c ++++ openssl-1.0.1j/crypto/ecdh/ecdhtest.c @@ -323,11 +323,15 @@ int main(int argc, char *argv[]) if ((ctx=BN_CTX_new()) == NULL) goto err; @@ -31,10 +27,8 @@ #ifndef OPENSSL_NO_EC2M /* NIST BINARY CURVES TESTS */ if (!test_ecdh_curve(NID_sect163k1, "NIST Binary-Curve K-163", ctx, out)) goto err; -Index: openssl-1.0.1g/crypto/ecdh/ech_lib.c -=================================================================== ---- openssl-1.0.1g.orig/crypto/ecdh/ech_lib.c -+++ openssl-1.0.1g/crypto/ecdh/ech_lib.c +--- openssl-1.0.1j.orig/crypto/ecdh/ech_lib.c ++++ openssl-1.0.1j/crypto/ecdh/ech_lib.c @@ -94,14 +94,7 @@ const ECDH_METHOD *ECDH_get_default_meth { if(!default_ECDH_method) @@ -50,10 +44,8 @@ } return default_ECDH_method; } -Index: openssl-1.0.1g/crypto/ecdh/ech_ossl.c -=================================================================== ---- openssl-1.0.1g.orig/crypto/ecdh/ech_ossl.c -+++ openssl-1.0.1g/crypto/ecdh/ech_ossl.c +--- openssl-1.0.1j.orig/crypto/ecdh/ech_ossl.c ++++ openssl-1.0.1j/crypto/ecdh/ech_ossl.c @@ -79,6 +79,10 @@ #include <openssl/obj_mac.h> #include <openssl/bn.h> @@ -108,10 +100,8 @@ if ((tmp=EC_POINT_new(group)) == NULL) { ECDHerr(ECDH_F_ECDH_COMPUTE_KEY,ERR_R_MALLOC_FAILURE); -Index: openssl-1.0.1g/crypto/ecdsa/ecdsatest.c -=================================================================== ---- openssl-1.0.1g.orig/crypto/ecdsa/ecdsatest.c -+++ openssl-1.0.1g/crypto/ecdsa/ecdsatest.c +--- openssl-1.0.1j.orig/crypto/ecdsa/ecdsatest.c ++++ openssl-1.0.1j/crypto/ecdsa/ecdsatest.c @@ -138,11 +138,14 @@ int restore_rand(void) } 
@@ -147,10 +137,8 @@ if (!test_builtin(out)) goto err; ret = 0; -Index: openssl-1.0.1g/crypto/ecdsa/ecs_lib.c -=================================================================== ---- openssl-1.0.1g.orig/crypto/ecdsa/ecs_lib.c -+++ openssl-1.0.1g/crypto/ecdsa/ecs_lib.c +--- openssl-1.0.1j.orig/crypto/ecdsa/ecs_lib.c ++++ openssl-1.0.1j/crypto/ecdsa/ecs_lib.c @@ -81,14 +81,7 @@ const ECDSA_METHOD *ECDSA_get_default_me { if(!default_ECDSA_method) @@ -166,10 +154,8 @@ } return default_ECDSA_method; } -Index: openssl-1.0.1g/crypto/ecdsa/ecs_ossl.c -=================================================================== ---- openssl-1.0.1g.orig/crypto/ecdsa/ecs_ossl.c -+++ openssl-1.0.1g/crypto/ecdsa/ecs_ossl.c +--- openssl-1.0.1j.orig/crypto/ecdsa/ecs_ossl.c ++++ openssl-1.0.1j/crypto/ecdsa/ecs_ossl.c @@ -60,6 +60,9 @@ #include <openssl/err.h> #include <openssl/obj_mac.h> @@ -219,10 +205,8 @@ /* check input values */ if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL || (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) -Index: openssl-1.0.1g/crypto/ec/ec_key.c -=================================================================== ---- openssl-1.0.1g.orig/crypto/ec/ec_key.c -+++ openssl-1.0.1g/crypto/ec/ec_key.c +--- openssl-1.0.1j.orig/crypto/ec/ec_key.c ++++ openssl-1.0.1j/crypto/ec/ec_key.c @@ -64,9 +64,6 @@ #include <string.h> #include "ec_lcl.h" 
@@ -319,114 +303,8 @@ { ECerr(EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES, EC_R_COORDINATES_OUT_OF_RANGE); -Index: openssl-1.0.1g/crypto/ec/ecp_mont.c -=================================================================== ---- openssl-1.0.1g.orig/crypto/ec/ecp_mont.c -+++ openssl-1.0.1g/crypto/ec/ecp_mont.c -@@ -63,18 +63,11 @@ - - #include <openssl/err.h> - --#ifdef OPENSSL_FIPS --#include <openssl/fips.h> --#endif -- - #include "ec_lcl.h" - - - const EC_METHOD *EC_GFp_mont_method(void) - { --#ifdef OPENSSL_FIPS -- return fips_ec_gfp_mont_method(); --#else - static const EC_METHOD ret = { - EC_FLAGS_DEFAULT_OCT, - NID_X9_62_prime_field, -@@ -115,7 +108,6 @@ const EC_METHOD *EC_GFp_mont_method(void - ec_GFp_mont_field_set_to_one }; - - return &ret; --#endif - } - - -Index: openssl-1.0.1g/crypto/ec/ecp_nist.c -=================================================================== ---- openssl-1.0.1g.orig/crypto/ec/ecp_nist.c -+++ openssl-1.0.1g/crypto/ec/ecp_nist.c -@@ -67,15 +67,8 @@ - #include <openssl/obj_mac.h> - #include "ec_lcl.h" - --#ifdef OPENSSL_FIPS --#include <openssl/fips.h> --#endif -- - const EC_METHOD *EC_GFp_nist_method(void) - { --#ifdef OPENSSL_FIPS -- return fips_ec_gfp_nist_method(); --#else - static const EC_METHOD ret = { - EC_FLAGS_DEFAULT_OCT, - NID_X9_62_prime_field, -@@ -116,7 +109,6 @@ const EC_METHOD *EC_GFp_nist_method(void - 0 /* field_set_to_one */ }; - - return &ret; --#endif - } - - int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src) -Index: openssl-1.0.1g/crypto/ec/ecp_smpl.c -=================================================================== ---- openssl-1.0.1g.orig/crypto/ec/ecp_smpl.c -+++ openssl-1.0.1g/crypto/ec/ecp_smpl.c -@@ -65,17 +65,10 @@ - #include <openssl/err.h> - #include <openssl/symhacks.h> - --#ifdef OPENSSL_FIPS --#include <openssl/fips.h> --#endif -- - #include "ec_lcl.h" - - const EC_METHOD *EC_GFp_simple_method(void) - { --#ifdef OPENSSL_FIPS -- return fips_ec_gfp_simple_method(); --#else - static 
const EC_METHOD ret = { - EC_FLAGS_DEFAULT_OCT, - NID_X9_62_prime_field, -@@ -116,7 +109,6 @@ const EC_METHOD *EC_GFp_simple_method(vo - 0 /* field_set_to_one */ }; - - return &ret; --#endif - } - - -@@ -186,6 +178,14 @@ int ec_GFp_simple_group_set_curve(EC_GRO - return 0; - } - -+/* we comment the few following lines, temporarily...for avoiding small curves */ -+/* -+ if (BN_num_bits(p) < 256) -+ { -+ ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD); -+ return 0; -+ } -+*/ - if (ctx == NULL) - { - ctx = new_ctx = BN_CTX_new(); -Index: openssl-1.0.1g/crypto/evp/m_ecdsa.c -=================================================================== ---- openssl-1.0.1g.orig/crypto/evp/m_ecdsa.c -+++ openssl-1.0.1g/crypto/evp/m_ecdsa.c +--- openssl-1.0.1j.orig/crypto/evp/m_ecdsa.c ++++ openssl-1.0.1j/crypto/evp/m_ecdsa.c @@ -116,7 +116,6 @@ #include <openssl/x509.h> @@ -449,10 +327,8 @@ } #endif -#endif -Index: openssl-1.0.1g/crypto/fips/cavs/fips_ecdhvs.c -=================================================================== --- /dev/null -+++ openssl-1.0.1g/crypto/fips/cavs/fips_ecdhvs.c ++++ openssl-1.0.1j/crypto/fips/cavs/fips_ecdhvs.c @@ -0,0 +1,496 @@ +/* fips/ecdh/fips_ecdhvs.c */ +/* Written by Dr Stephen N Henson (st...@openssl.org) for the OpenSSL @@ -950,10 +826,8 @@ + } + +#endif -Index: openssl-1.0.1g/crypto/fips/cavs/fips_ecdsavs.c -=================================================================== --- /dev/null -+++ openssl-1.0.1g/crypto/fips/cavs/fips_ecdsavs.c ++++ openssl-1.0.1j/crypto/fips/cavs/fips_ecdsavs.c @@ -0,0 +1,533 @@ +/* fips/ecdsa/fips_ecdsavs.c */ +/* Written by Dr Stephen N Henson (st...@openssl.org) for the OpenSSL @@ -1488,10 +1362,8 @@ + } + +#endif -Index: openssl-1.0.1g/crypto/fips/fips_ecdh_selftest.c -=================================================================== --- /dev/null -+++ openssl-1.0.1g/crypto/fips/fips_ecdh_selftest.c ++++ openssl-1.0.1j/crypto/fips/fips_ecdh_selftest.c 
@@ -0,0 +1,252 @@ +/* fips/ecdh/fips_ecdh_selftest.c */ +/* Written by Dr Stephen N Henson (st...@openssl.org) for the OpenSSL @@ -1745,10 +1617,8 @@ + } + +#endif -Index: openssl-1.0.1g/crypto/fips/fips_ecdsa_selftest.c -=================================================================== --- /dev/null -+++ openssl-1.0.1g/crypto/fips/fips_ecdsa_selftest.c ++++ openssl-1.0.1j/crypto/fips/fips_ecdsa_selftest.c @@ -0,0 +1,167 @@ +/* fips/ecdsa/fips_ecdsa_selftest.c */ +/* Written by Dr Stephen N Henson (st...@openssl.org) for the OpenSSL @@ -1917,10 +1787,8 @@ + } + +#endif -Index: openssl-1.0.1g/crypto/fips/fips.h -=================================================================== ---- openssl-1.0.1g.orig/crypto/fips/fips.h -+++ openssl-1.0.1g/crypto/fips/fips.h +--- openssl-1.0.1j.orig/crypto/fips/fips.h ++++ openssl-1.0.1j/crypto/fips/fips.h @@ -93,6 +93,8 @@ int FIPS_selftest_rsa(void); void FIPS_corrupt_dsa(void); void FIPS_corrupt_dsa_keygen(void); @@ -1930,10 +1798,8 @@ void FIPS_corrupt_rng(void); void FIPS_rng_stick(void); void FIPS_x931_stick(int onoff); -Index: openssl-1.0.1g/crypto/fips/fips_post.c -=================================================================== ---- openssl-1.0.1g.orig/crypto/fips/fips_post.c -+++ openssl-1.0.1g/crypto/fips/fips_post.c +--- openssl-1.0.1j.orig/crypto/fips/fips_post.c ++++ openssl-1.0.1j/crypto/fips/fips_post.c @@ -95,8 +95,12 @@ int FIPS_selftest(void) rv = 0; if (!FIPS_selftest_rsa()) @@ -1947,10 +1813,8 @@ return rv; } -Index: openssl-1.0.1g/crypto/fips/Makefile -=================================================================== ---- openssl-1.0.1g.orig/crypto/fips/Makefile -+++ openssl-1.0.1g/crypto/fips/Makefile +--- openssl-1.0.1j.orig/crypto/fips/Makefile ++++ openssl-1.0.1j/crypto/fips/Makefile 
@@ -24,13 +24,13 @@ LIBSRC=fips_aes_selftest.c fips_des_self fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \ fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ @@ -2052,3 +1916,45 @@ fips_post.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h fips_post.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h fips_post.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h +--- openssl-1.0.1j.orig/crypto/ec/ecp_nist.c ++++ openssl-1.0.1j/crypto/ec/ecp_nist.c +@@ -112,11 +112,6 @@ const EC_METHOD *EC_GFp_nist_method(void + 0 /* field_decode */, + 0 /* field_set_to_one */ }; + +-#ifdef OPENSSL_FIPS +- if (FIPS_mode()) +- return fips_ec_gfp_nist_method(); +-#endif +- + return &ret; + } + +--- openssl-1.0.1j.orig/crypto/ec/ecp_smpl.c ++++ openssl-1.0.1j/crypto/ec/ecp_smpl.c +@@ -112,11 +112,6 @@ const EC_METHOD *EC_GFp_simple_method(vo + 0 /* field_decode */, + 0 /* field_set_to_one */ }; + +-#ifdef OPENSSL_FIPS +- if (FIPS_mode()) +- return fips_ec_gfp_simple_method(); +-#endif +- + return &ret; + } + +--- openssl-1.0.1j.orig/crypto/ec/ecp_mont.c ++++ openssl-1.0.1j/crypto/ec/ecp_mont.c +@@ -111,11 +111,6 @@ const EC_METHOD *EC_GFp_mont_method(void + ec_GFp_mont_field_decode, + ec_GFp_mont_field_set_to_one }; + +-#ifdef OPENSSL_FIPS +- if (FIPS_mode()) +- return fips_ec_gfp_mont_method(); +-#endif +- + return &ret; + } + ++++++ openssl-1.0.1e-fips.patch ++++++ ++++ 1538 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/openssl/openssl-1.0.1e-fips.patch ++++ and /work/SRC/openSUSE:Factory/.openssl.new/openssl-1.0.1e-fips.patch ++++++ openssl-1.0.1i-noec2m-fix.patch ++++++ >From 90fec44393443f93d6f7fb00662472bb2a8a6c9b Mon Sep 17 00:00:00 2001 From: Matt Caswell <m...@openssl.org> Date: Mon, 10 Nov 2014 23:42:50 +0000 Subject: [PATCH] Added OPENSSL_NO_EC2M guards around the preferred EC curve list --- ssl/t1_lib.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) 
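Review bot: The three sections appended by the -2052,3 +1916,45 hunk (ecp_nist.c, ecp_smpl.c, ecp_mont.c) delete the `if (FIPS_mode()) return fips_ec_gfp_*_method();` branch from each `EC_GFp_*_method()` with no explanation anywhere in the patch. After this, FIPS mode and non-FIPS mode return the same in-tree `EC_METHOD` table; whether that code sits inside the validated module boundary cannot be judged from these lines, so the reason needs to be written down. The earlier revision carried the equivalent removal in the sections that the -319,114 hunk drops, together with a commented-out `BN_num_bits(p) < 256` check that is now gone as well. I would add a short header at the top of the patch stating why the `fips_ec_gfp_*` dispatch is removed and that dropping the commented-out size check was intentional.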
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index d6aff4b..8dafc6e 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -204,28 +204,40 @@ static int nid_list[] =
 static int pref_list[] =
 {
+#ifndef OPENSSL_NO_EC2M
 NID_sect571r1, /* sect571r1 (14) */
 NID_sect571k1, /* sect571k1 (13) */
+#endif
 NID_secp521r1, /* secp521r1 (25) */
+#ifndef OPENSSL_NO_EC2M
 NID_sect409k1, /* sect409k1 (11) */
 NID_sect409r1, /* sect409r1 (12) */
+#endif
 NID_secp384r1, /* secp384r1 (24) */
+#ifndef OPENSSL_NO_EC2M
 NID_sect283k1, /* sect283k1 (9) */
 NID_sect283r1, /* sect283r1 (10) */
+#endif
 NID_secp256k1, /* secp256k1 (22) */
 NID_X9_62_prime256v1, /* secp256r1 (23) */
+#ifndef OPENSSL_NO_EC2M
 NID_sect239k1, /* sect239k1 (8) */
 NID_sect233k1, /* sect233k1 (6) */
 NID_sect233r1, /* sect233r1 (7) */
+#endif
 NID_secp224k1, /* secp224k1 (20) */
 NID_secp224r1, /* secp224r1 (21) */
+#ifndef OPENSSL_NO_EC2M
 NID_sect193r1, /* sect193r1 (4) */
 NID_sect193r2, /* sect193r2 (5) */
+#endif
 NID_secp192k1, /* secp192k1 (18) */
 NID_X9_62_prime192v1, /* secp192r1 (19) */
+#ifndef OPENSSL_NO_EC2M
 NID_sect163k1, /* sect163k1 (1) */
 NID_sect163r1, /* sect163r1 (2) */
 NID_sect163r2, /* sect163r2 (3) */
+#endif
 NID_secp160k1, /* secp160k1 (15) */
 NID_secp160r1, /* secp160r1 (16) */
 NID_secp160r2, /* secp160r2 (17) */
-- 2.1.0 -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
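Review bot: `pref_list` gets six separate `#ifndef OPENSSL_NO_EC2M` blocks but no comment saying why an entry has to be compiled out rather than simply left unused. Going by the changelog entry, this list is what the library reports to peers, so an entry the build cannot use is a correctness problem and not dead data; a comment above the array such as `/* Reported to peers in this order: list only curves this build supports (binary curves need EC2M). */` would keep a later addition from reintroducing the issue. The array's length now depends on the macro, so any user of it outside this hunk should size it with sizeof and not a fixed count; that code is not visible here. The initializer's closing brace is also outside the hunk.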