commit openssl-1_1 for openSUSE:Factory

2020-10-18 Thread root
Hello community,

here is the log from the commit of package openssl-1_1 for openSUSE:Factory 
checked in at 2020-10-18 16:17:49

Comparing /work/SRC/openSUSE:Factory/openssl-1_1 (Old)
 and  /work/SRC/openSUSE:Factory/.openssl-1_1.new.3486 (New)


Package is "openssl-1_1"

Sun Oct 18 16:17:49 2020 rev:19 rq:841379 version:1.1.1h

Changes:

--- /work/SRC/openSUSE:Factory/openssl-1_1/openssl-1_1.changes  2020-05-19 
14:43:26.863424689 +0200
+++ /work/SRC/openSUSE:Factory/.openssl-1_1.new.3486/openssl-1_1.changes
2020-10-18 16:17:53.812396704 +0200
@@ -1,0 +2,16 @@
+Mon Oct 12 15:22:54 UTC 2020 - Dominique Leuenberger 
+
+- Escape rpm command %%expand when used in comment.
+
+---
+Tue Sep 22 20:43:59 UTC 2020 - Vítězslav Čížek 
+
+- Update to 1.1.1h
+  * Disallow explicit curve parameters in verifications chains when 
X509_V_FLAG_X509_STRICT is used
+  * Enable 'MinProtocol' and 'MaxProtocol' to configure both TLS and DTLS 
contexts
+- refresh openssl-fips_selftest_upstream_drbg.patch
+  * DRBG internals got renamed back:
+reseed_gen_counter  -> generate_counter
+reseed_prop_counter -> reseed_counter
+
+---

Old:

  openssl-1.1.1g.tar.gz
  openssl-1.1.1g.tar.gz.asc

New:

  openssl-1.1.1h.tar.gz
  openssl-1.1.1h.tar.gz.asc



Other differences:
--
++ openssl-1_1.spec ++
--- /var/tmp/diff_new_pack.RKkvzB/_old  2020-10-18 16:17:54.916397196 +0200
+++ /var/tmp/diff_new_pack.RKkvzB/_new  2020-10-18 16:17:54.920397197 +0200
@@ -21,7 +21,7 @@
 %define _rname  openssl
 Name:   openssl-1_1
 # Don't forget to update the version in the "openssl" package!
-Version:1.1.1g
+Version:1.1.1h
 Release:0
 Summary:Secure Sockets and Transport Layer Security
 License:OpenSSL
@@ -263,7 +263,7 @@
 # invalidates a HMAC that may have been created earlier.
 # solution: create the hashes _after_ the macro runs.
 #
-# this shows up earlier because otherwise the %expand of
+# this shows up earlier because otherwise the %%expand of
 # the macro is too late.
 # remark: This is the same as running
 #   openssl dgst -sha256 -hmac 'ppaksykemnsecgtsttplmamstKMEs'

++ openssl-1.1.1-fips.patch ++
 1396 lines (skipped)
 between /work/SRC/openSUSE:Factory/openssl-1_1/openssl-1.1.1-fips.patch
 and 
/work/SRC/openSUSE:Factory/.openssl-1_1.new.3486/openssl-1.1.1-fips.patch

++ openssl-fips_selftest_upstream_drbg.patch ++
--- /var/tmp/diff_new_pack.RKkvzB/_old  2020-10-18 16:17:55.112397283 +0200
+++ /var/tmp/diff_new_pack.RKkvzB/_new  2020-10-18 16:17:55.116397284 +0200
@@ -419,15 +419,15 @@
 +/* Instantiate again with valid data */
 +if (!instantiate(drbg, td, ))
 +goto err;
-+reseed_counter_tmp = drbg->reseed_gen_counter;
-+drbg->reseed_gen_counter = drbg->reseed_interval;
++reseed_counter_tmp = drbg->generate_counter;
++drbg->generate_counter = drbg->reseed_interval;
 +
 +/* Generate output and check entropy has been requested for reseed */
 +t.entropycnt = 0;
 +if (!RAND_DRBG_generate(drbg, buff, td->exlen, 0,
 +  td->adin, td->adinlen)
 +|| t.entropycnt != 1
-+|| drbg->reseed_gen_counter != reseed_counter_tmp + 1
++|| drbg->generate_counter != reseed_counter_tmp + 1
 +|| !uninstantiate(drbg))
 +goto err;
 +
@@ -444,15 +444,15 @@
 +/* Test reseed counter works */
 +if (!instantiate(drbg, td, ))
 +goto err;
-+reseed_counter_tmp = drbg->reseed_gen_counter;
-+drbg->reseed_gen_counter = drbg->reseed_interval;
++reseed_counter_tmp = drbg->generate_counter;
++drbg->generate_counter = drbg->reseed_interval;
 +
 +/* Generate output and check entropy has been requested for reseed */
 +t.entropycnt = 0;
 +if (!RAND_DRBG_generate(drbg, buff, td->exlen, 0,
 +  td->adin, td->adinlen)
 +|| t.entropycnt != 1
-+|| drbg->reseed_gen_counter != reseed_counter_tmp + 1
++|| drbg->generate_counter != reseed_counter_tmp + 1
 +|| !uninstantiate(drbg))
 +goto err;
 +
@@ -642,14 +642,14 @@
 + */
 +
 +/* Test whether seed propagation is enabled */
-+if (master->reseed_prop_counter == 0
-+|| public->reseed_prop_counter == 0
-+|| private->reseed_prop_counter == 0)
++if (master->reseed_counter == 0
++|| public->reseed_counter == 0
++|| private->reseed_counter == 0)
 +return 0;
 +
 +/* Check whether the master DRBG's reseed counter is the largest one */
-+if 

commit openssl-1_1 for openSUSE:Factory

2020-05-19 Thread root
Hello community,

here is the log from the commit of package openssl-1_1 for openSUSE:Factory 
checked in at 2020-05-19 14:43:15

Comparing /work/SRC/openSUSE:Factory/openssl-1_1 (Old)
 and  /work/SRC/openSUSE:Factory/.openssl-1_1.new.2738 (New)


Package is "openssl-1_1"

Tue May 19 14:43:15 2020 rev:18 rq:805875 version:1.1.1g

Changes:

--- /work/SRC/openSUSE:Factory/openssl-1_1/openssl-1_1.changes  2020-04-27 
23:27:58.158304185 +0200
+++ /work/SRC/openSUSE:Factory/.openssl-1_1.new.2738/openssl-1_1.changes
2020-05-19 14:43:26.863424689 +0200
@@ -1,0 +2,7 @@
+Fri May 15 09:51:22 UTC 2020 - Vítězslav Čížek 
+
+- Limit the DRBG selftests to not deplete entropy (bsc#1165274)
+  * fixes also Firefox crashing with Kerberos (bsc#1167132)
+  * update openssl-fips_selftest_upstream_drbg.patch
+
+---



Other differences:
--

++ openssl-fips_selftest_upstream_drbg.patch ++
--- /var/tmp/diff_new_pack.s7z8tv/_old  2020-05-19 14:43:28.223427595 +0200
+++ /var/tmp/diff_new_pack.s7z8tv/_new  2020-05-19 14:43:28.227427603 +0200
@@ -1,8 +1,8 @@
-Index: openssl-1.1.1e/crypto/fips/drbgtest.c
+Index: openssl-1.1.1g/crypto/fips/drbgtest.c
 ===
 --- /dev/null  1970-01-01 00:00:00.0 +
-+++ openssl-1.1.1e/crypto/fips/drbgtest.c  2020-03-20 14:15:42.114115340 
+0100
-@@ -0,0 +1,1178 @@
 openssl-1.1.1g/crypto/fips/drbgtest.c  2020-05-15 16:20:15.962172616 
+0200
+@@ -0,0 +1,1179 @@
 +/*
 + * Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved.
 + *
@@ -34,7 +34,6 @@
 +# include 
 +#endif
 +
-+//#include "../../test/testutil.h"
 +#include "../../test/drbgtest.h"
 +
 +typedef struct drbg_selftest_data_st {
@@ -1139,9 +1138,11 @@
 +fin:
 +res = 1;
 +err:
++#if 0
 +if (!res)
-+//TEST_note("DRBG %zd case %zd block %zd", n / crngt_num_cases,
-+  //crngt_case, crngt_idx);
++TEST_note("DRBG %zd case %zd block %zd", n / crngt_num_cases,
++  crngt_case, crngt_idx);
++#endif
 +uninstantiate(drbg);
 +RAND_DRBG_free(drbg);
 +crngt_get_entropy = _crngt_get_entropy_cb;
@@ -1162,9 +1163,9 @@
 +return 0;
 +}
 +
++#if 0
 +if (!test_rand_drbg_reseed())
 +return 0;
-+#if 0
 +if (!test_rand_seed())
 +return 0;
 +if (!test_rand_add())
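Review bot: Moving `+#if 0` above the `test_rand_drbg_reseed()` call compiles that self-test out with nothing in the code saying why, or when it should come back; the only rationale is the changelog entry about not depleting entropy (bsc#1165274). A reader of drbgtest.c later sees a dead test with no explanation, which for a FIPS power-up test is exactly the kind of silent gap that should be visible at the point of the skip. I would keep a comment on the `#if 0` line, e.g. `/* disabled: these tests deplete entropy during POST, see bsc#1165274 */`. The enclosing test driver starts and ends outside this hunk.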
@@ -1181,10 +1182,10 @@
 +return 1;
 +}
 +
-Index: openssl-1.1.1e/crypto/fips/drbgtest.h
+Index: openssl-1.1.1g/crypto/fips/drbgtest.h
 ===
 --- /dev/null  1970-01-01 00:00:00.0 +
-+++ openssl-1.1.1e/crypto/fips/drbgtest.h  2020-03-20 14:15:42.114115340 
+0100
 openssl-1.1.1g/crypto/fips/drbgtest.h  2020-05-15 16:19:01.662586731 
+0200
 @@ -0,0 +1,579 @@
 +/*
 + * Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved.
@@ -1765,10 +1766,10 @@
 +0xef, 0xd2, 0xd8, 0x5c, 0xdc, 0x62, 0x25, 0x9f, 0xaa, 0x1e, 0x2c, 0x67,
 +0xf6, 0x02, 0x32, 0xe2
 +};
-Index: openssl-1.1.1e/crypto/fips/fips_post.c
+Index: openssl-1.1.1g/crypto/fips/fips_post.c
 ===
 openssl-1.1.1e.orig/crypto/fips/fips_post.c2020-03-20 
14:15:40.018104341 +0100
-+++ openssl-1.1.1e/crypto/fips/fips_post.c 2020-03-20 14:15:42.114115340 
+0100
+--- openssl-1.1.1g.orig/crypto/fips/fips_post.c2020-05-15 
16:18:44.030685013 +0200
 openssl-1.1.1g/crypto/fips/fips_post.c 2020-05-15 16:19:01.662586731 
+0200
 @@ -51,7 +51,6 @@
  
  #include 
@@ -1777,10 +1778,10 @@
  #include 
  #include 
  #include 
-Index: openssl-1.1.1e/crypto/fips/build.info
+Index: openssl-1.1.1g/crypto/fips/build.info
 ===
 openssl-1.1.1e.orig/crypto/fips/build.info 2020-03-20 14:15:40.018104341 
+0100
-+++ openssl-1.1.1e/crypto/fips/build.info  2020-03-20 14:15:42.114115340 
+0100
+--- openssl-1.1.1g.orig/crypto/fips/build.info 2020-05-15 16:18:44.030685013 
+0200
 openssl-1.1.1g/crypto/fips/build.info  2020-05-15 16:19:01.662586731 
+0200
 @@ -2,7 +2,7 @@ LIBS=../../libcrypto
  SOURCE[../../libcrypto]=\
  fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c \
@@ -1790,10 +1791,10 @@
  fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c 
\
  fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \
  fips_dh_selftest.c fips_ers.c
-Index: openssl-1.1.1e/crypto/fips/fips_drbg_selftest.c
+Index: openssl-1.1.1g/crypto/fips/fips_drbg_selftest.c
 

commit openssl-1_1 for openSUSE:Factory

2020-04-27 Thread root
Hello community,

here is the log from the commit of package openssl-1_1 for openSUSE:Factory 
checked in at 2020-04-27 23:27:46

Comparing /work/SRC/openSUSE:Factory/openssl-1_1 (Old)
 and  /work/SRC/openSUSE:Factory/.openssl-1_1.new.2738 (New)


Package is "openssl-1_1"

Mon Apr 27 23:27:46 2020 rev:17 rq:796090 version:1.1.1g

Changes:

--- /work/SRC/openSUSE:Factory/openssl-1_1/openssl-1_1.changes  2020-04-02 
17:42:27.029353981 +0200
+++ /work/SRC/openSUSE:Factory/.openssl-1_1.new.2738/openssl-1_1.changes
2020-04-27 23:27:58.158304185 +0200
@@ -1,0 +2,18 @@
+Tue Apr 21 13:47:04 UTC 2020 - Vítězslav Čížek 
+
+- Update to 1.1.1g
+  * Fixed segmentation fault in SSL_check_chain (CVE-2020-1967, bsc#1169407)
+Server or client applications that call the SSL_check_chain() function
+during or after a TLS 1.3 handshake may crash due to a NULL pointer
+dereference as a result of incorrect handling of the
+"signature_algorithms_cert" TLS extension. The crash occurs if an invalid
+or unrecognised signature algorithm is received from the peer. This could
+be exploited by a malicious peer in a Denial of Service attack.
+  * Added AES consttime code for no-asm configurations
+an optional constant time support for AES was added
+when building openssl for no-asm.
+- refresh patches:
+   * openssl-1.1.1-fips.patch
+   * openssl-1.1.1-fips-crng-test.patch
+
+---

Old:

  openssl-1.1.1f.tar.gz
  openssl-1.1.1f.tar.gz.asc

New:

  openssl-1.1.1g.tar.gz
  openssl-1.1.1g.tar.gz.asc



Other differences:
--
++ openssl-1_1.spec ++
--- /var/tmp/diff_new_pack.t8Gg9c/_old  2020-04-27 23:28:01.170310064 +0200
+++ /var/tmp/diff_new_pack.t8Gg9c/_new  2020-04-27 23:28:01.170310064 +0200
@@ -21,7 +21,7 @@
 %define _rname  openssl
 Name:   openssl-1_1
 # Don't forget to update the version in the "openssl" package!
-Version:1.1.1f
+Version:1.1.1g
 Release:0
 Summary:Secure Sockets and Transport Layer Security
 License:OpenSSL

++ openssl-1.1.1-fips-crng-test.patch ++
--- /var/tmp/diff_new_pack.t8Gg9c/_old  2020-04-27 23:28:01.254310228 +0200
+++ /var/tmp/diff_new_pack.t8Gg9c/_new  2020-04-27 23:28:01.258310236 +0200
@@ -1,7 +1,7 @@
-Index: openssl-1.1.1d/include/crypto/rand.h
+Index: openssl-1.1.1g/include/crypto/rand.h
 ===
 openssl-1.1.1d.orig/include/crypto/rand.h  2020-01-23 13:45:11.368633835 
+0100
-+++ openssl-1.1.1d/include/crypto/rand.h   2020-01-23 13:45:11.384633930 
+0100
+--- openssl-1.1.1g.orig/include/crypto/rand.h  2020-04-21 15:59:25.552654754 
+0200
 openssl-1.1.1g/include/crypto/rand.h   2020-04-21 15:59:27.208663772 
+0200
 @@ -49,6 +49,14 @@ size_t rand_drbg_get_additional_data(RAN
  
  void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out);
@@ -17,20 +17,22 @@
  /*
   * RAND_POOL functions
   */
-Index: openssl-1.1.1d/crypto/rand/build.info
+Index: openssl-1.1.1g/crypto/rand/build.info
 ===
 openssl-1.1.1d.orig/crypto/rand/build.info 2019-09-10 15:13:07.0 
+0200
-+++ openssl-1.1.1d/crypto/rand/build.info  2020-01-23 13:45:11.384633930 
+0100
-@@ -1,4 +1,4 @@
+--- openssl-1.1.1g.orig/crypto/rand/build.info 2020-04-21 15:59:27.208663772 
+0200
 openssl-1.1.1g/crypto/rand/build.info  2020-04-21 16:00:32.869021309 
+0200
+@@ -1,6 +1,6 @@
  LIBS=../../libcrypto
  SOURCE[../../libcrypto]=\
 -randfile.c rand_lib.c rand_err.c rand_egd.c \
 +randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \
  rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
-Index: openssl-1.1.1d/crypto/rand/drbg_lib.c
+ 
+ INCLUDE[drbg_ctr.o]=../modes
+Index: openssl-1.1.1g/crypto/rand/drbg_lib.c
 ===
 openssl-1.1.1d.orig/crypto/rand/drbg_lib.c 2020-01-23 13:45:11.368633835 
+0100
-+++ openssl-1.1.1d/crypto/rand/drbg_lib.c  2020-01-23 13:45:11.384633930 
+0100
+--- openssl-1.1.1g.orig/crypto/rand/drbg_lib.c 2020-04-21 15:59:25.552654754 
+0200
 openssl-1.1.1g/crypto/rand/drbg_lib.c  2020-04-21 15:59:27.208663772 
+0200
 @@ -67,7 +67,7 @@ static CRYPTO_THREAD_LOCAL private_drbg;
  
  
@@ -54,10 +56,10 @@
  #ifndef RAND_DRBG_GET_RANDOM_NONCE
  drbg->get_nonce = rand_drbg_get_nonce;
  drbg->cleanup_nonce = rand_drbg_cleanup_nonce;
-Index: openssl-1.1.1d/crypto/rand/rand_crng_test.c
+Index: openssl-1.1.1g/crypto/rand/rand_crng_test.c
 ===
 --- /dev/null  

commit openssl-1_1 for openSUSE:Factory

2020-04-02 Thread root
Hello community,

here is the log from the commit of package openssl-1_1 for openSUSE:Factory 
checked in at 2020-04-02 17:42:25

Comparing /work/SRC/openSUSE:Factory/openssl-1_1 (Old)
 and  /work/SRC/openSUSE:Factory/.openssl-1_1.new.3248 (New)


Package is "openssl-1_1"

Thu Apr  2 17:42:25 2020 rev:16 rq:790184 version:1.1.1f

Changes:

--- /work/SRC/openSUSE:Factory/openssl-1_1/openssl-1_1.changes  2020-03-01 
21:26:18.388348358 +0100
+++ /work/SRC/openSUSE:Factory/.openssl-1_1.new.3248/openssl-1_1.changes
2020-04-02 17:42:27.029353981 +0200
@@ -1,0 +2,52 @@
+Tue Mar 31 14:05:24 UTC 2020 - Vítězslav Čížek 
+
+- Update to 1.1.1f
+  * Revert the unexpected EOF reporting via SSL_ERROR_SSL
+- refresh openssl-1.1.0-no-html.patch
+
+---
+Fri Mar 20 11:58:08 UTC 2020 - Vítězslav Čížek 
+
+- Update to 1.1.1e
+  * Properly detect EOF while reading in libssl. Previously if we hit an EOF
+while reading in libssl then we would report an error back to the
+application (SSL_ERROR_SYSCALL) but errno would be 0. We now add
+an error to the stack (which means we instead return SSL_ERROR_SSL) and
+therefore give a hint as to what went wrong.
+  * Check that ed25519 and ed448 are allowed by the security level. Previously
+signature algorithms not using an MD were not being checked that they were
+allowed by the security level.
+  * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername()
+was not quite right. The behaviour was not consistent between resumption
+and normal handshakes, and also not quite consistent with historical
+behaviour. The behaviour in various scenarios has been clarified and
+it has been updated to make it match historical behaviour as closely as
+possible.
+  * Corrected the documentation of the return values from the EVP_DigestSign*
+set of functions.  The documentation mentioned negative values for some
+errors, but this was never the case, so the mention of negative values
+was removed.
+  * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
+The presence of this system service is determined at run-time.
+  * Added newline escaping functionality to a filename when using openssl dgst.
+This output format is to replicate the output format found in the '*sum'
+checksum programs. This aims to preserve backward compatibility.
+  * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
+the first value.
+- Update bunch of patches as the internal crypto headers got reorganized
+- drop openssl-1_1-CVE-2019-1551.patch (upstream)
+
+---
+Fri Mar 20 10:22:27 UTC 2020 - Vítězslav Čížek 
+
+- openssl dgst: default to SHA256 only when called without a digest,
+  not when it couldn't be found (bsc#1166189)
+  * add openssl-unknown_dgst.patch
+
+---
+Wed Mar  4 08:23:23 UTC 2020 - Vítězslav Čížek 
+
+- Limit the DRBG selftests to not deplete entropy (bsc#1165274)
+  * update openssl-fips_selftest_upstream_drbg.patch
+
+---

Old:

  openssl-1.1.1d.tar.gz
  openssl-1.1.1d.tar.gz.asc
  openssl-1_1-CVE-2019-1551.patch

New:

  openssl-1.1.1f.tar.gz
  openssl-1.1.1f.tar.gz.asc
  openssl-unknown_dgst.patch



Other differences:
--
++ openssl-1_1.spec ++
--- /var/tmp/diff_new_pack.KEkd81/_old  2020-04-02 17:42:29.101355585 +0200
+++ /var/tmp/diff_new_pack.KEkd81/_new  2020-04-02 17:42:29.101355585 +0200
@@ -21,7 +21,7 @@
 %define _rname  openssl
 Name:   openssl-1_1
 # Don't forget to update the version in the "openssl" package!
-Version:1.1.1d
+Version:1.1.1f
 Release:0
 Summary:Secure Sockets and Transport Layer Security
 License:OpenSSL
@@ -50,9 +50,6 @@
 Patch11:0004-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch
 Patch12:0005-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch
 Patch13:0006-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch
-# OpenSSL Security Advisory [6 December 2019] bsc#1158809 CVE-2019-1551
-# PATCH-FIX-UPSTREAM Integer overflow in RSAZ modular exponentiation on x86_64
-Patch15:openssl-1_1-CVE-2019-1551.patch
 # PATCH-FIX-UPSTREAM bsc#1152695 jsc#SLE-7861 Support for CPACF enhancements - 
part 1 (crypto)
 Patch16:
openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch
 Patch17:
openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch
@@ -85,6 +82,7 @@
 Patch44:

commit openssl-1_1 for openSUSE:Factory

2020-03-01 Thread root
Hello community,

here is the log from the commit of package openssl-1_1 for openSUSE:Factory 
checked in at 2020-03-01 21:26:08

Comparing /work/SRC/openSUSE:Factory/openssl-1_1 (Old)
 and  /work/SRC/openSUSE:Factory/.openssl-1_1.new.26092 (New)


Package is "openssl-1_1"

Sun Mar  1 21:26:08 2020 rev:15 rq:780187 version:1.1.1d

Changes:

--- /work/SRC/openSUSE:Factory/openssl-1_1/openssl-1_1.changes  2020-02-24 
15:49:55.387140060 +0100
+++ /work/SRC/openSUSE:Factory/.openssl-1_1.new.26092/openssl-1_1.changes   
2020-03-01 21:26:18.388348358 +0100
@@ -1,0 +2,7 @@
+Wed Feb 26 13:28:14 UTC 2020 - Vítězslav Čížek 
+
+- Run FIPS DRBG selftests against the crypto/rand DRBG implementation
+  (bsc#1164557)
+  * add openssl-fips_selftest_upstream_drbg.patch
+
+---

New:

  openssl-fips_selftest_upstream_drbg.patch



Other differences:
--
++ openssl-1_1.spec ++
--- /var/tmp/diff_new_pack.IRzwoB/_old  2020-03-01 21:26:19.852351332 +0100
+++ /var/tmp/diff_new_pack.IRzwoB/_new  2020-03-01 21:26:19.852351332 +0100
@@ -84,6 +84,7 @@
 Patch43:openssl-keep_EVP_KDF_functions_version.patch
 Patch44:openssl-fips_fix_selftests_return_value.patch
 Patch45:openssl-fips-add-SHA3-selftest.patch
+Patch46:openssl-fips_selftest_upstream_drbg.patch
 # PATCH-FIX-UPSTREAM jsc#SLE-7403 Support for CPACF enhancements - part 2 
(crypto)
 Patch50:
openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch
 Patch51:
openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch


++ openssl-fips_selftest_upstream_drbg.patch ++
 1836 lines (skipped)





commit openssl-1_1 for openSUSE:Factory

2020-02-24 Thread root
Hello community,

here is the log from the commit of package openssl-1_1 for openSUSE:Factory 
checked in at 2020-02-24 15:49:54

Comparing /work/SRC/openSUSE:Factory/openssl-1_1 (Old)
 and  /work/SRC/openSUSE:Factory/.openssl-1_1.new.26092 (New)


Package is "openssl-1_1"

Mon Feb 24 15:49:54 2020 rev:14 rq:778018 version:1.1.1d

Changes:

--- /work/SRC/openSUSE:Factory/openssl-1_1/openssl-1_1.changes  2020-02-11 
22:16:32.683276966 +0100
+++ /work/SRC/openSUSE:Factory/.openssl-1_1.new.26092/openssl-1_1.changes   
2020-02-24 15:49:55.387140060 +0100
@@ -1,0 +2,19 @@
+Fri Feb 21 08:03:05 UTC 2020 - Vítězslav Čížek 
+
+- Use the newly build libcrypto shared library when computing the hmac
+  checksums in order to avoid a bootstrapping issue by BuildRequiring
+  libopenssl1_1 (bsc#1164102)
+
+---
+Thu Feb 20 13:35:05 UTC 2020 - Vítězslav Čížek 
+
+- Fix wrong return values of FIPS DSA and ECDH selftests (bsc#1163569)
+  * add openssl-fips_fix_selftests_return_value.patch
+
+---
+Tue Feb 18 22:49:46 UTC 2020 - Jason Sikes 
+
+- Added SHA3 FIPS self-tests bsc#1155345
+  * openssl-fips-add-SHA3-selftest.patch
+
+---

New:

  openssl-fips-add-SHA3-selftest.patch
  openssl-fips_fix_selftests_return_value.patch



Other differences:
--
++ openssl-1_1.spec ++
--- /var/tmp/diff_new_pack.MkXXdR/_old  2020-02-24 15:49:56.759143115 +0100
+++ /var/tmp/diff_new_pack.MkXXdR/_new  2020-02-24 15:49:56.759143115 +0100
@@ -82,9 +82,11 @@
 Patch41:openssl-fips-clearerror.patch
 Patch42:openssl-fips-ignore_broken_atexit_test.patch
 Patch43:openssl-keep_EVP_KDF_functions_version.patch
+Patch44:openssl-fips_fix_selftests_return_value.patch
+Patch45:openssl-fips-add-SHA3-selftest.patch
 # PATCH-FIX-UPSTREAM jsc#SLE-7403 Support for CPACF enhancements - part 2 
(crypto)
-Patch44:
openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch
-Patch45:
openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch
+Patch50:
openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch
+Patch51:
openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch
 BuildRequires:  pkgconfig
 Conflicts:  ssl
 Provides:   ssl
@@ -268,13 +270,23 @@
 #   openssl dgst -sha256 -hmac 'ppaksykemnsecgtsttplmamstKMEs'
 %{expand:%%global __os_install_post {%__os_install_post
 
+# Point linker to the newly installed libcrypto in order to avoid 
BuildRequiring itself (libopenssl1_1)
+export LD_LIBRARY_PATH="%{buildroot}%{_libdir}"
+
 %{buildroot}%{_bindir}/fips_standalone_hmac \
   %{buildroot}%{_libdir}/libssl.so.%{maj_min} > \
 %{buildroot}%{_libdir}/.libssl.so.%{maj_min}.hmac
 
+# As fips_standalone_hmac now uses the very same library it checksums,
+# the libcrypto hmac needs to be saved to a temporary file, otherwise
+# the library will detect the empty hmac and abort due to a wrong checksum
 %{buildroot}%{_bindir}/fips_standalone_hmac \
   %{buildroot}%{_libdir}/libcrypto.so.%{maj_min} > \
-%{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.hmac
+%{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.temphmac
+
+# rename the temporary checksum to its proper name
+mv %{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.temphmac 
%{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.hmac
+unset LD_LIBRARY_PATH
 
 }}
 
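Review bot: The libssl checksum is now computed by fips_standalone_hmac linked against the buildroot libcrypto at a moment when `.libcrypto.so.%{maj_min}.hmac` does not exist at all, so the scheme depends on the freshly built library tolerating an absent checksum file while aborting on an empty one; the new comment only explains the empty case. Presumably this is what openssl-fips-run_selftests_only_when_module_is_complete.patch from the changelog provides, but the comment should say so, e.g. `# the library skips its POST while the .hmac files are missing; an empty .hmac would be treated as a failed checksum, hence the temp file`. Also `export LD_LIBRARY_PATH="%{buildroot}%{_libdir}"` replaces any value already set and the trailing `unset` does not restore it; harmless as far as this hunk shows, but prepending with `${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}` would be the safer idiom.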


++ openssl-fips-add-SHA3-selftest.patch ++
Index: openssl-1.1.1d/crypto/fips/fips_hmac_selftest.c
===
--- openssl-1.1.1d.orig/crypto/fips/fips_hmac_selftest.c
+++ openssl-1.1.1d/crypto/fips/fips_hmac_selftest.c
@@ -55,12 +55,23 @@
 #include 
 
 #ifdef OPENSSL_FIPS
+
+#define MAX_SHA3_KEY_LENGTH 200
+
 typedef struct {
 const EVP_MD *(*alg) (void);
 const char *key, *iv;
 unsigned char kaval[EVP_MAX_MD_SIZE];
 } HMAC_KAT;
 
+typedef struct {
+const EVP_MD *(*alg) (void);
+unsigned char key[MAX_SHA3_KEY_LENGTH];
+size_t keylen; /* strlen() doesn't work with NIST test vector keys */
+const char *iv;
+unsigned char kaval[EVP_MAX_MD_SIZE];
+} HMAC_KAT_SHA3;
+
 static const HMAC_KAT vector[] = {
 {EVP_sha1,
  /* from http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf */
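Review bot: `HMAC_KAT_SHA3` stores each key in a fixed `unsigned char key[MAX_SHA3_KEY_LENGTH]` and trusts the hand-written `keylen` field to say how much of it is valid; an initializer longer than 200 bytes is a compile error, but a `keylen` larger than the bytes actually supplied silently feeds trailing zeros (or, above 200, memory past the array) into the HMAC, and the KAT would then fail with a confusing mismatch instead of pointing at the bad vector. I would guard the lookup loop (outside this hunk) with `if (vector_SHA3[i].keylen > MAX_SHA3_KEY_LENGTH) return 0;` and add a comment on `keylen` saying it must equal the number of bytes in the initializer. The comment `/* strlen() doesn't work with NIST test vector keys */` would be clearer as `/* explicit length: the NIST keys contain 0x00 bytes, so strlen() cannot be used */`, if that is indeed the reason. Duplicating `alg`, `iv` and `kaval` in a second struct rather than adding `keylen` to the existing `HMAC_KAT` is a style choice that deserves a sentence in the commit message.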
@@ -111,6 +122,289 @@ static const HMAC_KAT vector[] = {
  },
 };
 
+static const HMAC_KAT_SHA3 vector_SHA3[] = {
+/* using SHA3-224 from 
https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Standards-and-Guidelines/documents/examples/HMAC_SHA3-224.pdf
 */
+{EVP_sha3_224,
+   

commit openssl-1_1 for openSUSE:Factory

2020-02-11 Thread root
Hello community,

here is the log from the commit of package openssl-1_1 for openSUSE:Factory 
checked in at 2020-02-11 22:16:32

Comparing /work/SRC/openSUSE:Factory/openssl-1_1 (Old)
 and  /work/SRC/openSUSE:Factory/.openssl-1_1.new.26092 (New)


Package is "openssl-1_1"

Tue Feb 11 22:16:32 2020 rev:13 rq:770495 version:1.1.1d

Changes:

--- /work/SRC/openSUSE:Factory/openssl-1_1/openssl-1_1.changes  2020-02-03 
11:10:36.765762884 +0100
+++ /work/SRC/openSUSE:Factory/.openssl-1_1.new.26092/openssl-1_1.changes   
2020-02-11 22:16:32.683276966 +0100
@@ -4 +4 @@
-- Support for CPACF enhancements - part 2 (crypto) [jsc#SLE-7575]
+- Support for CPACF enhancements - part 2 (crypto) [jsc#SLE-7403]



Other differences:
--
++ openssl-1_1.spec ++
--- /var/tmp/diff_new_pack.mqTd1w/_old  2020-02-11 22:16:33.891277620 +0100
+++ /var/tmp/diff_new_pack.mqTd1w/_new  2020-02-11 22:16:33.899277624 +0100
@@ -82,7 +82,7 @@
 Patch41:openssl-fips-clearerror.patch
 Patch42:openssl-fips-ignore_broken_atexit_test.patch
 Patch43:openssl-keep_EVP_KDF_functions_version.patch
-# PATCH-FIX-UPSTREAM jsc#SLE-7575 Support for CPACF enhancements - part 2 
(crypto)
+# PATCH-FIX-UPSTREAM jsc#SLE-7403 Support for CPACF enhancements - part 2 
(crypto)
 Patch44:
openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch
 Patch45:
openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch
 BuildRequires:  pkgconfig






commit openssl-1_1 for openSUSE:Factory

2020-02-03 Thread root
Hello community,

here is the log from the commit of package openssl-1_1 for openSUSE:Factory 
checked in at 2020-02-03 11:10:35

Comparing /work/SRC/openSUSE:Factory/openssl-1_1 (Old)
 and  /work/SRC/openSUSE:Factory/.openssl-1_1.new.26092 (New)


Package is "openssl-1_1"

Mon Feb  3 11:10:35 2020 rev:12 rq:768078 version:1.1.1d

Changes:

--- /work/SRC/openSUSE:Factory/openssl-1_1/openssl-1_1.changes  2020-01-10 
18:40:29.795493348 +0100
+++ /work/SRC/openSUSE:Factory/.openssl-1_1.new.26092/openssl-1_1.changes   
2020-02-03 11:10:36.765762884 +0100
@@ -1,0 +2,64 @@
+Tue Jan 28 12:14:59 UTC 2020 - Pedro Monreal Gonzalez 

+
+- Support for CPACF enhancements - part 2 (crypto) [jsc#SLE-7575]
+- Add patches:
+  * openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch
+  * openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch
+
+---
+Thu Jan 23 14:32:28 UTC 2020 - Vítězslav Čížek 
+
+- Temporarily ignore broken OPENSSL_INIT_NO_ATEXIT due to our
+  layered FIPS initialization (bsc#1161789)
+  * openssl-fips-ignore_broken_atexit_test.patch
+
+---
+Wed Jan 22 13:59:15 UTC 2020 - Vítězslav Čížek 
+
+- Import FIPS patches from SLE-15
+  * openssl-fips-dont_run_FIPS_module_installed.patch
+  * openssl-fips_mode.patch
+  * openssl-ship_fips_standalone_hmac.patch
+  * openssl-fips-clearerror.patch
+  * openssl-fips-selftests_in_nonfips_mode.patch
+
+---
+Tue Jan 21 16:08:21 UTC 2020 - Vítězslav Čížek 
+
+- Don't run FIPS power-up self-tests when the checksum files aren't
+  installed (bsc#1042392)
+  * add openssl-fips-run_selftests_only_when_module_is_complete.patch
+
+---
+Tue Jan 21 11:10:42 UTC 2020 - Vítězslav Čížek 
+
+- Import FIPS patches from Fedora (bsc#1157702, jsc#SLE-9553)
+  * openssl-1.1.1-fips-crng-test.patch
+  * openssl-1.1.1-fips-post-rand.patch
+  * openssl-1.1.1-fips.patch
+  * openssl-1.1.0-issuer-hash.patch
+  * openssl-1.1.1-evp-kdf.patch
+  * openssl-1.1.1-ssh-kdf.patch replaces 
openssl-jsc-SLE-8789-backport_KDF.patch
+- keep EVP_KDF functions at version 1.1.1d for backward compatibility
+  * add openssl-keep_EVP_KDF_functions_version.patch
+
+---
+Fri Dec 20 13:44:06 UTC 2019 - Pedro Monreal Gonzalez 

+
+- Support for CPACF enhancements - part 1 (crypto) [bsc#1152695, jsc#SLE-7861]
+- Add patches:
+  * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch
+  * openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch
+  * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch
+  * openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch
+  * openssl-s390xcpuid.pl-fix-comment.patch
+  * openssl-assembly-pack-accelerate-scalar-multiplication.patch
+  * openssl-Enable-curve-spefific-ECDSA-implementations-via-EC_M.patch
+  * openssl-s390x-assembly-pack-accelerate-ECDSA.patch
+  * openssl-OPENSSL_s390xcap.pod-list-msa9-facility-bit-155.patch
+  * openssl-s390x-assembly-pack-cleanse-only-sensitive-fields.patch
+  * openssl-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch
+  * openssl-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch
+  * openssl-Fix-9bf682f-which-broke-nistp224_method.patch
+
+---

Old:

  openssl-jsc-SLE-8789-backport_KDF.patch

New:

  openssl-1.1.0-issuer-hash.patch
  openssl-1.1.1-evp-kdf.patch
  openssl-1.1.1-fips-crng-test.patch
  openssl-1.1.1-fips-post-rand.patch
  openssl-1.1.1-fips.patch
  openssl-1.1.1-ssh-kdf.patch
  openssl-Enable-curve-spefific-ECDSA-implementations-via-EC_M.patch
  openssl-Fix-9bf682f-which-broke-nistp224_method.patch
  openssl-OPENSSL_s390xcap.pod-list-msa9-facility-bit-155.patch
  openssl-assembly-pack-accelerate-scalar-multiplication.patch
  openssl-fips-clearerror.patch
  openssl-fips-dont_run_FIPS_module_installed.patch
  openssl-fips-ignore_broken_atexit_test.patch
  openssl-fips-run_selftests_only_when_module_is_complete.patch
  openssl-fips-selftests_in_nonfips_mode.patch
  openssl-fips_mode.patch
  openssl-keep_EVP_KDF_functions_version.patch
  openssl-s390x-assembly-pack-accelerate-ECDSA.patch
  openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch
  openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch
  openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch
  openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch
  openssl-s390x-assembly-pack-cleanse-only-sensitive-fields.patch
  openssl-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch
  

commit openssl-1_1 for openSUSE:Factory

2020-01-10 Thread root
Hello community,

here is the log from the commit of package openssl-1_1 for openSUSE:Factory 
checked in at 2020-01-10 18:39:55

Comparing /work/SRC/openSUSE:Factory/openssl-1_1 (Old)
 and  /work/SRC/openSUSE:Factory/.openssl-1_1.new.6675 (New)


Package is "openssl-1_1"

Fri Jan 10 18:39:55 2020 rev:11 rq:761577 version:1.1.1d

Changes:

--- /work/SRC/openSUSE:Factory/openssl-1_1/openssl-1_1.changes  2019-12-23 
22:38:14.457841059 +0100
+++ /work/SRC/openSUSE:Factory/.openssl-1_1.new.6675/openssl-1_1.changes
2020-01-10 18:40:29.795493348 +0100
@@ -1,0 +2,8 @@
+Wed Dec 18 16:29:46 UTC 2019 - Vítězslav Čížek 
+
+- Obsolete libopenssl-1_0_0-devel in order to avoid conflict upon
+  upgrade from SLE-12 (bsc#1158499)
+- remove useless Suggests: libopenssl1_1-hmac, there's no such
+  package anymore
+
+---



Other differences:
--
++ openssl-1_1.spec ++
--- /var/tmp/diff_new_pack.ewHtTN/_old  2020-01-10 18:40:30.807493728 +0100
+++ /var/tmp/diff_new_pack.ewHtTN/_new  2020-01-10 18:40:30.819493733 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package openssl-1_1
 #
-# Copyright (c) 2019 SUSE LLC
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -73,8 +73,6 @@
 Summary:Secure Sockets and Transport Layer Security
 Group:  Productivity/Networking/Security
 Recommends: ca-certificates-mozilla
-# install libopenssl and libopenssl-hmac close together (bsc#1090765)
-Suggests:   libopenssl1_1-hmac = %{version}-%{release}
 # Needed for clean upgrade from former openssl-1_1_0, boo#1081335
 Obsoletes:  libopenssl1_1_0
 
@@ -96,6 +94,8 @@
 Provides:   ssl-devel
 # Needed for clean upgrade from former openssl-1_1_0, boo#1081335
 Obsoletes:  libopenssl-1_1_0-devel
+# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
+Obsoletes:  libopenssl-1_0_0-devel
 
 %description -n libopenssl-1_1-devel
 This subpackage contains header files for developing applications






commit openssl-1_1 for openSUSE:Factory

2019-12-23 Thread root
Hello community,

here is the log from the commit of package openssl-1_1 for openSUSE:Factory 
checked in at 2019-12-23 22:36:03

Comparing /work/SRC/openSUSE:Factory/openssl-1_1 (Old)
 and  /work/SRC/openSUSE:Factory/.openssl-1_1.new.6675 (New)


Package is "openssl-1_1"

Mon Dec 23 22:36:03 2019 rev:10 rq:755725 version:1.1.1d

Changes:

--- /work/SRC/openSUSE:Factory/openssl-1_1/openssl-1_1.changes  2019-11-20 
13:42:39.644285832 +0100
+++ /work/SRC/openSUSE:Factory/.openssl-1_1.new.6675/openssl-1_1.changes
2019-12-23 22:38:14.457841059 +0100
@@ -1,0 +2,8 @@
+Tue Dec 10 16:04:06 UTC 2019 - Pedro Monreal Gonzalez 

+
+- Security fix: [bsc#1158809, CVE-2019-1551]
+  * Overflow bug in the x64_64 Montgomery squaring procedure used
+in exponentiation with 512-bit moduli
+- Add openssl-1_1-CVE-2019-1551.patch
+
+---

New:

  openssl-1_1-CVE-2019-1551.patch



Other differences:
--
++ openssl-1_1.spec ++
--- /var/tmp/diff_new_pack.1ko1MA/_old  2019-12-23 22:38:15.225841392 +0100
+++ /var/tmp/diff_new_pack.1ko1MA/_new  2019-12-23 22:38:15.233841395 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package openssl-1_1
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -51,6 +51,9 @@
 Patch12:0005-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch
 Patch13:0006-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch
 Patch14:openssl-jsc-SLE-8789-backport_KDF.patch
+# OpenSSL Security Advisory [6 December 2019] bsc#1158809 CVE-2019-1551
+# PATCH-FIX-UPSTREAM Integer overflow in RSAZ modular exponentiation on x86_64
+Patch15:openssl-1_1-CVE-2019-1551.patch
 BuildRequires:  pkgconfig
 Conflicts:  ssl
 Provides:   ssl
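Review bot: Patch15 is only declared in this hunk; the %prep line that applies it (`%patch15 -p1`, or an %autopatch/%autosetup that covers it) is not visible here, and a declared-but-unapplied patch would leave CVE-2019-1551 open while the changelog records it as fixed. Worth confirming the application line landed together with this declaration, since nothing at build time would otherwise complain. The rest of the spec, including %prep, is outside the hunk.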
@@ -201,7 +204,7 @@
 # Do not install demo scripts executable under /usr/share/doc
 find demos -type f -perm /111 -exec chmod 644 {} \;
 
-# Place showciphers.c for %doc macro
+# Place showciphers.c for %%doc macro
 cp %{SOURCE5} .
 
 %post -n libopenssl1_1 -p /sbin/ldconfig


++ openssl-1_1-CVE-2019-1551.patch ++
 1058 lines (skipped)





commit openssl-1_1 for openSUSE:Factory

2019-11-20 Thread root
Hello community,

here is the log from the commit of package openssl-1_1 for openSUSE:Factory 
checked in at 2019-11-20 13:42:29

Comparing /work/SRC/openSUSE:Factory/openssl-1_1 (Old)
 and  /work/SRC/openSUSE:Factory/.openssl-1_1.new.26869 (New)


Package is "openssl-1_1"

Wed Nov 20 13:42:29 2019 rev:9 rq:738529 version:1.1.1d

Changes:

--- /work/SRC/openSUSE:Factory/openssl-1_1/openssl-1_1.changes  2019-06-18 
14:51:42.281613714 +0200
+++ /work/SRC/openSUSE:Factory/.openssl-1_1.new.26869/openssl-1_1.changes   
2019-11-20 13:42:39.644285832 +0100
@@ -1,0 +2,61 @@
+Mon Oct 14 18:36:37 UTC 2019 - Jason Sikes 
+
+- Merged upstream changes to allow NULL salt values in EVP_PBE_scrypt().
+  * Revealed by nodejs12 during bsc#1149572.
+  * Modified openssl-jsc-SLE-8789-backport_KDF.patch
+
+---
+Mon Oct 14 08:45:39 UTC 2019 - Adam Majer 
+
+- openssl-jsc-SLE-8789-backport_KDF.patch: retain old behaviour
+  of EVP_PBE_scrypt. When key output buffer is not provided,
+  only check if the input parameters are in valid range and
+  ignore passphrase/salt fields as they are only used in
+  the actual calculation.
+
+---
+Wed Sep 11 09:32:16 UTC 2019 - Vítězslav Čížek 
+
+- Update to 1.1.1d (bsc#1133925, jsc#SLE-6430)
+  * Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
+number generator (RNG). This was intended to include protection in the
+event of a fork() system call in order to ensure that the parent and child
+processes did not share the same RNG state. However this protection was not
+being used in the default case.
+(bsc#1150247, CVE-2019-1549)
+  * Compute ECC cofactors if not provided during EC_GROUP construction. Before
+this change, EC_GROUP_set_generator would accept order and/or cofactor as
+NULL. After this change, only the cofactor parameter can be NULL.
+(bsc#1150003, CVE-2019-1547)
+  * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
+(bsc#1150250, CVE-2019-1563)
+  * For built-in EC curves, ensure an EC_GROUP built from the curve name is
+used even when parsing explicit parameters, when loading a serialized key
+or calling 
EC_GROUP_new_from_ecpkparameters()/EC_GROUP_new_from_ecparameters().
+  * Early start up entropy quality from the DEVRANDOM seed source has been
+improved for older Linux systems.
+  * Changed DH_check to accept parameters with order q and 2q subgroups.
+With order 2q subgroups the bit 0 of the private key is not secret
+but DH_generate_key works around that by clearing bit 0 of the
+private key for those. This avoids leaking bit 0 of the private key.
+  * Significantly reduce secure memory usage by the randomness pools.
+  * Revert the DEVRANDOM_WAIT feature for Linux systems
+- drop 0001-build_SYS_str_reasons-Fix-a-crash-caused-by-overlong.patch 
(upstream)
+- refresh patches
+  * openssl-1.1.0-no-html.patch
+  * openssl-jsc-SLE-8789-backport_KDF.patch
+
+---
+Tue Sep 10 19:26:34 UTC 2019 - Jason Sikes 
+
+- To avoid seperate certification of openssh server / client
+  move the SSH KDF (Key Derivation Function) into openssl.
+  * jsc#SLE-8789
+  * Sourced from commit
+
8d76481b189b7195ef932e0fb8f0e23ab0120771#diff-a9562bc75317360a2e6b8b0748956e34
+in openssl master (introduce the SSH KDF)
+and commit 5a285addbf39f91d567f95f04b2b41764127950d
+in openssl master (backport EVP/KDF API framework)
+  * added openssl-jsc-SLE-8789-backport_KDF.patch
+
+---

Old:

  0001-build_SYS_str_reasons-Fix-a-crash-caused-by-overlong.patch
  openssl-1.1.1c.tar.gz
  openssl-1.1.1c.tar.gz.asc

New:

  openssl-1.1.1d.tar.gz
  openssl-1.1.1d.tar.gz.asc
  openssl-jsc-SLE-8789-backport_KDF.patch



Other differences:
--
++ openssl-1_1.spec ++
--- /var/tmp/diff_new_pack.AbdpKw/_old  2019-11-20 13:42:44.492284351 +0100
+++ /var/tmp/diff_new_pack.AbdpKw/_new  2019-11-20 13:42:44.496284350 +0100
@@ -21,7 +21,7 @@
 %define _rname  openssl
 Name:   openssl-1_1
 # Don't forget to update the version in the "openssl" package!
-Version:1.1.1c
+Version:1.1.1d
 Release:0
 Summary:Secure Sockets and Transport Layer Security
 License:OpenSSL
@@ -43,8 +43,6 @@
 Patch4: openssl-DEFAULT_SUSE_cipher.patch
 Patch5: openssl-ppc64-config.patch
 Patch6: openssl-no-date.patch
-# PATCH-FIX-UPSTREAM https://github.com/openssl/openssl/pull/8966
-Patch7: 0001-build_SYS_str_reasons-Fix-a-crash-caused-by-overlong.patch
 

commit openssl-1_1 for openSUSE:Factory

2019-06-18 Thread root
Hello community,

here is the log from the commit of package openssl-1_1 for openSUSE:Factory 
checked in at 2019-06-18 14:51:37

Comparing /work/SRC/openSUSE:Factory/openssl-1_1 (Old)
 and  /work/SRC/openSUSE:Factory/.openssl-1_1.new.4811 (New)


Package is "openssl-1_1"

Tue Jun 18 14:51:37 2019 rev:8 rq:709893 version:1.1.1c

Changes:

--- /work/SRC/openSUSE:Factory/openssl-1_1/openssl-1_1.changes  2019-06-14 
08:34:57.181061942 +0200
+++ /work/SRC/openSUSE:Factory/.openssl-1_1.new.4811/openssl-1_1.changes
2019-06-18 14:51:42.281613714 +0200
@@ -1,0 +2,55 @@
+Thu Jun  6 10:06:45 UTC 2019 - Vítězslav Čížek 
+
+- Use upstream patch for the locale crash (bsc#1135550)
+  * https://github.com/openssl/openssl/pull/8966
+- delete openssl-fix_underflow_in_errstr_handling.patch
+- add 0001-build_SYS_str_reasons-Fix-a-crash-caused-by-overlong.patch
+
+---
+Thu Jun  6 10:03:03 UTC 2019 - Vítězslav Čížek 
+
+- Add s390x vectorized support for ChaCha20 and Poly1305
+  (jsc#SLE-6126, jsc#SLE-6129)
+  * 0001-s390x-assembly-pack-perlasm-support.patch
+  * 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
+  * 0003-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch
+  * 0004-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch
+  * 0005-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch
+  * 0006-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch
+- delete 0001-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch
+
+---
+Thu May 30 09:55:01 UTC 2019 - Vítězslav Čížek 
+
+- Update to 1.1.1c (bsc#1133925, jsc#SLE-6430)
+  * Prevent over long nonces in ChaCha20-Poly1305 (CVE-2019-1543)
+ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
+for every encryption operation. RFC 7539 specifies that the nonce value
+(IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length
+and front pads the nonce with 0 bytes if it is less than 12
+bytes. However it also incorrectly allows a nonce to be set of up to 16
+bytes. In this case only the last 12 bytes are significant and any
+additional leading bytes are ignored.
+  * Add build tests for C++.  These are generated files that only do one
+thing, to include one public OpenSSL head file each.  This tests that
+the public header files can be usefully included in a C++ application.
+  * Enable SHA3 pre-hashing for ECDSA and DSA.
+  * Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
+This changes the size when using the genpkey app when no size is given. It
+fixes an omission in earlier changes that changed all RSA, DSA and DH
+generation apps to use 2048 bits by default.
+  * Reorganize the manual pages to consistently have RETURN VALUES,
+EXAMPLES, SEE ALSO and HISTORY come in that order, and adjust
+util/fix-doc-nits accordingly.
+  * Add the missing accessor EVP_PKEY_get0_engine()
+  * Have apps like 's_client' and 's_server' output the signature scheme
+along with other cipher suite parameters when debugging.
+  * Make OPENSSL_config() error agnostic again.
+  * Do the error handling in RSA decryption constant time.
+  * Ensure that SM2 only uses SM3 as digest algorithm
+- drop upstreamed patches:
+  * openssl-fix-handling-of-GNU-strerror_r.patch
+  * 0001-Fix-for-BIO_get_mem_ptr-and-related-regressions.patch
+- update keyring by including Richard Levitte's key
+
+---

Old:

  0001-Fix-for-BIO_get_mem_ptr-and-related-regressions.patch
  0001-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch
  openssl-1.1.1b.tar.gz
  openssl-1.1.1b.tar.gz.asc
  openssl-fix-handling-of-GNU-strerror_r.patch
  openssl-fix_underflow_in_errstr_handling.patch

New:

  0001-build_SYS_str_reasons-Fix-a-crash-caused-by-overlong.patch
  0003-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch
  0004-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch
  0005-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch
  0006-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch
  openssl-1.1.1c.tar.gz
  openssl-1.1.1c.tar.gz.asc



Other differences:
--
++ openssl-1_1.spec ++
--- /var/tmp/diff_new_pack.stoEiN/_old  2019-06-18 14:51:43.825611979 +0200
+++ /var/tmp/diff_new_pack.stoEiN/_new  2019-06-18 14:51:43.829611975 +0200
@@ -21,7 +21,7 @@
 %define _rname  openssl
 Name:   openssl-1_1
 # Don't forget to update the version in the "openssl" package!
-Version:1.1.1b
+Version:1.1.1c
 Release:0
 Summary:Secure Sockets and Transport Layer 

commit openssl-1_1 for openSUSE:Factory

2019-06-14 Thread root
Hello community,

here is the log from the commit of package openssl-1_1 for openSUSE:Factory 
checked in at 2019-06-14 08:34:53

Comparing /work/SRC/openSUSE:Factory/openssl-1_1 (Old)
 and  /work/SRC/openSUSE:Factory/.openssl-1_1.new.4811 (New)


Package is "openssl-1_1"

Fri Jun 14 08:34:53 2019 rev:7 rq: version:1.1.1b

Changes:

--- /work/SRC/openSUSE:Factory/openssl-1_1/openssl-1_1.changes  2019-05-16 
21:54:43.762922413 +0200
+++ /work/SRC/openSUSE:Factory/.openssl-1_1.new.4811/openssl-1_1.changes
2019-06-14 08:34:57.181061942 +0200
@@ -1,0 +2,12 @@
+Tue May 28 08:21:52 UTC 2019 - Jiri Slaby 
+
+- add 0001-Fix-for-BIO_get_mem_ptr-and-related-regressions.patch
+  (bnc#1136522)
+
+---
+Mon May 20 16:21:01 UTC 2019 - Vítězslav Čížek 
+
+- Fix a crash caused by long locale messages (bsc#1135550)
+  * add openssl-fix_underflow_in_errstr_handling.patch
+
+---

New:

  0001-Fix-for-BIO_get_mem_ptr-and-related-regressions.patch
  openssl-fix_underflow_in_errstr_handling.patch



Other differences:
--
++ openssl-1_1.spec ++
--- /var/tmp/diff_new_pack.TQ1f20/_old  2019-06-14 08:34:58.301061683 +0200
+++ /var/tmp/diff_new_pack.TQ1f20/_new  2019-06-14 08:34:58.309061681 +0200
@@ -50,6 +50,9 @@
 Patch9: 0001-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch
 # PATCH-FIX-UPSTREAM https://github.com/openssl/openssl/pull/8371
 Patch10:openssl-fix-handling-of-GNU-strerror_r.patch
+Patch11:openssl-fix_underflow_in_errstr_handling.patch
+# PATCH-FIX-UPSTREAM https://github.com/openssl/openssl/pull/8649 bnc#1136522
+Patch12:0001-Fix-for-BIO_get_mem_ptr-and-related-regressions.patch
 BuildRequires:  pkgconfig
 Conflicts:  ssl
 Provides:   ssl

++ 0001-Fix-for-BIO_get_mem_ptr-and-related-regressions.patch ++
From: Tomas Mraz 
Date: Wed, 3 Apr 2019 12:31:32 +0200
Subject: Fix for BIO_get_mem_ptr and related regressions
Patch-mainline: yes
Git-commit: b238fb79709a180ba9b4d837101c9f75e2978dc0
References: bnc#1136522

Reviewed-by: Bernd Edlinger 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/8649)

Signed-off-by: Jiri Slaby 
---
 crypto/bio/bss_mem.c | 40 
 1 file changed, 28 insertions(+), 12 deletions(-)

diff --git a/crypto/bio/bss_mem.c b/crypto/bio/bss_mem.c
index 89c54b2d53df..51fae3b2f0b9 100644
--- a/crypto/bio/bss_mem.c
+++ b/crypto/bio/bss_mem.c
@@ -57,7 +57,12 @@ static const BIO_METHOD secmem_method = {
 NULL,  /* mem_callback_ctrl */
 };
 
-/* BIO memory stores buffer and read pointer  */
+/*
+ * BIO memory stores buffer and read pointer
+ * however the roles are different for read only BIOs.
+ * In that case the readp just stores the original state
+ * to be used for reset.
+ */
 typedef struct bio_buf_mem_st {
 struct buf_mem_st *buf;   /* allocated buffer */
 struct buf_mem_st *readp; /* read pointer */
@@ -192,6 +197,8 @@ static int mem_read(BIO *b, char *out, int outl)
 BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)b->ptr;
 BUF_MEM *bm = bbm->readp;
 
+if (b->flags & BIO_FLAGS_MEM_RDONLY)
+bm = bbm->buf;
 BIO_clear_retry_flags(b);
 ret = (outl >= 0 && (size_t)outl > bm->length) ? (int)bm->length : outl;
 if ((out != NULL) && (ret > 0)) {
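Review bot: The added `if (b->flags & BIO_FLAGS_MEM_RDONLY) bm = bbm->buf;` silently switches which BUF_MEM is consumed for read-only BIOs, and a reader of mem_read alone will still assume readp is always the read cursor. The rationale lives only in the struct comment in the earlier hunk, so a one-line comment at the point of use would help: `/* read-only BIOs consume buf directly; readp only keeps the reset snapshot */`. The remainder of mem_read, which advances the cursor after the copy, is outside this hunk.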
@@ -241,29 +248,36 @@ static long mem_ctrl(BIO *b, int cmd, long num, void *ptr)
 BIO_BUF_MEM *bbm = (BIO_BUF_MEM *)b->ptr;
 BUF_MEM *bm;
 
+if (b->flags & BIO_FLAGS_MEM_RDONLY)
+bm = bbm->buf;
+else
+bm = bbm->readp;
+
 switch (cmd) {
 case BIO_CTRL_RESET:
 bm = bbm->buf;
 if (bm->data != NULL) {
-/* For read only case reset to the start again */
-if ((b->flags & BIO_FLAGS_MEM_RDONLY) || (b->flags & 
BIO_FLAGS_NONCLEAR_RST)) {
-bm->length = bm->max;
+if (!(b->flags & BIO_FLAGS_MEM_RDONLY)) {
+if (b->flags & BIO_FLAGS_NONCLEAR_RST) {
+bm->length = bm->max;
+} else {
+memset(bm->data, 0, bm->max);
+bm->length = 0;
+}
+*bbm->readp = *bbm->buf;
 } else {
-memset(bm->data, 0, bm->max);
-bm->length = 0;
+/* For read only case just reset to the start again */
+*bbm->buf = *bbm->readp;
 }
-*bbm->readp = *bbm->buf;
 }
 break;
 case BIO_CTRL_EOF:
-bm = bbm->readp;
 ret = (long)(bm->length == 0);
 break;
 case BIO_C_SET_BUF_MEM_EOF_RETURN:

commit openssl-1_1 for openSUSE:Factory

2019-05-16 Thread root
Hello community,

here is the log from the commit of package openssl-1_1 for openSUSE:Factory 
checked in at 2019-05-16 21:54:39

Comparing /work/SRC/openSUSE:Factory/openssl-1_1 (Old)
 and  /work/SRC/openSUSE:Factory/.openssl-1_1.new.5148 (New)


Package is "openssl-1_1"

Thu May 16 21:54:39 2019 rev:6 rq:681494 version:1.1.1b

Changes:

--- /work/SRC/openSUSE:Factory/openssl-1_1/openssl-1_1.changes  2018-08-07 
09:40:54.277082903 +0200
+++ /work/SRC/openSUSE:Factory/.openssl-1_1.new.5148/openssl-1_1.changes
2019-05-16 21:54:43.762922413 +0200
@@ -1,0 +2,208 @@
+Mon Mar  4 13:01:18 UTC 2019 - Dominique Leuenberger 
+
+- Drop bc and ed BuildRequires: I could not find any reference to
+  these tools being used during build or check.
+
+---
+Fri Mar  1 13:28:03 UTC 2019 - Vítězslav Čížek 
+
+- Use upstream-approved patch for the handling of strerror_r
+  * https://github.com/openssl/openssl/pull/8371
+- add openssl-fix-handling-of-GNU-strerror_r.patch
+- drop strerror.patch
+
+---
+Thu Feb 28 13:37:55 UTC 2019 - Pedro Monreal Gonzalez 

+
+- Update to 1.1.1b
+  * Added SCA hardening for modular field inversion in EC_GROUP
+through a new dedicated field_inv() pointer in EC_METHOD.
+  * Change the info callback signals for the start and end of a post-handshake
+message exchange in TLSv1.3. In 1.1.1/1.1.1a we used SSL_CB_HANDSHAKE_START
+and SSL_CB_HANDSHAKE_DONE. Experience has shown that many applications get
+confused by this and assume that a TLSv1.2 renegotiation has started. This
+can break KeyUpdate handling. Instead we no longer signal the start and end
+of a post handshake message exchange (although the messages themselves are
+still signalled). This could break some applications that were expecting
+the old signals. However without this KeyUpdate is not usable for many
+applications.
+  * Fix a bug in the computation of the endpoint-pair shared secret used
+by DTLS over SCTP. This breaks interoperability with older versions
+of OpenSSL like OpenSSL 1.1.0 and OpenSSL 1.0.2. There is a runtime
+switch SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG (off by default) enabling
+interoperability with such broken implementations. However, enabling
+this switch breaks interoperability with correct implementations.
+  * Fix a use after free bug in d2i_X509_PUBKEY when overwriting a
+re-used X509_PUBKEY object if the second PUBKEY is malformed.
+  * Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0()
+
+---
+Thu Feb 28 12:10:33 UTC 2019 - Vítězslav Čížek 
+
+- Add strerror.patch to avoid problems with strerror_r() not setting
+  the provided buf
+
+---
+Mon Feb 11 14:39:12 UTC 2019 - Vítězslav Čížek 
+
+- Add s390x poly1305 vectorized implementation (fate#326351)
+  * https://github.com/openssl/openssl/pull/7991
+- add 0001-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch
+
+---
+Thu Jan 10 15:20:07 UTC 2019 - Vítězslav Čížek 
+
+- Add s390x chacha20 vectorized implementation (fate#326561)
+  * https://github.com/openssl/openssl/pull/6919
+- added patches:
+  0001-s390x-assembly-pack-perlasm-support.patch
+  0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
+
+---
+Tue Nov 20 14:31:28 UTC 2018 - Vítězslav Čížek 
+
+- Update to 1.1.1a
+  * Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for
+the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names
+are retained for backwards compatibility.
+  * Fixed the issue that RAND_add()/RAND_seed() silently discards random input
+if its length exceeds 4096 bytes. The limit has been raised to a buffer 
size
+of two gigabytes and the error handling improved.
+- drop upstream patches:
+  * 0001-Add-a-constant-time-flag-to-one-of-the-bignums-to-av.patch
+  * 0001-DSA-Check-for-sanity-of-input-parameters.patch
+  * 0001-DSA-mod-inverse-fix.patch
+  * openssl-CVE-2018-0734.patch
+  * openssl-CVE-2018-0735.patch
+
+---
+Mon Nov  5 12:53:54 UTC 2018 - Vítězslav Čížek 
+
+- OpenSSL Security Advisory [30 October 2018]
+  * Timing vulnerability in ECDSA signature generation
+(bsc#1113651, CVE-2018-0735)
+  * Timing vulnerability in DSA signature generation
+(bsc#1113652, CVE-2018-0734)
+  * And more timing fixes
+- Add patches:
+  * openssl-CVE-2018-0734.patch
+  * openssl-CVE-2018-0735.patch
+  * 0001-DSA-mod-inverse-fix.patch
+  * 

commit openssl-1_1 for openSUSE:Factory

2018-08-07 Thread root
Hello community,

here is the log from the commit of package openssl-1_1 for openSUSE:Factory 
checked in at 2018-08-07 09:40:53

Comparing /work/SRC/openSUSE:Factory/openssl-1_1 (Old)
 and  /work/SRC/openSUSE:Factory/.openssl-1_1.new (New)


Package is "openssl-1_1"

Tue Aug  7 09:40:53 2018 rev:5 rq:627061 version:1.1.0h

Changes:

--- /work/SRC/openSUSE:Factory/openssl-1_1/openssl-1_1.changes  2018-06-03 
12:32:28.260392395 +0200
+++ /work/SRC/openSUSE:Factory/.openssl-1_1.new/openssl-1_1.changes 
2018-08-07 09:40:54.277082903 +0200
@@ -1,0 +2,8 @@
+Thu Aug  2 10:41:20 UTC 2018 - vci...@suse.com
+
+- Add openssl(cli) Provide so the packages that require the openssl
+  binary can require this instead of the new openssl meta package
+  (bsc#1101470)
+- Don't Require openssl-1_1 from the devel package, just Recommend it
+
+---



Other differences:
--
++ openssl-1_1.spec ++
--- /var/tmp/diff_new_pack.qN9Clc/_old  2018-08-07 09:40:55.065084276 +0200
+++ /var/tmp/diff_new_pack.qN9Clc/_new  2018-08-07 09:40:55.069084283 +0200
@@ -88,6 +88,7 @@
 BuildRequires:  pkgconfig(zlib)
 Conflicts:  ssl
 Provides:   ssl
+Provides:   openssl(cli)
 # Needed for clean upgrade path, boo#1070003
 Obsoletes:  openssl-1_0_0
 # Needed for clean upgrade from former openssl-1_1_0, boo#1081335
@@ -104,6 +105,7 @@
 License:OpenSSL
 Group:  Productivity/Networking/Security
 Recommends: ca-certificates-mozilla
+# install libopenssl and libopenssl-hmac close together (bsc#1090765)
 Suggests:   libopenssl1_1-hmac = %{version}-%{release}
 # Needed for clean upgrade from former openssl-1_1_0, boo#1081335
 Obsoletes:  libopenssl1_1_0
@@ -118,7 +120,7 @@
 Summary:Development files for OpenSSL
 License:OpenSSL
 Group:  Development/Libraries/C and C++
-Requires:   %{name} = %{version}
+Recommends: %{name} = %{version}
 Requires:   libopenssl1_1 = %{version}
 Requires:   pkgconfig(zlib)
 # we need to have around only the exact version we are able to operate with






commit openssl-1_1 for openSUSE:Factory

2018-06-03 Thread root
Hello community,

here is the log from the commit of package openssl-1_1 for openSUSE:Factory 
checked in at 2018-06-03 12:32:23

Comparing /work/SRC/openSUSE:Factory/openssl-1_1 (Old)
 and  /work/SRC/openSUSE:Factory/.openssl-1_1.new (New)


Package is "openssl-1_1"

Sun Jun  3 12:32:23 2018 rev:4 rq:613477 version:1.1.0h

Changes:

--- /work/SRC/openSUSE:Factory/openssl-1_1/openssl-1_1.changes  2018-05-13 
15:56:46.876466436 +0200
+++ /work/SRC/openSUSE:Factory/.openssl-1_1.new/openssl-1_1.changes 
2018-06-03 12:32:28.260392395 +0200
@@ -1,0 +2,14 @@
+Fri Jun  1 11:37:06 UTC 2018 - vci...@suse.com
+
+- Suggest libopenssl1_1-hmac from libopenssl1_1 package to avoid
+  dependency issues during updates (bsc#1090765)
+
+---
+Tue May 29 08:53:01 UTC 2018 - vci...@suse.com
+
+- Relax CN name restrictions (bsc#1084011)
+  * added patches:
+0001-Limit-scope-of-CN-name-constraints.patch
+0002-Skip-CN-DNS-name-constraint-checks-when-not-needed.patch
+
+---

New:

  0001-Limit-scope-of-CN-name-constraints.patch
  0002-Skip-CN-DNS-name-constraint-checks-when-not-needed.patch



Other differences:
--
++ openssl-1_1.spec ++
--- /var/tmp/diff_new_pack.flW46I/_old  2018-06-03 12:32:29.832334847 +0200
+++ /var/tmp/diff_new_pack.flW46I/_new  2018-06-03 12:32:29.836334701 +0200
@@ -79,6 +79,9 @@
 # PATCH-FIX-UPSTREAM (boo#1091961)
 Patch74:0001-Revert-util-dofile.pl-only-quote-stuff-that-actually.patch
 Patch75:openssl-CVE-2018-0737.patch
+# PATCH-FIX-UPSTREAM (bsc#1084011)
+Patch76:0001-Limit-scope-of-CN-name-constraints.patch
+Patch77:0002-Skip-CN-DNS-name-constraint-checks-when-not-needed.patch
 BuildRequires:  bc
 BuildRequires:  ed
 BuildRequires:  pkgconfig
@@ -101,6 +104,7 @@
 License:OpenSSL
 Group:  Productivity/Networking/Security
 Recommends: ca-certificates-mozilla
+Suggests:   libopenssl1_1-hmac = %{version}-%{release}
 # Needed for clean upgrade from former openssl-1_1_0, boo#1081335
 Obsoletes:  libopenssl1_1_0
 

++ 0001-Limit-scope-of-CN-name-constraints.patch ++
 802 lines (skipped)

++ 0002-Skip-CN-DNS-name-constraint-checks-when-not-needed.patch ++
>From 6d3cfd13a904a03fc3522da935136dcdd12e9014 Mon Sep 17 00:00:00 2001
From: Viktor Dukhovni 
Date: Tue, 22 May 2018 14:46:02 -0400
Subject: [PATCH 2/2] Skip CN DNS name constraint checks when not needed

Only check the CN against DNS name constraints if the
`X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` flag is not set, and either the
certificate has no DNS subject alternative names or the
`X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT` flag is set.

Add pertinent documentation, and touch up some stale text about
name checks and DANE.

Reviewed-by: Matt Caswell 
Reviewed-by: Tim Hudson 
---
 crypto/x509/x509_vfy.c | 28 ++-
 crypto/x509v3/v3_ncons.c   | 31 +++---
 doc/crypto/X509_VERIFY_PARAM_set_flags.pod | 21 ---
 doc/crypto/X509_check_host.pod |  7 +++--
 doc/ssl/SSL_set1_host.pod  |  2 +-
 5 files changed, 61 insertions(+), 28 deletions(-)

Index: openssl-1.1.0h/crypto/x509/x509_vfy.c
===
--- openssl-1.1.0h.orig/crypto/x509/x509_vfy.c  2018-03-27 15:50:39.0 
+0200
+++ openssl-1.1.0h/crypto/x509/x509_vfy.c   2018-05-29 10:52:23.753159887 
+0200
@@ -557,6 +557,27 @@ static int check_chain_extensions(X509_S
 return 1;
 }
 
+static int has_san_id(X509 *x, int gtype)
+{
+int i;
+int ret = 0;
+GENERAL_NAMES *gs = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
+
+if (gs == NULL)
+return 0;
+
+for (i = 0; i < sk_GENERAL_NAME_num(gs); i++) {
+GENERAL_NAME *g = sk_GENERAL_NAME_value(gs, i);
+
+if (g->type == gtype) {
+ret = 1;
+break;
+}
+}
+GENERAL_NAMES_free(gs);
+return ret;
+}
+
 static int check_name_constraints(X509_STORE_CTX *ctx)
 {
 int i;
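Review bot: has_san_id reports "no SAN of this type" both when the extension is absent and, if I recall the X509V3_get_d2i contract correctly, when it is present but fails to decode, because X509_get_ext_d2i is called with NULL for the crit and idx out-parameters and only `gs == NULL` is tested. For the caller that means an undecodable SAN makes the CN get checked against the DNS name constraints, which is the conservative direction, but the behaviour is not stated and someone could later "fix" it into the permissive one. A comment on the early return such as `/* absent or undecodable SAN: report no match so the CN fallback applies */` would pin that down. The caller's use of the result is in the next hunk, whose end is outside this view.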
@@ -655,7 +676,12 @@ static int check_name_constraints(X509_S
 int rv = NAME_CONSTRAINTS_check(x, nc);
 
 /* If EE certificate check commonName too */
-if (rv == X509_V_OK && i == 0)
+if (rv == X509_V_OK && i == 0
+&& (ctx->param->hostflags
+& X509_CHECK_FLAG_NEVER_CHECK_SUBJECT) == 0
+&& ((ctx->param->hostflags
+ & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT) != 0
+|| !has_san_id(x, GEN_DNS)))
 rv = 

commit openssl-1_1 for openSUSE:Factory

2018-05-13 Thread root
Hello community,

here is the log from the commit of package openssl-1_1 for openSUSE:Factory 
checked in at 2018-05-13 15:56:45

Comparing /work/SRC/openSUSE:Factory/openssl-1_1 (Old)
 and  /work/SRC/openSUSE:Factory/.openssl-1_1.new (New)


Package is "openssl-1_1"

Sun May 13 15:56:45 2018 rev:3 rq:606163 version:1.1.0h

Changes:

--- /work/SRC/openSUSE:Factory/openssl-1_1/openssl-1_1.changes  2018-03-30 
12:01:45.154035547 +0200
+++ /work/SRC/openSUSE:Factory/.openssl-1_1.new/openssl-1_1.changes 
2018-05-13 15:56:46.876466436 +0200
@@ -1,0 +2,14 @@
+Thu May 10 09:37:19 UTC 2018 - vci...@suse.com
+
+- OpenSSL Security Advisory [16 Apr 2018]
+  * Cache timing vulnerability in RSA Key Generation
+(CVE-2018-0737, bsc#1089039)
+  * add openssl-CVE-2018-0737.patch
+
+---
+Thu May 10 09:32:43 UTC 2018 - vci...@suse.com
+
+- Fix escaping in c_rehash (boo#1091961, bsc#1091963)
+  * add 0001-Revert-util-dofile.pl-only-quote-stuff-that-actually.patch
+
+---

New:

  0001-Revert-util-dofile.pl-only-quote-stuff-that-actually.patch
  openssl-CVE-2018-0737.patch



Other differences:
--
++ openssl-1_1.spec ++
--- /var/tmp/diff_new_pack.wGRR7N/_old  2018-05-13 15:56:47.688436807 +0200
+++ /var/tmp/diff_new_pack.wGRR7N/_new  2018-05-13 15:56:47.692436661 +0200
@@ -76,6 +76,9 @@
 Patch72:0013-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch
 # PATCH-FIX-UPSTREAM (boo#1084651)
 Patch73:0001-Tolerate-a-Certificate-using-a-non-supported-group-o.patch
+# PATCH-FIX-UPSTREAM (boo#1091961)
+Patch74:0001-Revert-util-dofile.pl-only-quote-stuff-that-actually.patch
+Patch75:openssl-CVE-2018-0737.patch
 BuildRequires:  bc
 BuildRequires:  ed
 BuildRequires:  pkgconfig

++ 0001-Revert-util-dofile.pl-only-quote-stuff-that-actually.patch ++
>From 7ee2a43069913fb7c444c656048996ea92cc465e Mon Sep 17 00:00:00 2001
From: Richard Levitte 
Date: Wed, 28 Mar 2018 14:46:27 +0200
Subject: [PATCH] Revert "util/dofile.pl: only quote stuff that actually needs
 quoting"

This wasn't a good solution, too many things depend on the quotes being
there consistently.

This reverts commit 49cd47eaababc8c57871b929080fc1357e2ad7b8.

Fixes #5772

Reviewed-by: Rich Salz 
(Merged from https://github.com/openssl/openssl/pull/5773)

(cherry picked from commit 00701e5ea84861b74d9d624f21a6b3fcb12e8acd)
---
 util/dofile.pl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/util/dofile.pl b/util/dofile.pl
index fc72989b0f..a932941cd5 100644
--- a/util/dofile.pl
+++ b/util/dofile.pl
@@ -99,9 +99,9 @@ package main;
 # This adds quotes (") around the given string, and escapes any $, @, \,
 # " and ' by prepending a \ to them.
 sub quotify1 {
-my $s = my $orig = shift @_;
+my $s = shift @_;
 $s =~ s/([\$\@\\"'])/\\$1/g;
-$s ne $orig || $s =~ /\s/ ? '"'.$s.'"' : $s;
+'"'.$s.'"';
 }
 
 # quotify_l LIST
-- 
2.16.3


++ openssl-CVE-2018-0737.patch ++
The CVE-2018-0737 fix consists of commits:
9db724cfede4ba7a3668bff533973ee70145ec07
011f82e66f4bf131c733fd41a8390039859aafb2
7150a4720af7913cae16f2e4eaf768b578c0b298
(the three above are included in 1.1.0h)
6939eab03a6e23d2bd2c3f5e34fe1d48e542e787
and additional changes to our fips_rsa_keygen()

>From 6939eab03a6e23d2bd2c3f5e34fe1d48e542e787 Mon Sep 17 00:00:00 2001
From: Billy Brumley 
Date: Wed, 11 Apr 2018 10:10:58 +0300
Subject: [PATCH] RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont
 both get called with BN_FLG_CONSTTIME flag set.

CVE-2018-0737

Reviewed-by: Rich Salz 
Reviewed-by: Matt Caswell 
---
 crypto/rsa/rsa_gen.c | 2 ++
 1 file changed, 2 insertions(+)

Index: openssl-1.1.0h/crypto/rsa/rsa_gen.c
===
--- openssl-1.1.0h.orig/crypto/rsa/rsa_gen.c2018-05-10 11:50:53.298706226 
+0200
+++ openssl-1.1.0h/crypto/rsa/rsa_gen.c 2018-05-10 12:55:39.394968170 +0200
@@ -123,6 +123,7 @@ static int fips_rsa_builtin_keygen(RSA *
 int n = 0;
 int test = 0;
 int pbits = bits / 2;
+unsigned long error = 0;
 
 if (FIPS_selftest_failed()) {
 FIPSerr(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, FIPS_R_FIPS_SELFTEST_FAILED);
@@ -191,6 +192,10 @@ retry:
 if (!BN_lshift(r3, r3, pbits - 100))
 goto err;
 
+BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
+BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
+BN_set_flags(r2, BN_FLG_CONSTTIME);
+
 /* generate p and q */
 for (i = 0; i < 5 * pbits; i++) {
  ploop:
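Review bot: The three BN_set_flags calls are added without saying what they protect, and BN_FLG_CONSTTIME only changes the behaviour of BN routines that consult it, so the intent given in the patch subject (make BN_mod_inverse and BN_mod_exp_mont take their constant-time paths during key generation) should be recorded at the point of use: `/* CVE-2018-0737: keep p, q and r2 on constant-time paths in BN_mod_inverse/BN_mod_exp_mont */`. The flags are set once before the generation loop, so they persist across the retry label as long as the loop does not replace the BIGNUM objects; the loop body and the later calls that consume p, q and r2 are outside this hunk, so whether every consumer honours the flag cannot be confirmed here.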
@@ -205,9 +210,9 @@ retry:
 
 if 

commit openssl-1_1 for openSUSE:Factory

2018-03-30 Thread root
Hello community,

here is the log from the commit of package openssl-1_1 for openSUSE:Factory 
checked in at 2018-03-30 12:01:42

Comparing /work/SRC/openSUSE:Factory/openssl-1_1 (Old)
 and  /work/SRC/openSUSE:Factory/.openssl-1_1.new (New)


Package is "openssl-1_1"

Fri Mar 30 12:01:42 2018 rev:2 rq:592073 version:1.1.0h

Changes:

--- /work/SRC/openSUSE:Factory/openssl-1_1/openssl-1_1.changes  2018-03-01 
12:05:25.379235790 +0100
+++ /work/SRC/openSUSE:Factory/.openssl-1_1.new/openssl-1_1.changes 
2018-03-30 12:01:45.154035547 +0200
@@ -1,0 +2,24 @@
+Wed Mar 28 14:34:49 UTC 2018 - vci...@suse.com
+
+- Tolerate a Certificate using a non-supported group on server side
+  (boo#1084651)
+  * https://github.com/openssl/openssl/pull/5607
+  * add 0001-Tolerate-a-Certificate-using-a-non-supported-group-o.patch
+
+---
+Tue Mar 27 14:42:36 UTC 2018 - vci...@suse.com
+
+- Update to 1.1.0h
+  OpenSSL Security Advisory [27 Mar 2018]
+  * Constructed ASN.1 types with a recursive definition could exceed
+the stack (CVE-2018-0739) (bsc#1087102)
+  * rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
+(bsc#1071906)
+- refresh patches:
+  * 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
+  * openssl-1.1.0-fips.patch
+  * openssl-pkgconfig.patch
+  * openssl-rsakeygen-minimum-distance.patch
+  * openssl-static-deps.patch
+
+---

Old:

  openssl-1.1.0g.tar.gz
  openssl-1.1.0g.tar.gz.asc

New:

  0001-Tolerate-a-Certificate-using-a-non-supported-group-o.patch
  openssl-1.1.0h.tar.gz
  openssl-1.1.0h.tar.gz.asc



Other differences:
--
++ openssl-1_1.spec ++
--- /var/tmp/diff_new_pack.1tc961/_old  2018-03-30 12:01:46.090001702 +0200
+++ /var/tmp/diff_new_pack.1tc961/_new  2018-03-30 12:01:46.090001702 +0200
@@ -20,7 +20,7 @@
 %define maj_min 1.1
 %define _rname  openssl
 Name:   openssl-1_1
-Version:1.1.0g
+Version:1.1.0h
 Release:0
 Summary:Secure Sockets and Transport Layer Security
 License:OpenSSL
@@ -74,6 +74,8 @@
 Patch70:0011-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch
 Patch71:0012-s390x-assembly-pack-add-KMA-code-path-for-aes-gcm.patch
 Patch72:0013-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch
+# PATCH-FIX-UPSTREAM (boo#1084651)
+Patch73:0001-Tolerate-a-Certificate-using-a-non-supported-group-o.patch
 BuildRequires:  bc
 BuildRequires:  ed
 BuildRequires:  pkgconfig

++ 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch ++
--- /var/tmp/diff_new_pack.1tc961/_old  2018-03-30 12:01:46.141999822 +0200
+++ /var/tmp/diff_new_pack.1tc961/_new  2018-03-30 12:01:46.141999822 +0200
@@ -4,11 +4,11 @@
 Subject: [PATCH] Axe builtin printf implementation, use glibc instead
 
 
-Index: openssl-1.1.0g/crypto/bio/b_print.c
+Index: openssl-1.1.0h/crypto/bio/b_print.c
 ===
 openssl-1.1.0g.orig/crypto/bio/b_print.c   2017-11-02 15:29:02.0 
+0100
-+++ openssl-1.1.0g/crypto/bio/b_print.c2017-11-02 20:48:01.240953505 
+0100
-@@ -21,831 +21,6 @@
+--- openssl-1.1.0h.orig/crypto/bio/b_print.c   2018-03-27 15:50:37.0 
+0200
 openssl-1.1.0h/crypto/bio/b_print.c2018-03-27 16:31:15.425784205 
+0200
+@@ -21,830 +21,6 @@
   * on all source code distributions.
   */
  
@@ -656,7 +656,7 @@
 -iconvert[iplace++] = "0123456789"[intpart % 10];
 -intpart = (intpart / 10);
 -} while (intpart && (iplace < (int)sizeof(iconvert)));
--if (iplace == sizeof iconvert)
+-if (iplace == sizeof(iconvert))
 -iplace--;
 -iconvert[iplace] = 0;
 -
@@ -674,7 +674,7 @@
 -fracpart = (fracpart / 10);
 -}
 -
--if (fplace == sizeof fconvert)
+-if (fplace == sizeof(fconvert))
 -fplace--;
 -fconvert[fplace] = 0;
 -
@@ -836,11 +836,10 @@
 -}
 -
 -/***/
--
+ 
  int BIO_printf(BIO *bio, const char *format, ...)
  {
- va_list args;
-@@ -859,30 +34,36 @@ int BIO_printf(BIO *bio, const char *for
+@@ -859,30 +35,36 @@ int BIO_printf(BIO *bio, const char *for
  return (ret);
  }
  
@@ -898,7 +897,7 @@
  return (ret);
  }
  
-@@ -898,29 +79,21 @@ int BIO_snprintf(char *buf, size_t n, co
+@@ -898,29 +80,21 @@ int BIO_snprintf(char *buf, size_t n, co
  int ret;
  
  va_start(args, format);
@@ -936,10 +935,10 @@
 -return (retlen <= INT_MAX) ? (int)retlen : -1;
 +return (ret);
  }
-Index: openssl-1.1.0g/test/bioprinttest.c
+Index: openssl-1.1.0h/test/bioprinttest.c
 

commit openssl-1_1 for openSUSE:Factory

2018-03-01 Thread root
Hello community,

here is the log from the commit of package openssl-1_1 for openSUSE:Factory 
checked in at 2018-03-01 12:05:23

Comparing /work/SRC/openSUSE:Factory/openssl-1_1 (Old)
 and  /work/SRC/openSUSE:Factory/.openssl-1_1.new (New)


Package is "openssl-1_1"

Thu Mar  1 12:05:23 2018 rev:1 rq:580922 version:1.1.0g

Changes:

New Changes file:

--- /dev/null   2018-03-01 08:56:54.644963210 +0100
+++ /work/SRC/openSUSE:Factory/.openssl-1_1.new/openssl-1_1.changes 
2018-03-01 12:05:25.379235790 +0100
@@ -0,0 +1,2626 @@
+---
+Tue Feb 27 20:13:14 UTC 2018 - dims...@opensuse.org
+
+- Move the libopenssl1_1_0-32bit obsoletes in baselibs.conf to the
+  new libopenssl1_1-32bit: it does not belong to the devel
+  package.
+
+---
+Fri Feb 16 12:01:50 UTC 2018 - vci...@suse.com
+
+- Renamed from openssl-1_1_0 (bsc#1081335)
+  * All the minor versions of the 1.1.x openssl branch have the same
+sonum and keep ABI compatibility
+  * obsolete the 1_1_0 packages
+- update baselibs.conf with the new version names
+
+---
+Thu Feb 15 15:47:07 UTC 2018 - tchva...@suse.com
+
+- Remove bit obsolete syntax
+- Use %license macro
+
+---
+Mon Jan 22 15:29:33 UTC 2018 - sch...@suse.de
+
+- Don't disable afalgeng on aarch64
+
+---
+Tue Jan  9 17:37:39 UTC 2018 - vci...@suse.com
+
+- Add support for s390x CPACF enhancements (fate#321518)
+  patches taken from https://github.com/openssl/openssl/pull/2859:
+  * 0002-crypto-modes-asm-ghash-s390x.pl-fix-gcm_gmult_4bit-K.patch
+  * 0004-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch
+  * 0005-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch
+  * 0006-s390x-assembly-pack-extended-s390x-capability-vector.patch
+  * 0007-crypto-evp-e_aes.c-add-foundations-for-extended-s390.patch
+  * 0008-s390x-assembly-pack-extended-s390x-capability-vector.patch
+  * 0009-crypto-aes-asm-aes-s390x.pl-add-KMA-code-path.patch
+  * 0010-doc-man3-OPENSSL_s390xcap.pod-update-KMA.patch
+  * 0011-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch
+  * 0012-s390x-assembly-pack-add-KMA-code-path-for-aes-gcm.patch
+  * 0013-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch
+
+---
+Tue Nov 28 09:54:38 UTC 2017 - dims...@opensuse.org
+
+- Do not filter pkgconfig() provides/requires.
+
+---
+Tue Nov 28 08:24:53 UTC 2017 - dims...@opensuse.org
+
+- Obsolete openssl-1_0_0 by openssl-1_1_0: this is required for a
+  clean upgrade path as an aid to zypp (boo#1070003).
+
+---
+Thu Nov  2 19:56:54 UTC 2017 - vci...@suse.com
+
+- Update to 1.1.0g
+  OpenSSL Security Advisory [02 Nov 2017]
+  * bn_sqrx8x_internal carry bug on x86_64
+(CVE-2017-3736) (bsc#1066242)
+  * Malformed X.509 IPAddressFamily could cause OOB read
+(CVE-2017-3735) (bsc#1056058)
+- drop 0001-Fix-a-TLSProxy-race-condition.patch (upstream)
+- refresh 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
+
+---
+Fri Sep  1 11:33:46 UTC 2017 - vci...@suse.com
+
+- update DEFAULT_SUSE cipher list (bsc#1055825)
+  * add CHACHA20-POLY1305
+  * add ECDSA ciphers
+  * remove 3DES
+- modified openssl-1.0.1e-add-suse-default-cipher.patch
+
+---
+Tue Aug 15 08:48:59 UTC 2017 - meiss...@suse.com
+
+- do not require openssl1_1_0-targettype in devel-targettype, as it
+  is not built (it has no libraries)
+
+---
+Mon Aug  7 23:29:33 UTC 2017 - jeng...@inai.de
+
+- The description is supposed to describe the package, not the
+  development process or history. (Synchronize with the
+  already-updates descriptions in openssl-1_0_0.)
+- Update historic copypasted boilerplate summaries
+  ("include files mandatory for development")
+
+---
+Thu Aug  3 07:04:30 UTC 2017 - tchva...@suse.com
+
+- Disable the verbosity of the tests as we expose yet another race
+  condition in that
+
+---
+Tue Jul 18 11:06:41 UTC 2017 - vci...@suse.com
+
+- Fix a race condition in tests to make the package build reliably
+  * https://github.com/openssl/openssl/issues/3562
+  * 0001-Fix-a-TLSProxy-race-condition.patch
+