openssl-1_1/openssl-1_1-openssl-config.patch

557 lines
23 KiB
Diff
Raw Normal View History

Accepting request 1063668 from home:ohollmann:branches:security:tls - Update to 1.1.1t: * Fixed X.400 address type confusion in X.509 GeneralName. There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This vulnerability may allow an attacker who can provide a certificate chain and CRL (neither of which need have a valid signature) to pass arbitrary pointers to a memcmp call, creating a possible read primitive, subject to some constraints. Refer to the advisory for more information. Thanks to David Benjamin for discovering this issue. [bsc#1207533, CVE-2023-0286] This issue has been fixed by changing the public header file definition of GENERAL_NAME so that x400Address reflects the implementation. It was not possible for any existing application to successfully use the existing definition; however, if any application references the x400Address field (e.g. in dead code), note that the type of this field has changed. There is no ABI change. * Fixed Use-after-free following BIO_new_NDEF. The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. OBS-URL: https://build.opensuse.org/request/show/1063668 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=128
2023-02-08 09:03:11 +01:00
---
Configurations/descrip.mms.tmpl | 4 +--
Configurations/unix-Makefile.tmpl | 22 ++++++++---------
Configure | 2 -
INSTALL | 2 -
NEWS | 3 ++
VMS/openssl_utils.com.in | 2 -
apps/CA.pl.in | 8 +++---
apps/build.info | 6 ++--
apps/tsget.in | 2 -
doc/HOWTO/certificates.txt | 2 -
doc/man1/CA.pl.pod | 36 ++++++++++++++---------------
doc/man1/ca.pod | 4 +--
doc/man1/rehash.pod | 10 ++++----
doc/man1/tsget.pod | 4 +--
doc/man1/verify.pod | 2 -
doc/man1/x509.pod | 2 -
doc/man3/OPENSSL_config.pod | 2 -
doc/man3/SSL_CTX_load_verify_locations.pod | 4 +--
doc/man5/config.pod | 2 -
include/internal/cryptlib.h | 2 -
test/recipes/80-test_ca.t | 10 ++++----
tools/build.info | 2 -
tools/c_rehash.in | 6 ++--
23 files changed, 71 insertions(+), 68 deletions(-)
Accepting request 1101915 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1v: * Fix excessive time spent checking DH q parameter value (bsc#1213853, CVE-2023-3817). The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped. * Fix DH_check() excessive time with over sized modulus (bsc#1213487, CVE-2023-3446). The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Rebase openssl-1_1-openssl-config.patch * Remove security patches fixed upstream: - openssl-CVE-2023-3446.patch - openssl-CVE-2023-3446-test.patch OBS-URL: https://build.opensuse.org/request/show/1101915 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=141
2023-08-02 12:03:45 +02:00
Index: openssl-1.1.1v/Configurations/descrip.mms.tmpl
===================================================================
--- openssl-1.1.1v.orig/Configurations/descrip.mms.tmpl
+++ openssl-1.1.1v/Configurations/descrip.mms.tmpl
@@ -142,8 +142,8 @@ INSTALL_SHLIBS={- join(", ", map { "-\n\
Accepting request 1063668 from home:ohollmann:branches:security:tls - Update to 1.1.1t: * Fixed X.400 address type confusion in X.509 GeneralName. There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This vulnerability may allow an attacker who can provide a certificate chain and CRL (neither of which need have a valid signature) to pass arbitrary pointers to a memcmp call, creating a possible read primitive, subject to some constraints. Refer to the advisory for more information. Thanks to David Benjamin for discovering this issue. [bsc#1207533, CVE-2023-0286] This issue has been fixed by changing the public header file definition of GENERAL_NAME so that x400Address reflects the implementation. It was not possible for any existing application to successfully use the existing definition; however, if any application references the x400Address field (e.g. in dead code), note that the type of this field has changed. There is no ABI change. * Fixed Use-after-free following BIO_new_NDEF. The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. OBS-URL: https://build.opensuse.org/request/show/1063668 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=128
2023-02-08 09:03:11 +01:00
INSTALL_ENGINES={- join(", ", map { "-\n\t".$_.".EXE" } @{$unified_info{install}->{engines}}) -}
INSTALL_PROGRAMS={- join(", ", map { "-\n\t".$_.".EXE" } @{$unified_info{install}->{programs}}) -}
{- output_off() if $disabled{apps}; "" -}
-BIN_SCRIPTS=[.tools]c_rehash.pl
-MISC_SCRIPTS=[.apps]CA.pl, [.apps]tsget.pl
+BIN_SCRIPTS=[.tools]c_rehash-1_1.pl
+MISC_SCRIPTS=[.apps]CA-1_1.pl, [.apps]tsget-1_1.pl
{- output_on() if $disabled{apps}; "" -}
APPS_OPENSSL={- use File::Spec::Functions;
Accepting request 1101915 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1v: * Fix excessive time spent checking DH q parameter value (bsc#1213853, CVE-2023-3817). The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped. * Fix DH_check() excessive time with over sized modulus (bsc#1213487, CVE-2023-3446). The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Rebase openssl-1_1-openssl-config.patch * Remove security patches fixed upstream: - openssl-CVE-2023-3446.patch - openssl-CVE-2023-3446-test.patch OBS-URL: https://build.opensuse.org/request/show/1101915 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=141
2023-08-02 12:03:45 +02:00
Index: openssl-1.1.1v/Configurations/unix-Makefile.tmpl
===================================================================
--- openssl-1.1.1v.orig/Configurations/unix-Makefile.tmpl
+++ openssl-1.1.1v/Configurations/unix-Makefile.tmpl
@@ -140,8 +140,8 @@ INSTALL_SHLIB_INFO={- join(" ", map { "\
INSTALL_ENGINES={- join(" ", map { dso($_) } @{$unified_info{install}->{engines}}) -}
INSTALL_PROGRAMS={- join(" ", map { $_.$exeext } @{$unified_info{install}->{programs}}) -}
{- output_off() if $disabled{apps}; "" -}
-BIN_SCRIPTS=$(BLDDIR)/tools/c_rehash
-MISC_SCRIPTS=$(BLDDIR)/apps/CA.pl $(BLDDIR)/apps/tsget.pl:tsget
+BIN_SCRIPTS=$(BLDDIR)/tools/c_rehash-1_1
+MISC_SCRIPTS=$(BLDDIR)/apps/CA-1_1.pl $(BLDDIR)/apps/tsget-1_1.pl:tsget-1_1
{- output_on() if $disabled{apps}; "" -}
APPS_OPENSSL={- use File::Spec::Functions;
@@ -579,14 +579,14 @@ install_ssldirs:
: {- output_on() if windowsdll(); "" -}; \
fi; \
done
- @$(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist"
- @cp $(SRCDIR)/apps/openssl.cnf "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new"
- @chmod 644 "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new"
- @mv -f "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new" "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist"
- @if [ ! -f "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf" ]; then \
- $(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \
- cp $(SRCDIR)/apps/openssl.cnf "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \
- chmod 644 "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \
+ @$(ECHO) "install $(SRCDIR)/apps/openssl-1_1.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf.dist"
+ @cp $(SRCDIR)/apps/openssl-1_1.cnf "$(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf.new"
+ @chmod 644 "$(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf.new"
+ @mv -f "$(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf.new" "$(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf.dist"
+ @if [ ! -f "$(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf" ]; then \
+ $(ECHO) "install $(SRCDIR)/apps/openssl-1_1.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf"; \
+ cp $(SRCDIR)/apps/openssl-1_1.cnf "$(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf"; \
+ chmod 644 "$(DESTDIR)$(OPENSSLDIR)/openssl-1_1.cnf"; \
fi
@$(ECHO) "install $(SRCDIR)/apps/ct_log_list.cnf -> $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.dist"
@cp $(SRCDIR)/apps/ct_log_list.cnf "$(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new"
@@ -870,7 +870,7 @@ lint:
generate_apps:
( cd $(SRCDIR); $(PERL) VMS/VMSify-conf.pl \
- < apps/openssl.cnf > apps/openssl-vms.cnf )
+ < apps/openssl-1_1.cnf > apps/openssl-vms.cnf )
generate_crypto_bn:
( cd $(SRCDIR); $(PERL) crypto/bn/bn_prime.pl > crypto/bn/bn_prime.h )
Accepting request 1101915 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1v: * Fix excessive time spent checking DH q parameter value (bsc#1213853, CVE-2023-3817). The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped. * Fix DH_check() excessive time with over sized modulus (bsc#1213487, CVE-2023-3446). The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Rebase openssl-1_1-openssl-config.patch * Remove security patches fixed upstream: - openssl-CVE-2023-3446.patch - openssl-CVE-2023-3446-test.patch OBS-URL: https://build.opensuse.org/request/show/1101915 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=141
2023-08-02 12:03:45 +02:00
Index: openssl-1.1.1v/Configure
===================================================================
--- openssl-1.1.1v.orig/Configure
+++ openssl-1.1.1v/Configure
@@ -35,7 +35,7 @@ my $usage="Usage: Configure [no-<cipher>
# directories bin, lib, include, share/man, share/doc/openssl
# This becomes the value of INSTALLTOP in Makefile
# (Default: /usr/local)
-# --openssldir OpenSSL data area, such as openssl.cnf, certificates and keys.
+# --openssldir OpenSSL data area, such as openssl-1_1.cnf, certificates and keys.
# If it's a relative directory, it will be added on the directory
# given with --prefix.
# This becomes the value of OPENSSLDIR in Makefile and in C.
Accepting request 1101915 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1v: * Fix excessive time spent checking DH q parameter value (bsc#1213853, CVE-2023-3817). The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped. * Fix DH_check() excessive time with over sized modulus (bsc#1213487, CVE-2023-3446). The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Rebase openssl-1_1-openssl-config.patch * Remove security patches fixed upstream: - openssl-CVE-2023-3446.patch - openssl-CVE-2023-3446-test.patch OBS-URL: https://build.opensuse.org/request/show/1101915 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=141
2023-08-02 12:03:45 +02:00
Index: openssl-1.1.1v/INSTALL
===================================================================
--- openssl-1.1.1v.orig/INSTALL
+++ openssl-1.1.1v/INSTALL
@@ -296,7 +296,7 @@
be undesirable if small executable size is an objective.
no-autoload-config
- Don't automatically load the default openssl.cnf file.
+ Don't automatically load the default openssl-1_1.cnf file.
Typically OpenSSL will automatically load a system config
file which configures default ssl options.
Accepting request 1101915 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1v: * Fix excessive time spent checking DH q parameter value (bsc#1213853, CVE-2023-3817). The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped. * Fix DH_check() excessive time with over sized modulus (bsc#1213487, CVE-2023-3446). The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Rebase openssl-1_1-openssl-config.patch * Remove security patches fixed upstream: - openssl-CVE-2023-3446.patch - openssl-CVE-2023-3446-test.patch OBS-URL: https://build.opensuse.org/request/show/1101915 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=141
2023-08-02 12:03:45 +02:00
Index: openssl-1.1.1v/NEWS
===================================================================
--- openssl-1.1.1v.orig/NEWS
+++ openssl-1.1.1v/NEWS
@@ -10,6 +10,9 @@
o Fix excessive time spent checking DH q parameter value (CVE-2023-3817)
o Fix DH_check() excessive time with over sized modulus (CVE-2023-3446)
+ IMPORTANT: For compatibility with OpenSSL 3.0, the OpenSSL master
+ configuration file openssl.cnf has been renamed to openssl-1_1.cnf.
+
Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [30 May 2023]
o Mitigate for very slow `OBJ_obj2txt()` performance with gigantic
Accepting request 1101915 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1v: * Fix excessive time spent checking DH q parameter value (bsc#1213853, CVE-2023-3817). The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped. * Fix DH_check() excessive time with over sized modulus (bsc#1213487, CVE-2023-3446). The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Rebase openssl-1_1-openssl-config.patch * Remove security patches fixed upstream: - openssl-CVE-2023-3446.patch - openssl-CVE-2023-3446-test.patch OBS-URL: https://build.opensuse.org/request/show/1101915 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=141
2023-08-02 12:03:45 +02:00
Index: openssl-1.1.1v/VMS/openssl_utils.com.in
===================================================================
--- openssl-1.1.1v.orig/VMS/openssl_utils.com.in
+++ openssl-1.1.1v/VMS/openssl_utils.com.in
@@ -8,7 +8,7 @@ $ OPENSSL :== $OSSL$EXE:OPENSSL'v'
$
$ IF F$TYPE(PERL) .EQS. "STRING"
$ THEN
-$ C_REHASH :== 'PERL' OSSL$EXE:c_rehash.pl
+$ C_REHASH :== 'PERL' OSSL$EXE:c_rehash-1_1.pl
$ ELSE
$ WRITE SYS$ERROR "NOTE: no perl => no C_REHASH"
$ ENDIF
Accepting request 1101915 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1v: * Fix excessive time spent checking DH q parameter value (bsc#1213853, CVE-2023-3817). The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped. * Fix DH_check() excessive time with over sized modulus (bsc#1213487, CVE-2023-3446). The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Rebase openssl-1_1-openssl-config.patch * Remove security patches fixed upstream: - openssl-CVE-2023-3446.patch - openssl-CVE-2023-3446-test.patch OBS-URL: https://build.opensuse.org/request/show/1101915 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=141
2023-08-02 12:03:45 +02:00
Index: openssl-1.1.1v/apps/CA.pl.in
===================================================================
--- openssl-1.1.1v.orig/apps/CA.pl.in
+++ openssl-1.1.1v/apps/CA.pl.in
@@ -113,10 +113,10 @@ sub run
if ( $WHAT =~ /^(-\?|-h|-help)$/ ) {
- print STDERR "usage: CA.pl -newcert | -newreq | -newreq-nodes | -xsign | -sign | -signCA | -signcert | -crl | -newca [-extra-cmd extra-params]\n";
- print STDERR " CA.pl -pkcs12 [-extra-pkcs12 extra-params] [certname]\n";
- print STDERR " CA.pl -verify [-extra-verify extra-params] certfile ...\n";
- print STDERR " CA.pl -revoke [-extra-ca extra-params] certfile [reason]\n";
+ print STDERR "usage: CA-1_1.pl -newcert | -newreq | -newreq-nodes | -xsign | -sign | -signCA | -signcert | -crl | -newca [-extra-cmd extra-params]\n";
+ print STDERR " CA-1_1.pl -pkcs12 [-extra-pkcs12 extra-params] [certname]\n";
+ print STDERR " CA-1_1.pl -verify [-extra-verify extra-params] certfile ...\n";
+ print STDERR " CA-1_1.pl -revoke [-extra-ca extra-params] certfile [reason]\n";
exit 0;
}
if ($WHAT eq '-newcert' ) {
Accepting request 1101915 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1v: * Fix excessive time spent checking DH q parameter value (bsc#1213853, CVE-2023-3817). The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped. * Fix DH_check() excessive time with over sized modulus (bsc#1213487, CVE-2023-3446). The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Rebase openssl-1_1-openssl-config.patch * Remove security patches fixed upstream: - openssl-CVE-2023-3446.patch - openssl-CVE-2023-3446-test.patch OBS-URL: https://build.opensuse.org/request/show/1101915 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=141
2023-08-02 12:03:45 +02:00
Index: openssl-1.1.1v/apps/build.info
===================================================================
--- openssl-1.1.1v.orig/apps/build.info
+++ openssl-1.1.1v/apps/build.info
@@ -73,7 +73,7 @@ IF[{- !$disabled{apps} -}]
GENERATE[progs.h]=progs.pl $(APPS_OPENSSL)
DEPEND[progs.h]=../configdata.pm
- SCRIPTS=CA.pl tsget.pl
- SOURCE[CA.pl]=CA.pl.in
- SOURCE[tsget.pl]=tsget.in
+ SCRIPTS=CA-1_1.pl tsget-1_1.pl
+ SOURCE[CA-1_1.pl]=CA.pl.in
+ SOURCE[tsget-1_1.pl]=tsget.in
ENDIF
Accepting request 1101915 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1v: * Fix excessive time spent checking DH q parameter value (bsc#1213853, CVE-2023-3817). The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped. * Fix DH_check() excessive time with over sized modulus (bsc#1213487, CVE-2023-3446). The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Rebase openssl-1_1-openssl-config.patch * Remove security patches fixed upstream: - openssl-CVE-2023-3446.patch - openssl-CVE-2023-3446-test.patch OBS-URL: https://build.opensuse.org/request/show/1101915 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=141
2023-08-02 12:03:45 +02:00
Index: openssl-1.1.1v/apps/tsget.in
===================================================================
--- openssl-1.1.1v.orig/apps/tsget.in
+++ openssl-1.1.1v/apps/tsget.in
@@ -47,7 +47,7 @@ sub create_curl {
$curl->setopt(CURLOPT_VERBOSE, 1) if $options{d};
$curl->setopt(CURLOPT_FAILONERROR, 1);
$curl->setopt(CURLOPT_USERAGENT,
- "OpenTSA tsget.pl/openssl-{- $config{version} -}");
+ "OpenTSA tsget-1_1.pl/openssl-{- $config{version} -}");
# Options for POST method.
$curl->setopt(CURLOPT_UPLOAD, 1);
Accepting request 1101915 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1v: * Fix excessive time spent checking DH q parameter value (bsc#1213853, CVE-2023-3817). The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped. * Fix DH_check() excessive time with over sized modulus (bsc#1213487, CVE-2023-3446). The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Rebase openssl-1_1-openssl-config.patch * Remove security patches fixed upstream: - openssl-CVE-2023-3446.patch - openssl-CVE-2023-3446-test.patch OBS-URL: https://build.opensuse.org/request/show/1101915 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=141
2023-08-02 12:03:45 +02:00
Index: openssl-1.1.1v/doc/HOWTO/certificates.txt
===================================================================
--- openssl-1.1.1v.orig/doc/HOWTO/certificates.txt
+++ openssl-1.1.1v/doc/HOWTO/certificates.txt
Accepting request 1063668 from home:ohollmann:branches:security:tls - Update to 1.1.1t: * Fixed X.400 address type confusion in X.509 GeneralName. There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This vulnerability may allow an attacker who can provide a certificate chain and CRL (neither of which need have a valid signature) to pass arbitrary pointers to a memcmp call, creating a possible read primitive, subject to some constraints. Refer to the advisory for more information. Thanks to David Benjamin for discovering this issue. [bsc#1207533, CVE-2023-0286] This issue has been fixed by changing the public header file definition of GENERAL_NAME so that x400Address reflects the implementation. It was not possible for any existing application to successfully use the existing definition; however, if any application references the x400Address field (e.g. in dead code), note that the type of this field has changed. There is no ABI change. * Fixed Use-after-free following BIO_new_NDEF. The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. OBS-URL: https://build.opensuse.org/request/show/1063668 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=128
2023-02-08 09:03:11 +01:00
@@ -16,7 +16,7 @@ Certificate authorities should read http
In all the cases shown below, the standard configuration file, as
compiled into openssl, will be used. You may find it in /etc/,
/usr/local/ssl/ or somewhere else. By default the file is named
-openssl.cnf and is described at https://www.openssl.org/docs/apps/config.html.
+openssl-1_1.cnf and is described at https://www.openssl.org/docs/apps/config.html.
You can specify a different configuration file using the
'-config {file}' argument with the commands shown below.
Accepting request 1101915 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1v: * Fix excessive time spent checking DH q parameter value (bsc#1213853, CVE-2023-3817). The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped. * Fix DH_check() excessive time with over sized modulus (bsc#1213487, CVE-2023-3446). The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Rebase openssl-1_1-openssl-config.patch * Remove security patches fixed upstream: - openssl-CVE-2023-3446.patch - openssl-CVE-2023-3446-test.patch OBS-URL: https://build.opensuse.org/request/show/1101915 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=141
2023-08-02 12:03:45 +02:00
Index: openssl-1.1.1v/doc/man1/CA.pl.pod
===================================================================
--- openssl-1.1.1v.orig/doc/man1/CA.pl.pod
+++ openssl-1.1.1v/doc/man1/CA.pl.pod
@@ -2,16 +2,16 @@
=head1 NAME
-CA.pl - friendlier interface for OpenSSL certificate programs
+CA-1_1.pl - friendlier interface for OpenSSL certificate programs
=head1 SYNOPSIS
-B<CA.pl>
+B<CA-1_1.pl>
B<-?> |
B<-h> |
B<-help>
-B<CA.pl>
+B<CA-1_1.pl>
B<-newcert> |
B<-newreq> |
B<-newreq-nodes> |
@@ -23,15 +23,15 @@ B<-crl> |
B<-newca>
[B<-extra-cmd> extra-params]
-B<CA.pl> B<-pkcs12> [B<-extra-pkcs12> extra-params] [B<certname>]
+B<CA-1_1.pl> B<-pkcs12> [B<-extra-pkcs12> extra-params] [B<certname>]
-B<CA.pl> B<-verify> [B<-extra-verify> extra-params] B<certfile>...
+B<CA-1_1.pl> B<-verify> [B<-extra-verify> extra-params] B<certfile>...
-B<CA.pl> B<-revoke> [B<-extra-ca> extra-params] B<certfile> [B<reason>]
+B<CA-1_1.pl> B<-revoke> [B<-extra-ca> extra-params] B<certfile> [B<reason>]
=head1 DESCRIPTION
-The B<CA.pl> script is a perl script that supplies the relevant command line
+The B<CA-1_1.pl> script is a perl script that supplies the relevant command line
arguments to the B<openssl> command for some common certificate operations.
It is intended to simplify the process of certificate creation and management
by the use of some simple options.
@@ -136,19 +136,19 @@ Users should consult B<openssl> command
Create a CA hierarchy:
- CA.pl -newca
+ CA-1_1.pl -newca
Complete certificate creation example: create a CA, create a request, sign
the request and finally create a PKCS#12 file containing it.
- CA.pl -newca
- CA.pl -newreq
- CA.pl -sign
- CA.pl -pkcs12 "My Test Certificate"
+ CA-1_1.pl -newca
+ CA-1_1.pl -newreq
+ CA-1_1.pl -sign
+ CA-1_1.pl -pkcs12 "My Test Certificate"
=head1 DSA CERTIFICATES
-Although the B<CA.pl> creates RSA CAs and requests it is still possible to
+Although the B<CA-1_1.pl> creates RSA CAs and requests it is still possible to
use it with DSA certificates and requests using the L<req(1)> command
directly. The following example shows the steps that would typically be taken.
@@ -162,7 +162,7 @@ Create a DSA CA certificate and private
Create the CA directories and files:
- CA.pl -newca
+ CA-1_1.pl -newca
enter cacert.pem when prompted for the CA filename.
@@ -173,22 +173,22 @@ can optionally be created first):
Sign the request:
- CA.pl -sign
+ CA-1_1.pl -sign
=head1 NOTES
-Most of the filenames mentioned can be modified by editing the B<CA.pl> script.
+Most of the filenames mentioned can be modified by editing the B<CA-1_1.pl> script.
If the demoCA directory already exists then the B<-newca> command will not
overwrite it and will do nothing. This can happen if a previous call using
the B<-newca> option terminated abnormally. To get the correct behaviour
delete the demoCA directory if it already exists.
-Under some environments it may not be possible to run the B<CA.pl> script
+Under some environments it may not be possible to run the B<CA-1_1.pl> script
directly (for example Win32) and the default configuration file location may
be wrong. In this case the command:
- perl -S CA.pl
+ perl -S CA-1_1.pl
can be used and the B<OPENSSL_CONF> environment variable changed to point to
the correct path of the configuration file.
Accepting request 1101915 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1v: * Fix excessive time spent checking DH q parameter value (bsc#1213853, CVE-2023-3817). The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped. * Fix DH_check() excessive time with over sized modulus (bsc#1213487, CVE-2023-3446). The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Rebase openssl-1_1-openssl-config.patch * Remove security patches fixed upstream: - openssl-CVE-2023-3446.patch - openssl-CVE-2023-3446-test.patch OBS-URL: https://build.opensuse.org/request/show/1101915 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=141
2023-08-02 12:03:45 +02:00
Index: openssl-1.1.1v/doc/man1/ca.pod
===================================================================
--- openssl-1.1.1v.orig/doc/man1/ca.pod
+++ openssl-1.1.1v/doc/man1/ca.pod
@@ -698,7 +698,7 @@ the database has to be kept in memory.
The B<ca> command really needs rewriting or the required functionality
exposed at either a command or interface level so a more friendly utility
(perl script or GUI) can handle things properly. The script
-B<CA.pl> helps a little but not very much.
+B<CA-1_1.pl> helps a little but not very much.
Any fields in a request that are not present in a policy are silently
deleted. This does not happen if the B<-preserveDN> option is used. To
@@ -754,7 +754,7 @@ are in year 2050 or later.
=head1 SEE ALSO
-L<req(1)>, L<spkac(1)>, L<x509(1)>, L<CA.pl(1)>,
+L<req(1)>, L<spkac(1)>, L<x509(1)>, L<CA-1_1.pl(1)>,
L<config(5)>, L<x509v3_config(5)>
=head1 COPYRIGHT
Accepting request 1101915 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1v: * Fix excessive time spent checking DH q parameter value (bsc#1213853, CVE-2023-3817). The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped. * Fix DH_check() excessive time with over sized modulus (bsc#1213487, CVE-2023-3446). The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Rebase openssl-1_1-openssl-config.patch * Remove security patches fixed upstream: - openssl-CVE-2023-3446.patch - openssl-CVE-2023-3446-test.patch OBS-URL: https://build.opensuse.org/request/show/1101915 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=141
2023-08-02 12:03:45 +02:00
Index: openssl-1.1.1v/doc/man1/rehash.pod
===================================================================
--- openssl-1.1.1v.orig/doc/man1/rehash.pod
+++ openssl-1.1.1v/doc/man1/rehash.pod
@@ -6,7 +6,7 @@ Original text by James Westby, contribut
=head1 NAME
openssl-c_rehash, openssl-rehash,
-c_rehash, rehash - Create symbolic links to files named by the hash values
+c_rehash-1_1, rehash - Create symbolic links to files named by the hash values
=head1 SYNOPSIS
@@ -19,13 +19,13 @@ B<[-n]>
B<[-v]>
[ I<directory>...]
-B<c_rehash>
+B<c_rehash-1_1>
I<flags...>
=head1 DESCRIPTION
-On some platforms, the OpenSSL B<rehash> command is available as
-an external script called B<c_rehash>. They are functionally equivalent,
+On some platforms, the OpenSSL B<rehash-1_1> command is available as
+an external script called B<c_rehash-1_1>. They are functionally equivalent,
except for minor differences noted below.
B<rehash> scans directories and calculates a hash value of each
@@ -66,7 +66,7 @@ more than one such object appears in the
=head2 Script Configuration
-The B<c_rehash> script
+The B<c_rehash-1_1> script
uses the B<openssl> program to compute the hashes and
fingerprints. If not found in the user's B<PATH>, then set the
B<OPENSSL> environment variable to the full pathname.
Accepting request 1101915 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1v: * Fix excessive time spent checking DH q parameter value (bsc#1213853, CVE-2023-3817). The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped. * Fix DH_check() excessive time with over sized modulus (bsc#1213487, CVE-2023-3446). The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Rebase openssl-1_1-openssl-config.patch * Remove security patches fixed upstream: - openssl-CVE-2023-3446.patch - openssl-CVE-2023-3446-test.patch OBS-URL: https://build.opensuse.org/request/show/1101915 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=141
2023-08-02 12:03:45 +02:00
Index: openssl-1.1.1v/doc/man1/tsget.pod
===================================================================
--- openssl-1.1.1v.orig/doc/man1/tsget.pod
+++ openssl-1.1.1v/doc/man1/tsget.pod
@@ -35,7 +35,7 @@ line.
The tool sends the following HTTP request for each timestamp request:
POST url HTTP/1.1
- User-Agent: OpenTSA tsget.pl/<version>
+ User-Agent: OpenTSA tsget-1_1.pl/<version>
Host: <host>:<port>
Pragma: no-cache
Content-Type: application/timestamp-query
@@ -108,7 +108,7 @@ Either option B<-C> or option B<-P> must
=item B<-P> CA_path
(HTTPS) The path containing the trusted CA certificates to verify the peer's
-certificate. The directory must be prepared with the B<c_rehash>
+certificate. The directory must be prepared with the B<c_rehash-1_1>
OpenSSL utility. Either option B<-C> or option B<-P> must be given in case of
HTTPS. (Optional)
Accepting request 1101915 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1v: * Fix excessive time spent checking DH q parameter value (bsc#1213853, CVE-2023-3817). The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped. * Fix DH_check() excessive time with over sized modulus (bsc#1213487, CVE-2023-3446). The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Rebase openssl-1_1-openssl-config.patch * Remove security patches fixed upstream: - openssl-CVE-2023-3446.patch - openssl-CVE-2023-3446-test.patch OBS-URL: https://build.opensuse.org/request/show/1101915 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=141
2023-08-02 12:03:45 +02:00
Index: openssl-1.1.1v/doc/man1/verify.pod
===================================================================
--- openssl-1.1.1v.orig/doc/man1/verify.pod
+++ openssl-1.1.1v/doc/man1/verify.pod
@@ -75,7 +75,7 @@ The file should contain one or more cert
A directory of trusted certificates. The certificates should have names
of the form: hash.0 or have symbolic links to them of this
form ("hash" is the hashed certificate subject name: see the B<-hash> option
-of the B<x509> utility). Under Unix the B<c_rehash> script will automatically
+of the B<x509> utility). Under Unix the B<c_rehash-1_1> script will automatically
create symbolic links to a directory of certificates.
=item B<-no-CAfile>
Accepting request 1101915 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1v: * Fix excessive time spent checking DH q parameter value (bsc#1213853, CVE-2023-3817). The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped. * Fix DH_check() excessive time with over sized modulus (bsc#1213487, CVE-2023-3446). The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Rebase openssl-1_1-openssl-config.patch * Remove security patches fixed upstream: - openssl-CVE-2023-3446.patch - openssl-CVE-2023-3446-test.patch OBS-URL: https://build.opensuse.org/request/show/1101915 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=141
2023-08-02 12:03:45 +02:00
Index: openssl-1.1.1v/doc/man1/x509.pod
===================================================================
--- openssl-1.1.1v.orig/doc/man1/x509.pod
+++ openssl-1.1.1v/doc/man1/x509.pod
@@ -932,7 +932,7 @@ The hash algorithm used in the B<-subjec
before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding
of the distinguished name. In OpenSSL 1.0.0 and later it is based on a
canonical version of the DN using SHA1. This means that any directories using
-the old form must have their links rebuilt using B<c_rehash> or similar.
+the old form must have their links rebuilt using B<c_rehash-1_1> or similar.
=head1 COPYRIGHT
Accepting request 1101915 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1v: * Fix excessive time spent checking DH q parameter value (bsc#1213853, CVE-2023-3817). The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped. * Fix DH_check() excessive time with over sized modulus (bsc#1213487, CVE-2023-3446). The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Rebase openssl-1_1-openssl-config.patch * Remove security patches fixed upstream: - openssl-CVE-2023-3446.patch - openssl-CVE-2023-3446-test.patch OBS-URL: https://build.opensuse.org/request/show/1101915 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=141
2023-08-02 12:03:45 +02:00
Index: openssl-1.1.1v/doc/man3/OPENSSL_config.pod
===================================================================
--- openssl-1.1.1v.orig/doc/man3/OPENSSL_config.pod
+++ openssl-1.1.1v/doc/man3/OPENSSL_config.pod
Accepting request 1063668 from home:ohollmann:branches:security:tls - Update to 1.1.1t: * Fixed X.400 address type confusion in X.509 GeneralName. There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This vulnerability may allow an attacker who can provide a certificate chain and CRL (neither of which need have a valid signature) to pass arbitrary pointers to a memcmp call, creating a possible read primitive, subject to some constraints. Refer to the advisory for more information. Thanks to David Benjamin for discovering this issue. [bsc#1207533, CVE-2023-0286] This issue has been fixed by changing the public header file definition of GENERAL_NAME so that x400Address reflects the implementation. It was not possible for any existing application to successfully use the existing definition; however, if any application references the x400Address field (e.g. in dead code), note that the type of this field has changed. There is no ABI change. * Fixed Use-after-free following BIO_new_NDEF. The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. OBS-URL: https://build.opensuse.org/request/show/1063668 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=128
2023-02-08 09:03:11 +01:00
@@ -15,7 +15,7 @@ OPENSSL_config, OPENSSL_no_config - simp
=head1 DESCRIPTION
-OPENSSL_config() configures OpenSSL using the standard B<openssl.cnf> and
+OPENSSL_config() configures OpenSSL using the standard B<openssl-1_1.cnf> and
reads from the application section B<appname>. If B<appname> is NULL then
the default section, B<openssl_conf>, will be used.
Errors are silently ignored.
Accepting request 1101915 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1v: * Fix excessive time spent checking DH q parameter value (bsc#1213853, CVE-2023-3817). The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped. * Fix DH_check() excessive time with over sized modulus (bsc#1213487, CVE-2023-3446). The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Rebase openssl-1_1-openssl-config.patch * Remove security patches fixed upstream: - openssl-CVE-2023-3446.patch - openssl-CVE-2023-3446-test.patch OBS-URL: https://build.opensuse.org/request/show/1101915 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=141
2023-08-02 12:03:45 +02:00
Index: openssl-1.1.1v/doc/man3/SSL_CTX_load_verify_locations.pod
===================================================================
--- openssl-1.1.1v.orig/doc/man3/SSL_CTX_load_verify_locations.pod
+++ openssl-1.1.1v/doc/man3/SSL_CTX_load_verify_locations.pod
@@ -63,7 +63,7 @@ If more than one CA certificate with the
extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search
is performed in the ordering of the extension number, regardless of other
properties of the certificates.
-Use the B<c_rehash> utility to create the necessary links.
+Use the B<c_rehash-1_1> utility to create the necessary links.
The certificates in B<CApath> are only looked up when required, e.g. when
building the certificate chain or when actually performing the verification
@@ -137,7 +137,7 @@ Prepare the directory /some/where/certs
for use as B<CApath>:
cd /some/where/certs
- c_rehash .
+ c_rehash-1_1 .
=head1 SEE ALSO
Accepting request 1101915 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1v: * Fix excessive time spent checking DH q parameter value (bsc#1213853, CVE-2023-3817). The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped. * Fix DH_check() excessive time with over sized modulus (bsc#1213487, CVE-2023-3446). The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Rebase openssl-1_1-openssl-config.patch * Remove security patches fixed upstream: - openssl-CVE-2023-3446.patch - openssl-CVE-2023-3446-test.patch OBS-URL: https://build.opensuse.org/request/show/1101915 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=141
2023-08-02 12:03:45 +02:00
Index: openssl-1.1.1v/doc/man5/config.pod
===================================================================
--- openssl-1.1.1v.orig/doc/man5/config.pod
+++ openssl-1.1.1v/doc/man5/config.pod
Accepting request 1063668 from home:ohollmann:branches:security:tls - Update to 1.1.1t: * Fixed X.400 address type confusion in X.509 GeneralName. There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This vulnerability may allow an attacker who can provide a certificate chain and CRL (neither of which need have a valid signature) to pass arbitrary pointers to a memcmp call, creating a possible read primitive, subject to some constraints. Refer to the advisory for more information. Thanks to David Benjamin for discovering this issue. [bsc#1207533, CVE-2023-0286] This issue has been fixed by changing the public header file definition of GENERAL_NAME so that x400Address reflects the implementation. It was not possible for any existing application to successfully use the existing definition; however, if any application references the x400Address field (e.g. in dead code), note that the type of this field has changed. There is no ABI change. * Fixed Use-after-free following BIO_new_NDEF. The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. OBS-URL: https://build.opensuse.org/request/show/1063668 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=128
2023-02-08 09:03:11 +01:00
@@ -7,7 +7,7 @@ config - OpenSSL CONF library configurat
=head1 DESCRIPTION
The OpenSSL CONF library can be used to read configuration files.
-It is used for the OpenSSL master configuration file B<openssl.cnf>
+It is used for the OpenSSL master configuration file B<openssl-1_1.cnf>
and in a few other places like B<SPKAC> files and certificate extension
files for the B<x509> utility. OpenSSL applications can also use the
CONF library for their own purposes.
Accepting request 1101915 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1v: * Fix excessive time spent checking DH q parameter value (bsc#1213853, CVE-2023-3817). The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped. * Fix DH_check() excessive time with over sized modulus (bsc#1213487, CVE-2023-3446). The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Rebase openssl-1_1-openssl-config.patch * Remove security patches fixed upstream: - openssl-CVE-2023-3446.patch - openssl-CVE-2023-3446-test.patch OBS-URL: https://build.opensuse.org/request/show/1101915 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=141
2023-08-02 12:03:45 +02:00
Index: openssl-1.1.1v/include/internal/cryptlib.h
===================================================================
--- openssl-1.1.1v.orig/include/internal/cryptlib.h
+++ openssl-1.1.1v/include/internal/cryptlib.h
Accepting request 1063668 from home:ohollmann:branches:security:tls - Update to 1.1.1t: * Fixed X.400 address type confusion in X.509 GeneralName. There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This vulnerability may allow an attacker who can provide a certificate chain and CRL (neither of which need have a valid signature) to pass arbitrary pointers to a memcmp call, creating a possible read primitive, subject to some constraints. Refer to the advisory for more information. Thanks to David Benjamin for discovering this issue. [bsc#1207533, CVE-2023-0286] This issue has been fixed by changing the public header file definition of GENERAL_NAME so that x400Address reflects the implementation. It was not possible for any existing application to successfully use the existing definition; however, if any application references the x400Address field (e.g. in dead code), note that the type of this field has changed. There is no ABI change. * Fixed Use-after-free following BIO_new_NDEF. The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. OBS-URL: https://build.opensuse.org/request/show/1063668 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=128
2023-02-08 09:03:11 +01:00
@@ -51,7 +51,7 @@ typedef struct app_mem_info_st APP_INFO;
typedef struct mem_st MEM;
DEFINE_LHASH_OF(MEM);
-# define OPENSSL_CONF "openssl.cnf"
+# define OPENSSL_CONF "openssl-1_1.cnf"
# ifndef OPENSSL_SYS_VMS
# define X509_CERT_AREA OPENSSLDIR
Accepting request 1101915 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1v: * Fix excessive time spent checking DH q parameter value (bsc#1213853, CVE-2023-3817). The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped. * Fix DH_check() excessive time with over sized modulus (bsc#1213487, CVE-2023-3446). The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Rebase openssl-1_1-openssl-config.patch * Remove security patches fixed upstream: - openssl-CVE-2023-3446.patch - openssl-CVE-2023-3446-test.patch OBS-URL: https://build.opensuse.org/request/show/1101915 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=141
2023-08-02 12:03:45 +02:00
Index: openssl-1.1.1v/test/recipes/80-test_ca.t
===================================================================
--- openssl-1.1.1v.orig/test/recipes/80-test_ca.t
+++ openssl-1.1.1v/test/recipes/80-test_ca.t
@@ -27,27 +27,27 @@ plan tests => 5;
SKIP: {
$ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "CAss.cnf").'"';
skip "failed creating CA structure", 4
- if !ok(run(perlapp(["CA.pl","-newca"], stdin => undef)),
+ if !ok(run(perlapp(["CA-1_1.pl","-newca"], stdin => undef)),
'creating CA structure');
$ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "Uss.cnf").'"';
skip "failed creating new certificate request", 3
- if !ok(run(perlapp(["CA.pl","-newreq"])),
+ if !ok(run(perlapp(["CA-1_1.pl","-newreq"])),
'creating certificate request');
$ENV{OPENSSL_CONFIG} = '-rand_serial -config "'.$std_openssl_cnf.'"';
skip "failed to sign certificate request", 2
- if !is(yes(cmdstr(perlapp(["CA.pl", "-sign"]))), 0,
+ if !is(yes(cmdstr(perlapp(["CA-1_1.pl", "-sign"]))), 0,
'signing certificate request');
- ok(run(perlapp(["CA.pl", "-verify", "newcert.pem"])),
+ ok(run(perlapp(["CA-1_1.pl", "-verify", "newcert.pem"])),
'verifying new certificate');
skip "CT not configured, can't use -precert", 1
if disabled("ct");
$ENV{OPENSSL_CONFIG} = '-config "'.srctop_file("test", "Uss.cnf").'"';
- ok(run(perlapp(["CA.pl", "-precert"], stderr => undef)),
+ ok(run(perlapp(["CA-1_1.pl", "-precert"], stderr => undef)),
'creating new pre-certificate');
}
Accepting request 1101915 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1v: * Fix excessive time spent checking DH q parameter value (bsc#1213853, CVE-2023-3817). The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped. * Fix DH_check() excessive time with over sized modulus (bsc#1213487, CVE-2023-3446). The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Rebase openssl-1_1-openssl-config.patch * Remove security patches fixed upstream: - openssl-CVE-2023-3446.patch - openssl-CVE-2023-3446-test.patch OBS-URL: https://build.opensuse.org/request/show/1101915 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=141
2023-08-02 12:03:45 +02:00
Index: openssl-1.1.1v/tools/build.info
===================================================================
--- openssl-1.1.1v.orig/tools/build.info
+++ openssl-1.1.1v/tools/build.info
@@ -1,5 +1,5 @@
{- our $c_rehash_name =
- $config{target} =~ /^(VC|vms)-/ ? "c_rehash.pl" : "c_rehash";
+ $config{target} =~ /^(VC|vms)-/ ? "c_rehash-1_1.pl" : "c_rehash-1_1";
"" -}
IF[{- !$disabled{apps} -}]
SCRIPTS={- $c_rehash_name -}
Accepting request 1101915 from home:pmonrealgonzalez:branches:security:tls - Update to 1.1.1v: * Fix excessive time spent checking DH q parameter value (bsc#1213853, CVE-2023-3817). The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped. * Fix DH_check() excessive time with over sized modulus (bsc#1213487, CVE-2023-3446). The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Rebase openssl-1_1-openssl-config.patch * Remove security patches fixed upstream: - openssl-CVE-2023-3446.patch - openssl-CVE-2023-3446-test.patch OBS-URL: https://build.opensuse.org/request/show/1101915 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=141
2023-08-02 12:03:45 +02:00
Index: openssl-1.1.1v/tools/c_rehash.in
===================================================================
--- openssl-1.1.1v.orig/tools/c_rehash.in
+++ openssl-1.1.1v/tools/c_rehash.in
@@ -8,7 +8,7 @@
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
-# Perl c_rehash script, scan all files in a directory
+# Perl c_rehash-1_1 script, scan all files in a directory
# and add symbolic links to their hash values.
my $dir = {- quotify1($config{openssldir}) -};
@@ -44,7 +44,7 @@ while ( $ARGV[0] =~ /^-/ ) {
}
sub help {
- print "Usage: c_rehash [-old] [-h] [-help] [-v] [dirs...]\n";
+ print "Usage: c_rehash-1_1 [-old] [-h] [-help] [-v] [dirs...]\n";
print " -old use old-style digest\n";
print " -h or -help print this help text\n";
print " -v print files removed and linked\n";
@@ -73,7 +73,7 @@ if (! -x $openssl) {
}
}
if ($found == 0) {
- print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n";
+ print STDERR "c_rehash-1_1: rehashing skipped ('openssl-1_1' program not available)\n";
exit 0;
}
}