Accepting request 1128352 from home:ohollmann:branches:security:tls

- Skip SHA1 test in 20-test_dgst.t when in FIPS mode
  * Add openssl-Skip_SHA1-test-in-FIPS-mode.patch
- FIPS: add openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch
  * bsc#1190652 - Provide a service to output module name/identifier
    and version
- Sync patches with SLE:
  * Merge openssl-keep_EVP_KDF_functions_version.patch into
    openssl-1.1.1-evp-kdf.patch
  * Refresh openssl-1_1-fips-bsc1215215_fips_in_version_string.patch
  * Remove openssl-no-date.patch

OBS-URL: https://build.opensuse.org/request/show/1128352
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=152
Otto Hollmann 2023-11-23 14:31:37 +00:00 committed by Git OBS Bridge
parent 6a02bab132
commit f18ebf3adf
8 changed files with 73 additions and 56 deletions


@ -5228,14 +5228,14 @@ Index: openssl-1.1.1n/util/libcrypto.num
FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION:
FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION:
FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION:
+EVP_KDF_CTX_new_id 6590 1_1_1b EXIST::FUNCTION:
+EVP_KDF_CTX_free 6591 1_1_1b EXIST::FUNCTION:
+EVP_KDF_reset 6592 1_1_1b EXIST::FUNCTION:
+EVP_KDF_ctrl 6593 1_1_1b EXIST::FUNCTION:
+EVP_KDF_vctrl 6594 1_1_1b EXIST::FUNCTION:
+EVP_KDF_ctrl_str 6595 1_1_1b EXIST::FUNCTION:
+EVP_KDF_size 6596 1_1_1b EXIST::FUNCTION:
+EVP_KDF_derive 6597 1_1_1b EXIST::FUNCTION:
+EVP_KDF_CTX_new_id 6590 1_1_1d EXIST::FUNCTION:
+EVP_KDF_CTX_free 6591 1_1_1d EXIST::FUNCTION:
+EVP_KDF_reset 6592 1_1_1d EXIST::FUNCTION:
+EVP_KDF_ctrl 6593 1_1_1d EXIST::FUNCTION:
+EVP_KDF_vctrl 6594 1_1_1d EXIST::FUNCTION:
+EVP_KDF_ctrl_str 6595 1_1_1d EXIST::FUNCTION:
+EVP_KDF_size 6596 1_1_1d EXIST::FUNCTION:
+EVP_KDF_derive 6597 1_1_1d EXIST::FUNCTION:
Index: openssl-1.1.1n/util/private.num
===================================================================
--- openssl-1.1.1n.orig/util/private.num
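Review bot: The 1_1_1b→1_1_1d retag of the eight EVP_KDF_* rows is, if mkdef.pl behaves as in upstream 1.1.1, an ABI-visible change: that column becomes the ELF symbol-version node, so these exports move from OPENSSL_1_1_1b to OPENSSL_1_1_1d and anything linked against a libcrypto that tagged them 1_1_1b fails to load with an unresolved versioned symbol. Merging openssl-keep_EVP_KDF_functions_version.patch presumably means 1_1_1d is what SLE already ships, but the merged patch records nothing about that. I'd put one line of free text at the top of the patch file, `Keep EVP_KDF_* at 1_1_1d: this is the symbol version already shipped in SLE/openSUSE libcrypto; changing it breaks existing consumers.`, so the next refresh does not revert it to 1_1_1b. The stale `openssl-1.1.1n` path prefixes are harmless to `patch -p1` but worth refreshing to 1.1.1w while the file is being touched.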


@ -0,0 +1,23 @@
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
index cbbfab1..7576de8 100644
--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h
@@ -14,6 +14,9 @@
extern "C" {
#endif
+#define SUSE_OPENSSL_STRING_PARAM_FUNCA(x) #x
+#define SUSE_OPENSSL_STRING_PARAM_FUNCB(x) SUSE_OPENSSL_STRING_PARAM_FUNCA(x)
+
/*-
* Numeric release version identifier:
* MNNFFPPS: major minor fix patch status
@@ -40,7 +43,7 @@ extern "C" {
* major minor fix final patch/beta)
*/
# define OPENSSL_VERSION_NUMBER 0x1010117fL
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023 SUSE release " SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_RELEASE)
/*-
* The macros below are to be used for shared library (.so, .dll, ...)
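Review bot: The new OPENSSL_VERSION_TEXT unconditionally stringifies `SUSE_OPENSSL_RELEASE`, but nothing in this patch defines it and the spec hunks in this commit don't show where it is passed; since opensslv.h is an installed public header, every application that prints OPENSSL_VERSION_TEXT at its own compile time (where no -DSUSE_OPENSSL_RELEASE is in effect) gets the literal text `SUSE release SUSE_OPENSSL_RELEASE`, and inside the library build a missing define is swallowed silently the same way instead of failing. Making the suffix conditional keeps the upstream string for consumers and for an unset build, while `openssl version` and OpenSSL_version(OPENSSL_VERSION) still report the release compiled into the library itself; the `-fips` variant produced by the refreshed bsc1215215 patch needs the same treatment. A one-line comment on the two helper macros explaining the two-level expansion (so the macro's value, not its name, is stringified) would also help whoever refreshes this next.
```c
/* … unchanged: SUSE_OPENSSL_STRING_PARAM_FUNCA/B helpers … */
# define OPENSSL_VERSION_NUMBER 0x1010117fL
# ifdef SUSE_OPENSSL_RELEASE
/* Set by the package build (-DSUSE_OPENSSL_RELEASE=<release>); applications
 * including this header won't have it, so they keep the plain upstream text. */
#  define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023 SUSE release " SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_RELEASE)
# else
#  define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023"
# endif
```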


@ -35,11 +35,11 @@
* major minor fix final patch/beta)
*/
# define OPENSSL_VERSION_NUMBER 0x1010117fL
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023"
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023 SUSE release " SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_RELEASE)
+# ifdef OPENSSL_FIPS
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w-fips 11 Sep 2023"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w-fips 11 Sep 2023 SUSE release " SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_RELEASE)
+# else
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023 SUSE release " SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_RELEASE)
+# endif
/*-
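Review bot: The refreshed removal line now carries the `SUSE release` suffix, so this patch only applies after openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch; the spec hunks in this commit don't show the bsc1215215 patch's number, so I can't confirm it is ordered after Patch75, and patch order in the spec is the only thing enforcing that dependency. Both new OPENSSL_VERSION_TEXT definitions also stringify `SUSE_OPENSSL_RELEASE` unconditionally, so any consumer compiling against the installed opensslv.h without that -D gets the literal token in the string; I'd wrap the `SUSE release` suffix in `#ifdef SUSE_OPENSSL_RELEASE` in both the `-fips` and the non-FIPS branch, falling back to the plain upstream text. The #ifdef OPENSSL_FIPS block is fully inside the hunk; the comment block that follows it continues past the hunk.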


@ -1,3 +1,17 @@
-------------------------------------------------------------------
Thu Nov 23 09:43:39 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
- Skip SHA1 test in 20-test_dgst.t when in FIPS mode
* Add openssl-Skip_SHA1-test-in-FIPS-mode.patch
- FIPS: add openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch
* bsc#1190652 - Provide a service to output module name/identifier
and version
- Sync patches with SLE:
* Merge openssl-keep_EVP_KDF_functions_version.patch into
openssl-1.1.1-evp-kdf.patch
* Refresh openssl-1_1-fips-bsc1215215_fips_in_version_string.patch
* Remove openssl-no-date.patch
-------------------------------------------------------------------
Mon Nov 13 09:29:26 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>


@ -60,7 +60,6 @@ Patch3: openssl-pkgconfig.patch
Patch4: openssl-DEFAULT_SUSE_cipher.patch
Patch5: openssl-ppc64-config.patch
Patch6: openssl-riscv64-config.patch
Patch7: openssl-no-date.patch
# PATCH-FIX-UPSTREAM jsc#SLE-6126 and jsc#SLE-6129
Patch8: 0001-s390x-assembly-pack-perlasm-support.patch
Patch9: 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
@ -95,7 +94,6 @@ Patch38: openssl-1.1.1-ssh-kdf.patch
Patch40: openssl-fips-selftests_in_nonfips_mode.patch
Patch41: openssl-fips-clearerror.patch
Patch42: openssl-fips-ignore_broken_atexit_test.patch
Patch43: openssl-keep_EVP_KDF_functions_version.patch
Patch45: openssl-fips-add-SHA3-selftest.patch
Patch46: openssl-fips_selftest_upstream_drbg.patch
Patch47: openssl-unknown_dgst.patch
@ -126,15 +124,17 @@ Patch72: openssl-1_1-Optimize-AES-GCM-uarchs.patch
Patch73: openssl-FIPS-KAT-before-integrity-tests.patch
# PATCH-FIX-SUSE bsc#1182959 FIPS: Fix function and reason error codes
Patch74: openssl-1_1-FIPS-fix-error-reason-codes.patch
#PATCH-FIX-SUSE bsc#1190652 FIPS: Add release number to version string
Patch75: openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch
# PATCH-FIX-SUSE bsc#1180995 Default to RFC7919 groups in FIPS mode
Patch75: openssl-1_1-paramgen-default_to_rfc7919.patch
Patch76: openssl-1_1-paramgen-default_to_rfc7919.patch
# PATCH-FIX-SUSE bsc#1194187 bsc#1004463 Add engines section in openssl.cnf
Patch76: openssl-1_1-use-include-directive.patch
Patch77: openssl-1_1-use-include-directive.patch
# PATCH-FIX-SUSE bsc#1197280 FIPS: Additional PBKDF2 requirements for KAT
Patch77: openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch
Patch78: bsc1185319-FIPS-KAT-for-ECDSA.patch
Patch79: bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch
Patch81: openssl-1_1-shortcut-test_afalg_aes_cbc.patch
Patch78: openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch
Patch79: bsc1185319-FIPS-KAT-for-ECDSA.patch
Patch80: bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch
Patch82: openssl-1_1-shortcut-test_afalg_aes_cbc.patch
# PATCH-FIX-SUSE bsc#1190653 FIPS: Provide methods to zeroize all unprotected SSPs and key components
Patch84: openssl-1_1-Zeroization.patch
# PATCH-FIX-SUSE bsc#1190651 FIPS: Provide a service-level indicator
@ -188,6 +188,8 @@ Patch114: openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.pat
# PATCH-FIX-UPSTREAM: bsc#1216922 CVE-2023-5678 Generating excessively long X9.42 DH keys or
# checking excessively long X9.42 DH keys or parameters may be very slow
Patch115: openssl-CVE-2023-5678.patch
# PATCH-FIX-OPENSUSE skip SHA1 test in FIPS mode
Patch116: openssl-Skip_SHA1-test-in-FIPS-mode.patch
BuildRequires: jitterentropy-devel >= 3.4.0
BuildRequires: pkgconfig
BuildRequires: pkgconfig(zlib)
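Review bot: Dropping Patch7 (openssl-no-date.patch) re-enables the `built on: $date` string that util/mkbuildinf.pl compiles into libcrypto, so the library now embeds its build time; unless 1.1.1w's mkbuildinf.pl honours SOURCE_DATE_EPOCH (the removed patch was written against 1.1.1-pre1, so this is worth verifying rather than assuming) that makes the build non-reproducible and changes `openssl version -b` output, which matters for a FIPS module whose identification string this same commit is tightening. If embedding the date is intentional, a comment at the former Patch7 slot saying why the patch is no longer needed would stop it from being re-added at the next sync. Minor: the new `#PATCH-FIX-SUSE bsc#1190652` tag is the only one in the file without a space after `#`; `# PATCH-FIX-SUSE bsc#1190652 FIPS: Add release number to version string` matches the surrounding lines.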


@ -0,0 +1,15 @@
Index: openssl-1.1.1w/test/recipes/20-test_dgst.t
===================================================================
--- openssl-1.1.1w.orig/test/recipes/20-test_dgst.t
+++ openssl-1.1.1w/test/recipes/20-test_dgst.t
@@ -104,8 +105,8 @@ SKIP: {
}
SKIP: {
- skip "dgst with engine is not supported by this OpenSSL build", 1
- if disabled("engine") || disabled("dynamic-engine");
+ skip "dgst with engine is not supported by this OpenSSL build or we are in FIPS mode", 1
+ if disabled("engine") || disabled("dynamic-engine") || ($ENV{OPENSSL_FORCE_FIPS_MODE});
subtest "SHA1 generation by engine with `dgst` CLI" => sub {
plan tests => 1;
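Review bot: The new condition skips the engine SHA1 subtest whenever `$ENV{OPENSSL_FORCE_FIPS_MODE}` is truthy, which leaves the FIPS behaviour of this path unasserted rather than tested; if the expectation is that an engine-backed SHA1 `dgst` must fail under forced FIPS mode, keeping the subtest and checking for failure (`ok(!run(app([...])), "SHA1 via engine is rejected in FIPS mode")`) would catch a regression where a non-approved digest slips through, whereas a skip never fires. If skipping is really the intent, the reason belongs in a comment on the skip, e.g. `# under OPENSSL_FORCE_FIPS_MODE (SUSE) the engine's SHA1 is refused, so this subtest cannot pass` — I'm inferring that reason from the changelog, so confirm the wording. Note also that any non-empty value other than `0` counts as set (`OPENSSL_FORCE_FIPS_MODE=no` skips too); matching however the other recipes test that variable would avoid surprises. The SKIP block and the subtest body continue past the hunk.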


@ -1,24 +0,0 @@
Index: openssl-1.1.1d/util/libcrypto.num
===================================================================
--- openssl-1.1.1d.orig/util/libcrypto.num 2020-01-27 12:07:26.467151662 +0100
+++ openssl-1.1.1d/util/libcrypto.num 2020-01-27 13:18:44.456778054 +0100
@@ -4617,11 +4617,11 @@ FIPS_drbg_get_strength
FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION:
FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION:
FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION:
-EVP_KDF_CTX_new_id 6590 1_1_1b EXIST::FUNCTION:
-EVP_KDF_CTX_free 6591 1_1_1b EXIST::FUNCTION:
-EVP_KDF_reset 6592 1_1_1b EXIST::FUNCTION:
-EVP_KDF_ctrl 6593 1_1_1b EXIST::FUNCTION:
-EVP_KDF_vctrl 6594 1_1_1b EXIST::FUNCTION:
-EVP_KDF_ctrl_str 6595 1_1_1b EXIST::FUNCTION:
-EVP_KDF_size 6596 1_1_1b EXIST::FUNCTION:
-EVP_KDF_derive 6597 1_1_1b EXIST::FUNCTION:
+EVP_KDF_CTX_new_id 6590 1_1_1d EXIST::FUNCTION:
+EVP_KDF_CTX_free 6591 1_1_1d EXIST::FUNCTION:
+EVP_KDF_reset 6592 1_1_1d EXIST::FUNCTION:
+EVP_KDF_ctrl 6593 1_1_1d EXIST::FUNCTION:
+EVP_KDF_vctrl 6594 1_1_1d EXIST::FUNCTION:
+EVP_KDF_ctrl_str 6595 1_1_1d EXIST::FUNCTION:
+EVP_KDF_size 6596 1_1_1d EXIST::FUNCTION:
+EVP_KDF_derive 6597 1_1_1d EXIST::FUNCTION:


@ -1,13 +0,0 @@
Index: openssl-1.1.1-pre1/util/mkbuildinf.pl
===================================================================
--- openssl-1.1.1-pre1.orig/util/mkbuildinf.pl 2018-02-13 16:31:28.011389734 +0100
+++ openssl-1.1.1-pre1/util/mkbuildinf.pl 2018-02-13 16:31:51.539764582 +0100
@@ -28,7 +28,7 @@ print <<"END_OUTPUT";
*/
#define PLATFORM "platform: $platform"
-#define DATE "built on: $date"
+#define DATE ""
/*
* Generate compiler_flags as an array of individual characters. This is a