Accepting request 1128352 from home:ohollmann:branches:security:tls
- Skip SHA1 test in 20-test_dgst.t when in FIPS mode * Add openssl-Skip_SHA1-test-in-FIPS-mode.patch - FIPS: add openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch * bsc#1190652 - Provide a service to output module name/identifier and version - Sync patches with SLE: * Merge openssl-keep_EVP_KDF_functions_version.patch into openssl-1.1.1-evp-kdf.patch * Refresh openssl-1_1-fips-bsc1215215_fips_in_version_string.patch * Remove openssl-no-date.patch OBS-URL: https://build.opensuse.org/request/show/1128352 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=152
parent
6a02bab132
commit
f18ebf3adf
@ -5228,14 +5228,14 @@ Index: openssl-1.1.1n/util/libcrypto.num
|
|||||||
FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION:
|
FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION:
|
||||||
FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION:
|
FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION:
|
||||||
FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION:
|
FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION:
|
||||||
+EVP_KDF_CTX_new_id 6590 1_1_1b EXIST::FUNCTION:
|
+EVP_KDF_CTX_new_id 6590 1_1_1d EXIST::FUNCTION:
|
||||||
+EVP_KDF_CTX_free 6591 1_1_1b EXIST::FUNCTION:
|
+EVP_KDF_CTX_free 6591 1_1_1d EXIST::FUNCTION:
|
||||||
+EVP_KDF_reset 6592 1_1_1b EXIST::FUNCTION:
|
+EVP_KDF_reset 6592 1_1_1d EXIST::FUNCTION:
|
||||||
+EVP_KDF_ctrl 6593 1_1_1b EXIST::FUNCTION:
|
+EVP_KDF_ctrl 6593 1_1_1d EXIST::FUNCTION:
|
||||||
+EVP_KDF_vctrl 6594 1_1_1b EXIST::FUNCTION:
|
+EVP_KDF_vctrl 6594 1_1_1d EXIST::FUNCTION:
|
||||||
+EVP_KDF_ctrl_str 6595 1_1_1b EXIST::FUNCTION:
|
+EVP_KDF_ctrl_str 6595 1_1_1d EXIST::FUNCTION:
|
||||||
+EVP_KDF_size 6596 1_1_1b EXIST::FUNCTION:
|
+EVP_KDF_size 6596 1_1_1d EXIST::FUNCTION:
|
||||||
+EVP_KDF_derive 6597 1_1_1b EXIST::FUNCTION:
|
+EVP_KDF_derive 6597 1_1_1d EXIST::FUNCTION:
|
||||||
Index: openssl-1.1.1n/util/private.num
|
Index: openssl-1.1.1n/util/private.num
|
||||||
===================================================================
|
===================================================================
|
||||||
--- openssl-1.1.1n.orig/util/private.num
|
--- openssl-1.1.1n.orig/util/private.num
|
||||||
|
@ -0,0 +1,23 @@
|
|||||||
|
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
|
||||||
|
index cbbfab1..7576de8 100644
|
||||||
|
--- a/include/openssl/opensslv.h
|
||||||
|
+++ b/include/openssl/opensslv.h
|
||||||
|
@@ -14,6 +14,9 @@
|
||||||
|
extern "C" {
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+#define SUSE_OPENSSL_STRING_PARAM_FUNCA(x) #x
|
||||||
|
+#define SUSE_OPENSSL_STRING_PARAM_FUNCB(x) SUSE_OPENSSL_STRING_PARAM_FUNCA(x)
|
||||||
|
+
|
||||||
|
/*-
|
||||||
|
* Numeric release version identifier:
|
||||||
|
* MNNFFPPS: major minor fix patch status
|
||||||
|
@@ -40,7 +43,7 @@ extern "C" {
|
||||||
|
* major minor fix final patch/beta)
|
||||||
|
*/
|
||||||
|
# define OPENSSL_VERSION_NUMBER 0x1010117fL
|
||||||
|
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023"
|
||||||
|
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023 SUSE release " SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_RELEASE)
|
||||||
|
|
||||||
|
/*-
|
||||||
|
* The macros below are to be used for shared library (.so, .dll, ...)
|
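Review bot: `SUSE_OPENSSL_RELEASE` has no fallback in the added `opensslv.h` lines, so any translation unit that includes this installed public header without the macro defined gets the literal text `SUSE release SUSE_OPENSSL_RELEASE` in `OPENSSL_VERSION_TEXT`, because `SUSE_OPENSSL_STRING_PARAM_FUNCB` stringifies an undefined name as-is. For the bsc#1190652 goal of reporting the module version, the string built into the library is only right if the package build passes `-DSUSE_OPENSSL_RELEASE=...`; no spec hunk in this commit shows that flag, though it may already be set elsewhere. Applications that compare their compile-time `OPENSSL_VERSION_TEXT` with the library's runtime version string would also see a mismatch. Consider wrapping the new definition in `# ifdef SUSE_OPENSSL_RELEASE` with an `# else` branch that keeps the unsuffixed text, plus a comment above the two helper macros saying who is expected to define the release value. The same applies to both `OPENSSL_VERSION_TEXT` definitions in the refreshed openssl-1_1-fips-bsc1215215_fips_in_version_string.patch.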
@ -35,11 +35,11 @@
|
|||||||
* major minor fix final patch/beta)
|
* major minor fix final patch/beta)
|
||||||
*/
|
*/
|
||||||
# define OPENSSL_VERSION_NUMBER 0x1010117fL
|
# define OPENSSL_VERSION_NUMBER 0x1010117fL
|
||||||
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023"
|
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023 SUSE release " SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_RELEASE)
|
||||||
+# ifdef OPENSSL_FIPS
|
+# ifdef OPENSSL_FIPS
|
||||||
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w-fips 11 Sep 2023"
|
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w-fips 11 Sep 2023 SUSE release " SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_RELEASE)
|
||||||
+# else
|
+# else
|
||||||
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023"
|
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023 SUSE release " SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_RELEASE)
|
||||||
+# endif
|
+# endif
|
||||||
|
|
||||||
/*-
|
/*-
|
||||||
|
@ -1,3 +1,17 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Nov 23 09:43:39 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
|
||||||
|
|
||||||
|
- Skip SHA1 test in 20-test_dgst.t when in FIPS mode
|
||||||
|
* Add openssl-Skip_SHA1-test-in-FIPS-mode.patch
|
||||||
|
- FIPS: add openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch
|
||||||
|
* bsc#1190652 - Provide a service to output module name/identifier
|
||||||
|
and version
|
||||||
|
- Sync patches with SLE:
|
||||||
|
* Merge openssl-keep_EVP_KDF_functions_version.patch into
|
||||||
|
openssl-1.1.1-evp-kdf.patch
|
||||||
|
* Refresh openssl-1_1-fips-bsc1215215_fips_in_version_string.patch
|
||||||
|
* Remove openssl-no-date.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Nov 13 09:29:26 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
|
Mon Nov 13 09:29:26 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
|
||||||
|
|
||||||
|
@ -60,7 +60,6 @@ Patch3: openssl-pkgconfig.patch
|
|||||||
Patch4: openssl-DEFAULT_SUSE_cipher.patch
|
Patch4: openssl-DEFAULT_SUSE_cipher.patch
|
||||||
Patch5: openssl-ppc64-config.patch
|
Patch5: openssl-ppc64-config.patch
|
||||||
Patch6: openssl-riscv64-config.patch
|
Patch6: openssl-riscv64-config.patch
|
||||||
Patch7: openssl-no-date.patch
|
|
||||||
# PATCH-FIX-UPSTREAM jsc#SLE-6126 and jsc#SLE-6129
|
# PATCH-FIX-UPSTREAM jsc#SLE-6126 and jsc#SLE-6129
|
||||||
Patch8: 0001-s390x-assembly-pack-perlasm-support.patch
|
Patch8: 0001-s390x-assembly-pack-perlasm-support.patch
|
||||||
Patch9: 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
|
Patch9: 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
|
||||||
@ -95,7 +94,6 @@ Patch38: openssl-1.1.1-ssh-kdf.patch
|
|||||||
Patch40: openssl-fips-selftests_in_nonfips_mode.patch
|
Patch40: openssl-fips-selftests_in_nonfips_mode.patch
|
||||||
Patch41: openssl-fips-clearerror.patch
|
Patch41: openssl-fips-clearerror.patch
|
||||||
Patch42: openssl-fips-ignore_broken_atexit_test.patch
|
Patch42: openssl-fips-ignore_broken_atexit_test.patch
|
||||||
Patch43: openssl-keep_EVP_KDF_functions_version.patch
|
|
||||||
Patch45: openssl-fips-add-SHA3-selftest.patch
|
Patch45: openssl-fips-add-SHA3-selftest.patch
|
||||||
Patch46: openssl-fips_selftest_upstream_drbg.patch
|
Patch46: openssl-fips_selftest_upstream_drbg.patch
|
||||||
Patch47: openssl-unknown_dgst.patch
|
Patch47: openssl-unknown_dgst.patch
|
||||||
@ -126,15 +124,17 @@ Patch72: openssl-1_1-Optimize-AES-GCM-uarchs.patch
|
|||||||
Patch73: openssl-FIPS-KAT-before-integrity-tests.patch
|
Patch73: openssl-FIPS-KAT-before-integrity-tests.patch
|
||||||
# PATCH-FIX-SUSE bsc#1182959 FIPS: Fix function and reason error codes
|
# PATCH-FIX-SUSE bsc#1182959 FIPS: Fix function and reason error codes
|
||||||
Patch74: openssl-1_1-FIPS-fix-error-reason-codes.patch
|
Patch74: openssl-1_1-FIPS-fix-error-reason-codes.patch
|
||||||
|
#PATCH-FIX-SUSE bsc#1190652 FIPS: Add release number to version string
|
||||||
|
Patch75: openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch
|
||||||
# PATCH-FIX-SUSE bsc#1180995 Default to RFC7919 groups in FIPS mode
|
# PATCH-FIX-SUSE bsc#1180995 Default to RFC7919 groups in FIPS mode
|
||||||
Patch75: openssl-1_1-paramgen-default_to_rfc7919.patch
|
Patch76: openssl-1_1-paramgen-default_to_rfc7919.patch
|
||||||
# PATCH-FIX-SUSE bsc#1194187 bsc#1004463 Add engines section in openssl.cnf
|
# PATCH-FIX-SUSE bsc#1194187 bsc#1004463 Add engines section in openssl.cnf
|
||||||
Patch76: openssl-1_1-use-include-directive.patch
|
Patch77: openssl-1_1-use-include-directive.patch
|
||||||
# PATCH-FIX-SUSE bsc#1197280 FIPS: Additional PBKDF2 requirements for KAT
|
# PATCH-FIX-SUSE bsc#1197280 FIPS: Additional PBKDF2 requirements for KAT
|
||||||
Patch77: openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch
|
Patch78: openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch
|
||||||
Patch78: bsc1185319-FIPS-KAT-for-ECDSA.patch
|
Patch79: bsc1185319-FIPS-KAT-for-ECDSA.patch
|
||||||
Patch79: bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch
|
Patch80: bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch
|
||||||
Patch81: openssl-1_1-shortcut-test_afalg_aes_cbc.patch
|
Patch82: openssl-1_1-shortcut-test_afalg_aes_cbc.patch
|
||||||
# PATCH-FIX-SUSE bsc#1190653 FIPS: Provide methods to zeroize all unprotected SSPs and key components
|
# PATCH-FIX-SUSE bsc#1190653 FIPS: Provide methods to zeroize all unprotected SSPs and key components
|
||||||
Patch84: openssl-1_1-Zeroization.patch
|
Patch84: openssl-1_1-Zeroization.patch
|
||||||
# PATCH-FIX-SUSE bsc#1190651 FIPS: Provide a service-level indicator
|
# PATCH-FIX-SUSE bsc#1190651 FIPS: Provide a service-level indicator
|
||||||
@ -188,6 +188,8 @@ Patch114: openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.pat
|
|||||||
# PATCH-FIX-UPSTREAM: bsc#1216922 CVE-2023-5678 Generating excessively long X9.42 DH keys or
|
# PATCH-FIX-UPSTREAM: bsc#1216922 CVE-2023-5678 Generating excessively long X9.42 DH keys or
|
||||||
# checking excessively long X9.42 DH keys or parameters may be very slow
|
# checking excessively long X9.42 DH keys or parameters may be very slow
|
||||||
Patch115: openssl-CVE-2023-5678.patch
|
Patch115: openssl-CVE-2023-5678.patch
|
||||||
|
# PATCH-FIX-OPENSUSE skip SHA1 test in FIPS mode
|
||||||
|
Patch116: openssl-Skip_SHA1-test-in-FIPS-mode.patch
|
||||||
BuildRequires: jitterentropy-devel >= 3.4.0
|
BuildRequires: jitterentropy-devel >= 3.4.0
|
||||||
BuildRequires: pkgconfig
|
BuildRequires: pkgconfig
|
||||||
BuildRequires: pkgconfig(zlib)
|
BuildRequires: pkgconfig(zlib)
|
||||||
|
15
openssl-Skip_SHA1-test-in-FIPS-mode.patch
Normal file
15
openssl-Skip_SHA1-test-in-FIPS-mode.patch
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
Index: openssl-1.1.1w/test/recipes/20-test_dgst.t
|
||||||
|
===================================================================
|
||||||
|
--- openssl-1.1.1w.orig/test/recipes/20-test_dgst.t
|
||||||
|
+++ openssl-1.1.1w/test/recipes/20-test_dgst.t
|
||||||
|
@@ -104,8 +105,8 @@ SKIP: {
|
||||||
|
}
|
||||||
|
|
||||||
|
SKIP: {
|
||||||
|
- skip "dgst with engine is not supported by this OpenSSL build", 1
|
||||||
|
- if disabled("engine") || disabled("dynamic-engine");
|
||||||
|
+ skip "dgst with engine is not supported by this OpenSSL build or we are in FIPS mode", 1
|
||||||
|
+ if disabled("engine") || disabled("dynamic-engine") || ($ENV{OPENSSL_FORCE_FIPS_MODE});
|
||||||
|
|
||||||
|
subtest "SHA1 generation by engine with `dgst` CLI" => sub {
|
||||||
|
plan tests => 1;
|
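Review bot: The added skip condition looks only at `$ENV{OPENSSL_FORCE_FIPS_MODE}`, so the engine SHA1 subtest would still run, and presumably fail, if the library enters FIPS mode some other way, for example from system-wide configuration, if this build supports that (not visible here). The skip message now merges two unrelated reasons, so a test log no longer says whether the engine was unavailable or FIPS mode was active. A separate line such as `skip "SHA1 via engine is not run in FIPS mode", 1 if $ENV{OPENSSL_FORCE_FIPS_MODE};` would keep them distinct. A one-line comment above the condition explaining why the subtest cannot pass in FIPS mode would help whoever next refreshes this patch. The SKIP block continues past the end of the hunk.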
@ -1,24 +0,0 @@
|
|||||||
Index: openssl-1.1.1d/util/libcrypto.num
|
|
||||||
===================================================================
|
|
||||||
--- openssl-1.1.1d.orig/util/libcrypto.num 2020-01-27 12:07:26.467151662 +0100
|
|
||||||
+++ openssl-1.1.1d/util/libcrypto.num 2020-01-27 13:18:44.456778054 +0100
|
|
||||||
@@ -4617,11 +4617,11 @@ FIPS_drbg_get_strength
|
|
||||||
FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION:
|
|
||||||
FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION:
|
|
||||||
FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION:
|
|
||||||
-EVP_KDF_CTX_new_id 6590 1_1_1b EXIST::FUNCTION:
|
|
||||||
-EVP_KDF_CTX_free 6591 1_1_1b EXIST::FUNCTION:
|
|
||||||
-EVP_KDF_reset 6592 1_1_1b EXIST::FUNCTION:
|
|
||||||
-EVP_KDF_ctrl 6593 1_1_1b EXIST::FUNCTION:
|
|
||||||
-EVP_KDF_vctrl 6594 1_1_1b EXIST::FUNCTION:
|
|
||||||
-EVP_KDF_ctrl_str 6595 1_1_1b EXIST::FUNCTION:
|
|
||||||
-EVP_KDF_size 6596 1_1_1b EXIST::FUNCTION:
|
|
||||||
-EVP_KDF_derive 6597 1_1_1b EXIST::FUNCTION:
|
|
||||||
+EVP_KDF_CTX_new_id 6590 1_1_1d EXIST::FUNCTION:
|
|
||||||
+EVP_KDF_CTX_free 6591 1_1_1d EXIST::FUNCTION:
|
|
||||||
+EVP_KDF_reset 6592 1_1_1d EXIST::FUNCTION:
|
|
||||||
+EVP_KDF_ctrl 6593 1_1_1d EXIST::FUNCTION:
|
|
||||||
+EVP_KDF_vctrl 6594 1_1_1d EXIST::FUNCTION:
|
|
||||||
+EVP_KDF_ctrl_str 6595 1_1_1d EXIST::FUNCTION:
|
|
||||||
+EVP_KDF_size 6596 1_1_1d EXIST::FUNCTION:
|
|
||||||
+EVP_KDF_derive 6597 1_1_1d EXIST::FUNCTION:
|
|
@ -1,13 +0,0 @@
|
|||||||
Index: openssl-1.1.1-pre1/util/mkbuildinf.pl
|
|
||||||
===================================================================
|
|
||||||
--- openssl-1.1.1-pre1.orig/util/mkbuildinf.pl 2018-02-13 16:31:28.011389734 +0100
|
|
||||||
+++ openssl-1.1.1-pre1/util/mkbuildinf.pl 2018-02-13 16:31:51.539764582 +0100
|
|
||||||
@@ -28,7 +28,7 @@ print <<"END_OUTPUT";
|
|
||||||
*/
|
|
||||||
|
|
||||||
#define PLATFORM "platform: $platform"
|
|
||||||
-#define DATE "built on: $date"
|
|
||||||
+#define DATE ""
|
|
||||||
|
|
||||||
/*
|
|
||||||
* Generate compiler_flags as an array of individual characters. This is a
|
|