pool/openssl-3
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3597e0200f
openssl-3/openssl-crypto-policies-support.patch

36 lines
887 B
Diff
Raw Normal View History

Accepting request 1139750 from security:tls:unstable OBS-URL: https://build.opensuse.org/request/show/1139750 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=85
2024-01-18 16:17:04 +01:00
Add default section to load crypto-policies configuration for TLS.
Accepting request 949760 from security:tls:unstable OBS-URL: https://build.opensuse.org/request/show/949760 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=33
2022-01-28 20:30:29 +01:00
It needs to be reverted before running tests.
---
apps/openssl.cnf | 20 ++++++++++++++++++--
2 files changed, 19 insertions(+), 3 deletions(-)
Accepting request 1129505 from home:ohollmann:branches:security:tls - Update to 3.2.0: * The BLAKE2b hash algorithm supports a configurable output length by setting the "size" parameter. * Enable extra Arm64 optimization on Windows for GHASH, RAND and AES. * Added a function to delete objects from store by URI - OSSL_STORE_delete() and the corresponding provider-storemgmt API function OSSL_FUNC_store_delete(). * Added OSSL_FUNC_store_open_ex() provider-storemgmt API function to pass a passphrase callback when opening a store. * Changed the default salt length used by PBES2 KDF's (PBKDF2 and scrypt) from 8 bytes to 16 bytes. The PKCS5 (RFC 8018) standard uses a 64 bit salt length for PBE, and recommends a minimum of 64 bits for PBES2. For FIPS compliance PBKDF2 requires a salt length of 128 bits. This affects OpenSSL command line applications such as "genrsa" and "pkcs8" and API's such as PEM_write_bio_PrivateKey() that are reliant on the default value. The additional commandline option 'saltlen' has been added to the OpenSSL command line applications for "pkcs8" and "enc" to allow the salt length to be set to a non default value. * Changed the default value of the ess_cert_id_alg configuration option which is used to calculate the TSA's public key certificate identifier. The default algorithm is updated to be sha256 instead of sha1. * Added optimization for SM2 algorithm on aarch64. It uses a huge precomputed table for point multiplication of the base point, which increases the size of libcrypto from 4.4 MB to 4.9 MB. A new configure option no-sm2-precomp has been added to disable the precomputed table. * Added client side support for QUIC OBS-URL: https://build.opensuse.org/request/show/1129505 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=80
2023-11-28 12:04:23 +01:00
Index: openssl-3.2.0/apps/openssl.cnf
Accepting request 949760 from security:tls:unstable OBS-URL: https://build.opensuse.org/request/show/949760 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=33
2022-01-28 20:30:29 +01:00
===================================================================
Accepting request 1129505 from home:ohollmann:branches:security:tls - Update to 3.2.0: * The BLAKE2b hash algorithm supports a configurable output length by setting the "size" parameter. * Enable extra Arm64 optimization on Windows for GHASH, RAND and AES. * Added a function to delete objects from store by URI - OSSL_STORE_delete() and the corresponding provider-storemgmt API function OSSL_FUNC_store_delete(). * Added OSSL_FUNC_store_open_ex() provider-storemgmt API function to pass a passphrase callback when opening a store. * Changed the default salt length used by PBES2 KDF's (PBKDF2 and scrypt) from 8 bytes to 16 bytes. The PKCS5 (RFC 8018) standard uses a 64 bit salt length for PBE, and recommends a minimum of 64 bits for PBES2. For FIPS compliance PBKDF2 requires a salt length of 128 bits. This affects OpenSSL command line applications such as "genrsa" and "pkcs8" and API's such as PEM_write_bio_PrivateKey() that are reliant on the default value. The additional commandline option 'saltlen' has been added to the OpenSSL command line applications for "pkcs8" and "enc" to allow the salt length to be set to a non default value. * Changed the default value of the ess_cert_id_alg configuration option which is used to calculate the TSA's public key certificate identifier. The default algorithm is updated to be sha256 instead of sha1. * Added optimization for SM2 algorithm on aarch64. It uses a huge precomputed table for point multiplication of the base point, which increases the size of libcrypto from 4.4 MB to 4.9 MB. A new configure option no-sm2-precomp has been added to disable the precomputed table. * Added client side support for QUIC OBS-URL: https://build.opensuse.org/request/show/1129505 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=80
2023-11-28 12:04:23 +01:00
--- openssl-3.2.0.orig/apps/openssl.cnf
+++ openssl-3.2.0/apps/openssl.cnf
Accepting request 949760 from security:tls:unstable OBS-URL: https://build.opensuse.org/request/show/949760 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=33
2022-01-28 20:30:29 +01:00
@@ -52,6 +52,8 @@ tsa_policy3 = 1.2.3.4.5.7
[openssl_init]
providers = provider_sect
+# Load default TLS policy configuration
+ssl_conf = ssl_module
# List of providers to load
[provider_sect]
@@ -71,6 +73,13 @@ default = default_sect
[default_sect]
# activate = 1
+[ ssl_module ]
+
+system_default = crypto_policy
+
+[ crypto_policy ]
+
+.include = /etc/crypto-policies/back-ends/opensslcnf.config
####################################################################
[ ca ]
Reference in New Issue Copy Permalink