Accepting request 1245244 from security:tls

OBS-URL: https://build.opensuse.org/request/show/1245244
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=37
Ana Guerrero 2025-02-12 20:30:27 +00:00 committed by Git OBS Bridge
commit e992b24c38
11 changed files with 210 additions and 328 deletions


@ -26,10 +26,10 @@ Date: Fri Jul 21 15:05:38 2023 +1000
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21511)
Index: openssl-3.2.3/crypto/evp/digest.c
Index: openssl-3.2.4/crypto/evp/digest.c
===================================================================
--- openssl-3.2.3.orig/crypto/evp/digest.c
+++ openssl-3.2.3/crypto/evp/digest.c
--- openssl-3.2.4.orig/crypto/evp/digest.c
+++ openssl-3.2.4/crypto/evp/digest.c
@@ -502,6 +502,7 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx,
return ret;
}
@ -105,10 +105,10 @@ Index: openssl-3.2.3/crypto/evp/digest.c
|| (fncnt == 0 && md->digest == NULL)) {
/*
* In order to be a consistent set of functions we either need the
Index: openssl-3.2.3/crypto/evp/legacy_sha.c
Index: openssl-3.2.4/crypto/evp/legacy_sha.c
===================================================================
--- openssl-3.2.3.orig/crypto/evp/legacy_sha.c
+++ openssl-3.2.3/crypto/evp/legacy_sha.c
--- openssl-3.2.4.orig/crypto/evp/legacy_sha.c
+++ openssl-3.2.4/crypto/evp/legacy_sha.c
@@ -37,7 +37,8 @@ static int nm##_update(EVP_MD_CTX *ctx,
} \
static int nm##_final(EVP_MD_CTX *ctx, unsigned char *md) \
@ -119,10 +119,10 @@ Index: openssl-3.2.3/crypto/evp/legacy_sha.c
}
#define IMPLEMENT_LEGACY_EVP_MD_METH_SHAKE(nm, fn, tag) \
static int nm##_init(EVP_MD_CTX *ctx) \
Index: openssl-3.2.3/crypto/sha/asm/keccak1600-armv4.pl
Index: openssl-3.2.4/crypto/sha/asm/keccak1600-armv4.pl
===================================================================
--- openssl-3.2.3.orig/crypto/sha/asm/keccak1600-armv4.pl
+++ openssl-3.2.3/crypto/sha/asm/keccak1600-armv4.pl
--- openssl-3.2.4.orig/crypto/sha/asm/keccak1600-armv4.pl
+++ openssl-3.2.4/crypto/sha/asm/keccak1600-armv4.pl
@@ -966,6 +966,8 @@ SHA3_squeeze:
stmdb sp!,{r6-r9}
@ -141,10 +141,10 @@ Index: openssl-3.2.3/crypto/sha/asm/keccak1600-armv4.pl
mov r0,r14 @ original $A_flat
bl KeccakF1600
Index: openssl-3.2.3/crypto/sha/asm/keccak1600-armv8.pl
Index: openssl-3.2.4/crypto/sha/asm/keccak1600-armv8.pl
===================================================================
--- openssl-3.2.3.orig/crypto/sha/asm/keccak1600-armv8.pl
+++ openssl-3.2.3/crypto/sha/asm/keccak1600-armv8.pl
--- openssl-3.2.4.orig/crypto/sha/asm/keccak1600-armv8.pl
+++ openssl-3.2.4/crypto/sha/asm/keccak1600-armv8.pl
@@ -483,6 +483,8 @@ SHA3_squeeze:
mov $out,x1
mov $len,x2
@ -163,10 +163,10 @@ Index: openssl-3.2.3/crypto/sha/asm/keccak1600-armv8.pl
mov x0,$A_flat
bl KeccakF1600
mov x0,$A_flat
Index: openssl-3.2.3/crypto/sha/asm/keccak1600-ppc64.pl
Index: openssl-3.2.4/crypto/sha/asm/keccak1600-ppc64.pl
===================================================================
--- openssl-3.2.3.orig/crypto/sha/asm/keccak1600-ppc64.pl
+++ openssl-3.2.3/crypto/sha/asm/keccak1600-ppc64.pl
--- openssl-3.2.4.orig/crypto/sha/asm/keccak1600-ppc64.pl
+++ openssl-3.2.4/crypto/sha/asm/keccak1600-ppc64.pl
@@ -668,6 +668,8 @@ SHA3_squeeze:
subi $out,r4,1 ; prepare for stbu
mr $len,r5
@ -184,10 +184,10 @@ Index: openssl-3.2.3/crypto/sha/asm/keccak1600-ppc64.pl
mr r3,$A_flat
bl KeccakF1600
subi r3,$A_flat,8 ; prepare for ldu
Index: openssl-3.2.3/crypto/sha/asm/keccak1600-x86_64.pl
Index: openssl-3.2.4/crypto/sha/asm/keccak1600-x86_64.pl
===================================================================
--- openssl-3.2.3.orig/crypto/sha/asm/keccak1600-x86_64.pl
+++ openssl-3.2.3/crypto/sha/asm/keccak1600-x86_64.pl
--- openssl-3.2.4.orig/crypto/sha/asm/keccak1600-x86_64.pl
+++ openssl-3.2.4/crypto/sha/asm/keccak1600-x86_64.pl
@@ -503,12 +503,12 @@ SHA3_absorb:
.size SHA3_absorb,.-SHA3_absorb
___
@ -246,10 +246,10 @@ Index: openssl-3.2.3/crypto/sha/asm/keccak1600-x86_64.pl
mov $out,%rdi
mov $len,%rcx
.byte 0xf3,0xa4 # rep movsb
Index: openssl-3.2.3/crypto/sha/keccak1600.c
Index: openssl-3.2.4/crypto/sha/keccak1600.c
===================================================================
--- openssl-3.2.3.orig/crypto/sha/keccak1600.c
+++ openssl-3.2.3/crypto/sha/keccak1600.c
--- openssl-3.2.4.orig/crypto/sha/keccak1600.c
+++ openssl-3.2.4/crypto/sha/keccak1600.c
@@ -13,7 +13,7 @@
size_t SHA3_absorb(uint64_t A[5][5], const unsigned char *inp, size_t len,
@ -298,10 +298,10 @@ Index: openssl-3.2.3/crypto/sha/keccak1600.c
}
}
#endif
Index: openssl-3.2.3/crypto/sha/sha3.c
Index: openssl-3.2.4/crypto/sha/sha3.c
===================================================================
--- openssl-3.2.3.orig/crypto/sha/sha3.c
+++ openssl-3.2.3/crypto/sha/sha3.c
--- openssl-3.2.4.orig/crypto/sha/sha3.c
+++ openssl-3.2.4/crypto/sha/sha3.c
@@ -10,12 +10,13 @@
#include <string.h>
#include "internal/sha3.h"
@ -440,10 +440,10 @@ Index: openssl-3.2.3/crypto/sha/sha3.c
return 1;
}
Index: openssl-3.2.3/doc/life-cycles/digest.dot
Index: openssl-3.2.4/doc/life-cycles/digest.dot
===================================================================
--- openssl-3.2.3.orig/doc/life-cycles/digest.dot
+++ openssl-3.2.3/doc/life-cycles/digest.dot
--- openssl-3.2.4.orig/doc/life-cycles/digest.dot
+++ openssl-3.2.4/doc/life-cycles/digest.dot
@@ -6,28 +6,30 @@ digraph digest {
initialised [label=initialised, fontcolor="#c94c4c"];
updated [label=updated, fontcolor="#c94c4c"];
@ -486,10 +486,10 @@ Index: openssl-3.2.3/doc/life-cycles/digest.dot
+ color="#034f84", fontcolor="#034f84"];
}
-
Index: openssl-3.2.3/doc/man3/EVP_DigestInit.pod
Index: openssl-3.2.4/doc/man3/EVP_DigestInit.pod
===================================================================
--- openssl-3.2.3.orig/doc/man3/EVP_DigestInit.pod
+++ openssl-3.2.3/doc/man3/EVP_DigestInit.pod
--- openssl-3.2.4.orig/doc/man3/EVP_DigestInit.pod
+++ openssl-3.2.4/doc/man3/EVP_DigestInit.pod
@@ -12,6 +12,7 @@ EVP_MD_CTX_settable_params, EVP_MD_CTX_g
EVP_MD_CTX_set_flags, EVP_MD_CTX_clear_flags, EVP_MD_CTX_test_flags,
EVP_Q_digest, EVP_Digest, EVP_DigestInit_ex2, EVP_DigestInit_ex, EVP_DigestInit,
@ -548,10 +548,10 @@ Index: openssl-3.2.3/doc/man3/EVP_DigestInit.pod
=head1 COPYRIGHT
Index: openssl-3.2.3/doc/man7/EVP_MD-BLAKE2.pod
Index: openssl-3.2.4/doc/man7/EVP_MD-BLAKE2.pod
===================================================================
--- openssl-3.2.3.orig/doc/man7/EVP_MD-BLAKE2.pod
+++ openssl-3.2.3/doc/man7/EVP_MD-BLAKE2.pod
--- openssl-3.2.4.orig/doc/man7/EVP_MD-BLAKE2.pod
+++ openssl-3.2.4/doc/man7/EVP_MD-BLAKE2.pod
@@ -25,6 +25,17 @@ Known names are "BLAKE2B-512" and "BLAKE
=back
@ -570,10 +570,10 @@ Index: openssl-3.2.3/doc/man7/EVP_MD-BLAKE2.pod
=head2 Gettable Parameters
This implementation supports the common gettable parameters described
Index: openssl-3.2.3/doc/man7/EVP_MD-SHAKE.pod
Index: openssl-3.2.4/doc/man7/EVP_MD-SHAKE.pod
===================================================================
--- openssl-3.2.3.orig/doc/man7/EVP_MD-SHAKE.pod
+++ openssl-3.2.3/doc/man7/EVP_MD-SHAKE.pod
--- openssl-3.2.4.orig/doc/man7/EVP_MD-SHAKE.pod
+++ openssl-3.2.4/doc/man7/EVP_MD-SHAKE.pod
@@ -70,8 +70,21 @@ For backwards compatibility reasons the
32 (bytes) which results in a security strength of only 128 bits. To ensure the
maximum security strength of 256 bits, the xoflen should be set to at least 64.
@ -596,10 +596,10 @@ Index: openssl-3.2.3/doc/man7/EVP_MD-SHAKE.pod
=head1 SEE ALSO
L<EVP_MD_CTX_set_params(3)>, L<provider-digest(7)>, L<OSSL_PROVIDER-default(7)>
Index: openssl-3.2.3/doc/man7/life_cycle-digest.pod
Index: openssl-3.2.4/doc/man7/life_cycle-digest.pod
===================================================================
--- openssl-3.2.3.orig/doc/man7/life_cycle-digest.pod
+++ openssl-3.2.3/doc/man7/life_cycle-digest.pod
--- openssl-3.2.4.orig/doc/man7/life_cycle-digest.pod
+++ openssl-3.2.4/doc/man7/life_cycle-digest.pod
@@ -32,6 +32,14 @@ additional input or generating output.
=item finaled
@ -852,10 +852,10 @@ Index: openssl-3.2.3/doc/man7/life_cycle-digest.pod
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Index: openssl-3.2.3/doc/man7/provider-digest.pod
Index: openssl-3.2.4/doc/man7/provider-digest.pod
===================================================================
--- openssl-3.2.3.orig/doc/man7/provider-digest.pod
+++ openssl-3.2.3/doc/man7/provider-digest.pod
--- openssl-3.2.4.orig/doc/man7/provider-digest.pod
+++ openssl-3.2.4/doc/man7/provider-digest.pod
@@ -198,8 +198,7 @@ This digest method can only handle one b
=item B<EVP_MD_FLAG_XOF>
@ -866,10 +866,10 @@ Index: openssl-3.2.3/doc/man7/provider-digest.pod
=item B<EVP_MD_FLAG_DIGALGID_NULL>
Index: openssl-3.2.3/include/crypto/evp.h
Index: openssl-3.2.4/include/crypto/evp.h
===================================================================
--- openssl-3.2.3.orig/include/crypto/evp.h
+++ openssl-3.2.3/include/crypto/evp.h
--- openssl-3.2.4.orig/include/crypto/evp.h
+++ openssl-3.2.4/include/crypto/evp.h
@@ -296,6 +296,7 @@ struct evp_md_st {
OSSL_FUNC_digest_init_fn *dinit;
OSSL_FUNC_digest_update_fn *dupdate;
@ -878,10 +878,10 @@ Index: openssl-3.2.3/include/crypto/evp.h
OSSL_FUNC_digest_digest_fn *digest;
OSSL_FUNC_digest_freectx_fn *freectx;
OSSL_FUNC_digest_dupctx_fn *dupctx;
Index: openssl-3.2.3/include/internal/sha3.h
Index: openssl-3.2.4/include/internal/sha3.h
===================================================================
--- openssl-3.2.3.orig/include/internal/sha3.h
+++ openssl-3.2.3/include/internal/sha3.h
--- openssl-3.2.4.orig/include/internal/sha3.h
+++ openssl-3.2.4/include/internal/sha3.h
@@ -22,23 +22,31 @@
typedef struct keccak_st KECCAK1600_CTX;
@ -927,10 +927,10 @@ Index: openssl-3.2.3/include/internal/sha3.h
size_t SHA3_absorb(uint64_t A[5][5], const unsigned char *inp, size_t len,
size_t r);
Index: openssl-3.2.3/include/openssl/core_dispatch.h
Index: openssl-3.2.4/include/openssl/core_dispatch.h
===================================================================
--- openssl-3.2.3.orig/include/openssl/core_dispatch.h
+++ openssl-3.2.3/include/openssl/core_dispatch.h
--- openssl-3.2.4.orig/include/openssl/core_dispatch.h
+++ openssl-3.2.4/include/openssl/core_dispatch.h
@@ -300,6 +300,7 @@ OSSL_CORE_MAKE_FUNC(int, provider_self_t
# define OSSL_FUNC_DIGEST_GETTABLE_PARAMS 11
# define OSSL_FUNC_DIGEST_SETTABLE_CTX_PARAMS 12
@ -949,10 +949,10 @@ Index: openssl-3.2.3/include/openssl/core_dispatch.h
OSSL_CORE_MAKE_FUNC(int, digest_digest,
(void *provctx, const unsigned char *in, size_t inl,
unsigned char *out, size_t *outl, size_t outsz))
Index: openssl-3.2.3/include/openssl/evp.h
Index: openssl-3.2.4/include/openssl/evp.h
===================================================================
--- openssl-3.2.3.orig/include/openssl/evp.h
+++ openssl-3.2.3/include/openssl/evp.h
--- openssl-3.2.4.orig/include/openssl/evp.h
+++ openssl-3.2.4/include/openssl/evp.h
@@ -729,8 +729,10 @@ __owur int EVP_MD_CTX_copy(EVP_MD_CTX *o
__owur int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type);
__owur int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md,
@ -966,10 +966,10 @@ Index: openssl-3.2.3/include/openssl/evp.h
__owur EVP_MD *EVP_MD_fetch(OSSL_LIB_CTX *ctx, const char *algorithm,
const char *properties);
Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
Index: openssl-3.2.4/providers/implementations/digests/sha3_prov.c
===================================================================
--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c
+++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c
--- openssl-3.2.4.orig/providers/implementations/digests/sha3_prov.c
+++ openssl-3.2.4/providers/implementations/digests/sha3_prov.c
@@ -33,10 +33,12 @@ static OSSL_FUNC_digest_update_fn keccak
static OSSL_FUNC_digest_final_fn keccak_final;
static OSSL_FUNC_digest_freectx_fn keccak_freectx;
@ -1229,16 +1229,16 @@ Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c
PROV_FUNC_SHAKE_DIGEST(shake_##bitlen, bitlen, \
SHA3_BLOCKSIZE(bitlen), SHA3_MDSIZE(bitlen), \
SHAKE_FLAGS)
Index: openssl-3.2.3/test/build.info
Index: openssl-3.2.4/test/build.info
===================================================================
--- openssl-3.2.3.orig/test/build.info
+++ openssl-3.2.3/test/build.info
--- openssl-3.2.4.orig/test/build.info
+++ openssl-3.2.4/test/build.info
@@ -63,7 +63,7 @@ IF[{- !$disabled{tests} -}]
provfetchtest prov_config_test rand_test ca_internals_test \
bio_tfo_test membio_test bio_dgram_test list_test fips_version_test \
x509_test hpke_test pairwise_fail_test nodefltctxtest \
- x509_load_cert_file_test
+ evp_xof_test x509_load_cert_file_test
- x509_load_cert_file_test bio_pw_callback_test
+ evp_xof_test x509_load_cert_file_test bio_pw_callback_test
IF[{- !$disabled{'rpk'} -}]
PROGRAMS{noinst}=rpktest
@ -1253,10 +1253,10 @@ Index: openssl-3.2.3/test/build.info
SOURCE[evp_pkey_dparams_test]=evp_pkey_dparams_test.c
INCLUDE[evp_pkey_dparams_test]=../include ../apps/include
DEPEND[evp_pkey_dparams_test]=../libcrypto libtestutil.a
Index: openssl-3.2.3/test/evp_xof_test.c
Index: openssl-3.2.4/test/evp_xof_test.c
===================================================================
--- /dev/null
+++ openssl-3.2.3/test/evp_xof_test.c
+++ openssl-3.2.4/test/evp_xof_test.c
@@ -0,0 +1,492 @@
+/*
+ * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
@ -1750,10 +1750,10 @@ Index: openssl-3.2.3/test/evp_xof_test.c
+ ADD_ALL_TESTS(shake_squeeze_dup_test, OSSL_NELEM(dupoffset_tests));
+ return 1;
+}
Index: openssl-3.2.3/test/recipes/30-test_evp_xof.t
Index: openssl-3.2.4/test/recipes/30-test_evp_xof.t
===================================================================
--- /dev/null
+++ openssl-3.2.3/test/recipes/30-test_evp_xof.t
+++ openssl-3.2.4/test/recipes/30-test_evp_xof.t
@@ -0,0 +1,12 @@
+#! /usr/bin/env perl
+# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
@ -1767,10 +1767,10 @@ Index: openssl-3.2.3/test/recipes/30-test_evp_xof.t
+use OpenSSL::Test::Simple;
+
+simple_test("test_evp_xof", "evp_xof_test");
Index: openssl-3.2.3/util/libcrypto.num
Index: openssl-3.2.4/util/libcrypto.num
===================================================================
--- openssl-3.2.3.orig/util/libcrypto.num
+++ openssl-3.2.3/util/libcrypto.num
--- openssl-3.2.4.orig/util/libcrypto.num
+++ openssl-3.2.4/util/libcrypto.num
@@ -5536,6 +5536,7 @@ X509_STORE_CTX_set_get_crl
X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION:
OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION:

BIN
openssl-3.2.3.tar.gz (Stored with Git LFS)

Binary file not shown.


@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=1Xgs
-----END PGP SIGNATURE-----

3
openssl-3.2.4.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b23ad7fd9f73e43ad1767e636040e88ba7c9e5775bfa5618436a0dd2c17c3716
size 17782746

16
openssl-3.2.4.tar.gz.asc Normal file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=HqP/
-----END PGP SIGNATURE-----


@ -1,3 +1,19 @@
-------------------------------------------------------------------
Tue Feb 11 18:21:12 UTC 2025 - Lucas Mulling <lucas.mulling@suse.com>
- Update to 3.2.4:
* Fixed RFC7250 handshakes with unauthenticated servers don't abort as
expected. [bsc#1236599, CVE-2024-12797]
* Fixed timing side-channel in ECDSA signature computation. [CVE-2024-13176]
* Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
curve parameters. [CVE-2024-9143]
- Remove patch openssl-CVE-2024-13176.patch
- Rebase patches:
* openssl-3-add_EVP_DigestSqueeze_api.patch
* openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
* openssl-FIPS-RSA-encapsulate.patch
* openssl-disable-fipsinstall.patch
-------------------------------------------------------------------
Wed Jan 22 13:15:51 UTC 2025 - Lucas Mulling <lucas.mulling@suse.com>


@ -25,7 +25,7 @@
%define livepatchable 1
Name: openssl-3
Version: 3.2.3
Version: 3.2.4
Release: 0
Summary: Secure Sockets and Transport Layer Security
License: Apache-2.0
@ -144,10 +144,6 @@ Patch64: openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch
# PATCH-FIX-UPSTREAM: Fix failing tests on ppc64 jsc#PED-10280
Patch65: openssl-3-fix-sha3-squeeze-ppc64.patch
Patch66: openssl-3-fix-quic_multistream_test.patch
# PATCH-FIX-UPSTREAM: bsc#1236136 CVE-2024-13176: Fix timing side-channel in ECDSA signature computation
Patch67: openssl-CVE-2024-13176.patch
BuildRequires: pkgconfig
# ulp-macros is available according to SUSE version.
%ifarch x86_64
@ -161,7 +157,6 @@ BuildRequires: gcc13
BuildRequires: ulp-macros
%endif
%endif
BuildRequires: pkgconfig
BuildRequires: pkgconfig(zlib)
Requires: libopenssl3 = %{version}-%{release}


@ -1,122 +0,0 @@
From 4b1cb94a734a7d4ec363ac0a215a25c181e11f65 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Wed, 15 Jan 2025 18:27:02 +0100
Subject: [PATCH] Fix timing side-channel in ECDSA signature computation
There is a timing signal of around 300 nanoseconds when the top word of
the inverted ECDSA nonce value is zero. This can happen with significant
probability only for some of the supported elliptic curves. In particular
the NIST P-521 curve is affected. To be able to measure this leak, the
attacker process must either be located in the same physical computer or
must have a very fast network connection with low latency.
Attacks on ECDSA nonce are also known as Minerva attack.
Fixes CVE-2024-13176
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26429)
(cherry picked from commit 63c40a66c5dc287485705d06122d3a6e74a6a203)
(cherry picked from commit 392dcb336405a0c94486aa6655057f59fd3a0902)
---
crypto/bn/bn_exp.c | 21 +++++++++++++++------
crypto/ec/ec_lib.c | 7 ++++---
include/crypto/bn.h | 3 +++
3 files changed, 22 insertions(+), 9 deletions(-)
diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
index b876edbfac36e..af52e2ced6914 100644
--- a/crypto/bn/bn_exp.c
+++ b/crypto/bn/bn_exp.c
@@ -606,7 +606,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top,
* out by Colin Percival,
* http://www.daemonology.net/hyperthreading-considered-harmful/)
*/
-int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx,
BN_MONT_CTX *in_mont)
{
@@ -623,10 +623,6 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
unsigned int t4 = 0;
#endif
- bn_check_top(a);
- bn_check_top(p);
- bn_check_top(m);
-
if (!BN_is_odd(m)) {
ERR_raise(ERR_LIB_BN, BN_R_CALLED_WITH_EVEN_MODULUS);
return 0;
@@ -1146,7 +1142,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
goto err;
} else
#endif
- if (!BN_from_montgomery(rr, &tmp, mont, ctx))
+ if (!bn_from_mont_fixed_top(rr, &tmp, mont, ctx))
goto err;
ret = 1;
err:
@@ -1160,6 +1156,19 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
return ret;
}
+int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx,
+ BN_MONT_CTX *in_mont)
+{
+ bn_check_top(a);
+ bn_check_top(p);
+ bn_check_top(m);
+ if (!bn_mod_exp_mont_fixed_top(rr, a, p, m, ctx, in_mont))
+ return 0;
+ bn_correct_top(rr);
+ return 1;
+}
+
int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
{
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
index c92b4dcb0ac45..a79fbb98cf6fa 100644
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@@ -21,6 +21,7 @@
#include <openssl/opensslv.h>
#include <openssl/param_build.h>
#include "crypto/ec.h"
+#include "crypto/bn.h"
#include "internal/nelem.h"
#include "ec_local.h"
@@ -1261,10 +1262,10 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r,
if (!BN_sub(e, group->order, e))
goto err;
/*-
- * Exponent e is public.
- * No need for scatter-gather or BN_FLG_CONSTTIME.
+ * Although the exponent is public we want the result to be
+ * fixed top.
*/
- if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data))
+ if (!bn_mod_exp_mont_fixed_top(r, x, e, group->order, ctx, group->mont_data))
goto err;
ret = 1;
diff --git a/include/crypto/bn.h b/include/crypto/bn.h
index 302f031c2ff1d..499e1d10efab0 100644
--- a/include/crypto/bn.h
+++ b/include/crypto/bn.h
@@ -73,6 +73,9 @@ int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words);
*/
int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
BN_MONT_CTX *mont, BN_CTX *ctx);
+int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx,
+ BN_MONT_CTX *in_mont);
int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
BN_CTX *ctx);
int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,


@ -21,11 +21,11 @@ Patch-id: 93
test/recipes/80-test_ssl_old.t | 3 +
12 files changed, 118 insertions(+), 20 deletions(-)
diff --git a/crypto/dh/dh_backend.c b/crypto/dh/dh_backend.c
index 726843fd30..24c65ca84f 100644
--- a/crypto/dh/dh_backend.c
+++ b/crypto/dh/dh_backend.c
@@ -53,6 +53,16 @@ int ossl_dh_params_fromdata(DH *dh, const OSSL_PARAM params[])
Index: openssl-3.2.4/crypto/dh/dh_backend.c
===================================================================
--- openssl-3.2.4.orig/crypto/dh/dh_backend.c
+++ openssl-3.2.4/crypto/dh/dh_backend.c
@@ -47,6 +47,16 @@ int ossl_dh_params_fromdata(DH *dh, cons
if (!dh_ffc_params_fromdata(dh, params))
return 0;
@ -42,11 +42,11 @@ index 726843fd30..24c65ca84f 100644
param_priv_len =
OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_DH_PRIV_LEN);
if (param_priv_len != NULL
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
index 0b391910d6..75581ca347 100644
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -57,13 +57,15 @@ int DH_check_params(const DH *dh, int *ret)
Index: openssl-3.2.4/crypto/dh/dh_check.c
===================================================================
--- openssl-3.2.4.orig/crypto/dh/dh_check.c
+++ openssl-3.2.4/crypto/dh/dh_check.c
@@ -57,13 +57,15 @@ int DH_check_params(const DH *dh, int *r
nid = DH_get_nid((DH *)dh);
if (nid != NID_undef)
return 1;
@ -67,11 +67,11 @@ index 0b391910d6..75581ca347 100644
}
#else
int DH_check_params(const DH *dh, int *ret)
diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c
index 204662a81c..9961f21920 100644
--- a/crypto/dh/dh_gen.c
+++ b/crypto/dh/dh_gen.c
@@ -39,18 +39,26 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
Index: openssl-3.2.4/crypto/dh/dh_gen.c
===================================================================
--- openssl-3.2.4.orig/crypto/dh/dh_gen.c
+++ openssl-3.2.4/crypto/dh/dh_gen.c
@@ -39,18 +39,26 @@ static int dh_builtin_genparams(DH *ret,
int ossl_dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits,
BN_GENCB *cb)
{
@ -100,11 +100,11 @@ index 204662a81c..9961f21920 100644
if (ret > 0)
dh->dirty_cnt++;
return ret;
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index 83773cceea..7e988368d3 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -321,8 +321,12 @@ static int generate_key(DH *dh)
Index: openssl-3.2.4/crypto/dh/dh_key.c
===================================================================
--- openssl-3.2.4.orig/crypto/dh/dh_key.c
+++ openssl-3.2.4/crypto/dh/dh_key.c
@@ -336,8 +336,12 @@ static int generate_key(DH *dh)
goto err;
} else {
#ifdef FIPS_MODULE
@ -119,7 +119,7 @@ index 83773cceea..7e988368d3 100644
#else
if (dh->params.q == NULL) {
/* secret exponent length, must satisfy 2^(l-1) <= p */
@@ -343,9 +347,7 @@ static int generate_key(DH *dh)
@@ -358,9 +362,7 @@ static int generate_key(DH *dh)
if (!BN_clear_bit(priv_key, 0))
goto err;
}
@ -130,7 +130,7 @@ index 83773cceea..7e988368d3 100644
/* Do a partial check for invalid p, q, g */
if (!ossl_ffc_params_simple_validate(dh->libctx, &dh->params,
FFC_PARAM_TYPE_DH, NULL))
@@ -361,6 +363,7 @@ static int generate_key(DH *dh)
@@ -376,6 +378,7 @@ static int generate_key(DH *dh)
priv_key))
goto err;
}
@ -138,11 +138,11 @@ index 83773cceea..7e988368d3 100644
}
}
diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c
index f201eede0d..30f90d15be 100644
--- a/crypto/dh/dh_pmeth.c
+++ b/crypto/dh/dh_pmeth.c
@@ -305,13 +305,17 @@ static DH *ffc_params_generate(OSSL_LIB_CTX *libctx, DH_PKEY_CTX *dctx,
Index: openssl-3.2.4/crypto/dh/dh_pmeth.c
===================================================================
--- openssl-3.2.4.orig/crypto/dh/dh_pmeth.c
+++ openssl-3.2.4/crypto/dh/dh_pmeth.c
@@ -303,13 +303,17 @@ static DH *ffc_params_generate(OSSL_LIB_
prime_len, subprime_len, &res,
pcb);
else
@ -163,11 +163,11 @@ index f201eede0d..30f90d15be 100644
if (rv <= 0) {
DH_free(ret);
return NULL;
diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
index 9a7dde7c66..b3e7bca5ac 100644
--- a/providers/implementations/keymgmt/dh_kmgmt.c
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
@@ -414,6 +414,11 @@ static int dh_validate(const void *keydata, int selection, int checktype)
Index: openssl-3.2.4/providers/implementations/keymgmt/dh_kmgmt.c
===================================================================
--- openssl-3.2.4.orig/providers/implementations/keymgmt/dh_kmgmt.c
+++ openssl-3.2.4/providers/implementations/keymgmt/dh_kmgmt.c
@@ -417,6 +417,11 @@ static int dh_validate(const void *keyda
if ((selection & DH_POSSIBLE_SELECTIONS) == 0)
return 1; /* nothing to validate */
@ -179,11 +179,11 @@ index 9a7dde7c66..b3e7bca5ac 100644
if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) {
/*
* Both of these functions check parameters. DH_check_params_ex()
diff --git a/test/endecode_test.c b/test/endecode_test.c
index 53385028fc..169f3ccd73 100644
--- a/test/endecode_test.c
+++ b/test/endecode_test.c
@@ -84,10 +84,10 @@ static EVP_PKEY *make_template(const char *type, OSSL_PARAM *genparams)
Index: openssl-3.2.4/test/endecode_test.c
===================================================================
--- openssl-3.2.4.orig/test/endecode_test.c
+++ openssl-3.2.4/test/endecode_test.c
@@ -84,10 +84,10 @@ static EVP_PKEY *make_template(const cha
* for testing only. Use a minimum key size of 2048 for security purposes.
*/
if (strcmp(type, "DH") == 0)
@ -196,11 +196,11 @@ index 53385028fc..169f3ccd73 100644
# endif
/*
diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c
index a7913cda4c..96a35ac1cc 100644
--- a/test/evp_libctx_test.c
+++ b/test/evp_libctx_test.c
@@ -189,7 +189,7 @@ static int do_dh_param_keygen(int tstid, const BIGNUM **bn)
Index: openssl-3.2.4/test/evp_libctx_test.c
===================================================================
--- openssl-3.2.4.orig/test/evp_libctx_test.c
+++ openssl-3.2.4/test/evp_libctx_test.c
@@ -189,7 +189,7 @@ static int do_dh_param_keygen(int tstid,
if (!TEST_ptr(gen_ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey_parm, NULL))
|| !TEST_int_gt(EVP_PKEY_keygen_init(gen_ctx), 0)
@ -209,11 +209,11 @@ index a7913cda4c..96a35ac1cc 100644
goto err;
if (expected) {
diff --git a/test/helpers/predefined_dhparams.c b/test/helpers/predefined_dhparams.c
index 4bdadc4143..e5186e4b4a 100644
--- a/test/helpers/predefined_dhparams.c
+++ b/test/helpers/predefined_dhparams.c
@@ -116,6 +116,68 @@ EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx)
Index: openssl-3.2.4/test/helpers/predefined_dhparams.c
===================================================================
--- openssl-3.2.4.orig/test/helpers/predefined_dhparams.c
+++ openssl-3.2.4/test/helpers/predefined_dhparams.c
@@ -116,6 +116,68 @@ EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libct
dhx512_q, sizeof(dhx512_q));
}
@ -282,10 +282,10 @@ index 4bdadc4143..e5186e4b4a 100644
EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libctx)
{
static unsigned char dh1024_p[] = {
diff --git a/test/helpers/predefined_dhparams.h b/test/helpers/predefined_dhparams.h
index f0e8709062..2ff6d6e721 100644
--- a/test/helpers/predefined_dhparams.h
+++ b/test/helpers/predefined_dhparams.h
Index: openssl-3.2.4/test/helpers/predefined_dhparams.h
===================================================================
--- openssl-3.2.4.orig/test/helpers/predefined_dhparams.h
+++ openssl-3.2.4/test/helpers/predefined_dhparams.h
@@ -12,6 +12,7 @@
#ifndef OPENSSL_NO_DH
EVP_PKEY *get_dh512(OSSL_LIB_CTX *libctx);
@ -294,27 +294,27 @@ index f0e8709062..2ff6d6e721 100644
EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libct);
EVP_PKEY *get_dh2048(OSSL_LIB_CTX *libctx);
EVP_PKEY *get_dh4096(OSSL_LIB_CTX *libctx);
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
index 2a459856f0..afac836fa3 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -627,10 +627,10 @@ my @smime_cms_param_tests = (
],
[ "enveloped content test streaming S/MIME format, X9.42 DH",
- [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
+ [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
"-stream", "-out", "{output}.cms",
"-recip", catfile($smdir, "smdh.pem"), "-aes128" ],
- [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
+ [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
"-in", "{output}.cms", "-out", "{output}.txt" ],
\&final_compare
]
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index 527abcea6e..e1d38b1e62 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
Index: openssl-3.2.4/test/recipes/80-test_cms.t
===================================================================
--- openssl-3.2.4.orig/test/recipes/80-test_cms.t
+++ openssl-3.2.4/test/recipes/80-test_cms.t
@@ -647,10 +647,10 @@ if ($no_fips || $old_fips) {
# Only SHA1 supported in dh_cms_encrypt()
push(@smime_cms_param_tests,
[ "enveloped content test streaming S/MIME format, X9.42 DH",
- [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
+ [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont,
"-stream", "-out", "{output}.cms",
"-recip", catfile($smdir, "smdh.pem"), "-aes128" ],
- [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
+ [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"),
"-in", "{output}.cms", "-out", "{output}.txt" ],
\&final_compare
]
Index: openssl-3.2.4/test/recipes/80-test_ssl_old.t
===================================================================
--- openssl-3.2.4.orig/test/recipes/80-test_ssl_old.t
+++ openssl-3.2.4/test/recipes/80-test_ssl_old.t
@@ -390,6 +390,9 @@ sub testssl {
skip "skipping dhe1024dsa test", 1
if ($no_dh);
@ -325,6 +325,3 @@ index 527abcea6e..e1d38b1e62 100644
ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])),
'test sslv2/sslv3 with 1024bit DHE via BIO pair');
}
--
2.41.0


@ -9,15 +9,14 @@ Patch-id: 91
providers/implementations/kem/rsa_kem.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c
index 365ae3d7d6..8a6f585d0b 100644
--- a/providers/implementations/kem/rsa_kem.c
+++ b/providers/implementations/kem/rsa_kem.c
@@ -265,6 +265,14 @@ static int rsasve_generate(PROV_RSA_CTX *prsactx,
*secretlen = nlen;
return 1;
Index: openssl-3.2.4/providers/implementations/kem/rsa_kem.c
===================================================================
--- openssl-3.2.4.orig/providers/implementations/kem/rsa_kem.c
+++ openssl-3.2.4/providers/implementations/kem/rsa_kem.c
@@ -276,6 +276,13 @@ static int rsasve_generate(PROV_RSA_CTX
return 0;
}
+
+#ifdef FIPS_MODULE
+ if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL);
@ -28,7 +27,7 @@ index 365ae3d7d6..8a6f585d0b 100644
/*
* Step (2): Generate a random byte string z of nlen bytes where
* 1 < z < n - 1
@@ -308,6 +316,13 @@ static int rsasve_recover(PROV_RSA_CTX *prsactx,
@@ -337,6 +344,13 @@ static int rsasve_recover(PROV_RSA_CTX *
return 1;
}
@ -39,9 +38,6 @@ index 365ae3d7d6..8a6f585d0b 100644
+ }
+#endif
+
/* Step (2): check the input ciphertext 'inlen' matches the nlen */
if (inlen != nlen) {
ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH);
--
2.41.0
/*
* Step (2): check the input ciphertext 'inlen' matches the nlen
* and that outlen is at least nlen bytes
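Review bot: In rsasve_recover the new `#ifdef FIPS_MODULE` guard sits after the `return 1; }` context line, which looks like the length-query exit, so a caller that only asks for the output size would still get success for an RSA key below the FIPS minimum. The older context for rsasve_generate (`*secretlen = nlen; return 1;`) suggests the same ordering there. Both function bodies start and end outside these hunks, so this is inferred from the context lines only. If the ordering is intended, say so above the guard, for example `/* FIPS: reject moduli below OPENSSL_RSA_FIPS_MIN_MODULUS_BITS; length-only queries above are not checked */`. Otherwise move the `nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8` test ahead of the query branch so both paths agree.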


@ -17,11 +17,11 @@ From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
doc/man7/OSSL_PROVIDER-FIPS.pod | 1 -
6 files changed, 10 insertions(+), 375 deletions(-)
Index: openssl-3.1.4/apps/fipsinstall.c
Index: openssl-3.2.4/apps/fipsinstall.c
===================================================================
--- openssl-3.1.4.orig/apps/fipsinstall.c
+++ openssl-3.1.4/apps/fipsinstall.c
@@ -375,6 +375,9 @@ int fipsinstall_main(int argc, char **ar
--- openssl-3.2.4.orig/apps/fipsinstall.c
+++ openssl-3.2.4/apps/fipsinstall.c
@@ -374,6 +374,9 @@ int fipsinstall_main(int argc, char **ar
EVP_MAC *mac = NULL;
CONF *conf = NULL;
@ -31,10 +31,10 @@ Index: openssl-3.1.4/apps/fipsinstall.c
if ((opts = sk_OPENSSL_STRING_new_null()) == NULL)
goto end;
Index: openssl-3.1.4/doc/man1/openssl-fipsinstall.pod.in
Index: openssl-3.2.4/doc/man1/openssl-fipsinstall.pod.in
===================================================================
--- openssl-3.1.4.orig/doc/man1/openssl-fipsinstall.pod.in
+++ openssl-3.1.4/doc/man1/openssl-fipsinstall.pod.in
--- openssl-3.2.4.orig/doc/man1/openssl-fipsinstall.pod.in
+++ openssl-3.2.4/doc/man1/openssl-fipsinstall.pod.in
@@ -8,275 +8,9 @@ openssl-fipsinstall - perform FIPS confi
=head1 SYNOPSIS
@ -312,13 +312,13 @@ Index: openssl-3.1.4/doc/man1/openssl-fipsinstall.pod.in
+Please consult the SUSE/openSUSE documentation to learn how to correctly
+enable FIPS mode.
=head1 COPYRIGHT
=head1 HISTORY
Index: openssl-3.1.4/doc/man1/openssl.pod
Index: openssl-3.2.4/doc/man1/openssl.pod
===================================================================
--- openssl-3.1.4.orig/doc/man1/openssl.pod
+++ openssl-3.1.4/doc/man1/openssl.pod
@@ -135,10 +135,6 @@ Engine (loadable module) information and
--- openssl-3.2.4.orig/doc/man1/openssl.pod
+++ openssl-3.2.4/doc/man1/openssl.pod
@@ -137,10 +137,6 @@ Engine (loadable module) information and
Error Number to Error String Conversion.
@ -329,10 +329,10 @@ Index: openssl-3.1.4/doc/man1/openssl.pod
=item B<gendsa>
Generation of DSA Private Key from Parameters. Superseded by
Index: openssl-3.1.4/doc/man5/config.pod
Index: openssl-3.2.4/doc/man5/config.pod
===================================================================
--- openssl-3.1.4.orig/doc/man5/config.pod
+++ openssl-3.1.4/doc/man5/config.pod
--- openssl-3.2.4.orig/doc/man5/config.pod
+++ openssl-3.2.4/doc/man5/config.pod
@@ -565,7 +565,6 @@ configuration files using that syntax wi
=head1 SEE ALSO
@ -341,10 +341,10 @@ Index: openssl-3.1.4/doc/man5/config.pod
L<ASN1_generate_nconf(3)>,
L<EVP_set_default_properties(3)>,
L<CONF_modules_load(3)>,
Index: openssl-3.1.4/doc/man5/fips_config.pod
Index: openssl-3.2.4/doc/man5/fips_config.pod
===================================================================
--- openssl-3.1.4.orig/doc/man5/fips_config.pod
+++ openssl-3.1.4/doc/man5/fips_config.pod
--- openssl-3.2.4.orig/doc/man5/fips_config.pod
+++ openssl-3.2.4/doc/man5/fips_config.pod
@@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration
=head1 DESCRIPTION
@ -456,11 +456,11 @@ Index: openssl-3.1.4/doc/man5/fips_config.pod
=head1 HISTORY
Index: openssl-3.1.4/doc/man7/OSSL_PROVIDER-FIPS.pod
Index: openssl-3.2.4/doc/man7/OSSL_PROVIDER-FIPS.pod
===================================================================
--- openssl-3.1.4.orig/doc/man7/OSSL_PROVIDER-FIPS.pod
+++ openssl-3.1.4/doc/man7/OSSL_PROVIDER-FIPS.pod
@@ -455,7 +455,6 @@ want to operate in a FIPS approved manne
--- openssl-3.2.4.orig/doc/man7/OSSL_PROVIDER-FIPS.pod
+++ openssl-3.2.4/doc/man7/OSSL_PROVIDER-FIPS.pod
@@ -489,7 +489,6 @@ want to operate in a FIPS approved manne
=head1 SEE ALSO