Commit Graph

127 Commits

Author SHA256 Message Date
278e4a3148 Accepting request 909235 from security:tls:unstable
OBS-URL: https://build.opensuse.org/request/show/909235
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=29
2021-07-29 18:29:14 +00:00
dac9bbe2ba Accepting request 908852 from security:tls:unstable
OBS-URL: https://build.opensuse.org/request/show/908852
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=28
2021-07-28 10:42:52 +00:00
687459c580 Accepting request 906781 from security:tls:unstable
OBS-URL: https://build.opensuse.org/request/show/906781
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=27
2021-07-17 09:30:23 +00:00
Jason Sikes
2830ba6131 Accepting request 893363 from security:tls:unstable
OBS-URL: https://build.opensuse.org/request/show/893363
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=24
2021-05-17 22:28:37 +00:00
Jason Sikes
fc84692df0 Accepting request 873726 from security:tls:unstable
- Update to 3.0.0 Alpha 12
  * The SRP APIs have been deprecated. The old APIs do not work via
    providers, and there is no EVP interface to them. Unfortunately
    there is no replacement for these APIs at this time.
  * Add a compile time option to prevent the caching of provider
    fetched algorithms. This is enabled by including the
    no-cached-fetch option at configuration time.
  * Combining the Configure options no-ec and no-dh no longer
    disables TLSv1.3. Typically if OpenSSL has no EC or DH algorithms
    then it cannot support connections with TLSv1.3. However OpenSSL
    now supports "pluggable" groups through providers.
  * The undocumented function X509_certificate_type() has been
    deprecated; applications can use X509_get0_pubkey() and
    X509_get0_signature() to get the same information.
  * Deprecated the obsolete BN_pseudo_rand() and BN_pseudo_rand_range()
    functions. They are identical to BN_rand() and BN_rand_range()
    respectively.
  * The default key generation method for the regular 2-prime RSA keys
    was changed to the FIPS 186-4 B.3.6 method (Generation of Probable
    Primes with Conditions Based on Auxiliary Probable Primes). This
    method is slower than the original method.
  * Deprecated the BN_is_prime_ex() and BN_is_prime_fasttest_ex()
    functions. They are replaced with the BN_check_prime() function
    that avoids possible misuse and always uses at least 64 rounds of
    the Miller-Rabin primality test.
  * Deprecated EVP_MD_CTX_set_update_fn() and EVP_MD_CTX_update_fn()
    as they are not useful with non-deprecated functions.

- Update to 3.0.0 Alpha 11
  * Deprecated the obsolete X9.31 RSA key generation related

OBS-URL: https://build.opensuse.org/request/show/873726
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=23
2021-02-22 15:21:06 +00:00
037d3fe84f - Update to 3.0.0 Alpha 9
  * See also https://www.openssl.org/news/changelog.html
  * Deprecated all the libcrypto and libssl error string loading
    functions. Calling these functions is not necessary since
    OpenSSL 1.1.0, as OpenSSL now loads error strings automatically.
  * The functions SSL_CTX_set_tmp_dh_callback and SSL_set_tmp_dh_callback, as
    well as the macros SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() have been
    deprecated. These are used to set the Diffie-Hellman (DH) parameters that
    are to be used by servers requiring ephemeral DH keys. Instead applications
    should consider using the built-in DH parameters that are available by
    calling SSL_CTX_set_dh_auto() or SSL_set_dh_auto().
  * The -crypt option to the passwd command line tool has been removed.
  * The -C option to the x509, dhparam, dsaparam, and ecparam commands
    has been removed.
  * Added several checks to X509_verify_cert() according to requirements in
    RFC 5280 in case 'X509_V_FLAG_X509_STRICT' is set (which may be done by
    using the CLI option '-x509_strict'):
    - The basicConstraints of CA certificates must be marked critical.
    - CA certificates must explicitly include the keyUsage extension.
    - If a pathlenConstraint is given the key usage keyCertSign must be allowed.
    - The issuer name of any certificate must not be empty.
    - The subject name of CA certs, certs with keyUsage crlSign,
      and certs without subjectAlternativeName must not be empty.
    - If a subjectAlternativeName extension is given it must not be empty.
    - The signatureAlgorithm field and the cert signature must be consistent.
    - Any given authorityKeyIdentifier and any given subjectKeyIdentifier
      must not be marked critical.
    - The authorityKeyIdentifier must be given for X.509v3 certs
      unless they are self-signed.
    - The subjectKeyIdentifier must be given for all X.509v3 CA certs.

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=22
2020-12-17 11:11:02 +00:00
fb5273867b Accepting request 846431 from security:tls:unstable
OBS-URL: https://build.opensuse.org/request/show/846431
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=21
2020-11-06 13:11:59 +00:00
a7eccb4727 Accepting request 844996 from home:pmonrealgonzalez:branches:security:tls
  * Fix tests failing: 30-test_acvp.t and 30-test_evp.t
- Add openssl-AES_XTS.patch for ppc64, ppc64le and aarch64

OBS-URL: https://build.opensuse.org/request/show/844996
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=20
2020-10-30 09:36:36 +00:00
8a70474d1d Accepting request 844831 from home:pmonrealgonzalez:branches:security:tls
OBS-URL: https://build.opensuse.org/request/show/844831
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=19
2020-10-29 10:19:45 +00:00
Tomáš Chvátal
f44a780c3e Accepting request 842137 from home:pmonrealgonzalez:branches:security:tls
- Fix build on ppc* architectures
  * Tests failing: 30-test_acvp.t and 30-test_evp.t
  * https://github.com/openssl/openssl/pull/13133
- Add openssl-AES_XTS.patch ppc64, ppc64le and aarch64

- Re-enable test 81-test_cmp_cli.t fixed upstream

OBS-URL: https://build.opensuse.org/request/show/842137
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=18
2020-10-17 06:43:41 +00:00
Vítězslav Čížek
3008f4bc60 Accepting request 841985 from home:pmonrealgonzalez:branches:security:tls
- Update to 3.0.0 Alpha 7
  * Add PKCS7_get_octet_string() and PKCS7_type_is_other() to the public
    interface. Their functionality remains unchanged.
  * Deprecated EVP_PKEY_set_alias_type(). This function was previously
    needed as a workaround to recognise SM2 keys. With OpenSSL 3.0, this key
    type is internally recognised so the workaround is no longer needed.
  * Deprecated EVP_PKEY_CTX_set_rsa_keygen_pubexp() & introduced
    EVP_PKEY_CTX_set1_rsa_keygen_pubexp(), which is now preferred.
  * Changed all "STACK" functions to be macros instead of inline functions.
    Macro parameters are still checked for type safety at compile time via
    helper inline functions.
  * Remove the RAND_DRBG API:
    The RAND_DRBG API did not fit well into the new provider concept as
    implemented by EVP_RAND and EVP_RAND_CTX. The main reason is that the
    RAND_DRBG API is a mixture of 'front end' and 'back end' API calls
    and some of its API calls are rather low-level. This holds in particular
    for the callback mechanism (RAND_DRBG_set_callbacks()).
    Adding a compatibility layer to continue supporting the RAND_DRBG API as
    a legacy API for a regular deprecation period turned out to come at the
    price of complicating the new provider API unnecessarily. Since the
    RAND_DRBG API exists only since version 1.1.1, it was decided by the OMC
    to drop it entirely.
  * Added the options '-crl_lastupdate' and '-crl_nextupdate' to 'openssl ca',
    allowing the 'lastUpdate' and 'nextUpdate' fields in the generated CRL to
    be set explicitly.
  * 'PKCS12_parse' now maintains the order of the parsed certificates
    when outputting them via '*ca' (rather than reversing it).
- Update openssl-DEFAULT_SUSE_cipher.patch

  contained in upstream.

OBS-URL: https://build.opensuse.org/request/show/841985
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=17
2020-10-15 19:22:03 +00:00
Vítězslav Čížek
e5a0c2d0fd Accepting request 824882 from home:gmbr3:openssl
OBS-URL: https://build.opensuse.org/request/show/824882
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=16
2020-08-17 09:37:15 +00:00
Tomáš Chvátal
2d441cd663 Accepting request 826265 from home:pmonrealgonzalez:branches:security:tls
- Update to 3.0.0 Alpha 6
  * Allow SSL_set1_host() and SSL_add1_host() to take IP literal
    addresses as well as actual hostnames. (David Woodhouse)
  * The 'MinProtocol' and 'MaxProtocol' configuration commands now
    silently ignore TLS protocol version bounds when configuring
    DTLS-based contexts, and conversely, silently ignore DTLS protocol
    version bounds when configuring TLS-based contexts. The commands
    can be repeated to set bounds of both types. The same applies with
    the corresponding 'min_protocol' and 'max_protocol' command-line
    switches, in case some application uses both TLS and DTLS.
  * SSL_CTX instances that are created for a fixed protocol version
    (e.g. TLSv1_server_method()) also silently ignore version bounds.
    Previously attempts to apply bounds to these protocol versions
    would result in an error. Now only the 'version-flexible' SSL_CTX
    instances are subject to limits in configuration files in
    command-line options. (Viktor Dukhovni)
- Add lsof dependency during build to fix tests failures
- Enable test 81-test_cmp_cli.t fixed upstream
- Remove 0001-Fix-typo-for-SSL_get_peer_certificate.patch

OBS-URL: https://build.opensuse.org/request/show/826265
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=15
2020-08-13 20:20:33 +00:00
Vítězslav Čížek
bda45a31f3 - Fix linking when the deprecated SSL_get_per_certificate() is in use
  * https://github.com/openssl/openssl/pull/12468
  * add 0001-Fix-typo-for-SSL_get_peer_certificate.patch

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=14
2020-07-20 09:26:52 +00:00
Tomáš Chvátal
0a9d203a57 Accepting request 821489 from home:pmonrealgonzalez:branches:security:tls
- Update to 3.0.0 Alpha 5
  * Deprecated the 'ENGINE' API. Engines should be replaced with
    providers going forward.
  * Reworked the recorded ERR codes to make better space for system errors.
    To distinguish them, the macro 'ERR_SYSTEM_ERROR()' indicates
    if the given code is a system error (true) or an OpenSSL error (false).
  * Reworked the test perl framework to better allow parallel testing.
  * Added ciphertext stealing algorithms AES-128-CBC-CTS, AES-192-CBC-CTS and
    AES-256-CBC-CTS to the providers. CS1, CS2 and CS3 variants are supported.
  * 'Configure' has been changed to figure out the configuration target if
    none is given on the command line. Consequently, the 'config' script is
    now only a mere wrapper. All documentation is changed to only mention
    'Configure'.
  * Added a library context that applications as well as other libraries can use
    to form a separate context within which libcrypto operations are performed.
    - There are two ways this can be used:
      1) Directly, by passing a library context to functions that take
         such an argument, such as 'EVP_CIPHER_fetch' and similar algorithm
         fetching functions.
      2) Indirectly, by creating a new library context and then assigning
         it as the new default, with 'OPENSSL_CTX_set0_default'.
    - All public OpenSSL functions that take an 'OPENSSL_CTX' pointer,
      apart from the functions directly related to 'OPENSSL_CTX', accept
      NULL to indicate that the default library context should be used.
    - Library code that changes the default library context using
      'OPENSSL_CTX_set0_default' should take care to restore it with a
      second call before returning to the caller.
  * The security strength of SHA1 and MD5 based signatures in TLS has been
    reduced. This results in SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 no longer
    working at the default security level of 1 and instead requires security

OBS-URL: https://build.opensuse.org/request/show/821489
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=13
2020-07-17 11:26:23 +00:00
Tomáš Chvátal
18e44c466b Accepting request 817891 from home:vitezslav_cizek:branches:security:tls
  * general improvements to the built-in providers, the providers API and the internal plumbing and the provider-aware mechanisms for libssl
  * general improvements and fixes in the CLI apps
  * support for Automated Cryptographic Validation Protocol (ACVP) tests
  * fully pluggable TLS key exchange capability from providers
  * finalization of the Certificate Management Protocol (CMP) contribution, adding an impressive amount of tests for the new features
  * default to the newer SP800-56B compliant algorithm for RSA keygen
  * provider-rand: PRNG functionality backed by providers
  * refactored naming scheme for dispatched functions (#12222)
  * fixes for various issues
  * extended and improved test coverage
  * additions and improvements to the documentations
- Fix license: Apache-2.0

OBS-URL: https://build.opensuse.org/request/show/817891
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=12
2020-07-01 07:09:05 +00:00
Vítězslav Čížek
d257654006 Accepting request 817865 from home:vitezslav_cizek:branches:security:tls
- Update to 3.0.0 Alpha 4
  * No changelog available
- The license is now Apache-2.0
- temporarily disable broken 81-test_cmp_cli.t test
  * https://github.com/openssl/openssl/issues/12324

OBS-URL: https://build.opensuse.org/request/show/817865
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=11
2020-06-30 12:20:26 +00:00
Vítězslav Čížek
1e33ca551f Update changelogs from openssl blogs
  * general improvements to the built-in providers, the providers API and the internal plumbing and the provider-aware mechanisms for libssl;
  * general improvements and fixes in the CLI apps;
  * cleanup of the EC API:
    EC_METHOD became an internal-only concept, and functions using or returning EC_METHOD arguments have been deprecated;
    EC_POINT_make_affine() and EC_POINTs_make_affine() have been deprecated in favor of automatic internal handling of conversions when needed;
    EC_GROUP_precompute_mult(), EC_GROUP_have_precompute_mult(), and EC_KEY_precompute_mult() have been deprecated, as such precomputation data is now rarely used;
    EC_POINTs_mul() has been deprecated, as for cryptographic applications EC_POINT_mul() is enough.
  * the CMS API got support for CAdES-BES signature verification;
  * introduction of a new SSL_OP_IGNORE_UNEXPECTED_EOF option;
  * improvements to the RSA OAEP support;
  * FFDH support in the speed app;
  * CI: added external testing through the GOST engine;
  * fixes for various issues;
  * extended and improved test coverage;
  * additions and improvements to the documentations.
  * general improvements to the built-in providers, the providers API and the internal plumbing;
  * the removal of legacy API functions related to FIPS mode, replaced by new provider-based mechanisms;
  * the addition of a new cmp app for RFC 4210;
  * extended and improved test coverage;
  * improvements to the documentations;
  * fixes for various issues.

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=10
2020-06-05 12:22:29 +00:00
Vítězslav Čížek
370de93354 - Update to 3.0.0 Alpha 3
  * No changelog available

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=9
2020-06-04 20:25:17 +00:00
Tomáš Chvátal
1a7003e813 Accepting request 808417 from home:jengelh:branches:security:tls
- Use find -exec +. Replace `pwd` by simply $PWD.
- Drop Obsoletes on libopenssl1*. libopenssl3 has a new SONAME and
  does not conflict with anything previously.

OBS-URL: https://build.opensuse.org/request/show/808417
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=8
2020-05-24 07:32:32 +00:00
Vítězslav Čížek
6596d9810e - Set man page permissions to 644
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=7
2020-05-22 12:52:31 +00:00
Vítězslav Čížek
bbde3bbda5 - Fix file permissions
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=6
2020-05-21 14:09:51 +00:00
Vítězslav Čížek
e195012a52 - Update baselibs.conf
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=5
2020-05-20 14:04:31 +00:00
Vítězslav Čížek
d69e9971a8 Fix versioning
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=4
2020-05-20 13:10:34 +00:00
Vítězslav Čížek
703666d411 - Obsolete openssl 1.1
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=3
2020-05-20 12:46:55 +00:00
Vítězslav Čížek
2ca2d6a366 Accepting request 805880 from home:vitezslav_cizek:branches:security:tls
- Update to 3.0.0 Alpha 2
- drop obsolete version.patch

OBS-URL: https://build.opensuse.org/request/show/805880
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=2
2020-05-15 16:11:43 +00:00
Martin Pluskal
ce587b2631 Accepting request 796816 from home:vitezslav_cizek
enable tests

OBS-URL: https://build.opensuse.org/request/show/796816
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=1
2020-04-24 08:03:40 +00:00