- Update to 3.2.0:
* The BLAKE2b hash algorithm supports a configurable output length
by setting the "size" parameter.
* Enable extra Arm64 optimization on Windows for GHASH, RAND and
AES.
* Added a function to delete objects from store by URI -
OSSL_STORE_delete() and the corresponding provider-storemgmt API
function OSSL_FUNC_store_delete().
* Added OSSL_FUNC_store_open_ex() provider-storemgmt API function to
pass a passphrase callback when opening a store.
* Changed the default salt length used by PBES2 KDF's (PBKDF2 and
scrypt) from 8 bytes to 16 bytes. The PKCS5 (RFC 8018) standard
uses a 64 bit salt length for PBE, and recommends a minimum of 64
bits for PBES2. For FIPS compliance PBKDF2 requires a salt length
of 128 bits. This affects OpenSSL command line applications such
as "genrsa" and "pkcs8" and API's such as
PEM_write_bio_PrivateKey() that are reliant on the default value.
The additional commandline option 'saltlen' has been added to the
OpenSSL command line applications for "pkcs8" and "enc" to allow
the salt length to be set to a non default value.
* Changed the default value of the ess_cert_id_alg configuration
option which is used to calculate the TSA's public key
certificate identifier. The default algorithm is updated to be
sha256 instead of sha1.
* Added optimization for SM2 algorithm on aarch64. It uses a huge
precomputed table for point multiplication of the base point,
which increases the size of libcrypto from 4.4 MB to 4.9 MB. A
new configure option no-sm2-precomp has been added to disable the
precomputed table.
* Added client side support for QUIC
OBS-URL: https://build.opensuse.org/request/show/1129505
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=80
- Security fix: [bsc#1216922, CVE-2023-5678]
* Fix excessive time spent in DH check / generation with large Q
parameter value.
* Applications that use the functions DH_generate_key() to generate
an X9.42 DH key may experience long delays. Likewise,
applications that use DH_check_pub_key(), DH_check_pub_key_ex
() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42
DH parameters may experience long delays. Where the key or
parameters that are being checked have been obtained from an
untrusted source this may lead to a Denial of Service.
* Add openssl-CVE-2023-5678.patch
OBS-URL: https://build.opensuse.org/request/show/1126089
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=78
- Update to 3.1.2:
* Fix excessive time spent checking DH q parameter value
(bsc#1213853, CVE-2023-3817). The function DH_check() performs
various checks on DH parameters. After fixing CVE-2023-3446 it
was discovered that a large q parameter value can also trigger
an overly long computation during some of these checks. A
correct q value, if present, cannot be larger than the modulus
p parameter, thus it is unnecessary to perform these checks if
q is larger than p. If DH_check() is called with such q parameter
value, DH_CHECK_INVALID_Q_VALUE return flag is set and the
computationally intensive checks are skipped.
* Fix DH_check() excessive time with over sized modulus
(bsc#1213487, CVE-2023-3446). The function DH_check() performs
various checks on DH parameters. One of those checks confirms
that the modulus ("p" parameter) is not too large. Trying to use
a very large modulus is slow and OpenSSL will not normally use
a modulus which is over 10,000 bits in length. However the
DH_check() function checks numerous aspects of the key or
parameters that have been supplied. Some of those checks use the
supplied modulus value even if it has already been found to be
too large. A new limit has been added to DH_check of 32,768 bits.
Supplying a key/parameters with a modulus over this size will
simply cause DH_check() to fail.
* Do not ignore empty associated data entries with AES-SIV
(bsc#1213383, CVE-2023-2975). The AES-SIV algorithm allows for
authentication of multiple associated data entries along with the
encryption. To authenticate empty data the application has to call
EVP_EncryptUpdate() (or EVP_CipherUpdate()) with NULL pointer as
the output buffer and 0 as the input buffer length. The AES-SIV
implementation in OpenSSL just returns success for such call
OBS-URL: https://build.opensuse.org/request/show/1101930
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=70
- Security fix: [bsc#1213487, CVE-2023-3446]
* Fix DH_check() excessive time with over sized modulus.
* The function DH_check() performs various checks on DH parameters.
One of those checks confirms that the modulus ("p" parameter) is
not too large. Trying to use a very large modulus is slow and
OpenSSL will not normally use a modulus which is over 10,000 bits
in length.
However the DH_check() function checks numerous aspects of the
key or parameters that have been supplied. Some of those checks
use the supplied modulus value even if it has already been found
to be too large.
A new limit has been added to DH_check of 32,768 bits. Supplying
a key/parameters with a modulus over this size will simply cause
DH_check() to fail.
* Add openssl-CVE-2023-3446.patch openssl-CVE-2023-3446-test.patch
OBS-URL: https://build.opensuse.org/request/show/1099662
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=68
- Update to 3.1.0:
* Add FIPS provider configuration option to enforce the Extended Master
Secret (EMS) check during the TLS1_PRF KDF. The option '-ems-check' can
optionally be supplied to 'openssl fipsinstall'.
* The FIPS provider includes a few non-approved algorithms for backward
compatibility purposes and the "fips=yes" property query must be used for
all algorithm fetches to ensure FIPS compliance. The algorithms that are
included but not approved are Triple DES ECB, Triple DES CBC and EdDSA.
* Added support for KMAC in KBKDF.
* RNDR and RNDRRS support in provider functions to provide random number
generation for Arm CPUs (aarch64).
* s_client and s_server apps now explicitly say when the TLS version does not
include the renegotiation mechanism. This avoids confusion between that
scenario versus when the TLS version includes secure renegotiation but the
peer lacks support for it.
* AES-GCM enabled with AVX512 vAES and vPCLMULQDQ.
* The various OBJ_* functions have been made thread safe.
* Parallel dual-prime 1536/2048-bit modular exponentiation for AVX512_IFMA
capable processors.
* The functions OPENSSL_LH_stats, OPENSSL_LH_node_stats,
OPENSSL_LH_node_usage_stats, OPENSSL_LH_stats_bio,
OPENSSL_LH_node_stats_bio and OPENSSL_LH_node_usage_stats_bio are now
marked deprecated from OpenSSL 3.1 onwards and can be disabled by defining
OPENSSL_NO_DEPRECATED_3_1. The macro DEFINE_LHASH_OF is now deprecated in
favour of the macro DEFINE_LHASH_OF_EX, which omits the corresponding
type-specific function definitions for these functions regardless of
whether OPENSSL_NO_DEPRECATED_3_1 is defined. Users of DEFINE_LHASH_OF may
start receiving deprecation warnings for these functions regardless of
whether they are using them. It is recommended that users transition to the
new macro, DEFINE_LHASH_OF_EX.
OBS-URL: https://build.opensuse.org/request/show/1071820
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=57
- Update to 3.0.8:
* Fixed NULL dereference during PKCS7 data verification.
A NULL pointer can be dereferenced when signatures are being
verified on PKCS7 signed or signedAndEnveloped data. In case the hash
algorithm used for the signature is known to the OpenSSL library but
the implementation of the hash algorithm is not available the digest
initialization will fail. There is a missing check for the return
value from the initialization function which later leads to invalid
usage of the digest API most likely leading to a crash.
([bsc#1207541, CVE-2023-0401])
PKCS7 data is processed by the SMIME library calls and also by the
time stamp (TS) library calls. The TLS implementation in OpenSSL does
not call these functions however third party applications would be
affected if they call these functions to verify signatures on untrusted
data.
* Fixed X.400 address type confusion in X.509 GeneralName.
There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
but the public structure definition for GENERAL_NAME incorrectly specified
the type of the x400Address field as ASN1_TYPE. This field is subsequently
interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather
than an ASN1_STRING.
When CRL checking is enabled (i.e. the application sets the
X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to
pass arbitrary pointers to a memcmp call, enabling them to read memory
contents or enact a denial of service.
([bsc#1207533, CVE-2023-0286])
* Fixed NULL dereference validating DSA public key.
An invalid pointer dereference on read can be triggered when an
application tries to check a malformed DSA public key by the
OBS-URL: https://build.opensuse.org/request/show/1063662
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=53
- Relax the crypto-policies requirements for the regression tests
- Set OpenSSL 3.0.7 as the default openssl [bsc#1205042]
* Rename openssl-1.1.0-no-html.patch to openssl-no-html-docs.patch
* Rebase openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
* Package a copy of the original default config file called
openssl.cnf and name it as openssl-orig.cnf and warn the user
if the files differ.
* Add openssl-3-devel as conflicting with libopenssl-1_1-devel
* Remove patches:
- fix-config-in-tests.patch
- openssl-use-versioned-config.patch
- Create the openssl ca-certificates directory in case the
ca-certificates package is not installed. This directory is
required by the nodejs regression tests. [bsc#1207484]
- Compute the hmac files for FIPS 140-3 integrity checking of the
openssl shared libraries using the brp-50-generate-fips-hmac
script. Also computed for the 32bit package.
OBS-URL: https://build.opensuse.org/request/show/1062222
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=51
- Temporary disable tests test_ssl_new and test_sslapi because they are
failing in openSUSE_Tumbleweed
- Update to 3.0.7: [bsc#1204714, CVE-2022-3602,CVE-2022-3786]
* Fixed two buffer overflows in punycode decoding functions.
A buffer overrun can be triggered in X.509 certificate verification,
specifically in name constraint checking. Note that this occurs after
certificate chain signature verification and requires either a CA to
have signed the malicious certificate or for the application to continue
certificate verification despite failure to construct a path to a trusted
issuer.
In a TLS client, this can be triggered by connecting to a malicious
server. In a TLS server, this can be triggered if the server requests
client authentication and a malicious client connects.
An attacker can craft a malicious email address to overflow
an arbitrary number of bytes containing the `.` character (decimal 46)
on the stack. This buffer overflow could result in a crash (causing a
denial of service).
([CVE-2022-3786])
An attacker can craft a malicious email address to overflow four
attacker-controlled bytes on the stack. This buffer overflow could
result in a crash (causing a denial of service) or potentially remote code
execution depending on stack layout for any given platform/compiler.
([CVE-2022-3602])
* Removed all references to invalid OSSL_PKEY_PARAM_RSA names for CRT
parameters in OpenSSL code.
Applications should not use the names OSSL_PKEY_PARAM_RSA_FACTOR,
OSSL_PKEY_PARAM_RSA_EXPONENT and OSSL_PKEY_PARAM_RSA_COEFFICIENT.
Use the numbered names such as OSSL_PKEY_PARAM_RSA_FACTOR1 instead.
Using these invalid names may cause algorithms to use slower methods
OBS-URL: https://build.opensuse.org/request/show/1032747
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=47
- Update to 3.0.2: [bsc#1196877, CVE-2022-0778]
* Security fix [CVE-2022-0778]: Infinite loop for non-prime moduli
in BN_mod_sqrt() reachable when parsing certificates.
* Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK
(RFC 5489) to the list of ciphersuites providing Perfect Forward
Secrecy as required by SECLEVEL >= 3.
* Made the AES constant time code for no-asm configurations
optional due to the resulting 95% performance degradation.
The AES constant time code can be enabled, for no assembly
builds, with: ./config no-asm -DOPENSSL_AES_CONST_TIME
* Fixed PEM_write_bio_PKCS8PrivateKey() to make it possible to
use empty passphrase strings.
* The negative return value handling of the certificate
verification callback was reverted. The replacement is to set
the verification retry state with the SSL_set_retry_verify()
function.
* Rebase openssl-use-versioned-config.patch
- Keep CA_default and tsa_config1 default paths in openssl3.cnf
- Rebase patches:
* openssl-Override-default-paths-for-the-CA-directory-tree.patch
* openssl-use-versioned-config.patch
OBS-URL: https://build.opensuse.org/request/show/962003
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=38
- Update to 3.0.0 Alpha 12
* The SRP APIs have been deprecated. The old APIs do not work via
providers, and there is no EVP interface to them. Unfortunately
there is no replacement for these APIs at this time.
* Add a compile time option to prevent the caching of provider
fetched algorithms. This is enabled by including the
no-cached-fetch option at configuration time.
* Combining the Configure options no-ec and no-dh no longer
disables TLSv1.3. Typically if OpenSSL has no EC or DH algorithms
then it cannot support connections with TLSv1.3. However OpenSSL
now supports "pluggable" groups through providers.
* The undocumented function X509_certificate_type() has been
deprecated; applications can use X509_get0_pubkey() and
X509_get0_signature() to get the same information.
* Deprecated the obsolete BN_pseudo_rand() and BN_pseudo_rand_range()
functions. They are identical to BN_rand() and BN_rand_range()
respectively.
* The default key generation method for the regular 2-prime RSA keys
was changed to the FIPS 186-4 B.3.6 method (Generation of Probable
Primes with Conditions Based on Auxiliary Probable Primes). This
method is slower than the original method.
* Deprecated the BN_is_prime_ex() and BN_is_prime_fasttest_ex()
functions. They are replaced with the BN_check_prime() function
that avoids possible misuse and always uses at least 64 rounds of
the Miller-Rabin primality test.
* Deprecated EVP_MD_CTX_set_update_fn() and EVP_MD_CTX_update_fn()
as they are not useful with non-deprecated functions.
- Update to 3.0.0 Alpha 11
* Deprecated the obsolete X9.31 RSA key generation related
OBS-URL: https://build.opensuse.org/request/show/873726
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=23
* See also https://www.openssl.org/news/changelog.html
* Deprecated all the libcrypto and libssl error string loading
functions. Calling these functions is not necessary since
OpenSSL 1.1.0, as OpenSSL now loads error strings automatically.
* The functions SSL_CTX_set_tmp_dh_callback and SSL_set_tmp_dh_callback, as
well as the macros SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() have been
deprecated. These are used to set the Diffie-Hellman (DH) parameters that
are to be used by servers requiring ephemeral DH keys. Instead applications
should consider using the built-in DH parameters that are available by
calling SSL_CTX_set_dh_auto() or SSL_set_dh_auto().
* The -crypt option to the passwd command line tool has been removed.
* The -C option to the x509, dhparam, dsaparam, and ecparam commands
has been removed.
* Added several checks to X509_verify_cert() according to requirements in
RFC 5280 in case 'X509_V_FLAG_X509_STRICT' is set (which may be done by
using the CLI option '-x509_strict'):
- The basicConstraints of CA certificates must be marked critical.
- CA certificates must explicitly include the keyUsage extension.
- If a pathlenConstraint is given the key usage keyCertSign must be allowed.
- The issuer name of any certificate must not be empty.
- The subject name of CA certs, certs with keyUsage crlSign,
and certs without subjectAlternativeName must not be empty.
- If a subjectAlternativeName extension is given it must not be empty.
- The signatureAlgorithm field and the cert signature must be consistent.
- Any given authorityKeyIdentifier and any given subjectKeyIdentifier
must not be marked critical.
- The authorityKeyIdentifier must be given for X.509v3 certs
unless they are self-signed.
- The subjectKeyIdentifier must be given for all X.509v3 CA certs.
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=22
- Update to 3.0.0 Alpha 7
* Add PKCS7_get_octet_string() and PKCS7_type_is_other() to the public
interface. Their functionality remains unchanged.
* Deprecated EVP_PKEY_set_alias_type(). This function was previously
needed as a workaround to recognise SM2 keys. With OpenSSL 3.0, this key
type is internally recognised so the workaround is no longer needed.
* Deprecated EVP_PKEY_CTX_set_rsa_keygen_pubexp() & introduced
EVP_PKEY_CTX_set1_rsa_keygen_pubexp(), which is now preferred.
* Changed all "STACK" functions to be macros instead of inline functions.
Macro parameters are still checked for type safety at compile time via
helper inline functions.
* Remove the RAND_DRBG API:
The RAND_DRBG API did not fit well into the new provider concept as
implemented by EVP_RAND and EVP_RAND_CTX. The main reason is that the
RAND_DRBG API is a mixture of 'front end' and 'back end' API calls
and some of its API calls are rather low-level. This holds in particular
for the callback mechanism (RAND_DRBG_set_callbacks()).
Adding a compatibility layer to continue supporting the RAND_DRBG API as
a legacy API for a regular deprecation period turned out to come at the
price of complicating the new provider API unnecessarily. Since the
RAND_DRBG API exists only since version 1.1.1, it was decided by the OMC
to drop it entirely.
* Added the options '-crl_lastupdate' and '-crl_nextupdate' to 'openssl ca',
allowing the 'lastUpdate' and 'nextUpdate' fields in the generated CRL to
be set explicitly.
* 'PKCS12_parse' now maintains the order of the parsed certificates
when outputting them via '*ca' (rather than reversing it).
- Update openssl-DEFAULT_SUSE_cipher.patch
contained in upstream.
OBS-URL: https://build.opensuse.org/request/show/841985
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=17
- Update to 3.0.0 Alpha 6
* Allow SSL_set1_host() and SSL_add1_host() to take IP literal
addresses as well as actual hostnames. (David Woodhouse)
* The 'MinProtocol' and 'MaxProtocol' configuration commands now
silently ignore TLS protocol version bounds when configuring
DTLS-based contexts, and conversely, silently ignore DTLS protocol
version bounds when configuring TLS-based contexts. The commands
can be repeated to set bounds of both types. The same applies with
the corresponding 'min_protocol' and 'max_protocol' command-line
switches, in case some application uses both TLS and DTLS.
* SSL_CTX instances that are created for a fixed protocol version
(e.g. TLSv1_server_method()) also silently ignore version bounds.
Previously attempts to apply bounds to these protocol versions
would result in an error. Now only the 'version-flexible' SSL_CTX
instances are subject to limits in configuration files in
command-line options. (Viktor Dukhovni)
- Add lsof dependency during build to fix tests failures
- Enable test 81-test_cmp_cli.t fixed upstream
- Remove 0001-Fix-typo-for-SSL_get_peer_certificate.patch
OBS-URL: https://build.opensuse.org/request/show/826265
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=15
- Update to 3.0.0 Alpha 5
* Deprecated the 'ENGINE' API. Engines should be replaced with
providers going forward.
* Reworked the recorded ERR codes to make better space for system errors.
To distinguish them, the macro 'ERR_SYSTEM_ERROR()' indicates
if the given code is a system error (true) or an OpenSSL error (false).
* Reworked the test perl framework to better allow parallel testing.
* Added ciphertext stealing algorithms AES-128-CBC-CTS, AES-192-CBC-CTS and
AES-256-CBC-CTS to the providers. CS1, CS2 and CS3 variants are supported.
* 'Configure' has been changed to figure out the configuration target if
none is given on the command line. Consequently, the 'config' script is
now only a mere wrapper. All documentation is changed to only mention
'Configure'.
* Added a library context that applications as well as other libraries can use
to form a separate context within which libcrypto operations are performed.
- There are two ways this can be used:
1) Directly, by passing a library context to functions that take
such an argument, such as 'EVP_CIPHER_fetch' and similar algorithm
fetching functions.
2) Indirectly, by creating a new library context and then assigning
it as the new default, with 'OPENSSL_CTX_set0_default'.
- All public OpenSSL functions that take an 'OPENSSL_CTX' pointer,
apart from the functions directly related to 'OPENSSL_CTX', accept
NULL to indicate that the default library context should be used.
- Library code that changes the default library context using
'OPENSSL_CTX_set0_default' should take care to restore it with a
second call before returning to the caller.
* The security strength of SHA1 and MD5 based signatures in TLS has been
reduced. This results in SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 no longer
working at the default security level of 1 and instead requires security
OBS-URL: https://build.opensuse.org/request/show/821489
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=13
