forked from pool/openssl-1_1

Accepting request 591684 from home:vitezslav_cizek:branches:security:tls

- Update to 1.1.0h
  OpenSSL Security Advisory [27 Mar 2018]
  * Constructed ASN.1 types with a recursive definition could exceed
    the stack (CVE-2018-0739) (bsc#1087102)
  * rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
    (bsc#1071906)
- refresh patches:
  * 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
  * openssl-1.1.0-fips.patch
  * openssl-pkgconfig.patch
  * openssl-rsakeygen-minimum-distance.patch
  * openssl-static-deps.patch

OBS-URL: https://build.opensuse.org/request/show/591684
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=7
Tomáš Chvátal 2018-03-27 15:20:21 +00:00 committed by Git OBS Bridge
parent 861086e436
commit d99d49a007
11 changed files with 334 additions and 319 deletions


@ -4,11 +4,11 @@ Date: Sun, 4 May 2014 23:36:54 -0400
Subject: [PATCH] Axe builtin printf implementation, use glibc instead
Index: openssl-1.1.0g/crypto/bio/b_print.c
Index: openssl-1.1.0h/crypto/bio/b_print.c
===================================================================
--- openssl-1.1.0g.orig/crypto/bio/b_print.c 2017-11-02 15:29:02.000000000 +0100
+++ openssl-1.1.0g/crypto/bio/b_print.c 2017-11-02 20:48:01.240953505 +0100
@@ -21,831 +21,6 @@
--- openssl-1.1.0h.orig/crypto/bio/b_print.c 2018-03-27 15:50:37.000000000 +0200
+++ openssl-1.1.0h/crypto/bio/b_print.c 2018-03-27 16:31:15.425784205 +0200
@@ -21,830 +21,6 @@
* on all source code distributions.
*/
@ -656,7 +656,7 @@ Index: openssl-1.1.0g/crypto/bio/b_print.c
- iconvert[iplace++] = "0123456789"[intpart % 10];
- intpart = (intpart / 10);
- } while (intpart && (iplace < (int)sizeof(iconvert)));
- if (iplace == sizeof iconvert)
- if (iplace == sizeof(iconvert))
- iplace--;
- iconvert[iplace] = 0;
-
@ -674,7 +674,7 @@ Index: openssl-1.1.0g/crypto/bio/b_print.c
- fracpart = (fracpart / 10);
- }
-
- if (fplace == sizeof fconvert)
- if (fplace == sizeof(fconvert))
- fplace--;
- fconvert[fplace] = 0;
-
@ -836,11 +836,10 @@ Index: openssl-1.1.0g/crypto/bio/b_print.c
-}
-
-/***************************************************************************/
-
int BIO_printf(BIO *bio, const char *format, ...)
{
va_list args;
@@ -859,30 +34,36 @@ int BIO_printf(BIO *bio, const char *for
@@ -859,30 +35,36 @@ int BIO_printf(BIO *bio, const char *for
return (ret);
}
@ -898,7 +897,7 @@ Index: openssl-1.1.0g/crypto/bio/b_print.c
return (ret);
}
@@ -898,29 +79,21 @@ int BIO_snprintf(char *buf, size_t n, co
@@ -898,29 +80,21 @@ int BIO_snprintf(char *buf, size_t n, co
int ret;
va_start(args, format);
@ -936,10 +935,10 @@ Index: openssl-1.1.0g/crypto/bio/b_print.c
- return (retlen <= INT_MAX) ? (int)retlen : -1;
+ return (ret);
}
Index: openssl-1.1.0g/test/bioprinttest.c
Index: openssl-1.1.0h/test/bioprinttest.c
===================================================================
--- openssl-1.1.0g.orig/test/bioprinttest.c 2017-11-02 15:29:05.000000000 +0100
+++ openssl-1.1.0g/test/bioprinttest.c 2017-11-02 20:45:03.446174264 +0100
--- openssl-1.1.0h.orig/test/bioprinttest.c 2018-03-27 15:50:40.000000000 +0200
+++ openssl-1.1.0h/test/bioprinttest.c 2018-03-27 16:30:23.096947435 +0200
@@ -200,13 +200,6 @@ int main(int argc, char **argv)
dofptest(test++, 66666.0 + frac, width, prec, &fail);
}
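Review bot: The last b_print.c hunk of the refreshed patch replaces `return (retlen <= INT_MAX) ? (int)retlen : -1;` with `return (ret);`, and the lines that compute `ret` are cut off by the outer hunk, so it is not visible whether truncation is still reported as -1. glibc's vsnprintf returns the length that would have been written, whereas the removed OpenSSL code returned -1 when the output did not fit, and callers of BIO_snprintf/BIO_vsnprintf may rely on that. If the hidden lines do not already do it, the return should be guarded with `if (ret < 0 || (size_t)ret >= n) return -1;`. The same patch also drops lines from test/bioprinttest.c (`@@ -200,13 +200,6 @@`), so a sentence in the patch header saying which format cases are no longer tested, and why, would help the next refresh.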

File diff suppressed because it is too large Load Diff


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:de4d501267da39310905cb6dc8c6121f7a2cad45a7707f76df828fe1b85073af
size 5404748


@ -1,10 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEcBAABCAAGBQJZ+yu1AAoJENnE0m0OYESRZaAH/RYgVpfSwQA/GzxR7BBTU/kT
nhAwrDzCZyZe6UhWJHIvZhWira3+NEMmJRWgxfLRmoO5+8Jo07Ayz6iI9K6j32Hf
NshzdUNerBy1xsvb8Z+mFPu8EPbmOrILJx1TQez4oLbFNDYDDaBXL/z+3H8ffKab
wfdVeJ3Qj3XKUi8v+FncSYn5jlzIlMVhOLLEJjgWbA+YP7WXbWveRf2oBEwVJ/ej
zcgrgJ6iyCXO7xP5t4Y2OzWpJKopflFz9uR7TwA5tanKibnG6GIoHCGf+mtBtU7t
zVMQh8+QnJyGy1qe9QnYrFksP9Fcb0qjMZMB6/DLqJ07t27TkXTB9fIAgElcmK8=
=i4gh
-----END PGP SIGNATURE-----

3
openssl-1.1.0h.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5835626cde9e99656585fc7aaa2302a73a7e1340bf8c14fd635a62c66802a517
size 5422717

10
openssl-1.1.0h.tar.gz.asc Normal file

@ -0,0 +1,10 @@
-----BEGIN PGP SIGNATURE-----
iQEcBAABCAAGBQJaukw0AAoJENnE0m0OYESRNZoH/jP9DGnLUsEr58XUE1w+q+P/
JXF/yaBr1LUx9e599zlVNkLyNsqIN0mVfMDgdnjefIwrEGBVBh9YdeNeeZ9Lnhc4
PQCN4vzjUcNv7Jo2DSPmuVoUikntIYM4thrBQuVt031h1+1NQmDpcmU8SESFpM5H
A7N6+p/i/ow5g2G/uqc+Wqy/Jdgwtkq+UPHvxajE7pVLhtY+ue5gU3f6Jb8odTdV
VT1QNzaStN40WiUIHtrykB3F8eg5BvwkmLUqbruy9IEEtYoJvxALVLD1B7t047Tf
Ti1AQ4Ld+NNxbhZeeYMeXTAog3w3DudsSQoOmIN2TiAR6WK44XlS/lu9lK/mFpo=
=SK44
-----END PGP SIGNATURE-----


@ -1,3 +1,19 @@
-------------------------------------------------------------------
Tue Mar 27 14:42:36 UTC 2018 - vcizek@suse.com
- Update to 1.1.0h
OpenSSL Security Advisory [27 Mar 2018]
* Constructed ASN.1 types with a recursive definition could exceed
the stack (CVE-2018-0739) (bsc#1087102)
* rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
(bsc#1071906)
- refresh patches:
* 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
* openssl-1.1.0-fips.patch
* openssl-pkgconfig.patch
* openssl-rsakeygen-minimum-distance.patch
* openssl-static-deps.patch
-------------------------------------------------------------------
Tue Feb 27 20:13:14 UTC 2018 - dimstar@opensuse.org


@ -20,7 +20,7 @@
%define maj_min 1.1
%define _rname openssl
Name: openssl-1_1
Version: 1.1.0g
Version: 1.1.0h
Release: 0
Summary: Secure Sockets and Transport Layer Security
License: OpenSSL


@ -1,8 +1,8 @@
Index: openssl-1.1.0c/Configurations/unix-Makefile.tmpl
Index: openssl-1.1.0h/Configurations/unix-Makefile.tmpl
===================================================================
--- openssl-1.1.0c.orig/Configurations/unix-Makefile.tmpl 2016-11-10 15:03:43.000000000 +0100
+++ openssl-1.1.0c/Configurations/unix-Makefile.tmpl 2016-12-02 14:42:03.547865145 +0100
@@ -790,7 +790,7 @@ libcrypto.pc:
--- openssl-1.1.0h.orig/Configurations/unix-Makefile.tmpl 2018-03-27 16:32:18.922799218 +0200
+++ openssl-1.1.0h/Configurations/unix-Makefile.tmpl 2018-03-27 16:33:19.307764137 +0200
@@ -710,7 +710,7 @@ libcrypto.pc:
echo 'Version: '$(VERSION); \
echo 'Libs: -L$${libdir} -lcrypto'; \
echo 'Libs.private: $(EX_LIBS)'; \
@ -11,10 +11,10 @@ Index: openssl-1.1.0c/Configurations/unix-Makefile.tmpl
libssl.pc:
@ ( echo 'prefix=$(INSTALLTOP)'; \
@@ -804,7 +804,7 @@ libssl.pc:
@@ -723,7 +723,7 @@ libssl.pc:
echo 'Version: '$(VERSION); \
echo 'Requires.private: libcrypto'; \
echo 'Libs: -L$${libdir} -lssl'; \
echo 'Libs.private: $(EX_LIBS)'; \
- echo 'Cflags: -I$${includedir}' ) > libssl.pc
+ echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir}' ) > libssl.pc
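Review bot: The pkg-config patch carries no description: the outer hunk starts at line 1 of the patch file and its first line is already `Index:`, so nothing records why `-DOPENSSL_LOAD_CONF` is added to the `Cflags:` line of libssl.pc (the matching libcrypto.pc line is cut off in this view). That define is exported to every package that compiles through pkg-config, which presumably makes those programs read the system openssl.cnf when they initialise the library. A short header stating the intent and the bug reference would make that visible, for example `Export -DOPENSSL_LOAD_CONF so applications honour the system-wide openssl.cnf`. openssl-rsakeygen-minimum-distance.patch also begins directly with `Index:` and needs the same kind of header.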


@ -1,8 +1,8 @@
Index: openssl-1.1.0f/crypto/rsa/rsa_gen.c
Index: openssl-1.1.0h/crypto/rsa/rsa_gen.c
===================================================================
--- openssl-1.1.0f.orig/crypto/rsa/rsa_gen.c 2017-05-29 13:02:47.095166778 +0200
+++ openssl-1.1.0f/crypto/rsa/rsa_gen.c 2017-05-29 13:03:29.415824383 +0200
@@ -419,6 +419,19 @@ static int rsa_builtin_keygen(RSA *rsa,
--- openssl-1.1.0h.orig/crypto/rsa/rsa_gen.c 2018-03-27 16:34:44.709128590 +0200
+++ openssl-1.1.0h/crypto/rsa/rsa_gen.c 2018-03-27 16:34:44.753129312 +0200
@@ -420,6 +420,19 @@ static int rsa_builtin_keygen(RSA *rsa,
bitsp = (bits + 1) / 2;
bitsq = bits - bitsp;
@ -22,7 +22,7 @@ Index: openssl-1.1.0f/crypto/rsa/rsa_gen.c
/* We need the RSA components non-NULL */
if (!rsa->n && ((rsa->n = BN_new()) == NULL))
goto err;
@@ -444,6 +457,8 @@ static int rsa_builtin_keygen(RSA *rsa,
@@ -446,6 +459,8 @@ static int rsa_builtin_keygen(RSA *rsa,
for (;;) {
if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
goto err;
@ -30,8 +30,8 @@ Index: openssl-1.1.0f/crypto/rsa/rsa_gen.c
+ continue;
if (!BN_sub(r2, rsa->p, BN_value_one()))
goto err;
if (!BN_gcd(r1, r2, rsa->e, ctx))
@@ -460,6 +475,13 @@ static int rsa_builtin_keygen(RSA *rsa,
ERR_set_mark();
@@ -471,6 +486,13 @@ static int rsa_builtin_keygen(RSA *rsa,
if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL, cb))
goto err;
} while (BN_cmp(rsa->p, rsa->q) == 0);
@ -44,4 +44,4 @@ Index: openssl-1.1.0f/crypto/rsa/rsa_gen.c
+ continue;
if (!BN_sub(r2, rsa->q, BN_value_one()))
goto err;
if (!BN_gcd(r1, r2, rsa->e, ctx))
ERR_set_mark();
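Review bot: The refreshed context in rsa_builtin_keygen now shows `ERR_set_mark();` where the 1.1.0f context had the `BN_gcd` call, so the added `continue;` statements appear to sit in a loop that sets an error mark later in the same iteration. In the visible lines both `continue;` statements come before `BN_sub` and `ERR_set_mark()`, which keeps a retry from leaving a mark pending, but nothing in the patch says that this ordering matters. I would add a comment above each check, such as `/* must stay ahead of ERR_set_mark(): a retry must not leave a mark pending */`. The conditions guarding the `continue;` statements fall outside the displayed hunks, so the distance check itself could not be reviewed here.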


@ -19,10 +19,10 @@ Reviewed-by: Rich Salz <rsalz@openssl.org>
Configure | 7 +++++++
5 files changed, 47 insertions(+), 20 deletions(-)
Index: openssl-1.1.0e/Configurations/common.tmpl
Index: openssl-1.1.0h/Configurations/common.tmpl
===================================================================
--- openssl-1.1.0e.orig/Configurations/common.tmpl
+++ openssl-1.1.0e/Configurations/common.tmpl
--- openssl-1.1.0h.orig/Configurations/common.tmpl 2018-03-27 15:50:37.000000000 +0200
+++ openssl-1.1.0h/Configurations/common.tmpl 2018-03-27 16:31:37.126131133 +0200
@@ -9,15 +9,22 @@
# there are no duplicate dependencies and that they are in the
# right order. This is especially used to sort the list of
@ -59,11 +59,11 @@ Index: openssl-1.1.0e/Configurations/common.tmpl
}
@newlist;
}
Index: openssl-1.1.0e/Configurations/descrip.mms.tmpl
Index: openssl-1.1.0h/Configurations/descrip.mms.tmpl
===================================================================
--- openssl-1.1.0e.orig/Configurations/descrip.mms.tmpl
+++ openssl-1.1.0e/Configurations/descrip.mms.tmpl
@@ -524,6 +524,17 @@ configdata.pm : $(SRCDIR)Configure $(SRC
--- openssl-1.1.0h.orig/Configurations/descrip.mms.tmpl 2018-03-27 15:50:37.000000000 +0200
+++ openssl-1.1.0h/Configurations/descrip.mms.tmpl 2018-03-27 16:31:37.126131133 +0200
@@ -537,6 +537,17 @@ configdata.pm : $(SRCDIR)Configure $(SRC
use File::Basename;
use File::Spec::Functions qw/abs2rel rel2abs catfile catdir/;
@ -81,7 +81,7 @@ Index: openssl-1.1.0e/Configurations/descrip.mms.tmpl
sub generatesrc {
my %args = @_;
my $generator = join(" ", @{$args{generator}});
@@ -619,9 +630,7 @@ EOF
@@ -632,9 +643,7 @@ EOF
my $libd = dirname($lib);
my $libn = basename($lib);
(my $mkdef_key = $libn) =~ s/^${osslprefix_q}lib([^0-9]*)\d*/$1/i;
@ -92,7 +92,7 @@ Index: openssl-1.1.0e/Configurations/descrip.mms.tmpl
my $deps = join(", -\n\t\t", @deps);
my $shlib_target = $disabled{shared} ? "" : $target{shared_target};
my $ordinalsfile = defined($args{ordinals}) ? $args{ordinals}->[1] : "";
@@ -667,9 +676,7 @@ EOF
@@ -680,9 +689,7 @@ EOF
my $libn = basename($lib);
(my $libn_nolib = $libn) =~ s/^lib//;
my @objs = map { "$_.OBJ" } @{$args{objs}};
@ -103,7 +103,7 @@ Index: openssl-1.1.0e/Configurations/descrip.mms.tmpl
my $deps = join(", -\n\t\t", @objs, @deps);
my $shlib_target = $disabled{shared} ? "" : $target{shared_target};
my $engine_opt = abs2rel(rel2abs(catfile($config{sourcedir},
@@ -719,9 +726,7 @@ EOF
@@ -732,9 +739,7 @@ EOF
my $bind = dirname($bin);
my $binn = basename($bin);
my @objs = map { "$_.OBJ" } @{$args{objs}};
@ -114,11 +114,11 @@ Index: openssl-1.1.0e/Configurations/descrip.mms.tmpl
my $deps = join(", -\n\t\t", @objs, @deps);
# The "[]" hack is because in .OPT files, each line inherits the
# previous line's file spec as default, so if no directory spec
Index: openssl-1.1.0e/Configurations/unix-Makefile.tmpl
Index: openssl-1.1.0h/Configurations/unix-Makefile.tmpl
===================================================================
--- openssl-1.1.0e.orig/Configurations/unix-Makefile.tmpl
+++ openssl-1.1.0e/Configurations/unix-Makefile.tmpl
@@ -837,13 +837,13 @@ configdata.pm: $(SRCDIR)/Configure $(SRC
--- openssl-1.1.0h.orig/Configurations/unix-Makefile.tmpl 2018-03-27 16:31:37.110130877 +0200
+++ openssl-1.1.0h/Configurations/unix-Makefile.tmpl 2018-03-27 16:31:37.126131133 +0200
@@ -755,13 +755,13 @@ configdata.pm: $(SRCDIR)/Configure $(SRC
# It takes a list of library names and outputs a list of dependencies
sub compute_lib_depends {
if ($disabled{shared}) {
@ -134,7 +134,7 @@ Index: openssl-1.1.0e/Configurations/unix-Makefile.tmpl
}
sub generatesrc {
@@ -1056,11 +1056,16 @@ EOF
@@ -976,11 +976,16 @@ EOF
my $binn = basename($bin);
my $objs = join(" ", map { $_.$objext } @{$args{objs}});
my $deps = join(" ",compute_lib_depends(@{$args{deps}}));
@ -156,11 +156,11 @@ Index: openssl-1.1.0e/Configurations/unix-Makefile.tmpl
my $shlib_target = $disabled{shared} ? "" : $target{shared_target};
return <<"EOF";
$bin$exeext: $objs $deps
Index: openssl-1.1.0e/Configurations/windows-makefile.tmpl
Index: openssl-1.1.0h/Configurations/windows-makefile.tmpl
===================================================================
--- openssl-1.1.0e.orig/Configurations/windows-makefile.tmpl
+++ openssl-1.1.0e/Configurations/windows-makefile.tmpl
@@ -342,8 +342,10 @@ configdata.pm: "$(SRCDIR)\Configure" {-
--- openssl-1.1.0h.orig/Configurations/windows-makefile.tmpl 2018-03-27 15:50:37.000000000 +0200
+++ openssl-1.1.0h/Configurations/windows-makefile.tmpl 2018-03-27 16:31:37.126131133 +0200
@@ -361,8 +361,10 @@ configdata.pm: "$(SRCDIR)\Configure" {-
# It takes a list of library names and outputs a list of dependencies
sub compute_lib_depends {
if ($disabled{shared}) {
@ -172,11 +172,11 @@ Index: openssl-1.1.0e/Configurations/windows-makefile.tmpl
return map { shlib_import($_) } @_;
}
Index: openssl-1.1.0e/Configure
Index: openssl-1.1.0h/Configure
===================================================================
--- openssl-1.1.0e.orig/Configure
+++ openssl-1.1.0e/Configure
@@ -1838,9 +1838,16 @@ EOF
--- openssl-1.1.0h.orig/Configure 2018-03-27 15:50:37.000000000 +0200
+++ openssl-1.1.0h/Configure 2018-03-27 16:31:37.126131133 +0200
@@ -1844,9 +1844,16 @@ EOF
$d = cleanfile($buildd, $_, $blddir);
}
# Take note if the file to depend on is being renamed
@ -191,5 +191,5 @@ Index: openssl-1.1.0e/Configure
}
+ $d .= $e;
$unified_info{depends}->{$ddest}->{$d} = 1;
# If we depend on a header file or a perl module, let's make
# sure it can get included
}
}