SHA256
1
0
forked from pool/openssl-1_1
Commit Graph

63 Commits

Author SHA256 Message Date
Vítězslav Čížek
332d0e46eb Accepting request 644654 from home:elvigia:branches:security:tls
- Explictly select "getrandom" system call as the seed source,
  it is the safer/best performing choice on linux.
- do not force -std=gnu99, pick the compiler default.

OBS-URL: https://build.opensuse.org/request/show/644654
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=23
2018-10-25 13:55:29 +00:00
Vítězslav Čížek
a3426a21a5 Accepting request 635009 from home:vitezslav_cizek:branches:security:tls
- Update to 1.1.1 release
  * This is the first official release of the OpenSSL 1.1.1 branch
    which brings TLS 1.3 support
- remove all TLS 1.3 ciphers from the DEFAULT_SUSE cipher list as they
  are configured differently
  * modified openssl-DEFAULT_SUSE_cipher.patch
- drop obsolete openssl-pretend_we_are_not_beta.patch

OBS-URL: https://build.opensuse.org/request/show/635009
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=22
2018-09-11 15:12:55 +00:00
Vítězslav Čížek
725b77cd89 Accepting request 631345 from home:vitezslav_cizek:branches:security:tls
drop zlib dependency

OBS-URL: https://build.opensuse.org/request/show/631345
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=21
2018-08-24 11:53:29 +00:00
Vítězslav Čížek
3e8cec6722 Accepting request 631304 from home:vitezslav_cizek:branches:security:tls
- Update to 1.1.1-pre9 (Beta 7)
  * Support for TLSv1.3 added
  * Move the display of configuration data to configdata.pm.
  * Allow GNU style "make variables" to be used with Configure.
  * Add a STORE module (OSSL_STORE)
  * Claim the namespaces OSSL and OPENSSL, represented as symbol prefixes
  * Add multi-prime RSA (RFC 8017) support
  * Add SM3 implemented according to GB/T 32905-2016
  * Add SM4 implemented according to GB/T 32907-2016.
  * Add 'Maximum Fragment Length' TLS extension negotiation and support
  * Add ARIA support
  * Add SHA3
  * Rewrite of devcrypto engine
  * Add support for SipHash
  * Grand redesign of the OpenSSL random generator
- pretend the release is not a Beta, to avoid "OpenSSL version mismatch"
  with OpenSSH
  * add openssl-pretend_we_are_not_beta.patch
- drop FIPS support
  * don't build with FIPS mode (not supported in 1.1.1)
  * don't create the -hmac subpackages
  - drop FIPS patches
    * openssl-fips-clearerror.patch
    * openssl-fips-dont-fall-back-to-default-digest.patch
    * openssl-fips-dont_run_FIPS_module_installed.patch
    * openssl-fips-fix-odd-rsakeybits.patch
    * openssl-fips-rsagen-d-bits.patch
    * openssl-fips-selftests_in_nonfips_mode.patch
    * openssl-fips_disallow_ENGINE_loading.patch
    * openssl-rsakeygen-minimum-distance.patch

OBS-URL: https://build.opensuse.org/request/show/631304
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=19
2018-08-24 10:39:49 +00:00
Vítězslav Čížek
1434a42e91 - Update to 1.1.0i
OpenSSL Security Advisory [12 June 2018]
  * Reject excessively large primes in DH key generation
    (bsc#1097158, CVE-2018-0732)
  * Make EVP_PKEY_asn1_new() a bit stricter about its input
  * Revert blinding in ECDSA sign and instead make problematic addition
    length-invariant. Switch even to fixed-length Montgomery multiplication.
  * Change generating and checking of primes so that the error rate of not
    being prime depends on the intended use based on the size of the input.
  * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
  * Add blinding to ECDSA and DSA signatures to protect against side channel
    attacks
  * When unlocking a pass phrase protected PEM file or PKCS#8 container, we
    now allow empty (zero character) pass phrases.
  * Certificate time validation (X509_cmp_time) enforces stricter
    compliance with RFC 5280. Fractional seconds and timezone offsets
    are no longer allowed.
  * Fixed a text canonicalisation bug in CMS
- drop patches (upstream):
  * 0001-Limit-scope-of-CN-name-constraints.patch
  * 0001-Revert-util-dofile.pl-only-quote-stuff-that-actually.patch
  * 0001-Tolerate-a-Certificate-using-a-non-supported-group-o.patch
  * 0002-Skip-CN-DNS-name-constraint-checks-when-not-needed.patch
- refresh patches:
  * openssl-1.1.0-fips.patch
  * openssl-disable_rsa_keygen_tests_with_small_modulus.patch
- rename openssl-CVE-2018-0737.patch to openssl-CVE-2018-0737-fips.patch
  as it now only includes changes to the fips code

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=17
2018-08-14 14:11:16 +00:00
Tomáš Chvátal
fff0b397cb Accepting request 627059 from home:vitezslav_cizek:branches:security:tls
- Add openssl(cli) Provide so the packages that require the openssl
  binary can require this instead of the new openssl meta package
  (bsc#1101470)
- Don't Require openssl-1_1 from the devel package, just Recommend it

OBS-URL: https://build.opensuse.org/request/show/627059
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=15
2018-08-02 11:19:07 +00:00
Tomáš Chvátal
ae6dfc8494 Accepting request 613454 from home:vitezslav_cizek:branches:security:tls
- Suggest libopenssl1_1-hmac from libopenssl1_1 package to avoid
  dependency issues during updates (bsc#1090765)

OBS-URL: https://build.opensuse.org/request/show/613454
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=13
2018-06-01 13:28:44 +00:00
Tomáš Chvátal
20fb199cba Accepting request 612812 from home:vitezslav_cizek:branches:security:tls
- Relax CN name restrictions (bsc#1084011)
  * added patches:
    0001-Limit-scope-of-CN-name-constraints.patch
    0002-Skip-CN-DNS-name-constraint-checks-when-not-needed.patch

OBS-URL: https://build.opensuse.org/request/show/612812
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=12
2018-05-29 09:17:53 +00:00
Tomáš Chvátal
1d99f4ef85 Accepting request 606162 from home:vitezslav_cizek:branches:security:tls
- OpenSSL Security Advisory [16 Apr 2018]
  * Cache timing vulnerability in RSA Key Generation
    (CVE-2018-0737, bsc#1089039)
  * add openssl-CVE-2018-0737.patch

- Fix escaping in c_rehash (boo#1091961, bsc#1091963)
  * add 0001-Revert-util-dofile.pl-only-quote-stuff-that-actually.patch

OBS-URL: https://build.opensuse.org/request/show/606162
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=10
2018-05-10 13:45:22 +00:00
Vítězslav Čížek
54892abfae Accepting request 592071 from home:vitezslav_cizek:branches:security:tls
- Tolerate a Certificate using a non-supported group on server side
  (boo#1084651)
  * https://github.com/openssl/openssl/pull/5607
  * add 0001-Tolerate-a-Certificate-using-a-non-supported-group-o.patch

OBS-URL: https://build.opensuse.org/request/show/592071
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=8
2018-03-28 14:56:27 +00:00
Tomáš Chvátal
d99d49a007 Accepting request 591684 from home:vitezslav_cizek:branches:security:tls
- Update to 1.1.0h
  OpenSSL Security Advisory [27 Mar 2018]
  * Constructed ASN.1 types with a recursive definition could exceed
    the stack (CVE-2018-0739) (bsc#1087102)
  * rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
    (bsc#1071906)
- refresh patches:
  * 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
  * openssl-1.1.0-fips.patch
  * openssl-pkgconfig.patch
  * openssl-rsakeygen-minimum-distance.patch
  * openssl-static-deps.patch

OBS-URL: https://build.opensuse.org/request/show/591684
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=7
2018-03-27 15:20:21 +00:00
Vítězslav Čížek
e248990eb1 Accepting request 578316 from home:vitezslav_cizek:branches:security:tls
* obsolete the 1_1_0 packages

OBS-URL: https://build.opensuse.org/request/show/578316
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=4
2018-02-20 11:18:48 +00:00
Vítězslav Čížek
02427a3414 - Renamed from openssl-1_1_0 (bsc#1081335)
* All the minor versions of the 1.1.x openssl branch have the same
    sonum and keep ABI compatibility

- Remove bit obsolete syntax
- Use %license macro

- Don't disable afalgeng on aarch64

- Add support for s390x CPACF enhancements (fate#321518)
  patches taken from https://github.com/openssl/openssl/pull/2859:
  * 0002-crypto-modes-asm-ghash-s390x.pl-fix-gcm_gmult_4bit-K.patch
  * 0004-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch
  * 0005-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch
  * 0006-s390x-assembly-pack-extended-s390x-capability-vector.patch
  * 0007-crypto-evp-e_aes.c-add-foundations-for-extended-s390.patch
  * 0008-s390x-assembly-pack-extended-s390x-capability-vector.patch
  * 0009-crypto-aes-asm-aes-s390x.pl-add-KMA-code-path.patch
  * 0010-doc-man3-OPENSSL_s390xcap.pod-update-KMA.patch
  * 0011-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch
  * 0012-s390x-assembly-pack-add-KMA-code-path-for-aes-gcm.patch
  * 0013-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch

- Do not filter pkgconfig() provides/requires.

- Obsolete openssl-1_0_0 by openssl-1_1_0: this is required for a
  clean upgrade path as an aid to zypp (boo#1070003).

- Update to 1.1.0g
  OpenSSL Security Advisory [02 Nov 2017]

OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=2
2018-02-16 12:13:08 +00:00