forked from pool/openssl-3
Accepting request 990534 from security:tls:unstable
OBS-URL: https://build.opensuse.org/request/show/990534 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=42
This commit is contained in:
parent
455c14e4eb
commit
9bc98986ac
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:98e91ccead4d4756ae3c9cde5e09191a8e586d9f4d50838e7ec09d6411dfdb63
|
||||
size 15038141
|
@ -1,11 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmIwowMACgkQ2cTSbQ5g
|
||||
RJFDvAf/RVYnplRE1x9i/ejoJeTAO7YhibCRpnp+UzkpgMrDL1y9Rpw3ZJCYh9Fq
|
||||
HEotKmbuZvNGPgYUxSov00xnhKcpzTHKiZQA767rZpNL4F+g3SpOh06IB6tJzn1k
|
||||
dx9oqAmWgIeWLY4kRHXrqqFa95Zu9LNxJ04NuqaaWxeK0/fYl534sYW5DU6uug9u
|
||||
4NcBamvnPv1+4A3Ow6jdN96tb7O3HuJ14RvGPzgUx1FPv/zU6NE2fgTnVcBzaYIP
|
||||
5rfB1EQa3+1NTtej+uUQb0i0NxFpgggFMF+qCc5Yrl9i3o8Q+wnbaVw4bNURk9En
|
||||
gNgfw0J0TG14PgtkF/Q6he++BQoNYQ==
|
||||
=pMVy
|
||||
-----END PGP SIGNATURE-----
|
3
openssl-3.0.5.tar.gz
Normal file
3
openssl-3.0.5.tar.gz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:aa7d8d9bef71ad6525c55ba11e5f4397889ce49c2c9349dcea6d3e4f0b024a7a
|
||||
size 15074407
|
17
openssl-3.0.5.tar.gz.asc
Normal file
17
openssl-3.0.5.tar.gz.asc
Normal file
@ -0,0 +1,17 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQJIBAABCgAyFiEEeVOsH7w9yLOykjk+1enkP3357owFAmLD/PsUHGxldml0dGVA
|
||||
b3BlbnNzbC5vcmcACgkQ1enkP3357oxVbw/8D1VjnQd7LuFKY7cEvhV9tVRMoYXV
|
||||
ZdVPAHyx6Tj2AK3H+bPMnxnOGGthimCPjtwetZsNZiIofQn9ySIXSBWesfXY1ZuY
|
||||
heln7Fa+Nb9IzpTPjq8ZQrdoNdpWWff1bW5cZLS7f0dwp/YTQWjk9WfFBKN35poC
|
||||
BS7LDzBL0u0Yn8yseioz9AhW7EB6Y53FuJQsXE79WReNnvjRwda2krNjh0Dyo8Pm
|
||||
1RqhX4nvsgYx4Zlo3AgMuzlxnHJG4zAJqJuTYK1gqR8LAJWWQVuozm20MADkScAB
|
||||
n9LCYnNtvD2trHZB/icXQOKV6vDj6HyH/uXF4afgyAboSoUYeFBzWDrItSvdO7w/
|
||||
c7yXe25wK1tZfFWEOxsNIB9wcXJjkt4d28IKHqG2WC8hdfZikPW5Q9WyP+3g0lr4
|
||||
sdKBnnG1OXnNtsYxJ9kcobx4HONyuLo/dj5gqjh32J6LlbWVRD1bd/V+VYqTnrTu
|
||||
ZI8otNi9DIriFFaznr8W6Wto0dX86KSYhdz33rI/ZXLl6k0MiC2VtwtU1L/tAHwS
|
||||
p8UjilhKLTHe77IPoz24KWlae7AOBSXq7pp/L1mWi8rMKq+bPPMTARCXxy31Mdvg
|
||||
o0TCrrVayNsUwDuLYM01Eg9+PELDhMr+BZVAMEsXVK3PT2c2pa28j7ASRvaPH6jy
|
||||
sHq7dMxKkmd4DsE=
|
||||
=o/SA
|
||||
-----END PGP SIGNATURE-----
|
@ -1,3 +1,101 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Jul 21 09:09:07 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
|
||||
|
||||
- Update to 3.0.5:
|
||||
* The OpenSSL 3.0.4 release introduced a serious bug in the RSA
|
||||
implementation for X86_64 CPUs supporting the AVX512IFMA instructions.
|
||||
This issue makes the RSA implementation with 2048 bit private keys
|
||||
incorrect on such machines and memory corruption will happen during
|
||||
the computation. As a consequence of the memory corruption an attacker
|
||||
may be able to trigger a remote code execution on the machine performing
|
||||
the computation.
|
||||
SSL/TLS servers or other servers using 2048 bit RSA private keys running
|
||||
on machines supporting AVX512IFMA instructions of the X86_64 architecture
|
||||
are affected by this issue. [bsc#1201148, CVE-2022-2274]
|
||||
* AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
|
||||
implementation would not encrypt the entirety of the data under some
|
||||
circumstances. This could reveal sixteen bytes of data that was
|
||||
preexisting in the memory that wasn't written. In the special case of
|
||||
"in place" encryption, sixteen bytes of the plaintext would be revealed.
|
||||
Since OpenSSL does not support OCB based cipher suites for TLS and DTLS,
|
||||
they are both unaffected. [bsc#1201099, CVE-2022-2097]
|
||||
- Rebase patches:
|
||||
* openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jul 18 12:03:55 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
|
||||
|
||||
- Update to 3.0.4: [bsc#1199166, CVE-2022-1292]
|
||||
* In addition to the c_rehash shell command injection identified in
|
||||
CVE-2022-1292, further bugs where the c_rehash script does not
|
||||
properly sanitise shell metacharacters to prevent command injection
|
||||
have been fixed.
|
||||
When the CVE-2022-1292 was fixed it was not discovered that there
|
||||
are other places in the script where the file names of certificates
|
||||
being hashed were possibly passed to a command executed through the shell.
|
||||
This script is distributed by some operating systems in a manner where
|
||||
it is automatically executed. On such operating systems, an attacker
|
||||
could execute arbitrary commands with the privileges of the script.
|
||||
Use of the c_rehash script is considered obsolete and should be replaced
|
||||
by the OpenSSL rehash command line tool.
|
||||
* Case insensitive string comparison no longer uses locales.
|
||||
It has instead been directly implemented.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jul 18 12:03:21 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
|
||||
|
||||
- Update to 3.0.3:
|
||||
* Case insensitive string comparison is reimplemented via new locale-agnostic
|
||||
comparison functions OPENSSL_str[n]casecmp always using the POSIX locale for
|
||||
comparison. The previous implementation had problems when the Turkish locale
|
||||
was used.
|
||||
* Fixed a bug in the c_rehash script which was not properly sanitising shell
|
||||
metacharacters to prevent command injection. This script is distributed by
|
||||
some operating systems in a manner where it is automatically executed. On
|
||||
such operating systems, an attacker could execute arbitrary commands with the
|
||||
privileges of the script.
|
||||
Use of the c_rehash script is considered obsolete and should be replaced
|
||||
by the OpenSSL rehash command line tool. [bsc#1199166, CVE-2022-1292]
|
||||
* Fixed a bug in the function 'OCSP_basic_verify' that verifies the signer
|
||||
certificate on an OCSP response. The bug caused the function in the case
|
||||
where the (non-default) flag OCSP_NOCHECKS is used to return a postivie
|
||||
response (meaning a successful verification) even in the case where the
|
||||
response signing certificate fails to verify.
|
||||
It is anticipated that most users of 'OCSP_basic_verify' will not use the
|
||||
OCSP_NOCHECKS flag. In this case the 'OCSP_basic_verify' function will return
|
||||
a negative value (indicating a fatal error) in the case of a certificate
|
||||
verification failure. The normal expected return value in this case would be 0.
|
||||
This issue also impacts the command line OpenSSL "ocsp" application. When
|
||||
verifying an ocsp response with the "-no_cert_checks" option the command line
|
||||
application will report that the verification is successful even though it
|
||||
has in fact failed. In this case the incorrect successful response will also
|
||||
be accompanied by error messages showing the failure and contradicting the
|
||||
apparently successful result. [bsc#1199167, CVE-2022-1343]
|
||||
* Fixed a bug where the RC4-MD5 ciphersuite incorrectly used the
|
||||
AAD data as the MAC key. This made the MAC key trivially predictable.
|
||||
An attacker could exploit this issue by performing a man-in-the-middle attack
|
||||
to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such
|
||||
that the modified data would still pass the MAC integrity check.
|
||||
Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0
|
||||
endpoint will always be rejected by the recipient and the connection will
|
||||
fail at that point. Many application protocols require data to be sent from
|
||||
the client to the server first. Therefore, in such a case, only an OpenSSL
|
||||
3.0 server would be impacted when talking to a non-OpenSSL 3.0 client.
|
||||
[bsc#1199168, CVE-2022-1434]
|
||||
* Fix a bug in the OPENSSL_LH_flush() function that breaks reuse of the memory
|
||||
occuppied by the removed hash table entries.
|
||||
This function is used when decoding certificates or keys. If a long lived
|
||||
process periodically decodes certificates or keys its memory usage will
|
||||
expand without bounds and the process might be terminated by the operating
|
||||
system causing a denial of service. Also traversing the empty hash table
|
||||
entries will take increasingly more time. Typically such long lived processes
|
||||
might be TLS clients or TLS servers configured to accept client certificate
|
||||
authentication. [bsc#1199169, CVE-2022-1473]
|
||||
* The functions 'OPENSSL_LH_stats' and 'OPENSSL_LH_stats_bio' now only report
|
||||
the 'num_items', 'num_nodes' and 'num_alloc_nodes' statistics. All other
|
||||
statistics are no longer supported. For compatibility, these statistics are
|
||||
still listed in the output but are now always reported as zero.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sat Mar 19 10:05:22 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
|
||||
|
||||
@ -211,8 +309,8 @@ Sat May 1 19:58:48 UTC 2021 - Jason Sikes <jsikes@suse.com>
|
||||
automatically become EVP_PKEY_SM2 rather than EVP_PKEY_EC. This is a breaking
|
||||
change from previous OpenSSL versions.
|
||||
Unlike in previous OpenSSL versions, this means that applications must not
|
||||
call `EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)` to get SM2 computations.
|
||||
The `EVP_PKEY_set_alias_type` function has now been removed.
|
||||
call 'EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)' to get SM2 computations.
|
||||
The 'EVP_PKEY_set_alias_type' function has now been removed.
|
||||
* Parameter and key generation is also reworked to make it possible
|
||||
to generate EVP_PKEY_SM2 parameters and keys. Applications must now generate
|
||||
SM2 keys directly and must not create an EVP_PKEY_EC key first.
|
||||
@ -612,7 +710,7 @@ Thu Jun 4 20:24:04 UTC 2020 - Vítězslav Čížek <vcizek@suse.com>
|
||||
-------------------------------------------------------------------
|
||||
Sat May 23 14:06:54 UTC 2020 - Jan Engelhardt <jengelh@inai.de>
|
||||
|
||||
- Use find -exec +. Replace `pwd` by simply $PWD.
|
||||
- Use find -exec +. Replace 'pwd' by simply $PWD.
|
||||
- Drop Obsoletes on libopenssl1*. libopenssl3 has a new SONAME and
|
||||
does not conflict with anything previously.
|
||||
|
||||
|
@ -21,7 +21,7 @@
|
||||
%define _rname openssl
|
||||
Name: openssl-3
|
||||
# Don't forget to update the version in the "openssl" package!
|
||||
Version: 3.0.2
|
||||
Version: 3.0.5
|
||||
Release: 0
|
||||
Summary: Secure Sockets and Transport Layer Security
|
||||
License: Apache-2.0
|
||||
|
@ -15,10 +15,10 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
||||
util/libcrypto.num | 1 +
|
||||
8 files changed, 110 insertions(+), 14 deletions(-)
|
||||
|
||||
Index: openssl-3.0.1/Configurations/unix-Makefile.tmpl
|
||||
Index: openssl-3.0.5/Configurations/unix-Makefile.tmpl
|
||||
===================================================================
|
||||
--- openssl-3.0.1.orig/Configurations/unix-Makefile.tmpl
|
||||
+++ openssl-3.0.1/Configurations/unix-Makefile.tmpl
|
||||
--- openssl-3.0.5.orig/Configurations/unix-Makefile.tmpl
|
||||
+++ openssl-3.0.5/Configurations/unix-Makefile.tmpl
|
||||
@@ -315,6 +315,10 @@ MANDIR=$(INSTALLTOP)/share/man
|
||||
DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
|
||||
HTMLDIR=$(DOCDIR)/html
|
||||
@ -38,10 +38,10 @@ Index: openssl-3.0.1/Configurations/unix-Makefile.tmpl
|
||||
(map { "-I".$_} @{$config{CPPINCLUDES}}),
|
||||
@{$config{CPPFLAGS}}) -}
|
||||
CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
|
||||
Index: openssl-3.0.1/doc/man1/openssl-ciphers.pod.in
|
||||
Index: openssl-3.0.5/doc/man1/openssl-ciphers.pod.in
|
||||
===================================================================
|
||||
--- openssl-3.0.1.orig/doc/man1/openssl-ciphers.pod.in
|
||||
+++ openssl-3.0.1/doc/man1/openssl-ciphers.pod.in
|
||||
--- openssl-3.0.5.orig/doc/man1/openssl-ciphers.pod.in
|
||||
+++ openssl-3.0.5/doc/man1/openssl-ciphers.pod.in
|
||||
@@ -186,6 +186,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
|
||||
|
||||
The cipher suites not enabled by B<ALL>, currently B<eNULL>.
|
||||
@ -58,10 +58,10 @@ Index: openssl-3.0.1/doc/man1/openssl-ciphers.pod.in
|
||||
=item B<HIGH>
|
||||
|
||||
"High" encryption cipher suites. This currently means those with key lengths
|
||||
Index: openssl-3.0.1/include/openssl/ssl.h.in
|
||||
Index: openssl-3.0.5/include/openssl/ssl.h.in
|
||||
===================================================================
|
||||
--- openssl-3.0.1.orig/include/openssl/ssl.h.in
|
||||
+++ openssl-3.0.1/include/openssl/ssl.h.in
|
||||
--- openssl-3.0.5.orig/include/openssl/ssl.h.in
|
||||
+++ openssl-3.0.5/include/openssl/ssl.h.in
|
||||
@@ -210,6 +210,11 @@ extern "C" {
|
||||
* throwing out anonymous and unencrypted ciphersuites! (The latter are not
|
||||
* actually enabled by ALL, but "ALL:RSA" would enable some of them.)
|
||||
@ -74,10 +74,10 @@ Index: openssl-3.0.1/include/openssl/ssl.h.in
|
||||
|
||||
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
|
||||
# define SSL_SENT_SHUTDOWN 1
|
||||
Index: openssl-3.0.1/ssl/ssl_ciph.c
|
||||
Index: openssl-3.0.5/ssl/ssl_ciph.c
|
||||
===================================================================
|
||||
--- openssl-3.0.1.orig/ssl/ssl_ciph.c
|
||||
+++ openssl-3.0.1/ssl/ssl_ciph.c
|
||||
--- openssl-3.0.5.orig/ssl/ssl_ciph.c
|
||||
+++ openssl-3.0.5/ssl/ssl_ciph.c
|
||||
@@ -1436,6 +1436,53 @@ int SSL_set_ciphersuites(SSL *s, const c
|
||||
return ret;
|
||||
}
|
||||
@ -216,7 +216,7 @@ Index: openssl-3.0.1/ssl/ssl_ciph.c
|
||||
/* Add TLSv1.3 ciphers first - we always prefer those if possible */
|
||||
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
|
||||
const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
|
||||
@@ -1690,6 +1748,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
@@ -1690,6 +1747,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||
*cipher_list = cipherstack;
|
||||
|
||||
return cipherstack;
|
||||
@ -231,10 +231,10 @@ Index: openssl-3.0.1/ssl/ssl_ciph.c
|
||||
}
|
||||
|
||||
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
|
||||
Index: openssl-3.0.1/ssl/ssl_lib.c
|
||||
Index: openssl-3.0.5/ssl/ssl_lib.c
|
||||
===================================================================
|
||||
--- openssl-3.0.1.orig/ssl/ssl_lib.c
|
||||
+++ openssl-3.0.1/ssl/ssl_lib.c
|
||||
--- openssl-3.0.5.orig/ssl/ssl_lib.c
|
||||
+++ openssl-3.0.5/ssl/ssl_lib.c
|
||||
@@ -660,7 +660,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
|
||||
ctx->tls13_ciphersuites,
|
||||
&(ctx->cipher_list),
|
||||
@ -244,7 +244,7 @@ Index: openssl-3.0.1/ssl/ssl_lib.c
|
||||
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
|
||||
ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
|
||||
return 0;
|
||||
@@ -3248,7 +3248,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li
|
||||
@@ -3271,7 +3271,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li
|
||||
if (!ssl_create_cipher_list(ret,
|
||||
ret->tls13_ciphersuites,
|
||||
&ret->cipher_list, &ret->cipher_list_by_id,
|
||||
@ -253,10 +253,10 @@ Index: openssl-3.0.1/ssl/ssl_lib.c
|
||||
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
|
||||
ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
|
||||
goto err2;
|
||||
Index: openssl-3.0.1/test/cipherlist_test.c
|
||||
Index: openssl-3.0.5/test/cipherlist_test.c
|
||||
===================================================================
|
||||
--- openssl-3.0.1.orig/test/cipherlist_test.c
|
||||
+++ openssl-3.0.1/test/cipherlist_test.c
|
||||
--- openssl-3.0.5.orig/test/cipherlist_test.c
|
||||
+++ openssl-3.0.5/test/cipherlist_test.c
|
||||
@@ -246,7 +246,9 @@ end:
|
||||
|
||||
int setup_tests(void)
|
||||
@ -267,20 +267,20 @@ Index: openssl-3.0.1/test/cipherlist_test.c
|
||||
ADD_TEST(test_default_cipherlist_explicit);
|
||||
ADD_TEST(test_default_cipherlist_clear);
|
||||
return 1;
|
||||
Index: openssl-3.0.1/util/libcrypto.num
|
||||
Index: openssl-3.0.5/util/libcrypto.num
|
||||
===================================================================
|
||||
--- openssl-3.0.1.orig/util/libcrypto.num
|
||||
+++ openssl-3.0.1/util/libcrypto.num
|
||||
@@ -5425,3 +5425,4 @@ ASN1_item_d2i_ex
|
||||
ASN1_TIME_print_ex 5553 3_0_0 EXIST::FUNCTION:
|
||||
EVP_PKEY_get0_provider 5554 3_0_0 EXIST::FUNCTION:
|
||||
--- openssl-3.0.5.orig/util/libcrypto.num
|
||||
+++ openssl-3.0.5/util/libcrypto.num
|
||||
@@ -5427,3 +5427,4 @@ EVP_PKEY_get0_provider
|
||||
EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION:
|
||||
OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION:
|
||||
OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION:
|
||||
+ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
|
||||
Index: openssl-3.0.1/Configure
|
||||
Index: openssl-3.0.5/Configure
|
||||
===================================================================
|
||||
--- openssl-3.0.1.orig/Configure
|
||||
+++ openssl-3.0.1/Configure
|
||||
@@ -27,7 +27,7 @@ use OpenSSL::config;
|
||||
--- openssl-3.0.5.orig/Configure
|
||||
+++ openssl-3.0.5/Configure
|
||||
@@ -28,7 +28,7 @@ use OpenSSL::config;
|
||||
my $orig_death_handler = $SIG{__DIE__};
|
||||
$SIG{__DIE__} = \&death_handler;
|
||||
|
||||
@ -289,7 +289,7 @@ Index: openssl-3.0.1/Configure
|
||||
|
||||
my $banner = <<"EOF";
|
||||
|
||||
@@ -61,6 +61,10 @@ EOF
|
||||
@@ -62,6 +62,10 @@ EOF
|
||||
# given with --prefix.
|
||||
# This becomes the value of OPENSSLDIR in Makefile and in C.
|
||||
# (Default: PREFIX/ssl)
|
||||
@ -300,7 +300,7 @@ Index: openssl-3.0.1/Configure
|
||||
# --banner=".." Output specified text instead of default completion banner
|
||||
#
|
||||
# -w Don't wait after showing a Configure warning
|
||||
@@ -387,6 +391,7 @@ $config{prefix}="";
|
||||
@@ -388,6 +392,7 @@ $config{prefix}="";
|
||||
$config{openssldir}="";
|
||||
$config{processor}="";
|
||||
$config{libdir}="";
|
||||
@ -308,7 +308,7 @@ Index: openssl-3.0.1/Configure
|
||||
my $auto_threads=1; # enable threads automatically? true by default
|
||||
my $default_ranlib;
|
||||
|
||||
@@ -989,6 +994,10 @@ while (@argvcopy)
|
||||
@@ -990,6 +995,10 @@ while (@argvcopy)
|
||||
die "FIPS key too long (64 bytes max)\n"
|
||||
if length $1 > 64;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user