00ea7ab7f6
Accepting request 1305335 from security:tls
...
- Update to 3.5.3:
* Added FIPS 140-3 PCT on DH key generation.
* Fixed the synthesised OPENSSL_VERSION_NUMBER.
- Rebase patches:
* openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
* openssl-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
* openssl-FIPS-limit-rsa-encrypt.patch
OBS-URL: https://build.opensuse.org/request/show/1305335
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=46
2025-09-18 19:07:54 +00:00
f6c710bc56
- Update to 3.5.3:
...
* Added FIPS 140-3 PCT on DH key generation.
* Fixed the synthesised OPENSSL_VERSION_NUMBER.
- Rebase patches:
* openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
* openssl-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
* openssl-FIPS-limit-rsa-encrypt.patch
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=155
2025-09-17 09:11:46 +00:00
afe8736aba
Accepting request 1297961 from security:tls
...
OBS-URL: https://build.opensuse.org/request/show/1297961
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=45
2025-08-09 17:57:12 +00:00
30c6de24df
- Update to 3.5.2:
...
* Miscellaneous minor bug fixes.
* The FIPS provider now performs a PCT on key import for RSA, EC and ECX.
This is mandated by FIPS 140-3 IG 10.3.A additional comment 1.
- Rebase patches:
* openssl-FIPS-140-3-keychecks.patch
* openssl-FIPS-NO-DES-support.patch
* openssl-FIPS-enforce-EMS-support.patch
* openssl-disable-fipsinstall.patch
- Move ssl configuration files to the libopenssl package [bsc#1247463]
- Don't install unneeded NOTES
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=153
2025-08-06 13:16:19 +00:00
97acb0832f
Accepting request 1296523 from security:tls
...
OBS-URL: https://build.opensuse.org/request/show/1296523
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=44
2025-07-31 15:45:52 +00:00
6046fdcaeb
- Disable LTO for userspace livepatching [jsc#PED-13245]
...
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=151
2025-07-30 09:28:14 +00:00
66e88c4add
- Use termios instead of obsolete termio
...
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=150
2025-07-29 08:21:34 +00:00
3b25bca574
Accepting request 1291169 from security:tls
...
OBS-URL: https://build.opensuse.org/request/show/1291169
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=43
2025-07-09 15:25:32 +00:00
2ae28710e3
Accepting request 1291089 from home:lmulling:branches:security:tls
...
- Update to 3.5.1:
* Fix x509 application adds trusted use instead of rejected use.
[bsc#1243564, CVE-2025-4575]
- Remove patches:
* openssl-Fix-P384-on-P8-targets.patch
* openssl-CVE-2025-4575.patch
- Rebase patches:
* openssl-Allow-disabling-of-SHA1-signatures.patch
* openssl-FIPS-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
* openssl-FIPS-NO-DES-support.patch
- Fix a bogus warning caused by -Wfree-nonheap-object
* Add patch openssl-Fix-Wfree-nonheap-object-warning.patch
OBS-URL: https://build.opensuse.org/request/show/1291089
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=148
2025-07-08 06:49:27 +00:00
20fff9f8c0
Accepting request 1281096 from security:tls
...
- Fix P-384 curve on lower-than-P9 PPC64 targets [bsc#1243014]
* Add openssl-Fix-P384-on-P8-targets.patch [a72f753c]
- Security fix: [bsc#1243564, CVE-2025-4575]
* Fix the x509 application adding trusted use instead of rejected use
* Add openssl-CVE-2025-4575.patch
* Security fixes:
- [bsc#1243459, CVE-2025-27587] Minerva side channel vulnerability in P-384
OBS-URL: https://build.opensuse.org/request/show/1281096
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=42
2025-05-30 12:20:40 +00:00
92e37434ce
- Fix P-384 curve on lower-than-P9 PPC64 targets [bsc#1243014]
...
* Add openssl-Fix-P384-on-P8-targets.patch [a72f753c]
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=146
2025-05-29 09:27:54 +00:00
76538713a2
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=145
2025-05-28 09:26:43 +00:00
24d6d64b5c
- Fixed CVE-2025-27587
...
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=144
2025-05-28 06:57:23 +00:00
cbc553d55a
- bsc#1243564 CVE-2025-4575: Fix the x509 application adding trusted use instead of rejected use
...
* Add openssl-CVE-2025-4575.patch
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=143
2025-05-27 09:21:22 +00:00
2dc845ffe5
Accepting request 1278744 from security:tls
...
OBS-URL: https://build.opensuse.org/request/show/1278744
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=41
2025-05-23 12:26:45 +00:00
002501c0b8
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=141
2025-05-20 13:04:16 +00:00
5d3e6b585a
Accepting request 1270033 from security:tls
...
OBS-URL: https://build.opensuse.org/request/show/1270033
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=40
2025-04-29 14:39:52 +00:00
8a00581af4
- Update to 3.5.0:
...
* Changes:
- Default encryption cipher for the req, cms, and smime applications
changed from des-ede3-cbc to aes-256-cbc.
- The default TLS supported groups list has been changed to include
and prefer hybrid PQC KEM groups. Some practically unused groups
were removed from the default list.
- The default TLS keyshares have been changed to offer X25519MLKEM768
and X25519.
- All BIO_meth_get_*() functions were deprecated.
* New features:
- Support for server side QUIC (RFC 9000)
- Support for 3rd party QUIC stacks including 0-RTT support
- Support for PQC algorithms (ML-KEM, ML-DSA and SLH-DSA)
- A new configuration option no-tls-deprecated-ec to disable support
for TLS groups deprecated in RFC8422
- A new configuration option enable-fips-jitter to make the FIPS
provider use the JITTER seed source
- Support for central key generation in CMP
- Support added for opaque symmetric key objects (EVP_SKEY)
- Support for multiple TLS keyshares and improved TLS key establishment
group configurability
- API support for pipelining in provided cipher algorithms
* Remove patches:
- openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch
- openssl-3-support-CPACF-sha3-shake-perf-improvement.patch
- openssl-3-add-defines-CPACF-funcs.patch
- openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch
- openssl-3-add-xof-state-handling-s3_absorb.patch
- openssl-3-fix-state-handling-sha3_absorb_s390x.patch
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=139
2025-04-16 13:02:20 +00:00
a91f523eac
Accepting request 1255522 from security:tls
...
OBS-URL: https://build.opensuse.org/request/show/1255522
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=39
2025-03-27 21:31:30 +00:00
fc3cc89792
Accepting request 1255099 from home:lmulling:branches:security:tls
...
- FIPS: Mark SHA-1 as non-approved in the SLI. [jsc#PED-12224]
* Add openssl-FIPS-Mark-SHA1-as-nonapproved.patch
OBS-URL: https://build.opensuse.org/request/show/1255099
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=137
2025-03-24 08:13:44 +00:00
ab574f714d
Accepting request 1251128 from security:tls
...
OBS-URL: https://build.opensuse.org/request/show/1251128
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=38
2025-03-08 16:51:16 +00:00
d801e4b1ff
- Introduce --without lto. When %{optflags} contains -flto=*, test cases are
...
also built using -flto=* which significantly increases build times, this
option disables lto which improves iteration times when developing.
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=135
2025-03-07 08:17:54 +00:00
e992b24c38
Accepting request 1245244 from security:tls
...
OBS-URL: https://build.opensuse.org/request/show/1245244
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=37
2025-02-12 20:30:27 +00:00
76e0808cc2
expected. [bsc#1236599, CVE-2024-12797]
...
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=133
2025-02-12 07:58:33 +00:00
ef668cd7fa
- Update to 3.2.4:
...
* Fixed RFC7250 handshakes with unauthenticated servers don't abort as
expected. [CVE-2024-12797]
* Fixed timing side-channel in ECDSA signature computation. [CVE-2024-13176]
* Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
curve parameters. [CVE-2024-9143]
- Remove patch openssl-CVE-2024-13176.patch
- Rebase patches:
* openssl-3-add_EVP_DigestSqueeze_api.patch
* openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
* openssl-FIPS-RSA-encapsulate.patch
* openssl-disable-fipsinstall.patch
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=132
2025-02-12 07:49:34 +00:00
e1389a0ce1
Accepting request 1240110 from security:tls
...
OBS-URL: https://build.opensuse.org/request/show/1240110
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=36
2025-01-25 18:09:48 +00:00
e5f6af2c44
- bsc#1236136 CVE-2024-13176: Fix timing side-channel in ECDSA signature computation
...
* Add patch openssl-CVE-2024-13176.patch
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=130
2025-01-24 08:48:18 +00:00
8853ae0bcf
Accepting request 1234617 from security:tls
...
OBS-URL: https://build.opensuse.org/request/show/1234617
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=35
2025-01-05 14:27:00 +00:00
b062a1d507
- Add support for userspace livepatching on ppc64le (jsc#PED-11850).
...
- Fix evp_properties section in the openssl.cnf file [bsc#1234647]
* Rebase patches:
- openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
- openssl-TESTS-Disable-default-provider-crypto-policies.patch
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=128
2025-01-02 18:17:13 +00:00
5afc4138ca
- Add support for userspace livepatching on ppc64le (jsc#PED-10952).
...
- Use gcc-13 for ppc64le.
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=127
2025-01-02 08:25:49 +00:00
b3fd9c08d5
Accepting request 1223748 from security:tls
...
OBS-URL: https://build.opensuse.org/request/show/1223748
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=34
2024-11-13 14:26:48 +00:00
de90bec471
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=125
2024-11-12 16:03:34 +00:00
5683a46d7c
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=124
2024-11-11 09:13:41 +00:00
a17015e560
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=123
2024-11-11 07:53:58 +00:00
45b932767a
Accepting request 1221596 from security:tls
...
OBS-URL: https://build.opensuse.org/request/show/1221596
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=33
2024-11-06 15:49:16 +00:00
8c598ed63d
- Support MSA 11 HMAC on s390x jsc#PED-10273
...
* Add openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch
* Add openssl-3-fix-hmac-digest-detection-s390x.patch
* Add openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch
- Add hardware acceleration for full AES-XTS jsc#PED-10273
* Add openssl-3-hw-acceleration-aes-xts-s390x.patch
- Support MSA 12 SHA3 on s390x jsc#PED-10280
* Add openssl-3-add_EVP_DigestSqueeze_api.patch
* Add openssl-3-support-multiple-sha3_squeeze_s390x.patch
* Add openssl-3-add-xof-state-handling-s3_absorb.patch
* Add openssl-3-fix-state-handling-sha3_absorb_s390x.patch
* Add openssl-3-fix-state-handling-sha3_final_s390x.patch
* Add openssl-3-fix-state-handling-shake_final_s390x.patch
* Add openssl-3-fix-state-handling-keccak_final_s390x.patch
* Add openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch
* Add openssl-3-add-defines-CPACF-funcs.patch
* Add openssl-3-add-hw-acceleration-hmac.patch
* Add openssl-3-support-CPACF-sha3-shake-perf-improvement.patch
* Add openssl-3-fix-s390x_sha3_absorb.patch
* Add openssl-3-fix-s390x_shake_squeeze.patch
- Update to 3.2.3:
* Changes between 3.2.2 and 3.2.3:
- Fixed possible denial of service in X.509 name checks. [CVE-2024-6119]
- Fixed possible buffer overread in SSL_select_next_proto(). [CVE-2024-5535]
* Changes between 3.2.1 and 3.2.2:
- Fixed potential use after free after SSL_free_buffers() is called. [CVE-2024-4741]
- Fixed an issue where checking excessively long DSA keys or parameters may
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=121
2024-11-05 19:08:08 +00:00
dcc7abb986
Accepting request 1217013 from security:tls
...
OBS-URL: https://build.opensuse.org/request/show/1217013
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=32
2024-10-29 13:32:23 +00:00
6e95485a74
- Update to 3.1.7:
...
* Major changes between OpenSSL 3.1.6 and OpenSSL 3.1.7 [3 Sep 2024]
- Fixed possible denial of service in X.509 name checks (CVE-2024-6119)
- Fixed possible buffer overread in SSL_select_next_proto()
(CVE-2024-5535)
* Major changes between OpenSSL 3.1.5 and OpenSSL 3.1.6 [4 Jun 2024]
- Fixed potential use after free after SSL_free_buffers() is
called (CVE-2024-4741)
- Fixed an issue where checking excessively long DSA keys or
parameters may be very slow (CVE-2024-4603)
- Fixed unbounded memory growth with session handling in TLSv1.3
(CVE-2024-2511)
* Major changes between OpenSSL 3.1.4 and OpenSSL 3.1.5 [30 Jan 2024]
- Fixed PKCS12 Decoding crashes (CVE-2024-0727)
- Fixed Excessive time spent checking invalid RSA public keys
(CVE-2023-6237)
- Fixed POLY1305 MAC implementation corrupting vector registers
on PowerPC CPUs which support PowerISA 2.07 (CVE-2023-6129)
- Fix excessive time spent in DH check / generation with large
Q parameter value (CVE-2023-5678)
* Update openssl.keyring with BA5473A2B0587B07FB27CF2D216094DFD0CB81EF
* Rebase patches:
- openssl-Force-FIPS.patch
- openssl-FIPS-embed-hmac.patch
- openssl-FIPS-services-minimize.patch
- openssl-FIPS-RSA-disable-shake.patch
- openssl-CVE-2023-50782.patch
* Remove patches fixed in the update:
- openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
- openssl-CVE-2024-6119.patch openssl-CVE-2024-5535.patch
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=119
2024-10-22 12:02:36 +00:00
f15b6cf3be
Accepting request 1208827 from security:tls
...
OBS-URL: https://build.opensuse.org/request/show/1208827
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=31
2024-10-20 08:02:58 +00:00
05037720cc
* Added openssl-CVE-2024-41996.patch
...
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=117
2024-10-18 08:58:53 +00:00
aaffc1c436
- Security fix: [bsc#1231741, CVE-2024-9143]
...
* Low-level invalid GF(2^m) parameters lead to OOB memory access
* Add openssl-CVE-2024-9143.patch
- Security fix: [bsc#1220262, CVE-2023-50782]
* Implicit rejection in PKCS#1 v1.5
* Add openssl-CVE-2023-50782.patch
* Validating the order of the public keys in the Diffie-Hellman
Key Agreement Protocol, when an approved safe prime is used.
* Added openssl-3-CVE-2024-41996.patch
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=116
2024-10-18 08:55:02 +00:00
0ed017ed4c
Accepting request 1202944 from security:tls
...
OBS-URL: https://build.opensuse.org/request/show/1202944
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=30
2024-09-25 19:51:14 +00:00
e20eeb46a1
- Security fix: [bsc#1230698, CVE-2024-41996]
...
* Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used
* Added openssl-CVE-2024-41996.patch
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=114
2024-09-24 12:22:05 +00:00