testing/openssl-3
SHA256
3
0
Fork 0
forked from pool/openssl-3
Code Pull Requests Activity
53a0a66cd9
openssl-3/openssl-DEFAULT_SUSE_cipher.patch
Otto Hollmann 259f0441ec Accepting request 1129505 from home:ohollmann:branches:security:tls 
- Update to 3.2.0:
  * The BLAKE2b hash algorithm supports a configurable output length
    by setting the "size" parameter.
  * Enable extra Arm64 optimization on Windows for GHASH, RAND and
    AES.
  * Added a function to delete objects from store by URI -
    OSSL_STORE_delete() and the corresponding provider-storemgmt API
    function OSSL_FUNC_store_delete().
  * Added OSSL_FUNC_store_open_ex() provider-storemgmt API function to
    pass a passphrase callback when opening a store.
  * Changed the default salt length used by PBES2 KDF's (PBKDF2 and
    scrypt) from 8 bytes to 16 bytes. The PKCS5 (RFC 8018) standard
    uses a 64 bit salt length for PBE, and recommends a minimum of 64
    bits for PBES2. For FIPS compliance PBKDF2 requires a salt length
    of 128 bits. This affects OpenSSL command line applications such
    as "genrsa" and "pkcs8" and API's such as
    PEM_write_bio_PrivateKey() that are reliant on the default value.
    The additional commandline option 'saltlen' has been added to the
    OpenSSL command line applications for "pkcs8" and "enc" to allow
    the salt length to be set to a non default value.
  * Changed the default value of the ess_cert_id_alg configuration
    option which is used to calculate the TSA's public key
    certificate identifier. The default algorithm is updated to be
    sha256 instead of sha1.
  * Added optimization for SM2 algorithm on aarch64. It uses a huge
    precomputed table for point multiplication of the base point,
    which increases the size of libcrypto from 4.4 MB to 4.9 MB. A
    new configure option no-sm2-precomp has been added to disable the
    precomputed table.
  * Added client side support for QUIC

OBS-URL: https://build.opensuse.org/request/show/1129505
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=80
2023-11-28 11:04:23 +00:00

65 lines
2.9 KiB
Diff
Raw Blame History

Index: openssl-3.2.0/test/recipes/99-test_suse_default_ciphers.t
===================================================================
--- /dev/null
+++ openssl-3.2.0/test/recipes/99-test_suse_default_ciphers.t
@@ -0,0 +1,23 @@
+#! /usr/bin/env perl
+
+use strict;
+use warnings;
+
+use OpenSSL::Test qw/:DEFAULT/;
+use OpenSSL::Test::Utils;
+
+setup("test_default_ciphersuites");
+
+plan tests => 6;
+
+my @cipher_suites = ("DEFAULT_SUSE", "DEFAULT");
+
+foreach my $cipherlist (@cipher_suites) {
+ ok(run(app(["openssl", "ciphers", "-s", $cipherlist])),
+ "openssl ciphers works with ciphersuite $cipherlist");
+ ok(!grep(/(MD5|RC4|DES)/, run(app(["openssl", "ciphers", "-s", $cipherlist]), capture => 1)),
+ "$cipherlist shouldn't contain MD5, DES or RC4\n");
+ ok(grep(/(TLSv1.3)/, run(app(["openssl", "ciphers", "-tls1_3", "-s", "-v", $cipherlist]), capture => 1)),
+ "$cipherlist should contain TLSv1.3 ciphers\n");
+}
+
Index: openssl-3.2.0/include/openssl/ssl.h.in
===================================================================
--- openssl-3.2.0.orig/include/openssl/ssl.h.in
+++ openssl-3.2.0/include/openssl/ssl.h.in
@@ -194,6 +194,11 @@ extern "C" {
*/
# ifndef OPENSSL_NO_DEPRECATED_3_0
# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
+# define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"\
+ "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:"\
+ "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\
+ "DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\
+ "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA"
/*
* This is the default set of TLSv1.3 ciphersuites
* DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites()
Index: openssl-3.2.0/ssl/ssl_ciph.c
===================================================================
--- openssl-3.2.0.orig/ssl/ssl_ciph.c
+++ openssl-3.2.0/ssl/ssl_ciph.c
@@ -1623,7 +1623,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
*/
ok = 1;
rule_p = rule_str;
- if (HAS_PREFIX(rule_str, "DEFAULT")) {
+ if (HAS_PREFIX(rule_str, "DEFAULT_SUSE")) {
+ ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST,
+ &head, &tail, ca_list, c);
+ rule_p += 12;
+ if (*rule_p == ':')
+ rule_p++;
+ }
+ else if (HAS_PREFIX(rule_str, "DEFAULT")) {
ok = ssl_cipher_process_rulestr(OSSL_default_cipher_list(),
&head, &tail, ca_list, c);
rule_p += 7;
View Git Blame Copy Permalink