testing/openssl
SHA256
3
0
Fork 0
forked from pool/openssl
Code Pull Requests Activity

Accepting request 363602 from Base:System

Browse Source 
- update to 1.0.2g (bsc#968044)
  * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
    Builds that are not configured with "enable-weak-ssl-ciphers" will not
    provide any "EXPORT" or "LOW" strength ciphers.
  * Disable SSLv2 default build, default negotiation and weak ciphers.  SSLv2
    is by default disabled at build-time.  Builds that are not configured with
    "enable-ssl2" will not support SSLv2.  Even if "enable-ssl2" is used,
    users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
    will need to explicitly call either of:
        SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
    or
        SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
    (CVE-2016-0800)
  * Fix a double-free in DSA code
     (CVE-2016-0705)
  * Disable SRP fake user seed to address a server memory leak.
     Add a new method SRP_VBASE_get1_by_user that handles the seed properly.
     (CVE-2016-0798)
  * Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
     (CVE-2016-0797)
  *) Side channel attack on modular exponentiation
     http://cachebleed.info.
     (CVE-2016-0702)
  *) Change the req app to generate a 2048-bit RSA/DSA key by default,
     if no keysize is specified with default_bits. This fixes an
     omission in an earlier change that changed all RSA/DSA key generation
     apps to use 2048 bits by default. (forwarded request 363599 from vitezslav_cizek)

OBS-URL: https://build.opensuse.org/request/show/363602
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=130
This commit is contained in:
Dominique Leuenberger 2016-03-05 10:21:18 +00:00 committed by Git OBS Bridge
parent ed81eb44e1
commit 2ebd052507
9 changed files with 648 additions and 474 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

194
0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
View File

@ -4,10 +4,10 @@ Date: Sun, 4 May 2014 23:36:54 -0400
Subject: [PATCH] Axe builtin printf implementation, use glibc instead
Index: openssl-1.0.2b/crypto/bio/b_print.c
Index: openssl-1.0.2g/crypto/bio/b_print.c
===================================================================
--- openssl-1.0.2b.orig/crypto/bio/b_print.c 2015-06-11 15:01:06.000000000 +0200
+++ openssl-1.0.2b/crypto/bio/b_print.c 2015-06-11 17:50:00.893823977 +0200
--- openssl-1.0.2g.orig/crypto/bio/b_print.c 2016-03-01 14:35:05.000000000 +0100
+++ openssl-1.0.2g/crypto/bio/b_print.c 2016-03-01 15:26:55.597307479 +0100
@@ -56,17 +56,10 @@
* [including the GNU Public Licence.]
*/
@ -28,7 +28,7 @@ Index: openssl-1.0.2b/crypto/bio/b_print.c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
@@ -79,668 +72,6 @@
@@ -79,708 +72,6 @@
#include <openssl/bn.h> /* To get BN_LLONG properly defined */
#include <openssl/bio.h>
@ -78,14 +78,14 @@ Index: openssl-1.0.2b/crypto/bio/b_print.c
-# define LLONG long
-#endif
-
-static void fmtstr(char **, char **, size_t *, size_t *,
-static int fmtstr(char **, char **, size_t *, size_t *,
- const char *, int, int, int);
-static void fmtint(char **, char **, size_t *, size_t *,
-static int fmtint(char **, char **, size_t *, size_t *,
- LLONG, int, int, int, int);
-static void fmtfp(char **, char **, size_t *, size_t *,
-static int fmtfp(char **, char **, size_t *, size_t *,
- LDOUBLE, int, int, int);
-static void doapr_outch(char **, char **, size_t *, size_t *, int);
-static void _dopr(char **sbuffer, char **buffer,
-static int doapr_outch(char **, char **, size_t *, size_t *, int);
-static int _dopr(char **sbuffer, char **buffer,
- size_t *maxlen, size_t *retlen, int *truncated,
- const char *format, va_list args);
-
@ -118,7 +118,7 @@ Index: openssl-1.0.2b/crypto/bio/b_print.c
-#define char_to_int(p) (p - '0')
-#define OSSL_MAX(p,q) ((p >= q) ? p : q)
-
-static void
-static int
-_dopr(char **sbuffer,
- char **buffer,
- size_t *maxlen,
@ -149,7 +149,8 @@ Index: openssl-1.0.2b/crypto/bio/b_print.c
- if (ch == '%')
- state = DP_S_FLAGS;
- else
- doapr_outch(sbuffer, buffer, &currlen, maxlen, ch);
- if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, ch))
- return 0;
- ch = *format++;
- break;
- case DP_S_FLAGS:
@ -255,8 +256,9 @@ Index: openssl-1.0.2b/crypto/bio/b_print.c
- value = va_arg(args, int);
- break;
- }
- fmtint(sbuffer, buffer, &currlen, maxlen,
- value, 10, min, max, flags);
- if (!fmtint(sbuffer, buffer, &currlen, maxlen, value, 10, min,
- max, flags))
- return 0;
- break;
- case 'X':
- flags |= DP_F_UP;
@ -279,17 +281,19 @@ Index: openssl-1.0.2b/crypto/bio/b_print.c
- value = (LLONG) va_arg(args, unsigned int);
- break;
- }
- fmtint(sbuffer, buffer, &currlen, maxlen, value,
- if (!fmtint(sbuffer, buffer, &currlen, maxlen, value,
- ch == 'o' ? 8 : (ch == 'u' ? 10 : 16),
- min, max, flags);
- min, max, flags))
- return 0;
- break;
- case 'f':
- if (cflags == DP_C_LDOUBLE)
- fvalue = va_arg(args, LDOUBLE);
- else
- fvalue = va_arg(args, double);
- fmtfp(sbuffer, buffer, &currlen, maxlen,
- fvalue, min, max, flags);
- if (!fmtfp(sbuffer, buffer, &currlen, maxlen, fvalue, min, max,
- flags))
- return 0;
- break;
- case 'E':
- flags |= DP_F_UP;
@ -308,8 +312,9 @@ Index: openssl-1.0.2b/crypto/bio/b_print.c
- fvalue = va_arg(args, double);
- break;
- case 'c':
- doapr_outch(sbuffer, buffer, &currlen, maxlen,
- va_arg(args, int));
- if(!doapr_outch(sbuffer, buffer, &currlen, maxlen,
- va_arg(args, int)))
- return 0;
- break;
- case 's':
- strvalue = va_arg(args, char *);
@ -319,13 +324,15 @@ Index: openssl-1.0.2b/crypto/bio/b_print.c
- else
- max = *maxlen;
- }
- fmtstr(sbuffer, buffer, &currlen, maxlen, strvalue,
- flags, min, max);
- if (!fmtstr(sbuffer, buffer, &currlen, maxlen, strvalue,
- flags, min, max))
- return 0;
- break;
- case 'p':
- value = (long)va_arg(args, void *);
- fmtint(sbuffer, buffer, &currlen, maxlen,
- value, 16, min, max, flags | DP_F_NUM);
- if (!fmtint(sbuffer, buffer, &currlen, maxlen,
- value, 16, min, max, flags | DP_F_NUM))
- return 0;
- break;
- case 'n': /* XXX */
- if (cflags == DP_C_SHORT) {
@ -347,7 +354,8 @@ Index: openssl-1.0.2b/crypto/bio/b_print.c
- }
- break;
- case '%':
- doapr_outch(sbuffer, buffer, &currlen, maxlen, ch);
- if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, ch))
- return 0;
- break;
- case 'w':
- /* not supported yet, treat as next char */
@ -371,46 +379,56 @@ Index: openssl-1.0.2b/crypto/bio/b_print.c
- *truncated = (currlen > *maxlen - 1);
- if (*truncated)
- currlen = *maxlen - 1;
- doapr_outch(sbuffer, buffer, &currlen, maxlen, '\0');
- if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, '\0'))
- return 0;
- *retlen = currlen - 1;
- return;
- return 1;
-}
-
-static void
-static int
-fmtstr(char **sbuffer,
- char **buffer,
- size_t *currlen,
- size_t *maxlen, const char *value, int flags, int min, int max)
-{
- int padlen, strln;
- int padlen;
- size_t strln;
- int cnt = 0;
-
- if (value == 0)
- value = "<NULL>";
- for (strln = 0; value[strln]; ++strln) ;
-
- strln = strlen(value);
- if (strln > INT_MAX)
- strln = INT_MAX;
-
- padlen = min - strln;
- if (padlen < 0)
- if (min < 0 || padlen < 0)
- padlen = 0;
- if (flags & DP_F_MINUS)
- padlen = -padlen;
-
- while ((padlen > 0) && (cnt < max)) {
- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
- if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
- return 0;
- --padlen;
- ++cnt;
- }
- while (*value && (cnt < max)) {
- doapr_outch(sbuffer, buffer, currlen, maxlen, *value++);
- if(!doapr_outch(sbuffer, buffer, currlen, maxlen, *value++))
- return 0;
- ++cnt;
- }
- while ((padlen < 0) && (cnt < max)) {
- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
- if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
- return 0;
- ++padlen;
- ++cnt;
- }
- return 1;
-}
-
-static void
-static int
-fmtint(char **sbuffer,
- char **buffer,
- size_t *currlen,
@ -470,37 +488,44 @@ Index: openssl-1.0.2b/crypto/bio/b_print.c
-
- /* spaces */
- while (spadlen > 0) {
- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
- if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
- return 0;
- --spadlen;
- }
-
- /* sign */
- if (signvalue)
- doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);
- if(!doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue))
- return 0;
-
- /* prefix */
- while (*prefix) {
- doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix);
- if(!doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix))
- return 0;
- prefix++;
- }
-
- /* zeros */
- if (zpadlen > 0) {
- while (zpadlen > 0) {
- doapr_outch(sbuffer, buffer, currlen, maxlen, '0');
- if(!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
- return 0;
- --zpadlen;
- }
- }
- /* digits */
- while (place > 0)
- doapr_outch(sbuffer, buffer, currlen, maxlen, convert[--place]);
- while (place > 0) {
- if (!doapr_outch(sbuffer, buffer, currlen, maxlen, convert[--place]))
- return 0;
- }
-
- /* left justified spaces */
- while (spadlen < 0) {
- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
- if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
- return 0;
- ++spadlen;
- }
- return;
- return 1;
-}
-
-static LDOUBLE abs_val(LDOUBLE value)
@ -531,7 +556,7 @@ Index: openssl-1.0.2b/crypto/bio/b_print.c
- return intpart;
-}
-
-static void
-static int
-fmtfp(char **sbuffer,
- char **buffer,
- size_t *currlen,
@ -610,47 +635,61 @@ Index: openssl-1.0.2b/crypto/bio/b_print.c
-
- if ((flags & DP_F_ZERO) && (padlen > 0)) {
- if (signvalue) {
- doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);
- if (!doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue))
- return 0;
- --padlen;
- signvalue = 0;
- }
- while (padlen > 0) {
- doapr_outch(sbuffer, buffer, currlen, maxlen, '0');
- if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
- return 0;
- --padlen;
- }
- }
- while (padlen > 0) {
- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
- if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
- return 0;
- --padlen;
- }
- if (signvalue)
- doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);
- if (signvalue && !doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue))
- return 0;
-
- while (iplace > 0)
- doapr_outch(sbuffer, buffer, currlen, maxlen, iconvert[--iplace]);
- while (iplace > 0) {
- if (!doapr_outch(sbuffer, buffer, currlen, maxlen, iconvert[--iplace]))
- return 0;
- }
-
- /*
- * Decimal point. This should probably use locale to find the correct
- * char to print out.
- */
- if (max > 0 || (flags & DP_F_NUM)) {
- doapr_outch(sbuffer, buffer, currlen, maxlen, '.');
- if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '.'))
- return 0;
-
- while (fplace > 0)
- doapr_outch(sbuffer, buffer, currlen, maxlen, fconvert[--fplace]);
- while (fplace > 0) {
- if(!doapr_outch(sbuffer, buffer, currlen, maxlen,
- fconvert[--fplace]))
- return 0;
- }
- }
- while (zpadlen > 0) {
- doapr_outch(sbuffer, buffer, currlen, maxlen, '0');
- if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
- return 0;
- --zpadlen;
- }
-
- while (padlen < 0) {
- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
- if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
- return 0;
- ++padlen;
- }
- return 1;
-}
-
-static void
-#define BUFFER_INC 1024
-
-static int
-doapr_outch(char **sbuffer,
- char **buffer, size_t *currlen, size_t *maxlen, int c)
-{
@ -661,24 +700,25 @@ Index: openssl-1.0.2b/crypto/bio/b_print.c
- assert(*currlen <= *maxlen);
-
- if (buffer && *currlen == *maxlen) {
- *maxlen += 1024;
- if (*maxlen > INT_MAX - BUFFER_INC)
- return 0;
-
- *maxlen += BUFFER_INC;
- if (*buffer == NULL) {
- *buffer = OPENSSL_malloc(*maxlen);
- if (!*buffer) {
- /* Panic! Can't really do anything sensible. Just return */
- return;
- }
- if (*buffer == NULL)
- return 0;
- if (*currlen > 0) {
- assert(*sbuffer != NULL);
- memcpy(*buffer, *sbuffer, *currlen);
- }
- *sbuffer = NULL;
- } else {
- *buffer = OPENSSL_realloc(*buffer, *maxlen);
- if (!*buffer) {
- /* Panic! Can't really do anything sensible. Just return */
- return;
- }
- char *tmpbuf;
- tmpbuf = OPENSSL_realloc(*buffer, *maxlen);
- if (tmpbuf == NULL)
- return 0;
- *buffer = tmpbuf;
- }
- }
-
@ -689,7 +729,7 @@ Index: openssl-1.0.2b/crypto/bio/b_print.c
- (*buffer)[(*currlen)++] = (char)c;
- }
-
- return;
- return 1;
-}
-
-/***************************************************************************/
@ -697,7 +737,7 @@ Index: openssl-1.0.2b/crypto/bio/b_print.c
int BIO_printf(BIO *bio, const char *format, ...)
{
va_list args;
@@ -754,28 +85,36 @@ int BIO_printf(BIO *bio, const char *for
@@ -794,32 +85,36 @@ int BIO_printf(BIO *bio, const char *for
return (ret);
}
@ -726,7 +766,11 @@ Index: openssl-1.0.2b/crypto/bio/b_print.c
-
- dynbuf = NULL;
- CRYPTO_push_info("doapr()");
- _dopr(&hugebufp, &dynbuf, &hugebufsize, &retlen, &ignored, format, args);
- if (!_dopr(&hugebufp, &dynbuf, &hugebufsize, &retlen, &ignored, format,
- args)) {
- OPENSSL_free(dynbuf);
- return -1;
- }
- if (dynbuf) {
- ret = BIO_write(bio, dynbuf, (int)retlen);
- OPENSSL_free(dynbuf);
@ -753,7 +797,7 @@ Index: openssl-1.0.2b/crypto/bio/b_print.c
return (ret);
}
@@ -791,28 +130,22 @@ int BIO_snprintf(char *buf, size_t n, co
@@ -835,29 +130,21 @@ int BIO_snprintf(char *buf, size_t n, co
int ret;
va_start(args, format);
@ -772,10 +816,13 @@ Index: openssl-1.0.2b/crypto/bio/b_print.c
- size_t retlen;
- int truncated;
+ int ret;
- _dopr(&buf, NULL, &n, &retlen, &truncated, format, args);
+ ret = vsnprintf(buf, n, format, args);
- if(!_dopr(&buf, NULL, &n, &retlen, &truncated, format, args))
- return -1;
+ if (ret >= n || ret == -1)
+ return (-1);
- if (truncated)
- /*
- * In case of truncation, return -1 like traditional snprintf.
@ -786,8 +833,5 @@ Index: openssl-1.0.2b/crypto/bio/b_print.c
- return -1;
- else
- return (retlen <= INT_MAX) ? (int)retlen : -1;
+ if (ret >= n || ret == -1)
+ return (-1);
+
+ return (ret);
}

154
openssl-1.0.2a-new-fips-reqs.patch
View File

@ -1,7 +1,8 @@
diff -up openssl-1.0.2a/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.2a/crypto/bn/bn_rand.c
--- openssl-1.0.2a/crypto/bn/bn_rand.c.fips-reqs 2015-03-19 14:19:00.000000000 +0100
+++ openssl-1.0.2a/crypto/bn/bn_rand.c 2015-04-22 15:06:37.907003880 +0200
@@ -136,9 +136,11 @@ static int bnrand(int pseudorand, BIGNUM
Index: openssl-1.0.2f/crypto/bn/bn_rand.c
===================================================================
--- openssl-1.0.2f.orig/crypto/bn/bn_rand.c 2016-01-28 14:38:30.000000000 +0100
+++ openssl-1.0.2f/crypto/bn/bn_rand.c 2016-01-28 15:59:54.945269236 +0100
@@ -141,9 +141,11 @@ static int bnrand(int pseudorand, BIGNUM
goto err;
}
@ -16,9 +17,10 @@ diff -up openssl-1.0.2a/crypto/bn/bn_rand.c.fips-reqs openssl-1.0.2a/crypto/bn/b
if (pseudorand) {
if (RAND_pseudo_bytes(buf, bytes) == -1)
diff -up openssl-1.0.2a/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.2a/crypto/dh/dh_gen.c
--- openssl-1.0.2a/crypto/dh/dh_gen.c.fips-reqs 2015-04-22 15:06:37.840002285 +0200
+++ openssl-1.0.2a/crypto/dh/dh_gen.c 2015-04-22 15:06:37.907003880 +0200
Index: openssl-1.0.2f/crypto/dh/dh_gen.c
===================================================================
--- openssl-1.0.2f.orig/crypto/dh/dh_gen.c 2016-01-28 15:59:54.912268693 +0100
+++ openssl-1.0.2f/crypto/dh/dh_gen.c 2016-01-28 15:59:54.945269236 +0100
@@ -128,7 +128,7 @@ static int dh_builtin_genparams(DH *ret,
return 0;
}
@ -28,9 +30,10 @@ diff -up openssl-1.0.2a/crypto/dh/dh_gen.c.fips-reqs openssl-1.0.2a/crypto/dh/dh
DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
goto err;
}
diff -up openssl-1.0.2a/crypto/dh/dh.h.fips-reqs openssl-1.0.2a/crypto/dh/dh.h
--- openssl-1.0.2a/crypto/dh/dh.h.fips-reqs 2015-04-22 15:06:37.908003903 +0200
+++ openssl-1.0.2a/crypto/dh/dh.h 2015-04-22 15:07:25.265130812 +0200
Index: openssl-1.0.2f/crypto/dh/dh.h
===================================================================
--- openssl-1.0.2f.orig/crypto/dh/dh.h 2016-01-28 15:59:54.912268693 +0100
+++ openssl-1.0.2f/crypto/dh/dh.h 2016-01-28 15:59:54.945269236 +0100
@@ -78,6 +78,7 @@
# endif
@ -39,44 +42,11 @@ diff -up openssl-1.0.2a/crypto/dh/dh.h.fips-reqs openssl-1.0.2a/crypto/dh/dh.h
# define DH_FLAG_CACHE_MONT_P 0x01
diff -up openssl-1.0.2a/crypto/dh/dh_check.c.fips-reqs openssl-1.0.2a/crypto/dh/dh_check.c
--- openssl-1.0.2a/crypto/dh/dh_check.c.fips-reqs 2015-03-19 14:30:36.000000000 +0100
+++ openssl-1.0.2a/crypto/dh/dh_check.c 2015-04-22 15:06:37.908003903 +0200
@@ -164,7 +164,30 @@ int DH_check_pub_key(const DH *dh, const
BN_sub_word(q, 1);
if (BN_cmp(pub_key, q) >= 0)
*ret |= DH_CHECK_PUBKEY_TOO_LARGE;
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && dh->q != NULL) {
+ BN_CTX *ctx = NULL;
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+ goto err;
+
+ if (BN_mod_exp_mont(q, pub_key, dh->q, dh->p, ctx, NULL) <= 0) {
+ BN_CTX_free(ctx);
+ goto err;
+ }
+ if (!BN_is_one(q)) {
+ /* it would be more correct to add new return flag
+ * for this test, but we do not want to do it
+ * so just error out
+ */
+ BN_CTX_free(ctx);
+ goto err;
+ }
+
+ BN_CTX_free(ctx);
+ }
+#endif
ok = 1;
err:
if (q != NULL)
diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.2a/crypto/dsa/dsa_gen.c
--- openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips-reqs 2015-04-22 15:06:37.841002309 +0200
+++ openssl-1.0.2a/crypto/dsa/dsa_gen.c 2015-04-22 15:06:37.908003903 +0200
@@ -165,9 +165,11 @@ int dsa_builtin_paramgen(DSA *ret, size_
Index: openssl-1.0.2f/crypto/dsa/dsa_gen.c
===================================================================
--- openssl-1.0.2f.orig/crypto/dsa/dsa_gen.c 2016-01-28 15:59:54.913268710 +0100
+++ openssl-1.0.2f/crypto/dsa/dsa_gen.c 2016-01-28 15:59:54.945269236 +0100
@@ -157,9 +157,11 @@ int dsa_builtin_paramgen(DSA *ret, size_
}
if (FIPS_module_mode() &&
@ -91,9 +61,10 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_gen.c.fips-reqs openssl-1.0.2a/crypto/dsa
DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN, DSA_R_KEY_SIZE_INVALID);
goto err;
}
diff -up openssl-1.0.2a/crypto/dsa/dsa.h.fips-reqs openssl-1.0.2a/crypto/dsa/dsa.h
--- openssl-1.0.2a/crypto/dsa/dsa.h.fips-reqs 2015-04-22 15:06:37.908003903 +0200
+++ openssl-1.0.2a/crypto/dsa/dsa.h 2015-04-22 15:09:01.291415852 +0200
Index: openssl-1.0.2f/crypto/dsa/dsa.h
===================================================================
--- openssl-1.0.2f.orig/crypto/dsa/dsa.h 2016-01-28 15:59:54.913268710 +0100
+++ openssl-1.0.2f/crypto/dsa/dsa.h 2016-01-28 15:59:54.946269253 +0100
@@ -89,6 +89,7 @@
# endif
@ -114,10 +85,11 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa.h.fips-reqs openssl-1.0.2a/crypto/dsa/dsa
* Rabin-Miller
*/
# define DSA_is_prime(n, callback, cb_arg) \
diff -up openssl-1.0.2a/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.2a/crypto/dsa/dsa_key.c
--- openssl-1.0.2a/crypto/dsa/dsa_key.c.fips-reqs 2015-04-22 15:06:37.905003832 +0200
+++ openssl-1.0.2a/crypto/dsa/dsa_key.c 2015-04-22 15:06:37.908003903 +0200
@@ -125,7 +125,7 @@ static int dsa_builtin_keygen(DSA *dsa)
Index: openssl-1.0.2f/crypto/dsa/dsa_key.c
===================================================================
--- openssl-1.0.2f.orig/crypto/dsa/dsa_key.c 2016-01-28 15:59:54.913268710 +0100
+++ openssl-1.0.2f/crypto/dsa/dsa_key.c 2016-01-28 15:59:54.946269253 +0100
@@ -120,7 +120,7 @@ static int dsa_builtin_keygen(DSA *dsa)
# ifdef OPENSSL_FIPS
if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
@ -126,10 +98,11 @@ diff -up openssl-1.0.2a/crypto/dsa/dsa_key.c.fips-reqs openssl-1.0.2a/crypto/dsa
DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
goto err;
}
diff -up openssl-1.0.2a/crypto/fips/fips.c.fips-reqs openssl-1.0.2a/crypto/fips/fips.c
--- openssl-1.0.2a/crypto/fips/fips.c.fips-reqs 2015-04-22 15:06:37.905003832 +0200
+++ openssl-1.0.2a/crypto/fips/fips.c 2015-04-22 15:06:37.909003927 +0200
@@ -424,26 +424,24 @@ int FIPS_module_mode_set(int onoff, cons
Index: openssl-1.0.2f/crypto/fips/fips.c
===================================================================
--- openssl-1.0.2f.orig/crypto/fips/fips.c 2016-01-28 15:59:54.939269138 +0100
+++ openssl-1.0.2f/crypto/fips/fips.c 2016-01-28 15:59:54.946269253 +0100
@@ -418,26 +418,24 @@ int FIPS_module_mode_set(int onoff, cons
ret = 0;
goto end;
}
@ -162,9 +135,10 @@ diff -up openssl-1.0.2a/crypto/fips/fips.c.fips-reqs openssl-1.0.2a/crypto/fips/
ret = 1;
goto end;
}
diff -up openssl-1.0.2a/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.2a/crypto/fips/fips_dh_selftest.c
--- openssl-1.0.2a/crypto/fips/fips_dh_selftest.c.fips-reqs 2015-04-22 15:06:37.909003927 +0200
+++ openssl-1.0.2a/crypto/fips/fips_dh_selftest.c 2015-04-22 15:06:37.909003927 +0200
Index: openssl-1.0.2f/crypto/fips/fips_dh_selftest.c
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.2f/crypto/fips/fips_dh_selftest.c 2016-01-28 15:59:54.946269253 +0100
@@ -0,0 +1,162 @@
+/* ====================================================================
+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
@ -328,9 +302,10 @@ diff -up openssl-1.0.2a/crypto/fips/fips_dh_selftest.c.fips-reqs openssl-1.0.2a/
+ return ret;
+}
+#endif
diff -up openssl-1.0.2a/crypto/fips/fips.h.fips-reqs openssl-1.0.2a/crypto/fips/fips.h
--- openssl-1.0.2a/crypto/fips/fips.h.fips-reqs 2015-04-22 15:06:37.899003689 +0200
+++ openssl-1.0.2a/crypto/fips/fips.h 2015-04-22 15:06:37.909003927 +0200
Index: openssl-1.0.2f/crypto/fips/fips.h
===================================================================
--- openssl-1.0.2f.orig/crypto/fips/fips.h 2016-01-28 15:59:54.939269138 +0100
+++ openssl-1.0.2f/crypto/fips/fips.h 2016-01-28 15:59:54.946269253 +0100
@@ -96,6 +96,7 @@ extern "C" {
int FIPS_selftest_dsa(void);
int FIPS_selftest_ecdsa(void);
@ -339,9 +314,10 @@ diff -up openssl-1.0.2a/crypto/fips/fips.h.fips-reqs openssl-1.0.2a/crypto/fips/
void FIPS_corrupt_rng(void);
void FIPS_rng_stick(void);
void FIPS_x931_stick(int onoff);
diff -up openssl-1.0.2a/crypto/fips/fips_post.c.fips-reqs openssl-1.0.2a/crypto/fips/fips_post.c
--- openssl-1.0.2a/crypto/fips/fips_post.c.fips-reqs 2015-04-22 15:06:37.895003594 +0200
+++ openssl-1.0.2a/crypto/fips/fips_post.c 2015-04-22 15:06:37.909003927 +0200
Index: openssl-1.0.2f/crypto/fips/fips_post.c
===================================================================
--- openssl-1.0.2f.orig/crypto/fips/fips_post.c 2016-01-28 15:59:54.933269039 +0100
+++ openssl-1.0.2f/crypto/fips/fips_post.c 2016-01-28 15:59:54.946269253 +0100
@@ -99,6 +99,8 @@ int FIPS_selftest(void)
rv = 0;
if (!FIPS_selftest_dsa())
@ -351,9 +327,10 @@ diff -up openssl-1.0.2a/crypto/fips/fips_post.c.fips-reqs openssl-1.0.2a/crypto/
if (!FIPS_selftest_ecdh())
rv = 0;
return rv;
diff -up openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c
--- openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c.fips-reqs 2015-04-22 15:06:37.854002618 +0200
+++ openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c 2015-04-22 15:06:37.910003951 +0200
Index: openssl-1.0.2f/crypto/fips/fips_rsa_selftest.c
===================================================================
--- openssl-1.0.2f.orig/crypto/fips/fips_rsa_selftest.c 2016-01-28 15:59:54.920268825 +0100
+++ openssl-1.0.2f/crypto/fips/fips_rsa_selftest.c 2016-01-28 15:59:54.947269270 +0100
@@ -60,68 +60,107 @@
#ifdef OPENSSL_FIPS
@ -1008,9 +985,10 @@ diff -up openssl-1.0.2a/crypto/fips/fips_rsa_selftest.c.fips-reqs openssl-1.0.2a
RSA_free(key);
return ret;
}
diff -up openssl-1.0.2a/crypto/fips/Makefile.fips-reqs openssl-1.0.2a/crypto/fips/Makefile
--- openssl-1.0.2a/crypto/fips/Makefile.fips-reqs 2015-04-22 15:06:37.895003594 +0200
+++ openssl-1.0.2a/crypto/fips/Makefile 2015-04-22 15:06:37.910003951 +0200
Index: openssl-1.0.2f/crypto/fips/Makefile
===================================================================
--- openssl-1.0.2f.orig/crypto/fips/Makefile 2016-01-28 15:59:54.933269039 +0100
+++ openssl-1.0.2f/crypto/fips/Makefile 2016-01-28 15:59:54.947269270 +0100
@@ -24,13 +24,15 @@ LIBSRC=fips_aes_selftest.c fips_des_self
fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c fips_rand.c \
fips_rsa_x931g.c fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
@ -1029,9 +1007,10 @@ diff -up openssl-1.0.2a/crypto/fips/Makefile.fips-reqs openssl-1.0.2a/crypto/fip
LIBCRYPTO=-L.. -lcrypto
diff -up openssl-1.0.2a/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.2a/crypto/rand/rand_lcl.h
--- openssl-1.0.2a/crypto/rand/rand_lcl.h.fips-reqs 2015-04-22 15:06:37.599996574 +0200
+++ openssl-1.0.2a/crypto/rand/rand_lcl.h 2015-04-22 15:06:37.910003951 +0200
Index: openssl-1.0.2f/crypto/rand/rand_lcl.h
===================================================================
--- openssl-1.0.2f.orig/crypto/rand/rand_lcl.h 2016-01-28 14:38:31.000000000 +0100
+++ openssl-1.0.2f/crypto/rand/rand_lcl.h 2016-01-28 15:59:54.947269270 +0100
@@ -112,7 +112,7 @@
#ifndef HEADER_RAND_LCL_H
# define HEADER_RAND_LCL_H
@ -1041,9 +1020,10 @@ diff -up openssl-1.0.2a/crypto/rand/rand_lcl.h.fips-reqs openssl-1.0.2a/crypto/r
# if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
# if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
diff -up openssl-1.0.2a/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.2a/crypto/rand/rand_lib.c
--- openssl-1.0.2a/crypto/rand/rand_lib.c.fips-reqs 2015-03-19 14:19:00.000000000 +0100
+++ openssl-1.0.2a/crypto/rand/rand_lib.c 2015-04-22 15:06:37.910003951 +0200
Index: openssl-1.0.2f/crypto/rand/rand_lib.c
===================================================================
--- openssl-1.0.2f.orig/crypto/rand/rand_lib.c 2016-01-28 14:38:31.000000000 +0100
+++ openssl-1.0.2f/crypto/rand/rand_lib.c 2016-01-28 15:59:54.947269270 +0100
@@ -236,12 +236,22 @@ static int drbg_rand_add(DRBG_CTX *ctx,
double entropy)
{
@ -1067,9 +1047,10 @@ diff -up openssl-1.0.2a/crypto/rand/rand_lib.c.fips-reqs openssl-1.0.2a/crypto/r
return 1;
}
diff -up openssl-1.0.2a/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.2a/crypto/rsa/rsa_gen.c
--- openssl-1.0.2a/crypto/rsa/rsa_gen.c.fips-reqs 2015-04-22 15:06:37.858002714 +0200
+++ openssl-1.0.2a/crypto/rsa/rsa_gen.c 2015-04-22 15:06:37.910003951 +0200
Index: openssl-1.0.2f/crypto/rsa/rsa_gen.c
===================================================================
--- openssl-1.0.2f.orig/crypto/rsa/rsa_gen.c 2016-01-28 15:59:54.923268874 +0100
+++ openssl-1.0.2f/crypto/rsa/rsa_gen.c 2016-01-28 15:59:54.947269270 +0100
@@ -1,5 +1,6 @@
/* crypto/rsa/rsa_gen.c */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
@ -1371,9 +1352,10 @@ diff -up openssl-1.0.2a/crypto/rsa/rsa_gen.c.fips-reqs openssl-1.0.2a/crypto/rsa
ok = 1;
err:
if (ok == -1) {
diff -up openssl-1.0.2a/ssl/t1_enc.c.fips-reqs openssl-1.0.2a/ssl/t1_enc.c
--- openssl-1.0.2a/ssl/t1_enc.c.fips-reqs 2015-03-19 14:30:36.000000000 +0100
+++ openssl-1.0.2a/ssl/t1_enc.c 2015-04-22 15:06:37.911003975 +0200
Index: openssl-1.0.2f/ssl/t1_enc.c
===================================================================
--- openssl-1.0.2f.orig/ssl/t1_enc.c 2016-01-28 14:56:08.000000000 +0100
+++ openssl-1.0.2f/ssl/t1_enc.c 2016-01-28 15:59:54.947269270 +0100
@@ -292,6 +292,23 @@ static int tls1_PRF(long digest_mask,
return ret;
}

675
openssl-1.0.2e-fips.patch
View File

File diff suppressed because it is too large Load Diff

3
openssl-1.0.2e.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e23ccafdb75cfcde782da0151731aa2185195ac745eea3846133f2e05c0e0bff
size 5256555

11
openssl-1.0.2e.tar.gz.asc
View File

@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAABAgAGBQJWYIyiAAoJENnE0m0OYESRdSwIAIlfOOvtTaKbsY1gDhM8LaAM
gC2HYR18ipcz0ZdZzNch/mGy8gpVNmBWDhWzTd5Yz0AHRFX0fpOX7QZXHozV/QaB
2LmQ9N1QbztqSq0MW+2VCX31BR79wWYHVQF4A9QT7MOwCSA3RhGfEiZiIHNNloRa
j55Dpe0CMVdpdQc2WxlUC1A8O837bwr6ruPxctneJAvHK/XyeS/ta7a4eI8UQxMS
zkBNlsuiWQRzlAqMyiAkqu9NBkuLdBhP5Gkh2D8XP/yt1KwECFJiyAc0PFXTMILi
cNG5KdPe3tN3xCgR38k4/DKRNi4F1IVoe5YE7sk7U2wmG4dc5Z/9zGCTx+2atc0=
=PIJl
-----END PGP SIGNATURE-----

3
openssl-1.0.2g.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b784b1b3907ce39abf4098702dade6365522a253ad1552e267a9a0e89594aa33
size 5266102

11
openssl-1.0.2g.tar.gz.asc Normal file
View File

@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAABAgAGBQJW1Zr6AAoJENnE0m0OYESRRpkH/0SkDJcp4rvICbxuaD9jyJCa
UJLH3vSMfJ9QNMdIp8yemixGSvjr0mPhFOcZPysXRZo88IwuIV0+Q5I7hvCQ0PSt
YH/HzBZO0eShhUyDxb397odbbhsAkZFJytT+EXdFqd0HJLtWuPxaBF0WPgkklOQC
3R/sv+M8FAaZiIbdBwNv1FNgGG26T4up0RgV0ETpXXv9Da+AViGrefA5szKAj9aL
SOCRuUnzQO7ohSh5AZvgHylh1m7CGpH4MIyoAtNFtyogukO3yS3CzZ1iFcjsdHDn
sDIRZ18a5JOX/vWU0OmUXGhF7XXV93S1/1mKAAEXRJZOxzrneFuyv5b61t/xXCE=
=/pDQ
-----END PGP SIGNATURE-----

55
openssl.changes
View File

@ -1,3 +1,58 @@
-------------------------------------------------------------------
Tue Mar 1 14:40:18 UTC 2016 - vcizek@suse.com
- update to 1.0.2g (bsc#968044)
* Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
Builds that are not configured with "enable-weak-ssl-ciphers" will not
provide any "EXPORT" or "LOW" strength ciphers.
* Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2
is by default disabled at build-time. Builds that are not configured with
"enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
will need to explicitly call either of:
SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
or
SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
(CVE-2016-0800)
* Fix a double-free in DSA code
(CVE-2016-0705)
* Disable SRP fake user seed to address a server memory leak.
Add a new method SRP_VBASE_get1_by_user that handles the seed properly.
(CVE-2016-0798)
* Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
(CVE-2016-0797)
*) Side channel attack on modular exponentiation
http://cachebleed.info.
(CVE-2016-0702)
*) Change the req app to generate a 2048-bit RSA/DSA key by default,
if no keysize is specified with default_bits. This fixes an
omission in an earlier change that changed all RSA/DSA key generation
apps to use 2048 bits by default.
-------------------------------------------------------------------
Thu Jan 28 15:10:38 UTC 2016 - vcizek@suse.com
- update to 1.0.2f (boo#963410)
*) DH small subgroups (boo#963413)
Historically OpenSSL only ever generated DH parameters based on "safe"
primes. More recently (in version 1.0.2) support was provided for
generating X9.42 style parameter files such as those required for RFC 5114
support. The primes used in such files may not be "safe". Where an
application is using DH configured with parameters based on primes that are
not "safe" then an attacker could use this fact to find a peer's private
DH exponent. This attack requires that the attacker complete multiple
handshakes in which the peer uses the same private DH exponent. For example
this could be used to discover a TLS server's private DH exponent if it's
reusing the private DH exponent or it's using a static DH ciphersuite.
(CVE-2016-0701)
*) SSLv2 doesn't block disabled ciphers (boo#963415)
A malicious client can negotiate SSLv2 ciphers that have been disabled on
the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
been disabled, provided that the SSLv2 protocol was not also disabled via
SSL_OP_NO_SSLv2.
(CVE-2015-3197)
*) Reject DH handshakes with parameters shorter than 1024 bits.
-------------------------------------------------------------------
Fri Dec 4 23:06:18 UTC 2015 - vcizek@suse.com

4
openssl.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package openssl
#
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -29,7 +29,7 @@ Provides: ssl
%ifarch ppc64
Obsoletes: openssl-64bit
%endif
Version: 1.0.2e
Version: 1.0.2g
Release: 0
Summary: Secure Sockets and Transport Layer Security
License: OpenSSL