Revisions of openssl-3
Otto Hollmann (ohollmann)
committed
(revision 72)
- openssl-CVE-2024-0727.patch
Otto Hollmann (ohollmann)
committed
(revision 71)
- Add migration script to move old files (bsc#1219562) /etc/ssl/engines.d/* -> /etc/ssl/engines1.1.d.rpmsave /etc/ssl/engdef.d/* -> /etc/ssl/engdef1.1.d.rpmsave They will be later restored by openssl-1_1 package to engines1.1.d and engdef1.1.d - Security fix: [bsc#1219243, CVE-2024-0727] * Add NULL checks where ContentInfo data can be NULL * Add openssl-CVE-2024-0727.patch
Otto Hollmann (ohollmann)
accepted
request 1143594
from
Otto Hollmann (ohollmann)
(revision 70)
- Update to 3.2.1: * Fixed PKCS12 Decoding crashes (CVE-2024-0727) * Fixed excessive time spent checking invalid RSA public keys (CVE-2023-6237) * Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC CPUs which support PowerISA 2.07 (CVE-2023-6129) * Fixed excessive time spent in DH check / generation with large Q parameter value [(CVE-2023-5678)] * Remove patches: - openssl-CVE-2023-6237.patch - openssl-CVE-2023-6129.patch - openssl-CVE-2023-6237.patch - openssl-Remove-the-source-directory-.num-targets.patch - openssl-Enable-BTI-feature-for-md5-on-aarch64.patch - openssl-Fix_test_symbol_presence.patch
Otto Hollmann (ohollmann)
accepted
request 1143581
from
Otto Hollmann (ohollmann)
(revision 69)
- Replace our reverted commit with an upstream version * rename openssl-Revert-Makefile-Call-mknum.pl-on-make-ordinals-only-if.patch to openssl-Remove-the-source-directory-.num-targets.patch - Update to 3.2.0: * The BLAKE2b hash algorithm supports a configurable output length by setting the "size" parameter. * Enable extra Arm64 optimization on Windows for GHASH, RAND and AES. * Added a function to delete objects from store by URI - OSSL_STORE_delete() and the corresponding provider-storemgmt API function OSSL_FUNC_store_delete(). * Added OSSL_FUNC_store_open_ex() provider-storemgmt API function to pass a passphrase callback when opening a store. * Changed the default salt length used by PBES2 KDF's (PBKDF2 and scrypt) from 8 bytes to 16 bytes. The PKCS5 (RFC 8018) standard uses a 64 bit salt length for PBE, and recommends a minimum of 64 bits for PBES2. For FIPS compliance PBKDF2 requires a salt length of 128 bits. This affects OpenSSL command line applications such as "genrsa" and "pkcs8" and API's such as PEM_write_bio_PrivateKey() that are reliant on the default value. The additional commandline option 'saltlen' has been added to the OpenSSL command line applications for "pkcs8" and "enc" to allow the salt length to be set to a non default value. * Changed the default value of the ess_cert_id_alg configuration option which is used to calculate the TSA's public key certificate identifier. The default algorithm is updated to be sha256 instead of sha1. * Added optimization for SM2 algorithm on aarch64. It uses a huge precomputed table for point multiplication of the base point,
buildservice-autocommit
accepted
request 1139750
from
Otto Hollmann (ohollmann)
(revision 68)
auto commit by copy to link target
Otto Hollmann (ohollmann)
accepted
request 1139749
from
Otto Hollmann (ohollmann)
(revision 67)
- Rename openssl-Override-default-paths-for-the-CA-directory-tree.patch to openssl-crypto-policies.patch - Embed the FIPS hmac. Add openssl-FIPS-embed-hmac.patch - Define SUSE_OPENSSL_FIPS_VERSION for the FIPS provider * Add openssl-FIPS-SUSE-version.patch - Load FIPS the provider and set FIPS properties implicitly (bsc#1218091) * Add openssl-Force-FIPS.patch
buildservice-autocommit
accepted
request 1120051
from
Otto Hollmann (ohollmann)
(revision 66)
auto commit by copy to link target
Otto Hollmann (ohollmann)
accepted
request 1120049
from
Otto Hollmann (ohollmann)
(revision 65)
- Update to 3.1.4: * Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() with OSSL_PARAM parameters that alter the key or IV length [bsc#1216163, CVE-2023-5363]. - Performance enhancements for cryptography from OpenSSL 3.2 - openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
Otto Hollmann (ohollmann)
accepted
request 1119074
from
Otto Hollmann (ohollmann)
(revision 64)
- Performance enhancements for cryptography from OpenSSL 3.x [jsc#PED-5086, jsc#PED-3514] * Add patches: - openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch - openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch - openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch - openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch - openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch
Otto Hollmann (ohollmann)
accepted
request 1118943
from
Pedro Monreal Gonzalez (pmonrealgonzalez)
(revision 63)
- FIPS: Add the FIPS_mode() compatibility macro and flag support. * Add patches: - openssl-Add-FIPS_mode-compatibility-macro.patch - openssl-Add-Kernel-FIPS-mode-flag-support.patch
Pedro Monreal Gonzalez (pmonrealgonzalez)
committed
(revision 62)
Pedro Monreal Gonzalez (pmonrealgonzalez)
accepted
request 1099203
from
Pedro Monreal Gonzalez (pmonrealgonzalez)
(revision 61)
- Security fix: [bsc#1213383, CVE-2023-2975] * AES-SIV implementation ignores empty associated data entries * Add openssl-CVE-2023-2975.patch
Otto Hollmann (ohollmann)
committed
(revision 60)
Otto Hollmann (ohollmann)
accepted
request 1094111
from
Otto Hollmann (ohollmann)
(revision 59)
- Improve cross-package provides/conflicts [boo#1210313] * Add Provides/Conflicts: ssl-devel * Remove explicit conflicts with other devel-libraries * Remove Provides: openssl(cli) - it's managed by meta package
Pedro Monreal Gonzalez (pmonrealgonzalez)
accepted
request 1090037
from
Pedro Monreal Gonzalez (pmonrealgonzalez)
(revision 58)
- FIPS: Add Kernel FIPS mode flag support OPENSSL_FORCE_FIPS_MODE * Add openssl-Kernel-FIPS-mode-flag-support.patch - FIPS: Add FIPS_mode() compatibility macro: * The macro calls EVP_default_properties_is_fips_enabled() on the default context. * Add openssl-FIPS_mode-compatibility-macro.patch
buildservice-autocommit
accepted
request 1089931
from
Otto Hollmann (ohollmann)
(revision 57)
auto commit by copy to link target
Otto Hollmann (ohollmann)
accepted
request 1089930
from
Otto Hollmann (ohollmann)
(revision 56)
- Update to 3.1.1:
buildservice-autocommit
accepted
request 1089847
from
Otto Hollmann (ohollmann)
(revision 55)
auto commit by copy to link target
Otto Hollmann (ohollmann)
accepted
request 1089846
from
Otto Hollmann (ohollmann)
(revision 54)
- Update to 3.1.0: * Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will translate (CVE-2023-2650, bsc#1211430) * Multiple algorithm implementation fixes for ARM BE platforms. * Added a -pedantic option to fipsinstall that adjusts the various settings to ensure strict FIPS compliance rather than backwards compatibility. * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which happens if the buffer size is 4 mod 5 in 16 byte AES blocks. This can trigger a crash of an application using AES-XTS decryption if the memory just after the buffer being decrypted is not mapped. Thanks to Anton Romanov (Amazon) for discovering the issue. (CVE-2023-1255, bsc#1210714) * Add FIPS provider configuration option to disallow the use of truncated digests with Hash and HMAC DRBGs (q.v. FIPS 140-3 IG D.R.). The option '-no_drbg_truncated_digests' can optionally be supplied to 'openssl fipsinstall'. * Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention that it does not enable policy checking. Thanks to David Benjamin for discovering this issue. (CVE-2023-0466, bsc#1209873) * Fixed an issue where invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. (CVE-2023-0465, bsc#1209878) * Limited the number of nodes created in a policy tree to mitigate against CVE-2023-0464. The default limit is set to 1000 nodes, which should be sufficient for most installations. If required, the limit can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build time define to a desired maximum number of nodes or zero to allow unlimited growth. (CVE-2023-0464, bsc#1209624) * Update openssl.keyring with key
Pedro Monreal Gonzalez (pmonrealgonzalez)
accepted
request 1089533
from
Pedro Monreal Gonzalez (pmonrealgonzalez)
(revision 53)
- FIPS: Merge libopenssl3-hmac package into the library [bsc#1185116]
Displaying revisions 1 - 20 of 72