Hello community,
here is the log from the commit of package perl-Crypt-OpenSSL-RSA for
openSUSE:Factory checked in at 2025-11-12 21:41:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/perl-Crypt-OpenSSL-RSA (Old)
and /work/SRC/openSUSE:Factory/.perl-Crypt-OpenSSL-RSA.new.1980 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "perl-Crypt-OpenSSL-RSA"
Wed Nov 12 21:41:40 2025 rev:25 rq:1317137 version:0.370.0
Changes:
--------
---
/work/SRC/openSUSE:Factory/perl-Crypt-OpenSSL-RSA/perl-Crypt-OpenSSL-RSA.changes
2025-06-03 17:51:14.555889974 +0200
+++
/work/SRC/openSUSE:Factory/.perl-Crypt-OpenSSL-RSA.new.1980/perl-Crypt-OpenSSL-RSA.changes
2025-11-12 21:42:30.640972799 +0100
@@ -1,0 +2,15 @@
+Thu Oct 30 05:32:10 UTC 2025 - Tina Müller <[email protected]>
+
+- updated to 0.370.0 (0.37)
+ see /usr/share/doc/packages/perl-Crypt-OpenSSL-RSA/Changes
+
+ 0.37 Oct 29 2025
+ - Fix libressl bitwise logic error in RSA.xs
+
+ 0.36 Oct 29 2025
+ - Fix old openssl on strawberry does not include whrlpool.h
+ - libressl message digest functions md cannot be NULL
+ - Don't support whirlpool in libressl
+ - Add support for use_pkcs1_pss_padding with fatal error if RSA-PSS is
used for encryption operations
+
+-------------------------------------------------------------------
Old:
----
Crypt-OpenSSL-RSA-0.35.tar.gz
New:
----
Crypt-OpenSSL-RSA-0.37.tar.gz
README.md
_scmsync.obsinfo
build.specials.obscpio
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ perl-Crypt-OpenSSL-RSA.spec ++++++
--- /var/tmp/diff_new_pack.vQqwwS/_old 2025-11-12 21:42:31.172995147 +0100
+++ /var/tmp/diff_new_pack.vQqwwS/_new 2025-11-12 21:42:31.172995147 +0100
@@ -1,7 +1,7 @@
#
# spec file for package perl-Crypt-OpenSSL-RSA
#
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -18,15 +18,16 @@
%define cpan_name Crypt-OpenSSL-RSA
Name: perl-Crypt-OpenSSL-RSA
-Version: 0.350.0
+Version: 0.370.0
Release: 0
-# 0.35 -> normalize -> 0.350.0
-%define cpan_version 0.35
+# 0.37 -> normalize -> 0.370.0
+%define cpan_version 0.37
License: Artistic-1.0 OR GPL-1.0-or-later
Summary: RSA encoding and decoding, using the openSSL libraries
URL: https://metacpan.org/release/%{cpan_name}
Source0:
https://cpan.metacpan.org/authors/id/T/TO/TODDR/%{cpan_name}-%{cpan_version}.tar.gz
Source1: cpanspec.yml
+Source100: README.md
Patch0: Crypt-OpenSSL-RSA.patch
BuildRequires: perl
BuildRequires: perl-macros
++++++ Crypt-OpenSSL-RSA-0.35.tar.gz -> Crypt-OpenSSL-RSA-0.37.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Crypt-OpenSSL-RSA-0.35/Changes
new/Crypt-OpenSSL-RSA-0.37/Changes
--- old/Crypt-OpenSSL-RSA-0.35/Changes 2025-05-07 18:04:57.000000000 +0200
+++ new/Crypt-OpenSSL-RSA-0.37/Changes 2025-10-29 22:38:08.000000000 +0100
@@ -1,5 +1,14 @@
Revision history for Perl extension Crypt::OpenSSL::RSA.
+0.37 Oct 29 2025
+ - Fix libressl bitwise logic error in RSA.xs
+
+0.36 Oct 29 2025
+ - Fix old openssl on strawberry does not include whrlpool.h
+ - libressl message digest functions md cannot be NULL
+ - Don't support whirlpool in libressl
+ - Add support for use_pkcs1_pss_padding with fatal error if RSA-PSS is
used for encryption operations
+
0.35 May 7 2025
- Disable PKCS#1 v1.5 padding. It's not practical to mitigate marvin
attacks so we will instead disable this and require alternatives to address the
issue.
- Resolves #42 - CVE-2024-2467.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Crypt-OpenSSL-RSA-0.35/META.json
new/Crypt-OpenSSL-RSA-0.37/META.json
--- old/Crypt-OpenSSL-RSA-0.35/META.json 2025-05-07 18:51:03.000000000
+0200
+++ new/Crypt-OpenSSL-RSA-0.37/META.json 2025-10-29 22:39:13.000000000
+0100
@@ -4,7 +4,7 @@
"Ian Robertson <[email protected]>"
],
"dynamic_config" : 1,
- "generated_by" : "ExtUtils::MakeMaker version 7.64, CPAN::Meta::Converter
version 2.150010",
+ "generated_by" : "ExtUtils::MakeMaker version 7.76, CPAN::Meta::Converter
version 2.150010",
"license" : [
"perl_5"
],
@@ -56,6 +56,6 @@
"url" : "http://github.com/cpan-authors/Crypt-OpenSSL-RSA"
}
},
- "version" : "0.35",
- "x_serialization_backend" : "JSON::PP version 4.07"
+ "version" : "0.37",
+ "x_serialization_backend" : "JSON::PP version 4.16"
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Crypt-OpenSSL-RSA-0.35/META.yml
new/Crypt-OpenSSL-RSA-0.37/META.yml
--- old/Crypt-OpenSSL-RSA-0.35/META.yml 2025-05-07 18:51:03.000000000 +0200
+++ new/Crypt-OpenSSL-RSA-0.37/META.yml 2025-10-29 22:39:13.000000000 +0100
@@ -9,7 +9,7 @@
Crypt::OpenSSL::Guess: '0.11'
ExtUtils::MakeMaker: '0'
dynamic_config: 1
-generated_by: 'ExtUtils::MakeMaker version 7.64, CPAN::Meta::Converter version
2.150010'
+generated_by: 'ExtUtils::MakeMaker version 7.76, CPAN::Meta::Converter version
2.150010'
license: perl
meta-spec:
url: http://module-build.sourceforge.net/META-spec-v1.4.html
@@ -30,5 +30,5 @@
homepage: http://github.com/cpan-authors/Crypt-OpenSSL-RSA
license: http://dev.perl.org/licenses/
repository: http://github.com/cpan-authors/Crypt-OpenSSL-RSA
-version: '0.35'
-x_serialization_backend: 'CPAN::Meta::YAML version 0.018'
+version: '0.37'
+x_serialization_backend: 'CPAN::Meta::YAML version 0.020'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Crypt-OpenSSL-RSA-0.35/RSA.pm
new/Crypt-OpenSSL-RSA-0.37/RSA.pm
--- old/Crypt-OpenSSL-RSA-0.35/RSA.pm 2025-05-07 18:02:52.000000000 +0200
+++ new/Crypt-OpenSSL-RSA-0.37/RSA.pm 2025-10-29 22:37:23.000000000 +0100
@@ -5,7 +5,7 @@
use Carp; # Removing carp will break the XS code.
-our $VERSION = '0.35';
+our $VERSION = '0.37';
use XSLoader;
XSLoader::load 'Crypt::OpenSSL::RSA', $VERSION;
@@ -245,7 +245,7 @@
PKCS #1 v1.5 padding has been disabled as it is nearly impossible to use this
padding method in a secure manner. It is known to be vulnerable to timing
-based side channel attacks. use_pkcs1_padding() results in a fatal error.
+based side channel attacks. use_pkcs1_padding() results in a fatal error.
L<Marvin
Attack|https://github.com/tomato42/marvin-toolkit/blob/master/README.md>
@@ -256,6 +256,16 @@
all new applications. It is the default mode used by
C<Crypt::OpenSSL::RSA>.
+=item use_pkcs1_pss_padding
+
+Use C<RSA-PSS> padding as defined in PKCS#1 v2.1. In general, RSA-PSS
+should be used as a replacement for RSA-PKCS#1 v1.5. The module specifies
+the message digest being requested and the appropriate mgf1 setting and
+salt length for the digest.
+
+B<Note>: RSA-PSS cannot be used for encryption/decryption and results in a
+fatal error. Call C<use_pkcs1_oaep_padding> for encryption operations.
+
=item use_sslv23_padding
Use C<PKCS #1 v1.5> padding with an SSL-specific modification that
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Crypt-OpenSSL-RSA-0.35/RSA.xs
new/Crypt-OpenSSL-RSA-0.37/RSA.xs
--- old/Crypt-OpenSSL-RSA-0.35/RSA.xs 2025-05-07 18:02:17.000000000 +0200
+++ new/Crypt-OpenSSL-RSA-0.37/RSA.xs 2025-10-29 22:34:34.000000000 +0100
@@ -10,9 +10,11 @@
#include <openssl/pem.h>
#include <openssl/rand.h>
#include <openssl/ripemd.h>
-#if OPENSSL_VERSION_NUMBER < 0x30000000
+#if OPENSSL_VERSION_NUMBER >= 0x10000000 && OPENSSL_VERSION_NUMBER < 0x30000000
+#ifndef LIBRESSL_VERSION_NUMBER
#include <openssl/whrlpool.h>
#endif
+#endif
#include <openssl/rsa.h>
#include <openssl/sha.h>
#include <openssl/ssl.h>
@@ -200,10 +202,10 @@
{
STRLEN text_length;
unsigned char* text;
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- static unsigned char md[EVP_MAX_MD_SIZE];
-#endif
+ unsigned char *md;
+ static unsigned char m[EVP_MAX_MD_SIZE];
text = (unsigned char*) SvPV(text_SV, text_length);
+ md = m;
switch(hash_method)
{
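Review bot: The digest is now always written into the function-static `m` and returned by pointer, both in this hunk and in every `MD5`/`SHA*`/`RIPEMD160`/`WHIRLPOOL` call of the next hunk, so the result is overwritten by the next call and is shared by all threads in the process. That matches what the old `NULL` argument did inside OpenSSL, but the constraint is now this module's own and should be stated, e.g. `/* Returns a pointer to static storage: not reentrant, consume before the next call. */`. The `md = m;` indirection is not needed; declaring `static unsigned char md[EVP_MAX_MD_SIZE];` unconditionally gives the same code with one name fewer. The function starts before and ends after this hunk.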
@@ -211,36 +213,36 @@
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
return EVP_Q_digest(NULL, "MD5", NULL, text, text_length, md,
NULL) ? md : NULL;
#else
- return MD5(text, text_length, NULL);
+ return MD5(text, text_length, md);
#endif
break;
case NID_sha1:
- return SHA1(text, text_length, NULL);
+ return SHA1(text, text_length, md);
break;
#ifdef SHA512_DIGEST_LENGTH
case NID_sha224:
- return SHA224(text, text_length, NULL);
+ return SHA224(text, text_length, md);
break;
case NID_sha256:
- return SHA256(text, text_length, NULL);
+ return SHA256(text, text_length, md);
break;
case NID_sha384:
- return SHA384(text, text_length, NULL);
+ return SHA384(text, text_length, md);
break;
case NID_sha512:
- return SHA512(text, text_length, NULL);
+ return SHA512(text, text_length, md);
break;
#endif
case NID_ripemd160:
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
return EVP_Q_digest(NULL, "RIPEMD160", NULL, text, text_length,
md, NULL) ? md : NULL;
#else
- return RIPEMD160(text, text_length, NULL);
+ return RIPEMD160(text, text_length, md);
#endif
break;
#ifdef WHIRLPOOL_DIGEST_LENGTH
case NID_whirlpool:
- return WHIRLPOOL(text, text_length, NULL);
+ return WHIRLPOOL(text, text_length, md);
break;
#endif
default:
@@ -321,6 +323,10 @@
size = EVP_PKEY_get_size(p_rsa->rsa);
CHECK_NEW(to, size, UNSIGNED_CHAR);
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+
+ if(p_rsa->padding == RSA_PKCS1_PSS_PADDING)
+ croak("PKCS#1 v2.1 RSA-PSS cannot be used for encryption operations
call \"use_pkcs1_oaep_padding\" instead.");
+
EVP_PKEY_CTX *ctx;
OSSL_LIB_CTX *ossllibctx = OSSL_LIB_CTX_new();
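Review bot: The new `croak` runs after `CHECK_NEW(to, size, UNSIGNED_CHAR)` two lines above it, so if that macro allocates `to` (its definition is outside the hunk) the buffer is never released when PSS padding is rejected. The test is also placed inside `#if OPENSSL_VERSION_NUMBER >= 0x30000000L`, and the other branch is not visible here, so it is unclear whether older OpenSSL or LibreSSL builds give the fatal error the POD promises. Moving `if(p_rsa->padding == RSA_PKCS1_PSS_PADDING) croak(...)` above the `size = EVP_PKEY_get_size(...)` line would address both. The function starts and ends outside the hunk.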
@@ -933,6 +939,12 @@
CODE:
p_rsa->padding = RSA_PKCS1_OAEP_PADDING;
+void
+use_pkcs1_pss_padding(p_rsa)
+ rsaData* p_rsa;
+ CODE:
+ p_rsa->padding = RSA_PKCS1_PSS_PADDING;
+
#if OPENSSL_VERSION_NUMBER < 0x30000000L
void
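Review bot: `use_pkcs1_pss_padding` is registered for every build, while the PSS parameter setup added to verify in this diff sits before an `#else`, which suggests it exists only in the OpenSSL 3 branch. If the pre-3.0 or LibreSSL signing path ignores `p_rsa->padding` (that code is not visible here), a caller who selects PSS on such a build would silently get a different signature scheme than requested. Either guard this XSUB the way the version-specific ones below it are guarded, or make the legacy sign/verify path croak when `p_rsa->padding == RSA_PKCS1_PSS_PADDING`.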
@@ -968,14 +980,17 @@
CHECK_OPEN_SSL(ctx);
CHECK_OPEN_SSL(EVP_PKEY_sign_init(ctx));
/* FIXME: Issue setting padding in some cases */
- EVP_PKEY_CTX_set_rsa_padding(ctx, p_rsa->padding);
+ CHECK_OPEN_SSL(EVP_PKEY_CTX_set_rsa_padding(ctx, p_rsa->padding) > 0);
EVP_MD* md = get_md_bynid(p_rsa->hashMode);
CHECK_OPEN_SSL(md != NULL);
int md_status;
CHECK_OPEN_SSL((md_status = EVP_PKEY_CTX_set_signature_md(ctx, md)) > 0);
-
+ if (p_rsa->padding == RSA_PKCS1_PSS_PADDING) {
+ CHECK_OPEN_SSL((md_status = EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, md)) >
0);
+ CHECK_OPEN_SSL(EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx,
RSA_PSS_SALTLEN_DIGEST) > 0);
+ }
CHECK_OPEN_SSL(EVP_PKEY_sign(ctx, NULL, &signature_length, digest,
get_digest_length(p_rsa->hashMode)) == 1);
//signature = OPENSSL_malloc(signature_length);
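Review bot: The PSS block added here is repeated verbatim in the verify hunk below; sign and verify must apply identical MGF1 and salt-length settings, so one helper in the C section of the file keeps the two from drifting apart. `md_status` is assigned by the new `EVP_PKEY_CTX_set_rsa_mgf1_md` call but nothing in the hunk reads it, and the `/* FIXME: Issue setting padding in some cases */` comment is stale now that the return value is checked. The enclosing XSUB starts and ends outside the hunk.

```c
/* PSS parameters shared by sign() and verify(): MGF1 uses the signature
 * digest and the salt length equals the digest length. */
static int set_pss_params(EVP_PKEY_CTX *ctx, const EVP_MD *md)
{
    if (EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, md) <= 0)
        return 0;
    return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, RSA_PSS_SALTLEN_DIGEST) > 0;
}

/* … unchanged: EVP_PKEY_sign_init, padding and signature-digest setup … */
    if (p_rsa->padding == RSA_PKCS1_PSS_PADDING)
        CHECK_OPEN_SSL(set_pss_params(ctx, md));
```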
@@ -1025,13 +1040,17 @@
CHECK_OPEN_SSL(ctx);
CHECK_OPEN_SSL(EVP_PKEY_verify_init(ctx) == 1);
/* FIXME: Issue setting padding in some cases */
- EVP_PKEY_CTX_set_rsa_padding(ctx, p_rsa->padding);
+ CHECK_OPEN_SSL(EVP_PKEY_CTX_set_rsa_padding(ctx, p_rsa->padding) > 0);
EVP_MD* md = get_md_bynid(p_rsa->hashMode);
CHECK_OPEN_SSL(md != NULL);
int md_status;
CHECK_OPEN_SSL((md_status = EVP_PKEY_CTX_set_signature_md(ctx, md)) > 0);
+ if (p_rsa->padding == RSA_PKCS1_PSS_PADDING) {
+ CHECK_OPEN_SSL((md_status = EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, md)) >
0);
+ CHECK_OPEN_SSL(EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx,
RSA_PSS_SALTLEN_DIGEST) > 0);
+ }
switch (EVP_PKEY_verify(ctx, sig, sig_length, digest,
get_digest_length(p_rsa->hashMode)))
#else
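Review bot: Verification pins the salt length to `RSA_PSS_SALTLEN_DIGEST`, so a valid PSS signature produced elsewhere with a different salt length (for example the maximum permitted one) will be rejected. That strictness is a reasonable default, but the POD only says "appropriate ... salt length"; it should state the contract, e.g. `Signatures use MGF1 with the selected digest and a salt length equal to the digest length; verify() accepts only signatures created with these parameters.` If interoperability with other signers is a goal, `RSA_PSS_SALTLEN_AUTO` on the verify side is the usual alternative. The `switch` on the verify result continues outside the hunk.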
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Crypt-OpenSSL-RSA-0.35/t/rsa.t
new/Crypt-OpenSSL-RSA-0.37/t/rsa.t
--- old/Crypt-OpenSSL-RSA-0.35/t/rsa.t 2025-05-07 18:02:17.000000000 +0200
+++ new/Crypt-OpenSSL-RSA-0.37/t/rsa.t 2025-10-29 22:36:09.000000000 +0100
@@ -6,7 +6,7 @@
use Crypt::OpenSSL::Guess qw(openssl_version);
BEGIN {
- plan tests => 37 + ( UNIVERSAL::can( "Crypt::OpenSSL::RSA",
"use_sha512_hash" ) ? 4 * 5 : 0 ) + ( UNIVERSAL::can( "Crypt::OpenSSL::RSA",
"use_whirlpool_hash" ) ? 1 * 5 : 0 );
+ plan tests => 67 + ( UNIVERSAL::can( "Crypt::OpenSSL::RSA",
"use_sha512_hash" ) ? 4 * 5 : 0 ) + ( UNIVERSAL::can( "Crypt::OpenSSL::RSA",
"use_whirlpool_hash" ) ? 1 * 5 : 0 );
}
sub _Test_Encrypt_And_Decrypt {
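Review bot: The constant grew by 30 (37 to 67), which folds the second padding's four SHA-2 runs (4 x 5 tests) into the unconditional part while the `use_sha512_hash` term still adds only `4 * 5`. On a build where `use_sha512_hash` is unavailable the script would run 20 fewer tests than planned and fail on the plan alone. Assuming the only new tests are those from the padding loop further down, the plan should start `plan tests => 47 + ( UNIVERSAL::can( "Crypt::OpenSSL::RSA", "use_sha512_hash" ) ? 2 * 4 * 5 : 0 )`, with the whirlpool term unchanged.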
@@ -37,16 +37,17 @@
my $sig = eval { $rsa->sign($plaintext) };
SKIP: {
skip "OpenSSL error: illegal or unsupported padding mode - $hash", 5
if $@ =~ /illegal or unsupported padding mode/i;
- ok( $rsa_pub->verify( $plaintext, $sig ) );
+ skip "OpenSSL error: invalid digest - $hash", 5 if $@ =~ /invalid
digest/i;
+ ok( $rsa_pub->verify( $plaintext, $sig ), "rsa_pub verify $hash");
my $false_sig = unpack "H*", $sig;
$false_sig =~ tr/[a-f]/[0a-d]/;
- ok( !$rsa_pub->verify( $plaintext, pack( "H*", $false_sig ) ) );
- ok( !$rsa->verify( $plaintext, pack( "H*", $false_sig ) ) );
+ ok( !$rsa_pub->verify( $plaintext, pack( "H*", $false_sig ) ),
"rsa_pub do not verify invalid $hash" );
+ ok( !$rsa->verify( $plaintext, pack( "H*", $false_sig ) ), "rsa do not
verify invalid $hash" );
my $sig_of_other = $rsa->sign("different");
- ok( !$rsa_pub->verify( $plaintext, $sig_of_other ) );
- ok( !$rsa->verify( $plaintext, $sig_of_other ) );
+ ok( !$rsa_pub->verify( $plaintext, $sig_of_other ), "rsa_pub do not
verify unmatching message" );
+ ok( !$rsa->verify( $plaintext, $sig_of_other ), "rsa do not verify
unmatching message");
}
}
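Review bot: The added `skip ... if $@ =~ /invalid digest/i` treats every "invalid digest" failure from `sign` as an unsupported combination, whatever hash and padding were passed in. If PSS signing regressed with that error for all digests, each block would be skipped and the suite would still pass. Restrict the skip to the combinations that are expected to be unsupported and surface anything else, e.g. `diag("sign failed for $hash: $@") if $@;` ahead of the two `skip` lines. The sub (presumably `_Test_Sign_And_Verify`) starts before this hunk.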
@@ -69,8 +70,8 @@
ok( Crypt::OpenSSL::RSA->generate_key(512)->size() * 8 == 512 );
-my $rsa = Crypt::OpenSSL::RSA->generate_key(1024);
-ok( $rsa->size() * 8 == 1024 );
+my $rsa = Crypt::OpenSSL::RSA->generate_key(2048);
+ok( $rsa->size() * 8 == 2048 );
ok( $rsa->check_key() );
$rsa->use_no_padding();
@@ -121,31 +122,38 @@
$plaintext .= $plaintext x 5;
-# check signature algorithms
-$rsa->use_md5_hash();
-$rsa_pub->use_md5_hash();
-_Test_Sign_And_Verify( $plaintext, $rsa, $rsa_pub, "md5" );
-
-$rsa->use_sha1_hash();
-$rsa_pub->use_sha1_hash();
-_Test_Sign_And_Verify( $plaintext, $rsa, $rsa_pub, "sha1" );
+my @paddings = qw/pkcs1_oaep pkcs1_pss/;
+foreach my $padding (@paddings) {
+ my $p = "use_${padding}_padding";
+
+ $rsa->$p;
+ $rsa_pub->$p;
+ # check signature algorithms
+ $rsa->use_md5_hash();
+ $rsa_pub->use_md5_hash();
+ _Test_Sign_And_Verify( $plaintext, $rsa, $rsa_pub, "md5 with $padding
padding" );
+
+ $rsa->use_sha1_hash();
+ $rsa_pub->use_sha1_hash();
+ _Test_Sign_And_Verify( $plaintext, $rsa, $rsa_pub, "sha1 with $padding
padding" );
-if ( UNIVERSAL::can( "Crypt::OpenSSL::RSA", "use_sha512_hash" ) ) {
+ if ( UNIVERSAL::can( "Crypt::OpenSSL::RSA", "use_sha512_hash" ) ) {
$rsa->use_sha224_hash();
$rsa_pub->use_sha224_hash();
- _Test_Sign_And_Verify( $plaintext, $rsa, $rsa_pub, "sha224" );
+ _Test_Sign_And_Verify( $plaintext, $rsa, $rsa_pub, "sha224 with $padding
padding" );
$rsa->use_sha256_hash();
$rsa_pub->use_sha256_hash();
- _Test_Sign_And_Verify( $plaintext, $rsa, $rsa_pub, "sha256" );
+ _Test_Sign_And_Verify( $plaintext, $rsa, $rsa_pub, "sha256 with $padding
padding" );
$rsa->use_sha384_hash();
$rsa_pub->use_sha384_hash();
- _Test_Sign_And_Verify( $plaintext, $rsa, $rsa_pub, "sha384" );
+ _Test_Sign_And_Verify( $plaintext, $rsa, $rsa_pub, "sha384 with $padding
padding" );
$rsa->use_sha512_hash();
$rsa_pub->use_sha512_hash();
- _Test_Sign_And_Verify( $plaintext, $rsa, $rsa_pub, "sha512" );
+ _Test_Sign_And_Verify( $plaintext, $rsa, $rsa_pub, "sha512 with $padding
padding" );
+ }
}
my ( $major, $minor, $patch ) = openssl_version();
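Review bot: When the `foreach` ends, both `$rsa` and `$rsa_pub` are left in `pkcs1_pss` mode, and the rest of the script is outside this hunk; any later encrypt or decrypt on these objects would hit the new fatal error rather than test what it intends. Reset the state explicitly after the loop with `$rsa->use_pkcs1_oaep_padding(); $rsa_pub->use_pkcs1_oaep_padding();`. The body of the `if ( UNIVERSAL::can( ... "use_sha512_hash" ) )` block was also not re-indented when it moved inside the loop, which makes the closing braces hard to pair.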
++++++ README.md ++++++
## Build Results
Current state of perl in openSUSE:Factory is

The current state of perl in the devel project build (devel:languages:perl)

++++++ _scmsync.obsinfo ++++++
mtime: 1761802331
commit: 2ca62f7cf4b296d01f16e518a391d9c8360123a3ab5457b7c859edbaee063304
url: https://src.opensuse.org/perl/perl-Crypt-OpenSSL-RSA.git
revision: 2ca62f7cf4b296d01f16e518a391d9c8360123a3ab5457b7c859edbaee063304
projectscmsync: https://src.opensuse.org/perl/_ObsPrj
++++++ build.specials.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/.gitignore new/.gitignore
--- old/.gitignore 1970-01-01 01:00:00.000000000 +0100
+++ new/.gitignore 2025-11-09 16:58:17.000000000 +0100
@@ -0,0 +1 @@
+.osc