Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssl-1_1 for openSUSE:Factory checked in at 2023-12-01 21:24:50 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openssl-1_1 (Old) and /work/SRC/openSUSE:Factory/.openssl-1_1.new.25432 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl-1_1" Fri Dec 1 21:24:50 2023 rev:55 rq:1130033 version:1.1.1w Changes: --------
--- /work/SRC/openSUSE:Factory/openssl-1_1/openssl-1_1.changes 2023-11-17 20:48:48.571523906 +0100
+++ /work/SRC/openSUSE:Factory/.openssl-1_1.new.25432/openssl-1_1.changes 2023-12-01 21:25:00.817096507 +0100
@@ -1,0 +2,14 @@
+Thu Nov 23 09:43:39 UTC 2023 - Otto Hollmann <otto.hollm...@suse.com>
+
+- Skip SHA1 test in 20-test_dgst.t when in FIPS mode
+ * Add openssl-Skip_SHA1-test-in-FIPS-mode.patch
+- FIPS: add openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch
+ * bsc#1190652 - Provide a service to output module name/identifier
+ and version
+- Sync patches with SLE:
+ * Merge openssl-keep_EVP_KDF_functions_version.patch into
+ openssl-1.1.1-evp-kdf.patch
+ * Refresh openssl-1_1-fips-bsc1215215_fips_in_version_string.patch
+ * Remove openssl-no-date.patch
+
+-------------------------------------------------------------------
Old: ---- openssl-keep_EVP_KDF_functions_version.patch openssl-no-date.patch New: ---- openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch openssl-Skip_SHA1-test-in-FIPS-mode.patch BETA DEBUG BEGIN: Old:- Sync patches with SLE: * Merge openssl-keep_EVP_KDF_functions_version.patch into openssl-1.1.1-evp-kdf.patch Old: * Refresh openssl-1_1-fips-bsc1215215_fips_in_version_string.patch * Remove openssl-no-date.patch BETA DEBUG END: BETA DEBUG BEGIN: New: * Add openssl-Skip_SHA1-test-in-FIPS-mode.patch - FIPS: add openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch * bsc#1190652 - Provide a service to output module name/identifier New:- Skip SHA1 test in 20-test_dgst.t when in FIPS mode * Add openssl-Skip_SHA1-test-in-FIPS-mode.patch - FIPS: add openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ openssl-1_1.spec ++++++
--- /var/tmp/diff_new_pack.PesRiw/_old 2023-12-01 21:25:02.493158064 +0100
+++ /var/tmp/diff_new_pack.PesRiw/_new 2023-12-01 21:25:02.493158064 +0100
@@ -60,7 +60,6 @@
 Patch4: openssl-DEFAULT_SUSE_cipher.patch
 Patch5: openssl-ppc64-config.patch
 Patch6: openssl-riscv64-config.patch
-Patch7: openssl-no-date.patch
 # PATCH-FIX-UPSTREAM jsc#SLE-6126 and jsc#SLE-6129
 Patch8: 0001-s390x-assembly-pack-perlasm-support.patch
 Patch9: 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
@@ -95,7 +94,6 @@
 Patch40: openssl-fips-selftests_in_nonfips_mode.patch
 Patch41: openssl-fips-clearerror.patch
 Patch42: openssl-fips-ignore_broken_atexit_test.patch
-Patch43: openssl-keep_EVP_KDF_functions_version.patch
 Patch45: openssl-fips-add-SHA3-selftest.patch
 Patch46: openssl-fips_selftest_upstream_drbg.patch
 Patch47: openssl-unknown_dgst.patch
@@ -126,15 +124,17 @@
 Patch73: openssl-FIPS-KAT-before-integrity-tests.patch
 # PATCH-FIX-SUSE bsc#1182959 FIPS: Fix function and reason error codes
 Patch74: openssl-1_1-FIPS-fix-error-reason-codes.patch
+#PATCH-FIX-SUSE bsc#1190652 FIPS: Add release number to version string
+Patch75: openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch
 # PATCH-FIX-SUSE bsc#1180995 Default to RFC7919 groups in FIPS mode
-Patch75: openssl-1_1-paramgen-default_to_rfc7919.patch
+Patch76: openssl-1_1-paramgen-default_to_rfc7919.patch
 # PATCH-FIX-SUSE bsc#1194187 bsc#1004463 Add engines section in openssl.cnf
-Patch76: openssl-1_1-use-include-directive.patch
+Patch77: openssl-1_1-use-include-directive.patch
 # PATCH-FIX-SUSE bsc#1197280 FIPS: Additional PBKDF2 requirements for KAT
-Patch77: openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch
-Patch78: bsc1185319-FIPS-KAT-for-ECDSA.patch
-Patch79: bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch
-Patch81: openssl-1_1-shortcut-test_afalg_aes_cbc.patch
+Patch78: openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch
+Patch79: bsc1185319-FIPS-KAT-for-ECDSA.patch
+Patch80: bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch
+Patch82: openssl-1_1-shortcut-test_afalg_aes_cbc.patch
 # PATCH-FIX-SUSE bsc#1190653 FIPS: Provide methods to zeroize all unprotected SSPs and key components
 Patch84: openssl-1_1-Zeroization.patch
 # PATCH-FIX-SUSE bsc#1190651 FIPS: Provide a service-level indicator
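Review bot: The new `Patch75` entry has an ordering dependency that the spec does not record. openssl-1_1-fips-bsc1215215_fips_in_version_string.patch, as refreshed in this same commit, now removes the `OPENSSL_VERSION_TEXT` line that this patch writes, so it can only apply after it. A comment above `Patch75` such as `# Must apply before openssl-1_1-fips-bsc1215215_fips_in_version_string.patch (both rewrite OPENSSL_VERSION_TEXT)` would keep a later reorder or renumber from breaking the build. The tag is also written `#PATCH-FIX-SUSE` without the space the neighbouring tags use, so a grep or tool keyed on `# PATCH-FIX-` may miss it.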
@@ -188,6 +188,8 @@
 # PATCH-FIX-UPSTREAM: bsc#1216922 CVE-2023-5678 Generating excessively long X9.42 DH keys or
 # checking excessively long X9.42 DH keys or parameters may be very slow
 Patch115: openssl-CVE-2023-5678.patch
+# PATCH-FIX-OPENSUSE skip SHA1 test in FIPS mode
+Patch116: openssl-Skip_SHA1-test-in-FIPS-mode.patch
 BuildRequires: jitterentropy-devel >= 3.4.0
 BuildRequires: pkgconfig
 BuildRequires: pkgconfig(zlib)
++++++ openssl-1.1.1-evp-kdf.patch ++++++
--- /var/tmp/diff_new_pack.PesRiw/_old 2023-12-01 21:25:02.629163059 +0100
+++ /var/tmp/diff_new_pack.PesRiw/_new 2023-12-01 21:25:02.637163353 +0100
@@ -5228,14 +5228,14 @@
 FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION:
 FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION:
 FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION:
-+EVP_KDF_CTX_new_id 6590 1_1_1b EXIST::FUNCTION:
-+EVP_KDF_CTX_free 6591 1_1_1b EXIST::FUNCTION:
-+EVP_KDF_reset 6592 1_1_1b EXIST::FUNCTION:
-+EVP_KDF_ctrl 6593 1_1_1b EXIST::FUNCTION:
-+EVP_KDF_vctrl 6594 1_1_1b EXIST::FUNCTION:
-+EVP_KDF_ctrl_str 6595 1_1_1b EXIST::FUNCTION:
-+EVP_KDF_size 6596 1_1_1b EXIST::FUNCTION:
-+EVP_KDF_derive 6597 1_1_1b EXIST::FUNCTION:
++EVP_KDF_CTX_new_id 6590 1_1_1d EXIST::FUNCTION:
++EVP_KDF_CTX_free 6591 1_1_1d EXIST::FUNCTION:
++EVP_KDF_reset 6592 1_1_1d EXIST::FUNCTION:
++EVP_KDF_ctrl 6593 1_1_1d EXIST::FUNCTION:
++EVP_KDF_vctrl 6594 1_1_1d EXIST::FUNCTION:
++EVP_KDF_ctrl_str 6595 1_1_1d EXIST::FUNCTION:
++EVP_KDF_size 6596 1_1_1d EXIST::FUNCTION:
++EVP_KDF_derive 6597 1_1_1d EXIST::FUNCTION:
 Index: openssl-1.1.1n/util/private.num
 ===================================================================
 --- openssl-1.1.1n.orig/util/private.num
++++++ openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch ++++++
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
index cbbfab1..7576de8 100644
--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h
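Review bot: The eight `EVP_KDF_*` entries in the openssl-1.1.1-evp-kdf.patch hunk move from `1_1_1b` to `1_1_1d` with no rationale left in view, now that openssl-keep_EVP_KDF_functions_version.patch has been folded in and removed. In OpenSSL 1.1.1 that column selects the symbol-version node the functions are exported under, so a later refresh that resets the tag would change the exported ABI of these functions without any visible warning. The patch header lies outside this hunk; if it does not already say so, it should record that the tag is deliberate, for example `EVP_KDF_* stay at 1_1_1d (presumably to match previously shipped builds); do not retag on refresh`.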
@@ -14,6 +14,9 @@ extern "C" { #endif +#define SUSE_OPENSSL_STRING_PARAM_FUNCA(x) #x +#define SUSE_OPENSSL_STRING_PARAM_FUNCB(x) SUSE_OPENSSL_STRING_PARAM_FUNCA(x) + /*- * Numeric release version identifier: * MNNFFPPS: major minor fix patch status @@ -40,7 +43,7 @@ extern "C" { * major minor fix final patch/beta) */ # define OPENSSL_VERSION_NUMBER 0x1010117fL -# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023 SUSE release " SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_RELEASE) /*- * The macros below are to be used for shared library (.so, .dll, ...) ++++++ openssl-1_1-fips-bsc1215215_fips_in_version_string.patch ++++++ --- /var/tmp/diff_new_pack.PesRiw/_old 2023-12-01 21:25:02.749167467 +0100 +++ /var/tmp/diff_new_pack.PesRiw/_new 2023-12-01 21:25:02.753167613 +0100 @@ -35,11 +35,11 @@ * major minor fix final patch/beta) */ # define OPENSSL_VERSION_NUMBER 0x1010117fL --# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023" +-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023 SUSE release " SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_RELEASE) +# ifdef OPENSSL_FIPS -+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w-fips 11 Sep 2023" ++# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w-fips 11 Sep 2023 SUSE release " SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_RELEASE) +# else -+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023" ++# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023 SUSE release " SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_RELEASE) +# endif /*- ++++++ openssl-Skip_SHA1-test-in-FIPS-mode.patch ++++++ Index: openssl-1.1.1w/test/recipes/20-test_dgst.t =================================================================== --- openssl-1.1.1w.orig/test/recipes/20-test_dgst.t +++ openssl-1.1.1w/test/recipes/20-test_dgst.t 
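Review bot: `OPENSSL_VERSION_TEXT` in the `@@ -40,7 +43,7 @@` hunk now depends on `SUSE_OPENSSL_RELEASE`, which this patch never defines, and opensslv.h is a header that applications include themselves. If the value is only passed as a `-D` flag while the package is built (not visible here), any other program that expands `OPENSSL_VERSION_TEXT` gets the literal text `SUSE release SUSE_OPENSSL_RELEASE`, because stringifying an undefined macro yields its name. That works against the stated goal of bsc#1190652, which is to report the module version accurately. Both branches added by the refreshed openssl-1_1-fips-bsc1215215_fips_in_version_string.patch have the same problem. Either write the release into the installed header at build time, or guard the expansion as sketched below.

```c
# define OPENSSL_VERSION_NUMBER 0x1010117fL
# ifdef SUSE_OPENSSL_RELEASE
#  define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023 SUSE release " SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_RELEASE)
# else
/* Included outside the package build: no release number is known. */
#  define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023"
# endif
```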
@@ -104,8 +105,8 @@ SKIP: { } SKIP: { - skip "dgst with engine is not supported by this OpenSSL build", 1 - if disabled("engine") || disabled("dynamic-engine"); + skip "dgst with engine is not supported by this OpenSSL build or we are in FIPS mode", 1 + if disabled("engine") || disabled("dynamic-engine") || ($ENV{OPENSSL_FORCE_FIPS_MODE}); subtest "SHA1 generation by engine with `dgst` CLI" => sub { plan tests => 1;
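Review bot: The added condition `($ENV{OPENSSL_FORCE_FIPS_MODE})` skips the engine SHA1 subtest on the environment variable alone, so a run where FIPS mode is enabled some other way would presumably still execute it and fail. When the variable is set, the skip is also reported under a message that blames a missing engine build as well. A separate line, `skip "SHA1 via engine is not expected to work in FIPS mode", 1 if $ENV{OPENSSL_FORCE_FIPS_MODE};`, would keep the two reasons distinguishable in test logs. Skipping also leaves the FIPS-mode behaviour of `dgst` with an engine untested; if the expected outcome there is a clean refusal, a subtest asserting that would be stronger than a skip. The `SKIP:` block continues past the end of the hunk.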