commit openssl-1_1 for openSUSE:Factory

Source-Sync Fri, 01 Dec 2023 12:25:14 -0800

Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package openssl-1_1 for openSUSE:Factory 
checked in at 2023-12-01 21:24:50
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openssl-1_1 (Old)
 and      /work/SRC/openSUSE:Factory/.openssl-1_1.new.25432 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Package is "openssl-1_1"

Fri Dec  1 21:24:50 2023 rev:55 rq:1130033 version:1.1.1w

Changes:
--------
--- /work/SRC/openSUSE:Factory/openssl-1_1/openssl-1_1.changes  2023-11-17 
20:48:48.571523906 +0100
+++ /work/SRC/openSUSE:Factory/.openssl-1_1.new.25432/openssl-1_1.changes       
2023-12-01 21:25:00.817096507 +0100
@@ -1,0 +2,14 @@
+Thu Nov 23 09:43:39 UTC 2023 - Otto Hollmann <otto.hollm...@suse.com>
+
+- Skip SHA1 test in 20-test_dgst.t when in FIPS mode
+  * Add openssl-Skip_SHA1-test-in-FIPS-mode.patch
+- FIPS: add openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch
+  * bsc#1190652 - Provide a service to output module name/identifier
+    and version
+- Sync patches with SLE:
+  * Merge openssl-keep_EVP_KDF_functions_version.patch into
+    openssl-1.1.1-evp-kdf.patch
+  * Refresh openssl-1_1-fips-bsc1215215_fips_in_version_string.patch
+  * Remove openssl-no-date.patch
+
+-------------------------------------------------------------------

Old:
----
  openssl-keep_EVP_KDF_functions_version.patch
  openssl-no-date.patch

New:
----
  openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch
  openssl-Skip_SHA1-test-in-FIPS-mode.patch

BETA DEBUG BEGIN:
  Old:- Sync patches with SLE:
  * Merge openssl-keep_EVP_KDF_functions_version.patch into
    openssl-1.1.1-evp-kdf.patch
  Old:  * Refresh openssl-1_1-fips-bsc1215215_fips_in_version_string.patch
  * Remove openssl-no-date.patch
BETA DEBUG END:

BETA DEBUG BEGIN:
  New:  * Add openssl-Skip_SHA1-test-in-FIPS-mode.patch
- FIPS: add openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch
  * bsc#1190652 - Provide a service to output module name/identifier
  New:- Skip SHA1 test in 20-test_dgst.t when in FIPS mode
  * Add openssl-Skip_SHA1-test-in-FIPS-mode.patch
- FIPS: add openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch
BETA DEBUG END:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openssl-1_1.spec ++++++
--- /var/tmp/diff_new_pack.PesRiw/_old  2023-12-01 21:25:02.493158064 +0100
+++ /var/tmp/diff_new_pack.PesRiw/_new  2023-12-01 21:25:02.493158064 +0100
@@ -60,7 +60,6 @@
 Patch4:         openssl-DEFAULT_SUSE_cipher.patch
 Patch5:         openssl-ppc64-config.patch
 Patch6:         openssl-riscv64-config.patch
-Patch7:         openssl-no-date.patch
 # PATCH-FIX-UPSTREAM jsc#SLE-6126 and jsc#SLE-6129
 Patch8:         0001-s390x-assembly-pack-perlasm-support.patch
 Patch9:         0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
@@ -95,7 +94,6 @@
 Patch40:        openssl-fips-selftests_in_nonfips_mode.patch
 Patch41:        openssl-fips-clearerror.patch
 Patch42:        openssl-fips-ignore_broken_atexit_test.patch
-Patch43:        openssl-keep_EVP_KDF_functions_version.patch
 Patch45:        openssl-fips-add-SHA3-selftest.patch
 Patch46:        openssl-fips_selftest_upstream_drbg.patch
 Patch47:        openssl-unknown_dgst.patch
@@ -126,15 +124,17 @@
 Patch73:        openssl-FIPS-KAT-before-integrity-tests.patch
 # PATCH-FIX-SUSE bsc#1182959 FIPS: Fix function and reason error codes
 Patch74:        openssl-1_1-FIPS-fix-error-reason-codes.patch
+#PATCH-FIX-SUSE bsc#1190652 FIPS: Add release number to version string
+Patch75:        openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch
 # PATCH-FIX-SUSE bsc#1180995 Default to RFC7919 groups in FIPS mode
-Patch75:        openssl-1_1-paramgen-default_to_rfc7919.patch
+Patch76:        openssl-1_1-paramgen-default_to_rfc7919.patch
 # PATCH-FIX-SUSE bsc#1194187 bsc#1004463 Add engines section in openssl.cnf
-Patch76:        openssl-1_1-use-include-directive.patch
+Patch77:        openssl-1_1-use-include-directive.patch
 # PATCH-FIX-SUSE bsc#1197280 FIPS: Additional PBKDF2 requirements for KAT
-Patch77:        openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch
-Patch78:        bsc1185319-FIPS-KAT-for-ECDSA.patch
-Patch79:        bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch
-Patch81:        openssl-1_1-shortcut-test_afalg_aes_cbc.patch
+Patch78:        openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch
+Patch79:        bsc1185319-FIPS-KAT-for-ECDSA.patch
+Patch80:        bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch
+Patch82:        openssl-1_1-shortcut-test_afalg_aes_cbc.patch
 # PATCH-FIX-SUSE bsc#1190653 FIPS: Provide methods to zeroize all unprotected 
SSPs and key components
 Patch84:        openssl-1_1-Zeroization.patch
 # PATCH-FIX-SUSE bsc#1190651 FIPS: Provide a service-level indicator
@@ -188,6 +188,8 @@
 # PATCH-FIX-UPSTREAM: bsc#1216922 CVE-2023-5678 Generating excessively long 
X9.42 DH keys or
 # checking excessively long X9.42 DH keys or parameters may be very slow
 Patch115:       openssl-CVE-2023-5678.patch
+# PATCH-FIX-OPENSUSE skip SHA1 test in FIPS mode
+Patch116:       openssl-Skip_SHA1-test-in-FIPS-mode.patch
 BuildRequires:  jitterentropy-devel >= 3.4.0
 BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(zlib)

++++++ openssl-1.1.1-evp-kdf.patch ++++++
--- /var/tmp/diff_new_pack.PesRiw/_old  2023-12-01 21:25:02.629163059 +0100
+++ /var/tmp/diff_new_pack.PesRiw/_new  2023-12-01 21:25:02.637163353 +0100
@@ -5228,14 +5228,14 @@
  FIPS_rand_strength                      6380  1_1_0g  EXIST::FUNCTION:
  FIPS_drbg_get_blocklength               6381  1_1_0g  EXIST::FUNCTION:
  FIPS_drbg_init                          6382  1_1_0g  EXIST::FUNCTION:
-+EVP_KDF_CTX_new_id                      6590  1_1_1b  EXIST::FUNCTION:
-+EVP_KDF_CTX_free                        6591  1_1_1b  EXIST::FUNCTION:
-+EVP_KDF_reset                           6592  1_1_1b  EXIST::FUNCTION:
-+EVP_KDF_ctrl                            6593  1_1_1b  EXIST::FUNCTION:
-+EVP_KDF_vctrl                           6594  1_1_1b  EXIST::FUNCTION:
-+EVP_KDF_ctrl_str                        6595  1_1_1b  EXIST::FUNCTION:
-+EVP_KDF_size                            6596  1_1_1b  EXIST::FUNCTION:
-+EVP_KDF_derive                          6597  1_1_1b  EXIST::FUNCTION:
++EVP_KDF_CTX_new_id                      6590  1_1_1d  EXIST::FUNCTION:
++EVP_KDF_CTX_free                        6591  1_1_1d  EXIST::FUNCTION:
++EVP_KDF_reset                           6592  1_1_1d  EXIST::FUNCTION:
++EVP_KDF_ctrl                            6593  1_1_1d  EXIST::FUNCTION:
++EVP_KDF_vctrl                           6594  1_1_1d  EXIST::FUNCTION:
++EVP_KDF_ctrl_str                        6595  1_1_1d  EXIST::FUNCTION:
++EVP_KDF_size                            6596  1_1_1d  EXIST::FUNCTION:
++EVP_KDF_derive                          6597  1_1_1d  EXIST::FUNCTION:
 Index: openssl-1.1.1n/util/private.num
 ===================================================================
 --- openssl-1.1.1n.orig/util/private.num


++++++ openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch ++++++
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
index cbbfab1..7576de8 100644
--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h
@@ -14,6 +14,9 @@
 extern "C" {
 #endif
 
+#define SUSE_OPENSSL_STRING_PARAM_FUNCA(x) #x
+#define SUSE_OPENSSL_STRING_PARAM_FUNCB(x) SUSE_OPENSSL_STRING_PARAM_FUNCA(x)
+
 /*-
  * Numeric release version identifier:
  * MNNFFPPS: major minor fix patch status
@@ -40,7 +43,7 @@ extern "C" {
  *  major minor fix final patch/beta)
  */
 # define OPENSSL_VERSION_NUMBER  0x1010117fL
-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1w  11 Sep 2023"
+# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1w  11 Sep 2023 SUSE release " 
SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_RELEASE)
 
 /*-
  * The macros below are to be used for shared library (.so, .dll, ...)

++++++ openssl-1_1-fips-bsc1215215_fips_in_version_string.patch ++++++
--- /var/tmp/diff_new_pack.PesRiw/_old  2023-12-01 21:25:02.749167467 +0100
+++ /var/tmp/diff_new_pack.PesRiw/_new  2023-12-01 21:25:02.753167613 +0100
@@ -35,11 +35,11 @@
   *  major minor fix final patch/beta)
   */
  # define OPENSSL_VERSION_NUMBER  0x1010117fL
--# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1w  11 Sep 2023"
+-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1w  11 Sep 2023 SUSE release " 
SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_RELEASE)
 +# ifdef OPENSSL_FIPS
-+#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1w-fips  11 Sep 2023"
++#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1w-fips  11 Sep 2023 SUSE 
release " SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_RELEASE)
 +# else
-+#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1w  11 Sep 2023"
++#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1w  11 Sep 2023 SUSE release " 
SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_RELEASE)
 +# endif
  
  /*-

++++++ openssl-Skip_SHA1-test-in-FIPS-mode.patch ++++++
Index: openssl-1.1.1w/test/recipes/20-test_dgst.t
===================================================================
--- openssl-1.1.1w.orig/test/recipes/20-test_dgst.t
+++ openssl-1.1.1w/test/recipes/20-test_dgst.t
@@ -104,8 +105,8 @@ SKIP: {
 }
 
 SKIP: {
-    skip "dgst with engine is not supported by this OpenSSL build", 1
-        if disabled("engine") || disabled("dynamic-engine");
+    skip "dgst with engine is not supported by this OpenSSL build or we are in 
FIPS mode", 1
+        if disabled("engine") || disabled("dynamic-engine") || 
($ENV{OPENSSL_FORCE_FIPS_MODE});
 
     subtest "SHA1 generation by engine with `dgst` CLI" => sub {
         plan tests => 1;

commit openssl-1_1 for openSUSE:Factory

Reply via email to