Hello community, here is the log from the commit of package openssl.2431 for openSUSE:12.2:Update checked in at 2014-01-03 21:14:55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.2:Update/openssl.2431 (Old) and /work/SRC/openSUSE:12.2:Update/.openssl.2431.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl.2431" Changes: -------- New Changes file: --- /dev/null 2013-11-25 01:44:08.036031256 +0100 +++ /work/SRC/openSUSE:12.2:Update/.openssl.2431.new/openssl.changes 2014-01-03 21:14:56.000000000 +0100 @@ -0,0 +1,1418 @@ +------------------------------------------------------------------- +Mon Dec 23 10:32:39 UTC 2013 - shch...@suse.com + +- Fixed bnc#856687, openssl: crash when using TLS 1.2 + Add file: CVE-2013-6449.patch + +------------------------------------------------------------------- +Tue Dec 17 13:57:40 UTC 2013 - meiss...@suse.com + +- compression_methods_switch.patch: setenv might not be successful + if a surrounding library or application filters it, like e.g. sudo. + As setenv() does not seem to be useful anyway, remove it. + bnc#849377 + +------------------------------------------------------------------- +Mon Oct 28 16:11:30 UTC 2013 - meiss...@suse.com + +- compression_methods_switch.patch: + Disable ssl compression by default to mitigate compression oracle + attacks like CRIME or BEAST. + bnc#793420 / CVE-2012-4929 + +------------------------------------------------------------------- +Fri Feb 15 20:48:22 UTC 2013 - meiss...@suse.com + +- Update to 1.0.1e + o Bugfix release (bnc#803004) + +- update to version 1.0.1d, fixing security issues + o Fix renegotiation in TLS 1.1, 1.2 by using the correct TLS version. + o Include the fips configuration module. + o Fix OCSP bad key DoS attack CVE-2013-0166 bnc#802746 + o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169 + bnc#802184 + o Fix for TLS AESNI record handling flaw CVE-2012-2686 + +------------------------------------------------------------------- +Thu Feb 7 04:33:56 UTC 2013 - shch...@suse.com + +- fix bug[ bnc#757773] - c_rehash to accept more filename extensions + Add patch file: openssl-1.0.0-c_rehash_accept_file_exts.patch + +------------------------------------------------------------------- +Tue Nov 13 07:18:12 UTC 2012 - g...@suse.com + +- fix bug[bnc#784994] - VIA padlock support on 64 systems + e_padlock: add support for x86_64 gcc + VIA_padlock_support_on_64systems.patch + +------------------------------------------------------------------- +Thu May 10 19:18:06 UTC 2012 - crrodrig...@opensuse.org + +- Update to version 1.0.1c for the complete list of changes see + NEWS, this only list packaging changes. +- Drop aes-ni patch, no longer needed as it is builtin in openssl + now. +- Define GNU_SOURCE and use -std=gnu99 to build the package. +- Use LFS_CFLAGS in platforms where it matters. + +------------------------------------------------------------------- +Fri May 4 12:09:57 UTC 2012 - lnus...@suse.de + +- don't install any demo or expired certs at all + +------------------------------------------------------------------- +Mon Apr 23 05:57:35 UTC 2012 - g...@suse.com + +- update to latest stable verison 1.0.0i + including the following patches: + CVE-2012-2110.path + Bug748738_Tolerate_bad_MIME_headers.patch + bug749213-Free-headers-after-use.patch + bug749210-Symmetric-crypto-errors-in-PKCS7_decrypt.patch + CVE-2012-1165.patch + CVE-2012-0884.patch + bug749735.patch + +------------------------------------------------------------------- +Tue Mar 27 09:16:37 UTC 2012 - g...@suse.com + +- fix bug[bnc#749735] - Memory leak when creating public keys. + fix bug[bnc#751977] - CMS and S/MIME Bleichenbacher attack + CVE-2012-0884 + +------------------------------------------------------------------- +Thu Mar 22 03:24:20 UTC 2012 - g...@suse.com + +- fix bug[bnc#751946] - S/MIME verification may erroneously fail + CVE-2012-1165 + +------------------------------------------------------------------- +Wed Mar 21 02:44:41 UTC 2012 - g...@suse.com + +- fix bug[bnc#749213]-Free headers after use in error message + and bug[bnc#749210]-Symmetric crypto errors in PKCS7_decrypt + +------------------------------------------------------------------- +Tue Mar 20 14:29:24 UTC 2012 - cfarr...@suse.com + +- license update: OpenSSL + +------------------------------------------------------------------- +Fri Feb 24 02:33:22 UTC 2012 - g...@suse.com + +- fix bug[bnc#748738] - Tolerate bad MIME headers in openssl's + asn1 parser. + CVE-2006-7250 + +------------------------------------------------------------------- +Thu Feb 2 06:55:12 UTC 2012 - g...@suse.com + +- Update to version 1.0.0g fix the following: + DTLS DoS attack (CVE-2012-0050) + +------------------------------------------------------------------- +Wed Jan 11 05:35:18 UTC 2012 - g...@suse.com + +- Update to version 1.0.0f fix the following: + DTLS Plaintext Recovery Attack (CVE-2011-4108) + Uninitialized SSL 3.0 Padding (CVE-2011-4576) + Malformed RFC 3779 Data Can Cause Assertion Failures (CVE-2011-4577) + SGC Restart DoS Attack (CVE-2011-4619) + Invalid GOST parameters DoS Attack (CVE-2012-0027) + +------------------------------------------------------------------- +Tue Oct 18 16:43:50 UTC 2011 - crrodrig...@opensuse.org + +- AES-NI: Check the return value of Engine_add() + if the ENGINE_add() call fails: it ends up adding a reference + to a freed up ENGINE which is likely to subsequently contain garbage + This will happen if an ENGINE with the same name is added multiple + times,for example different libraries. [bnc#720601] + +------------------------------------------------------------------- +Sat Oct 8 21:36:58 UTC 2011 - crrodrig...@opensuse.org + +- Build with -DSSL_FORBID_ENULL so servers are not + able to use the NULL encryption ciphers (Those offering no + encryption whatsoever). + +------------------------------------------------------------------- +Wed Sep 7 14:29:41 UTC 2011 - crrodrig...@opensuse.org + +- Update to openssl 1.0.0e fixes CVE-2011-3207 and CVE-2011-3210 + see http://openssl.org/news/secadv_20110906.txt for details. + +------------------------------------------------------------------- +Sat Aug 6 00:33:47 UTC 2011 - crrodrig...@opensuse.org + +- Add upstream patch that calls ENGINE_register_all_complete() + in ENGINE_load_builtin_engines() saving us from adding dozens + of calls to such function to calling applications. + +------------------------------------------------------------------- +Fri Aug 5 19:09:42 UTC 2011 - crrodrig...@opensuse.org + +- remove -fno-strict-aliasing from CFLAGS no longer needed + and is likely to slow down stuff. + +------------------------------------------------------------------- +Mon Jul 25 19:07:32 UTC 2011 - jeng...@medozas.de + +- Edit baselibs.conf to provide libopenssl-devel-32bit too + +------------------------------------------------------------------- +Fri Jun 24 04:51:50 UTC 2011 - g...@novell.com + +- update to latest stable version 1.0.0d. + patch removed(already in the new package): + CVE-2011-0014 + patch added: + ECDSA_signatures_timing_attack.patch + +------------------------------------------------------------------- +Tue May 31 07:07:49 UTC 2011 - g...@novell.com + +- fix bug[bnc#693027]. + Add protection against ECDSA timing attacks as mentioned in the paper + by Billy Bob Brumley and Nicola Tuveri, see: + http://eprint.iacr.org/2011/232.pdf + [Billy Bob Brumley and Nicola Tuveri] + +------------------------------------------------------------------- +Mon May 16 14:38:26 UTC 2011 - and...@opensuse.org + +- added openssl as dependency in the devel package + +------------------------------------------------------------------- +Thu Feb 10 07:42:01 UTC 2011 - g...@novell.com + +- fix bug [bnc#670526] + CVE-2011-0014,OCSP stapling vulnerability + +------------------------------------------------------------------- +Sat Jan 15 19:58:51 UTC 2011 - cristian.rodrig...@opensuse.org + +- Add patch from upstream in order to support AES-NI instruction ++++ 1221 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.2:Update/.openssl.2431.new/openssl.changes New: ---- CVE-2013-6449.patch README.SuSE VIA_padlock_support_on_64systems.patch baselibs.conf bug610223.patch compression_methods_switch.patch merge_from_0.9.8k.patch openssl-1.0.0-c_rehash-compat.diff openssl-1.0.0-c_rehash_accept_file_exts.patch openssl-1.0.1e.tar.gz openssl.changes openssl.spec openssl.test ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssl.spec ++++++ # # spec file for package openssl # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: openssl BuildRequires: bc BuildRequires: ed BuildRequires: pkg-config BuildRequires: zlib-devel %define ssletcdir %{_sysconfdir}/ssl #%define num_version %(echo "%{version}" | sed -e "s+[a-zA-Z]++g; s+_.*++g") %define num_version 1.0.0 Provides: ssl # bug437293 %ifarch ppc64 Obsoletes: openssl-64bit %endif Version: 1.0.1e Release: 0 Summary: Secure Sockets and Transport Layer Security License: OpenSSL Group: Productivity/Networking/Security Url: http://www.openssl.org/ Source: http://www.%{name}.org/source/%{name}-%{version}.tar.gz # to get mtime of file: Source1: openssl.changes Source2: baselibs.conf Source10: README.SuSE Patch0: merge_from_0.9.8k.patch Patch1: openssl-1.0.0-c_rehash-compat.diff Patch2: bug610223.patch Patch3: VIA_padlock_support_on_64systems.patch Patch4: openssl-1.0.0-c_rehash_accept_file_exts.patch Patch5: compression_methods_switch.patch Patch6: CVE-2013-6449.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and open source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation. Derivation and License OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache-style license, which basically means that you are free to get it and to use it for commercial and noncommercial purposes. Authors: -------- Mark J. Cox <m...@openssl.org> Ralf S. Engelschall <r...@openssl.org> Dr. Stephen Henson <st...@openssl.org> Ben Laurie <b...@openssl.org> Bodo Moeller <b...@openssl.org> Ulf Moeller <u...@openssl.org> Holger Reif <hol...@openssl.org> Paul C. Sutton <p...@openssl.org> %package -n libopenssl1_0_0 Summary: Secure Sockets and Transport Layer Security Group: Productivity/Networking/Security Recommends: openssl-certs # bug437293 %ifarch ppc64 Obsoletes: openssl-64bit %endif # %description -n libopenssl1_0_0 The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and open source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation. Derivation and License OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache-style license, which basically means that you are free to get it and to use it for commercial and noncommercial purposes. Authors: -------- Mark J. Cox <m...@openssl.org> Ralf S. Engelschall <r...@openssl.org> Dr. Stephen Henson <st...@openssl.org> Ben Laurie <b...@openssl.org> Bodo Moeller <b...@openssl.org> Ulf Moeller <u...@openssl.org> Holger Reif <hol...@openssl.org> Paul C. Sutton <p...@openssl.org> %package -n libopenssl-devel Summary: Include Files and Libraries mandatory for Development Group: Development/Libraries/C and C++ Obsoletes: openssl-devel < %{version} Requires: %name = %version Requires: libopenssl1_0_0 = %{version} Requires: zlib-devel Provides: openssl-devel = %{version} # bug437293 %ifarch ppc64 Obsoletes: openssl-devel-64bit %endif # %description -n libopenssl-devel This package contains all necessary include files and libraries needed to develop applications that require these. Authors: -------- Mark J. Cox <m...@openssl.org> Ralf S. Engelschall <r...@openssl.org> Dr. Stephen <Henson st...@openssl.org> Ben Laurie <b...@openssl.org> Bodo Moeller <b...@openssl.org> Ulf Moeller <u...@openssl.org> Holger Reif <hol...@openssl.org> Paul C. Sutton <p...@openssl.org> %package doc Summary: Additional Package Documentation Group: Productivity/Networking/Security BuildArch: noarch %description doc This package contains optional documentation provided in addition to this package's base documentation. Authors: -------- Mark J. Cox <m...@openssl.org> Ralf S. Engelschall <r...@openssl.org> Dr. Stephen <Henson st...@openssl.org> Ben Laurie <b...@openssl.org> Bodo Moeller <b...@openssl.org> Ulf Moeller <u...@openssl.org> Holger Reif <hol...@openssl.org> Paul C. Sutton <p...@openssl.org> %prep %setup -q %patch0 -p1 %patch1 -p1 %patch2 -p1 %patch3 -p1 %patch4 -p1 %patch5 -p1 %patch6 -p1 cp -p %{S:10} . echo "adding/overwriting some entries in the 'table' hash in Configure" # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags export DSO_SCHEME='dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::' cat <<EOF_ED | ed -s Configure /^); - i # # local configuration added from specfile # ... MOST of those are now correct in openssl's Configure already, # so only add them for new ports! # #config-string, $cc:$cflags:$unistd:$thread_cflag:$sys_id:$lflags:$bn_ops:$cpuid_obj:$bn_obj:$des_obj:$aes_obj:$bf_obj:$md5_obj:$sha1_obj:$cast_obj:$rc4_obj:$rmd160_obj:$rc5_obj:$wp_obj:$cmll_obj:$dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags:$multilib #"linux-elf", "gcc:-DL_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG \${x86_gcc_des} \${x86_gcc_opts}:\${x86_elf_asm}:$DSO_SCHEME:", #"linux-ia64", "gcc:-DL_ENDIAN -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:\${ia64_asm}: $DSO_SCHEME:", #"linux-ppc", "gcc:-DB_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:\${no_asm}: $DSO_SCHEME:", #"linux-ppc64", "gcc:-DB_ENDIAN -DMD32_REG_T=int::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL SIXTY_FOUR_BIT_LONG:\${no_asm}: $DSO_SCHEME:64", "linux-elf-arm","gcc:-DL_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG:\${no_asm}: $DSO_SCHEME:", "linux-mips", "gcc:-DB_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:\${no_asm}: $DSO_SCHEME:", "linux-sparcv7","gcc:-DB_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:\${no_asm}: $DSO_SCHEME:", #"linux-sparcv8","gcc:-DB_ENDIAN -DBN_DIV2W -mv8 ::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::asm/sparcv8.o::::::::::::: $DSO_SCHEME:", #"linux-x86_64", "gcc:-DL_ENDIAN -DNO_ASM -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG:\${no_asm}: $DSO_SCHEME:64", #"linux-s390", "gcc:-DB_ENDIAN ::(unknown): :-ldl:BN_LLONG:\${no_asm}: $DSO_SCHEME:", #"linux-s390x", "gcc:-DB_ENDIAN -DNO_ASM -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG:\${no_asm}: $DSO_SCHEME:64", "linux-parisc", "gcc:-DB_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR DES_PTR DES_UNROLL DES_RISC1:\${no_asm}: $DSO_SCHEME:", . wq EOF_ED # fix ENGINESDIR path sed -i 's,/lib/engines,/%_lib/engines,' Configure # Record mtime of changes file instead of build time CHANGES=`stat --format="%y" %SOURCE1` sed -i -e "s|#define DATE \(.*\).LC_ALL.*date.|#define DATE \1$CHANGES|" crypto/Makefile %build ./config --test-sanity # config_flags="threads shared no-rc5 no-idea \ enable-camellia \ zlib \ --prefix=%{_prefix} \ --libdir=%{_lib} \ --openssldir=%{ssletcdir} \ $RPM_OPT_FLAGS -std=gnu99 \ -Wa,--noexecstack \ -fomit-frame-pointer \ -DTERMIO \ -DPURIFY \ -DSSL_FORBID_ENULL \ -D_GNU_SOURCE \ $(getconf LFS_CFLAGS) \ %ifnarch hppa -Wall \ -fstack-protector " %else -Wall " %endif # #%{!?do_profiling:%define do_profiling 0} #%if %do_profiling # # generate feedback # ./config $config_flags # make depend CC="gcc %cflags_profile_generate" # make CC="gcc %cflags_profile_generate" # LD_LIBRARY_PATH=`pwd` make rehash CC="gcc %cflags_profile_generate" # LD_LIBRARY_PATH=`pwd` make test CC="gcc %cflags_profile_generate" # LD_LIBRARY_PATH=`pwd` apps/openssl speed # make clean # # compile with feedback # # but not if it makes a cipher slower: # #find crypto/aes -name '*.da' | xargs -r rm # ./config $config_flags %cflags_profile_feedback # make depend # make # LD_LIBRARY_PATH=`pwd` make rehash # LD_LIBRARY_PATH=`pwd` make test #%else # OpenSSL relies on uname -m (not good). Thus that little sparc line. ./config \ %ifarch sparc64 linux64-sparcv9 \ %endif $config_flags make depend make LD_LIBRARY_PATH=`pwd` make rehash %ifnarch armv4l LD_LIBRARY_PATH=`pwd` make test %endif #%endif # show settings make TABLE echo $RPM_OPT_FLAGS eval $(egrep PLATFORM='[[:alnum:]]' Makefile) grep -B1 -A22 "^\*\*\* $PLATFORM$" TABLE %install rm -rf $RPM_BUILD_ROOT make MANDIR=%{_mandir} INSTALL_PREFIX=$RPM_BUILD_ROOT install install -d -m755 $RPM_BUILD_ROOT%{ssletcdir}/certs ln -sf ./%{name} $RPM_BUILD_ROOT/%{_includedir}/ssl mkdir $RPM_BUILD_ROOT/%{_datadir}/ssl mv $RPM_BUILD_ROOT/%{ssletcdir}/misc $RPM_BUILD_ROOT/%{_datadir}/ssl/ # ln -s %{ssletcdir}/certs $RPM_BUILD_ROOT/%{_datadir}/ssl/certs # ln -s %{ssletcdir}/private $RPM_BUILD_ROOT/%{_datadir}/ssl/private # ln -s %{ssletcdir}/openssl.cnf $RPM_BUILD_ROOT/%{_datadir}/ssl/openssl.cnf # # avoid file conflicts with man pages from other packages # pushd $RPM_BUILD_ROOT/%{_mandir} # some man pages now contain spaces. This makes several scripts go havoc, among them /usr/sbin/Check. # replace spaces by underscores #for i in man?/*\ *; do mv -v "$i" "${i// /_}"; done which readlink &>/dev/null || function readlink { ( set +x; target=$(file $1 2>/dev/null); target=${target//* }; test -f $target && echo $target; ) } for i in man?/*; do if test -L $i ; then LDEST=`readlink $i` rm -f $i ${i}ssl ln -sf ${LDEST}ssl ${i}ssl else mv $i ${i}ssl fi case `basename ${i%.*}` in asn1parse|ca|config|crl|crl2pkcs7|crypto|dgst|dhparam|dsa|dsaparam|enc|gendsa|genrsa|nseq|openssl|passwd|pkcs12|pkcs7|pkcs8|rand|req|rsa|rsautl|s_client|s_server|smime|spkac|ssl|verify|version|x509) # these are the pages mentioned in openssl(1). They go into the main package. echo %doc %{_mandir}/${i}ssl.gz >> $OLDPWD/filelist;; *) # the rest goes into the openssl-doc package. echo %doc %{_mandir}/${i}ssl.gz >> $OLDPWD/filelist.doc;; esac done popd # # check wether some shared library has been installed # ls -l $RPM_BUILD_ROOT%{_libdir} test -f $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{num_version} test -f $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{num_version} test -L $RPM_BUILD_ROOT%{_libdir}/libssl.so test -L $RPM_BUILD_ROOT%{_libdir}/libcrypto.so # # see what we've got # cat > showciphers.c <<EOF #include <openssl/err.h> #include <openssl/ssl.h> int main(){ unsigned int i; SSL_CTX *ctx; SSL *ssl; SSL_METHOD *meth; meth = SSLv23_client_method(); SSLeay_add_ssl_algorithms(); ctx = SSL_CTX_new(meth); if (ctx == NULL) return 0; ssl = SSL_new(ctx); if (!ssl) return 0; for (i=0; ; i++) { int j, k; SSL_CIPHER *sc; sc = (meth->get_cipher)(i); if (!sc) break; k = SSL_CIPHER_get_bits(sc, &j); printf("%s\n", sc->name); } return 0; }; EOF gcc $RPM_OPT_FLAGS -I${RPM_BUILD_ROOT}%{_includedir} -c showciphers.c gcc -o showciphers showciphers.o -L${RPM_BUILD_ROOT}%{_libdir} -lssl -lcrypto LD_LIBRARY_PATH=${RPM_BUILD_ROOT}%{_libdir} ./showciphers > AVAILABLE_CIPHERS || true cat AVAILABLE_CIPHERS # Do not install demo scripts executable under /usr/share/doc find demos -type f -perm /111 -exec chmod 644 {} \; #process openssllib mkdir $RPM_BUILD_ROOT/%{_lib} mv $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{num_version} $RPM_BUILD_ROOT/%{_lib}/ mv $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{num_version} $RPM_BUILD_ROOT/%{_lib}/ mv $RPM_BUILD_ROOT%{_libdir}/engines $RPM_BUILD_ROOT/%{_lib}/ cd $RPM_BUILD_ROOT%{_libdir}/ ln -sf /%{_lib}/libssl.so.%{num_version} ./libssl.so ln -sf /%{_lib}/libcrypto.so.%{num_version} ./libcrypto.so %clean if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi %post -n libopenssl1_0_0 /sbin/ldconfig %postun -n libopenssl1_0_0 /sbin/ldconfig %files -n libopenssl1_0_0 %defattr(-, root, root) /%{_lib}/libssl.so.%{num_version} /%{_lib}/libcrypto.so.%{num_version} /%{_lib}/engines %files -n libopenssl-devel %defattr(-, root, root) %{_includedir}/%{name}/ %{_includedir}/ssl %exclude %{_libdir}/libcrypto.a %exclude %{_libdir}/libssl.a %{_libdir}/libssl.so %{_libdir}/libcrypto.so %_libdir/pkgconfig/libcrypto.pc %_libdir/pkgconfig/libssl.pc %_libdir/pkgconfig/openssl.pc %files doc -f filelist.doc %defattr(-, root, root) %doc doc/* demos %doc showciphers.c %files -f filelist %defattr(-, root, root) %doc CHANGE* INSTAL* AVAILABLE_CIPHERS %doc LICENSE NEWS README README.SuSE %dir %{ssletcdir} %dir %{ssletcdir}/certs %config (noreplace) %{ssletcdir}/openssl.cnf %attr(700,root,root) %{ssletcdir}/private %dir %{_datadir}/ssl %{_datadir}/ssl/misc %{_bindir}/c_rehash %{_bindir}/%{name} %changelog ++++++ CVE-2013-6449.patch ++++++ Index: openssl-1.0.1e/ssl/s3_lib.c =================================================================== --- openssl-1.0.1e.orig/ssl/s3_lib.c +++ openssl-1.0.1e/ssl/s3_lib.c @@ -4274,7 +4274,7 @@ need to go to SSL_ST_ACCEPT. long ssl_get_algorithm2(SSL *s) { long alg2 = s->s3->tmp.new_cipher->algorithm2; - if (TLS1_get_version(s) >= TLS1_2_VERSION && + if (s->method->version == TLS1_2_VERSION && alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF)) return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256; return alg2; Index: openssl-1.0.1e/ssl/s3_both.c =================================================================== --- openssl-1.0.1e.orig/ssl/s3_both.c +++ openssl-1.0.1e/ssl/s3_both.c @@ -161,6 +161,10 @@ int ssl3_send_finished(SSL *s, int a, in i=s->method->ssl3_enc->final_finish_mac(s, sender,slen,s->s3->tmp.finish_md); + + if (i == 0) + return 0; + s->s3->tmp.finish_md_len = i; memcpy(p, s->s3->tmp.finish_md, i); p+=i; Index: openssl-1.0.1e/ssl/s3_pkt.c =================================================================== --- openssl-1.0.1e.orig/ssl/s3_pkt.c +++ openssl-1.0.1e/ssl/s3_pkt.c @@ -1459,8 +1459,14 @@ int ssl3_do_change_cipher_spec(SSL *s) slen=s->method->ssl3_enc->client_finished_label_len; } - s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s, + i = s->method->ssl3_enc->final_finish_mac(s, sender,slen,s->s3->tmp.peer_finish_md); + if (i == 0) + { + SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR); + return 0; + } + s->s3->tmp.peer_finish_md_len = i; return(1); } Index: openssl-1.0.1e/ssl/t1_enc.c =================================================================== --- openssl-1.0.1e.orig/ssl/t1_enc.c +++ openssl-1.0.1e/ssl/t1_enc.c @@ -915,18 +915,19 @@ int tls1_final_finish_mac(SSL *s, if (mask & ssl_get_algorithm2(s)) { int hashsize = EVP_MD_size(md); - if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf))) + EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx]; + if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf))) { /* internal error: 'buf' is too small for this cipersuite! */ err = 1; } else { - EVP_MD_CTX_copy_ex(&ctx,s->s3->handshake_dgst[idx]); - EVP_DigestFinal_ex(&ctx,q,&i); - if (i != (unsigned int)hashsize) /* can't really happen */ + if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) || + !EVP_DigestFinal_ex(&ctx,q,&i) || + (i != (unsigned int)hashsize)) err = 1; - q+=i; + q+=hashsize; } } } ++++++ README.SuSE ++++++ Please note that the man pages for the openssl libraries and tools have been placed in a package on its own right: openssl-doc Please install the openssl-doc package if you need the man pages, HTML documentation or sample C programs. The C header files and static libraries have also been extracted, they can now be found in the openssl-devel package. Your SuSE Team. ++++++ VIA_padlock_support_on_64systems.patch ++++++ Index: openssl-1.0.1c/engines/e_padlock.c =================================================================== --- openssl-1.0.1c.orig/engines/e_padlock.c +++ openssl-1.0.1c/engines/e_padlock.c @@ -101,7 +101,10 @@ compiler choice is limited to GCC and Microsoft C. */ #undef COMPILE_HW_PADLOCK #if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM) -# if (defined(__GNUC__) && (defined(__i386__) || defined(__i386))) || \ +# if (defined(__GNUC__) && __GNUC__>=2 && \ + (defined(__i386__) || defined(__i386) || \ + defined(__x86_64__) || defined(__x86_64)) \ + ) || \ (defined(_MSC_VER) && defined(_M_IX86)) # define COMPILE_HW_PADLOCK # endif @@ -304,6 +307,7 @@ static volatile struct padlock_cipher_da * ======================================================= */ #if defined(__GNUC__) && __GNUC__>=2 +#if defined(__i386__) || defined(__i386) /* * As for excessive "push %ebx"/"pop %ebx" found all over. * When generating position-independent code GCC won't let @@ -383,21 +387,6 @@ padlock_available(void) return padlock_use_ace + padlock_use_rng; } -#ifndef OPENSSL_NO_AES -/* Our own htonl()/ntohl() */ -static inline void -padlock_bswapl(AES_KEY *ks) -{ - size_t i = sizeof(ks->rd_key)/sizeof(ks->rd_key[0]); - unsigned int *key = ks->rd_key; - - while (i--) { - asm volatile ("bswapl %0" : "+r"(*key)); - key++; - } -} -#endif - /* Force key reload from memory to the CPU microcode. Loading EFLAGS from the stack clears EFLAGS[30] which does the trick. */ @@ -456,11 +445,130 @@ static inline void *name(size_t cnt, \ return iv; \ } + +#endif + +#elif defined(__x86_64__) || defined(__x86_64) + +/* Load supported features of the CPU to see if + the PadLock is available. */ + static int +padlock_available(void) +{ + char vendor_string[16]; + unsigned int eax, edx; + + /* Are we running on the Centaur (VIA) CPU? */ + eax = 0x00000000; + vendor_string[12] = 0; + asm volatile ( + "cpuid\n" + "movl %%ebx,(%1)\n" + "movl %%edx,4(%1)\n" + "movl %%ecx,8(%1)\n" + : "+a"(eax) : "r"(vendor_string) : "rbx", "rcx", "rdx"); + if (strcmp(vendor_string, "CentaurHauls") != 0) + return 0; + + /* Check for Centaur Extended Feature Flags presence */ + eax = 0xC0000000; + asm volatile ("cpuid" + : "+a"(eax) : : "rbx", "rcx", "rdx"); + if (eax < 0xC0000001) + return 0; + + /* Read the Centaur Extended Feature Flags */ + eax = 0xC0000001; + asm volatile ("cpuid" + : "+a"(eax), "=d"(edx) : : "rbx", "rcx"); + + /* Fill up some flags */ + padlock_use_ace = ((edx & (0x3<<6)) == (0x3<<6)); + padlock_use_rng = ((edx & (0x3<<2)) == (0x3<<2)); + + return padlock_use_ace + padlock_use_rng; +} + +/* Force key reload from memory to the CPU microcode. + Loading EFLAGS from the stack clears EFLAGS[30] + which does the trick. */ + static inline void +padlock_reload_key(void) +{ + asm volatile ("pushfq; popfq"); +} + +#ifndef OPENSSL_NO_AES +/* + * This is heuristic key context tracing. At first one + * believes that one should use atomic swap instructions, + * but it's not actually necessary. Point is that if + * padlock_saved_context was changed by another thread + * after we've read it and before we compare it with cdata, + * our key *shall* be reloaded upon thread context switch + * and we are therefore set in either case... + */ + static inline void +padlock_verify_context(struct padlock_cipher_data *cdata) +{ + asm volatile ( + "pushfq\n" + " btl $30,(%%rsp)\n" + " jnc 1f\n" + " cmpq %2,%1\n" + " je 1f\n" + " popfq\n" + " subq $8,%%rsp\n" + "1: addq $8,%%rsp\n" + " movq %2,%0" + :"+m"(padlock_saved_context) + : "r"(padlock_saved_context), "r"(cdata) : "cc"); +} + +/* Template for padlock_xcrypt_* modes */ +/* BIG FAT WARNING: + * The offsets used with 'leal' instructions + * describe items of the 'padlock_cipher_data' + * structure. + */ +#define PADLOCK_XCRYPT_ASM(name,rep_xcrypt) \ + static inline void *name(size_t cnt, \ + struct padlock_cipher_data *cdata, \ + void *out, const void *inp) \ +{ void *iv; \ + asm volatile ( "leaq 16(%0),%%rdx\n" \ + " leaq 32(%0),%%rbx\n" \ + rep_xcrypt "\n" \ + : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \ + : "0"(cdata), "1"(cnt), "2"(out), "3"(inp) \ + : "rbx", "rdx", "cc", "memory"); \ + return iv; \ +} +#endif + +#endif /* cpu */ + +#ifndef OPENSSL_NO_AES + + /* Generate all functions with appropriate opcodes */ PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb, ".byte 0xf3,0x0f,0xa7,0xc8") /* rep xcryptecb */ PADLOCK_XCRYPT_ASM(padlock_xcrypt_cbc, ".byte 0xf3,0x0f,0xa7,0xd0") /* rep xcryptcbc */ PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0") /* rep xcryptcfb */ PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8") /* rep xcryptofb */ + +/* Our own htonl()/ntohl() */ +static inline void +padlock_bswapl(AES_KEY *ks) +{ + size_t i = sizeof(ks->rd_key)/sizeof(ks->rd_key[0]); + unsigned int *key = ks->rd_key; + + while (i--) { + asm volatile ("bswapl %0" : "+r"(*key)); + key++; + } +} #endif /* The RNG call itself */ @@ -491,8 +599,8 @@ padlock_xstore(void *addr, unsigned int static inline unsigned char * padlock_memcpy(void *dst,const void *src,size_t n) { - long *d=dst; - const long *s=src; + size_t *d=dst; + const size_t *s=src; n /= sizeof(*d); do { *d++ = *s++; } while (--n); Index: openssl-1.0.1c/engines/e_padlock.c =================================================================== --- openssl-1.0.1c.orig/engines/e_padlock.c +++ openssl-1.0.1c/engines/e_padlock.c @@ -457,30 +457,33 @@ padlock_available(void) { char vendor_string[16]; unsigned int eax, edx; + size_t scratch; /* Are we running on the Centaur (VIA) CPU? */ eax = 0x00000000; vendor_string[12] = 0; asm volatile ( + "movq %%rbx,%1\n" "cpuid\n" - "movl %%ebx,(%1)\n" - "movl %%edx,4(%1)\n" - "movl %%ecx,8(%1)\n" - : "+a"(eax) : "r"(vendor_string) : "rbx", "rcx", "rdx"); + "movl %%ebx,(%2)\n" + "movl %%edx,4(%2)\n" + "movl %%ecx,8(%2)\n" + "movq %1,%%rbx" + : "+a"(eax), "=&r"(scratch) : "r"(vendor_string) : "rcx", "rdx"); if (strcmp(vendor_string, "CentaurHauls") != 0) return 0; /* Check for Centaur Extended Feature Flags presence */ eax = 0xC0000000; - asm volatile ("cpuid" - : "+a"(eax) : : "rbx", "rcx", "rdx"); + asm volatile ("movq %%rbx,%1; cpuid; movq %1,%%rbx" + : "+a"(eax), "=&r"(scratch) : : "rcx", "rdx"); if (eax < 0xC0000001) return 0; /* Read the Centaur Extended Feature Flags */ eax = 0xC0000001; - asm volatile ("cpuid" - : "+a"(eax), "=d"(edx) : : "rbx", "rcx"); + asm volatile ("movq %%rbx,%2; cpuid; movq %2,%%rbx" + : "+a"(eax), "=d"(edx), "=&r"(scratch) : : "rcx"); /* Fill up some flags */ padlock_use_ace = ((edx & (0x3<<6)) == (0x3<<6)); @@ -536,12 +539,15 @@ padlock_verify_context(struct padlock_ci struct padlock_cipher_data *cdata, \ void *out, const void *inp) \ { void *iv; \ - asm volatile ( "leaq 16(%0),%%rdx\n" \ + size_t scratch; \ + asm volatile ( "movq %%rbx,%4\n" \ + " leaq 16(%0),%%rdx\n" \ " leaq 32(%0),%%rbx\n" \ rep_xcrypt "\n" \ - : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \ + " movq %4,%%rbx" \ + : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp), "=&r"(scratch) \ : "0"(cdata), "1"(cnt), "2"(out), "3"(inp) \ - : "rbx", "rdx", "cc", "memory"); \ + : "rdx", "cc", "memory"); \ return iv; \ } #endif ++++++ baselibs.conf ++++++ libopenssl1_0_0 obsoletes "openssl-<targettype> <= <version>" libopenssl-devel requires -libopenssl-<targettype> requires "libopenssl1_0_0-<targettype> = <version>" ++++++ bug610223.patch ++++++ Index: openssl-1.0.0/Configure =================================================================== --- openssl-1.0.0.orig/Configure +++ openssl-1.0.0/Configure @@ -1673,7 +1673,8 @@ while (<IN>) } elsif (/^#define\s+ENGINESDIR/) { - my $foo = "$prefix/$libdir/engines"; + #my $foo = "$prefix/$libdir/engines"; + my $foo = "/$libdir/engines"; $foo =~ s/\\/\\\\/g; print OUT "#define ENGINESDIR \"$foo\"\n"; } ++++++ compression_methods_switch.patch ++++++ Index: openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod =================================================================== --- openssl-1.0.1e.orig/doc/ssl/SSL_COMP_add_compression_method.pod +++ openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod @@ -41,6 +41,24 @@ of compression methods supported on a pe The OpenSSL library has the compression methods B<COMP_rle()> and (when especially enabled during compilation) B<COMP_zlib()> available. +And, there is an environment variable to switch the compression +methods off and on. In default the compression is off to mitigate +the so called CRIME attack ( CVE-2012-4929). If you want to enable +compression again set OPENSSL_NO_DEFAULT_ZLIB to "no". + +The variable can be switched on and off at runtime; when this variable +is set "no" compression is enabled, otherwise no, for example: + +in shell 'export OPENSSL_NO_DEFAULT_ZLIB=no' +or in C to call +int setenv(const char *name, const char *value, int overwrite); and +int unsetenv(const char *name); + +Note: This reverts the behavior of the variable as it was before! + +And pay attention that this freaure is temporary, it maybe changed by +the following updates. + =head1 WARNINGS Once the identities of the compression methods for the TLS protocol have Index: openssl-1.0.1e/ssl/ssl_ciph.c =================================================================== --- openssl-1.0.1e.orig/ssl/ssl_ciph.c +++ openssl-1.0.1e/ssl/ssl_ciph.c @@ -452,10 +452,16 @@ static void load_builtin_compressions(vo if (ssl_comp_methods == NULL) { SSL_COMP *comp = NULL; + const char *nodefaultzlib; MemCheck_off(); ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp); - if (ssl_comp_methods != NULL) + + /* The default is "no" compression to avoid CRIME/BEAST */ + nodefaultzlib = getenv("OPENSSL_NO_DEFAULT_ZLIB"); + if ( ssl_comp_methods != NULL && + nodefaultzlib && + strncmp( nodefaultzlib, "no", 2) == 0) { comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); if (comp != NULL) ++++++ merge_from_0.9.8k.patch ++++++ --- openssl-1.0.1c.orig/Configure +++ openssl-1.0.1c/Configure @@ -931,7 +931,7 @@ PROCESS_ARGS: } else { - die "target already defined - $target (offending arg: $_)\n" if ($target ne ""); + warn "target already defined - $target (offending arg: $_)\n" if ($target ne ""); $target=$_; } @@ -1204,7 +1204,7 @@ if ($target =~ /^mingw/ && `$cc --target my $no_shared_warn=0; my $no_user_cflags=0; -if ($flags ne "") { $cflags="$flags$cflags"; } +if ($flags ne "") { $cflags="$cflags $flags"; } else { $no_user_cflags=1; } # Kerberos settings. The flavor must be provided from outside, either through --- openssl-1.0.1c.orig/config +++ openssl-1.0.1c/config @@ -573,7 +573,8 @@ case "$GUESSOS" in options="$options -arch%20${MACHINE}" OUT="iphoneos-cross" ;; alpha-*-linux2) - ISA=`awk '/cpu model/{print$4;exit(0);}' /proc/cpuinfo` + #ISA=`awk '/cpu model/{print$4;exit(0);}' /proc/cpuinfo` + ISA=EV56 case ${ISA:-generic} in *[678]) OUT="linux-alpha+bwx-$CC" ;; *) OUT="linux-alpha-$CC" ;; @@ -593,7 +594,8 @@ case "$GUESSOS" in echo " You have about 5 seconds to press Ctrl-C to abort." (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1 fi - OUT="linux-ppc" + # we have the target and force it here + OUT="linux-ppc64" ;; ppc-*-linux2) OUT="linux-ppc" ;; ppc60x-*-vxworks*) OUT="vxworks-ppc60x" ;; @@ -614,10 +616,10 @@ case "$GUESSOS" in sparc-*-linux2) KARCH=`awk '/^type/{print$3;exit(0);}' /proc/cpuinfo` case ${KARCH:-sun4} in - sun4u*) OUT="linux-sparcv9" ;; - sun4m) OUT="linux-sparcv8" ;; - sun4d) OUT="linux-sparcv8" ;; - *) OUT="linux-generic32"; options="$options -DB_ENDIAN" ;; +# sun4u*) OUT="linux-sparcv9" ;; +# sun4m) OUT="linux-sparcv8" ;; +# sun4d) OUT="linux-sparcv8" ;; + *) OUT="linux-sparcv8" ;; esac ;; parisc*-*-linux2) # 64-bit builds under parisc64 linux are not supported and @@ -636,7 +638,11 @@ case "$GUESSOS" in # PA8500 -> 8000 (2.0) # PA8600 -> 8000 (2.0) - CPUSCHEDULE=`echo $CPUSCHEDULE|sed -e 's/7300LC/7100LC/' -e 's/8.00/8000/'` + # CPUSCHEDULE=`echo $CPUSCHEDULE|sed -e 's/7300LC/7100LC/' -e 's/8?00/8000/'` + # lets have CPUSCHEDULE for 1.1: + CPUSCHEDULE=7100LC + # we want to support 1.1 CPUs as well: + CPUARCH=1.1 # Finish Model transformations options="$options -DB_ENDIAN -mschedule=$CPUSCHEDULE -march=$CPUARCH" ++++++ openssl-1.0.0-c_rehash-compat.diff ++++++ >From 83f318d68bbdab1ca898c94576a838cc97df4700 Mon Sep 17 00:00:00 2001 From: Ludwig Nussel <ludwig.nus...@suse.de> Date: Wed, 21 Apr 2010 15:52:10 +0200 Subject: [PATCH] also create old hash for compatibility --- tools/c_rehash.in | 8 +++++++- 1 files changed, 7 insertions(+), 1 deletions(-) diff --git a/tools/c_rehash.in b/tools/c_rehash.in index bfc4a69..f8d0ce1 100644 --- a/tools/c_rehash.in +++ b/tools/c_rehash.in @@ -83,6 +83,7 @@ sub hash_dir { next; } link_hash_cert($fname) if($cert); + link_hash_cert_old($fname) if($cert); link_hash_crl($fname) if($crl); } } @@ -116,8 +117,9 @@ sub check_file { sub link_hash_cert { my $fname = $_[0]; + my $hashopt = $_[1] || '-subject_hash'; $fname =~ s/'/'\\''/g; - my ($hash, $fprint) = `"$openssl" x509 -hash -fingerprint -noout -in "$fname"`; + my ($hash, $fprint) = `"$openssl" x509 $hashopt -fingerprint -noout -in "$fname"`; chomp $hash; chomp $fprint; $fprint =~ s/^.*=//; @@ -147,6 +149,10 @@ sub link_hash_cert { $hashlist{$hash} = $fprint; } +sub link_hash_cert_old { + link_hash_cert($_[0], '-subject_hash_old'); +} + # Same as above except for a CRL. CRL links are of the form <hash>.r<n> sub link_hash_crl { -- 1.6.4.2 ++++++ openssl-1.0.0-c_rehash_accept_file_exts.patch ++++++ Index: openssl-1.0.1c/tools/c_rehash.in =================================================================== --- openssl-1.0.1c.orig/tools/c_rehash.in +++ openssl-1.0.1c/tools/c_rehash.in @@ -75,7 +75,7 @@ sub hash_dir { } } closedir DIR; - FILE: foreach $fname (grep {/\.pem$/} @flist) { + FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) { # Check to see if certificates and/or CRLs present. my ($cert, $crl) = check_file($fname); if(!$cert && !$crl) { ++++++ openssl.test ++++++ openssl autmatically tests iteslf, no further testing needed -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
