|
|
|
|
Changelog for libopenssl3-3.3.2-102.3.x86_64.rpm :
* Thu Sep 26 2024 Antonio Larrosa - Update to 3.3.2: * Fixed possible denial of service in X.509 name checks. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an otherName subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program. (CVE-2024-6119) * Fixed possible buffer overread in SSL_select_next_proto(). Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer. (CVE-2024-5535)- Update to 3.3.1: * Fixed potential use after free after SSL_free_buffers() is called. The SSL_free_buffers function is used to free the internal OpenSSL buffer used when processing an incoming record from the network. The call is only expected to succeed if the buffer is not currently in use. However, two scenarios have been identified where the buffer is freed even when still in use. The first scenario occurs where a record header has been received from the network and processed by OpenSSL, but the full record body has not yet arrived. In this case calling SSL_free_buffers will succeed even though a record has only been partially processed and the buffer is still in use. The second scenario occurs where a full record containing application data has been received and processed by OpenSSL but the application has only read part of this data. Again a call to SSL_free_buffers will succeed even though the buffer is still in use. (CVE-2024-4741) * Fixed an issue where checking excessively long DSA keys or parameters may be very slow. Applications that use the functions EVP_PKEY_param_check() or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error reason. (CVE-2024-4603) * Improved EC/DSA nonce generation routines to avoid bias and timing side channel leaks.- Update to 3.3.0: * The -verify option to the openssl crl and openssl req will make the program exit with 1 on failure. * The BIO_get_new_index() function can only be called 127 times before it reaches its upper bound of BIO_TYPE_MASK. It will now correctly return an error of -1 once it is exhausted. Users may need to reserve using this function for cases where BIO_find_type() is required. Either BIO_TYPE_NONE or BIO_get_new_index() can be used to supply a type to BIO_meth_new(). * Added API functions SSL_SESSION_get_time_ex(), SSL_SESSION_set_time_ex() using time_t which is Y2038 safe on 32 bit systems when 64 bit time is enabled (e.g via setting glibc macro _TIME_BITS=64). * The d2i_ASN1_GENERALIZEDTIME(), d2i_ASN1_UTCTIME(), ASN1_TIME_check(), and related functions have been augmented to check for a minimum length of the input string, in accordance with ITU-T X.690 section 11.7 and 11.8. * Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms config options and the respective calls to SSL[_CTX]_set1_sigalgs() and SSL[_CTX]_set1_client_sigalgs() that start with ? character are ignored and the configuration will still be used. Similarly unknown entries that start with ? character in a TLS Groups config option or set with SSL[_CTX]_set1_groups_list() are ignored and the configuration will still be used. In both cases if the resulting list is empty, an error is returned. * The EVP_PKEY_fromdata function has been augmented to allow for the derivation of CRT (Chinese Remainder Theorem) parameters when requested. See the OSSL_PKEY_PARAM_RSA_DERIVE_FROM_PQ param in the EVP_PKEY-RSA documentation. * The activate and soft_load configuration settings for providers in openssl.cnf have been updated to require a value of [1|yes|true|on] (in lower or UPPER case) to enable the setting. Conversely a value of [0|no|false|off] will disable the setting. All other values, or the omission of a value for these settings will result in an error. * Added -set_issuer and -set_subject options to openssl x509 to override the Issuer and Subject when creating a certificate. The -subj option now is an alias for -set_subject. * OPENSSL_sk_push() and sk__push() functions now return 0 instead of -1 if called with a NULL stack argument. * In openssl speed, changed the default hash function used with hmac from md5 to sha256. * Added several new features of CMPv3 defined in RFC 9480 and RFC 9483: - certProfile request message header and respective -profile CLI option - support for delayed delivery of all types of response messages * The build of exporters (such as .pc files for pkg-config) cleaned up to be less hard coded in the build file templates, and to allow easier addition of more exporters. With that, an exporter for CMake is also added. * The BLAKE2s hash algorithm matches BLAKE2b\'s support for configurable output length. * New option SSL_OP_PREFER_NO_DHE_KEX, which allows configuring a TLS1.3 server to prefer session resumption using PSK-only key exchange over PSK with DHE, if both are available. * New API SSL_write_ex2, which can be used to send an end-of-stream (FIN) condition in an optimised way when using QUIC. * New atexit configuration switch, which controls whether the OPENSSL_cleanup is registered when libcrypto is unloaded. This is turned off on NonStop configurations because of loader differences on that platform compared to Linux. * Support for qlog for tracing QUIC connections has been added. The qlog output from OpenSSL currently uses a pre-standard draft version of qlog. The output from OpenSSL will change in incompatible ways in future releases, and is not subject to any format stability or compatibility guarantees at this time. This functionality can be disabled with the build-time option no-unstable-qlog. See the openssl-qlog(7) manpage for details. * Added APIs to allow configuring the negotiated idle timeout for QUIC connections, and to allow determining the number of additional streams that can currently be created for a QUIC connection. * Added APIs to allow disabling implicit QUIC event processing for QUIC SSL objects, allowing applications to control when event handling occurs. Refer to the SSL_get_value_uint(3) manpage for details. * Limited support for polling of QUIC connection and stream objects in a non-blocking manner. Refer to the SSL_poll(3) manpage for details. * Added APIs to allow querying the size and utilisation of a QUIC stream\'s write buffer. Refer to the SSL_get_value_uint(3) manpage for details. * New limit on HTTP response headers is introduced to HTTP client. The default limit is set to 256 header lines. If limit is exceeded the response processing stops with error HTTP_R_RESPONSE_TOO_MANY_HDRLINES. Application may call OSSL_HTTP_REQ_CTX_set_max_response_hdr_lines(3) to change the default. Setting the value to 0 disables the limit. * Applied AES-GCM unroll8 optimisation to Microsoft Azure Cobalt 100 * Added X509_STORE_get1_objects to avoid issues with the existing X509_STORE_get0_objects API in multi-threaded applications. Refer to the documentation for details. * Added assembly implementation for md5 on loongarch64 * Optimized AES-CTR for ARM Neoverse V1 and V2 * Enable AES and SHA3 optimisations on Applie Silicon M3-based MacOS systems similar to M1/M2. * Added a new EVP_DigestSqueeze() API. This allows SHAKE to squeeze multiple times with different output sizes. * Various optimizations for cryptographic routines using RISC-V vector crypto extensions * Accept longer context for TLS 1.2 exporters While RFC 5705 implies that the maximum length of a context for exporters is 65535 bytes as the length is embedded in uint16, the previous implementation enforced a much smaller limit, which is less than 1024 bytes. This restriction has been removed.- Update to 3.2.2: * Fixed an issue where some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions. An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service (CVE-2024-2511) * Fixed bug where SSL_export_keying_material() could not be used with QUIC connections. (#23560) * Mon May 20 2024 Otto Hollmann - Security fix: [bsc#1224388, CVE-2024-4603] * Check DSA parameters for excessive sizes before validating * Add openssl-CVE-2024-4603.patch * Tue May 07 2024 Giuliano Belinassi - Enable livepatching support (bsc#1223428) * Tue May 07 2024 Otto Hollmann - Add ktls capability [bsc#1216950] Already added in January, but not mentioned in this changelog. * Mon May 06 2024 Otto Hollmann - Security fix: [bsc#1222548, CVE-2024-2511] * Fix unconstrained session cache growth in TLSv1.3 * Add openssl-CVE-2024-2511.patch * Fri Feb 23 2024 Pedro Monreal - Build the 32bit flavor of libopenssl-3-fips-provider [bsc#1220232] * Update baselibs.conf * Mon Feb 05 2024 Otto Hollmann - Add migration script to move old files (bsc#1219562) /etc/ssl/engines.d/ * -> /etc/ssl/engines1.1.d.rpmsave /etc/ssl/engdef.d/ * -> /etc/ssl/engdef1.1.d.rpmsave They will be later restored by openssl-1_1 package to engines1.1.d and engdef1.1.d * Fri Feb 02 2024 Otto Hollmann - Update to 3.2.1: * Fixed PKCS12 Decoding crashes (CVE-2024-0727) * Fixed excessive time spent checking invalid RSA public keys (CVE-2023-6237) * Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC CPUs which support PowerISA 2.07 (CVE-2023-6129) * Fixed excessive time spent in DH check / generation with large Q parameter value [(CVE-2023-5678)] * Remove patches: - openssl-CVE-2023-6237.patch - openssl-CVE-2023-6129.patch - openssl-CVE-2023-6237.patch - openssl-CVE-2024-0727.patch - openssl-Remove-the-source-directory-.num-targets.patch - openssl-Enable-BTI-feature-for-md5-on-aarch64.patch - openssl-Fix_test_symbol_presence.patch * Tue Jan 30 2024 Otto Hollmann - Security fix: [bsc#1219243, CVE-2024-0727] * Add NULL checks where ContentInfo data can be NULL * Add openssl-CVE-2024-0727.patch * Mon Jan 29 2024 Pedro Monreal - Encapsulate the fips provider into a new package called libopenssl-3-fips-provider. * Mon Jan 22 2024 Otto Hollmann - Added openssl-3-use-include-directive.patch so that the default /etc/ssl/openssl.cnf file will include any configuration files that other packages might place into /etc/ssl/engines3.d/ and /etc/ssl/engdef3.d/. Also create symbolic links /etc/ssl/engines.d/ and /etc/ssl/engdef.d/ to above versioned directories.- Updated spec file to create the two new necessary directores for the above patch and two symbolic links to above directories. [bsc#1194187, bsc#1207472, bsc#1218933] * Mon Jan 22 2024 Otto Hollmann - Replace our reverted commit with an upstream version * rename openssl-Revert-Makefile-Call-mknum.pl-on-make-ordinals-only-if.patch to openssl-Remove-the-source-directory-.num-targets.patch * Tue Jan 16 2024 Otto Hollmann - Security fix: [bsc#1218810, CVE-2023-6237] * Limit the execution time of RSA public key check * Add openssl-CVE-2023-6237.patch * Sun Jan 14 2024 Pedro Monreal - Rename openssl-Override-default-paths-for-the-CA-directory-tree.patch to openssl-crypto-policies-support.patch * Sat Jan 13 2024 Pedro Monreal - Embed the FIPS hmac. Add openssl-FIPS-embed-hmac.patch * Sat Jan 13 2024 Pedro Monreal - Load the FIPS provider and set FIPS properties implicitly. * Add openssl-Force-FIPS.patch [bsc#1217934]- Disable the fipsinstall command-line utility. * Add openssl-disable-fipsinstall.patch- Add instructions to load legacy provider in openssl.cnf. * openssl-load-legacy-provider.patch- Disable the default provider for the test suite. * openssl-Disable-default-provider-for-test-suite.patch * Thu Jan 11 2024 Otto Hollmann - Security fix: [bsc#1218690, CVE-2023-6129] * POLY1305: Fix vector register clobbering on PowerPC * Add openssl-CVE-2023-6129.patch * Thu Dec 07 2023 Guillaume GARDET - Add patch to fix BTI enablement on aarch64: * openssl-Enable-BTI-feature-for-md5-on-aarch64.patch * Thu Nov 23 2023 Otto Hollmann - Update to 3.2.0: * The BLAKE2b hash algorithm supports a configurable output length by setting the \"size\" parameter. * Enable extra Arm64 optimization on Windows for GHASH, RAND and AES. * Added a function to delete objects from store by URI - OSSL_STORE_delete() and the corresponding provider-storemgmt API function OSSL_FUNC_store_delete(). * Added OSSL_FUNC_store_open_ex() provider-storemgmt API function to pass a passphrase callback when opening a store. * Changed the default salt length used by PBES2 KDF\'s (PBKDF2 and scrypt) from 8 bytes to 16 bytes. The PKCS5 (RFC 8018) standard uses a 64 bit salt length for PBE, and recommends a minimum of 64 bits for PBES2. For FIPS compliance PBKDF2 requires a salt length of 128 bits. This affects OpenSSL command line applications such as \"genrsa\" and \"pkcs8\" and API\'s such as PEM_write_bio_PrivateKey() that are reliant on the default value. The additional commandline option \'saltlen\' has been added to the OpenSSL command line applications for \"pkcs8\" and \"enc\" to allow the salt length to be set to a non default value. * Changed the default value of the ess_cert_id_alg configuration option which is used to calculate the TSA\'s public key certificate identifier. The default algorithm is updated to be sha256 instead of sha1. * Added optimization for SM2 algorithm on aarch64. It uses a huge precomputed table for point multiplication of the base point, which increases the size of libcrypto from 4.4 MB to 4.9 MB. A new configure option no-sm2-precomp has been added to disable the precomputed table. * Added client side support for QUIC * Added multiple tutorials on the OpenSSL library and in particular on writing various clients (using TLS and QUIC protocols) with libssl. * Added secp384r1 implementation using Solinas\' reduction to improve speed of the NIST P-384 elliptic curve. To enable the implementation the build option enable-ec_nistp_64_gcc_128 must be used. * Improved RFC7468 compliance of the asn1parse command. * Added SHA256/192 algorithm support. * Added support for securely getting root CA certificate update in CMP. * Improved contention on global write locks by using more read locks where appropriate. * Improved performance of OSSL_PARAM lookups in performance critical provider functions. * Added the SSL_get0_group_name() function to provide access to the name of the group used for the TLS key exchange. * Provide a new configure option no-http that can be used to disable the HTTP support. Provide new configure options no-apps and no-docs to disable building the openssl command line application and the documentation. * Provide a new configure option no-ecx that can be used to disable the X25519, X448, and EdDSA support. * When multiple OSSL_KDF_PARAM_INFO parameters are passed to the EVP_KDF_CTX_set_params() function they are now concatenated not just for the HKDF algorithm but also for SSKDF and X9.63 KDF algorithms. * Added OSSL_FUNC_keymgmt_im/export_types_ex() provider functions that get the provider context as a parameter. * TLS round-trip time calculation was added by a Brigham Young University Capstone team partnering with Sandia National Laboratories. A new function in ssl_lib titled SSL_get_handshake_rtt will calculate and retrieve this value. * Added the \"-quic\" option to s_client to enable connectivity to QUIC servers. QUIC requires the use of ALPN, so this must be specified via the \"-alpn\" option. Use of the \"advanced\" s_client command command via the \"-adv\" option is recommended. * Added an \"advanced\" command mode to s_client. Use this with the \"-adv\" option. The old \"basic\" command mode recognises certain letters that must always appear at the start of a line and cannot be escaped. The advanced command mode enables commands to be entered anywhere and there is an escaping mechanism. After starting s_client with \"-adv\" type \"{help}\" to show a list of available commands. * Add Raw Public Key (RFC7250) support. Authentication is supported by matching keys against either local policy (TLSA records synthesised from the expected keys) or DANE (TLSA records obtained by the application from DNS). TLSA records will also match the same key in the server certificate, should RPK use not happen to be negotiated. * Added support for modular exponentiation and CRT offloading for the S390x architecture. * Added further assembler code for the RISC-V architecture. * Added EC_GROUP_to_params() which creates an OSSL_PARAM array from a given EC_GROUP. * Improved support for non-default library contexts and property queries when parsing PKCS#12 files. * Implemented support for all five instances of EdDSA from RFC8032: Ed25519, Ed25519ctx, Ed25519ph, Ed448, and Ed448ph. The streaming is not yet supported for the HashEdDSA variants (Ed25519ph and Ed448ph). * Added SM4 optimization for ARM processors using ASIMD and AES HW instructions. * Implemented SM4-XTS support. * Added platform-agnostic OSSL_sleep() function. * Implemented deterministic ECDSA signatures (RFC6979) support. * Implemented AES-GCM-SIV (RFC8452) support. * Added support for pluggable (provider-based) TLS signature algorithms. This enables TLS 1.3 authentication operations with algorithms embedded in providers not included by default in OpenSSL. In combination with the already available pluggable KEM and X.509 support, this enables for example suitable providers to deliver post-quantum or quantum-safe cryptography to OpenSSL users. * Added support for pluggable (provider-based) CMS signature algorithms. This enables CMS sign and verify operations with algorithms embedded in providers not included by default in OpenSSL. * Added support for Hybrid Public Key Encryption (HPKE) as defined in RFC9180. HPKE is required for TLS Encrypted ClientHello (ECH), Message Layer Security (MLS) and other IETF specifications. HPKE can also be used by other applications that require encrypting \"to\" an ECDH public key. External APIs are defined in include/openssl/hpke.h and documented in doc/man3/OSSL_HPKE_CTX_new.pod * Implemented HPKE DHKEM support in providers used by HPKE (RFC9180) API. * Add support for certificate compression (RFC8879), including library support for Brotli and Zstandard compression. * Add the ability to add custom attributes to PKCS12 files. Add a new API PKCS12_create_ex2, identical to the existing PKCS12_create_ex but allows for a user specified callback and optional argument. Added a new PKCS12_SAFEBAG_set0_attr, which allows for a new attr to be added to the existing STACK_OF attrs. * Major refactor of the libssl record layer. * Add a mac salt length option for the pkcs12 command. * Add more SRTP protection profiles from RFC8723 and RFC8269. * Extended Kernel TLS (KTLS) to support TLS 1.3 receive offload. * Add support for TCP Fast Open (RFC7413) to macOS, Linux, and FreeBSD where supported and enabled. * Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489) to the list of ciphersuites providing Perfect Forward Secrecy as required by SECLEVEL >= 3. * Add new SSL APIs to aid in efficiently implementing TLS/SSL fingerprinting. The SSL_CTRL_GET_IANA_GROUPS control code, exposed as the SSL_get0_iana_groups() function-like macro, retrieves the list of supported groups sent by the peer. The function SSL_client_hello_get_extension_order() populates a caller-supplied array with the list of extension types present in the ClientHello, in order of appearance. * Fixed PEM_write_bio_PKCS8PrivateKey() and PEM_write_bio_PKCS8PrivateKey_nid() to make it possible to use empty passphrase strings. * The PKCS12_parse() function now supports MAC-less PKCS12 files. * Added ASYNC_set_mem_functions() and ASYNC_get_mem_functions () calls to be able to change functions used for allocating the memory of asynchronous call stack. * Added support for signed BIGNUMs in the OSSL_PARAM APIs. * A failure exit code is returned when using the openssl x509 command to check certificate attributes and the checks fail. * The default SSL/TLS security level has been changed from 1 to 2. RSA, DSA and DH keys of 1024 bits and above and less than 2048 bits and ECC keys of 160 bits and above and less than 224 bits were previously accepted by default but are now no longer allowed. By default TLS compression was already disabled in previous OpenSSL versions. At security level 2 it cannot be enabled. * The SSL_CTX_set_cipher_list family functions now accept ciphers using their IANA standard names. * The PVK key derivation function has been moved from b2i_PVK_bio_ex () into the legacy crypto provider as an EVP_KDF. Applications requiring this KDF will need to load the legacy crypto provider. * CCM8 cipher suites in TLS have been downgraded to security level zero because they use a short authentication tag which lowers their strength. * Subject or issuer names in X.509 objects are now displayed as UTF-8 strings by default. * Add X.509 certificate codeSigning purpose and related checks on key usage and extended key usage of the leaf certificate according to the CA/Browser Forum. * The x509, ca, and req apps now produce X.509 v3 certificates. The -x509v1 option of req prefers generation of X.509 v1 certificates. X509_sign() and X509_sign_ctx() make sure that the certificate has X.509 version 3 if the certificate information includes X.509 extensions. * Fix and extend certificate handling and the apps x509, verify etc. such as adding a trace facility for debugging certificate chain building. * Various fixes and extensions to the CMP+CRMF implementation and the cmp app in particular supporting requests for central key generation, generalized polling, and various types of genm/genp exchanges defined in CMP Updates. * Fixes and extensions to the HTTP client and to the HTTP server in apps/ like correcting the TLS and proxy support and adding tracing for debugging. * Extended the CMS API for handling CMS_SignedData and CMS_EnvelopedData. * CMS_add0_cert() and CMS_add1_cert() no longer throw an error if a certificate to be added is already present. CMS_sign_ex() and CMS_sign() now ignore any duplicate certificates in their certs argument and no longer throw an error for them. * Fixed and extended util/check-format.pl for checking adherence to the coding style https://www.openssl.org/policies/technical/coding-style.html. The checks are meanwhile more complete and yield fewer false positives. * Added BIO_s_dgram_pair() and BIO_s_dgram_mem() that provide memory-based BIOs with datagram semantics and support for BIO_sendmmsg() and BIO_recvmmsg() calls. They can be used as the transport BIOs for QUIC. * Add new BIO_sendmmsg() and BIO_recvmmsg() BIO methods which allow sending and receiving multiple messages in a single call. An implementation is provided for BIO_dgram. For further details, see BIO_sendmmsg(3). * Support for loading root certificates from the Windows certificate store has been added. The support is in the form of a store which recognises the URI string of org.openssl.winstore://. This URI scheme currently takes no arguments. This store is built by default and can be disabled using the new compile-time option no-winstore. This store is not currently used by default and must be loaded explicitly using the above store URI. It is expected to be loaded by default in the future. * Enable KTLS with the TLS 1.3 CCM mode ciphersuites. Note that some linux kernel versions that support KTLS have a known bug in CCM processing. That has been fixed in stable releases starting from 5.4.164, 5.10.84, 5.15.7, and all releases since 5.16. KTLS with CCM ciphersuites should be only used on these releases. * Added -ktls option to s_server and s_client commands to enable the KTLS support. * Zerocopy KTLS sendfile() support on Linux. * The OBJ_ calls are now thread safe using a global lock. * New parameter -digest for openssl cms command allowing signing pre-computed digests and new CMS API functions supporting that functionality. * OPENSSL_malloc() and other allocation functions now raise errors on allocation failures. The callers do not need to explicitly raise errors unless they want to for tracing purposes. * Added and enabled by default implicit rejection in RSA PKCS#1 v1.5 decryption as a protection against Bleichenbacher-like attacks. The RSA decryption API will now return a randomly generated deterministic message instead of an error in case it detects an error when checking padding during PKCS#1 v1.5 decryption. This is a general protection against issues like CVE-2020-25659 and CVE-2020-25657. This protection can be disabled by calling EVP_PKEY_CTX_ctrl_str (ctx, \"rsa_pkcs1_implicit_rejection\". \"0\") on the RSA decryption context. * Added support for Brainpool curves in TLS-1.3. * Added OpenBSD specific build targets. * Support for Argon2d, Argon2i, Argon2id KDFs has been added along with a basic thread pool implementation for select platforms.- Revert 0e55c3ab to resolve \'libssl.so: undefined reference to `ossl_safe_getenv\' introduced by our patch openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch * Add openssl-Revert-Makefile-Call-mknum.pl-on-make-ordinals-only-if.patch- Remove patches (already upsteram): * openssl-Add_support_for_Windows_CA_certificate_store.patch * openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch * openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch * openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch * openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch * openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch * openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch * openssl-CVE-2023-5678.patch- Refresh patches: * openssl-no-html-docs.patch * openssl-truststore.patch * openssl-pkgconfig.patch * openssl-DEFAULT_SUSE_cipher.patch * openssl-ppc64-config.patch * openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch * openssl-Override-default-paths-for-the-CA-directory-tree.patch * openssl-Add-FIPS_mode-compatibility-macro.patch * openssl-Add-Kernel-FIPS-mode-flag-support.patch- Drop openssl-no-date.patch Upstream added support for reproducible builds via SOURCE_DATE_EPOCH in https://github.com/openssl/openssl/commit/8a8d9e190533ee41e8b231b18c7837f98f1ae231 thereby making this patch obsolete as builds *should * still be reproducible.- Add openssl-Fix_test_symbol_presence.patch * Mon Nov 13 2023 Otto Hollmann - Security fix: [bsc#1216922, CVE-2023-5678] * Fix excessive time spent in DH check / generation with large Q parameter value. * Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex () or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. * Add openssl-CVE-2023-5678.patch * Tue Oct 24 2023 Otto Hollmann - Update to 3.1.4: * Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() with OSSL_PARAM parameters that alter the key or IV length [bsc#1216163, CVE-2023-5363]. * Thu Oct 19 2023 Otto Hollmann - Performance enhancements for cryptography from OpenSSL 3.2 [jsc#PED-5086, jsc#PED-3514] * Add patches: - openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch - openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch - openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch - openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch - openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch - openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch * Thu Oct 19 2023 Pedro Monreal - FIPS: Add the FIPS_mode() compatibility macro and flag support. * Add patches: - openssl-Add-FIPS_mode-compatibility-macro.patch - openssl-Add-Kernel-FIPS-mode-flag-support.patch * Thu Oct 12 2023 - As of openssl 3.1.3, the devel package installs at least 5200 manpage files and is the owner of the most files in the man3 directory (in second place after lapack-man); move these manpages off to the -doc subpackage to reduce the walltime to install just openssl-3-devel (because there is also an invocation of mandb that runs at some point). * Tue Sep 19 2023 Otto Hollmann - Update to 3.1.3: * Fix POLY1305 MAC implementation corrupting XMM registers on Windows (CVE-2023-4807) * Tue Aug 01 2023 Pedro Monreal - Update to 3.1.2: * Fix excessive time spent checking DH q parameter value (bsc#1213853, CVE-2023-3817). The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped. * Fix DH_check() excessive time with over sized modulus (bsc#1213487, CVE-2023-3446). The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus (\"p\" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Do not ignore empty associated data entries with AES-SIV (bsc#1213383, CVE-2023-2975). The AES-SIV algorithm allows for authentication of multiple associated data entries along with the encryption. To authenticate empty data the application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with NULL pointer as the output buffer and 0 as the input buffer length. The AES-SIV implementation in OpenSSL just returns success for such call instead of performing the associated data authentication operation. The empty data thus will not be authenticated. The fix changes the authentication tag value and the ciphertext for applications that use empty associated data entries with AES-SIV. To decrypt data encrypted with previous versions of OpenSSL the application has to skip calls to EVP_DecryptUpdate() for empty associated data entries. * When building with the enable-fips option and using the resulting FIPS provider, TLS 1.2 will, by default, mandate the use of an extended master secret (FIPS 140-3 IG G.Q) and the Hash and HMAC DRBGs will not operate with truncated digests (FIPS 140-3 IG G.R). * Update openssl.keyring with the OTC members that sign releases * Remove openssl-z16-s390x.patch fixed upstream in https://github.com/openssl/openssl/pull/21284 * Remove security patches fixed upstream: - openssl-CVE-2023-2975.patch - openssl-CVE-2023-3446.patch - openssl-CVE-2023-3446-test.patch * Thu Jul 20 2023 Pedro Monreal - Security fix: [bsc#1213487, CVE-2023-3446] * Fix DH_check() excessive time with over sized modulus. * The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus (\"p\" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Add openssl-CVE-2023-3446.patch openssl-CVE-2023-3446-test.patch * Tue Jul 18 2023 Pedro Monreal - Security fix: [bsc#1213383, CVE-2023-2975] * AES-SIV implementation ignores empty associated data entries * Add openssl-CVE-2023-2975.patch * Tue Jun 20 2023 Otto Hollmann - Improve cross-package provides/conflicts [boo#1210313] * Add Provides/Conflicts: ssl-devel * Remove explicit conflicts with other devel-libraries * Remove Provides: openssl(cli) - it\'s managed by meta package * Tue May 30 2023 Otto Hollmann - Update to 3.1.1: * Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will translate (CVE-2023-2650, bsc#1211430) * Multiple algorithm implementation fixes for ARM BE platforms. * Added a -pedantic option to fipsinstall that adjusts the various settings to ensure strict FIPS compliance rather than backwards compatibility. * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which happens if the buffer size is 4 mod 5 in 16 byte AES blocks. This can trigger a crash of an application using AES-XTS decryption if the memory just after the buffer being decrypted is not mapped. Thanks to Anton Romanov (Amazon) for discovering the issue. (CVE-2023-1255, bsc#1210714) * Add FIPS provider configuration option to disallow the use of truncated digests with Hash and HMAC DRBGs (q.v. FIPS 140-3 IG D.R.). The option \'-no_drbg_truncated_digests\' can optionally be supplied to \'openssl fipsinstall\'. * Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention that it does not enable policy checking. Thanks to David Benjamin for discovering this issue. (CVE-2023-0466, bsc#1209873) * Fixed an issue where invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. (CVE-2023-0465, bsc#1209878) * Limited the number of nodes created in a policy tree to mitigate against CVE-2023-0464. The default limit is set to 1000 nodes, which should be sufficient for most installations. If required, the limit can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build time define to a desired maximum number of nodes or zero to allow unlimited growth. (CVE-2023-0464, bsc#1209624) * Update openssl.keyring with key A21F AB74 B008 8AA3 6115 2586 B8EF 1A6B A9DA 2D5C (Tomas Mraz) * Rebased patches: - openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch - openssl-Add_support_for_Windows_CA_certificate_store.patch * Removed patches: - openssl-CVE-2023-0464.patch - openssl-Fix-OBJ_nid2obj-regression.patch - openssl-CVE-2023-0465.patch - openssl-CVE-2023-0466.patch * Mon May 29 2023 Pedro Monreal - FIPS: Merge libopenssl3-hmac package into the library [bsc#1185116] * Mon May 15 2023 Otto Hollmann - Add support for Windows CA certificate store [bsc#1209430] https://github.com/openssl/openssl/pull/18070 * Add openssl-Add_support_for_Windows_CA_certificate_store.patch * Wed Mar 29 2023 Otto Hollmann - Security Fix: [CVE-2023-0465, bsc#1209878] * Invalid certificate policies in leaf certificates are silently ignored * Add openssl-CVE-2023-0465.patch- Security Fix: [CVE-2023-0466, bsc#1209873] * Certificate policy check not enabled * Add openssl-CVE-2023-0466.patch * Tue Mar 28 2023 Pedro Monreal - Fix regression in the OBJ_nid2obj() function: [bsc#1209430] * Upstream https://github.com/openssl/openssl/issues/20555 * Add openssl-Fix-OBJ_nid2obj-regression.patch * Mon Mar 27 2023 Otto Hollmann - Fix compiler error \"initializer element is not constant\" on s390 * Add openssl-z16-s390x.patch * Fri Mar 24 2023 Otto Hollmann - Security Fix: [CVE-2023-0464, bsc#1209624] * Excessive Resource Usage Verifying X.509 Policy Constraints * Add openssl-CVE-2023-0464.patch * Wed Mar 15 2023 Otto Hollmann - Pass over with spec-cleaner * Tue Mar 14 2023 Otto Hollmann - Update to 3.1.0: * Add FIPS provider configuration option to enforce the Extended Master Secret (EMS) check during the TLS1_PRF KDF. The option \'-ems-check\' can optionally be supplied to \'openssl fipsinstall\'. * The FIPS provider includes a few non-approved algorithms for backward compatibility purposes and the \"fips=yes\" property query must be used for all algorithm fetches to ensure FIPS compliance. The algorithms that are included but not approved are Triple DES ECB, Triple DES CBC and EdDSA. * Added support for KMAC in KBKDF. * RNDR and RNDRRS support in provider functions to provide random number generation for Arm CPUs (aarch64). * s_client and s_server apps now explicitly say when the TLS version does not include the renegotiation mechanism. This avoids confusion between that scenario versus when the TLS version includes secure renegotiation but the peer lacks support for it. * AES-GCM enabled with AVX512 vAES and vPCLMULQDQ. * The various OBJ_ * functions have been made thread safe. * Parallel dual-prime 1536/2048-bit modular exponentiation for AVX512_IFMA capable processors. * The functions OPENSSL_LH_stats, OPENSSL_LH_node_stats, OPENSSL_LH_node_usage_stats, OPENSSL_LH_stats_bio, OPENSSL_LH_node_stats_bio and OPENSSL_LH_node_usage_stats_bio are now marked deprecated from OpenSSL 3.1 onwards and can be disabled by defining OPENSSL_NO_DEPRECATED_3_1. The macro DEFINE_LHASH_OF is now deprecated in favour of the macro DEFINE_LHASH_OF_EX, which omits the corresponding type-specific function definitions for these functions regardless of whether OPENSSL_NO_DEPRECATED_3_1 is defined. Users of DEFINE_LHASH_OF may start receiving deprecation warnings for these functions regardless of whether they are using them. It is recommended that users transition to the new macro, DEFINE_LHASH_OF_EX. * When generating safe-prime DH parameters set the recommended private key length equivalent to minimum key lengths as in RFC 7919. * Change the default salt length for PKCS#1 RSASSA-PSS signatures to the maximum size that is smaller or equal to the digest length to comply with FIPS 186-4 section 5. This is implemented by a new option OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX (\"auto-digestmax\") for the rsa_pss_saltlen parameter, which is now the default. Signature verification is not affected by this change and continues to work as before. * Update openssl.keyring with key 8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491 (Matt Caswell) * Wed Mar 08 2023 Martin Pluskal - Build AVX2 enabled hwcaps library for x86_64-v3 * Tue Feb 07 2023 Otto Hollmann - Update to 3.0.8: * Fixed NULL dereference during PKCS7 data verification. A NULL pointer can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. In case the hash algorithm used for the signature is known to the OpenSSL library but the implementation of the hash algorithm is not available the digest initialization will fail. There is a missing check for the return value from the initialization function which later leads to invalid usage of the digest API most likely leading to a crash. ([bsc#1207541, CVE-2023-0401]) PKCS7 data is processed by the SMIME library calls and also by the time stamp (TS) library calls. The TLS implementation in OpenSSL does not call these functions however third party applications would be affected if they call these functions to verify signatures on untrusted data. * Fixed X.400 address type confusion in X.509 GeneralName. There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. ([bsc#1207533, CVE-2023-0286]) * Fixed NULL dereference validating DSA public key. An invalid pointer dereference on read can be triggered when an application tries to check a malformed DSA public key by the EVP_PKEY_public_check() function. This will most likely lead to an application crash. This function can be called on public keys supplied from untrusted sources which could allow an attacker to cause a denial of service attack. The TLS implementation in OpenSSL does not call this function but applications might call the function if there are additional security requirements imposed by standards such as FIPS 140-3. ([bsc#1207540, CVE-2023-0217]) * Fixed Invalid pointer dereference in d2i_PKCS7 functions. An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data with the d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions. The result of the dereference is an application crash which could lead to a denial of service attack. The TLS implementation in OpenSSL does not call this function however third party applications might call these functions on untrusted data. ([bsc#1207539, CVE-2023-0216]) * Fixed Use-after-free following BIO_new_NDEF. The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. ([bsc#1207536, CVE-2023-0215]) * Fixed Double free after calling PEM_read_bio_ex. The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the \"name\" (e.g. \"CERTIFICATE\"), any header data and the payload data. If the function succeeds then the \"name_out\", \"header\" and \"data\" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. ([bsc#1207538, CVE-2022-4450]) * Fixed Timing Oracle in RSA Decryption. A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. ([bsc#1207534, CVE-2022-4304]) * Fixed X.509 Name Constraints Read Buffer Overflow. A read buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. The read buffer overrun might result in a crash which could lead to a denial of service attack. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. ([bsc#1207535, CVE-2022-4203]) * Fixed X.509 Policy Constraints Double Locking security issue. If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup. ([CVE-2022-3996]) * Our provider implementations of `OSSL_FUNC_KEYMGMT_EXPORT` and `OSSL_FUNC_KEYMGMT_GET_PARAMS` for EC and SM2 keys now honor `OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT` as set (and default to `POINT_CONVERSION_UNCOMPRESSED`) when exporting `OSSL_PKEY_PARAM_PUB_KEY`, instead of unconditionally using `POINT_CONVERSION_COMPRESSED` as in previous 3.x releases. For symmetry, our implementation of `EVP_PKEY_ASN1_METHOD->export_to` for legacy EC and SM2 keys is also changed similarly to honor the equivalent conversion format flag as specified in the underlying `EC_KEY` object being exported to a provider, when this function is called through `EVP_PKEY_export()`. * Removed openssl-3-Fix-double-locking-problem.patch, contained in upstream. * Rebased openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch * Update openssl.keyring with key 7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C (Richard Levitte) * Thu Jan 26 2023 Pedro Monreal - Relax the crypto-policies requirements for the regression tests * Wed Jan 25 2023 Pedro Monreal - Set OpenSSL 3.0.7 as the default openssl [bsc#1205042] * Rename openssl-1.1.0-no-html.patch to openssl-no-html-docs.patch * Rebase openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch * Package a copy of the original default config file called openssl.cnf and name it as openssl-orig.cnf and warn the user if the files differ. * Add openssl-3-devel as conflicting with libopenssl-1_1-devel * Remove patches: - fix-config-in-tests.patch - openssl-use-versioned-config.patch * Wed Jan 25 2023 Pedro Monreal - Create the openssl ca-certificates directory in case the ca-certificates package is not installed. This directory is required by the nodejs regression tests. [bsc#1207484] * Wed Dec 14 2022 Otto Hollmann - Fix X.509 Policy Constraints Double Locking [bsc#1206374, CVE-2022-3996] * Add patch: openssl-3-Fix-double-locking-problem.patch * Wed Dec 14 2022 Pedro Monreal - Compute the hmac files for FIPS 140-3 integrity checking of the openssl shared libraries using the brp-50-generate-fips-hmac script. Also computed for the 32bit package. * Tue Nov 01 2022 Otto Hollmann - Temporary disable tests test_ssl_new and test_sslapi because they are failing in openSUSE_Tumbleweed * Tue Nov 01 2022 Otto Hollmann - Update to 3.0.7: [bsc#1204714, CVE-2022-3602,CVE-2022-3786] * Fixed two buffer overflows in punycode decoding functions. A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. An attacker can craft a malicious email address to overflow an arbitrary number of bytes containing the `.` character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). ([CVE-2022-3786]) An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution depending on stack layout for any given platform/compiler. ([CVE-2022-3602]) * Removed all references to invalid OSSL_PKEY_PARAM_RSA names for CRT parameters in OpenSSL code. Applications should not use the names OSSL_PKEY_PARAM_RSA_FACTOR, OSSL_PKEY_PARAM_RSA_EXPONENT and OSSL_PKEY_PARAM_RSA_COEFFICIENT. Use the numbered names such as OSSL_PKEY_PARAM_RSA_FACTOR1 instead. Using these invalid names may cause algorithms to use slower methods that ignore the CRT parameters. * Fixed a regression introduced in 3.0.6 version raising errors on some stack operations. * Fixed a regression introduced in 3.0.6 version not refreshing the certificate data to be signed before signing the certificate. * Added RIPEMD160 to the default provider. * Ensured that the key share group sent or accepted for the key exchange is allowed for the protocol version. * Tue Nov 01 2022 Otto Hollmann - Update to 3.0.6: [bsc#1204226, CVE-2022-3358] * OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order to implement custom ciphers. * OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions (as well as other similarly named encryption and decryption initialisation functions). Instead of using the custom cipher directly it incorrectly tries to fetch an equivalent cipher from the available providers. An equivalent cipher is found based on the NID passed to EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a given cipher. However it is possible for an application to incorrectly pass NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef is used in this way the OpenSSL encryption/decryption initialisation function will match the NULL cipher as being equivalent and will fetch this from the available providers. This will succeed if the default provider has been loaded (or if a third party provider has been loaded that offers this cipher). Using the NULL cipher means that the plaintext is emitted as the ciphertext. * Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an encryption/decryption initialisation function. Applications that only use SSL/TLS are not impacted by this issue. ([CVE-2022-3358]) * Fix LLVM vs Apple LLVM version numbering confusion that caused build failures on MacOS 10.11 * Fixed the linux-mips64 Configure target which was missing the SIXTY_FOUR_BIT bn_ops flag. This was causing heap corruption on that platform. * Fix handling of a ticket key callback that returns 0 in TLSv1.3 to not send a ticket * Correctly handle a retransmitted ClientHello in DTLS * Fixed detection of ktls support in cross-compile environment on Linux * Fixed some regressions and test failures when running the 3.0.0 FIPS provider against 3.0.x * Fixed SSL_pending() and SSL_has_pending() with DTLS which were failing to report correct results in some cases * Fix UWP builds by defining VirtualLock * For known safe primes use the minimum key length according to RFC 7919. Longer private key sizes unnecessarily raise the cycles needed to compute the shared secret without any increase of the real security. This fixes a regression from 1.1.1 where these shorter keys were generated for the known safe primes. * Added the loongarch64 target * Fixed EC ASM flag passing. Flags for ASM implementations of EC curves were only passed to the FIPS provider and not to the default or legacy provider. * Fixed reported performance degradation on aarch64. Restored the implementation prior to commit 2621751 (\"aes/asm/aesv8-armx.pl: avoid 32-bit lane assignment in CTR mode\") for 64bit targets only, since it is reportedly 2-17% slower and the silicon errata only affects 32bit targets. The new algorithm is still used for 32 bit targets. * Added a missing header for memcmp that caused compilation failure on some platforms * Wed Sep 14 2022 Bruno Pitrus - Do not make libopenssl3-32bit obsolete libopenssl1_1-32bit. They are independent libraries and can be installed simultaneously. * Thu Jul 21 2022 Pedro Monreal - Update to 3.0.5: * The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue. [bsc#1201148, CVE-2022-2274] * AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation would not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn\'t written. In the special case of \"in place\" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. [bsc#1201099, CVE-2022-2097]- Rebase patches: * openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch * Mon Jul 18 2022 Pedro Monreal - Update to 3.0.4: [bsc#1199166, CVE-2022-1292] * In addition to the c_rehash shell command injection identified in CVE-2022-1292, further bugs where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection have been fixed. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. * Case insensitive string comparison no longer uses locales. It has instead been directly implemented. * Mon Jul 18 2022 Pedro Monreal - Update to 3.0.3: * Case insensitive string comparison is reimplemented via new locale-agnostic comparison functions OPENSSL_str[n]casecmp always using the POSIX locale for comparison. The previous implementation had problems when the Turkish locale was used. * Fixed a bug in the c_rehash script which was not properly sanitising shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. [bsc#1199166, CVE-2022-1292] * Fixed a bug in the function \'OCSP_basic_verify\' that verifies the signer certificate on an OCSP response. The bug caused the function in the case where the (non-default) flag OCSP_NOCHECKS is used to return a postivie response (meaning a successful verification) even in the case where the response signing certificate fails to verify. It is anticipated that most users of \'OCSP_basic_verify\' will not use the OCSP_NOCHECKS flag. In this case the \'OCSP_basic_verify\' function will return a negative value (indicating a fatal error) in the case of a certificate verification failure. The normal expected return value in this case would be 0. This issue also impacts the command line OpenSSL \"ocsp\" application. When verifying an ocsp response with the \"-no_cert_checks\" option the command line application will report that the verification is successful even though it has in fact failed. In this case the incorrect successful response will also be accompanied by error messages showing the failure and contradicting the apparently successful result. [bsc#1199167, CVE-2022-1343] * Fixed a bug where the RC4-MD5 ciphersuite incorrectly used the AAD data as the MAC key. This made the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such that the modified data would still pass the MAC integrity check. Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0 endpoint will always be rejected by the recipient and the connection will fail at that point. Many application protocols require data to be sent from the client to the server first. Therefore, in such a case, only an OpenSSL 3.0 server would be impacted when talking to a non-OpenSSL 3.0 client. [bsc#1199168, CVE-2022-1434] * Fix a bug in the OPENSSL_LH_flush() function that breaks reuse of the memory occuppied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will expand without bounds and the process might be terminated by the operating system causing a denial of service. Also traversing the empty hash table entries will take increasingly more time. Typically such long lived processes might be TLS clients or TLS servers configured to accept client certificate authentication. [bsc#1199169, CVE-2022-1473] * The functions \'OPENSSL_LH_stats\' and \'OPENSSL_LH_stats_bio\' now only report the \'num_items\', \'num_nodes\' and \'num_alloc_nodes\' statistics. All other statistics are no longer supported. For compatibility, these statistics are still listed in the output but are now always reported as zero. * Sat Mar 19 2022 Pedro Monreal - Enable zlib compression support [bsc#1195149] * Fri Mar 18 2022 Pedro Monreal - Add crypto-policies support. * Fix some tests that couldn\'t find the openssl3.cnf location * Rebase patch: openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch * Tue Mar 15 2022 Pedro Monreal - Update to 3.0.2: [bsc#1196877, CVE-2022-0778] * Security fix [CVE-2022-0778]: Infinite loop for non-prime moduli in BN_mod_sqrt() reachable when parsing certificates. * Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489) to the list of ciphersuites providing Perfect Forward Secrecy as required by SECLEVEL >= 3. * Made the AES constant time code for no-asm configurations optional due to the resulting 95% performance degradation. The AES constant time code can be enabled, for no assembly builds, with: ./config no-asm -DOPENSSL_AES_CONST_TIME * Fixed PEM_write_bio_PKCS8PrivateKey() to make it possible to use empty passphrase strings. * The negative return value handling of the certificate verification callback was reverted. The replacement is to set the verification retry state with the SSL_set_retry_verify() function. * Rebase openssl-use-versioned-config.patch * Tue Feb 22 2022 Pedro Monreal - Keep CA_default and tsa_config1 default paths in openssl3.cnf- Rebase patches: * openssl-Override-default-paths-for-the-CA-directory-tree.patch * openssl-use-versioned-config.patch * Tue Feb 01 2022 Danilo Spinella - Fix conflict with openssl and libressl * Fri Jan 28 2022 Simon Lees - Remove /etc/pki/CA from the [jsc#SLE-17856, jsc#SLE-19044] openssl-Override-default-paths-for-the-CA-directory-tree.patch- Remove unused patches * Fri Jan 21 2022 Simon Lees - Ship openssl-3 as binary names [jsc#SLE-17856, jsc#SLE-19044]- Use openssl3.cnf * openssl-use-versioned-config.patch * fix-config-in-tests.patch- Support crypto policies * openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch * openssl-Override-default-paths-for-the-CA-directory-tree.patch- Remove obsolets, not ready to force an upgrade yet * Thu Jan 13 2022 Pedro Monreal - Update to 3.0.1: [bsc#1193740, CVE-2021-4044] * RNDR and RNDRRS support in provider functions to provide random number generation for Arm CPUs (aarch64). * s_client and s_server apps now explicitly say when the TLS version does not include the renegotiation mechanism. This avoids confusion between that scenario versus when the TLS version includes secure renegotiation but the peer lacks support for it. * The default SSL/TLS security level has been changed from 1 to 2. RSA, DSA and DH keys of 1024 bits and above and less than 2048 bits and ECC keys of 160 bits and above and less than 224 bits were previously accepted by default but are now no longer allowed. By default TLS compression was already disabled in previous OpenSSL versions. At security level 2 it cannot be enabled. * The SSL_CTX_set_cipher_list family functions now accept ciphers using their IANA standard names. * The PVK key derivation function has been moved from b2i_PVK_bio_ex() into the legacy crypto provider as an EVP_KDF. Applications requiring this KDF will need to load the legacy crypto provider. * The various OBJ_ * functions have been made thread safe. * CCM8 cipher suites in TLS have been downgraded to security level zero because they use a short authentication tag which lowers their strength. * Subject or issuer names in X.509 objects are now displayed as UTF-8 strings by default. * Parallel dual-prime 1536/2048-bit modular exponentiation for AVX512_IFMA capable processors. * Tue Sep 07 2021 Pedro Monreal - Update to 3.0.0 * The full list of changes since version 1.1.1 can be found in: https://github.com/openssl/openssl/blob/master/CHANGES.md#openssl-30 * OpenSSL 3.0 wiki: https://wiki.openssl.org/index.php/OpenSSL_3.0 * The Migration guide: https://github.com/openssl/openssl/blob/master/doc/man7/migration_guide.pod * Thu Jul 29 2021 Pedro Monreal - Update to 3.0.0 Beta 2 * The ERR_GET_FUNC() function was removed. With the loss of meaningful function codes, this function can only cause problems for calling applications. * While a callback function set via \'SSL_CTX_set_cert_verify_callback()\' is not allowed to return a value > 1, this is no more taken as failure. * Deprecated the obsolete X9.31 RSA key generation related functions BN_X931_generate_Xpq(), BN_X931_derive_prime_ex(), and BN_X931_generate_prime_ex().- Remove openssl-ppc64-fix-build.patch fixed upstream * Mon Jul 05 2021 Pedro Monreal - Update to 3.0.0 Beta 1 * Add a configurable flag to output date formats as ISO 8601. Does not change the default date format. * Version of MSVC earlier than 1300 could get link warnings, which could be suppressed if the undocumented -DI_CAN_LIVE_WITH_LNK4049 was set. Support for this flag has been removed. * Rework and make DEBUG macros consistent. Remove unused - DCONF_DEBUG, -DBN_CTX_DEBUG, and REF_PRINT. Add a new tracing category and use it for printing reference counts. Rename - DDEBUG_UNUSED to -DUNUSED_RESULT_DEBUG. Fix BN_DEBUG_RAND so it compiles and, when set, force DEBUG_RAND to be set also. Rename engine_debug_ref to be ENGINE_REF_PRINT also for consistency. * The public definitions of conf_method_st and conf_st have been deprecated. They will be made opaque in a future release. * Many functions in the EVP_ namespace that are getters of values from implementations or contexts were renamed to include get or get0 in their names. Old names are provided as macro aliases for compatibility and are not deprecated. * PKCS#5 PBKDF1 key derivation has been moved from PKCS5_PBE_keyivgen() into the legacy crypto provider as an EVP_KDF. Applications requiring this KDF will need to load the legacy crypto provider. This includes these PBE algorithms which use this KDF: - NID_pbeWithMD2AndDES_CBC - NID_pbeWithMD5AndDES_CBC - NID_pbeWithSHA1AndRC2_CBC - NID_pbeWithMD2AndRC2_CBC - NID_pbeWithMD5AndRC2_CBC - NID_pbeWithSHA1AndDES_CBC * Deprecated obsolete BIO_set_callback(), BIO_get_callback(), and BIO_debug_callback() functions.- Fix build on ppc and ppc64 * Add openssl-ppc64-fix-build.patch * See https://github.com/openssl/openssl/issues/15923 * Fri Jun 11 2021 Pedro Monreal - Update to 3.0.0 Alpha 17 * Added migration guide to man7 * Implemented support for fully \"pluggable\" TLSv1.3 groups * Added convenience functions for generating asymmetric key pairs. * Added a proper HTTP client supporting GET with optional redirection, POST, arbitrary request and response content types, TLS, persistent connections, connections via HTTP(s) proxies, connections and exchange via user-defined BIOs (allowing implicit connections), and timeout checks. * Mon May 10 2021 Jason Sikes - Update to 3.0.0. Alpha 16 * Mark pop/clear error stack in der2key_decode_p8 * Sat May 01 2021 Jason Sikes - Update to 3.0.0 Alpha 15 * The default manual page suffix ($MANSUFFIX) has been changed to \"ossl\" * Added support for Kernel TLS (KTLS). In order to use KTLS, support for it must be compiled in using the \"enable-ktls\" compile time option. It must also be enabled at run time using the SSL_OP_ENABLE_KTLS option. * The error return values from some control calls (ctrl) have changed. One significant change is that controls which used to return -2 for invalid inputs, now return -1 indicating a generic error condition instead. * Removed EVP_PKEY_set_alias_type(). * All of these low level RSA functions have been deprecated without replacement: RSA_blinding_off, RSA_blinding_on, RSA_clear_flags, RSA_get_version, RSAPrivateKey_dup, RSAPublicKey_dup, RSA_set_flags, RSA_setup_blinding and RSA_test_flags. * All of these RSA flags have been deprecated without replacement: RSA_FLAG_BLINDING, RSA_FLAG_CACHE_PRIVATE, RSA_FLAG_CACHE_PUBLIC, RSA_FLAG_EXT_PKEY, RSA_FLAG_NO_BLINDING, RSA_FLAG_THREAD_SAFE and RSA_METHOD_FLAG_NO_CHECK. * These low level DH functions have been deprecated without replacement: DH_clear_flags, DH_get_1024_160, DH_get_2048_224, DH_get_2048_256, DH_set_flags and DH_test_flags. The DH_FLAG_CACHE_MONT_P flag has been deprecated without replacement. The DH_FLAG_TYPE_DH and DH_FLAG_TYPE_DHX have been deprecated. Use EVP_PKEY_is_a() to determine the type of a key. There is no replacement for setting these flags. * These low level DSA functions have been deprecated without replacement: DSA_clear_flags, DSA_dup_DH, DSAparams_dup, DSA_set_flags and DSA_test_flags. * The DSA_FLAG_CACHE_MONT_P flag has been deprecated without replacement. * Reworked the treatment of EC EVP_PKEYs with the SM2 curve to automatically become EVP_PKEY_SM2 rather than EVP_PKEY_EC. This is a breaking change from previous OpenSSL versions. Unlike in previous OpenSSL versions, this means that applications must not call \'EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)\' to get SM2 computations. The \'EVP_PKEY_set_alias_type\' function has now been removed. * Parameter and key generation is also reworked to make it possible to generate EVP_PKEY_SM2 parameters and keys. Applications must now generate SM2 keys directly and must not create an EVP_PKEY_EC key first. * Mon Apr 19 2021 Pedro Monreal - Update to 3.0.0 Alpha 14 * A public key check is now performed during EVP_PKEY_derive_set_peer(). Previously DH was internally doing this during EVP_PKEY_derive(). * The EVP_PKEY_CTRL_PKCS7_ENCRYPT, EVP_PKEY_CTRL_PKCS7_DECRYPT, EVP_PKEY_CTRL_PKCS7_SIGN, EVP_PKEY_CTRL_CMS_ENCRYPT, EVP_PKEY_CTRL_CMS_DECRYPT, and EVP_PKEY_CTRL_CMS_SIGN control operations are deprecated. They are not invoked by the OpenSSL library anymore and are replaced by direct checks of the key operation against the key type when the operation is initialized. * The EVP_PKEY_public_check() and EVP_PKEY_param_check() functions now work for more key types including RSA, DSA, ED25519, X25519, ED448 and X448. Previously (in 1.1.1) they would return -2. For key types that do not have parameters then EVP_PKEY_param_check() will always return 1. * The output from numerous \"printing\" functions such as X509_signature_print(), X509_print_ex(), X509_CRL_print_ex(), and other similar functions has been amended such that there may be cosmetic differences between the output observed in 1.1.1 and 3.0. This also applies to the \"-text\" output from the x509 and crl applications. * Improved adherence to Enhanced Security Services (ESS, RFC 2634 and RFC 5035) for the TSP and CMS Advanced Electronic Signatures (CAdES) implementations. As required by RFC 5035 check both ESSCertID and ESSCertIDv2 if both present. Correct the semantics of checking the validation chain in case ESSCertID{,v2} contains more than one certificate identifier: This means that all certificates referenced there MUST be part of the validation chain. * Parallel dual-prime 1024-bit modular exponentiation for AVX512_IFMA capable processors. * Added the AuthEnvelopedData content type structure (RFC 5083) with AES-GCM parameter (RFC 5084) for the Cryptographic Message Syntax (CMS). Its purpose is to support encryption and decryption of a digital envelope that is both authenticated and encrypted using AES GCM mode. * Wed Apr 14 2021 Pedro Monreal - Update to 3.0.0 Alpha 13 * A public key check is now performed during EVP_PKEY_derive_set_peer(). Previously DH was internally doing this during EVP_PKEY_derive(). To disable this check use EVP_PKEY_derive_set_peer_ex(dh, peer, 0). This may mean that an error can occur in EVP_PKEY_derive_set_peer() rather than during EVP_PKEY_derive(). * The EVP_PKEY_CTRL_PKCS7_ENCRYPT, EVP_PKEY_CTRL_PKCS7_DECRYPT, EVP_PKEY_CTRL_PKCS7_SIGN, EVP_PKEY_CTRL_CMS_ENCRYPT, EVP_PKEY_CTRL_CMS_DECRYPT, and EVP_PKEY_CTRL_CMS_SIGN control operations are deprecated. They are not invoked by the OpenSSL library anymore and are replaced by direct checks of the key operation against the key type when the operation is initialized. * The EVP_PKEY_public_check() and EVP_PKEY_param_check() functions now work for more key types including RSA, DSA, ED25519, X25519, ED448 and X448. Previously (in 1.1.1) they would return -2. For key types that do not have parameters then EVP_PKEY_param_check() will always return 1. * The output from numerous \"printing\" functions such as X509_signature_print(), X509_print_ex(), X509_CRL_print_ex(), and other similar functions has been amended such that there may be cosmetic differences between the output observed in 1.1.1 and 3.0. This also applies to the \"-text\" output from the x509 and crl applications. * Improved adherence to Enhanced Security Services (ESS, RFC 2634 and RFC 5035) for the TSP and CMS Advanced Electronic Signatures (CAdES) implementations. As required by RFC 5035 check both ESSCertID and ESSCertIDv2 if both present. Correct the semantics of checking the validation chain in case ESSCertID{,v2} contains more than one certificate identifier: This means that all certificates referenced there MUST be part of the validation chain. * Parallel dual-prime 1024-bit modular exponentiation for AVX512_IFMA capable processors. * Added the AuthEnvelopedData content type structure (RFC 5083) with AES-GCM parameter (RFC 5084) for the Cryptographic Message Syntax (CMS). Its purpose is to support encryption and decryption of a digital envelope that is both authenticated and encrypted using AES GCM mode. * Fri Feb 19 2021 Pedro Monreal - Update to 3.0.0 Alpha 12 * The SRP APIs have been deprecated. The old APIs do not work via providers, and there is no EVP interface to them. Unfortunately there is no replacement for these APIs at this time. * Add a compile time option to prevent the caching of provider fetched algorithms. This is enabled by including the no-cached-fetch option at configuration time. * Combining the Configure options no-ec and no-dh no longer disables TLSv1.3. Typically if OpenSSL has no EC or DH algorithms then it cannot support connections with TLSv1.3. However OpenSSL now supports \"pluggable\" groups through providers. * The undocumented function X509_certificate_type() has been deprecated; applications can use X509_get0_pubkey() and X509_get0_signature() to get the same information. * Deprecated the obsolete BN_pseudo_rand() and BN_pseudo_rand_range() functions. They are identical to BN_rand() and BN_rand_range() respectively. * The default key generation method for the regular 2-prime RSA keys was changed to the FIPS 186-4 B.3.6 method (Generation of Probable Primes with Conditions Based on Auxiliary Probable Primes). This method is slower than the original method. * Deprecated the BN_is_prime_ex() and BN_is_prime_fasttest_ex() functions. They are replaced with the BN_check_prime() function that avoids possible misuse and always uses at least 64 rounds of the Miller-Rabin primality test. * Deprecated EVP_MD_CTX_set_update_fn() and EVP_MD_CTX_update_fn() as they are not useful with non-deprecated functions. * Fri Feb 12 2021 Pedro Monreal - Update to 3.0.0 Alpha 11 * Deprecated the obsolete X9.31 RSA key generation related functions BN_X931_generate_Xpq(), BN_X931_derive_prime_ex(), and BN_X931_generate_prime_ex(). * Deprecated the type OCSP_REQ_CTX and the functions OCSP_REQ_CTX_ *(). These were used to collect all necessary data to form a HTTP request, and to perform the HTTP transfer with that request. With OpenSSL 3.0, the type is OSSL_HTTP_REQ_CTX, and the deprecated functions are replaced with OSSL_HTTP_REQ_CTX_ *(). * Validation of SM2 keys has been separated from the validation of regular EC keys, allowing to improve the SM2 validation process to reject loaded private keys that are not conforming to the SM2 ISO standard. In particular, a private scalar \'k\' outside the range \'1 <= k < n-1\' is now correctly rejected. * Behavior of the \'pkey\' app is changed, when using the \'-check\' or \'-pubcheck\' switches: a validation failure triggers an early exit, returning a failure exit status to the parent process. * Changed behavior of SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites() to ignore unknown ciphers. * All of the low level EC_KEY functions have been deprecated. * Functions that read and write EC_KEY objects and that assign or obtain EC_KEY objects from an EVP_PKEY are also deprecated. * Added the \'-copy_extensions\' option to the \'x509\' command for use with \'-req\' and \'-x509toreq\'. When given with the \'copy\' or \'copyall\' argument, all extensions in the request are copied to the certificate or vice versa. * Added the \'-copy_extensions\' option to the \'req\' command for use with \'-x509\'. When given with the \'copy\' or \'copyall\' argument, all extensions in the certification request are copied to the certificate. * The \'x509\', \'req\', and \'ca\' commands now make sure that X.509v3 certificates they generate are by default RFC 5280 compliant in the following sense: There is a subjectKeyIdentifier extension with a hash value of the public key and for not self-signed certs there is an authorityKeyIdentifier extension with a keyIdentifier field or issuer information identifying the signing key. This is done unless some configuration overrides the new default behavior, such as \'subjectKeyIdentifier = none\' and \'authorityKeyIdentifier = none\'. * Sat Jan 09 2021 Pedro Monreal - Update to 3.0.0 Alpha 10 (CVE-2020-1971) * See full changelog: www.openssl.org/news/changelog.html * Fixed NULL pointer deref in the GENERAL_NAME_cmp function This function could crash if both GENERAL_NAMEs contain an EDIPARTYNAME. If an attacker can control both items being compared then this could lead to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) * The -cipher-commands and -digest-commands options of the command line utility list has been deprecated. Instead use the -cipher-algorithms and -digest-algorithms options. * Additionally functions that read and write DH objects such as d2i_DHparams, i2d_DHparams, PEM_read_DHparam, PEM_write_DHparams and other similar functions have also been deprecated. Applications should instead use the OSSL_DECODER and OSSL_ENCODER APIs to read and write DH files.
|
|
|