diff --git a/backport-Avoid-potential-memory-leak.patch b/backport-Avoid-potential-memory-leak.patch new file mode 100644 index 0000000000000000000000000000000000000000..761057aded22dfe3e8b39ee47c1f475e93eafd84 --- /dev/null +++ b/backport-Avoid-potential-memory-leak.patch @@ -0,0 +1,36 @@ +From c02fff5aecd4d002143a0e901f3dde3d14934a18 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 7 Mar 2022 17:05:57 +0100 +Subject: [PATCH] Avoid potential memory leak + +Resolves #17827 + +Reviewed-by: Tomas Mraz +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/17828) + +(cherry picked from commit 175355923046921a689b500f7a72455f7095708f) +--- + crypto/x509v3/v3_utl.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c +index 40d8f31554..83a4bc8a06 100644 +--- a/crypto/x509v3/v3_utl.c ++++ b/crypto/x509v3/v3_utl.c +@@ -538,8 +538,11 @@ static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, const ASN1_IA5STRING *email + return 0; + + emtmp = OPENSSL_strndup((char *)email->data, email->length); +- if (emtmp == NULL) ++ if (emtmp == NULL) { ++ X509_email_free(*sk); ++ *sk = NULL; + return 0; ++ } + + /* Don't add duplicates */ + if (sk_OPENSSL_STRING_find(*sk, emtmp) != -1) { +-- +2.17.1 + diff --git a/backport-Fix-NULL-pointer-dereference-for-BN_mod_exp2_mont.patch b/backport-Fix-NULL-pointer-dereference-for-BN_mod_exp2_mont.patch new file mode 100644 index 0000000000000000000000000000000000000000..1a02df857c758432e198de155d3d42eedeacd64d --- /dev/null +++ b/backport-Fix-NULL-pointer-dereference-for-BN_mod_exp2_mont.patch @@ -0,0 +1,98 @@ +From 8845aeb3ed528491b9eccba365182f90540e5b95 Mon Sep 17 00:00:00 2001 +From: Hugo Landau +Date: Tue, 1 Mar 2022 14:08:12 +0000 +Subject: [PATCH] Fix NULL pointer dereference for BN_mod_exp2_mont + +This fixes a bug whereby BN_mod_exp2_mont can dereference a NULL pointer +if BIGNUM argument m represents zero. + +Regression test added. Fixes #17648. Backport from master to 1.1. + +Reviewed-by: Matt Caswell +Reviewed-by: Todd Short +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/17787) +--- + crypto/bn/bn_exp2.c | 2 +- + test/bntest.c | 45 +++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 46 insertions(+), 1 deletion(-) + +diff --git a/crypto/bn/bn_exp2.c b/crypto/bn/bn_exp2.c +index e542abe46f..de3e249d78 100644 +--- a/crypto/bn/bn_exp2.c ++++ b/crypto/bn/bn_exp2.c +@@ -32,7 +32,7 @@ int BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1, + bn_check_top(p2); + bn_check_top(m); + +- if (!(m->d[0] & 1)) { ++ if (!BN_is_odd(m)) { + BNerr(BN_F_BN_MOD_EXP2_MONT, BN_R_CALLED_WITH_EVEN_MODULUS); + return 0; + } +diff --git a/test/bntest.c b/test/bntest.c +index bab34ba54b..390dd80073 100644 +--- a/test/bntest.c ++++ b/test/bntest.c +@@ -2798,6 +2798,50 @@ static int test_mod_exp_consttime(int i) + return res; + } + ++/* ++ * Regression test to ensure BN_mod_exp2_mont fails safely if argument m is ++ * zero. ++ */ ++static int test_mod_exp2_mont(void) ++{ ++ int res = 0; ++ BIGNUM *exp_result = NULL; ++ BIGNUM *exp_a1 = NULL, *exp_p1 = NULL, *exp_a2 = NULL, *exp_p2 = NULL, ++ *exp_m = NULL; ++ ++ if (!TEST_ptr(exp_result = BN_new()) ++ || !TEST_ptr(exp_a1 = BN_new()) ++ || !TEST_ptr(exp_p1 = BN_new()) ++ || !TEST_ptr(exp_a2 = BN_new()) ++ || !TEST_ptr(exp_p2 = BN_new()) ++ || !TEST_ptr(exp_m = BN_new())) ++ goto err; ++ ++ if (!TEST_true(BN_one(exp_a1)) ++ || !TEST_true(BN_one(exp_p1)) ++ || !TEST_true(BN_one(exp_a2)) ++ || !TEST_true(BN_one(exp_p2))) ++ goto err; ++ ++ BN_zero(exp_m); ++ ++ /* input of 0 is even, so must fail */ ++ if (!TEST_int_eq(BN_mod_exp2_mont(exp_result, exp_a1, exp_p1, exp_a2, ++ exp_p2, exp_m, ctx, NULL), 0)) ++ goto err; ++ ++ res = 1; ++ ++err: ++ BN_free(exp_result); ++ BN_free(exp_a1); ++ BN_free(exp_p1); ++ BN_free(exp_a2); ++ BN_free(exp_p2); ++ BN_free(exp_m); ++ return res; ++} ++ + static int file_test_run(STANZA *s) + { + static const FILETEST filetests[] = { +@@ -2906,6 +2950,7 @@ int setup_tests(void) + ADD_TEST(test_gcd_prime); + ADD_ALL_TESTS(test_mod_exp, (int)OSSL_NELEM(ModExpTests)); + ADD_ALL_TESTS(test_mod_exp_consttime, (int)OSSL_NELEM(ModExpTests)); ++ ADD_TEST(test_mod_exp2_mont); + } else { + ADD_ALL_TESTS(run_file_tests, n); + } +-- +2.17.1 + diff --git a/backport-Fix-failure-to-check-result-of-bn_rshift_fixed_top.patch b/backport-Fix-failure-to-check-result-of-bn_rshift_fixed_top.patch new file mode 100644 index 0000000000000000000000000000000000000000..61e4595fac1062dad37110dba333a65c20236032 --- /dev/null +++ b/backport-Fix-failure-to-check-result-of-bn_rshift_fixed_top.patch @@ -0,0 +1,36 @@ +From 93ac3b8dd1cc49b27c402278cbe73a1c4ac91f9b Mon Sep 17 00:00:00 2001 +From: Hugo Landau +Date: Mon, 4 Apr 2022 12:25:16 +0100 +Subject: [PATCH] Fix failure to check result of bn_rshift_fixed_top + +Fixes #18010. + +Reviewed-by: Matt Caswell +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/18034) + +(cherry picked from commit bc6bac8561ead83d6135f376ffcbbb0b657e64fe) +--- + crypto/bn/bn_div.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/crypto/bn/bn_div.c b/crypto/bn/bn_div.c +index 0da9f39b31..e2821fb6cd 100644 +--- a/crypto/bn/bn_div.c ++++ b/crypto/bn/bn_div.c +@@ -446,8 +446,10 @@ int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, + snum->neg = num_neg; + snum->top = div_n; + snum->flags |= BN_FLG_FIXED_TOP; +- if (rm != NULL) +- bn_rshift_fixed_top(rm, snum, norm_shift); ++ ++ if (rm != NULL && bn_rshift_fixed_top(rm, snum, norm_shift) == 0) ++ goto err; ++ + BN_CTX_end(ctx); + return 1; + err: +-- +2.17.1 + diff --git a/backport-Fix-password_callback-to-handle-short-passwords.patch b/backport-Fix-password_callback-to-handle-short-passwords.patch new file mode 100644 index 0000000000000000000000000000000000000000..5eb5758b0c180805d8ec98442445a21718a4dc96 --- /dev/null +++ b/backport-Fix-password_callback-to-handle-short-passwords.patch @@ -0,0 +1,72 @@ +From f4942134815f95845706993c15ca7e4fd6e44627 Mon Sep 17 00:00:00 2001 +From: Bernd Edlinger +Date: Fri, 7 Jan 2022 10:18:58 +0100 +Subject: [PATCH] Fix password_callback to handle short passwords + +Fixes #17426 + +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/17439) +--- + apps/apps.c | 8 ++++++-- + test/recipes/15-test_genrsa.t | 7 ++++++- + 2 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/apps/apps.c b/apps/apps.c +index c06241abb9..531fbec551 100644 +--- a/apps/apps.c ++++ b/apps/apps.c +@@ -300,9 +300,13 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp) + int ui_flags = 0; + const char *prompt_info = NULL; + char *prompt; ++ int pw_min_len = PW_MIN_LENGTH; + + if (cb_data != NULL && cb_data->prompt_info != NULL) + prompt_info = cb_data->prompt_info; ++ if (cb_data != NULL && cb_data->password != NULL ++ && *(const char*)cb_data->password != '\0') ++ pw_min_len = 1; + prompt = UI_construct_prompt(ui, "pass phrase", prompt_info); + if (!prompt) { + BIO_printf(bio_err, "Out of memory\n"); +@@ -317,12 +321,12 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp) + (void)UI_add_user_data(ui, cb_data); + + ok = UI_add_input_string(ui, prompt, ui_flags, buf, +- PW_MIN_LENGTH, bufsiz - 1); ++ pw_min_len, bufsiz - 1); + + if (ok >= 0 && verify) { + buff = app_malloc(bufsiz, "password buffer"); + ok = UI_add_verify_string(ui, prompt, ui_flags, buff, +- PW_MIN_LENGTH, bufsiz - 1, buf); ++ pw_min_len, bufsiz - 1, buf); + } + if (ok >= 0) + do { +diff --git a/test/recipes/15-test_genrsa.t b/test/recipes/15-test_genrsa.t +index e16a9a4042..c9bc6bdc8a 100644 +--- a/test/recipes/15-test_genrsa.t ++++ b/test/recipes/15-test_genrsa.t +@@ -16,7 +16,7 @@ use OpenSSL::Test::Utils; + + setup("test_genrsa"); + +-plan tests => 5; ++plan tests => 7; + + # We want to know that an absurdly small number of bits isn't support + is(run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', '8'])), 0, "genrsa -3 8"); +@@ -52,3 +52,8 @@ ok(run(app([ 'openssl', 'genrsa', '-f4', '-out', 'genrsatest.pem', $good ])), + "genrsa -f4 $good"); + ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout' ])), + "rsa -check"); ++ok(run(app([ 'openssl', 'rsa', '-in', 'genrsatest.pem', '-out', 'genrsatest-enc.pem', ++ '-aes256', '-passout', 'pass:x' ])), ++ "rsa encrypt"); ++ok(run(app([ 'openssl', 'rsa', '-in', 'genrsatest-enc.pem', '-passin', 'pass:x' ])), ++ "rsa decrypt"); +-- +2.17.1 + diff --git a/backport-Fix-usage-of-SSLfatal.patch b/backport-Fix-usage-of-SSLfatal.patch new file mode 100644 index 0000000000000000000000000000000000000000..abc72ce6a1976aaf6548d741e03f7c93f8304122 --- /dev/null +++ b/backport-Fix-usage-of-SSLfatal.patch @@ -0,0 +1,36 @@ +From 3e8f70c30d84861fcd257a6e280dc49e104eb145 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Wed, 30 Mar 2022 14:49:24 +0100 +Subject: [PATCH] Fix usage of SSLfatal + +A cherry-pick from the master branch incorrectly introduced a usage of +3 argument SSLfatal. In 1.1.1 the function code is also required. + +Fixes #17999 + +Reviewed-by: Bernd Edlinger +Reviewed-by: Tomas Mraz +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/18000) +--- + ssl/statem/statem_clnt.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c +index e3aba393f9..2bc5cf5ec3 100644 +--- a/ssl/statem/statem_clnt.c ++++ b/ssl/statem/statem_clnt.c +@@ -1423,7 +1423,8 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) + && PACKET_remaining(pkt) >= SSL3_RANDOM_SIZE + && memcmp(hrrrandom, PACKET_data(pkt), SSL3_RANDOM_SIZE) == 0) { + if (s->hello_retry_request != SSL_HRR_NONE) { +- SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); ++ SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, ++ SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_UNEXPECTED_MESSAGE); + goto err; + } + s->hello_retry_request = SSL_HRR_PENDING; +-- +2.17.1 + diff --git a/backport-Test-processing-of-a-duplicated-HRR.patch b/backport-Test-processing-of-a-duplicated-HRR.patch new file mode 100644 index 0000000000000000000000000000000000000000..2db37448c7e06a86d87122e8a3a76ec94c827cc5 --- /dev/null +++ b/backport-Test-processing-of-a-duplicated-HRR.patch @@ -0,0 +1,100 @@ +From f29ec6563ddf81db46c464d14f2bb29a3fa5592f Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Tue, 22 Mar 2022 16:33:52 +0100 +Subject: [PATCH] Test processing of a duplicated HRR + +Reviewed-by: Todd Short +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/17936) + +(cherry picked from commit db44b55aaa42141921217183667800425227b658) +--- + test/recipes/70-test_tls13hrr.t | 51 +++++++++++++++++++++++++++++++-- + 1 file changed, 49 insertions(+), 2 deletions(-) + +diff --git a/test/recipes/70-test_tls13hrr.t b/test/recipes/70-test_tls13hrr.t +index e0b47ed359..411e749971 100644 +--- a/test/recipes/70-test_tls13hrr.t ++++ b/test/recipes/70-test_tls13hrr.t +@@ -37,7 +37,8 @@ my $proxy = TLSProxy::Proxy->new( + + use constant { + CHANGE_HRR_CIPHERSUITE => 0, +- CHANGE_CH1_CIPHERSUITE => 1 ++ CHANGE_CH1_CIPHERSUITE => 1, ++ DUPLICATE_HRR => 2 + }; + + #Test 1: A client should fail if the server changes the ciphersuite between the +@@ -46,7 +47,7 @@ $proxy->filter(\&hrr_filter); + $proxy->serverflags("-curves P-256"); + my $testtype = CHANGE_HRR_CIPHERSUITE; + $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; +-plan tests => 2; ++plan tests => 3; + ok(TLSProxy::Message->fail(), "Server ciphersuite changes"); + + #Test 2: It is an error if the client changes the offered ciphersuites so that +@@ -58,6 +59,19 @@ $testtype = CHANGE_CH1_CIPHERSUITE; + $proxy->start(); + ok(TLSProxy::Message->fail(), "Client ciphersuite changes"); + ++#Test 3: A client should fail with unexpected_message alert if the server ++# sends more than 1 HRR ++my $fatal_alert = 0; ++$proxy->clear(); ++if (disabled("ec")) { ++ $proxy->serverflags("-curves ffdhe3072"); ++} else { ++ $proxy->serverflags("-curves P-256"); ++} ++$testtype = DUPLICATE_HRR; ++$proxy->start(); ++ok($fatal_alert, "Server duplicated HRR"); ++ + sub hrr_filter + { + my $proxy = shift; +@@ -78,6 +92,39 @@ sub hrr_filter + return; + } + ++ if ($testtype == DUPLICATE_HRR) { ++ # We're only interested in the HRR ++ # and the unexpected_message alert from client ++ if ($proxy->flight == 4) { ++ $fatal_alert = 1 ++ if @{$proxy->record_list}[-1]->is_fatal_alert(0) == 10; ++ return; ++ } ++ if ($proxy->flight != 3) { ++ return; ++ } ++ ++ # Find ServerHello record (HRR actually) and insert after that ++ my $i; ++ for ($i = 0; ${$proxy->record_list}[$i]->flight() < 1; $i++) { ++ next; ++ } ++ my $hrr_record = ${$proxy->record_list}[$i]; ++ my $dup_hrr = TLSProxy::Record->new(3, ++ $hrr_record->content_type(), ++ $hrr_record->version(), ++ $hrr_record->len(), ++ $hrr_record->sslv2(), ++ $hrr_record->len_real(), ++ $hrr_record->decrypt_len(), ++ $hrr_record->data(), ++ $hrr_record->decrypt_data()); ++ ++ $i++; ++ splice @{$proxy->record_list}, $i, 0, $dup_hrr; ++ return; ++ } ++ + # CHANGE_CH1_CIPHERSUITE + if ($proxy->flight != 0) { + return; +-- +2.17.1 + diff --git a/backport-crypto-x509-v3_utl.c-Add-missing-check-for-OPENSSL_s.patch b/backport-crypto-x509-v3_utl.c-Add-missing-check-for-OPENSSL_s.patch new file mode 100644 index 0000000000000000000000000000000000000000..e4630573b1578adc2e1c6d05dfe2fdbcb823ea3f --- /dev/null +++ b/backport-crypto-x509-v3_utl.c-Add-missing-check-for-OPENSSL_s.patch @@ -0,0 +1,58 @@ +From 999cce6ea7393e1daa40e9994064b2955b24a831 Mon Sep 17 00:00:00 2001 +From: Jiasheng Jiang +Date: Mon, 21 Feb 2022 09:51:54 +0800 +Subject: [PATCH] crypto/x509/v3_utl.c: Add missing check for OPENSSL_strndup + +Since the potential failure of memory allocation, it +should be better to check the return value of the +OPENSSL_strndup(), like x509v3_add_len_value(). +And following the comment of 'if (astrlen < 0)', +return -1 if fails. + +Signed-off-by: Jiasheng Jiang + +Reviewed-by: Matt Caswell +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/17737) + +(cherry picked from commit 366a16263959c0b6599f0b9ec18124d75560c6ef) +--- + crypto/x509v3/v3_utl.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c +index f41c699b5a..40d8f31554 100644 +--- a/crypto/x509v3/v3_utl.c ++++ b/crypto/x509v3/v3_utl.c +@@ -828,8 +828,11 @@ static int do_check_string(const ASN1_STRING *a, int cmp_type, equal_fn equal, + rv = equal(a->data, a->length, (unsigned char *)b, blen, flags); + else if (a->length == (int)blen && !memcmp(a->data, b, blen)) + rv = 1; +- if (rv > 0 && peername) ++ if (rv > 0 && peername != NULL) { + *peername = OPENSSL_strndup((char *)a->data, a->length); ++ if (*peername == NULL) ++ return -1; ++ } + } else { + int astrlen; + unsigned char *astr; +@@ -842,8 +845,13 @@ static int do_check_string(const ASN1_STRING *a, int cmp_type, equal_fn equal, + return -1; + } + rv = equal(astr, astrlen, (unsigned char *)b, blen, flags); +- if (rv > 0 && peername) ++ if (rv > 0 && peername != NULL) { + *peername = OPENSSL_strndup((char *)astr, astrlen); ++ if (*peername == NULL) { ++ OPENSSL_free(astr); ++ return -1; ++ } ++ } + OPENSSL_free(astr); + } + return rv; +-- +2.17.1 + diff --git a/backport-tls_process_server_hello-Disallow-repeated-HRR.patch b/backport-tls_process_server_hello-Disallow-repeated-HRR.patch new file mode 100644 index 0000000000000000000000000000000000000000..3c9576c706dcb8f24729e3799768d4069426c4fc --- /dev/null +++ b/backport-tls_process_server_hello-Disallow-repeated-HRR.patch @@ -0,0 +1,36 @@ +From fb67978a9eb076b23ddf17f6b95f697ed526c584 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Tue, 22 Mar 2022 12:34:07 +0100 +Subject: [PATCH] tls_process_server_hello: Disallow repeated HRR + +Repeated HRR must be rejected. + +Fixes #17934 + +Reviewed-by: Todd Short +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/17936) + +(cherry picked from commit d204a50b898435fbf937316d5693008cebf62eef) +--- + ssl/statem/statem_clnt.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c +index d1a3969812..e3aba393f9 100644 +--- a/ssl/statem/statem_clnt.c ++++ b/ssl/statem/statem_clnt.c +@@ -1422,6 +1422,10 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) + && sversion == TLS1_2_VERSION + && PACKET_remaining(pkt) >= SSL3_RANDOM_SIZE + && memcmp(hrrrandom, PACKET_data(pkt), SSL3_RANDOM_SIZE) == 0) { ++ if (s->hello_retry_request != SSL_HRR_NONE) { ++ SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); ++ goto err; ++ } + s->hello_retry_request = SSL_HRR_PENDING; + hrr = 1; + if (!PACKET_forward(pkt, SSL3_RANDOM_SIZE)) { +-- +2.17.1 + diff --git a/openssl.spec b/openssl.spec index 427817b3fe3cace2dedaa356d61506297f6a737b..a03d135b8032eb08dc36f0d6b47dff74a3e63a20 100644 --- a/openssl.spec +++ b/openssl.spec @@ -2,7 +2,7 @@ Name: openssl Epoch: 1 Version: 1.1.1m -Release: 12 +Release: 13 Summary: Cryptography and SSL/TLS Toolkit License: OpenSSL and SSLeay URL: https://www.openssl.org/ @@ -38,6 +38,14 @@ Patch27: Feature-PKCS7-sign-and-verify-support-SM2-algorithm.patch Patch28: Backport-SM3-acceleration-with-SM3-hardware-instruction-on-aa.patch Patch29: Backport-SM4-optimization-for-ARM-by-HW-instruction.patch Patch30: Feature-SM4-XTS-optimization-for-ARM-by-HW-instruction.patch +Patch31: backport-Fix-failure-to-check-result-of-bn_rshift_fixed_top.patch +Patch32: backport-Test-processing-of-a-duplicated-HRR.patch +Patch33: backport-tls_process_server_hello-Disallow-repeated-HRR.patch +Patch34: backport-Avoid-potential-memory-leak.patch +Patch35: backport-Fix-NULL-pointer-dereference-for-BN_mod_exp2_mont.patch +Patch36: backport-crypto-x509-v3_utl.c-Add-missing-check-for-OPENSSL_s.patch +Patch37: backport-Fix-password_callback-to-handle-short-passwords.patch +Patch38: backport-Fix-usage-of-SSLfatal.patch BuildRequires: gcc perl make lksctp-tools-devel coreutils util-linux zlib-devel Requires: coreutils %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} @@ -240,6 +248,9 @@ make test || : %ldconfig_scriptlets libs %changelog +* Fri Nov 4 2022 wangcheng - 1:1.1.1m-13 +- backport some patches + * Wed Nov 2 2022 Xu Yizhou - 1:1.1.1m-12 - SM3 acceleration with SM3 hardware instruction on aarch64 - SM4 optimization for ARM by HW instruction