Accepting request 796090 from security:tls

OBS-URL: https://build.opensuse.org/request/show/796090 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-1_1?expand=0&rev=17
2020-04-27 21:27:46 +00:00 · 2020-04-27 21:27:46 +00:00 · 0d743beb17
commit 0d743beb17
parent 5b13303a59 5a11d9c32d
8 changed files with 320 additions and 300 deletions
--- a/openssl-1.1.1-fips-crng-test.patch
+++ b/openssl-1.1.1-fips-crng-test.patch
@ -1,7 +1,7 @@
-Index: openssl-1.1.1d/include/crypto/rand.h
+Index: openssl-1.1.1g/include/crypto/rand.h
 ===================================================================
--- openssl-1.1.1d.orig/include/crypto/rand.h	2020-01-23 13:45:11.368633835 +0100
-+++ openssl-1.1.1d/include/crypto/rand.h	2020-01-23 13:45:11.384633930 +0100
+--- openssl-1.1.1g.orig/include/crypto/rand.h	2020-04-21 15:59:25.552654754 +0200
+++ openssl-1.1.1g/include/crypto/rand.h	2020-04-21 15:59:27.208663772 +0200
@@ -49,6 +49,14 @@ size_t rand_drbg_get_additional_data(RAN
 
 void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out);
@ -17,20 +17,22 @@ Index: openssl-1.1.1d/include/crypto/rand.h
 /*
  * RAND_POOL functions
  */
-Index: openssl-1.1.1d/crypto/rand/build.info
+Index: openssl-1.1.1g/crypto/rand/build.info
 ===================================================================
--- openssl-1.1.1d.orig/crypto/rand/build.info	2019-09-10 15:13:07.000000000 +0200
-+++ openssl-1.1.1d/crypto/rand/build.info	2020-01-23 13:45:11.384633930 +0100
-@@ -1,4 +1,4 @@
+--- openssl-1.1.1g.orig/crypto/rand/build.info	2020-04-21 15:59:27.208663772 +0200
+++ openssl-1.1.1g/crypto/rand/build.info	2020-04-21 16:00:32.869021309 +0200
+@@ -1,6 +1,6 @@
 LIBS=../../libcrypto
 SOURCE[../../libcrypto]=\
 -        randfile.c rand_lib.c rand_err.c rand_egd.c \
 +        randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \
         rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
-Index: openssl-1.1.1d/crypto/rand/drbg_lib.c
+ 
+ INCLUDE[drbg_ctr.o]=../modes
+Index: openssl-1.1.1g/crypto/rand/drbg_lib.c
 ===================================================================
--- openssl-1.1.1d.orig/crypto/rand/drbg_lib.c	2020-01-23 13:45:11.368633835 +0100
-+++ openssl-1.1.1d/crypto/rand/drbg_lib.c	2020-01-23 13:45:11.384633930 +0100
+--- openssl-1.1.1g.orig/crypto/rand/drbg_lib.c	2020-04-21 15:59:25.552654754 +0200
+++ openssl-1.1.1g/crypto/rand/drbg_lib.c	2020-04-21 15:59:27.208663772 +0200
@@ -67,7 +67,7 @@ static CRYPTO_THREAD_LOCAL private_drbg;
 
 
@ -54,10 +56,10 @@ Index: openssl-1.1.1d/crypto/rand/drbg_lib.c
 #ifndef RAND_DRBG_GET_RANDOM_NONCE
         drbg->get_nonce = rand_drbg_get_nonce;
         drbg->cleanup_nonce = rand_drbg_cleanup_nonce;
-Index: openssl-1.1.1d/crypto/rand/rand_crng_test.c
+Index: openssl-1.1.1g/crypto/rand/rand_crng_test.c
 ===================================================================
 --- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ openssl-1.1.1d/crypto/rand/rand_crng_test.c	2020-01-23 13:45:11.384633930 +0100
+++ openssl-1.1.1g/crypto/rand/rand_crng_test.c	2020-04-21 15:59:27.208663772 +0200
@@ -0,0 +1,118 @@
 +/*
 + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
@ -177,10 +179,10 @@ Index: openssl-1.1.1d/crypto/rand/rand_crng_test.c
 +{
 +    OPENSSL_secure_clear_free(out, outlen);
 +}
-Index: openssl-1.1.1d/crypto/rand/rand_local.h
+Index: openssl-1.1.1g/crypto/rand/rand_local.h
 ===================================================================
--- openssl-1.1.1d.orig/crypto/rand/rand_local.h	2019-09-10 15:13:07.000000000 +0200
-+++ openssl-1.1.1d/crypto/rand/rand_local.h	2020-01-23 13:45:11.384633930 +0100
+--- openssl-1.1.1g.orig/crypto/rand/rand_local.h	2020-04-21 15:59:25.552654754 +0200
+++ openssl-1.1.1g/crypto/rand/rand_local.h	2020-04-21 15:59:27.208663772 +0200
@@ -33,7 +33,15 @@
 # define MASTER_RESEED_TIME_INTERVAL             (60*60)   /* 1 hour */
 # define SLAVE_RESEED_TIME_INTERVAL              (7*60)    /* 7 minutes */
@ -230,10 +232,10 @@ Index: openssl-1.1.1d/crypto/rand/rand_local.h
 +int rand_crngt_single_init(void);
 +
 #endif
-Index: openssl-1.1.1d/test/drbgtest.c
+Index: openssl-1.1.1g/test/drbgtest.c
 ===================================================================
--- openssl-1.1.1d.orig/test/drbgtest.c	2019-09-10 15:13:07.000000000 +0200
-+++ openssl-1.1.1d/test/drbgtest.c	2020-01-23 13:45:11.384633930 +0100
+--- openssl-1.1.1g.orig/test/drbgtest.c	2020-04-21 15:59:25.552654754 +0200
+++ openssl-1.1.1g/test/drbgtest.c	2020-04-21 15:59:27.208663772 +0200
@@ -150,6 +150,31 @@ static size_t kat_nonce(RAND_DRBG *drbg,
     return t->noncelen;
 }
--- a/openssl-1.1.1-fips.patch
+++ b/openssl-1.1.1-fips.patch
--- a/openssl-1.1.1f.tar.gz
+++ b/openssl-1.1.1f.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:186c6bfe6ecfba7a5b48c47f8a1673d0f3b0e5ba2e25602dd23b629975da3f35
-size 9792828
--- a/openssl-1.1.1f.tar.gz.asc
+++ b/openssl-1.1.1f.tar.gz.asc
@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl6DNO8ACgkQ2cTSbQ5g
-RJEcRQf+PEPY47eqigmUqN26vlOu/QUjYFlB5R9K90DFJvS+UM/KoS4UwdTSuska
-hk010MFZlhlFKvzFX6pkyq4AHW1Ta3la3VqRwHAv/TYVCWKIsSKpm07tW6Z/aF4w
-N4JAciN9I1+nsnEYvVZUbDvXw64B35Hxgd6mRc6gRbp8yQwkPNUspZxS6DcUIPPV
-bgU/s/+aB1kqjG6oBbe7HFBqD8xbnvL8/unsi3OLLxUp2dUvndHDmKX/sW6+T8S2
-BL3Czskk25hV2fYMZY/97oiUDkTNH3Tfa1WlwLRF/NPAakem2m47biwgJv74mKAm
-8D6M7om3dh3FsBYMq2JkfHIfUTvhRw==
-=WoEF
-----END PGP SIGNATURE-----
--- a/openssl-1.1.1g.tar.gz
+++ b/openssl-1.1.1g.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46
+size 9801502
--- a/openssl-1.1.1g.tar.gz.asc
+++ b/openssl-1.1.1g.tar.gz.asc
@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl6e5ZUACgkQ2cTSbQ5g
+RJHnTQf+KGRLb4BacpX2zWwjEHy/F4ylVcQXV0e5tVcLhdoviUxShb6RQ05uQ9XQ
+Jmm94vFoquPGwhkH4HcT8NE5vYROsGqbgyy8i4D1iq5sJ/vFc1yU6b8Xxpnljk8N
+mxjz69uHftPbJknNhpNzMbRn+UzZZpK7sU4kgr0u0H8FBuX7m61hFLRqJWNbsx5R
+E3ekj06iPvzE+mxxWOOtJx412Ury69atfCP+SzUGLLYvaIm/htInR8uI7uEVh2hu
+Aj1il4BvZX/r11PgSlzbwl9FZorKc+S6vrxnPek8+QKCRluvFe0IhcerLoIPk4Ok
+gmM3j8ng49KW3xVL6IZIMjkfZdTuTw==
+=CJa/
+-----END PGP SIGNATURE-----
--- a/openssl-1_1.changes
+++ b/openssl-1_1.changes
@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Tue Apr 21 13:47:04 UTC 2020 - Vítězslav Čížek <vcizek@suse.com>
+
+- Update to 1.1.1g
+  * Fixed segmentation fault in SSL_check_chain (CVE-2020-1967, bsc#1169407)
+    Server or client applications that call the SSL_check_chain() function
+    during or after a TLS 1.3 handshake may crash due to a NULL pointer
+    dereference as a result of incorrect handling of the
+    "signature_algorithms_cert" TLS extension. The crash occurs if an invalid
+    or unrecognised signature algorithm is received from the peer. This could
+    be exploited by a malicious peer in a Denial of Service attack.
+  * Added AES consttime code for no-asm configurations
+    an optional constant time support for AES was added
+    when building openssl for no-asm.
+- refresh patches:
+   * openssl-1.1.1-fips.patch
+   * openssl-1.1.1-fips-crng-test.patch
+
 -------------------------------------------------------------------
 Tue Mar 31 14:05:24 UTC 2020 - Vítězslav Čížek <vcizek@suse.com>

--- a/openssl-1_1.spec
+++ b/openssl-1_1.spec
@ -21,7 +21,7 @@
 %define _rname  openssl
 Name:           openssl-1_1
 # Don't forget to update the version in the "openssl" package!
-Version:        1.1.1f
+Version:        1.1.1g
 Release:        0
 Summary:        Secure Sockets and Transport Layer Security
 License:        OpenSSL