Accepting request 796077 from home:vitezslav_cizek:branches:security:tls

- Update to 1.1.1g
  * Fixed segmentation fault in SSL_check_chain (CVE-2020-1967, bsc#1169407)
    Server or client applications that call the SSL_check_chain() function
    during or after a TLS 1.3 handshake may crash due to a NULL pointer
    dereference as a result of incorrect handling of the
    "signature_algorithms_cert" TLS extension. The crash occurs if an invalid
    or unrecognised signature algorithm is received from the peer. This could
    be exploited by a malicious peer in a Denial of Service attack.
  * Added AES consttime code for no-asm configurations
    an optional constant time support for AES was added
    when building openssl for no-asm.
- refresh patches:
   * openssl-1.1.1-fips.patch
   * openssl-1.1.1-fips-crng-test.patch

OBS-URL: https://build.opensuse.org/request/show/796077
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=68

openssl-1.1.1-fips-crng-test.patch

@@ -1,7 +1,7 @@
-Index: openssl-1.1.1d/include/crypto/rand.h
+Index: openssl-1.1.1g/include/crypto/rand.h
 ===================================================================
---- openssl-1.1.1d.orig/include/crypto/rand.h	2020-01-23 13:45:11.368633835 +0100
-+++ openssl-1.1.1d/include/crypto/rand.h	2020-01-23 13:45:11.384633930 +0100
+--- openssl-1.1.1g.orig/include/crypto/rand.h	2020-04-21 15:59:25.552654754 +0200
++++ openssl-1.1.1g/include/crypto/rand.h	2020-04-21 15:59:27.208663772 +0200
 @@ -49,6 +49,14 @@ size_t rand_drbg_get_additional_data(RAN
  
  void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out);
@@ -17,20 +17,22 @@ Index: openssl-1.1.1d/include/crypto/rand.h
  /*
   * RAND_POOL functions
   */
-Index: openssl-1.1.1d/crypto/rand/build.info
+Index: openssl-1.1.1g/crypto/rand/build.info
 ===================================================================
---- openssl-1.1.1d.orig/crypto/rand/build.info	2019-09-10 15:13:07.000000000 +0200
-+++ openssl-1.1.1d/crypto/rand/build.info	2020-01-23 13:45:11.384633930 +0100
-@@ -1,4 +1,4 @@
+--- openssl-1.1.1g.orig/crypto/rand/build.info	2020-04-21 15:59:27.208663772 +0200
++++ openssl-1.1.1g/crypto/rand/build.info	2020-04-21 16:00:32.869021309 +0200
+@@ -1,6 +1,6 @@
  LIBS=../../libcrypto
  SOURCE[../../libcrypto]=\
 -        randfile.c rand_lib.c rand_err.c rand_egd.c \
 +        randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \
          rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
-Index: openssl-1.1.1d/crypto/rand/drbg_lib.c
+ 
+ INCLUDE[drbg_ctr.o]=../modes
+Index: openssl-1.1.1g/crypto/rand/drbg_lib.c
 ===================================================================
---- openssl-1.1.1d.orig/crypto/rand/drbg_lib.c	2020-01-23 13:45:11.368633835 +0100
-+++ openssl-1.1.1d/crypto/rand/drbg_lib.c	2020-01-23 13:45:11.384633930 +0100
+--- openssl-1.1.1g.orig/crypto/rand/drbg_lib.c	2020-04-21 15:59:25.552654754 +0200
++++ openssl-1.1.1g/crypto/rand/drbg_lib.c	2020-04-21 15:59:27.208663772 +0200
 @@ -67,7 +67,7 @@ static CRYPTO_THREAD_LOCAL private_drbg;
  
  
@@ -54,10 +56,10 @@ Index: openssl-1.1.1d/crypto/rand/drbg_lib.c
  #ifndef RAND_DRBG_GET_RANDOM_NONCE
          drbg->get_nonce = rand_drbg_get_nonce;
          drbg->cleanup_nonce = rand_drbg_cleanup_nonce;
-Index: openssl-1.1.1d/crypto/rand/rand_crng_test.c
+Index: openssl-1.1.1g/crypto/rand/rand_crng_test.c
 ===================================================================
 --- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ openssl-1.1.1d/crypto/rand/rand_crng_test.c	2020-01-23 13:45:11.384633930 +0100
++++ openssl-1.1.1g/crypto/rand/rand_crng_test.c	2020-04-21 15:59:27.208663772 +0200
 @@ -0,0 +1,118 @@
 +/*
 + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
@@ -177,10 +179,10 @@ Index: openssl-1.1.1d/crypto/rand/rand_crng_test.c
 +{
 +    OPENSSL_secure_clear_free(out, outlen);
 +}
-Index: openssl-1.1.1d/crypto/rand/rand_local.h
+Index: openssl-1.1.1g/crypto/rand/rand_local.h
 ===================================================================
---- openssl-1.1.1d.orig/crypto/rand/rand_local.h	2019-09-10 15:13:07.000000000 +0200
-+++ openssl-1.1.1d/crypto/rand/rand_local.h	2020-01-23 13:45:11.384633930 +0100
+--- openssl-1.1.1g.orig/crypto/rand/rand_local.h	2020-04-21 15:59:25.552654754 +0200
++++ openssl-1.1.1g/crypto/rand/rand_local.h	2020-04-21 15:59:27.208663772 +0200
 @@ -33,7 +33,15 @@
  # define MASTER_RESEED_TIME_INTERVAL             (60*60)   /* 1 hour */
  # define SLAVE_RESEED_TIME_INTERVAL              (7*60)    /* 7 minutes */
@@ -230,10 +232,10 @@ Index: openssl-1.1.1d/crypto/rand/rand_local.h
 +int rand_crngt_single_init(void);
 +
  #endif
-Index: openssl-1.1.1d/test/drbgtest.c
+Index: openssl-1.1.1g/test/drbgtest.c
 ===================================================================
---- openssl-1.1.1d.orig/test/drbgtest.c	2019-09-10 15:13:07.000000000 +0200
-+++ openssl-1.1.1d/test/drbgtest.c	2020-01-23 13:45:11.384633930 +0100
+--- openssl-1.1.1g.orig/test/drbgtest.c	2020-04-21 15:59:25.552654754 +0200
++++ openssl-1.1.1g/test/drbgtest.c	2020-04-21 15:59:27.208663772 +0200
 @@ -150,6 +150,31 @@ static size_t kat_nonce(RAND_DRBG *drbg,
      return t->noncelen;
  }

openssl-1.1.1f.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:186c6bfe6ecfba7a5b48c47f8a1673d0f3b0e5ba2e25602dd23b629975da3f35
-size 9792828

openssl-1.1.1f.tar.gz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl6DNO8ACgkQ2cTSbQ5g
-RJEcRQf+PEPY47eqigmUqN26vlOu/QUjYFlB5R9K90DFJvS+UM/KoS4UwdTSuska
-hk010MFZlhlFKvzFX6pkyq4AHW1Ta3la3VqRwHAv/TYVCWKIsSKpm07tW6Z/aF4w
-N4JAciN9I1+nsnEYvVZUbDvXw64B35Hxgd6mRc6gRbp8yQwkPNUspZxS6DcUIPPV
-bgU/s/+aB1kqjG6oBbe7HFBqD8xbnvL8/unsi3OLLxUp2dUvndHDmKX/sW6+T8S2
-BL3Czskk25hV2fYMZY/97oiUDkTNH3Tfa1WlwLRF/NPAakem2m47biwgJv74mKAm
-8D6M7om3dh3FsBYMq2JkfHIfUTvhRw==
-=WoEF
------END PGP SIGNATURE-----

openssl-1.1.1g.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46
+size 9801502

openssl-1.1.1g.tar.gz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl6e5ZUACgkQ2cTSbQ5g
+RJHnTQf+KGRLb4BacpX2zWwjEHy/F4ylVcQXV0e5tVcLhdoviUxShb6RQ05uQ9XQ
+Jmm94vFoquPGwhkH4HcT8NE5vYROsGqbgyy8i4D1iq5sJ/vFc1yU6b8Xxpnljk8N
+mxjz69uHftPbJknNhpNzMbRn+UzZZpK7sU4kgr0u0H8FBuX7m61hFLRqJWNbsx5R
+E3ekj06iPvzE+mxxWOOtJx412Ury69atfCP+SzUGLLYvaIm/htInR8uI7uEVh2hu
+Aj1il4BvZX/r11PgSlzbwl9FZorKc+S6vrxnPek8+QKCRluvFe0IhcerLoIPk4Ok
+gmM3j8ng49KW3xVL6IZIMjkfZdTuTw==
+=CJa/
+-----END PGP SIGNATURE-----

openssl-1_1.changes

@@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Tue Apr 21 13:47:04 UTC 2020 - Vítězslav Čížek <vcizek@suse.com>
+
+- Update to 1.1.1g
+  * Fixed segmentation fault in SSL_check_chain (CVE-2020-1967, bsc#1169407)
+    Server or client applications that call the SSL_check_chain() function
+    during or after a TLS 1.3 handshake may crash due to a NULL pointer
+    dereference as a result of incorrect handling of the
+    "signature_algorithms_cert" TLS extension. The crash occurs if an invalid
+    or unrecognised signature algorithm is received from the peer. This could
+    be exploited by a malicious peer in a Denial of Service attack.
+  * Added AES consttime code for no-asm configurations
+    an optional constant time support for AES was added
+    when building openssl for no-asm.
+- refresh patches:
+   * openssl-1.1.1-fips.patch
+   * openssl-1.1.1-fips-crng-test.patch
+
 -------------------------------------------------------------------
 Tue Mar 31 14:05:24 UTC 2020 - Vítězslav Čížek <vcizek@suse.com>
 

openssl-1_1.spec

@@ -21,7 +21,7 @@
 %define _rname  openssl
 Name:           openssl-1_1
 # Don't forget to update the version in the "openssl" package!
-Version:        1.1.1f
+Version:        1.1.1g
 Release:        0
 Summary:        Secure Sockets and Transport Layer Security
 License:        OpenSSL