Accepting request 960455 from home:pmonrealgonzalez:branches:security:tls

- Security fix: [bsc#1192820, CVE-2002-20001] * Fix DHEATER: The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE calculation. * Stop recommending the DHE in SSL_DEFAULT_SUSE_CIPHER_LIST * Rebase openssl-DEFAULT_SUSE_cipher.patch - Fix the engines section in /etc/ssl/openssl.cnf [bsc#1194187] * In an INI-type file, the sections begin with a [section_name] and they run until the next section begins. * Rebase openssl-1_1-use-include-directive.patch OBS-URL: https://build.opensuse.org/request/show/960455 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=107
2022-03-09 11:25:28 +00:00 · 2022-03-09 11:25:28 +00:00 · 8cce2e6a14
commit 8cce2e6a14
parent 66f0a2e283
3 changed files with 41 additions and 20 deletions
--- a/openssl-1_1-use-include-directive.patch
+++ b/openssl-1_1-use-include-directive.patch
@ -1,26 +1,29 @@
--- a/apps/openssl.cnf	2021-08-24 09:38:47.000000000 -0400
+Index: openssl-1.1.1m/apps/openssl.cnf
-+++ b/apps/openssl.cnf	2021-12-06 17:13:34.549291242 -0500
+===================================================================
-@@ -11,9 +11,23 @@
+--- openssl-1.1.1m.orig/apps/openssl.cnf
 +++ openssl-1.1.1m/apps/openssl.cnf
@@ -11,6 +11,24 @@
 # defined.
 HOME			= .
-+openssl_conf = openssl_init
+openssl_conf 		= openssl_init
 +
-+[openssl_init]
+[ openssl_init ]
 +
 +engines		= engine_section
 +
 +[ engine_section ]
 +
 +# This include will look through the directory that will contain the
 +# engine declarations for any engines provided by other packages.
 +.include /etc/ssl/engines.d
 +
 +# This include will look through the directory that will contain the
 +# definitions of the engines declared in the engine section.
 +.include /etc/ssl/engdef.d
 +
 +[ oid_section ]
 +
 # Extra OBJECT IDENTIFIER info:
 #oid_file		= $ENV::HOME/.oid
 oid_section		= new_oids
 +engines			= engine_section
 +
 +# This include will look through the directory that will contain the
 +# engine declarations for any engines provided by other packages.
 +[engine_section]
 +.include /etc/ssl/engines.d/
 +
 +# This include will look through the directory that will contain the
 +# definitions of the engines declared in the engine section.
 +.include /etc/ssl/engdef.d/
 # To use this configuration file with the "-extfile" option of the
 # "openssl x509" utility, name here the section containing the
--- a/openssl-1_1.changes
+++ b/openssl-1_1.changes
@ -1,3 +1,22 @@
 -------------------------------------------------------------------
 Fri Mar  4 13:11:14 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
 - Security fix: [bsc#1192820, CVE-2002-20001]
  * Fix DHEATER: The Diffie-Hellman Key Agreement Protocol allows
    remote attackers (from the client side) to send arbitrary
    numbers that are actually not public keys, and trigger
    expensive server-side DHE calculation.
  * Stop recommending the DHE in SSL_DEFAULT_SUSE_CIPHER_LIST
  * Rebase openssl-DEFAULT_SUSE_cipher.patch
 -------------------------------------------------------------------
 Tue Feb 22 17:35:53 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
 - Fix the engines section in /etc/ssl/openssl.cnf [bsc#1194187]
  * In an INI-type file, the sections begin with a [section_name]
    and they run until the next section begins.
  * Rebase openssl-1_1-use-include-directive.patch
 -------------------------------------------------------------------
 Fri Feb 11 12:32:11 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
--- a/openssl-DEFAULT_SUSE_cipher.patch
+++ b/openssl-DEFAULT_SUSE_cipher.patch
@ -22,14 +22,13 @@ Index: openssl-1.1.1/include/openssl/ssl.h
 ===================================================================
 --- openssl-1.1.1.orig/include/openssl/ssl.h	2018-09-11 14:48:23.000000000 +0200
 +++ openssl-1.1.1/include/openssl/ssl.h	2018-09-11 16:45:20.979303981 +0200
-@@ -171,6 +171,11 @@ extern "C" {
+@@ -171,6 +171,10 @@ extern "C" {
  * This applies to ciphersuites for TLSv1.2 and below.
  */
 # define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
 +# define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"\
 +    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:"\
 +    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\
 +    "DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\
 +    "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA"
 /* This is the default set of TLSv1.3 ciphersuites */
 # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)