Accepting request 708112 from home:vitezslav_cizek:branches:factory

- Use upstream patch for the locale crash (bsc#1135550) - delete openssl-fix_underflow_in_errstr_handling.patch - add 0001-build_SYS_str_reasons-Fix-a-crash-caused-by-overlong.patch - Add s390x vectorized support for ChaCha20 and Poly1305 (jsc#SLE-6126, jsc#SLE-6129) * 0001-s390x-assembly-pack-perlasm-support.patch * 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch * 0003-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch * 0004-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch * 0005-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch * 0006-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch - Update to 1.1.1c (bsc#1133925, jsc#SLE-6430) - drop upstreamed patches: - update keyring by including Richard Levitte's key OBS-URL: https://build.opensuse.org/request/show/708112 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=38
2019-06-06 11:11:21 +00:00 · 2019-06-06 11:11:21 +00:00 · 949eaaafb4
commit 949eaaafb4
parent 0bd53d7b5f
10 changed files with 2868 additions and 73 deletions
--- a/0001-build_SYS_str_reasons-Fix-a-crash-caused-by-overlong.patch
+++ b/0001-build_SYS_str_reasons-Fix-a-crash-caused-by-overlong.patch
@ -0,0 +1,79 @@
 From fac9200a881a83bef038ebed628ebd409786a1a6 Mon Sep 17 00:00:00 2001
 From: Vitezslav Cizek <vcizek@suse.com>
 Date: Tue, 4 Jun 2019 13:24:59 +0200
 Subject: [PATCH] build_SYS_str_reasons: Fix a crash caused by overlong locales
 The 4 kB SPACE_SYS_STR_REASONS in crypto/err/err.c isn't enough for some locales.
 The Russian locales consume 6856 bytes, Ukrainian even 7000.
 build_SYS_str_reasons() contains an overflow check:
 if (cnt > sizeof(strerror_pool))
    cnt = sizeof(strerror_pool);
 But since commit 9f15e5b911ba6053e09578f190354568e01c07d7 it no longer
 works as cnt is incremented once more after the condition.
 cnt greater than sizeof(strerror_pool) results in an unbounded
 OPENSSL_strlcpy() in openssl_strerror_r(), eventually causing a crash.
 When the first received error string was empty or contained only
 spaces, cur would move in front of the start of the strerror_pool.
 Also don't call openssl_strerror_r when the pool is full.
 Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
 Reviewed-by: Richard Levitte <levitte@openssl.org>
 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
 (Merged from https://github.com/openssl/openssl/pull/8966)
 ---
 crypto/err/err.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
 diff --git a/crypto/err/err.c b/crypto/err/err.c
 index 57399f82ad..cf3ae4d3b3 100644
 --- a/crypto/err/err.c
 +++ b/crypto/err/err.c
@@ -188,8 +188,8 @@ static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *d)
 }
 #ifndef OPENSSL_NO_ERR
 -/* A measurement on Linux 2018-11-21 showed about 3.5kib */
 -# define SPACE_SYS_STR_REASONS 4 * 1024
 +/* 2019-05-21: Russian and Ukrainian locales on Linux require more than 6,5 kB */
 +# define SPACE_SYS_STR_REASONS 8 * 1024
 # define NUM_SYS_STR_REASONS 127
 static ERR_STRING_DATA SYS_str_reasons[NUM_SYS_STR_REASONS + 1];
@@ -223,21 +223,23 @@ static void build_SYS_str_reasons(void)
         ERR_STRING_DATA *str = &SYS_str_reasons[i - 1];
         str->error = ERR_PACK(ERR_LIB_SYS, 0, i);
 -        if (str->string == NULL) {
 +        /*
 +         * If we have used up all the space in strerror_pool,
 +         * there's no point in calling openssl_strerror_r()
 +         */
 +        if (str->string == NULL && cnt < sizeof(strerror_pool)) {
             if (openssl_strerror_r(i, cur, sizeof(strerror_pool) - cnt)) {
                 size_t l = strlen(cur);
                 str->string = cur;
                 cnt += l;
 -                if (cnt > sizeof(strerror_pool))
 -                    cnt = sizeof(strerror_pool);
                 cur += l;
                 /*
                  * VMS has an unusual quirk of adding spaces at the end of
 -                 * some (most? all?) messages.  Lets trim them off.
 +                 * some (most? all?) messages. Lets trim them off.
                  */
 -                while (ossl_isspace(cur[-1])) {
 +                while (cur > strerror_pool && ossl_isspace(cur[-1])) {
                     cur--;
                     cnt--;
                 }
 -- 
 2.21.0
--- a/0001-s390x-assembly-pack-perlasm-support.patch
+++ b/0001-s390x-assembly-pack-perlasm-support.patch
@ -3085,5 +3085,5 @@ index 0000000000..5f3a49dd0c
 +
 +1;
 -- 
-2.20.1
+2.21.0
--- a/0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
+++ b/0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
@ -15,8 +15,8 @@ Reviewed-by: Richard Levitte <levitte@openssl.org>
 Index: openssl-1.1.1c/crypto/chacha/asm/chacha-s390x.pl
 ===================================================================
--- openssl-1.1.1c.orig/crypto/chacha/asm/chacha-s390x.pl	2019-05-30 11:52:55.786294410 +0200
+--- openssl-1.1.1c.orig/crypto/chacha/asm/chacha-s390x.pl	2019-06-06 12:15:57.271195550 +0200
-+++ openssl-1.1.1c/crypto/chacha/asm/chacha-s390x.pl	2019-05-30 11:52:58.122308974 +0200
+++ openssl-1.1.1c/crypto/chacha/asm/chacha-s390x.pl	2019-06-06 12:16:43.787489780 +0200
@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
 -# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
--- a/0003-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch
+++ b/0003-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch
@ -1002,5 +1002,5 @@ index 21ca86055e..390f9eefe7 100755
 +
 +PERLASM_END();
 -- 
-2.20.1
+2.21.0
--- a/0004-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch
+++ b/0004-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch
@ -0,0 +1,31 @@
 From b2b580fe445e064da50c13d3e00f71022da16ece Mon Sep 17 00:00:00 2001
 From: Patrick Steuer <patrick.steuer@de.ibm.com>
 Date: Fri, 15 Feb 2019 22:59:09 +0100
 Subject: [PATCH] s390x assembly pack: fix formal interface bug in chacha
 module
 Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
 Reviewed-by: Tim Hudson <tjh@openssl.org>
 Reviewed-by: Richard Levitte <levitte@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/8257)
 ---
 crypto/chacha/asm/chacha-s390x.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/crypto/chacha/asm/chacha-s390x.pl b/crypto/chacha/asm/chacha-s390x.pl
 index 005c810e20..abf7283dd8 100755
 --- a/crypto/chacha/asm/chacha-s390x.pl
 +++ b/crypto/chacha/asm/chacha-s390x.pl
@@ -225,7 +225,7 @@ LABEL	("ChaCha20_ctr32");
 	larl	("%r1","OPENSSL_s390xcap_P");
 	lghi	("%r0",64);
 -&{$z?	\&cgr:\&cr}	($len,"%r0");
 +&{$z?	\&clgr:\&clr}	($len,"%r0");
 	jle	("_s390x_chacha_novx");
 	lg	("%r0","S390X_STFLE+16(%r1)");
 -- 
 2.21.0
--- a/0005-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch
+++ b/0005-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch
--- a/0006-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch
+++ b/0006-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch
--- a/openssl-1_1.changes
+++ b/openssl-1_1.changes
@ -1,15 +1,27 @@
 -------------------------------------------------------------------
-Thu May 30 12:19:51 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
+Thu Jun  6 10:06:45 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
- Update openssl-fix_underflow_in_errstr_handling.patch to use
+- Use upstream patch for the locale crash (bsc#1135550)
  upstream approved code
  * https://github.com/openssl/openssl/pull/8966
- update openssl.keyring to include Richard Levitte's key
+- delete openssl-fix_underflow_in_errstr_handling.patch
 - add 0001-build_SYS_str_reasons-Fix-a-crash-caused-by-overlong.patch
 -------------------------------------------------------------------
 Thu Jun  6 10:03:03 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
 - Add s390x vectorized support for ChaCha20 and Poly1305
  (jsc#SLE-6126, jsc#SLE-6129)
  * 0001-s390x-assembly-pack-perlasm-support.patch
  * 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
  * 0003-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch
  * 0004-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch
  * 0005-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch
  * 0006-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch
 -------------------------------------------------------------------
 Thu May 30 09:55:01 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
- Update to 1.1.1c
+- Update to 1.1.1c (bsc#1133925, jsc#SLE-6430)
  * Prevent over long nonces in ChaCha20-Poly1305 (CVE-2019-1543)
    ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input
    for every encryption operation. RFC 7539 specifies that the nonce value
@ -35,10 +47,10 @@ Thu May 30 09:55:01 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
  * Make OPENSSL_config() error agnostic again.
  * Do the error handling in RSA decryption constant time.
  * Ensure that SM2 only uses SM3 as digest algorithm
- drop upstream integrated patches
+- drop upstreamed patches:
  * openssl-fix-handling-of-GNU-strerror_r.patch
  * 0001-Fix-for-BIO_get_mem_ptr-and-related-regressions.patch
- refresh 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
+- update keyring by including Richard Levitte's key
 -------------------------------------------------------------------
 Tue May 28 08:21:52 UTC 2019 - Jiri Slaby <jslaby@suse.com>
--- a/openssl-1_1.spec
+++ b/openssl-1_1.spec
@ -32,6 +32,7 @@ Source:         https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz
 Source1:        %{name}.changes
 Source2:        baselibs.conf
 Source3:        https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz.asc
 # https://www.openssl.org/about/
 # http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA2D29B7BF295C759#/openssl.keyring
 Source4:        %{_rname}.keyring
 Source5:        showciphers.c
@ -42,12 +43,15 @@ Patch3:         openssl-pkgconfig.patch
 Patch4:         openssl-DEFAULT_SUSE_cipher.patch
 Patch5:         openssl-ppc64-config.patch
 Patch6:         openssl-no-date.patch
-# PATCH-FIX-UPSTREAM https://github.com/openssl/openssl/pull/6919 fate#326561
+# PATCH-FIX-UPSTREAM https://github.com/openssl/openssl/pull/8966
-Patch7:         0001-s390x-assembly-pack-perlasm-support.patch
+Patch7:         0001-build_SYS_str_reasons-Fix-a-crash-caused-by-overlong.patch
-Patch8:         0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
+# PATCH-FIX-UPSTREAM jsc#SLE-6126 and jsc#SLE-6129
-# PATCH-FIX-UPSTREAM FATE#326351 Add vectorized poly1305 implementation for s390x (https://github.com/openssl/openssl/pull/7991)
+Patch8:         0001-s390x-assembly-pack-perlasm-support.patch
-Patch9:         0001-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch
+Patch9:         0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
-Patch11:        openssl-fix_underflow_in_errstr_handling.patch
+Patch10:        0003-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch
 Patch11:        0004-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch
 Patch12:        0005-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch
 Patch13:        0006-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch
 BuildRequires:  pkgconfig
 Conflicts:      ssl
 Provides:       ssl
--- a/openssl-fix_underflow_in_errstr_handling.patch
+++ b/openssl-fix_underflow_in_errstr_handling.patch
@ -1,56 +0,0 @@
 diff --git a/crypto/err/err.c b/crypto/err/err.c
 index 345d230206..84ef2fa3d4 100644
 --- a/crypto/err/err.c
 +++ b/crypto/err/err.c
@@ -187,8 +187,8 @@ static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *d)
 }
 #ifndef OPENSSL_NO_ERR
 -/* A measurement on Linux 2018-11-21 showed about 3.5kib */
 -# define SPACE_SYS_STR_REASONS 4 * 1024
 +/* 2019-05-21: Russian and Ukrainian locales on Linux require more than 6,5 kB */
 +# define SPACE_SYS_STR_REASONS 4 * 1024
 # define NUM_SYS_STR_REASONS 127
 static ERR_STRING_DATA SYS_str_reasons[NUM_SYS_STR_REASONS + 1];
@@ -222,26 +222,30 @@ static void build_SYS_str_reasons(void)
         ERR_STRING_DATA *str = &SYS_str_reasons[i - 1];
         str->error = ERR_PACK(ERR_LIB_SYS, 0, i);
 -        if (str->string == NULL) {
 +        /*
 +         * If we have used up all the space in strerror_pool,
 +         * there's no point in calling openssl_strerror_r()
 +         */
 +        if (str->string == NULL && cnt < sizeof(strerror_pool)) {
             if (openssl_strerror_r(i, cur, sizeof(strerror_pool) - cnt)) {
 -                size_t l = strlen(cur);
 +                size_t l = strlen(cur) + 1;
                 str->string = cur;
                 cnt += l;
 -                if (cnt > sizeof(strerror_pool))
 -                    cnt = sizeof(strerror_pool);
                 cur += l;
                 /*
                  * VMS has an unusual quirk of adding spaces at the end of
 -                 * some (most? all?) messages.  Lets trim them off.
 +                 * some (most? all?) messages. Lets trim them off.
                  */
 -                while (ossl_isspace(cur[-1])) {
 -                    cur--;
 -                    cnt--;
 +                if (cur > strerror_pool && ossl_isspace(cur[-1])) {
 +                    while (cur > strerror_pool && ossl_isspace(cur[-1])) {
 +                        cur--;
 +                        cnt--;
 +                    }
 +                    *cur++ = '\0';
 +                    cnt++;
                 }
 -                *cur++ = '\0';
 -                cnt++;
             }
         }
         if (str->string == NULL)
 +
 +1;
 --
-.20.1
+.21.0