Accepting request 841379 from security:tls

OBS-URL: https://build.opensuse.org/request/show/841379
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-1_1?expand=0&rev=19

openssl-1.1.1g.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46
-size 9801502

openssl-1.1.1g.tar.gz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl6e5ZUACgkQ2cTSbQ5g
-RJHnTQf+KGRLb4BacpX2zWwjEHy/F4ylVcQXV0e5tVcLhdoviUxShb6RQ05uQ9XQ
-Jmm94vFoquPGwhkH4HcT8NE5vYROsGqbgyy8i4D1iq5sJ/vFc1yU6b8Xxpnljk8N
-mxjz69uHftPbJknNhpNzMbRn+UzZZpK7sU4kgr0u0H8FBuX7m61hFLRqJWNbsx5R
-E3ekj06iPvzE+mxxWOOtJx412Ury69atfCP+SzUGLLYvaIm/htInR8uI7uEVh2hu
-Aj1il4BvZX/r11PgSlzbwl9FZorKc+S6vrxnPek8+QKCRluvFe0IhcerLoIPk4Ok
-gmM3j8ng49KW3xVL6IZIMjkfZdTuTw==
-=CJa/
------END PGP SIGNATURE-----

openssl-1.1.1h.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5c9ca8774bd7b03e5784f26ae9e9e6d749c9da2438545077e6b3d755a06595d9
+size 9810045

openssl-1.1.1h.tar.gz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl9p9DIACgkQ2cTSbQ5g
+RJFkgAf/cEJVx8pptVMXRtbh9aBl73I12y+xURVt0WJ7Z6Uwotisq9otypUQH1kb
+H7IULXo7SnCjpouJQzAKCh8muv7jz7yquL19q0s4uh46Qdz57tIdfJap/F/eGwR8
+wPnciGtl9P+8uSsPTro9VlEjQRCTvGKXna35V3CilXx2zpP3X9izcUed8Irfcp0o
+eWi9W0NhG4HJZOA7RNbfp8fGLCpfp364z1fcXeQFaZFdtiqdl5qKQ0/rt52ji+fs
+M71jFvhPU3jyb921cFWO6CQN9O9+MUu02AWCYIm2VPkcqrhOQ5JoCyPsnv3ClE1v
+X0TYTMIwnqNZ9UZsgsnIzAg2VxZDDw==
+=kMzM
+-----END PGP SIGNATURE-----

openssl-1_1.changes

@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Mon Oct 12 15:22:54 UTC 2020 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Escape rpm command %%expand when used in comment.
+
+-------------------------------------------------------------------
+Tue Sep 22 20:43:59 UTC 2020 - Vítězslav Čížek <vcizek@suse.com>
+
+- Update to 1.1.1h
+  * Disallow explicit curve parameters in verifications chains when X509_V_FLAG_X509_STRICT is used
+  * Enable 'MinProtocol' and 'MaxProtocol' to configure both TLS and DTLS contexts
+- refresh openssl-fips_selftest_upstream_drbg.patch
+  * DRBG internals got renamed back:
+    reseed_gen_counter  -> generate_counter
+    reseed_prop_counter -> reseed_counter
+
 -------------------------------------------------------------------
 Fri May 15 09:51:22 UTC 2020 - Vítězslav Čížek <vcizek@suse.com>
 

openssl-1_1.spec

@@ -21,7 +21,7 @@
 %define _rname  openssl
 Name:           openssl-1_1
 # Don't forget to update the version in the "openssl" package!
-Version:        1.1.1g
+Version:        1.1.1h
 Release:        0
 Summary:        Secure Sockets and Transport Layer Security
 License:        OpenSSL
@@ -263,7 +263,7 @@ cp %{SOURCE5} .
 # invalidates a HMAC that may have been created earlier.
 # solution: create the hashes _after_ the macro runs.
 #
-# this shows up earlier because otherwise the %expand of
+# this shows up earlier because otherwise the %%expand of
 # the macro is too late.
 # remark: This is the same as running
 #   openssl dgst -sha256 -hmac 'ppaksykemnsecgtsttplmamstKMEs'

openssl-fips_selftest_upstream_drbg.patch

@@ -419,15 +419,15 @@ Index: openssl-1.1.1g/crypto/fips/drbgtest.c
 +    /* Instantiate again with valid data */
 +    if (!instantiate(drbg, td, &t))
 +        goto err;
-+    reseed_counter_tmp = drbg->reseed_gen_counter;
-+    drbg->reseed_gen_counter = drbg->reseed_interval;
++    reseed_counter_tmp = drbg->generate_counter;
++    drbg->generate_counter = drbg->reseed_interval;
 +
 +    /* Generate output and check entropy has been requested for reseed */
 +    t.entropycnt = 0;
 +    if (!RAND_DRBG_generate(drbg, buff, td->exlen, 0,
 +                                      td->adin, td->adinlen)
 +            || t.entropycnt != 1
-+            || drbg->reseed_gen_counter != reseed_counter_tmp + 1
++            || drbg->generate_counter != reseed_counter_tmp + 1
 +            || !uninstantiate(drbg))
 +        goto err;
 +
@@ -444,15 +444,15 @@ Index: openssl-1.1.1g/crypto/fips/drbgtest.c
 +    /* Test reseed counter works */
 +    if (!instantiate(drbg, td, &t))
 +        goto err;
-+    reseed_counter_tmp = drbg->reseed_gen_counter;
-+    drbg->reseed_gen_counter = drbg->reseed_interval;
++    reseed_counter_tmp = drbg->generate_counter;
++    drbg->generate_counter = drbg->reseed_interval;
 +
 +    /* Generate output and check entropy has been requested for reseed */
 +    t.entropycnt = 0;
 +    if (!RAND_DRBG_generate(drbg, buff, td->exlen, 0,
 +                                      td->adin, td->adinlen)
 +            || t.entropycnt != 1
-+            || drbg->reseed_gen_counter != reseed_counter_tmp + 1
++            || drbg->generate_counter != reseed_counter_tmp + 1
 +            || !uninstantiate(drbg))
 +        goto err;
 +
@@ -642,14 +642,14 @@ Index: openssl-1.1.1g/crypto/fips/drbgtest.c
 +     */
 +
 +    /* Test whether seed propagation is enabled */
-+    if (master->reseed_prop_counter == 0
-+        || public->reseed_prop_counter == 0
-+        || private->reseed_prop_counter == 0)
++    if (master->reseed_counter == 0
++        || public->reseed_counter == 0
++        || private->reseed_counter == 0)
 +        return 0;
 +
 +    /* Check whether the master DRBG's reseed counter is the largest one */
-+    if (public->reseed_prop_counter > master->reseed_prop_counter
-+        || private->reseed_prop_counter > master->reseed_prop_counter)
++    if (public->reseed_counter > master->reseed_counter
++        || private->reseed_counter > master->reseed_counter)
 +        return 0;
 +
 +    /*
@@ -697,8 +697,8 @@ Index: openssl-1.1.1g/crypto/fips/drbgtest.c
 +
 +    if (expect_success == 1) {
 +        /* Test whether all three reseed counters are synchronized */
-+        if (public->reseed_prop_counter != master->reseed_prop_counter
-+            || private->reseed_prop_counter != master->reseed_prop_counter)
++        if (public->reseed_counter != master->reseed_counter
++            || private->reseed_counter != master->reseed_counter)
 +            return 0;
 +
 +        /* Test whether reseed time of master DRBG is set correctly */
@@ -816,7 +816,7 @@ Index: openssl-1.1.1g/crypto/fips/drbgtest.c
 +     * Test whether the public and private DRBG are both reseeded when their
 +     * reseed counters differ from the master's reseed counter.
 +     */
-+    master->reseed_prop_counter++;
++    master->reseed_counter++;
 +    if (!test_drbg_reseed(1, master, public, private, 0, 1, 1, 0))
 +        goto error;
 +    reset_drbg_hook_ctx();
@@ -825,8 +825,8 @@ Index: openssl-1.1.1g/crypto/fips/drbgtest.c
 +     * Test whether the public DRBG is reseeded when its reseed counter differs
 +     * from the master's reseed counter.
 +     */
-+    master->reseed_prop_counter++;
-+    private->reseed_prop_counter++;
++    master->reseed_counter++;
++    private->reseed_counter++;
 +    if (!test_drbg_reseed(1, master, public, private, 0, 1, 0, 0))
 +        goto error;
 +    reset_drbg_hook_ctx();
@@ -835,8 +835,8 @@ Index: openssl-1.1.1g/crypto/fips/drbgtest.c
 +     * Test whether the private DRBG is reseeded when its reseed counter differs
 +     * from the master's reseed counter.
 +     */
-+    master->reseed_prop_counter++;
-+    public->reseed_prop_counter++;
++    master->reseed_counter++;
++    public->reseed_counter++;
 +    if (!test_drbg_reseed(1, master, public, private, 0, 0, 1, 0))
 +        goto error;
 +    reset_drbg_hook_ctx();
@@ -869,7 +869,7 @@ Index: openssl-1.1.1g/crypto/fips/drbgtest.c
 +     * Test whether none of the DRBGs is reseed if the master fails to reseed
 +     */
 +    master_ctx.fail = 1;
-+    master->reseed_prop_counter++;
++    master->reseed_counter++;
 +    RAND_add(rand_add_buf, sizeof(rand_add_buf), sizeof(rand_add_buf));
 +    if (!test_drbg_reseed(0, master, public, private, 0, 0, 0, 0))
 +        goto error;