Accepting request 821489 from home:pmonrealgonzalez:branches:security:tls

- Update to 3.0.0 Alpha 5 * Deprecated the 'ENGINE' API. Engines should be replaced with providers going forward. * Reworked the recorded ERR codes to make better space for system errors. To distinguish them, the macro 'ERR_SYSTEM_ERROR()' indicates if the given code is a system error (true) or an OpenSSL error (false). * Reworked the test perl framework to better allow parallel testing. * Added ciphertext stealing algorithms AES-128-CBC-CTS, AES-192-CBC-CTS and AES-256-CBC-CTS to the providers. CS1, CS2 and CS3 variants are supported. * 'Configure' has been changed to figure out the configuration target if none is given on the command line. Consequently, the 'config' script is now only a mere wrapper. All documentation is changed to only mention 'Configure'. * Added a library context that applications as well as other libraries can use to form a separate context within which libcrypto operations are performed. - There are two ways this can be used: 1) Directly, by passing a library context to functions that take such an argument, such as 'EVP_CIPHER_fetch' and similar algorithm fetching functions. 2) Indirectly, by creating a new library context and then assigning it as the new default, with 'OPENSSL_CTX_set0_default'. - All public OpenSSL functions that take an 'OPENSSL_CTX' pointer, apart from the functions directly related to 'OPENSSL_CTX', accept NULL to indicate that the default library context should be used. - Library code that changes the default library context using 'OPENSSL_CTX_set0_default' should take care to restore it with a second call before returning to the caller. * The security strength of SHA1 and MD5 based signatures in TLS has been reduced. This results in SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 no longer working at the default security level of 1 and instead requires security OBS-URL: https://build.opensuse.org/request/show/821489 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=13
2020-07-17 11:26:23 +00:00 · 2020-07-17 11:26:23 +00:00 · 0a9d203a57
commit 0a9d203a57
parent 18e44c466b
7 changed files with 94 additions and 33 deletions
--- a/openssl-3.0.0-alpha4.tar.gz
+++ b/openssl-3.0.0-alpha4.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d930b650e0899f5baca8b80c50e7401620c129fef6c50198400999776a39bd37
-size 13884897
--- a/openssl-3.0.0-alpha4.tar.gz.asc
+++ b/openssl-3.0.0-alpha4.tar.gz.asc
@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl70rYcACgkQ2cTSbQ5g
-RJFsRwgAlrEhcEjqVsAVXNB9q7vGKkGzugDwKydXJuYel95dQFR9doiRDPG1iHXa
-MVXIcZoSsOdm+DBm9qRzTbYQgVKbtFJYQVO/Q+AzSi9HihS9Nq9vdXt2xkpQhb5N
-KewzA8LSZOZWJBaqP1JAyAECl8bfgln4x05vrDNpzJfDOkO8z+tgI1BZNaGZk81s
-C5l3MP35gOj7XAdwCQBzRY/0S6OppUL+qtdyORQPf2PcjXoXZ90ncHISb7nMR5Io
-uw2K/AiDSPcoIAuku1JO5HSgr8Py5FfrJMWrfJnsrHRX48wTV2EwDutjWYSd892C
-ft7Yy8C7VFnY6NLB4ts/zmgApScMBA==
-=k+We
-----END PGP SIGNATURE-----
--- a/openssl-3.0.0-alpha5.tar.gz
+++ b/openssl-3.0.0-alpha5.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:09ad89af04cbf36dbbce1fc7063e18fcc333fcaaf3eccecf22c4a99bac83e139
+size 13919931
--- a/openssl-3.0.0-alpha5.tar.gz.asc
+++ b/openssl-3.0.0-alpha5.tar.gz.asc
@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJIBAABCgAyFiEEeVOsH7w9yLOykjk+1enkP3357owFAl8QVLgUHGxldml0dGVA
+b3BlbnNzbC5vcmcACgkQ1enkP3357oxYpA//REAEr+T8YIxYRWxLUAayzxuWMA1a
+vYWUg6Z2CJWVG1w/JNmrbWNgoeJNdnYe80uFeMLBvJhe7nbq2mOrUQ/IrlzVyT5F
+Tg5upCRTeiCnX36sOG+Bkw6RMIccqQH1Rjrmib6TAfvlmqOoALDM9COSqIEDpG9L
+h0B++LjDfeFwsbXR5dvU5ZJCv+RvO7vg+uTOryphEi8XeyNmelQJSpH7XNVnw81i
+/dac5rup/wkTHA8yUJQ4OpSy2tC8Ht+WdluNEsT6+ewxiuVM3PQ7NAWSYtNiWzG
+eEZPM27yrY+xSBkIPvtzWDZ0e7EUU/SH2dsSYBsuk7lO2fSqBS9er3oe67tw/Gax
+W67ei+aMbEGoSkN1JCtsCjzcMp/QZ+5932pWy/d76I4smCxdmaJd5O/B0y4O1FQv
+6jrquxowzPtirKEm5qEW9xC85fsrCj6kFp3YhhlRh9I4UtZ9DX7cM+FwVE71khE8
+hyZqjGT4aE9auxMI7+rk/xirEmNbIQhEwDVQhuSgSHLDC4P1ITPS8MPMasFLfdI
+crhpjA+N1Q2sSzB2/mlGvgTtvin+Plj7rDJawd69drm59y59Z19nfMYkRPxzXDS/
+kSYAOF42KrUMZf9+MP8hWiaeC1nM8iqz619NNF/WbBh583ujaFNbThgbJoPgTQLD
+fA3L8F13TU3zuXE=
+=L52Y
+-----END PGP SIGNATURE-----
--- a/openssl-3.changes
+++ b/openssl-3.changes
@ -1,3 +1,44 @@
+-------------------------------------------------------------------
+Fri Jul 17 08:34:45 UTC 2020 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
+
+- Update to 3.0.0 Alpha 5
+  * Deprecated the 'ENGINE' API. Engines should be replaced with
+    providers going forward.
+  * Reworked the recorded ERR codes to make better space for system errors.
+    To distinguish them, the macro 'ERR_SYSTEM_ERROR()' indicates
+    if the given code is a system error (true) or an OpenSSL error (false).
+  * Reworked the test perl framework to better allow parallel testing.
+  * Added ciphertext stealing algorithms AES-128-CBC-CTS, AES-192-CBC-CTS and
+    AES-256-CBC-CTS to the providers. CS1, CS2 and CS3 variants are supported.
+  * 'Configure' has been changed to figure out the configuration target if
+    none is given on the command line. Consequently, the 'config' script is
+    now only a mere wrapper. All documentation is changed to only mention
+    'Configure'.
+  * Added a library context that applications as well as other libraries can use
+    to form a separate context within which libcrypto operations are performed.
+    - There are two ways this can be used:
+      1) Directly, by passing a library context to functions that take
+         such an argument, such as 'EVP_CIPHER_fetch' and similar algorithm
+         fetching functions.
+      2) Indirectly, by creating a new library context and then assigning
+         it as the new default, with 'OPENSSL_CTX_set0_default'.
+    - All public OpenSSL functions that take an 'OPENSSL_CTX' pointer,
+      apart from the functions directly related to 'OPENSSL_CTX', accept
+      NULL to indicate that the default library context should be used.
+    - Library code that changes the default library context using
+      'OPENSSL_CTX_set0_default' should take care to restore it with a
+      second call before returning to the caller.
+  * The security strength of SHA1 and MD5 based signatures in TLS has been
+    reduced. This results in SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 no longer
+    working at the default security level of 1 and instead requires security
+    level 0. The security level can be changed either using the cipher string
+    with @SECLEVEL, or calling SSL_CTX_set_security_level().
+  * The SSL option SSL_OP_CLEANSE_PLAINTEXT is introduced. If that option is
+    set, openssl cleanses (zeroize) plaintext bytes from internal buffers
+    after delivering them to the application. Note, the application is still
+    responsible for cleansing other copies (e.g.: data received by SSL_read(3)).
+- Update openssl-ppc64-config.patch
+
 -------------------------------------------------------------------
 Fri Jun 26 07:20:40 UTC 2020 - Vítězslav Čížek <vcizek@suse.com>

--- a/openssl-3.spec
+++ b/openssl-3.spec
@ -20,7 +20,7 @@
 %define sover 3
 %define _rname  openssl
 %define vernum 3.0.0
-%define relnum alpha4
+%define relnum alpha5
 %define dash_version %{vernum}-%{relnum}
 Name:           openssl-3
 # Don't forget to update the version in the "openssl" package!
@ -199,7 +199,7 @@ cp %{SOURCE5} .
 %postun -n libopenssl3 -p /sbin/ldconfig

 %files -n libopenssl3
-%license LICENSE
+%license LICENSE.txt
 %{_libdir}/libssl.so.%{sover}
 %{_libdir}/libcrypto.so.%{sover}
 %{_libdir}/engines-%{sover}
--- a/openssl-ppc64-config.patch
+++ b/openssl-ppc64-config.patch
@ -1,18 +1,32 @@
-Index: openssl-1.1.1-pre3/config
+Index: openssl-3.0.0-alpha5/util/perl/OpenSSL/config.pm
 ===================================================================
--- openssl-1.1.1-pre3.orig/config	2018-03-20 15:24:38.037441210 +0100
-+++ openssl-1.1.1-pre3/config	2018-03-20 15:26:20.163043492 +0100
-@@ -552,12 +552,7 @@ case "$GUESSOS" in
- 	    OUT="linux-ppc64"
- 	else
- 	    OUT="linux-ppc"
-	    if (echo "__LP64__" | gcc -E -x c - 2>/dev/null | grep "^__LP64__" 2>&1 > /dev/null); then
-		:;
-	    else
-		__CNF_CFLAGS="$__CNF_CFLAGS -m32"
-		__CNF_CXXFLAGS="$__CNF_CXXFLAGS -m32"
-	    fi
-+	    (echo "__LP64__" | gcc -E -x c - 2>/dev/null | grep "^__LP64__" 2>&1 > /dev/null) || OUT="linux-ppc64"
- 	fi
- 	;;
-   ppc64le-*-linux2) OUT="linux-ppc64le" ;;
+--- openssl-3.0.0-alpha5.orig/util/perl/OpenSSL/config.pm
+++ openssl-3.0.0-alpha5/util/perl/OpenSSL/config.pm
+@@ -525,14 +525,19 @@ EOF
+             return { target => "linux-ppc64" } if $KERNEL_BITS eq '64';
+ 
+             my %config = ();
+-            if (!okrun('echo __LP64__',
+-                       'gcc -E -x c - 2>/dev/null',
+-                       'grep "^__LP64__" 2>&1 >/dev/null') ) {
+-                %config = ( cflags => [ '-m32' ],
+-                            cxxflags =>  [ '-m32' ] );
+-            }
+-            return { target => "linux-ppc",
+-                     %config };
+	    # ##
+            # if (!okrun('echo __LP64__', 'gcc -E -x c - 2>/dev/null', 'grep "^__LP64__" 2>&1 >/dev/null') ) { %config = ( cflags => [ '-m32' ], cxxflags =>  [ '-m32' ] ); }
+            # return { target => "linux-ppc",
+            #          %config };
+	    # ##
+            if (okrun('echo __LP64__', 'gcc -E -x c - 2>/dev/null',
+                      'grep "^__LP64__" 2>&1 >/dev/null') )
+                {
+                    return { target => "linux-ppc", %config };
+                } else {
+                    return { target => "linux-ppc64", %config };
+                }
+            ##
+         }
+       ],
+       [ 'ppc64le-.*-linux2',      { target => "linux-ppc64le" } ],