Accepting request 893363 from security:tls:unstable

OBS-URL: https://build.opensuse.org/request/show/893363 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=24
2021-05-17 22:28:37 +00:00 · 2021-05-17 22:28:37 +00:00 · 2830ba6131
commit 2830ba6131
parent fc84692df0
6 changed files with 104 additions and 18 deletions
--- a/openssl-3.0.0-alpha12.tar.gz
+++ b/openssl-3.0.0-alpha12.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8d78239be66af578b969441252e7c125aa134ef3b9bac6179d84275cfe01950c
-size 14142492
--- a/openssl-3.0.0-alpha12.tar.gz.asc
+++ b/openssl-3.0.0-alpha12.tar.gz.asc
@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmAugwsACgkQ2cTSbQ5g
-RJE4Wgf6A+BC1k0BFDx27kWfKX0gT2BrD4CjFqRFVXaYVp5GzV2+Z4t4i1YxO94P
-VsZffgiepSkh9I4a1pnzrv8AQtljkNLInmfWjONL7wBmo7eIu5uevXojUR78xSTA
-gF9TNs3w40krdUlhut7KUQ6BYaqLL1QEBMWRgnMlgtDGB0MIy6u6CMj+Fhhzy7Fx
-PXhb4D74ZSVKNwalWIu3C0NtsNmfNs//o//gYq2k1bkoJlw+pjEHs6SQR0AD9Q+i
-Cu4UIyhke/sURHonykkBRbyemJFzjWt6QUpNfb8f5AJAUFxm6S1FwT+e3iyolOGv
-kjmGBO7H48PAsVnCgg03O9kk1KJurA==
-=Kxt4
-----END PGP SIGNATURE-----
--- a/openssl-3.0.0-alpha16.tar.gz
+++ b/openssl-3.0.0-alpha16.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:08ce8244b59d75f40f91170dfcb012bf25309cdcb1fef9502e39d694f883d1d1
+size 14491795
--- a/openssl-3.0.0-alpha16.tar.gz.asc
+++ b/openssl-3.0.0-alpha16.tar.gz.asc
@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEyBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmCT3csACgkQ2cTSbQ5g
+RJHKXQf4pr540Byd8XODtO0TE/CL1LSRKMGfkA7b0gtjApNQinuF75RjMAwFrGCe
+kR+ghu+JiSgH7oavVSwzappJcjKhfG0bu6HHUPnss07h3pB22SPuF9dc6DUP62t0
+l1ML0gyBpG/zUI83L8a7Zi7LmVXjgKf18Ie0KPa7NjCdpqmGKICCLxt/fyFGBiaK
+Z9yXYswFHwK8B+pjTn/Fc9LUL5Pwqmhu8plt9XAklT0ANmogoAoazuotAup5nUbf
+uzYvFy3VRanPi0/3xToefG/EjuFCsWnldmpEiCuGBNpsu33N3v2+vzeNK6NEYKKc
+VMmnPyM2kMd4ZeJ5xapUKELS5jzX
+=8r5H
+-----END PGP SIGNATURE-----
--- a/openssl-3.changes
+++ b/openssl-3.changes
@ -1,3 +1,88 @@
+-------------------------------------------------------------------
+Mon May 10 02:13:06 UTC 2021 - Jason Sikes <jsikes@suse.com>
+
+- Update to 3.0.0. Alpha 16
+  * Mark pop/clear error stack in der2key_decode_p8
+
+-------------------------------------------------------------------
+Sat May  1 19:58:48 UTC 2021 - Jason Sikes <jsikes@suse.com>
+
+- Update to 3.0.0 Alpha 15
+  * The default manual page suffix ($MANSUFFIX) has been changed to "ossl"
+  * Added support for Kernel TLS (KTLS). In order to use KTLS, support for it
+    must be compiled in using the "enable-ktls" compile time option. It must
+    also be enabled at run time using the SSL_OP_ENABLE_KTLS option.
+  * The error return values from some control calls (ctrl) have changed.
+    One significant change is that controls which used to return -2 for
+    invalid inputs, now return -1 indicating a generic error condition instead.
+  * Removed EVP_PKEY_set_alias_type().
+  * All of these low level RSA functions have been deprecated without
+    replacement:
+    RSA_blinding_off, RSA_blinding_on, RSA_clear_flags, RSA_get_version,
+    RSAPrivateKey_dup, RSAPublicKey_dup, RSA_set_flags, RSA_setup_blinding and
+    RSA_test_flags.
+  * All of these RSA flags have been deprecated without replacement:
+    RSA_FLAG_BLINDING, RSA_FLAG_CACHE_PRIVATE, RSA_FLAG_CACHE_PUBLIC,
+    RSA_FLAG_EXT_PKEY, RSA_FLAG_NO_BLINDING, RSA_FLAG_THREAD_SAFE and
+    RSA_METHOD_FLAG_NO_CHECK.
+  * These low level DH functions have been deprecated without replacement:
+    DH_clear_flags, DH_get_1024_160, DH_get_2048_224, DH_get_2048_256,
+    DH_set_flags and DH_test_flags.
+    The DH_FLAG_CACHE_MONT_P flag has been deprecated without replacement.
+    The DH_FLAG_TYPE_DH and DH_FLAG_TYPE_DHX have been deprecated.  Use
+    EVP_PKEY_is_a() to determine the type of a key.  There is no replacement for
+    setting these flags.
+  * These low level DSA functions have been deprecated without replacement:
+    DSA_clear_flags, DSA_dup_DH, DSAparams_dup, DSA_set_flags and
+    DSA_test_flags.
+  * The DSA_FLAG_CACHE_MONT_P flag has been deprecated without replacement.
+  * Reworked the treatment of EC EVP_PKEYs with the SM2 curve to
+    automatically become EVP_PKEY_SM2 rather than EVP_PKEY_EC. This is a breaking
+    change from previous OpenSSL versions.
+    Unlike in previous OpenSSL versions, this means that applications must not
+    call `EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)` to get SM2 computations.
+    The `EVP_PKEY_set_alias_type` function has now been removed.
+  * Parameter and key generation is also reworked to make it possible
+    to generate EVP_PKEY_SM2 parameters and keys. Applications must now generate
+    SM2 keys directly and must not create an EVP_PKEY_EC key first.
+    
+-------------------------------------------------------------------
+Wed Apr 14 17:55:21 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 3.0.0 Alpha 13
+  * A public key check is now performed during EVP_PKEY_derive_set_peer().
+    Previously DH was internally doing this during EVP_PKEY_derive().
+    To disable this check use EVP_PKEY_derive_set_peer_ex(dh, peer, 0). This
+    may mean that an error can occur in EVP_PKEY_derive_set_peer() rather than
+    during EVP_PKEY_derive().
+  * The EVP_PKEY_CTRL_PKCS7_ENCRYPT, EVP_PKEY_CTRL_PKCS7_DECRYPT,
+    EVP_PKEY_CTRL_PKCS7_SIGN, EVP_PKEY_CTRL_CMS_ENCRYPT,
+    EVP_PKEY_CTRL_CMS_DECRYPT, and EVP_PKEY_CTRL_CMS_SIGN control operations
+    are deprecated. They are not invoked by the OpenSSL library anymore and
+    are replaced by direct checks of the key operation against the key type
+    when the operation is initialized.
+  * The EVP_PKEY_public_check() and EVP_PKEY_param_check() functions now work for
+    more key types including RSA, DSA, ED25519, X25519, ED448 and X448.
+    Previously (in 1.1.1) they would return -2. For key types that do not have
+    parameters then EVP_PKEY_param_check() will always return 1.
+  * The output from numerous "printing" functions such as X509_signature_print(),
+    X509_print_ex(), X509_CRL_print_ex(), and other similar functions has been
+    amended such that there may be cosmetic differences between the output
+    observed in 1.1.1 and 3.0. This also applies to the "-text" output from the
+    x509 and crl applications.
+  * Improved adherence to Enhanced Security Services (ESS, RFC 2634 and RFC 5035)
+    for the TSP and CMS Advanced Electronic Signatures (CAdES) implementations.
+    As required by RFC 5035 check both ESSCertID and ESSCertIDv2 if both present.
+    Correct the semantics of checking the validation chain in case ESSCertID{,v2}
+    contains more than one certificate identifier: This means that all
+    certificates referenced there MUST be part of the validation chain.
+  * Parallel dual-prime 1024-bit modular exponentiation for AVX512_IFMA
+    capable processors.
+  * Added the AuthEnvelopedData content type structure (RFC 5083) with AES-GCM
+    parameter (RFC 5084) for the Cryptographic Message Syntax (CMS). Its purpose
+    is to support encryption and decryption of a digital envelope that is both
+    authenticated and encrypted using AES GCM mode.
+
 -------------------------------------------------------------------
 Fri Feb 19 08:58:35 UTC 2021 - Pedro Monreal <pmonreal@suse.com>

--- a/openssl-3.spec
+++ b/openssl-3.spec
@ -20,7 +20,7 @@
 %define sover 3
 %define _rname  openssl
 %define vernum 3.0.0
-%define relnum alpha12
+%define relnum alpha16
 %define dash_version %{vernum}-%{relnum}
 Name:           openssl-3
 # Don't forget to update the version in the "openssl" package!
@ -42,7 +42,7 @@ Source5:        showciphers.c
 Patch1:         openssl-1.1.0-no-html.patch
 Patch2:         openssl-truststore.patch
 Patch3:         openssl-pkgconfig.patch
-Patch4:         openssl-DEFAULT_SUSE_cipher.patch
+#Patch4:         openssl-DEFAULT_SUSE_cipher.patch
 Patch5:         openssl-ppc64-config.patch
 Patch6:         openssl-no-date.patch
 BuildRequires:  pkgconfig
@ -119,7 +119,6 @@ export MACHINE=armv6l
    enable-ec_nistp_64_gcc_128 \
 %endif
    enable-camellia \
-    no-ec2m \
    --prefix=%{_prefix} \
    --libdir=%{_lib} \
    --openssldir=%{ssletcdir} \
@ -168,6 +167,8 @@ find . -type f -exec chmod 644 {} +
 # scripts go havoc, among them /usr/sbin/Check.
 # Replace spaces by underscores
 # for i in man?/*\ *; do mv -v "$i" "${i// /_}"; done
+
+touch $OLDPWD/filelist.doc $OLDPWD/filelist
 which readlink &>/dev/null || function readlink { ( set +x; target=$(file $1 2>/dev/null); target=${target//* }; test -f $target && echo $target; ) }
 for i in man?/*; do
  if test -L $i ; then
@ -203,7 +204,7 @@ cp %{SOURCE5} .
 %{_libdir}/libcrypto.so.%{sover}
 %{_libdir}/engines-%{sover}
 %dir %{_libdir}/ossl-modules
-%{_libdir}/ossl-modules/fips.so
+#%{_libdir}/ossl-modules/fips.so
 %{_libdir}/ossl-modules/legacy.so

 %files -n libopenssl-3-devel