From 2830ba6131ce81e44a6c45e4ecb8cfe61c6bf4e2ede00bf2d1a3a5047ad92502 Mon Sep 17 00:00:00 2001
From: Jason Sikes
Date: Mon, 17 May 2021 22:28:37 +0000
Subject: [PATCH] Accepting request 893363 from security:tls:unstable
OBS-URL: https://build.opensuse.org/request/show/893363
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=24
---
 openssl-3.0.0-alpha12.tar.gz | 3 --
 openssl-3.0.0-alpha12.tar.gz.asc | 11 -----
 openssl-3.0.0-alpha16.tar.gz | 3 ++
 openssl-3.0.0-alpha16.tar.gz.asc | 11 +++++
 openssl-3.changes | 85 ++++++++++++++++++++++++++++++++
 openssl-3.spec | 9 ++--
 6 files changed, 104 insertions(+), 18 deletions(-)
 delete mode 100644 openssl-3.0.0-alpha12.tar.gz
 delete mode 100644 openssl-3.0.0-alpha12.tar.gz.asc
 create mode 100644 openssl-3.0.0-alpha16.tar.gz
 create mode 100644 openssl-3.0.0-alpha16.tar.gz.asc
diff --git a/openssl-3.0.0-alpha12.tar.gz b/openssl-3.0.0-alpha12.tar.gz
deleted file mode 100644
index 1226da4..0000000
--- a/openssl-3.0.0-alpha12.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8d78239be66af578b969441252e7c125aa134ef3b9bac6179d84275cfe01950c
-size 14142492
diff --git a/openssl-3.0.0-alpha12.tar.gz.asc b/openssl-3.0.0-alpha12.tar.gz.asc
deleted file mode 100644
index 77192db..0000000
--- a/openssl-3.0.0-alpha12.tar.gz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmAugwsACgkQ2cTSbQ5g
-RJE4Wgf6A+BC1k0BFDx27kWfKX0gT2BrD4CjFqRFVXaYVp5GzV2+Z4t4i1YxO94P
-VsZffgiepSkh9I4a1pnzrv8AQtljkNLInmfWjONL7wBmo7eIu5uevXojUR78xSTA
-gF9TNs3w40krdUlhut7KUQ6BYaqLL1QEBMWRgnMlgtDGB0MIy6u6CMj+Fhhzy7Fx
-PXhb4D74ZSVKNwalWIu3C0NtsNmfNs//o//gYq2k1bkoJlw+pjEHs6SQR0AD9Q+i
-Cu4UIyhke/sURHonykkBRbyemJFzjWt6QUpNfb8f5AJAUFxm6S1FwT+e3iyolOGv
-kjmGBO7H48PAsVnCgg03O9kk1KJurA==
-=Kxt4
------END PGP SIGNATURE-----
diff --git a/openssl-3.0.0-alpha16.tar.gz b/openssl-3.0.0-alpha16.tar.gz
new file mode 100644
index 0000000..b7a3da7
--- /dev/null
+++ b/openssl-3.0.0-alpha16.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:08ce8244b59d75f40f91170dfcb012bf25309cdcb1fef9502e39d694f883d1d1
+size 14491795
diff --git a/openssl-3.0.0-alpha16.tar.gz.asc b/openssl-3.0.0-alpha16.tar.gz.asc
new file mode 100644
index 0000000..1d6a65d
--- /dev/null
+++ b/openssl-3.0.0-alpha16.tar.gz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEyBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmCT3csACgkQ2cTSbQ5g
+RJHKXQf4pr540Byd8XODtO0TE/CL1LSRKMGfkA7b0gtjApNQinuF75RjMAwFrGCe
+kR+ghu+JiSgH7oavVSwzappJcjKhfG0bu6HHUPnss07h3pB22SPuF9dc6DUP62t0
+l1ML0gyBpG/zUI83L8a7Zi7LmVXjgKf18Ie0KPa7NjCdpqmGKICCLxt/fyFGBiaK
+Z9yXYswFHwK8B+pjTn/Fc9LUL5Pwqmhu8plt9XAklT0ANmogoAoazuotAup5nUbf
+uzYvFy3VRanPi0/3xToefG/EjuFCsWnldmpEiCuGBNpsu33N3v2+vzeNK6NEYKKc
+VMmnPyM2kMd4ZeJ5xapUKELS5jzX
+=8r5H
+-----END PGP SIGNATURE-----
diff --git a/openssl-3.changes b/openssl-3.changes
index fdb376e..5413f0f 100644
--- a/openssl-3.changes
+++ b/openssl-3.changes
@@ -1,3 +1,88 @@
+-------------------------------------------------------------------
+Mon May 10 02:13:06 UTC 2021 - Jason Sikes
+
+- Update to 3.0.0. Alpha 16
+ * Mark pop/clear error stack in der2key_decode_p8
+
+-------------------------------------------------------------------
+Sat May 1 19:58:48 UTC 2021 - Jason Sikes
+
+- Update to 3.0.0 Alpha 15
+ * The default manual page suffix ($MANSUFFIX) has been changed to "ossl"
+ * Added support for Kernel TLS (KTLS). In order to use KTLS, support for it
+ must be compiled in using the "enable-ktls" compile time option. It must
+ also be enabled at run time using the SSL_OP_ENABLE_KTLS option.
+ * The error return values from some control calls (ctrl) have changed.
+ One significant change is that controls which used to return -2 for
+ invalid inputs, now return -1 indicating a generic error condition instead.
+ * Removed EVP_PKEY_set_alias_type().
+ * All of these low level RSA functions have been deprecated without
+ replacement:
+ RSA_blinding_off, RSA_blinding_on, RSA_clear_flags, RSA_get_version,
+ RSAPrivateKey_dup, RSAPublicKey_dup, RSA_set_flags, RSA_setup_blinding and
+ RSA_test_flags.
+ * All of these RSA flags have been deprecated without replacement:
+ RSA_FLAG_BLINDING, RSA_FLAG_CACHE_PRIVATE, RSA_FLAG_CACHE_PUBLIC,
+ RSA_FLAG_EXT_PKEY, RSA_FLAG_NO_BLINDING, RSA_FLAG_THREAD_SAFE and
+ RSA_METHOD_FLAG_NO_CHECK.
+ * These low level DH functions have been deprecated without replacement:
+ DH_clear_flags, DH_get_1024_160, DH_get_2048_224, DH_get_2048_256,
+ DH_set_flags and DH_test_flags.
+ The DH_FLAG_CACHE_MONT_P flag has been deprecated without replacement.
+ The DH_FLAG_TYPE_DH and DH_FLAG_TYPE_DHX have been deprecated. Use
+ EVP_PKEY_is_a() to determine the type of a key. There is no replacement for
+ setting these flags.
+ * These low level DSA functions have been deprecated without replacement:
+ DSA_clear_flags, DSA_dup_DH, DSAparams_dup, DSA_set_flags and
+ DSA_test_flags.
+ * The DSA_FLAG_CACHE_MONT_P flag has been deprecated without replacement.
+ * Reworked the treatment of EC EVP_PKEYs with the SM2 curve to
+ automatically become EVP_PKEY_SM2 rather than EVP_PKEY_EC. This is a breaking
+ change from previous OpenSSL versions.
+ Unlike in previous OpenSSL versions, this means that applications must not
+ call `EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)` to get SM2 computations.
+ The `EVP_PKEY_set_alias_type` function has now been removed.
+ * Parameter and key generation is also reworked to make it possible
+ to generate EVP_PKEY_SM2 parameters and keys. Applications must now generate
+ SM2 keys directly and must not create an EVP_PKEY_EC key first.
+
+-------------------------------------------------------------------
+Wed Apr 14 17:55:21 UTC 2021 - Pedro Monreal
+
+- Update to 3.0.0 Alpha 13
+ * A public key check is now performed during EVP_PKEY_derive_set_peer().
+ Previously DH was internally doing this during EVP_PKEY_derive().
+ To disable this check use EVP_PKEY_derive_set_peer_ex(dh, peer, 0). This
+ may mean that an error can occur in EVP_PKEY_derive_set_peer() rather than
+ during EVP_PKEY_derive().
+ * The EVP_PKEY_CTRL_PKCS7_ENCRYPT, EVP_PKEY_CTRL_PKCS7_DECRYPT,
+ EVP_PKEY_CTRL_PKCS7_SIGN, EVP_PKEY_CTRL_CMS_ENCRYPT,
+ EVP_PKEY_CTRL_CMS_DECRYPT, and EVP_PKEY_CTRL_CMS_SIGN control operations
+ are deprecated. They are not invoked by the OpenSSL library anymore and
+ are replaced by direct checks of the key operation against the key type
+ when the operation is initialized.
+ * The EVP_PKEY_public_check() and EVP_PKEY_param_check() functions now work for
+ more key types including RSA, DSA, ED25519, X25519, ED448 and X448.
+ Previously (in 1.1.1) they would return -2. For key types that do not have
+ parameters then EVP_PKEY_param_check() will always return 1.
+ * The output from numerous "printing" functions such as X509_signature_print(),
+ X509_print_ex(), X509_CRL_print_ex(), and other similar functions has been
+ amended such that there may be cosmetic differences between the output
+ observed in 1.1.1 and 3.0. This also applies to the "-text" output from the
+ x509 and crl applications.
+ * Improved adherence to Enhanced Security Services (ESS, RFC 2634 and RFC 5035)
+ for the TSP and CMS Advanced Electronic Signatures (CAdES) implementations.
+ As required by RFC 5035 check both ESSCertID and ESSCertIDv2 if both present.
+ Correct the semantics of checking the validation chain in case ESSCertID{,v2}
+ contains more than one certificate identifier: This means that all
+ certificates referenced there MUST be part of the validation chain.
+ * Parallel dual-prime 1024-bit modular exponentiation for AVX512_IFMA
+ capable processors.
+ * Added the AuthEnvelopedData content type structure (RFC 5083) with AES-GCM
+ parameter (RFC 5084) for the Cryptographic Message Syntax (CMS). Its purpose
+ is to support encryption and decryption of a digital envelope that is both
+ authenticated and encrypted using AES GCM mode.
+
 -------------------------------------------------------------------
 Fri Feb 19 08:58:35 UTC 2021 - Pedro Monreal
diff --git a/openssl-3.spec b/openssl-3.spec
index bbf8575..32c83c0 100644
--- a/openssl-3.spec
+++ b/openssl-3.spec
@@ -20,7 +20,7 @@
 %define sover 3
 %define _rname openssl
 %define vernum 3.0.0
-%define relnum alpha12
+%define relnum alpha16
 %define dash_version %{vernum}-%{relnum}
 Name: openssl-3
 # Don't forget to update the version in the "openssl" package!
@@ -42,7 +42,7 @@ Source5: showciphers.c
 Patch1: openssl-1.1.0-no-html.patch
 Patch2: openssl-truststore.patch
 Patch3: openssl-pkgconfig.patch
-Patch4: openssl-DEFAULT_SUSE_cipher.patch
+#Patch4: openssl-DEFAULT_SUSE_cipher.patch
 Patch5: openssl-ppc64-config.patch
 Patch6: openssl-no-date.patch
 BuildRequires: pkgconfig
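Review bot: `#Patch4: openssl-DEFAULT_SUSE_cipher.patch` disables a patch without saying why, and none of the openssl-3.changes entries added in this commit mention it; going by its name the patch carries the distribution's DEFAULT cipher-list policy, so the built library would presumably fall back to upstream's defaults. The same gap applies to the later hunks that drop `no-ec2m` from the configure options (which builds binary-field EC curve support) and comment out `%{_libdir}/ossl-modules/fips.so` in the file list. I would add a changelog line for each of the three and a comment above the disabled line, for example `# Patch4 disabled for alpha16: <reason>; re-enable once rebased`. Whether a matching patch-application line in %prep was also changed is not visible in this hunk.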
@@ -119,7 +119,6 @@ export MACHINE=armv6l
 enable-ec_nistp_64_gcc_128 \
 %endif
 enable-camellia \
- no-ec2m \
 --prefix=%{_prefix} \
 --libdir=%{_lib} \
 --openssldir=%{ssletcdir} \
@@ -168,6 +167,8 @@ find . -type f -exec chmod 644 {} +
 # scripts go havoc, among them /usr/sbin/Check.
 # Replace spaces by underscores
 # for i in man?/*\ *; do mv -v "$i" "${i// /_}"; done
+
+touch $OLDPWD/filelist.doc $OLDPWD/filelist
 which readlink &>/dev/null || function readlink { ( set +x; target=$(file $1 2>/dev/null); target=${target//* }; test -f $target && echo $target; ) }
 for i in man?/*; do
 if test -L $i ; then
@@ -203,7 +204,7 @@ cp %{SOURCE5} .
 %{_libdir}/libcrypto.so.%{sover}
 %{_libdir}/engines-%{sover}
 %dir %{_libdir}/ossl-modules
-%{_libdir}/ossl-modules/fips.so
+#%{_libdir}/ossl-modules/fips.so
 %{_libdir}/ossl-modules/legacy.so
 %files -n libopenssl-3-devel
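Review bot: The added `touch $OLDPWD/filelist.doc $OLDPWD/filelist` expands `$OLDPWD` unquoted and unchecked, so an empty value makes it target `/filelist.doc` and `/filelist`, and a build path containing whitespace splits into extra arguments. `touch "${OLDPWD:?}/filelist.doc" "${OLDPWD:?}/filelist"` aborts the build instead of writing somewhere unexpected. A one-line comment saying why both lists must exist up front would also help, presumably so that a later `%files -f` does not fail when the loop below writes nothing; that loop and the rest of the section continue outside the hunk.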
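Review bot: The commented-out `#%{_libdir}/ossl-modules/fips.so` still contains a macro, and rpm expands macros even inside `#` comments; write it as `#%%{_libdir}/ossl-modules/fips.so` or delete the line. A short comment saying whether the FIPS provider module is no longer built by this configuration or is built and deliberately left unpackaged would tell users who depend on it what to expect. The configure options that decide this are only partly visible in the diff.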