Accepting request 841985 from home:pmonrealgonzalez:branches:security:tls

- Update to 3.0.0 Alpha 7
  * Add PKCS7_get_octet_string() and PKCS7_type_is_other() to the public
    interface. Their functionality remains unchanged.
  * Deprecated EVP_PKEY_set_alias_type(). This function was previously
    needed as a workaround to recognise SM2 keys. With OpenSSL 3.0, this key
    type is internally recognised so the workaround is no longer needed.
  * Deprecated EVP_PKEY_CTX_set_rsa_keygen_pubexp() & introduced
    EVP_PKEY_CTX_set1_rsa_keygen_pubexp(), which is now preferred.
  * Changed all "STACK" functions to be macros instead of inline functions.
    Macro parameters are still checked for type safety at compile time via
    helper inline functions.
  * Remove the RAND_DRBG API:
    The RAND_DRBG API did not fit well into the new provider concept as
    implemented by EVP_RAND and EVP_RAND_CTX. The main reason is that the
    RAND_DRBG API is a mixture of 'front end' and 'back end' API calls
    and some of its API calls are rather low-level. This holds in particular
    for the callback mechanism (RAND_DRBG_set_callbacks()).
    Adding a compatibility layer to continue supporting the RAND_DRBG API as
    a legacy API for a regular deprecation period turned out to come at the
    price of complicating the new provider API unnecessarily. Since the
    RAND_DRBG API exists only since version 1.1.1, it was decided by the OMC
    to drop it entirely.
  * Added the options '-crl_lastupdate' and '-crl_nextupdate' to 'openssl ca',
    allowing the 'lastUpdate' and 'nextUpdate' fields in the generated CRL to
    be set explicitly.
  * 'PKCS12_parse' now maintains the order of the parsed certificates
    when outputting them via '*ca' (rather than reversing it).
- Update openssl-DEFAULT_SUSE_cipher.patch

  contained in upstream.

OBS-URL: https://build.opensuse.org/request/show/841985
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=17

openssl-3.0.0-alpha6.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1e8143b152f33f76530da2eaedc5d841121ff9e7247a857390cceac6503f482b
-size 13963353

openssl-3.0.0-alpha6.tar.gz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl8r/u0ACgkQ2cTSbQ5g
-RJEImgf+INJsre+OZBICUb9rVRgzIzBqP/OmoujzJ4lfGuYmgrpAs+3l5kQpSDpO
-++7375mCGR3KP/mZ4FRbtoVfaALcqtD/egY3iM5jj5fezDtOmf+Zcg2HG2vOwvYw
-RZ6K3vwutcgbEfctLXZvcJaDywKIuav0hetVq6xoAz/x+KqAgDmqV6qru247eSr6
-qy50nmYaLF8xYwSAZX9eWLQz9zpPiqcjeHQ3UK7FPOpgylsJHMW9x3ivls4H/HqK
-oETMZfjgLsakyMNgSD3JI7LdTY/sFRQhyE/iU3lMcxXD1hYiJxED5GYl/VONjJwU
-GXn0xiGy8oiR6LMxHshcFEWQsHCJKA==
-=q+6h
------END PGP SIGNATURE-----

openssl-3.0.0-alpha7.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2884219ad2fae614c0f0d57b77af2f0720f32ffa3a569ac70bbf506bd8732298
+size 14005200

openssl-3.0.0-alpha7.tar.gz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl+IS5sACgkQ2cTSbQ5g
+RJFZOwgAsWw+52pBMN1CABqNRLjtz9DJIqhCKL36tC9cG+6Tb309DCstRZ9NP03I
+X9bDBpgpwJyUt+L8jNOtftK/Cmvt1YPpqRrpu65na8PajeaXKzMpV76yk5Qj2wBT
+uyj0yqR4mRDT16OZ2fYHZ23FHA43K+uEfH/5Bps9WCYcGpd9cASX+AvAeZwEJVMt
+8aneg+HkQoiKNtINFdsGEmC79GyWVIN4PZJpVWXIUtrCx8E8PGc0phKoMOkc69HU
+1ro1Li4mv9WzZZUuDCNUl26L8jRdCrLsBi2+aG2dX7ZniEMdaDXgxjw5GvOkhHp2
+uSGarVNBCQWMNcWlv28NkYIkEHubQg==
+=Wt6S
+-----END PGP SIGNATURE-----

openssl-3.changes

@@ -1,8 +1,40 @@
+-------------------------------------------------------------------
+Thu Oct 15 16:44:44 UTC 2020 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 3.0.0 Alpha 7
+  * Add PKCS7_get_octet_string() and PKCS7_type_is_other() to the public
+    interface. Their functionality remains unchanged.
+  * Deprecated EVP_PKEY_set_alias_type(). This function was previously
+    needed as a workaround to recognise SM2 keys. With OpenSSL 3.0, this key
+    type is internally recognised so the workaround is no longer needed.
+  * Deprecated EVP_PKEY_CTX_set_rsa_keygen_pubexp() & introduced
+    EVP_PKEY_CTX_set1_rsa_keygen_pubexp(), which is now preferred.
+  * Changed all "STACK" functions to be macros instead of inline functions.
+    Macro parameters are still checked for type safety at compile time via
+    helper inline functions.
+  * Remove the RAND_DRBG API:
+    The RAND_DRBG API did not fit well into the new provider concept as
+    implemented by EVP_RAND and EVP_RAND_CTX. The main reason is that the
+    RAND_DRBG API is a mixture of 'front end' and 'back end' API calls
+    and some of its API calls are rather low-level. This holds in particular
+    for the callback mechanism (RAND_DRBG_set_callbacks()).
+    Adding a compatibility layer to continue supporting the RAND_DRBG API as
+    a legacy API for a regular deprecation period turned out to come at the
+    price of complicating the new provider API unnecessarily. Since the
+    RAND_DRBG API exists only since version 1.1.1, it was decided by the OMC
+    to drop it entirely.
+  * Added the options '-crl_lastupdate' and '-crl_nextupdate' to 'openssl ca',
+    allowing the 'lastUpdate' and 'nextUpdate' fields in the generated CRL to
+    be set explicitly.
+  * 'PKCS12_parse' now maintains the order of the parsed certificates
+    when outputting them via '*ca' (rather than reversing it).
+- Update openssl-DEFAULT_SUSE_cipher.patch
+
 -------------------------------------------------------------------
 Fri Aug  7 14:42:42 UTC 2020 - Callum Farmer <callumjfarmer13@gmail.com>
 
 - Removed 0001-Fix-typo-for-SSL_get_peer_certificate.patch:
-  contained in upstream. 
+  contained in upstream.
 - Update to 3.0.0 Alpha 6
   * Added util/check-format.pl for checking adherence to the coding guidelines.
   * Allow SSL_set1_host() and SSL_add1_host() to take IP literal addresses

openssl-3.spec

@@ -20,7 +20,7 @@
 %define sover 3
 %define _rname  openssl
 %define vernum 3.0.0
-%define relnum alpha6
+%define relnum alpha7
 %define dash_version %{vernum}-%{relnum}
 Name:           openssl-3
 # Don't forget to update the version in the "openssl" package!

openssl-DEFAULT_SUSE_cipher.patch

@@ -1,8 +1,8 @@
-Index: openssl-3.0.0-alpha1/ssl/ssl_ciph.c
+Index: openssl-3.0.0-alpha7/ssl/ssl_ciph.c
 ===================================================================
---- openssl-3.0.0-alpha1.orig/ssl/ssl_ciph.c	2020-04-23 23:08:16.314084552 +0200
-+++ openssl-3.0.0-alpha1/ssl/ssl_ciph.c	2020-04-23 23:13:58.721873018 +0200
-@@ -1564,7 +1564,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+--- openssl-3.0.0-alpha7.orig/ssl/ssl_ciph.c
++++ openssl-3.0.0-alpha7/ssl/ssl_ciph.c
+@@ -1592,7 +1592,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
       */
      ok = 1;
      rule_p = rule_str;
@@ -18,26 +18,10 @@ Index: openssl-3.0.0-alpha1/ssl/ssl_ciph.c
          ok = ssl_cipher_process_rulestr(OSSL_default_cipher_list(),
                                          &head, &tail, ca_list, c);
          rule_p += 7;
-Index: openssl-3.0.0-alpha1/include/openssl/ssl.h
+Index: openssl-3.0.0-alpha7/test/recipes/99-test_suse_default_ciphers.t
 ===================================================================
---- openssl-3.0.0-alpha1.orig/include/openssl/ssl.h	2020-04-23 23:08:16.318084577 +0200
-+++ openssl-3.0.0-alpha1/include/openssl/ssl.h	2020-04-23 23:11:04.799122008 +0200
-@@ -181,6 +181,11 @@ extern "C" {
-  */
- # ifndef OPENSSL_NO_DEPRECATED_3_0
- #  define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
-+#  define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"\
-+    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:"\
-+    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\
-+    "DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\
-+    "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA"
- /*
-  * This is the default set of TLSv1.3 ciphersuites
-  * DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites()
-Index: openssl-3.0.0-alpha1/test/recipes/99-test_suse_default_ciphers.t
-===================================================================
---- /dev/null	1970-01-01 00:00:00.000000000 +0000
-+++ openssl-3.0.0-alpha1/test/recipes/99-test_suse_default_ciphers.t	2020-04-23 23:08:16.318084577 +0200
+--- /dev/null
++++ openssl-3.0.0-alpha7/test/recipes/99-test_suse_default_ciphers.t
 @@ -0,0 +1,23 @@
 +#! /usr/bin/env perl
 +
@@ -62,3 +46,19 @@ Index: openssl-3.0.0-alpha1/test/recipes/99-test_suse_default_ciphers.t
 +         "$cipherlist should contain TLSv1.3 ciphers\n");
 +}
 +
+Index: openssl-3.0.0-alpha7/include/openssl/ssl.h.in
+===================================================================
+--- openssl-3.0.0-alpha7.orig/include/openssl/ssl.h.in
++++ openssl-3.0.0-alpha7/include/openssl/ssl.h.in
+@@ -189,6 +189,11 @@ extern "C" {
+  */
+ # ifndef OPENSSL_NO_DEPRECATED_3_0
+ #  define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
++#  define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"\
++    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:"\
++    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\
++    "DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\
++    "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA"
+ /*
+  * This is the default set of TLSv1.3 ciphersuites
+  * DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites()