diff --git a/openssl-3.0.1.tar.gz b/openssl-3.0.1.tar.gz
deleted file mode 100644
index 7f01e76..0000000
--- a/openssl-3.0.1.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c311ad853353bce796edad01a862c50a8a587f62e7e2100ef465ab53ec9b06d1
-size 15011207
diff --git a/openssl-3.0.1.tar.gz.asc b/openssl-3.0.1.tar.gz.asc
deleted file mode 100644
index 5ca3080..0000000
--- a/openssl-3.0.1.tar.gz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmG4w10ACgkQ2cTSbQ5g
-RJFu/QgAqWC12aiVe7Ktr3Rhv9Ktee+7QwuGjDsB7LItm6oDX6abdRyfJZfRRVYL
-vAPa+HhISfVDZe5uQ/ZjKubLwnpfBxAmIXHjY5o4qnTtp6jz0owfw8eSsYjjp7iD
-3DfOI6ySVUWSLsG+rcEGrdh3iuYDqjnZ4/gyuY42xoHaYxhAbmz6tSIeB4eodXiU
-1CGMe+UfiKjIQ3WSyCRYrVHCUFdqir2vVy36enHdJ6diR8PHtbUX9txpjW6BqK73
-CdNJn92yx3XSUQhT6C//1tyj18oNhO7MBqEc/lsi9qzF4mCLCO0e52BAntKvLEJ5
-hIFVk6e5DK2qkfDGE/p60bJF9LOouA==
-=51AA
------END PGP SIGNATURE-----
diff --git a/openssl-3.0.2.tar.gz b/openssl-3.0.2.tar.gz
new file mode 100644
index 0000000..d52d6db
--- /dev/null
+++ b/openssl-3.0.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:98e91ccead4d4756ae3c9cde5e09191a8e586d9f4d50838e7ec09d6411dfdb63
+size 15038141
diff --git a/openssl-3.0.2.tar.gz.asc b/openssl-3.0.2.tar.gz.asc
new file mode 100644
index 0000000..720781c
--- /dev/null
+++ b/openssl-3.0.2.tar.gz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmIwowMACgkQ2cTSbQ5g
+RJFDvAf/RVYnplRE1x9i/ejoJeTAO7YhibCRpnp+UzkpgMrDL1y9Rpw3ZJCYh9Fq
+HEotKmbuZvNGPgYUxSov00xnhKcpzTHKiZQA767rZpNL4F+g3SpOh06IB6tJzn1k
+dx9oqAmWgIeWLY4kRHXrqqFa95Zu9LNxJ04NuqaaWxeK0/fYl534sYW5DU6uug9u
+4NcBamvnPv1+4A3Ow6jdN96tb7O3HuJ14RvGPzgUx1FPv/zU6NE2fgTnVcBzaYIP
+5rfB1EQa3+1NTtej+uUQb0i0NxFpgggFMF+qCc5Yrl9i3o8Q+wnbaVw4bNURk9En
+gNgfw0J0TG14PgtkF/Q6he++BQoNYQ==
+=pMVy
+-----END PGP SIGNATURE-----
diff --git a/openssl-3.changes b/openssl-3.changes
index b20cdfb..bfe1d99 100644
--- a/openssl-3.changes
+++ b/openssl-3.changes
@@ -1,3 +1,32 @@
+-------------------------------------------------------------------
+Tue Mar 15 17:41:47 UTC 2022 - Pedro Monreal
+
+- Update to 3.0.2: [bsc#1196877, CVE-2022-0778]
+ * Security fix [CVE-2022-0778]: Infinite loop for non-prime moduli
+ in BN_mod_sqrt() reachable when parsing certificates.
+ * Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK
+ (RFC 5489) to the list of ciphersuites providing Perfect Forward
+ Secrecy as required by SECLEVEL >= 3.
+ * Made the AES constant time code for no-asm configurations
+ optional due to the resulting 95% performance degradation.
+ The AES constant time code can be enabled, for no assembly
+ builds, with: ./config no-asm -DOPENSSL_AES_CONST_TIME
+ * Fixed PEM_write_bio_PKCS8PrivateKey() to make it possible to
+ use empty passphrase strings.
+ * The negative return value handling of the certificate
+ verification callback was reverted. The replacement is to set
+ the verification retry state with the SSL_set_retry_verify()
+ function.
+ * Rebase openssl-use-versioned-config.patch
+
+-------------------------------------------------------------------
+Tue Feb 22 18:46:13 UTC 2022 - Pedro Monreal
+
+- Keep CA_default and tsa_config1 default paths in openssl3.cnf
+- Rebase patches:
+ * openssl-Override-default-paths-for-the-CA-directory-tree.patch
+ * openssl-use-versioned-config.patch
+
 -------------------------------------------------------------------
 Tue Feb 1 13:55:24 UTC 2022 - Danilo Spinella
 
diff --git a/openssl-3.spec b/openssl-3.spec
index 824ed3d..b60c87f 100644
--- a/openssl-3.spec
+++ b/openssl-3.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package openssl-3
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -21,7 +21,7 @@ %define _rname openssl Name: openssl-3 # Don't forget to update the version in the "openssl" package! -Version: 3.0.1 +Version: 3.0.2 Release: 0 Summary: Secure Sockets and Transport Layer Security License: Apache-2.0 @@ -52,7 +52,6 @@ BuildRequires: pkgconfig # Add requires for ct_log_list.cnf{,.dist} Requires: openssl - %description OpenSSL is a software library to be used in applications that need to secure communications over computer networks against eavesdropping or diff --git a/openssl-Override-default-paths-for-the-CA-directory-tree.patch b/openssl-Override-default-paths-for-the-CA-directory-tree.patch index a7996b3..681d082 100644 --- a/openssl-Override-default-paths-for-the-CA-directory-tree.patch +++ b/openssl-Override-default-paths-for-the-CA-directory-tree.patch @@ -40,21 +40,3 @@ Index: openssl-3.0.1/apps/openssl.cnf #################################################################### [ ca ] -@@ -79,7 +88,7 @@ default_ca = CA_default # The default c - #################################################################### - [ CA_default ] - --dir = ./demoCA # Where everything is kept -+dir = /etc/pki/CA # Where everything is kept - certs = $dir/certs # Where the issued certs are kept - crl_dir = $dir/crl # Where the issued crl are kept - database = $dir/index.txt # database index file. -@@ -309,7 +318,7 @@ default_tsa = tsa_config1 # the default - [ tsa_config1 ] - - # These are used by the TSA reply generation only. --dir = ./demoCA # TSA root directory -+dir = /etc/pki/CA # TSA root directory - serial = $dir/tsaserial # The current serial number (mandatory) - crypto_device = builtin # OpenSSL engine to use for signing - signer_cert = $dir/tsacert.pem # The TSA signing certificate diff --git a/openssl-use-versioned-config.patch b/openssl-use-versioned-config.patch index 9e8e60d..c12a6c9 100644 --- a/openssl-use-versioned-config.patch +++ b/openssl-use-versioned-config.patch 
@@ -6,10 +6,10 @@ Subject: [PATCH] Updates the conf file to openssl11.cnf Resolves: Refactored for SUSE by Simon Lees sflees@suse.de -Index: openssl-3.0.1/include/internal/cryptlib.h +Index: openssl-3.0.2/include/internal/cryptlib.h =================================================================== ---- openssl-3.0.1.orig/include/internal/cryptlib.h -+++ openssl-3.0.1/include/internal/cryptlib.h +--- openssl-3.0.2.orig/include/internal/cryptlib.h ++++ openssl-3.0.2/include/internal/cryptlib.h @@ -61,7 +61,7 @@ DEFINE_STACK_OF(EX_CALLBACK) typedef struct mem_st MEM; DEFINE_LHASH_OF(MEM); @@ -19,19 +19,10 @@ Index: openssl-3.0.1/include/internal/cryptlib.h # ifndef OPENSSL_SYS_VMS # define X509_CERT_AREA OPENSSLDIR -Index: openssl-3.0.1/Configurations/unix-Makefile.tmpl +Index: openssl-3.0.2/Configurations/unix-Makefile.tmpl =================================================================== ---- openssl-3.0.1.orig/Configurations/unix-Makefile.tmpl -+++ openssl-3.0.1/Configurations/unix-Makefile.tmpl -@@ -129,7 +129,7 @@ GENERATED_PODS={- # common0.tmpl provide - fill_lines(" ", $COLUMNS - 15, - map { my $x = $_; - ( -- grep { -+ grep { - $unified_info{attributes}->{depends} - ->{$x}->{$_}->{pod} // 0 - } +--- openssl-3.0.2.orig/Configurations/unix-Makefile.tmpl ++++ openssl-3.0.2/Configurations/unix-Makefile.tmpl @@ -675,14 +675,14 @@ install_ssldirs: : {- output_on() if windowsdll(); "" -}; \ fi; \ 
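Review bot: The patch header kept as context in the `@@ -6,10 +6,10 @@` hunk still reads `Subject: [PATCH] Updates the conf file to openssl11.cnf`, while the rules this patch rewrites further down name `openssl3.cnf` (for example `$(BLDDIR)/apps/openssl3.cnf`). Since the file is being rebased anyway, the header could be corrected to `Subject: [PATCH] Updates the conf file to openssl3.cnf`, so that a later audit of which configuration file this build reads by default is not misled by the description. The rest of the patch header starts above the hunk and is not visible here.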
@@ -71,21 +62,21 @@ Index: openssl-3.0.1/Configurations/unix-Makefile.tmpl -link-utils: $(BLDDIR)/util/opensslwrap.sh $(BLDDIR)/apps/openssl.cnf +link-utils: $(BLDDIR)/util/opensslwrap.sh $(BLDDIR)/apps/openssl3.cnf - $(BLDDIR)/util/opensslwrap.sh: configdata.pm + $(BLDDIR)/util/opensslwrap.sh: Makefile @if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \ -@@ -1382,7 +1382,7 @@ $(BLDDIR)/util/opensslwrap.sh: configdat +@@ -1382,7 +1382,7 @@ $(BLDDIR)/util/opensslwrap.sh: Makefile ln -sf "../$(SRCDIR)/util/`basename "$@"`" "$(BLDDIR)/util"; \ fi --$(BLDDIR)/apps/openssl.cnf: configdata.pm -+$(BLDDIR)/apps/openssl3.cnf: configdata.pm +-$(BLDDIR)/apps/openssl.cnf: Makefile ++$(BLDDIR)/apps/openssl3.cnf: Makefile @if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \ mkdir -p "$(BLDDIR)/apps"; \ ln -sf "../$(SRCDIR)/apps/`basename "$@"`" "$(BLDDIR)/apps"; \ -Index: openssl-3.0.1/Configure +Index: openssl-3.0.2/Configure =================================================================== ---- openssl-3.0.1.orig/Configure -+++ openssl-3.0.1/Configure +--- openssl-3.0.2.orig/Configure ++++ openssl-3.0.2/Configure @@ -56,7 +56,7 @@ EOF # directories bin, lib, include, share/man, share/doc/openssl # This becomes the value of INSTALLTOP in Makefile @@ -95,10 +86,10 @@ Index: openssl-3.0.1/Configure # If it's a relative directory, it will be added on the directory # given with --prefix. # This becomes the value of OPENSSLDIR in Makefile and in C. -Index: openssl-3.0.1/doc/HOWTO/certificates.txt +Index: openssl-3.0.2/doc/HOWTO/certificates.txt =================================================================== ---- openssl-3.0.1.orig/doc/HOWTO/certificates.txt -+++ openssl-3.0.1/doc/HOWTO/certificates.txt +--- openssl-3.0.2.orig/doc/HOWTO/certificates.txt ++++ openssl-3.0.2/doc/HOWTO/certificates.txt @@ -16,7 +16,7 @@ Certificate authorities should read http In all the cases shown below, the standard configuration file, as compiled into openssl, will be used. You may find it in /etc/, 
@@ -108,10 +99,10 @@ Index: openssl-3.0.1/doc/HOWTO/certificates.txt You can specify a different configuration file using the '-config {file}' argument with the commands shown below. -Index: openssl-3.0.1/doc/man3/OPENSSL_config.pod +Index: openssl-3.0.2/doc/man3/OPENSSL_config.pod =================================================================== ---- openssl-3.0.1.orig/doc/man3/OPENSSL_config.pod -+++ openssl-3.0.1/doc/man3/OPENSSL_config.pod +--- openssl-3.0.2.orig/doc/man3/OPENSSL_config.pod ++++ openssl-3.0.2/doc/man3/OPENSSL_config.pod @@ -17,7 +17,7 @@ see L: =head1 DESCRIPTION @@ -121,16 +112,10 @@ Index: openssl-3.0.1/doc/man3/OPENSSL_config.pod reads from the application section B. If B is NULL then the default section, B, will be used. Errors are silently ignored. -Index: openssl-3.0.1/INSTALL.md +Index: openssl-3.0.2/INSTALL.md =================================================================== ---- openssl-3.0.1.orig/INSTALL.md -+++ openssl-3.0.1/INSTALL.md -@@ -1,4 +1,4 @@ --Build and Install -+fBuild and Install - ================= - - This document describes installation on all supported operating +--- openssl-3.0.2.orig/INSTALL.md ++++ openssl-3.0.2/INSTALL.md @@ -567,7 +567,7 @@ is an objective. ### no-autoload-config