Accepting request 962004 from security:tls

OBS-URL: https://build.opensuse.org/request/show/962004
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=2
Dominique Leuenberger 2022-03-16 19:20:36 +00:00 committed by Git OBS Bridge
commit 7eec039543
8 changed files with 67 additions and 72 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c311ad853353bce796edad01a862c50a8a587f62e7e2100ef465ab53ec9b06d1
size 15011207


@ -1,11 +0,0 @@

openssl-3.0.2.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:98e91ccead4d4756ae3c9cde5e09191a8e586d9f4d50838e7ec09d6411dfdb63
size 15038141
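
Review bot: nothing in this hunk ties the new `oid sha256:` value to upstream, so before accepting, compare it with the SHA-256 that upstream publishes for openssl-3.0.2.tar.gz and verify the tarball against the detached signature added alongside as openssl-3.0.2.tar.gz.asc. The size change from 15011207 to 15038141 is plausible for a new release tarball but says nothing about its origin.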

openssl-3.0.2.tar.gz.asc Normal file

@ -0,0 +1,11 @@


@ -1,3 +1,32 @@
-------------------------------------------------------------------
Tue Mar 15 17:41:47 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
- Update to 3.0.2: [bsc#1196877, CVE-2022-0778]
* Security fix [CVE-2022-0778]: Infinite loop for non-prime moduli
in BN_mod_sqrt() reachable when parsing certificates.
* Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK
(RFC 5489) to the list of ciphersuites providing Perfect Forward
Secrecy as required by SECLEVEL >= 3.
* Made the AES constant time code for no-asm configurations
optional due to the resulting 95% performance degradation.
The AES constant time code can be enabled, for no assembly
builds, with: ./config no-asm -DOPENSSL_AES_CONST_TIME
* Fixed PEM_write_bio_PKCS8PrivateKey() to make it possible to
use empty passphrase strings.
* The negative return value handling of the certificate
verification callback was reverted. The replacement is to set
the verification retry state with the SSL_set_retry_verify()
function.
* Rebase openssl-use-versioned-config.patch
-------------------------------------------------------------------
Tue Feb 22 18:46:13 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
- Keep CA_default and tsa_config1 default paths in openssl3.cnf
- Rebase patches:
* openssl-Override-default-paths-for-the-CA-directory-tree.patch
* openssl-use-versioned-config.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Feb 1 13:55:24 UTC 2022 - Danilo Spinella <danilo.spinella@suse.com> Tue Feb 1 13:55:24 UTC 2022 - Danilo Spinella <danilo.spinella@suse.com>


@ -1,7 +1,7 @@
# #
# spec file for package openssl-3 # spec file for package openssl-3
# #
# Copyright (c) 2021 SUSE LLC # Copyright (c) 2022 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -21,7 +21,7 @@
%define _rname openssl %define _rname openssl
Name: openssl-3 Name: openssl-3
# Don't forget to update the version in the "openssl" package! # Don't forget to update the version in the "openssl" package!
Version: 3.0.1 Version: 3.0.2
Release: 0 Release: 0
Summary: Secure Sockets and Transport Layer Security Summary: Secure Sockets and Transport Layer Security
License: Apache-2.0 License: Apache-2.0
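
Review bot: the comment directly above the bumped `Version:` line says the version in the "openssl" package has to be updated as well, and every file shown in this commit belongs to openssl-3. Confirm that the matching change to the "openssl" package is submitted together with this request, or reference it in the changelog entry.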
@ -52,7 +52,6 @@ BuildRequires: pkgconfig
# Add requires for ct_log_list.cnf{,.dist} # Add requires for ct_log_list.cnf{,.dist}
Requires: openssl Requires: openssl
%description %description
OpenSSL is a software library to be used in applications that need to OpenSSL is a software library to be used in applications that need to
secure communications over computer networks against eavesdropping or secure communications over computer networks against eavesdropping or


@ -40,21 +40,3 @@ Index: openssl-3.0.1/apps/openssl.cnf
#################################################################### ####################################################################
[ ca ] [ ca ]
@@ -79,7 +88,7 @@ default_ca = CA_default # The default c
####################################################################
[ CA_default ]
-dir = ./demoCA # Where everything is kept
+dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
@@ -309,7 +318,7 @@ default_tsa = tsa_config1 # the default
[ tsa_config1 ]
# These are used by the TSA reply generation only.
-dir = ./demoCA # TSA root directory
+dir = /etc/pki/CA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
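
Review bot: with these two inner hunks dropped, `dir` in `[ CA_default ]` and `[ tsa_config1 ]` stays at `./demoCA`, a path resolved against the working directory of whoever runs the command rather than the fixed `/etc/pki/CA`. That agrees with the changelog line "Keep CA_default and tsa_config1 default paths in openssl3.cnf", but the entry gives no reason for the change; add one, and check that nothing else in the package still expects `/etc/pki/CA`. The `Index:` line in this hunk's header also still names openssl-3.0.1.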


@ -6,10 +6,10 @@ Subject: [PATCH] Updates the conf file to openssl11.cnf Resolves:
Refactored for SUSE by Simon Lees sflees@suse.de Refactored for SUSE by Simon Lees sflees@suse.de
Index: openssl-3.0.1/include/internal/cryptlib.h Index: openssl-3.0.2/include/internal/cryptlib.h
=================================================================== ===================================================================
--- openssl-3.0.1.orig/include/internal/cryptlib.h --- openssl-3.0.2.orig/include/internal/cryptlib.h
+++ openssl-3.0.1/include/internal/cryptlib.h +++ openssl-3.0.2/include/internal/cryptlib.h
@@ -61,7 +61,7 @@ DEFINE_STACK_OF(EX_CALLBACK) @@ -61,7 +61,7 @@ DEFINE_STACK_OF(EX_CALLBACK)
typedef struct mem_st MEM; typedef struct mem_st MEM;
DEFINE_LHASH_OF(MEM); DEFINE_LHASH_OF(MEM);
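
Review bot: the patch subject in this hunk's header still reads "Updates the conf file to openssl11.cnf", while the patch body renames the target to `openssl3.cnf`. Since the patch is being rebased anyway, correct the subject so the description matches what is applied.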
@ -19,19 +19,10 @@ Index: openssl-3.0.1/include/internal/cryptlib.h
# ifndef OPENSSL_SYS_VMS # ifndef OPENSSL_SYS_VMS
# define X509_CERT_AREA OPENSSLDIR # define X509_CERT_AREA OPENSSLDIR
Index: openssl-3.0.1/Configurations/unix-Makefile.tmpl Index: openssl-3.0.2/Configurations/unix-Makefile.tmpl
=================================================================== ===================================================================
--- openssl-3.0.1.orig/Configurations/unix-Makefile.tmpl --- openssl-3.0.2.orig/Configurations/unix-Makefile.tmpl
+++ openssl-3.0.1/Configurations/unix-Makefile.tmpl +++ openssl-3.0.2/Configurations/unix-Makefile.tmpl
@@ -129,7 +129,7 @@ GENERATED_PODS={- # common0.tmpl provide
fill_lines(" ", $COLUMNS - 15,
map { my $x = $_;
(
- grep {
+ grep {
$unified_info{attributes}->{depends}
->{$x}->{$_}->{pod} // 0
}
@@ -675,14 +675,14 @@ install_ssldirs: @@ -675,14 +675,14 @@ install_ssldirs:
: {- output_on() if windowsdll(); "" -}; \ : {- output_on() if windowsdll(); "" -}; \
fi; \ fi; \
@ -71,21 +62,21 @@ Index: openssl-3.0.1/Configurations/unix-Makefile.tmpl
-link-utils: $(BLDDIR)/util/opensslwrap.sh $(BLDDIR)/apps/openssl.cnf -link-utils: $(BLDDIR)/util/opensslwrap.sh $(BLDDIR)/apps/openssl.cnf
+link-utils: $(BLDDIR)/util/opensslwrap.sh $(BLDDIR)/apps/openssl3.cnf +link-utils: $(BLDDIR)/util/opensslwrap.sh $(BLDDIR)/apps/openssl3.cnf
$(BLDDIR)/util/opensslwrap.sh: configdata.pm $(BLDDIR)/util/opensslwrap.sh: Makefile
@if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \ @if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \
@@ -1382,7 +1382,7 @@ $(BLDDIR)/util/opensslwrap.sh: configdat @@ -1382,7 +1382,7 @@ $(BLDDIR)/util/opensslwrap.sh: Makefile
ln -sf "../$(SRCDIR)/util/`basename "$@"`" "$(BLDDIR)/util"; \ ln -sf "../$(SRCDIR)/util/`basename "$@"`" "$(BLDDIR)/util"; \
fi fi
-$(BLDDIR)/apps/openssl.cnf: configdata.pm -$(BLDDIR)/apps/openssl.cnf: Makefile
+$(BLDDIR)/apps/openssl3.cnf: configdata.pm +$(BLDDIR)/apps/openssl3.cnf: Makefile
@if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \ @if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \
mkdir -p "$(BLDDIR)/apps"; \ mkdir -p "$(BLDDIR)/apps"; \
ln -sf "../$(SRCDIR)/apps/`basename "$@"`" "$(BLDDIR)/apps"; \ ln -sf "../$(SRCDIR)/apps/`basename "$@"`" "$(BLDDIR)/apps"; \
Index: openssl-3.0.1/Configure Index: openssl-3.0.2/Configure
=================================================================== ===================================================================
--- openssl-3.0.1.orig/Configure --- openssl-3.0.2.orig/Configure
+++ openssl-3.0.1/Configure +++ openssl-3.0.2/Configure
@@ -56,7 +56,7 @@ EOF @@ -56,7 +56,7 @@ EOF
# directories bin, lib, include, share/man, share/doc/openssl # directories bin, lib, include, share/man, share/doc/openssl
# This becomes the value of INSTALLTOP in Makefile # This becomes the value of INSTALLTOP in Makefile
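
Review bot: the renamed rule `$(BLDDIR)/apps/openssl3.cnf: Makefile` keeps the upstream recipe, which links to the basename of `$@` under `$(SRCDIR)/apps`, so in an out-of-tree build the link now targets `apps/openssl3.cnf` in the source tree. Check that the patch or the spec actually provides the file under that name, otherwise the link dangles. The prerequisite change from `configdata.pm` to `Makefile` appears on both the removed and the added line, so it only follows the new upstream context.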
@ -95,10 +86,10 @@ Index: openssl-3.0.1/Configure
# If it's a relative directory, it will be added on the directory # If it's a relative directory, it will be added on the directory
# given with --prefix. # given with --prefix.
# This becomes the value of OPENSSLDIR in Makefile and in C. # This becomes the value of OPENSSLDIR in Makefile and in C.
Index: openssl-3.0.1/doc/HOWTO/certificates.txt Index: openssl-3.0.2/doc/HOWTO/certificates.txt
=================================================================== ===================================================================
--- openssl-3.0.1.orig/doc/HOWTO/certificates.txt --- openssl-3.0.2.orig/doc/HOWTO/certificates.txt
+++ openssl-3.0.1/doc/HOWTO/certificates.txt +++ openssl-3.0.2/doc/HOWTO/certificates.txt
@@ -16,7 +16,7 @@ Certificate authorities should read http @@ -16,7 +16,7 @@ Certificate authorities should read http
In all the cases shown below, the standard configuration file, as In all the cases shown below, the standard configuration file, as
compiled into openssl, will be used. You may find it in /etc/, compiled into openssl, will be used. You may find it in /etc/,
@ -108,10 +99,10 @@ Index: openssl-3.0.1/doc/HOWTO/certificates.txt
You can specify a different configuration file using the You can specify a different configuration file using the
'-config {file}' argument with the commands shown below. '-config {file}' argument with the commands shown below.
Index: openssl-3.0.1/doc/man3/OPENSSL_config.pod Index: openssl-3.0.2/doc/man3/OPENSSL_config.pod
=================================================================== ===================================================================
--- openssl-3.0.1.orig/doc/man3/OPENSSL_config.pod --- openssl-3.0.2.orig/doc/man3/OPENSSL_config.pod
+++ openssl-3.0.1/doc/man3/OPENSSL_config.pod +++ openssl-3.0.2/doc/man3/OPENSSL_config.pod
@@ -17,7 +17,7 @@ see L<openssl_user_macros(7)>: @@ -17,7 +17,7 @@ see L<openssl_user_macros(7)>:
=head1 DESCRIPTION =head1 DESCRIPTION
@ -121,16 +112,10 @@ Index: openssl-3.0.1/doc/man3/OPENSSL_config.pod
reads from the application section B<appname>. If B<appname> is NULL then reads from the application section B<appname>. If B<appname> is NULL then
the default section, B<openssl_conf>, will be used. the default section, B<openssl_conf>, will be used.
Errors are silently ignored. Errors are silently ignored.
Index: openssl-3.0.1/INSTALL.md Index: openssl-3.0.2/INSTALL.md
=================================================================== ===================================================================
--- openssl-3.0.1.orig/INSTALL.md --- openssl-3.0.2.orig/INSTALL.md
+++ openssl-3.0.1/INSTALL.md +++ openssl-3.0.2/INSTALL.md
@@ -1,4 +1,4 @@
-Build and Install
+fBuild and Install
=================
This document describes installation on all supported operating
@@ -567,7 +567,7 @@ is an objective. @@ -567,7 +567,7 @@ is an objective.
### no-autoload-config ### no-autoload-config
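
Review bot: the changelog records this only as "Rebase openssl-use-versioned-config.patch", but the rebase also drops the inner hunk at `@@ -1,4 +1,4 @@` that turned the INSTALL.md title `Build and Install` into `fBuild and Install`. Dropping that stray edit is correct; say so in the changelog entry so the content change is not hidden behind "Rebase". The same applies to the `grep {` hunk removed from the unix-Makefile.tmpl part of the patch, whose removed and added lines differ at most in whitespace.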