Accepting request 846431 from security:tls:unstable

OBS-URL: https://build.opensuse.org/request/show/846431
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=21

openssl-3.0.0-alpha7.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:2884219ad2fae614c0f0d57b77af2f0720f32ffa3a569ac70bbf506bd8732298
-size 14005200

openssl-3.0.0-alpha7.tar.gz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl+IS5sACgkQ2cTSbQ5g
-RJFZOwgAsWw+52pBMN1CABqNRLjtz9DJIqhCKL36tC9cG+6Tb309DCstRZ9NP03I
-X9bDBpgpwJyUt+L8jNOtftK/Cmvt1YPpqRrpu65na8PajeaXKzMpV76yk5Qj2wBT
-uyj0yqR4mRDT16OZ2fYHZ23FHA43K+uEfH/5Bps9WCYcGpd9cASX+AvAeZwEJVMt
-8aneg+HkQoiKNtINFdsGEmC79GyWVIN4PZJpVWXIUtrCx8E8PGc0phKoMOkc69HU
-1ro1Li4mv9WzZZUuDCNUl26L8jRdCrLsBi2+aG2dX7ZniEMdaDXgxjw5GvOkhHp2
-uSGarVNBCQWMNcWlv28NkYIkEHubQg==
-=Wt6S
------END PGP SIGNATURE-----

openssl-3.0.0-alpha8.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a6c7b618a6a37cf0cebbc583b49e6d22d86e2d777e60173433eada074c32eea4
+size 14011376

openssl-3.0.0-alpha8.tar.gz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl+kBlYACgkQ2cTSbQ5g
+RJEo6gf/fZkWKzMPfeQ9u6ZSfWTtHrbS8Iln6tQNDwwK+L5y3knurtbQxvC7ym6i
+fapE7/DijmK0YX7YxoiXaFgm/ZjebtD8Ny8aqQ8qWSvRzSYsarvrBTQ74gwC5ATO
+J5kzwRkVny4xR8sdot332drk4NpVoPNeMPQ0kyNr4PE/9u393+XyE2nMSpD89pnC
+/3l9YZKoDnyEd6fN4BfPwhpzuJxqY9ubshTqy+PKNC81DvIOHN2y7cnRHHrTOYdo
+YOrrLFFNhNGDwuLNFUcS5kzo/Ucobf1WziQsC3QMPfPzvVg45y4pwQW7g40ih5i7
+dmxUUQGliNB8knFs534mhcu8PoaEnQ==
+=xcGS
+-----END PGP SIGNATURE-----

openssl-3.changes

@@ -1,3 +1,36 @@
+-------------------------------------------------------------------
+Thu Nov  5 18:36:23 UTC 2020 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 3.0.0 Alpha 8
+  * Add support for AES Key Wrap inverse ciphers to the EVP layer.
+    The algorithms are: "AES-128-WRAP-INV", "AES-192-WRAP-INV",
+    "AES-256-WRAP-INV", "AES-128-WRAP-PAD-INV", "AES-192-WRAP-PAD-INV"
+    and "AES-256-WRAP-PAD-INV". The inverse ciphers use AES decryption
+    for wrapping, and AES encryption for unwrapping.
+  * Deprecated EVP_PKEY_set1_tls_encodedpoint() and
+    EVP_PKEY_get1_tls_encodedpoint(). These functions were previously
+    used by libssl to set or get an encoded public key in/from an
+    EVP_PKEY object. With OpenSSL 3.0 these are replaced by the more
+    generic functions EVP_PKEY_set1_encoded_public_key() and
+    EVP_PKEY_get1_encoded_public_key(). The old versions have been
+    converted to deprecated macros that just call the new functions.
+  * The security callback, which can be customised by application
+    code, supports the security operation SSL_SECOP_TMP_DH. This is
+    defined to take an EVP_PKEY in the "other" parameter. In most
+    places this is what is passed. All these places occur server side.
+    However there was one client side call of this security operation
+    and it passed a DH object instead. This is incorrect according to
+    the definition of SSL_SECOP_TMP_DH, and is inconsistent with all
+    of the other locations. Therefore this client side call has been
+    changed to pass an EVP_PKEY instead.
+  * Added new option for 'openssl list', '-providers', which will
+    display the list of loaded providers, their names, version and
+    status. It optionally displays their gettable parameters.
+  * Deprecated pthread fork support methods. These were unused so no
+    replacement is required. OPENSSL_fork_prepare(),
+    OPENSSL_fork_parent() and OPENSSL_fork_child().
+- Remove openssl-AES_XTS.patch fixed upstream
+
 -------------------------------------------------------------------
 Fri Oct 16 10:58:53 UTC 2020 - Pedro Monreal <pmonreal@suse.com>
 

openssl-3.spec

@@ -20,7 +20,7 @@
 %define sover 3
 %define _rname  openssl
 %define vernum 3.0.0
-%define relnum alpha7
+%define relnum alpha8
 %define dash_version %{vernum}-%{relnum}
 Name:           openssl-3
 # Don't forget to update the version in the "openssl" package!
@@ -45,10 +45,6 @@ Patch3:         openssl-pkgconfig.patch
 Patch4:         openssl-DEFAULT_SUSE_cipher.patch
 Patch5:         openssl-ppc64-config.patch
 Patch6:         openssl-no-date.patch
-%ifarch aarch64 ppc ppc64 ppc64le
-# PATCH-FIX-UPSTREAM: https://github.com/openssl/openssl/pull/13133
-Patch7:         openssl-AES_XTS.patch
-%endif
 BuildRequires:  pkgconfig
 Conflicts:      ssl
 Provides:       ssl

openssl-AES_XTS.patch

@@ -1,27 +0,0 @@
-From ec5059c3effc59457f4b539ed105123c0b702307 Mon Sep 17 00:00:00 2001
-From: XiaokangQian <xiaokang.qian@arm.com>
-Date: Tue, 13 Oct 2020 09:53:58 +0000
-Subject: [PATCH] Fix Aes-xts potential failure on aarch64
-
-Add return value for aarch64 in the init key function.
-This will avoid overwriting the stream pointers of aarch64.
-
-Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
-Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
-(Merged from https://github.com/openssl/openssl/pull/13133)
----
- providers/implementations/ciphers/cipher_aes_xts_hw.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/providers/implementations/ciphers/cipher_aes_xts_hw.c b/providers/implementations/ciphers/cipher_aes_xts_hw.c
-index 15c136bafd8c..c45d67b825b1 100644
---- a/providers/implementations/ciphers/cipher_aes_xts_hw.c
-+++ b/providers/implementations/ciphers/cipher_aes_xts_hw.c
-@@ -59,6 +59,7 @@ static int cipher_hw_aes_xts_generic_initkey(PROV_CIPHER_CTX *ctx,
-         XTS_SET_KEY_FN(HWAES_set_encrypt_key, HWAES_set_decrypt_key,
-                        HWAES_encrypt, HWAES_decrypt,
-                        stream_enc, stream_dec);
-+        return 1;
-     } else
- #endif /* HWAES_CAPABLE */
-