From 0a9d203a57cd6286fc820fa040affc6d30b86f438b31fb2b22ec2f7f71cb8199 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Fri, 17 Jul 2020 11:26:23 +0000 Subject: [PATCH] Accepting request 821489 from home:pmonrealgonzalez:branches:security:tls - Update to 3.0.0 Alpha 5 * Deprecated the 'ENGINE' API. Engines should be replaced with providers going forward. * Reworked the recorded ERR codes to make better space for system errors. To distinguish them, the macro 'ERR_SYSTEM_ERROR()' indicates if the given code is a system error (true) or an OpenSSL error (false). * Reworked the test perl framework to better allow parallel testing. * Added ciphertext stealing algorithms AES-128-CBC-CTS, AES-192-CBC-CTS and AES-256-CBC-CTS to the providers. CS1, CS2 and CS3 variants are supported. * 'Configure' has been changed to figure out the configuration target if none is given on the command line. Consequently, the 'config' script is now only a mere wrapper. All documentation is changed to only mention 'Configure'. * Added a library context that applications as well as other libraries can use to form a separate context within which libcrypto operations are performed. - There are two ways this can be used: 1) Directly, by passing a library context to functions that take such an argument, such as 'EVP_CIPHER_fetch' and similar algorithm fetching functions. 2) Indirectly, by creating a new library context and then assigning it as the new default, with 'OPENSSL_CTX_set0_default'. - All public OpenSSL functions that take an 'OPENSSL_CTX' pointer, apart from the functions directly related to 'OPENSSL_CTX', accept NULL to indicate that the default library context should be used. - Library code that changes the default library context using 'OPENSSL_CTX_set0_default' should take care to restore it with a second call before returning to the caller. * The security strength of SHA1 and MD5 based signatures in TLS has been reduced. 
This results in SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 no longer working at the default security level of 1 and instead requires security OBS-URL: https://build.opensuse.org/request/show/821489 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=13
---
 openssl-3.0.0-alpha4.tar.gz | 3 ---
 openssl-3.0.0-alpha4.tar.gz.asc | 11 --------
 openssl-3.0.0-alpha5.tar.gz | 3 +++
 openssl-3.0.0-alpha5.tar.gz.asc | 17 ++++++++++++
 openssl-3.changes | 41 ++++++++++++++++++++++++++++
 openssl-3.spec | 4 +--
 openssl-ppc64-config.patch | 48 +++++++++++++++++++++------------
 7 files changed, 94 insertions(+), 33 deletions(-)
 delete mode 100644 openssl-3.0.0-alpha4.tar.gz
 delete mode 100644 openssl-3.0.0-alpha4.tar.gz.asc
 create mode 100644 openssl-3.0.0-alpha5.tar.gz
 create mode 100644 openssl-3.0.0-alpha5.tar.gz.asc
diff --git a/openssl-3.0.0-alpha4.tar.gz b/openssl-3.0.0-alpha4.tar.gz
deleted file mode 100644
index cbc39f0..0000000
--- a/openssl-3.0.0-alpha4.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d930b650e0899f5baca8b80c50e7401620c129fef6c50198400999776a39bd37
-size 13884897
diff --git a/openssl-3.0.0-alpha4.tar.gz.asc b/openssl-3.0.0-alpha4.tar.gz.asc
deleted file mode 100644
index 26bd9c6..0000000
--- a/openssl-3.0.0-alpha4.tar.gz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl70rYcACgkQ2cTSbQ5g
-RJFsRwgAlrEhcEjqVsAVXNB9q7vGKkGzugDwKydXJuYel95dQFR9doiRDPG1iHXa
-MVXIcZoSsOdm+DBm9qRzTbYQgVKbtFJYQVO/Q+AzSi9HihS9Nq9vdXt2xkpQhb5N
-KewzA8LSZOZWJBaqP1JAyAECl8bfgln4x05vrDNpzJfDOkO8z+tgI1BZNaGZk81s
-C5l3MP35gOj7XAdwCQBzRY/0S6OppUL+qtdyORQPf2PcjXoXZ90ncHISb7nMR5Io
-uw2K/AiDSPcoIAuku1JO5HSgr8Py5FfrJMWrfJnsrHRX48wTV2EwDutjWYSd892C
-ft7Yy8C7VFnY6NLB4ts/zmgApScMBA==
-=k+We
------END PGP SIGNATURE-----
diff --git a/openssl-3.0.0-alpha5.tar.gz b/openssl-3.0.0-alpha5.tar.gz
new file mode 100644
index 0000000..f849d2c
--- /dev/null
+++ b/openssl-3.0.0-alpha5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:09ad89af04cbf36dbbce1fc7063e18fcc333fcaaf3eccecf22c4a99bac83e139
+size 13919931
diff --git a/openssl-3.0.0-alpha5.tar.gz.asc b/openssl-3.0.0-alpha5.tar.gz.asc
new file mode 100644
index 0000000..1cc761f
--- /dev/null
+++ b/openssl-3.0.0-alpha5.tar.gz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJIBAABCgAyFiEEeVOsH7w9yLOykjk+1enkP3357owFAl8QVLgUHGxldml0dGVA
+b3BlbnNzbC5vcmcACgkQ1enkP3357oxYpA//REAEr+T8YIxYRWxLUAayzxuWMA1a
+vYWUg6Z2CJWVG1w/JNmrbWNgoeJNdnYe80uFeMLBvJhe7nbq2mOrUQ/IrlzVyT5F
+Tg5upCRTeiCnX36sOG+Bkw6RMIccqQH1Rjrmib6TAfvlmqOoALDM9COSqIEDpG9L
+h0B++LjDfeFwsbXR5dvU5ZJCv+RvO7vg+uTOryphEi8XeyNmelQJSpH7XNVnw81i
++/dac5rup/wkTHA8yUJQ4OpSy2tC8Ht+WdluNEsT6+ewxiuVM3PQ7NAWSYtNiWzG
+eEZPM27yrY+xSBkIPvtzWDZ0e7EUU/SH2dsSYBsuk7lO2fSqBS9er3oe67tw/Gax
+W67ei+aMbEGoSkN1JCtsCjzcMp/QZ+5932pWy/d76I4smCxdmaJd5O/B0y4O1FQv
+6jrquxowzPtirKEm5qEW9xC85fsrCj6kFp3YhhlRh9I4UtZ9DX7cM+FwVE71khE8
++hyZqjGT4aE9auxMI7+rk/xirEmNbIQhEwDVQhuSgSHLDC4P1ITPS8MPMasFLfdI
+crhpjA+N1Q2sSzB2/mlGvgTtvin+Plj7rDJawd69drm59y59Z19nfMYkRPxzXDS/
+kSYAOF42KrUMZf9+MP8hWiaeC1nM8iqz619NNF/WbBh583ujaFNbThgbJoPgTQLD
+fA3L8F13TU3zuXE=
+=L52Y
+-----END PGP SIGNATURE-----
diff --git a/openssl-3.changes b/openssl-3.changes
index 57b488f..3f4ac8e 100644
--- a/openssl-3.changes
+++ b/openssl-3.changes
@@ -1,3 +1,44 @@
+-------------------------------------------------------------------
+Fri Jul 17 08:34:45 UTC 2020 - Pedro Monreal Gonzalez
+
+- Update to 3.0.0 Alpha 5
+ * Deprecated the 'ENGINE' API. Engines should be replaced with
+ providers going forward.
+ * Reworked the recorded ERR codes to make better space for system errors.
+ To distinguish them, the macro 'ERR_SYSTEM_ERROR()' indicates
+ if the given code is a system error (true) or an OpenSSL error (false).
+ * Reworked the test perl framework to better allow parallel testing.
+ * Added ciphertext stealing algorithms AES-128-CBC-CTS, AES-192-CBC-CTS and
+ AES-256-CBC-CTS to the providers. CS1, CS2 and CS3 variants are supported.
+ * 'Configure' has been changed to figure out the configuration target if
+ none is given on the command line. Consequently, the 'config' script is
+ now only a mere wrapper. All documentation is changed to only mention
+ 'Configure'.
+ * Added a library context that applications as well as other libraries can use
+ to form a separate context within which libcrypto operations are performed.
+ - There are two ways this can be used:
+ 1) Directly, by passing a library context to functions that take
+ such an argument, such as 'EVP_CIPHER_fetch' and similar algorithm
+ fetching functions.
+ 2) Indirectly, by creating a new library context and then assigning
+ it as the new default, with 'OPENSSL_CTX_set0_default'.
+ - All public OpenSSL functions that take an 'OPENSSL_CTX' pointer,
+ apart from the functions directly related to 'OPENSSL_CTX', accept
+ NULL to indicate that the default library context should be used.
+ - Library code that changes the default library context using
+ 'OPENSSL_CTX_set0_default' should take care to restore it with a
+ second call before returning to the caller.
+ * The security strength of SHA1 and MD5 based signatures in TLS has been
+ reduced.
This results in SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 no longer
+ working at the default security level of 1 and instead requires security
+ level 0. The security level can be changed either using the cipher string
+ with @SECLEVEL, or calling SSL_CTX_set_security_level().
+ * The SSL option SSL_OP_CLEANSE_PLAINTEXT is introduced. If that option is
+ set, openssl cleanses (zeroize) plaintext bytes from internal buffers
+ after delivering them to the application. Note, the application is still
+ responsible for cleansing other copies (e.g.: data received by SSL_read(3)).
+- Update openssl-ppc64-config.patch
+
 -------------------------------------------------------------------
 Fri Jun 26 07:20:40 UTC 2020 - Vítězslav Čížek
diff --git a/openssl-3.spec b/openssl-3.spec
index a5557ba..ee7eddf 100644
--- a/openssl-3.spec
+++ b/openssl-3.spec
@@ -20,7 +20,7 @@
 %define sover 3
 %define _rname openssl
 %define vernum 3.0.0
-%define relnum alpha4
+%define relnum alpha5
 %define dash_version %{vernum}-%{relnum}
 Name: openssl-3
 # Don't forget to update the version in the "openssl" package!
@@ -199,7 +199,7 @@ cp %{SOURCE5} .
 %postun -n libopenssl3 -p /sbin/ldconfig
 %files -n libopenssl3
-%license LICENSE
+%license LICENSE.txt
 %{_libdir}/libssl.so.%{sover}
 %{_libdir}/libcrypto.so.%{sover}
 %{_libdir}/engines-%{sover}
diff --git a/openssl-ppc64-config.patch b/openssl-ppc64-config.patch
index 02724c0..1efc39d 100644
--- a/openssl-ppc64-config.patch
+++ b/openssl-ppc64-config.patch
@@ -1,18 +1,32 @@
-Index: openssl-1.1.1-pre3/config
+Index: openssl-3.0.0-alpha5/util/perl/OpenSSL/config.pm
 ===================================================================
---- openssl-1.1.1-pre3.orig/config 2018-03-20 15:24:38.037441210 +0100
-+++ openssl-1.1.1-pre3/config 2018-03-20 15:26:20.163043492 +0100
-@@ -552,12 +552,7 @@ case "$GUESSOS" in
- OUT="linux-ppc64"
- else
- OUT="linux-ppc"
-- if (echo "__LP64__" | gcc -E -x c - 2>/dev/null | grep "^__LP64__" 2>&1 > /dev/null); then
-- :;
-- else
-- __CNF_CFLAGS="$__CNF_CFLAGS -m32"
-- __CNF_CXXFLAGS="$__CNF_CXXFLAGS -m32"
-- fi
-+ (echo "__LP64__" | gcc -E -x c - 2>/dev/null | grep "^__LP64__" 2>&1 > /dev/null) || OUT="linux-ppc64"
- fi
- ;;
- ppc64le-*-linux2) OUT="linux-ppc64le" ;;
+--- openssl-3.0.0-alpha5.orig/util/perl/OpenSSL/config.pm
++++ openssl-3.0.0-alpha5/util/perl/OpenSSL/config.pm
+@@ -525,14 +525,19 @@ EOF
+ return { target => "linux-ppc64" } if $KERNEL_BITS eq '64';
+
+ my %config = ();
+- if (!okrun('echo __LP64__',
+- 'gcc -E -x c - 2>/dev/null',
+- 'grep "^__LP64__" 2>&1 >/dev/null') ) {
+- %config = ( cflags => [ '-m32' ],
+- cxxflags => [ '-m32' ] );
+- }
+- return { target => "linux-ppc",
+- %config };
++ # ##
++ # if (!okrun('echo __LP64__', 'gcc -E -x c - 2>/dev/null', 'grep "^__LP64__" 2>&1 >/dev/null') ) { %config = ( cflags => [ '-m32' ], cxxflags => [ '-m32' ] ); }
++ # return { target => "linux-ppc",
++ # %config };
++ # ##
++ if (okrun('echo __LP64__', 'gcc -E -x c - 2>/dev/null',
++ 'grep "^__LP64__" 2>&1 >/dev/null') )
++ {
++ return { target => "linux-ppc", %config };
++ } else {
++ return { target => "linux-ppc64", %config };
++ }
++ ##
+ }
+ ],
+ [ 'ppc64le-.*-linux2', { target => "linux-ppc64le" } ],
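Review bot: The new side of openssl-ppc64-config.patch carries the replaced upstream block along as commented-out code (the `# ##` … `# ##` lines, plus a stray `##` after the closing brace) inside config.pm; the patch itself already records those lines, so they should be dropped and the intent stated in one comment such as `# openSUSE: build the native 64-bit target instead of forcing -m32 when gcc defaults to LP64`. With the -m32 branch gone `%config` is always empty, so interpolating it into both return hashes (and keeping `my %config = ();`) is vestigial, and an `else` after an unconditional `return` is the pattern perlcritic flags; two postfix-conditional returns express the same choice. Assuming `okrun` reports the pipeline's exit status as the removed upstream `!okrun(...)` call implies, grep only sees a literal `__LP64__` when the preprocessor does not define it, so the new code picks linux-ppc for a 32-bit-default compiler and linux-ppc64 otherwise, consistent with the shell-script form of the patch being removed; the anonymous sub this inner hunk edits starts outside the hunk.
```perl
            return { target => "linux-ppc64" } if $KERNEL_BITS eq '64';

            # openSUSE: build the native 64-bit target instead of forcing -m32
            # when gcc defaults to LP64.  grep only sees a literal __LP64__
            # when the preprocessor does not define it (32-bit default).
            return { target => "linux-ppc" }
                if okrun('echo __LP64__', 'gcc -E -x c - 2>/dev/null',
                         'grep "^__LP64__" 2>&1 >/dev/null');
            return { target => "linux-ppc64" };
```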