Accepting request 962003 from home:pmonrealgonzalez:branches:security:tls

- Update to 3.0.2: [bsc#1196877, CVE-2022-0778] * Security fix [CVE-2022-0778]: Infinite loop for non-prime moduli in BN_mod_sqrt() reachable when parsing certificates. * Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489) to the list of ciphersuites providing Perfect Forward Secrecy as required by SECLEVEL >= 3. * Made the AES constant time code for no-asm configurations optional due to the resulting 95% performance degradation. The AES constant time code can be enabled, for no assembly builds, with: ./config no-asm -DOPENSSL_AES_CONST_TIME * Fixed PEM_write_bio_PKCS8PrivateKey() to make it possible to use empty passphrase strings. * The negative return value handling of the certificate verification callback was reverted. The replacement is to set the verification retry state with the SSL_set_retry_verify() function. * Rebase openssl-use-versioned-config.patch - Keep CA_default and tsa_config1 default paths in openssl3.cnf - Rebase patches: * openssl-Override-default-paths-for-the-CA-directory-tree.patch * openssl-use-versioned-config.patch OBS-URL: https://build.opensuse.org/request/show/962003 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=38
2022-03-15 19:28:22 +00:00 · 2022-03-15 19:28:22 +00:00 · 2f2f23d69b
commit 2f2f23d69b
parent 82eca4c62a
8 changed files with 67 additions and 72 deletions
--- a/openssl-3.0.1.tar.gz
+++ b/openssl-3.0.1.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c311ad853353bce796edad01a862c50a8a587f62e7e2100ef465ab53ec9b06d1
-size 15011207
--- a/openssl-3.0.1.tar.gz.asc
+++ b/openssl-3.0.1.tar.gz.asc
@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmG4w10ACgkQ2cTSbQ5g
-RJFu/QgAqWC12aiVe7Ktr3Rhv9Ktee+7QwuGjDsB7LItm6oDX6abdRyfJZfRRVYL
-vAPa+HhISfVDZe5uQ/ZjKubLwnpfBxAmIXHjY5o4qnTtp6jz0owfw8eSsYjjp7iD
-3DfOI6ySVUWSLsG+rcEGrdh3iuYDqjnZ4/gyuY42xoHaYxhAbmz6tSIeB4eodXiU
-1CGMe+UfiKjIQ3WSyCRYrVHCUFdqir2vVy36enHdJ6diR8PHtbUX9txpjW6BqK73
-CdNJn92yx3XSUQhT6C//1tyj18oNhO7MBqEc/lsi9qzF4mCLCO0e52BAntKvLEJ5
-hIFVk6e5DK2qkfDGE/p60bJF9LOouA==
-=51AA
-----END PGP SIGNATURE-----
--- a/openssl-3.0.2.tar.gz
+++ b/openssl-3.0.2.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:98e91ccead4d4756ae3c9cde5e09191a8e586d9f4d50838e7ec09d6411dfdb63
+size 15038141
--- a/openssl-3.0.2.tar.gz.asc
+++ b/openssl-3.0.2.tar.gz.asc
@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmIwowMACgkQ2cTSbQ5g
+RJFDvAf/RVYnplRE1x9i/ejoJeTAO7YhibCRpnp+UzkpgMrDL1y9Rpw3ZJCYh9Fq
+HEotKmbuZvNGPgYUxSov00xnhKcpzTHKiZQA767rZpNL4F+g3SpOh06IB6tJzn1k
+dx9oqAmWgIeWLY4kRHXrqqFa95Zu9LNxJ04NuqaaWxeK0/fYl534sYW5DU6uug9u
+4NcBamvnPv1+4A3Ow6jdN96tb7O3HuJ14RvGPzgUx1FPv/zU6NE2fgTnVcBzaYIP
+5rfB1EQa3+1NTtej+uUQb0i0NxFpgggFMF+qCc5Yrl9i3o8Q+wnbaVw4bNURk9En
+gNgfw0J0TG14PgtkF/Q6he++BQoNYQ==
+=pMVy
+-----END PGP SIGNATURE-----
--- a/openssl-3.changes
+++ b/openssl-3.changes
@ -1,3 +1,32 @@
+-------------------------------------------------------------------
+Tue Mar 15 17:41:47 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
+
+- Update to 3.0.2: [bsc#1196877, CVE-2022-0778]
+  * Security fix [CVE-2022-0778]: Infinite loop for non-prime moduli
+    in BN_mod_sqrt() reachable when parsing certificates.
+  * Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK
+    (RFC 5489) to the list of ciphersuites providing Perfect Forward
+    Secrecy as required by SECLEVEL >= 3.
+  * Made the AES constant time code for no-asm configurations
+    optional due to the resulting 95% performance degradation.
+    The AES constant time code can be enabled, for no assembly
+    builds, with: ./config no-asm -DOPENSSL_AES_CONST_TIME
+  * Fixed PEM_write_bio_PKCS8PrivateKey() to make it possible to
+    use empty passphrase strings.
+  * The negative return value handling of the certificate
+    verification callback was reverted. The replacement is to set
+    the verification retry state with the SSL_set_retry_verify()
+    function.
+  * Rebase openssl-use-versioned-config.patch
+
+-------------------------------------------------------------------
+Tue Feb 22 18:46:13 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
+
+- Keep CA_default and tsa_config1 default paths in openssl3.cnf
+- Rebase patches:
+  * openssl-Override-default-paths-for-the-CA-directory-tree.patch
+  * openssl-use-versioned-config.patch
+
 -------------------------------------------------------------------
 Tue Feb  1 13:55:24 UTC 2022 - Danilo Spinella <danilo.spinella@suse.com>

--- a/openssl-3.spec
+++ b/openssl-3.spec
@ -1,7 +1,7 @@
 #
 # spec file for package openssl-3
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -21,7 +21,7 @@
 %define _rname  openssl
 Name:           openssl-3
 # Don't forget to update the version in the "openssl" package!
-Version:        3.0.1
+Version:        3.0.2
 Release:        0
 Summary:        Secure Sockets and Transport Layer Security
 License:        Apache-2.0
@ -52,7 +52,6 @@ BuildRequires:  pkgconfig
 # Add requires for ct_log_list.cnf{,.dist}
 Requires:       openssl

-
 %description
 OpenSSL is a software library to be used in applications that need to
 secure communications over computer networks against eavesdropping or
--- a/openssl-Override-default-paths-for-the-CA-directory-tree.patch
+++ b/openssl-Override-default-paths-for-the-CA-directory-tree.patch
@ -40,21 +40,3 @@ Index: openssl-3.0.1/apps/openssl.cnf
 
 ####################################################################
 [ ca ]
-@@ -79,7 +88,7 @@ default_ca	= CA_default		# The default c
- ####################################################################
- [ CA_default ]
- 
-dir		= ./demoCA		# Where everything is kept
-+dir		= /etc/pki/CA		# Where everything is kept
- certs		= $dir/certs		# Where the issued certs are kept
- crl_dir		= $dir/crl		# Where the issued crl are kept
- database	= $dir/index.txt	# database index file.
-@@ -309,7 +318,7 @@ default_tsa = tsa_config1	# the default
- [ tsa_config1 ]
- 
- # These are used by the TSA reply generation only.
-dir		= ./demoCA		# TSA root directory
-+dir		= /etc/pki/CA		# TSA root directory
- serial		= $dir/tsaserial	# The current serial number (mandatory)
- crypto_device	= builtin		# OpenSSL engine to use for signing
- signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
--- a/openssl-use-versioned-config.patch
+++ b/openssl-use-versioned-config.patch
@ -6,10 +6,10 @@ Subject: [PATCH] Updates the conf file to openssl11.cnf Resolves:

 Refactored for SUSE by Simon Lees sflees@suse.de

-Index: openssl-3.0.1/include/internal/cryptlib.h
+Index: openssl-3.0.2/include/internal/cryptlib.h
 ===================================================================
--- openssl-3.0.1.orig/include/internal/cryptlib.h
-+++ openssl-3.0.1/include/internal/cryptlib.h
+--- openssl-3.0.2.orig/include/internal/cryptlib.h
+++ openssl-3.0.2/include/internal/cryptlib.h
@@ -61,7 +61,7 @@ DEFINE_STACK_OF(EX_CALLBACK)
 typedef struct mem_st MEM;
 DEFINE_LHASH_OF(MEM);
@ -19,19 +19,10 @@ Index: openssl-3.0.1/include/internal/cryptlib.h
 
 # ifndef OPENSSL_SYS_VMS
 #  define X509_CERT_AREA          OPENSSLDIR
-Index: openssl-3.0.1/Configurations/unix-Makefile.tmpl
+Index: openssl-3.0.2/Configurations/unix-Makefile.tmpl
 ===================================================================
--- openssl-3.0.1.orig/Configurations/unix-Makefile.tmpl
-+++ openssl-3.0.1/Configurations/unix-Makefile.tmpl
-@@ -129,7 +129,7 @@ GENERATED_PODS={- # common0.tmpl provide
-                        fill_lines(" ", $COLUMNS - 15,
-                                   map { my $x = $_;
-                                         (
-                                          grep { 
-+                                          grep {
-                                                  $unified_info{attributes}->{depends}
-                                                  ->{$x}->{$_}->{pod} // 0
-                                                }
+--- openssl-3.0.2.orig/Configurations/unix-Makefile.tmpl
+++ openssl-3.0.2/Configurations/unix-Makefile.tmpl
@@ -675,14 +675,14 @@ install_ssldirs:
 			: {- output_on() if windowsdll(); "" -}; \
 		fi; \
@ -71,21 +62,21 @@ Index: openssl-3.0.1/Configurations/unix-Makefile.tmpl
 -link-utils: $(BLDDIR)/util/opensslwrap.sh $(BLDDIR)/apps/openssl.cnf
 +link-utils: $(BLDDIR)/util/opensslwrap.sh $(BLDDIR)/apps/openssl3.cnf
 
- $(BLDDIR)/util/opensslwrap.sh: configdata.pm
+ $(BLDDIR)/util/opensslwrap.sh: Makefile
 	@if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \
-@@ -1382,7 +1382,7 @@ $(BLDDIR)/util/opensslwrap.sh: configdat
+@@ -1382,7 +1382,7 @@ $(BLDDIR)/util/opensslwrap.sh: Makefile
 	    ln -sf "../$(SRCDIR)/util/`basename "$@"`" "$(BLDDIR)/util"; \
 	fi
 
-$(BLDDIR)/apps/openssl.cnf: configdata.pm
-+$(BLDDIR)/apps/openssl3.cnf: configdata.pm
+-$(BLDDIR)/apps/openssl.cnf: Makefile
+$(BLDDIR)/apps/openssl3.cnf: Makefile
 	@if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \
 	    mkdir -p "$(BLDDIR)/apps"; \
 	    ln -sf "../$(SRCDIR)/apps/`basename "$@"`" "$(BLDDIR)/apps"; \
-Index: openssl-3.0.1/Configure
+Index: openssl-3.0.2/Configure
 ===================================================================
--- openssl-3.0.1.orig/Configure
-+++ openssl-3.0.1/Configure
+--- openssl-3.0.2.orig/Configure
+++ openssl-3.0.2/Configure
@@ -56,7 +56,7 @@ EOF
 #               directories bin, lib, include, share/man, share/doc/openssl
 #               This becomes the value of INSTALLTOP in Makefile
@ -95,10 +86,10 @@ Index: openssl-3.0.1/Configure
 #               If it's a relative directory, it will be added on the directory
 #               given with --prefix.
 #               This becomes the value of OPENSSLDIR in Makefile and in C.
-Index: openssl-3.0.1/doc/HOWTO/certificates.txt
+Index: openssl-3.0.2/doc/HOWTO/certificates.txt
 ===================================================================
--- openssl-3.0.1.orig/doc/HOWTO/certificates.txt
-+++ openssl-3.0.1/doc/HOWTO/certificates.txt
+--- openssl-3.0.2.orig/doc/HOWTO/certificates.txt
+++ openssl-3.0.2/doc/HOWTO/certificates.txt
@@ -16,7 +16,7 @@ Certificate authorities should read http
 In all the cases shown below, the standard configuration file, as
 compiled into openssl, will be used.  You may find it in /etc/,
@ -108,10 +99,10 @@ Index: openssl-3.0.1/doc/HOWTO/certificates.txt
 You can specify a different configuration file using the
 '-config {file}' argument with the commands shown below.
 
-Index: openssl-3.0.1/doc/man3/OPENSSL_config.pod
+Index: openssl-3.0.2/doc/man3/OPENSSL_config.pod
 ===================================================================
--- openssl-3.0.1.orig/doc/man3/OPENSSL_config.pod
-+++ openssl-3.0.1/doc/man3/OPENSSL_config.pod
+--- openssl-3.0.2.orig/doc/man3/OPENSSL_config.pod
+++ openssl-3.0.2/doc/man3/OPENSSL_config.pod
@@ -17,7 +17,7 @@ see L<openssl_user_macros(7)>:
 
 =head1 DESCRIPTION
@ -121,16 +112,10 @@ Index: openssl-3.0.1/doc/man3/OPENSSL_config.pod
 reads from the application section B<appname>. If B<appname> is NULL then
 the default section, B<openssl_conf>, will be used.
 Errors are silently ignored.
-Index: openssl-3.0.1/INSTALL.md
+Index: openssl-3.0.2/INSTALL.md
 ===================================================================
--- openssl-3.0.1.orig/INSTALL.md
-+++ openssl-3.0.1/INSTALL.md
-@@ -1,4 +1,4 @@
-Build and Install
-+fBuild and Install
- =================
- 
- This document describes installation on all supported operating
+--- openssl-3.0.2.orig/INSTALL.md
+++ openssl-3.0.2/INSTALL.md
@@ -567,7 +567,7 @@ is an objective.
 
 ### no-autoload-config