Accepting request 1234617 from security:tls

OBS-URL: https://build.opensuse.org/request/show/1234617 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl-3?expand=0&rev=35
2025-01-05 14:27:00 +00:00 · 2025-01-05 14:27:00 +00:00 · 8853ae0bcf
commit 8853ae0bcf
parent b3fd9c08d5 b062a1d507
4 changed files with 43 additions and 11 deletions
--- a/openssl-3.changes
+++ b/openssl-3.changes
@ -1,3 +1,17 @@
 -------------------------------------------------------------------
 Mon Dec 23 20:14:08 UTC 2024 - Giuliano Belinassi <giuliano.belinassi@suse.com>
 - Add support for userspace livepatching on ppc64le (jsc#PED-11850).
 - Use gcc-13 for ppc64le.
 -------------------------------------------------------------------
 Tue Dec 17 12:42:19 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
 - Fix evp_properties section in the openssl.cnf file [bsc#1234647]
  * Rebase patches:
    - openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
    - openssl-TESTS-Disable-default-provider-crypto-policies.patch
 -------------------------------------------------------------------
 Tue Nov 12 15:46:20 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
--- a/openssl-3.spec
+++ b/openssl-3.spec
@ -1,7 +1,7 @@
 #
 # spec file for package openssl-3
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -146,13 +146,20 @@ Patch65:        openssl-3-fix-sha3-squeeze-ppc64.patch
 Patch66:        openssl-3-fix-quic_multistream_test.patch
 BuildRequires:  pkgconfig
-%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550
+
 # ulp-macros is available according to SUSE version.
 %ifarch x86_64
 %if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1540
 BuildRequires:  ulp-macros
 %else
 # Define ulp-macros macros as empty
 %define cflags_livepatching ""
 %define pack_ipa_dumps      echo "Livepatching is disabled in this build"
 %endif
 %endif
 %ifarch ppc64le
 %if 0%{?sle_version} >= 150700 || 0%{?suse_version} >= 1570
 BuildRequires:  gcc13
 BuildRequires:  ulp-macros
 %endif
 %endif
 BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(zlib)
 Requires:       libopenssl3 = %{version}-%{release}
@ -246,6 +253,14 @@ export MACHINE=armv5el
 export MACHINE=armv6l
 %endif
 # In ppc64le we need gcc-13 for userspace livepatching until we have the
 # required -fpatchable-functions-entry patch merged into the mainline
 %ifarch ppc64le
 %if 0%{?sle_version} >= 150700 || 0%{?suse_version} >= 1570
 export CC=gcc-13
 export CXX=g++-13
 %endif
 %endif
 ./Configure \
    enable-camellia \
 %ifarch x86_64 aarch64 ppc64le
@ -264,7 +279,7 @@ export MACHINE=armv6l
    --libdir=%{_lib} \
    --openssldir=%{ssletcdir} \
    %{optflags} \
-    %{cflags_livepatching} \
+    %{?cflags_livepatching} \
    -Wa,--noexecstack \
    -Wl,-z,relro,-z,now \
    -fno-common \
@ -324,7 +339,7 @@ gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{build
 LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers
 %install
-%{pack_ipa_dumps}
+%{?pack_ipa_dumps}
 %make_install %{?_smp_mflags} MANSUFFIX=%{man_suffix}
 rename so.%{sover} so.%{version} %{buildroot}%{_libdir}/*.so.%{sover}
--- a/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+++ b/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
@ -322,12 +322,13 @@ Index: openssl-3.2.3/apps/openssl.cnf
 ===================================================================
 --- openssl-3.2.3.orig/apps/openssl.cnf
 +++ openssl-3.2.3/apps/openssl.cnf
-@@ -52,6 +52,11 @@ tsa_policy3 = 1.2.3.4.5.7
+@@ -52,6 +52,12 @@ tsa_policy3 = 1.2.3.4.5.7
 [openssl_init]
 providers = provider_sect
 +# Load default TLS policy configuration
 +ssl_conf = ssl_module
 +alg_section = evp_properties
 +
 +[ evp_properties ]
 +# This section is intentionally added empty here to be tuned on particular systems
--- a/openssl-TESTS-Disable-default-provider-crypto-policies.patch
+++ b/openssl-TESTS-Disable-default-provider-crypto-policies.patch
@ -2,16 +2,18 @@ Index: openssl-3.2.3/apps/openssl.cnf
 ===================================================================
 --- openssl-3.2.3.orig/apps/openssl.cnf
 +++ openssl-3.2.3/apps/openssl.cnf
-@@ -45,7 +45,7 @@ tsa_policy3 = 1.2.3.4.5.7
+@@ -45,8 +45,8 @@ tsa_policy3 = 1.2.3.4.5.7
 [openssl_init]
 providers = provider_sect
 # Load default TLS policy configuration
 -ssl_conf = ssl_module
 -alg_section = evp_properties
 +##ssl_conf = ssl_module
 +##alg_section = evp_properties
 [ evp_properties ]
 # This section is intentionally added empty here to be tuned on particular systems
-@@ -60,20 +60,20 @@ ssl_conf = ssl_module
+@@ -61,20 +61,20 @@ alg_section = evp_properties
 # to side-channel attacks and as such have been deprecated.
 [provider_sect]