Accepting request 1062222 from security:tls:unstable

- Relax the crypto-policies requirements for the regression tests

- Set OpenSSL 3.0.7 as the default openssl [bsc#1205042]
  * Rename openssl-1.1.0-no-html.patch to openssl-no-html-docs.patch
  * Rebase openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
  * Package a copy of the original default config file called
    openssl.cnf, name it openssl-orig.cnf and warn the user
    if the files differ.
  * Add openssl-3-devel as conflicting with libopenssl-1_1-devel
  * Remove patches:
    - fix-config-in-tests.patch
    - openssl-use-versioned-config.patch

- Create the openssl ca-certificates directory in case the
  ca-certificates package is not installed. This directory is
  required by the nodejs regression tests. [bsc#1207484]

- Compute the hmac files for FIPS 140-3 integrity checking of the
  openssl shared libraries using the brp-50-generate-fips-hmac
  script. Also computed for the 32bit package.

OBS-URL: https://build.opensuse.org/request/show/1062222
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=51
Pedro Monreal Gonzalez 2023-01-31 12:15:10 +00:00 committed by Git OBS Bridge
parent 0028006287
commit 9250deebcd
7 changed files with 200 additions and 255 deletions

@ -1,6 +1,10 @@
libopenssl3 libopenssl3
obsoletes "libopenssl1_1_0-<targettype>"
libopenssl3-hmac
requires "libopenssl3-<targettype> = <version>-%release"
libopenssl-3-devel libopenssl-3-devel
provides "libopenssl-devel-<targettype> = <version>" provides "libopenssl-devel-<targettype> = <version>"
conflicts "otherproviders(libopenssl-devel-<targettype>)" conflicts "otherproviders(libopenssl-devel-<targettype>)"
conflicts "libopenssl-1_1-devel-<targettype>"
requires -"openssl-3-<targettype>" requires -"openssl-3-<targettype>"
requires "libopenssl3-<targettype> = <version>" requires "libopenssl3-<targettype> = <version>"
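Review bot: the new libopenssl3-hmac baselibs entry carries no obsoletes for the former 32-bit hmac package, while the libopenssl3 entry right above it obsoletes "libopenssl1_1_0-<targettype>" and the spec in this same request adds Obsoletes: libopenssl1_1_0-hmac to the native libopenssl3-hmac subpackage. Add obsoletes "libopenssl1_1_0-hmac-<targettype>" under libopenssl3-hmac so the -32bit upgrade path matches the native one; otherwise an old libopenssl1_1_0-hmac-32bit stays installed next to the new package.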

@ -1,13 +0,0 @@
Index: openssl-3.0.1/test/run_tests.pl
===================================================================
--- openssl-3.0.1.orig/test/run_tests.pl
+++ openssl-3.0.1/test/run_tests.pl
@@ -33,7 +33,7 @@ my $recipesdir = catdir($srctop, "test",
my $libdir = rel2abs(catdir($srctop, "util", "perl"));
my $jobs = $ENV{HARNESS_JOBS} // 1;
-$ENV{OPENSSL_CONF} = rel2abs(catfile($srctop, "apps", "openssl.cnf"));
+$ENV{OPENSSL_CONF} = rel2abs(catfile($srctop, "apps", "openssl3.cnf"));
$ENV{OPENSSL_CONF_INCLUDE} = rel2abs(catdir($bldtop, "test"));
$ENV{OPENSSL_MODULES} = rel2abs(catdir($bldtop, "providers"));
$ENV{OPENSSL_ENGINES} = rel2abs(catdir($bldtop, "engines"));
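Review bot: the deletion is consistent with the rest of the request: the spec drops the Patch10: fix-config-in-tests.patch line and the changelog lists the file under removed patches, and once openssl-use-versioned-config.patch is gone the library default is openssl.cnf again, so the test harness no longer needs its OPENSSL_CONF pointed at apps/openssl3.cnf. Nothing to change here.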

@ -1,9 +1,42 @@
-------------------------------------------------------------------
Thu Jan 26 08:17:50 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
- Relax the crypto-policies requirements for the regression tests
-------------------------------------------------------------------
Wed Jan 25 11:09:52 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
- Set OpenSSL 3.0.7 as the default openssl [bsc#1205042]
* Rename openssl-1.1.0-no-html.patch to openssl-no-html-docs.patch
* Rebase openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
* Package a copy of the original default config file called
openssl.cnf and name it as openssl-orig.cnf and warn the user
if the files differ.
* Add openssl-3-devel as conflicting with libopenssl-1_1-devel
* Remove patches:
- fix-config-in-tests.patch
- openssl-use-versioned-config.patch
-------------------------------------------------------------------
Wed Jan 25 09:10:06 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
- Create the openssl ca-certificates directory in case the
ca-certificates package is not installed. This directory is
required by the nodejs regression tests. [bsc#1207484]
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Dec 14 16:38:05 UTC 2022 - Otto Hollmann <otto.hollmann@suse.com> Wed Dec 14 16:38:05 UTC 2022 - Otto Hollmann <otto.hollmann@suse.com>
- Fix X.509 Policy Constraints Double Locking [bsc#1206374, CVE-2022-3996] - Fix X.509 Policy Constraints Double Locking [bsc#1206374, CVE-2022-3996]
* Add patch: openssl-3-Fix-double-locking-problem.patch * Add patch: openssl-3-Fix-double-locking-problem.patch
-------------------------------------------------------------------
Wed Dec 14 12:40:04 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
- Compute the hmac files for FIPS 140-3 integrity checking of the
openssl shared libraries using the brp-50-generate-fips-hmac
script. Also computed for the 32bit package.
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Nov 1 18:29:41 UTC 2022 - Otto Hollmann <otto.hollmann@suse.com> Tue Nov 1 18:29:41 UTC 2022 - Otto Hollmann <otto.hollmann@suse.com>
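Review bot: the Wed Jan 25 entry leaves out several user-visible changes that the spec hunks in this request make: the main package gains Provides: ssl, Provides: openssl(cli), Conflicts: ssl and unversioned Obsoletes for openssl-1_0_0 and openssl-1_1_0; the devel subpackage loses Conflicts: ssl-devel and the exact-version Conflicts on libopenssl-devel; the config file installed to %{ssletcdir} is renamed from openssl3.cnf to openssl.cnf; and the ./config option set changes (no-idea removed, no-mdc2, no-sm2, no-sm4, enable-seed and enable-fips added). Each of these affects what a system ends up with after the upgrade, so please list them in this entry so the .changes file stays a faithful record of the package.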

@ -1,7 +1,7 @@
# #
# spec file for package openssl-3 # spec file for package openssl-3
# #
# Copyright (c) 2022 SUSE LLC # Copyright (c) 2023 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -18,9 +18,10 @@
%define ssletcdir %{_sysconfdir}/ssl %define ssletcdir %{_sysconfdir}/ssl
%define sover 3 %define sover 3
%define _rname openssl %define _rname openssl
%define man_suffix 3ssl
Name: openssl-3 Name: openssl-3
# Don't forget to update the version in the "openssl" package! # Don't forget to update the version in the "openssl" meta-package!
Version: 3.0.7 Version: 3.0.7
Release: 0 Release: 0
Summary: Secure Sockets and Transport Layer Security Summary: Secure Sockets and Transport Layer Security
@ -35,28 +36,32 @@ Source3: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz.asc
# http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA2D29B7BF295C759#/openssl.keyring # http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA2D29B7BF295C759#/openssl.keyring
Source4: %{_rname}.keyring Source4: %{_rname}.keyring
Source5: showciphers.c Source5: showciphers.c
# PATCH-FIX-OPENSUSE: do not install html mans as it takes ages # PATCH-FIX-OPENSUSE: Do not install html docs as it takes ages
Patch1: openssl-1.1.0-no-html.patch Patch1: openssl-no-html-docs.patch
Patch2: openssl-truststore.patch Patch2: openssl-truststore.patch
Patch3: openssl-pkgconfig.patch Patch3: openssl-pkgconfig.patch
Patch4: openssl-DEFAULT_SUSE_cipher.patch Patch4: openssl-DEFAULT_SUSE_cipher.patch
Patch5: openssl-ppc64-config.patch Patch5: openssl-ppc64-config.patch
Patch6: openssl-no-date.patch Patch6: openssl-no-date.patch
# Patches for crypto-policies # Add crypto-policies support
Patch7: openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch Patch7: openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
Patch8: openssl-Override-default-paths-for-the-CA-directory-tree.patch Patch8: openssl-Override-default-paths-for-the-CA-directory-tree.patch
# use openssl3.cnf
Patch9: openssl-use-versioned-config.patch
Patch10: fix-config-in-tests.patch
# PATCH-FIX-UPSTREAM bsc#1206374 CVE-2022-3996 X.509 Policy Constraints Double Locking # PATCH-FIX-UPSTREAM bsc#1206374 CVE-2022-3996 X.509 Policy Constraints Double Locking
Patch11: openssl-3-Fix-double-locking-problem.patch Patch9: openssl-3-Fix-double-locking-problem.patch
BuildRequires: pkgconfig BuildRequires: pkgconfig
BuildRequires: pkgconfig(zlib) BuildRequires: pkgconfig(zlib)
# Add requires for ct_log_list.cnf{,.dist} Requires: libopenssl3 = %{version}-%{release}
Requires: openssl Requires: openssl
Conflicts: ssl
Provides: ssl
Provides: openssl(cli)
%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
Requires: crypto-policies Requires: crypto-policies
%endif %endif
# Needed for clean upgrade path, boo#1070003
Obsoletes: openssl-1_0_0
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
Obsoletes: openssl-1_1_0
%description %description
OpenSSL is a software library to be used in applications that need to OpenSSL is a software library to be used in applications that need to
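Review bot: the new Obsoletes: openssl-1_0_0 and Obsoletes: openssl-1_1_0 and the new Provides: ssl are unversioned; rpmlint flags unversioned explicit Obsoletes and Provides, and an unversioned Obsoletes also swallows any future package that reuses the name, so pin them (for example Obsoletes: openssl-1_1_0 < %{version}) as the boo# comments already imply a one-time upgrade path. Also, Requires: openssl is kept on openssl-3 although this package now ships the openssl binary itself and the comment above Version: calls "openssl" a meta-package; if that meta-package requires openssl-3 in turn, the two form a dependency cycle that rpm tolerates but that deserves a comment explaining why the requirement stays.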
@ -70,6 +75,11 @@ Summary: Secure Sockets and Transport Layer Security
Requires: crypto-policies Requires: crypto-policies
%endif %endif
Recommends: ca-certificates-mozilla Recommends: ca-certificates-mozilla
# install libopenssl and libopenssl-hmac close together (bsc#1090765)
Suggests: libopenssl3-hmac = %{version}-%{release}
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
Obsoletes: libopenssl1_1_0
Conflicts: %{name} < %{version}-%{release}
%description -n libopenssl3 %description -n libopenssl3
OpenSSL is a software library to be used in applications that need to OpenSSL is a software library to be used in applications that need to
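Review bot: Suggests: libopenssl3-hmac is too weak for what the hmac subpackage description claims: zypper installs Recommends by default but not Suggests, so a FIPS-enabled system will not get the .hmac files unless the administrator asks for them explicitly. If the integrity files are required for FIPS operation, use Recommends: (or make the FIPS-mode tooling require the subpackage) and say so next to the bsc#1090765 comment. The same versioning remark as for the main package applies to the new unversioned Obsoletes: libopenssl1_1_0.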
@ -82,11 +92,13 @@ Summary: Development files for OpenSSL
Requires: libopenssl3 = %{version} Requires: libopenssl3 = %{version}
Requires: pkgconfig(zlib) Requires: pkgconfig(zlib)
Recommends: %{name} = %{version} Recommends: %{name} = %{version}
# We need to have around only the exact version we are able to operate with
Conflicts: libopenssl-devel < %{version}
Conflicts: libopenssl-devel > %{version}
Conflicts: libressl-devel Conflicts: libressl-devel
Conflicts: ssl-devel # Conflicting names with libopenssl-1_1-devel
Conflicts: libopenssl-1_1-devel
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
Obsoletes: libopenssl-1_1_0-devel
# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
Obsoletes: libopenssl-1_0_0-devel
%description -n libopenssl-3-devel %description -n libopenssl-3-devel
This subpackage contains header files for developing applications This subpackage contains header files for developing applications
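Review bot: Conflicts: ssl-devel is dropped in this hunk without being mentioned anywhere, together with the exact-version Conflicts: libopenssl-devel < %{version} and > %{version}; the changelog only records the new conflict with libopenssl-1_1-devel. The removed exact-version lines were what kept any other libopenssl-devel provider off the system, whereas the new Conflicts: libopenssl-1_1-devel only covers the 1.1 provider (the baselibs otherproviders() conflict applies to the 32-bit package only). Confirm the removal is intended, record it in .changes, and version the two new Obsoletes: lines.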
@ -103,6 +115,20 @@ BuildArch: noarch
This package contains optional documentation provided in addition to This package contains optional documentation provided in addition to
this package's base documentation. this package's base documentation.
%package -n libopenssl3-hmac
Summary: HMAC files for FIPS 140-3 integrity checking of the openssl shared libraries
License: BSD-3-Clause
Requires: libopenssl3 = %{version}-%{release}
BuildRequires: fipscheck
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
Obsoletes: libopenssl1_1_0-hmac
# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
Obsoletes: libopenssl-1_0_0-hmac
%description -n libopenssl3-hmac
The FIPS compliant operation of the openssl shared libraries is NOT
possible without the HMAC hashes contained in this package!
%prep %prep
%autosetup -p1 -n %{_rname}-%{version} %autosetup -p1 -n %{_rname}-%{version}
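Review bot: BuildRequires: fipscheck is placed inside the %package -n libopenssl3-hmac stanza; BuildRequires are global to the spec wherever they appear, so a reader scanning the build dependencies at the top of the file will miss it. Move it next to BuildRequires: pkgconfig(zlib). A style point on the new %description: the capitalised NOT and the trailing exclamation mark read oddly in package listings; a plain sentence stating that FIPS-mode operation requires the HMAC files from this package is enough.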
@ -115,13 +141,12 @@ export MACHINE=armv6l
%endif %endif
./config \ ./config \
no-idea \ no-mdc2 no-ec2m no-sm2 no-sm4 \
no-ec2m \ enable-rfc3779 enable-camellia enable-seed \
enable-rfc3779 \
%ifarch x86_64 aarch64 ppc64le %ifarch x86_64 aarch64 ppc64le
enable-ec_nistp_64_gcc_128 \ enable-ec_nistp_64_gcc_128 \
%endif %endif
enable-camellia \ enable-fips \
zlib \ zlib \
--prefix=%{_prefix} \ --prefix=%{_prefix} \
--libdir=%{_lib} \ --libdir=%{_lib} \
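Review bot: this hunk changes the set of algorithms the library is built with and none of it is recorded in the changelog: no-idea is dropped so IDEA is now compiled in, enable-seed adds SEED, no-mdc2/no-sm2/no-sm4 remove MDC2 and the SM2/SM4 algorithms, and enable-fips builds the FIPS provider that the new %files section packages as %{_libdir}/ossl-modules/fips.so. Adding or removing algorithms is a compatibility change for applications that negotiate them, so each flag deserves a line in the .changes entry, and no-sm2/no-sm4 in particular should come with a stated reason.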
@ -142,110 +167,133 @@ export MACHINE=armv6l
# Show build configuration # Show build configuration
perl configdata.pm --dump perl configdata.pm --dump
# Do not run this in a production package the FIPS symbols must be patched-in
# util/mkdef.pl crypto update # util/mkdef.pl crypto update
%make_build depend %make_build depend
%make_build all %make_build all
%check %check
# Relax the crypto-policies requirements for the regression tests
# We must revert patch8 before running tests, otherwise they will fail. # Revert patch8 before running tests
patch -p1 -R < %{P:8} patch -p1 -R < %{P:8}
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
export MALLOC_CHECK_=3 export MALLOC_CHECK_=3
export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
# export HARNESS_VERBOSE=yes # export HARNESS_VERBOSE=yes
LD_LIBRARY_PATH="$PWD" make TESTS='-test_evp_fetch_prov -test_tsa -test_ssl_new -test_sslapi' test -j1 LD_LIBRARY_PATH="$PWD" make test -j16
# show ciphers # show ciphers
gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{buildroot}%{_libdir} -lssl -lcrypto gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{buildroot}%{_libdir} -lssl -lcrypto
LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers
%install %install
%make_install %{?_smp_mflags} %make_install %{?_smp_mflags} MANSUFFIX=%{man_suffix}
# Kill static libs rename so.%{sover} so.%{version} %{buildroot}%{_libdir}/*.so.%{sover}
for lib in %{buildroot}%{_libdir}/*.so.%{version} ; do
chmod 755 ${lib}
ln -sf $(basename ${lib}) %{buildroot}%{_libdir}/$(basename ${lib} .%{version})
ln -sf $(basename ${lib}) %{buildroot}%{_libdir}/$(basename ${lib} .%{version}).%{sover}
done
# Remove static libraries
rm -f %{buildroot}%{_libdir}/lib*.a rm -f %{buildroot}%{_libdir}/lib*.a
# Remove the cnf.dist # Remove the cnf.dist
rm -f %{buildroot}%{_sysconfdir}/ssl/openssl3.cnf.dist rm -f %{buildroot}%{ssletcdir}/openssl.cnf.dist
mkdir %{buildroot}/%{_datadir}/ssl-3 rm -f %{buildroot}%{ssletcdir}/ct_log_list.cnf.dist
mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl-3/
# Make a copy of the default openssl.cnf file
cp %{buildroot}%{ssletcdir}/openssl.cnf %{buildroot}%{ssletcdir}/openssl-orig.cnf
# Create openssl ca-certificates dir required by nodejs regression tests [bsc#1207484]
mkdir -p %{buildroot}/var/lib/ca-certificates/openssl
install -d -m 555 %{buildroot}/var/lib/ca-certificates/openssl
# Remove the fipsmodule.cnf because FIPS module is loaded automatically
rm -f %{buildroot}%{ssletcdir}/fipsmodule.cnf
ln -sf ./%{_rname} %{buildroot}/%{_includedir}/ssl ln -sf ./%{_rname} %{buildroot}/%{_includedir}/ssl
mkdir %{buildroot}/%{_datadir}/ssl mkdir %{buildroot}/%{_datadir}/ssl
# Rename binary mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl/
mv %{buildroot}%{_bindir}/%{_rname} %{buildroot}%{_bindir}/%{name}
# Avoid file conflicts with man pages from other packages # Avoid file conflicts with man pages from other packages
pushd %{buildroot}/%{_mandir} pushd %{buildroot}/%{_mandir}
find . -type f -exec chmod 644 {} + find . -type f -exec chmod 644 {} +
# Some man pages now contain spaces. This makes several mv man5/config.5%{man_suffix} man5/openssl.cnf.5
# scripts go havoc, among them /usr/sbin/Check.
# Replace spaces by underscores
# for i in man?/*\ *; do mv -v "$i" "${i// /_}"; done
touch $OLDPWD/filelist.doc $OLDPWD/filelist
which readlink &>/dev/null || function readlink { ( set +x; target=$(file $1 2>/dev/null); target=${target//* }; test -f $target && echo $target; ) }
for i in man?/*; do
if test -L $i ; then
LDEST=`readlink $i`
rm -f $i ${i}ssl
ln -sf ${LDEST}ssl-3 ${i}ssl-3
else
mv $i ${i}ssl-3
fi
case "$i" in
*.1)
# These are the pages mentioned in openssl(1). They go into the main package.
echo %doc %{_mandir}/${i}ssl-3%{?ext_man} >> $OLDPWD/filelist;;
*)
# The rest goes into the openssl-doc package.
echo %doc %{_mandir}/${i}ssl-3%{?ext_man} >> $OLDPWD/filelist.doc;;
esac
done
popd popd
mv %{buildroot}%{_bindir}/c_rehash %{buildroot}%{_bindir}/c_rehash-3
# They are provided by openssl package
rm %{buildroot}%{ssletcdir}/ct_log_list.cnf*
# Do not install demo scripts executable under /usr/share/doc # Do not install demo scripts executable under /usr/share/doc
find demos -type f -perm /111 -exec chmod 644 {} + find demos -type f -perm /111 -exec chmod 644 {} +
# Place showciphers.c for %%doc macro # Place showciphers.c for %%doc macro
cp %{SOURCE5} . cp %{SOURCE5} .
# Compute the FIPS hmac using the brp-50-generate-fips-hmac script
export BRP_FIPSHMAC_FILES="%{buildroot}%{_libdir}/libssl.so.%{sover} %{buildroot}%{_libdir}/libcrypto.so.%{sover}"
%post -p "/bin/bash"
if [ "$1" -gt 1 ] ; then
# Check if the packaged default config file for openssl-3, called openssl.cnf,
# is the original or if it has been modified and alert the user in that case
# that a copy of the original file openssl-orig.cnf can be used if needed.
cmp --silent %{ssletcdir}/openssl.cnf %{ssletcdir}/openssl-orig.cnf 2>/dev/null
if [ "$?" -eq 1 ] ; then
echo -e " The openssl-3 default config file openssl.cnf is different from" ;
echo -e " the original one shipped by the package. A copy of the original" ;
echo -e " file is packaged and named as openssl-orig.cnf if needed."
fi
fi
%post -n libopenssl3 -p /sbin/ldconfig %post -n libopenssl3 -p /sbin/ldconfig
%postun -n libopenssl3 -p /sbin/ldconfig %postun -n libopenssl3 -p /sbin/ldconfig
%files -n libopenssl3 %files -n libopenssl3
%license LICENSE.txt %license LICENSE.txt
%attr(0755,root,root) %{_libdir}/libssl.so.%{version}
%{_libdir}/libssl.so.%{sover} %{_libdir}/libssl.so.%{sover}
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version}
%{_libdir}/libcrypto.so.%{sover} %{_libdir}/libcrypto.so.%{sover}
%{_libdir}/engines-%{sover} %{_libdir}/engines-%{sover}
%dir %{_libdir}/ossl-modules %dir %{_libdir}/ossl-modules
#%%{_libdir}/ossl-modules/fips.so %{_libdir}/ossl-modules/fips.so
%{_libdir}/ossl-modules/legacy.so %{_libdir}/ossl-modules/legacy.so
%files -n libopenssl3-hmac
%{_libdir}/.libssl.so.%{sover}.hmac
%{_libdir}/.libcrypto.so.%{sover}.hmac
%files -n libopenssl-3-devel %files -n libopenssl-3-devel
%doc NOTES*.md CONTRIBUTING.md HACKING.md AUTHORS.md ACKNOWLEDGEMENTS.md
%{_includedir}/%{_rname}/ %{_includedir}/%{_rname}/
%{_includedir}/ssl %{_includedir}/ssl
%{_libdir}/libssl.so %{_libdir}/*.so
%{_libdir}/libcrypto.so %{_libdir}/pkgconfig/*.pc
%{_libdir}/pkgconfig/libcrypto.pc %{_mandir}/man3/*
%{_libdir}/pkgconfig/libssl.pc
%{_libdir}/pkgconfig/openssl.pc
%files doc -f filelist.doc %files doc
%doc doc/* demos %doc README.md
%doc doc/html/* doc/HOWTO/* demos
%doc showciphers.c %doc showciphers.c
%files -f filelist %files
%doc CHANGE* %license LICENSE.txt
%doc CHANGES.md NEWS.md FAQ.md README.md
%dir %{ssletcdir} %dir %{ssletcdir}
%config (noreplace) %{ssletcdir}/openssl3.cnf %config %{ssletcdir}/openssl-orig.cnf
%config (noreplace) %{ssletcdir}/openssl.cnf
%config (noreplace) %{ssletcdir}/ct_log_list.cnf
%attr(700,root,root) %{ssletcdir}/private %attr(700,root,root) %{ssletcdir}/private
%dir %{_datadir}/ssl
%dir %{_datadir}/ssl-3 %{_datadir}/ssl/misc
%{_datadir}/ssl-3/misc %dir /var/lib/ca-certificates/
%{_bindir}/c_rehash-3 %dir /var/lib/ca-certificates/openssl
%{_bindir}/%{name} %{_bindir}/%{_rname}
%{_bindir}/c_rehash
%{_mandir}/man1/*
%{_mandir}/man5/*
%{_mandir}/man7/*
%changelog %changelog
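Review bot: the FIPS integrity coverage in this hunk looks incomplete: BRP_FIPSHMAC_FILES lists only libssl.so.%{sover} and libcrypto.so.%{sover}, the hmac subpackage ships only .libssl.so.3.hmac and .libcrypto.so.3.hmac, yet fips.so is now packaged and fipsmodule.cnf, which normally carries the provider's own module MAC, is deleted with the comment that the module is loaded automatically. Please state how fips.so is integrity-checked at load time under this arrangement, or add it to BRP_FIPSHMAC_FILES. Smaller points: make test -j16 hardcodes the job count while the %install line uses %{?_smp_mflags}; mkdir -p followed by install -d -m 555 on the same /var/lib/ca-certificates/openssl directory is redundant since install -d creates it; %dir /var/lib/ca-certificates/ is now co-owned with the ca-certificates package, so its mode and owner must match what that package sets; and the %post comparison prints its warning on every upgrade once openssl.cnf has been edited, so consider printing it only when openssl-orig.cnf itself changed in the update.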

@ -15,10 +15,10 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist
util/libcrypto.num | 1 + util/libcrypto.num | 1 +
8 files changed, 110 insertions(+), 14 deletions(-) 8 files changed, 110 insertions(+), 14 deletions(-)
Index: openssl-3.0.5/Configurations/unix-Makefile.tmpl Index: openssl-3.0.7/Configurations/unix-Makefile.tmpl
=================================================================== ===================================================================
--- openssl-3.0.5.orig/Configurations/unix-Makefile.tmpl --- openssl-3.0.7.orig/Configurations/unix-Makefile.tmpl
+++ openssl-3.0.5/Configurations/unix-Makefile.tmpl +++ openssl-3.0.7/Configurations/unix-Makefile.tmpl
@@ -315,6 +315,10 @@ MANDIR=$(INSTALLTOP)/share/man @@ -315,6 +315,10 @@ MANDIR=$(INSTALLTOP)/share/man
DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME) DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
HTMLDIR=$(DOCDIR)/html HTMLDIR=$(DOCDIR)/html
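Review bot: this hunk, like the rest of the rebase below, only moves the Index:, --- and +++ headers from openssl-3.0.5 to openssl-3.0.7 and shifts the hunk offsets in ssl_ciph.c, ssl_lib.c and Configure by a couple of lines; the patch body (the --system-ciphers-file Configure option, the PROFILE=SYSTEM handling in ssl_create_cipher_list and the ossl_safe_getenv export in libcrypto.num) is unchanged. Nothing to change.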
@ -38,10 +38,10 @@ Index: openssl-3.0.5/Configurations/unix-Makefile.tmpl
(map { "-I".$_} @{$config{CPPINCLUDES}}), (map { "-I".$_} @{$config{CPPINCLUDES}}),
@{$config{CPPFLAGS}}) -} @{$config{CPPFLAGS}}) -}
CFLAGS={- join(' ', @{$config{CFLAGS}}) -} CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
Index: openssl-3.0.5/doc/man1/openssl-ciphers.pod.in Index: openssl-3.0.7/doc/man1/openssl-ciphers.pod.in
=================================================================== ===================================================================
--- openssl-3.0.5.orig/doc/man1/openssl-ciphers.pod.in --- openssl-3.0.7.orig/doc/man1/openssl-ciphers.pod.in
+++ openssl-3.0.5/doc/man1/openssl-ciphers.pod.in +++ openssl-3.0.7/doc/man1/openssl-ciphers.pod.in
@@ -186,6 +186,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s @@ -186,6 +186,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
The cipher suites not enabled by B<ALL>, currently B<eNULL>. The cipher suites not enabled by B<ALL>, currently B<eNULL>.
@ -58,10 +58,10 @@ Index: openssl-3.0.5/doc/man1/openssl-ciphers.pod.in
=item B<HIGH> =item B<HIGH>
"High" encryption cipher suites. This currently means those with key lengths "High" encryption cipher suites. This currently means those with key lengths
Index: openssl-3.0.5/include/openssl/ssl.h.in Index: openssl-3.0.7/include/openssl/ssl.h.in
=================================================================== ===================================================================
--- openssl-3.0.5.orig/include/openssl/ssl.h.in --- openssl-3.0.7.orig/include/openssl/ssl.h.in
+++ openssl-3.0.5/include/openssl/ssl.h.in +++ openssl-3.0.7/include/openssl/ssl.h.in
@@ -210,6 +210,11 @@ extern "C" { @@ -210,6 +210,11 @@ extern "C" {
* throwing out anonymous and unencrypted ciphersuites! (The latter are not * throwing out anonymous and unencrypted ciphersuites! (The latter are not
* actually enabled by ALL, but "ALL:RSA" would enable some of them.) * actually enabled by ALL, but "ALL:RSA" would enable some of them.)
@ -74,11 +74,11 @@ Index: openssl-3.0.5/include/openssl/ssl.h.in
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
# define SSL_SENT_SHUTDOWN 1 # define SSL_SENT_SHUTDOWN 1
Index: openssl-3.0.5/ssl/ssl_ciph.c Index: openssl-3.0.7/ssl/ssl_ciph.c
=================================================================== ===================================================================
--- openssl-3.0.5.orig/ssl/ssl_ciph.c --- openssl-3.0.7.orig/ssl/ssl_ciph.c
+++ openssl-3.0.5/ssl/ssl_ciph.c +++ openssl-3.0.7/ssl/ssl_ciph.c
@@ -1436,6 +1436,53 @@ int SSL_set_ciphersuites(SSL *s, const c @@ -1438,6 +1438,53 @@ int SSL_set_ciphersuites(SSL *s, const c
return ret; return ret;
} }
@ -132,7 +132,7 @@ Index: openssl-3.0.5/ssl/ssl_ciph.c
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
STACK_OF(SSL_CIPHER) *tls13_ciphersuites, STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
STACK_OF(SSL_CIPHER) **cipher_list, STACK_OF(SSL_CIPHER) **cipher_list,
@@ -1450,15 +1497,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ @@ -1452,15 +1499,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
const SSL_CIPHER **ca_list = NULL; const SSL_CIPHER **ca_list = NULL;
const SSL_METHOD *ssl_method = ctx->method; const SSL_METHOD *ssl_method = ctx->method;
@ -160,7 +160,7 @@ Index: openssl-3.0.5/ssl/ssl_ciph.c
/* /*
* To reduce the work to do we only want to process the compiled * To reduce the work to do we only want to process the compiled
@@ -1480,7 +1537,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ @@ -1482,7 +1539,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers); co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
if (co_list == NULL) { if (co_list == NULL) {
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
@ -169,7 +169,7 @@ Index: openssl-3.0.5/ssl/ssl_ciph.c
} }
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
@@ -1546,8 +1603,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ @@ -1548,8 +1605,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
* in force within each class * in force within each class
*/ */
if (!ssl_cipher_strength_sort(&head, &tail)) { if (!ssl_cipher_strength_sort(&head, &tail)) {
@ -179,7 +179,7 @@ Index: openssl-3.0.5/ssl/ssl_ciph.c
} }
/* /*
@@ -1591,9 +1647,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ @@ -1593,9 +1649,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max); ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
if (ca_list == NULL) { if (ca_list == NULL) {
@ -190,7 +190,7 @@ Index: openssl-3.0.5/ssl/ssl_ciph.c
} }
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
disabled_mkey, disabled_auth, disabled_enc, disabled_mkey, disabled_auth, disabled_enc,
@@ -1626,8 +1681,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ @@ -1628,8 +1683,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
OPENSSL_free(ca_list); /* Not needed anymore */ OPENSSL_free(ca_list); /* Not needed anymore */
if (!ok) { /* Rule processing failure */ if (!ok) { /* Rule processing failure */
@ -200,7 +200,7 @@ Index: openssl-3.0.5/ssl/ssl_ciph.c
} }
/* /*
@@ -1635,10 +1689,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ @@ -1637,10 +1691,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
* if we cannot get one. * if we cannot get one.
*/ */
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) { if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
@ -216,7 +216,7 @@ Index: openssl-3.0.5/ssl/ssl_ciph.c
/* Add TLSv1.3 ciphers first - we always prefer those if possible */ /* Add TLSv1.3 ciphers first - we always prefer those if possible */
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) { for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i); const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
@@ -1690,6 +1747,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ @@ -1692,6 +1749,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
*cipher_list = cipherstack; *cipher_list = cipherstack;
return cipherstack; return cipherstack;
@ -231,10 +231,10 @@ Index: openssl-3.0.5/ssl/ssl_ciph.c
} }
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
Index: openssl-3.0.5/ssl/ssl_lib.c Index: openssl-3.0.7/ssl/ssl_lib.c
=================================================================== ===================================================================
--- openssl-3.0.5.orig/ssl/ssl_lib.c --- openssl-3.0.7.orig/ssl/ssl_lib.c
+++ openssl-3.0.5/ssl/ssl_lib.c +++ openssl-3.0.7/ssl/ssl_lib.c
@@ -660,7 +660,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx @@ -660,7 +660,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
ctx->tls13_ciphersuites, ctx->tls13_ciphersuites,
&(ctx->cipher_list), &(ctx->cipher_list),
@ -244,7 +244,7 @@ Index: openssl-3.0.5/ssl/ssl_lib.c
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
return 0; return 0;
@@ -3271,7 +3271,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li @@ -3285,7 +3285,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li
if (!ssl_create_cipher_list(ret, if (!ssl_create_cipher_list(ret,
ret->tls13_ciphersuites, ret->tls13_ciphersuites,
&ret->cipher_list, &ret->cipher_list_by_id, &ret->cipher_list, &ret->cipher_list_by_id,
@ -253,10 +253,10 @@ Index: openssl-3.0.5/ssl/ssl_lib.c
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS); ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
goto err2; goto err2;
Index: openssl-3.0.5/test/cipherlist_test.c Index: openssl-3.0.7/test/cipherlist_test.c
=================================================================== ===================================================================
--- openssl-3.0.5.orig/test/cipherlist_test.c --- openssl-3.0.7.orig/test/cipherlist_test.c
+++ openssl-3.0.5/test/cipherlist_test.c +++ openssl-3.0.7/test/cipherlist_test.c
@@ -246,7 +246,9 @@ end: @@ -246,7 +246,9 @@ end:
int setup_tests(void) int setup_tests(void)
@ -267,20 +267,20 @@ Index: openssl-3.0.5/test/cipherlist_test.c
ADD_TEST(test_default_cipherlist_explicit); ADD_TEST(test_default_cipherlist_explicit);
ADD_TEST(test_default_cipherlist_clear); ADD_TEST(test_default_cipherlist_clear);
return 1; return 1;
Index: openssl-3.0.5/util/libcrypto.num Index: openssl-3.0.7/util/libcrypto.num
=================================================================== ===================================================================
--- openssl-3.0.5.orig/util/libcrypto.num --- openssl-3.0.7.orig/util/libcrypto.num
+++ openssl-3.0.5/util/libcrypto.num +++ openssl-3.0.7/util/libcrypto.num
@@ -5427,3 +5427,4 @@ EVP_PKEY_get0_provider @@ -5427,3 +5427,4 @@ EVP_PKEY_get0_provider
EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION: EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION:
OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION: OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION:
OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION: OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION:
+ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION: +ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
Index: openssl-3.0.5/Configure Index: openssl-3.0.7/Configure
=================================================================== ===================================================================
--- openssl-3.0.5.orig/Configure --- openssl-3.0.7.orig/Configure
+++ openssl-3.0.5/Configure +++ openssl-3.0.7/Configure
@@ -28,7 +28,7 @@ use OpenSSL::config; @@ -27,7 +27,7 @@ use OpenSSL::config;
my $orig_death_handler = $SIG{__DIE__}; my $orig_death_handler = $SIG{__DIE__};
$SIG{__DIE__} = \&death_handler; $SIG{__DIE__} = \&death_handler;
@ -289,7 +289,7 @@ Index: openssl-3.0.5/Configure
my $banner = <<"EOF"; my $banner = <<"EOF";
@@ -62,6 +62,10 @@ EOF @@ -61,6 +61,10 @@ EOF
# given with --prefix. # given with --prefix.
# This becomes the value of OPENSSLDIR in Makefile and in C. # This becomes the value of OPENSSLDIR in Makefile and in C.
# (Default: PREFIX/ssl) # (Default: PREFIX/ssl)
@ -300,7 +300,7 @@ Index: openssl-3.0.5/Configure
# --banner=".." Output specified text instead of default completion banner # --banner=".." Output specified text instead of default completion banner
# #
# -w Don't wait after showing a Configure warning # -w Don't wait after showing a Configure warning
@@ -388,6 +392,7 @@ $config{prefix}=""; @@ -387,6 +391,7 @@ $config{prefix}="";
$config{openssldir}=""; $config{openssldir}="";
$config{processor}=""; $config{processor}="";
$config{libdir}=""; $config{libdir}="";
@ -308,14 +308,14 @@ Index: openssl-3.0.5/Configure
my $auto_threads=1; # enable threads automatically? true by default my $auto_threads=1; # enable threads automatically? true by default
my $default_ranlib; my $default_ranlib;
@@ -990,6 +995,10 @@ while (@argvcopy) @@ -989,6 +994,10 @@ while (@argvcopy)
die "FIPS key too long (64 bytes max)\n" die "FIPS key too long (64 bytes max)\n"
if length $1 > 64; if length $1 > 64;
} }
+ elsif (/^--system-ciphers-file=(.*)$/) + elsif (/^--system-ciphers-file=(.*)$/)
+ { + {
+ $config{system_ciphers_file}=$1; + $config{system_ciphers_file}=$1;
+ } + }
elsif (/^--banner=(.*)$/) elsif (/^--banner=(.*)$/)
{ {
$banner = $1 . "\n"; $banner = $1 . "\n";

@ -1,127 +0,0 @@
From 300d2b56166aee85d9ce4c1275da1ad79c876e31 Mon Sep 17 00:00:00 2001
From: Sahana Prasad <sahana@redhat.com>
Date: Tue, 5 Oct 2021 12:10:42 +0200
Subject: [PATCH] Updates the conf file to openssl11.cnf Resolves:
rhbz#1947584, rhbz#2003123 Signed-off-by: Sahana Prasad <sahana@redhat.com>
Refactored for SUSE by Simon Lees sflees@suse.de
Index: openssl-3.0.2/include/internal/cryptlib.h
===================================================================
--- openssl-3.0.2.orig/include/internal/cryptlib.h
+++ openssl-3.0.2/include/internal/cryptlib.h
@@ -61,7 +61,7 @@ DEFINE_STACK_OF(EX_CALLBACK)
typedef struct mem_st MEM;
DEFINE_LHASH_OF(MEM);
-# define OPENSSL_CONF "openssl.cnf"
+# define OPENSSL_CONF "openssl3.cnf"
# ifndef OPENSSL_SYS_VMS
# define X509_CERT_AREA OPENSSLDIR
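Review bot: this is the hunk that changes runtime behaviour rather than documentation: `OPENSSL_CONF` is the file name the library loads by default from OPENSSLDIR, so removing this patch means the library goes back to reading `openssl.cnf` and an `openssl3.cnf` that an administrator customised in that directory is silently no longer consulted, with the shipped defaults (including any cipher restrictions that lived in the custom file) applying instead. The removal should be called out in the package changelog so such files get migrated to `openssl.cnf`.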
Index: openssl-3.0.2/Configurations/unix-Makefile.tmpl
===================================================================
--- openssl-3.0.2.orig/Configurations/unix-Makefile.tmpl
+++ openssl-3.0.2/Configurations/unix-Makefile.tmpl
@@ -675,14 +675,14 @@ install_ssldirs:
: {- output_on() if windowsdll(); "" -}; \
fi; \
done
- @$(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist"
- @cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new
- @chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new
- @mv -f $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist
- @if [ ! -f "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf" ]; then \
- $(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \
- cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl.cnf; \
- chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf; \
+ @$(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.dist"
+ @cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.new
+ @chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.new
+ @mv -f $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.new $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.dist
+ @if [ ! -f "$(DESTDIR)$(OPENSSLDIR)/openssl3.cnf" ]; then \
+ $(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf"; \
+ cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf; \
+ chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf; \
fi
@$(ECHO) "install $(SRCDIR)/apps/ct_log_list.cnf -> $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.dist"
@cp $(SRCDIR)/apps/ct_log_list.cnf $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new
@@ -1136,7 +1136,7 @@ lint:
generate_apps:
( cd $(SRCDIR); $(PERL) VMS/VMSify-conf.pl \
- < apps/openssl.cnf > apps/openssl-vms.cnf )
+ < apps/openssl3.cnf > apps/openssl-vms.cnf )
generate_crypto_bn:
( cd $(SRCDIR); $(PERL) crypto/bn/bn_prime.pl > crypto/bn/bn_prime.h )
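Review bot: `generate_apps` now reads `apps/openssl3.cnf`, but nothing in this patch creates that file in the source tree; the `install_ssldirs` hunk above still copies `$(SRCDIR)/apps/openssl.cnf` and only renames the installed copy. On a tree with just `apps/openssl.cnf`, the `< apps/openssl3.cnf` redirect fails. The rename was meant for the installed file only, so this line should have stayed at `apps/openssl.cnf`; dropping the patch also retires this inconsistency.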
@@ -1374,7 +1374,7 @@ tar:
# Helper targets #####################################################
-link-utils: $(BLDDIR)/util/opensslwrap.sh $(BLDDIR)/apps/openssl.cnf
+link-utils: $(BLDDIR)/util/opensslwrap.sh $(BLDDIR)/apps/openssl3.cnf
$(BLDDIR)/util/opensslwrap.sh: Makefile
@if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \
@@ -1382,7 +1382,7 @@ $(BLDDIR)/util/opensslwrap.sh: Makefile
ln -sf "../$(SRCDIR)/util/`basename "$@"`" "$(BLDDIR)/util"; \
fi
-$(BLDDIR)/apps/openssl.cnf: Makefile
+$(BLDDIR)/apps/openssl3.cnf: Makefile
@if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \
mkdir -p "$(BLDDIR)/apps"; \
ln -sf "../$(SRCDIR)/apps/`basename "$@"`" "$(BLDDIR)/apps"; \
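Review bot: same problem for out-of-tree builds: `link-utils` now depends on `$(BLDDIR)/apps/openssl3.cnf`, and this rule satisfies it with `ln -sf "../$(SRCDIR)/apps/openssl3.cnf"` (via `basename "$@"`), which is a dangling symlink because the source tree only contains `apps/openssl.cnf`. Both the `link-utils` prerequisite and this target should have kept the `openssl.cnf` name; only the `install_ssldirs` destination needed the versioned name.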
Index: openssl-3.0.2/Configure
===================================================================
--- openssl-3.0.2.orig/Configure
+++ openssl-3.0.2/Configure
@@ -56,7 +56,7 @@ EOF
# directories bin, lib, include, share/man, share/doc/openssl
# This becomes the value of INSTALLTOP in Makefile
# (Default: /usr/local)
-# --openssldir OpenSSL data area, such as openssl.cnf, certificates and keys.
+# --openssldir OpenSSL data area, such as openssl3.cnf, certificates and keys.
# If it's a relative directory, it will be added on the directory
# given with --prefix.
# This becomes the value of OPENSSLDIR in Makefile and in C.
Index: openssl-3.0.2/doc/HOWTO/certificates.txt
===================================================================
--- openssl-3.0.2.orig/doc/HOWTO/certificates.txt
+++ openssl-3.0.2/doc/HOWTO/certificates.txt
@@ -16,7 +16,7 @@ Certificate authorities should read http
In all the cases shown below, the standard configuration file, as
compiled into openssl, will be used. You may find it in /etc/,
/usr/local/ssl/ or somewhere else. By default the file is named
-openssl.cnf and is described at https://www.openssl.org/docs/apps/config.html.
+openssl3.cnf and is described at https://www.openssl.org/docs/apps/config.html.
You can specify a different configuration file using the
'-config {file}' argument with the commands shown below.
Index: openssl-3.0.2/doc/man3/OPENSSL_config.pod
===================================================================
--- openssl-3.0.2.orig/doc/man3/OPENSSL_config.pod
+++ openssl-3.0.2/doc/man3/OPENSSL_config.pod
@@ -17,7 +17,7 @@ see L<openssl_user_macros(7)>:
=head1 DESCRIPTION
-OPENSSL_config() configures OpenSSL using the standard B<openssl.cnf> and
+OPENSSL_config() configures OpenSSL using the standard B<openssl3.cnf> and
reads from the application section B<appname>. If B<appname> is NULL then
the default section, B<openssl_conf>, will be used.
Errors are silently ignored.
Index: openssl-3.0.2/INSTALL.md
===================================================================
--- openssl-3.0.2.orig/INSTALL.md
+++ openssl-3.0.2/INSTALL.md
@@ -567,7 +567,7 @@ is an objective.
### no-autoload-config
-Don't automatically load the default `openssl.cnf` file.
+Don't automatically load the default `openssl3.cnf` file.
Typically OpenSSL will automatically load a system config file which configures
default SSL options.