Accepting request 1141236 from home:ohollmann:branches:security:tls

- Added openssl-3-use-include-directive.patch so that the default /etc/ssl/openssl.cnf file will include any configuration files that other packages might place into /etc/ssl/engines3.d/ and /etc/ssl/engdef3.d/. Also create symbolic links /etc/ssl/engines.d/ and /etc/ssl/engdef.d/ to above versioned directories. - Updated spec file to create the two new necessary directores for the above patch and two symbolic links to above directories. [bsc#1194187, bsc#1207472, bsc#1218933] - Replace our reverted commit with an upstream version * rename openssl-Revert-Makefile-Call-mknum.pl-on-make-ordinals-only-if.patch to openssl-Remove-the-source-directory-.num-targets.patch OBS-URL: https://build.opensuse.org/request/show/1141236 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=88
2024-01-24 12:36:32 +00:00 · 2024-01-24 12:36:32 +00:00 · be2dc0eb62
commit be2dc0eb62
parent 53a0a66cd9
5 changed files with 164 additions and 42 deletions
--- a/openssl-3-use-include-directive.patch
+++ b/openssl-3-use-include-directive.patch
@ -0,0 +1,67 @@
+---
+ apps/openssl.cnf     |   13 +++++++++++++
+ apps/openssl-vms.cnf |   13 +++++++++++++
+ 2 file changed, 26 insertions(+)
+
+Index: openssl-3.2.0/apps/openssl.cnf
+===================================================================
+--- openssl-3.2.0.orig/apps/openssl.cnf
+++ openssl-3.2.0/apps/openssl.cnf
+@@ -19,6 +19,7 @@ openssl_conf = openssl_init
+ # Comment out the next line to ignore configuration errors
+ config_diagnostics = 1
+ 
+[ oid_section ]
+ # Extra OBJECT IDENTIFIER info:
+ # oid_file       = $ENV::HOME/.oid
+ oid_section = new_oids
+@@ -55,6 +56,18 @@ providers = provider_sect
+ # Load default TLS policy configuration
+ ssl_conf = ssl_module
+ 
+engines = engine_section
+
+[ engine_section ]
+
+# This include will look through the directory that will contain the
+# engine declarations for any engines provided by other packages.
+.include /etc/ssl/engines3.d
+
+# This include will look through the directory that will contain the
+# definitions of the engines declared in the engine section.
+.include /etc/ssl/engdef3.d
+
+ # List of providers to load
+ [provider_sect]
+ default = default_sect
+Index: openssl-3.2.0/apps/openssl-vms.cnf
+===================================================================
+--- openssl-3.2.0.orig/apps/openssl-vms.cnf
+++ openssl-3.2.0/apps/openssl-vms.cnf
+@@ -19,6 +19,7 @@ openssl_conf = openssl_init
+ # Comment out the next line to ignore configuration errors
+ config_diagnostics = 1
+ 
+[ oid_section ]
+ # Extra OBJECT IDENTIFIER info:
+ # oid_file       = $ENV::HOME/.oid
+ oid_section = new_oids
+@@ -53,6 +54,18 @@ tsa_policy3 = 1.2.3.4.5.7
+ [openssl_init]
+ providers = provider_sect
+ 
+engines = engine_section
+
+[ engine_section ]
+
+# This include will look through the directory that will contain the
+# engine declarations for any engines provided by other packages.
+.include /etc/ssl/engines3.d
+
+# This include will look through the directory that will contain the
+# definitions of the engines declared in the engine section.
+.include /etc/ssl/engdef3.d
+
+ # List of providers to load
+ [provider_sect]
+ default = default_sect
--- a/openssl-3.changes
+++ b/openssl-3.changes
@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Mon Jan 22 09:34:28 UTC 2024 - Otto Hollmann <otto.hollmann@suse.com>
+
+- Added openssl-3-use-include-directive.patch so that the default
+  /etc/ssl/openssl.cnf file will include any configuration files that
+  other packages might place into /etc/ssl/engines3.d/ and
+  /etc/ssl/engdef3.d/. Also create symbolic links /etc/ssl/engines.d/
+  and /etc/ssl/engdef.d/ to above versioned directories.
+- Updated spec file to create the two new necessary directores for
+  the above patch and two symbolic links to above directories.
+  [bsc#1194187, bsc#1207472, bsc#1218933]
+
+-------------------------------------------------------------------
+Mon Jan 22 07:50:16 UTC 2024 - Otto Hollmann <otto.hollmann@suse.com>
+
+- Replace our reverted commit with an upstream version
+  * rename openssl-Revert-Makefile-Call-mknum.pl-on-make-ordinals-only-if.patch
+  to openssl-Remove-the-source-directory-.num-targets.patch
+
 -------------------------------------------------------------------
 Tue Jan 16 09:45:24 UTC 2024 - Otto Hollmann <otto.hollmann@suse.com>

--- a/openssl-3.spec
+++ b/openssl-3.spec
@ -20,6 +20,8 @@
 %define sover 3
 %define _rname openssl
 %define man_suffix 3ssl
+%global sslengcnf %{ssletcdir}/engines%{sover}.d
+%global sslengdef %{ssletcdir}/engdef%{sover}.d
 Name:           openssl-3
 # Don't forget to update the version in the "openssl" meta-package!
 Version:        3.2.0
@ -45,9 +47,8 @@ Patch5:         openssl-ppc64-config.patch
 # Add crypto-policies support
 Patch6:         openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
 Patch7:         openssl-crypto-policies-support.patch
-# PATCH-FIX-OPENSUSE: Revert of 0e55c3ab8d702ffc897c9beb51d19b14b789618
-# Makefile: Call mknum.pl on 'make ordinals' only if needed
-Patch8:         openssl-Revert-Makefile-Call-mknum.pl-on-make-ordinals-only-if.patch
+# PATCH-FIX-UPSTREAM: Remove the source directory .num targets
+Patch8:         openssl-Remove-the-source-directory-.num-targets.patch
 # PATCH-FIX-FEDORA Add FIPS_mode compatibility macro and flag support
 Patch9:         openssl-Add-FIPS_mode-compatibility-macro.patch
 Patch10:        openssl-Add-Kernel-FIPS-mode-flag-support.patch
@ -63,6 +64,8 @@ Patch14:        openssl-Force-FIPS.patch
 Patch15:        openssl-FIPS-embed-hmac.patch
 # PATCH-FIX-UPSTREAM: bsc#1218810 CVE-2023-6237: Excessive time spent checking invalid RSA public keys
 Patch16:        openssl-CVE-2023-6237.patch
+# PATCH-FIX-SUSE bsc#1194187, bsc#1207472, bsc#1218933  - Add engines section in openssl.cnf
+Patch17:        openssl-3-use-include-directive.patch
 BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(zlib)
 Requires:       libopenssl3 = %{version}-%{release}
@ -169,8 +172,7 @@ export MACHINE=armv6l
    $(getconf LFS_CFLAGS) \
    -Wall \
    --with-rand-seed=getrandom \
-    --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
-    -DSUSE_OPENSSL_FIPS_VERSION=%{release}
+    --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config

 # Show build configuration
 perl configdata.pm --dump
@ -185,6 +187,10 @@ perl configdata.pm --dump
 # Relax the crypto-policies requirements for the regression tests
 # Revert patch7 before running tests
 patch -p1 -R < %{PATCH7}
+# Revert openssl-3-use-include-directive.patch because these directories
+# exists only in buildroot but not in build system and some tests are failing
+# because of it.
+patch -p1 -R < %{PATCH17}
 export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
@ -248,6 +254,14 @@ ln -sf ./%{_rname} %{buildroot}/%{_includedir}/ssl
 mkdir %{buildroot}/%{_datadir}/ssl
 mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl/

+# Create the two directories into which packages will drop their configuration
+# files.
+mkdir %{buildroot}/%{sslengcnf}
+mkdir %{buildroot}/%{sslengdef}
+# Create unversioned symbolic links to above directories
+ln -s %{sslengcnf} %{buildroot}/%{ssletcdir}/engines.d
+ln -s %{sslengdef} %{buildroot}/%{ssletcdir}/engdef.d
+
 # Avoid file conflicts with man pages from other packages
 pushd %{buildroot}/%{_mandir}
 find . -type f -exec chmod 644 {} +
@ -313,6 +327,11 @@ fi
 %config (noreplace) %{ssletcdir}/openssl.cnf
 %config (noreplace) %{ssletcdir}/ct_log_list.cnf
 %attr(700,root,root) %{ssletcdir}/private
+%dir %{sslengcnf}
+%dir %{sslengdef}
+# symbolic link to above directories
+%{ssletcdir}/engines.d
+%{ssletcdir}/engdef.d
 %dir %{_datadir}/ssl
 %{_datadir}/ssl/misc
 %dir %{_localstatedir}/lib/ca-certificates/
--- a/openssl-Remove-the-source-directory-.num-targets.patch
+++ b/openssl-Remove-the-source-directory-.num-targets.patch
@ -0,0 +1,54 @@
+From 9e8d114bd69619f245b103b70d051cd6e5e6468e Mon Sep 17 00:00:00 2001
+From: Richard Levitte <levitte@openssl.org>
+Date: Thu, 30 Nov 2023 16:38:43 +0100
+Subject: [PATCH] Remove the source directory .num targets
+
+$(SRCDIR)/util/libcrypto.num and $(SRCDIR)/util/libssl.num were made their
+own targets to have 'make ordinals' reproduce them (run mknum.pl) only if
+needed.
+
+Unfortunately, because the shared library linker scripts depend on these
+.num files, we suddenly have mknum.pl run at random times when building.
+Furthermore, this created a diamond dependency, which disturbs parallell
+building because multiple mknum.pl on the same file could run at the same
+time.
+
+This reverts commit 0e55c3ab8d702ffc897c9beb51d19b14b7896182.
+
+Fixes #21999
+Partially fixes #22841
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/22890)
+
+(cherry picked from commit c08b21a2c95c2925e9c7ab11eb667d95e7b1fe3a)
+---
+ Configurations/unix-Makefile.tmpl | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
+index 8ddb1282af7b6..6714699178dd9 100644
+--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
+@@ -1363,18 +1363,16 @@ renumber: build_generated
+                 --renumber \
+                 $(SSLHEADERS)
+ 
+-$(SRCDIR)/util/libcrypto.num: $(CRYPTOHEADERS) $(SRCDIR)/include/openssl/symhacks.h
+.PHONY: ordinals
+ordinals: build_generated
+ 	$(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \
+                 --ordinals $(SRCDIR)/util/libcrypto.num \
+                 --symhacks $(SRCDIR)/include/openssl/symhacks.h \
+                 $(CRYPTOHEADERS)
+-$(SRCDIR)/util/libssl.num: $(SSLHEADERS) $(SRCDIR)/include/openssl/symhacks.h
+ 	$(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \
+                 --ordinals $(SRCDIR)/util/libssl.num \
+                 --symhacks $(SRCDIR)/include/openssl/symhacks.h \
+                 $(SSLHEADERS)
+-.PHONY: ordinals
+-ordinals: build_generated $(SRCDIR)/util/libcrypto.num $(SRCDIR)/util/libssl.num
+ 
+ test_ordinals:
+ 	$(MAKE) run_tests TESTS=test_ordinals
--- a/openssl-Revert-Makefile-Call-mknum.pl-on-make-ordinals-only-if.patch
+++ b/openssl-Revert-Makefile-Call-mknum.pl-on-make-ordinals-only-if.patch
@ -1,37 +0,0 @@
-From 0e55c3ab8d702ffc897c9beb51d19b14b7896182 Mon Sep 17 00:00:00 2001
-From: "Dr. David von Oheimb" <David.von.Oheimb@siemens.com>
-Date: Tue, 11 May 2021 12:59:03 +0200
-Subject: [PATCH] Makefile: Call mknum.pl on 'make ordinals' only if needed
-
-Reviewed-by: Richard Levitte <levitte@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
-(Merged from https://github.com/openssl/openssl/pull/15224)
---
- Configurations/unix-Makefile.tmpl | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-Index: openssl-3.2.0/Configurations/unix-Makefile.tmpl
-===================================================================
--- openssl-3.2.0.orig/Configurations/unix-Makefile.tmpl
-+++ openssl-3.2.0/Configurations/unix-Makefile.tmpl
-@@ -1368,18 +1368,15 @@ renumber: build_generated
-                 --renumber \
-                 $(SSLHEADERS)
- 
-$(SRCDIR)/util/libcrypto.num: $(CRYPTOHEADERS) $(SRCDIR)/include/openssl/symhacks.h
-+ordinals: build_generated
- 	$(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \
-                 --ordinals $(SRCDIR)/util/libcrypto.num \
-                 --symhacks $(SRCDIR)/include/openssl/symhacks.h \
-                 $(CRYPTOHEADERS)
-$(SRCDIR)/util/libssl.num: $(SSLHEADERS) $(SRCDIR)/include/openssl/symhacks.h
- 	$(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \
-                 --ordinals $(SRCDIR)/util/libssl.num \
-                 --symhacks $(SRCDIR)/include/openssl/symhacks.h \
-                 $(SSLHEADERS)
-.PHONY: ordinals
-ordinals: build_generated $(SRCDIR)/util/libcrypto.num $(SRCDIR)/util/libssl.num
- 
- test_ordinals:
- 	$(MAKE) run_tests TESTS=test_ordinals