diff --git a/openssl-3-use-include-directive.patch b/openssl-3-use-include-directive.patch
new file mode 100644
index 0000000..433d81f
--- /dev/null
+++ b/openssl-3-use-include-directive.patch
@@ -0,0 +1,67 @@
+---
+ apps/openssl.cnf | 13 +++++++++++++
+ apps/openssl-vms.cnf | 13 +++++++++++++
+ 2 file changed, 26 insertions(+)
+
+Index: openssl-3.2.0/apps/openssl.cnf
+===================================================================
+--- openssl-3.2.0.orig/apps/openssl.cnf
++++ openssl-3.2.0/apps/openssl.cnf
+@@ -19,6 +19,7 @@ openssl_conf = openssl_init
+ # Comment out the next line to ignore configuration errors
+ config_diagnostics = 1
+
++[ oid_section ]
+ # Extra OBJECT IDENTIFIER info:
+ # oid_file = $ENV::HOME/.oid
+ oid_section = new_oids
+@@ -55,6 +56,18 @@ providers = provider_sect
+ # Load default TLS policy configuration
+ ssl_conf = ssl_module
+
++engines = engine_section
++
++[ engine_section ]
++
++# This include will look through the directory that will contain the
++# engine declarations for any engines provided by other packages.
++.include /etc/ssl/engines3.d
++
++# This include will look through the directory that will contain the
++# definitions of the engines declared in the engine section.
++.include /etc/ssl/engdef3.d
++
+ # List of providers to load
+ [provider_sect]
+ default = default_sect
+Index: openssl-3.2.0/apps/openssl-vms.cnf
+===================================================================
+--- openssl-3.2.0.orig/apps/openssl-vms.cnf
++++ openssl-3.2.0/apps/openssl-vms.cnf
+@@ -19,6 +19,7 @@ openssl_conf = openssl_init
+ # Comment out the next line to ignore configuration errors
+ config_diagnostics = 1
+
++[ oid_section ]
+ # Extra OBJECT IDENTIFIER info:
+ # oid_file = $ENV::HOME/.oid
+ oid_section = new_oids
+@@ -53,6 +54,18 @@ tsa_policy3 = 1.2.3.4.5.7
+ [openssl_init]
+ providers = provider_sect
+
++engines = engine_section
++
++[ engine_section ]
++
++# This include will look through the directory that will contain the
++# engine declarations for any engines provided by other packages.
++.include /etc/ssl/engines3.d
++
++# This include will look through the directory that will contain the
++# definitions of the engines declared in the engine section.
++.include /etc/ssl/engdef3.d
++
+ # List of providers to load
+ [provider_sect]
+ default = default_sect
diff --git a/openssl-3.changes b/openssl-3.changes
index bc6022b..d904115 100644
--- a/openssl-3.changes
+++ b/openssl-3.changes
@@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Mon Jan 22 09:34:28 UTC 2024 - Otto Hollmann
+
+- Added openssl-3-use-include-directive.patch so that the default
+ /etc/ssl/openssl.cnf file will include any configuration files that
+ other packages might place into /etc/ssl/engines3.d/ and
+ /etc/ssl/engdef3.d/. Also create symbolic links /etc/ssl/engines.d/
+ and /etc/ssl/engdef.d/ to above versioned directories.
+- Updated spec file to create the two new necessary directores for
+ the above patch and two symbolic links to above directories.
+ [bsc#1194187, bsc#1207472, bsc#1218933]
+
+-------------------------------------------------------------------
+Mon Jan 22 07:50:16 UTC 2024 - Otto Hollmann
+
+- Replace our reverted commit with an upstream version
+ * rename openssl-Revert-Makefile-Call-mknum.pl-on-make-ordinals-only-if.patch
+ to openssl-Remove-the-source-directory-.num-targets.patch
+
 -------------------------------------------------------------------
 Tue Jan 16 09:45:24 UTC 2024 - Otto Hollmann
diff --git a/openssl-3.spec b/openssl-3.spec
index 85fb3cb..908da36 100644
--- a/openssl-3.spec
+++ b/openssl-3.spec
@@ -20,6 +22,8 @@
 %define sover 3
 %define _rname openssl
 %define man_suffix 3ssl
+%global sslengcnf %{ssletcdir}/engines%{sover}.d
+%global sslengdef %{ssletcdir}/engdef%{sover}.d
 Name: openssl-3
 # Don't forget to update the version in the "openssl" meta-package!
 Version: 3.2.0
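Review bot: The added `[ oid_section ]` header in both the openssl.cnf and openssl-vms.cnf hunks of the new patch sits directly above `oid_section = new_oids`, so that assignment now belongs to a section named `oid_section` instead of the default section. As far as I can tell the `openssl` command-line tools look `oid_section` up in the default section, so the extra OIDs would probably stop being registered; unless the header is needed for a reason not visible here, drop it. Separately, `config_diagnostics = 1` stays enabled above the new `.include /etc/ssl/engines3.d` and `.include /etc/ssl/engdef3.d` lines, so a malformed drop-in from any package would presumably make configuration loading fail for every program that reads this file. A comment next to the includes such as `# Files here are parsed by every application loading this config; errors are fatal while config_diagnostics = 1` would warn packagers.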
@@ -45,9 +47,8 @@ Patch5: openssl-ppc64-config.patch
 # Add crypto-policies support
 Patch6: openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
 Patch7: openssl-crypto-policies-support.patch
-# PATCH-FIX-OPENSUSE: Revert of 0e55c3ab8d702ffc897c9beb51d19b14b789618
-# Makefile: Call mknum.pl on 'make ordinals' only if needed
-Patch8: openssl-Revert-Makefile-Call-mknum.pl-on-make-ordinals-only-if.patch
+# PATCH-FIX-UPSTREAM: Remove the source directory .num targets
+Patch8: openssl-Remove-the-source-directory-.num-targets.patch
 # PATCH-FIX-FEDORA Add FIPS_mode compatibility macro and flag support
 Patch9: openssl-Add-FIPS_mode-compatibility-macro.patch
 Patch10: openssl-Add-Kernel-FIPS-mode-flag-support.patch
@@ -63,6 +64,8 @@ Patch14: openssl-Force-FIPS.patch
 Patch15: openssl-FIPS-embed-hmac.patch
 # PATCH-FIX-UPSTREAM: bsc#1218810 CVE-2023-6237: Excessive time spent checking invalid RSA public keys
 Patch16: openssl-CVE-2023-6237.patch
+# PATCH-FIX-SUSE bsc#1194187, bsc#1207472, bsc#1218933 - Add engines section in openssl.cnf
+Patch17: openssl-3-use-include-directive.patch
 BuildRequires: pkgconfig
 BuildRequires: pkgconfig(zlib)
 Requires: libopenssl3 = %{version}-%{release}
@@ -169,8 +172,7 @@ export MACHINE=armv6l
 $(getconf LFS_CFLAGS) \
 -Wall \
 --with-rand-seed=getrandom \
- --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
- -DSUSE_OPENSSL_FIPS_VERSION=%{release}
+ --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config
 # Show build configuration
 perl configdata.pm --dump
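Review bot: The removal of `-DSUSE_OPENSSL_FIPS_VERSION=%{release}` in the Configure hunk is not covered by the openssl-3.changes entry added in this commit, which only mentions the include-directive patch and the Patch8 replacement. Whether any of the FIPS patches still reads that macro cannot be seen from this diff; if one does, the reported FIPS provider version could change silently. Please either restore the line or record the removal and its reason in the changelog. The Configure invocation starts outside the hunk.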
@@ -185,6 +187,10 @@ perl configdata.pm --dump
 # Relax the crypto-policies requirements for the regression tests
 # Revert patch7 before running tests
 patch -p1 -R < %{PATCH7}
+# Revert openssl-3-use-include-directive.patch because these directories
+# exists only in buildroot but not in build system and some tests are failing
+# because of it.
+patch -p1 -R < %{PATCH17}
 export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
 export MALLOC_CHECK_=3
 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
@@ -248,6 +254,14 @@ ln -sf ./%{_rname} %{buildroot}/%{_includedir}/ssl
 mkdir %{buildroot}/%{_datadir}/ssl
 mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl/
+# Create the two directories into which packages will drop their configuration
+# files.
+mkdir %{buildroot}/%{sslengcnf}
+mkdir %{buildroot}/%{sslengdef}
+# Create unversioned symbolic links to above directories
+ln -s %{sslengcnf} %{buildroot}/%{ssletcdir}/engines.d
+ln -s %{sslengdef} %{buildroot}/%{ssletcdir}/engdef.d
+
 # Avoid file conflicts with man pages from other packages
 pushd %{buildroot}/%{_mandir}
 find . -type f -exec chmod 644 {} +
@@ -313,6 +327,11 @@ fi
 %config (noreplace) %{ssletcdir}/openssl.cnf
 %config (noreplace) %{ssletcdir}/ct_log_list.cnf
 %attr(700,root,root) %{ssletcdir}/private
+%dir %{sslengcnf}
+%dir %{sslengdef}
+# symbolic link to above directories
+%{ssletcdir}/engines.d
+%{ssletcdir}/engdef.d
 %dir %{_datadir}/ssl
 %{_datadir}/ssl/misc
 %dir %{_localstatedir}/lib/ca-certificates/
diff --git a/openssl-Remove-the-source-directory-.num-targets.patch b/openssl-Remove-the-source-directory-.num-targets.patch
new file mode 100644
index 0000000..58476d7
--- /dev/null
+++ b/openssl-Remove-the-source-directory-.num-targets.patch
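Review bot: The new `patch -p1 -R < %{PATCH17}` runs after Patch7 has already been reverted, yet the second openssl.cnf hunk of Patch17 carries `ssl_conf = ssl_module` as context, which looks like it comes from the crypto-policies patch. Reverting in application order instead of reverse order leaves both reversals dependent on patch fuzz; moving the Patch17 line above `patch -p1 -R < %{PATCH7}` avoids that. With both patches reverted, the test suite also never parses the `openssl.cnf` that is actually installed, so an error in the new engine section would not be caught here. The added comment could state that limitation explicitly. The %check section continues outside the hunk.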
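Review bot: `%dir %{sslengcnf}` and `%dir %{sslengdef}` in the %files hunk are packaged without an explicit `%attr`, unlike `%attr(700,root,root) %{ssletcdir}/private` on the line above them. Every file dropped into these directories is pulled into the default configuration by the new `.include` lines and can declare an engine to load, so their ownership and mode are a trust boundary. Pinning them, for example `%attr(755,root,root) %dir %{sslengcnf}` and the same for `%{sslengdef}`, makes that explicit instead of inheriting whatever the plain `mkdir` in %install produced in the buildroot. The %files section starts outside the hunk.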
@@ -0,0 +1,54 @@
+From 9e8d114bd69619f245b103b70d051cd6e5e6468e Mon Sep 17 00:00:00 2001
+From: Richard Levitte
+Date: Thu, 30 Nov 2023 16:38:43 +0100
+Subject: [PATCH] Remove the source directory .num targets
+
+$(SRCDIR)/util/libcrypto.num and $(SRCDIR)/util/libssl.num were made their
+own targets to have 'make ordinals' reproduce them (run mknum.pl) only if
+needed.
+
+Unfortunately, because the shared library linker scripts depend on these
+.num files, we suddenly have mknum.pl run at random times when building.
+Furthermore, this created a diamond dependency, which disturbs parallell
+building because multiple mknum.pl on the same file could run at the same
+time.
+
+This reverts commit 0e55c3ab8d702ffc897c9beb51d19b14b7896182.
+
+Fixes #21999
+Partially fixes #22841
+
+Reviewed-by: Tomas Mraz
+Reviewed-by: Matt Caswell
+(Merged from https://github.com/openssl/openssl/pull/22890)
+
+(cherry picked from commit c08b21a2c95c2925e9c7ab11eb667d95e7b1fe3a)
+---
+ Configurations/unix-Makefile.tmpl | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
+index 8ddb1282af7b6..6714699178dd9 100644
+--- a/Configurations/unix-Makefile.tmpl
++++ b/Configurations/unix-Makefile.tmpl
+@@ -1363,18 +1363,16 @@ renumber: build_generated
+ --renumber \
+ $(SSLHEADERS)
+
+-$(SRCDIR)/util/libcrypto.num: $(CRYPTOHEADERS) $(SRCDIR)/include/openssl/symhacks.h
++.PHONY: ordinals
++ordinals: build_generated
+ $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \
+ --ordinals $(SRCDIR)/util/libcrypto.num \
+ --symhacks $(SRCDIR)/include/openssl/symhacks.h \
+ $(CRYPTOHEADERS)
+-$(SRCDIR)/util/libssl.num: $(SSLHEADERS) $(SRCDIR)/include/openssl/symhacks.h
+ $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \
+ --ordinals $(SRCDIR)/util/libssl.num \
+ --symhacks $(SRCDIR)/include/openssl/symhacks.h \
+ $(SSLHEADERS)
+-.PHONY: ordinals
+-ordinals: build_generated $(SRCDIR)/util/libcrypto.num $(SRCDIR)/util/libssl.num
+
+ test_ordinals:
+ $(MAKE) run_tests TESTS=test_ordinals
diff --git a/openssl-Revert-Makefile-Call-mknum.pl-on-make-ordinals-only-if.patch b/openssl-Revert-Makefile-Call-mknum.pl-on-make-ordinals-only-if.patch
deleted file mode 100644
index 1b52f21..0000000
--- a/openssl-Revert-Makefile-Call-mknum.pl-on-make-ordinals-only-if.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 0e55c3ab8d702ffc897c9beb51d19b14b7896182 Mon Sep 17 00:00:00 2001
-From: "Dr. David von Oheimb"
-Date: Tue, 11 May 2021 12:59:03 +0200
-Subject: [PATCH] Makefile: Call mknum.pl on 'make ordinals' only if needed
-
-Reviewed-by: Richard Levitte
-Reviewed-by: Tomas Mraz
-Reviewed-by: David von Oheimb
-(Merged from https://github.com/openssl/openssl/pull/15224)
----
- Configurations/unix-Makefile.tmpl | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-Index: openssl-3.2.0/Configurations/unix-Makefile.tmpl
-===================================================================
---- openssl-3.2.0.orig/Configurations/unix-Makefile.tmpl
-+++ openssl-3.2.0/Configurations/unix-Makefile.tmpl
-@@ -1368,18 +1368,15 @@ renumber: build_generated
- --renumber \
- $(SSLHEADERS)
-
--$(SRCDIR)/util/libcrypto.num: $(CRYPTOHEADERS) $(SRCDIR)/include/openssl/symhacks.h
-+ordinals: build_generated
- $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \
- --ordinals $(SRCDIR)/util/libcrypto.num \
- --symhacks $(SRCDIR)/include/openssl/symhacks.h \
- $(CRYPTOHEADERS)
--$(SRCDIR)/util/libssl.num: $(SSLHEADERS) $(SRCDIR)/include/openssl/symhacks.h
- $(PERL) $(SRCDIR)/util/mknum.pl --version $(VERSION_NUMBER) --no-warnings \
- --ordinals $(SRCDIR)/util/libssl.num \
- --symhacks $(SRCDIR)/include/openssl/symhacks.h \
- $(SSLHEADERS)
--.PHONY: ordinals
--ordinals: build_generated $(SRCDIR)/util/libcrypto.num $(SRCDIR)/util/libssl.num
-
- test_ordinals:
- $(MAKE) run_tests TESTS=test_ordinals