Accepting request 949760 from security:tls:unstable
OBS-URL: https://build.opensuse.org/request/show/949760 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=33
This commit is contained in:
parent
0a6677bc99
commit
c3d5c867a1
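--- a/fix-config-in-tests.patch
+++ b/fix-config-in-tests.patch
@@ -0,0 +1,13 @@
+Index: openssl-3.0.1/test/run_tests.pl
+===================================================================
+--- openssl-3.0.1.orig/test/run_tests.pl
++++ openssl-3.0.1/test/run_tests.pl
+@@ -33,7 +33,7 @@ my $recipesdir = catdir($srctop, "test",
+my $libdir = rel2abs(catdir($srctop, "util", "perl"));
+my $jobs = $ENV{HARNESS_JOBS} // 1;
+
+-$ENV{OPENSSL_CONF} = rel2abs(catfile($srctop, "apps", "openssl.cnf"));
++$ENV{OPENSSL_CONF} = rel2abs(catfile($srctop, "apps", "openssl3.cnf"));
+$ENV{OPENSSL_CONF_INCLUDE} = rel2abs(catdir($bldtop, "test"));
+$ENV{OPENSSL_MODULES} = rel2abs(catdir($bldtop, "providers"));
+$ENV{OPENSSL_ENGINES} = rel2abs(catdir($bldtop, "engines"));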
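Review bot: `rel2abs(catfile($srctop, "apps", "openssl3.cnf"))` points OPENSSL_CONF at a file in the source tree, but nothing in this request renames apps/openssl.cnf there — openssl-use-versioned-config.patch still copies `$(SRCDIR)/apps/openssl.cnf` in `install_ssldirs` and only changes the installed name. Unless %prep or %build copies the file to apps/openssl3.cnf (not visible on this page), OPENSSL_CONF names a nonexistent file, and since OpenSSL's default config loading presumably tolerates a missing file the suite would run with no configuration at all rather than fail loudly. Consider making the harness check the path it sets, e.g. `die "missing config: $ENV{OPENSSL_CONF}\n" unless -f $ENV{OPENSSL_CONF};` right after the assignment, so a broken rename surfaces as a harness error instead of silently weakening the tests. The surrounding run_tests.pl setup continues outside the hunk.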
@ -1,3 +1,22 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Jan 28 08:32:43 UTC 2022 - Simon Lees <simonf.lees@suse.com>
|
||||||
|
|
||||||
|
- Remove /etc/pki/CA from the [jsc#SLE-17856, jsc#SLE-19044]
|
||||||
|
openssl-Override-default-paths-for-the-CA-directory-tree.patch
|
||||||
|
- Remove unused patches
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Jan 21 08:18:28 UTC 2022 - Simon Lees <simonf.lees@suse.com>
|
||||||
|
|
||||||
|
- Ship openssl-3 as binary names [jsc#SLE-17856, jsc#SLE-19044]
|
||||||
|
- Use openssl3.cnf
|
||||||
|
* openssl-use-versioned-config.patch
|
||||||
|
* fix-config-in-tests.patch
|
||||||
|
- Support crypto policies
|
||||||
|
* openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
|
||||||
|
* openssl-Override-default-paths-for-the-CA-directory-tree.patch
|
||||||
|
- Remove obsolets, not ready to force an upgrade yet
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Jan 13 10:49:26 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
|
Thu Jan 13 10:49:26 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
|
||||||
|
|
||||||
|
@ -42,15 +42,14 @@ Patch3: openssl-pkgconfig.patch
|
|||||||
Patch4: openssl-DEFAULT_SUSE_cipher.patch
|
Patch4: openssl-DEFAULT_SUSE_cipher.patch
|
||||||
Patch5: openssl-ppc64-config.patch
|
Patch5: openssl-ppc64-config.patch
|
||||||
Patch6: openssl-no-date.patch
|
Patch6: openssl-no-date.patch
|
||||||
|
# Patches for crypto-policies
|
||||||
|
Patch7: openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
|
||||||
|
Patch8: openssl-Override-default-paths-for-the-CA-directory-tree.patch
|
||||||
|
# use openssl3.cnf
|
||||||
|
Patch9: openssl-use-versioned-config.patch
|
||||||
|
Patch10: fix-config-in-tests.patch
|
||||||
BuildRequires: pkgconfig
|
BuildRequires: pkgconfig
|
||||||
Conflicts: ssl
|
|
||||||
Provides: ssl
|
|
||||||
Provides: openssl(cli)
|
|
||||||
# Needed for clean upgrade path, boo#1070003
|
|
||||||
Obsoletes: openssl-1_0_0
|
|
||||||
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
|
|
||||||
Obsoletes: openssl-1_1_0
|
|
||||||
Obsoletes: openssl-1_1
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
OpenSSL is a software library to be used in applications that need to
|
OpenSSL is a software library to be used in applications that need to
|
||||||
@ -76,12 +75,6 @@ Recommends: %{name} = %{version}
|
|||||||
Conflicts: libopenssl-devel < %{version}
|
Conflicts: libopenssl-devel < %{version}
|
||||||
Conflicts: libopenssl-devel > %{version}
|
Conflicts: libopenssl-devel > %{version}
|
||||||
Conflicts: ssl-devel
|
Conflicts: ssl-devel
|
||||||
Provides: ssl-devel
|
|
||||||
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
|
|
||||||
Obsoletes: libopenssl-1_1_0-devel
|
|
||||||
Obsoletes: libopenssl-1_1-devel
|
|
||||||
# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
|
|
||||||
Obsoletes: libopenssl-1_0_0-devel
|
|
||||||
|
|
||||||
%description -n libopenssl-3-devel
|
%description -n libopenssl-3-devel
|
||||||
This subpackage contains header files for developing applications
|
This subpackage contains header files for developing applications
|
||||||
@ -143,21 +136,30 @@ perl configdata.pm --dump
|
|||||||
export MALLOC_CHECK_=3
|
export MALLOC_CHECK_=3
|
||||||
export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
|
export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
|
||||||
# export HARNESS_VERBOSE=yes
|
# export HARNESS_VERBOSE=yes
|
||||||
LD_LIBRARY_PATH="$PWD" make test -j1
|
LD_LIBRARY_PATH="$PWD" make TESTS='-test_req\
|
||||||
|
-test_verify_store\
|
||||||
|
-test_evp_fetch_prov\
|
||||||
|
-test_ca\
|
||||||
|
-test_ssl_old\
|
||||||
|
-test_tsa'\
|
||||||
|
test -j1
|
||||||
# show ciphers
|
# show ciphers
|
||||||
gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{buildroot}%{_libdir} -lssl -lcrypto
|
gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{buildroot}%{_libdir} -lssl -lcrypto
|
||||||
LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers
|
LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers
|
||||||
|
|
||||||
%install
|
%install
|
||||||
%make_install %{?_smp_mflags}
|
%make_install %{?_smp_mflags}
|
||||||
|
|
||||||
# Kill static libs
|
# Kill static libs
|
||||||
rm -f %{buildroot}%{_libdir}/lib*.a
|
rm -f %{buildroot}%{_libdir}/lib*.a
|
||||||
# Remove the cnf.dist
|
# Remove the cnf.dist
|
||||||
rm -f %{buildroot}%{_sysconfdir}/ssl/openssl.cnf.dist
|
rm -f %{buildroot}%{_sysconfdir}/ssl/openssl3.cnf.dist
|
||||||
|
mkdir %{buildroot}/%{_datadir}/ssl-3
|
||||||
|
mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl-3/
|
||||||
ln -sf ./%{_rname} %{buildroot}/%{_includedir}/ssl
|
ln -sf ./%{_rname} %{buildroot}/%{_includedir}/ssl
|
||||||
mkdir %{buildroot}/%{_datadir}/ssl
|
mkdir %{buildroot}/%{_datadir}/ssl
|
||||||
mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl/
|
# Rename binary
|
||||||
|
mv %{buildroot}%{_bindir}/%{_rname} %{buildroot}%{_bindir}/%{name}
|
||||||
# Avoid file conflicts with man pages from other packages
|
# Avoid file conflicts with man pages from other packages
|
||||||
pushd %{buildroot}/%{_mandir}
|
pushd %{buildroot}/%{_mandir}
|
||||||
find . -type f -exec chmod 644 {} +
|
find . -type f -exec chmod 644 {} +
|
||||||
@ -172,21 +174,23 @@ for i in man?/*; do
|
|||||||
if test -L $i ; then
|
if test -L $i ; then
|
||||||
LDEST=`readlink $i`
|
LDEST=`readlink $i`
|
||||||
rm -f $i ${i}ssl
|
rm -f $i ${i}ssl
|
||||||
ln -sf ${LDEST}ssl ${i}ssl
|
ln -sf ${LDEST}ssl-3 ${i}ssl-3
|
||||||
else
|
else
|
||||||
mv $i ${i}ssl
|
mv $i ${i}ssl-3
|
||||||
fi
|
fi
|
||||||
case "$i" in
|
case "$i" in
|
||||||
*.1)
|
*.1)
|
||||||
# These are the pages mentioned in openssl(1). They go into the main package.
|
# These are the pages mentioned in openssl(1). They go into the main package.
|
||||||
echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist;;
|
echo %doc %{_mandir}/${i}ssl-3%{?ext_man} >> $OLDPWD/filelist;;
|
||||||
*)
|
*)
|
||||||
# The rest goes into the openssl-doc package.
|
# The rest goes into the openssl-doc package.
|
||||||
echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist.doc;;
|
echo %doc %{_mandir}/${i}ssl-3%{?ext_man} >> $OLDPWD/filelist.doc;;
|
||||||
esac
|
esac
|
||||||
done
|
done
|
||||||
popd
|
popd
|
||||||
|
|
||||||
|
mv %{buildroot}%{_bindir}/c_rehash %{buildroot}%{_bindir}/c_rehash-3
|
||||||
|
|
||||||
# Do not install demo scripts executable under /usr/share/doc
|
# Do not install demo scripts executable under /usr/share/doc
|
||||||
find demos -type f -perm /111 -exec chmod 644 {} +
|
find demos -type f -perm /111 -exec chmod 644 {} +
|
||||||
|
|
||||||
@ -221,14 +225,14 @@ cp %{SOURCE5} .
|
|||||||
%files -f filelist
|
%files -f filelist
|
||||||
%doc CHANGE*
|
%doc CHANGE*
|
||||||
%dir %{ssletcdir}
|
%dir %{ssletcdir}
|
||||||
%config (noreplace) %{ssletcdir}/openssl.cnf
|
%config (noreplace) %{ssletcdir}/openssl3.cnf
|
||||||
%attr(700,root,root) %{ssletcdir}/private
|
%attr(700,root,root) %{ssletcdir}/private
|
||||||
%{ssletcdir}/ct_log_list.cnf
|
%{ssletcdir}/ct_log_list.cnf
|
||||||
%{ssletcdir}/ct_log_list.cnf.dist
|
%{ssletcdir}/ct_log_list.cnf.dist
|
||||||
|
|
||||||
%dir %{_datadir}/ssl
|
%dir %{_datadir}/ssl-3
|
||||||
%{_datadir}/ssl/misc
|
%{_datadir}/ssl-3/misc
|
||||||
%{_bindir}/c_rehash
|
%{_bindir}/c_rehash-3
|
||||||
%{_bindir}/%{_rname}
|
%{_bindir}/%{name}
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
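Review bot: The %check hunk replaces `make test -j1` with a TESTS list that excludes test_req, test_verify_store, test_evp_fetch_prov, test_ca, test_ssl_old and test_tsa, with no comment or bug reference saying why, and those recipes cover exactly what the new patches change (config loading, the CA directory tree, the default cipher list). Patch8's own header says it "needs to be reverted before running tests", so the recipes are presumably failing because of the /etc/pki/CA paths and the crypto-policies include rather than a real defect, and skipping them hides regressions in the patched code instead of confirming it. Unless crypto-policies is a BuildRequires (none is visible), /etc/crypto-policies/back-ends/openssl.config is absent in the build root and load_system_str in Patch7 falls back to SSL_DEFAULT_CIPHER_LIST, so the PROFILE=SYSTEM path is never exercised here either. Prefer pointing the harness at a pristine config (or reverting Patch8 for %check) and at minimum put a comment above the make line such as `# Skip recipes broken in the build root by Patch7/Patch8 (CA dir = /etc/pki/CA, crypto-policies include); see bsc#NNNN` with the tracking bug filled in. The %check section begins before this hunk.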
@ -0,0 +1,329 @@
|
|||||||
|
From 736d709ec194b3a763e004696df22792c62a11fc Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||||
|
Date: Thu, 24 Sep 2020 10:16:46 +0200
|
||||||
|
Subject: Add support for PROFILE=SYSTEM system default cipherlist
|
||||||
|
|
||||||
|
(was openssl-1.1.1-system-cipherlist.patch)
|
||||||
|
---
|
||||||
|
Configurations/unix-Makefile.tmpl | 5 ++
|
||||||
|
Configure | 10 +++-
|
||||||
|
doc/man1/openssl-ciphers.pod.in | 9 ++++
|
||||||
|
include/openssl/ssl.h.in | 5 ++
|
||||||
|
ssl/ssl_ciph.c | 88 +++++++++++++++++++++++++++----
|
||||||
|
ssl/ssl_lib.c | 4 +-
|
||||||
|
test/cipherlist_test.c | 2 +
|
||||||
|
util/libcrypto.num | 1 +
|
||||||
|
8 files changed, 110 insertions(+), 14 deletions(-)
|
||||||
|
|
||||||
|
Index: openssl-3.0.1/Configurations/unix-Makefile.tmpl
|
||||||
|
===================================================================
|
||||||
|
--- openssl-3.0.1.orig/Configurations/unix-Makefile.tmpl
|
||||||
|
+++ openssl-3.0.1/Configurations/unix-Makefile.tmpl
|
||||||
|
@@ -315,6 +315,10 @@ MANDIR=$(INSTALLTOP)/share/man
|
||||||
|
DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
|
||||||
|
HTMLDIR=$(DOCDIR)/html
|
||||||
|
|
||||||
|
+{- output_off() if $config{system_ciphers_file} eq ""; "" -}
|
||||||
|
+SYSTEM_CIPHERS_FILE_DEFINE=-DSYSTEM_CIPHERS_FILE="\"{- $config{system_ciphers_file} -}\""
|
||||||
|
+{- output_on() if $config{system_ciphers_file} eq ""; "" -}
|
||||||
|
+
|
||||||
|
# MANSUFFIX is for the benefit of anyone who may want to have a suffix
|
||||||
|
# appended after the manpage file section number. "ssl" is popular,
|
||||||
|
# resulting in files such as config.5ssl rather than config.5.
|
||||||
|
@@ -338,6 +342,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
|
||||||
|
CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -}
|
||||||
|
CPPFLAGS={- our $cppflags1 = join(" ",
|
||||||
|
(map { "-D".$_} @{$config{CPPDEFINES}}),
|
||||||
|
+ "\$(SYSTEM_CIPHERS_FILE_DEFINE)",
|
||||||
|
(map { "-I".$_} @{$config{CPPINCLUDES}}),
|
||||||
|
@{$config{CPPFLAGS}}) -}
|
||||||
|
CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
|
||||||
|
Index: openssl-3.0.1/doc/man1/openssl-ciphers.pod.in
|
||||||
|
===================================================================
|
||||||
|
--- openssl-3.0.1.orig/doc/man1/openssl-ciphers.pod.in
|
||||||
|
+++ openssl-3.0.1/doc/man1/openssl-ciphers.pod.in
|
||||||
|
@@ -186,6 +186,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
|
||||||
|
|
||||||
|
The cipher suites not enabled by B<ALL>, currently B<eNULL>.
|
||||||
|
|
||||||
|
+=item B<PROFILE=SYSTEM>
|
||||||
|
+
|
||||||
|
+The list of enabled cipher suites will be loaded from the system crypto policy
|
||||||
|
+configuration file B</etc/crypto-policies/back-ends/openssl.config>.
|
||||||
|
+See also L<update-crypto-policies(8)>.
|
||||||
|
+This is the default behavior unless an application explicitly sets a cipher
|
||||||
|
+list. If used in a cipher list configuration value this string must be at the
|
||||||
|
+beginning of the cipher list, otherwise it will not be recognized.
|
||||||
|
+
|
||||||
|
=item B<HIGH>
|
||||||
|
|
||||||
|
"High" encryption cipher suites. This currently means those with key lengths
|
||||||
|
Index: openssl-3.0.1/include/openssl/ssl.h.in
|
||||||
|
===================================================================
|
||||||
|
--- openssl-3.0.1.orig/include/openssl/ssl.h.in
|
||||||
|
+++ openssl-3.0.1/include/openssl/ssl.h.in
|
||||||
|
@@ -210,6 +210,11 @@ extern "C" {
|
||||||
|
* throwing out anonymous and unencrypted ciphersuites! (The latter are not
|
||||||
|
* actually enabled by ALL, but "ALL:RSA" would enable some of them.)
|
||||||
|
*/
|
||||||
|
+# ifdef SYSTEM_CIPHERS_FILE
|
||||||
|
+# define SSL_SYSTEM_DEFAULT_CIPHER_LIST "PROFILE=SYSTEM"
|
||||||
|
+# else
|
||||||
|
+# define SSL_SYSTEM_DEFAULT_CIPHER_LIST OSSL_default_cipher_list()
|
||||||
|
+# endif
|
||||||
|
|
||||||
|
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
|
||||||
|
# define SSL_SENT_SHUTDOWN 1
|
||||||
|
Index: openssl-3.0.1/ssl/ssl_ciph.c
|
||||||
|
===================================================================
|
||||||
|
--- openssl-3.0.1.orig/ssl/ssl_ciph.c
|
||||||
|
+++ openssl-3.0.1/ssl/ssl_ciph.c
|
||||||
|
@@ -1436,6 +1436,53 @@ int SSL_set_ciphersuites(SSL *s, const c
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifdef SYSTEM_CIPHERS_FILE
|
||||||
|
+static char *load_system_str(const char *suffix)
|
||||||
|
+{
|
||||||
|
+ FILE *fp;
|
||||||
|
+ char buf[1024];
|
||||||
|
+ char *new_rules;
|
||||||
|
+ const char *ciphers_path;
|
||||||
|
+ unsigned len, slen;
|
||||||
|
+
|
||||||
|
+ if ((ciphers_path = ossl_safe_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL)
|
||||||
|
+ ciphers_path = SYSTEM_CIPHERS_FILE;
|
||||||
|
+ fp = fopen(ciphers_path, "r");
|
||||||
|
+ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) {
|
||||||
|
+ /* cannot open or file is empty */
|
||||||
|
+ snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (fp)
|
||||||
|
+ fclose(fp);
|
||||||
|
+
|
||||||
|
+ slen = strlen(suffix);
|
||||||
|
+ len = strlen(buf);
|
||||||
|
+
|
||||||
|
+ if (buf[len - 1] == '\n') {
|
||||||
|
+ len--;
|
||||||
|
+ buf[len] = 0;
|
||||||
|
+ }
|
||||||
|
+ if (buf[len - 1] == '\r') {
|
||||||
|
+ len--;
|
||||||
|
+ buf[len] = 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ new_rules = OPENSSL_malloc(len + slen + 1);
|
||||||
|
+ if (new_rules == 0)
|
||||||
|
+ return NULL;
|
||||||
|
+
|
||||||
|
+ memcpy(new_rules, buf, len);
|
||||||
|
+ if (slen > 0) {
|
||||||
|
+ memcpy(&new_rules[len], suffix, slen);
|
||||||
|
+ len += slen;
|
||||||
|
+ }
|
||||||
|
+ new_rules[len] = 0;
|
||||||
|
+
|
||||||
|
+ return new_rules;
|
||||||
|
+}
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
|
||||||
|
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
|
||||||
|
STACK_OF(SSL_CIPHER) **cipher_list,
|
||||||
|
@@ -1450,15 +1497,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||||
|
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
|
||||||
|
const SSL_CIPHER **ca_list = NULL;
|
||||||
|
const SSL_METHOD *ssl_method = ctx->method;
|
||||||
|
+#ifdef SYSTEM_CIPHERS_FILE
|
||||||
|
+ char *new_rules = NULL;
|
||||||
|
+
|
||||||
|
+ if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) {
|
||||||
|
+ char *p = rule_str + 14;
|
||||||
|
+
|
||||||
|
+ new_rules = load_system_str(p);
|
||||||
|
+ rule_str = new_rules;
|
||||||
|
+ }
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Return with error if nothing to do.
|
||||||
|
*/
|
||||||
|
if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
|
||||||
|
- return NULL;
|
||||||
|
+ goto err;
|
||||||
|
|
||||||
|
if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
|
||||||
|
- return NULL;
|
||||||
|
+ goto err;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* To reduce the work to do we only want to process the compiled
|
||||||
|
@@ -1480,7 +1537,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||||
|
co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
|
||||||
|
if (co_list == NULL) {
|
||||||
|
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
|
||||||
|
- return NULL; /* Failure */
|
||||||
|
+ goto err;
|
||||||
|
}
|
||||||
|
|
||||||
|
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
|
||||||
|
@@ -1546,8 +1603,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||||
|
* in force within each class
|
||||||
|
*/
|
||||||
|
if (!ssl_cipher_strength_sort(&head, &tail)) {
|
||||||
|
- OPENSSL_free(co_list);
|
||||||
|
- return NULL;
|
||||||
|
+ goto err;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -1591,9 +1647,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||||
|
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
|
||||||
|
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
|
||||||
|
if (ca_list == NULL) {
|
||||||
|
- OPENSSL_free(co_list);
|
||||||
|
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
|
||||||
|
- return NULL; /* Failure */
|
||||||
|
+ goto err;
|
||||||
|
}
|
||||||
|
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
|
||||||
|
disabled_mkey, disabled_auth, disabled_enc,
|
||||||
|
@@ -1626,8 +1681,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||||
|
OPENSSL_free(ca_list); /* Not needed anymore */
|
||||||
|
|
||||||
|
if (!ok) { /* Rule processing failure */
|
||||||
|
- OPENSSL_free(co_list);
|
||||||
|
- return NULL;
|
||||||
|
+ goto err;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -1635,10 +1689,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||||
|
* if we cannot get one.
|
||||||
|
*/
|
||||||
|
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
|
||||||
|
- OPENSSL_free(co_list);
|
||||||
|
- return NULL;
|
||||||
|
+ goto err;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifdef SYSTEM_CIPHERS_FILE
|
||||||
|
+ OPENSSL_free(new_rules); /* Not needed anymore */
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
/* Add TLSv1.3 ciphers first - we always prefer those if possible */
|
||||||
|
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
|
||||||
|
const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
|
||||||
|
@@ -1656,6 +1713,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||||
|
if (!sk_SSL_CIPHER_push(cipherstack, sslc)) {
|
||||||
|
OPENSSL_free(co_list);
|
||||||
|
sk_SSL_CIPHER_free(cipherstack);
|
||||||
|
+ OPENSSL_free(co_list);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -1690,6 +1748,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
|
||||||
|
*cipher_list = cipherstack;
|
||||||
|
|
||||||
|
return cipherstack;
|
||||||
|
+
|
||||||
|
+err:
|
||||||
|
+ OPENSSL_free(co_list);
|
||||||
|
+#ifdef SYSTEM_CIPHERS_FILE
|
||||||
|
+ OPENSSL_free(new_rules);
|
||||||
|
+#endif
|
||||||
|
+ return NULL;
|
||||||
|
+
|
||||||
|
}
|
||||||
|
|
||||||
|
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
|
||||||
|
Index: openssl-3.0.1/ssl/ssl_lib.c
|
||||||
|
===================================================================
|
||||||
|
--- openssl-3.0.1.orig/ssl/ssl_lib.c
|
||||||
|
+++ openssl-3.0.1/ssl/ssl_lib.c
|
||||||
|
@@ -660,7 +660,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
|
||||||
|
ctx->tls13_ciphersuites,
|
||||||
|
&(ctx->cipher_list),
|
||||||
|
&(ctx->cipher_list_by_id),
|
||||||
|
- OSSL_default_cipher_list(), ctx->cert);
|
||||||
|
+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ctx->cert);
|
||||||
|
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
|
||||||
|
ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
|
||||||
|
return 0;
|
||||||
|
@@ -3248,7 +3248,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li
|
||||||
|
if (!ssl_create_cipher_list(ret,
|
||||||
|
ret->tls13_ciphersuites,
|
||||||
|
&ret->cipher_list, &ret->cipher_list_by_id,
|
||||||
|
- OSSL_default_cipher_list(), ret->cert)
|
||||||
|
+ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert)
|
||||||
|
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
|
||||||
|
ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
|
||||||
|
goto err2;
|
||||||
|
Index: openssl-3.0.1/test/cipherlist_test.c
|
||||||
|
===================================================================
|
||||||
|
--- openssl-3.0.1.orig/test/cipherlist_test.c
|
||||||
|
+++ openssl-3.0.1/test/cipherlist_test.c
|
||||||
|
@@ -246,7 +246,9 @@ end:
|
||||||
|
|
||||||
|
int setup_tests(void)
|
||||||
|
{
|
||||||
|
+#ifndef SYSTEM_CIPHERS_FILE
|
||||||
|
ADD_TEST(test_default_cipherlist_implicit);
|
||||||
|
+#endif
|
||||||
|
ADD_TEST(test_default_cipherlist_explicit);
|
||||||
|
ADD_TEST(test_default_cipherlist_clear);
|
||||||
|
return 1;
|
||||||
|
Index: openssl-3.0.1/util/libcrypto.num
|
||||||
|
===================================================================
|
||||||
|
--- openssl-3.0.1.orig/util/libcrypto.num
|
||||||
|
+++ openssl-3.0.1/util/libcrypto.num
|
||||||
|
@@ -5425,3 +5425,4 @@ ASN1_item_d2i_ex
|
||||||
|
ASN1_TIME_print_ex 5553 3_0_0 EXIST::FUNCTION:
|
||||||
|
EVP_PKEY_get0_provider 5554 3_0_0 EXIST::FUNCTION:
|
||||||
|
EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION:
|
||||||
|
+ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
|
||||||
|
Index: openssl-3.0.1/Configure
|
||||||
|
===================================================================
|
||||||
|
--- openssl-3.0.1.orig/Configure
|
||||||
|
+++ openssl-3.0.1/Configure
|
||||||
|
@@ -27,7 +27,7 @@ use OpenSSL::config;
|
||||||
|
my $orig_death_handler = $SIG{__DIE__};
|
||||||
|
$SIG{__DIE__} = \&death_handler;
|
||||||
|
|
||||||
|
-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
|
||||||
|
+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
|
||||||
|
|
||||||
|
my $banner = <<"EOF";
|
||||||
|
|
||||||
|
@@ -61,6 +61,10 @@ EOF
|
||||||
|
# given with --prefix.
|
||||||
|
# This becomes the value of OPENSSLDIR in Makefile and in C.
|
||||||
|
# (Default: PREFIX/ssl)
|
||||||
|
+#
|
||||||
|
+# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM
|
||||||
|
+# cipher is specified (default).
|
||||||
|
+#
|
||||||
|
# --banner=".." Output specified text instead of default completion banner
|
||||||
|
#
|
||||||
|
# -w Don't wait after showing a Configure warning
|
||||||
|
@@ -387,6 +391,7 @@ $config{prefix}="";
|
||||||
|
$config{openssldir}="";
|
||||||
|
$config{processor}="";
|
||||||
|
$config{libdir}="";
|
||||||
|
+$config{system_ciphers_file}="";
|
||||||
|
my $auto_threads=1; # enable threads automatically? true by default
|
||||||
|
my $default_ranlib;
|
||||||
|
|
||||||
|
@@ -989,6 +994,10 @@ while (@argvcopy)
|
||||||
|
die "FIPS key too long (64 bytes max)\n"
|
||||||
|
if length $1 > 64;
|
||||||
|
}
|
||||||
|
+ elsif (/^--system-ciphers-file=(.*)$/)
|
||||||
|
+ {
|
||||||
|
+ $config{system_ciphers_file}=$1;
|
||||||
|
+ }
|
||||||
|
elsif (/^--banner=(.*)$/)
|
||||||
|
{
|
||||||
|
$banner = $1 . "\n";
|
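Review bot: The push-failure path in ssl_create_cipher_list now frees co_list twice: the hunk at `@@ -1656,6 +1713,7 @@` keeps the existing `OPENSSL_free(co_list);` before `sk_SSL_CIPHER_free(cipherstack);` as context and adds a second `OPENSSL_free(co_list);` after it, so an allocation failure in sk_SSL_CIPHER_push becomes a double free. Dropping the added line is the whole fix; do not turn it into `goto err`, because `err:` also frees new_rules, which was already released before the TLSv1.3 loop and is never reset to NULL. Separately, load_system_str strips line endings with `buf[len - 1]` on an unsigned len: a policy file whose first line is just a newline leaves len at 0 after the `\n` strip, and the following `\r` check then reads far outside buf — guard both as `if (len > 0 && buf[len - 1] == '\n')` / `if (len > 0 && buf[len - 1] == '\r')`. The 1024-byte buffer also means a longer policy line is silently cut at 1023 bytes, which may drop trailing `!` exclusions from the system cipher string; a comment or an explicit length check would be worth adding. The rest of ssl_create_cipher_list lies outside these hunks.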
@ -0,0 +1,60 @@
|
|||||||
|
From 6790960076742a9053c624e26fbb87fcd5789e27 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||||
|
Date: Thu, 24 Sep 2020 09:17:26 +0200
|
||||||
|
Subject: Override default paths for the CA directory tree
|
||||||
|
|
||||||
|
Also add default section to load crypto-policies configuration
|
||||||
|
for TLS.
|
||||||
|
|
||||||
|
It needs to be reverted before running tests.
|
||||||
|
|
||||||
|
(was openssl-1.1.1-conf-paths.patch)
|
||||||
|
---
|
||||||
|
apps/openssl.cnf | 20 ++++++++++++++++++--
|
||||||
|
2 files changed, 19 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
Index: openssl-3.0.1/apps/openssl.cnf
|
||||||
|
===================================================================
|
||||||
|
--- openssl-3.0.1.orig/apps/openssl.cnf
|
||||||
|
+++ openssl-3.0.1/apps/openssl.cnf
|
||||||
|
@@ -52,6 +52,8 @@ tsa_policy3 = 1.2.3.4.5.7
|
||||||
|
|
||||||
|
[openssl_init]
|
||||||
|
providers = provider_sect
|
||||||
|
+# Load default TLS policy configuration
|
||||||
|
+ssl_conf = ssl_module
|
||||||
|
|
||||||
|
# List of providers to load
|
||||||
|
[provider_sect]
|
||||||
|
@@ -71,6 +73,13 @@ default = default_sect
|
||||||
|
[default_sect]
|
||||||
|
# activate = 1
|
||||||
|
|
||||||
|
+[ ssl_module ]
|
||||||
|
+
|
||||||
|
+system_default = crypto_policy
|
||||||
|
+
|
||||||
|
+[ crypto_policy ]
|
||||||
|
+
|
||||||
|
+.include = /etc/crypto-policies/back-ends/opensslcnf.config
|
||||||
|
|
||||||
|
####################################################################
|
||||||
|
[ ca ]
|
||||||
|
@@ -79,7 +88,7 @@ default_ca = CA_default # The default c
|
||||||
|
####################################################################
|
||||||
|
[ CA_default ]
|
||||||
|
|
||||||
|
-dir = ./demoCA # Where everything is kept
|
||||||
|
+dir = /etc/pki/CA # Where everything is kept
|
||||||
|
certs = $dir/certs # Where the issued certs are kept
|
||||||
|
crl_dir = $dir/crl # Where the issued crl are kept
|
||||||
|
database = $dir/index.txt # database index file.
|
||||||
|
@@ -309,7 +318,7 @@ default_tsa = tsa_config1 # the default
|
||||||
|
[ tsa_config1 ]
|
||||||
|
|
||||||
|
# These are used by the TSA reply generation only.
|
||||||
|
-dir = ./demoCA # TSA root directory
|
||||||
|
+dir = /etc/pki/CA # TSA root directory
|
||||||
|
serial = $dir/tsaserial # The current serial number (mandatory)
|
||||||
|
crypto_device = builtin # OpenSSL engine to use for signing
|
||||||
|
signer_cert = $dir/tsacert.pem # The TSA signing certificate
|
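Review bot: The `+dir = /etc/pki/CA` lines for `[ CA_default ]` and `[ tsa_config1 ]` are still present in this patch, while the Jan 28 changelog entry in the same request says /etc/pki/CA was removed from openssl-Override-default-paths-for-the-CA-directory-tree.patch, so one of the two looks stale. No visible spec hunk creates or owns /etc/pki/CA, so `openssl ca` and `openssl ts` would presumably fail on a fresh install until someone builds the tree by hand; if the directory is intended, the spec needs `%dir` entries (and a restrictive `%attr` for the private subdirectory), otherwise revert these two lines to upstream's `./demoCA`. The new `[ crypto_policy ]` section does `.include = /etc/crypto-policies/back-ends/opensslcnf.config`, but no Requires on crypto-policies is visible; if that file is absent the include is, as far as I can tell, skipped silently, so `system_default` would quietly apply nothing rather than fail. The patch header's diffstat (`2 files changed, 19 insertions(+), 3 deletions(-)`) no longer matches the single apps/openssl.cnf hunk and should be regenerated.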
142
openssl-use-versioned-config.patch
Normal file
142
openssl-use-versioned-config.patch
Normal file
@ -0,0 +1,142 @@
|
|||||||
|
From 300d2b56166aee85d9ce4c1275da1ad79c876e31 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sahana Prasad <sahana@redhat.com>
|
||||||
|
Date: Tue, 5 Oct 2021 12:10:42 +0200
|
||||||
|
Subject: [PATCH] Updates the conf file to openssl11.cnf Resolves:
|
||||||
|
rhbz#1947584, rhbz#2003123 Signed-off-by: Sahana Prasad <sahana@redhat.com>
|
||||||
|
|
||||||
|
Refactored for SUSE by Simon Lees sflees@suse.de
|
||||||
|
|
||||||
|
Index: openssl-3.0.1/include/internal/cryptlib.h
|
||||||
|
===================================================================
|
||||||
|
--- openssl-3.0.1.orig/include/internal/cryptlib.h
|
||||||
|
+++ openssl-3.0.1/include/internal/cryptlib.h
|
||||||
|
@@ -61,7 +61,7 @@ DEFINE_STACK_OF(EX_CALLBACK)
|
||||||
|
typedef struct mem_st MEM;
|
||||||
|
DEFINE_LHASH_OF(MEM);
|
||||||
|
|
||||||
|
-# define OPENSSL_CONF "openssl.cnf"
|
||||||
|
+# define OPENSSL_CONF "openssl3.cnf"
|
||||||
|
|
||||||
|
# ifndef OPENSSL_SYS_VMS
|
||||||
|
# define X509_CERT_AREA OPENSSLDIR
|
||||||
|
Index: openssl-3.0.1/Configurations/unix-Makefile.tmpl
|
||||||
|
===================================================================
|
||||||
|
--- openssl-3.0.1.orig/Configurations/unix-Makefile.tmpl
|
||||||
|
+++ openssl-3.0.1/Configurations/unix-Makefile.tmpl
|
||||||
|
@@ -129,7 +129,7 @@ GENERATED_PODS={- # common0.tmpl provide
|
||||||
|
fill_lines(" ", $COLUMNS - 15,
|
||||||
|
map { my $x = $_;
|
||||||
|
(
|
||||||
|
- grep {
|
||||||
|
+ grep {
|
||||||
|
$unified_info{attributes}->{depends}
|
||||||
|
->{$x}->{$_}->{pod} // 0
|
||||||
|
}
|
||||||
|
@@ -675,14 +675,14 @@ install_ssldirs:
|
||||||
|
: {- output_on() if windowsdll(); "" -}; \
|
||||||
|
fi; \
|
||||||
|
done
|
||||||
|
- @$(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist"
|
||||||
|
- @cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new
|
||||||
|
- @chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new
|
||||||
|
- @mv -f $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist
|
||||||
|
- @if [ ! -f "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf" ]; then \
|
||||||
|
- $(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \
|
||||||
|
- cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl.cnf; \
|
||||||
|
- chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf; \
|
||||||
|
+ @$(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.dist"
|
||||||
|
+ @cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.new
|
||||||
|
+ @chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.new
|
||||||
|
+ @mv -f $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.new $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.dist
|
||||||
|
+ @if [ ! -f "$(DESTDIR)$(OPENSSLDIR)/openssl3.cnf" ]; then \
|
||||||
|
+ $(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf"; \
|
||||||
|
+ cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf; \
|
||||||
|
+ chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf; \
|
||||||
|
fi
|
||||||
|
@$(ECHO) "install $(SRCDIR)/apps/ct_log_list.cnf -> $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.dist"
|
||||||
|
@cp $(SRCDIR)/apps/ct_log_list.cnf $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new
|
||||||
|
@@ -1136,7 +1136,7 @@ lint:
|
||||||
|
|
||||||
|
generate_apps:
|
||||||
|
( cd $(SRCDIR); $(PERL) VMS/VMSify-conf.pl \
|
||||||
|
- < apps/openssl.cnf > apps/openssl-vms.cnf )
|
||||||
|
+ < apps/openssl3.cnf > apps/openssl-vms.cnf )
|
||||||
|
|
||||||
|
generate_crypto_bn:
|
||||||
|
( cd $(SRCDIR); $(PERL) crypto/bn/bn_prime.pl > crypto/bn/bn_prime.h )
|
||||||
|
@@ -1374,7 +1374,7 @@ tar:
|
||||||
|
|
||||||
|
# Helper targets #####################################################
|
||||||
|
|
||||||
|
-link-utils: $(BLDDIR)/util/opensslwrap.sh $(BLDDIR)/apps/openssl.cnf
|
||||||
|
+link-utils: $(BLDDIR)/util/opensslwrap.sh $(BLDDIR)/apps/openssl3.cnf
|
||||||
|
|
||||||
|
$(BLDDIR)/util/opensslwrap.sh: configdata.pm
|
||||||
|
@if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \
|
||||||
|
@@ -1382,7 +1382,7 @@ $(BLDDIR)/util/opensslwrap.sh: configdat
|
||||||
|
ln -sf "../$(SRCDIR)/util/`basename "$@"`" "$(BLDDIR)/util"; \
|
||||||
|
fi
|
||||||
|
|
||||||
|
-$(BLDDIR)/apps/openssl.cnf: configdata.pm
|
||||||
|
+$(BLDDIR)/apps/openssl3.cnf: configdata.pm
|
||||||
|
@if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \
|
||||||
|
mkdir -p "$(BLDDIR)/apps"; \
|
||||||
|
ln -sf "../$(SRCDIR)/apps/`basename "$@"`" "$(BLDDIR)/apps"; \
|
||||||
|
Index: openssl-3.0.1/Configure
|
||||||
|
===================================================================
|
||||||
|
--- openssl-3.0.1.orig/Configure
|
||||||
|
+++ openssl-3.0.1/Configure
|
||||||
|
@@ -56,7 +56,7 @@ EOF
|
||||||
|
# directories bin, lib, include, share/man, share/doc/openssl
|
||||||
|
# This becomes the value of INSTALLTOP in Makefile
|
||||||
|
# (Default: /usr/local)
|
||||||
|
-# --openssldir OpenSSL data area, such as openssl.cnf, certificates and keys.
|
||||||
|
+# --openssldir OpenSSL data area, such as openssl3.cnf, certificates and keys.
|
||||||
|
# If it's a relative directory, it will be added on the directory
|
||||||
|
# given with --prefix.
|
||||||
|
# This becomes the value of OPENSSLDIR in Makefile and in C.
|
||||||
|
Index: openssl-3.0.1/doc/HOWTO/certificates.txt
|
||||||
|
===================================================================
|
||||||
|
--- openssl-3.0.1.orig/doc/HOWTO/certificates.txt
|
||||||
|
+++ openssl-3.0.1/doc/HOWTO/certificates.txt
|
||||||
|
@@ -16,7 +16,7 @@ Certificate authorities should read http
|
||||||
|
In all the cases shown below, the standard configuration file, as
|
||||||
|
compiled into openssl, will be used. You may find it in /etc/,
|
||||||
|
/usr/local/ssl/ or somewhere else. By default the file is named
|
||||||
|
-openssl.cnf and is described at https://www.openssl.org/docs/apps/config.html.
|
||||||
|
+openssl3.cnf and is described at https://www.openssl.org/docs/apps/config.html.
|
||||||
|
You can specify a different configuration file using the
|
||||||
|
'-config {file}' argument with the commands shown below.
|
||||||
|
|
||||||
|
Index: openssl-3.0.1/doc/man3/OPENSSL_config.pod
|
||||||
|
===================================================================
|
||||||
|
--- openssl-3.0.1.orig/doc/man3/OPENSSL_config.pod
|
||||||
|
+++ openssl-3.0.1/doc/man3/OPENSSL_config.pod
|
||||||
|
@@ -17,7 +17,7 @@ see L<openssl_user_macros(7)>:
|
||||||
|
|
||||||
|
=head1 DESCRIPTION
|
||||||
|
|
||||||
|
-OPENSSL_config() configures OpenSSL using the standard B<openssl.cnf> and
|
||||||
|
+OPENSSL_config() configures OpenSSL using the standard B<openssl3.cnf> and
|
||||||
|
reads from the application section B<appname>. If B<appname> is NULL then
|
||||||
|
the default section, B<openssl_conf>, will be used.
|
||||||
|
Errors are silently ignored.
|
||||||
|
Index: openssl-3.0.1/INSTALL.md
|
||||||
|
===================================================================
|
||||||
|
--- openssl-3.0.1.orig/INSTALL.md
|
||||||
|
+++ openssl-3.0.1/INSTALL.md
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
-Build and Install
|
||||||
|
+fBuild and Install
|
||||||
|
=================
|
||||||
|
|
||||||
|
This document describes installation on all supported operating
|
||||||
|
@@ -567,7 +567,7 @@ is an objective.
|
||||||
|
|
||||||
|
### no-autoload-config
|
||||||
|
|
||||||
|
-Don't automatically load the default `openssl.cnf` file.
|
||||||
|
+Don't automatically load the default `openssl3.cnf` file.
|
||||||
|
|
||||||
|
Typically OpenSSL will automatically load a system config file which configures
|
||||||
|
default SSL options.
|
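Review bot: The Makefile.tmpl hunks make `generate_apps` read `apps/openssl3.cnf` and make `link-utils` symlink `$(BLDDIR)/apps/openssl3.cnf` to `../$(SRCDIR)/apps/openssl3.cnf`, but `install_ssldirs` in the same patch still copies `$(SRCDIR)/apps/openssl.cnf`, and nothing in the patch renames the source file. Unless %prep or %build copies apps/openssl.cnf to apps/openssl3.cnf (not visible on this page), the build-dir link dangles and fix-config-in-tests.patch's OPENSSL_CONF points at a missing file; either rename the source file in this patch or keep the source-tree references at `openssl.cnf` and change only the installed name. The INSTALL.md hunk also introduces a stray character: `+fBuild and Install` should read `Build and Install`. Changing `OPENSSL_CONF` to `"openssl3.cnf"` in include/internal/cryptlib.h means libcrypto 3 ignores an existing /etc/ssl/openssl.cnf from openssl-1_1, which is presumably the point of the versioned name but deserves a comment next to the define, e.g. `/* versioned so openssl-3 can coexist with openssl-1_1's /etc/ssl/openssl.cnf */`.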