pool/openssl-3
SHA256
2
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
896b1d2d57
openssl-3/openssl-use-versioned-config.patch
Pedro Monreal Gonzalez 2f2f23d69b Accepting request 962003 from home:pmonrealgonzalez:branches:security:tls 
- Update to 3.0.2: [bsc#1196877, CVE-2022-0778]
  * Security fix [CVE-2022-0778]: Infinite loop for non-prime moduli
    in BN_mod_sqrt() reachable when parsing certificates.
  * Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK
    (RFC 5489) to the list of ciphersuites providing Perfect Forward
    Secrecy as required by SECLEVEL >= 3.
  * Made the AES constant time code for no-asm configurations
    optional due to the resulting 95% performance degradation.
    The AES constant time code can be enabled, for no assembly
    builds, with: ./config no-asm -DOPENSSL_AES_CONST_TIME
  * Fixed PEM_write_bio_PKCS8PrivateKey() to make it possible to
    use empty passphrase strings.
  * The negative return value handling of the certificate
    verification callback was reverted. The replacement is to set
    the verification retry state with the SSL_set_retry_verify()
    function.
  * Rebase openssl-use-versioned-config.patch

- Keep CA_default and tsa_config1 default paths in openssl3.cnf
- Rebase patches:
  * openssl-Override-default-paths-for-the-CA-directory-tree.patch
  * openssl-use-versioned-config.patch

OBS-URL: https://build.opensuse.org/request/show/962003
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=38
2022-03-15 19:28:22 +00:00

128 lines
5.9 KiB
Diff
Raw Blame History

From 300d2b56166aee85d9ce4c1275da1ad79c876e31 Mon Sep 17 00:00:00 2001
From: Sahana Prasad <sahana@redhat.com>
Date: Tue, 5 Oct 2021 12:10:42 +0200
Subject: [PATCH] Updates the conf file to openssl11.cnf Resolves:
rhbz#1947584, rhbz#2003123 Signed-off-by: Sahana Prasad <sahana@redhat.com>
Refactored for SUSE by Simon Lees sflees@suse.de
Index: openssl-3.0.2/include/internal/cryptlib.h
===================================================================
--- openssl-3.0.2.orig/include/internal/cryptlib.h
+++ openssl-3.0.2/include/internal/cryptlib.h
@@ -61,7 +61,7 @@ DEFINE_STACK_OF(EX_CALLBACK)
typedef struct mem_st MEM;
DEFINE_LHASH_OF(MEM);
-# define OPENSSL_CONF "openssl.cnf"
+# define OPENSSL_CONF "openssl3.cnf"
# ifndef OPENSSL_SYS_VMS
# define X509_CERT_AREA OPENSSLDIR
Index: openssl-3.0.2/Configurations/unix-Makefile.tmpl
===================================================================
--- openssl-3.0.2.orig/Configurations/unix-Makefile.tmpl
+++ openssl-3.0.2/Configurations/unix-Makefile.tmpl
@@ -675,14 +675,14 @@ install_ssldirs:
: {- output_on() if windowsdll(); "" -}; \
fi; \
done
- @$(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist"
- @cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new
- @chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new
- @mv -f $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist
- @if [ ! -f "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf" ]; then \
- $(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \
- cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl.cnf; \
- chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf; \
+ @$(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.dist"
+ @cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.new
+ @chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.new
+ @mv -f $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.new $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.dist
+ @if [ ! -f "$(DESTDIR)$(OPENSSLDIR)/openssl3.cnf" ]; then \
+ $(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf"; \
+ cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf; \
+ chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf; \
fi
@$(ECHO) "install $(SRCDIR)/apps/ct_log_list.cnf -> $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.dist"
@cp $(SRCDIR)/apps/ct_log_list.cnf $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new
@@ -1136,7 +1136,7 @@ lint:
generate_apps:
( cd $(SRCDIR); $(PERL) VMS/VMSify-conf.pl \
- < apps/openssl.cnf > apps/openssl-vms.cnf )
+ < apps/openssl3.cnf > apps/openssl-vms.cnf )
generate_crypto_bn:
( cd $(SRCDIR); $(PERL) crypto/bn/bn_prime.pl > crypto/bn/bn_prime.h )
@@ -1374,7 +1374,7 @@ tar:
# Helper targets #####################################################
-link-utils: $(BLDDIR)/util/opensslwrap.sh $(BLDDIR)/apps/openssl.cnf
+link-utils: $(BLDDIR)/util/opensslwrap.sh $(BLDDIR)/apps/openssl3.cnf
$(BLDDIR)/util/opensslwrap.sh: Makefile
@if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \
@@ -1382,7 +1382,7 @@ $(BLDDIR)/util/opensslwrap.sh: Makefile
ln -sf "../$(SRCDIR)/util/`basename "$@"`" "$(BLDDIR)/util"; \
fi
-$(BLDDIR)/apps/openssl.cnf: Makefile
+$(BLDDIR)/apps/openssl3.cnf: Makefile
@if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \
mkdir -p "$(BLDDIR)/apps"; \
ln -sf "../$(SRCDIR)/apps/`basename "$@"`" "$(BLDDIR)/apps"; \
Index: openssl-3.0.2/Configure
===================================================================
--- openssl-3.0.2.orig/Configure
+++ openssl-3.0.2/Configure
@@ -56,7 +56,7 @@ EOF
# directories bin, lib, include, share/man, share/doc/openssl
# This becomes the value of INSTALLTOP in Makefile
# (Default: /usr/local)
-# --openssldir OpenSSL data area, such as openssl.cnf, certificates and keys.
+# --openssldir OpenSSL data area, such as openssl3.cnf, certificates and keys.
# If it's a relative directory, it will be added on the directory
# given with --prefix.
# This becomes the value of OPENSSLDIR in Makefile and in C.
Index: openssl-3.0.2/doc/HOWTO/certificates.txt
===================================================================
--- openssl-3.0.2.orig/doc/HOWTO/certificates.txt
+++ openssl-3.0.2/doc/HOWTO/certificates.txt
@@ -16,7 +16,7 @@ Certificate authorities should read http
In all the cases shown below, the standard configuration file, as
compiled into openssl, will be used. You may find it in /etc/,
/usr/local/ssl/ or somewhere else. By default the file is named
-openssl.cnf and is described at https://www.openssl.org/docs/apps/config.html.
+openssl3.cnf and is described at https://www.openssl.org/docs/apps/config.html.
You can specify a different configuration file using the
'-config {file}' argument with the commands shown below.
Index: openssl-3.0.2/doc/man3/OPENSSL_config.pod
===================================================================
--- openssl-3.0.2.orig/doc/man3/OPENSSL_config.pod
+++ openssl-3.0.2/doc/man3/OPENSSL_config.pod
@@ -17,7 +17,7 @@ see L<openssl_user_macros(7)>:
=head1 DESCRIPTION
-OPENSSL_config() configures OpenSSL using the standard B<openssl.cnf> and
+OPENSSL_config() configures OpenSSL using the standard B<openssl3.cnf> and
reads from the application section B<appname>. If B<appname> is NULL then
the default section, B<openssl_conf>, will be used.
Errors are silently ignored.
Index: openssl-3.0.2/INSTALL.md
===================================================================
--- openssl-3.0.2.orig/INSTALL.md
+++ openssl-3.0.2/INSTALL.md
@@ -567,7 +567,7 @@ is an objective.
### no-autoload-config
-Don't automatically load the default `openssl.cnf` file.
+Don't automatically load the default `openssl3.cnf` file.
Typically OpenSSL will automatically load a system config file which configures
default SSL options.
Reference in New Issue View Git Blame Copy Permalink