diff --git a/baselibs.conf b/baselibs.conf
index 496e94a..1d3616f 100644
--- a/baselibs.conf
+++ b/baselibs.conf
@@ -1,6 +1,10 @@
 libopenssl3
+ obsoletes "libopenssl1_1_0-"
+libopenssl3-hmac
+ requires "libopenssl3- = -%release"
 libopenssl-3-devel
 provides "libopenssl-devel- = "
 conflicts "otherproviders(libopenssl-devel-)"
+ conflicts "libopenssl-1_1-devel-"
 requires -"openssl-3-"
 requires "libopenssl3- = "
diff --git a/fix-config-in-tests.patch b/fix-config-in-tests.patch
deleted file mode 100644
index 5c7900e..0000000
--- a/fix-config-in-tests.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: openssl-3.0.1/test/run_tests.pl
-===================================================================
---- openssl-3.0.1.orig/test/run_tests.pl
-+++ openssl-3.0.1/test/run_tests.pl
-@@ -33,7 +33,7 @@ my $recipesdir = catdir($srctop, "test",
- my $libdir = rel2abs(catdir($srctop, "util", "perl"));
- my $jobs = $ENV{HARNESS_JOBS} // 1;
-
--$ENV{OPENSSL_CONF} = rel2abs(catfile($srctop, "apps", "openssl.cnf"));
-+$ENV{OPENSSL_CONF} = rel2abs(catfile($srctop, "apps", "openssl3.cnf"));
- $ENV{OPENSSL_CONF_INCLUDE} = rel2abs(catdir($bldtop, "test"));
- $ENV{OPENSSL_MODULES} = rel2abs(catdir($bldtop, "providers"));
- $ENV{OPENSSL_ENGINES} = rel2abs(catdir($bldtop, "engines"));
diff --git a/openssl-3.changes b/openssl-3.changes
index 393ba08..b6d0e97 100644
--- a/openssl-3.changes
+++ b/openssl-3.changes
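Review bot: The new `libopenssl3-hmac` stanza carries only the exact-version requires on `libopenssl3-<targettype>`, whereas the spec gives the same subpackage `Obsoletes: libopenssl1_1_0-hmac` and `Obsoletes: libopenssl-1_0_0-hmac`. If -32bit builds of those older -hmac packages exist, the baselibs entry presumably needs matching lines so the upgrade path is the same for the 32-bit package, e.g. `  obsoletes "libopenssl1_1_0-hmac-<targettype>"` under `libopenssl3-hmac`. The `<targettype>` placeholder spelling is inferred from the neighbouring entries.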
@@ -1,9 +1,42 @@
+-------------------------------------------------------------------
+Thu Jan 26 08:17:50 UTC 2023 - Pedro Monreal
+
+- Relax the crypto-policies requirements for the regression tests
+
+-------------------------------------------------------------------
+Wed Jan 25 11:09:52 UTC 2023 - Pedro Monreal
+
+- Set OpenSSL 3.0.7 as the default openssl [bsc#1205042]
+ * Rename openssl-1.1.0-no-html.patch to openssl-no-html-docs.patch
+ * Rebase openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+ * Package a copy of the original default config file called
+ openssl.cnf and name it as openssl-orig.cnf and warn the user
+ if the files differ.
+ * Add openssl-3-devel as conflicting with libopenssl-1_1-devel
+ * Remove patches:
+ - fix-config-in-tests.patch
+ - openssl-use-versioned-config.patch
+
+-------------------------------------------------------------------
+Wed Jan 25 09:10:06 UTC 2023 - Pedro Monreal
+
+- Create the openssl ca-certificates directory in case the
+ ca-certificates package is not installed. This directory is
+ required by the nodejs regression tests. [bsc#1207484]
+
 -------------------------------------------------------------------
 Wed Dec 14 16:38:05 UTC 2022 - Otto Hollmann
 
 - Fix X.509 Policy Constraints Double Locking [bsc#1206374, CVE-2022-3996]
 * Add patch: openssl-3-Fix-double-locking-problem.patch
 
+-------------------------------------------------------------------
+Wed Dec 14 12:40:04 UTC 2022 - Pedro Monreal
+
+- Compute the hmac files for FIPS 140-3 integrity checking of the
+ openssl shared libraries using the brp-50-generate-fips-hmac
+ script. Also computed for the 32bit package.
+
 -------------------------------------------------------------------
 Tue Nov 1 18:29:41 UTC 2022 - Otto Hollmann
 
diff --git a/openssl-3.spec b/openssl-3.spec
index 3000ea6..f51d973 100644
--- a/openssl-3.spec
+++ b/openssl-3.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package openssl-3
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,9 +18,10 @@
 
 %define ssletcdir %{_sysconfdir}/ssl
 %define sover 3
-%define _rname openssl
+%define _rname openssl
+%define man_suffix 3ssl
 Name: openssl-3
-# Don't forget to update the version in the "openssl" package!
+# Don't forget to update the version in the "openssl" meta-package!
 Version: 3.0.7
 Release: 0
 Summary: Secure Sockets and Transport Layer Security
@@ -35,28 +36,32 @@ Source3: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz.asc
 # http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA2D29B7BF295C759#/openssl.keyring
 Source4: %{_rname}.keyring
 Source5: showciphers.c
-# PATCH-FIX-OPENSUSE: do not install html mans as it takes ages
-Patch1: openssl-1.1.0-no-html.patch
+# PATCH-FIX-OPENSUSE: Do not install html docs as it takes ages
+Patch1: openssl-no-html-docs.patch
 Patch2: openssl-truststore.patch
 Patch3: openssl-pkgconfig.patch
 Patch4: openssl-DEFAULT_SUSE_cipher.patch
 Patch5: openssl-ppc64-config.patch
 Patch6: openssl-no-date.patch
-# Patches for crypto-policies
+# Add crypto-policies support
 Patch7: openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
 Patch8: openssl-Override-default-paths-for-the-CA-directory-tree.patch
-# use openssl3.cnf
-Patch9: openssl-use-versioned-config.patch
-Patch10: fix-config-in-tests.patch
 # PATCH-FIX-UPSTREAM bsc#1206374 CVE-2022-3996 X.509 Policy Constraints Double Locking
-Patch11: openssl-3-Fix-double-locking-problem.patch
+Patch9: openssl-3-Fix-double-locking-problem.patch
 BuildRequires: pkgconfig
 BuildRequires: pkgconfig(zlib)
-# Add requires for ct_log_list.cnf{,.dist}
+Requires: libopenssl3 = %{version}-%{release}
 Requires: openssl
+Conflicts: ssl
+Provides: ssl
+Provides: openssl(cli)
 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 Requires: crypto-policies
 %endif
+# Needed for clean upgrade path, boo#1070003
+Obsoletes: openssl-1_0_0
+# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
+Obsoletes: openssl-1_1_0
 
 %description
 OpenSSL is a software library to be used in applications that need to
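Review bot: The added `Obsoletes: openssl-1_0_0` and `Obsoletes: openssl-1_1_0` are unversioned, and the same applies to `Obsoletes: libopenssl1_1_0`, `Obsoletes: libopenssl-1_1_0-devel` and `Obsoletes: libopenssl-1_0_0-devel` in the next two hunks and to the two `-hmac` obsoletes in the `%package -n libopenssl3-hmac` hunk. An unbounded Obsoletes also swallows any future package of that name, so if the old names are retired for good the comment should say so; otherwise bound them, e.g. `Obsoletes: openssl-1_1_0 < %{version}-%{release}`. `Provides: ssl` next to `Conflicts: ssl` is the usual single-provider idiom, but a one-line comment naming it would spare the next reader from reading it as a self-conflict.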
@@ -70,6 +75,11 @@ Summary: Secure Sockets and Transport Layer Security
 Requires: crypto-policies
 %endif
 Recommends: ca-certificates-mozilla
+# install libopenssl and libopenssl-hmac close together (bsc#1090765)
+Suggests: libopenssl3-hmac = %{version}-%{release}
+# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
+Obsoletes: libopenssl1_1_0
+Conflicts: %{name} < %{version}-%{release}
 
 %description -n libopenssl3
 OpenSSL is a software library to be used in applications that need to
@@ -82,11 +92,13 @@ Summary: Development files for OpenSSL
 Requires: libopenssl3 = %{version}
 Requires: pkgconfig(zlib)
 Recommends: %{name} = %{version}
-# We need to have around only the exact version we are able to operate with
-Conflicts: libopenssl-devel < %{version}
-Conflicts: libopenssl-devel > %{version}
 Conflicts: libressl-devel
-Conflicts: ssl-devel
+# Conflicting names with libopenssl-1_1-devel
+Conflicts: libopenssl-1_1-devel
+# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
+Obsoletes: libopenssl-1_1_0-devel
+# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
+Obsoletes: libopenssl-1_0_0-devel
 
 %description -n libopenssl-3-devel
 This subpackage contains header files for developing applications
@@ -103,6 +115,20 @@ BuildArch: noarch
 This package contains optional documentation provided in addition to
 this package's base documentation.
 
+%package -n libopenssl3-hmac
+Summary: HMAC files for FIPS 140-3 integrity checking of the openssl shared libraries
+License: BSD-3-Clause
+Requires: libopenssl3 = %{version}-%{release}
+BuildRequires: fipscheck
+# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
+Obsoletes: libopenssl1_1_0-hmac
+# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
+Obsoletes: libopenssl-1_0_0-hmac
+
+%description -n libopenssl3-hmac
+The FIPS compliant operation of the openssl shared libraries is NOT
+possible without the HMAC hashes contained in this package!
+
 %prep
 %autosetup -p1 -n %{_rname}-%{version}
 
@@ -115,13 +141,12 @@ export MACHINE=armv6l
 %endif
 
 ./config \
- no-idea \
- no-ec2m \
- enable-rfc3779 \
+ no-mdc2 no-ec2m no-sm2 no-sm4 \
+ enable-rfc3779 enable-camellia enable-seed \
 %ifarch x86_64 aarch64 ppc64le
 enable-ec_nistp_64_gcc_128 \
 %endif
- enable-camellia \
+ enable-fips \
 zlib \
 --prefix=%{_prefix} \
 --libdir=%{_lib} \
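Review bot: `BuildRequires: fipscheck` is placed inside the `%package -n libopenssl3-hmac` stanza; rpm treats every BuildRequires as global, so putting it there only suggests a subpackage scoping that does not exist — move it next to the other `BuildRequires:` lines in the preamble. The subpackage's `License: BSD-3-Clause` differs from the Apache-2.0 license OpenSSL 3.x itself ships under; if the HMAC files are meant to inherit the library license this looks like a carried-over value worth confirming. In the `./config` hunk the algorithm set changes (IDEA is no longer disabled, SEED is enabled, MDC2/SM2/SM4 are disabled) alongside `enable-fips`, but the openssl-3.changes entry in this commit mentions none of it; a changelog line such as `* Build with enable-fips; drop no-idea, add enable-seed, disable mdc2/sm2/sm4` would record the change.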
@@ -142,110 +167,133 @@ export MACHINE=armv6l # Show build configuration perl configdata.pm --dump +# Do not run this in a production package the FIPS symbols must be patched-in # util/mkdef.pl crypto update + %make_build depend %make_build all %check - -# We must revert patch8 before running tests, otherwise they will fail. +# Relax the crypto-policies requirements for the regression tests +# Revert patch8 before running tests patch -p1 -R < %{P:8} +export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) # export HARNESS_VERBOSE=yes -LD_LIBRARY_PATH="$PWD" make TESTS='-test_evp_fetch_prov -test_tsa -test_ssl_new -test_sslapi' test -j1 +LD_LIBRARY_PATH="$PWD" make test -j16 + # show ciphers gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{buildroot}%{_libdir} -lssl -lcrypto LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers %install -%make_install %{?_smp_mflags} +%make_install %{?_smp_mflags} MANSUFFIX=%{man_suffix} -# Kill static libs +rename so.%{sover} so.%{version} %{buildroot}%{_libdir}/*.so.%{sover} +for lib in %{buildroot}%{_libdir}/*.so.%{version} ; do + chmod 755 ${lib} + ln -sf $(basename ${lib}) %{buildroot}%{_libdir}/$(basename ${lib} .%{version}) + ln -sf $(basename ${lib}) %{buildroot}%{_libdir}/$(basename ${lib} .%{version}).%{sover} +done + +# Remove static libraries rm -f %{buildroot}%{_libdir}/lib*.a + # Remove the cnf.dist -rm -f %{buildroot}%{_sysconfdir}/ssl/openssl3.cnf.dist -mkdir %{buildroot}/%{_datadir}/ssl-3 -mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl-3/ +rm -f %{buildroot}%{ssletcdir}/openssl.cnf.dist +rm -f %{buildroot}%{ssletcdir}/ct_log_list.cnf.dist + +# Make a copy of the default openssl.cnf file +cp %{buildroot}%{ssletcdir}/openssl.cnf %{buildroot}%{ssletcdir}/openssl-orig.cnf + +# Create openssl ca-certificates dir required by nodejs regression tests [bsc#1207484] +mkdir -p 
%{buildroot}/var/lib/ca-certificates/openssl +install -d -m 555 %{buildroot}/var/lib/ca-certificates/openssl + +# Remove the fipsmodule.cnf because FIPS module is loaded automatically +rm -f %{buildroot}%{ssletcdir}/fipsmodule.cnf + ln -sf ./%{_rname} %{buildroot}/%{_includedir}/ssl mkdir %{buildroot}/%{_datadir}/ssl -# Rename binary -mv %{buildroot}%{_bindir}/%{_rname} %{buildroot}%{_bindir}/%{name} +mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl/ + # Avoid file conflicts with man pages from other packages pushd %{buildroot}/%{_mandir} find . -type f -exec chmod 644 {} + -# Some man pages now contain spaces. This makes several -# scripts go havoc, among them /usr/sbin/Check. -# Replace spaces by underscores -# for i in man?/*\ *; do mv -v "$i" "${i// /_}"; done - -touch $OLDPWD/filelist.doc $OLDPWD/filelist -which readlink &>/dev/null || function readlink { ( set +x; target=$(file $1 2>/dev/null); target=${target//* }; test -f $target && echo $target; ) } -for i in man?/*; do - if test -L $i ; then - LDEST=`readlink $i` - rm -f $i ${i}ssl - ln -sf ${LDEST}ssl-3 ${i}ssl-3 - else - mv $i ${i}ssl-3 - fi - case "$i" in - *.1) - # These are the pages mentioned in openssl(1). They go into the main package. - echo %doc %{_mandir}/${i}ssl-3%{?ext_man} >> $OLDPWD/filelist;; - *) - # The rest goes into the openssl-doc package. - echo %doc %{_mandir}/${i}ssl-3%{?ext_man} >> $OLDPWD/filelist.doc;; - esac -done +mv man5/config.5%{man_suffix} man5/openssl.cnf.5 popd -mv %{buildroot}%{_bindir}/c_rehash %{buildroot}%{_bindir}/c_rehash-3 - -# They are provided by openssl package -rm %{buildroot}%{ssletcdir}/ct_log_list.cnf* - # Do not install demo scripts executable under /usr/share/doc find demos -type f -perm /111 -exec chmod 644 {} + # Place showciphers.c for %%doc macro cp %{SOURCE5} . 
+# Compute the FIPS hmac using the brp-50-generate-fips-hmac script +export BRP_FIPSHMAC_FILES="%{buildroot}%{_libdir}/libssl.so.%{sover} %{buildroot}%{_libdir}/libcrypto.so.%{sover}" + +%post -p "/bin/bash" +if [ "$1" -gt 1 ] ; then + # Check if the packaged default config file for openssl-3, called openssl.cnf, + # is the original or if it has been modified and alert the user in that case + # that a copy of the original file openssl-orig.cnf can be used if needed. + cmp --silent %{ssletcdir}/openssl.cnf %{ssletcdir}/openssl-orig.cnf 2>/dev/null + if [ "$?" -eq 1 ] ; then + echo -e " The openssl-3 default config file openssl.cnf is different from" ; + echo -e " the original one shipped by the package. A copy of the original" ; + echo -e " file is packaged and named as openssl-orig.cnf if needed." + fi +fi + %post -n libopenssl3 -p /sbin/ldconfig %postun -n libopenssl3 -p /sbin/ldconfig %files -n libopenssl3 %license LICENSE.txt +%attr(0755,root,root) %{_libdir}/libssl.so.%{version} %{_libdir}/libssl.so.%{sover} +%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version} %{_libdir}/libcrypto.so.%{sover} %{_libdir}/engines-%{sover} %dir %{_libdir}/ossl-modules -#%%{_libdir}/ossl-modules/fips.so +%{_libdir}/ossl-modules/fips.so %{_libdir}/ossl-modules/legacy.so +%files -n libopenssl3-hmac +%{_libdir}/.libssl.so.%{sover}.hmac +%{_libdir}/.libcrypto.so.%{sover}.hmac + %files -n libopenssl-3-devel +%doc NOTES*.md CONTRIBUTING.md HACKING.md AUTHORS.md ACKNOWLEDGEMENTS.md %{_includedir}/%{_rname}/ %{_includedir}/ssl -%{_libdir}/libssl.so -%{_libdir}/libcrypto.so -%{_libdir}/pkgconfig/libcrypto.pc -%{_libdir}/pkgconfig/libssl.pc -%{_libdir}/pkgconfig/openssl.pc +%{_libdir}/*.so +%{_libdir}/pkgconfig/*.pc +%{_mandir}/man3/* -%files doc -f filelist.doc -%doc doc/* demos +%files doc +%doc README.md +%doc doc/html/* doc/HOWTO/* demos %doc showciphers.c -%files -f filelist -%doc CHANGE* +%files +%license LICENSE.txt +%doc CHANGES.md NEWS.md FAQ.md README.md %dir %{ssletcdir} 
-%config (noreplace) %{ssletcdir}/openssl3.cnf +%config %{ssletcdir}/openssl-orig.cnf +%config (noreplace) %{ssletcdir}/openssl.cnf +%config (noreplace) %{ssletcdir}/ct_log_list.cnf %attr(700,root,root) %{ssletcdir}/private - -%dir %{_datadir}/ssl-3 -%{_datadir}/ssl-3/misc -%{_bindir}/c_rehash-3 -%{_bindir}/%{name} +%dir %{_datadir}/ssl +%{_datadir}/ssl/misc +%dir /var/lib/ca-certificates/ +%dir /var/lib/ca-certificates/openssl +%{_bindir}/%{_rname} +%{_bindir}/c_rehash +%{_mandir}/man1/* +%{_mandir}/man5/* +%{_mandir}/man7/* %changelog diff --git a/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch b/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch index 2a54b94..506b796 100644 --- a/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch +++ b/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch @@ -15,10 +15,10 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist util/libcrypto.num | 1 + 8 files changed, 110 insertions(+), 14 deletions(-) -Index: openssl-3.0.5/Configurations/unix-Makefile.tmpl +Index: openssl-3.0.7/Configurations/unix-Makefile.tmpl =================================================================== ---- openssl-3.0.5.orig/Configurations/unix-Makefile.tmpl -+++ openssl-3.0.5/Configurations/unix-Makefile.tmpl +--- openssl-3.0.7.orig/Configurations/unix-Makefile.tmpl ++++ openssl-3.0.7/Configurations/unix-Makefile.tmpl @@ -315,6 +315,10 @@ MANDIR=$(INSTALLTOP)/share/man DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME) HTMLDIR=$(DOCDIR)/html 
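Review bot: The new `%post` scriptlet calls `cmp`, which comes from diffutils, but the hunk adds no `Requires(post): diffutils` (unless it is declared in a part of the spec not shown); combined with `2>/dev/null` and the `[ "$?" -eq 1 ]` test, a missing `cmp` (exit 127) or a missing `openssl-orig.cnf` (exit 2) is silently treated as "identical" and the warning never fires — add the dependency and consider `if ! cmp --silent %{ssletcdir}/openssl.cnf %{ssletcdir}/openssl-orig.cnf; then` so any non-zero status is surfaced. In %install the rename loop turns `libssl.so.%{sover}` and `libcrypto.so.%{sover}` into symlinks to the `.%{version}` files, yet `BRP_FIPSHMAC_FILES` and the `.lib*.so.%{sover}.hmac` entries name the symlinks; presumably the brp script follows the link, but the runtime integrity check has to resolve the same path, so a comment stating which file each HMAC covers would help. `mkdir -p` immediately followed by `install -d -m 555` on the same directory is redundant, `/var/lib/ca-certificates` is written literally where `%{_localstatedir}` is the spec idiom, and owning that directory here with mode 555 will produce an rpm file conflict if ca-certificates owns it with different attributes. In %check `make test -j16` hard-codes the job count where the rest of the spec uses `%{?_smp_mflags}`; passing `HARNESS_JOBS` from the build's parallelism instead would keep the two consistent.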
@@ -38,10 +38,10 @@ Index: openssl-3.0.5/Configurations/unix-Makefile.tmpl (map { "-I".$_} @{$config{CPPINCLUDES}}), @{$config{CPPFLAGS}}) -} CFLAGS={- join(' ', @{$config{CFLAGS}}) -} -Index: openssl-3.0.5/doc/man1/openssl-ciphers.pod.in +Index: openssl-3.0.7/doc/man1/openssl-ciphers.pod.in =================================================================== ---- openssl-3.0.5.orig/doc/man1/openssl-ciphers.pod.in -+++ openssl-3.0.5/doc/man1/openssl-ciphers.pod.in +--- openssl-3.0.7.orig/doc/man1/openssl-ciphers.pod.in ++++ openssl-3.0.7/doc/man1/openssl-ciphers.pod.in @@ -186,6 +186,15 @@ As of OpenSSL 1.0.0, the B cipher s The cipher suites not enabled by B, currently B. @@ -58,10 +58,10 @@ Index: openssl-3.0.5/doc/man1/openssl-ciphers.pod.in =item B "High" encryption cipher suites. This currently means those with key lengths -Index: openssl-3.0.5/include/openssl/ssl.h.in +Index: openssl-3.0.7/include/openssl/ssl.h.in =================================================================== ---- openssl-3.0.5.orig/include/openssl/ssl.h.in -+++ openssl-3.0.5/include/openssl/ssl.h.in +--- openssl-3.0.7.orig/include/openssl/ssl.h.in ++++ openssl-3.0.7/include/openssl/ssl.h.in @@ -210,6 +210,11 @@ extern "C" { * throwing out anonymous and unencrypted ciphersuites! (The latter are not * actually enabled by ALL, but "ALL:RSA" would enable some of them.) @@ -74,11 +74,11 @@ Index: openssl-3.0.5/include/openssl/ssl.h.in /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ # define SSL_SENT_SHUTDOWN 1 -Index: openssl-3.0.5/ssl/ssl_ciph.c +Index: openssl-3.0.7/ssl/ssl_ciph.c =================================================================== ---- openssl-3.0.5.orig/ssl/ssl_ciph.c -+++ openssl-3.0.5/ssl/ssl_ciph.c -@@ -1436,6 +1436,53 @@ int SSL_set_ciphersuites(SSL *s, const c +--- openssl-3.0.7.orig/ssl/ssl_ciph.c ++++ openssl-3.0.7/ssl/ssl_ciph.c +@@ -1438,6 +1438,53 @@ int SSL_set_ciphersuites(SSL *s, const c return ret; } 
@@ -132,7 +132,7 @@ Index: openssl-3.0.5/ssl/ssl_ciph.c STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, STACK_OF(SSL_CIPHER) *tls13_ciphersuites, STACK_OF(SSL_CIPHER) **cipher_list, -@@ -1450,15 +1497,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1452,15 +1499,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; const SSL_CIPHER **ca_list = NULL; const SSL_METHOD *ssl_method = ctx->method; @@ -160,7 +160,7 @@ Index: openssl-3.0.5/ssl/ssl_ciph.c /* * To reduce the work to do we only want to process the compiled -@@ -1480,7 +1537,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1482,7 +1539,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers); if (co_list == NULL) { ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); @@ -169,7 +169,7 @@ Index: openssl-3.0.5/ssl/ssl_ciph.c } ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, -@@ -1546,8 +1603,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1548,8 +1605,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ * in force within each class */ if (!ssl_cipher_strength_sort(&head, &tail)) { @@ -179,7 +179,7 @@ Index: openssl-3.0.5/ssl/ssl_ciph.c } /* -@@ -1591,9 +1647,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1593,9 +1649,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max); if (ca_list == NULL) { @@ -190,7 +190,7 @@ Index: openssl-3.0.5/ssl/ssl_ciph.c } ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, disabled_mkey, disabled_auth, disabled_enc, -@@ -1626,8 +1681,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1628,8 +1683,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ OPENSSL_free(ca_list); /* Not needed anymore */ if (!ok) { /* Rule processing failure */ 
@@ -200,7 +200,7 @@ Index: openssl-3.0.5/ssl/ssl_ciph.c } /* -@@ -1635,10 +1689,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1637,10 +1691,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ * if we cannot get one. */ if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) { @@ -216,7 +216,7 @@ Index: openssl-3.0.5/ssl/ssl_ciph.c /* Add TLSv1.3 ciphers first - we always prefer those if possible */ for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) { const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i); -@@ -1690,6 +1747,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1692,6 +1749,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ *cipher_list = cipherstack; return cipherstack; @@ -231,10 +231,10 @@ Index: openssl-3.0.5/ssl/ssl_ciph.c } char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) -Index: openssl-3.0.5/ssl/ssl_lib.c +Index: openssl-3.0.7/ssl/ssl_lib.c =================================================================== ---- openssl-3.0.5.orig/ssl/ssl_lib.c -+++ openssl-3.0.5/ssl/ssl_lib.c +--- openssl-3.0.7.orig/ssl/ssl_lib.c ++++ openssl-3.0.7/ssl/ssl_lib.c @@ -660,7 +660,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx ctx->tls13_ciphersuites, &(ctx->cipher_list), @@ -244,7 +244,7 @@ Index: openssl-3.0.5/ssl/ssl_lib.c if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); return 0; -@@ -3271,7 +3271,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li +@@ -3285,7 +3285,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li if (!ssl_create_cipher_list(ret, ret->tls13_ciphersuites, &ret->cipher_list, &ret->cipher_list_by_id, 
@@ -253,10 +253,10 @@ Index: openssl-3.0.5/ssl/ssl_lib.c || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS); goto err2; -Index: openssl-3.0.5/test/cipherlist_test.c +Index: openssl-3.0.7/test/cipherlist_test.c =================================================================== ---- openssl-3.0.5.orig/test/cipherlist_test.c -+++ openssl-3.0.5/test/cipherlist_test.c +--- openssl-3.0.7.orig/test/cipherlist_test.c ++++ openssl-3.0.7/test/cipherlist_test.c @@ -246,7 +246,9 @@ end: int setup_tests(void) @@ -267,20 +267,20 @@ Index: openssl-3.0.5/test/cipherlist_test.c ADD_TEST(test_default_cipherlist_explicit); ADD_TEST(test_default_cipherlist_clear); return 1; -Index: openssl-3.0.5/util/libcrypto.num +Index: openssl-3.0.7/util/libcrypto.num =================================================================== ---- openssl-3.0.5.orig/util/libcrypto.num -+++ openssl-3.0.5/util/libcrypto.num +--- openssl-3.0.7.orig/util/libcrypto.num ++++ openssl-3.0.7/util/libcrypto.num @@ -5427,3 +5427,4 @@ EVP_PKEY_get0_provider EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION: OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION: OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION: +ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION: -Index: openssl-3.0.5/Configure +Index: openssl-3.0.7/Configure =================================================================== ---- openssl-3.0.5.orig/Configure -+++ openssl-3.0.5/Configure -@@ -28,7 +28,7 @@ use OpenSSL::config; +--- openssl-3.0.7.orig/Configure ++++ openssl-3.0.7/Configure +@@ -27,7 +27,7 @@ use OpenSSL::config; my $orig_death_handler = $SIG{__DIE__}; $SIG{__DIE__} = \&death_handler; @@ -289,7 +289,7 @@ Index: openssl-3.0.5/Configure my $banner = <<"EOF"; -@@ -62,6 +62,10 @@ EOF +@@ -61,6 +61,10 @@ EOF # given with --prefix. # This becomes the value of OPENSSLDIR in Makefile and in C. # (Default: PREFIX/ssl) 
@@ -300,7 +300,7 @@ Index: openssl-3.0.5/Configure # --banner=".." Output specified text instead of default completion banner # # -w Don't wait after showing a Configure warning -@@ -388,6 +392,7 @@ $config{prefix}=""; +@@ -387,6 +391,7 @@ $config{prefix}=""; $config{openssldir}=""; $config{processor}=""; $config{libdir}=""; @@ -308,14 +308,14 @@ Index: openssl-3.0.5/Configure my $auto_threads=1; # enable threads automatically? true by default my $default_ranlib; -@@ -990,6 +995,10 @@ while (@argvcopy) +@@ -989,6 +994,10 @@ while (@argvcopy) die "FIPS key too long (64 bytes max)\n" if length $1 > 64; } -+ elsif (/^--system-ciphers-file=(.*)$/) -+ { -+ $config{system_ciphers_file}=$1; -+ } ++ elsif (/^--system-ciphers-file=(.*)$/) ++ { ++ $config{system_ciphers_file}=$1; ++ } elsif (/^--banner=(.*)$/) { $banner = $1 . "\n"; diff --git a/openssl-1.1.0-no-html.patch b/openssl-no-html-docs.patch similarity index 100% rename from openssl-1.1.0-no-html.patch rename to openssl-no-html-docs.patch diff --git a/openssl-use-versioned-config.patch b/openssl-use-versioned-config.patch deleted file mode 100644 index c12a6c9..0000000 --- a/openssl-use-versioned-config.patch +++ /dev/null @@ -1,127 +0,0 @@ -From 300d2b56166aee85d9ce4c1275da1ad79c876e31 Mon Sep 17 00:00:00 2001 -From: Sahana Prasad -Date: Tue, 5 Oct 2021 12:10:42 +0200 -Subject: [PATCH] Updates the conf file to openssl11.cnf Resolves: - rhbz#1947584, rhbz#2003123 
Signed-off-by: Sahana Prasad - -Refactored for SUSE by Simon Lees sflees@suse.de - -Index: openssl-3.0.2/include/internal/cryptlib.h -=================================================================== ---- openssl-3.0.2.orig/include/internal/cryptlib.h -+++ openssl-3.0.2/include/internal/cryptlib.h -@@ -61,7 +61,7 @@ DEFINE_STACK_OF(EX_CALLBACK) - typedef struct mem_st MEM; - DEFINE_LHASH_OF(MEM); - --# define OPENSSL_CONF "openssl.cnf" -+# define OPENSSL_CONF "openssl3.cnf" - - # ifndef OPENSSL_SYS_VMS - # define X509_CERT_AREA OPENSSLDIR -Index: openssl-3.0.2/Configurations/unix-Makefile.tmpl -=================================================================== ---- openssl-3.0.2.orig/Configurations/unix-Makefile.tmpl -+++ openssl-3.0.2/Configurations/unix-Makefile.tmpl -@@ -675,14 +675,14 @@ install_ssldirs: - : {- output_on() if windowsdll(); "" -}; \ - fi; \ - done -- @$(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist" -- @cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new -- @chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new -- @mv -f $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.dist -- @if [ ! -f "$(DESTDIR)$(OPENSSLDIR)/openssl.cnf" ]; then \ -- $(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf"; \ -- cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl.cnf; \ -- chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf; \ -+ @$(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.dist" -+ @cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.new -+ @chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.new -+ @mv -f $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.new $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf.dist -+ @if [ ! 
-f "$(DESTDIR)$(OPENSSLDIR)/openssl3.cnf" ]; then \ -+ $(ECHO) "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf"; \ -+ cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf; \ -+ chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl3.cnf; \ - fi - @$(ECHO) "install $(SRCDIR)/apps/ct_log_list.cnf -> $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.dist" - @cp $(SRCDIR)/apps/ct_log_list.cnf $(DESTDIR)$(OPENSSLDIR)/ct_log_list.cnf.new -@@ -1136,7 +1136,7 @@ lint: - - generate_apps: - ( cd $(SRCDIR); $(PERL) VMS/VMSify-conf.pl \ -- < apps/openssl.cnf > apps/openssl-vms.cnf ) -+ < apps/openssl3.cnf > apps/openssl-vms.cnf ) - - generate_crypto_bn: - ( cd $(SRCDIR); $(PERL) crypto/bn/bn_prime.pl > crypto/bn/bn_prime.h ) -@@ -1374,7 +1374,7 @@ tar: - - # Helper targets ##################################################### - --link-utils: $(BLDDIR)/util/opensslwrap.sh $(BLDDIR)/apps/openssl.cnf -+link-utils: $(BLDDIR)/util/opensslwrap.sh $(BLDDIR)/apps/openssl3.cnf - - $(BLDDIR)/util/opensslwrap.sh: Makefile - @if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \ -@@ -1382,7 +1382,7 @@ $(BLDDIR)/util/opensslwrap.sh: Makefile - ln -sf "../$(SRCDIR)/util/`basename "$@"`" "$(BLDDIR)/util"; \ - fi - --$(BLDDIR)/apps/openssl.cnf: Makefile -+$(BLDDIR)/apps/openssl3.cnf: Makefile - @if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \ - mkdir -p "$(BLDDIR)/apps"; \ - ln -sf "../$(SRCDIR)/apps/`basename "$@"`" "$(BLDDIR)/apps"; \ -Index: openssl-3.0.2/Configure -=================================================================== ---- openssl-3.0.2.orig/Configure -+++ openssl-3.0.2/Configure -@@ -56,7 +56,7 @@ EOF - # directories bin, lib, include, share/man, share/doc/openssl - # This becomes the value of INSTALLTOP in Makefile - # (Default: /usr/local) --# --openssldir OpenSSL data area, such as openssl.cnf, certificates and keys. -+# --openssldir OpenSSL data area, such as openssl3.cnf, certificates and keys. 
- # If it's a relative directory, it will be added on the directory - # given with --prefix. - # This becomes the value of OPENSSLDIR in Makefile and in C. -Index: openssl-3.0.2/doc/HOWTO/certificates.txt -=================================================================== ---- openssl-3.0.2.orig/doc/HOWTO/certificates.txt -+++ openssl-3.0.2/doc/HOWTO/certificates.txt -@@ -16,7 +16,7 @@ Certificate authorities should read http - In all the cases shown below, the standard configuration file, as - compiled into openssl, will be used. You may find it in /etc/, - /usr/local/ssl/ or somewhere else. By default the file is named --openssl.cnf and is described at https://www.openssl.org/docs/apps/config.html. -+openssl3.cnf and is described at https://www.openssl.org/docs/apps/config.html. - You can specify a different configuration file using the - '-config {file}' argument with the commands shown below. - -Index: openssl-3.0.2/doc/man3/OPENSSL_config.pod -=================================================================== ---- openssl-3.0.2.orig/doc/man3/OPENSSL_config.pod -+++ openssl-3.0.2/doc/man3/OPENSSL_config.pod -@@ -17,7 +17,7 @@ see L: - - =head1 DESCRIPTION - --OPENSSL_config() configures OpenSSL using the standard B and -+OPENSSL_config() configures OpenSSL using the standard B and - reads from the application section B. If B is NULL then - the default section, B, will be used. - Errors are silently ignored. -Index: openssl-3.0.2/INSTALL.md -=================================================================== ---- openssl-3.0.2.orig/INSTALL.md -+++ openssl-3.0.2/INSTALL.md -@@ -567,7 +567,7 @@ is an objective. - - ### no-autoload-config - --Don't automatically load the default `openssl.cnf` file. -+Don't automatically load the default `openssl3.cnf` file. - - Typically OpenSSL will automatically load a system config file which configures - default SSL options.