jonathan/openssl
1
0
Fork 0
forked from rpms/openssl
Code Pull Requests Activity

Rebase to upstream version 3.0.0

Browse Source 
Related: rhbz#1990814

Signed-off-by: Sahana Prasad <sahana@redhat.com>
This commit is contained in:
Sahana Prasad 2021-09-09 13:07:02 +02:00
parent 07de966235
commit 34d46544a5
9 changed files with 33 additions and 232 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
View File

@ -309,7 +309,7 @@ diff -up openssl-3.0.0-beta1/Configure.sys-default openssl-3.0.0-beta1/Configure
+#
# --banner=".." Output specified text instead of default completion banner
#
# --cross-compile-prefix Add specified prefix to binutils components.
# -w Don't wait after showing a Configure warning
@@ -385,6 +389,7 @@ $config{prefix}="";
$config{openssldir}="";
$config{processor}="";

22
0020-sigalgs-fix-alerts.patch
View File

@ -1,22 +0,0 @@
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 3579202c22..134c948bcb 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -3302,7 +3302,7 @@ int tls_choose_sigalg(SSL *s, int fatalerrs)
if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
if (!fatalerrs)
return 1;
- SSLfatal(s, SSL_AD_INTERNAL_ERROR,
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
return 0;
}
@@ -3317,7 +3317,7 @@ int tls_choose_sigalg(SSL *s, int fatalerrs)
if (i == sent_sigslen) {
if (!fatalerrs)
return 1;
- SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
SSL_R_WRONG_SIGNATURE_TYPE);
return 0;
}

38
0021-fix-core-dump-req.patch
View File

@ -1,38 +0,0 @@
diff -up openssl-3.0.0-beta2/apps/req.c.req-segfault openssl-3.0.0-beta2/apps/req.c
--- openssl-3.0.0-beta2/apps/req.c.req-segfault 2021-08-10 16:24:58.784384336 +0200
+++ openssl-3.0.0-beta2/apps/req.c 2021-08-10 16:26:38.347688172 +0200
@@ -996,8 +996,8 @@ int req_main(int argc, char **argv)
if (EVP_PKEY_is_a(tpubkey, "RSA")) {
BIGNUM *n = NULL;
- /* Every RSA key has an 'n' */
- EVP_PKEY_get_bn_param(pkey, "n", &n);
+ if (!EVP_PKEY_get_bn_param(tpubkey, "n", &n))
+ goto end;
BN_print(out, n);
BN_free(n);
} else {
diff -up openssl-3.0.0-beta2/test/recipes/25-test_req.t.req-segfault openssl-3.0.0-beta2/test/recipes/25-test_req.t
--- openssl-3.0.0-beta2/test/recipes/25-test_req.t.req-segfault 2021-08-10 16:26:53.305884053 +0200
+++ openssl-3.0.0-beta2/test/recipes/25-test_req.t 2021-08-10 16:28:33.674221058 +0200
@@ -78,7 +78,7 @@ subtest "generating alt certificate requ
subtest "generating certificate requests with RSA" => sub {
- plan tests => 7;
+ plan tests => 8;
SKIP: {
skip "RSA is not supported by this OpenSSL build", 2
@@ -105,6 +105,11 @@ subtest "generating certificate requests
ok(run(app(["openssl", "req",
"-config", srctop_file("test", "test.cnf"),
+ "-modulus", "-in", "testreq-rsa.pem", "-noout"])),
+ "Printing a modulus of the request key");
+
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
"-new", "-out", "testreq_withattrs_pem.pem", "-utf8",
"-key", srctop_file("test", "testrsa_withattrs.pem")])),
"Generating request from a key with extra attributes - PEM");

33
0022-fix-openssl-req-password.patch
View File

@ -1,33 +0,0 @@
diff -up openssl-3.0.0-beta2/apps/req.c.req-password openssl-3.0.0-beta2/apps/req.c
--- openssl-3.0.0-beta2/apps/req.c.req-password 2021-08-10 16:31:04.726233653 +0200
+++ openssl-3.0.0-beta2/apps/req.c 2021-08-10 16:31:58.286947297 +0200
@@ -686,7 +686,7 @@ int req_main(int argc, char **argv)
EVP_PKEY_CTX_free(genctx);
genctx = NULL;
}
- if (keyout == NULL) {
+ if (keyout == NULL && keyfile == NULL) {
keyout = NCONF_get_string(req_conf, section, KEYFILE);
if (keyout == NULL)
ERR_clear_error();
diff -up openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in.req-password openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in
--- openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in.req-password 2021-08-10 16:32:21.863261416 +0200
+++ openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in 2021-08-10 16:33:19.173025012 +0200
@@ -205,11 +205,12 @@ See L<openssl-format-options(1)> for det
=item B<-keyout> I<filename>
This gives the filename to write any private key to that has been newly created
-or read from B<-key>.
-If the B<-keyout> option is not given the filename specified in the
-configuration file with the B<default_keyfile> option is used, if present.
-If a new key is generated and no filename is specified
-the key is written to standard output.
+or read from B<-key>. If neither the B<-keyout> option nor the B<-key> option
+are given then the filename specified in the configuration file with the
+B<default_keyfile> option is used, if present. Thus, if you want to write the
+private key and the B<-key> option is provided, you should provide the
+B<-keyout> option explicitly. If a new key is generated and no filename is
+specified the key is written to standard output.
=item B<-noenc>

38
0023-cms-stdin.patch
View File

@ -1,38 +0,0 @@
diff -up openssl-3.0.0-beta2/apps/cms.c.cms-stdin openssl-3.0.0-beta2/apps/cms.c
--- openssl-3.0.0-beta2/apps/cms.c.cms-stdin 2021-08-10 16:20:07.787573587 +0200
+++ openssl-3.0.0-beta2/apps/cms.c 2021-08-10 16:23:08.500940124 +0200
@@ -278,6 +278,8 @@ static void warn_binary(const char *file
unsigned char linebuf[1024], *cur, *end;
int len;
+ if (file == NULL)
+ return; /* cannot give a warning for stdin input */
if ((bio = bio_open_default(file, 'r', FORMAT_BINARY)) == NULL)
return; /* cannot give a proper warning since there is an error */
while ((len = BIO_read(bio, linebuf, sizeof(linebuf))) > 0) {
@@ -482,13 +484,9 @@ int cms_main(int argc, char **argv)
rr_allorfirst = 1;
break;
case OPT_RCTFORM:
- if (rctformat == FORMAT_ASN1) {
- if (!opt_format(opt_arg(),
- OPT_FMT_PEMDER | OPT_FMT_SMIME, &rctformat))
- goto opthelp;
- } else {
- rcms = load_content_info(rctformat, rctin, 0, NULL, "recipient");
- }
+ if (!opt_format(opt_arg(),
+ OPT_FMT_PEMDER | OPT_FMT_SMIME, &rctformat))
+ goto opthelp;
break;
case OPT_CERTFILE:
certfile = opt_arg();
@@ -954,7 +952,7 @@ int cms_main(int argc, char **argv)
goto end;
}
- rcms = load_content_info(rctformat, rctin, 0, NULL, "recipient");
+ rcms = load_content_info(rctformat, rctin, 0, NULL, "receipt");
if (rcms == NULL)
goto end;
}

42
0024-load-legacy-prov.patch
View File

@ -1,7 +1,7 @@
diff -up openssl-3.0.0-beta2/apps/openssl.cnf.legacy-prov openssl-3.0.0-beta2/apps/openssl.cnf
--- openssl-3.0.0-beta2/apps/openssl.cnf.legacy-prov 2021-08-16 14:02:48.029645419 +0200
+++ openssl-3.0.0-beta2/apps/openssl.cnf 2021-08-16 14:14:48.006409467 +0200
@@ -43,28 +43,29 @@ tsa_policy1 = 1.2.3.4.1
diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.cnf
--- openssl-3.0.0/apps/openssl.cnf.legacy-prov 2021-09-09 12:06:40.895793297 +0200
+++ openssl-3.0.0/apps/openssl.cnf 2021-09-09 12:12:33.947482500 +0200
@@ -42,36 +42,29 @@ tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
@ -19,6 +19,11 @@ diff -up openssl-3.0.0-beta2/apps/openssl.cnf.legacy-prov openssl-3.0.0-beta2/ap
ssl_conf = ssl_module
-# List of providers to load
-[provider_sect]
-default = default_sect
-# The fips section name should match the section name inside the
-# included fipsmodule.cnf.
-# fips = fips_sect
+# Uncomment the sections that start with ## below to enable the legacy provider.
+# Loading the legacy provider enables support for the following algorithms:
+# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
@ -27,15 +32,18 @@ diff -up openssl-3.0.0-beta2/apps/openssl.cnf.legacy-prov openssl-3.0.0-beta2/ap
+# In general it is not recommended to use the above mentioned algorithms for
+# security critical operations, as they are cryptographically weak or vulnerable
+# to side-channel attacks and as such have been deprecated.
+
[provider_sect]
-default = default_sect
-# The fips section name should match the section name inside the
-# included fipsmodule.cnf.
-# fips = fips_sect
-
-# If no providers are activated explicitly, the default one is activated implicitly.
-# See man 7 OSSL_PROVIDER-default for more details.
-#
-# If you add a section explicitly activating any other provider(s), you most
-# probably need to explicitly activate the default provider, otherwise it
-# becomes unavailable in openssl. As a consequence applications depending on
-# OpenSSL may not work correctly which could lead to significant system
-# problems including inability to remotely access the system.
-[default_sect]
-# activate = 1
+[provider_sect]
+##default = default_sect
+##legacy = legacy_sect
+##
@ -47,10 +55,10 @@ diff -up openssl-3.0.0-beta2/apps/openssl.cnf.legacy-prov openssl-3.0.0-beta2/ap
[ ssl_module ]
diff -up openssl-3.0.0-beta2/doc/man5/config.pod.legacy-prov openssl-3.0.0-beta2/doc/man5/config.pod
--- openssl-3.0.0-beta2/doc/man5/config.pod.legacy-prov 2021-08-16 14:12:35.021606001 +0200
+++ openssl-3.0.0-beta2/doc/man5/config.pod 2021-08-16 14:14:47.077396867 +0200
@@ -269,6 +269,14 @@ significant.
diff -up openssl-3.0.0/doc/man5/config.pod.legacy-prov openssl-3.0.0/doc/man5/config.pod
--- openssl-3.0.0/doc/man5/config.pod.legacy-prov 2021-09-09 12:09:38.079040853 +0200
+++ openssl-3.0.0/doc/man5/config.pod 2021-09-09 12:11:56.646224876 +0200
@@ -273,6 +273,14 @@ significant.
All parameters in the section as well as sub-sections are made
available to the provider.
@ -62,6 +70,6 @@ diff -up openssl-3.0.0-beta2/doc/man5/config.pod.legacy-prov openssl-3.0.0-beta2
+security critical operations, as they are cryptographically weak or vulnerable
+to side-channel attacks and as such have been deprecated.
+
=head2 EVP Configuration
=head3 Default provider and its activation
The name B<alg_section> in the initialization section names the section
If no providers are activated explicitly, the default one is activated implicitly.

70
0025-cms-stdin2.patch
View File

@ -1,70 +0,0 @@
From 9bdf6bb619543248c1bee1d8207b455c1ee40ab6 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <beldmit@gmail.com>
Date: Fri, 20 Aug 2021 16:45:15 +0200
Subject: [PATCH] Get rid of warn_binary
Current implementation of warn_binary introduces a regression
when the content is passed in /dev/stdin as an explicit file name
and reads the file to be processed twice otherwise.
I suggest to reimplement this functionality after 3.0 if necessary.
Fixes #16359
---
apps/cms.c | 29 -----------------------------
1 file changed, 29 deletions(-)
diff --git a/apps/cms.c b/apps/cms.c
index c22027e3b198..b30273f1710d 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -272,31 +272,6 @@ static CMS_ContentInfo *load_content_info(int informat, BIO *in, int flags,
return NULL;
}
-static void warn_binary(const char *file)
-{
- BIO *bio;
- unsigned char linebuf[1024], *cur, *end;
- int len;
-
- if (file == NULL)
- return; /* cannot give a warning for stdin input */
- if ((bio = bio_open_default(file, 'r', FORMAT_BINARY)) == NULL)
- return; /* cannot give a proper warning since there is an error */
- while ((len = BIO_read(bio, linebuf, sizeof(linebuf))) > 0) {
- end = linebuf + len;
- for (cur = linebuf; cur < end; cur++) {
- if (*cur == '\0' || *cur >= 0x80) {
- BIO_printf(bio_err, "Warning: input file '%s' contains %s"
- " character; better use -binary option\n",
- file, *cur == '\0' ? "NUL" : "8-bit");
- goto end;
- }
- }
- }
- end:
- BIO_free(bio);
-}
-
int cms_main(int argc, char **argv)
{
CONF *conf = NULL;
@@ -911,8 +886,6 @@ int cms_main(int argc, char **argv)
goto end;
}
- if ((flags & CMS_BINARY) == 0)
- warn_binary(infile);
in = bio_open_default(infile, 'r',
binary_files ? FORMAT_BINARY : informat);
if (in == NULL)
@@ -924,8 +897,6 @@ int cms_main(int argc, char **argv)
goto end;
if (contfile != NULL) {
BIO_free(indata);
- if ((flags & CMS_BINARY) == 0)
- warn_binary(contfile);
if ((indata = BIO_new_file(contfile, "rb")) == NULL) {
BIO_printf(bio_err, "Can't read content file %s\n", contfile);
goto end;

18
openssl.spec
View File

@ -15,7 +15,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 3.0.0
Release: 0.beta2.7%{?dist}
Release: 1%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@ -52,18 +52,8 @@ Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch
#Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
# remove unsupported EC curves
Patch11: 0011-Remove-EC-curves.patch
# Update alerts according to #1965017
Patch20: 0020-sigalgs-fix-alerts.patch
# Fixes core dump in openssl req -modulus
Patch21: 0021-fix-core-dump-req.patch
# Fixes 'openssl req' to not ask for password when non-encrypted key
Patch22: 0022-fix-openssl-req-password.patch
# cms: Do not try to check binary format on stdin and -rctform fix
Patch23: 0023-cms-stdin.patch
# Instructions to load legacy provider in openssl.cnf
Patch24: 0024-load-legacy-prov.patch
# cms: don't read /dev/stdin twice
Patch25: 0025-cms-stdin2.patch
License: ASL 2.0
URL: http://www.openssl.org/
@ -119,7 +109,7 @@ package provides Perl scripts for converting certificates and keys
from other formats to the formats used by the OpenSSL toolkit.
%prep
%autosetup -S git -n %{name}-%{version}-beta2
%autosetup -S git -n %{name}-%{version}
# The hobble_openssl is called here redundantly, just to be sure.
# The tarball has already the sources removed.
@ -386,6 +376,10 @@ install -m644 %{SOURCE9} \
%ldconfig_scriptlets libs
%changelog
* Thu Sep 09 2021 Sahana Prasad <sahana@redhat.com> - 1:3.0.0-1
- Rebase to upstream version 3.0.0
- Related: rhbz#1990814
* Wed Aug 25 2021 Sahana Prasad <sahana@redhat.com> - 1:3.0.0-0.beta2.7
- Removes the dual-abi build as it not required anymore. The mass rebuild
was completed and all packages are rebuilt against Beta version.

2
sources
View File

@ -1 +1 @@
SHA512 (openssl-3.0.0-hobbled.tar.xz) = 096758a79680921d2b18929177d2ee43b7fb62fa30164a16ab1749b8349aac5e6e3d0761419b6c9f0a591c8991c133d142e56ab92f197d142649b58e66d876f7
SHA512 (openssl-3.0.0-hobbled.tar.xz) = aeb6834de96bbf53b0e287c9f0ed866100d30dd02b694fd7142da855ac10074c9ad77cd7c1c688890094f31fd2ee5b5610a7ba1112775b94ae80ba51c66e0b27