From 34d46544a52161571d3c035e5649b450eaf705b8 Mon Sep 17 00:00:00 2001 From: Sahana Prasad Date: Thu, 9 Sep 2021 13:07:02 +0200 Subject: [PATCH] Rebase to upstream version 3.0.0 Related: rhbz#1990814 Signed-off-by: Sahana Prasad --- ...PROFILE-SYSTEM-system-default-cipher.patch | 2 +- 0020-sigalgs-fix-alerts.patch | 22 ------ 0021-fix-core-dump-req.patch | 38 ---------- 0022-fix-openssl-req-password.patch | 33 --------- 0023-cms-stdin.patch | 38 ---------- 0024-load-legacy-prov.patch | 42 ++++++----- 0025-cms-stdin2.patch | 70 ------------------- openssl.spec | 18 ++--- sources | 2 +- 9 files changed, 33 insertions(+), 232 deletions(-) delete mode 100644 0020-sigalgs-fix-alerts.patch delete mode 100644 0021-fix-core-dump-req.patch delete mode 100644 0022-fix-openssl-req-password.patch delete mode 100644 0023-cms-stdin.patch delete mode 100644 0025-cms-stdin2.patch diff --git a/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch b/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch index 9ad572d..a32c9e8 100644 --- a/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch +++ b/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch @@ -309,7 +309,7 @@ diff -up openssl-3.0.0-beta1/Configure.sys-default openssl-3.0.0-beta1/Configure +# # --banner=".." Output specified text instead of default completion banner # - # --cross-compile-prefix Add specified prefix to binutils components. + # -w Don't wait after showing a Configure warning @@ -385,6 +389,7 @@ $config{prefix}=""; $config{openssldir}=""; $config{processor}=""; diff --git a/0020-sigalgs-fix-alerts.patch b/0020-sigalgs-fix-alerts.patch deleted file mode 100644 index b1d571a..0000000 --- a/0020-sigalgs-fix-alerts.patch +++ /dev/null 
@@ -1,22 +0,0 @@ -diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c -index 3579202c22..134c948bcb 100644 ---- a/ssl/t1_lib.c -+++ b/ssl/t1_lib.c -@@ -3302,7 +3302,7 @@ int tls_choose_sigalg(SSL *s, int fatalerrs) - if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { - if (!fatalerrs) - return 1; -- SSLfatal(s, SSL_AD_INTERNAL_ERROR, -+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, - SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); - return 0; - } -@@ -3317,7 +3317,7 @@ int tls_choose_sigalg(SSL *s, int fatalerrs) - if (i == sent_sigslen) { - if (!fatalerrs) - return 1; -- SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, -+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, - SSL_R_WRONG_SIGNATURE_TYPE); - return 0; - } diff --git a/0021-fix-core-dump-req.patch b/0021-fix-core-dump-req.patch deleted file mode 100644 index e4cf377..0000000 --- a/0021-fix-core-dump-req.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -diff -up openssl-3.0.0-beta2/apps/req.c.req-segfault openssl-3.0.0-beta2/apps/req.c ---- openssl-3.0.0-beta2/apps/req.c.req-segfault 2021-08-10 16:24:58.784384336 +0200 -+++ openssl-3.0.0-beta2/apps/req.c 2021-08-10 16:26:38.347688172 +0200 -@@ -996,8 +996,8 @@ int req_main(int argc, char **argv) - if (EVP_PKEY_is_a(tpubkey, "RSA")) { - BIGNUM *n = NULL; - -- /* Every RSA key has an 'n' */ -- EVP_PKEY_get_bn_param(pkey, "n", &n); -+ if (!EVP_PKEY_get_bn_param(tpubkey, "n", &n)) -+ goto end; - BN_print(out, n); - BN_free(n); - } else { -diff -up openssl-3.0.0-beta2/test/recipes/25-test_req.t.req-segfault openssl-3.0.0-beta2/test/recipes/25-test_req.t ---- openssl-3.0.0-beta2/test/recipes/25-test_req.t.req-segfault 2021-08-10 16:26:53.305884053 +0200 -+++ openssl-3.0.0-beta2/test/recipes/25-test_req.t 2021-08-10 16:28:33.674221058 +0200 -@@ -78,7 +78,7 @@ subtest "generating alt certificate requ - - - subtest "generating certificate requests with RSA" => sub { -- plan tests => 7; -+ plan tests => 8; - - SKIP: { - skip "RSA is not supported by this OpenSSL build", 2 -@@ -105,6 +105,11 @@ subtest "generating certificate requests - - ok(run(app(["openssl", "req", - "-config", srctop_file("test", "test.cnf"), -+ "-modulus", "-in", "testreq-rsa.pem", "-noout"])), -+ "Printing a modulus of the request key"); -+ -+ ok(run(app(["openssl", "req", -+ "-config", srctop_file("test", "test.cnf"), - "-new", "-out", "testreq_withattrs_pem.pem", "-utf8", - "-key", srctop_file("test", "testrsa_withattrs.pem")])), - "Generating request from a key with extra attributes - PEM"); diff --git a/0022-fix-openssl-req-password.patch b/0022-fix-openssl-req-password.patch deleted file mode 100644 index 077b4c5..0000000 --- a/0022-fix-openssl-req-password.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -diff -up openssl-3.0.0-beta2/apps/req.c.req-password openssl-3.0.0-beta2/apps/req.c ---- openssl-3.0.0-beta2/apps/req.c.req-password 2021-08-10 16:31:04.726233653 +0200 -+++ openssl-3.0.0-beta2/apps/req.c 2021-08-10 16:31:58.286947297 +0200 -@@ -686,7 +686,7 @@ int req_main(int argc, char **argv) - EVP_PKEY_CTX_free(genctx); - genctx = NULL; - } -- if (keyout == NULL) { -+ if (keyout == NULL && keyfile == NULL) { - keyout = NCONF_get_string(req_conf, section, KEYFILE); - if (keyout == NULL) - ERR_clear_error(); -diff -up openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in.req-password openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in ---- openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in.req-password 2021-08-10 16:32:21.863261416 +0200 -+++ openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in 2021-08-10 16:33:19.173025012 +0200 -@@ -205,11 +205,12 @@ See L for det - =item B<-keyout> I - - This gives the filename to write any private key to that has been newly created --or read from B<-key>. --If the B<-keyout> option is not given the filename specified in the --configuration file with the B option is used, if present. --If a new key is generated and no filename is specified --the key is written to standard output. -+or read from B<-key>. If neither the B<-keyout> option nor the B<-key> option -+are given then the filename specified in the configuration file with the -+B option is used, if present. Thus, if you want to write the -+private key and the B<-key> option is provided, you should provide the -+B<-keyout> option explicitly. If a new key is generated and no filename is -+specified the key is written to standard output. - - =item B<-noenc> - diff --git a/0023-cms-stdin.patch b/0023-cms-stdin.patch deleted file mode 100644 index 0c18c12..0000000 --- a/0023-cms-stdin.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -diff -up openssl-3.0.0-beta2/apps/cms.c.cms-stdin openssl-3.0.0-beta2/apps/cms.c ---- openssl-3.0.0-beta2/apps/cms.c.cms-stdin 2021-08-10 16:20:07.787573587 +0200 -+++ openssl-3.0.0-beta2/apps/cms.c 2021-08-10 16:23:08.500940124 +0200 -@@ -278,6 +278,8 @@ static void warn_binary(const char *file - unsigned char linebuf[1024], *cur, *end; - int len; - -+ if (file == NULL) -+ return; /* cannot give a warning for stdin input */ - if ((bio = bio_open_default(file, 'r', FORMAT_BINARY)) == NULL) - return; /* cannot give a proper warning since there is an error */ - while ((len = BIO_read(bio, linebuf, sizeof(linebuf))) > 0) { -@@ -482,13 +484,9 @@ int cms_main(int argc, char **argv) - rr_allorfirst = 1; - break; - case OPT_RCTFORM: -- if (rctformat == FORMAT_ASN1) { -- if (!opt_format(opt_arg(), -- OPT_FMT_PEMDER | OPT_FMT_SMIME, &rctformat)) -- goto opthelp; -- } else { -- rcms = load_content_info(rctformat, rctin, 0, NULL, "recipient"); -- } -+ if (!opt_format(opt_arg(), -+ OPT_FMT_PEMDER | OPT_FMT_SMIME, &rctformat)) -+ goto opthelp; - break; - case OPT_CERTFILE: - certfile = opt_arg(); -@@ -954,7 +952,7 @@ int cms_main(int argc, char **argv) - goto end; - } - -- rcms = load_content_info(rctformat, rctin, 0, NULL, "recipient"); -+ rcms = load_content_info(rctformat, rctin, 0, NULL, "receipt"); - if (rcms == NULL) - goto end; - } diff --git a/0024-load-legacy-prov.patch b/0024-load-legacy-prov.patch index be0b354..0c182e7 100644 --- a/0024-load-legacy-prov.patch +++ b/0024-load-legacy-prov.patch 
@@ -1,7 +1,7 @@ -diff -up openssl-3.0.0-beta2/apps/openssl.cnf.legacy-prov openssl-3.0.0-beta2/apps/openssl.cnf ---- openssl-3.0.0-beta2/apps/openssl.cnf.legacy-prov 2021-08-16 14:02:48.029645419 +0200 -+++ openssl-3.0.0-beta2/apps/openssl.cnf 2021-08-16 14:14:48.006409467 +0200 -@@ -43,28 +43,29 @@ tsa_policy1 = 1.2.3.4.1 +diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.cnf +--- openssl-3.0.0/apps/openssl.cnf.legacy-prov 2021-09-09 12:06:40.895793297 +0200 ++++ openssl-3.0.0/apps/openssl.cnf 2021-09-09 12:12:33.947482500 +0200 +@@ -42,36 +42,29 @@ tsa_policy1 = 1.2.3.4.1 tsa_policy2 = 1.2.3.4.5.6 tsa_policy3 = 1.2.3.4.5.7 @@ -19,6 +19,11 @@ diff -up openssl-3.0.0-beta2/apps/openssl.cnf.legacy-prov openssl-3.0.0-beta2/ap ssl_conf = ssl_module -# List of providers to load +-[provider_sect] +-default = default_sect +-# The fips section name should match the section name inside the +-# included fipsmodule.cnf. +-# fips = fips_sect +# Uncomment the sections that start with ## below to enable the legacy provider. +# Loading the legacy provider enables support for the following algorithms: +# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160 
@@ -27,15 +32,18 @@ diff -up openssl-3.0.0-beta2/apps/openssl.cnf.legacy-prov openssl-3.0.0-beta2/ap +# In general it is not recommended to use the above mentioned algorithms for +# security critical operations, as they are cryptographically weak or vulnerable +# to side-channel attacks and as such have been deprecated. -+ - [provider_sect] --default = default_sect --# The fips section name should match the section name inside the --# included fipsmodule.cnf. --# fips = fips_sect -- + +-# If no providers are activated explicitly, the default one is activated implicitly. +-# See man 7 OSSL_PROVIDER-default for more details. +-# +-# If you add a section explicitly activating any other provider(s), you most +-# probably need to explicitly activate the default provider, otherwise it +-# becomes unavailable in openssl. As a consequence applications depending on +-# OpenSSL may not work correctly which could lead to significant system +-# problems including inability to remotely access the system. -[default_sect] -# activate = 1 ++[provider_sect] +##default = default_sect +##legacy = legacy_sect +## @@ -47,10 +55,10 @@ diff -up openssl-3.0.0-beta2/apps/openssl.cnf.legacy-prov openssl-3.0.0-beta2/ap [ ssl_module ] -diff -up openssl-3.0.0-beta2/doc/man5/config.pod.legacy-prov openssl-3.0.0-beta2/doc/man5/config.pod ---- openssl-3.0.0-beta2/doc/man5/config.pod.legacy-prov 2021-08-16 14:12:35.021606001 +0200 -+++ openssl-3.0.0-beta2/doc/man5/config.pod 2021-08-16 14:14:47.077396867 +0200 -@@ -269,6 +269,14 @@ significant. +diff -up openssl-3.0.0/doc/man5/config.pod.legacy-prov openssl-3.0.0/doc/man5/config.pod +--- openssl-3.0.0/doc/man5/config.pod.legacy-prov 2021-09-09 12:09:38.079040853 +0200 ++++ openssl-3.0.0/doc/man5/config.pod 2021-09-09 12:11:56.646224876 +0200 +@@ -273,6 +273,14 @@ significant. All parameters in the section as well as sub-sections are made available to the provider. 
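Review bot: The rebased openssl.cnf hunk now deletes the upstream comment block that starts `# If no providers are activated explicitly, the default one is activated implicitly.` and ends `# problems including inability to remotely access the system.` (the `+-` lines), and nothing in the replacement text carries the same warning, so the shipped config loses the one note that tells an admin the default provider must be re-activated once another provider section is added. That warning is exactly the failure mode the new `##default = default_sect` / `##legacy = legacy_sect` lines invite: someone who uncomments only the legacy line ends up with no default provider and system-wide TLS breakage, as the deleted text itself explains. The config.pod hunk in this same patch keeps the equivalent `=head3 Default provider and its activation` section, so the man page and the config file now disagree on what the user is told. I would keep those eight lines as context rather than removals (drop the inner `-`), placed above the new `# Uncomment the sections that start with ## below` paragraph, and add one line to that paragraph such as `# Always keep the default provider activated alongside legacy; see the note above.`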
@@ -62,6 +70,6 @@ diff -up openssl-3.0.0-beta2/doc/man5/config.pod.legacy-prov openssl-3.0.0-beta2 +security critical operations, as they are cryptographically weak or vulnerable +to side-channel attacks and as such have been deprecated. + - =head2 EVP Configuration + =head3 Default provider and its activation - The name B in the initialization section names the section + If no providers are activated explicitly, the default one is activated implicitly. diff --git a/0025-cms-stdin2.patch b/0025-cms-stdin2.patch deleted file mode 100644 index 6a76025..0000000 --- a/0025-cms-stdin2.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -From 9bdf6bb619543248c1bee1d8207b455c1ee40ab6 Mon Sep 17 00:00:00 2001 -From: Dmitry Belyavskiy -Date: Fri, 20 Aug 2021 16:45:15 +0200 -Subject: [PATCH] Get rid of warn_binary - -Current implementation of warn_binary introduces a regression -when the content is passed in /dev/stdin as an explicit file name -and reads the file to be processed twice otherwise. - -I suggest to reimplement this functionality after 3.0 if necessary. - -Fixes #16359 ---- - apps/cms.c | 29 ----------------------------- - 1 file changed, 29 deletions(-) - -diff --git a/apps/cms.c b/apps/cms.c -index c22027e3b198..b30273f1710d 100644 ---- a/apps/cms.c -+++ b/apps/cms.c -@@ -272,31 +272,6 @@ static CMS_ContentInfo *load_content_info(int informat, BIO *in, int flags, - return NULL; - } - --static void warn_binary(const char *file) --{ -- BIO *bio; -- unsigned char linebuf[1024], *cur, *end; -- int len; -- -- if (file == NULL) -- return; /* cannot give a warning for stdin input */ -- if ((bio = bio_open_default(file, 'r', FORMAT_BINARY)) == NULL) -- return; /* cannot give a proper warning since there is an error */ -- while ((len = BIO_read(bio, linebuf, sizeof(linebuf))) > 0) { -- end = linebuf + len; -- for (cur = linebuf; cur < end; cur++) { -- if (*cur == '\0' || *cur >= 0x80) { -- BIO_printf(bio_err, "Warning: input file '%s' contains %s" -- " character; better use -binary option\n", -- file, *cur == '\0' ? "NUL" : "8-bit"); -- goto end; -- } -- } -- } -- end: -- BIO_free(bio); --} -- - int cms_main(int argc, char **argv) - { - CONF *conf = NULL; -@@ -911,8 +886,6 @@ int cms_main(int argc, char **argv) - goto end; - } - -- if ((flags & CMS_BINARY) == 0) -- warn_binary(infile); - in = bio_open_default(infile, 'r', - binary_files ? 
FORMAT_BINARY : informat); - if (in == NULL) -@@ -924,8 +897,6 @@ int cms_main(int argc, char **argv) - goto end; - if (contfile != NULL) { - BIO_free(indata); -- if ((flags & CMS_BINARY) == 0) -- warn_binary(contfile); - if ((indata = BIO_new_file(contfile, "rb")) == NULL) { - BIO_printf(bio_err, "Can't read content file %s\n", contfile); - goto end; diff --git a/openssl.spec b/openssl.spec index d372835..c1110d5 100644 --- a/openssl.spec +++ b/openssl.spec @@ -15,7 +15,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.0 -Release: 0.beta2.7%{?dist} +Release: 1%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -52,18 +52,8 @@ Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch #Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch # remove unsupported EC curves Patch11: 0011-Remove-EC-curves.patch -# Update alerts according to #1965017 -Patch20: 0020-sigalgs-fix-alerts.patch -# Fixes core dump in openssl req -modulus -Patch21: 0021-fix-core-dump-req.patch -# Fixes 'openssl req' to not ask for password when non-encrypted key -Patch22: 0022-fix-openssl-req-password.patch -# cms: Do not try to check binary format on stdin and -rctform fix -Patch23: 0023-cms-stdin.patch # Instructions to load legacy provider in openssl.cnf Patch24: 0024-load-legacy-prov.patch -# cms: don't read /dev/stdin twice -Patch25: 0025-cms-stdin2.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -119,7 +109,7 @@ package provides Perl scripts for converting certificates and keys from other formats to the formats used by the OpenSSL toolkit. %prep -%autosetup -S git -n %{name}-%{version}-beta2 +%autosetup -S git -n %{name}-%{version} # The hobble_openssl is called here redundantly, just to be sure. # The tarball has already the sources removed. 
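Review bot: The `@@ -52,18 +52,8 @@` hunk drops Patch20 through Patch25 with no record of why, and the new changelog entry in this commit only says "Rebase", so a later maintainer cannot distinguish a patch dropped because it landed in 3.0.0 from one lost by accident during the rebase. Presumably all five (the sigalgs alert change tied to #1965017, the `req -modulus` crash fix, the `req -keyout` fix, and the two cms stdin fixes) are in the 3.0.0 tarball, but nothing on this page shows that, and 0020 in particular changed TLS alert codes rather than fixing a crash, so it is the one most worth confirming against the 3.0.0 tree. I would add a line to the changelog entry, e.g. `- Drop patches 0020-0025 (sigalgs alerts, req -modulus crash, req -keyout, cms stdin): merged upstream in 3.0.0`, and verify each one against the tag before merging.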
@@ -386,6 +376,10 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Thu Sep 09 2021 Sahana Prasad - 1:3.0.0-1 +- Rebase to upstream version 3.0.0 +- Related: rhbz#1990814 + * Wed Aug 25 2021 Sahana Prasad - 1:3.0.0-0.beta2.7 - Removes the dual-abi build as it not required anymore. The mass rebuild was completed and all packages are rebuilt against Beta version. diff --git a/sources b/sources index 8b1e2d7..4173974 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (openssl-3.0.0-hobbled.tar.xz) = 096758a79680921d2b18929177d2ee43b7fb62fa30164a16ab1749b8349aac5e6e3d0761419b6c9f0a591c8991c133d142e56ab92f197d142649b58e66d876f7 +SHA512 (openssl-3.0.0-hobbled.tar.xz) = aeb6834de96bbf53b0e287c9f0ed866100d30dd02b694fd7142da855ac10074c9ad77cd7c1c688890094f31fd2ee5b5610a7ba1112775b94ae80ba51c66e0b27