Rebase to upstream version 3.0.0

Related: rhbz#1990814

Signed-off-by: Sahana Prasad <sahana@redhat.com>
Sahana Prasad 2021-09-09 13:07:02 +02:00
parent 07de966235
commit 34d46544a5
9 changed files with 33 additions and 232 deletions


@ -309,7 +309,7 @@ diff -up openssl-3.0.0-beta1/Configure.sys-default openssl-3.0.0-beta1/Configure
+# +#
# --banner=".." Output specified text instead of default completion banner # --banner=".." Output specified text instead of default completion banner
# #
# --cross-compile-prefix Add specified prefix to binutils components. # -w Don't wait after showing a Configure warning
@@ -385,6 +389,7 @@ $config{prefix}=""; @@ -385,6 +389,7 @@ $config{prefix}="";
$config{openssldir}=""; $config{openssldir}="";
$config{processor}=""; $config{processor}="";


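--- a/0020-sigalgs-fix-alerts.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index 3579202c22..134c948bcb 100644
---- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
-@@ -3302,7 +3302,7 @@ int tls_choose_sigalg(SSL *s, int fatalerrs)
-if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) {
-if (!fatalerrs)
-return 1;
-- SSLfatal(s, SSL_AD_INTERNAL_ERROR,
-+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
-SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
-return 0;
-}
-@@ -3317,7 +3317,7 @@ int tls_choose_sigalg(SSL *s, int fatalerrs)
-if (i == sent_sigslen) {
-if (!fatalerrs)
-return 1;
-- SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
-+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
-SSL_R_WRONG_SIGNATURE_TYPE);
-return 0;
-}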


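--- a/0021-fix-core-dump-req.patch
+++ /dev/null
-diff -up openssl-3.0.0-beta2/apps/req.c.req-segfault openssl-3.0.0-beta2/apps/req.c
---- openssl-3.0.0-beta2/apps/req.c.req-segfault 2021-08-10 16:24:58.784384336 +0200
-+++ openssl-3.0.0-beta2/apps/req.c 2021-08-10 16:26:38.347688172 +0200
-@@ -996,8 +996,8 @@ int req_main(int argc, char **argv)
-if (EVP_PKEY_is_a(tpubkey, "RSA")) {
-BIGNUM *n = NULL;
-- /* Every RSA key has an 'n' */
-- EVP_PKEY_get_bn_param(pkey, "n", &n);
-+ if (!EVP_PKEY_get_bn_param(tpubkey, "n", &n))
-+ goto end;
-BN_print(out, n);
-BN_free(n);
-} else {
-diff -up openssl-3.0.0-beta2/test/recipes/25-test_req.t.req-segfault openssl-3.0.0-beta2/test/recipes/25-test_req.t
---- openssl-3.0.0-beta2/test/recipes/25-test_req.t.req-segfault 2021-08-10 16:26:53.305884053 +0200
-+++ openssl-3.0.0-beta2/test/recipes/25-test_req.t 2021-08-10 16:28:33.674221058 +0200
-@@ -78,7 +78,7 @@ subtest "generating alt certificate requ
-subtest "generating certificate requests with RSA" => sub {
-- plan tests => 7;
-+ plan tests => 8;
-SKIP: {
-skip "RSA is not supported by this OpenSSL build", 2
-@@ -105,6 +105,11 @@ subtest "generating certificate requests
-ok(run(app(["openssl", "req",
-"-config", srctop_file("test", "test.cnf"),
-+ "-modulus", "-in", "testreq-rsa.pem", "-noout"])),
-+ "Printing a modulus of the request key");
-+
-+ ok(run(app(["openssl", "req",
-+ "-config", srctop_file("test", "test.cnf"),
-"-new", "-out", "testreq_withattrs_pem.pem", "-utf8",
-"-key", srctop_file("test", "testrsa_withattrs.pem")])),
-"Generating request from a key with extra attributes - PEM");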


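--- a/0022-fix-openssl-req-password.patch
+++ /dev/null
-diff -up openssl-3.0.0-beta2/apps/req.c.req-password openssl-3.0.0-beta2/apps/req.c
---- openssl-3.0.0-beta2/apps/req.c.req-password 2021-08-10 16:31:04.726233653 +0200
-+++ openssl-3.0.0-beta2/apps/req.c 2021-08-10 16:31:58.286947297 +0200
-@@ -686,7 +686,7 @@ int req_main(int argc, char **argv)
-EVP_PKEY_CTX_free(genctx);
-genctx = NULL;
-}
-- if (keyout == NULL) {
-+ if (keyout == NULL && keyfile == NULL) {
-keyout = NCONF_get_string(req_conf, section, KEYFILE);
-if (keyout == NULL)
-ERR_clear_error();
-diff -up openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in.req-password openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in
---- openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in.req-password 2021-08-10 16:32:21.863261416 +0200
-+++ openssl-3.0.0-beta2/doc/man1/openssl-req.pod.in 2021-08-10 16:33:19.173025012 +0200
-@@ -205,11 +205,12 @@ See L<openssl-format-options(1)> for det
-=item B<-keyout> I<filename>
-This gives the filename to write any private key to that has been newly created
--or read from B<-key>.
--If the B<-keyout> option is not given the filename specified in the
--configuration file with the B<default_keyfile> option is used, if present.
--If a new key is generated and no filename is specified
--the key is written to standard output.
-+or read from B<-key>. If neither the B<-keyout> option nor the B<-key> option
-+are given then the filename specified in the configuration file with the
-+B<default_keyfile> option is used, if present. Thus, if you want to write the
-+private key and the B<-key> option is provided, you should provide the
-+B<-keyout> option explicitly. If a new key is generated and no filename is
-+specified the key is written to standard output.
-=item B<-noenc>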


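--- a/0023-cms-stdin.patch
+++ /dev/null
-diff -up openssl-3.0.0-beta2/apps/cms.c.cms-stdin openssl-3.0.0-beta2/apps/cms.c
---- openssl-3.0.0-beta2/apps/cms.c.cms-stdin 2021-08-10 16:20:07.787573587 +0200
-+++ openssl-3.0.0-beta2/apps/cms.c 2021-08-10 16:23:08.500940124 +0200
-@@ -278,6 +278,8 @@ static void warn_binary(const char *file
-unsigned char linebuf[1024], *cur, *end;
-int len;
-+ if (file == NULL)
-+ return; /* cannot give a warning for stdin input */
-if ((bio = bio_open_default(file, 'r', FORMAT_BINARY)) == NULL)
-return; /* cannot give a proper warning since there is an error */
-while ((len = BIO_read(bio, linebuf, sizeof(linebuf))) > 0) {
-@@ -482,13 +484,9 @@ int cms_main(int argc, char **argv)
-rr_allorfirst = 1;
-break;
-case OPT_RCTFORM:
-- if (rctformat == FORMAT_ASN1) {
-- if (!opt_format(opt_arg(),
-- OPT_FMT_PEMDER | OPT_FMT_SMIME, &rctformat))
-- goto opthelp;
-- } else {
-- rcms = load_content_info(rctformat, rctin, 0, NULL, "recipient");
-- }
-+ if (!opt_format(opt_arg(),
-+ OPT_FMT_PEMDER | OPT_FMT_SMIME, &rctformat))
-+ goto opthelp;
-break;
-case OPT_CERTFILE:
-certfile = opt_arg();
-@@ -954,7 +952,7 @@ int cms_main(int argc, char **argv)
-goto end;
-}
-- rcms = load_content_info(rctformat, rctin, 0, NULL, "recipient");
-+ rcms = load_content_info(rctformat, rctin, 0, NULL, "receipt");
-if (rcms == NULL)
-goto end;
-}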


@ -1,7 +1,7 @@
diff -up openssl-3.0.0-beta2/apps/openssl.cnf.legacy-prov openssl-3.0.0-beta2/apps/openssl.cnf diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.cnf
--- openssl-3.0.0-beta2/apps/openssl.cnf.legacy-prov 2021-08-16 14:02:48.029645419 +0200 --- openssl-3.0.0/apps/openssl.cnf.legacy-prov 2021-09-09 12:06:40.895793297 +0200
+++ openssl-3.0.0-beta2/apps/openssl.cnf 2021-08-16 14:14:48.006409467 +0200 +++ openssl-3.0.0/apps/openssl.cnf 2021-09-09 12:12:33.947482500 +0200
@@ -43,28 +43,29 @@ tsa_policy1 = 1.2.3.4.1 @@ -42,36 +42,29 @@ tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6 tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7 tsa_policy3 = 1.2.3.4.5.7
@ -19,6 +19,11 @@ diff -up openssl-3.0.0-beta2/apps/openssl.cnf.legacy-prov openssl-3.0.0-beta2/ap
ssl_conf = ssl_module ssl_conf = ssl_module
-# List of providers to load -# List of providers to load
-[provider_sect]
-default = default_sect
-# The fips section name should match the section name inside the
-# included fipsmodule.cnf.
-# fips = fips_sect
+# Uncomment the sections that start with ## below to enable the legacy provider. +# Uncomment the sections that start with ## below to enable the legacy provider.
+# Loading the legacy provider enables support for the following algorithms: +# Loading the legacy provider enables support for the following algorithms:
+# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160 +# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
@ -27,15 +32,18 @@ diff -up openssl-3.0.0-beta2/apps/openssl.cnf.legacy-prov openssl-3.0.0-beta2/ap
+# In general it is not recommended to use the above mentioned algorithms for +# In general it is not recommended to use the above mentioned algorithms for
+# security critical operations, as they are cryptographically weak or vulnerable +# security critical operations, as they are cryptographically weak or vulnerable
+# to side-channel attacks and as such have been deprecated. +# to side-channel attacks and as such have been deprecated.
+
[provider_sect] -# If no providers are activated explicitly, the default one is activated implicitly.
-default = default_sect -# See man 7 OSSL_PROVIDER-default for more details.
-# The fips section name should match the section name inside the -#
-# included fipsmodule.cnf. -# If you add a section explicitly activating any other provider(s), you most
-# fips = fips_sect -# probably need to explicitly activate the default provider, otherwise it
- -# becomes unavailable in openssl. As a consequence applications depending on
-# OpenSSL may not work correctly which could lead to significant system
-# problems including inability to remotely access the system.
-[default_sect] -[default_sect]
-# activate = 1 -# activate = 1
+[provider_sect]
+##default = default_sect +##default = default_sect
+##legacy = legacy_sect +##legacy = legacy_sect
+## +##
@ -47,10 +55,10 @@ diff -up openssl-3.0.0-beta2/apps/openssl.cnf.legacy-prov openssl-3.0.0-beta2/ap
[ ssl_module ] [ ssl_module ]
diff -up openssl-3.0.0-beta2/doc/man5/config.pod.legacy-prov openssl-3.0.0-beta2/doc/man5/config.pod diff -up openssl-3.0.0/doc/man5/config.pod.legacy-prov openssl-3.0.0/doc/man5/config.pod
--- openssl-3.0.0-beta2/doc/man5/config.pod.legacy-prov 2021-08-16 14:12:35.021606001 +0200 --- openssl-3.0.0/doc/man5/config.pod.legacy-prov 2021-09-09 12:09:38.079040853 +0200
+++ openssl-3.0.0-beta2/doc/man5/config.pod 2021-08-16 14:14:47.077396867 +0200 +++ openssl-3.0.0/doc/man5/config.pod 2021-09-09 12:11:56.646224876 +0200
@@ -269,6 +269,14 @@ significant. @@ -273,6 +273,14 @@ significant.
All parameters in the section as well as sub-sections are made All parameters in the section as well as sub-sections are made
available to the provider. available to the provider.
@ -62,6 +70,6 @@ diff -up openssl-3.0.0-beta2/doc/man5/config.pod.legacy-prov openssl-3.0.0-beta2
+security critical operations, as they are cryptographically weak or vulnerable +security critical operations, as they are cryptographically weak or vulnerable
+to side-channel attacks and as such have been deprecated. +to side-channel attacks and as such have been deprecated.
+ +
=head2 EVP Configuration =head3 Default provider and its activation
The name B<alg_section> in the initialization section names the section If no providers are activated explicitly, the default one is activated implicitly.
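Review bot: The reworked openssl.cnf hunk drops upstream's comment block that warns that explicitly activating any provider section disables the implicit activation of the default provider (the `-# If you add a section explicitly activating any other provider(s), you most` … `-# problems including inability to remotely access the system.` lines), and no replacement warning is visible next to the new `##default = default_sect` / `##legacy = legacy_sect` instructions. A user who uncomments only `##legacy = legacy_sect` ends up with the default provider unavailable, which is exactly the failure the removed text describes. Unless the following `@ -47,10 +55,10` hunk re-adds it, consider keeping a short note beside those lines, e.g. `## Activating any provider explicitly disables implicit activation of the default provider; keep 'default = default_sect' enabled as well.` The rendered page interleaves the old and new patch text on each line, so this reading is taken from the right-hand (3.0.0) column and should be confirmed against the patch file.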


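--- a/0025-cms-stdin2.patch
+++ /dev/null
-From 9bdf6bb619543248c1bee1d8207b455c1ee40ab6 Mon Sep 17 00:00:00 2001
-From: Dmitry Belyavskiy <beldmit@gmail.com>
-Date: Fri, 20 Aug 2021 16:45:15 +0200
-Subject: [PATCH] Get rid of warn_binary
-Current implementation of warn_binary introduces a regression
-when the content is passed in /dev/stdin as an explicit file name
-and reads the file to be processed twice otherwise.
-I suggest to reimplement this functionality after 3.0 if necessary.
-Fixes #16359
----
-apps/cms.c | 29 -----------------------------
-1 file changed, 29 deletions(-)
-diff --git a/apps/cms.c b/apps/cms.c
-index c22027e3b198..b30273f1710d 100644
---- a/apps/cms.c
-+++ b/apps/cms.c
-@@ -272,31 +272,6 @@ static CMS_ContentInfo *load_content_info(int informat, BIO *in, int flags,
-return NULL;
-}
--static void warn_binary(const char *file)
--{
-- BIO *bio;
-- unsigned char linebuf[1024], *cur, *end;
-- int len;
--
-- if (file == NULL)
-- return; /* cannot give a warning for stdin input */
-- if ((bio = bio_open_default(file, 'r', FORMAT_BINARY)) == NULL)
-- return; /* cannot give a proper warning since there is an error */
-- while ((len = BIO_read(bio, linebuf, sizeof(linebuf))) > 0) {
-- end = linebuf + len;
-- for (cur = linebuf; cur < end; cur++) {
-- if (*cur == '\0' || *cur >= 0x80) {
-- BIO_printf(bio_err, "Warning: input file '%s' contains %s"
-- " character; better use -binary option\n",
-- file, *cur == '\0' ? "NUL" : "8-bit");
-- goto end;
-- }
-- }
-- }
-- end:
-- BIO_free(bio);
--}
--
-int cms_main(int argc, char **argv)
-{
-CONF *conf = NULL;
-@@ -911,8 +886,6 @@ int cms_main(int argc, char **argv)
-goto end;
-}
-- if ((flags & CMS_BINARY) == 0)
-- warn_binary(infile);
-in = bio_open_default(infile, 'r',
-binary_files ? FORMAT_BINARY : informat);
-if (in == NULL)
-@@ -924,8 +897,6 @@ int cms_main(int argc, char **argv)
-goto end;
-if (contfile != NULL) {
-BIO_free(indata);
-- if ((flags & CMS_BINARY) == 0)
-- warn_binary(contfile);
-if ((indata = BIO_new_file(contfile, "rb")) == NULL) {
-BIO_printf(bio_err, "Can't read content file %s\n", contfile);
-goto end;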


@ -15,7 +15,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 3.0.0 Version: 3.0.0
Release: 0.beta2.7%{?dist} Release: 1%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
@ -52,18 +52,8 @@ Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch
#Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch #Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
# remove unsupported EC curves # remove unsupported EC curves
Patch11: 0011-Remove-EC-curves.patch Patch11: 0011-Remove-EC-curves.patch
# Update alerts according to #1965017
Patch20: 0020-sigalgs-fix-alerts.patch
# Fixes core dump in openssl req -modulus
Patch21: 0021-fix-core-dump-req.patch
# Fixes 'openssl req' to not ask for password when non-encrypted key
Patch22: 0022-fix-openssl-req-password.patch
# cms: Do not try to check binary format on stdin and -rctform fix
Patch23: 0023-cms-stdin.patch
# Instructions to load legacy provider in openssl.cnf # Instructions to load legacy provider in openssl.cnf
Patch24: 0024-load-legacy-prov.patch Patch24: 0024-load-legacy-prov.patch
# cms: don't read /dev/stdin twice
Patch25: 0025-cms-stdin2.patch
License: ASL 2.0 License: ASL 2.0
URL: http://www.openssl.org/ URL: http://www.openssl.org/
@ -119,7 +109,7 @@ package provides Perl scripts for converting certificates and keys
from other formats to the formats used by the OpenSSL toolkit. from other formats to the formats used by the OpenSSL toolkit.
%prep %prep
%autosetup -S git -n %{name}-%{version}-beta2 %autosetup -S git -n %{name}-%{version}
# The hobble_openssl is called here redundantly, just to be sure. # The hobble_openssl is called here redundantly, just to be sure.
# The tarball has already the sources removed. # The tarball has already the sources removed.
@ -386,6 +376,10 @@ install -m644 %{SOURCE9} \
%ldconfig_scriptlets libs %ldconfig_scriptlets libs
%changelog %changelog
* Thu Sep 09 2021 Sahana Prasad <sahana@redhat.com> - 1:3.0.0-1
- Rebase to upstream version 3.0.0
- Related: rhbz#1990814
* Wed Aug 25 2021 Sahana Prasad <sahana@redhat.com> - 1:3.0.0-0.beta2.7 * Wed Aug 25 2021 Sahana Prasad <sahana@redhat.com> - 1:3.0.0-0.beta2.7
- Removes the dual-abi build as it not required anymore. The mass rebuild - Removes the dual-abi build as it not required anymore. The mass rebuild
was completed and all packages are rebuilt against Beta version. was completed and all packages are rebuilt against Beta version.


@ -1 +1 @@
SHA512 (openssl-3.0.0-hobbled.tar.xz) = 096758a79680921d2b18929177d2ee43b7fb62fa30164a16ab1749b8349aac5e6e3d0761419b6c9f0a591c8991c133d142e56ab92f197d142649b58e66d876f7 SHA512 (openssl-3.0.0-hobbled.tar.xz) = aeb6834de96bbf53b0e287c9f0ed866100d30dd02b694fd7142da855ac10074c9ad77cd7c1c688890094f31fd2ee5b5610a7ba1112775b94ae80ba51c66e0b27