rpms/mingw-openssl
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Update to 3.0.3

Browse Source
This commit is contained in:
Sandro Mani 2022-06-02 15:09:32 +02:00
parent 9e3708045a
commit bae47f5e5f
16 changed files with 800 additions and 1011 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -13,3 +13,4 @@ openssl-1.0.0a-usa.tar.bz2
/openssl-1.1.1k-hobbled.tar.xz
/openssl-3.0.0-hobbled.tar.xz
/openssl-3.0.2-hobbled.tar.gz
/openssl-3.0.3-hobbled.tar.gz

24
0001-Aarch64-and-ppc64le-use-lib64.patch
View File

@ -1,18 +1,7 @@
From 603a35802319c0459737e3f067369ceb990fe2e6 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 24 Sep 2020 09:01:41 +0200
Subject: Aarch64 and ppc64le use lib64
(Was openssl-1.1.1-build.patch)
---
Configurations/10-main.conf | 2 ++
1 file changed, 2 insertions(+)
diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
index d7580bf3e1..a7dbfd7f40 100644
--- a/Configurations/10-main.conf
+++ b/Configurations/10-main.conf
@@ -723,6 +723,7 @@ my %targets = (
diff -rupN --no-dereference openssl-3.0.3/Configurations/10-main.conf openssl-3.0.3-new/Configurations/10-main.conf
--- openssl-3.0.3/Configurations/10-main.conf 2022-05-03 15:32:01.000000000 +0200
+++ openssl-3.0.3-new/Configurations/10-main.conf 2022-06-02 14:30:31.646053344 +0200
@@ -730,6 +730,7 @@ my %targets = (
lib_cppflags => add("-DL_ENDIAN"),
asm_arch => 'ppc64',
perlasm_scheme => "linux64le",
@ -20,7 +9,7 @@ index d7580bf3e1..a7dbfd7f40 100644
},
"linux-armv4" => {
@@ -765,6 +766,7 @@ my %targets = (
@@ -772,6 +773,7 @@ my %targets = (
inherit_from => [ "linux-generic64" ],
asm_arch => 'aarch64',
perlasm_scheme => "linux64",
@ -28,6 +17,3 @@ index d7580bf3e1..a7dbfd7f40 100644
},
"linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
inherit_from => [ "linux-generic32" ],
--
2.26.2

31
0002-Use-more-general-default-values-in-openssl.cnf.patch
View File

@ -1,21 +1,7 @@
From 41df9ae215cee9574e17e6f887c96a7c97d588f5 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 24 Sep 2020 09:03:40 +0200
Subject: Use more general default values in openssl.cnf
Also set sha256 as default hash, although that should not be
necessary anymore.
(was openssl-1.1.1-defaults.patch)
---
apps/openssl.cnf | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 97567a67be..eb25a0ac48 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -104,7 +104,7 @@ cert_opt = ca_default # Certificate field options
diff -rupN --no-dereference openssl-3.0.3/apps/openssl.cnf openssl-3.0.3-new/apps/openssl.cnf
--- openssl-3.0.3/apps/openssl.cnf 2022-05-03 15:32:01.000000000 +0200
+++ openssl-3.0.3-new/apps/openssl.cnf 2022-06-02 14:30:31.876053349 +0200
@@ -111,7 +111,7 @@ cert_opt = ca_default # Certificate fi
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
@ -24,7 +10,7 @@ index 97567a67be..eb25a0ac48 100644
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
@@ -136,6 +136,7 @@ emailAddress = optional
@@ -143,6 +143,7 @@ emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
@ -32,7 +18,7 @@ index 97567a67be..eb25a0ac48 100644
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
@@ -158,17 +159,18 @@ string_mask = utf8only
@@ -165,17 +166,18 @@ string_mask = utf8only
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
@ -54,7 +40,7 @@ index 97567a67be..eb25a0ac48 100644
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
@@ -177,7 +179,7 @@ localityName = Locality Name (eg, city)
@@ -184,7 +186,7 @@ localityName = Locality Name (eg, city
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
@ -63,6 +49,3 @@ index 97567a67be..eb25a0ac48 100644
commonName_max = 64
emailAddress = Email Address
--
2.26.2

22
0003-Do-not-install-html-docs.patch
View File

@ -1,18 +1,7 @@
From 3d5755df8d09ca841c0aca2d7344db060f6cc97f Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 24 Sep 2020 09:05:55 +0200
Subject: Do not install html docs
(was openssl-1.1.1-no-html.patch)
---
Configurations/unix-Makefile.tmpl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
index 342e46d24d..9f369edf0e 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -554,7 +554,7 @@ install_sw: install_dev install_engines install_modules install_runtime
diff -rupN --no-dereference openssl-3.0.3/Configurations/unix-Makefile.tmpl openssl-3.0.3-new/Configurations/unix-Makefile.tmpl
--- openssl-3.0.3/Configurations/unix-Makefile.tmpl 2022-05-03 15:32:01.000000000 +0200
+++ openssl-3.0.3-new/Configurations/unix-Makefile.tmpl 2022-06-02 14:30:32.079053354 +0200
@@ -610,7 +610,7 @@ install_sw: install_dev install_engines
uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev
@ -21,6 +10,3 @@ index 342e46d24d..9f369edf0e 100644
uninstall_docs: uninstall_man_docs uninstall_html_docs
$(RM) -r $(DESTDIR)$(DOCDIR)
--
2.26.2

37
0004-Override-default-paths-for-the-CA-directory-tree.patch
View File

@ -1,23 +1,6 @@
From 6790960076742a9053c624e26fbb87fcd5789e27 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 24 Sep 2020 09:17:26 +0200
Subject: Override default paths for the CA directory tree
Also add default section to load crypto-policies configuration
for TLS.
It needs to be reverted before running tests.
(was openssl-1.1.1-conf-paths.patch)
---
apps/CA.pl.in | 2 +-
apps/openssl.cnf | 20 ++++++++++++++++++--
2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/apps/CA.pl.in b/apps/CA.pl.in
index c0afb96716..d6a5fabd16 100644
--- a/apps/CA.pl.in
+++ b/apps/CA.pl.in
diff -rupN --no-dereference openssl-3.0.3/apps/CA.pl.in openssl-3.0.3-new/apps/CA.pl.in
--- openssl-3.0.3/apps/CA.pl.in 2022-05-03 15:32:01.000000000 +0200
+++ openssl-3.0.3-new/apps/CA.pl.in 2022-06-02 14:30:32.267053358 +0200
@@ -29,7 +29,7 @@ my $X509 = "$openssl x509";
my $PKCS12 = "$openssl pkcs12";
@ -27,10 +10,10 @@ index c0afb96716..d6a5fabd16 100644
my $CAKEY = "cakey.pem";
my $CAREQ = "careq.pem";
my $CACERT = "cacert.pem";
diff -up openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls openssl-3.0.0-alpha16/apps/openssl.cnf
--- openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls 2021-07-06 13:41:39.204978272 +0200
+++ openssl-3.0.0-alpha16/apps/openssl.cnf 2021-07-06 13:49:50.362857683 +0200
@@ -53,6 +53,8 @@ tsa_policy3 = 1.2.3.4.5.7
diff -rupN --no-dereference openssl-3.0.3/apps/openssl.cnf openssl-3.0.3-new/apps/openssl.cnf
--- openssl-3.0.3/apps/openssl.cnf 2022-06-02 14:30:32.076053354 +0200
+++ openssl-3.0.3-new/apps/openssl.cnf 2022-06-02 14:30:32.267053358 +0200
@@ -52,6 +52,8 @@ tsa_policy3 = 1.2.3.4.5.7
[openssl_init]
providers = provider_sect
@ -39,7 +22,7 @@ diff -up openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls openssl-3.0.0-alpha1
# List of providers to load
[provider_sect]
@@ -64,6 +66,13 @@ default = default_sect
@@ -71,6 +73,13 @@ default = default_sect
[default_sect]
# activate = 1
@ -53,7 +36,7 @@ diff -up openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls openssl-3.0.0-alpha1
####################################################################
[ ca ]
@@ -72,7 +81,7 @@ default_ca = CA_default # The default c
@@ -79,7 +88,7 @@ default_ca = CA_default # The default c
####################################################################
[ CA_default ]
@ -62,7 +45,7 @@ diff -up openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls openssl-3.0.0-alpha1
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
@@ -304,7 +313,7 @@ default_tsa = tsa_config1 # the default
@@ -311,7 +320,7 @@ default_tsa = tsa_config1 # the default
[ tsa_config1 ]
# These are used by the TSA reply generation only.

24
0005-apps-ca-fix-md-option-help-text.patch
View File

@ -1,20 +1,7 @@
From 3d8fa9859501b07e02b76b5577e2915d5851e927 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 24 Sep 2020 09:27:18 +0200
Subject: apps/ca: fix md option help text
upstreamable
(was openssl-1.1.1-apps-dgst.patch)
---
apps/ca.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/ca.c b/apps/ca.c
index 0f21b4fa1c..3d4b2c1673 100755
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -209,7 +209,7 @@ const OPTIONS ca_options[] = {
diff -rupN --no-dereference openssl-3.0.3/apps/ca.c openssl-3.0.3-new/apps/ca.c
--- openssl-3.0.3/apps/ca.c 2022-05-03 15:32:01.000000000 +0200
+++ openssl-3.0.3-new/apps/ca.c 2022-06-02 14:30:32.456053362 +0200
@@ -210,7 +210,7 @@ const OPTIONS ca_options[] = {
{"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"},
OPT_SECTION("Signing"),
@ -23,6 +10,3 @@ index 0f21b4fa1c..3d4b2c1673 100755
{"keyfile", OPT_KEYFILE, 's', "The CA private key"},
{"keyform", OPT_KEYFORM, 'f',
"Private key file format (ENGINE, other values ignored)"},
--
2.26.2

22
0006-Disable-signature-verification-with-totally-unsafe-h.patch
View File

@ -1,18 +1,7 @@
From 3f9deff30ae6efbfe979043b00cdf649b39793c0 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 24 Sep 2020 09:51:34 +0200
Subject: Disable signature verification with totally unsafe hash algorithms
(was openssl-1.1.1-no-weak-verify.patch)
---
crypto/asn1/a_verify.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
index b7eed914b0..af62f0ef08 100644
--- a/crypto/asn1/a_verify.c
+++ b/crypto/asn1/a_verify.c
@@ -152,6 +152,11 @@ int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg,
diff -rupN --no-dereference openssl-3.0.3/crypto/asn1/a_verify.c openssl-3.0.3-new/crypto/asn1/a_verify.c
--- openssl-3.0.3/crypto/asn1/a_verify.c 2022-05-03 15:32:01.000000000 +0200
+++ openssl-3.0.3-new/crypto/asn1/a_verify.c 2022-06-02 14:30:32.645053367 +0200
@@ -153,6 +153,11 @@ int ASN1_item_verify_ctx(const ASN1_ITEM
ERR_raise(ERR_LIB_ASN1, ERR_R_EVP_LIB);
if (ret <= 1)
goto err;
@ -24,6 +13,3 @@ index b7eed914b0..af62f0ef08 100644
} else {
const EVP_MD *type = NULL;
--
2.26.2

191
0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
View File

@ -1,25 +1,7 @@
From 736d709ec194b3a763e004696df22792c62a11fc Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 24 Sep 2020 10:16:46 +0200
Subject: Add support for PROFILE=SYSTEM system default cipherlist
(was openssl-1.1.1-system-cipherlist.patch)
---
Configurations/unix-Makefile.tmpl | 5 ++
Configure | 10 +++-
doc/man1/openssl-ciphers.pod.in | 9 ++++
include/openssl/ssl.h.in | 5 ++
ssl/ssl_ciph.c | 88 +++++++++++++++++++++++++++----
ssl/ssl_lib.c | 4 +-
test/cipherlist_test.c | 2 +
util/libcrypto.num | 1 +
8 files changed, 110 insertions(+), 14 deletions(-)
diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
index 9f369edf0e..c52389f831 100644
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -269,6 +269,10 @@ MANDIR=$(INSTALLTOP)/share/man
diff -rupN --no-dereference openssl-3.0.3/Configurations/unix-Makefile.tmpl openssl-3.0.3-new/Configurations/unix-Makefile.tmpl
--- openssl-3.0.3/Configurations/unix-Makefile.tmpl 2022-06-02 14:30:32.263053358 +0200
+++ openssl-3.0.3-new/Configurations/unix-Makefile.tmpl 2022-06-02 14:30:32.842053371 +0200
@@ -315,6 +315,10 @@ MANDIR=$(INSTALLTOP)/share/man
DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
HTMLDIR=$(DOCDIR)/html
@ -30,7 +12,7 @@ index 9f369edf0e..c52389f831 100644
# MANSUFFIX is for the benefit of anyone who may want to have a suffix
# appended after the manpage file section number. "ssl" is popular,
# resulting in files such as config.5ssl rather than config.5.
@@ -292,6 +296,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
@@ -338,6 +342,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -}
CPPFLAGS={- our $cppflags1 = join(" ",
(map { "-D".$_} @{$config{CPPDEFINES}}),
@ -38,11 +20,52 @@ index 9f369edf0e..c52389f831 100644
(map { "-I".$_} @{$config{CPPINCLUDES}}),
@{$config{CPPFLAGS}}) -}
CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
diff --git a/doc/man1/openssl-ciphers.pod.in b/doc/man1/openssl-ciphers.pod.in
index b4ed3e51d5..2122e6bdfd 100644
--- a/doc/man1/openssl-ciphers.pod.in
+++ b/doc/man1/openssl-ciphers.pod.in
@@ -187,6 +187,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher suites are sensibly ordered by default.
diff -rupN --no-dereference openssl-3.0.3/Configure openssl-3.0.3-new/Configure
--- openssl-3.0.3/Configure 2022-05-03 15:32:01.000000000 +0200
+++ openssl-3.0.3-new/Configure 2022-06-02 14:30:32.847053371 +0200
@@ -27,7 +27,7 @@ use OpenSSL::config;
my $orig_death_handler = $SIG{__DIE__};
$SIG{__DIE__} = \&death_handler;
-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
my $banner = <<"EOF";
@@ -61,6 +61,10 @@ EOF
# given with --prefix.
# This becomes the value of OPENSSLDIR in Makefile and in C.
# (Default: PREFIX/ssl)
+#
+# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM
+# cipher is specified (default).
+#
# --banner=".." Output specified text instead of default completion banner
#
# -w Don't wait after showing a Configure warning
@@ -387,6 +391,7 @@ $config{prefix}="";
$config{openssldir}="";
$config{processor}="";
$config{libdir}="";
+$config{system_ciphers_file}="";
my $auto_threads=1; # enable threads automatically? true by default
my $default_ranlib;
@@ -989,6 +994,10 @@ while (@argvcopy)
die "FIPS key too long (64 bytes max)\n"
if length $1 > 64;
}
+ elsif (/^--system-ciphers-file=(.*)$/)
+ {
+ $config{system_ciphers_file}=$1;
+ }
elsif (/^--banner=(.*)$/)
{
$banner = $1 . "\n";
diff -rupN --no-dereference openssl-3.0.3/doc/man1/openssl-ciphers.pod.in openssl-3.0.3-new/doc/man1/openssl-ciphers.pod.in
--- openssl-3.0.3/doc/man1/openssl-ciphers.pod.in 2022-05-03 15:32:01.000000000 +0200
+++ openssl-3.0.3-new/doc/man1/openssl-ciphers.pod.in 2022-06-02 14:30:32.843053371 +0200
@@ -186,6 +186,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
The cipher suites not enabled by B<ALL>, currently B<eNULL>.
@ -58,11 +81,10 @@ index b4ed3e51d5..2122e6bdfd 100644
=item B<HIGH>
"High" encryption cipher suites. This currently means those with key lengths
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index f9a61609e4..c6f95fed3f 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -209,6 +209,11 @@ extern "C" {
diff -rupN --no-dereference openssl-3.0.3/include/openssl/ssl.h.in openssl-3.0.3-new/include/openssl/ssl.h.in
--- openssl-3.0.3/include/openssl/ssl.h.in 2022-05-03 15:32:01.000000000 +0200
+++ openssl-3.0.3-new/include/openssl/ssl.h.in 2022-06-02 14:30:32.843053371 +0200
@@ -205,6 +205,11 @@ extern "C" {
* throwing out anonymous and unencrypted ciphersuites! (The latter are not
* actually enabled by ALL, but "ALL:RSA" would enable some of them.)
*/
@ -74,11 +96,10 @@ index f9a61609e4..c6f95fed3f 100644
/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
# define SSL_SENT_SHUTDOWN 1
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index b1d3f7919e..f7cc7fed48 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1411,6 +1411,53 @@ int SSL_set_ciphersuites(SSL *s, const char *str)
diff -rupN --no-dereference openssl-3.0.3/ssl/ssl_ciph.c openssl-3.0.3-new/ssl/ssl_ciph.c
--- openssl-3.0.3/ssl/ssl_ciph.c 2022-05-03 15:32:01.000000000 +0200
+++ openssl-3.0.3-new/ssl/ssl_ciph.c 2022-06-02 14:30:32.844053371 +0200
@@ -1436,6 +1436,53 @@ int SSL_set_ciphersuites(SSL *s, const c
return ret;
}
@ -132,7 +153,7 @@ index b1d3f7919e..f7cc7fed48 100644
STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
STACK_OF(SSL_CIPHER) **cipher_list,
@@ -1425,15 +1472,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
@@ -1450,15 +1497,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
const SSL_CIPHER **ca_list = NULL;
const SSL_METHOD *ssl_method = ctx->method;
@ -153,14 +174,14 @@ index b1d3f7919e..f7cc7fed48 100644
if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
- return NULL;
+ goto err;
if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
- return NULL;
+ goto err;
/*
* To reduce the work to do we only want to process the compiled
@@ -1456,7 +1513,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
@@ -1480,7 +1537,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
if (co_list == NULL) {
ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
@ -169,7 +190,7 @@ index b1d3f7919e..f7cc7fed48 100644
}
ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
@@ -1522,8 +1579,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
@@ -1546,8 +1603,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
* in force within each class
*/
if (!ssl_cipher_strength_sort(&head, &tail)) {
@ -179,7 +200,7 @@ index b1d3f7919e..f7cc7fed48 100644
}
/*
@@ -1568,9 +1624,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
@@ -1591,9 +1647,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
if (ca_list == NULL) {
@ -190,7 +211,7 @@ index b1d3f7919e..f7cc7fed48 100644
}
ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
disabled_mkey, disabled_auth, disabled_enc,
@@ -1596,8 +1651,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
@@ -1619,8 +1674,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
OPENSSL_free(ca_list); /* Not needed anymore */
if (!ok) { /* Rule processing failure */
@ -200,7 +221,7 @@ index b1d3f7919e..f7cc7fed48 100644
}
/*
@@ -1605,10 +1659,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
@@ -1628,10 +1682,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
* if we cannot get one.
*/
if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
@ -216,7 +237,7 @@ index b1d3f7919e..f7cc7fed48 100644
/* Add TLSv1.3 ciphers first - we always prefer those if possible */
for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
@@ -1656,6 +1714,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
@@ -1683,6 +1740,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
*cipher_list = cipherstack;
return cipherstack;
@ -231,11 +252,10 @@ index b1d3f7919e..f7cc7fed48 100644
}
char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index d14d5819ba..48d491219a 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -660,7 +660,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth)
diff -rupN --no-dereference openssl-3.0.3/ssl/ssl_lib.c openssl-3.0.3-new/ssl/ssl_lib.c
--- openssl-3.0.3/ssl/ssl_lib.c 2022-05-03 15:32:01.000000000 +0200
+++ openssl-3.0.3-new/ssl/ssl_lib.c 2022-06-02 14:30:32.845053371 +0200
@@ -660,7 +660,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
ctx->tls13_ciphersuites,
&(ctx->cipher_list),
&(ctx->cipher_list_by_id),
@ -244,7 +264,7 @@ index d14d5819ba..48d491219a 100644
if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
return 0;
@@ -3193,7 +3193,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
@@ -3271,7 +3271,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li
if (!ssl_create_cipher_list(ret,
ret->tls13_ciphersuites,
&ret->cipher_list, &ret->cipher_list_by_id,
@ -253,11 +273,10 @@ index d14d5819ba..48d491219a 100644
|| sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS);
goto err2;
diff --git a/test/cipherlist_test.c b/test/cipherlist_test.c
index 380f0727fc..6922a87c30 100644
--- a/test/cipherlist_test.c
+++ b/test/cipherlist_test.c
@@ -244,7 +244,9 @@ end:
diff -rupN --no-dereference openssl-3.0.3/test/cipherlist_test.c openssl-3.0.3-new/test/cipherlist_test.c
--- openssl-3.0.3/test/cipherlist_test.c 2022-05-03 15:32:01.000000000 +0200
+++ openssl-3.0.3-new/test/cipherlist_test.c 2022-06-02 14:30:32.845053371 +0200
@@ -246,7 +246,9 @@ end:
int setup_tests(void)
{
@ -267,57 +286,11 @@ index 380f0727fc..6922a87c30 100644
ADD_TEST(test_default_cipherlist_explicit);
ADD_TEST(test_default_cipherlist_clear);
return 1;
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 404a706fab..e81fa9ec3e 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -5282,3 +5282,4 @@ OSSL_DECODER_CTX_set_input_structure ? 3_0_0 EXIST::FUNCTION:
ASN1_TIME_print_ex 5553 3_0_0 EXIST::FUNCTION:
EVP_PKEY_get0_provider 5554 3_0_0 EXIST::FUNCTION:
diff -rupN --no-dereference openssl-3.0.3/util/libcrypto.num openssl-3.0.3-new/util/libcrypto.num
--- openssl-3.0.3/util/libcrypto.num 2022-05-03 15:32:01.000000000 +0200
+++ openssl-3.0.3-new/util/libcrypto.num 2022-06-02 14:30:32.846053371 +0200
@@ -5427,3 +5427,4 @@ EVP_PKEY_get0_provider
EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION:
OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION:
OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION:
+ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION:
--
2.26.2
diff -up openssl-3.0.0-beta1/Configure.sys-default openssl-3.0.0-beta1/Configure
--- openssl-3.0.0-beta1/Configure.sys-default 2021-06-29 11:47:58.978144386 +0200
+++ openssl-3.0.0-beta1/Configure 2021-06-29 11:52:01.631126260 +0200
@@ -27,7 +27,7 @@ use OpenSSL::config;
my $orig_death_handler = $SIG{__DIE__};
$SIG{__DIE__} = \&death_handler;
-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
+my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
my $banner = <<"EOF";
@@ -61,6 +61,10 @@ EOF
# given with --prefix.
# This becomes the value of OPENSSLDIR in Makefile and in C.
# (Default: PREFIX/ssl)
+#
+# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM
+# cipher is specified (default).
+#
# --banner=".." Output specified text instead of default completion banner
#
# -w Don't wait after showing a Configure warning
@@ -385,6 +389,7 @@ $config{prefix}="";
$config{openssldir}="";
$config{processor}="";
$config{libdir}="";
+$config{system_ciphers_file}="";
my $auto_threads=1; # enable threads automatically? true by default
my $default_ranlib;
@@ -987,6 +992,10 @@ while (@argvcopy)
die "FIPS key too long (64 bytes max)\n"
if length $1 > 64;
}
+ elsif (/^--system-ciphers-file=(.*)$/)
+ {
+ $config{system_ciphers_file}=$1;
+ }
elsif (/^--banner=(.*)$/)
{
$banner = $1 . "\n";

41
0008-Add-FIPS_mode-compatibility-macro.patch
View File

@ -1,22 +1,7 @@
From 5b2ec9a54037d7b007324bf53e067e73511cdfe4 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 26 Nov 2020 14:00:16 +0100
Subject: Add FIPS_mode() compatibility macro
The macro calls EVP_default_properties_is_fips_enabled() on the
default context.
---
include/openssl/crypto.h.in | 1 +
include/openssl/fips.h | 25 +++++++++++++++++++++++++
test/property_test.c | 13 +++++++++++++
3 files changed, 39 insertions(+)
create mode 100644 include/openssl/fips.h
diff --git a/include/openssl/crypto.h.in b/include/openssl/crypto.h.in
index 1036da9a2b..9d4896fcaf 100644
--- a/include/openssl/crypto.h.in
+++ b/include/openssl/crypto.h.in
@@ -38,6 +38,7 @@ use OpenSSL::stackhash qw(generate_stack_macros);
diff -rupN --no-dereference openssl-3.0.3/include/openssl/crypto.h.in openssl-3.0.3-new/include/openssl/crypto.h.in
--- openssl-3.0.3/include/openssl/crypto.h.in 2022-05-03 15:32:01.000000000 +0200
+++ openssl-3.0.3-new/include/openssl/crypto.h.in 2022-06-02 14:30:33.049053376 +0200
@@ -38,6 +38,7 @@ use OpenSSL::stackhash qw(generate_stack
# include <openssl/opensslconf.h>
# include <openssl/cryptoerr.h>
# include <openssl/core.h>
@ -24,11 +9,9 @@ index 1036da9a2b..9d4896fcaf 100644
# ifdef CHARSET_EBCDIC
# include <openssl/ebcdic.h>
diff --git a/include/openssl/fips.h b/include/openssl/fips.h
new file mode 100644
index 0000000000..c64f0f8e8f
--- /dev/null
+++ b/include/openssl/fips.h
diff -rupN --no-dereference openssl-3.0.3/include/openssl/fips.h openssl-3.0.3-new/include/openssl/fips.h
--- openssl-3.0.3/include/openssl/fips.h 1970-01-01 01:00:00.000000000 +0100
+++ openssl-3.0.3-new/include/openssl/fips.h 2022-06-02 14:30:33.049053376 +0200
@@ -0,0 +1,25 @@
+/*
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
@ -55,10 +38,10 @@ index 0000000000..c64f0f8e8f
+}
+# endif
+#endif
diff -up openssl-3.0.0-beta1/test/property_test.c.fips-macro openssl-3.0.0-beta1/test/property_test.c
--- openssl-3.0.0-beta1/test/property_test.c.fips-macro 2021-06-29 12:14:58.851557698 +0200
+++ openssl-3.0.0-beta1/test/property_test.c 2021-06-29 12:17:14.630143832 +0200
@@ -488,6 +488,18 @@ static int test_property_list_to_string(
diff -rupN --no-dereference openssl-3.0.3/test/property_test.c openssl-3.0.3-new/test/property_test.c
--- openssl-3.0.3/test/property_test.c 2022-05-03 15:32:01.000000000 +0200
+++ openssl-3.0.3-new/test/property_test.c 2022-06-02 14:30:33.050053376 +0200
@@ -624,6 +624,18 @@ static int test_property_list_to_string(
return ret;
}
@ -77,7 +60,7 @@ diff -up openssl-3.0.0-beta1/test/property_test.c.fips-macro openssl-3.0.0-beta1
int setup_tests(void)
{
ADD_TEST(test_property_string);
@@ -500,6 +512,7 @@ int setup_tests(void)
@@ -637,6 +649,7 @@ int setup_tests(void)
ADD_TEST(test_property);
ADD_TEST(test_query_cache_stochastic);
ADD_TEST(test_fips_mode);

1192
0011-Remove-EC-curves.patch
View File

File diff suppressed because it is too large Load Diff

70
0012-Disable-explicit-ec.patch
View File

@ -1,6 +1,6 @@
diff -up openssl-3.0.1/crypto/ec/ec_lib.c.disable_explicit_ec openssl-3.0.1/crypto/ec/ec_lib.c
--- openssl-3.0.1/crypto/ec/ec_lib.c.disable_explicit_ec 2022-02-22 09:08:48.557823665 +0100
+++ openssl-3.0.1/crypto/ec/ec_lib.c 2022-02-22 09:09:26.634133847 +0100
diff -rupN --no-dereference openssl-3.0.3/crypto/ec/ec_lib.c openssl-3.0.3-new/crypto/ec/ec_lib.c
--- openssl-3.0.3/crypto/ec/ec_lib.c 2022-05-03 15:32:01.000000000 +0200
+++ openssl-3.0.3-new/crypto/ec/ec_lib.c 2022-06-02 14:30:33.453053385 +0200
@@ -1458,7 +1458,7 @@ static EC_GROUP *ec_group_explicit_to_na
goto err;
}
@ -10,38 +10,10 @@ diff -up openssl-3.0.1/crypto/ec/ec_lib.c.disable_explicit_ec openssl-3.0.1/cryp
}
EC_GROUP_free(dup);
return ret_group;
diff -up openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.disable_explicit_ec openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c
--- openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.disable_explicit_ec 2022-02-22 13:04:16.850856612 +0100
+++ openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c 2022-02-22 14:16:19.848369641 +0100
@@ -936,11 +936,8 @@ int ec_validate(const void *keydata, int
if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) {
int flags = EC_KEY_get_flags(eck);
- if ((flags & EC_FLAG_CHECK_NAMED_GROUP) != 0)
- ok = ok && EC_GROUP_check_named_curve(EC_KEY_get0_group(eck),
- (flags & EC_FLAG_CHECK_NAMED_GROUP_NIST) != 0, ctx);
- else
- ok = ok && EC_GROUP_check(EC_KEY_get0_group(eck), ctx);
+ ok = ok && EC_GROUP_check_named_curve(EC_KEY_get0_group(eck),
+ (flags & EC_FLAG_CHECK_NAMED_GROUP_NIST) != 0, ctx);
}
if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {
@@ -1217,6 +1214,10 @@ static int ec_gen_assign_group(EC_KEY *e
ERR_raise(ERR_LIB_PROV, PROV_R_NO_PARAMETERS_SET);
return 0;
}
+ if (EC_GROUP_get_curve_name(group) == NID_undef) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE);
+ return 0;
+ }
return EC_KEY_set_group(ec, group) > 0;
}
diff -up openssl-3.0.1/providers/common/securitycheck.c.disable_explicit_ec openssl-3.0.1/providers/common/securitycheck.c
--- openssl-3.0.1/providers/common/securitycheck.c.disable_explicit_ec 2022-02-25 11:44:19.554673396 +0100
+++ openssl-3.0.1/providers/common/securitycheck.c 2022-02-25 12:16:38.168610089 +0100
@@ -93,22 +93,22 @@ int ossl_rsa_check_key(OSSL_LIB_CTX *ctx
diff -rupN --no-dereference openssl-3.0.3/providers/common/securitycheck.c openssl-3.0.3-new/providers/common/securitycheck.c
--- openssl-3.0.3/providers/common/securitycheck.c 2022-05-03 15:32:01.000000000 +0200
+++ openssl-3.0.3-new/providers/common/securitycheck.c 2022-06-02 14:30:33.454053385 +0200
@@ -92,22 +92,22 @@ int ossl_rsa_check_key(OSSL_LIB_CTX *ctx
int ossl_ec_check_key(OSSL_LIB_CTX *ctx, const EC_KEY *ec, int protect)
{
# if !defined(OPENSSL_NO_FIPS_SECURITYCHECKS)
@ -78,3 +50,31 @@ diff -up openssl-3.0.1/providers/common/securitycheck.c.disable_explicit_ec open
curve_name = EC_curve_nid2nist(nid);
if (curve_name == NULL) {
ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
diff -rupN --no-dereference openssl-3.0.3/providers/implementations/keymgmt/ec_kmgmt.c openssl-3.0.3-new/providers/implementations/keymgmt/ec_kmgmt.c
--- openssl-3.0.3/providers/implementations/keymgmt/ec_kmgmt.c 2022-05-03 15:32:01.000000000 +0200
+++ openssl-3.0.3-new/providers/implementations/keymgmt/ec_kmgmt.c 2022-06-02 14:30:33.454053385 +0200
@@ -932,11 +932,8 @@ int ec_validate(const void *keydata, int
if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) {
int flags = EC_KEY_get_flags(eck);
- if ((flags & EC_FLAG_CHECK_NAMED_GROUP) != 0)
- ok = ok && EC_GROUP_check_named_curve(EC_KEY_get0_group(eck),
- (flags & EC_FLAG_CHECK_NAMED_GROUP_NIST) != 0, ctx);
- else
- ok = ok && EC_GROUP_check(EC_KEY_get0_group(eck), ctx);
+ ok = ok && EC_GROUP_check_named_curve(EC_KEY_get0_group(eck),
+ (flags & EC_FLAG_CHECK_NAMED_GROUP_NIST) != 0, ctx);
}
if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {
@@ -1213,6 +1210,10 @@ static int ec_gen_assign_group(EC_KEY *e
ERR_raise(ERR_LIB_PROV, PROV_R_NO_PARAMETERS_SET);
return 0;
}
+ if (EC_GROUP_get_curve_name(group) == NID_undef) {
+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CURVE);
+ return 0;
+ }
return EC_KEY_set_group(ec, group) > 0;
}

12
0024-load-legacy-prov.patch
View File

@ -1,6 +1,6 @@
diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.cnf
--- openssl-3.0.0/apps/openssl.cnf.legacy-prov 2021-09-09 12:06:40.895793297 +0200
+++ openssl-3.0.0/apps/openssl.cnf 2021-09-09 12:12:33.947482500 +0200
diff -rupN --no-dereference openssl-3.0.3/apps/openssl.cnf openssl-3.0.3-new/apps/openssl.cnf
--- openssl-3.0.3/apps/openssl.cnf 2022-06-02 14:30:32.453053362 +0200
+++ openssl-3.0.3-new/apps/openssl.cnf 2022-06-02 14:30:33.645053389 +0200
@@ -42,36 +42,29 @@ tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
@ -55,9 +55,9 @@ diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.c
[ ssl_module ]
diff -up openssl-3.0.0/doc/man5/config.pod.legacy-prov openssl-3.0.0/doc/man5/config.pod
--- openssl-3.0.0/doc/man5/config.pod.legacy-prov 2021-09-09 12:09:38.079040853 +0200
+++ openssl-3.0.0/doc/man5/config.pod 2021-09-09 12:11:56.646224876 +0200
diff -rupN --no-dereference openssl-3.0.3/doc/man5/config.pod openssl-3.0.3-new/doc/man5/config.pod
--- openssl-3.0.3/doc/man5/config.pod 2022-05-03 15:32:01.000000000 +0200
+++ openssl-3.0.3-new/doc/man5/config.pod 2022-06-02 14:30:33.646053389 +0200
@@ -273,6 +273,14 @@ significant.
All parameters in the section as well as sub-sections are made
available to the provider.

119
0051-Support-different-R_BITS-lengths-for-KBKDF.patch
View File

@ -1,27 +1,7 @@
From 0e9a265e42890699dfce82f1ff6905de6aafbd41 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk <puiterwijk@redhat.com>
Date: Thu, 18 Nov 2021 10:47:14 +0100
Subject: [PATCH] Support different R_BITS lengths for KBKDF
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17063)
---
doc/man7/EVP_KDF-KB.pod | 7 +
include/openssl/core_names.h | 1 +
providers/implementations/kdfs/kbkdf.c | 30 +-
test/evp_kdf_test.c | 47 +-
test/evp_test.c | 6 +
test/recipes/30-test_evp.t | 1 +
.../30-test_evp_data/evpkdf_kbkdf_counter.txt | 1843 +++++++++++++++++
7 files changed, 1924 insertions(+), 11 deletions(-)
create mode 100644 test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt
diff --git a/doc/man7/EVP_KDF-KB.pod b/doc/man7/EVP_KDF-KB.pod
index d4fad66f7654..a67268afa7d5 100644
--- a/doc/man7/EVP_KDF-KB.pod
+++ b/doc/man7/EVP_KDF-KB.pod
@@ -58,6 +58,13 @@ Set to B<0> to disable use of the optional Fixed Input data 'zero separator'
diff -rupN --no-dereference openssl-3.0.3/doc/man7/EVP_KDF-KB.pod openssl-3.0.3-new/doc/man7/EVP_KDF-KB.pod
--- openssl-3.0.3/doc/man7/EVP_KDF-KB.pod 2022-05-03 15:32:01.000000000 +0200
+++ openssl-3.0.3-new/doc/man7/EVP_KDF-KB.pod 2022-06-02 14:30:33.841053393 +0200
@@ -58,6 +58,13 @@ Set to B<0> to disable use of the option
(see SP800-108) that is placed between the Label and Context.
The default value of B<1> will be used if unspecified.
@ -35,10 +15,9 @@ index d4fad66f7654..a67268afa7d5 100644
=back
Depending on whether mac is CMAC or HMAC, either digest or cipher is required
diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
index b549dae9167c..78418dc6e0a2 100644
--- a/include/openssl/core_names.h
+++ b/include/openssl/core_names.h
diff -rupN --no-dereference openssl-3.0.3/include/openssl/core_names.h openssl-3.0.3-new/include/openssl/core_names.h
--- openssl-3.0.3/include/openssl/core_names.h 2022-05-03 15:32:01.000000000 +0200
+++ openssl-3.0.3-new/include/openssl/core_names.h 2022-06-02 14:30:33.842053393 +0200
@@ -217,6 +217,7 @@ extern "C" {
#define OSSL_KDF_PARAM_PKCS12_ID "id" /* int */
#define OSSL_KDF_PARAM_KBKDF_USE_L "use-l" /* int */
@ -47,10 +26,9 @@ index b549dae9167c..78418dc6e0a2 100644
#define OSSL_KDF_PARAM_X942_ACVPINFO "acvp-info"
#define OSSL_KDF_PARAM_X942_PARTYUINFO "partyu-info"
#define OSSL_KDF_PARAM_X942_PARTYVINFO "partyv-info"
diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c
index 01f7f0d4fd2e..a81cc6e0c0d6 100644
--- a/providers/implementations/kdfs/kbkdf.c
+++ b/providers/implementations/kdfs/kbkdf.c
diff -rupN --no-dereference openssl-3.0.3/providers/implementations/kdfs/kbkdf.c openssl-3.0.3-new/providers/implementations/kdfs/kbkdf.c
--- openssl-3.0.3/providers/implementations/kdfs/kbkdf.c 2022-05-03 15:32:01.000000000 +0200
+++ openssl-3.0.3-new/providers/implementations/kdfs/kbkdf.c 2022-06-02 14:30:33.842053393 +0200
@@ -60,6 +60,7 @@ typedef struct {
EVP_MAC_CTX *ctx_init;
@ -67,7 +45,7 @@ index 01f7f0d4fd2e..a81cc6e0c0d6 100644
ctx->use_l = 1;
ctx->use_separator = 1;
}
@@ -152,7 +154,7 @@ static int derive(EVP_MAC_CTX *ctx_init, kbkdf_mode mode, unsigned char *iv,
@@ -152,7 +154,7 @@ static int derive(EVP_MAC_CTX *ctx_init,
size_t iv_len, unsigned char *label, size_t label_len,
unsigned char *context, size_t context_len,
unsigned char *k_i, size_t h, uint32_t l, int has_separator,
@ -76,7 +54,7 @@ index 01f7f0d4fd2e..a81cc6e0c0d6 100644
{
int ret = 0;
EVP_MAC_CTX *ctx = NULL;
@@ -186,7 +188,7 @@ static int derive(EVP_MAC_CTX *ctx_init, kbkdf_mode mode, unsigned char *iv,
@@ -186,7 +188,7 @@ static int derive(EVP_MAC_CTX *ctx_init,
if (mode == FEEDBACK && !EVP_MAC_update(ctx, k_i, k_i_len))
goto done;
@ -85,7 +63,7 @@ index 01f7f0d4fd2e..a81cc6e0c0d6 100644
|| !EVP_MAC_update(ctx, label, label_len)
|| (has_separator && !EVP_MAC_update(ctx, &zero, 1))
|| !EVP_MAC_update(ctx, context, context_len)
@@ -217,6 +219,7 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen,
@@ -217,6 +219,7 @@ static int kbkdf_derive(void *vctx, unsi
unsigned char *k_i = NULL;
uint32_t l = 0;
size_t h = 0;
@ -93,7 +71,7 @@ index 01f7f0d4fd2e..a81cc6e0c0d6 100644
if (!ossl_prov_is_running() || !kbkdf_set_ctx_params(ctx, params))
return 0;
@@ -248,6 +251,15 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen,
@@ -248,6 +251,15 @@ static int kbkdf_derive(void *vctx, unsi
goto done;
}
@ -109,7 +87,7 @@ index 01f7f0d4fd2e..a81cc6e0c0d6 100644
if (ctx->use_l != 0)
l = be32(keylen * 8);
@@ -257,7 +269,7 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen,
@@ -257,7 +269,7 @@ static int kbkdf_derive(void *vctx, unsi
ret = derive(ctx->ctx_init, ctx->mode, ctx->iv, ctx->iv_len, ctx->label,
ctx->label_len, ctx->context, ctx->context_len, k_i, h, l,
@ -118,7 +96,7 @@ index 01f7f0d4fd2e..a81cc6e0c0d6 100644
done:
if (ret != 1)
OPENSSL_cleanse(key, keylen);
@@ -328,6 +340,17 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[])
@@ -329,6 +341,17 @@ static int kbkdf_set_ctx_params(void *vc
if (p != NULL && !OSSL_PARAM_get_int(p, &ctx->use_l))
return 0;
@ -136,7 +114,7 @@ index 01f7f0d4fd2e..a81cc6e0c0d6 100644
p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR);
if (p != NULL && !OSSL_PARAM_get_int(p, &ctx->use_separator))
return 0;
@@ -354,6 +377,7 @@ static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx,
@@ -355,6 +378,7 @@ static const OSSL_PARAM *kbkdf_settable_
OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0),
OSSL_PARAM_int(OSSL_KDF_PARAM_KBKDF_USE_L, NULL),
OSSL_PARAM_int(OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR, NULL),
@ -144,10 +122,9 @@ index 01f7f0d4fd2e..a81cc6e0c0d6 100644
OSSL_PARAM_END,
};
return known_settable_ctx_params;
diff --git a/test/evp_kdf_test.c b/test/evp_kdf_test.c
index 7fde5ea4111c..173d8cb8b87b 100644
--- a/test/evp_kdf_test.c
+++ b/test/evp_kdf_test.c
diff -rupN --no-dereference openssl-3.0.3/test/evp_kdf_test.c openssl-3.0.3-new/test/evp_kdf_test.c
--- openssl-3.0.3/test/evp_kdf_test.c 2022-05-03 15:32:01.000000000 +0200
+++ openssl-3.0.3-new/test/evp_kdf_test.c 2022-06-02 14:30:33.842053393 +0200
@@ -1068,9 +1068,9 @@ static int test_kdf_kbkdf_6803_256(void)
#endif
@ -160,7 +137,7 @@ index 7fde5ea4111c..173d8cb8b87b 100644
OSSL_PARAM *p = params;
if (params == NULL)
@@ -1088,6 +1088,8 @@ static OSSL_PARAM *construct_kbkdf_params(char *digest, char *mac, unsigned char
@@ -1088,6 +1088,8 @@ static OSSL_PARAM *construct_kbkdf_param
OSSL_KDF_PARAM_SALT, salt, strlen(salt));
*p++ = OSSL_PARAM_construct_octet_string(
OSSL_KDF_PARAM_INFO, info, strlen(info));
@ -169,7 +146,7 @@ index 7fde5ea4111c..173d8cb8b87b 100644
*p = OSSL_PARAM_construct_end();
return params;
@@ -1100,8 +1102,9 @@ static int test_kdf_kbkdf_invalid_digest(void)
@@ -1100,8 +1102,9 @@ static int test_kdf_kbkdf_invalid_digest
OSSL_PARAM *params;
static unsigned char key[] = {0x01};
@ -180,7 +157,7 @@ index 7fde5ea4111c..173d8cb8b87b 100644
if (!TEST_ptr(params))
return 0;
@@ -1122,8 +1125,9 @@ static int test_kdf_kbkdf_invalid_mac(void)
@@ -1122,8 +1125,9 @@ static int test_kdf_kbkdf_invalid_mac(vo
OSSL_PARAM *params;
static unsigned char key[] = {0x01};
@ -191,7 +168,7 @@ index 7fde5ea4111c..173d8cb8b87b 100644
if (!TEST_ptr(params))
return 0;
@@ -1137,6 +1141,30 @@ static int test_kdf_kbkdf_invalid_mac(void)
@@ -1137,6 +1141,30 @@ static int test_kdf_kbkdf_invalid_mac(vo
return ret;
}
@ -222,7 +199,7 @@ index 7fde5ea4111c..173d8cb8b87b 100644
static int test_kdf_kbkdf_empty_key(void)
{
int ret;
@@ -1145,8 +1173,9 @@ static int test_kdf_kbkdf_empty_key(void)
@@ -1145,8 +1173,9 @@ static int test_kdf_kbkdf_empty_key(void
static unsigned char key[] = {0x01};
unsigned char result[32] = { 0 };
@ -233,7 +210,7 @@ index 7fde5ea4111c..173d8cb8b87b 100644
if (!TEST_ptr(params))
return 0;
@@ -1169,8 +1198,9 @@ static int test_kdf_kbkdf_1byte_key(void)
@@ -1169,8 +1198,9 @@ static int test_kdf_kbkdf_1byte_key(void
static unsigned char key[] = {0x01};
unsigned char result[32] = { 0 };
@ -244,7 +221,7 @@ index 7fde5ea4111c..173d8cb8b87b 100644
if (!TEST_ptr(params))
return 0;
@@ -1191,8 +1221,9 @@ static int test_kdf_kbkdf_zero_output_size(void)
@@ -1191,8 +1221,9 @@ static int test_kdf_kbkdf_zero_output_si
static unsigned char key[] = {0x01};
unsigned char result[32] = { 0 };
@ -255,7 +232,7 @@ index 7fde5ea4111c..173d8cb8b87b 100644
if (!TEST_ptr(params))
return 0;
@@ -1298,7 +1329,6 @@ static int test_kdf_kbkdf_8009_prf2(void)
@@ -1298,7 +1329,6 @@ static int test_kdf_kbkdf_8009_prf2(void
* Test vector taken from
* https://csrc.nist.gov/CSRC/media/Projects/
* Cryptographic-Algorithm-Validation-Program/documents/KBKDF800-108/CounterMode.zip
@ -271,11 +248,10 @@ index 7fde5ea4111c..173d8cb8b87b 100644
ADD_TEST(test_kdf_kbkdf_zero_output_size);
ADD_TEST(test_kdf_kbkdf_empty_key);
ADD_TEST(test_kdf_kbkdf_1byte_key);
diff --git a/test/evp_test.c b/test/evp_test.c
index 70996195f0cb..6ae862b04403 100644
--- a/test/evp_test.c
+++ b/test/evp_test.c
@@ -2639,6 +2639,12 @@ static int kdf_test_ctrl(EVP_TEST *t, EVP_KDF_CTX *kctx,
diff -rupN --no-dereference openssl-3.0.3/test/evp_test.c openssl-3.0.3-new/test/evp_test.c
--- openssl-3.0.3/test/evp_test.c 2022-05-03 15:32:01.000000000 +0200
+++ openssl-3.0.3-new/test/evp_test.c 2022-06-02 14:30:33.843053393 +0200
@@ -2742,6 +2742,12 @@ static int kdf_test_ctrl(EVP_TEST *t, EV
TEST_info("skipping, '%s' is disabled", p);
t->skip = 1;
}
@ -288,23 +264,9 @@ index 70996195f0cb..6ae862b04403 100644
OPENSSL_free(name);
return 1;
}
diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t
index 7ae546e1d70c..7b976c0a1b5e 100644
--- a/test/recipes/30-test_evp.t
+++ b/test/recipes/30-test_evp.t
@@ -45,6 +45,7 @@ my @files = qw(
evpciph_aes_stitched.txt
evpciph_des3_common.txt
evpkdf_hkdf.txt
+ evpkdf_kbkdf_counter.txt
evpkdf_pbkdf1.txt
evpkdf_pbkdf2.txt
evpkdf_ss.txt
diff --git a/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt b/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt
new file mode 100644
index 000000000000..04ab8ff0fad7
--- /dev/null
+++ b/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt
diff -rupN --no-dereference openssl-3.0.3/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt openssl-3.0.3-new/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt
--- openssl-3.0.3/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt 1970-01-01 01:00:00.000000000 +0100
+++ openssl-3.0.3-new/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt 2022-06-02 14:30:33.847053394 +0200
@@ -0,0 +1,1843 @@
+#
+# Copyright 2021-2021 The OpenSSL Project Authors. All Rights Reserved.
@ -2149,3 +2111,14 @@ index 000000000000..04ab8ff0fad7
+Ctrl.hexinfo = hexinfo:8e9db3335779db688bcfe096668d9c3bc64e193e3529c430e68d09d56c837dd6c0f94678f121a68ee1feea4735da85a49d34a5290aa39f7b40de435f
+Output = 6db880daac98b078ee389a2164252ded61322d661e2b49247ea921e544675d8f17af2bf66dd40d81
+
diff -rupN --no-dereference openssl-3.0.3/test/recipes/30-test_evp.t openssl-3.0.3-new/test/recipes/30-test_evp.t
--- openssl-3.0.3/test/recipes/30-test_evp.t 2022-06-02 14:30:33.449053385 +0200
+++ openssl-3.0.3-new/test/recipes/30-test_evp.t 2022-06-02 14:30:33.843053393 +0200
@@ -45,6 +45,7 @@ my @files = qw(
evpciph_aes_stitched.txt
evpciph_des3_common.txt
evpkdf_hkdf.txt
+ evpkdf_kbkdf_counter.txt
evpkdf_pbkdf1.txt
evpkdf_pbkdf2.txt
evpkdf_ss.txt

7
mingw-openssl.spec
View File

@ -14,8 +14,8 @@
%global run_tests 0
Name: mingw-openssl
Version: 3.0.2
Release: 2%{?dist}
Version: 3.0.3
Release: 1%{?dist}
Summary: MinGW port of the OpenSSL toolkit
License: OpenSSL
@ -376,6 +376,9 @@ mkdir -m700 %{buildroot}%{mingw64_sysconfdir}/pki/CA/private
%changelog
* Thu Jun 02 2022 Sandro Mani <manisandro@gmail.com> - 3.0.3-1
- Update to 3.0.3
* Fri Mar 25 2022 Sandro Mani <manisandro@gmail.com> - 3.0.2-2
- Rebuild with mingw-gcc-12

16
openssl_compute_moddir.patch
View File

@ -1,7 +1,7 @@
diff -rupN openssl-3.0.0/Configurations/10-main.conf openssl-3.0.0-new/Configurations/10-main.conf
--- openssl-3.0.0/Configurations/10-main.conf 2021-09-07 13:46:32.000000000 +0200
+++ openssl-3.0.0-new/Configurations/10-main.conf 2022-02-21 20:18:52.135333228 +0100
@@ -1469,7 +1469,7 @@ my %targets = (
diff -rupN --no-dereference openssl-3.0.3/Configurations/10-main.conf openssl-3.0.3-new/Configurations/10-main.conf
--- openssl-3.0.3/Configurations/10-main.conf 2022-06-02 14:30:31.872053349 +0200
+++ openssl-3.0.3-new/Configurations/10-main.conf 2022-06-02 14:30:34.045053398 +0200
@@ -1479,7 +1479,7 @@ my %targets = (
cppflags => combine("-DUNICODE -D_UNICODE -DWIN32_LEAN_AND_MEAN",
threads("-D_MT")),
lib_cppflags => "-DL_ENDIAN",
@ -10,9 +10,9 @@ diff -rupN openssl-3.0.0/Configurations/10-main.conf openssl-3.0.0-new/Configura
thread_scheme => "winthreads",
dso_scheme => "win32",
shared_target => "mingw-shared",
diff -rupN openssl-3.0.0/crypto/provider_core.c openssl-3.0.0-new/crypto/provider_core.c
--- openssl-3.0.0/crypto/provider_core.c 2021-09-07 13:46:32.000000000 +0200
+++ openssl-3.0.0-new/crypto/provider_core.c 2022-02-21 20:02:05.674653366 +0100
diff -rupN --no-dereference openssl-3.0.3/crypto/provider_core.c openssl-3.0.3-new/crypto/provider_core.c
--- openssl-3.0.3/crypto/provider_core.c 2022-05-03 15:32:01.000000000 +0200
+++ openssl-3.0.3-new/crypto/provider_core.c 2022-06-02 14:30:34.045053398 +0200
@@ -27,6 +27,10 @@
#ifndef FIPS_MODULE
# include <openssl/self_test.h>
@ -24,7 +24,7 @@ diff -rupN openssl-3.0.0/crypto/provider_core.c openssl-3.0.0-new/crypto/provide
/*
* This file defines and uses a number of different structures:
@@ -865,6 +869,27 @@ static int provider_init(OSSL_PROVIDER *
@@ -872,6 +876,27 @@ static int provider_init(OSSL_PROVIDER *
if (load_dir == NULL) {
load_dir = ossl_safe_getenv("OPENSSL_MODULES");

2
sources
View File

@ -1 +1 @@
SHA512 (openssl-3.0.2-hobbled.tar.gz) = e62f95ef9a81555f8c7bb4e68bfbd14bd81040f112dd88a1e515160623e6d3a0b68d0d8b9b12905f67b06834bd152edfbabca4b528a4887b15dd153d60ad36d5
SHA512 (openssl-3.0.3-hobbled.tar.gz) = 474a6309e0457ad33ec4b5f98606ba7ee6fa15dd0abb26a1da80fa37e3fc0ec535b858e03aceb4ce675dcce6a26796c802d8bf8ebb4adc350e6b3ea95810a61b