Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openssl-3 for openSUSE:Factory checked in at 2023-02-02 18:08:02 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openssl-3 (Old) and /work/SRC/openSUSE:Factory/.openssl-3.new.32243 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssl-3" Thu Feb 2 18:08:02 2023 rev:8 rq:1062224 version:3.0.7 Changes: --------
--- /work/SRC/openSUSE:Factory/openssl-3/openssl-3.changes 2022-12-16 17:50:55.459777450 +0100
+++ /work/SRC/openSUSE:Factory/.openssl-3.new.32243/openssl-3.changes 2023-02-02 18:29:28.979869009 +0100
@@ -1,0 +2,26 @@
+Thu Jan 26 08:17:50 UTC 2023 - Pedro Monreal <[email protected]>
+
+- Relax the crypto-policies requirements for the regression tests
+
+-------------------------------------------------------------------
+Wed Jan 25 11:09:52 UTC 2023 - Pedro Monreal <[email protected]>
+
+- Set OpenSSL 3.0.7 as the default openssl [bsc#1205042]
+ * Rename openssl-1.1.0-no-html.patch to openssl-no-html-docs.patch
+ * Rebase openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+ * Package a copy of the original default config file called
+ openssl.cnf and name it as openssl-orig.cnf and warn the user
+ if the files differ.
+ * Add openssl-3-devel as conflicting with libopenssl-1_1-devel
+ * Remove patches:
+ - fix-config-in-tests.patch
+ - openssl-use-versioned-config.patch
+
+-------------------------------------------------------------------
+Wed Jan 25 09:10:06 UTC 2023 - Pedro Monreal <[email protected]>
+
+- Create the openssl ca-certificates directory in case the
+ ca-certificates package is not installed. This directory is
+ required by the nodejs regression tests. [bsc#1207484]
+
+-------------------------------------------------------------------
@@ -5,0 +32,7 @@ + +------------------------------------------------------------------- +Wed Dec 14 12:40:04 UTC 2022 - Pedro Monreal <[email protected]> + +- Compute the hmac files for FIPS 140-3 integrity checking of the + openssl shared libraries using the brp-50-generate-fips-hmac + script. Also computed for the 32bit package. Old: ---- fix-config-in-tests.patch openssl-1.1.0-no-html.patch openssl-use-versioned-config.patch New: ---- openssl-no-html-docs.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssl-3.spec ++++++ --- /var/tmp/diff_new_pack.6Z58eF/_old 2023-02-02 18:29:29.643873076 +0100 +++ /var/tmp/diff_new_pack.6Z58eF/_new 2023-02-02 18:29:29.647873101 +0100 @@ -1,7 +1,7 @@ # # spec file for package openssl-3 # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,8 +19,9 @@ %define ssletcdir %{_sysconfdir}/ssl %define sover 3 %define _rname openssl +%define man_suffix 3ssl Name: openssl-3 -# Don't forget to update the version in the "openssl" package! +# Don't forget to update the version in the "openssl" meta-package! Version: 3.0.7 Release: 0 Summary: Secure Sockets and Transport Layer Security 
@@ -35,28 +36,32 @@ # http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA2D29B7BF295C759#/openssl.keyring Source4: %{_rname}.keyring Source5: showciphers.c -# PATCH-FIX-OPENSUSE: do not install html mans as it takes ages -Patch1: openssl-1.1.0-no-html.patch +# PATCH-FIX-OPENSUSE: Do not install html docs as it takes ages +Patch1: openssl-no-html-docs.patch Patch2: openssl-truststore.patch Patch3: openssl-pkgconfig.patch Patch4: openssl-DEFAULT_SUSE_cipher.patch Patch5: openssl-ppc64-config.patch Patch6: openssl-no-date.patch -# Patches for crypto-policies +# Add crypto-policies support Patch7: openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch Patch8: openssl-Override-default-paths-for-the-CA-directory-tree.patch -# use openssl3.cnf -Patch9: openssl-use-versioned-config.patch -Patch10: fix-config-in-tests.patch # PATCH-FIX-UPSTREAM bsc#1206374 CVE-2022-3996 X.509 Policy Constraints Double Locking -Patch11: openssl-3-Fix-double-locking-problem.patch +Patch9: openssl-3-Fix-double-locking-problem.patch BuildRequires: pkgconfig BuildRequires: pkgconfig(zlib) -# Add requires for ct_log_list.cnf{,.dist} +Requires: libopenssl3 = %{version}-%{release} Requires: openssl +Conflicts: ssl +Provides: ssl +Provides: openssl(cli) %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 Requires: crypto-policies %endif +# Needed for clean upgrade path, boo#1070003 +Obsoletes: openssl-1_0_0 +# Needed for clean upgrade from former openssl-1_1_0, boo#1081335 +Obsoletes: openssl-1_1_0 %description OpenSSL is a software library to be used in applications that need to 
@@ -70,6 +75,11 @@ Requires: crypto-policies %endif Recommends: ca-certificates-mozilla +# install libopenssl and libopenssl-hmac close together (bsc#1090765) +Suggests: libopenssl3-hmac = %{version}-%{release} +# Needed for clean upgrade from former openssl-1_1_0, boo#1081335 +Obsoletes: libopenssl1_1_0 +Conflicts: %{name} < %{version}-%{release} %description -n libopenssl3 OpenSSL is a software library to be used in applications that need to @@ -82,11 +92,13 @@ Requires: libopenssl3 = %{version} Requires: pkgconfig(zlib) Recommends: %{name} = %{version} -# We need to have around only the exact version we are able to operate with -Conflicts: libopenssl-devel < %{version} -Conflicts: libopenssl-devel > %{version} Conflicts: libressl-devel -Conflicts: ssl-devel +# Conflicting names with libopenssl-1_1-devel +Conflicts: libopenssl-1_1-devel +# Needed for clean upgrade from former openssl-1_1_0, boo#1081335 +Obsoletes: libopenssl-1_1_0-devel +# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499 +Obsoletes: libopenssl-1_0_0-devel %description -n libopenssl-3-devel This subpackage contains header files for developing applications @@ -103,6 +115,20 @@ This package contains optional documentation provided in addition to this package's base documentation. +%package -n libopenssl3-hmac +Summary: HMAC files for FIPS 140-3 integrity checking of the openssl shared libraries +License: BSD-3-Clause +Requires: libopenssl3 = %{version}-%{release} +BuildRequires: fipscheck +# Needed for clean upgrade from former openssl-1_1_0, boo#1081335 +Obsoletes: libopenssl1_1_0-hmac +# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499 +Obsoletes: libopenssl-1_0_0-hmac + +%description -n libopenssl3-hmac +The FIPS compliant operation of the openssl shared libraries is NOT +possible without the HMAC hashes contained in this package! + %prep %autosetup -p1 -n %{_rname}-%{version} 
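Review bot: `Suggests: libopenssl3-hmac = %{version}-%{release}` in the libopenssl3 section is the weakest dependency type, yet the new `%description -n libopenssl3-hmac` (third hunk on this line) states that FIPS-compliant operation is not possible without those files. A host meant to run in FIPS mode can therefore end up with the libraries installed and the integrity hashes absent. Whether something else, such as a FIPS pattern, pulls the subpackage in is not visible on this page. The comment above the tag should record that, e.g. `# Only a weak dependency: FIPS deployments must install libopenssl3-hmac explicitly (or via <FIPS pattern>)`. If nothing else guarantees it, `Recommends:` would be the safer tag.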
@@ -115,13 +141,12 @@ %endif ./config \ - no-idea \ - no-ec2m \ - enable-rfc3779 \ + no-mdc2 no-ec2m no-sm2 no-sm4 \ + enable-rfc3779 enable-camellia enable-seed \ %ifarch x86_64 aarch64 ppc64le enable-ec_nistp_64_gcc_128 \ %endif - enable-camellia \ + enable-fips \ zlib \ --prefix=%{_prefix} \ --libdir=%{_lib} \ 
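Review bot: The `./config` options drop `no-idea` and add `enable-seed`, `no-mdc2`, `no-sm2` and `no-sm4`, but none of the changelog entries on this page mentions a change to the built algorithm set, so IDEA and SEED are compiled in again without a recorded reason. Since `legacy.so` is packaged, they are presumably reachable only through the legacy provider. A comment above the options should state that policy, e.g. `# IDEA and SEED are built but only offered by the legacy provider; MDC2, SM2, SM4 and binary-field EC are disabled on purpose`. The `./config` invocation continues past the end of this hunk, so options outside it may also matter.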
@@ -142,110 +167,133 @@ # Show build configuration perl configdata.pm --dump +# Do not run this in a production package the FIPS symbols must be patched-in # util/mkdef.pl crypto update + %make_build depend %make_build all %check - -# We must revert patch8 before running tests, otherwise they will fail. +# Relax the crypto-policies requirements for the regression tests +# Revert patch8 before running tests patch -p1 -R < %{P:8} +export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) # export HARNESS_VERBOSE=yes -LD_LIBRARY_PATH="$PWD" make TESTS='-test_evp_fetch_prov -test_tsa -test_ssl_new -test_sslapi' test -j1 +LD_LIBRARY_PATH="$PWD" make test -j16 + # show ciphers gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{buildroot}%{_libdir} -lssl -lcrypto LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers %install -%make_install %{?_smp_mflags} +%make_install %{?_smp_mflags} MANSUFFIX=%{man_suffix} + +rename so.%{sover} so.%{version} %{buildroot}%{_libdir}/*.so.%{sover} +for lib in %{buildroot}%{_libdir}/*.so.%{version} ; do + chmod 755 ${lib} + ln -sf $(basename ${lib}) %{buildroot}%{_libdir}/$(basename ${lib} .%{version}) + ln -sf $(basename ${lib}) %{buildroot}%{_libdir}/$(basename ${lib} .%{version}).%{sover} +done -# Kill static libs +# Remove static libraries rm -f %{buildroot}%{_libdir}/lib*.a + # Remove the cnf.dist -rm -f %{buildroot}%{_sysconfdir}/ssl/openssl3.cnf.dist -mkdir %{buildroot}/%{_datadir}/ssl-3 -mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl-3/ +rm -f %{buildroot}%{ssletcdir}/openssl.cnf.dist +rm -f %{buildroot}%{ssletcdir}/ct_log_list.cnf.dist + +# Make a copy of the default openssl.cnf file +cp %{buildroot}%{ssletcdir}/openssl.cnf %{buildroot}%{ssletcdir}/openssl-orig.cnf + +# Create openssl ca-certificates dir required by nodejs regression tests [bsc#1207484] +mkdir -p %{buildroot}/var/lib/ca-certificates/openssl +install -d -m 
555 %{buildroot}/var/lib/ca-certificates/openssl + +# Remove the fipsmodule.cnf because FIPS module is loaded automatically +rm -f %{buildroot}%{ssletcdir}/fipsmodule.cnf + ln -sf ./%{_rname} %{buildroot}/%{_includedir}/ssl mkdir %{buildroot}/%{_datadir}/ssl -# Rename binary -mv %{buildroot}%{_bindir}/%{_rname} %{buildroot}%{_bindir}/%{name} +mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl/ + # Avoid file conflicts with man pages from other packages pushd %{buildroot}/%{_mandir} find . -type f -exec chmod 644 {} + -# Some man pages now contain spaces. This makes several -# scripts go havoc, among them /usr/sbin/Check. -# Replace spaces by underscores -# for i in man?/*\ *; do mv -v "$i" "${i// /_}"; done - -touch $OLDPWD/filelist.doc $OLDPWD/filelist -which readlink &>/dev/null || function readlink { ( set +x; target=$(file $1 2>/dev/null); target=${target//* }; test -f $target && echo $target; ) } -for i in man?/*; do - if test -L $i ; then - LDEST=`readlink $i` - rm -f $i ${i}ssl - ln -sf ${LDEST}ssl-3 ${i}ssl-3 - else - mv $i ${i}ssl-3 - fi - case "$i" in - *.1) - # These are the pages mentioned in openssl(1). They go into the main package. - echo %doc %{_mandir}/${i}ssl-3%{?ext_man} >> $OLDPWD/filelist;; - *) - # The rest goes into the openssl-doc package. - echo %doc %{_mandir}/${i}ssl-3%{?ext_man} >> $OLDPWD/filelist.doc;; - esac -done +mv man5/config.5%{man_suffix} man5/openssl.cnf.5 popd -mv %{buildroot}%{_bindir}/c_rehash %{buildroot}%{_bindir}/c_rehash-3 - -# They are provided by openssl package -rm %{buildroot}%{ssletcdir}/ct_log_list.cnf* - # Do not install demo scripts executable under /usr/share/doc find demos -type f -perm /111 -exec chmod 644 {} + # Place showciphers.c for %%doc macro cp %{SOURCE5} . 
+# Compute the FIPS hmac using the brp-50-generate-fips-hmac script +export BRP_FIPSHMAC_FILES="%{buildroot}%{_libdir}/libssl.so.%{sover} %{buildroot}%{_libdir}/libcrypto.so.%{sover}" + +%post -p "/bin/bash" +if [ "$1" -gt 1 ] ; then + # Check if the packaged default config file for openssl-3, called openssl.cnf, + # is the original or if it has been modified and alert the user in that case + # that a copy of the original file openssl-orig.cnf can be used if needed. + cmp --silent %{ssletcdir}/openssl.cnf %{ssletcdir}/openssl-orig.cnf 2>/dev/null + if [ "$?" -eq 1 ] ; then + echo -e " The openssl-3 default config file openssl.cnf is different from" ; + echo -e " the original one shipped by the package. A copy of the original" ; + echo -e " file is packaged and named as openssl-orig.cnf if needed." + fi +fi + %post -n libopenssl3 -p /sbin/ldconfig %postun -n libopenssl3 -p /sbin/ldconfig %files -n libopenssl3 %license LICENSE.txt +%attr(0755,root,root) %{_libdir}/libssl.so.%{version} %{_libdir}/libssl.so.%{sover} +%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version} %{_libdir}/libcrypto.so.%{sover} %{_libdir}/engines-%{sover} %dir %{_libdir}/ossl-modules -#%%{_libdir}/ossl-modules/fips.so +%{_libdir}/ossl-modules/fips.so %{_libdir}/ossl-modules/legacy.so +%files -n libopenssl3-hmac +%{_libdir}/.libssl.so.%{sover}.hmac +%{_libdir}/.libcrypto.so.%{sover}.hmac + %files -n libopenssl-3-devel +%doc NOTES*.md CONTRIBUTING.md HACKING.md AUTHORS.md ACKNOWLEDGEMENTS.md %{_includedir}/%{_rname}/ %{_includedir}/ssl -%{_libdir}/libssl.so -%{_libdir}/libcrypto.so -%{_libdir}/pkgconfig/libcrypto.pc -%{_libdir}/pkgconfig/libssl.pc -%{_libdir}/pkgconfig/openssl.pc - -%files doc -f filelist.doc -%doc doc/* demos +%{_libdir}/*.so +%{_libdir}/pkgconfig/*.pc +%{_mandir}/man3/* + +%files doc +%doc README.md +%doc doc/html/* doc/HOWTO/* demos %doc showciphers.c -%files -f filelist -%doc CHANGE* +%files +%license LICENSE.txt +%doc CHANGES.md NEWS.md FAQ.md README.md %dir %{ssletcdir} 
-%config (noreplace) %{ssletcdir}/openssl3.cnf +%config %{ssletcdir}/openssl-orig.cnf +%config (noreplace) %{ssletcdir}/openssl.cnf +%config (noreplace) %{ssletcdir}/ct_log_list.cnf %attr(700,root,root) %{ssletcdir}/private - -%dir %{_datadir}/ssl-3 -%{_datadir}/ssl-3/misc -%{_bindir}/c_rehash-3 -%{_bindir}/%{name} +%dir %{_datadir}/ssl +%{_datadir}/ssl/misc +%dir /var/lib/ca-certificates/ +%dir /var/lib/ca-certificates/openssl +%{_bindir}/%{_rname} +%{_bindir}/c_rehash +%{_mandir}/man1/* +%{_mandir}/man5/* +%{_mandir}/man7/* %changelog ++++++ baselibs.conf ++++++ --- /var/tmp/diff_new_pack.6Z58eF/_old 2023-02-02 18:29:29.699873419 +0100 +++ /var/tmp/diff_new_pack.6Z58eF/_new 2023-02-02 18:29:29.703873444 +0100 @@ -1,7 +1,11 @@ libopenssl3 + obsoletes "libopenssl1_1_0-<targettype>" +libopenssl3-hmac + requires "libopenssl3-<targettype> = <version>-%release" libopenssl-3-devel provides "libopenssl-devel-<targettype> = <version>" conflicts "otherproviders(libopenssl-devel-<targettype>)" + conflicts "libopenssl-1_1-devel-<targettype>" requires -"openssl-3-<targettype>" requires "libopenssl3-<targettype> = <version>" ++++++ openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch ++++++ --- /var/tmp/diff_new_pack.6Z58eF/_old 2023-02-02 18:29:29.727873591 +0100 +++ /var/tmp/diff_new_pack.6Z58eF/_new 2023-02-02 18:29:29.727873591 +0100 @@ -15,10 +15,10 @@ util/libcrypto.num | 1 + 8 files changed, 110 insertions(+), 14 deletions(-) -Index: openssl-3.0.5/Configurations/unix-Makefile.tmpl +Index: openssl-3.0.7/Configurations/unix-Makefile.tmpl =================================================================== ---- openssl-3.0.5.orig/Configurations/unix-Makefile.tmpl -+++ openssl-3.0.5/Configurations/unix-Makefile.tmpl +--- openssl-3.0.7.orig/Configurations/unix-Makefile.tmpl ++++ openssl-3.0.7/Configurations/unix-Makefile.tmpl @@ -315,6 +315,10 @@ MANDIR=$(INSTALLTOP)/share/man DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME) HTMLDIR=$(DOCDIR)/html 
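Review bot: In `%install`, `rm -f %{buildroot}%{ssletcdir}/fipsmodule.cnf` deletes the file while the same hunk starts shipping `%{_libdir}/ossl-modules/fips.so`. In upstream OpenSSL 3.0 that file carries the `module-mac` value used by the FIPS provider's load-time integrity check, so as far as I know an unpatched provider will not pass its self-test without it. The comment says the module "is loaded automatically", but none of Patch1 to Patch9 in this spec is described as changing provider loading. `BRP_FIPSHMAC_FILES` lists only `libssl.so.%{sover}` and `libcrypto.so.%{sover}`, so nothing visible here covers the integrity of `fips.so` itself. The comment should name the mechanism that replaces the upstream check, e.g. `# fipsmodule.cnf is generated per host by 'openssl fipsinstall'; fips.so integrity is verified by <mechanism>`. If that mechanism is the brp HMAC, `fips.so` should be added to `BRP_FIPSHMAC_FILES`.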
@@ -38,10 +38,10 @@ (map { "-I".$_} @{$config{CPPINCLUDES}}), @{$config{CPPFLAGS}}) -} CFLAGS={- join(' ', @{$config{CFLAGS}}) -} -Index: openssl-3.0.5/doc/man1/openssl-ciphers.pod.in +Index: openssl-3.0.7/doc/man1/openssl-ciphers.pod.in =================================================================== ---- openssl-3.0.5.orig/doc/man1/openssl-ciphers.pod.in -+++ openssl-3.0.5/doc/man1/openssl-ciphers.pod.in +--- openssl-3.0.7.orig/doc/man1/openssl-ciphers.pod.in ++++ openssl-3.0.7/doc/man1/openssl-ciphers.pod.in @@ -186,6 +186,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s The cipher suites not enabled by B<ALL>, currently B<eNULL>. @@ -58,10 +58,10 @@ =item B<HIGH> "High" encryption cipher suites. This currently means those with key lengths -Index: openssl-3.0.5/include/openssl/ssl.h.in +Index: openssl-3.0.7/include/openssl/ssl.h.in =================================================================== ---- openssl-3.0.5.orig/include/openssl/ssl.h.in -+++ openssl-3.0.5/include/openssl/ssl.h.in +--- openssl-3.0.7.orig/include/openssl/ssl.h.in ++++ openssl-3.0.7/include/openssl/ssl.h.in @@ -210,6 +210,11 @@ extern "C" { * throwing out anonymous and unencrypted ciphersuites! (The latter are not * actually enabled by ALL, but "ALL:RSA" would enable some of them.) @@ -74,11 +74,11 @@ /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ # define SSL_SENT_SHUTDOWN 1 -Index: openssl-3.0.5/ssl/ssl_ciph.c +Index: openssl-3.0.7/ssl/ssl_ciph.c =================================================================== ---- openssl-3.0.5.orig/ssl/ssl_ciph.c -+++ openssl-3.0.5/ssl/ssl_ciph.c -@@ -1436,6 +1436,53 @@ int SSL_set_ciphersuites(SSL *s, const c +--- openssl-3.0.7.orig/ssl/ssl_ciph.c ++++ openssl-3.0.7/ssl/ssl_ciph.c +@@ -1438,6 +1438,53 @@ int SSL_set_ciphersuites(SSL *s, const c return ret; } 
@@ -132,7 +132,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, STACK_OF(SSL_CIPHER) *tls13_ciphersuites, STACK_OF(SSL_CIPHER) **cipher_list, -@@ -1450,15 +1497,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1452,15 +1499,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; const SSL_CIPHER **ca_list = NULL; const SSL_METHOD *ssl_method = ctx->method; @@ -160,7 +160,7 @@ /* * To reduce the work to do we only want to process the compiled -@@ -1480,7 +1537,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1482,7 +1539,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers); if (co_list == NULL) { ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); @@ -169,7 +169,7 @@ } ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, -@@ -1546,8 +1603,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1548,8 +1605,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ * in force within each class */ if (!ssl_cipher_strength_sort(&head, &tail)) { @@ -179,7 +179,7 @@ } /* -@@ -1591,9 +1647,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1593,9 +1649,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max); if (ca_list == NULL) { @@ -190,7 +190,7 @@ } ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, disabled_mkey, disabled_auth, disabled_enc, -@@ -1626,8 +1681,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1628,8 +1683,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ OPENSSL_free(ca_list); /* Not needed anymore */ if (!ok) { /* Rule processing failure */ @@ -200,7 +200,7 @@ } /* -@@ -1635,10 +1689,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1637,10 +1691,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ * if we cannot get one. */ if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) { 
@@ -216,7 +216,7 @@ /* Add TLSv1.3 ciphers first - we always prefer those if possible */ for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) { const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i); -@@ -1690,6 +1747,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1692,6 +1749,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ *cipher_list = cipherstack; return cipherstack; @@ -231,10 +231,10 @@ } char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) -Index: openssl-3.0.5/ssl/ssl_lib.c +Index: openssl-3.0.7/ssl/ssl_lib.c =================================================================== ---- openssl-3.0.5.orig/ssl/ssl_lib.c -+++ openssl-3.0.5/ssl/ssl_lib.c +--- openssl-3.0.7.orig/ssl/ssl_lib.c ++++ openssl-3.0.7/ssl/ssl_lib.c @@ -660,7 +660,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx ctx->tls13_ciphersuites, &(ctx->cipher_list), @@ -244,7 +244,7 @@ if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); return 0; -@@ -3271,7 +3271,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li +@@ -3285,7 +3285,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li if (!ssl_create_cipher_list(ret, ret->tls13_ciphersuites, &ret->cipher_list, &ret->cipher_list_by_id, @@ -253,10 +253,10 @@ || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS); goto err2; -Index: openssl-3.0.5/test/cipherlist_test.c +Index: openssl-3.0.7/test/cipherlist_test.c =================================================================== ---- openssl-3.0.5.orig/test/cipherlist_test.c -+++ openssl-3.0.5/test/cipherlist_test.c +--- openssl-3.0.7.orig/test/cipherlist_test.c ++++ openssl-3.0.7/test/cipherlist_test.c @@ -246,7 +246,9 @@ end: int setup_tests(void) 
@@ -267,20 +267,20 @@ ADD_TEST(test_default_cipherlist_explicit); ADD_TEST(test_default_cipherlist_clear); return 1; -Index: openssl-3.0.5/util/libcrypto.num +Index: openssl-3.0.7/util/libcrypto.num =================================================================== ---- openssl-3.0.5.orig/util/libcrypto.num -+++ openssl-3.0.5/util/libcrypto.num +--- openssl-3.0.7.orig/util/libcrypto.num ++++ openssl-3.0.7/util/libcrypto.num @@ -5427,3 +5427,4 @@ EVP_PKEY_get0_provider EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION: OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION: OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION: +ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION: -Index: openssl-3.0.5/Configure +Index: openssl-3.0.7/Configure =================================================================== ---- openssl-3.0.5.orig/Configure -+++ openssl-3.0.5/Configure -@@ -28,7 +28,7 @@ use OpenSSL::config; +--- openssl-3.0.7.orig/Configure ++++ openssl-3.0.7/Configure +@@ -27,7 +27,7 @@ use OpenSSL::config; my $orig_death_handler = $SIG{__DIE__}; $SIG{__DIE__} = \&death_handler; @@ -289,7 +289,7 @@ my $banner = <<"EOF"; -@@ -62,6 +62,10 @@ EOF +@@ -61,6 +61,10 @@ EOF # given with --prefix. # This becomes the value of OPENSSLDIR in Makefile and in C. # (Default: PREFIX/ssl) @@ -300,7 +300,7 @@ # --banner=".." Output specified text instead of default completion banner # # -w Don't wait after showing a Configure warning -@@ -388,6 +392,7 @@ $config{prefix}=""; +@@ -387,6 +391,7 @@ $config{prefix}=""; $config{openssldir}=""; $config{processor}=""; $config{libdir}=""; 
@@ -308,14 +308,14 @@ my $auto_threads=1; # enable threads automatically? true by default my $default_ranlib; -@@ -990,6 +995,10 @@ while (@argvcopy) +@@ -989,6 +994,10 @@ while (@argvcopy) die "FIPS key too long (64 bytes max)\n" if length $1 > 64; } -+ elsif (/^--system-ciphers-file=(.*)$/) -+ { -+ $config{system_ciphers_file}=$1; -+ } ++ elsif (/^--system-ciphers-file=(.*)$/) ++ { ++ $config{system_ciphers_file}=$1; ++ } elsif (/^--banner=(.*)$/) { $banner = $1 . "\n"; ++++++ openssl-no-html-docs.patch ++++++ Index: openssl-3.0.0-alpha1/Configurations/unix-Makefile.tmpl =================================================================== --- openssl-3.0.0-alpha1.orig/Configurations/unix-Makefile.tmpl 2020-04-23 22:56:27.365853133 +0200 +++ openssl-3.0.0-alpha1/Configurations/unix-Makefile.tmpl 2020-04-23 22:56:52.474004636 +0200 @@ -544,7 +544,7 @@ install_sw: install_dev install_engines uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev -install_docs: install_man_docs install_html_docs +install_docs: install_man_docs uninstall_docs: uninstall_man_docs uninstall_html_docs $(RM) -r $(DESTDIR)$(DOCDIR)
