From: Michael Tremer Date: Mon, 22 Jun 2020 10:06:44 +0000 (+0100) Subject: openssl: Update to 1.1.1g X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7fdc5d5ce5467b24bee15a10bd443bc0f7bf71cc;p=ipfire-3.x.git openssl: Update to 1.1.1g Signed-off-by: Michael Tremer --- diff --git a/openssl/openssl.nm b/openssl/openssl.nm index 6b0cd8d6e..3e8ed1b1f 100644 --- a/openssl/openssl.nm +++ b/openssl/openssl.nm @@ -4,7 +4,7 @@ ############################################################################### name = openssl -version = 1.1.0g +version = 1.1.1g release = 1 maintainer = Michael Tremer @@ -89,9 +89,6 @@ build end test - # Revert ca-dir patch. Otherwise the tests will fail. - patch -Np1 -R < %{DIR_PATCHES}/openssl-1.1.0-ca-dir.patch - make test end @@ -118,9 +115,6 @@ build # Remove dist config rm -vf %{BUILDROOT}%{sysconfdir}/pki/tls/openssl.cnf.dist - - # Move executable stuff to %{bindir} - mv -v %{BUILDROOT}%{sysconfdir}/pki/tls/misc/{CA.pl,tsget} %{BUILDROOT}%{bindir} end end diff --git a/openssl/patches/openssl-1.1.0-build.patch b/openssl/patches/openssl-1.1.0-build.patch deleted file mode 100644 index bedd95796..000000000 --- a/openssl/patches/openssl-1.1.0-build.patch +++ /dev/null 
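Review bot: The test stage now runs `make test` against an unpatched tree, which brings back the read-only-directory case of 40-test_rehash.t that openssl-1.1.0g-tests.patch (deleted further down in this commit) had cut out; that case calls `ok(!open(FOO, ">unwritable.txt"), ...)`, which records a failure rather than a skip when the build runs as root. If the pakfire build environment runs as root, expect this stage to fail, so either carry an equivalent patch for 1.1.1g or make sure the tests run unprivileged. This assumes 1.1.1g's recipe still contains that case, which should be verified against the new tarball. The enclosing `build` block starts and ends outside the hunk.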
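Review bot: With the `mv` of CA.pl and tsget gone, nothing left in this hunk relocates or removes them, so if 1.1.1g still installs its misc scripts under `%{sysconfdir}/pki/tls/misc` the package will ship executable scripts inside /etc. Check the installed file list and, if they are still there, either restore `mv -v %{BUILDROOT}%{sysconfdir}/pki/tls/misc/{CA.pl,tsget} %{BUILDROOT}%{bindir}` or drop them with `rm -rvf %{BUILDROOT}%{sysconfdir}/pki/tls/misc` next to the openssl.cnf.dist removal. Note also that with openssl-1.1.0-ca-dir.patch, openssl-1.1.0-defaults.patch and openssl-1.1.0-disable-ssl3.patch deleted, the shipped openssl.cnf goes back to upstream's `dir = ./demoCA` and `default_md = default` and the runtime `SSL_OP_NO_SSLv3` default is gone; whether 1.1.1g's own defaults (SSLv3 compile-time disabled unless explicitly enabled, as far as I recall) are acceptable depends on the configure line, which is outside this diff. The enclosing `build` block continues outside the hunk.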
@@ -1,73 +0,0 @@ -diff -up openssl-1.1.0f/Configurations/unix-Makefile.tmpl.build openssl-1.1.0f/Configurations/unix-Makefile.tmpl ---- openssl-1.1.0f/Configurations/unix-Makefile.tmpl.build 2017-06-02 13:51:39.621289504 +0200 -+++ openssl-1.1.0f/Configurations/unix-Makefile.tmpl 2017-06-02 13:54:45.298654812 +0200 -@@ -553,7 +553,7 @@ uninstall_runtime: - install_man_docs: - @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) - @echo "*** Installing manpages" -- $(PERL) $(SRCDIR)/util/process_docs.pl \ -+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \ - --destdir=$(DESTDIR)$(MANDIR) --type=man --suffix=$(MANSUFFIX) - - uninstall_man_docs: -@@ -565,7 +565,7 @@ uninstall_man_docs: - install_html_docs: - @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) - @echo "*** Installing HTML manpages" -- $(PERL) $(SRCDIR)/util/process_docs.pl \ -+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \ - --destdir=$(DESTDIR)$(HTMLDIR) --type=html - - uninstall_html_docs: -diff -up openssl-1.1.0f/Configurations/10-main.conf.build openssl-1.1.0f/Configurations/10-main.conf ---- openssl-1.1.0f/Configurations/10-main.conf.build 2017-05-25 14:46:17.000000000 +0200 -+++ openssl-1.1.0f/Configurations/10-main.conf 2017-06-02 13:51:39.622289528 +0200 -@@ -662,6 +662,7 @@ sub vms_info { - cflags => add("-m64 -DL_ENDIAN"), - perlasm_scheme => "linux64le", - shared_ldflag => add("-m64"), -+ multilib => "64", - }, - - "linux-armv4" => { -@@ -702,6 +703,7 @@ sub vms_info { - "linux-aarch64" => { - inherit_from => [ "linux-generic64", asm("aarch64_asm") ], - perlasm_scheme => "linux64", -+ multilib => "64", - }, - "linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32 - inherit_from => [ "linux-generic32", asm("aarch64_asm") ], -diff -up openssl-1.1.0g/test/evptests.txt.build openssl-1.1.0g/test/evptests.txt ---- openssl-1.1.0g/test/evptests.txt.build 2017-11-02 15:29:05.000000000 +0100 -+++ openssl-1.1.0g/test/evptests.txt 2017-11-03 
16:37:01.253671494 +0100 -@@ -3707,14 +3707,6 @@ MCowBQYDK2VuAyEA3p7bfXt9wbTTW2HC7OQ1Nz+D - - PrivPubKeyPair = Bob-25519:Bob-25519-PUBLIC - --Derive=Alice-25519 --PeerKey=Bob-25519-PUBLIC --SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742 -- --Derive=Bob-25519 --PeerKey=Alice-25519-PUBLIC --SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742 -- - # Illegal sign/verify operations with X25519 key - - Sign=Alice-25519 -@@ -3727,6 +3719,14 @@ Result = KEYOP_INIT_ERROR - Function = EVP_PKEY_verify_init - Reason = operation not supported for this keytype - -+Derive=Alice-25519 -+PeerKey=Bob-25519-PUBLIC -+SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742 -+ -+Derive=Bob-25519 -+PeerKey=Alice-25519-PUBLIC -+SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742 -+ - ## ECDH Tests: test with randomly generated keys for all the listed curves - - diff --git a/openssl/patches/openssl-1.1.0-ca-dir.patch b/openssl/patches/openssl-1.1.0-ca-dir.patch deleted file mode 100644 index 421559de5..000000000 --- a/openssl/patches/openssl-1.1.0-ca-dir.patch +++ /dev/null 
@@ -1,24 +0,0 @@ -diff -up openssl-1.1.0-pre5/apps/CA.pl.in.ca-dir openssl-1.1.0-pre5/apps/CA.pl.in ---- openssl-1.1.0-pre5/apps/CA.pl.in.ca-dir 2016-07-18 15:19:40.118110405 +0200 -+++ openssl-1.1.0-pre5/apps/CA.pl.in 2016-07-18 15:21:06.531061337 +0200 -@@ -26,7 +26,7 @@ my $X509 = "$openssl x509"; - my $PKCS12 = "$openssl pkcs12"; - - # default openssl.cnf file has setup as per the following --my $CATOP = "./demoCA"; -+my $CATOP = "/etc/pki/CA"; - my $CAKEY = "cakey.pem"; - my $CAREQ = "careq.pem"; - my $CACERT = "cacert.pem"; -diff -up openssl-1.1.0-pre5/apps/openssl.cnf.ca-dir openssl-1.1.0-pre5/apps/openssl.cnf ---- openssl-1.1.0-pre5/apps/openssl.cnf.ca-dir 2016-07-18 15:19:40.114110315 +0200 -+++ openssl-1.1.0-pre5/apps/openssl.cnf 2016-07-18 15:19:48.492299467 +0200 -@@ -39,7 +39,7 @@ default_ca = CA_default # The default c - #################################################################### - [ CA_default ] - --dir = ./demoCA # Where everything is kept -+dir = /etc/pki/CA # Where everything is kept - certs = $dir/certs # Where the issued certs are kept - crl_dir = $dir/crl # Where the issued crl are kept - database = $dir/index.txt # database index file. diff --git a/openssl/patches/openssl-1.1.0-defaults.patch b/openssl/patches/openssl-1.1.0-defaults.patch deleted file mode 100644 index 2a88cef92..000000000 --- a/openssl/patches/openssl-1.1.0-defaults.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -diff -up openssl-1.1.0-pre5/apps/openssl.cnf.defaults openssl-1.1.0-pre5/apps/openssl.cnf ---- openssl-1.1.0-pre5/apps/openssl.cnf.defaults 2016-04-19 16:57:52.000000000 +0200 -+++ openssl-1.1.0-pre5/apps/openssl.cnf 2016-07-18 14:22:08.252691017 +0200 -@@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate fi - - default_days = 365 # how long to certify for - default_crl_days= 30 # how long before next CRL --default_md = default # use public key default MD -+default_md = sha256 # use SHA-256 by default - preserve = no # keep passed DN ordering - - # A few difference way of specifying how similar the request should look -@@ -104,6 +104,7 @@ emailAddress = optional - #################################################################### - [ req ] - default_bits = 2048 -+default_md = sha256 - default_keyfile = privkey.pem - distinguished_name = req_distinguished_name - attributes = req_attributes -@@ -126,17 +127,18 @@ string_mask = utf8only - - [ req_distinguished_name ] - countryName = Country Name (2 letter code) --countryName_default = AU -+countryName_default = XX - countryName_min = 2 - countryName_max = 2 - - stateOrProvinceName = State or Province Name (full name) --stateOrProvinceName_default = Some-State -+#stateOrProvinceName_default = Default Province - - localityName = Locality Name (eg, city) -+localityName_default = Default City - - 0.organizationName = Organization Name (eg, company) --0.organizationName_default = Internet Widgits Pty Ltd -+0.organizationName_default = Default Company Ltd - - # we can do this but it is not needed normally :-) - #1.organizationName = Second Organization Name (eg, company) -@@ -145,7 +147,7 @@ localityName = Locality Name (eg, city - organizationalUnitName = Organizational Unit Name (eg, section) - #organizationalUnitName_default = - --commonName = Common Name (e.g. 
server FQDN or YOUR name) -+commonName = Common Name (eg, your name or your server\'s hostname) - commonName_max = 64 - - emailAddress = Email Address diff --git a/openssl/patches/openssl-1.1.0-disable-ssl3.patch b/openssl/patches/openssl-1.1.0-disable-ssl3.patch deleted file mode 100644 index 267c02c62..000000000 --- a/openssl/patches/openssl-1.1.0-disable-ssl3.patch +++ /dev/null 
@@ -1,86 +0,0 @@ -diff -up openssl-1.1.0f/apps/s_client.c.disable-ssl3 openssl-1.1.0f/apps/s_client.c ---- openssl-1.1.0f/apps/s_client.c.disable-ssl3 2017-06-05 15:42:44.838853312 +0200 -+++ openssl-1.1.0f/apps/s_client.c 2017-07-17 14:50:06.468821871 +0200 -@@ -1486,6 +1486,9 @@ int s_client_main(int argc, char **argv) - if (sdebug) - ssl_ctx_security_debug(ctx, sdebug); - -+ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION) -+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3); -+ - if (ssl_config) { - if (SSL_CTX_config(ctx, ssl_config) == 0) { - BIO_printf(bio_err, "Error using configuration \"%s\"\n", -diff -up openssl-1.1.0f/apps/s_server.c.disable-ssl3 openssl-1.1.0f/apps/s_server.c ---- openssl-1.1.0f/apps/s_server.c.disable-ssl3 2017-05-25 14:46:18.000000000 +0200 -+++ openssl-1.1.0f/apps/s_server.c 2017-07-17 14:49:50.434447583 +0200 -@@ -1614,6 +1614,10 @@ int s_server_main(int argc, char *argv[] - } - if (sdebug) - ssl_ctx_security_debug(ctx, sdebug); -+ -+ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION) -+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3); -+ - if (ssl_config) { - if (SSL_CTX_config(ctx, ssl_config) == 0) { - BIO_printf(bio_err, "Error using configuration \"%s\"\n", -diff -up openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.0/ssl/ssl_lib.c ---- openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3 2016-08-25 17:29:22.000000000 +0200 -+++ openssl-1.1.0/ssl/ssl_lib.c 2016-09-08 11:08:05.252082263 +0200 -@@ -2470,6 +2470,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m - * or by using the SSL_CONF library. - */ - ret->options |= SSL_OP_NO_COMPRESSION; -+ /* -+ * Disable SSLv3 by default. Applications can -+ * re-enable it by configuring -+ * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3); -+ * or by using the SSL_CONF library. 
-+ */ -+ ret->options |= SSL_OP_NO_SSLv3; - - ret->tlsext_status_type = -1; - -diff -up openssl-1.1.0/test/ssl_test.c.disable-ssl3 openssl-1.1.0/test/ssl_test.c ---- openssl-1.1.0/test/ssl_test.c.disable-ssl3 2016-09-08 11:08:05.252082263 +0200 -+++ openssl-1.1.0/test/ssl_test.c 2016-09-08 11:11:44.802005886 +0200 -@@ -258,6 +258,7 @@ static int execute_test(SSL_TEST_FIXTURE - SSL_TEST_SERVERNAME_CB_NONE) { - server2_ctx = SSL_CTX_new(TLS_server_method()); - TEST_check(server2_ctx != NULL); -+ SSL_CTX_clear_options(server2_ctx, SSL_OP_NO_SSLv3); - } - client_ctx = SSL_CTX_new(TLS_client_method()); - -@@ -266,11 +267,15 @@ static int execute_test(SSL_TEST_FIXTURE - resume_client_ctx = SSL_CTX_new(TLS_client_method()); - TEST_check(resume_server_ctx != NULL); - TEST_check(resume_client_ctx != NULL); -+ SSL_CTX_clear_options(resume_server_ctx, SSL_OP_NO_SSLv3); -+ SSL_CTX_clear_options(resume_client_ctx, SSL_OP_NO_SSLv3); - } - } - - TEST_check(server_ctx != NULL); - TEST_check(client_ctx != NULL); -+ SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3); -+ SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3); - - TEST_check(CONF_modules_load(conf, fixture.test_app, 0) > 0); - -diff -up openssl-1.1.0/test/ssltest_old.c.disable-ssl3 openssl-1.1.0/test/ssltest_old.c ---- openssl-1.1.0/test/ssltest_old.c.disable-ssl3 2016-08-25 17:29:23.000000000 +0200 -+++ openssl-1.1.0/test/ssltest_old.c 2016-09-08 11:08:05.253082286 +0200 -@@ -1456,6 +1456,11 @@ int main(int argc, char *argv[]) - ERR_print_errors(bio_err); - goto end; - } -+ -+ SSL_CTX_clear_options(c_ctx, SSL_OP_NO_SSLv3); -+ SSL_CTX_clear_options(s_ctx, SSL_OP_NO_SSLv3); -+ SSL_CTX_clear_options(s_ctx2, SSL_OP_NO_SSLv3); -+ - /* - * Since we will use low security ciphersuites and keys for testing set - * security level to zero by default. Tests can override this by adding 
diff --git a/openssl/patches/openssl-1.1.0-no-html.patch b/openssl/patches/openssl-1.1.0-no-html.patch deleted file mode 100644 index f6a941ea0..000000000 --- a/openssl/patches/openssl-1.1.0-no-html.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.nohtml openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl ---- openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.no-html 2016-04-19 16:57:52.000000000 +0200 -+++ openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl 2016-07-18 13:58:55.060106243 +0200 -@@ -288,7 +288,7 @@ install_sw: all install_dev install_engi - - uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev - --install_docs: install_man_docs install_html_docs -+install_docs: install_man_docs - - uninstall_docs: uninstall_man_docs uninstall_html_docs - $(RM) -r -v $(DESTDIR)$(DOCDIR) diff --git a/openssl/patches/openssl-1.1.0g-tests.patch b/openssl/patches/openssl-1.1.0g-tests.patch deleted file mode 100644 index c16c53311..000000000 --- a/openssl/patches/openssl-1.1.0g-tests.patch +++ /dev/null 
@@ -1,33 +0,0 @@ ---- openssl-1.1.0g/test/recipes/40-test_rehash.t~ 2018-01-28 19:08:01.151912658 +0000 -+++ openssl-1.1.0g/test/recipes/40-test_rehash.t 2018-01-28 19:09:19.408454430 +0000 -@@ -23,7 +23,7 @@ - plan skip_all => "test_rehash is not available on this platform" - unless run(app(["openssl", "rehash", "-help"])); - --plan tests => 5; -+plan tests => 3; - - indir "rehash.$$" => sub { - prepare(); -@@ -42,21 +42,6 @@ - 'Testing rehash operations on empty directory'); - }, create => 1, cleanup => 1; - --indir "rehash.$$" => sub { -- prepare(); -- chmod 0500, curdir(); -- SKIP: { -- if (!ok(!open(FOO, ">unwritable.txt"), -- "Testing that we aren't running as a privileged user, such as root")) { -- close FOO; -- skip "It's pointless to run the next test as root", 1; -- } -- isnt(run(app(["openssl", "rehash", curdir()])), 1, -- 'Testing rehash operations on readonly directory'); -- } -- chmod 0700, curdir(); # make it writable again, so cleanup works --}, create => 1, cleanup => 1; -- - sub prepare { - my @pemsourcefiles = sort glob(srctop_file('test', "*.pem")); - my @destfiles = ();