Rebasing to OpenSSL 3.0.3

Resolves: rhbz#2091987
2022-06-01 13:08:26 +02:00 · 2022-06-01 13:08:26 +02:00 · cf621228d5
parent c22fd8c87d
commit cf621228d5
8 changed files with 64 additions and 2389 deletions
--- a/.gitignore
+++ b/.gitignore
@ -54,3 +54,4 @@ openssl-1.0.0a-usa.tar.bz2
 /openssl-1.1.1k-hobbled.tar.xz
 /openssl-3.0.0-hobbled.tar.xz
 /openssl-3.0.2-hobbled.tar.gz
+/openssl-3.0.3-hobbled.tar.gz
--- a/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+++ b/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
@ -272,9 +272,9 @@ index 404a706fab..e81fa9ec3e 100644
 --- a/util/libcrypto.num
 +++ b/util/libcrypto.num
@@ -5282,3 +5282,4 @@ OSSL_DECODER_CTX_set_input_structure    ?	3_0_0	EXIST::FUNCTION:
- ASN1_TIME_print_ex                      5553	3_0_0	EXIST::FUNCTION:
- EVP_PKEY_get0_provider                  5554	3_0_0	EXIST::FUNCTION:
 EVP_PKEY_CTX_get0_provider              5555	3_0_0	EXIST::FUNCTION:
+ OPENSSL_strcasecmp                      5556	3_0_3	EXIST::FUNCTION:
+ OPENSSL_strncasecmp                     5557	3_0_3	EXIST::FUNCTION:
 +ossl_safe_getenv                        ?	3_0_0	EXIST::FUNCTION:
 -- 
 2.26.2
--- a/0049-Allow-disabling-of-SHA1-signatures.patch
+++ b/0049-Allow-disabling-of-SHA1-signatures.patch
@ -493,8 +493,8 @@ index 10b4e57d79..2d3c363bb0 100644
 --- a/util/libcrypto.num
 +++ b/util/libcrypto.num
@@ -5426,3 +5426,5 @@ ASN1_item_d2i_ex                        5552	3_0_0	EXIST::FUNCTION:
- EVP_PKEY_get0_provider                  5554	3_0_0	EXIST::FUNCTION:
- EVP_PKEY_CTX_get0_provider              5555	3_0_0	EXIST::FUNCTION:
+ OPENSSL_strcasecmp                      5556	3_0_3	EXIST::FUNCTION:
+ OPENSSL_strncasecmp                     5557	3_0_3	EXIST::FUNCTION:
 ossl_safe_getenv                        ?	3_0_0	EXIST::FUNCTION:
 +ossl_ctx_legacy_digest_signatures_allowed ?	3_0_1	EXIST::FUNCTION:
 +ossl_ctx_legacy_digest_signatures_allowed_set ?	3_0_1	EXIST::FUNCTION:
--- a/0056-strcasecmp.patch
+++ b/0056-strcasecmp.patch
--- a/0057-strcasecmp-fix.patch
+++ b/0057-strcasecmp-fix.patch
@ -1,104 +0,0 @@
-From 68f23e3725d9639f5b27d868fee291cabb516677 Mon Sep 17 00:00:00 2001
-From: Dmitry Belyavskiy <beldmit@gmail.com>
-Date: Fri, 22 Apr 2022 18:16:56 +0200
-Subject: [PATCH 1/2] Ensure we initialized the locale before
- evp_pkey_name2type
-
-Fixes #18158
---
- crypto/evp/pmeth_lib.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
-index 2b9c6c2351da..92d25de44532 100644
--- a/crypto/evp/pmeth_lib.c
-+++ b/crypto/evp/pmeth_lib.c
-@@ -27,6 +27,7 @@
- #ifndef FIPS_MODULE
- # include "crypto/asn1.h"
- #endif
-+#include "crypto/ctype.h"
- #include "crypto/evp.h"
- #include "crypto/dh.h"
- #include "crypto/ec.h"
-@@ -199,6 +200,7 @@ static EVP_PKEY_CTX *int_ctx_new(OSSL_LIB_CTX *libctx,
-             }
- #ifndef FIPS_MODULE
-             if (keytype != NULL) {
-+                ossl_init_casecmp();
-                 id = evp_pkey_name2type(keytype);
-                 if (id == NID_undef)
-                     id = -1;
-
-From 51c7b2d9c30b72aeb7e8eb69799dc039d5b23e58 Mon Sep 17 00:00:00 2001
-From: Dmitry Belyavskiy <beldmit@gmail.com>
-Date: Fri, 22 Apr 2022 19:26:08 +0200
-Subject: [PATCH 2/2] Testing the EVP_PKEY_CTX_new_from_name without
- preliminary init
-
---
- test/build.info                   |  6 +++++-
- test/evp_pkey_ctx_new_from_name.c | 14 ++++++++++++++
- test/recipes/02-test_localetest.t |  4 +++-
- 3 files changed, 22 insertions(+), 2 deletions(-)
- create mode 100644 test/evp_pkey_ctx_new_from_name.c
-
-diff --git a/test/build.info b/test/build.info
-index 14a84f00a258..ee059973d31a 100644
--- a/test/build.info
-+++ b/test/build.info
-@@ -37,7 +37,7 @@ IF[{- !$disabled{tests} -}]
-           sanitytest rsa_complex exdatatest bntest \
-           ecstresstest gmdifftest pbelutest \
-           destest mdc2test sha_test \
-          exptest pbetest localetest \
-+          exptest pbetest localetest evp_pkey_ctx_new_from_name\
-           evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \
-           evp_fetch_prov_test evp_libctx_test ossl_store_test \
-           v3nametest v3ext \
-@@ -139,6 +139,10 @@ IF[{- !$disabled{tests} -}]
-   INCLUDE[localetest]=../include ../apps/include
-   DEPEND[localetest]=../libcrypto libtestutil.a
- 
-+  SOURCE[evp_pkey_ctx_new_from_name]=evp_pkey_ctx_new_from_name.c
-+  INCLUDE[evp_pkey_ctx_new_from_name]=../include ../apps/include
-+  DEPEND[evp_pkey_ctx_new_from_name]=../libcrypto
-+
-   SOURCE[pbetest]=pbetest.c
-   INCLUDE[pbetest]=../include ../apps/include
-   DEPEND[pbetest]=../libcrypto libtestutil.a
-diff --git a/test/evp_pkey_ctx_new_from_name.c b/test/evp_pkey_ctx_new_from_name.c
-new file mode 100644
-index 000000000000..24063ea05ea5
--- /dev/null
-+++ b/test/evp_pkey_ctx_new_from_name.c
-@@ -0,0 +1,14 @@
-+#include <stdio.h>
-+#include <openssl/ec.h>
-+#include <openssl/evp.h>
-+#include <openssl/err.h>
-+
-+int main(int argc, char *argv[])
-+{
-+    EVP_PKEY_CTX *pctx = NULL;
-+
-+    pctx = EVP_PKEY_CTX_new_from_name(NULL, "NO_SUCH_ALGORITHM", NULL);
-+    EVP_PKEY_CTX_free(pctx);
-+
-+    return 0;
-+}
-diff --git a/test/recipes/02-test_localetest.t b/test/recipes/02-test_localetest.t
-index 1bccd57d4c63..77fba7d819ab 100644
--- a/test/recipes/02-test_localetest.t
-+++ b/test/recipes/02-test_localetest.t
-@@ -15,7 +15,9 @@ setup("locale tests");
- plan skip_all => "Locale tests not available on Windows or VMS"
-     if $^O =~ /^(VMS|MSWin32)$/;
- 
-plan tests => 2;
-+plan tests => 3;
-+
-+ok(run(test(["evp_pkey_ctx_new_from_name"])), "running evp_pkey_ctx_new_from_name without explicit context init");
- 
- $ENV{LANG} = "C";
- ok(run(test(["localetest"])), "running localetest");
--- a/0058-replace-expired-certs.patch
+++ b/0058-replace-expired-certs.patch
@ -0,0 +1,38 @@
+diff --git a/test/certs/embeddedSCTs1_issuer.pem b/test/certs/embeddedSCTs1_issuer.pem
+index 1fa449d5a098..6aa9455f09ed 100644
+--- a/test/certs/embeddedSCTs1_issuer.pem
+++ b/test/certs/embeddedSCTs1_issuer.pem
+@@ -1,18 +1,18 @@
+ -----BEGIN CERTIFICATE-----
+-MIIC0DCCAjmgAwIBAgIBADANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJHQjEk
+MIIC0jCCAjugAwIBAgIBADANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJHQjEk
+ MCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4wDAYDVQQIEwVX
+-YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAeFw0xMjA2MDEwMDAwMDBaFw0yMjA2MDEw
+-MDAwMDBaMFUxCzAJBgNVBAYTAkdCMSQwIgYDVQQKExtDZXJ0aWZpY2F0ZSBUcmFu
+-c3BhcmVuY3kgQ0ExDjAMBgNVBAgTBVdhbGVzMRAwDgYDVQQHEwdFcncgV2VuMIGf
+-MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVimhTYhCicRmTbneDIRgcKkATxtB7
+-jHbrkVfT0PtLO1FuzsvRyY2RxS90P6tjXVUJnNE6uvMa5UFEJFGnTHgW8iQ8+EjP
+-KDHM5nugSlojgZ88ujfmJNnDvbKZuDnd/iYx0ss6hPx7srXFL8/BT/9Ab1zURmnL
+-svfP34b7arnRsQIDAQABo4GvMIGsMB0GA1UdDgQWBBRfnYgNyHPmVNT4DdjmsMEk
+-tEfDVTB9BgNVHSMEdjB0gBRfnYgNyHPmVNT4DdjmsMEktEfDVaFZpFcwVTELMAkG
+-A1UEBhMCR0IxJDAiBgNVBAoTG0NlcnRpZmljYXRlIFRyYW5zcGFyZW5jeSBDQTEO
+-MAwGA1UECBMFV2FsZXMxEDAOBgNVBAcTB0VydyBXZW6CAQAwDAYDVR0TBAUwAwEB
+-/zANBgkqhkiG9w0BAQUFAAOBgQAGCMxKbWTyIF4UbASydvkrDvqUpdryOvw4BmBt
+-OZDQoeojPUApV2lGOwRmYef6HReZFSCa6i4Kd1F2QRIn18ADB8dHDmFYT9czQiRy
+-f1HWkLxHqd81TbD26yWVXeGJPE3VICskovPkQNJ0tU4b03YmnKliibduyqQQkOFP
+-OwqULg==
+YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAgFw0yMjA2MDExMDM4MDJaGA8yMTIyMDUw
+ODEwMzgwMlowVTELMAkGA1UEBhMCR0IxJDAiBgNVBAoTG0NlcnRpZmljYXRlIFRy
+YW5zcGFyZW5jeSBDQTEOMAwGA1UECBMFV2FsZXMxEDAOBgNVBAcTB0VydyBXZW4w
+gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANWKaFNiEKJxGZNud4MhGBwqQBPG
+0HuMduuRV9PQ+0s7UW7Oy9HJjZHFL3Q/q2NdVQmc0Tq68xrlQUQkUadMeBbyJDz4
+SM8oMczme6BKWiOBnzy6N+Yk2cO9spm4Od3+JjHSyzqE/HuytcUvz8FP/0BvXNRG
+acuy98/fhvtqudGxAgMBAAGjga8wgawwHQYDVR0OBBYEFF+diA3Ic+ZU1PgN2Oaw
+wSS0R8NVMH0GA1UdIwR2MHSAFF+diA3Ic+ZU1PgN2OawwSS0R8NVoVmkVzBVMQsw
+CQYDVQQGEwJHQjEkMCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENB
+MQ4wDAYDVQQIEwVXYWxlczEQMA4GA1UEBxMHRXJ3IFdlboIBADAMBgNVHRMEBTAD
+AQH/MA0GCSqGSIb3DQEBCwUAA4GBAD0aYh9OkFYfXV7kBfhrtD0PJG2U47OV/1qq
++uFpqB0S1WO06eJT0pzYf1ebUcxjBkajbJZm/FHT85VthZ1lFHsky87aFD8XlJCo
+2IOhKOkvvWKPUdFLoO/ZVXqEVKkcsS1eXK1glFvb07eJZya3JVG0KdMhV2YoDg6c
+Doud4XrO
+ -----END CERTIFICATE-----
--- a/openssl.spec
+++ b/openssl.spec
@ -14,8 +14,8 @@

 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
-Version: 3.0.2
-Release: 5%{?dist}
+Version: 3.0.3
+Release: 1%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@ -70,9 +70,11 @@ Patch52: 0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch
 Patch53: 0053-Add-SHA1-probes.patch
 %endif
 # https://github.com/openssl/openssl/pull/18103
+# The patch is incorporated in 3.0.3 but we provide this function since 3.0.1
+# so the patch should persist
 Patch56: 0056-strcasecmp.patch
-# https://github.com/openssl/openssl/pull/18175
-Patch57: 0057-strcasecmp-fix.patch
+# https://github.com/openssl/openssl/pull/18444
+Patch58: 0058-replace-expired-certs.patch

 License: ASL 2.0
 URL: http://www.openssl.org/
@ -400,6 +402,9 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs

 %changelog
+* Wed Jun 01 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.3-1
+- Rebase to upstream version 3.0.3
+
 * Thu Apr 28 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.2-5
 - Instrument with USDT probes related to SHA-1 deprecation

--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (openssl-3.0.2-hobbled.tar.gz) = e62f95ef9a81555f8c7bb4e68bfbd14bd81040f112dd88a1e515160623e6d3a0b68d0d8b9b12905f67b06834bd152edfbabca4b528a4887b15dd153d60ad36d5
+SHA512 (openssl-3.0.3-hobbled.tar.gz) = 474a6309e0457ad33ec4b5f98606ba7ee6fa15dd0abb26a1da80fa37e3fc0ec535b858e03aceb4ce675dcce6a26796c802d8bf8ebb4adc350e6b3ea95810a61b