Rebase to upstream version 3.0.8

Resolves: CVE-2022-4203
Resolves: CVE-2022-4304
Resolves: CVE-2022-4450
Resolves: CVE-2023-0215
Resolves: CVE-2023-0216
Resolves: CVE-2023-0217
Resolves: CVE-2023-0286
Resolves: CVE-2023-0401

.gitignore

@@ -56,3 +56,4 @@ openssl-1.0.0a-usa.tar.bz2
 /openssl-3.0.2-hobbled.tar.gz
 /openssl-3.0.3-hobbled.tar.gz
 /openssl-3.0.5-hobbled.tar.xz
+/openssl-3.0.8-hobbled.tar.gz

0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch

@@ -272,9 +272,9 @@ index 404a706fab..e81fa9ec3e 100644
 --- a/util/libcrypto.num
 +++ b/util/libcrypto.num
 @@ -5282,3 +5282,4 @@ OSSL_DECODER_CTX_set_input_structure    ?	3_0_0	EXIST::FUNCTION:
- EVP_PKEY_CTX_get0_provider              5555	3_0_0	EXIST::FUNCTION:
  OPENSSL_strcasecmp                      5556	3_0_3	EXIST::FUNCTION:
  OPENSSL_strncasecmp                     5557	3_0_3	EXIST::FUNCTION:
+ OSSL_CMP_CTX_reset_geninfo_ITAVs        5558	3_0_8	EXIST::FUNCTION:CMP
 +ossl_safe_getenv                        ?	3_0_0	EXIST::FUNCTION:
 -- 
 2.26.2

0011-Remove-EC-curves.patch

@@ -5011,3 +5011,15 @@ diff -up openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt.remov
  Title=prime256v1 curve tests
  
  PrivateKey=ALICE_cf_prime256v1
+diff -up openssl-3.0.7/test/recipes/15-test_ec.t.skipshort openssl-3.0.7/test/recipes/15-test_ec.t
+--- openssl-3.0.7/test/recipes/15-test_ec.t.skipshort	2022-11-23 12:40:55.324395782 +0100
++++ openssl-3.0.7/test/recipes/15-test_ec.t	2022-11-23 12:42:12.478094387 +0100
+@@ -90,7 +90,7 @@ subtest 'Ed448 conversions -- public key
+ 
+ subtest 'Check loading of fips and non-fips keys' => sub {
+     plan skip_all => "FIPS is disabled"
+-        if $no_fips;
++        if 1; #Red Hat specific, original value is $no_fips;
+ 
+     plan tests => 2;
+ 

0012-Disable-explicit-ec.patch

@@ -19,7 +19,7 @@ diff -up openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.disable_expl
  
 -        if ((flags & EC_FLAG_CHECK_NAMED_GROUP) != 0)
 -            ok = ok && EC_GROUP_check_named_curve(EC_KEY_get0_group(eck),
--                           (flags & EC_FLAG_CHECK_NAMED_GROUP_NIST) != 0, ctx);
+-                           (flags & EC_FLAG_CHECK_NAMED_GROUP_NIST) != 0, ctx) > 0;
 -        else
 -            ok = ok && EC_GROUP_check(EC_KEY_get0_group(eck), ctx);
 +        ok = ok && EC_GROUP_check_named_curve(EC_KEY_get0_group(eck),

0049-Allow-disabling-of-SHA1-signatures.patch

@@ -493,8 +493,8 @@ index 10b4e57d79..2d3c363bb0 100644
 --- a/util/libcrypto.num
 +++ b/util/libcrypto.num
 @@ -5426,3 +5426,5 @@ ASN1_item_d2i_ex                        5552	3_0_0	EXIST::FUNCTION:
- OPENSSL_strcasecmp                      5556	3_0_3	EXIST::FUNCTION:
  OPENSSL_strncasecmp                     5557	3_0_3	EXIST::FUNCTION:
+ OSSL_CMP_CTX_reset_geninfo_ITAVs        5558	3_0_8	EXIST::FUNCTION:CMP
  ossl_safe_getenv                        ?	3_0_0	EXIST::FUNCTION:
 +ossl_ctx_legacy_digest_signatures_allowed ?	3_0_1	EXIST::FUNCTION:
 +ossl_ctx_legacy_digest_signatures_allowed_set ?	3_0_1	EXIST::FUNCTION:

0056-strcasecmp.patch

@@ -9,6 +9,6 @@ diff -up openssl-3.0.3/util/libcrypto.num.locale openssl-3.0.3/util/libcrypto.nu
 -OPENSSL_strncasecmp                     5557	3_0_3	EXIST::FUNCTION:
 +OPENSSL_strcasecmp                      5556	3_0_1	EXIST::FUNCTION:
 +OPENSSL_strncasecmp                     5557	3_0_1	EXIST::FUNCTION:
+ OSSL_CMP_CTX_reset_geninfo_ITAVs        5558	3_0_8	EXIST::FUNCTION:CMP
  ossl_safe_getenv                        ?	3_0_0	EXIST::FUNCTION:
  ossl_ctx_legacy_digest_signatures_allowed ?	3_0_1	EXIST::FUNCTION:
- ossl_ctx_legacy_digest_signatures_allowed_set ?	3_0_1	EXIST::FUNCTION:

openssl.spec

@@ -14,13 +14,13 @@
 
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
-Version: 3.0.5
-Release: 2%{?dist}
+Version: 3.0.8
+Release: 1%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
 # The original openssl upstream tarball cannot be shipped in the .src.rpm.
-Source: openssl-%{version}-hobbled.tar.xz
+Source: openssl-%{version}-hobbled.tar.gz
 Source1: hobble-openssl
 Source2: Makefile.certificate
 Source3: genpatches
@@ -414,6 +414,23 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 
 %changelog
+* Thu Feb 09 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.8-1
+- Rebase to upstream version 3.0.8
+  Resolves: CVE-2022-4203
+  Resolves: CVE-2022-4304
+  Resolves: CVE-2022-4450
+  Resolves: CVE-2023-0215
+  Resolves: CVE-2023-0216
+  Resolves: CVE-2023-0217
+  Resolves: CVE-2023-0286
+  Resolves: CVE-2023-0401
+
+* Tue Nov 01 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.5-3
+- CVE-2022-3602: X.509 Email Address Buffer Overflow
+- CVE-2022-3786: X.509 Email Address Buffer Overflow
+  Resolves: CVE-2022-3602
+  Resolves: CVE-2022-3786
+
 * Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.0.5-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
 

sources

@@ -1 +1 @@
-SHA512 (openssl-3.0.5-hobbled.tar.xz) = 2f5531d46a905af8d36bf81c18fa34ccc86f5bd66e6e4227bb17e2f926ef14f78057ab60cd9d55bb9d1bad3d5b56a71170e4a86708fd8352324db2e0747142cf
+SHA512 (openssl-3.0.8-hobbled.tar.gz) = 42f2a59aa8c39c21b66b528329ace126b870f6d7c3a1da2f2ee18ab875923c5bcf3d9046f884201556799a8ab1d915112a1f124cfaf1ab77b2eac834d1f88c60