openssl: Update to 3.0.7

* Drop 0003 patch - seems no longer to be needed * Stop changing the default openssl config like Arch. This re-enables the idea algo, but I couldn't find anything why it should be disabled. Assume openssl knows what's acceptable. * Run tests in parallel (they pass, with the patch revert workaround) * Move man7 man pages to openssl-docs, that category gained a lot of development related man pages, so move it away from the runtime packages.
2022-12-13 07:54:33 +01:00 · 2022-12-13 07:54:33 +01:00 · 0d14727c3e
commit 0d14727c3e
parent 173931fd04
5 changed files with 46 additions and 240 deletions
--- a/openssl/0001-Use-usr-ssl-as-ca-dir-instead-of-.-demoCA.patch
+++ b/openssl/0001-Use-usr-ssl-as-ca-dir-instead-of-.-demoCA.patch
@ -1,32 +1,17 @@
 From a6c3a5cb68fb76bddc67fb7bd3164897d7877d05 Mon Sep 17 00:00:00 2001
 From: Johannes Schindelin <johannes.schindelin@gmx.de>
 Date: Wed, 21 Nov 2018 13:55:30 +0100
 Subject: [PATCH 1/3] Use /usr/ssl/ as ca-dir (instead of ./demoCA)
 ---
 apps/CA.pl.in    | 2 +-
 apps/openssl.cnf | 2 +-
 test/CAss.cnf    | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
 diff --git a/apps/CA.pl.in b/apps/CA.pl.in
 index db3cc38..fc85f74 100644
 --- a/apps/CA.pl.in
 +++ b/apps/CA.pl.in
-@@ -33,7 +33,7 @@ my $X509 = "$openssl x509";
+@@ -29,7 +29,7 @@
 my $PKCS12 = "$openssl pkcs12";
- # default openssl.cnf file has setup as per the following
+ # Default values for various configuration settings.
 -my $CATOP = "./demoCA";
 +my $CATOP = "/usr/ssl";
 my $CAKEY = "cakey.pem";
 my $CAREQ = "careq.pem";
 my $CACERT = "cacert.pem";
 diff --git a/apps/openssl.cnf b/apps/openssl.cnf
 index 6df2878..ca59ecd 100644
 --- a/apps/openssl.cnf
 +++ b/apps/openssl.cnf
-@@ -42,7 +42,7 @@ default_ca	= CA_default		# The default ca section
+@@ -79,7 +79,7 @@
 ####################################################################
 [ CA_default ]
@ -35,19 +20,12 @@ index 6df2878..ca59ecd 100644
 certs		= $dir/certs		# Where the issued certs are kept
 crl_dir		= $dir/crl		# Where the issued crl are kept
 database	= $dir/index.txt	# database index file.
-diff --git a/test/CAss.cnf b/test/CAss.cnf
+@@ -309,7 +309,7 @@
-index b20a242..edf0d20 100644
+ [ tsa_config1 ]
 --- a/test/CAss.cnf
 +++ b/test/CAss.cnf
@@ -31,7 +31,7 @@ default_ca	= CA_default		# The default ca section
 ####################################################################
 [ CA_default ]
-dir		= ./demoCA		# Where everything is kept
+ # These are used by the TSA reply generation only.
-+dir		= /usr/ssl		# Where everything is kept
+-dir		= ./demoCA		# TSA root directory
- certs		= $dir/certs		# Where the issued certs are kept
+dir		= /usr/ssl		# TSA root directory
- crl_dir		= $dir/crl		# Where the issued crl are kept
+ serial		= $dir/tsaserial	# The current serial number (mandatory)
- database	= $dir/index.txt	# database index file.
+ crypto_device	= builtin		# OpenSSL engine to use for signing
-- 
+ signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
 2.19.1
--- a/openssl/0002-Support-MSYS2.patch
+++ b/openssl/0002-Support-MSYS2.patch
@ -1,16 +1,14 @@
--- openssl-1.1.1s/build.info.orig	2022-11-01 13:36:10.000000000 +0100
+--- openssl-3.0.7/Configurations/platform/Cygwin.pm.orig	2022-12-12 21:04:51.674110200 +0100
-+++ openssl-1.1.1s/build.info	2022-12-11 19:26:26.709402900 +0100
+++ openssl-3.0.7/Configurations/platform/Cygwin.pm	2022-11-01 15:14:36.000000000 +0100
-@@ -80,8 +80,8 @@
+@@ -15,7 +15,7 @@
- ENDIF
+ sub sharedname {
     my $class = shift;
     my $lib = platform::mingw->sharedname(@_);
 -    $lib =~ s|^lib|cyg| if defined $lib;
 +    $lib =~ s|^lib|msys-| if defined $lib;
     return $lib;
 }
 IF[{- $config{target} =~ /^Cygwin/ -}]
 - SHARED_NAME[libcrypto]=cygcrypto-{- $sover_filename -}
 - SHARED_NAME[libssl]=cygssl-{- $sover_filename -}
 + SHARED_NAME[libcrypto]=msys-crypto-{- $sover_filename -}
 + SHARED_NAME[libssl]=msys-ssl-{- $sover_filename -}
 ELSIF[{- $config{target} =~ /^mingw/ -}]
  SHARED_NAME[libcrypto]=libcrypto-{- $sover_filename -}{- $config{target} eq "mingw64" ? "-x64" : "" -}
  SHARED_NAME[libssl]=libssl-{- $sover_filename -}{- $config{target} eq "mingw64" ? "-x64" : "" -}
 diff --git a/tools/c_rehash.in b/tools/c_rehash.in
 index 421fd89..640db8c 100644
 --- a/tools/c_rehash.in
@ -23,15 +21,3 @@ index 421fd89..640db8c 100644
 my $removelinks = 1;
 ##  Parse flags.
 diff --git a/util/process_docs.pl b/util/process_docs.pl
 index 30b149e..0f97ce1 100755
 --- a/util/process_docs.pl
 +++ b/util/process_docs.pl
@@ -79,6 +79,7 @@ if ($options{debug}) {
 }
 my $symlink_exists = eval { symlink("",""); 1 };
 +$symlink_exists=0;
 foreach my $section (sort @{$options{section}}) {
     my $subdir = "man$section";
--- a/openssl/0003-tls13secretstest-work-around-multiple-definition-of.patch
+++ b/openssl/0003-tls13secretstest-work-around-multiple-definition-of.patch
@ -1,138 +0,0 @@
 From 125b6085fc593a37acf521d1834395ff8d33145e Mon Sep 17 00:00:00 2001
 From: Johannes Schindelin <johannes.schindelin@gmx.de>
 Date: Wed, 21 Nov 2018 17:53:41 +0100
 Subject: [PATCH 3/3] tls13secretstest: work around "multiple definition of
 ..."
 The way some functions are mocked does not find the favor of current
 mingw-w64's ld.exe. So let's work around it by mocking them differently.
 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 ---
 test/build.info         |  1 -
 test/tls13secretstest.c | 39 +++++++++++++++++++++++++++------------
 2 files changed, 27 insertions(+), 13 deletions(-)
 diff --git a/test/build.info b/test/build.info
 index b6bb711..9ee1cbb 100644
 --- a/test/build.info
 +++ b/test/build.info
@@ -530,7 +530,6 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN
   IF[{- !$disabled{shared} -}]
     PROGRAMS_NO_INST=tls13secretstest
     SOURCE[tls13secretstest]=tls13secretstest.c
 -    SOURCE[tls13secretstest]= ../ssl/tls13_enc.c ../ssl/packet.c
     INCLUDE[tls13secretstest]=.. ../include
     DEPEND[tls13secretstest]=../libcrypto ../libssl libtestutil.a
   ENDIF
 diff --git a/test/tls13secretstest.c b/test/tls13secretstest.c
 index 724c170..2357751 100644
 --- a/test/tls13secretstest.c
 +++ b/test/tls13secretstest.c
@@ -136,7 +136,8 @@ static unsigned char server_ats_iv[] = {
 };
 /* Mocked out implementations of various functions */
 -int ssl3_digest_cached_records(SSL *s, int keep)
 +#define ssl3_digest_cached_records mock_ssl3_digest_cached_records
 +static int mock_ssl3_digest_cached_records(SSL *s, int keep)
 {
     return 1;
 }
@@ -144,7 +145,8 @@ int ssl3_digest_cached_records(SSL *s, int keep)
 static int full_hash = 0;
 /* Give a hash of the currently set handshake */
 -int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
 +#define ssl_handshake_hash mock_ssl_handshake_hash
 +static int mock_ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
                        size_t *hashlen)
 {
     if (sizeof(hs_start_hash) > outlen
@@ -162,20 +164,24 @@ int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
     return 1;
 }
 -const EVP_MD *ssl_handshake_md(SSL *s)
 +#define ssl_handshake_md mock_ssl_handshake_md
 +static const EVP_MD *mock_ssl_handshake_md(SSL *s)
 {
     return EVP_sha256();
 }
 -void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl)
 +#define RECORD_LAYER_reset_read_sequence mock_RECORD_LAYER_reset_read_sequence
 +static void mock_RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl)
 {
 }
 -void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
 +#define RECORD_LAYER_reset_write_sequence mock_RECORD_LAYER_reset_write_sequence
 +static void mock_RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
 {
 }
 -int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
 +#define ssl_cipher_get_evp mock_ssl_cipher_get_evp
 +static int mock_ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
                        const EVP_MD **md, int *mac_pkey_type,
                        size_t *mac_secret_size, SSL_COMP **comp, int use_etm)
@@ -183,12 +189,14 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
     return 0;
 }
 -int tls1_alert_code(int code)
 +#define tls1_alert_code mock_tls1_alert_code
 +static int mock_tls1_alert_code(int code)
 {
     return code;
 }
 -int ssl_log_secret(SSL *ssl,
 +#define ssl_log_secret mock_ssl_log_secret
 +static int mock_ssl_log_secret(SSL *ssl,
                    const char *label,
                    const uint8_t *secret,
                    size_t secret_len)
@@ -196,22 +204,26 @@ int ssl_log_secret(SSL *ssl,
     return 1;
 }
 -const EVP_MD *ssl_md(int idx)
 +#define ssl_md mock_ssl_md
 +static const EVP_MD *mock_ssl_md(int idx)
 {
     return EVP_sha256();
 }
 -void ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file,
 +#define ossl_statem_fatal mock_ossl_statem_fatal
 +static void mock_ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file,
                            int line)
 {
 }
 -int ossl_statem_export_allowed(SSL *s)
 +#define ossl_statem_export_allowed mock_ossl_statem_export_allowed
 +static int mock_ossl_statem_export_allowed(SSL *s)
 {
     return 1;
 }
 -int ossl_statem_export_early_allowed(SSL *s)
 +#define ossl_statem_export_early_allowed mock_ossl_statem_export_early_allowed
 +static int mock_ossl_statem_export_early_allowed(SSL *s)
 {
     return 1;
 }
@@ -398,3 +410,6 @@ int setup_tests(void)
     ADD_TEST(test_handshake_secrets);
     return 1;
 }
 +
 +#include "../ssl/tls13_enc.c"
 +#include "../ssl/packet.c"
 -- 
 2.19.1
--- a/openssl/0004-Override-engines-directory.patch
+++ b/openssl/0004-Override-engines-directory.patch
@ -1,26 +1,11 @@
-From b6518c65d63b5d910594fae100d75f42900a5055 Mon Sep 17 00:00:00 2001
+--- openssl-3.0.7/Configurations/unix-Makefile.tmpl.orig	2022-12-12 20:42:42.640227800 +0100
-From: Johannes Schindelin <johannes.schindelin@gmx.de>
+++ openssl-3.0.7/Configurations/unix-Makefile.tmpl	2022-12-12 20:43:33.810678900 +0100
-Date: Mon, 3 Dec 2018 17:08:57 +0100
+@@ -304,7 +304,7 @@
 Subject: [PATCH 4/4] Override engines directory
 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
 ---
 Configurations/unix-Makefile.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
 index df5a5ae..969ed4b 100644
 --- a/Configurations/unix-Makefile.tmpl
 +++ b/Configurations/unix-Makefile.tmpl
@@ -170,7 +170,7 @@ LIBDIR={- our $libdir = $config{libdir};
 # $(libdir) is chosen to be compatible with the GNU coding standards
 libdir={- file_name_is_absolute($libdir)
           ? $libdir : '$(INSTALLTOP)/$(LIBDIR)' -}
 -ENGINESDIR=$(libdir)/engines-{- $sover_dirname -}
 +ENGINESDIR=$(libdir)/openssl/engines-{- $sover_dirname -}
 MODULESDIR=$(libdir)/ossl-modules
 # Convenience variable for those who want to set the rpath in shared
 # libraries and applications
 -- 
 2.19.1
--- a/openssl/PKGBUILD
+++ b/openssl/PKGBUILD
@ -1,28 +1,24 @@
 # Maintainer: Alexey Pavlov <alexpux@gmail.com>
 pkgname=('openssl' 'libopenssl' 'openssl-devel' 'openssl-docs')
-_ver=1.1.1s
+pkgver=3.0.7
-# use a pacman compatible version scheme
+pkgrel=1
 pkgver=${_ver/[a-z]/.${_ver//[0-9.]/}}
 pkgrel=2
 pkgdesc='The Open Source toolkit for Secure Sockets Layer and Transport Layer Security'
 arch=('i686' 'x86_64')
 url='https://www.openssl.org'
-license=('custom:BSD')
+license=('spdx:Apache-2.0')
 depends=('zlib')
 makedepends=('gcc' 'tar' 'perl' 'zlib-devel' 'diffutils' 'nasm')
-noextract=(${pkgname}-${_ver}.tar.gz)
+noextract=(${pkgname}-${pkgver}.tar.gz)
-source=("https://www.openssl.org/source/${pkgname}-${_ver}.tar.gz"{,.asc}
+source=("https://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz"{,.asc}
        '0001-Use-usr-ssl-as-ca-dir-instead-of-.-demoCA.patch'
        '0002-Support-MSYS2.patch'
        '0003-tls13secretstest-work-around-multiple-definition-of.patch'
        '0004-Override-engines-directory.patch')
-sha256sums=('c5ac01e760ee6ff0dab61d6b2bbd30146724d063eb322180c6f18a6f74e4b6aa'
+sha256sums=('83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e'
            'SKIP'
-            '35f5508bc3e651bb2ef1bf9f4e052f531aeaefbbdeff95b9746fff71137fff31'
+            '7ff3213d8d085238695f076d254f16d15b16a9baca1f9393c1bed0057006da2c'
-            '066a51e209a1afdcae19f8a8b72edc63468227a128583b2b86618065c8e8dece'
+            'b73a45cf26830bbb3c110a8f9e042ea5c71a9627204d5d172b04c43aff5b0f1a'
-            'a83dcfeec646724f081f8ff89beccee83c962758aa74d724f263138aa21b2438'
+            '345350546bf55dd069133e0c56b2c5f7e037db237a30f7ad38159bd61b6d4daf')
            '79765cc10799691ae47880556255287c64b8c1f26ea3907ad2e0add97bc9f1fc')
 # https://www.openssl.org/community/otc.html
 validpgpkeys=(
  '8657ABB260F056B1E5190839D9C4D26D0E604491' # Matt Caswell <matt@openssl.org>
@ -32,17 +28,16 @@ validpgpkeys=(
 )
 prepare() {
-  [[ -d ${srcdir}/${pkgname}-${_ver} ]] || tar -xzvf ${srcdir}/${pkgname}-${_ver}.tar.gz -C ${srcdir}
+  [[ -d ${srcdir}/${pkgname}-${pkgver} ]] || tar -xzvf ${srcdir}/${pkgname}-${pkgver}.tar.gz -C ${srcdir}
-  cd ${srcdir}/${pkgname}-${_ver}
+  cd ${srcdir}/${pkgname}-${pkgver}
  patch -p1 -i ${srcdir}/0001-Use-usr-ssl-as-ca-dir-instead-of-.-demoCA.patch
  patch -p1 -i ${srcdir}/0002-Support-MSYS2.patch
  patch -p1 -i ${srcdir}/0003-tls13secretstest-work-around-multiple-definition-of.patch
  patch -p1 -i ${srcdir}/0004-Override-engines-directory.patch
 }
 build() {
-  cd ${srcdir}/${pkgname}-${_ver}
+  cd ${srcdir}/${pkgname}-${pkgver}
  if [ "${CARCH}" == 'x86_64' ]; then
    openssltarget='Cygwin-x86_64'
@ -57,9 +52,7 @@ build() {
    --libdir=lib \
    shared \
    zlib \
-    no-idea \
+    "${openssltarget}"
    no-rc5 \
    ${openssltarget}
  make depend
  make all
@ -67,12 +60,14 @@ build() {
 }
 check() {
-  cd ${srcdir}/${pkgname}-${_ver}
+  cd ${srcdir}/${pkgname}-${pkgver}
  # the test would write test data into /usr/ssl, which we do not want
  patch -R -p1 -i ${srcdir}/0001-Use-usr-ssl-as-ca-dir-instead-of-.-demoCA.patch
-  make test
+  make HARNESS_JOBS="$(nproc)" test
  patch -p1 -i ${srcdir}/0001-Use-usr-ssl-as-ca-dir-instead-of-.-demoCA.patch
  # re-run make to re-generate CA.pl from the patched .in file.
  make apps/CA.pl
 }
 package_openssl() {
@ -85,13 +80,13 @@ package_openssl() {
  mkdir -p ${pkgdir}/usr/share/man
  cp -rf ${srcdir}/dest/usr/share/man/man1 ${pkgdir}/usr/share/man
  cp -rf ${srcdir}/dest/usr/share/man/man5 ${pkgdir}/usr/share/man
  cp -rf ${srcdir}/dest/usr/share/man/man7 ${pkgdir}/usr/share/man
  cp -rf ${srcdir}/dest/usr/ssl ${pkgdir}/usr/
 }
 package_openssl-docs() {
  mkdir -p ${pkgdir}/usr/share/man
  cp -rf ${srcdir}/dest/usr/share/man/man3 ${pkgdir}/usr/share/man
  cp -rf ${srcdir}/dest/usr/share/man/man7 ${pkgdir}/usr/share/man
  cp -rf ${srcdir}/dest/usr/share/doc ${pkgdir}/usr/share
 }
@ -103,10 +98,10 @@ package_libopenssl() {
  cp -f ${srcdir}/dest/usr/bin/*.dll ${pkgdir}/usr/bin/
  mkdir -p ${pkgdir}/usr/lib/openssl
-  cp -rf ${srcdir}/dest/usr/lib/openssl/engines-1.1 ${pkgdir}/usr/lib/openssl/
+  cp -rf ${srcdir}/dest/usr/lib/openssl/engines-3 ${pkgdir}/usr/lib/openssl/
-  chmod -R 755 ${pkgdir}/usr/lib/openssl/engines-1.1
+  chmod -R 755 ${pkgdir}/usr/lib/openssl/engines-3
-  install -D -m644 ${srcdir}/openssl-${_ver}/LICENSE ${pkgdir}/usr/share/licenses/${pkgname}/LICENSE
+  install -D -m644 ${srcdir}/openssl-${pkgver}/LICENSE.txt ${pkgdir}/usr/share/licenses/${pkgname}/LICENSE.txt
 }
 package_openssl-devel() {