openssl: Update to 3.0.7

* Drop 0003 patch - seems no longer to be needed
* Stop changing the default openssl config like Arch.
  This re-enables the idea algo, but I couldn't find anything why it
  should be disabled. Assume openssl knows what's acceptable.
* Run tests in parallel (they pass, with the patch revert workaround)
* Move man7 man pages to openssl-docs, that category gained a lot of
  development related man pages, so move it away from the runtime packages.

openssl/0001-Use-usr-ssl-as-ca-dir-instead-of-.-demoCA.patch

@@ -1,32 +1,17 @@
-From a6c3a5cb68fb76bddc67fb7bd3164897d7877d05 Mon Sep 17 00:00:00 2001
-From: Johannes Schindelin <johannes.schindelin@gmx.de>
-Date: Wed, 21 Nov 2018 13:55:30 +0100
-Subject: [PATCH 1/3] Use /usr/ssl/ as ca-dir (instead of ./demoCA)
-
----
- apps/CA.pl.in    | 2 +-
- apps/openssl.cnf | 2 +-
- test/CAss.cnf    | 2 +-
- 3 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/apps/CA.pl.in b/apps/CA.pl.in
-index db3cc38..fc85f74 100644
 --- a/apps/CA.pl.in
 +++ b/apps/CA.pl.in
-@@ -33,7 +33,7 @@ my $X509 = "$openssl x509";
+@@ -29,7 +29,7 @@
  my $PKCS12 = "$openssl pkcs12";
  
- # default openssl.cnf file has setup as per the following
+ # Default values for various configuration settings.
 -my $CATOP = "./demoCA";
 +my $CATOP = "/usr/ssl";
  my $CAKEY = "cakey.pem";
  my $CAREQ = "careq.pem";
  my $CACERT = "cacert.pem";
-diff --git a/apps/openssl.cnf b/apps/openssl.cnf
-index 6df2878..ca59ecd 100644
 --- a/apps/openssl.cnf
 +++ b/apps/openssl.cnf
-@@ -42,7 +42,7 @@ default_ca	= CA_default		# The default ca section
+@@ -79,7 +79,7 @@
  ####################################################################
  [ CA_default ]
  
@@ -35,19 +20,12 @@ index 6df2878..ca59ecd 100644
  certs		= $dir/certs		# Where the issued certs are kept
  crl_dir		= $dir/crl		# Where the issued crl are kept
  database	= $dir/index.txt	# database index file.
-diff --git a/test/CAss.cnf b/test/CAss.cnf
-index b20a242..edf0d20 100644
---- a/test/CAss.cnf
-+++ b/test/CAss.cnf
-@@ -31,7 +31,7 @@ default_ca	= CA_default		# The default ca section
- ####################################################################
- [ CA_default ]
- 
--dir		= ./demoCA		# Where everything is kept
-+dir		= /usr/ssl		# Where everything is kept
- certs		= $dir/certs		# Where the issued certs are kept
- crl_dir		= $dir/crl		# Where the issued crl are kept
- database	= $dir/index.txt	# database index file.
--- 
-2.19.1
+@@ -309,7 +309,7 @@
+ [ tsa_config1 ]
  
+ # These are used by the TSA reply generation only.
+-dir		= ./demoCA		# TSA root directory
++dir		= /usr/ssl		# TSA root directory
+ serial		= $dir/tsaserial	# The current serial number (mandatory)
+ crypto_device	= builtin		# OpenSSL engine to use for signing
+ signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate

openssl/0002-Support-MSYS2.patch

@@ -1,16 +1,14 @@
---- openssl-1.1.1s/build.info.orig	2022-11-01 13:36:10.000000000 +0100
-+++ openssl-1.1.1s/build.info	2022-12-11 19:26:26.709402900 +0100
-@@ -80,8 +80,8 @@
- ENDIF
+--- openssl-3.0.7/Configurations/platform/Cygwin.pm.orig	2022-12-12 21:04:51.674110200 +0100
++++ openssl-3.0.7/Configurations/platform/Cygwin.pm	2022-11-01 15:14:36.000000000 +0100
+@@ -15,7 +15,7 @@
+ sub sharedname {
+     my $class = shift;
+     my $lib = platform::mingw->sharedname(@_);
+-    $lib =~ s|^lib|cyg| if defined $lib;
++    $lib =~ s|^lib|msys-| if defined $lib;
+     return $lib;
+ }
  
- IF[{- $config{target} =~ /^Cygwin/ -}]
-- SHARED_NAME[libcrypto]=cygcrypto-{- $sover_filename -}
-- SHARED_NAME[libssl]=cygssl-{- $sover_filename -}
-+ SHARED_NAME[libcrypto]=msys-crypto-{- $sover_filename -}
-+ SHARED_NAME[libssl]=msys-ssl-{- $sover_filename -}
- ELSIF[{- $config{target} =~ /^mingw/ -}]
-  SHARED_NAME[libcrypto]=libcrypto-{- $sover_filename -}{- $config{target} eq "mingw64" ? "-x64" : "" -}
-  SHARED_NAME[libssl]=libssl-{- $sover_filename -}{- $config{target} eq "mingw64" ? "-x64" : "" -}
 diff --git a/tools/c_rehash.in b/tools/c_rehash.in
 index 421fd89..640db8c 100644
 --- a/tools/c_rehash.in
@@ -23,15 +21,3 @@ index 421fd89..640db8c 100644
  my $removelinks = 1;
  
  ##  Parse flags.
-diff --git a/util/process_docs.pl b/util/process_docs.pl
-index 30b149e..0f97ce1 100755
---- a/util/process_docs.pl
-+++ b/util/process_docs.pl
-@@ -79,6 +79,7 @@ if ($options{debug}) {
- }
- 
- my $symlink_exists = eval { symlink("",""); 1 };
-+$symlink_exists=0;
- 
- foreach my $section (sort @{$options{section}}) {
-     my $subdir = "man$section";

openssl/0003-tls13secretstest-work-around-multiple-definition-of.patch

@@ -1,138 +0,0 @@
-From 125b6085fc593a37acf521d1834395ff8d33145e Mon Sep 17 00:00:00 2001
-From: Johannes Schindelin <johannes.schindelin@gmx.de>
-Date: Wed, 21 Nov 2018 17:53:41 +0100
-Subject: [PATCH 3/3] tls13secretstest: work around "multiple definition of
- ..."
-
-The way some functions are mocked does not find the favor of current
-mingw-w64's ld.exe. So let's work around it by mocking them differently.
-
-Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
----
- test/build.info         |  1 -
- test/tls13secretstest.c | 39 +++++++++++++++++++++++++++------------
- 2 files changed, 27 insertions(+), 13 deletions(-)
-
-diff --git a/test/build.info b/test/build.info
-index b6bb711..9ee1cbb 100644
---- a/test/build.info
-+++ b/test/build.info
-@@ -530,7 +530,6 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN
-   IF[{- !$disabled{shared} -}]
-     PROGRAMS_NO_INST=tls13secretstest
-     SOURCE[tls13secretstest]=tls13secretstest.c
--    SOURCE[tls13secretstest]= ../ssl/tls13_enc.c ../ssl/packet.c
-     INCLUDE[tls13secretstest]=.. ../include
-     DEPEND[tls13secretstest]=../libcrypto ../libssl libtestutil.a
-   ENDIF
-diff --git a/test/tls13secretstest.c b/test/tls13secretstest.c
-index 724c170..2357751 100644
---- a/test/tls13secretstest.c
-+++ b/test/tls13secretstest.c
-@@ -136,7 +136,8 @@ static unsigned char server_ats_iv[] = {
- };
- 
- /* Mocked out implementations of various functions */
--int ssl3_digest_cached_records(SSL *s, int keep)
-+#define ssl3_digest_cached_records mock_ssl3_digest_cached_records
-+static int mock_ssl3_digest_cached_records(SSL *s, int keep)
- {
-     return 1;
- }
-@@ -144,7 +145,8 @@ int ssl3_digest_cached_records(SSL *s, int keep)
- static int full_hash = 0;
- 
- /* Give a hash of the currently set handshake */
--int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
-+#define ssl_handshake_hash mock_ssl_handshake_hash
-+static int mock_ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
-                        size_t *hashlen)
- {
-     if (sizeof(hs_start_hash) > outlen
-@@ -162,20 +164,24 @@ int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
-     return 1;
- }
- 
--const EVP_MD *ssl_handshake_md(SSL *s)
-+#define ssl_handshake_md mock_ssl_handshake_md
-+static const EVP_MD *mock_ssl_handshake_md(SSL *s)
- {
-     return EVP_sha256();
- }
- 
--void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl)
-+#define RECORD_LAYER_reset_read_sequence mock_RECORD_LAYER_reset_read_sequence
-+static void mock_RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl)
- {
- }
- 
--void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
-+#define RECORD_LAYER_reset_write_sequence mock_RECORD_LAYER_reset_write_sequence
-+static void mock_RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
- {
- }
- 
--int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
-+#define ssl_cipher_get_evp mock_ssl_cipher_get_evp
-+static int mock_ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
-                        const EVP_MD **md, int *mac_pkey_type,
-                        size_t *mac_secret_size, SSL_COMP **comp, int use_etm)
- 
-@@ -183,12 +189,14 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
-     return 0;
- }
- 
--int tls1_alert_code(int code)
-+#define tls1_alert_code mock_tls1_alert_code
-+static int mock_tls1_alert_code(int code)
- {
-     return code;
- }
- 
--int ssl_log_secret(SSL *ssl,
-+#define ssl_log_secret mock_ssl_log_secret
-+static int mock_ssl_log_secret(SSL *ssl,
-                    const char *label,
-                    const uint8_t *secret,
-                    size_t secret_len)
-@@ -196,22 +204,26 @@ int ssl_log_secret(SSL *ssl,
-     return 1;
- }
- 
--const EVP_MD *ssl_md(int idx)
-+#define ssl_md mock_ssl_md
-+static const EVP_MD *mock_ssl_md(int idx)
- {
-     return EVP_sha256();
- }
- 
--void ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file,
-+#define ossl_statem_fatal mock_ossl_statem_fatal
-+static void mock_ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file,
-                            int line)
- {
- }
- 
--int ossl_statem_export_allowed(SSL *s)
-+#define ossl_statem_export_allowed mock_ossl_statem_export_allowed
-+static int mock_ossl_statem_export_allowed(SSL *s)
- {
-     return 1;
- }
- 
--int ossl_statem_export_early_allowed(SSL *s)
-+#define ossl_statem_export_early_allowed mock_ossl_statem_export_early_allowed
-+static int mock_ossl_statem_export_early_allowed(SSL *s)
- {
-     return 1;
- }
-@@ -398,3 +410,6 @@ int setup_tests(void)
-     ADD_TEST(test_handshake_secrets);
-     return 1;
- }
-+
-+#include "../ssl/tls13_enc.c"
-+#include "../ssl/packet.c"
--- 
-2.19.1
-

openssl/0004-Override-engines-directory.patch

@@ -1,26 +1,11 @@
-From b6518c65d63b5d910594fae100d75f42900a5055 Mon Sep 17 00:00:00 2001
-From: Johannes Schindelin <johannes.schindelin@gmx.de>
-Date: Mon, 3 Dec 2018 17:08:57 +0100
-Subject: [PATCH 4/4] Override engines directory
-
-Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
----
- Configurations/unix-Makefile.tmpl | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
-index df5a5ae..969ed4b 100644
---- a/Configurations/unix-Makefile.tmpl
-+++ b/Configurations/unix-Makefile.tmpl
-@@ -170,7 +170,7 @@ LIBDIR={- our $libdir = $config{libdir};
+--- openssl-3.0.7/Configurations/unix-Makefile.tmpl.orig	2022-12-12 20:42:42.640227800 +0100
++++ openssl-3.0.7/Configurations/unix-Makefile.tmpl	2022-12-12 20:43:33.810678900 +0100
+@@ -304,7 +304,7 @@
  # $(libdir) is chosen to be compatible with the GNU coding standards
  libdir={- file_name_is_absolute($libdir)
            ? $libdir : '$(INSTALLTOP)/$(LIBDIR)' -}
 -ENGINESDIR=$(libdir)/engines-{- $sover_dirname -}
 +ENGINESDIR=$(libdir)/openssl/engines-{- $sover_dirname -}
+ MODULESDIR=$(libdir)/ossl-modules
  
  # Convenience variable for those who want to set the rpath in shared
- # libraries and applications
--- 
-2.19.1
-

openssl/PKGBUILD

@@ -1,28 +1,24 @@
 # Maintainer: Alexey Pavlov <alexpux@gmail.com>
 
 pkgname=('openssl' 'libopenssl' 'openssl-devel' 'openssl-docs')
-_ver=1.1.1s
-# use a pacman compatible version scheme
-pkgver=${_ver/[a-z]/.${_ver//[0-9.]/}}
-pkgrel=2
+pkgver=3.0.7
+pkgrel=1
 pkgdesc='The Open Source toolkit for Secure Sockets Layer and Transport Layer Security'
 arch=('i686' 'x86_64')
 url='https://www.openssl.org'
-license=('custom:BSD')
+license=('spdx:Apache-2.0')
 depends=('zlib')
 makedepends=('gcc' 'tar' 'perl' 'zlib-devel' 'diffutils' 'nasm')
-noextract=(${pkgname}-${_ver}.tar.gz)
-source=("https://www.openssl.org/source/${pkgname}-${_ver}.tar.gz"{,.asc}
+noextract=(${pkgname}-${pkgver}.tar.gz)
+source=("https://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz"{,.asc}
         '0001-Use-usr-ssl-as-ca-dir-instead-of-.-demoCA.patch'
         '0002-Support-MSYS2.patch'
-        '0003-tls13secretstest-work-around-multiple-definition-of.patch'
         '0004-Override-engines-directory.patch')
-sha256sums=('c5ac01e760ee6ff0dab61d6b2bbd30146724d063eb322180c6f18a6f74e4b6aa'
+sha256sums=('83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e'
             'SKIP'
-            '35f5508bc3e651bb2ef1bf9f4e052f531aeaefbbdeff95b9746fff71137fff31'
-            '066a51e209a1afdcae19f8a8b72edc63468227a128583b2b86618065c8e8dece'
-            'a83dcfeec646724f081f8ff89beccee83c962758aa74d724f263138aa21b2438'
-            '79765cc10799691ae47880556255287c64b8c1f26ea3907ad2e0add97bc9f1fc')
+            '7ff3213d8d085238695f076d254f16d15b16a9baca1f9393c1bed0057006da2c'
+            'b73a45cf26830bbb3c110a8f9e042ea5c71a9627204d5d172b04c43aff5b0f1a'
+            '345350546bf55dd069133e0c56b2c5f7e037db237a30f7ad38159bd61b6d4daf')
 # https://www.openssl.org/community/otc.html
 validpgpkeys=(
   '8657ABB260F056B1E5190839D9C4D26D0E604491' # Matt Caswell <matt@openssl.org>
@@ -32,17 +28,16 @@ validpgpkeys=(
 )
 
 prepare() {
-  [[ -d ${srcdir}/${pkgname}-${_ver} ]] || tar -xzvf ${srcdir}/${pkgname}-${_ver}.tar.gz -C ${srcdir}
-  cd ${srcdir}/${pkgname}-${_ver}
+  [[ -d ${srcdir}/${pkgname}-${pkgver} ]] || tar -xzvf ${srcdir}/${pkgname}-${pkgver}.tar.gz -C ${srcdir}
+  cd ${srcdir}/${pkgname}-${pkgver}
 
   patch -p1 -i ${srcdir}/0001-Use-usr-ssl-as-ca-dir-instead-of-.-demoCA.patch
   patch -p1 -i ${srcdir}/0002-Support-MSYS2.patch
-  patch -p1 -i ${srcdir}/0003-tls13secretstest-work-around-multiple-definition-of.patch
   patch -p1 -i ${srcdir}/0004-Override-engines-directory.patch
 }
 
 build() {
-  cd ${srcdir}/${pkgname}-${_ver}
+  cd ${srcdir}/${pkgname}-${pkgver}
 
   if [ "${CARCH}" == 'x86_64' ]; then
     openssltarget='Cygwin-x86_64'
@@ -57,9 +52,7 @@ build() {
     --libdir=lib \
     shared \
     zlib \
-    no-idea \
-    no-rc5 \
-    ${openssltarget}
+    "${openssltarget}"
 
   make depend
   make all
@@ -67,12 +60,14 @@ build() {
 }
 
 check() {
-  cd ${srcdir}/${pkgname}-${_ver}
+  cd ${srcdir}/${pkgname}-${pkgver}
 
   # the test would write test data into /usr/ssl, which we do not want
   patch -R -p1 -i ${srcdir}/0001-Use-usr-ssl-as-ca-dir-instead-of-.-demoCA.patch
-  make test
+  make HARNESS_JOBS="$(nproc)" test
   patch -p1 -i ${srcdir}/0001-Use-usr-ssl-as-ca-dir-instead-of-.-demoCA.patch
+  # re-run make to re-generate CA.pl from the patched .in file.
+  make apps/CA.pl
 }
 
 package_openssl() {
@@ -85,13 +80,13 @@ package_openssl() {
   mkdir -p ${pkgdir}/usr/share/man
   cp -rf ${srcdir}/dest/usr/share/man/man1 ${pkgdir}/usr/share/man
   cp -rf ${srcdir}/dest/usr/share/man/man5 ${pkgdir}/usr/share/man
-  cp -rf ${srcdir}/dest/usr/share/man/man7 ${pkgdir}/usr/share/man
   cp -rf ${srcdir}/dest/usr/ssl ${pkgdir}/usr/
 }
 
 package_openssl-docs() {
   mkdir -p ${pkgdir}/usr/share/man
   cp -rf ${srcdir}/dest/usr/share/man/man3 ${pkgdir}/usr/share/man
+  cp -rf ${srcdir}/dest/usr/share/man/man7 ${pkgdir}/usr/share/man
   cp -rf ${srcdir}/dest/usr/share/doc ${pkgdir}/usr/share
 }
 
@@ -103,10 +98,10 @@ package_libopenssl() {
   cp -f ${srcdir}/dest/usr/bin/*.dll ${pkgdir}/usr/bin/
 
   mkdir -p ${pkgdir}/usr/lib/openssl
-  cp -rf ${srcdir}/dest/usr/lib/openssl/engines-1.1 ${pkgdir}/usr/lib/openssl/
-  chmod -R 755 ${pkgdir}/usr/lib/openssl/engines-1.1
+  cp -rf ${srcdir}/dest/usr/lib/openssl/engines-3 ${pkgdir}/usr/lib/openssl/
+  chmod -R 755 ${pkgdir}/usr/lib/openssl/engines-3
 
-  install -D -m644 ${srcdir}/openssl-${_ver}/LICENSE ${pkgdir}/usr/share/licenses/${pkgname}/LICENSE
+  install -D -m644 ${srcdir}/openssl-${pkgver}/LICENSE.txt ${pkgdir}/usr/share/licenses/${pkgname}/LICENSE.txt
 }
 
 package_openssl-devel() {