From 6e00126f8c2f8c0e58a74d51606e666ab5e25102 Mon Sep 17 00:00:00 2001
From: YellowJacketLinux
Date: Sun, 7 May 2023 23:35:11 -0700
Subject: [PATCH] libressl
---
SOURCES/README.DHE.md | 93 ++
SOURCES/group14.pem | 8 +
SOURCES/group15.pem | 11 +
SOURCES/group16.pem | 13 +
SOURCES/group17.pem | 19 +
SOURCES/group18.pem | 24 +
SOURCES/libressl-3.7.2-cnf-name.patch | 96 ++
SOURCES/libressl-3.7.2-manpage.patch | 1165 +++++++++++++++++++++++++
SOURCES/libressl-yjl-additions.cnf | 223 +++++
SPECS/libressl.spec | 300 +++++++
10 files changed, 1952 insertions(+)
create mode 100644 SOURCES/README.DHE.md
create mode 100644 SOURCES/group14.pem
create mode 100644 SOURCES/group15.pem
create mode 100644 SOURCES/group16.pem
create mode 100644 SOURCES/group17.pem
create mode 100644 SOURCES/group18.pem
create mode 100644 SOURCES/libressl-3.7.2-cnf-name.patch
create mode 100644 SOURCES/libressl-3.7.2-manpage.patch
create mode 100644 SOURCES/libressl-yjl-additions.cnf
create mode 100644 SPECS/libressl.spec
diff --git a/SOURCES/README.DHE.md b/SOURCES/README.DHE.md
new file mode 100644
index 0000000..683a6f5
--- /dev/null
+++ b/SOURCES/README.DHE.md
@@ -0,0 +1,93 @@
+DH Paramaters
+=============
+
+It is the opinion of the LibreSSL packager that whenever possible, DHE
+key exchange should be avoided and ECDHE key exchange should be used
+instead.
+
+Some TLS clients do not support ECDHE key exchange, so DHE may still
+need to be supported on some servers.
+
+MODP IKE DH Paramaters
+----------------------
+
+RFC 3526 defines several Diffie-Hellman groups for the Internet Key
+Exchange (IKE) protocol.
+
+The RFC may be retrieved at https://www.ietf.org/rfc/rfc3526.txt
+
+From that RFC, the following DH groups are provided in PEM format:
+
+* `/etc/pki/tls/MODP-IKE-2048-group14.pem`
+* `/etc/pki/tls/MODP-IKE-3072-group15.pem`
+* `/etc/pki/tls/MODP-IKE-4096-group16.pem`
+* `/etc/pki/tls/MODP-IKE-6144-group17.pem`
+* `/etc/pki/tls/MODP-IKE-8192-group18.pem`
+
+The `.pem` files were retrieved from https://bettercrypto.org/static/dhparams/
+
+At this point in time it is no longer recommended to use DH groups less
+than 2048-bit and if you must, they should be uniquely generated and
+fairly frequently so. For this reason, the 1536-bit MODP parameters are
+not included here.
+
+LibreSSL DH Parameters
+----------------------
+
+DH parameters < 1024-bit should never be used and are not supported by
+the LibreSSL library. They are vulnerable to the logjam attack, see
+https://weakdh.org/ for more information.
+
+DH parameters < 2048-bit should not be used but a few TLS clients still
+in use do not support DH parameters > 1024-bit. When using a 1024-bit
+group to satisfy those clients it is important that they are unique to
+your server and are re-generated frequently.
+
+YJL provides a cron script in `/etc/cron.daily` that will generate a
+fresh 2048-bit group on a daily basis, and a cron script in
+`/etc/cron.monthly` that will generate fresh 3072-bit and 4096-bit
+groups on a monthly basis.
+
+The results of those scripts are placed in the following PEM format
+files:
+
+* `/etc/pki/tls/dh2048.pem`
+* `/etc/pki/tls/dh3072.pem`
+* `/etc/pki/tls/dh4096.pem`
+
+The initial group in the `dh2048.pem`, `dh3072.pem`, and `dh4096.pem`
+files are the same as the MODP-IKE parameters. The group in the
+`dh2048.pem` file will be replaced by a fresh unique group generated
+on your server within a day of install, and the groups in the `dh3072.pem`
+and `dh4096.pem` files will be replaced by fresh unique groups within
+a month of install.
+
+Which to Use?
+-------------
+
+If you must use a 1024-bit group, you will need to generate it youself.
+I would recommend regenerating it at least four times a day.
+
+For 2048-bit, 3072-bit, 4096-bit you have a choice. Some prefer the
+pre-defined MODP-IKE parameters as they have likely been reviewed by
+many eyes, while others prefer parameters uniquely generated on the
+server.
+
+It is hypothetically possible unique parameters have a flaw that can
+be exploited (e.g. not truly prime and can be factored) but it is very
+unlikely.
+
+Similarly it is possible an attack has been crafted for the RFC published
+DH parameters, though that also is unlikely as it would almost certainly
+take more computing power than even the NSA has to even develop an attack
+against the published 2048-bit group.
+
+My *personal* preference is to use the `dh2048.pem` parameters that are
+daily re-generated on the server when I need to support DHE key exchange.
+The rationale I use is that if an attack ever is developed, it provides
+a moving target rather than a static target.
+
+If security beyond what the `dh4096.pem` parameters can provide is
+required, then I require ECDHE key exchange.
+
+EOF
diff --git a/SOURCES/group14.pem b/SOURCES/group14.pem
new file mode 100644
index 0000000..b150715
--- /dev/null
+++ b/SOURCES/group14.pem
@@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb +IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft +awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT +mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh +fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq +5RXSJhiY+gUQFXKOWoqsqmj//////////wIBAg== +-----END DH PARAMETERS----- diff --git a/SOURCES/group15.pem b/SOURCES/group15.pem new file mode 100644 index 0000000..f27b778 --- /dev/null +++ b/SOURCES/group15.pem @@ -0,0 +1,11 @@ +-----BEGIN DH PARAMETERS----- +MIIBiAKCAYEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb +IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft +awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT +mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh +fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq +5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM +fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq +ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqTrS +yv//////////AgEC +-----END DH PARAMETERS----- diff --git a/SOURCES/group16.pem b/SOURCES/group16.pem new file mode 100644 index 0000000..a734b90 --- /dev/null +++ b/SOURCES/group16.pem 
@@ -0,0 +1,13 @@ +-----BEGIN DH PARAMETERS----- +MIICCAKCAgEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb +IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft +awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT +mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh +fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq +5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM +fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq +ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI +ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O ++S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI +HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0BjGZ//////////8CAQI= +-----END DH PARAMETERS----- diff --git a/SOURCES/group17.pem b/SOURCES/group17.pem new file mode 100644 index 0000000..d8307bd --- /dev/null +++ b/SOURCES/group17.pem 
@@ -0,0 +1,19 @@ +-----BEGIN DH PARAMETERS----- +MIIDCAKCAwEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb +IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft +awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT +mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh +fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq +5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM +fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq +ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI +ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O ++S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI +HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0AoSSNsP6tNJ8cCbB1NyyYCZG +3sl1HnY9uje9+P+UBq2eUw7l2zgvQTABrrBqU+2QJ9gxF5cnsIZaiRjaPtvrz5sU +7UTObLrO1Lsb238UR+bMJUszIFFRK9evQm+49AE3jNK/WYPKAcZLkuzwMuoV0XId +A/SC185udP721V5wL0aYDIK1qEAxkAscnlnnyX++x+jzI6l6fjbMiL4PHUW3/1ha +xUvUB7IrQVSqzI9tfr9I4dgUzF7SD4A34KeXFe7ym+MoBqHVi7fF2nb1UKo9ih+/ +8OsZzLGjE9Vc2lbJ7C7yljI4f+jXbjwEaAQ+j2Y/SGDuEr8tWwt0dNbmlPkebcxA +JP//////////AgEC +-----END DH PARAMETERS----- diff --git a/SOURCES/group18.pem b/SOURCES/group18.pem new file mode 100644 index 0000000..af54dd6 --- /dev/null +++ b/SOURCES/group18.pem 
@@ -0,0 +1,24 @@ +-----BEGIN DH PARAMETERS----- +MIIECAKCBAEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb +IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft +awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT +mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh +fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq +5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM +fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq +ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI +ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O ++S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI +HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0AoSSNsP6tNJ8cCbB1NyyYCZG +3sl1HnY9uje9+P+UBq2eUw7l2zgvQTABrrBqU+2QJ9gxF5cnsIZaiRjaPtvrz5sU +7UTObLrO1Lsb238UR+bMJUszIFFRK9evQm+49AE3jNK/WYPKAcZLkuzwMuoV0XId +A/SC185udP721V5wL0aYDIK1qEAxkAscnlnnyX++x+jzI6l6fjbMiL4PHUW3/1ha +xUvUB7IrQVSqzI9tfr9I4dgUzF7SD4A34KeXFe7ym+MoBqHVi7fF2nb1UKo9ih+/ +8OsZzLGjE9Vc2lbJ7C7yljI4f+jXbjwEaAQ+j2Y/SGDuEr8tWwt0dNbmlPkebb4R +WXSjkm8S/uXkOHd8tqky34zYvsTQc7kxujvIMraNndMAdB+nv4r8R+0ldvaTa6Qk +ZjqrY5xa5PVoNCO0dCvxyXgjjxbL451lLeP9uL78hIrZIiIuBKQDfAcT61eoGiPw +xzRz/GRs6jBrS8vIhi+Dhd36nUt/osCH6HloMwPtW906Bis89bOieKZtKhP4P0T4 +Ld8xDuB0q2o2RZfomaAlXcFk8xzFCEaFHfmrSBld7X6hsdUQvX7nTXP682vDHs+i +aDWQRvTrh5+SQAlDi0gcbNeImgAu1e44K8kZDab8Am5HlVjkR1Z36aqeMFDidlaU +38gfVuiAuW5xYMmA3Zjt09///////////wIBAg== +-----END DH PARAMETERS----- diff --git a/SOURCES/libressl-3.7.2-cnf-name.patch b/SOURCES/libressl-3.7.2-cnf-name.patch new file mode 100644 index 0000000..54270e7 --- /dev/null +++ b/SOURCES/libressl-3.7.2-cnf-name.patch 
@@ -0,0 +1,96 @@ +diff -ur libressl-3.7.2.orig/CMakeLists.txt libressl-3.7.2/CMakeLists.txt +--- libressl-3.7.2.orig/CMakeLists.txt 2023-03-28 04:55:36.000000000 -0700 ++++ libressl-3.7.2/CMakeLists.txt 2023-05-07 22:13:47.896252860 -0700 +@@ -445,7 +445,7 @@ + endif() + + if(ENABLE_LIBRESSL_INSTALL) +- install(FILES cert.pem openssl.cnf x509v3.cnf DESTINATION ${CONF_DIR}) ++ install(FILES cert.pem libressl.cnf x509v3.cnf DESTINATION ${CONF_DIR}) + install(DIRECTORY DESTINATION ${CONF_DIR}/certs) + endif(ENABLE_LIBRESSL_INSTALL) + +diff -ur libressl-3.7.2.orig/Makefile.am libressl-3.7.2/Makefile.am +--- libressl-3.7.2.orig/Makefile.am 2023-03-28 04:55:36.000000000 -0700 ++++ libressl-3.7.2/Makefile.am 2023-05-07 22:14:46.126652600 -0700 +@@ -12,7 +12,7 @@ + + EXTRA_DIST = README.md README.windows VERSION config scripts + EXTRA_DIST += CMakeLists.txt cmake_export_symbol.cmake cmake_uninstall.cmake.in FindLibreSSL.cmake +-EXTRA_DIST += cert.pem openssl.cnf x509v3.cnf ++EXTRA_DIST += cert.pem libressl.cnf x509v3.cnf + + .PHONY: install_sw + install_sw: install +@@ -24,7 +24,7 @@ + OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \ + fi; \ + mkdir -p "$$OPENSSLDIR/certs"; \ +- for i in cert.pem openssl.cnf x509v3.cnf; do \ ++ for i in cert.pem libressl.cnf x509v3.cnf; do \ + if [ ! 
-f "$$OPENSSLDIR/$i" ]; then \ + $(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \ + else \ +@@ -38,7 +38,7 @@ + else \ + OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \ + fi; \ +- for i in cert.pem openssl.cnf x509v3.cnf; do \ ++ for i in cert.pem libressl.cnf x509v3.cnf; do \ + if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \ + rm -f "$$OPENSSLDIR/$$i"; \ + fi \ +diff -ur libressl-3.7.2.orig/Makefile.in libressl-3.7.2/Makefile.in +--- libressl-3.7.2.orig/Makefile.in 2023-04-06 19:01:15.000000000 -0700 ++++ libressl-3.7.2/Makefile.in 2023-05-07 22:15:24.941586209 -0700 +@@ -375,7 +375,7 @@ + EXTRA_DIST = README.md README.windows VERSION config scripts \ + CMakeLists.txt cmake_export_symbol.cmake \ + cmake_uninstall.cmake.in FindLibreSSL.cmake cert.pem \ +- openssl.cnf x509v3.cnf ++ libressl.cnf x509v3.cnf + all: all-recursive + + .SUFFIXES: +@@ -896,7 +896,7 @@ + OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \ + fi; \ + mkdir -p "$$OPENSSLDIR/certs"; \ +- for i in cert.pem openssl.cnf x509v3.cnf; do \ ++ for i in cert.pem libressl.cnf x509v3.cnf; do \ + if [ ! 
-f "$$OPENSSLDIR/$i" ]; then \ + $(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \ + else \ +@@ -910,7 +910,7 @@ + else \ + OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \ + fi; \ +- for i in cert.pem openssl.cnf x509v3.cnf; do \ ++ for i in cert.pem libressl.cnf x509v3.cnf; do \ + if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \ + rm -f "$$OPENSSLDIR/$$i"; \ + fi \ +diff -ur libressl-3.7.2.orig/apps/openssl/apps.c libressl-3.7.2/apps/openssl/apps.c +--- libressl-3.7.2.orig/apps/openssl/apps.c 2022-03-15 09:37:03.000000000 -0700 ++++ libressl-3.7.2/apps/openssl/apps.c 2023-05-07 22:16:40.972497926 -0700 +@@ -1134,7 +1134,7 @@ + const char *t = X509_get_default_cert_area(); + char *p; + +- if (asprintf(&p, "%s/openssl.cnf", t) == -1) ++ if (asprintf(&p, "%s/libressl.cnf", t) == -1) + return NULL; + return p; + } +diff -ur libressl-3.7.2.orig/crypto/conf/conf_mod.c libressl-3.7.2/crypto/conf/conf_mod.c +--- libressl-3.7.2.orig/crypto/conf/conf_mod.c 2022-02-18 14:30:39.000000000 -0800 ++++ libressl-3.7.2/crypto/conf/conf_mod.c 2023-05-07 22:15:56.781711569 -0700 +@@ -545,7 +545,7 @@ + { + char *file = NULL; + +- if (asprintf(&file, "%s/openssl.cnf", ++ if (asprintf(&file, "%s/libressl.cnf", + X509_get_default_cert_area()) == -1) + return (NULL); + return file; diff --git a/SOURCES/libressl-3.7.2-manpage.patch b/SOURCES/libressl-3.7.2-manpage.patch new file mode 100644 index 0000000..4b482ce --- /dev/null +++ b/SOURCES/libressl-3.7.2-manpage.patch 
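Review bot: The new default-config paths in apps/openssl/apps.c and crypto/conf/conf_mod.c (`"%s/libressl.cnf"`) retire `openssl.cnf` with no fallback and no comment, so any package or admin on the system that still ships or edits `OPENSSLDIR/openssl.cnf` has that configuration silently ignored — upstream OPENSSL_config loads the default file with CONF_MFLAGS_IGNORE_MISSING_FILE, so a missing `libressl.cnf` produces no warning either, which is worth stating next to both asprintf calls, e.g. `/* YJL: default config is libressl.cnf, not openssl.cnf; OPENSSL_CONF still overrides */`. The same rename lands in the CMakeLists.txt install list and the Makefile.am/Makefile.in EXTRA_DIST and install loops, yet the patch contains no rename of the upstream `openssl.cnf` file itself; if SPECS/libressl.spec (outside this chunk) does not move it before the build, the install step fails on a missing file, and the same applies to `libressl.1` and `libressl.cnf.5` in the companion manpage patch. The enclosing functions in apps.c and conf_mod.c start outside the hunk.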
@@ -0,0 +1,1165 @@ +diff -ur libressl-3.7.2.orig/apps/openssl/CMakeLists.txt libressl-3.7.2/apps/openssl/CMakeLists.txt +--- libressl-3.7.2.orig/apps/openssl/CMakeLists.txt 2022-05-15 19:39:46.000000000 -0700 ++++ libressl-3.7.2/apps/openssl/CMakeLists.txt 2023-05-07 22:46:31.152841800 -0700 +@@ -75,5 +75,5 @@ + + if(ENABLE_LIBRESSL_INSTALL) + install(TARGETS openssl DESTINATION ${CMAKE_INSTALL_BINDIR}) +- install(FILES openssl.1 DESTINATION ${CMAKE_INSTALL_MANDIR}/man1) ++ install(FILES libressl.1 DESTINATION ${CMAKE_INSTALL_MANDIR}/man1) + endif(ENABLE_LIBRESSL_INSTALL) +diff -ur libressl-3.7.2.orig/apps/openssl/Makefile.am libressl-3.7.2/apps/openssl/Makefile.am +--- libressl-3.7.2.orig/apps/openssl/Makefile.am 2022-05-15 19:39:46.000000000 -0700 ++++ libressl-3.7.2/apps/openssl/Makefile.am 2023-05-07 22:47:04.615844228 -0700 +@@ -2,7 +2,7 @@ + + if !ENABLE_LIBTLS_ONLY + bin_PROGRAMS = openssl +-dist_man_MANS = openssl.1 ++dist_man_MANS = libressl.1 + else + noinst_PROGRAMS = openssl + endif +diff -ur libressl-3.7.2.orig/apps/openssl/Makefile.in libressl-3.7.2/apps/openssl/Makefile.in +--- libressl-3.7.2.orig/apps/openssl/Makefile.in 2023-04-06 19:01:16.000000000 -0700 ++++ libressl-3.7.2/apps/openssl/Makefile.in 2023-05-07 22:47:31.959031333 -0700 +@@ -407,7 +407,7 @@ + AM_CPPFLAGS = -I$(top_srcdir)/include -I$(abs_top_builddir)/include \ + -I$(top_srcdir)/include/compat -DLIBRESSL_INTERNAL \ + -D__BEGIN_HIDDEN_DECLS= -D__END_HIDDEN_DECLS= +-@ENABLE_LIBTLS_ONLY_FALSE@dist_man_MANS = openssl.1 ++@ENABLE_LIBTLS_ONLY_FALSE@dist_man_MANS = libressl.1 + openssl_LDADD = $(abs_top_builddir)/ssl/libssl.la \ + $(abs_top_builddir)/crypto/libcrypto.la $(PLATFORM_LDADD) \ + $(PROG_LDADD) +diff -ur libressl-3.7.2.orig/apps/openssl/openssl.1 libressl-3.7.2/apps/openssl/openssl.1 +--- libressl-3.7.2.orig/apps/openssl/openssl.1 2023-03-26 18:58:30.000000000 -0700 ++++ libressl-3.7.2/apps/openssl/openssl.1 2023-05-07 22:45:08.514318400 -0700 +@@ -1,4 +1,4 @@ +-.\" $OpenBSD: 
openssl.1,v 1.140 2022/12/22 19:53:23 kn Exp $ ++.\" $OpenBSD: libressl.1,v 1.140 2022/12/22 19:53:23 kn Exp $ + .\" ==================================================================== + .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + .\" +@@ -111,11 +111,11 @@ + .\" [including the GNU Public Licence.] + .\" + .Dd $Mdocdate: December 22 2022 $ +-.Dt OPENSSL 1 ++.Dt LIBRESSL 1 + .Os + .Sh NAME +-.Nm openssl +-.Nd OpenSSL command line tool ++.Nm libressl ++.Nd LibreSSL command line tool + .Sh SYNOPSIS + .Nm + .Ar command +@@ -133,7 +133,7 @@ + .Nm + .Cm no- Ns Ar command + .Sh DESCRIPTION +-.Nm OpenSSL ++.Nm LibreSSL + is a cryptography toolkit implementing the + Transport Layer Security + .Pq TLS v1 +@@ -144,7 +144,7 @@ + .Nm + program is a command line tool for using the various + cryptography functions of +-.Nm openssl Ns 's ++.Nm libressl Ns 's + crypto library from the shell. + .Pp + The pseudo-commands +@@ -202,8 +202,8 @@ + itself. + .Tg asn1parse + .Sh ASN1PARSE +-.Bl -hang -width "openssl asn1parse" +-.It Nm openssl asn1parse ++.Bl -hang -width "libressl asn1parse" ++.It Nm libressl asn1parse + .Bk -words + .Op Fl i + .Op Fl dlimit Ar number +@@ -271,7 +271,7 @@ + If an OID + .Pq object identifier + is not part of +-.Nm openssl Ns 's ++.Nm libressl Ns 's + internal table, it will be represented in + numerical form + .Pq for example 1.2.3.4 . +@@ -299,8 +299,8 @@ + .El + .Tg ca + .Sh CA +-.Bl -hang -width "openssl ca" +-.It Nm openssl ca ++.Bl -hang -width "libressl ca" ++.It Nm libressl ca + .Bk -words + .Op Fl batch + .Op Fl cert Ar file +@@ -789,7 +789,7 @@ + is accepted by both to produce a reasonable output. + .Pp + If neither option is present, the format used in earlier versions of +-.Nm openssl ++.Nm libressl + is used. 
+ Use of the old format is strongly discouraged + because it only displays fields mentioned in the +@@ -854,8 +854,8 @@ + .El + .Tg certhash + .Sh CERTHASH +-.Bl -hang -width "openssl certhash" +-.It Nm openssl certhash ++.Bl -hang -width "libressl certhash" ++.It Nm libressl certhash + .Bk -words + .Op Fl nv + .Ar dir ... +@@ -909,7 +909,7 @@ + .El + .Tg ciphers + .Sh CIPHERS +-.Nm openssl ciphers ++.Nm libressl ciphers + .Op Fl hsVv + .Op Fl tls1 + .Op Fl tls1_1 +@@ -953,8 +953,8 @@ + .El + .Tg cms + .Sh CMS +-.Bl -hang -width "openssl cms" +-.It Nm openssl cms ++.Bl -hang -width "libressl cms" ++.It Nm libressl cms + .Bk -words + .Oo + .Fl aes128 | aes192 | aes256 | camellia128 | +@@ -1470,8 +1470,8 @@ + .El + .Tg crl + .Sh CRL +-.Bl -hang -width "openssl crl" +-.It Nm openssl crl ++.Bl -hang -width "libressl crl" ++.It Nm libressl crl + .Bk -words + .Op Fl CAfile Ar file + .Op Fl CApath Ar dir +@@ -1547,8 +1547,8 @@ + .El + .Tg crl2pkcs7 + .Sh CRL2PKCS7 +-.Bl -hang -width "openssl crl2pkcs7" +-.It Nm openssl crl2pkcs7 ++.Bl -hang -width "libressl crl2pkcs7" ++.It Nm libressl crl2pkcs7 + .Bk -words + .Op Fl certfile Ar file + .Op Fl in Ar file +@@ -1593,8 +1593,8 @@ + .El + .Tg dgst + .Sh DGST +-.Bl -hang -width "openssl dgst" +-.It Nm openssl dgst ++.Bl -hang -width "libressl dgst" ++.It Nm libressl dgst + .Bk -words + .Op Fl cdr + .Op Fl binary +@@ -1635,13 +1635,13 @@ + .Ar digest . + The default is SHA256. + The available digests can be displayed using +-.Nm openssl ++.Nm libressl + .Cm list-message-digest-commands . + The following are equivalent: +-.Nm openssl dgst ++.Nm libressl dgst + .Fl sha256 + and +-.Nm openssl ++.Nm libressl + .Cm sha256 . + .It Fl hex + Digest is to be output as a hex dump. 
+@@ -1708,8 +1708,8 @@ + .El + .Tg dhparam + .Sh DHPARAM +-.Bl -hang -width "openssl dhparam" +-.It Nm openssl dhparam ++.Bl -hang -width "libressl dhparam" ++.It Nm libressl dhparam + .Bk -words + .Op Fl 2 | 5 + .Op Fl C +@@ -1785,8 +1785,8 @@ + .El + .Tg dsa + .Sh DSA +-.Bl -hang -width "openssl dsa" +-.It Nm openssl dsa ++.Bl -hang -width "libressl dsa" ++.It Nm libressl dsa + .Bk -words + .Oo + .Fl aes128 | aes192 | aes256 | +@@ -1874,8 +1874,8 @@ + .El + .Tg dsaparam + .Sh DSAPARAM +-.Bl -hang -width "openssl dsaparam" +-.It Nm openssl dsaparam ++.Bl -hang -width "libressl dsaparam" ++.It Nm libressl dsaparam + .Bk -words + .Op Fl C + .Op Fl genkey +@@ -1927,8 +1927,8 @@ + .El + .Tg ec + .Sh EC +-.Bl -hang -width "openssl ec" +-.It Nm openssl ec ++.Bl -hang -width "libressl ec" ++.It Nm libressl ec + .Bk -words + .Op Fl conv_form Ar arg + .Op Fl des +@@ -1953,7 +1953,7 @@ + command processes EC keys. + They can be converted between various + forms and their components printed out. +-.Nm openssl ++.Nm libressl + uses the private key format specified in + .Dq SEC 1: Elliptic Curve Cryptography + .Pq Lk https://www.secg.org/ . +@@ -1985,7 +1985,7 @@ + .It Fl des | des3 + Encrypt the private key with DES, triple DES, or + any other cipher supported by +-.Nm openssl . ++.Nm libressl . + A pass phrase is prompted for. + If none of these options are specified, the key is written in plain text. + This means that using the +@@ -2040,8 +2040,8 @@ + .El + .Tg ecparam + .Sh ECPARAM +-.Bl -hang -width "openssl ecparam" +-.It Nm openssl ecparam ++.Bl -hang -width "libressl ecparam" ++.It Nm libressl ecparam + .Bk -words + .Op Fl C + .Op Fl check +@@ -2063,7 +2063,7 @@ + The + .Nm ecparam + command is used to manipulate or generate EC parameter files. +-.Nm openssl ++.Nm libressl + is not able to generate new groups so + .Nm ecparam + can only create EC parameters from known (named) curves. 
+@@ -2136,8 +2136,8 @@ + .El + .Tg enc + .Sh ENC +-.Bl -hang -width "openssl enc" +-.It Nm openssl enc ++.Bl -hang -width "libressl enc" ++.It Nm libressl enc + .Bk -words + .Fl ciphername + .Op Fl AadePpv +@@ -2168,9 +2168,9 @@ + Base64 encoding or decoding can also be performed either by itself + or in addition to the encryption or decryption. + The program can be called either as +-.Nm openssl Ar ciphername ++.Nm libressl Ar ciphername + or +-.Nm openssl enc - Ns Ar ciphername . ++.Nm libressl enc - Ns Ar ciphername . + .Pp + Some of the ciphers do not have large keys and others have security + implications if not used correctly. +@@ -2300,7 +2300,7 @@ + .El + .Tg errstr + .Sh ERRSTR +-.Nm openssl errstr ++.Nm libressl errstr + .Op Fl stats + .Ar errno ... + .Pp +@@ -2331,8 +2331,8 @@ + .El + .Tg gendsa + .Sh GENDSA +-.Bl -hang -width "openssl gendsa" +-.It Nm openssl gendsa ++.Bl -hang -width "libressl gendsa" ++.It Nm libressl gendsa + .Bk -words + .Oo + .Fl aes128 | aes192 | aes256 | camellia128 | +@@ -2348,7 +2348,7 @@ + .Nm gendsa + command generates a DSA private key from a DSA parameter file + (typically generated by the +-.Nm openssl dsaparam ++.Nm libressl dsaparam + command). 
+ DSA key generation is little more than random number generation so it is + much quicker than, +@@ -2378,8 +2378,8 @@ + .El + .Tg genpkey + .Sh GENPKEY +-.Bl -hang -width "openssl genpkey" +-.It Nm openssl genpkey ++.Bl -hang -width "libressl genpkey" ++.It Nm libressl genpkey + .Bk -words + .Op Fl algorithm Ar alg + .Op Ar cipher +@@ -2483,8 +2483,8 @@ + .El + .Tg genrsa + .Sh GENRSA +-.Bl -hang -width "openssl genrsa" +-.It Nm openssl genrsa ++.Bl -hang -width "libressl genrsa" ++.It Nm libressl genrsa + .Bk -words + .Op Fl 3 | f4 + .Oo +@@ -2544,7 +2544,7 @@ + .El + .Tg nseq + .Sh NSEQ +-.Nm openssl nseq ++.Nm libressl nseq + .Op Fl in Ar file + .Op Fl out Ar file + .Op Fl toseq +@@ -2575,8 +2575,8 @@ + .El + .Tg ocsp + .Sh OCSP +-.Bl -hang -width "openssl ocsp" +-.It Nm openssl ocsp ++.Bl -hang -width "libressl ocsp" ++.It Nm libressl ocsp + .Bk -words + .Op Fl CA Ar file + .Op Fl CAfile Ar file +@@ -2896,7 +2896,7 @@ + and + .Fl CApath + options or they will be looked for in the standard +-.Nm openssl ++.Nm libressl + certificates directory. + .Pp + If the initial verify fails, the OCSP verify process halts with an error. +@@ -2928,8 +2928,8 @@ + option. 
+ .Tg passwd + .Sh PASSWD +-.Bl -hang -width "openssl passwd" +-.It Nm openssl passwd ++.Bl -hang -width "libressl passwd" ++.It Nm libressl passwd + .Bk -words + .Op Fl 1 | apr1 | crypt + .Op Fl in Ar file +@@ -2992,8 +2992,8 @@ + .El + .Tg pkcs7 + .Sh PKCS7 +-.Bl -hang -width "openssl pkcs7" +-.It Nm openssl pkcs7 ++.Bl -hang -width "libressl pkcs7" ++.It Nm libressl pkcs7 + .Bk -words + .Op Fl in Ar file + .Op Fl inform Cm der | pem +@@ -3038,8 +3038,8 @@ + .El + .Tg pkcs8 + .Sh PKCS8 +-.Bl -hang -width "openssl pkcs8" +-.It Nm openssl pkcs8 ++.Bl -hang -width "libressl pkcs8" ++.It Nm libressl pkcs8 + .Bk -words + .Op Fl in Ar file + .Op Fl inform Cm der | pem +@@ -3112,7 +3112,7 @@ + Supports algorithms such as 168-bit triple DES or 128-bit RC2, + however not many implementations support PKCS#5 v2.0 yet + (if using private keys with +-.Nm openssl ++.Nm libressl + this doesn't matter). + .Pp + .Ar alg +@@ -3122,8 +3122,8 @@ + .El + .Tg pkcs12 + .Sh PKCS12 +-.Bl -hang -width "openssl pkcs12" +-.It Nm openssl pkcs12 ++.Bl -hang -width "libressl pkcs12" ++.It Nm libressl pkcs12 + .Bk -words + .Oo + .Fl aes128 | aes192 | aes256 | camellia128 | +@@ -3340,8 +3340,8 @@ + .El + .Tg pkey + .Sh PKEY +-.Bl -hang -width "openssl pkey" +-.It Nm openssl pkey ++.Bl -hang -width "libressl pkey" ++.It Nm libressl pkey + .Bk -words + .Op Fl check + .Op Ar cipher +@@ -3411,7 +3411,7 @@ + .El + .Tg pkeyparam + .Sh PKEYPARAM +-.Cm openssl pkeyparam ++.Cm libressl pkeyparam + .Op Fl check + .Op Fl in Ar file + .Op Fl noout +@@ -3440,8 +3440,8 @@ + .El + .Tg pkeyutl + .Sh PKEYUTL +-.Bl -hang -width "openssl pkeyutl" +-.It Nm openssl pkeyutl ++.Bl -hang -width "libressl pkeyutl" ++.It Nm libressl pkeyutl + .Bk -words + .Op Fl asn1parse + .Op Fl certin +@@ -3593,7 +3593,7 @@ + .El + .Tg prime + .Sh PRIME +-.Cm openssl prime ++.Cm libressl prime + .Op Fl bits Ar n + .Op Fl checks Ar n + .Op Fl generate +@@ -3638,8 +3638,8 @@ + .El + .Tg rand + .Sh RAND +-.Bl -hang -width "openssl rand" 
+-.It Nm openssl rand ++.Bl -hang -width "libressl rand" ++.It Nm libressl rand + .Bk -words + .Op Fl base64 + .Op Fl hex +@@ -3666,8 +3666,8 @@ + .El + .Tg req + .Sh REQ +-.Bl -hang -width "openssl req" +-.It Nm openssl req ++.Bl -hang -width "libressl req" ++.It Nm libressl req + .Bk -words + .Op Fl addext Ar ext + .Op Fl batch +@@ -3916,7 +3916,7 @@ + .Cm distinguished_name . + Typically these may contain the challengePassword or unstructuredName types. + They are currently ignored by the +-.Nm openssl ++.Nm libressl + request signing utilities, but some CAs might want them. + .It Cm default_bits + The default key size, in bits. +@@ -4088,7 +4088,7 @@ + The actual permitted field names are any object identifier short or + long names. + These are compiled into +-.Nm openssl ++.Nm libressl + and include the usual values such as + .Cm commonName , countryName , localityName , organizationName , + .Cm organizationalUnitName , stateOrProvinceName . +@@ -4108,8 +4108,8 @@ + .Cm DirectoryString . 
+ .Tg rsa + .Sh RSA +-.Bl -hang -width "openssl rsa" +-.It Nm openssl rsa ++.Bl -hang -width "libressl rsa" ++.It Nm libressl rsa + .Bk -words + .Op Fl aes128 | aes192 | aes256 | des | des3 + .Op Fl check +@@ -4202,8 +4202,8 @@ + .El + .Tg rsautl + .Sh RSAUTL +-.Bl -hang -width "openssl rsautl" +-.It Nm openssl rsautl ++.Bl -hang -width "libressl rsautl" ++.It Nm libressl rsautl + .Bk -words + .Op Fl asn1parse + .Op Fl certin +@@ -4277,8 +4277,8 @@ + .El + .Tg s_client + .Sh S_CLIENT +-.Bl -hang -width "openssl s_client" +-.It Nm openssl s_client ++.Bl -hang -width "libressl s_client" ++.It Nm libressl s_client + .Bk -words + .Op Fl 4 | 6 + .Op Fl alpn Ar protocols +@@ -4585,8 +4585,8 @@ + .El + .Tg s_server + .Sh S_SERVER +-.Bl -hang -width "openssl s_server" +-.It Nm openssl s_server ++.Bl -hang -width "libressl s_server" ++.It Nm libressl s_server + .Bk -words + .Op Fl accept Ar port + .Op Fl alpn Ar protocols +@@ -4913,8 +4913,8 @@ + .El + .Tg s_time + .Sh S_TIME +-.Bl -hang -width "openssl s_time" +-.It Nm openssl s_time ++.Bl -hang -width "libressl s_time" ++.It Nm libressl s_time + .Bk -words + .Op Fl bugs + .Op Fl CAfile Ar file +@@ -5024,8 +5024,8 @@ + .El + .Tg sess_id + .Sh SESS_ID +-.Bl -hang -width "openssl sess_id" +-.It Nm openssl sess_id ++.Bl -hang -width "libressl sess_id" ++.It Nm libressl sess_id + .Bk -words + .Op Fl cert + .Op Fl context Ar ID +@@ -5117,8 +5117,8 @@ + debugging purposes. 
+ .Tg smime + .Sh SMIME +-.Bl -hang -width "openssl smime" +-.It Nm openssl smime ++.Bl -hang -width "libressl smime" ++.It Nm libressl smime + .Bk -words + .Oo + .Fl aes128 | aes192 | aes256 | des | +@@ -5414,8 +5414,8 @@ + .El + .Tg speed + .Sh SPEED +-.Bl -hang -width "openssl speed" +-.It Nm openssl speed ++.Bl -hang -width "libressl speed" ++.It Nm libressl speed + .Bk -words + .Op Ar algorithm + .Op Fl decrypt +@@ -5452,8 +5452,8 @@ + .El + .Tg spkac + .Sh SPKAC +-.Bl -hang -width "openssl spkac" +-.It Nm openssl spkac ++.Bl -hang -width "libressl spkac" ++.It Nm libressl spkac + .Bk -words + .Op Fl challenge Ar string + .Op Fl in Ar file +@@ -5515,8 +5515,8 @@ + .Tg ts + .Sh TS + .Bk -words +-.Bl -hang -width "openssl ts" +-.It Nm openssl ts ++.Bl -hang -width "libressl ts" ++.It Nm libressl ts + .Fl query + .Op Fl md4 | md5 | ripemd160 | sha1 + .Op Fl cert +@@ -5528,7 +5528,7 @@ + .Op Fl out Ar request.tsq + .Op Fl policy Ar object_id + .Op Fl text +-.It Nm openssl ts ++.It Nm libressl ts + .Fl reply + .Op Fl chain Ar certs_file.pem + .Op Fl config Ar configfile +@@ -5543,7 +5543,7 @@ + .Op Fl text + .Op Fl token_in + .Op Fl token_out +-.It Nm openssl ts ++.It Nm libressl ts + .Fl verify + .Op Fl CAfile Ar trusted_certs.pem + .Op Fl CApath Ar trusted_cert_path +@@ -5877,8 +5877,8 @@ + .El + .Tg verify + .Sh VERIFY +-.Bl -hang -width "openssl verify" +-.It Nm openssl verify ++.Bl -hang -width "libressl verify" ++.It Nm libressl verify + .Bk -words + .Op Fl CAfile Ar file + .Op Fl CApath Ar directory +@@ -6208,13 +6208,13 @@ + .El + .Tg version + .Sh VERSION +-.Nm openssl version ++.Nm libressl version + .Op Fl abdfopv + .Pp + The + .Nm version + command is used to print out version information about +-.Nm openssl . ++.Nm libressl . + .Pp + The options are as follows: + .Bl -tag -width Ds +@@ -6222,7 +6222,7 @@ + All information: this is the same as setting all the other flags. 
+ .It Fl b
+ The date the current version of
+-.Nm openssl
++.Nm libressl
+ was built.
+ .It Fl d
+ .Ev OPENSSLDIR
+@@ -6235,13 +6235,13 @@
+ Platform setting.
+ .It Fl v
+ The current
+-.Nm openssl
++.Nm libressl
+ version.
+ .El
+ .Tg x509
+ .Sh X509
+-.Bl -hang -width "openssl x509"
+-.It Nm openssl x509
++.Bl -hang -width "libressl x509"
++.It Nm libressl x509
+ .Bk -words
+ .Op Fl C
+ .Op Fl addreject Ar arg
+@@ -6458,7 +6458,7 @@
+ as though each content octet represents a single character.
+ .It Cm dump_unknown
+ Dump any field whose OID is not recognised by
+-.Nm openssl .
++.Nm libressl .
+ .It Cm esc_2253
+ Escape the
+ .Qq special
+@@ -6582,7 +6582,7 @@
+ .It Fl subject_hash
+ Print the hash of the certificate subject name.
+ This is used in
+-.Nm openssl
++.Nm libressl
+ to form an index to allow certificates in a directory to be looked up
+ by subject name.
+ .It Fl subject_hash_old
+@@ -6972,23 +6972,23 @@
+ .El
+ .Sh ENVIRONMENT
+ The following environment variables affect the execution of
+-.Nm openssl :
+-.Bl -tag -width "/etc/ssl/openssl.cnf"
++.Nm libressl :
++.Bl -tag -width "/etc/ssl/libressl.cnf"
+ .It Ev OPENSSL_CONF
+ The location of the master configuration file.
+ .El
+ .Sh FILES
+-.Bl -tag -width "/etc/ssl/openssl.cnf" -compact
++.Bl -tag -width "/etc/ssl/libressl.cnf" -compact
+ .It Pa /etc/ssl/
+ Default config directory for
+-.Nm openssl .
++.Nm libressl .
+ .It Pa /etc/ssl/lib/
+ Unused.
+ .It Pa /etc/ssl/private/
+ Default private key directory.
+-.It Pa /etc/ssl/openssl.cnf
++.It Pa /etc/ssl/libressl.cnf
+ Default configuration file for
+-.Nm openssl .
++.Nm libressl .
+ .It Pa /etc/ssl/x509v3.cnf
+ Default configuration file for
+ .Nm x509
+@@ -6997,7 +6997,7 @@
+ .Sh SEE ALSO
+ .Xr acme-client 1 ,
+ .Xr nc 1 ,
+-.Xr openssl.cnf 5 ,
++.Xr libressl.cnf 5 ,
+ .Xr x509v3.cnf 5 ,
+ .Xr ssl 8 ,
+ .Xr starttls 8
+diff -ur libressl-3.7.2.orig/man/CONF_modules_load_file.3 libressl-3.7.2/man/CONF_modules_load_file.3
+--- libressl-3.7.2.orig/man/CONF_modules_load_file.3 2022-03-15 09:34:47.000000000 -0700
++++ libressl-3.7.2/man/CONF_modules_load_file.3 2023-05-07 22:22:28.284734091 -0700
+@@ -97,7 +97,7 @@
+ configures OpenSSL using the file
+ .Fa filename
+ in
+-.Xr openssl.cnf 5
++.Xr libressl.cnf 5
+ format and the application name
+ .Fa appname .
+ If
+@@ -105,7 +105,7 @@
+ is
+ .Dv NULL ,
+ the standard OpenSSL configuration file
+-.Pa /etc/ssl/openssl.cnf
++.Pa /etc/ssl/libressl.cnf
+ is used.
+ If
+ .Fa appname
+@@ -189,10 +189,10 @@
+ returns a pointer to the constant string
+ .Qq "/etc/ssl" .
+ .Sh FILES
+-.Bl -tag -width /etc/ssl/openssl.cnf -compact
++.Bl -tag -width /etc/ssl/libressl.cnf -compact
+ .It Pa /etc/ssl
+ standard configuration directory
+-.It Pa /etc/ssl/openssl.cnf
++.It Pa /etc/ssl/libressl.cnf
+ standard configuration file
+ .El
+ .Sh EXAMPLES
+diff -ur libressl-3.7.2.orig/man/EVP_EncryptInit.3 libressl-3.7.2/man/EVP_EncryptInit.3
+--- libressl-3.7.2.orig/man/EVP_EncryptInit.3 2023-03-15 10:17:47.000000000 -0700
++++ libressl-3.7.2/man/EVP_EncryptInit.3 2023-05-07 22:34:45.670759105 -0700
+@@ -1182,7 +1182,7 @@
+ .Ed
+ .Pp
+ The ciphertext from the above example can be decrypted using the
+-.Xr openssl 1
++.Xr libressl 1
+ utility with the command line:
+ .Bd -literal -offset indent
+ openssl bf -in cipher.bin -K 000102030405060708090A0B0C0D0E0F \e
+diff -ur libressl-3.7.2.orig/man/EVP_PKEY_CTX_ctrl.3 libressl-3.7.2/man/EVP_PKEY_CTX_ctrl.3
+--- libressl-3.7.2.orig/man/EVP_PKEY_CTX_ctrl.3 2022-02-18 14:30:39.000000000 -0800
++++ libressl-3.7.2/man/EVP_PKEY_CTX_ctrl.3 2023-05-07 22:34:14.335455994 -0700
+@@ -232,7 +232,7 @@
+ This is intended to be used for options specified on the command line or
+ in text files.
+ The commands supported are documented in the
+-.Xr openssl 1
++.Xr libressl 1
+ utility command line pages for the option
+ .Fl pkeyopt
+ which is supported by the
+diff -ur libressl-3.7.2.orig/man/Makefile.am libressl-3.7.2/man/Makefile.am
+--- libressl-3.7.2.orig/man/Makefile.am 2023-04-06 19:01:04.000000000 -0700
++++ libressl-3.7.2/man/Makefile.am 2023-05-07 22:25:35.256408874 -0700
+@@ -574,7 +574,7 @@
+ dist_man3_MANS += tls_load_file.3
+ dist_man3_MANS += tls_ocsp_process_response.3
+ dist_man3_MANS += tls_read.3
+-dist_man5_MANS += openssl.cnf.5
++dist_man5_MANS += libressl.cnf.5
+ dist_man5_MANS += x509v3.cnf.5
+ install-data-hook:
+ ln -sf "ACCESS_DESCRIPTION_new.3" "$(DESTDIR)$(mandir)/man3/ACCESS_DESCRIPTION_free.3"
+diff -ur libressl-3.7.2.orig/man/Makefile.in libressl-3.7.2/man/Makefile.in
+--- libressl-3.7.2.orig/man/Makefile.in 2023-04-06 19:01:19.000000000 -0700
++++ libressl-3.7.2/man/Makefile.in 2023-05-07 22:26:00.104705715 -0700
+@@ -698,7 +698,7 @@
+ @ENABLE_LIBTLS_ONLY_FALSE@ tls_init.3 tls_load_file.3 \
+ @ENABLE_LIBTLS_ONLY_FALSE@ tls_ocsp_process_response.3 \
+ @ENABLE_LIBTLS_ONLY_FALSE@ tls_read.3
+-@ENABLE_LIBTLS_ONLY_FALSE@dist_man5_MANS = openssl.cnf.5 x509v3.cnf.5
++@ENABLE_LIBTLS_ONLY_FALSE@dist_man5_MANS = libressl.cnf.5 x509v3.cnf.5
+ all: all-am
+
+ .SUFFIXES:
+diff -ur libressl-3.7.2.orig/man/OPENSSL_config.3 libressl-3.7.2/man/OPENSSL_config.3
+--- libressl-3.7.2.orig/man/OPENSSL_config.3 2022-02-18 14:30:39.000000000 -0800
++++ libressl-3.7.2/man/OPENSSL_config.3 2023-05-07 22:23:33.658864615 -0700
+@@ -133,8 +133,8 @@
+ calling
+ .Xr CONF_modules_free 3 .
+ .Sh FILES
+-.Bl -tag -width /etc/ssl/openssl.cnf -compact
+-.It Pa /etc/ssl/openssl.cnf
++.Bl -tag -width /etc/ssl/libressl.cnf -compact
++.It Pa /etc/ssl/libressl.cnf
+ standard configuration file
+ .El
+ .Sh SEE ALSO
+@@ -143,7 +143,7 @@
+ .Xr crypto 3 ,
+ .Xr OPENSSL_load_builtin_modules 3 ,
+ .Xr OPENSSL_VERSION_NUMBER 3 ,
+-.Xr openssl.cnf 5 ,
++.Xr libressl.cnf 5 ,
+ .Xr x509v3.cnf 5
+ .Sh HISTORY
+ .Fn OPENSSL_config
+diff -ur libressl-3.7.2.orig/man/OPENSSL_init_crypto.3 libressl-3.7.2/man/OPENSSL_init_crypto.3
+--- libressl-3.7.2.orig/man/OPENSSL_init_crypto.3 2022-02-18 14:30:39.000000000 -0800
++++ libressl-3.7.2/man/OPENSSL_init_crypto.3 2023-05-07 22:24:17.201624136 -0700
+@@ -93,7 +93,7 @@
+ .Xr CONF_modules_load_file 3 ,
+ .Xr OPENSSL_config 3 ,
+ .Xr OPENSSL_load_builtin_modules 3 ,
+-.Xr openssl.cnf 5
++.Xr libressl.cnf 5
+ .Sh HISTORY
+ .Fn OPENSSL_init
+ first appeared in OpenSSL 1.0.0e and has been available since
+diff -ur libressl-3.7.2.orig/man/SSL_CIPHER_get_name.3 libressl-3.7.2/man/SSL_CIPHER_get_name.3
+--- libressl-3.7.2.orig/man/SSL_CIPHER_get_name.3 2023-03-15 10:17:47.000000000 -0700
++++ libressl-3.7.2/man/SSL_CIPHER_get_name.3 2023-05-07 22:33:12.415805278 -0700
+@@ -339,7 +339,7 @@
+ .Pp
+ .Dl $ openssl ciphers -v ALL:COMPLEMENTOFALL
+ .Sh SEE ALSO
+-.Xr openssl 1 ,
++.Xr libressl 1 ,
+ .Xr ssl 3 ,
+ .Xr SSL_get_ciphers 3 ,
+ .Xr SSL_get_current_cipher 3
+diff -ur libressl-3.7.2.orig/man/SSL_CTX_set_cipher_list.3 libressl-3.7.2/man/SSL_CTX_set_cipher_list.3
+--- libressl-3.7.2.orig/man/SSL_CTX_set_cipher_list.3 2023-03-26 18:58:30.000000000 -0700
++++ libressl-3.7.2/man/SSL_CTX_set_cipher_list.3 2023-05-07 22:35:27.445816533 -0700
+@@ -137,7 +137,7 @@
+ The
+ .Cm DEFAULT
+ cipher list can be displayed with the
+-.Xr openssl 1
++.Xr libressl 1
+ .Cm ciphers
+ command.
+ .It Cm @SECLEVEL=n
+@@ -307,7 +307,7 @@
+ .El
+ .Pp
+ The full words returned by the
+-.Xr openssl 1
++.Xr libressl 1
+ .Cm ciphers
+ command can be used to select individual cipher suites.
+ .Pp
+diff -ur libressl-3.7.2.orig/man/SSL_CTX_set_options.3 libressl-3.7.2/man/SSL_CTX_set_options.3
+--- libressl-3.7.2.orig/man/SSL_CTX_set_options.3 2022-04-03 22:32:16.000000000 -0700
++++ libressl-3.7.2/man/SSL_CTX_set_options.3 2023-05-07 22:36:14.716732793 -0700
+@@ -347,7 +347,7 @@
+ .Fn SSL_get_secure_renegotiation_support
+ returns 1 is the peer supports secure renegotiation and 0 if it does not.
+ .Sh SEE ALSO
+-.Xr openssl 1 ,
++.Xr libressl 1 ,
+ .Xr ssl 3 ,
+ .Xr SSL_clear 3 ,
+ .Xr SSL_CTX_ctrl 3 ,
+diff -ur libressl-3.7.2.orig/man/SSL_CTX_set_tmp_dh_callback.3 libressl-3.7.2/man/SSL_CTX_set_tmp_dh_callback.3
+--- libressl-3.7.2.orig/man/SSL_CTX_set_tmp_dh_callback.3 2022-04-03 22:32:16.000000000 -0700
++++ libressl-3.7.2/man/SSL_CTX_set_tmp_dh_callback.3 2023-05-07 22:37:30.203968223 -0700
+@@ -129,7 +129,7 @@
+ often used DH group.
+ Applications should therefore generate their own DH parameters during the
+ installation process using the
+-.Xr openssl 1
++.Xr libressl 1
+ .Cm dhparam
+ application.
+ This application guarantees that "strong" primes are used.
+@@ -147,7 +147,7 @@
+ These files can be converted into C code using the
+ .Fl C
+ option of the
+-.Xr openssl 1
++.Xr libressl 1
+ .Cm dhparam
+ application.
+ Generation of custom DH parameters during installation should still
+@@ -211,7 +211,7 @@
+ }
+ .Ed
+ .Sh SEE ALSO
+-.Xr openssl 1 ,
++.Xr libressl 1 ,
+ .Xr ssl 3 ,
+ .Xr SSL_CTX_set_cipher_list 3 ,
+ .Xr SSL_CTX_set_options 3 ,
+diff -ur libressl-3.7.2.orig/man/SSL_get_verify_result.3 libressl-3.7.2/man/SSL_get_verify_result.3
+--- libressl-3.7.2.orig/man/SSL_get_verify_result.3 2022-03-15 09:34:47.000000000 -0700
++++ libressl-3.7.2/man/SSL_get_verify_result.3 2023-05-07 22:38:12.354966571 -0700
+@@ -79,10 +79,10 @@
+ The verification succeeded or no peer certificate was presented.
+ .It Any other value
+ Documented in
+-.Xr openssl 1 .
++.Xr libressl 1 .
+ .El
+ .Sh SEE ALSO
+-.Xr openssl 1 ,
++.Xr libressl 1 ,
+ .Xr ssl 3 ,
+ .Xr SSL_CTX_set_verify 3 ,
+ .Xr SSL_get0_peername 3 ,
+diff -ur libressl-3.7.2.orig/man/SSL_set_verify_result.3 libressl-3.7.2/man/SSL_set_verify_result.3
+--- libressl-3.7.2.orig/man/SSL_set_verify_result.3 2022-02-18 14:30:39.000000000 -0800
++++ libressl-3.7.2/man/SSL_set_verify_result.3 2023-05-07 22:38:47.106132859 -0700
+@@ -78,9 +78,9 @@
+ The valid codes for
+ .Fa verify_result
+ are documented in
+-.Xr openssl 1 .
++.Xr libressl 1 .
+ .Sh SEE ALSO
+-.Xr openssl 1 ,
++.Xr libressl 1 ,
+ .Xr ssl 3 ,
+ .Xr SSL_get_peer_certificate 3 ,
+ .Xr SSL_get_verify_result 3
+diff -ur libressl-3.7.2.orig/man/X509_LOOKUP_hash_dir.3 libressl-3.7.2/man/X509_LOOKUP_hash_dir.3
+--- libressl-3.7.2.orig/man/X509_LOOKUP_hash_dir.3 2022-03-15 09:37:03.000000000 -0700
++++ libressl-3.7.2/man/X509_LOOKUP_hash_dir.3 2023-05-07 22:39:16.113431740 -0700
+@@ -132,7 +132,7 @@
+ The hash can also be obtained via the
+ .Fl hash
+ option of the
+-.Xr openssl 1
++.Xr libressl 1
+ .Cm x509
+ or
+ .Cm crl
+diff -ur libressl-3.7.2.orig/man/X509_VERIFY_PARAM_set_flags.3 libressl-3.7.2/man/X509_VERIFY_PARAM_set_flags.3
+--- libressl-3.7.2.orig/man/X509_VERIFY_PARAM_set_flags.3 2023-03-26 18:58:30.000000000 -0700
++++ libressl-3.7.2/man/X509_VERIFY_PARAM_set_flags.3 2023-05-07 22:39:47.369671389 -0700
+@@ -607,7 +607,7 @@
+ have explicit trust settings; see the trust settings options of the
+ .Cm x509
+ command in
+-.Xr openssl 1 .
++.Xr libressl 1 .
+ .Pp
+ The
+ .Dv X509_V_FLAG_NO_ALT_CHAINS
+diff -ur libressl-3.7.2.orig/man/X509_ocspid_print.3 libressl-3.7.2/man/X509_ocspid_print.3
+--- libressl-3.7.2.orig/man/X509_ocspid_print.3 2022-03-15 09:34:47.000000000 -0700
++++ libressl-3.7.2/man/X509_ocspid_print.3 2023-05-07 22:40:17.752927645 -0700
+@@ -42,7 +42,7 @@
+ This function is used by the
+ .Fl ocspid
+ flag of the
+-.Xr openssl 1
++.Xr libressl 1
+ .Cm x509
+ command.
+ .Sh SEE ALSO
+diff -ur libressl-3.7.2.orig/man/X509_verify_cert.3 libressl-3.7.2/man/X509_verify_cert.3
+--- libressl-3.7.2.orig/man/X509_verify_cert.3 2022-02-18 14:30:39.000000000 -0800
++++ libressl-3.7.2/man/X509_verify_cert.3 2023-05-07 22:40:51.952085391 -0700
+@@ -79,7 +79,7 @@
+ using
+ .Xr X509_STORE_CTX_get_error 3 .
+ .Sh SEE ALSO
+-.Xr openssl 1 ,
++.Xr libressl 1 ,
+ .Xr X509_STORE_CTX_get_error 3 ,
+ .Xr X509_STORE_CTX_new 3
+ .Sh HISTORY
+diff -ur libressl-3.7.2.orig/man/crypto.3 libressl-3.7.2/man/crypto.3
+--- libressl-3.7.2.orig/man/crypto.3 2022-03-15 09:37:03.000000000 -0700
++++ libressl-3.7.2/man/crypto.3 2023-05-07 22:41:15.527501799 -0700
+@@ -426,5 +426,5 @@
+ function rather than freeing the object.
+ .El
+ .Sh SEE ALSO
+-.Xr openssl 1 ,
++.Xr libressl 1 ,
+ .Xr ssl 3
+diff -ur libressl-3.7.2.orig/man/openssl.cnf.5 libressl-3.7.2/man/openssl.cnf.5
+--- libressl-3.7.2.orig/man/openssl.cnf.5 2022-04-03 22:32:16.000000000 -0700
++++ libressl-3.7.2/man/openssl.cnf.5 2023-05-07 22:42:24.789774372 -0700
+@@ -1,4 +1,4 @@
+-.\" $OpenBSD: openssl.cnf.5,v 1.8 2022/03/31 17:27:17 naddy Exp $
++.\" $OpenBSD: libressl.cnf.5,v 1.8 2022/03/31 17:27:17 naddy Exp $
+ .\" full merge up to: OpenSSL man5/config b53338cb Feb 28 12:30:28 2017 +0100
+ .\" selective merge up to: OpenSSL a8c5ed81 Jul 18 13:57:25 2017 -0400
+ .\"
+@@ -54,17 +54,17 @@
+ .Dt OPENSSL.CNF 5
+ .Os
+ .Sh NAME
+-.Nm openssl.cnf
++.Nm libressl.cnf
+ .Nd OpenSSL configuration files
+ .Sh DESCRIPTION
+ The OpenSSL CONF library can be used to read configuration files; see
+ .Xr CONF_modules_load_file 3 .
+ It is used for the OpenSSL master configuration file
+-.Pa /etc/ssl/openssl.cnf
++.Pa /etc/ssl/libressl.cnf
+ and in a few other places like
+ .Sy SPKAC
+ files and certificate extension files for the
+-.Xr openssl 1
++.Xr libressl 1
+ .Cm x509
+ utility.
+ OpenSSL applications can also use the CONF library for their own
+@@ -158,7 +158,7 @@
+ using the master OpenSSL configuration file, or optionally an
+ alternative configuration file.
+ The
+-.Xr openssl 1
++.Xr libressl 1
+ utility includes this functionality: any sub command uses the master
+ OpenSSL configuration file unless an option is used in the sub command
+ to use an alternative configuration file.
+@@ -168,7 +168,7 @@
+ The default name is
+ .Ic openssl_conf ,
+ which is used by the
+-.Xr openssl 1
++.Xr libressl 1
+ utility.
+ Other applications may use an alternative name such as
+ .Sy myapplication_conf .
+@@ -209,11 +209,11 @@
+ pairs of OIDs: the name is the OID short and long name, and the value is the
+ numerical form of the OID.
+ Although some of the
+-.Xr openssl 1
++.Xr libressl 1
+ utility subcommands already have their own ASN1 OBJECT section
+ functionality, not all do.
+ By using the ASN1 OBJECT configuration module, all the
+-.Xr openssl 1
++.Xr libressl 1
+ utility subcommands can see the new objects as well as any compliant
+ applications.
+ For example:
+@@ -329,8 +329,8 @@
+ default_algorithms = ALL
+ .Ed
+ .Sh FILES
+-.Bl -tag -width /etc/ssl/openssl.cnf -compact
+-.It Pa /etc/ssl/openssl.cnf
++.Bl -tag -width /etc/ssl/libressl.cnf -compact
++.It Pa /etc/ssl/libressl.cnf
+ standard configuration file
+ .El
+ .Sh EXAMPLES
+@@ -417,7 +417,7 @@
+ .Pp
+ showing that the OID "newoid1" has been added as "1.2.3.4.1".
+ .Sh SEE ALSO
+-.Xr openssl 1 ,
++.Xr libressl 1 ,
+ .Xr CONF_modules_load_file 3 ,
+ .Xr OPENSSL_config 3 ,
+ .Xr x509v3.cnf 5
+diff -ur libressl-3.7.2.orig/man/ssl.3 libressl-3.7.2/man/ssl.3
+--- libressl-3.7.2.orig/man/ssl.3 2023-03-15 10:17:47.000000000 -0700
++++ libressl-3.7.2/man/ssl.3 2023-05-07 22:42:47.038215665 -0700
+@@ -358,7 +358,7 @@
+ .Xr SSL_library_init 3 ,
+ .Xr SSL_set_tmp_ecdh 3
+ .Sh SEE ALSO
+-.Xr openssl 1 ,
++.Xr libressl 1 ,
+ .Xr crypto 3 ,
+ .Xr tls_init 3
+ .Sh HISTORY
+diff -ur libressl-3.7.2.orig/man/tls_config_set_protocols.3 libressl-3.7.2/man/tls_config_set_protocols.3
+--- libressl-3.7.2.orig/man/tls_config_set_protocols.3 2022-02-18 14:30:40.000000000 -0800
++++ libressl-3.7.2/man/tls_config_set_protocols.3 2023-05-07 22:43:30.253125698 -0700
+@@ -146,7 +146,7 @@
+ .Pp
+ Alternatively, libssl cipher strings can be specified.
+ See the CIPHERS section of
+-.Xr openssl 1
++.Xr libressl 1
+ for further information.
+ .Pp
+ .Fn tls_config_set_dheparams
+diff -ur libressl-3.7.2.orig/man/x509v3.cnf.5 libressl-3.7.2/man/x509v3.cnf.5
+--- libressl-3.7.2.orig/man/x509v3.cnf.5 2022-04-03 22:32:16.000000000 -0700
++++ libressl-3.7.2/man/x509v3.cnf.5 2023-05-07 22:44:07.684154053 -0700
+@@ -61,7 +61,7 @@
+ Several of the OpenSSL utilities can add extensions to a certificate or
+ certificate request based on the contents of a configuration file.
+ The file format is based on the
+-.Xr openssl.cnf 5
++.Xr libressl.cnf 5
+ format.
+ .Pp
+ Typically the application will contain an option to point to an
+@@ -682,10 +682,10 @@
+ standard configuration file
+ .El
+ .Sh SEE ALSO
+-.Xr openssl 1 ,
++.Xr libressl 1 ,
+ .Xr ASN1_generate_nconf 3 ,
+ .Xr OPENSSL_config 3 ,
+-.Xr openssl.cnf 5
++.Xr libressl.cnf 5
+ .Sh HISTORY
+ X509v3 extension code was first added to OpenSSL 0.9.2.
+ .Sh CAVEATS
diff --git a/SOURCES/libressl-yjl-additions.cnf b/SOURCES/libressl-yjl-additions.cnf
new file mode 100644
index 0000000..f400195
--- /dev/null
+++ b/SOURCES/libressl-yjl-additions.cnf
@@ -0,0 +1,223 @@
+
+# Additions from RHEL/CentOS 7 openssl.cnf w/ default_bits increased
+####################################################################
+[ req ]
+default_bits = 3072
+default_md = sha256
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = XX
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+#stateOrProvinceName_default = Default Province
+
+localityName = Locality Name (eg, city)
+localityName_default = Default City
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Default Company Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (eg, your name or your server\'s hostname)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+
diff --git a/SPECS/libressl.spec b/SPECS/libressl.spec
new file mode 100644
index 0000000..48d7756
--- /dev/null
+++ b/SPECS/libressl.spec
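Review bot: `[ v3_ca ]` in this hunk sets `basicConstraints = CA:true` without `critical` and leaves `keyUsage` commented out, on the strength of a legacy comment about software that chokes on critical extensions; RFC 5280 §4.2.1.9 requires a conforming CA to mark basicConstraints critical in CA certificates, and current TLS clients accept that. I would use `basicConstraints = critical,CA:true` and, unless the packager knows a concrete client that still fails, `keyUsage = critical,cRLSign,keyCertSign` — a self-signed CA certificate carrying keyCertSign still signs fine, so the "test self-signed certificate" caveat in the comment no longer holds. Separately, the spec in this same commit appends this file to LibreSSL's stock libressl.cnf with `cat %{SOURCE1} >> ... libressl.cnf`; if that stock file already defines `[ req ]`, `[ v3_ca ]` or the other section names used here, the merged file has duplicate sections and which value wins depends on the CONF reader's merge behaviour, which is worth confirming against the installed result.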
@@ -0,0 +1,300 @@
+%if 0%{!?_ssldir:1} == 1
+%global _ssldir %{_sysconfdir}/ssl
+%endif
+%if 0%{!?_pkitls:1} == 1
+%global _pkitls %{_sysconfdir}/pki/tls
+%endif
+
+%if 0%{!?__sed:1} == 1
+%global __sed %{_bindir}/sed
+%endif
+%if 0%{!?__chrpath:1} == 1
+%global __chrpath %{_bindir}/chrpath
+%endif
+
+# Shared library versions
+%global slibcryptov 50.0.2
+%global slibsslv 53.0.2
+%global slibtlsv 26.0.2
+
+Name: libressl
+Version: 3.7.2
+Release: %{?repo}0.rc1%{?dist}
+Summary: OpenBSD fork of the OpenSSL Cryptography Suite
+
+Group: System Environment/Libraries
+License: OpenSSL
+URL: https://www.libressl.org/
+Source0: https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/%{name}-%{version}.tar.gz
+Source1: libressl-yjl-additions.cnf
+# some DH params
+# 2048
+Source20: https://bettercrypto.org/static/dhparams/group14.pem
+# 3072
+Source21: https://bettercrypto.org/static/dhparams/group15.pem
+# 4096
+Source22: https://bettercrypto.org/static/dhparams/group16.pem
+# 6144
+Source23: https://bettercrypto.org/static/dhparams/group17.pem
+# 8192
+Source24: https://bettercrypto.org/static/dhparams/group18.pem
+# DHE README
+Source25: README.DHE.md
+###### YJL patches
+Patch90: libressl-3.7.2-cnf-name.patch
+Patch91: libressl-3.7.2-manpage.patch
+
+
+#BuildRequires: %%{__chrpath}
+BuildRequires: %{__sed}
+Requires: %{name}-libs = %{version}-%{release}
+
+%description
+LibreSSL is a fork of OpenSSL 1.0.1g developed by the OpenBSD project.
+Our goal is to modernize the codebase, improve security, and apply best
+practice development processes from OpenBSD.
+
+%package libs
+Summary: Shared Libraries for LibreSSL
+Group: System Environment/Libraries
+Requires: make-ca
+#Requires: ca-certificates
+
+%description libs
+This package provides the shared libraries for LibreSSL.
+
+LibreSSL is API compatible with OpenSSL 1.0.1, but does not yet include
+all new APIs from OpenSSL 1.0.2 and later. LibreSSL also includes APIs
+not yet present in OpenSSL. The current common API subset is OpenSSL
+1.0.1.
+
+LibreSSL it is not ABI compatible with any release of OpenSSL, or
+necessarily earlier releases of LibreSSL. You will need to relink your
+programs to LibreSSL in order to use it, just as in moving between major
+versions of OpenSSL.
+
+LibreSSL's installed library version numbers are incremented to account
+for ABI and API changes.
+
+%package devel
+Summary: Developer files for LibreSSL
+Group: Development/Libraries
+Requires: %{name}-libs = %{version}-%{release}
+Conflicts: openssl-devel
+
+%description devel
+This package provides the development header files for LibreSSL.
+
+%package dhe-cron
+Summary: Cron scripts to generate DHE groups
+Group: System Administration/Miscellaneous
+Requires: %{name} = %{version}-%{release}
+Requires: fcron
+
+%description dhe-cron
+For servers that support TLS with the DHE key exchange, it is generally
+a good idea to generate fresh DHE groups periodically. This package
+installs cron job scripts that do so.
+
+For non-servers, all these scripts do is waste CPU cycles. Desktop
+users should not install this package.
+
+%prep
+%setup -q
+%patch 90 -p1
+%patch 91 -p1
+# These aren't renamed in the patches to reduce patch size.
+mv openssl.cnf libressl.cnf
+mv man/openssl.cnf.5 man/libressl.cnf.5
+mv apps/openssl/openssl.1 apps/openssl/libressl.1
+
+cp %{SOURCE25} .
+
+
+%build
+%configure \
+ --with-openssldir=%{_ssldir} \
+ --libdir=/%{_lib}
+
+# fails biotest w/ this option
+# --enable-extratests
+
+##%% from RHEL/CentOS OpenSSL spec file ##%%
+# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
+# marked as not requiring an executable stack.
+# Also add -DPURIFY to make using valgrind with openssl easier as we do not
+# want to depend on the uninitialized memory as a source of entropy anyway.
+RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -DPURIFY"
+
+make %{?_smp_mflags}
+
+%check
+%if 0%{?runtests:1} == 1
+make check > %{name}-make.check.log 2>&1
+%else
+echo "make test not run during package build." > %{name}-make.check.log
+%endif
+
+
+%install
+make install DESTDIR=%{buildroot}
+rm -f %{buildroot}%{_ssldir}/cert.pem
+install -d %{buildroot}%{_ssldir}/csr
+#install -d %%{buildroot}%%{_sysconfdir}/ssl
+#ln -s ../pki/tls/libressl.cnf %%{buildroot}%%{_sysconfdir}/ssl/libressl.cnf
+install -d %{buildroot}%{_pkitls}
+
+#rename openssl binary
+mv %{buildroot}%{_bindir}/openssl %{buildroot}%{_bindir}/libressl
+
+#customize the conf
+cat %{SOURCE1} >> %{buildroot}%{_ssldir}/libressl.cnf
+
+# adjust developer .so links
+install -m755 -d %{buildroot}%{_libdir}
+rm -f %{buildroot}/%{_lib}/libcrypto.{so,la}
+ln -s ../../%{_lib}/libcrypto.so.%{slibcryptov} \
+ %{buildroot}%{_libdir}/libcrypto.so
+mv %{buildroot}/%{_lib}/libcrypto.a %{buildroot}%{_libdir}/
+rm -f %{buildroot}/%{_lib}/libssl.{so,la}
+ln -s ../../%{_lib}/libssl.so.%{slibsslv} \
+ %{buildroot}%{_libdir}/libssl.so
+mv %{buildroot}/%{_lib}/libssl.a %{buildroot}%{_libdir}/
+rm -f %{buildroot}/%{_lib}/libtls.{so,la}
+ln -s ../../%{_lib}/libtls.so.%{slibtlsv} \
+ %{buildroot}%{_libdir}/libtls.so
+mv %{buildroot}/%{_lib}/libtls.a %{buildroot}%{_libdir}/
+
+# adjust developer pkgconfig files
+%{__sed} -i 's?libdir=.*?libdir=%{_libdir}?' \
+ %{buildroot}/%{_lib}/pkgconfig/libcrypto.pc
+%{__sed} -i 's?libdir=.*?libdir=%{_libdir}?' \
+ %{buildroot}/%{_lib}/pkgconfig/libssl.pc
+%{__sed} -i 's?libdir=.*?libdir=%{_libdir}?' \
+ %{buildroot}/%{_lib}/pkgconfig/libtls.pc
+%{__sed} -i 's?libdir=.*?libdir=%{_libdir}?' \
+ %{buildroot}/%{_lib}/pkgconfig/openssl.pc
+mv %{buildroot}/%{_lib}/pkgconfig %{buildroot}%{_libdir}/
+
+
+
+#MODP IKE
+install -p -m644 %{SOURCE20} %{buildroot}%{_pkitls}/MODP-IKE-2048-group14.pem
+install -p -m644 %{SOURCE21} %{buildroot}%{_pkitls}/MODP-IKE-3072-group15.pem
+install -p -m644 %{SOURCE22} %{buildroot}%{_pkitls}/MODP-IKE-4096-group16.pem
+install -p -m644 %{SOURCE23} %{buildroot}%{_pkitls}/MODP-IKE-6144-group17.pem
+install -p -m644 %{SOURCE24} %{buildroot}%{_pkitls}/MODP-IKE-8192-group18.pem
+
+# initial parameters
+install -p -m644 %{SOURCE20} %{buildroot}%{_pkitls}/dh2048.pem
+install -p -m644 %{SOURCE21} %{buildroot}%{_pkitls}/dh3072.pem
+install -p -m644 %{SOURCE22} %{buildroot}%{_pkitls}/dh4096.pem
+install -p -m644 %{SOURCE25} %{buildroot}%{_pkitls}/README.DHE.md
+
+#DH parameter generation cronjobs
+mkdir -p %{buildroot}%{_sysconfdir}/cron.daily
+mkdir -p %{buildroot}%{_sysconfdir}/cron.monthly
+cat < %{buildroot}%{_sysconfdir}/cron.daily/generate_dh_params.sh
+#!/bin/bash
+TMPFILE="\`%{_bindir}/mktemp -p /tmp dhparams.XXXXXXXXXX\`"
+
+trap "rm -f \${TMPFILE}" EXIT TERM
+
+%{_bindir}/nice -n19 %{_bindir}/libressl dhparam -out \${TMPFILE} 2048 > /dev/null 2>&1
+if [ \$? -eq 0 ]; then
+ install -m644 \${TMPFILE} %{_pkitls}/dh2048.pem
+fi
+EOF
+cat < %{buildroot}%{_sysconfdir}/cron.monthly/generate_dh_params.sh
+#!/bin/bash
+TMPFILE="\`%{_bindir}/mktemp -p /tmp dhparams.XXXXXXXXXX\`"
+
+trap "rm -f \${TMPFILE}" EXIT TERM
+
+%{_bindir}/nice -n19 %{_bindir}/libressl dhparam -out \${TMPFILE} 3072 > /dev/null 2>&1
+if [ \$? -eq 0 ]; then
+ install -m644 \${TMPFILE} %{_pkitls}/dh3072.pem
+fi
+%{_bindir}/nice -n19 %{_bindir}/libressl dhparam -out \${TMPFILE} 4096 > /dev/null 2>&1
+if [ \$? -eq 0 ]; then
+ install -m644 \${TMPFILE} %{_pkitls}/dh4096.pem
+fi
+EOF
+
+#fix rpath
+#%%{_bindir}/chrpath -d %%{buildroot}%{_bindir}/libressl
+#%%{_bindir}/chrpath -d %%{buildroot}%{_bindir}/ocspcheck
+#%%{_bindir}/chrpath -d %%{buildroot}/%%{_lib}/libcrypto.so.%%{slibcryptov}
+#%%{_bindir}/chrpath -d %%{buildroot}/%%{_lib}/libssl.so.%%{slibsslv}
+#%%{_bindir}/chrpath -d %%{buildroot}/%%{_lib}/libtls.so.%%{slibtlsv}
+
+
+%post libs -p /sbin/ldconfig
+%postun libs -p /sbin/ldconfig
+
+%files
+%defattr(-,root,root,-)
+%attr(0755,root,root) %{_bindir}/libressl
+%attr(0755,root,root) %{_bindir}/ocspcheck
+%attr(0644,root,root) %{_mandir}/man1/libressl.1*
+%attr(0644,root,root) %{_mandir}/man5/libressl.cnf.5*
+%attr(0644,root,root) %{_mandir}/man5/x509v3.cnf.5*
+%attr(0644,root,root) %{_mandir}/man8/ocspcheck.8*
+%license COPYING
+%doc ChangeLog COPYING README.md VERSION %{name}-make.check.log
+
+%files libs
+%defattr(-,root,root,-)
+%dir %{_ssldir}/csr
+%dir %{_sysconfdir}/ssl
+/%{_lib}/libcrypto.so.50
+%attr(0755,root,root) /%{_lib}/libcrypto.so.%{slibcryptov}
+/%{_lib}/libssl.so.53
+%attr(0755,root,root) /%{_lib}/libssl.so.%{slibsslv}
+/%{_lib}/libtls.so.26
+%attr(0755,root,root) /%{_lib}/libtls.so.%{slibtlsv}
+# configuration files
+%attr(0644,root,root) %config(noreplace) %{_ssldir}/libressl.cnf
+%attr(0644,root,root) %config(noreplace) %{_ssldir}/x509v3.cnf
+%attr(0644,root,root) %config(noreplace) %{_pkitls}/dh2048.pem
+%attr(0644,root,root) %config(noreplace) %{_pkitls}/dh3072.pem
+%attr(0644,root,root) %config(noreplace) %{_pkitls}/dh4096.pem
+# MODP IKE
+%attr(0644,root,root) %{_pkitls}/MODP-IKE-2048-group14.pem
+%attr(0644,root,root) %{_pkitls}/MODP-IKE-3072-group15.pem
+%attr(0644,root,root) %{_pkitls}/MODP-IKE-4096-group16.pem
+%attr(0644,root,root) %{_pkitls}/MODP-IKE-6144-group17.pem
+%attr(0644,root,root) %{_pkitls}/MODP-IKE-8192-group18.pem
+%license COPYING
+%doc ChangeLog COPYING README.md VERSION %{name}-make.check.log
+
+%files devel
+%defattr(-,root,root,-)
+%{_includedir}/openssl
+%{_includedir}/tls.h
+%exclude %{_libdir}/libcrypto.a
+%{_libdir}/libcrypto.so
+%exclude %{_libdir}/libssl.a
+%{_libdir}/libssl.so
+%exclude %{_libdir}/libtls.a
+%{_libdir}/libtls.so
+%{_mandir}/man3/*.3*
+%attr(0644,root,root) %{_libdir}/pkgconfig/*.pc
+
+%files dhe-cron
+%defattr(-,root,root,-)
+%attr(0755,root,root) %{_sysconfdir}/cron.daily/generate_dh_params.sh
+%attr(0755,root,root) %{_sysconfdir}/cron.monthly/generate_dh_params.sh
+%attr(0644,root,root) %{_pkitls}/README.DHE.md
+%doc README.DHE.md
+
+%changelog
+* Sun May 07 2023 Michael A. Peters - 3.7.2-0.rc1
+- Update to 3.7.2
+
+* Thu Apr 27 2023 Michael A. Peters - 3.6.2-0.rc3
+- Fix openssldir
+
+* Sat Mar 18 2023 Michael A. Peters - 3.6.2-0.rc1
+- Initial spec file for YJL (RPM bootstrapping LFS/BLFS 11.3)
+- Based on the LibreSSL packages I created for CentOS 7 (AWEL)
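Review bot: `RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -DPURIFY"` in %build is assigned after `%configure` has already run and is neither exported nor passed to `make`, so the comment block above it does not describe what happens: neither flag reaches the compiler, and this line does not cause libcrypto's assembler objects to be marked as not needing an executable stack. Because `%configure` picks up `${CFLAGS:-%{optflags}}`, the straightforward fix is to drop that line and put `export CFLAGS="%{optflags} -Wa,--noexecstack -DPURIFY"` immediately before `%configure \`; whether the upstream build already passes `--noexecstack` on its own I cannot tell from here, so checking the built libcrypto's GNU_STACK program header with `readelf -lW` is the quick way to confirm the result either way. In the two generated cron scripts, `install -m644 ${TMPFILE} %{_pkitls}/dh2048.pem` (and the 3072/4096 lines) truncates and rewrites the live parameter file in place, so a server that loads it at that instant can read an empty or partial PEM; installing to a sibling temporary name inside `%{_pkitls}` and then `mv`-ing it over the target makes the swap atomic on the same filesystem.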