[openssl-3] Update to OpenSSL 3.2.1. JB#55609

.gitmodules

@@ -1,3 +1,3 @@
-[submodule "openssl"]
-	path = openssl
+[submodule "upstream"]
+	path = upstream
 	url = https://github.com/sailfishos-mirror/openssl.git

rpm/0001-Disable-html-docs.patch

@@ -0,0 +1,22 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Bidar?= <[email protected]>
+Date: Mon, 30 Sep 2024 00:23:48 +0300
+Subject: [PATCH] Disable html docs
+
+---
+ Configurations/unix-Makefile.tmpl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
+index dcd41a9f22a1c82fa4eb3f18e320f3d1ffb65b5b..7a71ee9bf3b968c3b0634f38be18529ef1055318 100644
+--- a/Configurations/unix-Makefile.tmpl
++++ b/Configurations/unix-Makefile.tmpl
+@@ -633,7 +633,7 @@ install_sw: install_dev install_engines install_modules install_runtime ## Insta
+
+ uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev ## Uninstall the software and libraries
+
+-install_docs: install_man_docs install_html_docs ## Install manpages and HTML documentation
++install_docs: install_man_docs ## Install manpages and HTML documentation
+
+ uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and HTML documentation
+ 	$(RM) -r "$(DESTDIR)$(DOCDIR)"

rpm/0002-Implicitly-load-OpenSSL-configuration.patch

@@ -0,0 +1,36 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Bidar?= <[email protected]>
+Date: Mon, 30 Sep 2024 09:18:21 +0300
+Subject: [PATCH] Implicitly load OpenSSL configuration
+
+For applications to load the OpenSSL configuration they have to call
+OPENSSL_config(). Many applications/libraries don't do so.
+Instead we can pass -DOPENSSL_LOAD_CONF in the pkgconfig files
+so the needed operation becomes implicit the next time such apps
+are recompiled, see OPENSSL_config(3).
+---
+ Configurations/unix-Makefile.tmpl | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
+index 7a71ee9bf3b968c3b0634f38be18529ef1055318..c7ff3e3c6e06ab55b7251d134339d9277c1b42a7 100644
+--- a/Configurations/unix-Makefile.tmpl
++++ b/Configurations/unix-Makefile.tmpl
+@@ -1453,7 +1453,7 @@ libcrypto.pc:
+ 	    echo 'Version: '$(VERSION); \
+ 	    echo 'Libs: -L$${libdir} -lcrypto'; \
+ 	    echo 'Libs.private: $(LIB_EX_LIBS)'; \
+-	    echo 'Cflags: -I$${includedir}' ) > libcrypto.pc
++	    echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir}' ) > libcrypto.pc
+
+ libssl.pc:
+ 	@ ( echo 'prefix=$(INSTALLTOP)'; \
+@@ -1470,7 +1470,7 @@ libssl.pc:
+ 	    echo 'Version: '$(VERSION); \
+ 	    echo 'Requires.private: libcrypto'; \
+ 	    echo 'Libs: -L$${libdir} -lssl'; \
+-	    echo 'Cflags: -I$${includedir}' ) > libssl.pc
++	    echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir}' ) > libssl.pc
+
+ openssl.pc:
+ 	@ ( echo 'prefix=$(INSTALLTOP)'; \

rpm/0003-Set-a-sane-default-cipher-list-for-applications.patch

@@ -0,0 +1,84 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Bidar?= <[email protected]>
+Date: Mon, 30 Sep 2024 10:11:06 +0300
+Subject: [PATCH] Set a sane default cipher list for applications
+
+Set a sane default cipher list which is "COMPLEMENTOFDEFAULT,eNULL"
+which enables all ciphers built even those without description.
+
+Note this patch was imported from SUSE and thous includes the name.
+This patch applies to applications using deprecated OpenSSL 1.1 API's
+and thous can be removed once those are gone.
+---
+ include/openssl/ssl.h.in                    |  5 +++++
+ ssl/ssl_ciph.c                              | 10 ++++++++-
+ test/recipes/99-test_suse_default_ciphers.t | 23 +++++++++++++++++++++
+ 3 files changed, 37 insertions(+), 1 deletion(-)
+ create mode 100644 test/recipes/99-test_suse_default_ciphers.t
+
+diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
+index 9f91039f8a121c3324dee7801ed49a2bd51e5534..f49b4b700e4a42235d297e5af5a080fd30cbf1b0 100644
+--- a/include/openssl/ssl.h.in
++++ b/include/openssl/ssl.h.in
+@@ -194,6 +194,11 @@ extern "C" {
+  */
+ # ifndef OPENSSL_NO_DEPRECATED_3_0
+ #  define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
++#  define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"\
++    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:"\
++    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\
++    "DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\
++    "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA"
+ /*
+  * This is the default set of TLSv1.3 ciphersuites
+  * DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites()
+diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
+index 8360991ce419a03c6dc59d6dbb54bed7b7d577ee..80a7da3d0836c825d6c1c2f47fb9a19ecac54141 100644
+--- a/ssl/ssl_ciph.c
++++ b/ssl/ssl_ciph.c
+@@ -1623,7 +1623,15 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx,
+      */
+     ok = 1;
+     rule_p = rule_str;
+-    if (HAS_PREFIX(rule_str, "DEFAULT")) {
++    if (HAS_PREFIX(rule_str, "DEFAULT_SUSE")) {
++            ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST,
++                                            &head, &tail, ca_list, c);
++            rule_p += 12;
++            if (*rule_p == ':')
++                    rule_p++;
++
++    }
++    else if (HAS_PREFIX(rule_str, "DEFAULT")) {
+         ok = ssl_cipher_process_rulestr(OSSL_default_cipher_list(),
+                                         &head, &tail, ca_list, c);
+         rule_p += 7;
+diff --git a/test/recipes/99-test_suse_default_ciphers.t b/test/recipes/99-test_suse_default_ciphers.t
+new file mode 100644
+index 0000000000000000000000000000000000000000..d7a687452f0e6768d9b6aeb3c3dcd764e9d75f7e
+--- /dev/null
++++ b/test/recipes/99-test_suse_default_ciphers.t
+@@ -0,0 +1,23 @@
++#! /usr/bin/env perl
++
++use strict;
++use warnings;
++
++use OpenSSL::Test qw/:DEFAULT/;
++use OpenSSL::Test::Utils;
++
++setup("test_default_ciphersuites");
++
++plan tests => 6;
++
++my @cipher_suites = ("DEFAULT_SUSE", "DEFAULT");
++
++foreach my $cipherlist (@cipher_suites) {
++  ok(run(app(["openssl", "ciphers", "-s", $cipherlist])),
++     "openssl ciphers works with ciphersuite $cipherlist");
++  ok(!grep(/(MD5|RC4|DES)/, run(app(["openssl", "ciphers", "-s", $cipherlist]), capture => 1)),
++         "$cipherlist shouldn't contain MD5, DES or RC4\n");
++  ok(grep(/(TLSv1.3)/, run(app(["openssl", "ciphers", "-tls1_3", "-s", "-v", $cipherlist]), capture => 1)),
++         "$cipherlist should contain TLSv1.3 ciphers\n");
++}
++