webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-09 18:45:54 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
fd02fb29d829fc35ea65fb2cab201bf25bcfedae
bpfire/lfs/openssl
Adolf Belka acf2754880 openssl: Update to version 3.3.0 
- Update from version 3.2.1 to 3.3.0
- Update of rootfile
- Changelog
    3.3
	This release adds the following new features:
	  * Support for qlog for tracing QUIC connections has been added
	  * Added APIs to allow configuring the negotiated idle timeout for QUIC
	    connections, and to allow determining the number of additional streams
	    that can currently be created for a QUIC connection.
	  * Added APIs to allow disabling implicit QUIC event processing for QUIC SSL
	    objects
	  * Added APIs to allow querying the size and utilisation of a QUIC stream's
	    write buffer
	  * New API `SSL_write_ex2`, which can be used to send an end-of-stream (FIN)
	    condition in an optimised way when using QUIC.
	  * Limited support for polling of QUIC connection and stream objects in a
	    non-blocking manner.
	  * Added a new EVP_DigestSqueeze() API. This allows SHAKE to squeeze multiple
	    times with different output sizes.
	  * Added exporter for CMake on Unix and Windows, alongside the pkg-config
	    exporter.
	  * The BLAKE2s hash algorithm matches BLAKE2b's support for configurable
	    output length.
	  * The EVP_PKEY_fromdata function has been augmented to allow for the
	    derivation of CRT (Chinese Remainder Theorem) parameters when requested
	  * Added API functions SSL_SESSION_get_time_ex(), SSL_SESSION_set_time_ex()
	    using time_t which is Y2038 safe on 32 bit systems when 64 bit time
	    is enabled
	  * Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms
	    config options and the respective calls to SSL[_CTX]_set1_sigalgs() and
	    SSL[_CTX]_set1_client_sigalgs() that start with `?` character are
	    ignored and the configuration will still be used.
	  * Added `-set_issuer` and `-set_subject` options to `openssl x509` to
	    override the Issuer and Subject when creating a certificate. The `-subj`
	    option now is an alias for `-set_subject`.
	  * Added several new features of CMPv3 defined in RFC 9480 and RFC 9483
	  * New option `SSL_OP_PREFER_NO_DHE_KEX`, which allows configuring a TLS1.3
	    server to prefer session resumption using PSK-only key exchange over PSK
	    with DHE, if both are available.
	  * New atexit configuration switch, which controls whether the OPENSSL_cleanup
	    is registered when libcrypto is unloaded.
	  * Added X509_STORE_get1_objects to avoid issues with the existing
	    X509_STORE_get0_objects API in multi-threaded applications.
	This release incorporates the following potentially significant or incompatible
	changes:
	  * Applied AES-GCM unroll8 optimisation to Microsoft Azure Cobalt 100
	  * Optimized AES-CTR for ARM Neoverse V1 and V2
	  * Enable AES and SHA3 optimisations on Applie Silicon M3-based MacOS systems
	    similar to M1/M2.
	  * Various optimizations for cryptographic routines using RISC-V vector crypto
	    extensions
	  * Added assembly implementation for md5 on loongarch64
	  * Accept longer context for TLS 1.2 exporters
	  * The activate and soft_load configuration settings for providers in
	    openssl.cnf have been updated to require a value of [1|yes|true|on]
	    (in lower or UPPER case) to enable the setting. Conversely a value
	    of [0|no|false|off] will disable the setting.
	  * In `openssl speed`, changed the default hash function used with `hmac` from
	    `md5` to `sha256`.
	  * The `-verify` option to the `openssl crl` and `openssl req` will make the
	    program exit with 1 on failure.
	  * The d2i_ASN1_GENERALIZEDTIME(), d2i_ASN1_UTCTIME(), ASN1_TIME_check(), and
	    related functions have been augmented to check for a minimum length of
	    the input string, in accordance with ITU-T X.690 section 11.7 and 11.8.
	  * OPENSSL_sk_push() and sk_<TYPE>_push() functions now return 0 instead of -1
	    if called with a NULL stack argument.
	  * New limit on HTTP response headers is introduced to HTTP client. The
	    default limit is set to 256 header lines.
	This release incorporates the following bug fixes and mitigations:
	  * The BIO_get_new_index() function can only be called 127 times before it
	    reaches its upper bound of BIO_TYPE_MASK and will now return -1 once its
	    exhausted.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-08-06 09:10:28 +00:00

128 lines
4.1 KiB
Plaintext
Raw Blame History

###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2007-2024 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
###############################################################################
# Definitions
###############################################################################
include Config
VER = 3.3.0
THISAPP = openssl-$(VER)
DL_FILE = $(THISAPP).tar.gz
DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)$(KCFG)
CFLAGS += -DPURIFY -Wa,--noexecstack
export RPM_OPT_FLAGS = $(CFLAGS)
CONFIGURE_OPTIONS = \
--prefix=/usr \
--openssldir=/etc/ssl \
shared \
zlib-dynamic \
enable-camellia \
enable-seed \
enable-rfc3779 \
no-idea \
no-mdc2 \
no-rc5 \
no-srp \
no-aria \
$(OPENSSL_ARCH)
ifeq "$(BUILD_ARCH)" "aarch64"
OPENSSL_ARCH = linux-aarch64
endif
ifeq "$(BUILD_ARCH)" "riscv64"
OPENSSL_ARCH = linux64-riscv64
endif
ifeq "$(BUILD_ARCH)" "x86_64"
OPENSSL_ARCH = linux-x86_64
endif
###############################################################################
# Top-level Rules
###############################################################################
objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_BLAKE2 = c68efaf8aca87961f396e305acc767b56d651b9adf4fd2c9d9b5a3266e35da4b856c6ed34be47d656c782aade975f20317a6759913b33d29d7eb088e638fa501
install : $(TARGET)
check : $(patsubst %,$(DIR_CHK)/%,$(objects))
download :$(patsubst %,$(DIR_DL)/%,$(objects))
b2 : $(subst %,%_BLAKE2,$(objects))
###############################################################################
# Downloading, checking, b2sum
###############################################################################
$(patsubst %,$(DIR_CHK)/%,$(objects)) :
@$(CHECK)
$(patsubst %,$(DIR_DL)/%,$(objects)) :
@$(LOAD)
$(subst %,%_BLAKE2,$(objects)) :
@$(B2SUM)
###############################################################################
# Installation Details
###############################################################################
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
# Apply our CFLAGS
cd $(DIR_APP) && sed -i Configure \
-e "s/-O3 -fomit-frame-pointer/$(CFLAGS)/g"
cd $(DIR_APP) && find crypto/ -name Makefile -exec \
sed 's/^ASFLAGS=/&-Wa,--noexecstack /' -i {} \;
cd $(DIR_APP) && ./Configure $(CONFIGURE_OPTIONS) \
$(CFLAGS) $(LDFLAGS)
cd $(DIR_APP) && make depend
cd $(DIR_APP) && make $(MAKETUNING)
# Install everything
cd $(DIR_APP) && make install
install -m 0644 $(DIR_SRC)/config/ssl/openssl.cnf /etc/ssl
# Install RFC 7919 defined standard group ffdhe4096
install -m 0644 $(DIR_SRC)/config/ssl/ffdhe4096.pem /etc/ssl
@rm -rf $(DIR_APP)
@$(POSTBUILD)
Reference in New Issue View Git Blame Copy Permalink