libressl: update to 4.0

2025-01-13 11:30:53 +06:00 · 2025-01-13 11:30:53 +06:00 · 5109161bd3
commit 5109161bd3
parent 01f81d23da
3 changed files with 16095 additions and 99 deletions
--- a/base/libressl/libressl-cmake-rename-binaries.patch
+++ b/base/libressl/libressl-cmake-rename-binaries.patch
--- a/base/libressl/libressl-rename-config-file.patch
+++ b/base/libressl/libressl-rename-config-file.patch
@ -1,66 +1,6 @@
-diff -Naur libressl-3.8.1-orig/Makefile.am libressl-3.8.1/Makefile.am
+diff -Naur a/apps/openssl/apps.c b/apps/openssl/apps.c
--- libressl-3.8.1-orig/Makefile.am	2023-08-21 17:00:06.000000000 +0600
+--- a/apps/openssl/apps.c	2024-09-25 09:30:06.000000000 +0600
-+++ libressl-3.8.1/Makefile.am	2023-10-03 14:13:45.763015193 +0600
+++ b/apps/openssl/apps.c	2025-01-09 22:24:46.419234126 +0600
@@ -12,7 +12,7 @@
 EXTRA_DIST = README.md README.windows VERSION config scripts
 EXTRA_DIST += CMakeLists.txt cmake_export_symbol.cmake cmake_uninstall.cmake.in FindLibreSSL.cmake LibreSSLConfig.cmake.in
 -EXTRA_DIST += cert.pem openssl.cnf x509v3.cnf
 +EXTRA_DIST += cert.pem libressl.cnf x509v3.cnf
 .PHONY: install_sw
 install_sw: install
@@ -24,7 +24,7 @@
 		OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
 	fi; \
 	mkdir -p "$$OPENSSLDIR/certs"; \
 -	for i in cert.pem openssl.cnf x509v3.cnf; do \
 +	for i in cert.pem libressl.cnf x509v3.cnf; do \
 		if [ ! -f "$$OPENSSLDIR/$i" ]; then \
 			$(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \
 		else \
@@ -38,7 +38,7 @@
 	else \
 		OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
 	fi; \
 -	for i in cert.pem openssl.cnf x509v3.cnf; do \
 +	for i in cert.pem libressl.cnf x509v3.cnf; do \
 		if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \
 			rm -f "$$OPENSSLDIR/$$i"; \
 		fi \
 diff -Naur libressl-3.8.1-orig/Makefile.in libressl-3.8.1/Makefile.in
 --- libressl-3.8.1-orig/Makefile.in	2023-08-31 08:15:32.000000000 +0600
 +++ libressl-3.8.1/Makefile.in	2023-10-03 14:14:15.117827061 +0600
@@ -374,7 +374,7 @@
 EXTRA_DIST = README.md README.windows VERSION config scripts \
 	CMakeLists.txt cmake_export_symbol.cmake \
 	cmake_uninstall.cmake.in FindLibreSSL.cmake \
 -	LibreSSLConfig.cmake.in cert.pem openssl.cnf x509v3.cnf
 +	LibreSSLConfig.cmake.in cert.pem libressl.cnf x509v3.cnf
 all: all-recursive
 .SUFFIXES:
@@ -895,7 +895,7 @@
 		OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
 	fi; \
 	mkdir -p "$$OPENSSLDIR/certs"; \
 -	for i in cert.pem openssl.cnf x509v3.cnf; do \
 +	for i in cert.pem libressl.cnf x509v3.cnf; do \
 		if [ ! -f "$$OPENSSLDIR/$i" ]; then \
 			$(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \
 		else \
@@ -909,7 +909,7 @@
 	else \
 		OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
 	fi; \
 -	for i in cert.pem openssl.cnf x509v3.cnf; do \
 +	for i in cert.pem libressl.cnf x509v3.cnf; do \
 		if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \
 			rm -f "$$OPENSSLDIR/$$i"; \
 		fi \
 diff -Naur libressl-3.8.1-orig/apps/openssl/apps.c libressl-3.8.1/apps/openssl/apps.c
 --- libressl-3.8.1-orig/apps/openssl/apps.c	2023-08-21 16:50:37.000000000 +0600
 +++ libressl-3.8.1/apps/openssl/apps.c	2023-10-03 14:15:00.235537604 +0600
@@ -1069,7 +1069,7 @@
 	const char *t = X509_get_default_cert_area();
 	char *p;
@ -70,10 +10,22 @@ diff -Naur libressl-3.8.1-orig/apps/openssl/apps.c libressl-3.8.1/apps/openssl/a
 		return NULL;
 	return p;
 }
-diff -Naur libressl-3.8.1-orig/crypto/conf/conf_mod.c libressl-3.8.1/crypto/conf/conf_mod.c
+diff -Naur a/CMakeLists.txt b/CMakeLists.txt
--- libressl-3.8.1-orig/crypto/conf/conf_mod.c	2023-08-21 16:50:37.000000000 +0600
+--- a/CMakeLists.txt	2024-10-08 16:16:19.000000000 +0600
-+++ libressl-3.8.1/crypto/conf/conf_mod.c	2023-10-03 14:15:27.230364281 +0600
+++ b/CMakeLists.txt	2025-01-09 22:34:00.078411167 +0600
-@@ -474,7 +474,7 @@
+@@ -531,7 +531,7 @@
 			DESTINATION ${CMAKE_INSTALL_LIBDIR})
 	endif()
 -	install(FILES cert.pem openssl.cnf x509v3.cnf DESTINATION ${CONF_DIR})
 +	install(FILES cert.pem libressl.cnf x509v3.cnf DESTINATION ${CONF_DIR})
 	install(DIRECTORY DESTINATION ${CONF_DIR}/certs)
  	if(NOT TARGET uninstall)
 diff -Naur a/crypto/conf/conf_mod.c b/crypto/conf/conf_mod.c
 --- a/crypto/conf/conf_mod.c	2024-09-25 09:30:06.000000000 +0600
 +++ b/crypto/conf/conf_mod.c	2025-01-09 22:22:06.849337107 +0600
@@ -485,7 +485,7 @@
 {
 	char *file = NULL;
@ -82,9 +34,9 @@ diff -Naur libressl-3.8.1-orig/crypto/conf/conf_mod.c libressl-3.8.1/crypto/conf
 	    X509_get_default_cert_area()) == -1)
 		return (NULL);
 	return file;
-diff -Naur libressl-3.8.1-orig/libressl.cnf libressl-3.8.1/libressl.cnf
+diff -Naur a/libressl.cnf b/libressl.cnf
--- libressl-3.8.1-orig/libressl.cnf	1970-01-01 06:00:00.000000000 +0600
+--- a/libressl.cnf	1970-01-01 06:00:00.000000000 +0600
-+++ libressl-3.8.1/libressl.cnf	2023-07-05 14:08:27.000000000 +0600
+++ b/libressl.cnf	2023-07-05 14:08:27.000000000 +0600
@@ -0,0 +1,24 @@
 +[ req ]
 +#default_bits		= 2048
@ -110,9 +62,823 @@ diff -Naur libressl-3.8.1-orig/libressl.cnf libressl-3.8.1/libressl.cnf
 +challengePassword		= A challenge password
 +challengePassword_min		= 4
 +challengePassword_max		= 20
-diff -Naur libressl-3.8.1-orig/openssl.cnf libressl-3.8.1/openssl.cnf
+diff -Naur a/Makefile.am b/Makefile.am
--- libressl-3.8.1-orig/openssl.cnf	2023-07-05 14:08:27.000000000 +0600
+--- a/Makefile.am	2024-05-28 19:25:41.000000000 +0600
-+++ libressl-3.8.1/openssl.cnf	1970-01-01 06:00:00.000000000 +0600
+++ b/Makefile.am	2025-01-09 22:23:13.342877490 +0600
@@ -12,7 +12,7 @@
 EXTRA_DIST = README.md README.mingw.md VERSION config scripts
 EXTRA_DIST += CMakeLists.txt cmake_export_symbol.cmake cmake_uninstall.cmake.in FindLibreSSL.cmake LibreSSLConfig.cmake.in
 -EXTRA_DIST += cert.pem openssl.cnf x509v3.cnf
 +EXTRA_DIST += cert.pem libressl.cnf x509v3.cnf
 .PHONY: install_sw
 install_sw: install
@@ -24,7 +24,7 @@
 		OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
 	fi; \
 	mkdir -p "$$OPENSSLDIR/certs"; \
 -	for i in cert.pem openssl.cnf x509v3.cnf; do \
 +	for i in cert.pem libressl.cnf x509v3.cnf; do \
 		if [ ! -f "$$OPENSSLDIR/$i" ]; then \
 			$(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \
 		else \
@@ -38,7 +38,7 @@
 	else \
 		OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
 	fi; \
 -	for i in cert.pem openssl.cnf x509v3.cnf; do \
 +	for i in cert.pem libressl.cnf x509v3.cnf; do \
 		if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \
 			rm -f "$$OPENSSLDIR/$$i"; \
 		fi \
 diff -Naur a/Makefile.in b/Makefile.in
 --- a/Makefile.in	2024-10-14 10:53:04.000000000 +0600
 +++ b/Makefile.in	2025-01-09 22:25:23.906975003 +0600
@@ -374,7 +374,7 @@
 EXTRA_DIST = README.md README.mingw.md VERSION config scripts \
 	CMakeLists.txt cmake_export_symbol.cmake \
 	cmake_uninstall.cmake.in FindLibreSSL.cmake \
 -	LibreSSLConfig.cmake.in cert.pem openssl.cnf x509v3.cnf
 +	LibreSSLConfig.cmake.in cert.pem libressl.cnf x509v3.cnf
 all: all-recursive
 .SUFFIXES:
@@ -895,7 +895,7 @@
 		OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
 	fi; \
 	mkdir -p "$$OPENSSLDIR/certs"; \
 -	for i in cert.pem openssl.cnf x509v3.cnf; do \
 +	for i in cert.pem libressl.cnf x509v3.cnf; do \
 		if [ ! -f "$$OPENSSLDIR/$i" ]; then \
 			$(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \
 		else \
@@ -909,7 +909,7 @@
 	else \
 		OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
 	fi; \
 -	for i in cert.pem openssl.cnf x509v3.cnf; do \
 +	for i in cert.pem libressl.cnf x509v3.cnf; do \
 		if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \
 			rm -f "$$OPENSSLDIR/$$i"; \
 		fi \
 diff -Naur a/man/libressl.cnf.5 b/man/libressl.cnf.5
 --- a/man/libressl.cnf.5	1970-01-01 06:00:00.000000000 +0600
 +++ b/man/libressl.cnf.5	2025-01-09 22:33:23.437663998 +0600
@@ -0,0 +1,361 @@
 +.\" $OpenBSD: openssl.cnf.5,v 1.11 2024/07/08 15:02:28 jmc Exp $
 +.\" full merge up to: OpenSSL man5/config b53338cb Feb 28 12:30:28 2017 +0100
 +.\" selective merge up to: OpenSSL a8c5ed81 Jul 18 13:57:25 2017 -0400
 +.\"
 +.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
 +.\" Copyright (c) 1999, 2000, 2004, 2013, 2015, 2016, 2017 The OpenSSL Project.
 +.\" All rights reserved.
 +.\"
 +.\" Redistribution and use in source and binary forms, with or without
 +.\" modification, are permitted provided that the following conditions
 +.\" are met:
 +.\"
 +.\" 1. Redistributions of source code must retain the above copyright
 +.\"    notice, this list of conditions and the following disclaimer.
 +.\"
 +.\" 2. Redistributions in binary form must reproduce the above copyright
 +.\"    notice, this list of conditions and the following disclaimer in
 +.\"    the documentation and/or other materials provided with the
 +.\"    distribution.
 +.\"
 +.\" 3. All advertising materials mentioning features or use of this
 +.\"    software must display the following acknowledgment:
 +.\"    "This product includes software developed by the OpenSSL Project
 +.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 +.\"
 +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 +.\"    endorse or promote products derived from this software without
 +.\"    prior written permission. For written permission, please contact
 +.\"    openssl-core@openssl.org.
 +.\"
 +.\" 5. Products derived from this software may not be called "OpenSSL"
 +.\"    nor may "OpenSSL" appear in their names without prior written
 +.\"    permission of the OpenSSL Project.
 +.\"
 +.\" 6. Redistributions of any form whatsoever must retain the following
 +.\"    acknowledgment:
 +.\"    "This product includes software developed by the OpenSSL Project
 +.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 +.\"
 +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 +.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 +.\" OF THE POSSIBILITY OF SUCH DAMAGE.
 +.\"
 +.Dd $Mdocdate: July 8 2024 $
 +.Dt OPENSSL.CNF 5
 +.Os
 +.Sh NAME
 +.Nm libressl.cnf
 +.Nd OpenSSL configuration files
 +.Sh DESCRIPTION
 +The OpenSSL CONF library can be used to read configuration files; see
 +.Xr CONF_modules_load_file 3 .
 +It is used for the OpenSSL master configuration file
 +.Pa /etc/pki/tls/libressl.cnf
 +and in a few other places such as certificate extension files for the
 +.Xr openssl 1
 +.Cm x509
 +utility.
 +OpenSSL applications can also use the CONF library for their own
 +purposes.
 +.Pp
 +A configuration file is divided into a number of sections.
 +Each section starts with a line
 +.Bq Ar section_name
 +and ends when a new section is started or the end of the file is reached.
 +A section name can consist of alphanumeric characters and underscores.
 +.Pp
 +The first section of a configuration file is special and is referred to
 +as the
 +.Dq default section .
 +It is usually unnamed and extends from the start of file to the
 +first named section.
 +When a name is being looked up, it is first looked up in a named
 +section (if any) and then in the default section.
 +.Pp
 +The environment is mapped onto a section called
 +.Ic ENV .
 +.Pp
 +Comments can be included by preceding them with the
 +.Ql #
 +character.
 +.Pp
 +Each section in a configuration file consists of a number of name and
 +value pairs of the form
 +.Ar name Ns = Ns Ar value .
 +.Pp
 +The
 +.Ar name
 +string can contain any alphanumeric characters as well as a few
 +punctuation symbols such as
 +.Ql \&.
 +.Ql \&,
 +.Ql \&;
 +and
 +.Ql _ .
 +.Pp
 +The
 +.Ar value
 +string consists of the string following the
 +.Ql =
 +character until the end of the line with any leading and trailing
 +whitespace removed.
 +.Pp
 +The value string undergoes variable expansion.
 +This can be done by including substrings of the form
 +.Pf $ Ar name
 +or
 +.Pf $ Brq Ar name :
 +this will substitute the value of the named variable in the current
 +section.
 +It is also possible to substitute a value from another section using the
 +syntax
 +.Pf $ Ar section Ns :: Ns Ar name
 +or
 +.Pf $ Brq Ar section Ns :: Ns Ar name .
 +By using the form
 +.Pf $ Ic ENV Ns :: Ns Ar name ,
 +environment variables can be substituted.
 +It is also possible to assign values to environment variables by using
 +the name
 +.Ic ENV Ns :: Ns Ar name .
 +This will work if the program looks up environment variables using
 +the CONF library instead of calling
 +.Xr getenv 3
 +directly.
 +The value string must not exceed 64k in length after variable expansion or an
 +error will occur.
 +.Pp
 +It is possible to escape certain characters by using any kind of quote
 +or the
 +.Ql \e
 +character.
 +By making the last character of a line a
 +.Ql \e ,
 +a
 +.Ar value
 +string can be spread across multiple lines.
 +In addition the sequences
 +.Ql \en ,
 +.Ql \er ,
 +.Ql \eb ,
 +and
 +.Ql \et
 +are recognized.
 +.Sh OPENSSL LIBRARY CONFIGURATION
 +Applications can automatically configure certain aspects of OpenSSL
 +using the master OpenSSL configuration file, or optionally an
 +alternative configuration file.
 +The
 +.Xr openssl 1
 +utility includes this functionality: any sub command uses the master
 +OpenSSL configuration file unless an option is used in the sub command
 +to use an alternative configuration file.
 +.Pp
 +To enable library configuration, the default section needs to contain
 +an appropriate line which points to the main configuration section.
 +The default name is
 +.Ic openssl_conf ,
 +which is used by the
 +.Xr openssl 1
 +utility.
 +Other applications may use an alternative name such as
 +.Sy myapplication_conf .
 +All library configuration lines appear in the default section
 +at the start of the configuration file.
 +.Pp
 +The configuration section should consist of a set of name value pairs
 +which contain specific module configuration information.
 +The
 +.Ar name
 +represents the name of the configuration module.
 +The meaning of the
 +.Ar value
 +is module specific: it may, for example, represent a further
 +configuration section containing configuration module specific
 +information.
 +For example:
 +.Bd -literal -offset indent
 +# The following line must be in the default section.
 +openssl_conf = openssl_init
 +
 +[openssl_init]
 +oid_section = new_oids
 +
 +[new_oids]
 +\&... new oids here ...
 +.Ed
 +.Pp
 +The features of each configuration module are described below.
 +.Ss ASN1 Object Configuration Module
 +This module has the name
 +.Ic oid_section .
 +The value of this variable points to a section containing name value
 +pairs of OIDs: the name is the OID short and long name, and the value is the
 +numerical form of the OID.
 +Although some of the
 +.Xr openssl 1
 +utility subcommands already have their own ASN1 OBJECT section
 +functionality, not all do.
 +By using the ASN1 OBJECT configuration module, all the
 +.Xr openssl 1
 +utility subcommands can see the new objects as well as any compliant
 +applications.
 +For example:
 +.Bd -literal -offset indent
 +[new_oids]
 +some_new_oid = 1.2.3.4
 +some_other_oid = 1.2.3.5
 +.Ed
 +.Pp
 +It is also possible to set the value to the long name followed by a
 +comma and the numerical OID form.
 +For example:
 +.Pp
 +.Dl shortName = some object long name, 1.2.3.4
 +.Sh FILES
 +.Bl -tag -width /etc/pki/tls/libressl.cnf -compact
 +.It Pa /etc/pki/tls/libressl.cnf
 +standard configuration file
 +.El
 +.Sh EXAMPLES
 +Here is a sample configuration file using some of the features
 +mentioned above:
 +.Bd -literal -offset indent
 +# This is the default section.
 +HOME=/temp
 +RANDFILE= ${ENV::HOME}/.rnd
 +configdir=$ENV::HOME/config
 +
 +[ section_one ]
 +# We are now in section one.
 +
 +# Quotes permit leading and trailing whitespace
 +any = " any variable name "
 +
 +other = A string that can \e
 +cover several lines \e
 +by including \e\e characters
 +
 +message = Hello World\en
 +
 +[ section_two ]
 +greeting = $section_one::message
 +.Ed
 +.Pp
 +This next example shows how to expand environment variables safely.
 +.Pp
 +Suppose you want a variable called
 +.Sy tmpfile
 +to refer to a temporary filename.
 +The directory it is placed in can determined by the
 +.Ev TEMP
 +or
 +.Ev TMP
 +environment variables but they may not be set to any value at all.
 +If you just include the environment variable names and the variable
 +doesn't exist then this will cause an error when an attempt is made to
 +load the configuration file.
 +By making use of the default section both values can be looked up with
 +.Ev TEMP
 +taking priority and
 +.Pa /tmp
 +used if neither is defined:
 +.Bd -literal -offset indent
 +TMP=/tmp
 +# The above value is used if TMP isn't in the environment
 +TEMP=$ENV::TMP
 +# The above value is used if TEMP isn't in the environment
 +tmpfile=${ENV::TEMP}/tmp.filename
 +.Ed
 +.Pp
 +More complex OpenSSL library configuration.
 +Add OID:
 +.Bd -literal -offset indent
 +# Default appname: should match "appname" parameter (if any)
 +# supplied to CONF_modules_load_file et al.
 +openssl_conf = openssl_conf_section
 +
 +[openssl_conf_section]
 +# Configuration module list
 +oid_section = new_oids
 +
 +[new_oids]
 +# New OID, just short name
 +newoid1 = 1.2.3.4.1
 +# New OID shortname and long name
 +newoid2 = New OID 2 long name, 1.2.3.4.2
 +.Ed
 +.Pp
 +The above examples can be used with any application supporting library
 +configuration if "openssl_conf" is modified to match the appropriate
 +"appname".
 +.Pp
 +For example if the second sample file above is saved to "example.cnf"
 +then the command line:
 +.Pp
 +.Dl OPENSSL_CONF=example.cnf openssl asn1parse -genstr OID:1.2.3.4.1
 +.Pp
 +will output:
 +.Dl 0:d=0  hl=2 l=   4 prim: OBJECT            :newoid1
 +.Pp
 +showing that the OID "newoid1" has been added as "1.2.3.4.1".
 +.Sh SEE ALSO
 +.Xr openssl 1 ,
 +.Xr CONF_modules_load_file 3 ,
 +.Xr OPENSSL_config 3 ,
 +.Xr x509v3.cnf 5
 +.Sh CAVEATS
 +If a configuration file attempts to expand a variable that doesn't
 +exist, then an error is flagged and the file will not load.
 +This can also happen if an attempt is made to expand an environment
 +variable that doesn't exist.
 +For example, in a previous version of OpenSSL the default OpenSSL
 +master configuration file used the value of
 +.Ev HOME
 +which may not be defined on non Unix systems and would cause an error.
 +.Pp
 +This can be worked around by including a default section to provide
 +a default value: then if the environment lookup fails, the default
 +value will be used instead.
 +For this to work properly, the default value must be defined earlier
 +in the configuration file than the expansion.
 +See the
 +.Sx EXAMPLES
 +section for an example of how to do this.
 +.Pp
 +If the same variable is defined more than once in the same section,
 +then all but the last value will be silently ignored.
 +In certain circumstances such as with DNs, the same field may occur
 +multiple times.
 +This is usually worked around by ignoring any characters before an
 +initial
 +.Ql \&. ,
 +for example:
 +.Bd -literal -offset indent
 +1.OU="My first OU"
 +2.OU="My Second OU"
 +.Ed
 +.Sh BUGS
 +Currently there is no way to include characters using the octal
 +.Pf \e Ar nnn
 +form.
 +Strings are all NUL terminated, so NUL bytes cannot form part of
 +the value.
 +.Pp
 +The escaping isn't quite right: if you want to use sequences like
 +.Ql \en ,
 +you can't use any quote escaping on the same line.
 +.Pp
 +Files are loaded in a single pass.
 +This means that a variable expansion will only work if the variables
 +referenced are defined earlier in the file.
 diff -Naur a/man/Makefile.am b/man/Makefile.am
 --- a/man/Makefile.am	2024-10-14 10:52:54.000000000 +0600
 +++ b/man/Makefile.am	2025-01-09 22:30:29.135866729 +0600
@@ -561,7 +561,7 @@
 dist_man3_MANS += tls_load_file.3
 dist_man3_MANS += tls_ocsp_process_response.3
 dist_man3_MANS += tls_read.3
 -dist_man5_MANS += openssl.cnf.5
 +dist_man5_MANS += libressl.cnf.5
 dist_man5_MANS += x509v3.cnf.5
 install-data-hook:
 	ln -sf "ACCESS_DESCRIPTION_new.3" "$(DESTDIR)$(mandir)/man3/ACCESS_DESCRIPTION_free.3"
 diff -Naur a/man/Makefile.in b/man/Makefile.in
 --- a/man/Makefile.in	2024-10-14 10:53:07.000000000 +0600
 +++ b/man/Makefile.in	2025-01-09 22:30:39.821792993 +0600
@@ -686,7 +686,7 @@
 @ENABLE_LIBTLS_ONLY_FALSE@	tls_init.3 tls_load_file.3 \
 @ENABLE_LIBTLS_ONLY_FALSE@	tls_ocsp_process_response.3 \
 @ENABLE_LIBTLS_ONLY_FALSE@	tls_read.3
 -@ENABLE_LIBTLS_ONLY_FALSE@dist_man5_MANS = openssl.cnf.5 x509v3.cnf.5
 +@ENABLE_LIBTLS_ONLY_FALSE@dist_man5_MANS = libressl.cnf.5 x509v3.cnf.5
 all: all-am
 .SUFFIXES:
 diff -Naur a/man/openssl.cnf.5 b/man/openssl.cnf.5
 --- a/man/openssl.cnf.5	2024-09-25 09:30:06.000000000 +0600
 +++ b/man/openssl.cnf.5	1970-01-01 06:00:00.000000000 +0600
@@ -1,361 +0,0 @@
 -.\" $OpenBSD: openssl.cnf.5,v 1.11 2024/07/08 15:02:28 jmc Exp $
 -.\" full merge up to: OpenSSL man5/config b53338cb Feb 28 12:30:28 2017 +0100
 -.\" selective merge up to: OpenSSL a8c5ed81 Jul 18 13:57:25 2017 -0400
 -.\"
 -.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
 -.\" Copyright (c) 1999, 2000, 2004, 2013, 2015, 2016, 2017 The OpenSSL Project.
 -.\" All rights reserved.
 -.\"
 -.\" Redistribution and use in source and binary forms, with or without
 -.\" modification, are permitted provided that the following conditions
 -.\" are met:
 -.\"
 -.\" 1. Redistributions of source code must retain the above copyright
 -.\"    notice, this list of conditions and the following disclaimer.
 -.\"
 -.\" 2. Redistributions in binary form must reproduce the above copyright
 -.\"    notice, this list of conditions and the following disclaimer in
 -.\"    the documentation and/or other materials provided with the
 -.\"    distribution.
 -.\"
 -.\" 3. All advertising materials mentioning features or use of this
 -.\"    software must display the following acknowledgment:
 -.\"    "This product includes software developed by the OpenSSL Project
 -.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 -.\"
 -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 -.\"    endorse or promote products derived from this software without
 -.\"    prior written permission. For written permission, please contact
 -.\"    openssl-core@openssl.org.
 -.\"
 -.\" 5. Products derived from this software may not be called "OpenSSL"
 -.\"    nor may "OpenSSL" appear in their names without prior written
 -.\"    permission of the OpenSSL Project.
 -.\"
 -.\" 6. Redistributions of any form whatsoever must retain the following
 -.\"    acknowledgment:
 -.\"    "This product includes software developed by the OpenSSL Project
 -.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 -.\"
 -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 -.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 -.\" OF THE POSSIBILITY OF SUCH DAMAGE.
 -.\"
 -.Dd $Mdocdate: July 8 2024 $
 -.Dt OPENSSL.CNF 5
 -.Os
 -.Sh NAME
 -.Nm openssl.cnf
 -.Nd OpenSSL configuration files
 -.Sh DESCRIPTION
 -The OpenSSL CONF library can be used to read configuration files; see
 -.Xr CONF_modules_load_file 3 .
 -It is used for the OpenSSL master configuration file
 -.Pa /etc/ssl/openssl.cnf
 -and in a few other places such as certificate extension files for the
 -.Xr openssl 1
 -.Cm x509
 -utility.
 -OpenSSL applications can also use the CONF library for their own
 -purposes.
 -.Pp
 -A configuration file is divided into a number of sections.
 -Each section starts with a line
 -.Bq Ar section_name
 -and ends when a new section is started or the end of the file is reached.
 -A section name can consist of alphanumeric characters and underscores.
 -.Pp
 -The first section of a configuration file is special and is referred to
 -as the
 -.Dq default section .
 -It is usually unnamed and extends from the start of file to the
 -first named section.
 -When a name is being looked up, it is first looked up in a named
 -section (if any) and then in the default section.
 -.Pp
 -The environment is mapped onto a section called
 -.Ic ENV .
 -.Pp
 -Comments can be included by preceding them with the
 -.Ql #
 -character.
 -.Pp
 -Each section in a configuration file consists of a number of name and
 -value pairs of the form
 -.Ar name Ns = Ns Ar value .
 -.Pp
 -The
 -.Ar name
 -string can contain any alphanumeric characters as well as a few
 -punctuation symbols such as
 -.Ql \&.
 -.Ql \&,
 -.Ql \&;
 -and
 -.Ql _ .
 -.Pp
 -The
 -.Ar value
 -string consists of the string following the
 -.Ql =
 -character until the end of the line with any leading and trailing
 -whitespace removed.
 -.Pp
 -The value string undergoes variable expansion.
 -This can be done by including substrings of the form
 -.Pf $ Ar name
 -or
 -.Pf $ Brq Ar name :
 -this will substitute the value of the named variable in the current
 -section.
 -It is also possible to substitute a value from another section using the
 -syntax
 -.Pf $ Ar section Ns :: Ns Ar name
 -or
 -.Pf $ Brq Ar section Ns :: Ns Ar name .
 -By using the form
 -.Pf $ Ic ENV Ns :: Ns Ar name ,
 -environment variables can be substituted.
 -It is also possible to assign values to environment variables by using
 -the name
 -.Ic ENV Ns :: Ns Ar name .
 -This will work if the program looks up environment variables using
 -the CONF library instead of calling
 -.Xr getenv 3
 -directly.
 -The value string must not exceed 64k in length after variable expansion or an
 -error will occur.
 -.Pp
 -It is possible to escape certain characters by using any kind of quote
 -or the
 -.Ql \e
 -character.
 -By making the last character of a line a
 -.Ql \e ,
 -a
 -.Ar value
 -string can be spread across multiple lines.
 -In addition the sequences
 -.Ql \en ,
 -.Ql \er ,
 -.Ql \eb ,
 -and
 -.Ql \et
 -are recognized.
 -.Sh OPENSSL LIBRARY CONFIGURATION
 -Applications can automatically configure certain aspects of OpenSSL
 -using the master OpenSSL configuration file, or optionally an
 -alternative configuration file.
 -The
 -.Xr openssl 1
 -utility includes this functionality: any sub command uses the master
 -OpenSSL configuration file unless an option is used in the sub command
 -to use an alternative configuration file.
 -.Pp
 -To enable library configuration, the default section needs to contain
 -an appropriate line which points to the main configuration section.
 -The default name is
 -.Ic openssl_conf ,
 -which is used by the
 -.Xr openssl 1
 -utility.
 -Other applications may use an alternative name such as
 -.Sy myapplication_conf .
 -All library configuration lines appear in the default section
 -at the start of the configuration file.
 -.Pp
 -The configuration section should consist of a set of name value pairs
 -which contain specific module configuration information.
 -The
 -.Ar name
 -represents the name of the configuration module.
 -The meaning of the
 -.Ar value
 -is module specific: it may, for example, represent a further
 -configuration section containing configuration module specific
 -information.
 -For example:
 -.Bd -literal -offset indent
 -# The following line must be in the default section.
 -openssl_conf = openssl_init
 -
 -[openssl_init]
 -oid_section = new_oids
 -
 -[new_oids]
 -\&... new oids here ...
 -.Ed
 -.Pp
 -The features of each configuration module are described below.
 -.Ss ASN1 Object Configuration Module
 -This module has the name
 -.Ic oid_section .
 -The value of this variable points to a section containing name value
 -pairs of OIDs: the name is the OID short and long name, and the value is the
 -numerical form of the OID.
 -Although some of the
 -.Xr openssl 1
 -utility subcommands already have their own ASN1 OBJECT section
 -functionality, not all do.
 -By using the ASN1 OBJECT configuration module, all the
 -.Xr openssl 1
 -utility subcommands can see the new objects as well as any compliant
 -applications.
 -For example:
 -.Bd -literal -offset indent
 -[new_oids]
 -some_new_oid = 1.2.3.4
 -some_other_oid = 1.2.3.5
 -.Ed
 -.Pp
 -It is also possible to set the value to the long name followed by a
 -comma and the numerical OID form.
 -For example:
 -.Pp
 -.Dl shortName = some object long name, 1.2.3.4
 -.Sh FILES
 -.Bl -tag -width /etc/ssl/openssl.cnf -compact
 -.It Pa /etc/ssl/openssl.cnf
 -standard configuration file
 -.El
 -.Sh EXAMPLES
 -Here is a sample configuration file using some of the features
 -mentioned above:
 -.Bd -literal -offset indent
 -# This is the default section.
 -HOME=/temp
 -RANDFILE= ${ENV::HOME}/.rnd
 -configdir=$ENV::HOME/config
 -
 -[ section_one ]
 -# We are now in section one.
 -
 -# Quotes permit leading and trailing whitespace
 -any = " any variable name "
 -
 -other = A string that can \e
 -cover several lines \e
 -by including \e\e characters
 -
 -message = Hello World\en
 -
 -[ section_two ]
 -greeting = $section_one::message
 -.Ed
 -.Pp
 -This next example shows how to expand environment variables safely.
 -.Pp
 -Suppose you want a variable called
 -.Sy tmpfile
 -to refer to a temporary filename.
 -The directory it is placed in can determined by the
 -.Ev TEMP
 -or
 -.Ev TMP
 -environment variables but they may not be set to any value at all.
 -If you just include the environment variable names and the variable
 -doesn't exist then this will cause an error when an attempt is made to
 -load the configuration file.
 -By making use of the default section both values can be looked up with
 -.Ev TEMP
 -taking priority and
 -.Pa /tmp
 -used if neither is defined:
 -.Bd -literal -offset indent
 -TMP=/tmp
 -# The above value is used if TMP isn't in the environment
 -TEMP=$ENV::TMP
 -# The above value is used if TEMP isn't in the environment
 -tmpfile=${ENV::TEMP}/tmp.filename
 -.Ed
 -.Pp
 -More complex OpenSSL library configuration.
 -Add OID:
 -.Bd -literal -offset indent
 -# Default appname: should match "appname" parameter (if any)
 -# supplied to CONF_modules_load_file et al.
 -openssl_conf = openssl_conf_section
 -
 -[openssl_conf_section]
 -# Configuration module list
 -oid_section = new_oids
 -
 -[new_oids]
 -# New OID, just short name
 -newoid1 = 1.2.3.4.1
 -# New OID shortname and long name
 -newoid2 = New OID 2 long name, 1.2.3.4.2
 -.Ed
 -.Pp
 -The above examples can be used with any application supporting library
 -configuration if "openssl_conf" is modified to match the appropriate
 -"appname".
 -.Pp
 -For example if the second sample file above is saved to "example.cnf"
 -then the command line:
 -.Pp
 -.Dl OPENSSL_CONF=example.cnf openssl asn1parse -genstr OID:1.2.3.4.1
 -.Pp
 -will output:
 -.Dl 0:d=0  hl=2 l=   4 prim: OBJECT            :newoid1
 -.Pp
 -showing that the OID "newoid1" has been added as "1.2.3.4.1".
 -.Sh SEE ALSO
 -.Xr openssl 1 ,
 -.Xr CONF_modules_load_file 3 ,
 -.Xr OPENSSL_config 3 ,
 -.Xr x509v3.cnf 5
 -.Sh CAVEATS
 -If a configuration file attempts to expand a variable that doesn't
 -exist, then an error is flagged and the file will not load.
 -This can also happen if an attempt is made to expand an environment
 -variable that doesn't exist.
 -For example, in a previous version of OpenSSL the default OpenSSL
 -master configuration file used the value of
 -.Ev HOME
 -which may not be defined on non Unix systems and would cause an error.
 -.Pp
 -This can be worked around by including a default section to provide
 -a default value: then if the environment lookup fails, the default
 -value will be used instead.
 -For this to work properly, the default value must be defined earlier
 -in the configuration file than the expansion.
 -See the
 -.Sx EXAMPLES
 -section for an example of how to do this.
 -.Pp
 -If the same variable is defined more than once in the same section,
 -then all but the last value will be silently ignored.
 -In certain circumstances such as with DNs, the same field may occur
 -multiple times.
 -This is usually worked around by ignoring any characters before an
 -initial
 -.Ql \&. ,
 -for example:
 -.Bd -literal -offset indent
 -1.OU="My first OU"
 -2.OU="My Second OU"
 -.Ed
 -.Sh BUGS
 -Currently there is no way to include characters using the octal
 -.Pf \e Ar nnn
 -form.
 -Strings are all NUL terminated, so NUL bytes cannot form part of
 -the value.
 -.Pp
 -The escaping isn't quite right: if you want to use sequences like
 -.Ql \en ,
 -you can't use any quote escaping on the same line.
 -.Pp
 -Files are loaded in a single pass.
 -This means that a variable expansion will only work if the variables
 -referenced are defined earlier in the file.
 diff -Naur a/openssl.cnf b/openssl.cnf
 --- a/openssl.cnf	2023-07-05 14:08:27.000000000 +0600
 +++ b/openssl.cnf	1970-01-01 06:00:00.000000000 +0600
@@ -1,24 +0,0 @@
 -[ req ]
 -#default_bits		= 2048
--- a/base/libressl/libressl.spec
+++ b/base/libressl/libressl.spec
@ -20,7 +20,7 @@
 %global _hardened_build 1
 Name:           libressl
-Version:        3.8.4
+Version:        4.0.0
 Release:        1%{dist}
 Summary:        An SSL/TLS protocol implementation
 License:        OpenSSL
@ -29,6 +29,7 @@ Url:            http://libressl.org/
 Source:         http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/%{name}-%{version}.tar.gz
 Patch1:         libressl-rename-config-file.patch
 Patch2:         libressl-cmake-rename-binaries.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %if 0%{?rhel} == 7
@ -36,13 +37,7 @@ BuildRequires:  devtoolset-8-gcc devtoolset-8-gcc-c++ devtoolset-8-build devtool
 %else
 BuildRequires:  gcc gcc-c++
 %endif
-%if %{?rhel} < 7
+BuildRequires:  cmake
 BuildRequires: autoconf2.69
 %else
 BuildRequires:  autoconf
 %endif
 BuildRequires:  automake
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
 Requires:      %{name}-libs = %{version}-%{release}
@ -86,9 +81,7 @@ applications that want to make use of libressl.
 %prep
-%setup -q -n %{name}-%{version}
+%autosetup -p1 -n %{name}-%{version}
 %patch1 -p1 -b .config
 %build
 %if 0%{?rhel} == 7
@ -96,22 +89,17 @@ applications that want to make use of libressl.
 %enable_devtoolset8
 %endif
-autoreconf -vfi
+%cmake \
    -DCMAKE_INSTALL_LIBDIR=%{_libdir}/libressl \
    -DCMAKE_INSTALL_INCLUDEDIR=%{_includedir}/libressl \
    -DOPENSSLDIR=%{_ssldir} \
    -DLIBRESSL_TESTS=OFF \
    -DENABLE_NC=ON
-# Some smart people broke disable-static
+%cmake_build
 %configure \
    --with-openssldir=%{_ssldir} \
    --libdir=%{_libdir}/libressl \
    --includedir=%{_includedir}/libressl \
    --program-suffix "-libre"
 sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool
 make %{?_smp_mflags}
 %install
-%make_install
+%cmake_install
 rm -f %{buildroot}/etc/pki/tls/cert.pem
 rm -f %{buildroot}/%{_libdir}/libressl/*.a
@ -121,10 +109,12 @@ echo '%{_libdir}/libressl' > %{buildroot}/%{_sysconfdir}/ld.so.conf.d/libressl.c
 find %{buildroot}/%{_libdir} -type f \( -name '*.so' -o -name '*.so.*' \) -exec chmod 755 {} +
 mv %{buildroot}%{_libdir}/libressl/pkgconfig %{buildroot}%{_libdir}/pkgconfig
 mv %{buildroot}%{_libdir}/libressl/cmake %{buildroot}%{_libdir}/
 pushd %{buildroot}%{_libdir}/libressl
 for lib in ssl tls crypto
 do
    ln -sf %{_libdir}/libressl/$(readlink lib${lib}.so) %{buildroot}%{_libdir}/lib${lib}.so
    rm -f %{buildroot}/%{_libdir}/libressl/lib${lib}.so
 done
@ -135,7 +125,6 @@ done
 %files
 %defattr(-,root,root)
 %config %{_sysconfdir}/ld.so.conf.d/libressl.conf
 %{_bindir}/*-libre
 %{_mandir}/man1/*.1*
 %{_mandir}/man5/*.*
@ -143,9 +132,10 @@ done
 %doc COPYING VERSION README.md
 %files libs
 %config %{_sysconfdir}/ld.so.conf.d/libressl.conf
 %attr(0644,root,root) %config(noreplace) %{_ssldir}/libressl.cnf
 %attr(0644,root,root) %config(noreplace) %{_ssldir}/x509v3.cnf
-%{_libdir}/libressl/lib*.so*
+%{_libdir}/libressl/lib*.so.*
 %doc COPYING VERSION
 %files devel
@ -155,9 +145,13 @@ done
 %{_libdir}/libssl.so
 %{_libdir}/libtls.so
 %{_libdir}/pkgconfig/*.pc
 %{_libdir}/cmake/LibreSSL/*.cmake
 %{_mandir}/man3/*
 %changelog
 * Mon Jan  6 2025 Raven <raven@sysadmins.ws> - 4.0.0-1
 - update to 4.0.0
 * Thu Mar 28 2024 Raven <raven@sysadmins.ws> - 3.8.4-1
 - update to 3.8.4