libressl: update to 4.0

2025-01-13 11:30:53 +06:00 · 2025-01-13 11:30:53 +06:00 · 5109161bd3
commit 5109161bd3
parent 01f81d23da
3 changed files with 16095 additions and 99 deletions
--- a/base/libressl/libressl-cmake-rename-binaries.patch
+++ b/base/libressl/libressl-cmake-rename-binaries.patch
--- a/base/libressl/libressl-rename-config-file.patch
+++ b/base/libressl/libressl-rename-config-file.patch
@ -1,66 +1,6 @@
-diff -Naur libressl-3.8.1-orig/Makefile.am libressl-3.8.1/Makefile.am
--- libressl-3.8.1-orig/Makefile.am	2023-08-21 17:00:06.000000000 +0600
-+++ libressl-3.8.1/Makefile.am	2023-10-03 14:13:45.763015193 +0600
-@@ -12,7 +12,7 @@
- 
- EXTRA_DIST = README.md README.windows VERSION config scripts
- EXTRA_DIST += CMakeLists.txt cmake_export_symbol.cmake cmake_uninstall.cmake.in FindLibreSSL.cmake LibreSSLConfig.cmake.in
-EXTRA_DIST += cert.pem openssl.cnf x509v3.cnf
-+EXTRA_DIST += cert.pem libressl.cnf x509v3.cnf
- 
- .PHONY: install_sw
- install_sw: install
-@@ -24,7 +24,7 @@
- 		OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
- 	fi; \
- 	mkdir -p "$$OPENSSLDIR/certs"; \
-	for i in cert.pem openssl.cnf x509v3.cnf; do \
-+	for i in cert.pem libressl.cnf x509v3.cnf; do \
- 		if [ ! -f "$$OPENSSLDIR/$i" ]; then \
- 			$(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \
- 		else \
-@@ -38,7 +38,7 @@
- 	else \
- 		OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
- 	fi; \
-	for i in cert.pem openssl.cnf x509v3.cnf; do \
-+	for i in cert.pem libressl.cnf x509v3.cnf; do \
- 		if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \
- 			rm -f "$$OPENSSLDIR/$$i"; \
- 		fi \
-diff -Naur libressl-3.8.1-orig/Makefile.in libressl-3.8.1/Makefile.in
--- libressl-3.8.1-orig/Makefile.in	2023-08-31 08:15:32.000000000 +0600
-+++ libressl-3.8.1/Makefile.in	2023-10-03 14:14:15.117827061 +0600
-@@ -374,7 +374,7 @@
- EXTRA_DIST = README.md README.windows VERSION config scripts \
- 	CMakeLists.txt cmake_export_symbol.cmake \
- 	cmake_uninstall.cmake.in FindLibreSSL.cmake \
-	LibreSSLConfig.cmake.in cert.pem openssl.cnf x509v3.cnf
-+	LibreSSLConfig.cmake.in cert.pem libressl.cnf x509v3.cnf
- all: all-recursive
- 
- .SUFFIXES:
-@@ -895,7 +895,7 @@
- 		OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
- 	fi; \
- 	mkdir -p "$$OPENSSLDIR/certs"; \
-	for i in cert.pem openssl.cnf x509v3.cnf; do \
-+	for i in cert.pem libressl.cnf x509v3.cnf; do \
- 		if [ ! -f "$$OPENSSLDIR/$i" ]; then \
- 			$(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \
- 		else \
-@@ -909,7 +909,7 @@
- 	else \
- 		OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
- 	fi; \
-	for i in cert.pem openssl.cnf x509v3.cnf; do \
-+	for i in cert.pem libressl.cnf x509v3.cnf; do \
- 		if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \
- 			rm -f "$$OPENSSLDIR/$$i"; \
- 		fi \
-diff -Naur libressl-3.8.1-orig/apps/openssl/apps.c libressl-3.8.1/apps/openssl/apps.c
--- libressl-3.8.1-orig/apps/openssl/apps.c	2023-08-21 16:50:37.000000000 +0600
-+++ libressl-3.8.1/apps/openssl/apps.c	2023-10-03 14:15:00.235537604 +0600
+diff -Naur a/apps/openssl/apps.c b/apps/openssl/apps.c
+--- a/apps/openssl/apps.c	2024-09-25 09:30:06.000000000 +0600
+++ b/apps/openssl/apps.c	2025-01-09 22:24:46.419234126 +0600
@@ -1069,7 +1069,7 @@
 	const char *t = X509_get_default_cert_area();
 	char *p;
@ -70,10 +10,22 @@ diff -Naur libressl-3.8.1-orig/apps/openssl/apps.c libressl-3.8.1/apps/openssl/a
 		return NULL;
 	return p;
 }
-diff -Naur libressl-3.8.1-orig/crypto/conf/conf_mod.c libressl-3.8.1/crypto/conf/conf_mod.c
--- libressl-3.8.1-orig/crypto/conf/conf_mod.c	2023-08-21 16:50:37.000000000 +0600
-+++ libressl-3.8.1/crypto/conf/conf_mod.c	2023-10-03 14:15:27.230364281 +0600
-@@ -474,7 +474,7 @@
+diff -Naur a/CMakeLists.txt b/CMakeLists.txt
+--- a/CMakeLists.txt	2024-10-08 16:16:19.000000000 +0600
+++ b/CMakeLists.txt	2025-01-09 22:34:00.078411167 +0600
+@@ -531,7 +531,7 @@
+ 			DESTINATION ${CMAKE_INSTALL_LIBDIR})
+ 	endif()
+ 
+-	install(FILES cert.pem openssl.cnf x509v3.cnf DESTINATION ${CONF_DIR})
+	install(FILES cert.pem libressl.cnf x509v3.cnf DESTINATION ${CONF_DIR})
+ 	install(DIRECTORY DESTINATION ${CONF_DIR}/certs)
+ 
+  	if(NOT TARGET uninstall)
+diff -Naur a/crypto/conf/conf_mod.c b/crypto/conf/conf_mod.c
+--- a/crypto/conf/conf_mod.c	2024-09-25 09:30:06.000000000 +0600
+++ b/crypto/conf/conf_mod.c	2025-01-09 22:22:06.849337107 +0600
+@@ -485,7 +485,7 @@
 {
 	char *file = NULL;
 
@ -82,9 +34,9 @@ diff -Naur libressl-3.8.1-orig/crypto/conf/conf_mod.c libressl-3.8.1/crypto/conf
 	    X509_get_default_cert_area()) == -1)
 		return (NULL);
 	return file;
-diff -Naur libressl-3.8.1-orig/libressl.cnf libressl-3.8.1/libressl.cnf
--- libressl-3.8.1-orig/libressl.cnf	1970-01-01 06:00:00.000000000 +0600
-+++ libressl-3.8.1/libressl.cnf	2023-07-05 14:08:27.000000000 +0600
+diff -Naur a/libressl.cnf b/libressl.cnf
+--- a/libressl.cnf	1970-01-01 06:00:00.000000000 +0600
+++ b/libressl.cnf	2023-07-05 14:08:27.000000000 +0600
@@ -0,0 +1,24 @@
 +[ req ]
 +#default_bits		= 2048
@ -110,9 +62,823 @@ diff -Naur libressl-3.8.1-orig/libressl.cnf libressl-3.8.1/libressl.cnf
 +challengePassword		= A challenge password
 +challengePassword_min		= 4
 +challengePassword_max		= 20
-diff -Naur libressl-3.8.1-orig/openssl.cnf libressl-3.8.1/openssl.cnf
--- libressl-3.8.1-orig/openssl.cnf	2023-07-05 14:08:27.000000000 +0600
-+++ libressl-3.8.1/openssl.cnf	1970-01-01 06:00:00.000000000 +0600
+diff -Naur a/Makefile.am b/Makefile.am
+--- a/Makefile.am	2024-05-28 19:25:41.000000000 +0600
+++ b/Makefile.am	2025-01-09 22:23:13.342877490 +0600
+@@ -12,7 +12,7 @@
+ 
+ EXTRA_DIST = README.md README.mingw.md VERSION config scripts
+ EXTRA_DIST += CMakeLists.txt cmake_export_symbol.cmake cmake_uninstall.cmake.in FindLibreSSL.cmake LibreSSLConfig.cmake.in
+-EXTRA_DIST += cert.pem openssl.cnf x509v3.cnf
+EXTRA_DIST += cert.pem libressl.cnf x509v3.cnf
+ 
+ .PHONY: install_sw
+ install_sw: install
+@@ -24,7 +24,7 @@
+ 		OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
+ 	fi; \
+ 	mkdir -p "$$OPENSSLDIR/certs"; \
+-	for i in cert.pem openssl.cnf x509v3.cnf; do \
+	for i in cert.pem libressl.cnf x509v3.cnf; do \
+ 		if [ ! -f "$$OPENSSLDIR/$i" ]; then \
+ 			$(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \
+ 		else \
+@@ -38,7 +38,7 @@
+ 	else \
+ 		OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
+ 	fi; \
+-	for i in cert.pem openssl.cnf x509v3.cnf; do \
+	for i in cert.pem libressl.cnf x509v3.cnf; do \
+ 		if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \
+ 			rm -f "$$OPENSSLDIR/$$i"; \
+ 		fi \
+diff -Naur a/Makefile.in b/Makefile.in
+--- a/Makefile.in	2024-10-14 10:53:04.000000000 +0600
+++ b/Makefile.in	2025-01-09 22:25:23.906975003 +0600
+@@ -374,7 +374,7 @@
+ EXTRA_DIST = README.md README.mingw.md VERSION config scripts \
+ 	CMakeLists.txt cmake_export_symbol.cmake \
+ 	cmake_uninstall.cmake.in FindLibreSSL.cmake \
+-	LibreSSLConfig.cmake.in cert.pem openssl.cnf x509v3.cnf
+	LibreSSLConfig.cmake.in cert.pem libressl.cnf x509v3.cnf
+ all: all-recursive
+ 
+ .SUFFIXES:
+@@ -895,7 +895,7 @@
+ 		OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
+ 	fi; \
+ 	mkdir -p "$$OPENSSLDIR/certs"; \
+-	for i in cert.pem openssl.cnf x509v3.cnf; do \
+	for i in cert.pem libressl.cnf x509v3.cnf; do \
+ 		if [ ! -f "$$OPENSSLDIR/$i" ]; then \
+ 			$(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \
+ 		else \
+@@ -909,7 +909,7 @@
+ 	else \
+ 		OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
+ 	fi; \
+-	for i in cert.pem openssl.cnf x509v3.cnf; do \
+	for i in cert.pem libressl.cnf x509v3.cnf; do \
+ 		if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \
+ 			rm -f "$$OPENSSLDIR/$$i"; \
+ 		fi \
+diff -Naur a/man/libressl.cnf.5 b/man/libressl.cnf.5
+--- a/man/libressl.cnf.5	1970-01-01 06:00:00.000000000 +0600
+++ b/man/libressl.cnf.5	2025-01-09 22:33:23.437663998 +0600
+@@ -0,0 +1,361 @@
+.\" $OpenBSD: openssl.cnf.5,v 1.11 2024/07/08 15:02:28 jmc Exp $
+.\" full merge up to: OpenSSL man5/config b53338cb Feb 28 12:30:28 2017 +0100
+.\" selective merge up to: OpenSSL a8c5ed81 Jul 18 13:57:25 2017 -0400
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 1999, 2000, 2004, 2013, 2015, 2016, 2017 The OpenSSL Project.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: July 8 2024 $
+.Dt OPENSSL.CNF 5
+.Os
+.Sh NAME
+.Nm libressl.cnf
+.Nd OpenSSL configuration files
+.Sh DESCRIPTION
+The OpenSSL CONF library can be used to read configuration files; see
+.Xr CONF_modules_load_file 3 .
+It is used for the OpenSSL master configuration file
+.Pa /etc/pki/tls/libressl.cnf
+and in a few other places such as certificate extension files for the
+.Xr openssl 1
+.Cm x509
+utility.
+OpenSSL applications can also use the CONF library for their own
+purposes.
+.Pp
+A configuration file is divided into a number of sections.
+Each section starts with a line
+.Bq Ar section_name
+and ends when a new section is started or the end of the file is reached.
+A section name can consist of alphanumeric characters and underscores.
+.Pp
+The first section of a configuration file is special and is referred to
+as the
+.Dq default section .
+It is usually unnamed and extends from the start of file to the
+first named section.
+When a name is being looked up, it is first looked up in a named
+section (if any) and then in the default section.
+.Pp
+The environment is mapped onto a section called
+.Ic ENV .
+.Pp
+Comments can be included by preceding them with the
+.Ql #
+character.
+.Pp
+Each section in a configuration file consists of a number of name and
+value pairs of the form
+.Ar name Ns = Ns Ar value .
+.Pp
+The
+.Ar name
+string can contain any alphanumeric characters as well as a few
+punctuation symbols such as
+.Ql \&.
+.Ql \&,
+.Ql \&;
+and
+.Ql _ .
+.Pp
+The
+.Ar value
+string consists of the string following the
+.Ql =
+character until the end of the line with any leading and trailing
+whitespace removed.
+.Pp
+The value string undergoes variable expansion.
+This can be done by including substrings of the form
+.Pf $ Ar name
+or
+.Pf $ Brq Ar name :
+this will substitute the value of the named variable in the current
+section.
+It is also possible to substitute a value from another section using the
+syntax
+.Pf $ Ar section Ns :: Ns Ar name
+or
+.Pf $ Brq Ar section Ns :: Ns Ar name .
+By using the form
+.Pf $ Ic ENV Ns :: Ns Ar name ,
+environment variables can be substituted.
+It is also possible to assign values to environment variables by using
+the name
+.Ic ENV Ns :: Ns Ar name .
+This will work if the program looks up environment variables using
+the CONF library instead of calling
+.Xr getenv 3
+directly.
+The value string must not exceed 64k in length after variable expansion or an
+error will occur.
+.Pp
+It is possible to escape certain characters by using any kind of quote
+or the
+.Ql \e
+character.
+By making the last character of a line a
+.Ql \e ,
+a
+.Ar value
+string can be spread across multiple lines.
+In addition the sequences
+.Ql \en ,
+.Ql \er ,
+.Ql \eb ,
+and
+.Ql \et
+are recognized.
+.Sh OPENSSL LIBRARY CONFIGURATION
+Applications can automatically configure certain aspects of OpenSSL
+using the master OpenSSL configuration file, or optionally an
+alternative configuration file.
+The
+.Xr openssl 1
+utility includes this functionality: any sub command uses the master
+OpenSSL configuration file unless an option is used in the sub command
+to use an alternative configuration file.
+.Pp
+To enable library configuration, the default section needs to contain
+an appropriate line which points to the main configuration section.
+The default name is
+.Ic openssl_conf ,
+which is used by the
+.Xr openssl 1
+utility.
+Other applications may use an alternative name such as
+.Sy myapplication_conf .
+All library configuration lines appear in the default section
+at the start of the configuration file.
+.Pp
+The configuration section should consist of a set of name value pairs
+which contain specific module configuration information.
+The
+.Ar name
+represents the name of the configuration module.
+The meaning of the
+.Ar value
+is module specific: it may, for example, represent a further
+configuration section containing configuration module specific
+information.
+For example:
+.Bd -literal -offset indent
+# The following line must be in the default section.
+openssl_conf = openssl_init
+
+[openssl_init]
+oid_section = new_oids
+
+[new_oids]
+\&... new oids here ...
+.Ed
+.Pp
+The features of each configuration module are described below.
+.Ss ASN1 Object Configuration Module
+This module has the name
+.Ic oid_section .
+The value of this variable points to a section containing name value
+pairs of OIDs: the name is the OID short and long name, and the value is the
+numerical form of the OID.
+Although some of the
+.Xr openssl 1
+utility subcommands already have their own ASN1 OBJECT section
+functionality, not all do.
+By using the ASN1 OBJECT configuration module, all the
+.Xr openssl 1
+utility subcommands can see the new objects as well as any compliant
+applications.
+For example:
+.Bd -literal -offset indent
+[new_oids]
+some_new_oid = 1.2.3.4
+some_other_oid = 1.2.3.5
+.Ed
+.Pp
+It is also possible to set the value to the long name followed by a
+comma and the numerical OID form.
+For example:
+.Pp
+.Dl shortName = some object long name, 1.2.3.4
+.Sh FILES
+.Bl -tag -width /etc/pki/tls/libressl.cnf -compact
+.It Pa /etc/pki/tls/libressl.cnf
+standard configuration file
+.El
+.Sh EXAMPLES
+Here is a sample configuration file using some of the features
+mentioned above:
+.Bd -literal -offset indent
+# This is the default section.
+HOME=/temp
+RANDFILE= ${ENV::HOME}/.rnd
+configdir=$ENV::HOME/config
+
+[ section_one ]
+# We are now in section one.
+
+# Quotes permit leading and trailing whitespace
+any = " any variable name "
+
+other = A string that can \e
+cover several lines \e
+by including \e\e characters
+
+message = Hello World\en
+
+[ section_two ]
+greeting = $section_one::message
+.Ed
+.Pp
+This next example shows how to expand environment variables safely.
+.Pp
+Suppose you want a variable called
+.Sy tmpfile
+to refer to a temporary filename.
+The directory it is placed in can determined by the
+.Ev TEMP
+or
+.Ev TMP
+environment variables but they may not be set to any value at all.
+If you just include the environment variable names and the variable
+doesn't exist then this will cause an error when an attempt is made to
+load the configuration file.
+By making use of the default section both values can be looked up with
+.Ev TEMP
+taking priority and
+.Pa /tmp
+used if neither is defined:
+.Bd -literal -offset indent
+TMP=/tmp
+# The above value is used if TMP isn't in the environment
+TEMP=$ENV::TMP
+# The above value is used if TEMP isn't in the environment
+tmpfile=${ENV::TEMP}/tmp.filename
+.Ed
+.Pp
+More complex OpenSSL library configuration.
+Add OID:
+.Bd -literal -offset indent
+# Default appname: should match "appname" parameter (if any)
+# supplied to CONF_modules_load_file et al.
+openssl_conf = openssl_conf_section
+
+[openssl_conf_section]
+# Configuration module list
+oid_section = new_oids
+
+[new_oids]
+# New OID, just short name
+newoid1 = 1.2.3.4.1
+# New OID shortname and long name
+newoid2 = New OID 2 long name, 1.2.3.4.2
+.Ed
+.Pp
+The above examples can be used with any application supporting library
+configuration if "openssl_conf" is modified to match the appropriate
+"appname".
+.Pp
+For example if the second sample file above is saved to "example.cnf"
+then the command line:
+.Pp
+.Dl OPENSSL_CONF=example.cnf openssl asn1parse -genstr OID:1.2.3.4.1
+.Pp
+will output:
+.Dl 0:d=0  hl=2 l=   4 prim: OBJECT            :newoid1
+.Pp
+showing that the OID "newoid1" has been added as "1.2.3.4.1".
+.Sh SEE ALSO
+.Xr openssl 1 ,
+.Xr CONF_modules_load_file 3 ,
+.Xr OPENSSL_config 3 ,
+.Xr x509v3.cnf 5
+.Sh CAVEATS
+If a configuration file attempts to expand a variable that doesn't
+exist, then an error is flagged and the file will not load.
+This can also happen if an attempt is made to expand an environment
+variable that doesn't exist.
+For example, in a previous version of OpenSSL the default OpenSSL
+master configuration file used the value of
+.Ev HOME
+which may not be defined on non Unix systems and would cause an error.
+.Pp
+This can be worked around by including a default section to provide
+a default value: then if the environment lookup fails, the default
+value will be used instead.
+For this to work properly, the default value must be defined earlier
+in the configuration file than the expansion.
+See the
+.Sx EXAMPLES
+section for an example of how to do this.
+.Pp
+If the same variable is defined more than once in the same section,
+then all but the last value will be silently ignored.
+In certain circumstances such as with DNs, the same field may occur
+multiple times.
+This is usually worked around by ignoring any characters before an
+initial
+.Ql \&. ,
+for example:
+.Bd -literal -offset indent
+1.OU="My first OU"
+2.OU="My Second OU"
+.Ed
+.Sh BUGS
+Currently there is no way to include characters using the octal
+.Pf \e Ar nnn
+form.
+Strings are all NUL terminated, so NUL bytes cannot form part of
+the value.
+.Pp
+The escaping isn't quite right: if you want to use sequences like
+.Ql \en ,
+you can't use any quote escaping on the same line.
+.Pp
+Files are loaded in a single pass.
+This means that a variable expansion will only work if the variables
+referenced are defined earlier in the file.
+diff -Naur a/man/Makefile.am b/man/Makefile.am
+--- a/man/Makefile.am	2024-10-14 10:52:54.000000000 +0600
+++ b/man/Makefile.am	2025-01-09 22:30:29.135866729 +0600
+@@ -561,7 +561,7 @@
+ dist_man3_MANS += tls_load_file.3
+ dist_man3_MANS += tls_ocsp_process_response.3
+ dist_man3_MANS += tls_read.3
+-dist_man5_MANS += openssl.cnf.5
+dist_man5_MANS += libressl.cnf.5
+ dist_man5_MANS += x509v3.cnf.5
+ install-data-hook:
+ 	ln -sf "ACCESS_DESCRIPTION_new.3" "$(DESTDIR)$(mandir)/man3/ACCESS_DESCRIPTION_free.3"
+diff -Naur a/man/Makefile.in b/man/Makefile.in
+--- a/man/Makefile.in	2024-10-14 10:53:07.000000000 +0600
+++ b/man/Makefile.in	2025-01-09 22:30:39.821792993 +0600
+@@ -686,7 +686,7 @@
+ @ENABLE_LIBTLS_ONLY_FALSE@	tls_init.3 tls_load_file.3 \
+ @ENABLE_LIBTLS_ONLY_FALSE@	tls_ocsp_process_response.3 \
+ @ENABLE_LIBTLS_ONLY_FALSE@	tls_read.3
+-@ENABLE_LIBTLS_ONLY_FALSE@dist_man5_MANS = openssl.cnf.5 x509v3.cnf.5
+@ENABLE_LIBTLS_ONLY_FALSE@dist_man5_MANS = libressl.cnf.5 x509v3.cnf.5
+ all: all-am
+ 
+ .SUFFIXES:
+diff -Naur a/man/openssl.cnf.5 b/man/openssl.cnf.5
+--- a/man/openssl.cnf.5	2024-09-25 09:30:06.000000000 +0600
+++ b/man/openssl.cnf.5	1970-01-01 06:00:00.000000000 +0600
+@@ -1,361 +0,0 @@
+-.\" $OpenBSD: openssl.cnf.5,v 1.11 2024/07/08 15:02:28 jmc Exp $
+-.\" full merge up to: OpenSSL man5/config b53338cb Feb 28 12:30:28 2017 +0100
+-.\" selective merge up to: OpenSSL a8c5ed81 Jul 18 13:57:25 2017 -0400
+-.\"
+-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+-.\" Copyright (c) 1999, 2000, 2004, 2013, 2015, 2016, 2017 The OpenSSL Project.
+-.\" All rights reserved.
+-.\"
+-.\" Redistribution and use in source and binary forms, with or without
+-.\" modification, are permitted provided that the following conditions
+-.\" are met:
+-.\"
+-.\" 1. Redistributions of source code must retain the above copyright
+-.\"    notice, this list of conditions and the following disclaimer.
+-.\"
+-.\" 2. Redistributions in binary form must reproduce the above copyright
+-.\"    notice, this list of conditions and the following disclaimer in
+-.\"    the documentation and/or other materials provided with the
+-.\"    distribution.
+-.\"
+-.\" 3. All advertising materials mentioning features or use of this
+-.\"    software must display the following acknowledgment:
+-.\"    "This product includes software developed by the OpenSSL Project
+-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+-.\"
+-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+-.\"    endorse or promote products derived from this software without
+-.\"    prior written permission. For written permission, please contact
+-.\"    openssl-core@openssl.org.
+-.\"
+-.\" 5. Products derived from this software may not be called "OpenSSL"
+-.\"    nor may "OpenSSL" appear in their names without prior written
+-.\"    permission of the OpenSSL Project.
+-.\"
+-.\" 6. Redistributions of any form whatsoever must retain the following
+-.\"    acknowledgment:
+-.\"    "This product includes software developed by the OpenSSL Project
+-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+-.\"
+-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+-.\"
+-.Dd $Mdocdate: July 8 2024 $
+-.Dt OPENSSL.CNF 5
+-.Os
+-.Sh NAME
+-.Nm openssl.cnf
+-.Nd OpenSSL configuration files
+-.Sh DESCRIPTION
+-The OpenSSL CONF library can be used to read configuration files; see
+-.Xr CONF_modules_load_file 3 .
+-It is used for the OpenSSL master configuration file
+-.Pa /etc/ssl/openssl.cnf
+-and in a few other places such as certificate extension files for the
+-.Xr openssl 1
+-.Cm x509
+-utility.
+-OpenSSL applications can also use the CONF library for their own
+-purposes.
+-.Pp
+-A configuration file is divided into a number of sections.
+-Each section starts with a line
+-.Bq Ar section_name
+-and ends when a new section is started or the end of the file is reached.
+-A section name can consist of alphanumeric characters and underscores.
+-.Pp
+-The first section of a configuration file is special and is referred to
+-as the
+-.Dq default section .
+-It is usually unnamed and extends from the start of file to the
+-first named section.
+-When a name is being looked up, it is first looked up in a named
+-section (if any) and then in the default section.
+-.Pp
+-The environment is mapped onto a section called
+-.Ic ENV .
+-.Pp
+-Comments can be included by preceding them with the
+-.Ql #
+-character.
+-.Pp
+-Each section in a configuration file consists of a number of name and
+-value pairs of the form
+-.Ar name Ns = Ns Ar value .
+-.Pp
+-The
+-.Ar name
+-string can contain any alphanumeric characters as well as a few
+-punctuation symbols such as
+-.Ql \&.
+-.Ql \&,
+-.Ql \&;
+-and
+-.Ql _ .
+-.Pp
+-The
+-.Ar value
+-string consists of the string following the
+-.Ql =
+-character until the end of the line with any leading and trailing
+-whitespace removed.
+-.Pp
+-The value string undergoes variable expansion.
+-This can be done by including substrings of the form
+-.Pf $ Ar name
+-or
+-.Pf $ Brq Ar name :
+-this will substitute the value of the named variable in the current
+-section.
+-It is also possible to substitute a value from another section using the
+-syntax
+-.Pf $ Ar section Ns :: Ns Ar name
+-or
+-.Pf $ Brq Ar section Ns :: Ns Ar name .
+-By using the form
+-.Pf $ Ic ENV Ns :: Ns Ar name ,
+-environment variables can be substituted.
+-It is also possible to assign values to environment variables by using
+-the name
+-.Ic ENV Ns :: Ns Ar name .
+-This will work if the program looks up environment variables using
+-the CONF library instead of calling
+-.Xr getenv 3
+-directly.
+-The value string must not exceed 64k in length after variable expansion or an
+-error will occur.
+-.Pp
+-It is possible to escape certain characters by using any kind of quote
+-or the
+-.Ql \e
+-character.
+-By making the last character of a line a
+-.Ql \e ,
+-a
+-.Ar value
+-string can be spread across multiple lines.
+-In addition the sequences
+-.Ql \en ,
+-.Ql \er ,
+-.Ql \eb ,
+-and
+-.Ql \et
+-are recognized.
+-.Sh OPENSSL LIBRARY CONFIGURATION
+-Applications can automatically configure certain aspects of OpenSSL
+-using the master OpenSSL configuration file, or optionally an
+-alternative configuration file.
+-The
+-.Xr openssl 1
+-utility includes this functionality: any sub command uses the master
+-OpenSSL configuration file unless an option is used in the sub command
+-to use an alternative configuration file.
+-.Pp
+-To enable library configuration, the default section needs to contain
+-an appropriate line which points to the main configuration section.
+-The default name is
+-.Ic openssl_conf ,
+-which is used by the
+-.Xr openssl 1
+-utility.
+-Other applications may use an alternative name such as
+-.Sy myapplication_conf .
+-All library configuration lines appear in the default section
+-at the start of the configuration file.
+-.Pp
+-The configuration section should consist of a set of name value pairs
+-which contain specific module configuration information.
+-The
+-.Ar name
+-represents the name of the configuration module.
+-The meaning of the
+-.Ar value
+-is module specific: it may, for example, represent a further
+-configuration section containing configuration module specific
+-information.
+-For example:
+-.Bd -literal -offset indent
+-# The following line must be in the default section.
+-openssl_conf = openssl_init
+-
+-[openssl_init]
+-oid_section = new_oids
+-
+-[new_oids]
+-\&... new oids here ...
+-.Ed
+-.Pp
+-The features of each configuration module are described below.
+-.Ss ASN1 Object Configuration Module
+-This module has the name
+-.Ic oid_section .
+-The value of this variable points to a section containing name value
+-pairs of OIDs: the name is the OID short and long name, and the value is the
+-numerical form of the OID.
+-Although some of the
+-.Xr openssl 1
+-utility subcommands already have their own ASN1 OBJECT section
+-functionality, not all do.
+-By using the ASN1 OBJECT configuration module, all the
+-.Xr openssl 1
+-utility subcommands can see the new objects as well as any compliant
+-applications.
+-For example:
+-.Bd -literal -offset indent
+-[new_oids]
+-some_new_oid = 1.2.3.4
+-some_other_oid = 1.2.3.5
+-.Ed
+-.Pp
+-It is also possible to set the value to the long name followed by a
+-comma and the numerical OID form.
+-For example:
+-.Pp
+-.Dl shortName = some object long name, 1.2.3.4
+-.Sh FILES
+-.Bl -tag -width /etc/ssl/openssl.cnf -compact
+-.It Pa /etc/ssl/openssl.cnf
+-standard configuration file
+-.El
+-.Sh EXAMPLES
+-Here is a sample configuration file using some of the features
+-mentioned above:
+-.Bd -literal -offset indent
+-# This is the default section.
+-HOME=/temp
+-RANDFILE= ${ENV::HOME}/.rnd
+-configdir=$ENV::HOME/config
+-
+-[ section_one ]
+-# We are now in section one.
+-
+-# Quotes permit leading and trailing whitespace
+-any = " any variable name "
+-
+-other = A string that can \e
+-cover several lines \e
+-by including \e\e characters
+-
+-message = Hello World\en
+-
+-[ section_two ]
+-greeting = $section_one::message
+-.Ed
+-.Pp
+-This next example shows how to expand environment variables safely.
+-.Pp
+-Suppose you want a variable called
+-.Sy tmpfile
+-to refer to a temporary filename.
+-The directory it is placed in can determined by the
+-.Ev TEMP
+-or
+-.Ev TMP
+-environment variables but they may not be set to any value at all.
+-If you just include the environment variable names and the variable
+-doesn't exist then this will cause an error when an attempt is made to
+-load the configuration file.
+-By making use of the default section both values can be looked up with
+-.Ev TEMP
+-taking priority and
+-.Pa /tmp
+-used if neither is defined:
+-.Bd -literal -offset indent
+-TMP=/tmp
+-# The above value is used if TMP isn't in the environment
+-TEMP=$ENV::TMP
+-# The above value is used if TEMP isn't in the environment
+-tmpfile=${ENV::TEMP}/tmp.filename
+-.Ed
+-.Pp
+-More complex OpenSSL library configuration.
+-Add OID:
+-.Bd -literal -offset indent
+-# Default appname: should match "appname" parameter (if any)
+-# supplied to CONF_modules_load_file et al.
+-openssl_conf = openssl_conf_section
+-
+-[openssl_conf_section]
+-# Configuration module list
+-oid_section = new_oids
+-
+-[new_oids]
+-# New OID, just short name
+-newoid1 = 1.2.3.4.1
+-# New OID shortname and long name
+-newoid2 = New OID 2 long name, 1.2.3.4.2
+-.Ed
+-.Pp
+-The above examples can be used with any application supporting library
+-configuration if "openssl_conf" is modified to match the appropriate
+-"appname".
+-.Pp
+-For example if the second sample file above is saved to "example.cnf"
+-then the command line:
+-.Pp
+-.Dl OPENSSL_CONF=example.cnf openssl asn1parse -genstr OID:1.2.3.4.1
+-.Pp
+-will output:
+-.Dl 0:d=0  hl=2 l=   4 prim: OBJECT            :newoid1
+-.Pp
+-showing that the OID "newoid1" has been added as "1.2.3.4.1".
+-.Sh SEE ALSO
+-.Xr openssl 1 ,
+-.Xr CONF_modules_load_file 3 ,
+-.Xr OPENSSL_config 3 ,
+-.Xr x509v3.cnf 5
+-.Sh CAVEATS
+-If a configuration file attempts to expand a variable that doesn't
+-exist, then an error is flagged and the file will not load.
+-This can also happen if an attempt is made to expand an environment
+-variable that doesn't exist.
+-For example, in a previous version of OpenSSL the default OpenSSL
+-master configuration file used the value of
+-.Ev HOME
+-which may not be defined on non Unix systems and would cause an error.
+-.Pp
+-This can be worked around by including a default section to provide
+-a default value: then if the environment lookup fails, the default
+-value will be used instead.
+-For this to work properly, the default value must be defined earlier
+-in the configuration file than the expansion.
+-See the
+-.Sx EXAMPLES
+-section for an example of how to do this.
+-.Pp
+-If the same variable is defined more than once in the same section,
+-then all but the last value will be silently ignored.
+-In certain circumstances such as with DNs, the same field may occur
+-multiple times.
+-This is usually worked around by ignoring any characters before an
+-initial
+-.Ql \&. ,
+-for example:
+-.Bd -literal -offset indent
+-1.OU="My first OU"
+-2.OU="My Second OU"
+-.Ed
+-.Sh BUGS
+-Currently there is no way to include characters using the octal
+-.Pf \e Ar nnn
+-form.
+-Strings are all NUL terminated, so NUL bytes cannot form part of
+-the value.
+-.Pp
+-The escaping isn't quite right: if you want to use sequences like
+-.Ql \en ,
+-you can't use any quote escaping on the same line.
+-.Pp
+-Files are loaded in a single pass.
+-This means that a variable expansion will only work if the variables
+-referenced are defined earlier in the file.
+diff -Naur a/openssl.cnf b/openssl.cnf
+--- a/openssl.cnf	2023-07-05 14:08:27.000000000 +0600
+++ b/openssl.cnf	1970-01-01 06:00:00.000000000 +0600
@@ -1,24 +0,0 @@
 -[ req ]
 -#default_bits		= 2048
--- a/base/libressl/libressl.spec
+++ b/base/libressl/libressl.spec
@ -20,7 +20,7 @@
 %global _hardened_build 1

 Name:           libressl
-Version:        3.8.4
+Version:        4.0.0
 Release:        1%{dist}
 Summary:        An SSL/TLS protocol implementation
 License:        OpenSSL
@ -29,6 +29,7 @@ Url:            http://libressl.org/

 Source:         http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/%{name}-%{version}.tar.gz
 Patch1:         libressl-rename-config-file.patch
+Patch2:         libressl-cmake-rename-binaries.patch

 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %if 0%{?rhel} == 7
@ -36,13 +37,7 @@ BuildRequires:  devtoolset-8-gcc devtoolset-8-gcc-c++ devtoolset-8-build devtool
 %else
 BuildRequires:  gcc gcc-c++
 %endif
-%if %{?rhel} < 7
-BuildRequires: autoconf2.69
-%else
-BuildRequires:  autoconf
-%endif
-BuildRequires:  automake
-BuildRequires:  libtool
+BuildRequires:  cmake
 BuildRequires:  pkgconfig
 Requires:      %{name}-libs = %{version}-%{release}

@ -86,9 +81,7 @@ applications that want to make use of libressl.


 %prep
-%setup -q -n %{name}-%{version}
-%patch1 -p1 -b .config
-
+%autosetup -p1 -n %{name}-%{version}

 %build
 %if 0%{?rhel} == 7
@ -96,22 +89,17 @@ applications that want to make use of libressl.
 %enable_devtoolset8
 %endif

-autoreconf -vfi
+%cmake \
+    -DCMAKE_INSTALL_LIBDIR=%{_libdir}/libressl \
+    -DCMAKE_INSTALL_INCLUDEDIR=%{_includedir}/libressl \
+    -DOPENSSLDIR=%{_ssldir} \
+    -DLIBRESSL_TESTS=OFF \
+    -DENABLE_NC=ON

-# Some smart people broke disable-static
-%configure \
-    --with-openssldir=%{_ssldir} \
-    --libdir=%{_libdir}/libressl \
-    --includedir=%{_includedir}/libressl \
-    --program-suffix "-libre"
-
-sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool
-
-
-make %{?_smp_mflags}
+%cmake_build

 %install
-%make_install
+%cmake_install

 rm -f %{buildroot}/etc/pki/tls/cert.pem
 rm -f %{buildroot}/%{_libdir}/libressl/*.a
@ -121,10 +109,12 @@ echo '%{_libdir}/libressl' > %{buildroot}/%{_sysconfdir}/ld.so.conf.d/libressl.c
 find %{buildroot}/%{_libdir} -type f \( -name '*.so' -o -name '*.so.*' \) -exec chmod 755 {} +

 mv %{buildroot}%{_libdir}/libressl/pkgconfig %{buildroot}%{_libdir}/pkgconfig
+mv %{buildroot}%{_libdir}/libressl/cmake %{buildroot}%{_libdir}/
 pushd %{buildroot}%{_libdir}/libressl
 for lib in ssl tls crypto
 do
    ln -sf %{_libdir}/libressl/$(readlink lib${lib}.so) %{buildroot}%{_libdir}/lib${lib}.so
+    rm -f %{buildroot}/%{_libdir}/libressl/lib${lib}.so
 done


@ -135,7 +125,6 @@ done

 %files
 %defattr(-,root,root)
-%config %{_sysconfdir}/ld.so.conf.d/libressl.conf
 %{_bindir}/*-libre
 %{_mandir}/man1/*.1*
 %{_mandir}/man5/*.*
@ -143,9 +132,10 @@ done
 %doc COPYING VERSION README.md

 %files libs
+%config %{_sysconfdir}/ld.so.conf.d/libressl.conf
 %attr(0644,root,root) %config(noreplace) %{_ssldir}/libressl.cnf
 %attr(0644,root,root) %config(noreplace) %{_ssldir}/x509v3.cnf
-%{_libdir}/libressl/lib*.so*
+%{_libdir}/libressl/lib*.so.*
 %doc COPYING VERSION

 %files devel
@ -155,9 +145,13 @@ done
 %{_libdir}/libssl.so
 %{_libdir}/libtls.so
 %{_libdir}/pkgconfig/*.pc
+%{_libdir}/cmake/LibreSSL/*.cmake
 %{_mandir}/man3/*

 %changelog
+* Mon Jan  6 2025 Raven <raven@sysadmins.ws> - 4.0.0-1
+- update to 4.0.0
+
 * Thu Mar 28 2024 Raven <raven@sysadmins.ws> - 3.8.4-1
 - update to 3.8.4