author Patrick J Volkerding <volkerdi@slackware.com>2023-03-09 20:28:23 +0000
committer Eric Hameleers <alien@slackware.com>2023-03-09 22:34:46 +0100
commit821601d7cba5012a437b87753ccee562d94540ca (patch)
treea24a2fe4ffd50c76c0359961eadb86e746698d1b /source/n/openssl
parenta24031248459c107553c13f30fd4bd94a44758e1 (diff)
Thu Mar 9 20:28:23 UTC 202320230309202823
a/openssl-solibs-3.0.8-x86_64-2.txz: Rebuilt. ap/dc3dd-7.3.0-x86_64-1.txz: Upgraded. ap/mariadb-10.11.2-x86_64-1.txz: Upgraded. d/cmake-3.25.3-x86_64-1.txz: Upgraded. l/imagemagick-7.1.1_1-x86_64-1.txz: Upgraded. l/libieee1284-0.2.11-x86_64-7.txz: Rebuilt. Rebuilt for python3. Thanks to Heinz Wiesinger. l/libplist-2.2.0-x86_64-4.txz: Rebuilt. Rebuilt for python3. Thanks to Heinz Wiesinger. l/pipewire-0.3.67-x86_64-1.txz: Upgraded. n/ModemManager-1.20.6-x86_64-1.txz: Upgraded. n/NetworkManager-1.42.4-x86_64-1.txz: Upgraded. n/openssl-3.0.8-x86_64-2.txz: Rebuilt. Fixed man pages. Thanks to marav. Add example for enabling the legacy algorithms to /etc/ssl/openssl.cnf. Thanks to ctrlaltca. n/openvpn-2.6.1-x86_64-1.txz: Upgraded. x/ibus-libpinyin-1.15.2-x86_64-1.txz: Upgraded. x/mesa-22.3.7-x86_64-1.txz: Upgraded.
Diffstat (limited to 'source/n/openssl')
-rw-r--r--source/n/openssl/0024-load-legacy-prov.patch55
-rwxr-xr-xsource/n/openssl/openssl.SlackBuild41
2 files changed, 64 insertions, 32 deletions
diff --git a/source/n/openssl/0024-load-legacy-prov.patch b/source/n/openssl/0024-load-legacy-prov.patch
new file mode 100644
index 000000000..bb6f84ebe
--- /dev/null
+++ b/source/n/openssl/0024-load-legacy-prov.patch
@@ -0,0 +1,55 @@
+--- ./apps/openssl.cnf.orig 2023-03-09 12:18:42.039633050 -0600
++++ ./apps/openssl.cnf 2023-03-09 12:26:32.614607021 -0600
+@@ -42,35 +42,33 @@
+ tsa_policy2 = 1.2.3.4.5.6
+ tsa_policy3 = 1.2.3.4.5.7
+
+-# For FIPS
+-# Optionally include a file that is generated by the OpenSSL fipsinstall
+-# application. This file contains configuration data required by the OpenSSL
+-# fips provider. It contains a named section e.g. [fips_sect] which is
+-# referenced from the [provider_sect] below.
+-# Refer to the OpenSSL security policy for more information.
+-# .include fipsmodule.cnf
+-
+ [openssl_init]
+ providers = provider_sect
+
+-# List of providers to load
+-[provider_sect]
+-default = default_sect
+-# The fips section name should match the section name inside the
+-# included fipsmodule.cnf.
+-# fips = fips_sect
+-
+-# If no providers are activated explicitly, the default one is activated implicitly.
+-# See man 7 OSSL_PROVIDER-default for more details.
+-#
++# List of providers to load:
++# Uncomment the sections that start with ## below to enable the legacy provider.
++# Loading the legacy provider enables support for the following algorithms:
++# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160
++# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED
++# Key Derivation Function (KDF): PBKDF1
++# In general it is not recommended to use the above mentioned algorithms for
++# security critical operations, as they are cryptographically weak or vulnerable
++# to side-channel attacks and as such have been deprecated.
+ # If you add a section explicitly activating any other provider(s), you most
+ # probably need to explicitly activate the default provider, otherwise it
+ # becomes unavailable in openssl. As a consequence applications depending on
+ # OpenSSL may not work correctly which could lead to significant system
+ # problems including inability to remotely access the system.
++
++[provider_sect]
++default = default_sect
++##legacy = legacy_sect
++
+ [default_sect]
+-# activate = 1
++activate = 1
+
++##[legacy_sect]
++##activate = 1
+
+ ####################################################################
+ [ ca ]
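Review bot: The algorithm list in the new openssl.cnf comment does not match what this package builds: openssl.SlackBuild in the same commit still passes `no-mdc2` in its configure options, so MDC2 would not become available by uncommenting the `##legacy` lines. The comment should also state the scope of the switch, because a provider enabled in /etc/ssl/openssl.cnf is loaded by every application that reads the default configuration, not only the one that needs an old cipher. I would trim the list to what the build ships and add a line such as `# Enabling this affects every program that loads this file; for a single command prefer: openssl <cmd> -provider legacy -provider default`.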
diff --git a/source/n/openssl/openssl.SlackBuild b/source/n/openssl/openssl.SlackBuild
index 690807a4d..a4a42c259 100755
--- a/source/n/openssl/openssl.SlackBuild
+++ b/source/n/openssl/openssl.SlackBuild
@@ -28,7 +28,7 @@ TMP=${TMP:-/tmp}
PKGNAM=openssl
VERSION=${VERSION:-$(echo openssl-*.tar.gz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-2}
# Automatically determine the architecture we're building on:
if [ -z "$ARCH" ]; then
@@ -65,13 +65,7 @@ rm -rf $PKG1 $PKG2 openssl-$VERSION
tar xvf $CWD/openssl-$VERSION.tar.gz || exit 1
cd openssl-$VERSION
-
-# Fix pod syntax errors which are fatal wih a newer perl:
-find . -name "*.pod" -exec sed -i "s/^\=item \([0-9]\)\(\ \|$\)/\=item C<\1>/g" {} \;
-
-## For openssl-1.1.x, don't try to change the soname.
-## Use .so.1, not .so.1.0.0:
-#sed -i "s/soname=\$\$SHLIB\$\$SHLIB_SOVER\$\$SHLIB_SUFFIX/soname=\$\$SHLIB.1/g" Makefile.shared
+chown -R root:root .
if [ "$ARCH" = "i586" ]; then
# Build with -march=i586 -mtune=i686:
@@ -85,17 +79,11 @@ elif [ "$ARCH" = "x86_64" ]; then
LIBDIRSUFFIX="64"
fi
-# NOT USED for openssl3...
-# OpenSSL has a (nasty?) habit of bumping the internal version number with
-# every release. This wouldn't be so bad, but some applications are so
-# paranoid that they won't run against a different OpenSSL version than
-# what they were compiled against, whether or not the ABI has changed.
-#
-# So, we will use the OPENSSL_VERSION_NUMBER from openssl-1.1.1 unless ABI
-# breakage forces it to change. Yes, we're finally using this old trick. :)
-#sed -i "s/#define OPENSSL_VERSION_NUMBER.*/\/* Use 0x1010100fL (1.1.1) below to avoid pointlessly breaking the ABI *\/\n#define OPENSSL_VERSION_NUMBER 0x1010100fL/g" include/openssl/opensslv.h || exit 1
+# Patch openssl.cnf to remove useless FIPS documentation, and to provide
+# examples for enabling legacy algorithms. These are considered weaker, but
+# some applications may still require them.
+zcat $CWD/0024-load-legacy-prov.patch.gz | patch -p1 --verbose || exit 1
-chown -R root:root .
mkdir -p $PKG1/usr/doc/openssl-$VERSION
cp -a ACKNOWLEDGEMENTS* AUTHORS* CHANGES* CONTRIBUTING* FAQ* INSTALL* \
LICENSE* NEWS* NOTES* README* doc \
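Review bot: The `|| exit 1` on the added `zcat ... | patch` line tests only the exit status of patch, so a missing or unreadable 0024-load-legacy-prov.patch.gz is not caught by it. Depending on how patch treats empty input, the build could continue and package the unpatched openssl.cnf. The commit adds the patch uncompressed while the script reads a `.gz`, presumably compressed later by the tree's tooling, which makes that path worth guarding. If the script runs under bash (the shebang is not visible here), put `set -o pipefail` before the line and quote the path: `zcat "$CWD/0024-load-legacy-prov.patch.gz" | patch -p1 --verbose || exit 1`.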
@@ -135,7 +123,8 @@ fi
no-weak-ssl-ciphers \
no-mdc2 \
no-ec2m \
- no-idea \
+ no-sm2 \
+ no-sm4 \
no-sse2 \
shared
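Review bot: The configure option list changes which algorithms are compiled in (`no-idea` is dropped, `no-sm2` and `no-sm4` are added) with no comment here and no mention in the changelog entry, which lists only the man page fix and the legacy example. Per the openssl.cnf comment added in this commit, IDEA sits behind the legacy provider, so it stays unreachable unless that provider is enabled, but removing SM2/SM4 can break consumers that request those algorithms. A short comment above the options would record the intent, e.g. `# IDEA is built but only reachable via the legacy provider; SM2/SM4 are disabled: <reason>`. The configure invocation starts outside this hunk.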
@@ -186,18 +175,6 @@ rm -f $PKG1/etc/ssl/openssl.cnf.dist
mv $PKG1/usr/share/man $PKG1/usr
rmdir $PKG1/usr/share
-# Fix manpage name collisions, and relink anything that linked to the old name:
-( cd $PKG1/usr/man/man1
- mv passwd.1 ssl_passwd.1
- for file in *.1 ; do
- if [ -L $file ]; then
- if [ "$(readlink $file)" = "passwd.1" ]; then
- rm -f $file
- ln -sf ssl_passwd.1 $file
- fi
- fi
- done )
-
# Compress and symlink the man pages:
if [ -d $PKG1/usr/man ]; then
( cd $PKG1/usr/man
@@ -207,7 +184,7 @@ if [ -d $PKG1/usr/man ]; then
ln -s $( readlink $eachpage ).gz $eachpage.gz
rm $eachpage
done
- gzip -9 *.ossl?
+ gzip -9 *.?ossl
)
done
)