Blame SPECS/compat-openssl11.spec

0bf02d
# For the curious:
0bf02d
# 0.9.5a soversion = 0
0bf02d
# 0.9.6  soversion = 1
0bf02d
# 0.9.6a soversion = 2
0bf02d
# 0.9.6c soversion = 3
0bf02d
# 0.9.7a soversion = 4
0bf02d
# 0.9.7ef soversion = 5
0bf02d
# 0.9.8ab soversion = 6
0bf02d
# 0.9.8g soversion = 7
0bf02d
# 0.9.8jk + EAP-FAST soversion = 8
0bf02d
# 1.0.0 soversion = 10
0bf02d
# 1.1.0 soversion = 1.1 (same as upstream although presence of some symbols
0bf02d
#                        depends on build configuration options)
0bf02d
%define soversion 1.1
0bf02d
0bf02d
# Arches on which we need to prevent arch conflicts on opensslconf.h, must
0bf02d
# also be handled in opensslconf-new.h.
0bf02d
%define multilib_arches %{ix86} ia64 %{mips} ppc ppc64 s390 s390x sparcv9 sparc64 x86_64
0bf02d
0bf02d
%global _performance_build 1
0bf02d
0bf02d
Summary: Utilities from the general purpose cryptography library with TLS implementation
0bf02d
Name: compat-openssl11
0bf02d
Version: 1.1.1k
0bf02d
Release: 3%{?dist}
0bf02d
Epoch: 1
0bf02d
# We have to remove certain patented algorithms from the openssl source
0bf02d
# tarball with the hobble-openssl script which is included below.
0bf02d
# The original openssl upstream tarball cannot be shipped in the .src.rpm.
0bf02d
Source: openssl-%{version}-hobbled.tar.xz
0bf02d
Source1: hobble-openssl
0bf02d
Source2: Makefile.certificate
0bf02d
Source6: make-dummy-cert
0bf02d
Source7: renew-dummy-cert
0bf02d
Source12: ec_curve.c
0bf02d
Source13: ectest.c
0bf02d
# Build changes
0bf02d
Patch1: openssl-1.1.1-build.patch
0bf02d
Patch2: openssl-1.1.1-defaults.patch
0bf02d
Patch3: openssl-1.1.1-no-html.patch
0bf02d
Patch4: openssl-1.1.1-man-rename.patch
0bf02d
0bf02d
# Functionality changes
0bf02d
Patch31: openssl-1.1.1-conf-paths.patch
0bf02d
Patch32: openssl-1.1.1-version-add-engines.patch
0bf02d
Patch33: openssl-1.1.1-apps-dgst.patch
0bf02d
Patch36: openssl-1.1.1-no-brainpool.patch
0bf02d
Patch37: openssl-1.1.1-ec-curves.patch
0bf02d
Patch38: openssl-1.1.1-no-weak-verify.patch
0bf02d
Patch40: openssl-1.1.1-disable-ssl3.patch
0bf02d
Patch41: openssl-1.1.1-system-cipherlist.patch
0bf02d
Patch42: openssl-1.1.1-fips.patch
0bf02d
Patch44: openssl-1.1.1-version-override.patch
0bf02d
Patch45: openssl-1.1.1-weak-ciphers.patch
0bf02d
Patch46: openssl-1.1.1-seclevel.patch
0bf02d
Patch47: openssl-1.1.1-ts-sha256-default.patch
0bf02d
Patch48: openssl-1.1.1-fips-post-rand.patch
0bf02d
Patch49: openssl-1.1.1-evp-kdf.patch
0bf02d
Patch50: openssl-1.1.1-ssh-kdf.patch
0bf02d
Patch51: openssl-1.1.1-intel-cet.patch
0bf02d
Patch60: openssl-1.1.1-krb5-kdf.patch
0bf02d
Patch61: openssl-1.1.1-edk2-build.patch
0bf02d
Patch62: openssl-1.1.1-fips-curves.patch
0bf02d
Patch65: openssl-1.1.1-fips-drbg-selftest.patch
0bf02d
Patch66: openssl-1.1.1-fips-dh.patch
0bf02d
Patch67: openssl-1.1.1-kdf-selftest.patch
0bf02d
Patch69: openssl-1.1.1-alpn-cb.patch
0bf02d
Patch70: openssl-1.1.1-rewire-fips-drbg.patch
0bf02d
Patch71: openssl-1.1.1-new-config-file.patch
0bf02d
# Backported fixes including security fixes
0bf02d
Patch52: openssl-1.1.1-s390x-update.patch
0bf02d
Patch53: openssl-1.1.1-fips-crng-test.patch
0bf02d
Patch55: openssl-1.1.1-arm-update.patch
0bf02d
Patch56: openssl-1.1.1-s390x-ecc.patch
0bf02d
0bf02d
License: OpenSSL and ASL 2.0
0bf02d
URL: http://www.openssl.org/
0bf02d
BuildRequires: make
0bf02d
BuildRequires: gcc
0bf02d
BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp
0bf02d
BuildRequires: lksctp-tools-devel
0bf02d
BuildRequires: /usr/bin/rename
0bf02d
BuildRequires: /usr/bin/pod2man
0bf02d
BuildRequires: /usr/sbin/sysctl
0bf02d
BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt)
0bf02d
BuildRequires: perl(Module::Load::Conditional), perl(File::Temp)
0bf02d
BuildRequires: perl(Time::HiRes)
0bf02d
BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy)
0bf02d
Requires: coreutils, crypto-policies
0bf02d
Conflicts: openssl < 1:3.0, openssl-libs < 1:3.0
0bf02d
0bf02d
%description
0bf02d
The OpenSSL toolkit provides support for secure communications between
0bf02d
machines. This version of OpenSSL package contains only the libraries
0bf02d
from the 1.1.1 version and is provided for compatibility with previous
0bf02d
releases.
0bf02d
0bf02d
%prep
0bf02d
%setup -q -n openssl-%{version}
0bf02d
0bf02d
# The hobble_openssl is called here redundantly, just to be sure.
0bf02d
# The tarball has already the sources removed.
0bf02d
%{SOURCE1} > /dev/null
0bf02d
0bf02d
cp %{SOURCE12} crypto/ec/
0bf02d
cp %{SOURCE13} test/
0bf02d
0bf02d
%patch1 -p1 -b .build   %{?_rawbuild}
0bf02d
%patch2 -p1 -b .defaults
0bf02d
%patch3 -p1 -b .no-html  %{?_rawbuild}
0bf02d
%patch4 -p1 -b .man-rename
0bf02d
0bf02d
%patch31 -p1 -b .conf-paths
0bf02d
%patch32 -p1 -b .version-add-engines
0bf02d
%patch33 -p1 -b .dgst
0bf02d
%patch36 -p1 -b .no-brainpool
0bf02d
%patch37 -p1 -b .curves
0bf02d
%patch38 -p1 -b .no-weak-verify
0bf02d
%patch40 -p1 -b .disable-ssl3
0bf02d
%patch41 -p1 -b .system-cipherlist
0bf02d
%patch42 -p1 -b .fips
0bf02d
%patch44 -p1 -b .version-override
0bf02d
%patch45 -p1 -b .weak-ciphers
0bf02d
%patch46 -p1 -b .seclevel
0bf02d
%patch47 -p1 -b .ts-sha256-default
0bf02d
%patch48 -p1 -b .fips-post-rand
0bf02d
%patch49 -p1 -b .evp-kdf
0bf02d
%patch50 -p1 -b .ssh-kdf
0bf02d
%patch51 -p1 -b .intel-cet
0bf02d
%patch52 -p1 -b .s390x-update
0bf02d
%patch53 -p1 -b .crng-test
0bf02d
%patch55 -p1 -b .arm-update
0bf02d
%patch56 -p1 -b .s390x-ecc
0bf02d
%patch60 -p1 -b .krb5-kdf
0bf02d
%patch61 -p1 -b .edk2-build
0bf02d
%patch62 -p1 -b .fips-curves
0bf02d
%patch65 -p1 -b .drbg-selftest
0bf02d
%patch66 -p1 -b .fips-dh
0bf02d
%patch67 -p1 -b .kdf-selftest
0bf02d
%patch69 -p1 -b .alpn-cb
0bf02d
%patch70 -p1 -b .rewire-fips-drbg
0bf02d
%patch71 -p1 -b .conf-new
0bf02d
0bf02d
cp apps/openssl.cnf apps/openssl11.cnf
0bf02d
0bf02d
%build
0bf02d
# Figure out which flags we want to use.
0bf02d
# default
0bf02d
sslarch=%{_os}-%{_target_cpu}
0bf02d
%ifarch %ix86
0bf02d
sslarch=linux-elf
0bf02d
if ! echo %{_target} | grep -q i686 ; then
0bf02d
	sslflags="no-asm 386"
0bf02d
fi
0bf02d
%endif
0bf02d
%ifarch x86_64
0bf02d
sslflags=enable-ec_nistp_64_gcc_128
0bf02d
%endif
0bf02d
%ifarch sparcv9
0bf02d
sslarch=linux-sparcv9
0bf02d
sslflags=no-asm
0bf02d
%endif
0bf02d
%ifarch sparc64
0bf02d
sslarch=linux64-sparcv9
0bf02d
sslflags=no-asm
0bf02d
%endif
0bf02d
%ifarch alpha alphaev56 alphaev6 alphaev67
0bf02d
sslarch=linux-alpha-gcc
0bf02d
%endif
0bf02d
%ifarch s390 sh3eb sh4eb
0bf02d
sslarch="linux-generic32 -DB_ENDIAN"
0bf02d
%endif
0bf02d
%ifarch s390x
0bf02d
sslarch="linux64-s390x"
0bf02d
%endif
0bf02d
%ifarch %{arm}
0bf02d
sslarch=linux-armv4
0bf02d
%endif
0bf02d
%ifarch aarch64
0bf02d
sslarch=linux-aarch64
0bf02d
sslflags=enable-ec_nistp_64_gcc_128
0bf02d
%endif
0bf02d
%ifarch sh3 sh4
0bf02d
sslarch=linux-generic32
0bf02d
%endif
0bf02d
%ifarch ppc64 ppc64p7
0bf02d
sslarch=linux-ppc64
0bf02d
%endif
0bf02d
%ifarch ppc64le
0bf02d
sslarch="linux-ppc64le"
0bf02d
sslflags=enable-ec_nistp_64_gcc_128
0bf02d
%endif
0bf02d
%ifarch mips mipsel
0bf02d
sslarch="linux-mips32 -mips32r2"
0bf02d
%endif
0bf02d
%ifarch mips64 mips64el
0bf02d
sslarch="linux64-mips64 -mips64r2"
0bf02d
%endif
0bf02d
%ifarch mips64el
0bf02d
sslflags=enable-ec_nistp_64_gcc_128
0bf02d
%endif
0bf02d
%ifarch riscv64
0bf02d
sslarch=linux-generic64
0bf02d
%endif
0bf02d
0bf02d
# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
0bf02d
# marked as not requiring an executable stack.
0bf02d
# Also add -DPURIFY to make using valgrind with openssl easier as we do not
0bf02d
# want to depend on the uninitialized memory as a source of entropy anyway.
0bf02d
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS"
0bf02d
0bf02d
export HASHBANGPERL=/usr/bin/perl
0bf02d
0bf02d
# ia64, x86_64, ppc are OK by default
0bf02d
# Configure the build tree.  Override OpenSSL defaults with known-good defaults
0bf02d
# usable on all platforms.  The Configure script already knows to use -fPIC and
0bf02d
# RPM_OPT_FLAGS, so we can skip specifiying them here.
0bf02d
./Configure \
0bf02d
	--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
0bf02d
	--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
0bf02d
	zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
0bf02d
	enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \
0bf02d
	enable-weak-ssl-ciphers \
0bf02d
	no-mdc2 no-ec2m no-sm2 no-sm4 \
0bf02d
	shared  ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'
0bf02d
0bf02d
# Do not run this in a production package the FIPS symbols must be patched-in
0bf02d
#util/mkdef.pl crypto update
0bf02d
0bf02d
make all
0bf02d
0bf02d
# Clean up the .pc files
0bf02d
for i in libcrypto.pc libssl.pc openssl.pc ; do
0bf02d
  sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i
0bf02d
done
0bf02d
0bf02d
%check
0bf02d
# Verify that what was compiled actually works.
0bf02d
0bf02d
cp apps/openssl.cnf apps/openssl11.cnf
0bf02d
0bf02d
# Hack - either enable SCTP AUTH chunks in kernel or disable sctp for check
0bf02d
(sysctl net.sctp.addip_enable=1 && sysctl net.sctp.auth_enable=1) || \
0bf02d
(echo 'Failed to enable SCTP AUTH chunks, disabling SCTP for tests...' &&
0bf02d
 sed '/"zlib-dynamic" => "default",/a\ \ "sctp" => "default",' configdata.pm > configdata.pm.new && \
0bf02d
 touch -r configdata.pm configdata.pm.new && \
0bf02d
 mv -f configdata.pm.new configdata.pm)
0bf02d
0bf02d
# We must revert patch31 before tests otherwise they will fail
0bf02d
patch -p1 -R < %{PATCH31}
0bf02d
0bf02d
OPENSSL_ENABLE_MD5_VERIFY=
0bf02d
export OPENSSL_ENABLE_MD5_VERIFY
0bf02d
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
0bf02d
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
0bf02d
make test
0bf02d
0bf02d
%define __provides_exclude_from %{_libdir}/openssl
0bf02d
0bf02d
%install
0bf02d
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
0bf02d
# Install OpenSSL.
0bf02d
install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl,%{_pkgdocdir}}
0bf02d
%make_install
0bf02d
rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}
0bf02d
for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do
0bf02d
	chmod 755 ${lib}
0bf02d
	ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion}
0bf02d
done
0bf02d
0bf02d
# Delete static library
0bf02d
rm -f $RPM_BUILD_ROOT%{_libdir}/*.a || :
0bf02d
0bf02d
# Delete non-devel man pages in the compat package
0bf02d
rm -rf $RPM_BUILD_ROOT%{_mandir}/man[157]*
0bf02d
0bf02d
# Delete configuration files
0bf02d
rm -rf  $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/*
0bf02d
0bf02d
# Remove binaries
0bf02d
rm -rf $RPM_BUILD_ROOT/%{_bindir}
0bf02d
0bf02d
# Remove useless capi engine
0bf02d
rm -f $RPM_BUILD_ROOT/%{_libdir}/engines-1.1/capi.so
0bf02d
0bf02d
# Delete devel files
0bf02d
rm -rf $RPM_BUILD_ROOT%{_includedir}/openssl
0bf02d
rm -rf $RPM_BUILD_ROOT%{_mandir}/man3*
0bf02d
rm -rf $RPM_BUILD_ROOT%{_libdir}/*.so
0bf02d
rm -rf $RPM_BUILD_ROOT%{_libdir}/pkgconfig
0bf02d
0bf02d
# Install compat config file
0bf02d
install -m 644 apps/openssl11.cnf $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl11.cnf
0bf02d
0bf02d
%files
0bf02d
%license LICENSE
0bf02d
%doc FAQ NEWS README
0bf02d
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version}
0bf02d
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{soversion}
0bf02d
%attr(0755,root,root) %{_libdir}/libssl.so.%{version}
0bf02d
%attr(0755,root,root) %{_libdir}/libssl.so.%{soversion}
0bf02d
%attr(0755,root,root) %{_libdir}/engines-%{soversion}
0bf02d
%config(noreplace) %{_sysconfdir}/pki/tls/openssl11.cnf
0bf02d
0bf02d
%dir %{_sysconfdir}/pki/tls
0bf02d
%attr(0644,root,root) %{_sysconfdir}/pki/tls/openssl11.cnf
0bf02d
0bf02d
%ldconfig_scriptlets
0bf02d
0bf02d
%changelog
0bf02d
* Mon Oct 05 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-3
0bf02d
- updates OPENSSL_CONF to openssl11.cnf.
0bf02d
- Related: rhbz#1947584, rhbz#2003123
0bf02d
0bf02d
* Mon Aug 16 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-2
0bf02d
- Remove support for building FIPS mode binaries for the
0bf02d
  compat libraries
0bf02d
- Ships openssl11.cnf as the configuration file.
0bf02d
- Resolves: rhbz#1993795
0bf02d
- Related: rhbz#1947584
0bf02d
0bf02d
* Thu Apr 08 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-1
0bf02d
- Repackage old openssl 1.1.1k package into compat-openssl11
0bf02d
  Resolves: bz#1947584