# # spec file for package openssl-1_1 # # Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via https://bugs.opensuse.org/ # %define ssletcdir %{_sysconfdir}/ssl %define maj_min 1.1 %define _rname openssl %if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550 # Enable livepatching support for SLE15-SP4 onwards. It requires # compiler support introduced there. %define livepatchable 1 # Set variables for livepatching. %define _other %{_topdir}/OTHER %define tar_basename %{_rname}-livepatch-%{version}-%{release} %define tar_package_name %{tar_basename}.%{_arch}.tar.xz %define clones_dest_dir %{tar_basename}/%{_arch} %else # Unsupported operating system. %define livepatchable 0 %endif %ifnarch x86_64 # Unsupported architectures must have livepatch disabled. %define livepatchable 0 %endif Name: openssl-1_1 # Don't forget to update the version in the "openssl" meta-package! Version: 1.1.1w Release: 0 Summary: Secure Sockets and Transport Layer Security License: OpenSSL Group: Productivity/Networking/Security URL: https://www.openssl.org/ Source: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz # to get mtime of file: Source1: %{name}.changes Source2: baselibs.conf Source3: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz.asc # https://www.openssl.org/about/ # http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA2D29B7BF295C759#/openssl.keyring Source4: %{_rname}.keyring Source5: showciphers.c # PATCH-FIX-OPENSUSE: do not install html mans it takes ages Patch1: openssl-1.1.0-no-html.patch Patch2: openssl-truststore.patch Patch3: openssl-pkgconfig.patch Patch4: openssl-DEFAULT_SUSE_cipher.patch Patch5: openssl-ppc64-config.patch Patch6: openssl-riscv64-config.patch Patch7: openssl-no-date.patch # PATCH-FIX-UPSTREAM jsc#SLE-6126 and jsc#SLE-6129 Patch8: 0001-s390x-assembly-pack-perlasm-support.patch Patch9: 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch Patch10: 0003-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch Patch11: 0004-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch Patch12: 0005-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch Patch13: 0006-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch # PATCH-FIX-UPSTREAM bsc#1152695 jsc#SLE-7861 Support for CPACF enhancements - part 1 (crypto) Patch16: openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch Patch17: openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch Patch18: openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch Patch19: openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch Patch20: openssl-s390xcpuid.pl-fix-comment.patch Patch21: openssl-assembly-pack-accelerate-scalar-multiplication.patch Patch22: openssl-Enable-curve-spefific-ECDSA-implementations-via-EC_M.patch Patch23: openssl-s390x-assembly-pack-accelerate-ECDSA.patch Patch24: openssl-OPENSSL_s390xcap.pod-list-msa9-facility-bit-155.patch Patch25: openssl-s390x-assembly-pack-cleanse-only-sensitive-fields.patch Patch26: openssl-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch Patch27: openssl-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch Patch28: openssl-Fix-9bf682f-which-broke-nistp224_method.patch # FIPS patches Patch30: openssl-1.1.1-fips.patch Patch31: openssl-1.1.1-fips-post-rand.patch Patch32: openssl-1.1.1-fips-crng-test.patch Patch33: openssl-1.1.0-issuer-hash.patch Patch34: openssl-fips-run_selftests_only_when_module_is_complete.patch Patch35: openssl-ship_fips_standalone_hmac.patch Patch36: openssl-fips_mode.patch Patch37: openssl-1.1.1-evp-kdf.patch Patch38: openssl-1.1.1-ssh-kdf.patch Patch40: openssl-fips-selftests_in_nonfips_mode.patch Patch41: openssl-fips-clearerror.patch Patch42: openssl-fips-ignore_broken_atexit_test.patch Patch43: openssl-keep_EVP_KDF_functions_version.patch Patch45: openssl-fips-add-SHA3-selftest.patch Patch46: openssl-fips_selftest_upstream_drbg.patch Patch47: openssl-unknown_dgst.patch # PATCH-FIX-UPSTREAM jsc#SLE-7403 Support for CPACF enhancements - part 2 (crypto) Patch50: openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch Patch51: openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch # PATCH-FIX-UPSTREAM bsc#1175844 FIPS: (EC)Diffie-Hellman requirements # from SP800-56Arev3 SLE-15-SP2 Patch52: openssl-DH.patch Patch53: openssl-kdf-selftest.patch Patch54: openssl-kdf-tls-selftest.patch Patch55: openssl-kdf-ssh-selftest.patch Patch56: openssl-fips-DH_selftest_shared_secret_KAT.patch # PATCH-FIX-UPSTREAM bsc#1192442 FIPS: missing KAT for HKDF/TLS 1.3/IPSEC IKEv2 Patch57: openssl-fips-kdf-hkdf-selftest.patch Patch58: openssl-1.1.1-system-cipherlist.patch # PATCH-FIX-OPENSUSE jsc#SLE-15832 Centralized Crypto Compliance Configuration Patch59: openssl-1_1-seclevel.patch Patch60: openssl-1_1-use-seclevel2-in-tests.patch Patch61: openssl-1_1-disable-test_srp-sslapi.patch # PATCH-FIX-UPSTREAM jsc#SLE-18136 POWER10 performance enhancements for cryptography Patch69: openssl-1_1-Optimize-ppc64.patch # PATCH-FIX-UPSTREAM jsc#SLE-19742 Backport Arm improvements from OpenSSL 3 Patch70: openssl-1_1-Optimize-RSA-armv8.patch Patch71: openssl-1_1-Optimize-AES-XTS-aarch64.patch Patch72: openssl-1_1-Optimize-AES-GCM-uarchs.patch # PATCH-FIX-SUSE bsc#1185320 FIPS: move the HMAC-SHA2-256 used for integrity test Patch73: openssl-FIPS-KAT-before-integrity-tests.patch # PATCH-FIX-SUSE bsc#1182959 FIPS: Fix function and reason error codes Patch74: openssl-1_1-FIPS-fix-error-reason-codes.patch # PATCH-FIX-SUSE bsc#1180995 Default to RFC7919 groups in FIPS mode Patch75: openssl-1_1-paramgen-default_to_rfc7919.patch # PATCH-FIX-SUSE bsc#1194187 bsc#1004463 Add engines section in openssl.cnf Patch76: openssl-1_1-use-include-directive.patch # PATCH-FIX-SUSE bsc#1197280 FIPS: Additional PBKDF2 requirements for KAT Patch77: openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch Patch78: bsc1185319-FIPS-KAT-for-ECDSA.patch Patch79: bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch Patch81: openssl-1_1-shortcut-test_afalg_aes_cbc.patch # PATCH-FIX-SUSE bsc#1190653 FIPS: Provide methods to zeroize all unprotected SSPs and key components Patch84: openssl-1_1-Zeroization.patch # PATCH-FIX-SUSE bsc#1190651 FIPS: Provide a service-level indicator Patch85: openssl-1_1-ossl-sli-000-fix-build-error.patch Patch86: openssl-1_1-ossl-sli-001-fix-faults-preventing-make-update.patch Patch87: openssl-1_1-ossl-sli-002-ran-make-update.patch Patch88: openssl-1_1-ossl-sli-003-add-sli.patch # PATCH-FIX-SUSE bsc#1202148 FIPS: Port openssl to use jitterentropy Patch89: openssl-1_1-jitterentropy-3.4.0.patch # PATCH-FIX-SUSE bsc#1203046 FIPS: Fix memory leak when FIPS mode is enabled Patch90: openssl-1.1.1-fips-fix-memory-leaks.patch # PATCH-FIX-FEDORA bsc#1201293 FIPS: RAND api should call into FIPS DRBG Patch91: openssl-1_1-FIPS_drbg-rewire.patch # PATCH-FIX-FEDORA bsc#1203069 FIPS: Add KAT for the RAND_DRBG implementation Patch92: openssl-1_1-fips-drbg-selftest.patch # PATCH-FIX-SUSE bsc#1121365, bsc#1190888, bsc#1193859, bsc#1198471, bsc#1198472 # FIPS: List only approved digest and pubkey algorithms Patch93: openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch # PATCH-FIX-SUSE bsc#1190651 FIPS: Provide a service-level indicator Patch94: openssl-1_1-ossl-sli-004-allow-aes-xts-256.patch Patch95: openssl-1_1-ossl-sli-005-EC_group_order_bits.patch Patch96: openssl-1_1-ossl-sli-006-rsa_pkcs1_padding.patch Patch97: openssl-1_1-ossl-sli-007-pbkdf2-keylen.patch # PATCH-FIX-UPSTREAM jsc#PED-512 # POWER10 performance enhancements for cryptography Patch98: openssl-1_1-AES-GCM-performance-optimzation-with-stitched-method.patch Patch99: openssl-1_1-Fixed-counter-overflow.patch Patch100: openssl-1_1-chacha20-performance-optimizations-for-ppc64le-with-.patch Patch101: openssl-1_1-Fixed-conditional-statement-testing-64-and-256-bytes.patch Patch102: openssl-1_1-Fix-AES-GCM-on-Power-8-CPUs.patch # PATCH-FIX-OPENSUSE bsc#1205042 Set OpenSSL 3.0 as the default openssl Patch103: openssl-1_1-openssl-config.patch # PATCH-FIX-SUSE bsc#1207994 FIPS Make jitterentropy calls thread-safe Patch104: openssl-1_1-serialize-jitterentropy-calls.patch # PATCH-FIX-SUSE bsc#1208998 FIPS: PBKDF2 requirements for openssl Patch105: openssl-1_1-ossl-sli-008-pbkdf2-salt_pass_iteration.patch # PATCH-FIX-SUSE bsc#1212623 openssl s_client does not honor ocsp revocation status Patch106: openssl-s_client-check-ocsp-status.patch # PATCH-FIX-SUSE bsc#1213517 Dont pass zero length input to EVP_Cipher Patch107: openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch #PATCH-FIX-SUSE bsc#1215215 FIPS: Add "fips" to version string Patch108: openssl-1_1-fips-bsc1215215_fips_in_version_string.patch # PATCH-FIX-UPSTREAM jsc#PED-5086, jsc#PED-3514 # POWER10 performance enhancements for cryptography Patch109: openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch Patch110: openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch Patch111: openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch Patch112: openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch Patch113: openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch Patch114: openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch # PATCH-FIX-UPSTREAM: bsc#1216922 CVE-2023-5678 Generating excessively long X9.42 DH keys or # checking excessively long X9.42 DH keys or parameters may be very slow Patch115: openssl-CVE-2023-5678.patch BuildRequires: jitterentropy-devel >= 3.4.0 BuildRequires: pkgconfig BuildRequires: pkgconfig(zlib) Requires: libjitterentropy3 >= 3.4.0 Provides: ssl Requires: libopenssl1_1 = %{version}-%{release} # Needed for clean upgrade path, boo#1070003 Obsoletes: openssl-1_0_0 # Needed for clean upgrade from former openssl-1_1_0, boo#1081335 Obsoletes: openssl-1_1_0 %if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550 Requires: crypto-policies %endif %description OpenSSL is a software library to be used in applications that need to secure communications over computer networks against eavesdropping or need to ascertain the identity of the party at the other end. OpenSSL contains an implementation of the SSL and TLS protocols. %package -n libopenssl1_1 Summary: Secure Sockets and Transport Layer Security Group: Productivity/Networking/Security Recommends: ca-certificates-mozilla # Needed for clean upgrade from former openssl-1_1_0, boo#1081335 Obsoletes: libopenssl1_1_0 %if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550 Requires: crypto-policies %endif Conflicts: %{name} < %{version}-%{release} # Merge back the hmac files bsc#1185116 Provides: libopenssl1_1-hmac = %{version}-%{release} Obsoletes: libopenssl1_1-hmac < %{version}-%{release} # Needed for clean upgrade from former openssl-1_1_0, boo#1081335 Obsoletes: libopenssl1_1_0-hmac # Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499 Obsoletes: libopenssl-1_0_0-hmac %description -n libopenssl1_1 OpenSSL is a software library to be used in applications that need to secure communications over computer networks against eavesdropping or need to ascertain the identity of the party at the other end. OpenSSL contains an implementation of the SSL and TLS protocols. %package -n libopenssl-1_1-devel Summary: Development files for OpenSSL Group: Development/Libraries/C and C++ Requires: jitterentropy-devel >= 3.4.0 Requires: libopenssl1_1 = %{version} Requires: pkgconfig(zlib) Recommends: %{name} = %{version} Conflicts: ssl-devel Provides: ssl-devel # Needed for clean upgrade from former openssl-1_1_0, boo#1081335 Obsoletes: libopenssl-1_1_0-devel # Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499 Obsoletes: libopenssl-1_0_0-devel %description -n libopenssl-1_1-devel This subpackage contains header files for developing applications that want to make use of the OpenSSL C API. %package doc Summary: Additional Package Documentation Group: Productivity/Networking/Security Conflicts: openssl-doc Provides: openssl-doc = %{version} Obsoletes: openssl-doc < %{version} BuildArch: noarch %description doc This package contains optional documentation provided in addition to this package's base documentation. %prep %autosetup -p1 -n %{_rname}-%{version} cp apps/openssl.cnf apps/openssl-1_1.cnf %build %ifarch armv5el armv5tel export MACHINE=armv5el %endif %ifarch armv6l armv6hl export MACHINE=armv6l %endif ./config \ no-idea \ enable-rfc3779 \ %ifarch x86_64 aarch64 ppc64le enable-ec_nistp_64_gcc_128 \ %endif enable-camellia \ zlib \ no-ec2m \ --prefix=%{_prefix} \ --libdir=%{_lib} \ --openssldir=%{ssletcdir} \ %{optflags} \ %if %{livepatchable} -fpatchable-function-entry=16,14 -fdump-ipa-clones \ %endif -Wa,--noexecstack \ -Wl,-z,relro,-z,now \ -fno-common \ -DTERMIO \ -DPURIFY \ -D_GNU_SOURCE \ -DOPENSSL_NO_BUF_FREELISTS \ $(getconf LFS_CFLAGS) \ -Wall \ --with-rand-seed=getrandom \ --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config # Show build configuration perl configdata.pm --dump util/mkdef.pl crypto update %make_build depend %make_build all %check export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) LD_LIBRARY_PATH=`pwd` make test -j1 # Create the hmac files required to run the regression tests in FIPS mode #%{buildroot}%{_bindir}/fips_standalone_hmac \ # libssl.so.%{maj_min} > .libssl.so.%{maj_min}.hmac #%{buildroot}%{_bindir}/fips_standalone_hmac \ # libcrypto.so.%{maj_min} > .libcrypto.so.%{maj_min}.hmac #OPENSSL_FORCE_FIPS_MODE=1 LD_LIBRARY_PATH=`pwd` make TESTS='-test_pem \ # -test_hmac -test_mdc2 -test_dh -test_dsa -test_genrsa \ # -test_mp_rsa -test_enc -test_enc_more -test_passwd -test_req \ # -test_verify -test_evp -test_evp_extra -test_pkey_meth_kdf \ # -test_bad_dtls -test_comp -test_key_share -test_renegotiation \ # -test_sslcbcpadding -test_sslcertstatus -test_sslextension \ # -test_sslmessages -test_sslrecords -test_sslsessiontick \ # -test_sslsigalgs -test_sslsignature -test_sslskewith0p \ # -test_sslversions -test_sslvertol -test_tls13alerts \ # -test_tls13cookie -test_tls13downgrade -test_tls13hrr \ # -test_tls13kexmodes -test_tls13messages -test_tls13psk \ # -test_tlsextms -test_ca -test_cipherlist -test_cms \ # -test_dtls_mtu -test_ssl_new -test_ssl_old -test_bio_enc \ # -test_sslapi -test_tls13ccs -test_ec' test -j1 # show ciphers gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{buildroot}%{_libdir} -lssl -lcrypto LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers %install %if %{livepatchable} # Ipa-clones are files generated by gcc which logs changes made across # functions, and we need to know such changes to build livepatches # correctly. These files are intended to be used by the livepatch # developers and may be retrieved by using `osc getbinaries`. # # Create list of ipa-clones. find . -name "*.ipa-clones" ! -empty | sed 's/^\.\///g' | sort > ipa-clones.list # Create ipa-clones destination folder and move clones there. mkdir -p ipa-clones/%{clones_dest_dir} while read f; do _dest=ipa-clones/%{clones_dest_dir}/$f mkdir -p ${_dest%/*} cp $f $_dest done < ipa-clones.list # Create tar package with the clone files. tar cfJ %{tar_package_name} -C ipa-clones %{tar_basename} # Copy tar package to the OTHERS folder cp %{tar_package_name} %{_other} %endif # livepatchable %make_install %{?_smp_mflags} # kill static libs rm -f %{buildroot}%{_libdir}/lib*.a # Rename the openssl CLI to openssl-1_1 mv %{buildroot}%{_bindir}/openssl %{buildroot}%{_bindir}/openssl-1_1 # Install the openssl-1_1.cnf config file install -m 644 apps/openssl-1_1.cnf %{buildroot}%{_sysconfdir}/ssl/openssl-1_1.cnf # remove the cnf.dist rm -f %{buildroot}%{_sysconfdir}/ssl/openssl-1_1.cnf.dist rm -f %{buildroot}%{_sysconfdir}/ssl/ct_log_list.cnf rm -f %{buildroot}%{_sysconfdir}/ssl/ct_log_list.cnf.dist ln -sf ./%{_rname} %{buildroot}/%{_includedir}/ssl mkdir %{buildroot}/%{_datadir}/ssl mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl/ # Create the two directories into which packages will drop their configuration # files. mkdir %{buildroot}/%{ssletcdir}/engines.d/ mkdir %{buildroot}/%{ssletcdir}/engdef.d/ # avoid file conflicts with man pages from other packages # pushd %{buildroot}/%{_mandir} # some man pages now contain spaces. This makes several scripts go havoc, among them /usr/sbin/Check. # replace spaces by underscores #for i in man?/*\ *; do mv -v "$i" "${i// /_}"; done which readlink &>/dev/null || function readlink { ( set +x; target=$(file $1 2>/dev/null); target=${target//* }; test -f $target && echo $target; ) } for i in man?/*; do if test -L $i ; then LDEST=`readlink $i` rm -f $i ${i}ssl ln -sf ${LDEST}ssl ${i}ssl else mv $i ${i}ssl fi case "$i" in *.1) # these are the pages mentioned in openssl(1). They go into the main package. echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist;; *) # the rest goes into the openssl-doc package. echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist.doc;; esac done popd # Do not install demo scripts executable under /usr/share/doc find demos -type f -perm /111 -exec chmod 644 {} \; # Place showciphers.c for %%doc macro cp %{SOURCE5} . # the hmac hashes: # # this is a hack that re-defines the __os_install_post macro # for a simple reason: the macro strips the binaries and thereby # invalidates a HMAC that may have been created earlier. # solution: create the hashes _after_ the macro runs. # # this shows up earlier because otherwise the expand of # the macro is too late. # remark: This is the same as running # openssl dgst -sha256 -hmac 'ppaksykemnsecgtsttplmamstKMEs' %{expand:%%global __os_install_post {%__os_install_post # Point linker to the newly installed libcrypto in order to avoid BuildRequiring itself (libopenssl1_1) export LD_LIBRARY_PATH="%{buildroot}%{_libdir}" %{buildroot}%{_bindir}/fips_standalone_hmac \ %{buildroot}%{_libdir}/libssl.so.%{maj_min} > \ %{buildroot}%{_libdir}/.libssl.so.%{maj_min}.hmac # As fips_standalone_hmac now uses the very same library it checksums, # the libcrypto hmac needs to be saved to a temporary file, otherwise # the library will detect the empty hmac and abort due to a wrong checksum %{buildroot}%{_bindir}/fips_standalone_hmac \ %{buildroot}%{_libdir}/libcrypto.so.%{maj_min} > \ %{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.temphmac # rename the temporary checksum to its proper name mv %{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.temphmac %{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.hmac unset LD_LIBRARY_PATH }} %post -n libopenssl1_1 -p /sbin/ldconfig %postun -n libopenssl1_1 -p /sbin/ldconfig %files -n libopenssl1_1 %license LICENSE %{_libdir}/libssl.so.%{maj_min} %{_libdir}/libcrypto.so.%{maj_min} %{_libdir}/.libssl.so.%{maj_min}.hmac %{_libdir}/.libcrypto.so.%{maj_min}.hmac %{_libdir}/engines-%{maj_min} %files -n libopenssl-1_1-devel %{_includedir}/%{_rname}/ %{_includedir}/ssl %{_libdir}/libssl.so %{_libdir}/libcrypto.so %{_libdir}/pkgconfig/libcrypto.pc %{_libdir}/pkgconfig/libssl.pc %{_libdir}/pkgconfig/openssl.pc %files doc -f filelist.doc %doc doc/* demos %doc showciphers.c %files -f filelist %doc CHANGE* NEWS README %dir %{ssletcdir} %config (noreplace) %{ssletcdir}/openssl-1_1.cnf %attr(700,root,root) %{ssletcdir}/private %dir %{ssletcdir}/engines.d %dir %{ssletcdir}/engdef.d %dir %{_datadir}/ssl %{_datadir}/ssl/misc %{_bindir}/c_rehash-1_1 %{_bindir}/fips_standalone_hmac %{_bindir}/openssl-1_1 %changelog