9f776e8d93
- Security fix: [bsc#1222548, CVE-2024-2511] * Fix unconstrained session cache growth in TLSv1.3 * Add openssl-CVE-2024-2511.patch OBS-URL: https://build.opensuse.org/request/show/1172426 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=160
544 lines
23 KiB
RPMSpec
544 lines
23 KiB
RPMSpec
#
|
|
# spec file for package openssl-1_1
|
|
#
|
|
# Copyright (c) 2024 SUSE LLC
|
|
#
|
|
# All modifications and additions to the file contributed by third parties
|
|
# remain the property of their copyright owners, unless otherwise agreed
|
|
# upon. The license for this file, and modifications and additions to the
|
|
# file, is the same license as for the pristine package itself (unless the
|
|
# license for the pristine package is not an Open Source License, in which
|
|
# case the license is the MIT License). An "Open Source License" is a
|
|
# license that conforms to the Open Source Definition (Version 1.9)
|
|
# published by the Open Source Initiative.
|
|
|
|
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
|
#
|
|
|
|
|
|
%define ssletcdir %{_sysconfdir}/ssl
|
|
%define maj_min 1.1
|
|
%define _rname openssl
|
|
%global sslengcnf %{ssletcdir}/engines1.1.d
|
|
%global sslengdef %{ssletcdir}/engdef1.1.d
|
|
%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550
|
|
# Enable livepatching support for SLE15-SP4 onwards. It requires
|
|
# compiler support introduced there.
|
|
%define livepatchable 1
|
|
# Set variables for livepatching.
|
|
%define _other %{_topdir}/OTHER
|
|
%define tar_basename %{_rname}-livepatch-%{version}-%{release}
|
|
%define tar_package_name %{tar_basename}.%{_arch}.tar.xz
|
|
%define clones_dest_dir %{tar_basename}/%{_arch}
|
|
%else
|
|
# Unsupported operating system.
|
|
%define livepatchable 0
|
|
%endif
|
|
%ifnarch x86_64
|
|
# Unsupported architectures must have livepatch disabled.
|
|
%define livepatchable 0
|
|
%endif
|
|
Name: openssl-1_1
|
|
# Don't forget to update the version in the "openssl" meta-package!
|
|
Version: 1.1.1w
|
|
Release: 0
|
|
Summary: Secure Sockets and Transport Layer Security
|
|
License: OpenSSL
|
|
Group: Productivity/Networking/Security
|
|
URL: https://www.openssl.org/
|
|
Source: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz
|
|
# to get mtime of file:
|
|
Source1: %{name}.changes
|
|
Source2: baselibs.conf
|
|
Source3: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz.asc
|
|
# https://www.openssl.org/about/
|
|
# http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA2D29B7BF295C759#/openssl.keyring
|
|
Source4: %{_rname}.keyring
|
|
Source5: showciphers.c
|
|
# PATCH-FIX-OPENSUSE: do not install html mans it takes ages
|
|
Patch1: openssl-1.1.0-no-html.patch
|
|
Patch2: openssl-truststore.patch
|
|
Patch3: openssl-pkgconfig.patch
|
|
Patch4: openssl-DEFAULT_SUSE_cipher.patch
|
|
Patch5: openssl-ppc64-config.patch
|
|
Patch6: openssl-riscv64-config.patch
|
|
# PATCH-FIX-UPSTREAM jsc#SLE-6126 and jsc#SLE-6129
|
|
Patch8: 0001-s390x-assembly-pack-perlasm-support.patch
|
|
Patch9: 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
|
|
Patch10: 0003-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch
|
|
Patch11: 0004-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch
|
|
Patch12: 0005-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch
|
|
Patch13: 0006-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch
|
|
# PATCH-FIX-UPSTREAM bsc#1152695 jsc#SLE-7861 Support for CPACF enhancements - part 1 (crypto)
|
|
Patch16: openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch
|
|
Patch17: openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch
|
|
Patch18: openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch
|
|
Patch19: openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch
|
|
Patch20: openssl-s390xcpuid.pl-fix-comment.patch
|
|
Patch21: openssl-assembly-pack-accelerate-scalar-multiplication.patch
|
|
Patch22: openssl-Enable-curve-spefific-ECDSA-implementations-via-EC_M.patch
|
|
Patch23: openssl-s390x-assembly-pack-accelerate-ECDSA.patch
|
|
Patch24: openssl-OPENSSL_s390xcap.pod-list-msa9-facility-bit-155.patch
|
|
Patch25: openssl-s390x-assembly-pack-cleanse-only-sensitive-fields.patch
|
|
Patch26: openssl-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch
|
|
Patch27: openssl-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch
|
|
Patch28: openssl-Fix-9bf682f-which-broke-nistp224_method.patch
|
|
# FIPS patches
|
|
Patch30: openssl-1.1.1-fips.patch
|
|
Patch31: openssl-1.1.1-fips-post-rand.patch
|
|
Patch32: openssl-1.1.1-fips-crng-test.patch
|
|
Patch33: openssl-1.1.0-issuer-hash.patch
|
|
Patch34: openssl-fips-run_selftests_only_when_module_is_complete.patch
|
|
Patch35: openssl-ship_fips_standalone_hmac.patch
|
|
Patch36: openssl-fips_mode.patch
|
|
Patch37: openssl-1.1.1-evp-kdf.patch
|
|
Patch38: openssl-1.1.1-ssh-kdf.patch
|
|
Patch40: openssl-fips-selftests_in_nonfips_mode.patch
|
|
Patch41: openssl-fips-clearerror.patch
|
|
Patch42: openssl-fips-ignore_broken_atexit_test.patch
|
|
Patch45: openssl-fips-add-SHA3-selftest.patch
|
|
Patch46: openssl-fips_selftest_upstream_drbg.patch
|
|
Patch47: openssl-unknown_dgst.patch
|
|
# PATCH-FIX-UPSTREAM jsc#SLE-7403 Support for CPACF enhancements - part 2 (crypto)
|
|
Patch50: openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch
|
|
Patch51: openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch
|
|
# PATCH-FIX-UPSTREAM bsc#1175844 FIPS: (EC)Diffie-Hellman requirements
|
|
# from SP800-56Arev3 SLE-15-SP2
|
|
Patch52: openssl-DH.patch
|
|
Patch53: openssl-kdf-selftest.patch
|
|
Patch54: openssl-kdf-tls-selftest.patch
|
|
Patch55: openssl-kdf-ssh-selftest.patch
|
|
Patch56: openssl-fips-DH_selftest_shared_secret_KAT.patch
|
|
# PATCH-FIX-UPSTREAM bsc#1192442 FIPS: missing KAT for HKDF/TLS 1.3/IPSEC IKEv2
|
|
Patch57: openssl-fips-kdf-hkdf-selftest.patch
|
|
Patch58: openssl-1.1.1-system-cipherlist.patch
|
|
# PATCH-FIX-OPENSUSE jsc#SLE-15832 Centralized Crypto Compliance Configuration
|
|
Patch59: openssl-1_1-seclevel.patch
|
|
Patch60: openssl-1_1-use-seclevel2-in-tests.patch
|
|
Patch61: openssl-1_1-disable-test_srp-sslapi.patch
|
|
# PATCH-FIX-UPSTREAM jsc#SLE-18136 POWER10 performance enhancements for cryptography
|
|
Patch69: openssl-1_1-Optimize-ppc64.patch
|
|
# PATCH-FIX-UPSTREAM jsc#SLE-19742 Backport Arm improvements from OpenSSL 3
|
|
Patch70: openssl-1_1-Optimize-RSA-armv8.patch
|
|
Patch71: openssl-1_1-Optimize-AES-XTS-aarch64.patch
|
|
Patch72: openssl-1_1-Optimize-AES-GCM-uarchs.patch
|
|
# PATCH-FIX-SUSE bsc#1185320 FIPS: move the HMAC-SHA2-256 used for integrity test
|
|
Patch73: openssl-FIPS-KAT-before-integrity-tests.patch
|
|
# PATCH-FIX-SUSE bsc#1182959 FIPS: Fix function and reason error codes
|
|
Patch74: openssl-1_1-FIPS-fix-error-reason-codes.patch
|
|
#PATCH-FIX-SUSE bsc#1190652 FIPS: Add release number to version string
|
|
Patch75: openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch
|
|
# PATCH-FIX-SUSE bsc#1180995 Default to RFC7919 groups in FIPS mode
|
|
Patch76: openssl-1_1-paramgen-default_to_rfc7919.patch
|
|
# PATCH-FIX-SUSE bsc#1194187 bsc#1004463 Add engines section in openssl.cnf
|
|
Patch77: openssl-1_1-use-include-directive.patch
|
|
# PATCH-FIX-SUSE bsc#1197280 FIPS: Additional PBKDF2 requirements for KAT
|
|
Patch78: openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch
|
|
Patch79: bsc1185319-FIPS-KAT-for-ECDSA.patch
|
|
Patch80: bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch
|
|
Patch82: openssl-1_1-shortcut-test_afalg_aes_cbc.patch
|
|
# PATCH-FIX-SUSE bsc#1190653 FIPS: Provide methods to zeroize all unprotected SSPs and key components
|
|
Patch84: openssl-1_1-Zeroization.patch
|
|
# PATCH-FIX-SUSE bsc#1190651 FIPS: Provide a service-level indicator
|
|
Patch85: openssl-1_1-ossl-sli-000-fix-build-error.patch
|
|
Patch86: openssl-1_1-ossl-sli-001-fix-faults-preventing-make-update.patch
|
|
Patch87: openssl-1_1-ossl-sli-002-ran-make-update.patch
|
|
Patch88: openssl-1_1-ossl-sli-003-add-sli.patch
|
|
# PATCH-FIX-SUSE bsc#1202148 FIPS: Port openssl to use jitterentropy
|
|
Patch89: openssl-1_1-jitterentropy-3.4.0.patch
|
|
# PATCH-FIX-SUSE bsc#1203046 FIPS: Fix memory leak when FIPS mode is enabled
|
|
Patch90: openssl-1.1.1-fips-fix-memory-leaks.patch
|
|
# PATCH-FIX-FEDORA bsc#1201293 FIPS: RAND api should call into FIPS DRBG
|
|
Patch91: openssl-1_1-FIPS_drbg-rewire.patch
|
|
# PATCH-FIX-FEDORA bsc#1203069 FIPS: Add KAT for the RAND_DRBG implementation
|
|
Patch92: openssl-1_1-fips-drbg-selftest.patch
|
|
# PATCH-FIX-SUSE bsc#1121365, bsc#1190888, bsc#1193859, bsc#1198471, bsc#1198472
|
|
# FIPS: List only approved digest and pubkey algorithms
|
|
Patch93: openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch
|
|
# PATCH-FIX-SUSE bsc#1190651 FIPS: Provide a service-level indicator
|
|
Patch94: openssl-1_1-ossl-sli-004-allow-aes-xts-256.patch
|
|
Patch95: openssl-1_1-ossl-sli-005-EC_group_order_bits.patch
|
|
Patch96: openssl-1_1-ossl-sli-006-rsa_pkcs1_padding.patch
|
|
Patch97: openssl-1_1-ossl-sli-007-pbkdf2-keylen.patch
|
|
# PATCH-FIX-UPSTREAM jsc#PED-512
|
|
# POWER10 performance enhancements for cryptography
|
|
Patch98: openssl-1_1-AES-GCM-performance-optimzation-with-stitched-method.patch
|
|
Patch99: openssl-1_1-Fixed-counter-overflow.patch
|
|
Patch100: openssl-1_1-chacha20-performance-optimizations-for-ppc64le-with-.patch
|
|
Patch101: openssl-1_1-Fixed-conditional-statement-testing-64-and-256-bytes.patch
|
|
Patch102: openssl-1_1-Fix-AES-GCM-on-Power-8-CPUs.patch
|
|
# PATCH-FIX-OPENSUSE bsc#1205042 Set OpenSSL 3.0 as the default openssl
|
|
Patch103: openssl-1_1-openssl-config.patch
|
|
# PATCH-FIX-SUSE bsc#1207994 FIPS Make jitterentropy calls thread-safe
|
|
Patch104: openssl-1_1-serialize-jitterentropy-calls.patch
|
|
# PATCH-FIX-SUSE bsc#1208998 FIPS: PBKDF2 requirements for openssl
|
|
Patch105: openssl-1_1-ossl-sli-008-pbkdf2-salt_pass_iteration.patch
|
|
# PATCH-FIX-SUSE bsc#1212623 openssl s_client does not honor ocsp revocation status
|
|
Patch106: openssl-s_client-check-ocsp-status.patch
|
|
# PATCH-FIX-SUSE bsc#1213517 Dont pass zero length input to EVP_Cipher
|
|
Patch107: openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch
|
|
#PATCH-FIX-SUSE bsc#1215215 FIPS: Add "fips" to version string
|
|
Patch108: openssl-1_1-fips-bsc1215215_fips_in_version_string.patch
|
|
# PATCH-FIX-UPSTREAM jsc#PED-5086, jsc#PED-3514
|
|
# POWER10 performance enhancements for cryptography
|
|
Patch109: openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch
|
|
Patch110: openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch
|
|
Patch111: openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch
|
|
Patch112: openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch
|
|
Patch113: openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch
|
|
Patch114: openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
|
|
# PATCH-FIX-UPSTREAM: bsc#1216922 CVE-2023-5678 Generating excessively long X9.42 DH keys or
|
|
# checking excessively long X9.42 DH keys or parameters may be very slow
|
|
Patch115: openssl-CVE-2023-5678.patch
|
|
# PATCH-FIX-OPENSUSE skip SHA1 test in FIPS mode
|
|
Patch116: openssl-Skip_SHA1-test-in-FIPS-mode.patch
|
|
# PATCH-FIX-UPSTREAM: bsc#1219243 CVE-2024-0727: denial of service via null dereference
|
|
Patch117: openssl-CVE-2024-0727.patch
|
|
# PATCH-FIX-UPSTREAM: bsc#1222548 CVE-2024-2511: Unbounded memory growth with session handling in TLSv1.3
|
|
Patch118: openssl-CVE-2024-2511.patch
|
|
BuildRequires: jitterentropy-devel >= 3.4.0
|
|
BuildRequires: pkgconfig
|
|
BuildRequires: pkgconfig(zlib)
|
|
Requires: libjitterentropy3 >= 3.4.0
|
|
Provides: ssl
|
|
Requires: libopenssl1_1 = %{version}-%{release}
|
|
# Needed for clean upgrade path, boo#1070003
|
|
Obsoletes: openssl-1_0_0
|
|
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
|
|
Obsoletes: openssl-1_1_0
|
|
%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550
|
|
Requires: crypto-policies
|
|
%endif
|
|
|
|
%description
|
|
OpenSSL is a software library to be used in applications that need to
|
|
secure communications over computer networks against eavesdropping or
|
|
need to ascertain the identity of the party at the other end.
|
|
OpenSSL contains an implementation of the SSL and TLS protocols.
|
|
|
|
%package -n libopenssl1_1
|
|
Summary: Secure Sockets and Transport Layer Security
|
|
Group: Productivity/Networking/Security
|
|
Recommends: ca-certificates-mozilla
|
|
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
|
|
Obsoletes: libopenssl1_1_0
|
|
%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550
|
|
Requires: crypto-policies
|
|
%endif
|
|
Conflicts: %{name} < %{version}-%{release}
|
|
# Merge back the hmac files bsc#1185116
|
|
Provides: libopenssl1_1-hmac = %{version}-%{release}
|
|
Obsoletes: libopenssl1_1-hmac < %{version}-%{release}
|
|
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
|
|
Obsoletes: libopenssl1_1_0-hmac
|
|
# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
|
|
Obsoletes: libopenssl-1_0_0-hmac
|
|
|
|
%description -n libopenssl1_1
|
|
OpenSSL is a software library to be used in applications that need to
|
|
secure communications over computer networks against eavesdropping or
|
|
need to ascertain the identity of the party at the other end.
|
|
OpenSSL contains an implementation of the SSL and TLS protocols.
|
|
|
|
%package -n libopenssl-1_1-devel
|
|
Summary: Development files for OpenSSL
|
|
Group: Development/Libraries/C and C++
|
|
Requires: jitterentropy-devel >= 3.4.0
|
|
Requires: libopenssl1_1 = %{version}
|
|
Requires: pkgconfig(zlib)
|
|
Recommends: %{name} = %{version}
|
|
Conflicts: ssl-devel
|
|
Provides: ssl-devel
|
|
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
|
|
Obsoletes: libopenssl-1_1_0-devel
|
|
# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
|
|
Obsoletes: libopenssl-1_0_0-devel
|
|
|
|
%description -n libopenssl-1_1-devel
|
|
This subpackage contains header files for developing applications
|
|
that want to make use of the OpenSSL C API.
|
|
|
|
%package doc
|
|
Summary: Additional Package Documentation
|
|
Group: Productivity/Networking/Security
|
|
Conflicts: openssl-doc
|
|
Provides: openssl-doc = %{version}
|
|
Obsoletes: openssl-doc < %{version}
|
|
BuildArch: noarch
|
|
|
|
%description doc
|
|
This package contains optional documentation provided in addition to
|
|
this package's base documentation.
|
|
|
|
%prep
|
|
%autosetup -p1 -n %{_rname}-%{version}
|
|
|
|
cp apps/openssl.cnf apps/openssl-1_1.cnf
|
|
|
|
%build
|
|
%ifarch armv5el armv5tel
|
|
export MACHINE=armv5el
|
|
%endif
|
|
%ifarch armv6l armv6hl
|
|
export MACHINE=armv6l
|
|
%endif
|
|
|
|
./config \
|
|
no-idea \
|
|
enable-rfc3779 \
|
|
%ifarch x86_64 aarch64 ppc64le
|
|
enable-ec_nistp_64_gcc_128 \
|
|
%endif
|
|
enable-camellia \
|
|
zlib \
|
|
no-ec2m \
|
|
--prefix=%{_prefix} \
|
|
--libdir=%{_lib} \
|
|
--openssldir=%{ssletcdir} \
|
|
%{optflags} \
|
|
%if %{livepatchable}
|
|
-fpatchable-function-entry=16,14 -fdump-ipa-clones \
|
|
%endif
|
|
-Wa,--noexecstack \
|
|
-Wl,-z,relro,-z,now \
|
|
-fno-common \
|
|
-DTERMIO \
|
|
-DPURIFY \
|
|
-D_GNU_SOURCE \
|
|
-DOPENSSL_NO_BUF_FREELISTS \
|
|
$(getconf LFS_CFLAGS) \
|
|
-Wall \
|
|
--with-rand-seed=getrandom \
|
|
--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config
|
|
|
|
# Show build configuration
|
|
perl configdata.pm --dump
|
|
|
|
util/mkdef.pl crypto update
|
|
%make_build depend
|
|
%make_build all
|
|
|
|
%check
|
|
export MALLOC_CHECK_=3
|
|
export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
|
|
LD_LIBRARY_PATH=`pwd` make test -j1
|
|
|
|
# Create the hmac files required to run the regression tests in FIPS mode
|
|
LD_LIBRARY_PATH=`pwd` %{buildroot}%{_bindir}/fips_standalone_hmac \
|
|
libssl.so.%{maj_min} > .libssl.so.%{maj_min}.hmac
|
|
LD_LIBRARY_PATH=`pwd` %{buildroot}%{_bindir}/fips_standalone_hmac \
|
|
libcrypto.so.%{maj_min} > .libcrypto.so.%{maj_min}.hmac
|
|
OPENSSL_FORCE_FIPS_MODE=1 LD_LIBRARY_PATH=`pwd` make TESTS='-test_pem \
|
|
-test_hmac -test_mdc2 -test_dh -test_dsa -test_genrsa \
|
|
-test_mp_rsa -test_enc -test_enc_more -test_passwd -test_req \
|
|
-test_verify -test_evp -test_evp_extra -test_pkey_meth_kdf \
|
|
-test_bad_dtls -test_comp -test_key_share -test_renegotiation \
|
|
-test_sslcbcpadding -test_sslcertstatus -test_sslextension \
|
|
-test_sslmessages -test_sslrecords -test_sslsessiontick \
|
|
-test_sslsigalgs -test_sslsignature -test_sslskewith0p \
|
|
-test_sslversions -test_sslvertol -test_tls13alerts \
|
|
-test_tls13cookie -test_tls13downgrade -test_tls13hrr \
|
|
-test_tls13kexmodes -test_tls13messages -test_tls13psk \
|
|
-test_tlsextms -test_ca -test_cipherlist -test_cms \
|
|
-test_dtls_mtu -test_ssl_new -test_ssl_old -test_bio_enc \
|
|
-test_sslapi -test_tls13ccs -test_ec' test -j1
|
|
|
|
# show ciphers
|
|
gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{buildroot}%{_libdir} -lssl -lcrypto
|
|
LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers
|
|
|
|
%install
|
|
|
|
%if %{livepatchable}
|
|
|
|
# Ipa-clones are files generated by gcc which logs changes made across
|
|
# functions, and we need to know such changes to build livepatches
|
|
# correctly. These files are intended to be used by the livepatch
|
|
# developers and may be retrieved by using `osc getbinaries`.
|
|
#
|
|
# Create list of ipa-clones.
|
|
find . -name "*.ipa-clones" ! -empty | sed 's/^\.\///g' | sort > ipa-clones.list
|
|
|
|
# Create ipa-clones destination folder and move clones there.
|
|
mkdir -p ipa-clones/%{clones_dest_dir}
|
|
while read f; do
|
|
_dest=ipa-clones/%{clones_dest_dir}/$f
|
|
mkdir -p ${_dest%/*}
|
|
cp $f $_dest
|
|
done < ipa-clones.list
|
|
|
|
# Create tar package with the clone files.
|
|
tar cfJ %{tar_package_name} -C ipa-clones %{tar_basename}
|
|
|
|
# Copy tar package to the OTHERS folder
|
|
cp %{tar_package_name} %{_other}
|
|
|
|
%endif # livepatchable
|
|
|
|
%make_install %{?_smp_mflags}
|
|
# kill static libs
|
|
rm -f %{buildroot}%{_libdir}/lib*.a
|
|
|
|
# Rename the openssl CLI to openssl-1_1
|
|
mv %{buildroot}%{_bindir}/openssl %{buildroot}%{_bindir}/openssl-1_1
|
|
|
|
# Install the openssl-1_1.cnf config file
|
|
install -m 644 apps/openssl-1_1.cnf %{buildroot}%{_sysconfdir}/ssl/openssl-1_1.cnf
|
|
|
|
# remove the cnf.dist
|
|
rm -f %{buildroot}%{_sysconfdir}/ssl/openssl-1_1.cnf.dist
|
|
rm -f %{buildroot}%{_sysconfdir}/ssl/ct_log_list.cnf
|
|
rm -f %{buildroot}%{_sysconfdir}/ssl/ct_log_list.cnf.dist
|
|
ln -sf ./%{_rname} %{buildroot}/%{_includedir}/ssl
|
|
|
|
mkdir %{buildroot}/%{_datadir}/ssl
|
|
mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl/
|
|
# Create the two directories into which packages will drop their configuration
|
|
# files.
|
|
mkdir %{buildroot}/%{sslengcnf}
|
|
mkdir %{buildroot}/%{sslengdef}
|
|
|
|
# avoid file conflicts with man pages from other packages
|
|
#
|
|
pushd %{buildroot}/%{_mandir}
|
|
# some man pages now contain spaces. This makes several scripts go havoc, among them /usr/sbin/Check.
|
|
# replace spaces by underscores
|
|
#for i in man?/*\ *; do mv -v "$i" "${i// /_}"; done
|
|
which readlink &>/dev/null || function readlink { ( set +x; target=$(file $1 2>/dev/null); target=${target//* }; test -f $target && echo $target; ) }
|
|
for i in man?/*; do
|
|
if test -L $i ; then
|
|
LDEST=`readlink $i`
|
|
rm -f $i ${i}ssl
|
|
ln -sf ${LDEST}ssl ${i}ssl
|
|
else
|
|
mv $i ${i}ssl
|
|
fi
|
|
case "$i" in
|
|
*.1)
|
|
# these are the pages mentioned in openssl(1). They go into the main package.
|
|
echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist;;
|
|
*)
|
|
# the rest goes into the openssl-doc package.
|
|
echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist.doc;;
|
|
esac
|
|
done
|
|
popd
|
|
|
|
# Do not install demo scripts executable under /usr/share/doc
|
|
find demos -type f -perm /111 -exec chmod 644 {} \;
|
|
|
|
# Place showciphers.c for %%doc macro
|
|
cp %{SOURCE5} .
|
|
|
|
# the hmac hashes:
|
|
#
|
|
# this is a hack that re-defines the __os_install_post macro
|
|
# for a simple reason: the macro strips the binaries and thereby
|
|
# invalidates a HMAC that may have been created earlier.
|
|
# solution: create the hashes _after_ the macro runs.
|
|
#
|
|
# this shows up earlier because otherwise the expand of
|
|
# the macro is too late.
|
|
# remark: This is the same as running
|
|
# openssl dgst -sha256 -hmac 'ppaksykemnsecgtsttplmamstKMEs'
|
|
%{expand:%%global __os_install_post {%__os_install_post
|
|
|
|
# Point linker to the newly installed libcrypto in order to avoid BuildRequiring itself (libopenssl1_1)
|
|
export LD_LIBRARY_PATH="%{buildroot}%{_libdir}"
|
|
|
|
%{buildroot}%{_bindir}/fips_standalone_hmac \
|
|
%{buildroot}%{_libdir}/libssl.so.%{maj_min} > \
|
|
%{buildroot}%{_libdir}/.libssl.so.%{maj_min}.hmac
|
|
|
|
# As fips_standalone_hmac now uses the very same library it checksums,
|
|
# the libcrypto hmac needs to be saved to a temporary file, otherwise
|
|
# the library will detect the empty hmac and abort due to a wrong checksum
|
|
%{buildroot}%{_bindir}/fips_standalone_hmac \
|
|
%{buildroot}%{_libdir}/libcrypto.so.%{maj_min} > \
|
|
%{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.temphmac
|
|
|
|
# rename the temporary checksum to its proper name
|
|
mv %{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.temphmac %{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.hmac
|
|
unset LD_LIBRARY_PATH
|
|
|
|
}}
|
|
|
|
%pre
|
|
# Migrate old engines.d to engines1.1.d.rpmsave
|
|
if [ ! -L %{ssletcdir}/engines.d ] && [ -d %{ssletcdir}/engines.d ]; then
|
|
mkdir %{ssletcdir}/engines1.1.d.rpmsave ||:
|
|
mv -v %{ssletcdir}/engines.d/* %{ssletcdir}/engines1.1.d.rpmsave ||:
|
|
rmdir %{ssletcdir}/engines.d ||:
|
|
fi
|
|
|
|
# Migrate old engdef.d to engdef1.1.d.rpmsave
|
|
if [ ! -L %{ssletcdir}/engdef.d ] && [ -d %{ssletcdir}/engdef.d ]; then
|
|
mkdir %{ssletcdir}/engdef1.1.d.rpmsave ||:
|
|
mv -v %{ssletcdir}/engdef.d/* %{ssletcdir}/engdef1.1.d.rpmsave ||:
|
|
rmdir %{ssletcdir}/engdef.d ||:
|
|
fi
|
|
|
|
%posttrans
|
|
# Restore engines1.1.d.rpmsave to engines1.1.d
|
|
if [ -d %{ssletcdir}/engines1.1.d.rpmsave ]; then
|
|
mv -v %{ssletcdir}/engines1.1.d.rpmsave/* %{ssletcdir}/engines1.1.d ||:
|
|
rmdir %{ssletcdir}/engines1.1.d.rpmsave ||:
|
|
fi
|
|
|
|
# Restore engdef1.1.d.rpmsave to engdef1.1.d
|
|
if [ -d %{ssletcdir}/engdef1.1.d.rpmsave ]; then
|
|
mv -v %{ssletcdir}/engdef1.1.d.rpmsave/* %{ssletcdir}/engdef1.1.d ||:
|
|
rmdir %{ssletcdir}/engdef1.1.d.rpmsave ||:
|
|
fi
|
|
|
|
# Move engines1_1.d to engines1.1.d
|
|
if [ -d %{ssletcdir}/engines1_1.d ]; then
|
|
mv -v %{ssletcdir}/engines1_1.d/* %{ssletcdir}/engines1.1.d ||:
|
|
rmdir %{ssletcdir}/engines1_1.d ||:
|
|
fi
|
|
|
|
# Move engdef1_1.d to engdef1.1.d
|
|
if [ -d %{ssletcdir}/engdef1_1.d ]; then
|
|
mv -v %{ssletcdir}/engdef1_1.d/* %{ssletcdir}/engdef1.1.d ||:
|
|
rmdir %{ssletcdir}/engdef1_1.d ||:
|
|
fi
|
|
|
|
%post -n libopenssl1_1 -p /sbin/ldconfig
|
|
%postun -n libopenssl1_1 -p /sbin/ldconfig
|
|
|
|
%files -n libopenssl1_1
|
|
%license LICENSE
|
|
%{_libdir}/libssl.so.%{maj_min}
|
|
%{_libdir}/libcrypto.so.%{maj_min}
|
|
%{_libdir}/.libssl.so.%{maj_min}.hmac
|
|
%{_libdir}/.libcrypto.so.%{maj_min}.hmac
|
|
%{_libdir}/engines-%{maj_min}
|
|
|
|
%files -n libopenssl-1_1-devel
|
|
%{_includedir}/%{_rname}/
|
|
%{_includedir}/ssl
|
|
%{_libdir}/libssl.so
|
|
%{_libdir}/libcrypto.so
|
|
%{_libdir}/pkgconfig/libcrypto.pc
|
|
%{_libdir}/pkgconfig/libssl.pc
|
|
%{_libdir}/pkgconfig/openssl.pc
|
|
|
|
%files doc -f filelist.doc
|
|
%doc doc/* demos
|
|
%doc showciphers.c
|
|
|
|
%files -f filelist
|
|
%doc CHANGE* NEWS README
|
|
%dir %{ssletcdir}
|
|
%config (noreplace) %{ssletcdir}/openssl-1_1.cnf
|
|
%attr(700,root,root) %{ssletcdir}/private
|
|
%dir %{sslengcnf}
|
|
%dir %{sslengdef}
|
|
%dir %{_datadir}/ssl
|
|
%{_datadir}/ssl/misc
|
|
%{_bindir}/c_rehash-1_1
|
|
%{_bindir}/fips_standalone_hmac
|
|
%{_bindir}/openssl-1_1
|
|
|
|
%changelog
|