6a02bab132
- Security fix: [bsc#1216922, CVE-2023-5678] * Fix excessive time spent in DH check / generation with large Q parameter value. * Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex () or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. * Add openssl-CVE-2023-5678.patch - Remove trailing spaces from changelog - Remove a hack for bsc#936563 bsc936563_hack.patch (bsc#936563) - Build with no-ssl3, for details on why this is needed read require us to patch dependant packages as the relevant functions are still available (SSLv3_(client|server)_method) - openssl.keyring: use Matt Caswells current key. - openSSL 1.0.1j - openssl.keyring: the 1.0.1i release was done by - 012-Fix-eckey_priv_encode.patch eckey_priv_encode should - 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch it is already in RPM_OPT_FLAGS and is replaced by - Remove the "gmp" and "capi" shared engines, nobody noticed but they are just dummies that do nothing. - Use enable-rfc3779 to allow projects such as rpki.net - openssl-buffreelistbug-aka-CVE-2010-5298.patch fix - openssl-gcc-attributes.patch: fix thinko, CRYPTO_realloc_clean does - openssl-gcc-attributes.patch OBS-URL: https://build.opensuse.org/request/show/1126087 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=150
496 lines
21 KiB
RPMSpec
496 lines
21 KiB
RPMSpec
#
|
|
# spec file for package openssl-1_1
|
|
#
|
|
# Copyright (c) 2023 SUSE LLC
|
|
#
|
|
# All modifications and additions to the file contributed by third parties
|
|
# remain the property of their copyright owners, unless otherwise agreed
|
|
# upon. The license for this file, and modifications and additions to the
|
|
# file, is the same license as for the pristine package itself (unless the
|
|
# license for the pristine package is not an Open Source License, in which
|
|
# case the license is the MIT License). An "Open Source License" is a
|
|
# license that conforms to the Open Source Definition (Version 1.9)
|
|
# published by the Open Source Initiative.
|
|
|
|
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
|
#
|
|
|
|
|
|
%define ssletcdir %{_sysconfdir}/ssl
|
|
%define maj_min 1.1
|
|
%define _rname openssl
|
|
%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550
|
|
# Enable livepatching support for SLE15-SP4 onwards. It requires
|
|
# compiler support introduced there.
|
|
%define livepatchable 1
|
|
# Set variables for livepatching.
|
|
%define _other %{_topdir}/OTHER
|
|
%define tar_basename %{_rname}-livepatch-%{version}-%{release}
|
|
%define tar_package_name %{tar_basename}.%{_arch}.tar.xz
|
|
%define clones_dest_dir %{tar_basename}/%{_arch}
|
|
%else
|
|
# Unsupported operating system.
|
|
%define livepatchable 0
|
|
%endif
|
|
%ifnarch x86_64
|
|
# Unsupported architectures must have livepatch disabled.
|
|
%define livepatchable 0
|
|
%endif
|
|
Name: openssl-1_1
|
|
# Don't forget to update the version in the "openssl" meta-package!
|
|
Version: 1.1.1w
|
|
Release: 0
|
|
Summary: Secure Sockets and Transport Layer Security
|
|
License: OpenSSL
|
|
Group: Productivity/Networking/Security
|
|
URL: https://www.openssl.org/
|
|
Source: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz
|
|
# to get mtime of file:
|
|
Source1: %{name}.changes
|
|
Source2: baselibs.conf
|
|
Source3: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz.asc
|
|
# https://www.openssl.org/about/
|
|
# http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA2D29B7BF295C759#/openssl.keyring
|
|
Source4: %{_rname}.keyring
|
|
Source5: showciphers.c
|
|
# PATCH-FIX-OPENSUSE: do not install html mans it takes ages
|
|
Patch1: openssl-1.1.0-no-html.patch
|
|
Patch2: openssl-truststore.patch
|
|
Patch3: openssl-pkgconfig.patch
|
|
Patch4: openssl-DEFAULT_SUSE_cipher.patch
|
|
Patch5: openssl-ppc64-config.patch
|
|
Patch6: openssl-riscv64-config.patch
|
|
Patch7: openssl-no-date.patch
|
|
# PATCH-FIX-UPSTREAM jsc#SLE-6126 and jsc#SLE-6129
|
|
Patch8: 0001-s390x-assembly-pack-perlasm-support.patch
|
|
Patch9: 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
|
|
Patch10: 0003-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch
|
|
Patch11: 0004-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch
|
|
Patch12: 0005-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch
|
|
Patch13: 0006-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch
|
|
# PATCH-FIX-UPSTREAM bsc#1152695 jsc#SLE-7861 Support for CPACF enhancements - part 1 (crypto)
|
|
Patch16: openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch
|
|
Patch17: openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch
|
|
Patch18: openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch
|
|
Patch19: openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch
|
|
Patch20: openssl-s390xcpuid.pl-fix-comment.patch
|
|
Patch21: openssl-assembly-pack-accelerate-scalar-multiplication.patch
|
|
Patch22: openssl-Enable-curve-spefific-ECDSA-implementations-via-EC_M.patch
|
|
Patch23: openssl-s390x-assembly-pack-accelerate-ECDSA.patch
|
|
Patch24: openssl-OPENSSL_s390xcap.pod-list-msa9-facility-bit-155.patch
|
|
Patch25: openssl-s390x-assembly-pack-cleanse-only-sensitive-fields.patch
|
|
Patch26: openssl-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch
|
|
Patch27: openssl-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch
|
|
Patch28: openssl-Fix-9bf682f-which-broke-nistp224_method.patch
|
|
# FIPS patches
|
|
Patch30: openssl-1.1.1-fips.patch
|
|
Patch31: openssl-1.1.1-fips-post-rand.patch
|
|
Patch32: openssl-1.1.1-fips-crng-test.patch
|
|
Patch33: openssl-1.1.0-issuer-hash.patch
|
|
Patch34: openssl-fips-run_selftests_only_when_module_is_complete.patch
|
|
Patch35: openssl-ship_fips_standalone_hmac.patch
|
|
Patch36: openssl-fips_mode.patch
|
|
Patch37: openssl-1.1.1-evp-kdf.patch
|
|
Patch38: openssl-1.1.1-ssh-kdf.patch
|
|
Patch40: openssl-fips-selftests_in_nonfips_mode.patch
|
|
Patch41: openssl-fips-clearerror.patch
|
|
Patch42: openssl-fips-ignore_broken_atexit_test.patch
|
|
Patch43: openssl-keep_EVP_KDF_functions_version.patch
|
|
Patch45: openssl-fips-add-SHA3-selftest.patch
|
|
Patch46: openssl-fips_selftest_upstream_drbg.patch
|
|
Patch47: openssl-unknown_dgst.patch
|
|
# PATCH-FIX-UPSTREAM jsc#SLE-7403 Support for CPACF enhancements - part 2 (crypto)
|
|
Patch50: openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch
|
|
Patch51: openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch
|
|
# PATCH-FIX-UPSTREAM bsc#1175844 FIPS: (EC)Diffie-Hellman requirements
|
|
# from SP800-56Arev3 SLE-15-SP2
|
|
Patch52: openssl-DH.patch
|
|
Patch53: openssl-kdf-selftest.patch
|
|
Patch54: openssl-kdf-tls-selftest.patch
|
|
Patch55: openssl-kdf-ssh-selftest.patch
|
|
Patch56: openssl-fips-DH_selftest_shared_secret_KAT.patch
|
|
# PATCH-FIX-UPSTREAM bsc#1192442 FIPS: missing KAT for HKDF/TLS 1.3/IPSEC IKEv2
|
|
Patch57: openssl-fips-kdf-hkdf-selftest.patch
|
|
Patch58: openssl-1.1.1-system-cipherlist.patch
|
|
# PATCH-FIX-OPENSUSE jsc#SLE-15832 Centralized Crypto Compliance Configuration
|
|
Patch59: openssl-1_1-seclevel.patch
|
|
Patch60: openssl-1_1-use-seclevel2-in-tests.patch
|
|
Patch61: openssl-1_1-disable-test_srp-sslapi.patch
|
|
# PATCH-FIX-UPSTREAM jsc#SLE-18136 POWER10 performance enhancements for cryptography
|
|
Patch69: openssl-1_1-Optimize-ppc64.patch
|
|
# PATCH-FIX-UPSTREAM jsc#SLE-19742 Backport Arm improvements from OpenSSL 3
|
|
Patch70: openssl-1_1-Optimize-RSA-armv8.patch
|
|
Patch71: openssl-1_1-Optimize-AES-XTS-aarch64.patch
|
|
Patch72: openssl-1_1-Optimize-AES-GCM-uarchs.patch
|
|
# PATCH-FIX-SUSE bsc#1185320 FIPS: move the HMAC-SHA2-256 used for integrity test
|
|
Patch73: openssl-FIPS-KAT-before-integrity-tests.patch
|
|
# PATCH-FIX-SUSE bsc#1182959 FIPS: Fix function and reason error codes
|
|
Patch74: openssl-1_1-FIPS-fix-error-reason-codes.patch
|
|
# PATCH-FIX-SUSE bsc#1180995 Default to RFC7919 groups in FIPS mode
|
|
Patch75: openssl-1_1-paramgen-default_to_rfc7919.patch
|
|
# PATCH-FIX-SUSE bsc#1194187 bsc#1004463 Add engines section in openssl.cnf
|
|
Patch76: openssl-1_1-use-include-directive.patch
|
|
# PATCH-FIX-SUSE bsc#1197280 FIPS: Additional PBKDF2 requirements for KAT
|
|
Patch77: openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch
|
|
Patch78: bsc1185319-FIPS-KAT-for-ECDSA.patch
|
|
Patch79: bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch
|
|
Patch81: openssl-1_1-shortcut-test_afalg_aes_cbc.patch
|
|
# PATCH-FIX-SUSE bsc#1190653 FIPS: Provide methods to zeroize all unprotected SSPs and key components
|
|
Patch84: openssl-1_1-Zeroization.patch
|
|
# PATCH-FIX-SUSE bsc#1190651 FIPS: Provide a service-level indicator
|
|
Patch85: openssl-1_1-ossl-sli-000-fix-build-error.patch
|
|
Patch86: openssl-1_1-ossl-sli-001-fix-faults-preventing-make-update.patch
|
|
Patch87: openssl-1_1-ossl-sli-002-ran-make-update.patch
|
|
Patch88: openssl-1_1-ossl-sli-003-add-sli.patch
|
|
# PATCH-FIX-SUSE bsc#1202148 FIPS: Port openssl to use jitterentropy
|
|
Patch89: openssl-1_1-jitterentropy-3.4.0.patch
|
|
# PATCH-FIX-SUSE bsc#1203046 FIPS: Fix memory leak when FIPS mode is enabled
|
|
Patch90: openssl-1.1.1-fips-fix-memory-leaks.patch
|
|
# PATCH-FIX-FEDORA bsc#1201293 FIPS: RAND api should call into FIPS DRBG
|
|
Patch91: openssl-1_1-FIPS_drbg-rewire.patch
|
|
# PATCH-FIX-FEDORA bsc#1203069 FIPS: Add KAT for the RAND_DRBG implementation
|
|
Patch92: openssl-1_1-fips-drbg-selftest.patch
|
|
# PATCH-FIX-SUSE bsc#1121365, bsc#1190888, bsc#1193859, bsc#1198471, bsc#1198472
|
|
# FIPS: List only approved digest and pubkey algorithms
|
|
Patch93: openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch
|
|
# PATCH-FIX-SUSE bsc#1190651 FIPS: Provide a service-level indicator
|
|
Patch94: openssl-1_1-ossl-sli-004-allow-aes-xts-256.patch
|
|
Patch95: openssl-1_1-ossl-sli-005-EC_group_order_bits.patch
|
|
Patch96: openssl-1_1-ossl-sli-006-rsa_pkcs1_padding.patch
|
|
Patch97: openssl-1_1-ossl-sli-007-pbkdf2-keylen.patch
|
|
# PATCH-FIX-UPSTREAM jsc#PED-512
|
|
# POWER10 performance enhancements for cryptography
|
|
Patch98: openssl-1_1-AES-GCM-performance-optimzation-with-stitched-method.patch
|
|
Patch99: openssl-1_1-Fixed-counter-overflow.patch
|
|
Patch100: openssl-1_1-chacha20-performance-optimizations-for-ppc64le-with-.patch
|
|
Patch101: openssl-1_1-Fixed-conditional-statement-testing-64-and-256-bytes.patch
|
|
Patch102: openssl-1_1-Fix-AES-GCM-on-Power-8-CPUs.patch
|
|
# PATCH-FIX-OPENSUSE bsc#1205042 Set OpenSSL 3.0 as the default openssl
|
|
Patch103: openssl-1_1-openssl-config.patch
|
|
# PATCH-FIX-SUSE bsc#1207994 FIPS Make jitterentropy calls thread-safe
|
|
Patch104: openssl-1_1-serialize-jitterentropy-calls.patch
|
|
# PATCH-FIX-SUSE bsc#1208998 FIPS: PBKDF2 requirements for openssl
|
|
Patch105: openssl-1_1-ossl-sli-008-pbkdf2-salt_pass_iteration.patch
|
|
# PATCH-FIX-SUSE bsc#1212623 openssl s_client does not honor ocsp revocation status
|
|
Patch106: openssl-s_client-check-ocsp-status.patch
|
|
# PATCH-FIX-SUSE bsc#1213517 Dont pass zero length input to EVP_Cipher
|
|
Patch107: openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch
|
|
#PATCH-FIX-SUSE bsc#1215215 FIPS: Add "fips" to version string
|
|
Patch108: openssl-1_1-fips-bsc1215215_fips_in_version_string.patch
|
|
# PATCH-FIX-UPSTREAM jsc#PED-5086, jsc#PED-3514
|
|
# POWER10 performance enhancements for cryptography
|
|
Patch109: openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch
|
|
Patch110: openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch
|
|
Patch111: openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch
|
|
Patch112: openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch
|
|
Patch113: openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch
|
|
Patch114: openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch
|
|
# PATCH-FIX-UPSTREAM: bsc#1216922 CVE-2023-5678 Generating excessively long X9.42 DH keys or
|
|
# checking excessively long X9.42 DH keys or parameters may be very slow
|
|
Patch115: openssl-CVE-2023-5678.patch
|
|
BuildRequires: jitterentropy-devel >= 3.4.0
|
|
BuildRequires: pkgconfig
|
|
BuildRequires: pkgconfig(zlib)
|
|
Requires: libjitterentropy3 >= 3.4.0
|
|
Provides: ssl
|
|
Requires: libopenssl1_1 = %{version}-%{release}
|
|
# Needed for clean upgrade path, boo#1070003
|
|
Obsoletes: openssl-1_0_0
|
|
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
|
|
Obsoletes: openssl-1_1_0
|
|
%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550
|
|
Requires: crypto-policies
|
|
%endif
|
|
|
|
%description
|
|
OpenSSL is a software library to be used in applications that need to
|
|
secure communications over computer networks against eavesdropping or
|
|
need to ascertain the identity of the party at the other end.
|
|
OpenSSL contains an implementation of the SSL and TLS protocols.
|
|
|
|
%package -n libopenssl1_1
|
|
Summary: Secure Sockets and Transport Layer Security
|
|
Group: Productivity/Networking/Security
|
|
Recommends: ca-certificates-mozilla
|
|
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
|
|
Obsoletes: libopenssl1_1_0
|
|
%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550
|
|
Requires: crypto-policies
|
|
%endif
|
|
Conflicts: %{name} < %{version}-%{release}
|
|
# Merge back the hmac files bsc#1185116
|
|
Provides: libopenssl1_1-hmac = %{version}-%{release}
|
|
Obsoletes: libopenssl1_1-hmac < %{version}-%{release}
|
|
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
|
|
Obsoletes: libopenssl1_1_0-hmac
|
|
# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
|
|
Obsoletes: libopenssl-1_0_0-hmac
|
|
|
|
%description -n libopenssl1_1
|
|
OpenSSL is a software library to be used in applications that need to
|
|
secure communications over computer networks against eavesdropping or
|
|
need to ascertain the identity of the party at the other end.
|
|
OpenSSL contains an implementation of the SSL and TLS protocols.
|
|
|
|
%package -n libopenssl-1_1-devel
|
|
Summary: Development files for OpenSSL
|
|
Group: Development/Libraries/C and C++
|
|
Requires: jitterentropy-devel >= 3.4.0
|
|
Requires: libopenssl1_1 = %{version}
|
|
Requires: pkgconfig(zlib)
|
|
Recommends: %{name} = %{version}
|
|
Conflicts: ssl-devel
|
|
Provides: ssl-devel
|
|
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
|
|
Obsoletes: libopenssl-1_1_0-devel
|
|
# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
|
|
Obsoletes: libopenssl-1_0_0-devel
|
|
|
|
%description -n libopenssl-1_1-devel
|
|
This subpackage contains header files for developing applications
|
|
that want to make use of the OpenSSL C API.
|
|
|
|
%package doc
|
|
Summary: Additional Package Documentation
|
|
Group: Productivity/Networking/Security
|
|
Conflicts: openssl-doc
|
|
Provides: openssl-doc = %{version}
|
|
Obsoletes: openssl-doc < %{version}
|
|
BuildArch: noarch
|
|
|
|
%description doc
|
|
This package contains optional documentation provided in addition to
|
|
this package's base documentation.
|
|
|
|
%prep
|
|
%autosetup -p1 -n %{_rname}-%{version}
|
|
|
|
cp apps/openssl.cnf apps/openssl-1_1.cnf
|
|
|
|
%build
|
|
%ifarch armv5el armv5tel
|
|
export MACHINE=armv5el
|
|
%endif
|
|
%ifarch armv6l armv6hl
|
|
export MACHINE=armv6l
|
|
%endif
|
|
|
|
./config \
|
|
no-idea \
|
|
enable-rfc3779 \
|
|
%ifarch x86_64 aarch64 ppc64le
|
|
enable-ec_nistp_64_gcc_128 \
|
|
%endif
|
|
enable-camellia \
|
|
zlib \
|
|
no-ec2m \
|
|
--prefix=%{_prefix} \
|
|
--libdir=%{_lib} \
|
|
--openssldir=%{ssletcdir} \
|
|
%{optflags} \
|
|
%if %{livepatchable}
|
|
-fpatchable-function-entry=16,14 -fdump-ipa-clones \
|
|
%endif
|
|
-Wa,--noexecstack \
|
|
-Wl,-z,relro,-z,now \
|
|
-fno-common \
|
|
-DTERMIO \
|
|
-DPURIFY \
|
|
-D_GNU_SOURCE \
|
|
-DOPENSSL_NO_BUF_FREELISTS \
|
|
$(getconf LFS_CFLAGS) \
|
|
-Wall \
|
|
--with-rand-seed=getrandom \
|
|
--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config
|
|
|
|
# Show build configuration
|
|
perl configdata.pm --dump
|
|
|
|
util/mkdef.pl crypto update
|
|
%make_build depend
|
|
%make_build all
|
|
|
|
%check
|
|
export MALLOC_CHECK_=3
|
|
export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
|
|
LD_LIBRARY_PATH=`pwd` make test -j1
|
|
|
|
# Create the hmac files required to run the regression tests in FIPS mode
|
|
#%{buildroot}%{_bindir}/fips_standalone_hmac \
|
|
# libssl.so.%{maj_min} > .libssl.so.%{maj_min}.hmac
|
|
#%{buildroot}%{_bindir}/fips_standalone_hmac \
|
|
# libcrypto.so.%{maj_min} > .libcrypto.so.%{maj_min}.hmac
|
|
#OPENSSL_FORCE_FIPS_MODE=1 LD_LIBRARY_PATH=`pwd` make TESTS='-test_pem \
|
|
# -test_hmac -test_mdc2 -test_dh -test_dsa -test_genrsa \
|
|
# -test_mp_rsa -test_enc -test_enc_more -test_passwd -test_req \
|
|
# -test_verify -test_evp -test_evp_extra -test_pkey_meth_kdf \
|
|
# -test_bad_dtls -test_comp -test_key_share -test_renegotiation \
|
|
# -test_sslcbcpadding -test_sslcertstatus -test_sslextension \
|
|
# -test_sslmessages -test_sslrecords -test_sslsessiontick \
|
|
# -test_sslsigalgs -test_sslsignature -test_sslskewith0p \
|
|
# -test_sslversions -test_sslvertol -test_tls13alerts \
|
|
# -test_tls13cookie -test_tls13downgrade -test_tls13hrr \
|
|
# -test_tls13kexmodes -test_tls13messages -test_tls13psk \
|
|
# -test_tlsextms -test_ca -test_cipherlist -test_cms \
|
|
# -test_dtls_mtu -test_ssl_new -test_ssl_old -test_bio_enc \
|
|
# -test_sslapi -test_tls13ccs -test_ec' test -j1
|
|
|
|
# show ciphers
|
|
gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{buildroot}%{_libdir} -lssl -lcrypto
|
|
LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers
|
|
|
|
%install
|
|
|
|
%if %{livepatchable}
|
|
|
|
# Ipa-clones are files generated by gcc which logs changes made across
|
|
# functions, and we need to know such changes to build livepatches
|
|
# correctly. These files are intended to be used by the livepatch
|
|
# developers and may be retrieved by using `osc getbinaries`.
|
|
#
|
|
# Create list of ipa-clones.
|
|
find . -name "*.ipa-clones" ! -empty | sed 's/^\.\///g' | sort > ipa-clones.list
|
|
|
|
# Create ipa-clones destination folder and move clones there.
|
|
mkdir -p ipa-clones/%{clones_dest_dir}
|
|
while read f; do
|
|
_dest=ipa-clones/%{clones_dest_dir}/$f
|
|
mkdir -p ${_dest%/*}
|
|
cp $f $_dest
|
|
done < ipa-clones.list
|
|
|
|
# Create tar package with the clone files.
|
|
tar cfJ %{tar_package_name} -C ipa-clones %{tar_basename}
|
|
|
|
# Copy tar package to the OTHERS folder
|
|
cp %{tar_package_name} %{_other}
|
|
|
|
%endif # livepatchable
|
|
|
|
%make_install %{?_smp_mflags}
|
|
# kill static libs
|
|
rm -f %{buildroot}%{_libdir}/lib*.a
|
|
|
|
# Rename the openssl CLI to openssl-1_1
|
|
mv %{buildroot}%{_bindir}/openssl %{buildroot}%{_bindir}/openssl-1_1
|
|
|
|
# Install the openssl-1_1.cnf config file
|
|
install -m 644 apps/openssl-1_1.cnf %{buildroot}%{_sysconfdir}/ssl/openssl-1_1.cnf
|
|
|
|
# remove the cnf.dist
|
|
rm -f %{buildroot}%{_sysconfdir}/ssl/openssl-1_1.cnf.dist
|
|
rm -f %{buildroot}%{_sysconfdir}/ssl/ct_log_list.cnf
|
|
rm -f %{buildroot}%{_sysconfdir}/ssl/ct_log_list.cnf.dist
|
|
ln -sf ./%{_rname} %{buildroot}/%{_includedir}/ssl
|
|
|
|
mkdir %{buildroot}/%{_datadir}/ssl
|
|
mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl/
|
|
# Create the two directories into which packages will drop their configuration
|
|
# files.
|
|
mkdir %{buildroot}/%{ssletcdir}/engines.d/
|
|
mkdir %{buildroot}/%{ssletcdir}/engdef.d/
|
|
|
|
# avoid file conflicts with man pages from other packages
|
|
#
|
|
pushd %{buildroot}/%{_mandir}
|
|
# some man pages now contain spaces. This makes several scripts go havoc, among them /usr/sbin/Check.
|
|
# replace spaces by underscores
|
|
#for i in man?/*\ *; do mv -v "$i" "${i// /_}"; done
|
|
which readlink &>/dev/null || function readlink { ( set +x; target=$(file $1 2>/dev/null); target=${target//* }; test -f $target && echo $target; ) }
|
|
for i in man?/*; do
|
|
if test -L $i ; then
|
|
LDEST=`readlink $i`
|
|
rm -f $i ${i}ssl
|
|
ln -sf ${LDEST}ssl ${i}ssl
|
|
else
|
|
mv $i ${i}ssl
|
|
fi
|
|
case "$i" in
|
|
*.1)
|
|
# these are the pages mentioned in openssl(1). They go into the main package.
|
|
echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist;;
|
|
*)
|
|
# the rest goes into the openssl-doc package.
|
|
echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist.doc;;
|
|
esac
|
|
done
|
|
popd
|
|
|
|
# Do not install demo scripts executable under /usr/share/doc
|
|
find demos -type f -perm /111 -exec chmod 644 {} \;
|
|
|
|
# Place showciphers.c for %%doc macro
|
|
cp %{SOURCE5} .
|
|
|
|
# the hmac hashes:
|
|
#
|
|
# this is a hack that re-defines the __os_install_post macro
|
|
# for a simple reason: the macro strips the binaries and thereby
|
|
# invalidates a HMAC that may have been created earlier.
|
|
# solution: create the hashes _after_ the macro runs.
|
|
#
|
|
# this shows up earlier because otherwise the expand of
|
|
# the macro is too late.
|
|
# remark: This is the same as running
|
|
# openssl dgst -sha256 -hmac 'ppaksykemnsecgtsttplmamstKMEs'
|
|
%{expand:%%global __os_install_post {%__os_install_post
|
|
|
|
# Point linker to the newly installed libcrypto in order to avoid BuildRequiring itself (libopenssl1_1)
|
|
export LD_LIBRARY_PATH="%{buildroot}%{_libdir}"
|
|
|
|
%{buildroot}%{_bindir}/fips_standalone_hmac \
|
|
%{buildroot}%{_libdir}/libssl.so.%{maj_min} > \
|
|
%{buildroot}%{_libdir}/.libssl.so.%{maj_min}.hmac
|
|
|
|
# As fips_standalone_hmac now uses the very same library it checksums,
|
|
# the libcrypto hmac needs to be saved to a temporary file, otherwise
|
|
# the library will detect the empty hmac and abort due to a wrong checksum
|
|
%{buildroot}%{_bindir}/fips_standalone_hmac \
|
|
%{buildroot}%{_libdir}/libcrypto.so.%{maj_min} > \
|
|
%{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.temphmac
|
|
|
|
# rename the temporary checksum to its proper name
|
|
mv %{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.temphmac %{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.hmac
|
|
unset LD_LIBRARY_PATH
|
|
|
|
}}
|
|
|
|
%post -n libopenssl1_1 -p /sbin/ldconfig
|
|
%postun -n libopenssl1_1 -p /sbin/ldconfig
|
|
|
|
%files -n libopenssl1_1
|
|
%license LICENSE
|
|
%{_libdir}/libssl.so.%{maj_min}
|
|
%{_libdir}/libcrypto.so.%{maj_min}
|
|
%{_libdir}/.libssl.so.%{maj_min}.hmac
|
|
%{_libdir}/.libcrypto.so.%{maj_min}.hmac
|
|
%{_libdir}/engines-%{maj_min}
|
|
|
|
%files -n libopenssl-1_1-devel
|
|
%{_includedir}/%{_rname}/
|
|
%{_includedir}/ssl
|
|
%{_libdir}/libssl.so
|
|
%{_libdir}/libcrypto.so
|
|
%{_libdir}/pkgconfig/libcrypto.pc
|
|
%{_libdir}/pkgconfig/libssl.pc
|
|
%{_libdir}/pkgconfig/openssl.pc
|
|
|
|
%files doc -f filelist.doc
|
|
%doc doc/* demos
|
|
%doc showciphers.c
|
|
|
|
%files -f filelist
|
|
%doc CHANGE* NEWS README
|
|
%dir %{ssletcdir}
|
|
%config (noreplace) %{ssletcdir}/openssl-1_1.cnf
|
|
%attr(700,root,root) %{ssletcdir}/private
|
|
%dir %{ssletcdir}/engines.d
|
|
%dir %{ssletcdir}/engdef.d
|
|
%dir %{_datadir}/ssl
|
|
%{_datadir}/ssl/misc
|
|
%{_bindir}/c_rehash-1_1
|
|
%{_bindir}/fips_standalone_hmac
|
|
%{_bindir}/openssl-1_1
|
|
|
|
%changelog
|