pkgs/raven
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
raven/base/openssl3/openssl3.spec

828 lines
29 KiB
RPMSpec
Raw Blame History

# For the curious:
# 0.9.8jk + EAP-FAST soversion = 8
# 1.0.0 soversion = 10
# 1.1.0 soversion = 1.1 (same as upstream although presence of some symbols
# depends on build configuration options)
# 3.0.0 soversion = 3 (same as upstream)
%define soversion 3
# Arches on which we need to prevent arch conflicts on opensslconf.h, must
# also be handled in opensslconf-new.h.
%define multilib_arches %{ix86} ia64 %{mips} ppc ppc64 s390 s390x sparcv9 sparc64 x86_64
%global _performance_build 1
%bcond_with bootstrap
%if 0%{?rhel} < 7
%global _pkgdocdir %{_datadir}/doc/%{name}-%{version}
%endif
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl3
Version: 3.2.2
Release: 6%{?dist}
Epoch: 1
Source0: openssl-%{version}.tar.gz
Source2: Makefile.certificate
Source3: genpatches
Source6: make-dummy-cert
Source7: renew-dummy-cert
Source9: configuration-switch.h
Source10: configuration-prefix.h
# Patches exported from source git
# Aarch64 and ppc64le use lib64
Patch1: 0001-Aarch64-and-ppc64le-use-lib64.patch
# Use more general default values in openssl.cnf
Patch2: 0002-Use-more-general-default-values-in-openssl.cnf.patch
# Do not install html docs
Patch3: 0003-Do-not-install-html-docs.patch
# Override default paths for the CA directory tree
Patch4: 0004-Override-default-paths-for-the-CA-directory-tree.patch
# apps/ca: fix md option help text
Patch5: 0005-apps-ca-fix-md-option-help-text.patch
# Disable signature verification with totally unsafe hash algorithms
Patch6: 0006-Disable-signature-verification-with-totally-unsafe-h.patch
# Add support for PROFILE=SYSTEM system default cipherlist
Patch7: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
# Add FIPS_mode() compatibility macro
Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch
# Add check to see if fips flag is enabled in kernel
Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
# Instead of replacing ectest.c and ec_curve.c, add the changes as a patch so
# that new modifications made to these files by upstream are not lost.
Patch10: 0010-Add-changes-to-ectest-and-eccurve.patch
# remove unsupported EC curves
Patch11: 0011-Remove-EC-curves.patch
# Disable explicit EC curves
# https://bugzilla.redhat.com/show_bug.cgi?id=2066412
Patch12: 0012-Disable-explicit-ec.patch
#Skipped tests from former 0011-Remove-EC-curves.patch
Patch13: 0013-skipped-tests-EC-curves.patch
# Instructions to load legacy provider in openssl.cnf
Patch24: 0024-load-legacy-prov.patch
# We load FIPS provider and set FIPS properties implicitly
Patch32: 0032-Force-fips.patch
# Embed HMAC into the fips.so
Patch33: 0033-FIPS-embed-hmac.patch
# Comment out fipsinstall command-line utility
Patch34: 0034.fipsinstall_disable.patch
# Skip unavailable algorithms running `openssl speed`
Patch35: 0035-speed-skip-unavailable-dgst.patch
# Extra public/private key checks required by FIPS-140-3
Patch44: 0044-FIPS-140-3-keychecks.patch
# Minimize fips services
Patch45: 0045-FIPS-services-minimize.patch
# Execute KATS before HMAC verification
Patch47: 0047-FIPS-early-KATS.patch
# Selectively disallow SHA1 signatures
Patch49: 0049-Selectively-disallow-SHA1-signatures.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2049265
Patch50: 0050-FIPS-enable-pkcs12-mac.patch
# Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
Patch52: 0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
# Originally from https://github.com/openssl/openssl/pull/18103
# As we rebased to 3.0.7 and used the version of the function
# not matching the upstream one, we have to use aliasing.
# When we eliminate this patch, the `-Wl,--allow-multiple-definition`
# should also be removed
Patch56: 0056-strcasecmp.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2053289
Patch58: 0058-FIPS-limit-rsa-encrypt.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2087147
Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch
Patch62: 0062-fips-Expose-a-FIPS-indicator.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2102535
Patch73: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2102535
Patch74: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2102535
Patch75: 0075-FIPS-Use-FFDHE2048-in-self-test.patch
# Downstream only. Reseed DRBG using getrandom(GRND_RANDOM)
# https://bugzilla.redhat.com/show_bug.cgi?id=2102541
%if 0%{?rhel} >= 8
Patch76: 0076-FIPS-140-3-DRBG.patch
%else
# RHEL 7 has no getrandom() implemented
Patch76: 0076-FIPS-140-3-DRBG-OLD.patch
%endif
# https://bugzilla.redhat.com/show_bug.cgi?id=2102542
Patch77: 0077-FIPS-140-3-zeroization.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2114772
# https://bugzilla.redhat.com/show_bug.cgi?id=2141695
# https://bugzilla.redhat.com/show_bug.cgi?id=2160733
# https://bugzilla.redhat.com/show_bug.cgi?id=2164763
Patch78: 0078-KDF-Add-FIPS-indicators.patch
#https://bugzilla.redhat.com/show_bug.cgi?id=2141748
Patch80: 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2142131
Patch81: 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2136250
Patch83: 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2137557
Patch84: 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
#https://bugzilla.redhat.com/show_bug.cgi?id=2142121
Patch85: 0085-FIPS-RSA-disable-shake.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2142087
Patch88: 0088-signature-Add-indicator-for-PSS-salt-length.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2144561
Patch91: 0091-FIPS-RSA-encapsulate.patch
# FIPS-95
Patch93: 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2168289
Patch110: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
Patch112: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2179331
Patch113: 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2157951
Patch114: 0114-FIPS-enforce-EMS-support.patch
# skip quic and pairwise tests temporarily
Patch115: 0115-skip-quic-pairwise.patch
# Add version aliasing due to
# https://github.com/openssl/openssl/issues/23534
Patch116: 0116-version-aliasing.patch
# https://github.com/openssl/openssl/issues/23050
Patch117: 0117-ignore-unknown-sigalgorithms-groups.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2160797
Patch121: 0121-FIPS-cms-defaults.patch
# KTLS regression, temporary skip tests
Patch122: 0122-TMP-KTLS-test-skip.patch
# HKDF regression with older provider implementations
Patch123: 0123-kdf-Preserve-backward-compatibility-with-older-provi.patch
# https://github.com/openssl/openssl/pull/24717
Patch124: 0124-Fix-SSL_select_next_proto.patch
Patch125: 0125-More-correctly-handle-a-selected_len-of-0-when-proce.patch
Patch126: 0126-Use-correctly-formatted-ALPN-data-in-tserver.patch
Patch127: 0127-Clarify-the-SSL_select_next_proto-documentation.patch
Patch128: 0128-Add-a-test-for-SSL_select_next_proto.patch
Patch129: 0129-Allow-an-empty-NPN-ALPN-protocol-list-in-the-tests.patch
Patch130: 0130-Correct-return-values-for-tls_construct_stoc_next_pr.patch
Patch131: 0131-Add-ALPN-validation-in-the-client.patch
Patch132: 0132-Add-explicit-testing-of-ALN-and-NPN-in-sslapitest.patch
Patch133: 0133-Add-a-test-for-an-empty-NextProto-message.patch
Patch136: 0136-CVE-2024-6119.patch
%if 0%{?rhel} < 8
Patch1000: openssl-3.0.2-bundled-policy.patch
Patch1001: rename-config.patch
%endif
%if 0%{?rhel} == 6
Patch1002: fix-secure_getenv-for-el6.patch
%endif
License: ASL 2.0
URL: http://www.openssl.org/
%if 0%{?rhel} < 8
BuildRequires: devtoolset-8-gcc-c++ devtoolset-8-build
%else
BuildRequires: gcc-c++
%endif
BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp
BuildRequires: lksctp-tools-devel
BuildRequires: /usr/bin/rename
BuildRequires: /usr/bin/pod2man
BuildRequires: /sbin/sysctl
BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt)
BuildRequires: perl(Module::Load::Conditional), perl(File::Temp)
BuildRequires: perl(Time::HiRes), perl(IPC::Cmd), perl(Pod::Html), perl(Digest::SHA)
BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy), perl(bigint)
BuildRequires: git-core
%if %{with bootstrap}
BuildRequires: %{name}-devel = %{epoch}:%{version}
%endif
Requires: coreutils
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
%if 0%{?rhel} < 8
Obsoletes: rx-openssl
Provides: rx-openssl = %{epoch}:%{version}-%{release}
%endif
%description
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.
%package libs
Summary: A general purpose cryptography library with TLS implementation
Requires: ca-certificates >= 2008-5
Provides: openssl-libs%{?_isa} = %{epoch}:%{version}-%{release}
%if 0%{?rhel} < 8
Obsoletes: rx-openssl-libs >= %{epoch}:3.0
Provides: rx-openssl-libs = %{epoch}:%{version}-%{release}
%endif
%if 0%{?rhel} >= 8
Requires: crypto-policies >= 20180730
Recommends: openssl-pkcs11%{?_isa}
%endif
%description libs
OpenSSL is a toolkit for supporting cryptography. The openssl-libs
package contains the libraries that are used by various applications which
support cryptographic algorithms and protocols.
%package devel
Summary: Files for development of applications which will use OpenSSL
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
Conflicts: openssl-devel <= 3.0.0
Provides: openssl-devel = %{epoch}:%{version}-%{release}
Provides: openssl-devel%{?_isa} = %{epoch}:%{version}-%{release}
%if 0%{?rhel} < 8
Obsoletes: rx-openssl-devel
Provides: rx-openssl-devel = %{epoch}:%{version}-%{release}
%endif
Requires: pkgconfig
%description devel
OpenSSL is a toolkit for supporting cryptography. The openssl-devel
package contains include files needed to develop applications which
support various cryptographic algorithms and protocols.
%prep
%autosetup -S git -n openssl-%{version}
%build
%if 0%{?rhel} < 8
%enable_devtoolset8
%endif
# Figure out which flags we want to use.
# default
sslarch=%{_os}-%{_target_cpu}
%ifarch %ix86
sslarch=linux-elf
if ! echo %{_target} | grep -q i686 ; then
sslflags="no-asm 386"
fi
%endif
%ifarch x86_64
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch sparcv9
sslarch=linux-sparcv9
sslflags=no-asm
%endif
%ifarch sparc64
sslarch=linux64-sparcv9
sslflags=no-asm
%endif
%ifarch alpha alphaev56 alphaev6 alphaev67
sslarch=linux-alpha-gcc
%endif
%ifarch s390 sh3eb sh4eb
sslarch="linux-generic32 -DB_ENDIAN"
%endif
%ifarch s390x
sslarch="linux64-s390x"
%endif
%ifarch %{arm}
sslarch=linux-armv4
%endif
%ifarch aarch64
sslarch=linux-aarch64
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch sh3 sh4
sslarch=linux-generic32
%endif
%ifarch ppc64 ppc64p7
sslarch=linux-ppc64
%endif
%ifarch ppc64le
sslarch="linux-ppc64le"
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch mips mipsel
sslarch="linux-mips32 -mips32r2"
%endif
%ifarch mips64 mips64el
sslarch="linux64-mips64 -mips64r2"
%endif
%ifarch mips64el
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch riscv64
sslarch=linux-generic64
%endif
ktlsopt=enable-ktls
%ifarch armv7hl
ktlsopt=disable-ktls
%endif
# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
# marked as not requiring an executable stack.
# Also add -DPURIFY to make using valgrind with openssl easier as we do not
# want to depend on the uninitialized memory as a source of entropy anyway.
# RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS"
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -fno-common -DPURIFY -DOPENSSL_NO_BUF_FREELISTS -DTERMIO $RPM_LD_FLAGS"
%if %{with bootstrap}
export LDFLAGS="-L%{_libdir} -Wl,-rpath=%{_libdir} $_LDFLAGS -lcrypto -lssl"
export CFLAGS="-I%{_includedir} $_CFLAGS"
%endif
export HASHBANGPERL=/usr/bin/perl
%define fips %{version}-%(date +%Y%m%d)
# ia64, x86_64, ppc are OK by default
# Configure the build tree. Override OpenSSL defaults with known-good defaults
# usable on all platforms. The Configure script already knows to use -fPIC and
# RPM_OPT_FLAGS, so we can skip specifiying them here.
./Configure \
--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
%if 0%{?rhel} > 7
--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
%endif
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
enable-cms enable-md2 enable-rc5 ${ktlsopt} enable-fips\
no-mdc2 no-ec2m no-sm2 no-sm4 no-tests \
shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""' \
-Wl,--allow-multiple-definition
# Do not run this in a production package the FIPS symbols must be patched-in
#util/mkdef.pl crypto update
make %{?_smp_mflags} all
# Clean up the .pc files
for i in libcrypto.pc libssl.pc openssl.pc ; do
sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i
done
%check
# Verify that what was compiled actually works.
# Hack - either enable SCTP AUTH chunks in kernel or disable sctp for check
(sysctl net.sctp.addip_enable=1 && sysctl net.sctp.auth_enable=1) || \
(echo 'Failed to enable SCTP AUTH chunks, disabling SCTP for tests...' &&
sed '/"msan" => "default",/a\ \ "sctp" => "default",' configdata.pm > configdata.pm.new && \
touch -r configdata.pm configdata.pm.new && \
mv -f configdata.pm.new configdata.pm)
# We must revert patch4 before tests otherwise they will fail
#patch -p1 -R < %{PATCH4}
OPENSSL_ENABLE_MD5_VERIFY=
export OPENSSL_ENABLE_MD5_VERIFY
%if 0%{?rhel}
OPENSSL_ENABLE_SHA1_SIGNATURES=
export OPENSSL_ENABLE_SHA1_SIGNATURES
%endif
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
make test HARNESS_JOBS=8
# Add generation of HMAC checksum of the final stripped library
#%define __spec_install_post \
# %{?__debug_package:%{__debug_install_post}} \
# %{__arch_install_post} \
# %{__os_install_post} \
# crypto/fips/fips_standalone_hmac %{buildroot}%{_libdir}/libcrypto.so.%{version} >%{buildroot}%{_libdir}/.libcrypto.so.%{version}.hmac \
# ln -sf .libcrypto.so.%{version}.hmac %{buildroot}%{_libdir}/.libcrypto.so.%{soversion}.hmac \
# crypto/fips/fips_standalone_hmac %{buildroot}%{_libdir}/libssl.so.%{version} >%{buildroot}%{_libdir}/.libssl.so.%{version}.hmac \
# ln -sf .libssl.so.%{version}.hmac %{buildroot}%{_libdir}/.libssl.so.%{soversion}.hmac \
#%{nil}
%define __provides_exclude_from %{_libdir}/openssl
%install
[ "%{buildroot}" != "/" ] && rm -rf %{buildroot}
# Install OpenSSL.
install -d %{buildroot}{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl,%{_pkgdocdir}}
%make_install
rename so.%{soversion} so.%{version} %{buildroot}%{_libdir}/*.so.%{soversion}
for lib in %{buildroot}%{_libdir}/*.so.%{version} ; do
chmod 755 ${lib}
ln -s -f `basename ${lib}` %{buildroot}%{_libdir}/`basename ${lib} .%{version}`
ln -s -f `basename ${lib}` %{buildroot}%{_libdir}/`basename ${lib} .%{version}`.%{soversion}
done
# Remove static libraries
for lib in %{buildroot}%{_libdir}/*.a ; do
rm -f ${lib}
done
# Install a makefile for generating keys and self-signed certs, and a script
# for generating them on the fly.
mkdir -p %{buildroot}%{_sysconfdir}/pki/tls/certs
install -m644 %{SOURCE2} %{buildroot}%{_pkgdocdir}/Makefile.certificate
install -m755 %{SOURCE6} %{buildroot}%{_bindir}/make-dummy-cert
install -m755 %{SOURCE7} %{buildroot}%{_bindir}/renew-dummy-cert
# Move runable perl scripts to bindir
mv %{buildroot}%{_sysconfdir}/pki/tls/misc/*.pl %{buildroot}%{_bindir}
mv %{buildroot}%{_sysconfdir}/pki/tls/misc/tsget %{buildroot}%{_bindir}
# Rename man pages so that they don't conflict with other system man pages.
pushd %{buildroot}%{_mandir}
mv man5/config.5ossl man5/openssl.cnf.5
popd
mkdir -m755 %{buildroot}%{_sysconfdir}/pki/CA
mkdir -m700 %{buildroot}%{_sysconfdir}/pki/CA/private
mkdir -m755 %{buildroot}%{_sysconfdir}/pki/CA/certs
mkdir -m755 %{buildroot}%{_sysconfdir}/pki/CA/crl
mkdir -m755 %{buildroot}%{_sysconfdir}/pki/CA/newcerts
#mkdir -p -m755 %{buildroot}%{_sysconfig}/ld.so.conf.d
#install -m 0644 %{SOURCE14} %{buildroot}%{_sysconfig}/ld.so.conf.d/
# Ensure the config file timestamps are identical across builds to avoid
# mulitlib conflicts and unnecessary renames on upgrade
touch -r %{SOURCE2} %{buildroot}%{_sysconfdir}/pki/tls/openssl.cnf
touch -r %{SOURCE2} %{buildroot}%{_sysconfdir}/pki/tls/ct_log_list.cnf
rm -f %{buildroot}%{_sysconfdir}/pki/tls/openssl.cnf.dist
rm -f %{buildroot}%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
%ifarch i686
rm -f %{buildroot}%{_sysconfdir}/pki/tls/fipsmodule.cnf
%endif
%if 0%{?rhel} < 8
mv %{buildroot}%{_sysconfdir}/pki/tls/openssl.cnf %{buildroot}%{_sysconfdir}/pki/tls/openssl3.cnf
%endif
# Determine which arch opensslconf.h is going to try to #include.
basearch=%{_arch}
%ifarch %{ix86}
basearch=i386
%endif
%ifarch sparcv9
basearch=sparc
%endif
%ifarch sparc64
basearch=sparc64
%endif
# Next step of gradual disablement of SSL3.
# Make SSL3 disappear to newly built dependencies.
sed -i '/^\#ifndef OPENSSL_NO_SSL_TRACE/i\
#ifndef OPENSSL_NO_SSL3\
# define OPENSSL_NO_SSL3\
#endif' %{buildroot}/%{_prefix}/include/openssl/opensslconf.h
%ifarch %{multilib_arches}
# Do an configuration.h switcheroo to avoid file conflicts on systems where you
# can have both a 32- and 64-bit version of the library, and they each need
# their own correct-but-different versions of opensslconf.h to be usable.
install -m644 %{SOURCE10} \
%{buildroot}/%{_prefix}/include/openssl/configuration-${basearch}.h
cat %{buildroot}/%{_prefix}/include/openssl/configuration.h >> \
%{buildroot}/%{_prefix}/include/openssl/configuration-${basearch}.h
install -m644 %{SOURCE9} \
%{buildroot}/%{_prefix}/include/openssl/configuration.h
%endif
# Transformation for openssl3
# see openssl11.spec
mkdir -p %{buildroot}{%{_libdir},%{_includedir}}/%{name}/
%if 0%{?rhel} > 7
rm -f %{buildroot}%{_sysconfdir}/pki/tls/openssl.cnf
%endif
rm -f %{buildroot}%{_sysconfdir}/pki/tls/ct_log_list.cnf
#rm -f %{buildroot}%{_libdir}/*.so
mv -f %{buildroot}%{_includedir}/{openssl,%{name}/openssl}/
mv -f %{buildroot}%{_bindir}/{openssl,%{name}}
for pc in libcrypto libssl openssl; do
sed -i 's@/include@/include/%{name}@' %{buildroot}%{_libdir}/pkgconfig/${pc}.pc
done
# ln -s ../libcrypto.so.%{version} %{buildroot}%{_libdir}/libcrypto.so
# ln -s ../libssl.so.%{version} %{buildroot}%{_libdir}/%{name}/libssl.so
# pushd %{buildroot}%{_mandir}
# for manpage in man*/* ; do
# [ "${manpage}" = "man1/%{name}.1" ] && continue
# if [ -L ${manpage} ]; then
# TARGET=`ls -l ${manpage} | awk '{ print $NF }'`
# ln -snf ${TARGET}11 ${manpage}
# rm -f ${manpage}
# else
# mv -f ${manpage} ${manpage}3
# fi
# done
# popd
# No openssl3-perl, because it wouldn't be really different or newer
rm -rf %{buildroot}{%{_sysconfdir}/pki/CA/,{%{_bindir},%{_mandir}/man1}/{CA.pl,c_rehash,*tsget}*}
# Remove dummy cert tools
rm -f %{buildroot}%{_bindir}/{make,renew}-dummy-cert
%files
%if 0%{?rhel} >= 7
%license LICENSE.txt
%doc NEWS.md README.md
%endif
%{_bindir}/%{name}
%{_mandir}/man1/*
%{_mandir}/man5/*
%{_mandir}/man7/*
#exclude %{_mandir}/man1/*.pl*
#exclude %{_mandir}/man1/tsget*
%{_pkgdocdir}/Makefile.certificate
%files libs
%if 0%{?rhel} >= 7
%license LICENSE.txt
%endif
%dir %{_sysconfdir}/pki/tls
%dir %{_sysconfdir}/pki/tls/certs
%dir %{_sysconfdir}/pki/tls/misc
%dir %{_sysconfdir}/pki/tls/private
%ifnarch i686
%config(noreplace) %{_sysconfdir}/pki/tls/fipsmodule.cnf
%endif
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version}
%{_libdir}/libcrypto.so.%{soversion}
%attr(0755,root,root) %{_libdir}/libssl.so.%{version}
%{_libdir}/libssl.so.%{soversion}
%attr(0755,root,root) %{_libdir}/engines-%{soversion}
%attr(0755,root,root) %{_libdir}/ossl-modules
%if 0%{?rhel} < 8
%{_sysconfdir}/pki/tls/openssl3.cnf
%endif
%files devel
%doc CHANGES.md
%doc doc/dir-locals.example.el doc/openssl-c-indent.el
%{_prefix}/include
%{_libdir}/*.so
%{_mandir}/man3/*
%{_libdir}/pkgconfig/*.pc
%ldconfig_scriptlets libs
%changelog
* Thu Sep 12 2024 Raven <raven@sysadmins.ws> - 1:3.2.2-6
- rebase to 3.2.2-6 from c9-stream
* Thu Sep 5 2024 Raven <raven@sysadmins.ws> - 1:3.0.15-1
- update to 3.0.15
* Fri Jun 7 2024 Raven <raven@sysadmins.ws> - 1:3.0.14-1
- update to 3.0.14
* Tue Feb 6 2024 Raven <raven@sysadmins.ws> - 1:3.0.13-1
- update to 3.0.13
* Thu Mar 23 2023 Raven <raven@sysadmins.ws> - 1:3.0.12-1
- update to 3.0.12
* Thu Mar 23 2023 Raven <raven@sysadmins.ws> - 1:3.0.8-2
- import Fedora upstream patches
- remove hobbling script
* Fri Feb 10 2023 Raven <raven@sysadmins.ws> - 1:3.0.8-1
- update to 3.0.8
Resolves: CVE-2022-4203
Resolves: CVE-2022-4304
Resolves: CVE-2022-4450
Resolves: CVE-2023-0215
Resolves: CVE-2023-0216
Resolves: CVE-2023-0217
Resolves: CVE-2023-0286
Resolves: CVE-2023-0401
* Fri Dec 23 2022 Raven <raven@sysadmins.ws> - 1:3.0.7-2
- import FIPS patches from Fedora
- rename to openssl3
* Wed Nov 2 2022 Raven <raven@sysadmins.ws> - 1:3.0.7-1
- update to 3.0.7
* Wed Nov 2 2022 Raven <raven@sysadmins.ws> - 1:3.0.5-2
- security patch from Fedora
Resolves: CVE-2022-3602
Resolves: CVE-2022-3786
* Fri Aug 19 2022 Raven <raven@sysadmins.ws> - 1:3.0.5-1
- update to 3.0.5
- Related: rhbz#2099972, CVE-2022-2097
* Tue Jul 12 2022 Raven <raven@sysadmins.ws> - 1:3.0.2-4
- rebuild for debuginfo
* Wed May 18 2022 Raven <raven@sysadmins.ws> - 1:3.0.2-3
- port configs from crypto-policies
* Mon Apr 25 2022 Raven <raven@sysadmins.ws> - 1:3.0.2-2
- minor bug in Requires
* Wed Mar 16 2022 Raven <raven@sysadmins.ws> - 1:3.0.2-1
- port c9s' openssl to rx-openssl for epel7
- update to 3.0.2
* Thu Mar 10 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-17
- Fix invocation of EVP_PKEY_CTX_set_rsa_padding(RSA_PKCS1_PSS_PADDING) before
setting an allowed digest with EVP_PKEY_CTX_set_signature_md()
- Skipping 3.0.1-16 due to version numbering confusion with the RHEL-9.0 branch
- Resolves: rhbz#2062640
* Tue Mar 01 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-15
- Allow SHA1 in SECLEVEL 2 if rh-allow-sha1-signatures = yes
- Resolves: rhbz#2060510
* Fri Feb 25 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-14
- Prevent use of SHA1 with ECDSA
- Resolves: rhbz#2031742
* Fri Feb 25 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-13
- OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters
- Resolves: rhbz#1977867
* Thu Feb 24 2022 Peter Robinson <pbrobinson@fedoraproject.org> - 1:3.0.1-12
- Support KBKDF (NIST SP800-108) with an R value of 8bits
- Resolves: rhbz#2027261
* Wed Feb 23 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-11
- Allow SHA1 usage in MGF1 for RSASSA-PSS signatures
- Resolves: rhbz#2031742
* Wed Feb 23 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-10
- rebuilt
* Tue Feb 22 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-9
- Allow SHA1 usage in HMAC in TLS
- Resolves: rhbz#2031742
* Tue Feb 22 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-8
- OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters
- Resolves: rhbz#1977867
- pkcs12 export broken in FIPS mode
- Resolves: rhbz#2049265
* Tue Feb 22 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-8
- Disable SHA1 signature creation and verification by default
- Set rh-allow-sha1-signatures = yes to re-enable
- Resolves: rhbz#2031742
* Thu Feb 03 2022 Sahana Prasad <sahana@redhat.com> - 1:3.0.1-7
- s_server: correctly handle 2^14 byte long records
- Resolves: rhbz#2042011
* Tue Feb 01 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-6
- Adjust FIPS provider version
- Related: rhbz#2026445
* Wed Jan 26 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-5
- On the s390x, zeroize all the copies of TLS premaster secret
- Related: rhbz#2040448
* Fri Jan 21 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-4
- rebuilt
* Fri Jan 21 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-3
- KATS tests should be executed before HMAC verification
- Restoring fips=yes for SHA1
- Related: rhbz#2026445, rhbz#2041994
* Thu Jan 20 2022 Sahana Prasad <sahana@redhat.com> - 1:3.0.1-2
- Add enable-buildtest-c++ to the configure options.
- Related: rhbz#1990814
* Tue Jan 18 2022 Sahana Prasad <sahana@redhat.com> - 1:3.0.1-1
- Rebase to upstream version 3.0.1
- Fixes CVE-2021-4044 Invalid handling of X509_verify_cert() internal errors in libssl
- Resolves: rhbz#2038910, rhbz#2035148
* Mon Jan 17 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-7
- Remove algorithms we don't plan to certify from fips module
- Remove native fipsmodule.cnf
- Related: rhbz#2026445
* Tue Dec 21 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-6
- openssl speed should run in FIPS mode
- Related: rhbz#1977318
* Wed Nov 24 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-5
- rebuilt for spec cleanup
- Related: rhbz#1985362
* Thu Nov 18 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-4
- Embed FIPS HMAC in fips.so
- Enforce loading FIPS provider when FIPS kernel flag is on
- Related: rhbz#1985362
* Thu Oct 07 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-3
- Fix memory leak in s_client
- Related: rhbz#1996092
* Mon Sep 20 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-2
- Avoid double-free on error seeding the RNG.
- KTLS and FIPS may interfere, so tests need to be tuned
- Resolves: rhbz#1952844, rhbz#1961643
* Thu Sep 09 2021 Sahana Prasad <sahana@redhat.com> - 1:3.0.0-1
- Rebase to upstream version 3.0.0
- Related: rhbz#1990814
* Wed Aug 25 2021 Sahana Prasad <sahana@redhat.com> - 1:3.0.0-0.beta2.7
- Removes the dual-abi build as it not required anymore. The mass rebuild
was completed and all packages are rebuilt against Beta version.
- Resolves: rhbz#1984097
* Mon Aug 23 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-0.beta2.6
- Correctly process CMS reading from /dev/stdin
- Resolves: rhbz#1986315
* Mon Aug 16 2021 Sahana Prasad <sahana@redhat.com> - 3.0.0-0.beta2.5
- Add instruction for loading legacy provider in openssl.cnf
- Resolves: rhbz#1975836
* Mon Aug 16 2021 Sahana Prasad <sahana@redhat.com> - 3.0.0-0.beta2.4
- Adds support for IDEA encryption.
- Resolves: rhbz#1990602
* Tue Aug 10 2021 Sahana Prasad <sahana@redhat.com> - 3.0.0-0.beta2.3
- Fixes core dump in openssl req -modulus
- Fixes 'openssl req' to not ask for password when non-encrypted private key
is used
- cms: Do not try to check binary format on stdin and -rctform fix
- Resolves: rhbz#1988137, rhbz#1988468, rhbz#1988137
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:3.0.0-0.beta2.2.1
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Aug 04 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 3.0.0-0.beta2.2
- When signature_algorithm extension is omitted, use more relevant alerts
- Resolves: rhbz#1965017
* Tue Aug 03 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta2.1
- Rebase to upstream version beta2
- Related: rhbz#1903209
* Thu Jul 22 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.5
- Prevents creation of duplicate cert entries in PKCS #12 files
- Resolves: rhbz#1978670
* Wed Jul 21 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.4
- NVR bump to update to OpenSSL 3.0 Beta1
* Mon Jul 19 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.3
- Update patch dual-abi.patch to add the #define macros in implementation
files instead of public header files
* Wed Jul 14 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.2
- Removes unused patch dual-abi.patch
* Wed Jul 14 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.1
- Update to Beta1 version
- Includes a patch to support dual-ABI, as Beta1 brekas ABI with alpha16
* Tue Jul 06 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.7
- Fixes override of openssl_conf in openssl.cnf
- Use AI_ADDRCONFIG only when explicit host name is given
- Temporarily remove fipsmodule.cnf for arch i686
- Fixes segmentation fault in BN_lebin2bn
- Resolves: rhbz#1975847, rhbz#1976845, rhbz#1973477, rhbz#1975855
* Fri Jul 02 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.6
- Adds FIPS mode compatibility patch (sahana@redhat.com)
- Related: rhbz#1977318
* Fri Jul 02 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.5
- Fixes system hang issue when booted in FIPS mode (sahana@redhat.com)
- Temporarily disable downstream FIPS patches
- Related: rhbz#1977318
* Fri Jun 11 2021 Mohan Boddu <mboddu@redhat.com> 3.0.0-0.alpha16.4
- Speeding up building openssl (dbelyavs@redhat.com)
Resolves: rhbz#1903209
* Fri Jun 04 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.3
- Fix reading SPKAC data from stdin
- Fix incorrect OSSL_PKEY_PARAM_MAX_SIZE for ed25519 and ed448
- Return 0 after cleanup in OPENSSL_init_crypto()
- Cleanup the peer point formats on regotiation
- Fix default digest to SHA256
* Thu May 27 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.2
- Enable FIPS via config options
* Mon May 17 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.1
- Update to alpha 16 version
Resolves: rhbz#1952901 openssl sends alert after orderly connection close
* Mon Apr 26 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha15.1
- Update to alpha 15 version
Resolves: rhbz#1903209, rhbz#1952598,
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:3.0.0-0.alpha13.1.1
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Fri Apr 09 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha13.1
- Update to new major release OpenSSL 3.0.0 alpha 13
Resolves: rhbz#1903209
Reference in New Issue View Git Blame Copy Permalink