diff --git a/openssl1.1.spec b/openssl1.1.spec
index 5a06e150b6f88c928b09c541f5787408792736b3..c72bb4ff3eee309b76f71128865ca9a2cf101568 100644
--- a/openssl1.1.spec
+++ b/openssl1.1.spec
@@ -1,156 +1,148 @@ -%define anolis_release 1 -# To be reversed as soon as we verify that majority of software compiles -# fine against 3.0 version +%define anolis_release 2 %bcond_without devel - %define soversion 1.1 - %global _performance_build 1 +%define real_name OpenSSL Summary: Compatibility version of the OpenSSL library Name: openssl1.1 Version: 1.1.1q Release: %{anolis_release}%{?dist} Epoch: 1 -Source: https://www.openssl.org/source/openssl-%{version}.tar.gz -Source1: hobble-openssl -Source9: opensslconf-new.h -Source10: opensslconf-new-warning.h -Source12: ec_curve.c -Source13: ectest.c -# Build changes -Patch1: openssl-1.1.1-build.patch -Patch2: openssl-1.1.1-defaults.patch -Patch3: openssl-1.1.1-no-html.patch -Patch4: openssl-1.1.1-man-rename.patch - -# Functionality changes -Patch31: openssl-1.1.1-conf-paths.patch -Patch32: openssl-1.1.1-version-add-engines.patch -Patch33: openssl-1.1.1-apps-dgst.patch -Patch36: openssl-1.1.1-no-brainpool.patch -Patch37: openssl-1.1.1-ec-curves.patch -Patch38: openssl-1.1.1-no-weak-verify.patch -Patch40: openssl-1.1.1-disable-ssl3.patch -Patch41: openssl-1.1.1-system-cipherlist.patch -Patch42: openssl-1.1.1-fips.patch -Patch44: openssl-1.1.1-version-override.patch -Patch45: openssl-1.1.1-weak-ciphers.patch -Patch46: openssl-1.1.1-seclevel.patch -Patch47: openssl-1.1.1-ts-sha256-default.patch -Patch48: openssl-1.1.1-fips-post-rand.patch -Patch49: openssl-1.1.1-evp-kdf.patch -Patch50: openssl-1.1.1-ssh-kdf.patch -Patch51: openssl-1.1.1-intel-cet.patch -Patch60: openssl-1.1.1-krb5-kdf.patch -Patch61: openssl-1.1.1-edk2-build.patch -Patch62: openssl-1.1.1-fips-curves.patch -Patch65: openssl-1.1.1-fips-drbg-selftest.patch -Patch66: openssl-1.1.1-fips-dh.patch -Patch67: openssl-1.1.1-kdf-selftest.patch -Patch69: openssl-1.1.1-alpn-cb.patch -Patch70: openssl-1.1.1-rewire-fips-drbg.patch -# Backported fixes including security fixes -Patch52: openssl-1.1.1-s390x-update.patch -Patch53: openssl-1.1.1-fips-crng-test.patch 
-Patch55: openssl-1.1.1-arm-update.patch -Patch56: openssl-1.1.1-s390x-ecc.patch - License: OpenSSL and ASL 2.0 URL: http://www.openssl.org/ -BuildRequires: make -BuildRequires: gcc -BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp +Source: ${url}/source/openssl-%{version}.tar.gz +Source1: hobble-openssl +Source2: ec_curve.c +Source3: ectest.c + +BuildRequires: make, gcc > 12.0 +BuildRequires: coreutils +BuildRequires: perl-interpreter +BuildRequires: sed +BuildRequires: /usr/bin/cmp, /usr/bin/rename, /usr/bin/pod2man, /usr/sbin/sysctl +BuildRequires: zlib-devel BuildRequires: lksctp-tools-devel -BuildRequires: /usr/bin/rename -BuildRequires: /usr/bin/pod2man -BuildRequires: /usr/sbin/sysctl -BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt) -BuildRequires: perl(Module::Load::Conditional), perl(File::Temp) +BuildRequires: perl(Test::Harness) +BuildRequires: perl(Test::More) +BuildRequires: perl(Math::BigInt) +BuildRequires: perl(Module::Load::Conditional) +BuildRequires: perl(File::Temp) BuildRequires: perl(Time::HiRes) -BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy) +BuildRequires: perl(FindBin) +BuildRequires: perl(lib) +BuildRequires: perl(File::Compare) +BuildRequires: perl(File::Copy) Conflicts: openssl-libs < 1:3.0 +Patch1001: openssl-1.1.1-build.patch +Patch1002: openssl-1.1.1-defaults.patch +Patch1003: openssl-1.1.1-no-html.patch +Patch1004: openssl-1.1.1-man-rename.patch + +Patch1031: openssl-1.1.1-conf-paths.patch +Patch1032: openssl-1.1.1-version-add-engines.patch +Patch1033: openssl-1.1.1-apps-dgst.patch +Patch1036: openssl-1.1.1-no-brainpool.patch +Patch1037: openssl-1.1.1-ec-curves.patch +Patch1038: openssl-1.1.1-no-weak-verify.patch +Patch1040: openssl-1.1.1-disable-ssl3.patch +Patch1041: openssl-1.1.1-system-cipherlist.patch +Patch1042: openssl-1.1.1-fips.patch +Patch1044: openssl-1.1.1-version-override.patch +Patch1045: openssl-1.1.1-weak-ciphers.patch +Patch1046: 
openssl-1.1.1-seclevel.patch +Patch1047: openssl-1.1.1-ts-sha256-default.patch +Patch1048: openssl-1.1.1-fips-post-rand.patch +Patch1049: openssl-1.1.1-evp-kdf.patch +Patch1050: openssl-1.1.1-ssh-kdf.patch +Patch1051: openssl-1.1.1-intel-cet.patch +Patch1060: openssl-1.1.1-krb5-kdf.patch +Patch1061: openssl-1.1.1-edk2-build.patch +Patch1062: openssl-1.1.1-fips-curves.patch +Patch1065: openssl-1.1.1-fips-drbg-selftest.patch +Patch1066: openssl-1.1.1-fips-dh.patch +Patch1067: openssl-1.1.1-kdf-selftest.patch +Patch1069: openssl-1.1.1-alpn-cb.patch +Patch1070: openssl-1.1.1-rewire-fips-drbg.patch + +Patch1052: openssl-1.1.1-s390x-update.patch +Patch1053: openssl-1.1.1-fips-crng-test.patch +Patch1055: openssl-1.1.1-arm-update.patch +Patch1056: openssl-1.1.1-s390x-ecc.patch + %description -The OpenSSL toolkit provides support for secure communications between -machines. This version of OpenSSL package contains only the libraries +The %{real_name} toolkit provides support for secure communications between +machines. This version of %{real_name} package contains only the libraries from the 1.1.1 version and is provided for compatibility with previous releases. %if %{with devel} %package devel -Summary: Files for development of applications which will use OpenSSL +Summary: Files for development of applications which will use %{real_name} Requires: %{name} = %{epoch}:%{version}-%{release} Requires: pkgconfig -# The devel subpackage intentionally conflicts with main openssl-devel -# as simultaneous use of bSSL openssl package cannot be encouraged. -# Making the packages non-conflicting would also require further -# changes in the dependent packages. Conflicts: openssl-devel %description devel -OpenSSL is a toolkit for supporting cryptography. The openssl-devel +%{real_name} is a toolkit for supporting cryptography. The openssl-devel package contains include files needed to develop applications which support various cryptographic algorithms and protocols. 
%endif %package doc -Summary: Doc files for OpenSSL +Summary: Doc files for %{real_name} Requires: %{name} = %{epoch}:%{version}-%{release} BuildArch: noarch %description doc -Doc files for OpenSSL +Doc files for %{real_name} %prep %setup -q -n openssl-%{version} -# The hobble_openssl is called here redundantly, just to be sure. -# The tarball has already the sources removed. %{SOURCE1} > /dev/null -cp %{SOURCE12} crypto/ec/ -cp %{SOURCE13} test/ - -%patch1 -p1 -b .build %{?_rawbuild} -%patch2 -p1 -b .defaults -%patch3 -p1 -b .no-html %{?_rawbuild} -%patch4 -p1 -b .man-rename - -%patch31 -p1 -b .conf-paths -%patch32 -p1 -b .version-add-engines -%patch33 -p1 -b .dgst -%patch36 -p1 -b .no-brainpool -%patch37 -p1 -b .curves -%patch38 -p1 -b .no-weak-verify -%patch40 -p1 -b .disable-ssl3 -%patch41 -p1 -b .system-cipherlist -%patch42 -p1 -b .fips -%patch44 -p1 -b .version-override -%patch45 -p1 -b .weak-ciphers -%patch46 -p1 -b .seclevel -%patch47 -p1 -b .ts-sha256-default -%patch48 -p1 -b .fips-post-rand -%patch49 -p1 -b .evp-kdf -%patch50 -p1 -b .ssh-kdf -%patch51 -p1 -b .intel-cet -%patch52 -p1 -b .s390x-update -%patch53 -p1 -b .crng-test -%patch55 -p1 -b .arm-update -%patch56 -p1 -b .s390x-ecc -%patch60 -p1 -b .krb5-kdf -%patch61 -p1 -b .edk2-build -%patch62 -p1 -b .fips-curves -%patch65 -p1 -b .drbg-selftest -%patch66 -p1 -b .fips-dh -%patch67 -p1 -b .kdf-selftest -%patch69 -p1 -b .alpn-cb -%patch70 -p1 -b .rewire-fips-drbg +cp %{SOURCE2} crypto/ec/ +cp %{SOURCE3} test/ + +%patch1001 -p1 -b .build %{?_rawbuild} +%patch1002 -p1 -b .defaults +%patch1003 -p1 -b .no-html %{?_rawbuild} +%patch1004 -p1 -b .man-rename + +%patch1031 -p1 -b .conf-paths +%patch1032 -p1 -b .version-add-engines +%patch1033 -p1 -b .dgst +%patch1036 -p1 -b .no-brainpool +%patch1037 -p1 -b .curves +%patch1038 -p1 -b .no-weak-verify +%patch1040 -p1 -b .disable-ssl3 +%patch1041 -p1 -b .system-cipherlist +%patch1042 -p1 -b .fips +%patch1044 -p1 -b .version-override +%patch1045 -p1 -b .weak-ciphers 
+%patch1046 -p1 -b .seclevel +%patch1047 -p1 -b .ts-sha256-default +%patch1048 -p1 -b .fips-post-rand +%patch1049 -p1 -b .evp-kdf +%patch1050 -p1 -b .ssh-kdf +%patch1051 -p1 -b .intel-cet +%patch1052 -p1 -b .s390x-update +%patch1053 -p1 -b .crng-test +%patch1055 -p1 -b .arm-update +%patch1056 -p1 -b .s390x-ecc +%patch1060 -p1 -b .krb5-kdf +%patch1061 -p1 -b .edk2-build +%patch1062 -p1 -b .fips-curves +%patch1065 -p1 -b .drbg-selftest +%patch1066 -p1 -b .fips-dh +%patch1067 -p1 -b .kdf-selftest +%patch1069 -p1 -b .alpn-cb +%patch1070 -p1 -b .rewire-fips-drbg %build -# Figure out which flags we want to use. -# default sslarch=%{_os}-%{_target_cpu} %ifarch x86_64 sslflags=enable-ec_nistp_64_gcc_128 
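Review bot: The new `Source: ${url}/source/openssl-%{version}.tar.gz` line uses shell syntax where an RPM macro is needed, so rpm will most likely leave `${url}` unexpanded and Source0 stops being a fetchable address. The build only needs the basename, so this will not fail loudly, but anyone re-downloading the tarball to compare it with upstream loses the reference. `%{url}` would not be a clean fix either, because `URL:` is `http://www.openssl.org/` with a trailing slash and plain HTTP; I would keep the explicit form, `Source: https://www.openssl.org/source/openssl-%{version}.tar.gz`. The hunk also deletes the comment in `%prep` saying the tarball already has sources removed, which was the one place a reader learned that the shipped archive is expected to differ from upstream's.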
@@ -163,69 +155,64 @@ sslflags=enable-ec_nistp_64_gcc_128 sslarch=linux-generic64 %endif -# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be -# marked as not requiring an executable stack. -# Also add -DPURIFY to make using valgrind with openssl easier as we do not -# want to depend on the uninitialized memory as a source of entropy anyway. RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS" export HASHBANGPERL=/usr/bin/perl -# ia64, x86_64, ppc are OK by default -# Configure the build tree. Override OpenSSL defaults with known-good defaults -# usable on all platforms. The Configure script already knows to use -fPIC and -# RPM_OPT_FLAGS, so we can skip specifiying them here. ./Configure \ - --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \ + --prefix=%{_prefix} \ + --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \ --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \ - zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \ - enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \ + zlib \ + enable-camellia \ + enable-seed \ + enable-rfc3779 \ + enable-sctp \ + enable-cms \ + enable-md2 \ + enable-rc5 \ + enable-ssl3 \ + enable-ssl3-method \ enable-weak-ssl-ciphers \ - no-mdc2 no-ec2m no-sm2 no-sm4 \ + no-mdc2 \ + no-ec2m \ + no-sm2 \ + no-sm4 \ shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""' -# Do not run this in a production package the FIPS symbols must be patched-in -#util/mkdef.pl crypto update - make all -# Clean up the .pc files for i in libcrypto.pc libssl.pc openssl.pc ; do sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i done %check -# Verify that what was compiled actually works. 
-# Hack - either enable SCTP AUTH chunks in kernel or disable sctp for check (sysctl net.sctp.addip_enable=1 && sysctl net.sctp.auth_enable=1) || \ (echo 'Failed to enable SCTP AUTH chunks, disabling SCTP for tests...' && sed '/"zlib-dynamic" => "default",/a\ \ "sctp" => "default",' configdata.pm > configdata.pm.new && \ touch -r configdata.pm configdata.pm.new && \ mv -f configdata.pm.new configdata.pm) -# We must revert patch31 before tests otherwise they will fail -patch -p1 -R < %{PATCH31} +patch -p1 -R < %{PATCH1031} %define __provides_exclude_from %{_libdir}/openssl %install -[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT -# Install OpenSSL. -install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl,%{_pkgdocdir}} +[ "%{buildroot}" != "/" ] && rm -rf %{buildroot} + +install -d %{buildroot}/{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl,%{_pkgdocdir}} %make_install -rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion} -for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do - chmod 755 ${lib} - ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}` - ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion} +rename so.%{soversion} so.%{version} %{buildroot}/%{_libdir}/*.so.%{soversion} +for lib in %{buildroot}/%{_libdir}/*.so.%{version} ; do + chmod 0755 ${lib} + ln -s -f `basename ${lib}` %{buildroot}/%{_libdir}/`basename ${lib} .%{version}` + ln -s -f `basename ${lib}` %{buildroot}/%{_libdir}/`basename ${lib} .%{version}`.%{soversion} done -# Delete static library -rm -f $RPM_BUILD_ROOT%{_libdir}/*.a || : +rm -f %{buildroot}/%{_libdir}/*.a || : -# Rename man pages so that they don't conflict with other system man pages. -pushd $RPM_BUILD_ROOT%{_mandir} +pushd %{buildroot}/%{_mandir} ln -s -f config.5 man5/openssl.cnf.5 for manpage in man*/* ; do if [ -L ${manpage} ]; then 
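Review bot: The comments deleted in this hunk were the only record of why the hardening flags and the test workarounds exist, and nothing replaces them. `-Wa,--noexecstack` and `-DPURIFY` in `RPM_OPT_FLAGS` now read as arbitrary flags; I would restore a short form such as `# -Wa,--noexecstack: libcrypto's assembler modules must not require an executable stack` and `# -DPURIFY: do not depend on uninitialized memory as a source of entropy`. The same goes for `patch -p1 -R < %{PATCH1031}` in `%check` (`# conf-paths must be reverted before the tests, otherwise they fail`) and for the `sysctl net.sctp.*` line, which changes kernel settings on the build host and was previously marked as a hack. The later hunk at `@@ -246,34 +232,23 @@` drops the SSL3 rationale above the `opensslconf.h` sed in the same way, which matters more there because `./Configure` still passes `enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers`.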
@@ -238,7 +225,6 @@ for manpage in man*/* ; do done for conflict in passwd rand ; do rename ${conflict} ssl${conflict} man*/${conflict}* -# Fix dangling symlinks manpage=man1/openssl-${conflict}.* if [ -L ${manpage} ] ; then ln -snf ssl${conflict}.1ssl ${manpage} @@ -246,34 +232,23 @@ for conflict in passwd rand ; do done popd -# Delete non-devel man pages in the compat package -rm -rf $RPM_BUILD_ROOT%{_mandir}/man[157]* - -# Delete configuration files -rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/pki/* +rm -rf %{buildroot}/%{_mandir}/man[157]* +rm -rf %{buildroot}/%{_sysconfdir}/pki/* +rm -rf %{buildroot}/%{_bindir} +rm -f %{buildroot}/%{_libdir}/engines-1.1/capi.so -# Remove binaries -rm -rf $RPM_BUILD_ROOT/%{_bindir} - -# Remove useless capi engine -rm -f $RPM_BUILD_ROOT/%{_libdir}/engines-1.1/capi.so - -# Determine which arch opensslconf.h is going to try to #include. basearch=%{_arch} -# Next step of gradual disablement of SSL3. -# Make SSL3 disappear to newly built dependencies. sed -i '/^\#ifndef OPENSSL_NO_SSL_TRACE/i\ #ifndef OPENSSL_NO_SSL3\ # define OPENSSL_NO_SSL3\ -#endif' $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h +#endif' %{buildroot}/%{_prefix}/include/openssl/opensslconf.h %if %{without devel} -# Delete devel files -rm -rf $RPM_BUILD_ROOT%{_includedir}/openssl -rm -rf $RPM_BUILD_ROOT%{_mandir}/man3* -rm -rf $RPM_BUILD_ROOT%{_libdir}/*.so -rm -rf $RPM_BUILD_ROOT%{_libdir}/pkgconfig +rm -rf %{buildroot}/%{_includedir}/openssl +rm -rf %{buildroot}/%{_mandir}/man3* +rm -rf %{buildroot}/%{_libdir}/*.so +rm -rf %{buildroot}/%{_libdir}/pkgconfig %endif %files @@ -298,5 +273,8 @@ rm -rf $RPM_BUILD_ROOT%{_libdir}/pkgconfig %ldconfig_scriptlets %changelog +* Tue Apr 11 2023 Ziyang Zhang -1:1.1.1q-2 +- Optimize spec file + * Tue Sep 13 2022 Chunmei Xu - 1:1.1.1q-1 - init from upstream 
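Review bot: `basearch=%{_arch}` in the `@@ -246,34 +232,23 @@` hunk looks like a dead assignment now. Its comment ("Determine which arch opensslconf.h is going to try to #include") is removed here, and the commit also deletes `opensslconf-new.h` and `opensslconf-new-warning.h`, presumably the multilib redirection headers the variable was meant for; nothing in the visible lines reads `${basearch}`. If the rest of `%install` does not use it either, drop the line rather than leave an unexplained variable next to the `sed` that injects `OPENSSL_NO_SSL3`. The `%install` section continues outside the hunk, so this needs checking against the full spec.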
diff --git a/opensslconf-new-warning.h b/opensslconf-new-warning.h
deleted file mode 100644
index de091c83bd1630332d860a5e2c5a85ea7f5b1284..0000000000000000000000000000000000000000
--- a/opensslconf-new-warning.h
+++ /dev/null
@@ -1,7 +0,0 @@
-/* Prepended at openssl package build-time. Don't include this file directly,
- * use instead. */
-
-#ifndef openssl_opensslconf_multilib_redirection_h
-#error "Don't include this file directly, use instead!"
-#endif
-
diff --git a/opensslconf-new.h b/opensslconf-new.h
deleted file mode 100644
index 04363c3415b44caa4f12a4003dd42f1521e502d6..0000000000000000000000000000000000000000
--- a/opensslconf-new.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/* This file is here to prevent a file conflict on multiarch systems. A
- * conflict will frequently occur because arch-specific build-time
- * configuration options are stored (and used, so they can't just be stripped
- * out) in opensslconf.h. The original opensslconf.h has been renamed.
- * DO NOT INCLUDE THE NEW FILE DIRECTLY -- ALWAYS INCLUDE THIS ONE INSTEAD. */
-
-#ifdef openssl_opensslconf_multilib_redirection_h
-#error "Do not define openssl_opensslconf_multilib_redirection_h!"
-#endif
-#define openssl_opensslconf_multilib_redirection_h
-
-#if defined(__i386__)
-#include "opensslconf-i386.h"
-#elif defined(__ia64__)
-#include "opensslconf-ia64.h"
-#elif defined(__mips64) && defined(__MIPSEL__)
-#include "opensslconf-mips64el.h"
-#elif defined(__mips64)
-#include "opensslconf-mips64.h"
-#elif defined(__mips) && defined(__MIPSEL__)
-#include "opensslconf-mipsel.h"
-#elif defined(__mips)
-#include "opensslconf-mips.h"
-#elif defined(__powerpc64__)
-#include
-#if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
-#include "opensslconf-ppc64.h"
-#else
-#include "opensslconf-ppc64le.h"
-#endif
-#elif defined(__powerpc__)
-#include "opensslconf-ppc.h"
-#elif defined(__s390x__)
-#include "opensslconf-s390x.h"
-#elif defined(__s390__)
-#include "opensslconf-s390.h"
-#elif defined(__sparc__) && defined(__arch64__)
-#include "opensslconf-sparc64.h"
-#elif defined(__sparc__)
-#include "opensslconf-sparc.h"
-#elif defined(__x86_64__)
-#include "opensslconf-x86_64.h"
-#else
-#error "This openssl-devel package does not work your architecture?"
-#endif
-
-#undef openssl_opensslconf_multilib_redirection_h