File openssl-1_1.spec of Package openssl-1_1.29173
#
# spec file for package openssl-1_1
#
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
%define ssletcdir %{_sysconfdir}/ssl
%define maj_min 1.1
%define _rname openssl
Name: openssl-1_1
# When updating the version, fix also the "openssl" package!
Version: 1.1.0i
Release: 0
Summary: Secure Sockets and Transport Layer Security
License: OpenSSL
Group: Productivity/Networking/Security
Url: https://www.openssl.org/
Source: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz
# to get mtime of file:
Source1: %{name}.changes
Source2: baselibs.conf
Source42: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz.asc
# https://www.openssl.org/about/
# http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA2D29B7BF295C759#/openssl.keyring
Source43: %{_rname}.keyring
Source99: showciphers.c
# https://github.com/openssl/openssl/pull/2045
Patch0: 0001-Resume-reading-from-randfile-when-interrupted-by-a-s.patch
# PATCH-FIX-OPENSUSE: upstream won't use glibc
Patch1: 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
# PATCH-FIX-OPENSUSE: do not install html mans it takes ages
Patch2: openssl-1.1.0-no-html.patch
# PATCH-FIX-UPSTREAM: patch to allow deps and linking to static libs
# needed for fips and taken from upstream
Patch3: openssl-static-deps.patch
Patch4: openssl-truststore.patch
Patch5: openssl-pkgconfig.patch
Patch6: openssl-1.0.1e-add-suse-default-cipher.patch
Patch7: openssl-1.0.1e-add-test-suse-default-cipher-suite.patch
Patch8: openssl-ppc64-config.patch
Patch9: openssl-no-date.patch
# FIPS patches:
Patch51: openssl-1.1.0-fips.patch
Patch52: openssl-fips-dont_run_FIPS_module_installed.patch
Patch53: openssl-fips_disallow_ENGINE_loading.patch
Patch54: openssl-rsakeygen-minimum-distance.patch
Patch56: openssl-fips-rsagen-d-bits.patch
Patch57: openssl-fips-selftests_in_nonfips_mode.patch
Patch58: openssl-fips-fix-odd-rsakeybits.patch
Patch59: openssl-fips-clearerror.patch
Patch60: openssl-fips-dont-fall-back-to-default-digest.patch
Patch61: openssl-disable_rsa_keygen_tests_with_small_modulus.patch
# PATCH-FIX-UPSTREAM FATE#321518 Add support for s390x CPACF enhancements (bsc#1122984)
Patch62: 0001-s390x-assembly-pack-extend-s390x-capability-vector.patch
Patch63: 0002-s390x-assembly-pack-add-KMA-code-path-for-aes-ctr.patch
Patch64: 0003-crypto-aes-asm-aes-s390x.pl-replace-decrypt-flag-by-.patch
Patch65: 0004-s390x-assembly-pack-add-KMA-code-path-for-aes-gcm.patch
Patch66: 0005-s390x-assembly-pack-add-KMAC-code-path-for-aes-ccm.patch
Patch67: 0006-s390x-assembly-pack-add-KM-code-path-for-aes-ecb.patch
Patch68: 0007-s390x-assembly-pack-add-KMO-code-path-for-aes-ofb.patch
Patch69: 0008-s390x-assembly-pack-add-KMF-code-path-for-aes-cfb-cf.patch
Patch70: 0009-Fix-undefined-behavior-in-s390x-aes-gcm-ccm.patch
Patch76: openssl-One_and_Done.patch
Patch77: openssl-dsa_paramgen2_check.patch
# OpenSSL Security Advisory [30 October 2018]
Patch78: openssl-CVE-2018-0734.patch
Patch79: openssl-CVE-2018-0735.patch
Patch80: 0001-DSA-mod-inverse-fix.patch
Patch81: 0001-Add-a-constant-time-flag-to-one-of-the-bignums-to-av.patch
Patch82: openssl-Bleichenbachers_CAT.patch
# PATCH-FIX-UPSTREAM FATE#326561 Add vectorized chacha20 implementation for s390x (https://github.com/openssl/openssl/pull/6919)
Patch83: 0001-s390x-assembly-pack-perlasm-support.patch
Patch84: 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
# PATCH-FIX-UPSTREAM FATE#326351 Add vectorized poly1305 implementation for s390x (https://github.com/openssl/openssl/pull/7991)
Patch85: 0001-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch
# OpenSSL Security Advisory [6 March 2019]
Patch86: openssl-CVE-2019-1543.patch
Patch87: 0001-apps-speed-fix-segfault-while-looking-up-algorithm-n.patch
Patch88: openssl-speed_skip_binary_curves_NO_EC2M.patch
# OpenSSL Security Advisory [10 September 2019]
Patch89: openssl-CVE-2019-1547.patch
Patch90: openssl-CVE-2019-1563.patch
Patch91: openssl-jsc-SLE-8789-backport_KDF.patch
# OpenSSL Security Advisory [6 December 2019]
Patch92: openssl-CVE-2019-1551.patch
# More FIPS patches
Patch100: openssl-fips_SHA2_in_RSA_pairwise_test.patch
Patch101: openssl-fips-xts_nonidentical_key_parts.patch
Patch102: openssl-fips-run_selftests_only_when_module_is_complete.patch
Patch103: openssl-fips_entropy_reseeding.patch
Patch104: openssl-fips_allow_md5_sha1_for_tls1.0.patch
Patch105: openssl-fips-drbg_derfunc.patch
Patch106: openssl-fips_fix_selftests_return_value.patch
Patch107: openssl-fipslocking.patch
# PATCH-FIX-UPSTREAM bsc#1175847 FIPS: (EC)Diffie-Hellman requirements
# from SP800-56Arev3 SLE-15-SP0
Patch108: openssl-DH.patch
Patch109: openssl-kdf-selftest.patch
Patch110: openssl-kdf-tls-selftest.patch
Patch111: openssl-kdf-ssh-selftest.patch
Patch112: openssl-fips-DH_selftest_shared_secret_KAT.patch
# OpenSSL Security Advisory [8 December 2020] bsc#1179491 CVE-2020-1971
Patch113: openssl-CVE-2020-1971.patch
# OpenSSL Security Advisory [16 February 2021] [bsc#1182333,CVE-2021-23840] [bsc#1182331,CVE-2021-23841]
Patch114: openssl-CVE-2021-23840.patch
Patch115: openssl-CVE-2021-23841.patch
# OpenSSL Security Advisory [17 August 2021] bsc#1189521 CVE-2021-3712
Patch116: CVE-2021-3712-Fix-read-buffer-overrun-in-X509_aux_print.patch
Patch117: CVE-2021-3712-other-ASN1_STRING-issues.patch
Patch118: openssl-add_rfc3526_rfc7919.patch
#PATCH-FIX-UPSTREAM bsc#1196877 CVE-2022-0778 Infinite loop in BN_mod_sqrt() reachable when parsing certificates
Patch119: openssl-CVE-2022-0778.patch
Patch120: openssl-CVE-2022-1292.patch
Patch121: openssl-update_expired_certificates.patch
Patch122: openssl-1_1-Fix-file-operations-in-c_rehash.patch
Patch123: openssl-CVE-2022-2097.patch
Patch124: openssl-1_1-paramgen-default_to_rfc7919.patch
#PATCH-FIX-UPSTREAM bsc#1207534 CVE-2022-4304 Timing Oracle in RSA Decryption
Patch125: openssl-CVE-2022-4304.patch
#PATCH-FIX-UPSTREAM bsc#1207536 CVE-2023-0215 Use-after-free following BIO_new_NDEF()
Patch130: openssl-CVE-2023-0215-1of4.patch
Patch131: openssl-CVE-2023-0215-2of4.patch
Patch132: openssl-CVE-2023-0215-3of4.patch
Patch133: openssl-CVE-2023-0215-4of4.patch
#PATCH-FIX-UPSTREAM bsc#1207533 CVE-2023-0286 Address type confusion related to X.400 address processing
Patch134: openssl-Add-a-test-for-GENERAL_NAME_cmp.patch
Patch135: openssl-CVE-2023-0286.patch
# PATCH-FIX-UPSTREAM: bsc#1209624, CVE-2023-0464 Excessive Resource Usage Verifying X.509 Policy Constraints
Patch136: openssl-CVE-2023-0464.patch
# PATCH-FIX-UPSTREAM: bsc#1209878, CVE-2023-0465 Invalid certificate policies in leaf certificates are silently ignored
Patch137: openssl-CVE-2023-0465.patch
# PATCH-FIX-UPSTREAM: bsc#1209873, CVE-2023-0466 Certificate policy check not enabled
Patch138: openssl-CVE-2023-0466.patch
# PATCH-FIX-UPSTREAM: bsc#1211430, CVE-2023-2650 Possible DoS translating ASN.1 object identifiers
Patch139: openssl-CVE-2023-2650.patch
# PATCH-FIX-UPSTREAM bsc#1201627 Update further expiring certificates that affect tests
Patch140: openssl-Update-further-expiring-certificates.patch
BuildRequires: bc
BuildRequires: ed
BuildRequires: pkgconfig
BuildRequires: pkgconfig(zlib)
Conflicts: ssl
Provides: ssl
Provides: openssl(cli)
# Needed for clean upgrade path, boo#1070003
Obsoletes: openssl-1_0_0
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
Obsoletes: openssl-1_1_0
%description
OpenSSL is a software library to be used in applications that need to
secure communications over computer networks against eavesdropping or
need to ascertain the identity of the party at the other end.
OpenSSL contains an implementation of the SSL and TLS protocols.
%package -n libopenssl1_1
Summary: Secure Sockets and Transport Layer Security
License: OpenSSL
Group: Productivity/Networking/Security
Recommends: ca-certificates-mozilla
# install libopenssl and libopenssl-hmac close together (bsc#1090765)
Suggests: libopenssl1_1-hmac = %{version}-%{release}
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
Obsoletes: libopenssl1_1_0
%description -n libopenssl1_1
OpenSSL is a software library to be used in applications that need to
secure communications over computer networks against eavesdropping or
need to ascertain the identity of the party at the other end.
OpenSSL contains an implementation of the SSL and TLS protocols.
%package -n libopenssl-1_1-devel
Summary: Development files for OpenSSL
License: OpenSSL
Group: Development/Libraries/C and C++
Recommends: %{name} = %{version}
Requires: libopenssl1_1 = %{version}
Requires: pkgconfig(zlib)
# we need to have around only the exact version we are able to operate with
Conflicts: libopenssl-devel < %{version}
Conflicts: libopenssl-devel > %{version}
Conflicts: ssl-devel
Provides: ssl-devel
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
Obsoletes: libopenssl-1_1_0-devel
# Needed for clean upgrade from former openssl-1_0_0, bsc#1106180
Obsoletes: libopenssl-1_0_0-devel
%description -n libopenssl-1_1-devel
This subpackage contains header files for developing applications
that want to make use of the OpenSSL C API.
%package -n libopenssl1_1-hmac
Summary: HMAC files for FIPS-140-2 integrity checking of the openssl shared libraries
License: BSD-3-Clause
Group: Productivity/Networking/Security
Requires: libopenssl1_1 = %{version}-%{release}
# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
Obsoletes: libopenssl1_1_0-hmac
# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
Obsoletes: libopenssl-1_0_0-hmac
%description -n libopenssl1_1-hmac
The FIPS compliant operation of the openssl shared libraries is NOT
possible without the HMAC hashes contained in this package!
%package doc
Summary: Additional Package Documentation
License: OpenSSL
Group: Productivity/Networking/Security
Conflicts: openssl-doc
Provides: openssl-doc = %{version}
Obsoletes: openssl-doc < %{version}
BuildArch: noarch
%description doc
This package contains optional documentation provided in addition to
this package's base documentation.
%prep
%setup -q -n %{_rname}-%{version}
%autopatch -p1
%build
%ifarch armv5el armv5tel
export MACHINE=armv5el
%endif
%ifarch armv6l armv6hl
export MACHINE=armv6l
%endif
./config \
no-rc5 no-idea \
fips \
no-ssl3 \
enable-rfc3779 \
%ifarch x86_64 aarch64 ppc64le
enable-ec_nistp_64_gcc_128 \
%endif
enable-camellia \
zlib \
no-ec2m \
--prefix=%{_prefix} \
--libdir=%{_lib} \
--openssldir=%{ssletcdir} \
%{optflags} -std=gnu99 \
-Wa,--noexecstack \
-Wl,-z,relro,-z,now \
-fno-common \
-DTERMIO \
-DPURIFY \
-D_GNU_SOURCE \
-DOPENSSL_NO_BUF_FREELISTS \
$(getconf LFS_CFLAGS) \
-Wall
util/mkdef.pl crypto update
make depend %{?_smp_mflags}
make all %{?_smp_mflags}
%check
export MALLOC_CHECK_=3
export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
LD_LIBRARY_PATH=`pwd` make test -j1
# show cyphers
gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE99} -L%{buildroot}%{_libdir} -lssl -lcrypto
LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers
%install
%make_install %{?_smp_mflags}
# kill static libs
rm -f %{buildroot}%{_libdir}/lib*.a
# remove the cnf.dist
rm -f %{buildroot}%{_sysconfdir}/ssl/openssl.cnf.dist
ln -sf ./%{_rname} %{buildroot}/%{_includedir}/ssl
mkdir %{buildroot}/%{_datadir}/ssl
mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl/
# avoid file conflicts with man pages from other packages
#
set +x
pushd %{buildroot}/%{_mandir}
# some man pages now contain spaces. This makes several scripts go havoc, among them /usr/sbin/Check.
# replace spaces by underscores
#for i in man?/*\ *; do mv -v "$i" "${i// /_}"; done
which readlink &>/dev/null || function readlink { ( set +x; target=$(file $1 2>/dev/null); target=${target//* }; test -f $target && echo $target; ) }
for i in man?/*; do
if test -L $i ; then
LDEST=`readlink $i`
rm -f $i ${i}ssl
ln -sf ${LDEST}ssl ${i}ssl
else
mv $i ${i}ssl
fi
case "$i" in
*.1)
# these are the pages mentioned in openssl(1). They go into the main package.
echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist;;
*)
# the rest goes into the openssl-doc package.
echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist.doc;;
esac
done
popd
set -x
# Do not install demo scripts executable under /usr/share/doc
find demos -type f -perm /111 -exec chmod 644 {} \;
# Place showciphers.c for %doc macro
cp %{SOURCE99} .
# the hmac hashes:
#
# this is a hack that re-defines the __os_install_post macro
# for a simple reason: the macro strips the binaries and thereby
# invalidates a HMAC that may have been created earlier.
# solution: create the hashes _after_ the macro runs.
#
# this shows up earlier because otherwise the %%expand of
# the macro is too late.
# remark: This is the same as running
# openssl dgst -sha256 -hmac 'ppaksykemnsecgtsttplmamstKMEs'
%{expand:%%global __os_install_post {%__os_install_post
%{buildroot}%{_bindir}/fips_standalone_hmac \
%{buildroot}%{_libdir}/libssl.so.%{maj_min} > \
%{buildroot}%{_libdir}/.libssl.so.%{maj_min}.hmac
%{buildroot}%{_bindir}/fips_standalone_hmac \
%{buildroot}%{_libdir}/libcrypto.so.%{maj_min} > \
%{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.hmac
}}
%post -n libopenssl1_1 -p /sbin/ldconfig
%postun -n libopenssl1_1 -p /sbin/ldconfig
%files -n libopenssl1_1
%license LICENSE
%{_libdir}/libssl.so.%{maj_min}
%{_libdir}/libcrypto.so.%{maj_min}
%{_libdir}/engines-%{maj_min}
%files -n libopenssl1_1-hmac
%{_libdir}/.libssl.so.%{maj_min}.hmac
%{_libdir}/.libcrypto.so.%{maj_min}.hmac
%files -n libopenssl-1_1-devel
%{_includedir}/%{_rname}/
%{_includedir}/ssl
%{_libdir}/libssl.so
%{_libdir}/libcrypto.so
%{_libdir}/pkgconfig/libcrypto.pc
%{_libdir}/pkgconfig/libssl.pc
%{_libdir}/pkgconfig/openssl.pc
%files doc -f filelist.doc
%doc doc/* demos
%doc showciphers.c
%files -f filelist
%doc CHANGE* NEWS README
%dir %{ssletcdir}
%config (noreplace) %{ssletcdir}/openssl.cnf
%attr(700,root,root) %{ssletcdir}/private
%dir %{_datadir}/ssl
%{_datadir}/ssl/misc
%{_bindir}/c_rehash
%{_bindir}/fips_standalone_hmac
%{_bindir}/%{_rname}
%changelog
