File openssl1.1-RHEL_6.spec of Package openssl1.1

# For the curious:
# 0.9.5a soversion = 0
# 0.9.6  soversion = 1
# 0.9.6a soversion = 2
# 0.9.6c soversion = 3
# 0.9.7a soversion = 4
# 0.9.7ef soversion = 5
# 0.9.8ab soversion = 6
# 0.9.8g soversion = 7
# 0.9.8jk + EAP-FAST soversion = 8
# 1.0.0 soversion = 10
# 1.1.0 soversion = 1.1 (same as upstream although presence of some symbols
#                        depends on build configuration options)
%define soversion 1.1

# Private install tree: binaries, libraries, headers, man pages and
# configuration all live below sslprefix. The install section additionally
# copies the versioned shared libraries into _libdir.
%define sslprefix  /opt/openssl1.1
%define sslbin     %{sslprefix}/bin
# NOTE(review): lib64 is hard-coded although the build section still carries
# 32-bit targets (ix86, arm, s390 and others). Confirm that only 64-bit builds
# are intended, or derive the directory name from the target architecture.
%define ssllib     %{sslprefix}/lib64
%define sslinclude %{sslprefix}/include
%define sslman     %{sslprefix}/share/man
# Configuration root. The build section passes ssletc/pki/tls as openssldir, so
# the default configuration file and certificate directory of this build are
# looked up below the private prefix rather than in the system /etc/pki/tls.
%define ssletc     %{sslprefix}/etc

# Arches on which we need to prevent arch conflicts on opensslconf.h, must
# also be handled in opensslconf-new.h.
%define multilib_arches %{ix86} ia64 %{mips} ppc ppc64 s390 s390x sparcv9 sparc64 x86_64

# NOTE(review): _performance_build is not referenced anywhere else in this
# spec; presumably it is read by distribution build macros. Confirm.
%global _performance_build 1

Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl1.1
# NOTE(review): the changelog at the end of this spec stops at 1.1.1j. Add an
# entry for this version so that the fixes picked up by the rebase can be
# traced from the package metadata.
Version: 1.1.1k
# <CI_CNT> is a placeholder, presumably substituted by the build service.
Release: <CI_CNT>%{?dist}
# Epoch is not set, although the changelog entries carry a 1: epoch.
#Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
# The original openssl upstream tarball cannot be shipped in the .src.rpm.
# NOTE(review): nothing in this spec checks the hobbled tarball against an
# upstream signature or checksum. Confirm that the upstream release is verified
# at the point where the hobbled tarball is produced.
Source: openssl-%{version}-hobbled.tar.xz
Source1: hobble-openssl
Source2: Makefile.certificate
Source6: make-dummy-cert
Source7: renew-dummy-cert
Source9: opensslconf-new.h
Source10: opensslconf-new-warning.h
Source11: README.FIPS
Source12: ec_curve.c
Source13: ectest.c
# https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Server/source/tree/Packages/o/
# Build changes
Patch1: openssl-1.1.1-build.patch
Patch2: openssl-1.1.1-defaults.patch
Patch3: openssl-1.1.1-no-html.patch
Patch4: openssl-1.1.1-man-rename.patch
# Bug fixes
#Patch21: openssl-1.1.0-issuer-hash.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1916594
# NOTE(review): Patch71 is not applied. Presumably the fix is already part of
# this upstream version; confirm before relying on it.
#Patch71: openssl-1.1.1-verify-cert.patch

# Functionality changes
# Several of these patches shape the security defaults of the resulting
# library (weak-signature verification, SSL3, cipher list, security level,
# FIPS behaviour). The el6- prefixed ones are local variants for this target.
Patch31: openssl-1.1.1-conf-paths.patch
Patch32: openssl-1.1.1-version-add-engines.patch
Patch33: openssl-1.1.1-apps-dgst.patch
Patch36: openssl-1.1.1-no-brainpool.patch
Patch37: openssl-1.1.1-ec-curves.patch
Patch38: el6-openssl-1.1.1-no-weak-verify.patch
Patch40: openssl-1.1.1-disable-ssl3.patch
Patch41: el6-openssl-1.1.1-system-cipherlist.patch
Patch42: el6-openssl-1.1.1-fips.patch
Patch44: openssl-1.1.1-version-override.patch
Patch45: openssl-1.1.1-weak-ciphers.patch
Patch46: openssl-1.1.1-seclevel.patch
Patch47: openssl-1.1.1-ts-sha256-default.patch
Patch48: openssl-1.1.1-fips-post-rand.patch
Patch49: openssl-1.1.1-evp-kdf.patch
Patch50: openssl-1.1.1-ssh-kdf.patch
Patch51: openssl-1.1.1-intel-cet.patch
Patch60: openssl-1.1.1-krb5-kdf.patch
Patch61: openssl-1.1.1-edk2-build.patch
Patch62: openssl-1.1.1-fips-curves.patch
Patch65: openssl-1.1.1-fips-drbg-selftest.patch
Patch66: openssl-1.1.1-fips-dh.patch
Patch67: openssl-1.1.1-kdf-selftest.patch
Patch69: openssl-1.1.1-alpn-cb.patch
Patch70: openssl-1.1.1-rewire-fips-drbg.patch
# Backported fixes including security fixes
Patch52: openssl-1.1.1-s390x-update.patch
Patch53: openssl-1.1.1-fips-crng-test.patch
Patch55: openssl-1.1.1-arm-update.patch
Patch56: openssl-1.1.1-s390x-ecc.patch

License: OpenSSL and ASL 2.0
Group: System Environment/Libraries
URL: http://www.openssl.org/
BuildRequires: coreutils, perl, sed, zlib-devel, diffutils
BuildRequires: util-linux-ng
# The build dependencies of the upstream test suite are commented out below,
# which matches the disabled test run in the check section.
#BuildRequires: lksctp-tools-devel
#BuildRequires: /usr/bin/rename
#BuildRequires: /usr/bin/pod2man
#BuildRequires: /usr/sbin/sysctl
#BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt)
#BuildRequires: perl(Module::Load::Conditional), perl(File::Temp)
#BuildRequires: perl(Time::HiRes)
#BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy)
Requires: coreutils
# The command line tool is tied to the exact library build of this package.
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Conflicts: openssl < 1.0.0

%description
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.

%package libs
# ca-certificates provides the system trust store, but the Configure call in
# the build section sets openssldir below sslprefix, and the install section
# only creates an empty certs directory there.
# NOTE(review): confirm how the default verify paths of this build reach a CA
# bundle; without one, certificate verification through the default paths has
# no trust anchors.
Summary: A general purpose cryptography library with TLS implementation
Group: System Environment/Libraries
Requires: ca-certificates >= 2008-5
#Recommends: openssl-pkcs11%{?_isa}
#Provides: openssl-fips = %{version}-%{release}
Conflicts: openssl-libs < 1.0.0

%description libs
OpenSSL is a toolkit for supporting cryptography. The openssl-libs
package contains the libraries that are used by various applications which
support cryptographic algorithms and protocols.

%package devel
# Headers and pkg-config files are installed below sslprefix, so consumers have
# to point their include and library search paths at the private prefix.
Summary: Files for development of applications which will use OpenSSL
Group: Development/Libraries
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires: pkgconfig
Conflicts: openssl-devel

%description devel
OpenSSL is a toolkit for supporting cryptography. The openssl-devel
package contains include files needed to develop applications which
support various cryptographic algorithms and protocols.

%package static
Summary:  Libraries for static linking of applications which will use OpenSSL
Group: Development/Libraries
Requires: %{name}-devel%{?_isa} = %{version}-%{release}
Conflicts: openssl-static

%description static
OpenSSL is a toolkit for supporting cryptography. The openssl-static
package contains static libraries needed for static linking of
applications which support various cryptographic algorithms and
protocols.

%package perl
Summary: Perl scripts provided with OpenSSL
Group: Applications/Internet
Requires: perl-interpreter
Requires: %{name}%{?_isa} = %{version}-%{release}
Conflicts: openssl-perl

%description perl
OpenSSL is a toolkit for supporting cryptography. The openssl-perl
package provides Perl scripts for converting certificates and keys
from other formats to the formats used by the OpenSSL toolkit.

%prep
# Unpack the hobbled tarball; the top-level directory keeps the upstream name.
%setup -q -n openssl-%{version}

# The hobble_openssl is called here redundantly, just to be sure.
# The tarball has already the sources removed.
# The script output is discarded, so its exit status is the only failure
# signal; that aborts the build only if the scriptlet shell runs with errexit,
# as rpm normally arranges.
chmod u+x %{SOURCE1}
%{SOURCE1} > /dev/null

# Overwrite the curve table and its test with the versions shipped alongside
# this spec (presumably the variants matching the hobbled tarball; confirm).
cp %{SOURCE12} crypto/ec/
cp %{SOURCE13} test/

# Build changes. The -b option keeps a backup of every patched file under the
# given suffix.
%patch1 -p1 -b .build   %{?_rawbuild}
%patch2 -p1 -b .defaults
%patch3 -p1 -b .no-html  %{?_rawbuild}
%patch4 -p1 -b .man-rename

#%patch21 -p1 -b .issuer-hash

# Functionality changes and backports. Patch 31 (conf-paths) is reverted again
# in the check section. Patches 38, 40, 45 and 46 carry the names of hardening
# changes (no-weak-verify, disable-ssl3, weak-ciphers, seclevel); their content
# is not visible from this spec.
%patch31 -p1 -b .conf-paths
%patch32 -p1 -b .version-add-engines
%patch33 -p1 -b .dgst
%patch36 -p1 -b .no-brainpool
%patch37 -p1 -b .curves
%patch38 -p1 -b .no-weak-verify
%patch40 -p1 -b .disable-ssl3
%patch41 -p1 -b .system-cipherlist
%patch42 -p1 -b .fips
%patch44 -p1 -b .version-override
%patch45 -p1 -b .weak-ciphers
%patch46 -p1 -b .seclevel
%patch47 -p1 -b .ts-sha256-default
%patch48 -p1 -b .fips-post-rand
%patch49 -p1 -b .evp-kdf
%patch50 -p1 -b .ssh-kdf
%patch51 -p1 -b .intel-cet
%patch52 -p1 -b .s390x-update
%patch53 -p1 -b .crng-test
%patch55 -p1 -b .arm-update
%patch56 -p1 -b .s390x-ecc
%patch60 -p1 -b .krb5-kdf
%patch61 -p1 -b .edk2-build
%patch62 -p1 -b .fips-curves
%patch65 -p1 -b .drbg-selftest
%patch66 -p1 -b .fips-dh
%patch67 -p1 -b .kdf-selftest
%patch69 -p1 -b .alpn-cb
%patch70 -p1 -b .rewire-fips-drbg
# Patch 71 (verify-cert) is declared but commented out, here and in the header.
#%patch71 -p1 -b .verify-cert


%build
# Figure out which flags we want to use.
# sslarch is the OpenSSL Configure target, sslflags holds extra per-arch
# Configure options. Later arch blocks overwrite the default set here.
# default
sslarch=%{_os}-%{_target_cpu}
%ifarch %ix86
sslarch=linux-elf
if ! echo %{_target} | grep -q i686 ; then
	sslflags="no-asm 386"
fi
%endif
%ifarch sparcv9
sslarch=linux-sparcv9
sslflags=no-asm
%endif
%ifarch sparc64
sslarch=linux64-sparcv9
sslflags=no-asm
%endif
%ifarch alpha alphaev56 alphaev6 alphaev67
sslarch=linux-alpha-gcc
%endif
%ifarch s390 sh3eb sh4eb
sslarch="linux-generic32 -DB_ENDIAN"
%endif
%ifarch s390x
sslarch="linux64-s390x"
%endif
%ifarch %{arm}
sslarch=linux-armv4
%endif
%ifarch aarch64
sslarch=linux-aarch64
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch sh3 sh4
sslarch=linux-generic32
%endif
%ifarch ppc64 ppc64p7
sslarch=linux-ppc64
%endif
%ifarch ppc64le
sslarch="linux-ppc64le"
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch mips mipsel
sslarch="linux-mips32 -mips32r2"
%endif
%ifarch mips64 mips64el
sslarch="linux64-mips64 -mips64r2"
%endif
%ifarch mips64el
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch riscv64
sslarch=linux-generic64
%endif
# x86_64 has no block of its own: it keeps the default target and gets no
# extra flags, so enable-ec_nistp_64_gcc_128 is not passed on that arch.

# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
# marked as not requiring an executable stack.
# Also add -DPURIFY to make using valgrind with openssl easier as we do not
# want to depend on the uninitialized memory as a source of entropy anyway.
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -DPURIFY $RPM_LD_FLAGS"

export HASHBANGPERL=/usr/bin/perl

# ia64, x86_64, ppc are OK by default
# Configure the build tree.  Override OpenSSL defaults with known-good defaults
# usable on all platforms.  The Configure script already knows to use -fPIC and
# RPM_OPT_FLAGS, so we can skip specifying them here.
#
# Security-relevant switches in the call below:
#  - enable-ssl3, enable-ssl3-method, enable-weak-ssl-ciphers, enable-md2 and
#    enable-rc5 compile legacy protocol and algorithm support into the library.
#    NOTE(review): the disable-ssl3, weak-ciphers and seclevel patches applied
#    in the prep section presumably keep these off by default at run time;
#    confirm, because support that is compiled in may be switched back on by
#    application or configuration settings.
#  - openssldir places the default configuration and certificate directory
#    below sslprefix instead of the system location.
#  - system-ciphers-file also points below sslprefix, and this spec does not
#    ship that file. NOTE(review): confirm what the system-cipherlist patch
#    falls back to when the file is absent.
#  - DEVRANDOM restricts the random device list to /dev/urandom.
./Configure \
	--prefix=%{sslprefix} --libdir=%{ssllib} --openssldir=%{ssletc}/pki/tls ${sslflags} \
	--system-ciphers-file=%{ssletc}/crypto-policies/back-ends/openssl.config \
	zlib enable-camellia enable-seed enable-rfc3779 \
	enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \
	enable-weak-ssl-ciphers \
	no-mdc2 no-ec2m no-sm2 no-sm4 \
	shared  ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'

# Do not run this in a production package; the FIPS symbols must be patched in.
#util/mkdef.pl crypto update

make all

# Overwrite FIPS README
cp -f %{SOURCE11} .

# Clean up the .pc files
# Drops the -L and -Wl entries from Libs.private so that build-time linker
# paths and options do not end up in the installed pkg-config files.
for i in libcrypto.pc libssl.pc openssl.pc ; do
  sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i
done

%check
# Intended to verify that what was compiled actually works.
# NOTE(review): the make test call at the end of this section is commented
# out, so the upstream test suite is not run and nothing below validates the
# built library. The remaining commands only prepare the environment for it.

# Hack - either enable SCTP AUTH chunks in kernel or disable sctp for check
# NOTE(review): the sysctl calls try to change kernel settings of the build
# host. On an unprivileged builder they fail and the fallback marks sctp as
# disabled in configdata.pm instead. With the test run disabled, neither
# outcome is used.
(sysctl net.sctp.addip_enable=1 && sysctl net.sctp.auth_enable=1) || \
(echo 'Failed to enable SCTP AUTH chunks, disabling SCTP for tests...' &&
 sed '/"zlib-dynamic" => "default",/a\ \ "sctp" => "default",' configdata.pm > configdata.pm.new && \
 touch -r configdata.pm configdata.pm.new && \
 mv -f configdata.pm.new configdata.pm)

# We must revert patch31 before tests otherwise they will fail
# This modifies the source tree in place after the build has finished.
patch -p1 -R < %{PATCH31}

# Make the freshly built libraries in the build directory take precedence.
LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
export LD_LIBRARY_PATH
# Write HMAC files next to the libraries in the build directory, plus
# unversioned links to them (presumably read by the FIPS integrity check when
# the tests load these libraries; confirm).
crypto/fips/fips_standalone_hmac libcrypto.so.%{soversion} >.libcrypto.so.%{soversion}.hmac
ln -s .libcrypto.so.%{soversion}.hmac .libcrypto.so.hmac
crypto/fips/fips_standalone_hmac libssl.so.%{soversion} >.libssl.so.%{soversion}.hmac
ln -s .libssl.so.%{soversion}.hmac .libssl.so.hmac
# Exported with an empty value. Presumably read by the no-weak-verify patch so
# that tests relying on MD5 signatures still pass; confirm against the patch.
OPENSSL_ENABLE_MD5_VERIFY=
export OPENSSL_ENABLE_MD5_VERIFY
#OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
#export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
#make test

# Add generation of HMAC checksum of the final stripped library
# The macro below replaces the default post-install processing. It first runs
# the usual debuginfo, arch and OS post-install steps and only then computes
# the HMAC files, so the checksums cover the library contents as packaged.
# Only the copies below ssllib get an HMAC file and a soversion-named link to
# it. The copies that the install section places in _libdir get none.
# NOTE(review): confirm whether the FIPS integrity check also expects an HMAC
# file next to the _libdir copies.
# Do not add comment lines inside the macro body: every line there is part of
# a backslash continuation.
%define __spec_install_post \
    %{?__debug_package:%{__debug_install_post}} \
    %{__arch_install_post} \
    %{__os_install_post} \
    LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}} \
    export LD_LIBRARY_PATH \
    crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{ssllib}/libcrypto.so.%{version} >$RPM_BUILD_ROOT%{ssllib}/.libcrypto.so.%{version}.hmac \
    ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT%{ssllib}/.libcrypto.so.%{soversion}.hmac \
    crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{ssllib}/libssl.so.%{version} >$RPM_BUILD_ROOT%{ssllib}/.libssl.so.%{version}.hmac \
    ln -sf .libssl.so.%{version}.hmac $RPM_BUILD_ROOT%{ssllib}/.libssl.so.%{soversion}.hmac \
%{nil}

# Keep automatic Provides generation away from files below ssllib/openssl.
# NOTE(review): this macro is, as far as known, honoured only by rpm 4.9 and
# later; confirm that it has an effect on the RHEL 6 builder.
%define __provides_exclude_from %{ssllib}/openssl

%install
# Start from an empty build root. The guard only protects against the literal
# root directory; the variable is used unquoted.
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
# Install OpenSSL.
install -d $RPM_BUILD_ROOT{%{sslbin},%{sslinclude},%{ssllib},%{sslman},%{ssllib}/openssl,%{_libdir}}
make DESTDIR=$RPM_BUILD_ROOT install
# Rename the installed libraries from the soversion suffix to the full package
# version, then recreate the unversioned and soversion names as symlinks.
rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{ssllib}/*.so.%{soversion}
for lib in $RPM_BUILD_ROOT%{ssllib}/*.so.%{version} ; do
	chmod 755 ${lib}
	ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{ssllib}/`basename ${lib} .%{version}`
	ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{ssllib}/`basename ${lib} .%{version}`.%{soversion}
done

# ph add
# Local addition: a second copy of the versioned libraries goes into _libdir,
# that is onto the default loader search path.
# NOTE(review): these copies receive no HMAC file from the post-install macro,
# and the ldconfig call in the post scriptlet will presumably create soname
# links for them that no package owns. Confirm both are intended.
install -m755 $RPM_BUILD_ROOT%{ssllib}/*.so.%{version} $RPM_BUILD_ROOT%{_libdir}/

# Install a makefile for generating keys and self-signed certs, and a script
# for generating them on the fly.
mkdir -p $RPM_BUILD_ROOT%{ssletc}/pki/tls/certs
#install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_pkgdocdir}/Makefile.certificate
install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{sslbin}/make-dummy-cert
install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{sslbin}/renew-dummy-cert

# Move runnable perl scripts to bindir
mv $RPM_BUILD_ROOT%{ssletc}/pki/tls/misc/*.pl $RPM_BUILD_ROOT%{sslbin}
mv $RPM_BUILD_ROOT%{ssletc}/pki/tls/misc/tsget $RPM_BUILD_ROOT%{sslbin}

# Rename man pages so that they don't conflict with other system man pages.
# Every page gets an ssl suffix; symlinks are recreated so that both the link
# name and its target carry the suffix.
# NOTE(review): the link target is taken from the last field of ls -l output,
# which breaks on names containing whitespace; readlink would be more robust.
pushd $RPM_BUILD_ROOT%{sslman}
ln -s -f config.5 man5/openssl.cnf.5
for manpage in man*/* ; do
	if [ -L ${manpage} ]; then
		TARGET=`ls -l ${manpage} | awk '{ print $NF }'`
		ln -snf ${TARGET}ssl ${manpage}ssl
		rm -f ${manpage}
	else
		mv ${manpage} ${manpage}ssl
	fi
done
for conflict in passwd rand ; do
	rename ${conflict} ssl${conflict} man*/${conflict}*
# Fix dangling symlinks
	manpage=man1/openssl-${conflict}.*
	if [ -L ${manpage} ] ; then
		ln -snf ssl${conflict}.1ssl ${manpage}
	fi
done
popd

# CA working directories. Only the private key directory is created with mode
# 0700; the others are world-readable.
mkdir -m755 $RPM_BUILD_ROOT%{ssletc}/pki/CA
mkdir -m700 $RPM_BUILD_ROOT%{ssletc}/pki/CA/private
mkdir -m755 $RPM_BUILD_ROOT%{ssletc}/pki/CA/certs
mkdir -m755 $RPM_BUILD_ROOT%{ssletc}/pki/CA/crl
mkdir -m755 $RPM_BUILD_ROOT%{ssletc}/pki/CA/newcerts

# Ensure the config file timestamps are identical across builds to avoid
# multilib conflicts and unnecessary renames on upgrade
touch -r %{SOURCE2} $RPM_BUILD_ROOT%{ssletc}/pki/tls/openssl.cnf
touch -r %{SOURCE2} $RPM_BUILD_ROOT%{ssletc}/pki/tls/ct_log_list.cnf

rm -f $RPM_BUILD_ROOT%{ssletc}/pki/tls/openssl.cnf.dist
rm -f $RPM_BUILD_ROOT%{ssletc}/pki/tls/ct_log_list.cnf.dist

# Determine which arch opensslconf.h is going to try to #include.
basearch=%{_arch}
%ifarch %{ix86}
basearch=i386
%endif
%ifarch sparcv9
basearch=sparc
%endif
%ifarch sparc64
basearch=sparc64
%endif

# Next step of gradual disablement of SSL3.
# Make SSL3 disappear to newly built dependencies.
# Only the installed header is changed here: the library itself was configured
# with enable-ssl3 in the build section, so the SSL3 code is still present in
# the shared objects and only hidden from software compiled against the header.
sed -i '/^\#ifndef OPENSSL_NO_SSL_TRACE/i\
#ifndef OPENSSL_NO_SSL3\
# define OPENSSL_NO_SSL3\
#endif' $RPM_BUILD_ROOT/%{sslprefix}/include/openssl/opensslconf.h

%ifarch %{multilib_arches}
# Do an opensslconf.h switcheroo to avoid file conflicts on systems where you
# can have both a 32- and 64-bit version of the library, and they each need
# their own correct-but-different versions of opensslconf.h to be usable.
install -m644 %{SOURCE10} \
	$RPM_BUILD_ROOT/%{sslprefix}/include/openssl/opensslconf-${basearch}.h
cat $RPM_BUILD_ROOT/%{sslprefix}/include/openssl/opensslconf.h >> \
	$RPM_BUILD_ROOT/%{sslprefix}/include/openssl/opensslconf-${basearch}.h
install -m644 %{SOURCE9} \
	$RPM_BUILD_ROOT/%{sslprefix}/include/openssl/opensslconf.h
%endif
# The post-install macro defined earlier in this spec sets the same variable
# itself before it calls fips_standalone_hmac, so this export looks redundant
# (presumably kept from the original spec).
LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
export LD_LIBRARY_PATH


%files
%defattr(-,root,root)
%{!?_licensedir:%global license %%doc}
%license LICENSE
%doc FAQ NEWS README README.FIPS
%{sslbin}/make-dummy-cert
%{sslbin}/renew-dummy-cert
%{sslbin}/openssl
%{sslman}/man1*/*
%{sslman}/man5*/*
%{sslman}/man7*/*
#%{_pkgdocdir}/Makefile.certificate
# The man pages excluded here are packaged in the perl subpackage instead.
%exclude %{sslman}/man1*/*.pl*
%exclude %{sslman}/man1*/c_rehash*
%exclude %{sslman}/man1*/openssl-c_rehash*
%exclude %{sslman}/man1*/tsget*
%exclude %{sslman}/man1*/openssl-tsget*

%files libs
%defattr(-,root,root)
%{!?_licensedir:%global license %%doc}
%license LICENSE
%dir %{ssletc}/pki/tls
%dir %{ssletc}/pki/tls/certs
%dir %{ssletc}/pki/tls/misc
# NOTE(review): no mode is set for this private key directory, neither here
# nor in the install section (unlike CA/private, which is created with 0700).
# It keeps whatever mode the upstream make install gives it; confirm that this
# is restrictive enough or add an explicit attr entry.
%dir %{ssletc}/pki/tls/private
# noreplace keeps locally modified configuration files on upgrade.
%config(noreplace) %{ssletc}/pki/tls/openssl.cnf
%config(noreplace) %{ssletc}/pki/tls/ct_log_list.cnf
%attr(0755,root,root) %{ssllib}/libcrypto.so.%{version}
%attr(0755,root,root) %{ssllib}/libcrypto.so.%{soversion}
%attr(0755,root,root) %{ssllib}/libssl.so.%{version}
%attr(0755,root,root) %{ssllib}/libssl.so.%{soversion}
# HMAC files written by the post-install macro; they must stay in step with
# the library files listed above.
%attr(0644,root,root) %{ssllib}/.libcrypto.so.*.hmac
%attr(0644,root,root) %{ssllib}/.libssl.so.*.hmac
%attr(0755,root,root) %{ssllib}/engines-%{soversion}
# ph add
# Copies of the versioned libraries in _libdir; no HMAC files are packaged
# alongside them.
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version}
%attr(0755,root,root) %{_libdir}/libssl.so.%{version}

%files devel
%defattr(-,root,root)
%doc CHANGES doc/dir-locals.example.el doc/openssl-c-indent.el
%{sslprefix}/include/openssl
%{ssllib}/*.so
%{sslman}/man3*/*
%{ssllib}/pkgconfig/*.pc

%files static
%defattr(-,root,root)
%{ssllib}/*.a

%files perl
%defattr(-,root,root)
%{sslbin}/c_rehash
%{sslbin}/*.pl
%{sslbin}/tsget
%{sslman}/man1*/*.pl*
%{sslman}/man1*/c_rehash*
%{sslman}/man1*/openssl-c_rehash*
%{sslman}/man1*/tsget*
%{sslman}/man1*/openssl-tsget*
# CA working directories; CA/private keeps the 0700 mode given to it in the
# install section because defattr leaves file modes untouched.
%dir %{ssletc}/pki/CA
%dir %{ssletc}/pki/CA/private
%dir %{ssletc}/pki/CA/certs
%dir %{ssletc}/pki/CA/crl
%dir %{ssletc}/pki/CA/newcerts
# The two scriptlets below refresh the loader cache when the libs package is
# installed or removed. Keep comments out of the lines that follow them: with
# the -p form any following text becomes the scriptlet body.
%post libs -p /sbin/ldconfig

%postun libs -p /sbin/ldconfig

%changelog
* Tue Feb 23 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1j-1
- Upgrade to version 1.1.1j

* Wed Feb 10 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1i-3
- Fix regression in X509_verify_cert() (bz1916594)

* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.1i-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
