openssl/openssl.spec
hzero1996 f20024e7f5 fix the test case failure
(cherry picked from commit a813c23d7eea5015ab7859bfecd1f7df02373b80)
2023-06-12 11:09:06 +08:00


%define soversion 1.1
Name: openssl
Epoch: 1
Version: 1.1.1f
Release: 24
Summary: Cryptography and SSL/TLS Toolkit
License: OpenSSL and SSLeay and GPLv2+
URL: https://www.openssl.org/
Source0: https://www.openssl.org/source/old/1.1.1/%{name}-%{version}.tar.gz
Source1: Makefile.certificate
Patch1: openssl-1.1.1-build.patch
Patch2: openssl-1.1.1-fips.patch
Patch3: CVE-2020-1967.patch
Patch4: Ensure-ECDSA_size-always-returns-0.patch
Patch5: Fix-the-error-handling-in-EC_POINTs_mul.patch
Patch6: Integer-overflow-in-ASN1_STRING_set.patch
Patch7: AES-CTR-DRGB-do-not-leak-timing-information.patch
Patch8: Fix-AES-CTR_DRBG-on-1.1.1.patch
Patch9: BIO_do_accept-correct-error-return-value.patch
Patch10: Add-test-for-CVE-2020-1967.patch
Patch11: EC-Constify-internal-EC_KEY-pointer-usage.patch
Patch12: EC-harden-EC_KEY-against-leaks-from-memory-accesses.patch
Patch13: BN-harden-BN_copy-against-leaks-from-memory-accesses.patch
Patch14: Fix-type-cast-in-SSL_CTX_set1_groups-macro.patch
Patch15: i2b_PVK_bio-don-t-set-PEM_R_BIO_WRITE_FAILURE-in-cas.patch
Patch16: fuzz-asn1.c-Add-missing-include.patch
Patch17: Fix-use-after-free-in-BIO_C_SET_SSL-callback.patch
Patch18: Fix-PEM-certificate-loading-that-sometimes-fails.patch
Patch19: Fix-rsa8192.pem.patch
Patch20: Correct-alignment-calculation-in-ssl3_setup_write.patch
Patch21: Fix-crash-in-early-data-send-with-out-of-band-PSK-us.patch
Patch22: Test-TLSv1.3-out-of-band-PSK-with-all-5-ciphersuites.patch
Patch23: Cast-the-unsigned-char-to-unsigned-int-before-shifti.patch
Patch24: Avoid-potential-overflow-to-the-sign-bit-when-shifti.patch
Patch25: t1_trce-Fix-remaining-places-where-the-24-bit-shift-.patch
Patch26: Fix-d2i_PrivateKey-to-work-as-documented.patch
Patch27: Prevent-use-after-free-of-global_engine_lock.patch
Patch28: Allow-NULL-arg-to-OSSL_STORE_close.patch
Patch29: EVP_EncryptInit.pod-fix-example.patch
Patch30: bio-printf-Avoid-using-rounding-errors-in-range-chec.patch
Patch31: Make-BIO_do_connect-and-friends-handle-multiple-IP-a.patch
Patch32: Revert-the-check-for-NaN-in-f-format.patch
Patch33: fix-a-docs-typo.patch
Patch34: Replace-BUF_strdup-call-by-OPENSSL_strdup-adding-fai.patch
Patch35: Fix-err-checking-and-mem-leaks-of-BIO_set_conn_port-.patch
Patch36: Do-not-allow-dropping-Extended-Master-Secret-extensi.patch
Patch37: EVP-allow-empty-strings-to-EVP_Decode-functions.patch
Patch38: CMS_get0_signers-description.patch
Patch39: Ensure-we-never-use-a-partially-initialised-CMAC_CTX.patch
Patch40: Correctly-handle-the-return-value-from-EVP_Cipher-in.patch
Patch41: Fix-wrong-return-value-check-of-mmap-function.patch
Patch42: doc-man3-fix-types-taken-by-HMAC-HMAC_Update.patch
Patch43: Ensure-that-SSL_dup-copies-the-min-max-protocol-vers.patch
Patch44: Don-t-attempt-to-duplicate-the-BIO-state-in-SSL_dup.patch
Patch45: Add-an-SSL_dup-test.patch
Patch46: Free-pre_proc_exts-in-SSL_free.patch
Patch47: Fix-issue-1418-by-moving-check-of-KU_KEY_CERT_SIGN-a.patch
Patch48: x509_vfy.c-Improve-key-usage-checks-in-internal_veri.patch
Patch49: doc-Fix-documentation-of-EVP_EncryptUpdate.patch
Patch50: Avoid-errors-with-a-priori-inapplicable-protocol-bou.patch
Patch51: fixed-swapped-parameters-descriptions-for-x509.patch
Patch52: Update-EVP_EncodeInit.pod.patch
Patch53: Avoid-segfault-in-SSL_export_keying_material-if-ther.patch
Patch54: sslapitest-Add-test-for-premature-call-of-SSL_export.patch
Patch55: Fix-PEM_write_bio_PrivateKey_traditional-to-not-outp.patch
Patch56: Coverity-Fixes.patch
Patch57: Fix-memory-leaks-in-conf_def.c.patch
Patch58: Support-keys-with-RSA_METHOD_FLAG_NO_CHECK-with-OCSP.patch
Patch59: Use-size-of-target-buffer-for-allocation.patch
Patch60: Avoid-memory-leak-of-parent-on-allocation-failure-fo.patch
Patch61: Pass-an-EVP_PKEY-for-SSL_SECOP_TMP_DH-in-the-securit.patch
Patch62: Avoid-potential-doublefree-on-dh-object-assigned-to-.patch
Patch63: Fix-AES-GCM-bug-on-aarch64-BigEndian.patch
Patch64: crypto-poly1305-asm-fix-armv8-pointer-authentication.patch
Patch65: Verification-zero-length-content-in-S-MIME-format.patch
Patch66: CVE-2020-1971-0001-DirectoryString-is-a-CHOICE-type-and-therefore-uses-.patch
Patch67: CVE-2020-1971-0002-Correctly-compare-EdiPartyName-in-GENERAL_NAME_cmp.patch
Patch68: CVE-2020-1971-0003-Check-that-multi-strings-CHOICE-types-don-t-use-impl.patch
Patch69: CVE-2020-1971-0004-Complain-if-we-are-attempting-to-encode-with-an-inva.patch
Patch70: CVE-2020-1971-0005-Add-a-test-for-GENERAL_NAME_cmp.patch
Patch71: CVE-2020-1971-0006-Add-a-test-for-encoding-decoding-using-an-invalid-AS.patch
Patch72: CVE-2021-23840.patch
Patch73: CVE-2021-23841.patch
Patch74: CVE-2021-3449.patch
Patch75: CVE-2021-3711-0001-Check-the-plaintext-buffer-is-large-enough-when-decr.patch
Patch76: CVE-2021-3711-0002-Correctly-calculate-the-length-of-SM2-plaintext-give.patch
Patch77: CVE-2021-3711-0003-Extend-tests-for-SM2-decryption.patch
Patch78: CVE-2021-3712-0001-Fix-a-read-buffer-overrun-in-X509_aux_print.patch
Patch79: CVE-2021-3712-0002-Fix-EC_GROUP_new_from_ecparameters-to-check-the-base.patch
Patch80: bugfix-Don-t-Overflow-when-printing-Thawte-Strong-Extranet-.patch
Patch81: CVE-2021-4160.patch
Patch82: CVE-2022-0778-Add-a-negative-testcase-for-BN_mod_sqrt.patch
Patch83: CVE-2022-0778-Fix-possible-infinite-loop-in-BN_mod_sqrt.patch
Patch84: CVE-2022-1292.patch
Patch85: CVE-2022-2068-Fix-file-operations-in-c_rehash.patch
Patch86: CVE-2022-2097-Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch
Patch87: Backport-Update-expired-SCT-certificates.patch
Patch88: Backport-ct_test.c-Update-the-epoch-time.patch
Patch89: backport-CVE-2022-4304-Fix-Timing-Oracle-in-RSA-decryption.patch
Patch90: backport-CVE-2022-4450-Avoid-dangling-ptrs-in-header-and-data-params-for-PE.patch
Patch91: backport-CVE-2023-0215-Check-CMS-failure-during-BIO-setup-with-stream-is-ha.patch
Patch92: backport-CVE-2023-0215-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch
Patch93: backport-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch
Patch94: backport-test-add-test-cases-for-the-policy-resource-overuse.patch
Patch95: backport-x509-excessive-resource-use-verifying-policy-constra.patch
Patch96: backport-Ensure-that-EXFLAG_INVALID_POLICY-is-checked-even-in.patch
Patch97: backport-Fix-documentation-of-X509_VERIFY_PARAM_add0_policy.patch
Patch98: fix-the-test-case-failure.patch
BuildRequires: gcc make lksctp-tools-devel coreutils util-linux zlib-devel
Requires: coreutils perl %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: %{name}-help = %{epoch}:%{version}-%{release}
Obsoletes: openssl-perl < %{epoch}:%{version}-%{release}
Provides: openssl-perl%{_isa} = %{epoch}:%{version}-%{release}
Provides: openssl-perl = %{epoch}:%{version}-%{release}
Obsoletes: openssl-SMx < %{epoch}:%{version}-%{release}
Provides: openssl-SMx = %{epoch}:%{version}-%{release}
%description
OpenSSL is a robust, commercial-grade, and full-featured toolkit for the
Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
%package libs
Summary: A general purpose cryptography library with TLS implementation
Group: System Environment/Libraries
Requires: ca-certificates >= 2008-5
Requires: crypto-policies >= 20180730
Recommends: openssl-pkcs11%{?_isa}
Obsoletes: openssl < 1:1.0.1-0.3.beta3
Obsoletes: openssl-fips < 1:1.0.1e-28
Provides: openssl-fips = %{epoch}:%{version}-%{release}
Obsoletes: openssl-SMx-libs < %{epoch}:%{version}-%{release}
Provides: openssl-SMx-libs = %{epoch}:%{version}-%{release}
%description libs
The openssl-libs package contains the libraries that are used
by various applications which support cryptographic algorithms
and protocols.
%package devel
Summary: Development files for openssl
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: krb5-devel zlib-devel pkgconfig
Obsoletes: openssl-static < %{epoch}:%{version}-%{release}
Provides: openssl-static = %{epoch}:%{version}-%{release} openssl-static%{?_isa} = %{epoch}:%{version}-%{release}
Obsoletes: openssl-SMx-devel < %{epoch}:%{version}-%{release}
Provides: openssl-SMx-devel = %{epoch}:%{version}-%{release}
%description devel
%{summary}.
%package_help
%prep
%autosetup -n %{name}-%{version} -p1
%build
sslarch=%{_os}-%{_target_cpu}
%ifarch x86_64 aarch64
sslflags=enable-ec_nistp_64_gcc_128
%endif
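# -Wa,--noexecstack marks the assembler-generated objects as not needing an executable stack.
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -DPURIFY $RPM_LD_FLAGS"
# md2, rc5, ssl3, ssl3-method and weak-ssl-ciphers are disabled in upstream's
# default configuration; this build switches them on explicitly.
./Configure \
    --prefix=%{_prefix} \
    --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
    zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
    enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \
    enable-weak-ssl-ciphers \
    no-mdc2 no-ec2m enable-sm2 enable-sm4 \
    shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'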
%make_build all
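# Override the post-install hook so the FIPS HMAC files are generated after
# stripping and the other post-processing steps; computing them earlier would
# leave checksums that do not match the installed libraries.
%define __spec_install_post \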
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
%{__os_install_post} \
crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{version}.hmac \
ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{soversion}.hmac \
crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{version}.hmac \
ln -sf .libssl.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{soversion}.hmac \
%{nil}
%install
%make_install
# rename the shared objects from the soversion suffix to the full version
rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}
# create symbolic links from the unversioned and soversion names to the versioned libraries
for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do
    ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`
    ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion}
done
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs
install -m644 %{SOURCE1} $RPM_BUILD_ROOT%{_pkgdocdir}/Makefile.certificate
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/*.pl $RPM_BUILD_ROOT%{_bindir}
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/tsget $RPM_BUILD_ROOT%{_bindir}
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/{certs,crl,newcerts,private}
chmod 700 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/private
touch -r %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/{openssl.cnf,ct_log_list.cnf}
# rename man pages to avoid conflicts with other man pages on the system
%define manpostfix _openssl
pushd $RPM_BUILD_ROOT%{_mandir}
ln -s -f config.5 man5/openssl.cnf.5
for manpage in man*/* ; do
    if [ -L ${manpage} ]; then
        targetfile=`ls -l ${manpage} | awk '{print $NF}'`
        ln -sf ${targetfile}%{manpostfix} ${manpage}%{manpostfix}
        rm -f ${manpage}
    else
        mv ${manpage} ${manpage}%{manpostfix}
    fi
done
popd
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/*.dist
%check
LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
export LD_LIBRARY_PATH
crypto/fips/fips_standalone_hmac libcrypto.so.%{soversion} >.libcrypto.so.%{soversion}.hmac
ln -s .libcrypto.so.%{soversion}.hmac .libcrypto.so.hmac
crypto/fips/fips_standalone_hmac libssl.so.%{soversion} >.libssl.so.%{soversion}.hmac
ln -s .libssl.so.%{soversion}.hmac .libssl.so.hmac
OPENSSL_ENABLE_MD5_VERIFY=
export OPENSSL_ENABLE_MD5_VERIFY
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
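# The trailing "|| :" forces a zero exit status, so a failing test suite does
# not fail the package build; test results have to be read from the build log.
make test || :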
%post libs -p /sbin/ldconfig
%postun libs -p /sbin/ldconfig
%files
%defattr(-,root,root)
%license LICENSE
%doc AUTHORS CHANGES FAQ NEWS README
%{_pkgdocdir}/Makefile.certificate
%dir %{_sysconfdir}/pki/CA
%dir %{_sysconfdir}/pki/CA/private
%dir %{_sysconfdir}/pki/CA/certs
%dir %{_sysconfdir}/pki/CA/crl
%dir %{_sysconfdir}/pki/CA/newcerts
%{_bindir}/*
%files libs
%defattr(-,root,root)
%license LICENSE
%dir %{_sysconfdir}/pki/tls
%dir %{_sysconfdir}/pki/tls/certs
%dir %{_sysconfdir}/pki/tls/misc
%dir %{_sysconfdir}/pki/tls/private
%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
%config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf
%{_libdir}/libcrypto.so.%{version}
%{_libdir}/libcrypto.so.%{soversion}
%{_libdir}/libssl.so.%{version}
%{_libdir}/libssl.so.%{soversion}
%{_libdir}/engines-%{soversion}
%attr(0644,root,root) %{_libdir}/.libcrypto.so.*.hmac
%attr(0644,root,root) %{_libdir}/.libssl.so.*.hmac
%files devel
%defattr(-,root,root)
%doc doc/dir-locals.example.el doc/openssl-c-indent.el
%{_prefix}/include/openssl
%{_libdir}/pkgconfig/*.pc
%{_libdir}/*.so
%{_libdir}/*.a
%files help
%defattr(-,root,root)
%{_mandir}/man1/*
%{_mandir}/man3/*
%{_mandir}/man5/*
%{_mandir}/man7/*
%{_pkgdocdir}/html/
%changelog
* Thu May 25 2023 wangcheng <wangcheng156@huawei.com> - 1:1.1.1f-24
- fix the test case failure
* Tue Apr 4 2023 wangcheng <wangcheng156@huawei.com> - 1:1.1.1f-23
- fix some CVEs
* Thu Feb 09 2023 wangcheng <wangcheng156@huawei.com> - 1:1.1.1f-22
- fix some CVEs
* Fri Jan 6 2023 wangcheng <wangcheng156@huawei.com> - 1:1.1.1f-21
- fix expiring-certificates test case
* Tue Sep 13 2022 wangcheng <wangcheng156@huawei.com> - 1:1.1.1f-19
- add provides for openssl-SMx
* Thu Jul 14 2022 fangxiuning <fangxiuning@huawei.com> - 1:1.1.1f-18
- fix CVE-2022-2097
* Fri Jul 01 2022 wangcheng <wangcheng156@huawei.com> - 1:1.1.1f-17
- fix CVE-2022-2068
* Mon May 16 2022 wangcheng <wangcheng156@huawei.com> - 1:1.1.1f-16
- fix CVE-2022-1292
* Mon Mar 21 2022 wangcheng156 <wangcheng156@huawei.com> - 1:1.1.1f-15
- fix CVE-2022-0778
* Mon Feb 28 2022 wangyu283 <wangyu283@huawei.com> - 1:1.1.1f-14
- fix CVE-2021-4160
* Fri Sep 24 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1f-13
- bugfix Overflow when printing Thawte Strong Extranet
* Thu Sep 16 2021 wutao <wutao61@huawei.com> - 1:1.1.1f-12
- add provides openssl-perl
* Mon Aug 30 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1f-11
- fix CVE-2021-3711 and CVE-2021-3712
* Wed Apr 7 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1f-10
- fix CVE-2021-3449
* Thu Mar 11 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1f-9
- fix CVE-2021-23840 and CVE-2021-23841
* Tue Feb 09 2021 Liufeng <liufeng111@huawei.com> - 1:1.1.1f-8
- backport some bugfix patches from OpenSSL community and reset the release
* Tue Jan 19 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1f-3
- fix CVE-2020-1971
* Fri Nov 13 2020 Liufeng <liufeng111@huawei.com> - 1:1.1.1f-2
- make openssl require openssl-help
* Tue May 12 2020 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1f-1
- update openssl-1.1.1d to openssl-1.1.1f and fix CVE-2020-1967
* Wed Mar 18 2020 steven <steven_ygui@163.com> - 1:1.1.1d-9
- fix division zero issue which was found by oss-fuzz
* Tue Mar 3 2020 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1d-8
- add missing /sbin/ldconfig
* Tue Mar 3 2020 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1d-7
- Fix problem caused by missing hmac files
* Mon Feb 17 2020 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1d-6
- add openssl-libs containing dynamic library for openssl
* Sun Jan 19 2020 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1d-5
- add obsoletes
* Tue Jan 14 2020 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1d-4
- clean code
* Fri Jan 10 2020 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1d-3
- delete unused files
* Fri Dec 27 2019 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1d-2
- modify obsoletes
* Mon Dec 16 2019 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1d-1
- update to 1:1.1.1d
* Thu Nov 21 2019 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1c-5
- enable sm2 and sm4
* Fri Oct 25 2019 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1c-4
- Add missing openssl/fips.h
* Thu Oct 24 2019 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1c-3
- Add buildrequires zlib-devel
* Tue Sep 24 2019 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1c-2
- Adjust requires
* Mon Sep 16 2019 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1c-1
- Package init