openssl.spec is synced with RHEL

Related: rhbz#2123755
This commit is contained in:
Dmitry Belyavskiy 2022-09-02 14:57:07 +02:00
parent 89541c6ea4
commit 4855397272

View File

@ -10,12 +10,26 @@
# also be handled in opensslconf-new.h. # also be handled in opensslconf-new.h.
%define multilib_arches %{ix86} ia64 %{mips} ppc ppc64 s390 s390x sparcv9 sparc64 x86_64 %define multilib_arches %{ix86} ia64 %{mips} ppc ppc64 s390 s390x sparcv9 sparc64 x86_64
%define srpmhash() %{lua:
local files = rpm.expand("%_specdir/openssl.spec")
for i, p in ipairs(patches) do
files = files.." "..p
end
for i, p in ipairs(sources) do
files = files.." "..p
end
local sha256sum = assert(io.popen("cat "..files.." 2>/dev/null | sha256sum"))
local hash = sha256sum:read("*a")
sha256sum:close()
print(string.sub(hash, 0, 16))
}
%global _performance_build 1 %global _performance_build 1
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 3.0.5 Version: 3.0.5
Release: 2%{?dist} Release: 3%{?dist}
Epoch: 1 Epoch: 1
# We have to remove certain patented algorithms from the openssl source # We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below. # tarball with the hobble-openssl script which is included below.
@ -31,6 +45,7 @@ Source9: configuration-switch.h
Source10: configuration-prefix.h Source10: configuration-prefix.h
Source12: ec_curve.c Source12: ec_curve.c
Source13: ectest.c Source13: ectest.c
Source14: 0025-for-tests.patch
# Patches exported from source git # Patches exported from source git
# Aarch64 and ppc64le use lib64 # Aarch64 and ppc64le use lib64
@ -50,13 +65,40 @@ Patch7: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
# Add FIPS_mode() compatibility macro # Add FIPS_mode() compatibility macro
Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch
# Add check to see if fips flag is enabled in kernel # Add check to see if fips flag is enabled in kernel
#Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
# remove unsupported EC curves # remove unsupported EC curves
Patch11: 0011-Remove-EC-curves.patch Patch11: 0011-Remove-EC-curves.patch
# Disable explicit EC curves # Disable explicit EC curves
# https://bugzilla.redhat.com/show_bug.cgi?id=2066412
Patch12: 0012-Disable-explicit-ec.patch Patch12: 0012-Disable-explicit-ec.patch
# https://github.com/openssl/openssl/pull/17981
# Patch13: 0013-FIPS-provider-explicit-ec.patch
# https://github.com/openssl/openssl/pull/17998
# Patch14: 0014-FIPS-disable-explicit-ec.patch
# https://github.com/openssl/openssl/pull/18609
# Patch15: 0015-FIPS-decoded-from-explicit.patch
# Instructions to load legacy provider in openssl.cnf # Instructions to load legacy provider in openssl.cnf
Patch24: 0024-load-legacy-prov.patch Patch24: 0024-load-legacy-prov.patch
# Tmp: test name change
Patch31: 0031-tmp-Fix-test-names.patch
# We load FIPS provider and set FIPS properties implicitly
Patch32: 0032-Force-fips.patch
# Embed HMAC into the fips.so
Patch33: 0033-FIPS-embed-hmac.patch
# Comment out fipsinstall command-line utility
Patch34: 0034.fipsinstall_disable.patch
# Skip unavailable algorithms running `openssl speed`
Patch35: 0035-speed-skip-unavailable-dgst.patch
# Extra public/private key checks required by FIPS-140-3
Patch44: 0044-FIPS-140-3-keychecks.patch
# Minimize fips services
Patch45: 0045-FIPS-services-minimize.patch
# Backport of s390x hardening, https://github.com/openssl/openssl/pull/17486
# Patch46: 0046-FIPS-s390x-hardening.patch
# Execute KATS before HMAC verification
Patch47: 0047-FIPS-early-KATS.patch
# Backport of correctly handle 2^14 byte long records #17538
# Patch48: 0048-correctly-handle-records.patch
%if 0%{?rhel} %if 0%{?rhel}
# Selectively disallow SHA1 signatures # Selectively disallow SHA1 signatures
Patch49: 0049-Selectively-disallow-SHA1-signatures.patch Patch49: 0049-Selectively-disallow-SHA1-signatures.patch
@ -79,14 +121,66 @@ Patch52: 0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch
# Instrument with USDT probes related to SHA-1 deprecation # Instrument with USDT probes related to SHA-1 deprecation
Patch53: 0053-Add-SHA1-probes.patch Patch53: 0053-Add-SHA1-probes.patch
%endif %endif
# https://bugzilla.redhat.com/show_bug.cgi?id=2004915, backport of 2c0f7d46b8449423446cfe1e52fc1e1ecd506b62
# Patch54: 0054-Replace-size-check-with-more-meaningful-pubkey-check.patch
# https://github.com/openssl/openssl/pull/17324
# Patch55: 0055-nonlegacy-fetch-null-deref.patch
# https://github.com/openssl/openssl/pull/18103 # https://github.com/openssl/openssl/pull/18103
# The patch is incorporated in 3.0.3 but we provide this function since 3.0.1 # The patch is incorporated in 3.0.3 but we provide this function since 3.0.1
# so the patch should persist # so the patch should persist
Patch56: 0056-strcasecmp.patch Patch56: 0056-strcasecmp.patch
# https://github.com/openssl/openssl/pull/18175
# Patch57: 0057-strcasecmp-fix.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2053289
Patch58: 0058-FIPS-limit-rsa-encrypt.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2069235
Patch60: 0060-FIPS-KAT-signature-tests.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2087147
Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch
Patch62: 0062-fips-Expose-a-FIPS-indicator.patch
# https://github.com/openssl/openssl/pull/18141
# Patch63: 0063-CVE-2022-1473.patch
# upstream commits 55c80c222293a972587004c185dc5653ae207a0e 2eda98790c5c2741d76d23cc1e74b0dc4f4b391a
# Patch64: 0064-CVE-2022-1343.diff
# upstream commit 1ad73b4d27bd8c1b369a3cd453681d3a4f1bb9b2
# Patch65: 0065-CVE-2022-1292.patch
# https://github.com/openssl/openssl/pull/18444
# https://github.com/openssl/openssl/pull/18467
# Patch66: 0066-replace-expired-certs.patch
# https://github.com/openssl/openssl/pull/18512
# Patch67: 0067-fix-ppc64-montgomery.patch
#https://github.com/openssl/openssl/commit/2c9c35870601b4a44d86ddbf512b38df38285cfa
#https://github.com/openssl/openssl/commit/8a3579a7b7067a983e69a4eda839ac408c120739
# Patch68: 0068-CVE-2022-2068.patch
# https://github.com/openssl/openssl/commit/a98f339ddd7e8f487d6e0088d4a9a42324885a93
# https://github.com/openssl/openssl/commit/52d50d52c2f1f4b70d37696bfa74fe5e581e7ba8
# Patch69: 0069-CVE-2022-2097.patch
# https://github.com/openssl/openssl/commit/edceec7fe0c9a5534ae155c8398c63dd7dd95483
# Patch70: 0070-EVP_PKEY_Q_keygen-Call-OPENSSL_init_crypto-to-init-s.patch
# https://github.com/openssl/openssl/commit/44a563dde1584cd9284e80b6e45ee5019be8d36c
# https://github.com/openssl/openssl/commit/345c99b6654b8313c792d54f829943068911ddbd
Patch71: 0071-AES-GCM-performance-optimization.patch
# https://github.com/openssl/openssl/commit/f596bbe4da779b56eea34d96168b557d78e1149
# https://github.com/openssl/openssl/commit/7e1f3ffcc5bc15fb9a12b9e3bb202f544c6ed5aa
# hunks in crypto/ppccap.c from https://github.com/openssl/openssl/commit/f5485b97b6c9977c0d39c7669b9f97a879312447
Patch72: 0072-ChaCha20-performance-optimizations-for-ppc64le.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2102535
Patch73: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2102535
Patch74: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2102535
Patch75: 0075-FIPS-Use-FFDHE2048-in-self-test.patch
# Downstream only. Reseed DRBG using getrandom(GRND_RANDOM)
# https://bugzilla.redhat.com/show_bug.cgi?id=2102541
Patch76: 0076-FIPS-140-3-DRBG.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2102542
Patch77: 0077-FIPS-140-3-zeroization.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2114772
Patch78: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch
License: ASL 2.0 License: ASL 2.0
URL: http://www.openssl.org/ URL: http://www.openssl.org/
BuildRequires: gcc BuildRequires: gcc g++
BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp
BuildRequires: lksctp-tools-devel BuildRequires: lksctp-tools-devel
BuildRequires: /usr/bin/rename BuildRequires: /usr/bin/rename
@ -220,6 +314,7 @@ RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-not
export HASHBANGPERL=/usr/bin/perl export HASHBANGPERL=/usr/bin/perl
%define fips %{version}-%{srpmhash}
# ia64, x86_64, ppc are OK by default # ia64, x86_64, ppc are OK by default
# Configure the build tree. Override OpenSSL defaults with known-good defaults # Configure the build tree. Override OpenSSL defaults with known-good defaults
# usable on all platforms. The Configure script already knows to use -fPIC and # usable on all platforms. The Configure script already knows to use -fPIC and
@ -229,8 +324,8 @@ export HASHBANGPERL=/usr/bin/perl
--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \ --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \ zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
enable-cms enable-md2 enable-rc5 ${ktlsopt} enable-fips\ enable-cms enable-md2 enable-rc5 ${ktlsopt} enable-fips\
no-mdc2 no-ec2m no-sm2 no-sm4 \ no-mdc2 no-ec2m no-sm2 no-sm4 enable-buildtest-c++\
shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""' shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""'
# Do not run this in a production package the FIPS symbols must be patched-in # Do not run this in a production package the FIPS symbols must be patched-in
#util/mkdef.pl crypto update #util/mkdef.pl crypto update
@ -254,6 +349,8 @@ done
# We must revert patch4 before tests otherwise they will fail # We must revert patch4 before tests otherwise they will fail
patch -p1 -R < %{PATCH4} patch -p1 -R < %{PATCH4}
#We must disable default provider before tests otherwise they will fail
patch -p1 < %{SOURCE14}
OPENSSL_ENABLE_MD5_VERIFY= OPENSSL_ENABLE_MD5_VERIFY=
export OPENSSL_ENABLE_MD5_VERIFY export OPENSSL_ENABLE_MD5_VERIFY
@ -263,18 +360,25 @@ export OPENSSL_ENABLE_SHA1_SIGNATURES
%endif %endif
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
#embed HMAC into fips provider for test run
LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac
objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac
mv providers/fips.so.mac providers/fips.so
#run tests itself
make test HARNESS_JOBS=8 make test HARNESS_JOBS=8
# Add generation of HMAC checksum of the final stripped library # Add generation of HMAC checksum of the final stripped library
#%define __spec_install_post \ # We manually copy standard definition of __spec_install_post
# %{?__debug_package:%{__debug_install_post}} \ # and add hmac calculation/embedding to fips.so
# %{__arch_install_post} \ %define __spec_install_post \
# %{__os_install_post} \ %{?__debug_package:%{__debug_install_post}} \
# crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{version}.hmac \ %{__arch_install_post} \
# ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{soversion}.hmac \ %{__os_install_post} \
# crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{version}.hmac \ LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so > $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
# ln -sf .libssl.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{soversion}.hmac \ objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac \
#%{nil} mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \
rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
%{nil}
%define __provides_exclude_from %{_libdir}/openssl %define __provides_exclude_from %{_libdir}/openssl
@ -324,9 +428,8 @@ touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
%ifarch i686 #we don't use native fipsmodule.cnf because FIPS module is loaded automatically
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/fipsmodule.cnf rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/fipsmodule.cnf
%endif
# Determine which arch opensslconf.h is going to try to #include. # Determine which arch opensslconf.h is going to try to #include.
basearch=%{_arch} basearch=%{_arch}
@ -388,9 +491,6 @@ install -m644 %{SOURCE9} \
%{_libdir}/libssl.so.%{soversion} %{_libdir}/libssl.so.%{soversion}
%attr(0755,root,root) %{_libdir}/engines-%{soversion} %attr(0755,root,root) %{_libdir}/engines-%{soversion}
%attr(0755,root,root) %{_libdir}/ossl-modules %attr(0755,root,root) %{_libdir}/ossl-modules
%ifnarch i686
%config(noreplace) %{_sysconfdir}/pki/tls/fipsmodule.cnf
%endif
%files devel %files devel
%doc CHANGES.md doc/dir-locals.example.el doc/openssl-c-indent.el %doc CHANGES.md doc/dir-locals.example.el doc/openssl-c-indent.el
@ -414,6 +514,10 @@ install -m644 %{SOURCE9} \
%ldconfig_scriptlets libs %ldconfig_scriptlets libs
%changelog %changelog
* Thu Sep 01 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.5-3
- Sync patches with RHEL
Related: rhbz#2123755
* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.0.5-2 * Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.0.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild