- Removes support for building FIPS mode binaries for the

compat libraries - Ships openssl11.cnf as the configuration file. Resolves: rhbz#1993795 Related: rhbz#1947584 Signed-off-by: Sahana Prasad <sahana@redhat.com>
2021-08-16 11:02:53 +02:00 · 2021-08-16 11:02:53 +02:00 · 2d26967a35
commit 2d26967a35
parent a77136b129
1 changed files with 17 additions and 20 deletions
--- a/compat-openssl11.spec
+++ b/compat-openssl11.spec
@ -22,7 +22,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: compat-openssl11
 Version: 1.1.1k
-Release: 1%{?dist}
+Release: 2%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@ -235,6 +235,8 @@ done
 %check
 # Verify that what was compiled actually works.

+cp apps/openssl.cnf apps/openssl11.cnf
+
 # Hack - either enable SCTP AUTH chunks in kernel or disable sctp for check
 (sysctl net.sctp.addip_enable=1 && sysctl net.sctp.auth_enable=1) || \
 (echo 'Failed to enable SCTP AUTH chunks, disabling SCTP for tests...' &&
@ -245,29 +247,12 @@ done
 # We must revert patch31 before tests otherwise they will fail
 patch -p1 -R < %{PATCH31}

-LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
-export LD_LIBRARY_PATH
-crypto/fips/fips_standalone_hmac libcrypto.so.%{soversion} >.libcrypto.so.%{soversion}.hmac
-ln -s .libcrypto.so.%{soversion}.hmac .libcrypto.so.hmac
-crypto/fips/fips_standalone_hmac libssl.so.%{soversion} >.libssl.so.%{soversion}.hmac
-ln -s .libssl.so.%{soversion}.hmac .libssl.so.hmac
 OPENSSL_ENABLE_MD5_VERIFY=
 export OPENSSL_ENABLE_MD5_VERIFY
 OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
 export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
 make test

-# Add generation of HMAC checksum of the final stripped library
-%define __spec_install_post \
-    %{?__debug_package:%{__debug_install_post}} \
-    %{__arch_install_post} \
-    %{__os_install_post} \
-    crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{version}.hmac \
-    ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{soversion}.hmac \
-    crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{version}.hmac \
-    ln -sf .libssl.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{soversion}.hmac \
-%{nil}
-
 %define __provides_exclude_from %{_libdir}/openssl

 %install
@ -302,6 +287,9 @@ rm -rf $RPM_BUILD_ROOT%{_mandir}/man3*
 rm -rf $RPM_BUILD_ROOT%{_libdir}/*.so
 rm -rf $RPM_BUILD_ROOT%{_libdir}/pkgconfig

+# Install compat config file
+install -m 644 apps/openssl11.cnf $RPM_BUILD_ROOT%{_sysconfdir}/pki/openssl11.cnf
+
 %files
 %license LICENSE
 %doc FAQ NEWS README
@ -309,13 +297,22 @@ rm -rf $RPM_BUILD_ROOT%{_libdir}/pkgconfig
 %attr(0755,root,root) %{_libdir}/libcrypto.so.%{soversion}
 %attr(0755,root,root) %{_libdir}/libssl.so.%{version}
 %attr(0755,root,root) %{_libdir}/libssl.so.%{soversion}
-%attr(0644,root,root) %{_libdir}/.libcrypto.so.*.hmac
-%attr(0644,root,root) %{_libdir}/.libssl.so.*.hmac
 %attr(0755,root,root) %{_libdir}/engines-%{soversion}
+%config(noreplace) %{_sysconfdir}/pki/openssl11.cnf
+
+%dir %{_sysconfdir}/pki
+%attr(0644,root,root) %{_sysconfdir}/pki/openssl11.cnf

 %ldconfig_scriptlets

 %changelog
+* Mon Aug 16 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-2
+- Remove support for building FIPS mode binaries for the
+  compat libraries
+- Ships openssl11.cnf as the configuration file.
+- Resolves: rhbz#1993795
+- Related: rhbz#1947584
+
 * Thu Apr 08 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-1
 - Repackage old openssl 1.1.1k package into compat-openssl11
  Resolves: bz#1947584