fix(openssl): harden ossl build CFLAGS

Related: RHEL-76323

From-source-git-commit: a5e477c67c45b4439249ab92590f7b67dab4f7df

0014-fix-openssl-harden-ossl-build-CFLAGS.patch

@@ -0,0 +1,26 @@
+From a5e477c67c45b4439249ab92590f7b67dab4f7df Mon Sep 17 00:00:00 2001
+From: Pavel Valena <pvalena@redhat.com>
+Date: Mon, 17 Feb 2025 06:58:26 +0100
+Subject: [PATCH 14/14] fix(openssl): harden ossl build CFLAGS
+
+Related: RHEL-76323
+---
+ src/ossl/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/ossl/Makefile b/src/ossl/Makefile
+index 17b418c2..200dcbb5 100644
+--- a/src/ossl/Makefile
++++ b/src/ossl/Makefile
+@@ -1,7 +1,7 @@
+ .PHONY: all clean tests
+ 
+ CFLAGS ?= -std=c99 -Wall -Werror -pedantic -D_XOPEN_SOURCE=600
+-CRYPTO_FLAGS = -lcrypto
++CRYPTO_FLAGS = -lcrypto -Wl,-pie -Wl,-z,now
+ TARGETS = src/ossl-config src/ossl-files
+ 
+ TESTS_CONFIG = $(wildcard tests/config/*.cnf)
+-- 
+2.47.1
+

dracut.spec

@@ -8,7 +8,7 @@
 
 Name: dracut
 Version: 105
-Release: 1%{?dist}
+Release: 2%{?dist}
 
 Summary: Initramfs generator using udev
 
@@ -61,6 +61,9 @@ Patch12: 0012-fix-dracut-install-initize-fts-pointer.patch
 # feat: add openssl module
 # Author: Pavel Valena <pvalena@redhat.com>
 Patch13: 0013-feat-add-openssl-module.patch
+# fix(openssl): harden ossl build CFLAGS
+# Author: Pavel Valena <pvalena@redhat.com>
+Patch14: 0014-fix-openssl-harden-ossl-build-CFLAGS.patch
 
 # Please use source-git to work with this spec file:
 # HowTo: https://packit.dev/source-git/work-with-source-git
@@ -479,6 +482,10 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
 %{_prefix}/lib/kernel/install.d/51-dracut-rescue.install
 
 %changelog
+* Mon Feb 17 2025 Pavel Valena <pvalena@redhat.com> - 105-2
+- fix(openssl): harden ossl build CFLAGS
+  Related: RHEL-76323
+
 * Mon Feb 17 2025 Pavel Valena <pvalena@redhat.com> - 105-1
 - build: upgrade to dracut 105
 - fix(systemd-ask-password): do not half-install systemd-ask-password-wall