import openssl-fips-provider-3.0.7-6.el9_5

c9 imports/c9/openssl-fips-provider-3.0.7-6.el9_5
MSVSphere Packaging Team 1 month ago
commit 6f17549fdf
Signed by: sys_gitsync
GPG Key ID: B2B0B9F29E528FE8

1
.gitignore vendored

@ -0,0 +1 @@
SOURCES/openssl-fips-provider-3.0.7.tar.gz

@ -0,0 +1 @@
67352c52fc82ec2fa5161cd68166238c9ddd1c43 SOURCES/openssl-fips-provider-3.0.7.tar.gz

@ -0,0 +1,5 @@
This package provides a custom build of the OpenSSL FIPS module that has
been submitted to NIST for certification.
The actual shared object is in the subpackage openssl-fips-provider-so
due to overcome a build issue around custom debuginfo packages.

@ -0,0 +1,71 @@
#!/usr/bin/bash -e
# args: build-V-R arch
if [ -z "${RPM_BUILD_ROOT}" ]; then
echo >&2 "RPM_BUILD_ROOT is not set"
exit 1
fi
if [ -z "${ORIGINAL_PACKAGE_VERSION}" ]; then
echo >&2 "ORIGINAL_PACKAGE_VERSION is not set"
exit 1
fi
if [ -z "${ORIGINAL_PACKAGE_RELEASE}" ]; then
echo >&2 "ORIGINAL_PACKAGE_RELEASE is not set"
exit 1
fi
PKG_ARCH=${RPM_ARCH}
if [ "${PKG_ARCH}" = "i386" ]; then
PKG_ARCH=i686
fi
OVR=${ORIGINAL_PACKAGE_VERSION}-${ORIGINAL_PACKAGE_RELEASE}
DBGDIR=usr/lib/debug
DBGSRCDIR=usr/src/debug/openssl-${OVR}.${RPM_ARCH}
DEBUGINFO=${RPM_BUILD_DIR}/debuginfo.list
DEBUGSOURCE=${RPM_BUILD_DIR}/debugsourcefiles.list
# Remove existing files if any
rm -fr ${RPM_BUILD_ROOT}/${DBGDIR}
rm -fr ${RPM_BUILD_ROOT}/usr/src/debug/*
> ${DEBUGINFO}
> ${DEBUGSOURCE}
# fips.so
mkdir extract
pushd extract
rpm2cpio ${RPM_BUILD_DIR}/openssl-libs-${OVR}.${PKG_ARCH}.rpm |cpio -id --quiet
rpm2cpio ${RPM_BUILD_DIR}/openssl-libs-debuginfo-${OVR}.${PKG_ARCH}.rpm |cpio -id --quiet
rpm2cpio ${RPM_BUILD_DIR}/openssl-debuginfo-${OVR}.${PKG_ARCH}.rpm |cpio -id --quiet
rpm2cpio ${RPM_BUILD_DIR}/openssl-debugsource-${OVR}.${PKG_ARCH}.rpm |cpio -id --quiet
FIPS_SO=$(find usr -name fips.so)
cp -adt ${RPM_BUILD_ROOT} --parents ${FIPS_SO}
FIPS_SO_DBG=$(find usr -name fips.so-${OVR}.${RPM_ARCH}.debug)
cp -adt ${RPM_BUILD_ROOT} --parents ${FIPS_SO_DBG}
FIPS_DBG_ID=$(find -L usr -samefile ${FIPS_SO_DBG} -xtype l)
FIPS_DBG_ID_DIR=$(dirname ${FIPS_DBG_ID})
cp -adt ${RPM_BUILD_ROOT} --parents ${FIPS_DBG_ID_DIR}
cp -adt ${RPM_BUILD_ROOT} --parents ${DBGDIR}/.dwz
#remove unnecessary parts
rm -fr ${DBGSRCDIR}/apps
rm -fr ${DBGSRCDIR}/engines
rm -fr ${DBGSRCDIR}/ssl
cp -adt ${RPM_BUILD_ROOT} --parents usr/src/debug
popd
pushd ${RPM_BUILD_ROOT}
find ${DBGDIR} -type d | sed -e "s#^#%dir /#" >> ${DEBUGINFO}
find ${DBGDIR} -type f | sed -e "s#^#/#">> ${DEBUGINFO}
find ${DBGDIR} -type l | sed -e "s#^#/#">> ${DEBUGINFO}
find ${DBGSRCDIR} -type d | sed -e "s#^#%dir /#" >> ${DEBUGSOURCE}
find ${DBGSRCDIR} -type f | sed -e "s#^#/#">> ${DEBUGSOURCE}
find ${DBGSRCDIR} -type l | sed -e "s#^#/#">> ${DEBUGSOURCE}
popd
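Review bot: The four `rpm2cpio … | cpio -id --quiet` lines unpack the prebuilt openssl RPMs without authenticating them, and the `fips.so` found in that tree is what gets copied into `${RPM_BUILD_ROOT}` and shipped. rpm2cpio only extracts the payload, so the one integrity anchor visible in this commit is the 40-hex tarball digest in the metadata hunk (SHA-1, judging by its length), assuming the RPMs come out of that tarball. I would check each RPM before unpacking, for example `rpmkeys --checksig "${RPM_BUILD_DIR}/openssl-libs-${OVR}.${PKG_ARCH}.rpm"`, which needs the vendor key in the build root's rpm keyring. extract-src.sh unpacks `openssl-${OVR}.src.rpm` the same way and would take the same check.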

@ -0,0 +1,22 @@
#!/usr/bin/bash -e
# args: version release
VERSION=$1
RELEASE=$2
OVR="${VERSION}-${RELEASE}"
rpm2cpio openssl-${OVR}.src.rpm |cpio -id
rm -fr openssl-${VERSION}
tar xf openssl-${VERSION}-hobbled.tar.gz
rm openssl.spec
pushd openssl-${VERSION}
git init
git config user.email "openssl-fips-provider-build@redhat.com"
git config user.name "openssl-fips-provider build"
git add .
git commit -m "init commit" --quiet
git apply -p1 ../*.patch
cp ../ec_curve.c crypto/ec/
cp ../ectest.c test/
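Review bot: `VERSION=$1` and `RELEASE=$2` are accepted without any check and then expanded unquoted into `rm -fr openssl-${VERSION}` and the rpm2cpio and tar file names, whereas extract-fips.sh refuses to run when its inputs are empty. With a missing argument the script would go on to operate on `openssl-` and most likely fail only at a later step, with a message that does not name the real cause. I would fail at the top with `VERSION=${1:?usage: extract-src.sh VERSION RELEASE}` and `RELEASE=${2:?usage: extract-src.sh VERSION RELEASE}`, and quote the expansions that follow.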

@ -0,0 +1,217 @@
# For the curious:
# 0.9.8jk + EAP-FAST soversion = 8
# 1.0.0 soversion = 10
# 1.1.0 soversion = 1.1 (same as upstream although presence of some symbols
# depends on build configuration options)
# 3.0.0 soversion = 3 (same as upstream)
%define soversion 3
# Arches on which we need to prevent arch conflicts on opensslconf.h, must
# also be handled in opensslconf-new.h.
%define multilib_arches %{ix86} ia64 %{mips} ppc ppc64 s390 s390x sparcv9 sparc64 x86_64
%global debug_package %{nil}
%define orig_release 18.el9_2
Summary: FIPS module for OpenSSL
Name: openssl-fips-provider
Version: 3.0.7
Release: 6%{?dist}
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
# The original openssl upstream tarball cannot be shipped in the .src.rpm.
Source: %{name}-%{version}.tar.gz
Source1: extract-src.sh
Source2: extract-fips.sh
Source3: README.md
License: ASL 2.0
URL: http://www.openssl.org/
BuildRequires: gcc g++
BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp
BuildRequires: lksctp-tools-devel
BuildRequires: /usr/bin/rename
BuildRequires: /usr/bin/pod2man
BuildRequires: /usr/sbin/sysctl
BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt)
BuildRequires: perl(Module::Load::Conditional), perl(File::Temp)
BuildRequires: perl(Time::HiRes), perl(IPC::Cmd), perl(Pod::Html), perl(Digest::SHA)
BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy), perl(bigint)
BuildRequires: git-core
Requires: %{name}-so = %{version}-%{release}
%description
This package provides a custom build of the OpenSSL FIPS module that has been
submitted to NIST for certification.
%files
%doc README.md
%package so
Summary: FIPS module for OpenSSL
Requires: coreutils
Conflicts: openssl-libs < 1:3.0.7-26
Obsoletes: openssl-fips-provider < 3.0.7-3
%description so
This package provides a custom build of the OpenSSL FIPS module that has been
submitted to NIST for certification.
%files so
%attr(0755,root,root) %{_libdir}/ossl-modules/fips.so
%package so-debuginfo
Summary: Debug information for package %{name}
Group: Development/Debug
Recommends: %{name}-so-debugsource = %{version}-%{release}
%description so-debuginfo
This package provides debug information for package %{name}.
Debug information is useful when developing applications that use this
package or when debugging this package.
%files so-debuginfo -f debuginfo.list
%package so-debugsource
Summary: Debug sources for package %{name}
Group: Development/Debug
%description so-debugsource
This package provides debug sources for package %{name}.
Debug sources are useful when developing applications that use this
package or when debugging this package.
%files so-debugsource -f debugsourcefiles.list
%prep
tar xf %{SOURCE0}
%{SOURCE1} %{version} %{orig_release}
## NOTE: we do a full build every time to endure our ability to build
## from source as needed, but in RHEL we ultimately throw away all
## binaries and replace with the certified one.
%build
pushd openssl-%{version}
# Figure out which flags we want to use.
# default
sslarch=%{_os}-%{_target_cpu}
%ifarch %ix86
sslarch=linux-elf
if ! echo %{_target} | grep -q i686 ; then
sslflags="no-asm 386"
fi
%endif
%ifarch x86_64
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch sparcv9
sslarch=linux-sparcv9
sslflags=no-asm
%endif
%ifarch sparc64
sslarch=linux64-sparcv9
sslflags=no-asm
%endif
%ifarch alpha alphaev56 alphaev6 alphaev67
sslarch=linux-alpha-gcc
%endif
%ifarch s390 sh3eb sh4eb
sslarch="linux-generic32 -DB_ENDIAN"
%endif
%ifarch s390x
sslarch="linux64-s390x"
%endif
%ifarch %{arm}
sslarch=linux-armv4
%endif
%ifarch aarch64
sslarch=linux-aarch64
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch sh3 sh4
sslarch=linux-generic32
%endif
%ifarch ppc64 ppc64p7
sslarch=linux-ppc64
%endif
%ifarch ppc64le
sslarch="linux-ppc64le"
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch mips mipsel
sslarch="linux-mips32 -mips32r2"
%endif
%ifarch mips64 mips64el
sslarch="linux64-mips64 -mips64r2"
%endif
%ifarch mips64el
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch riscv64
sslarch=linux-generic64
%endif
# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
# marked as not requiring an executable stack.
# Also add -DPURIFY to make using valgrind with openssl easier as we do not
# want to depend on the uninitialized memory as a source of entropy anyway.
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS"
export HASHBANGPERL=/usr/bin/perl
%define fips %{version}-nevership
# ia64, x86_64, ppc are OK by default
# Configure the build tree. Override OpenSSL defaults with known-good defaults
# usable on all platforms. The Configure script already knows to use -fPIC and
# RPM_OPT_FLAGS, so we can skip specifiying them here.
./Configure \
--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
enable-cms enable-md2 enable-rc5 enable-ktls enable-fips\
no-mdc2 no-ec2m no-sm2 no-sm4 enable-buildtest-c++\
shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""'\
-Wl,--allow-multiple-definition
# Do not run this in a production package the FIPS symbols must be patched-in
#util/mkdef.pl crypto update
make %{?_smp_mflags} all
popd
%check
#We re not using the actual built bits, so skip any checks on those binaries.
%install
#we are not actually installing the build, as we replace all contents with the
#content from the original rpms
export ORIGINAL_PACKAGE_VERSION=%{version}
export ORIGINAL_PACKAGE_RELEASE=%{orig_release}
%{SOURCE2}
install -d $RPM_BUILD_ROOT%{_pkgdocdir}
install -m644 %{SOURCE3} $RPM_BUILD_ROOT%{_pkgdocdir}/README.md
%changelog
* Tue Sep 10 2024 Simo Sorce <ssorce@redhat.com> - 3.0.7-6
- Try to fix an upgrade issue with pkg version numbers
Resolves: RHEL-58662
* Mon Apr 29 2024 Simo Sorce <ssorce@redhat.com> - 3.0.7-5
- Add an empty metapackage and proper requires to correctly
handle upgrades.
Related: RHEL-32123
* Tue Apr 23 2024 Simo Sorce <ssorce@redhat.com> - 3.0.7-4
- Change subpackage names to avoid build gating issues
Related: RHEL-32123
* Tue Apr 16 2024 Simo Sorce <ssorce@redhat.com> - 3.0.7-3
- Change tarball source contents
- Rework file extraction process
- Fixes debug packages
Resolves: RHEL-32123
* Wed Feb 21 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 3.0.7-2
- Denote conflict with old versions of openssl-libs package
Related: RHEL-23474
* Wed Jan 24 2024 Simo Sorce <ssorce@redhat.com> - 3.0.7-1
Initial packaging
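Review bot: `%check` is left empty because the locally built bits are discarded, but that also leaves the `fips.so` that `%{SOURCE2}` copies into the build root, the file this package actually ships, without any assertion. The note above `%build` says the binaries are replaced with the certified one, so the package's value rests on that file being exactly the expected module. I would pin its digest in the spec and compare it here, e.g. `echo "<expected-sha256>  $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so" | sha256sum -c -`, with one value per architecture. `<expected-sha256>` is a placeholder; the page does not give the digest.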