commit 6f17549fdf9996073abca29ef08c9cd2e6c4728f
Author: MSVSphere Packaging Team
Date: Wed Nov 13 16:15:11 2024 +0300

import openssl-fips-provider-3.0.7-6.el9_5

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..c130f37
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/openssl-fips-provider-3.0.7.tar.gz
diff --git a/.openssl-fips-provider.metadata b/.openssl-fips-provider.metadata
new file mode 100644
index 0000000..669b267
--- /dev/null
+++ b/.openssl-fips-provider.metadata
@@ -0,0 +1 @@
+67352c52fc82ec2fa5161cd68166238c9ddd1c43 SOURCES/openssl-fips-provider-3.0.7.tar.gz
diff --git a/SOURCES/README.md b/SOURCES/README.md
new file mode 100644
index 0000000..0ddd1d8
--- /dev/null
+++ b/SOURCES/README.md
@@ -0,0 +1,5 @@
+This package provides a custom build of the OpenSSL FIPS module that has
+been submitted to NIST for certification.
+
+The actual shared object is in the subpackage openssl-fips-provider-so
+due to overcome a build issue around custom debuginfo packages.
diff --git a/SOURCES/extract-fips.sh b/SOURCES/extract-fips.sh
new file mode 100755
index 0000000..fe2d926
--- /dev/null
+++ b/SOURCES/extract-fips.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/bash -e
+
+# args: build-V-R arch
+
+if [ -z "${RPM_BUILD_ROOT}" ]; then
+ echo >&2 "RPM_BUILD_ROOT is not set"
+ exit 1
+fi
+if [ -z "${ORIGINAL_PACKAGE_VERSION}" ]; then
+ echo >&2 "ORIGINAL_PACKAGE_VERSION is not set"
+ exit 1
+fi
+if [ -z "${ORIGINAL_PACKAGE_RELEASE}" ]; then
+ echo >&2 "ORIGINAL_PACKAGE_RELEASE is not set"
+ exit 1
+fi
+
+PKG_ARCH=${RPM_ARCH}
+if [ "${PKG_ARCH}" = "i386" ]; then
+ PKG_ARCH=i686
+fi
+
+OVR=${ORIGINAL_PACKAGE_VERSION}-${ORIGINAL_PACKAGE_RELEASE}
+DBGDIR=usr/lib/debug
+DBGSRCDIR=usr/src/debug/openssl-${OVR}.${RPM_ARCH}
+DEBUGINFO=${RPM_BUILD_DIR}/debuginfo.list
+DEBUGSOURCE=${RPM_BUILD_DIR}/debugsourcefiles.list
+
+# Remove existing files if any
+rm -fr ${RPM_BUILD_ROOT}/${DBGDIR}
+rm -fr ${RPM_BUILD_ROOT}/usr/src/debug/*
+> ${DEBUGINFO}
+> ${DEBUGSOURCE}
+
+# fips.so
+mkdir extract
+pushd extract
+
+rpm2cpio ${RPM_BUILD_DIR}/openssl-libs-${OVR}.${PKG_ARCH}.rpm |cpio -id --quiet
+rpm2cpio ${RPM_BUILD_DIR}/openssl-libs-debuginfo-${OVR}.${PKG_ARCH}.rpm |cpio -id --quiet
+rpm2cpio ${RPM_BUILD_DIR}/openssl-debuginfo-${OVR}.${PKG_ARCH}.rpm |cpio -id --quiet
+rpm2cpio ${RPM_BUILD_DIR}/openssl-debugsource-${OVR}.${PKG_ARCH}.rpm |cpio -id --quiet
+FIPS_SO=$(find usr -name fips.so)
+cp -adt ${RPM_BUILD_ROOT} --parents ${FIPS_SO}
+FIPS_SO_DBG=$(find usr -name fips.so-${OVR}.${RPM_ARCH}.debug)
+cp -adt ${RPM_BUILD_ROOT} --parents ${FIPS_SO_DBG}
+
+FIPS_DBG_ID=$(find -L usr -samefile ${FIPS_SO_DBG} -xtype l)
+FIPS_DBG_ID_DIR=$(dirname ${FIPS_DBG_ID})
+cp -adt ${RPM_BUILD_ROOT} --parents ${FIPS_DBG_ID_DIR}
+cp -adt ${RPM_BUILD_ROOT} --parents ${DBGDIR}/.dwz
+
+#remove unnecessary parts
+rm -fr ${DBGSRCDIR}/apps
+rm -fr ${DBGSRCDIR}/engines
+rm -fr ${DBGSRCDIR}/ssl
+cp -adt ${RPM_BUILD_ROOT} --parents usr/src/debug
+
+popd
+
+pushd ${RPM_BUILD_ROOT}
+
+find ${DBGDIR} -type d | sed -e "s#^#%dir /#" >> ${DEBUGINFO}
+find ${DBGDIR} -type f | sed -e "s#^#/#">> ${DEBUGINFO}
+find ${DBGDIR} -type l | sed -e "s#^#/#">> ${DEBUGINFO}
+
+find ${DBGSRCDIR} -type d | sed -e "s#^#%dir /#" >> ${DEBUGSOURCE}
+find ${DBGSRCDIR} -type f | sed -e "s#^#/#">> ${DEBUGSOURCE}
+find ${DBGSRCDIR} -type l | sed -e "s#^#/#">> ${DEBUGSOURCE}
+
+popd
diff --git a/SOURCES/extract-src.sh b/SOURCES/extract-src.sh
new file mode 100755
index 0000000..f3b7df3
--- /dev/null
+++ b/SOURCES/extract-src.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/bash -e
+
+# args: version release
+VERSION=$1
+RELEASE=$2
+OVR="${VERSION}-${RELEASE}"
+rpm2cpio openssl-${OVR}.src.rpm |cpio -id
+
+rm -fr openssl-${VERSION}
+tar xf openssl-${VERSION}-hobbled.tar.gz
+rm openssl.spec
+
+pushd openssl-${VERSION}
+git init
+git config user.email "openssl-fips-provider-build@redhat.com"
+git config user.name "openssl-fips-provider build"
+git add .
+git commit -m "init commit" --quiet
+git apply -p1 ../*.patch
+
+cp ../ec_curve.c crypto/ec/
+cp ../ectest.c test/
diff --git a/SPECS/openssl-fips-provider.spec b/SPECS/openssl-fips-provider.spec
new file mode 100644
index 0000000..306d9ee
--- /dev/null
+++ b/SPECS/openssl-fips-provider.spec
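Review bot: The four `rpm2cpio … | cpio -id --quiet` lines unpack the certified module and its debuginfo from rpm files carried inside the source tarball without checking a signature or digest on them, so the -so subpackage ships whatever those rpm files happen to contain; the sha1 in `.openssl-fips-provider.metadata` covers only the outer tarball. Running `rpmkeys --checksig` on each rpm before it is unpacked (or comparing it against a pinned digest where the build root cannot hold the signing key) would make the provenance of fips.so part of the build rather than an assumption about the tarball. Separately, the script relies on `-e` from the shebang and has no `pipefail`, so each pipeline's status is cpio's and a failing rpm2cpio (for example a mistyped `${OVR}`) may only surface later as a `cp` with no source operand; `set -euo pipefail` as the first statement fails at the right place and survives being run as `bash extract-fips.sh`. The `rm -fr ${RPM_BUILD_ROOT}/${DBGDIR}` lines are protected only by the emptiness test at the top of the file; `rm -fr -- "${RPM_BUILD_ROOT:?}/${DBGDIR}"` keeps that guard on the destructive line itself.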
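Review bot: `VERSION=$1` and `RELEASE=$2` are taken unchecked, so a missing argument turns the next line into `rpm2cpio openssl--.src.rpm`, and with only `-e` and no `pipefail` the rpm2cpio failure stops the script only if cpio itself rejects the empty stream; `VERSION=${1:?version argument required}`, `RELEASE=${2:?release argument required}` and `set -euo pipefail` would fail on the first line that is wrong. The src.rpm is also unpacked without a signature or digest check, the same point as for extract-fips.sh. `git apply -p1 ../*.patch` applies the patches in glob order, which follows the locale's collation; `LC_ALL=C` on that line, or a comment stating the expected ordering, would make the rebuild reproducible across build environments.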
@@ -0,0 +1,217 @@
+# For the curious:
+# 0.9.8jk + EAP-FAST soversion = 8
+# 1.0.0 soversion = 10
+# 1.1.0 soversion = 1.1 (same as upstream although presence of some symbols
+# depends on build configuration options)
+# 3.0.0 soversion = 3 (same as upstream)
+%define soversion 3
+
+# Arches on which we need to prevent arch conflicts on opensslconf.h, must
+# also be handled in opensslconf-new.h.
+%define multilib_arches %{ix86} ia64 %{mips} ppc ppc64 s390 s390x sparcv9 sparc64 x86_64
+
+%global debug_package %{nil}
+%define orig_release 18.el9_2
+
+Summary: FIPS module for OpenSSL
+Name: openssl-fips-provider
+Version: 3.0.7
+Release: 6%{?dist}
+
+# We have to remove certain patented algorithms from the openssl source
+# tarball with the hobble-openssl script which is included below.
+# The original openssl upstream tarball cannot be shipped in the .src.rpm.
+Source: %{name}-%{version}.tar.gz
+Source1: extract-src.sh
+Source2: extract-fips.sh
+Source3: README.md
+
+License: ASL 2.0
+URL: http://www.openssl.org/
+BuildRequires: gcc g++
+BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp
+BuildRequires: lksctp-tools-devel
+BuildRequires: /usr/bin/rename
+BuildRequires: /usr/bin/pod2man
+BuildRequires: /usr/sbin/sysctl
+BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt)
+BuildRequires: perl(Module::Load::Conditional), perl(File::Temp)
+BuildRequires: perl(Time::HiRes), perl(IPC::Cmd), perl(Pod::Html), perl(Digest::SHA)
+BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy), perl(bigint)
+BuildRequires: git-core
+Requires: %{name}-so = %{version}-%{release}
+
+%description
+This package provides a custom build of the OpenSSL FIPS module that has been
+submitted to NIST for certification.
+
+%files
+%doc README.md
+
+%package so
+Summary: FIPS module for OpenSSL
+Requires: coreutils
+Conflicts: openssl-libs < 1:3.0.7-26
+Obsoletes: openssl-fips-provider < 3.0.7-3
+
+%description so
+This package provides a custom build of the OpenSSL FIPS module that has been
+submitted to NIST for certification.
+
+%files so
+%attr(0755,root,root) %{_libdir}/ossl-modules/fips.so
+
+%package so-debuginfo
+Summary: Debug information for package %{name}
+Group: Development/Debug
+Recommends: %{name}-so-debugsource = %{version}-%{release}
+%description so-debuginfo
+This package provides debug information for package %{name}.
+Debug information is useful when developing applications that use this
+package or when debugging this package.
+%files so-debuginfo -f debuginfo.list
+
+%package so-debugsource
+Summary: Debug sources for package %{name}
+Group: Development/Debug
+%description so-debugsource
+This package provides debug sources for package %{name}.
+Debug sources are useful when developing applications that use this
+package or when debugging this package.
+%files so-debugsource -f debugsourcefiles.list
+
+%prep
+tar xf %{SOURCE0}
+%{SOURCE1} %{version} %{orig_release}
+
+## NOTE: we do a full build every time to endure our ability to build
+## from source as needed, but in RHEL we ultimately throw away all
+## binaries and replace with the certified one.
+%build
+pushd openssl-%{version}
+# Figure out which flags we want to use.
+# default
+sslarch=%{_os}-%{_target_cpu}
+%ifarch %ix86
+sslarch=linux-elf
+if ! echo %{_target} | grep -q i686 ; then
+ sslflags="no-asm 386"
+fi
+%endif
+%ifarch x86_64
+sslflags=enable-ec_nistp_64_gcc_128
+%endif
+%ifarch sparcv9
+sslarch=linux-sparcv9
+sslflags=no-asm
+%endif
+%ifarch sparc64
+sslarch=linux64-sparcv9
+sslflags=no-asm
+%endif
+%ifarch alpha alphaev56 alphaev6 alphaev67
+sslarch=linux-alpha-gcc
+%endif
+%ifarch s390 sh3eb sh4eb
+sslarch="linux-generic32 -DB_ENDIAN"
+%endif
+%ifarch s390x
+sslarch="linux64-s390x"
+%endif
+%ifarch %{arm}
+sslarch=linux-armv4
+%endif
+%ifarch aarch64
+sslarch=linux-aarch64
+sslflags=enable-ec_nistp_64_gcc_128
+%endif
+%ifarch sh3 sh4
+sslarch=linux-generic32
+%endif
+%ifarch ppc64 ppc64p7
+sslarch=linux-ppc64
+%endif
+%ifarch ppc64le
+sslarch="linux-ppc64le"
+sslflags=enable-ec_nistp_64_gcc_128
+%endif
+%ifarch mips mipsel
+sslarch="linux-mips32 -mips32r2"
+%endif
+%ifarch mips64 mips64el
+sslarch="linux64-mips64 -mips64r2"
+%endif
+%ifarch mips64el
+sslflags=enable-ec_nistp_64_gcc_128
+%endif
+%ifarch riscv64
+sslarch=linux-generic64
+%endif
+
+# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
+# marked as not requiring an executable stack.
+# Also add -DPURIFY to make using valgrind with openssl easier as we do not
+# want to depend on the uninitialized memory as a source of entropy anyway.
+RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS"
+
+export HASHBANGPERL=/usr/bin/perl
+
+%define fips %{version}-nevership
+# ia64, x86_64, ppc are OK by default
+# Configure the build tree. Override OpenSSL defaults with known-good defaults
+# usable on all platforms. The Configure script already knows to use -fPIC and
+# RPM_OPT_FLAGS, so we can skip specifiying them here.
+./Configure \
+ --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
+ --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
+ zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
+ enable-cms enable-md2 enable-rc5 enable-ktls enable-fips\
+ no-mdc2 no-ec2m no-sm2 no-sm4 enable-buildtest-c++\
+ shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""'\
+ -Wl,--allow-multiple-definition
+
+# Do not run this in a production package the FIPS symbols must be patched-in
+#util/mkdef.pl crypto update
+
+make %{?_smp_mflags} all
+
+popd
+
+%check
+#We re not using the actual built bits, so skip any checks on those binaries.
+
+%install
+#we are not actually installing the build, as we replace all contents with the
+#content from the original rpms
+export ORIGINAL_PACKAGE_VERSION=%{version}
+export ORIGINAL_PACKAGE_RELEASE=%{orig_release}
+%{SOURCE2}
+install -d $RPM_BUILD_ROOT%{_pkgdocdir}
+install -m644 %{SOURCE3} $RPM_BUILD_ROOT%{_pkgdocdir}/README.md
+
+%changelog
+* Tue Sep 10 2024 Simo Sorce - 3.0.7-6
+- Try to fix an upgrade issue with pkg version numbers
+ Resolves: RHEL-58662
+
+* Mon Apr 29 2024 Simo Sorce - 3.0.7-5
+- Add an empty metapackage and proper requires to correctly
+ handle upgrades.
+ Related: RHEL-32123
+
+* Tue Apr 23 2024 Simo Sorce - 3.0.7-4
+- Change subpackage names to avoid build gating issues
+ Related: RHEL-32123
+
+* Tue Apr 16 2024 Simo Sorce - 3.0.7-3
+- Change tarball source contents
+- Rework file extraction process
+- Fixes debug packages
+ Resolves: RHEL-32123
+
+* Wed Feb 21 2024 Dmitry Belyavskiy - 3.0.7-2
+- Denote conflict with old versions of openssl-libs package
+ Related: RHEL-23474
+
+* Wed Jan 24 2024 Simo Sorce - 3.0.7-1
+Initial packaging
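Review bot: `%check` is left empty and `%install` packages whatever fips.so `%{SOURCE2}` pulled out of the bundled rpm, so nothing in the build asserts that the shipped object is byte-identical to the module that was submitted for validation. Because `%check` runs after `%install`, a pinned-digest comparison there would fail the build on any substitution, e.g. `echo "<PINNED_SHA256_OF_FIPS_SO>  $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so" | sha256sum -c -` (placeholder digest, to be taken from the validated module). Whether a digest pinned in the spec fits the release process is for the maintainers to judge; the point is that today the build accepts any fips.so the rpm contains, and the `.openssl-fips-provider.metadata` sha1 only covers the outer tarball. Minor wording: the `## NOTE` comment above `%build` says `endure` where `ensure` is meant, and the comment above `./Configure` has `specifiying`.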