MSVSphere Packaging Team
1 month ago
commit
e0f6db3f89
GPG Key ID:
B2B0B9F29E528FE8
@ -0,0 +1 @@
|
||||
SOURCES/openssl-fips-provider-3.0.7.tar.gz
|
||||
@ -0,0 +1 @@
|
||||
67352c52fc82ec2fa5161cd68166238c9ddd1c43 SOURCES/openssl-fips-provider-3.0.7.tar.gz
|
||||
@ -0,0 +1,5 @@
|
||||
This package provides a custom build of the OpenSSL FIPS module that has
|
||||
been submitted to NIST for certification.
|
||||
|
||||
The actual shared object is in the subpackage openssl-fips-provider-so
|
||||
due to overcome a build issue around custom debuginfo packages.
|
||||
@ -0,0 +1,71 @@
|
||||
#!/usr/bin/bash -e
|
||||
|
||||
# args: build-V-R arch
|
||||
|
||||
if [ -z "${RPM_BUILD_ROOT}" ]; then
|
||||
echo >&2 "RPM_BUILD_ROOT is not set"
|
||||
exit 1
|
||||
fi
|
||||
if [ -z "${ORIGINAL_PACKAGE_VERSION}" ]; then
|
||||
echo >&2 "ORIGINAL_PACKAGE_VERSION is not set"
|
||||
exit 1
|
||||
fi
|
||||
if [ -z "${ORIGINAL_PACKAGE_RELEASE}" ]; then
|
||||
echo >&2 "ORIGINAL_PACKAGE_RELEASE is not set"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
PKG_ARCH=${RPM_ARCH}
|
||||
if [ "${PKG_ARCH}" = "i386" ]; then
|
||||
PKG_ARCH=i686
|
||||
fi
|
||||
|
||||
OVR=${ORIGINAL_PACKAGE_VERSION}-${ORIGINAL_PACKAGE_RELEASE}
|
||||
DBGDIR=usr/lib/debug
|
||||
DBGSRCDIR=usr/src/debug/openssl-${OVR}.${RPM_ARCH}
|
||||
DEBUGINFO=${RPM_BUILD_DIR}/debuginfo.list
|
||||
DEBUGSOURCE=${RPM_BUILD_DIR}/debugsourcefiles.list
|
||||
|
||||
# Remove existing files if any
|
||||
rm -fr ${RPM_BUILD_ROOT}/${DBGDIR}
|
||||
rm -fr ${RPM_BUILD_ROOT}/usr/src/debug/*
|
||||
> ${DEBUGINFO}
|
||||
> ${DEBUGSOURCE}
|
||||
|
||||
# fips.so
|
||||
mkdir extract
|
||||
pushd extract
|
||||
|
||||
rpm2cpio ${RPM_BUILD_DIR}/openssl-libs-${OVR}.${PKG_ARCH}.rpm |cpio -id --quiet
|
||||
rpm2cpio ${RPM_BUILD_DIR}/openssl-libs-debuginfo-${OVR}.${PKG_ARCH}.rpm |cpio -id --quiet
|
||||
rpm2cpio ${RPM_BUILD_DIR}/openssl-debuginfo-${OVR}.${PKG_ARCH}.rpm |cpio -id --quiet
|
||||
rpm2cpio ${RPM_BUILD_DIR}/openssl-debugsource-${OVR}.${PKG_ARCH}.rpm |cpio -id --quiet
|
||||
FIPS_SO=$(find usr -name fips.so)
|
||||
cp -adt ${RPM_BUILD_ROOT} --parents ${FIPS_SO}
|
||||
FIPS_SO_DBG=$(find usr -name fips.so-${OVR}.${RPM_ARCH}.debug)
|
||||
cp -adt ${RPM_BUILD_ROOT} --parents ${FIPS_SO_DBG}
|
||||
|
||||
FIPS_DBG_ID=$(find -L usr -samefile ${FIPS_SO_DBG} -xtype l)
|
||||
FIPS_DBG_ID_DIR=$(dirname ${FIPS_DBG_ID})
|
||||
cp -adt ${RPM_BUILD_ROOT} --parents ${FIPS_DBG_ID_DIR}
|
||||
cp -adt ${RPM_BUILD_ROOT} --parents ${DBGDIR}/.dwz
|
||||
|
||||
#remove unnecessary parts
|
||||
rm -fr ${DBGSRCDIR}/apps
|
||||
rm -fr ${DBGSRCDIR}/engines
|
||||
rm -fr ${DBGSRCDIR}/ssl
|
||||
cp -adt ${RPM_BUILD_ROOT} --parents usr/src/debug
|
||||
|
||||
popd
|
||||
|
||||
pushd ${RPM_BUILD_ROOT}
|
||||
|
||||
find ${DBGDIR} -type d | sed -e "s#^#%dir /#" >> ${DEBUGINFO}
|
||||
find ${DBGDIR} -type f | sed -e "s#^#/#">> ${DEBUGINFO}
|
||||
find ${DBGDIR} -type l | sed -e "s#^#/#">> ${DEBUGINFO}
|
||||
|
||||
find ${DBGSRCDIR} -type d | sed -e "s#^#%dir /#" >> ${DEBUGSOURCE}
|
||||
find ${DBGSRCDIR} -type f | sed -e "s#^#/#">> ${DEBUGSOURCE}
|
||||
find ${DBGSRCDIR} -type l | sed -e "s#^#/#">> ${DEBUGSOURCE}
|
||||
|
||||
popd
|
||||
@ -0,0 +1,22 @@
|
||||
#!/usr/bin/bash -e
|
||||
|
||||
# args: version release
|
||||
VERSION=$1
|
||||
RELEASE=$2
|
||||
OVR="${VERSION}-${RELEASE}"
|
||||
rpm2cpio openssl-${OVR}.src.rpm |cpio -id
|
||||
|
||||
rm -fr openssl-${VERSION}
|
||||
tar xf openssl-${VERSION}-hobbled.tar.gz
|
||||
rm openssl.spec
|
||||
|
||||
pushd openssl-${VERSION}
|
||||
git init
|
||||
git config user.email "openssl-fips-provider-build@redhat.com"
|
||||
git config user.name "openssl-fips-provider build"
|
||||
git add .
|
||||
git commit -m "init commit" --quiet
|
||||
git apply -p1 ../*.patch
|
||||
|
||||
cp ../ec_curve.c crypto/ec/
|
||||
cp ../ectest.c test/
|
||||
@ -0,0 +1,220 @@
|
||||
# For the curious:
|
||||
# 0.9.8jk + EAP-FAST soversion = 8
|
||||
# 1.0.0 soversion = 10
|
||||
# 1.1.0 soversion = 1.1 (same as upstream although presence of some symbols
|
||||
# depends on build configuration options)
|
||||
# 3.0.0 soversion = 3 (same as upstream)
|
||||
%define soversion 3
|
||||
|
||||
# Arches on which we need to prevent arch conflicts on opensslconf.h, must
|
||||
# also be handled in opensslconf-new.h.
|
||||
%define multilib_arches %{ix86} ia64 %{mips} ppc ppc64 s390 s390x sparcv9 sparc64 x86_64
|
||||
|
||||
%global debug_package %{nil}
|
||||
%define orig_release 18.el9_2
|
||||
|
||||
Summary: FIPS module for OpenSSL
|
||||
Name: openssl-fips-provider
|
||||
Version: 3.0.7
|
||||
Release: 6%{?dist}
|
||||
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
# The original openssl upstream tarball cannot be shipped in the .src.rpm.
|
||||
Source: %{name}-%{version}.tar.gz
|
||||
Source1: extract-src.sh
|
||||
Source2: extract-fips.sh
|
||||
Source3: README.md
|
||||
|
||||
License: ASL 2.0
|
||||
URL: http://www.openssl.org/
|
||||
BuildRequires: gcc g++
|
||||
BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp
|
||||
BuildRequires: lksctp-tools-devel
|
||||
BuildRequires: /usr/bin/rename
|
||||
BuildRequires: /usr/bin/pod2man
|
||||
BuildRequires: /usr/sbin/sysctl
|
||||
BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt)
|
||||
BuildRequires: perl(Module::Load::Conditional), perl(File::Temp)
|
||||
BuildRequires: perl(Time::HiRes), perl(IPC::Cmd), perl(Pod::Html), perl(Digest::SHA)
|
||||
BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy), perl(bigint)
|
||||
BuildRequires: git-core
|
||||
Requires: %{name}-so = %{version}-%{release}
|
||||
|
||||
%description
|
||||
This package provides a custom build of the OpenSSL FIPS module that has been
|
||||
submitted to NIST for certification.
|
||||
|
||||
%files
|
||||
%doc README.md
|
||||
|
||||
%package so
|
||||
Summary: FIPS module for OpenSSL
|
||||
Requires: coreutils
|
||||
Conflicts: openssl-libs < 1:3.0.7-26
|
||||
Obsoletes: openssl-fips-provider < 3.0.7-3
|
||||
|
||||
%description so
|
||||
This package provides a custom build of the OpenSSL FIPS module that has been
|
||||
submitted to NIST for certification.
|
||||
|
||||
%files so
|
||||
%attr(0755,root,root) %{_libdir}/ossl-modules/fips.so
|
||||
|
||||
%package so-debuginfo
|
||||
Summary: Debug information for package %{name}
|
||||
Group: Development/Debug
|
||||
Recommends: %{name}-so-debugsource = %{version}-%{release}
|
||||
%description so-debuginfo
|
||||
This package provides debug information for package %{name}.
|
||||
Debug information is useful when developing applications that use this
|
||||
package or when debugging this package.
|
||||
%files so-debuginfo -f debuginfo.list
|
||||
|
||||
%package so-debugsource
|
||||
Summary: Debug sources for package %{name}
|
||||
Group: Development/Debug
|
||||
%description so-debugsource
|
||||
This package provides debug sources for package %{name}.
|
||||
Debug sources are useful when developing applications that use this
|
||||
package or when debugging this package.
|
||||
%files so-debugsource -f debugsourcefiles.list
|
||||
|
||||
%prep
|
||||
tar xf %{SOURCE0}
|
||||
%{SOURCE1} %{version} %{orig_release}
|
||||
|
||||
## NOTE: we do a full build every time to endure our ability to build
|
||||
## from source as needed, but in RHEL we ultimately throw away all
|
||||
## binaries and replace with the certified one.
|
||||
%build
|
||||
pushd openssl-%{version}
|
||||
# Figure out which flags we want to use.
|
||||
# default
|
||||
sslarch=%{_os}-%{_target_cpu}
|
||||
%ifarch %ix86
|
||||
sslarch=linux-elf
|
||||
if ! echo %{_target} | grep -q i686 ; then
|
||||
sslflags="no-asm 386"
|
||||
fi
|
||||
%endif
|
||||
%ifarch x86_64
|
||||
sslflags=enable-ec_nistp_64_gcc_128
|
||||
%endif
|
||||
%ifarch sparcv9
|
||||
sslarch=linux-sparcv9
|
||||
sslflags=no-asm
|
||||
%endif
|
||||
%ifarch sparc64
|
||||
sslarch=linux64-sparcv9
|
||||
sslflags=no-asm
|
||||
%endif
|
||||
%ifarch alpha alphaev56 alphaev6 alphaev67
|
||||
sslarch=linux-alpha-gcc
|
||||
%endif
|
||||
%ifarch s390 sh3eb sh4eb
|
||||
sslarch="linux-generic32 -DB_ENDIAN"
|
||||
%endif
|
||||
%ifarch s390x
|
||||
sslarch="linux64-s390x"
|
||||
%endif
|
||||
%ifarch %{arm}
|
||||
sslarch=linux-armv4
|
||||
%endif
|
||||
%ifarch aarch64
|
||||
sslarch=linux-aarch64
|
||||
sslflags=enable-ec_nistp_64_gcc_128
|
||||
%endif
|
||||
%ifarch sh3 sh4
|
||||
sslarch=linux-generic32
|
||||
%endif
|
||||
%ifarch ppc64 ppc64p7
|
||||
sslarch=linux-ppc64
|
||||
%endif
|
||||
%ifarch ppc64le
|
||||
sslarch="linux-ppc64le"
|
||||
sslflags=enable-ec_nistp_64_gcc_128
|
||||
%endif
|
||||
%ifarch mips mipsel
|
||||
sslarch="linux-mips32 -mips32r2"
|
||||
%endif
|
||||
%ifarch mips64 mips64el
|
||||
sslarch="linux64-mips64 -mips64r2"
|
||||
%endif
|
||||
%ifarch mips64el
|
||||
sslflags=enable-ec_nistp_64_gcc_128
|
||||
%endif
|
||||
%ifarch riscv64
|
||||
sslarch=linux-generic64
|
||||
%endif
|
||||
|
||||
# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
|
||||
# marked as not requiring an executable stack.
|
||||
# Also add -DPURIFY to make using valgrind with openssl easier as we do not
|
||||
# want to depend on the uninitialized memory as a source of entropy anyway.
|
||||
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS"
|
||||
|
||||
export HASHBANGPERL=/usr/bin/perl
|
||||
|
||||
%define fips %{version}-nevership
|
||||
# ia64, x86_64, ppc are OK by default
|
||||
# Configure the build tree. Override OpenSSL defaults with known-good defaults
|
||||
# usable on all platforms. The Configure script already knows to use -fPIC and
|
||||
# RPM_OPT_FLAGS, so we can skip specifiying them here.
|
||||
./Configure \
|
||||
--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
|
||||
--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
|
||||
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
|
||||
enable-cms enable-md2 enable-rc5 enable-ktls enable-fips\
|
||||
no-mdc2 no-ec2m no-sm2 no-sm4 enable-buildtest-c++\
|
||||
shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""'\
|
||||
-Wl,--allow-multiple-definition
|
||||
|
||||
# Do not run this in a production package the FIPS symbols must be patched-in
|
||||
#util/mkdef.pl crypto update
|
||||
|
||||
make %{?_smp_mflags} all
|
||||
|
||||
popd
|
||||
|
||||
%check
|
||||
#We re not using the actual built bits, so skip any checks on those binaries.
|
||||
|
||||
%install
|
||||
#we are not actually installing the build, as we replace all contents with the
|
||||
#content from the original rpms
|
||||
export ORIGINAL_PACKAGE_VERSION=%{version}
|
||||
export ORIGINAL_PACKAGE_RELEASE=%{orig_release}
|
||||
%{SOURCE2}
|
||||
install -d $RPM_BUILD_ROOT%{_pkgdocdir}
|
||||
install -m644 %{SOURCE3} $RPM_BUILD_ROOT%{_pkgdocdir}/README.md
|
||||
|
||||
%changelog
|
||||
* Wed Nov 13 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 3.0.7-6
|
||||
- Rebuilt for MSVSphere 9.5
|
||||
|
||||
* Tue Sep 10 2024 Simo Sorce <ssorce@redhat.com> - 3.0.7-6
|
||||
- Try to fix an upgrade issue with pkg version numbers
|
||||
Resolves: RHEL-58662
|
||||
|
||||
* Mon Apr 29 2024 Simo Sorce <ssorce@redhat.com> - 3.0.7-5
|
||||
- Add an empty metapackage and proper requires to correctly
|
||||
handle upgrades.
|
||||
Related: RHEL-32123
|
||||
|
||||
* Tue Apr 23 2024 Simo Sorce <ssorce@redhat.com> - 3.0.7-4
|
||||
- Change subpackage names to avoid build gating issues
|
||||
Related: RHEL-32123
|
||||
|
||||
* Tue Apr 16 2024 Simo Sorce <ssorce@redhat.com> - 3.0.7-3
|
||||
- Change tarball source contents
|
||||
- Rework file extraction process
|
||||
- Fixes debug packages
|
||||
Resolves: RHEL-32123
|
||||
|
||||
* Wed Feb 21 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 3.0.7-2
|
||||
- Denote conflict with old versions of openssl-libs package
|
||||
Related: RHEL-23474
|
||||
|
||||
* Wed Jan 24 2024 Simo Sorce <ssorce@redhat.com> - 3.0.7-1
|
||||
Initial packaging
|
||||
Loading…
Reference in new issue