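# For the curious:
# 0.9.8jk + EAP-FAST soversion = 8
# 1.0.0 soversion = 10
# 1.1.0 soversion = 1.1 (same as upstream although presence of some symbols
#                        depends on build configuration options)
# 3.0.0 soversion = 3 (same as upstream)
# NOTE(review): soversion is not referenced anywhere else in this spec as shown.
%define soversion 3

# Arches on which we need to prevent arch conflicts on opensslconf.h, must
# also be handled in opensslconf-new.h.
# NOTE(review): multilib_arches is not referenced anywhere else in this spec
# as shown.
%define multilib_arches %{ix86} ia64 %{mips} ppc ppc64 s390 s390x sparcv9 sparc64 x86_64

# Automatic debuginfo generation is switched off; the so-debuginfo and
# so-debugsource subpackages are declared by hand later in this spec.
%global debug_package %{nil}
# Release of the original package. It is passed to extract-src.sh in the prep
# section and exported as ORIGINAL_PACKAGE_RELEASE in the install section.
%define orig_release 18.el9_2

Summary: FIPS module for OpenSSL
Name: openssl-fips-provider
Version: 3.0.7
Release: 6%{?dist}

# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
# The original openssl upstream tarball cannot be shipped in the .src.rpm.
# NOTE(review): no hobble-openssl script appears among the Source entries
# below; the comment above looks inherited from another spec - confirm.
Source: %{name}-%{version}.tar.gz
# Source1 is executed in the prep section and Source2 in the install section,
# so both scripts are part of the trusted build input alongside the tarball.
Source1: extract-src.sh
Source2: extract-fips.sh
Source3: README.md

License: ASL 2.0
# Project home page, referenced over HTTPS.
URL: https://www.openssl.org/
BuildRequires: gcc g++
BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp
BuildRequires: lksctp-tools-devel
BuildRequires: /usr/bin/rename
BuildRequires: /usr/bin/pod2man
BuildRequires: /usr/sbin/sysctl
BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt)
BuildRequires: perl(Module::Load::Conditional), perl(File::Temp)
BuildRequires: perl(Time::HiRes), perl(IPC::Cmd), perl(Pod::Html), perl(Digest::SHA)
BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy), perl(bigint)
BuildRequires: git-core
# The main package pulls in the matching build of the -so subpackage.
Requires: %{name}-so = %{version}-%{release}
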
%description
This package provides a custom build of the OpenSSL FIPS module that has been
submitted to NIST for certification.

%files
# The main package ships only its README; the module itself is listed in the
# files section of the -so subpackage.
%doc README.md

%package so
# Subpackage that carries the provider module (fips.so).
Summary: FIPS module for OpenSSL
Requires: coreutils
# Cannot be installed next to openssl-libs builds older than 1:3.0.7-26.
Conflicts: openssl-libs < 1:3.0.7-26
# Takes over from builds of openssl-fips-provider older than 3.0.7-3.
Obsoletes: openssl-fips-provider < 3.0.7-3

%description so
This package provides a custom build of the OpenSSL FIPS module that has been
submitted to NIST for certification.

%files so
# Installed root:root with mode 0755, i.e. writable by its owner only.
%attr(0755,root,root) %{_libdir}/ossl-modules/fips.so

%package so-debuginfo
# Hand-written debuginfo subpackage (automatic generation is disabled through
# the debug_package macro at the top of this spec).
Summary: Debug information for package %{name}
Group: Development/Debug
# Weak dependency on the debug sources of the same version and release.
Recommends: %{name}-so-debugsource = %{version}-%{release}
%description so-debuginfo
This package provides debug information for package %{name}.
Debug information is useful when developing applications that use this
package or when debugging this package.
%files so-debuginfo -f debuginfo.list
# The file list comes from debuginfo.list. Nothing in this spec as shown
# writes that file; presumably extract-fips.sh produces it - confirm.

%package so-debugsource
# Hand-written debugsource subpackage, recommended by so-debuginfo.
Summary: Debug sources for package %{name}
Group: Development/Debug
%description so-debugsource
This package provides debug sources for package %{name}.
Debug sources are useful when developing applications that use this
package or when debugging this package.
%files so-debugsource -f debugsourcefiles.list
# The file list comes from debugsourcefiles.list. Nothing in this spec as
# shown writes that file; presumably extract-fips.sh produces it - confirm.

%prep
# Unpack the source tarball by hand, then run extract-src.sh (Source1) with the
# package version and the original release as its two arguments.
# NOTE(review): what extract-src.sh unpacks or verifies is not visible in this
# spec; it runs with the privileges of the build user.
tar -xf %{SOURCE0}
%{SOURCE1} %{version} %{orig_release}

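## NOTE: we do a full build every time to ensure our ability to build
## from source as needed, but in RHEL we ultimately throw away all
## binaries and replace with the certified one.
%build
pushd openssl-%{version}
# Figure out which flags we want to use.
# Start with no extra Configure options, so that a value of sslflags inherited
# from the build environment cannot reach ./Configure on arches that set none.
sslflags=
# default
sslarch=%{_os}-%{_target_cpu}
%ifarch %ix86
sslarch=linux-elf
if ! echo %{_target} | grep -q i686 ; then
    sslflags="no-asm 386"
fi
%endif
%ifarch x86_64
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch sparcv9
sslarch=linux-sparcv9
sslflags=no-asm
%endif
%ifarch sparc64
sslarch=linux64-sparcv9
sslflags=no-asm
%endif
%ifarch alpha alphaev56 alphaev6 alphaev67
sslarch=linux-alpha-gcc
%endif
%ifarch s390 sh3eb sh4eb
sslarch="linux-generic32 -DB_ENDIAN"
%endif
%ifarch s390x
sslarch="linux64-s390x"
%endif
%ifarch %{arm}
sslarch=linux-armv4
%endif
%ifarch aarch64
sslarch=linux-aarch64
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch sh3 sh4
sslarch=linux-generic32
%endif
%ifarch ppc64 ppc64p7
sslarch=linux-ppc64
%endif
%ifarch ppc64le
sslarch="linux-ppc64le"
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch mips mipsel
sslarch="linux-mips32 -mips32r2"
%endif
%ifarch mips64 mips64el
sslarch="linux64-mips64 -mips64r2"
%endif
%ifarch mips64el
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch riscv64
sslarch=linux-generic64
%endif

# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
# marked as not requiring an executable stack.
# Also add -DPURIFY to make using valgrind with openssl easier as we do not
# want to depend on the uninitialized memory as a source of entropy anyway.
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS"

export HASHBANGPERL=/usr/bin/perl

# Version string compiled in as REDHAT_FIPS_VERSION. The -nevership suffix is
# consistent with the note above that the binaries built here are discarded.
%define fips %{version}-nevership
# ia64, x86_64, ppc are OK by default
# Configure the build tree. Override OpenSSL defaults with known-good defaults
# usable on all platforms. The Configure script already knows to use -fPIC and
# RPM_OPT_FLAGS, so we can skip specifying them here.
#
# sslflags and sslarch stay unquoted on purpose: some arches store several
# words in them ("no-asm 386", "linux-generic32 -DB_ENDIAN") that must reach
# Configure as separate arguments.
# Every continuation backslash is preceded by a space so that the last option
# on one line can never fuse with the first option on the next.
# NOTE(review): -Wl,--allow-multiple-definition makes the linker accept
# duplicate symbol definitions instead of failing, which can hide a genuine
# symbol clash; the reason it is needed is not documented here - confirm.
./Configure \
    --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
    --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
    zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
    enable-cms enable-md2 enable-rc5 enable-ktls enable-fips \
    no-mdc2 no-ec2m no-sm2 no-sm4 enable-buildtest-c++ \
    shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""' \
    -Wl,--allow-multiple-definition

# Do not run this in a production package the FIPS symbols must be patched-in
#util/mkdef.pl crypto update

make %{?_smp_mflags} all

popd
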
%check
# We're not using the actual built bits, so skip any checks on those binaries.
# As a result, this spec runs no test at build time against the module that is
# actually packaged.

%install
# We are not actually installing the build, as we replace all contents with the
# content from the original rpms.
# The two exported variables name the original package version and release;
# they are presumably consumed by extract-fips.sh (Source2), which runs next.
# NOTE(review): the packaged fips.so therefore comes from that script, not from
# the build section. Any checksum or signature verification of the original
# contents is not visible in this spec - confirm it happens in extract-fips.sh.
export ORIGINAL_PACKAGE_VERSION=%{version}
export ORIGINAL_PACKAGE_RELEASE=%{orig_release}
%{SOURCE2}
# Ship the README in the package documentation directory.
install -d "$RPM_BUILD_ROOT%{_pkgdocdir}"
install -m 644 %{SOURCE3} "$RPM_BUILD_ROOT%{_pkgdocdir}/README.md"

%changelog
* Tue Sep 10 2024 Simo Sorce <ssorce@redhat.com> - 3.0.7-6
- Try to fix an upgrade issue with pkg version numbers
Resolves: RHEL-58662

* Mon Apr 29 2024 Simo Sorce <ssorce@redhat.com> - 3.0.7-5
- Add an empty metapackage and proper requires to correctly
  handle upgrades.
Related: RHEL-32123

* Tue Apr 23 2024 Simo Sorce <ssorce@redhat.com> - 3.0.7-4
- Change subpackage names to avoid build gating issues
Related: RHEL-32123

* Tue Apr 16 2024 Simo Sorce <ssorce@redhat.com> - 3.0.7-3
- Change tarball source contents
- Rework file extraction process
- Fixes debug packages
Resolves: RHEL-32123

* Wed Feb 21 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 3.0.7-2
- Denote conflict with old versions of openssl-libs package
Related: RHEL-23474

* Wed Jan 24 2024 Simo Sorce <ssorce@redhat.com> - 3.0.7-1
Initial packaging