|
@@ -7,9 +7,23 @@
|
|
|
# depends on build configuration options)
|
|
|
%define soversion 3
|
|
|
|
|
|
+%define srpmhash() %{lua:
|
|
|
+local files = rpm.expand("%_specdir/openssl.spec")
|
|
|
+for i, p in ipairs(patches) do
|
|
|
+ files = files.." "..p
|
|
|
+end
|
|
|
+for i, p in ipairs(sources) do
|
|
|
+ files = files.." "..p
|
|
|
+end
|
|
|
+local sha256sum = assert(io.popen("cat "..files.." 2>/dev/null | sha256sum"))
|
|
|
+local hash = sha256sum:read("*a")
|
|
|
+sha256sum:close()
|
|
|
+print(string.sub(hash, 0, 16))
|
|
|
+}
|
|
|
+
|
|
|
Summary: Secure Sockets Layer Toolkit
|
|
|
Name: openssl
|
|
|
-Version: 3.0.8
|
|
|
+Version: 3.1.4
|
|
|
Release: 1%{_dist_release}
|
|
|
Group: system,security
|
|
|
Vendor: Project Vine
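Review bot: The `srpmhash` macro hides every `cat` error behind `2>/dev/null`, so if a source or patch file is missing the pipeline still succeeds and the printed value covers fewer inputs than intended (with no readable files it is just the SHA-256 of empty input). This value is later used by `%define fips`, so drop the redirect to make a failed read at least visible in the build log. The paths are also concatenated into the `io.popen` command unquoted, so a path containing whitespace or shell metacharacters changes the command; quote each one, e.g. `files = files.." '"..p.."'"`. Lua strings are 1-based, so `string.sub(hash, 1, 16)` states the intent more clearly than index 0, and `%{name}.spec` would avoid hard-coding `openssl.spec`.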
|
|
@@ -21,58 +35,122 @@ URL: https://www.openssl.org/
|
|
|
# We have to remove certain patented algorithms from the openssl source
|
|
|
# tarball with the hobble-openssl script which is included below.
|
|
|
# The original openssl upstream tarball cannot be shipped in the .src.rpm.
|
|
|
-Source: openssl-%{version}-hobbled.tar.xz
|
|
|
-Source1: hobble-openssl
|
|
|
+Source: https://www.openssl.org/source/openssl-%{version}.tar.gz
|
|
|
Source2: Makefile.certificate
|
|
|
Source6: make-dummy-cert
|
|
|
Source7: renew-dummy-cert
|
|
|
Source9: configuration-switch.h
|
|
|
Source10: configuration-prefix.h
|
|
|
-Source12: ec_curve.c
|
|
|
-Source13: ectest.c
|
|
|
+Source14: for-tests.patch
|
|
|
|
|
|
# Patches exported from source git
|
|
|
-# Aarch64 and ppc64le use lib64
|
|
|
-#Patch1: 0001-Aarch64-and-ppc64le-use-lib64.patch
|
|
|
-# Use more general default values in openssl.cnf
|
|
|
-Patch2: 0002-Use-more-general-default-values-in-openssl.cnf.patch
|
|
|
-# Do not install html docs
|
|
|
-Patch3: 0003-Do-not-install-html-docs.patch
|
|
|
-# Override default paths for the CA directory tree
|
|
|
-Patch4: 0004-Override-default-paths-for-the-CA-directory-tree.patch
|
|
|
-# apps/ca: fix md option help text
|
|
|
-Patch5: 0005-apps-ca-fix-md-option-help-text.patch
|
|
|
-# Disable signature verification with totally unsafe hash algorithms
|
|
|
-Patch6: 0006-Disable-signature-verification-with-totally-unsafe-h.patch
|
|
|
-# Add support for PROFILE=SYSTEM system default cipherlist
|
|
|
-Patch7: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
|
|
|
-# Add FIPS_mode() compatibility macro
|
|
|
-Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch
|
|
|
-# Add check to see if fips flag is enabled in kernel
|
|
|
-#Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
|
|
|
-# remove unsupported EC curves
|
|
|
-Patch11: 0011-Remove-EC-curves.patch
|
|
|
-# Disable explicit EC curves
|
|
|
-Patch12: 0012-Disable-explicit-ec.patch
|
|
|
-# Instructions to load legacy provider in openssl.cnf
|
|
|
-#Patch24: 0024-load-legacy-prov.patch
|
|
|
-# Selectively disallow SHA1 signatures rhbz#2070977
|
|
|
-Patch49: 0049-Allow-disabling-of-SHA1-signatures.patch
|
|
|
-# Backport of patch for RHEL for Edge rhbz #2027261
|
|
|
-Patch51: 0051-Support-different-R_BITS-lengths-for-KBKDF.patch
|
|
|
-# Support SHA1 in TLS in LEGACY crypto-policy (which is SECLEVEL=1)
|
|
|
-Patch52: 0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch
|
|
|
-# Instrument with USDT probes related to SHA-1 deprecation
|
|
|
-#Patch53: 0053-Add-SHA1-probes.patch
|
|
|
-# https://github.com/openssl/openssl/pull/18103
|
|
|
-# The patch is incorporated in 3.0.3 but we provide this function since 3.0.1
|
|
|
-# so the patch should persist
|
|
|
-Patch56: 0056-strcasecmp.patch
|
|
|
-# https://github.com/openssl/openssl/pull/18444
|
|
|
-#Patch58: 0058-replace-expired-certs.patch
|
|
|
-
|
|
|
-# drop test
|
|
|
-Patch1000: drop_bad_test.patch
|
|
|
+# # Aarch64 and ppc64le use lib64
|
|
|
+Patch1: 0001-Aarch64-and-ppc64le-use-lib64.patch
|
|
|
+# # Use more general default values in openssl.cnf
|
|
|
+Patch2: 0002-Use-more-general-default-values-in-openssl.cnf.patch
|
|
|
+# # Do not install html docs
|
|
|
+Patch3: 0003-Do-not-install-html-docs.patch
|
|
|
+# # Override default paths for the CA directory tree
|
|
|
+Patch4: 0004-Override-default-paths-for-the-CA-directory-tree.patch
|
|
|
+# # apps/ca: fix md option help text
|
|
|
+Patch5: 0005-apps-ca-fix-md-option-help-text.patch
|
|
|
+# # Disable signature verification with totally unsafe hash algorithms
|
|
|
+Patch6: 0006-Disable-signature-verification-with-totally-unsafe-h.patch
|
|
|
+# # Add support for PROFILE=SYSTEM system default cipherlist
|
|
|
+Patch7: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
|
|
|
+#Patch7: 0007-ossl_safe_getenv.patch
|
|
|
+# # Add FIPS_mode() compatibility macro
|
|
|
+Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch
|
|
|
+# # Add check to see if fips flag is enabled in kernel
|
|
|
+Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
|
|
|
+# # Instead of replacing ectest.c and ec_curve.c, add the changes as a patch so
|
|
|
+# # that new modifications made to these files by upstream are not lost.
|
|
|
+Patch10: 0010-Add-changes-to-ectest-and-eccurve.patch
|
|
|
+# # remove unsupported EC curves
|
|
|
+Patch11: 0011-Remove-EC-curves.patch
|
|
|
+# # Disable explicit EC curves
|
|
|
+# # https://bugzilla.redhat.com/show_bug.cgi?id=2066412
|
|
|
+Patch12: 0012-Disable-explicit-ec.patch
|
|
|
+# # Skipped tests from former 0011-Remove-EC-curves.patch
|
|
|
+Patch13: 0013-skipped-tests-EC-curves.patch
|
|
|
+# # Instructions to load legacy provider in openssl.cnf
|
|
|
+#Patch24: 0024-load-legacy-prov.patch
|
|
|
+# # We load FIPS provider and set FIPS properties implicitly
|
|
|
+Patch32: 0032-Force-fips.patch
|
|
|
+# # Embed HMAC into the fips.so
|
|
|
+Patch33: 0033-FIPS-embed-hmac.patch
|
|
|
+# # Comment out fipsinstall command-line utility
|
|
|
+Patch34: 0034.fipsinstall_disable.patch
|
|
|
+# # Skip unavailable algorithms running `openssl speed`
|
|
|
+Patch35: 0035-speed-skip-unavailable-dgst.patch
|
|
|
+# # Extra public/private key checks required by FIPS-140-3
|
|
|
+Patch44: 0044-FIPS-140-3-keychecks.patch
|
|
|
+# # Minimize fips services
|
|
|
+Patch45: 0045-FIPS-services-minimize.patch
|
|
|
+# # Execute KATS before HMAC verification
|
|
|
+Patch47: 0047-FIPS-early-KATS.patch
|
|
|
+# # Selectively disallow SHA1 signatures rhbz#2070977
|
|
|
+Patch49: 0049-Allow-disabling-of-SHA1-signatures.patch
|
|
|
+# # Support SHA1 in TLS in LEGACY crypto-policy (which is SECLEVEL=1)
|
|
|
+Patch52: 0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch
|
|
|
+# # https://github.com/openssl/openssl/pull/18103
|
|
|
+# # The patch is incorporated in 3.0.3 but we provide this function since 3.0.1
|
|
|
+# # so the patch should persist
|
|
|
+Patch56: 0056-strcasecmp.patch
|
|
|
+# # https://bugzilla.redhat.com/show_bug.cgi?id=2053289
|
|
|
+Patch58: 0058-FIPS-limit-rsa-encrypt.patch
|
|
|
+# # https://bugzilla.redhat.com/show_bug.cgi?id=2087147
|
|
|
+Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch
|
|
|
+# 0062-fips-Expose-a-FIPS-indicator.patch
|
|
|
+Patch62: 0062-fips-Expose-a-FIPS-indicator.patch
|
|
|
+# # https://bugzilla.redhat.com/show_bug.cgi?id=2102535
|
|
|
+Patch73: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
|
|
|
+# [PATCH 29/46]
|
|
|
+# 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
|
|
|
+Patch74: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
|
|
|
+# # https://bugzilla.redhat.com/show_bug.cgi?id=2102535
|
|
|
+Patch75: 0075-FIPS-Use-FFDHE2048-in-self-test.patch
|
|
|
+# # Downstream only. Reseed DRBG using getrandom(GRND_RANDOM)
|
|
|
+# # https://bugzilla.redhat.com/show_bug.cgi?id=2102541
|
|
|
+Patch76: 0076-FIPS-140-3-DRBG.patch
|
|
|
+# # https://bugzilla.redhat.com/show_bug.cgi?id=2102542
|
|
|
+Patch77: 0077-FIPS-140-3-zeroization.patch
|
|
|
+# # https://bugzilla.redhat.com/show_bug.cgi?id=2114772
|
|
|
+Patch78: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch
|
|
|
+# # https://github.com/openssl/openssl/pull/13817
|
|
|
+Patch79: 0079-RSA-PKCS15-implicit-rejection.patch
|
|
|
+# # We believe that some changes present in CentOS are not necessary
|
|
|
+# # because ustream has a check for FIPS version
|
|
|
+Patch80: 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
|
|
|
+# [PATCH 36/46]
|
|
|
+# 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
|
|
|
+Patch81: 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
|
|
|
+# [PATCH 37/46]
|
|
|
+# 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
|
|
|
+Patch83: 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
|
|
|
+# [PATCH 38/46]
|
|
|
+# 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
|
|
|
+Patch84: 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
|
|
|
+# 0085-FIPS-RSA-disable-shake.patch
|
|
|
+Patch85: 0085-FIPS-RSA-disable-shake.patch
|
|
|
+# 0088-signature-Add-indicator-for-PSS-salt-length.patch
|
|
|
+Patch88: 0088-signature-Add-indicator-for-PSS-salt-length.patch
|
|
|
+# 0091-FIPS-RSA-encapsulate.patch
|
|
|
+Patch91: 0091-FIPS-RSA-encapsulate.patch
|
|
|
+# [PATCH 42/46]
|
|
|
+# 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
|
|
|
+Patch93: 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
|
|
|
+# [PATCH 43/46]
|
|
|
+# 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
|
|
|
+Patch110: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
|
|
|
+# [PATCH 44/46]
|
|
|
+# 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
|
|
|
+Patch112: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
|
|
|
+# 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
|
|
|
+Patch113: 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
|
|
|
+# # We believe that some changes present in CentOS are not necessary
|
|
|
+# # because ustream has a check for FIPS version
|
|
|
+Patch114: 0114-FIPS-enforce-EMS-support.patch
|
|
|
|
|
|
# security fix
|
|
|
# none
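Review bot: The comment block above `Source:` still says the upstream tarball cannot be shipped in the .src.rpm and must be hobbled, but the new `Source:` line names the unmodified upstream tarball and `hobble-openssl` is removed. Either rewrite the comment to say why hobbling is no longer required (presumably the EC patches and the `no-ec2m` Configure option now cover it; please confirm) or keep the hobbled tarball. Nothing in the spec verifies the upstream tarball, so consider adding the upstream detached signature and the signing key as further `Source` entries and checking them in `%prep` before `%setup`. The comments on Patch80 and Patch114 also misspell "upstream" as "ustream".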
|
|
@@ -176,13 +254,6 @@ supported by OpenSSL.
|
|
|
%setup -q -n %{name}-%{version}
|
|
|
%autopatch -p1
|
|
|
|
|
|
-# The hobble_openssl is called here redundantly, just to be sure.
|
|
|
-# The tarball has already the sources removed.
|
|
|
-%{SOURCE1} > /dev/null
|
|
|
-
|
|
|
-cp %{SOURCE12} crypto/ec/
|
|
|
-cp %{SOURCE13} test/
|
|
|
-
|
|
|
|
|
|
%build
|
|
|
# Figure out which flags we want to use.
|
|
@@ -203,11 +274,11 @@ sslflags=enable-ec_nistp_64_gcc_128
|
|
|
# marked as not requiring an executable stack.
|
|
|
# Also add -DPURIFY to make using valgrind with openssl easier as we do not
|
|
|
# want to depend on the uninitialized memory as a source of entropy anyway.
|
|
|
-RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -DPURIFY $RPM_LD_FLAGS"
|
|
|
+RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS"
|
|
|
|
|
|
export HASHBANGPERL=/usr/bin/perl
|
|
|
|
|
|
-perl -pi -e 's|/engines-|/%{name}/engines-|' ./Configurations/unix-Makefile.tmpl
|
|
|
+%define fips %{version}-%{srpmhash}
|
|
|
|
|
|
# ia64, x86_64, ppc are OK by default
|
|
|
# Configure the build tree. Override OpenSSL defaults with known-good defaults
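Review bot: `%define fips %{version}-%{srpmhash}` is lazily expanded, so the Lua macro and its `io.popen` pipeline run on each expansion of `%{fips}` rather than once. Writing `%global fips %{version}-%{srpmhash}` at the same position evaluates it a single time, after the Source and Patch tags have been read. A short comment such as `# FIPS provider version string: package version plus a hash of the spec, sources and patches` would explain why the value exists, since its use is outside this hunk.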
|
|
@@ -219,7 +290,8 @@ perl -pi -e 's|/engines-|/%{name}/engines-|' ./Configurations/unix-Makefile.tmpl
|
|
|
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
|
|
|
enable-cms enable-md2 enable-rc5 enable-ktls enable-fips \
|
|
|
no-mdc2 no-ec2m no-sm2 no-sm4 enable-buildtest-c++ \
|
|
|
- shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'
|
|
|
+ shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""' \
|
|
|
+ -Wl,--allow-multiple-definition
|
|
|
|
|
|
# Do not run this in a production package the FIPS symbols must be patched-in
|
|
|
#util/mkdef.pl crypto update
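Review bot: `-Wl,--allow-multiple-definition` is added to the Configure line without explanation. It makes the linker accept duplicate symbol definitions and keep the first one, which in a crypto library can hide the fact that an unintended implementation was linked. Please add a comment naming the colliding symbols and the patch that introduces them, so the flag can be dropped once the duplication is fixed. `-DREDHAT_FIPS_VERSION=...` also shares one single-quoted word with `-DDEVRANDOM=...`, so Configure receives both defines as a single argument; if that is intended, a brief comment would save the next reader the check. The Configure invocation starts outside this hunk.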
|
|
@@ -244,6 +316,8 @@ done
|
|
|
|
|
|
# We must revert patch4 before tests otherwise they will fail
|
|
|
patch -p1 -R < %{PATCH4}
|
|
|
+#We must disable default provider before tests otherwise they will fail
|
|
|
+patch -p1 < %{SOURCE14}
|
|
|
|
|
|
LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
|
|
|
export LD_LIBRARY_PATH
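Review bot: `patch -p1 < %{SOURCE14}` alters the source tree so that the tests pass, and nothing visible restores it afterwards. The section header is outside this hunk; if these commands run before `%install`, files changed by `for-tests.patch` (and by the reverted Patch4) could be the ones that get packaged, shipping a configuration with the default provider disabled. Either keep this strictly in `%check` or undo it after `make test` with `patch -p1 -R < %{SOURCE14}`. The comment would read better as `# Disable the default provider for the test run only; otherwise the tests fail`.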
|
|
@@ -251,20 +325,31 @@ OPENSSL_ENABLE_MD5_VERIFY=
|
|
|
export OPENSSL_ENABLE_MD5_VERIFY
|
|
|
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
|
|
|
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
|
|
|
+
|
|
|
+#embed HMAC into fips provider for test run
|
|
|
+OPENSSL_CONF=/dev/null LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac
|
|
|
+objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac
|
|
|
+mv providers/fips.so.mac providers/fips.so
|
|
|
+
|
|
|
+#run tests itself
|
|
|
make test HARNESS_JOBS=8
|
|
|
|
|
|
-%if 0
|
|
|
+
|
|
|
# Add generation of HMAC checksum of the final stripped library
|
|
|
+# We manually copy standard definition of __spec_install_post
|
|
|
+# and add hmac calculation/embedding to fips.so
|
|
|
%define __spec_install_post \
|
|
|
%{?__debug_package:%{__debug_install_post}} \
|
|
|
%{__arch_install_post} \
|
|
|
%{__os_install_post} \
|
|
|
+ OPENSSL_CONF=/dev/null LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so > $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
|
|
|
+ objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac \
|
|
|
+ mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \
|
|
|
+ rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
|
|
|
%{nil}
|
|
|
-%endif
|
|
|
|
|
|
%define __provides_exclude_from %{_libdir}/openssl
|
|
|
|
|
|
-
|
|
|
%install
|
|
|
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
|
|
|
# Install OpenSSL.
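Review bot: The HMAC key `hexkey:f4556650…` is written out twice, once for the test run and once in `__spec_install_post`, and it is public in the spec. The embedded MAC therefore detects accidental corruption of `fips.so` but does not authenticate the module against deliberate modification; a comment should say so, so that nobody treats the key as a secret. Define the key once in a macro and reference it from both commands so the two copies cannot drift apart. The test-run block leaves `providers/fips.so.hmac` behind while the install-post block removes its copy, so add `rm providers/fips.so.hmac` after the `mv` for consistency. `LD_LIBRARY_PATH=. apps/openssl` inside `__spec_install_post` assumes the working directory is still the build tree at that point; please confirm.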
|
|
@@ -372,7 +457,7 @@ install -m644 %{SOURCE9} \
|
|
|
/%{_lib}/libcrypto.so.%{soversion}
|
|
|
%attr(0755,root,root) /%{_lib}/libssl.so.%{version}
|
|
|
/%{_lib}/libssl.so.%{soversion}
|
|
|
-%attr(0755,root,root) %{_libdir}/%{name}/engines-%{soversion}
|
|
|
+%attr(0755,root,root) %{_libdir}/engines-%{soversion}
|
|
|
%attr(0755,root,root) %{_libdir}/ossl-modules
|
|
|
%ifnarch i686
|
|
|
%config(noreplace) %{_sysconfdir}/pki/tls/fipsmodule.cnf
|
|
@@ -420,6 +505,18 @@ install -m644 %{SOURCE9} \
|
|
|
|
|
|
|
|
|
%changelog
|
|
|
+* Wed Oct 25 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 3.1.4-1
|
|
|
+- new upstream release.
|
|
|
+
|
|
|
+* Wed Sep 20 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 3.1.3-1
|
|
|
+- new upstream release.
|
|
|
+
|
|
|
+* Wed Aug 02 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 3.0.10-1
|
|
|
+- new upstream release.
|
|
|
+
|
|
|
+* Tue Jul 11 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 3.0.9-1
|
|
|
+- new upstream release.
|
|
|
+
|
|
|
* Wed Feb 08 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 3.0.8-1
|
|
|
- new upstream release.
|
|
|
|