compat-openssl11/compat-openssl11.spec
hugel c3623d8a11 fix CVE-2024-13176
(cherry picked from commit 985bfb2aa0d8ed49bdfc3ed31c4e0c3b58fd3759)
2025-03-10 14:50:48 +08:00


# compat-openssl11: the OpenSSL 1.1.1 libraries and headers, packaged so they can
# be installed next to a newer system OpenSSL (see the Conflicts tags below).
# soversion is the upstream ABI suffix (libcrypto.so.1.1, libssl.so.1.1); the install
# section renames the real files to the full version and recreates so.1.1 as symlinks.
%define soversion 1.1
Name: compat-openssl11
Version: 1.1.1m
Release: 13
# Epoch 1 keeps version comparisons aligned with the regular openssl package
# (the Conflicts below compares against 1:3.0).
Epoch: 1
Summary: Cryptography and SSL/TLS Toolkit
License: OpenSSL and SSLeay
URL: https://www.openssl.org/
# NOTE(review): only the tarball is listed as a source, no upstream signature file.
# Unless the build pipeline verifies the archive elsewhere, its integrity rests on the
# download alone.
Source0: https://www.openssl.org/source/openssl-%{version}.tar.gz
Source1: Makefile.certificate
# Patches are applied in numeric order, with -p1, by the prep section.
Patch1: openssl-1.1.1-build.patch
Patch2: openssl-1.1.1-fips.patch
Patch3: CVE-2022-0778-Add-a-negative-testcase-for-BN_mod_sqrt.patch
Patch4: CVE-2022-0778-Fix-possible-infinite-loop-in-BN_mod_sqrt.patch
Patch5: CVE-2022-1292.patch
Patch6: Backport-Support-raw-input-data-in-apps-pkeyutl.patch
Patch7: Backport-Fix-no-ec-no-sm2-and-no-sm3.patch
Patch8: Backport-Support-SM2-certificate-verification.patch
Patch9: Backport-Guard-some-SM2-functions-with-OPENSSL_NO_SM2.patch
Patch10: Backport-Add-test-cases-for-SM2-cert-verification.patch
Patch11: Backport-Add-documents-for-SM2-cert-verification.patch
Patch12: Backport-Fix-a-memleak-in-apps-verify.patch
Patch13: Backport-Skip-the-correct-number-of-tests-if-SM2-is-disabled.patch
Patch14: Backport-Make-X509_set_sm2_id-consistent-with-other-setters.patch
Patch15: Backport-Support-SM2-certificate-signing.patch
Patch16: Backport-Support-parsing-of-SM2-ID-in-hexdecimal.patch
Patch17: Backport-Fix-a-double-free-issue-when-signing-SM2-cert.patch
Patch18: Backport-Fix-a-document-description-in-apps-req.patch
Patch19: Backport-Update-expired-SCT-certificates.patch
Patch20: Backport-ct_test.c-Update-the-epoch-time.patch
# Local features (not upstream 1.1.1): TLCP protocol support, SM2 signing in the x509
# command and PKCS7, and ARMv8 hardware-instruction paths for SM3 and SM4.
Patch21: Feature-Support-TLCP-protocol.patch
Patch22: Feature-X509-command-supports-SM2-certificate-signing-with-default-sm2id.patch
Patch23: CVE-2022-2068-Fix-file-operations-in-c_rehash.patch
Patch24: CVE-2022-2097-Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch
Patch25: Feature-add-ARMv8-implementations-of-SM4-in-ECB-and-XTS.patch
Patch26: Fix-reported-performance-degradation-on-aarch64.patch
Patch27: Feature-PKCS7-sign-and-verify-support-SM2-algorithm.patch
Patch28: Backport-SM3-acceleration-with-SM3-hardware-instruction-on-aa.patch
Patch29: Backport-SM4-optimization-for-ARM-by-HW-instruction.patch
Patch30: Feature-SM4-XTS-optimization-for-ARM-by-HW-instruction.patch
Patch31: backport-Fix-failure-to-check-result-of-bn_rshift_fixed_top.patch
Patch32: backport-Test-processing-of-a-duplicated-HRR.patch
Patch33: backport-tls_process_server_hello-Disallow-repeated-HRR.patch
Patch34: backport-Avoid-potential-memory-leak.patch
Patch35: backport-Fix-NULL-pointer-dereference-for-BN_mod_exp2_mont.patch
Patch36: backport-crypto-x509-v3_utl.c-Add-missing-check-for-OPENSSL_s.patch
Patch37: backport-Fix-password_callback-to-handle-short-passwords.patch
Patch38: backport-Fix-usage-of-SSLfatal.patch
Patch39: backport-Fix-integer-overflow-in-evp_EncryptDecryptUpdate.patch
Patch40: backport-Fix-Coverity-1201763-uninitialised-pointer-read.patch
Patch41: backport-Fix-Coverity-1498611-1498608-uninitialised-read.patch
Patch42: backport-Fix-coverity-1498607-uninitialised-value.patch
Patch43: backport-Check-password-length-only-when-verify-is-enabled.patch
Patch44: backport-Fix-issue-where-OBJ_nid2obj-doesn-t-always-raise-an-.patch
Patch45: backport-Set-protocol-in-init_client.patch
Patch46: backport-Fix-a-crash-in-ssl_security_cert_chain.patch
Patch47: backport-Fix-undefined-behaviour-in-EC_GROUP_new_from_ecparam.patch
Patch48: backport-Fix-a-memory-leak-in-ec_key_simple_oct2priv.patch
Patch49: backport-Fix-a-crash-in-asn1_item_embed_new.patch
Patch50: backport-Fix-leakage-when-the-cacheline-is-32-bytes-in-CBC_MA.patch
Patch51: backport-Add-test-for-empty-supported-groups-extension.patch
Patch52: backport-Do-not-send-an-empty-supported-groups-extension.patch
Patch53: backport-x509-use-actual-issuer-name-if-a-CA-is-used.patch
Patch54: backport-ticket_lifetime_hint-may-exceed-1-week-in-TLSv1.3.patch
Patch55: backport-Fix-a-memory-leak-in-crl_set_issuers.patch
Patch56: backport-Fix-a-DTLS-server-hangup-due-to-TLS13_AD_MISSING_EXT.patch
Patch57: backport-Fix-an-assertion-in-the-DTLS-server-code.patch
Patch58: backport-Fix-a-memory-leak-in-X509_issuer_and_serial_hash.patch
Patch59: backport-Fix-strict-client-chain-check-with-TLS-1.3.patch
Patch60: backport-Fix-a-crash-in-X509v3_asid_subset.patch
Patch61: backport-Fix-a-memory-leak-in-EC_GROUP_new_from_ecparameters.patch
Patch62: backport-Fix-range_should_be_prefix-to-actually-return-the-co.patch
Patch63: backport-v3_sxnet-add-a-check-for-the-return-of-i2s_ASN1_INTE.patch
Patch64: backport-Fix-bn_gcd-code-to-check-return-value-when-calling-B.patch
Patch65: backport-Add-missing-header-for-memcmp.patch
Patch66: backport-Fix-a-memory-leak-in-tls13_generate_secret.patch
Patch67: backport-Make-the-DRBG-seed-propagation-thread-safe.patch
Patch68: backport-Fix-memory-leak-in-X509V3_add1_i2d-when-flag-is-X509.patch
Patch69: fix-add-loongarch64-target.patch
Patch70: backport-APPS-x509-With-CA-but-both-CAserial-and-CAcreateseri.patch
Patch71: backport-Fix-verify_callback-in-the-openssl-s_client-s_server.patch
Patch72: backport-Fix-re-signing-certificates-with-different-key-sizes.patch
Patch73: backport-Fix-ipv4_from_asc-behavior-on-invalid-Ip-addresses.patch
Patch74: backport-Test-case-for-a2i_IPADDRESS.patch
Patch75: backport-Fix-test-case-for-a2i_IPADDRESS.patch
Patch76: backport-Fix-a-crash-in-v2i_IPAddrBlocks.patch
Patch77: backport-Fixes-segfault-occurrence-in-PEM_write.patch
Patch78: backport-X509_REQ_get_extensions-Return-empty-stack-if-no-ext.patch
Patch79: backport-Fix-EC_KEY_set_private_key-priv_key-regression.patch
Patch80: backport-Add-test-for-EC_KEY_set_private_key.patch
Patch81: backport-Fix-SSL_pending-and-SSL_has_pending-with-DTLS.patch
Patch82: backport-Test-that-swapping-the-first-app-data-record-with-Fi.patch
Patch83: backport-Always-end-BN_mod_exp_mont_consttime-with-normal-Mon.patch
Patch84: backport-Add-an-extra-reduction-step-to-RSAZ-mod_exp-implemen.patch
Patch85: backport-Coverity-1508534-1508540-misuses-of-time_t.patch
Patch86: backport-Moving-notify-check-after-the-no-time-check.patch
Patch87: backport-Convert-serverinfo-in-SSL_CTX_use_serverinfo-to-v2.patch
Patch88: backport-X509-x509_req.c-Set-modified-flag-when-X509_req_info.patch
Patch89: backport-ssl_cipher_process_rulestr-don-t-read-outside-rule_s.patch
# CVE backports carry the CVE id in the patch name; the changelog records which
# release picked each one up.
Patch90: backport-CVE-2022-4304-Fix-Timing-Oracle-in-RSA-decryption.patch
Patch91: backport-CVE-2022-4450-Avoid-dangling-ptrs-in-header-and-data-params-for-PE.patch
Patch92: backport-CVE-2023-0215-Check-CMS-failure-during-BIO-setup-with-stream-is-ha.patch
Patch93: backport-CVE-2023-0215-Fix-a-UAF-resulting-from-a-bug-in-BIO_new_NDEF.patch
Patch94: backport-CVE-2023-0286-Fix-GENERAL_NAME_cmp-for-x400Address-1.patch
Patch95: Fix-SM4-XTS-build-failure-using-clang.patch
Patch96: backport-test-add-test-cases-for-the-policy-resource-overuse.patch
Patch97: backport-x509-excessive-resource-use-verifying-policy-constra.patch
Patch98: backport-Ensure-that-EXFLAG_INVALID_POLICY-is-checked-even-in.patch
Patch99: backport-Fix-documentation-of-X509_VERIFY_PARAM_add0_policy.patch
Patch100: backport-CVE-2023-2650-Restrict-the-size-of-OBJECT-IDENTIFIERs-that-OBJ_obj.patch
Patch101: backport-Add-a-test-for-CVE-2023-3446.patch
Patch102: backport-CVE-2023-3446-Fix-DH_check-excessive-time-with-over-sized-modulus.patch
Patch103: backport-update-expired-certificates-for-sm2.patch
Patch104: backport-CVE-2023-3817.patch
Patch105: backport-CVE-2023-3817-testcase.patch
Patch106: backport-A-null-pointer-dereference-occurs-when-memory-alloca.patch
Patch107: backport-Make-DH_check-set-some-error-bits-in-recently-added-.patch
Patch108: backport-CVE-2023-5678-Make-DH_check_pub_key-and-DH_generate_key-safer-yet.patch
Patch109: backport-Add-negative-integer-check-when-using-ASN1_BIT_STRIN.patch
Patch110: backport-Fix-stack-corruption-in-ui_read.patch
Patch111: backport-Re-add-BN_F_OSSL_BN_RSA_DO_UNBLIND-which-was-incorre.patch
Patch112: backport-x509-Fix-possible-use-after-free-when-OOM.patch
Patch113: backport-x509-Handle-ossl_policy_level_add_node-errors.patch
Patch114: backport-Fix-a-possbile-memleak-in-rsa_pub_encode.patch
Patch115: backport-Fix-a-possible-memleak-in-eckey_priv_encode.patch
Patch116: backport-Fix-error-handling-in-CMS_EncryptedData_encrypt.patch
Patch117: backport-Fix-EVP_PKEY_asn1_copy.patch
Patch118: backport-CVE-2024-0727-fix-pkcs12-decoding-crashes.patch
Patch119: backport-apps-passwd.c-free-before-error-exiting.patch
Patch120: backport-Fix-mem-leaks-on-PKCS-12-read-error-in-PKCS12_key_ge.patch
Patch121: backport-CVE-2024-2511-Fix-unconstrained-session-cache-growth-in-TLSv1.3.patch
Patch122: backport-Add-a-test-for-session-cache-handling.patch
Patch123: backport-Extend-the-multi_resume-test-for-simultaneous-resump.patch
Patch124: backport-Hardening-around-not_resumable-sessions.patch
Patch125: backport-Add-a-test-for-session-cache-overflow.patch
Patch126: backport-CVE-2024-4741-Only-free-the-read-buffer.patch
Patch127: backport-CVE-2024-4741-Set-rlayer.packet-to-NULL-after-we-ve-.patch
Patch128: backport-CVE-2024-4741-test-Fix-possible-use-after-free.patch
# Locally disabled tests; note that the check section also tolerates test failures,
# so a regression in one of the CVE backports above would not fail the build.
Patch129: skip-some-test-cases.patch
Patch130: backport-Update-further-expiring-certificates-that-affect-tes.patch
Patch131: backport-CVE-2024-5535-Fix-SSL_select_next_proto-and-add-ALPN.patch
Patch132: backport-CVE-2024-5535-Add-a-test-for-ALPN-and-NPN.patch
Patch133: backport-CVE-2024-9143-Harden-BN_GF2m_poly2arr-against-misuse.patch
# CVE-2024-13176 timing side-channel fix, added in release 13 (see changelog).
Patch134: backport-CVE-2024-13176-Fix-timing-side-channel.patch
# lksctp-tools-devel backs enable-sctp and zlib-devel backs the zlib option passed to
# Configure in the build section; util-linux provides the rename used at install time.
BuildRequires: gcc perl make lksctp-tools-devel coreutils util-linux zlib-devel
%description
OpenSSL is a robust, commercial-grade, and full-featured toolkit for the
Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
%package libs
Summary: A general purpose cryptography library with TLS implementation
Group: System Environment/Libraries
Requires: ca-certificates >= 2008-5
Requires: crypto-policies >= 20180730
Conflicts: openssl-libs < 1:3.0
%description libs
The compat-openssl11-libs package contains the OpenSSL 1.1 shared libraries
(libcrypto, libssl and their engines) used by applications that still
require the 1.1 ABI alongside a newer system OpenSSL.
%package devel
Summary: Development files for openssl
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: krb5-devel zlib-devel pkgconfig
Conflicts: openssl-devel
%description devel
%{summary}.
%prep
# Unpack openssl-<version> and apply every PatchN listed above, in numeric order, with -p1.
%autosetup -n openssl-%{version} -p1
%build
# Configure target name, e.g. linux-x86_64 (the riscv64 spelling is adjusted below).
sslarch=%{_os}-%{_target_cpu}
%ifarch x86_64 aarch64
# Faster NIST P-curve implementation using 128-bit integer arithmetic on these targets.
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch loongarch64 riscv64
# These targets need the library directory passed to Configure explicitly (changelog -8).
sslflags="--libdir=%{_libdir}"
%endif
%ifarch riscv64
sslarch=%{_os}64-%{_target_cpu}
%endif
# -Wa,--noexecstack keeps the assembly objects from requesting an executable stack.
# The distribution linker flags are appended here so they reach Configure as well.
# NOTE(review): -DPURIFY is an OpenSSL build define intended for memory-checker-clean
# builds; confirm it still has an effect in this 1.1.1 tree before keeping it.
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -DPURIFY $RPM_LD_FLAGS"
# Security caveat: enable-ssl3, enable-ssl3-method, enable-weak-ssl-ciphers, enable-md2
# and enable-rc5 compile SSLv3 and legacy algorithms into this compat library. The
# install section later defines OPENSSL_NO_SSL3 in the installed opensslconf.h so that
# newly built dependents cannot reach the SSLv3 API, but the code stays in the shared
# objects. no-mdc2 and no-ec2m drop MDC2 and the binary-field EC curves.
# enable-sm2/sm3/sm4 and enable-tlcp switch on the ShangMi and TLCP code carried by the
# Feature-* patches. DEVRANDOM restricts the seeding device list to /dev/urandom.
# sslflags is deliberately unquoted: it is unset on most architectures and an empty
# quoted argument would be handed to Configure.
./Configure \
--prefix=%{_prefix} \
--openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \
enable-weak-ssl-ciphers \
no-mdc2 no-ec2m enable-sm2 enable-sm3 enable-sm4 enable-tlcp \
shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'
%make_build all
# Post-install processing chain rpmbuild runs after the install section:
# debuginfo extraction (when debug packages are enabled), then the architecture
# and OS specific post-install steps. This restates the usual default chain;
# NOTE(review): presumably a FIPS HMAC generation step used to live here and was
# removed in release 5 ("Remove the .fips hmac file"), so the override may now be
# droppable. Confirm against the distribution's default definition.
%define __spec_install_post \
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
%{__os_install_post} \
%{nil}
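%install
%make_install
# Everything below operates under the build root. The ':?' guards abort the install
# if RPM_BUILD_ROOT is unset or empty; without them an empty expansion would turn
# the globs and the rm -rf calls into operations on the build host's own
# /etc/pki/tls, man pages and binaries.
# Replace the upstream SONAME suffix (so.1.1) with the full version so the real
# files are libcrypto.so.1.1.1m and libssl.so.1.1.1m; the so.1.1 and .so names are
# recreated as symlinks in the loop that follows.
rename so.%{soversion} so.%{version} "${RPM_BUILD_ROOT:?}"%{_libdir}/*.so.%{soversion}
for lib in "${RPM_BUILD_ROOT:?}"%{_libdir}/*.so.%{version} ; do
    libname=$(basename "${lib}")
    unversioned=$(basename "${lib}" .%{version})
    # lib<name>.so -> lib<name>.so.<version>
    ln -s -f "${libname}" "${RPM_BUILD_ROOT}"%{_libdir}/"${unversioned}"
    # lib<name>.so.1.1 -> lib<name>.so.<version> (what existing 1.1 consumers dlopen/link)
    ln -s -f "${libname}" "${RPM_BUILD_ROOT}"%{_libdir}/"${unversioned}".%{soversion}
done
# Next step of gradual disablement of ssl3: hide the SSLv3 API from newly built
# dependents by defining OPENSSL_NO_SSL3 in the installed opensslconf.h. The library
# itself is still built with enable-ssl3 (build section), so this only affects
# what new code can compile against, not what the shared objects contain.
sed -i '/^\#ifndef OPENSSL_NO_SSL_TRACE/i\
#ifndef OPENSSL_NO_SSL3\
# define OPENSSL_NO_SSL3\
#endif' "${RPM_BUILD_ROOT:?}"/%{_prefix}/include/openssl/opensslconf.h
# Configuration files, man pages, documentation and the openssl binary are not
# shipped by this compat package (presumably the regular openssl package owns them);
# only libraries, headers and pkgconfig files remain.
rm -rf "${RPM_BUILD_ROOT:?}"/%{_sysconfdir}/pki/tls/*
rm -rf "${RPM_BUILD_ROOT:?}"/%{_mandir}/*
rm -rf "${RPM_BUILD_ROOT:?}"/%{_datadir}/doc
rm -rf "${RPM_BUILD_ROOT:?}"/%{_bindir}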
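%check
# Run the upstream test suite against the freshly built libcrypto/libssl in the
# source tree rather than whatever OpenSSL the build host has installed.
LD_LIBRARY_PATH="$(pwd)${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}"
export LD_LIBRARY_PATH
# NOTE(review): these two variables are presumably honoured by the distribution
# patches rather than upstream code (the libs subpackage depends on crypto-policies).
# An empty OPENSSL_ENABLE_MD5_VERIFY and a nonexistent system-ciphers override file
# keep the host's crypto policy out of the test run; confirm against
# openssl-1.1.1-build.patch.
OPENSSL_ENABLE_MD5_VERIFY=
export OPENSSL_ENABLE_MD5_VERIFY
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
# Test failures are deliberately non-fatal (skip-some-test-cases.patch suggests there
# are known failures), but for a package whose purpose is CVE backports the outcome
# must not be discarded silently: capture the status and report it prominently so a
# regression in a backported fix is at least visible in the build log.
# echo rather than printf: a bare percent sign in a spec file is macro syntax.
make test
test_rv=$?
if [ "${test_rv}" -eq 0 ]; then
    echo "== openssl test suite passed" >&2
else
    echo "== WARNING: openssl test suite failed (exit status ${test_rv}); build continues, inspect the test output above" >&2
fi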
# Refresh the dynamic linker cache when the libs subpackage is installed or removed.
%post libs -p /sbin/ldconfig
%postun libs -p /sbin/ldconfig
%files libs
%defattr(-,root,root)
%license LICENSE
# The real files carry the full version; the so.1.1 names are the symlinks created
# by the install section, and engines-1.1 holds the engine shared objects.
%{_libdir}/libcrypto.so.%{version}
%{_libdir}/libcrypto.so.%{soversion}
%{_libdir}/libssl.so.%{version}
%{_libdir}/libssl.so.%{soversion}
%{_libdir}/engines-%{soversion}
%files devel
%defattr(-,root,root)
%doc doc/dir-locals.example.el doc/openssl-c-indent.el
# Headers, pkgconfig files and the unversioned .so / static archives. The .so
# development links are why this subpackage Conflicts with openssl-devel.
%{_prefix}/include/openssl
%{_libdir}/pkgconfig/*.pc
%{_libdir}/*.so
%{_libdir}/*.a
# NOTE(review): the explicit post/postun ldconfig scriptlets above and this macro
# express the same thing. On rpm configurations where the macro still expands to
# real scriptlets this would declare them twice; keep one form.
%ldconfig_scriptlets libs
%changelog
* Mon Mar 10 2025 hugel <gengqihu2@h-partners.com> - 1:1.1.1m-13
- fix CVE-2024-13176
* Thu Dec 12 2024 jinlun <jinlun@huawei.com> - 1:1.1.1m-12
- fix CVE-2024-5535 CVE-2024-9143
* Fri Jun 7 2024 zhujianwei <zhujianwei7@huawei.com> - 1:1.1.1m-11
- fix CVE-2024-4741
* Mon Apr 22 2024 wangcheng <wangcheng156@huawei.com> - 1:1.1.1m-10
- fix CVE-2023-5678 CVE-2024-0727 CVE-2024-2511
* Thu Oct 12 2023 fangxiuning <fangxiuning@huawei.com> - 1:1.1.1m-9
- fix some CVEs
* Mon Jun 05 2023 laokz <zhangkai@iscas.ac.cn> - 1:1.1.1m-8
- fix sslarch and libdir for riscv64
* Thu May 25 2023 fangxiuning <fangxiuning@huawei.com> - 1:1.1.1m-7
- Fix some cves
* Fri May 12 2023 Xu Yizhou <xuyizhou1@huawei.com> - 1:1.1.1m-6
- Fix SM4-XTS build failure using clang
* Thu Mar 16 2023 wangcheng <wangcheng156@huawei.com> - 1:1.1.1m-5
- Remove the .fips hmac file
* Wed Mar 08 2023 fangxiuning <fangxiuning@huawei.com> - 1:1.1.1m-4
- Fix some cves
* Tue Mar 07 2023 fangxiuning <fangxiuning@huawei.com> - 1:1.1.1m-3
- Fix some cves
* Thu Jan 19 2023 licihua <licihua@huawei.com> - 1:1.1.1m-2
- Add Conflicts for compat-openssl11-devel compat-openssl11-lib
* Fri Jan 13 2023 licihua <licihua@huawei.com> - 1:1.1.1m-1
- Repackge openssl-1.1.1m into compat-openssl11