openssl/openssl.spec

%define soversion 1.1
Name:        openssl
Epoch:       1
Version:     1.1.1m
Release:     20
Summary:     Cryptography and SSL/TLS Toolkit
License:     OpenSSL and SSLeay
URL:         https://www.openssl.org/
Source0:     https://www.openssl.org/source/%{name}-%{version}.tar.gz
Source1:     Makefile.certificate
Patch1:      openssl-1.1.1-build.patch
Patch2:      openssl-1.1.1-fips.patch
Patch3:      CVE-2022-0778-Add-a-negative-testcase-for-BN_mod_sqrt.patch
Patch4:      CVE-2022-0778-Fix-possible-infinite-loop-in-BN_mod_sqrt.patch
Patch5:      CVE-2022-1292.patch
Patch6:      Backport-Support-raw-input-data-in-apps-pkeyutl.patch
Patch7:      Backport-Fix-no-ec-no-sm2-and-no-sm3.patch
Patch8:      Backport-Support-SM2-certificate-verification.patch
Patch9:      Backport-Guard-some-SM2-functions-with-OPENSSL_NO_SM2.patch
Patch10:     Backport-Add-test-cases-for-SM2-cert-verification.patch
Patch11:     Backport-Add-documents-for-SM2-cert-verification.patch
Patch12:     Backport-Fix-a-memleak-in-apps-verify.patch
Patch13:     Backport-Skip-the-correct-number-of-tests-if-SM2-is-disabled.patch
Patch14:     Backport-Make-X509_set_sm2_id-consistent-with-other-setters.patch
Patch15:     Backport-Support-SM2-certificate-signing.patch
Patch16:     Backport-Support-parsing-of-SM2-ID-in-hexdecimal.patch
Patch17:     Backport-Fix-a-double-free-issue-when-signing-SM2-cert.patch
Patch18:     Backport-Fix-a-document-description-in-apps-req.patch
Patch19:     Backport-Update-expired-SCT-certificates.patch
Patch20:     Backport-ct_test.c-Update-the-epoch-time.patch
Patch21:     Feature-Support-TLCP-protocol.patch
Patch22:     Feature-X509-command-supports-SM2-certificate-signing-with-default-sm2id.patch
Patch23:     CVE-2022-2068-Fix-file-operations-in-c_rehash.patch
Patch24:     CVE-2022-2097-Fix-AES-OCB-encrypt-decrypt-for-x86-AES-NI.patch
Patch25:     Feature-add-ARMv8-implementations-of-SM4-in-ECB-and-XTS.patch
Patch26:     Fix-reported-performance-degradation-on-aarch64.patch 
Patch27:     Feature-PKCS7-sign-and-verify-support-SM2-algorithm.patch
Patch28:     Backport-SM3-acceleration-with-SM3-hardware-instruction-on-aa.patch
Patch29:     Backport-SM4-optimization-for-ARM-by-HW-instruction.patch
Patch30:     Feature-SM4-XTS-optimization-for-ARM-by-HW-instruction.patch
Patch31:     backport-Fix-failure-to-check-result-of-bn_rshift_fixed_top.patch
Patch32:     backport-Test-processing-of-a-duplicated-HRR.patch
Patch33:     backport-tls_process_server_hello-Disallow-repeated-HRR.patch
Patch34:     backport-Avoid-potential-memory-leak.patch
Patch35:     backport-Fix-NULL-pointer-dereference-for-BN_mod_exp2_mont.patch
Patch36:     backport-crypto-x509-v3_utl.c-Add-missing-check-for-OPENSSL_s.patch
Patch37:     backport-Fix-password_callback-to-handle-short-passwords.patch
Patch38:     backport-Fix-usage-of-SSLfatal.patch
Patch39:     backport-Fix-integer-overflow-in-evp_EncryptDecryptUpdate.patch
Patch40:     backport-Fix-Coverity-1201763-uninitialised-pointer-read.patch
Patch41:     backport-Fix-Coverity-1498611-1498608-uninitialised-read.patch
Patch42:     backport-Fix-coverity-1498607-uninitialised-value.patch
Patch43:     backport-Check-password-length-only-when-verify-is-enabled.patch
Patch44:     backport-Fix-issue-where-OBJ_nid2obj-doesn-t-always-raise-an-.patch
Patch45:     backport-Set-protocol-in-init_client.patch
Patch46:     backport-Fix-a-crash-in-ssl_security_cert_chain.patch
Patch47:     backport-Fix-undefined-behaviour-in-EC_GROUP_new_from_ecparam.patch
Patch48:     backport-Fix-a-memory-leak-in-ec_key_simple_oct2priv.patch
Patch49:     backport-Fix-a-crash-in-asn1_item_embed_new.patch
Patch50:     backport-Fix-leakage-when-the-cacheline-is-32-bytes-in-CBC_MA.patch
Patch51:     backport-Add-test-for-empty-supported-groups-extension.patch
Patch52:     backport-Do-not-send-an-empty-supported-groups-extension.patch
Patch53:     backport-x509-use-actual-issuer-name-if-a-CA-is-used.patch
Patch54:     backport-ticket_lifetime_hint-may-exceed-1-week-in-TLSv1.3.patch
Patch55:     backport-Fix-a-memory-leak-in-crl_set_issuers.patch
Patch56:     backport-Fix-a-DTLS-server-hangup-due-to-TLS13_AD_MISSING_EXT.patch
Patch57:     backport-Fix-an-assertion-in-the-DTLS-server-code.patch
Patch58:     backport-Fix-a-memory-leak-in-X509_issuer_and_serial_hash.patch
Patch59:     backport-Fix-strict-client-chain-check-with-TLS-1.3.patch
Patch60:     backport-Fix-a-crash-in-X509v3_asid_subset.patch
Patch61:     backport-Fix-a-memory-leak-in-EC_GROUP_new_from_ecparameters.patch
Patch62:     backport-Fix-range_should_be_prefix-to-actually-return-the-co.patch
Patch63:     backport-v3_sxnet-add-a-check-for-the-return-of-i2s_ASN1_INTE.patch
Patch64:     backport-Fix-bn_gcd-code-to-check-return-value-when-calling-B.patch
Patch65:     backport-Add-missing-header-for-memcmp.patch
Patch66:     backport-Fix-a-memory-leak-in-tls13_generate_secret.patch
Patch67:     backport-Make-the-DRBG-seed-propagation-thread-safe.patch
Patch68:     backport-Fix-memory-leak-in-X509V3_add1_i2d-when-flag-is-X509.patch
Patch69:     fix-add-loongarch64-target.patch
Patch70:     backport-APPS-x509-With-CA-but-both-CAserial-and-CAcreateseri.patch 
Patch71:     backport-Fix-verify_callback-in-the-openssl-s_client-s_server.patch 
Patch72:     backport-Fix-re-signing-certificates-with-different-key-sizes.patch 
Patch73:     backport-Fix-ipv4_from_asc-behavior-on-invalid-Ip-addresses.patch 
Patch74:     backport-Test-case-for-a2i_IPADDRESS.patch 
Patch75:     backport-Fix-test-case-for-a2i_IPADDRESS.patch 
Patch76:     backport-Fix-a-crash-in-v2i_IPAddrBlocks.patch 
Patch77:     backport-Fixes-segfault-occurrence-in-PEM_write.patch 
Patch78:     backport-X509_REQ_get_extensions-Return-empty-stack-if-no-ext.patch 
Patch79:     backport-Fix-EC_KEY_set_private_key-priv_key-regression.patch 
Patch80:     backport-Add-test-for-EC_KEY_set_private_key.patch 
Patch81:     backport-Fix-SSL_pending-and-SSL_has_pending-with-DTLS.patch 
Patch82:     backport-Test-that-swapping-the-first-app-data-record-with-Fi.patch
Patch83:     backport-Always-end-BN_mod_exp_mont_consttime-with-normal-Mon.patch
Patch84:     backport-Add-an-extra-reduction-step-to-RSAZ-mod_exp-implemen.patch
Patch85:     backport-Coverity-1508534-1508540-misuses-of-time_t.patch
Patch86:     backport-Moving-notify-check-after-the-no-time-check.patch
Patch87:     backport-Convert-serverinfo-in-SSL_CTX_use_serverinfo-to-v2.patch
Patch88:     backport-X509-x509_req.c-Set-modified-flag-when-X509_req_info.patch
Patch89:     backport-ssl_cipher_process_rulestr-don-t-read-outside-rule_s.patch

BuildRequires: gcc perl make lksctp-tools-devel coreutils util-linux zlib-devel
Requires:    coreutils %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
Obsoletes:   openssl-SMx < %{epoch}:%{version}-%{release}
Provides:    openssl-SMx = %{epoch}:%{version}-%{release}

%description
OpenSSL is a robust, commercial-grade, and full-featured toolkit for the
Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.

%package libs
Summary:      A general purpose cryptography library with TLS implementation
Group:        System Environment/Libraries
Requires:     ca-certificates >= 2008-5
Requires:     crypto-policies >= 20180730
Recommends:   openssl-pkcs11%{?_isa}
Obsoletes:    openssl < 1:1.0.1-0.3.beta3
Obsoletes:    openssl-fips < 1:1.0.1e-28
Provides:     openssl-fips = %{epoch}:%{version}-%{release}
Obsoletes:    openssl-SMx-libs < %{epoch}:%{version}-%{release}
Provides:     openssl-SMx-libs = %{epoch}:%{version}-%{release}

%description libs
The openssl-libs package contains the libraries that are used
by various applications which support cryptographic algorithms
and protocols.

%package perl
Summary: Perl scripts provided with OpenSSL
Requires: perl-interpreter
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}

%description perl
OpenSSL is a toolkit for supporting cryptography. The openssl-perl
package provides Perl scripts for converting certificates and keys
from other formats to the formats used by the OpenSSL toolkit.

%package devel
Summary:   Development files for openssl
Requires:  %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: krb5-devel zlib-devel pkgconfig
Obsoletes: openssl-static < %{epoch}:%{version}-%{release}
Provides:  openssl-static = %{epoch}:%{version}-%{release} openssl-static%{?_isa} = %{epoch}:%{version}-%{release}
Obsoletes: openssl-SMx-devel < %{epoch}:%{version}-%{release}
Provides:  openssl-SMx-devel = %{epoch}:%{version}-%{release}

%description devel
%{summary}.

%package_help

%prep
%autosetup -n %{name}-%{version} -p1

%build

sslarch=%{_os}-%{_target_cpu}
%ifarch x86_64 aarch64
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch loongarch64
sslflags="--libdir=%{_libdir}"
%endif

RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -DPURIFY $RPM_LD_FLAGS"
./Configure \
    --prefix=%{_prefix} \
    --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
    zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
    enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \
    enable-weak-ssl-ciphers \
    no-mdc2 no-ec2m enable-sm2 enable-sm3 enable-sm4 enable-tlcp \
    shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'

%make_build all

%define __spec_install_post \
    %{?__debug_package:%{__debug_install_post}} \
    %{__arch_install_post} \
    %{__os_install_post} \
    crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{version}.hmac \
    ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{soversion}.hmac \
    crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{version}.hmac \
    ln -sf .libssl.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{soversion}.hmac \
%{nil}

%install

%make_install

# rename so name with actual version
rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}
# create symbolic link
for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do
     ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`
     ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion}
done

mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs
install -m644 %{SOURCE1} $RPM_BUILD_ROOT%{_pkgdocdir}/Makefile.certificate

mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/*.pl $RPM_BUILD_ROOT%{_bindir}
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/tsget $RPM_BUILD_ROOT%{_bindir}


mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/{certs,crl,newcerts,private}
chmod 700 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/private

touch -r %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/{openssl.cnf,ct_log_list.cnf}


# rename man pages avoid conflicting with other man pages in system
%define manpostfix _openssl
pushd $RPM_BUILD_ROOT%{_mandir}
ln -s -f config.5 man5/openssl.cnf.5
for manpage in man*/* ; do
    if [ -L ${manpage} ]; then
        targetfile=`ls -l ${manpage} | awk '{print $NF}'`
        ln -sf ${targetfile}%{manpostfix} ${manpage}%{manpostfix}
        rm -f ${manpage}
    else
        mv ${manpage} ${manpage}%{manpostfix}
    fi
done
popd

# Next step of gradual disablement of ssl3.
# Make SSL3 disappear to newly built dependencies.
sed -i '/^\#ifndef OPENSSL_NO_SSL_TRACE/i\
#ifndef OPENSSL_NO_SSL3\
# define OPENSSL_NO_SSL3\
#endif' $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h

rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/*.dist

%check
LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
export LD_LIBRARY_PATH
crypto/fips/fips_standalone_hmac libcrypto.so.%{soversion} >.libcrypto.so.%{soversion}.hmac
ln -s .libcrypto.so.%{soversion}.hmac .libcrypto.so.hmac
crypto/fips/fips_standalone_hmac libssl.so.%{soversion} >.libssl.so.%{soversion}.hmac
ln -s .libssl.so.%{soversion}.hmac .libssl.so.hmac
OPENSSL_ENABLE_MD5_VERIFY=
export OPENSSL_ENABLE_MD5_VERIFY
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
make test || :

%post libs -p /sbin/ldconfig

%postun libs -p /sbin/ldconfig

%files
%defattr(-,root,root)
%license LICENSE
%doc AUTHORS CHANGES FAQ NEWS README
%{_pkgdocdir}/Makefile.certificate
%{_bindir}/openssl

%files libs
%defattr(-,root,root)
%license LICENSE
%dir %{_sysconfdir}/pki/tls
%dir %{_sysconfdir}/pki/tls/certs
%dir %{_sysconfdir}/pki/tls/misc
%dir %{_sysconfdir}/pki/tls/private
%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
%config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf
%{_libdir}/libcrypto.so.%{version}
%{_libdir}/libcrypto.so.%{soversion}
%{_libdir}/libssl.so.%{version}
%{_libdir}/libssl.so.%{soversion}
%{_libdir}/engines-%{soversion}
%attr(0644,root,root) %{_libdir}/.libcrypto.so.*.hmac
%attr(0644,root,root) %{_libdir}/.libssl.so.*.hmac

%files devel
%defattr(-,root,root)
%doc doc/dir-locals.example.el doc/openssl-c-indent.el
%{_prefix}/include/openssl
%{_libdir}/pkgconfig/*.pc
%{_libdir}/*.so
%{_libdir}/*.a

%files help
%defattr(-,root,root)
%{_mandir}/man1/*
%{_mandir}/man3/*
%{_mandir}/man5/*
%{_mandir}/man7/*
%{_pkgdocdir}/html/

%files perl
%{_bindir}/c_rehash
%{_bindir}/*.pl
%{_bindir}/tsget
%dir %{_sysconfdir}/pki/CA
%dir %{_sysconfdir}/pki/CA/private
%dir %{_sysconfdir}/pki/CA/certs
%dir %{_sysconfdir}/pki/CA/crl
%dir %{_sysconfdir}/pki/CA/newcerts

%ldconfig_scriptlets libs

%changelog
* Wed Dec 21 2022 wangcheng <wangcheng156@huawei.com> - 1:1.1.1m-20
- backport some patches

* Mon Nov 28 2022 zhujianwei001 <zhujianwei7@huawei.com> - 1:1.1.1m-19
- backport some patches

* Mon Nov 14 2022 zhaozhen <zhaozhen@loongson.cn> - 1:1.1.1m-18
- Add loongarch support

* Mon Nov 7 2022 ExtinctFire<shenyining_00@126.com> - 1:1.1.1m-17
- backport some patches

* Mon Nov 7 2022 steven.ygui<steven_ygui@163.com> - 1:1.1.1m-16
- backport some patches

* Mon Nov 7 2022 fangxiuning<fangxiuning@huawei.com> - 1:1.1.1m-15
- backport some patches

* Mon Nov 7 2022 fangxiuning<fangxiuning@huawei.com> - 1:1.1.1m-14
- backport some patches

* Fri Nov 4 2022 wangcheng<wangcheng156@huawei.com> - 1:1.1.1m-13
- backport some patches

* Wed Nov 2 2022 Xu Yizhou <xuyizhou1@huawei.com> - 1:1.1.1m-12
- SM3 acceleration with SM3 hardware instruction on aarch64
- SM4 optimization for ARM by HW instruction
- SM4 XTS optimization for ARM by HW instruction

* Wed Oct 26 2022 luhuaxin <luhuaxin1@huawei.com> - 1:1.1.1m-11
- fix cms testcase

* Fri Oct 21 2022 luhuaxin <luhuaxin1@huawei.com> - 1:1.1.1m-10
- add support for SM2 PKCS7

* Thu Oct 20 2022 fangxiuning <fangxiuning@huawei.com> - 1:1.1.1m-9
- fix proformance degradation on aarch64

* Tue Sep 13 2022 Xu Yizhou <xuyizhou1@huawei.com> - 1:1.1.1m-8
- add ARMv8 implementations of SM4 in ECB and XTS

* Tue Sep 13 2022 wangcheng <wangcheng156@huawei.com> - 1:1.1.1m-7
- add provides for openssl-SMx

* Tue Jul 12 2022 wangcheng <wangcheng156@huawei.com> - 1:1.1.1m-6
- fix CVE-2022-2097

* Thu Jun 30 2022 wangcheng <wangcheng156@huawei.com> - 1:1.1.1m-5
- fix CVE-2022-2068

* Wed Jun 29 2022 shichuchao <shichuchao@huawei.com> - 1:1.1.1m-4
- x509 command support SM2 signing with default sm2id

* Thu Jun 9 2022 shichuchao <shichuchao@huawei.com> - 1:1.1.1m-3
- support sm2 certificate sign and verify
- fix ct test errors
- add TLCP feature

* Mon May 16 2022 zhouchenchen <zhouchenchen@huawei.com> - 1:1.1.1m-2
- fix the CVE-2022-1292

* Thu Mar 24 2022 duyiwei <duyiwei@kylinos.cn> - 1:1.1.1m-1
- update openssl-1.1.1f to openssl-1.1.1m
- add subpackage openssl-perl
- fix the cve-2022-0778

* Wed Dec 8 2021 lujie42 <lujie42@huawei.com> - 1:1.1.1l-1
- update openssl-1.1.1f to openssl-1.1.1l

* Fri Sep 24 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1f-9
- bugfix Overflow when printing Thawte Strong Extranet

* Sat Sep 18 2021 zhuyan <zhuyan34@huawei.com> - 1:1.1.1f-8
- fix software package format problem

* Mon Aug 30 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1f-7
- fix the CVE-2021-3711 and CVE-2021-3712

* Tue Jun 29 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1f-6
- add perl BuildRequires

* Wed Apr 7 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1f-5
- fix CVE-2021-3449

* Wed Mar 10 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1f-4
- fix CVE-2021-23840 and CVE-2021-23841

* Tue Jan 19 2021 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1f-3
- fix CVE-2020-1971

* Fri Sep 11 2020 Liquor <lirui130@huawei.com> - 1:1.1.1f-2
- provides openssl-perl

* Tue May 12 2020 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1f-1
- update openssl-1.1.1d to openssl-1.1.1f and fix CVE-2020-1967

* Wed Mar 18 2020 steven <steven_ygui@163.com> - 1:1.1.1d-9
- fix division zero issue which found by oss-fuzz

* Tue Mar 3 2020 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1d-8
- add missiong /sbin/ldconfig

* Tue Mar 3 2020 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1d-7
- Fix problem caused by missing hmac files

* Mon Feb 17 2020 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1d-6
- add openssl-libs containing dynamic library for openssl

* Sun Jan 19 2020 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1d-5
- add obsoletes

* Tue Jan 14 2020 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1d-4
- clean code

* Fri Jan 10 2020 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1d-3
- delete unused files

* Fri Dec 27 2019 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1d-2
- modify obsoletes

* Mon Dec 16 2019 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1d-1
- update to 1:1.1.1d

* Thu Nov 21 2019 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1c-5
- enable sm2 and sm4

* Fri Oct 25 2019 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1c-4
- Add missing openssl/fips.h

* Thu Oct 24 2019 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1c-3
- Add buildrequires zlib-devel

* Tue Sep 24 2019 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1c-2
- Adjust requires

* Mon Sep 16 2019 openEuler Buildteam <buildteam@openeuler.org> - 1:1.1.1c-1
- Package init