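# RPM spec for quictls: the QUIC-enabled OpenSSL fork, packaged as a parallel
# "variant" (renamed soname, pkg-config files, include dir and module dir, see
# Patch100-105) so it can be installed next to the distribution's main openssl.
#
# NOTE(review): the patch list below shows no security backports on top of the
# packaged version. Check upstream OpenSSL 3.0.x advisories published after
# this release before shipping or rebuilding this package.

%define maj 81.3
%define libname %mklibname quictls %{maj}
%define develname %mklibname quictls -d
%define staticname %mklibname quictls -s -d
%define sslname openssl-quic
%define ssllibname %mklibname openssl-quic 3
%define ssldevelname %mklibname openssl-quic -d
%define sslstaticname %mklibname openssl-quic -s -d

Summary:	Secure Sockets Layer communications libs & utils
Name:		quictls
Version:	3.0.5
Release:	%mkrel 5
License:	ASL 2.0
Group:		System/Libraries
URL:		https://www.openssl.org/
# NOTE(review): this archive URL is built from a refs/heads/ (branch) ref, and
# a branch can move upstream, so the tarball content is not guaranteed to be
# stable. Prefer the archive of a release tag or a fixed commit, and verify the
# download against a checksum recorded with the package sources.
Source0:	https://github.com/quictls/openssl/archive/refs/heads/openssl-%{version}+quic1.tar.gz
Source2:	Makefile.certificate
Source3:	genpatches
Source4:	openssl-thread-test.c
Source6:	make-dummy-cert
Source7:	renew-dummy-cert
Source9:	configuration-switch.h
Source10:	configuration-prefix.h
Source12:	ec_curve.c
Source13:	ectest.c

# fedora patches
# Patches exported from source git
# Aarch64 and ppc64le use lib64
Patch1:		0001-Aarch64-and-ppc64le-use-lib64.patch
# Use more general default values in openssl.cnf
Patch2:		0002-Use-more-general-default-values-in-openssl.cnf.patch
# Do not install html docs
Patch3:		0003-Do-not-install-html-docs.patch
# Override default paths for the CA directory tree
Patch4:		0004-Override-default-paths-for-the-CA-directory-tree.patch
# apps/ca: fix md option help text
Patch5:		0005-apps-ca-fix-md-option-help-text.patch
# Disable signature verification with totally unsafe hash algorithms
Patch6:		0006-Disable-signature-verification-with-totally-unsafe-h.patch
# Add support for PROFILE=SYSTEM system default cipherlist
Patch7:		0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
# Add FIPS_mode() compatibility macro
Patch8:		0008-Add-FIPS_mode-compatibility-macro.patch
# Add check to see if fips flag is enabled in kernel
#Patch9:	0009-Add-Kernel-FIPS-mode-flag-support.patch
# remove unsupported EC curves
Patch11:	0011-Remove-EC-curves.patch
# Instructions to load legacy provider in openssl.cnf
Patch24:	0024-load-legacy-prov.patch

#
# fix library names as 'variant' so to not interfere with main openssl
Patch100:	openssl-3.0.5+quic-change-soname.patch
Patch101:	openssl-3.0.5+quic-change-pkgconfig-pc.patch
Patch102:	openssl-3.0.5+quic-change-includedir-openssl.patch
Patch103:	openssl-3.0.5+quic-change-ossl-modules-dir.patch
Patch104:	openssl-3.0.5+quic-change-staticname.patch
Patch105:	openssl-3.0.5+quic-honor-shlib_variant.patch

Requires:	%{libname} = %{version}-%{release}
Requires:	rootcerts
BuildRequires:	multiarch-utils >= 1.0.3
BuildRequires:	chrpath
BuildRequires:	pkgconfig(zlib)
BuildRequires:	pkgconfig(libsctp)
# git is needed because the prep section applies the patches with "-S git"
BuildRequires:	git
%ifarch %{arm}
BuildRequires:	libatomic-devel
%endif
# (tv) for test suite:
BuildRequires:	bc

%description
The openssl certificate management tool and the shared libraries that
provide various encryption and decryption algorithms and protocols, including
DES, RC4, RSA and SSL.

%package -n %{libname}
Summary:	Secure Sockets Layer communications libs
Group:		System/Libraries
Requires:	crypto-policies
Provides:	%{libname} = %{version}-%{release}
Provides:	%{ssllibname} = %{version}-%{release}

%description -n %{libname}
The libraries files are needed for various cryptographic algorithms
and protocols, including DES, RC4, RSA and SSL.

%package -n %{develname}
Summary:	Secure Sockets Layer communications libs & headers & utils
Group:		Development/Other
Requires:	%{libname} = %{version}-%{release}
Provides:	%{name}-devel = %{version}-%{release}
Provides:	%{sslname}-devel = %{version}-%{release}
Provides:	%{ssldevelname} = %{version}-%{release}

%description -n %{develname}
The libraries and include files needed to compile apps with support
for various cryptographic algorithms and protocols, including DES, RC4, RSA
and SSL.

%package -n %{staticname}
Summary:	Secure Sockets Layer communications static libs
Group:		Development/Other
Requires:	%{develname} = %{version}-%{release}
Provides:	%{name}-static-devel = %{version}-%{release}
Provides:	%{sslname}-static-devel = %{version}-%{release}
Provides:	%{sslstaticname} = %{version}-%{release}

%description -n %{staticname}
The static libraries needed to compile apps with support for various
cryptographic algorithms and protocols, including DES, RC4, RSA and SSL.

%package perl
Summary:	Perl scripts provided with OpenSSL
Group:		System/Libraries
Requires:	%{name} = %{version}-%{release}
Conflicts:	%name <= 1.0.2h-1.mga6

%description perl
OpenSSL is a toolkit for supporting cryptography. The openssl-perl
package provides Perl scripts for converting certificates and keys
from other formats to the formats used by the OpenSSL toolkit.

%prep
%autosetup -S git -n openssl-openssl-%{version}-quic1

# Drop in the packaged EC sources (Source12/Source13) over the upstream files.
cp %{SOURCE12} crypto/ec/
cp %{SOURCE13} test/

%build
%serverbuild
# Figure out which flags we want to use.
# default
sslarch=%{_os}-%{_target_cpu}
%ifarch %ix86
sslarch=linux-elf
# The pattern is quoted so the shell cannot glob-expand it against files in
# the build directory before grep sees it.
if ! echo %{_target} | grep -q 'i[56]86' ; then
	sslflags="no-asm 386"
fi
%endif
%ifarch x86_64
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch %{arm}
sslarch=linux-armv4
%endif

# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
# marked as not requiring an executable stack.
# Also add -DPURIFY to make using valgrind with openssl easier as we do not
# want to depend on the uninitialized memory as a source of entropy anyway.
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS"

export HASHBANGPERL=/usr/bin/perl

# ia64, x86_64, ppc, ppc64 are OK by default
# Configure the build tree.  Override OpenSSL defaults with known-good defaults
# usable on all platforms.  The Configure script already knows to use -fPIC and
# RPM_OPT_FLAGS, so we can skip specifying them here.
#
# sslflags, sslarch and RPM_OPT_FLAGS are left unquoted on purpose: each holds
# several space-separated Configure arguments that must be word-split.
#
# NOTE(review): enable-md2 and enable-rc5 compile in legacy algorithms that are
# off in a default OpenSSL build. Confirm they are still needed by consumers of
# this package; presumably they end up reachable only through the legacy
# provider (see Patch24), but verify that against the built modules.
./Configure \
	--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
	--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
	zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
	enable-cms enable-md2 enable-rc5 enable-ktls enable-fips \
	no-mdc2 no-ec2m no-sm2 no-sm4 \
	shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'

%make_build all

# Clean up the .pc files: strip the -L and -Wl entries from Libs.private so
# build-time linker paths and flags are not exported to dependent builds.
for i in libcrypto-quic.pc libssl-quic.pc openssl-quic.pc ; do
	sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' "$i"
done

%check
# Try to enable the SCTP features the test suite needs; if that fails, patch
# configdata.pm so the SCTP tests are disabled instead.
# NOTE(review): when the build runs with enough privilege, the two sysctl calls
# change kernel settings on the build host and are not reverted afterwards.
# Unprivileged builders take the fallback branch.
(sysctl net.sctp.addip_enable=1 && sysctl net.sctp.auth_enable=1) || \
(echo 'Failed to enable SCTP AUTH chunks, disabling SCTP for tests...' &&
 sed '/"msan" => "default",/a\ \ "sctp" => "default",' configdata.pm > configdata.pm.new && \
 touch -r configdata.pm configdata.pm.new && \
 mv -f configdata.pm.new configdata.pm)

# We must revert Patch4 (the CA directory tree path override) before the tests,
# otherwise they will fail.
patch -p1 -R < %{PATCH4}

# Test-only environment. Presumably OPENSSL_ENABLE_MD5_VERIFY is read by the
# code from Patch6 and OPENSSL_SYSTEM_CIPHERS_OVERRIDE by the code from Patch7,
# so the suite does not depend on the build host's crypto policy -- confirm
# against those patches. Neither variable is written into the installed files.
export OPENSSL_ENABLE_MD5_VERIFY=
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
make test

%install
%make_install

# make the rootcerts dir
install -d %{buildroot}%{_sysconfdir}/pki/tls/rootcerts

# Install a makefile for generating keys and self-signed certs, and a script
# for generating them on the fly.
mkdir -p %{buildroot}%{_sysconfdir}/pki/tls/certs
install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pki/tls/certs/Makefile
install -m 755 %{SOURCE6} %{buildroot}%{_bindir}/make-dummy-cert
install -m 755 %{SOURCE7} %{buildroot}%{_bindir}/renew-dummy-cert

# Move runnable perl scripts to bindir
mv %{buildroot}%{_sysconfdir}/pki/tls/misc/*.pl %{buildroot}%{_bindir}
mv %{buildroot}%{_sysconfdir}/pki/tls/misc/tsget %{buildroot}%{_bindir}

# Rename man pages so that they don't conflict with other system man pages.
pushd %{buildroot}%{_mandir}
mv man5/config.5ossl man5/openssl.cnf.5
popd

# Directory skeleton for a local CA (owned by the perl subpackage below).
# NOTE(review): CA/private is created with install's default directory mode;
# confirm that mode is acceptable for a directory meant to hold CA keys.
install -d %{buildroot}%{_sysconfdir}/pki/CA
install -d %{buildroot}%{_sysconfdir}/pki/CA/private
install -d %{buildroot}%{_sysconfdir}/pki/CA/certs
install -d %{buildroot}%{_sysconfdir}/pki/CA/crl
install -d %{buildroot}%{_sysconfdir}/pki/CA/newcerts

rm -f %{buildroot}%{_sysconfdir}/pki/tls/openssl.cnf.dist
rm -f %{buildroot}%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
# fipsmodule.cnf is not shipped on i686 (matches the ifnarch in the file list)
%ifarch i686
rm -f %{buildroot}%{_sysconfdir}/pki/tls/fipsmodule.cnf
%endif

%multiarch_includes %{buildroot}%{_includedir}/openssl-quic/openssl/opensslconf.h

# nuke rpath, so the installed binary carries no embedded library search path
chrpath -d %{buildroot}%{_bindir}/openssl

# Fix libdir.
for i in %{buildroot}%{_libdir}/pkgconfig/*.pc; do
	sed -i 's,^libdir=${exec_prefix}/lib$,libdir=${exec_prefix}/%{_lib},g' "$i"
done

# adjust ssldir
perl -pi -e "s|^\\\$CATOP\=\".*|\\\$CATOP\=\"%{_sysconfdir}/pki/tls\";|g" %{buildroot}%{_bindir}/CA.pl
perl -pi -e "s|\./demoCA|%{_sysconfdir}/pki/tls|g" %{buildroot}%{_sysconfdir}/pki/tls/openssl.cnf

%files
%doc LICENSE.txt NEWS.md README.md
%dir %{_sysconfdir}/pki
%dir %{_sysconfdir}/pki/tls
%dir %{_sysconfdir}/pki/tls/certs
%dir %{_sysconfdir}/pki/tls/misc
%dir %{_sysconfdir}/pki/tls/private
%dir %{_sysconfdir}/pki/tls/rootcerts
%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
%config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf
%ifnarch i686
%config(noreplace) %{_sysconfdir}/pki/tls/fipsmodule.cnf
%endif
%{_sysconfdir}/pki/tls/certs/Makefile
%{_bindir}/make-dummy-cert
%{_bindir}/renew-dummy-cert
%{_bindir}/openssl
%{_mandir}/man[157]/*
%exclude %{_mandir}/man1*/*rehash*
%exclude %{_mandir}/man1*/*.pl*
%exclude %{_mandir}/man1*/*tsget*

%files -n %{libname}
%doc LICENSE.txt
%{_libdir}/lib*.so.%{maj}
%{_libdir}/engines-quic-%{maj}
%{_libdir}/ossl-quic-modules

%files -n %{develname}
%doc CHANGES.md doc/dir-locals.example.el doc/openssl-c-indent.el
%dir %{_includedir}/openssl-quic/openssl
%multiarch %{multiarch_includedir}/openssl-quic/openssl/opensslconf.h
%{_includedir}/openssl-quic/openssl
%{_libdir}/lib*.so
%{_mandir}/man3/*
%{_libdir}/pkgconfig/*.pc

%files -n %{staticname}
%{_libdir}/lib*.a

%files perl
%{_bindir}/c_rehash
%{_bindir}/*.pl
%{_bindir}/tsget
%{_mandir}/man1*/*rehash*
%{_mandir}/man1*/*.pl*
%{_mandir}/man1*/*tsget*
%dir %{_sysconfdir}/pki/CA
%dir %{_sysconfdir}/pki/CA/private
%dir %{_sysconfdir}/pki/CA/certs
%dir %{_sysconfdir}/pki/CA/crl
%dir %{_sysconfdir}/pki/CA/newcerts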