Annotation of /rpms/openssl3/contribs10/openssl3.spec

Revision 1.2
Wed Jan 31 17:40:30 2024 UTC by jpp
Branch: MAIN
Changes since 1.1: +5 -2 lines
* Wed Jan 31 2023 Jean-Philippe Pialasse <jpp@koozali.org> 3.0.7-5.1
- build for SME10

# For the curious:
# 0.9.8jk + EAP-FAST soversion = 8
# 1.0.0 soversion = 10
# 1.1.0 soversion = 1.1 (same as upstream although presence of some symbols
#                        depends on build configuration options)
# 3.0.0 soversion = 3 (same as upstream)
%define soversion 3

# Arches on which we need to prevent arch conflicts on opensslconf.h, must
# also be handled in opensslconf-new.h.
%define multilib_arches %{ix86} ia64 %{mips} ppc ppc64 s390 s390x sparcv9 sparc64 x86_64

%define srpmhash() %{lua:
local files = rpm.expand("%_specdir/openssl3.spec")
for i, p in ipairs(patches) do
   files = files.." "..p
end
for i, p in ipairs(sources) do
   files = files.." "..p
end
local sha256sum = assert(io.popen("cat "..files.." 2>/dev/null | sha256sum"))
local hash = sha256sum:read("*a")
sha256sum:close()
print(string.sub(hash, 0, 16))
}

%global _performance_build 1

Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl3
Version: 3.0.7
Release: 5%{?dist}.1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
# The original openssl upstream tarball cannot be shipped in the .src.rpm.
Source: openssl-%{version}-hobbled.tar.gz
Source1: hobble-openssl
Source2: Makefile.certificate
Source3: genpatches
Source6: make-dummy-cert
Source7: renew-dummy-cert
Source9: configuration-switch.h
Source10: configuration-prefix.h
Source12: ec_curve.c
Source13: ectest.c
Source14: 0025-for-tests.patch

# Patches exported from source git
# Aarch64 and ppc64le use lib64
Patch1: 0001-Aarch64-and-ppc64le-use-lib64.patch
# Use more general default values in openssl.cnf
Patch2: 0002-Use-more-general-default-values-in-openssl.cnf.patch
# Do not install html docs
Patch3: 0003-Do-not-install-html-docs.patch
# Override default paths for the CA directory tree
Patch4: 0004-Override-default-paths-for-the-CA-directory-tree.patch
# apps/ca: fix md option help text
Patch5: 0005-apps-ca-fix-md-option-help-text.patch
# Disable signature verification with totally unsafe hash algorithms
Patch6: 0006-Disable-signature-verification-with-totally-unsafe-h.patch
# Add support for PROFILE=SYSTEM system default cipherlist
Patch7: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
# Add FIPS_mode() compatibility macro
Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch
# Add check to see if fips flag is enabled in kernel
Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
# remove unsupported EC curves
Patch11: 0011-Remove-EC-curves.patch
# Disable explicit EC curves
# https://bugzilla.redhat.com/show_bug.cgi?id=2066412
Patch12: 0012-Disable-explicit-ec.patch
# Instructions to load legacy provider in openssl.cnf
Patch24: 0024-load-legacy-prov.patch
# Tmp: test name change
Patch31: 0031-tmp-Fix-test-names.patch
# We load FIPS provider and set FIPS properties implicitly
Patch32: 0032-Force-fips.patch
# Embed HMAC into the fips.so
Patch33: 0033-FIPS-embed-hmac.patch
# Comment out fipsinstall command-line utility
Patch34: 0034.fipsinstall_disable.patch
# Skip unavailable algorithms running `openssl speed`
Patch35: 0035-speed-skip-unavailable-dgst.patch
# Extra public/private key checks required by FIPS-140-3
Patch44: 0044-FIPS-140-3-keychecks.patch
# Minimize fips services
Patch45: 0045-FIPS-services-minimize.patch
# Execute KATS before HMAC verification
Patch47: 0047-FIPS-early-KATS.patch
# Selectively disallow SHA1 signatures
Patch49: 0049-Selectively-disallow-SHA1-signatures.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2049265
Patch50: 0050-FIPS-enable-pkcs12-mac.patch
# Backport of patch for RHEL for Edge rhbz #2027261
Patch51: 0051-Support-different-R_BITS-lengths-for-KBKDF.patch
# Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
Patch52: 0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
# https://github.com/openssl/openssl/pull/18103
Patch56: 0056-strcasecmp.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2053289
Patch58: 0058-FIPS-limit-rsa-encrypt.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2069235
Patch60: 0060-FIPS-KAT-signature-tests.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2087147
Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch
Patch62: 0062-fips-Expose-a-FIPS-indicator.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2130708
# https://github.com/openssl/openssl/pull/18883
Patch67: 0067-ppc64le-Montgomery-multiply.patch
# https://github.com/openssl/openssl/commit/44a563dde1584cd9284e80b6e45ee5019be8d36c
# https://github.com/openssl/openssl/commit/345c99b6654b8313c792d54f829943068911ddbd
Patch71: 0071-AES-GCM-performance-optimization.patch
# https://github.com/openssl/openssl/commit/f596bbe4da779b56eea34d96168b557d78e1149
# https://github.com/openssl/openssl/commit/7e1f3ffcc5bc15fb9a12b9e3bb202f544c6ed5aa
# hunks in crypto/ppccap.c from https://github.com/openssl/openssl/commit/f5485b97b6c9977c0d39c7669b9f97a879312447
Patch72: 0072-ChaCha20-performance-optimizations-for-ppc64le.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2102535
Patch73: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2102535
Patch74: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2102535
Patch75: 0075-FIPS-Use-FFDHE2048-in-self-test.patch
# Downstream only. Reseed DRBG using getrandom(GRND_RANDOM)
# https://bugzilla.redhat.com/show_bug.cgi?id=2102541
# not available on centos7
#Patch76: 0076-FIPS-140-3-DRBG.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2102542
Patch77: 0077-FIPS-140-3-zeroization.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2114772
Patch78: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch
#https://bugzilla.redhat.com/show_bug.cgi?id=2141748
Patch80: 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2142131
Patch81: 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2141695
Patch82: 0082-kbkdf-Add-explicit-FIPS-indicator-for-key-length.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2136250
Patch83: 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2137557
Patch84: 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
#https://bugzilla.redhat.com/show_bug.cgi?id=2142121
Patch85: 0085-FIPS-RSA-disable-shake.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2142087
Patch88: 0088-signature-Add-indicator-for-PSS-salt-length.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2142087
Patch89: 0089-PSS-salt-length-from-provider.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2142087
Patch90: 0090-signature-Clamp-PSS-salt-len-to-MD-len.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2144561
Patch91: 0091-FIPS-RSA-encapsulate.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2142517
Patch92: 0092-provider-improvements.patch

# OpenSSL 3.0.8 CVEs
Patch101: 0101-CVE-2022-4203-nc-match.patch
Patch102: 0102-CVE-2022-4304-RSA-time-oracle.patch
Patch103: 0103-CVE-2022-4450-pem-read-bio.patch
Patch104: 0104-CVE-2023-0215-UAF-bio.patch
Patch105: 0105-CVE-2023-0216-pkcs7-deref.patch
Patch106: 0106-CVE-2023-0217-dsa.patch
Patch107: 0107-CVE-2023-0286-X400.patch
Patch108: 0108-CVE-2023-0401-pkcs7-md.patch

License: ASL 2.0
URL: http://www.openssl.org/
BuildRequires: gcc-c++
BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp
BuildRequires: lksctp-tools-devel
BuildRequires: /usr/bin/rename
BuildRequires: /usr/bin/pod2man
BuildRequires: /usr/sbin/sysctl
BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt)
BuildRequires: perl(Module::Load::Conditional), perl(File::Temp)
BuildRequires: perl(Time::HiRes), perl(IPC::Cmd), perl(Pod::Html), perl(Digest::SHA)
BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy), perl(bigint)
BuildRequires: git-core
Requires: coreutils
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
#KOOZALI
#BuildRequires: dietlibc-devel
Source55: random.h

%description
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.

%package libs
Summary: A general purpose cryptography library with TLS implementation
Requires: ca-certificates >= 2008-5
Requires: crypto-policies >= 20180730

%description libs
OpenSSL is a toolkit for supporting cryptography. The openssl-libs
package contains the libraries that are used by various applications which
support cryptographic algorithms and protocols.

%package devel
Summary: Files for development of applications which will use OpenSSL
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires: pkgconfig

%description devel
OpenSSL is a toolkit for supporting cryptography. The openssl-devel
package contains include files needed to develop applications which
support various cryptographic algorithms and protocols.

%prep
%autosetup -S git -n openssl-%{version}

# The hobble_openssl is called here redundantly, just to be sure.
# The tarball has already the sources removed.
%{SOURCE1} > /dev/null

cp %{SOURCE12} crypto/ec/
cp %{SOURCE13} test/
mkdir include/sys
cp %{SOURCE55} include/sys

%build
# Figure out which flags we want to use.
# default
sslarch=%{_os}-%{_target_cpu}
%ifarch %ix86
sslarch=linux-elf
if ! echo %{_target} | grep -q i686 ; then
    sslflags="no-asm 386"
fi
%endif
%ifarch x86_64
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch sparcv9
sslarch=linux-sparcv9
sslflags=no-asm
%endif
%ifarch sparc64
sslarch=linux64-sparcv9
sslflags=no-asm
%endif
%ifarch alpha alphaev56 alphaev6 alphaev67
sslarch=linux-alpha-gcc
%endif
%ifarch s390 sh3eb sh4eb
sslarch="linux-generic32 -DB_ENDIAN"
%endif
%ifarch s390x
sslarch="linux64-s390x"
%endif
%ifarch %{arm}
sslarch=linux-armv4
%endif
%ifarch aarch64
sslarch=linux-aarch64
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch sh3 sh4
sslarch=linux-generic32
%endif
%ifarch ppc64 ppc64p7
sslarch=linux-ppc64
%endif
%ifarch ppc64le
sslarch="linux-ppc64le"
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch mips mipsel
sslarch="linux-mips32 -mips32r2"
%endif
%ifarch mips64 mips64el
sslarch="linux64-mips64 -mips64r2"
%endif
%ifarch mips64el
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch riscv64
sslarch=linux-generic64
%endif

# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
# marked as not requiring an executable stack.
# Also add -DPURIFY to make using valgrind with openssl easier as we do not
# want to depend on the uninitialized memory as a source of entropy anyway.
#RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS"
#KOOZALI
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -DPURIFY $RPM_LD_FLAGS"

export HASHBANGPERL=/usr/bin/perl

%define fips %{version}-%{srpmhash}
# ia64, x86_64, ppc are OK by default
# Configure the build tree. Override OpenSSL defaults with known-good defaults
# usable on all platforms. The Configure script already knows to use -fPIC and
# RPM_OPT_FLAGS, so we can skip specifying them here.
./Configure \
    --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
    --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
    zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
    enable-cms enable-md2 enable-rc5 enable-ktls enable-fips \
    no-mdc2 no-ec2m no-sm2 no-sm4 enable-buildtest-c++ \
    shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""'

# Do not run this in a production package; the FIPS symbols must be patched in
#util/mkdef.pl crypto update

make %{?_smp_mflags} all

# Clean up the .pc files
for i in libcrypto.pc libssl.pc openssl.pc ; do
    sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i
done

%check
# Verify that what was compiled actually works.

# Hack - either enable SCTP AUTH chunks in kernel or disable sctp for check
(sysctl net.sctp.addip_enable=1 && sysctl net.sctp.auth_enable=1) || \
(echo 'Failed to enable SCTP AUTH chunks, disabling SCTP for tests...' &&
 sed '/"msan" => "default",/a\ \ "sctp" => "default",' configdata.pm > configdata.pm.new && \
 touch -r configdata.pm configdata.pm.new && \
 mv -f configdata.pm.new configdata.pm)

# We must revert patch4 before tests otherwise they will fail
patch -p1 -R < %{PATCH4}
#We must disable default provider before tests otherwise they will fail
patch -p1 < %{SOURCE14}

OPENSSL_ENABLE_MD5_VERIFY=
export OPENSSL_ENABLE_MD5_VERIFY
OPENSSL_ENABLE_SHA1_SIGNATURES=
export OPENSSL_ENABLE_SHA1_SIGNATURES
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
#embed HMAC into fips provider for test run
LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac
objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac
mv providers/fips.so.mac providers/fips.so
#run tests itself
make test HARNESS_JOBS=8

# Add generation of HMAC checksum of the final stripped library
# We manually copy standard definition of __spec_install_post
# and add hmac calculation/embedding to fips.so
%define __spec_install_post \
    %{?__debug_package:%{__debug_install_post}} \
    %{__arch_install_post} \
    %{__os_install_post} \
    LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so > $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
    objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac \
    mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \
    rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
%{nil}

%define __provides_exclude_from %{_libdir}/openssl

%install
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
# Install OpenSSL.
install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl,%{_pkgdocdir}}
%make_install
rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}
for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do
    chmod 755 ${lib}
    ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`
    ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion}
done

# Remove static libraries
for lib in $RPM_BUILD_ROOT%{_libdir}/*.a ; do
    rm -f ${lib}
done

# Install a makefile for generating keys and self-signed certs, and a script
# for generating them on the fly.
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs
install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_pkgdocdir}/Makefile.certificate
install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/make-dummy-cert
install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_bindir}/renew-dummy-cert

# Move runnable perl scripts to bindir
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/*.pl $RPM_BUILD_ROOT%{_bindir}
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/tsget $RPM_BUILD_ROOT%{_bindir}

# Rename man pages so that they don't conflict with other system man pages.
pushd $RPM_BUILD_ROOT%{_mandir}
mv man5/config.5ossl man5/openssl.cnf.5
popd

mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA
mkdir -m700 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/private
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/certs
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/crl
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/newcerts

# Ensure the config file timestamps are identical across builds to avoid
# multilib conflicts and unnecessary renames on upgrade
touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf
touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf

rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
#we don't use native fipsmodule.cnf because FIPS module is loaded automatically
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/fipsmodule.cnf

# Determine which arch opensslconf.h is going to try to #include.
basearch=%{_arch}
%ifarch %{ix86}
basearch=i386
%endif
%ifarch sparcv9
basearch=sparc
%endif
%ifarch sparc64
basearch=sparc64
%endif

# Next step of gradual disablement of SSL3.
# Make SSL3 disappear to newly built dependencies.
sed -i '/^\#ifndef OPENSSL_NO_SSL_TRACE/i\
#ifndef OPENSSL_NO_SSL3\
# define OPENSSL_NO_SSL3\
#endif' $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h

%ifarch %{multilib_arches}
# Do a configuration.h switcheroo to avoid file conflicts on systems where you
# can have both a 32- and 64-bit version of the library, and they each need
# their own correct-but-different versions of opensslconf.h to be usable.
install -m644 %{SOURCE10} \
    $RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration-${basearch}.h
cat $RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration.h >> \
    $RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration-${basearch}.h
install -m644 %{SOURCE9} \
    $RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration.h
%endif

# Transformation for openssl3
# see openssl11.spec
mkdir -p $RPM_BUILD_ROOT{%{_libdir},%{_includedir}}/%{name}/
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf
rm -f $RPM_BUILD_ROOT%{_libdir}/*.so
mv -f $RPM_BUILD_ROOT%{_includedir}/{openssl,%{name}/openssl}/
mv -f $RPM_BUILD_ROOT%{_bindir}/{openssl,%{name}}

for pc in libcrypto libssl openssl; do
    sed -e 's@\(Libs: -L${libdir}\)@\1 -L${libdir}/%{name}@' \
        -e 's@\(Cflags: -I${includedir}\)@\1 -I${includedir}/%{name}@' \
        -e 's@\(Requires.*:.*\)\(libssl\)@\1\23@g' \
        -e 's@\(Requires.*:.*\)\(libcrypto\)@\1\23@g' \
        $RPM_BUILD_ROOT%{_libdir}/pkgconfig/${pc}.pc > $RPM_BUILD_ROOT%{_libdir}/pkgconfig/${pc}3.pc
    touch -c -r $RPM_BUILD_ROOT%{_libdir}/pkgconfig/${pc}.pc $RPM_BUILD_ROOT%{_libdir}/pkgconfig/${pc}3.pc
    rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/${pc}.pc
done

ln -s ../libcrypto.so.%{version} $RPM_BUILD_ROOT%{_libdir}/%{name}/libcrypto.so
ln -s ../libssl.so.%{version} $RPM_BUILD_ROOT%{_libdir}/%{name}/libssl.so

pushd $RPM_BUILD_ROOT%{_mandir}
for manpage in man*/* ; do
    [ "${manpage}" = "man1/%{name}.1" ] && continue
    if [ -L ${manpage} ]; then
        TARGET=`ls -l ${manpage} | awk '{ print $NF }'`
        ln -snf ${TARGET}11 ${manpage}
        rm -f ${manpage}
    else
        mv -f ${manpage} ${manpage}3
    fi
done
popd

# No openssl3-perl, because it wouldn't be really different or newer
rm -rf $RPM_BUILD_ROOT{%{_sysconfdir}/pki/CA/,{%{_bindir},%{_mandir}/man1}/{CA.pl,c_rehash,*tsget}*}

# Remove dummy cert tools
rm -f $RPM_BUILD_ROOT%{_bindir}/{make,renew}-dummy-cert

%files
%{!?_licensedir:%global license %%doc}
%license LICENSE.txt
%doc NEWS.md README.md
%{_bindir}/%{name}
%{_mandir}/man1/*
%{_mandir}/man5/*
%{_mandir}/man7/*
%{_pkgdocdir}/Makefile.certificate

%files libs
%{!?_licensedir:%global license %%doc}
%license LICENSE.txt
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version}
%{_libdir}/libcrypto.so.%{soversion}
%attr(0755,root,root) %{_libdir}/libssl.so.%{version}
%{_libdir}/libssl.so.%{soversion}
%attr(0755,root,root) %{_libdir}/engines-%{soversion}
%attr(0755,root,root) %{_libdir}/ossl-modules

%files devel
%doc CHANGES.md doc/dir-locals.example.el doc/openssl-c-indent.el
%{_prefix}/include/%{name}
%{_libdir}/%{name}/*.so
%{_mandir}/man3/*
%{_libdir}/pkgconfig/*.pc

%ldconfig_scriptlets libs

%changelog
* Wed Jan 31 2023 Jean-Philippe Pialasse <jpp@koozali.org> 3.0.7-5.1
- build for SME10

* Thu Feb 09 2023 Michel Alexandre Salim <salimma@fedoraproject.org> 3.0.7-5.1
- Merge c9s openssl changes to pick up CVE fixes
- Back out f2a49ef424f831aac988356fc8b2b910e443dc42 as that caused test failures

* Wed Feb 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-5
- Fixed X.509 Name Constraints Read Buffer Overflow
  Resolves: CVE-2022-4203
- Fixed Timing Oracle in RSA Decryption
  Resolves: CVE-2022-4304
- Fixed Double free after calling PEM_read_bio_ex
  Resolves: CVE-2022-4450
- Fixed Use-after-free following BIO_new_NDEF
  Resolves: CVE-2023-0215
- Fixed Invalid pointer dereference in d2i_PKCS7 functions
  Resolves: CVE-2023-0216
- Fixed NULL dereference validating DSA public key
  Resolves: CVE-2023-0217
- Fixed X.400 address type confusion in X.509 GeneralName
  Resolves: CVE-2023-0286
- Fixed NULL dereference during PKCS7 data verification
  Resolves: CVE-2023-0401

* Wed Jan 11 2023 Clemens Lang <cllang@redhat.com> - 1:3.0.7-4
- Disallow SHAKE in RSA-OAEP decryption in FIPS mode
  Resolves: rhbz#2142121

* Thu Jan 05 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-3
- Refactor OpenSSL fips module MAC verification
  Resolves: rhbz#2157965

* Thu Nov 24 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-2
- Various provider-related improvements necessary for PKCS#11 provider correct operations
  Resolves: rhbz#2142517
- We should export 2 versions of OPENSSL_str[n]casecmp to be compatible with upstream
  Resolves: rhbz#2133809
- Removed recommended package for openssl-libs
  Resolves: rhbz#2093804
- Adjusting include for the FIPS_mode macro
  Resolves: rhbz#2083879
- Backport of ppc64le Montgomery multiply enhancement
  Resolves: rhbz#2130708
- Fix explicit indicator for PSS salt length in FIPS mode when used with
  negative magic values
  Resolves: rhbz#2142087
- Update change to default PSS salt length with patch state from upstream
  Related: rhbz#2142087

* Tue Nov 22 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-1
- Rebasing to OpenSSL 3.0.7
  Resolves: rhbz#2129063

* Mon Nov 14 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-44
- SHAKE-128/256 are not allowed with RSA in FIPS mode
  Resolves: rhbz#2144010
- Avoid memory leaks in TLS
  Resolves: rhbz#2144008
- FIPS RSA CRT tests must use correct parameters
  Resolves: rhbz#2144006
- FIPS-140-3 permits only SHA1, SHA256, and SHA512 for DRBG-HASH/DRBG-HMAC
  Resolves: rhbz#2144017
- Remove support for X9.31 signature padding in FIPS mode
  Resolves: rhbz#2144015
- Add explicit indicator for SP 800-108 KDFs with short key lengths
  Resolves: rhbz#2144019
- Add explicit indicator for HMAC with short key lengths
  Resolves: rhbz#2144000
- Set minimum password length for PBKDF2 in FIPS mode
  Resolves: rhbz#2144003
- Add explicit indicator for PSS salt length in FIPS mode
  Resolves: rhbz#2144012
- Clamp default PSS salt length to digest size for FIPS 186-4 compliance
  Related: rhbz#2144012
- Forbid short RSA keys for key encapsulation/decapsulation in FIPS mode
  Resolves: rhbz#2145170

* Tue Nov 01 2022 Michel Alexandre Salim <salimma@fedoraproject.org> 3.0.1-43.1
- Merge c9s openssl changes to pick up CVE fixes

* Tue Nov 01 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-43
- CVE-2022-3602: X.509 Email Address Buffer Overflow
- CVE-2022-3786: X.509 Email Address Buffer Overflow
  Resolves: CVE-2022-3602

* Wed Oct 26 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-42
- CVE-2022-3602: X.509 Email Address Buffer Overflow
  Resolves: CVE-2022-3602 (rhbz#2137723)

* Tue Sep 27 2022 Michel Alexandre Salim <salimma@fedoraproject.org> 3.0.1-41.1
- Merge c9s openssl changes to pick up CVE fixes

* Thu Aug 11 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-41
- Zeroize public keys as required by FIPS 140-3
  Related: rhbz#2102542
- Add FIPS indicator for HKDF
  Related: rhbz#2114772

* Fri Aug 05 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-40
- Deal with DH keys in FIPS mode according FIPS-140-3 requirements
  Related: rhbz#2102536
- Deal with ECDH keys in FIPS mode according FIPS-140-3 requirements
  Related: rhbz#2102537
- Use signature for RSA pairwise test according FIPS-140-3 requirements
  Related: rhbz#2102540
- Reseed all the parent DRBGs in chain on reseeding a DRBG
  Related: rhbz#2102541

* Mon Aug 01 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-39
- Use RSA-OAEP in FIPS RSA encryption/decryption FIPS self-test
- Use digest_sign & digest_verify in FIPS signature self test
- Use FFDHE2048 in Diffie-Hellman FIPS self-test
  Resolves: rhbz#2102535

* Thu Jul 14 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-38
- Fix segfault in EVP_PKEY_Q_keygen() when OpenSSL was not previously
  initialized.
  Resolves: rhbz#2103289
- Improve AES-GCM performance on Power9 and Power10 ppc64le
  Resolves: rhbz#2051312
- Improve ChaCha20 performance on Power10 ppc64le
  Resolves: rhbz#2051312

* Tue Jul 05 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-37
- CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86
  Resolves: CVE-2022-2097

* Thu Jun 16 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-36
- Ciphersuites with RSAPSK KX should be filtered in FIPS mode
638     - Related: rhbz#2085088
639     - FIPS provider should block RSA encryption for key transport.
640     - Other RSA encryption options should still be available if key length is enough
641     - Related: rhbz#2053289
642     - Improve diagnostics when passing unsupported groups in TLS
643     - Related: rhbz#2070197
644     - Fix PPC64 Montgomery multiplication bug
645     - Related: rhbz#2098199
646     - Strict certificates validation shouldn't allow explicit EC parameters
647     - Related: rhbz#2058663
648     - CVE-2022-2068: the c_rehash script allows command injection
649     - Related: rhbz#2098277
650    
651     * Wed Jun 08 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-35
652     - Add explicit indicators for signatures in FIPS mode and mark signature
653     primitives as unapproved.
654     Resolves: rhbz#2087147
655    
656     * Fri Jun 03 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-34
657     - Some OpenSSL test certificates are expired, updating
658     - Resolves: rhbz#2092456
659    
660     * Thu May 26 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-33
661     - CVE-2022-1473 openssl: OPENSSL_LH_flush() breaks reuse of memory
662     - Resolves: rhbz#2089444
663     - CVE-2022-1343 openssl: Signer certificate verification returned
664     inaccurate response when using OCSP_NOCHECKS
665     - Resolves: rhbz#2087911
666     - CVE-2022-1292 openssl: c_rehash script allows command injection
667     - Resolves: rhbz#2090362
668     - Revert "Disable EVP_PKEY_sign/EVP_PKEY_verify in FIPS mode"
669     Related: rhbz#2087147
670     - Use KAT for ECDSA signature tests, s390 arch
671     - Resolves: rhbz#2069235
672    
673     * Thu May 19 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-32
674     - `openssl ecparam -list_curves` lists only FIPS-approved curves in FIPS mode
675     - Resolves: rhbz#2083240
676     - Ciphersuites with RSA KX should be filtered in FIPS mode
677     - Related: rhbz#2085088
678     - In FIPS mode, signature verification works with keys of arbitrary size
679     above 2048 bit, and only with 1024, 1280, 1536, 1792 bits for keys
680     below 2048 bits
681     - Resolves: rhbz#2077884
682    
683     * Wed May 18 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-31
684     - Disable SHA-1 signature verification in FIPS mode
685     - Disable EVP_PKEY_sign/EVP_PKEY_verify in FIPS mode
686     Resolves: rhbz#2087147
687    
688     * Mon May 16 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-30
689     - Use KAT for ECDSA signature tests
690     - Resolves: rhbz#2069235
691    
692     * Thu May 12 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-29
693     - `-config` argument of openssl app should work properly in FIPS mode
694     - Resolves: rhbz#2083274
695     - openssl req defaults on PKCS#8 encryption changed to AES-256-CBC
696     - Resolves: rhbz#2063947
697    
698     * Fri May 06 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-28
699     - OpenSSL should not accept custom elliptic curve parameters
700     - Resolves rhbz#2066412
701     - OpenSSL should not accept explicit curve parameters in FIPS mode
702     - Resolves rhbz#2058663
703    
704     * Fri May 06 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-27
705     - Change FIPS module version to include hash of specfile, patches and sources
706     Resolves: rhbz#2070550
707    
708     * Thu May 05 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-26
709     - OpenSSL FIPS module should not build in non-approved algorithms
710     - Resolves: rhbz#2081378
711    
712     * Mon May 02 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-25
713     - FIPS provider should block RSA encryption for key transport.
714     - Other RSA encryption options should still be available
715     - Resolves: rhbz#2053289
716    
717     * Thu Apr 28 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-24
718     - Fix regression in evp_pkey_name2type caused by tr_TR locale fix
719     Resolves: rhbz#2071631
720    
721     * Wed Apr 20 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-23
722     - Fix openssl curl error with LANG=tr_TR.utf8
723     - Resolves: rhbz#2071631
724    
725     * Mon Mar 28 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-22
726     - FIPS provider should block RSA encryption for key transport
727     - Resolves: rhbz#2053289
728    
729     * Tue Mar 22 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-21
730     - Fix occasional internal error in TLS when DHE is used
731     - Resolves: rhbz#2004915
732    
733     * Fri Mar 18 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-20
734     - Fix acceptance of SHA-1 certificates with rh-allow-sha1-signatures = yes when
735     no OpenSSL library context is set
736     - Resolves: rhbz#2065400
737    
738     * Fri Mar 18 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-19
739     - Fix TLS connections with SHA1 signatures if rh-allow-sha1-signatures = yes
740     - Resolves: rhbz#2065400
741    
742     * Wed Mar 16 2022 Michel Alexandre Salim <salimma@fedoraproject.org> 3.0.1-18.1
743     - Merge c9s openssl changes to pick up CVE-2022-0778 fix
744    
745     * Wed Mar 16 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-18
746     - CVE-2022-0778 fix
747     - Resolves: rhbz#2062315
748    
749     * Thu Mar 10 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-17
750     - Fix invocation of EVP_PKEY_CTX_set_rsa_padding(RSA_PKCS1_PSS_PADDING) before
751     setting an allowed digest with EVP_PKEY_CTX_set_signature_md()
752     - Skipping 3.0.1-16 due to version numbering confusion with the RHEL-9.0 branch
753     - Resolves: rhbz#2062640
754    
755     * Tue Mar 01 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-15
756     - Allow SHA1 in SECLEVEL 2 if rh-allow-sha1-signatures = yes
757     - Resolves: rhbz#2060510
758    
759     * Fri Feb 25 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-14
760     - Prevent use of SHA1 with ECDSA
761     - Resolves: rhbz#2031742
762    
763     * Fri Feb 25 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-13
764     - OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters
765     - Resolves: rhbz#1977867
766    
767     * Thu Feb 24 2022 Peter Robinson <pbrobinson@fedoraproject.org> - 1:3.0.1-12
768     - Support KBKDF (NIST SP800-108) with an R value of 8bits
769     - Resolves: rhbz#2027261
770    
771     * Wed Feb 23 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-11
772     - Allow SHA1 usage in MGF1 for RSASSA-PSS signatures
773     - Resolves: rhbz#2031742
774    
775     * Wed Feb 23 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-10
776     - rebuilt
777    
778     * Tue Feb 22 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-9
779     - Allow SHA1 usage in HMAC in TLS
780     - Resolves: rhbz#2031742
781    
782     * Tue Feb 22 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-8
783     - OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters
784     - Resolves: rhbz#1977867
785     - pkcs12 export broken in FIPS mode
786     - Resolves: rhbz#2049265
787    
788     * Tue Feb 22 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-8
789     - Disable SHA1 signature creation and verification by default
790     - Set rh-allow-sha1-signatures = yes to re-enable
791     - Resolves: rhbz#2031742
792    
793     * Thu Feb 03 2022 Sahana Prasad <sahana@redhat.com> - 1:3.0.1-7
794     - s_server: correctly handle 2^14 byte long records
795     - Resolves: rhbz#2042011
796    
797     * Tue Feb 01 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-6
798     - Adjust FIPS provider version
799     - Related: rhbz#2026445
800    
801     * Wed Jan 26 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-5
802     - On the s390x, zeroize all the copies of TLS premaster secret
803     - Related: rhbz#2040448
804    
805     * Fri Jan 21 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-4
806     - rebuilt
807    
808     * Fri Jan 21 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-3
809     - KATS tests should be executed before HMAC verification
810     - Restoring fips=yes for SHA1
811     - Related: rhbz#2026445, rhbz#2041994
812    
813     * Thu Jan 20 2022 Sahana Prasad <sahana@redhat.com> - 1:3.0.1-2
814     - Add enable-buildtest-c++ to the configure options.
815     - Related: rhbz#1990814
816    
817     * Tue Jan 18 2022 Sahana Prasad <sahana@redhat.com> - 1:3.0.1-1
818     - Rebase to upstream version 3.0.1
819     - Fixes CVE-2021-4044 Invalid handling of X509_verify_cert() internal errors in libssl
820     - Resolves: rhbz#2038910, rhbz#2035148
821    
822     * Mon Jan 17 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-7
823     - Remove algorithms we don't plan to certify from fips module
824     - Remove native fipsmodule.cnf
825     - Related: rhbz#2026445
826    
827     * Tue Dec 21 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-6
828     - openssl speed should run in FIPS mode
829     - Related: rhbz#1977318
830    
831     * Wed Nov 24 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-5
832     - rebuilt for spec cleanup
833     - Related: rhbz#1985362
834    
835     * Thu Nov 18 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-4
836     - Embed FIPS HMAC in fips.so
837     - Enforce loading FIPS provider when FIPS kernel flag is on
838     - Related: rhbz#1985362
839    
840     * Wed Nov 17 2021 Michel Alexandre Salim <salimma@fedoraproject.org> - 3.0.0-3.1
841     - Fork c9s' openssl to openssl3 for epel8 (and possibly Fedora <= 35)
842    
843     * Thu Oct 07 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-3
844     - Fix memory leak in s_client
845     - Related: rhbz#1996092
846    
847     * Mon Sep 20 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-2
848     - Avoid double-free on error seeding the RNG.
849     - KTLS and FIPS may interfere, so tests need to be tuned
850     - Resolves: rhbz#1952844, rhbz#1961643
851    
852     * Thu Sep 09 2021 Sahana Prasad <sahana@redhat.com> - 1:3.0.0-1
853     - Rebase to upstream version 3.0.0
854     - Related: rhbz#1990814
855    
856     * Wed Aug 25 2021 Sahana Prasad <sahana@redhat.com> - 1:3.0.0-0.beta2.7
857     - Removes the dual-abi build as it is not required anymore. The mass rebuild
858     was completed and all packages are rebuilt against Beta version.
859     - Resolves: rhbz#1984097
860    
861     * Mon Aug 23 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-0.beta2.6
862     - Correctly process CMS reading from /dev/stdin
863     - Resolves: rhbz#1986315
864    
865     * Mon Aug 16 2021 Sahana Prasad <sahana@redhat.com> - 3.0.0-0.beta2.5
866     - Add instruction for loading legacy provider in openssl.cnf
867     - Resolves: rhbz#1975836
868    
869     * Mon Aug 16 2021 Sahana Prasad <sahana@redhat.com> - 3.0.0-0.beta2.4
870     - Adds support for IDEA encryption.
871     - Resolves: rhbz#1990602
872    
873     * Tue Aug 10 2021 Sahana Prasad <sahana@redhat.com> - 3.0.0-0.beta2.3
874     - Fixes core dump in openssl req -modulus
875     - Fixes 'openssl req' to not ask for password when non-encrypted private key
876     is used
877     - cms: Do not try to check binary format on stdin and -rctform fix
878     - Resolves: rhbz#1988137, rhbz#1988468, rhbz#1988137
879    
880     * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:3.0.0-0.beta2.2.1
881     - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
882     Related: rhbz#1991688
883    
884     * Wed Aug 04 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 3.0.0-0.beta2.2
885     - When signature_algorithm extension is omitted, use more relevant alerts
886     - Resolves: rhbz#1965017
887    
888     * Tue Aug 03 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta2.1
889     - Rebase to upstream version beta2
890     - Related: rhbz#1903209
891    
892     * Thu Jul 22 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.5
893     - Prevents creation of duplicate cert entries in PKCS #12 files
894     - Resolves: rhbz#1978670
895    
896     * Wed Jul 21 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.4
897     - NVR bump to update to OpenSSL 3.0 Beta1
898    
899     * Mon Jul 19 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.3
900     - Update patch dual-abi.patch to add the #define macros in implementation
901     files instead of public header files
902    
903     * Wed Jul 14 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.2
904     - Removes unused patch dual-abi.patch
905    
906     * Wed Jul 14 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.1
907     - Update to Beta1 version
908     - Includes a patch to support dual-ABI, as Beta1 breaks ABI with alpha16
909    
910     * Tue Jul 06 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.7
911     - Fixes override of openssl_conf in openssl.cnf
912     - Use AI_ADDRCONFIG only when explicit host name is given
913     - Temporarily remove fipsmodule.cnf for arch i686
914     - Fixes segmentation fault in BN_lebin2bn
915     - Resolves: rhbz#1975847, rhbz#1976845, rhbz#1973477, rhbz#1975855
916    
917     * Fri Jul 02 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.6
918     - Adds FIPS mode compatibility patch (sahana@redhat.com)
919     - Related: rhbz#1977318
920    
921     * Fri Jul 02 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.5
922     - Fixes system hang issue when booted in FIPS mode (sahana@redhat.com)
923     - Temporarily disable downstream FIPS patches
924     - Related: rhbz#1977318
925    
926     * Fri Jun 11 2021 Mohan Boddu <mboddu@redhat.com> 3.0.0-0.alpha16.4
927     - Speeding up building openssl (dbelyavs@redhat.com)
928     Resolves: rhbz#1903209
929    
930     * Fri Jun 04 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.3
931     - Fix reading SPKAC data from stdin
932     - Fix incorrect OSSL_PKEY_PARAM_MAX_SIZE for ed25519 and ed448
933     - Return 0 after cleanup in OPENSSL_init_crypto()
934     - Cleanup the peer point formats on renegotiation
935     - Fix default digest to SHA256
936    
937     * Thu May 27 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.2
938     - Enable FIPS via config options
939    
940     * Mon May 17 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.1
941     - Update to alpha 16 version
942     Resolves: rhbz#1952901 openssl sends alert after orderly connection close
943    
944     * Mon Apr 26 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha15.1
945     - Update to alpha 15 version
946     Resolves: rhbz#1903209, rhbz#1952598,
947    
948     * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:3.0.0-0.alpha13.1.1
949     - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
950    
951     * Fri Apr 09 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha13.1
952     - Update to new major release OpenSSL 3.0.0 alpha 13
953     Resolves: rhbz#1903209
