Diffstat (limited to 'compat-openssl11.spec')
-rw-r--r-- | compat-openssl11.spec | 318 |
1 files changed, 318 insertions, 0 deletions
diff --git a/compat-openssl11.spec b/compat-openssl11.spec
new file mode 100644
index 0000000..872ecec
--- /dev/null
+++ b/compat-openssl11.spec
@@ -0,0 +1,318 @@
+# For the curious:
+# 0.9.5a soversion = 0
+# 0.9.6 soversion = 1
+# 0.9.6a soversion = 2
+# 0.9.6c soversion = 3
+# 0.9.7a soversion = 4
+# 0.9.7ef soversion = 5
+# 0.9.8ab soversion = 6
+# 0.9.8g soversion = 7
+# 0.9.8jk + EAP-FAST soversion = 8
+# 1.0.0 soversion = 10
+# 1.1.0 soversion = 1.1 (same as upstream although presence of some symbols
+# depends on build configuration options)
+%define soversion 1.1
+
+# Arches on which we need to prevent arch conflicts on opensslconf.h, must
+# also be handled in opensslconf-new.h.
+%define multilib_arches %{ix86} ia64 %{mips} ppc ppc64 s390 s390x sparcv9 sparc64 x86_64
+
+%global _performance_build 1
+
+Summary: Utilities from the general purpose cryptography library with TLS implementation
+Name: compat-openssl11
+Version: 1.1.1k
+Release: 2%{?dist}
+Epoch: 1
+# We have to remove certain patented algorithms from the openssl source
+# tarball with the hobble-openssl script which is included below.
+# The original openssl upstream tarball cannot be shipped in the .src.rpm.
+Source: openssl-%{version}-hobbled.tar.xz
+Source1: hobble-openssl
+Source2: Makefile.certificate
+Source6: make-dummy-cert
+Source7: renew-dummy-cert
+Source12: ec_curve.c
+Source13: ectest.c
+# Build changes
+Patch1: openssl-1.1.1-build.patch
+Patch2: openssl-1.1.1-defaults.patch
+Patch3: openssl-1.1.1-no-html.patch
+Patch4: openssl-1.1.1-man-rename.patch
+
+# Functionality changes
+Patch31: openssl-1.1.1-conf-paths.patch
+Patch32: openssl-1.1.1-version-add-engines.patch
+Patch33: openssl-1.1.1-apps-dgst.patch
+Patch36: openssl-1.1.1-no-brainpool.patch
+Patch37: openssl-1.1.1-ec-curves.patch
+Patch38: openssl-1.1.1-no-weak-verify.patch
+Patch40: openssl-1.1.1-disable-ssl3.patch
+Patch41: openssl-1.1.1-system-cipherlist.patch
+Patch42: openssl-1.1.1-fips.patch
+Patch44: openssl-1.1.1-version-override.patch
+Patch45: openssl-1.1.1-weak-ciphers.patch
+Patch46: openssl-1.1.1-seclevel.patch
+Patch47: openssl-1.1.1-ts-sha256-default.patch
+Patch48: openssl-1.1.1-fips-post-rand.patch
+Patch49: openssl-1.1.1-evp-kdf.patch
+Patch50: openssl-1.1.1-ssh-kdf.patch
+Patch51: openssl-1.1.1-intel-cet.patch
+Patch60: openssl-1.1.1-krb5-kdf.patch
+Patch61: openssl-1.1.1-edk2-build.patch
+Patch62: openssl-1.1.1-fips-curves.patch
+Patch65: openssl-1.1.1-fips-drbg-selftest.patch
+Patch66: openssl-1.1.1-fips-dh.patch
+Patch67: openssl-1.1.1-kdf-selftest.patch
+Patch69: openssl-1.1.1-alpn-cb.patch
+Patch70: openssl-1.1.1-rewire-fips-drbg.patch
+# Backported fixes including security fixes
+Patch52: openssl-1.1.1-s390x-update.patch
+Patch53: openssl-1.1.1-fips-crng-test.patch
+Patch55: openssl-1.1.1-arm-update.patch
+Patch56: openssl-1.1.1-s390x-ecc.patch
+
+License: OpenSSL and ASL 2.0
+URL: http://www.openssl.org/
+BuildRequires: make
+BuildRequires: gcc
+BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp
+BuildRequires: lksctp-tools-devel
+BuildRequires: /usr/bin/rename
+BuildRequires: /usr/bin/pod2man
+BuildRequires: /usr/sbin/sysctl
+BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt)
+BuildRequires: perl(Module::Load::Conditional), perl(File::Temp)
+BuildRequires: perl(Time::HiRes)
+BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy)
+Requires: coreutils, crypto-policies
+Conflicts: openssl < 1:3.0, openssl-libs < 1:3.0
+
+%description
+The OpenSSL toolkit provides support for secure communications between
+machines. This version of OpenSSL package contains only the libraries
+from the 1.1.1 version and is provided for compatibility with previous
+releases.
+
+%prep
+%setup -q -n openssl-%{version}
+
+# The hobble_openssl is called here redundantly, just to be sure.
+# The tarball has already the sources removed.
+%{SOURCE1} > /dev/null
+
+cp %{SOURCE12} crypto/ec/
+cp %{SOURCE13} test/
+
+%patch1 -p1 -b .build %{?_rawbuild}
+%patch2 -p1 -b .defaults
+%patch3 -p1 -b .no-html %{?_rawbuild}
+%patch4 -p1 -b .man-rename
+
+%patch31 -p1 -b .conf-paths
+%patch32 -p1 -b .version-add-engines
+%patch33 -p1 -b .dgst
+%patch36 -p1 -b .no-brainpool
+%patch37 -p1 -b .curves
+%patch38 -p1 -b .no-weak-verify
+%patch40 -p1 -b .disable-ssl3
+%patch41 -p1 -b .system-cipherlist
+%patch42 -p1 -b .fips
+%patch44 -p1 -b .version-override
+%patch45 -p1 -b .weak-ciphers
+%patch46 -p1 -b .seclevel
+%patch47 -p1 -b .ts-sha256-default
+%patch48 -p1 -b .fips-post-rand
+%patch49 -p1 -b .evp-kdf
+%patch50 -p1 -b .ssh-kdf
+%patch51 -p1 -b .intel-cet
+%patch52 -p1 -b .s390x-update
+%patch53 -p1 -b .crng-test
+%patch55 -p1 -b .arm-update
+%patch56 -p1 -b .s390x-ecc
+%patch60 -p1 -b .krb5-kdf
+%patch61 -p1 -b .edk2-build
+%patch62 -p1 -b .fips-curves
+%patch65 -p1 -b .drbg-selftest
+%patch66 -p1 -b .fips-dh
+%patch67 -p1 -b .kdf-selftest
+%patch69 -p1 -b .alpn-cb
+%patch70 -p1 -b .rewire-fips-drbg
+
+cp apps/openssl.cnf apps/openssl11.cnf
+
+%build
+# Figure out which flags we want to use.
+# default
+sslarch=%{_os}-%{_target_cpu}
+%ifarch %ix86
+sslarch=linux-elf
+if ! echo %{_target} | grep -q i686 ; then
+ sslflags="no-asm 386"
+fi
+%endif
+%ifarch x86_64
+sslflags=enable-ec_nistp_64_gcc_128
+%endif
+%ifarch sparcv9
+sslarch=linux-sparcv9
+sslflags=no-asm
+%endif
+%ifarch sparc64
+sslarch=linux64-sparcv9
+sslflags=no-asm
+%endif
+%ifarch alpha alphaev56 alphaev6 alphaev67
+sslarch=linux-alpha-gcc
+%endif
+%ifarch s390 sh3eb sh4eb
+sslarch="linux-generic32 -DB_ENDIAN"
+%endif
+%ifarch s390x
+sslarch="linux64-s390x"
+%endif
+%ifarch %{arm}
+sslarch=linux-armv4
+%endif
+%ifarch aarch64
+sslarch=linux-aarch64
+sslflags=enable-ec_nistp_64_gcc_128
+%endif
+%ifarch sh3 sh4
+sslarch=linux-generic32
+%endif
+%ifarch ppc64 ppc64p7
+sslarch=linux-ppc64
+%endif
+%ifarch ppc64le
+sslarch="linux-ppc64le"
+sslflags=enable-ec_nistp_64_gcc_128
+%endif
+%ifarch mips mipsel
+sslarch="linux-mips32 -mips32r2"
+%endif
+%ifarch mips64 mips64el
+sslarch="linux64-mips64 -mips64r2"
+%endif
+%ifarch mips64el
+sslflags=enable-ec_nistp_64_gcc_128
+%endif
+%ifarch riscv64
+sslarch=linux-generic64
+%endif
+
+# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
+# marked as not requiring an executable stack.
+# Also add -DPURIFY to make using valgrind with openssl easier as we do not
+# want to depend on the uninitialized memory as a source of entropy anyway.
+RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS"
+
+export HASHBANGPERL=/usr/bin/perl
+
+# ia64, x86_64, ppc are OK by default
+# Configure the build tree. Override OpenSSL defaults with known-good defaults
+# usable on all platforms. The Configure script already knows to use -fPIC and
+# RPM_OPT_FLAGS, so we can skip specifiying them here.
+./Configure \
+ --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
+ --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
+ zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
+ enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \
+ enable-weak-ssl-ciphers \
+ no-mdc2 no-ec2m no-sm2 no-sm4 \
+ shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'
+
+# Do not run this in a production package the FIPS symbols must be patched-in
+#util/mkdef.pl crypto update
+
+make all
+
+# Clean up the .pc files
+for i in libcrypto.pc libssl.pc openssl.pc ; do
+ sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i
+done
+
+%check
+# Verify that what was compiled actually works.
+
+cp apps/openssl.cnf apps/openssl11.cnf
+
+# Hack - either enable SCTP AUTH chunks in kernel or disable sctp for check
+(sysctl net.sctp.addip_enable=1 && sysctl net.sctp.auth_enable=1) || \
+(echo 'Failed to enable SCTP AUTH chunks, disabling SCTP for tests...' &&
+ sed '/"zlib-dynamic" => "default",/a\ \ "sctp" => "default",' configdata.pm > configdata.pm.new && \
+ touch -r configdata.pm configdata.pm.new && \
+ mv -f configdata.pm.new configdata.pm)
+
+# We must revert patch31 before tests otherwise they will fail
+patch -p1 -R < %{PATCH31}
+
+OPENSSL_ENABLE_MD5_VERIFY=
+export OPENSSL_ENABLE_MD5_VERIFY
+OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
+export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
+make test
+
+%define __provides_exclude_from %{_libdir}/openssl
+
+%install
+[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
+# Install OpenSSL.
+install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl,%{_pkgdocdir}}
+%make_install
+rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}
+for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do
+ chmod 755 ${lib}
+ ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion}
+done
+
+# Delete static library
+rm -f $RPM_BUILD_ROOT%{_libdir}/*.a || :
+
+# Delete non-devel man pages in the compat package
+rm -rf $RPM_BUILD_ROOT%{_mandir}/man[157]*
+
+# Delete configuration files
+rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/pki/*
+
+# Remove binaries
+rm -rf $RPM_BUILD_ROOT/%{_bindir}
+
+# Remove useless capi engine
+rm -f $RPM_BUILD_ROOT/%{_libdir}/engines-1.1/capi.so
+
+# Delete devel files
+rm -rf $RPM_BUILD_ROOT%{_includedir}/openssl
+rm -rf $RPM_BUILD_ROOT%{_mandir}/man3*
+rm -rf $RPM_BUILD_ROOT%{_libdir}/*.so
+rm -rf $RPM_BUILD_ROOT%{_libdir}/pkgconfig
+
+# Install compat config file
+install -m 644 apps/openssl11.cnf $RPM_BUILD_ROOT%{_sysconfdir}/pki/openssl11.cnf
+
+%files
+%license LICENSE
+%doc FAQ NEWS README
+%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version}
+%attr(0755,root,root) %{_libdir}/libcrypto.so.%{soversion}
+%attr(0755,root,root) %{_libdir}/libssl.so.%{version}
+%attr(0755,root,root) %{_libdir}/libssl.so.%{soversion}
+%attr(0755,root,root) %{_libdir}/engines-%{soversion}
+%config(noreplace) %{_sysconfdir}/pki/openssl11.cnf
+
+%dir %{_sysconfdir}/pki
+%attr(0644,root,root) %{_sysconfdir}/pki/openssl11.cnf
+
+%ldconfig_scriptlets
+
+%changelog
+* Mon Aug 16 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-2
+- Remove support for building FIPS mode binaries for the
+ compat libraries
+- Ships openssl11.cnf as the configuration file.
+- Resolves: rhbz#1993795
+- Related: rhbz#1947584
+
+* Thu Apr 08 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-1
+- Repackage old openssl 1.1.1k package into compat-openssl11
+ Resolves: bz#1947584
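Review bot: `%{_sysconfdir}/pki/openssl11.cnf` is listed twice in `%files`, once as `%config(noreplace)` and again as `%attr(0644,root,root)` below the `%dir %{_sysconfdir}/pki` entry; rpmbuild reports "File listed twice" for this and it is not obvious from the spec which of the two attribute sets ends up on the packaged file, so the noreplace protection of a locally edited config may silently not apply. Merge them into one entry, `%config(noreplace) %attr(0644,root,root) %{_sysconfdir}/pki/openssl11.cnf`, and drop the other line. The Configure invocation turns on `enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-md2 enable-rc5` while `%prep` applies Patch40 (`openssl-1.1.1-disable-ssl3.patch`) and Patch45 (`openssl-1.1.1-weak-ciphers.patch`); a comment above `./Configure` stating that these build-time switches are kept so the compat library keeps its upstream symbol set and that the actual protocol/cipher availability is governed by the patches and the crypto-policies `--system-ciphers-file` would spare the next maintainer from re-deriving that, assuming that is the intent. The `%check` section also writes `net.sctp.addip_enable` and `net.sctp.auth_enable` via sysctl on the build host; the `||` fallback that rewrites `configdata.pm` covers the unprivileged case, but a one-line comment saying the sysctl calls are expected to fail in a sandboxed build and that SCTP tests are then skipped rather than failing would make that behaviour explicit.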