# EPEL note: Since we're deleting the regular openssl files and only shipping
# the ones from openssl-devel-engine, we must disable debug packages or else
# we'll get this build error:
# Empty %files file /builddir/build/BUILD/openssl-3.2.2/debugsourcefiles.list
%global debug_package %{nil}

Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl-epel
Version: 3.2.2
Release: 11.1%{?dist}
Epoch: 1
Source: openssl-%{version}.tar.gz
License: Apache-2.0
URL: http://www.openssl.org/

BuildRequires: make
BuildRequires: coreutils, perl-interpreter
BuildRequires: /usr/bin/pod2man
BuildRequires: perl(IPC::Cmd)
BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy)
BuildRequires: findutils

%description
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared libraries
which provide various cryptographic algorithms and protocols.

%package -n openssl-devel-engine
Summary: Files for development of applications which will use OpenSSL and use deprecated ENGINE API.
# EPEL note: Normally this would require a full matching EVR, but we're going
# to omit matching the release because it will be too difficult to keep ours in
# exact sync with CentOS/RHEL. It's also unlikely that release bump style
# changes in the CentOS/RHEL package will affect the files we're shipping in
# this package.
Requires: openssl-libs%{?_isa} = %{epoch}:%{version}
Requires: openssl-devel%{?_isa} = %{epoch}:%{version}
Requires: pkgconfig

%description -n openssl-devel-engine
OpenSSL is a toolkit for supporting cryptography. The openssl-devel-engine
package contains include files needed to develop applications which use
deprecated OpenSSL ENGINE functionality.

%prep
%autosetup -n openssl-%{version}

%build
# EPEL note: This has been trimmed down from the original spec file to just the
# architectures that EPEL builds for.
sslarch=%{_os}-%{_target_cpu}
%ifarch s390x
sslarch="linux64-s390x"
%endif
%ifarch aarch64
sslarch=linux-aarch64
%endif
%ifarch ppc64le
sslarch="linux-ppc64le"
%endif

export HASHBANGPERL=/usr/bin/perl

# EPEL note: This has been trimmed down from the original spec file, because
# the install_man_docs section of the Makefile isn't affected by any of the
# other flags.
./Configure \
    --prefix=%{_prefix} \
    ${sslarch}

%install
# EPEL note: There is an install_dev target in the Makefile, but it has a
# prerequisite of the install_runtime_libs target, which needs to compile the
# libraries. The engine header files in the source aren't modified in those
# targets, so it's easier to just copy them into place manually.
install -D -p -m 0644 -t %{buildroot}%{_includedir}/openssl include/openssl/engine*.h

# EPEL note: There is an install_man_docs target in the Makefile that we can
# use to install the engine man pages and set up symlinks. We just have to
# remove the other man pages and symlinks that we can't ship here (because
# they're already in the CentOS/RHEL packages).
make DESTDIR=%{buildroot} INSTALL="%{__install} -p" install_man_docs
rm -r %{buildroot}%{_mandir}/man1
rm -r %{buildroot}%{_mandir}/man5
rm -r %{buildroot}%{_mandir}/man7
find %{buildroot}%{_mandir}/man3 -type f,l -not -name 'ENGINE*' -delete

%files -n openssl-devel-engine
%license LICENSE.txt
%{_prefix}/include/openssl/engine*.h
%{_mandir}/man3/ENGINE*

%changelog
* Sat Aug 31 2024 Carl George - 1:3.2.2-11.1
- Convert to openssl-epel package to ship missing engine headers and man pages

* Wed Aug 21 2024 Clemens Lang - 1:3.2.2-11
- Fix CVE-2024-5535: SSL_select_next_proto buffer overread
  Resolves: RHEL-45692

* Wed Aug 14 2024 Dmitry Belyavskiy - 1:3.2.2-10
- Use PBMAC1 by default when creating PKCS#12 files in FIPS mode
  Related: RHEL-36659
- Support key encapsulation/decapsulation in openssl pkeyutl command
  Resolves: RHEL-54156
- Fix typo in the patch numeration
  Related: RHEL-41261
- Enable KTLS, temporarily disable KTLS tests
  Related: RHEL-47335
- Speedup SSL_add_{file,dir}_cert_subjects_to_stack
  Resolves: RHEL-54232
- Resolve SAST package scan results
  Resolves: RHEL-37561

* Fri Aug 09 2024 Dmitry Belyavskiy - 1:3.2.2-9
- An interface to create PKCS #12 files in FIPS compliant way
  Related: RHEL-36659

* Wed Aug 07 2024 Dmitry Belyavskiy - 1:3.2.2-8
- An interface to create PKCS #12 files in FIPS compliant way
  Resolves: RHEL-36659

* Wed Jul 10 2024 Dmitry Belyavskiy - 1:3.2.2-7
- Disallow SHA1 at SECLEVEL2 in OpenSSL
  Resolves: RHEL-39962
- SHA-1 signature shouldn't work in normal mode
  Resolves: RHEL-36677

* Mon Jul 01 2024 Dmitry Belyavskiy - 1:3.2.2-6
- Do not install ENGINE headers, man pages, and define OPENSSL_NO_ENGINE
  Resolves: RHEL-45704

* Mon Jul 1 2024 Daiki Ueno - 1:3.2.2-5
- Replace HKDF backward compatibility patch with the official one
  Related: RHEL-41261

* Mon Jun 24 2024 Troy Dawson - 1:3.2.2-4
- Bump release for June 2024 mass rebuild

* Sat Jun 15 2024 Daiki Ueno - 1:3.2.2-3
- Add workaround for EVP_PKEY_CTX_add1_hkdf_info with older providers
  Resolves: RHEL-41261

* Wed Jun 12 2024 Dmitry Belyavskiy - 1:3.2.2-2
- Build openssl with no-atexit
  Resolves: RHEL-40408

* Wed Jun 05 2024 Dmitry Belyavskiy - 1:3.2.2-1
- Rebase to OpenSSL 3.2.2.
  Related: RHEL-31762

* Mon Jun 03 2024 Sahana Prasad - 1:3.2.1-4
- Synchronize patches from c9s and Fedora
- Resolves: RHEL-31762

* Tue Feb 13 2024 Sahana Prasad - 1:3.2.1-3
- Temporarily disable ktls to unblock c10s builds
- Resolves: RHEL-25259

* Fri Feb 09 2024 Sahana Prasad - 1:3.2.1-2
- Fix version aliasing issue
- https://github.com/openssl/openssl/issues/23534

* Tue Feb 06 2024 Sahana Prasad - 1:3.2.1-1
- Rebase to upstream version 3.2.1

* Thu Jan 25 2024 Fedora Release Engineering - 1:3.1.4-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild

* Sun Jan 21 2024 Fedora Release Engineering - 1:3.1.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild

* Wed Jan 10 2024 Dmitry Belyavskiy - 1:3.1.4-2
- We don't want to ship openssl-pkcs11 in RHEL10/Centos 10

* Thu Oct 26 2023 Sahana Prasad - 1:3.1.4-1
- Rebase to upstream version 3.1.4

* Thu Oct 19 2023 Sahana Prasad - 1:3.1.3-1
- Rebase to upstream version 3.1.3

* Thu Aug 31 2023 Dmitry Belyavskiy - 1:3.1.1-4
- Drop duplicated patch and do some contamination

* Tue Aug 22 2023 Dmitry Belyavskiy - 1:3.1.1-3
- Integrate FIPS patches from CentOS

* Fri Aug 04 2023 Dmitry Belyavskiy - 1:3.1.1-2
- migrated to SPDX license

* Thu Jul 27 2023 Sahana Prasad - 1:3.1.1-1
- Rebase to upstream version 3.1.1
  Resolves: CVE-2023-0464
  Resolves: CVE-2023-0465
  Resolves: CVE-2023-0466
  Resolves: CVE-2023-1255
  Resolves: CVE-2023-2650

* Thu Jul 27 2023 Dmitry Belyavskiy - 1:3.0.8-4
- Forbid custom EC more completely
  Resolves: rhbz#2223953

* Thu Jul 20 2023 Fedora Release Engineering - 1:3.0.8-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild

* Tue Mar 21 2023 Sahana Prasad - 1:3.0.8-2
- Upload new upstream sources without manually hobbling them.
- Remove the hobbling script as it is redundant.
  It is now allowed to ship the sources of patented EC curves, however it is
  still made unavailable to use by compiling with the 'no-ec2m' Configure
  option. The additional forbidden curves such as P-160, P-192, wap-tls curves
  are manually removed by updating 0011-Remove-EC-curves.patch.
- Enable Brainpool curves.
- Apply the changes to ec_curve.c and ectest.c as a new patch
  0010-Add-changes-to-ectest-and-eccurve.patch instead of replacing them.
- Modify 0011-Remove-EC-curves.patch to allow Brainpool curves.
- Modify 0011-Remove-EC-curves.patch to allow code under macro OPENSSL_NO_EC2M.
  Resolves: rhbz#2130618, rhbz#2141672

* Thu Feb 09 2023 Dmitry Belyavskiy - 1:3.0.8-1
- Rebase to upstream version 3.0.8
  Resolves: CVE-2022-4203
  Resolves: CVE-2022-4304
  Resolves: CVE-2022-4450
  Resolves: CVE-2023-0215
  Resolves: CVE-2023-0216
  Resolves: CVE-2023-0217
  Resolves: CVE-2023-0286
  Resolves: CVE-2023-0401

* Thu Jan 19 2023 Fedora Release Engineering - 1:3.0.7-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild

* Thu Jan 05 2023 Dmitry Belyavskiy - 1:3.0.7-3
- Backport implicit rejection for RSA PKCS#1 v1.5 encryption
  Resolves: rhbz#2153470

* Thu Jan 05 2023 Dmitry Belyavskiy - 1:3.0.7-2
- Refactor embedded mac verification in FIPS module
  Resolves: rhbz#2156045

* Fri Dec 23 2022 Dmitry Belyavskiy - 1:3.0.7-1
- Rebase to upstream version 3.0.7
- C99 compatibility in downstream-only 0032-Force-fips.patch
  Resolves: rhbz#2152504
- Adjusting include for the FIPS_mode macro
  Resolves: rhbz#2083876

* Wed Nov 16 2022 Simo Sorce - 1:3.0.5-7
- Backport patches to fix external providers compatibility issues

* Tue Nov 01 2022 Dmitry Belyavskiy - 1:3.0.5-6
- CVE-2022-3602: X.509 Email Address Buffer Overflow
- CVE-2022-3786: X.509 Email Address Buffer Overflow
  Resolves: CVE-2022-3602
  Resolves: CVE-2022-3786

* Mon Sep 12 2022 Dmitry Belyavskiy - 1:3.0.5-5
- Update patches to make ELN build happy
  Resolves: rhbz#2123755

* Fri Sep 09 2022 Clemens Lang - 1:3.0.5-4
- Fix AES-GCM on Power 8 CPUs
  Resolves: rhbz#2124845

* Thu Sep 01 2022 Dmitry Belyavskiy - 1:3.0.5-3
- Sync patches with RHEL
  Related: rhbz#2123755

* Fri Jul 22 2022 Fedora Release Engineering - 1:3.0.5-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild

* Tue Jul 05 2022 Clemens Lang - 1:3.0.5-1
- Rebase to upstream version 3.0.5
  Related: rhbz#2099972, CVE-2022-2097

* Wed Jun 01 2022 Dmitry Belyavskiy - 1:3.0.3-1
- Rebase to upstream version 3.0.3

* Thu Apr 28 2022 Clemens Lang - 1:3.0.2-5
- Instrument with USDT probes related to SHA-1 deprecation

* Wed Apr 27 2022 Clemens Lang - 1:3.0.2-4
- Support rsa_pkcs1_md5_sha1 in TLS 1.0/1.1 with rh-allow-sha1-signatures = yes
  to restore TLS 1.0 and 1.1 support in LEGACY crypto-policy.
  Related: rhbz#2069239

* Tue Apr 26 2022 Alexander Sosedkin - 1:3.0.2-4
- Instrument with USDT probes related to SHA-1 deprecation

* Wed Apr 20 2022 Clemens Lang - 1:3.0.2-3
- Disable SHA-1 by default in ELN using the patches from CentOS
- Fix a FIXME in the openssl.cnf(5) manpage

* Thu Apr 07 2022 Clemens Lang - 1:3.0.2-2
- Silence a few rpmlint false positives.

* Thu Apr 07 2022 Clemens Lang - 1:3.0.2-2
- Allow disabling SHA1 signature creation and verification. Set
  rh-allow-sha1-signatures = no to disable. Allow SHA1 in TLS in SECLEVEL 1
  if rh-allow-sha1-signatures = yes. This will support SHA1 in TLS in the
  LEGACY crypto-policy.
  Resolves: rhbz#2070977
  Related: rhbz#2031742, rhbz#2062640

* Fri Mar 18 2022 Dmitry Belyavskiy - 1:3.0.2-1
- Rebase to upstream version 3.0.2

* Thu Jan 20 2022 Fedora Release Engineering - 1:3.0.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild

* Thu Sep 09 2021 Sahana Prasad - 1:3.0.0-1
- Rebase to upstream version 3.0.0