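%define maj 3
%define libname %mklibname openssl %{maj}
%define develname %mklibname openssl -d
%define staticname %mklibname openssl -s -d

Summary:	Secure Sockets Layer communications libs & utils
Name:		openssl
Version:	3.5.0
Release:	%mkrel 2
License:	ASL 2.0
Group:		System/Libraries
URL:		https://openssl-library.org/
Source0:	https://github.com/%{name}/%{name}/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
# Source1 is the upstream detached OpenPGP signature for Source0. Nothing in
# %%prep verifies it: enforcing it would need the upstream release-signing
# keyring shipped as an additional Source and a %%{gpgverify} call in %%prep.
# Until then the tarball's provenance rests on the checked-in SOURCES hash only.
Source1:	https://github.com/%{name}/%{name}/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz.asc
Source2:	Makefile.certificate
Source3:	genpatches
Source4:	openssl-thread-test.c
Source6:	make-dummy-cert
Source7:	renew-dummy-cert
Source9:	configuration-switch.h
Source10:	configuration-prefix.h

# fedora patches
# Patches exported from source git.
# The RH-* patches change distro policy (system cipher profile, SHA-1/weak-digest
# signature controls, kernel FIPS flag, lib64 paths). The FIPS-* patches restrict
# the FIPS provider to approved algorithms and add the embedded-HMAC integrity
# check (0023-0025). Several carry REVIEW / NEEDS-REWORK / NOTE / DROP markers
# and 0053 tracks the rebase status, so this series is still a work in progress
# and should be re-audited before the build is treated as production.
# Aarch64 and ppc64le use lib64
Patch0001: 0001-RH-Aarch64-and-ppc64le-use-lib64.patch
Patch0002: 0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch
Patch0003: 0003-RH-Do-not-install-html-docs.patch
Patch0004: 0004-RH-Override-default-paths-for-the-CA-directory-tree.patch
Patch0005: 0005-RH-Instructions-to-load-legacy-provider.patch
Patch0006: 0006-RH-apps-ca-fix-md-option-help-text.patch-DROP.patch
Patch0007: 0007-RH-Disable-signature-verification-with-bad-digests-R.patch
Patch0008: 0008-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch
Patch0009: 0009-RH-Add-FIPS_mode-compatibility-macro.patch
Patch0010: 0010-RH-Add-Kernel-FIPS-mode-flag-support-FIXSTYLE.patch
Patch0011: 0011-RH-Drop-weak-curve-definitions-RENAMED-SQUASHED.patch
Patch0012: 0012-RH-Disable-explicit-ec-curves.patch
Patch0013: 0013-RH-skipped-tests-EC-curves.patch
Patch0014: 0014-RH-skip-quic-pairwise.patch
Patch0015: 0015-RH-version-aliasing.patch
Patch0016: 0016-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch
Patch0017: 0017-RH-TMP-KTLS-test-skip.patch
Patch0018: 0018-RH-Allow-disabling-of-SHA1-signatures.patch
Patch0019: 0019-RH-Set-default-certificate-digest-to-sha256.patch
Patch0020: 0020-FIPS-Red-Hat-s-FIPS-module-name-and-version.patch
Patch0021: 0021-FIPS-disable-fipsinstall.patch
Patch0022: 0022-FIPS-Force-fips-provider-on.patch
Patch0023: 0023-FIPS-INTEG-CHECK-Embed-hmac-in-fips.so-NOTE.patch
Patch0024: 0024-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch
Patch0025: 0025-FIPS-INTEG-CHECK-Execute-KATS-before-HMAC-REVIEW.patch
Patch0026: 0026-FIPS-RSA-encrypt-limits-REVIEW.patch
Patch0027: 0027-FIPS-RSA-PCTs.patch
Patch0028: 0028-FIPS-RSA-encapsulate-limits.patch
Patch0029: 0029-FIPS-RSA-Disallow-SHAKE-in-OAEP-and-PSS.patch
Patch0030: 0030-FIPS-RSA-size-mode-restrictions.patch
Patch0031: 0031-FIPS-RSA-Mark-x931-as-not-approved-by-default.patch
Patch0032: 0032-FIPS-RSA-Remove-X9.31-padding-signatures-tests.patch
Patch0033: 0033-FIPS-RSA-NEEDS-REWORK-FIPS-Use-OAEP-in-KATs-support-.patch
Patch0034: 0034-FIPS-Deny-SHA-1-signature-verification.patch
Patch0035: 0035-FIPS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch
Patch0036: 0036-FIPS-RAND-Forbid-truncated-hashes-SHA-3.patch
Patch0037: 0037-FIPS-PBKDF2-Set-minimum-password-length.patch
Patch0038: 0038-FIPS-DH-PCT.patch
Patch0039: 0039-FIPS-DH-Disable-FIPS-186-4-type-parameters.patch
Patch0040: 0040-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch
Patch0041: 0041-FIPS-CMS-Set-default-padding-to-OAEP.patch
Patch0042: 0042-FIPS-PKCS12-PBMAC1-defaults.patch
Patch0043: 0043-FIPS-Fix-encoder-decoder-negative-test.patch
Patch0044: 0044-FIPS-EC-DH-DSA-PCTs.patch
Patch0045: 0045-FIPS-EC-disable-weak-curves.patch
Patch0046: 0046-FIPS-NO-DSA-Support.patch
Patch0047: 0047-FIPS-NO-DES-support.patch
Patch0048: 0048-FIPS-NO-Kmac.patch
Patch0049: 0049-FIPS-NO-ECX-Ed-X-25519-448.patch
Patch0050: 0050-FIPS-NO-PQ-ML-SLH-DSA.patch
Patch0051: 0051-Revert-FIPS-NO-ECX-Ed-X-25519-448.patch
Patch0052: 0052-FIPS-Fix-some-tests-due-to-our-versioning-change.patch
Patch0053: 0053-Current-Rebase-status.patch
# Upstream patches
# Mageia patches

Requires:	%{libname} = %{version}-%{release}
Requires:	rootcerts
BuildRequires:	multiarch-utils >= 1.0.3
BuildRequires:	chrpath
BuildRequires:	pkgconfig(zlib)
BuildRequires:	pkgconfig(libsctp)
BuildRequires:	git
%ifarch %{arm}
BuildRequires:	libatomic-devel
%endif
# (tv) for test suite:
BuildRequires:	bc

# Embed the FIPS provider integrity HMAC into the *installed* fips.so.
# rpmbuild runs %%install before %%check, so the HMAC that %%check patches into
# the in-tree providers/fips.so never reaches the buildroot copy, and the file
# is modified again by debuginfo stripping after %%install. The HMAC therefore
# has to be computed as the last install post-processing step, after the
# distro's default strip/arch/os hooks. .rodata1 is zeroed first so the HMAC
# is computed over a deterministic placeholder, mirroring what %%check does.
# The key is upstream's fixed, public FIPS integrity key: this is
# tamper-evidence for the module file, not a secret. Adjust if the distro
# default %%__spec_install_post differs from the three hooks listed here.
%define __spec_install_post \
    %{?__debug_package:%{__debug_install_post}} \
    %{__arch_install_post} \
    %{__os_install_post} \
    dd if=/dev/zero bs=1 count=32 of=%{buildroot}%{_libdir}/ossl-modules/fips.so.zero \
    objcopy --update-section .rodata1=%{buildroot}%{_libdir}/ossl-modules/fips.so.zero %{buildroot}%{_libdir}/ossl-modules/fips.so %{buildroot}%{_libdir}/ossl-modules/fips.so.zeroed \
    mv %{buildroot}%{_libdir}/ossl-modules/fips.so.zeroed %{buildroot}%{_libdir}/ossl-modules/fips.so \
    LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < %{buildroot}%{_libdir}/ossl-modules/fips.so > %{buildroot}%{_libdir}/ossl-modules/fips.so.hmac \
    objcopy --update-section .rodata1=%{buildroot}%{_libdir}/ossl-modules/fips.so.hmac %{buildroot}%{_libdir}/ossl-modules/fips.so %{buildroot}%{_libdir}/ossl-modules/fips.so.mac \
    mv %{buildroot}%{_libdir}/ossl-modules/fips.so.mac %{buildroot}%{_libdir}/ossl-modules/fips.so \
    rm -f %{buildroot}%{_libdir}/ossl-modules/fips.so.hmac %{buildroot}%{_libdir}/ossl-modules/fips.so.zero \
%{nil}

%description
The openssl certificate management tool and the shared libraries that
provide various encryption and decryption algorithms and protocols,
including TLS, RSA, EC, AES and legacy algorithms such as DES and RC4.

%package -n %{libname}
Summary:	Secure Sockets Layer communications libs
Group:		System/Libraries
Requires:	crypto-policies
Provides:	%{libname} = %{version}-%{release}

%description -n %{libname}
The libraries files are needed for various cryptographic algorithms and
protocols, including TLS, RSA, EC, AES and legacy algorithms such as DES
and RC4.

%package -n %{develname}
Summary:	Secure Sockets Layer communications libs & headers & utils
Group:		Development/Other
Requires:	%{libname} = %{version}-%{release}
Provides:	libopenssl-devel
Provides:	%{name}-devel = %{version}-%{release}

%description -n %{develname}
The libraries and include files needed to compile apps with support for
various cryptographic algorithms and protocols, including TLS, RSA, EC,
AES and legacy algorithms such as DES and RC4.

# Static libcrypto/libssl: anything linked against these does not pick up
# security updates shipped in %{libname}; consumers should prefer the shared
# libraries and this subpackage should stay out of default build roots.
%package -n %{staticname}
Summary:	Secure Sockets Layer communications static libs
Group:		Development/Other
Requires:	%{develname} = %{version}-%{release}
Provides:	libopenssl-static-devel
Provides:	%{name}-static-devel = %{version}-%{release}

%description -n %{staticname}
The static libraries needed to compile apps with support for various
cryptographic algorithms and protocols, including TLS, RSA, EC, AES and
legacy algorithms such as DES and RC4.

%package perl
Summary:	Perl scripts provided with OpenSSL
Group:		System/Libraries
Requires:	%{name} = %{version}-%{release}
Conflicts:	%name <= 1.0.2h-1.mga6

%description perl
OpenSSL is a toolkit for supporting cryptography. The openssl-perl
package provides Perl scripts for converting certificates and keys
from other formats to the formats used by the OpenSSL toolkit.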
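%prep
# Unpack Source0 and apply the patch series with git. The detached upstream
# signature (Source1) is not checked here.
%autosetup -S git -n %{name}-%{version}

%build
%serverbuild

# Figure out which flags we want to use.
# default
sslarch=%{_os}-%{_target_cpu}
%ifarch %ix86
sslarch=linux-elf
if ! echo %{_target} | grep -q i686 ; then
	sslflags="no-asm 386"
fi
%endif
%ifarch x86_64
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch sparcv9
sslarch=linux-sparcv9
sslflags=no-asm
%endif
%ifarch sparc64
sslarch=linux64-sparcv9
sslflags=no-asm
%endif
%ifarch alpha alphaev56 alphaev6 alphaev67
sslarch=linux-alpha-gcc
%endif
%ifarch s390 sh3eb sh4eb
sslarch="linux-generic32 -DB_ENDIAN"
%endif
%ifarch s390x
sslarch="linux64-s390x"
%endif
%ifarch %{arm}
sslarch=linux-armv4
%endif
%ifarch aarch64
sslarch=linux-aarch64
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch sh3 sh4
sslarch=linux-generic32
%endif
%ifarch ppc64 ppc64p7
sslarch=linux-ppc64
%endif
%ifarch ppc64le
sslarch="linux-ppc64le"
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch mips mipsel
sslarch="linux-mips32 -mips32r2"
%endif
%ifarch mips64 mips64el
sslarch="linux64-mips64 -mips64r2"
%endif
%ifarch mips64el
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch riscv64
sslarch=linux64-riscv64
%endif

ktlsopt=enable-ktls
%ifarch armv7hl
ktlsopt=disable-ktls
%endif

# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
# marked as not requiring an executable stack.
# Also add -DPURIFY to make using valgrind with openssl easier as we do not
# want to depend on the uninitialized memory as a source of entropy anyway.
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS"

export HASHBANGPERL=/usr/bin/perl

# ia64, x86_64, ppc, ppc64 are OK by default
# Configure the build tree. Override OpenSSL defaults with known-good defaults
# usable on all platforms. The Configure script already knows to use -fPIC and
# RPM_OPT_FLAGS, so we can skip specifiying them here.
#
# Security-relevant switches, for the record:
#  - enable-md2 / enable-rc5 build obsolete algorithms into the library; they
#    are kept for compatibility, not because anything here needs them.
#  - -DOPENSSL_PEDANTIC_ZEROIZATION zeroes freed key material.
#  - -DREDHAT_FIPS_VENDOR/-DREDHAT_FIPS_VERSION only set the strings the
#    provider reports about itself; "Rebase Testing" is a placeholder and this
#    build is not a validated FIPS 140-3 module.
#  - -Wl,--allow-multiple-definition makes the link tolerate duplicate symbol
#    definitions, which can hide a genuine symbol clash. It is presumably
#    needed by the patch series (0016 exports extra symbols); confirm why it
#    is required and drop it when it no longer is.
./Configure \
	--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
	--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config \
	-DOPENSSL_API_COMPAT=30400 \
	zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
	enable-cms enable-md2 enable-rc5 ${ktlsopt} enable-fips -D_GNU_SOURCE \
	no-mdc2 no-ec2m no-sm2 no-sm4 no-atexit enable-buildtest-c++ \
	shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""' -DOPENSSL_PEDANTIC_ZEROIZATION \
	-DREDHAT_FIPS_VENDOR='"\"Mageia OpenSSL FIPS Provider\""' -DREDHAT_FIPS_VERSION='"\"Rebase Testing\""' \
	-Wl,--allow-multiple-definition

# Do not run this in a production package the FIPS symbols must be patched-in
#util/mkdef.pl crypto update

make all

# Clean up the .pc files
for i in libcrypto.pc libssl.pc openssl.pc ; do
	sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i
done

%check
# Verify that what was compiled actually works.

# Hack - either enable SCTP AUTH chunks in kernel or disable sctp for check.
# Note this changes sysctls on the build host; it only succeeds in a
# privileged build environment, otherwise SCTP tests are skipped.
(sysctl net.sctp.addip_enable=1 && sysctl net.sctp.auth_enable=1) || \
(echo 'Failed to enable SCTP AUTH chunks, disabling SCTP for tests...' && \
 sed '/"msan" => "default",/a\ \ "sctp" => "default",' configdata.pm > configdata.pm.new && \
 touch -r configdata.pm configdata.pm.new && \
 mv -f configdata.pm.new configdata.pm)

# The test suite runs against the patched tree as-is; the former reverts of
# the CA-directory patch and of the default-provider override before testing
# are no longer applied.

# Run the suite with the distro's SHA-1/MD5 signature restrictions at their
# defaults and with no system cipher profile, so results do not depend on the
# build host's crypto-policies.
OPENSSL_ENABLE_MD5_VERIFY=
export OPENSSL_ENABLE_MD5_VERIFY
OPENSSL_ENABLE_SHA1_SIGNATURES=
export OPENSSL_ENABLE_SHA1_SIGNATURES
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE

# Embed the integrity HMAC into the in-tree fips provider for the test run.
# .rodata1 is zeroed first so the HMAC is computed over a known placeholder.
# The key is upstream's fixed, public FIPS integrity key (tamper-evidence,
# not a secret). rpmbuild runs %%install before %%check, so this only affects
# the build tree: the installed module needs its own HMAC step after
# stripping, this one does not carry over.
dd if=/dev/zero bs=1 count=32 of=tmp.mac
objcopy --update-section .rodata1=tmp.mac providers/fips.so providers/fips.so.zeromac
mv providers/fips.so.zeromac providers/fips.so
rm tmp.mac
LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac
objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac
mv providers/fips.so.mac providers/fips.so
rm -f providers/fips.so.hmac

# run tests itself
make test HARNESS_JOBS=8
#make test

%install
%make_install

# make the rootcerts dir
install -d %{buildroot}%{_sysconfdir}/pki/tls/rootcerts

# Install a makefile for generating keys and self-signed certs, and a script
# for generating them on the fly.
mkdir -p %{buildroot}%{_sysconfdir}/pki/tls/certs
install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pki/tls/certs/Makefile
install -m 755 %{SOURCE6} %{buildroot}%{_bindir}/make-dummy-cert
install -m 755 %{SOURCE7} %{buildroot}%{_bindir}/renew-dummy-cert

# Move runable perl scripts to bindir
mv %{buildroot}%{_sysconfdir}/pki/tls/misc/*.pl %{buildroot}%{_bindir}
mv %{buildroot}%{_sysconfdir}/pki/tls/misc/tsget %{buildroot}%{_bindir}

# Rename man pages so that they don't conflict with other system man pages.
pushd %{buildroot}%{_mandir}
mv man5/config.5ossl man5/openssl.cnf.5
popd

# CA directory tree used by CA.pl ($CATOP is pointed at it below). The
# private/ directory holds the CA signing key, so create it root-only
# rather than with the default 0755.
install -d %{buildroot}%{_sysconfdir}/pki/CA
install -d -m 700 %{buildroot}%{_sysconfdir}/pki/CA/private
install -d %{buildroot}%{_sysconfdir}/pki/CA/certs
install -d %{buildroot}%{_sysconfdir}/pki/CA/crl
install -d %{buildroot}%{_sysconfdir}/pki/CA/newcerts

# Same for the TLS private-key directory created by make install.
chmod 700 %{buildroot}%{_sysconfdir}/pki/tls/private

rm -f %{buildroot}%{_sysconfdir}/pki/tls/openssl.cnf.dist
rm -f %{buildroot}%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist

%ifarch i686
rm -f %{buildroot}%{_sysconfdir}/pki/tls/fipsmodule.cnf
%endif

%multiarch_includes %{buildroot}%{_includedir}/openssl/opensslconf.h

# nuke rpath so the binary cannot be redirected to libraries in a build path
chrpath -d %{buildroot}%{_bindir}/openssl

# Fix libdir.
for i in %{buildroot}%{_libdir}/pkgconfig/*.pc; do
	sed -i 's,^libdir=${exec_prefix}/lib$,libdir=${exec_prefix}/%{_lib},g' $i
done

# adjust ssldir
perl -pi -e "s|^\\\$CATOP\=\".*|\\\$CATOP\=\"%{_sysconfdir}/pki/tls\";|g" %{buildroot}%{_bindir}/CA.pl
perl -pi -e "s|\./demoCA|%{_sysconfdir}/pki/tls|g" %{buildroot}%{_sysconfdir}/pki/tls/openssl.cnf

%files
%license LICENSE.txt
%doc NEWS.md README.md
%dir %{_sysconfdir}/pki
%dir %{_sysconfdir}/pki/tls
%dir %{_sysconfdir}/pki/tls/certs
%dir %{_sysconfdir}/pki/tls/misc
# Private keys live here; pin the mode in the payload so it does not depend
# on whatever the buildroot happened to have.
%attr(0700,root,root) %dir %{_sysconfdir}/pki/tls/private
%dir %{_sysconfdir}/pki/tls/rootcerts
%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
%config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf
%ifnarch i686
%config(noreplace) %{_sysconfdir}/pki/tls/fipsmodule.cnf
%endif
%{_sysconfdir}/pki/tls/certs/Makefile
%{_bindir}/make-dummy-cert
%{_bindir}/renew-dummy-cert
%{_bindir}/openssl
%{_mandir}/man[157]/*
%exclude %{_mandir}/man1/*.pl*
%exclude %{_mandir}/man1/tsget*

%files -n %{libname}
%doc LICENSE.txt
%{_libdir}/lib*.so.%{maj}
%{_libdir}/engines-%{maj}
# ossl-modules holds fips.so and legacy.so (providers loaded at runtime).
%{_libdir}/ossl-modules

%files -n %{develname}
%doc CHANGES.md doc/dir-locals.example.el doc/openssl-c-indent.el
%dir %{_includedir}/openssl
%multiarch %{multiarch_includedir}/openssl/opensslconf.h
%{_includedir}/openssl
%{_libdir}/lib*.so
%{_mandir}/man3/*
%{_libdir}/pkgconfig/*.pc
%{_libdir}/cmake/OpenSSL/

%files -n %{staticname}
%{_libdir}/lib*.a

%files perl
%{_bindir}/c_rehash
%{_bindir}/*.pl
%{_bindir}/tsget
%{_mandir}/man1/*.pl*
%{_mandir}/man1/tsget*
%dir %{_sysconfdir}/pki/CA
%attr(0700,root,root) %dir %{_sysconfdir}/pki/CA/private
%dir %{_sysconfdir}/pki/CA/certs
%dir %{_sysconfdir}/pki/CA/crl
%dir %{_sysconfdir}/pki/CA/newcerts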