
Commit c59ee5a

committed
[PA-6132] : Updated openssl FIPS version from 1.1.1k-6 to 1.1.1k-7
1 parent 832549b commit c59ee5a


2 files changed

+120
-4
lines changed


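--- a/configs/components/openssl-1.1.1-fips.rb
+++ b/configs/components/openssl-1.1.1-fips.rb
@@ -1,6 +1,6 @@
 component 'openssl-1.1.1-fips' do |pkg, settings, platform|
-pkg.version '1.1.1k-6'
-pkg.sha256sum 'da536944410a0cbf5c0b6ee0b8f3ec62a9121be3b72bf2819bb4395a761662aa'
+pkg.version '1.1.1k-7'
+pkg.sha256sum '74f5175ea4e931ae3c2a078aa7f2e0314f1daa81d34a869746eff5bd61145a82'
 pkg.url "https://vault.centos.org/centos/8-stream/BaseOS/Source/SPackages/openssl-#{pkg.get_version}.el8.src.rpm"
 pkg.mirror "#{settings[:buildsources_url]}/openssl-#{pkg.get_version}.el8.src.rpm"
 
@@ -21,7 +21,7 @@
 # proper fix would be extension in vanagon for source rpm handling
 pkg.add_source 'file://resources/patches/openssl/openssl-1.1.1-fips-patch-openssl-cnf.patch'
 pkg.add_source 'file://resources/patches/openssl/openssl-1.1.1-fips-force-fips-mode.patch'
-pkg.add_source 'file://resources/patches/openssl/openssl-1.1.1-fips-spec-file.patch'
+pkg.add_source 'file://resources/patches/openssl/openssl-1.1.1k-7-fips-spec-file.patch'
 pkg.add_source 'file://resources/patches/openssl/openssl-1.1.1-fips-remove-env-check.patch'
 pkg.add_source 'file://resources/patches/openssl/openssl-1.1.1l-sm2-plaintext.patch'
 
@@ -53,7 +53,7 @@
 [
 "cd openssl-#{pkg.get_version} && /usr/bin/patch --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../openssl-1.1.1-fips-patch-openssl-cnf.patch && cd -",
 "cd openssl-#{pkg.get_version} && /usr/bin/patch --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../openssl-1.1.1-fips-force-fips-mode.patch && cd -",
-"cd openssl-#{pkg.get_version} && /usr/bin/patch --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../openssl-1.1.1-fips-spec-file.patch && cd -",
+"cd openssl-#{pkg.get_version} && /usr/bin/patch --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../openssl-1.1.1k-7-fips-spec-file.patch && cd -",
 "cd openssl-#{pkg.get_version} && /usr/bin/patch --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../openssl-1.1.1-fips-remove-env-check.patch && cd -",
 "cd openssl-#{pkg.get_version} && /usr/bin/patch --strip=1 --fuzz=0 --ignore-whitespace --no-backup-if-mismatch < ../openssl-1.1.1l-sm2-plaintext.patch && cd -"
 ]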
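--- /dev/null
+++ b/resources/patches/openssl/openssl-1.1.1k-7-fips-spec-file.patch
@@ -0,0 +1,116 @@
+--- a/SPECS/openssl.spec 2024-02-20 10:19:41
++++ b/SPECS/openssl.spec 2024-02-23 11:38:58
+@@ -87,6 +87,10 @@
+Patch84: openssl-1.1.1-cve-2022-1292.patch
+Patch85: openssl-1.1.1-cve-2022-2068.patch
+Patch86: openssl-1.1.1-cve-2022-2097.patch
++Patch100: openssl-1.1.1-force-fips-on-init.patch
++Patch101: openssl-1.1.1-openssl-cnf-fips-mode.patch
++Patch102: openssl-1.1.1-remove-env-check.patch
++Patch103: openssl-1.1.1l-sm2-plaintext.patch
+
+License: OpenSSL and ASL 2.0
+URL: http://www.openssl.org/
+@@ -212,6 +216,10 @@
+%patch84 -p1 -b .cve-2022-1292
+%patch85 -p1 -b .cve-2022-2068
+%patch86 -p1 -b .cve-2022-2097
++%patch100 -p1 -b .force-fips-on-init
++%patch101 -p1 -b .openssl-cnf-fips-mode
++%patch102 -p1 -b .remove-env-check
++%patch103 -p1 -b .sm2-plaintext
+
+%build
+# Figure out which flags we want to use.
+@@ -220,7 +228,7 @@
+%ifarch %ix86
+sslarch=linux-elf
+if ! echo %{_target} | grep -q i686 ; then
+- sslflags="no-asm 386"
++ sslflags="no-asm 386"
+fi
+%endif
+%ifarch x86_64
+@@ -286,13 +294,13 @@
+# usable on all platforms. The Configure script already knows to use -fPIC and
+# RPM_OPT_FLAGS, so we can skip specifiying them here.
+./Configure \
+- --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
+- --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
+- zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
+- enable-cms enable-md2 enable-rc5\
+- enable-weak-ssl-ciphers \
+- no-mdc2 no-ec2m no-sm2 no-sm4 \
+- shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'
++ --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
++ --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
++ zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
++ enable-cms enable-md2 enable-rc5\
++ enable-weak-ssl-ciphers \
++ no-mdc2 no-ec2m no-sm2 no-sm4 \
++ shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'
+
+# Do not run this in a production package the FIPS symbols must be patched-in
+#util/mkdef.pl crypto update
+@@ -352,9 +360,9 @@
+make DESTDIR=$RPM_BUILD_ROOT install
+rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}
+for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do
+- chmod 755 ${lib}
+- ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`
+- ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion}
++ chmod 755 ${lib}
++ ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`
++ ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion}
+done
+
+# Install a makefile for generating keys and self-signed certs, and a script
+@@ -375,21 +383,21 @@
+pushd $RPM_BUILD_ROOT%{_mandir}
+ln -s -f config.5 man5/openssl.cnf.5
+for manpage in man*/* ; do
+- if [ -L ${manpage} ]; then
+- TARGET=`ls -l ${manpage} | awk '{ print $NF }'`
+- ln -snf ${TARGET}ssl ${manpage}ssl
+- rm -f ${manpage}
+- else
+- mv ${manpage} ${manpage}ssl
+- fi
++ if [ -L ${manpage} ]; then
++ TARGET=`ls -l ${manpage} | awk '{ print $NF }'`
++ ln -snf ${TARGET}ssl ${manpage}ssl
++ rm -f ${manpage}
++ else
++ mv ${manpage} ${manpage}ssl
++ fi
+done
+for conflict in passwd rand ; do
+- rename ${conflict} ssl${conflict} man*/${conflict}*
++ rename ${conflict} ssl${conflict} man*/${conflict}*
+# Fix dangling symlinks
+- manpage=man1/openssl-${conflict}.*
+- if [ -L ${manpage} ] ; then
+- ln -snf ssl${conflict}.1ssl ${manpage}
+- fi
++ manpage=man1/openssl-${conflict}.*
++ if [ -L ${manpage} ] ; then
++ ln -snf ssl${conflict}.1ssl ${manpage}
++ fi
+done
+popd
+
+@@ -424,11 +432,11 @@
+# can have both a 32- and 64-bit version of the library, and they each need
+# their own correct-but-different versions of opensslconf.h to be usable.
+install -m644 %{SOURCE10} \
+- $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf-${basearch}.h
++ $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf-${basearch}.h
+cat $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h >> \
+- $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf-${basearch}.h
++ $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf-${basearch}.h
+install -m644 %{SOURCE9} \
+- $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h
++ $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h
+%endif
+LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
+export LD_LIBRARY_PATH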
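Review bot: Five of the seven hunks in this new spec patch (`@@ -220`, `@@ -286`, `@@ -352`, `@@ -375`, `@@ -424`) remove and re-add lines whose text is identical on this page, so they presumably change only indentation; they add nothing functional, yet they tie the patch to the exact layout of those regions of the 1.1.1k-7 spec, which is likely why the file now has to be renamed per release and will fail under the component's `--fuzz=0` as soon as the upstream spec drifts there. Keeping only the two hunks that declare `Patch100`–`Patch103` and apply them with `%patch100`–`%patch103` would give a smaller patch that survives point releases. The `./Configure` options on the `+` side (`enable-weak-ssl-ciphers`, `enable-md2`, `enable-rc5`, `no-sm2`) are carried over from the upstream spec unchanged, so the re-indented hunk does not alter the cipher set of the build. The file's path is not shown on this page; it is presumably the `openssl-1.1.1k-7-fips-spec-file.patch` the component now adds. A leading comment above the `---` header, e.g. `# Adds Patch100-103 (force-fips-on-init, openssl-cnf-fips-mode, remove-env-check, sm2-plaintext) to the CentOS 8-stream openssl-1.1.1k-7 spec; regenerate against the new spec on each source-rpm bump`, would record why it is version-specific.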
