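# openssl35.spec
#
# Builds OpenSSL %%{version} with the listed Red Hat patch set into its own
# prefix, /usr/local/openssl35, and links the command-line tool as
# /usr/local/bin/openssl35 so it does not replace the distribution's openssl.

# Disable generation of the -debuginfo subpackage.
%define debug_package %nil

Name:           openssl35
Version:        3.5.0
Release:        1%{?dist}
Summary:        openssl - Utilities from the general purpose cryptography library with TLS implementation
License:        Apache-2.0
URL:            https://www.openssl.org/

# Allow rpmbuild to download Source0 at build time. Nothing in this spec
# checks the downloaded tarball, so the build trusts whatever the URL returns.
# NOTE(review): pin the archive before %%autosetup unpacks it, e.g. in %%prep:
#   echo "<EXPECTED_SHA256>  %%{SOURCE0}" | sha256sum -c -
# <EXPECTED_SHA256> is a placeholder; take the value from the upstream release
# page, or verify the upstream detached signature instead.
%undefine _disable_source_fetch
Source0:        https://github.com/openssl/openssl/releases/download/openssl-3.5.0/openssl-3.5.0.tar.gz

# Local patch files, applied in order by %%autosetup -p1.
# NOTE(review): several file names carry their own status markers (DROP, TMP,
# REVIEW, NEEDS-REVIEW, NEEDS-REWORK, "Current-Rebase-status"); treat those
# patches as work in progress until someone has reviewed them for this build.
Patch0001: 0001-RH-Aarch64-and-ppc64le-use-lib64.patch
Patch0002: 0002-Add-a-separate-config-file-to-use-for-rpm-installs.patch
Patch0003: 0003-RH-Do-not-install-html-docs.patch
Patch0004: 0004-RH-apps-ca-fix-md-option-help-text.patch-DROP.patch
Patch0005: 0005-RH-Disable-signature-verification-with-bad-digests-R.patch
Patch0006: 0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch
Patch0007: 0007-RH-Add-FIPS_mode-compatibility-macro.patch
Patch0008: 0008-RH-Add-Kernel-FIPS-mode-flag-support-FIXSTYLE.patch
Patch0009: 0009-RH-Drop-weak-curve-definitions-RENAMED-SQUASHED.patch
Patch0010: 0010-RH-Disable-explicit-ec-curves.patch
Patch0011: 0011-RH-skipped-tests-EC-curves.patch
Patch0012: 0012-RH-skip-quic-pairwise.patch
Patch0013: 0013-RH-version-aliasing.patch
Patch0014: 0014-RH-Export-two-symbols-for-OPENSSL_str-n-casecmp.patch
Patch0015: 0015-RH-TMP-KTLS-test-skip.patch
Patch0016: 0016-RH-Allow-disabling-of-SHA1-signatures.patch
Patch0017: 0017-FIPS-Red-Hat-s-FIPS-module-name-and-version.patch
Patch0018: 0018-FIPS-disable-fipsinstall.patch
Patch0019: 0019-FIPS-Force-fips-provider-on.patch
Patch0020: 0020-FIPS-INTEG-CHECK-Embed-hmac-in-fips.so-NOTE.patch
Patch0021: 0021-FIPS-INTEG-CHECK-Add-script-to-hmac-ify-fips.so.patch
Patch0022: 0022-FIPS-INTEG-CHECK-Execute-KATS-before-HMAC-REVIEW.patch
Patch0023: 0023-FIPS-RSA-encrypt-limits-REVIEW.patch
Patch0024: 0024-FIPS-RSA-PCTs.patch
Patch0025: 0025-FIPS-RSA-encapsulate-limits.patch
Patch0026: 0026-FIPS-RSA-Disallow-SHAKE-in-OAEP-and-PSS.patch
Patch0027: 0027-FIPS-RSA-size-mode-restrictions.patch
Patch0028: 0028-FIPS-RSA-Mark-x931-as-not-approved-by-default.patch
Patch0029: 0029-FIPS-RSA-Remove-X9.31-padding-signatures-tests.patch
Patch0030: 0030-FIPS-RSA-NEEDS-REWORK-FIPS-Use-OAEP-in-KATs-support-.patch
Patch0031: 0031-FIPS-Deny-SHA-1-signature-verification.patch
Patch0032: 0032-FIPS-RAND-FIPS-140-3-DRBG-NEEDS-REVIEW.patch
Patch0033: 0033-FIPS-RAND-Forbid-truncated-hashes-SHA-3.patch
Patch0034: 0034-FIPS-PBKDF2-Set-minimum-password-length.patch
Patch0035: 0035-FIPS-DH-PCT.patch
Patch0036: 0036-FIPS-DH-Disable-FIPS-186-4-type-parameters.patch
Patch0037: 0037-FIPS-TLS-Enforce-EMS-in-TLS-1.2-NOTE.patch
Patch0038: 0038-FIPS-CMS-Set-default-padding-to-OAEP.patch
Patch0039: 0039-FIPS-PKCS12-PBMAC1-defaults.patch
Patch0040: 0040-FIPS-Fix-encoder-decoder-negative-test.patch
Patch0041: 0041-FIPS-EC-DH-DSA-PCTs.patch
Patch0042: 0042-FIPS-EC-disable-weak-curves.patch
Patch0043: 0043-FIPS-NO-DSA-Support.patch
Patch0044: 0044-FIPS-NO-DES-support.patch
Patch0045: 0045-FIPS-NO-Kmac.patch
Patch0046: 0046-FIPS-NO-PQ-ML-SLH-DSA.patch
Patch0047: 0047-FIPS-Fix-some-tests-due-to-our-versioning-change.patch
Patch0048: 0048-Current-Rebase-status.patch
Patch0049: 0049-FIPS-KDF-key-lenght-errors.patch
Patch0050: 0050-FIPS-fix-disallowed-digests-tests.patch
Patch0051: 0051-Make-openssl-speed-run-in-FIPS-mode.patch
Patch0052: 0052-Backport-upstream-27483-for-PKCS11-needs.patch
Patch0053: 0053-Red-Hat-9-FIPS-indicator-defines.patch
Patch0054: 0054-crypto-disable-OSSL_PARAM_REAL-on-UEFI.patch
Patch0055: 0055-hashfunc-add-stddef.h-include.patch
Patch0056: 0056-rio-add-RIO_POLL_METHOD_NONE.patch
Patch0057: 0057-apps-x509.c-Fix-the-addreject-option-adding-trust-in.patch
#%if ( %{defined rhel} && (! %{defined centos}) )
#Patch0058: 0058-Allow-hybrid-MLKEM-in-FIPS-mode.patch
#%endif
#
#The patches that are different for RHEL9 and 10 start here
Patch0100: 0100-RHEL9-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
Patch0101: 0101-FIPS-enable-pkcs12-mac.patch

# NOTE(review): "g++" - confirm that some package provides this name on the
# target distribution; the C++ compiler package there is usually gcc-c++.
BuildRequires: make, gcc,g++, coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp
BuildRequires: lksctp-tools-devel
BuildRequires: /usr/bin/rename
BuildRequires: /usr/bin/pod2man
BuildRequires: /usr/sbin/sysctl
BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt)
BuildRequires: perl(Module::Load::Conditional), perl(File::Temp)
BuildRequires: perl(Time::HiRes), perl(Time::Piece), perl(IPC::Cmd), perl(Pod::Html), perl(Digest::SHA)
BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy), perl(bigint)
#Requires:

%description
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and protocols.

%prep
# Unpack Source0 into openssl-<version> and apply every PatchNNNN with -p1.
%autosetup -p1 -n openssl-%{version}

%build
# Figure out which flags we want to use.
# default
sslarch=%{_os}-%{_target_cpu}
%ifarch x86_64
sslflags=enable-ec_nistp_64_gcc_128
%endif

# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
# marked as not requiring an executable stack.
# Also add -DPURIFY to make using valgrind with openssl easier as we do not
# want to depend on the uninitialized memory as a source of entropy anyway.
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS"

export HASHBANGPERL=/usr/bin/perl

# Version string compiled into the FIPS provider via -DREDHAT_FIPS_VERSION.
# NOTE(review): srpmhash is not defined in the visible spec; unless it is
# supplied from outside (for example with --define), the compiled-in version
# string will contain the literal, unexpanded macro text.
%define fips %{version}-%{srpmhash}

# ia64, x86_64, ppc are OK by default
# Configure the build tree.  Override OpenSSL defaults with known-good defaults
# usable on all platforms.  The Configure script already knows to use -fPIC and
# RPM_OPT_FLAGS, so we can skip specifying them here.
#
# Not passed in this build:
#--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
#
# Points a reviewer should confirm before shipping this configuration:
#  * enable-sslkeylog compiles in SSLKEYLOGFILE support: when that environment
#    variable is set, libssl writes TLS session secrets to the named file.
#    Keep it only if that debugging hook is wanted in every consumer.
#  * enable-md2 and enable-rc5 build legacy algorithms; keep them only if
#    something still needs them.
#  * REDHAT_FIPS_VENDOR / REDHAT_FIPS_VERSION label the provider as Red Hat's
#    FIPS provider. If this package is rebuilt outside Red Hat's own build
#    system, those strings are not evidence of a validated module.
#  * The rpath is %%{_libdir} (the system library directory), while everything
#    built here installs under /usr/local/%%{name}. Confirm that the installed
#    openssl35 binary resolves libssl/libcrypto from its own prefix and not
#    from the system copy; if it does not, the rpath should name this
#    package's library directory.
# ${sslflags} and $RPM_OPT_FLAGS are left unquoted on purpose: they hold
# several space-separated options (or nothing) and must be word-split.
./Configure \
    --prefix=/usr/local/%{name} --openssldir=/usr/local/%{name}/ssl ${sslflags} \
    zlib enable-camellia enable-seed enable-rfc3779 enable-sctp enable-sslkeylog \
    enable-cms enable-md2 enable-rc5 enable-ktls enable-fips -D_GNU_SOURCE \
    no-mdc2 no-ec2m no-sm2 no-sm4 no-atexit enable-buildtest-c++ \
    shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""' -DOPENSSL_PEDANTIC_ZEROIZATION \
    -DREDHAT_FIPS_VENDOR='"\"Red Hat Enterprise Linux OpenSSL FIPS Provider\""' -DREDHAT_FIPS_VERSION='"\"%{fips}\""' \
    -Wl,-rpath,%{_libdir} -Wl,--allow-multiple-definition

make %{?_smp_mflags} all

%install
# Quote the build root and refuse to run if it is empty, so a missing value
# can never turn this into a removal of an unintended path.
rm -rf -- "${RPM_BUILD_ROOT:?}"
%make_install

# Expose the CLI as /usr/local/bin/openssl35 through a relative symlink.
# The link is created by full path rather than after a cd, so the working
# directory is unchanged for whatever rpmbuild runs after this section.
mkdir -p "$RPM_BUILD_ROOT/usr/local/bin"
ln -s ../openssl35/bin/openssl "$RPM_BUILD_ROOT/usr/local/bin/openssl35"

%files
%{!?_licensedir:%global license %%doc}
%license LICENSE.txt
%doc NEWS.md README.md
/usr/local/openssl35/*
/usr/local/bin/openssl35

%changelog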