#!/bin/bash # Copyright 2000 BSDi, Inc. Concord, CA, USA # Copyright 2001, 2002 Slackware Linux, Inc. Concord, CA, USA # Copyright 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2018, 2023, 2024 Patrick J. Volkerding, Sebeka, MN, USA # All rights reserved. # # Redistribution and use of this script, with or without modification, is # permitted provided that the following conditions are met: # # 1. Redistributions of this script must retain the above copyright # notice, this list of conditions and the following disclaimer. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED # WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF # MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO # EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, # PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; # OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR # OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF # ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # Set initial variables: cd $(dirname $0) ; CWD=$(pwd) TMP=${TMP:-/tmp} PKGNAM=openssl11 VERSION=${VERSION:-$(echo openssl-*.tar.gz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} # Get the new version number from the latest patch: PKGVER=$(grep "^+" $(/bin/ls -t 00*patch | head -n 1) | grep OPENSSL_VERSION_TEXT | cut -f 2 -d \" | cut -f 2 -d ' ') BUILD=${BUILD:-1} # Automatically determine the architecture we're building on: if [ -z "$ARCH" ]; then case "$( uname -m )" in i?86) export ARCH=i586 ;; arm*) export ARCH=arm ;; # Unless $ARCH is already set, use uname -m for all other archs: *) export ARCH=$( uname -m ) ;; esac fi PKG1=$TMP/package-openssl11 PKG2=$TMP/package-ossllibs11 NAME1=openssl11-$PKGVER-$ARCH-$BUILD NAME2=openssl11-solibs-$PKGVER-$ARCH-$BUILD # If the variable PRINT_PACKAGE_NAME is set, then this script will report what # the name of the created package would be, and then exit. This information # could be useful to other scripts. if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then echo "${NAME1}.txz" echo "${NAME2}.txz" exit 0 fi # Parallel build doesn't link properly. #NUMJOBS=${NUMJOBS:-" -j$(expr $(nproc) + 1) "} # So that ls has the right field counts for parsing... export LC_ALL=C cd $TMP rm -rf $PKG1 $PKG2 openssl-$VERSION tar xvf $CWD/openssl-$VERSION.tar.gz || exit 1 cd openssl-$VERSION # Fix pod syntax errors which are fatal wih a newer perl: find . -name "*.pod" -exec sed -i "s/^\=item \([0-9]\)\(\ \|$\)/\=item C<\1>/g" {} \; # Apply patches to fix CVEs that were fixed by the 1.1.1{x,y,za} releases that # were only available to subscribers to OpenSSL's premium extended support. # These patches were prepared by backporting commits from the OpenSSL-3.0 repo. # Thanks to Ken Zalewski! cat $CWD/0001-openssl-1.1.1x_CVE-2023-5678_CVE-2024-0727.patch | patch -p1 --verbose || exit 1 cat $CWD/0002-openssl-1.1.1y_CVE-2024-2511_CVE-2024-4741.patch | patch -p1 --verbose || exit 1 cat $CWD/0003-openssl-1.1.1za_CVE-2024-5535.patch | patch -p1 --verbose || exit 1 cat $CWD/0004-openssl-1.1.1zb_CVE_2024_9143.patch | patch -p1 --verbose || exit 1 ## For openssl-1.1.x, don't try to change the soname. ## Use .so.1, not .so.1.0.0: #sed -i "s/soname=\$\$SHLIB\$\$SHLIB_SOVER\$\$SHLIB_SUFFIX/soname=\$\$SHLIB.1/g" Makefile.shared if [ "$ARCH" = "i586" ]; then # Build with -march=i586 -mtune=i686: sed -i "/linux-elf/s/fomit-frame-pointer/fomit-frame-pointer -march=i586 -mtune=i686/g" Configure LIBDIRSUFFIX="" elif [ "$ARCH" = "i686" ]; then # Build with -march=pentium4 -mtune=generic: sed -i "/linux-elf/s/fomit-frame-pointer/fomit-frame-pointer -march=pentium4 -mtune=generic/g" Configure LIBDIRSUFFIX="" elif [ "$ARCH" = "x86_64" ]; then LIBDIRSUFFIX="64" else LIBDIRSUFFIX=${LIBDIRSUFFIX:-""} fi # OpenSSL has a (nasty?) habit of bumping the internal version number with # every release. This wouldn't be so bad, but some applications are so # paranoid that they won't run against a different OpenSSL version than # what they were compiled against, whether or not the ABI has changed. # # So, we will use the OPENSSL_VERSION_NUMBER from openssl-1.1.1 unless ABI # breakage forces it to change. Yes, we're finally using this old trick. :) sed -i "s/#define OPENSSL_VERSION_NUMBER.*/\/* Use 0x1010100fL (1.1.1) below to avoid pointlessly breaking the ABI *\/\n#define OPENSSL_VERSION_NUMBER 0x1010100fL/g" include/openssl/opensslv.h || exit 1 chown -R root:root . mkdir -p $PKG1/usr/doc/openssl-$PKGVER cp -a ACKNOWLEDGEMENTS AUTHORS CHANGES* CONTRIBUTING FAQ INSTALL* \ LICENSE* NEWS NOTES* README* doc \ $PKG1/usr/doc/openssl-$PKGVER # For this backported package, let's put the patches in the documentation since # the CHANGES and other files are not up-to-date with the reported version. # This'll make it more clear exactly what this package is. cp -a $CWD/00* $PKG1/usr/doc/openssl-$PKGVER chown root:root $PKG1/usr/doc/openssl-$PKGVER/00* find $PKG1/usr/doc/openssl-$PKGVER -type d -exec chmod 755 {} \+ find $PKG1/usr/doc/openssl-$PKGVER -type f -exec chmod 644 {} \+ # If there's a CHANGES file, installing at least part of the recent history # is useful, but don't let it get totally out of control: if [ -r CHANGES ]; then DOCSDIR=$(echo $PKG1/usr/doc/*-$PKGVER) cat CHANGES | head -n 2000 > $DOCSDIR/CHANGES touch -r CHANGES $DOCSDIR/CHANGES fi # Add patch for pure 64 bits mips64 library zcat $CWD/mips64_64bits.patch.gz | patch -p1 --verbose || exit 1 # These are the known patent issues with OpenSSL: # name # expires # MDC-2: 4,908,861 2007-03-13, not included. # IDEA: 5,214,703 2010-05-25, not included. # # Although all of the above are expired, it's still probably # not a good idea to include them as there are better # algorithms to use. KERNEL_BITS=$LIBDIRSUFFIX ./config \ --prefix=/usr \ --openssldir=/etc/ssl \ --libdir=lib${LIBDIRSUFFIX}/openssl-1.1 \ zlib \ enable-camellia \ enable-seed \ enable-rfc3779 \ enable-cms \ enable-md2 \ enable-rc5 \ enable-ssl3 \ enable-ssl3-method \ no-weak-ssl-ciphers \ no-mdc2 \ no-ec2m \ no-idea \ no-sse2 \ shared make $NUMJOBS depend || make depend || exit 1 make $NUMJOBS || make || exit 1 make install DESTDIR=$PKG1 || exit 1 # No thanks on static libraries: rm -f $PKG1/usr/lib${LIBDIRSUFFIX}/openssl-1.1/*.a # Also no thanks on .pod versions of the already shipped manpages: rm -rf $PKG1/usr/doc/openssl-*/doc/man* # Move libraries, as they might be needed by programs that bring a network # mounted /usr online: mkdir $PKG1/lib${LIBDIRSUFFIX} ( cd $PKG1/usr/lib${LIBDIRSUFFIX}/openssl-1.1 for file in lib*.so.?.* ; do mv $file ../../../lib${LIBDIRSUFFIX} ln -sf ../../../lib${LIBDIRSUFFIX}/$file . done ) # Move include files: mkdir -p $PKG1/usr/include/openssl-1.1 mv $PKG1/usr/include/openssl $PKG1/usr/include/openssl-1.1/openssl # Edit .pc files to correct the includedir: sed -e "s|/include$|/include/openssl-1.1|" -i $PKG1/usr/lib${LIBDIRSUFFIX}/openssl-1.1/pkgconfig/*.pc # Rename openssl binary: mv $PKG1/usr/bin/openssl $PKG1/usr/bin/openssl-1.1 # Don't package these things: rm -rf $PKG1/etc $PKG1/usr/bin/c_rehash # Not needed in openssl11 compat package. # ## Add a cron script to warn root if a certificate is going to expire soon: #mkdir -p $PKG1/etc/cron.daily #zcat $CWD/certwatch.gz > $PKG1/etc/cron.daily/certwatch.new #chmod 755 $PKG1/etc/cron.daily/certwatch.new #mv $PKG1/etc/ssl/openssl.cnf $PKG1/etc/ssl/openssl.cnf.new ( cd $PKG1 find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null find . | xargs file | grep "shared object" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null ) # Remove the man pages and installed docs: rm -r $PKG1/usr/share/{doc,man} rmdir $PKG1/usr/share cd $PKG1 #chmod 755 usr/lib${LIBDIRSUFFIX}/pkgconfig #sed -i -e "s#lib\$#lib${LIBDIRSUFFIX}#" usr/lib${LIBDIRSUFFIX}/pkgconfig/*.pc mkdir -p install cat $CWD/slack-desc.openssl11 > install/slack-desc /sbin/makepkg -l y -c n $TMP/${NAME1}.txz # Make runtime package: mkdir -p $PKG2/lib${LIBDIRSUFFIX} ( cd lib${LIBDIRSUFFIX} ; cp -a lib*.so.* $PKG2/lib${LIBDIRSUFFIX} ) mkdir -p $PKG2/usr/lib${LIBDIRSUFFIX}/openssl-1.1 cp -a $PKG1//usr/lib${LIBDIRSUFFIX}/openssl-1.1/engines-1.1 $PKG2/usr/lib${LIBDIRSUFFIX}/openssl-1.1 ( cd $PKG2/lib${LIBDIRSUFFIX} for file in lib*.so.?.? ; do ( cd $PKG2/usr/lib${LIBDIRSUFFIX}/openssl-1.1 ; ln -sf ../../../lib${LIBDIRSUFFIX}/$file . ) done ) #mkdir -p $PKG2/etc #( cd $PKG2/etc ; cp -a $PKG1/etc/ssl . ) mkdir -p $PKG2/usr/doc/openssl-$PKGVER ( cd $TMP/openssl-$VERSION cp -a CHANGES CHANGES.SSLeay FAQ INSTALL INSTALL.MacOS INSTALL.VMS INSTALL.W32 \ LICENSE NEWS README README.ENGINE $PKG2/usr/doc/openssl-$PKGVER # If there's a CHANGES file, installing at least part of the recent history # is useful, but don't let it get totally out of control: if [ -r CHANGES ]; then DOCSDIR=$(echo $PKG2/usr/doc/*-$PKGVER) cat CHANGES | head -n 2000 > $DOCSDIR/CHANGES touch -r CHANGES $DOCSDIR/CHANGES fi ) find $PKG2/usr/doc/openssl-$PKGVER -type d -exec chmod 755 {} \+ find $PKG2/usr/doc/openssl-$PKGVER -type f -exec chmod 644 {} \+ cd $PKG2 mkdir -p install cat $CWD/slack-desc.openssl11-solibs > install/slack-desc /sbin/makepkg -l y -c n $TMP/${NAME2}.txz