#!/bin/sh ulimit -s unlimited shopt -s extglob # Copyright 2000 BSDi, Inc. Concord, CA, USA # Copyright 2001, 2002 Slackware Linux, Inc. Concord, CA, USA # Copyright 2005-2024 Patrick J. Volkerding, Sebeka, MN, USA # All rights reserved. # # Redistribution and use of this script, with or without modification, is # permitted provided that the following conditions are met: # # 1. Redistributions of this script must retain the above copyright # notice, this list of conditions and the following disclaimer. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED # WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF # MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO # EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, # PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; # OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR # OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF # ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # openssl11.SlackBuild # Heavily based on the original Slackware build scripts, # with patches and parts taken from Debian's 'rules' script; # Modified by Stuart Winter # 22-Dec-2004 # Record toolchain & other info for the build log: slackbuildinfo # Paths to skeleton port's source & real Slackware source tree: slackset_var_cwds # Detect whether we're building for /patches: # This function sets the variable 'SLACKPATCHING' slack_findpkgstore_is_stablerelease # Temporary build locations: export TMPBUILD=$TMP/build-$PKGNAM export PKG=$TMP/package-$PKGNAM mkpkgdirs # Delete and re-create temporary directories # This build script creates the basic a/openssl-solibs (consisting just of the shared objects) # plus the full n/openssl package: PKG1=$TMP/package-openssl11 PKG2=$TMP/package-ossllibs11 NAME1=${PKGNAM}11-$VERSION-$ARCH-$BUILD NAME2=${PKGNAM}11-solibs-$VERSION-$ARCH-$BUILD cd $TMP rm -rf $PKG1 $PKG2 mkdir -p $PKG1/install $PKG2/{install,usr} # Extract source: cd $TMPBUILD tar xvvf $CWD/openssl-*.tar.!(*sign|*asc|*sig) cd openssl*/ || failextract slackhousekeeping # Apply patches to fix CVEs that were fixed by the 1.1.1{x,y,za} releases that # were only available to subscribers to OpenSSL's premium extended support. # These patches were prepared by backporting commits from the OpenSSL-3.0 repo. # Thanks to Ken Zalewski! cat $CWD/0001-openssl-1.1.1x_CVE-2023-5678_CVE-2024-0727.patch | patch -p1 --verbose || exit 1 cat $CWD/0002-openssl-1.1.1y_CVE-2024-2511_CVE-2024-4741.patch | patch -p1 --verbose || exit 1 cat $CWD/0003-openssl-1.1.1za_CVE-2024-5535.patch | patch -p1 --verbose || exit 1 cat $CWD/0004-openssl-1.1.1zb_CVE_2024_9143.patch | patch -p1 --verbose || exit 1 # Fix pod syntax errors which are fatal wih a newer perl: find . -name "*.pod" -exec sed -i "s/^\=item \([0-9]\)\(\ \|$\)/\=item C<\1>/g" {} \; # This Configure file was taken from Debian's diff. # We've always used this since openssl-0.x, and Red Hat has a similar patch. # I wonder why this isn't upstream yet.. # We're also using ARM assembler optimisations - see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=676533 # Determine the architecture type and toolchain flags: case $ARCH in arm) OSSL_BUILDARCH="debian-armhf" xz -dc $PORTCWD/sources/debian-targets.patch.xz | sed -e 's?${debian_cflags}?'"$SLKCFLAGS"'?g' -e 's?no_asm?armv4_asm?g' | patch -p1 --verbose || exit 1 ;; aarch64) OSSL_BUILDARCH="debian-arm64" xz -dc $PORTCWD/sources/debian-targets.patch.xz | patch -p1 --verbose || exit 1 ;; esac # Use .so.1, not .so.1.0.0: #sed -i "s/soname=\$\$SHLIB\$\$SHLIB_SOVER\$\$SHLIB_SUFFIX/soname=\$\$SHLIB.1/g" Makefile.shared # OpenSSL has a (nasty?) habit of bumping the internal version number with # every release. This wouldn't be so bad, but some applications are so # paranoid that they won't run against a different OpenSSL version than # what they were compiled against, whether or not the ABI has changed. # # So, we will use the OPENSSL_VERSION_NUMBER from openssl-1.1.1 unless ABI # breakage forces it to change. Yes, we're finally using this old trick. :) sed -i "s/#define OPENSSL_VERSION_NUMBER.*/\/* Use 0x1010100fL (1.1.1) below to avoid pointlessly breaking the ABI *\/\n#define OPENSSL_VERSION_NUMBER 0x1010100fL/g" include/openssl/opensslv.h || exit 1 # Copy docs: mkdir -p $PKG1/usr/doc/openssl-$VERSION cp -fav \ ACKNOWLEDGEMENTS AUTHORS CHANGES* CONTRIBUTING FAQ INSTALL* \ LICENSE* NEWS NOTES* README* doc \ $PKG1/usr/doc/openssl-$VERSION # For this backported package, let's put the patches in the documentation since # the CHANGES and other files are not up-to-date with the reported version. # This'll make it more clear exactly what this package is. cp -fav $CWD/00* $PKG1/usr/doc/openssl-$VERSION/ # If there's a CHANGES file, installing at least part of the recent history # is useful, but don't let it get totally out of control: if [ -r CHANGES ]; then DOCSDIR=$(echo $PKG1/usr/doc/*-$VERSION) cat CHANGES | head -n 2000 > $DOCSDIR/CHANGES touch -r CHANGES $DOCSDIR/CHANGES fi # Make apps/openssl work after compilation so that it can generate # certificates. This is required since we removepkg openssl before building. ln -vfs libcrypto.so libcrypto.so.0 ln -vfs libssl.so libssl.so.0 # Configure: perl \ Configure \ --prefix=/usr \ --openssldir=/etc/ssl \ --libdir=lib${LIBDIRSUFFIX}/openssl-1.1 \ zlib \ enable-camellia \ enable-seed \ enable-rfc3779 \ enable-cms \ enable-md2 \ enable-rc5 \ enable-ssl3 \ enable-ssl3-method \ no-weak-ssl-ciphers \ no-mdc2 \ no-ec2m \ no-idea \ no-sse2 \ shared \ ${OSSL_BUILDARCH} || exit 1 # Build: make depend || exit 1 ln -vsf apps/openssl.pod crypto/crypto.pod ssl/ssl.pod doc/ make $NUMJOBS || make || exit 1 # Install into package: make install DESTDIR=$PKG1 || exit 1 # No thanks on static libraries: rm -fv $PKG1/usr/lib${LIBDIRSUFFIX}/openssl-1.1/*.a # Also no thanks on .pod versions of the already shipped manpages: rm -rfv $PKG1/usr/doc/openssl-*/doc/man* # Move libraries, as they might be needed by programs that bring a network # mounted /usr online: mkdir -vpm755 $PKG1/lib${LIBDIRSUFFIX} ( cd $PKG1/usr/lib${LIBDIRSUFFIX}/openssl-1.1 for file in lib*.so.?.* ; do mv -fv $file ../../../lib${LIBDIRSUFFIX} ln -vsf ../../../lib${LIBDIRSUFFIX}/$file . done ) # Move include files: mkdir -p $PKG1/usr/include/openssl-1.1 mv $PKG1/usr/include/openssl $PKG1/usr/include/openssl-1.1/openssl # Edit .pc files to correct the includedir: sed -e "s|/include$|/include/openssl-1.1|" -i $PKG1/usr/lib${LIBDIRSUFFIX}/openssl-1.1/pkgconfig/*.pc # Rename openssl binary: mv $PKG1/usr/bin/openssl $PKG1/usr/bin/openssl-1.1 # Don't package these things: rm -rf $PKG1/etc $PKG1/usr/bin/c_rehash # Not needed in openssl11 compat package. # ## Add a cron script to warn root if a certificate is going to expire soon: #mkdir -p $PKG1/etc/cron.daily #zcat $CWD/certwatch.gz > $PKG1/etc/cron.daily/certwatch.new #chmod 755 $PKG1/etc/cron.daily/certwatch.new #mv $PKG1/etc/ssl/openssl.cnf $PKG1/etc/ssl/openssl.cnf.new # Remove the man pages and installed docs: rm -r $PKG1/usr/share/{doc,man} rmdir $PKG1/usr/share ########################################################### # Build main package ########################################################### cd $PKG1 #chmod 755 usr/lib${LIBDIRSUFFIX}/pkgconfig #sed -i -e "s#lib\$#lib${LIBDIRSUFFIX}#" usr/lib${LIBDIRSUFFIX}/pkgconfig/*.pc # Set some generic Slackware packaging policies: slackgzpages -i # compress man & info pages and delete usr/info/dir slackslack # set all files to root.root, chmod -R og-w, slackchown, slack644docs slackdesc # install slack-desc and doinst.sh # Install package description: install -vpm644 $CWD/slack-desc.openssl11 install/slack-desc # Build 'openssl' full package: #[ "$SLACKPATCHING" = "yes" ] && export PKGSERIES=patches || export PKGSERIES=n [ "$SLACKPATCHING" != "yes" ] && export PKGSERIES=n slackmp ########################################################### # Build runtime package ########################################################### mkdir -vpm755 $PKG2/{etc,install,lib${LIBDIRSUFFIX}} # Copy libs from $PKG1 (we remain in its directory): ( cd lib${LIBDIRSUFFIX} ; cp -fav lib*.so.* $PKG2/lib${LIBDIRSUFFIX} ) mkdir -p $PKG2/usr/lib${LIBDIRSUFFIX}/openssl-1.1 cp -a $PKG1/usr/lib${LIBDIRSUFFIX}/openssl-1.1/engines-1.1 $PKG2/usr/lib${LIBDIRSUFFIX}/openssl-1.1 ( cd $PKG2/lib${LIBDIRSUFFIX} for file in lib*.so.?.? ; do ( cd $PKG2/usr/lib${LIBDIRSUFFIX}/openssl-1.1 ; ln -vsf ../../../lib${LIBDIRSUFFIX}/$file . ) done ) #mkdir -p $PKG2/etc #( cd $PKG2/etc ; cp -a $PKG1/etc/ssl . ) mkdir -vpm755 $PKG2/usr/doc/openssl-$VERSION ( cd $TMPBUILD/openssl-*/ cp -fav \ CHANGES CHANGES.SSLeay FAQ INSTALL INSTALL.MacOS INSTALL.VMS INSTALL.W32 \ LICENSE NEWS README README.ENGINE $PKG2/usr/doc/openssl-$VERSION \ $PKG2/usr/doc/openssl-$VERSION # If there's a CHANGES file, installing at least part of the recent history # is useful, but don't let it get totally out of control: if [ -r CHANGES ]; then DOCSDIR=$(echo $PKG2/usr/doc/*-$VERSION) cat CHANGES | head -n 2000 > $DOCSDIR/CHANGES touch -r CHANGES $DOCSDIR/CHANGES fi ) # Build runtime package: cd $PKG2 install -vpm644 $CWD/slack-desc.openssl11-solibs install/slack-desc #zcat $CWD/doinst.sh-openssl11-solibs.gz > install/doinst.sh # Append "solibs" to the package name: #[ "$SLACKPATCHING" = "yes" ] && export PKGSERIES=patches || export PKGSERIES=a [ "$SLACKPATCHING" != "yes" ] && export PKGSERIES=a export PKGNAM=openssl11-solibs export SLACKPACKAGE=$PKGNAM-$VERSION-$PKGARCH-$BUILD.txz slackmp