#!/bin/sh ulimit -s unlimited shopt -s extglob # Copyright 2000 BSDi, Inc. Concord, CA, USA # Copyright 2001, 2002 Slackware Linux, Inc. Concord, CA, USA # Copyright 2005-2024 Patrick J. Volkerding, Sebeka, MN, USA # All rights reserved. # # Redistribution and use of this script, with or without modification, is # permitted provided that the following conditions are met: # # 1. Redistributions of this script must retain the above copyright # notice, this list of conditions and the following disclaimer. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED # WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF # MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO # EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, # PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; # OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR # OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF # ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # openssl.SlackBuild # Heavily based on the original Slackware build scripts, # with patches and parts taken from Debian's 'rules' script; # Modified by Stuart Winter # 22-Dec-2004 # Record toolchain & other info for the build log: slackbuildinfo # Paths to skeleton port's source & real Slackware source tree: slackset_var_cwds # Detect whether we're building for /patches: # This function sets the variable 'SLACKPATCHING' slack_findpkgstore_is_stablerelease # Temporary build locations: export TMPBUILD=$TMP/build-$PKGNAM export PKG=$TMP/package-$PKGNAM mkpkgdirs # Delete and re-create temporary directories # This build script creates the basic a/openssl-solibs (consisting just of the shared objects) # plus the full n/openssl package: PKG1=$TMP/package-openssl PKG2=$TMP/package-ossllibs NAME1=$PKGNAM-$VERSION-$ARCH-$BUILD NAME2=$PKGNAM-solibs-$VERSION-$ARCH-$BUILD cd $TMP rm -rf $PKG1 $PKG2 mkdir -p $PKG1/install $PKG2/{install,usr} # Extract source: cd $TMPBUILD tar xvvf $CWD/openssl-*.tar.!(*sign|*asc|*sig) cd $PKGNAM-*/ || failextract slackhousekeeping # Apply patches to fix CVEs that were fixed by the 1.1.1{x,y,za} releases that # were only available to subscribers to OpenSSL's premium extended support. # These patches were prepared by backporting commits from the OpenSSL-3.0 repo. # Thanks to Ken Zalewski! cat $CWD/0001-openssl-1.1.1x_CVE-2023-5678_CVE-2024-0727.patch | patch -p1 --verbose || exit 1 cat $CWD/0002-openssl-1.1.1y_CVE-2024-2511_CVE-2024-4741.patch | patch -p1 --verbose || exit 1 cat $CWD/0003-openssl-1.1.1za_CVE-2024-5535.patch | patch -p1 --verbose || exit 1 cat $CWD/0004-openssl-1.1.1zb_CVE_2024_9143.patch | patch -p1 --verbose || exit 1 # Fix pod syntax errors which are fatal wih a newer perl: find . -name "*.pod" -exec sed -i "s/^\=item \([0-9]\)\(\ \|$\)/\=item C<\1>/g" {} \; # This Configure file was taken from Debian's diff. # We've always used this since openssl-0.x, and Red Hat has a similar patch. # I wonder why this isn't upstream yet.. # We're also using ARM assembler optimisations - see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=676533 # Determine the architecture type and toolchain flags: case $ARCH in arm) OSSL_BUILDARCH="debian-armhf" xz -dc $PORTCWD/sources/debian-targets.patch.xz | sed -e 's?${debian_cflags}?'"$SLKCFLAGS"'?g' -e 's?no_asm?armv4_asm?g' | patch -p1 --verbose || exit 1 ;; aarch64) OSSL_BUILDARCH="debian-arm64" xz -dc $PORTCWD/sources/debian-targets.patch.xz | patch -p1 --verbose || exit 1 ;; esac # Use .so.1, not .so.1.0.0: #sed -i "s/soname=\$\$SHLIB\$\$SHLIB_SOVER\$\$SHLIB_SUFFIX/soname=\$\$SHLIB.1/g" Makefile.shared # OpenSSL has a (nasty?) habit of bumping the internal version number with # every release. This wouldn't be so bad, but some applications are so # paranoid that they won't run against a different OpenSSL version than # what they were compiled against, whether or not the ABI has changed. # # So, we will use the OPENSSL_VERSION_NUMBER from openssl-1.1.1 unless ABI # breakage forces it to change. Yes, we're finally using this old trick. :) sed -i "s/#define OPENSSL_VERSION_NUMBER.*/\/* Use 0x1010100fL (1.1.1) below to avoid pointlessly breaking the ABI *\/\n#define OPENSSL_VERSION_NUMBER 0x1010100fL/g" include/openssl/opensslv.h || exit 1 # Copy docs: mkdir -p $PKG1/usr/doc/openssl-$VERSION cp -fav \ ACKNOWLEDGEMENTS AUTHORS CHANGES* CONTRIBUTING FAQ INSTALL* \ LICENSE* NEWS NOTES* README* doc \ $PKG1/usr/doc/openssl-$VERSION # For this backported package, let's put the patches in the documentation since # the CHANGES and other files are not up-to-date with the reported version. # This'll make it more clear exactly what this package is. cp -fav $CWD/00* $PKG1/usr/doc/openssl-$VERSION/ # If there's a CHANGES file, installing at least part of the recent history # is useful, but don't let it get totally out of control: if [ -r CHANGES ]; then DOCSDIR=$(echo $PKG1/usr/doc/*-$VERSION) cat CHANGES | head -n 2000 > $DOCSDIR/CHANGES touch -r CHANGES $DOCSDIR/CHANGES fi # Make apps/openssl work after compilation so that it can generate # certificates. This is required since we removepkg openssl before building. ln -vfs libcrypto.so libcrypto.so.0 ln -vfs libssl.so libssl.so.0 # Configure: perl \ Configure \ --prefix=/usr \ --openssldir=/etc/ssl \ --libdir=lib${LIBDIRSUFFIX} \ zlib \ enable-camellia \ enable-seed \ enable-rfc3779 \ enable-cms \ enable-md2 \ enable-rc5 \ enable-ssl3 \ enable-ssl3-method \ no-weak-ssl-ciphers \ no-mdc2 \ no-ec2m \ no-idea \ no-sse2 \ shared \ ${OSSL_BUILDARCH} || exit 1 # Build: make depend || exit 1 ln -vsf apps/openssl.pod crypto/crypto.pod ssl/ssl.pod doc/ make $NUMJOBS || make || exit 1 # Install into package: make install DESTDIR=$PKG1 || exit 1 # No thanks on the static libraries: rm -f $PKG1/usr/lib${LIBDIRSUFFIX}/*.a # No thanks on manpages duplicated as html: rm -rf $PKG1/usr/share/doc # Also no thanks on .pod versions of the already shipped manpages: rm -rf $PKG1/usr/doc/openssl-*/doc/man* # Add a cron script to warn root if a certificate is going to expire soon: mkdir -vpm755 $PKG1/etc/cron.daily zcat $CWD/certwatch.gz > $PKG1/etc/cron.daily/certwatch.new chmod 755 $PKG1/etc/cron.daily/certwatch.new # Make config file non-clobber: mv -fv $PKG1/etc/ssl/openssl.cnf $PKG1/etc/ssl/openssl.cnf.new # Remove duplicate config file: rm -f $PKG1/etc/ssl/openssl.cnf.dist # Move libraries, as they might be needed by programs that bring a network # mounted /usr online: mkdir -vpm755 $PKG1/lib${LIBDIRSUFFIX} ( cd $PKG1/usr/lib${LIBDIRSUFFIX} for file in lib*.so.?.* ; do mv -fv $file ../../lib${LIBDIRSUFFIX} ln -vsf ../../lib${LIBDIRSUFFIX}/$file . done ) # Relocate the manpages: mv -fv $PKG1/usr/share/man $PKG1/usr rmdir $PKG1/usr/share # Fix manpage name collisions, and relink anything that linked to the old name: ( cd $PKG1/usr/man/man1 mv passwd.1 ssl_passwd.1 for file in *.1 ; do if [ -L $file ]; then if [ "$(readlink $file)" = "passwd.1" ]; then rm -f $file ln -sf ssl_passwd.1 $file fi fi done ) ########################################################### # Build main package ########################################################### cd $PKG1 chmod 755 usr/lib${LIBDIRSUFFIX}/pkgconfig sed -i -e "s#lib\$#lib${LIBDIRSUFFIX}#" usr/lib${LIBDIRSUFFIX}/pkgconfig/*.pc # Set some generic Slackware packaging policies: slackgzpages -i # compress man & info pages and delete usr/info/dir slackslack # set all files to root.root, chmod -R og-w, slackchown, slack644docs slackdesc # install slack-desc and doinst.sh # Install package description: install -vpm644 $CWD/slack-desc.openssl install/slack-desc zcat $CWD/doinst.sh-openssl.gz > install/doinst.sh # Build 'openssl' full package: #[ "$SLACKPATCHING" = "yes" ] && export PKGSERIES=patches || export PKGSERIES=n slackmp ########################################################### # Build runtime package ########################################################### mkdir -vpm755 $PKG2/{etc,install,lib${LIBDIRSUFFIX}} ( cd $PKG1/lib${LIBDIRSUFFIX} ; cp -fav lib*.so.* $PKG2/lib${LIBDIRSUFFIX} ) ( cd $PKG2/lib${LIBDIRSUFFIX} ; ldconfig -l * ) ( cd $PKG2/etc ; cp -fav $PKG1/etc/ssl . ) mkdir -vpm755 $PKG2/usr/doc/openssl-$VERSION ( cd $TMPBUILD/openssl-*/ cp -fav ACKNOWLEDGEMENTS AUTHORS CHANGES* CONTRIBUTING FAQ INSTALL* \ LICENSE* NEWS NOTES* README* \ $PKG2/usr/doc/openssl-$VERSION ) # If there's a CHANGES file, installing at least part of the recent history # is useful, but don't let it get totally out of control: if [ -r CHANGES ]; then DOCSDIR=$(echo $PKG2/usr/doc/*-$VERSION) cat CHANGES | head -n 2000 > $DOCSDIR/CHANGES touch -r CHANGES $DOCSDIR/CHANGES fi # Build runtime package: cd $PKG2 install -vpm644 $CWD/slack-desc.openssl-solibs install/slack-desc zcat $CWD/doinst.sh-openssl-solibs.gz > install/doinst.sh # Append "solibs" to the package name: #[ "$SLACKPATCHING" = "yes" ] && export PKGSERIES=patches || export PKGSERIES=a #[ "$SLACKPATCHING" != "yes" ] && export PKGSERIES=a export PKGNAM=openssl-solibs export SLACKPACKAGE=$PKGNAM-$VERSION-$PKGARCH-$BUILD.txz slackmp