目录

一、给openssl-1.0.2u打包rpm

二、编译安装openssl-1.1.1k

三、给openssl-1.1.1k打包rpm（不推荐！）

---

近日openssl爆出拒绝服务、证书绕过漏洞，CVE编号CVE-2021-3449、CVE-2021-3450。

解决方法：
CentOS7默认openssl版本1.0.2，不受影响。
CentOS8默认openssl版本1.1.1，受影响，需要到OpenSSL1.1.1k及以上版本。

记录centos8编译打包openssl-1.0.2u、openssl-1.1.1k的过程。

一、给openssl-1.0.2u打包rpm

从官网https://www.openssl.org/source/old/1.0.2/下载openssl-1.0.2u.tar.gz，并做sha256校验。

cd rpmbuild/SOURCES/
wget https://www.openssl.org/source/old/1.0.2/openssl-1.0.2u.tar.gz
sha256sum ./openssl-1.0.2u.tar.gz
ecd0c6ffb493dd06707d38b14bb4d8c2288bb7033735606569d8f90f89669d16  ./openssl-1.0.2u.tar.gz

解压缩，把spec文件copy到SPEC目录下。 

tar xvzf openssl-1.0.2u.tar.gz
cp openssl-1.0.2u/openssl.spec ../SPECS/openssl-1.0.2u.spec

编译打包openssl-1.0.2u并排错。报错Can't locate find.pl in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5，解决方案是安装依赖perl-Perl4-CoreLibs.noarch

rpmbuild -ba openssl-1.0.2u.spec

Can't locate find.pl in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5) at util/perlpath.pl line 7.
error: Bad exit status from /var/tmp/rpm-tmp.IaQ3r6 (%build)

RPM build errors:
    bogus date in %changelog: Sun Jun  6 2005 Richard Levitte <[email protected]>
    bogus date in %changelog: Tue Sep 10 1999 Damien Miller <[email protected]>
    Bad exit status from /var/tmp/rpm-tmp.IaQ3r6 (%build)

yum install perl-Perl4-CoreLibs.noarch

 编译打包openssl-1.0.2u成功。

rpmbuild -ba --clean openssl-1.0.2u.spec
……
Wrote: /home/cnpe/rpmbuild/SRPMS/openssl-1.0.2u-1.src.rpm
Wrote: /home/cnpe/rpmbuild/RPMS/x86_64/openssl-1.0.2u-1.x86_64.rpm
Wrote: /home/cnpe/rpmbuild/RPMS/x86_64/openssl-devel-1.0.2u-1.x86_64.rpm
Wrote: /home/cnpe/rpmbuild/RPMS/x86_64/openssl-doc-1.0.2u-1.x86_64.rpm

二、编译安装openssl-1.1.1k

从官网https://www.openssl.org/source/下载openssl-1.1.1k.tar.gz，并做sha256校验，再解压缩。

wget https://www.openssl.org/source/openssl-1.1.1k.tar.gz

sha256sum ./openssl-1.1.1k.tar.gz
892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5  ./openssl-1.1.1k.tar.gz

tar xvzf openssl-1.1.1k.tar.gz

编译安装
config生成Makefile
make编译，make test的结果一定要PASS
make install安装，或者其他选项只安装你需要的内容
如果在这些过程中提示有依赖项就安装，不OK就解决，再make clean后重新来过。

cd openssl-1.1.1k
./config
make
make test
make install

 这样编译安装以后，openssl的版本升级到了1.1.1k，但是库文件仍使用原来1.1.1g版本的，不会影响使用。

openssl version
OpenSSL 1.1.1k  25 Mar 2021 (Library: OpenSSL 1.1.1g FIPS  21 Apr 2020)

三、给openssl-1.1.1k打包rpm（不推荐！动态库不兼容！）

这个包安装上以后，会导致严重的故障。

[root@test18 x86_64]# rpm --version
rpm: symbol lookup error: /lib64/librpmio.so.8: undefined symbol: EVP_md2, version OPENSSL_1_1_0

[root@test18 x86_64]# yum remove openssl
Traceback (most recent call last):
......
ImportError: /lib64/libk5crypto.so.3: undefined symbol: EVP_KDF_ctrl, version OPENSSL_1_1_1b
......


[root@test18 ~]# ldd /lib64/librpmio.so.8 | grep crypto
	libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f299ed70000)
[root@test18 ~]# ldd /lib64/libk5crypto.so.3 | grep crypto
	libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007fea0bf97000)

原因是这种方式会替换库文件，不能替换这个库文件详细的原因在这个地方有https://github.com/openssl/openssl/issues/11471，请自行查看。

[root@test18 ~]# ll /lib64/libcrypto.so.1.1
lrwxrwxrwx. 1 root root 19 Dec 18 06:45 /lib64/libcrypto.so.1.1 -> libcrypto.so.1.1.1g
[root@test18 ~]# nm -gD /lib64/libcrypto.so.1.1 | grep EVP_KDF
0000000000170530 T EVP_KDF_ctrl
0000000000170620 T EVP_KDF_ctrl_str
0000000000170370 T EVP_KDF_CTX_free
00000000001703b0 T EVP_KDF_CTX_new_id
00000000001706e0 T EVP_KDF_derive
00000000001704d0 T EVP_KDF_reset
00000000001706b0 T EVP_KDF_size
0000000000170500 T EVP_KDF_vctrl

[root@test18 x86_64]# ll /lib64/libcrypto.so.1.1
lrwxrwxrwx. 1 root root 19 Apr  5 12:58 /lib64/libcrypto.so.1.1 -> libcrypto.so.1.1.1k
[root@test18 x86_64]# nm -gD /lib64/libcrypto.so.1.1 | grep EVP_KDF
Nothing！！！

这里只是记录编译打包的过程，不推荐使用！

从官网https://www.openssl.org/source/下载openssl-1.1.1k.tar.gz，并做sha256校验。解压缩，发现这个版本没有现成的spec文件。经查证在http://rpmfind.net/可以找到openssl-1.1.1g-12.el8.src.rpm这个包，这个包里面有1.1.1g版本的spec文件，可以找来使用。
该rpm文件cpio提取归档文件不会生成目录，因此建立一个目录存放，再下载。

mkdir openssl-1.1.1g-src
cd openssl-1.1.1g-src/
wget http://vault.centos.org/8.3.2011/BaseOS/Source/SPackages/openssl-1.1.1g-12.el8_3.src.rpm
rpm2cpio openssl-1.1.1g-12.el8_3.src.rpm | cpio -duim

提取的文件很多，把其中的openssl.spec拷贝到rpmbuild/SPECS目录下，并编辑openssl-1.1.1k.spec，修改源代码文件、版本、删除不需要的内容，最终形成openssl-1.1.1k.spec文件，内容如下。

# For the curious:
# 0.9.5a soversion = 0
# 0.9.6  soversion = 1
# 0.9.6a soversion = 2
# 0.9.6c soversion = 3
# 0.9.7a soversion = 4
# 0.9.7ef soversion = 5
# 0.9.8ab soversion = 6
# 0.9.8g soversion = 7
# 0.9.8jk + EAP-FAST soversion = 8
# 1.0.0 soversion = 10
# 1.1.0 soversion = 1.1 (same as upstream although presence of some symbols
#                        depends on build configuration options)
%define soversion 1.1
%define debug_package %{nil}

Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.1.1k
Release: 1%{?dist}
Epoch: 1
License: OpenSSL and ASL 2.0
URL: http://www.openssl.org/
BuildRequires: gcc
BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp
BuildRequires: lksctp-tools-devel
BuildRequires: /usr/bin/rename
BuildRequires: /usr/bin/pod2man
BuildRequires: /usr/sbin/sysctl
BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt)
BuildRequires: perl(Module::Load::Conditional), perl(File::Temp)
BuildRequires: perl(Time::HiRes)
BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy)
Requires: coreutils
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
Source0:openssl-%{version}.tar.gz

%description
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.

%package libs
Summary: A general purpose cryptography library with TLS implementation
Requires: ca-certificates >= 2008-5
Requires: crypto-policies >= 20180730
Recommends: openssl-pkcs11%{?_isa}
# Needed obsoletes due to the base/lib subpackage split
Obsoletes: openssl < 1:1.0.1-0.3.beta3
Obsoletes: openssl-fips < 1:1.0.1e-28
Provides: openssl-fips = %{epoch}:%{version}-%{release}

%description libs
OpenSSL is a toolkit for supporting cryptography. The openssl-libs
package contains the libraries that are used by various applications which
support cryptographic algorithms and protocols.

%package devel
Summary: Files for development of applications which will use OpenSSL
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: krb5-devel%{?_isa}, zlib-devel%{?_isa}
Requires: pkgconfig

%description devel
OpenSSL is a toolkit for supporting cryptography. The openssl-devel
package contains include files needed to develop applications which
support various cryptographic algorithms and protocols.

%package static
Summary:  Libraries for static linking of applications which will use OpenSSL
Requires: %{name}-devel%{?_isa} = %{epoch}:%{version}-%{release}

%description static
OpenSSL is a toolkit for supporting cryptography. The openssl-static
package contains static libraries needed for static linking of
applications which support various cryptographic algorithms and
protocols.

%package perl
Summary: Perl scripts provided with OpenSSL
Requires: perl-interpreter
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}

%description perl
OpenSSL is a toolkit for supporting cryptography. The openssl-perl
package provides Perl scripts for converting certificates and keys
from other formats to the formats used by the OpenSSL toolkit.

%prep
%setup -q -n %{name}-%{version}

%build
#./config \
#	--prefix=/usr/bin \
#	--openssldir=/etc/pki/tls \
#	--libdir=/usr/lib64 \

#./config \
#	--prefix=%{_bindir} \
#	--openssldir=%{_sysconfdir}/pki/tls \
#	--libdir=%{_prefix}/lib64 \

./config \
        --prefix=%{_prefix} \
        --openssldir=%{_sysconfdir}/pki/tls \

make all

# Clean up the .pc files
#for i in libcrypto.pc libssl.pc openssl.pc ; do
#  sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i
#done

%check
# Verify that what was compiled actually works.
make test

%install
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
# Install OpenSSL.
install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl,%{_pkgdocdir}}
make DESTDIR=$RPM_BUILD_ROOT install
make DESTDIR=$RPM_BUILD_ROOT uninstall_html_docs
rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}
for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do
	chmod 755 ${lib}
	ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`
	ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion}
done

# Install a makefile for generating keys and self-signed certs, and a script
# for generating them on the fly.
#mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs
#install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_pkgdocdir}/Makefile.certificate
#install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/make-dummy-cert
#install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_bindir}/renew-dummy-cert

# Move runable perl scripts to bindir
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/*.pl $RPM_BUILD_ROOT%{_bindir}
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/tsget $RPM_BUILD_ROOT%{_bindir}


# Rename man pages so that they don't conflict with other system man pages.
pushd $RPM_BUILD_ROOT%{_mandir}
ln -s -f config.5 man5/openssl.cnf.5
for manpage in man*/* ; do
	if [ -L ${manpage} ]; then
		TARGET=`ls -l ${manpage} | awk '{ print $NF }'`
		ln -snf ${TARGET}ssl ${manpage}ssl
		rm -f ${manpage}
	else
		mv ${manpage} ${manpage}ssl
	fi
done
for conflict in passwd rand ; do
	rename ${conflict} ssl${conflict} man*/${conflict}*
# Fix dangling symlinks
	manpage=man1/openssl-${conflict}.*
	if [ -L ${manpage} ] ; then
		ln -snf ssl${conflict}.1ssl ${manpage}
	fi
done
popd

mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA
mkdir -m700 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/private
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/certs
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/crl
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/newcerts

# Ensure the config file timestamps are identical across builds to avoid
# mulitlib conflicts and unnecessary renames on upgrade
#touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf
#touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf

rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist

# Determine which arch opensslconf.h is going to try to #include.
basearch=%{_arch}
%ifarch %{ix86}
basearch=i386
%endif
%ifarch sparcv9
basearch=sparc
%endif
%ifarch sparc64
basearch=sparc64
%endif

%ifarch %{multilib_arches}
# Do an opensslconf.h switcheroo to avoid file conflicts on systems where you
# can have both a 32- and 64-bit version of the library, and they each need
# their own correct-but-different versions of opensslconf.h to be usable.
install -m644 %{SOURCE10} \
	$RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf-${basearch}.h
cat $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h >> \
	$RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf-${basearch}.h
install -m644 %{SOURCE9} \
	$RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h
%endif
LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
export LD_LIBRARY_PATH

%files
%{!?_licensedir:%global license %%doc}
%license LICENSE
%doc FAQ NEWS README README.FIPS
%{_bindir}/openssl
%{_mandir}/man1*/*
%{_mandir}/man5*/*
%{_mandir}/man7*/*
%exclude %{_mandir}/man1*/*.pl*
%exclude %{_mandir}/man1*/c_rehash*
%exclude %{_mandir}/man1*/tsget*
%exclude %{_mandir}/man1*/openssl-tsget*

%files libs
%{!?_licensedir:%global license %%doc}
%license LICENSE
%dir %{_sysconfdir}/pki/tls
%dir %{_sysconfdir}/pki/tls/certs
%dir %{_sysconfdir}/pki/tls/misc
%dir %{_sysconfdir}/pki/tls/private
%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
%config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version}
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{soversion}
%attr(0755,root,root) %{_libdir}/libssl.so.%{version}
%attr(0755,root,root) %{_libdir}/libssl.so.%{soversion}
%attr(0755,root,root) %{_libdir}/engines-%{soversion}

%files devel
%doc CHANGES doc/dir-locals.example.el doc/openssl-c-indent.el
%{_prefix}/include/openssl
%{_libdir}/*.so
%{_mandir}/man3*/*
%{_libdir}/pkgconfig/*.pc

%files static
%{_libdir}/*.a

%files perl
%{_bindir}/c_rehash
%{_bindir}/*.pl
%{_bindir}/tsget
%{_mandir}/man1*/*.pl*
%{_mandir}/man1*/c_rehash*
%{_mandir}/man1*/tsget*
%{_mandir}/man1*/openssl-tsget*
%dir %{_sysconfdir}/pki/CA
%dir %{_sysconfdir}/pki/CA/private
%dir %{_sysconfdir}/pki/CA/certs
%dir %{_sysconfdir}/pki/CA/crl
%dir %{_sysconfdir}/pki/CA/newcerts

%post libs -p /sbin/ldconfig

%postun libs -p /sbin/ldconfig

%changelog

然后rpmbuild -ba --clean openssl-1.1.1k.spec，得到openssl-1.1.1k的rpm包。

rpmbuild -ba --clean openssl-1.1.1k.spec
......
Wrote: /home/cnpe/rpmbuild/SRPMS/openssl-1.1.1k-1.el8.src.rpm
Wrote: /home/cnpe/rpmbuild/RPMS/x86_64/openssl-1.1.1k-1.el8.x86_64.rpm
Wrote: /home/cnpe/rpmbuild/RPMS/x86_64/openssl-libs-1.1.1k-1.el8.x86_64.rpm
Wrote: /home/cnpe/rpmbuild/RPMS/x86_64/openssl-devel-1.1.1k-1.el8.x86_64.rpm
Wrote: /home/cnpe/rpmbuild/RPMS/x86_64/openssl-static-1.1.1k-1.el8.x86_64.rpm
Wrote: /home/cnpe/rpmbuild/RPMS/x86_64/openssl-perl-1.1.1k-1.el8.x86_64.rpm
......