master

分支 (1)

标签 (1)

管理

管理

master

ocs-2309

openssl
/
openssl.spec

%bcond_with turbo

%define soversion 3
%define multilib_arches %{ix86} ia64 %{mips} ppc ppc64 s390 s390x sparcv9 sparc64 x86_64
%define srpmhash() %{lua:
local files = rpm.expand("%_specdir/openssl.spec")
for i, p in ipairs(patches) do
   files = files.." "..p
end
for i, p in ipairs(sources) do
   files = files.." "..p
end
local sha256sum = assert(io.popen("cat "..files.." 2>/dev/null | sha256sum"))
local hash = sha256sum:read("*a")
sha256sum:close()
print(string.sub(hash, 0, 16))
}

%global _performance_build 1

Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 3.0.12
Release: 16%{?dist}
License: ASL 2.0
URL: http://www.openssl.org/
Source0: https://www.openssl.org/source/openssl-%{version}.tar.gz
Source1: Makefile.certificate
Source2: genpatches
Source3: make-dummy-cert
Source4: renew-dummy-cert
Source5: configuration-switch.h
Source6: configuration-prefix.h
Source7: 0025-for-tests.patch

%if %{with turbo}
Epoch: 5
%endif

%global epoch_dep %{?epoch:%{epoch}:}

Patch3000: 0001-Aarch64-and-ppc64le-use-lib64.patch
Patch3001: 0002-Use-more-general-default-values-in-openssl.cnf.patch
Patch3002: 0003-Do-not-install-html-docs.patch
Patch3003: 0004-Override-default-paths-for-the-CA-directory-tree.patch
Patch3004: 0005-apps-ca-fix-md-option-help-text.patch
Patch3005: 0006-Disable-signature-verification-with-totally-unsafe-h.patch
Patch3006: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
Patch3007: 0008-Add-FIPS_mode-compatibility-macro.patch
Patch3008: 0009-Add-Kernel-FIPS-mode-flag-support.patch
Patch3009: 0010-Add-changes-to-ectest-and-eccurve.patch
Patch3010: 0011-Remove-EC-curves.patch
Patch3011: 0012-Disable-explicit-ec.patch
Patch3012: 0013-skipped-tests-EC-curves.patch
Patch3013: 0014-load-legacy-prov.patch
Patch3014: 0015-tmp-Fix-test-names.patch
Patch3015: 0016-Force-fips.patch
Patch3016: 0017-FIPS-embed-hmac.patch
Patch3017: 0018-fipsinstall_disable.patch
Patch3018: 0019-speed-skip-unavailable-dgst.patch
Patch3019: 0020-FIPS-140-3-keychecks.patch
Patch3020: 0021-FIPS-services-minimize.patch
Patch3021: 0022-FIPS-early-KATS.patch
Patch3022: 0023-Selectively-disallow-SHA1-signatures.patch
Patch3023: 0024-FIPS-enable-pkcs12-mac.patch
Patch3024: 0025-Support-different-R_BITS-lengths-for-KBKDF.patch
Patch3025: 0026-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
Patch3026: 0027-strcasecmp.patch
Patch3027: 0028-FIPS-limit-rsa-encrypt.patch
Patch3028: 0029-FIPS-KAT-signature-tests.patch
Patch3029: 0030-Deny-SHA-1-signature-verification-in-FIPS-provider.patch
Patch3030: 0031-fips-Expose-a-FIPS-indicator.patch
Patch3031: 0032-AES-GCM-performance-optimization.patch
Patch3032: 0033-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
Patch3033: 0034-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
Patch3034: 0035-FIPS-Use-FFDHE2048-in-self-test.patch
Patch3035: 0036-FIPS-140-3-DRBG.patch
Patch3036: 0037-FIPS-140-3-zeroization.patch
Patch3037: 0038-Add-FIPS-indicator-parameter-to-HKDF.patch
Patch3038: 0039-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
Patch3039: 0040-signature-Remove-X9.31-padding-from-FIPS-prov.patch
Patch3040: 0041-kbkdf-Add-explicit-FIPS-indicator-for-key-length.patch
Patch3041: 0042-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
Patch3042: 0043-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
Patch3043: 0044-FIPS-RSA-disable-shake.patch
Patch3044: 0045-signature-Add-indicator-for-PSS-salt-length.patch
Patch3045: 0046-signature-Clamp-PSS-salt-len-to-MD-len.patch
Patch3046: 0047-FIPS-RSA-encapsulate.patch
Patch3047: 0048-add-loongarch64-support-for-openssl-3.0.11.patch

Patch0001: openssl-3.0-CVE-2023-5678.patch
Patch0002: openssl-3.0-CVE-2023-6129.patch
Patch0003: openssl-3.0-CVE-2023-6237.patch
Patch0004: openssl-3.0-CVE-2024-0727.patch
Patch0005: Revert-Improved-detection-of-engine-provided-private-classic-keys.patch
Patch0006: RSA-PKCS15-implicit-rejection.patch
Patch0007: openssl-3.0-CVE-2024-2511.patch
Patch0008: openssl-3.0-CVE-2024-4603.patch
Patch0009: openssl-3.0-CVE-2024-4741.patch
Patch0010: openssl-3.0-CVE-2024-5535.patch
#https://github.com/openssl/openssl/commit/06d1dc3fa96a2ba5a3e22735a033012aadc9f0d6
Patch0011: openssl-3.0-CVE-2024-6119.patch
#https://github.com/openssl/openssl/commit/e70e34d857d4003199bcb5d3b52ca8102ccc1b98
Patch0012: openssl-3.0-CVE-2024-41996.patch
#https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712
Patch0013: openssl-3.0-CVE-2024-9143.patch
Patch0014: https://github.com/openssl/openssl/commit/5781c0a181c97530e57708fa67bb5faa44368246.patch
Patch0015: https://github.com/openssl/openssl/commit/3732a8963d7aacde04f138204e235478609cba8a.patch
Patch0016: https://github.com/openssl/openssl/commit/112754183a720b4db0f2770a80a55805010b4e68.patch
Patch0017: https://github.com/openssl/openssl/commit/d9d260eb95ec129b93a55965b6f2f392df0ed0a9.patch
Patch0018: https://github.com/openssl/openssl/commit/d44aa28b0db3ba355fe68c5971c90c9a1414788f.patch
Patch0019: https://github.com/openssl/openssl/commit/17d12183797033f55aec03376ffd3969cd703c0e.patch
Patch0020: https://github.com/openssl/openssl/commit/a473d59db1ce6943c010c5ba842e7c17fbe81aab.patch
Patch0021: https://github.com/openssl/openssl/commit/95dfb4244a8b6f23768714619f4f4640d51dc3ff.patch

Patch5000: set-Availablein-default-in-evppkey_rsa_common.patch
Patch5001: openssl-3.0.12-support-tlcp.patch
Patch5002: openssl-3.0.12-support-rfc8998.patch


%if %{with turbo}
%ifarch x86_64
Patch5100: turbo-recommend-8-async_jobs.patch

########################################################
# This patch set QAT as default engine for performance,
# however, it will cause performance degradation
# when the hardware is not sufficient.
# so we do not apply this patch but keep it
########################################################
# Patch5101: turbo-enable-support-for-QAT-engine.patch

Patch5102: 0001-turbo-optimized-sha256-call-chain-for-improved-effic.patch
%endif
%endif

BuildRequires: gcc g++
BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp
BuildRequires: lksctp-tools-devel
BuildRequires: /usr/bin/rename /usr/bin/pod2man /usr/sbin/sysctl
BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt)
BuildRequires: perl(Module::Load::Conditional), perl(File::Temp)
BuildRequires: perl(Time::HiRes), perl(IPC::Cmd), perl(Pod::Html), perl(Digest::SHA)
BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy), perl(bigint)
BuildRequires: git-core systemtap-sdt-devel
Requires: coreutils
%if %{with turbo}
%ifarch x86_64
Requires: qatengine
%endif
%endif
Requires: %{name}-libs = %{epoch_dep}%{version}-%{release}

%description
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.

%package libs
Summary: A general purpose cryptography library with TLS implementation
Requires: ca-certificates >= 2008-5
Requires: crypto-policies >= 20180730
Recommends: openssl-pkcs11

%description libs
OpenSSL is a toolkit for supporting cryptography. The openssl-libs
package contains the libraries that are used by various applications which
support cryptographic algorithms and protocols.

%package devel
Summary: Files for development of applications which will use OpenSSL
Requires: %{name}-libs = %{epoch_dep}%{version}-%{release}
Requires: pkgconfig

%description devel
OpenSSL is a toolkit for supporting cryptography. The openssl-devel
package contains include files needed to develop applications which
support various cryptographic algorithms and protocols.

%package perl
Summary: Perl scripts provided with OpenSSL
Requires: perl-interpreter
Requires: %{name} = %{epoch_dep}%{version}-%{release}

%description perl
OpenSSL is a toolkit for supporting cryptography. The openssl-perl
package provides Perl scripts for converting certificates and keys
from other formats to the formats used by the OpenSSL toolkit.

%prep
%autosetup -S git -n %{name}-%{version}

%build
sslarch=%{_os}-%{_target_cpu}
%ifarch %ix86
sslarch=linux-elf
if ! echo %{_target} | grep -q i686 ; then
	sslflags="no-asm 386"
fi
%endif
%ifarch x86_64
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch sparcv9
sslarch=linux-sparcv9
sslflags=no-asm
%endif
%ifarch sparc64
sslarch=linux64-sparcv9
sslflags=no-asm
%endif
%ifarch alpha alphaev56 alphaev6 alphaev67
sslarch=linux-alpha-gcc
%endif
%ifarch s390 sh3eb sh4eb
sslarch="linux-generic32 -DB_ENDIAN"
%endif
%ifarch s390x
sslarch="linux64-s390x"
%endif
%ifarch %{arm}
sslarch=linux-armv4
%endif
%ifarch aarch64
sslarch=linux-aarch64
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch sh3 sh4
sslarch=linux-generic32
%endif
%ifarch ppc64 ppc64p7
sslarch=linux-ppc64
%endif
%ifarch ppc64le
sslarch="linux-ppc64le"
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch mips mipsel
sslarch="linux-mips32 -mips32r2"
%endif
%ifarch mips64 mips64el
sslarch="linux64-mips64 -mips64r2"
%endif
%ifarch mips64el
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch riscv64
sslarch=linux-generic64
%endif
ktlsopt=enable-ktls
%ifarch armv7hl
ktlsopt=disable-ktls
%endif


RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS"

export HASHBANGPERL=/usr/bin/perl

%define fips %{version}-%{srpmhash}

./Configure \
	--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
	--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
	zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
	enable-cms enable-md2 enable-rc5 ${ktlsopt} enable-fips enable-tlcp\
	no-mdc2 enable-sm2 enable-sm3 enable-sm4 no-ec2m enable-buildtest-c++\
	shared  ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""'\
	-Wl,--allow-multiple-definition

%make_build all
for i in libcrypto.pc libssl.pc openssl.pc ; do
  sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i
done

%check
(sysctl net.sctp.addip_enable=1 && sysctl net.sctp.auth_enable=1) || \
(echo 'Failed to enable SCTP AUTH chunks, disabling SCTP for tests...' &&
 sed '/"msan" => "default",/a\ \ "sctp" => "default",' configdata.pm > configdata.pm.new && \
 touch -r configdata.pm configdata.pm.new && \
 mv -f configdata.pm.new configdata.pm)

patch -p1 -R < %{PATCH3003}
patch -p1 < %{SOURCE7}

OPENSSL_ENABLE_MD5_VERIFY=
export OPENSSL_ENABLE_MD5_VERIFY

OPENSSL_ENABLE_SHA1_SIGNATURES=
export OPENSSL_ENABLE_SHA1_SIGNATURES

OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac
objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac
mv providers/fips.so.mac providers/fips.so

make test HARNESS_JOBS=8

%define __spec_install_post \
    %{?__debug_package:%{__debug_install_post}} \
    %{__arch_install_post} \
    %{__os_install_post} \
    LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < %{buildroot}%{_libdir}/ossl-modules/fips.so > %{buildroot}%{_libdir}/ossl-modules/fips.so.hmac \
    objcopy --update-section .rodata1=%{buildroot}%{_libdir}/ossl-modules/fips.so.hmac %{buildroot}%{_libdir}/ossl-modules/fips.so %{buildroot}%{_libdir}/ossl-modules/fips.so.mac \
    mv %{buildroot}%{_libdir}/ossl-modules/fips.so.mac %{buildroot}%{_libdir}/ossl-modules/fips.so \
    rm %{buildroot}%{_libdir}/ossl-modules/fips.so.hmac \
%{nil}

%define __provides_exclude_from %{_libdir}/openssl

%install
[ "%{buildroot}" != "/" ] && rm -rf %{buildroot}
install -d %{buildroot}{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl,%{_pkgdocdir}}
%make_install
rename so.%{soversion} so.%{version} %{buildroot}%{_libdir}/*.so.%{soversion}
for lib in %{buildroot}%{_libdir}/*.so.%{version} ; do
	chmod 755 ${lib}
	ln -s -f `basename ${lib}` %{buildroot}%{_libdir}/`basename ${lib} .%{version}`
	ln -s -f `basename ${lib}` %{buildroot}%{_libdir}/`basename ${lib} .%{version}`.%{soversion}
done

for lib in %{buildroot}%{_libdir}/*.a ; do
	rm -f ${lib}
done

mkdir -p %{buildroot}%{_sysconfdir}/pki/tls/certs
install -m644 %{SOURCE1} %{buildroot}%{_pkgdocdir}/Makefile.certificate
install -m755 %{SOURCE3} %{buildroot}%{_bindir}/make-dummy-cert
install -m755 %{SOURCE4} %{buildroot}%{_bindir}/renew-dummy-cert

mv %{buildroot}%{_sysconfdir}/pki/tls/misc/*.pl %{buildroot}%{_bindir}
mv %{buildroot}%{_sysconfdir}/pki/tls/misc/tsget %{buildroot}%{_bindir}


pushd %{buildroot}%{_mandir}
mv man5/config.5ossl man5/openssl.cnf.5
popd

mkdir -m755 %{buildroot}%{_sysconfdir}/pki/CA
mkdir -m700 %{buildroot}%{_sysconfdir}/pki/CA/private
mkdir -m755 %{buildroot}%{_sysconfdir}/pki/CA/certs
mkdir -m755 %{buildroot}%{_sysconfdir}/pki/CA/crl
mkdir -m755 %{buildroot}%{_sysconfdir}/pki/CA/newcerts


touch -r %{SOURCE1} %{buildroot}%{_sysconfdir}/pki/tls/openssl.cnf
touch -r %{SOURCE1} %{buildroot}%{_sysconfdir}/pki/tls/ct_log_list.cnf

rm -f %{buildroot}%{_sysconfdir}/pki/tls/openssl.cnf.dist
rm -f %{buildroot}%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
rm -f %{buildroot}%{_sysconfdir}/pki/tls/fipsmodule.cnf


basearch=%{_arch}
%ifarch %{ix86}
basearch=i386
%endif
%ifarch sparcv9
basearch=sparc
%endif
%ifarch sparc64
basearch=sparc64
%endif


sed -i '/^\#ifndef OPENSSL_NO_SSL_TRACE/i\
#ifndef OPENSSL_NO_SSL3\
# define OPENSSL_NO_SSL3\
#endif' %{buildroot}/%{_prefix}/include/openssl/opensslconf.h

%ifarch %{multilib_arches}
install -m644 %{SOURCE6} \
	%{buildroot}/%{_prefix}/include/openssl/configuration-${basearch}.h
cat %{buildroot}/%{_prefix}/include/openssl/configuration.h >> \
	%{buildroot}/%{_prefix}/include/openssl/configuration-${basearch}.h
install -m644 %{SOURCE5} \
	%{buildroot}/%{_prefix}/include/openssl/configuration.h
%endif

%files
%license LICENSE.txt
%doc NEWS.md README.md
%{_bindir}/make-dummy-cert
%{_bindir}/renew-dummy-cert
%{_bindir}/openssl
%{_mandir}/man1/*
%{_mandir}/man5/*
%{_mandir}/man7/*
%{_pkgdocdir}/Makefile.certificate
%exclude %{_mandir}/man1/*.pl*
%exclude %{_mandir}/man1/tsget*

%files libs
%license LICENSE.txt
%dir %{_sysconfdir}/pki/tls
%dir %{_sysconfdir}/pki/tls/certs
%dir %{_sysconfdir}/pki/tls/misc
%dir %{_sysconfdir}/pki/tls/private
%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
%config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version}
%{_libdir}/libcrypto.so.%{soversion}
%attr(0755,root,root) %{_libdir}/libssl.so.%{version}
%{_libdir}/libssl.so.%{soversion}
%attr(0755,root,root) %{_libdir}/engines-%{soversion}
%attr(0755,root,root) %{_libdir}/ossl-modules

%files devel
%doc CHANGES.md doc/dir-locals.example.el doc/openssl-c-indent.el
%{_prefix}/include/openssl
%{_libdir}/*.so
%{_mandir}/man3/*
%{_libdir}/pkgconfig/*.pc

%files perl
%{_bindir}/c_rehash
%{_bindir}/*.pl
%{_bindir}/tsget
%{_mandir}/man1/*.pl*
%{_mandir}/man1/tsget*
%dir %{_sysconfdir}/pki/CA
%dir %{_sysconfdir}/pki/CA/private
%dir %{_sysconfdir}/pki/CA/certs
%dir %{_sysconfdir}/pki/CA/crl
%dir %{_sysconfdir}/pki/CA/newcerts


%changelog
* Thu Dec 26 2024 Tracker Robot <trackbot@opencloudos.tech> - 3.0.12-16
- Apply patches from rpm-tracker
- [Bug Fix] 95dfb4244a8b6f23768714619f4f4640d51dc3ff.patch: Add NULL check before accessing PKCS7 encrypted algorithm
- [Bug Fix] a473d59db1ce6943c010c5ba842e7c17fbe81aab.patch: Fix unbounded memory growth when using no-cached-fetch
- [Bug Fix] 17d12183797033f55aec03376ffd3969cd703c0e.patch: Fix dasync_rsa_decrypt to call EVP_PKEY_meth_get_decrypt
- [Bug Fix] d44aa28b0db3ba355fe68c5971c90c9a1414788f.patch: Fix off by one issue in buf2hexstr_sep()
- [Bug Fix] d9d260eb95ec129b93a55965b6f2f392df0ed0a9.patch: SSL_set1_groups_list(): Fix memory corruption with 40 groups and more
- [Bug Fix] 112754183a720b4db0f2770a80a55805010b4e68.patch: KDF_CTX_new API has incorrect signature (const should not be there)
- [Bug Fix] 3732a8963d7aacde04f138204e235478609cba8a.patch: Fix memory leaks on error cases during drbg initializations
- [Bug Fix] 5781c0a181c97530e57708fa67bb5faa44368246.patch: Fix error reporting in EVP_PKEY_{sign,verify,verify_recover}

* Tue Oct 22 2024 Feng Weiyao <wynnfeng@tencent.com> - 3.0.12-15
- [Type] security
- [DESC] Resolves: CVE-2024-9143

* Tue Oct 8 2024 Feng Weiyao <wynnfeng@tencent.com> - 3.0.12-14
- [Type] security
- [DESC] Resolves: CVE-2024-41996

* Thu Sep 26 2024 OpenCloudOS Release Engineering <releng@opencloudos.tech> - 3.0.12-13
- Rebuilt for clarifying the packages requirement in BaseOS and AppStream

* Thu Sep 5 2024 Feng Weiyao <wynnfeng@tencent.com> - 3.0.12-12
- [Type] security
- [DESC] Resolves: CVE-2024-6119

* Fri Aug 16 2024 Miaojun Dong <zoedong@tencent.com> - 3.0.12-11
- turbo: update sha call chain

* Fri Aug 16 2024 OpenCloudOS Release Engineering <releng@opencloudos.tech> - 3.0.12-10
- Rebuilt for loongarch release

* Tue Aug 13 2024 Shuo Wang <abushwang@tencent.com> - 3.0.12-9
- enable support for QAT engine

* Mon Jul 1 2024 Feng Weiyao <wynnfeng@tencent.com> - 3.0.12-8
- [Type] security
- [DESC] Resolves: CVE-2024-5535

* Tue Jun 4 2024 Feng Weiyao <wynnfeng@tencent.com> - 3.0.12-7
- [Type] security
- [DESC] Resolves: CVE-2024-2511, CVE-2024-4741, CVE-2024-4603

* Tue Apr 23 2024 Feng Weiyao <wynnfeng@tencent.com> - 3.0.12-6
- [Type] other
- [DESC] support rfc8998, including TLS_SM4_GCM_SM3, TLS_SM4_CCM_SM3

* Mon Apr 15 2024 Feng Weiyao <wynnfeng@tencent.com> - 3.0.12-5
- [Type] other
- [DESC] Support TLCP & GM/T 0024, including cipher suites ECDHE-SM2-SM4-CBC-SM3,ECDHE-SM2-SM4-GCM-SM3,
- ECC-SM2-SM4-CBC-SM3, ECC-SM2-SM4-GCM-SM3,RSA-SM4-CBC-SM3, RSA-SM4-GCM-SM3, RSA-SM4-CBC-SHA256, RSA-SM4-GCM-SHA256.

* Fri Mar 22 2024 Feng Weiyao <wynnfeng@tencent.com> - 3.0.12-4
- backport upstream patch: RSA-PKCS15-implicit-rejection
- #https://github.com/openssl/openssl/pull/13817

* Mon Feb 19 2024 Feng Weiyao <wynnfeng@tencent.com> - 3.0.12-3
- Revert "Improved detection of engine-provided private "classic" keys" to temporaryly fix openssl-pkcs11 test failures
# https://github.com/openssl/openssl/issues/22508

* Tue Jan 30 2024 Feng Weiyao <wynnfeng@tencent.com> - 3.0.12-2
- Resolves: CVE-2023-6237, CVE-2023-0727

* Wed Jan 17 2024 Feng Weiyao <wynnfeng@tencent.com> - 3.0.12-1
- upgrade to 3.0.12 and Resolves: CVE-2023-5678, CVE-2023-6129

* Thu Nov 23 2023 Feng Weiyao <wynnfeng@tencent.com> - 3.0.9-5
- Resolves: CVE-2023-5678, CVE-2023-5363

* Mon Oct 23 2023 Feng Weiyao <wynnfeng@tencent.com> - 3.0.9-4
- Resolves: CVE-2023-3446

* Fri Sep 08 2023 OpenCloudOS Release Engineering <releng@opencloudos.tech> - 3.0.9-3
- Rebuilt for OpenCloudOS Stream 23.09

* Tue Aug 29 2023 Feng Weiyao <wynnfeng@tencent.com> - 3.0.9-2
- Resolves: CVE-2023-2975
  Resolves: CVE-2023-3817

* Tue Aug 1 2023 Feng Weiyao <wynnfeng@tencent.com> - 3.0.9-1
- update to version 3.0.9
  Resolves: CVE-2023-0464
  Resolves: CVE-2023-0465
  Resolves: CVE-2023-0466
  Resolves: CVE-2023-1255
  Resolves: CVE-2023-2650

* Fri Apr 28 2023 OpenCloudOS Release Engineering <releng@opencloudos.tech> - 3.0.8-4
- Rebuilt for OpenCloudOS Stream 23.05

* Tue Apr 4 2023 Feng Weiyao <wynnfeng@tencent.com> - 3.0.8-3
- add fips patches

* Fri Mar 31 2023 OpenCloudOS Release Engineering <releng@opencloudos.tech> - 3.0.8-2
- Rebuilt for OpenCloudOS Stream 23

* Fri Feb 24 2023 Feng Weiyao <wynnfeng@tencent.com> - 3.0.8-1
- update to 3.0.8
- support SM2, SM3 and SM4

* Fri Dec 2 2022 Anakin Zhang <anakinzhang@tencent.com> - 3.0.5-2
- Fixed CVE-2022-3786
- Fixed CVE-2022-3602

* Tue Aug 2 2022 Anakin Zhang <anakinzhang@tencent.com> - 3.0.5-1
- Initial build