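# SONAME major of the shared libraries; used in the library subpackage
# names below and in the lib*.so.<maj> glob of the files section.
%define maj 1.0.0
# Subpackage names derived through the distro mklibname macro.
%define engines_name %mklibname openssl-engines %{maj}
%define libname %mklibname openssl %{maj}
%define develname %mklibname openssl -d
%define staticname %mklibname openssl -s -d

# Older library package names that the devel/static subpackages obsolete.
%define conflict1 %mklibname openssl 0.9.7
%define conflict2 %mklibname openssl 0.9.8

# Number of threads to spawn when testing some threading fixes.
# Overridable at build time by defining "threads"; defaults to 1.
# NOTE(review): this line used to start with "#define", which rpm reads as a
# comment, so thread_test_threads was never defined when the check section
# passed it to the thread test.
%define thread_test_threads %{?threads:%{threads}}%{!?threads:1}

# Build with MIT Kerberos support (Configure flags and BuildRequires are
# both keyed on this).
%define with_krb5 1
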
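Summary: Secure Sockets Layer communications libs & utils
Name: openssl
Version: 1.0.1e
# NOTE(review): subrel is not referenced anywhere in this spec as shown;
# presumably consumed by distro-level macros.
%define subrel 11
Release: %mkrel 1
License: BSD-like
Group: System/Libraries
URL: http://www.openssl.org/
Source0: http://www.openssl.org/source/%{name}-%{version}.tar.gz
# Upstream detached signature for Source0. NOTE(review): nothing in this spec
# verifies the tarball against it, so that check has to happen whenever
# Source0 is fetched or updated.
Source1: http://www.openssl.org/source/%{name}-%{version}.tar.gz.asc
# Makefile and helper script installed under the tls certs directory for
# generating keys and self-signed certificates.
Source2: Makefile.certificate
Source3: make-dummy-cert
# Threaded smoke test compiled and run in the check section.
Source4: openssl-thread-test.c
# Patch numbers are grouped by origin (2-27 distro/Fedora/upstream,
# 100-114 Debian-forwarded upstream fixes, 300+ architecture support); they
# are applied in a different order in the prep section.
# (gb) 0.9.7b-4mdk: Handle RPM_OPT_FLAGS in Configure
Patch2: openssl-1.0.1c-optflags.patch
# (oe) support Brazilian Government OTHERNAME X509v3 field (#14158)
# http://www.iti.gov.br/resolucoes/RESOLU__O_13_DE_26_04_2002.PDF
Patch6: openssl-0.9.8-beta6-icpbrasil.diff
# http://qa.mandriva.com/show_bug.cgi?id=32621
Patch15: openssl-0.9.8e-crt.patch
# Applied with -p3 in the prep section (different path depth than the
# others); the backup suffix used there names CVE-2010-5298.
Patch5: openssl-1.0.1g-use-after-free.patch
# upstream patches
Patch8: openssl.git-147dbb2fe3bead7a10e2f280261b661ce7af7adc.patch
Patch9: openssl-1.0.1e-cve-2013-4353.patch
Patch10: openssl-1.0.1e-cve-2013-6450.patch
Patch11: openssl-1.0.0l-CVE-2014-0076.patch
Patch12: openssl-1.0.1f-CVE-2014-0160.patch
Patch19: openssl-1.0.1e-extension-checking-fixes.patch

# fedora patches
Patch7: openssl-1.0.0f-defaults.patch
Patch13: openssl-0.9.6-x509.patch
Patch14: openssl-0.9.8j-version-add-engines.patch
Patch16: openssl-1.0.0-beta5-enginesdir.patch
Patch17: openssl-1.0.1-pkgconfig-krb5.patch
Patch18: openssl-1.0.1e-cve-2013-6449.patch
Patch20: openssl-1.0.1e-cve-2014-0195.patch
Patch21: openssl-1.0.1e-cve-2014-0198.patch
Patch22: openssl-1.0.1e-cve-2014-0221.patch
Patch23: openssl-1.0.1e-cve-2014-0224.patch
Patch24: openssl-1.0.1e-cve-2014-3470.patch
Patch25: openssl-1.0.1e-cve-2014-3567.patch
Patch26: openssl-1.0.1e-cve-2014-3513.patch
Patch27: openssl-1.0.1e-fallback-scsv.patch

# patches from upstream via debian to fix security issues fixed in 1.0.1i
# https://www.openssl.org/news/secadv_20140806.txt
Patch100: Avoid-double-free-when-processing-DTLS-packets.patch
Patch101: Added-comment-for-the-frag-reassembly-NULL-case-as-p.patch
Patch102: Fix-DTLS-handshake-message-size-checks.patch
Patch103: Fix-memory-leak-from-zero-length-DTLS-fragments.patch
Patch104: Fix-return-code-for-truncated-DTLS-fragment.patch
Patch105: Applying-same-fix-as-in-dtls1_process_out_of_seq_mes.patch
Patch106: Remove-some-duplicate-DTLS-code.patch
Patch107: Fix-protocol-downgrade-bug-in-case-of-fragmented-pac.patch
Patch108: Fix-DTLS-anonymous-EC-DH-denial-of-service.patch
Patch109: Fix-OID-handling.patch
Patch110: Fix-race-condition-in-ssl_parse_serverhello_tlsext.patch
Patch111: SRP-ciphersuite-correction.patch
Patch112: Fix-SRP-ciphersuite-DoS-vulnerability.patch
Patch113: Fix-SRP-buffer-overrun-vulnerability.patch
Patch114: Check-SRP-parameters-early.patch

# MIPS and ARM support
Patch300: openssl-1.0.1c-mips.patch
Patch301: openssl-1.0.1c-arm.patch
Requires: %{libname} = %{version}-%{release}
Requires: perl-base
# The install section creates the tls/rootcerts directory that this
# package is presumably expected to populate.
Requires: rootcerts
%if %with_krb5
BuildRequires: krb5-devel
%endif
BuildRequires: multiarch-utils >= 1.0.3
# Used in the install section to drop the rpath from the openssl binary.
BuildRequires: chrpath
BuildRequires: zlib-devel
# (tv) for test suite:
BuildRequires: bc

%description
The openssl certificate management tool and the shared libraries that provide
various encryption and decryption algorithms and protocols, including DES, RC4,
RSA and SSL.
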
# Loadable engine modules, split out so the library package can require
# them by their own name.
%package -n %{engines_name}
Summary: Engines for openssl
Group: System/Libraries
Obsoletes: openssl-engines < 1.0.0a-5
Provides: openssl-engines = %{version}-%{release}

%description -n %{engines_name}
This package provides engines for openssl.

# Versioned shared libraries for the major named by maj.
%package -n %{libname}
Summary: Secure Sockets Layer communications libs
Group: System/Libraries
Requires: %{engines_name} >= %{version}-%{release}
Provides: %{libname} = %{version}-%{release}

%description -n %{libname}
The libraries files are needed for various cryptographic algorithms
and protocols, including DES, RC4, RSA and SSL.

# Headers, unversioned .so links, pkgconfig files and section-3 man pages.
%package -n %{develname}
Summary: Secure Sockets Layer communications libs & headers & utils
Group: Development/Other
Requires: %{libname} = %{version}-%{release}
Provides: libopenssl-devel
Provides: openssl-devel = %{version}-%{release}
Obsoletes: openssl-devel
# temporary obsolete, will be a conflict later. a compat package
# with openssl-0.9.7 devel libs will be provided soon
Obsoletes: %{conflict1}-devel
Obsoletes: %{conflict2}-devel
Obsoletes: %{mklibname openssl 1.0.0}-devel
Provides: %{name}-devel = %{version}-%{release}

%description -n %{develname}
The libraries and include files needed to compile apps with support
for various cryptographic algorithms and protocols, including DES, RC4, RSA
and SSL.

# Static archives; depends on the devel package for the headers.
%package -n %{staticname}
Summary: Secure Sockets Layer communications static libs
Group: Development/Other
Requires: %{develname} = %{version}-%{release}
Provides: libopenssl-static-devel
Provides: openssl-static-devel = %{version}-%{release}
# temporary obsolete, will be a conflict later. a compat package
# with openssl-0.9.7 static-devel libs will be provided soon
Obsoletes: %{conflict1}-static-devel
Obsoletes: %{conflict2}-static-devel
Obsoletes: %{mklibname openssl 1.0.0}-static-devel
Provides: %{name}-static-devel = %{version}-%{release}

%description -n %{staticname}
The static libraries needed to compile apps with support for various
cryptographic algorithms and protocols, including DES, RC4, RSA and SSL.

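%prep

%setup -q -n %{name}-%{version}
# Distro and upstream patches. "-b SUFFIX" keeps a backup of every touched
# file; the suffix names the fix so the backups are self-describing. The
# application order is by fix, not by patch number.
%patch2 -p1 -b .optflags
%patch6 -p0 -b .icpbrasil
%patch7 -p1 -b .defaults
%patch8 -p1 -b .SSL_get_certificate
%patch13 -p1 -b .x509
%patch14 -p1 -b .version-add-engines
%patch15 -p1 -b .crt
%patch16 -p1 -b .engines
%patch17 -p1 -b .krb5
%patch18 -p1 -b .hash-crash
%patch9 -p1 -b .cve-2013-4353
%patch10 -p1 -b .cve-2013-6450
%patch11 -p1 -b .CVE-2014-0076
%patch12 -p1 -b .CVE-2014-0160
# Patch5 carries a deeper path prefix than the rest, hence -p3.
%patch5 -p3 -b .CVE-2010-5298
%patch19 -p1 -b .extension-checking-fixes
%patch20 -p1 -b .cve-2014-0195
%patch21 -p1 -b .cve-2014-0198
%patch22 -p1 -b .cve-2014-0221
%patch23 -p1 -b .cve-2014-0224
%patch24 -p1 -b .cve-2014-3470
# Backup suffix now matches the patch file name (cve-2014-3567); it used to
# read .cve-2014-3657, which did not correspond to the patch applied.
%patch25 -p1 -b .cve-2014-3567
%patch26 -p1 -b .cve-2014-3513
%patch27 -p1 -b .fallback-scsv

# Debian-forwarded upstream fixes from the 1.0.1i security advisory;
# applied without backups.
%patch100 -p1
%patch101 -p1
%patch102 -p1
%patch103 -p1
%patch104 -p1
%patch105 -p1
%patch106 -p1
%patch107 -p1
%patch108 -p1
%patch109 -p1
%patch110 -p1
%patch111 -p1
%patch112 -p1
%patch113 -p1
%patch114 -p1

# MIPS and ARM support
%patch300 -p1 -b .mips
%patch301 -p1 -b .arm

# Point OPENSSL_LIBNAME in both makefiles at the distro library directory
# name (the _lib macro, typically lib or lib64).
perl -pi -e "s,^(OPENSSL_LIBNAME=).+$,\1%{_lib}," Makefile.org engines/Makefile

# Copy the local helper sources into the tree so the build, check and
# install sections can refer to them by plain name.
cp %{SOURCE2} Makefile.certificate
cp %{SOURCE3} make-dummy-cert
cp %{SOURCE4} openssl-thread-test.c
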
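%build
%serverbuild

# Figure out which flags we want to use.
# default
sslarch=%{_os}-%{_arch}
# Extra Configure arguments; only set for 32-bit x86 targets other than
# i586/i686 (explicitly empty here so the expansion below is well-defined).
sslflags=
%ifarch %ix86
sslarch=linux-elf
# Use the C implementations on targets that are not i586/i686.
if ! echo %{_target} | grep -q 'i[56]86' ; then
	sslflags="no-asm"
fi
%endif
%ifarch sparcv9
sslarch=linux-sparcv9
%endif
%ifarch alpha
sslarch=linux-alpha-gcc
%endif
%ifarch s390
sslarch="linux-generic32 -DB_ENDIAN -DNO_ASM"
%endif
%ifarch s390x
sslarch="linux-generic64 -DB_ENDIAN -DNO_ASM"
%endif

# ia64, x86_64, ppc, ppc64 are OK by default

# Add -Wa,--noexecstack so that libcrypto's assembler modules will be
# marked as not requiring an executable stack. Patch2 makes Configure pick
# up RPM_OPT_FLAGS, so the value must be in place before Configure runs;
# it used to be assigned after Configure, which presumably left the flag
# out of the generated Makefile (TODO confirm against the optflags patch).
# rpmbuild normally exports RPM_OPT_FLAGS already; the export is kept
# explicit so the make invocations below see the same value regardless.
RPM_OPT_FLAGS="%{optflags} -Wa,--noexecstack"
export RPM_OPT_FLAGS

# Configure the build tree. Override OpenSSL defaults with known-good defaults
# usable on all platforms. The Configure script already knows to use -fPIC and
# RPM_OPT_FLAGS, so we can skip specifying them here.
./Configure \
	--prefix=%{_prefix} \
	--openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
	--libdir=%{_lib}/ \
%if %with_krb5
	--with-krb5-flavor=MIT --with-krb5-dir=%{_prefix} \
%endif
	--enginesdir=%{_libdir}/openssl/%{version}/engines \
	zlib no-idea no-rc5 enable-camellia shared enable-tlsext ${sslarch}

make depend
make all build-shared

# Generate hashes for the included certs.
make rehash build-shared
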
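%check
# Verify that what was compiled actually works.
# Run the freshly built libraries from the build tree rather than any
# installed copy.
export LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}

make -C test apps tests

# Build the threaded smoke test (Source4) against the tree. The krb5 flags
# are keyed on with_krb5, the same switch that controls the Configure call;
# they used to be keyed on _with_krb5, which nothing in this spec defines
# (presumably meant as the rpmbuild --with option), so the test was always
# linked without the Kerberos flags even when the library was built with them.
gcc -o openssl-thread-test \
%if %with_krb5
	`krb5-config --cflags` \
%endif
	-I./include \
	%{optflags} \
	openssl-thread-test.c \
	-L. -lssl -lcrypto \
%if %with_krb5
	`krb5-config --libs` \
%endif
	-lpthread -lz -ldl

# Falls back to a single thread if thread_test_threads is not defined.
./openssl-thread-test --threads %{?thread_test_threads}%{!?thread_test_threads:1}
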
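%install
# Start from an empty buildroot.
rm -fr %{buildroot}

%makeinstall \
	INSTALL_PREFIX=%{buildroot} \
	MANDIR=%{_mandir} \
	build-shared

# Engines live in a per-version subdirectory (matching the enginesdir given
# to Configure); move what upstream installed into it.
install -d -m 755 %{buildroot}%{_libdir}/openssl/%{version}
mv %{buildroot}%{_libdir}/engines %{buildroot}%{_libdir}/openssl/%{version}

# make the rootcerts dir
install -d %{buildroot}%{_sysconfdir}/pki/tls/rootcerts

# Install a makefile for generating keys and self-signed certs, and a script
# for generating them on the fly.
install -d %{buildroot}%{_sysconfdir}/pki/tls/certs
install -m0644 Makefile.certificate %{buildroot}%{_sysconfdir}/pki/tls/certs/Makefile
install -m0755 make-dummy-cert %{buildroot}%{_sysconfdir}/pki/tls/certs/make-dummy-cert

# Pick a CA script.
mv %{buildroot}%{_sysconfdir}/pki/tls/misc/CA.sh %{buildroot}%{_sysconfdir}/pki/tls/misc/CA

install -d %{buildroot}%{_sysconfdir}/pki/CA
install -d %{buildroot}%{_sysconfdir}/pki/CA/private

# openssl was named ssleay in "ancient" times.
ln -snf openssl %{buildroot}%{_bindir}/ssleay

# The man pages rand.3 and passwd.1 conflict with other packages
# Rename them to ssl-* and also make a symlink from openssl-* to ssl-*
mv %{buildroot}%{_mandir}/man1/passwd.1 %{buildroot}%{_mandir}/man1/ssl-passwd.1
ln -sf ssl-passwd.1%{_extension} %{buildroot}%{_mandir}/man1/openssl-passwd.1%{_extension}

for i in rand err; do
	mv %{buildroot}%{_mandir}/man3/$i.3 %{buildroot}%{_mandir}/man3/ssl-$i.3
	ln -snf ssl-$i.3%{_extension} %{buildroot}%{_mandir}/man3/openssl-$i.3%{_extension}
done

# README notes explaining the renames, shipped as documentation of the main
# and devel packages. Both directory names are spelled out rather than using
# {main,devel} brace expansion, which only works when the build shell is bash.
rm -rf main-doc-info devel-doc-info
mkdir -p main-doc-info devel-doc-info
cat > main-doc-info/README.mga <<EOF
Warning:
The man page of passwd, passwd.1, has been renamed to ssl-passwd.1
to avoid a conflict with passwd.1 man page from the package passwd.
EOF

cat > devel-doc-info/README.mga <<EOF
Warning:
The man page of rand, rand.3, has been renamed to ssl-rand.3
to avoid a conflict with rand.3 from the package man-pages
The man page of err, err.3, has been renamed to ssl-err.3
to avoid a conflict with err.3 from the package man-pages
EOF

chmod 755 %{buildroot}%{_libdir}/pkgconfig

%multiarch_includes %{buildroot}%{_includedir}/openssl/opensslconf.h

# strip cannot touch these unless 755
chmod 755 %{buildroot}%{_libdir}/openssl/%{version}/engines/*.so*
chmod 755 %{buildroot}%{_libdir}/*.so*
chmod 755 %{buildroot}%{_bindir}/*

# nuke a mistake
rm -f %{buildroot}%{_mandir}/man3/.3

# nuke rpath
chrpath -d %{buildroot}%{_bindir}/openssl

# Fix libdir. The edit goes through a temp file that is copied back so each
# .pc file keeps its mode; a subshell replaces the bash-only pushd/popd.
(
	cd %{buildroot}%{_libdir}/pkgconfig &&
	for i in *.pc ; do
		sed 's,^libdir=${exec_prefix}/lib$,libdir=${exec_prefix}/%{_lib},g' \
			$i >$i.tmp && \
		cat $i.tmp >$i && \
		rm -f $i.tmp
	done
)

# adjust ssldir
perl -pi -e "s|^CATOP=.*|CATOP=%{_sysconfdir}/pki/tls|g" %{buildroot}%{_sysconfdir}/pki/tls/misc/CA
perl -pi -e "s|^\\\$CATOP\=\".*|\\\$CATOP\=\"%{_sysconfdir}/pki/tls\";|g" %{buildroot}%{_sysconfdir}/pki/tls/misc/CA.pl
perl -pi -e "s|\./demoCA|%{_sysconfdir}/pki/tls|g" %{buildroot}%{_sysconfdir}/pki/tls/openssl.cnf
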
%files
%doc FAQ INSTALL LICENSE NEWS PROBLEMS main-doc-info/README*
%doc README README.ASN1 README.ENGINE
# Directory skeleton of the CA and TLS configuration tree set up in the
# install section; openssl.cnf is a config file preserved across upgrades.
%dir %{_sysconfdir}/pki
%dir %{_sysconfdir}/pki/CA
%dir %{_sysconfdir}/pki/CA/private
%dir %{_sysconfdir}/pki/tls
%dir %{_sysconfdir}/pki/tls/certs
%dir %{_sysconfdir}/pki/tls/misc
%dir %{_sysconfdir}/pki/tls/private
%dir %{_sysconfdir}/pki/tls/rootcerts
%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
%{_sysconfdir}/pki/tls/certs/make-dummy-cert
%{_sysconfdir}/pki/tls/certs/Makefile
# The CA script (renamed from CA.sh) and CA.pl after the path adjustments.
%{_sysconfdir}/pki/tls/misc/*
# The openssl tool plus the ssleay compatibility symlink.
%{_bindir}/*
# Sections 1, 5 and 7 only; section 3 pages ship in the devel package.
%{_mandir}/man[157]/*

%files -n %{libname}
%doc FAQ INSTALL LICENSE NEWS PROBLEMS README*
# Versioned shared objects only; the unversioned .so links are in devel.
%{_libdir}/lib*.so.%{maj}

%files -n %{engines_name}
# The whole per-version engines tree created in the install section.
%{_libdir}/openssl

%files -n %{develname}
%doc CHANGES doc/* devel-doc-info/README*
%dir %{_includedir}/openssl
# opensslconf.h goes through the distro multiarch wrapper (see install).
%multiarch %{multiarch_includedir}/openssl/opensslconf.h
%{_includedir}/openssl/*
%{_libdir}/lib*.so
%{_mandir}/man3/*
%{_libdir}/pkgconfig/*

%files -n %{staticname}
# Static archives only.
%{_libdir}/lib*.a