
Contents of /updates/3/openssl/current/SPECS/openssl.spec



Revision 767446 - (show annotations) (download)
Thu Oct 16 18:32:22 2014 UTC (9 years, 6 months ago) by luigiwalser
File size: 12628 byte(s)
- add patches from rhel to fix CVE-2014-3513 and CVE-2014-3567
- rediff patch from rhel to add scsv (mitigate CVE-2014-3566)
- update patch 112 to cope with scsv changes

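# Library naming macros: maj is the soname major used in the library
# package name and in the files list of the library subpackage.
%define maj 1.0.0
%define engines_name %mklibname openssl-engines %{maj}
%define libname %mklibname openssl %{maj}
%define develname %mklibname openssl -d
%define staticname %mklibname openssl -s -d

# Names of the older library packages whose devel subpackages are obsoleted.
%define conflict1 %mklibname openssl 0.9.7
%define conflict2 %mklibname openssl 0.9.8

# Number of threads to spawn when testing some threading fixes.
# Uses the "threads" macro when the builder sets it, otherwise 1. This must
# be a real definition: the check section passes thread_test_threads to
# openssl-thread-test, and a line starting with "#define" is only a comment.
%define thread_test_threads %{?threads:%{threads}}%{!?threads:1}

# Switches the krb5 BuildRequires and the krb5 Configure options.
%define with_krb5 1

Summary: Secure Sockets Layer communications libs & utils
Name: openssl
Version: 1.0.1e
%define subrel 11
Release: %mkrel 1
License: BSD-like
Group: System/Libraries
URL: http://www.openssl.org/
Source0: http://www.openssl.org/source/%{name}-%{version}.tar.gz
# Detached signature for Source0.
# NOTE(review): no step visible in this spec verifies the signature, and both
# source URLs are plain http; check the tarball against the upstream signing
# key whenever Source0 is replaced.
Source1: http://www.openssl.org/source/%{name}-%{version}.tar.gz.asc
Source2: Makefile.certificate
Source3: make-dummy-cert
Source4: openssl-thread-test.c
# (gb) 0.9.7b-4mdk: Handle RPM_OPT_FLAGS in Configure
Patch2: openssl-1.0.1c-optflags.patch
# (oe) support Brazilian Government OTHERNAME X509v3 field (#14158)
# http://www.iti.gov.br/resolucoes/RESOLU__O_13_DE_26_04_2002.PDF
Patch6: openssl-0.9.8-beta6-icpbrasil.diff
# http://qa.mandriva.com/show_bug.cgi?id=32621
Patch15: openssl-0.9.8e-crt.patch
Patch5: openssl-1.0.1g-use-after-free.patch
# upstream patches
Patch8: openssl.git-147dbb2fe3bead7a10e2f280261b661ce7af7adc.patch
Patch9: openssl-1.0.1e-cve-2013-4353.patch
Patch10: openssl-1.0.1e-cve-2013-6450.patch
Patch11: openssl-1.0.0l-CVE-2014-0076.patch
Patch12: openssl-1.0.1f-CVE-2014-0160.patch
Patch19: openssl-1.0.1e-extension-checking-fixes.patch

# fedora patches
Patch7: openssl-1.0.0f-defaults.patch
Patch13: openssl-0.9.6-x509.patch
Patch14: openssl-0.9.8j-version-add-engines.patch
Patch16: openssl-1.0.0-beta5-enginesdir.patch
Patch17: openssl-1.0.1-pkgconfig-krb5.patch
Patch18: openssl-1.0.1e-cve-2013-6449.patch
Patch20: openssl-1.0.1e-cve-2014-0195.patch
Patch21: openssl-1.0.1e-cve-2014-0198.patch
Patch22: openssl-1.0.1e-cve-2014-0221.patch
Patch23: openssl-1.0.1e-cve-2014-0224.patch
Patch24: openssl-1.0.1e-cve-2014-3470.patch
# CVE-2014-3567 and CVE-2014-3513 fixes, plus the fallback SCSV backport
# (downgrade mitigation for CVE-2014-3566).
Patch25: openssl-1.0.1e-cve-2014-3567.patch
Patch26: openssl-1.0.1e-cve-2014-3513.patch
Patch27: openssl-1.0.1e-fallback-scsv.patch

# patches from upstream via debian to fix security issues fixed in 1.0.1i
# https://www.openssl.org/news/secadv_20140806.txt
Patch100: Avoid-double-free-when-processing-DTLS-packets.patch
Patch101: Added-comment-for-the-frag-reassembly-NULL-case-as-p.patch
Patch102: Fix-DTLS-handshake-message-size-checks.patch
Patch103: Fix-memory-leak-from-zero-length-DTLS-fragments.patch
Patch104: Fix-return-code-for-truncated-DTLS-fragment.patch
Patch105: Applying-same-fix-as-in-dtls1_process_out_of_seq_mes.patch
Patch106: Remove-some-duplicate-DTLS-code.patch
Patch107: Fix-protocol-downgrade-bug-in-case-of-fragmented-pac.patch
Patch108: Fix-DTLS-anonymous-EC-DH-denial-of-service.patch
Patch109: Fix-OID-handling.patch
Patch110: Fix-race-condition-in-ssl_parse_serverhello_tlsext.patch
Patch111: SRP-ciphersuite-correction.patch
Patch112: Fix-SRP-ciphersuite-DoS-vulnerability.patch
Patch113: Fix-SRP-buffer-overrun-vulnerability.patch
Patch114: Check-SRP-parameters-early.patch

# MIPS and ARM support
Patch300: openssl-1.0.1c-mips.patch
Patch301: openssl-1.0.1c-arm.patch
# The tools package is tied to the exact library build and to the CA bundle.
Requires: %{libname} = %{version}-%{release}
Requires: perl-base
Requires: rootcerts
%if %with_krb5
BuildRequires: krb5-devel
%endif
BuildRequires: multiarch-utils >= 1.0.3
# chrpath is used in the install section to drop the rpath from the binary.
BuildRequires: chrpath
BuildRequires: zlib-devel
# (tv) for test suite:
BuildRequires: bc
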
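# Main package: the openssl command-line tool and its configuration.
%description
The openssl certificate management tool and the shared libraries that provide
various encryption and decryption algorithms and protocols, including DES, RC4,
RSA and SSL.

# Engine modules, split out so the library package can require them.
%package -n %{engines_name}
Summary: Engines for openssl
Group: System/Libraries
Obsoletes: openssl-engines < 1.0.0a-5
Provides: openssl-engines = %{version}-%{release}

%description -n %{engines_name}
This package provides engines for openssl.

# Shared libraries (libssl / libcrypto) for the soname major above.
%package -n %{libname}
Summary: Secure Sockets Layer communications libs
Group: System/Libraries
Requires: %{engines_name} >= %{version}-%{release}
Provides: %{libname} = %{version}-%{release}

%description -n %{libname}
The library files are needed for various cryptographic algorithms
and protocols, including DES, RC4, RSA and SSL.

# Headers, unversioned .so links, pkgconfig files and section 3 man pages.
%package -n %{develname}
Summary: Secure Sockets Layer communications libs & headers & utils
Group: Development/Other
Requires: %{libname} = %{version}-%{release}
Provides: libopenssl-devel
Provides: openssl-devel = %{version}-%{release}
Obsoletes: openssl-devel
# temporary obsolete, will be a conflict later. a compat package
# with openssl-0.9.7 devel libs will be provided soon
Obsoletes: %{conflict1}-devel
Obsoletes: %{conflict2}-devel
Obsoletes: %{mklibname openssl 1.0.0}-devel
Provides: %{name}-devel = %{version}-%{release}

%description -n %{develname}
The libraries and include files needed to compile apps with support
for various cryptographic algorithms and protocols, including DES, RC4, RSA
and SSL.

# Static archives; pinned to the matching devel package.
%package -n %{staticname}
Summary: Secure Sockets Layer communications static libs
Group: Development/Other
Requires: %{develname} = %{version}-%{release}
Provides: libopenssl-static-devel
Provides: openssl-static-devel = %{version}-%{release}
# temporary obsolete, will be a conflict later. a compat package
# with openssl-0.9.7 static-devel libs will be provided soon
Obsoletes: %{conflict1}-static-devel
Obsoletes: %{conflict2}-static-devel
Obsoletes: %{mklibname openssl 1.0.0}-static-devel
Provides: %{name}-static-devel = %{version}-%{release}

%description -n %{staticname}
The static libraries needed to compile apps with support for various
cryptographic algorithms and protocols, including DES, RC4, RSA and SSL.
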
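%prep

# Unpack Source0 and apply the patch stack. The order below is the order the
# patches are applied in, which is not the numeric order of the Patch tags.
# Each -b suffix names the backup copies kept of the files a patch touches,
# so the suffix should identify the patch that made the change.
# NOTE(review): Source1 (the detached signature) is declared in the preamble
# but nothing here checks it before the tarball is unpacked.
%setup -q -n %{name}-%{version}
%patch2 -p1 -b .optflags
%patch6 -p0 -b .icpbrasil
%patch7 -p1 -b .defaults
%patch8 -p1 -b .SSL_get_certificate
%patch13 -p1 -b .x509
%patch14 -p1 -b .version-add-engines
%patch15 -p1 -b .crt
%patch16 -p1 -b .engines
%patch17 -p1 -b .krb5
%patch18 -p1 -b .hash-crash
%patch9 -p1 -b .cve-2013-4353
%patch10 -p1 -b .cve-2013-6450
%patch11 -p1 -b .CVE-2014-0076
%patch12 -p1 -b .CVE-2014-0160
# Patch5 is the use-after-free patch; it is the only one applied with -p3.
%patch5 -p3 -b .CVE-2010-5298
%patch19 -p1 -b .extension-checking-fixes
%patch20 -p1 -b .cve-2014-0195
%patch21 -p1 -b .cve-2014-0198
%patch22 -p1 -b .cve-2014-0221
%patch23 -p1 -b .cve-2014-0224
%patch24 -p1 -b .cve-2014-3470
# Suffix corrected from .cve-2014-3657: Patch25 is the CVE-2014-3567 fix, and
# a transposed identifier in the backup names misleads anyone auditing which
# fix touched which file.
%patch25 -p1 -b .cve-2014-3567
%patch26 -p1 -b .cve-2014-3513
%patch27 -p1 -b .fallback-scsv

# Security fixes backported from 1.0.1i (Patch100 to Patch114), no backups.
%patch100 -p1
%patch101 -p1
%patch102 -p1
%patch103 -p1
%patch104 -p1
%patch105 -p1
%patch106 -p1
%patch107 -p1
%patch108 -p1
%patch109 -p1
%patch110 -p1
%patch111 -p1
%patch112 -p1
%patch113 -p1
%patch114 -p1

%patch300 -p1 -b .mips
%patch301 -p1 -b .arm

# Point OPENSSL_LIBNAME in the makefiles at the distribution library directory name.
perl -pi -e "s,^(OPENSSL_LIBNAME=).+$,\1%{_lib}," Makefile.org engines/Makefile

# Bring the extra sources into the build tree under fixed names.
cp %{SOURCE2} Makefile.certificate
cp %{SOURCE3} make-dummy-cert
cp %{SOURCE4} openssl-thread-test.c
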
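%build
%serverbuild

# Figure out which flags we want to use.
# sslarch is the OpenSSL Configure target, sslflags holds extra Configure
# options. sslflags starts empty so that a value inherited from the build
# environment cannot end up on the Configure command line.
sslflags=
# default
sslarch=%{_os}-%{_arch}
%ifarch %ix86
sslarch=linux-elf
# The pattern is quoted so the shell cannot glob-expand it against a file
# name in the build directory before grep sees it.
if ! echo %{_target} | grep -q 'i[56]86' ; then
	sslflags="no-asm"
fi
%endif
%ifarch sparcv9
sslarch=linux-sparcv9
%endif
%ifarch alpha
sslarch=linux-alpha-gcc
%endif
%ifarch s390
sslarch="linux-generic32 -DB_ENDIAN -DNO_ASM"
%endif
%ifarch s390x
sslarch="linux-generic64 -DB_ENDIAN -DNO_ASM"
%endif

# ia64, x86_64, ppc, ppc64 are OK by default
# Configure the build tree. Override OpenSSL defaults with known-good defaults
# usable on all platforms. The Configure script already knows to use -fPIC and
# RPM_OPT_FLAGS, so we can skip specifying them here.
# no-idea and no-rc5 leave those two ciphers out of the build.
# NOTE(review): "zlib" builds compression support into the library; confirm
# that TLS compression is not negotiated by default with this patch set.
./Configure \
	--prefix=%{_prefix} \
	--openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
	--libdir=%{_lib}/ \
%if %with_krb5
	--with-krb5-flavor=MIT --with-krb5-dir=%{_prefix} \
%endif
	--enginesdir=%{_libdir}/openssl/%{version}/engines \
	zlib no-idea no-rc5 enable-camellia shared enable-tlsext ${sslarch}

# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
# marked as not requiring an executable stack.
# NOTE(review): this is assigned after Configure has run and is not exported
# here; it only reaches make if the variable is already exported by the build
# environment. Confirm the flag shows up in the compile lines.
RPM_OPT_FLAGS="%{optflags} -Wa,--noexecstack"
make depend
make all build-shared

# Generate hashes for the included certs.
make rehash build-shared
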
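%check
# Verify that what was compiled actually works.
# The build directory goes first on the loader path so the tests run against
# the libraries just built rather than the ones installed on the build host.
export LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}

make -C test apps tests

# Build the threading regression test (Source4) against the in-tree headers
# and libraries.
# NOTE(review): the two krb5-config lines key on the _with_krb5 macro, while
# the rest of this spec switches krb5 support on with_krb5; as written they
# only expand when _with_krb5 is defined by the builder. Confirm which is meant.
gcc -o openssl-thread-test \
	%{?_with_krb5:`krb5-config --cflags`} \
	-I./include \
	%{optflags} \
	openssl-thread-test.c \
	-L. -lssl -lcrypto \
	%{?_with_krb5:`krb5-config --libs`} \
	-lpthread -lz -ldl

# Fall back to one thread when thread_test_threads is not defined, so the
# test never receives an unexpanded macro as its thread count.
./openssl-thread-test --threads %{?thread_test_threads}%{!?thread_test_threads:1}
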
%install
# Start from an empty buildroot, then let the upstream makefile install into it.
rm -rf %{buildroot}

%makeinstall \
	INSTALL_PREFIX=%{buildroot} \
	MANDIR=%{_mandir} \
	build-shared

# Engines live in a versioned directory, matching the enginesdir given to Configure.
install -d -m 755 %{buildroot}%{_libdir}/openssl/%{version}
mv %{buildroot}%{_libdir}/engines %{buildroot}%{_libdir}/openssl/%{version}

# make the rootcerts dir
install -d %{buildroot}%{_sysconfdir}/pki/tls/rootcerts

# Install a makefile for generating keys and self-signed certs, and a script
# for generating them on the fly.
install -d %{buildroot}%{_sysconfdir}/pki/tls/certs
install -m0644 Makefile.certificate %{buildroot}%{_sysconfdir}/pki/tls/certs/Makefile
install -m0755 make-dummy-cert %{buildroot}%{_sysconfdir}/pki/tls/certs/make-dummy-cert

# Pick a CA script.
mv %{buildroot}%{_sysconfdir}/pki/tls/misc/CA.sh %{buildroot}%{_sysconfdir}/pki/tls/misc/CA

# Working directories for a local CA.
# NOTE(review): created without -m, so the private directory gets the default
# directory mode; consider an explicit restrictive mode for a key directory.
install -d %{buildroot}%{_sysconfdir}/pki/CA %{buildroot}%{_sysconfdir}/pki/CA/private

# openssl was named ssleay in "ancient" times.
ln -snf openssl %{buildroot}%{_bindir}/ssleay

# The man pages rand.3 and passwd.1 conflict with other packages
# Rename them to ssl-* and also make a symlink from openssl-* to ssl-*
mv %{buildroot}%{_mandir}/man1/passwd.1 %{buildroot}%{_mandir}/man1/ssl-passwd.1
ln -sf ssl-passwd.1%{_extension} %{buildroot}%{_mandir}/man1/openssl-passwd.1%{_extension}

for page in rand err; do
	mv %{buildroot}%{_mandir}/man3/${page}.3 %{buildroot}%{_mandir}/man3/ssl-${page}.3
	ln -snf ssl-${page}.3%{_extension} %{buildroot}%{_mandir}/man3/openssl-${page}.3%{_extension}
done

# README files shipped as documentation to explain the renamed man pages.
rm -rf {main,devel}-doc-info
mkdir -p {main,devel}-doc-info
cat > main-doc-info/README.mga <<EOF
Warning:
The man page of passwd, passwd.1, has been renamed to ssl-passwd.1
to avoid a conflict with passwd.1 man page from the package passwd.
EOF

cat > devel-doc-info/README.mga <<EOF
Warning:
The man page of rand, rand.3, has been renamed to ssl-rand.3
to avoid a conflict with rand.3 from the package man-pages
The man page of err, err.3, has been renamed to ssl-err.3
to avoid a conflict with err.3 from the package man-pages
EOF

chmod 755 %{buildroot}%{_libdir}/pkgconfig

%multiarch_includes %{buildroot}%{_includedir}/openssl/opensslconf.h

# strip cannot touch these unless 755
chmod 755 %{buildroot}%{_libdir}/openssl/%{version}/engines/*.so*
chmod 755 %{buildroot}%{_libdir}/*.so*
chmod 755 %{buildroot}%{_bindir}/*

# nuke a mistake
rm -f %{buildroot}%{_mandir}/man3/.3

# nuke rpath
# (an rpath left in the installed binary would add a library search path)
chrpath -d %{buildroot}%{_bindir}/openssl

# Fix libdir.
# Rewrite each pkgconfig file through a temporary copy, then write the result
# back into the original file.
pushd %{buildroot}%{_libdir}/pkgconfig
for pc in *.pc ; do
	sed 's,^libdir=${exec_prefix}/lib$,libdir=${exec_prefix}/%{_lib},g' "$pc" >"$pc.tmp" && \
	cat "$pc.tmp" >"$pc" && \
	rm -f "$pc.tmp"
done
popd

# adjust ssldir
# Point the CA helper scripts and openssl.cnf at the packaged pki/tls
# directory instead of the demoCA default.
perl -pi -e "s|^CATOP=.*|CATOP=%{_sysconfdir}/pki/tls|g" %{buildroot}%{_sysconfdir}/pki/tls/misc/CA
perl -pi -e "s|^\\\$CATOP\=\".*|\\\$CATOP\=\"%{_sysconfdir}/pki/tls\";|g" %{buildroot}%{_sysconfdir}/pki/tls/misc/CA.pl
perl -pi -e "s|\./demoCA|%{_sysconfdir}/pki/tls|g" %{buildroot}%{_sysconfdir}/pki/tls/openssl.cnf

# Main package: documentation, the pki directory tree, configuration, the
# CA helper scripts, binaries and the section 1, 5 and 7 man pages.
%files
%doc FAQ INSTALL LICENSE NEWS PROBLEMS main-doc-info/README*
%doc README README.ASN1 README.ENGINE
# NOTE(review): none of these directory entries carries an explicit mode, so
# the two private directories ship with whatever mode the install step left on
# them; consider pinning a restrictive mode on the key directories.
%dir %{_sysconfdir}/pki
%dir %{_sysconfdir}/pki/CA
%dir %{_sysconfdir}/pki/CA/private
%dir %{_sysconfdir}/pki/tls
%dir %{_sysconfdir}/pki/tls/certs
%dir %{_sysconfdir}/pki/tls/misc
%dir %{_sysconfdir}/pki/tls/private
%dir %{_sysconfdir}/pki/tls/rootcerts
# noreplace keeps a locally edited openssl.cnf across package updates.
%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
%{_sysconfdir}/pki/tls/certs/make-dummy-cert
%{_sysconfdir}/pki/tls/certs/Makefile
%{_sysconfdir}/pki/tls/misc/*
%{_bindir}/*
%{_mandir}/man[157]/*

# Versioned shared libraries only.
%files -n %{libname}
%doc FAQ INSTALL LICENSE NEWS PROBLEMS README*
%{_libdir}/lib*.so.%{maj}

# The versioned engines tree created in the install section.
%files -n %{engines_name}
%{_libdir}/openssl

# Headers, unversioned library links, section 3 man pages and pkgconfig files.
%files -n %{develname}
%doc CHANGES doc/* devel-doc-info/README*
%dir %{_includedir}/openssl
%multiarch %{multiarch_includedir}/openssl/opensslconf.h
%{_includedir}/openssl/*
%{_libdir}/lib*.so
%{_mandir}/man3/*
%{_libdir}/pkgconfig/*

# Static archives.
%files -n %{staticname}
%{_libdir}/lib*.a
