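# Shared-library major version; it is part of the library package name and of
# the versioned globs used in the file lists.
%define maj 1.1
%define libname %mklibname openssl %{maj}
%define develname %mklibname openssl -d
%define staticname %mklibname openssl -s -d

# Kerberos support is switched off, so the with_krb5 conditionals are inactive.
%define with_krb5 0

Summary:        Secure Sockets Layer communications libs & utils
Name:           openssl
Version:        1.1.1m
Release:        %mkrel 1
License:        BSD-like
Group:          System/Libraries
URL:            https://www.openssl.org/
# Upstream tarball and its detached signature, referenced over HTTPS.
# NOTE(review): no step in the prep section checks Source1 against an upstream
# release key, so the signature is carried but never used; consider adding a
# verification step before the sources are unpacked.
Source0:        https://www.openssl.org/source/%{name}-%{version}.tar.gz
Source1:        https://www.openssl.org/source/%{name}-%{version}.tar.gz.asc
Source2:        Makefile.certificate
Source4:        openssl-thread-test.c
Source6:        make-dummy-cert
Source7:        renew-dummy-cert
Source12:       ec_curve.c
Source13:       ectest.c

# fedora patches
Patch1:         openssl-1.1.1-build.patch
Patch2:         openssl-1.1.1-defaults.patch
Patch3:         openssl-1.1.0-no-html.patch
Patch4:         openssl-1.1.1-man-rename.patch
Patch21:        openssl-1.1.0-issuer-hash.patch
Patch31:        openssl-1.1.1-conf-paths.patch
Patch32:        openssl-1.1.1-version-add-engines.patch
Patch33:        openssl-1.1.1-apps-dgst.patch
Patch36:        openssl-1.1.1-no-brainpool.patch
Patch37:        openssl-1.1.1-ec-curves.patch
Patch38:        openssl-1.1.1-no-weak-verify.patch
Patch40:        openssl-1.1.1-disable-ssl3.patch
Patch41:        openssl-1.1.1-system-cipherlist.patch
Patch45:        openssl-1.1.1-weak-ciphers.patch
Patch46:        openssl-1.1.1-seclevel.patch
Patch47:        openssl-1.1.1-ts-sha256-default.patch
Patch49:        openssl-1.1.1-evp-kdf.patch
Patch50:        openssl-1.1.1-ssh-kdf.patch
# Backported fixes including security fixes

# MIPS and ARM support
# NOTE(review): the prep section has no patch300/patch301 line, so these two
# patches are listed but not applied.
Patch300:       openssl-1.0.2a-mips.patch
Patch301:       openssl-1.0.2a-arm.patch

#
# Security patches
# Patches 1000 -> ...
#
# NOTE(review): Patch1000 is declared here, but its line in the prep section is
# commented out, so the CVE-2021-23840 patch is not applied to this build.
# Presumably the packaged upstream release already contains the fix; confirm
# against the upstream changelog, then drop this entry or re-enable the patch.
Patch1000:      openssl-1.1.0-CVE-2021-23840.patch

Requires:       %{libname} = %{version}-%{release}
# Trusted root certificates come from a separate package.
Requires:       rootcerts
%if %with_krb5
BuildRequires:  krb5-devel
%endif
BuildRequires:  multiarch-utils >= 1.0.3
BuildRequires:  chrpath
BuildRequires:  pkgconfig(zlib)
BuildRequires:  pkgconfig(libsctp)
# (tv) for test suite:
BuildRequires:  bc

%description
The openssl certificate management tool and the shared libraries that provide
various encryption and decryption algorithms and protocols, including DES, RC4,
RSA and SSL.
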
# ---- shared libraries -------------------------------------------------
%package -n %{libname}
Summary:        Secure Sockets Layer communications libs
Group:          System/Libraries
# The build passes a cipher file under the crypto-policies back-ends directory
# to Configure; presumably this dependency is what ships that file.
Requires:       crypto-policies
Provides:       %{libname} = %{version}-%{release}

%description -n %{libname}
The libraries files are needed for various cryptographic algorithms
and protocols, including DES, RC4, RSA and SSL.

# ---- headers and development symlinks -----------------------------------
%package -n %{develname}
Summary:        Secure Sockets Layer communications libs & headers & utils
Group:          Development/Other
Requires:       %{libname} = %{version}-%{release}
Provides:       libopenssl-devel
Provides:       %{name}-devel = %{version}-%{release}
Obsoletes:      %{mklibname openssl 1.0.0}-devel

%description -n %{develname}
The libraries and include files needed to compile apps with support
for various cryptographic algorithms and protocols, including DES, RC4, RSA
and SSL.

# ---- static archives ----------------------------------------------------
%package -n %{staticname}
Summary:        Secure Sockets Layer communications static libs
Group:          Development/Other
Requires:       %{develname} = %{version}-%{release}
Provides:       libopenssl-static-devel
Provides:       %{name}-static-devel = %{version}-%{release}
Obsoletes:      %{mklibname openssl 1.0.0}-static-devel

%description -n %{staticname}
The static libraries needed to compile apps with support for various
cryptographic algorithms and protocols, including DES, RC4, RSA and SSL.

# ---- perl helper scripts ------------------------------------------------
%package perl
Summary:        Perl scripts provided with OpenSSL
Group:          System/Libraries
Requires:       %{name}%{?_isa} = %{version}-%{release}
# Older main packages conflict with this subpackage; presumably they shipped
# the same scripts themselves.
Conflicts:      %{name} <= 1.0.2h-1.mga6

%description perl
OpenSSL is a toolkit for supporting cryptography. The openssl-perl
package provides Perl scripts for converting certificates and keys
from other formats to the formats used by the OpenSSL toolkit.

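%prep
# Unpack Source0.
# NOTE(review): the detached signature listed as Source1 is not checked
# anywhere in this section, so nothing here proves the tarball is the one
# upstream signed.
%setup -q

# Copy the packaged ec_curve.c and ectest.c into the unpacked source tree.
cp %{SOURCE12} crypto/ec/
cp %{SOURCE13} test/

# Each patch keeps a backup of the files it touches under the -b suffix.
%patch1 -p1 -b .build
%patch2 -p1 -b .default
%patch3 -p1 -b .no-html
%patch4 -p1 -b .man-rename

%patch21 -p1 -b .issuer-hash

# Patch31 (conf-paths) is reverted again in the check section before the
# test suite runs.
%patch31 -p1 -b .ca-dir
%patch32 -p1 -b .version-add-engines
%patch33 -p1 -b .dgst
%patch36 -p1 -b .no-brainpool
%patch37 -p1 -b .curves
%patch38 -p1 -b .no-weak-verify
%patch40 -p1 -b .disable-ssl3
%patch41 -p1 -b .system-cipherlist
%patch45 -p1 -b .weak-ciphers
%patch46 -p1 -b .seclevel
# Backup suffix spelled out in full (it was truncated to ".ts-sha256-defaul").
%patch47 -p1 -b .ts-sha256-default
%patch49 -p1 -b .evp-kdf
%patch50 -p1 -b .ssh-kdf

# NOTE(review): the CVE-2021-23840 patch (Patch1000) is deliberately not
# applied; the line below is commented out. Presumably the packaged upstream
# release already carries the fix. Confirm against the upstream changelog
# and record the reason here, or re-enable the line.
#patch1000 -p1

#perl -pi -e "s,^(OPENSSL_LIBNAME=).+$,\1%{_lib}," Makefile.org engines/Makefile
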
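%build
%serverbuild

# Figure out which flags we want to use.
# Start from an empty value so that an sslflags variable inherited from the
# build environment cannot leak into the Configure command line on
# architectures that do not set it below.
sslflags=
# default
sslarch=%{_os}-%{_target_cpu}
%ifarch %ix86
sslarch=linux-elf
# The pattern is quoted so the shell cannot glob-expand it against a file in
# the build directory before grep sees it.
if ! echo %{_target} | grep -q 'i[56]86' ; then
    sslflags="no-asm 386"
fi
%endif
%ifarch x86_64
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch %{arm}
sslarch=linux-armv4
%endif

# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
# marked as not requiring an executable stack.
# Also add -DPURIFY to make using valgrind with openssl easier as we do not
# want to depend on the uninitialized memory as a source of entropy anyway.
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS"

# ia64, x86_64, ppc, ppc64 are OK by default
# Configure the build tree.  Override OpenSSL defaults with known-good defaults
# usable on all platforms.  The Configure script already knows to use -fPIC and
# RPM_OPT_FLAGS, so we can skip specifying them here.
#
# NOTE(review): enable-md2, enable-rc5, enable-ssl3, enable-ssl3-method and
# enable-weak-ssl-ciphers compile legacy algorithms and SSLv3 into the
# library. Whether they are usable by default at run time then presumably
# depends on the disable-ssl3, weak-ciphers and seclevel patches and on the
# system cipher file given with --system-ciphers-file; check that those still
# apply and still take effect on every version bump.
#
# The final define sets DEVRANDOM to /dev/urandom.
./Configure \
    --prefix=%{_prefix} \
    --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
    --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
%if %with_krb5
    --with-krb5-flavor=MIT --with-krb5-dir=%{_prefix} \
%endif
    zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
    enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \
    enable-weak-ssl-ciphers \
    no-mdc2 no-ec2m no-sm2 no-sm4 \
    shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'

util/mkdef.pl crypto update

make all
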
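%check
# NOTE(review): the whole test suite is skipped on ix86 builds, so packages
# for that architecture ship without having run "make test".
%ifnarch %ix86

# Try to switch on the two SCTP sysctls. This writes kernel settings on the
# build host and normally needs root. When it fails, the fallback inserts a
# "sctp" entry after the "zlib-dynamic" entry in configdata.pm, which per the
# message below disables SCTP for the tests. touch -r copies the original
# timestamp onto the edited file (presumably to avoid a reconfigure).
(sysctl net.sctp.addip_enable=1 && sysctl net.sctp.auth_enable=1) || \
  (echo 'Failed to enable SCTP AUTH chunks, disabling SCTP for tests...' &&
   sed '/"zlib-dynamic" => "default",/a\ \ "sctp" => "default",' configdata.pm > configdata.pm.new && \
   touch -r configdata.pm configdata.pm.new && \
   mv -f configdata.pm.new configdata.pm)

# We must revert patch31 before tests otherwise they will fail
patch -p1 -R < %{PATCH31}

# Put the freshly built libraries first on the loader path. The value is
# quoted so a build directory containing whitespace is not split.
export LD_LIBRARY_PATH="$(pwd)${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}"
# Set (to the empty string) for the test run only; presumably read by the
# no-weak-verify patch. Verify against that patch.
export OPENSSL_ENABLE_MD5_VERIFY=
# Points at a file that does not exist, presumably so the tests do not pick up
# the build host's system cipher configuration. Verify against the
# system-cipherlist patch.
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file

make test
%endif
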
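%install
%make_install

# make the rootcerts dir
install -d %{buildroot}%{_sysconfdir}/pki/tls/rootcerts

# Install a makefile for generating keys and self-signed certs, and a script
# for generating them on the fly.
mkdir -p %{buildroot}%{_sysconfdir}/pki/tls/certs
install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pki/tls/certs/Makefile
install -m 755 %{SOURCE6} %{buildroot}%{_bindir}/make-dummy-cert
install -m 755 %{SOURCE7} %{buildroot}%{_bindir}/renew-dummy-cert

# Move runnable perl scripts to bindir
mv %{buildroot}%{_sysconfdir}/pki/tls/misc/*.pl %{buildroot}%{_bindir}
mv %{buildroot}%{_sysconfdir}/pki/tls/misc/tsget %{buildroot}%{_bindir}

# Directory skeleton for a local CA.
# NOTE(review): CA/private is created with the default directory mode, like
# its siblings. It is meant to hold CA private keys, so consider creating it
# with a restrictive mode (for example install -d -m 700) once it is
# confirmed that nothing relies on the current permissions.
install -d %{buildroot}%{_sysconfdir}/pki/CA
install -d %{buildroot}%{_sysconfdir}/pki/CA/private
install -d %{buildroot}%{_sysconfdir}/pki/CA/certs
install -d %{buildroot}%{_sysconfdir}/pki/CA/crl
install -d %{buildroot}%{_sysconfdir}/pki/CA/newcerts

# Drop the .dist copies of the configuration files. The buildroot macro is
# used here like everywhere else in this section.
rm -f %{buildroot}%{_sysconfdir}/pki/tls/openssl.cnf.dist
rm -f %{buildroot}%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist

# fix man pages conflicts with other packages
for i in passwd rand ; do
    mv "%{buildroot}%{_mandir}/man1/$i.1" "%{buildroot}%{_mandir}/man1/ssl-$i.1"
done

%multiarch_includes %{buildroot}%{_includedir}/openssl/opensslconf.h

# nuke rpath
chrpath -d %{buildroot}%{_bindir}/openssl

# Fix libdir.
for i in %{buildroot}%{_libdir}/pkgconfig/*.pc; do
    sed -i 's,^libdir=${exec_prefix}/lib$,libdir=${exec_prefix}/%{_lib},g' "$i"
done

# adjust ssldir
perl -pi -e "s|^\\\$CATOP\=\".*|\\\$CATOP\=\"%{_sysconfdir}/pki/tls\";|g" %{buildroot}%{_bindir}/CA.pl
perl -pi -e "s|\./demoCA|%{_sysconfdir}/pki/tls|g" %{buildroot}%{_sysconfdir}/pki/tls/openssl.cnf
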
# ---- main package: command-line tool, configuration, man pages ------------
%files
%doc FAQ INSTALL LICENSE NEWS README*
%dir %{_sysconfdir}/pki
%dir %{_sysconfdir}/pki/tls
%dir %{_sysconfdir}/pki/tls/certs
%dir %{_sysconfdir}/pki/tls/misc
# NOTE(review): the private-key directory is packaged without an explicit
# mode or owner, so it gets whatever the install step left in the build root.
# Consider pinning it with an attr entry after checking which services read
# keys from it.
%dir %{_sysconfdir}/pki/tls/private
%dir %{_sysconfdir}/pki/tls/rootcerts
# Administrator edits to these two files survive package upgrades.
%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
%config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf
%{_sysconfdir}/pki/tls/certs/Makefile
%{_bindir}/make-dummy-cert
%{_bindir}/renew-dummy-cert
%{_bindir}/openssl
%{_mandir}/man[157]/*
# These man pages are listed in the perl subpackage instead.
%exclude %{_mandir}/man1*/*rehash*
%exclude %{_mandir}/man1*/*.pl*
%exclude %{_mandir}/man1*/*tsget*

# ---- shared libraries and engines -----------------------------------------
%files -n %{libname}
%doc FAQ LICENSE NEWS README*
%{_libdir}/lib*.so.%{maj}
%{_libdir}/engines-%{maj}

# ---- headers, unversioned .so links, pkg-config files ---------------------
%files -n %{develname}
%doc CHANGES doc/*
%dir %{_includedir}/openssl
%multiarch %{multiarch_includedir}/openssl/opensslconf.h
%{_includedir}/openssl
%{_libdir}/lib*.so
%{_mandir}/man3/*
%{_libdir}/pkgconfig/*.pc

# ---- static archives --------------------------------------------------------
%files -n %{staticname}
%{_libdir}/lib*.a

# ---- perl scripts and the local CA directory skeleton ----------------------
%files perl
%{_bindir}/c_rehash
%{_bindir}/*.pl
%{_bindir}/tsget
%{_mandir}/man1*/*rehash*
%{_mandir}/man1*/*.pl*
%{_mandir}/man1*/*tsget*
%dir %{_sysconfdir}/pki/CA
# NOTE(review): as with the tls/private directory in the main package, no
# explicit mode is set on the CA private-key directory.
%dir %{_sysconfdir}/pki/CA/private
%dir %{_sysconfdir}/pki/CA/certs
%dir %{_sysconfdir}/pki/CA/crl
%dir %{_sysconfdir}/pki/CA/newcerts