%define maj 1.1
%define libname %mklibname openssl %{maj}
%define develname %mklibname openssl -d
%define staticname %mklibname openssl -s -d

%define conflict1 %mklibname openssl 0.9.7
%define conflict2 %mklibname openssl 0.9.8

%define with_krb5 0

Summary:        Secure Sockets Layer communications libs & utils
Name:           openssl
Version:        1.1.0i
Release:        %mkrel 1
License:        BSD-like
Group:          System/Libraries
URL:            http://www.openssl.org/
Source0:        http://www.openssl.org/source/%{name}-%{version}.tar.gz
Source1:        http://www.openssl.org/source/%{name}-%{version}.tar.gz.asc
Source2:        Makefile.certificate
Source4:        openssl-thread-test.c
Source6:        make-dummy-cert
Source7:        renew-dummy-cert
Source12:       ec_curve.c
Source13:       ectest.c
# (oe) support Brazilian Government OTHERNAME X509v3 field (#14158)
# http://www.iti.gov.br/resolucoes/RESOLU__O_13_DE_26_04_2002.PDF
Patch6:         openssl-1.0.2l-icpbrasil.diff
# fedora patches
Patch1:         openssl-1.1.0-build.patch
Patch3:         openssl-1.1.0-no-html.patch
Patch21:        openssl-1.1.0-issuer-hash.patch
Patch22:        openssl-1.1.0-algo-doc.patch
Patch23:        openssl-1.1.0-manfix.patch
Patch31:        openssl-1.1.0-ca-dir.patch
Patch32:        openssl-1.1.0-version-add-engines.patch
Patch33:        openssl-1.1.0-apps-dgst.patch
Patch34:        openssl-1.1.0-starttls-xmpp.patch
Patch35:        openssl-1.1.0-chil-fixes.patch
Patch36:        openssl-1.1.0-secure-getenv.patch
Patch37:        openssl-1.1.0-ec-curves.patch
Patch38:        openssl-1.1.0-no-weak-verify.patch
Patch39:        openssl-1.1.0-cc-reqs.patch
Patch40:        openssl-1.1.0-disable-ssl3.patch
Patch41:        openssl-1.1.0-system-cipherlist.patch
Patch44:        openssl-1.1.0-bio-fd-preserve-nl.patch
Patch45:        openssl-1.1.0-weak-ciphers.patch
# Upstream patches
# https://github.com/openssl/openssl/issues/5772
Patch100:       0001-Revert-util-dofile.pl-only-quote-stuff-that-actually.patch
# MIPS and ARM support
Patch300:       openssl-1.0.2a-mips.patch
Patch301:       openssl-1.0.2a-arm.patch
Requires:       %{libname} = %{version}-%{release}
Requires:       rootcerts
%if %with_krb5
BuildRequires:  krb5-devel
%endif
BuildRequires:  multiarch-utils >= 1.0.3
BuildRequires:  chrpath
BuildRequires:  pkgconfig(zlib)
# (tv) for test suite:
BuildRequires:  bc

%description
The openssl certificate management tool and the shared libraries that
provide various encryption and decryption algorithms and protocols,
including DES, RC4, RSA and SSL.

%package -n %{libname}
Summary:        Secure Sockets Layer communications libs
Group:          System/Libraries
Requires:       crypto-policies
Provides:       %{libname} = %{version}-%{release}

%description -n %{libname}
The library files are needed for various cryptographic algorithms
and protocols, including DES, RC4, RSA and SSL.

%package -n %{develname}
Summary:        Secure Sockets Layer communications libs & headers & utils
Group:          Development/Other
Requires:       %{libname} = %{version}-%{release}
Provides:       libopenssl-devel
Provides:       %{name}-devel = %{version}-%{release}
# temporary obsolete, will be a conflict later. a compat package
# with openssl-0.9.7 devel libs will be provided soon
Obsoletes:      %{conflict1}-devel
Obsoletes:      %{conflict2}-devel
Obsoletes:      %{mklibname openssl 1.0.0}-devel

%description -n %{develname}
The libraries and include files needed to compile apps with support
for various cryptographic algorithms and protocols, including DES,
RC4, RSA and SSL.

%package -n %{staticname}
Summary:        Secure Sockets Layer communications static libs
Group:          Development/Other
Requires:       %{develname} = %{version}-%{release}
Provides:       libopenssl-static-devel
Provides:       %{name}-static-devel = %{version}-%{release}
# temporary obsolete, will be a conflict later. a compat package
# with openssl-0.9.7 static-devel libs will be provided soon
Obsoletes:      %{conflict1}-static-devel
Obsoletes:      %{conflict2}-static-devel
Obsoletes:      %{mklibname openssl 1.0.0}-static-devel

%description -n %{staticname}
The static libraries needed to compile apps with support for various
cryptographic algorithms and protocols, including DES, RC4, RSA and SSL.

%package perl
Summary:        Perl scripts provided with OpenSSL
Group:          System/Libraries
Requires:       %{name}%{?_isa} = %{version}-%{release}
Conflicts:      %name <= 1.0.2h-1.mga6

%description perl
OpenSSL is a toolkit for supporting cryptography. The openssl-perl
package provides Perl scripts for converting certificates and keys
from other formats to the formats used by the OpenSSL toolkit.

%prep
%setup -q

cp %{SOURCE12} crypto/ec/
cp %{SOURCE13} test/

%patch1 -p1 -b .build
%patch3 -p1 -b .no-html
%patch6 -p1 -b .icpbrasil
%patch21 -p1 -b .issuer-hash
%patch22 -p1 -b .algo-doc
%patch23 -p1 -b .manfix
%patch31 -p1 -b .ca-dir
%patch32 -p1 -b .version-add-engines
%patch33 -p1 -b .dgst
%patch34 -p1 -b .xmpp
%patch35 -p1 -b .chil
%patch36 -p1 -b .secure-getenv
%patch37 -p1 -b .curves
%patch38 -p1 -b .no-md5-verify
%patch39 -p1 -b .cc-reqs
%patch40 -p1 -b .disable-ssl3
%patch41 -p1 -b .system-cipherlist
%patch44 -p1 -b .preserve-nl
%patch45 -p1 -b .weak-ciphers

#patch100 -p1 -b .c_rehash-fix

#patch300 -p1 -b .mips
#patch301 -p1 -b .arm

#perl -pi -e "s,^(OPENSSL_LIBNAME=).+$,\1%{_lib}," Makefile.org engines/Makefile

%build
%serverbuild

# Figure out which flags we want to use.
# default
sslarch=%{_os}-%{_target_cpu}
%ifarch %ix86
sslarch=linux-elf
if ! echo %{_target} | grep -q i[56]86 ; then
    sslflags="no-asm 386"
fi
%endif
%ifarch x86_64
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch %{arm}
sslarch=linux-armv4
%endif

# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
# marked as not requiring an executable stack.
# Also add -DPURIFY to make using valgrind with openssl easier as we do not
# want to depend on the uninitialized memory as a source of entropy anyway.
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -DPURIFY"

# ia64, x86_64, ppc, ppc64 are OK by default
# Configure the build tree. Override OpenSSL defaults with known-good defaults
# usable on all platforms. The Configure script already knows to use -fPIC and
# RPM_OPT_FLAGS, so we can skip specifying them here.
./Configure \
    --prefix=%{_prefix} \
    --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
    --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
%if %with_krb5
    --with-krb5-flavor=MIT --with-krb5-dir=%{_prefix} \
%endif
    zlib enable-camellia enable-seed enable-rfc3779 \
    enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \
    enable-weak-ssl-ciphers no-mdc2 no-ec2m shared ${sslarch} \
    $RPM_OPT_FLAGS

util/mkdef.pl crypto update

make all

%check
# Verify that what was compiled actually works.

# We must revert patch31 before tests otherwise they will fail
patch -p1 -R < %{PATCH31}

export LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
export OPENSSL_ENABLE_MD5_VERIFY=
make test

patch -p1 < %{PATCH31}

%install
%make_install

# make the rootcerts dir
install -d %{buildroot}%{_sysconfdir}/pki/tls/rootcerts

# Install a makefile for generating keys and self-signed certs, and a script
# for generating them on the fly.
mkdir -p %{buildroot}%{_sysconfdir}/pki/tls/certs
install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pki/tls/certs/Makefile
install -m 755 %{SOURCE6} %{buildroot}%{_bindir}/make-dummy-cert
install -m 755 %{SOURCE7} %{buildroot}%{_bindir}/renew-dummy-cert

# Move runnable perl scripts to bindir
mv %{buildroot}%{_sysconfdir}/pki/tls/misc/*.pl %{buildroot}%{_bindir}
mv %{buildroot}%{_sysconfdir}/pki/tls/misc/tsget %{buildroot}%{_bindir}

install -d %{buildroot}%{_sysconfdir}/pki/CA
install -d %{buildroot}%{_sysconfdir}/pki/CA/private
install -d %{buildroot}%{_sysconfdir}/pki/CA/certs
install -d %{buildroot}%{_sysconfdir}/pki/CA/crl
install -d %{buildroot}%{_sysconfdir}/pki/CA/newcerts

rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist

# fix man pages conflicts with other packages
for i in passwd rand ; do
    mv %{buildroot}%{_mandir}/man1/$i.1 %{buildroot}%{_mandir}/man1/ssl-$i.1
done

%multiarch_includes %{buildroot}%{_includedir}/openssl/opensslconf.h

# nuke rpath
chrpath -d %{buildroot}%{_bindir}/openssl

# Fix libdir.
for i in %{buildroot}%{_libdir}/pkgconfig/*.pc; do
    sed -i 's,^libdir=${exec_prefix}/lib$,libdir=${exec_prefix}/%{_lib},g' $i
done

# adjust ssldir
perl -pi -e "s|^\\\$CATOP\=\".*|\\\$CATOP\=\"%{_sysconfdir}/pki/tls\";|g" %{buildroot}%{_bindir}/CA.pl
perl -pi -e "s|\./demoCA|%{_sysconfdir}/pki/tls|g" %{buildroot}%{_sysconfdir}/pki/tls/openssl.cnf

%files
%doc FAQ INSTALL LICENSE NEWS README*
%dir %{_sysconfdir}/pki
%dir %{_sysconfdir}/pki/tls
%dir %{_sysconfdir}/pki/tls/certs
%dir %{_sysconfdir}/pki/tls/misc
%dir %{_sysconfdir}/pki/tls/private
%dir %{_sysconfdir}/pki/tls/rootcerts
%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
%{_sysconfdir}/pki/tls/certs/Makefile
%{_bindir}/make-dummy-cert
%{_bindir}/renew-dummy-cert
%{_bindir}/openssl
%{_mandir}/man[157]/*
%exclude %{_mandir}/man1*/*rehash*
%exclude %{_mandir}/man1*/*.pl*
%exclude %{_mandir}/man1*/*tsget*

%files -n %{libname}
%doc FAQ LICENSE NEWS README*
%{_libdir}/lib*.so.%{maj}
%{_libdir}/engines-%{maj}

%files -n %{develname}
%doc CHANGES doc/*
%dir %{_includedir}/openssl
%multiarch %{multiarch_includedir}/openssl/opensslconf.h
%{_includedir}/openssl
%{_libdir}/lib*.so
%{_mandir}/man3/*
%{_libdir}/pkgconfig/*.pc

%files -n %{staticname}
%{_libdir}/lib*.a

%files perl
%{_bindir}/c_rehash
%{_bindir}/*.pl
%{_bindir}/tsget
%{_mandir}/man1*/*rehash*
%{_mandir}/man1*/*.pl*
%{_mandir}/man1*/*tsget*
%dir %{_sysconfdir}/pki/CA
%dir %{_sysconfdir}/pki/CA/private
%dir %{_sysconfdir}/pki/CA/certs
%dir %{_sysconfdir}/pki/CA/crl
%dir %{_sysconfdir}/pki/CA/newcerts