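# RPM spec for OpenSSL 1.1.1d. It produces the openssl command-line tool, the
# shared libraries, the development and static library packages, and a
# sub-package with the perl helper scripts.

# Library major version; used in the library package name and in the files lists.
%define maj 1.1
%define libname %mklibname openssl %{maj}
%define develname %mklibname openssl -d
%define staticname %mklibname openssl -s -d

# Kerberos support switch: 0 leaves out the krb5-devel build dependency and
# the krb5 options passed to Configure.
%define with_krb5 0

Summary:        Secure Sockets Layer communications libs & utils
Name:           openssl
Version:        1.1.1d
Release:        %mkrel 1
License:        BSD-like
Group:          System/Libraries
URL:            https://www.openssl.org/
# Upstream tarball and its detached signature, referenced over HTTPS.
# NOTE(review): Source1 is declared, but no step in this spec checks Source0
# against it, so the integrity of the tarball rests on whatever the build
# system verifies outside this file. Check the signature against a pinned
# upstream keyring before the sources are unpacked.
Source0:        https://www.openssl.org/source/%{name}-%{version}.tar.gz
Source1:        https://www.openssl.org/source/%{name}-%{version}.tar.gz.asc
Source2:        Makefile.certificate
Source4:        openssl-thread-test.c
Source6:        make-dummy-cert
Source7:        renew-dummy-cert
Source12:       ec_curve.c
Source13:       ectest.c
# fedora patches
Patch1:         openssl-1.1.1-build.patch
Patch2:         openssl-1.1.1-defaults.patch
Patch3:         openssl-1.1.0-no-html.patch
Patch4:         openssl-1.1.1-man-rename.patch
Patch21:        openssl-1.1.0-issuer-hash.patch
Patch31:        openssl-1.1.1-conf-paths.patch
Patch32:        openssl-1.1.1-version-add-engines.patch
Patch33:        openssl-1.1.1-apps-dgst.patch
Patch36:        openssl-1.1.1-no-brainpool.patch
Patch37:        openssl-1.1.1-ec-curves.patch
Patch38:        openssl-1.1.1-no-weak-verify.patch
Patch40:        openssl-1.1.1-disable-ssl3.patch
Patch41:        openssl-1.1.1-system-cipherlist.patch
Patch43:        openssl-1.1.1-ignore-bound.patch
Patch45:        openssl-1.1.1-weak-ciphers.patch
Patch46:        openssl-1.1.1-seclevel.patch
Patch47:        openssl-1.1.1-ts-sha256-default.patch
Patch49:        openssl-1.1.1-evp-kdf.patch
Patch50:        openssl-1.1.1-ssh-kdf.patch
# Backported fixes including security fixes
Patch51:        openssl-1.1.1-upstream-sync.patch
Patch54:        openssl-1.1.1-regression-fixes.patch
# MIPS and ARM support
# NOTE(review): these two patches are declared, but the prep section applies
# only patches 1 to 54; confirm that leaving them unapplied is intentional.
Patch300:       openssl-1.0.2a-mips.patch
Patch301:       openssl-1.0.2a-arm.patch

Requires:       %{libname} = %{version}-%{release}
Requires:       rootcerts
%if %with_krb5
BuildRequires:  krb5-devel
%endif
BuildRequires:  multiarch-utils >= 1.0.3
BuildRequires:  chrpath
BuildRequires:  pkgconfig(zlib)
BuildRequires:  pkgconfig(libsctp)
# (tv) for test suite:
BuildRequires:  bc

%description
The openssl certificate management tool and the shared
libraries that provide various encryption and decryption algorithms and
protocols, including DES, RC4, RSA and SSL.

%package -n %{libname}
Summary:        Secure Sockets Layer communications libs
Group:          System/Libraries
Requires:       crypto-policies
Provides:       %{libname} = %{version}-%{release}

%description -n %{libname}
The library files are needed for various cryptographic algorithms
and protocols, including DES, RC4, RSA and SSL.

%package -n %{develname}
Summary:        Secure Sockets Layer communications libs & headers & utils
Group:          Development/Other
Requires:       %{libname} = %{version}-%{release}
Provides:       libopenssl-devel
Provides:       %{name}-devel = %{version}-%{release}
Obsoletes:      %{mklibname openssl 1.0.0}-devel

%description -n %{develname}
The libraries and include files needed to compile apps with support
for various cryptographic algorithms and protocols, including DES, RC4, RSA
and SSL.

%package -n %{staticname}
Summary:        Secure Sockets Layer communications static libs
Group:          Development/Other
Requires:       %{develname} = %{version}-%{release}
Provides:       libopenssl-static-devel
Provides:       %{name}-static-devel = %{version}-%{release}
Obsoletes:      %{mklibname openssl 1.0.0}-static-devel

%description -n %{staticname}
The static libraries needed to compile apps with support for various
cryptographic algorithms and protocols, including DES, RC4, RSA and SSL.

%package perl
Summary:        Perl scripts provided with OpenSSL
Group:          System/Libraries
Requires:       %{name}%{?_isa} = %{version}-%{release}
Conflicts:      %name <= 1.0.2h-1.mga6

%description perl
OpenSSL is a toolkit for supporting cryptography. The openssl-perl
package provides Perl scripts for converting certificates and keys
from other formats to the formats used by the OpenSSL toolkit.
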
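%prep
%setup -q
# NOTE(review): the upstream detached signature (Source1 in the preamble) is
# not checked anywhere in this section. Verify the tarball against a pinned
# upstream keyring before unpacking, so a tampered source archive fails the
# build instead of being patched and compiled.

# Replace the EC curve table and its test with the distribution's copies.
cp %{SOURCE12} crypto/ec/
cp %{SOURCE13} test/

%patch1 -p1 -b .build
%patch2 -p1 -b .default
%patch3 -p1 -b .no-html
%patch4 -p1 -b .man-rename
%patch21 -p1 -b .issuer-hash
%patch31 -p1 -b .ca-dir
%patch32 -p1 -b .version-add-engines
%patch33 -p1 -b .dgst
%patch36 -p1 -b .no-brainpool
%patch37 -p1 -b .curves
%patch38 -p1 -b .no-weak-verify
%patch40 -p1 -b .disable-ssl3
%patch41 -p1 -b .system-cipherlist
%patch43 -p1 -b .ignore-bound
%patch45 -p1 -b .weak-ciphers
%patch46 -p1 -b .seclevel
%patch47 -p1 -b .ts-sha256-default
%patch49 -p1 -b .evp-kdf
%patch50 -p1 -b .ssh-kdf
%patch51 -p1 -b .upstream-sync
%patch54 -p1 -b .regression

#perl -pi -e "s,^(OPENSSL_LIBNAME=).+$,\1%{_lib}," Makefile.org engines/Makefile

%build
%serverbuild

# Figure out which flags we want to use.
# default
sslarch=%{_os}-%{_target_cpu}
%ifarch %ix86
sslarch=linux-elf
# The pattern is quoted so the shell cannot expand it against a file name in
# the build directory before grep sees it.
if ! echo %{_target} | grep -q 'i[56]86' ; then
	sslflags="no-asm 386"
fi
%endif
%ifarch x86_64
sslflags=enable-ec_nistp_64_gcc_128
%endif
%ifarch %{arm}
sslarch=linux-armv4
%endif

# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
# marked as not requiring an executable stack.
# Also add -DPURIFY to make using valgrind with openssl easier as we do not
# want to depend on the uninitialized memory as a source of entropy anyway.
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS"

# ia64, x86_64, ppc, ppc64 are OK by default
# Configure the build tree.  Override OpenSSL defaults with known-good defaults
# usable on all platforms.  The Configure script already knows to use -fPIC and
# RPM_OPT_FLAGS, so we can skip specifying them here.
#
# NOTE(review): this build compiles in SSLv3 (enable-ssl3, enable-ssl3-method),
# MD2, RC5 and the weak-ssl-ciphers group. The patch names applied in the prep
# section (disable-ssl3, weak-ciphers, seclevel, system-cipherlist) suggest
# these are kept out of the runtime defaults, but that cannot be confirmed from
# this spec alone. Check that the default protocol floor and the cipher list
# read from the system-ciphers-file below exclude them on an installed system.
./Configure \
	--prefix=%{_prefix} \
	--openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
	--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
%if %with_krb5
	--with-krb5-flavor=MIT --with-krb5-dir=%{_prefix} \
%endif
	zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
	enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \
	enable-weak-ssl-ciphers \
	no-mdc2 no-ec2m no-sm2 no-sm4 \
	shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'

util/mkdef.pl crypto update

make all

%check
# NOTE(review): the test suite is skipped entirely on 32-bit x86, so those
# builds ship without the upstream self-tests having run.
%ifnarch %ix86
# NOTE(review): the first command changes kernel SCTP sysctls on the build
# host. That needs privileges and alters host state outside the build tree; in
# an unprivileged build it fails and the fallback edits configdata.pm instead
# (presumably marking sctp as disabled for the tests -- confirm).
(sysctl net.sctp.addip_enable=1 && sysctl net.sctp.auth_enable=1) || \
(echo 'Failed to enable SCTP AUTH chunks, disabling SCTP for tests...' &&
 sed '/"zlib-dynamic" => "default",/a\ \ "sctp" => "default",' configdata.pm > configdata.pm.new && \
 touch -r configdata.pm configdata.pm.new && \
 mv -f configdata.pm.new configdata.pm)

# We must revert patch31 before tests otherwise they will fail
patch -p1 -R < %{PATCH31}

# Put the freshly built libraries first on the loader path. The conditional
# expansion adds the colon only when a previous value exists: an empty path
# element would make the loader search the current directory.
export LD_LIBRARY_PATH="$(pwd)${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}"
export OPENSSL_ENABLE_MD5_VERIFY=
# Presumably keeps the tests independent of the host's crypto-policies cipher
# file by pointing the override at a file that does not exist -- confirm
# against the system-cipherlist patch.
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
make test
%endif

%install
%make_install

# make the rootcerts dir
install -d %{buildroot}%{_sysconfdir}/pki/tls/rootcerts

# Install a makefile for generating keys and self-signed certs, and a script
# for generating them on the fly.
mkdir -p %{buildroot}%{_sysconfdir}/pki/tls/certs
install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pki/tls/certs/Makefile
install -m 755 %{SOURCE6} %{buildroot}%{_bindir}/make-dummy-cert
install -m 755 %{SOURCE7} %{buildroot}%{_bindir}/renew-dummy-cert

# Move runnable perl scripts to bindir
mv %{buildroot}%{_sysconfdir}/pki/tls/misc/*.pl %{buildroot}%{_bindir}
mv %{buildroot}%{_sysconfdir}/pki/tls/misc/tsget %{buildroot}%{_bindir}

# Directory skeleton for a local CA.
# NOTE(review): the private directory is created without -m, so it gets
# install's default mode. Consider an explicit restrictive mode for a
# directory meant to hold CA private keys.
install -d %{buildroot}%{_sysconfdir}/pki/CA
install -d %{buildroot}%{_sysconfdir}/pki/CA/private
install -d %{buildroot}%{_sysconfdir}/pki/CA/certs
install -d %{buildroot}%{_sysconfdir}/pki/CA/crl
install -d %{buildroot}%{_sysconfdir}/pki/CA/newcerts

rm -f %{buildroot}%{_sysconfdir}/pki/tls/openssl.cnf.dist
rm -f %{buildroot}%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist

# fix man pages conflicts with other packages
for i in passwd rand ; do
	mv %{buildroot}%{_mandir}/man1/$i.1 %{buildroot}%{_mandir}/man1/ssl-$i.1
done

%multiarch_includes %{buildroot}%{_includedir}/openssl/opensslconf.h

# nuke rpath, so the installed binary carries no embedded library search path
chrpath -d %{buildroot}%{_bindir}/openssl

# Fix libdir.
for i in %{buildroot}%{_libdir}/pkgconfig/*.pc; do
	sed -i 's,^libdir=${exec_prefix}/lib$,libdir=${exec_prefix}/%{_lib},g' "$i"
done

# adjust ssldir
perl -pi -e "s|^\\\$CATOP\=\".*|\\\$CATOP\=\"%{_sysconfdir}/pki/tls\";|g" %{buildroot}%{_bindir}/CA.pl
perl -pi -e "s|\./demoCA|%{_sysconfdir}/pki/tls|g" %{buildroot}%{_sysconfdir}/pki/tls/openssl.cnf

%files
%doc FAQ INSTALL LICENSE NEWS README*
%dir %{_sysconfdir}/pki
%dir %{_sysconfdir}/pki/tls
%dir %{_sysconfdir}/pki/tls/certs
%dir %{_sysconfdir}/pki/tls/misc
# NOTE(review): no explicit mode is set on the private-key directory; it ships
# with whatever mode the install step left in the buildroot. Confirm that mode
# is restrictive enough for private keys.
%dir %{_sysconfdir}/pki/tls/private
%dir %{_sysconfdir}/pki/tls/rootcerts
%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
%config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf
%{_sysconfdir}/pki/tls/certs/Makefile
%{_bindir}/make-dummy-cert
%{_bindir}/renew-dummy-cert
%{_bindir}/openssl
%{_mandir}/man[157]/*
%exclude %{_mandir}/man1*/*rehash*
%exclude %{_mandir}/man1*/*.pl*
%exclude %{_mandir}/man1*/*tsget*

%files -n %{libname}
%doc FAQ LICENSE NEWS README*
%{_libdir}/lib*.so.%{maj}
%{_libdir}/engines-%{maj}

%files -n %{develname}
%doc CHANGES doc/*
%dir %{_includedir}/openssl
%multiarch %{multiarch_includedir}/openssl/opensslconf.h
%{_includedir}/openssl
%{_libdir}/lib*.so
%{_mandir}/man3/*
%{_libdir}/pkgconfig/*.pc

%files -n %{staticname}
%{_libdir}/lib*.a

%files perl
%{_bindir}/c_rehash
%{_bindir}/*.pl
%{_bindir}/tsget
%{_mandir}/man1*/*rehash*
%{_mandir}/man1*/*.pl*
%{_mandir}/man1*/*tsget*
%dir %{_sysconfdir}/pki/CA
%dir %{_sysconfdir}/pki/CA/private
%dir %{_sysconfdir}/pki/CA/certs
%dir %{_sysconfdir}/pki/CA/crl
%dir %{_sysconfdir}/pki/CA/newcerts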