
Contents of /updates/8/openssl/current/SPECS/openssl.spec



Revision 1939475 - (show annotations) (download)
Wed Feb 8 15:08:03 2023 UTC (13 months, 2 weeks ago) by ns80
File size: 9667 byte(s)
- new version 1.1.1t for several CVEs (mga#31526)

# Package preamble: version macros, upstream sources, the distribution patch
# series, and the runtime/build dependencies of the main package.
# (Comments added in review avoid the percent sign on purpose: rpm expands
# macros even inside comment lines.)
1 %define maj 1.1
2 %define libname %mklibname openssl %{maj}
3 %define develname %mklibname openssl -d
4 %define staticname %mklibname openssl -s -d
5
# Kerberos support is switched off: the krb5 build dependency and the krb5
# Configure flags guarded by this macro are inactive.
6 %define with_krb5 0
7
8 Summary: Secure Sockets Layer communications libs & utils
9 Name: openssl
10 Version: 1.1.1t
11 Release: %mkrel 1
12 License: BSD-like
13 Group: System/Libraries
14 URL: http://www.openssl.org/
# NOTE(review): Source0 and its detached signature Source1 are referenced over
# plain http, and the prep section of this spec only unpacks the tarball; no
# step visible in this file checks the tarball against the .asc signature.
# Integrity therefore rests on whatever the build system records for the
# uploaded sources - confirm, or add a signature check to prep.
15 Source0: http://www.openssl.org/source/%{name}-%{version}.tar.gz
16 Source1: http://www.openssl.org/source/%{name}-%{version}.tar.gz.asc
17 Source2: Makefile.certificate
18 Source4: openssl-thread-test.c
19 Source6: make-dummy-cert
20 Source7: renew-dummy-cert
# Source12 and Source13 are copied into crypto/ec/ and test/ during prep.
21 Source12: ec_curve.c
22 Source13: ectest.c
23
# NOTE(review): several patch names below (no-weak-verify, disable-ssl3,
# weak-ciphers, seclevel, system-cipherlist) suggest they change security
# defaults. Their contents are not visible here; read them together with the
# Configure options in the build section before relying on either.
24 # fedora patches
25 Patch1: openssl-1.1.1-build.patch
26 Patch2: openssl-1.1.1-defaults.patch
27 Patch3: openssl-1.1.0-no-html.patch
28 Patch4: openssl-1.1.1-man-rename.patch
29 Patch21: openssl-1.1.0-issuer-hash.patch
30 Patch31: openssl-1.1.1-conf-paths.patch
31 Patch32: openssl-1.1.1-version-add-engines.patch
32 Patch33: openssl-1.1.1-apps-dgst.patch
33 Patch36: openssl-1.1.1-no-brainpool.patch
34 Patch37: openssl-1.1.1-ec-curves.patch
35 Patch38: openssl-1.1.1-no-weak-verify.patch
36 Patch40: openssl-1.1.1-disable-ssl3.patch
37 Patch41: openssl-1.1.1-system-cipherlist.patch
38 Patch45: openssl-1.1.1-weak-ciphers.patch
39 Patch46: openssl-1.1.1-seclevel.patch
40 Patch47: openssl-1.1.1-ts-sha256-default.patch
41 Patch49: openssl-1.1.1-evp-kdf.patch
42 Patch50: openssl-1.1.1-ssh-kdf.patch
# No patches are currently listed under the following heading.
43 # Backported fixes including security fixes
44
# Patch300/301 are declared but no matching apply line appears in prep.
45 # MIPS and ARM support
46 Patch300: openssl-1.0.2a-mips.patch
47 Patch301: openssl-1.0.2a-arm.patch
48
49 #
50 # Security patches
51 # Patches 1000 -> ...
52 #
# NOTE(review): Patch1000 is declared here but its apply line in prep is
# commented out, so the fix is shipped in the source package without being
# applied. Presumably the packaged upstream release already contains it -
# confirm against the upstream changelog, then drop the stale entry so the
# spec does not suggest a backport that is not in effect.
53 Patch1000: openssl-1.1.0-CVE-2021-23840.patch
54
# The command-line package is pinned to the exact library build of the same
# version-release, so tool and library cannot drift apart on update.
55 Requires: %{libname} = %{version}-%{release}
56 Requires: rootcerts
57 %if %with_krb5
58 BuildRequires: krb5-devel
59 %endif
60 BuildRequires: multiarch-utils >= 1.0.3
# chrpath is used in the install section to strip the rpath from the binary.
61 BuildRequires: chrpath
62 BuildRequires: pkgconfig(zlib)
63 BuildRequires: pkgconfig(libsctp)
64 # (tv) for test suite:
65 BuildRequires: bc
66
67 %description
68 The openssl certificate management tool and the shared libraries that provide
69 various encryption and decryption algorithms and protocols, including DES, RC4,
70 RSA and SSL.
71
72 %package -n %{libname}
73 Summary: Secure Sockets Layer communications libs
74 Group: System/Libraries
75 Requires: crypto-policies
76 Provides: %{libname} = %{version}-%{release}
77
78 %description -n %{libname}
79 The libraries files are needed for various cryptographic algorithms
80 and protocols, including DES, RC4, RSA and SSL.
81
82 %package -n %{develname}
83 Summary: Secure Sockets Layer communications libs & headers & utils
84 Group: Development/Other
85 Requires: %{libname} = %{version}-%{release}
86 Provides: libopenssl-devel
87 Provides: %{name}-devel = %{version}-%{release}
88 Obsoletes: %{mklibname openssl 1.0.0}-devel
89
90 %description -n %{develname}
91 The libraries and include files needed to compile apps with support
92 for various cryptographic algorithms and protocols, including DES, RC4, RSA
93 and SSL.
94
95 %package -n %{staticname}
96 Summary: Secure Sockets Layer communications static libs
97 Group: Development/Other
98 Requires: %{develname} = %{version}-%{release}
99 Provides: libopenssl-static-devel
100 Provides: %{name}-static-devel = %{version}-%{release}
101 Obsoletes: %{mklibname openssl 1.0.0}-static-devel
102
103 %description -n %{staticname}
104 The static libraries needed to compile apps with support for various
105 cryptographic algorithms and protocols, including DES, RC4, RSA and SSL.
106
107 %package perl
108 Summary: Perl scripts provided with OpenSSL
109 Group: System/Libraries
110 Requires: %{name}%{?_isa} = %{version}-%{release}
111 Conflicts: %name <= 1.0.2h-1.mga6
112
113 %description perl
114 OpenSSL is a toolkit for supporting cryptography. The openssl-perl
115 package provides Perl scripts for converting certificates and keys
116 from other formats to the formats used by the OpenSSL toolkit.
117
118 %prep
# Unpack the upstream tarball, copy in the two distribution-supplied EC source
# files, then apply the patch series in order.
# NOTE(review): nothing in this section checks the tarball against the
# detached signature declared as Source1 in the preamble.
119 %setup -q
120
# Source12 (ec_curve.c) and Source13 (ectest.c) are copied into the tree before
# patching; presumably they replace the upstream files of the same name so that
# the curve list matches the ec-curves / no-brainpool patches - confirm.
121 cp %{SOURCE12} crypto/ec/
122 cp %{SOURCE13} test/
123
# -p1 strips the leading path component; -b SUFFIX keeps a backup copy of each
# patched file under that suffix.
124 %patch1 -p1 -b .build
125 %patch2 -p1 -b .default
126 %patch3 -p1 -b .no-html
127 %patch4 -p1 -b .man-rename
128
129 %patch21 -p1 -b .issuer-hash
130
# patch31 (conf-paths) is reverted again in the check section before the test
# suite runs.
131 %patch31 -p1 -b .ca-dir
132 %patch32 -p1 -b .version-add-engines
133 %patch33 -p1 -b .dgst
134 %patch36 -p1 -b .no-brainpool
135 %patch37 -p1 -b .curves
136 %patch38 -p1 -b .no-weak-verify
137 %patch40 -p1 -b .disable-ssl3
138 %patch41 -p1 -b .system-cipherlist
139 %patch45 -p1 -b .weak-ciphers
140 %patch46 -p1 -b .seclevel
# NOTE(review): the backup suffix below looks truncated (".ts-sha256-defaul");
# it only affects the name of the backup files, not what is applied.
141 %patch47 -p1 -b .ts-sha256-defaul
142 %patch49 -p1 -b .evp-kdf
143 %patch50 -p1 -b .ssh-kdf
144
# The CVE-2021-23840 patch (Patch1000) is deliberately not applied: the leading
# percent sign is removed so the macro is inert. NOTE(review): presumably the
# packaged upstream release already carries the fix - confirm, and remove the
# Patch1000 declaration if so.
145 #patch1000 -p1
146
147 #perl -pi -e "s,^(OPENSSL_LIBNAME=).+$,\1%{_lib}," Makefile.org engines/Makefile
148
149 %build
# Select the OpenSSL Configure target and per-architecture options, extend the
# compiler flags, configure the tree and build everything.
150 %serverbuild
151
152 # Figure out which flags we want to use.
153 # default
154 sslarch=%{_os}-%{_target_cpu}
155 %ifarch %ix86
156 sslarch=linux-elf
# For 32-bit x86 targets other than i586/i686, build without assembler and for
# plain 386.
# NOTE(review): the grep pattern is unquoted, so the shell would glob-expand
# i[56]86 if a file named i586 or i686 existed in the build directory; quoting
# the pattern avoids that.
157 if ! echo %{_target} | grep -q i[56]86 ; then
158 sslflags="no-asm 386"
159 fi
160 %endif
161 %ifarch x86_64
162 sslflags=enable-ec_nistp_64_gcc_128
163 %endif
164 %ifarch %{arm}
165 sslarch=linux-armv4
166 %endif
167
168 # Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
169 # marked as not requiring an executable stack.
170 # Also add -DPURIFY to make using valgrind with openssl easier as we do not
171 # want to depend on the uninitialized memory as a source of entropy anyway.
172 RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS"
173
174 # ia64, x86_64, ppc, ppc64 are OK by default
175 # Configure the build tree. Override OpenSSL defaults with known-good defaults
176 # usable on all platforms. The Configure script already knows to use -fPIC and
177 # RPM_OPT_FLAGS, so we can skip specifying them here.
# NOTE(review): the option list below compiles in SSLv3 (enable-ssl3,
# enable-ssl3-method), weak SSL ciphers (enable-weak-ssl-ciphers), MD2 and RC5.
# Whether any of these is usable at runtime depends on the disable-ssl3,
# weak-ciphers and seclevel patches and on the crypto-policies file passed via
# --system-ciphers-file, none of whose contents are visible in this spec.
# Confirm the effective defaults on an installed system before assuming the
# legacy protocols and ciphers are off.
# no-mdc2, no-ec2m, no-sm2 and no-sm4 leave those algorithms out of the build.
# The DEVRANDOM define sets the compiled-in random device to /dev/urandom.
178 ./Configure \
179 --prefix=%{_prefix} \
180 --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
181 --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
182 %if %with_krb5
183 --with-krb5-flavor=MIT --with-krb5-dir=%{_prefix} \
184 %endif
185 zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
186 enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \
187 enable-weak-ssl-ciphers \
188 no-mdc2 no-ec2m no-sm2 no-sm4 \
189 shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'
190
# Presumably regenerates the exported-symbol definitions after the patches and
# replaced EC sources changed the API surface - confirm.
191 util/mkdef.pl crypto update
192
193 make all
194
195 %check
# Run the upstream test suite against the freshly built libraries; skipped
# entirely on 32-bit x86. rpmbuild executes this section after the install
# section, whatever its position in the spec file.
196 %ifnarch %ix86
197
# NOTE(review): the two sysctl calls change SCTP settings of the build host's
# kernel, need privilege to succeed, and are not restored afterwards. When they
# fail, the fallback adds an "sctp" entry after the "zlib-dynamic" line of
# configdata.pm (presumably the table of disabled features - confirm), and
# touch -r copies the old timestamp onto the edited file, presumably so that
# make does not treat the configuration as changed. The SCTP code is then
# shipped without its tests having run on that builder.
198 (sysctl net.sctp.addip_enable=1 && sysctl net.sctp.auth_enable=1) || \
199 (echo 'Failed to enable SCTP AUTH chunks, disabling SCTP for tests...' &&
200 sed '/"zlib-dynamic" => "default",/a\ \ "sctp" => "default",' configdata.pm > configdata.pm.new && \
201 touch -r configdata.pm configdata.pm.new && \
202 mv -f configdata.pm.new configdata.pm)
203
204 # We must revert patch31 before tests otherwise they will fail
# NOTE(review): the tests therefore exercise a tree that differs from the
# shipped one by the conf-paths patch.
205 patch -p1 -R < %{PATCH31}
206
# Put the build directory first on the library search path so the tests load
# the libraries just built rather than any installed on the host.
207 export LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
# Both variables below are presumably read by the distribution patches
# (no-weak-verify and system-cipherlist): the first is exported empty, the
# second points at a file name that is meant not to exist, presumably so the
# tests do not depend on the host's crypto-policies - confirm in the patches.
208 export OPENSSL_ENABLE_MD5_VERIFY=
209 export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
210
211 make test
212 %endif
213
214 %install
# Install the build into the build root, add the distribution helper scripts
# and directory skeleton, and fix up paths in the installed files.
215 %make_install
216
217 # make the rootcerts dir
218 install -d %{buildroot}%{_sysconfdir}/pki/tls/rootcerts
219
220 # Install a makefile for generating keys and self-signed certs, and a script
221 # for generating them on the fly.
222 mkdir -p %{buildroot}%{_sysconfdir}/pki/tls/certs
223 install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pki/tls/certs/Makefile
224 install -m 755 %{SOURCE6} %{buildroot}%{_bindir}/make-dummy-cert
225 install -m 755 %{SOURCE7} %{buildroot}%{_bindir}/renew-dummy-cert
226
227 # Move runnable perl scripts to bindir
228 mv %{buildroot}%{_sysconfdir}/pki/tls/misc/*.pl %{buildroot}%{_bindir}
229 mv %{buildroot}%{_sysconfdir}/pki/tls/misc/tsget %{buildroot}%{_bindir}
230
# Directory skeleton for a local CA.
# NOTE(review): all five directories, including CA/private, are created with
# install's default directory mode (no -m given) and the files list applies no
# attr override, so protection of any private key placed there depends on the
# key file's own permissions - confirm that is the intended policy.
231 install -d %{buildroot}%{_sysconfdir}/pki/CA
232 install -d %{buildroot}%{_sysconfdir}/pki/CA/private
233 install -d %{buildroot}%{_sysconfdir}/pki/CA/certs
234 install -d %{buildroot}%{_sysconfdir}/pki/CA/crl
235 install -d %{buildroot}%{_sysconfdir}/pki/CA/newcerts
236
# Drop the .dist copies of the config files from the build root.
237 rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist
238 rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
239
240 # fix man pages conflicts with other packages
241 for i in passwd rand ; do
242 mv %{buildroot}%{_mandir}/man1/$i.1 %{buildroot}%{_mandir}/man1/ssl-$i.1
243 done
244
245 %multiarch_includes %{buildroot}%{_includedir}/openssl/opensslconf.h
246
# Removing the rpath keeps the installed binary from searching library
# directories recorded at build time.
247 # nuke rpath
248 chrpath -d %{buildroot}%{_bindir}/openssl
249
250 # Fix libdir.
251 for i in %{buildroot}%{_libdir}/pkgconfig/*.pc; do
252 sed -i 's,^libdir=${exec_prefix}/lib$,libdir=${exec_prefix}/%{_lib},g' $i
253 done
254
# Point CATOP in CA.pl and the ./demoCA references in openssl.cnf at the
# pki/tls directory.
# NOTE(review): the CA directory tree created above lives under pki/CA, while
# both substitutions point at pki/tls - confirm the mismatch is intended.
255 # adjust ssldir
256 perl -pi -e "s|^\\\$CATOP\=\".*|\\\$CATOP\=\"%{_sysconfdir}/pki/tls\";|g" %{buildroot}%{_bindir}/CA.pl
257 perl -pi -e "s|\./demoCA|%{_sysconfdir}/pki/tls|g" %{buildroot}%{_sysconfdir}/pki/tls/openssl.cnf
258
259 %files
# File lists: main package (command-line tool, configuration, man pages),
# shared library, development files, static libraries, and the perl helper
# scripts.
260 %doc FAQ INSTALL LICENSE NEWS README*
261 %dir %{_sysconfdir}/pki
262 %dir %{_sysconfdir}/pki/tls
263 %dir %{_sysconfdir}/pki/tls/certs
264 %dir %{_sysconfdir}/pki/tls/misc
# NOTE(review): the private directory is listed without an attr override, so it
# is packaged with whatever mode the install step left in the build root -
# confirm that mode is appropriate for a directory meant to hold private keys.
265 %dir %{_sysconfdir}/pki/tls/private
266 %dir %{_sysconfdir}/pki/tls/rootcerts
# noreplace: a locally modified configuration file is kept on package update.
267 %config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
268 %config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf
269 %{_sysconfdir}/pki/tls/certs/Makefile
270 %{_bindir}/make-dummy-cert
271 %{_bindir}/renew-dummy-cert
272 %{_bindir}/openssl
273 %{_mandir}/man[157]/*
# The excluded man pages belong to the perl subpackage listed further down.
274 %exclude %{_mandir}/man1*/*rehash*
275 %exclude %{_mandir}/man1*/*.pl*
276 %exclude %{_mandir}/man1*/*tsget*
277
278 %files -n %{libname}
279 %doc FAQ LICENSE NEWS README*
280 %{_libdir}/lib*.so.%{maj}
281 %{_libdir}/engines-%{maj}
282
283 %files -n %{develname}
284 %doc CHANGES doc/*
285 %dir %{_includedir}/openssl
286 %multiarch %{multiarch_includedir}/openssl/opensslconf.h
287 %{_includedir}/openssl
288 %{_libdir}/lib*.so
289 %{_mandir}/man3/*
290 %{_libdir}/pkgconfig/*.pc
291
292 %files -n %{staticname}
293 %{_libdir}/lib*.a
294
295 %files perl
296 %{_bindir}/c_rehash
297 %{_bindir}/*.pl
298 %{_bindir}/tsget
299 %{_mandir}/man1*/*rehash*
300 %{_mandir}/man1*/*.pl*
301 %{_mandir}/man1*/*tsget*
# NOTE(review): as with pki/tls/private above, CA/private carries no attr
# override; its mode comes from the plain install -d call in the install
# section.
302 %dir %{_sysconfdir}/pki/CA
303 %dir %{_sysconfdir}/pki/CA/private
304 %dir %{_sysconfdir}/pki/CA/certs
305 %dir %{_sysconfdir}/pki/CA/crl
306 %dir %{_sysconfdir}/pki/CA/newcerts
