%define maj 1.0.0 %define engines_name %mklibname openssl-engines %{maj} %define libname %mklibname openssl %{maj} %define develname %mklibname openssl -d %define staticname %mklibname openssl -s -d %define conflict1 %mklibname openssl 0.9.7 %define conflict2 %mklibname openssl 0.9.8 # Number of threads to spawn when testing some threading fixes. #define thread_test_threads %{?threads:%{threads}}%{!?threads:1} %define with_krb5 1 Summary: Secure Sockets Layer communications libs & utils Name: openssl Version: 1.0.1e %define subrel 11 Release: %mkrel 1 License: BSD-like Group: System/Libraries URL: http://www.openssl.org/ Source0: http://www.openssl.org/source/%{name}-%{version}.tar.gz Source1: http://www.openssl.org/source/%{name}-%{version}.tar.gz.asc Source2: Makefile.certificate Source3: make-dummy-cert Source4: openssl-thread-test.c # (gb) 0.9.7b-4mdk: Handle RPM_OPT_FLAGS in Configure Patch2: openssl-1.0.1c-optflags.patch # (oe) support Brazilian Government OTHERNAME X509v3 field (#14158) # http://www.iti.gov.br/resolucoes/RESOLU__O_13_DE_26_04_2002.PDF Patch6: openssl-0.9.8-beta6-icpbrasil.diff # http://qa.mandriva.com/show_bug.cgi?id=32621 Patch15: openssl-0.9.8e-crt.patch Patch5: openssl-1.0.1g-use-after-free.patch # upstream patches Patch8: openssl.git-147dbb2fe3bead7a10e2f280261b661ce7af7adc.patch Patch9: openssl-1.0.1e-cve-2013-4353.patch Patch10: openssl-1.0.1e-cve-2013-6450.patch Patch11: openssl-1.0.0l-CVE-2014-0076.patch Patch12: openssl-1.0.1f-CVE-2014-0160.patch Patch19: openssl-1.0.1e-extension-checking-fixes.patch # fedora patches Patch7: openssl-1.0.0f-defaults.patch Patch13: openssl-0.9.6-x509.patch Patch14: openssl-0.9.8j-version-add-engines.patch Patch16: openssl-1.0.0-beta5-enginesdir.patch Patch17: openssl-1.0.1-pkgconfig-krb5.patch Patch18: openssl-1.0.1e-cve-2013-6449.patch Patch20: openssl-1.0.1e-cve-2014-0195.patch Patch21: openssl-1.0.1e-cve-2014-0198.patch Patch22: openssl-1.0.1e-cve-2014-0221.patch Patch23: openssl-1.0.1e-cve-2014-0224.patch Patch24: openssl-1.0.1e-cve-2014-3470.patch Patch25: openssl-1.0.1e-cve-2014-3567.patch Patch26: openssl-1.0.1e-cve-2014-3513.patch Patch27: openssl-1.0.1e-fallback-scsv.patch # patches from upstream via debian to fix security issues fixed in 1.0.1i # https://www.openssl.org/news/secadv_20140806.txt Patch100: Avoid-double-free-when-processing-DTLS-packets.patch Patch101: Added-comment-for-the-frag-reassembly-NULL-case-as-p.patch Patch102: Fix-DTLS-handshake-message-size-checks.patch Patch103: Fix-memory-leak-from-zero-length-DTLS-fragments.patch Patch104: Fix-return-code-for-truncated-DTLS-fragment.patch Patch105: Applying-same-fix-as-in-dtls1_process_out_of_seq_mes.patch Patch106: Remove-some-duplicate-DTLS-code.patch Patch107: Fix-protocol-downgrade-bug-in-case-of-fragmented-pac.patch Patch108: Fix-DTLS-anonymous-EC-DH-denial-of-service.patch Patch109: Fix-OID-handling.patch Patch110: Fix-race-condition-in-ssl_parse_serverhello_tlsext.patch Patch111: SRP-ciphersuite-correction.patch Patch112: Fix-SRP-ciphersuite-DoS-vulnerability.patch Patch113: Fix-SRP-buffer-overrun-vulnerability.patch Patch114: Check-SRP-parameters-early.patch # MIPS and ARM support Patch300: openssl-1.0.1c-mips.patch Patch301: openssl-1.0.1c-arm.patch Requires: %{libname} = %{version}-%{release} Requires: perl-base Requires: rootcerts %if %with_krb5 BuildRequires: krb5-devel %endif BuildRequires: multiarch-utils >= 1.0.3 BuildRequires: chrpath BuildRequires: zlib-devel # (tv) for test suite: BuildRequires: bc %description The openssl certificate management tool and the shared libraries that provide various encryption and decription algorithms and protocols, including DES, RC4, RSA and SSL. %package -n %{engines_name} Summary: Engines for openssl Group: System/Libraries Obsoletes: openssl-engines < 1.0.0a-5 Provides: openssl-engines = %{version}-%{release} %description -n %{engines_name} This package provides engines for openssl. %package -n %{libname} Summary: Secure Sockets Layer communications libs Group: System/Libraries Requires: %{engines_name} >= %{version}-%{release} Provides: %{libname} = %{version}-%{release} %description -n %{libname} The libraries files are needed for various cryptographic algorithms and protocols, including DES, RC4, RSA and SSL. %package -n %{develname} Summary: Secure Sockets Layer communications libs & headers & utils Group: Development/Other Requires: %{libname} = %{version}-%{release} Provides: libopenssl-devel Provides: openssl-devel = %{version}-%{release} Obsoletes: openssl-devel # temporary opsolete, will be a conflict later. a compat package # with openssl-0.9.7 devel libs will be provided soon Obsoletes: %{conflict1}-devel Obsoletes: %{conflict2}-devel Obsoletes: %{mklibname openssl 1.0.0}-devel Provides: %{name}-devel = %{version}-%{release} %description -n %{develname} The libraries and include files needed to compile apps with support for various cryptographic algorithms and protocols, including DES, RC4, RSA and SSL. %package -n %{staticname} Summary: Secure Sockets Layer communications static libs Group: Development/Other Requires: %{develname} = %{version}-%{release} Provides: libopenssl-static-devel Provides: openssl-static-devel = %{version}-%{release} # temporary opsolete, will be a conflict later. a compat package # with openssl-0.9.7 static-devel libs will be provided soon Obsoletes: %{conflict1}-static-devel Obsoletes: %{conflict2}-static-devel Obsoletes: %{mklibname openssl 1.0.0}-static-devel Provides: %{name}-static-devel = %{version}-%{release} %description -n %{staticname} The static libraries needed to compile apps with support for various cryptographic algorithms and protocols, including DES, RC4, RSA and SSL. %prep %setup -q -n %{name}-%{version} %patch2 -p1 -b .optflags %patch6 -p0 -b .icpbrasil %patch7 -p1 -b .defaults %patch8 -p1 -b .SSL_get_certificate %patch13 -p1 -b .x509 %patch14 -p1 -b .version-add-engines %patch15 -p1 -b .crt %patch16 -p1 -b .engines %patch17 -p1 -b .krb5 %patch18 -p1 -b .hash-crash %patch9 -p1 -b .cve-2013-4353 %patch10 -p1 -b .cve-2013-6450 %patch11 -p1 -b .CVE-2014-0076 %patch12 -p1 -b .CVE-2014-0160 %patch5 -p3 -b .CVE-2010-5298 %patch19 -p1 -b .extension-checking-fixes %patch20 -p1 -b .cve-2014-0195 %patch21 -p1 -b .cve-2014-0198 %patch22 -p1 -b .cve-2014-0221 %patch23 -p1 -b .cve-2014-0224 %patch24 -p1 -b .cve-2014-3470 %patch25 -p1 -b .cve-2014-3657 %patch26 -p1 -b .cve-2014-3513 %patch27 -p1 -b .fallback-scsv %patch100 -p1 %patch101 -p1 %patch102 -p1 %patch103 -p1 %patch104 -p1 %patch105 -p1 %patch106 -p1 %patch107 -p1 %patch108 -p1 %patch109 -p1 %patch110 -p1 %patch111 -p1 %patch112 -p1 %patch113 -p1 %patch114 -p1 %patch300 -p1 -b .mips %patch301 -p1 -b .arm perl -pi -e "s,^(OPENSSL_LIBNAME=).+$,\1%{_lib}," Makefile.org engines/Makefile cp %{SOURCE2} Makefile.certificate cp %{SOURCE3} make-dummy-cert cp %{SOURCE4} openssl-thread-test.c %build %serverbuild # Figure out which flags we want to use. # default sslarch=%{_os}-%{_arch} %ifarch %ix86 sslarch=linux-elf if ! echo %{_target} | grep -q i[56]86 ; then sslflags="no-asm" fi %endif %ifarch sparcv9 sslarch=linux-sparcv9 %endif %ifarch alpha sslarch=linux-alpha-gcc %endif %ifarch s390 sslarch="linux-generic32 -DB_ENDIAN -DNO_ASM" %endif %ifarch s390x sslarch="linux-generic64 -DB_ENDIAN -DNO_ASM" %endif # ia64, x86_64, ppc, ppc64 are OK by default # Configure the build tree. Override OpenSSL defaults with known-good defaults # usable on all platforms. The Configure script already knows to use -fPIC and # RPM_OPT_FLAGS, so we can skip specifiying them here. ./Configure \ --prefix=%{_prefix} \ --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \ --libdir=%{_lib}/ \ %if %with_krb5 --with-krb5-flavor=MIT --with-krb5-dir=%{_prefix} \ %endif --enginesdir=%{_libdir}/openssl/%{version}/engines \ zlib no-idea no-rc5 enable-camellia shared enable-tlsext ${sslarch} # Add -Wa,--noexecstack here so that libcrypto's assembler modules will be # marked as not requiring an executable stack. RPM_OPT_FLAGS="%{optflags} -Wa,--noexecstack" make depend make all build-shared # Generate hashes for the included certs. make rehash build-shared %check # Verify that what was compiled actually works. export LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}} make -C test apps tests gcc -o openssl-thread-test \ %{?_with_krb5:`krb5-config --cflags`} \ -I./include \ %{optflags} \ openssl-thread-test.c \ -L. -lssl -lcrypto \ %{?_with_krb5:`krb5-config --libs`} \ -lpthread -lz -ldl ./openssl-thread-test --threads %{thread_test_threads} %install rm -fr %{buildroot} %makeinstall \ INSTALL_PREFIX=%{buildroot} \ MANDIR=%{_mandir} \ build-shared install -d -m 755 %{buildroot}%{_libdir}/openssl/%{version} mv %{buildroot}%{_libdir}/engines %{buildroot}%{_libdir}/openssl/%{version} # make the rootcerts dir install -d %{buildroot}%{_sysconfdir}/pki/tls/rootcerts # Install a makefile for generating keys and self-signed certs, and a script # for generating them on the fly. install -d %{buildroot}%{_sysconfdir}/pki/tls/certs install -m0644 Makefile.certificate %{buildroot}%{_sysconfdir}/pki/tls/certs/Makefile install -m0755 make-dummy-cert %{buildroot}%{_sysconfdir}/pki/tls/certs/make-dummy-cert # Pick a CA script. mv %{buildroot}%{_sysconfdir}/pki/tls/misc/CA.sh %{buildroot}%{_sysconfdir}/pki/tls/misc/CA install -d %{buildroot}%{_sysconfdir}/pki/CA install -d %{buildroot}%{_sysconfdir}/pki/CA/private # openssl was named ssleay in "ancient" times. ln -snf openssl %{buildroot}%{_bindir}/ssleay # The man pages rand.3 and passwd.1 conflict with other packages # Rename them to ssl-* and also make a symlink from openssl-* to ssl-* mv %{buildroot}%{_mandir}/man1/passwd.1 %{buildroot}%{_mandir}/man1/ssl-passwd.1 ln -sf ssl-passwd.1%{_extension} %{buildroot}%{_mandir}/man1/openssl-passwd.1%{_extension} for i in rand err; do mv %{buildroot}%{_mandir}/man3/$i.3 %{buildroot}%{_mandir}/man3/ssl-$i.3 ln -snf ssl-$i.3%{_extension} %{buildroot}%{_mandir}/man3/openssl-$i.3%{_extension} done rm -rf {main,devel}-doc-info mkdir -p {main,devel}-doc-info cat > main-doc-info/README.mga <<EOF Warning: The man page of passwd, passwd.1, has been renamed to ssl-passwd.1 to avoid a conflict with passwd.1 man page from the package passwd. EOF cat > devel-doc-info/README.mga <<EOF Warning: The man page of rand, rand.3, has been renamed to ssl-rand.3 to avoid a conflict with rand.3 from the package man-pages The man page of err, err.3, has been renamed to ssl-err.3 to avoid a conflict with err.3 from the package man-pages EOF chmod 755 %{buildroot}%{_libdir}/pkgconfig %multiarch_includes %{buildroot}%{_includedir}/openssl/opensslconf.h # strip cannot touch these unless 755 chmod 755 %{buildroot}%{_libdir}/openssl/%{version}/engines/*.so* chmod 755 %{buildroot}%{_libdir}/*.so* chmod 755 %{buildroot}%{_bindir}/* # nuke a mistake rm -f %{buildroot}%{_mandir}/man3/.3 # nuke rpath chrpath -d %{buildroot}%{_bindir}/openssl # Fix libdir. pushd %{buildroot}%{_libdir}/pkgconfig for i in *.pc ; do sed 's,^libdir=${exec_prefix}/lib$,libdir=${exec_prefix}/%{_lib},g' \ $i >$i.tmp && \ cat $i.tmp >$i && \ rm -f $i.tmp done popd # adjust ssldir perl -pi -e "s|^CATOP=.*|CATOP=%{_sysconfdir}/pki/tls|g" %{buildroot}%{_sysconfdir}/pki/tls/misc/CA perl -pi -e "s|^\\\$CATOP\=\".*|\\\$CATOP\=\"%{_sysconfdir}/pki/tls\";|g" %{buildroot}%{_sysconfdir}/pki/tls/misc/CA.pl perl -pi -e "s|\./demoCA|%{_sysconfdir}/pki/tls|g" %{buildroot}%{_sysconfdir}/pki/tls/openssl.cnf %files %doc FAQ INSTALL LICENSE NEWS PROBLEMS main-doc-info/README* %doc README README.ASN1 README.ENGINE %dir %{_sysconfdir}/pki %dir %{_sysconfdir}/pki/CA %dir %{_sysconfdir}/pki/CA/private %dir %{_sysconfdir}/pki/tls %dir %{_sysconfdir}/pki/tls/certs %dir %{_sysconfdir}/pki/tls/misc %dir %{_sysconfdir}/pki/tls/private %dir %{_sysconfdir}/pki/tls/rootcerts %config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf %{_sysconfdir}/pki/tls/certs/make-dummy-cert %{_sysconfdir}/pki/tls/certs/Makefile %{_sysconfdir}/pki/tls/misc/* %{_bindir}/* %{_mandir}/man[157]/* %files -n %{libname} %doc FAQ INSTALL LICENSE NEWS PROBLEMS README* %{_libdir}/lib*.so.%{maj} %files -n %{engines_name} %{_libdir}/openssl %files -n %{develname} %doc CHANGES doc/* devel-doc-info/README* %dir %{_includedir}/openssl %multiarch %{multiarch_includedir}/openssl/opensslconf.h %{_includedir}/openssl/* %{_libdir}/lib*.so %{_mandir}/man3/* %{_libdir}/pkgconfig/* %files -n %{staticname} %{_libdir}/lib*.a %changelog * Thu Oct 16 2014 luigiwalser <luigiwalser> 1.0.1e-1.11.mga3 + Revision: 767446 - add patches from rhel to fix CVE-2014-3513 and CVE-2014-3567 - rediff patch from rhel to add scsv (mitigate CVE-2014-3566) - update patch 112 to cope with scsv changes - add patches from debian to fix security issues fixed in 1.0.1h (mga#13874) - add patches from fedora to fix: - CVE-2014-0195 - CVE-2014-0221 - CVE-2014-0224 - CVE-2014-3470 - update CVE-2014-0198 patch from fedora - rediff patch from openbsd to fix CVE-2014-0198 - add patch from debian to fix checking critical flag in TSA cert extensions - add patch from openbsd to fix CVE-2010-5298 - add upstream patch to fix CVE-2014-0160 - add patch from upstream via opensuse to fix CVE-2014-0076 - add upstream patches to fix CVE-2013-4353 and CVE-2013-6450 - add patch from fedora to fix CVE-2013-6449 + guillomovitch <guillomovitch> - add upstream patch to fix null pointer issue (mga #11549) * Mon Feb 11 2013 luigiwalser <luigiwalser> 1.0.1e-1.mga3 + Revision: 397936 - 1.0.1e - remove upstreamed patch * Fri Feb 08 2013 fwang <fwang> 1.0.1d-1.mga3 + Revision: 395433 - new version 1.0.1d * Sun Jan 13 2013 umeabot <umeabot> 1.0.1c-8.mga3 + Revision: 362158 - Mass Rebuild - https://wiki.mageia.org/en/Feature:Mageia3MassRebuild * Wed Jan 02 2013 guillomovitch <guillomovitch> 1.0.1c-7.mga3 + Revision: 337612 - re-enable kerberos support * Wed Jan 02 2013 guillomovitch <guillomovitch> 1.0.1c-6.mga3 + Revision: 337573 - temporarily disable kerberos support, to be able to build kerberos package without kerberos-devel installed + oden <oden> - small fixes * Wed Dec 05 2012 guillomovitch <guillomovitch> 1.0.1c-5.mga3 + Revision: 327008 - use a versionned subdirectory for engines, so as to avoid a file conflict with multiple versions installed simultaneously (spotted by oden) * Wed Oct 31 2012 guillomovitch <guillomovitch> 1.0.1c-4.mga3 + Revision: 311718 - fix engines location * Tue Oct 30 2012 guillomovitch <guillomovitch> 1.0.1c-3.mga3 + Revision: 311668 - ships engine in a non-versioned directory, as in fedora + fwang <fwang> - lock libmajor * Thu Jun 07 2012 guillomovitch <guillomovitch> 1.0.1c-2.mga3 + Revision: 257018 - downgrade lib major, it didn't change * Thu Jun 07 2012 guillomovitch <guillomovitch> 1.0.1c-1.mga3 + Revision: 256938 - fix krb5 support, and make it mandatory as in fedora - new version - drop outdated pkcs11 engine patch * Fri May 11 2012 luigiwalser <luigiwalser> 1.0.0j-1.mga2 + Revision: 235378 - 1.0.0j (fixes CVE-2012-2333) * Thu Apr 19 2012 guillomovitch <guillomovitch> 1.0.0i-1.mga2 + Revision: 231806 - new version (fix CVE 2012-2110) * Tue Mar 13 2012 guillomovitch <guillomovitch> 1.0.0h-1.mga2 + Revision: 223223 - new version * Thu Jan 19 2012 fwang <fwang> 1.0.0g-1.mga2 + Revision: 198045 - new version 1.0.0g * Thu Jan 05 2012 guillomovitch <guillomovitch> 1.0.0f-1.mga2 + Revision: 191621 - rename distribution-specific README files to README.mga - spec cleanup - drop unapplied conditional patch0, this isn't true anymore - new version * Mon Dec 19 2011 fwang <fwang> 1.0.0e-2.mga2 + Revision: 184360 - enable zlib support * Wed Sep 07 2011 fwang <fwang> 1.0.0e-1.mga2 + Revision: 140881 - new version 1.0.0e * Sun May 15 2011 pterjan <pterjan> 1.0.0d-2.mga1 + Revision: 99024 - Rebuild for fixed find-requires * Sat Apr 16 2011 pterjan <pterjan> 1.0.0d-1.mga1 + Revision: 86203 - Update to 1.0.0d + rtp <rtp> - Fix arm & mips openssl 1.0.0 patches. * Sat Jan 08 2011 blino <blino> 1.0.0c-2.mga1 + Revision: 736 - use generic distribution macro - remove old distro checks - imported package openssl