Sophie

openssl-1.0.1e-1.11.mga3.src.rpm

%define maj 1.0.0
%define engines_name %mklibname openssl-engines %{maj}
%define libname %mklibname openssl %{maj}
%define develname %mklibname openssl -d
%define staticname %mklibname openssl -s -d

%define conflict1 %mklibname openssl 0.9.7
%define conflict2 %mklibname openssl 0.9.8

# Number of threads to spawn when testing some threading fixes.
%define thread_test_threads %{?threads:%{threads}}%{!?threads:1}

%define with_krb5 1

Summary:	Secure Sockets Layer communications libs & utils
Name:		openssl
Version:	1.0.1e
%define subrel	11
Release:	%mkrel 1
License:	BSD-like
Group:		System/Libraries
URL:		http://www.openssl.org/
Source0:	http://www.openssl.org/source/%{name}-%{version}.tar.gz
Source1:	http://www.openssl.org/source/%{name}-%{version}.tar.gz.asc
Source2:	Makefile.certificate
Source3:	make-dummy-cert
Source4:	openssl-thread-test.c
# (gb) 0.9.7b-4mdk: Handle RPM_OPT_FLAGS in Configure
Patch2:		openssl-1.0.1c-optflags.patch
# (oe) support Brazilian Government OTHERNAME X509v3 field (#14158)
# http://www.iti.gov.br/resolucoes/RESOLU__O_13_DE_26_04_2002.PDF
Patch6:		openssl-0.9.8-beta6-icpbrasil.diff
# http://qa.mandriva.com/show_bug.cgi?id=32621
Patch15:	openssl-0.9.8e-crt.patch
Patch5:		openssl-1.0.1g-use-after-free.patch
# upstream patches
Patch8:		openssl.git-147dbb2fe3bead7a10e2f280261b661ce7af7adc.patch
Patch9:		openssl-1.0.1e-cve-2013-4353.patch
Patch10:	openssl-1.0.1e-cve-2013-6450.patch
Patch11:	openssl-1.0.0l-CVE-2014-0076.patch
Patch12:	openssl-1.0.1f-CVE-2014-0160.patch
Patch19:	openssl-1.0.1e-extension-checking-fixes.patch

# fedora patches
Patch7:		openssl-1.0.0f-defaults.patch
Patch13:	openssl-0.9.6-x509.patch
Patch14:	openssl-0.9.8j-version-add-engines.patch
Patch16:	openssl-1.0.0-beta5-enginesdir.patch
Patch17:	openssl-1.0.1-pkgconfig-krb5.patch
Patch18:	openssl-1.0.1e-cve-2013-6449.patch
Patch20:	openssl-1.0.1e-cve-2014-0195.patch
Patch21:	openssl-1.0.1e-cve-2014-0198.patch
Patch22:	openssl-1.0.1e-cve-2014-0221.patch
Patch23:	openssl-1.0.1e-cve-2014-0224.patch
Patch24:	openssl-1.0.1e-cve-2014-3470.patch
Patch25:	openssl-1.0.1e-cve-2014-3567.patch
Patch26:	openssl-1.0.1e-cve-2014-3513.patch
Patch27:	openssl-1.0.1e-fallback-scsv.patch

# patches from upstream via debian to fix security issues fixed in 1.0.1i
# https://www.openssl.org/news/secadv_20140806.txt
Patch100:	Avoid-double-free-when-processing-DTLS-packets.patch
Patch101:	Added-comment-for-the-frag-reassembly-NULL-case-as-p.patch
Patch102:	Fix-DTLS-handshake-message-size-checks.patch
Patch103:	Fix-memory-leak-from-zero-length-DTLS-fragments.patch
Patch104:	Fix-return-code-for-truncated-DTLS-fragment.patch
Patch105:	Applying-same-fix-as-in-dtls1_process_out_of_seq_mes.patch
Patch106:	Remove-some-duplicate-DTLS-code.patch
Patch107:	Fix-protocol-downgrade-bug-in-case-of-fragmented-pac.patch
Patch108:	Fix-DTLS-anonymous-EC-DH-denial-of-service.patch
Patch109:	Fix-OID-handling.patch
Patch110:	Fix-race-condition-in-ssl_parse_serverhello_tlsext.patch
Patch111:	SRP-ciphersuite-correction.patch
Patch112:	Fix-SRP-ciphersuite-DoS-vulnerability.patch
Patch113:	Fix-SRP-buffer-overrun-vulnerability.patch
Patch114:	Check-SRP-parameters-early.patch

# MIPS and ARM support
Patch300:	openssl-1.0.1c-mips.patch
Patch301:	openssl-1.0.1c-arm.patch
Requires:	%{libname} = %{version}-%{release}
Requires:	perl-base
Requires:	rootcerts
%if %with_krb5
BuildRequires: krb5-devel
%endif
BuildRequires:	multiarch-utils >= 1.0.3
BuildRequires:	chrpath
BuildRequires:	zlib-devel
# (tv) for test suite:
BuildRequires:	bc

%description
The openssl certificate management tool and the shared libraries that provide
various encryption and decryption algorithms and protocols, including DES, RC4,
RSA and SSL.

%package -n	%{engines_name}
Summary:	Engines for openssl
Group:		System/Libraries
Obsoletes:	openssl-engines < 1.0.0a-5
Provides:	openssl-engines = %{version}-%{release}

%description -n	%{engines_name}
This package provides engines for openssl.

%package -n	%{libname}
Summary:	Secure Sockets Layer communications libs
Group:		System/Libraries
Requires:	%{engines_name} >= %{version}-%{release}
Provides:	%{libname} = %{version}-%{release}

%description -n	%{libname}
The libraries files are needed for various cryptographic algorithms
and protocols, including DES, RC4, RSA and SSL.

%package -n	%{develname}
Summary:	Secure Sockets Layer communications libs & headers & utils
Group:		Development/Other
Requires:	%{libname} = %{version}-%{release}
Provides:	libopenssl-devel
Provides:	openssl-devel = %{version}-%{release}
Obsoletes:	openssl-devel
# temporary obsolete, will be a conflict later. a compat package
# with openssl-0.9.7 devel libs will be provided soon
Obsoletes:	%{conflict1}-devel
Obsoletes:	%{conflict2}-devel
Obsoletes:	%{mklibname openssl 1.0.0}-devel
Provides:	%{name}-devel = %{version}-%{release}

%description -n	%{develname}
The libraries and include files needed to compile apps with support
for various cryptographic algorithms and protocols, including DES, RC4, RSA
and SSL.

%package -n	%{staticname}
Summary:	Secure Sockets Layer communications static libs
Group:		Development/Other
Requires:	%{develname} = %{version}-%{release}
Provides:	libopenssl-static-devel
Provides:	openssl-static-devel = %{version}-%{release}
# temporary obsolete, will be a conflict later. a compat package
# with openssl-0.9.7 static-devel libs will be provided soon
Obsoletes:	%{conflict1}-static-devel
Obsoletes:	%{conflict2}-static-devel
Obsoletes:	%{mklibname openssl 1.0.0}-static-devel
Provides:	%{name}-static-devel = %{version}-%{release}

%description -n	%{staticname}
The static libraries needed to compile apps with support for various
cryptographic algorithms and protocols, including DES, RC4, RSA and SSL.

%prep

%setup -q -n %{name}-%{version}
%patch2 -p1 -b .optflags
%patch6 -p0 -b .icpbrasil
%patch7 -p1 -b .defaults
%patch8 -p1 -b .SSL_get_certificate
%patch13 -p1 -b .x509
%patch14 -p1 -b .version-add-engines
%patch15 -p1 -b .crt
%patch16 -p1 -b .engines
%patch17 -p1 -b .krb5
%patch18 -p1 -b .hash-crash
%patch9 -p1 -b .cve-2013-4353
%patch10 -p1 -b .cve-2013-6450
%patch11 -p1 -b .CVE-2014-0076
%patch12 -p1 -b .CVE-2014-0160
%patch5 -p3 -b .CVE-2010-5298
%patch19 -p1 -b .extension-checking-fixes
%patch20 -p1 -b .cve-2014-0195
%patch21 -p1 -b .cve-2014-0198
%patch22 -p1 -b .cve-2014-0221
%patch23 -p1 -b .cve-2014-0224
%patch24 -p1 -b .cve-2014-3470
%patch25 -p1 -b .cve-2014-3567
%patch26 -p1 -b .cve-2014-3513
%patch27 -p1 -b .fallback-scsv

%patch100 -p1
%patch101 -p1
%patch102 -p1
%patch103 -p1
%patch104 -p1
%patch105 -p1
%patch106 -p1
%patch107 -p1
%patch108 -p1
%patch109 -p1
%patch110 -p1
%patch111 -p1
%patch112 -p1
%patch113 -p1
%patch114 -p1

%patch300 -p1 -b .mips
%patch301 -p1 -b .arm

perl -pi -e "s,^(OPENSSL_LIBNAME=).+$,\1%{_lib}," Makefile.org engines/Makefile

cp %{SOURCE2} Makefile.certificate
cp %{SOURCE3} make-dummy-cert
cp %{SOURCE4} openssl-thread-test.c

%build 
%serverbuild

# Figure out which flags we want to use.
# default
sslarch=%{_os}-%{_arch}
%ifarch %ix86
sslarch=linux-elf
if ! echo %{_target} | grep -q 'i[56]86' ; then
    sslflags="no-asm"
fi
%endif
%ifarch sparcv9
sslarch=linux-sparcv9
%endif
%ifarch alpha
sslarch=linux-alpha-gcc
%endif
%ifarch s390
sslarch="linux-generic32 -DB_ENDIAN -DNO_ASM"
%endif
%ifarch s390x
sslarch="linux-generic64 -DB_ENDIAN -DNO_ASM"
%endif

# ia64, x86_64, ppc, ppc64 are OK by default
# Configure the build tree.  Override OpenSSL defaults with known-good defaults
# usable on all platforms.  The Configure script already knows to use -fPIC and
# RPM_OPT_FLAGS, so we can skip specifying them here.
./Configure \
    --prefix=%{_prefix} \
    --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
    --libdir=%{_lib}/ \
%if %with_krb5
    --with-krb5-flavor=MIT --with-krb5-dir=%{_prefix} \
%endif
    --enginesdir=%{_libdir}/openssl/%{version}/engines \
     zlib no-idea no-rc5 enable-camellia shared enable-tlsext ${sslarch}

# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
# marked as not requiring an executable stack.
RPM_OPT_FLAGS="%{optflags} -Wa,--noexecstack"
make depend
make all build-shared

# Generate hashes for the included certs.
make rehash build-shared

%check
# Verify that what was compiled actually works.
export LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}

make -C test apps tests

gcc -o openssl-thread-test \
    %{?_with_krb5:`krb5-config --cflags`} \
    -I./include \
    %{optflags} \
    openssl-thread-test.c \
    -L. -lssl -lcrypto \
    %{?_with_krb5:`krb5-config --libs`} \
    -lpthread -lz -ldl

./openssl-thread-test --threads %{thread_test_threads}

%install
rm -fr %{buildroot}

%makeinstall \
    INSTALL_PREFIX=%{buildroot} \
    MANDIR=%{_mandir} \
    build-shared

install -d -m 755 %{buildroot}%{_libdir}/openssl/%{version}
mv %{buildroot}%{_libdir}/engines %{buildroot}%{_libdir}/openssl/%{version}

# make the rootcerts dir
install -d %{buildroot}%{_sysconfdir}/pki/tls/rootcerts

# Install a makefile for generating keys and self-signed certs, and a script
# for generating them on the fly.
install -d %{buildroot}%{_sysconfdir}/pki/tls/certs
install -m0644 Makefile.certificate %{buildroot}%{_sysconfdir}/pki/tls/certs/Makefile
install -m0755 make-dummy-cert %{buildroot}%{_sysconfdir}/pki/tls/certs/make-dummy-cert

# Pick a CA script.
mv %{buildroot}%{_sysconfdir}/pki/tls/misc/CA.sh %{buildroot}%{_sysconfdir}/pki/tls/misc/CA

install -d %{buildroot}%{_sysconfdir}/pki/CA
install -d %{buildroot}%{_sysconfdir}/pki/CA/private

# openssl was named ssleay in "ancient" times.
ln -snf openssl %{buildroot}%{_bindir}/ssleay

# The man pages rand.3 and passwd.1 conflict with other packages
# Rename them to ssl-* and also make a symlink from openssl-* to ssl-*
mv %{buildroot}%{_mandir}/man1/passwd.1 %{buildroot}%{_mandir}/man1/ssl-passwd.1
ln -sf ssl-passwd.1%{_extension} %{buildroot}%{_mandir}/man1/openssl-passwd.1%{_extension}

for i in rand err; do
    mv %{buildroot}%{_mandir}/man3/$i.3 %{buildroot}%{_mandir}/man3/ssl-$i.3
    ln -snf ssl-$i.3%{_extension} %{buildroot}%{_mandir}/man3/openssl-$i.3%{_extension}
done

rm -rf {main,devel}-doc-info
mkdir -p {main,devel}-doc-info
cat > main-doc-info/README.mga <<EOF
Warning:
The man page of passwd, passwd.1, has been renamed to ssl-passwd.1
to avoid a conflict with passwd.1 man page from the package passwd.
EOF

cat > devel-doc-info/README.mga <<EOF
Warning:
The man page of rand, rand.3, has been renamed to ssl-rand.3
to avoid a conflict with rand.3 from the package man-pages
The man page of err, err.3, has been renamed to ssl-err.3
to avoid a conflict with err.3 from the package man-pages
EOF

chmod 755 %{buildroot}%{_libdir}/pkgconfig

%multiarch_includes %{buildroot}%{_includedir}/openssl/opensslconf.h

# strip cannot touch these unless 755
chmod 755 %{buildroot}%{_libdir}/openssl/%{version}/engines/*.so*
chmod 755 %{buildroot}%{_libdir}/*.so*
chmod 755 %{buildroot}%{_bindir}/*

# nuke a mistake
rm -f %{buildroot}%{_mandir}/man3/.3

# nuke rpath
chrpath -d %{buildroot}%{_bindir}/openssl

# Fix libdir.
pushd %{buildroot}%{_libdir}/pkgconfig
    for i in *.pc ; do
	sed 's,^libdir=${exec_prefix}/lib$,libdir=${exec_prefix}/%{_lib},g' \
	    $i >$i.tmp && \
	    cat $i.tmp >$i && \
	    rm -f $i.tmp
    done
popd

# adjust ssldir
perl -pi -e "s|^CATOP=.*|CATOP=%{_sysconfdir}/pki/tls|g" %{buildroot}%{_sysconfdir}/pki/tls/misc/CA
perl -pi -e "s|^\\\$CATOP\=\".*|\\\$CATOP\=\"%{_sysconfdir}/pki/tls\";|g" %{buildroot}%{_sysconfdir}/pki/tls/misc/CA.pl
perl -pi -e "s|\./demoCA|%{_sysconfdir}/pki/tls|g" %{buildroot}%{_sysconfdir}/pki/tls/openssl.cnf

%files 
%doc FAQ INSTALL LICENSE NEWS PROBLEMS main-doc-info/README*
%doc README README.ASN1 README.ENGINE
%dir %{_sysconfdir}/pki
%dir %{_sysconfdir}/pki/CA
%dir %{_sysconfdir}/pki/CA/private
%dir %{_sysconfdir}/pki/tls
%dir %{_sysconfdir}/pki/tls/certs
%dir %{_sysconfdir}/pki/tls/misc
%dir %{_sysconfdir}/pki/tls/private
%dir %{_sysconfdir}/pki/tls/rootcerts
%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
%{_sysconfdir}/pki/tls/certs/make-dummy-cert
%{_sysconfdir}/pki/tls/certs/Makefile
%{_sysconfdir}/pki/tls/misc/*
%{_bindir}/*
%{_mandir}/man[157]/*

%files -n %{libname}
%doc FAQ INSTALL LICENSE NEWS PROBLEMS README*
%{_libdir}/lib*.so.%{maj}

%files -n %{engines_name}
%{_libdir}/openssl

%files -n %{develname}
%doc CHANGES doc/* devel-doc-info/README*
%dir %{_includedir}/openssl
%multiarch %{multiarch_includedir}/openssl/opensslconf.h
%{_includedir}/openssl/*
%{_libdir}/lib*.so
%{_mandir}/man3/*
%{_libdir}/pkgconfig/*

%files -n %{staticname}
%{_libdir}/lib*.a


%changelog
* Thu Oct 16 2014 luigiwalser <luigiwalser> 1.0.1e-1.11.mga3
+ Revision: 767446
- add patches from rhel to fix CVE-2014-3513 and CVE-2014-3567
- rediff patch from rhel to add scsv (mitigate CVE-2014-3566)
- update patch 112 to cope with scsv changes
- add patches from debian to fix security issues fixed in 1.0.1h (mga#13874)
- add patches from fedora to fix:
  - CVE-2014-0195
  - CVE-2014-0221
  - CVE-2014-0224
  - CVE-2014-3470
- update CVE-2014-0198 patch from fedora
- rediff patch from openbsd to fix CVE-2014-0198
- add patch from debian to fix checking critical flag in TSA cert extensions
- add patch from openbsd to fix CVE-2010-5298
- add upstream patch to fix CVE-2014-0160
- add patch from upstream via opensuse to fix CVE-2014-0076
- add upstream patches to fix CVE-2013-4353 and CVE-2013-6450
- add patch from fedora to fix CVE-2013-6449

  + guillomovitch <guillomovitch>
    - add upstream patch to fix null pointer issue (mga #11549)

* Mon Feb 11 2013 luigiwalser <luigiwalser> 1.0.1e-1.mga3
+ Revision: 397936
- 1.0.1e
- remove upstreamed patch

* Fri Feb 08 2013 fwang <fwang> 1.0.1d-1.mga3
+ Revision: 395433
- new version 1.0.1d

* Sun Jan 13 2013 umeabot <umeabot> 1.0.1c-8.mga3
+ Revision: 362158
- Mass Rebuild - https://wiki.mageia.org/en/Feature:Mageia3MassRebuild

* Wed Jan 02 2013 guillomovitch <guillomovitch> 1.0.1c-7.mga3
+ Revision: 337612
- re-enable kerberos support

* Wed Jan 02 2013 guillomovitch <guillomovitch> 1.0.1c-6.mga3
+ Revision: 337573
- temporarily disable kerberos support, to be able to build kerberos package without kerberos-devel installed

  + oden <oden>
    - small fixes

* Wed Dec 05 2012 guillomovitch <guillomovitch> 1.0.1c-5.mga3
+ Revision: 327008
- use a versioned subdirectory for engines, so as to avoid a file conflict with multiple versions installed simultaneously (spotted by oden)

* Wed Oct 31 2012 guillomovitch <guillomovitch> 1.0.1c-4.mga3
+ Revision: 311718
- fix engines location

* Tue Oct 30 2012 guillomovitch <guillomovitch> 1.0.1c-3.mga3
+ Revision: 311668
- ships engine in a non-versioned directory, as in fedora

  + fwang <fwang>
    - lock libmajor

* Thu Jun 07 2012 guillomovitch <guillomovitch> 1.0.1c-2.mga3
+ Revision: 257018
- downgrade lib major, it didn't change

* Thu Jun 07 2012 guillomovitch <guillomovitch> 1.0.1c-1.mga3
+ Revision: 256938
- fix krb5 support, and make it mandatory as in fedora
- new version
- drop outdated pkcs11 engine patch

* Fri May 11 2012 luigiwalser <luigiwalser> 1.0.0j-1.mga2
+ Revision: 235378
- 1.0.0j (fixes CVE-2012-2333)

* Thu Apr 19 2012 guillomovitch <guillomovitch> 1.0.0i-1.mga2
+ Revision: 231806
- new version (fix CVE-2012-2110)

* Tue Mar 13 2012 guillomovitch <guillomovitch> 1.0.0h-1.mga2
+ Revision: 223223
- new version

* Thu Jan 19 2012 fwang <fwang> 1.0.0g-1.mga2
+ Revision: 198045
- new version 1.0.0g

* Thu Jan 05 2012 guillomovitch <guillomovitch> 1.0.0f-1.mga2
+ Revision: 191621
- rename distribution-specific README files to README.mga
- spec cleanup
- drop unapplied conditional patch0, this isn't true anymore
- new version

* Mon Dec 19 2011 fwang <fwang> 1.0.0e-2.mga2
+ Revision: 184360
- enable zlib support

* Wed Sep 07 2011 fwang <fwang> 1.0.0e-1.mga2
+ Revision: 140881
- new version 1.0.0e

* Sun May 15 2011 pterjan <pterjan> 1.0.0d-2.mga1
+ Revision: 99024
- Rebuild for fixed find-requires

* Sat Apr 16 2011 pterjan <pterjan> 1.0.0d-1.mga1
+ Revision: 86203
- Update to 1.0.0d

  + rtp <rtp>
    - Fix arm & mips openssl 1.0.0 patches.

* Sat Jan 08 2011 blino <blino> 1.0.0c-2.mga1
+ Revision: 736
- use generic distribution macro
- remove old distro checks
- imported package openssl