Up to 1.1.1t (fixes few SECURITY issues)

[packages/openssl.git] / openssl.spec

diff --git a/openssl.spec b/openssl.spec
index 347483862069cf4fdd856b1abab2a0d8f148f3e9..6c48274985e860f265b368d8589b447ad1c0753f 100644 (file)
--- a/openssl.spec
+++ b/openssl.spec
@@ -2,12 +2,10 @@
 # Conditional build:
 %bcond_without tests   # don't perform "make tests"
 %bcond_without zlib    # zlib: note - enables CVE-2012-4929 vulnerability
-%bcond_without sslv2   # SSLv2: note - many flaws http://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_2.0
-%bcond_without sslv3   # SSLv3: note - enables  CVE-2014-3566 vulnerability
+%bcond_with    sslv2   # SSLv2: note - many flaws http://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_2.0
+%bcond_with    sslv3   # SSLv3: note - enables CVE-2014-3566 vulnerability
 %bcond_with    snap    # use GitHub snapshot to build branch release
 
-%define                rel             0.1
-%include       /usr/lib/rpm/macros.perl
 Summary:       OpenSSL Toolkit libraries for the "Secure Sockets Layer" (SSL v2/v3)
 Summary(de.UTF-8):     Secure Sockets Layer (SSL)-Kommunikationslibrary
 Summary(es.UTF-8):     Biblioteca C que suministra algoritmos y protocolos criptográficos
@@ -17,42 +15,44 @@ Summary(pt_BR.UTF-8):       Uma biblioteca C que fornece vários algoritmos e protocol
 Summary(ru.UTF-8):     Библиотеки и утилиты для соединений через Secure Sockets Layer
 Summary(uk.UTF-8):     Бібліотеки та утиліти для з'єднань через Secure Sockets Layer
 Name:          openssl
-# Version 1.1.0 will be supported until 2018-08-31.
+# Version 1.1.1 is LTS, supported until 2023-09-11.
 # https://www.openssl.org/about/releasestrat.html
-Version:       1.1.0g
+Version:       1.1.1t
 Release:       1
 License:       Apache-like
 Group:         Libraries
 %if %{without snap}
 Source0:       https://www.openssl.org/source/%{name}-%{version}.tar.gz
-# Source0-md5: ba5f1b8b835b88cadbce9b35ed9531a6
+# Source0-md5: 1cfee919e0eac6be62c88c5ae8bcd91e
 %else
-Source1:       https://github.com/openssl/openssl/archive/OpenSSL_1_1_0-stable/%{name}-%{version}-dev.tar.gz
+Source1:       https://github.com/openssl/openssl/archive/OpenSSL_1_1_1-stable/%{name}-%{version}-dev.tar.gz
 %endif
 Source2:       %{name}.1.pl
 Source3:       %{name}-ssl-certificate.sh
 Source4:       %{name}-c_rehash.sh
 Patch1:                %{name}-optflags.patch
+
 Patch3:                %{name}-man-namespace.patch
-Patch4:                %{name}-asflag.patch
 Patch5:                %{name}-ca-certificates.patch
+Patch6:                %{name}-no-win32.patch
 Patch7:                %{name}-find.patch
 Patch8:                pic.patch
-Patch10:       %{name}_fix_for_x32.patch
+
 Patch11:       engines-dir.patch
 URL:           http://www.openssl.org/
+BuildRequires: libsctp-devel
 BuildRequires: perl-devel >= 1:5.10.0
 BuildRequires: pkgconfig
 BuildRequires: rpm-perlprov >= 4.1-13
 BuildRequires: rpmbuild(macros) >= 1.213
 BuildRequires: sed >= 4.0
 BuildRequires: zlib-devel
-Requires:      ca-certificates >= 20120623-1.1
+Requires:      ca-certificates >= 20141019-3
 Requires:      rpm-whiteout >= 1.7
-Obsoletes:     SSLeay
-Obsoletes:     SSLeay-devel
-Obsoletes:     SSLeay-perl
-Obsoletes:     libopenssl0
+Obsoletes:     SSLeay < 0.9.3
+Obsoletes:     SSLeay-devel < 0.9.3
+Obsoletes:     SSLeay-perl < 0.9.3
+Obsoletes:     libopenssl0 < 1
 %if "%{pld_release}" == "ac"
 Conflicts:     neon < 0.26.3-3
 Conflicts:     ntpd < 4.2.4p8-10
@@ -194,7 +194,7 @@ Summary(ru.UTF-8):  Библиотеки, хедеры и утилиты для S
 Summary(uk.UTF-8):     Бібліотеки, хедери та утиліти для Secure Sockets Layer
 Group:         Development/Libraries
 Requires:      %{name} = %{version}-%{release}
-Obsoletes:     libopenssl0-devel
+Obsoletes:     libopenssl0-devel < 1
 
 %description devel
 Development part of OpenSSL library.
@@ -255,19 +255,18 @@ RC4, RSA и SSL. Включает статические библиотеки д
 %prep
 %if %{with snap}
 %setup -qcT -a1
-%{__mv} %{name}-OpenSSL_1_1_0-stable/* .
+%{__mv} %{name}-OpenSSL_1_1_1-stable/* .
 %else
 %setup -q %{?subver:-n %{name}-%{version}-%{subver}}
 %endif
 %patch1 -p1
+
 %patch3 -p1
-%patch4 -p1
 %patch5 -p1
+%patch6 -p1
 %patch7 -p1
 %patch8 -p1
-%ifarch x32
-%patch10 -p1
-%endif
+
 %patch11 -p1
 
 %build
@@ -278,6 +277,7 @@ PERL="%{__perl}" \
        --prefix=%{_prefix} \
        --openssldir=%{_sysconfdir}/%{name} \
        --libdir=%{_lib} \
+       -Wa,--noexecstack \
        shared \
        threads \
        %{?with_sslv2:enable-ssl2}%{!?with_sslv2:no-ssl2} \
@@ -289,6 +289,7 @@ PERL="%{__perl}" \
        enable-mdc2 \
        enable-rc5 \
        enable-rfc3779 \
+       enable-sctp \
        enable-seed \
 %ifarch %{x8664}
        enable-ec_nistp_64_gcc_128 \
@@ -338,18 +339,19 @@ PERL="%{__perl}" \
 v=$(awk -F= '/^VERSION/{print $2}' Makefile)
 test "$v" = %{version}%{?subver:-%{subver}}%{?with_snap:-dev}
 
+# fails with enable-sctp as of 1.1.1
+%{__rm} test/recipes/80-test_ssl_new.t
+
 %{__make} -j1 all %{?with_tests:tests} \
        CC="%{__cc}" \
-       ASFLAG="-Wa,--noexecstack" \
        OPTFLAGS="%{rpmcflags} %{rpmcppflags}" \
        INSTALLTOP=%{_prefix}
 
 # Rename POD sources of man pages. "openssl-" prefix is added to each
 # manpage to avoid potential conflicts with other packages.
-# (libcrypto/libssl function names are not affected)
+# openssl-man-namespace.patch mostly marks these pages with "openssl-" prefix.
 
-%{__perl} -pi -e 's/(\W)((?<!openssl-)\w+)(\([157]\))/$1openssl-$2$3/g; s/openssl-openssl/openssl/g;' {apps,ssl,crypto}/*.pod;
-for podfile in doc/apps/!(CA.pl|openssl*).pod doc/crypto/{bio,crypto,ct,des_modes,evp,x509}.pod  doc/ssl/ssl.pod ; do
+for podfile in $(grep -rl '^openssl-' doc/man*); do
        dir=$(dirname "$podfile")
        base=$(basename "$podfile")
        %{__mv} "$podfile" "$dir/openssl-$base"
@@ -363,8 +365,7 @@ install -d $RPM_BUILD_ROOT{%{_sysconfdir}/%{name},%{_libdir}/%{name}} \
 
 %{__make} -j1 install \
        CC="%{__cc}" \
-       ASFLAG="-Wa,--noexecstack" \
-       DESTDIR=$RPM_BUILD_ROOT \
+       DESTDIR=$RPM_BUILD_ROOT
 
 %{__mv} $RPM_BUILD_ROOT%{_libdir}/lib*.so.*.* $RPM_BUILD_ROOT/%{_lib}
 ln -sf /%{_lib}/$(basename $RPM_BUILD_ROOT/%{_lib}/libcrypto.*.*) $RPM_BUILD_ROOT%{_libdir}/libcrypto.so
@@ -376,9 +377,6 @@ ln -sf /%{_lib}/$(basename $RPM_BUILD_ROOT/%{_lib}/libssl.*.*) $RPM_BUILD_ROOT%{
 # html version of man pages - not packaged
 %{__rm} -r $RPM_BUILD_ROOT%{_docdir}/%{name}/html/man[1357]
 
-# not installed as individual utilities (see openssl dgst instead)
-#%{__rm} $RPM_BUILD_ROOT%{_mandir}/man1/{md4,md5,mdc2,ripemd160,sha,sha1,sha224,sha256,sha384,sha512}.1
-
 cp -p %{SOURCE2} $RPM_BUILD_ROOT%{_mandir}/pl/man1/openssl.1
 install -p %{SOURCE3} $RPM_BUILD_ROOT%{_bindir}/ssl-certificate
 install -p %{SOURCE4} $RPM_BUILD_ROOT%{_bindir}/c_rehash.sh
@@ -417,6 +415,7 @@ fi
 %doc CHANGES LICENSE NEWS README doc/*.txt
 %attr(755,root,root) /%{_lib}/libcrypto.so.*.*
 %attr(755,root,root) /%{_lib}/libssl.so.*.*
+%dir /%{_lib}/engines-1.1
 %dir %{_sysconfdir}/%{name}
 %dir %{_sysconfdir}/%{name}/certs
 %dir %attr(700,root,root) %{_sysconfdir}/%{name}/private
@@ -424,27 +423,17 @@ fi
 
 %files engines
 %defattr(644,root,root,755)
-%dir /%{_lib}/engines-1.1
 %attr(755,root,root) /%{_lib}/engines-1.1/*.so
 
 %files tools
 %defattr(644,root,root,755)
+%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/%{name}/ct_log_list.cnf
 %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/%{name}/openssl.cnf
 %attr(755,root,root) %{_bindir}/c_rehash.sh
 %attr(755,root,root) %{_bindir}/openssl
 %attr(754,root,root) %{_bindir}/ssl-certificate
-
-%dir %{_libdir}/%{name}
-#%attr(755,root,root) %{_libdir}/%{name}/CA.sh
-#%attr(755,root,root) %{_libdir}/%{name}/c_hash
-#%attr(755,root,root) %{_libdir}/%{name}/c_info
-#%attr(755,root,root) %{_libdir}/%{name}/c_issuer
-#%attr(755,root,root) %{_libdir}/%{name}/c_name
-
 %{_mandir}/man1/openssl.1*
 %{_mandir}/man1/openssl-asn1parse.1*
-%{_mandir}/man1/openssl-blake2b.1*
-%{_mandir}/man1/openssl-blake2s.1*
 %{_mandir}/man1/openssl-ca.1*
 %{_mandir}/man1/openssl-ciphers.1*
 %{_mandir}/man1/openssl-cms.1*
@@ -463,9 +452,6 @@ fi
 %{_mandir}/man1/openssl-genpkey.1*
 %{_mandir}/man1/openssl-genrsa.1*
 %{_mandir}/man1/openssl-list.1*
-%{_mandir}/man1/openssl-md4.1*
-%{_mandir}/man1/openssl-md5.1*
-%{_mandir}/man1/openssl-mdc2.1*
 %{_mandir}/man1/openssl-nseq.1*
 %{_mandir}/man1/openssl-ocsp.1*
 %{_mandir}/man1/openssl-passwd.1*
@@ -475,25 +461,21 @@ fi
 %{_mandir}/man1/openssl-pkey.1*
 %{_mandir}/man1/openssl-pkeyparam.1*
 %{_mandir}/man1/openssl-pkeyutl.1*
+%{_mandir}/man1/openssl-prime.1*
 %{_mandir}/man1/openssl-rand.1*
 %{_mandir}/man1/openssl-rehash.1*
 %{_mandir}/man1/openssl-req.1*
-%{_mandir}/man1/openssl-ripemd160.1*
 %{_mandir}/man1/openssl-rsa.1*
 %{_mandir}/man1/openssl-rsautl.1*
 %{_mandir}/man1/openssl-s_client.1*
 %{_mandir}/man1/openssl-s_server.1*
 %{_mandir}/man1/openssl-s_time.1*
 %{_mandir}/man1/openssl-sess_id.1*
-%{_mandir}/man1/openssl-sha.1*
-%{_mandir}/man1/openssl-sha1.1*
-%{_mandir}/man1/openssl-sha224.1*
-%{_mandir}/man1/openssl-sha256.1*
-%{_mandir}/man1/openssl-sha384.1*
-%{_mandir}/man1/openssl-sha512.1*
 %{_mandir}/man1/openssl-smime.1*
 %{_mandir}/man1/openssl-speed.1*
 %{_mandir}/man1/openssl-spkac.1*
+%{_mandir}/man1/openssl-srp.1*
+%{_mandir}/man1/openssl-storeutl.1*
 %{_mandir}/man1/openssl-ts.1*
 %{_mandir}/man1/openssl-tsget.1*
 %{_mandir}/man1/openssl-verify.1*
@@ -506,11 +488,12 @@ fi
 %files tools-perl
 %defattr(644,root,root,755)
 %attr(755,root,root) %{_bindir}/c_rehash
+%dir %{_libdir}/%{name}
 %attr(755,root,root) %{_libdir}/%{name}/CA.pl
 %attr(755,root,root) %{_libdir}/%{name}/tsget
+%attr(755,root,root) %{_libdir}/%{name}/tsget.pl
 %{_mandir}/man1/CA.pl.1*
 %{_mandir}/man1/c_rehash.1*
-%{_mandir}/man1/openssl-c_rehash.1*
 
 %files devel
 %defattr(644,root,root,755)
@@ -521,6 +504,7 @@ fi
 %{_pkgconfigdir}/libssl.pc
 %{_pkgconfigdir}/openssl.pc
 %{_mandir}/man3/ACCESS_DESCRIPTION_*.3*
+%{_mandir}/man3/ADMISSION*.3*
 %{_mandir}/man3/ASId*.3*
 %{_mandir}/man3/ASRange_*.3*
 %{_mandir}/man3/ASN1_*.3*
@@ -568,17 +552,19 @@ fi
 %{_mandir}/man3/IMPLEMENT_*.3*
 %{_mandir}/man3/IPAddress*.3*
 %{_mandir}/man3/ISSUING_DIST_POINT_*.3*
-%{_mandir}/man3/LHASH_*.3*
+%{_mandir}/man3/LHASH*.3*
 %{_mandir}/man3/MD2*.3*
 %{_mandir}/man3/MD4*.3*
 %{_mandir}/man3/MD5*.3*
 %{_mandir}/man3/MDC2*.3*
 %{_mandir}/man3/NAME_CONSTRAINTS_*.3*
+%{_mandir}/man3/NAMING_AUTHORITY*.3*
 %{_mandir}/man3/NETSCAPE_*.3*
 %{_mandir}/man3/NOTICEREF_*.3*
 %{_mandir}/man3/OBJ_*.3*
 %{_mandir}/man3/OCSP_*.3*
 %{_mandir}/man3/OPENSSL_*.3*
+%{_mandir}/man3/OSSL*.3*
 %{_mandir}/man3/OTHERNAME_*.3*
 %{_mandir}/man3/OpenSSL_*.3*
 %{_mandir}/man3/PBE2PARAM_*.3*
@@ -593,6 +579,7 @@ fi
 %{_mandir}/man3/POLICYINFO_*.3*
 %{_mandir}/man3/POLICYQUALINFO_*.3*
 %{_mandir}/man3/POLICY_*.3*
+%{_mandir}/man3/PROFESSION_INFO*.3*
 %{_mandir}/man3/PROXY_*.3*
 %{_mandir}/man3/RAND_*.3*
 %{_mandir}/man3/RC4*.3*
@@ -600,6 +587,7 @@ fi
 %{_mandir}/man3/RSAPrivateKey_*.3*
 %{_mandir}/man3/RSAPublicKey_*.3*
 %{_mandir}/man3/RSA_*.3*
+%{_mandir}/man3/SCRYPT_PARAMS*.3*
 %{_mandir}/man3/SCT_*.3*
 %{_mandir}/man3/SHA1*.3*
 %{_mandir}/man3/SHA224*.3*
@@ -620,7 +608,6 @@ fi
 %{_mandir}/man3/X509_*.3*
 %{_mandir}/man3/X509V3_*.3*
 %{_mandir}/man3/X509v3_*.3*
-%{_mandir}/man3/bio_info_cb.3*
 %{_mandir}/man3/custom_ext_*.3*
 %{_mandir}/man3/d2i_*.3*
 %{_mandir}/man3/i2d_*.3*
@@ -631,13 +618,27 @@ fi
 %{_mandir}/man3/pem_password_cb.3*
 %{_mandir}/man3/sk_TYPE_*.3*
 %{_mandir}/man3/ssl_ct_validation_cb.3*
+%{_mandir}/man7/openssl.7*
 %{_mandir}/man7/openssl-bio.7*
 %{_mandir}/man7/openssl-crypto.7*
 %{_mandir}/man7/openssl-ct.7*
 %{_mandir}/man7/openssl-des_modes.7*
+%{_mandir}/man7/openssl-Ed25519.7*
+%{_mandir}/man7/openssl-Ed448.7*
 %{_mandir}/man7/openssl-evp.7*
+%{_mandir}/man7/openssl-passphrase-encoding.7*
+%{_mandir}/man7/openssl-RAND.7*
+%{_mandir}/man7/openssl-RAND_DRBG.7*
+%{_mandir}/man7/openssl-scrypt.7*
+%{_mandir}/man7/openssl-SM2.7*
 %{_mandir}/man7/openssl-ssl.7*
+%{_mandir}/man7/openssl-X25519.7*
+%{_mandir}/man7/openssl-X448.7*
 %{_mandir}/man7/openssl-x509.7*
+%{_mandir}/man7/ossl_store.7*
+%{_mandir}/man7/ossl_store-file.7*
+%{_mandir}/man7/proxy-certificates.7*
+%{_mandir}/man7/RSA-PSS.7.gz
 
 %files static
 %defattr(644,root,root,755)