+# TODO
+# - consider dropping last optflags.patch hunk and return to SOMAJOR (.so.1) sonames
+# - find a way to simplify (drop) openssl-optflags.patch, it's pain to update here in pld
#
# Conditional build:
%bcond_without tests # don't perform "make tests"
-%bcond_with purify # Compile openssl with \-DPURIFY, useful when one wants to
+%bcond_without zlib # zlib: note - enables CVE-2012-4929 vulnerability
+%bcond_without sslv2 # SSLv2: note - many flaws http://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_2.0
+%bcond_without sslv3 # SSLv3: note - enables CVE-2014-3566 vulnerability
+%bcond_with purify # Compile openssl with "-DPURIFY", useful when one wants to
# use valgrind debugger against openssl-linked programs
-#
+
%include /usr/lib/rpm/macros.perl
Summary: OpenSSL Toolkit libraries for the "Secure Sockets Layer" (SSL v2/v3)
Summary(de.UTF-8): Secure Sockets Layer (SSL)-Kommunikationslibrary
Summary(ru.UTF-8): Библиотеки и утилиты для соединений через Secure Sockets Layer
Summary(uk.UTF-8): Бібліотеки та утиліти для з'єднань через Secure Sockets Layer
Name: openssl
-Version: 0.9.8k
+# 1.0.2 will be LTS release
+# Version 1.0.2 will be supported until 2019-12-31.
+# https://www.openssl.org/about/releasestrat.html
+Version: 1.0.2e
Release: 1
License: Apache-like
Group: Libraries
Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz
-# Source0-md5: e555c6d58d276aec7fdc53363e338ab3
+# Source0-md5: 2218c1a6f807f7206c11eb3ee3a5ec80
Source2: %{name}.1.pl
Source3: %{name}-ssl-certificate.sh
Source4: %{name}-c_rehash.sh
Patch0: %{name}-alpha-ccc.patch
Patch1: %{name}-optflags.patch
-Patch2: %{name}-globalCA.diff
-Patch3: %{name}-include.patch
-Patch4: %{name}-libvar.patch
-Patch5: %{name}-man-namespace.patch
-Patch6: %{name}-asflag.patch
-Patch7: %{name}-ca-certificates.patch
-Patch8: %{name}-fips_install.patch
+Patch2: %{name}-include.patch
+Patch3: %{name}-man-namespace.patch
+Patch4: %{name}-asflag.patch
+Patch5: %{name}-ca-certificates.patch
+Patch6: %{name}-ldflags.patch
+Patch7: %{name}-find.patch
+Patch8: pic.patch
+Patch10: %{name}_fix_for_x32.patch
URL: http://www.openssl.org/
-# problem with =< 1.0.0beta2
-# Fixes should be in sourcecode
-BuildRequires: security(CVE-2009-1377)
-BuildRequires: security(CVE-2009-1378)
-BuildRequires: security(CVE-2009-1379)
-##
BuildRequires: bc
BuildRequires: perl-devel >= 1:5.6.1
BuildRequires: rpm-perlprov >= 4.1-13
BuildRequires: rpmbuild(macros) >= 1.213
BuildRequires: sed >= 4.0
+Requires: ca-certificates >= 20080809-4
+Requires: rpm-whiteout >= 1.7
Obsoletes: SSLeay
Obsoletes: SSLeay-devel
Obsoletes: SSLeay-perl
Obsoletes: libopenssl0
-Requires: ca-certificates >= 20080809-4
-Requires: rpm-whiteout >= 1.7
+%if "%{pld_release}" == "ac"
+Conflicts: neon < 0.26.3-3
+Conflicts: ntpd < 4.2.4p8-10
+Conflicts: openssh-clients < 2:5.8p1-9
+Conflicts: openssh-server < 2:5.8p1-9
+%else
+Conflicts: neon < 0.29.6-8
+Conflicts: openssh-clients < 2:6.2p2-3
+Conflicts: openssh-server < 2:6.2p2-3
+%endif
BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n)
%description
користування, що реалізують велику кількість криптографічних
алгоритмів, включаючи DES, RC4, RSA та SSL.
+%package engines
+Summary: OpenSSL optional crypto engines
+Summary(pl.UTF-8): Opcjonalne silniki kryptograficzne dla OpenSSL-a
+Group: Libraries
+Requires: %{name} = %{version}-%{release}
+
+%description engines
+With OpenSSL 0.9.6, a new component was added to support alternative
+cryptography implementations, most commonly for interfacing with
+external crypto devices (eg. accelerator cards). This component is
+called ENGINE.
+
+There are currently built-in ENGINE implementations for the following
+crypto devices:
+
+- CryptoSwift
+- Compaq Atalla
+- nCipher CHIL
+- Nuron
+- Broadcom uBSec
+
+In addition, dynamic binding to external ENGINE implementations is now
+provided by a special ENGINE called "dynamic".
+
+%description engines -l pl.UTF-8
+Począwszy od OpenSSL-a 0.9.6 został dodany nowy komponent, mający
+wspierać alternatywne implementacje kryptografii, przeważnie
+współpracujące z zewnętrznymi urządzeniami kryptograficznymi (np.
+kartami akceleratorów). Komponent ten jest nazywany SILNIKIEM (ang.
+ENGINE).
+
+Obecnie istnieją wbudowane implementacje silników dla następujących
+urządzeń kryptograficznych:
+- CryptoSwift
+- Compaq Atalla
+- nCipher CHIL
+- Nuron
+- Broadcom uBSec
+
+Ponadto zapewnione jest dynamiczne wiązanie dla zewnętrznych
+implementacji silników poprzez specjalny silnik o nazwie "dynamic".
+
%package tools
Summary: OpenSSL command line tool and utilities
Summary(pl.UTF-8): Zestaw narzędzi i skryptów
Group: Applications/Communications
Requires: %{name} = %{version}-%{release}
+Requires: which
%description tools
The OpenSSL Toolkit cmdline tool openssl and utility scripts.
%patch5 -p1
%patch6 -p1
%patch7 -p1
-%patch8 -p0
+%patch8 -p1
+%patch10 -p1
-%{__perl} -pi -e 's#%{_prefix}/local/bin/perl#%{__perl}#g' \
- `grep -l -r "%{_prefix}/local/bin/perl" *`
+sed -i -e 's|\$prefix/\$libdir/engines|/%{_lib}/engines|g' Configure
-sed -i -e 's|$prefix/lib/engines|%{_libdir}/engines|g' Configure
+# fix packaging error
+# https://github.com/openssl/openssl/issues/491
+ln -s . test/openssl-1.0.2e
+
+# also pod2man missing
+# https://github.com/openssl/openssl/issues/490
%build
touch Makefile.*
%{__perl} util/perlpath.pl %{__perl}
-OPTFLAGS="%{rpmcflags} %{?with_purify:-DPURIFY}" \
-./Configure \
-%if "%{pld_release}" == "ti"
- --openssldir=%{_var}/lib/%{name} \
-%else
+OPTFLAGS="%{rpmcflags} %{rpmcppflags} %{?with_purify:-DPURIFY}" \
+PERL="%{__perl}" \
+%{__perl} ./Configure \
--openssldir=%{_sysconfdir}/%{name} \
+ --libdir=%{_lib} \
+ shared \
+ threads \
+ %{!?with_sslv2:no-ssl2} \
+ %{!?with_sslv3:no-ssl3} \
+ %{!?with_zlib:no-}zlib \
+ enable-camelia \
+ enable-cms \
+ enable-idea \
+ enable-md2 \
+ enable-mdc2 \
+ enable-rc5 \
+ enable-rfc3779 \
+ enable-seed \
+ enable-tlsext \
+%ifarch %{x8664}
+ enable-ec_nistp_64_gcc_128 \
%endif
- --lib=%{_lib} \
- shared threads \
- enable-mdc2 enable-rc5 enable-tlsext \
%ifarch %{ix86}
%ifarch i386
386 linux-elf
%ifarch %{x8664}
linux-x86_64
%endif
+%ifarch x32
+ linux-x32
+%endif
%ifarch ia64
linux-ia64
%endif
%ifarch sparc64
linux64-sparcv9
%endif
+%ifarch armv4 armv5 armv5t armv5te armv5tel
+ linux-armv4
+%endif
%{__make} -j1 all rehash %{?with_tests:tests} \
CC="%{__cc}" \
rm -rf $RPM_BUILD_ROOT
install -d $RPM_BUILD_ROOT{%{_sysconfdir}/%{name},%{_libdir}/%{name}} \
$RPM_BUILD_ROOT{%{_mandir}/{pl/man1,man{1,3,5,7}},%{_datadir}/ssl} \
+ $RPM_BUILD_ROOT/%{_lib}/engines \
$RPM_BUILD_ROOT%{_pkgconfigdir}
-%{__make} install \
+%{__make} -j1 install \
INSTALLTOP=%{_prefix} \
INSTALL_PREFIX=$RPM_BUILD_ROOT \
MANDIR=%{_mandir}
-install libcrypto.a libssl.a $RPM_BUILD_ROOT%{_libdir}
-install lib*.so.*.* $RPM_BUILD_ROOT%{_libdir}
-ln -sf libcrypto.so.*.* $RPM_BUILD_ROOT%{_libdir}/libcrypto.so
-ln -sf libssl.so.*.* $RPM_BUILD_ROOT%{_libdir}/libssl.so
-
-%if "%{pld_release}" == "ti"
-ln -sf %{_var}/lib/%{name}/%{name}.cnf \
- $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/openssl.cnf
-ln -sf %{_var}/lib/%{name}/certs \
- $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/certs
-ln -sf %{_var}/lib/%{name}/private \
- $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/private
-mv -f $RPM_BUILD_ROOT%{_var}/lib/%{name}/misc/* $RPM_BUILD_ROOT%{_libdir}/%{name}
-rm -rf $RPM_BUILD_ROOT%{_var}/lib/%{name}/misc
-%else
+mv -f $RPM_BUILD_ROOT%{_libdir}/engines/* $RPM_BUILD_ROOT/%{_lib}/engines
+mv -f $RPM_BUILD_ROOT%{_libdir}/lib*.so.*.* $RPM_BUILD_ROOT/%{_lib}
+ln -sf /%{_lib}/$(basename $RPM_BUILD_ROOT/%{_lib}/libcrypto.*.*) $RPM_BUILD_ROOT%{_libdir}/libcrypto.so
+ln -sf /%{_lib}/$(basename $RPM_BUILD_ROOT/%{_lib}/libssl.*.*) $RPM_BUILD_ROOT%{_libdir}/libssl.so
+
mv -f $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/misc/* $RPM_BUILD_ROOT%{_libdir}/%{name}
rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/misc
-%endif
# not installed as individual utilities (see openssl dgst instead)
-%{__rm} $RPM_BUILD_ROOT%{_mandir}/man1/{md2,md4,md5,mdc2,ripemd160,sha,sha1}.1
+%{__rm} $RPM_BUILD_ROOT%{_mandir}/man1/{dss1,md2,md4,md5,mdc2,ripemd160,sha,sha1,sha224,sha256,sha384,sha512}.1
-install %{SOURCE2} $RPM_BUILD_ROOT%{_mandir}/pl/man1/openssl.1
-install %{SOURCE3} $RPM_BUILD_ROOT%{_bindir}/ssl-certificate
-install %{SOURCE4} $RPM_BUILD_ROOT%{_bindir}/c_rehash.sh
+cp -p %{SOURCE2} $RPM_BUILD_ROOT%{_mandir}/pl/man1/openssl.1
+install -p %{SOURCE3} $RPM_BUILD_ROOT%{_bindir}/ssl-certificate
+install -p %{SOURCE4} $RPM_BUILD_ROOT%{_bindir}/c_rehash.sh
%clean
rm -rf $RPM_BUILD_ROOT
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
-%if "%{pld_release}" == "ti"
-%triggerin -- %{name}-tools < 0.9.8i-2
-if [ -L /var/lib/openssl/openssl.cnf ] ; then
- echo "Saving old configuration as /var/lib/openssl/openssl.cnf.rpmsave"
- rm /var/lib/openssl/openssl.cnf
- mv %{_sysconfdir}/%{name}/openssl.cnf /var/lib/openssl/openssl.cnf.rpmsave 2>/dev/null || :
-fi
-%else
+%triggerpostun -- %{name}-tools < 1.0.0-5
+# the hashing format has changed in 1.0.0
+[ ! -x %{_sbindir}/update-ca-certificates ] || %{_sbindir}/update-ca-certificates --fresh || :
+
%triggerpostun -- %{name} < 0.9.8i-2
+# don't do anything on --downgrade
+if [ $1 -le 1 ]; then
+ exit 0
+fi
if [ -d /var/lib/openssl/certs ] ; then
mv /var/lib/openssl/certs/* %{_sysconfdir}/%{name}/certs 2>/dev/null || :
fi
for f in /var/lib/openssl/* ; do
[ -f "$f" ] && mv "$f" %{_sysconfdir}/%{name} 2>/dev/null || :
done
+ rmdir /var/lib/openssl/* 2>/dev/null || :
+ rmdir /var/lib/openssl 2>/dev/null || :
fi
-%endif
%files
%defattr(644,root,root,755)
%doc CHANGES CHANGES.SSLeay LICENSE NEWS README doc/*.txt
%doc doc/openssl_button.gif doc/openssl_button.html
-%attr(755,root,root) %{_libdir}/libcrypto.so.*.*.*
-%attr(755,root,root) %{_libdir}/libssl.so.*.*.*
-%dir %{_libdir}/engines
-%attr(755,root,root) %{_libdir}/engines/*.so
-%if "%{pld_release}" == "ti"
-%dir %{_var}/lib/%{name}
-%dir %{_var}/lib/%{name}/certs
-%dir %{_var}/lib/%{name}/private
-%dir %{_sysconfdir}/%{name}
-%attr(755,root,root) %{_sysconfdir}/%{name}/certs
-%attr(755,root,root) %{_sysconfdir}/%{name}/private
-%else
+%attr(755,root,root) /%{_lib}/libcrypto.so.*.*.*
+%attr(755,root,root) /%{_lib}/libssl.so.*.*.*
%dir %{_sysconfdir}/%{name}
%dir %{_sysconfdir}/%{name}/certs
%dir %{_sysconfdir}/%{name}/private
-%endif
%dir %{_datadir}/ssl
+%files engines
+%defattr(644,root,root,755)
+%dir /%{_lib}/engines
+%attr(755,root,root) /%{_lib}/engines/*.so
+
%files tools
%defattr(644,root,root,755)
-%if "%{pld_release}" == "ti"
-%{_sysconfdir}/%{name}/openssl.cnf
-%config(noreplace) %verify(not md5 mtime size) %{_var}/lib/%{name}/openssl.cnf
-%else
%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/%{name}/openssl.cnf
-%endif
-%attr(755,root,root) %{_bindir}/%{name}
%attr(755,root,root) %{_bindir}/c_rehash.sh
+%attr(755,root,root) %{_bindir}/openssl
%attr(754,root,root) %{_bindir}/ssl-certificate
%dir %{_libdir}/%{name}
%{_mandir}/man1/openssl_asn1parse.1*
%{_mandir}/man1/openssl_ca.1*
%{_mandir}/man1/openssl_ciphers.1*
+%{_mandir}/man1/openssl_cms.1*
%{_mandir}/man1/openssl_crl.1*
%{_mandir}/man1/openssl_crl2pkcs7.1*
%{_mandir}/man1/openssl_dgst.1*
%{_mandir}/man1/openssl_enc.1*
%{_mandir}/man1/openssl_errstr.1*
%{_mandir}/man1/openssl_gendsa.1*
+%{_mandir}/man1/openssl_genpkey.1*
%{_mandir}/man1/openssl_genrsa.1*
%{_mandir}/man1/openssl_nseq.1*
%{_mandir}/man1/openssl_ocsp.1*
%{_mandir}/man1/openssl_pkcs12.1*
%{_mandir}/man1/openssl_pkcs7.1*
%{_mandir}/man1/openssl_pkcs8.1*
+%{_mandir}/man1/openssl_pkey.1*
+%{_mandir}/man1/openssl_pkeyparam.1*
+%{_mandir}/man1/openssl_pkeyutl.1*
%{_mandir}/man1/openssl_rand.1*
%{_mandir}/man1/openssl_req.1*
%{_mandir}/man1/openssl_rsa.1*
%{_mandir}/man1/openssl_smime.1*
%{_mandir}/man1/openssl_speed.1*
%{_mandir}/man1/openssl_spkac.1*
+%{_mandir}/man1/openssl_ts.1*
+%{_mandir}/man1/openssl_tsget.1*
%{_mandir}/man1/openssl_verify.1*
%{_mandir}/man1/openssl_version.1*
%{_mandir}/man1/openssl_x509.1*
%defattr(644,root,root,755)
%attr(755,root,root) %{_bindir}/c_rehash
%attr(755,root,root) %{_libdir}/%{name}/CA.pl
+%attr(755,root,root) %{_libdir}/%{name}/tsget
%{_mandir}/man1/openssl_CA.pl.1*
+%{_mandir}/man1/openssl_c_rehash.1*
%files devel
%defattr(644,root,root,755)
%files static
%defattr(644,root,root,755)
-%{_libdir}/lib*.a
+%{_libdir}/libcrypto.a
+%{_libdir}/libssl.a