02427a3414
* All the minor versions of the 1.1.x openssl branch have the same
sonum and keep ABI compatibility
- Remove bit obsolete syntax
- Use %license macro
- Don't disable afalgeng on aarch64
- Add support for s390x CPACF enhancements (fate#321518)
patches taken from https://github.com/openssl/openssl/pull/2859:
* 0002-crypto-modes-asm-ghash-s390x.pl-fix-gcm_gmult_4bit-K.patch
* 0004-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch
* 0005-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch
* 0006-s390x-assembly-pack-extended-s390x-capability-vector.patch
* 0007-crypto-evp-e_aes.c-add-foundations-for-extended-s390.patch
* 0008-s390x-assembly-pack-extended-s390x-capability-vector.patch
* 0009-crypto-aes-asm-aes-s390x.pl-add-KMA-code-path.patch
* 0010-doc-man3-OPENSSL_s390xcap.pod-update-KMA.patch
* 0011-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch
* 0012-s390x-assembly-pack-add-KMA-code-path-for-aes-gcm.patch
* 0013-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch
- Do not filter pkgconfig() provides/requires.
- Obsolete openssl-1_0_0 by openssl-1_1_0: this is required for a
clean upgrade path as an aid to zypp (boo#1070003).
- Update to 1.1.0g
OpenSSL Security Advisory [02 Nov 2017]
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=2
298 lines
10 KiB
RPMSpec
298 lines
10 KiB
RPMSpec
#
|
|
# spec file for package openssl-1_1
|
|
#
|
|
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
|
|
#
|
|
# All modifications and additions to the file contributed by third parties
|
|
# remain the property of their copyright owners, unless otherwise agreed
|
|
# upon. The license for this file, and modifications and additions to the
|
|
# file, is the same license as for the pristine package itself (unless the
|
|
# license for the pristine package is not an Open Source License, in which
|
|
# case the license is the MIT License). An "Open Source License" is a
|
|
# license that conforms to the Open Source Definition (Version 1.9)
|
|
# published by the Open Source Initiative.
|
|
|
|
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
|
#
|
|
|
|
|
|
%define ssletcdir %{_sysconfdir}/ssl
|
|
%define maj_min 1.1
|
|
%define _rname openssl
|
|
Name: openssl-1_1
|
|
Version: 1.1.0g
|
|
Release: 0
|
|
Summary: Secure Sockets and Transport Layer Security
|
|
License: OpenSSL
|
|
Group: Productivity/Networking/Security
|
|
Url: https://www.openssl.org/
|
|
Source: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz
|
|
# to get mtime of file:
|
|
Source1: %{name}.changes
|
|
Source2: baselibs.conf
|
|
Source42: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz.asc
|
|
# https://www.openssl.org/about/
|
|
# http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA2D29B7BF295C759#/openssl.keyring
|
|
Source43: %{_rname}.keyring
|
|
Source99: showciphers.c
|
|
# https://github.com/openssl/openssl/pull/2045
|
|
Patch0: 0001-Resume-reading-from-randfile-when-interrupted-by-a-s.patch
|
|
# PATCH-FIX-OPENSUSE: upstream won't use glibc
|
|
Patch1: 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
|
|
# PATCH-FIX-OPENSUSE: do not install html mans it takes ages
|
|
Patch2: openssl-1.1.0-no-html.patch
|
|
# PATCH-FIX-UPSTREAM: patch to allow deps and linking to static libs
|
|
# needed for fips and taken from upstream
|
|
Patch3: openssl-static-deps.patch
|
|
Patch4: openssl-truststore.patch
|
|
Patch5: openssl-pkgconfig.patch
|
|
Patch6: openssl-1.0.1e-add-suse-default-cipher.patch
|
|
Patch7: openssl-1.0.1e-add-test-suse-default-cipher-suite.patch
|
|
Patch8: openssl-ppc64-config.patch
|
|
Patch9: openssl-no-date.patch
|
|
# FIPS patches:
|
|
Patch51: openssl-1.1.0-fips.patch
|
|
Patch52: openssl-fips-dont_run_FIPS_module_installed.patch
|
|
Patch53: openssl-fips_disallow_ENGINE_loading.patch
|
|
Patch54: openssl-rsakeygen-minimum-distance.patch
|
|
Patch55: openssl-urandom-reseeding.patch
|
|
Patch56: openssl-fips-rsagen-d-bits.patch
|
|
Patch57: openssl-fips-selftests_in_nonfips_mode.patch
|
|
Patch58: openssl-fips-fix-odd-rsakeybits.patch
|
|
Patch59: openssl-fips-clearerror.patch
|
|
Patch60: openssl-fips-dont-fall-back-to-default-digest.patch
|
|
Patch61: openssl-disable_rsa_keygen_tests_with_small_modulus.patch
|
|
# FATE#321518 Add support for s390x CPACF enhancements (https://fate.suse.com/321518)
|
|
Patch62: 0002-crypto-modes-asm-ghash-s390x.pl-fix-gcm_gmult_4bit-K.patch
|
|
Patch63: 0004-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch
|
|
Patch64: 0005-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch
|
|
Patch65: 0006-s390x-assembly-pack-extended-s390x-capability-vector.patch
|
|
Patch66: 0007-crypto-evp-e_aes.c-add-foundations-for-extended-s390.patch
|
|
Patch67: 0008-s390x-assembly-pack-extended-s390x-capability-vector.patch
|
|
Patch68: 0009-crypto-aes-asm-aes-s390x.pl-add-KMA-code-path.patch
|
|
Patch69: 0010-doc-man3-OPENSSL_s390xcap.pod-update-KMA.patch
|
|
Patch70: 0011-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch
|
|
Patch71: 0012-s390x-assembly-pack-add-KMA-code-path-for-aes-gcm.patch
|
|
Patch72: 0013-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch
|
|
BuildRequires: bc
|
|
BuildRequires: ed
|
|
BuildRequires: pkgconfig
|
|
BuildRequires: pkgconfig(zlib)
|
|
Conflicts: ssl
|
|
Provides: ssl
|
|
# Needed for clean upgrade path, boo#1070003
|
|
Obsoletes: openssl-1_0_0
|
|
|
|
%description
|
|
OpenSSL is a software library to be used in applications that need to
|
|
secure communications over computer networks against eavesdropping or
|
|
need to ascertain the identity of the party at the other end.
|
|
OpenSSL contains an implementation of the SSL and TLS protocols.
|
|
|
|
%package -n libopenssl1_1
|
|
Summary: Secure Sockets and Transport Layer Security
|
|
License: OpenSSL
|
|
Group: Productivity/Networking/Security
|
|
Recommends: ca-certificates-mozilla
|
|
|
|
%description -n libopenssl1_1
|
|
OpenSSL is a software library to be used in applications that need to
|
|
secure communications over computer networks against eavesdropping or
|
|
need to ascertain the identity of the party at the other end.
|
|
OpenSSL contains an implementation of the SSL and TLS protocols.
|
|
|
|
%package -n libopenssl-1_1-devel
|
|
Summary: Development files for OpenSSL
|
|
License: OpenSSL
|
|
Group: Development/Libraries/C and C++
|
|
Requires: %{name} = %{version}
|
|
Requires: libopenssl1_1 = %{version}
|
|
Requires: pkgconfig(zlib)
|
|
# we need to have around only the exact version we are able to operate with
|
|
Conflicts: libopenssl-devel < %{version}
|
|
Conflicts: libopenssl-devel > %{version}
|
|
Conflicts: ssl-devel
|
|
Provides: ssl-devel
|
|
|
|
%description -n libopenssl-1_1-devel
|
|
This subpackage contains header files for developing applications
|
|
that want to make use of the OpenSSL C API.
|
|
|
|
%package -n libopenssl1_1-hmac
|
|
Summary: HMAC files for FIPS-140-2 integrity checking of the openssl shared libraries
|
|
License: BSD-3-Clause
|
|
Group: Productivity/Networking/Security
|
|
Requires: libopenssl1_1 = %{version}-%{release}
|
|
|
|
%description -n libopenssl1_1-hmac
|
|
The FIPS compliant operation of the openssl shared libraries is NOT
|
|
possible without the HMAC hashes contained in this package!
|
|
|
|
%package doc
|
|
Summary: Additional Package Documentation
|
|
License: OpenSSL
|
|
Group: Productivity/Networking/Security
|
|
Conflicts: openssl-doc
|
|
Provides: openssl-doc = %{version}
|
|
Obsoletes: openssl-doc < %{version}
|
|
BuildArch: noarch
|
|
|
|
%description doc
|
|
This package contains optional documentation provided in addition to
|
|
this package's base documentation.
|
|
|
|
%prep
|
|
%setup -q -n %{_rname}-%{version}
|
|
%autopatch -p1
|
|
|
|
%build
|
|
%ifarch armv5el armv5tel
|
|
export MACHINE=armv5el
|
|
%endif
|
|
%ifarch armv6l armv6hl
|
|
export MACHINE=armv6l
|
|
%endif
|
|
|
|
./config \
|
|
no-rc5 no-idea \
|
|
fips \
|
|
no-ssl3 \
|
|
enable-rfc3779 \
|
|
%ifarch x86_64 aarch64 ppc64le
|
|
enable-ec_nistp_64_gcc_128 \
|
|
%endif
|
|
enable-camellia \
|
|
zlib \
|
|
no-ec2m \
|
|
--prefix=%{_prefix} \
|
|
--libdir=%{_lib} \
|
|
--openssldir=%{ssletcdir} \
|
|
%{optflags} -std=gnu99 \
|
|
-Wa,--noexecstack \
|
|
-Wl,-z,relro,-z,now \
|
|
-fno-common \
|
|
-DTERMIO \
|
|
-DPURIFY \
|
|
-D_GNU_SOURCE \
|
|
-DOPENSSL_NO_BUF_FREELISTS \
|
|
$(getconf LFS_CFLAGS) \
|
|
-Wall
|
|
|
|
util/mkdef.pl crypto update
|
|
make depend %{?_smp_mflags}
|
|
make all %{?_smp_mflags}
|
|
|
|
%check
|
|
export MALLOC_CHECK_=3
|
|
export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
|
|
LD_LIBRARY_PATH=`pwd` make test -j1
|
|
# show cyphers
|
|
gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE99} -L%{buildroot}%{_libdir} -lssl -lcrypto
|
|
LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers
|
|
|
|
%install
|
|
%make_install %{?_smp_mflags}
|
|
# kill static libs
|
|
rm -f %{buildroot}%{_libdir}/lib*.a
|
|
# remove the cnf.dist
|
|
rm -f %{buildroot}%{_sysconfdir}/ssl/openssl.cnf.dist
|
|
ln -sf ./%{_rname} %{buildroot}/%{_includedir}/ssl
|
|
mkdir %{buildroot}/%{_datadir}/ssl
|
|
mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl/
|
|
|
|
# avoid file conflicts with man pages from other packages
|
|
#
|
|
set +x
|
|
pushd %{buildroot}/%{_mandir}
|
|
# some man pages now contain spaces. This makes several scripts go havoc, among them /usr/sbin/Check.
|
|
# replace spaces by underscores
|
|
#for i in man?/*\ *; do mv -v "$i" "${i// /_}"; done
|
|
which readlink &>/dev/null || function readlink { ( set +x; target=$(file $1 2>/dev/null); target=${target//* }; test -f $target && echo $target; ) }
|
|
for i in man?/*; do
|
|
if test -L $i ; then
|
|
LDEST=`readlink $i`
|
|
rm -f $i ${i}ssl
|
|
ln -sf ${LDEST}ssl ${i}ssl
|
|
else
|
|
mv $i ${i}ssl
|
|
fi
|
|
case "$i" in
|
|
*.1)
|
|
# these are the pages mentioned in openssl(1). They go into the main package.
|
|
echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist;;
|
|
*)
|
|
# the rest goes into the openssl-doc package.
|
|
echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist.doc;;
|
|
esac
|
|
done
|
|
popd
|
|
set -x
|
|
|
|
# Do not install demo scripts executable under /usr/share/doc
|
|
find demos -type f -perm /111 -exec chmod 644 {} \;
|
|
|
|
# Place showciphers.c for %doc macro
|
|
cp %{SOURCE99} .
|
|
|
|
# the hmac hashes:
|
|
#
|
|
# this is a hack that re-defines the __os_install_post macro
|
|
# for a simple reason: the macro strips the binaries and thereby
|
|
# invalidates a HMAC that may have been created earlier.
|
|
# solution: create the hashes _after_ the macro runs.
|
|
#
|
|
# this shows up earlier because otherwise the %expand of
|
|
# the macro is too late.
|
|
# remark: This is the same as running
|
|
# openssl dgst -sha256 -hmac 'ppaksykemnsecgtsttplmamstKMEs'
|
|
%{expand:%%global __os_install_post {%__os_install_post
|
|
|
|
%{buildroot}%{_bindir}/fips_standalone_hmac \
|
|
%{buildroot}%{_libdir}/libssl.so.%{maj_min} > \
|
|
%{buildroot}%{_libdir}/.libssl.so.%{maj_min}.hmac
|
|
|
|
%{buildroot}%{_bindir}/fips_standalone_hmac \
|
|
%{buildroot}%{_libdir}/libcrypto.so.%{maj_min} > \
|
|
%{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.hmac
|
|
|
|
}}
|
|
|
|
%post -n libopenssl1_1 -p /sbin/ldconfig
|
|
%postun -n libopenssl1_1 -p /sbin/ldconfig
|
|
|
|
%files -n libopenssl1_1
|
|
%license LICENSE
|
|
%{_libdir}/libssl.so.%{maj_min}
|
|
%{_libdir}/libcrypto.so.%{maj_min}
|
|
%{_libdir}/engines-%{maj_min}
|
|
|
|
%files -n libopenssl1_1-hmac
|
|
%{_libdir}/.libssl.so.%{maj_min}.hmac
|
|
%{_libdir}/.libcrypto.so.%{maj_min}.hmac
|
|
|
|
%files -n libopenssl-1_1-devel
|
|
%{_includedir}/%{_rname}/
|
|
%{_includedir}/ssl
|
|
%{_libdir}/libssl.so
|
|
%{_libdir}/libcrypto.so
|
|
%{_libdir}/pkgconfig/libcrypto.pc
|
|
%{_libdir}/pkgconfig/libssl.pc
|
|
%{_libdir}/pkgconfig/openssl.pc
|
|
|
|
%files doc -f filelist.doc
|
|
%doc doc/* demos
|
|
%doc showciphers.c
|
|
|
|
%files -f filelist
|
|
%doc CHANGE* NEWS README
|
|
%dir %{ssletcdir}
|
|
%config (noreplace) %{ssletcdir}/openssl.cnf
|
|
%attr(700,root,root) %{ssletcdir}/private
|
|
%dir %{_datadir}/ssl
|
|
%{_datadir}/ssl/misc
|
|
%{_bindir}/c_rehash
|
|
%{_bindir}/fips_standalone_hmac
|
|
%{_bindir}/%{_rname}
|
|
|
|
%changelog
|