1037 lines
42 KiB
RPMSpec
1037 lines
42 KiB
RPMSpec
#
|
|
# spec file for package openssl (Version 0.9.8g)
|
|
#
|
|
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
|
# This file and all modifications and additions to the pristine
|
|
# package are under the same license as the package itself.
|
|
#
|
|
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
|
#
|
|
|
|
# norootforbuild
|
|
|
|
|
|
Name: openssl
|
|
BuildRequires: bc ed zlib-devel
|
|
%define ssletcdir %{_sysconfdir}/ssl
|
|
%define num_version %(echo "%{version}" | sed -e "s+[a-zA-Z]++g; s+_.*++g")
|
|
License: BSD 3-Clause
|
|
Group: Productivity/Networking/Security
|
|
Provides: ssl
|
|
AutoReqProv: on
|
|
Version: 0.9.8g
|
|
Release: 43
|
|
Summary: Secure Sockets and Transport Layer Security
|
|
Url: http://www.openssl.org/
|
|
Source: http://www.%{name}.org/source/%{name}-%{version}.tar.bz2
|
|
Source10: README.SuSE
|
|
Source20: ICP-Brasil.pem
|
|
Source21: Equifax-root1.pem
|
|
Patch0: openssl-0.9.8-sparc.dif
|
|
Patch1: openssl-0.9.8-flags-priority.dif
|
|
Patch2: non-exec-stack.diff
|
|
Patch3: openssl-0.9.7f-ppc64.diff
|
|
Patch4: openssl-hppa-config.diff
|
|
Patch5: openssl-0.9.6g-alpha.diff
|
|
# http://www-124.ibm.com/developerworks/projects/libica/
|
|
#Patch10: openssl-0.9.7d-ICA_engine-jun142004.patch.bz2
|
|
Patch6: openssl-0.9.8a.ca-app-segfault.bug128655.dif
|
|
Patch7: bswap.diff
|
|
Patch8: openssl-0.9.8g-fix_dh_for_certain_moduli.patch
|
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
|
|
|
%description
|
|
The OpenSSL Project is a collaborative effort to develop a robust,
|
|
commercial-grade, full-featured, and open source toolkit implementing
|
|
the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS
|
|
v1) protocols with full-strength cryptography. The project is managed
|
|
by a worldwide community of volunteers that use the Internet to
|
|
communicate, plan, and develop the OpenSSL toolkit and its related
|
|
documentation.
|
|
|
|
Derivation and License
|
|
|
|
OpenSSL is based on the excellent SSLeay library developed by Eric A.
|
|
Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an
|
|
Apache-style license, which basically means that you are free to get it
|
|
and to use it for commercial and noncommercial purposes.
|
|
|
|
|
|
|
|
Authors:
|
|
--------
|
|
Mark J. Cox <mark@openssl.org>
|
|
Ralf S. Engelschall <rse@openssl.org>
|
|
Dr. Stephen Henson <steve@openssl.org>
|
|
Ben Laurie <ben@openssl.org>
|
|
Bodo Moeller <bodo@openssl.org>
|
|
Ulf Moeller <ulf@openssl.org>
|
|
Holger Reif <holger@openssl.org>
|
|
Paul C. Sutton <paul@openssl.org>
|
|
|
|
%package -n libopenssl0_9_8
|
|
License: BSD 3-Clause
|
|
Summary: Secure Sockets and Transport Layer Security
|
|
Group: Productivity/Networking/Security
|
|
Requires: openssl-certs
|
|
|
|
%description -n libopenssl0_9_8
|
|
The OpenSSL Project is a collaborative effort to develop a robust,
|
|
commercial-grade, full-featured, and open source toolkit implementing
|
|
the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS
|
|
v1) protocols with full-strength cryptography. The project is managed
|
|
by a worldwide community of volunteers that use the Internet to
|
|
communicate, plan, and develop the OpenSSL toolkit and its related
|
|
documentation.
|
|
|
|
Derivation and License
|
|
|
|
OpenSSL is based on the excellent SSLeay library developed by Eric A.
|
|
Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an
|
|
Apache-style license, which basically means that you are free to get it
|
|
and to use it for commercial and noncommercial purposes.
|
|
|
|
|
|
|
|
Authors:
|
|
--------
|
|
Mark J. Cox <mark@openssl.org>
|
|
Ralf S. Engelschall <rse@openssl.org>
|
|
Dr. Stephen Henson <steve@openssl.org>
|
|
Ben Laurie <ben@openssl.org>
|
|
Bodo Moeller <bodo@openssl.org>
|
|
Ulf Moeller <ulf@openssl.org>
|
|
Holger Reif <holger@openssl.org>
|
|
Paul C. Sutton <paul@openssl.org>
|
|
|
|
%package -n libopenssl-devel
|
|
License: BSD 3-Clause
|
|
Summary: Include Files and Libraries mandatory for Development.
|
|
Group: Development/Libraries/C and C++
|
|
# openssl-devel last used in openSUSE 10.2
|
|
Obsoletes: openssl-devel <= 0.9.8e-8
|
|
Requires: libopenssl0_9_8 = %{version} zlib-devel
|
|
Provides: openssl-devel = 0.9.8e-8
|
|
|
|
%description -n libopenssl-devel
|
|
This package contains all necessary include files and libraries needed
|
|
to develop applications that require these.
|
|
|
|
|
|
|
|
Authors:
|
|
--------
|
|
Mark J. Cox <mark@openssl.org>
|
|
Ralf S. Engelschall <rse@openssl.org>
|
|
Dr. Stephen <Henson steve@openssl.org>
|
|
Ben Laurie <ben@openssl.org>
|
|
Bodo Moeller <bodo@openssl.org>
|
|
Ulf Moeller <ulf@openssl.org>
|
|
Holger Reif <holger@openssl.org>
|
|
Paul C. Sutton <paul@openssl.org>
|
|
|
|
%package certs
|
|
License: BSD 3-Clause
|
|
Summary: Secure Sockets and Transport Layer Security
|
|
Group: Productivity/Networking/Security
|
|
|
|
%description certs
|
|
The OpenSSL Project is a collaborative effort to develop a robust,
|
|
commercial-grade, full-featured, and open source toolkit implementing
|
|
the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS
|
|
v1) protocols with full-strength cryptography. The project is managed
|
|
by a worldwide community of volunteers that use the Internet to
|
|
communicate, plan, and develop the OpenSSL toolkit and its related
|
|
documentation.
|
|
|
|
Derivation and License
|
|
|
|
OpenSSL is based on the excellent SSLeay library developed by Eric A.
|
|
Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an
|
|
Apache-style license, which basically means that you are free to get it
|
|
and to use it for commercial and noncommercial purposes.
|
|
|
|
|
|
|
|
Authors:
|
|
--------
|
|
Mark J. Cox <mark@openssl.org>
|
|
Ralf S. Engelschall <rse@openssl.org>
|
|
Dr. Stephen Henson <steve@openssl.org>
|
|
Ben Laurie <ben@openssl.org>
|
|
Bodo Moeller <bodo@openssl.org>
|
|
Ulf Moeller <ulf@openssl.org>
|
|
Holger Reif <holger@openssl.org>
|
|
Paul C. Sutton <paul@openssl.org>
|
|
|
|
%package doc
|
|
License: BSD 3-Clause
|
|
Summary: Additional Package Documentation.
|
|
Group: Productivity/Networking/Security
|
|
|
|
%description doc
|
|
This package contains optional documentation provided in addition to
|
|
this package's base documentation.
|
|
|
|
|
|
|
|
Authors:
|
|
--------
|
|
Mark J. Cox <mark@openssl.org>
|
|
Ralf S. Engelschall <rse@openssl.org>
|
|
Dr. Stephen <Henson steve@openssl.org>
|
|
Ben Laurie <ben@openssl.org>
|
|
Bodo Moeller <bodo@openssl.org>
|
|
Ulf Moeller <ulf@openssl.org>
|
|
Holger Reif <holger@openssl.org>
|
|
Paul C. Sutton <paul@openssl.org>
|
|
|
|
%prep
|
|
%setup -q
|
|
%patch -p1
|
|
%patch1 -p1
|
|
%patch2
|
|
%patch3 -p1
|
|
%patch4
|
|
%patch5 -p1
|
|
#%patch10 -p1
|
|
%patch6 -p1
|
|
%patch7
|
|
%patch8 -p1
|
|
cp -p %{S:10} .
|
|
cp -p %{S:20} certs/
|
|
cp -p %{S:21} certs/
|
|
# lib64 installation fixes
|
|
for i in Makefile.org engines/Makefile; do
|
|
sed -e "s+\(\$(INSTALL_PREFIX)\$(INSTALLTOP)\)/lib+\1/%_lib+g" \
|
|
-e "s+libdir=\$\${exec_prefix}/lib+libdir=\$\${exec_prefix}/%_lib+g" \
|
|
$i > $i.t
|
|
diff -u $i $i.t ||:
|
|
mv $i.t $i
|
|
done
|
|
echo "adding/overwriting some entries in the 'table' hash in Configure"
|
|
# $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags
|
|
export DSO_SCHEME='dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):'
|
|
cat <<EOF_ED | ed -s Configure
|
|
/^);
|
|
-
|
|
i
|
|
# local configuration added from specfile
|
|
#config-string, $cc:$cflags:$unistd:$thread_cflag:$sys_id:$lflags:$bn_ops:$cpuid_obj:$bn_obj:$des_obj:$aes_obj:$bf_obj:$md5_obj:$sha1_obj:$cast_obj:$rc4_obj:$rmd160_obj:$rc5_obj:$dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags
|
|
"linux-elf", "gcc:-DL_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG \${x86_gcc_des} \${x86_gcc_opts}:\${x86_elf_asm}:$DSO_SCHEME",
|
|
"linux-ia64", "gcc:-DL_ENDIAN -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR::asm/ia64.o:::::::::: $DSO_SCHEME",
|
|
"linux-ppc", "gcc:-DB_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:::::::::::: $DSO_SCHEME",
|
|
"linux-ppc64", "gcc:-DB_ENDIAN -DMD32_REG_T=int::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL SIXTY_FOUR_BIT_LONG:::::::::::: $DSO_SCHEME",
|
|
"linux-elf-arm","gcc:-DL_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG:::::::::::: $DSO_SCHEME",
|
|
"linux-mips", "gcc:-DB_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:::::::::::: $DSO_SCHEME",
|
|
"linux-sparcv7","gcc:-DB_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::: $DSO_SCHEME",
|
|
"linux-sparcv8","gcc:-DB_ENDIAN -DBN_DIV2W -mv8 ::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::asm/sparcv8.o:::::::::: $DSO_SCHEME",
|
|
"linux-x86_64", "gcc:-DL_ENDIAN -DNO_ASM -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG:::::::::::: $DSO_SCHEME",
|
|
"linux-s390", "gcc:-DB_ENDIAN ::(unknown): :-ldl:BN_LLONG:::::::::::: $DSO_SCHEME",
|
|
"linux-s390x", "gcc:-DB_ENDIAN -DNO_ASM -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG:::::::::::: $DSO_SCHEME",
|
|
"linux-parisc", "gcc:-DB_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR DES_PTR DES_UNROLL DES_RISC1:::::::::::: $DSO_SCHEME",
|
|
.
|
|
wq
|
|
EOF_ED
|
|
# fix ENGINESDIR path
|
|
sed -i 's,/lib/engines,/%_lib/engines,' Configure
|
|
|
|
%build
|
|
./config --test-sanity
|
|
#
|
|
config_flags="threads shared no-rc5 no-idea \
|
|
enable-camellia \
|
|
zlib \
|
|
--prefix=%{_prefix} \
|
|
--openssldir=%{ssletcdir} \
|
|
$RPM_OPT_FLAGS \
|
|
-fomit-frame-pointer \
|
|
-fno-strict-aliasing \
|
|
-DTERMIO \
|
|
-Wall \
|
|
-fstack-protector "
|
|
#
|
|
%{!?do_profiling:%define do_profiling 0}
|
|
%if %do_profiling
|
|
# generate feedback
|
|
./config $config_flags
|
|
make depend CC="gcc %cflags_profile_generate"
|
|
make CC="gcc %cflags_profile_generate"
|
|
LD_LIBRARY_PATH=`pwd` make rehash CC="gcc %cflags_profile_generate"
|
|
LD_LIBRARY_PATH=`pwd` make test CC="gcc %cflags_profile_generate"
|
|
LD_LIBRARY_PATH=`pwd` apps/openssl speed
|
|
make clean
|
|
# compile with feedback
|
|
# but not if it makes a cipher slower:
|
|
#find crypto/aes -name '*.da' | xargs -r rm
|
|
./config $config_flags %cflags_profile_feedback
|
|
make depend
|
|
make
|
|
LD_LIBRARY_PATH=`pwd` make rehash
|
|
LD_LIBRARY_PATH=`pwd` make test
|
|
%else
|
|
./config $config_flags
|
|
make depend
|
|
make
|
|
LD_LIBRARY_PATH=`pwd` make rehash
|
|
%ifnarch armv4l
|
|
LD_LIBRARY_PATH=`pwd` make test
|
|
%endif
|
|
%endif
|
|
# show settings
|
|
make TABLE
|
|
echo $RPM_OPT_FLAGS
|
|
eval $(egrep PLATFORM='[[:alnum:]]' Makefile)
|
|
grep -B1 -A22 "^\*\*\* $PLATFORM$" TABLE
|
|
|
|
%install
|
|
rm -rf $RPM_BUILD_ROOT
|
|
make MANDIR=%{_mandir} INSTALL_PREFIX=$RPM_BUILD_ROOT install
|
|
# install standard root certificates
|
|
cp -pr certs/* $RPM_BUILD_ROOT/%{ssletcdir}/certs
|
|
ln -sf ./%{name} $RPM_BUILD_ROOT/%{_includedir}/ssl
|
|
mkdir $RPM_BUILD_ROOT/%{_datadir}/ssl
|
|
mv $RPM_BUILD_ROOT/%{ssletcdir}/misc $RPM_BUILD_ROOT/%{_datadir}/ssl/
|
|
# ln -s %{ssletcdir}/certs $RPM_BUILD_ROOT/%{_datadir}/ssl/certs
|
|
# ln -s %{ssletcdir}/private $RPM_BUILD_ROOT/%{_datadir}/ssl/private
|
|
# ln -s %{ssletcdir}/openssl.cnf $RPM_BUILD_ROOT/%{_datadir}/ssl/openssl.cnf
|
|
#
|
|
# avoid file conflicts with man pages from other packages
|
|
#
|
|
pushd $RPM_BUILD_ROOT/%{_mandir}
|
|
# some man pages now contain spaces. This makes several scripts go havoc, among them /usr/sbin/Check.
|
|
# replace spaces by underscores
|
|
#for i in man?/*\ *; do mv -v "$i" "${i// /_}"; done
|
|
which readlink &>/dev/null || function readlink { ( set +x; target=$(file $1 2>/dev/null); target=${target//* }; test -f $target && echo $target; ) }
|
|
for i in man?/*; do
|
|
if test -L $i ; then
|
|
LDEST=`readlink $i`
|
|
rm -f $i ${i}ssl
|
|
ln -sf ${LDEST}ssl ${i}ssl
|
|
else
|
|
mv $i ${i}ssl
|
|
fi
|
|
case `basename ${i%.*}` in
|
|
asn1parse|ca|config|crl|crl2pkcs7|crypto|dgst|dhparam|dsa|dsaparam|enc|gendsa|genrsa|nseq|openssl|passwd|pkcs12|pkcs7|pkcs8|rand|req|rsa|rsautl|s_client|s_server|smime|spkac|ssl|verify|version|x509)
|
|
# these are the pages mentioned in openssl(1). They go into the main package.
|
|
echo %doc %{_mandir}/${i}ssl.gz >> $OLDPWD/filelist;;
|
|
*)
|
|
# the rest goes into the openssl-doc package.
|
|
echo %doc %{_mandir}/${i}ssl.gz >> $OLDPWD/filelist.doc;;
|
|
esac
|
|
done
|
|
popd
|
|
#
|
|
# check wether some shared library has been installed
|
|
#
|
|
ls -l $RPM_BUILD_ROOT/%{_libdir}
|
|
test -f $RPM_BUILD_ROOT/%{_libdir}/libssl.so.%{num_version}
|
|
test -f $RPM_BUILD_ROOT/%{_libdir}/libcrypto.so.%{num_version}
|
|
test -L $RPM_BUILD_ROOT/%{_libdir}/libssl.so
|
|
test -L $RPM_BUILD_ROOT/%{_libdir}/libcrypto.so
|
|
#
|
|
# see what we've got
|
|
#
|
|
cat > showciphers.c <<EOF
|
|
#include <openssl/err.h>
|
|
#include <openssl/ssl.h>
|
|
void main(){
|
|
unsigned int i;
|
|
SSL_CTX *ctx;
|
|
SSL *ssl;
|
|
SSL_METHOD *meth;
|
|
meth = SSLv2_client_method();
|
|
SSLeay_add_ssl_algorithms();
|
|
ctx = SSL_CTX_new(meth);
|
|
if (ctx == NULL) return 0;
|
|
ssl = SSL_new(ctx);
|
|
if (!ssl) return 0;
|
|
for (i=0; ; i++) {
|
|
int j, k;
|
|
SSL_CIPHER *sc;
|
|
sc = (meth->get_cipher)(i);
|
|
if (!sc) break;
|
|
k = SSL_CIPHER_get_bits(sc, &j);
|
|
printf("%s\n", sc->name);
|
|
}
|
|
return 0;
|
|
};
|
|
EOF
|
|
gcc $RPM_OPT_FLAGS -I${RPM_BUILD_ROOT}%{_includedir} -c showciphers.c
|
|
gcc -o showciphers showciphers.o -L${RPM_BUILD_ROOT}%{_libdir} -lssl -lcrypto
|
|
LD_LIBRARY_PATH=${RPM_BUILD_ROOT}%{_libdir} ./showciphers > AVAILABLE_CIPHERS || true
|
|
cat AVAILABLE_CIPHERS
|
|
# Do not install demo scripts executable under /usr/share/doc
|
|
find demos -type f -perm /111 -exec chmod 644 {} \;
|
|
|
|
%clean
|
|
if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi
|
|
|
|
%post -n libopenssl0_9_8
|
|
/sbin/ldconfig
|
|
|
|
%postun -n libopenssl0_9_8
|
|
/sbin/ldconfig
|
|
|
|
%files -n libopenssl0_9_8
|
|
%defattr(-, root, root)
|
|
%{_libdir}/libssl.so.%{num_version}
|
|
%{_libdir}/libcrypto.so.%{num_version}
|
|
%{_libdir}/engines
|
|
|
|
%files -n libopenssl-devel
|
|
%defattr(-, root, root)
|
|
%{_includedir}/%{name}/
|
|
%{_includedir}/ssl
|
|
%{_libdir}/libcrypto.a
|
|
%{_libdir}/libssl.a
|
|
%{_libdir}/libcrypto.so
|
|
%{_libdir}/libssl.so
|
|
%_libdir/pkgconfig/libcrypto.pc
|
|
%_libdir/pkgconfig/libssl.pc
|
|
%_libdir/pkgconfig/openssl.pc
|
|
|
|
%files doc -f filelist.doc
|
|
%defattr(-, root, root)
|
|
%doc doc/* demos
|
|
%doc showciphers.c
|
|
|
|
%files -f filelist
|
|
%defattr(-, root, root)
|
|
%doc CHANGE* INSTAL* AVAILABLE_CIPHERS
|
|
%doc LICENSE NEWS README README.SuSE
|
|
%dir %{ssletcdir}
|
|
%config (noreplace) %{ssletcdir}/openssl.cnf
|
|
%attr(700,root,root) %{ssletcdir}/private
|
|
%dir %{_datadir}/ssl
|
|
%{_datadir}/ssl/misc
|
|
%{_bindir}/c_rehash
|
|
%{_bindir}/%{name}
|
|
|
|
%files certs
|
|
%defattr(-, root, root)
|
|
%{ssletcdir}/certs
|
|
|
|
%changelog
|
|
* Wed May 21 2008 cthiel@suse.de
|
|
- fix baselibs.conf
|
|
* Tue Apr 22 2008 mkoenig@suse.de
|
|
- add -DMD32_REG_T=int for x86_64 and ia64 [bnc#381844]
|
|
* Thu Apr 10 2008 ro@suse.de
|
|
- added baselibs.conf file to build xxbit packages
|
|
for multilib support
|
|
* Mon Nov 05 2007 mkoenig@suse.de
|
|
- fix Diffie-Hellman failure with certain prime lengths
|
|
* Mon Oct 22 2007 mkoenig@suse.de
|
|
- update to version 0.9.8g:
|
|
* fix some bugs introduced with 0.9.8f
|
|
* Mon Oct 15 2007 mkoenig@suse.de
|
|
- update to version 0.9.8f:
|
|
* fixes CVE-2007-3108, CVE-2007-5135, CVE-2007-4995
|
|
- patches merged upstream:
|
|
openssl-0.9.8-key_length.patch
|
|
openssl-CVE-2007-3108-bug296511
|
|
openssl-CVE-2007-5135.patch
|
|
openssl-gcc42.patch
|
|
openssl-gcc42_b.patch
|
|
openssl-s390-config.diff
|
|
* Mon Oct 01 2007 mkoenig@suse.de
|
|
- fix buffer overflow CVE-2007-5135 [#329208]
|
|
* Wed Sep 05 2007 mkoenig@suse.de
|
|
- fix another gcc 4.2 build problem [#307669]
|
|
* Fri Aug 03 2007 coolo@suse.de
|
|
- provide the version obsoleted (#293401)
|
|
* Wed Aug 01 2007 werner@suse.de
|
|
- Add patch from CVS for RSA key reconstruction vulnerability
|
|
(CVE-2007-3108, VU#724968, bug #296511)
|
|
* Thu May 24 2007 mkoenig@suse.de
|
|
- fix build with gcc-4.2
|
|
openssl-gcc42.patch
|
|
- do not install example scripts with executable permissions
|
|
* Mon Apr 30 2007 ro@suse.de
|
|
- adapt requires
|
|
* Fri Apr 27 2007 mkoenig@suse.de
|
|
- Do not use dots in package name
|
|
- explicitly build with gcc-4.1 because of currently unresolved
|
|
failures with gcc-4.2
|
|
* Wed Apr 25 2007 mkoenig@suse.de
|
|
- Split/rename package to follow library packaging policy [#260219]
|
|
New package libopenssl0.9.8 containing shared libs
|
|
openssl-devel package renamed to libopenssl-devel
|
|
New package openssl-certs containing certificates
|
|
- add zlib-devel to Requires of devel package
|
|
- remove old Obsoletes and Conflicts
|
|
openssls (Last used Nov 2000)
|
|
ssleay (Last used 6.2)
|
|
* Mon Apr 23 2007 mkoenig@suse.de
|
|
- Fix key length [#254905,#262477]
|
|
* Tue Mar 06 2007 mkoenig@suse.de
|
|
- update to version 0.9.8e:
|
|
* patches merged upstream:
|
|
openssl-CVE-2006-2940-fixup.patch
|
|
openssl-0.9.8d-padlock-static.patch
|
|
* Tue Jan 09 2007 mkoenig@suse.de
|
|
- fix PadLock support [#230823]
|
|
* Thu Nov 30 2006 mkoenig@suse.de
|
|
- enable fix for CVE-2006-2940 [#223040], SWAMP-ID 7198
|
|
* Mon Nov 06 2006 poeml@suse.de
|
|
- configure with 'zlib' instead of 'zlib-dynamic'. Build with the
|
|
latter, there are problems opening the libz when running on the
|
|
Via Epia or vmware platforms. [#213305]
|
|
* Wed Oct 04 2006 poeml@suse.de
|
|
- add patch for the CVE-2006-2940 fix: the newly introduced limit
|
|
on DH modulus size could lead to a crash when exerted. [#208971]
|
|
Discovered and fixed after the 0.9.8d release.
|
|
* Fri Sep 29 2006 poeml@suse.de
|
|
- update to 0.9.8d
|
|
*) Introduce limits to prevent malicious keys being able to
|
|
cause a denial of service. (CVE-2006-2940)
|
|
*) Fix ASN.1 parsing of certain invalid structures that can result
|
|
in a denial of service. (CVE-2006-2937)
|
|
*) Fix buffer overflow in SSL_get_shared_ciphers() function.
|
|
(CVE-2006-3738)
|
|
*) Fix SSL client code which could crash if connecting to a
|
|
malicious SSLv2 server. (CVE-2006-4343)
|
|
*) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites
|
|
match only those. Before that, "AES256-SHA" would be interpreted
|
|
as a pattern and match "AES128-SHA" too (since AES128-SHA got
|
|
the same strength classification in 0.9.7h) as we currently only
|
|
have a single AES bit in the ciphersuite description bitmap.
|
|
That change, however, also applied to ciphersuite strings such as
|
|
"RC4-MD5" that intentionally matched multiple ciphersuites --
|
|
namely, SSL 2.0 ciphersuites in addition to the more common ones
|
|
from SSL 3.0/TLS 1.0.
|
|
So we change the selection algorithm again: Naming an explicit
|
|
ciphersuite selects this one ciphersuite, and any other similar
|
|
ciphersuite (same bitmap) from *other* protocol versions.
|
|
Thus, "RC4-MD5" again will properly select both the SSL 2.0
|
|
ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite.
|
|
Since SSL 2.0 does not have any ciphersuites for which the
|
|
128/256 bit distinction would be relevant, this works for now.
|
|
The proper fix will be to use different bits for AES128 and
|
|
AES256, which would have avoided the problems from the beginning;
|
|
however, bits are scarce, so we can only do this in a new release
|
|
(not just a patchlevel) when we can change the SSL_CIPHER
|
|
definition to split the single 'unsigned long mask' bitmap into
|
|
multiple values to extend the available space.
|
|
- not in mentioned in CHANGES: patch for CVE-2006-4339 corrected
|
|
[openssl.org #1397]
|
|
* Fri Sep 08 2006 schwab@suse.de
|
|
- Fix inverted logic.
|
|
* Wed Sep 06 2006 poeml@suse.de
|
|
- update to 0.9.8c
|
|
Changes between 0.9.8b and 0.9.8c [05 Sep 2006]
|
|
*) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
|
|
(CVE-2006-4339) [Ben Laurie and Google Security Team]
|
|
*) Add AES IGE and biIGE modes. [Ben Laurie]
|
|
*) Change the Unix randomness entropy gathering to use poll() when
|
|
possible instead of select(), since the latter has some
|
|
undesirable limitations. [Darryl Miles via Richard Levitte and Bodo Moeller]
|
|
*) Disable "ECCdraft" ciphersuites more thoroughly. Now special
|
|
treatment in ssl/ssl_ciph.s makes sure that these ciphersuites
|
|
cannot be implicitly activated as part of, e.g., the "AES" alias.
|
|
However, please upgrade to OpenSSL 0.9.9[-dev] for
|
|
non-experimental use of the ECC ciphersuites to get TLS extension
|
|
support, which is required for curve and point format negotiation
|
|
to avoid potential handshake problems. [Bodo Moeller]
|
|
*) Disable rogue ciphersuites:
|
|
- SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
|
|
- SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
|
|
- SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
|
|
The latter two were purportedly from
|
|
draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
|
|
appear there.
|
|
Also deactive the remaining ciphersuites from
|
|
draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
|
|
unofficial, and the ID has long expired. [Bodo Moeller]
|
|
*) Fix RSA blinding Heisenbug (problems sometimes occured on
|
|
dual-core machines) and other potential thread-safety issues.
|
|
[Bodo Moeller]
|
|
*) Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
|
|
versions), which is now available for royalty-free use
|
|
(see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html).
|
|
Also, add Camellia TLS ciphersuites from RFC 4132.
|
|
To minimize changes between patchlevels in the OpenSSL 0.9.8
|
|
series, Camellia remains excluded from compilation unless OpenSSL
|
|
is configured with 'enable-camellia'. [NTT]
|
|
*) Disable the padding bug check when compression is in use. The padding
|
|
bug check assumes the first packet is of even length, this is not
|
|
necessarily true if compresssion is enabled and can result in false
|
|
positives causing handshake failure. The actual bug test is ancient
|
|
code so it is hoped that implementations will either have fixed it by
|
|
now or any which still have the bug do not support compression.
|
|
[Steve Henson]
|
|
Changes between 0.9.8a and 0.9.8b [04 May 2006]
|
|
*) When applying a cipher rule check to see if string match is an explicit
|
|
cipher suite and only match that one cipher suite if it is. [Steve Henson]
|
|
*) Link in manifests for VC++ if needed. [Austin Ziegler <halostatue@gmail.com>]
|
|
*) Update support for ECC-based TLS ciphersuites according to
|
|
draft-ietf-tls-ecc-12.txt with proposed changes (but without
|
|
TLS extensions, which are supported starting with the 0.9.9
|
|
branch, not in the OpenSSL 0.9.8 branch). [Douglas Stebila]
|
|
*) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support
|
|
opaque EVP_CIPHER_CTX handling. [Steve Henson]
|
|
*) Fixes and enhancements to zlib compression code. We now only use
|
|
"zlib1.dll" and use the default __cdecl calling convention on Win32
|
|
to conform with the standards mentioned here:
|
|
http://www.zlib.net/DLL_FAQ.txt
|
|
Static zlib linking now works on Windows and the new --with-zlib-include
|
|
--with-zlib-lib options to Configure can be used to supply the location
|
|
of the headers and library. Gracefully handle case where zlib library
|
|
can't be loaded. [Steve Henson]
|
|
*) Several fixes and enhancements to the OID generation code. The old code
|
|
sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't
|
|
handle numbers larger than ULONG_MAX, truncated printing and had a
|
|
non standard OBJ_obj2txt() behaviour. [Steve Henson]
|
|
*) Add support for building of engines under engine/ as shared libraries
|
|
under VC++ build system. [Steve Henson]
|
|
*) Corrected the numerous bugs in the Win32 path splitter in DSO.
|
|
Hopefully, we will not see any false combination of paths any more.
|
|
[Richard Levitte]
|
|
- enable Camellia cipher. There is a royalty free license to the
|
|
patents, see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html.
|
|
NOTE: the license forbids patches to the cipher.
|
|
- build with zlib-dynamic and add zlib-devel to BuildRequires.
|
|
Allows compression of data in TLS, although few application would
|
|
actually use it since there is no standard for negotiating the
|
|
compression method. The only one I know if is stunnel.
|
|
* Fri Jun 02 2006 poeml@suse.de
|
|
- fix built-in ENGINESDIR for 64 bit architectures. We change only
|
|
the builtin search path for engines, not the path where engines
|
|
are packaged. Path can be overridden with the OPENSSL_ENGINES
|
|
environment variable. [#179094]
|
|
* Wed Jan 25 2006 mls@suse.de
|
|
- converted neededforbuild to BuildRequires
|
|
* Mon Jan 16 2006 mc@suse.de
|
|
- fix build problems on s390x (openssl-s390-config.diff)
|
|
- build with -fstack-protector
|
|
* Mon Nov 07 2005 dmueller@suse.de
|
|
- build with non-executable stack
|
|
* Thu Oct 20 2005 poeml@suse.de
|
|
- fix unguarded free() which can cause a segfault in the ca
|
|
commandline app [#128655]
|
|
* Thu Oct 13 2005 poeml@suse.de
|
|
- add Geotrusts Equifax Root1 CA certificate, which needed to
|
|
verify the authenticity of you.novell.com [#121966]
|
|
* Tue Oct 11 2005 poeml@suse.de
|
|
- update to 0.9.8a
|
|
*) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
|
|
(part of SSL_OP_ALL). This option used to disable the
|
|
countermeasure against man-in-the-middle protocol-version
|
|
rollback in the SSL 2.0 server implementation, which is a bad
|
|
idea. (CAN-2005-2969)
|
|
*) Add two function to clear and return the verify parameter flags.
|
|
*) Keep cipherlists sorted in the source instead of sorting them at
|
|
runtime, thus removing the need for a lock.
|
|
*) Avoid some small subgroup attacks in Diffie-Hellman.
|
|
*) Add functions for well-known primes.
|
|
*) Extended Windows CE support.
|
|
*) Initialize SSL_METHOD structures at compile time instead of during
|
|
runtime, thus removing the need for a lock.
|
|
*) Make PKCS7_decrypt() work even if no certificate is supplied by
|
|
attempting to decrypt each encrypted key in turn. Add support to
|
|
smime utility.
|
|
* Thu Sep 29 2005 poeml@suse.de
|
|
- update to 0.9.8
|
|
see CHANGES file or http://www.openssl.org/news/changelog.html
|
|
- adjust patches
|
|
- drop obsolete openssl-no-libc.diff
|
|
- disable libica patch until it has been ported
|
|
* Fri May 20 2005 poeml@suse.de
|
|
- update to 0.9.7g. The significant changes are:
|
|
*) Fixes for newer kerberos headers. NB: the casts are needed because
|
|
the 'length' field is signed on one version and unsigned on another
|
|
with no (?) obvious way to tell the difference, without these VC++
|
|
complains. Also the "definition" of FAR (blank) is no longer included
|
|
nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up
|
|
some needed definitions.
|
|
*) Added support for proxy certificates according to RFC 3820.
|
|
Because they may be a security thread to unaware applications,
|
|
they must be explicitely allowed in run-time. See
|
|
docs/HOWTO/proxy_certificates.txt for further information.
|
|
* Tue May 17 2005 schwab@suse.de
|
|
- Include %%cflags_profile_generate in ${CC} since it is required for
|
|
linking as well.
|
|
- Remove explicit reference to libc.
|
|
* Fri Apr 08 2005 poeml@suse.de
|
|
- update to 0.9.7f. The most significant changes are:
|
|
o Several compilation issues fixed.
|
|
o Many memory allocation failure checks added.
|
|
o Improved comparison of X509 Name type.
|
|
o Mandatory basic checks on certificates.
|
|
o Performance improvements.
|
|
(for a complete list see http://www.openssl.org/source/exp/CHANGES)
|
|
- adjust openssl-0.9.7f-ppc64.diff
|
|
- drop obsolete openssl-0.9.7d-crl-default_md.dif [#55435]
|
|
* Tue Jan 04 2005 poeml@suse.de
|
|
- update to 0.9.7e
|
|
*) Avoid a race condition when CRLs are checked in a multi
|
|
threaded environment. This would happen due to the reordering
|
|
of the revoked entries during signature checking and serial
|
|
number lookup. Now the encoding is cached and the serial
|
|
number sort performed under a lock. Add new STACK function
|
|
sk_is_sorted().
|
|
*) Add Delta CRL to the extension code.
|
|
*) Various fixes to s3_pkt.c so alerts are sent properly.
|
|
*) Reduce the chances of duplicate issuer name and serial numbers
|
|
(in violation of RFC3280) using the OpenSSL certificate
|
|
creation utilities. This is done by creating a random 64 bit
|
|
value for the initial serial number when a serial number file
|
|
is created or when a self signed certificate is created using
|
|
'openssl req -x509'. The initial serial number file is created
|
|
using 'openssl x509 -next_serial' in CA.pl rather than being
|
|
initialized to 1.
|
|
- remove obsolete patches
|
|
- fix openssl-0.9.7d-padlock-glue.diff and ICA patch to patch
|
|
Makefile, not Makefile.ssl
|
|
- fixup for spaces in names of man pages not needed now
|
|
- pack /usr/bin/openssl_fips_fingerprint
|
|
- in rpm post/postun script, run /sbin/ldconfig directly (the macro
|
|
is deprecated)
|
|
* Mon Oct 18 2004 poeml@suse.de
|
|
- don't install openssl.doxy file [#45210]
|
|
* Thu Jul 29 2004 poeml@suse.de
|
|
- apply patch from CVS to fix segfault in S/MIME encryption
|
|
(http://cvs.openssl.org/chngview?cn=12081, regression in
|
|
openssl-0.9.7d) [#43386]
|
|
* Mon Jul 12 2004 mludvig@suse.cz
|
|
- Updated VIA PadLock engine.
|
|
* Wed Jun 30 2004 mludvig@suse.cz
|
|
- Updated openssl-0.9.7d-padlock-engine.diff with support for
|
|
AES192, AES256 and RNG.
|
|
* Tue Jun 15 2004 poeml@suse.de
|
|
- update IBM ICA patch to last night's version. Fixes ibmca_init()
|
|
to reset ibmca_dso=NULL after calling DSO_free(), if the device
|
|
driver could not be loaded. The bug lead to a segfault triggered
|
|
by stunnel, which does autoload available engines [#41874]
|
|
- patch from CVS: make stack API more robust (return NULL for
|
|
out-of-range indexes). Fixes another possible segfault during
|
|
engine detection (could also triggered by stunnel)
|
|
- add patch from Michal Ludvig for VIA PadLock support
|
|
* Wed Jun 02 2004 poeml@suse.de
|
|
- add root certificate for the ICP-Brasil CA [#41546]
|
|
* Thu May 13 2004 poeml@suse.de
|
|
- add patch to use default_md for CRLs too [#40435]
|
|
* Tue May 04 2004 poeml@suse.de
|
|
- update ICA patch to apr292004 release [#39695]
|
|
* Thu Mar 18 2004 poeml@suse.de
|
|
- update to 0.9.7d
|
|
o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug
|
|
(CAN-2004-0112)
|
|
o Security: Fix null-pointer assignment in do_change_cipher_spec()
|
|
(CAN-2004-0079)
|
|
o Allow multiple active certificates with same subject in CA index
|
|
o Multiple X590 verification fixes
|
|
o Speed up HMAC and other operations
|
|
- remove the hunk from openssl-0.9.6d.dif that added NO_IDEA around
|
|
IDEA_128_CBC_WITH_MD5 in the global cipher list. Upstream now has
|
|
OPENSSL_NO_IDEA around it
|
|
- [#36386] fixed (broken generation of EVP_BytesToKey.3ssl from the
|
|
pod file)
|
|
- permissions of lib/pkgconfig fixed
|
|
* Wed Feb 25 2004 poeml@suse.de
|
|
- update to 0.9.7c
|
|
*) Fix various bugs revealed by running the NISCC test suite:
|
|
Stop out of bounds reads in the ASN1 code when presented with
|
|
invalid tags (CAN-2003-0543 and CAN-2003-0544).
|
|
Free up ASN1_TYPE correctly if ANY type is invalid (CAN-2003-0545).
|
|
If verify callback ignores invalid public key errors don't try to check
|
|
certificate signature with the NULL public key.
|
|
*) New -ignore_err option in ocsp application to stop the server
|
|
exiting on the first error in a request.
|
|
*) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
|
|
if the server requested one: as stated in TLS 1.0 and SSL 3.0
|
|
specifications.
|
|
*) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
|
|
extra data after the compression methods not only for TLS 1.0
|
|
but also for SSL 3.0 (as required by the specification).
|
|
*) Change X509_certificate_type() to mark the key as exported/exportable
|
|
when it's 512 *bits* long, not 512 bytes.
|
|
*) Change AES_cbc_encrypt() so it outputs exact multiple of
|
|
blocks during encryption.
|
|
*) Various fixes to base64 BIO and non blocking I/O. On write
|
|
flushes were not handled properly if the BIO retried. On read
|
|
data was not being buffered properly and had various logic bugs.
|
|
This also affects blocking I/O when the data being decoded is a
|
|
certain size.
|
|
*) Various S/MIME bugfixes and compatibility changes:
|
|
output correct application/pkcs7 MIME type if
|
|
PKCS7_NOOLDMIMETYPE is set. Tolerate some broken signatures.
|
|
Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening
|
|
of files as .eml work). Correctly handle very long lines in MIME
|
|
parser.
|
|
- update ICA patch
|
|
quote: This version of the engine patch has updated error handling in
|
|
the DES/SHA code, and turns RSA blinding off for hardware
|
|
accelerated RSA ops.
|
|
- filenames of some man pages contain spaces now. Replace them with
|
|
underscores
|
|
- fix compiler warnings in showciphers.c
|
|
- fix permissions of /usr/%%_lib/pkgconfig
|
|
* Sat Jan 10 2004 adrian@suse.de
|
|
- add %%run_ldconfig
|
|
- remove unneeded PreRequires
|
|
* Tue Nov 18 2003 poeml@suse.de
|
|
- ditch annoying mail to root about moved locations [#31969]
|
|
* Thu Aug 14 2003 poeml@suse.de
|
|
- enable profile feedback based optimizations (except AES which
|
|
becomes slower)
|
|
- add -fno-strict-aliasing, due to warnings about code where
|
|
dereferencing type-punned pointers will break strict aliasing
|
|
- make a readlink function if readlink is not available
|
|
* Mon Aug 04 2003 ro@suse.de
|
|
- fixed manpages symlinks
|
|
* Wed Jul 30 2003 meissner@suse.de
|
|
- Fix Makefile to create pkgconfig file with lib64 on lib64 systems.
|
|
* Sun Jul 27 2003 poeml@suse.de
|
|
- don't explicitely strip binaries since RPM handles it, and may
|
|
keep the stripped information somewhere
|
|
* Tue Jul 15 2003 meissner@suse.de
|
|
- -DMD32_REG_T=int for ppc64 and s390x.
|
|
* Fri Jul 11 2003 poeml@suse.de
|
|
- update ibm ICA patch to 20030708 release (libica-1.3)
|
|
* Tue May 13 2003 poeml@suse.de
|
|
- package the openssl.pc file for pkgconfig
|
|
* Wed Apr 16 2003 poeml@suse.de
|
|
- update to 0.9.7b. The most significant changes are:
|
|
o New library section OCSP.
|
|
o Complete rewrite of ASN1 code.
|
|
o CRL checking in verify code and openssl utility.
|
|
o Extension copying in 'ca' utility.
|
|
o Flexible display options in 'ca' utility.
|
|
o Provisional support for international characters with UTF8.
|
|
o Support for external crypto devices ('engine') is no longer
|
|
a separate distribution.
|
|
o New elliptic curve library section.
|
|
o New AES (Rijndael) library section.
|
|
o Support for new platforms: Windows CE, Tandem OSS, A/UX, AIX 64-bit,
|
|
Linux x86_64, Linux 64-bit on Sparc v9
|
|
o Extended support for some platforms: VxWorks
|
|
o Enhanced support for shared libraries.
|
|
o Now only builds PIC code when shared library support is requested.
|
|
o Support for pkg-config.
|
|
o Lots of new manuals.
|
|
o Makes symbolic links to or copies of manuals to cover all described
|
|
functions.
|
|
o Change DES API to clean up the namespace (some applications link also
|
|
against libdes providing similar functions having the same name).
|
|
Provide macros for backward compatibility (will be removed in the
|
|
future).
|
|
o Unify handling of cryptographic algorithms (software and engine)
|
|
to be available via EVP routines for asymmetric and symmetric ciphers.
|
|
o NCONF: new configuration handling routines.
|
|
o Change API to use more 'const' modifiers to improve error checking
|
|
and help optimizers.
|
|
o Finally remove references to RSAref.
|
|
o Reworked parts of the BIGNUM code.
|
|
o Support for new engines: Broadcom ubsec, Accelerated Encryption
|
|
Processing, IBM 4758.
|
|
o A few new engines added in the demos area.
|
|
o Extended and corrected OID (object identifier) table.
|
|
o PRNG: query at more locations for a random device, automatic query for
|
|
EGD style random sources at several locations.
|
|
o SSL/TLS: allow optional cipher choice according to server's preference.
|
|
o SSL/TLS: allow server to explicitly set new session ids.
|
|
o SSL/TLS: support Kerberos cipher suites (RFC2712).
|
|
Only supports MIT Kerberos for now.
|
|
o SSL/TLS: allow more precise control of renegotiations and sessions.
|
|
o SSL/TLS: add callback to retrieve SSL/TLS messages.
|
|
o SSL/TLS: support AES cipher suites (RFC3268).
|
|
- adapt the ibmca patch
|
|
- remove openssl-nocrypt.diff, openssl's crypt() vanished
|
|
- configuration syntax has changed ($sys_id added before $lflags)
|
|
* Thu Feb 20 2003 poeml@suse.de
|
|
- update to bugfix release 0.9.6i:
|
|
- security fix: In ssl3_get_record (ssl/s3_pkt.c), minimize
|
|
information leaked via timing by performing a MAC computation
|
|
even if incorrrect block cipher padding has been found. This
|
|
is a countermeasure against active attacks where the attacker
|
|
has to distinguish between bad padding and a MAC verification
|
|
error. (CAN-2003-0078)
|
|
- a few more small bugfixes (mainly missing assertions)
|
|
* Fri Dec 06 2002 poeml@suse.de
|
|
- update to 0.9.6h (last release in the 0.9.6 series)
|
|
o New configuration targets for Tandem OSS and A/UX.
|
|
o New OIDs for Microsoft attributes.
|
|
o Better handling of SSL session caching.
|
|
o Better comparison of distinguished names.
|
|
o Better handling of shared libraries in a mixed GNU/non-GNU environment.
|
|
o Support assembler code with Borland C.
|
|
o Fixes for length problems.
|
|
o Fixes for uninitialised variables.
|
|
o Fixes for memory leaks, some unusual crashes and some race conditions.
|
|
o Fixes for smaller building problems.
|
|
o Updates of manuals, FAQ and other instructive documents.
|
|
- add a call to make depend
|
|
- fix sed expression (lib -> lib64) to replace multiple occurences
|
|
on one line
|
|
* Mon Nov 04 2002 stepan@suse.de
|
|
- fix openssl for alpha ev56 cpus
|
|
* Thu Oct 24 2002 poeml@suse.de
|
|
- own the /usr/share/ssl directory [#20849]
|
|
- openssl-hppa-config.diff can be applied on all architectures
|
|
* Mon Sep 30 2002 bg@suse.de
|
|
- enable hppa distribution; use only pa1.1 architecture.
|
|
* Tue Sep 17 2002 froh@suse.de
|
|
- update ibm-hardware-crypto-patch to ibmca.patch-0.96e-2 (#18953)
|
|
* Mon Aug 12 2002 poeml@suse.de
|
|
- update to 0.9.6g and drop the now included ASN1 check patch.
|
|
Other change:
|
|
- Use proper error handling instead of 'assertions' in buffer
|
|
overflow checks added in 0.9.6e. This prevents DoS (the
|
|
assertions could call abort()).
|
|
* Fri Aug 09 2002 kukuk@suse.de
|
|
- Fix requires of openssl-devel subpackage
|
|
* Tue Aug 06 2002 draht@suse.de
|
|
- Correction for changes in the ASN1 code, assembled in
|
|
openssl-0.9.6e-cvs-20020802-asn1_lib.diff
|
|
* Thu Aug 01 2002 poeml@suse.de
|
|
- update to 0.9.6e. Major changes:
|
|
o Various security fixes (sanity checks to asn1_get_length(),
|
|
various remote buffer overflows)
|
|
o new option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, disabling the
|
|
countermeasure against a vulnerability in the CBC ciphersuites
|
|
in SSL 3.0/TLS 1.0 that was added in 0.9.6d which turned out to
|
|
be incompatible with buggy SSL implementations
|
|
- update ibmca crypto hardware patch (security issues fixed)
|
|
- gcc 3.1 version detection is fixed, we can drop the patch
|
|
- move the most used man pages from the -doc to the main package
|
|
[#9913] and resolve man page conflicts by putting them into ssl
|
|
sections [#17239]
|
|
- spec file: use PreReq for %%post script
|
|
* Fri Jul 12 2002 poeml@suse.de
|
|
- update to 0.9.6d. Major changes:
|
|
o Various SSL/TLS library bugfixes.
|
|
o Fix DH parameter generation for 'non-standard' generators.
|
|
Complete Changelog: http://www.openssl.org/news/changelog.html
|
|
- supposed to fix a session caching failure occuring with postfix
|
|
- simplify local configuration for the architectures
|
|
- there's a new config variable: $shared_ldflag
|
|
- use RPM_OPT_FLAGS in favor of predifined cflags by appending them
|
|
at the end
|
|
- validate config data (config --check-sanity)
|
|
- resolve file conflict of /usr/share/man/man1/openssl.1.gz [#15982]
|
|
- move configuration to /etc/ssl [#14387]
|
|
- mark openssl.cnf %%config (noreplace)
|
|
* Sat Jul 06 2002 schwab@suse.de
|
|
- Include <crypt.h> to get crypt prototype.
|
|
* Fri Jul 05 2002 kukuk@suse.de
|
|
- Remove crypt prototype from des.h header file, too.
|
|
* Mon Jun 10 2002 meissner@suse.de
|
|
- enhanced ppc64 support (needs seperate config), reenabled make check
|
|
* Fri May 31 2002 olh@suse.de
|
|
- add ppc64 support, temporary disable make check
|
|
* Thu Apr 18 2002 meissner@suse.de
|
|
- fixed x86_64 build, added bc to needed_for_build (used by tests)
|
|
* Wed Apr 17 2002 ro@suse.de
|
|
- fixed gcc version determination
|
|
- drop sun4c support/always use sparcv8
|
|
- ignore return code from showciphers
|
|
* Fri Mar 15 2002 poeml@suse.de
|
|
- add settings for sparc to build shared objects. Note that all
|
|
sparcs (sun4[mdu]) are recognized as linux-sparcv7
|
|
* Wed Feb 06 2002 kukuk@suse.de
|
|
- Remove crypt function from libcrypto.so.0 [Bug #13056]
|
|
* Mon Feb 04 2002 poeml@suse.de
|
|
- add settings for mips to build shared objects
|
|
- print out all settings to the build log
|
|
* Tue Jan 29 2002 poeml@suse.de
|
|
- update to 0.9.6c:
|
|
o bug fixes
|
|
o support for hardware crypto devices (Cryptographic Appliances,
|
|
Broadcom, and Accelerated Encryption Processing)
|
|
- add IBMCA patch for IBM eServer Cryptographic Accelerator Device
|
|
Driver (#12565) (forward ported from 0.9.6b)
|
|
(http://www-124.ibm.com/developerworks/projects/libica/)
|
|
- tell Configure how to build shared libs for s390 and s390x
|
|
- tweak Makefile.org to use %%_libdir
|
|
- clean up spec file
|
|
- add README.SuSE as source file instead of in a patch
|
|
* Wed Dec 05 2001 uli@suse.de
|
|
- disabled "make test" for ARM (destest segfaults, the other tests
|
|
seem to succeed)
|
|
* Wed Dec 05 2001 ro@suse.de
|
|
- removed subpackage src
|
|
* Wed Nov 28 2001 uli@suse.de
|
|
- needs -ldl on ARM, too
|
|
* Mon Nov 19 2001 mls@suse.de
|
|
- made mips big endian, fixed shared library creation for mips
|
|
* Fri Aug 31 2001 rolf@suse.de
|
|
- added root certificates [BUG#9913]
|
|
- move from /usr/ssh to /usr/share/ssl
|
|
* Wed Jul 18 2001 rolf@suse.de
|
|
- update to 0.9.6b
|
|
- switch to engine version of openssl, which supports hardware
|
|
encryption for a few popular devices
|
|
- check wether shared libraries have been generated
|
|
* Thu Jul 05 2001 rolf@suse.de
|
|
- appliy PRNG security patch
|
|
* Tue Jun 12 2001 bk@suse.de
|
|
- added support for s390x
|
|
* Mon May 07 2001 kukuk@suse.de
|
|
- Fix building of shared libraries on SPARC, too.
|
|
* Mon May 07 2001 rolf@suse.de
|
|
- Fix ppc and s390 shared library builds
|
|
- resolved conflict in manpage naming:
|
|
rand.3 is now sslrand.3 [BUG#7643]
|
|
* Wed May 02 2001 schwab@suse.de
|
|
- Fix ia64 configuration.
|
|
- Fix link command.
|
|
* Thu Apr 26 2001 bjacke@suse.de
|
|
- updated to 0.96a
|
|
* Wed Apr 18 2001 kkaempf@suse.de
|
|
- provide .so files in -devel package only
|
|
* Tue Apr 17 2001 bjacke@suse.de
|
|
- resolve file name conflict (#6966)
|
|
* Wed Mar 21 2001 rolf@suse.de
|
|
- new subpackage openssl-src [BUG#6383]
|
|
- added README.SuSE which explains where to find the man pages [BUG#6717]
|
|
* Fri Dec 15 2000 sf@suse.de
|
|
- changed CFLAG to -O1 to make the tests run successfully
|
|
* Mon Dec 11 2000 rolf@suse.de
|
|
- build openssl with no-idea and no-rc5 to meet US & RSA regulations
|
|
- build with -fPIC on all platforms (especially IA64)
|
|
* Wed Nov 22 2000 rolf@suse.de
|
|
- rename openssls to openssl-devel and add shared libs and header files
|
|
- new subpackge openssl-doc for manpages and documentation
|
|
- use BuildRoot
|
|
* Fri Oct 27 2000 schwab@suse.de
|
|
- Add link-time links for libcrypto and libssl.
|
|
- Make sure that LD_LIBRARY_PATH is passed down to sub-makes.
|
|
* Mon Oct 02 2000 rolf@suse.de
|
|
- update to 0.9.6
|
|
* Tue Apr 11 2000 bk@suse.de
|
|
- fix support for s390-linux
|
|
* Mon Apr 10 2000 rolf@suse.de
|
|
- new version 0.9.5a
|
|
* Sun Apr 09 2000 bk@suse.de
|
|
- add support for s390-linux
|
|
* Mon Mar 27 2000 kukuk@suse.de
|
|
- Use sparcv7 for SPARC
|
|
* Wed Mar 01 2000 rolf@suse.de
|
|
- move manpages back, as too many conflict with system manuals
|
|
* Wed Mar 01 2000 rolf@suse.de
|
|
- move manpages to %%{_mandir}
|
|
- include static libraries
|
|
* Wed Mar 01 2000 bk@suse.de
|
|
- added subpackage source openssls, needed for ppp_ssl
|
|
* Tue Feb 29 2000 rolf@suse.de
|
|
- new version 0.9.5
|
|
* Thu Feb 24 2000 schwab@suse.de
|
|
- add support for ia64-linux
|
|
* Mon Jan 31 2000 kukuk@suse.de
|
|
- Create and add libcrypto.so.0 and libssl.so.0
|
|
* Mon Sep 13 1999 bs@suse.de
|
|
- ran old prepare_spec on spec file to switch to new prepare_spec.
|
|
* Wed Sep 01 1999 rolf@suse.de
|
|
- new version 0.9.4
|
|
* Wed May 26 1999 rolf@suse.de
|
|
- new version 0.9.3 with new layout
|
|
- alpha asm disabled by default now, no patch needed
|
|
* Thu May 20 1999 ro@suse.de
|
|
- disable asm for alpha: seems incomplete
|
|
* Mon May 17 1999 rolf@suse.de
|
|
- don't use -DNO_IDEA
|
|
* Wed May 12 1999 rolf@suse.de
|
|
- first version 0.9.2b
|