fa61203f41
- OpenSSL Security Advisory [3rd May 2016] - update to 1.0.2h (boo#977584, boo#977663) * Prevent padding oracle in AES-NI CBC MAC check A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server support AES-NI. (CVE-2016-2107, boo#977616) * Fix EVP_EncodeUpdate overflow An overflow can occur in the EVP_EncodeUpdate() function which is used for Base64 encoding of binary data. If an attacker is able to supply very large amounts of input data then a length check can overflow resulting in a heap corruption. (CVE-2016-2105, boo#977614) * Fix EVP_EncryptUpdate overflow An overflow can occur in the EVP_EncryptUpdate() function. If an attacker is able to supply very large amounts of input data after a previous call to EVP_EncryptUpdate() with a partial block then a length check can overflow resulting in a heap corruption. (CVE-2016-2106, boo#977615) * Prevent ASN.1 BIO excessive memory allocation When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio() a short invalid encoding can casuse allocation of large amounts of memory potentially consuming excessive resources or exhausting memory. (CVE-2016-2109, boo#976942) * EBCDIC overread ASN1 Strings that are over 1024 bytes can cause an overread in applications using the X509_NAME_oneline() function on EBCDIC systems. This could result in arbitrary stack data being returned in the buffer. (CVE-2016-2176, boo#978224) * Modify behavior of ALPN to invoke callback after SNI/servername (forwarded request 393446 from vitezslav_cizek) OBS-URL: https://build.opensuse.org/request/show/393456 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=132
511 lines
17 KiB
RPMSpec
511 lines
17 KiB
RPMSpec
#
|
|
# spec file for package openssl
|
|
#
|
|
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
|
|
#
|
|
# All modifications and additions to the file contributed by third parties
|
|
# remain the property of their copyright owners, unless otherwise agreed
|
|
# upon. The license for this file, and modifications and additions to the
|
|
# file, is the same license as for the pristine package itself (unless the
|
|
# license for the pristine package is not an Open Source License, in which
|
|
# case the license is the MIT License). An "Open Source License" is a
|
|
# license that conforms to the Open Source Definition (Version 1.9)
|
|
# published by the Open Source Initiative.
|
|
|
|
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
|
#
|
|
|
|
|
|
Name: openssl
|
|
BuildRequires: bc
|
|
BuildRequires: ed
|
|
BuildRequires: pkg-config
|
|
BuildRequires: zlib-devel
|
|
%define ssletcdir %{_sysconfdir}/ssl
|
|
#%define num_version %(echo "%{version}" | sed -e "s+[a-zA-Z]++g; s+_.*++g")
|
|
%define num_version 1.0.0
|
|
Provides: ssl
|
|
# bug437293
|
|
%ifarch ppc64
|
|
Obsoletes: openssl-64bit
|
|
%endif
|
|
Version: 1.0.2h
|
|
Release: 0
|
|
Summary: Secure Sockets and Transport Layer Security
|
|
License: OpenSSL
|
|
Group: Productivity/Networking/Security
|
|
Url: https://www.openssl.org/
|
|
Source: https://www.%{name}.org/source/%{name}-%{version}.tar.gz
|
|
Source42: https://www.%{name}.org/source/%{name}-%{version}.tar.gz.asc
|
|
# https://www.openssl.org/about/
|
|
# http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA2D29B7BF295C759#/%name.keyring
|
|
Source43: %name.keyring
|
|
# to get mtime of file:
|
|
Source1: openssl.changes
|
|
Source2: baselibs.conf
|
|
Source10: README.SUSE
|
|
Source11: README-FIPS.txt
|
|
Patch0: merge_from_0.9.8k.patch
|
|
Patch1: openssl-1.0.0-c_rehash-compat.diff
|
|
Patch2: bug610223.patch
|
|
%if 0%{?suse_version} >= 1120
|
|
Patch3: openssl-ocloexec.patch
|
|
%endif
|
|
Patch4: openssl-1.0.2a-padlock64.patch
|
|
# PATCH-FIX-UPSTREAM http://rt.openssl.org/Ticket/Attachment/WithHeaders/20049
|
|
Patch5: openssl-fix-pod-syntax.diff
|
|
Patch6: openssl-1.0.1e-truststore.diff
|
|
Patch7: compression_methods_switch.patch
|
|
Patch8: 0005-libssl-Hide-library-private-symbols.patch
|
|
Patch9: openssl-1.0.2a-default-paths.patch
|
|
Patch10: openssl-pkgconfig.patch
|
|
Patch13: openssl-1.0.2a-ipv6-apps.patch
|
|
Patch14: 0001-libcrypto-Hide-library-private-symbols.patch
|
|
# FIPS patches:
|
|
Patch15: openssl-1.0.2e-fips.patch
|
|
Patch16: openssl-1.0.2a-fips-ec.patch
|
|
Patch17: openssl-1.0.2a-fips-ctor.patch
|
|
Patch18: openssl-1.0.2a-new-fips-reqs.patch
|
|
Patch19: openssl-gcc-attributes.patch
|
|
Patch26: 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
|
|
Patch33: openssl-no-egd.patch
|
|
Patch34: openssl-fips-hidden.patch
|
|
Patch35: openssl-1.0.1e-add-suse-default-cipher.patch
|
|
Patch37: openssl-1.0.1e-add-test-suse-default-cipher-suite.patch
|
|
Patch38: openssl-missing_FIPS_ec_group_new_by_curve_name.patch
|
|
# FIPS patches from SLE-12
|
|
Patch50: openssl-fips_disallow_x931_rand_method.patch
|
|
Patch51: openssl-fips_disallow_ENGINE_loading.patch
|
|
Patch52: openssl-fips_RSA_compute_d_with_lcm.patch
|
|
Patch53: openssl-rsakeygen-minimum-distance.patch
|
|
Patch54: openssl-urandom-reseeding.patch
|
|
Patch55: openssl-fips-rsagen-d-bits.patch
|
|
Patch56: openssl-fips-selftests_in_nonfips_mode.patch
|
|
Patch57: openssl-fips-fix-odd-rsakeybits.patch
|
|
Patch58: openssl-fips-clearerror.patch
|
|
Patch59: openssl-fips-dont-fall-back-to-default-digest.patch
|
|
|
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
|
|
|
%description
|
|
The OpenSSL Project is a collaborative effort to develop a robust,
|
|
commercial-grade, full-featured, and open source toolkit implementing
|
|
the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS
|
|
v1) protocols with full-strength cryptography. The project is managed
|
|
by a worldwide community of volunteers that use the Internet to
|
|
communicate, plan, and develop the OpenSSL toolkit and its related
|
|
documentation.
|
|
|
|
Derivation and License
|
|
|
|
OpenSSL is based on the excellent SSLeay library developed by Eric A.
|
|
Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an
|
|
Apache-style license, which basically means that you are free to get it
|
|
and to use it for commercial and noncommercial purposes.
|
|
|
|
%package -n libopenssl1_0_0
|
|
Summary: Secure Sockets and Transport Layer Security
|
|
License: OpenSSL
|
|
Group: Productivity/Networking/Security
|
|
Recommends: ca-certificates-mozilla
|
|
# bug437293
|
|
%ifarch ppc64
|
|
Obsoletes: openssl-64bit
|
|
%endif
|
|
#
|
|
|
|
%description -n libopenssl1_0_0
|
|
The OpenSSL Project is a collaborative effort to develop a robust,
|
|
commercial-grade, full-featured, and open source toolkit implementing
|
|
the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS
|
|
v1) protocols with full-strength cryptography. The project is managed
|
|
by a worldwide community of volunteers that use the Internet to
|
|
communicate, plan, and develop the OpenSSL toolkit and its related
|
|
documentation.
|
|
|
|
Derivation and License
|
|
|
|
OpenSSL is based on the excellent SSLeay library developed by Eric A.
|
|
Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an
|
|
Apache-style license, which basically means that you are free to get it
|
|
and to use it for commercial and noncommercial purposes.
|
|
|
|
%package -n libopenssl-devel
|
|
Summary: Include Files and Libraries mandatory for Development
|
|
License: OpenSSL
|
|
Group: Development/Libraries/C and C++
|
|
Obsoletes: openssl-devel < %{version}
|
|
Requires: %name = %version
|
|
Requires: libopenssl1_0_0 = %{version}
|
|
Requires: zlib-devel
|
|
Provides: openssl-devel = %{version}
|
|
# bug437293
|
|
%ifarch ppc64
|
|
Obsoletes: openssl-devel-64bit
|
|
%endif
|
|
#
|
|
|
|
%description -n libopenssl-devel
|
|
This package contains all necessary include files and libraries needed
|
|
to develop applications that require these.
|
|
|
|
%package -n libopenssl1_0_0-hmac
|
|
Summary: HMAC files for FIPS-140-2 integrity checking of the openssl shared libraries
|
|
License: BSD-3-Clause
|
|
Group: Productivity/Networking/Security
|
|
Requires: libopenssl1_0_0 = %{version}-%{release}
|
|
|
|
%description -n libopenssl1_0_0-hmac
|
|
The FIPS compliant operation of the openssl shared libraries is NOT
|
|
possible without the HMAC hashes contained in this package!
|
|
|
|
%package doc
|
|
Summary: Additional Package Documentation
|
|
License: OpenSSL
|
|
Group: Productivity/Networking/Security
|
|
%if 0%{?suse_version} >= 1140
|
|
BuildArch: noarch
|
|
%endif
|
|
|
|
%description doc
|
|
This package contains optional documentation provided in addition to
|
|
this package's base documentation.
|
|
|
|
%prep
|
|
%setup -q
|
|
%patch0 -p1
|
|
%patch1 -p1
|
|
%patch2 -p1
|
|
%patch4 -p1
|
|
%patch5 -p1
|
|
%patch6 -p1
|
|
%patch7 -p1
|
|
%patch9 -p1
|
|
%patch10 -p1
|
|
%patch13 -p1
|
|
%patch15 -p1
|
|
%patch16 -p1
|
|
%patch17 -p1
|
|
%patch18 -p1
|
|
%patch19 -p1
|
|
%patch26 -p1
|
|
%patch33 -p1
|
|
%patch34 -p1
|
|
%patch35 -p1
|
|
%patch37 -p1
|
|
%patch38 -p1
|
|
%patch50 -p1
|
|
%patch51 -p1
|
|
%patch52 -p1
|
|
%patch53 -p1
|
|
%patch54 -p1
|
|
%patch55 -p1
|
|
%patch56 -p1
|
|
%patch57 -p1
|
|
%patch58 -p1
|
|
%patch59 -p1
|
|
%if 0%{?suse_version} >= 1120
|
|
%patch3
|
|
%endif
|
|
%patch8 -p1
|
|
%patch14 -p1
|
|
cp -p %{S:10} .
|
|
cp -p %{S:11} .
|
|
echo "adding/overwriting some entries in the 'table' hash in Configure"
|
|
# $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags
|
|
export DSO_SCHEME='dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::'
|
|
cat <<EOF_ED | ed -s Configure
|
|
/^);
|
|
-
|
|
i
|
|
#
|
|
# local configuration added from specfile
|
|
# ... MOST of those are now correct in openssl's Configure already,
|
|
# so only add them for new ports!
|
|
#
|
|
#config-string, $cc:$cflags:$unistd:$thread_cflag:$sys_id:$lflags:$bn_ops:$cpuid_obj:$bn_obj:$des_obj:$aes_obj:$bf_obj:$md5_obj:$sha1_obj:$cast_obj:$rc4_obj:$rmd160_obj:$rc5_obj:$wp_obj:$cmll_obj:$dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags:$multilib
|
|
#"linux-elf", "gcc:-DL_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG \${x86_gcc_des} \${x86_gcc_opts}:\${x86_elf_asm}:$DSO_SCHEME:",
|
|
#"linux-ia64", "gcc:-DL_ENDIAN -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:\${ia64_asm}: $DSO_SCHEME:",
|
|
#"linux-ppc", "gcc:-DB_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:\${no_asm}: $DSO_SCHEME:",
|
|
#"linux-ppc64", "gcc:-DB_ENDIAN -DMD32_REG_T=int::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL SIXTY_FOUR_BIT_LONG:\${no_asm}: $DSO_SCHEME:64",
|
|
"linux-elf-arm","gcc:-DL_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG:\${no_asm}: $DSO_SCHEME:",
|
|
"linux-mips", "gcc:-DB_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:\${no_asm}: $DSO_SCHEME:",
|
|
"linux-sparcv7","gcc:-DB_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:\${no_asm}: $DSO_SCHEME:",
|
|
#"linux-sparcv8","gcc:-DB_ENDIAN -DBN_DIV2W -mv8 ::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::asm/sparcv8.o::::::::::::: $DSO_SCHEME:",
|
|
#"linux-x86_64", "gcc:-DL_ENDIAN -DNO_ASM -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG:\${no_asm}: $DSO_SCHEME:64",
|
|
#"linux-s390", "gcc:-DB_ENDIAN ::(unknown): :-ldl:BN_LLONG:\${no_asm}: $DSO_SCHEME:",
|
|
#"linux-s390x", "gcc:-DB_ENDIAN -DNO_ASM -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG:\${no_asm}: $DSO_SCHEME:64",
|
|
"linux-parisc", "gcc:-DB_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR DES_PTR DES_UNROLL DES_RISC1:\${no_asm}: $DSO_SCHEME:",
|
|
.
|
|
wq
|
|
EOF_ED
|
|
# fix ENGINESDIR path
|
|
sed -i 's,/lib/engines,/%_lib/engines,' Configure
|
|
|
|
%build
|
|
|
|
%if 0%{suse_version} >= 1230
|
|
find -type f -name "*.c" -exec sed -i -e "s@getenv@secure_getenv@g" {} +
|
|
%endif
|
|
|
|
%ifarch armv5el armv5tel
|
|
export MACHINE=armv5el
|
|
%endif
|
|
%ifarch armv6l armv6hl
|
|
export MACHINE=armv6l
|
|
%endif
|
|
./config --test-sanity
|
|
#
|
|
config_flags="threads shared no-rc5 no-idea \
|
|
fips \
|
|
%if 0%{suse_version} > 1310
|
|
no-ssl2 \
|
|
no-ssl3 \
|
|
enable-rfc3779 \
|
|
%endif
|
|
%ifarch x86_64 aarch64 ppc64le
|
|
%if 0%{?suse_version} < 1010 || 0%{?suse_version} > 1020
|
|
enable-ec_nistp_64_gcc_128 \
|
|
%endif
|
|
%endif
|
|
enable-camellia \
|
|
zlib \
|
|
no-ec2m \
|
|
--prefix=%{_prefix} \
|
|
--libdir=%{_lib} \
|
|
--openssldir=%{ssletcdir} \
|
|
$RPM_OPT_FLAGS -O3 -std=gnu99 \
|
|
-Wa,--noexecstack \
|
|
-Wl,-z,relro,-z,now \
|
|
-fno-common \
|
|
-DTERMIO \
|
|
-DPURIFY \
|
|
-D_GNU_SOURCE \
|
|
-DOPENSSL_NO_BUF_FREELISTS \
|
|
$(getconf LFS_CFLAGS) \
|
|
-Wall "
|
|
|
|
#
|
|
#%{!?do_profiling:%define do_profiling 0}
|
|
#%if %do_profiling
|
|
# # generate feedback
|
|
# ./config $config_flags
|
|
# make depend CC="gcc %cflags_profile_generate"
|
|
# make CC="gcc %cflags_profile_generate"
|
|
# LD_LIBRARY_PATH=`pwd` make rehash CC="gcc %cflags_profile_generate"
|
|
# LD_LIBRARY_PATH=`pwd` make test CC="gcc %cflags_profile_generate"
|
|
# LD_LIBRARY_PATH=`pwd` apps/openssl speed
|
|
# make clean
|
|
# # compile with feedback
|
|
# # but not if it makes a cipher slower:
|
|
# #find crypto/aes -name '*.da' | xargs -r rm
|
|
# ./config $config_flags %cflags_profile_feedback
|
|
# make depend
|
|
# make
|
|
# LD_LIBRARY_PATH=`pwd` make rehash
|
|
# LD_LIBRARY_PATH=`pwd` make test
|
|
#%else
|
|
# OpenSSL relies on uname -m (not good). Thus that little sparc line.
|
|
./config \
|
|
%ifarch sparc64
|
|
linux64-sparcv9 \
|
|
%endif
|
|
$config_flags
|
|
|
|
# Record mtime of changes file instead of build time to make build-compare work
|
|
make PERL=perl -C crypto buildinf.h
|
|
CHANGES=`stat --format="%y" %SOURCE1`
|
|
cat crypto/buildinf.h
|
|
sed -i -e "s|#define DATE .*|#define DATE \"built on: $CHANGES\"|" crypto/buildinf.h
|
|
cat crypto/buildinf.h
|
|
|
|
make depend
|
|
make
|
|
LD_LIBRARY_PATH=`pwd` make rehash
|
|
# for FIPS mode testing; the same hashes are being created later just before
|
|
# the wrap-up of the files into the package.
|
|
# These files are just there for the make test below...
|
|
crypto/fips/fips_standalone_hmac libcrypto.so.1.0.0 > .libcrypto.so.1.0.0.hmac
|
|
crypto/fips/fips_standalone_hmac libssl.so.1.0.0 > .libssl.so.1.0.0.hmac
|
|
export MALLOC_CHECK_=3
|
|
export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
|
|
LD_LIBRARY_PATH=`pwd` make test FIPSCANLIB=""
|
|
%ifnarch armv4l
|
|
LD_LIBRARY_PATH=`pwd` make test
|
|
%endif
|
|
#%endif
|
|
# show settings
|
|
make TABLE
|
|
echo $RPM_OPT_FLAGS
|
|
eval $(egrep PLATFORM='[[:alnum:]]' Makefile)
|
|
grep -B1 -A22 "^\*\*\* $PLATFORM$" TABLE
|
|
|
|
%install
|
|
rm -rf $RPM_BUILD_ROOT
|
|
make MANDIR=%{_mandir} INSTALL_PREFIX=$RPM_BUILD_ROOT install
|
|
cp -a crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT/usr/bin/fips_standalone_hmac
|
|
ln -sf ./%{name} $RPM_BUILD_ROOT/%{_includedir}/ssl
|
|
mkdir $RPM_BUILD_ROOT/%{_datadir}/ssl
|
|
mv $RPM_BUILD_ROOT/%{ssletcdir}/misc $RPM_BUILD_ROOT/%{_datadir}/ssl/
|
|
# ln -s %{ssletcdir}/private $RPM_BUILD_ROOT/%{_datadir}/ssl/private
|
|
# ln -s %{ssletcdir}/openssl.cnf $RPM_BUILD_ROOT/%{_datadir}/ssl/openssl.cnf
|
|
#
|
|
|
|
# avoid file conflicts with man pages from other packages
|
|
#
|
|
pushd $RPM_BUILD_ROOT/%{_mandir}
|
|
# some man pages now contain spaces. This makes several scripts go havoc, among them /usr/sbin/Check.
|
|
# replace spaces by underscores
|
|
#for i in man?/*\ *; do mv -v "$i" "${i// /_}"; done
|
|
which readlink &>/dev/null || function readlink { ( set +x; target=$(file $1 2>/dev/null); target=${target//* }; test -f $target && echo $target; ) }
|
|
for i in man?/*; do
|
|
if test -L $i ; then
|
|
LDEST=`readlink $i`
|
|
rm -f $i ${i}ssl
|
|
ln -sf ${LDEST}ssl ${i}ssl
|
|
else
|
|
mv $i ${i}ssl
|
|
fi
|
|
case "$i" in
|
|
*.1)
|
|
# these are the pages mentioned in openssl(1). They go into the main package.
|
|
echo %doc %{_mandir}/${i}ssl.gz >> $OLDPWD/filelist;;
|
|
*)
|
|
# the rest goes into the openssl-doc package.
|
|
echo %doc %{_mandir}/${i}ssl.gz >> $OLDPWD/filelist.doc;;
|
|
esac
|
|
done
|
|
popd
|
|
#
|
|
# check wether some shared library has been installed
|
|
#
|
|
ls -l $RPM_BUILD_ROOT%{_libdir}
|
|
test -f $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{num_version}
|
|
test -f $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{num_version}
|
|
test -L $RPM_BUILD_ROOT%{_libdir}/libssl.so
|
|
test -L $RPM_BUILD_ROOT%{_libdir}/libcrypto.so
|
|
#
|
|
# see what we've got
|
|
#
|
|
cat > showciphers.c <<EOF
|
|
#include <openssl/err.h>
|
|
#include <openssl/ssl.h>
|
|
int main(){
|
|
unsigned int i;
|
|
SSL_CTX *ctx;
|
|
SSL *ssl;
|
|
SSL_METHOD *meth;
|
|
meth = SSLv23_client_method();
|
|
SSLeay_add_ssl_algorithms();
|
|
ctx = SSL_CTX_new(meth);
|
|
if (ctx == NULL) return 0;
|
|
ssl = SSL_new(ctx);
|
|
if (!ssl) return 0;
|
|
for (i=0; ; i++) {
|
|
int j, k;
|
|
SSL_CIPHER *sc;
|
|
sc = (meth->get_cipher)(i);
|
|
if (!sc) break;
|
|
k = SSL_CIPHER_get_bits(sc, &j);
|
|
printf("%s\n", sc->name);
|
|
}
|
|
return 0;
|
|
};
|
|
EOF
|
|
gcc $RPM_OPT_FLAGS -I${RPM_BUILD_ROOT}%{_includedir} -c showciphers.c
|
|
gcc -o showciphers showciphers.o -L${RPM_BUILD_ROOT}%{_libdir} -lssl -lcrypto
|
|
LD_LIBRARY_PATH=${RPM_BUILD_ROOT}%{_libdir} ./showciphers > AVAILABLE_CIPHERS || true
|
|
cat AVAILABLE_CIPHERS
|
|
# Do not install demo scripts executable under /usr/share/doc
|
|
find demos -type f -perm /111 -exec chmod 644 {} \;
|
|
|
|
# the hmac hashes:
|
|
#
|
|
# this is a hack that re-defines the __os_install_post macro
|
|
# for a simple reason: the macro strips the binaries and thereby
|
|
# invalidates a HMAC that may have been created earlier.
|
|
# solution: create the hashes _after_ the macro runs.
|
|
#
|
|
# this shows up earlier because otherwise the %expand of
|
|
# the macro is too late.
|
|
# remark: This is the same as running
|
|
# openssl dgst -sha256 -hmac 'ppaksykemnsecgtsttplmamstKMEs'
|
|
%{expand:%%global __os_install_post {%__os_install_post
|
|
|
|
$RPM_BUILD_ROOT/usr/bin/fips_standalone_hmac \
|
|
$RPM_BUILD_ROOT/%{_lib}/libssl.so.%{num_version} > \
|
|
$RPM_BUILD_ROOT/%{_lib}/.libssl.so.%{num_version}.hmac
|
|
|
|
$RPM_BUILD_ROOT/usr/bin/fips_standalone_hmac \
|
|
$RPM_BUILD_ROOT/%{_lib}/libcrypto.so.%{num_version} > \
|
|
$RPM_BUILD_ROOT/%{_lib}/.libcrypto.so.%{num_version}.hmac
|
|
|
|
}}
|
|
|
|
#process openssllib
|
|
mkdir $RPM_BUILD_ROOT/%{_lib}
|
|
mv $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{num_version} $RPM_BUILD_ROOT/%{_lib}/
|
|
mv $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{num_version} $RPM_BUILD_ROOT/%{_lib}/
|
|
mv $RPM_BUILD_ROOT%{_libdir}/engines $RPM_BUILD_ROOT/%{_lib}/
|
|
cd $RPM_BUILD_ROOT%{_libdir}/
|
|
ln -sf /%{_lib}/libssl.so.%{num_version} ./libssl.so
|
|
ln -sf /%{_lib}/libcrypto.so.%{num_version} ./libcrypto.so
|
|
|
|
for engine in 4758cca atalla nuron sureware ubsec cswift chil aep gmp capi; do
|
|
rm %{buildroot}/%{_lib}/engines/lib$engine.so
|
|
done
|
|
|
|
%ifnarch %{ix86} x86_64
|
|
rm %{buildroot}/%{_lib}/engines/libpadlock.so
|
|
%endif
|
|
|
|
%clean
|
|
if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi
|
|
|
|
%post -n libopenssl1_0_0 -p /sbin/ldconfig
|
|
|
|
%postun -n libopenssl1_0_0 -p /sbin/ldconfig
|
|
|
|
%files -n libopenssl1_0_0
|
|
%defattr(-, root, root)
|
|
/%{_lib}/libssl.so.%{num_version}
|
|
/%{_lib}/libcrypto.so.%{num_version}
|
|
/%{_lib}/engines
|
|
|
|
%files -n libopenssl1_0_0-hmac
|
|
%defattr(-, root, root)
|
|
/%{_lib}/.libssl.so.%{num_version}.hmac
|
|
/%{_lib}/.libcrypto.so.%{num_version}.hmac
|
|
|
|
%files -n libopenssl-devel
|
|
%defattr(-, root, root)
|
|
%{_includedir}/%{name}/
|
|
%{_includedir}/ssl
|
|
%exclude %{_libdir}/libcrypto.a
|
|
%exclude %{_libdir}/libssl.a
|
|
%{_libdir}/libssl.so
|
|
%{_libdir}/libcrypto.so
|
|
%_libdir/pkgconfig/libcrypto.pc
|
|
%_libdir/pkgconfig/libssl.pc
|
|
%_libdir/pkgconfig/openssl.pc
|
|
|
|
%files doc -f filelist.doc
|
|
%defattr(-, root, root)
|
|
%doc doc/* demos
|
|
%doc showciphers.c
|
|
|
|
%files -f filelist
|
|
%defattr(-, root, root)
|
|
%doc CHANGE* INSTAL* AVAILABLE_CIPHERS
|
|
%doc LICENSE NEWS README README.SUSE README-FIPS.txt
|
|
%dir %{ssletcdir}
|
|
%config (noreplace) %{ssletcdir}/openssl.cnf
|
|
%attr(700,root,root) %{ssletcdir}/private
|
|
%dir %{_datadir}/ssl
|
|
%{_datadir}/ssl/misc
|
|
%{_bindir}/c_rehash
|
|
%{_bindir}/fips_standalone_hmac
|
|
%{_bindir}/%{name}
|
|
|
|
%changelog
|