# # spec file for package openssl-1_1 # # Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # %define ssletcdir %{_sysconfdir}/ssl %define maj_min 1.1 %define _rname openssl Name: openssl-1_1 Version: 1.1.0h Release: 0 Summary: Secure Sockets and Transport Layer Security License: OpenSSL Group: Productivity/Networking/Security Url: https://www.openssl.org/ Source: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz # to get mtime of file: Source1: %{name}.changes Source2: baselibs.conf Source42: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz.asc # https://www.openssl.org/about/ # http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA2D29B7BF295C759#/openssl.keyring Source43: %{_rname}.keyring Source99: showciphers.c # https://github.com/openssl/openssl/pull/2045 Patch0: 0001-Resume-reading-from-randfile-when-interrupted-by-a-s.patch # PATCH-FIX-OPENSUSE: upstream won't use glibc Patch1: 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch # PATCH-FIX-OPENSUSE: do not install html mans it takes ages Patch2: openssl-1.1.0-no-html.patch # PATCH-FIX-UPSTREAM: patch to allow deps and linking to static libs # needed for fips and taken from upstream Patch3: openssl-static-deps.patch Patch4: openssl-truststore.patch Patch5: openssl-pkgconfig.patch Patch6: openssl-1.0.1e-add-suse-default-cipher.patch Patch7: openssl-1.0.1e-add-test-suse-default-cipher-suite.patch Patch8: openssl-ppc64-config.patch Patch9: openssl-no-date.patch # FIPS patches: Patch51: openssl-1.1.0-fips.patch Patch52: openssl-fips-dont_run_FIPS_module_installed.patch Patch53: openssl-fips_disallow_ENGINE_loading.patch Patch54: openssl-rsakeygen-minimum-distance.patch Patch55: openssl-urandom-reseeding.patch Patch56: openssl-fips-rsagen-d-bits.patch Patch57: openssl-fips-selftests_in_nonfips_mode.patch Patch58: openssl-fips-fix-odd-rsakeybits.patch Patch59: openssl-fips-clearerror.patch Patch60: openssl-fips-dont-fall-back-to-default-digest.patch Patch61: openssl-disable_rsa_keygen_tests_with_small_modulus.patch # FATE#321518 Add support for s390x CPACF enhancements (https://fate.suse.com/321518) Patch62: 0002-crypto-modes-asm-ghash-s390x.pl-fix-gcm_gmult_4bit-K.patch Patch63: 0004-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch Patch64: 0005-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch Patch65: 0006-s390x-assembly-pack-extended-s390x-capability-vector.patch Patch66: 0007-crypto-evp-e_aes.c-add-foundations-for-extended-s390.patch Patch67: 0008-s390x-assembly-pack-extended-s390x-capability-vector.patch Patch68: 0009-crypto-aes-asm-aes-s390x.pl-add-KMA-code-path.patch Patch69: 0010-doc-man3-OPENSSL_s390xcap.pod-update-KMA.patch Patch70: 0011-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch Patch71: 0012-s390x-assembly-pack-add-KMA-code-path-for-aes-gcm.patch Patch72: 0013-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch # PATCH-FIX-UPSTREAM (boo#1084651) Patch73: 0001-Tolerate-a-Certificate-using-a-non-supported-group-o.patch BuildRequires: bc BuildRequires: ed BuildRequires: pkgconfig BuildRequires: pkgconfig(zlib) Conflicts: ssl Provides: ssl # Needed for clean upgrade path, boo#1070003 Obsoletes: openssl-1_0_0 # Needed for clean upgrade from former openssl-1_1_0, boo#1081335 Obsoletes: openssl-1_1_0 %description OpenSSL is a software library to be used in applications that need to secure communications over computer networks against eavesdropping or need to ascertain the identity of the party at the other end. OpenSSL contains an implementation of the SSL and TLS protocols. %package -n libopenssl1_1 Summary: Secure Sockets and Transport Layer Security License: OpenSSL Group: Productivity/Networking/Security Recommends: ca-certificates-mozilla # Needed for clean upgrade from former openssl-1_1_0, boo#1081335 Obsoletes: libopenssl1_1_0 %description -n libopenssl1_1 OpenSSL is a software library to be used in applications that need to secure communications over computer networks against eavesdropping or need to ascertain the identity of the party at the other end. OpenSSL contains an implementation of the SSL and TLS protocols. %package -n libopenssl-1_1-devel Summary: Development files for OpenSSL License: OpenSSL Group: Development/Libraries/C and C++ Requires: %{name} = %{version} Requires: libopenssl1_1 = %{version} Requires: pkgconfig(zlib) # we need to have around only the exact version we are able to operate with Conflicts: libopenssl-devel < %{version} Conflicts: libopenssl-devel > %{version} Conflicts: ssl-devel Provides: ssl-devel # Needed for clean upgrade from former openssl-1_1_0, boo#1081335 Obsoletes: libopenssl-1_1_0-devel %description -n libopenssl-1_1-devel This subpackage contains header files for developing applications that want to make use of the OpenSSL C API. %package -n libopenssl1_1-hmac Summary: HMAC files for FIPS-140-2 integrity checking of the openssl shared libraries License: BSD-3-Clause Group: Productivity/Networking/Security Requires: libopenssl1_1 = %{version}-%{release} # Needed for clean upgrade from former openssl-1_1_0, boo#1081335 Obsoletes: libopenssl1_1_0-hmac %description -n libopenssl1_1-hmac The FIPS compliant operation of the openssl shared libraries is NOT possible without the HMAC hashes contained in this package! %package doc Summary: Additional Package Documentation License: OpenSSL Group: Productivity/Networking/Security Conflicts: openssl-doc Provides: openssl-doc = %{version} Obsoletes: openssl-doc < %{version} BuildArch: noarch %description doc This package contains optional documentation provided in addition to this package's base documentation. %prep %setup -q -n %{_rname}-%{version} %autopatch -p1 %build %ifarch armv5el armv5tel export MACHINE=armv5el %endif %ifarch armv6l armv6hl export MACHINE=armv6l %endif ./config \ no-rc5 no-idea \ fips \ no-ssl3 \ enable-rfc3779 \ %ifarch x86_64 aarch64 ppc64le enable-ec_nistp_64_gcc_128 \ %endif enable-camellia \ zlib \ no-ec2m \ --prefix=%{_prefix} \ --libdir=%{_lib} \ --openssldir=%{ssletcdir} \ %{optflags} -std=gnu99 \ -Wa,--noexecstack \ -Wl,-z,relro,-z,now \ -fno-common \ -DTERMIO \ -DPURIFY \ -D_GNU_SOURCE \ -DOPENSSL_NO_BUF_FREELISTS \ $(getconf LFS_CFLAGS) \ -Wall util/mkdef.pl crypto update make depend %{?_smp_mflags} make all %{?_smp_mflags} %check export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) LD_LIBRARY_PATH=`pwd` make test -j1 # show cyphers gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE99} -L%{buildroot}%{_libdir} -lssl -lcrypto LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers %install %make_install %{?_smp_mflags} # kill static libs rm -f %{buildroot}%{_libdir}/lib*.a # remove the cnf.dist rm -f %{buildroot}%{_sysconfdir}/ssl/openssl.cnf.dist ln -sf ./%{_rname} %{buildroot}/%{_includedir}/ssl mkdir %{buildroot}/%{_datadir}/ssl mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl/ # avoid file conflicts with man pages from other packages # set +x pushd %{buildroot}/%{_mandir} # some man pages now contain spaces. This makes several scripts go havoc, among them /usr/sbin/Check. # replace spaces by underscores #for i in man?/*\ *; do mv -v "$i" "${i// /_}"; done which readlink &>/dev/null || function readlink { ( set +x; target=$(file $1 2>/dev/null); target=${target//* }; test -f $target && echo $target; ) } for i in man?/*; do if test -L $i ; then LDEST=`readlink $i` rm -f $i ${i}ssl ln -sf ${LDEST}ssl ${i}ssl else mv $i ${i}ssl fi case "$i" in *.1) # these are the pages mentioned in openssl(1). They go into the main package. echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist;; *) # the rest goes into the openssl-doc package. echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist.doc;; esac done popd set -x # Do not install demo scripts executable under /usr/share/doc find demos -type f -perm /111 -exec chmod 644 {} \; # Place showciphers.c for %doc macro cp %{SOURCE99} . # the hmac hashes: # # this is a hack that re-defines the __os_install_post macro # for a simple reason: the macro strips the binaries and thereby # invalidates a HMAC that may have been created earlier. # solution: create the hashes _after_ the macro runs. # # this shows up earlier because otherwise the %expand of # the macro is too late. # remark: This is the same as running # openssl dgst -sha256 -hmac 'ppaksykemnsecgtsttplmamstKMEs' %{expand:%%global __os_install_post {%__os_install_post %{buildroot}%{_bindir}/fips_standalone_hmac \ %{buildroot}%{_libdir}/libssl.so.%{maj_min} > \ %{buildroot}%{_libdir}/.libssl.so.%{maj_min}.hmac %{buildroot}%{_bindir}/fips_standalone_hmac \ %{buildroot}%{_libdir}/libcrypto.so.%{maj_min} > \ %{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.hmac }} %post -n libopenssl1_1 -p /sbin/ldconfig %postun -n libopenssl1_1 -p /sbin/ldconfig %files -n libopenssl1_1 %license LICENSE %{_libdir}/libssl.so.%{maj_min} %{_libdir}/libcrypto.so.%{maj_min} %{_libdir}/engines-%{maj_min} %files -n libopenssl1_1-hmac %{_libdir}/.libssl.so.%{maj_min}.hmac %{_libdir}/.libcrypto.so.%{maj_min}.hmac %files -n libopenssl-1_1-devel %{_includedir}/%{_rname}/ %{_includedir}/ssl %{_libdir}/libssl.so %{_libdir}/libcrypto.so %{_libdir}/pkgconfig/libcrypto.pc %{_libdir}/pkgconfig/libssl.pc %{_libdir}/pkgconfig/openssl.pc %files doc -f filelist.doc %doc doc/* demos %doc showciphers.c %files -f filelist %doc CHANGE* NEWS README %dir %{ssletcdir} %config (noreplace) %{ssletcdir}/openssl.cnf %attr(700,root,root) %{ssletcdir}/private %dir %{_datadir}/ssl %{_datadir}/ssl/misc %{_bindir}/c_rehash %{_bindir}/fips_standalone_hmac %{_bindir}/%{_rname} %changelog