openssl: Update to 1.1.0g

This patch adds a compat package for openssl 1.0.2 which will be dropped when 1.0.2 is EOL. We leave the headers here because there will be applications that can't be built against openssl 1.1.0, yet. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2018-01-29 10:29:44 +00:00 · 2018-01-29 10:29:44 +00:00 · 41388a6339
parent 3d8ec84d15
commit 41388a6339
14 changed files with 494 additions and 87 deletions
--- a/compat-openssl/compat-openssl.nm
+++ b/compat-openssl/compat-openssl.nm
@ -0,0 +1,147 @@
+###############################################################################
+# IPFire.org    - An Open Source Firewall Solution                            #
+# Copyright (C) - IPFire Development Team <info@ipfire.org>                   #
+###############################################################################
+
+name       = compat-openssl
+version    = 1.0.2n
+release    = 1
+thisapp    = openssl-%{version}
+
+maintainer = Michael Tremer <michael.tremer@ipfire.org>
+groups     = System/Libraries
+url        = http://www.openssl.org/
+license    = OpenSSL
+summary    = A general purpose cryptography library with TLS implementation.
+
+description
+	The OpenSSL toolkit provides support for secure communications between
+	machines. OpenSSL includes a certificate management tool and shared
+	libraries which provide various cryptographic algorithms and protocols.
+end
+
+source_dl  = http://openssl.org/source/
+
+build
+	requires
+		bc
+		gnutls-devel
+		perl
+		util-linux
+		zlib-devel
+	end
+
+	CFLAGS += -DPURIFY
+	export RPM_OPT_FLAGS = %{CFLAGS} %{LDFLAGS}
+
+	prepare_cmds
+		sed -e 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' \
+			-i crypto/opensslv.h
+
+		find crypto/ -name Makefile -exec \
+			sed 's/^ASFLAGS=/&-Wa,--noexecstack /' -i {} \;
+
+		# Generate a table with the compile settings for my perusal.
+		touch Makefile
+		make TABLE PERL=/usr/bin/perl
+	end
+
+	# Set default ssl_arch.
+	ssl_arch = linux-%{DISTRO_ARCH}
+
+	if "%{DISTRO_ARCH}" == "i686"
+		# 386 implies no-sse2
+		ssl_arch = linux-elf no-asm 386
+	end
+
+	if "%{DISTRO_ARCH}" == "armv5tel"
+		ssl_arch = linux-armv4
+	end
+
+	if "%{DISTRO_ARCH}" == "armv7hl"
+		ssl_arch = linux-armv4
+	end
+
+	build
+		./Configure \
+			--prefix=/usr \
+			--openssldir=/etc/pki/tls \
+			--enginesdir=%{libdir}/openssl/engines \
+			shared \
+			zlib-dynamic \
+			enable-camellia \
+			enable-md2 \
+			enable-seed \
+			enable-tlsext \
+			enable-rfc3779 \
+			no-idea \
+			no-mdc2 \
+			no-rc5 \
+			no-ec2m \
+			no-srp \
+			-DSSL_FORBID_ENULL \
+			 %{ssl_arch}
+
+		# Build.
+		make depend
+		make all
+
+		# Generate hashes for the included certs.
+		make rehash
+	end
+
+	test
+		# Revert ca-dir patch. Otherwise the tests will fail.
+		patch -Np1 -R < %{DIR_PATCHES}/openssl-1.0.0-beta4-ca-dir.patch
+
+		make test
+	end
+
+	install
+		make install INSTALL_PREFIX=%{BUILDROOT}
+
+		# Remove man pages
+		rm -rfv %{BUILDROOT}%{sysconfdir}/pki/tls/man %{BUILDROOT}/usr/share/man*
+
+		# Remove configuration files
+		rm -rfv %{BUILDROOT}%{sysconfdir}/pki
+
+		# Remove engines
+		rm -rfv %{BUILDROOT}%{libdir}/{engines,openssl}
+
+		# Remove binaries
+		rm -rfv %{BUILDROOT}%{bindir}
+	end
+end
+
+packages
+	package %{name}
+		requires
+			ca-certificates
+		end
+
+		provides
+			openssl = %{thisver}
+		end
+
+		obsoletes
+			openssl <= %{thisver}
+		end
+	end
+
+	package %{name}-devel
+		template DEVEL
+
+		provides
+			openssl-devel = %{thisver}
+		end
+
+		obsoletes
+			openssl-devel <= %{thisver}
+		end
+	end
+
+	package %{name}-debuginfo
+		template DEBUGINFO
+	end
+end
--- a/compat-openssl/openssl.cnf
+++ b/compat-openssl/openssl.cnf
--- a/compat-openssl/patches/openssl-0.9.8a-no-rpath.patch
+++ b/compat-openssl/patches/openssl-0.9.8a-no-rpath.patch
--- a/compat-openssl/patches/openssl-1.0.0-beta4-ca-dir.patch
+++ b/compat-openssl/patches/openssl-1.0.0-beta4-ca-dir.patch
--- a/compat-openssl/patches/openssl-1.0.0-beta5-enginesdir.patch
+++ b/compat-openssl/patches/openssl-1.0.0-beta5-enginesdir.patch
--- a/compat-openssl/patches/openssl-1.0.2a-version.patch
+++ b/compat-openssl/patches/openssl-1.0.2a-version.patch
--- a/compat-openssl/patches/openssl-1.0.2e-rpmbuild.patch
+++ b/compat-openssl/patches/openssl-1.0.2e-rpmbuild.patch
@ -1,6 +1,6 @@
-diff -up openssl-1.0.2c/Configure.rpmbuild openssl-1.0.2c/Configure
--- openssl-1.0.2c/Configure.rpmbuild	2015-06-12 16:51:21.000000000 +0200
-+++ openssl-1.0.2c/Configure	2015-06-15 17:22:52.598496680 +0200
+diff -up openssl-1.0.2e/Configure.rpmbuild openssl-1.0.2e/Configure
+--- openssl-1.0.2e/Configure.rpmbuild	2015-12-03 15:04:23.000000000 +0100
+++ openssl-1.0.2e/Configure	2015-12-04 13:20:22.996835604 +0100
@@ -365,8 +365,8 @@ my %table=(
 ####
 # *-generic* is endian-neutral target, but ./config is free to
@ -12,7 +12,7 @@ diff -up openssl-1.0.2c/Configure.rpmbuild openssl-1.0.2c/Configure
 
 #######################################################################
 # Note that -march is not among compiler options in below linux-armv4
-@@ -395,30 +395,30 @@ my %table=(
+@@ -395,31 +395,31 @@ my %table=(
 #
 #       ./Configure linux-armv4 -march=armv6 -D__ARM_MAX_ARCH__=8
 #
@ -40,7 +40,7 @@ diff -up openssl-1.0.2c/Configure.rpmbuild openssl-1.0.2c/Configure
 -"linux-ppc64",	"gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 -"linux-ppc64le","gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",
 -"linux-ia64",	"gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-generic64","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
+"linux-generic64","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
 +"linux-ppc64",	"gcc:-m64 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
 +"linux-ppc64le","gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
 +"linux-ia64",	"gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
@ -48,6 +48,7 @@ diff -up openssl-1.0.2c/Configure.rpmbuild openssl-1.0.2c/Configure
 -"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 +"linux-x86_64",	"gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
 "linux-x86_64-clang",	"clang: -m64 -DL_ENDIAN -O3 -Wall -Wextra $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+ "debug-linux-x86_64-clang",	"clang: -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -g -Wall -Wextra $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 "linux-x86_64-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 "linux-x32",	"gcc:-mx32 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32",
 -"linux64-s390x",	"gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
@ -55,7 +56,7 @@ diff -up openssl-1.0.2c/Configure.rpmbuild openssl-1.0.2c/Configure
 #### So called "highgprs" target for z/Architecture CPUs
 # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
 # /proc/cpuinfo. The idea is to preserve most significant bits of
-@@ -436,12 +436,12 @@ my %table=(
+@@ -437,12 +437,12 @@ my %table=(
 #### SPARC Linux setups
 # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
 # assisted with debugging of following two configs.
@ -71,7 +72,7 @@ diff -up openssl-1.0.2c/Configure.rpmbuild openssl-1.0.2c/Configure
 #### Alpha Linux with GNU C and Compaq C setups
 # Special notes:
 # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
-@@ -1764,7 +1764,7 @@ while (<IN>)
+@@ -1767,7 +1767,7 @@ while (<IN>)
 	elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
 		{
 		my $sotmp = $1;
@ -80,9 +81,9 @@ diff -up openssl-1.0.2c/Configure.rpmbuild openssl-1.0.2c/Configure
 		}
 	elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
 		{
-diff -up openssl-1.0.2c/Makefile.org.rpmbuild openssl-1.0.2c/Makefile.org
--- openssl-1.0.2c/Makefile.org.rpmbuild	2015-06-12 16:51:21.000000000 +0200
-+++ openssl-1.0.2c/Makefile.org	2015-06-15 17:19:14.874510995 +0200
+diff -up openssl-1.0.2e/Makefile.org.rpmbuild openssl-1.0.2e/Makefile.org
+--- openssl-1.0.2e/Makefile.org.rpmbuild	2015-12-03 15:04:23.000000000 +0100
+++ openssl-1.0.2e/Makefile.org	2015-12-04 13:18:44.913538616 +0100
@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
 SHLIB_MAJOR=
 SHLIB_MINOR=
@ -91,7 +92,7 @@ diff -up openssl-1.0.2c/Makefile.org.rpmbuild openssl-1.0.2c/Makefile.org
 PLATFORM=dist
 OPTIONS=
 CONFIGURE_ARGS=
-@@ -338,10 +339,9 @@ clean-shared:
+@@ -341,10 +342,9 @@ clean-shared:
 link-shared:
 	@ set -e; for i in $(SHLIBDIRS); do \
 		$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
@ -103,7 +104,7 @@ diff -up openssl-1.0.2c/Makefile.org.rpmbuild openssl-1.0.2c/Makefile.org
 	done
 
 build-shared: do_$(SHLIB_TARGET) link-shared
-@@ -352,7 +352,7 @@ do_$(SHLIB_TARGET):
+@@ -355,7 +355,7 @@ do_$(SHLIB_TARGET):
 			libs="$(LIBKRB5) $$libs"; \
 		fi; \
 		$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
--- a/openssl/openssl.nm
+++ b/openssl/openssl.nm
@ -4,8 +4,8 @@
 ###############################################################################

 name       = openssl
-version    = 1.0.2d
-release    = 4
+version    = 1.1.0g
+release    = 1

 maintainer = Michael Tremer <michael.tremer@ipfire.org>
 groups     = System/Libraries
@ -23,36 +23,37 @@ source_dl  = http://openssl.org/source/

 build
 	requires
-		bc
-		gnutls-devel
+		ca-certificates
+		coreutils
 		perl
-		util-linux
+		perl(Math::BigInt)
+		perl(Module::Load::Conditional)
+		perl(Test::Harness)
+		perl(Test::More)
+		sed
 		zlib-devel
 	end

-	CFLAGS += -DPURIFY
-	export RPM_OPT_FLAGS = %{CFLAGS} %{LDFLAGS}
+	export HASHBANGPERL = %{bindir}/perl

-	prepare_cmds
-		sed -e 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' \
-			-i crypto/opensslv.h
-
-		find crypto/ -name Makefile -exec \
-			sed 's/^ASFLAGS=/&-Wa,--noexecstack /' -i {} \;
-
-		# Generate a table with the compile settings for my perusal.
-		touch Makefile
-		make TABLE PERL=/usr/bin/perl
-	end
+	CFLAGS += -DPURIFY -Wa,--noexecstack

 	# Set default ssl_arch.
 	ssl_arch = linux-%{DISTRO_ARCH}

+	if "%{DISTRO_ARCH}" == "x86_64"
+		ssl_arch += enable-ec_nistp_64_gcc_128
+	end
+
 	if "%{DISTRO_ARCH}" == "i686"
 		# 386 implies no-sse2
 		ssl_arch = linux-elf no-asm 386
 	end

+	if "%{DISTRO_ARCH}" == "aarch64"
+		ssl_arch += enable-ec_nistp_64_gcc_128
+	end
+
 	if "%{DISTRO_ARCH}" == "armv5tel"
 		ssl_arch = linux-armv4
 	end
@ -63,84 +64,63 @@ build

 	build
 		./Configure \
-			--prefix=/usr \
-			--openssldir=/etc/pki/tls \
-			--enginesdir=%{libdir}/openssl/engines \
+			--prefix=%{prefix} \
+			--openssldir=%{sysconfdir}/pki/tls \
 			shared \
-			zlib-dynamic \
+			zlib \
 			enable-camellia \
-			enable-md2 \
 			enable-seed \
-			enable-tlsext \
 			enable-rfc3779 \
-			no-idea \
-			no-mdc2 \
+			enable-ssl3 \
+			enable-ssl3-method \
+			no-rc4 \
 			no-rc5 \
-			no-ec2m \
-			no-srp \
-			-DSSL_FORBID_ENULL \
-			 %{ssl_arch}
+			%{ssl_arch} \
+			${CFLAGS} \
+			${LDFLAGS}

-		# Build.
-		make depend
+		util/mkdef.pl crypto update
 		make all

-		# Generate hashes for the included certs.
-		make rehash
+		# Clean up the .pc files
+		for i in libcrypto.pc libssl.pc openssl.pc; do
+			sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i
+		done
 	end

 	test
 		# Revert ca-dir patch. Otherwise the tests will fail.
-		patch -Np1 -R < %{DIR_PATCHES}/openssl-1.0.0-beta4-ca-dir.patch
+		patch -Np1 -R < %{DIR_PATCHES}/openssl-1.1.0-ca-dir.patch

 		make test
 	end

 	install
-		make install build-shared INSTALL_PREFIX=%{BUILDROOT}
-
-		# Install manpages do right place
-		mkdir -pv %{BUILDROOT}/usr/share
-		mv -v %{BUILDROOT}/etc/pki/tls/man %{BUILDROOT}/usr/share/
-
-		if [ -d "%{BUILDROOT}%{libdir}/engines" ]; then
-			mkdir -pv %{BUILDROOT}%{libdir}/openssl
-			mv -v %{BUILDROOT}%{libdir}/engines %{BUILDROOT}%{libdir}/openssl
-		fi
-
-		mkdir -pv %{BUILDROOT}/etc/pki/CA/private
-		chmod -v 700 -R %{BUILDROOT}/etc/pki/CA
-
-		mkdir -pv %{BUILDROOT}/etc/pki/tls
-		install -m 0644 %{DIR_SOURCE}/openssl.cnf %{BUILDROOT}/etc/pki/tls
-		cp -v -r certs %{BUILDROOT}/etc/pki/tls
+		make install DESTDIR=%{BUILDROOT}

 		# Rename man pages so that they don't conflict with other system man pages.
 		pushd %{BUILDROOT}%{mandir}
-		for m in $(find . -type f | xargs grep -L '#include'); do
-			d="${m%/*}"
-			d="${d#./}"
-			m="${m##*/}"
-			[[ ${m} == openssl.1* ]] && continue
-			[[ -n "$(find -L "${d}" -type l)" ]] && exit 1
-			mv ${d}/{,ssl-}${m}
-
-			# fix up references to renamed man pages
-			sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' "${d}/ssl-${m}"
-			ln -s "ssl-${m}" "${d}/openssl-${m}"
-
-			# locate any symlinks that point to this man page ... we assume
-			# that any broken links are due to the above renaming
-			for s in $(find -L "${d}" -type l); do
-				s="${s##*/}"
-				rm -f "${d}/${s}"
-				ln -s "ssl-${m}" "${d}/ssl-${s}"
-				ln -s "ssl-${s}" "${d}/openssl-${s}"
-			done
+		ln -svf config.5 man5/openssl.cnf.5
+		for manpage in man*/*; do
+			if [ -L "${manpage}" ]; then
+				TARGET=$(ls -l "${manpage}" | awk '{ print $NF }')
+				ln -snf "${TARGET}ssl" "${manpage}ssl"
+				rm -f "${manpage}"
+			else
+				mv ${manpage} ${manpage}ssl
+			fi
+		done
+		for conflict in passwd rand; do
+			rename ${conflict} ssl${conflict} man*/${conflict}*
+			ln -svf ssl${conflict}.1ssl %{BUILDROOT}%{mandir}/man1/openssl-${conflict}.1ssl
 		done
-
-		[[ -n "$(find -L "${d}" -type l)" ]] && exit 1 # "broken manpage links found :("
 		popd
+
+		# Remove dist config
+		rm -vf %{BUILDROOT}%{sysconfdir}/pki/tls/openssl.cnf.dist
+
+		# Move executable stuff to %{bindir}
+		mv -v %{BUILDROOT}%{sysconfdir}/pki/tls/misc/{CA.pl,tsget} %{BUILDROOT}%{bindir}
 	end
 end

@ -156,7 +136,7 @@ packages

 		conflicts += %{name} < %{thisver}

-		files += %{libdir}/openssl
+		files += %{libdir}/openssl %{libdir}/engines*
 	end

 	package %{name}-devel
--- a/openssl/patches/openssl-1.1.0-build.patch
+++ b/openssl/patches/openssl-1.1.0-build.patch
@ -0,0 +1,73 @@
+diff -up openssl-1.1.0f/Configurations/unix-Makefile.tmpl.build openssl-1.1.0f/Configurations/unix-Makefile.tmpl
+--- openssl-1.1.0f/Configurations/unix-Makefile.tmpl.build	2017-06-02 13:51:39.621289504 +0200
+++ openssl-1.1.0f/Configurations/unix-Makefile.tmpl	2017-06-02 13:54:45.298654812 +0200
+@@ -553,7 +553,7 @@ uninstall_runtime:
+ install_man_docs:
+ 	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+ 	@echo "*** Installing manpages"
+-	$(PERL) $(SRCDIR)/util/process_docs.pl \
+	TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
+ 		--destdir=$(DESTDIR)$(MANDIR) --type=man --suffix=$(MANSUFFIX)
+ 
+ uninstall_man_docs:
+@@ -565,7 +565,7 @@ uninstall_man_docs:
+ install_html_docs:
+ 	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+ 	@echo "*** Installing HTML manpages"
+-	$(PERL) $(SRCDIR)/util/process_docs.pl \
+	TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
+ 		--destdir=$(DESTDIR)$(HTMLDIR) --type=html
+ 
+ uninstall_html_docs:
+diff -up openssl-1.1.0f/Configurations/10-main.conf.build openssl-1.1.0f/Configurations/10-main.conf
+--- openssl-1.1.0f/Configurations/10-main.conf.build	2017-05-25 14:46:17.000000000 +0200
+++ openssl-1.1.0f/Configurations/10-main.conf	2017-06-02 13:51:39.622289528 +0200
+@@ -662,6 +662,7 @@ sub vms_info {
+         cflags           => add("-m64 -DL_ENDIAN"),
+         perlasm_scheme   => "linux64le",
+         shared_ldflag    => add("-m64"),
+        multilib         => "64",
+     },
+ 
+     "linux-armv4" => {
+@@ -702,6 +703,7 @@ sub vms_info {
+     "linux-aarch64" => {
+         inherit_from     => [ "linux-generic64", asm("aarch64_asm") ],
+         perlasm_scheme   => "linux64",
+        multilib         => "64",
+     },
+     "linux-arm64ilp32" => {  # https://wiki.linaro.org/Platform/arm64-ilp32
+         inherit_from     => [ "linux-generic32", asm("aarch64_asm") ],
+diff -up openssl-1.1.0g/test/evptests.txt.build openssl-1.1.0g/test/evptests.txt
+--- openssl-1.1.0g/test/evptests.txt.build	2017-11-02 15:29:05.000000000 +0100
+++ openssl-1.1.0g/test/evptests.txt	2017-11-03 16:37:01.253671494 +0100
+@@ -3707,14 +3707,6 @@ MCowBQYDK2VuAyEA3p7bfXt9wbTTW2HC7OQ1Nz+D
+ 
+ PrivPubKeyPair = Bob-25519:Bob-25519-PUBLIC
+ 
+-Derive=Alice-25519
+-PeerKey=Bob-25519-PUBLIC
+-SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742
+-
+-Derive=Bob-25519
+-PeerKey=Alice-25519-PUBLIC
+-SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742
+-
+ # Illegal sign/verify operations with X25519 key
+ 
+ Sign=Alice-25519
+@@ -3727,6 +3719,14 @@ Result = KEYOP_INIT_ERROR
+ Function = EVP_PKEY_verify_init
+ Reason = operation not supported for this keytype
+ 
+Derive=Alice-25519
+PeerKey=Bob-25519-PUBLIC
+SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742
+
+Derive=Bob-25519
+PeerKey=Alice-25519-PUBLIC
+SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742
+
+ ## ECDH Tests: test with randomly generated keys for all the listed curves
+ 
+ 
--- a/openssl/patches/openssl-1.1.0-ca-dir.patch
+++ b/openssl/patches/openssl-1.1.0-ca-dir.patch
@ -0,0 +1,24 @@
+diff -up openssl-1.1.0-pre5/apps/CA.pl.in.ca-dir openssl-1.1.0-pre5/apps/CA.pl.in
+--- openssl-1.1.0-pre5/apps/CA.pl.in.ca-dir	2016-07-18 15:19:40.118110405 +0200
+++ openssl-1.1.0-pre5/apps/CA.pl.in	2016-07-18 15:21:06.531061337 +0200
+@@ -26,7 +26,7 @@ my $X509 = "$openssl x509";
+ my $PKCS12 = "$openssl pkcs12";
+ 
+ # default openssl.cnf file has setup as per the following
+-my $CATOP = "./demoCA";
+my $CATOP = "/etc/pki/CA";
+ my $CAKEY = "cakey.pem";
+ my $CAREQ = "careq.pem";
+ my $CACERT = "cacert.pem";
+diff -up openssl-1.1.0-pre5/apps/openssl.cnf.ca-dir openssl-1.1.0-pre5/apps/openssl.cnf
+--- openssl-1.1.0-pre5/apps/openssl.cnf.ca-dir	2016-07-18 15:19:40.114110315 +0200
+++ openssl-1.1.0-pre5/apps/openssl.cnf	2016-07-18 15:19:48.492299467 +0200
+@@ -39,7 +39,7 @@ default_ca	= CA_default		# The default c
+ ####################################################################
+ [ CA_default ]
+ 
+-dir		= ./demoCA		# Where everything is kept
+dir		= /etc/pki/CA		# Where everything is kept
+ certs		= $dir/certs		# Where the issued certs are kept
+ crl_dir		= $dir/crl		# Where the issued crl are kept
+ database	= $dir/index.txt	# database index file.
--- a/openssl/patches/openssl-1.1.0-defaults.patch
+++ b/openssl/patches/openssl-1.1.0-defaults.patch
@ -0,0 +1,51 @@
+diff -up openssl-1.1.0-pre5/apps/openssl.cnf.defaults openssl-1.1.0-pre5/apps/openssl.cnf
+--- openssl-1.1.0-pre5/apps/openssl.cnf.defaults	2016-04-19 16:57:52.000000000 +0200
+++ openssl-1.1.0-pre5/apps/openssl.cnf	2016-07-18 14:22:08.252691017 +0200
+@@ -72,7 +72,7 @@ cert_opt 	= ca_default		# Certificate fi
+ 
+ default_days	= 365			# how long to certify for
+ default_crl_days= 30			# how long before next CRL
+-default_md	= default		# use public key default MD
+default_md	= sha256		# use SHA-256 by default
+ preserve	= no			# keep passed DN ordering
+ 
+ # A few difference way of specifying how similar the request should look
+@@ -104,6 +104,7 @@ emailAddress		= optional
+ ####################################################################
+ [ req ]
+ default_bits		= 2048
+default_md		= sha256
+ default_keyfile 	= privkey.pem
+ distinguished_name	= req_distinguished_name
+ attributes		= req_attributes
+@@ -126,17 +127,18 @@ string_mask = utf8only
+ 
+ [ req_distinguished_name ]
+ countryName			= Country Name (2 letter code)
+-countryName_default		= AU
+countryName_default		= XX
+ countryName_min			= 2
+ countryName_max			= 2
+ 
+ stateOrProvinceName		= State or Province Name (full name)
+-stateOrProvinceName_default	= Some-State
+#stateOrProvinceName_default	= Default Province
+ 
+ localityName			= Locality Name (eg, city)
+localityName_default		= Default City
+ 
+ 0.organizationName		= Organization Name (eg, company)
+-0.organizationName_default	= Internet Widgits Pty Ltd
+0.organizationName_default	= Default Company Ltd
+ 
+ # we can do this but it is not needed normally :-)
+ #1.organizationName		= Second Organization Name (eg, company)
+@@ -145,7 +147,7 @@ localityName			= Locality Name (eg, city
+ organizationalUnitName		= Organizational Unit Name (eg, section)
+ #organizationalUnitName_default	=
+ 
+-commonName			= Common Name (e.g. server FQDN or YOUR name)
+commonName			= Common Name (eg, your name or your server\'s hostname)
+ commonName_max			= 64
+ 
+ emailAddress			= Email Address
--- a/openssl/patches/openssl-1.1.0-disable-ssl3.patch
+++ b/openssl/patches/openssl-1.1.0-disable-ssl3.patch
@ -0,0 +1,86 @@
+diff -up openssl-1.1.0f/apps/s_client.c.disable-ssl3 openssl-1.1.0f/apps/s_client.c
+--- openssl-1.1.0f/apps/s_client.c.disable-ssl3	2017-06-05 15:42:44.838853312 +0200
+++ openssl-1.1.0f/apps/s_client.c	2017-07-17 14:50:06.468821871 +0200
+@@ -1486,6 +1486,9 @@ int s_client_main(int argc, char **argv)
+     if (sdebug)
+         ssl_ctx_security_debug(ctx, sdebug);
+ 
+    if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
+        SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
+
+     if (ssl_config) {
+         if (SSL_CTX_config(ctx, ssl_config) == 0) {
+             BIO_printf(bio_err, "Error using configuration \"%s\"\n",
+diff -up openssl-1.1.0f/apps/s_server.c.disable-ssl3 openssl-1.1.0f/apps/s_server.c
+--- openssl-1.1.0f/apps/s_server.c.disable-ssl3	2017-05-25 14:46:18.000000000 +0200
+++ openssl-1.1.0f/apps/s_server.c	2017-07-17 14:49:50.434447583 +0200
+@@ -1614,6 +1614,10 @@ int s_server_main(int argc, char *argv[]
+     }
+     if (sdebug)
+         ssl_ctx_security_debug(ctx, sdebug);
+
+    if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
+        SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
+
+     if (ssl_config) {
+         if (SSL_CTX_config(ctx, ssl_config) == 0) {
+             BIO_printf(bio_err, "Error using configuration \"%s\"\n",
+diff -up openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.0/ssl/ssl_lib.c
+--- openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3	2016-08-25 17:29:22.000000000 +0200
+++ openssl-1.1.0/ssl/ssl_lib.c	2016-09-08 11:08:05.252082263 +0200
+@@ -2470,6 +2470,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+      * or by using the SSL_CONF library.
+      */
+     ret->options |= SSL_OP_NO_COMPRESSION;
+    /*
+     * Disable SSLv3 by default.  Applications can
+     * re-enable it by configuring
+     * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
+     * or by using the SSL_CONF library.
+     */
+    ret->options |= SSL_OP_NO_SSLv3;
+ 
+     ret->tlsext_status_type = -1;
+ 
+diff -up openssl-1.1.0/test/ssl_test.c.disable-ssl3 openssl-1.1.0/test/ssl_test.c
+--- openssl-1.1.0/test/ssl_test.c.disable-ssl3	2016-09-08 11:08:05.252082263 +0200
+++ openssl-1.1.0/test/ssl_test.c	2016-09-08 11:11:44.802005886 +0200
+@@ -258,6 +258,7 @@ static int execute_test(SSL_TEST_FIXTURE
+             SSL_TEST_SERVERNAME_CB_NONE) {
+             server2_ctx = SSL_CTX_new(TLS_server_method());
+             TEST_check(server2_ctx != NULL);
+            SSL_CTX_clear_options(server2_ctx, SSL_OP_NO_SSLv3);
+         }
+         client_ctx = SSL_CTX_new(TLS_client_method());
+ 
+@@ -266,11 +267,15 @@ static int execute_test(SSL_TEST_FIXTURE
+             resume_client_ctx = SSL_CTX_new(TLS_client_method());
+             TEST_check(resume_server_ctx != NULL);
+             TEST_check(resume_client_ctx != NULL);
+            SSL_CTX_clear_options(resume_server_ctx, SSL_OP_NO_SSLv3);
+            SSL_CTX_clear_options(resume_client_ctx, SSL_OP_NO_SSLv3);
+         }
+     }
+ 
+     TEST_check(server_ctx != NULL);
+     TEST_check(client_ctx != NULL);
+    SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3);
+    SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3);
+ 
+     TEST_check(CONF_modules_load(conf, fixture.test_app, 0) > 0);
+ 
+diff -up openssl-1.1.0/test/ssltest_old.c.disable-ssl3 openssl-1.1.0/test/ssltest_old.c
+--- openssl-1.1.0/test/ssltest_old.c.disable-ssl3	2016-08-25 17:29:23.000000000 +0200
+++ openssl-1.1.0/test/ssltest_old.c	2016-09-08 11:08:05.253082286 +0200
+@@ -1456,6 +1456,11 @@ int main(int argc, char *argv[])
+         ERR_print_errors(bio_err);
+         goto end;
+     }
+
+    SSL_CTX_clear_options(c_ctx, SSL_OP_NO_SSLv3);
+    SSL_CTX_clear_options(s_ctx, SSL_OP_NO_SSLv3);
+    SSL_CTX_clear_options(s_ctx2, SSL_OP_NO_SSLv3);
+
+     /*
+      * Since we will use low security ciphersuites and keys for testing set
+      * security level to zero by default. Tests can override this by adding
--- a/openssl/patches/openssl-1.1.0-no-html.patch
+++ b/openssl/patches/openssl-1.1.0-no-html.patch
@ -0,0 +1,12 @@
+diff -up openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.nohtml openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl
+--- openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.no-html	2016-04-19 16:57:52.000000000 +0200
+++ openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl	2016-07-18 13:58:55.060106243 +0200
+@@ -288,7 +288,7 @@ install_sw: all install_dev install_engi
+ 
+ uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev
+ 
+-install_docs: install_man_docs install_html_docs
+install_docs: install_man_docs
+ 
+ uninstall_docs: uninstall_man_docs uninstall_html_docs
+ 	$(RM) -r -v $(DESTDIR)$(DOCDIR)
--- a/openssl/patches/openssl-1.1.0g-tests.patch
+++ b/openssl/patches/openssl-1.1.0g-tests.patch
@ -0,0 +1,33 @@
+--- openssl-1.1.0g/test/recipes/40-test_rehash.t~	2018-01-28 19:08:01.151912658 +0000
+++ openssl-1.1.0g/test/recipes/40-test_rehash.t	2018-01-28 19:09:19.408454430 +0000
+@@ -23,7 +23,7 @@
+ plan skip_all => "test_rehash is not available on this platform"
+     unless run(app(["openssl", "rehash", "-help"]));
+ 
+-plan tests => 5;
+plan tests => 3;
+ 
+ indir "rehash.$$" => sub {
+     prepare();
+@@ -42,21 +42,6 @@
+        'Testing rehash operations on empty directory');
+ }, create => 1, cleanup => 1;
+ 
+-indir "rehash.$$" => sub {
+-    prepare();
+-    chmod 0500, curdir();
+-  SKIP: {
+-      if (!ok(!open(FOO, ">unwritable.txt"),
+-              "Testing that we aren't running as a privileged user, such as root")) {
+-          close FOO;
+-          skip "It's pointless to run the next test as root", 1;
+-      }
+-      isnt(run(app(["openssl", "rehash", curdir()])), 1,
+-           'Testing rehash operations on readonly directory');
+-    }
+-    chmod 0700, curdir();       # make it writable again, so cleanup works
+-}, create => 1, cleanup => 1;
+-
+ sub prepare {
+     my @pemsourcefiles = sort glob(srctop_file('test', "*.pem"));
+     my @destfiles = ();