openssl: Update to 1.1.0g
This patch adds a compat package for openssl 1.0.2 which will be dropped when 1.0.2 is EOL. We leave the headers here because there will be applications that can't be built against openssl 1.1.0, yet. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
parent
3d8ec84d15
commit
41388a6339
|
@ -0,0 +1,147 @@
|
|||
###############################################################################
|
||||
# IPFire.org - An Open Source Firewall Solution #
|
||||
# Copyright (C) - IPFire Development Team <info@ipfire.org> #
|
||||
###############################################################################
|
||||
|
||||
name = compat-openssl
|
||||
version = 1.0.2n
|
||||
release = 1
|
||||
thisapp = openssl-%{version}
|
||||
|
||||
maintainer = Michael Tremer <michael.tremer@ipfire.org>
|
||||
groups = System/Libraries
|
||||
url = http://www.openssl.org/
|
||||
license = OpenSSL
|
||||
summary = A general purpose cryptography library with TLS implementation.
|
||||
|
||||
description
|
||||
The OpenSSL toolkit provides support for secure communications between
|
||||
machines. OpenSSL includes a certificate management tool and shared
|
||||
libraries which provide various cryptographic algorithms and protocols.
|
||||
end
|
||||
|
||||
source_dl = http://openssl.org/source/
|
||||
|
||||
build
|
||||
requires
|
||||
bc
|
||||
gnutls-devel
|
||||
perl
|
||||
util-linux
|
||||
zlib-devel
|
||||
end
|
||||
|
||||
CFLAGS += -DPURIFY
|
||||
export RPM_OPT_FLAGS = %{CFLAGS} %{LDFLAGS}
|
||||
|
||||
prepare_cmds
|
||||
sed -e 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' \
|
||||
-i crypto/opensslv.h
|
||||
|
||||
find crypto/ -name Makefile -exec \
|
||||
sed 's/^ASFLAGS=/&-Wa,--noexecstack /' -i {} \;
|
||||
|
||||
# Generate a table with the compile settings for my perusal.
|
||||
touch Makefile
|
||||
make TABLE PERL=/usr/bin/perl
|
||||
end
|
||||
|
||||
# Set default ssl_arch.
|
||||
ssl_arch = linux-%{DISTRO_ARCH}
|
||||
|
||||
if "%{DISTRO_ARCH}" == "i686"
|
||||
# 386 implies no-sse2
|
||||
ssl_arch = linux-elf no-asm 386
|
||||
end
|
||||
|
||||
if "%{DISTRO_ARCH}" == "armv5tel"
|
||||
ssl_arch = linux-armv4
|
||||
end
|
||||
|
||||
if "%{DISTRO_ARCH}" == "armv7hl"
|
||||
ssl_arch = linux-armv4
|
||||
end
|
||||
|
||||
build
|
||||
./Configure \
|
||||
--prefix=/usr \
|
||||
--openssldir=/etc/pki/tls \
|
||||
--enginesdir=%{libdir}/openssl/engines \
|
||||
shared \
|
||||
zlib-dynamic \
|
||||
enable-camellia \
|
||||
enable-md2 \
|
||||
enable-seed \
|
||||
enable-tlsext \
|
||||
enable-rfc3779 \
|
||||
no-idea \
|
||||
no-mdc2 \
|
||||
no-rc5 \
|
||||
no-ec2m \
|
||||
no-srp \
|
||||
-DSSL_FORBID_ENULL \
|
||||
%{ssl_arch}
|
||||
|
||||
# Build.
|
||||
make depend
|
||||
make all
|
||||
|
||||
# Generate hashes for the included certs.
|
||||
make rehash
|
||||
end
|
||||
|
||||
test
|
||||
# Revert ca-dir patch. Otherwise the tests will fail.
|
||||
patch -Np1 -R < %{DIR_PATCHES}/openssl-1.0.0-beta4-ca-dir.patch
|
||||
|
||||
make test
|
||||
end
|
||||
|
||||
install
|
||||
make install INSTALL_PREFIX=%{BUILDROOT}
|
||||
|
||||
# Remove man pages
|
||||
rm -rfv %{BUILDROOT}%{sysconfdir}/pki/tls/man %{BUILDROOT}/usr/share/man*
|
||||
|
||||
# Remove configuration files
|
||||
rm -rfv %{BUILDROOT}%{sysconfdir}/pki
|
||||
|
||||
# Remove engines
|
||||
rm -rfv %{BUILDROOT}%{libdir}/{engines,openssl}
|
||||
|
||||
# Remove binaries
|
||||
rm -rfv %{BUILDROOT}%{bindir}
|
||||
end
|
||||
end
|
||||
|
||||
packages
|
||||
package %{name}
|
||||
requires
|
||||
ca-certificates
|
||||
end
|
||||
|
||||
provides
|
||||
openssl = %{thisver}
|
||||
end
|
||||
|
||||
obsoletes
|
||||
openssl <= %{thisver}
|
||||
end
|
||||
end
|
||||
|
||||
package %{name}-devel
|
||||
template DEVEL
|
||||
|
||||
provides
|
||||
openssl-devel = %{thisver}
|
||||
end
|
||||
|
||||
obsoletes
|
||||
openssl-devel <= %{thisver}
|
||||
end
|
||||
end
|
||||
|
||||
package %{name}-debuginfo
|
||||
template DEBUGINFO
|
||||
end
|
||||
end
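Review bot: The Configure option list for the 1.0.2n compat library contains no `no-ssl3`, so SSLv3 presumably stays compiled in and negotiable by default for every application linked against this package, while the 1.1.0 package in the same commit is patched to set `SSL_OP_NO_SSLv3` on new contexts. `enable-md2` likewise keeps a broken digest available. If ABI compatibility with existing 1.0.2 consumers is the reason, say so above the option list, e.g. `# SSLv3 and MD2 stay enabled only for ABI compatibility with 1.0.2 consumers`; otherwise add `no-ssl3 \` to the list. Separately, `source_dl` is plain `http://`, so the tarball's integrity rests on whatever checksum verification the build system performs, which is not visible here.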
|
|
@ -1,6 +1,6 @@
|
|||
diff -up openssl-1.0.2c/Configure.rpmbuild openssl-1.0.2c/Configure
|
||||
--- openssl-1.0.2c/Configure.rpmbuild 2015-06-12 16:51:21.000000000 +0200
|
||||
+++ openssl-1.0.2c/Configure 2015-06-15 17:22:52.598496680 +0200
|
||||
diff -up openssl-1.0.2e/Configure.rpmbuild openssl-1.0.2e/Configure
|
||||
--- openssl-1.0.2e/Configure.rpmbuild 2015-12-03 15:04:23.000000000 +0100
|
||||
+++ openssl-1.0.2e/Configure 2015-12-04 13:20:22.996835604 +0100
|
||||
@@ -365,8 +365,8 @@ my %table=(
|
||||
####
|
||||
# *-generic* is endian-neutral target, but ./config is free to
|
||||
|
@ -12,7 +12,7 @@ diff -up openssl-1.0.2c/Configure.rpmbuild openssl-1.0.2c/Configure
|
|||
|
||||
#######################################################################
|
||||
# Note that -march is not among compiler options in below linux-armv4
|
||||
@@ -395,30 +395,30 @@ my %table=(
|
||||
@@ -395,31 +395,31 @@ my %table=(
|
||||
#
|
||||
# ./Configure linux-armv4 -march=armv6 -D__ARM_MAX_ARCH__=8
|
||||
#
|
||||
|
@ -40,7 +40,7 @@ diff -up openssl-1.0.2c/Configure.rpmbuild openssl-1.0.2c/Configure
|
|||
-"linux-ppc64", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||
-"linux-ppc64le","gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",
|
||||
-"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
|
||||
+"linux-generic64","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||
+"linux-generic64","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
||||
+"linux-ppc64", "gcc:-m64 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
||||
+"linux-ppc64le","gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
||||
+"linux-ia64", "gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
|
||||
|
@ -48,6 +48,7 @@ diff -up openssl-1.0.2c/Configure.rpmbuild openssl-1.0.2c/Configure
|
|||
-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||
+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
|
||||
"linux-x86_64-clang", "clang: -m64 -DL_ENDIAN -O3 -Wall -Wextra $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||
"debug-linux-x86_64-clang", "clang: -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -g -Wall -Wextra $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||
"linux-x86_64-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||
"linux-x32", "gcc:-mx32 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32",
|
||||
-"linux64-s390x", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
|
||||
|
@ -55,7 +56,7 @@ diff -up openssl-1.0.2c/Configure.rpmbuild openssl-1.0.2c/Configure
|
|||
#### So called "highgprs" target for z/Architecture CPUs
|
||||
# "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
|
||||
# /proc/cpuinfo. The idea is to preserve most significant bits of
|
||||
@@ -436,12 +436,12 @@ my %table=(
|
||||
@@ -437,12 +437,12 @@ my %table=(
|
||||
#### SPARC Linux setups
|
||||
# Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
|
||||
# assisted with debugging of following two configs.
|
||||
|
@ -71,7 +72,7 @@ diff -up openssl-1.0.2c/Configure.rpmbuild openssl-1.0.2c/Configure
|
|||
#### Alpha Linux with GNU C and Compaq C setups
|
||||
# Special notes:
|
||||
# - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
|
||||
@@ -1764,7 +1764,7 @@ while (<IN>)
|
||||
@@ -1767,7 +1767,7 @@ while (<IN>)
|
||||
elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
|
||||
{
|
||||
my $sotmp = $1;
|
||||
|
@ -80,9 +81,9 @@ diff -up openssl-1.0.2c/Configure.rpmbuild openssl-1.0.2c/Configure
|
|||
}
|
||||
elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
|
||||
{
|
||||
diff -up openssl-1.0.2c/Makefile.org.rpmbuild openssl-1.0.2c/Makefile.org
|
||||
--- openssl-1.0.2c/Makefile.org.rpmbuild 2015-06-12 16:51:21.000000000 +0200
|
||||
+++ openssl-1.0.2c/Makefile.org 2015-06-15 17:19:14.874510995 +0200
|
||||
diff -up openssl-1.0.2e/Makefile.org.rpmbuild openssl-1.0.2e/Makefile.org
|
||||
--- openssl-1.0.2e/Makefile.org.rpmbuild 2015-12-03 15:04:23.000000000 +0100
|
||||
+++ openssl-1.0.2e/Makefile.org 2015-12-04 13:18:44.913538616 +0100
|
||||
@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
|
||||
SHLIB_MAJOR=
|
||||
SHLIB_MINOR=
|
||||
|
@ -91,7 +92,7 @@ diff -up openssl-1.0.2c/Makefile.org.rpmbuild openssl-1.0.2c/Makefile.org
|
|||
PLATFORM=dist
|
||||
OPTIONS=
|
||||
CONFIGURE_ARGS=
|
||||
@@ -338,10 +339,9 @@ clean-shared:
|
||||
@@ -341,10 +342,9 @@ clean-shared:
|
||||
link-shared:
|
||||
@ set -e; for i in $(SHLIBDIRS); do \
|
||||
$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
|
||||
|
@ -103,7 +104,7 @@ diff -up openssl-1.0.2c/Makefile.org.rpmbuild openssl-1.0.2c/Makefile.org
|
|||
done
|
||||
|
||||
build-shared: do_$(SHLIB_TARGET) link-shared
|
||||
@@ -352,7 +352,7 @@ do_$(SHLIB_TARGET):
|
||||
@@ -355,7 +355,7 @@ do_$(SHLIB_TARGET):
|
||||
libs="$(LIBKRB5) $$libs"; \
|
||||
fi; \
|
||||
$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
|
|
@ -4,8 +4,8 @@
|
|||
###############################################################################
|
||||
|
||||
name = openssl
|
||||
version = 1.0.2d
|
||||
release = 4
|
||||
version = 1.1.0g
|
||||
release = 1
|
||||
|
||||
maintainer = Michael Tremer <michael.tremer@ipfire.org>
|
||||
groups = System/Libraries
|
||||
|
@ -23,36 +23,37 @@ source_dl = http://openssl.org/source/
|
|||
|
||||
build
|
||||
requires
|
||||
bc
|
||||
gnutls-devel
|
||||
ca-certificates
|
||||
coreutils
|
||||
perl
|
||||
util-linux
|
||||
perl(Math::BigInt)
|
||||
perl(Module::Load::Conditional)
|
||||
perl(Test::Harness)
|
||||
perl(Test::More)
|
||||
sed
|
||||
zlib-devel
|
||||
end
|
||||
|
||||
CFLAGS += -DPURIFY
|
||||
export RPM_OPT_FLAGS = %{CFLAGS} %{LDFLAGS}
|
||||
export HASHBANGPERL = %{bindir}/perl
|
||||
|
||||
prepare_cmds
|
||||
sed -e 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' \
|
||||
-i crypto/opensslv.h
|
||||
|
||||
find crypto/ -name Makefile -exec \
|
||||
sed 's/^ASFLAGS=/&-Wa,--noexecstack /' -i {} \;
|
||||
|
||||
# Generate a table with the compile settings for my perusal.
|
||||
touch Makefile
|
||||
make TABLE PERL=/usr/bin/perl
|
||||
end
|
||||
CFLAGS += -DPURIFY -Wa,--noexecstack
|
||||
|
||||
# Set default ssl_arch.
|
||||
ssl_arch = linux-%{DISTRO_ARCH}
|
||||
|
||||
if "%{DISTRO_ARCH}" == "x86_64"
|
||||
ssl_arch += enable-ec_nistp_64_gcc_128
|
||||
end
|
||||
|
||||
if "%{DISTRO_ARCH}" == "i686"
|
||||
# 386 implies no-sse2
|
||||
ssl_arch = linux-elf no-asm 386
|
||||
end
|
||||
|
||||
if "%{DISTRO_ARCH}" == "aarch64"
|
||||
ssl_arch += enable-ec_nistp_64_gcc_128
|
||||
end
|
||||
|
||||
if "%{DISTRO_ARCH}" == "armv5tel"
|
||||
ssl_arch = linux-armv4
|
||||
end
|
||||
|
@ -63,84 +64,63 @@ build
|
|||
|
||||
build
|
||||
./Configure \
|
||||
--prefix=/usr \
|
||||
--openssldir=/etc/pki/tls \
|
||||
--enginesdir=%{libdir}/openssl/engines \
|
||||
--prefix=%{prefix} \
|
||||
--openssldir=%{sysconfdir}/pki/tls \
|
||||
shared \
|
||||
zlib-dynamic \
|
||||
zlib \
|
||||
enable-camellia \
|
||||
enable-md2 \
|
||||
enable-seed \
|
||||
enable-tlsext \
|
||||
enable-rfc3779 \
|
||||
no-idea \
|
||||
no-mdc2 \
|
||||
enable-ssl3 \
|
||||
enable-ssl3-method \
|
||||
no-rc4 \
|
||||
no-rc5 \
|
||||
no-ec2m \
|
||||
no-srp \
|
||||
-DSSL_FORBID_ENULL \
|
||||
%{ssl_arch}
|
||||
%{ssl_arch} \
|
||||
${CFLAGS} \
|
||||
${LDFLAGS}
|
||||
|
||||
# Build.
|
||||
make depend
|
||||
util/mkdef.pl crypto update
|
||||
make all
|
||||
|
||||
# Generate hashes for the included certs.
|
||||
make rehash
|
||||
# Clean up the .pc files
|
||||
for i in libcrypto.pc libssl.pc openssl.pc; do
|
||||
sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i
|
||||
done
|
||||
end
|
||||
|
||||
test
|
||||
# Revert ca-dir patch. Otherwise the tests will fail.
|
||||
patch -Np1 -R < %{DIR_PATCHES}/openssl-1.0.0-beta4-ca-dir.patch
|
||||
patch -Np1 -R < %{DIR_PATCHES}/openssl-1.1.0-ca-dir.patch
|
||||
|
||||
make test
|
||||
end
|
||||
|
||||
install
|
||||
make install build-shared INSTALL_PREFIX=%{BUILDROOT}
|
||||
|
||||
# Install manpages do right place
|
||||
mkdir -pv %{BUILDROOT}/usr/share
|
||||
mv -v %{BUILDROOT}/etc/pki/tls/man %{BUILDROOT}/usr/share/
|
||||
|
||||
if [ -d "%{BUILDROOT}%{libdir}/engines" ]; then
|
||||
mkdir -pv %{BUILDROOT}%{libdir}/openssl
|
||||
mv -v %{BUILDROOT}%{libdir}/engines %{BUILDROOT}%{libdir}/openssl
|
||||
fi
|
||||
|
||||
mkdir -pv %{BUILDROOT}/etc/pki/CA/private
|
||||
chmod -v 700 -R %{BUILDROOT}/etc/pki/CA
|
||||
|
||||
mkdir -pv %{BUILDROOT}/etc/pki/tls
|
||||
install -m 0644 %{DIR_SOURCE}/openssl.cnf %{BUILDROOT}/etc/pki/tls
|
||||
cp -v -r certs %{BUILDROOT}/etc/pki/tls
|
||||
make install DESTDIR=%{BUILDROOT}
|
||||
|
||||
# Rename man pages so that they don't conflict with other system man pages.
|
||||
pushd %{BUILDROOT}%{mandir}
|
||||
for m in $(find . -type f | xargs grep -L '#include'); do
|
||||
d="${m%/*}"
|
||||
d="${d#./}"
|
||||
m="${m##*/}"
|
||||
[[ ${m} == openssl.1* ]] && continue
|
||||
[[ -n "$(find -L "${d}" -type l)" ]] && exit 1
|
||||
mv ${d}/{,ssl-}${m}
|
||||
|
||||
# fix up references to renamed man pages
|
||||
sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' "${d}/ssl-${m}"
|
||||
ln -s "ssl-${m}" "${d}/openssl-${m}"
|
||||
|
||||
# locate any symlinks that point to this man page ... we assume
|
||||
# that any broken links are due to the above renaming
|
||||
for s in $(find -L "${d}" -type l); do
|
||||
s="${s##*/}"
|
||||
rm -f "${d}/${s}"
|
||||
ln -s "ssl-${m}" "${d}/ssl-${s}"
|
||||
ln -s "ssl-${s}" "${d}/openssl-${s}"
|
||||
done
|
||||
ln -svf config.5 man5/openssl.cnf.5
|
||||
for manpage in man*/*; do
|
||||
if [ -L "${manpage}" ]; then
|
||||
TARGET=$(ls -l "${manpage}" | awk '{ print $NF }')
|
||||
ln -snf "${TARGET}ssl" "${manpage}ssl"
|
||||
rm -f "${manpage}"
|
||||
else
|
||||
mv ${manpage} ${manpage}ssl
|
||||
fi
|
||||
done
|
||||
for conflict in passwd rand; do
|
||||
rename ${conflict} ssl${conflict} man*/${conflict}*
|
||||
ln -svf ssl${conflict}.1ssl %{BUILDROOT}%{mandir}/man1/openssl-${conflict}.1ssl
|
||||
done
|
||||
|
||||
[[ -n "$(find -L "${d}" -type l)" ]] && exit 1 # "broken manpage links found :("
|
||||
popd
|
||||
|
||||
# Remove dist config
|
||||
rm -vf %{BUILDROOT}%{sysconfdir}/pki/tls/openssl.cnf.dist
|
||||
|
||||
# Move executable stuff to %{bindir}
|
||||
mv -v %{BUILDROOT}%{sysconfdir}/pki/tls/misc/{CA.pl,tsget} %{BUILDROOT}%{bindir}
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -156,7 +136,7 @@ packages
|
|||
|
||||
conflicts += %{name} < %{thisver}
|
||||
|
||||
files += %{libdir}/openssl
|
||||
files += %{libdir}/openssl %{libdir}/engines*
|
||||
end
|
||||
|
||||
package %{name}-devel
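Review bot: `enable-ssl3` and `enable-ssl3-method` in the Configure option list compile SSLv3 into the 1.1.0 library, so whether it is off by default depends entirely on the disable-ssl3 patch (the `ret->options |= SSL_OP_NO_SSLv3;` line in `SSL_CTX_new`) being applied at build time. Nothing in the visible recipe states that dependency; a comment next to the two options, e.g. `# SSLv3 is built but disabled by default by the disable-ssl3 patch`, would keep a later patch refresh from silently re-enabling it. `enable-md2` is carried over as well and keeps a broken digest selectable. Old and new lines are interleaved on this page without side markers, so which options are new is inferred from the compat recipe's list.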
|
||||
|
|
|
@ -0,0 +1,73 @@
|
|||
diff -up openssl-1.1.0f/Configurations/unix-Makefile.tmpl.build openssl-1.1.0f/Configurations/unix-Makefile.tmpl
|
||||
--- openssl-1.1.0f/Configurations/unix-Makefile.tmpl.build 2017-06-02 13:51:39.621289504 +0200
|
||||
+++ openssl-1.1.0f/Configurations/unix-Makefile.tmpl 2017-06-02 13:54:45.298654812 +0200
|
||||
@@ -553,7 +553,7 @@ uninstall_runtime:
|
||||
install_man_docs:
|
||||
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
|
||||
@echo "*** Installing manpages"
|
||||
- $(PERL) $(SRCDIR)/util/process_docs.pl \
|
||||
+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
|
||||
--destdir=$(DESTDIR)$(MANDIR) --type=man --suffix=$(MANSUFFIX)
|
||||
|
||||
uninstall_man_docs:
|
||||
@@ -565,7 +565,7 @@ uninstall_man_docs:
|
||||
install_html_docs:
|
||||
@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
|
||||
@echo "*** Installing HTML manpages"
|
||||
- $(PERL) $(SRCDIR)/util/process_docs.pl \
|
||||
+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
|
||||
--destdir=$(DESTDIR)$(HTMLDIR) --type=html
|
||||
|
||||
uninstall_html_docs:
|
||||
diff -up openssl-1.1.0f/Configurations/10-main.conf.build openssl-1.1.0f/Configurations/10-main.conf
|
||||
--- openssl-1.1.0f/Configurations/10-main.conf.build 2017-05-25 14:46:17.000000000 +0200
|
||||
+++ openssl-1.1.0f/Configurations/10-main.conf 2017-06-02 13:51:39.622289528 +0200
|
||||
@@ -662,6 +662,7 @@ sub vms_info {
|
||||
cflags => add("-m64 -DL_ENDIAN"),
|
||||
perlasm_scheme => "linux64le",
|
||||
shared_ldflag => add("-m64"),
|
||||
+ multilib => "64",
|
||||
},
|
||||
|
||||
"linux-armv4" => {
|
||||
@@ -702,6 +703,7 @@ sub vms_info {
|
||||
"linux-aarch64" => {
|
||||
inherit_from => [ "linux-generic64", asm("aarch64_asm") ],
|
||||
perlasm_scheme => "linux64",
|
||||
+ multilib => "64",
|
||||
},
|
||||
"linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
|
||||
inherit_from => [ "linux-generic32", asm("aarch64_asm") ],
|
||||
diff -up openssl-1.1.0g/test/evptests.txt.build openssl-1.1.0g/test/evptests.txt
|
||||
--- openssl-1.1.0g/test/evptests.txt.build 2017-11-02 15:29:05.000000000 +0100
|
||||
+++ openssl-1.1.0g/test/evptests.txt 2017-11-03 16:37:01.253671494 +0100
|
||||
@@ -3707,14 +3707,6 @@ MCowBQYDK2VuAyEA3p7bfXt9wbTTW2HC7OQ1Nz+D
|
||||
|
||||
PrivPubKeyPair = Bob-25519:Bob-25519-PUBLIC
|
||||
|
||||
-Derive=Alice-25519
|
||||
-PeerKey=Bob-25519-PUBLIC
|
||||
-SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742
|
||||
-
|
||||
-Derive=Bob-25519
|
||||
-PeerKey=Alice-25519-PUBLIC
|
||||
-SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742
|
||||
-
|
||||
# Illegal sign/verify operations with X25519 key
|
||||
|
||||
Sign=Alice-25519
|
||||
@@ -3727,6 +3719,14 @@ Result = KEYOP_INIT_ERROR
|
||||
Function = EVP_PKEY_verify_init
|
||||
Reason = operation not supported for this keytype
|
||||
|
||||
+Derive=Alice-25519
|
||||
+PeerKey=Bob-25519-PUBLIC
|
||||
+SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742
|
||||
+
|
||||
+Derive=Bob-25519
|
||||
+PeerKey=Alice-25519-PUBLIC
|
||||
+SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742
|
||||
+
|
||||
## ECDH Tests: test with randomly generated keys for all the listed curves
|
||||
|
||||
|
|
@ -0,0 +1,24 @@
|
|||
diff -up openssl-1.1.0-pre5/apps/CA.pl.in.ca-dir openssl-1.1.0-pre5/apps/CA.pl.in
|
||||
--- openssl-1.1.0-pre5/apps/CA.pl.in.ca-dir 2016-07-18 15:19:40.118110405 +0200
|
||||
+++ openssl-1.1.0-pre5/apps/CA.pl.in 2016-07-18 15:21:06.531061337 +0200
|
||||
@@ -26,7 +26,7 @@ my $X509 = "$openssl x509";
|
||||
my $PKCS12 = "$openssl pkcs12";
|
||||
|
||||
# default openssl.cnf file has setup as per the following
|
||||
-my $CATOP = "./demoCA";
|
||||
+my $CATOP = "/etc/pki/CA";
|
||||
my $CAKEY = "cakey.pem";
|
||||
my $CAREQ = "careq.pem";
|
||||
my $CACERT = "cacert.pem";
|
||||
diff -up openssl-1.1.0-pre5/apps/openssl.cnf.ca-dir openssl-1.1.0-pre5/apps/openssl.cnf
|
||||
--- openssl-1.1.0-pre5/apps/openssl.cnf.ca-dir 2016-07-18 15:19:40.114110315 +0200
|
||||
+++ openssl-1.1.0-pre5/apps/openssl.cnf 2016-07-18 15:19:48.492299467 +0200
|
||||
@@ -39,7 +39,7 @@ default_ca = CA_default # The default c
|
||||
####################################################################
|
||||
[ CA_default ]
|
||||
|
||||
-dir = ./demoCA # Where everything is kept
|
||||
+dir = /etc/pki/CA # Where everything is kept
|
||||
certs = $dir/certs # Where the issued certs are kept
|
||||
crl_dir = $dir/crl # Where the issued crl are kept
|
||||
database = $dir/index.txt # database index file.
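Review bot: With `$CATOP` and `dir` now pointing at the system-wide `/etc/pki/CA`, the CA private key lands under a shared path, and nothing in this patch ensures that directory is created with restrictive permissions. The openssl recipe's install hunk shows `mkdir -pv %{BUILDROOT}/etc/pki/CA/private` and `chmod -v 700 -R %{BUILDROOT}/etc/pki/CA` next to the old `INSTALL_PREFIX` call, which suggests they are on the removed side (side markers are lost on this page, so this is inferred). If so, keep those two lines after `make install DESTDIR=%{BUILDROOT}` so the directory ships as 0700 instead of depending on the umask of whoever first populates it.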
|
|
@ -0,0 +1,51 @@
|
|||
diff -up openssl-1.1.0-pre5/apps/openssl.cnf.defaults openssl-1.1.0-pre5/apps/openssl.cnf
|
||||
--- openssl-1.1.0-pre5/apps/openssl.cnf.defaults 2016-04-19 16:57:52.000000000 +0200
|
||||
+++ openssl-1.1.0-pre5/apps/openssl.cnf 2016-07-18 14:22:08.252691017 +0200
|
||||
@@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate fi
|
||||
|
||||
default_days = 365 # how long to certify for
|
||||
default_crl_days= 30 # how long before next CRL
|
||||
-default_md = default # use public key default MD
|
||||
+default_md = sha256 # use SHA-256 by default
|
||||
preserve = no # keep passed DN ordering
|
||||
|
||||
# A few difference way of specifying how similar the request should look
|
||||
@@ -104,6 +104,7 @@ emailAddress = optional
|
||||
####################################################################
|
||||
[ req ]
|
||||
default_bits = 2048
|
||||
+default_md = sha256
|
||||
default_keyfile = privkey.pem
|
||||
distinguished_name = req_distinguished_name
|
||||
attributes = req_attributes
|
||||
@@ -126,17 +127,18 @@ string_mask = utf8only
|
||||
|
||||
[ req_distinguished_name ]
|
||||
countryName = Country Name (2 letter code)
|
||||
-countryName_default = AU
|
||||
+countryName_default = XX
|
||||
countryName_min = 2
|
||||
countryName_max = 2
|
||||
|
||||
stateOrProvinceName = State or Province Name (full name)
|
||||
-stateOrProvinceName_default = Some-State
|
||||
+#stateOrProvinceName_default = Default Province
|
||||
|
||||
localityName = Locality Name (eg, city)
|
||||
+localityName_default = Default City
|
||||
|
||||
0.organizationName = Organization Name (eg, company)
|
||||
-0.organizationName_default = Internet Widgits Pty Ltd
|
||||
+0.organizationName_default = Default Company Ltd
|
||||
|
||||
# we can do this but it is not needed normally :-)
|
||||
#1.organizationName = Second Organization Name (eg, company)
|
||||
@@ -145,7 +147,7 @@ localityName = Locality Name (eg, city
|
||||
organizationalUnitName = Organizational Unit Name (eg, section)
|
||||
#organizationalUnitName_default =
|
||||
|
||||
-commonName = Common Name (e.g. server FQDN or YOUR name)
|
||||
+commonName = Common Name (eg, your name or your server\'s hostname)
|
||||
commonName_max = 64
|
||||
|
||||
emailAddress = Email Address
|
|
@ -0,0 +1,86 @@
|
|||
diff -up openssl-1.1.0f/apps/s_client.c.disable-ssl3 openssl-1.1.0f/apps/s_client.c
|
||||
--- openssl-1.1.0f/apps/s_client.c.disable-ssl3 2017-06-05 15:42:44.838853312 +0200
|
||||
+++ openssl-1.1.0f/apps/s_client.c 2017-07-17 14:50:06.468821871 +0200
|
||||
@@ -1486,6 +1486,9 @@ int s_client_main(int argc, char **argv)
|
||||
if (sdebug)
|
||||
ssl_ctx_security_debug(ctx, sdebug);
|
||||
|
||||
+ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
|
||||
+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
|
||||
+
|
||||
if (ssl_config) {
|
||||
if (SSL_CTX_config(ctx, ssl_config) == 0) {
|
||||
BIO_printf(bio_err, "Error using configuration \"%s\"\n",
|
||||
diff -up openssl-1.1.0f/apps/s_server.c.disable-ssl3 openssl-1.1.0f/apps/s_server.c
|
||||
--- openssl-1.1.0f/apps/s_server.c.disable-ssl3 2017-05-25 14:46:18.000000000 +0200
|
||||
+++ openssl-1.1.0f/apps/s_server.c 2017-07-17 14:49:50.434447583 +0200
|
||||
@@ -1614,6 +1614,10 @@ int s_server_main(int argc, char *argv[]
|
||||
}
|
||||
if (sdebug)
|
||||
ssl_ctx_security_debug(ctx, sdebug);
|
||||
+
|
||||
+ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
|
||||
+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
|
||||
+
|
||||
if (ssl_config) {
|
||||
if (SSL_CTX_config(ctx, ssl_config) == 0) {
|
||||
BIO_printf(bio_err, "Error using configuration \"%s\"\n",
|
||||
diff -up openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.0/ssl/ssl_lib.c
|
||||
--- openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3 2016-08-25 17:29:22.000000000 +0200
|
||||
+++ openssl-1.1.0/ssl/ssl_lib.c 2016-09-08 11:08:05.252082263 +0200
|
||||
@@ -2470,6 +2470,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
|
||||
* or by using the SSL_CONF library.
|
||||
*/
|
||||
ret->options |= SSL_OP_NO_COMPRESSION;
|
||||
+ /*
|
||||
+ * Disable SSLv3 by default. Applications can
|
||||
+ * re-enable it by configuring
|
||||
+ * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
|
||||
+ * or by using the SSL_CONF library.
|
||||
+ */
|
||||
+ ret->options |= SSL_OP_NO_SSLv3;
|
||||
|
||||
ret->tlsext_status_type = -1;
|
||||
|
||||
diff -up openssl-1.1.0/test/ssl_test.c.disable-ssl3 openssl-1.1.0/test/ssl_test.c
|
||||
--- openssl-1.1.0/test/ssl_test.c.disable-ssl3 2016-09-08 11:08:05.252082263 +0200
|
||||
+++ openssl-1.1.0/test/ssl_test.c 2016-09-08 11:11:44.802005886 +0200
|
||||
@@ -258,6 +258,7 @@ static int execute_test(SSL_TEST_FIXTURE
|
||||
SSL_TEST_SERVERNAME_CB_NONE) {
|
||||
server2_ctx = SSL_CTX_new(TLS_server_method());
|
||||
TEST_check(server2_ctx != NULL);
|
||||
+ SSL_CTX_clear_options(server2_ctx, SSL_OP_NO_SSLv3);
|
||||
}
|
||||
client_ctx = SSL_CTX_new(TLS_client_method());
|
||||
|
||||
@@ -266,11 +267,15 @@ static int execute_test(SSL_TEST_FIXTURE
|
||||
resume_client_ctx = SSL_CTX_new(TLS_client_method());
|
||||
TEST_check(resume_server_ctx != NULL);
|
||||
TEST_check(resume_client_ctx != NULL);
|
||||
+ SSL_CTX_clear_options(resume_server_ctx, SSL_OP_NO_SSLv3);
|
||||
+ SSL_CTX_clear_options(resume_client_ctx, SSL_OP_NO_SSLv3);
|
||||
}
|
||||
}
|
||||
|
||||
TEST_check(server_ctx != NULL);
|
||||
TEST_check(client_ctx != NULL);
|
||||
+ SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3);
|
||||
+ SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3);
|
||||
|
||||
TEST_check(CONF_modules_load(conf, fixture.test_app, 0) > 0);
|
||||
|
||||
diff -up openssl-1.1.0/test/ssltest_old.c.disable-ssl3 openssl-1.1.0/test/ssltest_old.c
|
||||
--- openssl-1.1.0/test/ssltest_old.c.disable-ssl3 2016-08-25 17:29:23.000000000 +0200
|
||||
+++ openssl-1.1.0/test/ssltest_old.c 2016-09-08 11:08:05.253082286 +0200
|
||||
@@ -1456,6 +1456,11 @@ int main(int argc, char *argv[])
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
+
|
||||
+ SSL_CTX_clear_options(c_ctx, SSL_OP_NO_SSLv3);
|
||||
+ SSL_CTX_clear_options(s_ctx, SSL_OP_NO_SSLv3);
|
||||
+ SSL_CTX_clear_options(s_ctx2, SSL_OP_NO_SSLv3);
|
||||
+
|
||||
/*
|
||||
* Since we will use low security ciphersuites and keys for testing set
|
||||
* security level to zero by default. Tests can override this by adding
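Review bot: Every context created in `test/ssl_test.c` and `test/ssltest_old.c` has `SSL_OP_NO_SSLv3` cleared right after creation, so the suite never exercises the new default set in `SSL_CTX_new`, and a refresh that drops `ret->options |= SSL_OP_NO_SSLv3;` would pass unnoticed. One assertion ahead of the clears would pin it, for example `TEST_check((SSL_CTX_get_options(client_ctx) & SSL_OP_NO_SSLv3) != 0);` in `execute_test`. In `s_client.c` and `s_server.c` the option is cleared only when both `min_version` and `max_version` equal `SSL3_VERSION`; a one-line comment there, such as `/* SSLv3 explicitly requested: undo the library default */`, would make that intent readable. All of the patched functions start and end outside the hunks shown.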
|
|
@ -0,0 +1,12 @@
|
|||
diff -up openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.nohtml openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl
|
||||
--- openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.no-html 2016-04-19 16:57:52.000000000 +0200
|
||||
+++ openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl 2016-07-18 13:58:55.060106243 +0200
|
||||
@@ -288,7 +288,7 @@ install_sw: all install_dev install_engi
|
||||
|
||||
uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev
|
||||
|
||||
-install_docs: install_man_docs install_html_docs
|
||||
+install_docs: install_man_docs
|
||||
|
||||
uninstall_docs: uninstall_man_docs uninstall_html_docs
|
||||
$(RM) -r -v $(DESTDIR)$(DOCDIR)
|
|
@ -0,0 +1,33 @@
|
|||
--- openssl-1.1.0g/test/recipes/40-test_rehash.t~ 2018-01-28 19:08:01.151912658 +0000
|
||||
+++ openssl-1.1.0g/test/recipes/40-test_rehash.t 2018-01-28 19:09:19.408454430 +0000
|
||||
@@ -23,7 +23,7 @@
|
||||
plan skip_all => "test_rehash is not available on this platform"
|
||||
unless run(app(["openssl", "rehash", "-help"]));
|
||||
|
||||
-plan tests => 5;
|
||||
+plan tests => 3;
|
||||
|
||||
indir "rehash.$$" => sub {
|
||||
prepare();
|
||||
@@ -42,21 +42,6 @@
|
||||
'Testing rehash operations on empty directory');
|
||||
}, create => 1, cleanup => 1;
|
||||
|
||||
-indir "rehash.$$" => sub {
|
||||
- prepare();
|
||||
- chmod 0500, curdir();
|
||||
- SKIP: {
|
||||
- if (!ok(!open(FOO, ">unwritable.txt"),
|
||||
- "Testing that we aren't running as a privileged user, such as root")) {
|
||||
- close FOO;
|
||||
- skip "It's pointless to run the next test as root", 1;
|
||||
- }
|
||||
- isnt(run(app(["openssl", "rehash", curdir()])), 1,
|
||||
- 'Testing rehash operations on readonly directory');
|
||||
- }
|
||||
- chmod 0700, curdir(); # make it writable again, so cleanup works
|
||||
-}, create => 1, cleanup => 1;
|
||||
-
|
||||
sub prepare {
|
||||
my @pemsourcefiles = sort glob(srctop_file('test', "*.pem"));
|
||||
my @destfiles = ();
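Review bot: Deleting the read-only-directory case removes the only check that `openssl rehash` fails cleanly on a directory it cannot write, presumably because the package build runs as root, where the `ok(!open(FOO, ">unwritable.txt"))` probe fails. Keeping the block and skipping it for root preserves the coverage for unprivileged builds: `skip "running as root", 2 if $> == 0;` as the first statement of the `SKIP:` block, with `plan tests => 5;` left as it was. `sub prepare` continues past the end of the hunk.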
|