# For the curious: # 0.9.5a soversion = 0 # 0.9.6 soversion = 1 # 0.9.6a soversion = 2 # 0.9.6c soversion = 3 # 0.9.7a soversion = 4 # 0.9.7ef soversion = 5 # 0.9.8ab soversion = 6 # 0.9.8g soversion = 7 # 0.9.8jk + EAP-FAST soversion = 8 # 1.0.0 soversion = 10 %global soversion 10 # Number of threads to spawn when testing some threading fixes. %global thread_test_threads %{?threads:%{threads}}%{!?threads:1} # Arches on which we need to prevent arch conflicts on opensslconf.h, must # also be handled in opensslconf-new.h. %global multilib_arches %{ix86} ia64 %{mips} ppc %{power64} s390 s390x sparcv9 sparc64 x86_64 %global _performance_build 1 Summary: Compatibility version of the OpenSSL library Name: compat-openssl10 Version: 1.0.2o Release: 117%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. # The original openssl upstream tarball cannot be shipped in the .src.rpm. Source: openssl-%{version}-hobbled.tar.xz Source1: hobble-openssl Source2: Makefile.certificate Source5: README.legacy-settings Source6: make-dummy-cert Source7: renew-dummy-cert Source8: openssl-thread-test.c Source9: opensslconf-new.h Source10: opensslconf-new-warning.h Source11: README.FIPS Source12: ec_curve.c Source13: ectest.c # Source14: smrsa3.pem Source15: smrsa2.pem Source16: smrsa1.pem Source17: smroot.pem Source18: smec2.pem Source19: smec1.pem Source20: smdsap.pem Source21: smdsa3.pem Source22: smdsa2.pem Source23: smdsa1.pem Source24: smdh.pem # # Build changes Patch1: openssl-1.0.2e-rpmbuild.patch Patch2: openssl-1.0.2a-defaults.patch Patch4: openssl-1.0.2i-enginesdir.patch Patch5: openssl-1.0.2a-no-rpath.patch Patch6: openssl-1.0.2o-test-use-localhost.patch Patch7: openssl-1.0.0-timezone.patch Patch8: openssl-1.0.1c-perlfind.patch Patch9: openssl-1.0.1c-aliasing.patch Patch10: openssl-1.0.2o-conf-10.patch # Bug fixes Patch23: openssl-1.0.2c-default-paths.patch Patch24: openssl-1.0.2a-issuer-hash.patch # Functionality changes Patch33: openssl-1.0.0-beta4-ca-dir.patch Patch34: openssl-1.0.2a-x509.patch Patch35: openssl-1.0.2a-version-add-engines.patch Patch39: openssl-1.0.2o-ipv6-apps.patch Patch40: openssl-1.0.2o-fips.patch Patch45: openssl-1.0.2a-env-zlib.patch Patch47: openssl-1.0.2a-readme-warning.patch Patch49: openssl-1.0.1i-algo-doc.patch Patch50: openssl-1.0.2a-dtls1-abi.patch Patch51: openssl-1.0.2a-version.patch Patch56: openssl-1.0.2a-rsa-x931.patch Patch58: openssl-1.0.2a-fips-md5-allow.patch Patch60: openssl-1.0.2a-apps-dgst.patch Patch63: openssl-1.0.2a-xmpp-starttls.patch Patch65: openssl-1.0.2i-chil-fixes.patch Patch66: openssl-1.0.2h-pkgconfig.patch Patch68: openssl-1.0.2m-secure-getenv.patch Patch70: openssl-1.0.2a-fips-ec.patch Patch71: openssl-1.0.2m-manfix.patch Patch72: openssl-1.0.2a-fips-ctor.patch Patch73: openssl-1.0.2c-ecc-suiteb.patch Patch74: openssl-1.0.2j-deprecate-algos.patch Patch75: openssl-1.0.2a-compat-symbols.patch Patch76: openssl-1.0.2o-new-fips-reqs.patch Patch77: openssl-1.0.2j-downgrade-strength.patch Patch78: openssl-1.0.2o-cc-reqs.patch Patch90: openssl-1.0.2i-enc-fail.patch Patch92: openssl-1.0.2o-system-cipherlist.patch Patch93: openssl-1.0.2g-disable-sslv2v3.patch Patch94: openssl-1.0.2d-secp256k1.patch Patch95: openssl-1.0.2e-remove-nistp224.patch Patch96: openssl-1.0.2e-speed-doc.patch Patch97: openssl-1.0.2j-nokrb5-abi.patch Patch98: openssl-1.0.2k-long-hello.patch Patch99: openssl-1.0.2k-fips-randlock.patch # Backported fixes including security fixes Patch80: openssl-1.0.2o-wrap-pad.patch Patch81: openssl-1.0.2a-padlock64.patch Patch82: openssl-1.0.2m-trusted-first-doc.patch Patch83: CVE-2018-0737.patch Patch84: CVE-2018-0732.patch Patch85: CVE-2018-0734.patch Patch86: CVE-2019-1552.patch Patch87: CVE-2019-1559.patch License: OpenSSL URL: http://www.openssl.org/ BuildRequires: gcc BuildRequires: coreutils, perl-interpreter, perl-generators, sed, zlib-devel, /usr/bin/cmp BuildRequires: lksctp-tools-devel BuildRequires: /usr/bin/rename BuildRequires: /usr/bin/pod2man Requires: coreutils, make Requires: crypto-policies Conflicts: openssl < 1:1.1.0, openssl-libs < 1:1.1.0 %description The OpenSSL toolkit provides support for secure communications between machines. This version of OpenSSL package contains only the libraries and is provided for compatibility with previous releases and software that does not support compilation with OpenSSL-1.1. %package devel Summary: Files for development of applications which have to use OpenSSL-1.0.2 Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release} Requires: zlib-devel%{?_isa} Requires: pkgconfig # The devel subpackage intentionally conflicts with main openssl-devel # as simultaneous use of both openssl package cannot be encouraged. # Making the packages non-conflicting would also require further # changes in the dependent packages. Conflicts: openssl-devel %description devel The OpenSSL toolkit provides support for secure communications between machines. This version of OpenSSL package contains only the libraries and is provided for compatibility with previous releases and software that does not support compilation with OpenSSL-1.1. This package contains include files needed to develop applications which support various cryptographic algorithms and protocols. %prep %setup -q -n openssl-%{version} # The hobble_openssl is called here redundantly, just to be sure. # The tarball has already the sources removed. %{SOURCE1} > /dev/null cp %{SOURCE12} %{SOURCE13} crypto/ec/ %patch1 -p1 -b .rpmbuild %patch2 -p1 -b .defaults %patch4 -p1 -b .enginesdir %{?_rawbuild} %patch5 -p1 -b .no-rpath %patch6 -p1 -b .use-localhost %patch7 -p1 -b .timezone %patch8 -p1 -b .perlfind %{?_rawbuild} %patch9 -p1 -b .aliasing %patch10 -p1 -b .conf-10 %patch23 -p1 -b .default-paths %patch24 -p1 -b .issuer-hash %patch33 -p1 -b .ca-dir %patch34 -p1 -b .x509 %patch35 -p1 -b .version-add-engines %patch39 -p1 -b .ipv6-apps %patch40 -p1 -b .fips %patch45 -p1 -b .env-zlib %patch47 -p1 -b .warning %patch49 -p1 -b .algo-doc %patch50 -p1 -b .dtls1-abi %patch51 -p1 -b .version %patch56 -p1 -b .x931 %patch58 -p1 -b .md5-allow %patch60 -p1 -b .dgst %patch63 -p1 -b .starttls %patch65 -p1 -b .chil %patch66 -p1 -b .pkgconfig %patch68 -p1 -b .secure-getenv %patch70 -p1 -b .fips-ec %patch71 -p1 -b .manfix %patch72 -p1 -b .fips-ctor %patch73 -p1 -b .suiteb %patch74 -p1 -b .deprecate-algos %patch75 -p1 -b .compat %patch76 -p1 -b .fips-reqs %patch77 -p1 -b .strength %patch78 -p1 -b .cc-reqs %patch90 -p1 -b .enc-fail %patch92 -p1 -b .system %patch93 -p1 -b .v2v3 %patch94 -p1 -b .secp256k1 %patch95 -p1 -b .nistp224 %patch96 -p1 -b .speed-doc %patch97 -p1 -b .nokrb5-abi %patch98 -p1 -b .long-hello %patch99 -p1 -b .randlock %patch80 -p1 -b .wrap %patch81 -p1 -b .padlock64 %patch82 -p1 -b .trusted-first %patch83 -p1 -b .CVE-2018-0737 %patch84 -p1 -b .CVE-2018-0732 %patch85 -p1 -b .CVE-2018-0734 %patch86 -p1 -b .CVE-2019-1552 %patch87 -p1 -b .CVE-2019-1559 sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h # Modify the various perl scripts to reference perl in the right location. perl util/perlpath.pl `dirname %{__perl}` # Generate a table with the compile settings for my perusal. touch Makefile make TABLE PERL=%{__perl} cp apps/openssl.cnf apps/openssl10.cnf %build # Figure out which flags we want to use. # default sslarch=%{_os}-%{_target_cpu} %ifarch %ix86 sslarch=linux-elf if ! echo %{_target} | grep -q i686 ; then sslflags="no-asm 386" fi %endif %ifarch x86_64 sslflags=enable-ec_nistp_64_gcc_128 %endif %ifarch sparcv9 sslarch=linux-sparcv9 sslflags=no-asm %endif %ifarch sparc64 sslarch=linux64-sparcv9 sslflags=no-asm %endif %ifarch alpha alphaev56 alphaev6 alphaev67 sslarch=linux-alpha-gcc %endif %ifarch s390 sh3eb sh4eb sslarch="linux-generic32 -DB_ENDIAN" %endif %ifarch s390x sslarch="linux64-s390x" %endif %ifarch %{arm} sslarch=linux-armv4 %endif %ifarch aarch64 sslarch=linux-aarch64 sslflags=enable-ec_nistp_64_gcc_128 %endif %ifarch sh3 sh4 sslarch=linux-generic32 %endif %ifarch ppc64 ppc64p7 sslarch=linux-ppc64 %endif %ifarch ppc64le sslarch="linux-ppc64le" sslflags=enable-ec_nistp_64_gcc_128 %endif %ifarch mips mipsel sslarch="linux-mips32 -mips32r2" %endif %ifarch mips64 mips64el sslarch="linux64-mips64 -mips64r2" %endif %ifarch mips64el sslflags=enable-ec_nistp_64_gcc_128 %endif %ifarch riscv64 sslarch=linux-generic64 %endif # ia64, x86_64, ppc are OK by default # Configure the build tree. Override OpenSSL defaults with known-good defaults # usable on all platforms. The Configure script already knows to use -fPIC and # RPM_OPT_FLAGS, so we can skip specifiying them here. ./Configure \ --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \ --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \ zlib sctp enable-camellia enable-seed enable-tlsext enable-rfc3779 \ enable-cms enable-md2 enable-rc5 \ no-mdc2 no-ec2m no-gost no-srp no-krb5 \ --enginesdir=%{_libdir}/openssl/engines \ shared ${sslarch} %{?!nofips:fips} # Add -Wa,--noexecstack here so that libcrypto's assembler modules will be # marked as not requiring an executable stack. # Also add -DPURIFY to make using valgrind with openssl easier as we do not # want to depend on the uninitialized memory as a source of entropy anyway. RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY" make depend make all # Generate hashes for the included certs. make rehash # Overwrite FIPS README and copy README.legacy-settings cp -f %{SOURCE5} %{SOURCE11} . # Clean up the .pc files for i in libcrypto.pc libssl.pc openssl.pc ; do sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i done %check # make new smime certs cp %{SOURCE14} %{_builddir}/openssl-%{version}/test/smime-certs/ cp %{SOURCE15} %{_builddir}/openssl-%{version}/test/smime-certs/ cp %{SOURCE16} %{_builddir}/openssl-%{version}/test/smime-certs/ cp %{SOURCE17} %{_builddir}/openssl-%{version}/test/smime-certs/ cp %{SOURCE18} %{_builddir}/openssl-%{version}/test/smime-certs/ cp %{SOURCE19} %{_builddir}/openssl-%{version}/test/smime-certs/ cp %{SOURCE20} %{_builddir}/openssl-%{version}/test/smime-certs/ cp %{SOURCE21} %{_builddir}/openssl-%{version}/test/smime-certs/ cp %{SOURCE22} %{_builddir}/openssl-%{version}/test/smime-certs/ cp %{SOURCE23} %{_builddir}/openssl-%{version}/test/smime-certs/ cp %{SOURCE24} %{_builddir}/openssl-%{version}/test/smime-certs/ # Verify that what was compiled actually works. export OPENSSL_CONF=/etc/pki/openssl10.cnf # We must revert patch33 before tests otherwise they will fail patch -p1 -R < %{PATCH33} cp apps/openssl.cnf apps/openssl10.cnf LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}} export LD_LIBRARY_PATH OPENSSL_ENABLE_MD5_VERIFY= export OPENSSL_ENABLE_MD5_VERIFY make -C test apps tests %{__cc} -o openssl-thread-test \ -I./include \ $RPM_OPT_FLAGS \ %{SOURCE8} \ -L. \ -lssl -lcrypto \ -lpthread -lz -ldl ./openssl-thread-test --threads %{thread_test_threads} # Add generation of HMAC checksum of the final stripped library %define __spec_install_post \ %{?__debug_package:%{__debug_install_post}} \ %{__arch_install_post} \ %{__os_install_post} \ crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{version}.hmac \ ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{soversion}.hmac \ crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{version}.hmac \ ln -sf .libssl.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{soversion}.hmac \ %{nil} %define __provides_exclude_from %{_libdir}/openssl %install [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT # Install OpenSSL. install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl} make INSTALL_PREFIX=$RPM_BUILD_ROOT install make INSTALL_PREFIX=$RPM_BUILD_ROOT install_docs mv $RPM_BUILD_ROOT%{_libdir}/engines $RPM_BUILD_ROOT%{_libdir}/openssl mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/man/* $RPM_BUILD_ROOT%{_mandir}/ rmdir $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/man rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion} for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do chmod 755 ${lib} ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion} done # Delete static library rm -f $RPM_BUILD_ROOT%{_libdir}/*.a || : # Rename man pages so that they don't conflict with other system man pages. pushd $RPM_BUILD_ROOT%{_mandir} for manpage in man*/* ; do if [ -L ${manpage} ]; then TARGET=`ls -l ${manpage} | awk '{ print $NF }'` ln -snf ${TARGET}ssl ${manpage}ssl rm -f ${manpage} else mv ${manpage} ${manpage}ssl fi done popd # Delete non-devel man pages in the compat package rm -rf $RPM_BUILD_ROOT%{_mandir}/man[157]* # Delete configuration files rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/pki/* # Remove binaries rm -rf $RPM_BUILD_ROOT/%{_bindir} # Remove engines rm -rf $RPM_BUILD_ROOT/%{_libdir}/openssl # Install compat config file install -m 644 apps/openssl10.cnf $RPM_BUILD_ROOT%{_sysconfdir}/pki/openssl10.cnf %files %license LICENSE %doc FAQ NEWS README %doc README.FIPS %doc README.legacy-settings %attr(0755,root,root) %{_libdir}/libcrypto.so.%{version} %attr(0755,root,root) %{_libdir}/libcrypto.so.%{soversion} %attr(0755,root,root) %{_libdir}/libssl.so.%{version} %attr(0755,root,root) %{_libdir}/libssl.so.%{soversion} %attr(0644,root,root) %{_libdir}/.libcrypto.so.*.hmac %attr(0644,root,root) %{_libdir}/.libssl.so.*.hmac %dir %{_sysconfdir}/pki %attr(0644,root,root) %{_sysconfdir}/pki/openssl10.cnf %files devel %doc doc/c-indentation.el doc/openssl.txt CHANGES %{_prefix}/include/openssl %attr(0755,root,root) %{_libdir}/*.so %attr(0644,root,root) %{_mandir}/man3*/* %attr(0644,root,root) %{_libdir}/pkgconfig/*.pc %ldconfig_scriptlets %changelog * Tue Sep 10 2019 Gwyn Ciesla - 1:1.0.2o-7 - Patch for CVE-2018-0737, CVE-2018-0732, CVE-2018-0734, CVE-2019-1552, CVE-2019-1559 * Wed Jul 24 2019 Fedora Release Engineering - 1:1.0.2o-6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild * Fri Feb 8 2019 Tomáš Mráz 1.0.2o-5 - Keep the compat-openssl10-devel for Fedora 30 - Generate missing build notes for assembler sources * Thu Jan 31 2019 Fedora Release Engineering - 1:1.0.2o-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild * Fri Aug 3 2018 Tomáš Mráz 1.0.2o-3 - provide and use compat openssl10.cnf as the non-compat one is incompatible * Thu Jul 12 2018 Fedora Release Engineering - 1:1.0.2o-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild * Thu Apr 5 2018 Tomáš Mráz 1.0.2o-1 - minor upstream release 1.0.2o fixing security issues * Sun Mar 11 2018 Stefan O'Rear 1:1.0.2n-4 - Add flags for riscv64. * Fri Feb 23 2018 Tomáš Mráz 1.0.2n-3 - apply RPM_LD_FLAGS properly (#1548117) * Wed Feb 07 2018 Fedora Release Engineering - 1:1.0.2n-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild * Thu Jan 18 2018 Tomáš Mráz 1.0.2n-1 - minor upstream release 1.0.2n fixing security issues * Mon Nov 13 2017 Tomáš Mráz 1.0.2m-1 - minor upstream release 1.0.2m fixing security issues - fix locking of RNG in FIPS mode for some obscure use-cases * Mon Aug 21 2017 Tomáš Mráz 1.0.2j-9 - add missing ldconfig call to post script * Wed Aug 02 2017 Fedora Release Engineering - 1:1.0.2j-8 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild * Wed Jul 26 2017 Fedora Release Engineering - 1:1.0.2j-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild * Fri Feb 10 2017 Fedora Release Engineering - 1:1.0.2j-6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild * Thu Oct 20 2016 Tomáš Mráz 1.0.2j-5 - fix -devel subpackage conflict with man-pages package (#1387175) * Fri Oct 14 2016 Tomáš Mráz 1.0.2j-4 - correct wrong Requires in -devel subpackage * Fri Oct 14 2016 Tomáš Mráz 1.0.2j-3 - add back -devel subpackage as a stop-gap measure for software that cannot be ported to new API easily * Fri Oct 7 2016 Tomáš Mráz 1.0.2j-2 - removed Buildroot and clean section - added Conflicts with old openssl * Thu Oct 6 2016 Tomáš Mráz 1.0.2j-1 - updated to 1.0.2j and modified Summary * Thu Oct 6 2016 Tomáš Mráz 1.0.2i-3 - renamed to compat-openssl10, additional cleanups * Fri Sep 23 2016 Tomáš Mráz 1.0.2i-2 - compat package created