authorAnas Nashif <anas.nashif@intel.com>2012-11-05 13:57:24 -0800
committerJanusz Kozerski <j.kozerski@samsung.com>2014-10-22 08:56:04 +0200
commit71592d3affc292a749584830d432fd065cad0830 (patch)
tree8f27c8bfb9c941817e1bf6a02c729d3555e175a6
parent6cd65d403decbb1c956face5448d3a94ad03e1f7 (diff)
add packaging
-rw-r--r--packaging/baselibs.conf5
-rw-r--r--packaging/bug610223.patch14
-rw-r--r--packaging/merge_from_0.9.8k.patch70
-rw-r--r--packaging/openssl-1.0.0-c_rehash-compat.diff45
-rw-r--r--packaging/openssl-ocloexec.patch166
-rw-r--r--packaging/openssl.changes1381
-rw-r--r--packaging/openssl.spec377
-rw-r--r--packaging/openssl.test2
8 files changed, 2060 insertions, 0 deletions
diff --git a/packaging/baselibs.conf b/packaging/baselibs.conf
new file mode 100644
index 0000000..aee4346
--- /dev/null
+++ b/packaging/baselibs.conf
@@ -0,0 +1,5 @@
+libopenssl1_0_0
+ obsoletes "openssl-<targettype> <= <version>"
+libopenssl-devel
+ requires -libopenssl-<targettype>
+ requires "libopenssl1_0_0-<targettype> = <version>"
diff --git a/packaging/bug610223.patch b/packaging/bug610223.patch
new file mode 100644
index 0000000..ba4f062
--- /dev/null
+++ b/packaging/bug610223.patch
@@ -0,0 +1,14 @@
+Index: openssl-1.0.0/Configure
+===================================================================
+--- openssl-1.0.0.orig/Configure
++++ openssl-1.0.0/Configure
+@@ -1673,7 +1673,8 @@ while (<IN>)
+ }
+ elsif (/^#define\s+ENGINESDIR/)
+ {
+- my $foo = "$prefix/$libdir/engines";
++ #my $foo = "$prefix/$libdir/engines";
++ my $foo = "/$libdir/engines";
+ $foo =~ s/\\/\\\\/g;
+ print OUT "#define ENGINESDIR \"$foo\"\n";
+ }
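Review bot: The embedded Configure patch has no description, and its new line `my $foo = "/$libdir/engines";` drops `$prefix` while leaving the old assignment behind as a comment. The value is written into `#define ENGINESDIR`, so it looks like a compiled-in load path for engine modules. A one-line header in the patch saying why engines move out of the prefix (the changelog in this commit ties it to bnc #610223) would keep a later rebase from reverting it, and the commented-out line can be deleted. Whether the package installs the engine modules under that same `/$libdir/engines` path is not visible in this hunk and should be confirmed against the spec file. The enclosing `while (<IN>)` loop starts and ends outside the embedded hunk.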
diff --git a/packaging/merge_from_0.9.8k.patch b/packaging/merge_from_0.9.8k.patch
new file mode 100644
index 0000000..55d9f04
--- /dev/null
+++ b/packaging/merge_from_0.9.8k.patch
@@ -0,0 +1,70 @@
+--- openssl-1.0.1c.orig/Configure
++++ openssl-1.0.1c/Configure
+@@ -931,7 +931,7 @@ PROCESS_ARGS:
+ }
+ else
+ {
+- die "target already defined - $target (offending arg: $_)\n" if ($target ne "");
++ warn "target already defined - $target (offending arg: $_)\n" if ($target ne "");
+ $target=$_;
+ }
+
+@@ -1204,7 +1204,7 @@ if ($target =~ /^mingw/ && `$cc --target
+ my $no_shared_warn=0;
+ my $no_user_cflags=0;
+
+-if ($flags ne "") { $cflags="$flags$cflags"; }
++if ($flags ne "") { $cflags="$cflags $flags"; }
+ else { $no_user_cflags=1; }
+
+ # Kerberos settings. The flavor must be provided from outside, either through
+--- openssl-1.0.1c.orig/config
++++ openssl-1.0.1c/config
+@@ -573,7 +573,8 @@ case "$GUESSOS" in
+ options="$options -arch%20${MACHINE}"
+ OUT="iphoneos-cross" ;;
+ alpha-*-linux2)
+- ISA=`awk '/cpu model/{print$4;exit(0);}' /proc/cpuinfo`
++ #ISA=`awk '/cpu model/{print$4;exit(0);}' /proc/cpuinfo`
++ ISA=EV56
+ case ${ISA:-generic} in
+ *[678]) OUT="linux-alpha+bwx-$CC" ;;
+ *) OUT="linux-alpha-$CC" ;;
+@@ -593,7 +594,8 @@ case "$GUESSOS" in
+ echo " You have about 5 seconds to press Ctrl-C to abort."
+ (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
+ fi
+- OUT="linux-ppc"
++ # we have the target and force it here
++ OUT="linux-ppc64"
+ ;;
+ ppc-*-linux2) OUT="linux-ppc" ;;
+ ppc60x-*-vxworks*) OUT="vxworks-ppc60x" ;;
+@@ -614,10 +616,10 @@ case "$GUESSOS" in
+ sparc-*-linux2)
+ KARCH=`awk '/^type/{print$3;exit(0);}' /proc/cpuinfo`
+ case ${KARCH:-sun4} in
+- sun4u*) OUT="linux-sparcv9" ;;
+- sun4m) OUT="linux-sparcv8" ;;
+- sun4d) OUT="linux-sparcv8" ;;
+- *) OUT="linux-generic32"; options="$options -DB_ENDIAN" ;;
++# sun4u*) OUT="linux-sparcv9" ;;
++# sun4m) OUT="linux-sparcv8" ;;
++# sun4d) OUT="linux-sparcv8" ;;
++ *) OUT="linux-sparcv8" ;;
+ esac ;;
+ parisc*-*-linux2)
+ # 64-bit builds under parisc64 linux are not supported and
+@@ -636,7 +638,11 @@ case "$GUESSOS" in
+ # PA8500 -> 8000 (2.0)
+ # PA8600 -> 8000 (2.0)
+
+- CPUSCHEDULE=`echo $CPUSCHEDULE|sed -e 's/7300LC/7100LC/' -e 's/8.00/8000/'`
++ # CPUSCHEDULE=`echo $CPUSCHEDULE|sed -e 's/7300LC/7100LC/' -e 's/8?00/8000/'`
++ # lets have CPUSCHEDULE for 1.1:
++ CPUSCHEDULE=7100LC
++ # we want to support 1.1 CPUs as well:
++ CPUARCH=1.1
+ # Finish Model transformations
+
+ options="$options -DB_ENDIAN -mschedule=$CPUSCHEDULE -march=$CPUARCH"
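Review bot: In the first Configure hunk the duplicate-target check goes from `die` to `warn` while `$target=$_;` still runs, so a second target argument silently replaces the first and the build carries on; nothing in the patch says last-one-wins is intended. If it is, a comment above the `warn` such as `# the packaging passes its own target after the guessed one; the last one wins` would record it. The second hunk has a similar undocumented effect: `$cflags="$cflags $flags";` puts the caller's flags after the target's, so with most compilers they take precedence over the target defaults, and that ordering deserves a comment naming it as deliberate. The `config` hunks replace host probing with fixed values (`ISA=EV56`, `OUT="linux-ppc64"`, `OUT="linux-sparcv8"`, `CPUARCH=1.1`), and only two of them carry a reason.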
diff --git a/packaging/openssl-1.0.0-c_rehash-compat.diff b/packaging/openssl-1.0.0-c_rehash-compat.diff
new file mode 100644
index 0000000..ec618e2
--- /dev/null
+++ b/packaging/openssl-1.0.0-c_rehash-compat.diff
@@ -0,0 +1,45 @@
+From 83f318d68bbdab1ca898c94576a838cc97df4700 Mon Sep 17 00:00:00 2001
+From: Ludwig Nussel <ludwig.nussel@suse.de>
+Date: Wed, 21 Apr 2010 15:52:10 +0200
+Subject: [PATCH] also create old hash for compatibility
+
+---
+ tools/c_rehash.in | 8 +++++++-
+ 1 files changed, 7 insertions(+), 1 deletions(-)
+
+diff --git a/tools/c_rehash.in b/tools/c_rehash.in
+index bfc4a69..f8d0ce1 100644
+--- a/tools/c_rehash.in
++++ b/tools/c_rehash.in
+@@ -83,6 +83,7 @@ sub hash_dir {
+ next;
+ }
+ link_hash_cert($fname) if($cert);
++ link_hash_cert_old($fname) if($cert);
+ link_hash_crl($fname) if($crl);
+ }
+ }
+@@ -116,8 +117,9 @@ sub check_file {
+
+ sub link_hash_cert {
+ my $fname = $_[0];
++ my $hashopt = $_[1] || '-subject_hash';
+ $fname =~ s/'/'\\''/g;
+- my ($hash, $fprint) = `"$openssl" x509 -hash -fingerprint -noout -in "$fname"`;
++ my ($hash, $fprint) = `"$openssl" x509 $hashopt -fingerprint -noout -in "$fname"`;
+ chomp $hash;
+ chomp $fprint;
+ $fprint =~ s/^.*=//;
+@@ -147,6 +149,10 @@ sub link_hash_cert {
+ $hashlist{$hash} = $fprint;
+ }
+
++sub link_hash_cert_old {
++ link_hash_cert($_[0], '-subject_hash_old');
++}
++
+ # Same as above except for a CRL. CRL links are of the form <hash>.r<n>
+
+ sub link_hash_crl {
+--
+1.6.4.2
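Review bot: The rewritten backtick line in `link_hash_cert` still hands the shell a string built from `$fname`, and the `s/'/'\\''/g` escaping above it targets single-quoted context while the command wraps the name in double quotes, so shell metacharacters in a certificate file name are still interpreted. Since the line is being touched anyway, the list form avoids the shell: `open(my $fh, '-|', $openssl, 'x509', $hashopt, '-fingerprint', '-noout', '-in', $fname) or return;` followed by `my ($hash, $fprint) = <$fh>; close $fh;`, after which the `s///` is no longer needed for this call. `$hashopt` only receives the two literals visible here, but a comment on `link_hash_cert` stating that the second argument must be an `x509` hash option would keep it that way. `hash_dir` now runs `openssl x509` twice per certificate, and the bodies of both subs continue outside the embedded hunks.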
diff --git a/packaging/openssl-ocloexec.patch b/packaging/openssl-ocloexec.patch
new file mode 100644
index 0000000..e3c723c
--- /dev/null
+++ b/packaging/openssl-ocloexec.patch
@@ -0,0 +1,166 @@
+--- crypto/bio/b_sock.c.orig
++++ crypto/bio/b_sock.c
+@@ -735,7 +735,7 @@ int BIO_get_accept_socket(char *host, in
+ }
+
+ again:
+- s=socket(server.sa.sa_family,SOCK_STREAM,SOCKET_PROTOCOL);
++ s=socket(server.sa.sa_family,SOCK_STREAM|SOCK_CLOEXEC,SOCKET_PROTOCOL);
+ if (s == INVALID_SOCKET)
+ {
+ SYSerr(SYS_F_SOCKET,get_last_socket_error());
+@@ -784,7 +784,7 @@ again:
+ }
+ else goto err;
+ }
+- cs=socket(client.sa.sa_family,SOCK_STREAM,SOCKET_PROTOCOL);
++ cs=socket(client.sa.sa_family,SOCK_STREAM|SOCK_CLOEXEC,SOCKET_PROTOCOL);
+ if (cs != INVALID_SOCKET)
+ {
+ int ii;
+--- crypto/bio/bss_conn.c.orig
++++ crypto/bio/bss_conn.c
+@@ -209,7 +209,7 @@ static int conn_state(BIO *b, BIO_CONNEC
+ c->them.sin_addr.s_addr=htonl(l);
+ c->state=BIO_CONN_S_CREATE_SOCKET;
+
+- ret=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
++ ret=socket(AF_INET,SOCK_STREAM|SOCK_CLOEXEC,SOCKET_PROTOCOL);
+ if (ret == INVALID_SOCKET)
+ {
+ SYSerr(SYS_F_SOCKET,get_last_socket_error());
+--- crypto/bio/bss_dgram.c.orig
++++ crypto/bio/bss_dgram.c
+@@ -999,7 +999,7 @@ static int dgram_sctp_read(BIO *b, char
+ msg.msg_control = cmsgbuf;
+ msg.msg_controllen = 512;
+ msg.msg_flags = 0;
+- n = recvmsg(b->num, &msg, 0);
++ n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC);
+
+ if (msg.msg_controllen > 0)
+ {
+@@ -1560,7 +1560,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b)
+ msg.msg_controllen = 0;
+ msg.msg_flags = 0;
+
+- n = recvmsg(b->num, &msg, MSG_PEEK);
++ n = recvmsg(b->num, &msg, MSG_PEEK| MSG_CMSG_CLOEXEC);
+ if (n <= 0)
+ {
+ if ((n < 0) && (get_last_socket_error() != EAGAIN) && (get_last_socket_error() != EWOULDBLOCK))
+@@ -1583,7 +1583,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b)
+ msg.msg_controllen = 0;
+ msg.msg_flags = 0;
+
+- n = recvmsg(b->num, &msg, 0);
++ n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC);
+ if (n <= 0)
+ {
+ if ((n < 0) && (get_last_socket_error() != EAGAIN) && (get_last_socket_error() != EWOULDBLOCK))
+@@ -1644,7 +1644,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b)
+ fcntl(b->num, F_SETFL, O_NONBLOCK);
+ }
+
+- n = recvmsg(b->num, &msg, MSG_PEEK);
++ n = recvmsg(b->num, &msg, MSG_PEEK | MSG_CMSG_CLOEXEC);
+
+ if (is_dry)
+ {
+@@ -1688,7 +1688,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b)
+
+ sockflags = fcntl(b->num, F_GETFL, 0);
+ fcntl(b->num, F_SETFL, O_NONBLOCK);
+- n = recvmsg(b->num, &msg, MSG_PEEK);
++ n = recvmsg(b->num, &msg, MSG_PEEK | MSG_CMSG_CLOEXEC);
+ fcntl(b->num, F_SETFL, sockflags);
+
+ /* if notification, process and try again */
+@@ -1709,7 +1709,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b)
+ msg.msg_control = NULL;
+ msg.msg_controllen = 0;
+ msg.msg_flags = 0;
+- n = recvmsg(b->num, &msg, 0);
++ n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC);
+
+ if (data->handle_notifications != NULL)
+ data->handle_notifications(b, data->notification_context, (void*) &snp);
+--- crypto/bio/bss_file.c.orig
++++ crypto/bio/bss_file.c
+@@ -120,6 +120,10 @@ BIO *BIO_new_file(const char *filename,
+ {
+ BIO *ret;
+ FILE *file=NULL;
++ size_t modelen = strlen (mode);
++ char newmode[modelen + 2];
++
++ memcpy (mempcpy (newmode, mode, modelen), "e", 2);
+
+ #if defined(_WIN32) && defined(CP_UTF8)
+ int sz, len_0 = (int)strlen(filename)+1;
+@@ -162,7 +166,7 @@ BIO *BIO_new_file(const char *filename,
+ file = fopen(filename,mode);
+ }
+ #else
+- file=fopen(filename,mode);
++ file=fopen(filename,newmode);
+ #endif
+ if (file == NULL)
+ {
+@@ -275,7 +279,7 @@ static long MS_CALLBACK file_ctrl(BIO *b
+ long ret=1;
+ FILE *fp=(FILE *)b->ptr;
+ FILE **fpp;
+- char p[4];
++ char p[5];
+
+ switch (cmd)
+ {
+@@ -392,6 +396,8 @@ static long MS_CALLBACK file_ctrl(BIO *b
+ else
+ strcat(p,"t");
+ #endif
++ strcat(p, "e");
++
+ fp=fopen(ptr,p);
+ if (fp == NULL)
+ {
+--- crypto/rand/rand_unix.c.orig
++++ crypto/rand/rand_unix.c
+@@ -262,7 +262,7 @@ int RAND_poll(void)
+ for (i = 0; (i < sizeof(randomfiles)/sizeof(randomfiles[0])) &&
+ (n < ENTROPY_NEEDED); i++)
+ {
+- if ((fd = open(randomfiles[i], O_RDONLY
++ if ((fd = open(randomfiles[i], O_RDONLY | O_CLOEXEC
+ #ifdef O_NONBLOCK
+ |O_NONBLOCK
+ #endif
+--- crypto/rand/randfile.c.orig
++++ crypto/rand/randfile.c
+@@ -134,7 +134,7 @@ int RAND_load_file(const char *file, lon
+ #ifdef OPENSSL_SYS_VMS
+ in=vms_fopen(file,"rb",VMS_OPEN_ATTRS);
+ #else
+- in=fopen(file,"rb");
++ in=fopen(file,"rbe");
+ #endif
+ if (in == NULL) goto err;
+ #if defined(S_IFBLK) && defined(S_IFCHR) && !defined(OPENSSL_NO_POSIX_IO)
+@@ -207,7 +207,7 @@ int RAND_write_file(const char *file)
+ #endif
+ /* chmod(..., 0600) is too late to protect the file,
+ * permissions should be restrictive from the start */
+- int fd = open(file, O_WRONLY|O_CREAT|O_BINARY, 0600);
++ int fd = open(file, O_WRONLY|O_CREAT|O_BINARY|O_CLOEXEC, 0600);
+ if (fd != -1)
+ out = fdopen(fd, "wb");
+ }
+@@ -238,7 +238,7 @@ int RAND_write_file(const char *file)
+ out = vms_fopen(file,"wb",VMS_OPEN_ATTRS);
+ #else
+ if (out == NULL)
+- out = fopen(file,"wb");
++ out = fopen(file,"wbe");
+ #endif
+ if (out == NULL) goto err;
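Review bot: `SOCK_CLOEXEC`, `O_CLOEXEC` and `MSG_CMSG_CLOEXEC` are used unconditionally throughout the embedded patch, so the build breaks wherever the headers lack them, and on a kernel that predates `SOCK_CLOEXEC` the patched `socket()` calls in b_sock.c and bss_conn.c would be expected to fail with EINVAL instead of falling back. A guard per flag, e.g. `#ifndef SOCK_CLOEXEC` / `# define SOCK_CLOEXEC 0` / `#endif`, keeps it compiling, and `fcntl(fd, F_SETFD, FD_CLOEXEC)` after the call is the usual fallback where the flag is missing. In the `BIO_new_file` hunk, `char newmode[modelen + 2]` is a variable-length array sized by the caller's `mode` string and filled with `mempcpy`, a GNU extension; two plain `memcpy` calls do the same, and the unbounded length deserves either a cap or a comment. The `"e"` letter passed to `fopen` is likewise a glibc extension, so the close-on-exec guarantee is probably only real on glibc. All of the patched functions start and end outside the embedded hunks.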
diff --git a/packaging/openssl.changes b/packaging/openssl.changes
new file mode 100644
index 0000000..4b957b7
--- /dev/null
+++ b/packaging/openssl.changes
@@ -0,0 +1,1381 @@
+-------------------------------------------------------------------
+Sun Aug 19 23:38:32 UTC 2012 - crrodriguez@opensuse.org
+
+- Open Internal file descriptors with O_CLOEXEC, leaving
+ those open across fork()..execve() makes a perfect
+ vector for a side-channel attack...
+
+-------------------------------------------------------------------
+Tue Aug 7 17:17:34 UTC 2012 - dmueller@suse.com
+
+- fix build on armv5 (bnc#774710)
+
+-------------------------------------------------------------------
+Thu May 10 19:18:06 UTC 2012 - crrodriguez@opensuse.org
+
+- Update to version 1.0.1c for the complete list of changes see
+ NEWS, this only list packaging changes.
+- Drop aes-ni patch, no longer needed as it is builtin in openssl
+ now.
+- Define GNU_SOURCE and use -std=gnu99 to build the package.
+- Use LFS_CFLAGS in platforms where it matters.
+
+-------------------------------------------------------------------
+Fri May 4 12:09:57 UTC 2012 - lnussel@suse.de
+
+- don't install any demo or expired certs at all
+
+-------------------------------------------------------------------
+Mon Apr 23 05:57:35 UTC 2012 - gjhe@suse.com
+
+- update to latest stable verison 1.0.0i
+ including the following patches:
+ CVE-2012-2110.path
+ Bug748738_Tolerate_bad_MIME_headers.patch
+ bug749213-Free-headers-after-use.patch
+ bug749210-Symmetric-crypto-errors-in-PKCS7_decrypt.patch
+ CVE-2012-1165.patch
+ CVE-2012-0884.patch
+ bug749735.patch
+
+-------------------------------------------------------------------
+Tue Mar 27 09:16:37 UTC 2012 - gjhe@suse.com
+
+- fix bug[bnc#749735] - Memory leak when creating public keys.
+ fix bug[bnc#751977] - CMS and S/MIME Bleichenbacher attack
+ CVE-2012-0884
+
+-------------------------------------------------------------------
+Thu Mar 22 03:24:20 UTC 2012 - gjhe@suse.com
+
+- fix bug[bnc#751946] - S/MIME verification may erroneously fail
+ CVE-2012-1165
+
+-------------------------------------------------------------------
+Wed Mar 21 02:44:41 UTC 2012 - gjhe@suse.com
+
+- fix bug[bnc#749213]-Free headers after use in error message
+ and bug[bnc#749210]-Symmetric crypto errors in PKCS7_decrypt
+
+-------------------------------------------------------------------
+Tue Mar 20 14:29:24 UTC 2012 - cfarrell@suse.com
+
+- license update: OpenSSL
+
+-------------------------------------------------------------------
+Fri Feb 24 02:33:22 UTC 2012 - gjhe@suse.com
+
+- fix bug[bnc#748738] - Tolerate bad MIME headers in openssl's
+ asn1 parser.
+ CVE-2006-7250
+
+-------------------------------------------------------------------
+Thu Feb 2 06:55:12 UTC 2012 - gjhe@suse.com
+
+- Update to version 1.0.0g fix the following:
+ DTLS DoS attack (CVE-2012-0050)
+
+-------------------------------------------------------------------
+Wed Jan 11 05:35:18 UTC 2012 - gjhe@suse.com
+
+- Update to version 1.0.0f fix the following:
+ DTLS Plaintext Recovery Attack (CVE-2011-4108)
+ Uninitialized SSL 3.0 Padding (CVE-2011-4576)
+ Malformed RFC 3779 Data Can Cause Assertion Failures (CVE-2011-4577)
+ SGC Restart DoS Attack (CVE-2011-4619)
+ Invalid GOST parameters DoS Attack (CVE-2012-0027)
+
+-------------------------------------------------------------------
+Tue Oct 18 16:43:50 UTC 2011 - crrodriguez@opensuse.org
+
+- AES-NI: Check the return value of Engine_add()
+ if the ENGINE_add() call fails: it ends up adding a reference
+ to a freed up ENGINE which is likely to subsequently contain garbage
+ This will happen if an ENGINE with the same name is added multiple
+ times,for example different libraries. [bnc#720601]
+
+-------------------------------------------------------------------
+Sat Oct 8 21:36:58 UTC 2011 - crrodriguez@opensuse.org
+
+- Build with -DSSL_FORBID_ENULL so servers are not
+ able to use the NULL encryption ciphers (Those offering no
+ encryption whatsoever).
+
+-------------------------------------------------------------------
+Wed Sep 7 14:29:41 UTC 2011 - crrodriguez@opensuse.org
+
+- Update to openssl 1.0.0e fixes CVE-2011-3207 and CVE-2011-3210
+ see http://openssl.org/news/secadv_20110906.txt for details.
+
+-------------------------------------------------------------------
+Sat Aug 6 00:33:47 UTC 2011 - crrodriguez@opensuse.org
+
+- Add upstream patch that calls ENGINE_register_all_complete()
+ in ENGINE_load_builtin_engines() saving us from adding dozens
+ of calls to such function to calling applications.
+
+-------------------------------------------------------------------
+Fri Aug 5 19:09:42 UTC 2011 - crrodriguez@opensuse.org
+
+- remove -fno-strict-aliasing from CFLAGS no longer needed
+ and is likely to slow down stuff.
+
+-------------------------------------------------------------------
+Mon Jul 25 19:07:32 UTC 2011 - jengelh@medozas.de
+
+- Edit baselibs.conf to provide libopenssl-devel-32bit too
+
+-------------------------------------------------------------------
+Fri Jun 24 04:51:50 UTC 2011 - gjhe@novell.com
+
+- update to latest stable version 1.0.0d.
+ patch removed(already in the new package):
+ CVE-2011-0014
+ patch added:
+ ECDSA_signatures_timing_attack.patch
+
+-------------------------------------------------------------------
+Tue May 31 07:07:49 UTC 2011 - gjhe@novell.com
+
+- fix bug[bnc#693027].
+ Add protection against ECDSA timing attacks as mentioned in the paper
+ by Billy Bob Brumley and Nicola Tuveri, see:
+ http://eprint.iacr.org/2011/232.pdf
+ [Billy Bob Brumley and Nicola Tuveri]
+
+-------------------------------------------------------------------
+Mon May 16 14:38:26 UTC 2011 - andrea@opensuse.org
+
+- added openssl as dependency in the devel package
+
+-------------------------------------------------------------------
+Thu Feb 10 07:42:01 UTC 2011 - gjhe@novell.com
+
+- fix bug [bnc#670526]
+ CVE-2011-0014,OCSP stapling vulnerability
+
+-------------------------------------------------------------------
+Sat Jan 15 19:58:51 UTC 2011 - cristian.rodriguez@opensuse.org
+
+- Add patch from upstream in order to support AES-NI instruction
+ set present on current Intel and AMD processors
+
+-------------------------------------------------------------------
+Mon Jan 10 11:45:27 CET 2011 - meissner@suse.de
+
+- enable -DPURIFY to avoid valgrind errors.
+
+-------------------------------------------------------------------
+Thu Dec 9 07:04:32 UTC 2010 - gjhe@novell.com
+
+- update to stable version 1.0.0c.
+ patch included:
+ CVE-2010-1633_and_CVE-2010-0742.patch
+ patchset-19727.diff
+ CVE-2010-2939.patch
+ CVE-2010-3864.patch
+
+-------------------------------------------------------------------
+Thu Nov 18 07:53:12 UTC 2010 - gjhe@novell.com
+
+- fix bug [bnc#651003]
+ CVE-2010-3864
+
+-------------------------------------------------------------------
+Sat Sep 25 08:55:02 UTC 2010 - gjhe@novell.com
+
+- fix bug [bnc#629905]
+ CVE-2010-2939
+
+-------------------------------------------------------------------
+Wed Jul 28 20:55:18 UTC 2010 - cristian.rodriguez@opensuse.org
+
+- Exclude static libraries, see what breaks and fix that
+ instead
+
+-------------------------------------------------------------------
+Wed Jun 30 08:47:39 UTC 2010 - jengelh@medozas.de
+
+- fix two compile errors on SPARC
+
+-------------------------------------------------------------------
+Tue Jun 15 09:53:54 UTC 2010 - bg@novell.com
+
+- -fstack-protector is not supported on hppa
+
+-------------------------------------------------------------------
+Fri Jun 4 07:11:28 UTC 2010 - gjhe@novell.com
+
+- fix bnc #610642
+ CVE-2010-0742
+ CVE-2010-1633
+
+-------------------------------------------------------------------
+Mon May 31 03:06:39 UTC 2010 - gjhe@novell.com
+
+- fix bnc #610223,change Configure to tell openssl to load engines
+ from /%{_lib} instead of %{_libdir}
+
+-------------------------------------------------------------------
+Mon May 10 16:11:54 UTC 2010 - aj@suse.de
+
+- Do not compile in build time but use mtime of changes file instead.
+ This allows build-compare to identify that no changes have happened.
+
+-------------------------------------------------------------------
+Tue May 4 02:55:52 UTC 2010 - gjhe@novell.com
+
+- build libopenssl to /%{_lib} dir,and keep only one
+ libopenssl-devel for new developping programs.
+
+-------------------------------------------------------------------
+Tue Apr 27 05:44:32 UTC 2010 - gjhe@novell.com
+
+- build libopenssl and libopenssl-devel to a version directory
+
+-------------------------------------------------------------------
+Sat Apr 24 09:46:37 UTC 2010 - coolo@novell.com
+
+- buildrequire pkg-config to fix provides
+
+-------------------------------------------------------------------
+Wed Apr 21 13:54:15 UTC 2010 - lnussel@suse.de
+
+- also create old certificate hash in /etc/ssl/certs for
+ compatibility with applications that still link against 0.9.8
+
+-------------------------------------------------------------------
+Mon Apr 12 16:12:08 CEST 2010 - meissner@suse.de
+
+- Disable our own build targets, instead use the openSSL provided ones
+ as they are now good (or should be good at least).
+
+- add -Wa,--noexecstack to the Configure call, this is the upstream
+ approved way to avoid exec-stack marking
+
+-------------------------------------------------------------------
+Mon Apr 12 04:57:17 UTC 2010 - gjhe@novell.com
+
+- update to 1.0.0
+ Merge the following patches from 0.9.8k:
+ openssl-0.9.6g-alpha.diff
+ openssl-0.9.7f-ppc64.diff
+ openssl-0.9.8-flags-priority.dif
+ openssl-0.9.8-sparc.dif
+ openssl-allow-arch.diff
+ openssl-hppa-config.diff
+
+-------------------------------------------------------------------
+Fri Apr 9 11:42:51 CEST 2010 - meissner@suse.de
+
+- fixed "exectuable stack" for libcrypto.so issue on i586 by
+ adjusting the assembler output during MMX builds.
+
+-------------------------------------------------------------------
+Wed Apr 7 14:08:05 CEST 2010 - meissner@suse.de
+
+- Openssl is now partially converted to libdir usage upstream,
+ merge that in to fix lib64 builds.
+
+-------------------------------------------------------------------
+Thu Mar 25 02:18:22 UTC 2010 - gjhe@novell.com
+
+- fix security bug [bnc#590833]
+ CVE-2010-0740
+
+-------------------------------------------------------------------
+Mon Mar 22 06:29:14 UTC 2010 - gjhe@novell.com
+
+- update to version 0.9.8m
+ Merge the following patches from 0.9.8k:
+ bswap.diff
+ non-exec-stack.diff
+ openssl-0.9.6g-alpha.diff
+ openssl-0.9.7f-ppc64.diff
+ openssl-0.9.8-flags-priority.dif
+ openssl-0.9.8-sparc.dif
+ openssl-allow-arch.diff
+ openssl-hppa-config.diff
+
+-------------------------------------------------------------------
+Fri Feb 5 01:24:55 UTC 2010 - jengelh@medozas.de
+
+- build openssl for sparc64
+
+-------------------------------------------------------------------
+Mon Dec 14 16:11:11 CET 2009 - jengelh@medozas.de
+
+- add baselibs.conf as a source
+- package documentation as noarch
+
+-------------------------------------------------------------------
+Tue Nov 3 19:09:35 UTC 2009 - coolo@novell.com
+
+- updated patches to apply with fuzz=0
+
+-------------------------------------------------------------------
+Tue Sep 1 10:21:16 CEST 2009 - gjhe@novell.com
+
+- fix Bug [bnc#526319]
+
+-------------------------------------------------------------------
+Wed Aug 26 11:24:16 CEST 2009 - coolo@novell.com
+
+- use %patch0 for Patch0
+
+-------------------------------------------------------------------
+Fri Jul 3 11:53:48 CEST 2009 - gjhe@novell.com
+
+- update to version 0.9.8k
+- patches merged upstream:
+ openssl-CVE-2008-5077.patch
+ openssl-CVE-2009-0590.patch
+ openssl-CVE-2009-0591.patch
+ openssl-CVE-2009-0789.patch
+ openssl-CVE-2009-1377.patch
+ openssl-CVE-2009-1378.patch
+ openssl-CVE-2009-1379.patch
+ openssl-CVE-2009-1386.patch
+ openssl-CVE-2009-1387.patch
+
+-------------------------------------------------------------------
+Tue Jun 30 05:17:26 CEST 2009 - gjhe@novell.com
+
+- fix security bug [bnc#509031]
+ CVE-2009-1386
+ CVE-2009-1387
+
+-------------------------------------------------------------------
+Tue Jun 30 05:16:39 CEST 2009 - gjhe@novell.com
+
+- fix security bug [bnc#504687]
+ CVE-2009-1377
+ CVE-2009-1378
+ CVE-2009-1379
+
+-------------------------------------------------------------------
+Wed Apr 15 12:28:29 CEST 2009 - gjhe@suse.de
+
+- fix security bug [bnc#489641]
+ CVE-2009-0590
+ CVE-2009-0591
+ CVE-2009-0789
+
+-------------------------------------------------------------------
+Wed Jan 7 12:34:56 CET 2009 - olh@suse.de
+
+- obsolete old -XXbit packages (bnc#437293)
+
+-------------------------------------------------------------------
+Thu Dec 18 08:15:12 CET 2008 - jshi@suse.de
+
+- fix security bug [bnc#459468]
+ CVE-2008-5077
+
+-------------------------------------------------------------------
+Tue Dec 9 11:32:50 CET 2008 - xwhu@suse.de
+
+- Disable optimization for s390x
+
+-------------------------------------------------------------------
+Mon Dec 8 12:12:14 CET 2008 - xwhu@suse.de
+
+- Disable optimization of md4
+
+-------------------------------------------------------------------
+Mon Nov 10 10:22:04 CET 2008 - xwhu@suse.de
+
+- Disable optimization of ripemd [bnc#442740]
+
+-------------------------------------------------------------------
+Tue Oct 14 09:08:47 CEST 2008 - xwhu@suse.de
+
+- Passing string as struct cause openssl segment-fault [bnc#430141]
+
+-------------------------------------------------------------------
+Wed Jul 16 12:02:37 CEST 2008 - mkoenig@suse.de
+
+- do not require openssl-certs, but rather recommend it
+ to avoid dependency cycle [bnc#408865]
+
+-------------------------------------------------------------------
+Wed Jul 9 12:53:27 CEST 2008 - mkoenig@suse.de
+
+- remove the certs subpackage from the openssl package
+ and move the CA root certificates into a package of its own
+
+-------------------------------------------------------------------
+Tue Jun 24 09:09:04 CEST 2008 - mkoenig@suse.de
+
+- update to version 0.9.8h
+- openssl does not ship CA root certificates anymore
+ keep certificates that SuSE is already shipping
+- resolves bad array index (function has been removed) [bnc#356549]
+- removed patches
+ openssl-0.9.8g-fix_dh_for_certain_moduli.patch
+ openssl-CVE-2008-0891.patch
+ openssl-CVE-2008-1672.patch
+
+-------------------------------------------------------------------
+Wed May 28 15:04:08 CEST 2008 - mkoenig@suse.de
+
+- fix OpenSSL Server Name extension crash (CVE-2008-0891)
+ and OpenSSL Omit Server Key Exchange message crash (CVE-2008-1672)
+ [bnc#394317]
+
+-------------------------------------------------------------------
+Wed May 21 20:48:39 CEST 2008 - cthiel@suse.de
+
+- fix baselibs.conf
+
+-------------------------------------------------------------------
+Tue Apr 22 14:39:35 CEST 2008 - mkoenig@suse.de
+
+- add -DMD32_REG_T=int for x86_64 and ia64 [bnc#381844]
+
+-------------------------------------------------------------------
+Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de
+
+- added baselibs.conf file to build xxbit packages
+ for multilib support
+
+-------------------------------------------------------------------
+Mon Nov 5 14:27:06 CET 2007 - mkoenig@suse.de
+
+- fix Diffie-Hellman failure with certain prime lengths
+
+-------------------------------------------------------------------
+Mon Oct 22 15:00:21 CEST 2007 - mkoenig@suse.de
+
+- update to version 0.9.8g:
+ * fix some bugs introduced with 0.9.8f
+
+-------------------------------------------------------------------
+Mon Oct 15 11:17:14 CEST 2007 - mkoenig@suse.de
+
+- update to version 0.9.8f:
+ * fixes CVE-2007-3108, CVE-2007-5135, CVE-2007-4995
+- patches merged upstream:
+ openssl-0.9.8-key_length.patch
+ openssl-CVE-2007-3108-bug296511
+ openssl-CVE-2007-5135.patch
+ openssl-gcc42.patch
+ openssl-gcc42_b.patch
+ openssl-s390-config.diff
+
+-------------------------------------------------------------------
+Mon Oct 1 11:29:55 CEST 2007 - mkoenig@suse.de
+
+- fix buffer overflow CVE-2007-5135 [#329208]
+
+-------------------------------------------------------------------
+Wed Sep 5 11:39:26 CEST 2007 - mkoenig@suse.de
+
+- fix another gcc 4.2 build problem [#307669]
+
+-------------------------------------------------------------------
+Fri Aug 3 14:17:27 CEST 2007 - coolo@suse.de
+
+- provide the version obsoleted (#293401)
+
+-------------------------------------------------------------------
+Wed Aug 1 18:01:45 CEST 2007 - werner@suse.de
+
+- Add patch from CVS for RSA key reconstruction vulnerability
+ (CVE-2007-3108, VU#724968, bug #296511)
+
+-------------------------------------------------------------------
+Thu May 24 16:18:50 CEST 2007 - mkoenig@suse.de
+
+- fix build with gcc-4.2
+ openssl-gcc42.patch
+- do not install example scripts with executable permissions
+
+-------------------------------------------------------------------
+Mon Apr 30 01:32:44 CEST 2007 - ro@suse.de
+
+- adapt requires
+
+-------------------------------------------------------------------
+Fri Apr 27 15:25:13 CEST 2007 - mkoenig@suse.de
+
+- Do not use dots in package name
+- explicitly build with gcc-4.1 because of currently unresolved
+ failures with gcc-4.2
+
+-------------------------------------------------------------------
+Wed Apr 25 12:32:44 CEST 2007 - mkoenig@suse.de
+
+- Split/rename package to follow library packaging policy [#260219]
+ New package libopenssl0.9.8 containing shared libs
+ openssl-devel package renamed to libopenssl-devel
+ New package openssl-certs containing certificates
+- add zlib-devel to Requires of devel package
+- remove old Obsoletes and Conflicts
+ openssls (Last used Nov 2000)
+ ssleay (Last used 6.2)
+
+-------------------------------------------------------------------
+Mon Apr 23 11:17:57 CEST 2007 - mkoenig@suse.de
+
+- Fix key length [#254905,#262477]
+
+-------------------------------------------------------------------
+Tue Mar 6 10:38:10 CET 2007 - mkoenig@suse.de
+
+- update to version 0.9.8e:
+ * patches merged upstream:
+ openssl-CVE-2006-2940-fixup.patch
+ openssl-0.9.8d-padlock-static.patch
+
+-------------------------------------------------------------------
+Tue Jan 9 14:30:28 CET 2007 - mkoenig@suse.de
+
+- fix PadLock support [#230823]
+
+-------------------------------------------------------------------
+Thu Nov 30 14:33:51 CET 2006 - mkoenig@suse.de
+
+- enable fix for CVE-2006-2940 [#223040], SWAMP-ID 7198
+
+-------------------------------------------------------------------
+Mon Nov 6 18:35:10 CET 2006 - poeml@suse.de
+
+- configure with 'zlib' instead of 'zlib-dynamic'. Build with the
+ latter, there are problems opening the libz when running on the
+ Via Epia or vmware platforms. [#213305]
+
+-------------------------------------------------------------------
+Wed Oct 4 15:07:55 CEST 2006 - poeml@suse.de
+
+- add patch for the CVE-2006-2940 fix: the newly introduced limit
+ on DH modulus size could lead to a crash when exerted. [#208971]
+ Discovered and fixed after the 0.9.8d release.
+
+-------------------------------------------------------------------
+Fri Sep 29 18:37:01 CEST 2006 - poeml@suse.de
+
+- update to 0.9.8d
+ *) Introduce limits to prevent malicious keys being able to
+ cause a denial of service. (CVE-2006-2940)
+ *) Fix ASN.1 parsing of certain invalid structures that can result
+ in a denial of service. (CVE-2006-2937)
+ *) Fix buffer overflow in SSL_get_shared_ciphers() function.
+ (CVE-2006-3738)
+ *) Fix SSL client code which could crash if connecting to a
+ malicious SSLv2 server. (CVE-2006-4343)
+ *) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites
+ match only those. Before that, "AES256-SHA" would be interpreted
+ as a pattern and match "AES128-SHA" too (since AES128-SHA got
+ the same strength classification in 0.9.7h) as we currently only
+ have a single AES bit in the ciphersuite description bitmap.
+ That change, however, also applied to ciphersuite strings such as
+ "RC4-MD5" that intentionally matched multiple ciphersuites --
+ namely, SSL 2.0 ciphersuites in addition to the more common ones
+ from SSL 3.0/TLS 1.0.
+ So we change the selection algorithm again: Naming an explicit
+ ciphersuite selects this one ciphersuite, and any other similar
+ ciphersuite (same bitmap) from *other* protocol versions.
+ Thus, "RC4-MD5" again will properly select both the SSL 2.0
+ ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite.
+ Since SSL 2.0 does not have any ciphersuites for which the
+ 128/256 bit distinction would be relevant, this works for now.
+ The proper fix will be to use different bits for AES128 and
+ AES256, which would have avoided the problems from the beginning;
+ however, bits are scarce, so we can only do this in a new release
+ (not just a patchlevel) when we can change the SSL_CIPHER
+ definition to split the single 'unsigned long mask' bitmap into
+ multiple values to extend the available space.
+- not in mentioned in CHANGES: patch for CVE-2006-4339 corrected
+ [openssl.org #1397]
+
+-------------------------------------------------------------------
+Fri Sep 8 20:33:40 CEST 2006 - schwab@suse.de
+
+- Fix inverted logic.
+
+-------------------------------------------------------------------
+Wed Sep 6 17:56:08 CEST 2006 - poeml@suse.de
+
+- update to 0.9.8c
+ Changes between 0.9.8b and 0.9.8c [05 Sep 2006]
+ *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
+ (CVE-2006-4339) [Ben Laurie and Google Security Team]
+ *) Add AES IGE and biIGE modes. [Ben Laurie]
+ *) Change the Unix randomness entropy gathering to use poll() when
+ possible instead of select(), since the latter has some
+ undesirable limitations. [Darryl Miles via Richard Levitte and Bodo Moeller]
+ *) Disable "ECCdraft" ciphersuites more thoroughly. Now special
+ treatment in ssl/ssl_ciph.s makes sure that these ciphersuites
+ cannot be implicitly activated as part of, e.g., the "AES" alias.
+ However, please upgrade to OpenSSL 0.9.9[-dev] for
+ non-experimental use of the ECC ciphersuites to get TLS extension
+ support, which is required for curve and point format negotiation
+ to avoid potential handshake problems. [Bodo Moeller]
+ *) Disable rogue ciphersuites:
+ - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
+ - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
+ - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
+ The latter two were purportedly from
+ draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
+ appear there.
+ Also deactive the remaining ciphersuites from
+ draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as
+ unofficial, and the ID has long expired. [Bodo Moeller]
+ *) Fix RSA blinding Heisenbug (problems sometimes occured on
+ dual-core machines) and other potential thread-safety issues.
+ [Bodo Moeller]
+ *) Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
+ versions), which is now available for royalty-free use
+ (see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html).
+ Also, add Camellia TLS ciphersuites from RFC 4132.
+ To minimize changes between patchlevels in the OpenSSL 0.9.8
+ series, Camellia remains excluded from compilation unless OpenSSL
+ is configured with 'enable-camellia'. [NTT]
+ *) Disable the padding bug check when compression is in use. The padding
+ bug check assumes the first packet is of even length, this is not
+ necessarily true if compresssion is enabled and can result in false
+ positives causing handshake failure. The actual bug test is ancient
+ code so it is hoped that implementations will either have fixed it by
+ now or any which still have the bug do not support compression.
+ [Steve Henson]
+ Changes between 0.9.8a and 0.9.8b [04 May 2006]
+ *) When applying a cipher rule check to see if string match is an explicit
+ cipher suite and only match that one cipher suite if it is. [Steve Henson]
+ *) Link in manifests for VC++ if needed. [Austin Ziegler <halostatue@gmail.com>]
+ *) Update support for ECC-based TLS ciphersuites according to
+ draft-ietf-tls-ecc-12.txt with proposed changes (but without
+ TLS extensions, which are supported starting with the 0.9.9
+ branch, not in the OpenSSL 0.9.8 branch). [Douglas Stebila]
+ *) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support
+ opaque EVP_CIPHER_CTX handling. [Steve Henson]
+ *) Fixes and enhancements to zlib compression code. We now only use
+ "zlib1.dll" and use the default __cdecl calling convention on Win32
+ to conform with the standards mentioned here:
+ http://www.zlib.net/DLL_FAQ.txt
+ Static zlib linking now works on Windows and the new --with-zlib-include
+ --with-zlib-lib options to Configure can be used to supply the location
+ of the headers and library. Gracefully handle case where zlib library
+ can't be loaded. [Steve Henson]
+ *) Several fixes and enhancements to the OID generation code. The old code
+ sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't
+ handle numbers larger than ULONG_MAX, truncated printing and had a
+ non standard OBJ_obj2txt() behaviour. [Steve Henson]
+ *) Add support for building of engines under engine/ as shared libraries
+ under VC++ build system. [Steve Henson]
+ *) Corrected the numerous bugs in the Win32 path splitter in DSO.
+ Hopefully, we will not see any false combination of paths any more.
+ [Richard Levitte]
+- enable Camellia cipher. There is a royalty free license to the
+ patents, see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html.
+ NOTE: the license forbids patches to the cipher.
+- build with zlib-dynamic and add zlib-devel to BuildRequires.
+ Allows compression of data in TLS, although few application would
+ actually use it since there is no standard for negotiating the
+ compression method. The only one I know if is stunnel.
+
+-------------------------------------------------------------------
+Fri Jun 2 15:00:58 CEST 2006 - poeml@suse.de
+
+- fix built-in ENGINESDIR for 64 bit architectures. We change only
+ the builtin search path for engines, not the path where engines
+ are packaged. Path can be overridden with the OPENSSL_ENGINES
+ environment variable. [#179094]
+
+-------------------------------------------------------------------
+Wed Jan 25 21:30:41 CET 2006 - mls@suse.de
+
+- converted neededforbuild to BuildRequires
+
+-------------------------------------------------------------------
+Mon Jan 16 13:13:13 CET 2006 - mc@suse.de
+
+- fix build problems on s390x (openssl-s390-config.diff)
+- build with -fstack-protector
+
+-------------------------------------------------------------------
+Mon Nov 7 16:30:49 CET 2005 - dmueller@suse.de
+
+- build with non-executable stack
+
+-------------------------------------------------------------------
+Thu Oct 20 17:37:47 CEST 2005 - poeml@suse.de
+
+- fix unguarded free() which can cause a segfault in the ca
+ commandline app [#128655]
+
+-------------------------------------------------------------------
+Thu Oct 13 15:10:28 CEST 2005 - poeml@suse.de
+
+- add Geotrusts Equifax Root1 CA certificate, which needed to
+ verify the authenticity of you.novell.com [#121966]
+
+-------------------------------------------------------------------
+Tue Oct 11 15:34:07 CEST 2005 - poeml@suse.de
+
+- update to 0.9.8a
+ *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
+ (part of SSL_OP_ALL). This option used to disable the
+ countermeasure against man-in-the-middle protocol-version
+ rollback in the SSL 2.0 server implementation, which is a bad
+ idea. (CAN-2005-2969)
+ *) Add two function to clear and return the verify parameter flags.
+ *) Keep cipherlists sorted in the source instead of sorting them at
+ runtime, thus removing the need for a lock.
+ *) Avoid some small subgroup attacks in Diffie-Hellman.
+ *) Add functions for well-known primes.
+ *) Extended Windows CE support.
+ *) Initialize SSL_METHOD structures at compile time instead of during
+ runtime, thus removing the need for a lock.
+ *) Make PKCS7_decrypt() work even if no certificate is supplied by
+ attempting to decrypt each encrypted key in turn. Add support to
+ smime utility.
+
+-------------------------------------------------------------------
+Thu Sep 29 18:53:08 CEST 2005 - poeml@suse.de
+
+- update to 0.9.8
+ see CHANGES file or http://www.openssl.org/news/changelog.html
+- adjust patches
+- drop obsolete openssl-no-libc.diff
+- disable libica patch until it has been ported
+
+-------------------------------------------------------------------
+Fri May 20 11:27:12 CEST 2005 - poeml@suse.de
+
+- update to 0.9.7g. The significant changes are:
+ *) Fixes for newer kerberos headers. NB: the casts are needed because
+ the 'length' field is signed on one version and unsigned on another
+ with no (?) obvious way to tell the difference, without these VC++
+ complains. Also the "definition" of FAR (blank) is no longer included
+ nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up
+ some needed definitions.
+ *) Added support for proxy certificates according to RFC 3820.
+ Because they may be a security thread to unaware applications,
+ they must be explicitely allowed in run-time. See
+ docs/HOWTO/proxy_certificates.txt for further information.
+
+-------------------------------------------------------------------
+Tue May 17 16:28:51 CEST 2005 - schwab@suse.de
+
+- Include %cflags_profile_generate in ${CC} since it is required for
+ linking as well.
+- Remove explicit reference to libc.
+
+-------------------------------------------------------------------
+Fri Apr 8 17:27:27 CEST 2005 - poeml@suse.de
+
+- update to 0.9.7f. The most significant changes are:
+ o Several compilation issues fixed.
+ o Many memory allocation failure checks added.
+ o Improved comparison of X509 Name type.
+ o Mandatory basic checks on certificates.
+ o Performance improvements.
+ (for a complete list see http://www.openssl.org/source/exp/CHANGES)
+- adjust openssl-0.9.7f-ppc64.diff
+- drop obsolete openssl-0.9.7d-crl-default_md.dif [#55435]
+
+-------------------------------------------------------------------
+Tue Jan 4 16:47:02 CET 2005 - poeml@suse.de
+
+- update to 0.9.7e
+ *) Avoid a race condition when CRLs are checked in a multi
+ threaded environment. This would happen due to the reordering
+ of the revoked entries during signature checking and serial
+ number lookup. Now the encoding is cached and the serial
+ number sort performed under a lock. Add new STACK function
+ sk_is_sorted().
+ *) Add Delta CRL to the extension code.
+ *) Various fixes to s3_pkt.c so alerts are sent properly.
+ *) Reduce the chances of duplicate issuer name and serial numbers
+ (in violation of RFC3280) using the OpenSSL certificate
+ creation utilities. This is done by creating a random 64 bit
+ value for the initial serial number when a serial number file
+ is created or when a self signed certificate is created using
+ 'openssl req -x509'. The initial serial number file is created
+ using 'openssl x509 -next_serial' in CA.pl rather than being
+ initialized to 1.
+- remove obsolete patches
+- fix openssl-0.9.7d-padlock-glue.diff and ICA patch to patch
+ Makefile, not Makefile.ssl
+- fixup for spaces in names of man pages not needed now
+- pack /usr/bin/openssl_fips_fingerprint
+- in rpm post/postun script, run /sbin/ldconfig directly (the macro
+ is deprecated)
+
+-------------------------------------------------------------------
+Mon Oct 18 15:03:28 CEST 2004 - poeml@suse.de
+
+- don't install openssl.doxy file [#45210]
+
+-------------------------------------------------------------------
+Thu Jul 29 16:56:44 CEST 2004 - poeml@suse.de
+
+- apply patch from CVS to fix segfault in S/MIME encryption
+ (http://cvs.openssl.org/chngview?cn=12081, regression in
+ openssl-0.9.7d) [#43386]
+
+-------------------------------------------------------------------
+Mon Jul 12 15:22:31 CEST 2004 - mludvig@suse.cz
+
+- Updated VIA PadLock engine.
+
+-------------------------------------------------------------------
+Wed Jun 30 21:45:01 CEST 2004 - mludvig@suse.cz
+
+- Updated openssl-0.9.7d-padlock-engine.diff with support for
+ AES192, AES256 and RNG.
+
+-------------------------------------------------------------------
+Tue Jun 15 16:18:36 CEST 2004 - poeml@suse.de
+
+- update IBM ICA patch to last night's version. Fixes ibmca_init()
+ to reset ibmca_dso=NULL after calling DSO_free(), if the device
+ driver could not be loaded. The bug lead to a segfault triggered
+ by stunnel, which does autoload available engines [#41874]
+- patch from CVS: make stack API more robust (return NULL for
+ out-of-range indexes). Fixes another possible segfault during
+ engine detection (could also triggered by stunnel)
+- add patch from Michal Ludvig for VIA PadLock support
+
+-------------------------------------------------------------------
+Wed Jun 2 20:44:40 CEST 2004 - poeml@suse.de
+
+- add root certificate for the ICP-Brasil CA [#41546]
+
+-------------------------------------------------------------------
+Thu May 13 19:53:48 CEST 2004 - poeml@suse.de
+
+- add patch to use default_md for CRLs too [#40435]
+
+-------------------------------------------------------------------
+Tue May 4 20:45:19 CEST 2004 - poeml@suse.de
+
+- update ICA patch to apr292004 release [#39695]
+
+-------------------------------------------------------------------
+Thu Mar 18 13:47:09 CET 2004 - poeml@suse.de
+
+- update to 0.9.7d
+ o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug
+ (CAN-2004-0112)
+ o Security: Fix null-pointer assignment in do_change_cipher_spec()
+ (CAN-2004-0079)
+ o Allow multiple active certificates with same subject in CA index
+ o Multiple X590 verification fixes
+ o Speed up HMAC and other operations
+- remove the hunk from openssl-0.9.6d.dif that added NO_IDEA around
+ IDEA_128_CBC_WITH_MD5 in the global cipher list. Upstream now has
+ OPENSSL_NO_IDEA around it
+- [#36386] fixed (broken generation of EVP_BytesToKey.3ssl from the
+ pod file)
+- permissions of lib/pkgconfig fixed
+
+-------------------------------------------------------------------
+Wed Feb 25 20:42:39 CET 2004 - poeml@suse.de
+
+- update to 0.9.7c
+ *) Fix various bugs revealed by running the NISCC test suite:
+ Stop out of bounds reads in the ASN1 code when presented with
+ invalid tags (CAN-2003-0543 and CAN-2003-0544).
+ Free up ASN1_TYPE correctly if ANY type is invalid (CAN-2003-0545).
+ If verify callback ignores invalid public key errors don't try to check
+ certificate signature with the NULL public key.
+ *) New -ignore_err option in ocsp application to stop the server
+ exiting on the first error in a request.
+ *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
+ if the server requested one: as stated in TLS 1.0 and SSL 3.0
+ specifications.
+ *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
+ extra data after the compression methods not only for TLS 1.0
+ but also for SSL 3.0 (as required by the specification).
+ *) Change X509_certificate_type() to mark the key as exported/exportable
+ when it's 512 *bits* long, not 512 bytes.
+ *) Change AES_cbc_encrypt() so it outputs exact multiple of
+ blocks during encryption.
+ *) Various fixes to base64 BIO and non blocking I/O. On write
+ flushes were not handled properly if the BIO retried. On read
+ data was not being buffered properly and had various logic bugs.
+ This also affects blocking I/O when the data being decoded is a
+ certain size.
+ *) Various S/MIME bugfixes and compatibility changes:
+ output correct application/pkcs7 MIME type if
+ PKCS7_NOOLDMIMETYPE is set. Tolerate some broken signatures.
+ Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening
+ of files as .eml work). Correctly handle very long lines in MIME
+ parser.
+- update ICA patch
+ quote: This version of the engine patch has updated error handling in
+ the DES/SHA code, and turns RSA blinding off for hardware
+ accelerated RSA ops.
+- filenames of some man pages contain spaces now. Replace them with
+ underscores
+- fix compiler warnings in showciphers.c
+- fix permissions of /usr/%_lib/pkgconfig
+
+-------------------------------------------------------------------
+Sat Jan 10 10:55:59 CET 2004 - adrian@suse.de
+
+- add %run_ldconfig
+- remove unneeded PreRequires
+
+-------------------------------------------------------------------
+Tue Nov 18 14:07:53 CET 2003 - poeml@suse.de
+
+- ditch annoying mail to root about moved locations [#31969]
+
+-------------------------------------------------------------------
+Wed Aug 13 22:30:13 CEST 2003 - poeml@suse.de
+
+- enable profile feedback based optimizations (except AES which
+ becomes slower)
+- add -fno-strict-aliasing, due to warnings about code where
+ dereferencing type-punned pointers will break strict aliasing
+- make a readlink function if readlink is not available
+
+-------------------------------------------------------------------
+Mon Aug 4 16:16:57 CEST 2003 - ro@suse.de
+
+- fixed manpages symlinks
+
+-------------------------------------------------------------------
+Wed Jul 30 15:37:37 CEST 2003 - meissner@suse.de
+
+- Fix Makefile to create pkgconfig file with lib64 on lib64 systems.
+
+-------------------------------------------------------------------
+Sun Jul 27 15:51:04 CEST 2003 - poeml@suse.de
+
+- don't explicitely strip binaries since RPM handles it, and may
+ keep the stripped information somewhere
+
+-------------------------------------------------------------------
+Tue Jul 15 16:29:16 CEST 2003 - meissner@suse.de
+
+- -DMD32_REG_T=int for ppc64 and s390x.
+
+-------------------------------------------------------------------
+Thu Jul 10 23:14:22 CEST 2003 - poeml@suse.de
+
+- update ibm ICA patch to 20030708 release (libica-1.3)
+
+-------------------------------------------------------------------
+Mon May 12 23:27:07 CEST 2003 - poeml@suse.de
+
+- package the openssl.pc file for pkgconfig
+
+-------------------------------------------------------------------
+Wed Apr 16 16:04:32 CEST 2003 - poeml@suse.de
+
+- update to 0.9.7b. The most significant changes are:
+ o New library section OCSP.
+ o Complete rewrite of ASN1 code.
+ o CRL checking in verify code and openssl utility.
+ o Extension copying in 'ca' utility.
+ o Flexible display options in 'ca' utility.
+ o Provisional support for international characters with UTF8.
+ o Support for external crypto devices ('engine') is no longer
+ a separate distribution.
+ o New elliptic curve library section.
+ o New AES (Rijndael) library section.
+ o Support for new platforms: Windows CE, Tandem OSS, A/UX, AIX 64-bit,
+ Linux x86_64, Linux 64-bit on Sparc v9
+ o Extended support for some platforms: VxWorks
+ o Enhanced support for shared libraries.
+ o Now only builds PIC code when shared library support is requested.
+ o Support for pkg-config.
+ o Lots of new manuals.
+ o Makes symbolic links to or copies of manuals to cover all described
+ functions.
+ o Change DES API to clean up the namespace (some applications link also
+ against libdes providing similar functions having the same name).
+ Provide macros for backward compatibility (will be removed in the
+ future).
+ o Unify handling of cryptographic algorithms (software and engine)
+ to be available via EVP routines for asymmetric and symmetric ciphers.
+ o NCONF: new configuration handling routines.
+ o Change API to use more 'const' modifiers to improve error checking
+ and help optimizers.
+ o Finally remove references to RSAref.
+ o Reworked parts of the BIGNUM code.
+ o Support for new engines: Broadcom ubsec, Accelerated Encryption
+ Processing, IBM 4758.
+ o A few new engines added in the demos area.
+ o Extended and corrected OID (object identifier) table.
+ o PRNG: query at more locations for a random device, automatic query for
+ EGD style random sources at several locations.
+ o SSL/TLS: allow optional cipher choice according to server's preference.
+ o SSL/TLS: allow server to explicitly set new session ids.
+ o SSL/TLS: support Kerberos cipher suites (RFC2712).
+ Only supports MIT Kerberos for now.
+ o SSL/TLS: allow more precise control of renegotiations and sessions.
+ o SSL/TLS: add callback to retrieve SSL/TLS messages.
+ o SSL/TLS: support AES cipher suites (RFC3268).
+- adapt the ibmca patch
+- remove openssl-nocrypt.diff, openssl's crypt() vanished
+- configuration syntax has changed ($sys_id added before $lflags)
+
+-------------------------------------------------------------------
+Thu Feb 20 11:55:34 CET 2003 - poeml@suse.de
+
+- update to bugfix release 0.9.6i:
+ - security fix: In ssl3_get_record (ssl/s3_pkt.c), minimize
+ information leaked via timing by performing a MAC computation
+ even if incorrrect block cipher padding has been found. This
+ is a countermeasure against active attacks where the attacker
+ has to distinguish between bad padding and a MAC verification
+ error. (CAN-2003-0078)
+ - a few more small bugfixes (mainly missing assertions)
+
+-------------------------------------------------------------------
+Fri Dec 6 10:07:20 CET 2002 - poeml@suse.de
+
+- update to 0.9.6h (last release in the 0.9.6 series)
+ o New configuration targets for Tandem OSS and A/UX.
+ o New OIDs for Microsoft attributes.
+ o Better handling of SSL session caching.
+ o Better comparison of distinguished names.
+ o Better handling of shared libraries in a mixed GNU/non-GNU environment.
+ o Support assembler code with Borland C.
+ o Fixes for length problems.
+ o Fixes for uninitialised variables.
+ o Fixes for memory leaks, some unusual crashes and some race conditions.
+ o Fixes for smaller building problems.
+ o Updates of manuals, FAQ and other instructive documents.
+- add a call to make depend
+- fix sed expression (lib -> lib64) to replace multiple occurences
+ on one line
+
+-------------------------------------------------------------------
+Mon Nov 4 13:16:09 CET 2002 - stepan@suse.de
+
+- fix openssl for alpha ev56 cpus
+
+-------------------------------------------------------------------
+Thu Oct 24 12:57:36 CEST 2002 - poeml@suse.de
+
+- own the /usr/share/ssl directory [#20849]
+- openssl-hppa-config.diff can be applied on all architectures
+
+-------------------------------------------------------------------
+Mon Sep 30 16:07:49 CEST 2002 - bg@suse.de
+
+- enable hppa distribution; use only pa1.1 architecture.
+
+-------------------------------------------------------------------
+Tue Sep 17 17:13:46 CEST 2002 - froh@suse.de
+
+- update ibm-hardware-crypto-patch to ibmca.patch-0.96e-2 (#18953)
+
+-------------------------------------------------------------------
+Mon Aug 12 18:34:58 CEST 2002 - poeml@suse.de
+
+- update to 0.9.6g and drop the now included ASN1 check patch.
+ Other change:
+ - Use proper error handling instead of 'assertions' in buffer
+ overflow checks added in 0.9.6e. This prevents DoS (the
+ assertions could call abort()).
+
+-------------------------------------------------------------------
+Fri Aug 9 19:49:59 CEST 2002 - kukuk@suse.de
+
+- Fix requires of openssl-devel subpackage
+
+-------------------------------------------------------------------
+Tue Aug 6 15:18:59 MEST 2002 - draht@suse.de
+
+- Correction for changes in the ASN1 code, assembled in
+ openssl-0.9.6e-cvs-20020802-asn1_lib.diff
+
+-------------------------------------------------------------------
+Thu Aug 1 00:53:33 CEST 2002 - poeml@suse.de
+
+- update to 0.9.6e. Major changes:
+ o Various security fixes (sanity checks to asn1_get_length(),
+ various remote buffer overflows)
+ o new option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, disabling the
+ countermeasure against a vulnerability in the CBC ciphersuites
+ in SSL 3.0/TLS 1.0 that was added in 0.9.6d which turned out to
+ be incompatible with buggy SSL implementations
+- update ibmca crypto hardware patch (security issues fixed)
+- gcc 3.1 version detection is fixed, we can drop the patch
+- move the most used man pages from the -doc to the main package
+ [#9913] and resolve man page conflicts by putting them into ssl
+ sections [#17239]
+- spec file: use PreReq for %post script
+
+-------------------------------------------------------------------
+Fri Jul 12 17:59:10 CEST 2002 - poeml@suse.de
+
+- update to 0.9.6d. Major changes:
+ o Various SSL/TLS library bugfixes.
+ o Fix DH parameter generation for 'non-standard' generators.
+ Complete Changelog: http://www.openssl.org/news/changelog.html
+- supposed to fix a session caching failure occuring with postfix
+- simplify local configuration for the architectures
+- there's a new config variable: $shared_ldflag
+- use RPM_OPT_FLAGS in favor of predifined cflags by appending them
+ at the end
+- validate config data (config --check-sanity)
+- resolve file conflict of /usr/share/man/man1/openssl.1.gz [#15982]
+- move configuration to /etc/ssl [#14387]
+- mark openssl.cnf %config (noreplace)
+
+-------------------------------------------------------------------
+Sat Jul 6 20:28:56 CEST 2002 - schwab@suse.de
+
+- Include <crypt.h> to get crypt prototype.
+
+-------------------------------------------------------------------
+Fri Jul 5 08:51:16 CEST 2002 - kukuk@suse.de
+
+- Remove crypt prototype from des.h header file, too.
+
+-------------------------------------------------------------------
+Mon Jun 10 11:38:16 CEST 2002 - meissner@suse.de
+
+- enhanced ppc64 support (needs seperate config), reenabled make check
+
+-------------------------------------------------------------------
+Fri May 31 14:54:06 CEST 2002 - olh@suse.de
+
+- add ppc64 support, temporary disable make check
+
+-------------------------------------------------------------------
+Thu Apr 18 16:30:01 CEST 2002 - meissner@suse.de
+
+- fixed x86_64 build, added bc to needed_for_build (used by tests)
+
+-------------------------------------------------------------------
+Wed Apr 17 16:56:34 CEST 2002 - ro@suse.de
+
+- fixed gcc version determination
+- drop sun4c support/always use sparcv8
+- ignore return code from showciphers
+
+-------------------------------------------------------------------
+Fri Mar 15 16:54:44 CET 2002 - poeml@suse.de
+
+- add settings for sparc to build shared objects. Note that all
+ sparcs (sun4[mdu]) are recognized as linux-sparcv7
+
+-------------------------------------------------------------------
+Wed Feb 6 14:23:44 CET 2002 - kukuk@suse.de
+
+- Remove crypt function from libcrypto.so.0 [Bug #13056]
+
+-------------------------------------------------------------------
+Sun Feb 3 22:32:16 CET 2002 - poeml@suse.de
+
+- add settings for mips to build shared objects
+- print out all settings to the build log
+
+-------------------------------------------------------------------
+Tue Jan 29 12:42:58 CET 2002 - poeml@suse.de
+
+- update to 0.9.6c:
+ o bug fixes
+ o support for hardware crypto devices (Cryptographic Appliances,
+ Broadcom, and Accelerated Encryption Processing)
+- add IBMCA patch for IBM eServer Cryptographic Accelerator Device
+ Driver (#12565) (forward ported from 0.9.6b)
+ (http://www-124.ibm.com/developerworks/projects/libica/)
+- tell Configure how to build shared libs for s390 and s390x
+- tweak Makefile.org to use %_libdir
+- clean up spec file
+- add README.SuSE as source file instead of in a patch
+
+-------------------------------------------------------------------
+Wed Dec 5 10:59:59 CET 2001 - uli@suse.de
+
+- disabled "make test" for ARM (destest segfaults, the other tests
+ seem to succeed)
+
+-------------------------------------------------------------------
+Wed Dec 5 02:39:16 CET 2001 - ro@suse.de
+
+- removed subpackage src
+
+-------------------------------------------------------------------
+Wed Nov 28 13:28:42 CET 2001 - uli@suse.de
+
+- needs -ldl on ARM, too
+
+-------------------------------------------------------------------
+Mon Nov 19 17:48:31 MET 2001 - mls@suse.de
+
+- made mips big endian, fixed shared library creation for mips
+
+-------------------------------------------------------------------
+Fri Aug 31 11:19:46 CEST 2001 - rolf@suse.de
+
+- added root certificates [BUG#9913]
+- move from /usr/ssh to /usr/share/ssl
+
+-------------------------------------------------------------------
+Wed Jul 18 10:27:54 CEST 2001 - rolf@suse.de
+
+- update to 0.9.6b
+- switch to engine version of openssl, which supports hardware
+ encryption for a few popular devices
+- check wether shared libraries have been generated
+
+-------------------------------------------------------------------
+Thu Jul 5 15:06:03 CEST 2001 - rolf@suse.de
+
+- appliy PRNG security patch
+
+-------------------------------------------------------------------
+Tue Jun 12 10:52:34 EDT 2001 - bk@suse.de
+
+- added support for s390x
+
+-------------------------------------------------------------------
+Mon May 7 21:02:30 CEST 2001 - kukuk@suse.de
+
+- Fix building of shared libraries on SPARC, too.
+
+-------------------------------------------------------------------
+Mon May 7 11:36:53 MEST 2001 - rolf@suse.de
+
+- Fix ppc and s390 shared library builds
+- resolved conflict in manpage naming:
+ rand.3 is now sslrand.3 [BUG#7643]
+
+-------------------------------------------------------------------
+Tue May 1 22:32:48 CEST 2001 - schwab@suse.de
+
+- Fix ia64 configuration.
+- Fix link command.
+
+-------------------------------------------------------------------
+Thu Apr 26 03:17:52 CEST 2001 - bjacke@suse.de
+
+- updated to 0.96a
+
+-------------------------------------------------------------------
+Wed Apr 18 12:56:48 CEST 2001 - kkaempf@suse.de
+
+- provide .so files in -devel package only
+
+-------------------------------------------------------------------
+Tue Apr 17 02:45:36 CEST 2001 - bjacke@suse.de
+
+- resolve file name conflict (#6966)
+
+-------------------------------------------------------------------
+Wed Mar 21 10:12:59 MET 2001 - rolf@suse.de
+
+- new subpackage openssl-src [BUG#6383]
+- added README.SuSE which explains where to find the man pages [BUG#6717]
+
+-------------------------------------------------------------------
+Fri Dec 15 18:09:16 CET 2000 - sf@suse.de
+
+- changed CFLAG to -O1 to make the tests run successfully
+
+-------------------------------------------------------------------
+Mon Dec 11 13:33:55 CET 2000 - rolf@suse.de
+
+- build openssl with no-idea and no-rc5 to meet US & RSA regulations
+- build with -fPIC on all platforms (especially IA64)
+
+-------------------------------------------------------------------
+Wed Nov 22 11:27:39 MET 2000 - rolf@suse.de
+
+- rename openssls to openssl-devel and add shared libs and header files
+- new subpackge openssl-doc for manpages and documentation
+- use BuildRoot
+
+-------------------------------------------------------------------
+Fri Oct 27 16:53:45 CEST 2000 - schwab@suse.de
+
+- Add link-time links for libcrypto and libssl.
+- Make sure that LD_LIBRARY_PATH is passed down to sub-makes.
+
+-------------------------------------------------------------------
+Mon Oct 2 17:33:07 MEST 2000 - rolf@suse.de
+
+- update to 0.9.6
+
+-------------------------------------------------------------------
+Mon Apr 10 23:04:15 CEST 2000 - bk@suse.de
+
+- fix support for s390-linux
+
+-------------------------------------------------------------------
+Mon Apr 10 18:01:46 MEST 2000 - rolf@suse.de
+
+- new version 0.9.5a
+
+-------------------------------------------------------------------
+Sun Apr 9 02:51:42 CEST 2000 - bk@suse.de
+
+- add support for s390-linux
+
+-------------------------------------------------------------------
+Mon Mar 27 19:25:25 CEST 2000 - kukuk@suse.de
+
+- Use sparcv7 for SPARC
+
+-------------------------------------------------------------------
+Wed Mar 1 16:42:00 MET 2000 - rolf@suse.de
+
+- move manpages back, as too many conflict with system manuals
+
+-------------------------------------------------------------------
+Wed Mar 1 11:23:21 MET 2000 - rolf@suse.de
+
+- move manpages to %{_mandir}
+- include static libraries
+
+-------------------------------------------------------------------
+Wed Mar 1 02:52:17 CET 2000 - bk@suse.de
+
+- added subpackage source openssls, needed for ppp_ssl
+
+-------------------------------------------------------------------
+Tue Feb 29 12:50:48 MET 2000 - rolf@suse.de
+
+- new version 0.9.5
+
+-------------------------------------------------------------------
+Thu Feb 24 15:43:38 CET 2000 - schwab@suse.de
+
+- add support for ia64-linux
+
+-------------------------------------------------------------------
+Mon Jan 31 13:05:59 CET 2000 - kukuk@suse.de
+
+- Create and add libcrypto.so.0 and libssl.so.0
+
+-------------------------------------------------------------------
+Mon Sep 13 17:23:57 CEST 1999 - bs@suse.de
+
+- ran old prepare_spec on spec file to switch to new prepare_spec.
+
+-------------------------------------------------------------------
+Wed Sep 1 12:30:08 MEST 1999 - rolf@suse.de
+
+- new version 0.9.4
+
+-------------------------------------------------------------------
+Wed May 26 16:26:49 MEST 1999 - rolf@suse.de
+
+- new version 0.9.3 with new layout
+- alpha asm disabled by default now, no patch needed
+
+-------------------------------------------------------------------
+Thu May 20 09:38:09 MEST 1999 - ro@suse.de
+
+- disable asm for alpha: seems incomplete
+
+-------------------------------------------------------------------
+Mon May 17 17:43:34 MEST 1999 - rolf@suse.de
+
+- don't use -DNO_IDEA
+
+-------------------------------------------------------------------
+Wed May 12 16:10:03 MEST 1999 - rolf@suse.de
+
+- first version 0.9.2b
diff --git a/packaging/openssl.spec b/packaging/openssl.spec
new file mode 100644
index 0000000..a876ef1
--- /dev/null
+++ b/packaging/openssl.spec
@@ -0,0 +1,377 @@
+Name: openssl
+BuildRequires: bc
+BuildRequires: ed
+BuildRequires: pkg-config
+BuildRequires: zlib-devel
+%define ssletcdir %{_sysconfdir}/ssl
+#%define num_version %(echo "%{version}" | sed -e "s+[a-zA-Z]++g; s+_.*++g")
+%define num_version 1.0.0
+Provides: ssl
+Version: 1.0.1c
+Release: 0
+Summary: Secure Sockets and Transport Layer Security
+License: OpenSSL
+Group: Productivity/Networking/Security
+Url: http://www.openssl.org/
+Source: http://www.%{name}.org/source/%{name}-%{version}.tar.gz
+# to get mtime of file:
+Source1: openssl.changes
+Source2: baselibs.conf
+Patch0: merge_from_0.9.8k.patch
+Patch1: openssl-1.0.0-c_rehash-compat.diff
+Patch2: bug610223.patch
+Patch3: openssl-ocloexec.patch
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
+
+%description
+The OpenSSL Project is a collaborative effort to develop a robust,
+commercial-grade, full-featured, and open source toolkit implementing
+the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS
+v1) protocols with full-strength cryptography. The project is managed
+by a worldwide community of volunteers that use the Internet to
+communicate, plan, and develop the OpenSSL toolkit and its related
+documentation.
+
+Derivation and License
+
+OpenSSL is based on the excellent SSLeay library developed by Eric A.
+Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an
+Apache-style license, which basically means that you are free to get it
+and to use it for commercial and noncommercial purposes.
+
+
+
+Authors:
+--------
+ Mark J. Cox <mark@openssl.org>
+ Ralf S. Engelschall <rse@openssl.org>
+ Dr. Stephen Henson <steve@openssl.org>
+ Ben Laurie <ben@openssl.org>
+ Bodo Moeller <bodo@openssl.org>
+ Ulf Moeller <ulf@openssl.org>
+ Holger Reif <holger@openssl.org>
+ Paul C. Sutton <paul@openssl.org>
+
+%package -n libopenssl
+Summary: Secure Sockets and Transport Layer Security
+Group: Productivity/Networking/Security
+
+%description -n libopenssl
+The OpenSSL Project is a collaborative effort to develop a robust,
+commercial-grade, full-featured, and open source toolkit implementing
+the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS
+v1) protocols with full-strength cryptography. The project is managed
+by a worldwide community of volunteers that use the Internet to
+communicate, plan, and develop the OpenSSL toolkit and its related
+documentation.
+
+Derivation and License
+
+OpenSSL is based on the excellent SSLeay library developed by Eric A.
+Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an
+Apache-style license, which basically means that you are free to get it
+and to use it for commercial and noncommercial purposes.
+
+
+
+Authors:
+--------
+ Mark J. Cox <mark@openssl.org>
+ Ralf S. Engelschall <rse@openssl.org>
+ Dr. Stephen Henson <steve@openssl.org>
+ Ben Laurie <ben@openssl.org>
+ Bodo Moeller <bodo@openssl.org>
+ Ulf Moeller <ulf@openssl.org>
+ Holger Reif <holger@openssl.org>
+ Paul C. Sutton <paul@openssl.org>
+
+%package -n libopenssl-devel
+Summary: Include Files and Libraries mandatory for Development
+Group: Development/Libraries/C and C++
+Obsoletes: openssl-devel < %{version}
+Requires: %name = %version
+Requires: libopenssl = %{version}
+Requires: zlib-devel
+Provides: openssl-devel = %{version}
+
+%description -n libopenssl-devel
+This package contains all necessary include files and libraries needed
+to develop applications that require these.
+
+
+
+Authors:
+--------
+ Mark J. Cox <mark@openssl.org>
+ Ralf S. Engelschall <rse@openssl.org>
+ Dr. Stephen <Henson steve@openssl.org>
+ Ben Laurie <ben@openssl.org>
+ Bodo Moeller <bodo@openssl.org>
+ Ulf Moeller <ulf@openssl.org>
+ Holger Reif <holger@openssl.org>
+ Paul C. Sutton <paul@openssl.org>
+
+%package doc
+Summary: Additional Package Documentation
+Group: Productivity/Networking/Security
+BuildArch: noarch
+
+%description doc
+This package contains optional documentation provided in addition to
+this package's base documentation.
+
+
+
+Authors:
+--------
+ Mark J. Cox <mark@openssl.org>
+ Ralf S. Engelschall <rse@openssl.org>
+ Dr. Stephen <Henson steve@openssl.org>
+ Ben Laurie <ben@openssl.org>
+ Bodo Moeller <bodo@openssl.org>
+ Ulf Moeller <ulf@openssl.org>
+ Holger Reif <holger@openssl.org>
+ Paul C. Sutton <paul@openssl.org>
+
+%prep
+%setup -q
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3
+echo "adding/overwriting some entries in the 'table' hash in Configure"
+# $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags
+export DSO_SCHEME='dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::'
+cat <<EOF_ED | ed -s Configure
+/^);
+-
+i
+#
+# local configuration added from specfile
+# ... MOST of those are now correct in openssl's Configure already,
+# so only add them for new ports!
+#
+#config-string, $cc:$cflags:$unistd:$thread_cflag:$sys_id:$lflags:$bn_ops:$cpuid_obj:$bn_obj:$des_obj:$aes_obj:$bf_obj:$md5_obj:$sha1_obj:$cast_obj:$rc4_obj:$rmd160_obj:$rc5_obj:$wp_obj:$cmll_obj:$dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags:$multilib
+#"linux-elf", "gcc:-DL_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG \${x86_gcc_des} \${x86_gcc_opts}:\${x86_elf_asm}:$DSO_SCHEME:",
+#"linux-ia64", "gcc:-DL_ENDIAN -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:\${ia64_asm}: $DSO_SCHEME:",
+#"linux-ppc", "gcc:-DB_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:\${no_asm}: $DSO_SCHEME:",
+#"linux-ppc64", "gcc:-DB_ENDIAN -DMD32_REG_T=int::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL SIXTY_FOUR_BIT_LONG:\${no_asm}: $DSO_SCHEME:64",
+"linux-elf-arm","gcc:-DL_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG:\${no_asm}: $DSO_SCHEME:",
+"linux-mips", "gcc:-DB_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:\${no_asm}: $DSO_SCHEME:",
+"linux-sparcv7","gcc:-DB_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:\${no_asm}: $DSO_SCHEME:",
+#"linux-sparcv8","gcc:-DB_ENDIAN -DBN_DIV2W -mv8 ::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::asm/sparcv8.o::::::::::::: $DSO_SCHEME:",
+#"linux-x86_64", "gcc:-DL_ENDIAN -DNO_ASM -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG:\${no_asm}: $DSO_SCHEME:64",
+#"linux-s390", "gcc:-DB_ENDIAN ::(unknown): :-ldl:BN_LLONG:\${no_asm}: $DSO_SCHEME:",
+#"linux-s390x", "gcc:-DB_ENDIAN -DNO_ASM -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG:\${no_asm}: $DSO_SCHEME:64",
+"linux-parisc", "gcc:-DB_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR DES_PTR DES_UNROLL DES_RISC1:\${no_asm}: $DSO_SCHEME:",
+.
+wq
+EOF_ED
+# fix ENGINESDIR path
+sed -i 's,/lib/engines,/%_lib/engines,' Configure
+# Record mtime of changes file instead of build time
+CHANGES=`stat --format="%y" %SOURCE1`
+sed -i -e "s|#define DATE \(.*\).LC_ALL.*date.|#define DATE \1$CHANGES|" crypto/Makefile
+
+%build
+%ifarch armv5el armv5tel
+export MACHINE=armv5el
+%endif
+RPM_OPT_FLAGS=$(echo $RPM_OPT_FLAGS | sed -s "s/--param=ssp-buffer-size=32//g")
+export RPM_OPT_FLAGS
+
+./config --test-sanity
+#
+config_flags="threads shared no-rc5 no-idea \
+enable-camellia \
+zlib \
+--prefix=%{_prefix} \
+--libdir=%{_lib} \
+--openssldir=%{ssletcdir} \
+$RPM_OPT_FLAGS -std=gnu99 \
+-Wa,--noexecstack \
+-fomit-frame-pointer \
+-DTERMIO \
+-DPURIFY \
+-DSSL_FORBID_ENULL \
+-D_GNU_SOURCE \
+$(getconf LFS_CFLAGS) \
+%ifnarch hppa
+-Wall \
+-fstack-protector "
+%else
+-Wall "
+%endif
+#
+#%{!?do_profiling:%define do_profiling 0}
+#%if %do_profiling
+# # generate feedback
+# ./config $config_flags
+# make depend CC="gcc %cflags_profile_generate"
+# make CC="gcc %cflags_profile_generate"
+# LD_LIBRARY_PATH=`pwd` make rehash CC="gcc %cflags_profile_generate"
+# LD_LIBRARY_PATH=`pwd` make test CC="gcc %cflags_profile_generate"
+# LD_LIBRARY_PATH=`pwd` apps/openssl speed
+# make clean
+# # compile with feedback
+# # but not if it makes a cipher slower:
+# #find crypto/aes -name '*.da' | xargs -r rm
+# ./config $config_flags %cflags_profile_feedback
+# make depend
+# make
+# LD_LIBRARY_PATH=`pwd` make rehash
+# LD_LIBRARY_PATH=`pwd` make test
+#%else
+# OpenSSL relies on uname -m (not good). Thus that little sparc line.
+ ./config \
+%ifarch sparc64
+ linux64-sparcv9 \
+%endif
+ $config_flags
+ make depend
+ make
+ LD_LIBRARY_PATH=`pwd` make rehash
+ %ifnarch armv4l
+ LD_LIBRARY_PATH=`pwd` make test
+ %endif
+#%endif
+# show settings
+make TABLE
+echo $RPM_OPT_FLAGS
+eval $(egrep PLATFORM='[[:alnum:]]' Makefile)
+grep -B1 -A22 "^\*\*\* $PLATFORM$" TABLE
+
+%install
+rm -rf $RPM_BUILD_ROOT
+make MANDIR=%{_mandir} INSTALL_PREFIX=$RPM_BUILD_ROOT install
+install -d -m755 $RPM_BUILD_ROOT%{ssletcdir}/certs
+ln -sf ./%{name} $RPM_BUILD_ROOT/%{_includedir}/ssl
+mkdir $RPM_BUILD_ROOT/%{_datadir}/ssl
+mv $RPM_BUILD_ROOT/%{ssletcdir}/misc $RPM_BUILD_ROOT/%{_datadir}/ssl/
+# ln -s %{ssletcdir}/certs $RPM_BUILD_ROOT/%{_datadir}/ssl/certs
+# ln -s %{ssletcdir}/private $RPM_BUILD_ROOT/%{_datadir}/ssl/private
+# ln -s %{ssletcdir}/openssl.cnf $RPM_BUILD_ROOT/%{_datadir}/ssl/openssl.cnf
+#
+
+# avoid file conflicts with man pages from other packages
+#
+pushd $RPM_BUILD_ROOT/%{_mandir}
+# some man pages now contain spaces. This makes several scripts go havoc, among them /usr/sbin/Check.
+# replace spaces by underscores
+#for i in man?/*\ *; do mv -v "$i" "${i// /_}"; done
+which readlink &>/dev/null || function readlink { ( set +x; target=$(file $1 2>/dev/null); target=${target//* }; test -f $target && echo $target; ) }
+for i in man?/*; do
+ if test -L $i ; then
+ LDEST=`readlink $i`
+ rm -f $i ${i}ssl
+ ln -sf ${LDEST}ssl ${i}ssl
+ else
+ mv $i ${i}ssl
+ fi
+ case `basename ${i%.*}` in
+ asn1parse|ca|config|crl|crl2pkcs7|crypto|dgst|dhparam|dsa|dsaparam|enc|gendsa|genrsa|nseq|openssl|passwd|pkcs12|pkcs7|pkcs8|rand|req|rsa|rsautl|s_client|s_server|smime|spkac|ssl|verify|version|x509)
+ # these are the pages mentioned in openssl(1). They go into the main package.
+ echo %doc %{_mandir}/${i}ssl.gz >> $OLDPWD/filelist;;
+ *)
+ # the rest goes into the openssl-doc package.
+ echo %doc %{_mandir}/${i}ssl.gz >> $OLDPWD/filelist.doc;;
+ esac
+done
+popd
+#
+# check wether some shared library has been installed
+#
+ls -l $RPM_BUILD_ROOT%{_libdir}
+test -f $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{num_version}
+test -f $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{num_version}
+test -L $RPM_BUILD_ROOT%{_libdir}/libssl.so
+test -L $RPM_BUILD_ROOT%{_libdir}/libcrypto.so
+#
+# see what we've got
+#
+cat > showciphers.c <<EOF
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+int main(){
+unsigned int i;
+SSL_CTX *ctx;
+SSL *ssl;
+SSL_METHOD *meth;
+ meth = SSLv23_client_method();
+ SSLeay_add_ssl_algorithms();
+ ctx = SSL_CTX_new(meth);
+ if (ctx == NULL) return 0;
+ ssl = SSL_new(ctx);
+ if (!ssl) return 0;
+ for (i=0; ; i++) {
+ int j, k;
+ SSL_CIPHER *sc;
+ sc = (meth->get_cipher)(i);
+ if (!sc) break;
+ k = SSL_CIPHER_get_bits(sc, &j);
+ printf("%s\n", sc->name);
+ }
+ return 0;
+};
+EOF
+gcc $RPM_OPT_FLAGS -I${RPM_BUILD_ROOT}%{_includedir} -c showciphers.c
+gcc -o showciphers showciphers.o -L${RPM_BUILD_ROOT}%{_libdir} -lssl -lcrypto
+LD_LIBRARY_PATH=${RPM_BUILD_ROOT}%{_libdir} ./showciphers > AVAILABLE_CIPHERS || true
+cat AVAILABLE_CIPHERS
+# Do not install demo scripts executable under /usr/share/doc
+find demos -type f -perm /111 -exec chmod 644 {} \;
+
+#process openssllib
+mkdir $RPM_BUILD_ROOT/%{_lib}
+mv $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{num_version} $RPM_BUILD_ROOT/%{_lib}/
+mv $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{num_version} $RPM_BUILD_ROOT/%{_lib}/
+mv $RPM_BUILD_ROOT%{_libdir}/engines $RPM_BUILD_ROOT/%{_lib}/
+cd $RPM_BUILD_ROOT%{_libdir}/
+ln -sf /%{_lib}/libssl.so.%{num_version} ./libssl.so
+ln -sf /%{_lib}/libcrypto.so.%{num_version} ./libcrypto.so
+
+cd $RPM_BUILD_DIR
+
+%clean
+if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi
+
+%post -n libopenssl -p /sbin/ldconfig
+
+%postun -n libopenssl -p /sbin/ldconfig
+
+%files -n libopenssl
+%defattr(-, root, root)
+/%{_lib}/libssl.so.%{num_version}
+/%{_lib}/libcrypto.so.%{num_version}
+/%{_lib}/engines
+
+%files -n libopenssl-devel
+%defattr(-, root, root)
+%{_includedir}/%{name}/
+%{_includedir}/ssl
+%exclude %{_libdir}/libcrypto.a
+%exclude %{_libdir}/libssl.a
+%{_libdir}/libssl.so
+%{_libdir}/libcrypto.so
+%_libdir/pkgconfig/libcrypto.pc
+%_libdir/pkgconfig/libssl.pc
+%_libdir/pkgconfig/openssl.pc
+
+%files doc -f filelist.doc
+%defattr(-, root, root)
+%doc doc/* demos
+%doc showciphers.c
+
+%files -f filelist
+%defattr(-, root, root)
+%doc LICENSE
+%dir %{ssletcdir}
+%dir %{ssletcdir}/certs
+%config (noreplace) %{ssletcdir}/openssl.cnf
+%attr(700,root,root) %{ssletcdir}/private
+%dir %{_datadir}/ssl
+%{_datadir}/ssl/misc
+%{_bindir}/c_rehash
+%{_bindir}/%{name}
+
+%changelog
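Review bot: The `zlib \` entry in `config_flags` (in `%build`) compiles TLS record compression into libssl, and as far as I know this OpenSSL series then negotiates it by default unless the application sets `SSL_OP_NO_COMPRESSION`. That exposes secrets sent alongside attacker-influenced data to the compression-length side channel (CRIME). Unless a dependent package needs the COMP API, I would drop that line, together with `BuildRequires: zlib-devel` and the `Requires: zlib-devel` of libopenssl-devel, or replace it with `no-comp \`. The same string also leaves SSLv2 compiled in; adding `no-ssl2` next to `no-rc5 no-idea` would remove it, provided nothing in the distribution still links against the SSLv2 method symbols.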
diff --git a/packaging/openssl.test b/packaging/openssl.test
new file mode 100644
index 0000000..5206b79
--- /dev/null
+++ b/packaging/openssl.test
@@ -0,0 +1,2 @@
+
+openssl autmatically tests iteslf, no further testing needed
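Review bot: The sentence has two typos (`autmatically`, `iteslf`), and its claim holds only where `%build` actually runs `make test`. openssl.spec wraps that call in `%ifnarch armv4l`, so on armv4l the package is built without any self-test. Suggested wording: `openssl automatically tests itself during the build (make test in %build, skipped on armv4l); no further testing needed`.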