diff options
| author | Anas Nashif <anas.nashif@intel.com> | 2012-11-05 13:57:24 -0800 |
|---|---|---|
| committer | Janusz Kozerski <j.kozerski@samsung.com> | 2014-10-22 08:56:04 +0200 |
| commit | 71592d3affc292a749584830d432fd065cad0830 (patch) | |
| tree | 8f27c8bfb9c941817e1bf6a02c729d3555e175a6 | |
| parent | 6cd65d403decbb1c956face5448d3a94ad03e1f7 (diff) | |
| download | openssl-71592d3affc292a749584830d432fd065cad0830.tar.gz openssl-71592d3affc292a749584830d432fd065cad0830.tar.bz2 openssl-71592d3affc292a749584830d432fd065cad0830.zip | |
add packaging
| -rw-r--r-- | packaging/baselibs.conf | 5 | ||||
| -rw-r--r-- | packaging/bug610223.patch | 14 | ||||
| -rw-r--r-- | packaging/merge_from_0.9.8k.patch | 70 | ||||
| -rw-r--r-- | packaging/openssl-1.0.0-c_rehash-compat.diff | 45 | ||||
| -rw-r--r-- | packaging/openssl-ocloexec.patch | 166 | ||||
| -rw-r--r-- | packaging/openssl.changes | 1381 | ||||
| -rw-r--r-- | packaging/openssl.spec | 377 | ||||
| -rw-r--r-- | packaging/openssl.test | 2 |
8 files changed, 2060 insertions, 0 deletions
diff --git a/packaging/baselibs.conf b/packaging/baselibs.conf new file mode 100644 index 0000000..aee4346 --- /dev/null +++ b/packaging/baselibs.conf @@ -0,0 +1,5 @@ +libopenssl1_0_0 + obsoletes "openssl-<targettype> <= <version>" +libopenssl-devel + requires -libopenssl-<targettype> + requires "libopenssl1_0_0-<targettype> = <version>" diff --git a/packaging/bug610223.patch b/packaging/bug610223.patch new file mode 100644 index 0000000..ba4f062 --- /dev/null +++ b/packaging/bug610223.patch @@ -0,0 +1,14 @@ +Index: openssl-1.0.0/Configure +=================================================================== +--- openssl-1.0.0.orig/Configure ++++ openssl-1.0.0/Configure +@@ -1673,7 +1673,8 @@ while (<IN>) + } + elsif (/^#define\s+ENGINESDIR/) + { +- my $foo = "$prefix/$libdir/engines"; ++ #my $foo = "$prefix/$libdir/engines"; ++ my $foo = "/$libdir/engines"; + $foo =~ s/\\/\\\\/g; + print OUT "#define ENGINESDIR \"$foo\"\n"; + } diff --git a/packaging/merge_from_0.9.8k.patch b/packaging/merge_from_0.9.8k.patch new file mode 100644 index 0000000..55d9f04 --- /dev/null +++ b/packaging/merge_from_0.9.8k.patch @@ -0,0 +1,70 @@ +--- openssl-1.0.1c.orig/Configure ++++ openssl-1.0.1c/Configure +@@ -931,7 +931,7 @@ PROCESS_ARGS: + } + else + { +- die "target already defined - $target (offending arg: $_)\n" if ($target ne ""); ++ warn "target already defined - $target (offending arg: $_)\n" if ($target ne ""); + $target=$_; + } + +@@ -1204,7 +1204,7 @@ if ($target =~ /^mingw/ && `$cc --target + my $no_shared_warn=0; + my $no_user_cflags=0; + +-if ($flags ne "") { $cflags="$flags$cflags"; } ++if ($flags ne "") { $cflags="$cflags $flags"; } + else { $no_user_cflags=1; } + + # Kerberos settings. The flavor must be provided from outside, either through +--- openssl-1.0.1c.orig/config ++++ openssl-1.0.1c/config +@@ -573,7 +573,8 @@ case "$GUESSOS" in + options="$options -arch%20${MACHINE}" + OUT="iphoneos-cross" ;; + alpha-*-linux2) +- ISA=`awk '/cpu model/{print$4;exit(0);}' /proc/cpuinfo` ++ #ISA=`awk '/cpu model/{print$4;exit(0);}' /proc/cpuinfo` ++ ISA=EV56 + case ${ISA:-generic} in + *[678]) OUT="linux-alpha+bwx-$CC" ;; + *) OUT="linux-alpha-$CC" ;; +@@ -593,7 +594,8 @@ case "$GUESSOS" in + echo " You have about 5 seconds to press Ctrl-C to abort." + (trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1 + fi +- OUT="linux-ppc" ++ # we have the target and force it here ++ OUT="linux-ppc64" + ;; + ppc-*-linux2) OUT="linux-ppc" ;; + ppc60x-*-vxworks*) OUT="vxworks-ppc60x" ;; +@@ -614,10 +616,10 @@ case "$GUESSOS" in + sparc-*-linux2) + KARCH=`awk '/^type/{print$3;exit(0);}' /proc/cpuinfo` + case ${KARCH:-sun4} in +- sun4u*) OUT="linux-sparcv9" ;; +- sun4m) OUT="linux-sparcv8" ;; +- sun4d) OUT="linux-sparcv8" ;; +- *) OUT="linux-generic32"; options="$options -DB_ENDIAN" ;; ++# sun4u*) OUT="linux-sparcv9" ;; ++# sun4m) OUT="linux-sparcv8" ;; ++# sun4d) OUT="linux-sparcv8" ;; ++ *) OUT="linux-sparcv8" ;; + esac ;; + parisc*-*-linux2) + # 64-bit builds under parisc64 linux are not supported and +@@ -636,7 +638,11 @@ case "$GUESSOS" in + # PA8500 -> 8000 (2.0) + # PA8600 -> 8000 (2.0) + +- CPUSCHEDULE=`echo $CPUSCHEDULE|sed -e 's/7300LC/7100LC/' -e 's/8.00/8000/'` ++ # CPUSCHEDULE=`echo $CPUSCHEDULE|sed -e 's/7300LC/7100LC/' -e 's/8?00/8000/'` ++ # lets have CPUSCHEDULE for 1.1: ++ CPUSCHEDULE=7100LC ++ # we want to support 1.1 CPUs as well: ++ CPUARCH=1.1 + # Finish Model transformations + + options="$options -DB_ENDIAN -mschedule=$CPUSCHEDULE -march=$CPUARCH" diff --git a/packaging/openssl-1.0.0-c_rehash-compat.diff b/packaging/openssl-1.0.0-c_rehash-compat.diff new file mode 100644 index 0000000..ec618e2 --- /dev/null +++ b/packaging/openssl-1.0.0-c_rehash-compat.diff @@ -0,0 +1,45 @@ +From 83f318d68bbdab1ca898c94576a838cc97df4700 Mon Sep 17 00:00:00 2001 +From: Ludwig Nussel <ludwig.nussel@suse.de> +Date: Wed, 21 Apr 2010 15:52:10 +0200 +Subject: [PATCH] also create old hash for compatibility + +--- + tools/c_rehash.in | 8 +++++++- + 1 files changed, 7 insertions(+), 1 deletions(-) + +diff --git a/tools/c_rehash.in b/tools/c_rehash.in +index bfc4a69..f8d0ce1 100644 +--- a/tools/c_rehash.in ++++ b/tools/c_rehash.in +@@ -83,6 +83,7 @@ sub hash_dir { + next; + } + link_hash_cert($fname) if($cert); ++ link_hash_cert_old($fname) if($cert); + link_hash_crl($fname) if($crl); + } + } +@@ -116,8 +117,9 @@ sub check_file { + + sub link_hash_cert { + my $fname = $_[0]; ++ my $hashopt = $_[1] || '-subject_hash'; + $fname =~ s/'/'\\''/g; +- my ($hash, $fprint) = `"$openssl" x509 -hash -fingerprint -noout -in "$fname"`; ++ my ($hash, $fprint) = `"$openssl" x509 $hashopt -fingerprint -noout -in "$fname"`; + chomp $hash; + chomp $fprint; + $fprint =~ s/^.*=//; +@@ -147,6 +149,10 @@ sub link_hash_cert { + $hashlist{$hash} = $fprint; + } + ++sub link_hash_cert_old { ++ link_hash_cert($_[0], '-subject_hash_old'); ++} ++ + # Same as above except for a CRL. CRL links are of the form <hash>.r<n> + + sub link_hash_crl { +-- +1.6.4.2 diff --git a/packaging/openssl-ocloexec.patch b/packaging/openssl-ocloexec.patch new file mode 100644 index 0000000..e3c723c --- /dev/null +++ b/packaging/openssl-ocloexec.patch @@ -0,0 +1,166 @@ +--- crypto/bio/b_sock.c.orig ++++ crypto/bio/b_sock.c +@@ -735,7 +735,7 @@ int BIO_get_accept_socket(char *host, in + } + + again: +- s=socket(server.sa.sa_family,SOCK_STREAM,SOCKET_PROTOCOL); ++ s=socket(server.sa.sa_family,SOCK_STREAM|SOCK_CLOEXEC,SOCKET_PROTOCOL); + if (s == INVALID_SOCKET) + { + SYSerr(SYS_F_SOCKET,get_last_socket_error()); +@@ -784,7 +784,7 @@ again: + } + else goto err; + } +- cs=socket(client.sa.sa_family,SOCK_STREAM,SOCKET_PROTOCOL); ++ cs=socket(client.sa.sa_family,SOCK_STREAM|SOCK_CLOEXEC,SOCKET_PROTOCOL); + if (cs != INVALID_SOCKET) + { + int ii; +--- crypto/bio/bss_conn.c.orig ++++ crypto/bio/bss_conn.c +@@ -209,7 +209,7 @@ static int conn_state(BIO *b, BIO_CONNEC + c->them.sin_addr.s_addr=htonl(l); + c->state=BIO_CONN_S_CREATE_SOCKET; + +- ret=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL); ++ ret=socket(AF_INET,SOCK_STREAM|SOCK_CLOEXEC,SOCKET_PROTOCOL); + if (ret == INVALID_SOCKET) + { + SYSerr(SYS_F_SOCKET,get_last_socket_error()); +--- crypto/bio/bss_dgram.c.orig ++++ crypto/bio/bss_dgram.c +@@ -999,7 +999,7 @@ static int dgram_sctp_read(BIO *b, char + msg.msg_control = cmsgbuf; + msg.msg_controllen = 512; + msg.msg_flags = 0; +- n = recvmsg(b->num, &msg, 0); ++ n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC); + + if (msg.msg_controllen > 0) + { +@@ -1560,7 +1560,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b) + msg.msg_controllen = 0; + msg.msg_flags = 0; + +- n = recvmsg(b->num, &msg, MSG_PEEK); ++ n = recvmsg(b->num, &msg, MSG_PEEK| MSG_CMSG_CLOEXEC); + if (n <= 0) + { + if ((n < 0) && (get_last_socket_error() != EAGAIN) && (get_last_socket_error() != EWOULDBLOCK)) +@@ -1583,7 +1583,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b) + msg.msg_controllen = 0; + msg.msg_flags = 0; + +- n = recvmsg(b->num, &msg, 0); ++ n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC); + if (n <= 0) + { + if ((n < 0) && (get_last_socket_error() != EAGAIN) && (get_last_socket_error() != EWOULDBLOCK)) +@@ -1644,7 +1644,7 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b) + fcntl(b->num, F_SETFL, O_NONBLOCK); + } + +- n = recvmsg(b->num, &msg, MSG_PEEK); ++ n = recvmsg(b->num, &msg, MSG_PEEK | MSG_CMSG_CLOEXEC); + + if (is_dry) + { +@@ -1688,7 +1688,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b) + + sockflags = fcntl(b->num, F_GETFL, 0); + fcntl(b->num, F_SETFL, O_NONBLOCK); +- n = recvmsg(b->num, &msg, MSG_PEEK); ++ n = recvmsg(b->num, &msg, MSG_PEEK | MSG_CMSG_CLOEXEC); + fcntl(b->num, F_SETFL, sockflags); + + /* if notification, process and try again */ +@@ -1709,7 +1709,7 @@ int BIO_dgram_sctp_msg_waiting(BIO *b) + msg.msg_control = NULL; + msg.msg_controllen = 0; + msg.msg_flags = 0; +- n = recvmsg(b->num, &msg, 0); ++ n = recvmsg(b->num, &msg, MSG_CMSG_CLOEXEC); + + if (data->handle_notifications != NULL) + data->handle_notifications(b, data->notification_context, (void*) &snp); +--- crypto/bio/bss_file.c.orig ++++ crypto/bio/bss_file.c +@@ -120,6 +120,10 @@ BIO *BIO_new_file(const char *filename, + { + BIO *ret; + FILE *file=NULL; ++ size_t modelen = strlen (mode); ++ char newmode[modelen + 2]; ++ ++ memcpy (mempcpy (newmode, mode, modelen), "e", 2); + + #if defined(_WIN32) && defined(CP_UTF8) + int sz, len_0 = (int)strlen(filename)+1; +@@ -162,7 +166,7 @@ BIO *BIO_new_file(const char *filename, + file = fopen(filename,mode); + } + #else +- file=fopen(filename,mode); ++ file=fopen(filename,newmode); + #endif + if (file == NULL) + { +@@ -275,7 +279,7 @@ static long MS_CALLBACK file_ctrl(BIO *b + long ret=1; + FILE *fp=(FILE *)b->ptr; + FILE **fpp; +- char p[4]; ++ char p[5]; + + switch (cmd) + { +@@ -392,6 +396,8 @@ static long MS_CALLBACK file_ctrl(BIO *b + else + strcat(p,"t"); + #endif ++ strcat(p, "e"); ++ + fp=fopen(ptr,p); + if (fp == NULL) + { +--- crypto/rand/rand_unix.c.orig ++++ crypto/rand/rand_unix.c +@@ -262,7 +262,7 @@ int RAND_poll(void) + for (i = 0; (i < sizeof(randomfiles)/sizeof(randomfiles[0])) && + (n < ENTROPY_NEEDED); i++) + { +- if ((fd = open(randomfiles[i], O_RDONLY ++ if ((fd = open(randomfiles[i], O_RDONLY | O_CLOEXEC + #ifdef O_NONBLOCK + |O_NONBLOCK + #endif +--- crypto/rand/randfile.c.orig ++++ crypto/rand/randfile.c +@@ -134,7 +134,7 @@ int RAND_load_file(const char *file, lon + #ifdef OPENSSL_SYS_VMS + in=vms_fopen(file,"rb",VMS_OPEN_ATTRS); + #else +- in=fopen(file,"rb"); ++ in=fopen(file,"rbe"); + #endif + if (in == NULL) goto err; + #if defined(S_IFBLK) && defined(S_IFCHR) && !defined(OPENSSL_NO_POSIX_IO) +@@ -207,7 +207,7 @@ int RAND_write_file(const char *file) + #endif + /* chmod(..., 0600) is too late to protect the file, + * permissions should be restrictive from the start */ +- int fd = open(file, O_WRONLY|O_CREAT|O_BINARY, 0600); ++ int fd = open(file, O_WRONLY|O_CREAT|O_BINARY|O_CLOEXEC, 0600); + if (fd != -1) + out = fdopen(fd, "wb"); + } +@@ -238,7 +238,7 @@ int RAND_write_file(const char *file) + out = vms_fopen(file,"wb",VMS_OPEN_ATTRS); + #else + if (out == NULL) +- out = fopen(file,"wb"); ++ out = fopen(file,"wbe"); + #endif + if (out == NULL) goto err; diff --git a/packaging/openssl.changes b/packaging/openssl.changes new file mode 100644 index 0000000..4b957b7 --- /dev/null +++ b/packaging/openssl.changes @@ -0,0 +1,1381 @@ +------------------------------------------------------------------- +Sun Aug 19 23:38:32 UTC 2012 - crrodriguez@opensuse.org + +- Open Internal file descriptors with O_CLOEXEC, leaving + those open across fork()..execve() makes a perfect + vector for a side-channel attack... + +------------------------------------------------------------------- +Tue Aug 7 17:17:34 UTC 2012 - dmueller@suse.com + +- fix build on armv5 (bnc#774710) + +------------------------------------------------------------------- +Thu May 10 19:18:06 UTC 2012 - crrodriguez@opensuse.org + +- Update to version 1.0.1c for the complete list of changes see + NEWS, this only list packaging changes. +- Drop aes-ni patch, no longer needed as it is builtin in openssl + now. +- Define GNU_SOURCE and use -std=gnu99 to build the package. +- Use LFS_CFLAGS in platforms where it matters. + +------------------------------------------------------------------- +Fri May 4 12:09:57 UTC 2012 - lnussel@suse.de + +- don't install any demo or expired certs at all + +------------------------------------------------------------------- +Mon Apr 23 05:57:35 UTC 2012 - gjhe@suse.com + +- update to latest stable verison 1.0.0i + including the following patches: + CVE-2012-2110.path + Bug748738_Tolerate_bad_MIME_headers.patch + bug749213-Free-headers-after-use.patch + bug749210-Symmetric-crypto-errors-in-PKCS7_decrypt.patch + CVE-2012-1165.patch + CVE-2012-0884.patch + bug749735.patch + +------------------------------------------------------------------- +Tue Mar 27 09:16:37 UTC 2012 - gjhe@suse.com + +- fix bug[bnc#749735] - Memory leak when creating public keys. + fix bug[bnc#751977] - CMS and S/MIME Bleichenbacher attack + CVE-2012-0884 + +------------------------------------------------------------------- +Thu Mar 22 03:24:20 UTC 2012 - gjhe@suse.com + +- fix bug[bnc#751946] - S/MIME verification may erroneously fail + CVE-2012-1165 + +------------------------------------------------------------------- +Wed Mar 21 02:44:41 UTC 2012 - gjhe@suse.com + +- fix bug[bnc#749213]-Free headers after use in error message + and bug[bnc#749210]-Symmetric crypto errors in PKCS7_decrypt + +------------------------------------------------------------------- +Tue Mar 20 14:29:24 UTC 2012 - cfarrell@suse.com + +- license update: OpenSSL + +------------------------------------------------------------------- +Fri Feb 24 02:33:22 UTC 2012 - gjhe@suse.com + +- fix bug[bnc#748738] - Tolerate bad MIME headers in openssl's + asn1 parser. + CVE-2006-7250 + +------------------------------------------------------------------- +Thu Feb 2 06:55:12 UTC 2012 - gjhe@suse.com + +- Update to version 1.0.0g fix the following: + DTLS DoS attack (CVE-2012-0050) + +------------------------------------------------------------------- +Wed Jan 11 05:35:18 UTC 2012 - gjhe@suse.com + +- Update to version 1.0.0f fix the following: + DTLS Plaintext Recovery Attack (CVE-2011-4108) + Uninitialized SSL 3.0 Padding (CVE-2011-4576) + Malformed RFC 3779 Data Can Cause Assertion Failures (CVE-2011-4577) + SGC Restart DoS Attack (CVE-2011-4619) + Invalid GOST parameters DoS Attack (CVE-2012-0027) + +------------------------------------------------------------------- +Tue Oct 18 16:43:50 UTC 2011 - crrodriguez@opensuse.org + +- AES-NI: Check the return value of Engine_add() + if the ENGINE_add() call fails: it ends up adding a reference + to a freed up ENGINE which is likely to subsequently contain garbage + This will happen if an ENGINE with the same name is added multiple + times,for example different libraries. [bnc#720601] + +------------------------------------------------------------------- +Sat Oct 8 21:36:58 UTC 2011 - crrodriguez@opensuse.org + +- Build with -DSSL_FORBID_ENULL so servers are not + able to use the NULL encryption ciphers (Those offering no + encryption whatsoever). + +------------------------------------------------------------------- +Wed Sep 7 14:29:41 UTC 2011 - crrodriguez@opensuse.org + +- Update to openssl 1.0.0e fixes CVE-2011-3207 and CVE-2011-3210 + see http://openssl.org/news/secadv_20110906.txt for details. + +------------------------------------------------------------------- +Sat Aug 6 00:33:47 UTC 2011 - crrodriguez@opensuse.org + +- Add upstream patch that calls ENGINE_register_all_complete() + in ENGINE_load_builtin_engines() saving us from adding dozens + of calls to such function to calling applications. + +------------------------------------------------------------------- +Fri Aug 5 19:09:42 UTC 2011 - crrodriguez@opensuse.org + +- remove -fno-strict-aliasing from CFLAGS no longer needed + and is likely to slow down stuff. + +------------------------------------------------------------------- +Mon Jul 25 19:07:32 UTC 2011 - jengelh@medozas.de + +- Edit baselibs.conf to provide libopenssl-devel-32bit too + +------------------------------------------------------------------- +Fri Jun 24 04:51:50 UTC 2011 - gjhe@novell.com + +- update to latest stable version 1.0.0d. + patch removed(already in the new package): + CVE-2011-0014 + patch added: + ECDSA_signatures_timing_attack.patch + +------------------------------------------------------------------- +Tue May 31 07:07:49 UTC 2011 - gjhe@novell.com + +- fix bug[bnc#693027]. + Add protection against ECDSA timing attacks as mentioned in the paper + by Billy Bob Brumley and Nicola Tuveri, see: + http://eprint.iacr.org/2011/232.pdf + [Billy Bob Brumley and Nicola Tuveri] + +------------------------------------------------------------------- +Mon May 16 14:38:26 UTC 2011 - andrea@opensuse.org + +- added openssl as dependency in the devel package + +------------------------------------------------------------------- +Thu Feb 10 07:42:01 UTC 2011 - gjhe@novell.com + +- fix bug [bnc#670526] + CVE-2011-0014,OCSP stapling vulnerability + +------------------------------------------------------------------- +Sat Jan 15 19:58:51 UTC 2011 - cristian.rodriguez@opensuse.org + +- Add patch from upstream in order to support AES-NI instruction + set present on current Intel and AMD processors + +------------------------------------------------------------------- +Mon Jan 10 11:45:27 CET 2011 - meissner@suse.de + +- enable -DPURIFY to avoid valgrind errors. + +------------------------------------------------------------------- +Thu Dec 9 07:04:32 UTC 2010 - gjhe@novell.com + +- update to stable version 1.0.0c. + patch included: + CVE-2010-1633_and_CVE-2010-0742.patch + patchset-19727.diff + CVE-2010-2939.patch + CVE-2010-3864.patch + +------------------------------------------------------------------- +Thu Nov 18 07:53:12 UTC 2010 - gjhe@novell.com + +- fix bug [bnc#651003] + CVE-2010-3864 + +------------------------------------------------------------------- +Sat Sep 25 08:55:02 UTC 2010 - gjhe@novell.com + +- fix bug [bnc#629905] + CVE-2010-2939 + +------------------------------------------------------------------- +Wed Jul 28 20:55:18 UTC 2010 - cristian.rodriguez@opensuse.org + +- Exclude static libraries, see what breaks and fix that + instead + +------------------------------------------------------------------- +Wed Jun 30 08:47:39 UTC 2010 - jengelh@medozas.de + +- fix two compile errors on SPARC + +------------------------------------------------------------------- +Tue Jun 15 09:53:54 UTC 2010 - bg@novell.com + +- -fstack-protector is not supported on hppa + +------------------------------------------------------------------- +Fri Jun 4 07:11:28 UTC 2010 - gjhe@novell.com + +- fix bnc #610642 + CVE-2010-0742 + CVE-2010-1633 + +------------------------------------------------------------------- +Mon May 31 03:06:39 UTC 2010 - gjhe@novell.com + +- fix bnc #610223,change Configure to tell openssl to load engines + from /%{_lib} instead of %{_libdir} + +------------------------------------------------------------------- +Mon May 10 16:11:54 UTC 2010 - aj@suse.de + +- Do not compile in build time but use mtime of changes file instead. + This allows build-compare to identify that no changes have happened. + +------------------------------------------------------------------- +Tue May 4 02:55:52 UTC 2010 - gjhe@novell.com + +- build libopenssl to /%{_lib} dir,and keep only one + libopenssl-devel for new developping programs. + +------------------------------------------------------------------- +Tue Apr 27 05:44:32 UTC 2010 - gjhe@novell.com + +- build libopenssl and libopenssl-devel to a version directory + +------------------------------------------------------------------- +Sat Apr 24 09:46:37 UTC 2010 - coolo@novell.com + +- buildrequire pkg-config to fix provides + +------------------------------------------------------------------- +Wed Apr 21 13:54:15 UTC 2010 - lnussel@suse.de + +- also create old certificate hash in /etc/ssl/certs for + compatibility with applications that still link against 0.9.8 + +------------------------------------------------------------------- +Mon Apr 12 16:12:08 CEST 2010 - meissner@suse.de + +- Disable our own build targets, instead use the openSSL provided ones + as they are now good (or should be good at least). + +- add -Wa,--noexecstack to the Configure call, this is the upstream + approved way to avoid exec-stack marking + +------------------------------------------------------------------- +Mon Apr 12 04:57:17 UTC 2010 - gjhe@novell.com + +- update to 1.0.0 + Merge the following patches from 0.9.8k: + openssl-0.9.6g-alpha.diff + openssl-0.9.7f-ppc64.diff + openssl-0.9.8-flags-priority.dif + openssl-0.9.8-sparc.dif + openssl-allow-arch.diff + openssl-hppa-config.diff + +------------------------------------------------------------------- +Fri Apr 9 11:42:51 CEST 2010 - meissner@suse.de + +- fixed "exectuable stack" for libcrypto.so issue on i586 by + adjusting the assembler output during MMX builds. + +------------------------------------------------------------------- +Wed Apr 7 14:08:05 CEST 2010 - meissner@suse.de + +- Openssl is now partially converted to libdir usage upstream, + merge that in to fix lib64 builds. + +------------------------------------------------------------------- +Thu Mar 25 02:18:22 UTC 2010 - gjhe@novell.com + +- fix security bug [bnc#590833] + CVE-2010-0740 + +------------------------------------------------------------------- +Mon Mar 22 06:29:14 UTC 2010 - gjhe@novell.com + +- update to version 0.9.8m + Merge the following patches from 0.9.8k: + bswap.diff + non-exec-stack.diff + openssl-0.9.6g-alpha.diff + openssl-0.9.7f-ppc64.diff + openssl-0.9.8-flags-priority.dif + openssl-0.9.8-sparc.dif + openssl-allow-arch.diff + openssl-hppa-config.diff + +------------------------------------------------------------------- +Fri Feb 5 01:24:55 UTC 2010 - jengelh@medozas.de + +- build openssl for sparc64 + +------------------------------------------------------------------- +Mon Dec 14 16:11:11 CET 2009 - jengelh@medozas.de + +- add baselibs.conf as a source +- package documentation as noarch + +------------------------------------------------------------------- +Tue Nov 3 19:09:35 UTC 2009 - coolo@novell.com + +- updated patches to apply with fuzz=0 + +------------------------------------------------------------------- +Tue Sep 1 10:21:16 CEST 2009 - gjhe@novell.com + +- fix Bug [bnc#526319] + +------------------------------------------------------------------- +Wed Aug 26 11:24:16 CEST 2009 - coolo@novell.com + +- use %patch0 for Patch0 + +------------------------------------------------------------------- +Fri Jul 3 11:53:48 CEST 2009 - gjhe@novell.com + +- update to version 0.9.8k +- patches merged upstream: + openssl-CVE-2008-5077.patch + openssl-CVE-2009-0590.patch + openssl-CVE-2009-0591.patch + openssl-CVE-2009-0789.patch + openssl-CVE-2009-1377.patch + openssl-CVE-2009-1378.patch + openssl-CVE-2009-1379.patch + openssl-CVE-2009-1386.patch + openssl-CVE-2009-1387.patch + +------------------------------------------------------------------- +Tue Jun 30 05:17:26 CEST 2009 - gjhe@novell.com + +- fix security bug [bnc#509031] + CVE-2009-1386 + CVE-2009-1387 + +------------------------------------------------------------------- +Tue Jun 30 05:16:39 CEST 2009 - gjhe@novell.com + +- fix security bug [bnc#504687] + CVE-2009-1377 + CVE-2009-1378 + CVE-2009-1379 + +------------------------------------------------------------------- +Wed Apr 15 12:28:29 CEST 2009 - gjhe@suse.de + +- fix security bug [bnc#489641] + CVE-2009-0590 + CVE-2009-0591 + CVE-2009-0789 + +------------------------------------------------------------------- +Wed Jan 7 12:34:56 CET 2009 - olh@suse.de + +- obsolete old -XXbit packages (bnc#437293) + +------------------------------------------------------------------- +Thu Dec 18 08:15:12 CET 2008 - jshi@suse.de + +- fix security bug [bnc#459468] + CVE-2008-5077 + +------------------------------------------------------------------- +Tue Dec 9 11:32:50 CET 2008 - xwhu@suse.de + +- Disable optimization for s390x + +------------------------------------------------------------------- +Mon Dec 8 12:12:14 CET 2008 - xwhu@suse.de + +- Disable optimization of md4 + +------------------------------------------------------------------- +Mon Nov 10 10:22:04 CET 2008 - xwhu@suse.de + +- Disable optimization of ripemd [bnc#442740] + +------------------------------------------------------------------- +Tue Oct 14 09:08:47 CEST 2008 - xwhu@suse.de + +- Passing string as struct cause openssl segment-fault [bnc#430141] + +------------------------------------------------------------------- +Wed Jul 16 12:02:37 CEST 2008 - mkoenig@suse.de + +- do not require openssl-certs, but rather recommend it + to avoid dependency cycle [bnc#408865] + +------------------------------------------------------------------- +Wed Jul 9 12:53:27 CEST 2008 - mkoenig@suse.de + +- remove the certs subpackage from the openssl package + and move the CA root certificates into a package of its own + +------------------------------------------------------------------- +Tue Jun 24 09:09:04 CEST 2008 - mkoenig@suse.de + +- update to version 0.9.8h +- openssl does not ship CA root certificates anymore + keep certificates that SuSE is already shipping +- resolves bad array index (function has been removed) [bnc#356549] +- removed patches + openssl-0.9.8g-fix_dh_for_certain_moduli.patch + openssl-CVE-2008-0891.patch + openssl-CVE-2008-1672.patch + +------------------------------------------------------------------- +Wed May 28 15:04:08 CEST 2008 - mkoenig@suse.de + +- fix OpenSSL Server Name extension crash (CVE-2008-0891) + and OpenSSL Omit Server Key Exchange message crash (CVE-2008-1672) + [bnc#394317] + +------------------------------------------------------------------- +Wed May 21 20:48:39 CEST 2008 - cthiel@suse.de + +- fix baselibs.conf + +------------------------------------------------------------------- +Tue Apr 22 14:39:35 CEST 2008 - mkoenig@suse.de + +- add -DMD32_REG_T=int for x86_64 and ia64 [bnc#381844] + +------------------------------------------------------------------- +Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de + +- added baselibs.conf file to build xxbit packages + for multilib support + +------------------------------------------------------------------- +Mon Nov 5 14:27:06 CET 2007 - mkoenig@suse.de + +- fix Diffie-Hellman failure with certain prime lengths + +------------------------------------------------------------------- +Mon Oct 22 15:00:21 CEST 2007 - mkoenig@suse.de + +- update to version 0.9.8g: + * fix some bugs introduced with 0.9.8f + +------------------------------------------------------------------- +Mon Oct 15 11:17:14 CEST 2007 - mkoenig@suse.de + +- update to version 0.9.8f: + * fixes CVE-2007-3108, CVE-2007-5135, CVE-2007-4995 +- patches merged upstream: + openssl-0.9.8-key_length.patch + openssl-CVE-2007-3108-bug296511 + openssl-CVE-2007-5135.patch + openssl-gcc42.patch + openssl-gcc42_b.patch + openssl-s390-config.diff + +------------------------------------------------------------------- +Mon Oct 1 11:29:55 CEST 2007 - mkoenig@suse.de + +- fix buffer overflow CVE-2007-5135 [#329208] + +------------------------------------------------------------------- +Wed Sep 5 11:39:26 CEST 2007 - mkoenig@suse.de + +- fix another gcc 4.2 build problem [#307669] + +------------------------------------------------------------------- +Fri Aug 3 14:17:27 CEST 2007 - coolo@suse.de + +- provide the version obsoleted (#293401) + +------------------------------------------------------------------- +Wed Aug 1 18:01:45 CEST 2007 - werner@suse.de + +- Add patch from CVS for RSA key reconstruction vulnerability + (CVE-2007-3108, VU#724968, bug #296511) + +------------------------------------------------------------------- +Thu May 24 16:18:50 CEST 2007 - mkoenig@suse.de + +- fix build with gcc-4.2 + openssl-gcc42.patch +- do not install example scripts with executable permissions + +------------------------------------------------------------------- +Mon Apr 30 01:32:44 CEST 2007 - ro@suse.de + +- adapt requires + +------------------------------------------------------------------- +Fri Apr 27 15:25:13 CEST 2007 - mkoenig@suse.de + +- Do not use dots in package name +- explicitly build with gcc-4.1 because of currently unresolved + failures with gcc-4.2 + +------------------------------------------------------------------- +Wed Apr 25 12:32:44 CEST 2007 - mkoenig@suse.de + +- Split/rename package to follow library packaging policy [#260219] + New package libopenssl0.9.8 containing shared libs + openssl-devel package renamed to libopenssl-devel + New package openssl-certs containing certificates +- add zlib-devel to Requires of devel package +- remove old Obsoletes and Conflicts + openssls (Last used Nov 2000) + ssleay (Last used 6.2) + +------------------------------------------------------------------- +Mon Apr 23 11:17:57 CEST 2007 - mkoenig@suse.de + +- Fix key length [#254905,#262477] + +------------------------------------------------------------------- +Tue Mar 6 10:38:10 CET 2007 - mkoenig@suse.de + +- update to version 0.9.8e: + * patches merged upstream: + openssl-CVE-2006-2940-fixup.patch + openssl-0.9.8d-padlock-static.patch + +------------------------------------------------------------------- +Tue Jan 9 14:30:28 CET 2007 - mkoenig@suse.de + +- fix PadLock support [#230823] + +------------------------------------------------------------------- +Thu Nov 30 14:33:51 CET 2006 - mkoenig@suse.de + +- enable fix for CVE-2006-2940 [#223040], SWAMP-ID 7198 + +------------------------------------------------------------------- +Mon Nov 6 18:35:10 CET 2006 - poeml@suse.de + +- configure with 'zlib' instead of 'zlib-dynamic'. Build with the + latter, there are problems opening the libz when running on the + Via Epia or vmware platforms. [#213305] + +------------------------------------------------------------------- +Wed Oct 4 15:07:55 CEST 2006 - poeml@suse.de + +- add patch for the CVE-2006-2940 fix: the newly introduced limit + on DH modulus size could lead to a crash when exerted. [#208971] + Discovered and fixed after the 0.9.8d release. + +------------------------------------------------------------------- +Fri Sep 29 18:37:01 CEST 2006 - poeml@suse.de + +- update to 0.9.8d + *) Introduce limits to prevent malicious keys being able to + cause a denial of service. (CVE-2006-2940) + *) Fix ASN.1 parsing of certain invalid structures that can result + in a denial of service. (CVE-2006-2937) + *) Fix buffer overflow in SSL_get_shared_ciphers() function. + (CVE-2006-3738) + *) Fix SSL client code which could crash if connecting to a + malicious SSLv2 server. (CVE-2006-4343) + *) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites + match only those. Before that, "AES256-SHA" would be interpreted + as a pattern and match "AES128-SHA" too (since AES128-SHA got + the same strength classification in 0.9.7h) as we currently only + have a single AES bit in the ciphersuite description bitmap. + That change, however, also applied to ciphersuite strings such as + "RC4-MD5" that intentionally matched multiple ciphersuites -- + namely, SSL 2.0 ciphersuites in addition to the more common ones + from SSL 3.0/TLS 1.0. + So we change the selection algorithm again: Naming an explicit + ciphersuite selects this one ciphersuite, and any other similar + ciphersuite (same bitmap) from *other* protocol versions. + Thus, "RC4-MD5" again will properly select both the SSL 2.0 + ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite. + Since SSL 2.0 does not have any ciphersuites for which the + 128/256 bit distinction would be relevant, this works for now. + The proper fix will be to use different bits for AES128 and + AES256, which would have avoided the problems from the beginning; + however, bits are scarce, so we can only do this in a new release + (not just a patchlevel) when we can change the SSL_CIPHER + definition to split the single 'unsigned long mask' bitmap into + multiple values to extend the available space. +- not in mentioned in CHANGES: patch for CVE-2006-4339 corrected + [openssl.org #1397] + +------------------------------------------------------------------- +Fri Sep 8 20:33:40 CEST 2006 - schwab@suse.de + +- Fix inverted logic. + +------------------------------------------------------------------- +Wed Sep 6 17:56:08 CEST 2006 - poeml@suse.de + +- update to 0.9.8c + Changes between 0.9.8b and 0.9.8c [05 Sep 2006] + *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher + (CVE-2006-4339) [Ben Laurie and Google Security Team] + *) Add AES IGE and biIGE modes. [Ben Laurie] + *) Change the Unix randomness entropy gathering to use poll() when + possible instead of select(), since the latter has some + undesirable limitations. [Darryl Miles via Richard Levitte and Bodo Moeller] + *) Disable "ECCdraft" ciphersuites more thoroughly. Now special + treatment in ssl/ssl_ciph.s makes sure that these ciphersuites + cannot be implicitly activated as part of, e.g., the "AES" alias. + However, please upgrade to OpenSSL 0.9.9[-dev] for + non-experimental use of the ECC ciphersuites to get TLS extension + support, which is required for curve and point format negotiation + to avoid potential handshake problems. [Bodo Moeller] + *) Disable rogue ciphersuites: + - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5") + - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5") + - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5") + The latter two were purportedly from + draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really + appear there. + Also deactive the remaining ciphersuites from + draft-ietf-tls-56-bit-ciphersuites-01.txt. These are just as + unofficial, and the ID has long expired. [Bodo Moeller] + *) Fix RSA blinding Heisenbug (problems sometimes occured on + dual-core machines) and other potential thread-safety issues. + [Bodo Moeller] + *) Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key + versions), which is now available for royalty-free use + (see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html). + Also, add Camellia TLS ciphersuites from RFC 4132. + To minimize changes between patchlevels in the OpenSSL 0.9.8 + series, Camellia remains excluded from compilation unless OpenSSL + is configured with 'enable-camellia'. [NTT] + *) Disable the padding bug check when compression is in use. The padding + bug check assumes the first packet is of even length, this is not + necessarily true if compresssion is enabled and can result in false + positives causing handshake failure. The actual bug test is ancient + code so it is hoped that implementations will either have fixed it by + now or any which still have the bug do not support compression. + [Steve Henson] + Changes between 0.9.8a and 0.9.8b [04 May 2006] + *) When applying a cipher rule check to see if string match is an explicit + cipher suite and only match that one cipher suite if it is. [Steve Henson] + *) Link in manifests for VC++ if needed. [Austin Ziegler <halostatue@gmail.com>] + *) Update support for ECC-based TLS ciphersuites according to + draft-ietf-tls-ecc-12.txt with proposed changes (but without + TLS extensions, which are supported starting with the 0.9.9 + branch, not in the OpenSSL 0.9.8 branch). [Douglas Stebila] + *) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support + opaque EVP_CIPHER_CTX handling. [Steve Henson] + *) Fixes and enhancements to zlib compression code. We now only use + "zlib1.dll" and use the default __cdecl calling convention on Win32 + to conform with the standards mentioned here: + http://www.zlib.net/DLL_FAQ.txt + Static zlib linking now works on Windows and the new --with-zlib-include + --with-zlib-lib options to Configure can be used to supply the location + of the headers and library. Gracefully handle case where zlib library + can't be loaded. [Steve Henson] + *) Several fixes and enhancements to the OID generation code. The old code + sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't + handle numbers larger than ULONG_MAX, truncated printing and had a + non standard OBJ_obj2txt() behaviour. [Steve Henson] + *) Add support for building of engines under engine/ as shared libraries + under VC++ build system. [Steve Henson] + *) Corrected the numerous bugs in the Win32 path splitter in DSO. + Hopefully, we will not see any false combination of paths any more. + [Richard Levitte] +- enable Camellia cipher. There is a royalty free license to the + patents, see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html. + NOTE: the license forbids patches to the cipher. +- build with zlib-dynamic and add zlib-devel to BuildRequires. + Allows compression of data in TLS, although few application would + actually use it since there is no standard for negotiating the + compression method. The only one I know if is stunnel. + +------------------------------------------------------------------- +Fri Jun 2 15:00:58 CEST 2006 - poeml@suse.de + +- fix built-in ENGINESDIR for 64 bit architectures. We change only + the builtin search path for engines, not the path where engines + are packaged. Path can be overridden with the OPENSSL_ENGINES + environment variable. [#179094] + +------------------------------------------------------------------- +Wed Jan 25 21:30:41 CET 2006 - mls@suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Mon Jan 16 13:13:13 CET 2006 - mc@suse.de + +- fix build problems on s390x (openssl-s390-config.diff) +- build with -fstack-protector + +------------------------------------------------------------------- +Mon Nov 7 16:30:49 CET 2005 - dmueller@suse.de + +- build with non-executable stack + +------------------------------------------------------------------- +Thu Oct 20 17:37:47 CEST 2005 - poeml@suse.de + +- fix unguarded free() which can cause a segfault in the ca + commandline app [#128655] + +------------------------------------------------------------------- +Thu Oct 13 15:10:28 CEST 2005 - poeml@suse.de + +- add Geotrusts Equifax Root1 CA certificate, which needed to + verify the authenticity of you.novell.com [#121966] + +------------------------------------------------------------------- +Tue Oct 11 15:34:07 CEST 2005 - poeml@suse.de + +- update to 0.9.8a + *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING + (part of SSL_OP_ALL). This option used to disable the + countermeasure against man-in-the-middle protocol-version + rollback in the SSL 2.0 server implementation, which is a bad + idea. (CAN-2005-2969) + *) Add two function to clear and return the verify parameter flags. + *) Keep cipherlists sorted in the source instead of sorting them at + runtime, thus removing the need for a lock. + *) Avoid some small subgroup attacks in Diffie-Hellman. + *) Add functions for well-known primes. + *) Extended Windows CE support. + *) Initialize SSL_METHOD structures at compile time instead of during + runtime, thus removing the need for a lock. + *) Make PKCS7_decrypt() work even if no certificate is supplied by + attempting to decrypt each encrypted key in turn. Add support to + smime utility. + +------------------------------------------------------------------- +Thu Sep 29 18:53:08 CEST 2005 - poeml@suse.de + +- update to 0.9.8 + see CHANGES file or http://www.openssl.org/news/changelog.html +- adjust patches +- drop obsolete openssl-no-libc.diff +- disable libica patch until it has been ported + +------------------------------------------------------------------- +Fri May 20 11:27:12 CEST 2005 - poeml@suse.de + +- update to 0.9.7g. The significant changes are: + *) Fixes for newer kerberos headers. NB: the casts are needed because + the 'length' field is signed on one version and unsigned on another + with no (?) obvious way to tell the difference, without these VC++ + complains. Also the "definition" of FAR (blank) is no longer included + nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up + some needed definitions. + *) Added support for proxy certificates according to RFC 3820. + Because they may be a security thread to unaware applications, + they must be explicitely allowed in run-time. See + docs/HOWTO/proxy_certificates.txt for further information. + +------------------------------------------------------------------- +Tue May 17 16:28:51 CEST 2005 - schwab@suse.de + +- Include %cflags_profile_generate in ${CC} since it is required for + linking as well. +- Remove explicit reference to libc. + +------------------------------------------------------------------- +Fri Apr 8 17:27:27 CEST 2005 - poeml@suse.de + +- update to 0.9.7f. The most significant changes are: + o Several compilation issues fixed. + o Many memory allocation failure checks added. + o Improved comparison of X509 Name type. + o Mandatory basic checks on certificates. + o Performance improvements. + (for a complete list see http://www.openssl.org/source/exp/CHANGES) +- adjust openssl-0.9.7f-ppc64.diff +- drop obsolete openssl-0.9.7d-crl-default_md.dif [#55435] + +------------------------------------------------------------------- +Tue Jan 4 16:47:02 CET 2005 - poeml@suse.de + +- update to 0.9.7e + *) Avoid a race condition when CRLs are checked in a multi + threaded environment. This would happen due to the reordering + of the revoked entries during signature checking and serial + number lookup. Now the encoding is cached and the serial + number sort performed under a lock. Add new STACK function + sk_is_sorted(). + *) Add Delta CRL to the extension code. + *) Various fixes to s3_pkt.c so alerts are sent properly. + *) Reduce the chances of duplicate issuer name and serial numbers + (in violation of RFC3280) using the OpenSSL certificate + creation utilities. This is done by creating a random 64 bit + value for the initial serial number when a serial number file + is created or when a self signed certificate is created using + 'openssl req -x509'. The initial serial number file is created + using 'openssl x509 -next_serial' in CA.pl rather than being + initialized to 1. +- remove obsolete patches +- fix openssl-0.9.7d-padlock-glue.diff and ICA patch to patch + Makefile, not Makefile.ssl +- fixup for spaces in names of man pages not needed now +- pack /usr/bin/openssl_fips_fingerprint +- in rpm post/postun script, run /sbin/ldconfig directly (the macro + is deprecated) + +------------------------------------------------------------------- +Mon Oct 18 15:03:28 CEST 2004 - poeml@suse.de + +- don't install openssl.doxy file [#45210] + +------------------------------------------------------------------- +Thu Jul 29 16:56:44 CEST 2004 - poeml@suse.de + +- apply patch from CVS to fix segfault in S/MIME encryption + (http://cvs.openssl.org/chngview?cn=12081, regression in + openssl-0.9.7d) [#43386] + +------------------------------------------------------------------- +Mon Jul 12 15:22:31 CEST 2004 - mludvig@suse.cz + +- Updated VIA PadLock engine. + +------------------------------------------------------------------- +Wed Jun 30 21:45:01 CEST 2004 - mludvig@suse.cz + +- Updated openssl-0.9.7d-padlock-engine.diff with support for + AES192, AES256 and RNG. + +------------------------------------------------------------------- +Tue Jun 15 16:18:36 CEST 2004 - poeml@suse.de + +- update IBM ICA patch to last night's version. Fixes ibmca_init() + to reset ibmca_dso=NULL after calling DSO_free(), if the device + driver could not be loaded. The bug lead to a segfault triggered + by stunnel, which does autoload available engines [#41874] +- patch from CVS: make stack API more robust (return NULL for + out-of-range indexes). Fixes another possible segfault during + engine detection (could also triggered by stunnel) +- add patch from Michal Ludvig for VIA PadLock support + +------------------------------------------------------------------- +Wed Jun 2 20:44:40 CEST 2004 - poeml@suse.de + +- add root certificate for the ICP-Brasil CA [#41546] + +------------------------------------------------------------------- +Thu May 13 19:53:48 CEST 2004 - poeml@suse.de + +- add patch to use default_md for CRLs too [#40435] + +------------------------------------------------------------------- +Tue May 4 20:45:19 CEST 2004 - poeml@suse.de + +- update ICA patch to apr292004 release [#39695] + +------------------------------------------------------------------- +Thu Mar 18 13:47:09 CET 2004 - poeml@suse.de + +- update to 0.9.7d + o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug + (CAN-2004-0112) + o Security: Fix null-pointer assignment in do_change_cipher_spec() + (CAN-2004-0079) + o Allow multiple active certificates with same subject in CA index + o Multiple X590 verification fixes + o Speed up HMAC and other operations +- remove the hunk from openssl-0.9.6d.dif that added NO_IDEA around + IDEA_128_CBC_WITH_MD5 in the global cipher list. Upstream now has + OPENSSL_NO_IDEA around it +- [#36386] fixed (broken generation of EVP_BytesToKey.3ssl from the + pod file) +- permissions of lib/pkgconfig fixed + +------------------------------------------------------------------- +Wed Feb 25 20:42:39 CET 2004 - poeml@suse.de + +- update to 0.9.7c + *) Fix various bugs revealed by running the NISCC test suite: + Stop out of bounds reads in the ASN1 code when presented with + invalid tags (CAN-2003-0543 and CAN-2003-0544). + Free up ASN1_TYPE correctly if ANY type is invalid (CAN-2003-0545). + If verify callback ignores invalid public key errors don't try to check + certificate signature with the NULL public key. + *) New -ignore_err option in ocsp application to stop the server + exiting on the first error in a request. + *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate + if the server requested one: as stated in TLS 1.0 and SSL 3.0 + specifications. + *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional + extra data after the compression methods not only for TLS 1.0 + but also for SSL 3.0 (as required by the specification). + *) Change X509_certificate_type() to mark the key as exported/exportable + when it's 512 *bits* long, not 512 bytes. + *) Change AES_cbc_encrypt() so it outputs exact multiple of + blocks during encryption. + *) Various fixes to base64 BIO and non blocking I/O. On write + flushes were not handled properly if the BIO retried. On read + data was not being buffered properly and had various logic bugs. + This also affects blocking I/O when the data being decoded is a + certain size. + *) Various S/MIME bugfixes and compatibility changes: + output correct application/pkcs7 MIME type if + PKCS7_NOOLDMIMETYPE is set. Tolerate some broken signatures. + Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening + of files as .eml work). Correctly handle very long lines in MIME + parser. +- update ICA patch + quote: This version of the engine patch has updated error handling in + the DES/SHA code, and turns RSA blinding off for hardware + accelerated RSA ops. +- filenames of some man pages contain spaces now. Replace them with + underscores +- fix compiler warnings in showciphers.c +- fix permissions of /usr/%_lib/pkgconfig + +------------------------------------------------------------------- +Sat Jan 10 10:55:59 CET 2004 - adrian@suse.de + +- add %run_ldconfig +- remove unneeded PreRequires + +------------------------------------------------------------------- +Tue Nov 18 14:07:53 CET 2003 - poeml@suse.de + +- ditch annoying mail to root about moved locations [#31969] + +------------------------------------------------------------------- +Wed Aug 13 22:30:13 CEST 2003 - poeml@suse.de + +- enable profile feedback based optimizations (except AES which + becomes slower) +- add -fno-strict-aliasing, due to warnings about code where + dereferencing type-punned pointers will break strict aliasing +- make a readlink function if readlink is not available + +------------------------------------------------------------------- +Mon Aug 4 16:16:57 CEST 2003 - ro@suse.de + +- fixed manpages symlinks + +------------------------------------------------------------------- +Wed Jul 30 15:37:37 CEST 2003 - meissner@suse.de + +- Fix Makefile to create pkgconfig file with lib64 on lib64 systems. + +------------------------------------------------------------------- +Sun Jul 27 15:51:04 CEST 2003 - poeml@suse.de + +- don't explicitely strip binaries since RPM handles it, and may + keep the stripped information somewhere + +------------------------------------------------------------------- +Tue Jul 15 16:29:16 CEST 2003 - meissner@suse.de + +- -DMD32_REG_T=int for ppc64 and s390x. + +------------------------------------------------------------------- +Thu Jul 10 23:14:22 CEST 2003 - poeml@suse.de + +- update ibm ICA patch to 20030708 release (libica-1.3) + +------------------------------------------------------------------- +Mon May 12 23:27:07 CEST 2003 - poeml@suse.de + +- package the openssl.pc file for pkgconfig + +------------------------------------------------------------------- +Wed Apr 16 16:04:32 CEST 2003 - poeml@suse.de + +- update to 0.9.7b. The most significant changes are: + o New library section OCSP. + o Complete rewrite of ASN1 code. + o CRL checking in verify code and openssl utility. + o Extension copying in 'ca' utility. + o Flexible display options in 'ca' utility. + o Provisional support for international characters with UTF8. + o Support for external crypto devices ('engine') is no longer + a separate distribution. + o New elliptic curve library section. + o New AES (Rijndael) library section. + o Support for new platforms: Windows CE, Tandem OSS, A/UX, AIX 64-bit, + Linux x86_64, Linux 64-bit on Sparc v9 + o Extended support for some platforms: VxWorks + o Enhanced support for shared libraries. + o Now only builds PIC code when shared library support is requested. + o Support for pkg-config. + o Lots of new manuals. + o Makes symbolic links to or copies of manuals to cover all described + functions. + o Change DES API to clean up the namespace (some applications link also + against libdes providing similar functions having the same name). + Provide macros for backward compatibility (will be removed in the + future). + o Unify handling of cryptographic algorithms (software and engine) + to be available via EVP routines for asymmetric and symmetric ciphers. + o NCONF: new configuration handling routines. + o Change API to use more 'const' modifiers to improve error checking + and help optimizers. + o Finally remove references to RSAref. + o Reworked parts of the BIGNUM code. + o Support for new engines: Broadcom ubsec, Accelerated Encryption + Processing, IBM 4758. + o A few new engines added in the demos area. + o Extended and corrected OID (object identifier) table. + o PRNG: query at more locations for a random device, automatic query for + EGD style random sources at several locations. + o SSL/TLS: allow optional cipher choice according to server's preference. + o SSL/TLS: allow server to explicitly set new session ids. + o SSL/TLS: support Kerberos cipher suites (RFC2712). + Only supports MIT Kerberos for now. + o SSL/TLS: allow more precise control of renegotiations and sessions. + o SSL/TLS: add callback to retrieve SSL/TLS messages. + o SSL/TLS: support AES cipher suites (RFC3268). +- adapt the ibmca patch +- remove openssl-nocrypt.diff, openssl's crypt() vanished +- configuration syntax has changed ($sys_id added before $lflags) + +------------------------------------------------------------------- +Thu Feb 20 11:55:34 CET 2003 - poeml@suse.de + +- update to bugfix release 0.9.6i: + - security fix: In ssl3_get_record (ssl/s3_pkt.c), minimize + information leaked via timing by performing a MAC computation + even if incorrrect block cipher padding has been found. This + is a countermeasure against active attacks where the attacker + has to distinguish between bad padding and a MAC verification + error. (CAN-2003-0078) + - a few more small bugfixes (mainly missing assertions) + +------------------------------------------------------------------- +Fri Dec 6 10:07:20 CET 2002 - poeml@suse.de + +- update to 0.9.6h (last release in the 0.9.6 series) + o New configuration targets for Tandem OSS and A/UX. + o New OIDs for Microsoft attributes. + o Better handling of SSL session caching. + o Better comparison of distinguished names. + o Better handling of shared libraries in a mixed GNU/non-GNU environment. + o Support assembler code with Borland C. + o Fixes for length problems. + o Fixes for uninitialised variables. + o Fixes for memory leaks, some unusual crashes and some race conditions. + o Fixes for smaller building problems. + o Updates of manuals, FAQ and other instructive documents. +- add a call to make depend +- fix sed expression (lib -> lib64) to replace multiple occurences + on one line + +------------------------------------------------------------------- +Mon Nov 4 13:16:09 CET 2002 - stepan@suse.de + +- fix openssl for alpha ev56 cpus + +------------------------------------------------------------------- +Thu Oct 24 12:57:36 CEST 2002 - poeml@suse.de + +- own the /usr/share/ssl directory [#20849] +- openssl-hppa-config.diff can be applied on all architectures + +------------------------------------------------------------------- +Mon Sep 30 16:07:49 CEST 2002 - bg@suse.de + +- enable hppa distribution; use only pa1.1 architecture. + +------------------------------------------------------------------- +Tue Sep 17 17:13:46 CEST 2002 - froh@suse.de + +- update ibm-hardware-crypto-patch to ibmca.patch-0.96e-2 (#18953) + +------------------------------------------------------------------- +Mon Aug 12 18:34:58 CEST 2002 - poeml@suse.de + +- update to 0.9.6g and drop the now included ASN1 check patch. + Other change: + - Use proper error handling instead of 'assertions' in buffer + overflow checks added in 0.9.6e. This prevents DoS (the + assertions could call abort()). + +------------------------------------------------------------------- +Fri Aug 9 19:49:59 CEST 2002 - kukuk@suse.de + +- Fix requires of openssl-devel subpackage + +------------------------------------------------------------------- +Tue Aug 6 15:18:59 MEST 2002 - draht@suse.de + +- Correction for changes in the ASN1 code, assembled in + openssl-0.9.6e-cvs-20020802-asn1_lib.diff + +------------------------------------------------------------------- +Thu Aug 1 00:53:33 CEST 2002 - poeml@suse.de + +- update to 0.9.6e. Major changes: + o Various security fixes (sanity checks to asn1_get_length(), + various remote buffer overflows) + o new option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, disabling the + countermeasure against a vulnerability in the CBC ciphersuites + in SSL 3.0/TLS 1.0 that was added in 0.9.6d which turned out to + be incompatible with buggy SSL implementations +- update ibmca crypto hardware patch (security issues fixed) +- gcc 3.1 version detection is fixed, we can drop the patch +- move the most used man pages from the -doc to the main package + [#9913] and resolve man page conflicts by putting them into ssl + sections [#17239] +- spec file: use PreReq for %post script + +------------------------------------------------------------------- +Fri Jul 12 17:59:10 CEST 2002 - poeml@suse.de + +- update to 0.9.6d. Major changes: + o Various SSL/TLS library bugfixes. + o Fix DH parameter generation for 'non-standard' generators. + Complete Changelog: http://www.openssl.org/news/changelog.html +- supposed to fix a session caching failure occuring with postfix +- simplify local configuration for the architectures +- there's a new config variable: $shared_ldflag +- use RPM_OPT_FLAGS in favor of predifined cflags by appending them + at the end +- validate config data (config --check-sanity) +- resolve file conflict of /usr/share/man/man1/openssl.1.gz [#15982] +- move configuration to /etc/ssl [#14387] +- mark openssl.cnf %config (noreplace) + +------------------------------------------------------------------- +Sat Jul 6 20:28:56 CEST 2002 - schwab@suse.de + +- Include <crypt.h> to get crypt prototype. + +------------------------------------------------------------------- +Fri Jul 5 08:51:16 CEST 2002 - kukuk@suse.de + +- Remove crypt prototype from des.h header file, too. + +------------------------------------------------------------------- +Mon Jun 10 11:38:16 CEST 2002 - meissner@suse.de + +- enhanced ppc64 support (needs seperate config), reenabled make check + +------------------------------------------------------------------- +Fri May 31 14:54:06 CEST 2002 - olh@suse.de + +- add ppc64 support, temporary disable make check + +------------------------------------------------------------------- +Thu Apr 18 16:30:01 CEST 2002 - meissner@suse.de + +- fixed x86_64 build, added bc to needed_for_build (used by tests) + +------------------------------------------------------------------- +Wed Apr 17 16:56:34 CEST 2002 - ro@suse.de + +- fixed gcc version determination +- drop sun4c support/always use sparcv8 +- ignore return code from showciphers + +------------------------------------------------------------------- +Fri Mar 15 16:54:44 CET 2002 - poeml@suse.de + +- add settings for sparc to build shared objects. Note that all + sparcs (sun4[mdu]) are recognized as linux-sparcv7 + +------------------------------------------------------------------- +Wed Feb 6 14:23:44 CET 2002 - kukuk@suse.de + +- Remove crypt function from libcrypto.so.0 [Bug #13056] + +------------------------------------------------------------------- +Sun Feb 3 22:32:16 CET 2002 - poeml@suse.de + +- add settings for mips to build shared objects +- print out all settings to the build log + +------------------------------------------------------------------- +Tue Jan 29 12:42:58 CET 2002 - poeml@suse.de + +- update to 0.9.6c: + o bug fixes + o support for hardware crypto devices (Cryptographic Appliances, + Broadcom, and Accelerated Encryption Processing) +- add IBMCA patch for IBM eServer Cryptographic Accelerator Device + Driver (#12565) (forward ported from 0.9.6b) + (http://www-124.ibm.com/developerworks/projects/libica/) +- tell Configure how to build shared libs for s390 and s390x +- tweak Makefile.org to use %_libdir +- clean up spec file +- add README.SuSE as source file instead of in a patch + +------------------------------------------------------------------- +Wed Dec 5 10:59:59 CET 2001 - uli@suse.de + +- disabled "make test" for ARM (destest segfaults, the other tests + seem to succeed) + +------------------------------------------------------------------- +Wed Dec 5 02:39:16 CET 2001 - ro@suse.de + +- removed subpackage src + +------------------------------------------------------------------- +Wed Nov 28 13:28:42 CET 2001 - uli@suse.de + +- needs -ldl on ARM, too + +------------------------------------------------------------------- +Mon Nov 19 17:48:31 MET 2001 - mls@suse.de + +- made mips big endian, fixed shared library creation for mips + +------------------------------------------------------------------- +Fri Aug 31 11:19:46 CEST 2001 - rolf@suse.de + +- added root certificates [BUG#9913] +- move from /usr/ssh to /usr/share/ssl + +------------------------------------------------------------------- +Wed Jul 18 10:27:54 CEST 2001 - rolf@suse.de + +- update to 0.9.6b +- switch to engine version of openssl, which supports hardware + encryption for a few popular devices +- check wether shared libraries have been generated + +------------------------------------------------------------------- +Thu Jul 5 15:06:03 CEST 2001 - rolf@suse.de + +- appliy PRNG security patch + +------------------------------------------------------------------- +Tue Jun 12 10:52:34 EDT 2001 - bk@suse.de + +- added support for s390x + +------------------------------------------------------------------- +Mon May 7 21:02:30 CEST 2001 - kukuk@suse.de + +- Fix building of shared libraries on SPARC, too. + +------------------------------------------------------------------- +Mon May 7 11:36:53 MEST 2001 - rolf@suse.de + +- Fix ppc and s390 shared library builds +- resolved conflict in manpage naming: + rand.3 is now sslrand.3 [BUG#7643] + +------------------------------------------------------------------- +Tue May 1 22:32:48 CEST 2001 - schwab@suse.de + +- Fix ia64 configuration. +- Fix link command. + +------------------------------------------------------------------- +Thu Apr 26 03:17:52 CEST 2001 - bjacke@suse.de + +- updated to 0.96a + +------------------------------------------------------------------- +Wed Apr 18 12:56:48 CEST 2001 - kkaempf@suse.de + +- provide .so files in -devel package only + +------------------------------------------------------------------- +Tue Apr 17 02:45:36 CEST 2001 - bjacke@suse.de + +- resolve file name conflict (#6966) + +------------------------------------------------------------------- +Wed Mar 21 10:12:59 MET 2001 - rolf@suse.de + +- new subpackage openssl-src [BUG#6383] +- added README.SuSE which explains where to find the man pages [BUG#6717] + +------------------------------------------------------------------- +Fri Dec 15 18:09:16 CET 2000 - sf@suse.de + +- changed CFLAG to -O1 to make the tests run successfully + +------------------------------------------------------------------- +Mon Dec 11 13:33:55 CET 2000 - rolf@suse.de + +- build openssl with no-idea and no-rc5 to meet US & RSA regulations +- build with -fPIC on all platforms (especially IA64) + +------------------------------------------------------------------- +Wed Nov 22 11:27:39 MET 2000 - rolf@suse.de + +- rename openssls to openssl-devel and add shared libs and header files +- new subpackge openssl-doc for manpages and documentation +- use BuildRoot + +------------------------------------------------------------------- +Fri Oct 27 16:53:45 CEST 2000 - schwab@suse.de + +- Add link-time links for libcrypto and libssl. +- Make sure that LD_LIBRARY_PATH is passed down to sub-makes. + +------------------------------------------------------------------- +Mon Oct 2 17:33:07 MEST 2000 - rolf@suse.de + +- update to 0.9.6 + +------------------------------------------------------------------- +Mon Apr 10 23:04:15 CEST 2000 - bk@suse.de + +- fix support for s390-linux + +------------------------------------------------------------------- +Mon Apr 10 18:01:46 MEST 2000 - rolf@suse.de + +- new version 0.9.5a + +------------------------------------------------------------------- +Sun Apr 9 02:51:42 CEST 2000 - bk@suse.de + +- add support for s390-linux + +------------------------------------------------------------------- +Mon Mar 27 19:25:25 CEST 2000 - kukuk@suse.de + +- Use sparcv7 for SPARC + +------------------------------------------------------------------- +Wed Mar 1 16:42:00 MET 2000 - rolf@suse.de + +- move manpages back, as too many conflict with system manuals + +------------------------------------------------------------------- +Wed Mar 1 11:23:21 MET 2000 - rolf@suse.de + +- move manpages to %{_mandir} +- include static libraries + +------------------------------------------------------------------- +Wed Mar 1 02:52:17 CET 2000 - bk@suse.de + +- added subpackage source openssls, needed for ppp_ssl + +------------------------------------------------------------------- +Tue Feb 29 12:50:48 MET 2000 - rolf@suse.de + +- new version 0.9.5 + +------------------------------------------------------------------- +Thu Feb 24 15:43:38 CET 2000 - schwab@suse.de + +- add support for ia64-linux + +------------------------------------------------------------------- +Mon Jan 31 13:05:59 CET 2000 - kukuk@suse.de + +- Create and add libcrypto.so.0 and libssl.so.0 + +------------------------------------------------------------------- +Mon Sep 13 17:23:57 CEST 1999 - bs@suse.de + +- ran old prepare_spec on spec file to switch to new prepare_spec. + +------------------------------------------------------------------- +Wed Sep 1 12:30:08 MEST 1999 - rolf@suse.de + +- new version 0.9.4 + +------------------------------------------------------------------- +Wed May 26 16:26:49 MEST 1999 - rolf@suse.de + +- new version 0.9.3 with new layout +- alpha asm disabled by default now, no patch needed + +------------------------------------------------------------------- +Thu May 20 09:38:09 MEST 1999 - ro@suse.de + +- disable asm for alpha: seems incomplete + +------------------------------------------------------------------- +Mon May 17 17:43:34 MEST 1999 - rolf@suse.de + +- don't use -DNO_IDEA + +------------------------------------------------------------------- +Wed May 12 16:10:03 MEST 1999 - rolf@suse.de + +- first version 0.9.2b diff --git a/packaging/openssl.spec b/packaging/openssl.spec new file mode 100644 index 0000000..a876ef1 --- /dev/null +++ b/packaging/openssl.spec @@ -0,0 +1,377 @@ +Name: openssl +BuildRequires: bc +BuildRequires: ed +BuildRequires: pkg-config +BuildRequires: zlib-devel +%define ssletcdir %{_sysconfdir}/ssl +#%define num_version %(echo "%{version}" | sed -e "s+[a-zA-Z]++g; s+_.*++g") +%define num_version 1.0.0 +Provides: ssl +Version: 1.0.1c +Release: 0 +Summary: Secure Sockets and Transport Layer Security +License: OpenSSL +Group: Productivity/Networking/Security +Url: http://www.openssl.org/ +Source: http://www.%{name}.org/source/%{name}-%{version}.tar.gz +# to get mtime of file: +Source1: openssl.changes +Source2: baselibs.conf +Patch0: merge_from_0.9.8k.patch +Patch1: openssl-1.0.0-c_rehash-compat.diff +Patch2: bug610223.patch +Patch3: openssl-ocloexec.patch +BuildRoot: %{_tmppath}/%{name}-%{version}-build + +%description +The OpenSSL Project is a collaborative effort to develop a robust, +commercial-grade, full-featured, and open source toolkit implementing +the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS +v1) protocols with full-strength cryptography. The project is managed +by a worldwide community of volunteers that use the Internet to +communicate, plan, and develop the OpenSSL toolkit and its related +documentation. + +Derivation and License + +OpenSSL is based on the excellent SSLeay library developed by Eric A. +Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an +Apache-style license, which basically means that you are free to get it +and to use it for commercial and noncommercial purposes. + + + +Authors: +-------- + Mark J. Cox <mark@openssl.org> + Ralf S. Engelschall <rse@openssl.org> + Dr. Stephen Henson <steve@openssl.org> + Ben Laurie <ben@openssl.org> + Bodo Moeller <bodo@openssl.org> + Ulf Moeller <ulf@openssl.org> + Holger Reif <holger@openssl.org> + Paul C. Sutton <paul@openssl.org> + +%package -n libopenssl +Summary: Secure Sockets and Transport Layer Security +Group: Productivity/Networking/Security + +%description -n libopenssl +The OpenSSL Project is a collaborative effort to develop a robust, +commercial-grade, full-featured, and open source toolkit implementing +the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS +v1) protocols with full-strength cryptography. The project is managed +by a worldwide community of volunteers that use the Internet to +communicate, plan, and develop the OpenSSL toolkit and its related +documentation. + +Derivation and License + +OpenSSL is based on the excellent SSLeay library developed by Eric A. +Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an +Apache-style license, which basically means that you are free to get it +and to use it for commercial and noncommercial purposes. + + + +Authors: +-------- + Mark J. Cox <mark@openssl.org> + Ralf S. Engelschall <rse@openssl.org> + Dr. Stephen Henson <steve@openssl.org> + Ben Laurie <ben@openssl.org> + Bodo Moeller <bodo@openssl.org> + Ulf Moeller <ulf@openssl.org> + Holger Reif <holger@openssl.org> + Paul C. Sutton <paul@openssl.org> + +%package -n libopenssl-devel +Summary: Include Files and Libraries mandatory for Development +Group: Development/Libraries/C and C++ +Obsoletes: openssl-devel < %{version} +Requires: %name = %version +Requires: libopenssl = %{version} +Requires: zlib-devel +Provides: openssl-devel = %{version} + +%description -n libopenssl-devel +This package contains all necessary include files and libraries needed +to develop applications that require these. + + + +Authors: +-------- + Mark J. Cox <mark@openssl.org> + Ralf S. Engelschall <rse@openssl.org> + Dr. Stephen <Henson steve@openssl.org> + Ben Laurie <ben@openssl.org> + Bodo Moeller <bodo@openssl.org> + Ulf Moeller <ulf@openssl.org> + Holger Reif <holger@openssl.org> + Paul C. Sutton <paul@openssl.org> + +%package doc +Summary: Additional Package Documentation +Group: Productivity/Networking/Security +BuildArch: noarch + +%description doc +This package contains optional documentation provided in addition to +this package's base documentation. + + + +Authors: +-------- + Mark J. Cox <mark@openssl.org> + Ralf S. Engelschall <rse@openssl.org> + Dr. Stephen <Henson steve@openssl.org> + Ben Laurie <ben@openssl.org> + Bodo Moeller <bodo@openssl.org> + Ulf Moeller <ulf@openssl.org> + Holger Reif <holger@openssl.org> + Paul C. Sutton <paul@openssl.org> + +%prep +%setup -q +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 +echo "adding/overwriting some entries in the 'table' hash in Configure" +# $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags +export DSO_SCHEME='dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::' +cat <<EOF_ED | ed -s Configure +/^); +- +i +# +# local configuration added from specfile +# ... MOST of those are now correct in openssl's Configure already, +# so only add them for new ports! +# +#config-string, $cc:$cflags:$unistd:$thread_cflag:$sys_id:$lflags:$bn_ops:$cpuid_obj:$bn_obj:$des_obj:$aes_obj:$bf_obj:$md5_obj:$sha1_obj:$cast_obj:$rc4_obj:$rmd160_obj:$rc5_obj:$wp_obj:$cmll_obj:$dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags:$multilib +#"linux-elf", "gcc:-DL_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG \${x86_gcc_des} \${x86_gcc_opts}:\${x86_elf_asm}:$DSO_SCHEME:", +#"linux-ia64", "gcc:-DL_ENDIAN -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:\${ia64_asm}: $DSO_SCHEME:", +#"linux-ppc", "gcc:-DB_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:\${no_asm}: $DSO_SCHEME:", +#"linux-ppc64", "gcc:-DB_ENDIAN -DMD32_REG_T=int::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL SIXTY_FOUR_BIT_LONG:\${no_asm}: $DSO_SCHEME:64", +"linux-elf-arm","gcc:-DL_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG:\${no_asm}: $DSO_SCHEME:", +"linux-mips", "gcc:-DB_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:\${no_asm}: $DSO_SCHEME:", +"linux-sparcv7","gcc:-DB_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:\${no_asm}: $DSO_SCHEME:", +#"linux-sparcv8","gcc:-DB_ENDIAN -DBN_DIV2W -mv8 ::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::asm/sparcv8.o::::::::::::: $DSO_SCHEME:", +#"linux-x86_64", "gcc:-DL_ENDIAN -DNO_ASM -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG:\${no_asm}: $DSO_SCHEME:64", +#"linux-s390", "gcc:-DB_ENDIAN ::(unknown): :-ldl:BN_LLONG:\${no_asm}: $DSO_SCHEME:", +#"linux-s390x", "gcc:-DB_ENDIAN -DNO_ASM -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG:\${no_asm}: $DSO_SCHEME:64", +"linux-parisc", "gcc:-DB_ENDIAN ::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR DES_PTR DES_UNROLL DES_RISC1:\${no_asm}: $DSO_SCHEME:", +. +wq +EOF_ED +# fix ENGINESDIR path +sed -i 's,/lib/engines,/%_lib/engines,' Configure +# Record mtime of changes file instead of build time +CHANGES=`stat --format="%y" %SOURCE1` +sed -i -e "s|#define DATE \(.*\).LC_ALL.*date.|#define DATE \1$CHANGES|" crypto/Makefile + +%build +%ifarch armv5el armv5tel +export MACHINE=armv5el +%endif +RPM_OPT_FLAGS=$(echo $RPM_OPT_FLAGS | sed -s "s/--param=ssp-buffer-size=32//g") +export RPM_OPT_FLAGS + +./config --test-sanity +# +config_flags="threads shared no-rc5 no-idea \ +enable-camellia \ +zlib \ +--prefix=%{_prefix} \ +--libdir=%{_lib} \ +--openssldir=%{ssletcdir} \ +$RPM_OPT_FLAGS -std=gnu99 \ +-Wa,--noexecstack \ +-fomit-frame-pointer \ +-DTERMIO \ +-DPURIFY \ +-DSSL_FORBID_ENULL \ +-D_GNU_SOURCE \ +$(getconf LFS_CFLAGS) \ +%ifnarch hppa +-Wall \ +-fstack-protector " +%else +-Wall " +%endif +# +#%{!?do_profiling:%define do_profiling 0} +#%if %do_profiling +# # generate feedback +# ./config $config_flags +# make depend CC="gcc %cflags_profile_generate" +# make CC="gcc %cflags_profile_generate" +# LD_LIBRARY_PATH=`pwd` make rehash CC="gcc %cflags_profile_generate" +# LD_LIBRARY_PATH=`pwd` make test CC="gcc %cflags_profile_generate" +# LD_LIBRARY_PATH=`pwd` apps/openssl speed +# make clean +# # compile with feedback +# # but not if it makes a cipher slower: +# #find crypto/aes -name '*.da' | xargs -r rm +# ./config $config_flags %cflags_profile_feedback +# make depend +# make +# LD_LIBRARY_PATH=`pwd` make rehash +# LD_LIBRARY_PATH=`pwd` make test +#%else +# OpenSSL relies on uname -m (not good). Thus that little sparc line. + ./config \ +%ifarch sparc64 + linux64-sparcv9 \ +%endif + $config_flags + make depend + make + LD_LIBRARY_PATH=`pwd` make rehash + %ifnarch armv4l + LD_LIBRARY_PATH=`pwd` make test + %endif +#%endif +# show settings +make TABLE +echo $RPM_OPT_FLAGS +eval $(egrep PLATFORM='[[:alnum:]]' Makefile) +grep -B1 -A22 "^\*\*\* $PLATFORM$" TABLE + +%install +rm -rf $RPM_BUILD_ROOT +make MANDIR=%{_mandir} INSTALL_PREFIX=$RPM_BUILD_ROOT install +install -d -m755 $RPM_BUILD_ROOT%{ssletcdir}/certs +ln -sf ./%{name} $RPM_BUILD_ROOT/%{_includedir}/ssl +mkdir $RPM_BUILD_ROOT/%{_datadir}/ssl +mv $RPM_BUILD_ROOT/%{ssletcdir}/misc $RPM_BUILD_ROOT/%{_datadir}/ssl/ +# ln -s %{ssletcdir}/certs $RPM_BUILD_ROOT/%{_datadir}/ssl/certs +# ln -s %{ssletcdir}/private $RPM_BUILD_ROOT/%{_datadir}/ssl/private +# ln -s %{ssletcdir}/openssl.cnf $RPM_BUILD_ROOT/%{_datadir}/ssl/openssl.cnf +# + +# avoid file conflicts with man pages from other packages +# +pushd $RPM_BUILD_ROOT/%{_mandir} +# some man pages now contain spaces. This makes several scripts go havoc, among them /usr/sbin/Check. +# replace spaces by underscores +#for i in man?/*\ *; do mv -v "$i" "${i// /_}"; done +which readlink &>/dev/null || function readlink { ( set +x; target=$(file $1 2>/dev/null); target=${target//* }; test -f $target && echo $target; ) } +for i in man?/*; do + if test -L $i ; then + LDEST=`readlink $i` + rm -f $i ${i}ssl + ln -sf ${LDEST}ssl ${i}ssl + else + mv $i ${i}ssl + fi + case `basename ${i%.*}` in + asn1parse|ca|config|crl|crl2pkcs7|crypto|dgst|dhparam|dsa|dsaparam|enc|gendsa|genrsa|nseq|openssl|passwd|pkcs12|pkcs7|pkcs8|rand|req|rsa|rsautl|s_client|s_server|smime|spkac|ssl|verify|version|x509) + # these are the pages mentioned in openssl(1). They go into the main package. + echo %doc %{_mandir}/${i}ssl.gz >> $OLDPWD/filelist;; + *) + # the rest goes into the openssl-doc package. + echo %doc %{_mandir}/${i}ssl.gz >> $OLDPWD/filelist.doc;; + esac +done +popd +# +# check wether some shared library has been installed +# +ls -l $RPM_BUILD_ROOT%{_libdir} +test -f $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{num_version} +test -f $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{num_version} +test -L $RPM_BUILD_ROOT%{_libdir}/libssl.so +test -L $RPM_BUILD_ROOT%{_libdir}/libcrypto.so +# +# see what we've got +# +cat > showciphers.c <<EOF +#include <openssl/err.h> +#include <openssl/ssl.h> +int main(){ +unsigned int i; +SSL_CTX *ctx; +SSL *ssl; +SSL_METHOD *meth; + meth = SSLv23_client_method(); + SSLeay_add_ssl_algorithms(); + ctx = SSL_CTX_new(meth); + if (ctx == NULL) return 0; + ssl = SSL_new(ctx); + if (!ssl) return 0; + for (i=0; ; i++) { + int j, k; + SSL_CIPHER *sc; + sc = (meth->get_cipher)(i); + if (!sc) break; + k = SSL_CIPHER_get_bits(sc, &j); + printf("%s\n", sc->name); + } + return 0; +}; +EOF +gcc $RPM_OPT_FLAGS -I${RPM_BUILD_ROOT}%{_includedir} -c showciphers.c +gcc -o showciphers showciphers.o -L${RPM_BUILD_ROOT}%{_libdir} -lssl -lcrypto +LD_LIBRARY_PATH=${RPM_BUILD_ROOT}%{_libdir} ./showciphers > AVAILABLE_CIPHERS || true +cat AVAILABLE_CIPHERS +# Do not install demo scripts executable under /usr/share/doc +find demos -type f -perm /111 -exec chmod 644 {} \; + +#process openssllib +mkdir $RPM_BUILD_ROOT/%{_lib} +mv $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{num_version} $RPM_BUILD_ROOT/%{_lib}/ +mv $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{num_version} $RPM_BUILD_ROOT/%{_lib}/ +mv $RPM_BUILD_ROOT%{_libdir}/engines $RPM_BUILD_ROOT/%{_lib}/ +cd $RPM_BUILD_ROOT%{_libdir}/ +ln -sf /%{_lib}/libssl.so.%{num_version} ./libssl.so +ln -sf /%{_lib}/libcrypto.so.%{num_version} ./libcrypto.so + +cd $RPM_BUILD_DIR + +%clean +if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi + +%post -n libopenssl -p /sbin/ldconfig + +%postun -n libopenssl -p /sbin/ldconfig + +%files -n libopenssl +%defattr(-, root, root) +/%{_lib}/libssl.so.%{num_version} +/%{_lib}/libcrypto.so.%{num_version} +/%{_lib}/engines + +%files -n libopenssl-devel +%defattr(-, root, root) +%{_includedir}/%{name}/ +%{_includedir}/ssl +%exclude %{_libdir}/libcrypto.a +%exclude %{_libdir}/libssl.a +%{_libdir}/libssl.so +%{_libdir}/libcrypto.so +%_libdir/pkgconfig/libcrypto.pc +%_libdir/pkgconfig/libssl.pc +%_libdir/pkgconfig/openssl.pc + +%files doc -f filelist.doc +%defattr(-, root, root) +%doc doc/* demos +%doc showciphers.c + +%files -f filelist +%defattr(-, root, root) +%doc LICENSE +%dir %{ssletcdir} +%dir %{ssletcdir}/certs +%config (noreplace) %{ssletcdir}/openssl.cnf +%attr(700,root,root) %{ssletcdir}/private +%dir %{_datadir}/ssl +%{_datadir}/ssl/misc +%{_bindir}/c_rehash +%{_bindir}/%{name} + +%changelog diff --git a/packaging/openssl.test b/packaging/openssl.test new file mode 100644 index 0000000..5206b79 --- /dev/null +++ b/packaging/openssl.test @@ -0,0 +1,2 @@ + +openssl autmatically tests iteslf, no further testing needed |