# # spec file for package openssl1 # # Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: openssl1 BuildRequires: bc BuildRequires: ed BuildRequires: pkg-config BuildRequires: zlib-devel %define ssletcdir %{_sysconfdir}/ssl #%define num_version %(echo "%{version}" | sed -e "s+[a-zA-Z]++g; s+_.*++g") %define num_version 1.0.0 Provides: ssl Version: 1.0.1g Release: 0. Summary: Secure Sockets and Transport Layer Security License: OpenSSL Group: Productivity/Networking/Security Url: http://www.openssl.org/ Source: http://www.openssl.org/source/openssl-%{version}.tar.gz Source42: http://www.openssl.org/source/openssl-%{version}.tar.gz.asc # https://www.openssl.org/about/ Source43: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA2D29B7BF295C759#/%name.keyring # to get mtime of file: Source1: openssl1.changes Source2: baselibs.conf Source10: README.SUSE Patch0: merge_from_0.9.8k.patch Patch1: openssl-1.0.0-c_rehash-compat.diff Patch2: bug610223.patch Patch3: openssl-ocloexec.patch Patch4: VIA_padlock_support_on_64systems.patch # PATCH-FIX-UPSTREAM http://rt.openssl.org/Ticket/Attachment/WithHeaders/20049 Patch5: openssl-fix-pod-syntax.diff # new truststore for SLE12, not needed in SLE11. #Patch6: openssl-1.0.1e-truststore.diff Patch7: compression_methods_switch.patch Patch8: 0005-libssl-Hide-library-private-symbols.patch Patch9: openssl-1.0.1c-default-paths.patch Patch10: openssl-pkgconfig.patch # From Fedora openssl. Patch13: openssl-1.0.1c-ipv6-apps.patch Patch14: 0001-libcrypto-Hide-library-private-symbols.patch # FIPS patches left out Patch19: bug-860332-cmdline-check-certs.patch Patch22: CVE-2010-5298.patch Patch23: CVE-2014-0198.patch Patch24: CVE-2014-3470.patch Patch25: CVE-2014-0221.patch Patch26: CVE-2014-0224.patch Patch27: CVE-2014-0195.patch Patch28: openssl-CVE-2014-3505.patch Patch29: openssl-CVE-2014-3506.patch Patch30: openssl-CVE-2014-3507.patch Patch31: openssl-CVE-2014-3508.patch Patch32: openssl-CVE-2014-3509.patch Patch33: openssl-CVE-2014-3510.patch Patch34: openssl-CVE-2014-3511.patch Patch35: openssl-CVE-2014-3512.patch Patch36: openssl-CVE-2014-5139.patch Patch37: openssl1-CVE-2014-3513.patch Patch38: openssl1-CVE-2014-3566.patch Patch39: openssl1-CVE-2014-3567.patch Patch40: openssl1-CVE-2014-3568.patch Patch41: openssl-Added-OPENSSL_NO_EC2M-guards-around-the-preferred-EC.patch Patch45: openssl-CVE-2014-3572.patch Patch46: openssl-CVE-2014-8275.patch Patch47: openssl-CVE-2015-0204.patch Patch48: openssl-CVE-2015-0205.patch Patch49: openssl-CVE-2015-0206.patch Patch50: openssl-CVE-2014-3570.patch Patch51: openssl-CVE-2014-3571.patch Patch52: openssl-CVE-2015-0209.patch Patch53: openssl-CVE-2015-0286.patch Patch54: openssl-CVE-2015-0287.patch Patch55: openssl-CVE-2015-0288.patch Patch56: openssl-CVE-2015-0289.patch Patch57: openssl-CVE-2015-0293.patch Patch58: openssl-CVE-2015-0292.patch Patch59: openssl-add_option_to_disable_padding_extension.patch Patch67: openssl-CVE-2014-8176.patch Patch68: openssl-RSA_premaster_secret_in_constant_time.patch Patch69: openssl-CVE-2015-1788.patch Patch70: openssl-CVE-2015-1789.patch Patch71: openssl-CVE-2015-1790.patch Patch72: openssl-CVE-2015-1791.patch Patch73: openssl-CVE-2015-1792.patch # CVE-2015-4000 fixes (aka Logjam, weakdh.org) Patch74: 0001-s_server-Use-2048-bit-DH-parameters-by-default.patch Patch75: 0002-dhparam-set-the-default-to-2048-bits.patch Patch76: 0003-dhparam-fix-documentation.patch Patch77: 0004-Update-documentation-with-Diffie-Hellman-best-practi.patch Patch78: 0005-client-reject-handshakes-with-DH-parameters-1024-bits.patch # EO CVE-2015-4000 Patch79: 0001-bn-asm-s390x.S-improve-performance-on-z196-and-z13-b.patch Patch80: openssl-CVE-2015-3194.patch Patch81: openssl-CVE-2015-3195.patch Patch82: openssl-CVE-2015-3196.patch Patch83: openssl-CVE-2015-3197.patch Patch84: openssl-avoid-config-twice.patch # OpenSSL Security Advisory [1st March 2016] Patch85: openssl-CVE-2016-0702-openssl101.patch Patch86: openssl-CVE-2016-0705.patch Patch87: openssl-CVE-2016-0797.patch Patch88: openssl-CVE-2016-0798-101.patch Patch89: openssl-CVE-2016-0799.patch Patch90: openssl-CVE-2016-0800-DROWN-disable-ssl2.patch # OpenSSL Security Advisory [3rd May 2016] Patch91: openssl-CVE-2016-2107.patch Patch92: openssl-CVE-2016-2108.patch Patch93: openssl-CVE-2016-2109.patch Patch94: openssl-CVE-2016-2105.patch Patch95: openssl-CVE-2016-2106.patch Patch96: 0001-Preserve-digests-for-SNI.patch Patch97: 0001-Fix-buffer-overrun-in-ASN1_parse.patch # SLE11 shadow ssl1 Patch100: openssl1-opt-suse.patch # let c_rehash1 call openssl1 Patch101: openssl1-c_rehash.patch Patch110: openssl-s390x_performance_improvements.patch Patch111: openssl-update-expired-smime-certs.patch Patch112: openssl-print_notice-NULL_crash.patch #OpenSSL Security Advisory [22 Sep 2016] (bsc#999665) Patch120: openssl-CVE-2016-2177.patch Patch121: openssl-CVE-2016-2178.patch Patch122: openssl-CVE-2016-2180.patch Patch123: openssl-CVE-2016-2182.patch Patch124: openssl-CVE-2016-2181.patch Patch125: openssl-CVE-2016-2179.patch Patch126: openssl-CVE-2016-6303.patch Patch127: openssl-CVE-2016-2183-SWEET32.patch Patch128: openssl-CVE-2016-6306.patch Patch129: openssl-CVE-2016-6304.patch Patch130: openssl-CVE-2016-6302.patch Patch131: openssl-randfile_fread_interrupt.patch # OpenSSL Security Advisory [26 Jan 2017] (bsc#1021641) Patch133: openssl-CVE-2016-8610.patch Patch134: openssl-CVE-2016-7056.patch Patch136: openssl-fix_crash_in_openssl_speed.patch Patch137: openssl-degrade_3DES_to_MEDIUM_in_SSL2.patch Patch138: openssl-CVE-2017-3731.patch # OpenSSL Security Advisory [28 Aug 2017] Patch139: openssl-CVE-2017-3735.patch Patch140: openssl-fix_crash_in_DES.patch Patch141: 0001-Backport-support-for-fixed-DH-ciphersuites-from-HEAD.patch Patch142: 0001-Don-t-send-a-for-ServerKeyExchange-for-kDHr-and-kDHd.patch Patch143: openssl-DH_fix_logjam.patch Patch144: openssl-1.0.1i-trusted-first.patch Patch145: openssl-1.0.1i-alt-chains.patch # add DEFAULT_SUSE cipher list Patch146: openssl-1.0.1e-add-test-suse-default-cipher-suite.patch Patch147: openssl-1.0.1e-add-suse-default-cipher-header.patch Patch148: openssl-1.0.1e-add-suse-default-cipher.patch # OpenSSL Security Advisory [27 Mar 2018] Patch149: openssl-CVE-2018-0739.patch # OpenSSL Security Advisory [12 June 2018] # bsc#1097158 Patch150: openssl-CVE-2018-0732.patch # bsc#1097624 Patch151: openssl-add-blinding-to-ecdsa.patch # bsc#1098592 Patch152: openssl-add-blinding-to-dsa.patch # OpenSSL Security Advisory [16 Apr 2018] Patch153: openssl-CVE-2018-0737.patch Patch155: openssl-One_and_Done.patch # OpenSSL Security Advisory [30 October 2018] Patch156: 0001-DSA-Address-a-timing-side-channel-whereby-it-is-possible.patch Patch157: 0002-ECDSA-Address-a-timing-side-channel-whereby-it-is-possible.patch Patch158: openssl-CVE-2018-0734.patch Patch159: 0001-Merge-to-1.0.2-DSA-mod-inverse-fix.patch Patch160: 0001-Add-a-constant-time-flag-to-one-of-the-bignums-to-av.patch Patch161: openssl-CVE-2018-5407-PortSmash.patch # The 9 Lives of Bleichenbacher's CAT - vulnerability #7739 # https://github.com/openssl/openssl/pull/6889 Patch162: openssl-Extended-OAEP-support.patch Patch163: openssl-rewrite-RSA-padding-checks.patch Patch164: openssl-add-computationally-constant-time-bn_bn2binpad.patch Patch165: openssl-address-Coverity-nit-in-bn2binpad.patch Patch166: openssl-switch-to-BN_bn2binpad.patch # https://github.com/openssl/openssl/pull/6942 Patch167: 0001-crypto-bn-add-more-fixed-top-routines.patch Patch168: 0002-rsa-rsa_eay.c-implement-variant-of-Smooth-CRT-RSA.patch Patch169: 0003-bn-bn_blind.c-use-Montgomery-multiplication-when-pos.patch Patch170: 0004-bn-bn_lib.c-conceal-even-memmory-access-pattern-in-b.patch # https://github.com/openssl/openssl/pull/7737 Patch171: 0005-err-err.c-add-err_clear_last_constant_time.patch Patch172: 0006-rsa-rsa_eay.c-make-RSAerr-call-in-rsa_ossl_private_d.patch Patch173: 0007-rsa-rsa_pk1.c-remove-memcpy-calls-from-RSA_padding_c.patch Patch174: 0008-rsa-rsa_oaep.c-remove-memcpy-calls-from-RSA_padding_.patch Patch175: 0009-rsa-rsa_ssl.c-make-RSA_padding_check_SSLv23-constant.patch Patch176: openssl-bn_mul_mont_fixed_top.patch Patch177: openssl-bn_mod_add_fixed_top.patch Patch178: 0001-RT-4242-reject-invalid-EC-point-coordinates.patch Patch179: openssl-CVE-2019-1559.patch # OpenSSL Security Advisory [10 September 2019] Patch180: openssl-CVE-2019-1547.patch Patch181: openssl-CVE-2019-1563.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and open source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation. Derivation and License OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache-style license, which basically means that you are free to get it and to use it for commercial and noncommercial purposes. %package -n libopenssl1_0_0 Summary: Secure Sockets and Transport Layer Security Group: Productivity/Networking/Security Recommends: openssl-certs Requires: openssl1 Provides: cipher(openssl1:DEFAULT_SUSE) # %description -n libopenssl1_0_0 The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and open source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation. Derivation and License OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache-style license, which basically means that you are free to get it and to use it for commercial and noncommercial purposes. %package -n libopenssl1-devel Summary: Include Files and Libraries mandatory for Development Group: Development/Libraries/C and C++ Requires: %name = %version Requires: libopenssl1_0_0 = %{version} Requires: zlib-devel Provides: libopenssl-devel = %{version} Provides: openssl-devel = %{version} Conflicts: libopenssl-devel < 1.0.1 %description -n libopenssl1-devel This package contains all necessary include files and libraries needed to develop applications that require these. %package doc Summary: Additional Package Documentation Group: Productivity/Networking/Security %if 0%{?suse_version} >= 1140 BuildArch: noarch %endif Conflicts: openssl-doc %description doc This package contains optional documentation provided in addition to this package's base documentation. %prep %setup -q -n openssl-%version %patch0 -p1 %patch1 -p1 #%patch2 -p1 %patch3 %patch4 -p1 %patch5 -p1 #patch6 -p1 %patch7 -p1 %patch8 -p1 %patch9 -p1 %patch10 -p1 %patch13 -p1 %patch14 -p1 %patch19 -p1 %patch22 -p1 %patch23 -p1 %patch24 -p1 %patch25 -p1 %patch26 -p1 %patch27 -p1 %patch28 -p1 %patch29 -p1 %patch30 -p1 %patch31 -p1 %patch32 -p1 %patch33 -p1 %patch34 -p1 %patch35 -p1 %patch36 -p1 %patch37 -p1 %patch38 -p1 %patch39 -p1 %patch40 -p1 %patch41 -p1 %patch45 -p1 %patch46 -p1 %patch47 -p1 %patch48 -p1 %patch49 -p1 %patch50 -p1 %patch51 -p1 %patch52 -p1 %patch53 -p1 %patch54 -p1 %patch55 -p1 %patch56 -p1 %patch57 -p1 %patch58 -p1 %patch59 -p1 %patch67 -p1 %patch68 -p1 %patch69 -p1 %patch70 -p1 %patch71 -p1 %patch72 -p1 %patch73 -p1 %patch74 -p1 %patch75 -p1 %patch76 -p1 %patch77 -p1 %patch78 -p1 %patch79 -p1 %patch80 -p1 %patch81 -p1 %patch82 -p1 %patch83 -p1 %patch84 -p1 %patch85 -p1 %patch86 -p1 %patch87 -p1 %patch88 -p1 %patch89 -p1 %patch90 -p1 %patch91 -p1 %patch92 -p1 %patch93 -p1 %patch94 -p1 %patch95 -p1 %patch96 -p1 %patch97 -p1 # sle11 override specific adjustments %patch100 -p1 %patch101 -p1 # delete patch leftovers from doc to silence a build check find doc -name \*.orig -delete %patch110 -p1 %patch111 -p1 %patch112 -p1 #OpenSSL Security Advisory [22 Sep 2016] (bsc#999665) %patch120 -p1 %patch121 -p1 %patch122 -p1 %patch123 -p1 %patch124 -p1 %patch125 -p1 %patch126 -p1 %patch127 -p1 %patch128 -p1 %patch129 -p1 %patch130 -p1 %patch131 -p1 %patch133 -p1 %patch134 -p1 %patch136 -p1 %patch137 -p1 %patch138 -p1 %patch139 -p1 %patch140 -p1 %patch141 -p1 %patch142 -p1 %patch143 -p1 %patch144 -p1 %patch145 -p1 %patch146 -p1 %patch147 -p1 %patch148 -p1 %patch149 -p1 %patch150 -p1 %patch151 -p1 %patch152 -p1 %patch153 -p1 %patch155 -p1 %patch156 -p1 %patch157 -p1 %patch158 -p1 %patch159 -p1 %patch160 -p1 %patch161 -p1 %patch162 -p1 %patch163 -p1 %patch164 -p1 %patch165 -p1 %patch166 -p1 %patch167 -p1 %patch168 -p1 %patch169 -p1 %patch170 -p1 %patch171 -p1 %patch172 -p1 %patch173 -p1 %patch174 -p1 %patch175 -p1 %patch176 -p1 %patch177 -p1 %patch178 -p1 %patch179 -p1 %patch180 -p1 %patch181 -p1 # clean up patching leftovers find . -name '*.orig' -delete cp -p %{S:10} . echo "adding/overwriting some entries in the 'table' hash in Configure" # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags export DSO_SCHEME='dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::' cat </dev/null || function readlink { ( set +x; target=$(file $1 2>/dev/null); target=${target//* }; test -f $target && echo $target; ) } for i in man?/*; do if test -L $i ; then LDEST=`readlink $i` rm -f $i ${i}ssl1 ln -sf ${LDEST}ssl1 ${i}ssl1 else mv $i ${i}ssl1 fi case `basename ${i%.*}` in asn1parse|ca|config|crl|crl2pkcs7|crypto|dgst|dhparam|dsa|dsaparam|enc|gendsa|genrsa|nseq|openssl|passwd|pkcs12|pkcs7|pkcs8|rand|req|rsa|rsautl|s_client|s_server|smime|spkac|ssl|verify|version|x509) # these are the pages mentioned in openssl(1). They go into the main package. echo %doc %{_mandir}/${i}ssl1.gz >> $OLDPWD/filelist;; *) # the rest goes into the openssl-doc package. echo %doc %{_mandir}/${i}ssl1.gz >> $OLDPWD/filelist.doc;; esac done popd # # check wether some shared library has been installed # ls -l $RPM_BUILD_ROOT%{_libdir} test -f $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{num_version} test -f $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{num_version} test -L $RPM_BUILD_ROOT%{_libdir}/libssl.so test -L $RPM_BUILD_ROOT%{_libdir}/libcrypto.so # # see what we've got # cat > showciphers.c < #include int main(){ unsigned int i; SSL_CTX *ctx; SSL *ssl; SSL_METHOD *meth; meth = SSLv23_client_method(); SSLeay_add_ssl_algorithms(); ctx = SSL_CTX_new(meth); if (ctx == NULL) return 0; ssl = SSL_new(ctx); if (!ssl) return 0; for (i=0; ; i++) { int j, k; SSL_CIPHER *sc; sc = (meth->get_cipher)(i); if (!sc) break; k = SSL_CIPHER_get_bits(sc, &j); printf("%s\n", sc->name); } return 0; }; EOF gcc $RPM_OPT_FLAGS -I${RPM_BUILD_ROOT}%{_includedir} -c showciphers.c gcc -o showciphers showciphers.o -L${RPM_BUILD_ROOT}%{_libdir} -lssl -lcrypto LD_LIBRARY_PATH=${RPM_BUILD_ROOT}%{_libdir} ./showciphers > AVAILABLE_CIPHERS || true cat AVAILABLE_CIPHERS # Do not install demo scripts executable under /usr/share/doc find demos -type f -perm /111 -exec chmod 644 {} \; #process openssllib #mkdir $RPM_BUILD_ROOT/%{_lib} #mv $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{num_version} $RPM_BUILD_ROOT/%{_lib}/ #mv $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{num_version} $RPM_BUILD_ROOT/%{_lib}/ rm -rf $RPM_BUILD_ROOT/usr/share/ssl rm -rf $RPM_BUILD_ROOT/etc/ssl/openssl.cnf # engines/ directory is hardcoded in engines/Makefile regardless of ENGINEDIR # value in Configure, so just move the directory. mv $RPM_BUILD_ROOT%{_libdir}/engines{,1} ls %{buildroot}/%{_libdir}/engines1/ for engine in atalla nuron sureware ubsec cswift chil aep; do rm %{buildroot}/%{_libdir}/engines1/lib$engine.so done %ifnarch %{ix86} x86_64 rm %{buildroot}/%{_libdir}/engines1/libpadlock.so %endif # openssl1 stuff mv %{buildroot}/usr/bin/openssl{,1} mv %{buildroot}/usr/bin/c_rehash{,1} %clean if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi %post -n libopenssl1_0_0 /sbin/ldconfig env OPENSSL=openssl1 c_rehash1 %{ssletcdir}/certs > /dev/null || true %postun -n libopenssl1_0_0 -p /sbin/ldconfig %files -n libopenssl1_0_0 %defattr(-, root, root) /%{_libdir}/libssl.so.%{num_version} /%{_libdir}/libcrypto.so.%{num_version} /%{_libdir}/engines1 %files -n libopenssl1-devel %defattr(-, root, root) %{_includedir}/openssl/ %{_includedir}/ssl %{_libdir}/libcrypto.a %{_libdir}/libssl.a %{_libdir}/libssl.so %{_libdir}/libcrypto.so %_libdir/pkgconfig/libcrypto.pc %_libdir/pkgconfig/libssl.pc %_libdir/pkgconfig/openssl.pc %files doc -f filelist.doc %defattr(-, root, root) %doc doc/* demos %doc showciphers.c %files -f filelist %defattr(-, root, root) %doc CHANGE* INSTAL* AVAILABLE_CIPHERS %doc LICENSE NEWS README README.SUSE #dir %{ssletcdir} #dir %{ssletcdir}/certs #config (noreplace) %{ssletcdir}/openssl.cnf #attr(700,root,root) %{ssletcdir}/private #dir %{_datadir}/ssl #{_datadir}/ssl/misc %{_bindir}/c_rehash1 %{_bindir}/%{name} %changelog