updated 2 packages

openssl-3.0.0-1

openssl111-1.1.1l-2

o/openssl/openssl-vl.spec

@@ -5,11 +5,11 @@
 # 1.0.0 soversion = 10
 # 1.1.0 soversion = 1.1 (same as upstream although presence of some symbols
 #                        depends on build configuration options)
-%define soversion 1.1
+%define soversion 3
 
 Summary: Secure Sockets Layer Toolkit
 Name: openssl
-Version: 1.1.1l
+Version: 3.0.0
 Release: 1%{_dist_release}
 Group: system,security
 Vendor: Project Vine
@@ -26,49 +26,34 @@ Source1: hobble-openssl
 Source2: Makefile.certificate
 Source6: make-dummy-cert
 Source7: renew-dummy-cert
-Source9: opensslconf-new.h
+Source9: configuration-switch.h
-Source10: opensslconf-new-warning.h
+Source10: configuration-prefix.h
-Source11: README.FIPS
 Source12: ec_curve.c
 Source13: ectest.c
 
-# Build changes
+# Patches exported from source git
-Patch1: openssl-1.1.1f-build.patch
+# Aarch64 and ppc64le use lib64
-Patch2: openssl-1.1.0-defaults.patch
+#Patch1: 0001-Aarch64-and-ppc64le-use-lib64.patch
-Patch3: openssl-1.1.0-no-html.patch
+# Use more general default values in openssl.cnf
-Patch4: openssl-1.1.1-man-rename.patch
+Patch2: 0002-Use-more-general-default-values-in-openssl.cnf.patch
-# Bug fixes
+# Do not install html docs
-Patch21: openssl-1.1.0-issuer-hash.patch
+Patch3: 0003-Do-not-install-html-docs.patch
-# Functionality changes
+# Override default paths for the CA directory tree
-Patch31: openssl-1.1.1-conf-paths.patch
+Patch4: 0004-Override-default-paths-for-the-CA-directory-tree.patch
-Patch32: openssl-1.1.1-version-add-engines.patch
+# apps/ca: fix md option help text
-Patch33: openssl-1.1.1-apps-dgst.patch
+Patch5: 0005-apps-ca-fix-md-option-help-text.patch
-Patch36: openssl-1.1.1-no-brainpool.patch
+# Disable signature verification with totally unsafe hash algorithms
-Patch37: openssl-1.1.1-ec-curves.patch
+Patch6: 0006-Disable-signature-verification-with-totally-unsafe-h.patch
-Patch38: openssl-1.1.1-no-weak-verify.patch
+# Add support for PROFILE=SYSTEM system default cipherlist
-Patch40: openssl-1.1.1-disable-ssl3.patch
+Patch7: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
-Patch41: openssl-1.1.1-system-cipherlist.patch
+# Add FIPS_mode() compatibility macro
-Patch42: openssl-1.1.1-fips.patch
+Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch
-Patch44: openssl-1.1.1-version-override.patch
+# Add check to see if fips flag is enabled in kernel
-Patch45: openssl-1.1.1-weak-ciphers.patch
+#Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
-Patch46: openssl-1.1.1-seclevel.patch
+# remove unsupported EC curves
-Patch48: openssl-1.1.1-fips-post-rand.patch
+Patch11: 0011-Remove-EC-curves.patch
-Patch49: openssl-1.1.1-evp-kdf.patch
+# Instructions to load legacy provider in openssl.cnf
-Patch50: openssl-1.1.1-ssh-kdf.patch
+#Patch24: 0024-load-legacy-prov.patch
-Patch51: openssl-1.1.1-intel-cet.patch
-Patch60: openssl-1.1.1-krb5-kdf.patch
-Patch61: openssl-1.1.1-edk2-build.patch
-Patch62: openssl-1.1.1-fips-curves.patch
-Patch65: openssl-1.1.1-fips-drbg-selftest.patch
-Patch66: openssl-1.1.1-fips-dh.patch
-Patch67: openssl-1.1.1-kdf-selftest.patch
-Patch69: openssl-1.1.1-alpn-cb.patch
-Patch70: openssl-1.1.1-rewire-fips-drbg.patch
-# Backported fixes including security fixes
-Patch52: openssl-1.1.1-s390x-update.patch
-Patch53: openssl-1.1.1-fips-crng-test.patch
-Patch55: openssl-1.1.1-arm-update.patch
-Patch56: openssl-1.1.1-s390x-ecc.patch
 
 # security fix
 # none
@@ -80,6 +65,8 @@ BuildRequires: lksctp-tools-devel
 
 Requires: mktemp
 Requires: ca-certificates
+Requires: %{name}-libs = %{version}-%{release}
+Obsoletes: openssl111 < 3.0.0
 
 %define solibbase %(echo %version | sed 's/[[:alpha:]]//g')
 
@@ -88,11 +75,22 @@ The OpenSSL certificate management tool and the shared libraries that
 provide various cryptographic algorithms and protocols.
 
 
+%package libs
+Summary: A general purpose cryptography library with TLS implementation
+Group: system
+
+%description libs
+OpenSSL is a toolkit for supporting cryptography. The openssl-libs
+package contains the libraries that are used by various applications which
+support cryptographic algorithms and protocols.
+
+
 %package devel
 Summary: OpenSSL libraries and development headers.
 Group: programming
-Requires: %{name} = %{version}-%{release}
+Requires: %{name}-libs = %{version}-%{release}
 Requires: krb5-devel
+Conflicts: openssl111-devel < 3.0.0
 
 %description devel
 The static libraries and include files needed to compile apps
@@ -107,6 +105,7 @@ ftp://ftp.psy.uq.oz.au/pub/Crypto/SSLapps/
 Summary:  Libraries for static linking of applications which will use OpenSSL
 Group: programming
 Requires: %{name}-devel = %{version}-%{release}
+Conflicts: openssl111-static < 3.0.0
 
 %description static
 OpenSSL is a toolkit for supporting cryptography. The openssl-static
@@ -118,7 +117,8 @@ protocols.
 %package perl
 Summary: OpenSSL scripts which require Perl.
 Group: security
-Requires: %{name} = %{version}-%{release}
+Requires: %{name}-libs = %{version}-%{release}
+Obsoletes: openssl111-perl < 3.0.0
 Requires: perl
 
 %description perl
@@ -131,6 +131,7 @@ from other formats to those used by OpenSSL.
 Summary: Secure Sockets Layer Toolkit
 Group: system
 Requires: %{name} = %{version}-%{release}
+
 %description -n compat32-%{name}
 The OpenSSL certificate management tool and the shared libraries that
 provide various cryptographic algorithms and protocols.
@@ -141,6 +142,8 @@ Summary: OpenSSL libraries and development headers.
 Group: programming
 Requires: compat32-%{name} = %{version}-%{release}
 Requires: compat32-krb5-devel
+Conflicts: compat32-openssl111-devel < 3.0.0
+
 %description -n compat32-%{name}-devel
 The static libraries and include files needed to compile apps
 with support for various the cryptographic algorithms and protocols
@@ -152,6 +155,7 @@ supported by OpenSSL.
 
 %prep
 %setup -q -n %{name}-%{version}
+%autopatch -p1
 
 # The hobble_openssl is called here redundantly, just to be sure.
 # The tarball has already the sources removed.
@@ -160,56 +164,6 @@ supported by OpenSSL.
 cp %{SOURCE12} crypto/ec/
 cp %{SOURCE13} test/
 
-%patch1 -p1 -b .build   %{?_rawbuild}
-%patch2 -p1 -b .defaults
-%patch3 -p1 -b .no-html  %{?_rawbuild}
-%patch4 -p1 -b .man-rename
-
-%patch21 -p1 -b .issuer-hash
-
-%patch31 -p1 -b .conf-paths
-%patch32 -p1 -b .version-add-engines
-%patch33 -p1 -b .dgst
-%patch36 -p1 -b .no-brainpool
-%patch37 -p1 -b .curves
-%patch38 -p1 -b .no-weak-verify
-%patch40 -p1 -b .disable-ssl3
-%patch41 -p1 -b .system-cipherlist
-%if %{with fips}
-%patch42 -p1 -b .fips
-%endif
-%if %{with fips}
-%patch44 -p1 -b .version-override
-%endif
-%patch45 -p1 -b .weak-ciphers
-%if %{with fips}
-%patch46 -p1 -b .seclevel
-%patch49 -p1 -b .evp-kdf
-%patch50 -p1 -b .ssh-kdf
-%patch51 -p1 -b .upstream-sync
-#patch52 -p1 -b .s390x-update
-%endif
-%if %{with fips}
-%patch53 -p1 -b .crng-test
-%endif
-#patch55 -p1 -b .arm-update
-#patch56 -p1 -b .s390x-ecc
-%if %{with fips}
-%patch60 -p1 -b .krb5-kdf
-%patch61 -p1 -b .edk2-build
-%patch62 -p1 -b .fips-curves
-%patch65 -p1 -b .drbg-selftest
-%patch66 -p1 -b .fips-dh
-%patch67 -p1 -b .kdf-selftest
-%endif
-%patch69 -p1 -b .alpn-cb
-%if %{with fips}
-%patch70 -p1 -b .rewire-fips-drbg
-%endif
-
-# security fix
-# none
-
 
 %build 
 # Figure out which flags we want to use.
@@ -244,20 +198,14 @@ perl -pi -e 's|/engines-|/%{name}/engines-|' ./Configurations/unix-Makefile.tmpl
 	--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
 	--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
 	zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
-	enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \
+	enable-cms enable-md2 enable-rc5 enable-ktls enable-fips \
-	enable-weak-ssl-ciphers \
 	no-mdc2 no-ec2m no-sm2 no-sm4 \
 	shared  ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'
 
 # Do not run this in a production package the FIPS symbols must be patched-in
 #util/mkdef.pl crypto update
 
-make all
+make -s %{?_smp_mflags} all
-
-%if %{with fips}
-# Overwrite FIPS README
-cp -f %{SOURCE11} .
-%endif
 
 # Clean up the .pc files
 for i in libcrypto.pc libssl.pc openssl.pc ; do
@@ -271,15 +219,13 @@ done
 # Hack - either enable SCTP AUTH chunks in kernel or disable sctp for check
 (sysctl net.sctp.addip_enable=1 && sysctl net.sctp.auth_enable=1) || \
 (echo 'Failed to enable SCTP AUTH chunks, disabling SCTP for tests...' &&
- sed '/"zlib-dynamic" => "default",/a\ \ "sctp" => "default",' configdata.pm > configdata.pm.new && \
+ sed '/"msan" => "default",/a\ \ "sctp" => "default",' configdata.pm > configdata.pm.new && \
  touch -r configdata.pm configdata.pm.new && \
  mv -f configdata.pm.new configdata.pm)
 
-# We must revert patch31 before tests otherwise they will fail
+# We must revert patch4 before tests otherwise they will fail
-patch -p1 -R < %{PATCH31}
+patch -p1 -R < %{PATCH4}
 
-# drop a recipe includes tests for brainpool curves (not supported by openssl-hobbled).
-rm -f test/recipes/80-test_ssl_new.t
 
 LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
 export LD_LIBRARY_PATH
@@ -287,14 +233,16 @@ OPENSSL_ENABLE_MD5_VERIFY=
 export OPENSSL_ENABLE_MD5_VERIFY
 OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
 export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
-make test
+make test HARNESS_JOBS=8
 
+%if 0
 # Add generation of HMAC checksum of the final stripped library
 %define __spec_install_post \
     %{?__debug_package:%{__debug_install_post}} \
     %{__arch_install_post} \
     %{__os_install_post} \
 %{nil}
+%endif
 
 %define __provides_exclude_from %{_libdir}/openssl
 
@@ -325,24 +273,7 @@ mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/tsget $RPM_BUILD_ROOT%{_bindir}
 
 # Rename man pages so that they don't conflict with other system man pages.
 pushd $RPM_BUILD_ROOT%{_mandir}
-ln -s -f config.5 man5/openssl.cnf.5
+mv man5/config.5ossl man5/openssl.cnf.5
-for manpage in man*/* ; do
-	if [ -L ${manpage} ]; then
-		TARGET=`ls -l ${manpage} | awk '{ print $NF }'`
-		ln -snf ${TARGET}ssl ${manpage}ssl
-		rm -f ${manpage}
-	else
-		mv ${manpage} ${manpage}ssl
-	fi
-done
-for conflict in passwd rand ; do
-	rename ${conflict} ssl${conflict} man*/${conflict}*
-# Fix dangling symlinks
-	manpage=man1/openssl-${conflict}.*
-	if [ -L ${manpage} ] ; then
-		ln -snf ssl${conflict}.1ssl ${manpage}
-	fi
-done
 popd
 
 mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA
@@ -358,6 +289,9 @@ touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf
 
 rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist
 rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
+%ifarch i686
+rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/fipsmodule.cnf
+%endif
 
 # Determine which arch opensslconf.h is going to try to #include.
 basearch=%{_arch}
@@ -377,14 +311,12 @@ sed -i '/^\#ifndef OPENSSL_NO_SSL_TRACE/i\
 # can have both a 32- and 64-bit version of the library, and they each need
 # their own correct-but-different versions of opensslconf.h to be usable.
 install -m644 %{SOURCE10} \
-	$RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf-${basearch}.h
+	$RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration-${basearch}.h
-cat $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h >> \
+cat $RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration.h >> \
-	$RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf-${basearch}.h
+	$RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration-${basearch}.h
 install -m644 %{SOURCE9} \
-	$RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h
+	$RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration.h
 %endif
-LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
-export LD_LIBRARY_PATH
 
 
 %clean
@@ -394,36 +326,46 @@ export LD_LIBRARY_PATH
 %files 
 %defattr(-,root,root)
 %{!?_licensedir:%global license %%doc}
-%license LICENSE
+%license LICENSE.txt
-%doc FAQ NEWS README
+%doc NEWS.md README.md
-%if %{with fips}
-%doc README.FIPS
-%endif
 %{_pkgdocdir}/Makefile.certificate
-%dir %{_sysconfdir}/pki/tls
-%dir %{_sysconfdir}/pki/tls/certs
-%dir %{_sysconfdir}/pki/tls/misc
-%dir %{_sysconfdir}/pki/tls/private
-%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
-%config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf
-
 %{_bindir}/make-dummy-cert
 %{_bindir}/renew-dummy-cert
 %{_bindir}/openssl
-%attr(0755,root,root) /%{_lib}/*.so.*
-%attr(0755,root,root) %{_libdir}/%{name}/engines-%{soversion}
 %dir %{_mandir}/man1*
 %{_mandir}/man1*/*
 %dir %{_mandir}/man5*
 %{_mandir}/man5*/*
 %dir %{_mandir}/man7*
 %{_mandir}/man7*/*
+%exclude %{_mandir}/man1/*.pl*
+%exclude %{_mandir}/man1/tsget*
+
+%files libs
+%{!?_licensedir:%global license %%doc}
+%license LICENSE.txt
+%dir %{_sysconfdir}/pki/tls
+%dir %{_sysconfdir}/pki/tls/certs
+%dir %{_sysconfdir}/pki/tls/misc
+%dir %{_sysconfdir}/pki/tls/private
+%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
+%config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf
+%attr(0755,root,root) /%{_lib}/libcrypto.so.%{version}
+/%{_lib}/libcrypto.so.%{soversion}
+%attr(0755,root,root) /%{_lib}/libssl.so.%{version}
+/%{_lib}/libssl.so.%{soversion}
+%attr(0755,root,root) %{_libdir}/%{name}/engines-%{soversion}
+%attr(0755,root,root) %{_libdir}/ossl-modules
+%ifnarch i686
+%config(noreplace) %{_sysconfdir}/pki/tls/fipsmodule.cnf
+%endif
+
 
 %files devel
-%defattr(-,root,root)
+%doc CHANGES.md doc/dir-locals.example.el doc/openssl-c-indent.el
 %{_prefix}/include/openssl
 %exclude %{_libdir}/lib*.a
-%attr(0755,root,root) %{_libdir}/*.so
+%{_libdir}/*.so
 %attr(0644,root,root) %{_libdir}/pkgconfig/*.pc
 %dir %{_mandir}/man3*
 %{_mandir}/man3*/*
@@ -438,9 +380,7 @@ export LD_LIBRARY_PATH
 %{_bindir}/*.pl
 %{_bindir}/tsget
 %{_mandir}/man1*/*.pl*
-%{_mandir}/man1*/c_rehash*
 %{_mandir}/man1*/tsget*
-%{_mandir}/man1*/openssl-tsget*
 %dir %{_sysconfdir}/pki/CA
 %dir %{_sysconfdir}/pki/CA/private
 %dir %{_sysconfdir}/pki/CA/certs
@@ -462,6 +402,9 @@ export LD_LIBRARY_PATH
 
 
 %changelog
+* Thu Sep 30 2021 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 3.0.0-1
+- new upstream release.
+
 * Wed Aug 25 2021 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.1.1l-1
 - new upstream release.
 

o/openssl111/openssl111-vl.spec

@@ -0,0 +1,1028 @@
+%bcond_with utils
+%bcond_with perl
+%bcond_with fips
+
+%define build_compat32 %{?_with_compat32:1}%{!?_with_compat32:0}
+%{!?_pkgdocdir:%global _pkgdocdir %{_docdir}}
+# 1.0.0 soversion = 10
+# 1.1.0 soversion = 1.1 (same as upstream although presence of some symbols
+#                        depends on build configuration options)
+%define soversion 1.1
+
+Summary: Secure Sockets Layer Toolkit
+Name: openssl111
+Version: 1.1.1l
+Release: 2%{_dist_release}
+Group: system,security
+Vendor: Project Vine
+Distribution: Vine Linux
+Packager: daisuke, iwamoto
+
+License: BSDish
+URL: https://www.openssl.org/
+# We have to remove certain patented algorithms from the openssl source
+# tarball with the hobble-openssl script which is included below.
+# The original openssl upstream tarball cannot be shipped in the .src.rpm.
+Source: openssl-%{version}-hobbled.tar.xz
+Source1: hobble-openssl
+Source2: Makefile.certificate
+Source6: make-dummy-cert
+Source7: renew-dummy-cert
+Source9: opensslconf-new.h
+Source10: opensslconf-new-warning.h
+Source11: README.FIPS
+Source12: ec_curve.c
+Source13: ectest.c
+
+# Build changes
+Patch1: openssl-1.1.1f-build.patch
+Patch2: openssl-1.1.0-defaults.patch
+Patch3: openssl-1.1.0-no-html.patch
+Patch4: openssl-1.1.1-man-rename.patch
+# Bug fixes
+Patch21: openssl-1.1.0-issuer-hash.patch
+# Functionality changes
+Patch31: openssl-1.1.1-conf-paths.patch
+Patch32: openssl-1.1.1-version-add-engines.patch
+Patch33: openssl-1.1.1-apps-dgst.patch
+Patch36: openssl-1.1.1-no-brainpool.patch
+Patch37: openssl-1.1.1-ec-curves.patch
+Patch38: openssl-1.1.1-no-weak-verify.patch
+Patch40: openssl-1.1.1-disable-ssl3.patch
+Patch41: openssl-1.1.1-system-cipherlist.patch
+Patch42: openssl-1.1.1-fips.patch
+Patch44: openssl-1.1.1-version-override.patch
+Patch45: openssl-1.1.1-weak-ciphers.patch
+Patch46: openssl-1.1.1-seclevel.patch
+Patch48: openssl-1.1.1-fips-post-rand.patch
+Patch49: openssl-1.1.1-evp-kdf.patch
+Patch50: openssl-1.1.1-ssh-kdf.patch
+Patch51: openssl-1.1.1-intel-cet.patch
+Patch60: openssl-1.1.1-krb5-kdf.patch
+Patch61: openssl-1.1.1-edk2-build.patch
+Patch62: openssl-1.1.1-fips-curves.patch
+Patch65: openssl-1.1.1-fips-drbg-selftest.patch
+Patch66: openssl-1.1.1-fips-dh.patch
+Patch67: openssl-1.1.1-kdf-selftest.patch
+Patch69: openssl-1.1.1-alpn-cb.patch
+Patch70: openssl-1.1.1-rewire-fips-drbg.patch
+# Backported fixes including security fixes
+Patch52: openssl-1.1.1-s390x-update.patch
+Patch53: openssl-1.1.1-fips-crng-test.patch
+Patch55: openssl-1.1.1-arm-update.patch
+Patch56: openssl-1.1.1-s390x-ecc.patch
+
+# security fix
+# none
+
+BuildRoot: %{_tmppath}/%{name}-%{version}-root
+BuildRequires: perl, sed
+BuildRequires: zlib-devel, krb5-devel
+BuildRequires: lksctp-tools-devel
+
+Requires: mktemp
+Requires: ca-certificates
+Requires: %{name}-libs = %{version}-%{release}
+Provides: openssl = %{version}-%{release}
+#Obsoletes: openssl < 1.1.1l-2
+Conflicts: openssl >= 3.0.0
+
+%define solibbase %(echo %version | sed 's/[[:alpha:]]//g')
+
+%description
+The OpenSSL certificate management utilities.
+
+
+%package libs
+Summary: OpenSSL shared libraries.
+Group: system,security
+Requires: %{name}-libs = %{version}-%{release}
+Conflicts: openssl < 1.1.1l-2
+
+%description libs
+The OpenSSL shared libraries that provide various cryptographic algorithms
+and protocols.
+
+
+%package devel
+Summary: OpenSSL libraries and development headers.
+Group: programming
+Requires: %{name}-libs = %{version}-%{release}
+Requires: krb5-devel
+
+%description devel
+The static libraries and include files needed to compile apps
+with support for various the cryptographic algorithms and protocols
+supported by OpenSSL.
+
+Patches for many networking apps can be found at:
+ftp://ftp.psy.uq.oz.au/pub/Crypto/SSLapps/
+
+
+%package static
+Summary:  Libraries for static linking of applications which will use OpenSSL
+Group: programming
+Requires: %{name}-devel = %{version}-%{release}
+
+%description static
+OpenSSL is a toolkit for supporting cryptography. The openssl-static
+package contains static libraries needed for static linking of
+applications which support various cryptographic algorithms and
+protocols.
+
+
+%package perl
+Summary: OpenSSL scripts which require Perl.
+Group: security
+Requires: %{name}-libs = %{version}-%{release}
+Requires: perl
+
+%description perl
+Perl scripts provided with OpenSSL for converting certificates and keys
+from other formats to those used by OpenSSL.
+
+
+## to build compat32 for x86_64 architecture support
+%package -n compat32-%{name}
+Summary: Secure Sockets Layer Toolkit
+Group: system
+Requires: %{name}-libs = %{version}-%{release}
+Provides: compat32-openssl = %{version}-%{release}
+Obsoletes: compat32-openssl < 1.1.1l-2
+
+%description -n compat32-%{name}
+The OpenSSL shared libraries that provide various cryptographic algorithms and protocols.
+
+
+%package -n compat32-%{name}-devel
+Summary: OpenSSL libraries and development headers.
+Group: programming
+Requires: compat32-%{name} = %{version}-%{release}
+Requires: compat32-krb5-devel
+Obsoletes: compat32-openssl-devel < 1.1.1l-2
+
+%description -n compat32-%{name}-devel
+The static libraries and include files needed to compile apps
+with support for various the cryptographic algorithms and protocols
+supported by OpenSSL.
+
+
+%debug_package
+
+
+%prep
+%setup -q -n openssl-%{version}
+
+# The hobble_openssl is called here redundantly, just to be sure.
+# The tarball has already the sources removed.
+%{SOURCE1} > /dev/null
+
+cp %{SOURCE12} crypto/ec/
+cp %{SOURCE13} test/
+
+%patch1 -p1 -b .build   %{?_rawbuild}
+%patch2 -p1 -b .defaults
+%patch3 -p1 -b .no-html  %{?_rawbuild}
+%patch4 -p1 -b .man-rename
+
+%patch21 -p1 -b .issuer-hash
+
+%patch31 -p1 -b .conf-paths
+%patch32 -p1 -b .version-add-engines
+%patch33 -p1 -b .dgst
+%patch36 -p1 -b .no-brainpool
+%patch37 -p1 -b .curves
+%patch38 -p1 -b .no-weak-verify
+%patch40 -p1 -b .disable-ssl3
+%patch41 -p1 -b .system-cipherlist
+%if %{with fips}
+%patch42 -p1 -b .fips
+%endif
+%if %{with fips}
+%patch44 -p1 -b .version-override
+%endif
+%patch45 -p1 -b .weak-ciphers
+%if %{with fips}
+%patch46 -p1 -b .seclevel
+%patch49 -p1 -b .evp-kdf
+%patch50 -p1 -b .ssh-kdf
+%patch51 -p1 -b .upstream-sync
+#patch52 -p1 -b .s390x-update
+%endif
+%if %{with fips}
+%patch53 -p1 -b .crng-test
+%endif
+#patch55 -p1 -b .arm-update
+#patch56 -p1 -b .s390x-ecc
+%if %{with fips}
+%patch60 -p1 -b .krb5-kdf
+%patch61 -p1 -b .edk2-build
+%patch62 -p1 -b .fips-curves
+%patch65 -p1 -b .drbg-selftest
+%patch66 -p1 -b .fips-dh
+%patch67 -p1 -b .kdf-selftest
+%endif
+%patch69 -p1 -b .alpn-cb
+%if %{with fips}
+%patch70 -p1 -b .rewire-fips-drbg
+%endif
+
+# security fix
+# none
+
+
+%build 
+# Figure out which flags we want to use.
+# default
+sslarch=%{_os}-%{_target_cpu}
+#
+%ifarch %ix86
+sslarch=linux-elf
+if ! echo %{_target} | grep -q i686 ; then
+   sslflags="no-asm 386"
+fi
+%endif
+%ifarch x86_64
+sslflags=enable-ec_nistp_64_gcc_128
+%endif
+
+# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
+# marked as not requiring an executable stack.
+# Also add -DPURIFY to make using valgrind with openssl easier as we do not
+# want to depend on the uninitialized memory as a source of entropy anyway.
+RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -DPURIFY $RPM_LD_FLAGS"
+
+export HASHBANGPERL=/usr/bin/perl
+
+perl -pi -e 's|/engines-|/%{name}/engines-|' ./Configurations/unix-Makefile.tmpl
+
+# ia64, x86_64, ppc are OK by default
+# Configure the build tree.  Override OpenSSL defaults with known-good defaults
+# usable on all platforms.  The Configure script already knows to use -fPIC and
+# RPM_OPT_FLAGS, so we can skip specifiying them here.
+./Configure \
+	--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
+	--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
+	zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
+	enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \
+	enable-weak-ssl-ciphers \
+	no-mdc2 no-ec2m no-sm2 no-sm4 \
+	shared  ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'
+
+# Do not run this in a production package the FIPS symbols must be patched-in
+#util/mkdef.pl crypto update
+
+make all
+
+%if %{with fips}
+# Overwrite FIPS README
+cp -f %{SOURCE11} .
+%endif
+
+# Clean up the .pc files
+for i in libcrypto.pc libssl.pc openssl.pc ; do
+  sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i
+done
+
+
+%check
+# Verify that what was compiled actually works.
+
+# Hack - either enable SCTP AUTH chunks in kernel or disable sctp for check
+(sysctl net.sctp.addip_enable=1 && sysctl net.sctp.auth_enable=1) || \
+(echo 'Failed to enable SCTP AUTH chunks, disabling SCTP for tests...' &&
+ sed '/"zlib-dynamic" => "default",/a\ \ "sctp" => "default",' configdata.pm > configdata.pm.new && \
+ touch -r configdata.pm configdata.pm.new && \
+ mv -f configdata.pm.new configdata.pm)
+
+# We must revert patch31 before tests otherwise they will fail
+patch -p1 -R < %{PATCH31}
+
+# drop a recipe includes tests for brainpool curves (not supported by openssl-hobbled).
+rm -f test/recipes/80-test_ssl_new.t
+
+LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
+export LD_LIBRARY_PATH
+OPENSSL_ENABLE_MD5_VERIFY=
+export OPENSSL_ENABLE_MD5_VERIFY
+OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
+export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
+make test
+
+# Add generation of HMAC checksum of the final stripped library
+%define __spec_install_post \
+    %{?__debug_package:%{__debug_install_post}} \
+    %{__arch_install_post} \
+    %{__os_install_post} \
+%{nil}
+
+%define __provides_exclude_from %{_libdir}/openssl
+
+
+%install
+[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
+# Install OpenSSL.
+install -d $RPM_BUILD_ROOT{/%{_lib},%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl,%{_pkgdocdir}}
+make DESTDIR=$RPM_BUILD_ROOT install
+mv $RPM_BUILD_ROOT%{_libdir}/lib*.so.%{soversion} $RPM_BUILD_ROOT/%{_lib}/
+rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT/%{_lib}/*.so.%{soversion}
+for lib in $RPM_BUILD_ROOT/%{_lib}/*.so.%{version} ; do
+	chmod 755 ${lib}
+	ln -s -f ../../%{_lib}/`basename ${lib}` $RPM_BUILD_ROOT/%{_libdir}/`basename ${lib} .%{version}`
+	ln -s -f `basename ${lib}` $RPM_BUILD_ROOT/%{_lib}/`basename ${lib} .%{version}`.%{soversion}
+done
+
+# Install a makefile for generating keys and self-signed certs, and a script
+# for generating them on the fly.
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs
+install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_pkgdocdir}/Makefile.certificate
+install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/make-dummy-cert
+install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_bindir}/renew-dummy-cert
+
+# Move runable perl scripts to bindir
+mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/*.pl $RPM_BUILD_ROOT%{_bindir}
+mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/tsget $RPM_BUILD_ROOT%{_bindir}
+
+# Rename man pages so that they don't conflict with other system man pages.
+pushd $RPM_BUILD_ROOT%{_mandir}
+ln -s -f config.5 man5/openssl.cnf.5
+for manpage in man*/* ; do
+	if [ -L ${manpage} ]; then
+		TARGET=`ls -l ${manpage} | awk '{ print $NF }'`
+		ln -snf ${TARGET}ssl ${manpage}ssl
+		rm -f ${manpage}
+	else
+		mv ${manpage} ${manpage}ssl
+	fi
+done
+for conflict in passwd rand ; do
+	rename ${conflict} ssl${conflict} man*/${conflict}*
+# Fix dangling symlinks
+	manpage=man1/openssl-${conflict}.*
+	if [ -L ${manpage} ] ; then
+		ln -snf ssl${conflict}.1ssl ${manpage}
+	fi
+done
+popd
+
+mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA
+mkdir -m700 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/private
+mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/certs
+mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/crl
+mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/newcerts
+
+# Ensure the config file timestamps are identical across builds to avoid
+# mulitlib conflicts and unnecessary renames on upgrade
+touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf
+touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf
+
+rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist
+rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
+
+# Determine which arch opensslconf.h is going to try to #include.
+basearch=%{_arch}
+%ifarch %{ix86}
+basearch=i386
+%endif
+
+# Next step of gradual disablement of SSL3.
+# Make SSL3 disappear to newly built dependencies.
+sed -i '/^\#ifndef OPENSSL_NO_SSL_TRACE/i\
+#ifndef OPENSSL_NO_SSL3\
+# define OPENSSL_NO_SSL3\
+#endif' $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h
+
+%ifarch %{multilib_arches}
+# Do an opensslconf.h switcheroo to avoid file conflicts on systems where you
+# can have both a 32- and 64-bit version of the library, and they each need
+# their own correct-but-different versions of opensslconf.h to be usable.
+install -m644 %{SOURCE10} \
+	$RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf-${basearch}.h
+cat $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h >> \
+	$RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf-${basearch}.h
+install -m644 %{SOURCE9} \
+	$RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h
+%endif
+LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
+export LD_LIBRARY_PATH
+
+%if ! %{with utils}
+rm -f %{buildroot}%{_pkgdocdir}/Makefile.certificate
+rm -rf %{buildroot}%{_sysconfdir}/pki/tls
+rm -f %{buildroot}%{_bindir}/make-dummy-cert
+rm -f %{buildroot}%{_bindir}/renew-dummy-cert
+rm -f %{buildroot}%{_bindir}/openssl
+rm -f %{buildroot}%{_mandir}/man1*/*
+rm -f %{buildroot}%{_mandir}/man5*/*
+rm -f %{buildroot}%{_mandir}/man7*/*
+%endif
+
+%if ! %{with perl}
+rm -f %{buildroot}%{_bindir}/c_rehash
+rm -f %{buildroot}%{_bindir}/*.pl
+rm -f %{buildroot}%{_bindir}/tsget
+rm -rf %{buildroot}%{_sysconfdir}/pki/CA
+%endif
+
+
+%clean
+[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
+
+
+%if %{with utils}
+%files
+%{!?_licensedir:%global license %%doc}
+%license LICENSE
+%doc FAQ NEWS README
+%if %{with fips}
+%doc README.FIPS
+%endif
+%{_pkgdocdir}/Makefile.certificate
+%dir %{_sysconfdir}/pki/tls
+%dir %{_sysconfdir}/pki/tls/certs
+%dir %{_sysconfdir}/pki/tls/misc
+%dir %{_sysconfdir}/pki/tls/private
+%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
+%config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf
+%{_bindir}/make-dummy-cert
+%{_bindir}/renew-dummy-cert
+%{_bindir}/openssl
+%dir %{_mandir}/man1*
+%{_mandir}/man1*/*
+%dir %{_mandir}/man5*
+%{_mandir}/man5*/*
+%dir %{_mandir}/man7*
+%{_mandir}/man7*/*
+%endif
+
+%files libs
+%defattr(-,root,root)
+%{!?_licensedir:%global license %%doc}
+%license LICENSE
+%doc FAQ NEWS README
+%if %{with fips}
+%doc README.FIPS
+%endif
+%attr(0755,root,root) /%{_lib}/*.so.*
+%attr(0755,root,root) %{_libdir}/%{name}/engines-%{soversion}
+
+%files devel
+%defattr(-,root,root)
+%{_prefix}/include/openssl
+%exclude %{_libdir}/lib*.a
+%attr(0755,root,root) %{_libdir}/*.so
+%attr(0644,root,root) %{_libdir}/pkgconfig/*.pc
+%dir %{_mandir}/man3*
+%{_mandir}/man3*/*
+
+%files static
+%defattr(-,root,root)
+%attr(0644,root,root) %{_libdir}/*.a
+
+%if %{with perl}
+%files perl
+%defattr(-,root,root)
+%{_bindir}/c_rehash
+%{_bindir}/*.pl
+%{_bindir}/tsget
+%{_mandir}/man1*/*.pl*
+%{_mandir}/man1*/c_rehash*
+%{_mandir}/man1*/tsget*
+%{_mandir}/man1*/openssl-tsget*
+%dir %{_sysconfdir}/pki/CA
+%dir %{_sysconfdir}/pki/CA/private
+%dir %{_sysconfdir}/pki/CA/certs
+%dir %{_sysconfdir}/pki/CA/crl
+%dir %{_sysconfdir}/pki/CA/newcerts
+%endif
+
+## to build compat32 for x86_64 architecture support
+%if %{build_compat32}
+%files -n compat32-%{name}
+%defattr(-,root,root)
+%attr(0755,root,root) /%{_lib}/*.so.*
+
+%files -n compat32-%{name}-devel
+%defattr(-,root,root)
+%exclude %{_libdir}/lib*.a
+%attr(0755,root,root) %{_libdir}/*.so
+%attr(0644,root,root) %{_libdir}/pkgconfig/*.pc
+%endif
+
+
+%changelog
+* Wed Sep 29 2021 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.1.1l-2
+- changed %%name to "openssl111".
+
+* Wed Aug 25 2021 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.1.1l-1
+- new upstream release.
+
+* Fri Mar 26 2021 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.1.1k-1
+- new upstream release.
+- dropped ldconfig scriptlets.
+
+* Wed Feb 17 2021 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.1.1j-1
+- new upstream release.
+
+* Wed Dec 09 2020 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.1.1i-1
+- new upstream release.
+
+* Sat Nov 21 2020 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.1.1h-1
+- new upstream release.
+- dropped Patch43: fixed in upstream.
+- imported Patch55-70 from rawhide.
+- updated Source13.
+
+* Sat Apr 25 2020 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.1.1g-1
+- new upstream release.
+
+* Wed Apr 08 2020 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.1.1f-1
+- new upstream release.
+- updated Patch1.
+- dropped Patch54: fixed in upstream.
+
+* Wed Mar 18 2020 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.1.1e-1
+- new upstream release.
+- dropped Patch100 and 1000: fixed in upstream.
+
+* Fri Dec 20 2019 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.1.1d-2
+- imported Patch1000 from upstream.
+
+* Fri Sep 13 2019 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.1.1d-1
+- new upstream release.
+- updated Source12 and 13.
+- updated all patches.
+- imported Patch100 from upstream.
+
+* Sat Aug 24 2019 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.1.1c-1
+- new upstream release.
+- updated Patch37 and 41.
+- imported Patch52-54 from rawhide.
+
+* Mon May 06 2019 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.1.1b-2
+- fixed openssl.cnf
+
+* Sun May 05 2019 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.1.1b-1
+- new upstream release.
+- imported Patch36 from rawhide.
+- updated Patch32.
+
+* Sat Dec 08 2018 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.1.1a-1
+- new upstream release.
+- updated Patch2.
+- dropped Patch36 and 46: fixed in upstream.
+
+* Thu Nov 01 2018 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.1.1-2
+- fixed symlinks.
+
+* Thu Nov 01 2018 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.1.1-1
+- new upstream release (newest LTS version).
+- imported fedora stuff (except FIPS).
+
+* Sun Apr  1 2018 IWAI, Masaharu <iwaim.sub@gmail.com> 1.0.2o-1
+- new upstream release with security fixes
+
+* Sun Jan 21 2018 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.2n-1
+- new upstream release with security fixes 
+
+* Wed Nov 15 2017 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.2m-1
+- new upstream release with security fixes 
+
+* Sun Jan 29 2017 IWAI, Masaharu <iwaim.sub@gmail.com> 1.0.2k-1
+- new upstream release with security fixes
+
+* Thu May  5 2016 IWAI, Masaharu <iwaim.sub@gmail.com> 1.0.2h-1
+- new upstream release with security fixes
+
+* Wed Mar  9 2016 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.2g-1
+- new upstream release 1.0.2 with security fixes
+- Patch2 is merged into Patch0
+
+* Mon Dec 28 2015 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.1q-1
+- new upstream release with security fixes 
+
+* Fri Jul 10 2015 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.1p-1
+- new upstream release with security fixes
+
+* Wed Jul  1 2015 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.1o-1
+- new upstream release
+
+* Sun Apr 12 2015 Yoji TOYODA <bsyamato@sea.plala.or.jp> 1.0.1m-1
+- merged into Vine6
+  * Fri Mar 20 2015 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.1m-1
+  - new upstream release with security fixes  
+  - update Patch2,5
+
+* Mon Jan 12 2015 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.1k-1
+- new upstream release with security fixes  
+
+* Mon Oct 20 2014 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.1j-1
+- new upstream release with security fixes 
+- add patch8 from fc21 (fix perl find.pl)
+
+* Fri Jun 6 2014 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.0.1h-1
+- new upstream release with security fixes.
+
+* Tue Apr  8 2014 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.1g-1
+- new upstream release with security fixes 
+
+* Thu Jan  9 2014 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.1f-1
+- new upstream release with security fixes
+
+* Tue Sep 24 2013 Daisuke SUZUKI <daisuke@linux.or.jp> 1.0.1e-2
+- move root CA bundle to ca-certificates package
+
+* Tue Feb 12 2013 Daisuke SUZUKI <daisuke@linux.or.jp> 1.0.1e-1
+- update to 1.0.1e
+  - 1.0.1d has major regressions from 1.0.1c
+
+* Sat Feb  9 2013 IWAI, Masaharu <iwai@alib.jp> 1.0.1d-2
+- remove tsget script to delete dependency perl(WWW::Curl::Easy)
+ - openssl-perl package contains it in docdir
+
+* Fri Feb 08 2013 Toshiharu Kudoh <toshi.kd2@gmail.com> 1.0.1d-1
+- new upstream release with security fix (CVE-2012-2686, CVE-2013-0166, 0169)
+- fixed %%files
+
+* Tue May 29 2012 Daisuke SUZUKI <daisuke@linux.or.jp> 1.0.1c-1
+- update to 1.0.1c
+- enable configure options:
+  enable-camellia enable-seed enable-tlsext enable-rfc3779
+  enable-cms enable-md2
+- remove no-asm option from ai64/x86_64/ppc/ppc64/i686
+- generate a table with the compile settings before configure
+
+* Fri Jan 20 2012 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.0g-1
+- new upstream release with security fix (CVE-2012-0050)
+
+* Fri Jan  6 2012 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.0f-1
+- new upstream release with security fix 
+  (CVE-2011-4108,09, CVE-2011-4576,77, CVE-2011-4619, CVE-2012-0027) 
+
+* Wed Sep  7 2011 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.0e-1
+- new upstream release with security fix (CVE-2011-3207, 3210)
+
+* Sun Mar 20 2011 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.0d-2
+- rebuild with krb5-libs 1.8
+
+* Fri Feb 11 2011 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.0d-1
+- new upstream release with security fix
+
+* Sat Jan 15 2011 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.0c-4
+- use upstream openssl.pc instead of vine original one (SOURCE6)
+
+* Sun Jan  9 2011 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.0c-3
+- move tsget to docs to delete dependency perl(WWW::Curl::Easy)
+
+* Sat Jan  1 2011 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.0c-2
+- add R: krb5-devel into devel pkg
+- add R: compat32-krb5-devel into compat32-devel pkg
+
+* Fri Dec 31 2010 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.0c-1
+- new upstream release 1.0.0x
+- separate static libs into static package
+- change configure options
+- change so version 10
+- add tsget into perl package
+- update all patches
+
+* Thu Dec 30 2010 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 0.9.8q-2
+- fix changelog typo...
+
+* Tue Dec  7 2010 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 0.9.8q-1
+- new upstream release with security fix (CVE-2010-4180) 
+
+* Wed Nov 17 2010 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 0.9.8p-1
+- new upstream release with security fix (CVE-2010-3864)
+- drop patches included in new release
+- update patch4
+
+* Sun Jan 17 2010 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 0.9.8k-5
+- add patch12 for fix CVE-2009-3555 (renegotiation)
+
+* Fri Jan 15 2010 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 0.9.8k-4
+- add patch11 for fix CVE-2009-4355 (memory leak)
+
+* Tue Jun 23 2009 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 0.9.8k-3
+- add patch10 to fix CVE-2009-1377, 78, 79 (from fc11)
+
+* Mon Jun 22 2009 NAKAMURA Kenta <kenta@vinelinux.org> 0.9.8k-2
+- removed unnecessary %%if %{build_compat32} statements
+- removed lib*.a from devel package
+
+* Mon Mar 30 2009 Satosh IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 0.9.8k-1
+- new upstream release with security fix (CVE-2000-0590,0591,0789)
+
+* Sun Jan 11 2009 Satosh IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 0.9.8j-1
+- new upstream release with security fix (CVE-2008-5077)
+
+* Sat Sep 20 2008 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.8i-1
+- new upstream release
+
+* Sat Jul 12 2008 Satosh IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 0.9.8h-1
+- new upstream release
+- new versioning policy
+
+* Sat Oct 27 2007 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.8g-0vl1
+- new upstream release
+- drop patch10,20 which is merged in upstream
+
+* Fri Sep 28 2007 MATSUBAYASHI Kohji <shaolin@vinelinux.org> 0.9.8e-0vl3
+- add security patch in advance for CVE-2007-5135
+  http://www.securityfocus.com/archive/1/archive/1/480855/100/0/threaded
+  http://marc.info/?l=openssl-cvs&m=119020417919619&w=2
+
+* Fri Aug 10 2007 MATSUBAYASHI Kohji <shaolin@vinelinux.org> 0.9.8e-0vl2
+- add security patch for CVE-2007-3108
+  (http://openssl.org/news/patch-CVE-2007-3108.txt)
+
+* Tue May 15 2007 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.8e-0vl1
+- new upstream release
+
+* Sun Dec 24 2006 Satosh IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 0.9.7l-0vl2
+- update (fix) openssl.pc <BTS:437>
+
+* Fri Sep 29 2006 Satosh IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 0.9.7l-0vl1
+- new upstream release (with security fix)
+
+* Mon Sep 11 2006 Satosh IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 0.9.7k-0vl1
+- new upstream release
+- add patch2 to use RPM_OPT macro
+
+* Mon Feb 06 2006 Shu KONNO <owa@bg.wakwak.com> 0.9.7i-0vl3
+- moved macros _lib to /usr/lib/rpm/rpmrc or macros files
+
+* Fri Feb 03 2006 Shu KONNO <owa@bg.wakwak.com> 0.9.7i-0vl2
+- added compat32-* packages for x86_64 architecture support
+- added openssl-0.9.7i.Configure-compat32.patch
+- changed '/lib' to '/%{_lib}'
+
+* Mon Oct 17 2005 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.7i-0vl1
+- new upstream release
+
+* Mon Jan 31 2005 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.7d-0vl4
+- rebuild on VineSeed
+
+* Sun Jan 09 2005 IKEDA Katsumi <ikeda@webmasters.gr.jp> 0.9.7d-0vl3.1
+- added a security patch from Gentoo.
+  - Patch1: openssl-0.9.7c-tempfile.patch
+
+* Sun Mar 28 2004 MATSUBAYASHI Kohji <shaolin@vinelinux.org> 0.9.7d-0vl3
+- sslarch for ppc was missing... added.
+
+* Fri Mar 26 2004 Tomoya TAKA <taka@vinelinux.org> 0.9.7d-0vl2
+- use sslarch=linux-alpha-gcc instead of alpha-gcc
+
+* Mon Mar 22 2004 Satoshi MACHINO <machino@vinelinux.org> 0.9.7d-0vl1
+- new upstream version
+- clean up of spec file
+	-- removed old patches
+
+* Sat Mar 20 2004 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.6m-0vl1
+- new upstream release
+- SECURITY fix.
+  - http://www.openssl.org/news/secadv_20040317.txt
+
+* Wed Oct  1 2003 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.6k-0vl1
+- new upstream release
+- [Security fix]
+  - Vulnerabilities in ASN.1 parsing
+    http://www.openssl.org/news/secadv_20030930.txt
+- see %{_docdir}/%{name}-%{version}/CHANGES for other changes
+
+* Wed Jun 04 2003 HOTTA Michihide <hotta@net-newbie.com> 0.9.6j-0vl2
+- add openssl.pc for pkgconfig
+
+* Tue Mar 11 2003 Satoshi MACHINO <machino@vinelinux.org> 0.9.6j-0vl1
+- New upstream version
+- dropped patch10, 11
+	-- merged upstream version
+
+* Sun Feb 23 2003 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.6i-0vl1
+- rebuild for VineSeed
+
+* Sun Feb 23 2003 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.6i-0vl0.26.1
+- [Security Fix]
+  - Timing-based attacks on RSA keys
+    http://www.openssl.org/news/secadv_20030317.txt
+  - Klima-Pokorny0Rosa attack on RSA in SSL/TLS
+    http://www.openssl.org/news/secadv_20030317.txt
+
+* Sun Feb 23 2003 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.6i-0vl0.26
+- new upstream release 0.9.6i
+- [Security Fix]
+- build for Vine Linux 2.6 errata
+
+* Mon Nov 18 2002 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.6h-0vl1
+- new upstream release 0.9.6h
+
+* Mon Nov 18 2002 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.6g-0vl1
+- new upstream release 0.9.6g
+
+* Mon Oct 28 2002 IWAI Masaharu <iwai@alib.jp> 0.9.6b-1vl6
+- SECURITY: CAN-2002-0659 fixed
+  - added Patch101 from RedHat 7.2 updates 0.9.6b-28
+    * Fri Aug 02 2002 Nalin Dahyabhai <nalin@redhat.com> 0.9.6b-28
+    - update asn patch to fix accidental reversal of a logic check
+    * Thu Aug 01 2002 Nalin Dahyabhai <nalin@redhat.com> 0.9.6b-27
+    - update asn patch to reduce chance that compiler optimization will remove
+      one of the added tests
+    * Thu Aug 01 2002 Nalin Dahyabhai <nalin@redhat.com> 0.9.6b-26
+    - rebuild
+    * Tue Jul 30 2002 Nalin Dahyabhai <nalin@redhat.com> 0.9.6b-25
+    - add patch to fix ASN.1 vulnerabilities
+
+* Wed Jul 31 2002 IWAI Masaharu <iwai@alib.jp> 0.9.6b-1vl5
+- rename spec file name
+- SECURITY: CA-2002-23 fixed
+  - added Patch100 from RedHat 7.2 updates 0.9.6b-24
+    * Thu Jul 25 2002 Nalin Dahyabhai <nalin@redhat.com> 0.9.6b-24
+    - add backport of Ben Laurie's patches for OpenSSL 0.9.6d
+
+* Mon Sep 10 2001 Satoshi MACHINO <machino@vinelinux.org> 0.9.6b-1vl4
+- added ${PATH} in LD_LIBRARY_PATH
+- added install -m 755 *.so.* $RPM_BUILD_ROOT%{_libdir} in %install
+ 
+* Sun Jul 15 2001 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.6b-1vl3
+- remove --no-<cipher>
+
+* Sun Jul 15 2001 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.6b-1vl2
+- add Patch10 for mipsel shared ( Configure )
+
+* Sat Jul 14 2001 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.6b-1vl1
+- build for Vine Linux
+- use openssl-engine-0.9.6b.tar.gz
+
+* Wed Jul 11 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 0.9.6b
+
+* Thu Jul  5 2001 Nalin Dahyabhai <nalin@redhat.com>
+- move .so symlinks back to %%{_libdir}
+
+* Tue Jul  3 2001 Nalin Dahyabhai <nalin@redhat.com>
+- move shared libraries to /lib (#38410)
+
+* Mon Jun 25 2001 Nalin Dahyabhai <nalin@redhat.com>
+- switch to engine code base
+
+* Mon Jun 18 2001 Nalin Dahyabhai <nalin@redhat.com>
+- add a script for creating dummy certificates
+- move man pages from %%{_mandir}/man?/foo.?ssl to %%{_mandir}/man?ssl/foo.?
+
+* Thu Jun 07 2001 Florian La Roche <Florian.LaRoche@redhat.de>
+- add s390x support
+
+* Fri Jun  1 2001 Nalin Dahyabhai <nalin@redhat.com>
+- change two memcpy() calls to memmove()
+- don't define L_ENDIAN on alpha
+
+* Tue May 15 2001 Nalin Dahyabhai <nalin@redhat.com>
+- make subpackages depend on the main package
+
+* Tue May  1 2001 Nalin Dahyabhai <nalin@redhat.com>
+- adjust the hobble script to not disturb symlinks in include/ (fix from
+  Joe Orton)
+
+* Thu Apr 26 2001 Nalin Dahyabhai <nalin@redhat.com>
+- drop the m2crypo patch we weren't using
+
+* Tue Apr 24 2001 Nalin Dahyabhai <nalin@redhat.com>
+- configure using "shared" as well
+
+* Sun Apr  8 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 0.9.6a
+- use the build-shared target to build shared libraries
+- bump the soversion to 2 because we're no longer compatible with
+  our 0.9.5a packages or our 0.9.6 packages
+- drop the patch for making rsatest a no-op when rsa null support is used
+- put all man pages into <section>ssl instead of <section>
+- break the m2crypto modules into a separate package
+
+* Tue Mar 13 2001 Nalin Dahyabhai <nalin@redhat.com>
+- use BN_LLONG on s390
+
+* Mon Mar 12 2001 Nalin Dahyabhai <nalin@redhat.com>
+- fix the s390 changes for 0.9.6 (isn't supposed to be marked as 64-bit)
+
+* Sat Mar  3 2001 Nalin Dahyabhai <nalin@redhat.com>
+- move c_rehash to the perl subpackage, because it's a perl script now
+
+* Fri Mar  2 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 0.9.6
+- enable MD2
+- use the libcrypto.so and libssl.so targets to build shared libs with
+- bump the soversion to 1 because we're no longer compatible with any of
+  the various 0.9.5a packages circulating around, which provide lib*.so.0
+
+* Wed Feb 28 2001 Florian La Roche <Florian.LaRoche@redhat.de>
+- change hobble-openssl for disabling MD2 again
+
+* Tue Feb 27 2001 Nalin Dahyabhai <nalin@redhat.com>
+- re-disable MD2 -- the EVP_MD_CTX structure would grow from 100 to 152
+  bytes or so, causing EVP_DigestInit() to zero out stack variables in
+  apps built against a version of the library without it
+
+* Mon Feb 26 2001 Nalin Dahyabhai <nalin@redhat.com>
+- disable some inline assembly, which on x86 is Pentium-specific
+- re-enable MD2 (see http://www.ietf.org/ietf/IPR/RSA-MD-all)
+
+* Thu Feb 08 2001 Florian La Roche <Florian.LaRoche@redhat.de>
+- fix s390 patch
+
+* Fri Dec 8 2000 Than Ngo <than@redhat.com>
+- added support s390
+
+* Mon Nov 20 2000 Nalin Dahyabhai <nalin@redhat.com>
+- remove -Wa,* and -m* compiler flags from the default Configure file (#20656)
+- add the CA.pl man page to the perl subpackage
+
+* Thu Nov  2 2000 Nalin Dahyabhai <nalin@redhat.com>
+- always build with -mcpu=ev5 on alpha
+
+* Tue Oct 31 2000 Nalin Dahyabhai <nalin@redhat.com>
+- add a symlink from cert.pem to ca-bundle.crt
+
+* Wed Oct 25 2000 Nalin Dahyabhai <nalin@redhat.com>
+- add a ca-bundle file for packages like Samba to reference for CA certificates
+
+* Tue Oct 24 2000 Nalin Dahyabhai <nalin@redhat.com>
+- remove libcrypto's crypt(), which doesn't handle md5crypt (#19295)
+
+* Mon Oct  2 2000 Nalin Dahyabhai <nalin@redhat.com>
+- add unzip as a buildprereq (#17662)
+- update m2crypto to 0.05-snap4
+
+* Tue Sep 26 2000 Bill Nottingham <notting@redhat.com>
+- fix some issues in building when it's not installed
+
+* Wed Sep  6 2000 Nalin Dahyabhai <nalin@redhat.com>
+- make sure the headers we include are the ones we built with (aaaaarrgh!)
+
+* Fri Sep  1 2000 Nalin Dahyabhai <nalin@redhat.com>
+- add Richard Henderson's patch for BN on ia64
+- clean up the changelog
+
+* Tue Aug 29 2000 Nalin Dahyabhai <nalin@redhat.com>
+- fix the building of python modules without openssl-devel already installed
+
+* Wed Aug 23 2000 Nalin Dahyabhai <nalin@redhat.com>
+- byte-compile python extensions without the build-root
+- adjust the makefile to not remove temporary files (like .key files when
+  building .csr files) by marking them as .PRECIOUS
+
+* Sat Aug 19 2000 Nalin Dahyabhai <nalin@redhat.com>
+- break out python extensions into a subpackage
+
+* Mon Jul 17 2000 Nalin Dahyabhai <nalin@redhat.com>
+- tweak the makefile some more
+
+* Tue Jul 11 2000 Nalin Dahyabhai <nalin@redhat.com>
+- disable MD2 support
+
+* Thu Jul  6 2000 Nalin Dahyabhai <nalin@redhat.com>
+- disable MDC2 support
+
+* Sun Jul  2 2000 Nalin Dahyabhai <nalin@redhat.com>
+- tweak the disabling of RC5, IDEA support
+- tweak the makefile
+
+* Thu Jun 29 2000 Nalin Dahyabhai <nalin@redhat.com>
+- strip binaries and libraries
+- rework certificate makefile to have the right parts for Apache
+
+* Wed Jun 28 2000 Nalin Dahyabhai <nalin@redhat.com>
+- use %%{_perl} instead of /usr/bin/perl
+- disable alpha until it passes its own test suite
+
+* Fri Jun  9 2000 Nalin Dahyabhai <nalin@redhat.com>
+- move the passwd.1 man page out of the passwd package's way
+
+* Fri Jun  2 2000 Nalin Dahyabhai <nalin@redhat.com>
+- update to 0.9.5a, modified for U.S.
+- add perl as a build-time requirement
+- move certificate makefile to another package
+- disable RC5, IDEA, RSA support
+- remove optimizations for now
+
+* Wed Mar  1 2000 Florian La Roche <Florian.LaRoche@redhat.de>
+- Bero told me to move the Makefile into this package
+
+* Wed Mar  1 2000 Florian La Roche <Florian.LaRoche@redhat.de>
+- add lib*.so symlinks to link dynamically against shared libs
+
+* Tue Feb 29 2000 Florian La Roche <Florian.LaRoche@redhat.de>
+- update to 0.9.5
+- run ldconfig directly in post/postun
+- add FAQ
+
+* Sat Dec 18 1999 Bernhard Rosenkrdnzer <bero@redhat.de>
+- Fix build on non-x86 platforms
+
+* Fri Nov 12 1999 Bernhard Rosenkrdnzer <bero@redhat.de>
+- move /usr/share/ssl/* from -devel to main package
+
+* Tue Oct 26 1999 Bernhard Rosenkrdnzer <bero@redhat.de>
+- inital packaging
+- changes from base:
+  - Move /usr/local/ssl to /usr/share/ssl for FHS compliance
+  - handle RPM_OPT_FLAGS