%bcond_with fips %define build_compat32 %{?_with_compat32:1}%{!?_with_compat32:0} %{!?_pkgdocdir:%global _pkgdocdir %{_docdir}} # 1.0.0 soversion = 10 # 1.1.0 soversion = 1.1 (same as upstream although presence of some symbols # depends on build configuration options) %define soversion 3 %define srpmhash() %{lua: local files = rpm.expand("%_specdir/openssl.spec") for i, p in ipairs(patches) do files = files.." "..p end for i, p in ipairs(sources) do files = files.." "..p end local sha256sum = assert(io.popen("cat "..files.." 2>/dev/null | sha256sum")) local hash = sha256sum:read("*a") sha256sum:close() print(string.sub(hash, 0, 16)) } Summary: Secure Sockets Layer Toolkit Name: openssl Version: 3.1.6 Release: 1%{_dist_release} Group: system,security Vendor: Project Vine Distribution: Vine Linux Packager: daisuke, iwamoto License: BSDish URL: https://www.openssl.org/ Source: https://www.openssl.org/source/openssl-%{version}.tar.gz Source2: Makefile.certificate Source6: make-dummy-cert Source7: renew-dummy-cert Source9: configuration-switch.h Source10: configuration-prefix.h Source14: for-tests.patch # Patches exported from source git # # Aarch64 and ppc64le use lib64 Patch1: 0001-Aarch64-and-ppc64le-use-lib64.patch # # Use more general default values in openssl.cnf Patch2: 0002-Use-more-general-default-values-in-openssl.cnf.patch # # Do not install html docs Patch3: 0003-Do-not-install-html-docs.patch # # Override default paths for the CA directory tree Patch4: 0004-Override-default-paths-for-the-CA-directory-tree.patch # # apps/ca: fix md option help text Patch5: 0005-apps-ca-fix-md-option-help-text.patch # # Disable signature verification with totally unsafe hash algorithms Patch6: 0006-Disable-signature-verification-with-totally-unsafe-h.patch # # Add support for PROFILE=SYSTEM system default cipherlist Patch7: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch #Patch7: 0007-ossl_safe_getenv.patch # # Add FIPS_mode() compatibility macro Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch # # Add check to see if fips flag is enabled in kernel Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch # # Instead of replacing ectest.c and ec_curve.c, add the changes as a patch so # # that new modifications made to these files by upstream are not lost. Patch10: 0010-Add-changes-to-ectest-and-eccurve.patch # # remove unsupported EC curves Patch11: 0011-Remove-EC-curves.patch # # Disable explicit EC curves # # https://bugzilla.redhat.com/show_bug.cgi?id=2066412 Patch12: 0012-Disable-explicit-ec.patch # # Skipped tests from former 0011-Remove-EC-curves.patch Patch13: 0013-skipped-tests-EC-curves.patch # # Instructions to load legacy provider in openssl.cnf #Patch24: 0024-load-legacy-prov.patch # # We load FIPS provider and set FIPS properties implicitly Patch32: 0032-Force-fips.patch # # Embed HMAC into the fips.so Patch33: 0033-FIPS-embed-hmac.patch # # Comment out fipsinstall command-line utility Patch34: 0034.fipsinstall_disable.patch # # Skip unavailable algorithms running `openssl speed` Patch35: 0035-speed-skip-unavailable-dgst.patch # # Extra public/private key checks required by FIPS-140-3 Patch44: 0044-FIPS-140-3-keychecks.patch # # Minimize fips services Patch45: 0045-FIPS-services-minimize.patch # # Execute KATS before HMAC verification Patch47: 0047-FIPS-early-KATS.patch # # Selectively disallow SHA1 signatures rhbz#2070977 Patch49: 0049-Allow-disabling-of-SHA1-signatures.patch # # Support SHA1 in TLS in LEGACY crypto-policy (which is SECLEVEL=1) Patch52: 0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch # # https://github.com/openssl/openssl/pull/18103 # # The patch is incorporated in 3.0.3 but we provide this function since 3.0.1 # # so the patch should persist Patch56: 0056-strcasecmp.patch # # https://bugzilla.redhat.com/show_bug.cgi?id=2053289 Patch58: 0058-FIPS-limit-rsa-encrypt.patch # # https://bugzilla.redhat.com/show_bug.cgi?id=2087147 Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch # 0062-fips-Expose-a-FIPS-indicator.patch Patch62: 0062-fips-Expose-a-FIPS-indicator.patch # # https://bugzilla.redhat.com/show_bug.cgi?id=2102535 Patch73: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch # [PATCH 29/46] # 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch Patch74: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch # # https://bugzilla.redhat.com/show_bug.cgi?id=2102535 Patch75: 0075-FIPS-Use-FFDHE2048-in-self-test.patch # # Downstream only. Reseed DRBG using getrandom(GRND_RANDOM) # # https://bugzilla.redhat.com/show_bug.cgi?id=2102541 Patch76: 0076-FIPS-140-3-DRBG.patch # # https://bugzilla.redhat.com/show_bug.cgi?id=2102542 Patch77: 0077-FIPS-140-3-zeroization.patch # # https://bugzilla.redhat.com/show_bug.cgi?id=2114772 Patch78: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch # # https://github.com/openssl/openssl/pull/13817 Patch79: 0079-RSA-PKCS15-implicit-rejection.patch # # We believe that some changes present in CentOS are not necessary # # because ustream has a check for FIPS version Patch80: 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch # [PATCH 36/46] # 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch Patch81: 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch # [PATCH 37/46] # 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch Patch83: 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch # [PATCH 38/46] # 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch Patch84: 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch # 0085-FIPS-RSA-disable-shake.patch Patch85: 0085-FIPS-RSA-disable-shake.patch # 0088-signature-Add-indicator-for-PSS-salt-length.patch Patch88: 0088-signature-Add-indicator-for-PSS-salt-length.patch # 0091-FIPS-RSA-encapsulate.patch Patch91: 0091-FIPS-RSA-encapsulate.patch # [PATCH 42/46] # 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch Patch93: 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch # [PATCH 43/46] # 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch Patch110: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch # [PATCH 44/46] # 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch Patch112: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch # 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch Patch113: 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch # # We believe that some changes present in CentOS are not necessary # # because ustream has a check for FIPS version Patch114: 0114-FIPS-enforce-EMS-support.patch # security fix # none BuildRoot: %{_tmppath}/%{name}-%{version}-root BuildRequires: perl, sed BuildRequires: pkgconfig(zlib), krb5-devel BuildRequires: lksctp-tools-devel Requires: mktemp Requires: ca-certificates Requires: %{name}-libs = %{version}-%{release} Obsoletes: openssl111 < 3.0.0 %define solibbase %(echo %version | sed 's/[[:alpha:]]//g') %description The OpenSSL certificate management tool and the shared libraries that provide various cryptographic algorithms and protocols. %package libs Summary: A general purpose cryptography library with TLS implementation Group: system %description libs OpenSSL is a toolkit for supporting cryptography. The openssl-libs package contains the libraries that are used by various applications which support cryptographic algorithms and protocols. %package devel Summary: OpenSSL libraries and development headers. Group: programming Requires: %{name}-libs = %{version}-%{release} Requires: krb5-devel Conflicts: openssl111-devel < 3.0.0 %description devel The static libraries and include files needed to compile apps with support for various the cryptographic algorithms and protocols supported by OpenSSL. Patches for many networking apps can be found at: ftp://ftp.psy.uq.oz.au/pub/Crypto/SSLapps/ %package static Summary: Libraries for static linking of applications which will use OpenSSL Group: programming Requires: %{name}-devel = %{version}-%{release} Conflicts: openssl111-static < 3.0.0 %description static OpenSSL is a toolkit for supporting cryptography. The openssl-static package contains static libraries needed for static linking of applications which support various cryptographic algorithms and protocols. %package perl Summary: OpenSSL scripts which require Perl. Group: security Requires: %{name}-libs = %{version}-%{release} Obsoletes: openssl111-perl < 3.0.0 Requires: perl %description perl Perl scripts provided with OpenSSL for converting certificates and keys from other formats to those used by OpenSSL. ## to build compat32 for x86_64 architecture support %package -n compat32-%{name} Summary: Secure Sockets Layer Toolkit Group: system Requires: %{name} = %{version}-%{release} %description -n compat32-%{name} The OpenSSL certificate management tool and the shared libraries that provide various cryptographic algorithms and protocols. %package -n compat32-%{name}-devel Summary: OpenSSL libraries and development headers. Group: programming Requires: compat32-%{name} = %{version}-%{release} Requires: compat32-krb5-devel Conflicts: compat32-openssl111-devel < 3.0.0 %description -n compat32-%{name}-devel The static libraries and include files needed to compile apps with support for various the cryptographic algorithms and protocols supported by OpenSSL. %debug_package %prep %autosetup -n %{name}-%{version} -p1 %build # Figure out which flags we want to use. # default sslarch=%{_os}-%{_target_cpu} # %ifarch %ix86 sslarch=linux-elf if ! echo %{_target} | grep -q i686 ; then sslflags="no-asm 386" fi %endif %ifarch x86_64 sslflags=enable-ec_nistp_64_gcc_128 %endif # Add -Wa,--noexecstack here so that libcrypto's assembler modules will be # marked as not requiring an executable stack. # Also add -DPURIFY to make using valgrind with openssl easier as we do not # want to depend on the uninitialized memory as a source of entropy anyway. RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS" export HASHBANGPERL=/usr/bin/perl %define fips %{version}-%{srpmhash} # ia64, x86_64, ppc are OK by default # Configure the build tree. Override OpenSSL defaults with known-good defaults # usable on all platforms. The Configure script already knows to use -fPIC and # RPM_OPT_FLAGS, so we can skip specifiying them here. ./Configure \ --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \ --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \ zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \ enable-cms enable-md2 enable-rc5 enable-ktls enable-fips \ no-mdc2 no-ec2m no-sm2 no-sm4 enable-buildtest-c++ \ shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""' \ -Wl,--allow-multiple-definition # Do not run this in a production package the FIPS symbols must be patched-in #util/mkdef.pl crypto update make -s %{?_smp_mflags} all # Clean up the .pc files for i in libcrypto.pc libssl.pc openssl.pc ; do sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i done %check # Verify that what was compiled actually works. # Hack - either enable SCTP AUTH chunks in kernel or disable sctp for check (sysctl net.sctp.addip_enable=1 && sysctl net.sctp.auth_enable=1) || \ (echo 'Failed to enable SCTP AUTH chunks, disabling SCTP for tests...' && sed '/"msan" => "default",/a\ \ "sctp" => "default",' configdata.pm > configdata.pm.new && \ touch -r configdata.pm configdata.pm.new && \ mv -f configdata.pm.new configdata.pm) # We must revert patch4 before tests otherwise they will fail patch -p1 -R < %{PATCH4} #We must disable default provider before tests otherwise they will fail patch -p1 < %{SOURCE14} LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}} export LD_LIBRARY_PATH OPENSSL_ENABLE_MD5_VERIFY= export OPENSSL_ENABLE_MD5_VERIFY OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file export OPENSSL_SYSTEM_CIPHERS_OVERRIDE #embed HMAC into fips provider for test run OPENSSL_CONF=/dev/null LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac mv providers/fips.so.mac providers/fips.so #run tests itself make test HARNESS_JOBS=8 # Add generation of HMAC checksum of the final stripped library # We manually copy standard definition of __spec_install_post # and add hmac calculation/embedding to fips.so %define __spec_install_post \ %{?__debug_package:%{__debug_install_post}} \ %{__arch_install_post} \ %{__os_install_post} \ OPENSSL_CONF=/dev/null LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so > $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \ objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac \ mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \ rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \ %{nil} %define __provides_exclude_from %{_libdir}/openssl %install [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT # Install OpenSSL. install -d $RPM_BUILD_ROOT{/%{_lib},%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl,%{_pkgdocdir}} make DESTDIR=$RPM_BUILD_ROOT install mv $RPM_BUILD_ROOT%{_libdir}/lib*.so.%{soversion} $RPM_BUILD_ROOT/%{_lib}/ rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT/%{_lib}/*.so.%{soversion} for lib in $RPM_BUILD_ROOT/%{_lib}/*.so.%{version} ; do chmod 755 ${lib} ln -s -f ../../%{_lib}/`basename ${lib}` $RPM_BUILD_ROOT/%{_libdir}/`basename ${lib} .%{version}` ln -s -f `basename ${lib}` $RPM_BUILD_ROOT/%{_lib}/`basename ${lib} .%{version}`.%{soversion} done # Install a makefile for generating keys and self-signed certs, and a script # for generating them on the fly. mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_pkgdocdir}/Makefile.certificate install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/make-dummy-cert install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_bindir}/renew-dummy-cert # Move runable perl scripts to bindir mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/*.pl $RPM_BUILD_ROOT%{_bindir} mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/tsget $RPM_BUILD_ROOT%{_bindir} # Rename man pages so that they don't conflict with other system man pages. pushd $RPM_BUILD_ROOT%{_mandir} mv man5/config.5ossl man5/openssl.cnf.5 popd mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA mkdir -m700 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/private mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/certs mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/crl mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/newcerts # Ensure the config file timestamps are identical across builds to avoid # mulitlib conflicts and unnecessary renames on upgrade touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist %ifarch i686 rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/fipsmodule.cnf %endif # Determine which arch opensslconf.h is going to try to #include. basearch=%{_arch} %ifarch %{ix86} basearch=i386 %endif # Next step of gradual disablement of SSL3. # Make SSL3 disappear to newly built dependencies. sed -i '/^\#ifndef OPENSSL_NO_SSL_TRACE/i\ #ifndef OPENSSL_NO_SSL3\ # define OPENSSL_NO_SSL3\ #endif' $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h %ifarch %{multilib_arches} # Do an opensslconf.h switcheroo to avoid file conflicts on systems where you # can have both a 32- and 64-bit version of the library, and they each need # their own correct-but-different versions of opensslconf.h to be usable. install -m644 %{SOURCE10} \ $RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration-${basearch}.h cat $RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration.h >> \ $RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration-${basearch}.h install -m644 %{SOURCE9} \ $RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration.h %endif %clean [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root) %{!?_licensedir:%global license %%doc} %license LICENSE.txt %doc NEWS.md README.md %{_pkgdocdir}/Makefile.certificate %{_bindir}/make-dummy-cert %{_bindir}/renew-dummy-cert %{_bindir}/openssl %dir %{_mandir}/man1* %{_mandir}/man1*/* %dir %{_mandir}/man5* %{_mandir}/man5*/* %dir %{_mandir}/man7* %{_mandir}/man7*/* %exclude %{_mandir}/man1/*.pl* %exclude %{_mandir}/man1/tsget* %files libs %{!?_licensedir:%global license %%doc} %license LICENSE.txt %dir %{_sysconfdir}/pki/tls %dir %{_sysconfdir}/pki/tls/certs %dir %{_sysconfdir}/pki/tls/misc %dir %{_sysconfdir}/pki/tls/private %config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf %config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf %attr(0755,root,root) /%{_lib}/libcrypto.so.%{version} /%{_lib}/libcrypto.so.%{soversion} %attr(0755,root,root) /%{_lib}/libssl.so.%{version} /%{_lib}/libssl.so.%{soversion} %attr(0755,root,root) %{_libdir}/engines-%{soversion} %attr(0755,root,root) %{_libdir}/ossl-modules %ifnarch i686 %config(noreplace) %{_sysconfdir}/pki/tls/fipsmodule.cnf %endif %files devel %doc CHANGES.md doc/dir-locals.example.el doc/openssl-c-indent.el %{_prefix}/include/openssl %exclude %{_libdir}/lib*.a %{_libdir}/*.so %attr(0644,root,root) %{_libdir}/pkgconfig/*.pc %dir %{_mandir}/man3* %{_mandir}/man3*/* %files static %defattr(-,root,root) %attr(0644,root,root) %{_libdir}/*.a %files perl %defattr(-,root,root) %{_bindir}/c_rehash %{_bindir}/*.pl %{_bindir}/tsget %{_mandir}/man1*/*.pl* %{_mandir}/man1*/tsget* %dir %{_sysconfdir}/pki/CA %dir %{_sysconfdir}/pki/CA/private %dir %{_sysconfdir}/pki/CA/certs %dir %{_sysconfdir}/pki/CA/crl %dir %{_sysconfdir}/pki/CA/newcerts ## to build compat32 for x86_64 architecture support %if %{build_compat32} %files -n compat32-%{name} %defattr(-,root,root) %attr(0755,root,root) /%{_lib}/*.so.* %files -n compat32-%{name}-devel %defattr(-,root,root) %exclude %{_libdir}/lib*.a %attr(0755,root,root) %{_libdir}/*.so %attr(0644,root,root) %{_libdir}/pkgconfig/*.pc %endif %changelog * Mon Jun 10 2024 Tomohiro "Tomo-p" KATO 3.1.6-1 - new upstream release. * Wed Jan 31 2024 Tomohiro "Tomo-p" KATO 3.1.5-1 - new upstream release. * Wed Oct 25 2023 Tomohiro "Tomo-p" KATO 3.1.4-1 - new upstream release. * Wed Sep 20 2023 Tomohiro "Tomo-p" KATO 3.1.3-1 - new upstream release. * Wed Aug 02 2023 Tomohiro "Tomo-p" KATO 3.0.10-1 - new upstream release. * Tue Jul 11 2023 Tomohiro "Tomo-p" KATO 3.0.9-1 - new upstream release. * Wed Feb 08 2023 Tomohiro "Tomo-p" KATO 3.0.8-1 - new upstream release. * Wed Nov 02 2022 Tomohiro "Tomo-p" KATO 3.0.7-1 - new upstream release. * Wed Oct 12 2022 Tomohiro "Tomo-p" KATO 3.0.6-1 - new upstream release. * Wed Jul 06 2022 Tomohiro "Tomo-p" KATO 3.0.5-1 - new upstream release. * Wed Jun 22 2022 Tomohiro "Tomo-p" KATO 3.0.4-1 - new upstream release. * Wed Mar 16 2022 Tomohiro "Tomo-p" KATO 3.0.2-1 - new upstream release. * Wed Dec 15 2021 Tomohiro "Tomo-p" KATO 3.0.1-1 - new upstream release. * Thu Sep 30 2021 Tomohiro "Tomo-p" KATO 3.0.0-1 - new upstream release. * Wed Aug 25 2021 Tomohiro "Tomo-p" KATO 1.1.1l-1 - new upstream release. * Fri Mar 26 2021 Tomohiro "Tomo-p" KATO 1.1.1k-1 - new upstream release. - dropped ldconfig scriptlets. * Wed Feb 17 2021 Tomohiro "Tomo-p" KATO 1.1.1j-1 - new upstream release. * Wed Dec 09 2020 Tomohiro "Tomo-p" KATO 1.1.1i-1 - new upstream release. * Sat Nov 21 2020 Tomohiro "Tomo-p" KATO 1.1.1h-1 - new upstream release. - dropped Patch43: fixed in upstream. - imported Patch55-70 from rawhide. - updated Source13. * Sat Apr 25 2020 Tomohiro "Tomo-p" KATO 1.1.1g-1 - new upstream release. * Wed Apr 08 2020 Tomohiro "Tomo-p" KATO 1.1.1f-1 - new upstream release. - updated Patch1. - dropped Patch54: fixed in upstream. * Wed Mar 18 2020 Tomohiro "Tomo-p" KATO 1.1.1e-1 - new upstream release. - dropped Patch100 and 1000: fixed in upstream. * Fri Dec 20 2019 Tomohiro "Tomo-p" KATO 1.1.1d-2 - imported Patch1000 from upstream. * Fri Sep 13 2019 Tomohiro "Tomo-p" KATO 1.1.1d-1 - new upstream release. - updated Source12 and 13. - updated all patches. - imported Patch100 from upstream. * Sat Aug 24 2019 Tomohiro "Tomo-p" KATO 1.1.1c-1 - new upstream release. - updated Patch37 and 41. - imported Patch52-54 from rawhide. * Mon May 06 2019 Tomohiro "Tomo-p" KATO 1.1.1b-2 - fixed openssl.cnf * Sun May 05 2019 Tomohiro "Tomo-p" KATO 1.1.1b-1 - new upstream release. - imported Patch36 from rawhide. - updated Patch32. * Sat Dec 08 2018 Tomohiro "Tomo-p" KATO 1.1.1a-1 - new upstream release. - updated Patch2. - dropped Patch36 and 46: fixed in upstream. * Thu Nov 01 2018 Tomohiro "Tomo-p" KATO 1.1.1-2 - fixed symlinks. * Thu Nov 01 2018 Tomohiro "Tomo-p" KATO 1.1.1-1 - new upstream release (newest LTS version). - imported fedora stuff (except FIPS). * Sun Apr 1 2018 IWAI, Masaharu 1.0.2o-1 - new upstream release with security fixes * Sun Jan 21 2018 Satoshi IWAMOTO 1.0.2n-1 - new upstream release with security fixes * Wed Nov 15 2017 Satoshi IWAMOTO 1.0.2m-1 - new upstream release with security fixes * Sun Jan 29 2017 IWAI, Masaharu 1.0.2k-1 - new upstream release with security fixes * Thu May 5 2016 IWAI, Masaharu 1.0.2h-1 - new upstream release with security fixes * Wed Mar 9 2016 Satoshi IWAMOTO 1.0.2g-1 - new upstream release 1.0.2 with security fixes - Patch2 is merged into Patch0 * Mon Dec 28 2015 Satoshi IWAMOTO 1.0.1q-1 - new upstream release with security fixes * Fri Jul 10 2015 Satoshi IWAMOTO 1.0.1p-1 - new upstream release with security fixes * Wed Jul 1 2015 Satoshi IWAMOTO 1.0.1o-1 - new upstream release * Sun Apr 12 2015 Yoji TOYODA 1.0.1m-1 - merged into Vine6 * Fri Mar 20 2015 Satoshi IWAMOTO 1.0.1m-1 - new upstream release with security fixes - update Patch2,5 * Mon Jan 12 2015 Satoshi IWAMOTO 1.0.1k-1 - new upstream release with security fixes * Mon Oct 20 2014 Satoshi IWAMOTO 1.0.1j-1 - new upstream release with security fixes - add patch8 from fc21 (fix perl find.pl) * Fri Jun 6 2014 Tomohiro "Tomo-p" KATO 1.0.1h-1 - new upstream release with security fixes. * Tue Apr 8 2014 Satoshi IWAMOTO 1.0.1g-1 - new upstream release with security fixes * Thu Jan 9 2014 Satoshi IWAMOTO 1.0.1f-1 - new upstream release with security fixes * Tue Sep 24 2013 Daisuke SUZUKI 1.0.1e-2 - move root CA bundle to ca-certificates package * Tue Feb 12 2013 Daisuke SUZUKI 1.0.1e-1 - update to 1.0.1e - 1.0.1d has major regressions from 1.0.1c * Sat Feb 9 2013 IWAI, Masaharu 1.0.1d-2 - remove tsget script to delete dependency perl(WWW::Curl::Easy) - openssl-perl package contains it in docdir * Fri Feb 08 2013 Toshiharu Kudoh 1.0.1d-1 - new upstream release with security fix (CVE-2012-2686, CVE-2013-0166, 0169) - fixed %%files * Tue May 29 2012 Daisuke SUZUKI 1.0.1c-1 - update to 1.0.1c - enable configure options: enable-camellia enable-seed enable-tlsext enable-rfc3779 enable-cms enable-md2 - remove no-asm option from ai64/x86_64/ppc/ppc64/i686 - generate a table with the compile settings before configure * Fri Jan 20 2012 Satoshi IWAMOTO 1.0.0g-1 - new upstream release with security fix (CVE-2012-0050) * Fri Jan 6 2012 Satoshi IWAMOTO 1.0.0f-1 - new upstream release with security fix (CVE-2011-4108,09, CVE-2011-4576,77, CVE-2011-4619, CVE-2012-0027) * Wed Sep 7 2011 Satoshi IWAMOTO 1.0.0e-1 - new upstream release with security fix (CVE-2011-3207, 3210) * Sun Mar 20 2011 Satoshi IWAMOTO 1.0.0d-2 - rebuild with krb5-libs 1.8 * Fri Feb 11 2011 Satoshi IWAMOTO 1.0.0d-1 - new upstream release with security fix * Sat Jan 15 2011 Satoshi IWAMOTO 1.0.0c-4 - use upstream openssl.pc instead of vine original one (SOURCE6) * Sun Jan 9 2011 Satoshi IWAMOTO 1.0.0c-3 - move tsget to docs to delete dependency perl(WWW::Curl::Easy) * Sat Jan 1 2011 Satoshi IWAMOTO 1.0.0c-2 - add R: krb5-devel into devel pkg - add R: compat32-krb5-devel into compat32-devel pkg * Fri Dec 31 2010 Satoshi IWAMOTO 1.0.0c-1 - new upstream release 1.0.0x - separate static libs into static package - change configure options - change so version 10 - add tsget into perl package - update all patches * Thu Dec 30 2010 Satoshi IWAMOTO 0.9.8q-2 - fix changelog typo... * Tue Dec 7 2010 Satoshi IWAMOTO 0.9.8q-1 - new upstream release with security fix (CVE-2010-4180) * Wed Nov 17 2010 Satoshi IWAMOTO 0.9.8p-1 - new upstream release with security fix (CVE-2010-3864) - drop patches included in new release - update patch4 * Sun Jan 17 2010 Satoshi IWAMOTO 0.9.8k-5 - add patch12 for fix CVE-2009-3555 (renegotiation) * Fri Jan 15 2010 Satoshi IWAMOTO 0.9.8k-4 - add patch11 for fix CVE-2009-4355 (memory leak) * Tue Jun 23 2009 Satoshi IWAMOTO 0.9.8k-3 - add patch10 to fix CVE-2009-1377, 78, 79 (from fc11) * Mon Jun 22 2009 NAKAMURA Kenta 0.9.8k-2 - removed unnecessary %%if %{build_compat32} statements - removed lib*.a from devel package * Mon Mar 30 2009 Satosh IWAMOTO 0.9.8k-1 - new upstream release with security fix (CVE-2000-0590,0591,0789) * Sun Jan 11 2009 Satosh IWAMOTO 0.9.8j-1 - new upstream release with security fix (CVE-2008-5077) * Sat Sep 20 2008 Daisuke SUZUKI 0.9.8i-1 - new upstream release * Sat Jul 12 2008 Satosh IWAMOTO 0.9.8h-1 - new upstream release - new versioning policy * Sat Oct 27 2007 Daisuke SUZUKI 0.9.8g-0vl1 - new upstream release - drop patch10,20 which is merged in upstream * Fri Sep 28 2007 MATSUBAYASHI Kohji 0.9.8e-0vl3 - add security patch in advance for CVE-2007-5135 http://www.securityfocus.com/archive/1/archive/1/480855/100/0/threaded http://marc.info/?l=openssl-cvs&m=119020417919619&w=2 * Fri Aug 10 2007 MATSUBAYASHI Kohji 0.9.8e-0vl2 - add security patch for CVE-2007-3108 (http://openssl.org/news/patch-CVE-2007-3108.txt) * Tue May 15 2007 Daisuke SUZUKI 0.9.8e-0vl1 - new upstream release * Sun Dec 24 2006 Satosh IWAMOTO 0.9.7l-0vl2 - update (fix) openssl.pc * Fri Sep 29 2006 Satosh IWAMOTO 0.9.7l-0vl1 - new upstream release (with security fix) * Mon Sep 11 2006 Satosh IWAMOTO 0.9.7k-0vl1 - new upstream release - add patch2 to use RPM_OPT macro * Mon Feb 06 2006 Shu KONNO 0.9.7i-0vl3 - moved macros _lib to /usr/lib/rpm/rpmrc or macros files * Fri Feb 03 2006 Shu KONNO 0.9.7i-0vl2 - added compat32-* packages for x86_64 architecture support - added openssl-0.9.7i.Configure-compat32.patch - changed '/lib' to '/%{_lib}' * Mon Oct 17 2005 Daisuke SUZUKI 0.9.7i-0vl1 - new upstream release * Mon Jan 31 2005 Daisuke SUZUKI 0.9.7d-0vl4 - rebuild on VineSeed * Sun Jan 09 2005 IKEDA Katsumi 0.9.7d-0vl3.1 - added a security patch from Gentoo. - Patch1: openssl-0.9.7c-tempfile.patch * Sun Mar 28 2004 MATSUBAYASHI Kohji 0.9.7d-0vl3 - sslarch for ppc was missing... added. * Fri Mar 26 2004 Tomoya TAKA 0.9.7d-0vl2 - use sslarch=linux-alpha-gcc instead of alpha-gcc * Mon Mar 22 2004 Satoshi MACHINO 0.9.7d-0vl1 - new upstream version - clean up of spec file -- removed old patches * Sat Mar 20 2004 Daisuke SUZUKI 0.9.6m-0vl1 - new upstream release - SECURITY fix. - http://www.openssl.org/news/secadv_20040317.txt * Wed Oct 1 2003 Daisuke SUZUKI 0.9.6k-0vl1 - new upstream release - [Security fix] - Vulnerabilities in ASN.1 parsing http://www.openssl.org/news/secadv_20030930.txt - see %{_docdir}/%{name}-%{version}/CHANGES for other changes * Wed Jun 04 2003 HOTTA Michihide 0.9.6j-0vl2 - add openssl.pc for pkgconfig * Tue Mar 11 2003 Satoshi MACHINO 0.9.6j-0vl1 - New upstream version - dropped patch10, 11 -- merged upstream version * Sun Feb 23 2003 Daisuke SUZUKI 0.9.6i-0vl1 - rebuild for VineSeed * Sun Feb 23 2003 Daisuke SUZUKI 0.9.6i-0vl0.26.1 - [Security Fix] - Timing-based attacks on RSA keys http://www.openssl.org/news/secadv_20030317.txt - Klima-Pokorny0Rosa attack on RSA in SSL/TLS http://www.openssl.org/news/secadv_20030317.txt * Sun Feb 23 2003 Daisuke SUZUKI 0.9.6i-0vl0.26 - new upstream release 0.9.6i - [Security Fix] - build for Vine Linux 2.6 errata * Mon Nov 18 2002 Daisuke SUZUKI 0.9.6h-0vl1 - new upstream release 0.9.6h * Mon Nov 18 2002 Daisuke SUZUKI 0.9.6g-0vl1 - new upstream release 0.9.6g * Mon Oct 28 2002 IWAI Masaharu 0.9.6b-1vl6 - SECURITY: CAN-2002-0659 fixed - added Patch101 from RedHat 7.2 updates 0.9.6b-28 * Fri Aug 02 2002 Nalin Dahyabhai 0.9.6b-28 - update asn patch to fix accidental reversal of a logic check * Thu Aug 01 2002 Nalin Dahyabhai 0.9.6b-27 - update asn patch to reduce chance that compiler optimization will remove one of the added tests * Thu Aug 01 2002 Nalin Dahyabhai 0.9.6b-26 - rebuild * Tue Jul 30 2002 Nalin Dahyabhai 0.9.6b-25 - add patch to fix ASN.1 vulnerabilities * Wed Jul 31 2002 IWAI Masaharu 0.9.6b-1vl5 - rename spec file name - SECURITY: CA-2002-23 fixed - added Patch100 from RedHat 7.2 updates 0.9.6b-24 * Thu Jul 25 2002 Nalin Dahyabhai 0.9.6b-24 - add backport of Ben Laurie's patches for OpenSSL 0.9.6d * Mon Sep 10 2001 Satoshi MACHINO 0.9.6b-1vl4 - added ${PATH} in LD_LIBRARY_PATH - added install -m 755 *.so.* $RPM_BUILD_ROOT%{_libdir} in %install * Sun Jul 15 2001 Daisuke SUZUKI 0.9.6b-1vl3 - remove --no- * Sun Jul 15 2001 Daisuke SUZUKI 0.9.6b-1vl2 - add Patch10 for mipsel shared ( Configure ) * Sat Jul 14 2001 Daisuke SUZUKI 0.9.6b-1vl1 - build for Vine Linux - use openssl-engine-0.9.6b.tar.gz * Wed Jul 11 2001 Nalin Dahyabhai - update to 0.9.6b * Thu Jul 5 2001 Nalin Dahyabhai - move .so symlinks back to %%{_libdir} * Tue Jul 3 2001 Nalin Dahyabhai - move shared libraries to /lib (#38410) * Mon Jun 25 2001 Nalin Dahyabhai - switch to engine code base * Mon Jun 18 2001 Nalin Dahyabhai - add a script for creating dummy certificates - move man pages from %%{_mandir}/man?/foo.?ssl to %%{_mandir}/man?ssl/foo.? * Thu Jun 07 2001 Florian La Roche - add s390x support * Fri Jun 1 2001 Nalin Dahyabhai - change two memcpy() calls to memmove() - don't define L_ENDIAN on alpha * Tue May 15 2001 Nalin Dahyabhai - make subpackages depend on the main package * Tue May 1 2001 Nalin Dahyabhai - adjust the hobble script to not disturb symlinks in include/ (fix from Joe Orton) * Thu Apr 26 2001 Nalin Dahyabhai - drop the m2crypo patch we weren't using * Tue Apr 24 2001 Nalin Dahyabhai - configure using "shared" as well * Sun Apr 8 2001 Nalin Dahyabhai - update to 0.9.6a - use the build-shared target to build shared libraries - bump the soversion to 2 because we're no longer compatible with our 0.9.5a packages or our 0.9.6 packages - drop the patch for making rsatest a no-op when rsa null support is used - put all man pages into
ssl instead of
- break the m2crypto modules into a separate package * Tue Mar 13 2001 Nalin Dahyabhai - use BN_LLONG on s390 * Mon Mar 12 2001 Nalin Dahyabhai - fix the s390 changes for 0.9.6 (isn't supposed to be marked as 64-bit) * Sat Mar 3 2001 Nalin Dahyabhai - move c_rehash to the perl subpackage, because it's a perl script now * Fri Mar 2 2001 Nalin Dahyabhai - update to 0.9.6 - enable MD2 - use the libcrypto.so and libssl.so targets to build shared libs with - bump the soversion to 1 because we're no longer compatible with any of the various 0.9.5a packages circulating around, which provide lib*.so.0 * Wed Feb 28 2001 Florian La Roche - change hobble-openssl for disabling MD2 again * Tue Feb 27 2001 Nalin Dahyabhai - re-disable MD2 -- the EVP_MD_CTX structure would grow from 100 to 152 bytes or so, causing EVP_DigestInit() to zero out stack variables in apps built against a version of the library without it * Mon Feb 26 2001 Nalin Dahyabhai - disable some inline assembly, which on x86 is Pentium-specific - re-enable MD2 (see http://www.ietf.org/ietf/IPR/RSA-MD-all) * Thu Feb 08 2001 Florian La Roche - fix s390 patch * Fri Dec 8 2000 Than Ngo - added support s390 * Mon Nov 20 2000 Nalin Dahyabhai - remove -Wa,* and -m* compiler flags from the default Configure file (#20656) - add the CA.pl man page to the perl subpackage * Thu Nov 2 2000 Nalin Dahyabhai - always build with -mcpu=ev5 on alpha * Tue Oct 31 2000 Nalin Dahyabhai - add a symlink from cert.pem to ca-bundle.crt * Wed Oct 25 2000 Nalin Dahyabhai - add a ca-bundle file for packages like Samba to reference for CA certificates * Tue Oct 24 2000 Nalin Dahyabhai - remove libcrypto's crypt(), which doesn't handle md5crypt (#19295) * Mon Oct 2 2000 Nalin Dahyabhai - add unzip as a buildprereq (#17662) - update m2crypto to 0.05-snap4 * Tue Sep 26 2000 Bill Nottingham - fix some issues in building when it's not installed * Wed Sep 6 2000 Nalin Dahyabhai - make sure the headers we include are the ones we built with (aaaaarrgh!) * Fri Sep 1 2000 Nalin Dahyabhai - add Richard Henderson's patch for BN on ia64 - clean up the changelog * Tue Aug 29 2000 Nalin Dahyabhai - fix the building of python modules without openssl-devel already installed * Wed Aug 23 2000 Nalin Dahyabhai - byte-compile python extensions without the build-root - adjust the makefile to not remove temporary files (like .key files when building .csr files) by marking them as .PRECIOUS * Sat Aug 19 2000 Nalin Dahyabhai - break out python extensions into a subpackage * Mon Jul 17 2000 Nalin Dahyabhai - tweak the makefile some more * Tue Jul 11 2000 Nalin Dahyabhai - disable MD2 support * Thu Jul 6 2000 Nalin Dahyabhai - disable MDC2 support * Sun Jul 2 2000 Nalin Dahyabhai - tweak the disabling of RC5, IDEA support - tweak the makefile * Thu Jun 29 2000 Nalin Dahyabhai - strip binaries and libraries - rework certificate makefile to have the right parts for Apache * Wed Jun 28 2000 Nalin Dahyabhai - use %%{_perl} instead of /usr/bin/perl - disable alpha until it passes its own test suite * Fri Jun 9 2000 Nalin Dahyabhai - move the passwd.1 man page out of the passwd package's way * Fri Jun 2 2000 Nalin Dahyabhai - update to 0.9.5a, modified for U.S. - add perl as a build-time requirement - move certificate makefile to another package - disable RC5, IDEA, RSA support - remove optimizations for now * Wed Mar 1 2000 Florian La Roche - Bero told me to move the Makefile into this package * Wed Mar 1 2000 Florian La Roche - add lib*.so symlinks to link dynamically against shared libs * Tue Feb 29 2000 Florian La Roche - update to 0.9.5 - run ldconfig directly in post/postun - add FAQ * Sat Dec 18 1999 Bernhard Rosenkrdnzer - Fix build on non-x86 platforms * Fri Nov 12 1999 Bernhard Rosenkrdnzer - move /usr/share/ssl/* from -devel to main package * Tue Oct 26 1999 Bernhard Rosenkrdnzer - inital packaging - changes from base: - Move /usr/local/ssl to /usr/share/ssl for FHS compliance - handle RPM_OPT_FLAGS