###############################################################################
name = openssl
-version = 1.1.0g
+version = 1.1.1g
release = 1
maintainer = Michael Tremer <michael.tremer@ipfire.org>
end
test
- # Revert ca-dir patch. Otherwise the tests will fail.
- patch -Np1 -R < %{DIR_PATCHES}/openssl-1.1.0-ca-dir.patch
-
make test
end
# Remove dist config
rm -vf %{BUILDROOT}%{sysconfdir}/pki/tls/openssl.cnf.dist
-
- # Move executable stuff to %{bindir}
- mv -v %{BUILDROOT}%{sysconfdir}/pki/tls/misc/{CA.pl,tsget} %{BUILDROOT}%{bindir}
end
end
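Review bot: Nothing in the visible recipe records that the bump to `version = 1.1.1g`, together with dropping the downstream disable-ssl3, defaults and ca-dir patches deleted further down the page, leaves the package relying on upstream 1.1.1 defaults for three settings. Those are SSLv3 being off in `SSL_CTX_new`, `default_md = sha256` in `openssl.cnf`, and the CA directory, which the deleted patch had moved from `./demoCA` to `/etc/pki/CA`. The configure options are outside this view, so please confirm that `enable-ssl3` is not passed and that the shipped `openssl.cnf` still selects SHA-256 or stronger for `req` and `ca`. A short comment next to the version line would help, for example `# SSLv3 and digest defaults now come from upstream 1.1.1; downstream disable-ssl3/defaults/ca-dir patches dropped`. The install stage also no longer moves `CA.pl` and `tsget` to `%{bindir}`, so if upstream still installs them under `%{sysconfdir}/pki/tls/misc` they will ship as executables in the configuration tree.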
+++ /dev/null
-diff -up openssl-1.1.0f/Configurations/unix-Makefile.tmpl.build openssl-1.1.0f/Configurations/unix-Makefile.tmpl
---- openssl-1.1.0f/Configurations/unix-Makefile.tmpl.build 2017-06-02 13:51:39.621289504 +0200
-+++ openssl-1.1.0f/Configurations/unix-Makefile.tmpl 2017-06-02 13:54:45.298654812 +0200
-@@ -553,7 +553,7 @@ uninstall_runtime:
- install_man_docs:
- @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
- @echo "*** Installing manpages"
-- $(PERL) $(SRCDIR)/util/process_docs.pl \
-+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
- --destdir=$(DESTDIR)$(MANDIR) --type=man --suffix=$(MANSUFFIX)
-
- uninstall_man_docs:
-@@ -565,7 +565,7 @@ uninstall_man_docs:
- install_html_docs:
- @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
- @echo "*** Installing HTML manpages"
-- $(PERL) $(SRCDIR)/util/process_docs.pl \
-+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
- --destdir=$(DESTDIR)$(HTMLDIR) --type=html
-
- uninstall_html_docs:
-diff -up openssl-1.1.0f/Configurations/10-main.conf.build openssl-1.1.0f/Configurations/10-main.conf
---- openssl-1.1.0f/Configurations/10-main.conf.build 2017-05-25 14:46:17.000000000 +0200
-+++ openssl-1.1.0f/Configurations/10-main.conf 2017-06-02 13:51:39.622289528 +0200
-@@ -662,6 +662,7 @@ sub vms_info {
- cflags => add("-m64 -DL_ENDIAN"),
- perlasm_scheme => "linux64le",
- shared_ldflag => add("-m64"),
-+ multilib => "64",
- },
-
- "linux-armv4" => {
-@@ -702,6 +703,7 @@ sub vms_info {
- "linux-aarch64" => {
- inherit_from => [ "linux-generic64", asm("aarch64_asm") ],
- perlasm_scheme => "linux64",
-+ multilib => "64",
- },
- "linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
- inherit_from => [ "linux-generic32", asm("aarch64_asm") ],
-diff -up openssl-1.1.0g/test/evptests.txt.build openssl-1.1.0g/test/evptests.txt
---- openssl-1.1.0g/test/evptests.txt.build 2017-11-02 15:29:05.000000000 +0100
-+++ openssl-1.1.0g/test/evptests.txt 2017-11-03 16:37:01.253671494 +0100
-@@ -3707,14 +3707,6 @@ MCowBQYDK2VuAyEA3p7bfXt9wbTTW2HC7OQ1Nz+D
-
- PrivPubKeyPair = Bob-25519:Bob-25519-PUBLIC
-
--Derive=Alice-25519
--PeerKey=Bob-25519-PUBLIC
--SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742
--
--Derive=Bob-25519
--PeerKey=Alice-25519-PUBLIC
--SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742
--
- # Illegal sign/verify operations with X25519 key
-
- Sign=Alice-25519
-@@ -3727,6 +3719,14 @@ Result = KEYOP_INIT_ERROR
- Function = EVP_PKEY_verify_init
- Reason = operation not supported for this keytype
-
-+Derive=Alice-25519
-+PeerKey=Bob-25519-PUBLIC
-+SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742
-+
-+Derive=Bob-25519
-+PeerKey=Alice-25519-PUBLIC
-+SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742
-+
- ## ECDH Tests: test with randomly generated keys for all the listed curves
-
-
+++ /dev/null
-diff -up openssl-1.1.0-pre5/apps/CA.pl.in.ca-dir openssl-1.1.0-pre5/apps/CA.pl.in
---- openssl-1.1.0-pre5/apps/CA.pl.in.ca-dir 2016-07-18 15:19:40.118110405 +0200
-+++ openssl-1.1.0-pre5/apps/CA.pl.in 2016-07-18 15:21:06.531061337 +0200
-@@ -26,7 +26,7 @@ my $X509 = "$openssl x509";
- my $PKCS12 = "$openssl pkcs12";
-
- # default openssl.cnf file has setup as per the following
--my $CATOP = "./demoCA";
-+my $CATOP = "/etc/pki/CA";
- my $CAKEY = "cakey.pem";
- my $CAREQ = "careq.pem";
- my $CACERT = "cacert.pem";
-diff -up openssl-1.1.0-pre5/apps/openssl.cnf.ca-dir openssl-1.1.0-pre5/apps/openssl.cnf
---- openssl-1.1.0-pre5/apps/openssl.cnf.ca-dir 2016-07-18 15:19:40.114110315 +0200
-+++ openssl-1.1.0-pre5/apps/openssl.cnf 2016-07-18 15:19:48.492299467 +0200
-@@ -39,7 +39,7 @@ default_ca = CA_default # The default c
- ####################################################################
- [ CA_default ]
-
--dir = ./demoCA # Where everything is kept
-+dir = /etc/pki/CA # Where everything is kept
- certs = $dir/certs # Where the issued certs are kept
- crl_dir = $dir/crl # Where the issued crl are kept
- database = $dir/index.txt # database index file.
+++ /dev/null
-diff -up openssl-1.1.0-pre5/apps/openssl.cnf.defaults openssl-1.1.0-pre5/apps/openssl.cnf
---- openssl-1.1.0-pre5/apps/openssl.cnf.defaults 2016-04-19 16:57:52.000000000 +0200
-+++ openssl-1.1.0-pre5/apps/openssl.cnf 2016-07-18 14:22:08.252691017 +0200
-@@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate fi
-
- default_days = 365 # how long to certify for
- default_crl_days= 30 # how long before next CRL
--default_md = default # use public key default MD
-+default_md = sha256 # use SHA-256 by default
- preserve = no # keep passed DN ordering
-
- # A few difference way of specifying how similar the request should look
-@@ -104,6 +104,7 @@ emailAddress = optional
- ####################################################################
- [ req ]
- default_bits = 2048
-+default_md = sha256
- default_keyfile = privkey.pem
- distinguished_name = req_distinguished_name
- attributes = req_attributes
-@@ -126,17 +127,18 @@ string_mask = utf8only
-
- [ req_distinguished_name ]
- countryName = Country Name (2 letter code)
--countryName_default = AU
-+countryName_default = XX
- countryName_min = 2
- countryName_max = 2
-
- stateOrProvinceName = State or Province Name (full name)
--stateOrProvinceName_default = Some-State
-+#stateOrProvinceName_default = Default Province
-
- localityName = Locality Name (eg, city)
-+localityName_default = Default City
-
- 0.organizationName = Organization Name (eg, company)
--0.organizationName_default = Internet Widgits Pty Ltd
-+0.organizationName_default = Default Company Ltd
-
- # we can do this but it is not needed normally :-)
- #1.organizationName = Second Organization Name (eg, company)
-@@ -145,7 +147,7 @@ localityName = Locality Name (eg, city
- organizationalUnitName = Organizational Unit Name (eg, section)
- #organizationalUnitName_default =
-
--commonName = Common Name (e.g. server FQDN or YOUR name)
-+commonName = Common Name (eg, your name or your server\'s hostname)
- commonName_max = 64
-
- emailAddress = Email Address
+++ /dev/null
-diff -up openssl-1.1.0f/apps/s_client.c.disable-ssl3 openssl-1.1.0f/apps/s_client.c
---- openssl-1.1.0f/apps/s_client.c.disable-ssl3 2017-06-05 15:42:44.838853312 +0200
-+++ openssl-1.1.0f/apps/s_client.c 2017-07-17 14:50:06.468821871 +0200
-@@ -1486,6 +1486,9 @@ int s_client_main(int argc, char **argv)
- if (sdebug)
- ssl_ctx_security_debug(ctx, sdebug);
-
-+ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
-+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
-+
- if (ssl_config) {
- if (SSL_CTX_config(ctx, ssl_config) == 0) {
- BIO_printf(bio_err, "Error using configuration \"%s\"\n",
-diff -up openssl-1.1.0f/apps/s_server.c.disable-ssl3 openssl-1.1.0f/apps/s_server.c
---- openssl-1.1.0f/apps/s_server.c.disable-ssl3 2017-05-25 14:46:18.000000000 +0200
-+++ openssl-1.1.0f/apps/s_server.c 2017-07-17 14:49:50.434447583 +0200
-@@ -1614,6 +1614,10 @@ int s_server_main(int argc, char *argv[]
- }
- if (sdebug)
- ssl_ctx_security_debug(ctx, sdebug);
-+
-+ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
-+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
-+
- if (ssl_config) {
- if (SSL_CTX_config(ctx, ssl_config) == 0) {
- BIO_printf(bio_err, "Error using configuration \"%s\"\n",
-diff -up openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.0/ssl/ssl_lib.c
---- openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3 2016-08-25 17:29:22.000000000 +0200
-+++ openssl-1.1.0/ssl/ssl_lib.c 2016-09-08 11:08:05.252082263 +0200
-@@ -2470,6 +2470,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
- * or by using the SSL_CONF library.
- */
- ret->options |= SSL_OP_NO_COMPRESSION;
-+ /*
-+ * Disable SSLv3 by default. Applications can
-+ * re-enable it by configuring
-+ * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
-+ * or by using the SSL_CONF library.
-+ */
-+ ret->options |= SSL_OP_NO_SSLv3;
-
- ret->tlsext_status_type = -1;
-
-diff -up openssl-1.1.0/test/ssl_test.c.disable-ssl3 openssl-1.1.0/test/ssl_test.c
---- openssl-1.1.0/test/ssl_test.c.disable-ssl3 2016-09-08 11:08:05.252082263 +0200
-+++ openssl-1.1.0/test/ssl_test.c 2016-09-08 11:11:44.802005886 +0200
-@@ -258,6 +258,7 @@ static int execute_test(SSL_TEST_FIXTURE
- SSL_TEST_SERVERNAME_CB_NONE) {
- server2_ctx = SSL_CTX_new(TLS_server_method());
- TEST_check(server2_ctx != NULL);
-+ SSL_CTX_clear_options(server2_ctx, SSL_OP_NO_SSLv3);
- }
- client_ctx = SSL_CTX_new(TLS_client_method());
-
-@@ -266,11 +267,15 @@ static int execute_test(SSL_TEST_FIXTURE
- resume_client_ctx = SSL_CTX_new(TLS_client_method());
- TEST_check(resume_server_ctx != NULL);
- TEST_check(resume_client_ctx != NULL);
-+ SSL_CTX_clear_options(resume_server_ctx, SSL_OP_NO_SSLv3);
-+ SSL_CTX_clear_options(resume_client_ctx, SSL_OP_NO_SSLv3);
- }
- }
-
- TEST_check(server_ctx != NULL);
- TEST_check(client_ctx != NULL);
-+ SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3);
-+ SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3);
-
- TEST_check(CONF_modules_load(conf, fixture.test_app, 0) > 0);
-
-diff -up openssl-1.1.0/test/ssltest_old.c.disable-ssl3 openssl-1.1.0/test/ssltest_old.c
---- openssl-1.1.0/test/ssltest_old.c.disable-ssl3 2016-08-25 17:29:23.000000000 +0200
-+++ openssl-1.1.0/test/ssltest_old.c 2016-09-08 11:08:05.253082286 +0200
-@@ -1456,6 +1456,11 @@ int main(int argc, char *argv[])
- ERR_print_errors(bio_err);
- goto end;
- }
-+
-+ SSL_CTX_clear_options(c_ctx, SSL_OP_NO_SSLv3);
-+ SSL_CTX_clear_options(s_ctx, SSL_OP_NO_SSLv3);
-+ SSL_CTX_clear_options(s_ctx2, SSL_OP_NO_SSLv3);
-+
- /*
- * Since we will use low security ciphersuites and keys for testing set
- * security level to zero by default. Tests can override this by adding
+++ /dev/null
-diff -up openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.nohtml openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl
---- openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.no-html 2016-04-19 16:57:52.000000000 +0200
-+++ openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl 2016-07-18 13:58:55.060106243 +0200
-@@ -288,7 +288,7 @@ install_sw: all install_dev install_engi
-
- uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev
-
--install_docs: install_man_docs install_html_docs
-+install_docs: install_man_docs
-
- uninstall_docs: uninstall_man_docs uninstall_html_docs
- $(RM) -r -v $(DESTDIR)$(DOCDIR)
+++ /dev/null
---- openssl-1.1.0g/test/recipes/40-test_rehash.t~ 2018-01-28 19:08:01.151912658 +0000
-+++ openssl-1.1.0g/test/recipes/40-test_rehash.t 2018-01-28 19:09:19.408454430 +0000
-@@ -23,7 +23,7 @@
- plan skip_all => "test_rehash is not available on this platform"
- unless run(app(["openssl", "rehash", "-help"]));
-
--plan tests => 5;
-+plan tests => 3;
-
- indir "rehash.$$" => sub {
- prepare();
-@@ -42,21 +42,6 @@
- 'Testing rehash operations on empty directory');
- }, create => 1, cleanup => 1;
-
--indir "rehash.$$" => sub {
-- prepare();
-- chmod 0500, curdir();
-- SKIP: {
-- if (!ok(!open(FOO, ">unwritable.txt"),
-- "Testing that we aren't running as a privileged user, such as root")) {
-- close FOO;
-- skip "It's pointless to run the next test as root", 1;
-- }
-- isnt(run(app(["openssl", "rehash", curdir()])), 1,
-- 'Testing rehash operations on readonly directory');
-- }
-- chmod 0700, curdir(); # make it writable again, so cleanup works
--}, create => 1, cleanup => 1;
--
- sub prepare {
- my @pemsourcefiles = sort glob(srctop_file('test', "*.pem"));
- my @destfiles = ();