--- /dev/null
+###############################################################################
+# IPFire.org - An Open Source Firewall Solution #
+# Copyright (C) - IPFire Development Team <info@ipfire.org> #
+###############################################################################
+
+name = compat-openssl
+version = 1.0.2n
+release = 1
+thisapp = openssl-%{version}
+
+maintainer = Michael Tremer <michael.tremer@ipfire.org>
+groups = System/Libraries
+url = http://www.openssl.org/
+license = OpenSSL
+summary = A general purpose cryptography library with TLS implementation.
+
+description
+ The OpenSSL toolkit provides support for secure communications between
+ machines. OpenSSL includes a certificate management tool and shared
+ libraries which provide various cryptographic algorithms and protocols.
+end
+
+source_dl = http://openssl.org/source/
+
+build
+ requires
+ bc
+ gnutls-devel
+ perl
+ util-linux
+ zlib-devel
+ end
+
+ CFLAGS += -DPURIFY
+ export RPM_OPT_FLAGS = %{CFLAGS} %{LDFLAGS}
+
+ prepare_cmds
+ sed -e 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' \
+ -i crypto/opensslv.h
+
+ find crypto/ -name Makefile -exec \
+ sed 's/^ASFLAGS=/&-Wa,--noexecstack /' -i {} \;
+
+ # Generate a table with the compile settings for my perusal.
+ touch Makefile
+ make TABLE PERL=/usr/bin/perl
+ end
+
+ # Set default ssl_arch.
+ ssl_arch = linux-%{DISTRO_ARCH}
+
+ if "%{DISTRO_ARCH}" == "i686"
+ # 386 implies no-sse2
+ ssl_arch = linux-elf no-asm 386
+ end
+
+ if "%{DISTRO_ARCH}" == "armv5tel"
+ ssl_arch = linux-armv4
+ end
+
+ if "%{DISTRO_ARCH}" == "armv7hl"
+ ssl_arch = linux-armv4
+ end
+
+ build
+ ./Configure \
+ --prefix=/usr \
+ --openssldir=/etc/pki/tls \
+ --enginesdir=%{libdir}/openssl/engines \
+ shared \
+ zlib-dynamic \
+ enable-camellia \
+ enable-md2 \
+ enable-seed \
+ enable-tlsext \
+ enable-rfc3779 \
+ no-idea \
+ no-mdc2 \
+ no-rc5 \
+ no-ec2m \
+ no-srp \
+ -DSSL_FORBID_ENULL \
+ %{ssl_arch}
+
+ # Build.
+ make depend
+ make all
+
+ # Generate hashes for the included certs.
+ make rehash
+ end
+
+ test
+ # Revert ca-dir patch. Otherwise the tests will fail.
+ patch -Np1 -R < %{DIR_PATCHES}/openssl-1.0.0-beta4-ca-dir.patch
+
+ make test
+ end
+
+ install
+ make install INSTALL_PREFIX=%{BUILDROOT}
+
+ # Remove man pages
+ rm -rfv %{BUILDROOT}%{sysconfdir}/pki/tls/man %{BUILDROOT}/usr/share/man*
+
+ # Remove configuration files
+ rm -rfv %{BUILDROOT}%{sysconfdir}/pki
+
+ # Remove engines
+ rm -rfv %{BUILDROOT}%{libdir}/{engines,openssl}
+
+ # Remove binaries
+ rm -rfv %{BUILDROOT}%{bindir}
+ end
+end
+
+packages
+ package %{name}
+ requires
+ ca-certificates
+ end
+
+ provides
+ openssl = %{thisver}
+ end
+
+ obsoletes
+ openssl <= %{thisver}
+ end
+ end
+
+ package %{name}-devel
+ template DEVEL
+
+ provides
+ openssl-devel = %{thisver}
+ end
+
+ obsoletes
+ openssl-devel <= %{thisver}
+ end
+ end
+
+ package %{name}-debuginfo
+ template DEBUGINFO
+ end
+end
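Review bot: `source_dl = http://openssl.org/source/` fetches the source of a cryptography library over plain HTTP, so the integrity of the `%{thisapp}` tarball rests entirely on whatever checksum the build system verifies, and no checksum is visible in this file. Switch to `source_dl = https://www.openssl.org/source/` and confirm that a pinned hash is checked before the tarball is unpacked. Separately, the `./Configure` call keeps `enable-md2` and does not pass `no-ssl3`; as far as I can tell a 1.0.2 build then still offers SSLv3 to every application linked against this compat library. A comment naming the legacy consumers that need this would help.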
-diff -up openssl-1.0.2c/Configure.rpmbuild openssl-1.0.2c/Configure
---- openssl-1.0.2c/Configure.rpmbuild 2015-06-12 16:51:21.000000000 +0200
-+++ openssl-1.0.2c/Configure 2015-06-15 17:22:52.598496680 +0200
+diff -up openssl-1.0.2e/Configure.rpmbuild openssl-1.0.2e/Configure
+--- openssl-1.0.2e/Configure.rpmbuild 2015-12-03 15:04:23.000000000 +0100
++++ openssl-1.0.2e/Configure 2015-12-04 13:20:22.996835604 +0100
@@ -365,8 +365,8 @@ my %table=(
####
# *-generic* is endian-neutral target, but ./config is free to
#######################################################################
# Note that -march is not among compiler options in below linux-armv4
-@@ -395,30 +395,30 @@ my %table=(
+@@ -395,31 +395,31 @@ my %table=(
#
# ./Configure linux-armv4 -march=armv6 -D__ARM_MAX_ARCH__=8
#
-"linux-ppc64", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
-"linux-ppc64le","gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",
-"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"linux-generic64","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
++"linux-generic64","gcc:-Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+"linux-ppc64", "gcc:-m64 -DB_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+"linux-ppc64le","gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
+"linux-ia64", "gcc:-DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC:\$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER)",
-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -Wall \$(RPM_OPT_FLAGS)::-D_REENTRANT::-Wl,-z,relro -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64 \$(RPM_OPT_FLAGS):.so.\$(SHLIB_SONAMEVER):::64",
"linux-x86_64-clang", "clang: -m64 -DL_ENDIAN -O3 -Wall -Wextra $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+ "debug-linux-x86_64-clang", "clang: -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -g -Wall -Wextra $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
"linux-x86_64-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
"linux-x32", "gcc:-mx32 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32",
-"linux64-s390x", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
#### So called "highgprs" target for z/Architecture CPUs
# "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
# /proc/cpuinfo. The idea is to preserve most significant bits of
-@@ -436,12 +436,12 @@ my %table=(
+@@ -437,12 +437,12 @@ my %table=(
#### SPARC Linux setups
# Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
# assisted with debugging of following two configs.
#### Alpha Linux with GNU C and Compaq C setups
# Special notes:
# - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
-@@ -1764,7 +1764,7 @@ while (<IN>)
+@@ -1767,7 +1767,7 @@ while (<IN>)
elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
{
my $sotmp = $1;
}
elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
{
-diff -up openssl-1.0.2c/Makefile.org.rpmbuild openssl-1.0.2c/Makefile.org
---- openssl-1.0.2c/Makefile.org.rpmbuild 2015-06-12 16:51:21.000000000 +0200
-+++ openssl-1.0.2c/Makefile.org 2015-06-15 17:19:14.874510995 +0200
+diff -up openssl-1.0.2e/Makefile.org.rpmbuild openssl-1.0.2e/Makefile.org
+--- openssl-1.0.2e/Makefile.org.rpmbuild 2015-12-03 15:04:23.000000000 +0100
++++ openssl-1.0.2e/Makefile.org 2015-12-04 13:18:44.913538616 +0100
@@ -10,6 +10,7 @@ SHLIB_VERSION_HISTORY=
SHLIB_MAJOR=
SHLIB_MINOR=
PLATFORM=dist
OPTIONS=
CONFIGURE_ARGS=
-@@ -338,10 +339,9 @@ clean-shared:
+@@ -341,10 +342,9 @@ clean-shared:
link-shared:
@ set -e; for i in $(SHLIBDIRS); do \
$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
done
build-shared: do_$(SHLIB_TARGET) link-shared
-@@ -352,7 +352,7 @@ do_$(SHLIB_TARGET):
+@@ -355,7 +355,7 @@ do_$(SHLIB_TARGET):
libs="$(LIBKRB5) $$libs"; \
fi; \
$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
###############################################################################
name = openssl
-version = 1.0.2d
-release = 4
+version = 1.1.0g
+release = 1
maintainer = Michael Tremer <michael.tremer@ipfire.org>
groups = System/Libraries
build
requires
- bc
- gnutls-devel
+ ca-certificates
+ coreutils
perl
- util-linux
+ perl(Math::BigInt)
+ perl(Module::Load::Conditional)
+ perl(Test::Harness)
+ perl(Test::More)
+ sed
zlib-devel
end
- CFLAGS += -DPURIFY
- export RPM_OPT_FLAGS = %{CFLAGS} %{LDFLAGS}
+ export HASHBANGPERL = %{bindir}/perl
- prepare_cmds
- sed -e 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' \
- -i crypto/opensslv.h
-
- find crypto/ -name Makefile -exec \
- sed 's/^ASFLAGS=/&-Wa,--noexecstack /' -i {} \;
-
- # Generate a table with the compile settings for my perusal.
- touch Makefile
- make TABLE PERL=/usr/bin/perl
- end
+ CFLAGS += -DPURIFY -Wa,--noexecstack
# Set default ssl_arch.
ssl_arch = linux-%{DISTRO_ARCH}
+ if "%{DISTRO_ARCH}" == "x86_64"
+ ssl_arch += enable-ec_nistp_64_gcc_128
+ end
+
if "%{DISTRO_ARCH}" == "i686"
# 386 implies no-sse2
ssl_arch = linux-elf no-asm 386
end
+ if "%{DISTRO_ARCH}" == "aarch64"
+ ssl_arch += enable-ec_nistp_64_gcc_128
+ end
+
if "%{DISTRO_ARCH}" == "armv5tel"
ssl_arch = linux-armv4
end
build
./Configure \
- --prefix=/usr \
- --openssldir=/etc/pki/tls \
- --enginesdir=%{libdir}/openssl/engines \
+ --prefix=%{prefix} \
+ --openssldir=%{sysconfdir}/pki/tls \
shared \
- zlib-dynamic \
+ zlib \
enable-camellia \
- enable-md2 \
enable-seed \
- enable-tlsext \
enable-rfc3779 \
- no-idea \
- no-mdc2 \
+ enable-ssl3 \
+ enable-ssl3-method \
+ no-rc4 \
no-rc5 \
- no-ec2m \
- no-srp \
- -DSSL_FORBID_ENULL \
- %{ssl_arch}
+ %{ssl_arch} \
+ ${CFLAGS} \
+ ${LDFLAGS}
- # Build.
- make depend
+ util/mkdef.pl crypto update
make all
- # Generate hashes for the included certs.
- make rehash
+ # Clean up the .pc files
+ for i in libcrypto.pc libssl.pc openssl.pc; do
+ sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i
+ done
end
test
# Revert ca-dir patch. Otherwise the tests will fail.
- patch -Np1 -R < %{DIR_PATCHES}/openssl-1.0.0-beta4-ca-dir.patch
+ patch -Np1 -R < %{DIR_PATCHES}/openssl-1.1.0-ca-dir.patch
make test
end
install
- make install build-shared INSTALL_PREFIX=%{BUILDROOT}
-
- # Install manpages do right place
- mkdir -pv %{BUILDROOT}/usr/share
- mv -v %{BUILDROOT}/etc/pki/tls/man %{BUILDROOT}/usr/share/
-
- if [ -d "%{BUILDROOT}%{libdir}/engines" ]; then
- mkdir -pv %{BUILDROOT}%{libdir}/openssl
- mv -v %{BUILDROOT}%{libdir}/engines %{BUILDROOT}%{libdir}/openssl
- fi
-
- mkdir -pv %{BUILDROOT}/etc/pki/CA/private
- chmod -v 700 -R %{BUILDROOT}/etc/pki/CA
-
- mkdir -pv %{BUILDROOT}/etc/pki/tls
- install -m 0644 %{DIR_SOURCE}/openssl.cnf %{BUILDROOT}/etc/pki/tls
- cp -v -r certs %{BUILDROOT}/etc/pki/tls
+ make install DESTDIR=%{BUILDROOT}
# Rename man pages so that they don't conflict with other system man pages.
pushd %{BUILDROOT}%{mandir}
- for m in $(find . -type f | xargs grep -L '#include'); do
- d="${m%/*}"
- d="${d#./}"
- m="${m##*/}"
- [[ ${m} == openssl.1* ]] && continue
- [[ -n "$(find -L "${d}" -type l)" ]] && exit 1
- mv ${d}/{,ssl-}${m}
-
- # fix up references to renamed man pages
- sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' "${d}/ssl-${m}"
- ln -s "ssl-${m}" "${d}/openssl-${m}"
-
- # locate any symlinks that point to this man page ... we assume
- # that any broken links are due to the above renaming
- for s in $(find -L "${d}" -type l); do
- s="${s##*/}"
- rm -f "${d}/${s}"
- ln -s "ssl-${m}" "${d}/ssl-${s}"
- ln -s "ssl-${s}" "${d}/openssl-${s}"
- done
+ ln -svf config.5 man5/openssl.cnf.5
+ for manpage in man*/*; do
+ if [ -L "${manpage}" ]; then
+ TARGET=$(ls -l "${manpage}" | awk '{ print $NF }')
+ ln -snf "${TARGET}ssl" "${manpage}ssl"
+ rm -f "${manpage}"
+ else
+ mv ${manpage} ${manpage}ssl
+ fi
+ done
+ for conflict in passwd rand; do
+ rename ${conflict} ssl${conflict} man*/${conflict}*
+ ln -svf ssl${conflict}.1ssl %{BUILDROOT}%{mandir}/man1/openssl-${conflict}.1ssl
done
-
- [[ -n "$(find -L "${d}" -type l)" ]] && exit 1 # "broken manpage links found :("
popd
+
+ # Remove dist config
+ rm -vf %{BUILDROOT}%{sysconfdir}/pki/tls/openssl.cnf.dist
+
+ # Move executable stuff to %{bindir}
+ mv -v %{BUILDROOT}%{sysconfdir}/pki/tls/misc/{CA.pl,tsget} %{BUILDROOT}%{bindir}
end
end
conflicts += %{name} < %{thisver}
- files += %{libdir}/openssl
+ files += %{libdir}/openssl %{libdir}/engines*
end
package %{name}-devel
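Review bot: The install section no longer creates `/etc/pki/CA/private` with mode 700 (the old `mkdir -pv` and `chmod -v 700 -R` lines are removed), while the ca-dir patch added in this same commit still points `CA.pl` and `openssl.cnf` at `/etc/pki/CA`. Unless another package ships that directory, it will be created on first use with whatever mode the creating tool and umask give it, which can leave CA private keys readable by other local users. After `make install DESTDIR=%{BUILDROOT}`, add `mkdir -pv %{BUILDROOT}%{sysconfdir}/pki/CA/private` and `chmod -v 700 -R %{BUILDROOT}%{sysconfdir}/pki/CA`. In the man-page loop, `TARGET=$(readlink "${manpage}")` is more robust than parsing `ls -l`, and `mv "${manpage}" "${manpage}ssl"` should be quoted like the symlink branch.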
--- /dev/null
+diff -up openssl-1.1.0f/Configurations/unix-Makefile.tmpl.build openssl-1.1.0f/Configurations/unix-Makefile.tmpl
+--- openssl-1.1.0f/Configurations/unix-Makefile.tmpl.build 2017-06-02 13:51:39.621289504 +0200
++++ openssl-1.1.0f/Configurations/unix-Makefile.tmpl 2017-06-02 13:54:45.298654812 +0200
+@@ -553,7 +553,7 @@ uninstall_runtime:
+ install_man_docs:
+ @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+ @echo "*** Installing manpages"
+- $(PERL) $(SRCDIR)/util/process_docs.pl \
++ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
+ --destdir=$(DESTDIR)$(MANDIR) --type=man --suffix=$(MANSUFFIX)
+
+ uninstall_man_docs:
+@@ -565,7 +565,7 @@ uninstall_man_docs:
+ install_html_docs:
+ @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+ @echo "*** Installing HTML manpages"
+- $(PERL) $(SRCDIR)/util/process_docs.pl \
++ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
+ --destdir=$(DESTDIR)$(HTMLDIR) --type=html
+
+ uninstall_html_docs:
+diff -up openssl-1.1.0f/Configurations/10-main.conf.build openssl-1.1.0f/Configurations/10-main.conf
+--- openssl-1.1.0f/Configurations/10-main.conf.build 2017-05-25 14:46:17.000000000 +0200
++++ openssl-1.1.0f/Configurations/10-main.conf 2017-06-02 13:51:39.622289528 +0200
+@@ -662,6 +662,7 @@ sub vms_info {
+ cflags => add("-m64 -DL_ENDIAN"),
+ perlasm_scheme => "linux64le",
+ shared_ldflag => add("-m64"),
++ multilib => "64",
+ },
+
+ "linux-armv4" => {
+@@ -702,6 +703,7 @@ sub vms_info {
+ "linux-aarch64" => {
+ inherit_from => [ "linux-generic64", asm("aarch64_asm") ],
+ perlasm_scheme => "linux64",
++ multilib => "64",
+ },
+ "linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
+ inherit_from => [ "linux-generic32", asm("aarch64_asm") ],
+diff -up openssl-1.1.0g/test/evptests.txt.build openssl-1.1.0g/test/evptests.txt
+--- openssl-1.1.0g/test/evptests.txt.build 2017-11-02 15:29:05.000000000 +0100
++++ openssl-1.1.0g/test/evptests.txt 2017-11-03 16:37:01.253671494 +0100
+@@ -3707,14 +3707,6 @@ MCowBQYDK2VuAyEA3p7bfXt9wbTTW2HC7OQ1Nz+D
+
+ PrivPubKeyPair = Bob-25519:Bob-25519-PUBLIC
+
+-Derive=Alice-25519
+-PeerKey=Bob-25519-PUBLIC
+-SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742
+-
+-Derive=Bob-25519
+-PeerKey=Alice-25519-PUBLIC
+-SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742
+-
+ # Illegal sign/verify operations with X25519 key
+
+ Sign=Alice-25519
+@@ -3727,6 +3719,14 @@ Result = KEYOP_INIT_ERROR
+ Function = EVP_PKEY_verify_init
+ Reason = operation not supported for this keytype
+
++Derive=Alice-25519
++PeerKey=Bob-25519-PUBLIC
++SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742
++
++Derive=Bob-25519
++PeerKey=Alice-25519-PUBLIC
++SharedSecret=4A5D9D5BA4CE2DE1728E3BF480350F25E07E21C947D19E3376F09B3C1E161742
++
+ ## ECDH Tests: test with randomly generated keys for all the listed curves
+
+
--- /dev/null
+diff -up openssl-1.1.0-pre5/apps/CA.pl.in.ca-dir openssl-1.1.0-pre5/apps/CA.pl.in
+--- openssl-1.1.0-pre5/apps/CA.pl.in.ca-dir 2016-07-18 15:19:40.118110405 +0200
++++ openssl-1.1.0-pre5/apps/CA.pl.in 2016-07-18 15:21:06.531061337 +0200
+@@ -26,7 +26,7 @@ my $X509 = "$openssl x509";
+ my $PKCS12 = "$openssl pkcs12";
+
+ # default openssl.cnf file has setup as per the following
+-my $CATOP = "./demoCA";
++my $CATOP = "/etc/pki/CA";
+ my $CAKEY = "cakey.pem";
+ my $CAREQ = "careq.pem";
+ my $CACERT = "cacert.pem";
+diff -up openssl-1.1.0-pre5/apps/openssl.cnf.ca-dir openssl-1.1.0-pre5/apps/openssl.cnf
+--- openssl-1.1.0-pre5/apps/openssl.cnf.ca-dir 2016-07-18 15:19:40.114110315 +0200
++++ openssl-1.1.0-pre5/apps/openssl.cnf 2016-07-18 15:19:48.492299467 +0200
+@@ -39,7 +39,7 @@ default_ca = CA_default # The default c
+ ####################################################################
+ [ CA_default ]
+
+-dir = ./demoCA # Where everything is kept
++dir = /etc/pki/CA # Where everything is kept
+ certs = $dir/certs # Where the issued certs are kept
+ crl_dir = $dir/crl # Where the issued crl are kept
+ database = $dir/index.txt # database index file.
--- /dev/null
+diff -up openssl-1.1.0-pre5/apps/openssl.cnf.defaults openssl-1.1.0-pre5/apps/openssl.cnf
+--- openssl-1.1.0-pre5/apps/openssl.cnf.defaults 2016-04-19 16:57:52.000000000 +0200
++++ openssl-1.1.0-pre5/apps/openssl.cnf 2016-07-18 14:22:08.252691017 +0200
+@@ -72,7 +72,7 @@ cert_opt = ca_default # Certificate fi
+
+ default_days = 365 # how long to certify for
+ default_crl_days= 30 # how long before next CRL
+-default_md = default # use public key default MD
++default_md = sha256 # use SHA-256 by default
+ preserve = no # keep passed DN ordering
+
+ # A few difference way of specifying how similar the request should look
+@@ -104,6 +104,7 @@ emailAddress = optional
+ ####################################################################
+ [ req ]
+ default_bits = 2048
++default_md = sha256
+ default_keyfile = privkey.pem
+ distinguished_name = req_distinguished_name
+ attributes = req_attributes
+@@ -126,17 +127,18 @@ string_mask = utf8only
+
+ [ req_distinguished_name ]
+ countryName = Country Name (2 letter code)
+-countryName_default = AU
++countryName_default = XX
+ countryName_min = 2
+ countryName_max = 2
+
+ stateOrProvinceName = State or Province Name (full name)
+-stateOrProvinceName_default = Some-State
++#stateOrProvinceName_default = Default Province
+
+ localityName = Locality Name (eg, city)
++localityName_default = Default City
+
+ 0.organizationName = Organization Name (eg, company)
+-0.organizationName_default = Internet Widgits Pty Ltd
++0.organizationName_default = Default Company Ltd
+
+ # we can do this but it is not needed normally :-)
+ #1.organizationName = Second Organization Name (eg, company)
+@@ -145,7 +147,7 @@ localityName = Locality Name (eg, city
+ organizationalUnitName = Organizational Unit Name (eg, section)
+ #organizationalUnitName_default =
+
+-commonName = Common Name (e.g. server FQDN or YOUR name)
++commonName = Common Name (eg, your name or your server\'s hostname)
+ commonName_max = 64
+
+ emailAddress = Email Address
--- /dev/null
+diff -up openssl-1.1.0f/apps/s_client.c.disable-ssl3 openssl-1.1.0f/apps/s_client.c
+--- openssl-1.1.0f/apps/s_client.c.disable-ssl3 2017-06-05 15:42:44.838853312 +0200
++++ openssl-1.1.0f/apps/s_client.c 2017-07-17 14:50:06.468821871 +0200
+@@ -1486,6 +1486,9 @@ int s_client_main(int argc, char **argv)
+ if (sdebug)
+ ssl_ctx_security_debug(ctx, sdebug);
+
++ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
++ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
++
+ if (ssl_config) {
+ if (SSL_CTX_config(ctx, ssl_config) == 0) {
+ BIO_printf(bio_err, "Error using configuration \"%s\"\n",
+diff -up openssl-1.1.0f/apps/s_server.c.disable-ssl3 openssl-1.1.0f/apps/s_server.c
+--- openssl-1.1.0f/apps/s_server.c.disable-ssl3 2017-05-25 14:46:18.000000000 +0200
++++ openssl-1.1.0f/apps/s_server.c 2017-07-17 14:49:50.434447583 +0200
+@@ -1614,6 +1614,10 @@ int s_server_main(int argc, char *argv[]
+ }
+ if (sdebug)
+ ssl_ctx_security_debug(ctx, sdebug);
++
++ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
++ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
++
+ if (ssl_config) {
+ if (SSL_CTX_config(ctx, ssl_config) == 0) {
+ BIO_printf(bio_err, "Error using configuration \"%s\"\n",
+diff -up openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.0/ssl/ssl_lib.c
+--- openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3 2016-08-25 17:29:22.000000000 +0200
++++ openssl-1.1.0/ssl/ssl_lib.c 2016-09-08 11:08:05.252082263 +0200
+@@ -2470,6 +2470,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+ * or by using the SSL_CONF library.
+ */
+ ret->options |= SSL_OP_NO_COMPRESSION;
++ /*
++ * Disable SSLv3 by default. Applications can
++ * re-enable it by configuring
++ * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
++ * or by using the SSL_CONF library.
++ */
++ ret->options |= SSL_OP_NO_SSLv3;
+
+ ret->tlsext_status_type = -1;
+
+diff -up openssl-1.1.0/test/ssl_test.c.disable-ssl3 openssl-1.1.0/test/ssl_test.c
+--- openssl-1.1.0/test/ssl_test.c.disable-ssl3 2016-09-08 11:08:05.252082263 +0200
++++ openssl-1.1.0/test/ssl_test.c 2016-09-08 11:11:44.802005886 +0200
+@@ -258,6 +258,7 @@ static int execute_test(SSL_TEST_FIXTURE
+ SSL_TEST_SERVERNAME_CB_NONE) {
+ server2_ctx = SSL_CTX_new(TLS_server_method());
+ TEST_check(server2_ctx != NULL);
++ SSL_CTX_clear_options(server2_ctx, SSL_OP_NO_SSLv3);
+ }
+ client_ctx = SSL_CTX_new(TLS_client_method());
+
+@@ -266,11 +267,15 @@ static int execute_test(SSL_TEST_FIXTURE
+ resume_client_ctx = SSL_CTX_new(TLS_client_method());
+ TEST_check(resume_server_ctx != NULL);
+ TEST_check(resume_client_ctx != NULL);
++ SSL_CTX_clear_options(resume_server_ctx, SSL_OP_NO_SSLv3);
++ SSL_CTX_clear_options(resume_client_ctx, SSL_OP_NO_SSLv3);
+ }
+ }
+
+ TEST_check(server_ctx != NULL);
+ TEST_check(client_ctx != NULL);
++ SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3);
++ SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3);
+
+ TEST_check(CONF_modules_load(conf, fixture.test_app, 0) > 0);
+
+diff -up openssl-1.1.0/test/ssltest_old.c.disable-ssl3 openssl-1.1.0/test/ssltest_old.c
+--- openssl-1.1.0/test/ssltest_old.c.disable-ssl3 2016-08-25 17:29:23.000000000 +0200
++++ openssl-1.1.0/test/ssltest_old.c 2016-09-08 11:08:05.253082286 +0200
+@@ -1456,6 +1456,11 @@ int main(int argc, char *argv[])
+ ERR_print_errors(bio_err);
+ goto end;
+ }
++
++ SSL_CTX_clear_options(c_ctx, SSL_OP_NO_SSLv3);
++ SSL_CTX_clear_options(s_ctx, SSL_OP_NO_SSLv3);
++ SSL_CTX_clear_options(s_ctx2, SSL_OP_NO_SSLv3);
++
+ /*
+ * Since we will use low security ciphersuites and keys for testing set
+ * security level to zero by default. Tests can override this by adding
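Review bot: Nothing in this patch tests the new default. Every context in `test/ssl_test.c` and `test/ssltest_old.c` has `SSL_OP_NO_SSLv3` cleared right after creation, so the suite would still pass if the `ret->options |= SSL_OP_NO_SSLv3;` line in `SSL_CTX_new` were lost in a later rebase of the patch. Because the package is configured with `enable-ssl3 enable-ssl3-method`, that single option bit is the only thing keeping SSLv3 off for applications that do not set protocol options themselves. Add a check in `execute_test` before the clear calls, for example `TEST_check(SSL_CTX_get_options(client_ctx) & SSL_OP_NO_SSLv3);`. The enclosing functions start and end outside the hunks shown.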
--- /dev/null
+diff -up openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.nohtml openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl
+--- openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl.no-html 2016-04-19 16:57:52.000000000 +0200
++++ openssl-1.1.0-pre5/Configurations/unix-Makefile.tmpl 2016-07-18 13:58:55.060106243 +0200
+@@ -288,7 +288,7 @@ install_sw: all install_dev install_engi
+
+ uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev
+
+-install_docs: install_man_docs install_html_docs
++install_docs: install_man_docs
+
+ uninstall_docs: uninstall_man_docs uninstall_html_docs
+ $(RM) -r -v $(DESTDIR)$(DOCDIR)
--- /dev/null
+--- openssl-1.1.0g/test/recipes/40-test_rehash.t~ 2018-01-28 19:08:01.151912658 +0000
++++ openssl-1.1.0g/test/recipes/40-test_rehash.t 2018-01-28 19:09:19.408454430 +0000
+@@ -23,7 +23,7 @@
+ plan skip_all => "test_rehash is not available on this platform"
+ unless run(app(["openssl", "rehash", "-help"]));
+
+-plan tests => 5;
++plan tests => 3;
+
+ indir "rehash.$$" => sub {
+ prepare();
+@@ -42,21 +42,6 @@
+ 'Testing rehash operations on empty directory');
+ }, create => 1, cleanup => 1;
+
+-indir "rehash.$$" => sub {
+- prepare();
+- chmod 0500, curdir();
+- SKIP: {
+- if (!ok(!open(FOO, ">unwritable.txt"),
+- "Testing that we aren't running as a privileged user, such as root")) {
+- close FOO;
+- skip "It's pointless to run the next test as root", 1;
+- }
+- isnt(run(app(["openssl", "rehash", curdir()])), 1,
+- 'Testing rehash operations on readonly directory');
+- }
+- chmod 0700, curdir(); # make it writable again, so cleanup works
+-}, create => 1, cleanup => 1;
+-
+ sub prepare {
+ my @pemsourcefiles = sort glob(srctop_file('test', "*.pem"));
+ my @destfiles = ();
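Review bot: Deleting the read-only-directory case drops the test that `openssl rehash` fails cleanly when it cannot write to the target directory, and the patch has no comment saying why. If the reason is that the package build runs as root (an inference; the page does not say), skip instead of deleting so that unprivileged builds keep the coverage: keep `plan tests => 5` and open the `SKIP:` block with `skip "running as root", 2 if $> == 0;`. At minimum, add a header line to the patch explaining the removal.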