# For the curious: # 0.9.5a soversion = 0 # 0.9.6 soversion = 1 # 0.9.6a soversion = 2 # 0.9.6c soversion = 3 # 0.9.7a soversion = 4 # 0.9.7ef soversion = 5 # 0.9.8ab soversion = 6 # 0.9.8g soversion = 7 # 0.9.8jk + EAP-FAST soversion = 8 # 1.0.0 soversion = 10 %define soversion 10 # Number of threads to spawn when testing some threading fixes. %define thread_test_threads %{?threads:%{threads}}%{!?threads:1} # Arches on which we need to prevent arch conflicts on opensslconf.h, must # also be handled in opensslconf-new.h. %define multilib_arches %{ix86} ia64 ppc ppc64 s390 s390x sparcv9 sparc64 x86_64 Summary: Compat 1.0.0 general purpose cryptography library with TLS implementation Name: compat-openssl-1-0-0 Version: 1.0.0i Release: 1%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. # The original openssl upstream tarball cannot be shipped in the .src.rpm. Source: openssl-%{version}-usa.tar.xz # source is coming from fedora archive: # http://archives.fedoraproject.org/pub/archive/fedora/linux/releases/17/Everything/source/SRPMS/o/openssl-1.0.0i-1.fc17.src.rpm Source1: hobble-openssl Source2: Makefile.certificate Source6: make-dummy-cert Source8: openssl-thread-test.c Source9: opensslconf-new.h Source10: opensslconf-new-warning.h Source11: README.FIPS # Build changes Patch0: openssl-1.0.0-beta4-redhat.patch Patch1: openssl-1.0.0f-defaults.patch Patch3: openssl-1.0.0-beta3-soversion.patch Patch4: openssl-1.0.0-beta5-enginesdir.patch Patch5: openssl-0.9.8a-no-rpath.patch Patch6: openssl-0.9.8b-test-use-localhost.patch Patch7: openssl-1.0.0-timezone.patch # Bug fixes Patch23: openssl-1.0.0-beta4-default-paths.patch Patch25: openssl-1.0.0a-manfix.patch # Functionality changes Patch32: openssl-0.9.8g-ia64.patch Patch33: openssl-1.0.0-beta4-ca-dir.patch Patch34: openssl-0.9.6-x509.patch Patch35: openssl-0.9.8j-version-add-engines.patch Patch38: openssl-1.0.0-beta5-cipher-change.patch Patch39: openssl-1.0.0b-ipv6-apps.patch Patch40: openssl-1.0.0f-fips.patch Patch41: openssl-1.0.0-beta3-fipscheck.patch Patch43: openssl-1.0.0a-fipsmode.patch Patch44: openssl-1.0.0-beta3-fipsrng.patch Patch45: openssl-0.9.8j-env-nozlib.patch Patch47: openssl-1.0.0-beta5-readme-warning.patch Patch49: openssl-1.0.1a-algo-doc.patch Patch50: openssl-1.0.0-beta4-dtls1-abi.patch Patch51: openssl-1.0.0i-version.patch Patch52: openssl-1.0.0b-aesni.patch Patch53: openssl-1.0.0-name-hash.patch Patch54: openssl-1.0.0c-speed-fips.patch Patch55: openssl-1.0.0c-apps-ipv6listen.patch Patch56: openssl-1.0.0c-rsa-x931.patch Patch57: openssl-1.0.0c-fips186-3.patch Patch58: openssl-1.0.0c-fips-md5-allow.patch Patch59: openssl-1.0.0c-pkcs12-fips-default.patch Patch60: openssl-1.0.0d-apps-dgst.patch Patch61: openssl-1.0.0d-cavs.patch Patch62: openssl-1.0.0-fips-aesni.patch Patch63: openssl-1.0.0d-xmpp-starttls.patch Patch64: openssl-1.0.0d-intelopts.patch Patch65: openssl-1.0.0e-chil-fixes.patch Patch66: openssl-1.0.0-sha2test.patch # Backported fixes including security fixes Patch81: openssl-1.0.0d-padlock64.patch #Patch82: openssl_perlpath.patch License: OpenSSL Group: System Environment/Libraries URL: http://www.openssl.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-root BuildRequires: coreutils, krb5-devel, perl, perl-Getopt-Long, sed, zlib-devel, /usr/bin/cmp BuildRequires: /usr/bin/rename Requires: coreutils, ca-certificates >= 2008-5, openssl >= 1.0 %description This is a retrocompatible OpenSSL toolkit 1.0.0 relying under standard package openssl of fedora Built to make binaries like Cisco Packettracer running under Fedora 24 where it complains about libcrypto version mismatch with the stdlib This package is build from openssl package of the old Fedora 17 And only : libssl.so.1.0.0 -> libssl.so.1.0.0i libssl.so.1.0.0i libcrypto.so.1.0.0 -> libcrypto.so.1.0.0i libcrypto.so.1.0.0i under /usr/lib will be packaged %package do-not-install Summary: This is just a ugly hack to build %{name}-%{version} without changing the make install section Group: Development/Libraries Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}, krb5-devel, zlib-devel Requires: pkgconfig %description do-not-install all the package except the lib above will be stored in this part This package MUST NOT BE Installed %prep %setup -q -n openssl-%{version} # The hobble_openssl is called here redundantly, just to be sure. # The tarball has already the sources removed. %{SOURCE1} > /dev/null %patch0 -p1 -b .redhat %patch1 -p1 -b .defaults %patch3 -p1 -b .soversion %patch4 -p1 -b .enginesdir %{?_rawbuild} %patch5 -p1 -b .no-rpath %patch6 -p1 -b .use-localhost %patch7 -p1 -b .timezone %patch23 -p1 -b .default-paths %patch25 -p1 -b .manfix %patch32 -p1 -b .ia64 %patch33 -p1 -b .ca-dir %patch34 -p1 -b .x509 %patch35 -p1 -b .version-add-engines %patch38 -p1 -b .cipher-change %patch39 -p1 -b .ipv6-apps %patch40 -p1 -b .fips %patch41 -p1 -b .fipscheck %patch43 -p1 -b .fipsmode %patch44 -p1 -b .fipsrng %patch45 -p1 -b .env-nozlib %patch47 -p1 -b .warning %patch49 -p1 -b .algo-doc %patch50 -p1 -b .dtls1-abi %patch51 -p1 -b .version %patch52 -p1 -b .aesni %patch53 -p1 -b .name-hash %patch54 -p1 -b .spfips %patch55 -p1 -b .ipv6listen %patch56 -p1 -b .x931 %patch57 -p1 -b .fips186-3 %patch58 -p1 -b .md5-allow %patch59 -p1 -b .fips-default %patch60 -p1 -b .dgst %patch61 -p1 -b .cavs %patch62 -p1 -b .fips-aesni %patch63 -p1 -b .starttls %patch64 -p1 -b .intelopts %patch65 -p1 -b .chil %patch66 -p1 -b .sha2test %patch81 -p1 -b .padlock64 #%patch82 -p1 # Modify the various perl scripts to reference perl in the right location. #perl util/perlpath.pl `dirname %{__perl}` # Generate a table with the compile settings for my perusal. touch Makefile make TABLE PERL=%{__perl} %build # Figure out which flags we want to use. # default sslarch=%{_os}-%{_target_cpu} %ifarch %ix86 sslarch=linux-elf if ! echo %{_target} | grep -q i686 ; then sslflags="no-asm 386" fi %endif %ifarch sparcv9 sslarch=linux-sparcv9 sslflags=no-asm %endif %ifarch sparc64 sslarch=linux64-sparcv9 sslflags=no-asm %endif %ifarch alpha alphaev56 alphaev6 alphaev67 sslarch=linux-alpha-gcc %endif %ifarch s390 sh3eb sh4eb sslarch="linux-generic32 -DB_ENDIAN" %endif %ifarch s390x sslarch="linux-s390x" %endif %ifarch %{arm} sh3 sh4 sslarch=linux-generic32 %endif #bugged man syntax with Fedora 20 pod2man translator rm doc/apps/cms.pod rm doc/apps/genpkey.pod rm doc/apps/smime.pod rm doc/crypto/X509_STORE_CTX_get_error.pod cd doc/ssl rm SSL_accept.pod SSL_clear.pod SSL_COMP_add_compression_method.pod SSL_connect.pod SSL_CTX_add_session.pod SSL_CTX_load_verify_locations.pod SSL_CTX_set_client_CA_list.pod SSL_CTX_set_session_id_context.pod SSL_CTX_set_ssl_version.pod SSL_CTX_use_psk_identity_hint.pod SSL_do_handshake.pod SSL_read.pod SSL_session_reused.pod SSL_set_fd.pod SSL_set_session.pod SSL_shutdown.pod SSL_write.pod cd ../.. # ia64, x86_64, ppc, ppc64 are OK by default # Configure the build tree. Override OpenSSL defaults with known-good defaults # usable on all platforms. The Configure script already knows to use -fPIC and # RPM_OPT_FLAGS, so we can skip specifiying them here. ./Configure \ --prefix=/usr --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \ zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \ enable-cms enable-md2 no-idea no-mdc2 no-rc5 no-ec no-ecdh no-ecdsa \ --with-krb5-flavor=MIT --enginesdir=%{_libdir}/openssl/engines \ --with-krb5-dir=/usr shared ${sslarch} %{?!nofips:fips} # "no version information available" mitigation file cat >> openssl.ld << EOF OPENSSL_1.0.0 { global: *; }; EOF # Add -Wa,--noexecstack here so that libcrypto's assembler modules will be # marked as not requiring an executable stack. RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack" make depend make all # Generate hashes for the included certs. make rehash # Overwrite FIPS README cp -f %{SOURCE11} . %install [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT # Install OpenSSL. install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl} make INSTALL_PREFIX=$RPM_BUILD_ROOT install make INSTALL_PREFIX=$RPM_BUILD_ROOT install_docs mv $RPM_BUILD_ROOT%{_libdir}/engines $RPM_BUILD_ROOT%{_libdir}/openssl mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/man/* $RPM_BUILD_ROOT%{_mandir}/ rmdir $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/man rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion} # in fedora 20, no usage of %{_lib}, because all is under /usr/lib or /usr/lib64 # the compat 1.0.0, require an extra symbolic link for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do chmod 755 ${lib} ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}` ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion} ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.1.0.0 done # Install a makefile for generating keys and self-signed certs, and a script # for generating them on the fly. mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/Makefile install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/make-dummy-cert # Make sure we actually include the headers we built against. for header in $RPM_BUILD_ROOT%{_includedir}/openssl/* ; do if [ -f ${header} -a -f include/openssl/$(basename ${header}) ] ; then install -m644 include/openssl/`basename ${header}` ${header} fi done # Rename man pages so that they don't conflict with other system man pages. pushd $RPM_BUILD_ROOT%{_mandir} for manpage in man*/* ; do if [ -L ${manpage} ]; then TARGET=`ls -l ${manpage} | awk '{ print $NF }'` ln -snf ${TARGET}ssl ${manpage}ssl rm -f ${manpage} else mv ${manpage} ${manpage}ssl fi done for conflict in passwd rand ; do rename ${conflict} ssl${conflict} man*/${conflict}* done popd # Pick a CA script. pushd $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc mv CA.sh CA popd mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA mkdir -m700 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/private mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/certs mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/crl mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/newcerts # Ensure the openssl.cnf timestamp is identical across builds to avoid # mulitlib conflicts and unnecessary renames on upgrade touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf # Determine which arch opensslconf.h is going to try to #include. basearch=%{_arch} %ifarch %{ix86} basearch=i386 %endif %ifarch sparcv9 basearch=sparc %endif %ifarch sparc64 basearch=sparc64 %endif %ifarch %{multilib_arches} # Do an opensslconf.h switcheroo to avoid file conflicts on systems where you # can have both a 32- and 64-bit version of the library, and they each need # their own correct-but-different versions of opensslconf.h to be usable. install -m644 %{SOURCE10} \ $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf-${basearch}.h cat $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h >> \ $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf-${basearch}.h install -m644 %{SOURCE9} \ $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h %endif # Remove unused files from upstream fips support rm -rf $RPM_BUILD_ROOT/%{_bindir}/openssl_fips_fingerprint rm -rf $RPM_BUILD_ROOT/%{_libdir}/fips_premain.* rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %clean [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root) %attr(0755,root,root) %{_libdir}/libcrypto.so.%{version} %attr(0755,root,root) %{_libdir}/libcrypto.so.1.0.0 %attr(0755,root,root) %{_libdir}/libssl.so.%{version} %attr(0755,root,root) %{_libdir}/libssl.so.1.0.0 %files do-not-install %defattr(-,root,root) %doc FAQ LICENSE CHANGES NEWS INSTALL README %doc doc/c-indentation.el doc/openssl.txt %doc doc/openssl_button.html doc/openssl_button.gif %doc doc/ssleay.txt %doc README.FIPS %dir %{_sysconfdir}/pki/tls %dir %{_sysconfdir}/pki/tls/certs %{_sysconfdir}/pki/tls/certs/make-dummy-cert %{_sysconfdir}/pki/tls/certs/Makefile %dir %{_sysconfdir}/pki/tls/misc %{_sysconfdir}/pki/tls/misc/CA %dir %{_sysconfdir}/pki/CA %dir %{_sysconfdir}/pki/CA/private %dir %{_sysconfdir}/pki/CA/certs %dir %{_sysconfdir}/pki/CA/crl %dir %{_sysconfdir}/pki/CA/newcerts %{_sysconfdir}/pki/tls/misc/c_* %{_sysconfdir}/pki/tls/private %config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf %attr(0755,root,root) %{_bindir}/openssl %attr(0755,root,root) %{_libdir}/libssl.so.%{soversion} %attr(0755,root,root) %{_libdir}/libcrypto.so.%{soversion} %attr(0755,root,root) %{_libdir}/openssl %attr(0644,root,root) %{_mandir}/man1*/[ABD-Zabcd-z]* %attr(0644,root,root) %{_mandir}/man5*/* %attr(0644,root,root) %{_mandir}/man7*/* %{_prefix}/include/openssl %attr(0755,root,root) %{_libdir}/*.so %attr(0644,root,root) %{_mandir}/man3*/* %attr(0644,root,root) %{_libdir}/pkgconfig/*.pc %attr(0644,root,root) %{_libdir}/*.a %attr(0755,root,root) %{_bindir}/c_rehash %attr(0644,root,root) %{_mandir}/man1*/*.pl* %{_sysconfdir}/pki/tls/misc/*.pl %{_sysconfdir}/pki/tls/misc/tsget %post -p /sbin/ldconfig %postun -p /sbin/ldconfig %changelog * Thu Aug 04 2016 Alberto Rodriguez S - change to compile in Fedora 25 environment - to get a libcrypto VERSION_1.0.0 compatible with PacketTracer 7 - i comment not present utilities in F24 * Sun Jan 12 2014 Yves L'ECUYER - change to compile in Fedora 20 environment - to get a libcrypto VERSION_1.0.0 compatible with PacketTracer 6 - this is a ugly hack to get just the required lib, wile all the package is - compiled, only openssl-lib-compat is intersting. - all the rest of the package will be stored in openssl-lib-compat-reject