source: projects/specs/trunk/o/openssl/openssl-vl.spec @ 12211

%bcond_with fips

%define build_compat32 %{?_with_compat32:1}%{!?_with_compat32:0}
%{!?_pkgdocdir:%global _pkgdocdir %{_docdir}}
%define version 1.1.1d
%define release 1%{_dist_release}
# 1.0.0 soversion = 10
# 1.1.0 soversion = 1.1 (same as upstream although presence of some symbols
#                        depends on build configuration options)
%define soversion 1.1

Summary: Secure Sockets Layer Toolkit
Name: openssl
Version: %{version}
Release: %{release}
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
# The original openssl upstream tarball cannot be shipped in the .src.rpm.
Source: openssl-%{version}-hobbled.tar.xz
Source1: hobble-openssl
Source2: Makefile.certificate
Source6: make-dummy-cert
Source7: renew-dummy-cert
Source9: opensslconf-new.h
Source10: opensslconf-new-warning.h
Source11: README.FIPS
Source12: ec_curve.c
Source13: ectest.c

# Build changes
Patch1: openssl-1.1.1-build.patch
Patch2: openssl-1.1.0-defaults.patch
Patch3: openssl-1.1.0-no-html.patch
Patch4: openssl-1.1.1-man-rename.patch
# Bug fixes
Patch21: openssl-1.1.0-issuer-hash.patch
# Functionality changes
Patch31: openssl-1.1.1-conf-paths.patch
Patch32: openssl-1.1.1-version-add-engines.patch
Patch33: openssl-1.1.1-apps-dgst.patch
Patch36: openssl-1.1.1-no-brainpool.patch
Patch37: openssl-1.1.1-ec-curves.patch
Patch38: openssl-1.1.1-no-weak-verify.patch
Patch40: openssl-1.1.1-disable-ssl3.patch
Patch41: openssl-1.1.1-system-cipherlist.patch
Patch42: openssl-1.1.1-fips.patch
Patch43: openssl-1.1.1-ignore-bound.patch
Patch44: openssl-1.1.1-version-override.patch
Patch45: openssl-1.1.1-weak-ciphers.patch
Patch46: openssl-1.1.1-seclevel.patch
Patch48: openssl-1.1.1-fips-post-rand.patch
Patch49: openssl-1.1.1-evp-kdf.patch
Patch50: openssl-1.1.1-ssh-kdf.patch
# Backported fixes including security fixes
Patch51: openssl-1.1.1-upstream-sync.patch
Patch52: openssl-1.1.1-s390x-update.patch
Patch53: openssl-1.1.1-fips-crng-test.patch
Patch54: openssl-1.1.1-regression-fixes.patch
Patch100: BIO_f_zlib.patch

# security fix
# nothing ;-)

License: BSDish
Group: System Environment/Libraries
URL: http://www.openssl.org/

BuildRoot: %{_tmppath}/%{name}-%{version}-root
BuildRequires: perl, sed
BuildRequires: zlib-devel, krb5-devel
BuildRequires: lksctp-tools-devel

Requires: mktemp
Requires: ca-certificates

Vendor: Project Vine
Distribution: Vine Linux
Packager: daisuke, iwamoto

%define solibbase %(echo %version | sed 's/[[:alpha:]]//g')

%description
The OpenSSL certificate management tool and the shared libraries that
provide various cryptographic algorithms and protocols.

%package devel
Summary: OpenSSL libraries and development headers.
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}
Requires: krb5-devel

%description devel
The static libraries and include files needed to compile apps
with support for various the cryptographic algorithms and protocols
supported by OpenSSL.

Patches for many networking apps can be found at:
ftp://ftp.psy.uq.oz.au/pub/Crypto/SSLapps/

%package static
Summary:  Libraries for static linking of applications which will use OpenSSL
Group: Development/Libraries
Requires: %{name}-devel = %{version}-%{release}

%description static
OpenSSL is a toolkit for supporting cryptography. The openssl-static
package contains static libraries needed for static linking of
applications which support various cryptographic algorithms and
protocols.

%package perl
Summary: OpenSSL scripts which require Perl.
Group: Applications/Internet
Requires: %{name} = %{version}-%{release}
Requires: perl

%description perl
Perl scripts provided with OpenSSL for converting certificates and keys
from other formats to those used by OpenSSL.

## to build compat32 for x86_64 architecture support
%package -n compat32-%{name}
Summary: Secure Sockets Layer Toolkit
Group: System Environment/Libraries
Requires: %{name} = %{version}-%{release}
%description -n compat32-%{name}
The OpenSSL certificate management tool and the shared libraries that
provide various cryptographic algorithms and protocols.

%package -n compat32-%{name}-devel
Summary: OpenSSL libraries and development headers.
Group: Development/Libraries
Requires: compat32-%{name} = %{version}-%{release}
Requires: compat32-krb5-devel
%description -n compat32-%{name}-devel
The static libraries and include files needed to compile apps
with support for various the cryptographic algorithms and protocols
supported by OpenSSL.

%prep
%setup -q -n %{name}-%{version}

# The hobble_openssl is called here redundantly, just to be sure.
# The tarball has already the sources removed.
%{SOURCE1} > /dev/null

cp %{SOURCE12} crypto/ec/
cp %{SOURCE13} test/

%patch1 -p1 -b .build   %{?_rawbuild}
%patch2 -p1 -b .defaults
%patch3 -p1 -b .no-html  %{?_rawbuild}
%patch4 -p1 -b .man-rename

%patch21 -p1 -b .issuer-hash

%patch31 -p1 -b .conf-paths
%patch32 -p1 -b .version-add-engines
%patch33 -p1 -b .dgst
%patch36 -p1 -b .no-brainpool
%patch37 -p1 -b .curves
%patch38 -p1 -b .no-weak-verify
%patch40 -p1 -b .disable-ssl3
%patch41 -p1 -b .system-cipherlist
%if %{with fips}
%patch42 -p1 -b .fips
%endif
%patch43 -p1 -b .ignore-bound
%if %{with fips}
%patch44 -p1 -b .version-override
%endif
%patch45 -p1 -b .weak-ciphers
%if %{with fips}
%patch46 -p1 -b .seclevel
%patch49 -p1 -b .evp-kdf
%patch50 -p1 -b .ssh-kdf
%patch51 -p1 -b .upstream-sync
%endif
%patch52 -p1 -b .s390x-update
%if %{with fips}
%patch53 -p1 -b .crng-test
%endif
%patch54 -p1 -b .regression

%patch100 -p1 -b .BIO_f_zlib

# security fix
# nothing ;-)

%build 
# Figure out which flags we want to use.
# default
sslarch=%{_os}-%{_target_cpu}
#
%ifarch %ix86
sslarch=linux-elf
if ! echo %{_target} | grep -q i686 ; then
   sslflags="no-asm 386"
fi
%endif
%ifarch x86_64
sslflags=enable-ec_nistp_64_gcc_128
%endif

# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
# marked as not requiring an executable stack.
# Also add -DPURIFY to make using valgrind with openssl easier as we do not
# want to depend on the uninitialized memory as a source of entropy anyway.
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -DPURIFY $RPM_LD_FLAGS"

export HASHBANGPERL=/usr/bin/perl

perl -pi -e 's|/engines-|/%{name}/engines-|' ./Configurations/unix-Makefile.tmpl

# ia64, x86_64, ppc are OK by default
# Configure the build tree.  Override OpenSSL defaults with known-good defaults
# usable on all platforms.  The Configure script already knows to use -fPIC and
# RPM_OPT_FLAGS, so we can skip specifiying them here.
./Configure \
        --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
        --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
        zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
        enable-cms enable-md2 enable-rc5 enable-ssl3 enable-ssl3-method \
        enable-weak-ssl-ciphers \
        no-mdc2 no-ec2m no-sm2 no-sm4 \
        shared  ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'

# Do not run this in a production package the FIPS symbols must be patched-in
#util/mkdef.pl crypto update

make all

%if %{with fips}
# Overwrite FIPS README
cp -f %{SOURCE11} .
%endif

# Clean up the .pc files
for i in libcrypto.pc libssl.pc openssl.pc ; do
  sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i
done

%check
# Verify that what was compiled actually works.

# Hack - either enable SCTP AUTH chunks in kernel or disable sctp for check
(sysctl net.sctp.addip_enable=1 && sysctl net.sctp.auth_enable=1) || \
(echo 'Failed to enable SCTP AUTH chunks, disabling SCTP for tests...' &&
 sed '/"zlib-dynamic" => "default",/a\ \ "sctp" => "default",' configdata.pm > configdata.pm.new && \
 touch -r configdata.pm configdata.pm.new && \
 mv -f configdata.pm.new configdata.pm)

# We must revert patch31 before tests otherwise they will fail
patch -p1 -R < %{PATCH31}

# drop a recipe includes tests for brainpool curves (not supported by openssl-hobbled).
rm -f test/recipes/80-test_ssl_new.t


LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
export LD_LIBRARY_PATH
OPENSSL_ENABLE_MD5_VERIFY=
export OPENSSL_ENABLE_MD5_VERIFY
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
make test


# Add generation of HMAC checksum of the final stripped library
%define __spec_install_post \
    %{?__debug_package:%{__debug_install_post}} \
    %{__arch_install_post} \
    %{__os_install_post} \
%{nil}

%define __provides_exclude_from %{_libdir}/openssl

%install
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
# Install OpenSSL.
install -d $RPM_BUILD_ROOT{/%{_lib},%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl,%{_pkgdocdir}}
make DESTDIR=$RPM_BUILD_ROOT install
mv $RPM_BUILD_ROOT%{_libdir}/lib*.so.%{soversion} $RPM_BUILD_ROOT/%{_lib}/
rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT/%{_lib}/*.so.%{soversion}
for lib in $RPM_BUILD_ROOT/%{_lib}/*.so.%{version} ; do
        chmod 755 ${lib}
        ln -s -f ../../%{_lib}/`basename ${lib}` $RPM_BUILD_ROOT/%{_libdir}/`basename ${lib} .%{version}`
        ln -s -f `basename ${lib}` $RPM_BUILD_ROOT/%{_lib}/`basename ${lib} .%{version}`.%{soversion}
done

# Install a makefile for generating keys and self-signed certs, and a script
# for generating them on the fly.
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs
install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_pkgdocdir}/Makefile.certificate
install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/make-dummy-cert
install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_bindir}/renew-dummy-cert

# Move runable perl scripts to bindir
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/*.pl $RPM_BUILD_ROOT%{_bindir}
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/tsget $RPM_BUILD_ROOT%{_bindir}

# Rename man pages so that they don't conflict with other system man pages.
pushd $RPM_BUILD_ROOT%{_mandir}
ln -s -f config.5 man5/openssl.cnf.5
for manpage in man*/* ; do
        if [ -L ${manpage} ]; then
                TARGET=`ls -l ${manpage} | awk '{ print $NF }'`
                ln -snf ${TARGET}ssl ${manpage}ssl
                rm -f ${manpage}
        else
                mv ${manpage} ${manpage}ssl
        fi
done
for conflict in passwd rand ; do
        rename ${conflict} ssl${conflict} man*/${conflict}*
# Fix dangling symlinks
        manpage=man1/openssl-${conflict}.*
        if [ -L ${manpage} ] ; then
                ln -snf ssl${conflict}.1ssl ${manpage}
        fi
done
popd

mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA
mkdir -m700 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/private
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/certs
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/crl
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/newcerts

# Ensure the config file timestamps are identical across builds to avoid
# mulitlib conflicts and unnecessary renames on upgrade
touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf
touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf

rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist

# Determine which arch opensslconf.h is going to try to #include.
basearch=%{_arch}
%ifarch %{ix86}
basearch=i386
%endif

# Next step of gradual disablement of SSL3.
# Make SSL3 disappear to newly built dependencies.
sed -i '/^\#ifndef OPENSSL_NO_SSL_TRACE/i\
#ifndef OPENSSL_NO_SSL3\
# define OPENSSL_NO_SSL3\
#endif' $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h

%ifarch %{multilib_arches}
# Do an opensslconf.h switcheroo to avoid file conflicts on systems where you
# can have both a 32- and 64-bit version of the library, and they each need
# their own correct-but-different versions of opensslconf.h to be usable.
install -m644 %{SOURCE10} \
        $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf-${basearch}.h
cat $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h >> \
        $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf-${basearch}.h
install -m644 %{SOURCE9} \
        $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h
%endif
LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
export LD_LIBRARY_PATH


%clean
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT

%files 
%defattr(-,root,root)
%{!?_licensedir:%global license %%doc}
%license LICENSE
%doc FAQ NEWS README
%if %{with fips}
%doc README.FIPS
%endif
%{_pkgdocdir}/Makefile.certificate
%dir %{_sysconfdir}/pki/tls
%dir %{_sysconfdir}/pki/tls/certs
%dir %{_sysconfdir}/pki/tls/misc
%dir %{_sysconfdir}/pki/tls/private
%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
%config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf

%{_bindir}/make-dummy-cert
%{_bindir}/renew-dummy-cert
%{_bindir}/openssl
%attr(0755,root,root) /%{_lib}/*.so.*
%attr(0755,root,root) %{_libdir}/%{name}/engines-%{soversion}
%dir %{_mandir}/man1*
%{_mandir}/man1*/*
%dir %{_mandir}/man5*
%{_mandir}/man5*/*
%dir %{_mandir}/man7*
%{_mandir}/man7*/*

%files devel
%defattr(-,root,root)
%{_prefix}/include/openssl
%exclude %{_libdir}/lib*.a
%attr(0755,root,root) %{_libdir}/*.so
%attr(0644,root,root) %{_libdir}/pkgconfig/*.pc
%dir %{_mandir}/man3*
%{_mandir}/man3*/*

%files static
%defattr(-,root,root)
%attr(0644,root,root) %{_libdir}/*.a

%files perl
%defattr(-,root,root)
%{_bindir}/c_rehash
%{_bindir}/*.pl
%{_bindir}/tsget
%{_mandir}/man1*/*.pl*
%{_mandir}/man1*/c_rehash*
%{_mandir}/man1*/tsget*
%{_mandir}/man1*/openssl-tsget*
%dir %{_sysconfdir}/pki/CA
%dir %{_sysconfdir}/pki/CA/private
%dir %{_sysconfdir}/pki/CA/certs
%dir %{_sysconfdir}/pki/CA/crl
%dir %{_sysconfdir}/pki/CA/newcerts

## to build compat32 for x86_64 architecture support
%if %{build_compat32}
%files -n compat32-%{name}
%defattr(-,root,root)
%attr(0755,root,root) /%{_lib}/*.so.*

%files -n compat32-%{name}-devel
%defattr(-,root,root)
%exclude %{_libdir}/lib*.a
%attr(0755,root,root) %{_libdir}/*.so
%attr(0644,root,root) %{_libdir}/pkgconfig/*.pc
%endif

%post -p /sbin/ldconfig

%postun -p /sbin/ldconfig

%post -n compat32-%{name} -p /sbin/ldconfig

%postun -n compat32-%{name} -p /sbin/ldconfig

%changelog
* Fri Sep 13 2019 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.1.1d-1
- new upstream release.
- updated Source12 and 13.
- updated all patches.
- imported Patch100 from upstream.

* Sat Aug 24 2019 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.1.1c-1
- new upstream release.
- updated Patch37 and 41.
- imported Patch52-54 from rawhide.

* Mon May 06 2019 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.1.1b-2
- fixed openssl.cnf

* Sun May 05 2019 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.1.1b-1
- new upstream release.
- imported Patch36 from rawhide.
- updated Patch32.

* Sat Dec 08 2018 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.1.1a-1
- new upstream release.
- updated Patch2.
- dropped Patch36 and 46: fixed in upstream.

* Thu Nov 01 2018 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.1.1-2
- fixed symlinks.

* Thu Nov 01 2018 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.1.1-1
- new upstream release (newest LTS version).
- imported fedora stuff (except FIPS).

* Sun Apr  1 2018 IWAI, Masaharu <iwaim.sub@gmail.com> 1.0.2o-1
- new upstream release with security fixes

* Sun Jan 21 2018 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.2n-1
- new upstream release with security fixes 

* Wed Nov 15 2017 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.2m-1
- new upstream release with security fixes 

* Sun Jan 29 2017 IWAI, Masaharu <iwaim.sub@gmail.com> 1.0.2k-1
- new upstream release with security fixes

* Thu May  5 2016 IWAI, Masaharu <iwaim.sub@gmail.com> 1.0.2h-1
- new upstream release with security fixes

* Wed Mar  9 2016 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.2g-1
- new upstream release 1.0.2 with security fixes
- Patch2 is merged into Patch0

* Mon Dec 28 2015 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.1q-1
- new upstream release with security fixes 

* Fri Jul 10 2015 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.1p-1
- new upstream release with security fixes

* Wed Jul  1 2015 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.1o-1
- new upstream release

* Sun Apr 12 2015 Yoji TOYODA <bsyamato@sea.plala.or.jp> 1.0.1m-1
- merged into Vine6
  * Fri Mar 20 2015 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.1m-1
  - new upstream release with security fixes  
  - update Patch2,5

* Mon Jan 12 2015 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.1k-1
- new upstream release with security fixes  

* Mon Oct 20 2014 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.1j-1
- new upstream release with security fixes 
- add patch8 from fc21 (fix perl find.pl)

* Fri Jun 6 2014 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.0.1h-1
- new upstream release with security fixes.

* Tue Apr  8 2014 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.1g-1
- new upstream release with security fixes 

* Thu Jan  9 2014 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.1f-1
- new upstream release with security fixes

* Tue Sep 24 2013 Daisuke SUZUKI <daisuke@linux.or.jp> 1.0.1e-2
- move root CA bundle to ca-certificates package

* Tue Feb 12 2013 Daisuke SUZUKI <daisuke@linux.or.jp> 1.0.1e-1
- update to 1.0.1e
  - 1.0.1d has major regressions from 1.0.1c

* Sat Feb  9 2013 IWAI, Masaharu <iwai@alib.jp> 1.0.1d-2
- remove tsget script to delete dependency perl(WWW::Curl::Easy)
 - openssl-perl package contains it in docdir

* Fri Feb 08 2013 Toshiharu Kudoh <toshi.kd2@gmail.com> 1.0.1d-1
- new upstream release with security fix (CVE-2012-2686, CVE-2013-0166, 0169)
- fixed %%files

* Tue May 29 2012 Daisuke SUZUKI <daisuke@linux.or.jp> 1.0.1c-1
- update to 1.0.1c
- enable configure options:
  enable-camellia enable-seed enable-tlsext enable-rfc3779
  enable-cms enable-md2
- remove no-asm option from ai64/x86_64/ppc/ppc64/i686
- generate a table with the compile settings before configure

* Fri Jan 20 2012 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.0g-1
- new upstream release with security fix (CVE-2012-0050)

* Fri Jan  6 2012 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.0f-1
- new upstream release with security fix 
  (CVE-2011-4108,09, CVE-2011-4576,77, CVE-2011-4619, CVE-2012-0027) 

* Wed Sep  7 2011 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.0e-1
- new upstream release with security fix (CVE-2011-3207, 3210)

* Sun Mar 20 2011 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.0d-2
- rebuild with krb5-libs 1.8

* Fri Feb 11 2011 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.0d-1
- new upstream release with security fix

* Sat Jan 15 2011 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.0c-4
- use upstream openssl.pc instead of vine original one (SOURCE6)

* Sun Jan  9 2011 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.0c-3
- move tsget to docs to delete dependency perl(WWW::Curl::Easy)

* Sat Jan  1 2011 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.0c-2
- add R: krb5-devel into devel pkg
- add R: compat32-krb5-devel into compat32-devel pkg

* Fri Dec 31 2010 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 1.0.0c-1
- new upstream release 1.0.0x
- separate static libs into static package
- change configure options
- change so version 10
- add tsget into perl package
- update all patches

* Thu Dec 30 2010 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 0.9.8q-2
- fix changelog typo...

* Tue Dec  7 2010 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 0.9.8q-1
- new upstream release with security fix (CVE-2010-4180) 

* Wed Nov 17 2010 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 0.9.8p-1
- new upstream release with security fix (CVE-2010-3864)
- drop patches included in new release
- update patch4

* Sun Jan 17 2010 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 0.9.8k-5
- add patch12 for fix CVE-2009-3555 (renegotiation)

* Fri Jan 15 2010 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 0.9.8k-4
- add patch11 for fix CVE-2009-4355 (memory leak)

* Tue Jun 23 2009 Satoshi IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 0.9.8k-3
- add patch10 to fix CVE-2009-1377, 78, 79 (from fc11)

* Mon Jun 22 2009 NAKAMURA Kenta <kenta@vinelinux.org> 0.9.8k-2
- removed unnecessary %%if %{build_compat32} statements
- removed lib*.a from devel package

* Mon Mar 30 2009 Satosh IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 0.9.8k-1
- new upstream release with security fix (CVE-2000-0590,0591,0789)

* Sun Jan 11 2009 Satosh IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 0.9.8j-1
- new upstream release with security fix (CVE-2008-5077)

* Sat Sep 20 2008 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.8i-1
- new upstream release

* Sat Jul 12 2008 Satosh IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 0.9.8h-1
- new upstream release
- new versioning policy

* Sat Oct 27 2007 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.8g-0vl1
- new upstream release
- drop patch10,20 which is merged in upstream

* Fri Sep 28 2007 MATSUBAYASHI Kohji <shaolin@vinelinux.org> 0.9.8e-0vl3
- add security patch in advance for CVE-2007-5135
  http://www.securityfocus.com/archive/1/archive/1/480855/100/0/threaded
  http://marc.info/?l=openssl-cvs&m=119020417919619&w=2

* Fri Aug 10 2007 MATSUBAYASHI Kohji <shaolin@vinelinux.org> 0.9.8e-0vl2
- add security patch for CVE-2007-3108
  (http://openssl.org/news/patch-CVE-2007-3108.txt)

* Tue May 15 2007 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.8e-0vl1
- new upstream release

* Sun Dec 24 2006 Satosh IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 0.9.7l-0vl2
- update (fix) openssl.pc <BTS:437>

* Fri Sep 29 2006 Satosh IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 0.9.7l-0vl1
- new upstream release (with security fix)

* Mon Sep 11 2006 Satosh IWAMOTO <satoshi.iwamoto@nifty.ne.jp> 0.9.7k-0vl1
- new upstream release
- add patch2 to use RPM_OPT macro

* Mon Feb 06 2006 Shu KONNO <owa@bg.wakwak.com> 0.9.7i-0vl3
- moved macros _lib to /usr/lib/rpm/rpmrc or macros files

* Fri Feb 03 2006 Shu KONNO <owa@bg.wakwak.com> 0.9.7i-0vl2
- added compat32-* packages for x86_64 architecture support
- added openssl-0.9.7i.Configure-compat32.patch
- changed '/lib' to '/%{_lib}'

* Mon Oct 17 2005 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.7i-0vl1
- new upstream release

* Mon Jan 31 2005 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.7d-0vl4
- rebuild on VineSeed

* Sun Jan 09 2005 IKEDA Katsumi <ikeda@webmasters.gr.jp> 0.9.7d-0vl3.1
- added a security patch from Gentoo.
  - Patch1: openssl-0.9.7c-tempfile.patch

* Sun Mar 28 2004 MATSUBAYASHI Kohji <shaolin@vinelinux.org> 0.9.7d-0vl3
- sslarch for ppc was missing... added.

* Fri Mar 26 2004 Tomoya TAKA <taka@vinelinux.org> 0.9.7d-0vl2
- use sslarch=linux-alpha-gcc instead of alpha-gcc

* Mon Mar 22 2004 Satoshi MACHINO <machino@vinelinux.org> 0.9.7d-0vl1
- new upstream version
- clean up of spec file
        -- removed old patches

* Sat Mar 20 2004 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.6m-0vl1
- new upstream release
- SECURITY fix.
  - http://www.openssl.org/news/secadv_20040317.txt

* Wed Oct  1 2003 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.6k-0vl1
- new upstream release
- [Security fix]
  - Vulnerabilities in ASN.1 parsing
    http://www.openssl.org/news/secadv_20030930.txt
- see %{_docdir}/%{name}-%{version}/CHANGES for other changes

* Wed Jun 04 2003 HOTTA Michihide <hotta@net-newbie.com> 0.9.6j-0vl2
- add openssl.pc for pkgconfig

* Tue Mar 11 2003 Satoshi MACHINO <machino@vinelinux.org> 0.9.6j-0vl1
- New upstream version
- dropped patch10, 11
        -- merged upstream version

* Sun Feb 23 2003 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.6i-0vl1
- rebuild for VineSeed

* Sun Feb 23 2003 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.6i-0vl0.26.1
- [Security Fix]
  - Timing-based attacks on RSA keys
    http://www.openssl.org/news/secadv_20030317.txt
  - Klima-Pokorny0Rosa attack on RSA in SSL/TLS
    http://www.openssl.org/news/secadv_20030317.txt

* Sun Feb 23 2003 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.6i-0vl0.26
- new upstream release 0.9.6i
- [Security Fix]
- build for Vine Linux 2.6 errata

* Mon Nov 18 2002 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.6h-0vl1
- new upstream release 0.9.6h

* Mon Nov 18 2002 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.6g-0vl1
- new upstream release 0.9.6g

* Mon Oct 28 2002 IWAI Masaharu <iwai@alib.jp> 0.9.6b-1vl6
- SECURITY: CAN-2002-0659 fixed
  - added Patch101 from RedHat 7.2 updates 0.9.6b-28
    * Fri Aug 02 2002 Nalin Dahyabhai <nalin@redhat.com> 0.9.6b-28
    - update asn patch to fix accidental reversal of a logic check
    * Thu Aug 01 2002 Nalin Dahyabhai <nalin@redhat.com> 0.9.6b-27
    - update asn patch to reduce chance that compiler optimization will remove
      one of the added tests
    * Thu Aug 01 2002 Nalin Dahyabhai <nalin@redhat.com> 0.9.6b-26
    - rebuild
    * Tue Jul 30 2002 Nalin Dahyabhai <nalin@redhat.com> 0.9.6b-25
    - add patch to fix ASN.1 vulnerabilities

* Wed Jul 31 2002 IWAI Masaharu <iwai@alib.jp> 0.9.6b-1vl5
- rename spec file name
- SECURITY: CA-2002-23 fixed
  - added Patch100 from RedHat 7.2 updates 0.9.6b-24
    * Thu Jul 25 2002 Nalin Dahyabhai <nalin@redhat.com> 0.9.6b-24
    - add backport of Ben Laurie's patches for OpenSSL 0.9.6d

* Mon Sep 10 2001 Satoshi MACHINO <machino@vinelinux.org> 0.9.6b-1vl4
- added ${PATH} in LD_LIBRARY_PATH
- added install -m 755 *.so.* $RPM_BUILD_ROOT%{_libdir} in %install
 
* Sun Jul 15 2001 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.6b-1vl3
- remove --no-<cipher>

* Sun Jul 15 2001 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.6b-1vl2
- add Patch10 for mipsel shared ( Configure )

* Sat Jul 14 2001 Daisuke SUZUKI <daisuke@linux.or.jp> 0.9.6b-1vl1
- build for Vine Linux
- use openssl-engine-0.9.6b.tar.gz

* Wed Jul 11 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to 0.9.6b

* Thu Jul  5 2001 Nalin Dahyabhai <nalin@redhat.com>
- move .so symlinks back to %%{_libdir}

* Tue Jul  3 2001 Nalin Dahyabhai <nalin@redhat.com>
- move shared libraries to /lib (#38410)

* Mon Jun 25 2001 Nalin Dahyabhai <nalin@redhat.com>
- switch to engine code base

* Mon Jun 18 2001 Nalin Dahyabhai <nalin@redhat.com>
- add a script for creating dummy certificates
- move man pages from %%{_mandir}/man?/foo.?ssl to %%{_mandir}/man?ssl/foo.?

* Thu Jun 07 2001 Florian La Roche <Florian.LaRoche@redhat.de>
- add s390x support

* Fri Jun  1 2001 Nalin Dahyabhai <nalin@redhat.com>
- change two memcpy() calls to memmove()
- don't define L_ENDIAN on alpha

* Tue May 15 2001 Nalin Dahyabhai <nalin@redhat.com>
- make subpackages depend on the main package

* Tue May  1 2001 Nalin Dahyabhai <nalin@redhat.com>
- adjust the hobble script to not disturb symlinks in include/ (fix from
  Joe Orton)

* Thu Apr 26 2001 Nalin Dahyabhai <nalin@redhat.com>
- drop the m2crypo patch we weren't using

* Tue Apr 24 2001 Nalin Dahyabhai <nalin@redhat.com>
- configure using "shared" as well

* Sun Apr  8 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to 0.9.6a
- use the build-shared target to build shared libraries
- bump the soversion to 2 because we're no longer compatible with
  our 0.9.5a packages or our 0.9.6 packages
- drop the patch for making rsatest a no-op when rsa null support is used
- put all man pages into <section>ssl instead of <section>
- break the m2crypto modules into a separate package

* Tue Mar 13 2001 Nalin Dahyabhai <nalin@redhat.com>
- use BN_LLONG on s390

* Mon Mar 12 2001 Nalin Dahyabhai <nalin@redhat.com>
- fix the s390 changes for 0.9.6 (isn't supposed to be marked as 64-bit)

* Sat Mar  3 2001 Nalin Dahyabhai <nalin@redhat.com>
- move c_rehash to the perl subpackage, because it's a perl script now

* Fri Mar  2 2001 Nalin Dahyabhai <nalin@redhat.com>
- update to 0.9.6
- enable MD2
- use the libcrypto.so and libssl.so targets to build shared libs with
- bump the soversion to 1 because we're no longer compatible with any of
  the various 0.9.5a packages circulating around, which provide lib*.so.0

* Wed Feb 28 2001 Florian La Roche <Florian.LaRoche@redhat.de>
- change hobble-openssl for disabling MD2 again

* Tue Feb 27 2001 Nalin Dahyabhai <nalin@redhat.com>
- re-disable MD2 -- the EVP_MD_CTX structure would grow from 100 to 152
  bytes or so, causing EVP_DigestInit() to zero out stack variables in
  apps built against a version of the library without it

* Mon Feb 26 2001 Nalin Dahyabhai <nalin@redhat.com>
- disable some inline assembly, which on x86 is Pentium-specific
- re-enable MD2 (see http://www.ietf.org/ietf/IPR/RSA-MD-all)

* Thu Feb 08 2001 Florian La Roche <Florian.LaRoche@redhat.de>
- fix s390 patch

* Fri Dec 8 2000 Than Ngo <than@redhat.com>
- added support s390

* Mon Nov 20 2000 Nalin Dahyabhai <nalin@redhat.com>
- remove -Wa,* and -m* compiler flags from the default Configure file (#20656)
- add the CA.pl man page to the perl subpackage

* Thu Nov  2 2000 Nalin Dahyabhai <nalin@redhat.com>
- always build with -mcpu=ev5 on alpha

* Tue Oct 31 2000 Nalin Dahyabhai <nalin@redhat.com>
- add a symlink from cert.pem to ca-bundle.crt

* Wed Oct 25 2000 Nalin Dahyabhai <nalin@redhat.com>
- add a ca-bundle file for packages like Samba to reference for CA certificates

* Tue Oct 24 2000 Nalin Dahyabhai <nalin@redhat.com>
- remove libcrypto's crypt(), which doesn't handle md5crypt (#19295)

* Mon Oct  2 2000 Nalin Dahyabhai <nalin@redhat.com>
- add unzip as a buildprereq (#17662)
- update m2crypto to 0.05-snap4

* Tue Sep 26 2000 Bill Nottingham <notting@redhat.com>
- fix some issues in building when it's not installed

* Wed Sep  6 2000 Nalin Dahyabhai <nalin@redhat.com>
- make sure the headers we include are the ones we built with (aaaaarrgh!)

* Fri Sep  1 2000 Nalin Dahyabhai <nalin@redhat.com>
- add Richard Henderson's patch for BN on ia64
- clean up the changelog

* Tue Aug 29 2000 Nalin Dahyabhai <nalin@redhat.com>
- fix the building of python modules without openssl-devel already installed

* Wed Aug 23 2000 Nalin Dahyabhai <nalin@redhat.com>
- byte-compile python extensions without the build-root
- adjust the makefile to not remove temporary files (like .key files when
  building .csr files) by marking them as .PRECIOUS

* Sat Aug 19 2000 Nalin Dahyabhai <nalin@redhat.com>
- break out python extensions into a subpackage

* Mon Jul 17 2000 Nalin Dahyabhai <nalin@redhat.com>
- tweak the makefile some more

* Tue Jul 11 2000 Nalin Dahyabhai <nalin@redhat.com>
- disable MD2 support

* Thu Jul  6 2000 Nalin Dahyabhai <nalin@redhat.com>
- disable MDC2 support

* Sun Jul  2 2000 Nalin Dahyabhai <nalin@redhat.com>
- tweak the disabling of RC5, IDEA support
- tweak the makefile

* Thu Jun 29 2000 Nalin Dahyabhai <nalin@redhat.com>
- strip binaries and libraries
- rework certificate makefile to have the right parts for Apache

* Wed Jun 28 2000 Nalin Dahyabhai <nalin@redhat.com>
- use %%{_perl} instead of /usr/bin/perl
- disable alpha until it passes its own test suite

* Fri Jun  9 2000 Nalin Dahyabhai <nalin@redhat.com>
- move the passwd.1 man page out of the passwd package's way

* Fri Jun  2 2000 Nalin Dahyabhai <nalin@redhat.com>
- update to 0.9.5a, modified for U.S.
- add perl as a build-time requirement
- move certificate makefile to another package
- disable RC5, IDEA, RSA support
- remove optimizations for now

* Wed Mar  1 2000 Florian La Roche <Florian.LaRoche@redhat.de>
- Bero told me to move the Makefile into this package

* Wed Mar  1 2000 Florian La Roche <Florian.LaRoche@redhat.de>
- add lib*.so symlinks to link dynamically against shared libs

* Tue Feb 29 2000 Florian La Roche <Florian.LaRoche@redhat.de>
- update to 0.9.5
- run ldconfig directly in post/postun
- add FAQ

* Sat Dec 18 1999 Bernhard Rosenkrdnzer <bero@redhat.de>
- Fix build on non-x86 platforms

* Fri Nov 12 1999 Bernhard Rosenkrdnzer <bero@redhat.de>
- move /usr/share/ssl/* from -devel to main package

* Tue Oct 26 1999 Bernhard Rosenkrdnzer <bero@redhat.de>
- inital packaging
- changes from base:
  - Move /usr/local/ssl to /usr/share/ssl for FHS compliance
  - handle RPM_OPT_FLAGS