
openssl-1.1.1b-1

Tomohiro "Tomo-p" KATO 6 years ago
parent
commit
627abb950c
1 changed files with 42 additions and 14 deletions
  1. 42 14
      o/openssl/openssl-vl.spec

+ 42 - 14
o/openssl/openssl-vl.spec

@@ -1,6 +1,8 @@
+%bcond_with fips
+
 %define build_compat32 %{?_with_compat32:1}%{!?_with_compat32:0}
-%{!?_pkgdocdir:%define _pkgdocdir %{_docdir}}
-%define version 1.1.1a
+%{!?_pkgdocdir:%global _pkgdocdir %{_docdir}}
+%define version 1.1.1b
 %define release 1%{_dist_release}
 # 1.0.0 soversion = 10
 # 1.1.0 soversion = 1.1 (same as upstream although presence of some symbols
@@ -21,7 +23,7 @@ Source6: make-dummy-cert
 Source7: renew-dummy-cert
 Source9: opensslconf-new.h
 Source10: opensslconf-new-warning.h
-#Source11: README.FIPS
+Source11: README.FIPS
 Source12: ec_curve.c
 Source13: ectest.c
 
@@ -35,17 +37,22 @@ Patch21: openssl-1.1.0-issuer-hash.patch
 # Functionality changes
 Patch31: openssl-1.1.1-conf-paths.patch
 Patch32: openssl-1.1.1-version-add-engines.patch
-Patch33: openssl-1.1.0-apps-dgst.patch
-#Patch36: openssl-1.1.1-secure-getenv.patch
+Patch33: openssl-1.1.1-apps-dgst.patch
+Patch36: openssl-1.1.1-no-brainpool.patch
 Patch37: openssl-1.1.1-ec-curves.patch
-Patch38: openssl-1.1.0-no-weak-verify.patch
+Patch38: openssl-1.1.1-no-weak-verify.patch
 Patch40: openssl-1.1.1-disable-ssl3.patch
 Patch41: openssl-1.1.1-system-cipherlist.patch
-#Patch42: openssl-1.1.1-fips.patch
+Patch42: openssl-1.1.1-fips.patch
 Patch43: openssl-1.1.1-ignore-bound.patch
-#Patch44: openssl-1.1.1-version-override.patch
+Patch44: openssl-1.1.1-version-override.patch
 Patch45: openssl-1.1.1-weak-ciphers.patch
-#Patch46: openssl-1.1.1-seclevel.patch
+Patch46: openssl-1.1.1-seclevel.patch
+Patch48: openssl-1.1.1-fips-post-rand.patch
+Patch49: openssl-1.1.1-evp-kdf.patch
+Patch50: openssl-1.1.1-ssh-kdf.patch
+# Backported fixes including security fixes
+Patch51: openssl-1.1.1-upstream-sync.patch
 
 # security fix
 # nothing ;-)
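Review bot: `Patch48: openssl-1.1.1-fips-post-rand.patch` is declared in this hunk, but the %prep hunk that follows applies 49, 50 and 51 and contains no `%patch48` line, so as far as this diff shows the patch ships in the SRPM without ever being applied. If that is deliberate, record it next to the declaration with a comment such as `# Patch48: carried for reference, not applied`. Otherwise add `%patch48 -p1 -b .fips-post-rand` inside one of the `%if %{with fips}` blocks, at whatever position its context requires. A declared-but-unapplied patch is easy to mistake for an active fix when auditing which changes a build contains.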
@@ -147,16 +154,25 @@ cp %{SOURCE13} test/
 %patch31 -p1 -b .conf-paths
 %patch32 -p1 -b .version-add-engines
 %patch33 -p1 -b .dgst
-#%patch36 -p1 -b .secure-getenv
+%patch36 -p1 -b .no-brainpool
 %patch37 -p1 -b .curves
 %patch38 -p1 -b .no-weak-verify
 %patch40 -p1 -b .disable-ssl3
 %patch41 -p1 -b .system-cipherlist
-#patch42 -p1 -b .fips
+%if %{with fips}
+%patch42 -p1 -b .fips
+%endif
 %patch43 -p1 -b .ignore-bound
-#patch44 -p1 -b .version-override
+%if %{with fips}
+%patch44 -p1 -b .version-override
+%endif
 %patch45 -p1 -b .weak-ciphers
-#%patch46 -p1 -b .seclevel
+%if %{with fips}
+%patch46 -p1 -b .seclevel
+%patch49 -p1 -b .evp-kdf
+%patch50 -p1 -b .ssh-kdf
+%patch51 -p1 -b .upstream-sync
+%endif
 
 # security fix
 # nothing ;-)
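Review bot: `%patch51 -p1 -b .upstream-sync` sits inside the last `%if %{with fips}` block, and `%bcond_with fips` at the top of the spec leaves that option off by default, so a default build omits the patch the spec itself labels `Backported fixes including security fixes`. `%patch46 -p1 -b .seclevel` is gated the same way, although its name suggests a general hardening change rather than a FIPS-only one. If 51 and 46 apply cleanly without Patch42, move them below the `%endif`; if they depend on the fips patch's context, say so in a comment so the gap in the default build is a recorded decision. The trailing `# security fix` / `# nothing ;-)` comment also no longer matches a spec that carries a security backport patch.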
@@ -204,6 +220,11 @@ perl -pi -e 's|/engines-|/%{name}/engines-|' ./Configurations/unix-Makefile.tmpl
 
 make all
 
+%if %{with fips}
+# Overwrite FIPS README
+cp -f %{SOURCE11} .
+%endif
+
 # Clean up the .pc files
 for i in libcrypto.pc libssl.pc openssl.pc ; do
   sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i
@@ -340,6 +361,9 @@ export LD_LIBRARY_PATH
 %{!?_licensedir:%global license %%doc}
 %license LICENSE
 %doc FAQ NEWS README
+%if %{with fips}
+%doc README.FIPS
+%endif
 %{_pkgdocdir}/Makefile.certificate
 %dir %{_sysconfdir}/pki/tls
 %dir %{_sysconfdir}/pki/tls/certs
@@ -352,7 +376,6 @@ export LD_LIBRARY_PATH
 %{_bindir}/renew-dummy-cert
 %{_bindir}/openssl
 %attr(0755,root,root) /%{_lib}/*.so.*
-/%{_lib}/*.so.%{soversion}
 %attr(0755,root,root) %{_libdir}/%{name}/engines-%{soversion}
 %dir %{_mandir}/man1*
 %{_mandir}/man1*/*
@@ -411,6 +434,11 @@ export LD_LIBRARY_PATH
 %postun -n compat32-%{name} -p /sbin/ldconfig
 
 %changelog
+* Sun May 05 2019 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.1.1b-1
+- new upstream release.
+- imported Patch36 from rawhide.
+- updated Patch32.
+
 * Sat Dec 08 2018 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 1.1.1a-1
 - new upstream release.
 - updated Patch2.