Blame SPECS/openssl.spec

e4b8d1
# For the curious:
e4b8d1
# 0.9.5a soversion = 0
e4b8d1
# 0.9.6  soversion = 1
e4b8d1
# 0.9.6a soversion = 2
e4b8d1
# 0.9.6c soversion = 3
e4b8d1
# 0.9.7a soversion = 4
e4b8d1
# 0.9.7ef soversion = 5
e4b8d1
# 0.9.8ab soversion = 6
e4b8d1
# 0.9.8g soversion = 7
e4b8d1
# 0.9.8jk + EAP-FAST soversion = 8
e4b8d1
# 1.0.0 soversion = 10
e4b8d1
# 1.1.0 soversion = 1.1 (same as upstream although presence of some symbols
e4b8d1
#                        depends on build configuration options)
e4b8d1
%define soversion 1.1
e4b8d1
e4b8d1
# Arches on which we need to prevent arch conflicts on opensslconf.h, must
e4b8d1
# also be handled in opensslconf-new.h.
e4b8d1
%define multilib_arches %{ix86} ia64 %{mips} ppc ppc64 s390 s390x sparcv9 sparc64 x86_64
e4b8d1
e4b8d1
%global _performance_build 1
e4b8d1
e4b8d1
Summary: Utilities from the general purpose cryptography library with TLS implementation
e4b8d1
Name: openssl
0c50f5
Version: 1.1.1k
dc0b1f
Release: 9%{?dist}
e4b8d1
Epoch: 1
e4b8d1
# We have to remove certain patented algorithms from the openssl source
e4b8d1
# tarball with the hobble-openssl script which is included below.
e4b8d1
# The original openssl upstream tarball cannot be shipped in the .src.rpm.
e4b8d1
Source: openssl-%{version}-hobbled.tar.xz
e4b8d1
Source1: hobble-openssl
e4b8d1
Source2: Makefile.certificate
e4b8d1
Source6: make-dummy-cert
e4b8d1
Source7: renew-dummy-cert
e4b8d1
Source9: opensslconf-new.h
e4b8d1
Source10: opensslconf-new-warning.h
e4b8d1
Source11: README.FIPS
e4b8d1
Source12: ec_curve.c
e4b8d1
Source13: ectest.c
e4b8d1
# Build changes
e4b8d1
Patch1: openssl-1.1.1-build.patch
782d48
Patch2: openssl-1.1.1-defaults.patch
cf3dd1
Patch3: openssl-1.1.1-no-html.patch
e4b8d1
Patch4: openssl-1.1.1-man-rename.patch
0c50f5
e4b8d1
# Functionality changes
e4b8d1
Patch31: openssl-1.1.1-conf-paths.patch
e4b8d1
Patch32: openssl-1.1.1-version-add-engines.patch
782d48
Patch33: openssl-1.1.1-apps-dgst.patch
782d48
Patch36: openssl-1.1.1-no-brainpool.patch
e4b8d1
Patch37: openssl-1.1.1-ec-curves.patch
782d48
Patch38: openssl-1.1.1-no-weak-verify.patch
e4b8d1
Patch40: openssl-1.1.1-sslv3-keep-abi.patch
e4b8d1
Patch41: openssl-1.1.1-system-cipherlist.patch
e4b8d1
Patch42: openssl-1.1.1-fips.patch
e4b8d1
Patch44: openssl-1.1.1-version-override.patch
e4b8d1
Patch45: openssl-1.1.1-weak-ciphers.patch
e4b8d1
Patch46: openssl-1.1.1-seclevel.patch
782d48
Patch47: openssl-1.1.1-ts-sha256-default.patch
e4b8d1
Patch48: openssl-1.1.1-fips-post-rand.patch
782d48
Patch49: openssl-1.1.1-evp-kdf.patch
782d48
Patch50: openssl-1.1.1-ssh-kdf.patch
cf3dd1
Patch51: openssl-1.1.1-intel-cet.patch
b63792
Patch60: openssl-1.1.1-krb5-kdf.patch
b63792
Patch61: openssl-1.1.1-edk2-build.patch
b63792
Patch62: openssl-1.1.1-fips-curves.patch
a9339f
Patch65: openssl-1.1.1-fips-drbg-selftest.patch
cf3dd1
Patch66: openssl-1.1.1-fips-dh.patch
cf3dd1
Patch67: openssl-1.1.1-kdf-selftest.patch
cf3dd1
Patch69: openssl-1.1.1-alpn-cb.patch
cf3dd1
Patch70: openssl-1.1.1-rewire-fips-drbg.patch
0c50f5
Patch76: openssl-1.1.1-cleanup-peer-point-reneg.patch
0c50f5
Patch77: openssl-1.1.1-s390x-aes.patch
0c50f5
Patch78: openssl-1.1.1-detected-addr-ipv6.patch
0c50f5
Patch79: openssl-1.1.1-servername-cb.patch
0c50f5
Patch80: openssl-1.1.1-s390x-aes-tests.patch
e4b8d1
# Backported fixes including security fixes
782d48
Patch52: openssl-1.1.1-s390x-update.patch
782d48
Patch53: openssl-1.1.1-fips-crng-test.patch
b63792
Patch55: openssl-1.1.1-arm-update.patch
b63792
Patch56: openssl-1.1.1-s390x-ecc.patch
0c50f5
Patch74: openssl-1.1.1-addrconfig.patch
0c50f5
Patch75: openssl-1.1.1-tls13-curves.patch
9972ad
Patch81: openssl-1.1.1-read-buff.patch
5a7ab6
Patch82: openssl-1.1.1-cve-2022-0778.patch
eaef03
Patch83: openssl-1.1.1-replace-expired-certs.patch
eaef03
Patch84: openssl-1.1.1-cve-2022-1292.patch
eaef03
Patch85: openssl-1.1.1-cve-2022-2068.patch
eaef03
Patch86: openssl-1.1.1-cve-2022-2097.patch
dc0b1f
# OpenSSL 1.1.1t CVEs
dc0b1f
Patch101: openssl-1.1.1-cve-2022-4304-RSA-oracle.patch
dc0b1f
Patch102: openssl-1.1.1-cve-2022-4450-PEM-bio.patch
dc0b1f
Patch103: openssl-1.1.1-cve-2023-0215-BIO-UAF.patch
dc0b1f
Patch104: openssl-1.1.1-cve-2023-0286-X400.patch
cf3dd1
cf3dd1
License: OpenSSL and ASL 2.0
e4b8d1
URL: http://www.openssl.org/
e4b8d1
BuildRequires: gcc
782d48
BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp
e4b8d1
BuildRequires: lksctp-tools-devel
e4b8d1
BuildRequires: /usr/bin/rename
e4b8d1
BuildRequires: /usr/bin/pod2man
e4b8d1
BuildRequires: /usr/sbin/sysctl
e4b8d1
BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt)
e4b8d1
BuildRequires: perl(Module::Load::Conditional), perl(File::Temp)
e4b8d1
BuildRequires: perl(Time::HiRes)
cf3dd1
BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy)
e4b8d1
Requires: coreutils
e4b8d1
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
e4b8d1
e4b8d1
%description
e4b8d1
The OpenSSL toolkit provides support for secure communications between
e4b8d1
machines. OpenSSL includes a certificate management tool and shared
e4b8d1
libraries which provide various cryptographic algorithms and
e4b8d1
protocols.
e4b8d1
e4b8d1
%package libs
e4b8d1
Summary: A general purpose cryptography library with TLS implementation
e4b8d1
Requires: ca-certificates >= 2008-5
e4b8d1
Requires: crypto-policies >= 20180730
e4b8d1
Recommends: openssl-pkcs11%{?_isa}
e4b8d1
# Needed obsoletes due to the base/lib subpackage split
e4b8d1
Obsoletes: openssl < 1:1.0.1-0.3.beta3
e4b8d1
Obsoletes: openssl-fips < 1:1.0.1e-28
e4b8d1
Provides: openssl-fips = %{epoch}:%{version}-%{release}
e4b8d1
e4b8d1
%description libs
e4b8d1
OpenSSL is a toolkit for supporting cryptography. The openssl-libs
e4b8d1
package contains the libraries that are used by various applications which
e4b8d1
support cryptographic algorithms and protocols.
e4b8d1
e4b8d1
%package devel
e4b8d1
Summary: Files for development of applications which will use OpenSSL
e4b8d1
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
e4b8d1
Requires: krb5-devel%{?_isa}, zlib-devel%{?_isa}
e4b8d1
Requires: pkgconfig
e4b8d1
e4b8d1
%description devel
e4b8d1
OpenSSL is a toolkit for supporting cryptography. The openssl-devel
e4b8d1
package contains include files needed to develop applications which
e4b8d1
support various cryptographic algorithms and protocols.
e4b8d1
e4b8d1
%package static
e4b8d1
Summary:  Libraries for static linking of applications which will use OpenSSL
e4b8d1
Requires: %{name}-devel%{?_isa} = %{epoch}:%{version}-%{release}
e4b8d1
e4b8d1
%description static
e4b8d1
OpenSSL is a toolkit for supporting cryptography. The openssl-static
e4b8d1
package contains static libraries needed for static linking of
e4b8d1
applications which support various cryptographic algorithms and
e4b8d1
protocols.
e4b8d1
e4b8d1
%package perl
e4b8d1
Summary: Perl scripts provided with OpenSSL
e4b8d1
Requires: perl-interpreter
e4b8d1
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
e4b8d1
e4b8d1
%description perl
e4b8d1
OpenSSL is a toolkit for supporting cryptography. The openssl-perl
e4b8d1
package provides Perl scripts for converting certificates and keys
e4b8d1
from other formats to the formats used by the OpenSSL toolkit.
e4b8d1
e4b8d1
%prep
e4b8d1
%setup -q -n %{name}-%{version}
e4b8d1
e4b8d1
# The hobble_openssl is called here redundantly, just to be sure.
e4b8d1
# The tarball already has the sources removed.
e4b8d1
%{SOURCE1} > /dev/null
e4b8d1
e4b8d1
cp %{SOURCE12} crypto/ec/
e4b8d1
cp %{SOURCE13} test/
e4b8d1
e4b8d1
%patch1 -p1 -b .build   %{?_rawbuild}
e4b8d1
%patch2 -p1 -b .defaults
e4b8d1
%patch3 -p1 -b .no-html  %{?_rawbuild}
e4b8d1
%patch4 -p1 -b .man-rename
e4b8d1
e4b8d1
%patch31 -p1 -b .conf-paths
e4b8d1
%patch32 -p1 -b .version-add-engines
e4b8d1
%patch33 -p1 -b .dgst
782d48
%patch36 -p1 -b .no-brainpool
e4b8d1
%patch37 -p1 -b .curves
e4b8d1
%patch38 -p1 -b .no-weak-verify
e4b8d1
%patch40 -p1 -b .sslv3-abi
e4b8d1
%patch41 -p1 -b .system-cipherlist
e4b8d1
%patch42 -p1 -b .fips
e4b8d1
%patch44 -p1 -b .version-override
e4b8d1
%patch45 -p1 -b .weak-ciphers
e4b8d1
%patch46 -p1 -b .seclevel
782d48
%patch47 -p1 -b .ts-sha256-default
e4b8d1
%patch48 -p1 -b .fips-post-rand
782d48
%patch49 -p1 -b .evp-kdf
782d48
%patch50 -p1 -b .ssh-kdf
cf3dd1
%patch51 -p1 -b .intel-cet
782d48
%patch52 -p1 -b .s390x-update
782d48
%patch53 -p1 -b .crng-test
b63792
%patch55 -p1 -b .arm-update
b63792
%patch56 -p1 -b .s390x-ecc
b63792
%patch60 -p1 -b .krb5-kdf
b63792
%patch61 -p1 -b .edk2-build
b63792
%patch62 -p1 -b .fips-curves
a9339f
%patch65 -p1 -b .drbg-selftest
cf3dd1
%patch66 -p1 -b .fips-dh
cf3dd1
%patch67 -p1 -b .kdf-selftest
cf3dd1
%patch69 -p1 -b .alpn-cb
cf3dd1
%patch70 -p1 -b .rewire-fips-drbg
0c50f5
%patch74 -p1 -b .addrconfig
0c50f5
%patch75 -p1 -b .tls13-curves
0c50f5
%patch76 -p1 -b .cleanup-reneg
0c50f5
%patch77 -p1 -b .s390x-aes
0c50f5
%patch78 -p1 -b .addr-ipv6
0c50f5
%patch79 -p1 -b .servername-cb
0c50f5
%patch80 -p1 -b .s390x-test-aes
9972ad
%patch81 -p1 -b .read-buff
5a7ab6
%patch82 -p1 -b .cve-2022-0778
eaef03
%patch83 -p1 -b .replace-expired-certs
eaef03
%patch84 -p1 -b .cve-2022-1292
eaef03
%patch85 -p1 -b .cve-2022-2068
eaef03
%patch86 -p1 -b .cve-2022-2097
dc0b1f
%patch101 -p1 -b .cve-2022-4304
dc0b1f
%patch102 -p1 -b .cve-2022-4450
dc0b1f
%patch103 -p1 -b .cve-2023-0215
dc0b1f
%patch104 -p1 -b .cve-2023-0286
e4b8d1
e4b8d1
%build
e4b8d1
# Figure out which flags we want to use.
e4b8d1
# default
e4b8d1
sslarch=%{_os}-%{_target_cpu}
e4b8d1
%ifarch %ix86
e4b8d1
sslarch=linux-elf
e4b8d1
if ! echo %{_target} | grep -q i686 ; then
e4b8d1
	sslflags="no-asm 386"
e4b8d1
fi
e4b8d1
%endif
e4b8d1
%ifarch x86_64
e4b8d1
sslflags=enable-ec_nistp_64_gcc_128
e4b8d1
%endif
e4b8d1
%ifarch sparcv9
e4b8d1
sslarch=linux-sparcv9
e4b8d1
sslflags=no-asm
e4b8d1
%endif
e4b8d1
%ifarch sparc64
e4b8d1
sslarch=linux64-sparcv9
e4b8d1
sslflags=no-asm
e4b8d1
%endif
e4b8d1
%ifarch alpha alphaev56 alphaev6 alphaev67
e4b8d1
sslarch=linux-alpha-gcc
e4b8d1
%endif
e4b8d1
%ifarch s390 sh3eb sh4eb
e4b8d1
sslarch="linux-generic32 -DB_ENDIAN"
e4b8d1
%endif
e4b8d1
%ifarch s390x
e4b8d1
sslarch="linux64-s390x"
e4b8d1
%endif
e4b8d1
%ifarch %{arm}
e4b8d1
sslarch=linux-armv4
e4b8d1
%endif
e4b8d1
%ifarch aarch64
e4b8d1
sslarch=linux-aarch64
e4b8d1
sslflags=enable-ec_nistp_64_gcc_128
e4b8d1
%endif
e4b8d1
%ifarch sh3 sh4
e4b8d1
sslarch=linux-generic32
e4b8d1
%endif
e4b8d1
%ifarch ppc64 ppc64p7
e4b8d1
sslarch=linux-ppc64
e4b8d1
%endif
e4b8d1
%ifarch ppc64le
e4b8d1
sslarch="linux-ppc64le"
e4b8d1
sslflags=enable-ec_nistp_64_gcc_128
e4b8d1
%endif
e4b8d1
%ifarch mips mipsel
e4b8d1
sslarch="linux-mips32 -mips32r2"
e4b8d1
%endif
e4b8d1
%ifarch mips64 mips64el
e4b8d1
sslarch="linux64-mips64 -mips64r2"
e4b8d1
%endif
e4b8d1
%ifarch mips64el
e4b8d1
sslflags=enable-ec_nistp_64_gcc_128
e4b8d1
%endif
e4b8d1
%ifarch riscv64
e4b8d1
sslarch=linux-generic64
e4b8d1
%endif
e4b8d1
e4b8d1
# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
e4b8d1
# marked as not requiring an executable stack.
e4b8d1
# Also add -DPURIFY to make using valgrind with openssl easier as we do not
e4b8d1
# want to depend on the uninitialized memory as a source of entropy anyway.
e4b8d1
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS"
e4b8d1
e4b8d1
export HASHBANGPERL=/usr/bin/perl
e4b8d1
e4b8d1
# ia64, x86_64, ppc are OK by default
e4b8d1
# Configure the build tree.  Override OpenSSL defaults with known-good defaults
e4b8d1
# usable on all platforms.  The Configure script already knows to use -fPIC and
e4b8d1
# RPM_OPT_FLAGS, so we can skip specifying them here.
e4b8d1
./Configure \
e4b8d1
	--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
e4b8d1
	--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
e4b8d1
	zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
e4b8d1
	enable-cms enable-md2 enable-rc5 \
e4b8d1
	enable-weak-ssl-ciphers \
e4b8d1
	no-mdc2 no-ec2m no-sm2 no-sm4 \
e4b8d1
	shared  ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\""'
e4b8d1
e4b8d1
# Do not run this in a production package; the FIPS symbols must be patched in
e4b8d1
#util/mkdef.pl crypto update
e4b8d1
e4b8d1
make all
e4b8d1
e4b8d1
# Overwrite FIPS README
e4b8d1
cp -f %{SOURCE11} .
e4b8d1
e4b8d1
# Clean up the .pc files
e4b8d1
for i in libcrypto.pc libssl.pc openssl.pc ; do
e4b8d1
  sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i
e4b8d1
done
e4b8d1
e4b8d1
%check
e4b8d1
# Verify that what was compiled actually works.
e4b8d1
e4b8d1
# Hack - either enable SCTP AUTH chunks in kernel or disable sctp for check
e4b8d1
(sysctl net.sctp.addip_enable=1 && sysctl net.sctp.auth_enable=1) || \
e4b8d1
(echo 'Failed to enable SCTP AUTH chunks, disabling SCTP for tests...' &&
e4b8d1
 sed '/"zlib-dynamic" => "default",/a\ \ "sctp" => "default",' configdata.pm > configdata.pm.new && \
e4b8d1
 touch -r configdata.pm configdata.pm.new && \
e4b8d1
 mv -f configdata.pm.new configdata.pm)
e4b8d1
e4b8d1
# We must revert patch31 before tests otherwise they will fail
e4b8d1
patch -p1 -R < %{PATCH31}
e4b8d1
e4b8d1
LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
e4b8d1
export LD_LIBRARY_PATH
e4b8d1
crypto/fips/fips_standalone_hmac libcrypto.so.%{soversion} >.libcrypto.so.%{soversion}.hmac
e4b8d1
ln -s .libcrypto.so.%{soversion}.hmac .libcrypto.so.hmac
e4b8d1
crypto/fips/fips_standalone_hmac libssl.so.%{soversion} >.libssl.so.%{soversion}.hmac
e4b8d1
ln -s .libssl.so.%{soversion}.hmac .libssl.so.hmac
e4b8d1
OPENSSL_ENABLE_MD5_VERIFY=
e4b8d1
export OPENSSL_ENABLE_MD5_VERIFY
e4b8d1
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
e4b8d1
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
e4b8d1
make test
e4b8d1
e4b8d1
# Add generation of HMAC checksum of the final stripped library
e4b8d1
%define __spec_install_post \
e4b8d1
    %{?__debug_package:%{__debug_install_post}} \
e4b8d1
    %{__arch_install_post} \
e4b8d1
    %{__os_install_post} \
e4b8d1
    crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libcrypto.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{version}.hmac \
e4b8d1
    ln -sf .libcrypto.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libcrypto.so.%{soversion}.hmac \
e4b8d1
    crypto/fips/fips_standalone_hmac $RPM_BUILD_ROOT%{_libdir}/libssl.so.%{version} >$RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{version}.hmac \
e4b8d1
    ln -sf .libssl.so.%{version}.hmac $RPM_BUILD_ROOT%{_libdir}/.libssl.so.%{soversion}.hmac \
e4b8d1
%{nil}
e4b8d1
e4b8d1
%define __provides_exclude_from %{_libdir}/openssl
e4b8d1
e4b8d1
%install
e4b8d1
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
e4b8d1
# Install OpenSSL.
e4b8d1
install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl,%{_pkgdocdir}}
e4b8d1
make DESTDIR=$RPM_BUILD_ROOT install
e4b8d1
rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}
e4b8d1
for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do
e4b8d1
	chmod 755 ${lib}
e4b8d1
	ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`
e4b8d1
	ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion}
e4b8d1
done
e4b8d1
e4b8d1
# Install a makefile for generating keys and self-signed certs, and a script
e4b8d1
# for generating them on the fly.
e4b8d1
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs
e4b8d1
install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_pkgdocdir}/Makefile.certificate
e4b8d1
install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/make-dummy-cert
e4b8d1
install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_bindir}/renew-dummy-cert
e4b8d1
e4b8d1
# Move runnable perl scripts to bindir
e4b8d1
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/*.pl $RPM_BUILD_ROOT%{_bindir}
e4b8d1
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/tsget $RPM_BUILD_ROOT%{_bindir}
e4b8d1
e4b8d1
# Drop the SSLv3 methods from includes
e4b8d1
sed -i '/ifndef OPENSSL_NO_SSL3_METHOD/,+4d' $RPM_BUILD_ROOT%{_includedir}/openssl/ssl.h
e4b8d1
e4b8d1
# Rename man pages so that they don't conflict with other system man pages.
e4b8d1
pushd $RPM_BUILD_ROOT%{_mandir}
e4b8d1
ln -s -f config.5 man5/openssl.cnf.5
e4b8d1
for manpage in man*/* ; do
e4b8d1
	if [ -L ${manpage} ]; then
e4b8d1
		TARGET=`ls -l ${manpage} | awk '{ print $NF }'`
e4b8d1
		ln -snf ${TARGET}ssl ${manpage}ssl
e4b8d1
		rm -f ${manpage}
e4b8d1
	else
e4b8d1
		mv ${manpage} ${manpage}ssl
e4b8d1
	fi
e4b8d1
done
e4b8d1
for conflict in passwd rand ; do
e4b8d1
	rename ${conflict} ssl${conflict} man*/${conflict}*
e4b8d1
# Fix dangling symlinks
e4b8d1
	manpage=man1/openssl-${conflict}.*
e4b8d1
	if [ -L ${manpage} ] ; then
e4b8d1
		ln -snf ssl${conflict}.1ssl ${manpage}
e4b8d1
	fi
e4b8d1
done
e4b8d1
popd
e4b8d1
e4b8d1
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA
e4b8d1
mkdir -m700 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/private
e4b8d1
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/certs
e4b8d1
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/crl
e4b8d1
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/newcerts
e4b8d1
e4b8d1
# Ensure the config file timestamps are identical across builds to avoid
e4b8d1
# multilib conflicts and unnecessary renames on upgrade
e4b8d1
touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf
e4b8d1
touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf
e4b8d1
e4b8d1
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist
e4b8d1
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
e4b8d1
e4b8d1
# Determine which arch opensslconf.h is going to try to #include.
e4b8d1
basearch=%{_arch}
e4b8d1
%ifarch %{ix86}
e4b8d1
basearch=i386
e4b8d1
%endif
e4b8d1
%ifarch sparcv9
e4b8d1
basearch=sparc
e4b8d1
%endif
e4b8d1
%ifarch sparc64
e4b8d1
basearch=sparc64
e4b8d1
%endif
e4b8d1
e4b8d1
%ifarch %{multilib_arches}
e4b8d1
# Do an opensslconf.h switcheroo to avoid file conflicts on systems where you
e4b8d1
# can have both a 32- and 64-bit version of the library, and they each need
e4b8d1
# their own correct-but-different versions of opensslconf.h to be usable.
e4b8d1
install -m644 %{SOURCE10} \
e4b8d1
	$RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf-${basearch}.h
e4b8d1
cat $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h >> \
e4b8d1
	$RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf-${basearch}.h
e4b8d1
install -m644 %{SOURCE9} \
e4b8d1
	$RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h
e4b8d1
%endif
e4b8d1
LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
e4b8d1
export LD_LIBRARY_PATH
e4b8d1
e4b8d1
%files
e4b8d1
%{!?_licensedir:%global license %%doc}
e4b8d1
%license LICENSE
e4b8d1
%doc FAQ NEWS README README.FIPS
e4b8d1
%{_bindir}/make-dummy-cert
e4b8d1
%{_bindir}/renew-dummy-cert
e4b8d1
%{_bindir}/openssl
e4b8d1
%{_mandir}/man1*/*
e4b8d1
%{_mandir}/man5*/*
e4b8d1
%{_mandir}/man7*/*
e4b8d1
%{_pkgdocdir}/Makefile.certificate
e4b8d1
%exclude %{_mandir}/man1*/*.pl*
e4b8d1
%exclude %{_mandir}/man1*/c_rehash*
e4b8d1
%exclude %{_mandir}/man1*/tsget*
e4b8d1
%exclude %{_mandir}/man1*/openssl-tsget*
e4b8d1
e4b8d1
%files libs
e4b8d1
%{!?_licensedir:%global license %%doc}
e4b8d1
%license LICENSE
e4b8d1
%dir %{_sysconfdir}/pki/tls
e4b8d1
%dir %{_sysconfdir}/pki/tls/certs
e4b8d1
%dir %{_sysconfdir}/pki/tls/misc
e4b8d1
%dir %{_sysconfdir}/pki/tls/private
e4b8d1
%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
e4b8d1
%config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf
e4b8d1
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version}
e4b8d1
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{soversion}
e4b8d1
%attr(0755,root,root) %{_libdir}/libssl.so.%{version}
e4b8d1
%attr(0755,root,root) %{_libdir}/libssl.so.%{soversion}
e4b8d1
%attr(0644,root,root) %{_libdir}/.libcrypto.so.*.hmac
e4b8d1
%attr(0644,root,root) %{_libdir}/.libssl.so.*.hmac
e4b8d1
%attr(0755,root,root) %{_libdir}/engines-%{soversion}
e4b8d1
e4b8d1
%files devel
e4b8d1
%doc CHANGES doc/dir-locals.example.el doc/openssl-c-indent.el
e4b8d1
%{_prefix}/include/openssl
e4b8d1
%{_libdir}/*.so
e4b8d1
%{_mandir}/man3*/*
e4b8d1
%{_libdir}/pkgconfig/*.pc
e4b8d1
e4b8d1
%files static
e4b8d1
%{_libdir}/*.a
e4b8d1
e4b8d1
%files perl
e4b8d1
%{_bindir}/c_rehash
e4b8d1
%{_bindir}/*.pl
e4b8d1
%{_bindir}/tsget
e4b8d1
%{_mandir}/man1*/*.pl*
e4b8d1
%{_mandir}/man1*/c_rehash*
e4b8d1
%{_mandir}/man1*/tsget*
e4b8d1
%{_mandir}/man1*/openssl-tsget*
e4b8d1
%dir %{_sysconfdir}/pki/CA
e4b8d1
%dir %{_sysconfdir}/pki/CA/private
e4b8d1
%dir %{_sysconfdir}/pki/CA/certs
e4b8d1
%dir %{_sysconfdir}/pki/CA/crl
e4b8d1
%dir %{_sysconfdir}/pki/CA/newcerts
e4b8d1
e4b8d1
%post libs -p /sbin/ldconfig
e4b8d1
e4b8d1
%postun libs -p /sbin/ldconfig
e4b8d1
e4b8d1
%changelog
dc0b1f
* Wed Feb 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-9
dc0b1f
- Fixed Timing Oracle in RSA Decryption
dc0b1f
  Resolves: CVE-2022-4304
dc0b1f
- Fixed Double free after calling PEM_read_bio_ex
dc0b1f
  Resolves: CVE-2022-4450
dc0b1f
- Fixed Use-after-free following BIO_new_NDEF
dc0b1f
  Resolves: CVE-2023-0215
dc0b1f
- Fixed X.400 address type confusion in X.509 GeneralName
dc0b1f
  Resolves: CVE-2023-0286
dc0b1f
dc0b1f
* Thu Jul 21 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-8
dc0b1f
- Fix no-ec build
dc0b1f
  Resolves: rhbz#2071020
dc0b1f
eaef03
* Tue Jul 05 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-7
eaef03
- Fix CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86
eaef03
  Resolves: CVE-2022-2097
eaef03
- Update expired certificates used in the testsuite
dc0b1f
  Resolves: rhbz#2092462
eaef03
- Fix CVE-2022-1292: openssl: c_rehash script allows command injection
dc0b1f
  Resolves: rhbz#2090372
eaef03
- Fix CVE-2022-2068: the c_rehash script allows command injection
dc0b1f
  Resolves: rhbz#2098279
eaef03
5a7ab6
* Wed Mar 23 2022 Clemens Lang <cllang@redhat.com> - 1:1.1.1k-6
5a7ab6
- Fixes CVE-2022-0778 openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
dc0b1f
- Resolves: rhbz#2067146
5a7ab6
eaef03
* Tue Nov 16 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-5
eaef03
- Fixes CVE-2021-3712 openssl: Read buffer overruns processing ASN.1 strings
eaef03
- Resolves: rhbz#2005402
9972ad
0c50f5
* Fri Jul 16 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-4
0c50f5
- Fixes bugs in s390x AES code.
0c50f5
- Uses the first detected address family if IPv6 is not available
0c50f5
- Reverts the changes in https://github.com/openssl/openssl/pull/13305
0c50f5
  as it introduces a regression if server has a DSA key pair, the handshake fails
0c50f5
  when the protocol is not explicitly set to TLS 1.2. However, if the patch is reverted,
0c50f5
  it has an effect on the "ssl_reject_handshake" feature in nginx. Although, this feature
0c50f5
  will continue to work, TLS 1.3 protocol becomes unavailable/disabled. This is already
0c50f5
  known - https://trac.nginx.org/nginx/ticket/2071#comment:1
0c50f5
  As per https://github.com/openssl/openssl/issues/16075#issuecomment-879939938, nginx
0c50f5
  could early callback instead of servername callback.
0c50f5
- Resolves: rhbz#1978214
0c50f5
- Related: rhbz#1934534
0c50f5
0c50f5
* Thu Jun 24 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1k-3
0c50f5
- Cleans up the peer point formats on renegotiation
0c50f5
- Resolves rhbz#1965362
0c50f5
0c50f5
* Wed Jun 23 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:1.1.1k-2
0c50f5
- Fixes FIPS_selftest to work in FIPS mode. Resolves: rhbz#1940085
0c50f5
- Using safe primes for FIPS DH self-test
0c50f5
0c50f5
* Mon May 24 2021 Sahana Prasad <sahana@redhat.com> 1.1.1k-1
0c50f5
- Update to version 1.1.1k
0c50f5
0c50f5
* Mon Apr 26 2021 Daiki Ueno <dueno@redhat.com> 1.1.1g-16
0c50f5
- Use AI_ADDRCONFIG only when explicit host name is given
0c50f5
- Allow only curves defined in RFC 8446 in TLS 1.3
0c50f5
0c50f5
* Fri Apr 16 2021 Dmitry Belyavski <dbelyavs@redhat.com> 1.1.1g-15
0c50f5
- Remove 2-key 3DES test from FIPS_selftest
0c50f5
0c50f5
* Mon Mar 29 2021 Sahana Prasad <sahana@redhat.com> 1.1.1g-14
0c50f5
- Fix CVE-2021-3450 openssl: CA certificate check bypass with
0c50f5
  X509_V_FLAG_X509_STRICT
6f47c0
- Fix CVE-2021-3449 NULL pointer deref in signature_algorithms processing
6f47c0
0c50f5
* Fri Dec  4 2020 Sahana Prasad <sahana@redhat.com> 1.1.1g-13
535d01
- Fix CVE-2020-1971 ediparty null pointer dereference
535d01
0c50f5
* Fri Oct 23 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-12
535d01
- Implemented new FIPS requirements in regards to KDF and DH selftests
535d01
- Disallow certificates with explicit EC parameters
535d01
cf3dd1
* Mon Jul 20 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-11
cf3dd1
- Further changes for SP 800-56A rev3 requirements
cf3dd1
cf3dd1
* Tue Jun 23 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-9
cf3dd1
- Rewire FIPS_drbg API to use the RAND_DRBG
cf3dd1
- Use the well known DH groups in TLS even for 2048 and 1024 bit parameters
cf3dd1
cf3dd1
* Mon Jun  8 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-7
cf3dd1
- Disallow dropping Extended Master Secret extension
cf3dd1
  on renegotiation
cf3dd1
- Return alert from s_server if ALPN protocol does not match
cf3dd1
- SHA1 is allowed in @SECLEVEL=2 only if allowed by
cf3dd1
  TLS SigAlgs configuration
cf3dd1
cf3dd1
* Wed Jun  3 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-6
cf3dd1
- Add FIPS selftest for PBKDF2 and KBKDF
cf3dd1
cf3dd1
* Wed May 27 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-5
cf3dd1
- Allow only well known DH groups in the FIPS mode
cf3dd1
cf3dd1
* Mon May 18 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1g-1
cf3dd1
- update to the 1.1.1g release
cf3dd1
- FIPS module installed state definition is modified
cf3dd1
b63792
* Thu Mar  5 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-15
a9339f
- add selftest of the RAND_DRBG implementation
b63792
b63792
* Wed Feb 19 2020 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-14
a9339f
- fix incorrect error return value from FIPS_selftest_dsa
b63792
- S390x: properly restore SIGILL signal handler
b63792
b63792
* Wed Dec  4 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-12
b63792
- additional fix for the edk2 build
b63792
b63792
* Tue Nov 26 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-9
b63792
- disallow use of SHA-1 signatures in TLS in FIPS mode
b63792
b63792
* Mon Nov 25 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-8
b63792
- fix CVE-2019-1547 - side-channel weak encryption vulnerability
b63792
- fix CVE-2019-1563 - padding oracle in CMS API
b63792
- fix CVE-2019-1549 - ensure fork safety of the DRBG
b63792
- fix handling of non-FIPS allowed EC curves in FIPS mode
b63792
- fix TLS compliance issues
b63792
b63792
* Thu Nov 21 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-7
b63792
- backported ARM performance fixes from master
b63792
b63792
* Wed Nov 20 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-6
b63792
- backport of S390x ECC CPACF enhancements from master
b63792
- FIPS mode: properly disable 1024 bit DSA key generation
b63792
- FIPS mode: skip ED25519 and ED448 algorithms in openssl speed
b63792
- FIPS mode: allow AES-CCM ciphersuites
b63792
b63792
* Tue Nov 19 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-5
b63792
- make the code suitable for edk2 build
b63792
b63792
* Thu Nov 14 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-4
b63792
- backport of SSKDF from master
b63792
b63792
* Wed Nov 13 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-3
b63792
- backport of KBKDF and KRB5KDF from master
a9339f
782d48
* Mon Jun 24 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-2
782d48
- do not try to use EC groups disallowed in FIPS mode
782d48
  in TLS
782d48
- fix Valgrind regression with constant-time code
782d48
782d48
* Mon Jun  3 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1c-1
782d48
- update to the 1.1.1c release
782d48
782d48
* Fri May 24 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-6
782d48
- adjust the default cert pbe algorithm for pkcs12 -export
782d48
  in the FIPS mode
782d48
782d48
* Fri May 10 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-5
782d48
- Fix small regressions related to the rebase
782d48
782d48
* Tue May  7 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-3
782d48
- FIPS compliance fixes
782d48
782d48
* Tue May  7 2019 Tomáš Mráz <tmraz@redhat.com> 1.1.1b-1
782d48
- update to the 1.1.1b release
782d48
- EVP_KDF API backport from master
782d48
- SSH KDF implementation for EVP_KDF API backport from master
782d48
- add S390x chacha20-poly1305 assembler support from master branch
782d48
e4b8d1
* Fri Dec 14 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-8
e4b8d1
- make openssl ts default to using SHA256 digest
e4b8d1
e4b8d1
* Wed Nov 14 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-7
e4b8d1
- use /dev/urandom for seeding the RNG in FIPS POST
e4b8d1
e4b8d1
* Mon Oct 15 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-6
e4b8d1
- make SECLEVEL=3 work
e4b8d1
e4b8d1
* Tue Oct  9 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-5
e4b8d1
- fix defects found in Coverity scan
e4b8d1
e4b8d1
* Mon Oct  1 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-4
e4b8d1
- drop SSLv3 support
e4b8d1
e4b8d1
* Tue Sep 25 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-3
e4b8d1
- drop the TLS-1.3 version revert
e4b8d1
e4b8d1
* Mon Sep 17 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-2
e4b8d1
- disable RC4-MD5 ciphersuites completely
e4b8d1
e4b8d1
* Fri Sep 14 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-1
e4b8d1
- update to the final 1.1.1 version
e4b8d1
- for consistent support of security policies we build
e4b8d1
  RC4 support in TLS (not default) and allow SHA1 in SECLEVEL 2
e4b8d1
- use only /dev/urandom if getrandom() is not available
e4b8d1
- disable SM4
e4b8d1
e4b8d1
* Thu Aug 23 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre9.1
e4b8d1
- update to the latest 1.1.1 beta version
e4b8d1
- temporarily revert TLS-1.3 to draft 28 version
e4b8d1
e4b8d1
* Mon Aug 13 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre8.4
e4b8d1
- bidirectional shutdown fixes from upstream
e4b8d1
e4b8d1
* Mon Aug 13 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre8.3
e4b8d1
- do not put error on stack when using fixed protocol version
e4b8d1
  with the default config (#1615098)
e4b8d1
e4b8d1
* Fri Jul 27 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre8.2
e4b8d1
- load crypto policy config file from the default config
e4b8d1
e4b8d1
* Wed Jul 25 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-0.pre8
e4b8d1
- update to the latest 1.1.1 beta version
e4b8d1
e4b8d1
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.0h-6
e4b8d1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
e4b8d1
e4b8d1
* Tue Jun 19 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.0h-5
e4b8d1
- fix FIPS RSA key generation failure
e4b8d1
e4b8d1
* Mon Jun  4 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.0h-4
e4b8d1
- ppc64le is not multilib arch (#1584994)
e4b8d1
e4b8d1
* Tue Apr  3 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.0h-3
e4b8d1
- fix regression of c_rehash (#1562953)
e4b8d1
e4b8d1
* Thu Mar 29 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.0h-2
e4b8d1
- fix FIPS symbol versions
e4b8d1
e4b8d1
* Thu Mar 29 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.0h-1
e4b8d1
- update to upstream version 1.1.0h
e4b8d1
- add Recommends for openssl-pkcs11
e4b8d1
e4b8d1
* Fri Feb 23 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.0g-6
e4b8d1
- one more try to apply RPM_LD_FLAGS properly (#1541033)
e4b8d1
- dropped unneeded starttls xmpp patch (#1417017)
e4b8d1
e4b8d1
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.0g-5
e4b8d1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
e4b8d1
e4b8d1
* Thu Feb  1 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.0g-4
e4b8d1
- apply RPM_LD_FLAGS properly (#1541033)
e4b8d1
e4b8d1
* Thu Jan 11 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.0g-3
e4b8d1
- silence the .rnd write failure as that is auxiliary functionality (#1524833)
e4b8d1
e4b8d1
* Thu Dec 14 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0g-2
e4b8d1
- put the Makefile.certificate in pkgdocdir and drop the requirement on make
e4b8d1
e4b8d1
* Fri Nov  3 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0g-1
e4b8d1
- update to upstream version 1.1.0g
e4b8d1
e4b8d1
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.0f-9
e4b8d1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
e4b8d1
e4b8d1
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.0f-8
e4b8d1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
e4b8d1
e4b8d1
* Mon Jul 17 2017 Tomáš Mráz <tmraz@redhat.com> 1:1.1.0f-7
e4b8d1
- make s_client and s_server work with -ssl3 option (#1471783)
e4b8d1
e4b8d1
* Thu Jul 13 2017 Petr Pisar <ppisar@redhat.com> - 1:1.1.0f-6
e4b8d1
- perl dependency renamed to perl-interpreter
e4b8d1
  <https://fedoraproject.org/wiki/Changes/perl_Package_to_Install_Core_Modules>
e4b8d1
e4b8d1
* Mon Jun 26 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0f-5
e4b8d1
- disable verification of all insecure hashes
e4b8d1
e4b8d1
* Fri Jun 23 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0f-4
e4b8d1
- make DTLS work (#1462541)
e4b8d1
e4b8d1
* Thu Jun 15 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0f-3
e4b8d1
- enable 3DES SSL ciphersuites, RC4 is kept disabled (#1453066)
e4b8d1
e4b8d1
* Mon Jun  5 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0f-2
e4b8d1
- only release thread-local key if we created it (from upstream) (#1458775)
e4b8d1
e4b8d1
* Fri Jun  2 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0f-1
e4b8d1
- update to upstream version 1.1.0f
e4b8d1
- SRP and GOST are now allowed, note that GOST support requires
e4b8d1
  adding GOST engine which is not part of openssl anymore
e4b8d1
e4b8d1
* Thu Feb 16 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0e-1
e4b8d1
- update to upstream version 1.1.0e
e4b8d1
- add documentation of the PROFILE=SYSTEM special cipher string (#1420232)
e4b8d1
e4b8d1
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.0d-3
e4b8d1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
e4b8d1
e4b8d1
* Wed Feb  1 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0d-2
e4b8d1
- applied upstream fixes (fix regression in X509_CRL_digest)
e4b8d1
e4b8d1
* Thu Jan 26 2017 Tomáš Mráz <tmraz@redhat.com> 1.1.0d-1
e4b8d1
- update to upstream version 1.1.0d
e4b8d1
e4b8d1
* Thu Dec 22 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.0c-5
e4b8d1
- preserve new line in fd BIO BIO_gets() as other BIOs do
e4b8d1
e4b8d1
* Fri Dec  2 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.0c-4
e4b8d1
- FIPS mode fixes for TLS
e4b8d1
e4b8d1
* Wed Nov 30 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.0c-3
e4b8d1
- revert SSL_read() behavior change - patch from upstream (#1394677)
e4b8d1
- fix behavior on client certificate request in renegotiation (#1393579)
e4b8d1
e4b8d1
* Tue Nov 22 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.0c-2
e4b8d1
- EC curve NIST P-224 is now allowed, still kept disabled in TLS due
e4b8d1
  to less than optimal security
e4b8d1
e4b8d1
* Fri Nov 11 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.0c-1
e4b8d1
- update to upstream version 1.1.0c
e4b8d1
e4b8d1
* Fri Nov  4 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.0b-4
e4b8d1
- use a random seed if the supplied one did not generate valid
e4b8d1
  parameters in dsa_builtin_paramgen2()
e4b8d1
e4b8d1
* Wed Oct 12 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.0b-3
e4b8d1
- do not break contract on return value when using dsa_builtin_paramgen2()
e4b8d1
e4b8d1
* Wed Oct 12 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.0b-2
e4b8d1
- fix afalg failure on big endian
e4b8d1
e4b8d1
* Tue Oct 11 2016 Tomáš Mráz <tmraz@redhat.com> 1.1.0b-1
e4b8d1
- update to upstream version 1.1.0b
e4b8d1
e4b8d1
* Fri Oct 07 2016 Richard W.M. Jones <rjones@redhat.com> - 1:1.0.2j-2
e4b8d1
- Add flags for riscv64.
e4b8d1
e4b8d1
* Mon Sep 26 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.2j-1
e4b8d1
- minor upstream release 1.0.2j fixing regression from previous release
e4b8d1
e4b8d1
* Sat Sep 24 2016 David Woodhouse <dwmw2@infradead.org> 1.0.2i-2
e4b8d1
- Fix enginesdir in libcrypto.c (#1375361)
e4b8d1
e4b8d1
* Thu Sep 22 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.2i-1
e4b8d1
- minor upstream release 1.0.2i fixing security issues
e4b8d1
- move man pages for perl based scripts to perl subpackage (#1377617)
e4b8d1
e4b8d1
* Wed Aug 10 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.2h-3
e4b8d1
- fix regression in Cisco AnyConnect VPN support (#1354588)
e4b8d1
e4b8d1
* Mon Jun 27 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.2h-2
e4b8d1
- require libcrypto in libssl.pc (#1301301)
e4b8d1
e4b8d1
* Tue May  3 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.2h-1
e4b8d1
- minor upstream release 1.0.2h fixing security issues
e4b8d1
e4b8d1
* Tue Mar 29 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.2g-4
e4b8d1
- disable SSLv2 support altogether (without ABI break)
e4b8d1
e4b8d1
* Mon Mar  7 2016 Tom Callaway <spot@fedoraproject.org> - 1.0.2g-3
e4b8d1
- enable RC5
e4b8d1
e4b8d1
* Wed Mar  2 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.2g-2
e4b8d1
- reenable SSL2 in the build to avoid ABI break (it does not
e4b8d1
  make the openssl vulnerable to DROWN attack)
e4b8d1
e4b8d1
* Tue Mar  1 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.2g-1
e4b8d1
- minor upstream release 1.0.2g fixing security issues
e4b8d1
e4b8d1
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.0.2f-2
e4b8d1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
e4b8d1
e4b8d1
* Thu Jan 28 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.2f-1
e4b8d1
- minor upstream release 1.0.2f fixing security issues
e4b8d1
- add support for MIPS secondary architecture
e4b8d1
e4b8d1
* Fri Jan 15 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.2e-5
e4b8d1
- document some options of openssl speed command
e4b8d1
e4b8d1
* Fri Dec 18 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.2e-4
e4b8d1
- enable sctp support in DTLS
e4b8d1
e4b8d1
* Tue Dec  8 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.2e-3
e4b8d1
- remove unimplemented EC method from header (#1289599)
e4b8d1
e4b8d1
* Mon Dec  7 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.2e-2
e4b8d1
- the fast nistp implementation works only on little endian architectures
e4b8d1
e4b8d1
* Fri Dec  4 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.2e-1
e4b8d1
- minor upstream release 1.0.2e fixing moderate severity security issues
e4b8d1
- enable fast assembler implementation for NIST P-256 and P-521
e4b8d1
  elliptic curves (#1164210)
e4b8d1
- filter out unwanted link options from the .pc files (#1257836)
e4b8d1
- do not set serial to 0 in Makefile.certificate (#1135719)
e4b8d1
e4b8d1
* Mon Nov 16 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.2d-3
e4b8d1
- fix sigill on some AMD CPUs (#1278194)
e4b8d1
e4b8d1
* Wed Aug 12 2015 Tom Callaway <spot@fedoraproject.org> 1.0.2d-2
e4b8d1
- re-enable secp256k1 (bz1021898)
e4b8d1
e4b8d1
* Thu Jul  9 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.2d-1
e4b8d1
- minor upstream release 1.0.2d fixing a high severity security issue
e4b8d1
e4b8d1
* Tue Jul  7 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.2c-3
e4b8d1
- fix the aarch64 build
e4b8d1
e4b8d1
* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.0.2c-2
e4b8d1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
e4b8d1
e4b8d1
* Mon Jun 15 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.2c-1
e4b8d1
- minor upstream release 1.0.2c fixing multiple security issues
e4b8d1
e4b8d1
* Thu May  7 2015 Peter Robinson <pbrobinson@fedoraproject.org> 1.0.2a-4
e4b8d1
- Add aarch64 sslarch details
e4b8d1
e4b8d1
* Thu May  7 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.2a-3
e4b8d1
- fix some 64 bit build targets
e4b8d1
e4b8d1
* Tue Apr 28 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.2a-2
e4b8d1
- add alternative certificate chain discovery support from upstream
e4b8d1
e4b8d1
* Thu Apr 23 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.2a-1
e4b8d1
- rebase to 1.0.2 branch
e4b8d1
e4b8d1
* Thu Apr  9 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1k-7
e4b8d1
- drop the AES-GCM restriction of 2^32 operations because the IV is
e4b8d1
  always 96 bits (32 bit fixed field + 64 bit invocation field)
e4b8d1
e4b8d1
* Thu Mar 19 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1k-6
e4b8d1
- fix CVE-2015-0209 - potential use after free in d2i_ECPrivateKey()
e4b8d1
- fix CVE-2015-0286 - improper handling of ASN.1 boolean comparison
e4b8d1
- fix CVE-2015-0287 - ASN.1 structure reuse decoding memory corruption
e4b8d1
- fix CVE-2015-0289 - NULL dereference decoding invalid PKCS#7 data
e4b8d1
- fix CVE-2015-0293 - triggerable assert in SSLv2 server
e4b8d1
e4b8d1
* Mon Mar 16 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1k-5
e4b8d1
- fix bug in the CRYPTO_128_unwrap()
e4b8d1
e4b8d1
* Fri Feb 27 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1k-4
e4b8d1
- fix bug in the RFC 5649 support (#1185878)
e4b8d1
e4b8d1
* Sat Feb 21 2015 Till Maas <opensource@till.name> - 1:1.0.1k-3
e4b8d1
- Rebuilt for Fedora 23 Change
e4b8d1
  https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
e4b8d1
e4b8d1
* Thu Jan 15 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1k-2
e4b8d1
- test in the non-FIPS RSA keygen for minimal distance of p and q
e4b8d1
  similarly to the FIPS RSA keygen
e4b8d1
e4b8d1
* Fri Jan  9 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1k-1
e4b8d1
- new upstream release fixing multiple security issues
e4b8d1
e4b8d1
* Thu Nov 20 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1j-3
e4b8d1
- disable SSLv3 by default again (mail servers and possibly
e4b8d1
  LDAP servers should probably allow it explicitly for legacy
e4b8d1
  clients)
e4b8d1
e4b8d1
* Tue Oct 21 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1j-2
e4b8d1
- update the FIPS RSA keygen to be FIPS 186-4 compliant
e4b8d1
e4b8d1
* Thu Oct 16 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1j-1
e4b8d1
- new upstream release fixing multiple security issues
e4b8d1
e4b8d1
* Fri Oct 10 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1i-5
e4b8d1
- copy negotiated digests when switching certs by SNI (#1150032)
e4b8d1
e4b8d1
* Mon Sep  8 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1i-4
e4b8d1
- add support for RFC 5649
e4b8d1
e4b8d1
* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.0.1i-3
e4b8d1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
e4b8d1
e4b8d1
* Wed Aug 13 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1i-2
e4b8d1
- drop RSA X9.31 from RSA FIPS selftests
e4b8d1
- add Power 8 optimizations
e4b8d1
e4b8d1
* Thu Aug  7 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1i-1
e4b8d1
- new upstream release fixing multiple moderate security issues
e4b8d1
- for now disable only SSLv2 by default
e4b8d1
e4b8d1
* Fri Jul 18 2014 Tom Callaway <spot@fedoraproject.org> 1.0.1h-6
e4b8d1
- fix license handling
e4b8d1
e4b8d1
* Mon Jun 30 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1h-5
e4b8d1
- disable SSLv2 and SSLv3 protocols by default (can be enabled
e4b8d1
  via appropriate SSL_CTX_clear_options() call)
e4b8d1
e4b8d1
* Wed Jun 11 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1h-4
e4b8d1
- use system profile for default cipher list
e4b8d1
e4b8d1
* Tue Jun 10 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1h-3
e4b8d1
- make FIPS mode keygen bit length restriction enforced only when
e4b8d1
  OPENSSL_ENFORCE_MODULUS_BITS is set
e4b8d1
- fix CVE-2014-0224 fix that broke EAP-FAST session resumption support
e4b8d1
e4b8d1
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.0.1h-2
e4b8d1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
e4b8d1
e4b8d1
* Thu Jun  5 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1h-1
e4b8d1
- new upstream release 1.0.1h
e4b8d1
e4b8d1
* Sat May 31 2014 Peter Robinson <pbrobinson@fedoraproject.org> 1.0.1g-2
e4b8d1
- Drop obsolete and irrelevant docs
e4b8d1
- Move devel docs to appropriate package
e4b8d1
e4b8d1
* Wed May  7 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1g-1
e4b8d1
- new upstream release 1.0.1g
e4b8d1
- do not include ECC ciphersuites in SSLv2 client hello (#1090952)
e4b8d1
- fail on hmac integrity check if the .hmac file is empty
e4b8d1
e4b8d1
* Mon Apr 07 2014 Dennis Gilmore <dennis@ausil.us> - 1.0.1e-44
e4b8d1
- pull in upstream patch for CVE-2014-0160
e4b8d1
- removed CHANGES file portion from patch for expediency
e4b8d1
e4b8d1
* Thu Apr  3 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-43
e4b8d1
- add support for ppc64le architecture (#1072633)
e4b8d1
e4b8d1
* Mon Mar 17 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42
e4b8d1
- properly detect encryption failure in BIO
e4b8d1
- use 2048 bit RSA key in FIPS selftests
e4b8d1
e4b8d1
* Fri Feb 14 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-41
e4b8d1
- use the key length from configuration file if req -newkey rsa is invoked
e4b8d1
e4b8d1
* Thu Feb 13 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-40
e4b8d1
- print ephemeral key size negotiated in TLS handshake (#1057715)
e4b8d1
- add DH_compute_key_padded needed for FIPS CAVS testing
e4b8d1
e4b8d1
* Thu Feb  6 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-39
e4b8d1
- make expiration and key length changeable by DAYS and KEYLEN
e4b8d1
  variables in the certificate Makefile (#1058108)
e4b8d1
- change default hash to sha256 (#1062325)
e4b8d1
e4b8d1
* Wed Jan 22 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-38
e4b8d1
- make 3des strength to be 128 bits instead of 168 (#1056616)
e4b8d1
e4b8d1
* Tue Jan  7 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-37
e4b8d1
- fix CVE-2013-4353 - Invalid TLS handshake crash
e4b8d1
- fix CVE-2013-6450 - possible MiTM attack on DTLS1
e4b8d1
e4b8d1
* Fri Dec 20 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-36
e4b8d1
- fix CVE-2013-6449 - crash when version in SSL structure is incorrect
e4b8d1
- more FIPS validation requirement changes
e4b8d1
e4b8d1
* Wed Dec 18 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-35
e4b8d1
- drop weak ciphers from the default TLS ciphersuite list
e4b8d1
- add back some symbols that were dropped with update to 1.0.1 branch
e4b8d1
- more FIPS validation requirement changes
e4b8d1
e4b8d1
* Tue Nov 19 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-34
e4b8d1
- fix locking and reseeding problems with FIPS drbg
e4b8d1
e4b8d1
* Fri Nov 15 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-33
e4b8d1
- additional changes required for FIPS validation
e4b8d1
e4b8d1
* Wed Nov 13 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-32
e4b8d1
- disable verification of certificate, CRL, and OCSP signatures
e4b8d1
  using MD5 if OPENSSL_ENABLE_MD5_VERIFY environment variable
e4b8d1
  is not set
e4b8d1
e4b8d1
* Fri Nov  8 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-31
e4b8d1
- add back support for secp521r1 EC curve
e4b8d1
- add aarch64 to Configure (#969692)
e4b8d1
e4b8d1
* Tue Oct 29 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-30
e4b8d1
- fix misdetection of RDRAND support on Cyrix CPUs (from upstream) (#1022346)
e4b8d1
e4b8d1
* Thu Oct 24 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-29
e4b8d1
- do not advertise ECC curves we do not support (#1022493)
e4b8d1
e4b8d1
* Wed Oct 16 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-28
e4b8d1
- only ECC NIST Suite B curves support
e4b8d1
- drop -fips subpackage
e4b8d1
e4b8d1
* Mon Oct 14 2013 Tom Callaway <spot@fedoraproject.org> - 1.0.1e-27
e4b8d1
- resolve bugzilla 319901 (phew! only took 6 years & 9 days)
e4b8d1
e4b8d1
* Fri Sep 27 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-26
e4b8d1
- make DTLS1 work in FIPS mode
e4b8d1
- avoid RSA and DSA 512 bits and Whirlpool in 'openssl speed' in FIPS mode
e4b8d1
e4b8d1
* Mon Sep 23 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-25
e4b8d1
- avoid dlopening libssl.so from libcrypto (#1010357)
e4b8d1
e4b8d1
* Fri Sep 20 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-24
e4b8d1
- fix small memory leak in FIPS aes selftest
e4b8d1
e4b8d1
* Thu Sep 19 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-23
e4b8d1
- fix segfault in openssl speed hmac in the FIPS mode
e4b8d1
e4b8d1
* Thu Sep 12 2013 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-22
e4b8d1
- document the nextprotoneg option in manual pages
e4b8d1
  original patch by Hubert Kario
e4b8d1
e4b8d1
* Tue Sep 10 2013 Kyle McMartin <kyle@redhat.com> 1.0.1e-21
e4b8d1
- [arm] use elf auxv to figure out armcap.c instead of playing silly
e4b8d1
  games with SIGILL handlers. (#1006474)
e4b8d1
e4b8d1
* Wed Sep  4 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-20
e4b8d1
- try to avoid some races when updating the -fips subpackage
e4b8d1
e4b8d1
* Mon Sep  2 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-19
e4b8d1
- use version-release in .hmac suffix to avoid overwrite
e4b8d1
  during upgrade
e4b8d1
e4b8d1
* Thu Aug 29 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-18
e4b8d1
- allow deinitialization of the FIPS mode
e4b8d1
e4b8d1
* Thu Aug 29 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-17
e4b8d1
- always perform the FIPS selftests in library constructor
e4b8d1
  if FIPS module is installed
e4b8d1
e4b8d1
* Tue Aug 27 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-16
e4b8d1
- add -fips subpackage that contains the FIPS module files
e4b8d1
e4b8d1
* Fri Aug 16 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-15
e4b8d1
- fix use of rdrand if available
e4b8d1
- more commits cherry picked from upstream
e4b8d1
- documentation fixes
e4b8d1
e4b8d1
* Sat Aug 03 2013 Petr Pisar <ppisar@redhat.com> - 1:1.0.1e-14
e4b8d1
- Perl 5.18 rebuild
e4b8d1
e4b8d1
* Fri Jul 26 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-13
e4b8d1
- additional manual page fix
e4b8d1
- use symbol versioning also for the textual version
e4b8d1
e4b8d1
* Thu Jul 25 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-12
e4b8d1
- additional manual page fixes
e4b8d1
e4b8d1
* Fri Jul 19 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-11
e4b8d1
- use _prefix macro
e4b8d1
e4b8d1
* Wed Jul 17 2013 Petr Pisar <ppisar@redhat.com> - 1:1.0.1e-10
e4b8d1
- Perl 5.18 rebuild
e4b8d1
e4b8d1
* Thu Jul 11 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-9
e4b8d1
- add openssl.cnf.5 manpage symlink to config.5
e4b8d1
e4b8d1
* Wed Jul 10 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-8
e4b8d1
- add relro linking flag
e4b8d1
e4b8d1
* Wed Jul 10 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-7
e4b8d1
- add support for the -trusted_first option for certificate chain verification
e4b8d1
e4b8d1
* Fri May  3 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-6
e4b8d1
- fix build of manual pages with current pod2man (#959439)
e4b8d1
e4b8d1
* Sun Apr 21 2013 Peter Robinson <pbrobinson@fedoraproject.org> 1.0.1e-5
e4b8d1
- Enable ARM optimised build
e4b8d1
e4b8d1
* Mon Mar 18 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-4
e4b8d1
- fix random bad record mac errors (#918981)
e4b8d1
e4b8d1
* Tue Feb 19 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-3
e4b8d1
- fix up the SHLIB_VERSION_NUMBER
e4b8d1
e4b8d1
* Tue Feb 19 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-2
e4b8d1
- disable ZLIB loading by default (due to CRIME attack)
e4b8d1
e4b8d1
* Tue Feb 19 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-1
e4b8d1
- new upstream version
e4b8d1
e4b8d1
* Wed Jan 30 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1c-12
e4b8d1
- more fixes from upstream
e4b8d1
- fix errors in manual causing build failure (#904777)
e4b8d1
e4b8d1
* Fri Dec 21 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1c-11
e4b8d1
- add script for renewal of a self-signed cert by Philip Prindeville (#871566)
e4b8d1
- allow X509_issuer_and_serial_hash() produce correct result in
e4b8d1
  the FIPS mode (#881336)
e4b8d1
e4b8d1
* Thu Dec  6 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1c-10
e4b8d1
- do not load default verify paths if CApath or CAfile specified (#884305)
e4b8d1
e4b8d1
* Tue Nov 20 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1c-9
e4b8d1
- more fixes from upstream CVS
e4b8d1
- fix DSA key pairwise check (#878597)
e4b8d1
e4b8d1
* Thu Nov 15 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1c-8
e4b8d1
- use 1024 bit DH parameters in s_server as 512 bit is not allowed
e4b8d1
  in FIPS mode and it is quite weak anyway
e4b8d1
e4b8d1
* Mon Sep 10 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1c-7
e4b8d1
- add missing initialization of str in aes_ccm_init_key (#853963)
e4b8d1
- add important patches from upstream CVS
e4b8d1
- use the secure_getenv() with new glibc
e4b8d1
e4b8d1
* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1:1.0.1c-6
e4b8d1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
e4b8d1
e4b8d1
* Fri Jul 13 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1c-5
e4b8d1
- use __getenv_secure() instead of __libc_enable_secure
e4b8d1
e4b8d1
* Fri Jul 13 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1c-4
e4b8d1
- do not move libcrypto to /lib
e4b8d1
- do not use environment variables if __libc_enable_secure is on
e4b8d1
- fix strict aliasing problems in modes
e4b8d1
e4b8d1
* Thu Jul 12 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1c-3
e4b8d1
- fix DSA key generation in FIPS mode (#833866)
e4b8d1
- allow duplicate FIPS_mode_set(1)
e4b8d1
- enable build on ppc64 subarch (#834652)
e4b8d1
e4b8d1
* Wed Jul 11 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1c-2
e4b8d1
- fix s_server with new glibc when no global IPv6 address (#839031)
e4b8d1
- make it build with new Perl
e4b8d1
e4b8d1
* Tue May 15 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1c-1
e4b8d1
- new upstream version
e4b8d1
e4b8d1
* Thu Apr 26 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1b-1
e4b8d1
- new upstream version
e4b8d1
e4b8d1
* Fri Apr 20 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1a-1
e4b8d1
- new upstream version fixing CVE-2012-2110
e4b8d1
e4b8d1
* Wed Apr 11 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1-3
e4b8d1
- add Kerberos 5 libraries to pkgconfig for static linking (#807050)
e4b8d1
e4b8d1
* Thu Apr  5 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1-2
e4b8d1
- backports from upstream CVS
e4b8d1
- fix segfault when /dev/urandom is not available (#809586)
e4b8d1
e4b8d1
* Wed Mar 14 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1-1
e4b8d1
- new upstream release
e4b8d1
e4b8d1
* Mon Mar  5 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1-0.3.beta3
e4b8d1
- add obsoletes to assist multilib updates (#799636)
e4b8d1
e4b8d1
* Wed Feb 29 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1-0.2.beta3
e4b8d1
- epoch bumped to 1 due to revert to 1.0.0g on Fedora 17
e4b8d1
- new upstream release from the 1.0.1 branch
e4b8d1
- fix s390x build (#798411)
e4b8d1
- versioning for the SSLeay symbol (#794950)
e4b8d1
- add -DPURIFY to build flags (#797323)
e4b8d1
- filter engine provides
e4b8d1
- split the libraries to a separate -libs package
e4b8d1
- add make to requires on the base package (#783446)
e4b8d1
e4b8d1
* Tue Feb  7 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1-0.1.beta2
e4b8d1
- new upstream release from the 1.0.1 branch, ABI compatible
e4b8d1
- add documentation for the -no_ign_eof option
e4b8d1
e4b8d1
* Thu Jan 19 2012 Tomas Mraz <tmraz@redhat.com> 1.0.0g-1
e4b8d1
- new upstream release fixing CVE-2012-0050 - DoS regression in
e4b8d1
  DTLS support introduced by the previous release (#782795)
e4b8d1
e4b8d1
* Thu Jan  5 2012 Tomas Mraz <tmraz@redhat.com> 1.0.0f-1
e4b8d1
- new upstream release fixing multiple CVEs
e4b8d1
e4b8d1
* Tue Nov 22 2011 Tomas Mraz <tmraz@redhat.com> 1.0.0e-4
e4b8d1
- move the libraries needed for static linking to Libs.private
e4b8d1
e4b8d1
* Thu Nov  3 2011 Tomas Mraz <tmraz@redhat.com> 1.0.0e-3
e4b8d1
- do not use AVX instructions when osxsave bit not set
e4b8d1
- add direct known answer tests for SHA2 algorithms
e4b8d1
e4b8d1
* Wed Sep 21 2011 Tomas Mraz <tmraz@redhat.com> 1.0.0e-2
e4b8d1
- fix missing initialization of variable in CHIL engine
e4b8d1
e4b8d1
* Wed Sep  7 2011 Tomas Mraz <tmraz@redhat.com> 1.0.0e-1
e4b8d1
- new upstream release fixing CVE-2011-3207 (#736088)
e4b8d1
e4b8d1
* Wed Aug 24 2011 Tomas Mraz <tmraz@redhat.com> 1.0.0d-8
e4b8d1
- drop the separate engine for Intel acceleration improvements
e4b8d1
  and merge in the AES-NI, SHA1, and RC4 optimizations
e4b8d1
- add support for OPENSSL_DISABLE_AES_NI environment variable
e4b8d1
  that disables the AES-NI support
e4b8d1
e4b8d1
* Tue Jul 26 2011 Tomas Mraz <tmraz@redhat.com> 1.0.0d-7
e4b8d1
- correct openssl cms help output (#636266)
e4b8d1
- more tolerant starttls detection in XMPP protocol (#608239)
e4b8d1
e4b8d1
* Wed Jul 20 2011 Tomas Mraz <tmraz@redhat.com> 1.0.0d-6
e4b8d1
- add support for newest Intel acceleration improvements backported
e4b8d1
  from upstream by Intel in form of a separate engine
e4b8d1
e4b8d1
* Thu Jun  9 2011 Tomas Mraz <tmraz@redhat.com> 1.0.0d-5
e4b8d1
- allow the AES-NI engine in the FIPS mode
e4b8d1
e4b8d1
* Tue May 24 2011 Tomas Mraz <tmraz@redhat.com> 1.0.0d-4
e4b8d1
- add API necessary for CAVS testing of the new DSA parameter generation
e4b8d1
e4b8d1
* Thu Apr 28 2011 Tomas Mraz <tmraz@redhat.com> 1.0.0d-3
e4b8d1
- add support for VIA Padlock on 64bit arch from upstream (#617539)
e4b8d1
- do not return bogus values from load_certs (#652286)
e4b8d1
e4b8d1
* Tue Apr  5 2011 Tomas Mraz <tmraz@redhat.com> 1.0.0d-2
e4b8d1
- clarify apps help texts for available digest algorithms (#693858)
e4b8d1
e4b8d1
* Thu Feb 10 2011 Tomas Mraz <tmraz@redhat.com> 1.0.0d-1
e4b8d1
- new upstream release fixing CVE-2011-0014 (OCSP stapling vulnerability)
e4b8d1
e4b8d1
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.0c-4
e4b8d1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
e4b8d1
e4b8d1
* Fri Feb  4 2011 Tomas Mraz <tmraz@redhat.com> 1.0.0c-3
e4b8d1
- add -x931 parameter to openssl genrsa command to use the ANSI X9.31
e4b8d1
  key generation method
e4b8d1
- use FIPS-186-3 method for DSA parameter generation
e4b8d1
- add OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW environment variable
e4b8d1
  to allow using MD5 when the system is in the maintenance state
e4b8d1
  even if the /proc fips flag is on
e4b8d1
- make openssl pkcs12 command work by default in the FIPS mode
e4b8d1
e4b8d1
* Mon Jan 24 2011 Tomas Mraz <tmraz@redhat.com> 1.0.0c-2
e4b8d1
- listen on ipv6 wildcard in s_server so we accept connections
e4b8d1
  from both ipv4 and ipv6 (#601612)
e4b8d1
- fix openssl speed command so it can be used in the FIPS mode
e4b8d1
  with FIPS allowed ciphers
e4b8d1
e4b8d1
* Fri Dec  3 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0c-1
e4b8d1
- new upstream version fixing CVE-2010-4180
e4b8d1
e4b8d1
* Tue Nov 23 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0b-3
e4b8d1
- replace the revert for the s390x bignum asm routines with
e4b8d1
  fix from upstream
e4b8d1
e4b8d1
* Mon Nov 22 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0b-2
e4b8d1
- revert upstream change in s390x bignum asm routines
e4b8d1
e4b8d1
* Tue Nov 16 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0b-1
e4b8d1
- new upstream version fixing CVE-2010-3864 (#649304)
e4b8d1
e4b8d1
* Tue Sep  7 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0a-3
e4b8d1
- make SHLIB_VERSION reflect the library suffix
e4b8d1
e4b8d1
* Wed Jun 30 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0a-2
e4b8d1
- openssl man page fix (#609484)
e4b8d1
e4b8d1
* Fri Jun  4 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0a-1
e4b8d1
- new upstream patch release, fixes CVE-2010-0742 (#598738)
e4b8d1
  and CVE-2010-1633 (#598732)
e4b8d1
e4b8d1
* Wed May 19 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-5
e4b8d1
- pkgconfig files now contain the correct libdir (#593723)
e4b8d1
e4b8d1
* Tue May 18 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-4
e4b8d1
- make CA dir readable - the private keys are in private subdir (#584810)
e4b8d1
e4b8d1
* Fri Apr  9 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-3
e4b8d1
- a few fixes from upstream CVS
e4b8d1
- move libcrypto to /lib (#559953)
e4b8d1
e4b8d1
* Tue Apr  6 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-2
e4b8d1
- set UTC timezone on pod2man run (#578842)
e4b8d1
- make X509_NAME_hash_old work in FIPS mode
e4b8d1
e4b8d1
* Tue Mar 30 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-1
e4b8d1
- update to final 1.0.0 upstream release
e4b8d1
e4b8d1
* Tue Feb 16 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.22.beta5
e4b8d1
- make TLS work in the FIPS mode
e4b8d1
e4b8d1
* Fri Feb 12 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.21.beta5
e4b8d1
- gracefully handle zero length in assembler implementations of
e4b8d1
  OPENSSL_cleanse (#564029)
e4b8d1
- do not fail in s_server if client hostname not resolvable (#561260)
e4b8d1
e4b8d1
* Wed Jan 20 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.20.beta5
e4b8d1
- new upstream release
e4b8d1
e4b8d1
* Thu Jan 14 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.19.beta4
e4b8d1
- fix CVE-2009-4355 - leak in applications incorrectly calling
e4b8d1
  CRYPTO_free_all_ex_data() before application exit (#546707)
e4b8d1
- upstream fix for future TLS protocol version handling
e4b8d1
e4b8d1
* Wed Jan 13 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.18.beta4
e4b8d1
- add support for Intel AES-NI
e4b8d1
e4b8d1
* Thu Jan  7 2010 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.17.beta4
e4b8d1
- upstream fix compression handling on session resumption
e4b8d1
- various null checks and other small fixes from upstream
e4b8d1
- upstream changes for the renegotiation info according to the latest draft
e4b8d1
e4b8d1
* Mon Nov 23 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.16.beta4
e4b8d1
- fix non-fips mingw build (patch by Kalev Lember)
e4b8d1
- add IPV6 fix for DTLS
e4b8d1
e4b8d1
* Fri Nov 20 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.15.beta4
e4b8d1
- add better error reporting for the unsafe renegotiation
e4b8d1
e4b8d1
* Fri Nov 20 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.14.beta4
e4b8d1
- fix build on s390x
e4b8d1
e4b8d1
* Wed Nov 18 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.13.beta4
e4b8d1
- disable enforcement of the renegotiation extension on the client (#537962)
e4b8d1
- add fixes from the current upstream snapshot
e4b8d1
e4b8d1
* Fri Nov 13 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.12.beta4
e4b8d1
- keep the beta status in version number at 3 so we do not have to rebuild
e4b8d1
  openssh and possibly other dependencies with too strict version check
e4b8d1
e4b8d1
* Thu Nov 12 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.11.beta4
e4b8d1
- update to new upstream version, no soname bump needed
e4b8d1
- fix CVE-2009-3555 - note that the fix is bypassed if SSL_OP_ALL is used
e4b8d1
  so the compatibility with unfixed clients is not broken. The
e4b8d1
  protocol extension is also not final.
e4b8d1
e4b8d1
* Fri Oct 16 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.10.beta3
e4b8d1
- fix use of freed memory if SSL_CTX_free() is called before
e4b8d1
  SSL_free() (#521342)
e4b8d1
e4b8d1
* Thu Oct  8 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.9.beta3
e4b8d1
- fix typo in DTLS1 code (#527015)
e4b8d1
- fix leak in error handling of d2i_SSL_SESSION()
e4b8d1
e4b8d1
* Wed Sep 30 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.8.beta3
e4b8d1
- fix RSA and DSA FIPS selftests
e4b8d1
- reenable fixed x86_64 camellia assembler code (#521127)
e4b8d1
e4b8d1
* Fri Sep  4 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.7.beta3
e4b8d1
- temporarily disable x86_64 camellia assembler code (#521127)
e4b8d1
e4b8d1
* Mon Aug 31 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.6.beta3
e4b8d1
- fix openssl dgst -dss1 (#520152)
e4b8d1
e4b8d1
* Wed Aug 26 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.5.beta3
e4b8d1
- drop the compat symlink hacks
e4b8d1
e4b8d1
* Sat Aug 22 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.4.beta3
e4b8d1
- constify SSL_CIPHER_description()
e4b8d1
e4b8d1
* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.3.beta3
e4b8d1
- fix WWW:Curl:Easy reference in tsget
e4b8d1
e4b8d1
* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.2.beta3
e4b8d1
- enable MD-2
e4b8d1
e4b8d1
* Thu Aug 20 2009 Tomas Mraz <tmraz@redhat.com> 1.0.0-0.1.beta3
e4b8d1
- update to new major upstream release
e4b8d1
e4b8d1
* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9.8k-7
e4b8d1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
e4b8d1
e4b8d1
* Wed Jul 22 2009 Bill Nottingham <notting@redhat.com>
e4b8d1
- do not build special 'optimized' versions for i686, as that's the base
e4b8d1
  arch in Fedora now
e4b8d1
e4b8d1
* Tue Jun 30 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8k-6
e4b8d1
- abort if selftests failed and random number generator is polled
e4b8d1
- mention EVP_aes and EVP_sha2xx routines in the manpages
e4b8d1
- add README.FIPS
e4b8d1
- make CA dir absolute path (#445344)
e4b8d1
- change default length for RSA key generation to 2048 (#484101)
e4b8d1
e4b8d1
* Thu May 21 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8k-5
e4b8d1
- fix CVE-2009-1377 CVE-2009-1378 CVE-2009-1379
e4b8d1
  (DTLS DoS problems) (#501253, #501254, #501572)
e4b8d1
e4b8d1
* Tue Apr 21 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8k-4
e4b8d1
- support compatibility DTLS mode for CISCO AnyConnect (#464629)
e4b8d1
e4b8d1
* Fri Apr 17 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8k-3
e4b8d1
- correct the SHLIB_VERSION define
e4b8d1
e4b8d1
* Wed Apr 15 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8k-2
e4b8d1
- add support for multiple CRLs with same subject
e4b8d1
- load only dynamic engine support in FIPS mode
e4b8d1
e4b8d1
* Wed Mar 25 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8k-1
e4b8d1
- update to new upstream release (minor bug fixes, security
e4b8d1
  fixes and machine code optimizations only)
e4b8d1
e4b8d1
* Thu Mar 19 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8j-10
e4b8d1
- move libraries to /usr/lib (#239375)
e4b8d1
e4b8d1
* Fri Mar 13 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8j-9
e4b8d1
- add a static subpackage
e4b8d1
e4b8d1
* Thu Feb 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9.8j-8
e4b8d1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
e4b8d1
e4b8d1
* Mon Feb  2 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8j-7
e4b8d1
- must also verify checksum of libssl.so in the FIPS mode
e4b8d1
- obtain the seed for FIPS rng directly from the kernel device
e4b8d1
- drop the temporary symlinks
e4b8d1
e4b8d1
* Mon Jan 26 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8j-6
e4b8d1
- drop the temporary triggerpostun and symlinking in post
e4b8d1
- fix the pkgconfig files and drop the unnecessary buildrequires
e4b8d1
  on pkgconfig as it is a rpmbuild dependency (#481419)
e4b8d1
e4b8d1
* Sat Jan 17 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8j-5
e4b8d1
- add temporary triggerpostun to reinstate the symlinks
e4b8d1
e4b8d1
* Sat Jan 17 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8j-4
e4b8d1
- no pairwise key tests in non-fips mode (#479817)
e4b8d1
e4b8d1
* Fri Jan 16 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8j-3
e4b8d1
- even more robust test for the temporary symlinks
e4b8d1
e4b8d1
* Fri Jan 16 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8j-2
e4b8d1
- try to ensure the temporary symlinks exist
e4b8d1
e4b8d1
* Thu Jan 15 2009 Tomas Mraz <tmraz@redhat.com> 0.9.8j-1
e4b8d1
- new upstream version with necessary soname bump (#455753)
e4b8d1
- temporarily provide symlink to old soname to make it possible to rebuild
e4b8d1
  the dependent packages in rawhide
e4b8d1
- add eap-fast support (#428181)
e4b8d1
- add possibility to disable zlib by setting
e4b8d1
- add fips mode support for testing purposes
e4b8d1
- do not null dereference on some invalid smime files
e4b8d1
- add buildrequires pkgconfig (#479493)
e4b8d1
e4b8d1
* Sun Aug 10 2008 Tomas Mraz <tmraz@redhat.com> 0.9.8g-11
e4b8d1
- do not add tls extensions to server hello for SSLv3 either
e4b8d1
e4b8d1
* Mon Jun  2 2008 Joe Orton <jorton@redhat.com> 0.9.8g-10
e4b8d1
- move root CA bundle to ca-certificates package
e4b8d1
e4b8d1
* Wed May 28 2008 Tomas Mraz <tmraz@redhat.com> 0.9.8g-9
e4b8d1
- fix CVE-2008-0891 - server name extension crash (#448492)
e4b8d1
- fix CVE-2008-1672 - server key exchange message omit crash (#448495)
e4b8d1
e4b8d1
* Tue May 27 2008 Tomas Mraz <tmraz@redhat.com> 0.9.8g-8
e4b8d1
- super-H arch support
e4b8d1
- drop workaround for bug 199604 as it should be fixed in gcc-4.3
e4b8d1
e4b8d1
* Mon May 19 2008 Tom "spot" Callaway <tcallawa@redhat.com> 0.9.8g-7
e4b8d1
- sparc handling
e4b8d1
e4b8d1
* Mon Mar 10 2008 Joe Orton <jorton@redhat.com> 0.9.8g-6
e4b8d1
- update to new root CA bundle from mozilla.org (r1.45)
e4b8d1
e4b8d1
* Wed Feb 20 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 0.9.8g-5
e4b8d1
- Autorebuild for GCC 4.3
e4b8d1
e4b8d1
* Thu Jan 24 2008 Tomas Mraz <tmraz@redhat.com> 0.9.8g-4
e4b8d1
- merge review fixes (#226220)
e4b8d1
- adjust the SHLIB_VERSION_NUMBER to reflect library name (#429846)
e4b8d1
e4b8d1
* Thu Dec 13 2007 Tomas Mraz <tmraz@redhat.com> 0.9.8g-3
e4b8d1
- set default paths when no explicit paths are set (#418771)
e4b8d1
- do not add tls extensions to client hello for SSLv3 (#422081)
e4b8d1
e4b8d1
* Tue Dec  4 2007 Tomas Mraz <tmraz@redhat.com> 0.9.8g-2
e4b8d1
- enable some new crypto algorithms and features
e4b8d1
- add some more important bug fixes from openssl CVS
e4b8d1
e4b8d1
* Mon Dec  3 2007 Tomas Mraz <tmraz@redhat.com> 0.9.8g-1
e4b8d1
- update to latest upstream release, SONAME bumped to 7
e4b8d1
e4b8d1
* Mon Oct 15 2007 Joe Orton <jorton@redhat.com> 0.9.8b-17
e4b8d1
- update to new CA bundle from mozilla.org
e4b8d1
e4b8d1
* Fri Oct 12 2007 Tomas Mraz <tmraz@redhat.com> 0.9.8b-16
e4b8d1
- fix CVE-2007-5135 - off-by-one in SSL_get_shared_ciphers (#309801)
e4b8d1
- fix CVE-2007-4995 - out of order DTLS fragments buffer overflow (#321191)
e4b8d1
- add alpha sub-archs (#296031)
e4b8d1
e4b8d1
* Tue Aug 21 2007 Tomas Mraz <tmraz@redhat.com> 0.9.8b-15
e4b8d1
- rebuild
e4b8d1
e4b8d1
* Fri Aug  3 2007 Tomas Mraz <tmraz@redhat.com> 0.9.8b-14
e4b8d1
- use localhost in testsuite, hopefully fixes slow build in koji
e4b8d1
- CVE-2007-3108 - fix side channel attack on private keys (#250577)
e4b8d1
- make ssl session cache id matching strict (#233599)
e4b8d1
e4b8d1
* Wed Jul 25 2007 Tomas Mraz <tmraz@redhat.com> 0.9.8b-13
e4b8d1
- allow building on ARM architectures (#245417)
e4b8d1
- use reference timestamps to prevent multilib conflicts (#218064)
e4b8d1
- -devel package must require pkgconfig (#241031)
e4b8d1
e4b8d1
* Mon Dec 11 2006 Tomas Mraz <tmraz@redhat.com> 0.9.8b-12
e4b8d1
- detect duplicates in add_dir properly (#206346)
e4b8d1
e4b8d1
* Thu Nov 30 2006 Tomas Mraz <tmraz@redhat.com> 0.9.8b-11
e4b8d1
- the previous change still didn't make X509_NAME_cmp transitive
e4b8d1
e4b8d1
* Thu Nov 23 2006 Tomas Mraz <tmraz@redhat.com> 0.9.8b-10
e4b8d1
- make X509_NAME_cmp transitive otherwise certificate lookup
e4b8d1
  is broken (#216050)
e4b8d1
e4b8d1
* Thu Nov  2 2006 Tomas Mraz <tmraz@redhat.com> 0.9.8b-9
e4b8d1
- aliasing bug in engine loading, patch by IBM (#213216)
e4b8d1
e4b8d1
* Mon Oct  2 2006 Tomas Mraz <tmraz@redhat.com> 0.9.8b-8
e4b8d1
- CVE-2006-2940 fix was incorrect (#208744)
e4b8d1
e4b8d1
* Mon Sep 25 2006 Tomas Mraz <tmraz@redhat.com> 0.9.8b-7
e4b8d1
- fix CVE-2006-2937 - mishandled error on ASN.1 parsing (#207276)
e4b8d1
- fix CVE-2006-2940 - parasitic public keys DoS (#207274)
e4b8d1
- fix CVE-2006-3738 - buffer overflow in SSL_get_shared_ciphers (#206940)
e4b8d1
- fix CVE-2006-4343 - sslv2 client DoS (#206940)
e4b8d1
e4b8d1
* Tue Sep  5 2006 Tomas Mraz <tmraz@redhat.com> 0.9.8b-6
e4b8d1
- fix CVE-2006-4339 - prevent attack on PKCS#1 v1.5 signatures (#205180)
e4b8d1
e4b8d1
* Wed Aug  2 2006 Tomas Mraz <tmraz@redhat.com> - 0.9.8b-5
e4b8d1
- set buffering to none on stdio/stdout FILE when bufsize is set (#200580)
e4b8d1
  patch by IBM
e4b8d1
e4b8d1
* Fri Jul 28 2006 Alexandre Oliva <aoliva@redhat.com> - 0.9.8b-4.1
e4b8d1
- rebuild with new binutils (#200330)
e4b8d1
e4b8d1
* Fri Jul 21 2006 Tomas Mraz <tmraz@redhat.com> - 0.9.8b-4
e4b8d1
- add a temporary workaround for sha512 test failure on s390 (#199604)
e4b8d1
e4b8d1
* Thu Jul 20 2006 Tomas Mraz <tmraz@redhat.com>
e4b8d1
- add ipv6 support to s_client and s_server (by Jan Pazdziora) (#198737)
e4b8d1
- add patches for BN threadsafety, AES cache collision attack hazard fix and
e4b8d1
  pkcs7 code memleak fix from upstream CVS
e4b8d1
e4b8d1
* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 0.9.8b-3.1
e4b8d1
- rebuild
e4b8d1
e4b8d1
* Wed Jun 21 2006 Tomas Mraz <tmraz@redhat.com> - 0.9.8b-3
e4b8d1
- dropped libica and ica engine from build
e4b8d1
e4b8d1
* Wed Jun 21 2006 Joe Orton <jorton@redhat.com>
e4b8d1
- update to new CA bundle from mozilla.org; adds CA certificates
e4b8d1
  from netlock.hu and startcom.org
e4b8d1
e4b8d1
* Mon Jun  5 2006 Tomas Mraz <tmraz@redhat.com> - 0.9.8b-2
e4b8d1
- fixed a few rpmlint warnings
e4b8d1
- better fix for #173399 from upstream
e4b8d1
- upstream fix for pkcs12
e4b8d1
e4b8d1
* Thu May 11 2006 Tomas Mraz <tmraz@redhat.com> - 0.9.8b-1
e4b8d1
- upgrade to new version, stays ABI compatible
e4b8d1
- there is no more linux/config.h (it was empty anyway)
e4b8d1
e4b8d1
* Tue Apr  4 2006 Tomas Mraz <tmraz@redhat.com> - 0.9.8a-6
e4b8d1
- fix stale open handles in libica (#177155)
e4b8d1
- fix build if 'rand' or 'passwd' in buildroot path (#178782)
e4b8d1
- initialize VIA Padlock engine (#186857)
e4b8d1
e4b8d1
* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 0.9.8a-5.2
e4b8d1
- bump again for double-long bug on ppc(64)
e4b8d1
e4b8d1
* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 0.9.8a-5.1
e4b8d1
- rebuilt for new gcc4.1 snapshot and glibc changes
e4b8d1
e4b8d1
* Thu Dec 15 2005 Tomas Mraz <tmraz@redhat.com> 0.9.8a-5
e4b8d1
- don't include SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
e4b8d1
  in SSL_OP_ALL (#175779)
e4b8d1
e4b8d1
* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
e4b8d1
- rebuilt
e4b8d1
e4b8d1
* Tue Nov 29 2005 Tomas Mraz <tmraz@redhat.com> 0.9.8a-4
e4b8d1
- fix build (-lcrypto was erroneously dropped) of the updated libica
e4b8d1
- updated ICA engine to 1.3.6-rc3
e4b8d1
e4b8d1
* Tue Nov 22 2005 Tomas Mraz <tmraz@redhat.com> 0.9.8a-3
e4b8d1
- disable builtin compression methods for now until they work
e4b8d1
  properly (#173399)
e4b8d1
e4b8d1
* Wed Nov 16 2005 Tomas Mraz <tmraz@redhat.com> 0.9.8a-2
e4b8d1
- don't set -rpath for openssl binary
e4b8d1
e4b8d1
* Tue Nov  8 2005 Tomas Mraz <tmraz@redhat.com> 0.9.8a-1
e4b8d1
- new upstream version
e4b8d1
- patches partially renumbered
e4b8d1
e4b8d1
* Fri Oct 21 2005 Tomas Mraz <tmraz@redhat.com> 0.9.7f-11
e4b8d1
- updated IBM ICA engine library and patch to latest upstream version
e4b8d1
e4b8d1
* Wed Oct 12 2005 Tomas Mraz <tmraz@redhat.com> 0.9.7f-10
e4b8d1
- fix CAN-2005-2969 - remove SSL_OP_MSIE_SSLV2_RSA_PADDING which
e4b8d1
  disables the countermeasure against man in the middle attack in SSLv2
e4b8d1
  (#169863)
e4b8d1
- use sha1 as default for CA and cert requests - CAN-2005-2946 (#169803)
e4b8d1
e4b8d1
* Tue Aug 23 2005 Tomas Mraz <tmraz@redhat.com> 0.9.7f-9
e4b8d1
- add *.so.soversion as symlinks in /lib (#165264)
e4b8d1
- remove unpackaged symlinks (#159595)
e4b8d1
- fixes from upstream (constant time fixes for DSA,
e4b8d1
  bn assembler div on ppc arch, initialize memory on realloc)
e4b8d1
e4b8d1
* Thu Aug 11 2005 Phil Knirsch <pknirsch@redhat.com> 0.9.7f-8
e4b8d1
- Updated ICA engine IBM patch to latest upstream version.
e4b8d1
e4b8d1
* Thu May 19 2005 Tomas Mraz <tmraz@redhat.com> 0.9.7f-7
e4b8d1
- fix CAN-2005-0109 - use constant time/memory access mod_exp
e4b8d1
  so bits of private key aren't leaked by cache eviction (#157631)
e4b8d1
- a few more fixes from upstream 0.9.7g
e4b8d1
e4b8d1
* Wed Apr 27 2005 Tomas Mraz <tmraz@redhat.com> 0.9.7f-6
e4b8d1
- use poll instead of select in rand (#128285)
e4b8d1
- fix Makefile.certificate to point to /etc/pki/tls
e4b8d1
- change the default string mask in ASN1 to PrintableString+UTF8String
e4b8d1
e4b8d1
* Mon Apr 25 2005 Joe Orton <jorton@redhat.com> 0.9.7f-5
e4b8d1
- update to revision 1.37 of Mozilla CA bundle
e4b8d1
e4b8d1
* Thu Apr 21 2005 Tomas Mraz <tmraz@redhat.com> 0.9.7f-4
e4b8d1
- move certificates to _sysconfdir/pki/tls (#143392)
e4b8d1
- move CA directories to _sysconfdir/pki/CA
e4b8d1
- patch the CA script and the default config so it points to the
e4b8d1
  CA directories
e4b8d1
e4b8d1
* Fri Apr  1 2005 Tomas Mraz <tmraz@redhat.com> 0.9.7f-3
e4b8d1
- uninitialized variable mustn't be used as input in inline
e4b8d1
  assembly
e4b8d1
- reenable the x86_64 assembly again
e4b8d1
e4b8d1
* Thu Mar 31 2005 Tomas Mraz <tmraz@redhat.com> 0.9.7f-2
e4b8d1
- add back RC4_CHAR on ia64 and x86_64 so the ABI isn't broken
e4b8d1
- disable broken bignum assembly on x86_64
e4b8d1
e4b8d1
* Wed Mar 30 2005 Tomas Mraz <tmraz@redhat.com> 0.9.7f-1
e4b8d1
- reenable optimizations on ppc64 and assembly code on ia64
e4b8d1
- upgrade to new upstream version (no soname bump needed)
e4b8d1
- disable thread test - it was testing the backport of the
e4b8d1
  RSA blinding - no longer needed
e4b8d1
- added support for changing serial number to
e4b8d1
  Makefile.certificate (#151188)
e4b8d1
- make ca-bundle.crt a config file (#118903)
e4b8d1
e4b8d1
* Tue Mar  1 2005 Tomas Mraz <tmraz@redhat.com> 0.9.7e-3
e4b8d1
- libcrypto shouldn't depend on libkrb5 (#135961)
e4b8d1
e4b8d1
* Mon Feb 28 2005 Tomas Mraz <tmraz@redhat.com> 0.9.7e-2
e4b8d1
- rebuild
e4b8d1
e4b8d1
* Mon Feb 28 2005 Tomas Mraz <tmraz@redhat.com> 0.9.7e-1
e4b8d1
- new upstream source, updated patches
e4b8d1
- added patch so we are hopefully ABI compatible with upcoming
e4b8d1
  0.9.7f
e4b8d1
e4b8d1
* Thu Feb 10 2005 Tomas Mraz <tmraz@redhat.com>
e4b8d1
- Support UTF-8 charset in the Makefile.certificate (#134944)
e4b8d1
- Added cmp to BuildPrereq
e4b8d1
e4b8d1
* Thu Jan 27 2005 Joe Orton <jorton@redhat.com> 0.9.7a-46
e4b8d1
- generate new ca-bundle.crt from Mozilla certdata.txt (revision 1.32)
e4b8d1
e4b8d1
* Thu Dec 23 2004 Phil Knirsch <pknirsch@redhat.com> 0.9.7a-45
e4b8d1
- Fixed and updated libica-1.3.4-urandom.patch patch (#122967)
e4b8d1
e4b8d1
* Fri Nov 19 2004 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-44
e4b8d1
- rebuild
e4b8d1
e4b8d1
* Fri Nov 19 2004 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-43
e4b8d1
- rebuild
e4b8d1
e4b8d1
* Fri Nov 19 2004 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-42
e4b8d1
- rebuild
e4b8d1
e4b8d1
* Fri Nov 19 2004 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-41
e4b8d1
- remove der_chop, as upstream cvs has done (CAN-2004-0975, #140040)
e4b8d1
e4b8d1
* Tue Oct 05 2004 Phil Knirsch <pknirsch@redhat.com> 0.9.7a-40
e4b8d1
- Include latest libica version with important bugfixes
e4b8d1
e4b8d1
* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
e4b8d1
- rebuilt
e4b8d1
e4b8d1
* Mon Jun 14 2004 Phil Knirsch <pknirsch@redhat.com> 0.9.7a-38
e4b8d1
- Updated ICA engine IBM patch to latest upstream version.
e4b8d1
e4b8d1
* Mon Jun  7 2004 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-37
e4b8d1
- build for linux-alpha-gcc instead of alpha-gcc on alpha (Jeff Garzik)
e4b8d1
e4b8d1
* Tue May 25 2004 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-36
e4b8d1
- handle %%{_arch}=i486/i586/i686/athlon cases in the intermediate
e4b8d1
  header (#124303)
e4b8d1
e4b8d1
* Thu Mar 25 2004 Joe Orton <jorton@redhat.com> 0.9.7a-35
e4b8d1
- add security fixes for CAN-2004-0079, CAN-2004-0112
e4b8d1
e4b8d1
* Tue Mar 16 2004 Phil Knirsch <pknirsch@redhat.com>
e4b8d1
- Fixed libica filespec.
e4b8d1
e4b8d1
* Thu Mar 11 2004 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-34
e4b8d1
- ppc/ppc64 define __powerpc__/__powerpc64__, not __ppc__/__ppc64__, fix
e4b8d1
  the intermediate header
e4b8d1
e4b8d1
* Wed Mar 10 2004 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-33
e4b8d1
- add an intermediate <openssl/opensslconf.h> which points to the right
e4b8d1
  arch-specific opensslconf.h on multilib arches
e4b8d1
e4b8d1
* Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com>
e4b8d1
- rebuilt
e4b8d1
e4b8d1
* Thu Feb 26 2004 Phil Knirsch <pknirsch@redhat.com> 0.9.7a-32
e4b8d1
- Updated libica to latest upstream version 1.3.5.
e4b8d1
e4b8d1
* Tue Feb 17 2004 Phil Knirsch <pknirsch@redhat.com> 0.9.7a-31
e4b8d1
- Update ICA crypto engine patch from IBM to latest version.
e4b8d1
e4b8d1
* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
e4b8d1
- rebuilt
e4b8d1
e4b8d1
* Fri Feb 13 2004 Phil Knirsch <pknirsch@redhat.com> 0.9.7a-29
e4b8d1
- rebuilt
e4b8d1
e4b8d1
* Wed Feb 11 2004 Phil Knirsch <pknirsch@redhat.com> 0.9.7a-28
e4b8d1
- Fixed libica build.
e4b8d1
e4b8d1
* Wed Feb  4 2004 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- add "-ldl" to link flags added for Linux-on-ARM (#99313)
e4b8d1
e4b8d1
* Wed Feb  4 2004 Joe Orton <jorton@redhat.com> 0.9.7a-27
e4b8d1
- updated ca-bundle.crt: removed expired GeoTrust roots, added
e4b8d1
  freessl.com root, removed trustcenter.de Class 0 root
e4b8d1
e4b8d1
* Sun Nov 30 2003 Tim Waugh <twaugh@redhat.com> 0.9.7a-26
e4b8d1
- Fix link line for libssl (bug #111154).
e4b8d1
e4b8d1
* Fri Oct 24 2003 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-25
e4b8d1
- add dependency on zlib-devel for the -devel package, which depends on zlib
e4b8d1
  symbols because we enable zlib for libssl (#102962)
e4b8d1
e4b8d1
* Fri Oct 24 2003 Phil Knirsch <pknirsch@redhat.com> 0.9.7a-24
e4b8d1
- Use /dev/urandom instead of PRNG for libica.
e4b8d1
- Apply libica-1.3.5 fix for /dev/urandom in icalinux.c
e4b8d1
- Use latest ICA engine patch from IBM.
e4b8d1
e4b8d1
* Sat Oct  4 2003 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-22.1
e4b8d1
- rebuild
e4b8d1
e4b8d1
* Wed Oct  1 2003 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-22
e4b8d1
- rebuild (22 wasn't actually built, fun eh?)
e4b8d1
e4b8d1
* Tue Sep 30 2003 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-23
e4b8d1
- re-disable optimizations on ppc64
e4b8d1
e4b8d1
* Tue Sep 30 2003 Joe Orton <jorton@redhat.com>
e4b8d1
- add a_mbstr.c fix for 64-bit platforms from CVS
e4b8d1
e4b8d1
* Tue Sep 30 2003 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-22
e4b8d1
- add -Wa,--noexecstack to RPM_OPT_FLAGS so that assembled modules get tagged
e4b8d1
  as not needing executable stacks
e4b8d1
e4b8d1
* Mon Sep 29 2003 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-21
e4b8d1
- rebuild
e4b8d1
e4b8d1
* Thu Sep 25 2003 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- re-enable optimizations on ppc64
e4b8d1
e4b8d1
* Thu Sep 25 2003 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- remove exclusivearch
e4b8d1
e4b8d1
* Wed Sep 24 2003 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-20
e4b8d1
- only parse a client cert if one was requested
e4b8d1
- temporarily exclusivearch for %%{ix86}
e4b8d1
e4b8d1
* Tue Sep 23 2003 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- add security fixes for protocol parsing bugs (CAN-2003-0543, CAN-2003-0544)
e4b8d1
  and heap corruption (CAN-2003-0545)
e4b8d1
- update RHNS-CA-CERT files
e4b8d1
- ease back on the number of threads used in the threading test
e4b8d1
e4b8d1
* Wed Sep 17 2003 Matt Wilson <msw@redhat.com> 0.9.7a-19
e4b8d1
- rebuild to fix gzipped file md5sums (#91211)
e4b8d1
e4b8d1
* Mon Aug 25 2003 Phil Knirsch <pknirsch@redhat.com> 0.9.7a-18
e4b8d1
- Updated libica to version 1.3.4.
e4b8d1
e4b8d1
* Thu Jul 17 2003 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-17
e4b8d1
- rebuild
e4b8d1
e4b8d1
* Tue Jul 15 2003 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-10.9
e4b8d1
- free the kssl_ctx structure when we free an SSL structure (#99066)
e4b8d1
e4b8d1
* Fri Jul 11 2003 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-16
e4b8d1
- rebuild
e4b8d1
e4b8d1
* Thu Jul 10 2003 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-15
e4b8d1
- lower thread test count on s390x
e4b8d1
e4b8d1
* Tue Jul  8 2003 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-14
e4b8d1
- rebuild
e4b8d1
e4b8d1
* Thu Jun 26 2003 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-13
e4b8d1
- disable assembly on arches where it seems to conflict with threading
e4b8d1
e4b8d1
* Thu Jun 26 2003 Phil Knirsch <pknirsch@redhat.com> 0.9.7a-12
e4b8d1
- Updated libica to latest upstream version 1.3.0
e4b8d1
e4b8d1
* Wed Jun 11 2003 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-9.9
e4b8d1
- rebuild
e4b8d1
e4b8d1
* Wed Jun 11 2003 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-11
e4b8d1
- rebuild
e4b8d1
e4b8d1
* Tue Jun 10 2003 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-10
e4b8d1
- ubsec: don't stomp on output data which might also be input data
e4b8d1
e4b8d1
* Tue Jun 10 2003 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-9
e4b8d1
- temporarily disable optimizations on ppc64
e4b8d1
e4b8d1
* Mon Jun  9 2003 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- backport fix for engine-used-for-everything from 0.9.7b
e4b8d1
- backport fix for prng not being seeded causing problems, also from 0.9.7b
e4b8d1
- add a check at build-time to ensure that RSA is thread-safe
e4b8d1
- keep perlpath from stomping on the libica configure scripts
e4b8d1
e4b8d1
* Fri Jun  6 2003 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- thread-safety fix for RSA blinding
e4b8d1
e4b8d1
* Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com> 0.9.7a-8
e4b8d1
- rebuilt
e4b8d1
e4b8d1
* Fri May 30 2003 Phil Knirsch <pknirsch@redhat.com> 0.9.7a-7
e4b8d1
- Added libica-1.2 to openssl (featurerequest).
e4b8d1
e4b8d1
* Wed Apr 16 2003 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-6
e4b8d1
- fix building with incorrect flags on ppc64
e4b8d1
e4b8d1
* Wed Mar 19 2003 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-5
e4b8d1
- add patch to harden against Klima-Pokorny-Rosa extension of Bleichenbacher's
e4b8d1
  attack (CAN-2003-0131)
e4b8d1
e4b8d1
* Mon Mar 17 2003 Nalin Dahyabhai <nalin@redhat.com>  0.9.7a-4
e4b8d1
- add patch to enable RSA blinding by default, closing a timing attack
e4b8d1
  (CAN-2003-0147)
e4b8d1
e4b8d1
* Wed Mar  5 2003 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-3
e4b8d1
- disable use of BN assembly module on x86_64, but continue to allow inline
e4b8d1
  assembly (#83403)
e4b8d1
e4b8d1
* Thu Feb 27 2003 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-2
e4b8d1
- disable EC algorithms
e4b8d1
e4b8d1
* Wed Feb 19 2003 Nalin Dahyabhai <nalin@redhat.com> 0.9.7a-1
e4b8d1
- update to 0.9.7a
e4b8d1
e4b8d1
* Wed Feb 19 2003 Nalin Dahyabhai <nalin@redhat.com> 0.9.7-8
e4b8d1
- add fix to guard against attempts to allocate negative amounts of memory
e4b8d1
- add patch for CAN-2003-0078, fixing a timing attack
e4b8d1
e4b8d1
* Thu Feb 13 2003 Elliot Lee <sopwith@redhat.com> 0.9.7-7
e4b8d1
- Add openssl-ppc64.patch
e4b8d1
e4b8d1
* Mon Feb 10 2003 Nalin Dahyabhai <nalin@redhat.com> 0.9.7-6
e4b8d1
- EVP_DecryptInit should call EVP_CipherInit() instead of EVP_CipherInit_ex(),
e4b8d1
  to get the right behavior when passed uninitialized context structures
e4b8d1
  (#83766)
e4b8d1
- build with -mcpu=ev5 on alpha family (#83828)
e4b8d1
e4b8d1
* Wed Jan 22 2003 Tim Powers <timp@redhat.com>
e4b8d1
- rebuilt
e4b8d1
e4b8d1
* Fri Jan 17 2003 Phil Knirsch <pknirsch@redhat.com> 0.9.7-4
e4b8d1
- Added IBM hw crypto support patch.
e4b8d1
e4b8d1
* Wed Jan 15 2003 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- add missing builddep on sed
e4b8d1
e4b8d1
* Thu Jan  9 2003 Bill Nottingham <notting@redhat.com> 0.9.7-3
e4b8d1
- debloat
e4b8d1
- fix broken manpage symlinks
e4b8d1
e4b8d1
* Wed Jan  8 2003 Nalin Dahyabhai <nalin@redhat.com> 0.9.7-2
e4b8d1
- fix double-free in 'openssl ca'
e4b8d1
e4b8d1
* Fri Jan  3 2003 Nalin Dahyabhai <nalin@redhat.com> 0.9.7-1
e4b8d1
- update to 0.9.7 final
e4b8d1
e4b8d1
* Tue Dec 17 2002 Nalin Dahyabhai <nalin@redhat.com> 0.9.7-0
e4b8d1
- update to 0.9.7 beta6 (DO NOT USE UNTIL UPDATED TO FINAL 0.9.7)
e4b8d1
e4b8d1
* Wed Dec 11 2002 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- update to 0.9.7 beta5 (DO NOT USE UNTIL UPDATED TO FINAL 0.9.7)
e4b8d1
e4b8d1
* Tue Oct 22 2002 Nalin Dahyabhai <nalin@redhat.com> 0.9.6b-30
e4b8d1
- add configuration stanza for x86_64 and use it on x86_64
e4b8d1
- build for linux-ppc on ppc
e4b8d1
- start running the self-tests again
e4b8d1
e4b8d1
* Wed Oct 02 2002 Elliot Lee <sopwith@redhat.com> 0.9.6b-29hammer.3
e4b8d1
- Merge fixes from previous hammer packages, including general x86-64 and
e4b8d1
  multilib
e4b8d1
e4b8d1
* Tue Aug  6 2002 Nalin Dahyabhai <nalin@redhat.com> 0.9.6b-29
e4b8d1
- rebuild
e4b8d1
e4b8d1
* Thu Aug  1 2002 Nalin Dahyabhai <nalin@redhat.com> 0.9.6b-28
e4b8d1
- update asn patch to fix accidental reversal of a logic check
e4b8d1
e4b8d1
* Wed Jul 31 2002 Nalin Dahyabhai <nalin@redhat.com> 0.9.6b-27
e4b8d1
- update asn patch to reduce chance that compiler optimization will remove
e4b8d1
  one of the added tests
e4b8d1
e4b8d1
* Wed Jul 31 2002 Nalin Dahyabhai <nalin@redhat.com> 0.9.6b-26
e4b8d1
- rebuild
e4b8d1
e4b8d1
* Mon Jul 29 2002 Nalin Dahyabhai <nalin@redhat.com> 0.9.6b-25
e4b8d1
- add patch to fix ASN.1 vulnerabilities
e4b8d1
e4b8d1
* Thu Jul 25 2002 Nalin Dahyabhai <nalin@redhat.com> 0.9.6b-24
e4b8d1
- add backport of Ben Laurie's patches for OpenSSL 0.9.6d
e4b8d1
e4b8d1
* Wed Jul 17 2002 Nalin Dahyabhai <nalin@redhat.com> 0.9.6b-23
e4b8d1
- own {_datadir}/ssl/misc
e4b8d1
e4b8d1
* Fri Jun 21 2002 Tim Powers <timp@redhat.com>
e4b8d1
- automated rebuild
e4b8d1
e4b8d1
* Sun May 26 2002 Tim Powers <timp@redhat.com>
e4b8d1
- automated rebuild
e4b8d1
e4b8d1
* Fri May 17 2002 Nalin Dahyabhai <nalin@redhat.com> 0.9.6b-20
e4b8d1
- free ride through the build system (whee!)
e4b8d1
e4b8d1
* Thu May 16 2002 Nalin Dahyabhai <nalin@redhat.com> 0.9.6b-19
e4b8d1
- rebuild in new environment
e4b8d1
e4b8d1
* Thu Apr  4 2002 Nalin Dahyabhai <nalin@redhat.com> 0.9.6b-17, 0.9.6b-18
e4b8d1
- merge RHL-specific bits into stronghold package, rename
e4b8d1
e4b8d1
* Tue Apr 02 2002 Gary Benson <gbenson@redhat.com> stronghold-0.9.6c-2
e4b8d1
- add support for Chrysalis Luna token
e4b8d1
e4b8d1
* Tue Mar 26 2002 Gary Benson <gbenson@redhat.com>
e4b8d1
- disable AEP random number generation, other AEP fixes
e4b8d1
e4b8d1
* Fri Mar 15 2002 Nalin Dahyabhai <nalin@redhat.com> 0.9.6b-15
e4b8d1
- only build subpackages on primary arches
e4b8d1
e4b8d1
* Thu Mar 14 2002 Nalin Dahyabhai <nalin@redhat.com> 0.9.6b-13
e4b8d1
- on ia32, only disable use of assembler on i386
e4b8d1
- enable assembly on ia64
e4b8d1
e4b8d1
* Mon Jan  7 2002 Florian La Roche <Florian.LaRoche@redhat.de> 0.9.6b-11
e4b8d1
- fix sparcv9 entry
e4b8d1
e4b8d1
* Mon Jan  7 2002 Gary Benson <gbenson@redhat.com> stronghold-0.9.6c-1
e4b8d1
- upgrade to 0.9.6c
e4b8d1
- bump BuildArch to i686 and enable assembler on all platforms
e4b8d1
- synchronise with shrimpy and rawhide
e4b8d1
- bump soversion to 3
e4b8d1
e4b8d1
* Wed Oct 10 2001 Florian La Roche <Florian.LaRoche@redhat.de>
e4b8d1
- delete BN_LLONG for s390x, patch from Oliver Paukstadt
e4b8d1
e4b8d1
* Mon Sep 17 2001 Nalin Dahyabhai <nalin@redhat.com> 0.9.6b-9
e4b8d1
- update AEP driver patch
e4b8d1
e4b8d1
* Mon Sep 10 2001 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- adjust RNG disabling patch to match version of patch from Broadcom
e4b8d1
e4b8d1
* Fri Sep  7 2001 Nalin Dahyabhai <nalin@redhat.com> 0.9.6b-8
e4b8d1
- disable the RNG in the ubsec engine driver
e4b8d1
e4b8d1
* Tue Aug 28 2001 Nalin Dahyabhai <nalin@redhat.com> 0.9.6b-7
e4b8d1
- tweaks to the ubsec engine driver
e4b8d1
e4b8d1
* Fri Aug 24 2001 Nalin Dahyabhai <nalin@redhat.com> 0.9.6b-6
e4b8d1
- tweaks to the ubsec engine driver
e4b8d1
e4b8d1
* Thu Aug 23 2001 Nalin Dahyabhai <nalin@redhat.com> 0.9.6b-5
e4b8d1
- update ubsec engine driver from Broadcom
e4b8d1
e4b8d1
* Fri Aug 10 2001 Nalin Dahyabhai <nalin@redhat.com> 0.9.6b-4
e4b8d1
- move man pages back to %%{_mandir}/man?/foo.?ssl from
e4b8d1
  %%{_mandir}/man?ssl/foo.?
e4b8d1
- add an [ engine ] section to the default configuration file
e4b8d1
e4b8d1
* Thu Aug  9 2001 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- add a patch for selecting a default engine in SSL_library_init()
e4b8d1
e4b8d1
* Mon Jul 23 2001 Nalin Dahyabhai <nalin@redhat.com> 0.9.6b-3
e4b8d1
- add patches for AEP hardware support
e4b8d1
- add patch to keep trying when we fail to load a cert from a file and
e4b8d1
  there are more in the file
e4b8d1
- add missing prototype for ENGINE_ubsec() in engine_int.h
e4b8d1
e4b8d1
* Wed Jul 18 2001 Nalin Dahyabhai <nalin@redhat.com> 0.9.6b-2
e4b8d1
- actually add hw_ubsec to the engine list
e4b8d1
e4b8d1
* Tue Jul 17 2001 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- add in the hw_ubsec driver from CVS
e4b8d1
e4b8d1
* Wed Jul 11 2001 Nalin Dahyabhai <nalin@redhat.com> 0.9.6b-1
e4b8d1
- update to 0.9.6b
e4b8d1
e4b8d1
* Thu Jul  5 2001 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- move .so symlinks back to %%{_libdir}
e4b8d1
e4b8d1
* Tue Jul  3 2001 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- move shared libraries to /lib (#38410)
e4b8d1
e4b8d1
* Mon Jun 25 2001 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- switch to engine code base
e4b8d1
e4b8d1
* Mon Jun 18 2001 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- add a script for creating dummy certificates
e4b8d1
- move man pages from %%{_mandir}/man?/foo.?ssl to %%{_mandir}/man?ssl/foo.?
e4b8d1
e4b8d1
* Thu Jun 07 2001 Florian La Roche <Florian.LaRoche@redhat.de>
e4b8d1
- add s390x support
e4b8d1
e4b8d1
* Fri Jun  1 2001 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- change two memcpy() calls to memmove()
e4b8d1
- don't define L_ENDIAN on alpha
e4b8d1
e4b8d1
* Wed May 23 2001 Joe Orton <jorton@redhat.com> stronghold-0.9.6a-1
e4b8d1
- Add 'stronghold-' prefix to package names.
e4b8d1
- Obsolete standard openssl packages.
e4b8d1
e4b8d1
* Wed May 16 2001 Joe Orton <jorton@redhat.com>
e4b8d1
- Add BuildArch: i586 as per Nalin's advice.
e4b8d1
e4b8d1
* Tue May 15 2001 Joe Orton <jorton@redhat.com>
e4b8d1
- Enable assembler on ix86 (using new .tar.bz2 which does
e4b8d1
  include the asm directories).
e4b8d1
e4b8d1
* Tue May 15 2001 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- make subpackages depend on the main package
e4b8d1
e4b8d1
* Tue May  1 2001 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- adjust the hobble script to not disturb symlinks in include/ (fix from
e4b8d1
  Joe Orton)
e4b8d1
e4b8d1
* Fri Apr 27 2001 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- drop the m2crypto patch we weren't using
e4b8d1
e4b8d1
* Tue Apr 24 2001 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- configure using "shared" as well
e4b8d1
e4b8d1
* Sun Apr  8 2001 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- update to 0.9.6a
e4b8d1
- use the build-shared target to build shared libraries
e4b8d1
- bump the soversion to 2 because we're no longer compatible with
e4b8d1
  our 0.9.5a packages or our 0.9.6 packages
e4b8d1
- drop the patch for making rsatest a no-op when rsa null support is used
e4b8d1
- put all man pages into <section>ssl instead of <section>
e4b8d1
- break the m2crypto modules into a separate package
e4b8d1
e4b8d1
* Tue Mar 13 2001 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- use BN_LLONG on s390
e4b8d1
e4b8d1
* Mon Mar 12 2001 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- fix the s390 changes for 0.9.6 (isn't supposed to be marked as 64-bit)
e4b8d1
e4b8d1
* Sat Mar  3 2001 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- move c_rehash to the perl subpackage, because it's a perl script now
e4b8d1
e4b8d1
* Fri Mar  2 2001 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- update to 0.9.6
e4b8d1
- enable MD2
e4b8d1
- use the libcrypto.so and libssl.so targets to build shared libs with
e4b8d1
- bump the soversion to 1 because we're no longer compatible with any of
e4b8d1
  the various 0.9.5a packages circulating around, which provide lib*.so.0
e4b8d1
e4b8d1
* Wed Feb 28 2001 Florian La Roche <Florian.LaRoche@redhat.de>
e4b8d1
- change hobble-openssl for disabling MD2 again
e4b8d1
e4b8d1
* Tue Feb 27 2001 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- re-disable MD2 -- the EVP_MD_CTX structure would grow from 100 to 152
e4b8d1
  bytes or so, causing EVP_DigestInit() to zero out stack variables in
e4b8d1
  apps built against a version of the library without it
e4b8d1
e4b8d1
* Mon Feb 26 2001 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- disable some inline assembly, which on x86 is Pentium-specific
e4b8d1
- re-enable MD2 (see http://www.ietf.org/ietf/IPR/RSA-MD-all)
e4b8d1
e4b8d1
* Thu Feb 08 2001 Florian La Roche <Florian.LaRoche@redhat.de>
e4b8d1
- fix s390 patch
e4b8d1
e4b8d1
* Fri Dec 8 2000 Than Ngo <than@redhat.com>
e4b8d1
- added support for s390
e4b8d1
e4b8d1
* Mon Nov 20 2000 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- remove -Wa,* and -m* compiler flags from the default Configure file (#20656)
e4b8d1
- add the CA.pl man page to the perl subpackage
e4b8d1
e4b8d1
* Thu Nov  2 2000 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- always build with -mcpu=ev5 on alpha
e4b8d1
e4b8d1
* Tue Oct 31 2000 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- add a symlink from cert.pem to ca-bundle.crt
e4b8d1
e4b8d1
* Wed Oct 25 2000 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- add a ca-bundle file for packages like Samba to reference for CA certificates
e4b8d1
e4b8d1
* Tue Oct 24 2000 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- remove libcrypto's crypt(), which doesn't handle md5crypt (#19295)
e4b8d1
e4b8d1
* Mon Oct  2 2000 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- add unzip as a buildprereq (#17662)
e4b8d1
- update m2crypto to 0.05-snap4
e4b8d1
e4b8d1
* Tue Sep 26 2000 Bill Nottingham <notting@redhat.com>
e4b8d1
- fix some issues in building when it's not installed
e4b8d1
e4b8d1
* Wed Sep  6 2000 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- make sure the headers we include are the ones we built with (aaaaarrgh!)
e4b8d1
e4b8d1
* Fri Sep  1 2000 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- add Richard Henderson's patch for BN on ia64
e4b8d1
- clean up the changelog
e4b8d1
e4b8d1
* Tue Aug 29 2000 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- fix the building of python modules without openssl-devel already installed
e4b8d1
e4b8d1
* Wed Aug 23 2000 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- byte-compile python extensions without the build-root
e4b8d1
- adjust the makefile to not remove temporary files (like .key files when
e4b8d1
  building .csr files) by marking them as .PRECIOUS
e4b8d1
e4b8d1
* Sat Aug 19 2000 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- break out python extensions into a subpackage
e4b8d1
e4b8d1
* Mon Jul 17 2000 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- tweak the makefile some more
e4b8d1
e4b8d1
* Tue Jul 11 2000 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- disable MD2 support
e4b8d1
e4b8d1
* Thu Jul  6 2000 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- disable MDC2 support
e4b8d1
e4b8d1
* Sun Jul  2 2000 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- tweak the disabling of RC5, IDEA support
e4b8d1
- tweak the makefile
e4b8d1
e4b8d1
* Thu Jun 29 2000 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- strip binaries and libraries
e4b8d1
- rework certificate makefile to have the right parts for Apache
e4b8d1
e4b8d1
* Wed Jun 28 2000 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- use %%{_perl} instead of /usr/bin/perl
e4b8d1
- disable alpha until it passes its own test suite
e4b8d1
e4b8d1
* Fri Jun  9 2000 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- move the passwd.1 man page out of the passwd package's way
e4b8d1
e4b8d1
* Fri Jun  2 2000 Nalin Dahyabhai <nalin@redhat.com>
e4b8d1
- update to 0.9.5a, modified for U.S.
e4b8d1
- add perl as a build-time requirement
e4b8d1
- move certificate makefile to another package
e4b8d1
- disable RC5, IDEA, RSA support
e4b8d1
- remove optimizations for now
e4b8d1
e4b8d1
* Wed Mar  1 2000 Florian La Roche <Florian.LaRoche@redhat.de>
e4b8d1
- Bero told me to move the Makefile into this package
e4b8d1
e4b8d1
* Wed Mar  1 2000 Florian La Roche <Florian.LaRoche@redhat.de>
e4b8d1
- add lib*.so symlinks to link dynamically against shared libs
e4b8d1
e4b8d1
* Tue Feb 29 2000 Florian La Roche <Florian.LaRoche@redhat.de>
e4b8d1
- update to 0.9.5
e4b8d1
- run ldconfig directly in post/postun
e4b8d1
- add FAQ
e4b8d1
e4b8d1
* Sat Dec 18 1999 Bernhard Rosenkränzer <bero@redhat.de>
e4b8d1
- Fix build on non-x86 platforms
e4b8d1
e4b8d1
* Fri Nov 12 1999 Bernhard Rosenkränzer <bero@redhat.de>
e4b8d1
- move /usr/share/ssl/* from -devel to main package
e4b8d1
e4b8d1
* Tue Oct 26 1999 Bernhard Rosenkränzer <bero@redhat.de>
e4b8d1
- initial packaging
e4b8d1
- changes from base:
e4b8d1
  - Move /usr/local/ssl to /usr/share/ssl for FHS compliance
e4b8d1
  - handle RPM_OPT_FLAGS