Red Hat Bugzilla – Attachment 883772 Details for Bug 1084875
CVE-2014-0160 openssl: information disclosure in handling of TLS heartbeat extension packets
[patch] 1.0.1e .spec patch to add -DOPENSSL_NO_HEARTBEATS
openssl-1.0.1e-43-DOPENSSL_NO_HEARTBEATS.diff (text/plain), 4.77 KB, created by Conrad Meyer on 2014-04-07 21:58:58 UTC
>diff --git a/openssl.spec b/openssl.spec >index 69f058c..1ad5c53 100644 >--- a/openssl.spec >+++ b/openssl.spec >@@ -6,41 +6,41 @@ > # 0.9.7a soversion = 4 > # 0.9.7ef soversion = 5 > # 0.9.8ab soversion = 6 > # 0.9.8g soversion = 7 > # 0.9.8jk + EAP-FAST soversion = 8 > # 1.0.0 soversion = 10 > %define soversion 10 > > # Number of threads to spawn when testing some threading fixes. > %define thread_test_threads %{?threads:%{threads}}%{!?threads:1} > > # Arches on which we need to prevent arch conflicts on opensslconf.h, must > # also be handled in opensslconf-new.h. > %define multilib_arches %{ix86} ia64 ppc %{power64} s390 s390x sparcv9 sparc64 x86_64 > > %global _performance_build 1 > > Summary: Utilities from the general purpose cryptography library with TLS implementation > Name: openssl > Version: 1.0.1e >-Release: 43%{?dist} >+Release: 44%{?dist} > Epoch: 1 > # We have to remove certain patented algorithms from the openssl source > # tarball with the hobble-openssl script which is included below. > # The original openssl upstream tarball cannot be shipped in the .src.rpm. > Source: openssl-%{version}-hobbled.tar.xz > Source1: hobble-openssl > Source2: Makefile.certificate > Source6: make-dummy-cert > Source7: renew-dummy-cert > Source8: openssl-thread-test.c > Source9: opensslconf-new.h > Source10: opensslconf-new-warning.h > Source11: README.FIPS > Source12: ec_curve.c > Source13: ectest.c > # Build changes > Patch1: openssl-1.0.1-beta2-rpmbuild.patch > Patch2: openssl-1.0.1e-defaults.patch > Patch4: openssl-1.0.0-beta5-enginesdir.patch > Patch5: openssl-0.9.8a-no-rpath.patch 
>@@ -263,47 +263,48 @@ sslarch=linux-armv4 > %endif > %ifarch sh3 sh4 > sslarch=linux-generic32 > %endif > %ifarch ppc64 ppc64p7 > sslarch=linux-ppc64 > %endif > %ifarch ppc64le > sslarch="linux-ppc64le" > %endif > > # ia64, x86_64, ppc are OK by default > # Configure the build tree. Override OpenSSL defaults with known-good defaults > # usable on all platforms. The Configure script already knows to use -fPIC and > # RPM_OPT_FLAGS, so we can skip specifiying them here. > ./Configure \ > --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \ > zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \ > enable-cms enable-md2 no-mdc2 no-rc5 no-ec2m no-gost no-srp \ > --with-krb5-flavor=MIT --enginesdir=%{_libdir}/openssl/engines \ >- --with-krb5-dir=/usr shared ${sslarch} %{?!nofips:fips} >+ --with-krb5-dir=/usr shared ${sslarch} %{?!nofips:fips} \ >+ -DOPENSSL_NO_HEARTBEATS > > # Add -Wa,--noexecstack here so that libcrypto's assembler modules will be > # marked as not requiring an executable stack. > # Also add -DPURIFY to make using valgrind with openssl easier as we do not > # want to depend on the uninitialized memory as a source of entropy anyway. >-RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -DPURIFY" >+RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -DPURIFY -DOPENSSL_NO_HEARTBEATS" > make depend > make all > > # Generate hashes for the included certs. > make rehash > > # Overwrite FIPS README > cp -f %{SOURCE11} . > > %check > # Verify that what was compiled actually works. > > # We must revert patch33 before tests otherwise they will fail > patch -p1 -R < %{PATCH33} > > LD_LIBRARY_PATH=`pwd`${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}} > export LD_LIBRARY_PATH > OPENSSL_ENABLE_MD5_VERIFY= > export OPENSSL_ENABLE_MD5_VERIFY > make -C test apps tests 
>@@ -470,40 +471,43 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* > %attr(0755,root,root) %{_libdir}/*.so > %attr(0644,root,root) %{_mandir}/man3*/* > %attr(0644,root,root) %{_libdir}/pkgconfig/*.pc > > %files static > %defattr(-,root,root) > %attr(0644,root,root) %{_libdir}/*.a > > %files perl > %defattr(-,root,root) > %attr(0755,root,root) %{_bindir}/c_rehash > %attr(0644,root,root) %{_mandir}/man1*/*.pl* > %{_sysconfdir}/pki/tls/misc/*.pl > %{_sysconfdir}/pki/tls/misc/tsget > > %post libs -p /sbin/ldconfig > > %postun libs -p /sbin/ldconfig > > %changelog >+* Mon Apr 7 2014 Conrad Meyer <x@x.com> 1.0.1e-44 >+- Bump for CVE-2014-0160 (-DOPENSSL_NO_HEARTBEATS) >+ > * Thu Apr 3 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-43 > - add support for ppc64le architecture (#1072633) > > * Mon Mar 17 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-42 > - properly detect encryption failure in BIO > - use 2048 bit RSA key in FIPS selftests > > * Fri Feb 14 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-41 > - use the key length from configuration file if req -newkey rsa is invoked > > * Thu Feb 13 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-40 > - print ephemeral key size negotiated in TLS handshake (#1057715) > - add DH_compute_key_padded needed for FIPS CAVS testing > > * Thu Feb 6 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-39 > - make expiration and key length changeable by DAYS and KEYLEN > variables in the certificate Makefile (#1058108) > - change default hash to sha256 (#1062325) > > * Wed Jan 22 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-38
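Review bot: In the build hunk (@@ -263,47 +263,48 @@), -DOPENSSL_NO_HEARTBEATS is added twice, once at the end of the ./Configure invocation and once in RPM_OPT_FLAGS, and neither addition is explained in the surrounding comments. The comment block above RPM_OPT_FLAGS still describes only -Wa,--noexecstack and -DPURIFY. Either keep the define in one place or say in a comment why both are needed, and add a comment line naming CVE-2014-0160 as the reason so the flag is not dropped as unexplained on a later rebase of the spec. Since the %check section visible in the same hunk already runs "make -C test apps tests", it would also be worth confirming after the build that the resulting library no longer offers the heartbeat extension, rather than relying on the flag being present.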
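Review bot: The new %changelog entry in the last hunk (@@ -470,40 +471,43 @@) uses a placeholder address ("Conrad Meyer <x@x.com>") and does not cite the bug, whereas the neighbouring entries reference bugs in the form (#1072633). Use a real packager address and add the bug reference for this report (#1084875). The text "Bump for CVE-2014-0160 (-DOPENSSL_NO_HEARTBEATS)" also reads as if the flaw were fixed; the change shown here only compiles the heartbeat feature out, so wording such as "disable TLS heartbeat extension as a mitigation for CVE-2014-0160" would describe it more accurately for anyone auditing the package history.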
Attachments on bug 1084875: 883475 | 883772 | 883804