author | Vincent Grande | 2021-01-02 23:17:16 -0500 |
---|---|---|
committer | Vincent Grande | 2021-01-02 23:17:16 -0500 |
commit | a16ac2006c0d2956e7926d599308fc9241fb6238 (patch) | |
tree | e73eeb710e4691b1ef02e87aaa4e8c7acbdbbb75 | |
download | aur-a16ac2006c0d2956e7926d599308fc9241fb6238.tar.gz |
initial upload
-rw-r--r-- | .SRCINFO | 25 | ||||
-rw-r--r-- | PKGBUILD | 67 | ||||
-rw-r--r-- | ca-dir.patch | 31 |
3 files changed, 123 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..7b88144684b8
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,25 @@
+pkgbase = openssl-hardened
+ pkgdesc = The Open Source toolkit for Secure Sockets Layer and Transport Layer Security
+ pkgver = 1.1.1.i
+ pkgrel = 1
+ url = https://www.openssl.org
+ arch = x86_64
+ license = custom:BSD
+ makedepends = perl
+ depends = glibc
+ optdepends = ca-certificates
+ optdepends = perl
+ provides = openssl
+ conflicts = openssl
+ replaces = openssl-perl
+ replaces = openssl-doc
+ backup = etc/ssl/openssl.cnf
+ source = https://www.openssl.org/source/openssl-hardened-1.1.1i.tar.gz
+ source = https://www.openssl.org/source/openssl-hardened-1.1.1i.tar.gz.asc
+ source = ca-dir.patch
+ sha256sums = e8be6a35fe41d10603c3cc635e93289ed00bf34b79671a3a4de64fcee00d5242
+ sha256sums = SKIP
+ sha256sums = 75aa8c2c638c8a3ebfd9fa146fc61c7ff878fc997dc6aa10d39e4b2415d669b2
+
+pkgname = openssl-hardened
+
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..b2c2d5cd197f
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,67 @@
+# Maintainer: Vincent Grande <shoober420@gmail.com>
+# Contributor: Pierre Schmitz <pierre@archlinux.de>
+
+pkgname=openssl-hardened
+_ver=1.1.1i
+# use a pacman compatible version scheme
+pkgver=${_ver/[a-z]/.${_ver//[0-9.]/}}
+pkgrel=1
+pkgdesc='The Open Source toolkit for Secure Sockets Layer and Transport Layer Security'
+arch=('x86_64')
+url='https://www.openssl.org'
+license=('custom:BSD')
+depends=('glibc')
+makedepends=('perl')
+optdepends=('ca-certificates' 'perl')
+replaces=('openssl-perl' 'openssl-doc')
+backup=('etc/ssl/openssl.cnf')
+provides=(openssl)
+conflicts=(openssl)
+source=("https://www.openssl.org/source/${pkgname}-${_ver}.tar.gz"{,.asc}
+ 'ca-dir.patch')
+sha256sums=('e8be6a35fe41d10603c3cc635e93289ed00bf34b79671a3a4de64fcee00d5242'
+ 'SKIP'
+ '75aa8c2c638c8a3ebfd9fa146fc61c7ff878fc997dc6aa10d39e4b2415d669b2')
+#validpgpkeys=('8657ABB260F056B1E5190839D9C4D26D0E604491'
+# '7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C')
+
+prepare() {
+ cd "$srcdir/$pkgname-$_ver"
+
+ # set ca dir to /etc/ssl by default
+ patch -p0 -i "$srcdir/ca-dir.patch"
+}
+
+build() {
+ cd "$srcdir/$pkgname-$_ver"
+
+ # mark stack as non-executable: http://bugs.archlinux.org/task/12434
+ ./Configure --prefix=/usr --openssldir=/etc/ssl --libdir=lib \
+ shared no-ssl3-method enable-ec_nistp_64_gcc_128 linux-x86_64 no-ssl2-method no-ssl2 no-ssl3 no-weak-ssl-ciphers no-ssl no-deprecated no-tls1 no-tls1-method no-tls1_1 no-tls1_1-method no-tls1_2 no-tls1_2-method enable-tls1_3 enable_tls1_3-method no-rc2 no-rc4 -DOPENSSL_USE_IPV6=0 \
+ "-Wa,--noexecstack ${CPPFLAGS} ${CFLAGS} ${LDFLAGS}"
+
+ make depend
+ make
+}
+
+#check() {
+# cd "$srcdir/$pkgbase-$_ver"
+
+ # the test fails due to missing write permissions in /etc/ssl
+ # revert this patch for make test
+# patch -p0 -R -i "$srcdir/ca-dir.patch"
+
+# make test
+
+# patch -p0 -i "$srcdir/ca-dir.patch"
+ # re-run make to re-generate CA.pl from th patched .in file.
+# make apps/CA.pl
+#}
+
+package() {
+ cd "$srcdir/$pkgname-$_ver"
+
+ make DESTDIR=$pkgdir MANDIR=/usr/share/man MANSUFFIX=ssl install_sw install_ssldirs install_man_docs
+
+ install -D -m644 LICENSE $pkgdir/usr/share/licenses/$pkgname/LICENSE
+}
diff --git a/ca-dir.patch b/ca-dir.patch
new file mode 100644
index 000000000000..d0ad70470aa9
--- /dev/null
+++ b/ca-dir.patch
@@ -0,0 +1,31 @@
+--- apps/CA.pl.in 2019-09-10 15:13:07.000000000 +0200
++++ apps/CA.pl.in 2019-10-06 09:34:23.960864556 +0200
+@@ -33,7 +33,7 @@
+ my $PKCS12 = "$openssl pkcs12";
+
+ # default openssl.cnf file has setup as per the following
+-my $CATOP = "./demoCA";
++my $CATOP = "/etc/ssl";
+ my $CAKEY = "cakey.pem";
+ my $CAREQ = "careq.pem";
+ my $CACERT = "cacert.pem";
+--- apps/openssl.cnf 2019-09-10 15:13:07.000000000 +0200
++++ apps/openssl.cnf 2019-10-06 09:34:23.960864556 +0200
+@@ -42,7 +42,7 @@
+ ####################################################################
+ [ CA_default ]
+
+-dir = ./demoCA # Where everything is kept
++dir = /etc/ssl # Where everything is kept
+ certs = $dir/certs # Where the issued certs are kept
+ crl_dir = $dir/crl # Where the issued crl are kept
+ database = $dir/index.txt # database index file.
+@@ -325,7 +325,7 @@
+ [ tsa_config1 ]
+
+ # These are used by the TSA reply generation only.
+-dir = ./demoCA # TSA root directory
++dir = /etc/ssl # TSA root directory
+ serial = $dir/tsaserial # The current serial number (mandatory)
+ crypto_device = builtin # OpenSSL engine to use for signing
+ signer_cert = $dir/tsacert.pem # The TSA signing certificate |
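Review bot: In PKGBUILD, `validpgpkeys` is commented out while the `.asc` stays in `source` with `'SKIP'`, so the signature check is no longer pinned to the two listed release-key fingerprints; as far as I know makepkg then accepts a signature from any key the builder's keyring already trusts. Because the package `provides`/`conflicts` `openssl` and so replaces the system TLS library, restore the array: `validpgpkeys=('8657ABB260F056B1E5190839D9C4D26D0E604491' '7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C')`. Separately, `source` and the three `cd "$srcdir/$pkgname-$_ver"` lines are built from `$pkgname`, which expands to `openssl-hardened-1.1.1i` (as .SRCINFO shows); upstream probably publishes no tarball or directory by that name, so these likely need a literal `openssl-${_ver}`. In `build()`, `enable_tls1_3-method` is spelled with an underscore and does not look like a Configure option. Since `check()` is commented out, this non-default configuration ships without `make test` ever running.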