Verified Commit 9e9c63df authored by A. Wilcox's avatar A. Wilcox

system/openssl: Bump to 1.1.1d

parent 916779a6
From 5caf1bdcdb56358c0ce38ef404fedbe323e66cb9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Thu, 5 Feb 2015 08:40:32 +0200
Subject: [PATCH] use termios
---
crypto/ui/ui_openssl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/crypto/ui/ui_openssl.c b/crypto/ui/ui_openssl.c
index 8bda83c..a89b5f2 100644
--- a/crypto/ui/ui_openssl.c
+++ b/crypto/ui/ui_openssl.c
@@ -224,6 +224,9 @@
# undef SGTTY
#endif
+#define TERMIOS
+#undef TERMIO
+
#ifdef TERMIOS
# include <termios.h>
# define TTY_STRUCT struct termios
--
2.2.2
From 09e6425ad6927a825b077af85c50b2fb04773757 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Thu, 5 Feb 2015 08:52:05 +0200
Subject: [PATCH] fix default ca path for apps
---
apps/s_server.c | 22 ++++++++++++++--------
apps/s_time.c | 13 ++++++-------
3 files changed, 26 insertions(+), 22 deletions(-)
diff --git a/apps/s_server.c b/apps/s_server.c
index baa2455..2d5dc97 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -1770,12 +1770,14 @@ int MAIN(int argc, char *argv[])
}
#endif
- if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
- (!SSL_CTX_set_default_verify_paths(ctx))) {
- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
- ERR_print_errors(bio_err);
- /* goto end; */
+ if (CAfile == NULL && CApath == NULL) {
+ if (!SSL_CTX_set_default_verify_paths(ctx))
+ ERR_print_errors(bio_err);
+ } else {
+ if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath))
+ ERR_print_errors(bio_err);
}
+
if (vpm)
SSL_CTX_set1_param(ctx, vpm);
@@ -1838,10 +1840,14 @@ int MAIN(int argc, char *argv[])
else
SSL_CTX_sess_set_cache_size(ctx2, 128);
- if ((!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) ||
- (!SSL_CTX_set_default_verify_paths(ctx2))) {
- ERR_print_errors(bio_err);
+ if (CAfile == NULL && CApath == NULL) {
+ if (!SSL_CTX_set_default_verify_paths(ctx2))
+ ERR_print_errors(bio_err);
+ } else {
+ if (!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath))
+ ERR_print_errors(bio_err);
}
+
if (vpm)
SSL_CTX_set1_param(ctx2, vpm);
diff --git a/apps/s_time.c b/apps/s_time.c
index 5846f3a..c8f371a 100644
--- a/apps/s_time.c
+++ b/apps/s_time.c
@@ -377,13 +377,12 @@ int MAIN(int argc, char **argv)
SSL_load_error_strings();
- if ((!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) ||
- (!SSL_CTX_set_default_verify_paths(tm_ctx))) {
- /*
- * BIO_printf(bio_err,"error setting default verify locations\n");
- */
- ERR_print_errors(bio_err);
- /* goto end; */
+ if (CAfile == NULL && CApath == NULL) {
+ if (!SSL_CTX_set_default_verify_paths(tm_ctx))
+ ERR_print_errors(bio_err);
+ } else {
+ if (!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath))
+ ERR_print_errors(bio_err);
}
if (tm_cipher == NULL)
--
2.2.2
This diff is collapsed.
From 4785c095dbfb3630ddf6685f23e3a19c7c804cbc Mon Sep 17 00:00:00 2001
From: William Pitcock <nenolod@dereferenced.org>
Date: Thu, 5 Feb 2015 09:02:00 +0200
Subject: [PATCH] add ircv3 tls-3.1 extension support to s_client
---
apps/s_client.c | 24 ++++++++++++++++++++++--
1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/apps/s_client.c b/apps/s_client.c
index 8aee02a..0a28b89 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -401,7 +401,7 @@ static void sc_usage(void)
BIO_printf(bio_err,
" 'prot' defines which one to assume. Currently,\n");
BIO_printf(bio_err,
- " only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
+ " only \"smtp\", \"pop3\", \"imap\", \"ftp\", \"xmpp\" and \"ircv3\"\n");
BIO_printf(bio_err, " are supported.\n");
#ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err,
@@ -640,7 +640,8 @@ enum {
PROTO_POP3,
PROTO_IMAP,
PROTO_FTP,
- PROTO_XMPP
+ PROTO_XMPP,
+ PROTO_IRCV3,
};
int MAIN(int, char **);
@@ -1062,6 +1063,8 @@ int MAIN(int argc, char **argv)
starttls_proto = PROTO_FTP;
else if (strcmp(*argv, "xmpp") == 0)
starttls_proto = PROTO_XMPP;
+ else if (strcmp(*argv, "ircv3") == 0)
+ starttls_proto = PROTO_IRCV3;
else
goto bad;
}
@@ -1646,6 +1649,23 @@ int MAIN(int argc, char **argv)
goto shut;
mbuf[0] = 0;
}
+ if (starttls_proto == PROTO_IRCV3) {
+ int seen = 0;
+ BIO_printf(sbio,"CAP REQ :tls\r\n");
+
+ while (!strstr(mbuf,"CAP")) {
+ seen = BIO_read(sbio,mbuf,BUFSIZZ);
+ mbuf[seen] = 0;
+ }
+ if (!strstr(mbuf,"ACK"))
+ goto shut;
+ BIO_printf(sbio,"CAP END\r\nSTARTTLS\r\n");
+ while (!strstr(sbuf, "670")) {
+ seen = BIO_read(sbio,sbuf,BUFSIZZ);
+ sbuf[seen] = 0;
+ }
+ mbuf[0] = 0;
+ }
for (;;) {
FD_ZERO(&readfds);
--
2.2.2
From 7457e26d3a78c7cd923242d87d04febadddea086 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Thu, 5 Feb 2015 10:06:31 +0200
Subject: [PATCH] maintain abi compat with no-freelist and regular build
---
ssl/ssl.h | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 2b0f662..636cb5d 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1113,6 +1113,10 @@ struct ssl_ctx_st {
unsigned int freelist_max_len;
struct ssl3_buf_freelist_st *wbuf_freelist;
struct ssl3_buf_freelist_st *rbuf_freelist;
+# else
+ unsigned int freelist_dummy0;
+ void *freelist_dummy1;
+ void *freelist_dummy2;
# endif
# ifndef OPENSSL_NO_SRP
SRP_CTX srp_ctx; /* ctx for SRP authentication */
--
2.2.2
--- a/Makefile.shared 2005-06-23 22:47:54.000000000 +0200
+++ b/Makefile.shared 2005-11-16 22:35:37.000000000 +0100
@@ -153,7 +153,7 @@
NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
-DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
+DO_GNU_APP=LDFLAGS="$(CFLAGS)"
#This is rather special. It's a special target with which one can link
#applications without bothering with any features that have anything to
diff -ru openssl-1.0.2a.orig/doc/ssl/SSL_COMP_add_compression_method.pod openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod
--- openssl-1.0.2a.orig/doc/ssl/SSL_COMP_add_compression_method.pod 2015-01-15 16:43:14.000000000 -0200
+++ openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod 2015-03-27 15:18:47.280054883 -0200
@@ -47,6 +47,13 @@
been standardized, the compression API will most likely be changed. Using
it in the current state is not recommended.
+It is also not recommended to use compression if data transfered contain
+untrusted parts that can be manipulated by an attacker as he could then
+get information about the encrypted data. See the CRIME attack. For
+that reason the default loading of the zlib compression method is
+disabled and enabled only if the environment variable B<OPENSSL_DEFAULT_ZLIB>
+is present during the library initialization.
+
=head1 RETURN VALUES
SSL_COMP_add_compression_method() may return the following values:
diff -ru openssl-1.0.2a.orig/ssl/ssl_ciph.c openssl-1.0.2a/ssl/ssl_ciph.c
--- openssl-1.0.2a.orig/ssl/ssl_ciph.c 2015-03-19 15:30:36.000000000 -0200
+++ openssl-1.0.2a/ssl/ssl_ciph.c 2015-03-27 15:23:05.960057092 -0200
@@ -141,6 +141,8 @@
*/
#include <stdio.h>
+#include <stdlib.h>
+#include <sys/auxv.h>
#include <openssl/objects.h>
#ifndef OPENSSL_NO_COMP
# include <openssl/comp.h>
@@ -481,7 +483,7 @@
MemCheck_off();
ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp);
- if (ssl_comp_methods != NULL) {
+ if (ssl_comp_methods != NULL && getauxval(AT_SECURE) == 0 && getenv("OPENSSL_DEFAULT_ZLIB") != NULL) {
comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
if (comp != NULL) {
comp->method = COMP_zlib();
From 83c96cbc76604daccbc31cea9411555aea96fd6d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Thu, 5 Feb 2015 09:16:51 +0200
Subject: [PATCH] crypto/hmac: support EVP_MD_CTX_FLAG_ONESHOT and set it
properly
Some engines (namely VIA C7 Padlock) work only if EVP_MD_CTX_FLAG_ONESHOT
is set before final update. This is because some crypto accelerators cannot
perform non-finalizing transform of the digest.
The usage of EVP_MD_CTX_FLAG_ONESHOT is used semantically slightly
differently here. It is set before the final EVP_DigestUpdate call, not
necessarily before EVP_DigestInit call. This will not cause any problems
though.
---
crypto/hmac/hmac.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/crypto/hmac/hmac.c b/crypto/hmac/hmac.c
index 1fc9e2c..6f16578 100644
--- a/crypto/hmac/hmac.c
+++ b/crypto/hmac/hmac.c
@@ -109,7 +109,8 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
j = EVP_MD_block_size(md);
OPENSSL_assert(j <= (int)sizeof(ctx->key));
if (j < len) {
- if (!EVP_DigestInit_ex(&ctx->md_ctx, md, impl))
+ EVP_MD_CTX_set_flags(&ctx->md_ctx, EVP_MD_CTX_FLAG_ONESHOT);
+ if (!EVP_DigestInit_ex(&ctx->md_ctx, md, impl))
goto err;
if (!EVP_DigestUpdate(&ctx->md_ctx, key, len))
goto err;
@@ -129,6 +130,7 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
if (reset) {
for (i = 0; i < HMAC_MAX_MD_CBLOCK; i++)
pad[i] = 0x36 ^ ctx->key[i];
+ EVP_MD_CTX_clear_flags(&ctx->i_ctx, EVP_MD_CTX_FLAG_ONESHOT);
if (!EVP_DigestInit_ex(&ctx->i_ctx, md, impl))
goto err;
if (!EVP_DigestUpdate(&ctx->i_ctx, pad, EVP_MD_block_size(md)))
@@ -136,6 +138,7 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
for (i = 0; i < HMAC_MAX_MD_CBLOCK; i++)
pad[i] = 0x5c ^ ctx->key[i];
+ EVP_MD_CTX_clear_flags(&ctx->o_ctx, EVP_MD_CTX_FLAG_ONESHOT);
if (!EVP_DigestInit_ex(&ctx->o_ctx, md, impl))
goto err;
if (!EVP_DigestUpdate(&ctx->o_ctx, pad, EVP_MD_block_size(md)))
@@ -143,6 +146,7 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
}
if (!EVP_MD_CTX_copy_ex(&ctx->md_ctx, &ctx->i_ctx))
goto err;
+ EVP_MD_CTX_clear_flags(&ctx->md_ctx, EVP_MD_CTX_FLAG_ONESHOT);
return 1;
err:
return 0;
@@ -177,6 +181,7 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len)
goto err;
if (!EVP_MD_CTX_copy_ex(&ctx->md_ctx, &ctx->o_ctx))
goto err;
+ EVP_MD_CTX_set_flags(&ctx->md_ctx,EVP_MD_CTX_FLAG_ONESHOT);
if (!EVP_DigestUpdate(&ctx->md_ctx, buf, i))
goto err;
if (!EVP_DigestFinal_ex(&ctx->md_ctx, md, len))
@@ -233,8 +238,9 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
if (md == NULL)
md = m;
HMAC_CTX_init(&c);
- if (!HMAC_Init(&c, key, key_len, evp_md))
+ if (!HMAC_Init_ex(&c, key, key_len, evp_md, NULL))
goto err;
+ HMAC_CTX_set_flags(&c,EVP_MD_CTX_FLAG_ONESHOT);
if (!HMAC_Update(&c, d, n))
goto err;
if (!HMAC_Final(&c, md, md_len))
@@ -247,7 +253,7 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags)
{
- EVP_MD_CTX_set_flags(&ctx->i_ctx, flags);
- EVP_MD_CTX_set_flags(&ctx->o_ctx, flags);
+ EVP_MD_CTX_set_flags(&ctx->i_ctx, flags & ~EVP_MD_CTX_FLAG_ONESHOT);
+ EVP_MD_CTX_set_flags(&ctx->o_ctx, flags & ~EVP_MD_CTX_FLAG_ONESHOT);
EVP_MD_CTX_set_flags(&ctx->md_ctx, flags);
}
--
2.2.2
From ba17588a940ee712c3ef6d458adb1087f0c84521 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Thu, 5 Feb 2015 09:28:10 +0200
Subject: [PATCH] backport changes from upstream padlock module.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Includes support for VIA Nano 64-bit mode.
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
---
engines/e_padlock.c | 142 +++++++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 125 insertions(+), 17 deletions(-)
diff --git a/engines/e_padlock.c b/engines/e_padlock.c
index 2898e4c..94406cb 100644
--- a/engines/e_padlock.c
+++ b/engines/e_padlock.c
@@ -101,7 +101,10 @@
*/
# undef COMPILE_HW_PADLOCK
# if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM)
-# if (defined(__GNUC__) && (defined(__i386__) || defined(__i386))) || \
+# if (defined(__GNUC__) && __GNUC__>=2 && \
+ (defined(__i386__) || defined(__i386) || \
+ defined(__x86_64__) || defined(__x86_64)) \
+ ) || \
(defined(_MSC_VER) && defined(_M_IX86))
# define COMPILE_HW_PADLOCK
# endif
@@ -303,6 +306,7 @@ static volatile struct padlock_cipher_data *padlock_saved_context;
* =======================================================
*/
# if defined(__GNUC__) && __GNUC__>=2
+# if defined(__i386__) || defined(__i386)
/*
* As for excessive "push %ebx"/"pop %ebx" found all over.
* When generating position-independent code GCC won't let
@@ -379,22 +383,6 @@ static int padlock_available(void)
return padlock_use_ace + padlock_use_rng;
}
-# ifndef OPENSSL_NO_AES
-# ifndef AES_ASM
-/* Our own htonl()/ntohl() */
-static inline void padlock_bswapl(AES_KEY *ks)
-{
- size_t i = sizeof(ks->rd_key) / sizeof(ks->rd_key[0]);
- unsigned int *key = ks->rd_key;
-
- while (i--) {
- asm volatile ("bswapl %0":"+r" (*key));
- key++;
- }
-}
-# endif
-# endif
-
/*
* Force key reload from memory to the CPU microcode. Loading EFLAGS from the
* stack clears EFLAGS[30] which does the trick.
@@ -448,6 +436,110 @@ static inline void *name(size_t cnt, \
: "edx", "cc", "memory"); \
return iv; \
}
+#endif
+
+#elif defined(__x86_64__) || defined(__x86_64)
+
+/* Load supported features of the CPU to see if
+ the PadLock is available. */
+static int
+padlock_available(void)
+{
+ char vendor_string[16];
+ unsigned int eax, edx;
+
+ /* Are we running on the Centaur (VIA) CPU? */
+ eax = 0x00000000;
+ vendor_string[12] = 0;
+ asm volatile (
+ "cpuid\n"
+ "movl %%ebx,(%1)\n"
+ "movl %%edx,4(%1)\n"
+ "movl %%ecx,8(%1)\n"
+ : "+a"(eax) : "r"(vendor_string) : "rbx", "rcx", "rdx");
+ if (strcmp(vendor_string, "CentaurHauls") != 0)
+ return 0;
+
+ /* Check for Centaur Extended Feature Flags presence */
+ eax = 0xC0000000;
+ asm volatile ("cpuid"
+ : "+a"(eax) : : "rbx", "rcx", "rdx");
+ if (eax < 0xC0000001)
+ return 0;
+
+ /* Read the Centaur Extended Feature Flags */
+ eax = 0xC0000001;
+ asm volatile ("cpuid"
+ : "+a"(eax), "=d"(edx) : : "rbx", "rcx");
+
+ /* Fill up some flags */
+ padlock_use_ace = ((edx & (0x3<<6)) == (0x3<<6));
+ padlock_use_rng = ((edx & (0x3<<2)) == (0x3<<2));
+
+ return padlock_use_ace + padlock_use_rng;
+}
+
+/* Force key reload from memory to the CPU microcode.
+ Loading EFLAGS from the stack clears EFLAGS[30]
+ which does the trick. */
+static inline void
+padlock_reload_key(void)
+{
+ asm volatile ("pushfq; popfq");
+}
+
+#ifndef OPENSSL_NO_AES
+/*
+ * This is heuristic key context tracing. At first one
+ * believes that one should use atomic swap instructions,
+ * but it's not actually necessary. Point is that if
+ * padlock_saved_context was changed by another thread
+ * after we've read it and before we compare it with cdata,
+ * our key *shall* be reloaded upon thread context switch
+ * and we are therefore set in either case...
+ */
+static inline void
+padlock_verify_context(struct padlock_cipher_data *cdata)
+{
+ asm volatile (
+ "pushfq\n"
+" btl $30,(%%rsp)\n"
+" jnc 1f\n"
+" cmpq %2,%1\n"
+" je 1f\n"
+" popfq\n"
+" subq $8,%%rsp\n"
+"1: addq $8,%%rsp\n"
+" movq %2,%0"
+ :"+m"(padlock_saved_context)
+ : "r"(padlock_saved_context), "r"(cdata) : "cc");
+}
+
+/* Template for padlock_xcrypt_* modes */
+/* BIG FAT WARNING:
+ * The offsets used with 'leal' instructions
+ * describe items of the 'padlock_cipher_data'
+ * structure.
+ */
+#define PADLOCK_XCRYPT_ASM(name,rep_xcrypt) \
+static inline void *name(size_t cnt, \
+ struct padlock_cipher_data *cdata, \
+ void *out, const void *inp) \
+{ void *iv; \
+ asm volatile ( "leaq 16(%0),%%rdx\n" \
+ " leaq 32(%0),%%rbx\n" \
+ rep_xcrypt "\n" \
+ : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \
+ : "0"(cdata), "1"(cnt), "2"(out), "3"(inp) \
+ : "rbx", "rdx", "cc", "memory"); \
+ return iv; \
+}
+#endif
+
+#endif /* cpu */
+
+
+# ifndef OPENSSL_NO_AES
/* Generate all functions with appropriate opcodes */
/* rep xcryptecb */
@@ -458,7 +550,23 @@ PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb, ".byte 0xf3,0x0f,0xa7,0xc8")
PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0")
/* rep xcryptofb */
PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8")
+
+# ifndef AES_ASM
+/* Our own htonl()/ntohl() */
+static inline void padlock_bswapl(AES_KEY *ks)
+{
+ size_t i = sizeof(ks->rd_key) / sizeof(ks->rd_key[0]);
+ unsigned int *key = ks->rd_key;
+
+ while (i--) {
+ asm volatile ("bswapl %0":"+r" (*key));
+ key++;
+ }
+}
+# endif
+
# endif
+
/* The RNG call itself */
static inline unsigned int padlock_xstore(void *addr, unsigned int edx_in)
{
--
2.2.2
From a58658f191e83f4c6417d2cc879fa572f7978537 Mon Sep 17 00:00:00 2001
From: Natanael Copa <ncopa@alpinelinux.org>
Date: Thu, 4 Feb 2016 16:28:15 +0100
Subject: [PATCH] crypto/engine: autoload padlock dynamic engine
---
crypto/engine/eng_all.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/crypto/engine/eng_all.c b/crypto/engine/eng_all.c
index 48ad0d2..822aa23 100644
--- a/crypto/engine/eng_all.c
+++ b/crypto/engine/eng_all.c
@@ -120,6 +120,16 @@ void ENGINE_load_builtin_engines(void)
ENGINE_load_capi();
# endif
#endif
+#ifdef OPENSSL_NO_STATIC_ENGINE
+ {
+ ENGINE *e = ENGINE_by_id("padlock");
+ if (e != NULL) {
+ ENGINE_add(e);
+ ENGINE_free(e);
+ ERR_clear_error();
+ }
+ }
+#endif
ENGINE_register_all_complete();
}
--
2.7.0
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=openssl
pkgver=1.0.2t
pkgver=1.1.1d
pkgrel=0
pkgdesc="Toolkit for SSL v2/v3 and TLS v1"
pkgdesc="Toolkit for SSL and TLS"
url="https://www.openssl.org/"
arch="all"
license="OpenSSL"
depends=""
depends_dev="zlib-dev"
checkdepends="perl"
makedepends_build="perl"
makedepends_host="zlib-dev"
makedepends="$makedepends_host $makedepends_build"
subpackages="$pkgname-dbg $pkgname-dev $pkgname-doc libcrypto1.0:libcrypto
libssl1.0:libssl"
subpackages="$pkgname-dbg $pkgname-dev $pkgname-doc libcrypto1.1:libcrypto
libssl1.1:libssl"
source="https://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz
0003-use-termios.patch
0004-fix-default-ca-path-for-apps.patch
0005-fix-parallel-build.patch
0006-add-ircv3-tls-3.1-extension-support-to-s_client.patch
0008-maintain-abi-compat-with-no-freelist-and-regular-bui.patch
0009-no-rpath.patch
0010-ssl-env-zlib.patch
1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
1002-backport-changes-from-upstream-padlock-module.patch
1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
CVE-2019-1551.patch
ppc64.patch
"
# secfixes:
......@@ -67,6 +56,8 @@ source="https://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz
# 1.0.2t-r0:
# - CVE-2019-1547
# - CVE-2019-1563
# 1.1.1d-r0:
# - CVE-2019-1551
build() {
# openssl will prepend crosscompile always core CC et al
......@@ -79,10 +70,10 @@ build() {
aarch64*) _target="linux-aarch64" ;;
arm*) _target="linux-armv4" ;;
ppc) _target="linux-ppc" ;;
ppc64) _target="linux-ppc64"; _optflags="no-asm" ;;
ppc64) _target="linux-ppc64" ;;
ppc64le) _target="linux-ppc64le" ;;
i528 | pmmx | x86) _target="linux-elf" ;;
x86_64) _target="linux-x86_64"; _optflags="enable-ec_nistp_64_gcc_128" ;;
x86_64) _target="linux-x86_64" ;;
s390x) _target="linux64-s390x";;
*) msg "Unable to determine architecture from (CARCH=$CARCH)" ; return 1 ;;
esac
......@@ -94,37 +85,33 @@ build() {
perl ./Configure $_target --prefix=/usr \
--libdir=lib \
--openssldir=/etc/ssl \
shared zlib enable-montasm enable-md2 $_optflags \
-DOPENSSL_NO_BUF_FREELISTS \
$CPPFLAGS $CFLAGS $LDFLAGS -Wa,--noexecstack \
enable-ssl2
make && make build-shared
shared no-zlib enable-md2 no-weak-ssl-ciphers \
$CPPFLAGS $CFLAGS $LDFLAGS -Wa,--noexecstack
make
}
check() {
make -j1 test
make test
}
package() {
make INSTALL_PREFIX="$pkgdir" MANDIR=/usr/share/man MANSUFFIX=ssl install
# remove the script c_rehash
make DESTDIR="$pkgdir" install
rm "$pkgdir"/usr/bin/c_rehash
}
libcrypto() {
pkgdesc="Crypto library from openssl"
pkgdesc="OpenSSL cryptography library"
mkdir -p "$subpkgdir"/lib "$subpkgdir"/usr/lib
for i in "$pkgdir"/usr/lib/libcrypto*; do
mv $i "$subpkgdir"/lib/
ln -s ../../lib/${i##*/} "$subpkgdir"/usr/lib/${i##*/}
done
mv "$pkgdir"/usr/lib/engines "$subpkgdir"/usr/lib/
mv "$pkgdir"/usr/lib/engines-1.1 "$subpkgdir"/usr/lib/
}
libssl() {
pkgdesc="SSL shared libraries"
pkgdesc="OpenSSL socket library"
mkdir -p "$subpkgdir"/lib "$subpkgdir"/usr/lib
for i in "$pkgdir"/usr/lib/libssl*; do
......@@ -133,14 +120,6 @@ libssl() {
done
}
sha512sums="0b88868933f42fab87e8b22449435a1091cc6e75f986aad6c173e01ad123161fcae8c226759073701bc65c9f2f0b6ce6a63a61203008ed873cfb6e484f32bc71 openssl-1.0.2t.tar.gz
58e42058a0c8086c49d681b1e226da39a8cf8cb88c51cf739dec2ff12e1bb5d7208ac5033264b186d58e9bdfe992fe9ddb95701d01caf1824396b2cefe30c0a4 0003-use-termios.patch
c67472879a31b5dbdd313892df6d37e7c93e8c0237d406c30d50b1016c2618ead3c13277f5dc723ef1ceed092d36e3c15a9777daa844f59b9fa2b0a4f04fd9ae 0004-fix-default-ca-path-for-apps.patch
5d4191482f8bbf62c75fe6bc2d9587388022c3310703c2a913788a983b1d1406e706cf3916a5792604f0b0f220a87432d3b82b442cea9915f2abb6fdd8478fcb 0005-fix-parallel-build.patch
820d4ce1c222696fe3f1dd0d11815c06262ec230fdb174532fd507286667a0aefbf858ea5edac4245a54b950cd0556545ecd0c5cf494692a2ba131c667e7bcd5 0006-add-ircv3-tls-3.1-extension-support-to-s_client.patch
17ad683bb91a3a3c5bcc456c8aed7f0b42414c6de06ebafa4753af93c42d9827c9978a43d4d53d741a45df7f7895c6f6163172af57cc7b391cfd15f45ce6c351 0008-maintain-abi-compat-with-no-freelist-and-regular-bui.patch
5dbbc01985190ae1254350fb12565beb6abb916b6a7bb1f0f22d9762b1e575d124aaf9aa4cfe5f908e420978f691072d48c61a72660f09dfd6d9a2f83f862bc1 0009-no-rpath.patch
5febe20948e3f12d981e378e1f4ea538711657aacb6865a1aa91339d4a04277e250f490a1f2abc2c6f290bdc2b1bffdba1d00983b4c09f7ea983eef8163f9420 0010-ssl-env-zlib.patch
8c181760d7a149aa18d246d50f1c0438ffb63c98677b05306dfc00400ad0429b47d31e7c8d85126005c67f743d23e7a8a81174ffe98556f4caf9cf6b04d9ff17 1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
a3555440b5f544bfd6b9ad97557d8f4c1d673f6a35219f65056a72035d186be5f354717ddf9784899b602464d48657b090ade24379552d43af97609c0f48c389 1002-backport-changes-from-upstream-padlock-module.patch
6353c7a94016c20db5d683dde37775f6780952ecdb1a5f39f878d04ba37f6ad79ae10fb6d65d181d912505a5d1e22463004cd855d548b364c00b120da2b0fdbc 1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch"
sha512sums="2bc9f528c27fe644308eb7603c992bac8740e9f0c3601a130af30c9ffebbf7e0f5c28b76a00bbb478bad40fbe89b4223a58d604001e1713da71ff4b7fe6a08a7 openssl-1.1.1d.tar.gz
11ca61515a89766241fe0fae27f3b39767128915f288ea88840bf93e8b50ac416024cb2153efcdf2658d3e82a8e4250a0c069333dbd7347475f9dafcc45370b5 CVE-2019-1551.patch
66bbb0ae769643c8a0b1501d9c8466f08f0d8b3b2bc4fcc2c0c054ab1971ced85c07aa0e4b8168a4394d0ae407dfbd26066a7a068602ce5b58e459b12ce6d36a ppc64.patch"
This diff is collapsed.
From 34ab13b7d8e3e723adb60be8142e38b7c9cd382a Mon Sep 17 00:00:00 2001
From: Andy Polyakov <appro@openssl.org>
Date: Sun, 5 May 2019 18:25:50 +0200
Subject: [PATCH] crypto/perlasm/ppc-xlate.pl: add linux64v2 flavour
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit