Verified Commit 9e9c63df authored by A. Wilcox's avatar A. Wilcox

system/openssl: Bump to 1.1.1d

parent 916779a6
From 5caf1bdcdb56358c0ce38ef404fedbe323e66cb9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Thu, 5 Feb 2015 08:40:32 +0200
Subject: [PATCH] use termios
---
crypto/ui/ui_openssl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/crypto/ui/ui_openssl.c b/crypto/ui/ui_openssl.c
index 8bda83c..a89b5f2 100644
--- a/crypto/ui/ui_openssl.c
+++ b/crypto/ui/ui_openssl.c
@@ -224,6 +224,9 @@
# undef SGTTY
#endif
+#define TERMIOS
+#undef TERMIO
+
#ifdef TERMIOS
# include <termios.h>
# define TTY_STRUCT struct termios
--
2.2.2
From 09e6425ad6927a825b077af85c50b2fb04773757 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Thu, 5 Feb 2015 08:52:05 +0200
Subject: [PATCH] fix default ca path for apps
---
apps/s_server.c | 22 ++++++++++++++--------
apps/s_time.c | 13 ++++++-------
3 files changed, 26 insertions(+), 22 deletions(-)
diff --git a/apps/s_server.c b/apps/s_server.c
index baa2455..2d5dc97 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -1770,12 +1770,14 @@ int MAIN(int argc, char *argv[])
}
#endif
- if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
- (!SSL_CTX_set_default_verify_paths(ctx))) {
- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
- ERR_print_errors(bio_err);
- /* goto end; */
+ if (CAfile == NULL && CApath == NULL) {
+ if (!SSL_CTX_set_default_verify_paths(ctx))
+ ERR_print_errors(bio_err);
+ } else {
+ if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath))
+ ERR_print_errors(bio_err);
}
+
if (vpm)
SSL_CTX_set1_param(ctx, vpm);
@@ -1838,10 +1840,14 @@ int MAIN(int argc, char *argv[])
else
SSL_CTX_sess_set_cache_size(ctx2, 128);
- if ((!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) ||
- (!SSL_CTX_set_default_verify_paths(ctx2))) {
- ERR_print_errors(bio_err);
+ if (CAfile == NULL && CApath == NULL) {
+ if (!SSL_CTX_set_default_verify_paths(ctx2))
+ ERR_print_errors(bio_err);
+ } else {
+ if (!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath))
+ ERR_print_errors(bio_err);
}
+
if (vpm)
SSL_CTX_set1_param(ctx2, vpm);
diff --git a/apps/s_time.c b/apps/s_time.c
index 5846f3a..c8f371a 100644
--- a/apps/s_time.c
+++ b/apps/s_time.c
@@ -377,13 +377,12 @@ int MAIN(int argc, char **argv)
SSL_load_error_strings();
- if ((!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) ||
- (!SSL_CTX_set_default_verify_paths(tm_ctx))) {
- /*
- * BIO_printf(bio_err,"error setting default verify locations\n");
- */
- ERR_print_errors(bio_err);
- /* goto end; */
+ if (CAfile == NULL && CApath == NULL) {
+ if (!SSL_CTX_set_default_verify_paths(tm_ctx))
+ ERR_print_errors(bio_err);
+ } else {
+ if (!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath))
+ ERR_print_errors(bio_err);
}
if (tm_cipher == NULL)
--
2.2.2
This diff is collapsed.
From 4785c095dbfb3630ddf6685f23e3a19c7c804cbc Mon Sep 17 00:00:00 2001
From: William Pitcock <nenolod@dereferenced.org>
Date: Thu, 5 Feb 2015 09:02:00 +0200
Subject: [PATCH] add ircv3 tls-3.1 extension support to s_client
---
apps/s_client.c | 24 ++++++++++++++++++++++--
1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/apps/s_client.c b/apps/s_client.c
index 8aee02a..0a28b89 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -401,7 +401,7 @@ static void sc_usage(void)
BIO_printf(bio_err,
" 'prot' defines which one to assume. Currently,\n");
BIO_printf(bio_err,
- " only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
+ " only \"smtp\", \"pop3\", \"imap\", \"ftp\", \"xmpp\" and \"ircv3\"\n");
BIO_printf(bio_err, " are supported.\n");
#ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err,
@@ -640,7 +640,8 @@ enum {
PROTO_POP3,
PROTO_IMAP,
PROTO_FTP,
- PROTO_XMPP
+ PROTO_XMPP,
+ PROTO_IRCV3,
};
int MAIN(int, char **);
@@ -1062,6 +1063,8 @@ int MAIN(int argc, char **argv)
starttls_proto = PROTO_FTP;
else if (strcmp(*argv, "xmpp") == 0)
starttls_proto = PROTO_XMPP;
+ else if (strcmp(*argv, "ircv3") == 0)
+ starttls_proto = PROTO_IRCV3;
else
goto bad;
}
@@ -1646,6 +1649,23 @@ int MAIN(int argc, char **argv)
goto shut;
mbuf[0] = 0;
}
+ if (starttls_proto == PROTO_IRCV3) {
+ int seen = 0;
+ BIO_printf(sbio,"CAP REQ :tls\r\n");
+
+ while (!strstr(mbuf,"CAP")) {
+ seen = BIO_read(sbio,mbuf,BUFSIZZ);
+ mbuf[seen] = 0;
+ }
+ if (!strstr(mbuf,"ACK"))
+ goto shut;
+ BIO_printf(sbio,"CAP END\r\nSTARTTLS\r\n");
+ while (!strstr(sbuf, "670")) {
+ seen = BIO_read(sbio,sbuf,BUFSIZZ);
+ sbuf[seen] = 0;
+ }
+ mbuf[0] = 0;
+ }
for (;;) {
FD_ZERO(&readfds);
--
2.2.2
From 7457e26d3a78c7cd923242d87d04febadddea086 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Thu, 5 Feb 2015 10:06:31 +0200
Subject: [PATCH] maintain abi compat with no-freelist and regular build
---
ssl/ssl.h | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 2b0f662..636cb5d 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1113,6 +1113,10 @@ struct ssl_ctx_st {
unsigned int freelist_max_len;
struct ssl3_buf_freelist_st *wbuf_freelist;
struct ssl3_buf_freelist_st *rbuf_freelist;
+# else
+ unsigned int freelist_dummy0;
+ void *freelist_dummy1;
+ void *freelist_dummy2;
# endif
# ifndef OPENSSL_NO_SRP
SRP_CTX srp_ctx; /* ctx for SRP authentication */
--
2.2.2
--- a/Makefile.shared 2005-06-23 22:47:54.000000000 +0200
+++ b/Makefile.shared 2005-11-16 22:35:37.000000000 +0100
@@ -153,7 +153,7 @@
NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
-DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
+DO_GNU_APP=LDFLAGS="$(CFLAGS)"
#This is rather special. It's a special target with which one can link
#applications without bothering with any features that have anything to
diff -ru openssl-1.0.2a.orig/doc/ssl/SSL_COMP_add_compression_method.pod openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod
--- openssl-1.0.2a.orig/doc/ssl/SSL_COMP_add_compression_method.pod 2015-01-15 16:43:14.000000000 -0200
+++ openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod 2015-03-27 15:18:47.280054883 -0200
@@ -47,6 +47,13 @@
been standardized, the compression API will most likely be changed. Using
it in the current state is not recommended.
+It is also not recommended to use compression if data transfered contain
+untrusted parts that can be manipulated by an attacker as he could then
+get information about the encrypted data. See the CRIME attack. For
+that reason the default loading of the zlib compression method is
+disabled and enabled only if the environment variable B<OPENSSL_DEFAULT_ZLIB>
+is present during the library initialization.
+
=head1 RETURN VALUES
SSL_COMP_add_compression_method() may return the following values:
diff -ru openssl-1.0.2a.orig/ssl/ssl_ciph.c openssl-1.0.2a/ssl/ssl_ciph.c
--- openssl-1.0.2a.orig/ssl/ssl_ciph.c 2015-03-19 15:30:36.000000000 -0200
+++ openssl-1.0.2a/ssl/ssl_ciph.c 2015-03-27 15:23:05.960057092 -0200
@@ -141,6 +141,8 @@
*/
#include <stdio.h>
+#include <stdlib.h>
+#include <sys/auxv.h>
#include <openssl/objects.h>
#ifndef OPENSSL_NO_COMP
# include <openssl/comp.h>
@@ -481,7 +483,7 @@
MemCheck_off();
ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp);
- if (ssl_comp_methods != NULL) {
+ if (ssl_comp_methods != NULL && getauxval(AT_SECURE) == 0 && getenv("OPENSSL_DEFAULT_ZLIB") != NULL) {
comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
if (comp != NULL) {
comp->method = COMP_zlib();
From 83c96cbc76604daccbc31cea9411555aea96fd6d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Thu, 5 Feb 2015 09:16:51 +0200
Subject: [PATCH] crypto/hmac: support EVP_MD_CTX_FLAG_ONESHOT and set it
properly
Some engines (namely VIA C7 Padlock) work only if EVP_MD_CTX_FLAG_ONESHOT
is set before final update. This is because some crypto accelerators cannot
perform non-finalizing transform of the digest.
The usage of EVP_MD_CTX_FLAG_ONESHOT is used semantically slightly
differently here. It is set before the final EVP_DigestUpdate call, not
necessarily before EVP_DigestInit call. This will not cause any problems
though.
---
crypto/hmac/hmac.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/crypto/hmac/hmac.c b/crypto/hmac/hmac.c
index 1fc9e2c..6f16578 100644
--- a/crypto/hmac/hmac.c
+++ b/crypto/hmac/hmac.c
@@ -109,7 +109,8 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
j = EVP_MD_block_size(md);
OPENSSL_assert(j <= (int)sizeof(ctx->key));
if (j < len) {
- if (!EVP_DigestInit_ex(&ctx->md_ctx, md, impl))
+ EVP_MD_CTX_set_flags(&ctx->md_ctx, EVP_MD_CTX_FLAG_ONESHOT);
+ if (!EVP_DigestInit_ex(&ctx->md_ctx, md, impl))
goto err;
if (!EVP_DigestUpdate(&ctx->md_ctx, key, len))
goto err;
@@ -129,6 +130,7 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
if (reset) {
for (i = 0; i < HMAC_MAX_MD_CBLOCK; i++)
pad[i] = 0x36 ^ ctx->key[i];
+ EVP_MD_CTX_clear_flags(&ctx->i_ctx, EVP_MD_CTX_FLAG_ONESHOT);
if (!EVP_DigestInit_ex(&ctx->i_ctx, md, impl))
goto err;
if (!EVP_DigestUpdate(&ctx->i_ctx, pad, EVP_MD_block_size(md)))
@@ -136,6 +138,7 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
for (i = 0; i < HMAC_MAX_MD_CBLOCK; i++)
pad[i] = 0x5c ^ ctx->key[i];
+ EVP_MD_CTX_clear_flags(&ctx->o_ctx, EVP_MD_CTX_FLAG_ONESHOT);
if (!EVP_DigestInit_ex(&ctx->o_ctx, md, impl))
goto err;
if (!EVP_DigestUpdate(&ctx->o_ctx, pad, EVP_MD_block_size(md)))
@@ -143,6 +146,7 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
}
if (!EVP_MD_CTX_copy_ex(&ctx->md_ctx, &ctx->i_ctx))
goto err;
+ EVP_MD_CTX_clear_flags(&ctx->md_ctx, EVP_MD_CTX_FLAG_ONESHOT);
return 1;
err:
return 0;
@@ -177,6 +181,7 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len)
goto err;
if (!EVP_MD_CTX_copy_ex(&ctx->md_ctx, &ctx->o_ctx))
goto err;
+ EVP_MD_CTX_set_flags(&ctx->md_ctx,EVP_MD_CTX_FLAG_ONESHOT);
if (!EVP_DigestUpdate(&ctx->md_ctx, buf, i))
goto err;
if (!EVP_DigestFinal_ex(&ctx->md_ctx, md, len))
@@ -233,8 +238,9 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
if (md == NULL)
md = m;
HMAC_CTX_init(&c);
- if (!HMAC_Init(&c, key, key_len, evp_md))
+ if (!HMAC_Init_ex(&c, key, key_len, evp_md, NULL))
goto err;
+ HMAC_CTX_set_flags(&c,EVP_MD_CTX_FLAG_ONESHOT);
if (!HMAC_Update(&c, d, n))
goto err;
if (!HMAC_Final(&c, md, md_len))
@@ -247,7 +253,7 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags)
{
- EVP_MD_CTX_set_flags(&ctx->i_ctx, flags);
- EVP_MD_CTX_set_flags(&ctx->o_ctx, flags);
+ EVP_MD_CTX_set_flags(&ctx->i_ctx, flags & ~EVP_MD_CTX_FLAG_ONESHOT);
+ EVP_MD_CTX_set_flags(&ctx->o_ctx, flags & ~EVP_MD_CTX_FLAG_ONESHOT);
EVP_MD_CTX_set_flags(&ctx->md_ctx, flags);
}
--
2.2.2
From ba17588a940ee712c3ef6d458adb1087f0c84521 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Thu, 5 Feb 2015 09:28:10 +0200
Subject: [PATCH] backport changes from upstream padlock module.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Includes support for VIA Nano 64-bit mode.
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
---
engines/e_padlock.c | 142 +++++++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 125 insertions(+), 17 deletions(-)
diff --git a/engines/e_padlock.c b/engines/e_padlock.c
index 2898e4c..94406cb 100644
--- a/engines/e_padlock.c
+++ b/engines/e_padlock.c
@@ -101,7 +101,10 @@
*/
# undef COMPILE_HW_PADLOCK
# if !defined(I386_ONLY) && !defined(OPENSSL_NO_INLINE_ASM)
-# if (defined(__GNUC__) && (defined(__i386__) || defined(__i386))) || \
+# if (defined(__GNUC__) && __GNUC__>=2 && \
+ (defined(__i386__) || defined(__i386) || \
+ defined(__x86_64__) || defined(__x86_64)) \
+ ) || \
(defined(_MSC_VER) && defined(_M_IX86))
# define COMPILE_HW_PADLOCK
# endif
@@ -303,6 +306,7 @@ static volatile struct padlock_cipher_data *padlock_saved_context;
* =======================================================
*/
# if defined(__GNUC__) && __GNUC__>=2
+# if defined(__i386__) || defined(__i386)
/*
* As for excessive "push %ebx"/"pop %ebx" found all over.
* When generating position-independent code GCC won't let
@@ -379,22 +383,6 @@ static int padlock_available(void)
return padlock_use_ace + padlock_use_rng;
}
-# ifndef OPENSSL_NO_AES
-# ifndef AES_ASM
-/* Our own htonl()/ntohl() */
-static inline void padlock_bswapl(AES_KEY *ks)
-{
- size_t i = sizeof(ks->rd_key) / sizeof(ks->rd_key[0]);
- unsigned int *key = ks->rd_key;
-
- while (i--) {
- asm volatile ("bswapl %0":"+r" (*key));
- key++;
- }
-}
-# endif
-# endif
-
/*
* Force key reload from memory to the CPU microcode. Loading EFLAGS from the
* stack clears EFLAGS[30] which does the trick.
@@ -448,6 +436,110 @@ static inline void *name(size_t cnt, \
: "edx", "cc", "memory"); \
return iv; \
}
+#endif
+
+#elif defined(__x86_64__) || defined(__x86_64)
+
+/* Load supported features of the CPU to see if
+ the PadLock is available. */
+static int
+padlock_available(void)
+{
+ char vendor_string[16];
+ unsigned int eax, edx;
+
+ /* Are we running on the Centaur (VIA) CPU? */
+ eax = 0x00000000;
+ vendor_string[12] = 0;
+ asm volatile (
+ "cpuid\n"
+ "movl %%ebx,(%1)\n"
+ "movl %%edx,4(%1)\n"
+ "movl %%ecx,8(%1)\n"
+ : "+a"(eax) : "r"(vendor_string) : "rbx", "rcx", "rdx");
+ if (strcmp(vendor_string, "CentaurHauls") != 0)
+ return 0;
+
+ /* Check for Centaur Extended Feature Flags presence */
+ eax = 0xC0000000;
+ asm volatile ("cpuid"
+ : "+a"(eax) : : "rbx", "rcx", "rdx");
+ if (eax < 0xC0000001)
+ return 0;
+
+ /* Read the Centaur Extended Feature Flags */
+ eax = 0xC0000001;
+ asm volatile ("cpuid"
+ : "+a"(eax), "=d"(edx) : : "rbx", "rcx");
+
+ /* Fill up some flags */
+ padlock_use_ace = ((edx & (0x3<<6)) == (0x3<<6));
+ padlock_use_rng = ((edx & (0x3<<2)) == (0x3<<2));
+
+ return padlock_use_ace + padlock_use_rng;
+}
+
+/* Force key reload from memory to the CPU microcode.
+ Loading EFLAGS from the stack clears EFLAGS[30]
+ which does the trick. */
+static inline void
+padlock_reload_key(void)
+{
+ asm volatile ("pushfq; popfq");
+}
+
+#ifndef OPENSSL_NO_AES
+/*
+ * This is heuristic key context tracing. At first one
+ * believes that one should use atomic swap instructions,
+ * but it's not actually necessary. Point is that if
+ * padlock_saved_context was changed by another thread
+ * after we've read it and before we compare it with cdata,
+ * our key *shall* be reloaded upon thread context switch
+ * and we are therefore set in either case...
+ */
+static inline void
+padlock_verify_context(struct padlock_cipher_data *cdata)
+{
+ asm volatile (
+ "pushfq\n"
+" btl $30,(%%rsp)\n"
+" jnc 1f\n"
+" cmpq %2,%1\n"
+" je 1f\n"
+" popfq\n"
+" subq $8,%%rsp\n"
+"1: addq $8,%%rsp\n"
+" movq %2,%0"
+ :"+m"(padlock_saved_context)
+ : "r"(padlock_saved_context), "r"(cdata) : "cc");
+}
+
+/* Template for padlock_xcrypt_* modes */
+/* BIG FAT WARNING:
+ * The offsets used with 'leal' instructions
+ * describe items of the 'padlock_cipher_data'
+ * structure.
+ */
+#define PADLOCK_XCRYPT_ASM(name,rep_xcrypt) \
+static inline void *name(size_t cnt, \
+ struct padlock_cipher_data *cdata, \
+ void *out, const void *inp) \
+{ void *iv; \
+ asm volatile ( "leaq 16(%0),%%rdx\n" \
+ " leaq 32(%0),%%rbx\n" \
+ rep_xcrypt "\n" \
+ : "=a"(iv), "=c"(cnt), "=D"(out), "=S"(inp) \
+ : "0"(cdata), "1"(cnt), "2"(out), "3"(inp) \
+ : "rbx", "rdx", "cc", "memory"); \
+ return iv; \
+}
+#endif
+
+#endif /* cpu */
+
+
+# ifndef OPENSSL_NO_AES
/* Generate all functions with appropriate opcodes */
/* rep xcryptecb */
@@ -458,7 +550,23 @@ PADLOCK_XCRYPT_ASM(padlock_xcrypt_ecb, ".byte 0xf3,0x0f,0xa7,0xc8")
PADLOCK_XCRYPT_ASM(padlock_xcrypt_cfb, ".byte 0xf3,0x0f,0xa7,0xe0")
/* rep xcryptofb */
PADLOCK_XCRYPT_ASM(padlock_xcrypt_ofb, ".byte 0xf3,0x0f,0xa7,0xe8")
+
+# ifndef AES_ASM
+/* Our own htonl()/ntohl() */
+static inline void padlock_bswapl(AES_KEY *ks)
+{
+ size_t i = sizeof(ks->rd_key) / sizeof(ks->rd_key[0]);
+ unsigned int *key = ks->rd_key;
+
+ while (i--) {
+ asm volatile ("bswapl %0":"+r" (*key));
+ key++;
+ }
+}
+# endif
+
# endif
+
/* The RNG call itself */
static inline unsigned int padlock_xstore(void *addr, unsigned int edx_in)
{
--
2.2.2
From a58658f191e83f4c6417d2cc879fa572f7978537 Mon Sep 17 00:00:00 2001
From: Natanael Copa <ncopa@alpinelinux.org>
Date: Thu, 4 Feb 2016 16:28:15 +0100
Subject: [PATCH] crypto/engine: autoload padlock dynamic engine
---
crypto/engine/eng_all.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/crypto/engine/eng_all.c b/crypto/engine/eng_all.c
index 48ad0d2..822aa23 100644
--- a/crypto/engine/eng_all.c
+++ b/crypto/engine/eng_all.c
@@ -120,6 +120,16 @@ void ENGINE_load_builtin_engines(void)
ENGINE_load_capi();
# endif
#endif
+#ifdef OPENSSL_NO_STATIC_ENGINE
+ {
+ ENGINE *e = ENGINE_by_id("padlock");
+ if (e != NULL) {
+ ENGINE_add(e);
+ ENGINE_free(e);
+ ERR_clear_error();
+ }
+ }
+#endif
ENGINE_register_all_complete();
}
--
2.7.0
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=openssl
pkgver=1.0.2t
pkgver=1.1.1d
pkgrel=0
pkgdesc="Toolkit for SSL v2/v3 and TLS v1"
pkgdesc="Toolkit for SSL and TLS"
url="https://www.openssl.org/"
arch="all"
license="OpenSSL"
depends=""
depends_dev="zlib-dev"
checkdepends="perl"
makedepends_build="perl"
makedepends_host="zlib-dev"
makedepends="$makedepends_host $makedepends_build"
subpackages="$pkgname-dbg $pkgname-dev $pkgname-doc libcrypto1.0:libcrypto
libssl1.0:libssl"
subpackages="$pkgname-dbg $pkgname-dev $pkgname-doc libcrypto1.1:libcrypto
libssl1.1:libssl"
source="https://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz
0003-use-termios.patch
0004-fix-default-ca-path-for-apps.patch
0005-fix-parallel-build.patch
0006-add-ircv3-tls-3.1-extension-support-to-s_client.patch
0008-maintain-abi-compat-with-no-freelist-and-regular-bui.patch
0009-no-rpath.patch
0010-ssl-env-zlib.patch
1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
1002-backport-changes-from-upstream-padlock-module.patch
1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
CVE-2019-1551.patch
ppc64.patch
"
# secfixes:
......@@ -67,6 +56,8 @@ source="https://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz
# 1.0.2t-r0:
# - CVE-2019-1547
# - CVE-2019-1563
# 1.1.1d-r0:
# - CVE-2019-1551
build() {
# openssl will prepend crosscompile always core CC et al
......@@ -79,10 +70,10 @@ build() {
aarch64*) _target="linux-aarch64" ;;
arm*) _target="linux-armv4" ;;
ppc) _target="linux-ppc" ;;
ppc64) _target="linux-ppc64"; _optflags="no-asm" ;;
ppc64) _target="linux-ppc64" ;;
ppc64le) _target="linux-ppc64le" ;;
i528 | pmmx | x86) _target="linux-elf" ;;
x86_64) _target="linux-x86_64"; _optflags="enable-ec_nistp_64_gcc_128" ;;
x86_64) _target="linux-x86_64" ;;
s390x) _target="linux64-s390x";;
*) msg "Unable to determine architecture from (CARCH=$CARCH)" ; return 1 ;;
esac
......@@ -94,37 +85,33 @@ build() {
perl ./Configure $_target --prefix=/usr \
--libdir=lib \
--openssldir=/etc/ssl \
shared zlib enable-montasm enable-md2 $_optflags \
-DOPENSSL_NO_BUF_FREELISTS \
$CPPFLAGS $CFLAGS $LDFLAGS -Wa,--noexecstack \
enable-ssl2
make && make build-shared
shared no-zlib enable-md2 no-weak-ssl-ciphers \
$CPPFLAGS $CFLAGS $LDFLAGS -Wa,--noexecstack
make
}
check() {
make -j1 test
make test
}
package() {
make INSTALL_PREFIX="$pkgdir" MANDIR=/usr/share/man MANSUFFIX=ssl install
# remove the script c_rehash
make DESTDIR="$pkgdir" install
rm "$pkgdir"/usr/bin/c_rehash
}
libcrypto() {
pkgdesc="Crypto library from openssl"
pkgdesc="OpenSSL cryptography library"
mkdir -p "$subpkgdir"/lib "$subpkgdir"/usr/lib
for i in "$pkgdir"/usr/lib/libcrypto*; do
mv $i "$subpkgdir"/lib/
ln -s ../../lib/${i##*/} "$subpkgdir"/usr/lib/${i##*/}
done
mv "$pkgdir"/usr/lib/engines "$subpkgdir"/usr/lib/
mv "$pkgdir"/usr/lib/engines-1.1 "$subpkgdir"/usr/lib/
}
libssl() {
pkgdesc="SSL shared libraries"
pkgdesc="OpenSSL socket library"
mkdir -p "$subpkgdir"/lib "$subpkgdir"/usr/lib
for i in "$pkgdir"/usr/lib/libssl*; do
......@@ -133,14 +120,6 @@ libssl() {
done
}
sha512sums="0b88868933f42fab87e8b22449435a1091cc6e75f986aad6c173e01ad123161fcae8c226759073701bc65c9f2f0b6ce6a63a61203008ed873cfb6e484f32bc71 openssl-1.0.2t.tar.gz
58e42058a0c8086c49d681b1e226da39a8cf8cb88c51cf739dec2ff12e1bb5d7208ac5033264b186d58e9bdfe992fe9ddb95701d01caf1824396b2cefe30c0a4 0003-use-termios.patch
c67472879a31b5dbdd313892df6d37e7c93e8c0237d406c30d50b1016c2618ead3c13277f5dc723ef1ceed092d36e3c15a9777daa844f59b9fa2b0a4f04fd9ae 0004-fix-default-ca-path-for-apps.patch
5d4191482f8bbf62c75fe6bc2d9587388022c3310703c2a913788a983b1d1406e706cf3916a5792604f0b0f220a87432d3b82b442cea9915f2abb6fdd8478fcb 0005-fix-parallel-build.patch
820d4ce1c222696fe3f1dd0d11815c06262ec230fdb174532fd507286667a0aefbf858ea5edac4245a54b950cd0556545ecd0c5cf494692a2ba131c667e7bcd5 0006-add-ircv3-tls-3.1-extension-support-to-s_client.patch
17ad683bb91a3a3c5bcc456c8aed7f0b42414c6de06ebafa4753af93c42d9827c9978a43d4d53d741a45df7f7895c6f6163172af57cc7b391cfd15f45ce6c351 0008-maintain-abi-compat-with-no-freelist-and-regular-bui.patch
5dbbc01985190ae1254350fb12565beb6abb916b6a7bb1f0f22d9762b1e575d124aaf9aa4cfe5f908e420978f691072d48c61a72660f09dfd6d9a2f83f862bc1 0009-no-rpath.patch
5febe20948e3f12d981e378e1f4ea538711657aacb6865a1aa91339d4a04277e250f490a1f2abc2c6f290bdc2b1bffdba1d00983b4c09f7ea983eef8163f9420 0010-ssl-env-zlib.patch
8c181760d7a149aa18d246d50f1c0438ffb63c98677b05306dfc00400ad0429b47d31e7c8d85126005c67f743d23e7a8a81174ffe98556f4caf9cf6b04d9ff17 1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
a3555440b5f544bfd6b9ad97557d8f4c1d673f6a35219f65056a72035d186be5f354717ddf9784899b602464d48657b090ade24379552d43af97609c0f48c389 1002-backport-changes-from-upstream-padlock-module.patch
6353c7a94016c20db5d683dde37775f6780952ecdb1a5f39f878d04ba37f6ad79ae10fb6d65d181d912505a5d1e22463004cd855d548b364c00b120da2b0fdbc 1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch"
sha512sums="2bc9f528c27fe644308eb7603c992bac8740e9f0c3601a130af30c9ffebbf7e0f5c28b76a00bbb478bad40fbe89b4223a58d604001e1713da71ff4b7fe6a08a7 openssl-1.1.1d.tar.gz
11ca61515a89766241fe0fae27f3b39767128915f288ea88840bf93e8b50ac416024cb2153efcdf2658d3e82a8e4250a0c069333dbd7347475f9dafcc45370b5 CVE-2019-1551.patch
66bbb0ae769643c8a0b1501d9c8466f08f0d8b3b2bc4fcc2c0c054ab1971ced85c07aa0e4b8168a4394d0ae407dfbd26066a7a068602ce5b58e459b12ce6d36a ppc64.patch"
This diff is collapsed.
From 34ab13b7d8e3e723adb60be8142e38b7c9cd382a Mon Sep 17 00:00:00 2001
From: Andy Polyakov <appro@openssl.org>
Date: Sun, 5 May 2019 18:25:50 +0200
Subject: [PATCH] crypto/perlasm/ppc-xlate.pl: add linux64v2 flavour
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is a big endian ELFv2 configuration. ELFv2 was already being
used for little endian, and big endian was traditionally ELFv1
but there are practical configurations that use ELFv2 with big
endian nowadays (Adélie Linux, Void Linux, possibly Gentoo, etc.)
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8883)
---
crypto/perlasm/ppc-xlate.pl | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/crypto/perlasm/ppc-xlate.pl b/crypto/perlasm/ppc-xlate.pl
index e52f2f6ea62..5fcd0526dff 100755
--- a/crypto/perlasm/ppc-xlate.pl
+++ b/crypto/perlasm/ppc-xlate.pl
@@ -49,7 +49,7 @@
/osx/ && do { $name = "_$name";