Revision: 6928 http://ipcop.svn.sourceforge.net/ipcop/?rev=6928&view=rev Author: gespinasse Date: 2013-02-16 10:27:56 +0000 (Sat, 16 Feb 2013) Log Message: ----------- Upgrade openssl to 1.0.1e This fixes some issues found due to 1.0.1d changes. Add 3 fixes from upstream found just after 1.0.1e release.
Clean up our code removing the ldflags patch as it is no more needed and chmod for ./Configure Change ./config arguments to be on one line, be it is simplier to past while testing. Add a comment how ./config differ from ./Configure as LFS use ./config but many distrib use ./Configure Let -O3 be after our CFLAGS as this is what is intended by the developers. The difference while running 'openssl speed' test is very small on my build machines This time, include every installed files in update I haven't build 2.0.6, so actually md5 check does not work (and due to -O3, files are likely different) We could add no-ssl2 to ./{config,Configure} because it is considered insecure and disabled (like Ubuntu/Debian but not Fedora). That would require adjusting our GUI and httpd config. Modified Paths: -------------- ipcop/trunk/lfs/openssl ipcop/trunk/updates/2.1.0/ROOTFILES.i486-2.1.0 ipcop/trunk/updates/2.1.0/information.xml Added Paths: ----------- ipcop/trunk/src/patches/openssl-1.0.1e_upstream.patch Removed Paths: ------------- ipcop/trunk/src/patches/openssl-1.0.0e_ldflags.patch Modified: ipcop/trunk/lfs/openssl =================================================================== --- ipcop/trunk/lfs/openssl 2013-02-16 08:24:14 UTC (rev 6927) +++ ipcop/trunk/lfs/openssl 2013-02-16 10:27:56 UTC (rev 6928) @@ -33,7 +33,7 @@ include Config PKG_NAME = openssl -VER = 1.0.1d +VER = 1.0.1e HOST_ARCH = all OTHER_SRC = yes @@ -51,7 +51,7 @@ $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = b92fc634f0f1f31a67ed4175adc5ba33 +$(DL_FILE)_MD5 = 66bf6f10f060d561929de96f9dfe5b8c install : $(TARGET) 
@@ -81,25 +81,25 @@ $(TARGET) : $(firstword $(MAKEFILE_LIST)) $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - # fix LDFLAGS usage - cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(PKG_NAME)-1.0.0e_ldflags.patch + # add 3 bugs fixes from upstream tree + cd $(DIR_APP) && patch -p1 -i $(DIR_PATCHES)/$(PKG_NAME)-1.0.1e_upstream.patch - cd $(DIR_APP) && sed -i -e 's/-O3/$(CFLAGS)/' -e 's/-mcpu=pentium//' Configure + # Let still use our CFLAG but give the -O3 the developpers coded for + cd $(DIR_APP) && sed -i -e 's/-O3/$(CFLAGS) -O3/' Configure # suppress DATE compilation timestamp, it will be replaced by "date not available" # as you could see with openssl version -b cd $(DIR_APP) && sed -i -e '/define DATE/d' crypto/Makefile - cd $(DIR_APP) && chmod 755 Configure - cd $(DIR_APP) && ./config --openssldir=/etc/ssl --prefix=/usr \ - no-idea no-threads no-mdc2 no-rc5 no-ec zlib-dynamic shared + # ./config select os and arch passed to ./Configure + cd $(DIR_APP) && ./config --openssldir=/etc/ssl --prefix=/usr no-idea no-threads no-mdc2 no-rc5 no-ec zlib-dynamic shared # make depend is needed because we select to compile with less protocols cd $(DIR_APP) && make depend cd $(DIR_APP) && make ifeq "$(RUNNING_TEST)" "yes" cd $(DIR_APP) && make -j 1 test &> $(DIR_TEST)/$(THISAPP)-$(STAGE_ORDER).log - # should have 29 errors + # should have 25 errors cd $(DIR_APP) && awk '/:error:/{total+=1} ; END {print "Total failed tests="total}' \ $(DIR_TEST)/$(THISAPP)-$(STAGE_ORDER).log \ >>$(DIR_TEST)/$(THISAPP)-$(STAGE_ORDER).log Deleted: ipcop/trunk/src/patches/openssl-1.0.0e_ldflags.patch =================================================================== --- ipcop/trunk/src/patches/openssl-1.0.0e_ldflags.patch 2013-02-16 08:24:14 UTC (rev 6927) +++ ipcop/trunk/src/patches/openssl-1.0.0e_ldflags.patch 2013-02-16 10:27:56 UTC (rev 6928) 
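Review bot: The expected test result exists only in the changed comment `# should have 25 errors`; the awk line after it prints the total into the log but never compares it, so a change in the OpenSSL self-test outcome after this upgrade and the three cherry-picked patches would not stop the build. If the 25 `:error:` lines are the expected output of this configuration (presumably from negative tests, to be confirmed), the awk program could enforce it with `END {print "Total failed tests="total; if (total != 25) exit 1}`. Separately, the new patch line uses `patch -p1` where the removed one used `patch -Np1`; without `-N`, patch can stop to ask about an apparently reversed or already-applied patch, so keeping `-N` is safer for an unattended build. The recipe starts before this hunk and continues after it.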
@@ -1,25 +0,0 @@ -http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/dev-libs/openssl/files/ - -make sure we respect LDFLAGS (and remove unneeded rpath) - ---- openssl-0.9.8h/Makefile.org -+++ openssl-0.9.8h/Makefile.org -@@ -189,6 +189,7 @@ - MAKEDEPEND='$$$${TOP}/util/domd $$$${TOP} -MD $(MAKEDEPPROG)' \ - DEPFLAG='-DOPENSSL_NO_DEPRECATED $(DEPFLAG)' \ - MAKEDEPPROG='$(MAKEDEPPROG)' \ -+ LDFLAGS='${LDFLAGS}' \ - SHARED_LDFLAGS='$(SHARED_LDFLAGS)' \ - KRB5_INCLUDES='$(KRB5_INCLUDES)' LIBKRB5='$(LIBKRB5)' \ - ZLIB_INCLUDE='$(ZLIB_INCLUDE)' LIBZLIB='$(LIBZLIB)' \ ---- openssl-0.9.8h/Makefile.shared -+++ openssl-0.9.8h/Makefile.shared -@@ -153,7 +153,7 @@ - NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \ - SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX" - --DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)" -+DO_GNU_APP=LDFLAGS="$(LDFLAGS) $(CFLAGS)" - - #This is rather special. It's a special target with which one can link - #applications without bothering with any features that have anything to Added: ipcop/trunk/src/patches/openssl-1.0.1e_upstream.patch =================================================================== --- ipcop/trunk/src/patches/openssl-1.0.1e_upstream.patch (rev 0) +++ ipcop/trunk/src/patches/openssl-1.0.1e_upstream.patch 2013-02-16 10:27:56 UTC (rev 6928) 
@@ -0,0 +1,82 @@ +A few upstream bug fix patches just after 1.0.1e release +git show cbf9b4aed3e209fe8a39e1d6f55aaf46d1369dc4 +git show 147dbb2fe3bead7a10e2f280261b661ce7af7adc +git show 9fe4603b8245425a4c46986ed000fca054231253 + + +commit cbf9b4aed3e209fe8a39e1d6f55aaf46d1369dc4 +Author: Dr. Stephen Henson <st...@openssl.org> +Date: Mon Feb 11 18:17:50 2013 +0000 + + Fix in ssltest is no-ssl2 configured + +diff --git a/ssl/ssltest.c b/ssl/ssltest.c +index 316bbb0..4f80be8 100644 +--- a/ssl/ssltest.c ++++ b/ssl/ssltest.c +@@ -881,7 +881,13 @@ bad: + meth=SSLv23_method(); + #else + #ifdef OPENSSL_NO_SSL2 +- meth=SSLv3_method(); ++ if (tls1) ++ meth=TLSv1_method(); ++ else ++ if (ssl3) ++ meth=SSLv3_method(); ++ else ++ meth=SSLv23_method(); + #else + meth=SSLv2_method(); + #endif +commit 147dbb2fe3bead7a10e2f280261b661ce7af7adc +Author: Dr. Stephen Henson <st...@openssl.org> +Date: Mon Feb 11 18:24:03 2013 +0000 + + Fix for SSL_get_certificate + + Now we set the current certificate to the one used by a server + there is no need to call ssl_get_server_send_cert which will + fail if we haven't sent a certificate yet. + +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index 14d143d..ff5a85a 100644 +--- a/ssl/ssl_lib.c ++++ b/ssl/ssl_lib.c +@@ -2792,9 +2792,7 @@ void ssl_clear_cipher_ctx(SSL *s) + /* Fix this function so that it takes an optional type parameter */ + X509 *SSL_get_certificate(const SSL *s) + { +- if (s->server) +- return(ssl_get_server_send_cert(s)); +- else if (s->cert != NULL) ++ if (s->cert != NULL) + return(s->cert->key->x509); + else + return(NULL); +commit 9fe4603b8245425a4c46986ed000fca054231253 +Author: David Woodhouse <dw...@infradead.org> +Date: Tue Feb 12 14:55:32 2013 +0000 + + Check DTLS_BAD_VER for version number. + + The version check for DTLS1_VERSION was redundant as + DTLS1_VERSION > TLS1_1_VERSION, however we do need to + check for DTLS1_BAD_VER for compatibility. 
+ + PR:2984 + (cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc) + +diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c +index 02edf3f..443a31e 100644 +--- a/ssl/s3_cbc.c ++++ b/ssl/s3_cbc.c +@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s, + unsigned padding_length, good, to_check, i; + const unsigned overhead = 1 /* padding length byte */ + mac_size; + /* Check if version requires explicit IV */ +- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION) ++ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER) + { + /* These lengths are all public so we can test them in + * non-constant time. Modified: ipcop/trunk/updates/2.1.0/ROOTFILES.i486-2.1.0 =================================================================== --- ipcop/trunk/updates/2.1.0/ROOTFILES.i486-2.1.0 2013-02-16 08:24:14 UTC (rev 6927) +++ ipcop/trunk/updates/2.1.0/ROOTFILES.i486-2.1.0 2013-02-16 10:27:56 UTC (rev 6928) @@ -489,10 +489,22 @@ /usr/sbin/sftp-server /usr/sbin/sshd ## -## openssl-1.0.1c +## openssl-1.0.1e /usr/bin/openssl +/usr/lib/engines/lib4758cca.so /usr/lib/engines/libaep.so +/usr/lib/engines/libatalla.so +/usr/lib/engines/libcapi.so +/usr/lib/engines/libchil.so +/usr/lib/engines/libcswift.so +/usr/lib/engines/libgmp.so +/usr/lib/engines/libnuron.so +/usr/lib/engines/libpadlock.so +/usr/lib/engines/libsureware.so +/usr/lib/engines/libubsec.so +/usr/lib/libcrypto.so /usr/lib/libcrypto.so.1.0.0 +/usr/lib/libssl.so /usr/lib/libssl.so.1.0.0 ## ## openswan-2.6.38 Modified: ipcop/trunk/updates/2.1.0/information.xml =================================================================== --- ipcop/trunk/updates/2.1.0/information.xml 2013-02-16 08:24:14 UTC (rev 6927) +++ ipcop/trunk/updates/2.1.0/information.xml 2013-02-16 10:27:56 UTC (rev 6928) 
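Review bot: The header of the new openssl-1.0.1e_upstream.patch identifies its three commits only by `git show <hash>` lines and does not name the repository or branch they came from, which makes the provenance of the changes to ssl/ssl_lib.c and to the CBC padding check in ssl/s3_cbc.c harder to verify later. I would add a header line such as `Source: <upstream repository URL>, branch <branch name>`, plus a note that the file is to be dropped at the next openssl version bump, when these fixes are presumably part of the release. The third commit already records its cherry-pick origin, and the first two would benefit from the same level of detail.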
@@ -16,7 +16,7 @@ less to 451, libffi to 3.0.11, libgd to 2.0.36~rc1, libgcrypt to 1.5.0, libnet to 1.1.6, libnetfiltercontrack to 1.0.2, libnl to 3.2.16, libpcap to 1.3.0, libpng to 1.5.12, libusb to 1.0.9, libusb-compat to 0.1.4, libtool to 2.4.2, libxml2 to 2.8.0, logrotate to 3.8.1, lsof to 4.87, - mdadm to 3.2.6, net-tools to 1.60-p20120127084908, openldap to 2.4.33, openssh to 6.1, openssl to 1.0.1c, openswan to 2.6.38, + mdadm to 3.2.6, net-tools to 1.60-p20120127084908, openldap to 2.4.33, openssh to 6.1, openssl to 1.0.1e, openswan to 2.6.38, parted to 3.1, pciutils to 3.1.10, pcre to 8.32, pixman to 0.24.4, procps to 3.3.6, psmisc to 22.20, rsyslog to 5.8.13, sed to 4.2.2, shadow to 4.1.5.1, smartmontools to 6.0, sqlite to 3.7.13 tcpdump to 4.3.0, traceroute to 2.0.19,