[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: 0626b571d9c2a3f6774d5cf929e80b325e571a38 Author: Sam James gentoo org> AuthorDate: Mon Apr 15 08:12:52 2024 + Commit: Sam James gentoo org> CommitDate: Mon Apr 15 08:16:46 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0626b571 dev-libs/openssl: backport libp11 segfault fix to 3.0.13 too Bug: https://bugs.gentoo.org/916328 Signed-off-by: Sam James gentoo.org> .../files/openssl-3.0.13-p11-segfault.patch| 79 ++ dev-libs/openssl/openssl-3.0.13-r2.ebuild | 283 + 2 files changed, 362 insertions(+)
diff --git a/dev-libs/openssl/files/openssl-3.0.13-p11-segfault.patch b/dev-libs/openssl/files/openssl-3.0.13-p11-segfault.patch
new file mode 100644
index ..73b131ab7928
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.0.13-p11-segfault.patch
@@ -0,0 +1,79 @@ +https://bugs.gentoo.org/916328 +https://github.com/opendnssec/SoftHSMv2/issues/729 +https://github.com/openssl/openssl/issues/22508 +https://github.com/openssl/openssl/commit/ad6cbe4b7f57a783a66a7ae883ea0d35ef5f82b6 + +From ad6cbe4b7f57a783a66a7ae883ea0d35ef5f82b6 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Fri, 15 Dec 2023 13:45:50 +0100 +Subject: [PATCH] Revert "Improved detection of engine-provided private + "classic" keys" + +This reverts commit 2b74e75331a27fc89cad9c8ea6a26c70019300b5. + +The commit was wrong. With 3.x versions the engines must be themselves +responsible for creating their EVP_PKEYs in a way that they are treated +as legacy - either by using the respective set1 calls or by setting +non-default EVP_PKEY_METHOD. + +The workaround has caused more problems than it solved. + +Fixes #22945 + +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Neil Horman +(Merged from https://github.com/openssl/openssl/pull/23063) + +(cherry picked from commit 39ea78379826fa98e8dc8c0d2b07e2c17cd68380) +--- a/crypto/engine/eng_pkey.c b/crypto/engine/eng_pkey.c +@@ -79,48 +79,6 @@ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id, + ERR_raise(ERR_LIB_ENGINE, ENGINE_R_FAILED_LOADING_PRIVATE_KEY); + return NULL; + } +-/* We enforce check for legacy key */ +-switch (EVP_PKEY_get_id(pkey)) { +-case EVP_PKEY_RSA: +-{ +-RSA *rsa = EVP_PKEY_get1_RSA(pkey); +-EVP_PKEY_set1_RSA(pkey, rsa); +-RSA_free(rsa); +-} +-break; +-# ifndef OPENSSL_NO_EC +-case EVP_PKEY_SM2: +-case EVP_PKEY_EC: +-{ +-EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey); +-EVP_PKEY_set1_EC_KEY(pkey, ec); +-EC_KEY_free(ec); +-} +-break; +-# endif +-# ifndef OPENSSL_NO_DSA +-case EVP_PKEY_DSA: +-{ +-DSA *dsa = EVP_PKEY_get1_DSA(pkey); +-EVP_PKEY_set1_DSA(pkey, dsa); +-DSA_free(dsa); +-} +-break; +-#endif +-# ifndef OPENSSL_NO_DH +-case EVP_PKEY_DH: +-{ +-DH *dh = EVP_PKEY_get1_DH(pkey); +-EVP_PKEY_set1_DH(pkey, dh); +-DH_free(dh); +-} +-break; +-#endif +-default: +-/*Do nothing */ 
+-break; +-} +- + return pkey; + } + + diff --git a/dev-libs/openssl/openssl-3.0.13-r2.ebuild b/dev-libs/openssl/openssl-3.0.13-r2.ebuild new file mode 100644 index ..3743359d3e0d --- /dev/null +++ b/dev-libs/openssl/openssl-3.0.13-r2.ebuild @@ -0,0 +1,283 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc +inherit edo flag-o-matic linux-info toolchain-funcs +inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig + +DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" +HOMEPAGE="https://www.openssl.org/; + +MY_P=${P/_/-} + +if [[ ${PV} == ]] ; then + EGIT_REPO_URI="https://github.com/openssl/openssl.git; + + inherit git-r3 +else + SRC_URI="mirror://openssl/source/${MY_P}.tar.gz + verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )" + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +fi + +S="${WORKDIR}"/${MY_P} + +LICENSE="Apache-2.0" +SLOT="0/3" # .so version of libssl/libcrypto +IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers" +RESTRICT="!test? ( test )" + +COMMON_DEPEND=" + tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) +" +BDEPEND=" + >=dev-lang/perl-5 + sctp? ( >=net-misc/lksctp-tools-1.0.12 ) + test? ( + sys-apps/diffutils + app-alternatives/bc + sys-process/procps + ) + verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230801 )" + +DEPEND="${COMMON_DEPEND}"
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: ccf71abfb2591dbf4b65f1db957596562234cb82 Author: Sam James gentoo org> AuthorDate: Mon Apr 15 07:15:58 2024 + Commit: Sam James gentoo org> CommitDate: Mon Apr 15 07:16:11 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ccf71abf dev-libs/openssl: fix CVE-2024-2511 for 3.2.1 Bug: https://bugs.gentoo.org/930047 Signed-off-by: Sam James gentoo.org> .../files/openssl-3.2.1-CVE-2024-2511.patch| 137 + dev-libs/openssl/openssl-3.2.1-r2.ebuild | 307 + 2 files changed, 444 insertions(+)
diff --git a/dev-libs/openssl/files/openssl-3.2.1-CVE-2024-2511.patch b/dev-libs/openssl/files/openssl-3.2.1-CVE-2024-2511.patch
new file mode 100644
index ..d5b40447d745
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.2.1-CVE-2024-2511.patch
@@ -0,0 +1,137 @@ +https://www.openssl.org/news/secadv/20240408.txt +https://bugs.gentoo.org/930047 +https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08 +https://github.com/openssl/openssl/commit/4d67109432646c113887b0aa8091fb0d1b3057e6 + +From e9d7083e241670332e0443da0f0d4ffb52829f08 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 5 Mar 2024 15:43:53 + +Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3 + +In TLSv1.3 we create a new session object for each ticket that we send. +We do this by duplicating the original session. If SSL_OP_NO_TICKET is in +use then the new session will be added to the session cache. However, if +early data is not in use (and therefore anti-replay protection is being +used), then multiple threads could be resuming from the same session +simultaneously. If this happens and a problem occurs on one of the threads, +then the original session object could be marked as not_resumable. When we +duplicate the session object this not_resumable status gets copied into the +new session object. The new session object is then added to the session +cache even though it is not_resumable. + +Subsequently, another bug means that the session_id_length is set to 0 for +sessions that are marked as not_resumable - even though that session is +still in the cache. Once this happens the session can never be removed from +the cache. When that object gets to be the session cache tail object the +cache never shrinks again and grows indefinitely. + +CVE-2024-2511 + +Reviewed-by: Neil Horman +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/24043) +--- a/ssl/ssl_lib.c b/ssl/ssl_lib.c +@@ -4457,9 +4457,10 @@ void ssl_update_cache(SSL_CONNECTION *s, int mode) + + /* + * If the session_id_length is 0, we are not supposed to cache it, and it +- * would be rather hard to do anyway :-) ++ * would be rather hard to do anyway :-). 
Also if the session has already ++ * been marked as not_resumable we should not cache it for later reuse. + */ +-if (s->session->session_id_length == 0) ++if (s->session->session_id_length == 0 || s->session->not_resumable) + return; + + /* +--- a/ssl/ssl_sess.c b/ssl/ssl_sess.c +@@ -127,16 +127,11 @@ SSL_SESSION *SSL_SESSION_new(void) + return ss; + } + +-SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src) +-{ +-return ssl_session_dup(src, 1); +-} +- + /* + * Create a new SSL_SESSION and duplicate the contents of |src| into it. If + * ticket == 0 then no ticket information is duplicated, otherwise it is. + */ +-SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket) ++static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket) + { + SSL_SESSION *dest; + +@@ -265,6 +260,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket) + return NULL; + } + ++SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src) ++{ ++return ssl_session_dup_intern(src, 1); ++} ++ ++/* ++ * Used internally when duplicating a session which might be already shared. ++ * We will have resumed the original session. Subsequently we might have marked ++ * it as non-resumable (e.g. in another thread) - but this copy should be ok to ++ * resume from. ++ */ ++SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket) ++{ ++SSL_SESSION *sess = ssl_session_dup_intern(src, ticket); ++ ++if (sess != NULL) ++sess->not_resumable = 0; ++ ++return sess; ++} ++ + const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len) + { + if (len) +--- a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c +@@ -2445,9 +2445,8 @@ CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt) + * so the following won't overwrite an ID that we're supposed + * to send back. 
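Review bot: In the ssl/ssl_sess.c hunk, `SSL_SESSION_dup()` is re-added below `ssl_session_dup_intern()` without a comment, while the internal `ssl_session_dup()` gets one explaining why it clears `not_resumable`. After this change the two entry points differ in exactly that flag, and going by the commit description the public one still carries a `not_resumable` mark over from |src|. A line such as `/* Public API: unlike ssl_session_dup(), the copy keeps src's not_resumable state. */` above `SSL_SESSION_dup()` would stop a later caller from treating the two as interchangeable. The body of `ssl_session_dup_intern()` is outside the hunk, so the copy behaviour is taken from the description rather than from the code.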
+ */ +-if (s->session->not_resumable || +-(!(SSL_CONNECTION_GET_CTX(s)->session_cache_mode & SSL_SESS_CACHE_SERVER) +- && !s->hit)) ++if (!(SSL_CONNECTION_GET_CTX(s)->session_cache_mode & SSL_SESS_CACHE_SERVER) ++
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: 0785cd27c30f5e045bda1b6dc6e517d3499a4e55 Author: Fabian Groffen gentoo org> AuthorDate: Tue Apr 2 17:52:42 2024 + Commit: Fabian Groffen gentoo org> CommitDate: Tue Apr 2 17:54:22 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0785cd27 dev-libs/openssl-3.2.1-r1: fix for Darwin don't run append-atomic-flags with non-GNU-like linker add guess for arm64-darwin Signed-off-by: Fabian Groffen gentoo.org> dev-libs/openssl/files/gentoo.config-1.0.4 | 2 ++ dev-libs/openssl/openssl-3.2.1-r1.ebuild | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/dev-libs/openssl/files/gentoo.config-1.0.4 b/dev-libs/openssl/files/gentoo.config-1.0.4 index 5f205781ae3e..d32ce877a34a 100644 --- a/dev-libs/openssl/files/gentoo.config-1.0.4 +++ b/dev-libs/openssl/files/gentoo.config-1.0.4 @@ -32,6 +32,7 @@ if [[ $1 == "test" ]] ; then "i686-apple-darwinX |darwin-i386-cc" \ "i386-apple-darwinX |darwin-i386-cc" \ "powerpc-apple-darwinX|darwin-ppc-cc" \ + "arm64-apple-darwinX |darwin-arm64-cc" \ "i586-pc-winnt|winnt-parity" \ "s390-ibm-linux-gnu |linux-generic32 -DB_ENDIAN" \ "s390x-linux-gnu |linux64-s390x" \ @@ -155,6 +156,7 @@ darwin) powerpc) machine=ppc-cc;; i?86*)machine=i386-cc;; x86_64) machine=x86_64-cc; system=${system}64;; + arm64)machine=arm64-cc; system=${system}64;; esac ;; hpux) diff --git a/dev-libs/openssl/openssl-3.2.1-r1.ebuild b/dev-libs/openssl/openssl-3.2.1-r1.ebuild index 79bd29a1a54e..ee2e112cd6f0 100644 --- a/dev-libs/openssl/openssl-3.2.1-r1.ebuild +++ b/dev-libs/openssl/openssl-3.2.1-r1.ebuild @@ -148,8 +148,8 @@ src_configure() { append-flags $(test-flags-CC -Wa,--noexecstack) - # bug #895308 - append-atomic-flags + # bug #895308 -- check inserts GNU ld-compatible arguments + [[ ${CHOST} == *-darwin* ]] || append-atomic-flags # Configure doesn't respect LIBS export LDLIBS="${LIBS}"
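Review bot: The added self-test row `"arm64-apple-darwinX |darwin-arm64-cc" \` looks inconsistent with the added `arm64)` branch in the `darwin)` case, which sets `machine=arm64-cc; system=${system}64` exactly like the `x86_64)` branch above it and so presumably yields `darwin64-arm64-cc`. The code that joins system and machine is outside both hunks, so this is inferred; running the script in its `test` mode would confirm it. If the case branch gives the intended result, the expected value in the table should read `darwin64-arm64-cc`.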
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: 64867ad1eb261d199c0e80a71b24d1a9d6769c39 Author: Jakov Smolić gentoo org> AuthorDate: Sun Mar 24 17:47:21 2024 + Commit: Jakov Smolić gentoo org> CommitDate: Sun Mar 31 16:48:16 2024 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=64867ad1 dev-libs/openssl: Backport riscv patch to 3.2.1 Closes: https://bugs.gentoo.org/923956 Signed-off-by: Jakov Smolić gentoo.org> Closes: https://github.com/gentoo/gentoo/pull/35901 Signed-off-by: Jakov Smolić gentoo.org> dev-libs/openssl/files/openssl-3.2.1-riscv.patch | 70 dev-libs/openssl/openssl-3.2.1-r1.ebuild | 2 + 2 files changed, 72 insertions(+)
diff --git a/dev-libs/openssl/files/openssl-3.2.1-riscv.patch b/dev-libs/openssl/files/openssl-3.2.1-riscv.patch
new file mode 100644
index ..51256cf434e2
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.2.1-riscv.patch
@@ -0,0 +1,70 @@ +# Bug: https://bugs.gentoo.org/923956 +# Upstream PR: https://github.com/openssl/openssl/pull/23752 +--- a/providers/implementations/ciphers/cipher_aes_gcm_hw.c b/providers/implementations/ciphers/cipher_aes_gcm_hw.c +@@ -142,9 +142,9 @@ static const PROV_GCM_HW aes_gcm = { + # include "cipher_aes_gcm_hw_armv8.inc" + #elif defined(PPC_AES_GCM_CAPABLE) && defined(_ARCH_PPC64) + # include "cipher_aes_gcm_hw_ppc.inc" +-#elif defined(__riscv) && __riscv_xlen == 64 ++#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64 + # include "cipher_aes_gcm_hw_rv64i.inc" +-#elif defined(__riscv) && __riscv_xlen == 32 ++#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 32 + # include "cipher_aes_gcm_hw_rv32i.inc" + #else + const PROV_GCM_HW *ossl_prov_aes_hw_gcm(size_t keybits) +--- a/providers/implementations/ciphers/cipher_aes_hw.c b/providers/implementations/ciphers/cipher_aes_hw.c +@@ -142,9 +142,9 @@ const PROV_CIPHER_HW *ossl_prov_cipher_hw_aes_##mode(size_t keybits) \ + # include "cipher_aes_hw_t4.inc" + #elif defined(S390X_aes_128_CAPABLE) + # include "cipher_aes_hw_s390x.inc" +-#elif defined(__riscv) && __riscv_xlen == 64 ++#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64 + # include "cipher_aes_hw_rv64i.inc" +-#elif defined(__riscv) && __riscv_xlen == 32 ++#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 32 + # include "cipher_aes_hw_rv32i.inc" + #else + /* The generic case */ +--- a/providers/implementations/ciphers/cipher_aes_ocb_hw.c b/providers/implementations/ciphers/cipher_aes_ocb_hw.c +@@ -104,7 +104,7 @@ static const PROV_CIPHER_HW aes_t4_ocb = { \ + if (SPARC_AES_CAPABLE) \ + return _t4_ocb; + +-#elif defined(__riscv) && __riscv_xlen == 64 ++#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64 + + static int cipher_hw_aes_ocb_rv64i_zknd_zkne_initkey(PROV_CIPHER_CTX *vctx, + const unsigned char *key, +@@ -126,7 +126,7 @@ static const 
PROV_CIPHER_HW aes_rv64i_zknd_zkne_ocb = { \ + if (RISCV_HAS_ZKND_AND_ZKNE()) \ + return _rv64i_zknd_zkne_ocb; + +-#elif defined(__riscv) && __riscv_xlen == 32 ++#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 32 + + static int cipher_hw_aes_ocb_rv32i_zknd_zkne_initkey(PROV_CIPHER_CTX *vctx, + const unsigned char *key, +--- a/providers/implementations/ciphers/cipher_aes_xts_hw.c b/providers/implementations/ciphers/cipher_aes_xts_hw.c +@@ -159,7 +159,7 @@ static const PROV_CIPHER_HW aes_xts_t4 = { \ + if (SPARC_AES_CAPABLE) \ + return _xts_t4; + +-#elif defined(__riscv) && __riscv_xlen == 64 ++#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64 + + static int cipher_hw_aes_xts_rv64i_zknd_zkne_initkey(PROV_CIPHER_CTX *ctx, + const unsigned char *key, +@@ -185,7 +185,7 @@ static const PROV_CIPHER_HW aes_xts_rv64i_zknd_zkne = { \ + if (RISCV_HAS_ZKND_AND_ZKNE()) \ + return _xts_rv64i_zknd_zkne; + +-#elif defined(__riscv) && __riscv_xlen == 32 ++#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 32 + + static int cipher_hw_aes_xts_rv32i_zknd_zkne_initkey(PROV_CIPHER_CTX *ctx, + const unsigned char *key, diff --git a/dev-libs/openssl/openssl-3.2.1-r1.ebuild b/dev-libs/openssl/openssl-3.2.1-r1.ebuild index 24ae65f3321f..79bd29a1a54e 100644 --- a/dev-libs/openssl/openssl-3.2.1-r1.ebuild +++ b/dev-libs/openssl/openssl-3.2.1-r1.ebuild @@ -58,6 +58,8 @@ MULTILIB_WRAPPED_HEADERS=(
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
commit: 414fc629d397bb756ad382342e99243dcc6ec508 Author: Michael Mair-Keimberger levelnine at> AuthorDate: Fri Dec 29 14:04:25 2023 + Commit: Conrad Kostecki gentoo org> CommitDate: Sun Dec 31 02:37:21 2023 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=414fc629 dev-libs/openssl: remove unused patches Signed-off-by: Michael Mair-Keimberger levelnine.at> Closes: https://github.com/gentoo/gentoo/pull/34537 Signed-off-by: Conrad Kostecki gentoo.org> .../files/openssl-3.0.9-CVE-2023-2975.patch| 109 --- .../files/openssl-3.0.9-CVE-2023-3446.patch| 120 - 2 files changed, 229 deletions(-)
diff --git a/dev-libs/openssl/files/openssl-3.0.9-CVE-2023-2975.patch b/dev-libs/openssl/files/openssl-3.0.9-CVE-2023-2975.patch
deleted file mode 100644
index 908e57251cb9..
--- a/dev-libs/openssl/files/openssl-3.0.9-CVE-2023-2975.patch
+++ /dev/null
@@ -1,109 +0,0 @@ -https://github.com/openssl/openssl/commit/00e2f5eea29994d19293ec4e8c8775ba73678598 -https://github.com/openssl/openssl/commit/96318a8d21bed334d78797eca5b32790775d5f05 - -From 00e2f5eea29994d19293ec4e8c8775ba73678598 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Tue, 4 Jul 2023 17:30:35 +0200 -Subject: [PATCH] Do not ignore empty associated data with AES-SIV mode - -The AES-SIV mode allows for multiple associated data items -authenticated separately with any of these being 0 length. - -The provided implementation ignores such empty associated data -which is incorrect in regards to the RFC 5297 and is also -a security issue because such empty associated data then become -unauthenticated if an application expects to authenticate them. - -Fixes CVE-2023-2975 - -Reviewed-by: Matt Caswell -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/21384) - -(cherry picked from commit c426c281cfc23ab182f7d7d7a35229e7db1494d9) a/providers/implementations/ciphers/cipher_aes_siv.c -+++ b/providers/implementations/ciphers/cipher_aes_siv.c -@@ -120,14 +120,18 @@ static int siv_cipher(void *vctx, unsigned char *out, size_t *outl, - if (!ossl_prov_is_running()) - return 0; - --if (inl == 0) { --*outl = 0; --return 1; --} -+/* Ignore just empty encryption/decryption call and not AAD. 
*/ -+if (out != NULL) { -+if (inl == 0) { -+if (outl != NULL) -+*outl = 0; -+return 1; -+} - --if (outsize < inl) { --ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); --return 0; -+if (outsize < inl) { -+ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); -+return 0; -+} - } - - if (ctx->hw->cipher(ctx, out, in, inl) <= 0) - -From 96318a8d21bed334d78797eca5b32790775d5f05 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Tue, 4 Jul 2023 17:50:37 +0200 -Subject: [PATCH] Add testcases for empty associated data entries with AES-SIV - -Reviewed-by: Matt Caswell -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/21384) - -(cherry picked from commit 3993bb0c0c87e3ed0ab4274e4688aa814e164cfc) a/test/recipes/30-test_evp_data/evpciph_aes_siv.txt -+++ b/test/recipes/30-test_evp_data/evpciph_aes_siv.txt -@@ -20,6 +20,19 @@ Tag = 85632d07c6e8f37f950acd320a2ecc93 - Plaintext = 112233445566778899aabbccddee - Ciphertext = 40c02b9690c4dc04daef7f6afe5c - -+Cipher = aes-128-siv -+Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff -+Tag = f1c5fdeac1f15a26779c1501f9fb7588 -+Plaintext = 112233445566778899aabbccddee -+Ciphertext = 27e946c669088ab06da58c5c831c -+ -+Cipher = aes-128-siv -+Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff -+AAD = -+Tag = d1022f5b3664e5a4dfaf90f85be6f28a -+Plaintext = 112233445566778899aabbccddee -+Ciphertext = b66cff6b8eca0b79f083b39a0901 -+ - Cipher = aes-128-siv - Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f - AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100 -@@ -29,6 +42,24 @@ Tag = 7bdb6e3b432667eb06f4d14bff2fbd0f - Plaintext = 7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553 - Ciphertext = cb900f2fddbe404326601965c889bf17dba77ceb094fa663b7a3f748ba8af829ea64ad544a272e9c485b62a3fd5c0d - -+Cipher = aes-128-siv -+Key = 
7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f -+AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100 -+AAD = -+AAD = 09f911029d74e35bd84156c5635688c0 -+Tag = 83ce6593a8fa67eb6fcd2819cedfc011 -+Plaintext = 7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553 -+Ciphertext = 30d937b42f71f71f93fc2d8d702d3eac8dc7651eefcd81120081ff29d626f97f3de17f2969b691c91b69b652bf3a6d -+ -+Cipher = aes-128-siv -+Key =
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
commit: bb6f84dc03496525a2a87ca05b91e72cd560b991 Author: Michael Mair-Keimberger levelnine at> AuthorDate: Wed Oct 4 15:46:33 2023 + Commit: Conrad Kostecki gentoo org> CommitDate: Wed Oct 4 21:44:27 2023 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb6f84dc dev-libs/openssl: remove unused patches Signed-off-by: Michael Mair-Keimberger levelnine.at> Closes: https://github.com/gentoo/gentoo/pull/33190 Signed-off-by: Conrad Kostecki gentoo.org> .../files/openssl-3.1.1-CVE-2023-2975.patch| 110 --- .../files/openssl-3.1.1-CVE-2023-3446.patch| 121 - 2 files changed, 231 deletions(-)
diff --git a/dev-libs/openssl/files/openssl-3.1.1-CVE-2023-2975.patch b/dev-libs/openssl/files/openssl-3.1.1-CVE-2023-2975.patch
deleted file mode 100644
index 5abf60737dbd..
--- a/dev-libs/openssl/files/openssl-3.1.1-CVE-2023-2975.patch
+++ /dev/null
@@ -1,110 +0,0 @@ -https://github.com/openssl/openssl/commit/6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc -https://github.com/openssl/openssl/commit/76214c4a8f3374b786811fdfeda3d98690f8faf4 - -From 6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Tue, 4 Jul 2023 17:30:35 +0200 -Subject: [PATCH] Do not ignore empty associated data with AES-SIV mode - -The AES-SIV mode allows for multiple associated data items -authenticated separately with any of these being 0 length. - -The provided implementation ignores such empty associated data -which is incorrect in regards to the RFC 5297 and is also -a security issue because such empty associated data then become -unauthenticated if an application expects to authenticate them. - -Fixes CVE-2023-2975 - -Reviewed-by: Matt Caswell -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/21384) - -(cherry picked from commit c426c281cfc23ab182f7d7d7a35229e7db1494d9) a/providers/implementations/ciphers/cipher_aes_siv.c -+++ b/providers/implementations/ciphers/cipher_aes_siv.c -@@ -120,14 +120,18 @@ static int siv_cipher(void *vctx, unsigned char *out, size_t *outl, - if (!ossl_prov_is_running()) - return 0; - --if (inl == 0) { --*outl = 0; --return 1; --} -+/* Ignore just empty encryption/decryption call and not AAD. 
*/ -+if (out != NULL) { -+if (inl == 0) { -+if (outl != NULL) -+*outl = 0; -+return 1; -+} - --if (outsize < inl) { --ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); --return 0; -+if (outsize < inl) { -+ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); -+return 0; -+} - } - - if (ctx->hw->cipher(ctx, out, in, inl) <= 0) - -From 76214c4a8f3374b786811fdfeda3d98690f8faf4 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Tue, 4 Jul 2023 17:50:37 +0200 -Subject: [PATCH] Add testcases for empty associated data entries with AES-SIV - -Reviewed-by: Matt Caswell -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/21384) - -(cherry picked from commit 3993bb0c0c87e3ed0ab4274e4688aa814e164cfc) a/test/recipes/30-test_evp_data/evpciph_aes_siv.txt -+++ b/test/recipes/30-test_evp_data/evpciph_aes_siv.txt -@@ -20,6 +20,19 @@ Tag = 85632d07c6e8f37f950acd320a2ecc93 - Plaintext = 112233445566778899aabbccddee - Ciphertext = 40c02b9690c4dc04daef7f6afe5c - -+Cipher = aes-128-siv -+Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff -+Tag = f1c5fdeac1f15a26779c1501f9fb7588 -+Plaintext = 112233445566778899aabbccddee -+Ciphertext = 27e946c669088ab06da58c5c831c -+ -+Cipher = aes-128-siv -+Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff -+AAD = -+Tag = d1022f5b3664e5a4dfaf90f85be6f28a -+Plaintext = 112233445566778899aabbccddee -+Ciphertext = b66cff6b8eca0b79f083b39a0901 -+ - Cipher = aes-128-siv - Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f - AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100 -@@ -29,6 +42,24 @@ Tag = 7bdb6e3b432667eb06f4d14bff2fbd0f - Plaintext = 7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553 - Ciphertext = cb900f2fddbe404326601965c889bf17dba77ceb094fa663b7a3f748ba8af829ea64ad544a272e9c485b62a3fd5c0d - -+Cipher = aes-128-siv -+Key = 
7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f -+AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100 -+AAD = -+AAD = 09f911029d74e35bd84156c5635688c0 -+Tag = 83ce6593a8fa67eb6fcd2819cedfc011 -+Plaintext = 7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553 -+Ciphertext = 30d937b42f71f71f93fc2d8d702d3eac8dc7651eefcd81120081ff29d626f97f3de17f2969b691c91b69b652bf3a6d -+ -+Cipher = aes-128-siv -+Key =
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: e70b056198310f608b8faddfcb24a96f2dfab9e6 Author: Sam James gentoo org> AuthorDate: Wed Jul 19 14:55:30 2023 + Commit: Sam James gentoo org> CommitDate: Wed Jul 19 15:05:52 2023 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e70b0561 dev-libs/openssl: patch CVE-2023-2975, CVE-2023-3446 for 3.0.9 Bug: https://bugs.gentoo.org/910556 Signed-off-by: Sam James gentoo.org> .../files/openssl-3.0.9-CVE-2023-2975.patch| 109 .../files/openssl-3.0.9-CVE-2023-3446.patch| 120 + dev-libs/openssl/openssl-3.0.9-r2.ebuild | 290 + 3 files changed, 519 insertions(+)
diff --git a/dev-libs/openssl/files/openssl-3.0.9-CVE-2023-2975.patch b/dev-libs/openssl/files/openssl-3.0.9-CVE-2023-2975.patch
new file mode 100644
index ..908e57251cb9
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.0.9-CVE-2023-2975.patch
@@ -0,0 +1,109 @@ +https://github.com/openssl/openssl/commit/00e2f5eea29994d19293ec4e8c8775ba73678598 +https://github.com/openssl/openssl/commit/96318a8d21bed334d78797eca5b32790775d5f05 + +From 00e2f5eea29994d19293ec4e8c8775ba73678598 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Tue, 4 Jul 2023 17:30:35 +0200 +Subject: [PATCH] Do not ignore empty associated data with AES-SIV mode + +The AES-SIV mode allows for multiple associated data items +authenticated separately with any of these being 0 length. + +The provided implementation ignores such empty associated data +which is incorrect in regards to the RFC 5297 and is also +a security issue because such empty associated data then become +unauthenticated if an application expects to authenticate them. + +Fixes CVE-2023-2975 + +Reviewed-by: Matt Caswell +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/21384) + +(cherry picked from commit c426c281cfc23ab182f7d7d7a35229e7db1494d9) +--- a/providers/implementations/ciphers/cipher_aes_siv.c b/providers/implementations/ciphers/cipher_aes_siv.c +@@ -120,14 +120,18 @@ static int siv_cipher(void *vctx, unsigned char *out, size_t *outl, + if (!ossl_prov_is_running()) + return 0; + +-if (inl == 0) { +-*outl = 0; +-return 1; +-} ++/* Ignore just empty encryption/decryption call and not AAD. 
*/ ++if (out != NULL) { ++if (inl == 0) { ++if (outl != NULL) ++*outl = 0; ++return 1; ++} + +-if (outsize < inl) { +-ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); +-return 0; ++if (outsize < inl) { ++ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); ++return 0; ++} + } + + if (ctx->hw->cipher(ctx, out, in, inl) <= 0) + +From 96318a8d21bed334d78797eca5b32790775d5f05 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Tue, 4 Jul 2023 17:50:37 +0200 +Subject: [PATCH] Add testcases for empty associated data entries with AES-SIV + +Reviewed-by: Matt Caswell +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/21384) + +(cherry picked from commit 3993bb0c0c87e3ed0ab4274e4688aa814e164cfc) +--- a/test/recipes/30-test_evp_data/evpciph_aes_siv.txt b/test/recipes/30-test_evp_data/evpciph_aes_siv.txt +@@ -20,6 +20,19 @@ Tag = 85632d07c6e8f37f950acd320a2ecc93 + Plaintext = 112233445566778899aabbccddee + Ciphertext = 40c02b9690c4dc04daef7f6afe5c + ++Cipher = aes-128-siv ++Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff ++Tag = f1c5fdeac1f15a26779c1501f9fb7588 ++Plaintext = 112233445566778899aabbccddee ++Ciphertext = 27e946c669088ab06da58c5c831c ++ ++Cipher = aes-128-siv ++Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff ++AAD = ++Tag = d1022f5b3664e5a4dfaf90f85be6f28a ++Plaintext = 112233445566778899aabbccddee ++Ciphertext = b66cff6b8eca0b79f083b39a0901 ++ + Cipher = aes-128-siv + Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f + AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100 +@@ -29,6 +42,24 @@ Tag = 7bdb6e3b432667eb06f4d14bff2fbd0f + Plaintext = 7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553 + Ciphertext = cb900f2fddbe404326601965c889bf17dba77ceb094fa663b7a3f748ba8af829ea64ad544a272e9c485b62a3fd5c0d + ++Cipher = aes-128-siv ++Key = 
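Review bot: The new comment in `siv_cipher()`, `/* Ignore just empty encryption/decryption call and not AAD. */`, does not say how the two cases are told apart, and that distinction is the whole fix: the guard is `out != NULL`. Something like `/* out == NULL is an AAD update: a zero-length AAD item must still reach the cipher so it is authenticated; only an empty encrypt/decrypt call is skipped. */` would make that explicit, assuming `out == NULL` is indeed how AAD is passed here (implied by the commit description, not shown in the hunk). The `outsize < inl` check is now also skipped when `out` is NULL, which looks intended since nothing is written, but is worth a word in the same comment. The body of `siv_cipher()` continues outside the hunk.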
7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f ++AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100 ++AAD = ++AAD = 09f911029d74e35bd84156c5635688c0 ++Tag = 83ce6593a8fa67eb6fcd2819cedfc011 ++Plaintext = 7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553 ++Ciphertext = 30d937b42f71f71f93fc2d8d702d3eac8dc7651eefcd81120081ff29d626f97f3de17f2969b691c91b69b652bf3a6d ++ ++Cipher = aes-128-siv ++Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f ++AAD = ++AAD =
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: 6c4610dbafdc773344fd62e49e27ada4c6b6dfd2 Author: Sam James gentoo org> AuthorDate: Wed Jun 14 05:17:11 2023 + Commit: Sam James gentoo org> CommitDate: Wed Jun 14 05:20:25 2023 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6c4610db dev-libs/openssl: drop 1.1.1t-r3 Bug: https://bugs.gentoo.org/903545 Bug: https://bugs.gentoo.org/907413 Signed-off-by: Sam James gentoo.org> dev-libs/openssl/Manifest | 2 - .../files/openssl-1.1.1t-CVE-2023-0464.patch | 215 .../files/openssl-1.1.1t-CVE-2023-0465.patch | 48 .../files/openssl-1.1.1t-CVE-2023-0466.patch | 41 dev-libs/openssl/openssl-1.1.1t-r3.ebuild | 269 - 5 files changed, 575 deletions(-)
diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 3793e1ac7a75..4c98e70a536d 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,8 +1,6 @@ DIST openssl-1.0.2-patches-1.5.tar.xz 12404 BLAKE2B 6c1b8c28f339f539b2ab8643379502a24cf62bffde00041dce54d5dd9e8d2620b181362ee5464b0ab32ba4948e209697bfabadbea2944a409a1009100d298f24 SHA512 5725e2d9d1ee8cc074bcef3bed61c71bdab2ff1c114362110c3fb8da11ad5bc8f2ff28e90a293f5f3a5cf96ecda54dffdb7ab3fb3f8b23ef6472250dc3037659 DIST openssl-1.0.2t-bindist-1.0.tar.xz 13872 BLAKE2B b2aade96a6e0ca6209a39e205b1c838de945903fcf959c62cc29ddcd1a0cb360fc5db234df86860a6a4c096f5ecc237611e4c2946b986a5500c24ba93c208ef4 SHA512 a48a7efb9b973b865bcc5009d450b428ed6b4b95e4cefe70c51056e47392c8a7bec58215168d8b07712419dc74646c2bd2fd23bcfbba2031376e292249a6b1b6 DIST openssl-1.0.2u.tar.gz 5355412 BLAKE2B b2ff2a10e5851af5aca4093422a9a072c794e87b997263826c1c35910c040f695fac63decac5856cb49399ed03d410f97701d9fd4e1ebfbcacd8f3a74ce8bf57 SHA512 c455bb309e20e2c2d47fdc5619c734d107d5c8c38c1409903ce979acc120b0d5fa0312917c0aa0d630e402d092a703d4249643f36078e8528a3cafc9dac6ab32 -DIST openssl-1.1.1t.tar.gz 9881866 BLAKE2B 66d76ea0c05a4afc3104e22602cffc2373e857728625d31ab3244881cafa91c099a817a09def7746bce4133585bfc90b769f43527e77a81ed13e60a8c2fb4d8d SHA512 628676c9c3bc1cf46083d64f61943079f97f0eefd0264042e40a85dbbd988f271bfe01cd1135d22cc3f67a298f1d078041f8f2e97b0da0d93fe172da573da18c -DIST openssl-1.1.1t.tar.gz.asc 833 BLAKE2B fc5e7069268e987a20241dfc4f080529c6e95e217c198568b09c833e390e68b25a604a5d3ec29c6a64b9dee9d42199fd3647214e536ba2f7b8b4e57aa4cba680 SHA512 1232a94fce991d62f008ae6d3d9b6fe68cb6378fe07450feb17a58eb2417fb385ffcb7e6b74eb683134be9ff6ccf6efa183f37f4dd521614fd5aeaddf000b90b DIST openssl-1.1.1u.tar.gz 9892176 BLAKE2B 5de9cb856e497596ecba008bad6515eefd093849b9c66dd7447031723996f3ba66ac37a323a5f7d01b1d42df4daaceb523372f5897d5c53b935ffab91c566594 SHA512 d00aeb0b4c4676deff06ff95af7ac33dd683b92f972b4a8ae55cf384bb37c7ec30ab83c6c0745daf87cf1743a745fced6a347fd11fed4c548aa0953610ed4919 DIST openssl-1.1.1u.tar.gz.asc 833 BLAKE2B 
7a978a94264a14be04372fea39868e9177e8a0b0f24344267702022e19ee0f52e91ad141d7c54da870f7ec0df9b2e43b80939f1d274dd0b44d36da2670e3a468 SHA512 40245d65ace95b2002bf64bcba184c92fec3420b08d9f61f3a709c4842e9478595105d8adce33a08eb98d351d2a0989ec342b08cdd9104498ea0543b6e592d28 DIST openssl-3.0.9.tar.gz 15181285 BLAKE2B cc1df41fa12ba4443e15e94f6ebdc5e103b9dab5eab2e1c8f74e6a74fa2c38207817921b65d7293cb241c190a910191c7163600bb75243adde0e2f9ec31cc885 SHA512 86c99146b37236419b110db77dd3ac3992e6bed78c258f0cc3434ca233460b4e17c0ac81d7058547fe9cb72a9fd80ee56d4b4916bb731dbe2bbcf1c3d46bf31a diff --git a/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0464.patch b/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0464.patch deleted file mode 100644 index 950e6572cd28.. --- a/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0464.patch +++ /dev/null @@ -1,215 +0,0 @@ -commit 879f7080d7e141f415c79eaa3a8ac4a3dad0348b -Author: Pauli -Date: Wed Mar 8 15:28:20 2023 +1100 - -x509: excessive resource use verifying policy constraints - -A security vulnerability has been identified in all supported versions -of OpenSSL related to the verification of X.509 certificate chains -that include policy constraints. Attackers may be able to exploit this -vulnerability by creating a malicious certificate chain that triggers -exponential use of computational resources, leading to a denial-of-service -(DoS) attack on affected systems. - -Fixes CVE-2023-0464 - -Reviewed-by: Tomas Mraz -Reviewed-by: Shane Lontis -(Merged from https://github.com/openssl/openssl/pull/20569) - -diff --git a/crypto/x509v3/pcy_local.h b/crypto/x509v3/pcy_local.h -index 5daf78de45..344aa06765 100644 a/crypto/x509v3/pcy_local.h -+++ b/crypto/x509v3/pcy_local.h -@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st { - }; - - struct X509_POLICY_TREE_st { -+/* The number of nodes in the tree */ -+size_t node_count; -+/* The maximum number of nodes in the tree */ -+size_t node_maximum; -+ - /* This is the tree
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: 3db09f5bac6ff132b69d3f723d4c93662c96ed72 Author: Sam James gentoo org> AuthorDate: Wed Jun 14 05:17:03 2023 + Commit: Sam James gentoo org> CommitDate: Wed Jun 14 05:19:10 2023 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3db09f5b dev-libs/openssl: drop 3.0.8-r4 Bug: https://bugs.gentoo.org/903545 Bug: https://bugs.gentoo.org/907413 Signed-off-by: Sam James gentoo.org> dev-libs/openssl/Manifest | 2 - .../files/openssl-3.0.8-CVE-2023-0464.patch| 214 .../files/openssl-3.0.8-CVE-2023-0465.patch| 46 .../files/openssl-3.0.8-CVE-2023-0466.patch| 41 --- .../files/openssl-3.0.8-CVE-2023-1255.patch| 40 --- .../openssl/files/openssl-3.0.8-mips-cflags.patch | 30 --- dev-libs/openssl/openssl-3.0.8-r4.ebuild | 281 - 7 files changed, 654 deletions(-) diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest index 55a08fc6adbe..3793e1ac7a75 100644 --- a/dev-libs/openssl/Manifest +++ b/dev-libs/openssl/Manifest 
@@ -5,8 +5,6 @@ DIST openssl-1.1.1t.tar.gz 9881866 BLAKE2B 66d76ea0c05a4afc3104e22602cffc2373e85 DIST openssl-1.1.1t.tar.gz.asc 833 BLAKE2B fc5e7069268e987a20241dfc4f080529c6e95e217c198568b09c833e390e68b25a604a5d3ec29c6a64b9dee9d42199fd3647214e536ba2f7b8b4e57aa4cba680 SHA512 1232a94fce991d62f008ae6d3d9b6fe68cb6378fe07450feb17a58eb2417fb385ffcb7e6b74eb683134be9ff6ccf6efa183f37f4dd521614fd5aeaddf000b90b DIST openssl-1.1.1u.tar.gz 9892176 BLAKE2B 5de9cb856e497596ecba008bad6515eefd093849b9c66dd7447031723996f3ba66ac37a323a5f7d01b1d42df4daaceb523372f5897d5c53b935ffab91c566594 SHA512 d00aeb0b4c4676deff06ff95af7ac33dd683b92f972b4a8ae55cf384bb37c7ec30ab83c6c0745daf87cf1743a745fced6a347fd11fed4c548aa0953610ed4919 DIST openssl-1.1.1u.tar.gz.asc 833 BLAKE2B 7a978a94264a14be04372fea39868e9177e8a0b0f24344267702022e19ee0f52e91ad141d7c54da870f7ec0df9b2e43b80939f1d274dd0b44d36da2670e3a468 SHA512 40245d65ace95b2002bf64bcba184c92fec3420b08d9f61f3a709c4842e9478595105d8adce33a08eb98d351d2a0989ec342b08cdd9104498ea0543b6e592d28 -DIST openssl-3.0.8.tar.gz 15151328 BLAKE2B e163cc9b8b458f72405a2f1bde3811c8d0eb22e8b08ff5608ec64799975f1546dcdce31466b8a1d5ed29bc90d19aa6017d711987c81b71f4b20e279828cf753a SHA512 8ce10be000d7d4092c8efc5b96b1d2f7da04c1c3a624d3a7923899c6b1de06f369016be957e36e8ab6d4c9102eaeec5d1973295d547f7893a7f11f132ae42b0d -DIST openssl-3.0.8.tar.gz.asc 833 BLAKE2B 1949801150e254e9be648f33014a4a16f803b42ca5a302c3942d377013e983e0ea0cca8aed594e3f9ecde26c6e31d222581e991af5fae6cd451d7ee83541f4bb SHA512 e1c04f1179aded228b39005fd9e9f6f75aedafb938b77ac58c97a00973eb412d93b92ad1c447332a5d96850b62b01093502928e6c190bdd0234a94c4e815d2a6 DIST openssl-3.0.9.tar.gz 15181285 BLAKE2B cc1df41fa12ba4443e15e94f6ebdc5e103b9dab5eab2e1c8f74e6a74fa2c38207817921b65d7293cb241c190a910191c7163600bb75243adde0e2f9ec31cc885 SHA512 86c99146b37236419b110db77dd3ac3992e6bed78c258f0cc3434ca233460b4e17c0ac81d7058547fe9cb72a9fd80ee56d4b4916bb731dbe2bbcf1c3d46bf31a DIST openssl-3.0.9.tar.gz.asc 833 BLAKE2B 
9943ac65f83f48465cae83b37a1d004f6be4622e53c3025166d42954abe9215f1a6c2af58d4aa2b45fa51182fee5019e740969f694655b6c592bb278c68aacef SHA512 9949de6b57d5aa21da1d4b68a29eb37e302403c983bd7d2d8769b320aac4268a9f9091c5fb182862a4f89a9099660939fe609df87c66991b75f7695faf357caf DIST openssl-3.1.0.tar.gz 15525381 BLAKE2B 9212a7fb13f6dee7746721ee406af56ae1b48ec58974c002465d2b0205839eb5ee0483383aa9924fc3e4168ebd34e1a5819480cf10aa318994d7171e54c07108 SHA512 71cc75c7700f445c616e382b76263ad2e4072beec0232458baf3d9891b8b64a7ad0cac4b4d24b727b2b7dcd100c78606fd48eba98a67eccd5f336e3d626ca713 diff --git a/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0464.patch b/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0464.patch deleted file mode 100644 index 3cf1d3b38ec9.. --- a/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0464.patch +++ /dev/null @@ -1,214 +0,0 @@ -commit 959c59c7a0164117e7f8366466a32bb1f8d77ff1 -Author: Pauli -Date: Wed Mar 8 15:28:20 2023 +1100 - -x509: excessive resource use verifying policy constraints - -A security vulnerability has been identified in all supported versions -of OpenSSL related to the verification of X.509 certificate chains -that include policy constraints. Attackers may be able to exploit this -vulnerability by creating a malicious certificate chain that triggers -exponential use of computational resources, leading to a denial-of-service -(DoS) attack on affected systems. - -Fixes CVE-2023-0464 - -Reviewed-by: Tomas Mraz -Reviewed-by: Shane Lontis -(Merged from https://github.com/openssl/openssl/pull/20568) - -diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h -index 18b53cc09e..cba107ca03 100644 a/crypto/x509/pcy_local.h -+++ b/crypto/x509/pcy_local.h -@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st { - }; - - struct X509_POLICY_TREE_st { -+
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: 14aa976d66d7789fa8fd8bd5fe34edad53d5ff9a Author: Sam James gentoo org> AuthorDate: Wed Jun 14 05:18:43 2023 + Commit: Sam James gentoo org> CommitDate: Wed Jun 14 05:20:29 2023 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=14aa976d dev-libs/openssl: drop 3.1.0-r3 Bug: https://bugs.gentoo.org/903545 Bug: https://bugs.gentoo.org/907413 Signed-off-by: Sam James gentoo.org> dev-libs/openssl/Manifest | 2 - .../files/openssl-3.1.0-CVE-2023-0464.patch| 214 .../files/openssl-3.1.0-CVE-2023-0465.patch| 46 .../files/openssl-3.1.0-CVE-2023-0466.patch| 41 --- .../files/openssl-3.1.0-CVE-2023-1255.patch| 40 --- dev-libs/openssl/openssl-3.1.0-r3.ebuild | 284 - 6 files changed, 627 deletions(-) diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest index 4c98e70a536d..f8b20e47b8a9 100644 --- a/dev-libs/openssl/Manifest +++ b/dev-libs/openssl/Manifest 
@@ -5,7 +5,5 @@ DIST openssl-1.1.1u.tar.gz 9892176 BLAKE2B 5de9cb856e497596ecba008bad6515eefd093 DIST openssl-1.1.1u.tar.gz.asc 833 BLAKE2B 7a978a94264a14be04372fea39868e9177e8a0b0f24344267702022e19ee0f52e91ad141d7c54da870f7ec0df9b2e43b80939f1d274dd0b44d36da2670e3a468 SHA512 40245d65ace95b2002bf64bcba184c92fec3420b08d9f61f3a709c4842e9478595105d8adce33a08eb98d351d2a0989ec342b08cdd9104498ea0543b6e592d28 DIST openssl-3.0.9.tar.gz 15181285 BLAKE2B cc1df41fa12ba4443e15e94f6ebdc5e103b9dab5eab2e1c8f74e6a74fa2c38207817921b65d7293cb241c190a910191c7163600bb75243adde0e2f9ec31cc885 SHA512 86c99146b37236419b110db77dd3ac3992e6bed78c258f0cc3434ca233460b4e17c0ac81d7058547fe9cb72a9fd80ee56d4b4916bb731dbe2bbcf1c3d46bf31a DIST openssl-3.0.9.tar.gz.asc 833 BLAKE2B 9943ac65f83f48465cae83b37a1d004f6be4622e53c3025166d42954abe9215f1a6c2af58d4aa2b45fa51182fee5019e740969f694655b6c592bb278c68aacef SHA512 9949de6b57d5aa21da1d4b68a29eb37e302403c983bd7d2d8769b320aac4268a9f9091c5fb182862a4f89a9099660939fe609df87c66991b75f7695faf357caf -DIST openssl-3.1.0.tar.gz 15525381 BLAKE2B 9212a7fb13f6dee7746721ee406af56ae1b48ec58974c002465d2b0205839eb5ee0483383aa9924fc3e4168ebd34e1a5819480cf10aa318994d7171e54c07108 SHA512 71cc75c7700f445c616e382b76263ad2e4072beec0232458baf3d9891b8b64a7ad0cac4b4d24b727b2b7dcd100c78606fd48eba98a67eccd5f336e3d626ca713 -DIST openssl-3.1.0.tar.gz.asc 488 BLAKE2B f4a844e3db2c2bdf42b6f811d16cc2077cacf713d20474d94e2d0180a6f97eadf4f03522e9fed478d263d680d88091dc2bc48e7ebb15d049bc57ee7ed64c7fbb SHA512 8d542e6471b745822d6cd889c5b168841b4366ee9a96edc2ab5b44fa1bd1b75308422aed312f1bd6e6a3c3e306eceaa95ce9bb4d0aa3e8ff86cb0fd92a7e61ea DIST openssl-3.1.1.tar.gz 15544757 BLAKE2B 094f7e28f16de6528016fcd21df1d7382b0dbdcd80ec469d37add9c37f638c059dda3ffb4415eba890a33d146ddc9016bcc7192df101c73be5e70faf6e3b1097 SHA512 8ba9dd6ab87451e126c19cc106ccd1643ca48667d6c37504d0ab98205fbccf855fd0db54474b4113c4c3a15215a4ef77a039fb897a69f71bcab2054b2effd1d9 DIST openssl-3.1.1.tar.gz.asc 833 BLAKE2B 
5a2a9aeb475b843862e133d53bc5bb3c8e12e8e03b1e2da41d0eaa0eade1ae03c4318ad1f5c490c5e1ed7e6ac6275a6d7c881d3911722b043b15d1622b25 SHA512 83349020c67e5b956f3ef37604a03a1970ea393f862691f5fd5d85930c01e559e25db17d397d8fd230c3862a8b2fba2d5c7df883d56d7472f4c01dab3a661cb2 diff --git a/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0464.patch b/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0464.patch deleted file mode 100644 index dfe83e53d0ad.. --- a/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0464.patch +++ /dev/null @@ -1,214 +0,0 @@ -commit 2017771e2db3e2b96f89bbe8766c3209f6a99545 -Author: Pauli -Date: Wed Mar 8 15:28:20 2023 +1100 - -x509: excessive resource use verifying policy constraints - -A security vulnerability has been identified in all supported versions -of OpenSSL related to the verification of X.509 certificate chains -that include policy constraints. Attackers may be able to exploit this -vulnerability by creating a malicious certificate chain that triggers -exponential use of computational resources, leading to a denial-of-service -(DoS) attack on affected systems. - -Fixes CVE-2023-0464 - -Reviewed-by: Tomas Mraz -Reviewed-by: Shane Lontis -(Merged from https://github.com/openssl/openssl/pull/20570) - -diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h -index 18b53cc09e..cba107ca03 100644 a/crypto/x509/pcy_local.h -+++ b/crypto/x509/pcy_local.h -@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st { - }; - - struct X509_POLICY_TREE_st { -+/* The number of nodes in the tree */ -+size_t node_count; -+/* The maximum number of nodes in the tree */ -+size_t node_maximum; -+ - /* This is the tree 'level' data */ - X509_POLICY_LEVEL *levels; - int nlevel; -@@ -157,7 +162,8 @@ X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, - X509_POLICY_NODE
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
commit: 08dbfd4976e7cf1eb03ea520327769a96e877c4d Author: Mike Gilbert gentoo org> AuthorDate: Thu May 25 14:57:07 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Thu May 25 14:58:42 2023 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=08dbfd49 dev-libs/openssl: add support for big-endian RISC-V Closes: https://bugs.gentoo.org/904751 Signed-off-by: Mike Gilbert gentoo.org> dev-libs/openssl/files/gentoo.config-1.0.4 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/dev-libs/openssl/files/gentoo.config-1.0.4 b/dev-libs/openssl/files/gentoo.config-1.0.4
index 79f6331f090c..ef1c6f1768a1 100644
--- a/dev-libs/openssl/files/gentoo.config-1.0.4
+++ b/dev-libs/openssl/files/gentoo.config-1.0.4
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 #
 # Openssl doesn't play along nicely with cross-compiling
@@ -111,7 +111,9 @@ linux)
 powerpc64*) machine=ppc64;;
 powerpc*le*) machine="generic32 -DL_ENDIAN";;
 powerpc*) machine=ppc;;
+ riscv32be*) machine="generic32 -DB_ENDIAN";;
 riscv32*) machine="generic32 -DL_ENDIAN";;
+ riscv64be*) machine="riscv64 -DB_ENDIAN" system=linux64;;
 riscv64*) machine="riscv64 -DL_ENDIAN" system=linux64;;
 # sh64*)machine=elf;;
 sh*b*)machine="generic32 -DB_ENDIAN";;
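Review bot: The new `riscv32be*` and `riscv64be*` arms in the second hunk only take effect because they sit above the generic `riscv32*` and `riscv64*` arms, since a shell `case` runs the first matching pattern, and nothing in the file says the order matters. A short comment above them, `# big-endian patterns must stay above the generic riscv* arms (first match wins)`, would keep a later re-sort from silently building big-endian hosts with `-DL_ENDIAN`. Whether the target selected by `machine="riscv64 -DB_ENDIAN"` is endian-neutral cannot be confirmed from the hunk and is worth checking against the OpenSSL Configure targets. The enclosing `case` starts and ends outside the hunk.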
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: 3be8b79d0c921d127686e92c064f0280747cac9d Author: Patrick McLean gentoo org> AuthorDate: Thu Apr 20 16:46:08 2023 + Commit: Patrick McLean gentoo org> CommitDate: Thu Apr 20 16:57:55 2023 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3be8b79d dev-libs/openssl: 3.0.8-r4, add patch for CVE-2023-1255 Upstream changelog (diff edited to remove NEWS and CHANGES.md changes to avoid conflicts): * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which happens if the buffer size is 4 mod 5. This can trigger a crash of an application using AES-XTS decryption if the memory just after the buffer being decrypted is not mapped. Thanks to Anton Romanov (Amazon) for discovering the issue. ([CVE-2023-1255]) *Nevine Ebeid* Signed-off-by: Patrick McLean gentoo.org> .../files/openssl-3.0.8-CVE-2023-1255.patch| 40 +++ dev-libs/openssl/openssl-3.0.8-r4.ebuild | 278 + 2 files changed, 318 insertions(+) diff --git a/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-1255.patch b/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-1255.patch new file mode 100644 index ..9b1a657d51be --- /dev/null +++ b/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-1255.patch 
@@ -0,0 +1,40 @@ +commit 02ac9c9420275868472f33b01def01218742b8bb +Author: Tomas Mraz +Date: Mon Apr 17 16:51:20 2023 +0200 + +aesv8-armx.pl: Avoid buffer overrread in AES-XTS decryption + +Original author: Nevine Ebeid (Amazon) +Fixes: CVE-2023-1255 + +The buffer overread happens on decrypts of 4 mod 5 sizes. +Unless the memory just after the buffer is unmapped this is harmless. + +Reviewed-by: Paul Dale +Reviewed-by: Tom Cosgrove +(Merged from https://github.com/openssl/openssl/pull/20759) + +(cherry picked from commit 72dfe46550ee1f1bbfacd49f071419365bc23304) + +diff --git a/crypto/aes/asm/aesv8-armx.pl b/crypto/aes/asm/aesv8-armx.pl +index 6a7bf05d1b..bd583e2c89 100755 +--- a/crypto/aes/asm/aesv8-armx.pl b/crypto/aes/asm/aesv8-armx.pl +@@ -3353,7 +3353,7 @@ $code.=<<___ if ($flavour =~ /64/); + .align4 + .Lxts_dec_tail4x: + add $inp,$inp,#16 +- vld1.32 {$dat0},[$inp],#16 ++ tst $tailcnt,#0xf + veor$tmp1,$dat1,$tmp0 + vst1.8 {$tmp1},[$out],#16 + veor$tmp2,$dat2,$tmp2 +@@ -3362,6 +3362,8 @@ $code.=<<___ if ($flavour =~ /64/); + veor$tmp4,$dat4,$tmp4 + vst1.8 {$tmp3-$tmp4},[$out],#32 + ++ b.eq.Lxts_dec_abort ++ vld1.32 {$dat0},[$inp],#16 + b .Lxts_done + .align4 + .Lxts_outer_dec_tail: diff --git a/dev-libs/openssl/openssl-3.0.8-r4.ebuild b/dev-libs/openssl/openssl-3.0.8-r4.ebuild new file mode 100644 index ..e11cbae84179 --- /dev/null +++ b/dev-libs/openssl/openssl-3.0.8-r4.ebuild 
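Review bot: The `b.eq .Lxts_dec_abort` added in the second inner hunk depends on condition flags set by the `tst $tailcnt,#0xf` added in the first inner hunk, several instructions earlier, and nothing in the code documents that dependency. The instructions visible between them are `veor` and `vst1.8`, but the lines between the two hunks are not shown, so it cannot be confirmed from here that nothing in that stretch changes the flags. A comment at the `tst`, such as `// flags are consumed by b.eq before the deferred vld1.32; keep flag-setting instructions out of this stretch`, would protect the fix against later edits. The label `.Lxts_dec_abort` is defined outside both hunks, and the patch adds no test vector for the "4 mod 5" input sizes named in its description, so a regression would only show up as an overread at runtime.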
@@ -0,0 +1,278 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc +inherit edo flag-o-matic linux-info toolchain-funcs multilib-minimal multiprocessing verify-sig + +DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" +HOMEPAGE="https://www.openssl.org/; + +MY_P=${P/_/-} + +if [[ ${PV} == ]] ; then + EGIT_REPO_URI="https://github.com/openssl/openssl.git; + + inherit git-r3 +else + SRC_URI="mirror://openssl/source/${MY_P}.tar.gz + verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )" + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" +fi + +S="${WORKDIR}"/${MY_P} + +LICENSE="Apache-2.0" +SLOT="0/3" # .so version of libssl/libcrypto +IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers" +RESTRICT="!test? ( test )" + +COMMON_DEPEND=" + tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) +" +BDEPEND=" + >=dev-lang/perl-5 + sctp? ( >=net-misc/lksctp-tools-1.0.12 ) + test? ( + sys-apps/diffutils + sys-devel/bc + sys-process/procps + ) + verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230207 )" + +DEPEND="${COMMON_DEPEND}" +RDEPEND="${COMMON_DEPEND}" +PDEPEND="app-misc/ca-certificates" + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/openssl/configuration.h +) + +PATCHES=( + "${FILESDIR}"/openssl-3.0.8-mips-cflags.patch + "${FILESDIR}"/openssl-3.0.8-CVE-2023-0464.patch + "${FILESDIR}"/openssl-3.0.8-CVE-2023-0465.patch + "${FILESDIR}"/openssl-3.0.8-CVE-2023-0466.patch + "${FILESDIR}"/openssl-3.0.8-CVE-2023-1255.patch +) + +pkg_setup() { + if use ktls ; then + if kernel_is -lt 4 18 ; then + ewarn "Kernel implementation of TLS
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: abff4432080ff23277dce168d9688acf6c09a4bf Author: Patrick McLean gentoo org> AuthorDate: Tue Mar 28 18:24:48 2023 + Commit: Patrick McLean gentoo org> CommitDate: Tue Mar 28 18:29:08 2023 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=abff4432 dev-libs/openssl: Revbump to 1.1.1t for CVE-2023-0465, CVE-2023-0466 Upstream changelogs (dropped from NEWS due to conflicts): * Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention that it does not enable policy checking. Thanks to David Benjamin for discovering this issue. ([CVE-2023-0466]) *Tomáš Mráz* More information about vulnerabilities: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466 https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465 Signed-off-by: Patrick McLean gentoo.org> .../files/openssl-1.1.1t-CVE-2023-0465.patch | 48 .../files/openssl-1.1.1t-CVE-2023-0466.patch | 41 dev-libs/openssl/openssl-1.1.1t-r3.ebuild | 269 + 3 files changed, 358 insertions(+) diff --git a/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0465.patch b/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0465.patch new file mode 100644 index ..c332e0bd2c9f --- /dev/null +++ b/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0465.patch 
@@ -0,0 +1,48 @@ +commit b013765abfa80036dc779dd0e50602c57bb3bf95 +Author: Matt Caswell +Date: Tue Mar 7 16:52:55 2023 + + +Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs + +Even though we check the leaf cert to confirm it is valid, we +later ignored the invalid flag and did not notice that the leaf +cert was bad. + +Fixes: CVE-2023-0465 + +Reviewed-by: Hugo Landau +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/20588) + +diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c +index 925fbb5412..1dfe4f9f31 100644 +--- a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c +@@ -1649,18 +1649,25 @@ static int check_policy(X509_STORE_CTX *ctx) + } + /* Invalid or inconsistent extensions */ + if (ret == X509_PCY_TREE_INVALID) { +-int i; ++int i, cbcalled = 0; + + /* Locate certificates with bad extensions and notify callback. */ +-for (i = 1; i < sk_X509_num(ctx->chain); i++) { ++for (i = 0; i < sk_X509_num(ctx->chain); i++) { + X509 *x = sk_X509_value(ctx->chain, i); + + if (!(x->ex_flags & EXFLAG_INVALID_POLICY)) + continue; ++cbcalled = 1; + if (!verify_cb_cert(ctx, x, i, + X509_V_ERR_INVALID_POLICY_EXTENSION)) + return 0; + } ++if (!cbcalled) { ++/* Should not be able to get here */ ++X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR); ++return 0; ++} ++/* The callback ignored the error so we return success */ + return 1; + } + if (ret == X509_PCY_TREE_FAILURE) { diff --git a/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0466.patch b/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0466.patch new file mode 100644 index ..9a59d2846a48 --- /dev/null +++ b/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0466.patch 
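Review bot: The new `if (!cbcalled)` branch in check_policy returns 0 after queuing ERR_R_INTERNAL_ERROR but never assigns `ctx->error`, so a caller that reads X509_STORE_CTX_get_error() after the failure may not see a verification error unless code outside the hunk fills one in. Setting it explicitly, `ctx->error = X509_V_ERR_UNSPECIFIED;` just before that `return 0;`, would keep the verification result consistent with the error queue on this fail-closed path. The same branch in openssl-3.0.8-CVE-2023-0465.patch and openssl-3.1.0-CVE-2023-0465.patch (there using `ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR)`) has the same shape. check_policy starts before the hunk and continues after it.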
@@ -0,0 +1,41 @@ +commit 0d16b7e99aafc0b4a6d729eec65a411a7e025f0a +Author: Tomas Mraz +Date: Tue Mar 21 16:15:47 2023 +0100 + +Fix documentation of X509_VERIFY_PARAM_add0_policy() + +The function was incorrectly documented as enabling policy checking. + +Fixes: CVE-2023-0466 + +Reviewed-by: Matt Caswell +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/20564) + +diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod +index f6f304bf7b..aa292f9336 100644 +--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod +@@ -92,8 +92,9 @@ B. + X509_VERIFY_PARAM_set_time() sets the verification time in B to + B. Normally the current time is used. + +-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled +-by default) and adds B to the acceptable policy set. ++X509_VERIFY_PARAM_add0_policy() adds B to the acceptable policy set. ++Contrary to preexisting documentation of this function it does not enable ++policy checking. + + X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled + by default) and sets the acceptable policy set to B. Any existing +@@ -377,6 +378,10 @@ and has no effect. + + The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i. + ++The function X509_VERIFY_PARAM_add0_policy() was historically documented as ++enabling policy checking however the implementation has never done this. ++The documentation was changed to align with the implementation. ++ + =head1 COPYRIGHT + + Copyright 2009-2020 The OpenSSL
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: c2d9bf4871d6a437560697a82f994825632ade98 Author: Patrick McLean gentoo org> AuthorDate: Tue Mar 28 18:28:17 2023 + Commit: Patrick McLean gentoo org> CommitDate: Tue Mar 28 18:29:08 2023 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2d9bf48 dev-libs/openssl: Revbump to 3.0.8-r3 for CVE-2023-0465, CVE-2023-0466 Upstream changelogs (dropped from NEWS due to conflicts): * Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention that it does not enable policy checking. Thanks to David Benjamin for discovering this issue. ([CVE-2023-0466]) *Tomáš Mráz* More information about vulnerabilities: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466 https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465 Signed-off-by: Patrick McLean gentoo.org> .../files/openssl-3.0.8-CVE-2023-0465.patch| 46 .../files/openssl-3.0.8-CVE-2023-0466.patch| 41 dev-libs/openssl/openssl-3.0.8-r3.ebuild | 273 + 3 files changed, 360 insertions(+) diff --git a/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0465.patch b/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0465.patch new file mode 100644 index ..852706d8aa92 --- /dev/null +++ b/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0465.patch 
@@ -0,0 +1,46 @@ +commit 1dd43e0709fece299b15208f36cc7c76209ba0bb +Author: Matt Caswell +Date: Tue Mar 7 16:52:55 2023 + + +Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs + +Even though we check the leaf cert to confirm it is valid, we +later ignored the invalid flag and did not notice that the leaf +cert was bad. + +Fixes: CVE-2023-0465 + +Reviewed-by: Hugo Landau +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/20587) + +diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c +index 9384f1da9b..a0282c3ef1 100644 +--- a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c +@@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX *ctx) + goto memerr; + /* Invalid or inconsistent extensions */ + if (ret == X509_PCY_TREE_INVALID) { +-int i; ++int i, cbcalled = 0; + + /* Locate certificates with bad extensions and notify callback. */ +-for (i = 1; i < sk_X509_num(ctx->chain); i++) { ++for (i = 0; i < sk_X509_num(ctx->chain); i++) { + X509 *x = sk_X509_value(ctx->chain, i); + ++if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0) ++cbcalled = 1; + CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0, +ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION); + } ++if (!cbcalled) { ++/* Should not be able to get here */ ++ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR); ++return 0; ++} ++/* The callback ignored the error so we return success */ + return 1; + } + if (ret == X509_PCY_TREE_FAILURE) { diff --git a/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0466.patch b/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0466.patch new file mode 100644 index ..c71665d82e18 --- /dev/null +++ b/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0466.patch 
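Review bot: The test `(x->ex_flags & EXFLAG_INVALID_POLICY) != 0` is written twice on adjacent lines of the new loop body, once to set `cbcalled` and once as the first argument of CB_FAIL_IF. The "should not be able to get here" check stays correct only while both copies match. Evaluating it once, `int bad = (x->ex_flags & EXFLAG_INVALID_POLICY) != 0;` then `cbcalled |= bad;` and `CB_FAIL_IF(bad, ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION);`, ties the flag to the condition that actually triggers the callback. CB_FAIL_IF is defined outside the hunk, so its use of the first argument is assumed rather than visible. The identical loop in openssl-3.1.0-CVE-2023-0465.patch has the same duplication, and check_policy starts before the hunk and continues after it.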
@@ -0,0 +1,41 @@ +commit 51e8a84ce742db0f6c70510d0159dad8f7825908 +Author: Tomas Mraz +Date: Tue Mar 21 16:15:47 2023 +0100 + +Fix documentation of X509_VERIFY_PARAM_add0_policy() + +The function was incorrectly documented as enabling policy checking. + +Fixes: CVE-2023-0466 + +Reviewed-by: Matt Caswell +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/20563) + +diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod +index 75a1677022..43c1900bca 100644 +--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod +@@ -98,8 +98,9 @@ B. + X509_VERIFY_PARAM_set_time() sets the verification time in B to + B. Normally the current time is used. + +-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled +-by default) and adds B to the acceptable policy set. ++X509_VERIFY_PARAM_add0_policy() adds B to the acceptable policy set. ++Contrary to preexisting documentation of this function it does not enable ++policy checking. + + X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled + by default) and sets the acceptable policy set to B. Any existing +@@ -400,6 +401,10 @@ The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i. + The X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(), + and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0. + ++The function X509_VERIFY_PARAM_add0_policy() was historically documented as ++enabling policy checking however the implementation has never done this. ++The documentation
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: 41ad57bbbed0ee3d06a9922f8fbdc1116f52dd2a Author: Patrick McLean gentoo org> AuthorDate: Tue Mar 28 18:28:44 2023 + Commit: Patrick McLean gentoo org> CommitDate: Tue Mar 28 18:29:09 2023 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=41ad57bb dev-libs/openssl: Revbump to 3.1.0-r2 for CVE-2023-0465, CVE-2023-0466 Upstream changelogs (dropped from NEWS due to conflicts): * Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention that it does not enable policy checking. Thanks to David Benjamin for discovering this issue. ([CVE-2023-0466]) *Tomáš Mráz* More information about vulnerabilities: https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466 https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465 Signed-off-by: Patrick McLean gentoo.org> .../files/openssl-3.1.0-CVE-2023-0465.patch| 46 .../files/openssl-3.1.0-CVE-2023-0466.patch| 41 +++ dev-libs/openssl/openssl-3.1.0-r2.ebuild | 276 + 3 files changed, 363 insertions(+) diff --git a/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0465.patch b/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0465.patch new file mode 100644 index ..a98f7cba13bd --- /dev/null +++ b/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0465.patch 
@@ -0,0 +1,46 @@ +commit facfb1ab745646e97a1920977ae4a9965ea61d5c +Author: Matt Caswell +Date: Tue Mar 7 16:52:55 2023 + + +Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs + +Even though we check the leaf cert to confirm it is valid, we +later ignored the invalid flag and did not notice that the leaf +cert was bad. + +Fixes: CVE-2023-0465 + +Reviewed-by: Hugo Landau +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/20586) + +diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c +index 9384f1da9b..a0282c3ef1 100644 +--- a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c +@@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX *ctx) + goto memerr; + /* Invalid or inconsistent extensions */ + if (ret == X509_PCY_TREE_INVALID) { +-int i; ++int i, cbcalled = 0; + + /* Locate certificates with bad extensions and notify callback. */ +-for (i = 1; i < sk_X509_num(ctx->chain); i++) { ++for (i = 0; i < sk_X509_num(ctx->chain); i++) { + X509 *x = sk_X509_value(ctx->chain, i); + ++if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0) ++cbcalled = 1; + CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0, +ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION); + } ++if (!cbcalled) { ++/* Should not be able to get here */ ++ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR); ++return 0; ++} ++/* The callback ignored the error so we return success */ + return 1; + } + if (ret == X509_PCY_TREE_FAILURE) { diff --git a/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0466.patch b/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0466.patch new file mode 100644 index ..9a315f4c00fd --- /dev/null +++ b/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0466.patch 
@@ -0,0 +1,41 @@ +commit fc814a30fc4f0bc54fcea7d9a7462f5457aab061 +Author: Tomas Mraz +Date: Tue Mar 21 16:15:47 2023 +0100 + +Fix documentation of X509_VERIFY_PARAM_add0_policy() + +The function was incorrectly documented as enabling policy checking. + +Fixes: CVE-2023-0466 + +Reviewed-by: Paul Dale +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/20562) + +diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod +index 20aea99b5b..fcbbfc4c30 100644 +--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod +@@ -98,8 +98,9 @@ B. + X509_VERIFY_PARAM_set_time() sets the verification time in B to + B. Normally the current time is used. + +-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled +-by default) and adds B to the acceptable policy set. ++X509_VERIFY_PARAM_add0_policy() adds B to the acceptable policy set. ++Contrary to preexisting documentation of this function it does not enable ++policy checking. + + X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled + by default) and sets the acceptable policy set to B. Any existing +@@ -400,6 +401,10 @@ The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i. + The X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(), + and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0. + ++The function X509_VERIFY_PARAM_add0_policy() was historically documented as ++enabling policy checking however the implementation has never done this. ++The documentation
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: f8e9992c5936077459a640b9cb4aa07ff5e75a20 Author: Patrick McLean gentoo org> AuthorDate: Wed Mar 22 22:58:47 2023 + Commit: Patrick McLean gentoo org> CommitDate: Wed Mar 22 22:59:47 2023 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f8e9992c dev-libs/openssl: Bump to 3.0.8-r2, add patch for CVE-2023-0464 Signed-off-by: Patrick McLean gentoo.org> .../files/openssl-3.0.8-CVE-2023-0464.patch| 214 dev-libs/openssl/openssl-3.0.8-r2.ebuild | 271 + 2 files changed, 485 insertions(+) diff --git a/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0464.patch b/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0464.patch new file mode 100644 index ..3cf1d3b38ec9 --- /dev/null +++ b/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0464.patch 
@@ -0,0 +1,214 @@ +commit 959c59c7a0164117e7f8366466a32bb1f8d77ff1 +Author: Pauli +Date: Wed Mar 8 15:28:20 2023 +1100 + +x509: excessive resource use verifying policy constraints + +A security vulnerability has been identified in all supported versions +of OpenSSL related to the verification of X.509 certificate chains +that include policy constraints. Attackers may be able to exploit this +vulnerability by creating a malicious certificate chain that triggers +exponential use of computational resources, leading to a denial-of-service +(DoS) attack on affected systems. + +Fixes CVE-2023-0464 + +Reviewed-by: Tomas Mraz +Reviewed-by: Shane Lontis +(Merged from https://github.com/openssl/openssl/pull/20568) + +diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h +index 18b53cc09e..cba107ca03 100644 +--- a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h +@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st { + }; + + struct X509_POLICY_TREE_st { ++/* The number of nodes in the tree */ ++size_t node_count; ++/* The maximum number of nodes in the tree */ ++size_t node_maximum; ++ + /* This is the tree 'level' data */ + X509_POLICY_LEVEL *levels; + int nlevel; +@@ -157,7 +162,8 @@ X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, + X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + X509_POLICY_DATA *data, + X509_POLICY_NODE *parent, +- X509_POLICY_TREE *tree); ++ X509_POLICY_TREE *tree, ++ int extra_data); + void ossl_policy_node_free(X509_POLICY_NODE *node); + int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl, +const X509_POLICY_NODE *node, const ASN1_OBJECT *oid); +diff --git a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c +index 9d9a7ea179..450f95a655 100644 +--- a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c +@@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level, + X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + X509_POLICY_DATA *data, 
+ X509_POLICY_NODE *parent, +- X509_POLICY_TREE *tree) ++ X509_POLICY_TREE *tree, ++ int extra_data) + { + X509_POLICY_NODE *node; + ++/* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */ ++if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum) ++return NULL; ++ + node = OPENSSL_zalloc(sizeof(*node)); + if (node == NULL) { + ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); +@@ -70,7 +75,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + } + node->data = data; + node->parent = parent; +-if (level) { ++if (level != NULL) { + if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) { + if (level->anyPolicy) + goto node_error; +@@ -90,7 +95,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + } + } + +-if (tree) { ++if (extra_data) { + if (tree->extra_data == NULL) + tree->extra_data = sk_X509_POLICY_DATA_new_null(); + if (tree->extra_data == NULL){ +@@ -103,6 +108,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + } + } + ++tree->node_count++; + if (parent) + parent->nchild++; + +diff --git a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c +index fa45da5117..f953a05a41 100644 +--- a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c +@@ -14,6 +14,17 @@ + + #include "pcy_local.h" + ++/* ++ * If the maximum number of nodes in the policy tree isn't defined,
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: d0c15fb7ffe7e93294611b885c10b86fa5323575 Author: Patrick McLean gentoo org> AuthorDate: Wed Mar 22 22:59:09 2023 + Commit: Patrick McLean gentoo org> CommitDate: Wed Mar 22 22:59:47 2023 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d0c15fb7 dev-libs/openssl: Bump to 3.1.0-r1, add patch for CVE-2023-0464 Signed-off-by: Patrick McLean gentoo.org> .../files/openssl-3.1.0-CVE-2023-0464.patch| 214 dev-libs/openssl/openssl-3.1.0-r1.ebuild | 274 + 2 files changed, 488 insertions(+) diff --git a/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0464.patch b/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0464.patch new file mode 100644 index ..dfe83e53d0ad --- /dev/null +++ b/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0464.patch 
@@ -0,0 +1,214 @@ +commit 2017771e2db3e2b96f89bbe8766c3209f6a99545 +Author: Pauli +Date: Wed Mar 8 15:28:20 2023 +1100 + +x509: excessive resource use verifying policy constraints + +A security vulnerability has been identified in all supported versions +of OpenSSL related to the verification of X.509 certificate chains +that include policy constraints. Attackers may be able to exploit this +vulnerability by creating a malicious certificate chain that triggers +exponential use of computational resources, leading to a denial-of-service +(DoS) attack on affected systems. + +Fixes CVE-2023-0464 + +Reviewed-by: Tomas Mraz +Reviewed-by: Shane Lontis +(Merged from https://github.com/openssl/openssl/pull/20570) + +diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h +index 18b53cc09e..cba107ca03 100644 +--- a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h +@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st { + }; + + struct X509_POLICY_TREE_st { ++/* The number of nodes in the tree */ ++size_t node_count; ++/* The maximum number of nodes in the tree */ ++size_t node_maximum; ++ + /* This is the tree 'level' data */ + X509_POLICY_LEVEL *levels; + int nlevel; +@@ -157,7 +162,8 @@ X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, + X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + X509_POLICY_DATA *data, + X509_POLICY_NODE *parent, +- X509_POLICY_TREE *tree); ++ X509_POLICY_TREE *tree, ++ int extra_data); + void ossl_policy_node_free(X509_POLICY_NODE *node); + int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl, +const X509_POLICY_NODE *node, const ASN1_OBJECT *oid); +diff --git a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c +index 9d9a7ea179..450f95a655 100644 +--- a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c +@@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level, + X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + X509_POLICY_DATA *data, 
+ X509_POLICY_NODE *parent, +- X509_POLICY_TREE *tree) ++ X509_POLICY_TREE *tree, ++ int extra_data) + { + X509_POLICY_NODE *node; + ++/* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */ ++if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum) ++return NULL; ++ + node = OPENSSL_zalloc(sizeof(*node)); + if (node == NULL) { + ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); +@@ -70,7 +75,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + } + node->data = data; + node->parent = parent; +-if (level) { ++if (level != NULL) { + if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) { + if (level->anyPolicy) + goto node_error; +@@ -90,7 +95,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + } + } + +-if (tree) { ++if (extra_data) { + if (tree->extra_data == NULL) + tree->extra_data = sk_X509_POLICY_DATA_new_null(); + if (tree->extra_data == NULL){ +@@ -103,6 +108,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + } + } + ++tree->node_count++; + if (parent) + parent->nchild++; + +diff --git a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c +index fa45da5117..f953a05a41 100644 +--- a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c +@@ -14,6 +14,17 @@ + + #include "pcy_local.h" + ++/* ++ * If the maximum number of nodes in the policy tree isn't defined,
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
commit: abfaca134102918ed6904bdd2ed08b6ea3949739 Author: Michael Mair-Keimberger levelnine at> AuthorDate: Thu Mar 16 17:14:50 2023 + Commit: Sam James gentoo org> CommitDate: Sun Mar 19 03:12:42 2023 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=abfaca13 dev-libs/openssl: remove unused file Signed-off-by: Michael Mair-Keimberger levelnine.at> Closes: https://github.com/gentoo/gentoo/pull/30156 Signed-off-by: Sam James gentoo.org> dev-libs/openssl/files/gentoo.config-1.0.3 | 172 - 1 file changed, 172 deletions(-) diff --git a/dev-libs/openssl/files/gentoo.config-1.0.3 b/dev-libs/openssl/files/gentoo.config-1.0.3 deleted file mode 100644 index 0662f72b6d80.. --- a/dev-libs/openssl/files/gentoo.config-1.0.3 +++ /dev/null 
@@ -1,172 +0,0 @@ -#!/usr/bin/env bash -# Copyright 1999-2020 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 -# -# Openssl doesn't play along nicely with cross-compiling -# like autotools based projects, so let's teach it new tricks. -# -# Review the bundled 'config' script to see why kind of targets -# we can pass to the 'Configure' script. - - -# Testing routines -if [[ $1 == "test" ]] ; then - for c in \ - "arm-gentoo-linux-uclibc |linux-generic32 -DL_ENDIAN" \ - "armv5b-linux-gnu |linux-armv4 -DB_ENDIAN" \ - "x86_64-pc-linux-gnu |linux-x86_64" \ - "alpha-linux-gnu |linux-alpha-gcc" \ - "alphaev56-unknown-linux-gnu |linux-alpha+bwx-gcc" \ - "i686-pc-linux-gnu|linux-elf" \ - "whatever-gentoo-freebsdX.Y |BSD-generic32" \ - "i686-gentoo-freebsdX.Y |BSD-x86-elf" \ - "sparc64-alpha-freebsdX.Y |BSD-sparc64" \ - "ia64-gentoo-freebsd5.99234 |BSD-ia64" \ - "x86_64-gentoo-freebsdX.Y |BSD-x86_64" \ - "hppa64-aldsF-linux-gnu5.3|linux-generic32 -DB_ENDIAN" \ - "powerpc-gentOO-linux-uclibc |linux-ppc" \ - "powerpc64-unk-linux-gnu |linux-ppc64" \ - "powerpc64le-linux-gnu|linux-ppc64le" \ - "x86_64-apple-darwinX |darwin64-x86_64-cc" \ - "powerpc64-apple-darwinX |darwin64-ppc-cc" \ - "i686-apple-darwinX |darwin-i386-cc" \ - "i386-apple-darwinX |darwin-i386-cc" \ - "powerpc-apple-darwinX|darwin-ppc-cc" \ - "i586-pc-winnt|winnt-parity" \ - "s390-ibm-linux-gnu |linux-generic32 -DB_ENDIAN" \ - "s390x-linux-gnu |linux64-s390x" \ - ;do - CHOST=${c/|*} - ret_want=${c/*|} - ret_got=$(CHOST=${CHOST} "$0") - - if [[ ${ret_want} == "${ret_got}" ]] ; then - echo "PASS: ${CHOST}" - else - echo "FAIL: ${CHOST}" - echo -e "\twanted: ${ret_want}" - echo -e "\twe got: ${ret_got}" - fi - done - exit 0 -fi -[[ -z ${CHOST} && -n $1 ]] && CHOST=$1 - - -# Detect the operating system -case ${CHOST} in - *-aix*) system="aix";; - *-darwin*) system="darwin";; - *-freebsd*) system="BSD";; - *-hpux*) system="hpux";; - *-linux*)system="linux";; - *-solaris*) 
system="solaris";; - *-winnt*)system="winnt";; - x86_64-*-mingw*) system="mingw64";; - *mingw*) system="mingw";; - *) exit 0;; -esac - - -# Compiler munging -compiler="gcc" -if [[ ${CC} == "ccc" ]] ; then - compiler=${CC} -fi - - -# Detect target arch -machine="" -chost_machine=${CHOST%%-*} -case ${system} in -linux) - case ${chost_machine}:${ABI} in - aarch64*be*) machine="aarch64 -DB_ENDIAN";; - aarch64*) machine="aarch64 -DL_ENDIAN";; - alphaev56*|\ - alphaev[678]*)machine=alpha+bwx-${compiler};; - alpha*) machine=alpha-${compiler};; - armv[4-9]*b*) machine="armv4 -DB_ENDIAN";; - armv[4-9]*) machine="armv4 -DL_ENDIAN";; - arm*b*) machine="generic32 -DB_ENDIAN";; - arm*) machine="generic32 -DL_ENDIAN";; - avr*) machine="generic32 -DL_ENDIAN";; - bfin*)machine="generic32 -DL_ENDIAN";; - # hppa64*) machine=parisc64;; - hppa*)machine="generic32 -DB_ENDIAN";; - i[0-9]86*|\ - x86_64*:x86) machine=elf;; - ia64*)machine=ia64;; - loongarch64*) machine="generic64 -DL_ENDIAN";; - m68*) machine="latomic -DB_ENDIAN";; -
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: 568c16c5c05f87f999b04925544cd1ee344319c1 Author: Sam James gentoo org> AuthorDate: Tue Mar 14 19:38:22 2023 + Commit: Sam James gentoo org> CommitDate: Tue Mar 14 19:48:32 2023 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=568c16c5 dev-libs/openssl: drop 3.0.7-r1, 3.0.7-r4 Signed-off-by: Sam James gentoo.org> dev-libs/openssl/Manifest | 2 - .../files/openssl-3.0.7-x509-CVE-2022-3996.patch | 35 --- dev-libs/openssl/openssl-3.0.7-r1.ebuild | 338 - dev-libs/openssl/openssl-3.0.7-r4.ebuild | 264 4 files changed, 639 deletions(-) diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest index 31e236b00955..f45d7d6c5109 100644 --- a/dev-libs/openssl/Manifest +++ b/dev-libs/openssl/Manifest 
@@ -5,7 +5,5 @@ DIST openssl-1.1.1s.tar.gz 9868981 BLAKE2B ecd19eaf84dbc80448b51651abe52a89cc005 DIST openssl-1.1.1s.tar.gz.asc 858 BLAKE2B d95f0f80d460feac737f84ed629c45aaf5e453103ef202ec7d33cf33b89ad83a9007429433b10754b725d7963b1960e350b64e8bdfe569ad149e26bef462eeca SHA512 aa6e5e940448297a90c46ba162f8e6ee324c2e202a9283328c31f996dc2259dd9f5f981d94d1cf1dd3cc73c44647b473602dacb857b9719bf066931b43b899e6 DIST openssl-1.1.1t.tar.gz 9881866 BLAKE2B 66d76ea0c05a4afc3104e22602cffc2373e857728625d31ab3244881cafa91c099a817a09def7746bce4133585bfc90b769f43527e77a81ed13e60a8c2fb4d8d SHA512 628676c9c3bc1cf46083d64f61943079f97f0eefd0264042e40a85dbbd988f271bfe01cd1135d22cc3f67a298f1d078041f8f2e97b0da0d93fe172da573da18c DIST openssl-1.1.1t.tar.gz.asc 833 BLAKE2B fc5e7069268e987a20241dfc4f080529c6e95e217c198568b09c833e390e68b25a604a5d3ec29c6a64b9dee9d42199fd3647214e536ba2f7b8b4e57aa4cba680 SHA512 1232a94fce991d62f008ae6d3d9b6fe68cb6378fe07450feb17a58eb2417fb385ffcb7e6b74eb683134be9ff6ccf6efa183f37f4dd521614fd5aeaddf000b90b -DIST openssl-3.0.7.tar.gz 15107575 BLAKE2B 141881071fa62f056c514e7c653a61c59cc45fe951ec094041e23fb5e619133b7ebbfe31cd8203969c9d8842b8cbc10ec58da67cc181761a11c1cfdd0869df9a SHA512 6c2bcd1cd4b499e074e006150dda906980df505679d8e9d988ae93aa61ee6f8c23c0fa369e2edc1e1a743d7bec133044af11d5ed57633b631ae479feb59e3424 -DIST openssl-3.0.7.tar.gz.asc 858 BLAKE2B bd07a6f656cce817038743caf1131ef8d7a21bf587e706e32771ad9e09cb4821d21b71171a7fe7bb6bece95e9b06cea6d723aae9de8b62049b5a8316578500be SHA512 9093a8a5a990f5f37bd95e7ca55f2371e59242be408ea7d9403bcfc9c8873c022237e13c0ec81881a20607ea46927887a895a82b6f50c6f423b4c54f9ef0cde1 DIST openssl-3.0.8.tar.gz 15151328 BLAKE2B e163cc9b8b458f72405a2f1bde3811c8d0eb22e8b08ff5608ec64799975f1546dcdce31466b8a1d5ed29bc90d19aa6017d711987c81b71f4b20e279828cf753a SHA512 8ce10be000d7d4092c8efc5b96b1d2f7da04c1c3a624d3a7923899c6b1de06f369016be957e36e8ab6d4c9102eaeec5d1973295d547f7893a7f11f132ae42b0d DIST openssl-3.0.8.tar.gz.asc 833 BLAKE2B 
1949801150e254e9be648f33014a4a16f803b42ca5a302c3942d377013e983e0ea0cca8aed594e3f9ecde26c6e31d222581e991af5fae6cd451d7ee83541f4bb SHA512 e1c04f1179aded228b39005fd9e9f6f75aedafb938b77ac58c97a00973eb412d93b92ad1c447332a5d96850b62b01093502928e6c190bdd0234a94c4e815d2a6 diff --git a/dev-libs/openssl/files/openssl-3.0.7-x509-CVE-2022-3996.patch b/dev-libs/openssl/files/openssl-3.0.7-x509-CVE-2022-3996.patch deleted file mode 100644 index 079a4f508ccb.. --- a/dev-libs/openssl/files/openssl-3.0.7-x509-CVE-2022-3996.patch +++ /dev/null @@ -1,35 +0,0 @@ -https://bugs.gentoo.org/885797 - -https://github.com/openssl/openssl/commit/7725e7bfe6f2ce8146b6552b44e0d226be7638e7 -https://github.com/openssl/openssl/issues/19643 - -From 7725e7bfe6f2ce8146b6552b44e0d226be7638e7 Mon Sep 17 00:00:00 2001 -From: Pauli -Date: Fri, 11 Nov 2022 09:40:19 +1100 -Subject: [PATCH] x509: fix double locking problem - -This reverts commit 9aa4be691f5c73eb3c68606d824c104550c053f7 and removed the -redundant flag setting. - -Fixes #19643 - -Fixes LOW CVE-2022-3996 - -Reviewed-by: Dmitry Belyavskiy -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/19652) - -(cherry picked from commit 4d0340a6d2f327700a059f0b8f954d6160f8eef5) a/crypto/x509/pcy_map.c -+++ b/crypto/x509/pcy_map.c -@@ -73,10 +73,6 @@ int ossl_policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps) - - ret = 1; - bad_mapping: --if (ret == -1 && CRYPTO_THREAD_write_lock(x->lock)) { --x->ex_flags |= EXFLAG_INVALID_POLICY; --CRYPTO_THREAD_unlock(x->lock); --} - sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free); - return ret; - diff --git a/dev-libs/openssl/openssl-3.0.7-r1.ebuild b/dev-libs/openssl/openssl-3.0.7-r1.ebuild deleted file mode 100644 index a1bcc6a59545.. --- a/dev-libs/openssl/openssl-3.0.7-r1.ebuild +++ /dev/null 
@@ -1,338 +0,0 @@ -# Copyright 1999-2023 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc -inherit edo flag-o-matic
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
commit: d9d631a188bd27b62082fd93a7f434b00e458b1b Author: Nicholas Vinson gmail com> AuthorDate: Wed Feb 22 00:57:55 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Wed Feb 22 19:29:31 2023 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d9d631a1 dev-libs/openssl: gentoo.config-1.0.4 clang fix Update gentoo.config-1.0.4 to better support clang compiler toolchains Closes: https://bugs.gentoo.org/885901 Signed-off-by: Nicholas Vinson gmail.com> Closes: https://github.com/gentoo/gentoo/pull/29711 Signed-off-by: Mike Gilbert gentoo.org> dev-libs/openssl/files/gentoo.config-1.0.4 | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/dev-libs/openssl/files/gentoo.config-1.0.4 b/dev-libs/openssl/files/gentoo.config-1.0.4 index 573a97de3543..79f6331f090c 100644 --- a/dev-libs/openssl/files/gentoo.config-1.0.4 +++ b/dev-libs/openssl/files/gentoo.config-1.0.4 @@ -77,7 +77,9 @@ fi # Detect target arch machine="" +submachine="" chost_machine=${CHOST%%-*} +[[ ${CC} == *clang* ]] && submachine="-clang" case ${system} in linux) case ${chost_machine}:${ABI} in @@ -95,7 +97,7 @@ linux) # hppa64*) machine=parisc64;; hppa*)machine="generic32 -DB_ENDIAN";; i[0-9]86*|\ - x86_64*:x86) machine=x86;; + x86_64*:x86) machine=x86${submachine};; ia64*)machine=ia64;; loongarch64*) machine="loongarch64 -DL_ENDIAN" system=linux64;; m68*) machine="latomic -DB_ENDIAN";; @@ -125,7 +127,7 @@ linux) s390x*) machine=s390x system=linux64;; s390*)machine="generic32 -DB_ENDIAN";; x86_64*:x32) machine=x32;; - x86_64*) machine=x86_64;; + x86_64*) machine=x86_64${submachine};; esac ;; BSD)
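Review bot: The new `[[ ${CC} == *clang* ]] && submachine="-clang"` line makes the script's output depend on the caller's CC, which the built-in `test` mode does not pin. If the self-test block still invokes the script as `ret_got=$(CHOST=${CHOST} "$0")` and expects `linux-x86_64`, as in the version of this file added in commit 93dfaa16, it would report FAIL for `x86_64-pc-linux-gnu` whenever CC names clang. Clearing the variable in that call, `ret_got=$(CC= CHOST=${CHOST} "$0")`, or adding a clang row to the table would keep the self-test meaningful. The pattern is a substring match, so any CC value containing `clang`, including in a path component, selects the `-clang` target; a short comment next to the line saying this is intended would help. The enclosing `case` statements start and end outside these hunks.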
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: c3fb91dafb05c7665a96a6d97ad2a5ed69791f3c Author: Mike Gilbert gentoo org> AuthorDate: Sun Feb 12 23:21:09 2023 + Commit: Mike Gilbert gentoo org> CommitDate: Sun Feb 12 23:23:10 2023 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c3fb91da dev-libs/openssl: fix Configure on mips Closes: https://bugs.gentoo.org/894140 Signed-off-by: Mike Gilbert gentoo.org> .../openssl/files/openssl-3.0.8-mips-cflags.patch | 30 ++ dev-libs/openssl/openssl-1.1.1t-r1.ebuild | 1 + dev-libs/openssl/openssl-3.0.8.ebuild | 5 3 files changed, 36 insertions(+) diff --git a/dev-libs/openssl/files/openssl-3.0.8-mips-cflags.patch b/dev-libs/openssl/files/openssl-3.0.8-mips-cflags.patch new file mode 100644 index ..111681f27d07 --- /dev/null +++ b/dev-libs/openssl/files/openssl-3.0.8-mips-cflags.patch @@ -0,0 +1,30 @@ +https://bugs.gentoo.org/894140 +https://github.com/openssl/openssl/issues/20214 + +From d500b51791cd56e73065e3a7f4487fc33f31c91c Mon Sep 17 00:00:00 2001 +From: Mike Gilbert +Date: Sun, 12 Feb 2023 17:56:58 -0500 +Subject: [PATCH] Fix Configure test for -mips in CFLAGS + +We want to add -mips2 or -mips3 only if the user hasn't already +specified a mips version in CFLAGS. The existing test was a +double-negative. + +Fixes: https://github.com/openssl/openssl/issues/20214 +--- + Configure | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Configure b/Configure +index b6bbec0a85c4..ec48614d6b99 100755 +--- a/Configure b/Configure +@@ -1475,7 +1475,7 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m) + } + + if ($target =~ /linux.*-mips/ && !$disabled{asm} +-&& !grep { $_ !~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) { ++&& !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) { + # minimally required architecture flags for assembly modules + my $value; + $value = '-mips2' if ($target =~ /mips32/); 
diff --git a/dev-libs/openssl/openssl-1.1.1t-r1.ebuild b/dev-libs/openssl/openssl-1.1.1t-r1.ebuild index 89d9f7f6c010..7261dbf43506 100644 --- a/dev-libs/openssl/openssl-1.1.1t-r1.ebuild +++ b/dev-libs/openssl/openssl-1.1.1t-r1.ebuild @@ -47,6 +47,7 @@ PATCHES=( # If they're Gentoo specific, add to USE=-vanilla logic in src_prepare! "${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch # bug #671602 "${FILESDIR}"/${PN}-1.1.1i-riscv32.patch + "${FILESDIR}"/openssl-3.0.8-mips-cflags.patch ) pkg_setup() { diff --git a/dev-libs/openssl/openssl-3.0.8.ebuild b/dev-libs/openssl/openssl-3.0.8.ebuild index e259080c01c3..37799cd36092 100644 --- a/dev-libs/openssl/openssl-3.0.8.ebuild +++ b/dev-libs/openssl/openssl-3.0.8.ebuild @@ -50,6 +50,10 @@ MULTILIB_WRAPPED_HEADERS=( /usr/include/openssl/configuration.h ) +PATCHES=( + "${FILESDIR}"/openssl-3.0.8-mips-cflags.patch +) + pkg_setup() { if use ktls ; then if kernel_is -lt 4 18 ; then @@ -99,6 +103,7 @@ src_prepare() { # that gets blown away anyways by the Configure script in src_configure rm -f Makefile + if ! use vanilla ; then PATCHES+=( # Add patches which are Gentoo-specific customisations here
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
commit: 9ecc3b0650d539516074b2659b543d175de4199f Author: Michael Mair-Keimberger levelnine at> AuthorDate: Wed Feb 8 16:49:57 2023 + Commit: Sam James gentoo org> CommitDate: Wed Feb 8 17:14:42 2023 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9ecc3b06 dev-libs/openssl: remove unused patch Signed-off-by: Michael Mair-Keimberger levelnine.at> Closes: https://github.com/gentoo/gentoo/pull/29488 Signed-off-by: Sam James gentoo.org> .../openssl/files/openssl-3.0.5-test-memcmp.patch | 24 -- 1 file changed, 24 deletions(-) diff --git a/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch b/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch deleted file mode 100644 index fc84d82e87da.. --- a/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch +++ /dev/null @@ -1,24 +0,0 @@ -https://github.com/openssl/openssl/pull/18719 - -From 7f58de577c05ae0bbd20eee9b2971cfa1cd062c8 Mon Sep 17 00:00:00 2001 -From: Gregor Jasny -Date: Tue, 5 Jul 2022 12:57:06 +0200 -Subject: [PATCH] Add missing header for memcmp - -CLA: trivial - test/v3ext.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/test/v3ext.c b/test/v3ext.c -index 926f3884b138..a8ab64b2714b 100644 a/test/v3ext.c -+++ b/test/v3ext.c -@@ -8,6 +8,7 @@ - */ - - #include -+#include - #include - #include - #include
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: 46e080f168be4b67e832229997c2b200fe269e34 Author: Andreas K. Hüttel gentoo org> AuthorDate: Sat Dec 17 19:19:14 2022 + Commit: Andreas K. Hüttel gentoo org> CommitDate: Sat Dec 17 19:19:14 2022 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=46e080f1 dev-libs/openssl: keyword 3.0.7-r2 for ~loong Signed-off-by: Andreas K. Hüttel gentoo.org> dev-libs/openssl/files/gentoo.config-1.0.4 | 2 +- dev-libs/openssl/openssl-3.0.7-r2.ebuild | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dev-libs/openssl/files/gentoo.config-1.0.4 b/dev-libs/openssl/files/gentoo.config-1.0.4 index edbf22a56dff..98f8d1af64ac 100644 --- a/dev-libs/openssl/files/gentoo.config-1.0.4 +++ b/dev-libs/openssl/files/gentoo.config-1.0.4 @@ -97,7 +97,7 @@ linux) i[0-9]86*|\ x86_64*:x86) machine=elf;; ia64*)machine=ia64;; - loongarch64*) machine="generic64 -DL_ENDIAN";; + loongarch64*) machine="loongarch64 -DL_ENDIAN" system=linux64;; m68*) machine="latomic -DB_ENDIAN";; mips*el*:o32) machine="mips32 -DL_ENDIAN";; mips*:o32)machine="mips32 -DB_ENDIAN";; diff --git a/dev-libs/openssl/openssl-3.0.7-r2.ebuild b/dev-libs/openssl/openssl-3.0.7-r2.ebuild index 4ee76298915b..2bccbd686aa0 100644 --- a/dev-libs/openssl/openssl-3.0.7-r2.ebuild +++ b/dev-libs/openssl/openssl-3.0.7-r2.ebuild @@ -19,7 +19,7 @@ else SRC_URI="mirror://openssl/source/${MY_P}.tar.gz verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )" #KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux" - KEYWORDS="~alpha ~amd64 ~arm64 ~mips" + KEYWORDS="~alpha ~amd64 ~arm64 ~loong ~mips" fi S="${WORKDIR}"/${MY_P}
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: 93dfaa16b6a326527e0a158839e2d95478e3559f Author: Andreas K. Hüttel gentoo org> AuthorDate: Fri Dec 16 20:46:38 2022 + Commit: Andreas K. Hüttel gentoo org> CommitDate: Fri Dec 16 20:47:22 2022 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=93dfaa16 dev-libs/openssl: Use new config file in -r2, update mips defs for testing Signed-off-by: Andreas K. Hüttel gentoo.org> dev-libs/openssl/files/gentoo.config-1.0.4 | 176 + dev-libs/openssl/openssl-3.0.7-r2.ebuild | 2 +- 2 files changed, 177 insertions(+), 1 deletion(-) diff --git a/dev-libs/openssl/files/gentoo.config-1.0.4 b/dev-libs/openssl/files/gentoo.config-1.0.4 new file mode 100644 index ..edbf22a56dff --- /dev/null +++ b/dev-libs/openssl/files/gentoo.config-1.0.4 
@@ -0,0 +1,176 @@ +#!/usr/bin/env bash +# Copyright 1999-2020 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 +# +# Openssl doesn't play along nicely with cross-compiling +# like autotools based projects, so let's teach it new tricks. +# +# Review the bundled 'config' script to see why kind of targets +# we can pass to the 'Configure' script. + + +# Testing routines +if [[ $1 == "test" ]] ; then + for c in \ + "arm-gentoo-linux-uclibc |linux-generic32 -DL_ENDIAN" \ + "armv5b-linux-gnu |linux-armv4 -DB_ENDIAN" \ + "x86_64-pc-linux-gnu |linux-x86_64" \ + "alpha-linux-gnu |linux-alpha-gcc" \ + "alphaev56-unknown-linux-gnu |linux-alpha+bwx-gcc" \ + "i686-pc-linux-gnu|linux-elf" \ + "whatever-gentoo-freebsdX.Y |BSD-generic32" \ + "i686-gentoo-freebsdX.Y |BSD-x86-elf" \ + "sparc64-alpha-freebsdX.Y |BSD-sparc64" \ + "ia64-gentoo-freebsd5.99234 |BSD-ia64" \ + "x86_64-gentoo-freebsdX.Y |BSD-x86_64" \ + "hppa64-aldsF-linux-gnu5.3|linux-generic32 -DB_ENDIAN" \ + "powerpc-gentOO-linux-uclibc |linux-ppc" \ + "powerpc64-unk-linux-gnu |linux-ppc64" \ + "powerpc64le-linux-gnu|linux-ppc64le" \ + "x86_64-apple-darwinX |darwin64-x86_64-cc" \ + "powerpc64-apple-darwinX |darwin64-ppc-cc" \ + "i686-apple-darwinX |darwin-i386-cc" \ + "i386-apple-darwinX |darwin-i386-cc" \ + "powerpc-apple-darwinX|darwin-ppc-cc" \ + "i586-pc-winnt|winnt-parity" \ + "s390-ibm-linux-gnu |linux-generic32 -DB_ENDIAN" \ + "s390x-linux-gnu |linux64-s390x" \ + ;do + CHOST=${c/|*} + ret_want=${c/*|} + ret_got=$(CHOST=${CHOST} "$0") + + if [[ ${ret_want} == "${ret_got}" ]] ; then + echo "PASS: ${CHOST}" + else + echo "FAIL: ${CHOST}" + echo -e "\twanted: ${ret_want}" + echo -e "\twe got: ${ret_got}" + fi + done + exit 0 +fi +[[ -z ${CHOST} && -n $1 ]] && CHOST=$1 + + +# Detect the operating system +case ${CHOST} in + *-aix*) system="aix";; + *-darwin*) system="darwin";; + *-freebsd*) system="BSD";; + *-hpux*) system="hpux";; + *-linux*)system="linux";; + *-solaris*) 
system="solaris";; + *-winnt*)system="winnt";; + x86_64-*-mingw*) system="mingw64";; + *mingw*) system="mingw";; + *) exit 0;; +esac + + +# Compiler munging +compiler="gcc" +if [[ ${CC} == "ccc" ]] ; then + compiler=${CC} +fi + + +# Detect target arch +machine="" +chost_machine=${CHOST%%-*} +case ${system} in +linux) + case ${chost_machine}:${ABI} in + aarch64*be*) machine="aarch64 -DB_ENDIAN";; + aarch64*) machine="aarch64 -DL_ENDIAN";; + alphaev56*|\ + alphaev[678]*)machine=alpha+bwx-${compiler};; + alpha*) machine=alpha-${compiler};; + armv[4-9]*b*) machine="armv4 -DB_ENDIAN";; + armv[4-9]*) machine="armv4 -DL_ENDIAN";; + arm*b*) machine="generic32 -DB_ENDIAN";; + arm*) machine="generic32 -DL_ENDIAN";; + avr*) machine="generic32 -DL_ENDIAN";; + bfin*)machine="generic32 -DL_ENDIAN";; + # hppa64*) machine=parisc64;; + hppa*)machine="generic32 -DB_ENDIAN";; + i[0-9]86*|\ + x86_64*:x86) machine=elf;; + ia64*)machine=ia64;; + loongarch64*) machine="generic64 -DL_ENDIAN";; + m68*) machine="latomic -DB_ENDIAN";; +
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: 4b2306f132bd2549bf7e039475ae809f177f2737 Author: Andreas K. Hüttel gentoo org> AuthorDate: Wed Dec 14 23:00:14 2022 + Commit: Andreas K. Hüttel gentoo org> CommitDate: Wed Dec 14 23:00:14 2022 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4b2306f1 dev-libs/openssl: Fix build on m68k See https://archives.gentoo.org/gentoo-releng-autobuilds/message/f6163c3b954c76a3dd4bb6eeaab38c51 Signed-off-by: Andreas K. Hüttel gentoo.org> dev-libs/openssl/files/gentoo.config-1.0.3 | 172 + dev-libs/openssl/openssl-3.0.7-r1.ebuild | 2 +- 2 files changed, 173 insertions(+), 1 deletion(-) diff --git a/dev-libs/openssl/files/gentoo.config-1.0.3 b/dev-libs/openssl/files/gentoo.config-1.0.3 new file mode 100644 index ..0662f72b6d80 --- /dev/null +++ b/dev-libs/openssl/files/gentoo.config-1.0.3 
@@ -0,0 +1,172 @@ +#!/usr/bin/env bash +# Copyright 1999-2020 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 +# +# Openssl doesn't play along nicely with cross-compiling +# like autotools based projects, so let's teach it new tricks. +# +# Review the bundled 'config' script to see why kind of targets +# we can pass to the 'Configure' script. + + +# Testing routines +if [[ $1 == "test" ]] ; then + for c in \ + "arm-gentoo-linux-uclibc |linux-generic32 -DL_ENDIAN" \ + "armv5b-linux-gnu |linux-armv4 -DB_ENDIAN" \ + "x86_64-pc-linux-gnu |linux-x86_64" \ + "alpha-linux-gnu |linux-alpha-gcc" \ + "alphaev56-unknown-linux-gnu |linux-alpha+bwx-gcc" \ + "i686-pc-linux-gnu|linux-elf" \ + "whatever-gentoo-freebsdX.Y |BSD-generic32" \ + "i686-gentoo-freebsdX.Y |BSD-x86-elf" \ + "sparc64-alpha-freebsdX.Y |BSD-sparc64" \ + "ia64-gentoo-freebsd5.99234 |BSD-ia64" \ + "x86_64-gentoo-freebsdX.Y |BSD-x86_64" \ + "hppa64-aldsF-linux-gnu5.3|linux-generic32 -DB_ENDIAN" \ + "powerpc-gentOO-linux-uclibc |linux-ppc" \ + "powerpc64-unk-linux-gnu |linux-ppc64" \ + "powerpc64le-linux-gnu|linux-ppc64le" \ + "x86_64-apple-darwinX |darwin64-x86_64-cc" \ + "powerpc64-apple-darwinX |darwin64-ppc-cc" \ + "i686-apple-darwinX |darwin-i386-cc" \ + "i386-apple-darwinX |darwin-i386-cc" \ + "powerpc-apple-darwinX|darwin-ppc-cc" \ + "i586-pc-winnt|winnt-parity" \ + "s390-ibm-linux-gnu |linux-generic32 -DB_ENDIAN" \ + "s390x-linux-gnu |linux64-s390x" \ + ;do + CHOST=${c/|*} + ret_want=${c/*|} + ret_got=$(CHOST=${CHOST} "$0") + + if [[ ${ret_want} == "${ret_got}" ]] ; then + echo "PASS: ${CHOST}" + else + echo "FAIL: ${CHOST}" + echo -e "\twanted: ${ret_want}" + echo -e "\twe got: ${ret_got}" + fi + done + exit 0 +fi +[[ -z ${CHOST} && -n $1 ]] && CHOST=$1 + + +# Detect the operating system +case ${CHOST} in + *-aix*) system="aix";; + *-darwin*) system="darwin";; + *-freebsd*) system="BSD";; + *-hpux*) system="hpux";; + *-linux*)system="linux";; + *-solaris*) 
system="solaris";; + *-winnt*)system="winnt";; + x86_64-*-mingw*) system="mingw64";; + *mingw*) system="mingw";; + *) exit 0;; +esac + + +# Compiler munging +compiler="gcc" +if [[ ${CC} == "ccc" ]] ; then + compiler=${CC} +fi + + +# Detect target arch +machine="" +chost_machine=${CHOST%%-*} +case ${system} in +linux) + case ${chost_machine}:${ABI} in + aarch64*be*) machine="aarch64 -DB_ENDIAN";; + aarch64*) machine="aarch64 -DL_ENDIAN";; + alphaev56*|\ + alphaev[678]*)machine=alpha+bwx-${compiler};; + alpha*) machine=alpha-${compiler};; + armv[4-9]*b*) machine="armv4 -DB_ENDIAN";; + armv[4-9]*) machine="armv4 -DL_ENDIAN";; + arm*b*) machine="generic32 -DB_ENDIAN";; + arm*) machine="generic32 -DL_ENDIAN";; + avr*) machine="generic32 -DL_ENDIAN";; + bfin*)machine="generic32 -DL_ENDIAN";; + # hppa64*) machine=parisc64;; + hppa*)machine="generic32 -DB_ENDIAN";; + i[0-9]86*|\ + x86_64*:x86) machine=elf;; + ia64*)machine=ia64;; + loongarch64*) machine="generic64 -DL_ENDIAN";; +
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: ebb2a9a705c6d1cefa9c4bc94cf57da7a03f53b6 Author: Sam James gentoo org> AuthorDate: Tue Dec 13 18:14:10 2022 + Commit: Sam James gentoo org> CommitDate: Tue Dec 13 18:14:18 2022 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ebb2a9a7 dev-libs/openssl: fix CVE-2022-3996 for 3.0.7 Only affects 3.x. Bug: https://bugs.gentoo.org/885797 Signed-off-by: Sam James gentoo.org> .../files/openssl-3.0.7-x509-CVE-2022-3996.patch | 35 +++ dev-libs/openssl/openssl-3.0.7-r1.ebuild | 338 + 2 files changed, 373 insertions(+) diff --git a/dev-libs/openssl/files/openssl-3.0.7-x509-CVE-2022-3996.patch b/dev-libs/openssl/files/openssl-3.0.7-x509-CVE-2022-3996.patch new file mode 100644 index ..079a4f508ccb --- /dev/null +++ b/dev-libs/openssl/files/openssl-3.0.7-x509-CVE-2022-3996.patch @@ -0,0 +1,35 @@ +https://bugs.gentoo.org/885797 + +https://github.com/openssl/openssl/commit/7725e7bfe6f2ce8146b6552b44e0d226be7638e7 +https://github.com/openssl/openssl/issues/19643 + +From 7725e7bfe6f2ce8146b6552b44e0d226be7638e7 Mon Sep 17 00:00:00 2001 +From: Pauli +Date: Fri, 11 Nov 2022 09:40:19 +1100 +Subject: [PATCH] x509: fix double locking problem + +This reverts commit 9aa4be691f5c73eb3c68606d824c104550c053f7 and removed the +redundant flag setting. + +Fixes #19643 + +Fixes LOW CVE-2022-3996 + +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/19652) + +(cherry picked from commit 4d0340a6d2f327700a059f0b8f954d6160f8eef5) +--- a/crypto/x509/pcy_map.c b/crypto/x509/pcy_map.c +@@ -73,10 +73,6 @@ int ossl_policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps) + + ret = 1; + bad_mapping: +-if (ret == -1 && CRYPTO_THREAD_write_lock(x->lock)) { +-x->ex_flags |= EXFLAG_INVALID_POLICY; +-CRYPTO_THREAD_unlock(x->lock); +-} + sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free); + return ret; + 
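Review bot: After this revert the `bad_mapping:` path in ossl_policy_cache_set_mapping returns -1 without recording EXFLAG_INVALID_POLICY, and nothing in the hunk says who records it instead. The commit message calls the removed flag setting redundant and the subject says "double locking", so presumably a caller already holds x->lock and sets the flag itself; that caller is outside this hunk and should be confirmed. A comment at the label would stop the lock from being re-added later, for example `/* caller holds x->lock and flags EXFLAG_INVALID_POLICY on -1; do not lock here */`. The function body starts before the hunk.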
diff --git a/dev-libs/openssl/openssl-3.0.7-r1.ebuild b/dev-libs/openssl/openssl-3.0.7-r1.ebuild new file mode 100644 index ..4a19c01cc36b --- /dev/null +++ b/dev-libs/openssl/openssl-3.0.7-r1.ebuild 
@@ -0,0 +1,338 @@ +# Copyright 1999-2022 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc +inherit edo flag-o-matic linux-info toolchain-funcs multilib-minimal multiprocessing verify-sig + +DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" +HOMEPAGE="https://www.openssl.org/; + +MY_P=${P/_/-} + +if [[ ${PV} == ]] ; then + EGIT_REPO_URI="https://github.com/openssl/openssl.git; + + inherit git-r3 +else + SRC_URI="mirror://openssl/source/${MY_P}.tar.gz + verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )" + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux" +fi + +S="${WORKDIR}"/${MY_P} + +LICENSE="Apache-2.0" +SLOT="0/3" # .so version of libssl/libcrypto +IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers" +RESTRICT="!test? ( test )" + +COMMON_DEPEND=" + >=app-misc/c_rehash-1.7-r1 + tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) +" +BDEPEND=" + >=dev-lang/perl-5 + sctp? ( >=net-misc/lksctp-tools-1.0.12 ) + test? ( + sys-apps/diffutils + sys-devel/bc + sys-process/procps + ) + verify-sig? ( >=sec-keys/openpgp-keys-openssl-20221101 )" + +DEPEND="${COMMON_DEPEND}" +RDEPEND="${COMMON_DEPEND}" +PDEPEND="app-misc/ca-certificates" + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/openssl/configuration.h +) + +PATCHES=( + "${FILESDIR}"/${P}-x509-CVE-2022-3996.patch +) + +pkg_setup() { + if use ktls ; then + if kernel_is -lt 4 18 ; then + ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!" + else + CONFIG_CHECK="~TLS ~TLS_DEVICE" + ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!" + ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!" 
+ + linux-info_pkg_setup + fi + fi + + [[ ${MERGE_TYPE} == binary ]] && return + + # must check in pkg_setup; sysctl doesn't work with userpriv! + if use test && use sctp ; then + # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel" + # if sctp.auth_enable is not enabled. + local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null) + if [[ -z "${sctp_auth_status}"
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: 458daf054634ccaa6e5df1a53339e0f57f2755a6 Author: Sam James gentoo org> AuthorDate: Mon Aug 29 20:51:15 2022 + Commit: Sam James gentoo org> CommitDate: Mon Aug 29 20:51:41 2022 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=458daf05 dev-libs/openssl: drop 1.1.1n, 1.1.1o, 1.1.1o-r1, 1.1.1p Bug: https://bugs.gentoo.org/856592 Bug: https://bugs.gentoo.org/842489 Signed-off-by: Sam James gentoo.org> dev-libs/openssl/Manifest | 7 - .../files/openssl-1.1.1p-fix-test-build.patch | 52 dev-libs/openssl/openssl-1.1.1n.ebuild | 298 -- dev-libs/openssl/openssl-1.1.1o-r1.ebuild | 338 - dev-libs/openssl/openssl-1.1.1o.ebuild | 318 --- dev-libs/openssl/openssl-1.1.1p.ebuild | 337 6 files changed, 1350 deletions(-) diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest index eb14a155609f..a411ae31d39e 100644 --- a/dev-libs/openssl/Manifest +++ b/dev-libs/openssl/Manifest 
@@ -1,13 +1,6 @@ DIST openssl-1.0.2-patches-1.5.tar.xz 12404 BLAKE2B 6c1b8c28f339f539b2ab8643379502a24cf62bffde00041dce54d5dd9e8d2620b181362ee5464b0ab32ba4948e209697bfabadbea2944a409a1009100d298f24 SHA512 5725e2d9d1ee8cc074bcef3bed61c71bdab2ff1c114362110c3fb8da11ad5bc8f2ff28e90a293f5f3a5cf96ecda54dffdb7ab3fb3f8b23ef6472250dc3037659 DIST openssl-1.0.2t-bindist-1.0.tar.xz 13872 BLAKE2B b2aade96a6e0ca6209a39e205b1c838de945903fcf959c62cc29ddcd1a0cb360fc5db234df86860a6a4c096f5ecc237611e4c2946b986a5500c24ba93c208ef4 SHA512 a48a7efb9b973b865bcc5009d450b428ed6b4b95e4cefe70c51056e47392c8a7bec58215168d8b07712419dc74646c2bd2fd23bcfbba2031376e292249a6b1b6 DIST openssl-1.0.2u.tar.gz 5355412 BLAKE2B b2ff2a10e5851af5aca4093422a9a072c794e87b997263826c1c35910c040f695fac63decac5856cb49399ed03d410f97701d9fd4e1ebfbcacd8f3a74ce8bf57 SHA512 c455bb309e20e2c2d47fdc5619c734d107d5c8c38c1409903ce979acc120b0d5fa0312917c0aa0d630e402d092a703d4249643f36078e8528a3cafc9dac6ab32 -DIST openssl-1.1.1n.tar.gz 9850712 BLAKE2B af530258d9f7ca4f1bd1c6c344eb385e766e465c9341dd08797676165f67bbb82d3fd549ed7559dc12fb8c9c4db5e04fa6ec7ab729ec1467f5e8bce469ff5398 SHA512 1937796736613dcf4105a54e42ecb61f95a1cea74677156f9459aea0f2c95159359e766089632bf364ee6b0d28d661eb9957bce8fecc9d2436378d8d79e8d0a4 -DIST openssl-1.1.1n.tar.gz.asc 488 BLAKE2B 8fc18fdc884473dc4c243499cc3528691a9ecc184e39e8d942450d41c42d22a96398036ae804af23c4f28d082c62f5babaa275ceb2e13b33b5acfd59a802c186 SHA512 24abc3d187cabed830dcd3189a34c2dc29e0b8013a607011a0e85cc68f0ec48c1de14a005053a4de3a4013cfa9658016ac65cfb8cfac58da55231371926beeda -DIST openssl-1.1.1o-test-fixes-expiry.patch.xz 6180 BLAKE2B 23ef36d7bd05c98f7fab6de25681a53fa7a558d114548836b6cd90a57c4f4e45dc9fb622936053608b463320605b7df60db2d2caf3811b249f6ead3791a1c081 SHA512 577aec97fb31cd9efe3b30d82c560d3e7da57ae52c4de0f86e951b777a673830baaadcc5eb366c523024d37405531c6d32de26bbbc1e77df15c7822c72e937e6 -DIST openssl-1.1.1o.tar.gz 9856386 BLAKE2B 
5bd355fd17adf43ba4e3bf1a8036ceb724edd4f4ab80dc25aecc3d2647372e9db2bc12e2b89791fc4b6f7fd95a7b68e00490d09ca6518d25ab990ee27798e641 SHA512 75b2f1499cb4640229eb6cd35d85cbff2e19db17b959ac4d04b60f1b395b73567f9003521452a0fcfeea9b31b26de0a7bccf476ecf9caae02298f3647cfb7e23 -DIST openssl-1.1.1o.tar.gz.asc 488 BLAKE2B a03a967e7e2124d1a76ad7765e2f48065f40d32ba102a433be603ee8f86b26a2d246dcb97a95bd694ef3005889ce4f1951f76d39fe1d683f92da1aa3023e9c2d SHA512 da6d88de7c1cd807b6089d50f8bb102c317c0b45ca26e517e3e400c5c65f787d94a1ee522af76279e93790a7fb491348cf25ffcfd66ecb9a9d35209328cb221e -DIST openssl-1.1.1p.tar.gz 9860217 BLAKE2B 4354753a5e52393c9cc4569954c2cac6d89a1e204fa4f9ca00a60492782d29f8952fb92664cdbb3576c6443d3cb2eacebea51db584738589f3598b40df579b12 SHA512 203470b1cd37bdbfabfec5ef37fc97c991d9943f070c988316f6396b09dae7cea16ac884bd8646dbf7dd1ed40ebde6bdfa5700beee2d714d07c97cc70b4e48d9 -DIST openssl-1.1.1p.tar.gz.asc 488 BLAKE2B e68c8a4c992c2448b48428137f61f91fb89e4814f6e80c5525cea695bcf898326eca729f31b953fbd7ff51b448004101ca78abfbd3138ec2389596faa3eafc2f SHA512 c85d65df1ed0f1ae87b799d794ea43e32c8ecaf85caf6e36fbbd4a890ef1d47710380d3846296e0124898680be66113a959ad974e0448bc00d1253794dc48972 DIST openssl-1.1.1q.tar.gz 9864061 BLAKE2B fc8fd6a62dc291d0bda328a051e253175fb04442cc4b8f45d67c3a5027748a0fc5fb372d0483bc9024ae0bff119c4fac8f1e982a182612427696d6d09f5935f5 SHA512 cb9f184ec4974a3423ef59c8ec86b6bf523d5b887da2087ae58c217249da3246896fdd6966ee9c13aea9e6306783365239197e9f742c508a0e35e5744e3e085f DIST openssl-1.1.1q.tar.gz.asc 833 BLAKE2B 9311abf47469c3802a84dc9b7427a168ba7717496960e6f84b04e4d9263dea1168493082937a06bcb6ef4169b2ed9b2f36084bbac15b5f7ca5b4c41041c4bab6 SHA512 03a41f29d1713c47bb300e01e36dbd048074076a6a3b9913e2fc9a1b56b726c038978f99e86f9a3e4ea39f72bd82a15965842f6d94210fa9d3474f6f0f68559e DIST openssl-3.0.5.tar.gz 15074407 BLAKE2B
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
commit: 3b94f6daf15da0b5fd7142881663030d1c1a1dd2 Author: Michael Mair-Keimberger levelnine at> AuthorDate: Fri Aug 19 18:41:11 2022 + Commit: Sam James gentoo org> CommitDate: Fri Aug 19 22:52:58 2022 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3b94f6da dev-libs/openssl: remove unused patches Signed-off-by: Michael Mair-Keimberger levelnine.at> Closes: https://github.com/gentoo/gentoo/pull/26928 Signed-off-by: Sam James gentoo.org> .../openssl-3.0.4-avx512-buffer-overflow.patch | 34 .../files/openssl-3.0.4-fix-test-build.patch | 46 -- 2 files changed, 80 deletions(-) diff --git a/dev-libs/openssl/files/openssl-3.0.4-avx512-buffer-overflow.patch b/dev-libs/openssl/files/openssl-3.0.4-avx512-buffer-overflow.patch deleted file mode 100644 index c72e958ff535.. --- a/dev-libs/openssl/files/openssl-3.0.4-avx512-buffer-overflow.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -https://github.com/openssl/openssl/commit/a1f7034bbd8f0730d360211f5ba0feeaef0b7b2c -https://github.com/openssl/openssl/issues/18625 - -From a1f7034bbd8f0730d360211f5ba0feeaef0b7b2c Mon Sep 17 00:00:00 2001 -From: Xi Ruoyao -Date: Wed, 22 Jun 2022 18:07:05 +0800 -Subject: [PATCH] rsa: fix bn_reduce_once_in_place call for - rsaz_mod_exp_avx512_x2 - -bn_reduce_once_in_place expects the number of BN_ULONG, but factor_size -is moduli bit size. - -Fixes #18625. - -Signed-off-by: Xi Ruoyao - -Reviewed-by: Tomas Mraz -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/18626) - -(cherry picked from commit 4d8a88c134df634ba610ff8db1eb8478ac5fd345) a/crypto/bn/rsaz_exp_x2.c -+++ b/crypto/bn/rsaz_exp_x2.c -@@ -220,6 +220,9 @@ int ossl_rsaz_mod_exp_avx512_x2(BN_ULONG *res1, - from_words52(res1, factor_size, rr1_red); - from_words52(res2, factor_size, rr2_red); - -+/* bn_reduce_once_in_place expects number of BN_ULONG, not bit size */ -+factor_size /= sizeof(BN_ULONG) * 8; -+ - bn_reduce_once_in_place(res1, /*carry=*/0, m1, storage, factor_size); - bn_reduce_once_in_place(res2, /*carry=*/0, m2, storage, factor_size); - - diff --git a/dev-libs/openssl/files/openssl-3.0.4-fix-test-build.patch b/dev-libs/openssl/files/openssl-3.0.4-fix-test-build.patch deleted file mode 100644 index f96e54f3127e.. --- a/dev-libs/openssl/files/openssl-3.0.4-fix-test-build.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -https://github.com/openssl/openssl/issues/18619 -https://github.com/openssl/openssl/pull/18634 -https://github.com/openssl/openssl/commit/665ab12ed3f0d78e7cb6a55cdd2b83a2fe150232 - -From 665ab12ed3f0d78e7cb6a55cdd2b83a2fe150232 Mon Sep 17 00:00:00 2001 -From: Bernd Edlinger -Date: Fri, 17 Jun 2022 10:25:24 +0200 -Subject: [PATCH] Fix compile issues in test/v3ext.c with no-rfc3779 - -There are no ASIdentifiers if OPENSSL_NO_RFC3779 is defined, -therefore the test cannot be compiled. - -Reviewed-by: Matt Caswell -Reviewed-by: Tomas Mraz -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/18634) - -(cherry picked from commit b76efe61ea9710a8f69e1cb8caf1aeb2ba6f1ebe) a/test/v3ext.c -+++ b/test/v3ext.c -@@ -37,6 +37,7 @@ static int test_pathlen(void) - return ret; - } - -+#ifndef OPENSSL_NO_RFC3779 - static int test_asid(void) - { - ASN1_INTEGER *val1 = NULL, *val2 = NULL; -@@ -113,6 +114,7 @@ static int test_asid(void) - ASIdentifiers_free(asid4); - return testresult; - } -+#endif /* OPENSSL_NO_RFC3779 */ - - OPT_TEST_DECLARE_USAGE("cert.pem\n") - -@@ -127,6 +129,8 @@ int setup_tests(void) - return 0; - - ADD_TEST(test_pathlen); -+#ifndef OPENSSL_NO_RFC3779 - ADD_TEST(test_asid); -+#endif /* OPENSSL_NO_RFC3779 */ - return 1; - } -
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: 1f171e1acbd185d7cd5c5a2689f50d02c7c64caf Author: Sam James gentoo org> AuthorDate: Tue Jul 5 23:33:03 2022 + Commit: Sam James gentoo org> CommitDate: Tue Jul 5 23:33:03 2022 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1f171e1a dev-libs/openssl: add 1.1.1q Bug: https://bugs.gentoo.org/856592 Signed-off-by: Sam James gentoo.org> dev-libs/openssl/Manifest | 2 + .../openssl/files/openssl-3.0.5-test-memcmp.patch | 2 + dev-libs/openssl/openssl-1.1.1q.ebuild | 337 + 3 files changed, 341 insertions(+) diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest index d85b9ffd72e4..f960853b8a8a 100644 --- a/dev-libs/openssl/Manifest +++ b/dev-libs/openssl/Manifest 
@@ -8,6 +8,8 @@ DIST openssl-1.1.1o.tar.gz 9856386 BLAKE2B 5bd355fd17adf43ba4e3bf1a8036ceb724edd DIST openssl-1.1.1o.tar.gz.asc 488 BLAKE2B a03a967e7e2124d1a76ad7765e2f48065f40d32ba102a433be603ee8f86b26a2d246dcb97a95bd694ef3005889ce4f1951f76d39fe1d683f92da1aa3023e9c2d SHA512 da6d88de7c1cd807b6089d50f8bb102c317c0b45ca26e517e3e400c5c65f787d94a1ee522af76279e93790a7fb491348cf25ffcfd66ecb9a9d35209328cb221e DIST openssl-1.1.1p.tar.gz 9860217 BLAKE2B 4354753a5e52393c9cc4569954c2cac6d89a1e204fa4f9ca00a60492782d29f8952fb92664cdbb3576c6443d3cb2eacebea51db584738589f3598b40df579b12 SHA512 203470b1cd37bdbfabfec5ef37fc97c991d9943f070c988316f6396b09dae7cea16ac884bd8646dbf7dd1ed40ebde6bdfa5700beee2d714d07c97cc70b4e48d9 DIST openssl-1.1.1p.tar.gz.asc 488 BLAKE2B e68c8a4c992c2448b48428137f61f91fb89e4814f6e80c5525cea695bcf898326eca729f31b953fbd7ff51b448004101ca78abfbd3138ec2389596faa3eafc2f SHA512 c85d65df1ed0f1ae87b799d794ea43e32c8ecaf85caf6e36fbbd4a890ef1d47710380d3846296e0124898680be66113a959ad974e0448bc00d1253794dc48972 +DIST openssl-1.1.1q.tar.gz 9864061 BLAKE2B fc8fd6a62dc291d0bda328a051e253175fb04442cc4b8f45d67c3a5027748a0fc5fb372d0483bc9024ae0bff119c4fac8f1e982a182612427696d6d09f5935f5 SHA512 cb9f184ec4974a3423ef59c8ec86b6bf523d5b887da2087ae58c217249da3246896fdd6966ee9c13aea9e6306783365239197e9f742c508a0e35e5744e3e085f +DIST openssl-1.1.1q.tar.gz.asc 833 BLAKE2B 9311abf47469c3802a84dc9b7427a168ba7717496960e6f84b04e4d9263dea1168493082937a06bcb6ef4169b2ed9b2f36084bbac15b5f7ca5b4c41041c4bab6 SHA512 03a41f29d1713c47bb300e01e36dbd048074076a6a3b9913e2fc9a1b56b726c038978f99e86f9a3e4ea39f72bd82a15965842f6d94210fa9d3474f6f0f68559e DIST openssl-3.0.2.tar.gz 15038141 BLAKE2B 140c4c80a0cad89cb0059fef6a4cd421460e6af9a3973f7a3eb5e39f64c0d44794d46e7a869e5235fced139f2249351e37a9ee5ebaa17f2708d63141ebebf919 SHA512 f986850d5be908b4d6b5fd7091bc4652d7378c9bccebfbc5becd7753843c04c1eb61a1749c432139d263dfac33df0b1f6c773664b485cad47542266823a4eb03 DIST openssl-3.0.2.tar.gz.asc 488 BLAKE2B 
2f6482114271c4f512159fa159486a3b3470637d770cd1614fda004918d06ed9ab562e655d1580d2ebb05745ec72987488c2161b72d078017cc157003d4205da SHA512 4303391a58107c76ad9b05510f5bfc95f687f4cb2f9ff5b03fb262ba99b573423ab83f0437471199954496799b343191b889ad9ef8fabdd7ee4ec3ec9b5f1d81 DIST openssl-3.0.3-test-fixes-expiry.patch.xz 29056 BLAKE2B 11be776b9c4baec770d81ff180581d7d8292261f32ebfcb2cfd399d684cef1b9e7b4575d906f23e8a61d853eafb178e1b0e01d9324dbe598c876c0ef74bcf5e8 SHA512 23bc571dfca453deb4f1812aea5fc1bcf1c27358d8638a66ce7f359a698b09a35bdc86e01db36aa5e59b37cc7e36f0ced6f1463b383fb0d904aada69f5d5cb04 diff --git a/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch b/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch index 8fa03877581f..fc84d82e87da 100644 --- a/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch +++ b/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch @@ -1,3 +1,5 @@ +https://github.com/openssl/openssl/pull/18719 + From 7f58de577c05ae0bbd20eee9b2971cfa1cd062c8 Mon Sep 17 00:00:00 2001 From: Gregor Jasny Date: Tue, 5 Jul 2022 12:57:06 +0200 diff --git a/dev-libs/openssl/openssl-1.1.1q.ebuild b/dev-libs/openssl/openssl-1.1.1q.ebuild new file mode 100644 index ..ff51db66bd0d --- /dev/null +++ b/dev-libs/openssl/openssl-1.1.1q.ebuild 
@@ -0,0 +1,337 @@ +# Copyright 1999-2022 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc +inherit edo flag-o-matic toolchain-funcs multilib-minimal verify-sig + +MY_P=${P/_/-} +DESCRIPTION="Full-strength general purpose cryptography library (including SSL and TLS)" +HOMEPAGE="https://www.openssl.org/; +SRC_URI="mirror://openssl/source/${MY_P}.tar.gz + verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )" +S="${WORKDIR}/${MY_P}" + +LICENSE="openssl" +SLOT="0/1.1" # .so version of libssl/libcrypto +if [[ ${PV} != *_pre* ]] ; then + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: db6f7217c034a620288ea0ef95227707c3fb55ea Author: Mike Gilbert gentoo org> AuthorDate: Tue Jul 5 22:13:46 2022 + Commit: Mike Gilbert gentoo org> CommitDate: Tue Jul 5 22:15:18 2022 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=db6f7217 dev-libs/openssl: add 3.0.5 Signed-off-by: Mike Gilbert gentoo.org> dev-libs/openssl/Manifest | 2 + .../openssl/files/openssl-3.0.5-test-memcmp.patch | 22 ++ dev-libs/openssl/openssl-3.0.5.ebuild | 325 + 3 files changed, 349 insertions(+) diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest index 86edfb8addcb..d85b9ffd72e4 100644 --- a/dev-libs/openssl/Manifest +++ b/dev-libs/openssl/Manifest 
@@ -15,3 +15,5 @@ DIST openssl-3.0.3.tar.gz 15058905 BLAKE2B 8141d13dbea2f1febdd4e46aa404e9f3bac51 DIST openssl-3.0.3.tar.gz.asc 488 BLAKE2B 3f31e3a73706b69683220e05b1b4ddc75dc3e7e12652dca711e4aa0eb3c023ef736aee9ade15172d7f28e1e1af03e86d4854ec6c3d167cad42882f483c5e56d4 SHA512 04afe65c6af1ae43a9967462383a6a4f567f5acff19ec1952cd6fce2dc3c3d4dfb3cb54126562724c148f40dcb8abf727282d35730bbf36f82b5c6bacace DIST openssl-3.0.4.tar.gz 15069605 BLAKE2B e8ef09d74aa128fee0ddc347458a41cde65af07a6e6836889a0230cd7989e46b5d10a4930eb7a63c0cf93485914ec33665d14637b6c27fd442c0e9becb2d2a86 SHA512 478cd801dc4787688e6d9062969ae738c24f869bb186f717ad3be54ae8f2630e5cd845c504efd3405ea1ecda07ebee00014cc6ef7bca9585a6240cf89d516557 DIST openssl-3.0.4.tar.gz.asc 488 BLAKE2B 54f652ae78c6f39aef970fd7372808c876d37a823cc31431d770db67caf11342d1045992e393242d4c73253e4e16640dd9bd56203864394e907976918909e5dc SHA512 c30af3cda92b06cff864ed33c17d8dcb8c7d429ed8419f96d19d3049dfaa268c73ec7753815a134b069ae7f4ea20fb4bcdd04f86d33628592ce4500777494c85 +DIST openssl-3.0.5.tar.gz 15074407 BLAKE2B 7bf89e042417c003ef02a8bb1278590a52ce4a3d50f66795c66b750f90248840edb0d3352811cff708c7e65b77384142e316916a6c311f1d2b4747f44816 SHA512 782b0df3d0252468aa696bd74a3b661810499819c0df849aa9698ba0e06a845820dc856aac650fced4be234f1271e576d4317ac3ab1406cf0ffe087d695d20fe +DIST openssl-3.0.5.tar.gz.asc 862 BLAKE2B 24f1839227be7acec45eb6b748cea7be0b5e66b5cf745814861f7290670733936bf1af2c1dc9357439b31a2ca28f418880d63726d4be6fa994902ac95b51e401 SHA512 516da9ef291601400576adaba7271854af3caa23dc1d70116004360f580e4c28fe61d51e86477d341e4c5bf0ca5f98db8264581ed6cc2c8df124da83ad3e40be diff --git a/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch b/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch new file mode 100644 index ..8fa03877581f --- /dev/null +++ b/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch 
@@ -0,0 +1,22 @@ +From 7f58de577c05ae0bbd20eee9b2971cfa1cd062c8 Mon Sep 17 00:00:00 2001 +From: Gregor Jasny +Date: Tue, 5 Jul 2022 12:57:06 +0200 +Subject: [PATCH] Add missing header for memcmp + +CLA: trivial +--- + test/v3ext.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/test/v3ext.c b/test/v3ext.c +index 926f3884b138..a8ab64b2714b 100644 +--- a/test/v3ext.c b/test/v3ext.c +@@ -8,6 +8,7 @@ + */ + + #include ++#include + #include + #include + #include diff --git a/dev-libs/openssl/openssl-3.0.5.ebuild b/dev-libs/openssl/openssl-3.0.5.ebuild new file mode 100644 index ..56af5a262265 --- /dev/null +++ b/dev-libs/openssl/openssl-3.0.5.ebuild 
@@ -0,0 +1,325 @@ +# Copyright 1999-2022 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc +inherit edo flag-o-matic linux-info toolchain-funcs multilib-minimal multiprocessing verify-sig + +DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" +HOMEPAGE="https://www.openssl.org/; + +MY_P=${P/_/-} + +if [[ ${PV} == ]] ; then + EGIT_REPO_URI="https://github.com/openssl/openssl.git; + + inherit git-r3 +else + SRC_URI="mirror://openssl/source/${MY_P}.tar.gz + verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )" + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux" +fi + +S="${WORKDIR}"/${MY_P} + +LICENSE="Apache-2.0" +SLOT="0/3" # .so version of libssl/libcrypto +IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers" +RESTRICT="!test? ( test )" + +COMMON_DEPEND=" + >=app-misc/c_rehash-1.7-r1 + tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) +" +BDEPEND=" + >=dev-lang/perl-5 + sctp? ( >=net-misc/lksctp-tools-1.0.12 ) + test? ( + sys-apps/diffutils + sys-devel/bc + sys-process/procps + ) + verify-sig? ( sec-keys/openpgp-keys-openssl )" + +DEPEND="${COMMON_DEPEND}" +RDEPEND="${COMMON_DEPEND}" +PDEPEND="app-misc/ca-certificates" +
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/, profiles/
commit: 82e7edabadc776d7b123ee7bfd65a78a892eae47 Author: Sam James gentoo org> AuthorDate: Thu Jun 30 19:31:38 2022 + Commit: Sam James gentoo org> CommitDate: Thu Jun 30 19:32:45 2022 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=82e7edab dev-libs/openssl: backport AVX512 overflow fix Bug: https://github.com/openssl/openssl/issues/18625 Signed-off-by: Sam James gentoo.org> .../files/openssl-1.1.1p-fix-test-build.patch | 6 .../openssl-3.0.4-avx512-buffer-overflow.patch | 34 ++ ...ld.patch => openssl-3.0.4-fix-test-build.patch} | 0 ...penssl-3.0.4.ebuild => openssl-3.0.4-r1.ebuild} | 7 +++-- profiles/package.mask | 7 - 5 files changed, 45 insertions(+), 9 deletions(-) diff --git a/dev-libs/openssl/files/openssl-1.1.1p-fix-test-build.patch b/dev-libs/openssl/files/openssl-1.1.1p-fix-test-build.patch index f96e54f3127e..5dca6926dd8f 100644 --- a/dev-libs/openssl/files/openssl-1.1.1p-fix-test-build.patch +++ b/dev-libs/openssl/files/openssl-1.1.1p-fix-test-build.patch @@ -16,6 +16,12 @@ Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/18634) (cherry picked from commit b76efe61ea9710a8f69e1cb8caf1aeb2ba6f1ebe) +--- + test/v3ext.c | 4 + 1 file changed, 4 insertions(+) + +diff --git a/test/v3ext.c b/test/v3ext.c +index e96b6f79b58f..a2adb1a9f0ef 100644 --- a/test/v3ext.c +++ b/test/v3ext.c @@ -37,6 +37,7 @@ static int test_pathlen(void) diff --git a/dev-libs/openssl/files/openssl-3.0.4-avx512-buffer-overflow.patch b/dev-libs/openssl/files/openssl-3.0.4-avx512-buffer-overflow.patch new file mode 100644 index ..c72e958ff535 --- /dev/null +++ b/dev-libs/openssl/files/openssl-3.0.4-avx512-buffer-overflow.patch 
@@ -0,0 +1,34 @@ +https://github.com/openssl/openssl/commit/a1f7034bbd8f0730d360211f5ba0feeaef0b7b2c +https://github.com/openssl/openssl/issues/18625 + +From a1f7034bbd8f0730d360211f5ba0feeaef0b7b2c Mon Sep 17 00:00:00 2001 +From: Xi Ruoyao +Date: Wed, 22 Jun 2022 18:07:05 +0800 +Subject: [PATCH] rsa: fix bn_reduce_once_in_place call for + rsaz_mod_exp_avx512_x2 + +bn_reduce_once_in_place expects the number of BN_ULONG, but factor_size +is moduli bit size. + +Fixes #18625. + +Signed-off-by: Xi Ruoyao + +Reviewed-by: Tomas Mraz +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/18626) + +(cherry picked from commit 4d8a88c134df634ba610ff8db1eb8478ac5fd345) +--- a/crypto/bn/rsaz_exp_x2.c b/crypto/bn/rsaz_exp_x2.c +@@ -220,6 +220,9 @@ int ossl_rsaz_mod_exp_avx512_x2(BN_ULONG *res1, + from_words52(res1, factor_size, rr1_red); + from_words52(res2, factor_size, rr2_red); + ++/* bn_reduce_once_in_place expects number of BN_ULONG, not bit size */ ++factor_size /= sizeof(BN_ULONG) * 8; ++ + bn_reduce_once_in_place(res1, /*carry=*/0, m1, storage, factor_size); + bn_reduce_once_in_place(res2, /*carry=*/0, m2, storage, factor_size); + + diff --git a/dev-libs/openssl/files/openssl-1.1.1p-fix-test-build.patch b/dev-libs/openssl/files/openssl-3.0.4-fix-test-build.patch similarity index 100% copy from dev-libs/openssl/files/openssl-1.1.1p-fix-test-build.patch copy to dev-libs/openssl/files/openssl-3.0.4-fix-test-build.patch diff --git a/dev-libs/openssl/openssl-3.0.4.ebuild b/dev-libs/openssl/openssl-3.0.4-r1.ebuild similarity index 98% rename from dev-libs/openssl/openssl-3.0.4.ebuild rename to dev-libs/openssl/openssl-3.0.4-r1.ebuild index ede15424a910..f4951da01454 100644 --- a/dev-libs/openssl/openssl-3.0.4.ebuild +++ b/dev-libs/openssl/openssl-3.0.4-r1.ebuild 
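Review bot: `factor_size /= sizeof(BN_ULONG) * 8;` changes the unit of `factor_size` from bits to words for the rest of ossl_rsaz_mod_exp_avx512_x2, so any later use that still expects a bit size would be wrong without warning. The division also rounds down, so a bit size that is not a multiple of the word width would make both bn_reduce_once_in_place calls cover one word too few; whether such a size can reach this point depends on checks outside the hunk. A separate local keeps the two units apart, for example `num_words = factor_size / BN_BITS2` passed to both calls in place of the reassigned parameter. The function body starts before and continues after the hunk.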
@@ -46,12 +46,15 @@ DEPEND="${COMMON_DEPEND}" RDEPEND="${COMMON_DEPEND}" PDEPEND="app-misc/ca-certificates" -REQUIRED_USE="test? ( rfc3779 )" - MULTILIB_WRAPPED_HEADERS=( /usr/include/openssl/configuration.h ) +PATCHES=( + "${FILESDIR}"/${P}-avx512-buffer-overflow.patch + "${FILESDIR}"/${P}-fix-test-build.patch +) + pkg_setup() { if use ktls ; then if kernel_is -lt 4 18 ; then diff --git a/profiles/package.mask b/profiles/package.mask index e9663afb0ce2..4c5d63309305 100644 --- a/profiles/package.mask +++ b/profiles/package.mask @@ -44,13 +44,6 @@ # as deprecated since March 2022. Removal in 30 days (Bug #855299). gnome-extra/gtkhtml -# Sam James (2022-06-29) -# Pre-emptively mask broken upstream versions. -# openssl 3.0.4 has a buffer overflow w/ AVX512 (https://github.com/openssl/openssl/issues/18625) -# Gentoo isn't vulnerable to the original CVE which caused these releases -# (CVE-2022-2068) as we have our own rehash script. -=dev-libs/openssl-3.0.4 - # Piotr Karbowski (2022-06-26) # Abandoned upstream, depends on API that no longer exists. # Removal on 2022-07-26.
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
commit: 41b5bf45a83c26b663aa9ea9c4e290e5ee018622 Author: WANG Xuerui gentoo org> AuthorDate: Mon Apr 25 04:16:06 2022 + Commit: WANG Xuerui gentoo org> CommitDate: Mon Apr 25 10:11:17 2022 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=41b5bf45 dev-libs/openssl: fix build on loong Just treat loongarch64 targets as generic64 for now. This has been inside loongson-overlay for a while, and is tested on real loong hardware. See: https://github.com/gentoo/gentoo/pull/25189 Acked-by: Andreas K. Hüttel gentoo.org> Signed-off-by: WANG Xuerui gentoo.org> dev-libs/openssl/files/gentoo.config-1.0.2 | 1 + 1 file changed, 1 insertion(+)
diff --git a/dev-libs/openssl/files/gentoo.config-1.0.2 b/dev-libs/openssl/files/gentoo.config-1.0.2
index 68d7d0ac1fc1..caa569588f3c 100644
--- a/dev-libs/openssl/files/gentoo.config-1.0.2
+++ b/dev-libs/openssl/files/gentoo.config-1.0.2
@@ -97,6 +97,7 @@ linux)
 i[0-9]86*|\
 x86_64*:x86) machine=elf;;
 ia64*)machine=ia64;;
+ loongarch64*) machine="generic64 -DL_ENDIAN";;
 m68*) machine="generic32 -DB_ENDIAN";;
 mips*el*) machine="generic32 -DL_ENDIAN";;
 mips*)machine="generic32 -DB_ENDIAN";;
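Review bot: The new `loongarch64*)` arm appears to have no matching row in the script's `test` mode table. That table is visible elsewhere on this page only for gentoo.config-1.0.3, where it has no loongarch64 row and no riscv row for the `riscv32*)` arm added in commit 887a6ba9. If gentoo.config-1.0.2 carries the same table, the self-test cannot catch a regression in this mapping. A row in the existing format would cover it, for example `"loongarch64-unknown-linux-gnu |linux-generic64 -DL_ENDIAN" \`. The enclosing `case` starts and ends outside the hunk.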
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
commit: 999c48f939670b8b499ddad74492db20e44b0c91 Author: Michael Mair-Keimberger levelnine at> AuthorDate: Fri Feb 12 13:55:14 2021 + Commit: Conrad Kostecki gentoo org> CommitDate: Fri Feb 12 22:35:46 2021 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=999c48f9 dev-libs/openssl: remove unused patch Closes: https://github.com/gentoo/gentoo/pull/19426 Package-Manager: Portage-3.0.14, Repoman-3.0.2 Signed-off-by: Michael Mair-Keimberger levelnine.at> Signed-off-by: Conrad Kostecki gentoo.org> .../openssl/files/openssl-1.0.2a-x32-asm.patch | 43 -- 1 file changed, 43 deletions(-) diff --git a/dev-libs/openssl/files/openssl-1.0.2a-x32-asm.patch b/dev-libs/openssl/files/openssl-1.0.2a-x32-asm.patch deleted file mode 100644 index 3a005c9b099..000 --- a/dev-libs/openssl/files/openssl-1.0.2a-x32-asm.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -https://rt.openssl.org/Ticket/Display.html?id=3759=guest=guest - -From 6257d59b3a68d2feb9d64317a1c556dc3813ee61 Mon Sep 17 00:00:00 2001 -From: Mike Frysinger -Date: Sat, 21 Mar 2015 06:01:25 -0400 -Subject: [PATCH] crypto: use bigint in x86-64 perl - -When building on x32 systems where the default type is 32bit, make sure -we can transparently represent 64bit integers. Otherwise we end up with -build errors like: -/usr/bin/perl asm/ghash-x86_64.pl elf > ghash-x86_64.s -Integer overflow in hexadecimal number at asm/../../perlasm/x86_64-xlate.pl line 201, <> line 890. -... -ghash-x86_64.s: Assembler messages: -ghash-x86_64.s:890: Error: junk '.15473355479995e+19' after expression - -We don't enable this globally as there are some cases where we'd get -32bit values interpreted as unsigned when we need them as signed. - -Reported-by: Bertrand Jacquin -URL: https://bugs.gentoo.org/542618 - crypto/perlasm/x86_64-xlate.pl | 4 - 1 file changed, 4 insertions(+) - -diff --git a/crypto/perlasm/x86_64-xlate.pl b/crypto/perlasm/x86_64-xlate.pl -index aae8288..0bf9774 100755 a/crypto/perlasm/x86_64-xlate.pl -+++ b/crypto/perlasm/x86_64-xlate.pl -@@ -195,6 +195,10 @@ my %globals; - sub out { - my $self = shift; - -+ # When building on x32 ABIs, the expanded hex value might be too -+ # big to fit into 32bits. Enable transparent 64bit support here -+ # so we can safely print it out. -+ use bigint; - if ($gas) { - # Solaris /usr/ccs/bin/as can't handle multiplications - # in $self->{value} --- -2.3.3 -
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
commit: 887a6ba925e78adef8449a7c8ea6de68278f31b2 Author: Andreas K. Hüttel gentoo org> AuthorDate: Thu Dec 17 14:10:25 2020 + Commit: Andreas K. Hüttel gentoo org> CommitDate: Thu Dec 17 14:10:52 2020 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=887a6ba9 dev-libs/openssl: Handle riscv32 Package-Manager: Portage-3.0.9, Repoman-3.0.2 Signed-off-by: Andreas K. Hüttel gentoo.org> dev-libs/openssl/files/gentoo.config-1.0.2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/dev-libs/openssl/files/gentoo.config-1.0.2 b/dev-libs/openssl/files/gentoo.config-1.0.2
index 4e88dbabf13..68d7d0ac1fc 100644
--- a/dev-libs/openssl/files/gentoo.config-1.0.2
+++ b/dev-libs/openssl/files/gentoo.config-1.0.2
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# Copyright 1999-2018 Gentoo Foundation
+# Copyright 1999-2020 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 #
 # Openssl doesn't play along nicely with cross-compiling
@@ -104,6 +104,7 @@ linux)
 powerpc64*) machine=ppc64;;
 powerpc*le*) machine="generic32 -DL_ENDIAN";;
 powerpc*) machine=ppc;;
+ riscv32*) machine="generic32 -DL_ENDIAN";;
 riscv64*) machine="generic64 -DL_ENDIAN";;
 # sh64*)machine=elf;;
 sh*b*)machine="generic32 -DB_ENDIAN";;
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: 9bce053e42181beb3ae28cc8585516202954a248 Author: Thomas Deutschmann gentoo org> AuthorDate: Thu Jun 4 17:53:01 2020 + Commit: Thomas Deutschmann gentoo org> CommitDate: Thu Jun 4 17:53:01 2020 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9bce053e dev-libs/openssl: security cleanup Bug: https://bugs.gentoo.org/717442 Package-Manager: Portage-2.3.100, Repoman-2.3.22 Signed-off-by: Thomas Deutschmann gentoo.org> dev-libs/openssl/Manifest | 3 - ...sl-1.1.1d-config-Drop-linux-alpha-gcc-bwx.patch | 42 --- ...x-potential-memleaks-w-BN_to_ASN1_INTEGER.patch | 107 --- .../openssl/files/openssl-1.1.1d-fix-zlib.patch| 52 ...stitched-AES-CBC-HMAC-SHA-implementations.patch | 62 dev-libs/openssl/openssl-1.1.1d-r3.ebuild | 328 - dev-libs/openssl/openssl-1.1.1f.ebuild | 324 7 files changed, 918 deletions(-) diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest index 2d626cc93bd..0153ae0ad1c 100644 --- a/dev-libs/openssl/Manifest +++ b/dev-libs/openssl/Manifest 
@@ -3,8 +3,5 @@ DIST openssl-1.0.2t-bindist-1.0.tar.xz 13872 BLAKE2B b2aade96a6e0ca6209a39e205b1 DIST openssl-1.0.2u.tar.gz 5355412 BLAKE2B b2ff2a10e5851af5aca4093422a9a072c794e87b997263826c1c35910c040f695fac63decac5856cb49399ed03d410f97701d9fd4e1ebfbcacd8f3a74ce8bf57 SHA512 c455bb309e20e2c2d47fdc5619c734d107d5c8c38c1409903ce979acc120b0d5fa0312917c0aa0d630e402d092a703d4249643f36078e8528a3cafc9dac6ab32 DIST openssl-1.1.0l-bindist-1.0.tar.xz 13184 BLAKE2B c09e023458faff17b10d6f20c28462c0851757a20d59b4b751220ab307324d5778252df112ad74fd319407cc75fdd1cd507d48058dd0234dc8c03020c882ed42 SHA512 39720ecee3ec6080c1416f2fb7c9246b89ee55b21be2baabad51eb6823dbe1559450b1ae92fa61ac1cf5ba04ac8c02438aa469bc65eae6905cf1ea486f270793 DIST openssl-1.1.0l.tar.gz 5294857 BLAKE2B 0e4f30f9e8a22414325bd780dc4e875e962487fbe72967f0392ace959955429192541881a98d097d7bb75ed7238b1817b0c3c2c4da04421512bd538f2b07cdd7 SHA512 81b74149f40ea7d9f7e235820a4f977844653ad1e2b302e65e712c12193f47542fe7e3385fd1e25e3dd074e4e6d04199836cbc492656f5a7692edab5e234f4ad -DIST openssl-1.1.1d-bindist-1.0.tar.xz 13180 BLAKE2B 680bd7400d3dd3930067ee7efa9718b74b30afa9be2397ad80f88031920806b6603b6469beede02b6e7a742abf5f82ebdd7c9b8e69c1ffe223e4860dc9581128 SHA512 9e4296326852010d5cebc204d1a34a34198d8d65460bc91a2bd37c80be892a5ae519513e4b0109e6b51b6faab0e171ef6cdae868868c158711558d147083c06f -DIST openssl-1.1.1d.tar.gz 8845861 BLAKE2B d3155f07b487ebd8dd4fe25396c874f9af18b5cfd7e622298d29c4f2c8ce14ad4534609d321314a4bcd0d44414e1306190340daaacd3c8fca061c04498446244 SHA512 2bc9f528c27fe644308eb7603c992bac8740e9f0c3601a130af30c9ffebbf7e0f5c28b76a00bbb478bad40fbe89b4223a58d604001e1713da71ff4b7fe6a08a7 DIST openssl-1.1.1e-bindist-1.0.tar.xz 16948 BLAKE2B 78e034f1d263cbf5e57c92393f72acd07e86e39a5511a8852bad151371430954e07d787fd82cca55b373d1579bb22b9d29c9d677104ed68291a9d2dffe3ffbbb SHA512 0dbfb378b8f2724db82915e17fd4e43977e3e45030db25cdb9241c0ab842e41ef3d597ef71c4db5103635752dc2059ea6022597511a440f55fb56a5a52d3ccea -DIST 
openssl-1.1.1f.tar.gz 9792828 BLAKE2B eba30dd12772cd714666ed8e5371e068623d8bfd4ff45863d10e82c65551654508a27f22f7ef1edadb543ab56f3c4c40ac3bcad665c667eb06ee90c69b24782e SHA512 b00bd9b5ad5298fbceeec6bb19c1ab0c106ca5cfb31178497c58bf7e0e0cf30fcc19c20f84e23af31cc126bf2447d3e4f8461db97bafa7bd78f69561932f000c DIST openssl-1.1.1g.tar.gz 9801502 BLAKE2B 5e3dd4725ff89b959a5436d64b521317c6ffeb377418cc24c6d1927fab923423cb5f5fce2f9c2cdee597041c7be156d09668a5fd13dc6ff06d235a83db94cf19 SHA512 01e3d0b1bceeed8fb066f542ef5480862001556e0f612e017442330bbd7e5faee228b2de3513d7fc347446b7f217e27de1003dc9d7214d5833b97593f3ec25ab diff --git a/dev-libs/openssl/files/openssl-1.1.1d-config-Drop-linux-alpha-gcc-bwx.patch b/dev-libs/openssl/files/openssl-1.1.1d-config-Drop-linux-alpha-gcc-bwx.patch deleted file mode 100644 index 3771684b251..000 --- a/dev-libs/openssl/files/openssl-1.1.1d-config-Drop-linux-alpha-gcc-bwx.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 19ded1a717b6c72c3db241f06787a353f1190755 Mon Sep 17 00:00:00 2001 -From: Matt Turner -Date: Tue, 18 Feb 2020 10:08:27 -0800 -Subject: [PATCH] config: Drop linux-alpha-gcc+bwx - -Its entry in Configuration/10-main.conf was dropped in commit -7ead0c89185c ("Configure: fold related configurations more aggressively -and clean-up.") probably because all but one of its bn_ops were removed -(RC4_CHAR remained). Benchmarks on an Alpha EV7 indicate that RC4_INT is -better than RC4_CHAR so rather than restoring the configuation, remove -it from config. - -CLA: trivial -Bug: https://bugs.gentoo.org/697840 - -Reviewed-by: Paul Dale -Reviewed-by: Matt Caswell -Reviewed-by: Richard Levitte -(Merged from https://github.com/openssl/openssl/pull/11130) - config | 5 + - 1 file changed, 1 insertion(+), 4 deletions(-) - -diff --git a/config b/config -index
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
commit: 3bbd887ff1dde5c69e81d6985e4d02c1eddb793b Author: Mike Gilbert gentoo org> AuthorDate: Thu Apr 2 14:55:31 2020 + Commit: Mike Gilbert gentoo org> CommitDate: Thu Apr 2 14:55:31 2020 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3bbd887f dev-libs/openssl: handle riscv64 Closes: https://bugs.gentoo.org/715908 Signed-off-by: Mike Gilbert gentoo.org> dev-libs/openssl/files/gentoo.config-1.0.2 | 1 + 1 file changed, 1 insertion(+)
diff --git a/dev-libs/openssl/files/gentoo.config-1.0.2 b/dev-libs/openssl/files/gentoo.config-1.0.2
index d16175e6292..4e88dbabf13 100644
--- a/dev-libs/openssl/files/gentoo.config-1.0.2
+++ b/dev-libs/openssl/files/gentoo.config-1.0.2
@@ -104,6 +104,7 @@ linux)
 powerpc64*) machine=ppc64;;
 powerpc*le*) machine="generic32 -DL_ENDIAN";;
 powerpc*) machine=ppc;;
+ riscv64*) machine="generic64 -DL_ENDIAN";;
 # sh64*)machine=elf;;
 sh*b*)machine="generic32 -DB_ENDIAN";;
 sh*) machine="generic32 -DL_ENDIAN";;
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: e3dec9bf2da04ace6b2e999ff779d117beb65e6e Author: Matt Turner gentoo org> AuthorDate: Tue Feb 25 22:37:15 2020 + Commit: Matt Turner gentoo org> CommitDate: Tue Feb 25 22:40:42 2020 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e3dec9bf dev-libs/openssl: Fix the build on alpha Closes: https://bugs.gentoo.org/697840 Signed-off-by: Matt Turner gentoo.org> ...sl-1.1.1d-config-Drop-linux-alpha-gcc-bwx.patch | 42 ++ dev-libs/openssl/openssl-1.1.1d-r3.ebuild | 1 + 2 files changed, 43 insertions(+) diff --git a/dev-libs/openssl/files/openssl-1.1.1d-config-Drop-linux-alpha-gcc-bwx.patch b/dev-libs/openssl/files/openssl-1.1.1d-config-Drop-linux-alpha-gcc-bwx.patch new file mode 100644 index 000..3771684b251 --- /dev/null +++ b/dev-libs/openssl/files/openssl-1.1.1d-config-Drop-linux-alpha-gcc-bwx.patch 
@@ -0,0 +1,42 @@ +From 19ded1a717b6c72c3db241f06787a353f1190755 Mon Sep 17 00:00:00 2001 +From: Matt Turner +Date: Tue, 18 Feb 2020 10:08:27 -0800 +Subject: [PATCH] config: Drop linux-alpha-gcc+bwx + +Its entry in Configuration/10-main.conf was dropped in commit +7ead0c89185c ("Configure: fold related configurations more aggressively +and clean-up.") probably because all but one of its bn_ops were removed +(RC4_CHAR remained). Benchmarks on an Alpha EV7 indicate that RC4_INT is +better than RC4_CHAR so rather than restoring the configuation, remove +it from config. + +CLA: trivial +Bug: https://bugs.gentoo.org/697840 + +Reviewed-by: Paul Dale +Reviewed-by: Matt Caswell +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/11130) +--- + config | 5 + + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/config b/config +index 2213969f90..e39481ca2a 100755 +--- a/config b/config +@@ -498,10 +498,7 @@ case "$GUESSOS" in + OUT="ios64-cross" ;; + alpha-*-linux2) + ISA=`awk '/cpu model/{print$4;exit(0);}' /proc/cpuinfo` +- case ${ISA:-generic} in +- *[678]) OUT="linux-alpha+bwx-$CC" ;; +- *) OUT="linux-alpha-$CC" ;; +- esac ++ OUT="linux-alpha-$CC" + if [ "$CC" = "gcc" ]; then + case ${ISA:-generic} in + EV5|EV45) __CNF_CFLAGS="$__CNF_CFLAGS -mcpu=ev5" +-- +2.24.1 + diff --git a/dev-libs/openssl/openssl-1.1.1d-r3.ebuild b/dev-libs/openssl/openssl-1.1.1d-r3.ebuild index 8800d05fac7..97a1002fac7 100644 --- a/dev-libs/openssl/openssl-1.1.1d-r3.ebuild +++ b/dev-libs/openssl/openssl-1.1.1d-r3.ebuild @@ -50,6 +50,7 @@ PATCHES=( "${FILESDIR}"/${P}-fix-zlib.patch "${FILESDIR}"/${P}-fix-potential-memleaks-w-BN_to_ASN1_INTEGER.patch "${FILESDIR}"/${P}-reenable-the-stitched-AES-CBC-HMAC-SHA-implementations.patch + "${FILESDIR}"/${P}-config-Drop-linux-alpha-gcc-bwx.patch ) S="${WORKDIR}/${MY_P}"
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
commit: addd7f2abcabc67e4fd244d6374dd6945c10713d Author: Michael Mair-Keimberger gmail com> AuthorDate: Fri Nov 22 08:17:48 2019 + Commit: Aaron Bauman gentoo org> CommitDate: Sun Nov 24 00:40:20 2019 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=addd7f2a dev-libs/openssl: remove unused patch Signed-off-by: Michael Mair-Keimberger gmail.com> Signed-off-by: Aaron Bauman gentoo.org> .../openssl/files/openssl-1.0.2p-hobble-ecc.patch | 283 - 1 file changed, 283 deletions(-) diff --git a/dev-libs/openssl/files/openssl-1.0.2p-hobble-ecc.patch b/dev-libs/openssl/files/openssl-1.0.2p-hobble-ecc.patch deleted file mode 100644 index 3a458a78360..000 --- a/dev-libs/openssl/files/openssl-1.0.2p-hobble-ecc.patch +++ /dev/null 
@@ -1,283 +0,0 @@ -Port of Fedora's Hobble-EC patches for OpenSSL 1.0 series. - -From https://src.fedoraproject.org/git/rpms/openssl.git - -Contains parts of the following patches, rediffed. The patches are on various -different branches. -f23 openssl-1.0.2c-ecc-suiteb.patch -f23 openssl-1.0.2a-fips-ec.patch -f28 openssl-1.1.0-ec-curves.patch - -Signed-off-By: Robin H. Johnson - a/apps/speed.c -+++ b/apps/speed.c -@@ -989,10 +989,7 @@ int MAIN(int argc, char **argv) - } else - # endif - # ifndef OPENSSL_NO_ECDSA --if (strcmp(*argv, "ecdsap160") == 0) --ecdsa_doit[R_EC_P160] = 2; --else if (strcmp(*argv, "ecdsap192") == 0) --ecdsa_doit[R_EC_P192] = 2; -+ if (0) {} - else if (strcmp(*argv, "ecdsap224") == 0) - ecdsa_doit[R_EC_P224] = 2; - else if (strcmp(*argv, "ecdsap256") == 0) -@@ -1001,36 +998,13 @@ int MAIN(int argc, char **argv) - ecdsa_doit[R_EC_P384] = 2; - else if (strcmp(*argv, "ecdsap521") == 0) - ecdsa_doit[R_EC_P521] = 2; --else if (strcmp(*argv, "ecdsak163") == 0) --ecdsa_doit[R_EC_K163] = 2; --else if (strcmp(*argv, "ecdsak233") == 0) --ecdsa_doit[R_EC_K233] = 2; --else if (strcmp(*argv, "ecdsak283") == 0) --ecdsa_doit[R_EC_K283] = 2; --else if (strcmp(*argv, "ecdsak409") == 0) --ecdsa_doit[R_EC_K409] = 2; --else if (strcmp(*argv, "ecdsak571") == 0) --ecdsa_doit[R_EC_K571] = 2; --else if (strcmp(*argv, "ecdsab163") == 0) --ecdsa_doit[R_EC_B163] = 2; --else if (strcmp(*argv, "ecdsab233") == 0) --ecdsa_doit[R_EC_B233] = 2; --else if (strcmp(*argv, "ecdsab283") == 0) --ecdsa_doit[R_EC_B283] = 2; --else if (strcmp(*argv, "ecdsab409") == 0) --ecdsa_doit[R_EC_B409] = 2; --else if (strcmp(*argv, "ecdsab571") == 0) --ecdsa_doit[R_EC_B571] = 2; - else if (strcmp(*argv, "ecdsa") == 0) { --for (i = 0; i < EC_NUM; i++) -+for (i = R_EC_P224; i < R_EC_P521; i++) - ecdsa_doit[i] = 1; - } else - # endif - # ifndef OPENSSL_NO_ECDH --if (strcmp(*argv, "ecdhp160") == 0) --ecdh_doit[R_EC_P160] = 2; --else if (strcmp(*argv, "ecdhp192") == 0) --ecdh_doit[R_EC_P192] = 2; -+ 
if (0) {} - else if (strcmp(*argv, "ecdhp224") == 0) - ecdh_doit[R_EC_P224] = 2; - else if (strcmp(*argv, "ecdhp256") == 0) -@@ -1039,28 +1013,8 @@ int MAIN(int argc, char **argv) - ecdh_doit[R_EC_P384] = 2; - else if (strcmp(*argv, "ecdhp521") == 0) - ecdh_doit[R_EC_P521] = 2; --else if (strcmp(*argv, "ecdhk163") == 0) --ecdh_doit[R_EC_K163] = 2; --else if (strcmp(*argv, "ecdhk233") == 0) --ecdh_doit[R_EC_K233] = 2; --else if (strcmp(*argv, "ecdhk283") == 0) --ecdh_doit[R_EC_K283] = 2; --else if (strcmp(*argv, "ecdhk409") == 0) --ecdh_doit[R_EC_K409] = 2; --else if (strcmp(*argv, "ecdhk571") == 0) --ecdh_doit[R_EC_K571] = 2; --else if (strcmp(*argv, "ecdhb163") == 0) --ecdh_doit[R_EC_B163] = 2; --else if (strcmp(*argv, "ecdhb233") == 0) --ecdh_doit[R_EC_B233] = 2; --else if (strcmp(*argv, "ecdhb283") == 0) --ecdh_doit[R_EC_B283] = 2; --else if (strcmp(*argv, "ecdhb409") == 0) --ecdh_doit[R_EC_B409] = 2; --else if (strcmp(*argv, "ecdhb571") == 0) --ecdh_doit[R_EC_B571] = 2; - else if (strcmp(*argv, "ecdh") == 0) { --for (i = 0; i < EC_NUM; i++) -+ for (i = R_EC_P224; i <= R_EC_P521; i++) - ecdh_doit[i] = 1; - } else - # endif -@@ -1149,21 +1103,13 @@ int MAIN(int argc, char **argv) - BIO_printf(bio_err, "dsa512 dsa1024 dsa2048\n"); - # endif - # ifndef OPENSSL_NO_ECDSA --BIO_printf(bio_err, "ecdsap160 ecdsap192 ecdsap224 " -+BIO_printf(bio_err, "ecdsap224 " -"ecdsap256
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: 4019a4b1ce71d416d04cafcb76d6be4719e8ecbd Author: Thomas Deutschmann gentoo org> AuthorDate: Wed Sep 11 23:19:30 2019 + Commit: Thomas Deutschmann gentoo org> CommitDate: Wed Sep 11 23:29:57 2019 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4019a4b1 dev-libs/openssl: bump to v1.1.0l Package-Manager: Portage-2.3.75, Repoman-2.3.17 Signed-off-by: Thomas Deutschmann gentoo.org> dev-libs/openssl/Manifest | 2 + .../openssl-1.1.0l-fix-no-ec2m-in-ec_curve.c.patch | 30 ++ dev-libs/openssl/openssl-1.1.0l.ebuild | 305 + 3 files changed, 337 insertions(+) diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest index c6474b63d35..fd03dd1eb9b 100644 --- a/dev-libs/openssl/Manifest +++ b/dev-libs/openssl/Manifest 
@@ -9,6 +9,8 @@ DIST openssl-1.0.2s_ectest.c 30735 BLAKE2B 95333a27f1cf0a4305a3cee7f6d46b9d46735 DIST openssl-1.0.2s_hobble-openssl 1302 BLAKE2B 647caa6a0f4c53a2e77baa3b8e5961eaef3bb0ff38e7d5475eab8deef3439f7fe49028ec9ed0406f3453870b62cac67c496b3a048ee4c9ff4c6866d520235960 SHA512 3d757a4708e74a03dd5cb9b8114dfe442ed9520739a6eca693be4c4265771696f1449ea06d1c9bcfc6e94fc9b0dd0c10e153f1c3b0334831c0550b36cd63326e DIST openssl-1.1.0k-bindist-1.0.tar.xz 11716 BLAKE2B c491ba0899c44dbcc63f85b255548c439c965a20a04ac2a6324a4122c4691b7c95ec18e62be6d708a7ea62ea197d32e5091987cb5043969878f89e5bc26243d4 SHA512 1d5bc9d7b24cf55d32d996e2421d43a1218b605720293f00d07814afb481387856f0dc000ad3c3e4cba2361055668cfe79a945be44ab85a249555f37e683a909 DIST openssl-1.1.0k.tar.gz 5287321 BLAKE2B fce40a399f5a08d5fe183dfcaab11b211d982885fb9888b25fa41bdd9919ecd203fca6f573363cfb42c9a0776ae69ea50b0f144227a3f28ca0dbadf878d396bc SHA512 65f41a240a97d79504c0e1391fde8ac8692f0993437cdc35e4bc964ecc36e5ef75a62499c4c6cb4ce63f892135e06dba2d3594c8869d935554296fa3c6ccd822 +DIST openssl-1.1.0l-bindist-1.0.tar.xz 13168 BLAKE2B 1fbd1f7bdba08f14e21485175232283c2309687021a526b4a132b676d7f9429577f8f14e180fb4f59ef24bc9c06873a6936e64559a901803a3f1d21453177b50 SHA512 f664a6876a2a9c7467bbc6a436593eb21cc6be51e08408657f34b67fa69cd6bece3cc65f60220d7e41f36b359b5299adf49a59ede7f8f738d6a31e29d2a49714 +DIST openssl-1.1.0l.tar.gz 5294857 BLAKE2B 0e4f30f9e8a22414325bd780dc4e875e962487fbe72967f0392ace959955429192541881a98d097d7bb75ed7238b1817b0c3c2c4da04421512bd538f2b07cdd7 SHA512 81b74149f40ea7d9f7e235820a4f977844653ad1e2b302e65e712c12193f47542fe7e3385fd1e25e3dd074e4e6d04199836cbc492656f5a7692edab5e234f4ad DIST openssl-1.1.1c-bindist-1.0.tar.xz 11964 BLAKE2B 8c5190846d13984589a150089d329bb3ecc613788b9462c6f6a1833a040e21cb9bf940140449f09fd797c0e396b0aea073237be374bd16097795b8974c3e7ce5 SHA512 249c6d8c455130b98e3be635f12f323e0cc349f1770648bad591e5de15483917185a473c162ed871a2fa05b47056931e6f12e5fdd9cecee7e6d1c246b862923b DIST 
openssl-1.1.1c.tar.gz 8864262 BLAKE2B bd157b244bedcefb8e646a743732945119b267236789ac69c38856570318aca09299bdaaea3f20294863b633e6fd4dfe124820597185b3b7461cfdf094daadb0 SHA512 8e2c5cc11c120efbb7d7850980cb6eaa782d29b4996b3f3378d37613c1679f852d7cc08a90d62e78fcec3439f06bdbee70064579a8c2adaffd91532a97f646ff DIST openssl-1.1.1d-bindist-1.0.tar.xz 13180 BLAKE2B 680bd7400d3dd3930067ee7efa9718b74b30afa9be2397ad80f88031920806b6603b6469beede02b6e7a742abf5f82ebdd7c9b8e69c1ffe223e4860dc9581128 SHA512 9e4296326852010d5cebc204d1a34a34198d8d65460bc91a2bd37c80be892a5ae519513e4b0109e6b51b6faab0e171ef6cdae868868c158711558d147083c06f diff --git a/dev-libs/openssl/files/openssl-1.1.0l-fix-no-ec2m-in-ec_curve.c.patch b/dev-libs/openssl/files/openssl-1.1.0l-fix-no-ec2m-in-ec_curve.c.patch new file mode 100644 index 000..35a435df28b --- /dev/null +++ b/dev-libs/openssl/files/openssl-1.1.0l-fix-no-ec2m-in-ec_curve.c.patch 
@@ -0,0 +1,30 @@ +From bcf6a94c4bc912ad313ea21abdf7e83bbae450e5 Mon Sep 17 00:00:00 2001 +From: Nicola Tuveri +Date: Thu, 12 Sep 2019 01:57:47 +0300 +Subject: [PATCH] Fix no-ec2m in ec_curve.c (1.1.0) + +I made a mistake in d4a5dac9f9242c580fb9d0a4389440eccd3494a7 and +inverted the GF2m and GFp calls in ec_point_get_affine_coordinates, this +fixes it. +--- + crypto/ec/ec_curve.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c +index 2d28d7f70bb..6a58b3a23e0 100644 +--- a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c +@@ -3200,11 +3200,11 @@ int ec_point_get_affine_coordinates(const EC_GROUP *group, + + #ifndef OPENSSL_NO_EC2M + if (field_nid == NID_X9_62_characteristic_two_field) { +-return EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx); ++return EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx); + } else + #endif /* !def(OPENSSL_NO_EC2M) */ + if (field_nid == NID_X9_62_prime_field) { +-return EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx); ++return EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx); + } else { + /*
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: 2c20225928fed2fb4c7512f4655207478ada6caf Author: Thomas Deutschmann gentoo org> AuthorDate: Fri Aug 23 17:33:18 2019 + Commit: Thomas Deutschmann gentoo org> CommitDate: Fri Aug 23 18:10:18 2019 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2c202259 dev-libs/openssl: fix fuzz test Package-Manager: Portage-2.3.72, Repoman-2.3.17 Signed-off-by: Thomas Deutschmann gentoo.org> .../openssl/files/openssl-1.1.0k-fix-test_fuzz.patch | 19 +++ dev-libs/openssl/openssl-1.1.0k-r1.ebuild | 1 + 2 files changed, 20 insertions(+) diff --git a/dev-libs/openssl/files/openssl-1.1.0k-fix-test_fuzz.patch b/dev-libs/openssl/files/openssl-1.1.0k-fix-test_fuzz.patch new file mode 100644 index 000..2c4cc31257c --- /dev/null +++ b/dev-libs/openssl/files/openssl-1.1.0k-fix-test_fuzz.patch @@ -0,0 +1,19 @@ +Test fuzz was forgotten when + + Perl: Use our own globbing wrapper rather than File::Glob::glob + +was backported to openssl-1.1.0 branch. + +Link: https://github.com/openssl/openssl/commit/b81cfa07ada850fd287d0a0c82ba280907f18ce7 + +--- a/test/recipes/90-test_fuzz.t b/test/recipes/90-test_fuzz.t +@@ -9,7 +9,7 @@ + use strict; + use warnings; + +-use if $^O ne "VMS", 'File::Glob' => qw/glob/; ++use OpenSSL::Glob; + use OpenSSL::Test qw/:DEFAULT srctop_file/; + use OpenSSL::Test::Utils; + diff --git a/dev-libs/openssl/openssl-1.1.0k-r1.ebuild b/dev-libs/openssl/openssl-1.1.0k-r1.ebuild index 5bc111be0f8..f8ee7f73587 100644 --- a/dev-libs/openssl/openssl-1.1.0k-r1.ebuild +++ b/dev-libs/openssl/openssl-1.1.0k-r1.ebuild @@ -53,6 +53,7 @@ SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )" PATCHES=( "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618 "${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602 + "${FILESDIR}"/${PN}-1.1.0k-fix-test_fuzz.patch ) S="${WORKDIR}/${MY_P}"
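Review bot: The new `PATCHES` entry `"${FILESDIR}"/${PN}-1.1.0k-fix-test_fuzz.patch` in the ebuild hunk has no trailing reference, while the two entries above it end in `#542618` and `#671602`. The patch header already links an upstream commit, so the same pointer could sit on the line, for example `"${FILESDIR}"/${PN}-1.1.0k-fix-test_fuzz.patch # follow-up to upstream b81cfa07`. That would tell whoever does the next bump where to check whether the patch is still needed.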
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: 01e98e158d3cb02427d8a73678b56b83c5285843 Author: Michał Górny gentoo org> AuthorDate: Tue May 28 19:00:54 2019 + Commit: Thomas Deutschmann gentoo org> CommitDate: Fri Jun 14 17:46:34 2019 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=01e98e15 dev-libs/openssl: Remove compat slots (moved to *-compat) Signed-off-by: Michał Górny gentoo.org> Bug: https://bugs.gentoo.org/687984 Signed-off-by: Thomas Deutschmann gentoo.org> dev-libs/openssl/Manifest | 1 - dev-libs/openssl/files/gentoo.config-0.9.8 | 144 .../openssl/files/openssl-0.9.8e-bsd-sparc64.patch | 25 --- .../openssl/files/openssl-0.9.8h-ldflags.patch | 29 --- .../openssl/files/openssl-0.9.8m-binutils.patch| 24 -- .../files/openssl-0.9.8z_p8-perl-5.26.patch| 13 -- dev-libs/openssl/openssl-0.9.8z_p8-r1.ebuild | 163 -- dev-libs/openssl/openssl-1.0.2r-r200.ebuild| 248 - 8 files changed, 647 deletions(-) diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest index 26e97789fde..ae40847f77d 100644 --- a/dev-libs/openssl/Manifest +++ b/dev-libs/openssl/Manifest 
@@ -1,4 +1,3 @@ -DIST openssl-0.9.8zh.tar.gz 3818524 BLAKE2B 610bb4858900983cf4519fa8b63f1e03b3845e39e68884fd8bebd738cd5cd6c2c75513643af49bf9e2294adc446a6516480fe9b62de55d9b6379bf9e7c5cd364 SHA512 b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6 DIST openssl-1.0.2-patches-1.5.tar.xz 12404 BLAKE2B 6c1b8c28f339f539b2ab8643379502a24cf62bffde00041dce54d5dd9e8d2620b181362ee5464b0ab32ba4948e209697bfabadbea2944a409a1009100d298f24 SHA512 5725e2d9d1ee8cc074bcef3bed61c71bdab2ff1c114362110c3fb8da11ad5bc8f2ff28e90a293f5f3a5cf96ecda54dffdb7ab3fb3f8b23ef6472250dc3037659 DIST openssl-1.0.2r.tar.gz 5348369 BLAKE2B 9f9c2d2fe6eaf9acacab29b394a318f30c38e831a5f9c193b2da660f9d04acbf407d8b752274783765416c0f5ba557c24ee293ad7fb7d727771db289e6acc901 SHA512 6eb2211f3ad56d7573ac26f388338592c37e5faaf5e2d44c0fa9062c12186e56a324f135d1c956a89b55fcce047e6428bec2756658d103e7275e08b46f741235 DIST openssl-1.0.2r_ec_curve.c 17254 BLAKE2B d40d8d6e770443f07abe70e2c4ddda6aec1cc8e37dc1f226a3fdd9ed5d228f09c6d372e8956b1948b55ee1d57d1429493e7288d0f54d9466a37fec805c85aacb SHA512 8e92fb100bcf4bd918c82b9a6cbd75a55abe1a2c08230a007e441c51577f974f8cc336e9ac8a672b32641480428ca8cead5380da1fe81bacb088145a1b754a15 diff --git a/dev-libs/openssl/files/gentoo.config-0.9.8 b/dev-libs/openssl/files/gentoo.config-0.9.8 deleted file mode 100644 index 02698250c19..000 --- a/dev-libs/openssl/files/gentoo.config-0.9.8 +++ /dev/null 
@@ -1,144 +0,0 @@ -#!/usr/bin/env bash -# Copyright 1999-2009 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 -# -# Openssl doesn't play along nicely with cross-compiling -# like autotools based projects, so let's teach it new tricks. -# -# Review the bundled 'config' script to see why kind of targets -# we can pass to the 'Configure' script. - - -# Testing routines -if [[ $1 == "test" ]] ; then - for c in \ - "arm-gentoo-linux-uclibc |linux-generic32 -DL_ENDIAN" \ - "armv5b-linux-gnu |linux-generic32 -DB_ENDIAN" \ - "x86_64-pc-linux-gnu |linux-x86_64" \ - "alphaev56-unknown-linux-gnu |linux-alpha+bwx-gcc" \ - "i686-pc-linux-gnu|linux-elf" \ - "whatever-gentoo-freebsdX.Y |BSD-generic32" \ - "i686-gentoo-freebsdX.Y |BSD-x86-elf" \ - "sparc64-alpha-freebsdX.Y |BSD-sparc64" \ - "ia64-gentoo-freebsd5.99234 |BSD-ia64" \ - "x86_64-gentoo-freebsdX.Y |BSD-x86_64" \ - "hppa64-aldsF-linux-gnu5.3|linux-generic32 -DB_ENDIAN" \ - "powerpc-gentOO-linux-uclibc |linux-ppc" \ - "powerpc64-unk-linux-gnu |linux-ppc64" \ - "x86_64-apple-darwinX |darwin64-x86_64-cc" \ - "powerpc64-apple-darwinX |darwin64-ppc-cc" \ - "i686-apple-darwinX |darwin-i386-cc" \ - "i386-apple-darwinX |darwin-i386-cc" \ - "powerpc-apple-darwinX|darwin-ppc-cc" \ - "i586-pc-winnt|winnt-parity" \ - ;do - CHOST=${c/|*} - ret_want=${c/*|} - ret_got=$(CHOST=${CHOST} "$0") - - if [[ ${ret_want} == "${ret_got}" ]] ; then - echo "PASS: ${CHOST}" - else - echo "FAIL: ${CHOST}" - echo -e "\twanted: ${ret_want}" - echo -e "\twe got: ${ret_got}" - fi - done - exit 0 -fi -[[ -z ${CHOST} && -n $1 ]] && CHOST=$1 - - -# Detect the operating system -case ${CHOST} in - *-aix*)
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: 402e35c0c3cfbd46457cad5983c217ea8de6fe8e Author: Thomas Deutschmann gentoo org> AuthorDate: Wed Mar 6 16:55:03 2019 + Commit: Thomas Deutschmann gentoo org> CommitDate: Wed Mar 6 16:55:03 2019 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=402e35c0 dev-libs/openssl: add patch for CVE-2019-1543 Package-Manager: Portage-2.3.62, Repoman-2.3.12 Signed-off-by: Thomas Deutschmann gentoo.org> .../files/openssl-1.1.1b-CVE-2019-1543.patch | 66 + dev-libs/openssl/openssl-1.1.0j-r1.ebuild | 299 + dev-libs/openssl/openssl-1.1.1b-r2.ebuild | 299 + 3 files changed, 664 insertions(+) diff --git a/dev-libs/openssl/files/openssl-1.1.1b-CVE-2019-1543.patch b/dev-libs/openssl/files/openssl-1.1.1b-CVE-2019-1543.patch new file mode 100644 index 000..4d478c484c9 --- /dev/null +++ b/dev-libs/openssl/files/openssl-1.1.1b-CVE-2019-1543.patch 
@@ -0,0 +1,66 @@ +From f426625b6ae9a7831010750490a5f0ad689c5ba3 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 5 Mar 2019 14:39:15 + +Subject: [PATCH] Prevent over long nonces in ChaCha20-Poly1305 + +ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for +every encryption operation. RFC 7539 specifies that the nonce value (IV) +should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and +front pads the nonce with 0 bytes if it is less than 12 bytes. However it +also incorrectly allows a nonce to be set of up to 16 bytes. In this case +only the last 12 bytes are significant and any additional leading bytes are +ignored. + +It is a requirement of using this cipher that nonce values are unique. +Messages encrypted using a reused nonce value are susceptible to serious +confidentiality and integrity attacks. If an application changes the +default nonce length to be longer than 12 bytes and then makes a change to +the leading bytes of the nonce expecting the new value to be a new unique +nonce then such an application could inadvertently encrypt messages with a +reused nonce. + +Additionally the ignored bytes in a long nonce are not covered by the +integrity guarantee of this cipher. Any application that relies on the +integrity of these ignored leading bytes of a long nonce may be further +affected. + +Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe +because no such use sets such a long nonce value. However user +applications that use this cipher directly and set a non-default nonce +length to be longer than 12 bytes may be vulnerable. 
+ +CVE-2019-1543 + +Fixes #8345 + +Reviewed-by: Paul Dale +Reviewed-by: Richard Levitte +(Merged from https://github.com/openssl/openssl/pull/8406) + +(cherry picked from commit 2a3d0ee9d59156c48973592331404471aca886d6) +--- + crypto/evp/e_chacha20_poly1305.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/crypto/evp/e_chacha20_poly1305.c b/crypto/evp/e_chacha20_poly1305.c +index c1917bb86a6..d3e2c622a1b 100644 +--- a/crypto/evp/e_chacha20_poly1305.c b/crypto/evp/e_chacha20_poly1305.c +@@ -30,6 +30,8 @@ typedef struct { + + #define data(ctx) ((EVP_CHACHA_KEY *)(ctx)->cipher_data) + ++#define CHACHA20_POLY1305_MAX_IVLEN 12 ++ + static int chacha_init_key(EVP_CIPHER_CTX *ctx, +const unsigned char user_key[CHACHA_KEY_SIZE], +const unsigned char iv[CHACHA_CTR_SIZE], int enc) +@@ -533,7 +535,7 @@ static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, + return 1; + + case EVP_CTRL_AEAD_SET_IVLEN: +-if (arg <= 0 || arg > CHACHA_CTR_SIZE) ++if (arg <= 0 || arg > CHACHA20_POLY1305_MAX_IVLEN) + return 0; + actx->nonce_len = arg; + return 1; diff --git a/dev-libs/openssl/openssl-1.1.0j-r1.ebuild b/dev-libs/openssl/openssl-1.1.0j-r1.ebuild new file mode 100644 index 000..b21a33a9e0f --- /dev/null +++ b/dev-libs/openssl/openssl-1.1.0j-r1.ebuild 
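Review bot: `CHACHA20_POLY1305_MAX_IVLEN` is added as a bare `12` next to the existing `CHACHA_CTR_SIZE` with nothing in the code saying why the two limits differ; the reason is given only in the commit message. A comment above the define would keep it with the code, for example `/* RFC 7539 nonce is 96 bits; longer nonces used to be accepted and only the last 12 bytes were used */`. In the `EVP_CTRL_AEAD_SET_IVLEN` case the new bound returns 0 before `actx->nonce_len = arg;`, so a caller that asks for 13 to 16 bytes and ignores the ctrl result keeps the previously configured nonce length. It would help to say this next to the check, since application code that sets a non-default length now has to test that return value. Both `chacha_init_key` and `chacha20_poly1305_ctrl` continue outside the hunks.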
@@ -0,0 +1,299 @@ +# Copyright 1999-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI="6" + +inherit flag-o-matic toolchain-funcs multilib multilib-minimal + +MY_P=${P/_/-} +DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)" +HOMEPAGE="https://www.openssl.org/; +SRC_URI="mirror://openssl/source/${MY_P}.tar.gz" + +LICENSE="openssl" +SLOT="0/1.1" # .so version of libssl/libcrypto +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~x86-linux" +IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 static-libs test tls-heartbeat vanilla zlib" +RESTRICT="!bindist? ( bindist )" + +RDEPEND=">=app-misc/c_rehash-1.7-r1 + zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )" +DEPEND="${RDEPEND} + >=dev-lang/perl-5 + sctp? ( >=net-misc/lksctp-tools-1.0.12 ) +
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: 05ef2e7b732a8571f2d4ef84659b7f972a8cd90e Author: Thomas Deutschmann gentoo org> AuthorDate: Wed Feb 27 19:07:04 2019 + Commit: Thomas Deutschmann gentoo org> CommitDate: Wed Feb 27 19:07:04 2019 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=05ef2e7b dev-libs/openssl: fix USE=bindist Package-Manager: Portage-2.3.62, Repoman-2.3.12 Signed-off-by: Thomas Deutschmann gentoo.org> .../files/openssl-1.1.1b-ec-curves-patch.patch | 207 + ...nssl-1.1.1b.ebuild => openssl-1.1.1b-r1.ebuild} | 8 +- 2 files changed, 214 insertions(+), 1 deletion(-) diff --git a/dev-libs/openssl/files/openssl-1.1.1b-ec-curves-patch.patch b/dev-libs/openssl/files/openssl-1.1.1b-ec-curves-patch.patch new file mode 100644 index 000..c1f53c83823 --- /dev/null +++ b/dev-libs/openssl/files/openssl-1.1.1b-ec-curves-patch.patch 
@@ -0,0 +1,207 @@ +Based on openssl-1.1.1-ec-curves.patch. + +Updated for OpenSSL change b6d41ff73392df5af9c931c902ae4cd75c5b61ea. + +--- a/apps/speed.c b/apps/speed.c +@@ -489,82 +489,28 @@ static const OPT_PAIR rsa_choices[] = { + static double rsa_results[RSA_NUM][2]; /* 2 ops: sign then verify */ + #endif /* OPENSSL_NO_RSA */ + +-#define R_EC_P1600 +-#define R_EC_P1921 +-#define R_EC_P2242 +-#define R_EC_P2563 +-#define R_EC_P3844 +-#define R_EC_P5215 +-#define R_EC_K1636 +-#define R_EC_K2337 +-#define R_EC_K2838 +-#define R_EC_K4099 +-#define R_EC_K57110 +-#define R_EC_B16311 +-#define R_EC_B23312 +-#define R_EC_B28313 +-#define R_EC_B40914 +-#define R_EC_B57115 +-#define R_EC_BRP256R1 16 +-#define R_EC_BRP256T1 17 +-#define R_EC_BRP384R1 18 +-#define R_EC_BRP384T1 19 +-#define R_EC_BRP512R1 20 +-#define R_EC_BRP512T1 21 +-#define R_EC_X25519 22 +-#define R_EC_X44823 ++#define R_EC_P2240 ++#define R_EC_P2561 ++#define R_EC_P3842 ++#define R_EC_P5213 ++#define R_EC_X25519 4 ++#define R_EC_X4485 + #ifndef OPENSSL_NO_EC + static OPT_PAIR ecdsa_choices[] = { +-{"ecdsap160", R_EC_P160}, +-{"ecdsap192", R_EC_P192}, + {"ecdsap224", R_EC_P224}, + {"ecdsap256", R_EC_P256}, + {"ecdsap384", R_EC_P384}, + {"ecdsap521", R_EC_P521}, +-{"ecdsak163", R_EC_K163}, +-{"ecdsak233", R_EC_K233}, +-{"ecdsak283", R_EC_K283}, +-{"ecdsak409", R_EC_K409}, +-{"ecdsak571", R_EC_K571}, +-{"ecdsab163", R_EC_B163}, +-{"ecdsab233", R_EC_B233}, +-{"ecdsab283", R_EC_B283}, +-{"ecdsab409", R_EC_B409}, +-{"ecdsab571", R_EC_B571}, +-{"ecdsabrp256r1", R_EC_BRP256R1}, +-{"ecdsabrp256t1", R_EC_BRP256T1}, +-{"ecdsabrp384r1", R_EC_BRP384R1}, +-{"ecdsabrp384t1", R_EC_BRP384T1}, +-{"ecdsabrp512r1", R_EC_BRP512R1}, +-{"ecdsabrp512t1", R_EC_BRP512T1} + }; + # define ECDSA_NUM OSSL_NELEM(ecdsa_choices) + + static double ecdsa_results[ECDSA_NUM][2];/* 2 ops: sign then verify */ + + static const OPT_PAIR ecdh_choices[] = { +-{"ecdhp160", R_EC_P160}, +-{"ecdhp192", R_EC_P192}, + {"ecdhp224", R_EC_P224}, + 
{"ecdhp256", R_EC_P256}, + {"ecdhp384", R_EC_P384}, + {"ecdhp521", R_EC_P521}, +-{"ecdhk163", R_EC_K163}, +-{"ecdhk233", R_EC_K233}, +-{"ecdhk283", R_EC_K283}, +-{"ecdhk409", R_EC_K409}, +-{"ecdhk571", R_EC_K571}, +-{"ecdhb163", R_EC_B163}, +-{"ecdhb233", R_EC_B233}, +-{"ecdhb283", R_EC_B283}, +-{"ecdhb409", R_EC_B409}, +-{"ecdhb571", R_EC_B571}, +-{"ecdhbrp256r1", R_EC_BRP256R1}, +-{"ecdhbrp256t1", R_EC_BRP256T1}, +-{"ecdhbrp384r1", R_EC_BRP384R1}, +-{"ecdhbrp384t1", R_EC_BRP384T1}, +-{"ecdhbrp512r1", R_EC_BRP512R1}, +-{"ecdhbrp512t1", R_EC_BRP512T1}, + {"ecdhx25519", R_EC_X25519}, + {"ecdhx448", R_EC_X448} + }; +@@ -1495,29 +1441,10 @@ int speed_main(int argc, char **argv) + unsigned int bits; + } test_curves[] = { + /* Prime Curves */ +-{"secp160r1", NID_secp160r1, 160}, +-{"nistp192", NID_X9_62_prime192v1, 192}, + {"nistp224", NID_secp224r1, 224}, + {"nistp256", NID_X9_62_prime256v1, 256}, + {"nistp384", NID_secp384r1, 384}, + {"nistp521", NID_secp521r1, 521}, +-/* Binary Curves */ +-{"nistk163", NID_sect163k1, 163}, +-{"nistk233", NID_sect233k1, 233}, +-{"nistk283", NID_sect283k1, 283}, +-{"nistk409", NID_sect409k1, 409}, +-{"nistk571", NID_sect571k1, 571}, +-{"nistb163", NID_sect163r2, 163}, +-{"nistb233", NID_sect233r1, 233}, +-{"nistb283", NID_sect283r1, 283}, +-{"nistb409", NID_sect409r1, 409}, +-{"nistb571", NID_sect571r1, 571}, +-{"brainpoolP256r1", NID_brainpoolP256r1, 256}, +-{"brainpoolP256t1", NID_brainpoolP256t1, 256}, +-{"brainpoolP384r1", NID_brainpoolP384r1, 384}, +-{"brainpoolP384t1", NID_brainpoolP384t1, 384}, +-{"brainpoolP512r1", NID_brainpoolP512r1, 512}, +-
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: a1ced0de770abbc643d994378b9cd11a41605902 Author: Lars Wendler gentoo org> AuthorDate: Tue Feb 26 15:12:11 2019 + Commit: Lars Wendler gentoo org> CommitDate: Tue Feb 26 15:31:41 2019 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a1ced0de dev-libs/openssl: Removed old. Package-Manager: Portage-2.3.62, Repoman-2.3.12 Signed-off-by: Lars Wendler gentoo.org> dev-libs/openssl/Manifest | 4 - ...-1.1.1a-fix-a-minor-nit-in-hkdflabel-size.patch | 27 -- ...ix-cert-with-rsa-instead-of-rsaEncryption.patch | 97 - ...ix-some-SSL_export_keying_material-issues.patch | 420 - ...a-fix-wrong-return-value-in-ssl3_ctx_ctrl.patch | 26 -- ...ure-build_SYS_str_reasons_preserves_errno.patch | 68 .../openssl-1.1.1a-preserve-errno-on-dlopen.patch | 51 --- ...-system-error-number-in-a-few-more-places.patch | 57 --- ...t-reduce-stack-usage-in-tls13_hkdf_expand.patch | 56 --- dev-libs/openssl/openssl-1.0.2q-r200.ebuild| 248 dev-libs/openssl/openssl-1.1.1a-r1.ebuild | 299 --- dev-libs/openssl/openssl-1.1.1a.ebuild | 288 -- 12 files changed, 1641 deletions(-) diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest index 3f3dd41c6a0..dd125204215 100644 --- a/dev-libs/openssl/Manifest +++ b/dev-libs/openssl/Manifest 
@@ -15,10 +15,6 @@ DIST openssl-1.1.0j_d2ede125556ac99aa0faa7744c703af3f559094e_ec_curve.c 18401 BL DIST openssl-1.1.0j_d2ede125556ac99aa0faa7744c703af3f559094e_ectest.c 30688 BLAKE2B 6673ef0fd139af82d830794179b19b9e06be25fac4a13b8bdfa5fd5dad25f594ce8eab118aab9ec2aab25001e1de127c03f8e1a04f4f3ef4c464b7fb1811ed4a SHA512 240fc72916caf4a8b0af774ce307abfe9a93a762eba6fae760cec79d619fe3db0d6919fc92a8951cb031f73958237700b45f590aa7f9f2890762cccda1f1e74b DIST openssl-1.1.0j_d2ede125556ac99aa0faa7744c703af3f559094e_hobble-openssl 1117 BLAKE2B c3a1477e63331e83cf1cbe58e9ef131ec500a311e22d3da55034800ca353c387b2e202575acf3badb00b236ff91d4bac1bb131a33930939646d26bec27be6e04 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826 DIST openssl-1.1.1-ec-curves.patch 7265 BLAKE2B 04725d226c430132cf54afbfaa30a82f8f8bbfd3608823d1d0cd42c3c13f417e90762759da3134d7b0c4373e531925db337b681340f2f284cb2f16a4caef22e3 SHA512 de4d0f1635740c57217836a476c420141c0d34a5f90cbf7957aed7a80e7ac9ca036de2d8448e6bf4c122999e308730575899f61cea6e51ab6825dd04890d75a1 -DIST openssl-1.1.1a.tar.gz 8350547 BLAKE2B 71dae2f44ade3e31983599a491b5efe5da63bbe4f32a2336a8022b282f844a9d898f3b1c3fa825a5973cb16898e8e87fcd73d68e9b602b58f500c3f3e047b199 SHA512 1523985ba90f38aa91aa6c2d57652f4e243cb2a095ce6336bf34b39b5a9b5b876804299a6825c758b65990e57948da532cca761aa12b10958c97478d04dd6d34 -DIST openssl-1.1.1a_ec_curve.c 17938 BLAKE2B d5cbde40dcd8608087aed6ffa9feb040ffadecf0c46b7f3978cc468a9503f0a5ad0a426ea6f8db56f49a64474a508bebdf946e01ebf09adc727675f3b180bcdc SHA512 ec470f6514cb9a4f680b8cbbe02e2bbe71639b288f3429d976726047901d9c50377dfb2737f32429da2fb0e52fd67878a86debb54520e307ee196d97b5c66415 -DIST openssl-1.1.1a_ectest.c 35091 BLAKE2B a9602255ab529751c2af2419206ce113f03f93b7b776691ea2ec550f26ddbecd241844bb81dc86988fdbb1c0a587318f82ce4faecba1a6142a19cf08d40fb2c5 SHA512 
7813d9b6b7ab62119a7f2dd5431c17c5839f4c320ac7071b0714c9b8528bda5fda779dbb263328dca6ee8446e9fa09c663da659c9a82832a65cf53d1cd8a4cef -DIST openssl-1.1.1a_hobble-openssl 1117 BLAKE2B c3a1477e63331e83cf1cbe58e9ef131ec500a311e22d3da55034800ca353c387b2e202575acf3badb00b236ff91d4bac1bb131a33930939646d26bec27be6e04 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826 DIST openssl-1.1.1b.tar.gz 8213737 BLAKE2B 7ad9da9548052e2a033a684038f97c420cfffd57994604bcb3fa12640796c8c0aea3d24fb05648ee4940fbec40b81462e81c353da5a41a2575c0585d9718eae8 SHA512 b54025fbb4fe264466f3b0d762aad4be45bd23cd48bdb26d901d4c41a40bfd776177e02230995ab181a695435039dbad313f4b9a563239a70807a2e19ecf045d DIST openssl-1.1.1b_ec_curve.c 17938 BLAKE2B d5cbde40dcd8608087aed6ffa9feb040ffadecf0c46b7f3978cc468a9503f0a5ad0a426ea6f8db56f49a64474a508bebdf946e01ebf09adc727675f3b180bcdc SHA512 ec470f6514cb9a4f680b8cbbe02e2bbe71639b288f3429d976726047901d9c50377dfb2737f32429da2fb0e52fd67878a86debb54520e307ee196d97b5c66415 DIST openssl-1.1.1b_ectest.c 35091 BLAKE2B a9602255ab529751c2af2419206ce113f03f93b7b776691ea2ec550f26ddbecd241844bb81dc86988fdbb1c0a587318f82ce4faecba1a6142a19cf08d40fb2c5 SHA512 7813d9b6b7ab62119a7f2dd5431c17c5839f4c320ac7071b0714c9b8528bda5fda779dbb263328dca6ee8446e9fa09c663da659c9a82832a65cf53d1cd8a4cef diff --git a/dev-libs/openssl/files/openssl-1.1.1a-fix-a-minor-nit-in-hkdflabel-size.patch b/dev-libs/openssl/files/openssl-1.1.1a-fix-a-minor-nit-in-hkdflabel-size.patch deleted file mode 100644 index 8014be130ab..000 ---
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: 24a88b7aab48df287482caf912be7b69340a2f35 Author: Thomas Deutschmann gentoo org> AuthorDate: Mon Nov 12 18:19:25 2018 + Commit: Thomas Deutschmann gentoo org> CommitDate: Mon Nov 12 18:36:44 2018 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=24a88b7a dev-libs/openssl: add patch for CVE-2018-0734 Package-Manager: Portage-2.3.51, Repoman-2.3.12 Signed-off-by: Thomas Deutschmann gentoo.org> .../files/openssl-1.1.0i-CVE-2018-0734.patch | 131 + ...l-1.1.0i-r1.ebuild => openssl-1.1.0i-r2.ebuild} | 1 + 2 files changed, 132 insertions(+) diff --git a/dev-libs/openssl/files/openssl-1.1.0i-CVE-2018-0734.patch b/dev-libs/openssl/files/openssl-1.1.0i-CVE-2018-0734.patch new file mode 100644 index 000..47b082f4085 --- /dev/null +++ b/dev-libs/openssl/files/openssl-1.1.0i-CVE-2018-0734.patch 
@@ -0,0 +1,131 @@ +CVE-2018-0734 +https://github.com/openssl/openssl/commit/415c33563528667868c3c653a612e6fc8736fd79 +https://github.com/openssl/openssl/commit/ef11e19d1365eea2b1851e6f540a0bf365d303e7 + +--- a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c +@@ -11,6 +11,7 @@ + + #include + #include "internal/cryptlib.h" ++#include "internal/bn_int.h" + #include + #include + #include "dsa_locl.h" +@@ -25,6 +26,8 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, + DSA_SIG *sig, DSA *dsa); + static int dsa_init(DSA *dsa); + static int dsa_finish(DSA *dsa); ++static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q, ++ BN_CTX *ctx); + + static DSA_METHOD openssl_dsa_meth = { + "OpenSSL DSA method", +@@ -180,9 +183,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, + { + BN_CTX *ctx = NULL; + BIGNUM *k, *kinv = NULL, *r = *rp; +-BIGNUM *l, *m; ++BIGNUM *l; + int ret = 0; +-int q_bits; ++int q_bits, q_words; + + if (!dsa->p || !dsa->q || !dsa->g) { + DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS); +@@ -191,8 +194,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, + + k = BN_new(); + l = BN_new(); +-m = BN_new(); +-if (k == NULL || l == NULL || m == NULL) ++if (k == NULL || l == NULL) + goto err; + + if (ctx_in == NULL) { +@@ -203,9 +205,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, + + /* Preallocate space */ + q_bits = BN_num_bits(dsa->q); +-if (!BN_set_bit(k, q_bits) +-|| !BN_set_bit(l, q_bits) +-|| !BN_set_bit(m, q_bits)) ++q_words = bn_get_top(dsa->q); ++if (!bn_wexpand(k, q_words + 2) ++|| !bn_wexpand(l, q_words + 2)) + goto err; + + /* Get random k */ +@@ -240,14 +242,17 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, + * small timing information leakage. We then choose the sum that is + * one bit longer than the modulus. + * +- * TODO: revisit the BN_copy aiming for a memory access agnostic +- * conditional copy. ++ * There are some concerns about the efficacy of doing this. 
More ++ * specificly refer to the discussion starting with: ++ * https://github.com/openssl/openssl/pull/7486#discussion_r228323705 ++ * The fix is to rework BN so these gymnastics aren't required. + */ + if (!BN_add(l, k, dsa->q) +-|| !BN_add(m, l, dsa->q) +-|| !BN_copy(k, BN_num_bits(l) > q_bits ? l : m)) ++|| !BN_add(k, l, dsa->q)) + goto err; + ++BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2); ++ + if ((dsa)->meth->bn_mod_exp != NULL) { + if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx, +dsa->method_mont_p)) +@@ -260,8 +265,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, + if (!BN_mod(r, r, dsa->q, ctx)) + goto err; + +-/* Compute part of 's = inv(k) (m + xr) mod q' */ +-if ((kinv = BN_mod_inverse(NULL, k, dsa->q, ctx)) == NULL) ++/* Compute part of 's = inv(k) (m + xr) mod q' */ ++if ((kinv = dsa_mod_inverse_fermat(k, dsa->q, ctx)) == NULL) + goto err; + + BN_clear_free(*kinvp); +@@ -275,7 +280,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, + BN_CTX_free(ctx); + BN_clear_free(k); + BN_clear_free(l); +-BN_clear_free(m); + return ret; + } + +@@ -395,3 +399,31 @@ static int dsa_finish(DSA *dsa) + BN_MONT_CTX_free(dsa->method_mont_p); + return (1); + } ++ ++/* ++ * Compute the inverse of k modulo q. ++ * Since q is prime, Fermat's Little Theorem applies, which reduces this to ++ * mod-exp operation. Both the exponent and modulus are public information ++ * so a mod-exp that doesn't leak the base is sufficient. A newly allocated ++ * BIGNUM is returned which the caller must free. ++ */ ++static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q, ++ BN_CTX *ctx) ++{ ++
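Review bot: The new `dsa_mod_inverse_fermat(k, dsa->q, ctx)` call in dsa_sign_setup returns an inverse only when q is prime, yet the only parameter check visible in this function is that `dsa->p`, `dsa->q` and `dsa->g` are non-NULL. The helper's own comment states the assumption ("Since q is prime"), but the call site does not, and with a composite q the result would presumably be a wrong value rather than the NULL that `BN_mod_inverse` reports when no inverse exists. I would record the precondition where the call is made, e.g. `/* q must be prime (validated domain parameters): Fermat inversion is not an inverse otherwise */`, and fix the typo `specificly` to `specifically` in the rewritten comment above `BN_add`. The helper's body is cut off on this page, so whether it guards against this itself cannot be seen here.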
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
commit: 4fef1113c26ea7ac7fb9be6da77565310908e82a Author: Michael Mair-Keimberger gmail com> AuthorDate: Sun Sep 30 12:52:24 2018 + Commit: Lars Wendler gentoo org> CommitDate: Wed Oct 31 08:06:10 2018 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4fef1113 dev-libs/openssl: remove unused patches Signed-off-by: Michael Mair-Keimberger gmail.com> Closes: https://github.com/gentoo/gentoo/pull/10026 Signed-off-by: Lars Wendler gentoo.org> .../files/openssl-1.0.2o-CVE-2018-0732.patch | 39 --- .../openssl/files/openssl-1.0.2o-hobble-ecc.patch | 290 - 2 files changed, 329 deletions(-) diff --git a/dev-libs/openssl/files/openssl-1.0.2o-CVE-2018-0732.patch b/dev-libs/openssl/files/openssl-1.0.2o-CVE-2018-0732.patch deleted file mode 100644 index 148e7c3bc1a..000 --- a/dev-libs/openssl/files/openssl-1.0.2o-CVE-2018-0732.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 3984ef0b72831da8b3ece4745cac4f8575b19098 Mon Sep 17 00:00:00 2001 -From: Guido Vranken -Date: Mon, 11 Jun 2018 19:38:54 +0200 -Subject: [PATCH] Reject excessively large primes in DH key generation. - -CVE-2018-0732 - -Signed-off-by: Guido Vranken - -(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe) - -Reviewed-by: Tim Hudson -Reviewed-by: Matt Caswell -(Merged from https://github.com/openssl/openssl/pull/6457) - crypto/dh/dh_key.c | 7 ++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c -index 387558f1467..f235e0d682b 100644 a/crypto/dh/dh_key.c -+++ b/crypto/dh/dh_key.c -@@ -130,10 +130,15 @@ static int generate_key(DH *dh) - int ok = 0; - int generate_new_key = 0; - unsigned l; --BN_CTX *ctx; -+BN_CTX *ctx = NULL; - BN_MONT_CTX *mont = NULL; - BIGNUM *pub_key = NULL, *priv_key = NULL; - -+if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { -+DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE); -+return 0; -+} -+ - ctx = BN_CTX_new(); - if (ctx == NULL) - goto err; 
diff --git a/dev-libs/openssl/files/openssl-1.0.2o-hobble-ecc.patch b/dev-libs/openssl/files/openssl-1.0.2o-hobble-ecc.patch deleted file mode 100644 index e105fe45e45..000 --- a/dev-libs/openssl/files/openssl-1.0.2o-hobble-ecc.patch +++ /dev/null 
@@ -1,290 +0,0 @@ -Port of Fedora's Hobble-EC patches for OpenSSL 1.0 series. - -From https://src.fedoraproject.org/git/rpms/openssl.git - -Contains parts of the following patches, rediffed. The patches are on various -different branches. -f23 openssl-1.0.2c-ecc-suiteb.patch -f23 openssl-1.0.2a-fips-ec.patch -f28 openssl-1.1.0-ec-curves.patch - -Signed-off-By: Robin H. Johnson - -diff -Nuar --exclude ec_curve.c -p openssl-1.0.2m.hobble/apps/speed.c openssl-1.0.2m.mod/apps/speed.c openssl-1.0.2m.hobble/apps/speed.c 2017-11-02 07:32:57.0 -0700 -+++ openssl-1.0.2m.mod/apps/speed.c2018-06-10 19:00:09.264550382 -0700 -@@ -989,10 +989,7 @@ int MAIN(int argc, char **argv) - } else - # endif - # ifndef OPENSSL_NO_ECDSA --if (strcmp(*argv, "ecdsap160") == 0) --ecdsa_doit[R_EC_P160] = 2; --else if (strcmp(*argv, "ecdsap192") == 0) --ecdsa_doit[R_EC_P192] = 2; -+ if (0) {} - else if (strcmp(*argv, "ecdsap224") == 0) - ecdsa_doit[R_EC_P224] = 2; - else if (strcmp(*argv, "ecdsap256") == 0) -@@ -1001,36 +998,13 @@ int MAIN(int argc, char **argv) - ecdsa_doit[R_EC_P384] = 2; - else if (strcmp(*argv, "ecdsap521") == 0) - ecdsa_doit[R_EC_P521] = 2; --else if (strcmp(*argv, "ecdsak163") == 0) --ecdsa_doit[R_EC_K163] = 2; --else if (strcmp(*argv, "ecdsak233") == 0) --ecdsa_doit[R_EC_K233] = 2; --else if (strcmp(*argv, "ecdsak283") == 0) --ecdsa_doit[R_EC_K283] = 2; --else if (strcmp(*argv, "ecdsak409") == 0) --ecdsa_doit[R_EC_K409] = 2; --else if (strcmp(*argv, "ecdsak571") == 0) --ecdsa_doit[R_EC_K571] = 2; --else if (strcmp(*argv, "ecdsab163") == 0) --ecdsa_doit[R_EC_B163] = 2; --else if (strcmp(*argv, "ecdsab233") == 0) --ecdsa_doit[R_EC_B233] = 2; --else if (strcmp(*argv, "ecdsab283") == 0) --ecdsa_doit[R_EC_B283] = 2; --else if (strcmp(*argv, "ecdsab409") == 0) --ecdsa_doit[R_EC_B409] = 2; --else if (strcmp(*argv, "ecdsab571") == 0) --ecdsa_doit[R_EC_B571] = 2; - else if (strcmp(*argv, "ecdsa") == 0) { --for (i = 0; i < EC_NUM; i++) -+for (i = R_EC_P224; i < R_EC_P521; i++) - 
ecdsa_doit[i] = 1; - } else - # endif - # ifndef OPENSSL_NO_ECDH --if (strcmp(*argv, "ecdhp160") == 0) --ecdh_doit[R_EC_P160] = 2; --else if (strcmp(*argv, "ecdhp192") == 0) --ecdh_doit[R_EC_P192] = 2; -+ if (0)
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: 9cf9aa64d52743263e9619c3cd0794557e3b5445 Author: Lars Wendler gentoo org> AuthorDate: Mon Oct 29 13:02:33 2018 + Commit: Lars Wendler gentoo org> CommitDate: Mon Oct 29 13:08:20 2018 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9cf9aa64 dev-libs/openssl: Revbumps to fix CVE-2018-0735 Signed-off-by: Lars Wendler gentoo.org> Package-Manager: Portage-2.3.51, Repoman-2.3.11 .../files/openssl-1.1.0i-CVE-2018-0735.patch | 44 ++ .../files/openssl-1.1.1-CVE-2018-0735.patch| 44 ++ ...nssl-1.1.0i.ebuild => openssl-1.1.0i-r1.ebuild} | 5 ++- ...penssl-1.1.1.ebuild => openssl-1.1.1-r1.ebuild} | 4 ++ 4 files changed, 95 insertions(+), 2 deletions(-) diff --git a/dev-libs/openssl/files/openssl-1.1.0i-CVE-2018-0735.patch b/dev-libs/openssl/files/openssl-1.1.0i-CVE-2018-0735.patch new file mode 100644 index 000..5762c04fa34 --- /dev/null +++ b/dev-libs/openssl/files/openssl-1.1.0i-CVE-2018-0735.patch 
@@ -0,0 +1,44 @@ +From 56fb454d281a023b3f950d969693553d3f3ceea1 Mon Sep 17 00:00:00 2001 +From: Pauli +Date: Fri, 26 Oct 2018 10:54:58 +1000 +Subject: [PATCH] Timing vulnerability in ECDSA signature generation + (CVE-2018-0735) + +Preallocate an extra limb for some of the big numbers to avoid a reallocation +that can potentially provide a side channel. + +Reviewed-by: Bernd Edlinger +(Merged from https://github.com/openssl/openssl/pull/7486) + +(cherry picked from commit 99540ec79491f59ed8b46b4edf130e17dc907f52) +--- + crypto/ec/ec_mult.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c +index 22bb30ffa1..ff882cce20 100644 +--- a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c +@@ -177,8 +177,8 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r, + */ + cardinality_bits = BN_num_bits(cardinality); + group_top = bn_get_top(cardinality); +-if ((bn_wexpand(k, group_top + 1) == NULL) +-|| (bn_wexpand(lambda, group_top + 1) == NULL)) ++if ((bn_wexpand(k, group_top + 2) == NULL) ++|| (bn_wexpand(lambda, group_top + 2) == NULL)) + goto err; + + if (!BN_copy(k, scalar)) +@@ -205,7 +205,7 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r, + * k := scalar + 2*cardinality + */ + kbit = BN_is_bit_set(lambda, cardinality_bits); +-BN_consttime_swap(kbit, k, lambda, group_top + 1); ++BN_consttime_swap(kbit, k, lambda, group_top + 2); + + group_top = bn_get_top(group->field); + if ((bn_wexpand(s->X, group_top) == NULL) +-- +2.19.1 + diff --git a/dev-libs/openssl/files/openssl-1.1.1-CVE-2018-0735.patch b/dev-libs/openssl/files/openssl-1.1.1-CVE-2018-0735.patch new file mode 100644 index 000..295f5dbe8d8 --- /dev/null +++ b/dev-libs/openssl/files/openssl-1.1.1-CVE-2018-0735.patch 
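Review bot: The limb count `group_top + 2` is now spelled out three times in ec_mul_consttime, in the two `bn_wexpand` calls and again in `BN_consttime_swap`, with nothing tying them together. The swap walks a fixed number of words in both bignums, so as far as the hunk shows it is only sound while its count matches what `k` and `lambda` were expanded to; a later edit that changes one site but not the others would bring the reallocation or size mismatch back unnoticed. A comment at the swap such as `/* k and lambda were expanded to group_top + 2 limbs above; keep this count in sync */` would make the coupling explicit. The same applies to ec_scalar_mul_ladder in the 1.1.1 variant of this patch that follows. Both functions begin and end outside the hunks shown.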
@@ -0,0 +1,44 @@ +From b1d6d55ece1c26fa2829e2b819b038d7b6d692b4 Mon Sep 17 00:00:00 2001 +From: Pauli +Date: Fri, 26 Oct 2018 10:54:58 +1000 +Subject: [PATCH] Timing vulnerability in ECDSA signature generation + (CVE-2018-0735) + +Preallocate an extra limb for some of the big numbers to avoid a reallocation +that can potentially provide a side channel. + +Reviewed-by: Bernd Edlinger +(Merged from https://github.com/openssl/openssl/pull/7486) + +(cherry picked from commit 99540ec79491f59ed8b46b4edf130e17dc907f52) +--- + crypto/ec/ec_mult.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c +index 7e1b3650e7..0e0a5e1394 100644 +--- a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c +@@ -206,8 +206,8 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r, + */ + cardinality_bits = BN_num_bits(cardinality); + group_top = bn_get_top(cardinality); +-if ((bn_wexpand(k, group_top + 1) == NULL) +-|| (bn_wexpand(lambda, group_top + 1) == NULL)) { ++if ((bn_wexpand(k, group_top + 2) == NULL) ++|| (bn_wexpand(lambda, group_top + 2) == NULL)) { + ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB); + goto err; + } +@@ -244,7 +244,7 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r, + * k := scalar + 2*cardinality + */ + kbit = BN_is_bit_set(lambda, cardinality_bits); +-BN_consttime_swap(kbit, k, lambda, group_top + 1); ++BN_consttime_swap(kbit, k, lambda, group_top + 2); + + group_top = bn_get_top(group->field); + if ((bn_wexpand(s->X, group_top) == NULL) +-- +2.19.1 + diff --git a/dev-libs/openssl/openssl-1.1.0i.ebuild b/dev-libs/openssl/openssl-1.1.0i-r1.ebuild similarity index 98% rename from dev-libs/openssl/openssl-1.1.0i.ebuild rename to dev-libs/openssl/openssl-1.1.0i-r1.ebuild index f97d4157d7e..4cc9eb656d0 100644 --- a/dev-libs/openssl/openssl-1.1.0i.ebuild +++ b/dev-libs/openssl/openssl-1.1.0i-r1.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2018 Gentoo Foundation +# Copyright
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: a759287ff6a18f8e07dcc1b571d1369dbace720c Author: Thomas Deutschmann gentoo org> AuthorDate: Fri Aug 31 20:44:18 2018 + Commit: Thomas Deutschmann gentoo org> CommitDate: Fri Aug 31 20:45:08 2018 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a759287f dev-libs/openssl: fix USE=bindist Update hobble ECC patch against openssl-1.0.2p [Link 1]. Link 1: https://github.com/openssl/openssl/commit/949ff36623eafc3523a9f91784992965018ffb05 Closes: https://bugs.gentoo.org/664254 Package-Manager: Portage-2.3.48, Repoman-2.3.10 .../openssl/files/openssl-1.0.2p-hobble-ecc.patch | 283 + dev-libs/openssl/openssl-1.0.2p.ebuild | 2 +- 2 files changed, 284 insertions(+), 1 deletion(-) diff --git a/dev-libs/openssl/files/openssl-1.0.2p-hobble-ecc.patch b/dev-libs/openssl/files/openssl-1.0.2p-hobble-ecc.patch new file mode 100644 index 000..3a458a78360 --- /dev/null +++ b/dev-libs/openssl/files/openssl-1.0.2p-hobble-ecc.patch 
@@ -0,0 +1,283 @@ +Port of Fedora's Hobble-EC patches for OpenSSL 1.0 series. + +From https://src.fedoraproject.org/git/rpms/openssl.git + +Contains parts of the following patches, rediffed. The patches are on various +different branches. +f23 openssl-1.0.2c-ecc-suiteb.patch +f23 openssl-1.0.2a-fips-ec.patch +f28 openssl-1.1.0-ec-curves.patch + +Signed-off-By: Robin H. Johnson + +--- a/apps/speed.c b/apps/speed.c +@@ -989,10 +989,7 @@ int MAIN(int argc, char **argv) + } else + # endif + # ifndef OPENSSL_NO_ECDSA +-if (strcmp(*argv, "ecdsap160") == 0) +-ecdsa_doit[R_EC_P160] = 2; +-else if (strcmp(*argv, "ecdsap192") == 0) +-ecdsa_doit[R_EC_P192] = 2; ++ if (0) {} + else if (strcmp(*argv, "ecdsap224") == 0) + ecdsa_doit[R_EC_P224] = 2; + else if (strcmp(*argv, "ecdsap256") == 0) +@@ -1001,36 +998,13 @@ int MAIN(int argc, char **argv) + ecdsa_doit[R_EC_P384] = 2; + else if (strcmp(*argv, "ecdsap521") == 0) + ecdsa_doit[R_EC_P521] = 2; +-else if (strcmp(*argv, "ecdsak163") == 0) +-ecdsa_doit[R_EC_K163] = 2; +-else if (strcmp(*argv, "ecdsak233") == 0) +-ecdsa_doit[R_EC_K233] = 2; +-else if (strcmp(*argv, "ecdsak283") == 0) +-ecdsa_doit[R_EC_K283] = 2; +-else if (strcmp(*argv, "ecdsak409") == 0) +-ecdsa_doit[R_EC_K409] = 2; +-else if (strcmp(*argv, "ecdsak571") == 0) +-ecdsa_doit[R_EC_K571] = 2; +-else if (strcmp(*argv, "ecdsab163") == 0) +-ecdsa_doit[R_EC_B163] = 2; +-else if (strcmp(*argv, "ecdsab233") == 0) +-ecdsa_doit[R_EC_B233] = 2; +-else if (strcmp(*argv, "ecdsab283") == 0) +-ecdsa_doit[R_EC_B283] = 2; +-else if (strcmp(*argv, "ecdsab409") == 0) +-ecdsa_doit[R_EC_B409] = 2; +-else if (strcmp(*argv, "ecdsab571") == 0) +-ecdsa_doit[R_EC_B571] = 2; + else if (strcmp(*argv, "ecdsa") == 0) { +-for (i = 0; i < EC_NUM; i++) ++for (i = R_EC_P224; i < R_EC_P521; i++) + ecdsa_doit[i] = 1; + } else + # endif + # ifndef OPENSSL_NO_ECDH +-if (strcmp(*argv, "ecdhp160") == 0) +-ecdh_doit[R_EC_P160] = 2; +-else if (strcmp(*argv, "ecdhp192") == 0) +-ecdh_doit[R_EC_P192] = 2; ++ 
if (0) {} + else if (strcmp(*argv, "ecdhp224") == 0) + ecdh_doit[R_EC_P224] = 2; + else if (strcmp(*argv, "ecdhp256") == 0) +@@ -1039,28 +1013,8 @@ int MAIN(int argc, char **argv) + ecdh_doit[R_EC_P384] = 2; + else if (strcmp(*argv, "ecdhp521") == 0) + ecdh_doit[R_EC_P521] = 2; +-else if (strcmp(*argv, "ecdhk163") == 0) +-ecdh_doit[R_EC_K163] = 2; +-else if (strcmp(*argv, "ecdhk233") == 0) +-ecdh_doit[R_EC_K233] = 2; +-else if (strcmp(*argv, "ecdhk283") == 0) +-ecdh_doit[R_EC_K283] = 2; +-else if (strcmp(*argv, "ecdhk409") == 0) +-ecdh_doit[R_EC_K409] = 2; +-else if (strcmp(*argv, "ecdhk571") == 0) +-ecdh_doit[R_EC_K571] = 2; +-else if (strcmp(*argv, "ecdhb163") == 0) +-ecdh_doit[R_EC_B163] = 2; +-else if (strcmp(*argv, "ecdhb233") == 0) +-ecdh_doit[R_EC_B233] = 2; +-else if (strcmp(*argv, "ecdhb283") == 0) +-ecdh_doit[R_EC_B283] = 2; +-else if (strcmp(*argv, "ecdhb409") == 0) +-ecdh_doit[R_EC_B409] = 2; +-else if (strcmp(*argv, "ecdhb571") == 0) +-ecdh_doit[R_EC_B571] = 2; + else if (strcmp(*argv, "ecdh") == 0) { +-for (i = 0; i < EC_NUM; i++) ++ for (i = R_EC_P224; i <= R_EC_P521; i++) + ecdh_doit[i] = 1; + } else + # endif +@@ -1149,21 +1103,13 @@ int MAIN(int argc, char **argv) + BIO_printf(bio_err, "dsa512
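Review bot: The rewritten `ecdsa` catch-all loop stops one entry short: `for (i = R_EC_P224; i < R_EC_P521; i++)` never sets `ecdsa_doit[R_EC_P521]`, while the matching `ecdh` loop in the next hunk uses `i <= R_EC_P521`. With the patch applied, selecting `ecdsa` would therefore leave P-521 out even though `ecdsap521` is still accepted on its own. The bound should match the ECDH one, `for (i = R_EC_P224; i <= R_EC_P521; i++)`. The 1.0.2o version of this patch later on the page has the same `<` in its `ecdsa` loop. MAIN's body extends beyond the hunks shown.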
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: 4ecf2957ca3d36dca9ba2a820bcef7b734780a07 Author: Lars Wendler gentoo org> AuthorDate: Tue Aug 14 13:53:31 2018 + Commit: Lars Wendler gentoo org> CommitDate: Tue Aug 14 13:53:56 2018 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4ecf2957 dev-libs/openssl: Bump to version 1.1.0i. Removed old. Package-Manager: Portage-2.3.46, Repoman-2.3.10 dev-libs/openssl/Manifest | 8 ++--- .../files/openssl-1.1.0h-CVE-2018-0732.patch | 39 -- .../files/openssl-1.1.0h-CVE-2018-0737.patch | 31 - ...nssl-1.1.0h-r2.ebuild => openssl-1.1.0i.ebuild} | 2 -- 4 files changed, 4 insertions(+), 76 deletions(-) diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest index c8f76950a4e..f405455302b 100644 --- a/dev-libs/openssl/Manifest +++ b/dev-libs/openssl/Manifest 
@@ -6,8 +6,8 @@ DIST openssl-1.0.2o_ectest.c 30735 BLAKE2B 95333a27f1cf0a4305a3cee7f6d46b9d46735 DIST openssl-1.0.2o_hobble-openssl 1302 BLAKE2B 647caa6a0f4c53a2e77baa3b8e5961eaef3bb0ff38e7d5475eab8deef3439f7fe49028ec9ed0406f3453870b62cac67c496b3a048ee4c9ff4c6866d520235960 SHA512 3d757a4708e74a03dd5cb9b8114dfe442ed9520739a6eca693be4c4265771696f1449ea06d1c9bcfc6e94fc9b0dd0c10e153f1c3b0334831c0550b36cd63326e DIST openssl-1.1.0-build.patch 3028 BLAKE2B f8cf981ed3717af234ce02fa50f27cdbcbf2b766968a5957fc6f0a4ea997549505fa77398444d7f3b9a75f66048447fe62542b9cb1d5f0268add87c44915a6fd SHA512 b19a912900970052f80c67f28975e793ae9e70ebfc62efae0544e09931079e98c4cd29ce1cc8d937ceca97aff9a12fdc1ff9ce6c2b47fea68c79e7065464a0f0 DIST openssl-1.1.0-ec-curves.patch 2967 BLAKE2B 1c639514445ea85cf731732aa7901b5a03ddb5f637b0483ab2ec6825433ad978723c5a07316db684bdaca4a12fc673b4e049a49c0cd4dbe5f25a5e2bd3b75cf5 SHA512 8fb9c6759ae2077ad3697ba77e85ab3970fd8b3f64b21eb260b4f6333b7ebf2f5a53c7eee311229edfbd96a2b904ec5e5e00dfa5b62cf1105fece13069077bd2 -DIST openssl-1.1.0h.tar.gz 5422717 BLAKE2B 11de1468855c0bb1836fb346c8efdfedd06139a774fc4dbae1b0e95fea7a33aa39b541e3d2d27f83f2b5f4dd3846cca2356020aa6ec81793085842ab78b3a127 SHA512 fb7750fcd98e6126eb5b92e7ed63d811a5cfa3391d98572003d925f6c7b477690df86a9aa1fa6bf6bf33d02c6c7aee6cff50a38faa8911409f310645898fda39 -DIST openssl-1.1.0h_ec_curve.c 18393 BLAKE2B 49dca7ddbc23270e5927454925df7bb18c8d9eb58f79e3a4fbcd8b7fc22fad36e2cb54ff9b63c2ba15c0c075a96e4ce8d03991355419af41fa9dc2aed3ad SHA512 ee3e576825bccdf02cede4205ab92c42ae9dd3a8e75ce58617a3a5980a61d144eb3c5197d9dcd378a5d49bf34c4b2f591aa6a619fee92b7a22825d72681ab879 -DIST openssl-1.1.0h_ectest.c 29907 BLAKE2B 73dc800c1de5449f14d7753f7f7b8e672cd36bd4570e6df07f246d1d823c7dbbeef492f25cdd0ebfd693f5956732bc84c9d91fc6a22c854fe4b245ecf3890bda SHA512 90cec9d46326cb7216236811c8e963032b6fa7500117cea36f28534eb50a5ab1260c7f9a5c8c490d845236b0769576a8d97bc7471f970e9c5e70cb3408c20dae -DIST openssl-1.1.0h_hobble-openssl 1117 
BLAKE2B c3a1477e63331e83cf1cbe58e9ef131ec500a311e22d3da55034800ca353c387b2e202575acf3badb00b236ff91d4bac1bb131a33930939646d26bec27be6e04 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826 +DIST openssl-1.1.0i.tar.gz 5453234 BLAKE2B ae6bec9c116769d98a77165b96fb7d201fe2ede8ee98e3cb68eba496cc90a5fae38dbcbb68b824c9eeacb25605aa80c3ccca9b4f00725658da3ad646834b0f9d SHA512 4a9d454031f644a3072a980f4ea20df976f6c5c58178549dfa62fd4dcf1417509e3be517d2ccb265c87688836f2993531b142fc5971bac5c41d33060057627df +DIST openssl-1.1.0i_ec_curve.c 18393 BLAKE2B 49dca7ddbc23270e5927454925df7bb18c8d9eb58f79e3a4fbcd8b7fc22fad36e2cb54ff9b63c2ba15c0c075a96e4ce8d03991355419af41fa9dc2aed3ad SHA512 ee3e576825bccdf02cede4205ab92c42ae9dd3a8e75ce58617a3a5980a61d144eb3c5197d9dcd378a5d49bf34c4b2f591aa6a619fee92b7a22825d72681ab879 +DIST openssl-1.1.0i_ectest.c 29908 BLAKE2B b398bafd5d5aea71daa9c3e2749dece9e515950e35547a6191d83987907aae73e090a4b552636af4d1ab2b39f7e3b1ea3fde2012c99f068f9c99d247996c1212 SHA512 e4445f8959b040caca6a7494da2026b840f84348df5d4eab47a68570d274333f62fa0c381955093edd86c857dad98595ffa2980c54afdcf2a8d32f32d0c70450 +DIST openssl-1.1.0i_hobble-openssl 1117 BLAKE2B c3a1477e63331e83cf1cbe58e9ef131ec500a311e22d3da55034800ca353c387b2e202575acf3badb00b236ff91d4bac1bb131a33930939646d26bec27be6e04 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826 DIST openssl-1.1.1-pre8.tar.gz 8334954 BLAKE2B 97cd018908925abd5a4eb660b3488b23efb582dd49dd87504e5522b2e9c5c6500417ef4893590a60ce35cfa316de51bfbf3e448e9cb2a5858ecd8ae72722922d SHA512 33b20f8589e0ba67500993635e1ba7f7f7ce2b6fa1eb8d4d7c44711ff047045dde57ad7e0605377c2b030fc954a3fb9b1f1d68feac2080991ef2b1b72a761041 
diff --git a/dev-libs/openssl/files/openssl-1.1.0h-CVE-2018-0732.patch b/dev-libs/openssl/files/openssl-1.1.0h-CVE-2018-0732.patch deleted file mode 100644 index e7dfba43f2a..000 ---
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: 93630094c0989383439d077f02be5c65d838fae0 Author: Robin H. Johnson gentoo org> AuthorDate: Mon Jun 11 13:56:19 2018 + Commit: Robin H. Johnson gentoo org> CommitDate: Mon Jun 11 13:58:33 2018 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=93630094 dev-libs/openssl: Add Fedora Hobble-EC patch With this patch present, USE=bindist should now provide enough EC functionality to be used by most packages. Signed-off-by: Robin H. Johnson gentoo.org> Package-Manager: Portage-2.3.33, Repoman-2.3.9 .../openssl/files/openssl-1.0.2o-hobble-ecc.patch | 290 dev-libs/openssl/openssl-1.0.2o-r5.ebuild | 296 + 2 files changed, 586 insertions(+) diff --git a/dev-libs/openssl/files/openssl-1.0.2o-hobble-ecc.patch b/dev-libs/openssl/files/openssl-1.0.2o-hobble-ecc.patch new file mode 100644 index 000..e105fe45e45 --- /dev/null +++ b/dev-libs/openssl/files/openssl-1.0.2o-hobble-ecc.patch 
@@ -0,0 +1,290 @@ +Port of Fedora's Hobble-EC patches for OpenSSL 1.0 series. + +From https://src.fedoraproject.org/git/rpms/openssl.git + +Contains parts of the following patches, rediffed. The patches are on various +different branches. +f23 openssl-1.0.2c-ecc-suiteb.patch +f23 openssl-1.0.2a-fips-ec.patch +f28 openssl-1.1.0-ec-curves.patch + +Signed-off-By: Robin H. Johnson + +diff -Nuar --exclude ec_curve.c -p openssl-1.0.2m.hobble/apps/speed.c openssl-1.0.2m.mod/apps/speed.c +--- openssl-1.0.2m.hobble/apps/speed.c 2017-11-02 07:32:57.0 -0700 openssl-1.0.2m.mod/apps/speed.c2018-06-10 19:00:09.264550382 -0700 +@@ -989,10 +989,7 @@ int MAIN(int argc, char **argv) + } else + # endif + # ifndef OPENSSL_NO_ECDSA +-if (strcmp(*argv, "ecdsap160") == 0) +-ecdsa_doit[R_EC_P160] = 2; +-else if (strcmp(*argv, "ecdsap192") == 0) +-ecdsa_doit[R_EC_P192] = 2; ++ if (0) {} + else if (strcmp(*argv, "ecdsap224") == 0) + ecdsa_doit[R_EC_P224] = 2; + else if (strcmp(*argv, "ecdsap256") == 0) +@@ -1001,36 +998,13 @@ int MAIN(int argc, char **argv) + ecdsa_doit[R_EC_P384] = 2; + else if (strcmp(*argv, "ecdsap521") == 0) + ecdsa_doit[R_EC_P521] = 2; +-else if (strcmp(*argv, "ecdsak163") == 0) +-ecdsa_doit[R_EC_K163] = 2; +-else if (strcmp(*argv, "ecdsak233") == 0) +-ecdsa_doit[R_EC_K233] = 2; +-else if (strcmp(*argv, "ecdsak283") == 0) +-ecdsa_doit[R_EC_K283] = 2; +-else if (strcmp(*argv, "ecdsak409") == 0) +-ecdsa_doit[R_EC_K409] = 2; +-else if (strcmp(*argv, "ecdsak571") == 0) +-ecdsa_doit[R_EC_K571] = 2; +-else if (strcmp(*argv, "ecdsab163") == 0) +-ecdsa_doit[R_EC_B163] = 2; +-else if (strcmp(*argv, "ecdsab233") == 0) +-ecdsa_doit[R_EC_B233] = 2; +-else if (strcmp(*argv, "ecdsab283") == 0) +-ecdsa_doit[R_EC_B283] = 2; +-else if (strcmp(*argv, "ecdsab409") == 0) +-ecdsa_doit[R_EC_B409] = 2; +-else if (strcmp(*argv, "ecdsab571") == 0) +-ecdsa_doit[R_EC_B571] = 2; + else if (strcmp(*argv, "ecdsa") == 0) { +-for (i = 0; i < EC_NUM; i++) ++for (i = R_EC_P224; i < R_EC_P521; i++) + 
ecdsa_doit[i] = 1; + } else + # endif + # ifndef OPENSSL_NO_ECDH +-if (strcmp(*argv, "ecdhp160") == 0) +-ecdh_doit[R_EC_P160] = 2; +-else if (strcmp(*argv, "ecdhp192") == 0) +-ecdh_doit[R_EC_P192] = 2; ++ if (0) {} + else if (strcmp(*argv, "ecdhp224") == 0) + ecdh_doit[R_EC_P224] = 2; + else if (strcmp(*argv, "ecdhp256") == 0) +@@ -1039,28 +1013,8 @@ int MAIN(int argc, char **argv) + ecdh_doit[R_EC_P384] = 2; + else if (strcmp(*argv, "ecdhp521") == 0) + ecdh_doit[R_EC_P521] = 2; +-else if (strcmp(*argv, "ecdhk163") == 0) +-ecdh_doit[R_EC_K163] = 2; +-else if (strcmp(*argv, "ecdhk233") == 0) +-ecdh_doit[R_EC_K233] = 2; +-else if (strcmp(*argv, "ecdhk283") == 0) +-ecdh_doit[R_EC_K283] = 2; +-else if (strcmp(*argv, "ecdhk409") == 0) +-ecdh_doit[R_EC_K409] = 2; +-else if (strcmp(*argv, "ecdhk571") == 0) +-ecdh_doit[R_EC_K571] = 2; +-else if (strcmp(*argv, "ecdhb163") == 0) +-ecdh_doit[R_EC_B163] = 2; +-else if (strcmp(*argv, "ecdhb233") == 0) +-ecdh_doit[R_EC_B233] = 2; +-else if (strcmp(*argv, "ecdhb283") == 0) +-ecdh_doit[R_EC_B283] = 2; +-else if (strcmp(*argv, "ecdhb409") == 0) +-ecdh_doit[R_EC_B409] = 2; +-else if (strcmp(*argv, "ecdhb571") == 0) +-ecdh_doit[R_EC_B571] = 2; + else if (strcmp(*argv, "ecdh") == 0) { +-for (i = 0; i < EC_NUM; i++) ++ for (i =
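Review bot: The new group loop `for (i = R_EC_P224; i < R_EC_P521; i++)` in the `ecdsa` branch stops one short of P-521, so the `ecdsa` group would skip the curve that `ecdsap521` still selects explicitly a few lines above. Assuming the `R_EC_*` indices are consecutive in the order their names suggest (their definitions are outside the hunk), the bound should be inclusive: `for (i = R_EC_P224; i <= R_EC_P521; i++)`. The matching `ecdh` loop in the next hunk is cut off on this page and should be checked for the same bound. The `if (0) {}` placeholders that keep the `else if` chains valid would also be easier to maintain with a short comment such as `/* disabled curves removed; keeps the else-if chain intact */`.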
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
commit: 9fe32836f19db9b4c614e0e6d563ac267ba21e2f Author: Conrad Kostecki kostecki com> AuthorDate: Thu Apr 26 20:18:45 2018 + Commit: Robin H. Johnson gentoo org> CommitDate: Sat May 12 20:25:45 2018 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9fe32836 dev-libs/openssl: use aarch64 machine for arm64 arch Closes: https://bugs.gentoo.org/638926 Package-Manager: Portage-2.3.24, Repoman-2.3.6 (cherry picked from commit d1a9b4ac497aa915d51b40c56f160619c62b801a) Signed-off-by: Robin H. Johnson gentoo.org> Closes: https://github.com/gentoo/gentoo/pull/7306 dev-libs/openssl/files/gentoo.config-1.0.2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dev-libs/openssl/files/gentoo.config-1.0.2 b/dev-libs/openssl/files/gentoo.config-1.0.2 index 37b83cc2e7b..d16175e6292 100644 --- a/dev-libs/openssl/files/gentoo.config-1.0.2 +++ b/dev-libs/openssl/files/gentoo.config-1.0.2 @@ -1,5 +1,5 @@ #!/usr/bin/env bash -# Copyright 1999-2017 Gentoo Foundation +# Copyright 1999-2018 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 # # Openssl doesn't play along nicely with cross-compiling @@ -81,8 +81,8 @@ chost_machine=${CHOST%%-*} case ${system} in linux) case ${chost_machine}:${ABI} in - aarch64*be*) machine="generic64 -DB_ENDIAN";; - aarch64*) machine="generic64 -DL_ENDIAN";; + aarch64*be*) machine="aarch64 -DB_ENDIAN";; + aarch64*) machine="aarch64 -DL_ENDIAN";; alphaev56*|\ alphaev[678]*)machine=alpha+bwx-${compiler};; alpha*) machine=alpha-${compiler};;
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
commit: 78d4a40a859636e46a150be8f53817faabb29744 Author: Michael Mair-Keimberger gmail com> AuthorDate: Sat Apr 28 07:58:59 2018 + Commit: Lars Wendler gentoo org> CommitDate: Fri May 4 07:18:28 2018 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=78d4a40a dev-libs/openssl: remove unused patch Closes: https://github.com/gentoo/gentoo/pull/8189 .../files/openssl-1.1.0g-CVE-2017-3738.patch | 77 -- 1 file changed, 77 deletions(-) diff --git a/dev-libs/openssl/files/openssl-1.1.0g-CVE-2017-3738.patch b/dev-libs/openssl/files/openssl-1.1.0g-CVE-2017-3738.patch deleted file mode 100644 index 4b01feb8e87..000 --- a/dev-libs/openssl/files/openssl-1.1.0g-CVE-2017-3738.patch +++ /dev/null 
@@ -1,77 +0,0 @@ -From e502cc86df9dafded1694fceb3228ee34d11c11a Mon Sep 17 00:00:00 2001 -From: Andy Polyakov-Date: Fri, 24 Nov 2017 11:35:50 +0100 -Subject: [PATCH] bn/asm/rsaz-avx2.pl: fix digit correction bug in - rsaz_1024_mul_avx2. - -Credit to OSS-Fuzz for finding this. - -CVE-2017-3738 - -Reviewed-by: Rich Salz - crypto/bn/asm/rsaz-avx2.pl | 15 +++ - 1 file changed, 7 insertions(+), 8 deletions(-) - -diff --git a/crypto/bn/asm/rsaz-avx2.pl b/crypto/bn/asm/rsaz-avx2.pl -index 0c1b236ef98..46d746b7d0e 100755 a/crypto/bn/asm/rsaz-avx2.pl -+++ b/crypto/bn/asm/rsaz-avx2.pl -@@ -246,7 +246,7 @@ - vmovdqu 32*8-128($ap), $ACC8 - - lea 192(%rsp), $tp0 # 64+128=192 -- vpbroadcastq.Land_mask(%rip), $AND_MASK -+ vmovdqu .Land_mask(%rip), $AND_MASK - jmp .LOOP_GRANDE_SQR_1024 - - .align32 -@@ -1077,10 +1077,10 @@ - vpmuludq32*6-128($np),$Yi,$TEMP1 - vpaddq $TEMP1,$ACC6,$ACC6 - vpmuludq32*7-128($np),$Yi,$TEMP2 -- vpblendd \$3, $ZERO, $ACC9, $ACC9# correct $ACC3 -+ vpblendd \$3, $ZERO, $ACC9, $TEMP1 # correct $ACC3 - vpaddq $TEMP2,$ACC7,$ACC7 - vpmuludq32*8-128($np),$Yi,$TEMP0 -- vpaddq $ACC9, $ACC3, $ACC3 # correct $ACC3 -+ vpaddq $TEMP1, $ACC3, $ACC3# correct $ACC3 - vpaddq $TEMP0,$ACC8,$ACC8 - - mov %rbx, %rax -@@ -1093,7 +1093,9 @@ -vmovdqu-8+32*2-128($ap),$TEMP2 - - mov $r1, %rax -+ vpblendd \$0xfc, $ZERO, $ACC9, $ACC9 # correct $ACC3 - imull $n0, %eax -+ vpaddq $ACC9,$ACC4,$ACC4 # correct $ACC3 - and \$0x1fff, %eax - -imulq 16-128($ap),%rbx -@@ -1329,15 +1331,12 @@ - # But as we underutilize resources, it's possible to correct in - # each iteration with marginal performance loss. But then, as - # we do it in each iteration, we can correct less digits, and --# avoid performance penalties completely. Also note that we --# correct only three digits out of four. This works because --# most significant digit is subjected to less additions. -+# avoid performance penalties completely. 
- - $TEMP0 = $ACC9; - $TEMP3 = $Bi; - $TEMP4 = $Yi; - $code.=<<___; -- vpermq \$0, $AND_MASK, $AND_MASK - vpaddq (%rsp), $TEMP1, $ACC0 - - vpsrlq \$29, $ACC0, $TEMP1 -@@ -1770,7 +1769,7 @@ - - .align64 - .Land_mask: -- .quad 0x1fff,0x1fff,0x1fff,-1 -+ .quad 0x1fff,0x1fff,0x1fff,0x1fff - .Lscatter_permd: - .long 0,2,4,6,7,7,7,7 - .Lgather_permd:
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: 30945a68d3d4c98433363ed73475b8233ac02118 Author: Thomas Deutschmann gentoo org> AuthorDate: Tue Apr 17 20:50:09 2018 + Commit: Thomas Deutschmann gentoo org> CommitDate: Tue Apr 17 20:50:30 2018 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=30945a68 dev-libs/openssl: Rev bump to add patch for CVE-2018-0737 Bug: https://bugs.gentoo.org/653434 Package-Manager: Portage-2.3.28, Repoman-2.3.9 dev-libs/openssl/Manifest | 1 + .../files/openssl-1.1.0h-CVE-2018-0737.patch | 31 +++ dev-libs/openssl/openssl-1.0.2o-r1.ebuild | 251 ++ dev-libs/openssl/openssl-1.1.0h-r1.ebuild | 284 + 4 files changed, 567 insertions(+) diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest index 1b87ae73a6b..51a22aaeb52 100644 --- a/dev-libs/openssl/Manifest +++ b/dev-libs/openssl/Manifest 
@@ -1,6 +1,7 @@ DIST openssl-0.9.8zh.tar.gz 3818524 BLAKE2B 610bb4858900983cf4519fa8b63f1e03b3845e39e68884fd8bebd738cd5cd6c2c75513643af49bf9e2294adc446a6516480fe9b62de55d9b6379bf9e7c5cd364 SHA512 b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6 DIST openssl-1.0.2-patches-1.0.tar.xz 11572 BLAKE2B bdb9d2b8388f1aadf3a9274133aa8f86b0029fae1ce86d005baa39a7347657f8d4d84395b54e8ccd67944356ee197dfb527f843b4f146e305533e2ad5450721d SHA512 15234ade359a0acf001cf10c7a7fc05f54603a44c67831529c2a6eda03342f9ba1cf40664ac782b5b73c50b23ec5649fb48ccff2aea8f0df2ef634959c47e3e9 DIST openssl-1.0.2-patches-1.2.tar.xz 12208 BLAKE2B 99b7a3538aeeecf8e1939fb08d26e2ce6aa4140488f0f6fc382a4f0dbdd67a0204c4689809e9d170148ad6686d4dbf0c8fc95802712270b0ea5720bc06c8fbbf SHA512 5e5739ab7132e986abe9704739dab2ccd16df9696318ed29762d4ee0245fd2645f9435f7340ba36edd5531a83e48489fc659ad78c09ded0e0d021dd5a3906ea6 +DIST openssl-1.0.2-patches-1.3.tar.xz 12592 BLAKE2B bce0c289ae689091fe62e9c0d7d631cd915fd17beb81b0879931e0414f25c8a08425a08514e28ea7e81c1be23cf162f3bcad7cc3933f2378f53decabd3a7903d SHA512 3ad3efa45eddb733e3db9c406f9f651dbf939bbb13debbcab12b49ecf72490a4868b1563de60ee106483c1b23bd2092fc58c8fc911fe62a019cb97d738163723 DIST openssl-1.0.2n.tar.gz 5375802 BLAKE2B 2e04f8c3d5e2296859b8474d7e100e270f53f18a26c6d37a4cf5e01cd14f44d24d334b4e705da05d77c33b5dc91cffea0feea9f7c83c77ba16c9b6d5f5085894 SHA512 144bf0d6aa27b4af01df0b7b734c39962649e1711554247d42e05e14d8945742b18745aefdba162e2dfc762b941fd7d3b2d5dc6a781ae4ba10a6f5a3cadb0687 DIST openssl-1.0.2o.tar.gz 5329472 BLAKE2B 30226db49be04317da3a76cce68d5aa401decd198f92505bddb0c72a7ef6a79f3c9c06d4a816db734e2a0991ebcab8b207feced26d83639e50c821d9e76ddc45 SHA512 8a2c93657c85143e76785bb32ee836908c31a6f5f8db993fa9777acba6079e630c03edbad65d1587199fc13a1507789eacf038b56eb99139c2091d9df7fd DIST openssl-1.1.0-build.patch 3028 BLAKE2B 
f8cf981ed3717af234ce02fa50f27cdbcbf2b766968a5957fc6f0a4ea997549505fa77398444d7f3b9a75f66048447fe62542b9cb1d5f0268add87c44915a6fd SHA512 b19a912900970052f80c67f28975e793ae9e70ebfc62efae0544e09931079e98c4cd29ce1cc8d937ceca97aff9a12fdc1ff9ce6c2b47fea68c79e7065464a0f0 diff --git a/dev-libs/openssl/files/openssl-1.1.0h-CVE-2018-0737.patch b/dev-libs/openssl/files/openssl-1.1.0h-CVE-2018-0737.patch new file mode 100644 index 000..34c9cc02fa7 --- /dev/null +++ b/dev-libs/openssl/files/openssl-1.1.0h-CVE-2018-0737.patch @@ -0,0 +1,31 @@ +From 349a41da1ad88ad87825414752a8ff5fdd6a6c3f Mon Sep 17 00:00:00 2001 +From: Billy Brumley+Date: Wed, 11 Apr 2018 10:10:58 +0300 +Subject: [PATCH] RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont + both get called with BN_FLG_CONSTTIME flag set. + +CVE-2018-0737 + +Reviewed-by: Rich Salz +Reviewed-by: Matt Caswell +(cherry picked from commit 6939eab03a6e23d2bd2c3f5e34fe1d48e542e787) +--- + crypto/rsa/rsa_gen.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c +index 9ca5dfe..42b89a8 100644 +--- a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c +@@ -156,6 +156,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, + if (BN_copy(rsa->e, e_value) == NULL) + goto err; + ++BN_set_flags(rsa->p, BN_FLG_CONSTTIME); ++BN_set_flags(rsa->q, BN_FLG_CONSTTIME); + BN_set_flags(r2, BN_FLG_CONSTTIME); + /* generate p and q */ + for (;;) { +-- +2.7.4 + diff --git a/dev-libs/openssl/openssl-1.0.2o-r1.ebuild b/dev-libs/openssl/openssl-1.0.2o-r1.ebuild new file mode 100644 index 000..256e230d7cf --- /dev/null +++ b/dev-libs/openssl/openssl-1.0.2o-r1.ebuild @@ -0,0 +1,251 @@ +# Copyright 1999-2018 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI="6" + +inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal + +PATCH_SET="openssl-1.0.2-patches-1.3" +MY_P=${P/_/-} +DESCRIPTION="full-strength general purpose
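Review bot: The two added calls `BN_set_flags(rsa->p, BN_FLG_CONSTTIME);` and `BN_set_flags(rsa->q, BN_FLG_CONSTTIME);` in `rsa_builtin_keygen` carry no comment saying why they are there, so a later rebase of this backport could drop them without anyone noticing. A one-line comment above them would record the intent stated in the patch subject: `/* p and q are secret: make BN_mod_inverse and BN_mod_exp_mont take their constant-time paths (CVE-2018-0737) */`. Both calls assume `rsa->p` and `rsa->q` are already allocated at this point; that allocation is outside the hunk and cannot be confirmed from here.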
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: e2a23951221fb5f24e6dfa7d01d17ce4fe64d750 Author: Thomas Deutschmann gentoo org> AuthorDate: Fri Dec 29 01:56:56 2017 + Commit: Thomas Deutschmann gentoo org> CommitDate: Fri Dec 29 01:57:10 2017 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e2a23951 dev-libs/openssl: Rev bump to allow building with Perl 5.26 Ebuild changes: === - EAPI bumped to EAPI=6 - Added to for '.' in @INC (thanks to Joakim Gebart Nohlgård) Closes: https://bugs.gentoo.org/639876 Package-Manager: Portage-2.3.19, Repoman-2.3.6 .../files/openssl-0.9.8z_p8-perl-5.26.patch| 13 ++ dev-libs/openssl/openssl-0.9.8z_p8-r1.ebuild | 167 + 2 files changed, 180 insertions(+) diff --git a/dev-libs/openssl/files/openssl-0.9.8z_p8-perl-5.26.patch b/dev-libs/openssl/files/openssl-0.9.8z_p8-perl-5.26.patch new file mode 100644 index 000..c932b820425 --- /dev/null +++ b/dev-libs/openssl/files/openssl-0.9.8z_p8-perl-5.26.patch @@ -0,0 +1,13 @@ +https://bugs.gentoo.org/639876 + +--- a/crypto/des/asm/des-586.pl b/crypto/des/asm/des-586.pl +@@ -4,7 +4,7 @@ + # Svend Olaf Mikkelsen+ # + +-push(@INC,"perlasm","../../perlasm"); ++push(@INC,".","perlasm","../../perlasm"); + require "x86asm.pl"; + require "cbc.pl"; + require "desboth.pl"; diff --git a/dev-libs/openssl/openssl-0.9.8z_p8-r1.ebuild b/dev-libs/openssl/openssl-0.9.8z_p8-r1.ebuild new file mode 100644 index 000..5fcc6d8ea4e --- /dev/null +++ b/dev-libs/openssl/openssl-0.9.8z_p8-r1.ebuild 
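Review bot: Pushing `"."` onto `@INC` in `des-586.pl` restores the current-directory module lookup that Perl 5.26 dropped, and it does so for all three `require` lines rather than only the one that needs it. If only `desboth.pl` sits beside the script (likely, but the source tree is not visible here), `require "./desboth.pl";` would fix the build without widening the search path, while `x86asm.pl` and `cbc.pl` keep resolving through the existing `perlasm` entries. As written, `.` is at least appended after the other entries and so is consulted last. A comment in the patch header noting that this only affects build-time script lookup would help the next maintainer decide whether it can be narrowed.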
@@ -0,0 +1,167 @@ +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +# this ebuild is only for the libcrypto.so.0.9.8 and libssl.so.0.9.8 SONAME for ABI compat + +EAPI="6" + +inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal + +#PLEVEL=$(printf "\\$(printf '%03o' $((${PV##*_p} + 96)))") +PLEVEL='h' # _p8 -> tr '[1-9]' '[a-i]' -> 'h' +MY_PV=${PV/_p*/${PLEVEL}} +MY_P=${PN}-${MY_PV} +S="${WORKDIR}/${MY_P}" +DESCRIPTION="Toolkit for SSL v2/v3 and TLS v1" +HOMEPAGE="https://www.openssl.org/; +SRC_URI="mirror://openssl/source/${MY_P}.tar.gz" + +LICENSE="openssl" +SLOT="0.9.8" +KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd" +IUSE="bindist gmp kerberos cpu_flags_x86_sse2 test zlib" +RESTRICT="!bindist? ( bindist )" + +RDEPEND="gmp? ( >=dev-libs/gmp-5.1.3-r1[${MULTILIB_USEDEP}] ) + zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] ) + kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] ) + abi_x86_32? ( + !<=app-emulation/emul-linux-x86-baselibs-20140508-r4 + !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)] + ) + !=dev-libs/openssl-0.9.8*:0" +DEPEND="${RDEPEND} + >=dev-lang/perl-5 + test? 
( + sys-apps/diffutils + sys-devel/bc + )" + +# Do not install any docs +DOCS=() + +PATCHES=( + "${FILESDIR}"/${PN}-0.9.8e-bsd-sparc64.patch + "${FILESDIR}"/${PN}-0.9.8h-ldflags.patch #181438 + "${FILESDIR}"/${PN}-0.9.8m-binutils.patch #289130 + "${FILESDIR}"/${PN}-0.9.8z_p8-perl-5.26.patch +) + +src_prepare() { + default + + # disable fips in the build + # make sure the man pages are suffixed #302165 + # don't bother building man pages if they're disabled + sed -i \ + -e '/DIRS/s: fips : :g' \ + -e '/^MANSUFFIX/s:=.*:=ssl:' \ + -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \ + -e $(has noman FEATURES \ + && echo '/^install:/s:install_docs::' \ + || echo '/^MANDIR=/s:=.*:=/usr/share/man:') \ + Makefile{,.org} \ + || die + # show the actual commands in the log + sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared || die + # update the enginedir path. + # punt broken config we don't care about as it fails sanity check. + sed -i \ + -e '/^"debug-ben-debug-64"/d' \ + -e "/foo.*engines/s|/lib/engines|/$(get_libdir)/engines|" \ + Configure || die + + # since we're forcing $(CC) as makedep anyway, just fix + # the conditional as always-on + # helps clang (#417795), and versioned gcc (#499818) + sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die + + # quiet out unknown driver argument warnings since openssl + # doesn't have well-split CFLAGS and we're making it even worse + # and 'make depend' uses -Werror for added fun (#417795 again) + [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments + + # allow openssl to be cross-compiled + cp "${FILESDIR}"/gentoo.config-0.9.8 gentoo.config || die "cp cross-compile failed" + chmod a+rx gentoo.config || die + + append-flags -fno-strict-aliasing + append-flags
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: f179eb65b08d179526088fb29abefde8b109ab28 Author: Thomas Deutschmann gentoo org> AuthorDate: Thu Dec 7 18:09:10 2017 + Commit: Thomas Deutschmann gentoo org> CommitDate: Thu Dec 7 18:13:44 2017 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f179eb65 dev-libs/openssl: Bump to v1.0.2n - EAPI bumped to EAPI=6 - Respin some patches for v1.0.2n - Patches moved to patch tarball to avoid cluttering up the tree Bug: https://bugs.gentoo.org/640172 Package-Manager: Portage-2.3.16, Repoman-2.3.6 dev-libs/openssl/Manifest | 2 + dev-libs/openssl/files/gentoo.config-1.0.2 | 2 +- dev-libs/openssl/openssl-1.0.2n.ebuild | 251 + 3 files changed, 254 insertions(+), 1 deletion(-) diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest index 720173c3554..e9a8efaa979 100644 --- a/dev-libs/openssl/Manifest +++ b/dev-libs/openssl/Manifest 
@@ -1,10 +1,12 @@ DIST openssl-0.9.8zh.tar.gz 3818524 SHA256 f1d9f3ed1b85a82ecf80d0e2d389e1fda3fca9a4dba0bf07adbf231e1a5e2fd6 SHA512 b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6 WHIRLPOOL 8ed3362e6aed89cd6ae02438bc3fb58ff3a91afb8a2d401d1d66c1ee4fd96f4befb50558131dd03a60fc15b588172fc1ede5d56bb1f68e184453bfe3b34f9abf +DIST openssl-1.0.2-patches-1.0.tar.xz 11572 BLAKE2B bdb9d2b8388f1aadf3a9274133aa8f86b0029fae1ce86d005baa39a7347657f8d4d84395b54e8ccd67944356ee197dfb527f843b4f146e305533e2ad5450721d SHA512 15234ade359a0acf001cf10c7a7fc05f54603a44c67831529c2a6eda03342f9ba1cf40664ac782b5b73c50b23ec5649fb48ccff2aea8f0df2ef634959c47e3e9 DIST openssl-1.0.2k.tar.gz 5309236 BLAKE2B 97069b9c7aaab2381ae5be989caff6907cd44ab1831d84685c3421ad985889a2bbc3a462decdff9c4c158ace96975de2b9e49e4f1b9f306990c3dc0f03767dad SHA512 0d314b42352f4b1df2c40ca1094abc7e9ad684c5c35ea997efdd58204c70f22a1abcb17291820f0fff3769620a4e06906034203d31eb1a4d540df3e0db294016 DIST openssl-1.0.2l.tar.gz 5365054 BLAKE2B 0a459a93a0013269dea79bd6df96a434b9dad95b6d98b24a48bc1b1438415c0a8de01b67166ac13a73ae65fb64131568924c3e6f945d862b7e960f05332cf097 SHA512 047d964508ad6025c79caabd8965efd2416dc026a56183d0ef4de7a0a6769ce8e0b4608a3f8393d326f6d03b26a2b067e6e0c750f35b20be190e595e8290c0e3 DIST openssl-1.0.2l_ec_curve.c 17254 SHA256 43ad99527a9f494c97c1efd4a87b49508455437da5de1b9ecd89b0d36fb764c8 SHA512 8e92fb100bcf4bd918c82b9a6cbd75a55abe1a2c08230a007e441c51577f974f8cc336e9ac8a672b32641480428ca8cead5380da1fe81bacb088145a1b754a15 WHIRLPOOL 5a43777a2886a2e7bd41eeb3a96c90c62b0eaa771249a50eb5996993f43384dca5f24993ed6a6deede2c4f119f896fb11dbc26b72650c909c856bd8c313501f0 DIST openssl-1.0.2l_ectest.c 30735 SHA256 14f12b1db5121f3f58466f52ad10555c038c281e90e53c0a2f7940a754bb4d80 SHA512 f2e4d34327b490bc8371f0845c69df3f9fc51ea16f0ea0de0411a0c1fa9d49bb2b6fafc363eb3b3cd919dc7c24e4a0d075c6ff878c01d70dae918f2540874c19 WHIRLPOOL 
0d708b382d97e1f20a03e695f0a990fb9fd6cd8ab8ced29e072d52ca3f09f87d18c287d6134fd5ac2243ca541982f4d9eaa2fa8964d62b6b8f1a4b879e8fd997 DIST openssl-1.0.2l_hobble-openssl 1302 SHA256 7ec32aab6a1db2124de52c3918cc7f7e487972581e30235447eed15d59415384 SHA512 3d757a4708e74a03dd5cb9b8114dfe442ed9520739a6eca693be4c4265771696f1449ea06d1c9bcfc6e94fc9b0dd0c10e153f1c3b0334831c0550b36cd63326e WHIRLPOOL b9630ce76492bff481d0bd48b72449d1e1d4fbb98c2387c4824d84833796adaba716e10976b3130eed9fd9442511a71604d9944600ba6be5253087f865cefe8c DIST openssl-1.0.2m.tar.gz 5373776 BLAKE2B f40cbea061f84087a079d541f7ba841894c86c00827865f0f508ee297df45e8825d7d74bbbe16bf1f81d46f9af503a6191c9e65df674c4a5ae28172b5b03986f SHA512 7619aa223ee50d0f5e270ac9090e95b2b1ba5dfc656c98f625a9a277dda472fb960a4e89a7ba300044cb401b2072b2ca6a6fcce8206d927bf373d1c981806a93 +DIST openssl-1.0.2n.tar.gz 5375802 BLAKE2B 2e04f8c3d5e2296859b8474d7e100e270f53f18a26c6d37a4cf5e01cd14f44d24d334b4e705da05d77c33b5dc91cffea0feea9f7c83c77ba16c9b6d5f5085894 SHA512 144bf0d6aa27b4af01df0b7b734c39962649e1711554247d42e05e14d8945742b18745aefdba162e2dfc762b941fd7d3b2d5dc6a781ae4ba10a6f5a3cadb0687 DIST openssl-1.1.0-build.patch 3028 SHA256 c626ac8b34df5d55a7272a741f87f06dc06cc20ac80085048788a2c76c08c25f SHA512 b19a912900970052f80c67f28975e793ae9e70ebfc62efae0544e09931079e98c4cd29ce1cc8d937ceca97aff9a12fdc1ff9ce6c2b47fea68c79e7065464a0f0 WHIRLPOOL 950febb159139b145eb7de5bda1115465fa8551234182e6d15459ab5519213f515b4c3e3a3136d05c440d3eec04a7247461d36c2d45136a6f1963613d5896b3e DIST openssl-1.1.0-ec-curves.patch 2967 SHA256 da60dfa01ed244cd3f77f60cc2ef479a36e64a58fa5e242aa03647c698cc1a42 SHA512 8fb9c6759ae2077ad3697ba77e85ab3970fd8b3f64b21eb260b4f6333b7ebf2f5a53c7eee311229edfbd96a2b904ec5e5e00dfa5b62cf1105fece13069077bd2 WHIRLPOOL e7293ef84f6c36e8e5f5ec8158023fdca484bc9082e73956bd0cc74a17c880350a49799146c855a37f116d743e7c93e54cbe4aa7f70483e235d03687a15a46a5 DIST openssl-1.1.0f.tar.gz 5278176 SHA256 
12f746f3f2493b2f39da7ecf63d7ee19c6ac9ec6a4fcd8c229da8a522cb12765 SHA512
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: 36cc74ed2bb0a39bf145fee0fdec4efc9094fe31 Author: Lars Wendler gentoo org> AuthorDate: Thu Nov 10 15:40:07 2016 + Commit: Lars Wendler gentoo org> CommitDate: Thu Nov 10 15:40:55 2016 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=36cc74ed dev-libs/openssl: Security bump to version 1.1.0c (bug #599358). Package-Manager: portage-2.3.2 dev-libs/openssl/Manifest | 2 +- dev-libs/openssl/files/openssl-1.1.0-ldflags.patch| 11 --- .../openssl/{openssl-1.1.0b.ebuild => openssl-1.1.0c.ebuild} | 1 - 3 files changed, 1 insertion(+), 13 deletions(-) diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest index 3e6411e..a42a05f 100644 --- a/dev-libs/openssl/Manifest +++ b/dev-libs/openssl/Manifest 
@@ -1,3 +1,3 @@ DIST openssl-0.9.8zh.tar.gz 3818524 SHA256 f1d9f3ed1b85a82ecf80d0e2d389e1fda3fca9a4dba0bf07adbf231e1a5e2fd6 SHA512 b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6 WHIRLPOOL 8ed3362e6aed89cd6ae02438bc3fb58ff3a91afb8a2d401d1d66c1ee4fd96f4befb50558131dd03a60fc15b588172fc1ede5d56bb1f68e184453bfe3b34f9abf DIST openssl-1.0.2j.tar.gz 5307912 SHA256 e7aff292be21c259c6af26469c7a9b3ba26e9abaaffd325e3dccc9785256c431 SHA512 7d6ccae4aa3ccec3a5d128da29c68401cdb1210cba6d212d55235fc3bc63d7085e2f119e2bbee7ddff6b7b5eef07c6196156791724cd2caf313a4c2fef724edd WHIRLPOOL 1f17e80bc10da2eab9d4c1c3a662b0e2b4f7e8bc448aabb44cd98a96ba3d6cd0ef6cf9a3371d44b39a4d11b1a4087c8f0d056272ace6eba5bd2417f7ab9503b7 -DIST openssl-1.1.0b.tar.gz 5162355 SHA256 a45de072bf9be4dea437230aaf036000f0e68c6a665931c57e76b5b036cef6f7 SHA512 b6d66261427f1acc049bf5469a0dc668490e752c2ba4802481809e7e35367213eca17ac9fdc3f23ed5f7a53d303abca78b13a48b169f154043199f2680ccf1a4 WHIRLPOOL bc926b2839f2e85751480ac0a6306bd37ca1ac12759b78654fba6861517bb9979245b95676a60900eab9257334ecf2e1b7d9e406c39a6075054a93ffc1f7a76a +DIST openssl-1.1.0c.tar.gz 5179668 SHA256 fc436441a2e05752d31b4e46115eb89709a28aef96d4fe786abe92409b2fd6f5 SHA512 e3cfba6c682e5edd6f678df7c1da9c9713880f7dca248e6d62f095185c22ce8fd7571d53a54a119fb5d4422578637746ad2809bb2ba324a5c54564f532307ad9 WHIRLPOOL d6ee4610a6ce5c8d2593bcd9f8a2fc55910006d3f466d0d27409f92b4f60880f96979ccbbdf9da5cf110c59a86e1a906bf20a8eb93338efa9e197bd4755ce4d8 diff --git a/dev-libs/openssl/files/openssl-1.1.0-ldflags.patch b/dev-libs/openssl/files/openssl-1.1.0-ldflags.patch deleted file mode 100644 index 95a95f2.. --- a/dev-libs/openssl/files/openssl-1.1.0-ldflags.patch +++ /dev/null 
@@ -1,11 +0,0 @@ openssl-1.1.0-pre4/Makefile.shared -+++ openssl-1.1.0-pre4/Makefile.shared -@@ -175,7 +175,7 @@ - ALLSYMSFLAGS='-Wl,--whole-archive'; \ - NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \ - $(DO_GNU_SO_COMMON) --DO_GNU_APP=LDFLAGS="$(CFLAGS) $(LDFLAGS) -Wl,-rpath,$(LIBRPATH)" -+DO_GNU_APP=LDFLAGS="$(CFLAGS) $(LDFLAGS)" - - #This is rather special. It's a special target with which one can link - #applications without bothering with any features that have anything to diff --git a/dev-libs/openssl/openssl-1.1.0b.ebuild b/dev-libs/openssl/openssl-1.1.0c.ebuild similarity index 99% rename from dev-libs/openssl/openssl-1.1.0b.ebuild rename to dev-libs/openssl/openssl-1.1.0c.ebuild index 0aea4eb..069cf97 100644 --- a/dev-libs/openssl/openssl-1.1.0b.ebuild +++ b/dev-libs/openssl/openssl-1.1.0c.ebuild @@ -35,7 +35,6 @@ MULTILIB_WRAPPED_HEADERS=( ) PATCHES=( - "${FILESDIR}"/${PN}-1.1.0-ldflags.patch #327421 "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618 )
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: 246f6b0590667adffa8967d9ba41bc993119a553 Author: Lars Wendler gentoo org> AuthorDate: Mon Oct 31 07:10:08 2016 + Commit: Lars Wendler gentoo org> CommitDate: Mon Oct 31 07:10:08 2016 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=246f6b05 dev-libs/openssl: Removed vulnerable versions. Package-Manager: portage-2.3.2 Signed-off-by: Lars Wendler gentoo.org> dev-libs/openssl/Manifest | 2 - .../openssl/files/openssl-1.0.0d-windres.patch | 76 - .../files/openssl-1.0.2g-parallel-build.patch | 318 - .../files/openssl-1.0.2h-CVE-2016-2177.patch | 279 -- .../files/openssl-1.0.2h-CVE-2016-2178.patch | 28 -- dev-libs/openssl/openssl-1.0.2h-r2.ebuild | 254 dev-libs/openssl/openssl-1.0.2i.ebuild | 249 7 files changed, 1206 deletions(-) diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest index 4d20371..3e6411e 100644 --- a/dev-libs/openssl/Manifest +++ b/dev-libs/openssl/Manifest 
@@ -1,5 +1,3 @@ DIST openssl-0.9.8zh.tar.gz 3818524 SHA256 f1d9f3ed1b85a82ecf80d0e2d389e1fda3fca9a4dba0bf07adbf231e1a5e2fd6 SHA512 b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6 WHIRLPOOL 8ed3362e6aed89cd6ae02438bc3fb58ff3a91afb8a2d401d1d66c1ee4fd96f4befb50558131dd03a60fc15b588172fc1ede5d56bb1f68e184453bfe3b34f9abf -DIST openssl-1.0.2h.tar.gz 5274412 SHA256 1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919 SHA512 780601f6f3f32f42b6d7bbc4c593db39a3575f9db80294a10a68b2b0bb79448d9bd529ca700b9977354cbdfc65887c76af0aa7b90d3ee421f74ab53e6f15c303 WHIRLPOOL 41b6cf0c08b547f1432dc8167a4c7835da0b6907f8932969e0a352fab8bdbb4d8f612a5bf431e415d93ff1c8238652b2ee3ce0bd935cc2f59e8ea4f40fe6b5d6 -DIST openssl-1.0.2i.tar.gz 5308232 SHA256 9287487d11c9545b6efb287cdb70535d4e9b284dd10d51441d9b9963d000de6f SHA512 41764debd5d64e4e770945f30d682e2c887d9cefb39b358c5c7f9d2cdce34393ed28d49b24e95c4639db2df01c278cbcde71bed2b03f9aafafc76766b03850e3 WHIRLPOOL ba1a4513aaa1de81e36912acfe0b6cf8e0acf7cc71d32b127b5e54eb2f6fc6ce63f4f61e9fc99fecc9e037cdccc496b9d15ea75b594b0fd8721b4478eab1f31d DIST openssl-1.0.2j.tar.gz 5307912 SHA256 e7aff292be21c259c6af26469c7a9b3ba26e9abaaffd325e3dccc9785256c431 SHA512 7d6ccae4aa3ccec3a5d128da29c68401cdb1210cba6d212d55235fc3bc63d7085e2f119e2bbee7ddff6b7b5eef07c6196156791724cd2caf313a4c2fef724edd WHIRLPOOL 1f17e80bc10da2eab9d4c1c3a662b0e2b4f7e8bc448aabb44cd98a96ba3d6cd0ef6cf9a3371d44b39a4d11b1a4087c8f0d056272ace6eba5bd2417f7ab9503b7 DIST openssl-1.1.0b.tar.gz 5162355 SHA256 a45de072bf9be4dea437230aaf036000f0e68c6a665931c57e76b5b036cef6f7 SHA512 b6d66261427f1acc049bf5469a0dc668490e752c2ba4802481809e7e35367213eca17ac9fdc3f23ed5f7a53d303abca78b13a48b169f154043199f2680ccf1a4 WHIRLPOOL bc926b2839f2e85751480ac0a6306bd37ca1ac12759b78654fba6861517bb9979245b95676a60900eab9257334ecf2e1b7d9e406c39a6075054a93ffc1f7a76a 
diff --git a/dev-libs/openssl/files/openssl-1.0.0d-windres.patch b/dev-libs/openssl/files/openssl-1.0.0d-windres.patch deleted file mode 100644 index 0b360d2.. --- a/dev-libs/openssl/files/openssl-1.0.0d-windres.patch +++ /dev/null @@ -1,76 +0,0 @@ -URL: http://rt.openssl.org/Ticket/Display.html?id=2558=guest=guest -Subject: make windres controllable via build env var settings - -atm, the windres code in openssl is only usable via the cross-compile prefix -option unlike all the other build tools. so add support for the standard $RC -/ $WINDRES env vars as well. - -Index: Configure -=== -RCS file: /usr/local/src/openssl/CVSROOT/openssl/Configure,v -retrieving revision 1.621.2.40 -diff -u -p -r1.621.2.40 Configure Configure 30 Nov 2010 22:19:26 - 1.621.2.40 -+++ Configure 4 Jul 2011 23:12:32 - -@@ -1094,6 +1094,7 @@ my $shared_extension = $fields[$idx_shar - my $ranlib = $ENV{'RANLIB'} || $fields[$idx_ranlib]; - my $ar = $ENV{'AR'} || "ar"; - my $arflags = $fields[$idx_arflags]; -+my $windres = $ENV{'RC'} || $ENV{'WINDRES'} || "windres"; - my $multilib = $fields[$idx_multilib]; - - # if $prefix/lib$multilib is not an existing directory, then -@@ -1511,12 +1512,14 @@ while () - s/^AR=\s*/AR= \$\(CROSS_COMPILE\)/; - s/^NM=\s*/NM= \$\(CROSS_COMPILE\)/; - s/^RANLIB=\s*/RANLIB= \$\(CROSS_COMPILE\)/; -+ s/^WINDRES=\s*/WINDRES= \$\(CROSS_COMPILE\)/; - s/^MAKEDEPPROG=.*$/MAKEDEPPROG= \$\(CROSS_COMPILE\)$cc/ if $cc eq "gcc"; - } - else{ - s/^CC=.*$/CC= $cc/; - s/^AR=\s*ar/AR= $ar/; - s/^RANLIB=.*/RANLIB= $ranlib/; -+ s/^WINDRES=.*/WINDRES= $windres/; - s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $cc eq "gcc"; - } - s/^CFLAG=.*$/CFLAG= $cflags/;
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
commit: 8d3725cf907f13b2243a38cb2a55282db460279f Author: Mike Gilbert gentoo org> AuthorDate: Fri Aug 26 17:56:14 2016 + Commit: Mike Gilbert gentoo org> CommitDate: Fri Aug 26 17:56:14 2016 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8d3725cf dev-libs/openssl: fix typo in patch filename Package-Manager: portage-2.3.0_p22 .../files/{openssl-1.1.01-ldflags.patch => openssl-1.1.0-ldflags.patch} | 0 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/dev-libs/openssl/files/openssl-1.1.01-ldflags.patch b/dev-libs/openssl/files/openssl-1.1.0-ldflags.patch similarity index 100% rename from dev-libs/openssl/files/openssl-1.1.01-ldflags.patch rename to dev-libs/openssl/files/openssl-1.1.0-ldflags.patch
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: 85c9a35d3eea4416b7d234c40fa8758f721cf404 Author: Lars Wendler gentoo org> AuthorDate: Fri Aug 26 17:39:11 2016 + Commit: Lars Wendler gentoo org> CommitDate: Fri Aug 26 17:39:55 2016 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=85c9a35d dev-libs/openssl: Fixed broken ldflags patch (thanks to floppym). Package-Manager: portage-2.3.0 Signed-off-by: Lars Wendler gentoo.org> dev-libs/openssl/files/openssl-1.1.0-threads.patch | 20 ...e4-ldflags.patch => openssl-1.1.01-ldflags.patch} | 2 +- dev-libs/openssl/openssl-1.1.0.ebuild| 3 +-- 3 files changed, 2 insertions(+), 23 deletions(-) diff --git a/dev-libs/openssl/files/openssl-1.1.0-threads.patch b/dev-libs/openssl/files/openssl-1.1.0-threads.patch deleted file mode 100644 index d4326f6.. --- a/dev-libs/openssl/files/openssl-1.1.0-threads.patch +++ /dev/null @@ -1,20 +0,0 @@ openssl-1.1.0/Configurations/10-main.conf -+++ openssl-1.1.0/Configurations/10-main.conf -@@ -612,7 +612,7 @@ -debug => "-O0 -g", -release => "-O3"), - threads("-pthread")), --ex_libs => add("-ldl"), -+ex_libs => add("-ldl",threads("-lpthread")), - bn_ops => "BN_LLONG RC4_CHAR", - thread_scheme=> "pthreads", - dso_scheme => "dlfcn", -@@ -721,7 +721,7 @@ - inherit_from => [ "linux-generic32", asm("x86_elf_asm") ], - cflags => add(picker(default => "-DL_ENDIAN", -release => "-fomit-frame-pointer")), --ex_libs => add(picker(debug => "-lefence")), -+ex_libs => add(picker(debug => "-lefence"),threads("-lpthread")), - bn_ops => "BN_LLONG", - }, - "linux-aout" => { diff --git a/dev-libs/openssl/files/openssl-1.1.0_pre4-ldflags.patch b/dev-libs/openssl/files/openssl-1.1.01-ldflags.patch similarity index 88% rename from dev-libs/openssl/files/openssl-1.1.0_pre4-ldflags.patch rename to dev-libs/openssl/files/openssl-1.1.01-ldflags.patch index f0d7e18..95a95f2 100644 --- a/dev-libs/openssl/files/openssl-1.1.0_pre4-ldflags.patch +++ b/dev-libs/openssl/files/openssl-1.1.01-ldflags.patch 
@@ -5,7 +5,7 @@ NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \ $(DO_GNU_SO_COMMON) -DO_GNU_APP=LDFLAGS="$(CFLAGS) $(LDFLAGS) -Wl,-rpath,$(LIBRPATH)" -+DO_GNU_APP=LDFLAGS="$(LDFLAGS) -Wl,-rpath,$(LIBRPATH)" ++DO_GNU_APP=LDFLAGS="$(CFLAGS) $(LDFLAGS)" #This is rather special. It's a special target with which one can link #applications without bothering with any features that have anything to diff --git a/dev-libs/openssl/openssl-1.1.0.ebuild b/dev-libs/openssl/openssl-1.1.0.ebuild index 05e1641..0aea4eb 100644 --- a/dev-libs/openssl/openssl-1.1.0.ebuild +++ b/dev-libs/openssl/openssl-1.1.0.ebuild @@ -35,9 +35,8 @@ MULTILIB_WRAPPED_HEADERS=( ) PATCHES=( - "${FILESDIR}"/${PN}-1.1.0_pre4-ldflags.patch #327421 + "${FILESDIR}"/${PN}-1.1.0-ldflags.patch #327421 "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618 - "${FILESDIR}"/${PN}-1.1.0-threads.patch ) src_prepare() {
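Review bot: The `PATCHES` entry added in the ebuild hunk points at `${PN}-1.1.0-ldflags.patch`, but the rename earlier in this commit creates `files/openssl-1.1.01-ldflags.patch`. As shown, the ebuild would reference a file that does not exist under `${FILESDIR}`, so the patch step would fail. One of the two names looks like a typo: either rename the file to `openssl-1.1.0-ldflags.patch` or change the entry to `"${FILESDIR}"/${PN}-1.1.01-ldflags.patch #327421`. Only the `PATCHES` array of the ebuild is visible in this hunk.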
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: 18fd87c2468bf11b7b21a3691cb8b3735672f452 Author: Lars Wendler gentoo org> AuthorDate: Fri Aug 26 15:51:57 2016 + Commit: Lars Wendler gentoo org> CommitDate: Fri Aug 26 15:52:16 2016 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=18fd87c2 dev-libs/openssl: Bump to version 1.1.0 Package-Manager: portage-2.3.0 Signed-off-by: Lars Wendler gentoo.org> dev-libs/openssl/Manifest | 1 + dev-libs/openssl/files/openssl-1.1.0-threads.patch | 20 ++ .../openssl/files/openssl-1.1.0_pre4-ldflags.patch | 11 + dev-libs/openssl/openssl-1.1.0.ebuild | 243 + 4 files changed, 275 insertions(+) diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest index 7ca6bf7..732c6d3 100644 --- a/dev-libs/openssl/Manifest +++ b/dev-libs/openssl/Manifest 
@@ -1,3 +1,4 @@ DIST openssl-0.9.8zh.tar.gz 3818524 SHA256 f1d9f3ed1b85a82ecf80d0e2d389e1fda3fca9a4dba0bf07adbf231e1a5e2fd6 SHA512 b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6 WHIRLPOOL 8ed3362e6aed89cd6ae02438bc3fb58ff3a91afb8a2d401d1d66c1ee4fd96f4befb50558131dd03a60fc15b588172fc1ede5d56bb1f68e184453bfe3b34f9abf DIST openssl-1.0.2g.tar.gz 5266102 SHA256 b784b1b3907ce39abf4098702dade6365522a253ad1552e267a9a0e89594aa33 SHA512 4d96b6c8a232203483d6e8bee81da01ba10977bfbac92f25304a36dec9ea584b7ef917bc45e097cc7dbe681d71a4570d649c22244c178393ae91fab48323f735 WHIRLPOOL aedbd82af0a550e8329a84312fae492f3bb3cb04af763fc9ef532099b2b2e61a55e4a7cfb06085f045740e2b692bbdb3ecb8bf5ca82f46325c3caf22d2317ffb DIST openssl-1.0.2h.tar.gz 5274412 SHA256 1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919 SHA512 780601f6f3f32f42b6d7bbc4c593db39a3575f9db80294a10a68b2b0bb79448d9bd529ca700b9977354cbdfc65887c76af0aa7b90d3ee421f74ab53e6f15c303 WHIRLPOOL 41b6cf0c08b547f1432dc8167a4c7835da0b6907f8932969e0a352fab8bdbb4d8f612a5bf431e415d93ff1c8238652b2ee3ce0bd935cc2f59e8ea4f40fe6b5d6 +DIST openssl-1.1.0.tar.gz 5146831 SHA256 f5c69ff9ac1472c80b868efc1c1c0d8dcfc746d29ebe563de2365dd56dbd8c82 SHA512 6a99d391be7708fdc4eb097d27cea4ce79dc83cc7f52d353af1e222773e586405c0848557d7404716b92b23b775abed45e73c66fe9128f4bd7c09864e79317b0 WHIRLPOOL 9d38954c65073a8d02caa6aa00b1efc197391b38b341662f0d9967ce883f52eed8c3be84ebd6ecc89c494f725218bfd2bef395891a20b40c8dcdf6b31fba2131 diff --git a/dev-libs/openssl/files/openssl-1.1.0-threads.patch b/dev-libs/openssl/files/openssl-1.1.0-threads.patch new file mode 100644 index ..d4326f6 --- /dev/null +++ b/dev-libs/openssl/files/openssl-1.1.0-threads.patch 
@@ -0,0 +1,20 @@ +--- openssl-1.1.0/Configurations/10-main.conf openssl-1.1.0/Configurations/10-main.conf +@@ -612,7 +612,7 @@ +debug => "-O0 -g", +release => "-O3"), + threads("-pthread")), +-ex_libs => add("-ldl"), ++ex_libs => add("-ldl",threads("-lpthread")), + bn_ops => "BN_LLONG RC4_CHAR", + thread_scheme=> "pthreads", + dso_scheme => "dlfcn", +@@ -721,7 +721,7 @@ + inherit_from => [ "linux-generic32", asm("x86_elf_asm") ], + cflags => add(picker(default => "-DL_ENDIAN", +release => "-fomit-frame-pointer")), +-ex_libs => add(picker(debug => "-lefence")), ++ex_libs => add(picker(debug => "-lefence"),threads("-lpthread")), + bn_ops => "BN_LLONG", + }, + "linux-aout" => { diff --git a/dev-libs/openssl/files/openssl-1.1.0_pre4-ldflags.patch b/dev-libs/openssl/files/openssl-1.1.0_pre4-ldflags.patch new file mode 100644 index ..f0d7e18 --- /dev/null +++ b/dev-libs/openssl/files/openssl-1.1.0_pre4-ldflags.patch @@ -0,0 +1,11 @@ +--- openssl-1.1.0-pre4/Makefile.shared openssl-1.1.0-pre4/Makefile.shared +@@ -175,7 +175,7 @@ + ALLSYMSFLAGS='-Wl,--whole-archive'; \ + NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \ + $(DO_GNU_SO_COMMON) +-DO_GNU_APP=LDFLAGS="$(CFLAGS) $(LDFLAGS) -Wl,-rpath,$(LIBRPATH)" ++DO_GNU_APP=LDFLAGS="$(LDFLAGS) -Wl,-rpath,$(LIBRPATH)" + + #This is rather special. It's a special target with which one can link + #applications without bothering with any features that have anything to diff --git a/dev-libs/openssl/openssl-1.1.0.ebuild b/dev-libs/openssl/openssl-1.1.0.ebuild new file mode 100644 index ..05e1641 --- /dev/null +++ b/dev-libs/openssl/openssl-1.1.0.ebuild @@ -0,0 +1,243 @@ +# Copyright 1999-2016 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI=5 + +inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal + +MY_P=${P/_/-} +DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
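Review bot: In `openssl-1.1.0_pre4-ldflags.patch` the new `DO_GNU_APP` line drops `$(CFLAGS)` from the application link flags but keeps `-Wl,-rpath,$(LIBRPATH)`. Any compiler-driver flag that is set only in `CFLAGS` and matters at link time (ABI selection such as `-m32`, `-pthread`, hardening options) would presumably no longer reach the link step. The retained rpath still embeds a library search path in the linked programs. If the intent is to stop the rpath being recorded, `DO_GNU_APP=LDFLAGS="$(CFLAGS) $(LDFLAGS)"` does that without changing which flags the link sees. A one-line header in the patch file naming the bug it addresses (the ebuild cites `#327421`) would also help.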
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: b4bfc10ce01e37a79da48f2f8349200c7eca78ed Author: Patrick McLean gentoo org> AuthorDate: Sat Jun 25 02:19:01 2016 + Commit: Patrick McLean gentoo org> CommitDate: Sat Jun 25 02:19:01 2016 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4bfc10c dev-libs/openssl: Revision bump to 1.0.2h-r2 to fix bug 585142 & bug 585276 This fixes CVE-2016-2177 and CVE-2016-2178. Package-Manager: portage-2.3.0 .../files/openssl-1.0.2h-CVE-2016-2177.patch | 279 + .../files/openssl-1.0.2h-CVE-2016-2178.patch | 28 +++ dev-libs/openssl/openssl-1.0.2h-r2.ebuild | 254 +++ 3 files changed, 561 insertions(+) diff --git a/dev-libs/openssl/files/openssl-1.0.2h-CVE-2016-2177.patch b/dev-libs/openssl/files/openssl-1.0.2h-CVE-2016-2177.patch new file mode 100644 index 000..ca934c2 --- /dev/null +++ b/dev-libs/openssl/files/openssl-1.0.2h-CVE-2016-2177.patch 
@@ -0,0 +1,279 @@ +From a004e72b95835136d3f1ea90517f706c24c03da7 Mon Sep 17 00:00:00 2001 +From: Matt Caswell+Date: Thu, 5 May 2016 11:10:26 +0100 +Subject: [PATCH] Avoid some undefined pointer arithmetic + +A common idiom in the codebase is: + +if (p + len > limit) +{ +return; /* Too long */ +} + +Where "p" points to some malloc'd data of SIZE bytes and +limit == p + SIZE + +"len" here could be from some externally supplied data (e.g. from a TLS +message). + +The rules of C pointer arithmetic are such that "p + len" is only well +defined where len <= SIZE. Therefore the above idiom is actually +undefined behaviour. + +For example this could cause problems if some malloc implementation +provides an address for "p" such that "p + len" actually overflows for +values of len that are too big and therefore p + len < limit! + +Issue reported by Guido Vranken. + +CVE-2016-2177 + +Reviewed-by: Rich Salz +--- + ssl/s3_srvr.c | 14 +++--- + ssl/ssl_sess.c | 2 +- + ssl/t1_lib.c | 56 ++-- + 3 files changed, 38 insertions(+), 34 deletions(-) + +diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c +index ab28702..ab7f690 100644 +--- a/ssl/s3_srvr.c b/ssl/s3_srvr.c +@@ -980,7 +980,7 @@ int ssl3_get_client_hello(SSL *s) + + session_length = *(p + SSL3_RANDOM_SIZE); + +-if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) { ++if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; +@@ -998,7 +998,7 @@ int ssl3_get_client_hello(SSL *s) + /* get the session-id */ + j = *(p++); + +-if (p + j > d + n) { ++if ((d + n) - p < j) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; +@@ -1054,14 +1054,14 @@ int ssl3_get_client_hello(SSL *s) + + if (SSL_IS_DTLS(s)) { + /* cookie stuff */ +-if (p + 1 > d + n) { ++if ((d + n) - p < 1) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + 
} + cookie_len = *(p++); + +-if (p + cookie_len > d + n) { ++if ((d + n ) - p < cookie_len) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; +@@ -1131,7 +1131,7 @@ int ssl3_get_client_hello(SSL *s) + } + } + +-if (p + 2 > d + n) { ++if ((d + n ) - p < 2) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; +@@ -1145,7 +1145,7 @@ int ssl3_get_client_hello(SSL *s) + } + + /* i bytes of cipher data + 1 byte for compression length later */ +-if ((p + i + 1) > (d + n)) { ++if ((d + n) - p < i + 1) { + /* not enough data */ + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); +@@ -1211,7 +1211,7 @@ int ssl3_get_client_hello(SSL *s) + + /* compression */ + i = *(p++); +-if ((p + i) > (d + n)) { ++if ((d + n) - p < i) { + /* not enough data */ + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); +diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c +index b182998..54ee783 100644 +--- a/ssl/ssl_sess.c b/ssl/ssl_sess.c +@@ -573,7 +573,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, + int r; + #endif + +-if (session_id + len > limit) { ++if (limit - session_id < len) { + fatal = 1; + goto err; + } +diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c +index fb64607..cdac011 100644 +--- a/ssl/t1_lib.c b/ssl/t1_lib.c +@@ -1867,11 +1867,11 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, +
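Review bot: The rewritten checks in `ssl3_get_client_hello` (`(d + n) - p < 1`, `(d + n ) - p < cookie_len`, and the same form in the hunks headed `@@ -980`, `@@ -998`, `@@ -1131`, `@@ -1145` and `@@ -1211`) are correct only while `p` has not advanced past `d + n`, and nothing in the visible code states that. The difference is a signed `ptrdiff_t`, and the declarations of `j`, `i` and `cookie_len` are outside the hunks. If any of them is an unsigned type at least as wide as `ptrdiff_t`, a negative difference would convert to a large unsigned value and the check would pass. A comment at the first check such as `/* invariant: d <= p <= d + n, so (d + n) - p is the count of unread bytes */` would record the assumption, and computing the remaining length once per step would remove the repeated expression and the stray `(d + n )` spacing. The function body starts and ends outside these hunks.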
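Review bot: In `ssl_get_prev_session` the new test `limit - session_id < len` still accepts a negative `len`, which the hunk header shows is an `int` parameter. Callers are outside the hunk, so whether a negative value can arrive is not visible here, but rejecting it in the same test costs nothing: `if (len < 0 || limit - session_id < len) {`. The function body continues outside the hunk.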
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: 7bf3f3ef8d44f51b7cbfbabc1282da60fcb5f715 Author: Lars Wendler gentoo org> AuthorDate: Tue Mar 1 14:05:20 2016 + Commit: Lars Wendler gentoo org> CommitDate: Tue Mar 1 14:23:22 2016 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7bf3f3ef dev-libs/openssl: Security bump to version 1.0.2g (bug #575548). Package-Manager: portage-2.2.27 Signed-off-by: Lars Wendler gentoo.org> dev-libs/openssl/Manifest | 1 + .../files/openssl-1.0.2g-parallel-build.patch | 318 + dev-libs/openssl/openssl-1.0.2g.ebuild | 265 + 3 files changed, 584 insertions(+) diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest index e16c5f3..6eb6a35 100644 --- a/dev-libs/openssl/Manifest +++ b/dev-libs/openssl/Manifest @@ -1,2 +1,3 @@ DIST openssl-0.9.8zh.tar.gz 3818524 SHA256 f1d9f3ed1b85a82ecf80d0e2d389e1fda3fca9a4dba0bf07adbf231e1a5e2fd6 SHA512 b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6 WHIRLPOOL 8ed3362e6aed89cd6ae02438bc3fb58ff3a91afb8a2d401d1d66c1ee4fd96f4befb50558131dd03a60fc15b588172fc1ede5d56bb1f68e184453bfe3b34f9abf DIST openssl-1.0.2f.tar.gz 5258384 SHA256 932b4ee4def2b434f85435d9e3e19ca8ba99ce9a065a61524b429a9d5e9b2e9c SHA512 50abf6dc94cafd06e7fd20770808bdc675c88daa369e4f752bd584ab17f72a57357c1ca1eca3c83e6745b5a3c9c73c99dce70adaa904d73f6df4c75bc7138351 WHIRLPOOL 179e1b5ad38c50a4c8110024aa7b33c53634c39690917e3bf5c2099548430beef96132ae9f9588ff0cedd6e08bb216a8d36835b04e506fb3fbaed37d31c9 +DIST openssl-1.0.2g.tar.gz 5266102 SHA256 b784b1b3907ce39abf4098702dade6365522a253ad1552e267a9a0e89594aa33 SHA512 4d96b6c8a232203483d6e8bee81da01ba10977bfbac92f25304a36dec9ea584b7ef917bc45e097cc7dbe681d71a4570d649c22244c178393ae91fab48323f735 WHIRLPOOL aedbd82af0a550e8329a84312fae492f3bb3cb04af763fc9ef532099b2b2e61a55e4a7cfb06085f045740e2b692bbdb3ecb8bf5ca82f46325c3caf22d2317ffb 
diff --git a/dev-libs/openssl/files/openssl-1.0.2g-parallel-build.patch b/dev-libs/openssl/files/openssl-1.0.2g-parallel-build.patch new file mode 100644 index 000..3582810 --- /dev/null +++ b/dev-libs/openssl/files/openssl-1.0.2g-parallel-build.patch 
@@ -0,0 +1,318 @@ +--- openssl-1.0.2g/crypto/Makefile openssl-1.0.2g/crypto/Makefile +@@ -85,11 +85,11 @@ + @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi + + subdirs: +- @target=all; $(RECURSIVE_MAKE) ++ +@target=all; $(RECURSIVE_MAKE) + + files: + $(PERL) $(TOP)/util/files.pl "CPUID_OBJ=$(CPUID_OBJ)" Makefile >> $(TOP)/MINFO +- @target=files; $(RECURSIVE_MAKE) ++ +@target=files; $(RECURSIVE_MAKE) + + links: + @$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER) +@@ -100,7 +100,7 @@ + # lib: $(LIB): are splitted to avoid end-less loop + lib: $(LIB) + @touch lib +-$(LIB): $(LIBOBJ) ++$(LIB): $(LIBOBJ) | subdirs + $(AR) $(LIB) $(LIBOBJ) + test -z "$(FIPSLIBDIR)" || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o + $(RANLIB) $(LIB) || echo Never mind. +@@ -111,7 +111,7 @@ + fi + + libs: +- @target=lib; $(RECURSIVE_MAKE) ++ +@target=lib; $(RECURSIVE_MAKE) + + install: + @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile... +@@ -120,7 +120,7 @@ + (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ + done; +- @target=install; $(RECURSIVE_MAKE) ++ +@target=install; $(RECURSIVE_MAKE) + + lint: + @target=lint; $(RECURSIVE_MAKE) +--- openssl-1.0.2g/engines/Makefile openssl-1.0.2g/engines/Makefile +@@ -72,7 +72,7 @@ + + all: lib subdirs + +-lib: $(LIBOBJ) ++lib: $(LIBOBJ) | subdirs + @if [ -n "$(SHARED_LIBS)" ]; then \ + set -e; \ + for l in $(LIBNAMES); do \ +@@ -89,7 +89,7 @@ + + subdirs: + echo $(EDIRS) +- @target=all; $(RECURSIVE_MAKE) ++ +@target=all; $(RECURSIVE_MAKE) + + files: + $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO +@@ -128,7 +128,7 @@ + mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \ + done; \ + fi +- @target=install; $(RECURSIVE_MAKE) ++ +@target=install; $(RECURSIVE_MAKE) + + tags: + ctags $(SRC) +--- openssl-1.0.2g/Makefile.org 
openssl-1.0.2g/Makefile.org +@@ -279,17 +279,17 @@ + build_libssl: build_ssl libssl.pc + + build_crypto: +- @dir=crypto; target=all; $(BUILD_ONE_CMD) ++ +@dir=crypto; target=all; $(BUILD_ONE_CMD) + build_ssl: build_crypto +- @dir=ssl; target=all; $(BUILD_ONE_CMD) ++ +@dir=ssl; target=all; $(BUILD_ONE_CMD) + build_engines: build_crypto +- @dir=engines; target=all; $(BUILD_ONE_CMD) ++ +@dir=engines; target=all;
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
commit: b59b7705da30eb4cf4eef69946757fe3d11b763f Author: Doug Goldstein gentoo org> AuthorDate: Fri Feb 26 22:51:32 2016 + Commit: Doug Goldstein gentoo org> CommitDate: Fri Feb 26 22:51:32 2016 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b59b7705 dev-libs/openssl: remove no longer necessary file Package-Manager: portage-2.2.26 Signed-off-by: Doug Goldstein gentoo.org> dev-libs/openssl/files/gentoo.config-1.0.1 | 164 - 1 file changed, 164 deletions(-) diff --git a/dev-libs/openssl/files/gentoo.config-1.0.1 b/dev-libs/openssl/files/gentoo.config-1.0.1 deleted file mode 100644 index 24c995a..000 --- a/dev-libs/openssl/files/gentoo.config-1.0.1 +++ /dev/null 
@@ -1,164 +0,0 @@ -#!/usr/bin/env bash -# Copyright 1999-2014 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 -# $Id$ -# -# Openssl doesn't play along nicely with cross-compiling -# like autotools based projects, so let's teach it new tricks. -# -# Review the bundled 'config' script to see why kind of targets -# we can pass to the 'Configure' script. - - -# Testing routines -if [[ $1 == "test" ]] ; then - for c in \ - "arm-gentoo-linux-uclibc |linux-generic32 -DL_ENDIAN" \ - "armv5b-linux-gnu |linux-armv4 -DB_ENDIAN" \ - "x86_64-pc-linux-gnu |linux-x86_64" \ - "alpha-linux-gnu |linux-alpha-gcc" \ - "alphaev56-unknown-linux-gnu |linux-alpha+bwx-gcc" \ - "i686-pc-linux-gnu|linux-elf" \ - "whatever-gentoo-freebsdX.Y |BSD-generic32" \ - "i686-gentoo-freebsdX.Y |BSD-x86-elf" \ - "sparc64-alpha-freebsdX.Y |BSD-sparc64" \ - "ia64-gentoo-freebsd5.99234 |BSD-ia64" \ - "x86_64-gentoo-freebsdX.Y |BSD-x86_64" \ - "hppa64-aldsF-linux-gnu5.3|linux-generic32 -DB_ENDIAN" \ - "powerpc-gentOO-linux-uclibc |linux-ppc" \ - "powerpc64-unk-linux-gnu |linux-ppc64" \ - "x86_64-apple-darwinX |darwin64-x86_64-cc" \ - "powerpc64-apple-darwinX |darwin64-ppc-cc" \ - "i686-apple-darwinX |darwin-i386-cc" \ - "i386-apple-darwinX |darwin-i386-cc" \ - "powerpc-apple-darwinX|darwin-ppc-cc" \ - "i586-pc-winnt|winnt-parity" \ - "s390-ibm-linux-gnu |linux-generic32 -DB_ENDIAN" \ - "s390x-linux-gnu |linux64-s390x" \ - ;do - CHOST=${c/|*} - ret_want=${c/*|} - ret_got=$(CHOST=${CHOST} "$0") - - if [[ ${ret_want} == "${ret_got}" ]] ; then - echo "PASS: ${CHOST}" - else - echo "FAIL: ${CHOST}" - echo -e "\twanted: ${ret_want}" - echo -e "\twe got: ${ret_got}" - fi - done - exit 0 -fi -[[ -z ${CHOST} && -n $1 ]] && CHOST=$1 - - -# Detect the operating system -case ${CHOST} in - *-aix*) system="aix";; - *-darwin*) system="darwin";; - *-freebsd*) system="BSD";; - *-hpux*) system="hpux";; - *-linux*)system="linux";; - *-solaris*) system="solaris";; - 
*-winnt*)system="winnt";; - x86_64-*-mingw*) system="mingw64";; - *mingw*) system="mingw";; - *) exit 0;; -esac - - -# Compiler munging -compiler="gcc" -if [[ ${CC} == "ccc" ]] ; then - compiler=${CC} -fi - - -# Detect target arch -machine="" -chost_machine=${CHOST%%-*} -case ${system} in -linux) - case ${chost_machine}:${ABI} in - aarch64*be) machine="generic64 -DB_ENDIAN";; - aarch64*) machine="generic64 -DL_ENDIAN";; - alphaev56*|\ - alphaev[678]*)machine=alpha+bwx-${compiler};; - alpha*) machine=alpha-${compiler};; - armv[4-9]*b*) machine="armv4 -DB_ENDIAN";; - armv[4-9]*) machine="armv4 -DL_ENDIAN";; - arm*b*) machine="generic32 -DB_ENDIAN";; - arm*) machine="generic32 -DL_ENDIAN";; - avr*) machine="generic32 -DL_ENDIAN";; - bfin*)machine="generic32 -DL_ENDIAN";; - # hppa64*) machine=parisc64;; - hppa*)machine="generic32 -DB_ENDIAN";; - i[0-9]86*|\ - x86_64*:x86) machine=elf;; - ia64*)machine=ia64;; - m68*) machine="generic32 -DB_ENDIAN";; - mips*el*) machine="generic32 -DL_ENDIAN";; - mips*)machine="generic32 -DB_ENDIAN";; - powerpc64*le) machine="generic64 -DL_ENDIAN";; -
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: a4af1cd3c4fb7b99b468903efbdc652e2a5bf9c2 Author: Lars Wendler gentoo org> AuthorDate: Fri Jan 29 06:58:41 2016 + Commit: Lars Wendler gentoo org> CommitDate: Fri Jan 29 06:59:01 2016 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a4af1cd3 dev-libs/openssl: Removed old. Package-Manager: portage-2.2.27 Signed-off-by: Lars Wendler gentoo.org> dev-libs/openssl/Manifest | 4 - .../files/openssl-1.0.2-s_client-verify.patch | 17 -- .../openssl/files/openssl-1.0.2a-malloc-typo.patch | 38 --- .../files/openssl-1.0.2a-parallel-build.patch | 314 - .../files/openssl-1.0.2d-parallel-build.patch | 309 dev-libs/openssl/openssl-1.0.2a.ebuild | 266 - dev-libs/openssl/openssl-1.0.2b.ebuild | 264 - dev-libs/openssl/openssl-1.0.2c.ebuild | 264 - dev-libs/openssl/openssl-1.0.2d-r2.ebuild | 265 - dev-libs/openssl/openssl-1.0.2d.ebuild | 267 -- 10 files changed, 2008 deletions(-) diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest index 17b0441..ddc4c31 100644 --- a/dev-libs/openssl/Manifest +++ b/dev-libs/openssl/Manifest 
@@ -2,10 +2,6 @@ DIST openssl-0.9.8zg.tar.gz 3826891 SHA256 06500060639930e471050474f537fcd28ec93 DIST openssl-0.9.8zh.tar.gz 3818524 SHA256 f1d9f3ed1b85a82ecf80d0e2d389e1fda3fca9a4dba0bf07adbf231e1a5e2fd6 SHA512 b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6 WHIRLPOOL 8ed3362e6aed89cd6ae02438bc3fb58ff3a91afb8a2d401d1d66c1ee4fd96f4befb50558131dd03a60fc15b588172fc1ede5d56bb1f68e184453bfe3b34f9abf DIST openssl-1.0.1p.tar.gz 4560208 SHA256 bd5ee6803165c0fb60bbecbacacf244f1f90d2aa0d71353af610c29121e9b2f1 SHA512 64e475c53a85b78de7c5aa71a22d4bb3a456142842373ebf8f22e9857cb0352b646e591b21af866933baecdbdb5ac4a22aeb64914440c53a0f30cd25914029e5 WHIRLPOOL 2a81f3b9274e3fef37a2a88e3084d8283159b3a61db08e7805879905c87a74faa85bc6e570d18525741bd5c27c34fe09eeb58b2bfe500545d0f304716e14f819 DIST openssl-1.0.1r.tar.gz 4547786 SHA256 784bd8d355ed01ce98b812f873f8b2313da61df7c7b5677fcf2e57b0863a3346 SHA512 7a5a2efe5d9421ea6f4f86f75ed40b4459b3825355ad18da3bdba28393bc50a6f457b2e1f11a31828f1af0d62a716d258ac7868fb719c9997f3bc750a1723e86 WHIRLPOOL de9c92f5ddb9bcaac967ac735696e739f5762b7d3a0b2430dbfa0c6cd7ac021fdf3c3257255a2fe995f24aa3550d59ce3067f030f09acc5d43b61dfda627686a -DIST openssl-1.0.2a.tar.gz 5262089 SHA256 15b6393c20030aab02c8e2fe0243cb1d1d18062f6c095d67bca91871dc7f324a SHA512 02d228578824add52b73433d64697706e6503c2334933fe8dd6b477f59c430977012c3c34da207096229a425e1dcb6f3ae806043894b5ac98c27bbcddb794dd4 WHIRLPOOL a590c71794f5d29b80afa28b18621b7535e96b714b3690d793c1422a90b09a89cbcb912841d400c5982a8197bb02c13051190e96ba0e4d530509b48b43067cd7 -DIST openssl-1.0.2b.tar.gz 5281009 SHA256 d5d488cc9f0a07974195a7427094ea3cab9800a4e90178b989aa621fbc238e3f SHA512 563eb662113668bb9ccf17a6e36697ad6392321ac1a32aa2cada9d8f4047651c2fa4da61f508ee3e1834fea343dbba189e09c1d6cabe5d1de5e3e6d022c31f4f WHIRLPOOL 
d828dc76842d25f02f211031b3ab9a2a8fd44975e9aaf87d0fd5fca9935a27b61c3e4f896a2186194f1a7b4d668fc48cafc5be9f7c670017ba342ce40113935f -DIST openssl-1.0.2c.tar.gz 5280670 SHA256 0038ba37f35a6367c58f17a7a7f687953ef8ce4f9684bbdec63e62515ed36a83 SHA512 2a68e8b017d0d3e34e4f9d33b77abd960b3d04e418f106e852684a2ff247dc8ea390b7d6a42d130fd84d821a15e84e77b68b3677433433ef5c10d156333b9dae WHIRLPOOL c59878c3bd5e8904913b97d71a15ef1eaafcfb4eb58c691ba4fb38bf81752308d0ef4a902e53aec4c6e7585677f2404d29cdea0832d14206fabf28d744af2622 -DIST openssl-1.0.2d.tar.gz 5295447 SHA256 671c36487785628a703374c652ad2cebea45fa920ae5681515df25d9f2c9a8c8 SHA512 68a051e92aaed0e7a8b218c185427c534c32f30f50c45f5d2c1f5b7a26d1416e83863d2953c77486acde3b636a148f39faf48246d28a207607ec069f62b13d75 WHIRLPOOL e3d8f0784903c8d6aa05ada7b8b410517c99157a3c2f4ac34c8a9d80c77408bd6ff9e820ded47f6223ccac4a77413174aa625303166ec28fdbf8374a7d4659ec DIST openssl-1.0.2e.tar.gz 5256555 SHA256 e23ccafdb75cfcde782da0151731aa2185195ac745eea3846133f2e05c0e0bff SHA512 b73f114a117ccab284cf5891dac050e3016d28e0b1fc71639442cdb42accef676115af90a12deff4bcc1f599cc0cbdeb38142cbf4570bd7d03634786ad32c95f WHIRLPOOL 8e1c1800a66f57fa78dc391e717e4b2bdf0e6e37a837c5ac033d7a4b1a6437451c7e7540c4ec2f75f936a2d2ef4f9293b42c76f51b0c9c93706639589612f196 DIST openssl-1.0.2f.tar.gz 5258384 SHA256 932b4ee4def2b434f85435d9e3e19ca8ba99ce9a065a61524b429a9d5e9b2e9c SHA512 50abf6dc94cafd06e7fd20770808bdc675c88daa369e4f752bd584ab17f72a57357c1ca1eca3c83e6745b5a3c9c73c99dce70adaa904d73f6df4c75bc7138351 WHIRLPOOL 179e1b5ad38c50a4c8110024aa7b33c53634c39690917e3bf5c2099548430beef96132ae9f9588ff0cedd6e08bb216a8d36835b04e506fb3fbaed37d31c9 DIST openssl-c_rehash.sh.1.7 4167 SHA256
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
commit: 01322765ce0ea72a84f0a4065cbd47e1a750f2c4 Author: Mike Frysinger gentoo org> AuthorDate: Sun Jan 17 08:44:54 2016 + Commit: Mike Frysinger gentoo org> CommitDate: Sun Jan 17 09:00:28 2016 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=01322765 dev-libs/openssl: fix sparc builds (mostly 64-bit) dev-libs/openssl/files/gentoo.config-1.0.2 | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/dev-libs/openssl/files/gentoo.config-1.0.2 b/dev-libs/openssl/files/gentoo.config-1.0.2
index b3f6ced..0528c1c 100755
--- a/dev-libs/openssl/files/gentoo.config-1.0.2
+++ b/dev-libs/openssl/files/gentoo.config-1.0.2
@@ -108,8 +108,13 @@ linux)
 # sh64*)machine=elf;;
 sh*b*)machine="generic32 -DB_ENDIAN";;
 sh*) machine="generic32 -DL_ENDIAN";;
+ # TODO: Might want to do -mcpu probing like glibc to determine a
+ # better default for sparc-linux-gnu targets. This logic will
+ # break v7 and older systems when they use it.
 sparc*v7*)machine="generic32 -DB_ENDIAN";;
- sparc64*) machine=sparcv9;;
+ sparc64*) machine=sparcv9 system=linux64;;
+ sparc*v9*)machine=sparcv9;;
+ sparc*v8*)machine=sparcv8;;
 sparc*) machine=sparcv8;;
 s390x*) machine=s390x system=linux64;;
 s390*)machine="generic32 -DB_ENDIAN";;
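Review bot: The new sparc arms have no entries in the script's self-test list, so the `system=linux64` switch for `sparc64*` is unchecked; the list shown where this file was added has only `sparc64-alpha-freebsdX.Y` for sparc. Going by the existing `s390x-linux-gnu |linux64-s390x` pair, entries such as `"sparc64-unknown-linux-gnu |linux64-sparcv9"` and `"sparc-unknown-linux-gnu |linux-sparcv8"` would cover them (expected values inferred, not taken from the page). The `sparc*v8*)` arm yields the same result as the `sparc*)` fallback below it, so a short comment saying it is kept for symmetry would help. The `case` statement starts and ends outside the hunk.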
[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/
commit: 7b2ffc3b84bc53e596a2517aae8c061f2e99fd22 Author: Mike Frysinger gentoo org> AuthorDate: Sun Sep 20 18:11:11 2015 + Commit: Mike Frysinger gentoo org> CommitDate: Sun Sep 20 18:12:21 2015 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7b2ffc3b dev-libs/openssl: fix config script for a few targets #560812 We were missing trailing globs for aarch64/be and ppc/le to match the ABI value. This also updates the ppc64le target to use the new config value that is available with the 1.0.2 series. dev-libs/openssl/files/gentoo.config-1.0.2 | 165 + dev-libs/openssl/openssl-1.0.2d.ebuild | 2 +- 2 files changed, 166 insertions(+), 1 deletion(-) diff --git a/dev-libs/openssl/files/gentoo.config-1.0.2 b/dev-libs/openssl/files/gentoo.config-1.0.2 new file mode 100755 index 000..b3f6ced --- /dev/null +++ b/dev-libs/openssl/files/gentoo.config-1.0.2 
@@ -0,0 +1,165 @@ +#!/usr/bin/env bash +# Copyright 1999-2014 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ +# +# Openssl doesn't play along nicely with cross-compiling +# like autotools based projects, so let's teach it new tricks. +# +# Review the bundled 'config' script to see why kind of targets +# we can pass to the 'Configure' script. + + +# Testing routines +if [[ $1 == "test" ]] ; then + for c in \ + "arm-gentoo-linux-uclibc |linux-generic32 -DL_ENDIAN" \ + "armv5b-linux-gnu |linux-armv4 -DB_ENDIAN" \ + "x86_64-pc-linux-gnu |linux-x86_64" \ + "alpha-linux-gnu |linux-alpha-gcc" \ + "alphaev56-unknown-linux-gnu |linux-alpha+bwx-gcc" \ + "i686-pc-linux-gnu|linux-elf" \ + "whatever-gentoo-freebsdX.Y |BSD-generic32" \ + "i686-gentoo-freebsdX.Y |BSD-x86-elf" \ + "sparc64-alpha-freebsdX.Y |BSD-sparc64" \ + "ia64-gentoo-freebsd5.99234 |BSD-ia64" \ + "x86_64-gentoo-freebsdX.Y |BSD-x86_64" \ + "hppa64-aldsF-linux-gnu5.3|linux-generic32 -DB_ENDIAN" \ + "powerpc-gentOO-linux-uclibc |linux-ppc" \ + "powerpc64-unk-linux-gnu |linux-ppc64" \ + "powerpc64le-linux-gnu|linux-ppc64le" \ + "x86_64-apple-darwinX |darwin64-x86_64-cc" \ + "powerpc64-apple-darwinX |darwin64-ppc-cc" \ + "i686-apple-darwinX |darwin-i386-cc" \ + "i386-apple-darwinX |darwin-i386-cc" \ + "powerpc-apple-darwinX|darwin-ppc-cc" \ + "i586-pc-winnt|winnt-parity" \ + "s390-ibm-linux-gnu |linux-generic32 -DB_ENDIAN" \ + "s390x-linux-gnu |linux64-s390x" \ + ;do + CHOST=${c/|*} + ret_want=${c/*|} + ret_got=$(CHOST=${CHOST} "$0") + + if [[ ${ret_want} == "${ret_got}" ]] ; then + echo "PASS: ${CHOST}" + else + echo "FAIL: ${CHOST}" + echo -e "\twanted: ${ret_want}" + echo -e "\twe got: ${ret_got}" + fi + done + exit 0 +fi +[[ -z ${CHOST} && -n $1 ]] && CHOST=$1 + + +# Detect the operating system +case ${CHOST} in + *-aix*) system="aix";; + *-darwin*) system="darwin";; + *-freebsd*) system="BSD";; + *-hpux*) system="hpux";; + *-linux*)system="linux";; + *-solaris*) 
system="solaris";; + *-winnt*)system="winnt";; + x86_64-*-mingw*) system="mingw64";; + *mingw*) system="mingw";; + *) exit 0;; +esac + + +# Compiler munging +compiler="gcc" +if [[ ${CC} == "ccc" ]] ; then + compiler=${CC} +fi + + +# Detect target arch +machine="" +chost_machine=${CHOST%%-*} +case ${system} in +linux) + case ${chost_machine}:${ABI} in + aarch64*be*) machine="generic64 -DB_ENDIAN";; + aarch64*) machine="generic64 -DL_ENDIAN";; + alphaev56*|\ + alphaev[678]*)machine=alpha+bwx-${compiler};; + alpha*) machine=alpha-${compiler};; + armv[4-9]*b*) machine="armv4 -DB_ENDIAN";; + armv[4-9]*) machine="armv4 -DL_ENDIAN";; + arm*b*) machine="generic32 -DB_ENDIAN";; + arm*) machine="generic32 -DL_ENDIAN";; + avr*) machine="generic32 -DL_ENDIAN";; + bfin*)machine="generic32 -DL_ENDIAN";; + # hppa64*) machine=parisc64;; + hppa*)machine="generic32 -DB_ENDIAN";; + i[0-9]86*|\ + x86_64*:x86) machine=elf;; + ia64*)machine=ia64;; +