[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2024-04-15 Thread Sam James
commit: 0626b571d9c2a3f6774d5cf929e80b325e571a38
Author: Sam James  gentoo  org>
AuthorDate: Mon Apr 15 08:12:52 2024 +
Commit: Sam James  gentoo  org>
CommitDate: Mon Apr 15 08:16:46 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0626b571

dev-libs/openssl: backport libp11 segfault fix to 3.0.13 too

Bug: https://bugs.gentoo.org/916328
Signed-off-by: Sam James  gentoo.org>

 .../files/openssl-3.0.13-p11-segfault.patch|  79 ++
 dev-libs/openssl/openssl-3.0.13-r2.ebuild  | 283 +
 2 files changed, 362 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-3.0.13-p11-segfault.patch 
b/dev-libs/openssl/files/openssl-3.0.13-p11-segfault.patch
new file mode 100644
index ..73b131ab7928
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.0.13-p11-segfault.patch
@@ -0,0 +1,79 @@
+https://bugs.gentoo.org/916328
+https://github.com/opendnssec/SoftHSMv2/issues/729
+https://github.com/openssl/openssl/issues/22508
+https://github.com/openssl/openssl/commit/ad6cbe4b7f57a783a66a7ae883ea0d35ef5f82b6
+
+From ad6cbe4b7f57a783a66a7ae883ea0d35ef5f82b6 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz 
+Date: Fri, 15 Dec 2023 13:45:50 +0100
+Subject: [PATCH] Revert "Improved detection of engine-provided private
+ "classic" keys"
+
+This reverts commit 2b74e75331a27fc89cad9c8ea6a26c70019300b5.
+
+The commit was wrong. With 3.x versions the engines must be themselves
+responsible for creating their EVP_PKEYs in a way that they are treated
+as legacy - either by using the respective set1 calls or by setting
+non-default EVP_PKEY_METHOD.
+
+The workaround has caused more problems than it solved.
+
+Fixes #22945
+
+Reviewed-by: Dmitry Belyavskiy 
+Reviewed-by: Neil Horman 
+(Merged from https://github.com/openssl/openssl/pull/23063)
+
+(cherry picked from commit 39ea78379826fa98e8dc8c0d2b07e2c17cd68380)
+--- a/crypto/engine/eng_pkey.c
 b/crypto/engine/eng_pkey.c
+@@ -79,48 +79,6 @@ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char 
*key_id,
+ ERR_raise(ERR_LIB_ENGINE, ENGINE_R_FAILED_LOADING_PRIVATE_KEY);
+ return NULL;
+ }
+-/* We enforce check for legacy key */
+-switch (EVP_PKEY_get_id(pkey)) {
+-case EVP_PKEY_RSA:
+-{
+-RSA *rsa = EVP_PKEY_get1_RSA(pkey);
+-EVP_PKEY_set1_RSA(pkey, rsa);
+-RSA_free(rsa);
+-}
+-break;
+-#  ifndef OPENSSL_NO_EC
+-case EVP_PKEY_SM2:
+-case EVP_PKEY_EC:
+-{
+-EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey);
+-EVP_PKEY_set1_EC_KEY(pkey, ec);
+-EC_KEY_free(ec);
+-}
+-break;
+-#  endif
+-#  ifndef OPENSSL_NO_DSA
+-case EVP_PKEY_DSA:
+-{
+-DSA *dsa = EVP_PKEY_get1_DSA(pkey);
+-EVP_PKEY_set1_DSA(pkey, dsa);
+-DSA_free(dsa);
+-}
+-break;
+-#endif
+-#  ifndef OPENSSL_NO_DH
+-case EVP_PKEY_DH:
+-{
+-DH *dh = EVP_PKEY_get1_DH(pkey);
+-EVP_PKEY_set1_DH(pkey, dh);
+-DH_free(dh);
+-}
+-break;
+-#endif
+-default:
+-/*Do nothing */
+-break;
+-}
+-
+ return pkey;
+ }
+ 
+
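Review bot: The reference block at the top of this patch file cites openssl issue 22508, but the upstream commit message carried below it says `Fixes #22945`, so the header does not point at the report the revert actually closes. Adding that reference next to the existing links, plus a one-line summary such as `Revert legacy-key coercion in ENGINE_load_private_key (engine key segfault, bug 916328)`, would let someone auditing the backport confirm its provenance without opening each URL. After the revert the function returns the engine's `pkey` untouched, so whether a key is treated as legacy depends on the engine itself, as the upstream message states; that is worth recording in the header for users of PKCS#11 engines.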

diff --git a/dev-libs/openssl/openssl-3.0.13-r2.ebuild 
b/dev-libs/openssl/openssl-3.0.13-r2.ebuild
new file mode 100644
index ..3743359d3e0d
--- /dev/null
+++ b/dev-libs/openssl/openssl-3.0.13-r2.ebuild
@@ -0,0 +1,283 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic linux-info toolchain-funcs
+inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
+
+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer 
Security (TLS)"
+HOMEPAGE="https://www.openssl.org/;
+
+MY_P=${P/_/-}
+
+if [[ ${PV} ==  ]] ; then
+   EGIT_REPO_URI="https://github.com/openssl/openssl.git;
+
+   inherit git-r3
+else
+   SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
+   verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
+   KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc 
~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+fi
+
+S="${WORKDIR}"/${MY_P}
+
+LICENSE="Apache-2.0"
+SLOT="0/3" # .so version of libssl/libcrypto
+IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test 
tls-compression vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+   tls-compression? ( 
>=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+"
+BDEPEND="
+   >=dev-lang/perl-5
+   sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+   test? (
+   sys-apps/diffutils
+   app-alternatives/bc
+   sys-process/procps
+   )
+   verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230801 )"
+
+DEPEND="${COMMON_DEPEND}"

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2024-04-15 Thread Sam James
commit: ccf71abfb2591dbf4b65f1db957596562234cb82
Author: Sam James  gentoo  org>
AuthorDate: Mon Apr 15 07:15:58 2024 +
Commit: Sam James  gentoo  org>
CommitDate: Mon Apr 15 07:16:11 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ccf71abf

dev-libs/openssl: fix CVE-2024-2511 for 3.2.1

Bug: https://bugs.gentoo.org/930047
Signed-off-by: Sam James  gentoo.org>

 .../files/openssl-3.2.1-CVE-2024-2511.patch| 137 +
 dev-libs/openssl/openssl-3.2.1-r2.ebuild   | 307 +
 2 files changed, 444 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-3.2.1-CVE-2024-2511.patch 
b/dev-libs/openssl/files/openssl-3.2.1-CVE-2024-2511.patch
new file mode 100644
index ..d5b40447d745
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.2.1-CVE-2024-2511.patch
@@ -0,0 +1,137 @@
+https://www.openssl.org/news/secadv/20240408.txt
+https://bugs.gentoo.org/930047
+https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08
+https://github.com/openssl/openssl/commit/4d67109432646c113887b0aa8091fb0d1b3057e6
+
+From e9d7083e241670332e0443da0f0d4ffb52829f08 Mon Sep 17 00:00:00 2001
+From: Matt Caswell 
+Date: Tue, 5 Mar 2024 15:43:53 +
+Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3
+
+In TLSv1.3 we create a new session object for each ticket that we send.
+We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
+use then the new session will be added to the session cache. However, if
+early data is not in use (and therefore anti-replay protection is being
+used), then multiple threads could be resuming from the same session
+simultaneously. If this happens and a problem occurs on one of the threads,
+then the original session object could be marked as not_resumable. When we
+duplicate the session object this not_resumable status gets copied into the
+new session object. The new session object is then added to the session
+cache even though it is not_resumable.
+
+Subsequently, another bug means that the session_id_length is set to 0 for
+sessions that are marked as not_resumable - even though that session is
+still in the cache. Once this happens the session can never be removed from
+the cache. When that object gets to be the session cache tail object the
+cache never shrinks again and grows indefinitely.
+
+CVE-2024-2511
+
+Reviewed-by: Neil Horman 
+Reviewed-by: Tomas Mraz 
+(Merged from https://github.com/openssl/openssl/pull/24043)
+--- a/ssl/ssl_lib.c
 b/ssl/ssl_lib.c
+@@ -4457,9 +4457,10 @@ void ssl_update_cache(SSL_CONNECTION *s, int mode)
+ 
+ /*
+  * If the session_id_length is 0, we are not supposed to cache it, and it
+- * would be rather hard to do anyway :-)
++ * would be rather hard to do anyway :-). Also if the session has already
++ * been marked as not_resumable we should not cache it for later reuse.
+  */
+-if (s->session->session_id_length == 0)
++if (s->session->session_id_length == 0 || s->session->not_resumable)
+ return;
+ 
+ /*
+--- a/ssl/ssl_sess.c
 b/ssl/ssl_sess.c
+@@ -127,16 +127,11 @@ SSL_SESSION *SSL_SESSION_new(void)
+ return ss;
+ }
+ 
+-SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
+-{
+-return ssl_session_dup(src, 1);
+-}
+-
+ /*
+  * Create a new SSL_SESSION and duplicate the contents of |src| into it. If
+  * ticket == 0 then no ticket information is duplicated, otherwise it is.
+  */
+-SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
++static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket)
+ {
+ SSL_SESSION *dest;
+ 
+@@ -265,6 +260,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int 
ticket)
+ return NULL;
+ }
+ 
++SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
++{
++return ssl_session_dup_intern(src, 1);
++}
++
++/*
++ * Used internally when duplicating a session which might be already shared.
++ * We will have resumed the original session. Subsequently we might have 
marked
++ * it as non-resumable (e.g. in another thread) - but this copy should be ok 
to
++ * resume from.
++ */
++SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
++{
++SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
++
++if (sess != NULL)
++sess->not_resumable = 0;
++
++return sess;
++}
++
+ const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int 
*len)
+ {
+ if (len)
+--- a/ssl/statem/statem_srvr.c
 b/ssl/statem/statem_srvr.c
+@@ -2445,9 +2445,8 @@ CON_FUNC_RETURN 
tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt)
+  * so the following won't overwrite an ID that we're supposed
+  * to send back.
+  */
+-if (s->session->not_resumable ||
+-(!(SSL_CONNECTION_GET_CTX(s)->session_cache_mode & 
SSL_SESS_CACHE_SERVER)
+- && !s->hit))
++if (!(SSL_CONNECTION_GET_CTX(s)->session_cache_mode & 
SSL_SESS_CACHE_SERVER)
++

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2024-04-02 Thread Fabian Groffen
commit: 0785cd27c30f5e045bda1b6dc6e517d3499a4e55
Author: Fabian Groffen  gentoo  org>
AuthorDate: Tue Apr  2 17:52:42 2024 +
Commit: Fabian Groffen  gentoo  org>
CommitDate: Tue Apr  2 17:54:22 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0785cd27

dev-libs/openssl-3.2.1-r1: fix for Darwin

don't run append-atomic-flags with non-GNU-like linker
add guess for arm64-darwin

Signed-off-by: Fabian Groffen  gentoo.org>

 dev-libs/openssl/files/gentoo.config-1.0.4 | 2 ++
 dev-libs/openssl/openssl-3.2.1-r1.ebuild   | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/dev-libs/openssl/files/gentoo.config-1.0.4 
b/dev-libs/openssl/files/gentoo.config-1.0.4
index 5f205781ae3e..d32ce877a34a 100644
--- a/dev-libs/openssl/files/gentoo.config-1.0.4
+++ b/dev-libs/openssl/files/gentoo.config-1.0.4
@@ -32,6 +32,7 @@ if [[ $1 == "test" ]] ; then
"i686-apple-darwinX   |darwin-i386-cc" \
"i386-apple-darwinX   |darwin-i386-cc" \
"powerpc-apple-darwinX|darwin-ppc-cc" \
+   "arm64-apple-darwinX  |darwin-arm64-cc" \
"i586-pc-winnt|winnt-parity" \
"s390-ibm-linux-gnu   |linux-generic32 -DB_ENDIAN" \
"s390x-linux-gnu  |linux64-s390x" \
@@ -155,6 +156,7 @@ darwin)
powerpc)  machine=ppc-cc;;
i?86*)machine=i386-cc;;
x86_64)   machine=x86_64-cc; system=${system}64;;
+   arm64)machine=arm64-cc; system=${system}64;;
esac
;;
 hpux)
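Review bot: The new `arm64)` arm appends `64` to `system` just as the `x86_64)` arm above it does, while the self-test entry added in the first hunk of this file expects `darwin-arm64-cc` for `arm64-apple-darwinX`, without the `64`. If the target is assembled from `system` and `machine` the way the x86_64 case suggests, the guess would come out as `darwin64-arm64-cc` and the added test line would not match it; the line would then read `"arm64-apple-darwinX  |darwin64-arm64-cc" \`. The code that joins the two variables is outside the hunk, so this should be confirmed by running the script's `test` mode.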

diff --git a/dev-libs/openssl/openssl-3.2.1-r1.ebuild 
b/dev-libs/openssl/openssl-3.2.1-r1.ebuild
index 79bd29a1a54e..ee2e112cd6f0 100644
--- a/dev-libs/openssl/openssl-3.2.1-r1.ebuild
+++ b/dev-libs/openssl/openssl-3.2.1-r1.ebuild
@@ -148,8 +148,8 @@ src_configure() {
 
append-flags $(test-flags-CC -Wa,--noexecstack)
 
-   # bug #895308
-   append-atomic-flags
+   # bug #895308 -- check inserts GNU ld-compatible arguments
+   [[ ${CHOST} == *-darwin* ]] || append-atomic-flags
# Configure doesn't respect LIBS
export LDLIBS="${LIBS}"
 
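Review bot: The guard `[[ ${CHOST} == *-darwin* ]] || append-atomic-flags` keys on the platform name, whereas the commit message and the new comment give the reason as a linker that does not accept GNU ld-style arguments. Other hosts with a non-GNU linker would still run the check, so either the condition should test the linker or the comment should say the skip is deliberately Darwin-only, for example `# bug #895308 -- skipped on Darwin: the check passes GNU ld-only arguments`. It is also worth stating that nothing is added for atomics on Darwin when the check is skipped, since a reader cannot tell from here whether that is always safe. `src_configure` continues outside the hunk.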



[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2024-03-31 Thread Jakov Smolić
commit: 64867ad1eb261d199c0e80a71b24d1a9d6769c39
Author: Jakov Smolić  gentoo  org>
AuthorDate: Sun Mar 24 17:47:21 2024 +
Commit: Jakov Smolić  gentoo  org>
CommitDate: Sun Mar 31 16:48:16 2024 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=64867ad1

dev-libs/openssl: Backport riscv patch to 3.2.1

Closes: https://bugs.gentoo.org/923956
Signed-off-by: Jakov Smolić  gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/35901
Signed-off-by: Jakov Smolić  gentoo.org>

 dev-libs/openssl/files/openssl-3.2.1-riscv.patch | 70 
 dev-libs/openssl/openssl-3.2.1-r1.ebuild |  2 +
 2 files changed, 72 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-3.2.1-riscv.patch 
b/dev-libs/openssl/files/openssl-3.2.1-riscv.patch
new file mode 100644
index ..51256cf434e2
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.2.1-riscv.patch
@@ -0,0 +1,70 @@
+# Bug: https://bugs.gentoo.org/923956
+# Upstream PR: https://github.com/openssl/openssl/pull/23752
+--- a/providers/implementations/ciphers/cipher_aes_gcm_hw.c
 b/providers/implementations/ciphers/cipher_aes_gcm_hw.c
+@@ -142,9 +142,9 @@ static const PROV_GCM_HW aes_gcm = {
+ # include "cipher_aes_gcm_hw_armv8.inc"
+ #elif defined(PPC_AES_GCM_CAPABLE) && defined(_ARCH_PPC64)
+ # include "cipher_aes_gcm_hw_ppc.inc"
+-#elif defined(__riscv) && __riscv_xlen == 64
++#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64
+ # include "cipher_aes_gcm_hw_rv64i.inc"
+-#elif defined(__riscv) && __riscv_xlen == 32
++#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 32
+ # include "cipher_aes_gcm_hw_rv32i.inc"
+ #else
+ const PROV_GCM_HW *ossl_prov_aes_hw_gcm(size_t keybits)
+--- a/providers/implementations/ciphers/cipher_aes_hw.c
 b/providers/implementations/ciphers/cipher_aes_hw.c
+@@ -142,9 +142,9 @@ const PROV_CIPHER_HW 
*ossl_prov_cipher_hw_aes_##mode(size_t keybits)   \
+ # include "cipher_aes_hw_t4.inc"
+ #elif defined(S390X_aes_128_CAPABLE)
+ # include "cipher_aes_hw_s390x.inc"
+-#elif defined(__riscv) && __riscv_xlen == 64
++#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64
+ # include "cipher_aes_hw_rv64i.inc"
+-#elif defined(__riscv) && __riscv_xlen == 32
++#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 32
+ # include "cipher_aes_hw_rv32i.inc"
+ #else
+ /* The generic case */
+--- a/providers/implementations/ciphers/cipher_aes_ocb_hw.c
 b/providers/implementations/ciphers/cipher_aes_ocb_hw.c
+@@ -104,7 +104,7 @@ static const PROV_CIPHER_HW aes_t4_ocb = { 
\
+ if (SPARC_AES_CAPABLE)
 \
+ return _t4_ocb;
+ 
+-#elif defined(__riscv) && __riscv_xlen == 64
++#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64
+ 
+ static int cipher_hw_aes_ocb_rv64i_zknd_zkne_initkey(PROV_CIPHER_CTX *vctx,
+  const unsigned char *key,
+@@ -126,7 +126,7 @@ static const PROV_CIPHER_HW aes_rv64i_zknd_zkne_ocb = {
\
+ if (RISCV_HAS_ZKND_AND_ZKNE())
 \
+ return _rv64i_zknd_zkne_ocb;
+ 
+-#elif defined(__riscv) && __riscv_xlen == 32
++#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 32
+ 
+ static int cipher_hw_aes_ocb_rv32i_zknd_zkne_initkey(PROV_CIPHER_CTX *vctx,
+  const unsigned char *key,
+--- a/providers/implementations/ciphers/cipher_aes_xts_hw.c
 b/providers/implementations/ciphers/cipher_aes_xts_hw.c
+@@ -159,7 +159,7 @@ static const PROV_CIPHER_HW aes_xts_t4 = { 
\
+ if (SPARC_AES_CAPABLE)
 \
+ return _xts_t4;
+ 
+-#elif defined(__riscv) && __riscv_xlen == 64
++#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64
+ 
+ static int cipher_hw_aes_xts_rv64i_zknd_zkne_initkey(PROV_CIPHER_CTX *ctx,
+  const unsigned char *key,
+@@ -185,7 +185,7 @@ static const PROV_CIPHER_HW aes_xts_rv64i_zknd_zkne = {
\
+ if (RISCV_HAS_ZKND_AND_ZKNE())
 \
+ return _xts_rv64i_zknd_zkne;
+ 
+-#elif defined(__riscv) && __riscv_xlen == 32
++#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 32
+ 
+ static int cipher_hw_aes_xts_rv32i_zknd_zkne_initkey(PROV_CIPHER_CTX *ctx,
+  const unsigned char *key,
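Review bot: The header of this patch file gives only a bug link and an upstream PR link, with no statement of what the added `defined(OPENSSL_CPUID_OBJ)` guards change. With the guard in place, a riscv build where that macro is undefined no longer includes the `*_rv64i.inc` / `*_rv32i.inc` files and instead takes the `#else` generic branch visible in cipher_aes_hw.c; a header line such as `# Only use the RISC-V AES hardware paths when OPENSSL_CPUID_OBJ is defined` would make that explicit. Recording the merged upstream commit, once known, would also tell maintainers when the patch can be dropped. In the ocb and xts files the corresponding fallback branch is outside the patch context, so the effect there is inferred.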

diff --git a/dev-libs/openssl/openssl-3.2.1-r1.ebuild 
b/dev-libs/openssl/openssl-3.2.1-r1.ebuild
index 24ae65f3321f..79bd29a1a54e 100644
--- a/dev-libs/openssl/openssl-3.2.1-r1.ebuild
+++ b/dev-libs/openssl/openssl-3.2.1-r1.ebuild
@@ -58,6 +58,8 @@ MULTILIB_WRAPPED_HEADERS=(
 
 

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/

2023-12-30 Thread Conrad Kostecki
commit: 414fc629d397bb756ad382342e99243dcc6ec508
Author: Michael Mair-Keimberger  levelnine  at>
AuthorDate: Fri Dec 29 14:04:25 2023 +
Commit: Conrad Kostecki  gentoo  org>
CommitDate: Sun Dec 31 02:37:21 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=414fc629

dev-libs/openssl: remove unused patches

Signed-off-by: Michael Mair-Keimberger  levelnine.at>
Closes: https://github.com/gentoo/gentoo/pull/34537
Signed-off-by: Conrad Kostecki  gentoo.org>

 .../files/openssl-3.0.9-CVE-2023-2975.patch| 109 ---
 .../files/openssl-3.0.9-CVE-2023-3446.patch| 120 -
 2 files changed, 229 deletions(-)

diff --git a/dev-libs/openssl/files/openssl-3.0.9-CVE-2023-2975.patch 
b/dev-libs/openssl/files/openssl-3.0.9-CVE-2023-2975.patch
deleted file mode 100644
index 908e57251cb9..
--- a/dev-libs/openssl/files/openssl-3.0.9-CVE-2023-2975.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-https://github.com/openssl/openssl/commit/00e2f5eea29994d19293ec4e8c8775ba73678598
-https://github.com/openssl/openssl/commit/96318a8d21bed334d78797eca5b32790775d5f05
-
-From 00e2f5eea29994d19293ec4e8c8775ba73678598 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz 
-Date: Tue, 4 Jul 2023 17:30:35 +0200
-Subject: [PATCH] Do not ignore empty associated data with AES-SIV mode
-
-The AES-SIV mode allows for multiple associated data items
-authenticated separately with any of these being 0 length.
-
-The provided implementation ignores such empty associated data
-which is incorrect in regards to the RFC 5297 and is also
-a security issue because such empty associated data then become
-unauthenticated if an application expects to authenticate them.
-
-Fixes CVE-2023-2975
-
-Reviewed-by: Matt Caswell 
-Reviewed-by: Paul Dale 
-(Merged from https://github.com/openssl/openssl/pull/21384)
-
-(cherry picked from commit c426c281cfc23ab182f7d7d7a35229e7db1494d9)
 a/providers/implementations/ciphers/cipher_aes_siv.c
-+++ b/providers/implementations/ciphers/cipher_aes_siv.c
-@@ -120,14 +120,18 @@ static int siv_cipher(void *vctx, unsigned char *out, 
size_t *outl,
- if (!ossl_prov_is_running())
- return 0;
- 
--if (inl == 0) {
--*outl = 0;
--return 1;
--}
-+/* Ignore just empty encryption/decryption call and not AAD. */
-+if (out != NULL) {
-+if (inl == 0) {
-+if (outl != NULL)
-+*outl = 0;
-+return 1;
-+}
- 
--if (outsize < inl) {
--ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
--return 0;
-+if (outsize < inl) {
-+ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
-+return 0;
-+}
- }
- 
- if (ctx->hw->cipher(ctx, out, in, inl) <= 0)
-
-From 96318a8d21bed334d78797eca5b32790775d5f05 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz 
-Date: Tue, 4 Jul 2023 17:50:37 +0200
-Subject: [PATCH] Add testcases for empty associated data entries with AES-SIV
-
-Reviewed-by: Matt Caswell 
-Reviewed-by: Paul Dale 
-(Merged from https://github.com/openssl/openssl/pull/21384)
-
-(cherry picked from commit 3993bb0c0c87e3ed0ab4274e4688aa814e164cfc)
 a/test/recipes/30-test_evp_data/evpciph_aes_siv.txt
-+++ b/test/recipes/30-test_evp_data/evpciph_aes_siv.txt
-@@ -20,6 +20,19 @@ Tag = 85632d07c6e8f37f950acd320a2ecc93
- Plaintext =  112233445566778899aabbccddee
- Ciphertext = 40c02b9690c4dc04daef7f6afe5c
- 
-+Cipher = aes-128-siv
-+Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
-+Tag = f1c5fdeac1f15a26779c1501f9fb7588
-+Plaintext =  112233445566778899aabbccddee
-+Ciphertext = 27e946c669088ab06da58c5c831c
-+
-+Cipher = aes-128-siv
-+Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
-+AAD =
-+Tag = d1022f5b3664e5a4dfaf90f85be6f28a
-+Plaintext =  112233445566778899aabbccddee
-+Ciphertext = b66cff6b8eca0b79f083b39a0901
-+
- Cipher = aes-128-siv
- Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f
- AAD = 
00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100
-@@ -29,6 +42,24 @@ Tag = 7bdb6e3b432667eb06f4d14bff2fbd0f
- Plaintext =  
7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553
- Ciphertext = 
cb900f2fddbe404326601965c889bf17dba77ceb094fa663b7a3f748ba8af829ea64ad544a272e9c485b62a3fd5c0d
- 
-+Cipher = aes-128-siv
-+Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f
-+AAD = 
00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100
-+AAD =
-+AAD = 09f911029d74e35bd84156c5635688c0
-+Tag = 83ce6593a8fa67eb6fcd2819cedfc011
-+Plaintext =  
7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553
-+Ciphertext = 
30d937b42f71f71f93fc2d8d702d3eac8dc7651eefcd81120081ff29d626f97f3de17f2969b691c91b69b652bf3a6d
-+
-+Cipher = aes-128-siv
-+Key = 

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/

2023-10-04 Thread Conrad Kostecki
commit: bb6f84dc03496525a2a87ca05b91e72cd560b991
Author: Michael Mair-Keimberger  levelnine  at>
AuthorDate: Wed Oct  4 15:46:33 2023 +
Commit: Conrad Kostecki  gentoo  org>
CommitDate: Wed Oct  4 21:44:27 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb6f84dc

dev-libs/openssl: remove unused patches

Signed-off-by: Michael Mair-Keimberger  levelnine.at>
Closes: https://github.com/gentoo/gentoo/pull/33190
Signed-off-by: Conrad Kostecki  gentoo.org>

 .../files/openssl-3.1.1-CVE-2023-2975.patch| 110 ---
 .../files/openssl-3.1.1-CVE-2023-3446.patch| 121 -
 2 files changed, 231 deletions(-)

diff --git a/dev-libs/openssl/files/openssl-3.1.1-CVE-2023-2975.patch 
b/dev-libs/openssl/files/openssl-3.1.1-CVE-2023-2975.patch
deleted file mode 100644
index 5abf60737dbd..
--- a/dev-libs/openssl/files/openssl-3.1.1-CVE-2023-2975.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-https://github.com/openssl/openssl/commit/6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc
-https://github.com/openssl/openssl/commit/76214c4a8f3374b786811fdfeda3d98690f8faf4
-
-From 6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc Mon Sep 17 00:00:00 2001
-From: Tomas Mraz 
-Date: Tue, 4 Jul 2023 17:30:35 +0200
-Subject: [PATCH] Do not ignore empty associated data with AES-SIV mode
-
-The AES-SIV mode allows for multiple associated data items
-authenticated separately with any of these being 0 length.
-
-The provided implementation ignores such empty associated data
-which is incorrect in regards to the RFC 5297 and is also
-a security issue because such empty associated data then become
-unauthenticated if an application expects to authenticate them.
-
-Fixes CVE-2023-2975
-
-Reviewed-by: Matt Caswell 
-Reviewed-by: Paul Dale 
-(Merged from https://github.com/openssl/openssl/pull/21384)
-
-(cherry picked from commit c426c281cfc23ab182f7d7d7a35229e7db1494d9)
 a/providers/implementations/ciphers/cipher_aes_siv.c
-+++ b/providers/implementations/ciphers/cipher_aes_siv.c
-@@ -120,14 +120,18 @@ static int siv_cipher(void *vctx, unsigned char *out, 
size_t *outl,
- if (!ossl_prov_is_running())
- return 0;
- 
--if (inl == 0) {
--*outl = 0;
--return 1;
--}
-+/* Ignore just empty encryption/decryption call and not AAD. */
-+if (out != NULL) {
-+if (inl == 0) {
-+if (outl != NULL)
-+*outl = 0;
-+return 1;
-+}
- 
--if (outsize < inl) {
--ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
--return 0;
-+if (outsize < inl) {
-+ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
-+return 0;
-+}
- }
- 
- if (ctx->hw->cipher(ctx, out, in, inl) <= 0)
-
-From 76214c4a8f3374b786811fdfeda3d98690f8faf4 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz 
-Date: Tue, 4 Jul 2023 17:50:37 +0200
-Subject: [PATCH] Add testcases for empty associated data entries with AES-SIV
-
-Reviewed-by: Matt Caswell 
-Reviewed-by: Paul Dale 
-(Merged from https://github.com/openssl/openssl/pull/21384)
-
-(cherry picked from commit 3993bb0c0c87e3ed0ab4274e4688aa814e164cfc)
 a/test/recipes/30-test_evp_data/evpciph_aes_siv.txt
-+++ b/test/recipes/30-test_evp_data/evpciph_aes_siv.txt
-@@ -20,6 +20,19 @@ Tag = 85632d07c6e8f37f950acd320a2ecc93
- Plaintext =  112233445566778899aabbccddee
- Ciphertext = 40c02b9690c4dc04daef7f6afe5c
- 
-+Cipher = aes-128-siv
-+Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
-+Tag = f1c5fdeac1f15a26779c1501f9fb7588
-+Plaintext =  112233445566778899aabbccddee
-+Ciphertext = 27e946c669088ab06da58c5c831c
-+
-+Cipher = aes-128-siv
-+Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
-+AAD =
-+Tag = d1022f5b3664e5a4dfaf90f85be6f28a
-+Plaintext =  112233445566778899aabbccddee
-+Ciphertext = b66cff6b8eca0b79f083b39a0901
-+
- Cipher = aes-128-siv
- Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f
- AAD = 
00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100
-@@ -29,6 +42,24 @@ Tag = 7bdb6e3b432667eb06f4d14bff2fbd0f
- Plaintext =  
7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553
- Ciphertext = 
cb900f2fddbe404326601965c889bf17dba77ceb094fa663b7a3f748ba8af829ea64ad544a272e9c485b62a3fd5c0d
- 
-+Cipher = aes-128-siv
-+Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f
-+AAD = 
00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100
-+AAD =
-+AAD = 09f911029d74e35bd84156c5635688c0
-+Tag = 83ce6593a8fa67eb6fcd2819cedfc011
-+Plaintext =  
7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553
-+Ciphertext = 
30d937b42f71f71f93fc2d8d702d3eac8dc7651eefcd81120081ff29d626f97f3de17f2969b691c91b69b652bf3a6d
-+
-+Cipher = aes-128-siv
-+Key = 

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2023-07-19 Thread Sam James
commit: e70b056198310f608b8faddfcb24a96f2dfab9e6
Author: Sam James  gentoo  org>
AuthorDate: Wed Jul 19 14:55:30 2023 +
Commit: Sam James  gentoo  org>
CommitDate: Wed Jul 19 15:05:52 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e70b0561

dev-libs/openssl: patch CVE-2023-2975, CVE-2023-3446 for 3.0.9

Bug: https://bugs.gentoo.org/910556
Signed-off-by: Sam James  gentoo.org>

 .../files/openssl-3.0.9-CVE-2023-2975.patch| 109 
 .../files/openssl-3.0.9-CVE-2023-3446.patch| 120 +
 dev-libs/openssl/openssl-3.0.9-r2.ebuild   | 290 +
 3 files changed, 519 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-3.0.9-CVE-2023-2975.patch 
b/dev-libs/openssl/files/openssl-3.0.9-CVE-2023-2975.patch
new file mode 100644
index ..908e57251cb9
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.0.9-CVE-2023-2975.patch
@@ -0,0 +1,109 @@
+https://github.com/openssl/openssl/commit/00e2f5eea29994d19293ec4e8c8775ba73678598
+https://github.com/openssl/openssl/commit/96318a8d21bed334d78797eca5b32790775d5f05
+
+From 00e2f5eea29994d19293ec4e8c8775ba73678598 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz 
+Date: Tue, 4 Jul 2023 17:30:35 +0200
+Subject: [PATCH] Do not ignore empty associated data with AES-SIV mode
+
+The AES-SIV mode allows for multiple associated data items
+authenticated separately with any of these being 0 length.
+
+The provided implementation ignores such empty associated data
+which is incorrect in regards to the RFC 5297 and is also
+a security issue because such empty associated data then become
+unauthenticated if an application expects to authenticate them.
+
+Fixes CVE-2023-2975
+
+Reviewed-by: Matt Caswell 
+Reviewed-by: Paul Dale 
+(Merged from https://github.com/openssl/openssl/pull/21384)
+
+(cherry picked from commit c426c281cfc23ab182f7d7d7a35229e7db1494d9)
+--- a/providers/implementations/ciphers/cipher_aes_siv.c
 b/providers/implementations/ciphers/cipher_aes_siv.c
+@@ -120,14 +120,18 @@ static int siv_cipher(void *vctx, unsigned char *out, 
size_t *outl,
+ if (!ossl_prov_is_running())
+ return 0;
+ 
+-if (inl == 0) {
+-*outl = 0;
+-return 1;
+-}
++/* Ignore just empty encryption/decryption call and not AAD. */
++if (out != NULL) {
++if (inl == 0) {
++if (outl != NULL)
++*outl = 0;
++return 1;
++}
+ 
+-if (outsize < inl) {
+-ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
+-return 0;
++if (outsize < inl) {
++ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
++return 0;
++}
+ }
+ 
+ if (ctx->hw->cipher(ctx, out, in, inl) <= 0)
+
+From 96318a8d21bed334d78797eca5b32790775d5f05 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz 
+Date: Tue, 4 Jul 2023 17:50:37 +0200
+Subject: [PATCH] Add testcases for empty associated data entries with AES-SIV
+
+Reviewed-by: Matt Caswell 
+Reviewed-by: Paul Dale 
+(Merged from https://github.com/openssl/openssl/pull/21384)
+
+(cherry picked from commit 3993bb0c0c87e3ed0ab4274e4688aa814e164cfc)
+--- a/test/recipes/30-test_evp_data/evpciph_aes_siv.txt
 b/test/recipes/30-test_evp_data/evpciph_aes_siv.txt
+@@ -20,6 +20,19 @@ Tag = 85632d07c6e8f37f950acd320a2ecc93
+ Plaintext =  112233445566778899aabbccddee
+ Ciphertext = 40c02b9690c4dc04daef7f6afe5c
+ 
++Cipher = aes-128-siv
++Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
++Tag = f1c5fdeac1f15a26779c1501f9fb7588
++Plaintext =  112233445566778899aabbccddee
++Ciphertext = 27e946c669088ab06da58c5c831c
++
++Cipher = aes-128-siv
++Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
++AAD =
++Tag = d1022f5b3664e5a4dfaf90f85be6f28a
++Plaintext =  112233445566778899aabbccddee
++Ciphertext = b66cff6b8eca0b79f083b39a0901
++
+ Cipher = aes-128-siv
+ Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f
+ AAD = 
00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100
+@@ -29,6 +42,24 @@ Tag = 7bdb6e3b432667eb06f4d14bff2fbd0f
+ Plaintext =  
7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553
+ Ciphertext = 
cb900f2fddbe404326601965c889bf17dba77ceb094fa663b7a3f748ba8af829ea64ad544a272e9c485b62a3fd5c0d
+ 
++Cipher = aes-128-siv
++Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f
++AAD = 
00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100
++AAD =
++AAD = 09f911029d74e35bd84156c5635688c0
++Tag = 83ce6593a8fa67eb6fcd2819cedfc011
++Plaintext =  
7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553
++Ciphertext = 
30d937b42f71f71f93fc2d8d702d3eac8dc7651eefcd81120081ff29d626f97f3de17f2969b691c91b69b652bf3a6d
++
++Cipher = aes-128-siv
++Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f
++AAD =
++AAD = 

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2023-06-13 Thread Sam James
commit: 6c4610dbafdc773344fd62e49e27ada4c6b6dfd2
Author: Sam James  gentoo  org>
AuthorDate: Wed Jun 14 05:17:11 2023 +
Commit: Sam James  gentoo  org>
CommitDate: Wed Jun 14 05:20:25 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6c4610db

dev-libs/openssl: drop 1.1.1t-r3

Bug: https://bugs.gentoo.org/903545
Bug: https://bugs.gentoo.org/907413
Signed-off-by: Sam James  gentoo.org>

 dev-libs/openssl/Manifest  |   2 -
 .../files/openssl-1.1.1t-CVE-2023-0464.patch   | 215 
 .../files/openssl-1.1.1t-CVE-2023-0465.patch   |  48 
 .../files/openssl-1.1.1t-CVE-2023-0466.patch   |  41 
 dev-libs/openssl/openssl-1.1.1t-r3.ebuild  | 269 -
 5 files changed, 575 deletions(-)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 3793e1ac7a75..4c98e70a536d 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,8 +1,6 @@
 DIST openssl-1.0.2-patches-1.5.tar.xz 12404 BLAKE2B 
6c1b8c28f339f539b2ab8643379502a24cf62bffde00041dce54d5dd9e8d2620b181362ee5464b0ab32ba4948e209697bfabadbea2944a409a1009100d298f24
 SHA512 
5725e2d9d1ee8cc074bcef3bed61c71bdab2ff1c114362110c3fb8da11ad5bc8f2ff28e90a293f5f3a5cf96ecda54dffdb7ab3fb3f8b23ef6472250dc3037659
 DIST openssl-1.0.2t-bindist-1.0.tar.xz 13872 BLAKE2B 
b2aade96a6e0ca6209a39e205b1c838de945903fcf959c62cc29ddcd1a0cb360fc5db234df86860a6a4c096f5ecc237611e4c2946b986a5500c24ba93c208ef4
 SHA512 
a48a7efb9b973b865bcc5009d450b428ed6b4b95e4cefe70c51056e47392c8a7bec58215168d8b07712419dc74646c2bd2fd23bcfbba2031376e292249a6b1b6
 DIST openssl-1.0.2u.tar.gz 5355412 BLAKE2B 
b2ff2a10e5851af5aca4093422a9a072c794e87b997263826c1c35910c040f695fac63decac5856cb49399ed03d410f97701d9fd4e1ebfbcacd8f3a74ce8bf57
 SHA512 
c455bb309e20e2c2d47fdc5619c734d107d5c8c38c1409903ce979acc120b0d5fa0312917c0aa0d630e402d092a703d4249643f36078e8528a3cafc9dac6ab32
-DIST openssl-1.1.1t.tar.gz 9881866 BLAKE2B 
66d76ea0c05a4afc3104e22602cffc2373e857728625d31ab3244881cafa91c099a817a09def7746bce4133585bfc90b769f43527e77a81ed13e60a8c2fb4d8d
 SHA512 
628676c9c3bc1cf46083d64f61943079f97f0eefd0264042e40a85dbbd988f271bfe01cd1135d22cc3f67a298f1d078041f8f2e97b0da0d93fe172da573da18c
-DIST openssl-1.1.1t.tar.gz.asc 833 BLAKE2B 
fc5e7069268e987a20241dfc4f080529c6e95e217c198568b09c833e390e68b25a604a5d3ec29c6a64b9dee9d42199fd3647214e536ba2f7b8b4e57aa4cba680
 SHA512 
1232a94fce991d62f008ae6d3d9b6fe68cb6378fe07450feb17a58eb2417fb385ffcb7e6b74eb683134be9ff6ccf6efa183f37f4dd521614fd5aeaddf000b90b
 DIST openssl-1.1.1u.tar.gz 9892176 BLAKE2B 
5de9cb856e497596ecba008bad6515eefd093849b9c66dd7447031723996f3ba66ac37a323a5f7d01b1d42df4daaceb523372f5897d5c53b935ffab91c566594
 SHA512 
d00aeb0b4c4676deff06ff95af7ac33dd683b92f972b4a8ae55cf384bb37c7ec30ab83c6c0745daf87cf1743a745fced6a347fd11fed4c548aa0953610ed4919
 DIST openssl-1.1.1u.tar.gz.asc 833 BLAKE2B 
7a978a94264a14be04372fea39868e9177e8a0b0f24344267702022e19ee0f52e91ad141d7c54da870f7ec0df9b2e43b80939f1d274dd0b44d36da2670e3a468
 SHA512 
40245d65ace95b2002bf64bcba184c92fec3420b08d9f61f3a709c4842e9478595105d8adce33a08eb98d351d2a0989ec342b08cdd9104498ea0543b6e592d28
 DIST openssl-3.0.9.tar.gz 15181285 BLAKE2B 
cc1df41fa12ba4443e15e94f6ebdc5e103b9dab5eab2e1c8f74e6a74fa2c38207817921b65d7293cb241c190a910191c7163600bb75243adde0e2f9ec31cc885
 SHA512 
86c99146b37236419b110db77dd3ac3992e6bed78c258f0cc3434ca233460b4e17c0ac81d7058547fe9cb72a9fd80ee56d4b4916bb731dbe2bbcf1c3d46bf31a

diff --git a/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0464.patch 
b/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0464.patch
deleted file mode 100644
index 950e6572cd28..
--- a/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0464.patch
+++ /dev/null
@@ -1,215 +0,0 @@
-commit 879f7080d7e141f415c79eaa3a8ac4a3dad0348b
-Author: Pauli 
-Date:   Wed Mar 8 15:28:20 2023 +1100
-
-x509: excessive resource use verifying policy constraints
-
-A security vulnerability has been identified in all supported versions
-of OpenSSL related to the verification of X.509 certificate chains
-that include policy constraints.  Attackers may be able to exploit this
-vulnerability by creating a malicious certificate chain that triggers
-exponential use of computational resources, leading to a denial-of-service
-(DoS) attack on affected systems.
-
-Fixes CVE-2023-0464
-
-Reviewed-by: Tomas Mraz 
-Reviewed-by: Shane Lontis 
-(Merged from https://github.com/openssl/openssl/pull/20569)
-
-diff --git a/crypto/x509v3/pcy_local.h b/crypto/x509v3/pcy_local.h
-index 5daf78de45..344aa06765 100644
 a/crypto/x509v3/pcy_local.h
-+++ b/crypto/x509v3/pcy_local.h
-@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st {
- };
- 
- struct X509_POLICY_TREE_st {
-+/* The number of nodes in the tree */
-+size_t node_count;
-+/* The maximum number of nodes in the tree */
-+size_t node_maximum;
-+
- /* This is the tree 

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2023-06-13 Thread Sam James
commit: 3db09f5bac6ff132b69d3f723d4c93662c96ed72
Author: Sam James  gentoo  org>
AuthorDate: Wed Jun 14 05:17:03 2023 +
Commit: Sam James  gentoo  org>
CommitDate: Wed Jun 14 05:19:10 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3db09f5b

dev-libs/openssl: drop 3.0.8-r4

Bug: https://bugs.gentoo.org/903545
Bug: https://bugs.gentoo.org/907413
Signed-off-by: Sam James  gentoo.org>

 dev-libs/openssl/Manifest  |   2 -
 .../files/openssl-3.0.8-CVE-2023-0464.patch| 214 
 .../files/openssl-3.0.8-CVE-2023-0465.patch|  46 
 .../files/openssl-3.0.8-CVE-2023-0466.patch|  41 ---
 .../files/openssl-3.0.8-CVE-2023-1255.patch|  40 ---
 .../openssl/files/openssl-3.0.8-mips-cflags.patch  |  30 ---
 dev-libs/openssl/openssl-3.0.8-r4.ebuild   | 281 -
 7 files changed, 654 deletions(-)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 55a08fc6adbe..3793e1ac7a75 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -5,8 +5,6 @@ DIST openssl-1.1.1t.tar.gz 9881866 BLAKE2B 
66d76ea0c05a4afc3104e22602cffc2373e85
 DIST openssl-1.1.1t.tar.gz.asc 833 BLAKE2B 
fc5e7069268e987a20241dfc4f080529c6e95e217c198568b09c833e390e68b25a604a5d3ec29c6a64b9dee9d42199fd3647214e536ba2f7b8b4e57aa4cba680
 SHA512 
1232a94fce991d62f008ae6d3d9b6fe68cb6378fe07450feb17a58eb2417fb385ffcb7e6b74eb683134be9ff6ccf6efa183f37f4dd521614fd5aeaddf000b90b
 DIST openssl-1.1.1u.tar.gz 9892176 BLAKE2B 
5de9cb856e497596ecba008bad6515eefd093849b9c66dd7447031723996f3ba66ac37a323a5f7d01b1d42df4daaceb523372f5897d5c53b935ffab91c566594
 SHA512 
d00aeb0b4c4676deff06ff95af7ac33dd683b92f972b4a8ae55cf384bb37c7ec30ab83c6c0745daf87cf1743a745fced6a347fd11fed4c548aa0953610ed4919
 DIST openssl-1.1.1u.tar.gz.asc 833 BLAKE2B 
7a978a94264a14be04372fea39868e9177e8a0b0f24344267702022e19ee0f52e91ad141d7c54da870f7ec0df9b2e43b80939f1d274dd0b44d36da2670e3a468
 SHA512 
40245d65ace95b2002bf64bcba184c92fec3420b08d9f61f3a709c4842e9478595105d8adce33a08eb98d351d2a0989ec342b08cdd9104498ea0543b6e592d28
-DIST openssl-3.0.8.tar.gz 15151328 BLAKE2B 
e163cc9b8b458f72405a2f1bde3811c8d0eb22e8b08ff5608ec64799975f1546dcdce31466b8a1d5ed29bc90d19aa6017d711987c81b71f4b20e279828cf753a
 SHA512 
8ce10be000d7d4092c8efc5b96b1d2f7da04c1c3a624d3a7923899c6b1de06f369016be957e36e8ab6d4c9102eaeec5d1973295d547f7893a7f11f132ae42b0d
-DIST openssl-3.0.8.tar.gz.asc 833 BLAKE2B 
1949801150e254e9be648f33014a4a16f803b42ca5a302c3942d377013e983e0ea0cca8aed594e3f9ecde26c6e31d222581e991af5fae6cd451d7ee83541f4bb
 SHA512 
e1c04f1179aded228b39005fd9e9f6f75aedafb938b77ac58c97a00973eb412d93b92ad1c447332a5d96850b62b01093502928e6c190bdd0234a94c4e815d2a6
 DIST openssl-3.0.9.tar.gz 15181285 BLAKE2B 
cc1df41fa12ba4443e15e94f6ebdc5e103b9dab5eab2e1c8f74e6a74fa2c38207817921b65d7293cb241c190a910191c7163600bb75243adde0e2f9ec31cc885
 SHA512 
86c99146b37236419b110db77dd3ac3992e6bed78c258f0cc3434ca233460b4e17c0ac81d7058547fe9cb72a9fd80ee56d4b4916bb731dbe2bbcf1c3d46bf31a
 DIST openssl-3.0.9.tar.gz.asc 833 BLAKE2B 
9943ac65f83f48465cae83b37a1d004f6be4622e53c3025166d42954abe9215f1a6c2af58d4aa2b45fa51182fee5019e740969f694655b6c592bb278c68aacef
 SHA512 
9949de6b57d5aa21da1d4b68a29eb37e302403c983bd7d2d8769b320aac4268a9f9091c5fb182862a4f89a9099660939fe609df87c66991b75f7695faf357caf
 DIST openssl-3.1.0.tar.gz 15525381 BLAKE2B 
9212a7fb13f6dee7746721ee406af56ae1b48ec58974c002465d2b0205839eb5ee0483383aa9924fc3e4168ebd34e1a5819480cf10aa318994d7171e54c07108
 SHA512 
71cc75c7700f445c616e382b76263ad2e4072beec0232458baf3d9891b8b64a7ad0cac4b4d24b727b2b7dcd100c78606fd48eba98a67eccd5f336e3d626ca713

diff --git a/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0464.patch 
b/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0464.patch
deleted file mode 100644
index 3cf1d3b38ec9..
--- a/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0464.patch
+++ /dev/null
@@ -1,214 +0,0 @@
-commit 959c59c7a0164117e7f8366466a32bb1f8d77ff1
-Author: Pauli 
-Date:   Wed Mar 8 15:28:20 2023 +1100
-
-x509: excessive resource use verifying policy constraints
-
-A security vulnerability has been identified in all supported versions
-of OpenSSL related to the verification of X.509 certificate chains
-that include policy constraints.  Attackers may be able to exploit this
-vulnerability by creating a malicious certificate chain that triggers
-exponential use of computational resources, leading to a denial-of-service
-(DoS) attack on affected systems.
-
-Fixes CVE-2023-0464
-
-Reviewed-by: Tomas Mraz 
-Reviewed-by: Shane Lontis 
-(Merged from https://github.com/openssl/openssl/pull/20568)
-
-diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h
-index 18b53cc09e..cba107ca03 100644
 a/crypto/x509/pcy_local.h
-+++ b/crypto/x509/pcy_local.h
-@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st {
- };
- 
- struct X509_POLICY_TREE_st {
-+

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2023-06-13 Thread Sam James
commit: 14aa976d66d7789fa8fd8bd5fe34edad53d5ff9a
Author: Sam James  gentoo  org>
AuthorDate: Wed Jun 14 05:18:43 2023 +
Commit: Sam James  gentoo  org>
CommitDate: Wed Jun 14 05:20:29 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=14aa976d

dev-libs/openssl: drop 3.1.0-r3

Bug: https://bugs.gentoo.org/903545
Bug: https://bugs.gentoo.org/907413
Signed-off-by: Sam James  gentoo.org>

 dev-libs/openssl/Manifest  |   2 -
 .../files/openssl-3.1.0-CVE-2023-0464.patch| 214 
 .../files/openssl-3.1.0-CVE-2023-0465.patch|  46 
 .../files/openssl-3.1.0-CVE-2023-0466.patch|  41 ---
 .../files/openssl-3.1.0-CVE-2023-1255.patch|  40 ---
 dev-libs/openssl/openssl-3.1.0-r3.ebuild   | 284 -
 6 files changed, 627 deletions(-)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 4c98e70a536d..f8b20e47b8a9 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -5,7 +5,5 @@ DIST openssl-1.1.1u.tar.gz 9892176 BLAKE2B 
5de9cb856e497596ecba008bad6515eefd093
 DIST openssl-1.1.1u.tar.gz.asc 833 BLAKE2B 
7a978a94264a14be04372fea39868e9177e8a0b0f24344267702022e19ee0f52e91ad141d7c54da870f7ec0df9b2e43b80939f1d274dd0b44d36da2670e3a468
 SHA512 
40245d65ace95b2002bf64bcba184c92fec3420b08d9f61f3a709c4842e9478595105d8adce33a08eb98d351d2a0989ec342b08cdd9104498ea0543b6e592d28
 DIST openssl-3.0.9.tar.gz 15181285 BLAKE2B 
cc1df41fa12ba4443e15e94f6ebdc5e103b9dab5eab2e1c8f74e6a74fa2c38207817921b65d7293cb241c190a910191c7163600bb75243adde0e2f9ec31cc885
 SHA512 
86c99146b37236419b110db77dd3ac3992e6bed78c258f0cc3434ca233460b4e17c0ac81d7058547fe9cb72a9fd80ee56d4b4916bb731dbe2bbcf1c3d46bf31a
 DIST openssl-3.0.9.tar.gz.asc 833 BLAKE2B 
9943ac65f83f48465cae83b37a1d004f6be4622e53c3025166d42954abe9215f1a6c2af58d4aa2b45fa51182fee5019e740969f694655b6c592bb278c68aacef
 SHA512 
9949de6b57d5aa21da1d4b68a29eb37e302403c983bd7d2d8769b320aac4268a9f9091c5fb182862a4f89a9099660939fe609df87c66991b75f7695faf357caf
-DIST openssl-3.1.0.tar.gz 15525381 BLAKE2B 
9212a7fb13f6dee7746721ee406af56ae1b48ec58974c002465d2b0205839eb5ee0483383aa9924fc3e4168ebd34e1a5819480cf10aa318994d7171e54c07108
 SHA512 
71cc75c7700f445c616e382b76263ad2e4072beec0232458baf3d9891b8b64a7ad0cac4b4d24b727b2b7dcd100c78606fd48eba98a67eccd5f336e3d626ca713
-DIST openssl-3.1.0.tar.gz.asc 488 BLAKE2B 
f4a844e3db2c2bdf42b6f811d16cc2077cacf713d20474d94e2d0180a6f97eadf4f03522e9fed478d263d680d88091dc2bc48e7ebb15d049bc57ee7ed64c7fbb
 SHA512 
8d542e6471b745822d6cd889c5b168841b4366ee9a96edc2ab5b44fa1bd1b75308422aed312f1bd6e6a3c3e306eceaa95ce9bb4d0aa3e8ff86cb0fd92a7e61ea
 DIST openssl-3.1.1.tar.gz 15544757 BLAKE2B 
094f7e28f16de6528016fcd21df1d7382b0dbdcd80ec469d37add9c37f638c059dda3ffb4415eba890a33d146ddc9016bcc7192df101c73be5e70faf6e3b1097
 SHA512 
8ba9dd6ab87451e126c19cc106ccd1643ca48667d6c37504d0ab98205fbccf855fd0db54474b4113c4c3a15215a4ef77a039fb897a69f71bcab2054b2effd1d9
 DIST openssl-3.1.1.tar.gz.asc 833 BLAKE2B 
5a2a9aeb475b843862e133d53bc5bb3c8e12e8e03b1e2da41d0eaa0eade1ae03c4318ad1f5c490c5e1ed7e6ac6275a6d7c881d3911722b043b15d1622b25
 SHA512 
83349020c67e5b956f3ef37604a03a1970ea393f862691f5fd5d85930c01e559e25db17d397d8fd230c3862a8b2fba2d5c7df883d56d7472f4c01dab3a661cb2

diff --git a/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0464.patch 
b/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0464.patch
deleted file mode 100644
index dfe83e53d0ad..
--- a/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0464.patch
+++ /dev/null
@@ -1,214 +0,0 @@
-commit 2017771e2db3e2b96f89bbe8766c3209f6a99545
-Author: Pauli 
-Date:   Wed Mar 8 15:28:20 2023 +1100
-
-x509: excessive resource use verifying policy constraints
-
-A security vulnerability has been identified in all supported versions
-of OpenSSL related to the verification of X.509 certificate chains
-that include policy constraints.  Attackers may be able to exploit this
-vulnerability by creating a malicious certificate chain that triggers
-exponential use of computational resources, leading to a denial-of-service
-(DoS) attack on affected systems.
-
-Fixes CVE-2023-0464
-
-Reviewed-by: Tomas Mraz 
-Reviewed-by: Shane Lontis 
-(Merged from https://github.com/openssl/openssl/pull/20570)
-
-diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h
-index 18b53cc09e..cba107ca03 100644
 a/crypto/x509/pcy_local.h
-+++ b/crypto/x509/pcy_local.h
-@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st {
- };
- 
- struct X509_POLICY_TREE_st {
-+/* The number of nodes in the tree */
-+size_t node_count;
-+/* The maximum number of nodes in the tree */
-+size_t node_maximum;
-+
- /* This is the tree 'level' data */
- X509_POLICY_LEVEL *levels;
- int nlevel;
-@@ -157,7 +162,8 @@ X509_POLICY_NODE 
*ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
- X509_POLICY_NODE 

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/

2023-05-25 Thread Mike Gilbert
commit: 08dbfd4976e7cf1eb03ea520327769a96e877c4d
Author: Mike Gilbert  gentoo  org>
AuthorDate: Thu May 25 14:57:07 2023 +
Commit: Mike Gilbert  gentoo  org>
CommitDate: Thu May 25 14:58:42 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=08dbfd49

dev-libs/openssl: add support for big-endian RISC-V

Closes: https://bugs.gentoo.org/904751
Signed-off-by: Mike Gilbert  gentoo.org>

 dev-libs/openssl/files/gentoo.config-1.0.4 | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/dev-libs/openssl/files/gentoo.config-1.0.4 
b/dev-libs/openssl/files/gentoo.config-1.0.4
index 79f6331f090c..ef1c6f1768a1 100644
--- a/dev-libs/openssl/files/gentoo.config-1.0.4
+++ b/dev-libs/openssl/files/gentoo.config-1.0.4
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 #
 # Openssl doesn't play along nicely with cross-compiling
@@ -111,7 +111,9 @@ linux)
powerpc64*)   machine=ppc64;;
powerpc*le*)  machine="generic32 -DL_ENDIAN";;
powerpc*) machine=ppc;;
+   riscv32be*)   machine="generic32 -DB_ENDIAN";;
riscv32*) machine="generic32 -DL_ENDIAN";;
+   riscv64be*)   machine="riscv64 -DB_ENDIAN" system=linux64;;
riscv64*) machine="riscv64 -DL_ENDIAN" system=linux64;;
#   sh64*)machine=elf;;
sh*b*)machine="generic32 -DB_ENDIAN";;
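Review bot: The new `riscv32be*)` and `riscv64be*)` arms only take effect because they sit above the broader `riscv32*)` and `riscv64*)` patterns, and nothing in the hunk records that ordering requirement. A short comment above them, such as `# big-endian patterns must come before the generic riscv32*/riscv64* arms`, would keep a later reshuffle from silently configuring big-endian targets with `-DL_ENDIAN`. The enclosing `case` statement starts and ends outside the hunk, so only the neighbouring `powerpc*le*)`/`powerpc*)` pair is visible as a precedent for the same convention.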



[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2023-04-20 Thread Patrick McLean
commit: 3be8b79d0c921d127686e92c064f0280747cac9d
Author: Patrick McLean  gentoo  org>
AuthorDate: Thu Apr 20 16:46:08 2023 +
Commit: Patrick McLean  gentoo  org>
CommitDate: Thu Apr 20 16:57:55 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3be8b79d

dev-libs/openssl: 3.0.8-r4, add patch for CVE-2023-1255

Upstream changelog (diff edited to remove NEWS and CHANGES.md changes to avoid
conflicts):

 * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which
   happens if the buffer size is 4 mod 5. This can trigger a crash of an
   application using AES-XTS decryption if the memory just after the buffer
   being decrypted is not mapped.
   Thanks to Anton Romanov (Amazon) for discovering the issue.
   ([CVE-2023-1255])

   *Nevine Ebeid*

Signed-off-by: Patrick McLean  gentoo.org>

 .../files/openssl-3.0.8-CVE-2023-1255.patch|  40 +++
 dev-libs/openssl/openssl-3.0.8-r4.ebuild   | 278 +
 2 files changed, 318 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-1255.patch 
b/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-1255.patch
new file mode 100644
index ..9b1a657d51be
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-1255.patch
@@ -0,0 +1,40 @@
+commit 02ac9c9420275868472f33b01def01218742b8bb
+Author: Tomas Mraz 
+Date:   Mon Apr 17 16:51:20 2023 +0200
+
+aesv8-armx.pl: Avoid buffer overrread in AES-XTS decryption
+
+Original author: Nevine Ebeid (Amazon)
+Fixes: CVE-2023-1255
+
+The buffer overread happens on decrypts of 4 mod 5 sizes.
+Unless the memory just after the buffer is unmapped this is harmless.
+
+Reviewed-by: Paul Dale 
+Reviewed-by: Tom Cosgrove 
+(Merged from https://github.com/openssl/openssl/pull/20759)
+
+(cherry picked from commit 72dfe46550ee1f1bbfacd49f071419365bc23304)
+
+diff --git a/crypto/aes/asm/aesv8-armx.pl b/crypto/aes/asm/aesv8-armx.pl
+index 6a7bf05d1b..bd583e2c89 100755
+--- a/crypto/aes/asm/aesv8-armx.pl
 b/crypto/aes/asm/aesv8-armx.pl
+@@ -3353,7 +3353,7 @@ $code.=<<___ if ($flavour =~ /64/);
+ .align4
+ .Lxts_dec_tail4x:
+   add $inp,$inp,#16
+-  vld1.32 {$dat0},[$inp],#16
++  tst $tailcnt,#0xf
+   veor$tmp1,$dat1,$tmp0
+   vst1.8  {$tmp1},[$out],#16
+   veor$tmp2,$dat2,$tmp2
+@@ -3362,6 +3362,8 @@ $code.=<<___ if ($flavour =~ /64/);
+   veor$tmp4,$dat4,$tmp4
+   vst1.8  {$tmp3-$tmp4},[$out],#32
+ 
++  b.eq.Lxts_dec_abort
++  vld1.32 {$dat0},[$inp],#16
+   b   .Lxts_done
+ .align4
+ .Lxts_outer_dec_tail:
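Review bot: The `tst $tailcnt,#0xf` that replaces the early `vld1.32` in `.Lxts_dec_tail4x` sets the condition flags that `b.eq .Lxts_dec_abort` reads only after several stores, and no comment says those flags have to survive the `veor`/`vst1.8` sequence in between. The vector instructions visible in the two inner hunks do not write the flags, but two lines between the hunks are not shown, so this is presumed rather than confirmed for the whole stretch. A comment on the `tst` line, for example `// flags are consumed by b.eq below; the trailing load is skipped when the low four bits of $tailcnt are zero`, would make the dependency explicit for anyone who later inserts a flag-setting instruction there. The label `.Lxts_dec_abort` is defined outside the hunk.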

diff --git a/dev-libs/openssl/openssl-3.0.8-r4.ebuild 
b/dev-libs/openssl/openssl-3.0.8-r4.ebuild
new file mode 100644
index ..e11cbae84179
--- /dev/null
+++ b/dev-libs/openssl/openssl-3.0.8-r4.ebuild
@@ -0,0 +1,278 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic linux-info toolchain-funcs multilib-minimal 
multiprocessing verify-sig
+
+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer 
Security (TLS)"
+HOMEPAGE="https://www.openssl.org/;
+
+MY_P=${P/_/-}
+
+if [[ ${PV} ==  ]] ; then
+   EGIT_REPO_URI="https://github.com/openssl/openssl.git;
+
+   inherit git-r3
+else
+   SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
+   verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
+   KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc 
~ppc64 ~riscv ~s390 ~sparc ~x86"
+fi
+
+S="${WORKDIR}"/${MY_P}
+
+LICENSE="Apache-2.0"
+SLOT="0/3" # .so version of libssl/libcrypto
+IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test 
tls-compression vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+   tls-compression? ( 
>=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+"
+BDEPEND="
+   >=dev-lang/perl-5
+   sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+   test? (
+   sys-apps/diffutils
+   sys-devel/bc
+   sys-process/procps
+   )
+   verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230207 )"
+
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+PDEPEND="app-misc/ca-certificates"
+
+MULTILIB_WRAPPED_HEADERS=(
+   /usr/include/openssl/configuration.h
+)
+
+PATCHES=(
+   "${FILESDIR}"/openssl-3.0.8-mips-cflags.patch
+   "${FILESDIR}"/openssl-3.0.8-CVE-2023-0464.patch
+   "${FILESDIR}"/openssl-3.0.8-CVE-2023-0465.patch
+   "${FILESDIR}"/openssl-3.0.8-CVE-2023-0466.patch
+   "${FILESDIR}"/openssl-3.0.8-CVE-2023-1255.patch
+)
+
+pkg_setup() {
+   if use ktls ; then
+   if kernel_is -lt 4 18 ; then
+   ewarn "Kernel implementation of TLS 

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2023-03-28 Thread Patrick McLean
commit: abff4432080ff23277dce168d9688acf6c09a4bf
Author: Patrick McLean  gentoo  org>
AuthorDate: Tue Mar 28 18:24:48 2023 +
Commit: Patrick McLean  gentoo  org>
CommitDate: Tue Mar 28 18:29:08 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=abff4432

dev-libs/openssl: Revbump to 1.1.1t for CVE-2023-0465, CVE-2023-0466

Upstream changelogs (dropped from NEWS due to conflicts):
* Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
  that it does not enable policy checking. Thanks to David Benjamin for
  discovering this issue.
  ([CVE-2023-0466])

 *Tomáš Mráz*

More information about vulnerabilities:
https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465

Signed-off-by: Patrick McLean  gentoo.org>

 .../files/openssl-1.1.1t-CVE-2023-0465.patch   |  48 
 .../files/openssl-1.1.1t-CVE-2023-0466.patch   |  41 
 dev-libs/openssl/openssl-1.1.1t-r3.ebuild  | 269 +
 3 files changed, 358 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0465.patch 
b/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0465.patch
new file mode 100644
index ..c332e0bd2c9f
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0465.patch
@@ -0,0 +1,48 @@
+commit b013765abfa80036dc779dd0e50602c57bb3bf95
+Author: Matt Caswell 
+Date:   Tue Mar 7 16:52:55 2023 +
+
+Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs
+
+Even though we check the leaf cert to confirm it is valid, we
+later ignored the invalid flag and did not notice that the leaf
+cert was bad.
+
+Fixes: CVE-2023-0465
+
+Reviewed-by: Hugo Landau 
+Reviewed-by: Tomas Mraz 
+(Merged from https://github.com/openssl/openssl/pull/20588)
+
+diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
+index 925fbb5412..1dfe4f9f31 100644
+--- a/crypto/x509/x509_vfy.c
 b/crypto/x509/x509_vfy.c
+@@ -1649,18 +1649,25 @@ static int check_policy(X509_STORE_CTX *ctx)
+ }
+ /* Invalid or inconsistent extensions */
+ if (ret == X509_PCY_TREE_INVALID) {
+-int i;
++int i, cbcalled = 0;
+ 
+ /* Locate certificates with bad extensions and notify callback. */
+-for (i = 1; i < sk_X509_num(ctx->chain); i++) {
++for (i = 0; i < sk_X509_num(ctx->chain); i++) {
+ X509 *x = sk_X509_value(ctx->chain, i);
+ 
+ if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
+ continue;
++cbcalled = 1;
+ if (!verify_cb_cert(ctx, x, i,
+ X509_V_ERR_INVALID_POLICY_EXTENSION))
+ return 0;
+ }
++if (!cbcalled) {
++/* Should not be able to get here */
++X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR);
++return 0;
++}
++/* The callback ignored the error so we return success */
+ return 1;
+ }
+ if (ret == X509_PCY_TREE_FAILURE) {
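Review bot: The loop in `check_policy()` now starts at `i = 0` so that the leaf certificate is included, but the comment above it still says only "Locate certificates with bad extensions and notify callback", which leaves the reason for the index to the commit message. A line such as `/* Start at 0: the leaf certificate's EXFLAG_INVALID_POLICY must be reported too */` would guard against the index being moved back to 1 in a later cleanup. The same loop change appears in the 3.0.8 and 3.1.0 variants of this patch further down the page. `check_policy()` starts and ends outside the hunk.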

diff --git a/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0466.patch 
b/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0466.patch
new file mode 100644
index ..9a59d2846a48
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.1t-CVE-2023-0466.patch
@@ -0,0 +1,41 @@
+commit 0d16b7e99aafc0b4a6d729eec65a411a7e025f0a
+Author: Tomas Mraz 
+Date:   Tue Mar 21 16:15:47 2023 +0100
+
+Fix documentation of X509_VERIFY_PARAM_add0_policy()
+
+The function was incorrectly documented as enabling policy checking.
+
+Fixes: CVE-2023-0466
+
+Reviewed-by: Matt Caswell 
+Reviewed-by: Paul Dale 
+(Merged from https://github.com/openssl/openssl/pull/20564)
+
+diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod 
b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+index f6f304bf7b..aa292f9336 100644
+--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
 b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+@@ -92,8 +92,9 @@ B.
+ X509_VERIFY_PARAM_set_time() sets the verification time in B to
+ B. Normally the current time is used.
+ 
+-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
+-by default) and adds B to the acceptable policy set.
++X509_VERIFY_PARAM_add0_policy() adds B to the acceptable policy set.
++Contrary to preexisting documentation of this function it does not enable
++policy checking.
+ 
+ X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
+ by default) and sets the acceptable policy set to B. Any existing
+@@ -377,6 +378,10 @@ and has no effect.
+ 
+ The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.
+ 
++The function X509_VERIFY_PARAM_add0_policy() was historically documented as
++enabling policy checking however the implementation has never done this.
++The documentation was changed to align with the implementation.
++
+ =head1 COPYRIGHT
+ 
+ Copyright 2009-2020 The OpenSSL 

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2023-03-28 Thread Patrick McLean
commit: c2d9bf4871d6a437560697a82f994825632ade98
Author: Patrick McLean  gentoo  org>
AuthorDate: Tue Mar 28 18:28:17 2023 +
Commit: Patrick McLean  gentoo  org>
CommitDate: Tue Mar 28 18:29:08 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2d9bf48

dev-libs/openssl: Revbump to 3.0.8-r3 for CVE-2023-0465, CVE-2023-0466

Upstream changelogs (dropped from NEWS due to conflicts):
* Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
  that it does not enable policy checking. Thanks to David Benjamin for
  discovering this issue.
  ([CVE-2023-0466])

 *Tomáš Mráz*

More information about vulnerabilities:
https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465

Signed-off-by: Patrick McLean  gentoo.org>

 .../files/openssl-3.0.8-CVE-2023-0465.patch|  46 
 .../files/openssl-3.0.8-CVE-2023-0466.patch|  41 
 dev-libs/openssl/openssl-3.0.8-r3.ebuild   | 273 +
 3 files changed, 360 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0465.patch 
b/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0465.patch
new file mode 100644
index ..852706d8aa92
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0465.patch
@@ -0,0 +1,46 @@
+commit 1dd43e0709fece299b15208f36cc7c76209ba0bb
+Author: Matt Caswell 
+Date:   Tue Mar 7 16:52:55 2023 +
+
+Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs
+
+Even though we check the leaf cert to confirm it is valid, we
+later ignored the invalid flag and did not notice that the leaf
+cert was bad.
+
+Fixes: CVE-2023-0465
+
+Reviewed-by: Hugo Landau 
+Reviewed-by: Tomas Mraz 
+(Merged from https://github.com/openssl/openssl/pull/20587)
+
+diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
+index 9384f1da9b..a0282c3ef1 100644
+--- a/crypto/x509/x509_vfy.c
 b/crypto/x509/x509_vfy.c
+@@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX *ctx)
+ goto memerr;
+ /* Invalid or inconsistent extensions */
+ if (ret == X509_PCY_TREE_INVALID) {
+-int i;
++int i, cbcalled = 0;
+ 
+ /* Locate certificates with bad extensions and notify callback. */
+-for (i = 1; i < sk_X509_num(ctx->chain); i++) {
++for (i = 0; i < sk_X509_num(ctx->chain); i++) {
+ X509 *x = sk_X509_value(ctx->chain, i);
+ 
++if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0)
++cbcalled = 1;
+ CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0,
+ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION);
+ }
++if (!cbcalled) {
++/* Should not be able to get here */
++ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR);
++return 0;
++}
++/* The callback ignored the error so we return success */
+ return 1;
+ }
+ if (ret == X509_PCY_TREE_FAILURE) {
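Review bot: In this variant the `EXFLAG_INVALID_POLICY` test is written twice per iteration, once in the new `if` that sets `cbcalled` and once as the condition passed to `CB_FAIL_IF`, so the two can drift apart if only one is edited later. Evaluating it once, `int bad = (x->ex_flags & EXFLAG_INVALID_POLICY) != 0;`, followed by `if (bad) cbcalled = 1;` and passing `bad` to `CB_FAIL_IF`, keeps the fail-closed `!cbcalled` check tied to exactly the condition that triggers the callback. The 3.1.0 copy of the patch contains the same lines. `CB_FAIL_IF` is defined outside the hunk, so this assumes it uses its first argument purely as a condition.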

diff --git a/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0466.patch 
b/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0466.patch
new file mode 100644
index ..c71665d82e18
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0466.patch
@@ -0,0 +1,41 @@
+commit 51e8a84ce742db0f6c70510d0159dad8f7825908
+Author: Tomas Mraz 
+Date:   Tue Mar 21 16:15:47 2023 +0100
+
+Fix documentation of X509_VERIFY_PARAM_add0_policy()
+
+The function was incorrectly documented as enabling policy checking.
+
+Fixes: CVE-2023-0466
+
+Reviewed-by: Matt Caswell 
+Reviewed-by: Paul Dale 
+(Merged from https://github.com/openssl/openssl/pull/20563)
+
+diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod 
b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+index 75a1677022..43c1900bca 100644
+--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
 b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+@@ -98,8 +98,9 @@ B.
+ X509_VERIFY_PARAM_set_time() sets the verification time in B to
+ B. Normally the current time is used.
+ 
+-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
+-by default) and adds B to the acceptable policy set.
++X509_VERIFY_PARAM_add0_policy() adds B to the acceptable policy set.
++Contrary to preexisting documentation of this function it does not enable
++policy checking.
+ 
+ X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
+ by default) and sets the acceptable policy set to B. Any existing
+@@ -400,6 +401,10 @@ The X509_VERIFY_PARAM_get_hostflags() function was added 
in OpenSSL 1.1.0i.
+ The X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(),
+ and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0.
+ 
++The function X509_VERIFY_PARAM_add0_policy() was historically documented as
++enabling policy checking however the implementation has never done this.
++The documentation 

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2023-03-28 Thread Patrick McLean
commit: 41ad57bbbed0ee3d06a9922f8fbdc1116f52dd2a
Author: Patrick McLean  gentoo  org>
AuthorDate: Tue Mar 28 18:28:44 2023 +
Commit: Patrick McLean  gentoo  org>
CommitDate: Tue Mar 28 18:29:09 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=41ad57bb

dev-libs/openssl: Revbump to 3.1.0-r2 for CVE-2023-0465, CVE-2023-0466

Upstream changelogs (dropped from NEWS due to conflicts):
* Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
  that it does not enable policy checking. Thanks to David Benjamin for
  discovering this issue.
  ([CVE-2023-0466])

 *Tomáš Mráz*

More information about vulnerabilities:
https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0466
https://www.openssl.org/news/vulnerabilities.html#CVE-2023-0465

Signed-off-by: Patrick McLean  gentoo.org>

 .../files/openssl-3.1.0-CVE-2023-0465.patch|  46 
 .../files/openssl-3.1.0-CVE-2023-0466.patch|  41 +++
 dev-libs/openssl/openssl-3.1.0-r2.ebuild   | 276 +
 3 files changed, 363 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0465.patch 
b/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0465.patch
new file mode 100644
index ..a98f7cba13bd
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0465.patch
@@ -0,0 +1,46 @@
+commit facfb1ab745646e97a1920977ae4a9965ea61d5c
+Author: Matt Caswell 
+Date:   Tue Mar 7 16:52:55 2023 +
+
+Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs
+
+Even though we check the leaf cert to confirm it is valid, we
+later ignored the invalid flag and did not notice that the leaf
+cert was bad.
+
+Fixes: CVE-2023-0465
+
+Reviewed-by: Hugo Landau 
+Reviewed-by: Tomas Mraz 
+(Merged from https://github.com/openssl/openssl/pull/20586)
+
+diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
+index 9384f1da9b..a0282c3ef1 100644
+--- a/crypto/x509/x509_vfy.c
 b/crypto/x509/x509_vfy.c
+@@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX *ctx)
+ goto memerr;
+ /* Invalid or inconsistent extensions */
+ if (ret == X509_PCY_TREE_INVALID) {
+-int i;
++int i, cbcalled = 0;
+ 
+ /* Locate certificates with bad extensions and notify callback. */
+-for (i = 1; i < sk_X509_num(ctx->chain); i++) {
++for (i = 0; i < sk_X509_num(ctx->chain); i++) {
+ X509 *x = sk_X509_value(ctx->chain, i);
+ 
++if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0)
++cbcalled = 1;
+ CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0,
+ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION);
+ }
++if (!cbcalled) {
++/* Should not be able to get here */
++ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR);
++return 0;
++}
++/* The callback ignored the error so we return success */
+ return 1;
+ }
+ if (ret == X509_PCY_TREE_FAILURE) {

diff --git a/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0466.patch 
b/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0466.patch
new file mode 100644
index ..9a315f4c00fd
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0466.patch
@@ -0,0 +1,41 @@
+commit fc814a30fc4f0bc54fcea7d9a7462f5457aab061
+Author: Tomas Mraz 
+Date:   Tue Mar 21 16:15:47 2023 +0100
+
+Fix documentation of X509_VERIFY_PARAM_add0_policy()
+
+The function was incorrectly documented as enabling policy checking.
+
+Fixes: CVE-2023-0466
+
+Reviewed-by: Paul Dale 
+Reviewed-by: Matt Caswell 
+(Merged from https://github.com/openssl/openssl/pull/20562)
+
+diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod 
b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+index 20aea99b5b..fcbbfc4c30 100644
+--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
 b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+@@ -98,8 +98,9 @@ B.
+ X509_VERIFY_PARAM_set_time() sets the verification time in B to
+ B. Normally the current time is used.
+ 
+-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
+-by default) and adds B to the acceptable policy set.
++X509_VERIFY_PARAM_add0_policy() adds B to the acceptable policy set.
++Contrary to preexisting documentation of this function it does not enable
++policy checking.
+ 
+ X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
+ by default) and sets the acceptable policy set to B. Any existing
+@@ -400,6 +401,10 @@ The X509_VERIFY_PARAM_get_hostflags() function was added 
in OpenSSL 1.1.0i.
+ The X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(),
+ and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0.
+ 
++The function X509_VERIFY_PARAM_add0_policy() was historically documented as
++enabling policy checking however the implementation has never done this.
++The documentation 

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2023-03-22 Thread Patrick McLean
commit: f8e9992c5936077459a640b9cb4aa07ff5e75a20
Author: Patrick McLean  gentoo  org>
AuthorDate: Wed Mar 22 22:58:47 2023 +
Commit: Patrick McLean  gentoo  org>
CommitDate: Wed Mar 22 22:59:47 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f8e9992c

dev-libs/openssl: Bump to 3.0.8-r2, add patch for CVE-2023-0464

Signed-off-by: Patrick McLean  gentoo.org>

 .../files/openssl-3.0.8-CVE-2023-0464.patch| 214 
 dev-libs/openssl/openssl-3.0.8-r2.ebuild   | 271 +
 2 files changed, 485 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0464.patch 
b/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0464.patch
new file mode 100644
index ..3cf1d3b38ec9
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.0.8-CVE-2023-0464.patch
@@ -0,0 +1,214 @@
+commit 959c59c7a0164117e7f8366466a32bb1f8d77ff1
+Author: Pauli 
+Date:   Wed Mar 8 15:28:20 2023 +1100
+
+x509: excessive resource use verifying policy constraints
+
+A security vulnerability has been identified in all supported versions
+of OpenSSL related to the verification of X.509 certificate chains
+that include policy constraints.  Attackers may be able to exploit this
+vulnerability by creating a malicious certificate chain that triggers
+exponential use of computational resources, leading to a denial-of-service
+(DoS) attack on affected systems.
+
+Fixes CVE-2023-0464
+
+Reviewed-by: Tomas Mraz 
+Reviewed-by: Shane Lontis 
+(Merged from https://github.com/openssl/openssl/pull/20568)
+
+diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h
+index 18b53cc09e..cba107ca03 100644
+--- a/crypto/x509/pcy_local.h
 b/crypto/x509/pcy_local.h
+@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st {
+ };
+ 
+ struct X509_POLICY_TREE_st {
++/* The number of nodes in the tree */
++size_t node_count;
++/* The maximum number of nodes in the tree */
++size_t node_maximum;
++
+ /* This is the tree 'level' data */
+ X509_POLICY_LEVEL *levels;
+ int nlevel;
+@@ -157,7 +162,8 @@ X509_POLICY_NODE 
*ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
+ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
+  X509_POLICY_DATA *data,
+  X509_POLICY_NODE *parent,
+- X509_POLICY_TREE *tree);
++ X509_POLICY_TREE *tree,
++ int extra_data);
+ void ossl_policy_node_free(X509_POLICY_NODE *node);
+ int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl,
+const X509_POLICY_NODE *node, const ASN1_OBJECT 
*oid);
+diff --git a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c
+index 9d9a7ea179..450f95a655 100644
+--- a/crypto/x509/pcy_node.c
 b/crypto/x509/pcy_node.c
+@@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_find_node(const 
X509_POLICY_LEVEL *level,
+ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
+  X509_POLICY_DATA *data,
+  X509_POLICY_NODE *parent,
+- X509_POLICY_TREE *tree)
++ X509_POLICY_TREE *tree,
++ int extra_data)
+ {
+ X509_POLICY_NODE *node;
+ 
++/* Verify that the tree isn't too large.  This mitigates CVE-2023-0464 */
++if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum)
++return NULL;
++
+ node = OPENSSL_zalloc(sizeof(*node));
+ if (node == NULL) {
+ ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
+@@ -70,7 +75,7 @@ X509_POLICY_NODE 
*ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
+ }
+ node->data = data;
+ node->parent = parent;
+-if (level) {
++if (level != NULL) {
+ if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
+ if (level->anyPolicy)
+ goto node_error;
+@@ -90,7 +95,7 @@ X509_POLICY_NODE 
*ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
+ }
+ }
+ 
+-if (tree) {
++if (extra_data) {
+ if (tree->extra_data == NULL)
+ tree->extra_data = sk_X509_POLICY_DATA_new_null();
+ if (tree->extra_data == NULL){
+@@ -103,6 +108,7 @@ X509_POLICY_NODE 
*ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
+ }
+ }
+ 
++tree->node_count++;
+ if (parent)
+ parent->nchild++;
+ 
+diff --git a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c
+index fa45da5117..f953a05a41 100644
+--- a/crypto/x509/pcy_tree.c
 b/crypto/x509/pcy_tree.c
+@@ -14,6 +14,17 @@
+ 
+ #include "pcy_local.h"
+ 
++/*
++ * If the maximum number of nodes in the policy tree isn't defined, 

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2023-03-22 Thread Patrick McLean
commit: d0c15fb7ffe7e93294611b885c10b86fa5323575
Author: Patrick McLean  gentoo  org>
AuthorDate: Wed Mar 22 22:59:09 2023 +
Commit: Patrick McLean  gentoo  org>
CommitDate: Wed Mar 22 22:59:47 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d0c15fb7

dev-libs/openssl: Bump to 3.1.0-r1, add patch for CVE-2023-0464

Signed-off-by: Patrick McLean  gentoo.org>

 .../files/openssl-3.1.0-CVE-2023-0464.patch| 214 
 dev-libs/openssl/openssl-3.1.0-r1.ebuild   | 274 +
 2 files changed, 488 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0464.patch 
b/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0464.patch
new file mode 100644
index ..dfe83e53d0ad
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.1.0-CVE-2023-0464.patch
@@ -0,0 +1,214 @@
+commit 2017771e2db3e2b96f89bbe8766c3209f6a99545
+Author: Pauli 
+Date:   Wed Mar 8 15:28:20 2023 +1100
+
+x509: excessive resource use verifying policy constraints
+
+A security vulnerability has been identified in all supported versions
+of OpenSSL related to the verification of X.509 certificate chains
+that include policy constraints.  Attackers may be able to exploit this
+vulnerability by creating a malicious certificate chain that triggers
+exponential use of computational resources, leading to a denial-of-service
+(DoS) attack on affected systems.
+
+Fixes CVE-2023-0464
+
+Reviewed-by: Tomas Mraz 
+Reviewed-by: Shane Lontis 
+(Merged from https://github.com/openssl/openssl/pull/20570)
+
+diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h
+index 18b53cc09e..cba107ca03 100644
+--- a/crypto/x509/pcy_local.h
 b/crypto/x509/pcy_local.h
+@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st {
+ };
+ 
+ struct X509_POLICY_TREE_st {
++/* The number of nodes in the tree */
++size_t node_count;
++/* The maximum number of nodes in the tree */
++size_t node_maximum;
++
+ /* This is the tree 'level' data */
+ X509_POLICY_LEVEL *levels;
+ int nlevel;
+@@ -157,7 +162,8 @@ X509_POLICY_NODE 
*ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
+ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
+  X509_POLICY_DATA *data,
+  X509_POLICY_NODE *parent,
+- X509_POLICY_TREE *tree);
++ X509_POLICY_TREE *tree,
++ int extra_data);
+ void ossl_policy_node_free(X509_POLICY_NODE *node);
+ int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl,
+const X509_POLICY_NODE *node, const ASN1_OBJECT 
*oid);
+diff --git a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c
+index 9d9a7ea179..450f95a655 100644
+--- a/crypto/x509/pcy_node.c
 b/crypto/x509/pcy_node.c
+@@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_find_node(const 
X509_POLICY_LEVEL *level,
+ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
+  X509_POLICY_DATA *data,
+  X509_POLICY_NODE *parent,
+- X509_POLICY_TREE *tree)
++ X509_POLICY_TREE *tree,
++ int extra_data)
+ {
+ X509_POLICY_NODE *node;
+ 
++/* Verify that the tree isn't too large.  This mitigates CVE-2023-0464 */
++if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum)
++return NULL;
++
+ node = OPENSSL_zalloc(sizeof(*node));
+ if (node == NULL) {
+ ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE);
+@@ -70,7 +75,7 @@ X509_POLICY_NODE 
*ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
+ }
+ node->data = data;
+ node->parent = parent;
+-if (level) {
++if (level != NULL) {
+ if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
+ if (level->anyPolicy)
+ goto node_error;
+@@ -90,7 +95,7 @@ X509_POLICY_NODE 
*ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
+ }
+ }
+ 
+-if (tree) {
++if (extra_data) {
+ if (tree->extra_data == NULL)
+ tree->extra_data = sk_X509_POLICY_DATA_new_null();
+ if (tree->extra_data == NULL){
+@@ -103,6 +108,7 @@ X509_POLICY_NODE 
*ossl_policy_level_add_node(X509_POLICY_LEVEL *level,
+ }
+ }
+ 
++tree->node_count++;
+ if (parent)
+ parent->nchild++;
+ 
+diff --git a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c
+index fa45da5117..f953a05a41 100644
+--- a/crypto/x509/pcy_tree.c
 b/crypto/x509/pcy_tree.c
+@@ -14,6 +14,17 @@
+ 
+ #include "pcy_local.h"
+ 
++/*
++ * If the maximum number of nodes in the policy tree isn't defined, 

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/

2023-03-18 Thread Sam James
commit: abfaca134102918ed6904bdd2ed08b6ea3949739
Author: Michael Mair-Keimberger  levelnine  at>
AuthorDate: Thu Mar 16 17:14:50 2023 +
Commit: Sam James  gentoo  org>
CommitDate: Sun Mar 19 03:12:42 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=abfaca13

dev-libs/openssl: remove unused file

Signed-off-by: Michael Mair-Keimberger  levelnine.at>
Closes: https://github.com/gentoo/gentoo/pull/30156
Signed-off-by: Sam James  gentoo.org>

 dev-libs/openssl/files/gentoo.config-1.0.3 | 172 -
 1 file changed, 172 deletions(-)

diff --git a/dev-libs/openssl/files/gentoo.config-1.0.3 
b/dev-libs/openssl/files/gentoo.config-1.0.3
deleted file mode 100644
index 0662f72b6d80..
--- a/dev-libs/openssl/files/gentoo.config-1.0.3
+++ /dev/null
@@ -1,172 +0,0 @@
-#!/usr/bin/env bash
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-#
-# Openssl doesn't play along nicely with cross-compiling
-# like autotools based projects, so let's teach it new tricks.
-#
-# Review the bundled 'config' script to see why kind of targets
-# we can pass to the 'Configure' script.
-
-
-# Testing routines
-if [[ $1 == "test" ]] ; then
-   for c in \
-   "arm-gentoo-linux-uclibc  |linux-generic32 -DL_ENDIAN" \
-   "armv5b-linux-gnu |linux-armv4 -DB_ENDIAN" \
-   "x86_64-pc-linux-gnu  |linux-x86_64" \
-   "alpha-linux-gnu  |linux-alpha-gcc" \
-   "alphaev56-unknown-linux-gnu  |linux-alpha+bwx-gcc" \
-   "i686-pc-linux-gnu|linux-elf" \
-   "whatever-gentoo-freebsdX.Y   |BSD-generic32" \
-   "i686-gentoo-freebsdX.Y   |BSD-x86-elf" \
-   "sparc64-alpha-freebsdX.Y |BSD-sparc64" \
-   "ia64-gentoo-freebsd5.99234   |BSD-ia64" \
-   "x86_64-gentoo-freebsdX.Y |BSD-x86_64" \
-   "hppa64-aldsF-linux-gnu5.3|linux-generic32 -DB_ENDIAN" \
-   "powerpc-gentOO-linux-uclibc  |linux-ppc" \
-   "powerpc64-unk-linux-gnu  |linux-ppc64" \
-   "powerpc64le-linux-gnu|linux-ppc64le" \
-   "x86_64-apple-darwinX |darwin64-x86_64-cc" \
-   "powerpc64-apple-darwinX  |darwin64-ppc-cc" \
-   "i686-apple-darwinX   |darwin-i386-cc" \
-   "i386-apple-darwinX   |darwin-i386-cc" \
-   "powerpc-apple-darwinX|darwin-ppc-cc" \
-   "i586-pc-winnt|winnt-parity" \
-   "s390-ibm-linux-gnu   |linux-generic32 -DB_ENDIAN" \
-   "s390x-linux-gnu  |linux64-s390x" \
-   ;do
-   CHOST=${c/|*}
-   ret_want=${c/*|}
-   ret_got=$(CHOST=${CHOST} "$0")
-
-   if [[ ${ret_want} == "${ret_got}" ]] ; then
-   echo "PASS: ${CHOST}"
-   else
-   echo "FAIL: ${CHOST}"
-   echo -e "\twanted: ${ret_want}"
-   echo -e "\twe got: ${ret_got}"
-   fi
-   done
-   exit 0
-fi
-[[ -z ${CHOST} && -n $1 ]] && CHOST=$1
-
-
-# Detect the operating system
-case ${CHOST} in
-   *-aix*)  system="aix";;
-   *-darwin*)   system="darwin";;
-   *-freebsd*)  system="BSD";;
-   *-hpux*) system="hpux";;
-   *-linux*)system="linux";;
-   *-solaris*)  system="solaris";;
-   *-winnt*)system="winnt";;
-   x86_64-*-mingw*) system="mingw64";;
-   *mingw*) system="mingw";;
-   *)   exit 0;;
-esac
-
-
-# Compiler munging
-compiler="gcc"
-if [[ ${CC} == "ccc" ]] ; then
-   compiler=${CC}
-fi
-
-
-# Detect target arch
-machine=""
-chost_machine=${CHOST%%-*}
-case ${system} in
-linux)
-   case ${chost_machine}:${ABI} in
-   aarch64*be*)  machine="aarch64 -DB_ENDIAN";;
-   aarch64*) machine="aarch64 -DL_ENDIAN";;
-   alphaev56*|\
-   alphaev[678]*)machine=alpha+bwx-${compiler};;
-   alpha*)   machine=alpha-${compiler};;
-   armv[4-9]*b*) machine="armv4 -DB_ENDIAN";;
-   armv[4-9]*)   machine="armv4 -DL_ENDIAN";;
-   arm*b*)   machine="generic32 -DB_ENDIAN";;
-   arm*) machine="generic32 -DL_ENDIAN";;
-   avr*) machine="generic32 -DL_ENDIAN";;
-   bfin*)machine="generic32 -DL_ENDIAN";;
-   #   hppa64*)  machine=parisc64;;
-   hppa*)machine="generic32 -DB_ENDIAN";;
-   i[0-9]86*|\
-   x86_64*:x86)  machine=elf;;
-   ia64*)machine=ia64;;
-   loongarch64*) machine="generic64 -DL_ENDIAN";;
-   m68*) machine="latomic -DB_ENDIAN";;
- 

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2023-03-14 Thread Sam James
commit: 568c16c5c05f87f999b04925544cd1ee344319c1
Author: Sam James  gentoo  org>
AuthorDate: Tue Mar 14 19:38:22 2023 +
Commit: Sam James  gentoo  org>
CommitDate: Tue Mar 14 19:48:32 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=568c16c5

dev-libs/openssl: drop 3.0.7-r1, 3.0.7-r4

Signed-off-by: Sam James  gentoo.org>

 dev-libs/openssl/Manifest  |   2 -
 .../files/openssl-3.0.7-x509-CVE-2022-3996.patch   |  35 ---
 dev-libs/openssl/openssl-3.0.7-r1.ebuild   | 338 -
 dev-libs/openssl/openssl-3.0.7-r4.ebuild   | 264 
 4 files changed, 639 deletions(-)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 31e236b00955..f45d7d6c5109 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -5,7 +5,5 @@ DIST openssl-1.1.1s.tar.gz 9868981 BLAKE2B 
ecd19eaf84dbc80448b51651abe52a89cc005
 DIST openssl-1.1.1s.tar.gz.asc 858 BLAKE2B 
d95f0f80d460feac737f84ed629c45aaf5e453103ef202ec7d33cf33b89ad83a9007429433b10754b725d7963b1960e350b64e8bdfe569ad149e26bef462eeca
 SHA512 
aa6e5e940448297a90c46ba162f8e6ee324c2e202a9283328c31f996dc2259dd9f5f981d94d1cf1dd3cc73c44647b473602dacb857b9719bf066931b43b899e6
 DIST openssl-1.1.1t.tar.gz 9881866 BLAKE2B 
66d76ea0c05a4afc3104e22602cffc2373e857728625d31ab3244881cafa91c099a817a09def7746bce4133585bfc90b769f43527e77a81ed13e60a8c2fb4d8d
 SHA512 
628676c9c3bc1cf46083d64f61943079f97f0eefd0264042e40a85dbbd988f271bfe01cd1135d22cc3f67a298f1d078041f8f2e97b0da0d93fe172da573da18c
 DIST openssl-1.1.1t.tar.gz.asc 833 BLAKE2B 
fc5e7069268e987a20241dfc4f080529c6e95e217c198568b09c833e390e68b25a604a5d3ec29c6a64b9dee9d42199fd3647214e536ba2f7b8b4e57aa4cba680
 SHA512 
1232a94fce991d62f008ae6d3d9b6fe68cb6378fe07450feb17a58eb2417fb385ffcb7e6b74eb683134be9ff6ccf6efa183f37f4dd521614fd5aeaddf000b90b
-DIST openssl-3.0.7.tar.gz 15107575 BLAKE2B 
141881071fa62f056c514e7c653a61c59cc45fe951ec094041e23fb5e619133b7ebbfe31cd8203969c9d8842b8cbc10ec58da67cc181761a11c1cfdd0869df9a
 SHA512 
6c2bcd1cd4b499e074e006150dda906980df505679d8e9d988ae93aa61ee6f8c23c0fa369e2edc1e1a743d7bec133044af11d5ed57633b631ae479feb59e3424
-DIST openssl-3.0.7.tar.gz.asc 858 BLAKE2B 
bd07a6f656cce817038743caf1131ef8d7a21bf587e706e32771ad9e09cb4821d21b71171a7fe7bb6bece95e9b06cea6d723aae9de8b62049b5a8316578500be
 SHA512 
9093a8a5a990f5f37bd95e7ca55f2371e59242be408ea7d9403bcfc9c8873c022237e13c0ec81881a20607ea46927887a895a82b6f50c6f423b4c54f9ef0cde1
 DIST openssl-3.0.8.tar.gz 15151328 BLAKE2B 
e163cc9b8b458f72405a2f1bde3811c8d0eb22e8b08ff5608ec64799975f1546dcdce31466b8a1d5ed29bc90d19aa6017d711987c81b71f4b20e279828cf753a
 SHA512 
8ce10be000d7d4092c8efc5b96b1d2f7da04c1c3a624d3a7923899c6b1de06f369016be957e36e8ab6d4c9102eaeec5d1973295d547f7893a7f11f132ae42b0d
 DIST openssl-3.0.8.tar.gz.asc 833 BLAKE2B 
1949801150e254e9be648f33014a4a16f803b42ca5a302c3942d377013e983e0ea0cca8aed594e3f9ecde26c6e31d222581e991af5fae6cd451d7ee83541f4bb
 SHA512 
e1c04f1179aded228b39005fd9e9f6f75aedafb938b77ac58c97a00973eb412d93b92ad1c447332a5d96850b62b01093502928e6c190bdd0234a94c4e815d2a6

diff --git a/dev-libs/openssl/files/openssl-3.0.7-x509-CVE-2022-3996.patch 
b/dev-libs/openssl/files/openssl-3.0.7-x509-CVE-2022-3996.patch
deleted file mode 100644
index 079a4f508ccb..
--- a/dev-libs/openssl/files/openssl-3.0.7-x509-CVE-2022-3996.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-https://bugs.gentoo.org/885797
-
-https://github.com/openssl/openssl/commit/7725e7bfe6f2ce8146b6552b44e0d226be7638e7
-https://github.com/openssl/openssl/issues/19643
-
-From 7725e7bfe6f2ce8146b6552b44e0d226be7638e7 Mon Sep 17 00:00:00 2001
-From: Pauli 
-Date: Fri, 11 Nov 2022 09:40:19 +1100
-Subject: [PATCH] x509: fix double locking problem
-
-This reverts commit 9aa4be691f5c73eb3c68606d824c104550c053f7 and removed the
-redundant flag setting.
-
-Fixes #19643
-
-Fixes LOW CVE-2022-3996
-
-Reviewed-by: Dmitry Belyavskiy 
-Reviewed-by: Tomas Mraz 
-(Merged from https://github.com/openssl/openssl/pull/19652)
-
-(cherry picked from commit 4d0340a6d2f327700a059f0b8f954d6160f8eef5)
 a/crypto/x509/pcy_map.c
-+++ b/crypto/x509/pcy_map.c
-@@ -73,10 +73,6 @@ int ossl_policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS 
*maps)
- 
- ret = 1;
-  bad_mapping:
--if (ret == -1 && CRYPTO_THREAD_write_lock(x->lock)) {
--x->ex_flags |= EXFLAG_INVALID_POLICY;
--CRYPTO_THREAD_unlock(x->lock);
--}
- sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
- return ret;
- 

diff --git a/dev-libs/openssl/openssl-3.0.7-r1.ebuild 
b/dev-libs/openssl/openssl-3.0.7-r1.ebuild
deleted file mode 100644
index a1bcc6a59545..
--- a/dev-libs/openssl/openssl-3.0.7-r1.ebuild
+++ /dev/null
@@ -1,338 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
-inherit edo flag-o-matic 

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/

2023-02-22 Thread Mike Gilbert
commit: d9d631a188bd27b62082fd93a7f434b00e458b1b
Author: Nicholas Vinson  gmail  com>
AuthorDate: Wed Feb 22 00:57:55 2023 +
Commit: Mike Gilbert  gentoo  org>
CommitDate: Wed Feb 22 19:29:31 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d9d631a1

dev-libs/openssl: gentoo.config-1.0.4 clang fix

Update gentoo.config-1.0.4 to better support clang compiler toolchains

Closes: https://bugs.gentoo.org/885901
Signed-off-by: Nicholas Vinson  gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/29711
Signed-off-by: Mike Gilbert  gentoo.org>

 dev-libs/openssl/files/gentoo.config-1.0.4 | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/dev-libs/openssl/files/gentoo.config-1.0.4 
b/dev-libs/openssl/files/gentoo.config-1.0.4
index 573a97de3543..79f6331f090c 100644
--- a/dev-libs/openssl/files/gentoo.config-1.0.4
+++ b/dev-libs/openssl/files/gentoo.config-1.0.4
@@ -77,7 +77,9 @@ fi
 
 # Detect target arch
 machine=""
+submachine=""
 chost_machine=${CHOST%%-*}
+[[ ${CC} == *clang* ]] && submachine="-clang"
 case ${system} in
 linux)
case ${chost_machine}:${ABI} in
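Review bot: The new `[[ ${CC} == *clang* ]] && submachine="-clang"` line makes the script's output depend on the caller's `CC`, which the self-test mode does not account for. As shown in other revisions of this file on the page, that mode re-invokes `"$0"` with only `CHOST` overridden and expects results such as `linux-x86_64`. Under a clang toolchain those rows would presumably report FAIL; clearing the variable in the test call, `ret_got=$(CHOST=${CHOST} CC= "$0")`, or adding clang rows would keep the table meaningful. The glob also matches "clang" anywhere in `CC`, including a directory name, so a short comment stating that intent next to the assignment would help. `submachine` is used only by the `x86_64*:x86)` and `x86_64*)` arms in the two following hunks, and the enclosing `case` continues outside them.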
@@ -95,7 +97,7 @@ linux)
#   hppa64*)  machine=parisc64;;
hppa*)machine="generic32 -DB_ENDIAN";;
i[0-9]86*|\
-   x86_64*:x86)  machine=x86;;
+   x86_64*:x86)  machine=x86${submachine};;
ia64*)machine=ia64;;
loongarch64*) machine="loongarch64 -DL_ENDIAN" system=linux64;;
m68*) machine="latomic -DB_ENDIAN";;
@@ -125,7 +127,7 @@ linux)
s390x*)   machine=s390x system=linux64;;
s390*)machine="generic32 -DB_ENDIAN";;
x86_64*:x32)  machine=x32;;
-   x86_64*)  machine=x86_64;;
+   x86_64*)  machine=x86_64${submachine};;
esac
;;
 BSD)



[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2023-02-12 Thread Mike Gilbert
commit: c3fb91dafb05c7665a96a6d97ad2a5ed69791f3c
Author: Mike Gilbert  gentoo  org>
AuthorDate: Sun Feb 12 23:21:09 2023 +
Commit: Mike Gilbert  gentoo  org>
CommitDate: Sun Feb 12 23:23:10 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c3fb91da

dev-libs/openssl: fix Configure on mips

Closes: https://bugs.gentoo.org/894140
Signed-off-by: Mike Gilbert  gentoo.org>

 .../openssl/files/openssl-3.0.8-mips-cflags.patch  | 30 ++
 dev-libs/openssl/openssl-1.1.1t-r1.ebuild  |  1 +
 dev-libs/openssl/openssl-3.0.8.ebuild  |  5 
 3 files changed, 36 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-3.0.8-mips-cflags.patch 
b/dev-libs/openssl/files/openssl-3.0.8-mips-cflags.patch
new file mode 100644
index ..111681f27d07
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.0.8-mips-cflags.patch
@@ -0,0 +1,30 @@
+https://bugs.gentoo.org/894140
+https://github.com/openssl/openssl/issues/20214
+
+From d500b51791cd56e73065e3a7f4487fc33f31c91c Mon Sep 17 00:00:00 2001
+From: Mike Gilbert 
+Date: Sun, 12 Feb 2023 17:56:58 -0500
+Subject: [PATCH] Fix Configure test for -mips in CFLAGS
+
+We want to add -mips2 or -mips3 only if the user hasn't already
+specified a mips version in CFLAGS. The existing test was a
+double-negative.
+
+Fixes: https://github.com/openssl/openssl/issues/20214
+---
+ Configure | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Configure b/Configure
+index b6bbec0a85c4..ec48614d6b99 100755
+--- a/Configure
 b/Configure
+@@ -1475,7 +1475,7 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 
2>&1` =~ m/-mno-cygwin/m)
+ }
+ 
+ if ($target =~ /linux.*-mips/ && !$disabled{asm}
+-&& !grep { $_ !~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) {
++&& !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) {
+ # minimally required architecture flags for assembly modules
+ my $value;
+ $value = '-mips2' if ($target =~ /mips32/);

diff --git a/dev-libs/openssl/openssl-1.1.1t-r1.ebuild 
b/dev-libs/openssl/openssl-1.1.1t-r1.ebuild
index 89d9f7f6c010..7261dbf43506 100644
--- a/dev-libs/openssl/openssl-1.1.1t-r1.ebuild
+++ b/dev-libs/openssl/openssl-1.1.1t-r1.ebuild
@@ -47,6 +47,7 @@ PATCHES=(
# If they're Gentoo specific, add to USE=-vanilla logic in src_prepare!
"${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch # bug #671602
"${FILESDIR}"/${PN}-1.1.1i-riscv32.patch
+   "${FILESDIR}"/openssl-3.0.8-mips-cflags.patch
 )
 
 pkg_setup() {
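Review bot: The added entry hard-codes `openssl-` where the two neighbouring entries use `${PN}`, and it applies a patch generated against the 3.0.8 tree to 1.1.1t. For consistency I would write `"${FILESDIR}"/${PN}-3.0.8-mips-cflags.patch # bug #894140`, carrying the bug reference the way the `parallel_install_fix` line does. The patch's own hunk header targets `Configure` line 1475, so on 1.1.1t it presumably applies with an offset; it is worth confirming that it applies without fuzz. The comment at the top of the array asks for Gentoo-specific patches to go under the USE=-vanilla logic, so a brief remark that this one was submitted upstream (its header cites openssl issue 20214) would explain why it sits here.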

diff --git a/dev-libs/openssl/openssl-3.0.8.ebuild 
b/dev-libs/openssl/openssl-3.0.8.ebuild
index e259080c01c3..37799cd36092 100644
--- a/dev-libs/openssl/openssl-3.0.8.ebuild
+++ b/dev-libs/openssl/openssl-3.0.8.ebuild
@@ -50,6 +50,10 @@ MULTILIB_WRAPPED_HEADERS=(
/usr/include/openssl/configuration.h
 )
 
+PATCHES=(
+   "${FILESDIR}"/openssl-3.0.8-mips-cflags.patch
+)
+
 pkg_setup() {
if use ktls ; then
if kernel_is -lt 4 18 ; then
@@ -99,6 +103,7 @@ src_prepare() {
# that gets blown away anyways by the Configure script in src_configure
rm -f Makefile
 
+
if ! use vanilla ; then
PATCHES+=(
# Add patches which are Gentoo-specific customisations 
here



[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/

2023-02-08 Thread Sam James
commit: 9ecc3b0650d539516074b2659b543d175de4199f
Author: Michael Mair-Keimberger  levelnine  at>
AuthorDate: Wed Feb  8 16:49:57 2023 +
Commit: Sam James  gentoo  org>
CommitDate: Wed Feb  8 17:14:42 2023 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9ecc3b06

dev-libs/openssl: remove unused patch

Signed-off-by: Michael Mair-Keimberger  levelnine.at>
Closes: https://github.com/gentoo/gentoo/pull/29488
Signed-off-by: Sam James  gentoo.org>

 .../openssl/files/openssl-3.0.5-test-memcmp.patch  | 24 --
 1 file changed, 24 deletions(-)

diff --git a/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch 
b/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch
deleted file mode 100644
index fc84d82e87da..
--- a/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-https://github.com/openssl/openssl/pull/18719
-
-From 7f58de577c05ae0bbd20eee9b2971cfa1cd062c8 Mon Sep 17 00:00:00 2001
-From: Gregor Jasny 
-Date: Tue, 5 Jul 2022 12:57:06 +0200
-Subject: [PATCH] Add missing header for memcmp
-
-CLA: trivial

- test/v3ext.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/test/v3ext.c b/test/v3ext.c
-index 926f3884b138..a8ab64b2714b 100644
 a/test/v3ext.c
-+++ b/test/v3ext.c
-@@ -8,6 +8,7 @@
-  */
- 
- #include 
-+#include 
- #include 
- #include 
- #include 



[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2022-12-17 Thread Andreas K. Hüttel
commit: 46e080f168be4b67e832229997c2b200fe269e34
Author: Andreas K. Hüttel  gentoo  org>
AuthorDate: Sat Dec 17 19:19:14 2022 +
Commit: Andreas K. Hüttel  gentoo  org>
CommitDate: Sat Dec 17 19:19:14 2022 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=46e080f1

dev-libs/openssl: keyword 3.0.7-r2 for ~loong

Signed-off-by: Andreas K. Hüttel  gentoo.org>

 dev-libs/openssl/files/gentoo.config-1.0.4 | 2 +-
 dev-libs/openssl/openssl-3.0.7-r2.ebuild   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/dev-libs/openssl/files/gentoo.config-1.0.4 
b/dev-libs/openssl/files/gentoo.config-1.0.4
index edbf22a56dff..98f8d1af64ac 100644
--- a/dev-libs/openssl/files/gentoo.config-1.0.4
+++ b/dev-libs/openssl/files/gentoo.config-1.0.4
@@ -97,7 +97,7 @@ linux)
i[0-9]86*|\
x86_64*:x86)  machine=elf;;
ia64*)machine=ia64;;
-   loongarch64*) machine="generic64 -DL_ENDIAN";;
+   loongarch64*) machine="loongarch64 -DL_ENDIAN" system=linux64;;
m68*) machine="latomic -DB_ENDIAN";;
mips*el*:o32) machine="mips32 -DL_ENDIAN";;
mips*:o32)machine="mips32 -DB_ENDIAN";;
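Review bot: The rewritten `loongarch64*)` arm changes both the machine name and the system prefix, but the hunk adds no row for it to the script's self-test table, so nothing checks the resulting target string. By analogy with the existing `s390x-linux-gnu |linux64-s390x` row, a row such as `"loongarch64-unknown-linux-gnu |linux64-loongarch64 -DL_ENDIAN" \` could be added; that expected value is inferred from the s390x row and should be confirmed against the script's actual output. Because `gentoo.config-1.0.4` is edited in place, every ebuild already using this file picks up the new target, which would be worth a line in the commit message. The `case` statement begins and ends outside the hunk.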

diff --git a/dev-libs/openssl/openssl-3.0.7-r2.ebuild 
b/dev-libs/openssl/openssl-3.0.7-r2.ebuild
index 4ee76298915b..2bccbd686aa0 100644
--- a/dev-libs/openssl/openssl-3.0.7-r2.ebuild
+++ b/dev-libs/openssl/openssl-3.0.7-r2.ebuild
@@ -19,7 +19,7 @@ else
SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
#KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc 
~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux"
-   KEYWORDS="~alpha ~amd64 ~arm64 ~mips"
+   KEYWORDS="~alpha ~amd64 ~arm64 ~loong ~mips"
 fi
 
 S="${WORKDIR}"/${MY_P}



[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2022-12-16 Thread Andreas K. Hüttel
commit: 93dfaa16b6a326527e0a158839e2d95478e3559f
Author: Andreas K. Hüttel  gentoo  org>
AuthorDate: Fri Dec 16 20:46:38 2022 +
Commit: Andreas K. Hüttel  gentoo  org>
CommitDate: Fri Dec 16 20:47:22 2022 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=93dfaa16

dev-libs/openssl: Use new config file in -r2, update mips defs for testing

Signed-off-by: Andreas K. Hüttel  gentoo.org>

 dev-libs/openssl/files/gentoo.config-1.0.4 | 176 +
 dev-libs/openssl/openssl-3.0.7-r2.ebuild   |   2 +-
 2 files changed, 177 insertions(+), 1 deletion(-)

diff --git a/dev-libs/openssl/files/gentoo.config-1.0.4 
b/dev-libs/openssl/files/gentoo.config-1.0.4
new file mode 100644
index ..edbf22a56dff
--- /dev/null
+++ b/dev-libs/openssl/files/gentoo.config-1.0.4
@@ -0,0 +1,176 @@
+#!/usr/bin/env bash
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+#
+# Openssl doesn't play along nicely with cross-compiling
+# like autotools based projects, so let's teach it new tricks.
+#
+# Review the bundled 'config' script to see why kind of targets
+# we can pass to the 'Configure' script.
+
+
+# Testing routines
+if [[ $1 == "test" ]] ; then
+   for c in \
+   "arm-gentoo-linux-uclibc  |linux-generic32 -DL_ENDIAN" \
+   "armv5b-linux-gnu |linux-armv4 -DB_ENDIAN" \
+   "x86_64-pc-linux-gnu  |linux-x86_64" \
+   "alpha-linux-gnu  |linux-alpha-gcc" \
+   "alphaev56-unknown-linux-gnu  |linux-alpha+bwx-gcc" \
+   "i686-pc-linux-gnu|linux-elf" \
+   "whatever-gentoo-freebsdX.Y   |BSD-generic32" \
+   "i686-gentoo-freebsdX.Y   |BSD-x86-elf" \
+   "sparc64-alpha-freebsdX.Y |BSD-sparc64" \
+   "ia64-gentoo-freebsd5.99234   |BSD-ia64" \
+   "x86_64-gentoo-freebsdX.Y |BSD-x86_64" \
+   "hppa64-aldsF-linux-gnu5.3|linux-generic32 -DB_ENDIAN" \
+   "powerpc-gentOO-linux-uclibc  |linux-ppc" \
+   "powerpc64-unk-linux-gnu  |linux-ppc64" \
+   "powerpc64le-linux-gnu|linux-ppc64le" \
+   "x86_64-apple-darwinX |darwin64-x86_64-cc" \
+   "powerpc64-apple-darwinX  |darwin64-ppc-cc" \
+   "i686-apple-darwinX   |darwin-i386-cc" \
+   "i386-apple-darwinX   |darwin-i386-cc" \
+   "powerpc-apple-darwinX|darwin-ppc-cc" \
+   "i586-pc-winnt|winnt-parity" \
+   "s390-ibm-linux-gnu   |linux-generic32 -DB_ENDIAN" \
+   "s390x-linux-gnu  |linux64-s390x" \
+   ;do
+   CHOST=${c/|*}
+   ret_want=${c/*|}
+   ret_got=$(CHOST=${CHOST} "$0")
+
+   if [[ ${ret_want} == "${ret_got}" ]] ; then
+   echo "PASS: ${CHOST}"
+   else
+   echo "FAIL: ${CHOST}"
+   echo -e "\twanted: ${ret_want}"
+   echo -e "\twe got: ${ret_got}"
+   fi
+   done
+   exit 0
+fi
+[[ -z ${CHOST} && -n $1 ]] && CHOST=$1
+
+
+# Detect the operating system
+case ${CHOST} in
+   *-aix*)  system="aix";;
+   *-darwin*)   system="darwin";;
+   *-freebsd*)  system="BSD";;
+   *-hpux*) system="hpux";;
+   *-linux*)system="linux";;
+   *-solaris*)  system="solaris";;
+   *-winnt*)system="winnt";;
+   x86_64-*-mingw*) system="mingw64";;
+   *mingw*) system="mingw";;
+   *)   exit 0;;
+esac
+
+
+# Compiler munging
+compiler="gcc"
+if [[ ${CC} == "ccc" ]] ; then
+   compiler=${CC}
+fi
+
+
+# Detect target arch
+machine=""
+chost_machine=${CHOST%%-*}
+case ${system} in
+linux)
+   case ${chost_machine}:${ABI} in
+   aarch64*be*)  machine="aarch64 -DB_ENDIAN";;
+   aarch64*) machine="aarch64 -DL_ENDIAN";;
+   alphaev56*|\
+   alphaev[678]*)machine=alpha+bwx-${compiler};;
+   alpha*)   machine=alpha-${compiler};;
+   armv[4-9]*b*) machine="armv4 -DB_ENDIAN";;
+   armv[4-9]*)   machine="armv4 -DL_ENDIAN";;
+   arm*b*)   machine="generic32 -DB_ENDIAN";;
+   arm*) machine="generic32 -DL_ENDIAN";;
+   avr*) machine="generic32 -DL_ENDIAN";;
+   bfin*)machine="generic32 -DL_ENDIAN";;
+   #   hppa64*)  machine=parisc64;;
+   hppa*)machine="generic32 -DB_ENDIAN";;
+   i[0-9]86*|\
+   x86_64*:x86)  machine=elf;;
+   ia64*)machine=ia64;;
+   loongarch64*) machine="generic64 -DL_ENDIAN";;
+   m68*) machine="latomic -DB_ENDIAN";;
+   

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2022-12-14 Thread Andreas K. Hüttel
commit: 4b2306f132bd2549bf7e039475ae809f177f2737
Author: Andreas K. Hüttel  gentoo  org>
AuthorDate: Wed Dec 14 23:00:14 2022 +
Commit: Andreas K. Hüttel  gentoo  org>
CommitDate: Wed Dec 14 23:00:14 2022 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4b2306f1

dev-libs/openssl: Fix build on m68k

See
https://archives.gentoo.org/gentoo-releng-autobuilds/message/f6163c3b954c76a3dd4bb6eeaab38c51

Signed-off-by: Andreas K. Hüttel  gentoo.org>

 dev-libs/openssl/files/gentoo.config-1.0.3 | 172 +
 dev-libs/openssl/openssl-3.0.7-r1.ebuild   |   2 +-
 2 files changed, 173 insertions(+), 1 deletion(-)

diff --git a/dev-libs/openssl/files/gentoo.config-1.0.3 
b/dev-libs/openssl/files/gentoo.config-1.0.3
new file mode 100644
index ..0662f72b6d80
--- /dev/null
+++ b/dev-libs/openssl/files/gentoo.config-1.0.3
@@ -0,0 +1,172 @@
+#!/usr/bin/env bash
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+#
+# Openssl doesn't play along nicely with cross-compiling
+# like autotools based projects, so let's teach it new tricks.
+#
+# Review the bundled 'config' script to see why kind of targets
+# we can pass to the 'Configure' script.
+
+
+# Testing routines
+if [[ $1 == "test" ]] ; then
+   for c in \
+   "arm-gentoo-linux-uclibc  |linux-generic32 -DL_ENDIAN" \
+   "armv5b-linux-gnu |linux-armv4 -DB_ENDIAN" \
+   "x86_64-pc-linux-gnu  |linux-x86_64" \
+   "alpha-linux-gnu  |linux-alpha-gcc" \
+   "alphaev56-unknown-linux-gnu  |linux-alpha+bwx-gcc" \
+   "i686-pc-linux-gnu|linux-elf" \
+   "whatever-gentoo-freebsdX.Y   |BSD-generic32" \
+   "i686-gentoo-freebsdX.Y   |BSD-x86-elf" \
+   "sparc64-alpha-freebsdX.Y |BSD-sparc64" \
+   "ia64-gentoo-freebsd5.99234   |BSD-ia64" \
+   "x86_64-gentoo-freebsdX.Y |BSD-x86_64" \
+   "hppa64-aldsF-linux-gnu5.3|linux-generic32 -DB_ENDIAN" \
+   "powerpc-gentOO-linux-uclibc  |linux-ppc" \
+   "powerpc64-unk-linux-gnu  |linux-ppc64" \
+   "powerpc64le-linux-gnu|linux-ppc64le" \
+   "x86_64-apple-darwinX |darwin64-x86_64-cc" \
+   "powerpc64-apple-darwinX  |darwin64-ppc-cc" \
+   "i686-apple-darwinX   |darwin-i386-cc" \
+   "i386-apple-darwinX   |darwin-i386-cc" \
+   "powerpc-apple-darwinX|darwin-ppc-cc" \
+   "i586-pc-winnt|winnt-parity" \
+   "s390-ibm-linux-gnu   |linux-generic32 -DB_ENDIAN" \
+   "s390x-linux-gnu  |linux64-s390x" \
+   ;do
+   CHOST=${c/|*}
+   ret_want=${c/*|}
+   ret_got=$(CHOST=${CHOST} "$0")
+
+   if [[ ${ret_want} == "${ret_got}" ]] ; then
+   echo "PASS: ${CHOST}"
+   else
+   echo "FAIL: ${CHOST}"
+   echo -e "\twanted: ${ret_want}"
+   echo -e "\twe got: ${ret_got}"
+   fi
+   done
+   exit 0
+fi
+[[ -z ${CHOST} && -n $1 ]] && CHOST=$1
+
+
+# Detect the operating system
+case ${CHOST} in
+   *-aix*)  system="aix";;
+   *-darwin*)   system="darwin";;
+   *-freebsd*)  system="BSD";;
+   *-hpux*) system="hpux";;
+   *-linux*)system="linux";;
+   *-solaris*)  system="solaris";;
+   *-winnt*)system="winnt";;
+   x86_64-*-mingw*) system="mingw64";;
+   *mingw*) system="mingw";;
+   *)   exit 0;;
+esac
+
+
+# Compiler munging
+compiler="gcc"
+if [[ ${CC} == "ccc" ]] ; then
+   compiler=${CC}
+fi
+
+
+# Detect target arch
+machine=""
+chost_machine=${CHOST%%-*}
+case ${system} in
+linux)
+   case ${chost_machine}:${ABI} in
+   aarch64*be*)  machine="aarch64 -DB_ENDIAN";;
+   aarch64*) machine="aarch64 -DL_ENDIAN";;
+   alphaev56*|\
+   alphaev[678]*)machine=alpha+bwx-${compiler};;
+   alpha*)   machine=alpha-${compiler};;
+   armv[4-9]*b*) machine="armv4 -DB_ENDIAN";;
+   armv[4-9]*)   machine="armv4 -DL_ENDIAN";;
+   arm*b*)   machine="generic32 -DB_ENDIAN";;
+   arm*) machine="generic32 -DL_ENDIAN";;
+   avr*) machine="generic32 -DL_ENDIAN";;
+   bfin*)machine="generic32 -DL_ENDIAN";;
+   #   hppa64*)  machine=parisc64;;
+   hppa*)machine="generic32 -DB_ENDIAN";;
+   i[0-9]86*|\
+   x86_64*:x86)  machine=elf;;
+   ia64*)machine=ia64;;
+   loongarch64*) machine="generic64 -DL_ENDIAN";;
+

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2022-12-13 Thread Sam James
commit: ebb2a9a705c6d1cefa9c4bc94cf57da7a03f53b6
Author: Sam James  gentoo  org>
AuthorDate: Tue Dec 13 18:14:10 2022 +
Commit: Sam James  gentoo  org>
CommitDate: Tue Dec 13 18:14:18 2022 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ebb2a9a7

dev-libs/openssl: fix CVE-2022-3996 for 3.0.7

Only affects 3.x.

Bug: https://bugs.gentoo.org/885797
Signed-off-by: Sam James  gentoo.org>

 .../files/openssl-3.0.7-x509-CVE-2022-3996.patch   |  35 +++
 dev-libs/openssl/openssl-3.0.7-r1.ebuild   | 338 +
 2 files changed, 373 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-3.0.7-x509-CVE-2022-3996.patch 
b/dev-libs/openssl/files/openssl-3.0.7-x509-CVE-2022-3996.patch
new file mode 100644
index ..079a4f508ccb
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.0.7-x509-CVE-2022-3996.patch
@@ -0,0 +1,35 @@
+https://bugs.gentoo.org/885797
+
+https://github.com/openssl/openssl/commit/7725e7bfe6f2ce8146b6552b44e0d226be7638e7
+https://github.com/openssl/openssl/issues/19643
+
+From 7725e7bfe6f2ce8146b6552b44e0d226be7638e7 Mon Sep 17 00:00:00 2001
+From: Pauli 
+Date: Fri, 11 Nov 2022 09:40:19 +1100
+Subject: [PATCH] x509: fix double locking problem
+
+This reverts commit 9aa4be691f5c73eb3c68606d824c104550c053f7 and removed the
+redundant flag setting.
+
+Fixes #19643
+
+Fixes LOW CVE-2022-3996
+
+Reviewed-by: Dmitry Belyavskiy 
+Reviewed-by: Tomas Mraz 
+(Merged from https://github.com/openssl/openssl/pull/19652)
+
+(cherry picked from commit 4d0340a6d2f327700a059f0b8f954d6160f8eef5)
+--- a/crypto/x509/pcy_map.c
 b/crypto/x509/pcy_map.c
+@@ -73,10 +73,6 @@ int ossl_policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS 
*maps)
+ 
+ ret = 1;
+  bad_mapping:
+-if (ret == -1 && CRYPTO_THREAD_write_lock(x->lock)) {
+-x->ex_flags |= EXFLAG_INVALID_POLICY;
+-CRYPTO_THREAD_unlock(x->lock);
+-}
+ sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
+ return ret;
+ 
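Review bot: After this removal, nothing under the `bad_mapping:` label records why it is safe to leave `x->ex_flags` untouched when `ret == -1`. The patch subject ("fix double locking problem") and its description ("removed the redundant flag setting") suggest the caller already holds `x->lock` and marks the certificate invalid itself, but neither is visible in this hunk, and ossl_policy_cache_set_mapping starts outside it. If that is the contract, state it at the label so the lock is not reintroduced later: `/* caller holds x->lock and sets EXFLAG_INVALID_POLICY on failure; do not lock here */`. The backport also carries no regression test for the malformed-policy path, so confirm that upstream's test suite covers it before relying on this alone.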

diff --git a/dev-libs/openssl/openssl-3.0.7-r1.ebuild 
b/dev-libs/openssl/openssl-3.0.7-r1.ebuild
new file mode 100644
index ..4a19c01cc36b
--- /dev/null
+++ b/dev-libs/openssl/openssl-3.0.7-r1.ebuild
@@ -0,0 +1,338 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic linux-info toolchain-funcs multilib-minimal 
multiprocessing verify-sig
+
+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer 
Security (TLS)"
+HOMEPAGE="https://www.openssl.org/;
+
+MY_P=${P/_/-}
+
+if [[ ${PV} ==  ]] ; then
+   EGIT_REPO_URI="https://github.com/openssl/openssl.git;
+
+   inherit git-r3
+else
+   SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
+   verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
+   KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 
~riscv ~s390 ~sparc ~x86 ~x86-linux"
+fi
+
+S="${WORKDIR}"/${MY_P}
+
+LICENSE="Apache-2.0"
+SLOT="0/3" # .so version of libssl/libcrypto
+IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test 
tls-compression vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+   >=app-misc/c_rehash-1.7-r1
+   tls-compression? ( 
>=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+"
+BDEPEND="
+   >=dev-lang/perl-5
+   sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+   test? (
+   sys-apps/diffutils
+   sys-devel/bc
+   sys-process/procps
+   )
+   verify-sig? ( >=sec-keys/openpgp-keys-openssl-20221101 )"
+
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+PDEPEND="app-misc/ca-certificates"
+
+MULTILIB_WRAPPED_HEADERS=(
+   /usr/include/openssl/configuration.h
+)
+
+PATCHES=(
+   "${FILESDIR}"/${P}-x509-CVE-2022-3996.patch
+)
+
+pkg_setup() {
+   if use ktls ; then
+   if kernel_is -lt 4 18 ; then
+   ewarn "Kernel implementation of TLS (USE=ktls) requires 
kernel >=4.18!"
+   else
+   CONFIG_CHECK="~TLS ~TLS_DEVICE"
+   ERROR_TLS="You will be unable to offload TLS to kernel 
because CONFIG_TLS is not set!"
+   ERROR_TLS_DEVICE="You will be unable to offload TLS to 
kernel because CONFIG_TLS_DEVICE is not set!"
+
+   linux-info_pkg_setup
+   fi
+   fi
+
+   [[ ${MERGE_TYPE} == binary ]] && return
+
+   # must check in pkg_setup; sysctl doesn't work with userpriv!
+   if use test && use sctp ; then
+   # test_ssl_new will fail with "Ensure SCTP AUTH chunks are 
enabled in kernel"
+   # if sctp.auth_enable is not enabled.
+   local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 
2>/dev/null)
+   if [[ -z "${sctp_auth_status}" 

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2022-08-29 Thread Sam James
commit: 458daf054634ccaa6e5df1a53339e0f57f2755a6
Author: Sam James  gentoo  org>
AuthorDate: Mon Aug 29 20:51:15 2022 +
Commit: Sam James  gentoo  org>
CommitDate: Mon Aug 29 20:51:41 2022 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=458daf05

dev-libs/openssl: drop 1.1.1n, 1.1.1o, 1.1.1o-r1, 1.1.1p

Bug: https://bugs.gentoo.org/856592
Bug: https://bugs.gentoo.org/842489
Signed-off-by: Sam James  gentoo.org>

 dev-libs/openssl/Manifest  |   7 -
 .../files/openssl-1.1.1p-fix-test-build.patch  |  52 
 dev-libs/openssl/openssl-1.1.1n.ebuild | 298 --
 dev-libs/openssl/openssl-1.1.1o-r1.ebuild  | 338 -
 dev-libs/openssl/openssl-1.1.1o.ebuild | 318 ---
 dev-libs/openssl/openssl-1.1.1p.ebuild | 337 
 6 files changed, 1350 deletions(-)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index eb14a155609f..a411ae31d39e 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,13 +1,6 @@
 DIST openssl-1.0.2-patches-1.5.tar.xz 12404 BLAKE2B 
6c1b8c28f339f539b2ab8643379502a24cf62bffde00041dce54d5dd9e8d2620b181362ee5464b0ab32ba4948e209697bfabadbea2944a409a1009100d298f24
 SHA512 
5725e2d9d1ee8cc074bcef3bed61c71bdab2ff1c114362110c3fb8da11ad5bc8f2ff28e90a293f5f3a5cf96ecda54dffdb7ab3fb3f8b23ef6472250dc3037659
 DIST openssl-1.0.2t-bindist-1.0.tar.xz 13872 BLAKE2B 
b2aade96a6e0ca6209a39e205b1c838de945903fcf959c62cc29ddcd1a0cb360fc5db234df86860a6a4c096f5ecc237611e4c2946b986a5500c24ba93c208ef4
 SHA512 
a48a7efb9b973b865bcc5009d450b428ed6b4b95e4cefe70c51056e47392c8a7bec58215168d8b07712419dc74646c2bd2fd23bcfbba2031376e292249a6b1b6
 DIST openssl-1.0.2u.tar.gz 5355412 BLAKE2B 
b2ff2a10e5851af5aca4093422a9a072c794e87b997263826c1c35910c040f695fac63decac5856cb49399ed03d410f97701d9fd4e1ebfbcacd8f3a74ce8bf57
 SHA512 
c455bb309e20e2c2d47fdc5619c734d107d5c8c38c1409903ce979acc120b0d5fa0312917c0aa0d630e402d092a703d4249643f36078e8528a3cafc9dac6ab32
-DIST openssl-1.1.1n.tar.gz 9850712 BLAKE2B 
af530258d9f7ca4f1bd1c6c344eb385e766e465c9341dd08797676165f67bbb82d3fd549ed7559dc12fb8c9c4db5e04fa6ec7ab729ec1467f5e8bce469ff5398
 SHA512 
1937796736613dcf4105a54e42ecb61f95a1cea74677156f9459aea0f2c95159359e766089632bf364ee6b0d28d661eb9957bce8fecc9d2436378d8d79e8d0a4
-DIST openssl-1.1.1n.tar.gz.asc 488 BLAKE2B 
8fc18fdc884473dc4c243499cc3528691a9ecc184e39e8d942450d41c42d22a96398036ae804af23c4f28d082c62f5babaa275ceb2e13b33b5acfd59a802c186
 SHA512 
24abc3d187cabed830dcd3189a34c2dc29e0b8013a607011a0e85cc68f0ec48c1de14a005053a4de3a4013cfa9658016ac65cfb8cfac58da55231371926beeda
-DIST openssl-1.1.1o-test-fixes-expiry.patch.xz 6180 BLAKE2B 
23ef36d7bd05c98f7fab6de25681a53fa7a558d114548836b6cd90a57c4f4e45dc9fb622936053608b463320605b7df60db2d2caf3811b249f6ead3791a1c081
 SHA512 
577aec97fb31cd9efe3b30d82c560d3e7da57ae52c4de0f86e951b777a673830baaadcc5eb366c523024d37405531c6d32de26bbbc1e77df15c7822c72e937e6
-DIST openssl-1.1.1o.tar.gz 9856386 BLAKE2B 
5bd355fd17adf43ba4e3bf1a8036ceb724edd4f4ab80dc25aecc3d2647372e9db2bc12e2b89791fc4b6f7fd95a7b68e00490d09ca6518d25ab990ee27798e641
 SHA512 
75b2f1499cb4640229eb6cd35d85cbff2e19db17b959ac4d04b60f1b395b73567f9003521452a0fcfeea9b31b26de0a7bccf476ecf9caae02298f3647cfb7e23
-DIST openssl-1.1.1o.tar.gz.asc 488 BLAKE2B 
a03a967e7e2124d1a76ad7765e2f48065f40d32ba102a433be603ee8f86b26a2d246dcb97a95bd694ef3005889ce4f1951f76d39fe1d683f92da1aa3023e9c2d
 SHA512 
da6d88de7c1cd807b6089d50f8bb102c317c0b45ca26e517e3e400c5c65f787d94a1ee522af76279e93790a7fb491348cf25ffcfd66ecb9a9d35209328cb221e
-DIST openssl-1.1.1p.tar.gz 9860217 BLAKE2B 
4354753a5e52393c9cc4569954c2cac6d89a1e204fa4f9ca00a60492782d29f8952fb92664cdbb3576c6443d3cb2eacebea51db584738589f3598b40df579b12
 SHA512 
203470b1cd37bdbfabfec5ef37fc97c991d9943f070c988316f6396b09dae7cea16ac884bd8646dbf7dd1ed40ebde6bdfa5700beee2d714d07c97cc70b4e48d9
-DIST openssl-1.1.1p.tar.gz.asc 488 BLAKE2B 
e68c8a4c992c2448b48428137f61f91fb89e4814f6e80c5525cea695bcf898326eca729f31b953fbd7ff51b448004101ca78abfbd3138ec2389596faa3eafc2f
 SHA512 
c85d65df1ed0f1ae87b799d794ea43e32c8ecaf85caf6e36fbbd4a890ef1d47710380d3846296e0124898680be66113a959ad974e0448bc00d1253794dc48972
 DIST openssl-1.1.1q.tar.gz 9864061 BLAKE2B 
fc8fd6a62dc291d0bda328a051e253175fb04442cc4b8f45d67c3a5027748a0fc5fb372d0483bc9024ae0bff119c4fac8f1e982a182612427696d6d09f5935f5
 SHA512 
cb9f184ec4974a3423ef59c8ec86b6bf523d5b887da2087ae58c217249da3246896fdd6966ee9c13aea9e6306783365239197e9f742c508a0e35e5744e3e085f
 DIST openssl-1.1.1q.tar.gz.asc 833 BLAKE2B 
9311abf47469c3802a84dc9b7427a168ba7717496960e6f84b04e4d9263dea1168493082937a06bcb6ef4169b2ed9b2f36084bbac15b5f7ca5b4c41041c4bab6
 SHA512 
03a41f29d1713c47bb300e01e36dbd048074076a6a3b9913e2fc9a1b56b726c038978f99e86f9a3e4ea39f72bd82a15965842f6d94210fa9d3474f6f0f68559e
 DIST openssl-3.0.5.tar.gz 15074407 BLAKE2B 

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/

2022-08-19 Thread Sam James
commit: 3b94f6daf15da0b5fd7142881663030d1c1a1dd2
Author: Michael Mair-Keimberger  levelnine  at>
AuthorDate: Fri Aug 19 18:41:11 2022 +
Commit: Sam James  gentoo  org>
CommitDate: Fri Aug 19 22:52:58 2022 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3b94f6da

dev-libs/openssl: remove unused patches

Signed-off-by: Michael Mair-Keimberger  levelnine.at>
Closes: https://github.com/gentoo/gentoo/pull/26928
Signed-off-by: Sam James  gentoo.org>

 .../openssl-3.0.4-avx512-buffer-overflow.patch | 34 
 .../files/openssl-3.0.4-fix-test-build.patch   | 46 --
 2 files changed, 80 deletions(-)

diff --git a/dev-libs/openssl/files/openssl-3.0.4-avx512-buffer-overflow.patch 
b/dev-libs/openssl/files/openssl-3.0.4-avx512-buffer-overflow.patch
deleted file mode 100644
index c72e958ff535..
--- a/dev-libs/openssl/files/openssl-3.0.4-avx512-buffer-overflow.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-https://github.com/openssl/openssl/commit/a1f7034bbd8f0730d360211f5ba0feeaef0b7b2c
-https://github.com/openssl/openssl/issues/18625
-
-From a1f7034bbd8f0730d360211f5ba0feeaef0b7b2c Mon Sep 17 00:00:00 2001
-From: Xi Ruoyao 
-Date: Wed, 22 Jun 2022 18:07:05 +0800
-Subject: [PATCH] rsa: fix bn_reduce_once_in_place call for
- rsaz_mod_exp_avx512_x2
-
-bn_reduce_once_in_place expects the number of BN_ULONG, but factor_size
-is moduli bit size.
-
-Fixes #18625.
-
-Signed-off-by: Xi Ruoyao 
-
-Reviewed-by: Tomas Mraz 
-Reviewed-by: Paul Dale 
-(Merged from https://github.com/openssl/openssl/pull/18626)
-
-(cherry picked from commit 4d8a88c134df634ba610ff8db1eb8478ac5fd345)
 a/crypto/bn/rsaz_exp_x2.c
-+++ b/crypto/bn/rsaz_exp_x2.c
-@@ -220,6 +220,9 @@ int ossl_rsaz_mod_exp_avx512_x2(BN_ULONG *res1,
- from_words52(res1, factor_size, rr1_red);
- from_words52(res2, factor_size, rr2_red);
- 
-+/* bn_reduce_once_in_place expects number of BN_ULONG, not bit size */
-+factor_size /= sizeof(BN_ULONG) * 8;
-+
- bn_reduce_once_in_place(res1, /*carry=*/0, m1, storage, factor_size);
- bn_reduce_once_in_place(res2, /*carry=*/0, m2, storage, factor_size);
- 
-

diff --git a/dev-libs/openssl/files/openssl-3.0.4-fix-test-build.patch 
b/dev-libs/openssl/files/openssl-3.0.4-fix-test-build.patch
deleted file mode 100644
index f96e54f3127e..
--- a/dev-libs/openssl/files/openssl-3.0.4-fix-test-build.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-https://github.com/openssl/openssl/issues/18619
-https://github.com/openssl/openssl/pull/18634
-https://github.com/openssl/openssl/commit/665ab12ed3f0d78e7cb6a55cdd2b83a2fe150232
-
-From 665ab12ed3f0d78e7cb6a55cdd2b83a2fe150232 Mon Sep 17 00:00:00 2001
-From: Bernd Edlinger 
-Date: Fri, 17 Jun 2022 10:25:24 +0200
-Subject: [PATCH] Fix compile issues in test/v3ext.c with no-rfc3779
-
-There are no ASIdentifiers if OPENSSL_NO_RFC3779 is defined,
-therefore the test cannot be compiled.
-
-Reviewed-by: Matt Caswell 
-Reviewed-by: Tomas Mraz 
-Reviewed-by: Paul Dale 
-(Merged from https://github.com/openssl/openssl/pull/18634)
-
-(cherry picked from commit b76efe61ea9710a8f69e1cb8caf1aeb2ba6f1ebe)
 a/test/v3ext.c
-+++ b/test/v3ext.c
-@@ -37,6 +37,7 @@ static int test_pathlen(void)
- return ret;
- }
- 
-+#ifndef OPENSSL_NO_RFC3779
- static int test_asid(void)
- {
- ASN1_INTEGER *val1 = NULL, *val2 = NULL;
-@@ -113,6 +114,7 @@ static int test_asid(void)
- ASIdentifiers_free(asid4);
- return testresult;
- }
-+#endif /* OPENSSL_NO_RFC3779 */
- 
- OPT_TEST_DECLARE_USAGE("cert.pem\n")
- 
-@@ -127,6 +129,8 @@ int setup_tests(void)
- return 0;
- 
- ADD_TEST(test_pathlen);
-+#ifndef OPENSSL_NO_RFC3779
- ADD_TEST(test_asid);
-+#endif /* OPENSSL_NO_RFC3779 */
- return 1;
- }
-



[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2022-07-05 Thread Sam James
commit: 1f171e1acbd185d7cd5c5a2689f50d02c7c64caf
Author: Sam James  gentoo  org>
AuthorDate: Tue Jul  5 23:33:03 2022 +
Commit: Sam James  gentoo  org>
CommitDate: Tue Jul  5 23:33:03 2022 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1f171e1a

dev-libs/openssl: add 1.1.1q

Bug: https://bugs.gentoo.org/856592
Signed-off-by: Sam James  gentoo.org>

 dev-libs/openssl/Manifest  |   2 +
 .../openssl/files/openssl-3.0.5-test-memcmp.patch  |   2 +
 dev-libs/openssl/openssl-1.1.1q.ebuild | 337 +
 3 files changed, 341 insertions(+)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index d85b9ffd72e4..f960853b8a8a 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -8,6 +8,8 @@ DIST openssl-1.1.1o.tar.gz 9856386 BLAKE2B 
5bd355fd17adf43ba4e3bf1a8036ceb724edd
 DIST openssl-1.1.1o.tar.gz.asc 488 BLAKE2B 
a03a967e7e2124d1a76ad7765e2f48065f40d32ba102a433be603ee8f86b26a2d246dcb97a95bd694ef3005889ce4f1951f76d39fe1d683f92da1aa3023e9c2d
 SHA512 
da6d88de7c1cd807b6089d50f8bb102c317c0b45ca26e517e3e400c5c65f787d94a1ee522af76279e93790a7fb491348cf25ffcfd66ecb9a9d35209328cb221e
 DIST openssl-1.1.1p.tar.gz 9860217 BLAKE2B 
4354753a5e52393c9cc4569954c2cac6d89a1e204fa4f9ca00a60492782d29f8952fb92664cdbb3576c6443d3cb2eacebea51db584738589f3598b40df579b12
 SHA512 
203470b1cd37bdbfabfec5ef37fc97c991d9943f070c988316f6396b09dae7cea16ac884bd8646dbf7dd1ed40ebde6bdfa5700beee2d714d07c97cc70b4e48d9
 DIST openssl-1.1.1p.tar.gz.asc 488 BLAKE2B 
e68c8a4c992c2448b48428137f61f91fb89e4814f6e80c5525cea695bcf898326eca729f31b953fbd7ff51b448004101ca78abfbd3138ec2389596faa3eafc2f
 SHA512 
c85d65df1ed0f1ae87b799d794ea43e32c8ecaf85caf6e36fbbd4a890ef1d47710380d3846296e0124898680be66113a959ad974e0448bc00d1253794dc48972
+DIST openssl-1.1.1q.tar.gz 9864061 BLAKE2B 
fc8fd6a62dc291d0bda328a051e253175fb04442cc4b8f45d67c3a5027748a0fc5fb372d0483bc9024ae0bff119c4fac8f1e982a182612427696d6d09f5935f5
 SHA512 
cb9f184ec4974a3423ef59c8ec86b6bf523d5b887da2087ae58c217249da3246896fdd6966ee9c13aea9e6306783365239197e9f742c508a0e35e5744e3e085f
+DIST openssl-1.1.1q.tar.gz.asc 833 BLAKE2B 
9311abf47469c3802a84dc9b7427a168ba7717496960e6f84b04e4d9263dea1168493082937a06bcb6ef4169b2ed9b2f36084bbac15b5f7ca5b4c41041c4bab6
 SHA512 
03a41f29d1713c47bb300e01e36dbd048074076a6a3b9913e2fc9a1b56b726c038978f99e86f9a3e4ea39f72bd82a15965842f6d94210fa9d3474f6f0f68559e
 DIST openssl-3.0.2.tar.gz 15038141 BLAKE2B 
140c4c80a0cad89cb0059fef6a4cd421460e6af9a3973f7a3eb5e39f64c0d44794d46e7a869e5235fced139f2249351e37a9ee5ebaa17f2708d63141ebebf919
 SHA512 
f986850d5be908b4d6b5fd7091bc4652d7378c9bccebfbc5becd7753843c04c1eb61a1749c432139d263dfac33df0b1f6c773664b485cad47542266823a4eb03
 DIST openssl-3.0.2.tar.gz.asc 488 BLAKE2B 
2f6482114271c4f512159fa159486a3b3470637d770cd1614fda004918d06ed9ab562e655d1580d2ebb05745ec72987488c2161b72d078017cc157003d4205da
 SHA512 
4303391a58107c76ad9b05510f5bfc95f687f4cb2f9ff5b03fb262ba99b573423ab83f0437471199954496799b343191b889ad9ef8fabdd7ee4ec3ec9b5f1d81
 DIST openssl-3.0.3-test-fixes-expiry.patch.xz 29056 BLAKE2B 
11be776b9c4baec770d81ff180581d7d8292261f32ebfcb2cfd399d684cef1b9e7b4575d906f23e8a61d853eafb178e1b0e01d9324dbe598c876c0ef74bcf5e8
 SHA512 
23bc571dfca453deb4f1812aea5fc1bcf1c27358d8638a66ce7f359a698b09a35bdc86e01db36aa5e59b37cc7e36f0ced6f1463b383fb0d904aada69f5d5cb04

diff --git a/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch 
b/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch
index 8fa03877581f..fc84d82e87da 100644
--- a/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch
+++ b/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch
@@ -1,3 +1,5 @@
+https://github.com/openssl/openssl/pull/18719
+
 From 7f58de577c05ae0bbd20eee9b2971cfa1cd062c8 Mon Sep 17 00:00:00 2001
 From: Gregor Jasny 
 Date: Tue, 5 Jul 2022 12:57:06 +0200

diff --git a/dev-libs/openssl/openssl-1.1.1q.ebuild 
b/dev-libs/openssl/openssl-1.1.1q.ebuild
new file mode 100644
index ..ff51db66bd0d
--- /dev/null
+++ b/dev-libs/openssl/openssl-1.1.1q.ebuild
@@ -0,0 +1,337 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic toolchain-funcs multilib-minimal verify-sig
+
+MY_P=${P/_/-}
+DESCRIPTION="Full-strength general purpose cryptography library (including SSL 
and TLS)"
+HOMEPAGE="https://www.openssl.org/;
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
+   verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
+S="${WORKDIR}/${MY_P}"
+
+LICENSE="openssl"
+SLOT="0/1.1" # .so version of libssl/libcrypto
+if [[ ${PV} != *_pre* ]] ; then
+   KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc 
~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos 
~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris 

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2022-07-05 Thread Mike Gilbert
commit: db6f7217c034a620288ea0ef95227707c3fb55ea
Author: Mike Gilbert  gentoo  org>
AuthorDate: Tue Jul  5 22:13:46 2022 +
Commit: Mike Gilbert  gentoo  org>
CommitDate: Tue Jul  5 22:15:18 2022 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=db6f7217

dev-libs/openssl: add 3.0.5

Signed-off-by: Mike Gilbert  gentoo.org>

 dev-libs/openssl/Manifest  |   2 +
 .../openssl/files/openssl-3.0.5-test-memcmp.patch  |  22 ++
 dev-libs/openssl/openssl-3.0.5.ebuild  | 325 +
 3 files changed, 349 insertions(+)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 86edfb8addcb..d85b9ffd72e4 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -15,3 +15,5 @@ DIST openssl-3.0.3.tar.gz 15058905 BLAKE2B 
8141d13dbea2f1febdd4e46aa404e9f3bac51
 DIST openssl-3.0.3.tar.gz.asc 488 BLAKE2B 
3f31e3a73706b69683220e05b1b4ddc75dc3e7e12652dca711e4aa0eb3c023ef736aee9ade15172d7f28e1e1af03e86d4854ec6c3d167cad42882f483c5e56d4
 SHA512 
04afe65c6af1ae43a9967462383a6a4f567f5acff19ec1952cd6fce2dc3c3d4dfb3cb54126562724c148f40dcb8abf727282d35730bbf36f82b5c6bacace
 DIST openssl-3.0.4.tar.gz 15069605 BLAKE2B 
e8ef09d74aa128fee0ddc347458a41cde65af07a6e6836889a0230cd7989e46b5d10a4930eb7a63c0cf93485914ec33665d14637b6c27fd442c0e9becb2d2a86
 SHA512 
478cd801dc4787688e6d9062969ae738c24f869bb186f717ad3be54ae8f2630e5cd845c504efd3405ea1ecda07ebee00014cc6ef7bca9585a6240cf89d516557
 DIST openssl-3.0.4.tar.gz.asc 488 BLAKE2B 
54f652ae78c6f39aef970fd7372808c876d37a823cc31431d770db67caf11342d1045992e393242d4c73253e4e16640dd9bd56203864394e907976918909e5dc
 SHA512 
c30af3cda92b06cff864ed33c17d8dcb8c7d429ed8419f96d19d3049dfaa268c73ec7753815a134b069ae7f4ea20fb4bcdd04f86d33628592ce4500777494c85
+DIST openssl-3.0.5.tar.gz 15074407 BLAKE2B 
7bf89e042417c003ef02a8bb1278590a52ce4a3d50f66795c66b750f90248840edb0d3352811cff708c7e65b77384142e316916a6c311f1d2b4747f44816
 SHA512 
782b0df3d0252468aa696bd74a3b661810499819c0df849aa9698ba0e06a845820dc856aac650fced4be234f1271e576d4317ac3ab1406cf0ffe087d695d20fe
+DIST openssl-3.0.5.tar.gz.asc 862 BLAKE2B 
24f1839227be7acec45eb6b748cea7be0b5e66b5cf745814861f7290670733936bf1af2c1dc9357439b31a2ca28f418880d63726d4be6fa994902ac95b51e401
 SHA512 
516da9ef291601400576adaba7271854af3caa23dc1d70116004360f580e4c28fe61d51e86477d341e4c5bf0ca5f98db8264581ed6cc2c8df124da83ad3e40be

diff --git a/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch 
b/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch
new file mode 100644
index ..8fa03877581f
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch
@@ -0,0 +1,22 @@
+From 7f58de577c05ae0bbd20eee9b2971cfa1cd062c8 Mon Sep 17 00:00:00 2001
+From: Gregor Jasny 
+Date: Tue, 5 Jul 2022 12:57:06 +0200
+Subject: [PATCH] Add missing header for memcmp
+
+CLA: trivial
+---
+ test/v3ext.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/test/v3ext.c b/test/v3ext.c
+index 926f3884b138..a8ab64b2714b 100644
+--- a/test/v3ext.c
 b/test/v3ext.c
+@@ -8,6 +8,7 @@
+  */
+ 
+ #include 
++#include 
+ #include 
+ #include 
+ #include 

diff --git a/dev-libs/openssl/openssl-3.0.5.ebuild 
b/dev-libs/openssl/openssl-3.0.5.ebuild
new file mode 100644
index ..56af5a262265
--- /dev/null
+++ b/dev-libs/openssl/openssl-3.0.5.ebuild
@@ -0,0 +1,325 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic linux-info toolchain-funcs multilib-minimal 
multiprocessing verify-sig
+
+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer 
Security (TLS)"
+HOMEPAGE="https://www.openssl.org/;
+
+MY_P=${P/_/-}
+
+if [[ ${PV} ==  ]] ; then
+   EGIT_REPO_URI="https://github.com/openssl/openssl.git;
+
+   inherit git-r3
+else
+   SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
+   verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
+   KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 
~riscv ~s390 ~sparc ~x86 ~x86-linux"
+fi
+
+S="${WORKDIR}"/${MY_P}
+
+LICENSE="Apache-2.0"
+SLOT="0/3" # .so version of libssl/libcrypto
+IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test 
tls-compression vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+   >=app-misc/c_rehash-1.7-r1
+   tls-compression? ( 
>=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+"
+BDEPEND="
+   >=dev-lang/perl-5
+   sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+   test? (
+   sys-apps/diffutils
+   sys-devel/bc
+   sys-process/procps
+   )
+   verify-sig? ( sec-keys/openpgp-keys-openssl )"
+
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+PDEPEND="app-misc/ca-certificates"
+

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/, profiles/

2022-06-30 Thread Sam James
commit: 82e7edabadc776d7b123ee7bfd65a78a892eae47
Author: Sam James  gentoo  org>
AuthorDate: Thu Jun 30 19:31:38 2022 +
Commit: Sam James  gentoo  org>
CommitDate: Thu Jun 30 19:32:45 2022 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=82e7edab

dev-libs/openssl: backport AVX512 overflow fix

Bug: https://github.com/openssl/openssl/issues/18625
Signed-off-by: Sam James  gentoo.org>

 .../files/openssl-1.1.1p-fix-test-build.patch  |  6 
 .../openssl-3.0.4-avx512-buffer-overflow.patch | 34 ++
 ...ld.patch => openssl-3.0.4-fix-test-build.patch} |  0
 ...penssl-3.0.4.ebuild => openssl-3.0.4-r1.ebuild} |  7 +++--
 profiles/package.mask  |  7 -
 5 files changed, 45 insertions(+), 9 deletions(-)

diff --git a/dev-libs/openssl/files/openssl-1.1.1p-fix-test-build.patch 
b/dev-libs/openssl/files/openssl-1.1.1p-fix-test-build.patch
index f96e54f3127e..5dca6926dd8f 100644
--- a/dev-libs/openssl/files/openssl-1.1.1p-fix-test-build.patch
+++ b/dev-libs/openssl/files/openssl-1.1.1p-fix-test-build.patch
@@ -16,6 +16,12 @@ Reviewed-by: Paul Dale 
 (Merged from https://github.com/openssl/openssl/pull/18634)
 
 (cherry picked from commit b76efe61ea9710a8f69e1cb8caf1aeb2ba6f1ebe)
+---
+ test/v3ext.c | 4 
+ 1 file changed, 4 insertions(+)
+
+diff --git a/test/v3ext.c b/test/v3ext.c
+index e96b6f79b58f..a2adb1a9f0ef 100644
 --- a/test/v3ext.c
 +++ b/test/v3ext.c
 @@ -37,6 +37,7 @@ static int test_pathlen(void)

diff --git a/dev-libs/openssl/files/openssl-3.0.4-avx512-buffer-overflow.patch 
b/dev-libs/openssl/files/openssl-3.0.4-avx512-buffer-overflow.patch
new file mode 100644
index ..c72e958ff535
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.0.4-avx512-buffer-overflow.patch
@@ -0,0 +1,34 @@
+https://github.com/openssl/openssl/commit/a1f7034bbd8f0730d360211f5ba0feeaef0b7b2c
+https://github.com/openssl/openssl/issues/18625
+
+From a1f7034bbd8f0730d360211f5ba0feeaef0b7b2c Mon Sep 17 00:00:00 2001
+From: Xi Ruoyao 
+Date: Wed, 22 Jun 2022 18:07:05 +0800
+Subject: [PATCH] rsa: fix bn_reduce_once_in_place call for
+ rsaz_mod_exp_avx512_x2
+
+bn_reduce_once_in_place expects the number of BN_ULONG, but factor_size
+is moduli bit size.
+
+Fixes #18625.
+
+Signed-off-by: Xi Ruoyao 
+
+Reviewed-by: Tomas Mraz 
+Reviewed-by: Paul Dale 
+(Merged from https://github.com/openssl/openssl/pull/18626)
+
+(cherry picked from commit 4d8a88c134df634ba610ff8db1eb8478ac5fd345)
+--- a/crypto/bn/rsaz_exp_x2.c
 b/crypto/bn/rsaz_exp_x2.c
+@@ -220,6 +220,9 @@ int ossl_rsaz_mod_exp_avx512_x2(BN_ULONG *res1,
+ from_words52(res1, factor_size, rr1_red);
+ from_words52(res2, factor_size, rr2_red);
+ 
++/* bn_reduce_once_in_place expects number of BN_ULONG, not bit size */
++factor_size /= sizeof(BN_ULONG) * 8;
++
+ bn_reduce_once_in_place(res1, /*carry=*/0, m1, storage, factor_size);
+ bn_reduce_once_in_place(res2, /*carry=*/0, m2, storage, factor_size);
+ 
+
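Review bot: The added `factor_size /= sizeof(BN_ULONG) * 8;` makes one variable carry two units: above this line it is a bit size (passed to from_words52), below it is a BN_ULONG count. ossl_rsaz_mod_exp_avx512_x2 continues outside the hunk, so any later read of `factor_size` would get the word count with nothing at the use site to signal it, which is the same unit confusion the patch description blames for the overflow. A separate local keeps the two apart, e.g. `num_words = factor_size / (sizeof(BN_ULONG) * 8);` (declared with factor_size's type, which the hunk does not show) and passed to both bn_reduce_once_in_place calls. The division also truncates silently if the bit size is not a multiple of the word width; presumably callers only pass such sizes, but that is not visible here.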

diff --git a/dev-libs/openssl/files/openssl-1.1.1p-fix-test-build.patch 
b/dev-libs/openssl/files/openssl-3.0.4-fix-test-build.patch
similarity index 100%
copy from dev-libs/openssl/files/openssl-1.1.1p-fix-test-build.patch
copy to dev-libs/openssl/files/openssl-3.0.4-fix-test-build.patch

diff --git a/dev-libs/openssl/openssl-3.0.4.ebuild 
b/dev-libs/openssl/openssl-3.0.4-r1.ebuild
similarity index 98%
rename from dev-libs/openssl/openssl-3.0.4.ebuild
rename to dev-libs/openssl/openssl-3.0.4-r1.ebuild
index ede15424a910..f4951da01454 100644
--- a/dev-libs/openssl/openssl-3.0.4.ebuild
+++ b/dev-libs/openssl/openssl-3.0.4-r1.ebuild
@@ -46,12 +46,15 @@ DEPEND="${COMMON_DEPEND}"
 RDEPEND="${COMMON_DEPEND}"
 PDEPEND="app-misc/ca-certificates"
 
-REQUIRED_USE="test? ( rfc3779 )"
-
 MULTILIB_WRAPPED_HEADERS=(
/usr/include/openssl/configuration.h
 )
 
+PATCHES=(
+   "${FILESDIR}"/${P}-avx512-buffer-overflow.patch
+   "${FILESDIR}"/${P}-fix-test-build.patch
+)
+
 pkg_setup() {
if use ktls ; then
if kernel_is -lt 4 18 ; then

diff --git a/profiles/package.mask b/profiles/package.mask
index e9663afb0ce2..4c5d63309305 100644
--- a/profiles/package.mask
+++ b/profiles/package.mask
@@ -44,13 +44,6 @@
 # as deprecated since March 2022. Removal in 30 days (Bug #855299).
 gnome-extra/gtkhtml
 
-# Sam James  (2022-06-29)
-# Pre-emptively mask broken upstream versions.
-# openssl 3.0.4 has a buffer overflow w/ AVX512 
(https://github.com/openssl/openssl/issues/18625)
-# Gentoo isn't vulnerable to the original CVE which caused these releases
-# (CVE-2022-2068) as we have our own rehash script.
-=dev-libs/openssl-3.0.4
-
 # Piotr Karbowski  (2022-06-26)
 # Abandoned upstream, depends on API that no longer exists.
 # Removal on 2022-07-26.



[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/

2022-04-25 Thread WANG Xuerui
commit: 41b5bf45a83c26b663aa9ea9c4e290e5ee018622
Author: WANG Xuerui  gentoo  org>
AuthorDate: Mon Apr 25 04:16:06 2022 +
Commit: WANG Xuerui  gentoo  org>
CommitDate: Mon Apr 25 10:11:17 2022 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=41b5bf45

dev-libs/openssl: fix build on loong

Just treat loongarch64 targets as generic64 for now.

This has been inside loongson-overlay for a while, and is tested on real
loong hardware.

See: https://github.com/gentoo/gentoo/pull/25189
Acked-by: Andreas K. Hüttel  gentoo.org>
Signed-off-by: WANG Xuerui  gentoo.org>

 dev-libs/openssl/files/gentoo.config-1.0.2 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dev-libs/openssl/files/gentoo.config-1.0.2 
b/dev-libs/openssl/files/gentoo.config-1.0.2
index 68d7d0ac1fc1..caa569588f3c 100644
--- a/dev-libs/openssl/files/gentoo.config-1.0.2
+++ b/dev-libs/openssl/files/gentoo.config-1.0.2
@@ -97,6 +97,7 @@ linux)
i[0-9]86*|\
x86_64*:x86)  machine=elf;;
ia64*)machine=ia64;;
+   loongarch64*) machine="generic64 -DL_ENDIAN";;
m68*) machine="generic32 -DB_ENDIAN";;
mips*el*) machine="generic32 -DL_ENDIAN";;
mips*)machine="generic32 -DB_ENDIAN";;



[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/

2021-02-12 Thread Conrad Kostecki
commit: 999c48f939670b8b499ddad74492db20e44b0c91
Author: Michael Mair-Keimberger  levelnine  at>
AuthorDate: Fri Feb 12 13:55:14 2021 +
Commit: Conrad Kostecki  gentoo  org>
CommitDate: Fri Feb 12 22:35:46 2021 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=999c48f9

dev-libs/openssl: remove unused patch

Closes: https://github.com/gentoo/gentoo/pull/19426
Package-Manager: Portage-3.0.14, Repoman-3.0.2
Signed-off-by: Michael Mair-Keimberger  levelnine.at>
Signed-off-by: Conrad Kostecki  gentoo.org>

 .../openssl/files/openssl-1.0.2a-x32-asm.patch | 43 --
 1 file changed, 43 deletions(-)

diff --git a/dev-libs/openssl/files/openssl-1.0.2a-x32-asm.patch 
b/dev-libs/openssl/files/openssl-1.0.2a-x32-asm.patch
deleted file mode 100644
index 3a005c9b099..000
--- a/dev-libs/openssl/files/openssl-1.0.2a-x32-asm.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-https://rt.openssl.org/Ticket/Display.html?id=3759=guest=guest
-
-From 6257d59b3a68d2feb9d64317a1c556dc3813ee61 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger 
-Date: Sat, 21 Mar 2015 06:01:25 -0400
-Subject: [PATCH] crypto: use bigint in x86-64 perl
-
-When building on x32 systems where the default type is 32bit, make sure
-we can transparently represent 64bit integers.  Otherwise we end up with
-build errors like:
-/usr/bin/perl asm/ghash-x86_64.pl elf > ghash-x86_64.s
-Integer overflow in hexadecimal number at asm/../../perlasm/x86_64-xlate.pl 
line 201, <> line 890.
-...
-ghash-x86_64.s: Assembler messages:
-ghash-x86_64.s:890: Error: junk '.15473355479995e+19' after expression
-
-We don't enable this globally as there are some cases where we'd get
-32bit values interpreted as unsigned when we need them as signed.
-
-Reported-by: Bertrand Jacquin 
-URL: https://bugs.gentoo.org/542618

- crypto/perlasm/x86_64-xlate.pl | 4 
- 1 file changed, 4 insertions(+)
-
-diff --git a/crypto/perlasm/x86_64-xlate.pl b/crypto/perlasm/x86_64-xlate.pl
-index aae8288..0bf9774 100755
 a/crypto/perlasm/x86_64-xlate.pl
-+++ b/crypto/perlasm/x86_64-xlate.pl
-@@ -195,6 +195,10 @@ my %globals;
- sub out {
-   my $self = shift;
- 
-+  # When building on x32 ABIs, the expanded hex value might be too
-+  # big to fit into 32bits.  Enable transparent 64bit support here
-+  # so we can safely print it out.
-+  use bigint;
-   if ($gas) {
-   # Solaris /usr/ccs/bin/as can't handle multiplications
-   # in $self->{value}
--- 
-2.3.3
-



[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/

2020-12-17 Thread Andreas K. Hüttel
commit: 887a6ba925e78adef8449a7c8ea6de68278f31b2
Author: Andreas K. Hüttel  gentoo  org>
AuthorDate: Thu Dec 17 14:10:25 2020 +
Commit: Andreas K. Hüttel  gentoo  org>
CommitDate: Thu Dec 17 14:10:52 2020 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=887a6ba9

dev-libs/openssl: Handle riscv32

Package-Manager: Portage-3.0.9, Repoman-3.0.2
Signed-off-by: Andreas K. Hüttel  gentoo.org>

 dev-libs/openssl/files/gentoo.config-1.0.2 | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/dev-libs/openssl/files/gentoo.config-1.0.2 
b/dev-libs/openssl/files/gentoo.config-1.0.2
index 4e88dbabf13..68d7d0ac1fc 100644
--- a/dev-libs/openssl/files/gentoo.config-1.0.2
+++ b/dev-libs/openssl/files/gentoo.config-1.0.2
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# Copyright 1999-2018 Gentoo Foundation
+# Copyright 1999-2020 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 #
 # Openssl doesn't play along nicely with cross-compiling
@@ -104,6 +104,7 @@ linux)
powerpc64*)   machine=ppc64;;
powerpc*le*)  machine="generic32 -DL_ENDIAN";;
powerpc*) machine=ppc;;
+   riscv32*) machine="generic32 -DL_ENDIAN";;
riscv64*) machine="generic64 -DL_ENDIAN";;
#   sh64*)machine=elf;;
sh*b*)machine="generic32 -DB_ENDIAN";;



[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2020-06-04 Thread Thomas Deutschmann
commit: 9bce053e42181beb3ae28cc8585516202954a248
Author: Thomas Deutschmann  gentoo  org>
AuthorDate: Thu Jun  4 17:53:01 2020 +
Commit: Thomas Deutschmann  gentoo  org>
CommitDate: Thu Jun  4 17:53:01 2020 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9bce053e

dev-libs/openssl: security cleanup

Bug: https://bugs.gentoo.org/717442
Package-Manager: Portage-2.3.100, Repoman-2.3.22
Signed-off-by: Thomas Deutschmann  gentoo.org>

 dev-libs/openssl/Manifest  |   3 -
 ...sl-1.1.1d-config-Drop-linux-alpha-gcc-bwx.patch |  42 ---
 ...x-potential-memleaks-w-BN_to_ASN1_INTEGER.patch | 107 ---
 .../openssl/files/openssl-1.1.1d-fix-zlib.patch|  52 
 ...stitched-AES-CBC-HMAC-SHA-implementations.patch |  62 
 dev-libs/openssl/openssl-1.1.1d-r3.ebuild  | 328 -
 dev-libs/openssl/openssl-1.1.1f.ebuild | 324 
 7 files changed, 918 deletions(-)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 2d626cc93bd..0153ae0ad1c 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -3,8 +3,5 @@ DIST openssl-1.0.2t-bindist-1.0.tar.xz 13872 BLAKE2B 
b2aade96a6e0ca6209a39e205b1
 DIST openssl-1.0.2u.tar.gz 5355412 BLAKE2B 
b2ff2a10e5851af5aca4093422a9a072c794e87b997263826c1c35910c040f695fac63decac5856cb49399ed03d410f97701d9fd4e1ebfbcacd8f3a74ce8bf57
 SHA512 
c455bb309e20e2c2d47fdc5619c734d107d5c8c38c1409903ce979acc120b0d5fa0312917c0aa0d630e402d092a703d4249643f36078e8528a3cafc9dac6ab32
 DIST openssl-1.1.0l-bindist-1.0.tar.xz 13184 BLAKE2B 
c09e023458faff17b10d6f20c28462c0851757a20d59b4b751220ab307324d5778252df112ad74fd319407cc75fdd1cd507d48058dd0234dc8c03020c882ed42
 SHA512 
39720ecee3ec6080c1416f2fb7c9246b89ee55b21be2baabad51eb6823dbe1559450b1ae92fa61ac1cf5ba04ac8c02438aa469bc65eae6905cf1ea486f270793
 DIST openssl-1.1.0l.tar.gz 5294857 BLAKE2B 
0e4f30f9e8a22414325bd780dc4e875e962487fbe72967f0392ace959955429192541881a98d097d7bb75ed7238b1817b0c3c2c4da04421512bd538f2b07cdd7
 SHA512 
81b74149f40ea7d9f7e235820a4f977844653ad1e2b302e65e712c12193f47542fe7e3385fd1e25e3dd074e4e6d04199836cbc492656f5a7692edab5e234f4ad
-DIST openssl-1.1.1d-bindist-1.0.tar.xz 13180 BLAKE2B 
680bd7400d3dd3930067ee7efa9718b74b30afa9be2397ad80f88031920806b6603b6469beede02b6e7a742abf5f82ebdd7c9b8e69c1ffe223e4860dc9581128
 SHA512 
9e4296326852010d5cebc204d1a34a34198d8d65460bc91a2bd37c80be892a5ae519513e4b0109e6b51b6faab0e171ef6cdae868868c158711558d147083c06f
-DIST openssl-1.1.1d.tar.gz 8845861 BLAKE2B 
d3155f07b487ebd8dd4fe25396c874f9af18b5cfd7e622298d29c4f2c8ce14ad4534609d321314a4bcd0d44414e1306190340daaacd3c8fca061c04498446244
 SHA512 
2bc9f528c27fe644308eb7603c992bac8740e9f0c3601a130af30c9ffebbf7e0f5c28b76a00bbb478bad40fbe89b4223a58d604001e1713da71ff4b7fe6a08a7
 DIST openssl-1.1.1e-bindist-1.0.tar.xz 16948 BLAKE2B 
78e034f1d263cbf5e57c92393f72acd07e86e39a5511a8852bad151371430954e07d787fd82cca55b373d1579bb22b9d29c9d677104ed68291a9d2dffe3ffbbb
 SHA512 
0dbfb378b8f2724db82915e17fd4e43977e3e45030db25cdb9241c0ab842e41ef3d597ef71c4db5103635752dc2059ea6022597511a440f55fb56a5a52d3ccea
-DIST openssl-1.1.1f.tar.gz 9792828 BLAKE2B 
eba30dd12772cd714666ed8e5371e068623d8bfd4ff45863d10e82c65551654508a27f22f7ef1edadb543ab56f3c4c40ac3bcad665c667eb06ee90c69b24782e
 SHA512 
b00bd9b5ad5298fbceeec6bb19c1ab0c106ca5cfb31178497c58bf7e0e0cf30fcc19c20f84e23af31cc126bf2447d3e4f8461db97bafa7bd78f69561932f000c
 DIST openssl-1.1.1g.tar.gz 9801502 BLAKE2B 
5e3dd4725ff89b959a5436d64b521317c6ffeb377418cc24c6d1927fab923423cb5f5fce2f9c2cdee597041c7be156d09668a5fd13dc6ff06d235a83db94cf19
 SHA512 
01e3d0b1bceeed8fb066f542ef5480862001556e0f612e017442330bbd7e5faee228b2de3513d7fc347446b7f217e27de1003dc9d7214d5833b97593f3ec25ab

diff --git 
a/dev-libs/openssl/files/openssl-1.1.1d-config-Drop-linux-alpha-gcc-bwx.patch 
b/dev-libs/openssl/files/openssl-1.1.1d-config-Drop-linux-alpha-gcc-bwx.patch
deleted file mode 100644
index 3771684b251..000
--- 
a/dev-libs/openssl/files/openssl-1.1.1d-config-Drop-linux-alpha-gcc-bwx.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 19ded1a717b6c72c3db241f06787a353f1190755 Mon Sep 17 00:00:00 2001
-From: Matt Turner 
-Date: Tue, 18 Feb 2020 10:08:27 -0800
-Subject: [PATCH] config: Drop linux-alpha-gcc+bwx
-
-Its entry in Configuration/10-main.conf was dropped in commit
-7ead0c89185c ("Configure: fold related configurations more aggressively
-and clean-up.") probably because all but one of its bn_ops were removed
-(RC4_CHAR remained). Benchmarks on an Alpha EV7 indicate that RC4_INT is
-better than RC4_CHAR so rather than restoring the configuation, remove
-it from config.
-
-CLA: trivial
-Bug: https://bugs.gentoo.org/697840
-
-Reviewed-by: Paul Dale 
-Reviewed-by: Matt Caswell 
-Reviewed-by: Richard Levitte 
-(Merged from https://github.com/openssl/openssl/pull/11130)

- config | 5 +
- 1 file changed, 1 insertion(+), 4 deletions(-)
-
-diff --git a/config b/config
-index 

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/

2020-04-02 Thread Mike Gilbert
commit: 3bbd887ff1dde5c69e81d6985e4d02c1eddb793b
Author: Mike Gilbert  gentoo  org>
AuthorDate: Thu Apr  2 14:55:31 2020 +
Commit: Mike Gilbert  gentoo  org>
CommitDate: Thu Apr  2 14:55:31 2020 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3bbd887f

dev-libs/openssl: handle riscv64

Closes: https://bugs.gentoo.org/715908
Signed-off-by: Mike Gilbert  gentoo.org>

 dev-libs/openssl/files/gentoo.config-1.0.2 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dev-libs/openssl/files/gentoo.config-1.0.2 
b/dev-libs/openssl/files/gentoo.config-1.0.2
index d16175e6292..4e88dbabf13 100644
--- a/dev-libs/openssl/files/gentoo.config-1.0.2
+++ b/dev-libs/openssl/files/gentoo.config-1.0.2
@@ -104,6 +104,7 @@ linux)
powerpc64*)   machine=ppc64;;
powerpc*le*)  machine="generic32 -DL_ENDIAN";;
powerpc*) machine=ppc;;
+   riscv64*) machine="generic64 -DL_ENDIAN";;
#   sh64*)machine=elf;;
sh*b*)machine="generic32 -DB_ENDIAN";;
sh*)  machine="generic32 -DL_ENDIAN";;



[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2020-02-25 Thread Matt Turner
commit: e3dec9bf2da04ace6b2e999ff779d117beb65e6e
Author: Matt Turner  gentoo  org>
AuthorDate: Tue Feb 25 22:37:15 2020 +
Commit: Matt Turner  gentoo  org>
CommitDate: Tue Feb 25 22:40:42 2020 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e3dec9bf

dev-libs/openssl: Fix the build on alpha

Closes: https://bugs.gentoo.org/697840
Signed-off-by: Matt Turner  gentoo.org>

 ...sl-1.1.1d-config-Drop-linux-alpha-gcc-bwx.patch | 42 ++
 dev-libs/openssl/openssl-1.1.1d-r3.ebuild  |  1 +
 2 files changed, 43 insertions(+)

diff --git 
a/dev-libs/openssl/files/openssl-1.1.1d-config-Drop-linux-alpha-gcc-bwx.patch 
b/dev-libs/openssl/files/openssl-1.1.1d-config-Drop-linux-alpha-gcc-bwx.patch
new file mode 100644
index 000..3771684b251
--- /dev/null
+++ 
b/dev-libs/openssl/files/openssl-1.1.1d-config-Drop-linux-alpha-gcc-bwx.patch
@@ -0,0 +1,42 @@
+From 19ded1a717b6c72c3db241f06787a353f1190755 Mon Sep 17 00:00:00 2001
+From: Matt Turner 
+Date: Tue, 18 Feb 2020 10:08:27 -0800
+Subject: [PATCH] config: Drop linux-alpha-gcc+bwx
+
+Its entry in Configuration/10-main.conf was dropped in commit
+7ead0c89185c ("Configure: fold related configurations more aggressively
+and clean-up.") probably because all but one of its bn_ops were removed
+(RC4_CHAR remained). Benchmarks on an Alpha EV7 indicate that RC4_INT is
+better than RC4_CHAR so rather than restoring the configuation, remove
+it from config.
+
+CLA: trivial
+Bug: https://bugs.gentoo.org/697840
+
+Reviewed-by: Paul Dale 
+Reviewed-by: Matt Caswell 
+Reviewed-by: Richard Levitte 
+(Merged from https://github.com/openssl/openssl/pull/11130)
+---
+ config | 5 +
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/config b/config
+index 2213969f90..e39481ca2a 100755
+--- a/config
 b/config
+@@ -498,10 +498,7 @@ case "$GUESSOS" in
+   OUT="ios64-cross" ;;
+   alpha-*-linux2)
+ ISA=`awk '/cpu model/{print$4;exit(0);}' /proc/cpuinfo`
+-  case ${ISA:-generic} in
+-  *[678]) OUT="linux-alpha+bwx-$CC" ;;
+-  *)  OUT="linux-alpha-$CC" ;;
+-  esac
++  OUT="linux-alpha-$CC"
+   if [ "$CC" = "gcc" ]; then
+   case ${ISA:-generic} in
+   EV5|EV45)   __CNF_CFLAGS="$__CNF_CFLAGS -mcpu=ev5"
+-- 
+2.24.1
+

diff --git a/dev-libs/openssl/openssl-1.1.1d-r3.ebuild 
b/dev-libs/openssl/openssl-1.1.1d-r3.ebuild
index 8800d05fac7..97a1002fac7 100644
--- a/dev-libs/openssl/openssl-1.1.1d-r3.ebuild
+++ b/dev-libs/openssl/openssl-1.1.1d-r3.ebuild
@@ -50,6 +50,7 @@ PATCHES=(
"${FILESDIR}"/${P}-fix-zlib.patch
"${FILESDIR}"/${P}-fix-potential-memleaks-w-BN_to_ASN1_INTEGER.patch

"${FILESDIR}"/${P}-reenable-the-stitched-AES-CBC-HMAC-SHA-implementations.patch
+   "${FILESDIR}"/${P}-config-Drop-linux-alpha-gcc-bwx.patch
 )
 
 S="${WORKDIR}/${MY_P}"



[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/

2019-11-23 Thread Aaron Bauman
commit: addd7f2abcabc67e4fd244d6374dd6945c10713d
Author: Michael Mair-Keimberger  gmail  com>
AuthorDate: Fri Nov 22 08:17:48 2019 +
Commit: Aaron Bauman  gentoo  org>
CommitDate: Sun Nov 24 00:40:20 2019 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=addd7f2a

dev-libs/openssl: remove unused patch

Signed-off-by: Michael Mair-Keimberger  gmail.com>
Signed-off-by: Aaron Bauman  gentoo.org>

 .../openssl/files/openssl-1.0.2p-hobble-ecc.patch  | 283 -
 1 file changed, 283 deletions(-)

diff --git a/dev-libs/openssl/files/openssl-1.0.2p-hobble-ecc.patch 
b/dev-libs/openssl/files/openssl-1.0.2p-hobble-ecc.patch
deleted file mode 100644
index 3a458a78360..000
--- a/dev-libs/openssl/files/openssl-1.0.2p-hobble-ecc.patch
+++ /dev/null
@@ -1,283 +0,0 @@
-Port of Fedora's Hobble-EC patches for OpenSSL 1.0 series.
-
-From https://src.fedoraproject.org/git/rpms/openssl.git
-
-Contains parts of the following patches, rediffed. The patches are on various
-different branches.
-f23 openssl-1.0.2c-ecc-suiteb.patch
-f23 openssl-1.0.2a-fips-ec.patch
-f28 openssl-1.1.0-ec-curves.patch
-
-Signed-off-By: Robin H. Johnson 
-
 a/apps/speed.c
-+++ b/apps/speed.c
-@@ -989,10 +989,7 @@ int MAIN(int argc, char **argv)
- } else
- # endif
- # ifndef OPENSSL_NO_ECDSA
--if (strcmp(*argv, "ecdsap160") == 0)
--ecdsa_doit[R_EC_P160] = 2;
--else if (strcmp(*argv, "ecdsap192") == 0)
--ecdsa_doit[R_EC_P192] = 2;
-+  if (0) {}
- else if (strcmp(*argv, "ecdsap224") == 0)
- ecdsa_doit[R_EC_P224] = 2;
- else if (strcmp(*argv, "ecdsap256") == 0)
-@@ -1001,36 +998,13 @@ int MAIN(int argc, char **argv)
- ecdsa_doit[R_EC_P384] = 2;
- else if (strcmp(*argv, "ecdsap521") == 0)
- ecdsa_doit[R_EC_P521] = 2;
--else if (strcmp(*argv, "ecdsak163") == 0)
--ecdsa_doit[R_EC_K163] = 2;
--else if (strcmp(*argv, "ecdsak233") == 0)
--ecdsa_doit[R_EC_K233] = 2;
--else if (strcmp(*argv, "ecdsak283") == 0)
--ecdsa_doit[R_EC_K283] = 2;
--else if (strcmp(*argv, "ecdsak409") == 0)
--ecdsa_doit[R_EC_K409] = 2;
--else if (strcmp(*argv, "ecdsak571") == 0)
--ecdsa_doit[R_EC_K571] = 2;
--else if (strcmp(*argv, "ecdsab163") == 0)
--ecdsa_doit[R_EC_B163] = 2;
--else if (strcmp(*argv, "ecdsab233") == 0)
--ecdsa_doit[R_EC_B233] = 2;
--else if (strcmp(*argv, "ecdsab283") == 0)
--ecdsa_doit[R_EC_B283] = 2;
--else if (strcmp(*argv, "ecdsab409") == 0)
--ecdsa_doit[R_EC_B409] = 2;
--else if (strcmp(*argv, "ecdsab571") == 0)
--ecdsa_doit[R_EC_B571] = 2;
- else if (strcmp(*argv, "ecdsa") == 0) {
--for (i = 0; i < EC_NUM; i++)
-+for (i = R_EC_P224; i < R_EC_P521; i++)
- ecdsa_doit[i] = 1;
- } else
- # endif
- # ifndef OPENSSL_NO_ECDH
--if (strcmp(*argv, "ecdhp160") == 0)
--ecdh_doit[R_EC_P160] = 2;
--else if (strcmp(*argv, "ecdhp192") == 0)
--ecdh_doit[R_EC_P192] = 2;
-+  if (0) {}
- else if (strcmp(*argv, "ecdhp224") == 0)
- ecdh_doit[R_EC_P224] = 2;
- else if (strcmp(*argv, "ecdhp256") == 0)
-@@ -1039,28 +1013,8 @@ int MAIN(int argc, char **argv)
- ecdh_doit[R_EC_P384] = 2;
- else if (strcmp(*argv, "ecdhp521") == 0)
- ecdh_doit[R_EC_P521] = 2;
--else if (strcmp(*argv, "ecdhk163") == 0)
--ecdh_doit[R_EC_K163] = 2;
--else if (strcmp(*argv, "ecdhk233") == 0)
--ecdh_doit[R_EC_K233] = 2;
--else if (strcmp(*argv, "ecdhk283") == 0)
--ecdh_doit[R_EC_K283] = 2;
--else if (strcmp(*argv, "ecdhk409") == 0)
--ecdh_doit[R_EC_K409] = 2;
--else if (strcmp(*argv, "ecdhk571") == 0)
--ecdh_doit[R_EC_K571] = 2;
--else if (strcmp(*argv, "ecdhb163") == 0)
--ecdh_doit[R_EC_B163] = 2;
--else if (strcmp(*argv, "ecdhb233") == 0)
--ecdh_doit[R_EC_B233] = 2;
--else if (strcmp(*argv, "ecdhb283") == 0)
--ecdh_doit[R_EC_B283] = 2;
--else if (strcmp(*argv, "ecdhb409") == 0)
--ecdh_doit[R_EC_B409] = 2;
--else if (strcmp(*argv, "ecdhb571") == 0)
--ecdh_doit[R_EC_B571] = 2;
- else if (strcmp(*argv, "ecdh") == 0) {
--for (i = 0; i < EC_NUM; i++)
-+  for (i = R_EC_P224; i <= R_EC_P521; i++)
- ecdh_doit[i] = 1;
- } else
- # endif
-@@ -1149,21 +1103,13 @@ int MAIN(int argc, char **argv)
- BIO_printf(bio_err, "dsa512   dsa1024  dsa2048\n");
- # endif
- # ifndef OPENSSL_NO_ECDSA
--BIO_printf(bio_err, "ecdsap160 ecdsap192 ecdsap224 "
-+BIO_printf(bio_err, "ecdsap224 "
-"ecdsap256 

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2019-09-11 Thread Thomas Deutschmann
commit: 4019a4b1ce71d416d04cafcb76d6be4719e8ecbd
Author: Thomas Deutschmann  gentoo  org>
AuthorDate: Wed Sep 11 23:19:30 2019 +
Commit: Thomas Deutschmann  gentoo  org>
CommitDate: Wed Sep 11 23:29:57 2019 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4019a4b1

dev-libs/openssl: bump to v1.1.0l

Package-Manager: Portage-2.3.75, Repoman-2.3.17
Signed-off-by: Thomas Deutschmann  gentoo.org>

 dev-libs/openssl/Manifest  |   2 +
 .../openssl-1.1.0l-fix-no-ec2m-in-ec_curve.c.patch |  30 ++
 dev-libs/openssl/openssl-1.1.0l.ebuild | 305 +
 3 files changed, 337 insertions(+)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index c6474b63d35..fd03dd1eb9b 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -9,6 +9,8 @@ DIST openssl-1.0.2s_ectest.c 30735 BLAKE2B 
95333a27f1cf0a4305a3cee7f6d46b9d46735
 DIST openssl-1.0.2s_hobble-openssl 1302 BLAKE2B 
647caa6a0f4c53a2e77baa3b8e5961eaef3bb0ff38e7d5475eab8deef3439f7fe49028ec9ed0406f3453870b62cac67c496b3a048ee4c9ff4c6866d520235960
 SHA512 
3d757a4708e74a03dd5cb9b8114dfe442ed9520739a6eca693be4c4265771696f1449ea06d1c9bcfc6e94fc9b0dd0c10e153f1c3b0334831c0550b36cd63326e
 DIST openssl-1.1.0k-bindist-1.0.tar.xz 11716 BLAKE2B 
c491ba0899c44dbcc63f85b255548c439c965a20a04ac2a6324a4122c4691b7c95ec18e62be6d708a7ea62ea197d32e5091987cb5043969878f89e5bc26243d4
 SHA512 
1d5bc9d7b24cf55d32d996e2421d43a1218b605720293f00d07814afb481387856f0dc000ad3c3e4cba2361055668cfe79a945be44ab85a249555f37e683a909
 DIST openssl-1.1.0k.tar.gz 5287321 BLAKE2B 
fce40a399f5a08d5fe183dfcaab11b211d982885fb9888b25fa41bdd9919ecd203fca6f573363cfb42c9a0776ae69ea50b0f144227a3f28ca0dbadf878d396bc
 SHA512 
65f41a240a97d79504c0e1391fde8ac8692f0993437cdc35e4bc964ecc36e5ef75a62499c4c6cb4ce63f892135e06dba2d3594c8869d935554296fa3c6ccd822
+DIST openssl-1.1.0l-bindist-1.0.tar.xz 13168 BLAKE2B 
1fbd1f7bdba08f14e21485175232283c2309687021a526b4a132b676d7f9429577f8f14e180fb4f59ef24bc9c06873a6936e64559a901803a3f1d21453177b50
 SHA512 
f664a6876a2a9c7467bbc6a436593eb21cc6be51e08408657f34b67fa69cd6bece3cc65f60220d7e41f36b359b5299adf49a59ede7f8f738d6a31e29d2a49714
+DIST openssl-1.1.0l.tar.gz 5294857 BLAKE2B 
0e4f30f9e8a22414325bd780dc4e875e962487fbe72967f0392ace959955429192541881a98d097d7bb75ed7238b1817b0c3c2c4da04421512bd538f2b07cdd7
 SHA512 
81b74149f40ea7d9f7e235820a4f977844653ad1e2b302e65e712c12193f47542fe7e3385fd1e25e3dd074e4e6d04199836cbc492656f5a7692edab5e234f4ad
 DIST openssl-1.1.1c-bindist-1.0.tar.xz 11964 BLAKE2B 
8c5190846d13984589a150089d329bb3ecc613788b9462c6f6a1833a040e21cb9bf940140449f09fd797c0e396b0aea073237be374bd16097795b8974c3e7ce5
 SHA512 
249c6d8c455130b98e3be635f12f323e0cc349f1770648bad591e5de15483917185a473c162ed871a2fa05b47056931e6f12e5fdd9cecee7e6d1c246b862923b
 DIST openssl-1.1.1c.tar.gz 8864262 BLAKE2B 
bd157b244bedcefb8e646a743732945119b267236789ac69c38856570318aca09299bdaaea3f20294863b633e6fd4dfe124820597185b3b7461cfdf094daadb0
 SHA512 
8e2c5cc11c120efbb7d7850980cb6eaa782d29b4996b3f3378d37613c1679f852d7cc08a90d62e78fcec3439f06bdbee70064579a8c2adaffd91532a97f646ff
 DIST openssl-1.1.1d-bindist-1.0.tar.xz 13180 BLAKE2B 
680bd7400d3dd3930067ee7efa9718b74b30afa9be2397ad80f88031920806b6603b6469beede02b6e7a742abf5f82ebdd7c9b8e69c1ffe223e4860dc9581128
 SHA512 
9e4296326852010d5cebc204d1a34a34198d8d65460bc91a2bd37c80be892a5ae519513e4b0109e6b51b6faab0e171ef6cdae868868c158711558d147083c06f

diff --git 
a/dev-libs/openssl/files/openssl-1.1.0l-fix-no-ec2m-in-ec_curve.c.patch 
b/dev-libs/openssl/files/openssl-1.1.0l-fix-no-ec2m-in-ec_curve.c.patch
new file mode 100644
index 000..35a435df28b
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.0l-fix-no-ec2m-in-ec_curve.c.patch
@@ -0,0 +1,30 @@
+From bcf6a94c4bc912ad313ea21abdf7e83bbae450e5 Mon Sep 17 00:00:00 2001
+From: Nicola Tuveri 
+Date: Thu, 12 Sep 2019 01:57:47 +0300
+Subject: [PATCH] Fix no-ec2m in ec_curve.c (1.1.0)
+
+I made a mistake in d4a5dac9f9242c580fb9d0a4389440eccd3494a7 and
+inverted the GF2m and GFp calls in ec_point_get_affine_coordinates, this
+fixes it.
+---
+ crypto/ec/ec_curve.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c
+index 2d28d7f70bb..6a58b3a23e0 100644
+--- a/crypto/ec/ec_curve.c
 b/crypto/ec/ec_curve.c
+@@ -3200,11 +3200,11 @@ int ec_point_get_affine_coordinates(const EC_GROUP 
*group,
+ 
+ #ifndef OPENSSL_NO_EC2M
+ if (field_nid == NID_X9_62_characteristic_two_field) {
+-return EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx);
++return EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx);
+ } else
+ #endif /* !def(OPENSSL_NO_EC2M) */
+ if (field_nid == NID_X9_62_prime_field) {
+-return EC_POINT_get_affine_coordinates_GF2m(group, point, x, y, ctx);
++return EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx);
+ } else {
+ /* 

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2019-08-23 Thread Thomas Deutschmann
commit: 2c20225928fed2fb4c7512f4655207478ada6caf
Author: Thomas Deutschmann  gentoo  org>
AuthorDate: Fri Aug 23 17:33:18 2019 +
Commit: Thomas Deutschmann  gentoo  org>
CommitDate: Fri Aug 23 18:10:18 2019 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2c202259

dev-libs/openssl: fix fuzz test

Package-Manager: Portage-2.3.72, Repoman-2.3.17
Signed-off-by: Thomas Deutschmann  gentoo.org>

 .../openssl/files/openssl-1.1.0k-fix-test_fuzz.patch  | 19 +++
 dev-libs/openssl/openssl-1.1.0k-r1.ebuild |  1 +
 2 files changed, 20 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-1.1.0k-fix-test_fuzz.patch 
b/dev-libs/openssl/files/openssl-1.1.0k-fix-test_fuzz.patch
new file mode 100644
index 000..2c4cc31257c
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.0k-fix-test_fuzz.patch
@@ -0,0 +1,19 @@
+Test fuzz was forgotten when
+
+   Perl: Use our own globbing wrapper rather than File::Glob::glob
+
+was backported to openssl-1.1.0 branch.
+
+Link: 
https://github.com/openssl/openssl/commit/b81cfa07ada850fd287d0a0c82ba280907f18ce7
+
+--- a/test/recipes/90-test_fuzz.t
 b/test/recipes/90-test_fuzz.t
+@@ -9,7 +9,7 @@
+ use strict;
+ use warnings;
+ 
+-use if $^O ne "VMS", 'File::Glob' => qw/glob/;
++use OpenSSL::Glob;
+ use OpenSSL::Test qw/:DEFAULT srctop_file/;
+ use OpenSSL::Test::Utils;
+ 

diff --git a/dev-libs/openssl/openssl-1.1.0k-r1.ebuild 
b/dev-libs/openssl/openssl-1.1.0k-r1.ebuild
index 5bc111be0f8..f8ee7f73587 100644
--- a/dev-libs/openssl/openssl-1.1.0k-r1.ebuild
+++ b/dev-libs/openssl/openssl-1.1.0k-r1.ebuild
@@ -53,6 +53,7 @@ SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"
 PATCHES=(
"${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
"${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602
+   "${FILESDIR}"/${PN}-1.1.0k-fix-test_fuzz.patch
 )
 
 S="${WORKDIR}/${MY_P}"
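Review bot: The added `PATCHES` entry carries no reference, while the two entries above it are tagged with their bug numbers (`#542618`, `#671602`). The patch header gives only an upstream commit link, so a trailing comment pointing at it would keep the list traceable, e.g. `"${FILESDIR}"/${PN}-1.1.0k-fix-test_fuzz.patch # upstream b81cfa07ada8, see patch header`. This matters for later cleanups, since an untagged entry is harder to judge when deciding whether the patch is still needed after a version bump.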



[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2019-06-14 Thread Thomas Deutschmann
commit: 01e98e158d3cb02427d8a73678b56b83c5285843
Author: Michał Górny  gentoo  org>
AuthorDate: Tue May 28 19:00:54 2019 +
Commit: Thomas Deutschmann  gentoo  org>
CommitDate: Fri Jun 14 17:46:34 2019 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=01e98e15

dev-libs/openssl: Remove compat slots (moved to *-compat)

Signed-off-by: Michał Górny  gentoo.org>
Bug: https://bugs.gentoo.org/687984
Signed-off-by: Thomas Deutschmann  gentoo.org>

 dev-libs/openssl/Manifest  |   1 -
 dev-libs/openssl/files/gentoo.config-0.9.8 | 144 
 .../openssl/files/openssl-0.9.8e-bsd-sparc64.patch |  25 ---
 .../openssl/files/openssl-0.9.8h-ldflags.patch |  29 ---
 .../openssl/files/openssl-0.9.8m-binutils.patch|  24 --
 .../files/openssl-0.9.8z_p8-perl-5.26.patch|  13 --
 dev-libs/openssl/openssl-0.9.8z_p8-r1.ebuild   | 163 --
 dev-libs/openssl/openssl-1.0.2r-r200.ebuild| 248 -
 8 files changed, 647 deletions(-)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 26e97789fde..ae40847f77d 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,4 +1,3 @@
-DIST openssl-0.9.8zh.tar.gz 3818524 BLAKE2B 
610bb4858900983cf4519fa8b63f1e03b3845e39e68884fd8bebd738cd5cd6c2c75513643af49bf9e2294adc446a6516480fe9b62de55d9b6379bf9e7c5cd364
 SHA512 
b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6
 DIST openssl-1.0.2-patches-1.5.tar.xz 12404 BLAKE2B 
6c1b8c28f339f539b2ab8643379502a24cf62bffde00041dce54d5dd9e8d2620b181362ee5464b0ab32ba4948e209697bfabadbea2944a409a1009100d298f24
 SHA512 
5725e2d9d1ee8cc074bcef3bed61c71bdab2ff1c114362110c3fb8da11ad5bc8f2ff28e90a293f5f3a5cf96ecda54dffdb7ab3fb3f8b23ef6472250dc3037659
 DIST openssl-1.0.2r.tar.gz 5348369 BLAKE2B 
9f9c2d2fe6eaf9acacab29b394a318f30c38e831a5f9c193b2da660f9d04acbf407d8b752274783765416c0f5ba557c24ee293ad7fb7d727771db289e6acc901
 SHA512 
6eb2211f3ad56d7573ac26f388338592c37e5faaf5e2d44c0fa9062c12186e56a324f135d1c956a89b55fcce047e6428bec2756658d103e7275e08b46f741235
 DIST openssl-1.0.2r_ec_curve.c 17254 BLAKE2B 
d40d8d6e770443f07abe70e2c4ddda6aec1cc8e37dc1f226a3fdd9ed5d228f09c6d372e8956b1948b55ee1d57d1429493e7288d0f54d9466a37fec805c85aacb
 SHA512 
8e92fb100bcf4bd918c82b9a6cbd75a55abe1a2c08230a007e441c51577f974f8cc336e9ac8a672b32641480428ca8cead5380da1fe81bacb088145a1b754a15

diff --git a/dev-libs/openssl/files/gentoo.config-0.9.8 
b/dev-libs/openssl/files/gentoo.config-0.9.8
deleted file mode 100644
index 02698250c19..000
--- a/dev-libs/openssl/files/gentoo.config-0.9.8
+++ /dev/null
@@ -1,144 +0,0 @@
-#!/usr/bin/env bash
-# Copyright 1999-2009 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-#
-# Openssl doesn't play along nicely with cross-compiling
-# like autotools based projects, so let's teach it new tricks.
-#
-# Review the bundled 'config' script to see why kind of targets
-# we can pass to the 'Configure' script.
-
-
-# Testing routines
-if [[ $1 == "test" ]] ; then
-   for c in \
-   "arm-gentoo-linux-uclibc  |linux-generic32 -DL_ENDIAN" \
-   "armv5b-linux-gnu |linux-generic32 -DB_ENDIAN" \
-   "x86_64-pc-linux-gnu  |linux-x86_64" \
-   "alphaev56-unknown-linux-gnu  |linux-alpha+bwx-gcc" \
-   "i686-pc-linux-gnu|linux-elf" \
-   "whatever-gentoo-freebsdX.Y   |BSD-generic32" \
-   "i686-gentoo-freebsdX.Y   |BSD-x86-elf" \
-   "sparc64-alpha-freebsdX.Y |BSD-sparc64" \
-   "ia64-gentoo-freebsd5.99234   |BSD-ia64" \
-   "x86_64-gentoo-freebsdX.Y |BSD-x86_64" \
-   "hppa64-aldsF-linux-gnu5.3|linux-generic32 -DB_ENDIAN" \
-   "powerpc-gentOO-linux-uclibc  |linux-ppc" \
-   "powerpc64-unk-linux-gnu  |linux-ppc64" \
-   "x86_64-apple-darwinX |darwin64-x86_64-cc" \
-   "powerpc64-apple-darwinX  |darwin64-ppc-cc" \
-   "i686-apple-darwinX   |darwin-i386-cc" \
-   "i386-apple-darwinX   |darwin-i386-cc" \
-   "powerpc-apple-darwinX|darwin-ppc-cc" \
-   "i586-pc-winnt|winnt-parity" \
-   ;do
-   CHOST=${c/|*}
-   ret_want=${c/*|}
-   ret_got=$(CHOST=${CHOST} "$0")
-
-   if [[ ${ret_want} == "${ret_got}" ]] ; then
-   echo "PASS: ${CHOST}"
-   else
-   echo "FAIL: ${CHOST}"
-   echo -e "\twanted: ${ret_want}"
-   echo -e "\twe got: ${ret_got}"
-   fi
-   done
-   exit 0
-fi
-[[ -z ${CHOST} && -n $1 ]] && CHOST=$1
-
-
-# Detect the operating system
-case ${CHOST} in
-   *-aix*)  

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2019-03-06 Thread Thomas Deutschmann
commit: 402e35c0c3cfbd46457cad5983c217ea8de6fe8e
Author: Thomas Deutschmann  gentoo  org>
AuthorDate: Wed Mar  6 16:55:03 2019 +
Commit: Thomas Deutschmann  gentoo  org>
CommitDate: Wed Mar  6 16:55:03 2019 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=402e35c0

dev-libs/openssl: add patch for CVE-2019-1543

Package-Manager: Portage-2.3.62, Repoman-2.3.12
Signed-off-by: Thomas Deutschmann  gentoo.org>

 .../files/openssl-1.1.1b-CVE-2019-1543.patch   |  66 +
 dev-libs/openssl/openssl-1.1.0j-r1.ebuild  | 299 +
 dev-libs/openssl/openssl-1.1.1b-r2.ebuild  | 299 +
 3 files changed, 664 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-1.1.1b-CVE-2019-1543.patch 
b/dev-libs/openssl/files/openssl-1.1.1b-CVE-2019-1543.patch
new file mode 100644
index 000..4d478c484c9
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.1b-CVE-2019-1543.patch
@@ -0,0 +1,66 @@
+From f426625b6ae9a7831010750490a5f0ad689c5ba3 Mon Sep 17 00:00:00 2001
+From: Matt Caswell 
+Date: Tue, 5 Mar 2019 14:39:15 +
+Subject: [PATCH] Prevent over long nonces in ChaCha20-Poly1305
+
+ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for
+every encryption operation. RFC 7539 specifies that the nonce value (IV)
+should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and
+front pads the nonce with 0 bytes if it is less than 12 bytes. However it
+also incorrectly allows a nonce to be set of up to 16 bytes. In this case
+only the last 12 bytes are significant and any additional leading bytes are
+ignored.
+
+It is a requirement of using this cipher that nonce values are unique.
+Messages encrypted using a reused nonce value are susceptible to serious
+confidentiality and integrity attacks. If an application changes the
+default nonce length to be longer than 12 bytes and then makes a change to
+the leading bytes of the nonce expecting the new value to be a new unique
+nonce then such an application could inadvertently encrypt messages with a
+reused nonce.
+
+Additionally the ignored bytes in a long nonce are not covered by the
+integrity guarantee of this cipher. Any application that relies on the
+integrity of these ignored leading bytes of a long nonce may be further
+affected.
+
+Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe
+because no such use sets such a long nonce value. However user
+applications that use this cipher directly and set a non-default nonce
+length to be longer than 12 bytes may be vulnerable.
+
+CVE-2019-1543
+
+Fixes #8345
+
+Reviewed-by: Paul Dale 
+Reviewed-by: Richard Levitte 
+(Merged from https://github.com/openssl/openssl/pull/8406)
+
+(cherry picked from commit 2a3d0ee9d59156c48973592331404471aca886d6)
+---
+ crypto/evp/e_chacha20_poly1305.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/evp/e_chacha20_poly1305.c 
b/crypto/evp/e_chacha20_poly1305.c
+index c1917bb86a6..d3e2c622a1b 100644
+--- a/crypto/evp/e_chacha20_poly1305.c
 b/crypto/evp/e_chacha20_poly1305.c
+@@ -30,6 +30,8 @@ typedef struct {
+ 
+ #define data(ctx)   ((EVP_CHACHA_KEY *)(ctx)->cipher_data)
+ 
++#define CHACHA20_POLY1305_MAX_IVLEN 12
++
+ static int chacha_init_key(EVP_CIPHER_CTX *ctx,
+const unsigned char user_key[CHACHA_KEY_SIZE],
+const unsigned char iv[CHACHA_CTR_SIZE], int enc)
+@@ -533,7 +535,7 @@ static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int 
type, int arg,
+ return 1;
+ 
+ case EVP_CTRL_AEAD_SET_IVLEN:
+-if (arg <= 0 || arg > CHACHA_CTR_SIZE)
++if (arg <= 0 || arg > CHACHA20_POLY1305_MAX_IVLEN)
+ return 0;
+ actx->nonce_len = arg;
+ return 1;
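Review bot: The new `CHACHA20_POLY1305_MAX_IVLEN` define is a bare `12` with no comment, and the tightened check in the `EVP_CTRL_AEAD_SET_IVLEN` case now returns 0 for lengths 13 to 16 that were accepted before. I would add `/* RFC 7539 nonce is 96 bits (12 bytes); longer IVs are rejected, see CVE-2019-1543 */` above the define so the limit is not later mistaken for, or "simplified" back to, `CHACHA_CTR_SIZE`. Callers that set a non-default nonce length and ignore the ctrl's return value will presumably keep running with the previous `nonce_len`, so the behaviour change deserves a mention for applications that use this cipher directly. The body of `chacha20_poly1305_ctrl` continues outside the hunk, so the state of `nonce_len` on the failure path cannot be confirmed from here.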

diff --git a/dev-libs/openssl/openssl-1.1.0j-r1.ebuild 
b/dev-libs/openssl/openssl-1.1.0j-r1.ebuild
new file mode 100644
index 000..b21a33a9e0f
--- /dev/null
+++ b/dev-libs/openssl/openssl-1.1.0j-r1.ebuild
@@ -0,0 +1,299 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+
+inherit flag-o-matic toolchain-funcs multilib multilib-minimal
+
+MY_P=${P/_/-}
+DESCRIPTION="full-strength general purpose cryptography library (including SSL 
and TLS)"
+HOMEPAGE="https://www.openssl.org/;
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
+
+LICENSE="openssl"
+SLOT="0/1.1" # .so version of libssl/libcrypto
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 
~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~x86-linux"
+IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 static-libs test 
tls-heartbeat vanilla zlib"
+RESTRICT="!bindist? ( bindist )"
+
+RDEPEND=">=app-misc/c_rehash-1.7-r1
+   zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
+DEPEND="${RDEPEND}
+   >=dev-lang/perl-5
+   sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+   

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2019-02-27 Thread Thomas Deutschmann
commit: 05ef2e7b732a8571f2d4ef84659b7f972a8cd90e
Author: Thomas Deutschmann  gentoo  org>
AuthorDate: Wed Feb 27 19:07:04 2019 +
Commit: Thomas Deutschmann  gentoo  org>
CommitDate: Wed Feb 27 19:07:04 2019 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=05ef2e7b

dev-libs/openssl: fix USE=bindist

Package-Manager: Portage-2.3.62, Repoman-2.3.12
Signed-off-by: Thomas Deutschmann  gentoo.org>

 .../files/openssl-1.1.1b-ec-curves-patch.patch | 207 +
 ...nssl-1.1.1b.ebuild => openssl-1.1.1b-r1.ebuild} |   8 +-
 2 files changed, 214 insertions(+), 1 deletion(-)

diff --git a/dev-libs/openssl/files/openssl-1.1.1b-ec-curves-patch.patch 
b/dev-libs/openssl/files/openssl-1.1.1b-ec-curves-patch.patch
new file mode 100644
index 000..c1f53c83823
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.1b-ec-curves-patch.patch
@@ -0,0 +1,207 @@
+Based on openssl-1.1.1-ec-curves.patch.
+
+Updated for OpenSSL change b6d41ff73392df5af9c931c902ae4cd75c5b61ea.
+
+--- a/apps/speed.c
 b/apps/speed.c
+@@ -489,82 +489,28 @@ static const OPT_PAIR rsa_choices[] = {
+ static double rsa_results[RSA_NUM][2];  /* 2 ops: sign then verify */
+ #endif /* OPENSSL_NO_RSA */
+ 
+-#define R_EC_P1600
+-#define R_EC_P1921
+-#define R_EC_P2242
+-#define R_EC_P2563
+-#define R_EC_P3844
+-#define R_EC_P5215
+-#define R_EC_K1636
+-#define R_EC_K2337
+-#define R_EC_K2838
+-#define R_EC_K4099
+-#define R_EC_K57110
+-#define R_EC_B16311
+-#define R_EC_B23312
+-#define R_EC_B28313
+-#define R_EC_B40914
+-#define R_EC_B57115
+-#define R_EC_BRP256R1  16
+-#define R_EC_BRP256T1  17
+-#define R_EC_BRP384R1  18
+-#define R_EC_BRP384T1  19
+-#define R_EC_BRP512R1  20
+-#define R_EC_BRP512T1  21
+-#define R_EC_X25519  22
+-#define R_EC_X44823
++#define R_EC_P2240
++#define R_EC_P2561
++#define R_EC_P3842
++#define R_EC_P5213
++#define R_EC_X25519  4
++#define R_EC_X4485
+ #ifndef OPENSSL_NO_EC
+ static OPT_PAIR ecdsa_choices[] = {
+-{"ecdsap160", R_EC_P160},
+-{"ecdsap192", R_EC_P192},
+ {"ecdsap224", R_EC_P224},
+ {"ecdsap256", R_EC_P256},
+ {"ecdsap384", R_EC_P384},
+ {"ecdsap521", R_EC_P521},
+-{"ecdsak163", R_EC_K163},
+-{"ecdsak233", R_EC_K233},
+-{"ecdsak283", R_EC_K283},
+-{"ecdsak409", R_EC_K409},
+-{"ecdsak571", R_EC_K571},
+-{"ecdsab163", R_EC_B163},
+-{"ecdsab233", R_EC_B233},
+-{"ecdsab283", R_EC_B283},
+-{"ecdsab409", R_EC_B409},
+-{"ecdsab571", R_EC_B571},
+-{"ecdsabrp256r1", R_EC_BRP256R1},
+-{"ecdsabrp256t1", R_EC_BRP256T1},
+-{"ecdsabrp384r1", R_EC_BRP384R1},
+-{"ecdsabrp384t1", R_EC_BRP384T1},
+-{"ecdsabrp512r1", R_EC_BRP512R1},
+-{"ecdsabrp512t1", R_EC_BRP512T1}
+ };
+ # define ECDSA_NUM   OSSL_NELEM(ecdsa_choices)
+ 
+ static double ecdsa_results[ECDSA_NUM][2];/* 2 ops: sign then verify */
+ 
+ static const OPT_PAIR ecdh_choices[] = {
+-{"ecdhp160", R_EC_P160},
+-{"ecdhp192", R_EC_P192},
+ {"ecdhp224", R_EC_P224},
+ {"ecdhp256", R_EC_P256},
+ {"ecdhp384", R_EC_P384},
+ {"ecdhp521", R_EC_P521},
+-{"ecdhk163", R_EC_K163},
+-{"ecdhk233", R_EC_K233},
+-{"ecdhk283", R_EC_K283},
+-{"ecdhk409", R_EC_K409},
+-{"ecdhk571", R_EC_K571},
+-{"ecdhb163", R_EC_B163},
+-{"ecdhb233", R_EC_B233},
+-{"ecdhb283", R_EC_B283},
+-{"ecdhb409", R_EC_B409},
+-{"ecdhb571", R_EC_B571},
+-{"ecdhbrp256r1", R_EC_BRP256R1},
+-{"ecdhbrp256t1", R_EC_BRP256T1},
+-{"ecdhbrp384r1", R_EC_BRP384R1},
+-{"ecdhbrp384t1", R_EC_BRP384T1},
+-{"ecdhbrp512r1", R_EC_BRP512R1},
+-{"ecdhbrp512t1", R_EC_BRP512T1},
+ {"ecdhx25519", R_EC_X25519},
+ {"ecdhx448", R_EC_X448}
+ };
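Review bot: The renumbered `R_EC_*` macros are bare positions with no comment saying what they index. From the following hunk they appear to follow the order of `test_curves[]` in speed_main (nistp224, nistp256, nistp384 and nistp521 are visible there in that order), but the code does not state it and the rest of that table is outside the visible text. This downstream patch has to be rediffed whenever upstream changes the curve list, so a comment above the block such as `/* positions in test_curves[]; keep both lists in the same order */` would make a mismatch easier to spot in review.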
+@@ -1495,29 +1441,10 @@ int speed_main(int argc, char **argv)
+ unsigned int bits;
+ } test_curves[] = {
+ /* Prime Curves */
+-{"secp160r1", NID_secp160r1, 160},
+-{"nistp192", NID_X9_62_prime192v1, 192},
+ {"nistp224", NID_secp224r1, 224},
+ {"nistp256", NID_X9_62_prime256v1, 256},
+ {"nistp384", NID_secp384r1, 384},
+ {"nistp521", NID_secp521r1, 521},
+-/* Binary Curves */
+-{"nistk163", NID_sect163k1, 163},
+-{"nistk233", NID_sect233k1, 233},
+-{"nistk283", NID_sect283k1, 283},
+-{"nistk409", NID_sect409k1, 409},
+-{"nistk571", NID_sect571k1, 571},
+-{"nistb163", NID_sect163r2, 163},
+-{"nistb233", NID_sect233r1, 233},
+-{"nistb283", NID_sect283r1, 283},
+-{"nistb409", NID_sect409r1, 409},
+-{"nistb571", NID_sect571r1, 571},
+-{"brainpoolP256r1", NID_brainpoolP256r1, 256},
+-{"brainpoolP256t1", NID_brainpoolP256t1, 256},
+-{"brainpoolP384r1", NID_brainpoolP384r1, 384},
+-{"brainpoolP384t1", NID_brainpoolP384t1, 384},
+-{"brainpoolP512r1", NID_brainpoolP512r1, 512},
+- 

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2019-02-26 Thread Lars Wendler
commit: a1ced0de770abbc643d994378b9cd11a41605902
Author: Lars Wendler  gentoo  org>
AuthorDate: Tue Feb 26 15:12:11 2019 +
Commit: Lars Wendler  gentoo  org>
CommitDate: Tue Feb 26 15:31:41 2019 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a1ced0de

dev-libs/openssl: Removed old.

Package-Manager: Portage-2.3.62, Repoman-2.3.12
Signed-off-by: Lars Wendler  gentoo.org>

 dev-libs/openssl/Manifest  |   4 -
 ...-1.1.1a-fix-a-minor-nit-in-hkdflabel-size.patch |  27 --
 ...ix-cert-with-rsa-instead-of-rsaEncryption.patch |  97 -
 ...ix-some-SSL_export_keying_material-issues.patch | 420 -
 ...a-fix-wrong-return-value-in-ssl3_ctx_ctrl.patch |  26 --
 ...ure-build_SYS_str_reasons_preserves_errno.patch |  68 
 .../openssl-1.1.1a-preserve-errno-on-dlopen.patch  |  51 ---
 ...-system-error-number-in-a-few-more-places.patch |  57 ---
 ...t-reduce-stack-usage-in-tls13_hkdf_expand.patch |  56 ---
 dev-libs/openssl/openssl-1.0.2q-r200.ebuild| 248 
 dev-libs/openssl/openssl-1.1.1a-r1.ebuild  | 299 ---
 dev-libs/openssl/openssl-1.1.1a.ebuild | 288 --
 12 files changed, 1641 deletions(-)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 3f3dd41c6a0..dd125204215 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -15,10 +15,6 @@ DIST 
openssl-1.1.0j_d2ede125556ac99aa0faa7744c703af3f559094e_ec_curve.c 18401 BL
 DIST openssl-1.1.0j_d2ede125556ac99aa0faa7744c703af3f559094e_ectest.c 30688 
BLAKE2B 
6673ef0fd139af82d830794179b19b9e06be25fac4a13b8bdfa5fd5dad25f594ce8eab118aab9ec2aab25001e1de127c03f8e1a04f4f3ef4c464b7fb1811ed4a
 SHA512 
240fc72916caf4a8b0af774ce307abfe9a93a762eba6fae760cec79d619fe3db0d6919fc92a8951cb031f73958237700b45f590aa7f9f2890762cccda1f1e74b
 DIST openssl-1.1.0j_d2ede125556ac99aa0faa7744c703af3f559094e_hobble-openssl 
1117 BLAKE2B 
c3a1477e63331e83cf1cbe58e9ef131ec500a311e22d3da55034800ca353c387b2e202575acf3badb00b236ff91d4bac1bb131a33930939646d26bec27be6e04
 SHA512 
fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826
 DIST openssl-1.1.1-ec-curves.patch 7265 BLAKE2B 
04725d226c430132cf54afbfaa30a82f8f8bbfd3608823d1d0cd42c3c13f417e90762759da3134d7b0c4373e531925db337b681340f2f284cb2f16a4caef22e3
 SHA512 
de4d0f1635740c57217836a476c420141c0d34a5f90cbf7957aed7a80e7ac9ca036de2d8448e6bf4c122999e308730575899f61cea6e51ab6825dd04890d75a1
-DIST openssl-1.1.1a.tar.gz 8350547 BLAKE2B 
71dae2f44ade3e31983599a491b5efe5da63bbe4f32a2336a8022b282f844a9d898f3b1c3fa825a5973cb16898e8e87fcd73d68e9b602b58f500c3f3e047b199
 SHA512 
1523985ba90f38aa91aa6c2d57652f4e243cb2a095ce6336bf34b39b5a9b5b876804299a6825c758b65990e57948da532cca761aa12b10958c97478d04dd6d34
-DIST openssl-1.1.1a_ec_curve.c 17938 BLAKE2B 
d5cbde40dcd8608087aed6ffa9feb040ffadecf0c46b7f3978cc468a9503f0a5ad0a426ea6f8db56f49a64474a508bebdf946e01ebf09adc727675f3b180bcdc
 SHA512 
ec470f6514cb9a4f680b8cbbe02e2bbe71639b288f3429d976726047901d9c50377dfb2737f32429da2fb0e52fd67878a86debb54520e307ee196d97b5c66415
-DIST openssl-1.1.1a_ectest.c 35091 BLAKE2B 
a9602255ab529751c2af2419206ce113f03f93b7b776691ea2ec550f26ddbecd241844bb81dc86988fdbb1c0a587318f82ce4faecba1a6142a19cf08d40fb2c5
 SHA512 
7813d9b6b7ab62119a7f2dd5431c17c5839f4c320ac7071b0714c9b8528bda5fda779dbb263328dca6ee8446e9fa09c663da659c9a82832a65cf53d1cd8a4cef
-DIST openssl-1.1.1a_hobble-openssl 1117 BLAKE2B 
c3a1477e63331e83cf1cbe58e9ef131ec500a311e22d3da55034800ca353c387b2e202575acf3badb00b236ff91d4bac1bb131a33930939646d26bec27be6e04
 SHA512 
fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826
 DIST openssl-1.1.1b.tar.gz 8213737 BLAKE2B 
7ad9da9548052e2a033a684038f97c420cfffd57994604bcb3fa12640796c8c0aea3d24fb05648ee4940fbec40b81462e81c353da5a41a2575c0585d9718eae8
 SHA512 
b54025fbb4fe264466f3b0d762aad4be45bd23cd48bdb26d901d4c41a40bfd776177e02230995ab181a695435039dbad313f4b9a563239a70807a2e19ecf045d
 DIST openssl-1.1.1b_ec_curve.c 17938 BLAKE2B 
d5cbde40dcd8608087aed6ffa9feb040ffadecf0c46b7f3978cc468a9503f0a5ad0a426ea6f8db56f49a64474a508bebdf946e01ebf09adc727675f3b180bcdc
 SHA512 
ec470f6514cb9a4f680b8cbbe02e2bbe71639b288f3429d976726047901d9c50377dfb2737f32429da2fb0e52fd67878a86debb54520e307ee196d97b5c66415
 DIST openssl-1.1.1b_ectest.c 35091 BLAKE2B 
a9602255ab529751c2af2419206ce113f03f93b7b776691ea2ec550f26ddbecd241844bb81dc86988fdbb1c0a587318f82ce4faecba1a6142a19cf08d40fb2c5
 SHA512 
7813d9b6b7ab62119a7f2dd5431c17c5839f4c320ac7071b0714c9b8528bda5fda779dbb263328dca6ee8446e9fa09c663da659c9a82832a65cf53d1cd8a4cef

diff --git 
a/dev-libs/openssl/files/openssl-1.1.1a-fix-a-minor-nit-in-hkdflabel-size.patch 
b/dev-libs/openssl/files/openssl-1.1.1a-fix-a-minor-nit-in-hkdflabel-size.patch
deleted file mode 100644
index 8014be130ab..000
--- 

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2018-11-12 Thread Thomas Deutschmann
commit: 24a88b7aab48df287482caf912be7b69340a2f35
Author: Thomas Deutschmann  gentoo  org>
AuthorDate: Mon Nov 12 18:19:25 2018 +
Commit: Thomas Deutschmann  gentoo  org>
CommitDate: Mon Nov 12 18:36:44 2018 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=24a88b7a

dev-libs/openssl: add patch for CVE-2018-0734

Package-Manager: Portage-2.3.51, Repoman-2.3.12
Signed-off-by: Thomas Deutschmann  gentoo.org>

 .../files/openssl-1.1.0i-CVE-2018-0734.patch   | 131 +
 ...l-1.1.0i-r1.ebuild => openssl-1.1.0i-r2.ebuild} |   1 +
 2 files changed, 132 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-1.1.0i-CVE-2018-0734.patch 
b/dev-libs/openssl/files/openssl-1.1.0i-CVE-2018-0734.patch
new file mode 100644
index 000..47b082f4085
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.0i-CVE-2018-0734.patch
@@ -0,0 +1,131 @@
+CVE-2018-0734
+https://github.com/openssl/openssl/commit/415c33563528667868c3c653a612e6fc8736fd79
+https://github.com/openssl/openssl/commit/ef11e19d1365eea2b1851e6f540a0bf365d303e7
+
+--- a/crypto/dsa/dsa_ossl.c
 b/crypto/dsa/dsa_ossl.c
+@@ -11,6 +11,7 @@
+ 
+ #include 
+ #include "internal/cryptlib.h"
++#include "internal/bn_int.h"
+ #include 
+ #include 
+ #include "dsa_locl.h"
+@@ -25,6 +26,8 @@ static int dsa_do_verify(const unsigned char *dgst, int 
dgst_len,
+  DSA_SIG *sig, DSA *dsa);
+ static int dsa_init(DSA *dsa);
+ static int dsa_finish(DSA *dsa);
++static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
++  BN_CTX *ctx);
+ 
+ static DSA_METHOD openssl_dsa_meth = {
+ "OpenSSL DSA method",
+@@ -180,9 +183,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+ {
+ BN_CTX *ctx = NULL;
+ BIGNUM *k, *kinv = NULL, *r = *rp;
+-BIGNUM *l, *m;
++BIGNUM *l;
+ int ret = 0;
+-int q_bits;
++int q_bits, q_words;
+ 
+ if (!dsa->p || !dsa->q || !dsa->g) {
+ DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
+@@ -191,8 +194,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+ 
+ k = BN_new();
+ l = BN_new();
+-m = BN_new();
+-if (k == NULL || l == NULL || m == NULL)
++if (k == NULL || l == NULL)
+ goto err;
+ 
+ if (ctx_in == NULL) {
+@@ -203,9 +205,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+ 
+ /* Preallocate space */
+ q_bits = BN_num_bits(dsa->q);
+-if (!BN_set_bit(k, q_bits)
+-|| !BN_set_bit(l, q_bits)
+-|| !BN_set_bit(m, q_bits))
++q_words = bn_get_top(dsa->q);
++if (!bn_wexpand(k, q_words + 2)
++|| !bn_wexpand(l, q_words + 2))
+ goto err;
+ 
+ /* Get random k */
+@@ -240,14 +242,17 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+  * small timing information leakage.  We then choose the sum that is
+  * one bit longer than the modulus.
+  *
+- * TODO: revisit the BN_copy aiming for a memory access agnostic
+- * conditional copy.
++ * There are some concerns about the efficacy of doing this.  More
++ * specificly refer to the discussion starting with:
++ * https://github.com/openssl/openssl/pull/7486#discussion_r228323705
++ * The fix is to rework BN so these gymnastics aren't required.
+  */
+ if (!BN_add(l, k, dsa->q)
+-|| !BN_add(m, l, dsa->q)
+-|| !BN_copy(k, BN_num_bits(l) > q_bits ? l : m))
++|| !BN_add(k, l, dsa->q))
+ goto err;
+ 
++BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2);
++
+ if ((dsa)->meth->bn_mod_exp != NULL) {
+ if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx,
+dsa->method_mont_p))
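Review bot: The word count passed to `BN_consttime_swap` repeats the literal `q_words + 2` from the two `bn_wexpand` calls in the preallocation hunk, and nothing ties the two together. If one is changed without the other, the swap would cover a different number of limbs than were preallocated for k and l, which is the kind of length-dependent behaviour this patch sets out to remove. A comment on the swap such as `/* nwords must match the bn_wexpand() preallocation of k and l above */` would make the dependency explicit. The rewritten comment in this hunk also spells "specifically" as "specificly". dsa_sign_setup starts and ends outside this hunk.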
+@@ -260,8 +265,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+ if (!BN_mod(r, r, dsa->q, ctx))
+ goto err;
+ 
+-/* Compute  part of 's = inv(k) (m + xr) mod q' */
+-if ((kinv = BN_mod_inverse(NULL, k, dsa->q, ctx)) == NULL)
++/* Compute part of 's = inv(k) (m + xr) mod q' */
++if ((kinv = dsa_mod_inverse_fermat(k, dsa->q, ctx)) == NULL)
+ goto err;
+ 
+ BN_clear_free(*kinvp);
+@@ -275,7 +280,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+ BN_CTX_free(ctx);
+ BN_clear_free(k);
+ BN_clear_free(l);
+-BN_clear_free(m);
+ return ret;
+ }
+ 
+@@ -395,3 +399,31 @@ static int dsa_finish(DSA *dsa)
+ BN_MONT_CTX_free(dsa->method_mont_p);
+ return (1);
+ }
++
++/*
++ * Compute the inverse of k modulo q.
++ * Since q is prime, Fermat's Little Theorem applies, which reduces this to
++ * mod-exp operation.  Both the exponent and modulus are public information
++ * so a mod-exp that doesn't leak the base is sufficient.  A newly allocated
++ * BIGNUM is returned which the caller must free.
++ */
++static BIGNUM *dsa_mod_inverse_fermat(const BIGNUM *k, const BIGNUM *q,
++  BN_CTX *ctx)
++{
++

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/

2018-10-31 Thread Lars Wendler
commit: 4fef1113c26ea7ac7fb9be6da77565310908e82a
Author: Michael Mair-Keimberger  gmail  com>
AuthorDate: Sun Sep 30 12:52:24 2018 +
Commit: Lars Wendler  gentoo  org>
CommitDate: Wed Oct 31 08:06:10 2018 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4fef1113

dev-libs/openssl: remove unused patches

Signed-off-by: Michael Mair-Keimberger  gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/10026
Signed-off-by: Lars Wendler  gentoo.org>

 .../files/openssl-1.0.2o-CVE-2018-0732.patch   |  39 ---
 .../openssl/files/openssl-1.0.2o-hobble-ecc.patch  | 290 -
 2 files changed, 329 deletions(-)

diff --git a/dev-libs/openssl/files/openssl-1.0.2o-CVE-2018-0732.patch 
b/dev-libs/openssl/files/openssl-1.0.2o-CVE-2018-0732.patch
deleted file mode 100644
index 148e7c3bc1a..000
--- a/dev-libs/openssl/files/openssl-1.0.2o-CVE-2018-0732.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 3984ef0b72831da8b3ece4745cac4f8575b19098 Mon Sep 17 00:00:00 2001
-From: Guido Vranken 
-Date: Mon, 11 Jun 2018 19:38:54 +0200
-Subject: [PATCH] Reject excessively large primes in DH key generation.
-
-CVE-2018-0732
-
-Signed-off-by: Guido Vranken 
-
-(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe)
-
-Reviewed-by: Tim Hudson 
-Reviewed-by: Matt Caswell 
-(Merged from https://github.com/openssl/openssl/pull/6457)

- crypto/dh/dh_key.c | 7 ++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
-index 387558f1467..f235e0d682b 100644
 a/crypto/dh/dh_key.c
-+++ b/crypto/dh/dh_key.c
-@@ -130,10 +130,15 @@ static int generate_key(DH *dh)
- int ok = 0;
- int generate_new_key = 0;
- unsigned l;
--BN_CTX *ctx;
-+BN_CTX *ctx = NULL;
- BN_MONT_CTX *mont = NULL;
- BIGNUM *pub_key = NULL, *priv_key = NULL;
- 
-+if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
-+DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
-+return 0;
-+}
-+
- ctx = BN_CTX_new();
- if (ctx == NULL)
- goto err;

diff --git a/dev-libs/openssl/files/openssl-1.0.2o-hobble-ecc.patch 
b/dev-libs/openssl/files/openssl-1.0.2o-hobble-ecc.patch
deleted file mode 100644
index e105fe45e45..000
--- a/dev-libs/openssl/files/openssl-1.0.2o-hobble-ecc.patch
+++ /dev/null
@@ -1,290 +0,0 @@
-Port of Fedora's Hobble-EC patches for OpenSSL 1.0 series.
-
-From https://src.fedoraproject.org/git/rpms/openssl.git
-
-Contains parts of the following patches, rediffed. The patches are on various
-different branches.
-f23 openssl-1.0.2c-ecc-suiteb.patch
-f23 openssl-1.0.2a-fips-ec.patch
-f28 openssl-1.1.0-ec-curves.patch
-
-Signed-off-By: Robin H. Johnson 
-
-diff -Nuar --exclude ec_curve.c -p openssl-1.0.2m.hobble/apps/speed.c 
openssl-1.0.2m.mod/apps/speed.c
 openssl-1.0.2m.hobble/apps/speed.c 2017-11-02 07:32:57.0 -0700
-+++ openssl-1.0.2m.mod/apps/speed.c2018-06-10 19:00:09.264550382 -0700
-@@ -989,10 +989,7 @@ int MAIN(int argc, char **argv)
- } else
- # endif
- # ifndef OPENSSL_NO_ECDSA
--if (strcmp(*argv, "ecdsap160") == 0)
--ecdsa_doit[R_EC_P160] = 2;
--else if (strcmp(*argv, "ecdsap192") == 0)
--ecdsa_doit[R_EC_P192] = 2;
-+  if (0) {}
- else if (strcmp(*argv, "ecdsap224") == 0)
- ecdsa_doit[R_EC_P224] = 2;
- else if (strcmp(*argv, "ecdsap256") == 0)
-@@ -1001,36 +998,13 @@ int MAIN(int argc, char **argv)
- ecdsa_doit[R_EC_P384] = 2;
- else if (strcmp(*argv, "ecdsap521") == 0)
- ecdsa_doit[R_EC_P521] = 2;
--else if (strcmp(*argv, "ecdsak163") == 0)
--ecdsa_doit[R_EC_K163] = 2;
--else if (strcmp(*argv, "ecdsak233") == 0)
--ecdsa_doit[R_EC_K233] = 2;
--else if (strcmp(*argv, "ecdsak283") == 0)
--ecdsa_doit[R_EC_K283] = 2;
--else if (strcmp(*argv, "ecdsak409") == 0)
--ecdsa_doit[R_EC_K409] = 2;
--else if (strcmp(*argv, "ecdsak571") == 0)
--ecdsa_doit[R_EC_K571] = 2;
--else if (strcmp(*argv, "ecdsab163") == 0)
--ecdsa_doit[R_EC_B163] = 2;
--else if (strcmp(*argv, "ecdsab233") == 0)
--ecdsa_doit[R_EC_B233] = 2;
--else if (strcmp(*argv, "ecdsab283") == 0)
--ecdsa_doit[R_EC_B283] = 2;
--else if (strcmp(*argv, "ecdsab409") == 0)
--ecdsa_doit[R_EC_B409] = 2;
--else if (strcmp(*argv, "ecdsab571") == 0)
--ecdsa_doit[R_EC_B571] = 2;
- else if (strcmp(*argv, "ecdsa") == 0) {
--for (i = 0; i < EC_NUM; i++)
-+for (i = R_EC_P224; i < R_EC_P521; i++)
- ecdsa_doit[i] = 1;
- } else
- # endif
- # ifndef OPENSSL_NO_ECDH
--if (strcmp(*argv, "ecdhp160") == 0)
--ecdh_doit[R_EC_P160] = 2;
--else if (strcmp(*argv, "ecdhp192") == 0)
--ecdh_doit[R_EC_P192] = 2;
-+  if (0) 

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2018-10-29 Thread Lars Wendler
commit: 9cf9aa64d52743263e9619c3cd0794557e3b5445
Author: Lars Wendler  gentoo  org>
AuthorDate: Mon Oct 29 13:02:33 2018 +
Commit: Lars Wendler  gentoo  org>
CommitDate: Mon Oct 29 13:08:20 2018 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9cf9aa64

dev-libs/openssl: Revbumps to fix CVE-2018-0735

Signed-off-by: Lars Wendler  gentoo.org>
Package-Manager: Portage-2.3.51, Repoman-2.3.11

 .../files/openssl-1.1.0i-CVE-2018-0735.patch   | 44 ++
 .../files/openssl-1.1.1-CVE-2018-0735.patch| 44 ++
 ...nssl-1.1.0i.ebuild => openssl-1.1.0i-r1.ebuild} |  5 ++-
 ...penssl-1.1.1.ebuild => openssl-1.1.1-r1.ebuild} |  4 ++
 4 files changed, 95 insertions(+), 2 deletions(-)

diff --git a/dev-libs/openssl/files/openssl-1.1.0i-CVE-2018-0735.patch 
b/dev-libs/openssl/files/openssl-1.1.0i-CVE-2018-0735.patch
new file mode 100644
index 000..5762c04fa34
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.0i-CVE-2018-0735.patch
@@ -0,0 +1,44 @@
+From 56fb454d281a023b3f950d969693553d3f3ceea1 Mon Sep 17 00:00:00 2001
+From: Pauli 
+Date: Fri, 26 Oct 2018 10:54:58 +1000
+Subject: [PATCH] Timing vulnerability in ECDSA signature generation
+ (CVE-2018-0735)
+
+Preallocate an extra limb for some of the big numbers to avoid a reallocation
+that can potentially provide a side channel.
+
+Reviewed-by: Bernd Edlinger 
+(Merged from https://github.com/openssl/openssl/pull/7486)
+
+(cherry picked from commit 99540ec79491f59ed8b46b4edf130e17dc907f52)
+---
+ crypto/ec/ec_mult.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
+index 22bb30ffa1..ff882cce20 100644
+--- a/crypto/ec/ec_mult.c
 b/crypto/ec/ec_mult.c
+@@ -177,8 +177,8 @@ static int ec_mul_consttime(const EC_GROUP *group, 
EC_POINT *r,
+  */
+ cardinality_bits = BN_num_bits(cardinality);
+ group_top = bn_get_top(cardinality);
+-if ((bn_wexpand(k, group_top + 1) == NULL)
+-|| (bn_wexpand(lambda, group_top + 1) == NULL))
++if ((bn_wexpand(k, group_top + 2) == NULL)
++|| (bn_wexpand(lambda, group_top + 2) == NULL))
+ goto err;
+ 
+ if (!BN_copy(k, scalar))
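Review bot: The change from `group_top + 1` to `group_top + 2` in the two `bn_wexpand` calls is not explained at the call site. The reason is only in the commit message: preallocate so that a reallocation cannot act as a timing side channel. A short comment above the `if`, such as `/* spare limbs so k and lambda are never reallocated below (CVE-2018-0735) */`, would keep a later cleanup from shrinking it again. The same literal recurs in the `BN_consttime_swap` call of the next hunk and in both hunks of openssl-1.1.1-CVE-2018-0735.patch, and those sizes have to stay equal to this one. ec_mul_consttime continues outside the hunk.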
+@@ -205,7 +205,7 @@ static int ec_mul_consttime(const EC_GROUP *group, 
EC_POINT *r,
+  * k := scalar + 2*cardinality
+  */
+ kbit = BN_is_bit_set(lambda, cardinality_bits);
+-BN_consttime_swap(kbit, k, lambda, group_top + 1);
++BN_consttime_swap(kbit, k, lambda, group_top + 2);
+ 
+ group_top = bn_get_top(group->field);
+ if ((bn_wexpand(s->X, group_top) == NULL)
+-- 
+2.19.1
+

diff --git a/dev-libs/openssl/files/openssl-1.1.1-CVE-2018-0735.patch 
b/dev-libs/openssl/files/openssl-1.1.1-CVE-2018-0735.patch
new file mode 100644
index 000..295f5dbe8d8
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.1-CVE-2018-0735.patch
@@ -0,0 +1,44 @@
+From b1d6d55ece1c26fa2829e2b819b038d7b6d692b4 Mon Sep 17 00:00:00 2001
+From: Pauli 
+Date: Fri, 26 Oct 2018 10:54:58 +1000
+Subject: [PATCH] Timing vulnerability in ECDSA signature generation
+ (CVE-2018-0735)
+
+Preallocate an extra limb for some of the big numbers to avoid a reallocation
+that can potentially provide a side channel.
+
+Reviewed-by: Bernd Edlinger 
+(Merged from https://github.com/openssl/openssl/pull/7486)
+
+(cherry picked from commit 99540ec79491f59ed8b46b4edf130e17dc907f52)
+---
+ crypto/ec/ec_mult.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
+index 7e1b3650e7..0e0a5e1394 100644
+--- a/crypto/ec/ec_mult.c
 b/crypto/ec/ec_mult.c
+@@ -206,8 +206,8 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT 
*r,
+  */
+ cardinality_bits = BN_num_bits(cardinality);
+ group_top = bn_get_top(cardinality);
+-if ((bn_wexpand(k, group_top + 1) == NULL)
+-|| (bn_wexpand(lambda, group_top + 1) == NULL)) {
++if ((bn_wexpand(k, group_top + 2) == NULL)
++|| (bn_wexpand(lambda, group_top + 2) == NULL)) {
+ ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB);
+ goto err;
+ }
+@@ -244,7 +244,7 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT 
*r,
+  * k := scalar + 2*cardinality
+  */
+ kbit = BN_is_bit_set(lambda, cardinality_bits);
+-BN_consttime_swap(kbit, k, lambda, group_top + 1);
++BN_consttime_swap(kbit, k, lambda, group_top + 2);
+ 
+ group_top = bn_get_top(group->field);
+ if ((bn_wexpand(s->X, group_top) == NULL)
+-- 
+2.19.1
+

diff --git a/dev-libs/openssl/openssl-1.1.0i.ebuild 
b/dev-libs/openssl/openssl-1.1.0i-r1.ebuild
similarity index 98%
rename from dev-libs/openssl/openssl-1.1.0i.ebuild
rename to dev-libs/openssl/openssl-1.1.0i-r1.ebuild
index f97d4157d7e..4cc9eb656d0 100644
--- a/dev-libs/openssl/openssl-1.1.0i.ebuild
+++ b/dev-libs/openssl/openssl-1.1.0i-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2018 Gentoo Foundation
+# Copyright 

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2018-08-31 Thread Thomas Deutschmann
commit: a759287ff6a18f8e07dcc1b571d1369dbace720c
Author: Thomas Deutschmann  gentoo  org>
AuthorDate: Fri Aug 31 20:44:18 2018 +
Commit: Thomas Deutschmann  gentoo  org>
CommitDate: Fri Aug 31 20:45:08 2018 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a759287f

dev-libs/openssl: fix USE=bindist

Update hobble ECC patch against openssl-1.0.2p [Link 1].

Link 1: 
https://github.com/openssl/openssl/commit/949ff36623eafc3523a9f91784992965018ffb05
Closes: https://bugs.gentoo.org/664254
Package-Manager: Portage-2.3.48, Repoman-2.3.10

 .../openssl/files/openssl-1.0.2p-hobble-ecc.patch  | 283 +
 dev-libs/openssl/openssl-1.0.2p.ebuild |   2 +-
 2 files changed, 284 insertions(+), 1 deletion(-)

diff --git a/dev-libs/openssl/files/openssl-1.0.2p-hobble-ecc.patch 
b/dev-libs/openssl/files/openssl-1.0.2p-hobble-ecc.patch
new file mode 100644
index 000..3a458a78360
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.0.2p-hobble-ecc.patch
@@ -0,0 +1,283 @@
+Port of Fedora's Hobble-EC patches for OpenSSL 1.0 series.
+
+From https://src.fedoraproject.org/git/rpms/openssl.git
+
+Contains parts of the following patches, rediffed. The patches are on various
+different branches.
+f23 openssl-1.0.2c-ecc-suiteb.patch
+f23 openssl-1.0.2a-fips-ec.patch
+f28 openssl-1.1.0-ec-curves.patch
+
+Signed-off-By: Robin H. Johnson 
+
+--- a/apps/speed.c
 b/apps/speed.c
+@@ -989,10 +989,7 @@ int MAIN(int argc, char **argv)
+ } else
+ # endif
+ # ifndef OPENSSL_NO_ECDSA
+-if (strcmp(*argv, "ecdsap160") == 0)
+-ecdsa_doit[R_EC_P160] = 2;
+-else if (strcmp(*argv, "ecdsap192") == 0)
+-ecdsa_doit[R_EC_P192] = 2;
++  if (0) {}
+ else if (strcmp(*argv, "ecdsap224") == 0)
+ ecdsa_doit[R_EC_P224] = 2;
+ else if (strcmp(*argv, "ecdsap256") == 0)
+@@ -1001,36 +998,13 @@ int MAIN(int argc, char **argv)
+ ecdsa_doit[R_EC_P384] = 2;
+ else if (strcmp(*argv, "ecdsap521") == 0)
+ ecdsa_doit[R_EC_P521] = 2;
+-else if (strcmp(*argv, "ecdsak163") == 0)
+-ecdsa_doit[R_EC_K163] = 2;
+-else if (strcmp(*argv, "ecdsak233") == 0)
+-ecdsa_doit[R_EC_K233] = 2;
+-else if (strcmp(*argv, "ecdsak283") == 0)
+-ecdsa_doit[R_EC_K283] = 2;
+-else if (strcmp(*argv, "ecdsak409") == 0)
+-ecdsa_doit[R_EC_K409] = 2;
+-else if (strcmp(*argv, "ecdsak571") == 0)
+-ecdsa_doit[R_EC_K571] = 2;
+-else if (strcmp(*argv, "ecdsab163") == 0)
+-ecdsa_doit[R_EC_B163] = 2;
+-else if (strcmp(*argv, "ecdsab233") == 0)
+-ecdsa_doit[R_EC_B233] = 2;
+-else if (strcmp(*argv, "ecdsab283") == 0)
+-ecdsa_doit[R_EC_B283] = 2;
+-else if (strcmp(*argv, "ecdsab409") == 0)
+-ecdsa_doit[R_EC_B409] = 2;
+-else if (strcmp(*argv, "ecdsab571") == 0)
+-ecdsa_doit[R_EC_B571] = 2;
+ else if (strcmp(*argv, "ecdsa") == 0) {
+-for (i = 0; i < EC_NUM; i++)
++for (i = R_EC_P224; i < R_EC_P521; i++)
+ ecdsa_doit[i] = 1;
+ } else
+ # endif
+ # ifndef OPENSSL_NO_ECDH
+-if (strcmp(*argv, "ecdhp160") == 0)
+-ecdh_doit[R_EC_P160] = 2;
+-else if (strcmp(*argv, "ecdhp192") == 0)
+-ecdh_doit[R_EC_P192] = 2;
++  if (0) {}
+ else if (strcmp(*argv, "ecdhp224") == 0)
+ ecdh_doit[R_EC_P224] = 2;
+ else if (strcmp(*argv, "ecdhp256") == 0)
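Review bot: The `ecdsa` shortcut loop is written `for (i = R_EC_P224; i < R_EC_P521; i++)`, so it never sets `ecdsa_doit[R_EC_P521]`, while the matching `ecdh` loop in the next hunk uses `<=`. Assuming R_EC_P521 is the last curve this patch leaves enabled (its definition is outside the hunk), selecting `ecdsa` skips P-521 where `ecdh` includes it. The bound should read `for (i = R_EC_P224; i <= R_EC_P521; i++)`. The enclosing MAIN body starts and ends outside the hunk.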
+@@ -1039,28 +1013,8 @@ int MAIN(int argc, char **argv)
+ ecdh_doit[R_EC_P384] = 2;
+ else if (strcmp(*argv, "ecdhp521") == 0)
+ ecdh_doit[R_EC_P521] = 2;
+-else if (strcmp(*argv, "ecdhk163") == 0)
+-ecdh_doit[R_EC_K163] = 2;
+-else if (strcmp(*argv, "ecdhk233") == 0)
+-ecdh_doit[R_EC_K233] = 2;
+-else if (strcmp(*argv, "ecdhk283") == 0)
+-ecdh_doit[R_EC_K283] = 2;
+-else if (strcmp(*argv, "ecdhk409") == 0)
+-ecdh_doit[R_EC_K409] = 2;
+-else if (strcmp(*argv, "ecdhk571") == 0)
+-ecdh_doit[R_EC_K571] = 2;
+-else if (strcmp(*argv, "ecdhb163") == 0)
+-ecdh_doit[R_EC_B163] = 2;
+-else if (strcmp(*argv, "ecdhb233") == 0)
+-ecdh_doit[R_EC_B233] = 2;
+-else if (strcmp(*argv, "ecdhb283") == 0)
+-ecdh_doit[R_EC_B283] = 2;
+-else if (strcmp(*argv, "ecdhb409") == 0)
+-ecdh_doit[R_EC_B409] = 2;
+-else if (strcmp(*argv, "ecdhb571") == 0)
+-ecdh_doit[R_EC_B571] = 2;
+ else if (strcmp(*argv, "ecdh") == 0) {
+-for (i = 0; i < EC_NUM; i++)
++  for (i = R_EC_P224; i <= R_EC_P521; i++)
+ ecdh_doit[i] = 1;
+ } else
+ # endif
+@@ -1149,21 +1103,13 @@ int MAIN(int argc, char **argv)
+ BIO_printf(bio_err, "dsa512  

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2018-08-14 Thread Lars Wendler
commit: 4ecf2957ca3d36dca9ba2a820bcef7b734780a07
Author: Lars Wendler  gentoo  org>
AuthorDate: Tue Aug 14 13:53:31 2018 +
Commit: Lars Wendler  gentoo  org>
CommitDate: Tue Aug 14 13:53:56 2018 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4ecf2957

dev-libs/openssl: Bump to version 1.1.0i. Removed old.

Package-Manager: Portage-2.3.46, Repoman-2.3.10

 dev-libs/openssl/Manifest  |  8 ++---
 .../files/openssl-1.1.0h-CVE-2018-0732.patch   | 39 --
 .../files/openssl-1.1.0h-CVE-2018-0737.patch   | 31 -
 ...nssl-1.1.0h-r2.ebuild => openssl-1.1.0i.ebuild} |  2 --
 4 files changed, 4 insertions(+), 76 deletions(-)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index c8f76950a4e..f405455302b 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -6,8 +6,8 @@ DIST openssl-1.0.2o_ectest.c 30735 BLAKE2B 
95333a27f1cf0a4305a3cee7f6d46b9d46735
 DIST openssl-1.0.2o_hobble-openssl 1302 BLAKE2B 
647caa6a0f4c53a2e77baa3b8e5961eaef3bb0ff38e7d5475eab8deef3439f7fe49028ec9ed0406f3453870b62cac67c496b3a048ee4c9ff4c6866d520235960
 SHA512 
3d757a4708e74a03dd5cb9b8114dfe442ed9520739a6eca693be4c4265771696f1449ea06d1c9bcfc6e94fc9b0dd0c10e153f1c3b0334831c0550b36cd63326e
 DIST openssl-1.1.0-build.patch 3028 BLAKE2B 
f8cf981ed3717af234ce02fa50f27cdbcbf2b766968a5957fc6f0a4ea997549505fa77398444d7f3b9a75f66048447fe62542b9cb1d5f0268add87c44915a6fd
 SHA512 
b19a912900970052f80c67f28975e793ae9e70ebfc62efae0544e09931079e98c4cd29ce1cc8d937ceca97aff9a12fdc1ff9ce6c2b47fea68c79e7065464a0f0
 DIST openssl-1.1.0-ec-curves.patch 2967 BLAKE2B 
1c639514445ea85cf731732aa7901b5a03ddb5f637b0483ab2ec6825433ad978723c5a07316db684bdaca4a12fc673b4e049a49c0cd4dbe5f25a5e2bd3b75cf5
 SHA512 
8fb9c6759ae2077ad3697ba77e85ab3970fd8b3f64b21eb260b4f6333b7ebf2f5a53c7eee311229edfbd96a2b904ec5e5e00dfa5b62cf1105fece13069077bd2
-DIST openssl-1.1.0h.tar.gz 5422717 BLAKE2B 
11de1468855c0bb1836fb346c8efdfedd06139a774fc4dbae1b0e95fea7a33aa39b541e3d2d27f83f2b5f4dd3846cca2356020aa6ec81793085842ab78b3a127
 SHA512 
fb7750fcd98e6126eb5b92e7ed63d811a5cfa3391d98572003d925f6c7b477690df86a9aa1fa6bf6bf33d02c6c7aee6cff50a38faa8911409f310645898fda39
-DIST openssl-1.1.0h_ec_curve.c 18393 BLAKE2B 
49dca7ddbc23270e5927454925df7bb18c8d9eb58f79e3a4fbcd8b7fc22fad36e2cb54ff9b63c2ba15c0c075a96e4ce8d03991355419af41fa9dc2aed3ad
 SHA512 
ee3e576825bccdf02cede4205ab92c42ae9dd3a8e75ce58617a3a5980a61d144eb3c5197d9dcd378a5d49bf34c4b2f591aa6a619fee92b7a22825d72681ab879
-DIST openssl-1.1.0h_ectest.c 29907 BLAKE2B 
73dc800c1de5449f14d7753f7f7b8e672cd36bd4570e6df07f246d1d823c7dbbeef492f25cdd0ebfd693f5956732bc84c9d91fc6a22c854fe4b245ecf3890bda
 SHA512 
90cec9d46326cb7216236811c8e963032b6fa7500117cea36f28534eb50a5ab1260c7f9a5c8c490d845236b0769576a8d97bc7471f970e9c5e70cb3408c20dae
-DIST openssl-1.1.0h_hobble-openssl 1117 BLAKE2B 
c3a1477e63331e83cf1cbe58e9ef131ec500a311e22d3da55034800ca353c387b2e202575acf3badb00b236ff91d4bac1bb131a33930939646d26bec27be6e04
 SHA512 
fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826
+DIST openssl-1.1.0i.tar.gz 5453234 BLAKE2B 
ae6bec9c116769d98a77165b96fb7d201fe2ede8ee98e3cb68eba496cc90a5fae38dbcbb68b824c9eeacb25605aa80c3ccca9b4f00725658da3ad646834b0f9d
 SHA512 
4a9d454031f644a3072a980f4ea20df976f6c5c58178549dfa62fd4dcf1417509e3be517d2ccb265c87688836f2993531b142fc5971bac5c41d33060057627df
+DIST openssl-1.1.0i_ec_curve.c 18393 BLAKE2B 
49dca7ddbc23270e5927454925df7bb18c8d9eb58f79e3a4fbcd8b7fc22fad36e2cb54ff9b63c2ba15c0c075a96e4ce8d03991355419af41fa9dc2aed3ad
 SHA512 
ee3e576825bccdf02cede4205ab92c42ae9dd3a8e75ce58617a3a5980a61d144eb3c5197d9dcd378a5d49bf34c4b2f591aa6a619fee92b7a22825d72681ab879
+DIST openssl-1.1.0i_ectest.c 29908 BLAKE2B 
b398bafd5d5aea71daa9c3e2749dece9e515950e35547a6191d83987907aae73e090a4b552636af4d1ab2b39f7e3b1ea3fde2012c99f068f9c99d247996c1212
 SHA512 
e4445f8959b040caca6a7494da2026b840f84348df5d4eab47a68570d274333f62fa0c381955093edd86c857dad98595ffa2980c54afdcf2a8d32f32d0c70450
+DIST openssl-1.1.0i_hobble-openssl 1117 BLAKE2B 
c3a1477e63331e83cf1cbe58e9ef131ec500a311e22d3da55034800ca353c387b2e202575acf3badb00b236ff91d4bac1bb131a33930939646d26bec27be6e04
 SHA512 
fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826
 DIST openssl-1.1.1-pre8.tar.gz 8334954 BLAKE2B 
97cd018908925abd5a4eb660b3488b23efb582dd49dd87504e5522b2e9c5c6500417ef4893590a60ce35cfa316de51bfbf3e448e9cb2a5858ecd8ae72722922d
 SHA512 
33b20f8589e0ba67500993635e1ba7f7f7ce2b6fa1eb8d4d7c44711ff047045dde57ad7e0605377c2b030fc954a3fb9b1f1d68feac2080991ef2b1b72a761041

diff --git a/dev-libs/openssl/files/openssl-1.1.0h-CVE-2018-0732.patch 
b/dev-libs/openssl/files/openssl-1.1.0h-CVE-2018-0732.patch
deleted file mode 100644
index e7dfba43f2a..000
--- 

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2018-06-11 Thread Robin H. Johnson
commit: 93630094c0989383439d077f02be5c65d838fae0
Author: Robin H. Johnson  gentoo  org>
AuthorDate: Mon Jun 11 13:56:19 2018 +
Commit: Robin H. Johnson  gentoo  org>
CommitDate: Mon Jun 11 13:58:33 2018 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=93630094

dev-libs/openssl: Add Fedora Hobble-EC patch

With this patch present, USE=bindist should now provide enough EC
functionality to be used by most packages.

Signed-off-by: Robin H. Johnson  gentoo.org>
Package-Manager: Portage-2.3.33, Repoman-2.3.9

 .../openssl/files/openssl-1.0.2o-hobble-ecc.patch  | 290 
 dev-libs/openssl/openssl-1.0.2o-r5.ebuild  | 296 +
 2 files changed, 586 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-1.0.2o-hobble-ecc.patch 
b/dev-libs/openssl/files/openssl-1.0.2o-hobble-ecc.patch
new file mode 100644
index 000..e105fe45e45
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.0.2o-hobble-ecc.patch
@@ -0,0 +1,290 @@
+Port of Fedora's Hobble-EC patches for OpenSSL 1.0 series.
+
+From https://src.fedoraproject.org/git/rpms/openssl.git
+
+Contains parts of the following patches, rediffed. The patches are on various
+different branches.
+f23 openssl-1.0.2c-ecc-suiteb.patch
+f23 openssl-1.0.2a-fips-ec.patch
+f28 openssl-1.1.0-ec-curves.patch
+
+Signed-off-By: Robin H. Johnson 
+
+diff -Nuar --exclude ec_curve.c -p openssl-1.0.2m.hobble/apps/speed.c 
openssl-1.0.2m.mod/apps/speed.c
+--- openssl-1.0.2m.hobble/apps/speed.c 2017-11-02 07:32:57.0 -0700
 openssl-1.0.2m.mod/apps/speed.c2018-06-10 19:00:09.264550382 -0700
+@@ -989,10 +989,7 @@ int MAIN(int argc, char **argv)
+ } else
+ # endif
+ # ifndef OPENSSL_NO_ECDSA
+-if (strcmp(*argv, "ecdsap160") == 0)
+-ecdsa_doit[R_EC_P160] = 2;
+-else if (strcmp(*argv, "ecdsap192") == 0)
+-ecdsa_doit[R_EC_P192] = 2;
++  if (0) {}
+ else if (strcmp(*argv, "ecdsap224") == 0)
+ ecdsa_doit[R_EC_P224] = 2;
+ else if (strcmp(*argv, "ecdsap256") == 0)
+@@ -1001,36 +998,13 @@ int MAIN(int argc, char **argv)
+ ecdsa_doit[R_EC_P384] = 2;
+ else if (strcmp(*argv, "ecdsap521") == 0)
+ ecdsa_doit[R_EC_P521] = 2;
+-else if (strcmp(*argv, "ecdsak163") == 0)
+-ecdsa_doit[R_EC_K163] = 2;
+-else if (strcmp(*argv, "ecdsak233") == 0)
+-ecdsa_doit[R_EC_K233] = 2;
+-else if (strcmp(*argv, "ecdsak283") == 0)
+-ecdsa_doit[R_EC_K283] = 2;
+-else if (strcmp(*argv, "ecdsak409") == 0)
+-ecdsa_doit[R_EC_K409] = 2;
+-else if (strcmp(*argv, "ecdsak571") == 0)
+-ecdsa_doit[R_EC_K571] = 2;
+-else if (strcmp(*argv, "ecdsab163") == 0)
+-ecdsa_doit[R_EC_B163] = 2;
+-else if (strcmp(*argv, "ecdsab233") == 0)
+-ecdsa_doit[R_EC_B233] = 2;
+-else if (strcmp(*argv, "ecdsab283") == 0)
+-ecdsa_doit[R_EC_B283] = 2;
+-else if (strcmp(*argv, "ecdsab409") == 0)
+-ecdsa_doit[R_EC_B409] = 2;
+-else if (strcmp(*argv, "ecdsab571") == 0)
+-ecdsa_doit[R_EC_B571] = 2;
+ else if (strcmp(*argv, "ecdsa") == 0) {
+-for (i = 0; i < EC_NUM; i++)
++for (i = R_EC_P224; i < R_EC_P521; i++)
+ ecdsa_doit[i] = 1;
+ } else
+ # endif
+ # ifndef OPENSSL_NO_ECDH
+-if (strcmp(*argv, "ecdhp160") == 0)
+-ecdh_doit[R_EC_P160] = 2;
+-else if (strcmp(*argv, "ecdhp192") == 0)
+-ecdh_doit[R_EC_P192] = 2;
++  if (0) {}
+ else if (strcmp(*argv, "ecdhp224") == 0)
+ ecdh_doit[R_EC_P224] = 2;
+ else if (strcmp(*argv, "ecdhp256") == 0)
+@@ -1039,28 +1013,8 @@ int MAIN(int argc, char **argv)
+ ecdh_doit[R_EC_P384] = 2;
+ else if (strcmp(*argv, "ecdhp521") == 0)
+ ecdh_doit[R_EC_P521] = 2;
+-else if (strcmp(*argv, "ecdhk163") == 0)
+-ecdh_doit[R_EC_K163] = 2;
+-else if (strcmp(*argv, "ecdhk233") == 0)
+-ecdh_doit[R_EC_K233] = 2;
+-else if (strcmp(*argv, "ecdhk283") == 0)
+-ecdh_doit[R_EC_K283] = 2;
+-else if (strcmp(*argv, "ecdhk409") == 0)
+-ecdh_doit[R_EC_K409] = 2;
+-else if (strcmp(*argv, "ecdhk571") == 0)
+-ecdh_doit[R_EC_K571] = 2;
+-else if (strcmp(*argv, "ecdhb163") == 0)
+-ecdh_doit[R_EC_B163] = 2;
+-else if (strcmp(*argv, "ecdhb233") == 0)
+-ecdh_doit[R_EC_B233] = 2;
+-else if (strcmp(*argv, "ecdhb283") == 0)
+-ecdh_doit[R_EC_B283] = 2;
+-else if (strcmp(*argv, "ecdhb409") == 0)
+-ecdh_doit[R_EC_B409] = 2;
+-else if (strcmp(*argv, "ecdhb571") == 0)
+-ecdh_doit[R_EC_B571] = 2;
+ else if (strcmp(*argv, "ecdh") == 0) {
+-for (i = 0; i < EC_NUM; i++)
++  for (i = 
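Review bot: The rewritten `ecdsa` loop in the `@@ -1001,36 +998,13 @@` hunk stops one index short: `for (i = R_EC_P224; i < R_EC_P521; i++)` never sets `ecdsa_doit[R_EC_P521]`, so the catch-all `ecdsa` argument would skip P-521 even though the explicit `ecdsap521` branch is kept. The copy of this same patch earlier on the page writes the matching ecdh loop with `<=`, which suggests the bound here should be `for (i = R_EC_P224; i <= R_EC_P521; i++)`. This assumes the R_EC_* indices for P224 through P521 are contiguous and in that order, as the order of the per-curve branches implies. The message is cut off on this page inside the ecdh loop, so the rest of the patch could not be checked.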

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/

2018-05-12 Thread Robin H. Johnson
commit: 9fe32836f19db9b4c614e0e6d563ac267ba21e2f
Author: Conrad Kostecki  kostecki  com>
AuthorDate: Thu Apr 26 20:18:45 2018 +
Commit: Robin H. Johnson  gentoo  org>
CommitDate: Sat May 12 20:25:45 2018 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9fe32836

dev-libs/openssl: use aarch64 machine for arm64 arch

Closes: https://bugs.gentoo.org/638926
Package-Manager: Portage-2.3.24, Repoman-2.3.6
(cherry picked from commit d1a9b4ac497aa915d51b40c56f160619c62b801a)
Signed-off-by: Robin H. Johnson  gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/7306

 dev-libs/openssl/files/gentoo.config-1.0.2 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/dev-libs/openssl/files/gentoo.config-1.0.2 
b/dev-libs/openssl/files/gentoo.config-1.0.2
index 37b83cc2e7b..d16175e6292 100644
--- a/dev-libs/openssl/files/gentoo.config-1.0.2
+++ b/dev-libs/openssl/files/gentoo.config-1.0.2
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# Copyright 1999-2017 Gentoo Foundation
+# Copyright 1999-2018 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 #
 # Openssl doesn't play along nicely with cross-compiling
@@ -81,8 +81,8 @@ chost_machine=${CHOST%%-*}
 case ${system} in
 linux)
case ${chost_machine}:${ABI} in
-   aarch64*be*)  machine="generic64 -DB_ENDIAN";;
-   aarch64*) machine="generic64 -DL_ENDIAN";;
+   aarch64*be*)  machine="aarch64 -DB_ENDIAN";;
+   aarch64*) machine="aarch64 -DL_ENDIAN";;
alphaev56*|\
alphaev[678]*)machine=alpha+bwx-${compiler};;
alpha*)   machine=alpha-${compiler};;



[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/

2018-05-04 Thread Lars Wendler
commit: 78d4a40a859636e46a150be8f53817faabb29744
Author: Michael Mair-Keimberger  gmail  com>
AuthorDate: Sat Apr 28 07:58:59 2018 +
Commit: Lars Wendler  gentoo  org>
CommitDate: Fri May  4 07:18:28 2018 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=78d4a40a

dev-libs/openssl: remove unused patch

Closes: https://github.com/gentoo/gentoo/pull/8189

 .../files/openssl-1.1.0g-CVE-2017-3738.patch   | 77 --
 1 file changed, 77 deletions(-)

diff --git a/dev-libs/openssl/files/openssl-1.1.0g-CVE-2017-3738.patch 
b/dev-libs/openssl/files/openssl-1.1.0g-CVE-2017-3738.patch
deleted file mode 100644
index 4b01feb8e87..000
--- a/dev-libs/openssl/files/openssl-1.1.0g-CVE-2017-3738.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From e502cc86df9dafded1694fceb3228ee34d11c11a Mon Sep 17 00:00:00 2001
-From: Andy Polyakov 
-Date: Fri, 24 Nov 2017 11:35:50 +0100
-Subject: [PATCH] bn/asm/rsaz-avx2.pl: fix digit correction bug in
- rsaz_1024_mul_avx2.
-
-Credit to OSS-Fuzz for finding this.
-
-CVE-2017-3738
-
-Reviewed-by: Rich Salz 

- crypto/bn/asm/rsaz-avx2.pl | 15 +++
- 1 file changed, 7 insertions(+), 8 deletions(-)
-
-diff --git a/crypto/bn/asm/rsaz-avx2.pl b/crypto/bn/asm/rsaz-avx2.pl
-index 0c1b236ef98..46d746b7d0e 100755
 a/crypto/bn/asm/rsaz-avx2.pl
-+++ b/crypto/bn/asm/rsaz-avx2.pl
-@@ -246,7 +246,7 @@
-   vmovdqu 32*8-128($ap), $ACC8
- 
-   lea 192(%rsp), $tp0 # 64+128=192
--  vpbroadcastq.Land_mask(%rip), $AND_MASK
-+  vmovdqu .Land_mask(%rip), $AND_MASK
-   jmp .LOOP_GRANDE_SQR_1024
- 
- .align32
-@@ -1077,10 +1077,10 @@
-   vpmuludq32*6-128($np),$Yi,$TEMP1
-   vpaddq  $TEMP1,$ACC6,$ACC6
-   vpmuludq32*7-128($np),$Yi,$TEMP2
--   vpblendd   \$3, $ZERO, $ACC9, $ACC9# correct $ACC3
-+   vpblendd   \$3, $ZERO, $ACC9, $TEMP1   # correct $ACC3
-   vpaddq  $TEMP2,$ACC7,$ACC7
-   vpmuludq32*8-128($np),$Yi,$TEMP0
--   vpaddq $ACC9, $ACC3, $ACC3 # correct $ACC3
-+   vpaddq $TEMP1, $ACC3, $ACC3# correct $ACC3
-   vpaddq  $TEMP0,$ACC8,$ACC8
- 
-   mov %rbx, %rax
-@@ -1093,7 +1093,9 @@
-vmovdqu-8+32*2-128($ap),$TEMP2
- 
-   mov $r1, %rax
-+   vpblendd   \$0xfc, $ZERO, $ACC9, $ACC9 # correct $ACC3
-   imull   $n0, %eax
-+   vpaddq $ACC9,$ACC4,$ACC4   # correct $ACC3
-   and \$0x1fff, %eax
- 
-imulq  16-128($ap),%rbx
-@@ -1329,15 +1331,12 @@
- # But as we underutilize resources, it's possible to correct in
- # each iteration with marginal performance loss. But then, as
- # we do it in each iteration, we can correct less digits, and
--# avoid performance penalties completely. Also note that we
--# correct only three digits out of four. This works because
--# most significant digit is subjected to less additions.
-+# avoid performance penalties completely.
- 
- $TEMP0 = $ACC9;
- $TEMP3 = $Bi;
- $TEMP4 = $Yi;
- $code.=<<___;
--  vpermq  \$0, $AND_MASK, $AND_MASK
-   vpaddq  (%rsp), $TEMP1, $ACC0
- 
-   vpsrlq  \$29, $ACC0, $TEMP1
-@@ -1770,7 +1769,7 @@
- 
- .align64
- .Land_mask:
--  .quad   0x1fff,0x1fff,0x1fff,-1
-+  .quad   0x1fff,0x1fff,0x1fff,0x1fff
- .Lscatter_permd:
-   .long   0,2,4,6,7,7,7,7
- .Lgather_permd:



[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2018-04-17 Thread Thomas Deutschmann
commit: 30945a68d3d4c98433363ed73475b8233ac02118
Author: Thomas Deutschmann  gentoo  org>
AuthorDate: Tue Apr 17 20:50:09 2018 +
Commit: Thomas Deutschmann  gentoo  org>
CommitDate: Tue Apr 17 20:50:30 2018 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=30945a68

dev-libs/openssl: Rev bump to add patch for CVE-2018-0737

Bug: https://bugs.gentoo.org/653434
Package-Manager: Portage-2.3.28, Repoman-2.3.9

 dev-libs/openssl/Manifest  |   1 +
 .../files/openssl-1.1.0h-CVE-2018-0737.patch   |  31 +++
 dev-libs/openssl/openssl-1.0.2o-r1.ebuild  | 251 ++
 dev-libs/openssl/openssl-1.1.0h-r1.ebuild  | 284 +
 4 files changed, 567 insertions(+)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 1b87ae73a6b..51a22aaeb52 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,6 +1,7 @@
 DIST openssl-0.9.8zh.tar.gz 3818524 BLAKE2B 
610bb4858900983cf4519fa8b63f1e03b3845e39e68884fd8bebd738cd5cd6c2c75513643af49bf9e2294adc446a6516480fe9b62de55d9b6379bf9e7c5cd364
 SHA512 
b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6
 DIST openssl-1.0.2-patches-1.0.tar.xz 11572 BLAKE2B 
bdb9d2b8388f1aadf3a9274133aa8f86b0029fae1ce86d005baa39a7347657f8d4d84395b54e8ccd67944356ee197dfb527f843b4f146e305533e2ad5450721d
 SHA512 
15234ade359a0acf001cf10c7a7fc05f54603a44c67831529c2a6eda03342f9ba1cf40664ac782b5b73c50b23ec5649fb48ccff2aea8f0df2ef634959c47e3e9
 DIST openssl-1.0.2-patches-1.2.tar.xz 12208 BLAKE2B 
99b7a3538aeeecf8e1939fb08d26e2ce6aa4140488f0f6fc382a4f0dbdd67a0204c4689809e9d170148ad6686d4dbf0c8fc95802712270b0ea5720bc06c8fbbf
 SHA512 
5e5739ab7132e986abe9704739dab2ccd16df9696318ed29762d4ee0245fd2645f9435f7340ba36edd5531a83e48489fc659ad78c09ded0e0d021dd5a3906ea6
+DIST openssl-1.0.2-patches-1.3.tar.xz 12592 BLAKE2B 
bce0c289ae689091fe62e9c0d7d631cd915fd17beb81b0879931e0414f25c8a08425a08514e28ea7e81c1be23cf162f3bcad7cc3933f2378f53decabd3a7903d
 SHA512 
3ad3efa45eddb733e3db9c406f9f651dbf939bbb13debbcab12b49ecf72490a4868b1563de60ee106483c1b23bd2092fc58c8fc911fe62a019cb97d738163723
 DIST openssl-1.0.2n.tar.gz 5375802 BLAKE2B 
2e04f8c3d5e2296859b8474d7e100e270f53f18a26c6d37a4cf5e01cd14f44d24d334b4e705da05d77c33b5dc91cffea0feea9f7c83c77ba16c9b6d5f5085894
 SHA512 
144bf0d6aa27b4af01df0b7b734c39962649e1711554247d42e05e14d8945742b18745aefdba162e2dfc762b941fd7d3b2d5dc6a781ae4ba10a6f5a3cadb0687
 DIST openssl-1.0.2o.tar.gz 5329472 BLAKE2B 
30226db49be04317da3a76cce68d5aa401decd198f92505bddb0c72a7ef6a79f3c9c06d4a816db734e2a0991ebcab8b207feced26d83639e50c821d9e76ddc45
 SHA512 
8a2c93657c85143e76785bb32ee836908c31a6f5f8db993fa9777acba6079e630c03edbad65d1587199fc13a1507789eacf038b56eb99139c2091d9df7fd
 DIST openssl-1.1.0-build.patch 3028 BLAKE2B 
f8cf981ed3717af234ce02fa50f27cdbcbf2b766968a5957fc6f0a4ea997549505fa77398444d7f3b9a75f66048447fe62542b9cb1d5f0268add87c44915a6fd
 SHA512 
b19a912900970052f80c67f28975e793ae9e70ebfc62efae0544e09931079e98c4cd29ce1cc8d937ceca97aff9a12fdc1ff9ce6c2b47fea68c79e7065464a0f0

diff --git a/dev-libs/openssl/files/openssl-1.1.0h-CVE-2018-0737.patch 
b/dev-libs/openssl/files/openssl-1.1.0h-CVE-2018-0737.patch
new file mode 100644
index 000..34c9cc02fa7
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.0h-CVE-2018-0737.patch
@@ -0,0 +1,31 @@
+From 349a41da1ad88ad87825414752a8ff5fdd6a6c3f Mon Sep 17 00:00:00 2001
+From: Billy Brumley 
+Date: Wed, 11 Apr 2018 10:10:58 +0300
+Subject: [PATCH] RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont
+ both get called with BN_FLG_CONSTTIME flag set.
+
+CVE-2018-0737
+
+Reviewed-by: Rich Salz 
+Reviewed-by: Matt Caswell 
+(cherry picked from commit 6939eab03a6e23d2bd2c3f5e34fe1d48e542e787)
+---
+ crypto/rsa/rsa_gen.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
+index 9ca5dfe..42b89a8 100644
+--- a/crypto/rsa/rsa_gen.c
 b/crypto/rsa/rsa_gen.c
+@@ -156,6 +156,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM 
*e_value,
+ if (BN_copy(rsa->e, e_value) == NULL)
+ goto err;
+ 
++BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
++BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
+ BN_set_flags(r2, BN_FLG_CONSTTIME);
+ /* generate p and q */
+ for (;;) {
+-- 
+2.7.4
+
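Review bot: The two added `BN_set_flags` calls in `rsa_builtin_keygen` have no comment explaining why the flag is set on `rsa->p` and `rsa->q` before either prime has been generated, so they read as misplaced next to the existing `r2` line. A one-line comment would record the intent given in the subject, for example `/* p and q are secret: flag them up front so BN_mod_inverse and BN_mod_exp_mont take their constant-time paths */`. The hunk does not show where `rsa->p` and `rsa->q` are allocated, so it is worth confirming that both are non-NULL at this point. The function body starts and ends outside the hunk.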

diff --git a/dev-libs/openssl/openssl-1.0.2o-r1.ebuild 
b/dev-libs/openssl/openssl-1.0.2o-r1.ebuild
new file mode 100644
index 000..256e230d7cf
--- /dev/null
+++ b/dev-libs/openssl/openssl-1.0.2o-r1.ebuild
@@ -0,0 +1,251 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+
+inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
+
+PATCH_SET="openssl-1.0.2-patches-1.3"
+MY_P=${P/_/-}
+DESCRIPTION="full-strength general purpose 

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2017-12-28 Thread Thomas Deutschmann
commit: e2a23951221fb5f24e6dfa7d01d17ce4fe64d750
Author: Thomas Deutschmann  gentoo  org>
AuthorDate: Fri Dec 29 01:56:56 2017 +
Commit: Thomas Deutschmann  gentoo  org>
CommitDate: Fri Dec 29 01:57:10 2017 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e2a23951

dev-libs/openssl: Rev bump to allow building with Perl 5.26

Ebuild changes:
===
- EAPI bumped to EAPI=6

- Added patch for '.' in @INC (thanks to Joakim Gebart Nohlgård)

Closes: https://bugs.gentoo.org/639876
Package-Manager: Portage-2.3.19, Repoman-2.3.6

 .../files/openssl-0.9.8z_p8-perl-5.26.patch|  13 ++
 dev-libs/openssl/openssl-0.9.8z_p8-r1.ebuild   | 167 +
 2 files changed, 180 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-0.9.8z_p8-perl-5.26.patch 
b/dev-libs/openssl/files/openssl-0.9.8z_p8-perl-5.26.patch
new file mode 100644
index 000..c932b820425
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-0.9.8z_p8-perl-5.26.patch
@@ -0,0 +1,13 @@
+https://bugs.gentoo.org/639876
+
+--- a/crypto/des/asm/des-586.pl
 b/crypto/des/asm/des-586.pl
+@@ -4,7 +4,7 @@
+ # Svend Olaf Mikkelsen 
+ #
+ 
+-push(@INC,"perlasm","../../perlasm");
++push(@INC,".","perlasm","../../perlasm");
+ require "x86asm.pl";
+ require "cbc.pl";
+ require "desboth.pl";
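Review bot: Pushing `"."` onto `@INC` in des-586.pl restores lookup of `require`d files in the current working directory, which is the default Perl 5.26 removed. Which `desboth.pl` gets loaded then depends on where the build is started rather than on where the script lives. If the helper files sit next to des-586.pl (not visible in this hunk), anchoring the lookup to the script's own directory is more robust: `use FindBin; push(@INC,$FindBin::Bin,"perlasm","../../perlasm");`. The two existing entries are also relative to the working directory, so this hardens the generator rather than closing a new hole. Because the entry is appended last, it is only consulted after the other paths fail.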

diff --git a/dev-libs/openssl/openssl-0.9.8z_p8-r1.ebuild 
b/dev-libs/openssl/openssl-0.9.8z_p8-r1.ebuild
new file mode 100644
index 000..5fcc6d8ea4e
--- /dev/null
+++ b/dev-libs/openssl/openssl-0.9.8z_p8-r1.ebuild
@@ -0,0 +1,167 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+# this ebuild is only for the libcrypto.so.0.9.8 and libssl.so.0.9.8 SONAME 
for ABI compat
+
+EAPI="6"
+
+inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
+
+#PLEVEL=$(printf "\\$(printf '%03o' $((${PV##*_p} + 96)))")
+PLEVEL='h' # _p8 -> tr '[1-9]' '[a-i]' -> 'h'
+MY_PV=${PV/_p*/${PLEVEL}}
+MY_P=${PN}-${MY_PV}
+S="${WORKDIR}/${MY_P}"
+DESCRIPTION="Toolkit for SSL v2/v3 and TLS v1"
+HOMEPAGE="https://www.openssl.org/;
+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
+
+LICENSE="openssl"
+SLOT="0.9.8"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh 
~sparc ~x86 ~sparc-fbsd ~x86-fbsd"
+IUSE="bindist gmp kerberos cpu_flags_x86_sse2 test zlib"
+RESTRICT="!bindist? ( bindist )"
+
+RDEPEND="gmp? ( >=dev-libs/gmp-5.1.3-r1[${MULTILIB_USEDEP}] )
+   zlib? ( >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}] )
+   kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
+   abi_x86_32? (
+   !<=app-emulation/emul-linux-x86-baselibs-20140508-r4
+   !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)]
+   )
+   !=dev-libs/openssl-0.9.8*:0"
+DEPEND="${RDEPEND}
+   >=dev-lang/perl-5
+   test? (
+   sys-apps/diffutils
+   sys-devel/bc
+   )"
+
+# Do not install any docs
+DOCS=()
+
+PATCHES=(
+   "${FILESDIR}"/${PN}-0.9.8e-bsd-sparc64.patch
+   "${FILESDIR}"/${PN}-0.9.8h-ldflags.patch #181438
+   "${FILESDIR}"/${PN}-0.9.8m-binutils.patch #289130
+   "${FILESDIR}"/${PN}-0.9.8z_p8-perl-5.26.patch
+)
+
+src_prepare() {
+   default
+
+   # disable fips in the build
+   # make sure the man pages are suffixed #302165
+   # don't bother building man pages if they're disabled
+   sed -i \
+   -e '/DIRS/s: fips : :g' \
+   -e '/^MANSUFFIX/s:=.*:=ssl:' \
+   -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
+   -e $(has noman FEATURES \
+   && echo '/^install:/s:install_docs::' \
+   || echo '/^MANDIR=/s:=.*:=/usr/share/man:') \
+   Makefile{,.org} \
+   || die
+   # show the actual commands in the log
+   sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared || die
+   # update the enginedir path.
+   # punt broken config we don't care about as it fails sanity check.
+   sed -i \
+   -e '/^"debug-ben-debug-64"/d' \
+   -e "/foo.*engines/s|/lib/engines|/$(get_libdir)/engines|" \
+   Configure || die
+
+   # since we're forcing $(CC) as makedep anyway, just fix
+   # the conditional as always-on
+   # helps clang (#417795), and versioned gcc (#499818)
+   sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
+
+   # quiet out unknown driver argument warnings since openssl
+   # doesn't have well-split CFLAGS and we're making it even worse
+   # and 'make depend' uses -Werror for added fun (#417795 again)
+   [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
+
+   # allow openssl to be cross-compiled
+   cp "${FILESDIR}"/gentoo.config-0.9.8 gentoo.config || die "cp 
cross-compile failed"
+   chmod a+rx gentoo.config || die
+
+   append-flags -fno-strict-aliasing
+   append-flags 

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2017-12-07 Thread Thomas Deutschmann
commit: f179eb65b08d179526088fb29abefde8b109ab28
Author: Thomas Deutschmann  gentoo  org>
AuthorDate: Thu Dec  7 18:09:10 2017 +
Commit: Thomas Deutschmann  gentoo  org>
CommitDate: Thu Dec  7 18:13:44 2017 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f179eb65

dev-libs/openssl: Bump to v1.0.2n

- EAPI bumped to EAPI=6

- Respin some patches for v1.0.2n

- Patches moved to patch tarball to avoid cluttering up the tree

Bug: https://bugs.gentoo.org/640172
Package-Manager: Portage-2.3.16, Repoman-2.3.6

 dev-libs/openssl/Manifest  |   2 +
 dev-libs/openssl/files/gentoo.config-1.0.2 |   2 +-
 dev-libs/openssl/openssl-1.0.2n.ebuild | 251 +
 3 files changed, 254 insertions(+), 1 deletion(-)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 720173c3554..e9a8efaa979 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,10 +1,12 @@
 DIST openssl-0.9.8zh.tar.gz 3818524 SHA256 
f1d9f3ed1b85a82ecf80d0e2d389e1fda3fca9a4dba0bf07adbf231e1a5e2fd6 SHA512 
b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6
 WHIRLPOOL 
8ed3362e6aed89cd6ae02438bc3fb58ff3a91afb8a2d401d1d66c1ee4fd96f4befb50558131dd03a60fc15b588172fc1ede5d56bb1f68e184453bfe3b34f9abf
+DIST openssl-1.0.2-patches-1.0.tar.xz 11572 BLAKE2B 
bdb9d2b8388f1aadf3a9274133aa8f86b0029fae1ce86d005baa39a7347657f8d4d84395b54e8ccd67944356ee197dfb527f843b4f146e305533e2ad5450721d
 SHA512 
15234ade359a0acf001cf10c7a7fc05f54603a44c67831529c2a6eda03342f9ba1cf40664ac782b5b73c50b23ec5649fb48ccff2aea8f0df2ef634959c47e3e9
 DIST openssl-1.0.2k.tar.gz 5309236 BLAKE2B 
97069b9c7aaab2381ae5be989caff6907cd44ab1831d84685c3421ad985889a2bbc3a462decdff9c4c158ace96975de2b9e49e4f1b9f306990c3dc0f03767dad
 SHA512 
0d314b42352f4b1df2c40ca1094abc7e9ad684c5c35ea997efdd58204c70f22a1abcb17291820f0fff3769620a4e06906034203d31eb1a4d540df3e0db294016
 DIST openssl-1.0.2l.tar.gz 5365054 BLAKE2B 
0a459a93a0013269dea79bd6df96a434b9dad95b6d98b24a48bc1b1438415c0a8de01b67166ac13a73ae65fb64131568924c3e6f945d862b7e960f05332cf097
 SHA512 
047d964508ad6025c79caabd8965efd2416dc026a56183d0ef4de7a0a6769ce8e0b4608a3f8393d326f6d03b26a2b067e6e0c750f35b20be190e595e8290c0e3
 DIST openssl-1.0.2l_ec_curve.c 17254 SHA256 
43ad99527a9f494c97c1efd4a87b49508455437da5de1b9ecd89b0d36fb764c8 SHA512 
8e92fb100bcf4bd918c82b9a6cbd75a55abe1a2c08230a007e441c51577f974f8cc336e9ac8a672b32641480428ca8cead5380da1fe81bacb088145a1b754a15
 WHIRLPOOL 
5a43777a2886a2e7bd41eeb3a96c90c62b0eaa771249a50eb5996993f43384dca5f24993ed6a6deede2c4f119f896fb11dbc26b72650c909c856bd8c313501f0
 DIST openssl-1.0.2l_ectest.c 30735 SHA256 
14f12b1db5121f3f58466f52ad10555c038c281e90e53c0a2f7940a754bb4d80 SHA512 
f2e4d34327b490bc8371f0845c69df3f9fc51ea16f0ea0de0411a0c1fa9d49bb2b6fafc363eb3b3cd919dc7c24e4a0d075c6ff878c01d70dae918f2540874c19
 WHIRLPOOL 
0d708b382d97e1f20a03e695f0a990fb9fd6cd8ab8ced29e072d52ca3f09f87d18c287d6134fd5ac2243ca541982f4d9eaa2fa8964d62b6b8f1a4b879e8fd997
 DIST openssl-1.0.2l_hobble-openssl 1302 SHA256 
7ec32aab6a1db2124de52c3918cc7f7e487972581e30235447eed15d59415384 SHA512 
3d757a4708e74a03dd5cb9b8114dfe442ed9520739a6eca693be4c4265771696f1449ea06d1c9bcfc6e94fc9b0dd0c10e153f1c3b0334831c0550b36cd63326e
 WHIRLPOOL 
b9630ce76492bff481d0bd48b72449d1e1d4fbb98c2387c4824d84833796adaba716e10976b3130eed9fd9442511a71604d9944600ba6be5253087f865cefe8c
 DIST openssl-1.0.2m.tar.gz 5373776 BLAKE2B 
f40cbea061f84087a079d541f7ba841894c86c00827865f0f508ee297df45e8825d7d74bbbe16bf1f81d46f9af503a6191c9e65df674c4a5ae28172b5b03986f
 SHA512 
7619aa223ee50d0f5e270ac9090e95b2b1ba5dfc656c98f625a9a277dda472fb960a4e89a7ba300044cb401b2072b2ca6a6fcce8206d927bf373d1c981806a93
+DIST openssl-1.0.2n.tar.gz 5375802 BLAKE2B 
2e04f8c3d5e2296859b8474d7e100e270f53f18a26c6d37a4cf5e01cd14f44d24d334b4e705da05d77c33b5dc91cffea0feea9f7c83c77ba16c9b6d5f5085894
 SHA512 
144bf0d6aa27b4af01df0b7b734c39962649e1711554247d42e05e14d8945742b18745aefdba162e2dfc762b941fd7d3b2d5dc6a781ae4ba10a6f5a3cadb0687
 DIST openssl-1.1.0-build.patch 3028 SHA256 
c626ac8b34df5d55a7272a741f87f06dc06cc20ac80085048788a2c76c08c25f SHA512 
b19a912900970052f80c67f28975e793ae9e70ebfc62efae0544e09931079e98c4cd29ce1cc8d937ceca97aff9a12fdc1ff9ce6c2b47fea68c79e7065464a0f0
 WHIRLPOOL 
950febb159139b145eb7de5bda1115465fa8551234182e6d15459ab5519213f515b4c3e3a3136d05c440d3eec04a7247461d36c2d45136a6f1963613d5896b3e
 DIST openssl-1.1.0-ec-curves.patch 2967 SHA256 
da60dfa01ed244cd3f77f60cc2ef479a36e64a58fa5e242aa03647c698cc1a42 SHA512 
8fb9c6759ae2077ad3697ba77e85ab3970fd8b3f64b21eb260b4f6333b7ebf2f5a53c7eee311229edfbd96a2b904ec5e5e00dfa5b62cf1105fece13069077bd2
 WHIRLPOOL 
e7293ef84f6c36e8e5f5ec8158023fdca484bc9082e73956bd0cc74a17c880350a49799146c855a37f116d743e7c93e54cbe4aa7f70483e235d03687a15a46a5
 DIST openssl-1.1.0f.tar.gz 5278176 SHA256 
12f746f3f2493b2f39da7ecf63d7ee19c6ac9ec6a4fcd8c229da8a522cb12765 SHA512 

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2016-11-10 Thread Lars Wendler
commit: 36cc74ed2bb0a39bf145fee0fdec4efc9094fe31
Author: Lars Wendler  gentoo  org>
AuthorDate: Thu Nov 10 15:40:07 2016 +
Commit: Lars Wendler  gentoo  org>
CommitDate: Thu Nov 10 15:40:55 2016 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=36cc74ed

dev-libs/openssl: Security bump to version 1.1.0c (bug #599358).

Package-Manager: portage-2.3.2

 dev-libs/openssl/Manifest |  2 +-
 dev-libs/openssl/files/openssl-1.1.0-ldflags.patch| 11 ---
 .../openssl/{openssl-1.1.0b.ebuild => openssl-1.1.0c.ebuild}  |  1 -
 3 files changed, 1 insertion(+), 13 deletions(-)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 3e6411e..a42a05f 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,3 +1,3 @@
 DIST openssl-0.9.8zh.tar.gz 3818524 SHA256 
f1d9f3ed1b85a82ecf80d0e2d389e1fda3fca9a4dba0bf07adbf231e1a5e2fd6 SHA512 
b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6
 WHIRLPOOL 
8ed3362e6aed89cd6ae02438bc3fb58ff3a91afb8a2d401d1d66c1ee4fd96f4befb50558131dd03a60fc15b588172fc1ede5d56bb1f68e184453bfe3b34f9abf
 DIST openssl-1.0.2j.tar.gz 5307912 SHA256 
e7aff292be21c259c6af26469c7a9b3ba26e9abaaffd325e3dccc9785256c431 SHA512 
7d6ccae4aa3ccec3a5d128da29c68401cdb1210cba6d212d55235fc3bc63d7085e2f119e2bbee7ddff6b7b5eef07c6196156791724cd2caf313a4c2fef724edd
 WHIRLPOOL 
1f17e80bc10da2eab9d4c1c3a662b0e2b4f7e8bc448aabb44cd98a96ba3d6cd0ef6cf9a3371d44b39a4d11b1a4087c8f0d056272ace6eba5bd2417f7ab9503b7
-DIST openssl-1.1.0b.tar.gz 5162355 SHA256 
a45de072bf9be4dea437230aaf036000f0e68c6a665931c57e76b5b036cef6f7 SHA512 
b6d66261427f1acc049bf5469a0dc668490e752c2ba4802481809e7e35367213eca17ac9fdc3f23ed5f7a53d303abca78b13a48b169f154043199f2680ccf1a4
 WHIRLPOOL 
bc926b2839f2e85751480ac0a6306bd37ca1ac12759b78654fba6861517bb9979245b95676a60900eab9257334ecf2e1b7d9e406c39a6075054a93ffc1f7a76a
+DIST openssl-1.1.0c.tar.gz 5179668 SHA256 
fc436441a2e05752d31b4e46115eb89709a28aef96d4fe786abe92409b2fd6f5 SHA512 
e3cfba6c682e5edd6f678df7c1da9c9713880f7dca248e6d62f095185c22ce8fd7571d53a54a119fb5d4422578637746ad2809bb2ba324a5c54564f532307ad9
 WHIRLPOOL 
d6ee4610a6ce5c8d2593bcd9f8a2fc55910006d3f466d0d27409f92b4f60880f96979ccbbdf9da5cf110c59a86e1a906bf20a8eb93338efa9e197bd4755ce4d8

diff --git a/dev-libs/openssl/files/openssl-1.1.0-ldflags.patch 
b/dev-libs/openssl/files/openssl-1.1.0-ldflags.patch
deleted file mode 100644
index 95a95f2..
--- a/dev-libs/openssl/files/openssl-1.1.0-ldflags.patch
+++ /dev/null
@@ -1,11 +0,0 @@
 openssl-1.1.0-pre4/Makefile.shared
-+++ openssl-1.1.0-pre4/Makefile.shared
-@@ -175,7 +175,7 @@
-   ALLSYMSFLAGS='-Wl,--whole-archive'; \
-   NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
-   $(DO_GNU_SO_COMMON)
--DO_GNU_APP=LDFLAGS="$(CFLAGS) $(LDFLAGS) -Wl,-rpath,$(LIBRPATH)"
-+DO_GNU_APP=LDFLAGS="$(CFLAGS) $(LDFLAGS)"
- 
- #This is rather special.  It's a special target with which one can link
- #applications without bothering with any features that have anything to

diff --git a/dev-libs/openssl/openssl-1.1.0b.ebuild 
b/dev-libs/openssl/openssl-1.1.0c.ebuild
similarity index 99%
rename from dev-libs/openssl/openssl-1.1.0b.ebuild
rename to dev-libs/openssl/openssl-1.1.0c.ebuild
index 0aea4eb..069cf97 100644
--- a/dev-libs/openssl/openssl-1.1.0b.ebuild
+++ b/dev-libs/openssl/openssl-1.1.0c.ebuild
@@ -35,7 +35,6 @@ MULTILIB_WRAPPED_HEADERS=(
 )
 
 PATCHES=(
-   "${FILESDIR}"/${PN}-1.1.0-ldflags.patch #327421
"${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
 )
 



[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2016-10-31 Thread Lars Wendler
commit: 246f6b0590667adffa8967d9ba41bc993119a553
Author: Lars Wendler  gentoo  org>
AuthorDate: Mon Oct 31 07:10:08 2016 +
Commit: Lars Wendler  gentoo  org>
CommitDate: Mon Oct 31 07:10:08 2016 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=246f6b05

dev-libs/openssl: Removed vulnerable versions.

Package-Manager: portage-2.3.2
Signed-off-by: Lars Wendler  gentoo.org>

 dev-libs/openssl/Manifest  |   2 -
 .../openssl/files/openssl-1.0.0d-windres.patch |  76 -
 .../files/openssl-1.0.2g-parallel-build.patch  | 318 -
 .../files/openssl-1.0.2h-CVE-2016-2177.patch   | 279 --
 .../files/openssl-1.0.2h-CVE-2016-2178.patch   |  28 --
 dev-libs/openssl/openssl-1.0.2h-r2.ebuild  | 254 
 dev-libs/openssl/openssl-1.0.2i.ebuild | 249 
 7 files changed, 1206 deletions(-)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 4d20371..3e6411e 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,5 +1,3 @@
 DIST openssl-0.9.8zh.tar.gz 3818524 SHA256 
f1d9f3ed1b85a82ecf80d0e2d389e1fda3fca9a4dba0bf07adbf231e1a5e2fd6 SHA512 
b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6
 WHIRLPOOL 
8ed3362e6aed89cd6ae02438bc3fb58ff3a91afb8a2d401d1d66c1ee4fd96f4befb50558131dd03a60fc15b588172fc1ede5d56bb1f68e184453bfe3b34f9abf
-DIST openssl-1.0.2h.tar.gz 5274412 SHA256 
1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919 SHA512 
780601f6f3f32f42b6d7bbc4c593db39a3575f9db80294a10a68b2b0bb79448d9bd529ca700b9977354cbdfc65887c76af0aa7b90d3ee421f74ab53e6f15c303
 WHIRLPOOL 
41b6cf0c08b547f1432dc8167a4c7835da0b6907f8932969e0a352fab8bdbb4d8f612a5bf431e415d93ff1c8238652b2ee3ce0bd935cc2f59e8ea4f40fe6b5d6
-DIST openssl-1.0.2i.tar.gz 5308232 SHA256 
9287487d11c9545b6efb287cdb70535d4e9b284dd10d51441d9b9963d000de6f SHA512 
41764debd5d64e4e770945f30d682e2c887d9cefb39b358c5c7f9d2cdce34393ed28d49b24e95c4639db2df01c278cbcde71bed2b03f9aafafc76766b03850e3
 WHIRLPOOL 
ba1a4513aaa1de81e36912acfe0b6cf8e0acf7cc71d32b127b5e54eb2f6fc6ce63f4f61e9fc99fecc9e037cdccc496b9d15ea75b594b0fd8721b4478eab1f31d
 DIST openssl-1.0.2j.tar.gz 5307912 SHA256 
e7aff292be21c259c6af26469c7a9b3ba26e9abaaffd325e3dccc9785256c431 SHA512 
7d6ccae4aa3ccec3a5d128da29c68401cdb1210cba6d212d55235fc3bc63d7085e2f119e2bbee7ddff6b7b5eef07c6196156791724cd2caf313a4c2fef724edd
 WHIRLPOOL 
1f17e80bc10da2eab9d4c1c3a662b0e2b4f7e8bc448aabb44cd98a96ba3d6cd0ef6cf9a3371d44b39a4d11b1a4087c8f0d056272ace6eba5bd2417f7ab9503b7
 DIST openssl-1.1.0b.tar.gz 5162355 SHA256 
a45de072bf9be4dea437230aaf036000f0e68c6a665931c57e76b5b036cef6f7 SHA512 
b6d66261427f1acc049bf5469a0dc668490e752c2ba4802481809e7e35367213eca17ac9fdc3f23ed5f7a53d303abca78b13a48b169f154043199f2680ccf1a4
 WHIRLPOOL 
bc926b2839f2e85751480ac0a6306bd37ca1ac12759b78654fba6861517bb9979245b95676a60900eab9257334ecf2e1b7d9e406c39a6075054a93ffc1f7a76a

diff --git a/dev-libs/openssl/files/openssl-1.0.0d-windres.patch 
b/dev-libs/openssl/files/openssl-1.0.0d-windres.patch
deleted file mode 100644
index 0b360d2..
--- a/dev-libs/openssl/files/openssl-1.0.0d-windres.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-URL: http://rt.openssl.org/Ticket/Display.html?id=2558=guest=guest
-Subject: make windres controllable via build env var settings
-
-atm, the windres code in openssl is only usable via the cross-compile prefix 
-option unlike all the other build tools. so add support for the standard $RC 
-/ $WINDRES env vars as well.
-
-Index: Configure
-===
-RCS file: /usr/local/src/openssl/CVSROOT/openssl/Configure,v
-retrieving revision 1.621.2.40
-diff -u -p -r1.621.2.40 Configure
 Configure  30 Nov 2010 22:19:26 -  1.621.2.40
-+++ Configure  4 Jul 2011 23:12:32 -
-@@ -1094,6 +1094,7 @@ my $shared_extension = $fields[$idx_shar
- my $ranlib = $ENV{'RANLIB'} || $fields[$idx_ranlib];
- my $ar = $ENV{'AR'} || "ar";
- my $arflags = $fields[$idx_arflags];
-+my $windres = $ENV{'RC'} || $ENV{'WINDRES'} || "windres";
- my $multilib = $fields[$idx_multilib];
- 
- # if $prefix/lib$multilib is not an existing directory, then
-@@ -1511,12 +1512,14 @@ while ()
-   s/^AR=\s*/AR= \$\(CROSS_COMPILE\)/;
-   s/^NM=\s*/NM= \$\(CROSS_COMPILE\)/;
-   s/^RANLIB=\s*/RANLIB= \$\(CROSS_COMPILE\)/;
-+  s/^WINDRES=\s*/WINDRES= \$\(CROSS_COMPILE\)/;
-   s/^MAKEDEPPROG=.*$/MAKEDEPPROG= \$\(CROSS_COMPILE\)$cc/ if $cc 
eq "gcc";
-   }
-   else{
-   s/^CC=.*$/CC= $cc/;
-   s/^AR=\s*ar/AR= $ar/;
-   s/^RANLIB=.*/RANLIB= $ranlib/;
-+  s/^WINDRES=.*/WINDRES= $windres/;
-   s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $cc eq "gcc";
-   }
-   s/^CFLAG=.*$/CFLAG= $cflags/;

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/

2016-08-26 Thread Mike Gilbert
commit: 8d3725cf907f13b2243a38cb2a55282db460279f
Author: Mike Gilbert  gentoo  org>
AuthorDate: Fri Aug 26 17:56:14 2016 +
Commit: Mike Gilbert  gentoo  org>
CommitDate: Fri Aug 26 17:56:14 2016 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8d3725cf

dev-libs/openssl: fix typo in patch filename

Package-Manager: portage-2.3.0_p22

 .../files/{openssl-1.1.01-ldflags.patch => openssl-1.1.0-ldflags.patch}   | 0
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/dev-libs/openssl/files/openssl-1.1.01-ldflags.patch 
b/dev-libs/openssl/files/openssl-1.1.0-ldflags.patch
similarity index 100%
rename from dev-libs/openssl/files/openssl-1.1.01-ldflags.patch
rename to dev-libs/openssl/files/openssl-1.1.0-ldflags.patch



[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2016-08-26 Thread Lars Wendler
commit: 85c9a35d3eea4416b7d234c40fa8758f721cf404
Author: Lars Wendler  gentoo  org>
AuthorDate: Fri Aug 26 17:39:11 2016 +
Commit: Lars Wendler  gentoo  org>
CommitDate: Fri Aug 26 17:39:55 2016 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=85c9a35d

dev-libs/openssl: Fixed broken ldflags patch (thanks to floppym).

Package-Manager: portage-2.3.0
Signed-off-by: Lars Wendler  gentoo.org>

 dev-libs/openssl/files/openssl-1.1.0-threads.patch   | 20 
 ...e4-ldflags.patch => openssl-1.1.01-ldflags.patch} |  2 +-
 dev-libs/openssl/openssl-1.1.0.ebuild|  3 +--
 3 files changed, 2 insertions(+), 23 deletions(-)

diff --git a/dev-libs/openssl/files/openssl-1.1.0-threads.patch 
b/dev-libs/openssl/files/openssl-1.1.0-threads.patch
deleted file mode 100644
index d4326f6..
--- a/dev-libs/openssl/files/openssl-1.1.0-threads.patch
+++ /dev/null
@@ -1,20 +0,0 @@
 openssl-1.1.0/Configurations/10-main.conf
-+++ openssl-1.1.0/Configurations/10-main.conf
-@@ -612,7 +612,7 @@
-debug   => "-O0 -g",
-release => "-O3"),
- threads("-pthread")),
--ex_libs  => add("-ldl"),
-+ex_libs  => add("-ldl",threads("-lpthread")),
- bn_ops   => "BN_LLONG RC4_CHAR",
- thread_scheme=> "pthreads",
- dso_scheme   => "dlfcn",
-@@ -721,7 +721,7 @@
- inherit_from => [ "linux-generic32", asm("x86_elf_asm") ],
- cflags   => add(picker(default => "-DL_ENDIAN",
-release => "-fomit-frame-pointer")),
--ex_libs  => add(picker(debug => "-lefence")),
-+ex_libs  => add(picker(debug => 
"-lefence"),threads("-lpthread")),
- bn_ops   => "BN_LLONG",
- },
- "linux-aout" => {

diff --git a/dev-libs/openssl/files/openssl-1.1.0_pre4-ldflags.patch 
b/dev-libs/openssl/files/openssl-1.1.01-ldflags.patch
similarity index 88%
rename from dev-libs/openssl/files/openssl-1.1.0_pre4-ldflags.patch
rename to dev-libs/openssl/files/openssl-1.1.01-ldflags.patch
index f0d7e18..95a95f2 100644
--- a/dev-libs/openssl/files/openssl-1.1.0_pre4-ldflags.patch
+++ b/dev-libs/openssl/files/openssl-1.1.01-ldflags.patch
@@ -5,7 +5,7 @@
NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
$(DO_GNU_SO_COMMON)
 -DO_GNU_APP=LDFLAGS="$(CFLAGS) $(LDFLAGS) -Wl,-rpath,$(LIBRPATH)"
-+DO_GNU_APP=LDFLAGS="$(LDFLAGS) -Wl,-rpath,$(LIBRPATH)"
++DO_GNU_APP=LDFLAGS="$(CFLAGS) $(LDFLAGS)"
  
  #This is rather special.  It's a special target with which one can link
  #applications without bothering with any features that have anything to

diff --git a/dev-libs/openssl/openssl-1.1.0.ebuild 
b/dev-libs/openssl/openssl-1.1.0.ebuild
index 05e1641..0aea4eb 100644
--- a/dev-libs/openssl/openssl-1.1.0.ebuild
+++ b/dev-libs/openssl/openssl-1.1.0.ebuild
@@ -35,9 +35,8 @@ MULTILIB_WRAPPED_HEADERS=(
 )
 
 PATCHES=(
-   "${FILESDIR}"/${PN}-1.1.0_pre4-ldflags.patch #327421
+   "${FILESDIR}"/${PN}-1.1.0-ldflags.patch #327421
"${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
-   "${FILESDIR}"/${PN}-1.1.0-threads.patch
 )
 
 src_prepare() {
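Review bot: The PATCHES entry added here, `"${FILESDIR}"/${PN}-1.1.0-ldflags.patch`, does not match the file this same commit creates, since the rename earlier in the commit goes to `files/openssl-1.1.01-ldflags.patch`. Assuming `${PN}` expands to `openssl`, the ebuild names a patch that is not in the tree at this revision, so the patch step would presumably fail. Either the rename target should be `openssl-1.1.0-ldflags.patch` or the entry should use the committed name. The commit message also does not say why `${PN}-1.1.0-threads.patch` is dropped from PATCHES and deleted; one line on that would help anyone auditing the patch set later. The body of `src_prepare` lies outside the hunk.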



[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2016-08-26 Thread Lars Wendler
commit: 18fd87c2468bf11b7b21a3691cb8b3735672f452
Author: Lars Wendler  gentoo  org>
AuthorDate: Fri Aug 26 15:51:57 2016 +
Commit: Lars Wendler  gentoo  org>
CommitDate: Fri Aug 26 15:52:16 2016 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=18fd87c2

dev-libs/openssl: Bump to version 1.1.0

Package-Manager: portage-2.3.0
Signed-off-by: Lars Wendler  gentoo.org>

 dev-libs/openssl/Manifest  |   1 +
 dev-libs/openssl/files/openssl-1.1.0-threads.patch |  20 ++
 .../openssl/files/openssl-1.1.0_pre4-ldflags.patch |  11 +
 dev-libs/openssl/openssl-1.1.0.ebuild  | 243 +
 4 files changed, 275 insertions(+)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 7ca6bf7..732c6d3 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,3 +1,4 @@
 DIST openssl-0.9.8zh.tar.gz 3818524 SHA256 
f1d9f3ed1b85a82ecf80d0e2d389e1fda3fca9a4dba0bf07adbf231e1a5e2fd6 SHA512 
b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6
 WHIRLPOOL 
8ed3362e6aed89cd6ae02438bc3fb58ff3a91afb8a2d401d1d66c1ee4fd96f4befb50558131dd03a60fc15b588172fc1ede5d56bb1f68e184453bfe3b34f9abf
 DIST openssl-1.0.2g.tar.gz 5266102 SHA256 
b784b1b3907ce39abf4098702dade6365522a253ad1552e267a9a0e89594aa33 SHA512 
4d96b6c8a232203483d6e8bee81da01ba10977bfbac92f25304a36dec9ea584b7ef917bc45e097cc7dbe681d71a4570d649c22244c178393ae91fab48323f735
 WHIRLPOOL 
aedbd82af0a550e8329a84312fae492f3bb3cb04af763fc9ef532099b2b2e61a55e4a7cfb06085f045740e2b692bbdb3ecb8bf5ca82f46325c3caf22d2317ffb
 DIST openssl-1.0.2h.tar.gz 5274412 SHA256 
1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919 SHA512 
780601f6f3f32f42b6d7bbc4c593db39a3575f9db80294a10a68b2b0bb79448d9bd529ca700b9977354cbdfc65887c76af0aa7b90d3ee421f74ab53e6f15c303
 WHIRLPOOL 
41b6cf0c08b547f1432dc8167a4c7835da0b6907f8932969e0a352fab8bdbb4d8f612a5bf431e415d93ff1c8238652b2ee3ce0bd935cc2f59e8ea4f40fe6b5d6
+DIST openssl-1.1.0.tar.gz 5146831 SHA256 
f5c69ff9ac1472c80b868efc1c1c0d8dcfc746d29ebe563de2365dd56dbd8c82 SHA512 
6a99d391be7708fdc4eb097d27cea4ce79dc83cc7f52d353af1e222773e586405c0848557d7404716b92b23b775abed45e73c66fe9128f4bd7c09864e79317b0
 WHIRLPOOL 
9d38954c65073a8d02caa6aa00b1efc197391b38b341662f0d9967ce883f52eed8c3be84ebd6ecc89c494f725218bfd2bef395891a20b40c8dcdf6b31fba2131

diff --git a/dev-libs/openssl/files/openssl-1.1.0-threads.patch 
b/dev-libs/openssl/files/openssl-1.1.0-threads.patch
new file mode 100644
index ..d4326f6
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.0-threads.patch
@@ -0,0 +1,20 @@
+--- openssl-1.1.0/Configurations/10-main.conf
 openssl-1.1.0/Configurations/10-main.conf
+@@ -612,7 +612,7 @@
+debug   => "-O0 -g",
+release => "-O3"),
+ threads("-pthread")),
+-ex_libs  => add("-ldl"),
++ex_libs  => add("-ldl",threads("-lpthread")),
+ bn_ops   => "BN_LLONG RC4_CHAR",
+ thread_scheme=> "pthreads",
+ dso_scheme   => "dlfcn",
+@@ -721,7 +721,7 @@
+ inherit_from => [ "linux-generic32", asm("x86_elf_asm") ],
+ cflags   => add(picker(default => "-DL_ENDIAN",
+release => "-fomit-frame-pointer")),
+-ex_libs  => add(picker(debug => "-lefence")),
++ex_libs  => add(picker(debug => 
"-lefence"),threads("-lpthread")),
+ bn_ops   => "BN_LLONG",
+ },
+ "linux-aout" => {

diff --git a/dev-libs/openssl/files/openssl-1.1.0_pre4-ldflags.patch 
b/dev-libs/openssl/files/openssl-1.1.0_pre4-ldflags.patch
new file mode 100644
index ..f0d7e18
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.0_pre4-ldflags.patch
@@ -0,0 +1,11 @@
+--- openssl-1.1.0-pre4/Makefile.shared
 openssl-1.1.0-pre4/Makefile.shared
+@@ -175,7 +175,7 @@
+   ALLSYMSFLAGS='-Wl,--whole-archive'; \
+   NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+   $(DO_GNU_SO_COMMON)
+-DO_GNU_APP=LDFLAGS="$(CFLAGS) $(LDFLAGS) -Wl,-rpath,$(LIBRPATH)"
++DO_GNU_APP=LDFLAGS="$(LDFLAGS) -Wl,-rpath,$(LIBRPATH)"
+ 
+ #This is rather special.  It's a special target with which one can link
+ #applications without bothering with any features that have anything to
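Review bot: The replacement `DO_GNU_APP` line removes `$(CFLAGS)` from the application link flags but keeps `-Wl,-rpath,$(LIBRPATH)`, which looks like the reverse of what a distribution build wants. Flags that select the ABI or threading model usually reach the compiler driver through CFLAGS only, so dropping them at link time can break multilib or threaded links. The retained rpath is embedded in every installed binary and is searched before the default library directories, so it is worth confirming what `$(LIBRPATH)` expands to in the install image. If the intent is only to honour the user's LDFLAGS, the added line in the patch could be `+DO_GNU_APP=LDFLAGS="$(CFLAGS) $(LDFLAGS)"`. The patch file also carries no header naming the bug it addresses; the ebuild refers to #327421.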

diff --git a/dev-libs/openssl/openssl-1.1.0.ebuild 
b/dev-libs/openssl/openssl-1.1.0.ebuild
new file mode 100644
index ..05e1641
--- /dev/null
+++ b/dev-libs/openssl/openssl-1.1.0.ebuild
@@ -0,0 +1,243 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
+
+MY_P=${P/_/-}
+DESCRIPTION="full-strength general purpose cryptography library (including SSL 
and TLS)"

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2016-06-24 Thread Patrick McLean
commit: b4bfc10ce01e37a79da48f2f8349200c7eca78ed
Author: Patrick McLean  gentoo  org>
AuthorDate: Sat Jun 25 02:19:01 2016 +
Commit: Patrick McLean  gentoo  org>
CommitDate: Sat Jun 25 02:19:01 2016 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4bfc10c

dev-libs/openssl: Revision bump to 1.0.2h-r2 to fix bug 585142 & bug 585276

This fixes CVE-2016-2177 and CVE-2016-2178.

Package-Manager: portage-2.3.0

 .../files/openssl-1.0.2h-CVE-2016-2177.patch   | 279 +
 .../files/openssl-1.0.2h-CVE-2016-2178.patch   |  28 +++
 dev-libs/openssl/openssl-1.0.2h-r2.ebuild  | 254 +++
 3 files changed, 561 insertions(+)

diff --git a/dev-libs/openssl/files/openssl-1.0.2h-CVE-2016-2177.patch 
b/dev-libs/openssl/files/openssl-1.0.2h-CVE-2016-2177.patch
new file mode 100644
index 000..ca934c2
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.0.2h-CVE-2016-2177.patch
@@ -0,0 +1,279 @@
+From a004e72b95835136d3f1ea90517f706c24c03da7 Mon Sep 17 00:00:00 2001
+From: Matt Caswell 
+Date: Thu, 5 May 2016 11:10:26 +0100
+Subject: [PATCH] Avoid some undefined pointer arithmetic
+
+A common idiom in the codebase is:
+
+if (p + len > limit)
+{
+return; /* Too long */
+}
+
+Where "p" points to some malloc'd data of SIZE bytes and
+limit == p + SIZE
+
+"len" here could be from some externally supplied data (e.g. from a TLS
+message).
+
+The rules of C pointer arithmetic are such that "p + len" is only well
+defined where len <= SIZE. Therefore the above idiom is actually
+undefined behaviour.
+
+For example this could cause problems if some malloc implementation
+provides an address for "p" such that "p + len" actually overflows for
+values of len that are too big and therefore p + len < limit!
+
+Issue reported by Guido Vranken.
+
+CVE-2016-2177
+
+Reviewed-by: Rich Salz 
+---
+ ssl/s3_srvr.c  | 14 +++---
+ ssl/ssl_sess.c |  2 +-
+ ssl/t1_lib.c   | 56 ++--
+ 3 files changed, 38 insertions(+), 34 deletions(-)
+
+diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
+index ab28702..ab7f690 100644
+--- a/ssl/s3_srvr.c
 b/ssl/s3_srvr.c
+@@ -980,7 +980,7 @@ int ssl3_get_client_hello(SSL *s)
+ 
+ session_length = *(p + SSL3_RANDOM_SIZE);
+ 
+-if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) {
++if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+ goto f_err;
+@@ -998,7 +998,7 @@ int ssl3_get_client_hello(SSL *s)
+ /* get the session-id */
+ j = *(p++);
+ 
+-if (p + j > d + n) {
++if ((d + n) - p < j) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+ goto f_err;
+@@ -1054,14 +1054,14 @@ int ssl3_get_client_hello(SSL *s)
+ 
+ if (SSL_IS_DTLS(s)) {
+ /* cookie stuff */
+-if (p + 1 > d + n) {
++if ((d + n) - p < 1) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+ goto f_err;
+ }
+ cookie_len = *(p++);
+ 
+-if (p + cookie_len > d + n) {
++if ((d + n ) - p < cookie_len) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+ goto f_err;
+@@ -1131,7 +1131,7 @@ int ssl3_get_client_hello(SSL *s)
+ }
+ }
+ 
+-if (p + 2 > d + n) {
++if ((d + n ) - p < 2) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+ goto f_err;
+@@ -1145,7 +1145,7 @@ int ssl3_get_client_hello(SSL *s)
+ }
+ 
+ /* i bytes of cipher data + 1 byte for compression length later */
+-if ((p + i + 1) > (d + n)) {
++if ((d + n) - p < i + 1) {
+ /* not enough data */
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+@@ -1211,7 +1211,7 @@ int ssl3_get_client_hello(SSL *s)
+ 
+ /* compression */
+ i = *(p++);
+-if ((p + i) > (d + n)) {
++if ((d + n) - p < i) {
+ /* not enough data */
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
+index b182998..54ee783 100644
+--- a/ssl/ssl_sess.c
 b/ssl/ssl_sess.c
+@@ -573,7 +573,7 @@ int ssl_get_prev_session(SSL *s, unsigned char 
*session_id, int len,
+ int r;
+ #endif
+ 
+-if (session_id + len > limit) {
++if (limit - session_id < len) {
+ fatal = 1;
+ goto err;
+ }
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index fb64607..cdac011 100644
+--- a/ssl/t1_lib.c
 b/ssl/t1_lib.c
+@@ -1867,11 +1867,11 @@ static void ssl_check_for_safari(SSL *s, const 
unsigned char *data,
+  

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2016-03-01 Thread Lars Wendler
commit: 7bf3f3ef8d44f51b7cbfbabc1282da60fcb5f715
Author: Lars Wendler  gentoo  org>
AuthorDate: Tue Mar  1 14:05:20 2016 +
Commit: Lars Wendler  gentoo  org>
CommitDate: Tue Mar  1 14:23:22 2016 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7bf3f3ef

dev-libs/openssl: Security bump to version 1.0.2g (bug #575548).

Package-Manager: portage-2.2.27
Signed-off-by: Lars Wendler  gentoo.org>

 dev-libs/openssl/Manifest  |   1 +
 .../files/openssl-1.0.2g-parallel-build.patch  | 318 +
 dev-libs/openssl/openssl-1.0.2g.ebuild | 265 +
 3 files changed, 584 insertions(+)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index e16c5f3..6eb6a35 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,2 +1,3 @@
 DIST openssl-0.9.8zh.tar.gz 3818524 SHA256 
f1d9f3ed1b85a82ecf80d0e2d389e1fda3fca9a4dba0bf07adbf231e1a5e2fd6 SHA512 
b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6
 WHIRLPOOL 
8ed3362e6aed89cd6ae02438bc3fb58ff3a91afb8a2d401d1d66c1ee4fd96f4befb50558131dd03a60fc15b588172fc1ede5d56bb1f68e184453bfe3b34f9abf
 DIST openssl-1.0.2f.tar.gz 5258384 SHA256 
932b4ee4def2b434f85435d9e3e19ca8ba99ce9a065a61524b429a9d5e9b2e9c SHA512 
50abf6dc94cafd06e7fd20770808bdc675c88daa369e4f752bd584ab17f72a57357c1ca1eca3c83e6745b5a3c9c73c99dce70adaa904d73f6df4c75bc7138351
 WHIRLPOOL 
179e1b5ad38c50a4c8110024aa7b33c53634c39690917e3bf5c2099548430beef96132ae9f9588ff0cedd6e08bb216a8d36835b04e506fb3fbaed37d31c9
+DIST openssl-1.0.2g.tar.gz 5266102 SHA256 
b784b1b3907ce39abf4098702dade6365522a253ad1552e267a9a0e89594aa33 SHA512 
4d96b6c8a232203483d6e8bee81da01ba10977bfbac92f25304a36dec9ea584b7ef917bc45e097cc7dbe681d71a4570d649c22244c178393ae91fab48323f735
 WHIRLPOOL 
aedbd82af0a550e8329a84312fae492f3bb3cb04af763fc9ef532099b2b2e61a55e4a7cfb06085f045740e2b692bbdb3ecb8bf5ca82f46325c3caf22d2317ffb

diff --git a/dev-libs/openssl/files/openssl-1.0.2g-parallel-build.patch 
b/dev-libs/openssl/files/openssl-1.0.2g-parallel-build.patch
new file mode 100644
index 000..3582810
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.0.2g-parallel-build.patch
@@ -0,0 +1,318 @@
+--- openssl-1.0.2g/crypto/Makefile
 openssl-1.0.2g/crypto/Makefile
+@@ -85,11 +85,11 @@
+   @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; 
fi
+ 
+ subdirs:
+-  @target=all; $(RECURSIVE_MAKE)
++  +@target=all; $(RECURSIVE_MAKE)
+ 
+ files:
+   $(PERL) $(TOP)/util/files.pl "CPUID_OBJ=$(CPUID_OBJ)" Makefile >> 
$(TOP)/MINFO
+-  @target=files; $(RECURSIVE_MAKE)
++  +@target=files; $(RECURSIVE_MAKE)
+ 
+ links:
+   @$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
+@@ -100,7 +100,7 @@
+ # lib: $(LIB): are splitted to avoid end-less loop
+ lib:  $(LIB)
+   @touch lib
+-$(LIB):   $(LIBOBJ)
++$(LIB):   $(LIBOBJ) | subdirs
+   $(AR) $(LIB) $(LIBOBJ)
+   test -z "$(FIPSLIBDIR)" || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
+   $(RANLIB) $(LIB) || echo Never mind.
+@@ -111,7 +111,7 @@
+   fi
+ 
+ libs:
+-  @target=lib; $(RECURSIVE_MAKE)
++  +@target=lib; $(RECURSIVE_MAKE)
+ 
+ install:
+   @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+@@ -120,7 +120,7 @@
+   (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+   chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+   done;
+-  @target=install; $(RECURSIVE_MAKE)
++  +@target=install; $(RECURSIVE_MAKE)
+ 
+ lint:
+   @target=lint; $(RECURSIVE_MAKE)
+--- openssl-1.0.2g/engines/Makefile
 openssl-1.0.2g/engines/Makefile
+@@ -72,7 +72,7 @@
+ 
+ all:  lib subdirs
+ 
+-lib:  $(LIBOBJ)
++lib:  $(LIBOBJ) | subdirs
+   @if [ -n "$(SHARED_LIBS)" ]; then \
+   set -e; \
+   for l in $(LIBNAMES); do \
+@@ -89,7 +89,7 @@
+ 
+ subdirs:
+   echo $(EDIRS)
+-  @target=all; $(RECURSIVE_MAKE)
++  +@target=all; $(RECURSIVE_MAKE)
+ 
+ files:
+   $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+@@ -128,7 +128,7 @@
+ mv -f 
$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new 
$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
+   done; \
+   fi
+-  @target=install; $(RECURSIVE_MAKE)
++  +@target=install; $(RECURSIVE_MAKE)
+ 
+ tags:
+   ctags $(SRC)
+--- openssl-1.0.2g/Makefile.org
 openssl-1.0.2g/Makefile.org
+@@ -279,17 +279,17 @@
+ build_libssl: build_ssl libssl.pc
+ 
+ build_crypto:
+-  @dir=crypto; target=all; $(BUILD_ONE_CMD)
++  +@dir=crypto; target=all; $(BUILD_ONE_CMD)
+ build_ssl: build_crypto
+-  @dir=ssl; target=all; $(BUILD_ONE_CMD)
++  +@dir=ssl; target=all; $(BUILD_ONE_CMD)
+ build_engines: build_crypto
+-  @dir=engines; target=all; $(BUILD_ONE_CMD)
++  +@dir=engines; target=all; 

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/

2016-02-26 Thread Doug Goldstein
commit: b59b7705da30eb4cf4eef69946757fe3d11b763f
Author: Doug Goldstein  gentoo  org>
AuthorDate: Fri Feb 26 22:51:32 2016 +
Commit: Doug Goldstein  gentoo  org>
CommitDate: Fri Feb 26 22:51:32 2016 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b59b7705

dev-libs/openssl: remove no longer necessary file

Package-Manager: portage-2.2.26
Signed-off-by: Doug Goldstein  gentoo.org>

 dev-libs/openssl/files/gentoo.config-1.0.1 | 164 -
 1 file changed, 164 deletions(-)

diff --git a/dev-libs/openssl/files/gentoo.config-1.0.1 
b/dev-libs/openssl/files/gentoo.config-1.0.1
deleted file mode 100644
index 24c995a..000
--- a/dev-libs/openssl/files/gentoo.config-1.0.1
+++ /dev/null
@@ -1,164 +0,0 @@
-#!/usr/bin/env bash
-# Copyright 1999-2014 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-#
-# Openssl doesn't play along nicely with cross-compiling
-# like autotools based projects, so let's teach it new tricks.
-#
-# Review the bundled 'config' script to see why kind of targets
-# we can pass to the 'Configure' script.
-
-
-# Testing routines
-if [[ $1 == "test" ]] ; then
-   for c in \
-   "arm-gentoo-linux-uclibc  |linux-generic32 -DL_ENDIAN" \
-   "armv5b-linux-gnu |linux-armv4 -DB_ENDIAN" \
-   "x86_64-pc-linux-gnu  |linux-x86_64" \
-   "alpha-linux-gnu  |linux-alpha-gcc" \
-   "alphaev56-unknown-linux-gnu  |linux-alpha+bwx-gcc" \
-   "i686-pc-linux-gnu|linux-elf" \
-   "whatever-gentoo-freebsdX.Y   |BSD-generic32" \
-   "i686-gentoo-freebsdX.Y   |BSD-x86-elf" \
-   "sparc64-alpha-freebsdX.Y |BSD-sparc64" \
-   "ia64-gentoo-freebsd5.99234   |BSD-ia64" \
-   "x86_64-gentoo-freebsdX.Y |BSD-x86_64" \
-   "hppa64-aldsF-linux-gnu5.3|linux-generic32 -DB_ENDIAN" \
-   "powerpc-gentOO-linux-uclibc  |linux-ppc" \
-   "powerpc64-unk-linux-gnu  |linux-ppc64" \
-   "x86_64-apple-darwinX |darwin64-x86_64-cc" \
-   "powerpc64-apple-darwinX  |darwin64-ppc-cc" \
-   "i686-apple-darwinX   |darwin-i386-cc" \
-   "i386-apple-darwinX   |darwin-i386-cc" \
-   "powerpc-apple-darwinX|darwin-ppc-cc" \
-   "i586-pc-winnt|winnt-parity" \
-   "s390-ibm-linux-gnu   |linux-generic32 -DB_ENDIAN" \
-   "s390x-linux-gnu  |linux64-s390x" \
-   ;do
-   CHOST=${c/|*}
-   ret_want=${c/*|}
-   ret_got=$(CHOST=${CHOST} "$0")
-
-   if [[ ${ret_want} == "${ret_got}" ]] ; then
-   echo "PASS: ${CHOST}"
-   else
-   echo "FAIL: ${CHOST}"
-   echo -e "\twanted: ${ret_want}"
-   echo -e "\twe got: ${ret_got}"
-   fi
-   done
-   exit 0
-fi
-[[ -z ${CHOST} && -n $1 ]] && CHOST=$1
-
-
-# Detect the operating system
-case ${CHOST} in
-   *-aix*)  system="aix";;
-   *-darwin*)   system="darwin";;
-   *-freebsd*)  system="BSD";;
-   *-hpux*) system="hpux";;
-   *-linux*)system="linux";;
-   *-solaris*)  system="solaris";;
-   *-winnt*)system="winnt";;
-   x86_64-*-mingw*) system="mingw64";;
-   *mingw*) system="mingw";;
-   *)   exit 0;;
-esac
-
-
-# Compiler munging
-compiler="gcc"
-if [[ ${CC} == "ccc" ]] ; then
-   compiler=${CC}
-fi
-
-
-# Detect target arch
-machine=""
-chost_machine=${CHOST%%-*}
-case ${system} in
-linux)
-   case ${chost_machine}:${ABI} in
-   aarch64*be)   machine="generic64 -DB_ENDIAN";;
-   aarch64*) machine="generic64 -DL_ENDIAN";;
-   alphaev56*|\
-   alphaev[678]*)machine=alpha+bwx-${compiler};;
-   alpha*)   machine=alpha-${compiler};;
-   armv[4-9]*b*) machine="armv4 -DB_ENDIAN";;
-   armv[4-9]*)   machine="armv4 -DL_ENDIAN";;
-   arm*b*)   machine="generic32 -DB_ENDIAN";;
-   arm*) machine="generic32 -DL_ENDIAN";;
-   avr*) machine="generic32 -DL_ENDIAN";;
-   bfin*)machine="generic32 -DL_ENDIAN";;
-   #   hppa64*)  machine=parisc64;;
-   hppa*)machine="generic32 -DB_ENDIAN";;
-   i[0-9]86*|\
-   x86_64*:x86)  machine=elf;;
-   ia64*)machine=ia64;;
-   m68*) machine="generic32 -DB_ENDIAN";;
-   mips*el*) machine="generic32 -DL_ENDIAN";;
-   mips*)machine="generic32 -DB_ENDIAN";;
-   powerpc64*le) machine="generic64 -DL_ENDIAN";;
-  

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2016-01-28 Thread Lars Wendler
commit: a4af1cd3c4fb7b99b468903efbdc652e2a5bf9c2
Author: Lars Wendler  gentoo  org>
AuthorDate: Fri Jan 29 06:58:41 2016 +
Commit: Lars Wendler  gentoo  org>
CommitDate: Fri Jan 29 06:59:01 2016 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a4af1cd3

dev-libs/openssl: Removed old.

Package-Manager: portage-2.2.27
Signed-off-by: Lars Wendler  gentoo.org>

 dev-libs/openssl/Manifest  |   4 -
 .../files/openssl-1.0.2-s_client-verify.patch  |  17 --
 .../openssl/files/openssl-1.0.2a-malloc-typo.patch |  38 ---
 .../files/openssl-1.0.2a-parallel-build.patch  | 314 -
 .../files/openssl-1.0.2d-parallel-build.patch  | 309 
 dev-libs/openssl/openssl-1.0.2a.ebuild | 266 -
 dev-libs/openssl/openssl-1.0.2b.ebuild | 264 -
 dev-libs/openssl/openssl-1.0.2c.ebuild | 264 -
 dev-libs/openssl/openssl-1.0.2d-r2.ebuild  | 265 -
 dev-libs/openssl/openssl-1.0.2d.ebuild | 267 --
 10 files changed, 2008 deletions(-)

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 17b0441..ddc4c31 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -2,10 +2,6 @@ DIST openssl-0.9.8zg.tar.gz 3826891 SHA256 
06500060639930e471050474f537fcd28ec93
 DIST openssl-0.9.8zh.tar.gz 3818524 SHA256 
f1d9f3ed1b85a82ecf80d0e2d389e1fda3fca9a4dba0bf07adbf231e1a5e2fd6 SHA512 
b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6
 WHIRLPOOL 
8ed3362e6aed89cd6ae02438bc3fb58ff3a91afb8a2d401d1d66c1ee4fd96f4befb50558131dd03a60fc15b588172fc1ede5d56bb1f68e184453bfe3b34f9abf
 DIST openssl-1.0.1p.tar.gz 4560208 SHA256 
bd5ee6803165c0fb60bbecbacacf244f1f90d2aa0d71353af610c29121e9b2f1 SHA512 
64e475c53a85b78de7c5aa71a22d4bb3a456142842373ebf8f22e9857cb0352b646e591b21af866933baecdbdb5ac4a22aeb64914440c53a0f30cd25914029e5
 WHIRLPOOL 
2a81f3b9274e3fef37a2a88e3084d8283159b3a61db08e7805879905c87a74faa85bc6e570d18525741bd5c27c34fe09eeb58b2bfe500545d0f304716e14f819
 DIST openssl-1.0.1r.tar.gz 4547786 SHA256 
784bd8d355ed01ce98b812f873f8b2313da61df7c7b5677fcf2e57b0863a3346 SHA512 
7a5a2efe5d9421ea6f4f86f75ed40b4459b3825355ad18da3bdba28393bc50a6f457b2e1f11a31828f1af0d62a716d258ac7868fb719c9997f3bc750a1723e86
 WHIRLPOOL 
de9c92f5ddb9bcaac967ac735696e739f5762b7d3a0b2430dbfa0c6cd7ac021fdf3c3257255a2fe995f24aa3550d59ce3067f030f09acc5d43b61dfda627686a
-DIST openssl-1.0.2a.tar.gz 5262089 SHA256 
15b6393c20030aab02c8e2fe0243cb1d1d18062f6c095d67bca91871dc7f324a SHA512 
02d228578824add52b73433d64697706e6503c2334933fe8dd6b477f59c430977012c3c34da207096229a425e1dcb6f3ae806043894b5ac98c27bbcddb794dd4
 WHIRLPOOL 
a590c71794f5d29b80afa28b18621b7535e96b714b3690d793c1422a90b09a89cbcb912841d400c5982a8197bb02c13051190e96ba0e4d530509b48b43067cd7
-DIST openssl-1.0.2b.tar.gz 5281009 SHA256 
d5d488cc9f0a07974195a7427094ea3cab9800a4e90178b989aa621fbc238e3f SHA512 
563eb662113668bb9ccf17a6e36697ad6392321ac1a32aa2cada9d8f4047651c2fa4da61f508ee3e1834fea343dbba189e09c1d6cabe5d1de5e3e6d022c31f4f
 WHIRLPOOL 
d828dc76842d25f02f211031b3ab9a2a8fd44975e9aaf87d0fd5fca9935a27b61c3e4f896a2186194f1a7b4d668fc48cafc5be9f7c670017ba342ce40113935f
-DIST openssl-1.0.2c.tar.gz 5280670 SHA256 
0038ba37f35a6367c58f17a7a7f687953ef8ce4f9684bbdec63e62515ed36a83 SHA512 
2a68e8b017d0d3e34e4f9d33b77abd960b3d04e418f106e852684a2ff247dc8ea390b7d6a42d130fd84d821a15e84e77b68b3677433433ef5c10d156333b9dae
 WHIRLPOOL 
c59878c3bd5e8904913b97d71a15ef1eaafcfb4eb58c691ba4fb38bf81752308d0ef4a902e53aec4c6e7585677f2404d29cdea0832d14206fabf28d744af2622
-DIST openssl-1.0.2d.tar.gz 5295447 SHA256 
671c36487785628a703374c652ad2cebea45fa920ae5681515df25d9f2c9a8c8 SHA512 
68a051e92aaed0e7a8b218c185427c534c32f30f50c45f5d2c1f5b7a26d1416e83863d2953c77486acde3b636a148f39faf48246d28a207607ec069f62b13d75
 WHIRLPOOL 
e3d8f0784903c8d6aa05ada7b8b410517c99157a3c2f4ac34c8a9d80c77408bd6ff9e820ded47f6223ccac4a77413174aa625303166ec28fdbf8374a7d4659ec
 DIST openssl-1.0.2e.tar.gz 5256555 SHA256 
e23ccafdb75cfcde782da0151731aa2185195ac745eea3846133f2e05c0e0bff SHA512 
b73f114a117ccab284cf5891dac050e3016d28e0b1fc71639442cdb42accef676115af90a12deff4bcc1f599cc0cbdeb38142cbf4570bd7d03634786ad32c95f
 WHIRLPOOL 
8e1c1800a66f57fa78dc391e717e4b2bdf0e6e37a837c5ac033d7a4b1a6437451c7e7540c4ec2f75f936a2d2ef4f9293b42c76f51b0c9c93706639589612f196
 DIST openssl-1.0.2f.tar.gz 5258384 SHA256 
932b4ee4def2b434f85435d9e3e19ca8ba99ce9a065a61524b429a9d5e9b2e9c SHA512 
50abf6dc94cafd06e7fd20770808bdc675c88daa369e4f752bd584ab17f72a57357c1ca1eca3c83e6745b5a3c9c73c99dce70adaa904d73f6df4c75bc7138351
 WHIRLPOOL 
179e1b5ad38c50a4c8110024aa7b33c53634c39690917e3bf5c2099548430beef96132ae9f9588ff0cedd6e08bb216a8d36835b04e506fb3fbaed37d31c9
 DIST openssl-c_rehash.sh.1.7 4167 SHA256 

[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/

2016-01-17 Thread Mike Frysinger
commit: 01322765ce0ea72a84f0a4065cbd47e1a750f2c4
Author: Mike Frysinger  gentoo  org>
AuthorDate: Sun Jan 17 08:44:54 2016 +
Commit: Mike Frysinger  gentoo  org>
CommitDate: Sun Jan 17 09:00:28 2016 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=01322765

dev-libs/openssl: fix sparc builds (mostly 64-bit)

 dev-libs/openssl/files/gentoo.config-1.0.2 | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/dev-libs/openssl/files/gentoo.config-1.0.2 
b/dev-libs/openssl/files/gentoo.config-1.0.2
index b3f6ced..0528c1c 100755
--- a/dev-libs/openssl/files/gentoo.config-1.0.2
+++ b/dev-libs/openssl/files/gentoo.config-1.0.2
@@ -108,8 +108,13 @@ linux)
#   sh64*)machine=elf;;
sh*b*)machine="generic32 -DB_ENDIAN";;
sh*)  machine="generic32 -DL_ENDIAN";;
+   # TODO: Might want to do -mcpu probing like glibc to determine a
+   # better default for sparc-linux-gnu targets.  This logic will
+   # break v7 and older systems when they use it.
sparc*v7*)machine="generic32 -DB_ENDIAN";;
-   sparc64*) machine=sparcv9;;
+   sparc64*) machine=sparcv9 system=linux64;;
+   sparc*v9*)machine=sparcv9;;
+   sparc*v8*)machine=sparcv8;;
sparc*)   machine=sparcv8;;
s390x*)   machine=s390x system=linux64;;
s390*)machine="generic32 -DB_ENDIAN";;
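Review bot: The new `sparc64*`, `sparc*v9*` and `sparc*v8*` arms have no matching entries in the script's self-test table, so running the script with `test` would not exercise them. The table, as it appears in the 2015-09-20 commit on this page, has only `sparc64-alpha-freebsdX.Y` for sparc. Two entries along the lines of `"sparc64-unknown-linux-gnu |linux64-sparcv9" \` and `"sparc-unknown-linux-gnu |linux-sparcv8" \` would pin the mapping; the CHOST strings are constructed here, and the expected outputs are inferred from the existing `linux64-s390x` entry. Separately, `sparc*v8*)` sets the same value as the `sparc*)` fallback below it, so it is redundant unless kept for readability; if so, a short comment saying that would help. The enclosing `case` statement starts and ends outside the hunk.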



[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/, dev-libs/openssl/

2015-09-20 Thread Mike Frysinger
commit: 7b2ffc3b84bc53e596a2517aae8c061f2e99fd22
Author: Mike Frysinger  gentoo  org>
AuthorDate: Sun Sep 20 18:11:11 2015 +
Commit: Mike Frysinger  gentoo  org>
CommitDate: Sun Sep 20 18:12:21 2015 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7b2ffc3b

dev-libs/openssl: fix config script for a few targets #560812

We were missing trailing globs for aarch64/be and ppc/le to match the
ABI value.  This also updates the ppc64le target to use the new config
value that is available with the 1.0.2 series.

 dev-libs/openssl/files/gentoo.config-1.0.2 | 165 +
 dev-libs/openssl/openssl-1.0.2d.ebuild |   2 +-
 2 files changed, 166 insertions(+), 1 deletion(-)

diff --git a/dev-libs/openssl/files/gentoo.config-1.0.2 
b/dev-libs/openssl/files/gentoo.config-1.0.2
new file mode 100755
index 000..b3f6ced
--- /dev/null
+++ b/dev-libs/openssl/files/gentoo.config-1.0.2
@@ -0,0 +1,165 @@
+#!/usr/bin/env bash
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+#
+# Openssl doesn't play along nicely with cross-compiling
+# like autotools based projects, so let's teach it new tricks.
+#
+# Review the bundled 'config' script to see why kind of targets
+# we can pass to the 'Configure' script.
+
+
+# Testing routines
+if [[ $1 == "test" ]] ; then
+   for c in \
+   "arm-gentoo-linux-uclibc  |linux-generic32 -DL_ENDIAN" \
+   "armv5b-linux-gnu |linux-armv4 -DB_ENDIAN" \
+   "x86_64-pc-linux-gnu  |linux-x86_64" \
+   "alpha-linux-gnu  |linux-alpha-gcc" \
+   "alphaev56-unknown-linux-gnu  |linux-alpha+bwx-gcc" \
+   "i686-pc-linux-gnu|linux-elf" \
+   "whatever-gentoo-freebsdX.Y   |BSD-generic32" \
+   "i686-gentoo-freebsdX.Y   |BSD-x86-elf" \
+   "sparc64-alpha-freebsdX.Y |BSD-sparc64" \
+   "ia64-gentoo-freebsd5.99234   |BSD-ia64" \
+   "x86_64-gentoo-freebsdX.Y |BSD-x86_64" \
+   "hppa64-aldsF-linux-gnu5.3|linux-generic32 -DB_ENDIAN" \
+   "powerpc-gentOO-linux-uclibc  |linux-ppc" \
+   "powerpc64-unk-linux-gnu  |linux-ppc64" \
+   "powerpc64le-linux-gnu|linux-ppc64le" \
+   "x86_64-apple-darwinX |darwin64-x86_64-cc" \
+   "powerpc64-apple-darwinX  |darwin64-ppc-cc" \
+   "i686-apple-darwinX   |darwin-i386-cc" \
+   "i386-apple-darwinX   |darwin-i386-cc" \
+   "powerpc-apple-darwinX|darwin-ppc-cc" \
+   "i586-pc-winnt|winnt-parity" \
+   "s390-ibm-linux-gnu   |linux-generic32 -DB_ENDIAN" \
+   "s390x-linux-gnu  |linux64-s390x" \
+   ;do
+   CHOST=${c/|*}
+   ret_want=${c/*|}
+   ret_got=$(CHOST=${CHOST} "$0")
+
+   if [[ ${ret_want} == "${ret_got}" ]] ; then
+   echo "PASS: ${CHOST}"
+   else
+   echo "FAIL: ${CHOST}"
+   echo -e "\twanted: ${ret_want}"
+   echo -e "\twe got: ${ret_got}"
+   fi
+   done
+   exit 0
+fi
+[[ -z ${CHOST} && -n $1 ]] && CHOST=$1
+
+
+# Detect the operating system
+case ${CHOST} in
+   *-aix*)  system="aix";;
+   *-darwin*)   system="darwin";;
+   *-freebsd*)  system="BSD";;
+   *-hpux*) system="hpux";;
+   *-linux*)system="linux";;
+   *-solaris*)  system="solaris";;
+   *-winnt*)system="winnt";;
+   x86_64-*-mingw*) system="mingw64";;
+   *mingw*) system="mingw";;
+   *)   exit 0;;
+esac
+
+
+# Compiler munging
+compiler="gcc"
+if [[ ${CC} == "ccc" ]] ; then
+   compiler=${CC}
+fi
+
+
+# Detect target arch
+machine=""
+chost_machine=${CHOST%%-*}
+case ${system} in
+linux)
+   case ${chost_machine}:${ABI} in
+   aarch64*be*)  machine="generic64 -DB_ENDIAN";;
+   aarch64*) machine="generic64 -DL_ENDIAN";;
+   alphaev56*|\
+   alphaev[678]*)machine=alpha+bwx-${compiler};;
+   alpha*)   machine=alpha-${compiler};;
+   armv[4-9]*b*) machine="armv4 -DB_ENDIAN";;
+   armv[4-9]*)   machine="armv4 -DL_ENDIAN";;
+   arm*b*)   machine="generic32 -DB_ENDIAN";;
+   arm*) machine="generic32 -DL_ENDIAN";;
+   avr*) machine="generic32 -DL_ENDIAN";;
+   bfin*)machine="generic32 -DL_ENDIAN";;
+   #   hppa64*)  machine=parisc64;;
+   hppa*)machine="generic32 -DB_ENDIAN";;
+   i[0-9]86*|\
+   x86_64*:x86)  machine=elf;;
+   ia64*)machine=ia64;;
+