aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTimo Teräs <timo.teras@iki.fi>2012-08-02 15:21:58 +0300
committerTimo Teräs <timo.teras@iki.fi>2012-08-02 15:21:58 +0300
commit3c010f8db1d3cd2efea33e0804f5bf40b7d7891b (patch)
tree5db1e9fd329f46b67e0e0019f985769209ae0b93
parente20dfcebe0901e987c0da30c063548c3d74b8851 (diff)
downloadaports-3c010f8db1d3cd2efea33e0804f5bf40b7d7891b.tar.bz2
aports-3c010f8db1d3cd2efea33e0804f5bf40b7d7891b.tar.xz
main/openssl: security upgrade to 0.9.8x and backport padlock fixes1.10-stable
* fix padlock sha1/256 to fallback to software with very large streams * fix padlock sha1/256 oneshot finalizing update
-rw-r--r--main/openssl/0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch17
-rw-r--r--main/openssl/0002-apps-speed-fix-digest-speed-measurement-and-add-hmac.patch29
-rw-r--r--main/openssl/0003-engine-padlock-implement-sha1-sha224-sha256-accelera.patch39
-rw-r--r--main/openssl/APKBUILD10
4 files changed, 50 insertions, 45 deletions
diff --git a/main/openssl/0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch b/main/openssl/0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
index 6033afc4ed..963d2962fb 100644
--- a/main/openssl/0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
+++ b/main/openssl/0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
@@ -1,7 +1,8 @@
-From 8290b2ced17ee3d0e52345180ef4fc6d79bc0751 Mon Sep 17 00:00:00 2001
+From ba6e7dcf33277954cb3adc7767555a346906f33c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Fri, 4 Jun 2010 09:48:39 +0300
-Subject: [PATCH 1/3] crypto/hmac: support EVP_MD_CTX_FLAG_ONESHOT and set it properly
+Subject: [PATCH 1/3] crypto/hmac: support EVP_MD_CTX_FLAG_ONESHOT and set it
+ properly
Some engines (namely VIA C7 Padlock) work only if EVP_MD_CTX_FLAG_ONESHOT
is set before final update. This is because some crypto accelerators cannot
@@ -12,11 +13,11 @@ differently here. It is set before the final EVP_DigestUpdate call, not
necessarily before EVP_DigestInit call. This will not cause any problems
though.
---
- crypto/hmac/hmac.c | 14 +++++++++++---
- 1 files changed, 11 insertions(+), 3 deletions(-)
+ crypto/hmac/hmac.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/crypto/hmac/hmac.c b/crypto/hmac/hmac.c
-index cbc1c76..a75a35d 100644
+index 6899be6..b157c32 100644
--- a/crypto/hmac/hmac.c
+++ b/crypto/hmac/hmac.c
@@ -68,6 +68,7 @@ void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
@@ -54,7 +55,7 @@ index cbc1c76..a75a35d 100644
}
EVP_MD_CTX_copy_ex(&ctx->md_ctx,&ctx->i_ctx);
}
-@@ -166,7 +173,8 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
+@@ -163,7 +170,8 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
if (md == NULL) md=m;
HMAC_CTX_init(&c);
@@ -64,7 +65,7 @@ index cbc1c76..a75a35d 100644
HMAC_Update(&c,d,n);
HMAC_Final(&c,md,md_len);
HMAC_CTX_cleanup(&c);
-@@ -176,8 +184,8 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
+@@ -173,8 +181,8 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags)
{
EVP_MD_CTX_set_flags(&ctx->i_ctx, flags);
@@ -76,5 +77,5 @@ index cbc1c76..a75a35d 100644
#endif
--
-1.7.0.4
+1.7.11.3
diff --git a/main/openssl/0002-apps-speed-fix-digest-speed-measurement-and-add-hmac.patch b/main/openssl/0002-apps-speed-fix-digest-speed-measurement-and-add-hmac.patch
index a74c116267..1f6d9c3f90 100644
--- a/main/openssl/0002-apps-speed-fix-digest-speed-measurement-and-add-hmac.patch
+++ b/main/openssl/0002-apps-speed-fix-digest-speed-measurement-and-add-hmac.patch
@@ -1,7 +1,8 @@
-From 711ae63d2c715a34b15262b4dd4a48b09f02a400 Mon Sep 17 00:00:00 2001
+From 942f1af93b1cafbb4439aec0018da099af09a934 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Thu, 3 Jun 2010 09:02:13 +0300
-Subject: [PATCH 2/3] apps/speed: fix digest speed measurement and add hmac-sha1 test
+Subject: [PATCH 2/3] apps/speed: fix digest speed measurement and add
+ hmac-sha1 test
Merge the common code of testing digest speed, and make it reuse
existing context. Context creation can be heavy operation, and it's
@@ -11,11 +12,11 @@ like hmac tests do.
This also adds test for hmac-sha1 speed.
---
- apps/speed.c | 232 ++++++++++++++++++++++------------------------------------
- 1 files changed, 87 insertions(+), 145 deletions(-)
+ apps/speed.c | 232 ++++++++++++++++++++++-------------------------------------
+ 1 file changed, 87 insertions(+), 145 deletions(-)
diff --git a/apps/speed.c b/apps/speed.c
-index 393a7ba..6e375c6 100644
+index 84ce35d..116cf82 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -285,7 +285,7 @@ static void print_result(int alg,int run_no,int count,double time_used);
@@ -107,7 +108,7 @@ index 393a7ba..6e375c6 100644
#ifndef OPENSSL_NO_ECDH
static const int KDF1_SHA1_len = 20;
-@@ -503,7 +565,6 @@ int MAIN(int argc, char **argv)
+@@ -500,7 +562,6 @@ int MAIN(int, char **);
int MAIN(int argc, char **argv)
{
@@ -115,7 +116,7 @@ index 393a7ba..6e375c6 100644
int mret=1;
long count=0,save_count=0;
int i,j,k;
-@@ -514,31 +575,6 @@ int MAIN(int argc, char **argv)
+@@ -511,31 +572,6 @@ int MAIN(int argc, char **argv)
unsigned rsa_num;
#endif
unsigned char md[EVP_MAX_MD_SIZE];
@@ -147,7 +148,7 @@ index 393a7ba..6e375c6 100644
#ifndef OPENSSL_NO_RC4
RC4_KEY rc4_ks;
#endif
-@@ -635,8 +671,8 @@ int MAIN(int argc, char **argv)
+@@ -631,8 +667,8 @@ int MAIN(int argc, char **argv)
#define D_IGE_128_AES 25
#define D_IGE_192_AES 26
#define D_IGE_256_AES 27
@@ -157,7 +158,7 @@ index 393a7ba..6e375c6 100644
#define R_DSA_512 0
#define R_DSA_1024 1
#define R_DSA_2048 2
-@@ -945,6 +981,8 @@ int MAIN(int argc, char **argv)
+@@ -938,6 +974,8 @@ int MAIN(int argc, char **argv)
doit[D_SHA256]=1,
doit[D_SHA512]=1;
else
@@ -166,7 +167,7 @@ index 393a7ba..6e375c6 100644
#ifndef OPENSSL_NO_SHA256
if (strcmp(*argv,"sha256") == 0) doit[D_SHA256]=1;
else
-@@ -1158,6 +1196,9 @@ int MAIN(int argc, char **argv)
+@@ -1151,6 +1189,9 @@ int MAIN(int argc, char **argv)
#endif
#ifndef OPENSSL_NO_SHA1
BIO_printf(bio_err,"sha1 ");
@@ -176,7 +177,7 @@ index 393a7ba..6e375c6 100644
#endif
#ifndef OPENSSL_NO_SHA256
BIO_printf(bio_err,"sha256 ");
-@@ -1420,6 +1461,7 @@ int MAIN(int argc, char **argv)
+@@ -1414,6 +1455,7 @@ int MAIN(int argc, char **argv)
c[D_IGE_128_AES][0]=count;
c[D_IGE_192_AES][0]=count;
c[D_IGE_256_AES][0]=count;
@@ -184,7 +185,7 @@ index 393a7ba..6e375c6 100644
for (i=1; i<SIZE_NUM; i++)
{
-@@ -1432,6 +1474,7 @@ int MAIN(int argc, char **argv)
+@@ -1426,6 +1468,7 @@ int MAIN(int argc, char **argv)
c[D_RMD160][i]=c[D_RMD160][0]*4*lengths[0]/lengths[i];
c[D_SHA256][i]=c[D_SHA256][0]*4*lengths[0]/lengths[i];
c[D_SHA512][i]=c[D_SHA512][0]*4*lengths[0]/lengths[i];
@@ -192,7 +193,7 @@ index 393a7ba..6e375c6 100644
}
for (i=1; i<SIZE_NUM; i++)
{
-@@ -1606,160 +1649,59 @@ int MAIN(int argc, char **argv)
+@@ -1600,160 +1643,59 @@ int MAIN(int argc, char **argv)
}
#endif
@@ -369,5 +370,5 @@ index 393a7ba..6e375c6 100644
#ifndef OPENSSL_NO_RC4
if (doit[D_RC4])
--
-1.7.0.4
+1.7.11.3
diff --git a/main/openssl/0003-engine-padlock-implement-sha1-sha224-sha256-accelera.patch b/main/openssl/0003-engine-padlock-implement-sha1-sha224-sha256-accelera.patch
index 993c9b1780..ad2a349626 100644
--- a/main/openssl/0003-engine-padlock-implement-sha1-sha224-sha256-accelera.patch
+++ b/main/openssl/0003-engine-padlock-implement-sha1-sha224-sha256-accelera.patch
@@ -1,7 +1,8 @@
-From 9fe6001d9b7a35a12a6a282677c79fd56eeaf99c Mon Sep 17 00:00:00 2001
+From c0a6d4b6d7b2a9c835efa4c05af610a148eb12cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
Date: Fri, 4 Jun 2010 10:00:15 +0300
-Subject: [PATCH 3/3] engine/padlock: implement sha1/sha224/sha256 acceleration
+Subject: [PATCH 3/3] engine/padlock: implement sha1/sha224/sha256
+ acceleration
Limited support for VIA C7 that works only when EVP_MD_CTX_FLAG_ONESHOT
is used appropriately (as done by EVP_Digest, and my previous HMAC patch).
@@ -24,11 +25,11 @@ sha1 37713.77k 114562.71k 259637.33k 379907.41k 438818.13k
sha256 34262.86k 103233.75k 232476.07k 338386.60k 389860.01k
hmac(sha1) 8424.70k 31475.11k 104036.10k 245559.30k 406667.26k
---
- crypto/engine/eng_padlock.c | 597 +++++++++++++++++++++++++++++++++++++++---
- 1 files changed, 554 insertions(+), 43 deletions(-)
+ crypto/engine/eng_padlock.c | 599 ++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 556 insertions(+), 43 deletions(-)
diff --git a/crypto/engine/eng_padlock.c b/crypto/engine/eng_padlock.c
-index 743558a..28ec0f7 100644
+index 743558a..c82d0f3 100644
--- a/crypto/engine/eng_padlock.c
+++ b/crypto/engine/eng_padlock.c
@@ -3,6 +3,9 @@
@@ -41,7 +42,7 @@ index 743558a..28ec0f7 100644
* Big thanks to Andy Polyakov for a help with optimization,
* assembler fixes, port to MS Windows and a lot of other
* valuable work on this engine!
-@@ -74,12 +77,23 @@
+@@ -74,12 +77,25 @@
#ifndef OPENSSL_NO_AES
#include <openssl/aes.h>
#endif
@@ -62,10 +63,12 @@ index 743558a..28ec0f7 100644
+#define OPENSSL_NO_SHA
+#endif
+
++#define PADLOCK_MAX_FINALIZING_LENGTH 0x1FFFFFFE
++
/* Attempt to have a single source for both 0.9.7 and 0.9.8 :-) */
#if (OPENSSL_VERSION_NUMBER >= 0x00908000L)
# ifndef OPENSSL_NO_DYNAMIC_ENGINE
-@@ -138,58 +152,40 @@ static int padlock_available(void);
+@@ -138,58 +154,40 @@ static int padlock_available(void);
static int padlock_init(ENGINE *e);
/* RNG Stuff */
@@ -87,10 +90,10 @@ index 743558a..28ec0f7 100644
-#ifndef OPENSSL_NO_AES
-static int padlock_aes_align_required = 1;
-#endif
--
--/* ===== Engine "management" functions ===== */
+static int padlock_bind_helper(ENGINE *e);
+-/* ===== Engine "management" functions ===== */
+-
-/* Prepare the ENGINE structure for registration */
-static int
-padlock_bind_helper(ENGINE *e)
@@ -145,7 +148,7 @@ index 743558a..28ec0f7 100644
/* Constructor */
static ENGINE *
-@@ -213,7 +209,7 @@ ENGINE_padlock(void)
+@@ -213,7 +211,7 @@ ENGINE_padlock(void)
static int
padlock_init(ENGINE *e)
{
@@ -154,7 +157,7 @@ index 743558a..28ec0f7 100644
}
/* This stuff is needed if this ENGINE is being compiled into a self-contained
-@@ -365,10 +361,20 @@ padlock_available(void)
+@@ -365,10 +363,20 @@ padlock_available(void)
: "+a"(eax), "=d"(edx) : : "ecx");
/* Fill up some flags */
@@ -178,7 +181,7 @@ index 743558a..28ec0f7 100644
}
#ifndef OPENSSL_NO_AES
-@@ -1157,6 +1163,454 @@ padlock_aes_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
+@@ -1157,6 +1165,454 @@ padlock_aes_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
#endif /* OPENSSL_NO_AES */
@@ -239,9 +242,9 @@ index 743558a..28ec0f7 100644
+ total += len;
+
+ if ((ctx->flags & EVP_MD_CTX_FLAG_ONESHOT) &&
-+ (total <= 0xfffffffe)) {
++ (total <= PADLOCK_MAX_FINALIZING_LENGTH)) {
+ if (c->num != 0) {
-+ l = (len < SHA_CBLOCK) ? len : SHA_CBLOCK;
++ l = (len < SHA_CBLOCK - c->num) ? len : SHA_CBLOCK - c->num;
+ if (!SHA1_Update(c, data, l))
+ return 0;
+ p += l;
@@ -417,9 +420,9 @@ index 743558a..28ec0f7 100644
+ total += len;
+
+ if ((ctx->flags & EVP_MD_CTX_FLAG_ONESHOT) &&
-+ (total <= 0xfffffffe)) {
++ (total <= PADLOCK_MAX_FINALIZING_LENGTH)) {
+ if (c->num != 0) {
-+ l = (len < SHA256_CBLOCK) ? len : SHA256_CBLOCK;
++ l = (len < SHA256_CBLOCK - c->num) ? len : SHA256_CBLOCK - c->num;
+ if (!SHA256_Update(c, data, l))
+ return 0;
+ p += l;
@@ -633,7 +636,7 @@ index 743558a..28ec0f7 100644
/* ===== Random Number Generator ===== */
/*
* This code is not engaged. The reason is that it does not comply
-@@ -1213,7 +1667,64 @@ static RAND_METHOD padlock_rand = {
+@@ -1213,7 +1669,64 @@ static RAND_METHOD padlock_rand = {
padlock_rand_status, /* rand status */
};
@@ -699,5 +702,5 @@ index 743558a..28ec0f7 100644
#endif /* !OPENSSL_NO_HW_PADLOCK */
#endif /* !OPENSSL_NO_HW */
--
-1.7.0.4
+1.7.11.3
diff --git a/main/openssl/APKBUILD b/main/openssl/APKBUILD
index f166da2956..a9179f59fc 100644
--- a/main/openssl/APKBUILD
+++ b/main/openssl/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=openssl
-pkgver=0.9.8r
+pkgver=0.9.8x
pkgrel=0
pkgdesc="Toolkit for SSL v2/v3 and TLS v1"
url=http://openssl.org
@@ -50,9 +50,9 @@ libcrypto() {
mv "$pkgdir"/usr/lib/engines "$subpkgdir"/usr/lib/
}
-md5sums="0352932ea863bc02b056cda7c9ac5b79 openssl-0.9.8r.tar.gz
+md5sums="ee17e9bc805c8cc7d0afac3b0ef78eda openssl-0.9.8x.tar.gz
19615785a671129bae790478f073da2c openssl-0.9.8o-fix-manpages.patch
c6a9857a5dbd30cead0404aa7dd73977 openssl-bb-basename.patch
-2f370b846d8f27ac45dd6e5341366e16 0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
-9ba0ecf53f8b60ff8703a1ffe5b3e701 0002-apps-speed-fix-digest-speed-measurement-and-add-hmac.patch
-e262418b20a05c2af12d464ac194ea21 0003-engine-padlock-implement-sha1-sha224-sha256-accelera.patch"
+5e5366fbc7c60c110dbcc603d2fb3a94 0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
+d193bee38f342b1eeb24bd0f444d15fa 0002-apps-speed-fix-digest-speed-measurement-and-add-hmac.patch
+f920a35ac705a9ce0f44547f96441d77 0003-engine-padlock-implement-sha1-sha224-sha256-accelera.patch"