authorTimo Teräs <timo.teras@iki.fi>2015-03-27 15:26:41 +0200
committerTimo Teräs <timo.teras@iki.fi>2015-03-27 16:30:45 +0200
commit5891af54e70fd91c02e6f8ab9b2059662b0ecfd4 (patch)
tree027a30ea07a77155c709904664cf91257546cb1a /main/openssl
parent1e6108c320c4099cc100e8970ca6d5b9ed3d5d74 (diff)
main/openssl: fix rpath and turn off ssl compression by default
System-wide mitigation for CVE-2012-4929. While most affected programs turn off compression themselves, this is a safer default.
Diffstat (limited to 'main/openssl')
-rw-r--r--main/openssl/0009-no-rpath.patch11
-rw-r--r--main/openssl/0010-ssl-env-zlib.patch38
-rw-r--r--main/openssl/1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch (renamed from main/openssl/0009-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch)0
-rw-r--r--main/openssl/1002-backport-changes-from-upstream-padlock-module.patch (renamed from main/openssl/0010-backport-changes-from-upstream-padlock-module.patch)0
-rw-r--r--main/openssl/1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch (renamed from main/openssl/0011-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch)0
-rw-r--r--main/openssl/1004-crypto-engine-autoload-padlock-dynamic-engine.patch (renamed from main/openssl/0012-crypto-engine-autoload-padlock-dynamic-engine.patch)0
-rw-r--r--main/openssl/APKBUILD47
7 files changed, 76 insertions, 20 deletions
diff --git a/main/openssl/0009-no-rpath.patch b/main/openssl/0009-no-rpath.patch
new file mode 100644
index 0000000000..56df75b791
--- /dev/null
+++ b/main/openssl/0009-no-rpath.patch
@@ -0,0 +1,11 @@
+--- a/Makefile.shared 2005-06-23 22:47:54.000000000 +0200
++++ b/Makefile.shared 2005-11-16 22:35:37.000000000 +0100
+@@ -153,7 +153,7 @@
+ NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
+
+-DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
++DO_GNU_APP=LDFLAGS="$(CFLAGS)"
+
+ #This is rather special. It's a special target with which one can link
+ #applications without bothering with any features that have anything to
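Review bot: The new patch file carries no rationale for dropping `-Wl,-rpath,$(LIBRPATH)` from DO_GNU_APP at line 38; patch(1) ignores text before the first `---` header, so a one-line description at the top of the file would spare the next maintainer a trip to the commit log. Suggested header line: `Drop the build-time rpath from DO_GNU_APP: the package installs its libraries under /usr/lib (--prefix=/usr --libdir=lib), which the loader already searches, so the embedded path is redundant.` The 2005 timestamps and unprefixed `a/Makefile.shared` paths at lines 31-32 suggest the patch was imported from another distribution; noting its origin in that header would also help when rebasing it onto a newer OpenSSL release.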
diff --git a/main/openssl/0010-ssl-env-zlib.patch b/main/openssl/0010-ssl-env-zlib.patch
new file mode 100644
index 0000000000..9eae15d727
--- /dev/null
+++ b/main/openssl/0010-ssl-env-zlib.patch
@@ -0,0 +1,38 @@
+diff -ru openssl-1.0.2a.orig/doc/ssl/SSL_COMP_add_compression_method.pod openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod
+--- openssl-1.0.2a.orig/doc/ssl/SSL_COMP_add_compression_method.pod 2015-01-15 16:43:14.000000000 -0200
++++ openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod 2015-03-27 15:18:47.280054883 -0200
+@@ -47,6 +47,13 @@
+ been standardized, the compression API will most likely be changed. Using
+ it in the current state is not recommended.
+
++It is also not recommended to use compression if data transfered contain
++untrusted parts that can be manipulated by an attacker as he could then
++get information about the encrypted data. See the CRIME attack. For
++that reason the default loading of the zlib compression method is
++disabled and enabled only if the environment variable B<OPENSSL_DEFAULT_ZLIB>
++is present during the library initialization.
++
+ =head1 RETURN VALUES
+
+ SSL_COMP_add_compression_method() may return the following values:
+diff -ru openssl-1.0.2a.orig/ssl/ssl_ciph.c openssl-1.0.2a/ssl/ssl_ciph.c
+--- openssl-1.0.2a.orig/ssl/ssl_ciph.c 2015-03-19 15:30:36.000000000 -0200
++++ openssl-1.0.2a/ssl/ssl_ciph.c 2015-03-27 15:23:05.960057092 -0200
+@@ -141,6 +141,8 @@
+ */
+
+ #include <stdio.h>
++#include <stdlib.h>
++#include <sys/auxv.h>
+ #include <openssl/objects.h>
+ #ifndef OPENSSL_NO_COMP
+ # include <openssl/comp.h>
+@@ -481,7 +483,7 @@
+
+ MemCheck_off();
+ ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp);
+- if (ssl_comp_methods != NULL) {
++ if (ssl_comp_methods != NULL && getauxval(AT_SECURE) == 0 && getenv("OPENSSL_DEFAULT_ZLIB") != NULL) {
+ comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
+ if (comp != NULL) {
+ comp->method = COMP_zlib();
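Review bot: The manual text added at lines 55-60 documents only the environment variable, but the condition at line 82 also requires `getauxval(AT_SECURE) == 0`, so a set-user-ID process (or any process the kernel flags secure) never registers zlib even when OPENSSL_DEFAULT_ZLIB is set — a sensible guard against environment-driven behaviour changes in privileged programs, but currently undocumented. Suggest extending the paragraph to end `... is present during the library initialization and the process is not running with elevated privileges (AT_SECURE is not set).`, and fixing the typo `transfered` → `transferred` while there. The `<sys/auxv.h>`/`getauxval()` pair added at lines 72-73 is Linux-specific (provided by musl and glibc), which is fine for a distribution patch but is worth stating in a patch header so the change is not carried upstream unchanged. The enclosing function starts and ends outside the hunk.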
diff --git a/main/openssl/0009-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch b/main/openssl/1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
index ef46faa848..ef46faa848 100644
--- a/main/openssl/0009-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
+++ b/main/openssl/1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
diff --git a/main/openssl/0010-backport-changes-from-upstream-padlock-module.patch b/main/openssl/1002-backport-changes-from-upstream-padlock-module.patch
index f63bbcd1ce..f63bbcd1ce 100644
--- a/main/openssl/0010-backport-changes-from-upstream-padlock-module.patch
+++ b/main/openssl/1002-backport-changes-from-upstream-padlock-module.patch
diff --git a/main/openssl/0011-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch b/main/openssl/1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
index 5a2cdd633a..5a2cdd633a 100644
--- a/main/openssl/0011-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
+++ b/main/openssl/1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
diff --git a/main/openssl/0012-crypto-engine-autoload-padlock-dynamic-engine.patch b/main/openssl/1004-crypto-engine-autoload-padlock-dynamic-engine.patch
index d0cdfb3b3a..d0cdfb3b3a 100644
--- a/main/openssl/0012-crypto-engine-autoload-padlock-dynamic-engine.patch
+++ b/main/openssl/1004-crypto-engine-autoload-padlock-dynamic-engine.patch
diff --git a/main/openssl/APKBUILD b/main/openssl/APKBUILD
index 788a6bda7a..e71a1aead2 100644
--- a/main/openssl/APKBUILD
+++ b/main/openssl/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Timo Teras <timo.teras@iki.fi>
pkgname=openssl
pkgver=1.0.2a
-pkgrel=0
+pkgrel=1
pkgdesc="Toolkit for SSL v2/v3 and TLS v1"
url="http://openssl.org"
depends=
@@ -23,10 +23,12 @@ source="http://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz
0006-add-ircv3-tls-3.1-extension-support-to-s_client.patch
0007-reimplement-c_rehash-in-C.patch
0008-maintain-abi-compat-with-no-freelist-and-regular-bui.patch
- 0009-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
- 0010-backport-changes-from-upstream-padlock-module.patch
- 0011-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
- 0012-crypto-engine-autoload-padlock-dynamic-engine.patch
+ 0009-no-rpath.patch
+ 0010-ssl-env-zlib.patch
+ 1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
+ 1002-backport-changes-from-upstream-padlock-module.patch
+ 1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
+ 1004-crypto-engine-autoload-padlock-dynamic-engine.patch
"
_builddir="$srcdir"/$pkgname-$pkgver
@@ -70,10 +72,9 @@ build() {
perl ./Configure $_target --prefix=/usr \
--libdir=lib \
--openssldir=/etc/ssl \
- shared zlib enable-montasm enable-md2 \
+ shared zlib enable-montasm enable-md2 $_optflags \
-DOPENSSL_NO_BUF_FREELISTS \
- -Wa,--noexecstack \
- $_optflags \
+ $CPPFLAGS $CFLAGS $LDFLAGS -Wa,--noexecstack \
|| return 1
make && make build-shared || return 1
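Review bot: The `zlib` Configure option kept on line 136 is now load-bearing for the opt-in added in 0010-ssl-env-zlib.patch: that patch only gates the default registration of COMP_zlib() behind OPENSSL_DEFAULT_ZLIB, so a later switch to `no-zlib` would silently turn the environment variable into a no-op without any build failure. A comment above the Configure invocation would make the coupling visible, e.g. `# keep 'zlib': 0010-ssl-env-zlib.patch disables its default registration but leaves it available via OPENSSL_DEFAULT_ZLIB`. Passing `$CPPFLAGS $CFLAGS $LDFLAGS` unquoted on line 140 relies on word splitting, which is the intended behaviour here, but Configure in this release folds every `-`-prefixed argument into the compiler flags, so linker-only options in LDFLAGS will presumably also reach compile steps — harmless for `-Wl,` options, but worth a short note if LDFLAGS ever grows anything else. build() continues outside the hunk.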
@@ -125,10 +126,12 @@ md5sums="a06c547dac9044161a477211049f60ef openssl-1.0.2a.tar.gz
5a5753f52b9f54f769f1ad915d0119bd 0006-add-ircv3-tls-3.1-extension-support-to-s_client.patch
106b2c7590d49a28c782cf3f5d623543 0007-reimplement-c_rehash-in-C.patch
7a2f9c883ecdfca3087062df4a68150a 0008-maintain-abi-compat-with-no-freelist-and-regular-bui.patch
-25091afb907de2b504f8bad6bf70002c 0009-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
-aa16c89b283faf0fe546e3f897279c44 0010-backport-changes-from-upstream-padlock-module.patch
-57cca845e22c178c3b317010be56edf0 0011-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
-2ac874d1249f5f68d8c7cd58d157d29a 0012-crypto-engine-autoload-padlock-dynamic-engine.patch"
+28e89dd715fc4ed85e747bd7306f2970 0009-no-rpath.patch
+742ee13d88b13414248f329a09f9a92d 0010-ssl-env-zlib.patch
+25091afb907de2b504f8bad6bf70002c 1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
+aa16c89b283faf0fe546e3f897279c44 1002-backport-changes-from-upstream-padlock-module.patch
+57cca845e22c178c3b317010be56edf0 1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
+2ac874d1249f5f68d8c7cd58d157d29a 1004-crypto-engine-autoload-padlock-dynamic-engine.patch"
sha256sums="15b6393c20030aab02c8e2fe0243cb1d1d18062f6c095d67bca91871dc7f324a openssl-1.0.2a.tar.gz
4383de0433cb11696346660ae736f120511a7cd0d6ff14543080e0bb93e45ebb 0001-fix-manpages.patch
b449fb998b5f60a3a1779ac2f432b2c7f08ae52fc6dfa98bca37d735f863d400 0002-busybox-basename.patch
@@ -138,10 +141,12 @@ d438a36b2b0adf342ebef4b5e9793bcdae3b3027061100f660749c322acbe93d 0004-fix-defau
9baecc8024bd5004ef045c6c53537f7453029c1e273874ce639834145564ca6d 0006-add-ircv3-tls-3.1-extension-support-to-s_client.patch
c934b5d1a2cb58b5235da2dfee423f0f66bb83e1d479f511b444751899637c37 0007-reimplement-c_rehash-in-C.patch
1030f885dc76f352854a7a95d73e68cfd1479c5f9ee198d6afef6b0755ee1c81 0008-maintain-abi-compat-with-no-freelist-and-regular-bui.patch
-2eddcb7ab342285cb637ce6b6be143cca835f449f35dd9bb8c7b9167ba2117a7 0009-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
-aee88a24622ce9d71e38deeb874e58435dcf8ff5690f56194f0e4a00fb09b260 0010-backport-changes-from-upstream-padlock-module.patch
-c10b8aaf56a4f4f79ca195fc587e0bb533f643e777d7a3e6fb0350399a6060ea 0011-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
-2f7c850af078a3ae71b2dd38d5d0b3964ea4262e52673e36ff33498cc6223e6c 0012-crypto-engine-autoload-padlock-dynamic-engine.patch"
+6b7ac5c9db430d9d3e8aaf87e0e95aa8a0ef460517d6563cca24014d4d890fbc 0009-no-rpath.patch
+fa2e3101ca7c6daed7ea063860d586424be7590b1cec4302bc2beee1a3c6039f 0010-ssl-env-zlib.patch
+2eddcb7ab342285cb637ce6b6be143cca835f449f35dd9bb8c7b9167ba2117a7 1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
+aee88a24622ce9d71e38deeb874e58435dcf8ff5690f56194f0e4a00fb09b260 1002-backport-changes-from-upstream-padlock-module.patch
+c10b8aaf56a4f4f79ca195fc587e0bb533f643e777d7a3e6fb0350399a6060ea 1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
+2f7c850af078a3ae71b2dd38d5d0b3964ea4262e52673e36ff33498cc6223e6c 1004-crypto-engine-autoload-padlock-dynamic-engine.patch"
sha512sums="02d228578824add52b73433d64697706e6503c2334933fe8dd6b477f59c430977012c3c34da207096229a425e1dcb6f3ae806043894b5ac98c27bbcddb794dd4 openssl-1.0.2a.tar.gz
b7142256c25f208a42078e2cbdd5165aac833f0453fea0915c63d34d8177e4bb01aeb6676d8cadb988539c181a0d21991bb05a5443580053e75bc8c047b7db17 0001-fix-manpages.patch
2244f46cb18e6b98f075051dd2446c47f7590abccd108fbab707f168a20cad8d32220d704635973f09e3b2879f523be5160f1ffbc12ab3900f8a8891dc855c5c 0002-busybox-basename.patch
@@ -151,7 +156,9 @@ b7142256c25f208a42078e2cbdd5165aac833f0453fea0915c63d34d8177e4bb01aeb6676d8cadb9
820d4ce1c222696fe3f1dd0d11815c06262ec230fdb174532fd507286667a0aefbf858ea5edac4245a54b950cd0556545ecd0c5cf494692a2ba131c667e7bcd5 0006-add-ircv3-tls-3.1-extension-support-to-s_client.patch
fc4e383ec85c6543e4e82520904122a5a5601c68042ece1e95a0cae95e02d89174f06f78ba2f8aacae8df16052df6ec628b568519a41706428a3fa07984cc8e3 0007-reimplement-c_rehash-in-C.patch
17ad683bb91a3a3c5bcc456c8aed7f0b42414c6de06ebafa4753af93c42d9827c9978a43d4d53d741a45df7f7895c6f6163172af57cc7b391cfd15f45ce6c351 0008-maintain-abi-compat-with-no-freelist-and-regular-bui.patch
-8c181760d7a149aa18d246d50f1c0438ffb63c98677b05306dfc00400ad0429b47d31e7c8d85126005c67f743d23e7a8a81174ffe98556f4caf9cf6b04d9ff17 0009-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
-a3555440b5f544bfd6b9ad97557d8f4c1d673f6a35219f65056a72035d186be5f354717ddf9784899b602464d48657b090ade24379552d43af97609c0f48c389 0010-backport-changes-from-upstream-padlock-module.patch
-6353c7a94016c20db5d683dde37775f6780952ecdb1a5f39f878d04ba37f6ad79ae10fb6d65d181d912505a5d1e22463004cd855d548b364c00b120da2b0fdbc 0011-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
-b72436eb8d4dac42d8da76a51d46cfc03e92e162f692a7a1761201221b9c6d66b738c08270b2260f02ce47b42043538474df73a7185dd4a809dd3b14cc8af7c3 0012-crypto-engine-autoload-padlock-dynamic-engine.patch"
+5dbbc01985190ae1254350fb12565beb6abb916b6a7bb1f0f22d9762b1e575d124aaf9aa4cfe5f908e420978f691072d48c61a72660f09dfd6d9a2f83f862bc1 0009-no-rpath.patch
+5febe20948e3f12d981e378e1f4ea538711657aacb6865a1aa91339d4a04277e250f490a1f2abc2c6f290bdc2b1bffdba1d00983b4c09f7ea983eef8163f9420 0010-ssl-env-zlib.patch
+8c181760d7a149aa18d246d50f1c0438ffb63c98677b05306dfc00400ad0429b47d31e7c8d85126005c67f743d23e7a8a81174ffe98556f4caf9cf6b04d9ff17 1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
+a3555440b5f544bfd6b9ad97557d8f4c1d673f6a35219f65056a72035d186be5f354717ddf9784899b602464d48657b090ade24379552d43af97609c0f48c389 1002-backport-changes-from-upstream-padlock-module.patch
+6353c7a94016c20db5d683dde37775f6780952ecdb1a5f39f878d04ba37f6ad79ae10fb6d65d181d912505a5d1e22463004cd855d548b364c00b120da2b0fdbc 1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
+b72436eb8d4dac42d8da76a51d46cfc03e92e162f692a7a1761201221b9c6d66b738c08270b2260f02ce47b42043538474df73a7185dd4a809dd3b14cc8af7c3 1004-crypto-engine-autoload-padlock-dynamic-engine.patch"