main/openssl: fix rpath and turn off ssl compression by default

System wide mitigation for CVE-2012-4929. While most affected
programs turn off compression themselves, this is safer default.

7 files changed, 76 insertions, 20 deletions

diff --git a/main/openssl/0009-no-rpath.patch b/main/openssl/0009-no-rpath.patch
new file mode 100644
index 0000000000..56df75b791
--- /dev/null
+++ b/main/openssl/0009-no-rpath.patch
@@ -0,0 +1,11 @@
+--- a/Makefile.shared	2005-06-23 22:47:54.000000000 +0200
++++ b/Makefile.shared	2005-11-16 22:35:37.000000000 +0100
+@@ -153,7 +153,7 @@
+ 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+ 	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
+ 
+-DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
++DO_GNU_APP=LDFLAGS="$(CFLAGS)"
+ 
+ #This is rather special.  It's a special target with which one can link
+ #applications without bothering with any features that have anything to
diff --git a/main/openssl/0010-ssl-env-zlib.patch b/main/openssl/0010-ssl-env-zlib.patch
new file mode 100644
index 0000000000..9eae15d727
--- /dev/null
+++ b/main/openssl/0010-ssl-env-zlib.patch
@@ -0,0 +1,38 @@
+diff -ru openssl-1.0.2a.orig/doc/ssl/SSL_COMP_add_compression_method.pod openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod
+--- openssl-1.0.2a.orig/doc/ssl/SSL_COMP_add_compression_method.pod	2015-01-15 16:43:14.000000000 -0200
++++ openssl-1.0.2a/doc/ssl/SSL_COMP_add_compression_method.pod	2015-03-27 15:18:47.280054883 -0200
+@@ -47,6 +47,13 @@
+ been standardized, the compression API will most likely be changed. Using
+ it in the current state is not recommended.
+ 
++It is also not recommended to use compression if data transfered contain
++untrusted parts that can be manipulated by an attacker as he could then
++get information about the encrypted data. See the CRIME attack. For
++that reason the default loading of the zlib compression method is
++disabled and enabled only if the environment variable B<OPENSSL_DEFAULT_ZLIB>
++is present during the library initialization.
++
+ =head1 RETURN VALUES
+ 
+ SSL_COMP_add_compression_method() may return the following values:
+diff -ru openssl-1.0.2a.orig/ssl/ssl_ciph.c openssl-1.0.2a/ssl/ssl_ciph.c
+--- openssl-1.0.2a.orig/ssl/ssl_ciph.c	2015-03-19 15:30:36.000000000 -0200
++++ openssl-1.0.2a/ssl/ssl_ciph.c	2015-03-27 15:23:05.960057092 -0200
+@@ -141,6 +141,8 @@
+  */
+ 
+ #include <stdio.h>
++#include <stdlib.h>
++#include <sys/auxv.h>
+ #include <openssl/objects.h>
+ #ifndef OPENSSL_NO_COMP
+ # include <openssl/comp.h>
+@@ -481,7 +483,7 @@
+ 
+             MemCheck_off();
+             ssl_comp_methods = sk_SSL_COMP_new(sk_comp_cmp);
+-            if (ssl_comp_methods != NULL) {
++            if (ssl_comp_methods != NULL && getauxval(AT_SECURE) == 0 && getenv("OPENSSL_DEFAULT_ZLIB") != NULL) {
+                 comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
+                 if (comp != NULL) {
+                     comp->method = COMP_zlib();
diff --git a/main/openssl/0009-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch b/main/openssl/1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
index ef46faa848..ef46faa848 100644
--- a/main/openssl/0009-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
+++ b/main/openssl/1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
diff --git a/main/openssl/0010-backport-changes-from-upstream-padlock-module.patch b/main/openssl/1002-backport-changes-from-upstream-padlock-module.patch
index f63bbcd1ce..f63bbcd1ce 100644
--- a/main/openssl/0010-backport-changes-from-upstream-padlock-module.patch
+++ b/main/openssl/1002-backport-changes-from-upstream-padlock-module.patch
diff --git a/main/openssl/0011-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch b/main/openssl/1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
index 5a2cdd633a..5a2cdd633a 100644
--- a/main/openssl/0011-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
+++ b/main/openssl/1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
diff --git a/main/openssl/0012-crypto-engine-autoload-padlock-dynamic-engine.patch b/main/openssl/1004-crypto-engine-autoload-padlock-dynamic-engine.patch
index d0cdfb3b3a..d0cdfb3b3a 100644
--- a/main/openssl/0012-crypto-engine-autoload-padlock-dynamic-engine.patch
+++ b/main/openssl/1004-crypto-engine-autoload-padlock-dynamic-engine.patch
diff --git a/main/openssl/APKBUILD b/main/openssl/APKBUILD
index 788a6bda7a..e71a1aead2 100644
--- a/main/openssl/APKBUILD
+++ b/main/openssl/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Timo Teras <timo.teras@iki.fi>
 pkgname=openssl
 pkgver=1.0.2a
-pkgrel=0
+pkgrel=1
 pkgdesc="Toolkit for SSL v2/v3 and TLS v1"
 url="http://openssl.org"
 depends=
@@ -23,10 +23,12 @@ source="http://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz
 	0006-add-ircv3-tls-3.1-extension-support-to-s_client.patch
 	0007-reimplement-c_rehash-in-C.patch
 	0008-maintain-abi-compat-with-no-freelist-and-regular-bui.patch
-	0009-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
-	0010-backport-changes-from-upstream-padlock-module.patch
-	0011-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
-	0012-crypto-engine-autoload-padlock-dynamic-engine.patch
+	0009-no-rpath.patch
+	0010-ssl-env-zlib.patch
+	1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
+	1002-backport-changes-from-upstream-padlock-module.patch
+	1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
+	1004-crypto-engine-autoload-padlock-dynamic-engine.patch
 	"
 
 _builddir="$srcdir"/$pkgname-$pkgver
@@ -70,10 +72,9 @@ build() {
 	perl ./Configure $_target --prefix=/usr \
 		--libdir=lib \
 		--openssldir=/etc/ssl \
-		shared zlib enable-montasm enable-md2 \
+		shared zlib enable-montasm enable-md2 $_optflags \
 		-DOPENSSL_NO_BUF_FREELISTS \
-		-Wa,--noexecstack \
-                $_optflags \
+		$CPPFLAGS $CFLAGS $LDFLAGS -Wa,--noexecstack \
 		|| return 1
 
 	make && make build-shared || return 1
@@ -125,10 +126,12 @@ md5sums="a06c547dac9044161a477211049f60ef  openssl-1.0.2a.tar.gz
 5a5753f52b9f54f769f1ad915d0119bd  0006-add-ircv3-tls-3.1-extension-support-to-s_client.patch
 106b2c7590d49a28c782cf3f5d623543  0007-reimplement-c_rehash-in-C.patch
 7a2f9c883ecdfca3087062df4a68150a  0008-maintain-abi-compat-with-no-freelist-and-regular-bui.patch
-25091afb907de2b504f8bad6bf70002c  0009-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
-aa16c89b283faf0fe546e3f897279c44  0010-backport-changes-from-upstream-padlock-module.patch
-57cca845e22c178c3b317010be56edf0  0011-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
-2ac874d1249f5f68d8c7cd58d157d29a  0012-crypto-engine-autoload-padlock-dynamic-engine.patch"
+28e89dd715fc4ed85e747bd7306f2970  0009-no-rpath.patch
+742ee13d88b13414248f329a09f9a92d  0010-ssl-env-zlib.patch
+25091afb907de2b504f8bad6bf70002c  1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
+aa16c89b283faf0fe546e3f897279c44  1002-backport-changes-from-upstream-padlock-module.patch
+57cca845e22c178c3b317010be56edf0  1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
+2ac874d1249f5f68d8c7cd58d157d29a  1004-crypto-engine-autoload-padlock-dynamic-engine.patch"
 sha256sums="15b6393c20030aab02c8e2fe0243cb1d1d18062f6c095d67bca91871dc7f324a  openssl-1.0.2a.tar.gz
 4383de0433cb11696346660ae736f120511a7cd0d6ff14543080e0bb93e45ebb  0001-fix-manpages.patch
 b449fb998b5f60a3a1779ac2f432b2c7f08ae52fc6dfa98bca37d735f863d400  0002-busybox-basename.patch
@@ -138,10 +141,12 @@ d438a36b2b0adf342ebef4b5e9793bcdae3b3027061100f660749c322acbe93d  0004-fix-defau
 9baecc8024bd5004ef045c6c53537f7453029c1e273874ce639834145564ca6d  0006-add-ircv3-tls-3.1-extension-support-to-s_client.patch
 c934b5d1a2cb58b5235da2dfee423f0f66bb83e1d479f511b444751899637c37  0007-reimplement-c_rehash-in-C.patch
 1030f885dc76f352854a7a95d73e68cfd1479c5f9ee198d6afef6b0755ee1c81  0008-maintain-abi-compat-with-no-freelist-and-regular-bui.patch
-2eddcb7ab342285cb637ce6b6be143cca835f449f35dd9bb8c7b9167ba2117a7  0009-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
-aee88a24622ce9d71e38deeb874e58435dcf8ff5690f56194f0e4a00fb09b260  0010-backport-changes-from-upstream-padlock-module.patch
-c10b8aaf56a4f4f79ca195fc587e0bb533f643e777d7a3e6fb0350399a6060ea  0011-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
-2f7c850af078a3ae71b2dd38d5d0b3964ea4262e52673e36ff33498cc6223e6c  0012-crypto-engine-autoload-padlock-dynamic-engine.patch"
+6b7ac5c9db430d9d3e8aaf87e0e95aa8a0ef460517d6563cca24014d4d890fbc  0009-no-rpath.patch
+fa2e3101ca7c6daed7ea063860d586424be7590b1cec4302bc2beee1a3c6039f  0010-ssl-env-zlib.patch
+2eddcb7ab342285cb637ce6b6be143cca835f449f35dd9bb8c7b9167ba2117a7  1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
+aee88a24622ce9d71e38deeb874e58435dcf8ff5690f56194f0e4a00fb09b260  1002-backport-changes-from-upstream-padlock-module.patch
+c10b8aaf56a4f4f79ca195fc587e0bb533f643e777d7a3e6fb0350399a6060ea  1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
+2f7c850af078a3ae71b2dd38d5d0b3964ea4262e52673e36ff33498cc6223e6c  1004-crypto-engine-autoload-padlock-dynamic-engine.patch"
 sha512sums="02d228578824add52b73433d64697706e6503c2334933fe8dd6b477f59c430977012c3c34da207096229a425e1dcb6f3ae806043894b5ac98c27bbcddb794dd4  openssl-1.0.2a.tar.gz
 b7142256c25f208a42078e2cbdd5165aac833f0453fea0915c63d34d8177e4bb01aeb6676d8cadb988539c181a0d21991bb05a5443580053e75bc8c047b7db17  0001-fix-manpages.patch
 2244f46cb18e6b98f075051dd2446c47f7590abccd108fbab707f168a20cad8d32220d704635973f09e3b2879f523be5160f1ffbc12ab3900f8a8891dc855c5c  0002-busybox-basename.patch
@@ -151,7 +156,9 @@ b7142256c25f208a42078e2cbdd5165aac833f0453fea0915c63d34d8177e4bb01aeb6676d8cadb9
 820d4ce1c222696fe3f1dd0d11815c06262ec230fdb174532fd507286667a0aefbf858ea5edac4245a54b950cd0556545ecd0c5cf494692a2ba131c667e7bcd5  0006-add-ircv3-tls-3.1-extension-support-to-s_client.patch
 fc4e383ec85c6543e4e82520904122a5a5601c68042ece1e95a0cae95e02d89174f06f78ba2f8aacae8df16052df6ec628b568519a41706428a3fa07984cc8e3  0007-reimplement-c_rehash-in-C.patch
 17ad683bb91a3a3c5bcc456c8aed7f0b42414c6de06ebafa4753af93c42d9827c9978a43d4d53d741a45df7f7895c6f6163172af57cc7b391cfd15f45ce6c351  0008-maintain-abi-compat-with-no-freelist-and-regular-bui.patch
-8c181760d7a149aa18d246d50f1c0438ffb63c98677b05306dfc00400ad0429b47d31e7c8d85126005c67f743d23e7a8a81174ffe98556f4caf9cf6b04d9ff17  0009-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
-a3555440b5f544bfd6b9ad97557d8f4c1d673f6a35219f65056a72035d186be5f354717ddf9784899b602464d48657b090ade24379552d43af97609c0f48c389  0010-backport-changes-from-upstream-padlock-module.patch
-6353c7a94016c20db5d683dde37775f6780952ecdb1a5f39f878d04ba37f6ad79ae10fb6d65d181d912505a5d1e22463004cd855d548b364c00b120da2b0fdbc  0011-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
-b72436eb8d4dac42d8da76a51d46cfc03e92e162f692a7a1761201221b9c6d66b738c08270b2260f02ce47b42043538474df73a7185dd4a809dd3b14cc8af7c3  0012-crypto-engine-autoload-padlock-dynamic-engine.patch"
+5dbbc01985190ae1254350fb12565beb6abb916b6a7bb1f0f22d9762b1e575d124aaf9aa4cfe5f908e420978f691072d48c61a72660f09dfd6d9a2f83f862bc1  0009-no-rpath.patch
+5febe20948e3f12d981e378e1f4ea538711657aacb6865a1aa91339d4a04277e250f490a1f2abc2c6f290bdc2b1bffdba1d00983b4c09f7ea983eef8163f9420  0010-ssl-env-zlib.patch
+8c181760d7a149aa18d246d50f1c0438ffb63c98677b05306dfc00400ad0429b47d31e7c8d85126005c67f743d23e7a8a81174ffe98556f4caf9cf6b04d9ff17  1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
+a3555440b5f544bfd6b9ad97557d8f4c1d673f6a35219f65056a72035d186be5f354717ddf9784899b602464d48657b090ade24379552d43af97609c0f48c389  1002-backport-changes-from-upstream-padlock-module.patch
+6353c7a94016c20db5d683dde37775f6780952ecdb1a5f39f878d04ba37f6ad79ae10fb6d65d181d912505a5d1e22463004cd855d548b364c00b120da2b0fdbc  1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch
+b72436eb8d4dac42d8da76a51d46cfc03e92e162f692a7a1761201221b9c6d66b738c08270b2260f02ce47b42043538474df73a7185dd4a809dd3b14cc8af7c3  1004-crypto-engine-autoload-padlock-dynamic-engine.patch"