Diffstat (limited to 'testing/openssl1.1')
-rw-r--r--testing/openssl1.1/APKBUILD88
-rw-r--r--testing/openssl1.1/CVE-2018-0732.patch39
2 files changed, 127 insertions, 0 deletions
diff --git a/testing/openssl1.1/APKBUILD b/testing/openssl1.1/APKBUILD
new file mode 100644
index 0000000000..092c44565e
--- /dev/null
+++ b/testing/openssl1.1/APKBUILD
@@ -0,0 +1,88 @@
+# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
+pkgver=1.1.0h
+pkgname=openssl$_osslver
+_osslver=${pkgver%.*}
+pkgrel=1
+pkgdesc="Toolkit for SSL v2/v3 and TLS v1"
+url="https://www.openssl.org"
+arch="all"
+license="OpenSSL"
+depends_dev="zlib-dev"
+makedepends_build="perl"
+makedepends_host="zlib-dev linux-headers"
+makedepends="$makedepends_host $makedepends_build"
+subpackages="$pkgname-dbg $pkgname-dev $pkgname-doc openssl$_osslver-libcrypto:_libcrypto openssl$_osslver-libssl:_libssl"
+source="http://www.openssl.org/source/openssl-$pkgver.tar.gz
+ CVE-2018-0732.patch
+ "
+builddir="$srcdir/openssl-$pkgver"
+
+build() {
+ local _target _optflags
+ cd "$builddir"
+
+ # openssl will prepend crosscompile always core CC et al
+ CC=${CC#${CROSS_COMPILE}}
+ CXX=${CXX#${CROSS_COMPILE}}
+ CPP=${CPP#${CROSS_COMPILE}}
+
+ # determine target OS for openssl
+ case "$CARCH" in
+ aarch64*) _target="linux-aarch64" ;;
+ arm*) _target="linux-armv4" ;;
+ ppc64le) _target="linux-ppc64le" ;;
+ x86) _target="linux-elf" ;;
+ x86_64) _target="linux-x86_64"; _optflags="enable-ec_nistp_64_gcc_128" ;;
+ s390x) _target="linux64-s390x";;
+ *) msg "Unable to determine architecture from (CARCH=$CARCH)" ; return 1 ;;
+ esac
+
+ # Configure assumes --options are for it, so can't use
+ # gcc's --sysroot fake this by overriding CC
+ [ -n "$CBUILDROOT" ] && CC="$CC --sysroot=${CBUILDROOT}"
+
+ perl ./Configure $_target --prefix=/usr \
+ --libdir=lib \
+ --openssldir=/etc/ssl \
+ shared zlib $_optflags \
+ -DOPENSSL_NO_ASYNC \
+ $CPPFLAGS $CFLAGS $LDFLAGS -Wa,--noexecstack
+
+ make
+}
+
+check() {
+ cd "$builddir"
+ make -j1 test
+}
+
+package() {
+ cd "$builddir"
+ make DESTDIR="$pkgdir" MANDIR=/usr/share/man MANSUFFIX=ssl install
+ # remove the script c_rehash
+ rm "$pkgdir"/usr/bin/c_rehash
+}
+
+_libcrypto() {
+ pkgdesc="Crypto library from openssl"
+
+ mkdir -p "$subpkgdir"/lib "$subpkgdir"/usr/lib
+ for i in "$pkgdir"/usr/lib/libcrypto*; do
+ mv $i "$subpkgdir"/lib/
+ ln -s ../../lib/${i##*/} "$subpkgdir"/usr/lib/${i##*/}
+ done
+ mv "$pkgdir"/usr/lib/engines-$_osslver "$subpkgdir"/usr/lib/
+}
+
+_libssl() {
+ pkgdesc="SSL shared libraries"
+
+ mkdir -p "$subpkgdir"/lib "$subpkgdir"/usr/lib
+ for i in "$pkgdir"/usr/lib/libssl*; do
+ mv $i "$subpkgdir"/lib/
+ ln -s ../../lib/${i##*/} "$subpkgdir"/usr/lib/${i##*/}
+ done
+}
+
+sha512sums="fb7750fcd98e6126eb5b92e7ed63d811a5cfa3391d98572003d925f6c7b477690df86a9aa1fa6bf6bf33d02c6c7aee6cff50a38faa8911409f310645898fda39 openssl-1.1.0h.tar.gz
+ff91298629f157496a012da00ba7325923f5d087bfa54b60e205bf2dfb06374e958912e0df39dbdf39773555455c1a3afa3dcde1ddfec6e85cf89b0b62cc0eb4 CVE-2018-0732.patch"
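Review bot: `pkgname=openssl$_osslver` is assigned one line before `_osslver=${pkgver%.*}` is defined, so when the APKBUILD is sourced `pkgname` expands to plain `openssl`, while the `openssl$_osslver-libcrypto` and `openssl$_osslver-libssl` subpackages further down do get the `1.1` suffix; the main package and its `-dbg`/`-dev`/`-doc` subpackages would then presumably collide with the existing openssl package. Moving the `_osslver=${pkgver%.*}` line above `pkgname=` fixes the ordering. The tarball in `source=` is fetched over `http://` although `url=` already uses https; the pinned sha512 catches tampering at build time, but a maintainer regenerating checksums would pin whatever the plain-HTTP fetch returned, so `https://www.openssl.org/source/openssl-$pkgver.tar.gz` is the safer source line. The file also carries no `# secfixes:` comment recording CVE-2018-0732 under `1.1.0h-r1`, which tooling that reads Alpine's security database relies on to report the package as fixed.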
diff --git a/testing/openssl1.1/CVE-2018-0732.patch b/testing/openssl1.1/CVE-2018-0732.patch
new file mode 100644
index 0000000000..148e7c3bc1
--- /dev/null
+++ b/testing/openssl1.1/CVE-2018-0732.patch
@@ -0,0 +1,39 @@
+From 3984ef0b72831da8b3ece4745cac4f8575b19098 Mon Sep 17 00:00:00 2001
+From: Guido Vranken <guidovranken@gmail.com>
+Date: Mon, 11 Jun 2018 19:38:54 +0200
+Subject: [PATCH] Reject excessively large primes in DH key generation.
+
+CVE-2018-0732
+
+Signed-off-by: Guido Vranken <guidovranken@gmail.com>
+
+(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe)
+
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/6457)
+---
+ crypto/dh/dh_key.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
+index 387558f1467..f235e0d682b 100644
+--- a/crypto/dh/dh_key.c
++++ b/crypto/dh/dh_key.c
+@@ -130,10 +130,15 @@ static int generate_key(DH *dh)
+ int ok = 0;
+ int generate_new_key = 0;
+ unsigned l;
+- BN_CTX *ctx;
++ BN_CTX *ctx = NULL;
+ BN_MONT_CTX *mont = NULL;
+ BIGNUM *pub_key = NULL, *priv_key = NULL;
+
++ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
++ DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
++ return 0;
++ }
++
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+ goto err;