diff options
author | V3n3RiX <venerix@redcorelinux.org> | 2019-03-03 13:42:34 +0000 |
---|---|---|
committer | V3n3RiX <venerix@redcorelinux.org> | 2019-03-03 13:42:34 +0000 |
commit | 066d27181e9a797ad9f8fc43b49fc9a10ff2f707 (patch) | |
tree | 3cb05783d73b2c33589ba305144a31c718e123cd /dev-libs/openssl | |
parent | 16449a80e28af2209916cc66d19c9a44ca2b90d9 (diff) |
gentoo resync : 03.03.2019
Diffstat (limited to 'dev-libs/openssl')
13 files changed, 303 insertions, 881 deletions
diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest index c99ab5fa009c..4b957780b4fc 100644 --- a/dev-libs/openssl/Manifest +++ b/dev-libs/openssl/Manifest @@ -7,20 +7,17 @@ AUX openssl-0.9.8z_p8-perl-5.26.patch 310 BLAKE2B 29c46391d127cd2b1cb3943f1bb162 AUX openssl-1.0.2a-x32-asm.patch 1561 BLAKE2B ee5e5b91e4babacff71edf36cce80fbcb2b8dbb9a7ea63a816d3a5de544fbffd8b4216d7a95bd44e718c7a83dd8b8b5ad85caed4205eab5de566b0b7e5054fc1 SHA512 fbb23393e68776e9d34953f85ba3cbb285421d50f06bd297b485c7cffc8d89ca8caff6783f21038ae668b5c75056c89dc652217ac8609b5328e2c28e70ac294c AUX openssl-1.0.2p-hobble-ecc.patch 10875 BLAKE2B fc8240a074f8cc354c5ae584b76b3fc895170e026767d2d99d8bd5e5028614c861dd2b3c7b955c223883062f9a057ee302ae0deecfbbed00ddc53ae8a4d50919 SHA512 29f64bacac4f61071db6caf9d92131633d2dff56d899171888cc4c8432790930ff0912cea90ad03ca59b13ca0357f812d2f0a3f42567e2bd72c260f49b2b59aa AUX openssl-1.1.0j-parallel_install_fix.patch 515 BLAKE2B a1bcffce4dc9e0566e21e753cf1a18ee6eac92aca5880c50b33966d8ecb391f7430e1db6ea5a30ee4e3a9d77fb9e5542e864508b01c325011e368165e079a96c SHA512 0badd29ec8cffd95b2b69a4b8f8eecfc9ea0c00a812b298a650ee353e3965147fd2da1f9058d2d51744838f38168257b89aaf317287c55a7b76f16a69c781828 -AUX openssl-1.1.1a-fix-a-minor-nit-in-hkdflabel-size.patch 1072 BLAKE2B cb1cc03561193fbf8686b48d544d9dbf4674ca8b514e6ff5a569001667cd4d02331acf1b8c2bbc2d85232e43e0898470369d69dab3f70580825f5a10000d7058 SHA512 3ae6ae44e9dba31e2aedecc6be635e627e81367abd7f537deca90919506e2004379b7f954a0df1187a03e21509052d232daf2c657d68b1e7e3000b94e48903b5 -AUX openssl-1.1.1a-fix-cert-with-rsa-instead-of-rsaEncryption.patch 3928 BLAKE2B e91a7fd153622e92acab16cdcb19d933398a685afe8d7bbf53090986bd263afd64c9ea23c57dee0022423ca4b8e08f8121791b4e1f6f00e47cf7f2440ac93228 SHA512 c7e59cccece9a60658bdad4efed193c69d14f8b2a9a515845b24adf9ceeba3039c8fef9aa474f33688a4ff3395a4013de5ea4a56bd4787b59a66ed4d388bfcec -AUX openssl-1.1.1a-fix-some-SSL_export_keying_material-issues.patch 19341 BLAKE2B b8d36862f26f17efda5025ca7e0d12d4438f431235f66419a621eb6ee62bbe4b4bc6719d2aeaf249c37f53e98bba30177990f1f1120b6728597e99129711845b SHA512 61ac466583fbf324abdf73332580fd2a4e5d86d30f51d1363aaacf5305af8d7fe0cb40ba6fdeaa94c388bb2f37c2e489b17e05473258e7f69957f31d8a25261f -AUX openssl-1.1.1a-fix-wrong-return-value-in-ssl3_ctx_ctrl.patch 957 BLAKE2B 9b059003d4b77c7d1479841d003c61ac51aaed6096877fc1e787659c11cd9bd0d2375154666477151bbf0dd707ded874c9341d9ede191ab2efc137acc6ba36b0 SHA512 e78cd97444b85a879af428efd7203ac8ada44b5d5c915b3b842b4c97574056e1678f1030521299f3ffa18d589b7e0494a3a3114c2f9c57d2763590d60aac9d56 -AUX openssl-1.1.1a-make-sure-build_SYS_str_reasons_preserves_errno.patch 2181 BLAKE2B 28b1185b5502cbfaf7ae1a74d02389bcf5a651a5c20ad7c0f109d06a4512e34db333bc8e9457ebbc6f7d90b54b885f6473e9440f34d8cd96d6b6bedd1b61705d SHA512 b24347811c8723c6bf5ab2c0a15bb18a57b4a54889fcd5feda8bc7bce3b54368ddcbb2b10b0052a6f4f460e34054bdfda2c49f88109f66ed2eac0780560c284f -AUX openssl-1.1.1a-preserve-errno-on-dlopen.patch 1639 BLAKE2B 9c900dfd975a3446931ca4c7e34030eb8c3be2ce8f11c737cda627f3be2443ba8c31ffe73cc1c60a64d267aeb5c9023cfd62913fab96f0077c045828a870ee15 SHA512 a0bd5656890626d836ce8c9a09fba8b631504e13eb8844e56a493804bdf129cbba010a1b3905b8493960eb7441d531810f732663b61d6e61f79bee3df311d0c4 -AUX openssl-1.1.1a-preserve-system-error-number-in-a-few-more-places.patch 1665 BLAKE2B 12c117f85fdd7e27c5af5be8a87627d0adde280be49a64fe4548e7b204f78568ff7e40ced76156d48f72a847034724f3191b669a81b30d3f62d35ffd026a1317 SHA512 67c095262ffe1a8d570510ebe4ae84adbd1db1d5b5b9c29ebfb8bc10174a32cdb6f43a123eade7cde03a9fd301a289d98636b5793887c866c07342cfc5ba4911 -AUX openssl-1.1.1a-revert-reduce-stack-usage-in-tls13_hkdf_expand.patch 2171 BLAKE2B 6d1491a337eee20608f08f9a2338d84d1f7ba091feab614cb3c2660e6bca9df7c4b3d71eb6850a50f9a26003763241307c9bdfc8c91babe022a7d177f14951fa SHA512 c7667572a7171380b987ed4befd8012d130cab091b843b8260e1b7f4c880492ce8dd83cc1d4eec9b3dde348f1b8a7c04e9290dcb8c4e2190de54f8bd57f2c440 +AUX openssl-1.1.1b-ec-curves-patch.patch 6841 BLAKE2B f62865ec0cdf246b2b145466b775dbba086ddc4e7066358956e8a5de8a3070634ef2186ff84df2a277d92eea2c3e78ba34a96119db21617e559f3ce77c131727 SHA512 1eb6419b7db282d37b2c84f4425952db833677c67728ac6070b64c08cb5fcac4b32a1fa880d8a6bb2151fbe5afc7920d6ccbb9b8bd43a610e907c5cfafb74f94 DIST openssl-0.9.8zh.tar.gz 3818524 BLAKE2B 610bb4858900983cf4519fa8b63f1e03b3845e39e68884fd8bebd738cd5cd6c2c75513643af49bf9e2294adc446a6516480fe9b62de55d9b6379bf9e7c5cd364 SHA512 b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6 DIST openssl-1.0.2-patches-1.5.tar.xz 12404 BLAKE2B 6c1b8c28f339f539b2ab8643379502a24cf62bffde00041dce54d5dd9e8d2620b181362ee5464b0ab32ba4948e209697bfabadbea2944a409a1009100d298f24 SHA512 5725e2d9d1ee8cc074bcef3bed61c71bdab2ff1c114362110c3fb8da11ad5bc8f2ff28e90a293f5f3a5cf96ecda54dffdb7ab3fb3f8b23ef6472250dc3037659 DIST openssl-1.0.2q.tar.gz 5345604 BLAKE2B c03dd92de1cc8941a7f3e4d9f2fe6f8e4ea89eccc58743d7690491fc22cc54a9783311699b008aeb4a0d37cd3172154e67623c8ada6fc8dde57e80a5cd3c5fc1 SHA512 403e6cad42db3ba860c3fa4fa81c1b7b02f0b873259e5c19a7fc8e42de0854602555f1b1ca74f4e3a7737a4cbd3aac063061e628ec86534586500819fae7fec0 DIST openssl-1.0.2q_ec_curve.c 17254 BLAKE2B d40d8d6e770443f07abe70e2c4ddda6aec1cc8e37dc1f226a3fdd9ed5d228f09c6d372e8956b1948b55ee1d57d1429493e7288d0f54d9466a37fec805c85aacb SHA512 8e92fb100bcf4bd918c82b9a6cbd75a55abe1a2c08230a007e441c51577f974f8cc336e9ac8a672b32641480428ca8cead5380da1fe81bacb088145a1b754a15 DIST openssl-1.0.2q_ectest.c 30735 BLAKE2B 95333a27f1cf0a4305a3cee7f6d46b9d4673582ca9acfcf5ba2a0d9d317ab6219cd0d2ff0ba3a55a317c8f5819342f05cc17ba80ec2c92b2b4cab9a3552382e1 SHA512 f2e4d34327b490bc8371f0845c69df3f9fc51ea16f0ea0de0411a0c1fa9d49bb2b6fafc363eb3b3cd919dc7c24e4a0d075c6ff878c01d70dae918f2540874c19 DIST openssl-1.0.2q_hobble-openssl 1302 BLAKE2B 647caa6a0f4c53a2e77baa3b8e5961eaef3bb0ff38e7d5475eab8deef3439f7fe49028ec9ed0406f3453870b62cac67c496b3a048ee4c9ff4c6866d520235960 SHA512 3d757a4708e74a03dd5cb9b8114dfe442ed9520739a6eca693be4c4265771696f1449ea06d1c9bcfc6e94fc9b0dd0c10e153f1c3b0334831c0550b36cd63326e +DIST openssl-1.0.2r.tar.gz 5348369 BLAKE2B 9f9c2d2fe6eaf9acacab29b394a318f30c38e831a5f9c193b2da660f9d04acbf407d8b752274783765416c0f5ba557c24ee293ad7fb7d727771db289e6acc901 SHA512 6eb2211f3ad56d7573ac26f388338592c37e5faaf5e2d44c0fa9062c12186e56a324f135d1c956a89b55fcce047e6428bec2756658d103e7275e08b46f741235 +DIST openssl-1.0.2r_ec_curve.c 17254 BLAKE2B d40d8d6e770443f07abe70e2c4ddda6aec1cc8e37dc1f226a3fdd9ed5d228f09c6d372e8956b1948b55ee1d57d1429493e7288d0f54d9466a37fec805c85aacb SHA512 8e92fb100bcf4bd918c82b9a6cbd75a55abe1a2c08230a007e441c51577f974f8cc336e9ac8a672b32641480428ca8cead5380da1fe81bacb088145a1b754a15 +DIST openssl-1.0.2r_ectest.c 30735 BLAKE2B 95333a27f1cf0a4305a3cee7f6d46b9d4673582ca9acfcf5ba2a0d9d317ab6219cd0d2ff0ba3a55a317c8f5819342f05cc17ba80ec2c92b2b4cab9a3552382e1 SHA512 f2e4d34327b490bc8371f0845c69df3f9fc51ea16f0ea0de0411a0c1fa9d49bb2b6fafc363eb3b3cd919dc7c24e4a0d075c6ff878c01d70dae918f2540874c19 +DIST openssl-1.0.2r_hobble-openssl 1302 BLAKE2B 647caa6a0f4c53a2e77baa3b8e5961eaef3bb0ff38e7d5475eab8deef3439f7fe49028ec9ed0406f3453870b62cac67c496b3a048ee4c9ff4c6866d520235960 SHA512 3d757a4708e74a03dd5cb9b8114dfe442ed9520739a6eca693be4c4265771696f1449ea06d1c9bcfc6e94fc9b0dd0c10e153f1c3b0334831c0550b36cd63326e DIST openssl-1.1.0-build_d2ede125556ac99aa0faa7744c703af3f559094e.patch 3001 BLAKE2B 8f0ac4be6409b4ec50bec171697da2aebe2688e8ae06bd0dfac8b0c74661d38ebeb0a12bde0ef941b213eee9b85965262213b140636060285dcfb02a3bd14961 SHA512 ec6710e9669ac19e4c6f1286c89a383e7d276a773a2740037f98a8f2dbf18305614e7d30d9ed530923a0e7d10a3776fea2ca77229adc25df13ecad55589a3673 DIST openssl-1.1.0-ec-curves_d2ede125556ac99aa0faa7744c703af3f559094e.patch 5311 BLAKE2B e9ec985adf6f13eb04412158a05da7cbe10be7d64bce73b899152ea379336ece7b7069089ef46993ac301ef850fd46fd0352898e249b2ea9fff5baf20896e5b5 SHA512 c38c4b05195f2b323a07efd8d17335ba2a168a16a59d7941da36568081f1c043da8d2216b7084b0617963635ded9bafeee736ecddbfa251cf0a02e4cba64cdc8 DIST openssl-1.1.0j.tar.gz 5411919 BLAKE2B 0fbd936f38d30b64bea717a67cd59704c5ce44ee19f377a820f89ba66b9e0a7509cf39e0fb00c104ae6440a6bd811e388239b458ffe685d8601235bab2afb2f1 SHA512 e7d30951ebb3cbcb6d59e3eb40f64f5a84634b7f5c380a588d378973f1c415395e3ab71a9aaff6478a89ec6efcc88f17f1882c99c25dcd18165f1435a51e5768 @@ -28,14 +25,14 @@ DIST openssl-1.1.0j_d2ede125556ac99aa0faa7744c703af3f559094e_ec_curve.c 18401 BL DIST openssl-1.1.0j_d2ede125556ac99aa0faa7744c703af3f559094e_ectest.c 30688 BLAKE2B 6673ef0fd139af82d830794179b19b9e06be25fac4a13b8bdfa5fd5dad25f594ce8eab118aab9ec2aab25001e1de127c03f8e1a04f4f3ef4c464b7fb1811ed4a SHA512 240fc72916caf4a8b0af774ce307abfe9a93a762eba6fae760cec79d619fe3db0d6919fc92a8951cb031f73958237700b45f590aa7f9f2890762cccda1f1e74b DIST openssl-1.1.0j_d2ede125556ac99aa0faa7744c703af3f559094e_hobble-openssl 1117 BLAKE2B c3a1477e63331e83cf1cbe58e9ef131ec500a311e22d3da55034800ca353c387b2e202575acf3badb00b236ff91d4bac1bb131a33930939646d26bec27be6e04 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826 DIST openssl-1.1.1-ec-curves.patch 7265 BLAKE2B 04725d226c430132cf54afbfaa30a82f8f8bbfd3608823d1d0cd42c3c13f417e90762759da3134d7b0c4373e531925db337b681340f2f284cb2f16a4caef22e3 SHA512 de4d0f1635740c57217836a476c420141c0d34a5f90cbf7957aed7a80e7ac9ca036de2d8448e6bf4c122999e308730575899f61cea6e51ab6825dd04890d75a1 -DIST openssl-1.1.1a.tar.gz 8350547 BLAKE2B 71dae2f44ade3e31983599a491b5efe5da63bbe4f32a2336a8022b282f844a9d898f3b1c3fa825a5973cb16898e8e87fcd73d68e9b602b58f500c3f3e047b199 SHA512 1523985ba90f38aa91aa6c2d57652f4e243cb2a095ce6336bf34b39b5a9b5b876804299a6825c758b65990e57948da532cca761aa12b10958c97478d04dd6d34 -DIST openssl-1.1.1a_ec_curve.c 17938 BLAKE2B d5cbde40dcd8608087aed6ffa9feb040ffadecf0c46b7f3978cc468a9503f0a5ad0a426ea6f8db56f49a64474a508bebdf946e01ebf09adc727675f3b180bcdc SHA512 ec470f6514cb9a4f680b8cbbe02e2bbe71639b288f3429d976726047901d9c50377dfb2737f32429da2fb0e52fd67878a86debb54520e307ee196d97b5c66415 -DIST openssl-1.1.1a_ectest.c 35091 BLAKE2B a9602255ab529751c2af2419206ce113f03f93b7b776691ea2ec550f26ddbecd241844bb81dc86988fdbb1c0a587318f82ce4faecba1a6142a19cf08d40fb2c5 SHA512 7813d9b6b7ab62119a7f2dd5431c17c5839f4c320ac7071b0714c9b8528bda5fda779dbb263328dca6ee8446e9fa09c663da659c9a82832a65cf53d1cd8a4cef -DIST openssl-1.1.1a_hobble-openssl 1117 BLAKE2B c3a1477e63331e83cf1cbe58e9ef131ec500a311e22d3da55034800ca353c387b2e202575acf3badb00b236ff91d4bac1bb131a33930939646d26bec27be6e04 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826 +DIST openssl-1.1.1b.tar.gz 8213737 BLAKE2B 7ad9da9548052e2a033a684038f97c420cfffd57994604bcb3fa12640796c8c0aea3d24fb05648ee4940fbec40b81462e81c353da5a41a2575c0585d9718eae8 SHA512 b54025fbb4fe264466f3b0d762aad4be45bd23cd48bdb26d901d4c41a40bfd776177e02230995ab181a695435039dbad313f4b9a563239a70807a2e19ecf045d +DIST openssl-1.1.1b_ec_curve.c 17938 BLAKE2B d5cbde40dcd8608087aed6ffa9feb040ffadecf0c46b7f3978cc468a9503f0a5ad0a426ea6f8db56f49a64474a508bebdf946e01ebf09adc727675f3b180bcdc SHA512 ec470f6514cb9a4f680b8cbbe02e2bbe71639b288f3429d976726047901d9c50377dfb2737f32429da2fb0e52fd67878a86debb54520e307ee196d97b5c66415 +DIST openssl-1.1.1b_ectest.c 35091 BLAKE2B a9602255ab529751c2af2419206ce113f03f93b7b776691ea2ec550f26ddbecd241844bb81dc86988fdbb1c0a587318f82ce4faecba1a6142a19cf08d40fb2c5 SHA512 7813d9b6b7ab62119a7f2dd5431c17c5839f4c320ac7071b0714c9b8528bda5fda779dbb263328dca6ee8446e9fa09c663da659c9a82832a65cf53d1cd8a4cef +DIST openssl-1.1.1b_hobble-openssl 1117 BLAKE2B c3a1477e63331e83cf1cbe58e9ef131ec500a311e22d3da55034800ca353c387b2e202575acf3badb00b236ff91d4bac1bb131a33930939646d26bec27be6e04 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826 EBUILD openssl-0.9.8z_p8-r1.ebuild 4937 BLAKE2B 4d8c960161f15f38dbcef1ba1529906d81ad1b8574c90b7e09f3b2a8f2fcfdda1d69d9c4259a7f616246fe34b5794ea08f5ef8f5cb1ecb4117784062587a1fa7 SHA512 2693d1d1cf167e0e0031d5b7b3ac2f850290ea2fa8513c8fe2f5b8c52fd5efd4296b574533165e24ddd315e271dad6e7f5b00afdf8d036864e27af62fae30e43 -EBUILD openssl-1.0.2q-r200.ebuild 7981 BLAKE2B b8b41046e8754f64427bd1da2557d654939e8b16f5be96be731e56c26c23a338807641858712ddc589001e5f7cd20c167dfb6e459b1c1086c7cdfb9d3bc253b1 SHA512 530f96ce8e8543cad92138abc6695b0546819d9eaff26d08ebcbf9fd6b1075e777f395af174087016530bd4ed29f067fbb1c6bbd7647354cb87f6ec600811728 EBUILD openssl-1.0.2q.ebuild 10254 BLAKE2B e543d26a7a1f9848e7ddca3bbfea3eed4a656e3b6dbb9d8c770f25472a2d584a2e513c2f8978af5a8efab9d33ee8616f7b1a20f02d3a05c5beec1e1da15d0dd8 SHA512 21e54c2937acac8ab2a4514ae7f824ada21183bd0eef11b5b1f7bedf1eb423bd2d98de6efe5c6b8263c88dc98437a2632733ce60c46d220f127a2715300e76bf +EBUILD openssl-1.0.2r-r200.ebuild 7981 BLAKE2B b8b41046e8754f64427bd1da2557d654939e8b16f5be96be731e56c26c23a338807641858712ddc589001e5f7cd20c167dfb6e459b1c1086c7cdfb9d3bc253b1 SHA512 530f96ce8e8543cad92138abc6695b0546819d9eaff26d08ebcbf9fd6b1075e777f395af174087016530bd4ed29f067fbb1c6bbd7647354cb87f6ec600811728 +EBUILD openssl-1.0.2r.ebuild 10267 BLAKE2B 68ae9a7d9386c6255d59c5623cd41ab5b4ca94d55311ed27ba552c36ada8184f4ad96516cc9e1491372d948e1e251b77f46282dee2919aa4d8ba6366f25e709e SHA512 1ced7d4cf3b70d68accd0b626e6c283ed64b2229c703eb7a817010e3b1e568541ff26900e53e5c8ed8fc48114456915aa45919fc720d02793f08c599fd963e64 EBUILD openssl-1.1.0j.ebuild 9991 BLAKE2B 8df26c653ad304e724c59eb12882e535a9c03b00814f727d28bba62e0948480378b5c3d2fa1a8f59bb889e89c0abba0db14f60b2a306757bd32b8d6e9e8d1194 SHA512 5efe70f82141870a996785e7bce29a11671d8c1e4e0dec26b5ca737fe07fbac298c9ab4b0ef19c74593d82a030ddca31ec9e1961af1b8252ceb08e206e8edb12 -EBUILD openssl-1.1.1a-r1.ebuild 9831 BLAKE2B 3579028bac72fb81ffe175ab75532d0459e1b2b00e636d331498c7b3144ead73fb862a537cd3028b2c774320cec86a6ec6d734da42315664ea81876b836185c9 SHA512 e1e8169c37dfabef28378c053ee9f0fff45eefce1e19b5e8abaa507ee80496a2f31511296a2c9bdc50a3de7d8719752f26457238ae4b86fb777956259d3e11a1 -EBUILD openssl-1.1.1a.ebuild 9280 BLAKE2B 47a9ef1e05899f295bc2ce197821ce19ffbfaed7924be4131d07a6ae285dd339c9ce673b380163bf53b2a13e9e41d97ff4001482ea67754af77f481bd756ffee SHA512 4d1f897d5755ef451b17aa37c57df0c60bf4e5180029990debf060cab9f656100c74f110d6faa1e629b65c4d945e1da72488de1054df9e9133734e6d3626b108 +EBUILD openssl-1.1.1b-r1.ebuild 9546 BLAKE2B 6afff3ef187eea813c6c06379d7b2034b21467413d642b4c2fadd364528cba738d5c3f618674918bf2c05ed519001966e78c9994bef367be2f3c58462ad9d733 SHA512 2e996d2d3d1456389dd09a7b519e78ee5bbb6388b0c38c9b2db21351d85cef1bfa1849d0debc022ff2e2744dce8fde0061da37431cdcab212abfa90224654531 MISC metadata.xml 1273 BLAKE2B 8eb61c2bfd56f428fa4c262972c0b140662a68c95fdf5e3101624b307985f83dc6d757fc13565e467c99188de93d90ec2db6de3719e22495da67155cbaa91aa9 SHA512 3ffb56f8bc35d71c2c67b4cb97d350825260f9d78c97f4ba9462c2b08b8ef65d7f684139e99bb2f7f32698d3cb62404567b36ce849e7dc4e7f7c5b6367c723a7 diff --git a/dev-libs/openssl/files/openssl-1.1.1a-fix-a-minor-nit-in-hkdflabel-size.patch b/dev-libs/openssl/files/openssl-1.1.1a-fix-a-minor-nit-in-hkdflabel-size.patch deleted file mode 100644 index 8014be130ab7..000000000000 --- a/dev-libs/openssl/files/openssl-1.1.1a-fix-a-minor-nit-in-hkdflabel-size.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 3be71a31a1dda204bb95462a92cf7f247e64b939 Mon Sep 17 00:00:00 2001 -From: Bernd Edlinger <bernd.edlinger@hotmail.de> -Date: Sun, 16 Dec 2018 12:43:59 +0100 -Subject: [PATCH] Fix a minor nit in the hkdflabel size - -Reviewed-by: Paul Dale <paul.dale@oracle.com> -Reviewed-by: Matt Caswell <matt@openssl.org> -(Merged from https://github.com/openssl/openssl/pull/7913) - -(cherry picked from commit 0b4233f5a4a181a6dcb7c511cd2663e500e659a4) ---- - ssl/tls13_enc.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c -index c3021d18aa9..e36b7d3a066 100644 ---- a/ssl/tls13_enc.c -+++ b/ssl/tls13_enc.c -@@ -41,7 +41,7 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, - * + bytes for the hash itself - */ - unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) + -- + sizeof(label_prefix) + TLS13_MAX_LABEL_LEN -+ + (sizeof(label_prefix) - 1) + TLS13_MAX_LABEL_LEN - + 1 + EVP_MAX_MD_SIZE]; - WPACKET pkt; - diff --git a/dev-libs/openssl/files/openssl-1.1.1a-fix-cert-with-rsa-instead-of-rsaEncryption.patch b/dev-libs/openssl/files/openssl-1.1.1a-fix-cert-with-rsa-instead-of-rsaEncryption.patch deleted file mode 100644 index 8f249e22a1d2..000000000000 --- a/dev-libs/openssl/files/openssl-1.1.1a-fix-cert-with-rsa-instead-of-rsaEncryption.patch +++ /dev/null @@ -1,97 +0,0 @@ -From c25ae0fff78cb3cb784ef79167329d5cd55b62de Mon Sep 17 00:00:00 2001 -From: Bernd Edlinger <bernd.edlinger@hotmail.de> -Date: Thu, 27 Dec 2018 22:18:21 +0100 -Subject: [PATCH] Fix cert with rsa instead of rsaEncryption as public key - algorithm - -Reviewed-by: Kurt Roeckx <kurt@roeckx.be> -(Merged from https://github.com/openssl/openssl/pull/7962) - -(cherry picked from commit 1f483a69bce11c940309edc437eee6e32294d5f2) ---- - crypto/rsa/rsa_ameth.c | 9 ++++++--- - test/certs/root-cert-rsa2.pem | 18 ++++++++++++++++++ - test/recipes/25-test_verify.t | 4 +++- - 3 files changed, 27 insertions(+), 4 deletions(-) - create mode 100644 test/certs/root-cert-rsa2.pem - -diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c -index a6595aec054..75debb3e0a9 100644 ---- a/crypto/rsa/rsa_ameth.c -+++ b/crypto/rsa/rsa_ameth.c -@@ -34,7 +34,7 @@ static int rsa_param_encode(const EVP_PKEY *pkey, - - *pstr = NULL; - /* If RSA it's just NULL type */ -- if (pkey->ameth->pkey_id == EVP_PKEY_RSA) { -+ if (pkey->ameth->pkey_id != EVP_PKEY_RSA_PSS) { - *pstrtype = V_ASN1_NULL; - return 1; - } -@@ -58,7 +58,7 @@ static int rsa_param_decode(RSA *rsa, const X509_ALGOR *alg) - int algptype; - - X509_ALGOR_get0(&algoid, &algptype, &algp, alg); -- if (OBJ_obj2nid(algoid) == EVP_PKEY_RSA) -+ if (OBJ_obj2nid(algoid) != EVP_PKEY_RSA_PSS) - return 1; - if (algptype == V_ASN1_UNDEF) - return 1; -@@ -109,7 +109,10 @@ static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) - RSA_free(rsa); - return 0; - } -- EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa); -+ if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa)) { -+ RSA_free(rsa); -+ return 0; -+ } - return 1; - } - -diff --git a/test/certs/root-cert-rsa2.pem b/test/certs/root-cert-rsa2.pem -new file mode 100644 -index 00000000000..b817fdf3e5d ---- /dev/null -+++ b/test/certs/root-cert-rsa2.pem -@@ -0,0 +1,18 @@ -+-----BEGIN CERTIFICATE----- -+MIIC7DCCAdSgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -+IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjASMRAwDgYDVQQD -+DAdSb290IENBMIIBHTAIBgRVCAEBBQADggEPADCCAQoCggEBAOHmAPUGvKBGOHkP -+Px5xGRNtAt8rm3Zr/KywIe3WkQhCO6VjNexSW6CiSsXWAJQDl1o9uWco0n3jIVyk -+7cY8jY6E0Z1Uwz3ZdKKWdmdx+cYaUHez/XjuW+DjjIkjwpoi7D7UN54HzcArVREX -+OjRCHGkNOhiw7RWUXsb9nofGHOeUGpLAXwXBc0PlA94JkckkztiOi34u4DFI0YYq -+alUmeugLNk6XseCkydpcaUsDgAhWg6Mfsiq4wUz+xbFN1MABqu2+ziW97mmt9gfN -+biuhiVT1aOuYCe3JYGbLM2JKA7Bo1g6rX8E1VX79Ru6669y2oqPthX9337VoIkN+ -+ZiQjr8UCAwEAAaNQME4wHQYDVR0OBBYEFI71Ja8em2uEPXyAmslTnE1y96NSMB8G -+A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wDQYJ -+KoZIhvcNAQELBQADggEBAJ0OIdog3uQ1pmsjv1Qtf1w4If1geOn5uK0EOj2wYBHt -+NxlFn7l8d9+51QMZFO+RlQJ0s3Webyo1ReuaL2dMn2LGJhWMoSBAwrMALAENU3lv -+8jioRbfO2OamsdpJpKxQUyUJYudNe+BoKNX/ry3rxezmsFsRr9nDMiJZpmBCXiMm -+mFFJOJkG0CheexBbMkua4kyStIOwO4rb5bSHszVso/9ucdGHBSC7oRcJXoWSDjBx -+PdQPPBK5g4yqL8Lz26ehgsmhRKL9k32eVyjDKcIzgpmgcPTfTqNbd1KHQJKx4ssb -+7nEpGKHalSo5Oq5L9s9qYrUv37kwBY4OpJFtmGaodoI= -+-----END CERTIFICATE----- -diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t -index 6c3deab7c67..b80a1cde3ed 100644 ---- a/test/recipes/25-test_verify.t -+++ b/test/recipes/25-test_verify.t -@@ -27,7 +27,7 @@ sub verify { - run(app([@args])); - } - --plan tests => 134; -+plan tests => 135; - - # Canonical success - ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), -@@ -361,6 +361,8 @@ ok(verify("some-names2", "sslserver", ["many-constraints"], ["many-constraints"] - "Not too many names and constraints to check (2)"); - ok(verify("some-names2", "sslserver", ["many-constraints"], ["many-constraints"], ), - "Not too many names and constraints to check (3)"); -+ok(verify("root-cert-rsa2", "sslserver", ["root-cert-rsa2"], [], "-check_ss_sig"), -+ "Public Key Algorithm rsa instead of rsaEncryption"); - - SKIP: { - skip "Ed25519 is not supported by this OpenSSL build", 1 diff --git a/dev-libs/openssl/files/openssl-1.1.1a-fix-some-SSL_export_keying_material-issues.patch b/dev-libs/openssl/files/openssl-1.1.1a-fix-some-SSL_export_keying_material-issues.patch deleted file mode 100644 index 2db64d83e45c..000000000000 --- a/dev-libs/openssl/files/openssl-1.1.1a-fix-some-SSL_export_keying_material-issues.patch +++ /dev/null @@ -1,420 +0,0 @@ -From 0fb2815b873304d145ed00283454fc9f3bd35e6b Mon Sep 17 00:00:00 2001 -From: Matt Caswell <matt@openssl.org> -Date: Tue, 4 Dec 2018 08:37:04 +0000 -Subject: [PATCH] Fix some SSL_export_keying_material() issues - -Fix some issues in tls13_hkdf_expand() which impact the above function -for TLSv1.3. In particular test that we can use the maximum label length -in TLSv1.3. - -Reviewed-by: Tim Hudson <tjh@openssl.org> -(Merged from https://github.com/openssl/openssl/pull/7755) ---- - doc/man3/SSL_export_keying_material.pod | 3 +- - ssl/ssl_locl.h | 2 +- - ssl/statem/extensions.c | 2 +- - ssl/statem/statem_clnt.c | 2 +- - ssl/statem/statem_srvr.c | 2 +- - ssl/tls13_enc.c | 73 +++++++++++++++++-------- - test/sslapitest.c | 48 ++++++++++++---- - test/tls13secretstest.c | 2 +- - 8 files changed, 92 insertions(+), 42 deletions(-) - -diff --git a/doc/man3/SSL_export_keying_material.pod b/doc/man3/SSL_export_keying_material.pod -index abebf911fc3..4c81a60ffbb 100644 ---- a/doc/man3/SSL_export_keying_material.pod -+++ b/doc/man3/SSL_export_keying_material.pod -@@ -59,7 +59,8 @@ B<label> and should be B<llen> bytes long. Typically this will be a value from - the IANA Exporter Label Registry - (L<https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#exporter-labels>). - Alternatively labels beginning with "EXPERIMENTAL" are permitted by the standard --to be used without registration. -+to be used without registration. TLSv1.3 imposes a maximum label length of -+249 bytes. - - Note that this function is only defined for TLSv1.0 and above, and DTLSv1.0 and - above. Attempting to use it in SSLv3 will result in an error. -diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h -index 70e5a1740f9..307131de93a 100644 ---- a/ssl/ssl_locl.h -+++ b/ssl/ssl_locl.h -@@ -2461,7 +2461,7 @@ __owur int tls13_hkdf_expand(SSL *s, const EVP_MD *md, - const unsigned char *secret, - const unsigned char *label, size_t labellen, - const unsigned char *data, size_t datalen, -- unsigned char *out, size_t outlen); -+ unsigned char *out, size_t outlen, int fatal); - __owur int tls13_derive_key(SSL *s, const EVP_MD *md, - const unsigned char *secret, unsigned char *key, - size_t keylen); -diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c -index 63e61c6184a..716d6d23e08 100644 ---- a/ssl/statem/extensions.c -+++ b/ssl/statem/extensions.c -@@ -1506,7 +1506,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, - - /* Generate the binder key */ - if (!tls13_hkdf_expand(s, md, early_secret, label, labelsize, hash, -- hashsize, binderkey, hashsize)) { -+ hashsize, binderkey, hashsize, 1)) { - /* SSLfatal() already called */ - goto err; - } -diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c -index 5a8f1163dfa..a0e495d8e83 100644 ---- a/ssl/statem/statem_clnt.c -+++ b/ssl/statem/statem_clnt.c -@@ -2740,7 +2740,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt) - PACKET_data(&nonce), - PACKET_remaining(&nonce), - s->session->master_key, -- hashlen)) { -+ hashlen, 1)) { - /* SSLfatal() already called */ - goto err; - } -diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c -index e7c11c4bea4..a8e862ced55 100644 ---- a/ssl/statem/statem_srvr.c -+++ b/ssl/statem/statem_srvr.c -@@ -4099,7 +4099,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) - tick_nonce, - TICKET_NONCE_SIZE, - s->session->master_key, -- hashlen)) { -+ hashlen, 1)) { - /* SSLfatal() already called */ - goto err; - } -diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c -index f7ab0fa4704..c3021d18aa9 100644 ---- a/ssl/tls13_enc.c -+++ b/ssl/tls13_enc.c -@@ -13,7 +13,7 @@ - #include <openssl/evp.h> - #include <openssl/kdf.h> - --#define TLS13_MAX_LABEL_LEN 246 -+#define TLS13_MAX_LABEL_LEN 249 - - /* Always filled with zeros */ - static const unsigned char default_zeros[EVP_MAX_MD_SIZE]; -@@ -22,30 +22,47 @@ static const unsigned char default_zeros[EVP_MAX_MD_SIZE]; - * Given a |secret|; a |label| of length |labellen|; and |data| of length - * |datalen| (e.g. typically a hash of the handshake messages), derive a new - * secret |outlen| bytes long and store it in the location pointed to be |out|. -- * The |data| value may be zero length. Returns 1 on success 0 on failure. -+ * The |data| value may be zero length. Any errors will be treated as fatal if -+ * |fatal| is set. Returns 1 on success 0 on failure. - */ - int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, - const unsigned char *label, size_t labellen, - const unsigned char *data, size_t datalen, -- unsigned char *out, size_t outlen) -+ unsigned char *out, size_t outlen, int fatal) - { -- const unsigned char label_prefix[] = "tls13 "; -+ static const unsigned char label_prefix[] = "tls13 "; - EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); - int ret; - size_t hkdflabellen; - size_t hashlen; - /* -- * 2 bytes for length of whole HkdfLabel + 1 byte for length of combined -- * prefix and label + bytes for the label itself + bytes for the hash -+ * 2 bytes for length of derived secret + 1 byte for length of combined -+ * prefix and label + bytes for the label itself + 1 byte length of hash -+ * + bytes for the hash itself - */ - unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) + - + sizeof(label_prefix) + TLS13_MAX_LABEL_LEN -- + EVP_MAX_MD_SIZE]; -+ + 1 + EVP_MAX_MD_SIZE]; - WPACKET pkt; - - if (pctx == NULL) - return 0; - -+ if (labellen > TLS13_MAX_LABEL_LEN) { -+ if (fatal) { -+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND, -+ ERR_R_INTERNAL_ERROR); -+ } else { -+ /* -+ * Probably we have been called from SSL_export_keying_material(), -+ * or SSL_export_keying_material_early(). -+ */ -+ SSLerr(SSL_F_TLS13_HKDF_EXPAND, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL); -+ } -+ EVP_PKEY_CTX_free(pctx); -+ return 0; -+ } -+ - hashlen = EVP_MD_size(md); - - if (!WPACKET_init_static_len(&pkt, hkdflabel, sizeof(hkdflabel), 0) -@@ -59,8 +76,11 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, - || !WPACKET_finish(&pkt)) { - EVP_PKEY_CTX_free(pctx); - WPACKET_cleanup(&pkt); -- SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND, -- ERR_R_INTERNAL_ERROR); -+ if (fatal) -+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND, -+ ERR_R_INTERNAL_ERROR); -+ else -+ SSLerr(SSL_F_TLS13_HKDF_EXPAND, ERR_R_INTERNAL_ERROR); - return 0; - } - -@@ -74,9 +94,13 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, - - EVP_PKEY_CTX_free(pctx); - -- if (ret != 0) -- SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND, -- ERR_R_INTERNAL_ERROR); -+ if (ret != 0) { -+ if (fatal) -+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND, -+ ERR_R_INTERNAL_ERROR); -+ else -+ SSLerr(SSL_F_TLS13_HKDF_EXPAND, ERR_R_INTERNAL_ERROR); -+ } - - return ret == 0; - } -@@ -91,7 +115,7 @@ int tls13_derive_key(SSL *s, const EVP_MD *md, const unsigned char *secret, - static const unsigned char keylabel[] = "key"; - - return tls13_hkdf_expand(s, md, secret, keylabel, sizeof(keylabel) - 1, -- NULL, 0, key, keylen); -+ NULL, 0, key, keylen, 1); - } - - /* -@@ -104,7 +128,7 @@ int tls13_derive_iv(SSL *s, const EVP_MD *md, const unsigned char *secret, - static const unsigned char ivlabel[] = "iv"; - - return tls13_hkdf_expand(s, md, secret, ivlabel, sizeof(ivlabel) - 1, -- NULL, 0, iv, ivlen); -+ NULL, 0, iv, ivlen, 1); - } - - int tls13_derive_finishedkey(SSL *s, const EVP_MD *md, -@@ -114,7 +138,7 @@ int tls13_derive_finishedkey(SSL *s, const EVP_MD *md, - static const unsigned char finishedlabel[] = "finished"; - - return tls13_hkdf_expand(s, md, secret, finishedlabel, -- sizeof(finishedlabel) - 1, NULL, 0, fin, finlen); -+ sizeof(finishedlabel) - 1, NULL, 0, fin, finlen, 1); - } - - /* -@@ -177,7 +201,7 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md, - if (!tls13_hkdf_expand(s, md, prevsecret, - (unsigned char *)derived_secret_label, - sizeof(derived_secret_label) - 1, hash, mdlen, -- preextractsec, mdlen)) { -+ preextractsec, mdlen, 1)) { - /* SSLfatal() already called */ - EVP_PKEY_CTX_free(pctx); - return 0; -@@ -337,7 +361,7 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md, - hashlen = (size_t)hashleni; - - if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, hashlen, -- secret, hashlen)) { -+ secret, hashlen, 1)) { - /* SSLfatal() already called */ - goto err; - } -@@ -517,7 +541,8 @@ int tls13_change_cipher_state(SSL *s, int which) - early_exporter_master_secret, - sizeof(early_exporter_master_secret) - 1, - hashval, hashlen, -- s->early_exporter_master_secret, hashlen)) { -+ s->early_exporter_master_secret, hashlen, -+ 1)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, - SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); - goto err; -@@ -604,7 +629,7 @@ int tls13_change_cipher_state(SSL *s, int which) - resumption_master_secret, - sizeof(resumption_master_secret) - 1, - hashval, hashlen, s->resumption_master_secret, -- hashlen)) { -+ hashlen, 1)) { - /* SSLfatal() already called */ - goto err; - } -@@ -624,7 +649,7 @@ int tls13_change_cipher_state(SSL *s, int which) - exporter_master_secret, - sizeof(exporter_master_secret) - 1, - hash, hashlen, s->exporter_master_secret, -- hashlen)) { -+ hashlen, 1)) { - /* SSLfatal() already called */ - goto err; - } -@@ -738,10 +763,10 @@ int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen, - || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0 - || !tls13_hkdf_expand(s, md, s->exporter_master_secret, - (const unsigned char *)label, llen, -- data, datalen, exportsecret, hashsize) -+ data, datalen, exportsecret, hashsize, 0) - || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel, - sizeof(exporterlabel) - 1, hash, hashsize, -- out, olen)) -+ out, olen, 0)) - goto err; - - ret = 1; -@@ -797,10 +822,10 @@ int tls13_export_keying_material_early(SSL *s, unsigned char *out, size_t olen, - || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0 - || !tls13_hkdf_expand(s, md, s->early_exporter_master_secret, - (const unsigned char *)label, llen, -- data, datalen, exportsecret, hashsize) -+ data, datalen, exportsecret, hashsize, 0) - || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel, - sizeof(exporterlabel) - 1, hash, hashsize, -- out, olen)) -+ out, olen, 0)) - goto err; - - ret = 1; -diff --git a/test/sslapitest.c b/test/sslapitest.c -index 108d57e4781..a4bbb4fead4 100644 ---- a/test/sslapitest.c -+++ b/test/sslapitest.c -@@ -4028,20 +4028,25 @@ static int test_serverinfo(int tst) - * no test vectors so all we do is test that both sides of the communication - * produce the same results for different protocol versions. - */ -+#define SMALL_LABEL_LEN 10 -+#define LONG_LABEL_LEN 249 - static int test_export_key_mat(int tst) - { - int testresult = 0; - SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL; - SSL *clientssl = NULL, *serverssl = NULL; -- const char label[] = "test label"; -+ const char label[LONG_LABEL_LEN + 1] = "test label"; - const unsigned char context[] = "context"; - const unsigned char *emptycontext = NULL; - unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80]; - unsigned char skeymat1[80], skeymat2[80], skeymat3[80]; -+ size_t labellen; - const int protocols[] = { - TLS1_VERSION, - TLS1_1_VERSION, - TLS1_2_VERSION, -+ TLS1_3_VERSION, -+ TLS1_3_VERSION, - TLS1_3_VERSION - }; - -@@ -4058,7 +4063,7 @@ static int test_export_key_mat(int tst) - return 1; - #endif - #ifdef OPENSSL_NO_TLS1_3 -- if (tst == 3) -+ if (tst >= 3) - return 1; - #endif - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), -@@ -4076,33 +4081,52 @@ static int test_export_key_mat(int tst) - SSL_ERROR_NONE))) - goto end; - -+ if (tst == 5) { -+ /* -+ * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we -+ * go over that. -+ */ -+ if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1, -+ sizeof(ckeymat1), label, -+ LONG_LABEL_LEN + 1, context, -+ sizeof(context) - 1, 1), 0)) -+ goto end; -+ -+ testresult = 1; -+ goto end; -+ } else if (tst == 4) { -+ labellen = LONG_LABEL_LEN; -+ } else { -+ labellen = SMALL_LABEL_LEN; -+ } -+ - if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1, - sizeof(ckeymat1), label, -- sizeof(label) - 1, context, -+ labellen, context, - sizeof(context) - 1, 1), 1) - || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2, - sizeof(ckeymat2), label, -- sizeof(label) - 1, -+ labellen, - emptycontext, - 0, 1), 1) - || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3, - sizeof(ckeymat3), label, -- sizeof(label) - 1, -+ labellen, - NULL, 0, 0), 1) - || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1, - sizeof(skeymat1), label, -- sizeof(label) - 1, -+ labellen, - context, - sizeof(context) -1, 1), - 1) - || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2, - sizeof(skeymat2), label, -- sizeof(label) - 1, -+ labellen, - emptycontext, - 0, 1), 1) - || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3, - sizeof(skeymat3), label, -- sizeof(label) - 1, -+ labellen, - NULL, 0, 0), 1) - /* - * Check that both sides created the same key material with the -@@ -4131,10 +4155,10 @@ static int test_export_key_mat(int tst) - * Check that an empty context and no context produce different results in - * protocols less than TLSv1.3. In TLSv1.3 they should be the same. - */ -- if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3, -+ if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3, - sizeof(ckeymat3))) -- || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3, -- sizeof(ckeymat3)))) -+ || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3, -+ sizeof(ckeymat3)))) - goto end; - - testresult = 1; -@@ -5909,7 +5933,7 @@ int setup_tests(void) - ADD_ALL_TESTS(test_custom_exts, 3); - #endif - ADD_ALL_TESTS(test_serverinfo, 8); -- ADD_ALL_TESTS(test_export_key_mat, 4); -+ ADD_ALL_TESTS(test_export_key_mat, 6); - #ifndef OPENSSL_NO_TLS1_3 - ADD_ALL_TESTS(test_export_key_mat_early, 3); - #endif -diff --git a/test/tls13secretstest.c b/test/tls13secretstest.c -index 319df17bab0..de318df02b4 100644 ---- a/test/tls13secretstest.c -+++ b/test/tls13secretstest.c -@@ -226,7 +226,7 @@ static int test_secret(SSL *s, unsigned char *prk, - } - - if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize, -- gensecret, hashsize)) { -+ gensecret, hashsize, 1)) { - TEST_error("Secret generation failed"); - return 0; - } diff --git a/dev-libs/openssl/files/openssl-1.1.1a-fix-wrong-return-value-in-ssl3_ctx_ctrl.patch b/dev-libs/openssl/files/openssl-1.1.1a-fix-wrong-return-value-in-ssl3_ctx_ctrl.patch deleted file mode 100644 index c2f8bb638b3a..000000000000 --- a/dev-libs/openssl/files/openssl-1.1.1a-fix-wrong-return-value-in-ssl3_ctx_ctrl.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 3ccccb91ae1c07a4310778b3d7ba74ff4ff787f0 Mon Sep 17 00:00:00 2001 -From: Paul Yang <yang.yang@baishancloud.com> -Date: Wed, 21 Nov 2018 13:16:27 +0800 -Subject: [PATCH] Fix wrong return value in ssl3_ctx_ctrl - -This fixes issue #7677 - -Reviewed-by: Matt Caswell <matt@openssl.org> -(Merged from https://github.com/openssl/openssl/pull/7678) ---- - ssl/s3_lib.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c -index 866ca4dfa9b..99ae48199c2 100644 ---- a/ssl/s3_lib.c -+++ b/ssl/s3_lib.c -@@ -3781,7 +3781,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) - EVP_PKEY_security_bits(pkdh), 0, pkdh)) { - SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_DH_KEY_TOO_SMALL); - EVP_PKEY_free(pkdh); -- return 1; -+ return 0; - } - EVP_PKEY_free(ctx->cert->dh_tmp); - ctx->cert->dh_tmp = pkdh; diff --git a/dev-libs/openssl/files/openssl-1.1.1a-make-sure-build_SYS_str_reasons_preserves_errno.patch b/dev-libs/openssl/files/openssl-1.1.1a-make-sure-build_SYS_str_reasons_preserves_errno.patch deleted file mode 100644 index cfa84c73a5bf..000000000000 --- a/dev-libs/openssl/files/openssl-1.1.1a-make-sure-build_SYS_str_reasons_preserves_errno.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 99992ad22019e752c7b103a45f860a48b6bc0972 Mon Sep 17 00:00:00 2001 -From: Matt Caswell <matt@openssl.org> -Date: Wed, 21 Nov 2018 11:44:42 +0000 -Subject: [PATCH] Make sure build_SYS_str_reasons() preserves errno - -This function can end up being called during ERR_get_error() if we are -initialising. ERR_get_error() must preserve errno since it gets called via -SSL_get_error(). If that function returns SSL_ERROR_SYSCALL then you are -supposed to inspect errno. - -Reviewed-by: Richard Levitte <levitte@openssl.org> -(Merged from https://github.com/openssl/openssl/pull/7680) - -(cherry picked from commit 71b1ceffc4c795f5db21861dd1016fbe23a53a53) ---- - -diff --git a/crypto/err/err.c b/crypto/err/err.c -index 03cbd73..2eeeab2 100644 ---- a/crypto/err/err.c -+++ b/crypto/err/err.c -@@ -19,6 +19,7 @@ - #include <openssl/bio.h> - #include <openssl/opensslconf.h> - #include "internal/thread_once.h" -+#include "e_os.h" - - static int err_load_strings(const ERR_STRING_DATA *str); - -@@ -201,6 +202,7 @@ static void build_SYS_str_reasons(void) - static char strerror_tab[NUM_SYS_STR_REASONS][LEN_SYS_STR_REASON]; - static int init = 1; - int i; -+ int saveerrno = get_last_sys_error(); - - CRYPTO_THREAD_write_lock(err_string_lock); - if (!init) { -@@ -229,6 +231,8 @@ static void build_SYS_str_reasons(void) - init = 0; - - CRYPTO_THREAD_unlock(err_string_lock); -+ /* openssl_strerror_r could change errno, but we want to preserve it */ -+ set_sys_error(saveerrno); - err_load_strings(SYS_str_reasons); - } - #endif -diff --git a/e_os.h b/e_os.h -index 5340593..8e6efa9 100644 ---- a/e_os.h -+++ b/e_os.h -@@ -49,6 +49,7 @@ - - # define get_last_sys_error() errno - # define clear_sys_error() errno=0 -+# define set_sys_error(e) errno=(e) - - /******************************************************************** - The Microsoft section -@@ -66,8 +67,10 @@ - # ifdef WIN32 - # undef get_last_sys_error - # undef clear_sys_error -+# undef set_sys_error - # define get_last_sys_error() GetLastError() - # define clear_sys_error() SetLastError(0) -+# define set_sys_error(e) SetLastError(e) - # if !defined(WINNT) - # define WIN_CONSOLE_BUG - # endif diff --git a/dev-libs/openssl/files/openssl-1.1.1a-preserve-errno-on-dlopen.patch b/dev-libs/openssl/files/openssl-1.1.1a-preserve-errno-on-dlopen.patch deleted file mode 100644 index ed8f2dd96be0..000000000000 --- a/dev-libs/openssl/files/openssl-1.1.1a-preserve-errno-on-dlopen.patch +++ /dev/null @@ -1,51 +0,0 @@ -From ef97becf522fc4e2e9d98e6ae7bcb26651883d9a Mon Sep 17 00:00:00 2001 -From: Matt Caswell <matt@openssl.org> -Date: Wed, 21 Nov 2018 11:57:04 +0000 -Subject: [PATCH] Preserve errno on dlopen - -For the same reasons as in the previous commit we must preserve errno -across dlopen calls. Some implementations (e.g. solaris) do not preserve -errno even on a successful dlopen call. - -Fixes #6953 - -Reviewed-by: Richard Levitte <levitte@openssl.org> -(Merged from https://github.com/openssl/openssl/pull/7680) - -(cherry picked from commit 3cb4e7dc1cf92022f62b9bbdd59695885a1265ff) ---- - crypto/dso/dso_dlfcn.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/crypto/dso/dso_dlfcn.c b/crypto/dso/dso_dlfcn.c -index ad8899c289a..4240f5f5e30 100644 ---- a/crypto/dso/dso_dlfcn.c -+++ b/crypto/dso/dso_dlfcn.c -@@ -17,6 +17,7 @@ - #endif - - #include "dso_locl.h" -+#include "e_os.h" - - #ifdef DSO_DLFCN - -@@ -99,6 +100,7 @@ static int dlfcn_load(DSO *dso) - /* See applicable comments in dso_dl.c */ - char *filename = DSO_convert_filename(dso, NULL); - int flags = DLOPEN_FLAG; -+ int saveerrno = get_last_sys_error(); - - if (filename == NULL) { - DSOerr(DSO_F_DLFCN_LOAD, DSO_R_NO_FILENAME); -@@ -118,6 +120,11 @@ static int dlfcn_load(DSO *dso) - ERR_add_error_data(4, "filename(", filename, "): ", dlerror()); - goto err; - } -+ /* -+ * Some dlopen() implementations (e.g. solaris) do no preserve errno, even -+ * on a successful call. -+ */ -+ set_sys_error(saveerrno); - if (!sk_void_push(dso->meth_data, (char *)ptr)) { - DSOerr(DSO_F_DLFCN_LOAD, DSO_R_STACK_ERROR); - goto err; diff --git a/dev-libs/openssl/files/openssl-1.1.1a-preserve-system-error-number-in-a-few-more-places.patch b/dev-libs/openssl/files/openssl-1.1.1a-preserve-system-error-number-in-a-few-more-places.patch deleted file mode 100644 index 84c43a3c3e04..000000000000 --- a/dev-libs/openssl/files/openssl-1.1.1a-preserve-system-error-number-in-a-few-more-places.patch +++ /dev/null @@ -1,57 +0,0 @@ -From 145419423e1a74ae54cdbd3aed8bb15cbd53c7cc Mon Sep 17 00:00:00 2001 -From: Richard Levitte <levitte@openssl.org> -Date: Fri, 14 Dec 2018 19:33:55 +0100 -Subject: [PATCH] ERR: preserve system error number in a few more places - -It turns out that intialization may change the error number, so we -need to preserve the system error number in functions where -initialization is called for. -These are ERR_get_state() and err_shelve_state() - -Fixes #7897 - -Reviewed-by: Matt Caswell <matt@openssl.org> -(Merged from https://github.com/openssl/openssl/pull/7902) - -(cherry picked from commit 91c5473035aaf2c0d86e4039c2a29a5b70541905) ---- - crypto/err/err.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/crypto/err/err.c b/crypto/err/err.c -index 5cfb02d821b..aef2543d60b 100644 ---- a/crypto/err/err.c -+++ b/crypto/err/err.c -@@ -697,6 +697,7 @@ DEFINE_RUN_ONCE_STATIC(err_do_init) - ERR_STATE *ERR_get_state(void) - { - ERR_STATE *state; -+ int saveerrno = get_last_sys_error(); - - if (!OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL)) - return NULL; -@@ -728,6 +729,7 @@ ERR_STATE *ERR_get_state(void) - OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); - } - -+ set_sys_error(saveerrno); - return state; - } - -@@ -737,6 +739,8 @@ ERR_STATE *ERR_get_state(void) - */ - int err_shelve_state(void **state) - { -+ int saveerrno = get_last_sys_error(); -+ - if (!OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL)) - return 0; - -@@ -747,6 +751,7 @@ int err_shelve_state(void **state) - if (!CRYPTO_THREAD_set_local(&err_thread_local, (ERR_STATE*)-1)) - return 0; - -+ set_sys_error(saveerrno); - return 1; - } - diff --git a/dev-libs/openssl/files/openssl-1.1.1a-revert-reduce-stack-usage-in-tls13_hkdf_expand.patch b/dev-libs/openssl/files/openssl-1.1.1a-revert-reduce-stack-usage-in-tls13_hkdf_expand.patch deleted file mode 100644 index 5ea4fb97bfce..000000000000 --- a/dev-libs/openssl/files/openssl-1.1.1a-revert-reduce-stack-usage-in-tls13_hkdf_expand.patch +++ /dev/null @@ -1,56 +0,0 @@ -From ed371b8cbac0d0349667558c061c1ae380cf75eb Mon Sep 17 00:00:00 2001 -From: Matt Caswell <matt@openssl.org> -Date: Mon, 3 Dec 2018 18:14:57 +0000 -Subject: [PATCH] Revert "Reduce stack usage in tls13_hkdf_expand" - -This reverts commit ec0c5f5693e39c5a013f81e6dd9dfd09ec65162d. - -SSL_export_keying_material() may use longer label lengths. - -Fixes #7712 - -Reviewed-by: Tim Hudson <tjh@openssl.org> -(Merged from https://github.com/openssl/openssl/pull/7755) ---- - ssl/tls13_enc.c | 16 ++++------------ - 1 file changed, 4 insertions(+), 12 deletions(-) - -diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c -index b6825d20c2d..f7ab0fa4704 100644 ---- a/ssl/tls13_enc.c -+++ b/ssl/tls13_enc.c -@@ -13,14 +13,7 @@ - #include <openssl/evp.h> - #include <openssl/kdf.h> - --/* -- * RFC 8446, 7.1 Key Schedule, says: -- * Note: With common hash functions, any label longer than 12 characters -- * requires an additional iteration of the hash function to compute. -- * The labels in this specification have all been chosen to fit within -- * this limit. -- */ --#define TLS13_MAX_LABEL_LEN 12 -+#define TLS13_MAX_LABEL_LEN 246 - - /* Always filled with zeros */ - static const unsigned char default_zeros[EVP_MAX_MD_SIZE]; -@@ -36,15 +29,14 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, - const unsigned char *data, size_t datalen, - unsigned char *out, size_t outlen) - { -- static const unsigned char label_prefix[] = "tls13 "; -+ const unsigned char label_prefix[] = "tls13 "; - EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); - int ret; - size_t hkdflabellen; - size_t hashlen; - /* -- * 2 bytes for length of derived secret + 1 byte for length of combined -- * prefix and label + bytes for the label itself + 1 byte length of hash -- * + bytes for the hash itself -+ * 2 bytes for length of whole HkdfLabel + 1 byte for length of combined -+ * prefix and label + bytes for the label itself + bytes for the hash - */ - unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) + - + sizeof(label_prefix) + TLS13_MAX_LABEL_LEN diff --git a/dev-libs/openssl/files/openssl-1.1.1b-ec-curves-patch.patch b/dev-libs/openssl/files/openssl-1.1.1b-ec-curves-patch.patch new file mode 100644 index 000000000000..c1f53c838230 --- /dev/null +++ b/dev-libs/openssl/files/openssl-1.1.1b-ec-curves-patch.patch @@ -0,0 +1,207 @@ +Based on openssl-1.1.1-ec-curves.patch. + +Updated for OpenSSL change b6d41ff73392df5af9c931c902ae4cd75c5b61ea. + +--- a/apps/speed.c ++++ b/apps/speed.c +@@ -489,82 +489,28 @@ static const OPT_PAIR rsa_choices[] = { + static double rsa_results[RSA_NUM][2]; /* 2 ops: sign then verify */ + #endif /* OPENSSL_NO_RSA */ + +-#define R_EC_P160 0 +-#define R_EC_P192 1 +-#define R_EC_P224 2 +-#define R_EC_P256 3 +-#define R_EC_P384 4 +-#define R_EC_P521 5 +-#define R_EC_K163 6 +-#define R_EC_K233 7 +-#define R_EC_K283 8 +-#define R_EC_K409 9 +-#define R_EC_K571 10 +-#define R_EC_B163 11 +-#define R_EC_B233 12 +-#define R_EC_B283 13 +-#define R_EC_B409 14 +-#define R_EC_B571 15 +-#define R_EC_BRP256R1 16 +-#define R_EC_BRP256T1 17 +-#define R_EC_BRP384R1 18 +-#define R_EC_BRP384T1 19 +-#define R_EC_BRP512R1 20 +-#define R_EC_BRP512T1 21 +-#define R_EC_X25519 22 +-#define R_EC_X448 23 ++#define R_EC_P224 0 ++#define R_EC_P256 1 ++#define R_EC_P384 2 ++#define R_EC_P521 3 ++#define R_EC_X25519 4 ++#define R_EC_X448 5 + #ifndef OPENSSL_NO_EC + static OPT_PAIR ecdsa_choices[] = { +- {"ecdsap160", R_EC_P160}, +- {"ecdsap192", R_EC_P192}, + {"ecdsap224", R_EC_P224}, + {"ecdsap256", R_EC_P256}, + {"ecdsap384", R_EC_P384}, + {"ecdsap521", R_EC_P521}, +- {"ecdsak163", R_EC_K163}, +- {"ecdsak233", R_EC_K233}, +- {"ecdsak283", R_EC_K283}, +- {"ecdsak409", R_EC_K409}, +- {"ecdsak571", R_EC_K571}, +- {"ecdsab163", R_EC_B163}, +- {"ecdsab233", R_EC_B233}, +- {"ecdsab283", R_EC_B283}, +- {"ecdsab409", R_EC_B409}, +- {"ecdsab571", R_EC_B571}, +- {"ecdsabrp256r1", R_EC_BRP256R1}, +- {"ecdsabrp256t1", R_EC_BRP256T1}, +- {"ecdsabrp384r1", R_EC_BRP384R1}, +- {"ecdsabrp384t1", R_EC_BRP384T1}, +- {"ecdsabrp512r1", R_EC_BRP512R1}, +- {"ecdsabrp512t1", R_EC_BRP512T1} + }; + # define ECDSA_NUM OSSL_NELEM(ecdsa_choices) + + static double ecdsa_results[ECDSA_NUM][2]; /* 2 ops: sign then verify */ + + static const OPT_PAIR ecdh_choices[] = { +- {"ecdhp160", R_EC_P160}, +- {"ecdhp192", R_EC_P192}, + {"ecdhp224", R_EC_P224}, + {"ecdhp256", R_EC_P256}, + {"ecdhp384", R_EC_P384}, + {"ecdhp521", R_EC_P521}, +- {"ecdhk163", R_EC_K163}, +- {"ecdhk233", R_EC_K233}, +- {"ecdhk283", R_EC_K283}, +- {"ecdhk409", R_EC_K409}, +- {"ecdhk571", R_EC_K571}, +- {"ecdhb163", R_EC_B163}, +- {"ecdhb233", R_EC_B233}, +- {"ecdhb283", R_EC_B283}, +- {"ecdhb409", R_EC_B409}, +- {"ecdhb571", R_EC_B571}, +- {"ecdhbrp256r1", R_EC_BRP256R1}, +- {"ecdhbrp256t1", R_EC_BRP256T1}, +- {"ecdhbrp384r1", R_EC_BRP384R1}, +- {"ecdhbrp384t1", R_EC_BRP384T1}, +- {"ecdhbrp512r1", R_EC_BRP512R1}, +- {"ecdhbrp512t1", R_EC_BRP512T1}, + {"ecdhx25519", R_EC_X25519}, + {"ecdhx448", R_EC_X448} + }; +@@ -1495,29 +1441,10 @@ int speed_main(int argc, char **argv) + unsigned int bits; + } test_curves[] = { + /* Prime Curves */ +- {"secp160r1", NID_secp160r1, 160}, +- {"nistp192", NID_X9_62_prime192v1, 192}, + {"nistp224", NID_secp224r1, 224}, + {"nistp256", NID_X9_62_prime256v1, 256}, + {"nistp384", NID_secp384r1, 384}, + {"nistp521", NID_secp521r1, 521}, +- /* Binary Curves */ +- {"nistk163", NID_sect163k1, 163}, +- {"nistk233", NID_sect233k1, 233}, +- {"nistk283", NID_sect283k1, 283}, +- {"nistk409", NID_sect409k1, 409}, +- {"nistk571", NID_sect571k1, 571}, +- {"nistb163", NID_sect163r2, 163}, +- {"nistb233", NID_sect233r1, 233}, +- {"nistb283", NID_sect283r1, 283}, +- {"nistb409", NID_sect409r1, 409}, +- {"nistb571", NID_sect571r1, 571}, +- {"brainpoolP256r1", NID_brainpoolP256r1, 256}, +- {"brainpoolP256t1", NID_brainpoolP256t1, 256}, +- {"brainpoolP384r1", NID_brainpoolP384r1, 384}, +- {"brainpoolP384t1", NID_brainpoolP384t1, 384}, +- {"brainpoolP512r1", NID_brainpoolP512r1, 512}, +- {"brainpoolP512t1", NID_brainpoolP512t1, 512}, + /* Other and ECDH only ones */ + {"X25519", NID_X25519, 253}, + {"X448", NID_X448, 448} +@@ -2017,9 +1944,9 @@ int speed_main(int argc, char **argv) + # endif + + # ifndef OPENSSL_NO_EC +- ecdsa_c[R_EC_P160][0] = count / 1000; +- ecdsa_c[R_EC_P160][1] = count / 1000 / 2; +- for (i = R_EC_P192; i <= R_EC_P521; i++) { ++ ecdsa_c[R_EC_P224][0] = count / 1000; ++ ecdsa_c[R_EC_P224][1] = count / 1000 / 2; ++ for (i = R_EC_P256; i <= R_EC_P521; i++) { + ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2; + ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2; + if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0) +@@ -2031,6 +1958,7 @@ int speed_main(int argc, char **argv) + } + } + } ++#if 0 + ecdsa_c[R_EC_K163][0] = count / 1000; + ecdsa_c[R_EC_K163][1] = count / 1000 / 2; + for (i = R_EC_K233; i <= R_EC_K571; i++) { +@@ -2059,9 +1987,9 @@ int speed_main(int argc, char **argv) + } + } + } +- +- ecdh_c[R_EC_P160][0] = count / 1000; +- for (i = R_EC_P192; i <= R_EC_P521; i++) { ++#endif ++ ecdh_c[R_EC_P224][0] = count / 1000; ++ for (i = R_EC_P256; i <= R_EC_P521; i++) { + ecdh_c[i][0] = ecdh_c[i - 1][0] / 2; + if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0) + ecdh_doit[i] = 0; +@@ -2071,6 +1999,7 @@ int speed_main(int argc, char **argv) + } + } + } ++#if 0 + ecdh_c[R_EC_K163][0] = count / 1000; + for (i = R_EC_K233; i <= R_EC_K571; i++) { + ecdh_c[i][0] = ecdh_c[i - 1][0] / 2; +@@ -2116,6 +2045,7 @@ int speed_main(int argc, char **argv) + } + } + } ++#endif + /* default iteration count for the last two EC Curves */ + ecdh_c[R_EC_X25519][0] = count / 1800; + ecdh_c[R_EC_X448][0] = count / 7200; +--- a/crypto/ec/ecp_smpl.c ++++ b/crypto/ec/ecp_smpl.c +@@ -145,6 +145,11 @@ int ec_GFp_simple_group_set_curve(EC_GROUP *group, + return 0; + } + ++ if (BN_num_bits(p) < 224) { ++ ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD); ++ return 0; ++ } ++ + if (ctx == NULL) { + ctx = new_ctx = BN_CTX_new(); + if (ctx == NULL) +--- a/test/ecdsatest.c ++++ b/test/ecdsatest.c +@@ -176,6 +176,7 @@ static int x9_62_tests(void) + if (!change_rand()) + goto x962_err; + ++#if 0 + if (!TEST_true(x9_62_test_internal(NID_X9_62_prime192v1, + "3342403536405981729393488334694600415596881826869351677613", + "5735822328888155254683894997897571951568553642892029982342"))) +@@ -186,6 +187,7 @@ static int x9_62_tests(void) + "3238135532097973577080787768312505059318910517550078427819" + "78505179448783"))) + goto x962_err; ++#endif + + # ifndef OPENSSL_NO_EC2M + if (!TEST_true(x9_62_test_internal(NID_X9_62_c2tnb191v1, diff --git a/dev-libs/openssl/openssl-1.0.2q-r200.ebuild b/dev-libs/openssl/openssl-1.0.2r-r200.ebuild index 44b9547d141e..44b9547d141e 100644 --- a/dev-libs/openssl/openssl-1.0.2q-r200.ebuild +++ b/dev-libs/openssl/openssl-1.0.2r-r200.ebuild diff --git a/dev-libs/openssl/openssl-1.1.1a-r1.ebuild b/dev-libs/openssl/openssl-1.0.2r.ebuild index 0ad3e058c0c9..27fcb6ba6831 100644 --- a/dev-libs/openssl/openssl-1.1.1a-r1.ebuild +++ b/dev-libs/openssl/openssl-1.0.2r.ebuild @@ -3,22 +3,33 @@ EAPI="6" -inherit flag-o-matic toolchain-funcs multilib multilib-minimal +inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal +# openssl-1.0.2-patches-1.6 contain additional CVE patches +# which got fixed with this release. +# Please use 1.7 version number when rolling a new tarball! +PATCH_SET="openssl-1.0.2-patches-1.5" MY_P=${P/_/-} DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)" HOMEPAGE="https://www.openssl.org/" -SRC_URI="mirror://openssl/source/${MY_P}.tar.gz" +SRC_URI="mirror://openssl/source/${MY_P}.tar.gz + !vanilla? ( + mirror://gentoo/${PATCH_SET}.tar.xz + https://dev.gentoo.org/~chutzpah/dist/${PN}/${PATCH_SET}.tar.xz + https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz + https://dev.gentoo.org/~polynomial-c/dist/${PATCH_SET}.tar.xz + )" LICENSE="openssl" -SLOT="0/1.1" # .so version of libssl/libcrypto -[[ "${PV}" = *_pre* ]] || \ +SLOT="0" KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~x86-linux" -IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-heartbeat vanilla zlib" +IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib" RESTRICT="!bindist? ( bindist )" RDEPEND=">=app-misc/c_rehash-1.7-r1 - zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )" + gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) + zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) + kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )" DEPEND="${RDEPEND} >=dev-lang/perl-5 sctp? ( >=net-misc/lksctp-tools-1.0.12 ) @@ -28,29 +39,20 @@ DEPEND="${RDEPEND} )" PDEPEND="app-misc/ca-certificates" -PATCHES=( - "${FILESDIR}"/${P}-make-sure-build_SYS_str_reasons_preserves_errno.patch - "${FILESDIR}"/${P}-preserve-errno-on-dlopen.patch - "${FILESDIR}"/${P}-fix-wrong-return-value-in-ssl3_ctx_ctrl.patch - "${FILESDIR}"/${P}-revert-reduce-stack-usage-in-tls13_hkdf_expand.patch - "${FILESDIR}"/${P}-fix-some-SSL_export_keying_material-issues.patch - "${FILESDIR}"/${P}-preserve-system-error-number-in-a-few-more-places.patch - "${FILESDIR}"/${P}-fix-a-minor-nit-in-hkdflabel-size.patch - "${FILESDIR}"/${P}-fix-cert-with-rsa-instead-of-rsaEncryption.patch -) - # This does not copy the entire Fedora patchset, but JUST the parts that # are needed to make it safe to use EC with RESTRICT=bindist. # See openssl.spec for the matching numbering of SourceNNN, PatchNNN SOURCE1=hobble-openssl SOURCE12=ec_curve.c SOURCE13=ectest.c -PATCH37=openssl-1.1.1-ec-curves.patch +# These are ported instead +#PATCH1=openssl-1.1.0-build.patch # Fixes EVP testcase for EC +#PATCH37=openssl-1.1.0-ec-curves.patch FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/' -FEDORA_GIT_BRANCH='f29' +FEDORA_GIT_BRANCH='f25' FEDORA_SRC_URI=() -FEDORA_SOURCE=( ${SOURCE1} ${SOURCE12} ${SOURCE13} ) -FEDORA_PATCH=( ${PATCH37} ) +FEDORA_SOURCE=( $SOURCE1 $SOURCE12 $SOURCE13 ) +FEDORA_PATCH=( $PATCH1 $PATCH37 ) for i in "${FEDORA_SOURCE[@]}" ; do FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" ) done @@ -74,14 +76,15 @@ src_prepare() { # .spec %prep bash "${WORKDIR}"/"${SOURCE1}" || die cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die - cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/test/ || die + cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/crypto/ec/ || die # Moves to test/ in OpenSSL-1.1 for i in "${FEDORA_PATCH[@]}" ; do eapply "${DISTDIR}"/"${i}" done + eapply "${FILESDIR}"/openssl-1.0.2p-hobble-ecc.patch # Also see the configure parts below: # enable-ec \ # $(use_ssl !bindist ec2m) \ - + # $(use_ssl !bindist srp) \ fi # keep this in sync with app-misc/c_rehash @@ -92,25 +95,31 @@ src_prepare() { rm -f Makefile if ! use vanilla ; then - if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then - [[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}" - fi + eapply "${WORKDIR}"/patch/*.patch fi - eapply_user #332661 + eapply_user + # disable fips in the build # make sure the man pages are suffixed #302165 # don't bother building man pages if they're disabled - # Make DOCDIR Gentoo compliant sed -i \ + -e '/DIRS/s: fips : :g' \ -e '/^MANSUFFIX/s:=.*:=ssl:' \ -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \ -e $(has noman FEATURES \ && echo '/^install:/s:install_docs::' \ || echo '/^MANDIR=/s:=.*:='${EPREFIX%/}'/usr/share/man:') \ - -e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \ - Configurations/unix-Makefile.tmpl \ + Makefile.org \ || die + # show the actual commands in the log + sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared + + # since we're forcing $(CC) as makedep anyway, just fix + # the conditional as always-on + # helps clang (#417795), and versioned gcc (#499818) + # this breaks build with 1.0.2p, not sure if it is needed anymore + #sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die # quiet out unknown driver argument warnings since openssl # doesn't have well-split CFLAGS and we're making it even worse @@ -125,16 +134,7 @@ src_prepare() { append-flags $(test-flags-CC -Wa,--noexecstack) append-cppflags -DOPENSSL_NO_BUF_FREELISTS - # Prefixify Configure shebang (#141906) - sed \ - -e "1s,/usr/bin/env,${EPREFIX%/}&," \ - -i Configure || die - # Remove test target when FEATURES=test isn't set - if ! use test ; then - sed \ - -e '/^$config{dirs}/s@ "test",@@' \ - -i Configure || die - fi + sed -i '1s,^:$,#!'${EPREFIX%/}'/usr/bin/perl,' Configure #141906 # The config script does stupid stuff to prompt the user. Kill it. sed -i '/stty -icanon min 0 time 50; read waste/d' config || die ./config --test-sanity || die "I AM NOT SANE" @@ -172,15 +172,18 @@ multilib_src_configure() { # fi #fi + # https://github.com/openssl/openssl/issues/2286 + if use ia64 ; then + replace-flags -g3 -g2 + replace-flags -ggdb3 -ggdb2 + fi + local sslout=$(./gentoo.config) einfo "Use configuration ${sslout:-(openssl knows best)}" local config="Configure" [[ -z ${sslout} ]] && config="config" - # Fedora hobbled-EC needs 'no-ec2m' - # 'srp' was restricted until early 2017 as well. - # "disable-deprecated" option breaks too many consumers. - # Don't set it without thorough revdeps testing. + # Fedora hobbled-EC needs 'no-ec2m', 'no-srp' echoit \ ./${config} \ ${sslout} \ @@ -188,17 +191,19 @@ multilib_src_configure() { enable-camellia \ enable-ec \ $(use_ssl !bindist ec2m) \ - enable-srp \ - $(use elibc_musl && echo "no-async") \ + $(use_ssl !bindist srp) \ ${ec_nistp_64_gcc_128} \ enable-idea \ enable-mdc2 \ enable-rc5 \ - $(use_ssl sslv3 ssl3) \ - $(use_ssl sslv3 ssl3-method) \ + enable-tlsext \ $(use_ssl asm) \ + $(use_ssl gmp gmp -lgmp) \ + $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \ $(use_ssl rfc3779) \ $(use_ssl sctp) \ + $(use_ssl sslv2 ssl2) \ + $(use_ssl sslv3 ssl3) \ $(use_ssl tls-heartbeat heartbeats) \ $(use_ssl zlib) \ --prefix="${EPREFIX%/}"/usr \ @@ -208,27 +213,28 @@ multilib_src_configure() { || die # Clean out hardcoded flags that openssl uses - # Fix quoting for sed - local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \ - -e 's:^CFLAGS=::' \ + local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \ + -e 's:^CFLAG=::' \ -e 's:-fomit-frame-pointer ::g' \ -e 's:-O[0-9] ::g' \ -e 's:-march=[-a-z0-9]* ::g' \ -e 's:-mcpu=[-a-z0-9]* ::g' \ -e 's:-m[a-z0-9]* ::g' \ - -e 's:\\:\\\\:g' \ ) sed -i \ - -e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \ - -e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \ + -e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \ + -e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \ Makefile || die } multilib_src_compile() { # depend is needed to use $confopts; it also doesn't matter # that it's -j1 as the code itself serializes subdirs - emake -j1 depend + emake -j1 V=1 depend emake all + # rehash is needed to prep the certs/ dir; do this + # separately to avoid parallel build issues. + emake rehash } multilib_src_test() { @@ -242,7 +248,7 @@ multilib_src_install() { mkdir "${ED%/}"/usr || die fi - emake DESTDIR="${D%/}" install + emake INSTALL_PREFIX="${D%/}" install } multilib_src_install_all() { @@ -250,20 +256,25 @@ multilib_src_install_all() { # we provide a shell version via app-misc/c_rehash rm "${ED%/}"/usr/bin/c_rehash || die - dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el + local -a DOCS=( CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el ) + einstalldocs + + use rfc3779 && dodoc engines/ccgost/README.gost # This is crappy in that the static archives are still built even # when USE=static-libs. But this is due to a failing in the openssl # build system: the static archives are built as PIC all the time. # Only way around this would be to manually configure+compile openssl # twice; once with shared lib support enabled and once without. - use static-libs || rm -f "${ED%/}"/usr/lib*/lib*.a + use static-libs || rm -f "${ED}"/usr/lib*/lib*.a # create the certs directory - keepdir ${SSL_CNF_DIR}/certs + dodir ${SSL_CNF_DIR}/certs + cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die + rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired} # Namespace openssl programs to prevent conflicts with other man pages - cd "${ED%/}"/usr/share/man || die + cd "${ED}"/usr/share/man local m d s for m in $(find . -type f | xargs grep -L '#include') ; do d=${m%/*} ; d=${d#./} ; m=${m##*/} @@ -278,7 +289,6 @@ multilib_src_install_all() { for s in $(find -L ${d} -type l) ; do s=${s##*/} rm -f ${d}/${s} - # We don't want to "|| die" here ln -s ssl-${m} ${d}/ssl-${s} ln -s ssl-${s} ${d}/openssl-${s} done @@ -286,7 +296,7 @@ multilib_src_install_all() { [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :(" dodir /etc/sandbox.d #254521 - echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED%/}"/etc/sandbox.d/10openssl + echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl diropts -m0700 keepdir ${SSL_CNF_DIR}/private diff --git a/dev-libs/openssl/openssl-1.1.1a.ebuild b/dev-libs/openssl/openssl-1.1.1b-r1.ebuild index 5b5bb76c6b75..5e05c9dcab04 100644 --- a/dev-libs/openssl/openssl-1.1.1a.ebuild +++ b/dev-libs/openssl/openssl-1.1.1b-r1.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2018 Gentoo Authors +# Copyright 1999-2019 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI="6" @@ -28,6 +28,10 @@ DEPEND="${RDEPEND} )" PDEPEND="app-misc/ca-certificates" +PATCHES=( + "${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch #671602 +) + # This does not copy the entire Fedora patchset, but JUST the parts that # are needed to make it safe to use EC with RESTRICT=bindist. # See openssl.spec for the matching numbering of SourceNNN, PatchNNN @@ -60,12 +64,18 @@ src_prepare() { for i in "${FEDORA_SOURCE[@]}" ; do cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die done + # .spec %prep bash "${WORKDIR}"/"${SOURCE1}" || die cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/test/ || die for i in "${FEDORA_PATCH[@]}" ; do - eapply "${DISTDIR}"/"${i}" + if [[ "${i}" == "${PATCH37}" ]] ; then + # apply our own for OpenSSL 1.1.1b adjusted version of this patch + eapply "${FILESDIR}"/openssl-1.1.1b-ec-curves-patch.patch + else + eapply "${DISTDIR}"/"${i}" + fi done # Also see the configure parts below: # enable-ec \ |