author | Michael Olbrich <m.olbrich@pengutronix.de> | 2016-05-04 09:30:14 +0200 |
---|---|---|
committer | Michael Olbrich <m.olbrich@pengutronix.de> | 2016-05-04 09:34:31 +0200 |
commit | 2092ef0f30f6d179638bb305fa16fbb3777991b6 (patch) | |
tree | 6921e50a84504c69f4a487381269f8ffdf3fdff6 /patches/openssl-1.0.2h | |
parent | b4255840d35c621c28db5643baca6b5c5e26e21b (diff) | |
openssl: version bump 1.0.2g -> 1.0.2h
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
Diffstat (limited to 'patches/openssl-1.0.2h')
-rw-r--r-- | patches/openssl-1.0.2h/0001-ca.patch | 31 | ||||
-rw-r--r-- | patches/openssl-1.0.2h/0002-debian-targets.patch | 83 | ||||
-rw-r--r-- | patches/openssl-1.0.2h/0003-engines-path.patch | 101 | ||||
-rw-r--r-- | patches/openssl-1.0.2h/0004-no-rpath.patch | 24 | ||||
-rw-r--r-- | patches/openssl-1.0.2h/0005-no-symbolic.patch | 24 | ||||
-rw-r--r-- | patches/openssl-1.0.2h/0006-pic.patch | 189 | ||||
-rw-r--r-- | patches/openssl-1.0.2h/0007-valgrind.patch | 31 | ||||
-rw-r--r-- | patches/openssl-1.0.2h/0008-shared-lib-ext.patch | 25 | ||||
-rw-r--r-- | patches/openssl-1.0.2h/0009-block_diginotar.patch | 66 | ||||
-rw-r--r-- | patches/openssl-1.0.2h/0010-block_digicert_malaysia.patch | 30 | ||||
-rw-r--r-- | patches/openssl-1.0.2h/0011-Disable-the-freelist.patch | 42 | ||||
-rw-r--r-- | patches/openssl-1.0.2h/0012-soname.patch | 24 | ||||
-rw-r--r-- | patches/openssl-1.0.2h/0100-Configure-don-t-ask-dpkg-buildflags-for-more-flags.patch | 22 | ||||
-rw-r--r-- | patches/openssl-1.0.2h/0101-fix-parallel-building.patch | 90 | ||||
-rw-r--r-- | patches/openssl-1.0.2h/series | 19 |
15 files changed, 801 insertions, 0 deletions
diff --git a/patches/openssl-1.0.2h/0001-ca.patch b/patches/openssl-1.0.2h/0001-ca.patch
new file mode 100644
index 000000000..b3d7549de
--- /dev/null
+++ b/patches/openssl-1.0.2h/0001-ca.patch
@@ -0,0 +1,31 @@
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Wed, 4 May 2016 09:27:51 +0200
+Subject: [PATCH] ca
+
+Imported from openssl_1.0.2h-1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ apps/CA.pl.in | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/apps/CA.pl.in b/apps/CA.pl.in
+index c783a6e6a541..fa665b7b385f 100644
+--- a/apps/CA.pl.in
++++ b/apps/CA.pl.in
+@@ -65,6 +65,7 @@ $RET = 0;
+ foreach (@ARGV) {
+ if ( /^(-\?|-h|-help)$/ ) {
+ print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
++ print STDERR "usage: CA -signcert certfile keyfile|-newcert|-newreq|-newca|-sign|-verify\n";
+ exit 0;
+ } elsif (/^-newcert$/) {
+ # create a certificate
+@@ -165,6 +166,7 @@ foreach (@ARGV) {
+ } else {
+ print STDERR "Unknown arg $_\n";
+ print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
++ print STDERR "usage: CA -signcert certfile keyfile|-newcert|-newreq|-newca|-sign|-verify\n";
+ exit 1;
+ }
+ }
diff --git a/patches/openssl-1.0.2h/0002-debian-targets.patch b/patches/openssl-1.0.2h/0002-debian-targets.patch
new file mode 100644
index 000000000..80b1f739c
--- /dev/null
+++ b/patches/openssl-1.0.2h/0002-debian-targets.patch
@@ -0,0 +1,83 @@
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Wed, 4 May 2016 09:27:51 +0200
+Subject: [PATCH] debian-targets
+
+Imported from openssl_1.0.2h-1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ Configure | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 54 insertions(+)
+
+diff --git a/Configure b/Configure
+index c98107a48718..110849367256 100755
+--- a/Configure
++++ b/Configure
+@@ -131,6 +131,10 @@ my $clang_devteam_warn = "-Wno-unused-parameter -Wno-missing-field-initializers
+ # Warn that "make depend" should be run?
+ my $warn_make_depend = 0;
+
++# There are no separate CFLAGS/CPPFLAGS/LDFLAGS, set everything in CFLAGS
++my $debian_cflags = `dpkg-buildflags --get CFLAGS` . `dpkg-buildflags --get CPPFLAGS` . `dpkg-buildflags --get LDFLAGS` . "-Wa,--noexecstack -Wall";
++$debian_cflags =~ s/\n/ /g;
++
+ my $strict_warnings = 0;
+
+ my $x86_gcc_des="DES_PTR DES_RISC1 DES_UNROLL";
+@@ -367,6 +371,56 @@ my %table=(
+ "osf1-alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared:::.so",
+ "tru64-alpha-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared::-msym:.so",
+
++# Debian GNU/* (various architectures)
++"debian-alpha","gcc:${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-alpha-ev4","gcc:${debian_cflags} -mcpu=ev4::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-alpha-ev5","gcc:${debian_cflags} -mcpu=ev5::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-arm64","gcc:-DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-armel","gcc:-DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-armhf","gcc:-DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-amd64", "gcc:-m64 -DL_ENDIAN ${debian_cflags} -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",
++"debian-avr32", "gcc:-DB_ENDIAN ${debian_cflags} -fomit-frame-pointer::-D_REENTRANT::-ldl:BN_LLONG_BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-kfreebsd-amd64","gcc:-m64 -DL_ENDIAN ${debian_cflags} -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-kfreebsd-i386","gcc:-DL_ENDIAN ${debian_cflags} -march=i486::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-hppa","gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG MD2_CHAR RC4_INDEX:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-hurd-i386","gcc:-DL_ENDIAN -O3 -Wa,--noexecstack -g -mtune=i486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-ia64","gcc:${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-i386","gcc:-DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-i386-i486","gcc:-DL_ENDIAN ${debian_cflags} -march=i486::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-i386-i586","gcc:-DL_ENDIAN ${debian_cflags} -march=i586::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-i386-i686/cmov","gcc:-DL_ENDIAN ${debian_cflags} -march=i686::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-m68k","gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG MD2_CHAR RC4_INDEX:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-mips", "gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-mipsel", "gcc:-DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-mipsn32", "gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-mipsn32el", "gcc:-DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-mips64", "gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-mips64el", "gcc:-DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-netbsd-i386", "gcc:-DL_ENDIAN ${debian_cflags} -m486::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-netbsd-m68k", "gcc:-DB_ENDIAN ${debian_cflags}::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-netbsd-sparc", "gcc:-DB_ENDIAN ${debian_cflags} -mv8::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-nios2", "gcc:-DB_ENDIAN ${debian_cflags}::(unknown)::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-openbsd-alpha","gcc:${debian_cflags}::(unknown):::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-openbsd-i386", "gcc:-DL_ENDIAN ${debian_cflags} -m486::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-openbsd-mips","gcc:-DL_ENDIAN ${debian_cflags}::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-or1k", "gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG DES_RISC1:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-powerpc","gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-powerpcspe","gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-ppc64","gcc:-m64 -DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-ppc64el","gcc:-m64 -DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-s390","gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-s390x","gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-sh3", "gcc:-DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-sh4", "gcc:-DL_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-sh3eb", "gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-sh4eb", "gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-m32r","gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-sparc","gcc:-DB_ENDIAN ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-sparc-v8","gcc:-DB_ENDIAN ${debian_cflags} -mcpu=v8 -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-sparc-v9","gcc:-DB_ENDIAN ${debian_cflags} -mcpu=v9 -Wa,-Av8plus -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-sparc64","gcc:-m64 -DB_ENDIAN ${debian_cflags} -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-x32","gcc:-mx32 -DL_ENDIAN ${debian_cflags} -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32",
++
+ ####
+ #### Variety of LINUX:-)
+ ####
diff --git a/patches/openssl-1.0.2h/0003-engines-path.patch b/patches/openssl-1.0.2h/0003-engines-path.patch
new file mode 100644
index 000000000..a33f6da1a
--- /dev/null
+++ b/patches/openssl-1.0.2h/0003-engines-path.patch
@@ -0,0 +1,101 @@
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Wed, 4 May 2016 09:27:51 +0200
+Subject: [PATCH] engines-path
+
+Imported from openssl_1.0.2h-1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ Configure | 2 +-
+ Makefile.org | 2 +-
+ engines/Makefile | 10 +++++-----
+ engines/ccgost/Makefile | 8 ++++----
+ 4 files changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/Configure b/Configure
+index 110849367256..90d41302421d 100755
+--- a/Configure
++++ b/Configure
+@@ -1964,7 +1964,7 @@ while (<IN>)
+ }
+ elsif (/^#define\s+ENGINESDIR/)
+ {
+- my $foo = "$prefix/$libdir/engines";
++ my $foo = "$prefix/$libdir/openssl-1.0.2/engines";
+ $foo =~ s/\\/\\\\/g;
+ print OUT "#define ENGINESDIR \"$foo\"\n";
+ }
+diff --git a/Makefile.org b/Makefile.org
+index 76fdbdf6ac5c..9aee32001139 100644
+--- a/Makefile.org
++++ b/Makefile.org
+@@ -533,7 +533,7 @@ install: all install_docs install_sw
+ install_sw:
+ @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
+ $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
+- $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
++ $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.2/engines \
+ $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig \
+ $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
+ $(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
+diff --git a/engines/Makefile b/engines/Makefile
+index 2058ff405afe..df7def6174fd 100644
+--- a/engines/Makefile
++++ b/engines/Makefile
+@@ -107,13 +107,13 @@ install:
+ @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+ @if [ -n "$(SHARED_LIBS)" ]; then \
+ set -e; \
+- $(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines; \
++ $(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.2/engines; \
+ for l in $(LIBNAMES); do \
+ ( echo installing $$l; \
+ pfx=lib; \
+ if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
+ sfx=".so"; \
+- cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
++ cp cyg$$l.dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.2/engines/$$pfx$$l$$sfx.new; \
+ else \
+ case "$(CFLAGS)" in \
+ *DSO_BEOS*) sfx=".so";; \
+@@ -122,10 +122,10 @@ install:
+ *DSO_WIN32*) sfx="eay32.dll"; pfx=;; \
+ *) sfx=".bad";; \
+ esac; \
+- cp $$pfx$$l$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
++ cp $$pfx$$l$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.2/engines/$$pfx$$l$$sfx.new; \
+ fi; \
+- chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new; \
+- mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
++ chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.2/engines/$$pfx$$l$$sfx.new; \
++ mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.2/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.2/engines/$$pfx$$l$$sfx ); \
+ done; \
+ fi
+ @target=install; $(RECURSIVE_MAKE)
+diff --git a/engines/ccgost/Makefile b/engines/ccgost/Makefile
+index 17e1efbdff30..d59a350fd50f 100644
+--- a/engines/ccgost/Makefile
++++ b/engines/ccgost/Makefile
+@@ -47,7 +47,7 @@ install:
+ pfx=lib; \
+ if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
+ sfx=".so"; \
+- cp cyg$(LIBNAME).dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$${pfx}$(LIBNAME)$$sfx.new; \
++ cp cyg$(LIBNAME).dll $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.2/engines/$${pfx}$(LIBNAME)$$sfx.new; \
+ else \
+ case "$(CFLAGS)" in \
+ *DSO_BEOS*) sfx=".so";; \
+@@ -56,10 +56,10 @@ install:
+ *DSO_WIN32*) sfx="eay32.dll"; pfx=;; \
+ *) sfx=".bad";; \
+ esac; \
+- cp $${pfx}$(LIBNAME)$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$${pfx}$(LIBNAME)$$sfx.new; \
++ cp $${pfx}$(LIBNAME)$$sfx $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.2/engines/$${pfx}$(LIBNAME)$$sfx.new; \
+ fi; \
+- chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$${pfx}$(LIBNAME)$$sfx.new; \
+- mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$${pfx}$(LIBNAME)$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$${pfx}$(LIBNAME)$$sfx; \
++ chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.2/engines/$${pfx}$(LIBNAME)$$sfx.new; \
++ mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.2/engines/$${pfx}$(LIBNAME)$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/openssl-1.0.2/engines/$${pfx}$(LIBNAME)$$sfx; \
+ fi
+
+ links:
diff --git a/patches/openssl-1.0.2h/0004-no-rpath.patch b/patches/openssl-1.0.2h/0004-no-rpath.patch
new file mode 100644
index 000000000..e4952fc4d
--- /dev/null
+++ b/patches/openssl-1.0.2h/0004-no-rpath.patch
@@ -0,0 +1,24 @@
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Wed, 4 May 2016 09:27:51 +0200
+Subject: [PATCH] no-rpath
+
+Imported from openssl_1.0.2h-1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ Makefile.shared | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile.shared b/Makefile.shared
+index a2aa9804c1d9..5b960d9cdaec 100644
+--- a/Makefile.shared
++++ b/Makefile.shared
+@@ -153,7 +153,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
+ NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
+
+-DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
++DO_GNU_APP=LDFLAGS="$(CFLAGS)"
+
+ #This is rather special. It's a special target with which one can link
+ #applications without bothering with any features that have anything to
diff --git a/patches/openssl-1.0.2h/0005-no-symbolic.patch b/patches/openssl-1.0.2h/0005-no-symbolic.patch
new file mode 100644
index 000000000..e36a65d99
--- /dev/null
+++ b/patches/openssl-1.0.2h/0005-no-symbolic.patch
@@ -0,0 +1,24 @@
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Wed, 4 May 2016 09:27:51 +0200
+Subject: [PATCH] no-symbolic
+
+Imported from openssl_1.0.2h-1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ Makefile.shared | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile.shared b/Makefile.shared
+index 5b960d9cdaec..1c69ea2edf35 100644
+--- a/Makefile.shared
++++ b/Makefile.shared
+@@ -151,7 +151,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
+ SHLIB_SUFFIX=; \
+ ALLSYMSFLAGS='-Wl,--whole-archive'; \
+ NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
++ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
+
+ DO_GNU_APP=LDFLAGS="$(CFLAGS)"
+
diff --git a/patches/openssl-1.0.2h/0006-pic.patch b/patches/openssl-1.0.2h/0006-pic.patch
new file mode 100644
index 000000000..a46b4efcc
--- /dev/null
+++ b/patches/openssl-1.0.2h/0006-pic.patch
@@ -0,0 +1,189 @@
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Wed, 4 May 2016 09:27:51 +0200
+Subject: [PATCH] pic
+
+Imported from openssl_1.0.2h-1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ crypto/des/asm/desboth.pl | 17 ++++++++++++++---
+ crypto/perlasm/cbc.pl | 24 ++++++++++++++++++++----
+ crypto/perlasm/x86gas.pl | 16 ++++++++++++++++
+ crypto/x86cpuid.pl | 10 +++++-----
+ 4 files changed, 55 insertions(+), 12 deletions(-)
+
+diff --git a/crypto/des/asm/desboth.pl b/crypto/des/asm/desboth.pl
+index eec00886e4c6..ab6f52452bf3 100644
+--- a/crypto/des/asm/desboth.pl
++++ b/crypto/des/asm/desboth.pl
+@@ -16,6 +16,11 @@ sub DES_encrypt3
+
+ &push("edi");
+
++ &call (&label("pic_point0"));
++ &set_label("pic_point0");
++ &blindpop("ebp");
++ &add ("ebp", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point0") . "]");
++
+ &comment("");
+ &comment("Load the data words");
+ &mov($L,&DWP(0,"ebx","",0));
+@@ -47,15 +52,21 @@ sub DES_encrypt3
+ &mov(&swtmp(2), (DWC(($enc)?"1":"0")));
+ &mov(&swtmp(1), "eax");
+ &mov(&swtmp(0), "ebx");
+- &call("DES_encrypt2");
++ &exch("ebx", "ebp");
++ &call("DES_encrypt2\@PLT");
++ &exch("ebx", "ebp");
+ &mov(&swtmp(2), (DWC(($enc)?"0":"1")));
+ &mov(&swtmp(1), "edi");
+ &mov(&swtmp(0), "ebx");
+- &call("DES_encrypt2");
++ &exch("ebx", "ebp");
++ &call("DES_encrypt2\@PLT");
++ &exch("ebx", "ebp");
+ &mov(&swtmp(2), (DWC(($enc)?"1":"0")));
+ &mov(&swtmp(1), "esi");
+ &mov(&swtmp(0), "ebx");
+- &call("DES_encrypt2");
++ &exch("ebx", "ebp");
++ &call("DES_encrypt2\@PLT");
++ &exch("ebx", "ebp");
+
+ &stack_pop(3);
+ &mov($L,&DWP(0,"ebx","",0));
+diff --git a/crypto/perlasm/cbc.pl b/crypto/perlasm/cbc.pl
+index 24561e759aba..269fb0b0c69f 100644
+--- a/crypto/perlasm/cbc.pl
++++ b/crypto/perlasm/cbc.pl
+@@ -122,7 +122,11 @@ sub cbc
+ &mov(&DWP($data_off,"esp","",0), "eax"); # put in array for call
+ &mov(&DWP($data_off+4,"esp","",0), "ebx"); #
+
+- &call($enc_func);
++ &call (&label("pic_point0"));
++ &set_label("pic_point0");
++ &blindpop("ebx");
++ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point0") . "]");
++ &call("$enc_func\@PLT");
+
+ &mov("eax", &DWP($data_off,"esp","",0));
+ &mov("ebx", &DWP($data_off+4,"esp","",0));
+@@ -185,7 +189,11 @@ sub cbc
+ &mov(&DWP($data_off,"esp","",0), "eax"); # put in array for call
+ &mov(&DWP($data_off+4,"esp","",0), "ebx"); #
+
+- &call($enc_func);
++ &call (&label("pic_point1"));
++ &set_label("pic_point1");
++ &blindpop("ebx");
++ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point1") . "]");
++ &call("$enc_func\@PLT");
+
+ &mov("eax", &DWP($data_off,"esp","",0));
+ &mov("ebx", &DWP($data_off+4,"esp","",0));
+@@ -218,7 +226,11 @@ sub cbc
+ &mov(&DWP($data_off,"esp","",0), "eax"); # put back
+ &mov(&DWP($data_off+4,"esp","",0), "ebx"); #
+
+- &call($dec_func);
++ &call (&label("pic_point2"));
++ &set_label("pic_point2");
++ &blindpop("ebx");
++ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point2") . "]");
++ &call("$dec_func\@PLT");
+
+ &mov("eax", &DWP($data_off,"esp","",0)); # get return
+ &mov("ebx", &DWP($data_off+4,"esp","",0)); #
+@@ -261,7 +273,11 @@ sub cbc
+ &mov(&DWP($data_off,"esp","",0), "eax"); # put back
+ &mov(&DWP($data_off+4,"esp","",0), "ebx"); #
+
+- &call($dec_func);
++ &call (&label("pic_point3"));
++ &set_label("pic_point3");
++ &blindpop("ebx");
++ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point3") . "]");
++ &call("$dec_func\@PLT");
+
+ &mov("eax", &DWP($data_off,"esp","",0)); # get return
+ &mov("ebx", &DWP($data_off+4,"esp","",0)); #
+diff --git a/crypto/perlasm/x86gas.pl b/crypto/perlasm/x86gas.pl
+index 63b2301fd1f0..176b04d24521 100644
+--- a/crypto/perlasm/x86gas.pl
++++ b/crypto/perlasm/x86gas.pl
+@@ -163,6 +163,7 @@ sub ::file_end
+ if ($::macosx) { push (@out,"$tmp,2\n"); }
+ elsif ($::elf) { push (@out,"$tmp,4\n"); }
+ else { push (@out,"$tmp\n"); }
++ if ($::elf) { push (@out,".hidden\tOPENSSL_ia32cap_P\n"); }
+ }
+ push(@out,$initseg) if ($initseg);
+ }
+@@ -221,8 +222,23 @@ ___
+ elsif ($::elf)
+ { $initseg.=<<___;
+ .section .init
++___
++ if ($::pic)
++ { $initseg.=<<___;
++ pushl %ebx
++ call .pic_point0
++.pic_point0:
++ popl %ebx
++ addl \$_GLOBAL_OFFSET_TABLE_+[.-.pic_point0],%ebx
++ call $f\@PLT
++ popl %ebx
++___
++ }
++ else
++ { $initseg.=<<___;
+ call $f
+ ___
++ }
+ }
+ elsif ($::coff)
+ { $initseg.=<<___; # applies to both Cygwin and Mingw
+diff --git a/crypto/x86cpuid.pl b/crypto/x86cpuid.pl
+index e95f6274f5e0..6e8329d78589 100644
+--- a/crypto/x86cpuid.pl
++++ b/crypto/x86cpuid.pl
+@@ -8,6 +8,8 @@ require "x86asm.pl";
+
+ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+
++push(@out, ".hidden OPENSSL_ia32cap_P\n");
++
+&function_begin("OPENSSL_ia32_cpuid");
+ &xor ("edx","edx");
+ &pushf ();
+@@ -155,9 +157,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+ &set_label("nocpuid");
+ &function_end("OPENSSL_ia32_cpuid");
+
+-&external_label("OPENSSL_ia32cap_P");
+-
+-&function_begin_B("OPENSSL_rdtsc","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
++&function_begin_B("OPENSSL_rdtsc");
+ &xor ("eax","eax");
+ &xor ("edx","edx");
+ &picmeup("ecx","OPENSSL_ia32cap_P");
+@@ -171,7 +171,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+ # This works in Ring 0 only [read DJGPP+MS-DOS+privileged DPMI host],
+ # but it's safe to call it on any [supported] 32-bit platform...
+ # Just check for [non-]zero return value...
+-&function_begin_B("OPENSSL_instrument_halt","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
++&function_begin_B("OPENSSL_instrument_halt");
+ &picmeup("ecx","OPENSSL_ia32cap_P");
+ &bt (&DWP(0,"ecx"),4);
+ &jnc (&label("nohalt")); # no TSC
+@@ -238,7 +238,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+ &ret ();
+ &function_end_B("OPENSSL_far_spin");
+
+-&function_begin_B("OPENSSL_wipe_cpu","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
++&function_begin_B("OPENSSL_wipe_cpu");
+ &xor ("eax","eax");
+ &xor ("edx","edx");
+ &picmeup("ecx","OPENSSL_ia32cap_P");
diff --git a/patches/openssl-1.0.2h/0007-valgrind.patch b/patches/openssl-1.0.2h/0007-valgrind.patch
new file mode 100644
index 000000000..119d78a52
--- /dev/null
+++ b/patches/openssl-1.0.2h/0007-valgrind.patch
@@ -0,0 +1,31 @@
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Wed, 4 May 2016 09:27:51 +0200
+Subject: [PATCH] valgrind
+
+Imported from openssl_1.0.2h-1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ crypto/rand/md_rand.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c
+index 5c13d57765b0..9e0064e79083 100644
+--- a/crypto/rand/md_rand.c
++++ b/crypto/rand/md_rand.c
+@@ -480,6 +480,7 @@ int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock)
+ MD_Update(&m, (unsigned char *)&(md_c[0]), sizeof(md_c));
+
+ #ifndef PURIFY /* purify complains */
++#if 0
+ /*
+ * The following line uses the supplied buffer as a small source of
+ * entropy: since this buffer is often uninitialised it may cause
+@@ -489,6 +490,7 @@ int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock)
+ */
+ MD_Update(&m, buf, j);
+ #endif
++#endif
+
+ k = (st_idx + MD_DIGEST_LENGTH / 2) - st_num;
+ if (k > 0) {
diff --git a/patches/openssl-1.0.2h/0008-shared-lib-ext.patch b/patches/openssl-1.0.2h/0008-shared-lib-ext.patch
new file mode 100644
index 000000000..3d6b392d7
--- /dev/null
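Review bot: In the crypto/x86cpuid.pl part of 0006-pic.patch, `push(@out, ".hidden OPENSSL_ia32cap_P\n");` is emitted unconditionally, while the matching addition in `::file_end` of crypto/perlasm/x86gas.pl is guarded by `if ($::elf)`. `.hidden` is an ELF visibility directive, so generator output for the non-ELF flavours would presumably stop assembling; the Linux targets built here are unaffected, but the same guard keeps the two places consistent: `push(@out, ".hidden OPENSSL_ia32cap_P\n") if ($::elf);` (assuming `$::elf` is already set at that point, which the hunk does not show). A short comment on why the symbol is hidden would help whoever rebases this Debian import next.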
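Review bot: The `#if 0` that 0007-valgrind.patch nests inside `#ifndef PURIFY` in ssleay_rand_bytes() carries no comment, and this is a place where an undocumented edit is risky: the 2008 Debian weak-key incident came from silencing the same Valgrind complaint in the seeding path too. As far as the two hunks show, only `MD_Update(&m, buf, j);` is compiled out, i.e. the mix-in of the caller's often uninitialised output buffer, and the seeding code is not touched. That scope should be stated next to the directive, for example `#if 0 /* Valgrind: skips mixing in the uninitialised output buffer only; the seeding path must stay untouched */`, with a matching `/* 0 */` on the added `#endif`. The function body starts and ends outside both hunks.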
+++ b/patches/openssl-1.0.2h/0008-shared-lib-ext.patch
@@ -0,0 +1,25 @@
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Wed, 4 May 2016 09:27:51 +0200
+Subject: [PATCH] shared-lib-ext
+
+Imported from openssl_1.0.2h-1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ Configure | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/Configure b/Configure
+index 90d41302421d..974407e2d9a5 100755
+--- a/Configure
++++ b/Configure
+@@ -1830,7 +1830,8 @@ while (<IN>)
+ elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
+ {
+ my $sotmp = $1;
+- s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
++# s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
++ s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp/;
+ }
+ elsif ($shared_extension ne "" && $shared_extension =~ /^\.[^\.]*\.[^\.]*\.dylib$/)
+ {
diff --git a/patches/openssl-1.0.2h/0009-block_diginotar.patch b/patches/openssl-1.0.2h/0009-block_diginotar.patch
new file mode 100644
index 000000000..a08fda43c
--- /dev/null
+++ b/patches/openssl-1.0.2h/0009-block_diginotar.patch
@@ -0,0 +1,66 @@
+From: Raphael Geissert <geissert@debian.org>
+Date: Wed, 4 May 2016 09:27:51 +0200
+Subject: [PATCH] block_diginotar
+
+This is not meant as final patch.
+
+
+Imported from openssl_1.0.2h-1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ crypto/x509/x509_vfy.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
+index 4d34dbac9314..3cddc32279e1 100644
+--- a/crypto/x509/x509_vfy.c
++++ b/crypto/x509/x509_vfy.c
+@@ -119,6 +119,7 @@ static int check_trust(X509_STORE_CTX *ctx);
+ static int check_revocation(X509_STORE_CTX *ctx);
+ static int check_cert(X509_STORE_CTX *ctx);
+ static int check_policy(X509_STORE_CTX *ctx);
++static int check_ca_blacklist(X509_STORE_CTX *ctx);
+
+ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
+ unsigned int *preasons, X509_CRL *crl, X509 *x);
+@@ -489,6 +490,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
+ if (!ok)
+ goto err;
+
++ ok = check_ca_blacklist(ctx);
++ if(!ok) goto err;
++
+ #ifndef OPENSSL_NO_RFC3779
+ /* RFC 3779 path validation, now that CRL check has been done */
+ ok = v3_asid_validate_path(ctx);
+@@ -996,6 +1000,29 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
+ return 1;
+ }
+
++static int check_ca_blacklist(X509_STORE_CTX *ctx)
++ {
++ X509 *x;
++ int i;
++ /* Check all certificates against the blacklist */
++ for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
++ {
++ x = sk_X509_value(ctx->chain, i);
++ /* Mark DigiNotar certificates as revoked, no matter
++ * where in the chain they are.
++ */
++ if (x->name && strstr(x->name, "DigiNotar"))
++ {
++ ctx->error = X509_V_ERR_CERT_REVOKED;
++ ctx->error_depth = i;
++ ctx->current_cert = x;
++ if (!ctx->verify_cb(0,ctx))
++ return 0;
++ }
++ }
++ return 1;
++ }
++
+ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
+ X509 **pissuer, int *pscore, unsigned int *preasons,
+ STACK_OF(X509_CRL) *crls)
diff --git a/patches/openssl-1.0.2h/0010-block_digicert_malaysia.patch b/patches/openssl-1.0.2h/0010-block_digicert_malaysia.patch
new file mode 100644
index 000000000..19e5dc652
--- /dev/null
+++ b/patches/openssl-1.0.2h/0010-block_digicert_malaysia.patch
@@ -0,0 +1,30 @@
+From: Raphael Geissert <geissert@debian.org>
+Date: Wed, 4 May 2016 09:27:51 +0200
+Subject: [PATCH] block_digicert_malaysia
+
+Imported from openssl_1.0.2h-1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ crypto/x509/x509_vfy.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
+index 3cddc32279e1..7970ac58eff7 100644
+--- a/crypto/x509/x509_vfy.c
++++ b/crypto/x509/x509_vfy.c
+@@ -1008,10 +1008,11 @@ static int check_ca_blacklist(X509_STORE_CTX *ctx)
+ for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
+ {
+ x = sk_X509_value(ctx->chain, i);
+- /* Mark DigiNotar certificates as revoked, no matter
+- * where in the chain they are.
++ /* Mark certificates containing the following names as
++ * revoked, no matter where in the chain they are.
+ */
+- if (x->name && strstr(x->name, "DigiNotar"))
++ if (x->name && (strstr(x->name, "DigiNotar") ||
++ strstr(x->name, "Digicert Sdn. Bhd.")))
+ {
+ ctx->error = X509_V_ERR_CERT_REVOKED;
+ ctx->error_depth = i;
diff --git a/patches/openssl-1.0.2h/0011-Disable-the-freelist.patch b/patches/openssl-1.0.2h/0011-Disable-the-freelist.patch
new file mode 100644
index 000000000..ebf586673
--- /dev/null
+++ b/patches/openssl-1.0.2h/0011-Disable-the-freelist.patch
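Review bot: `check_ca_blacklist()` in 0009-block_diginotar.patch decides by `strstr()` on `x->name`, so the block is a substring match on the certificate's name string rather than on a key or fingerprint, and 0010-block_digicert_malaysia.patch extends the same test with a second string. Any certificate whose name contains "DigiNotar" or "Digicert Sdn. Bhd." anywhere is rejected, while a certificate carrying one of the distrusted keys under a different name is not caught. The result is also reported through `ctx->verify_cb(0,ctx)`, so an application callback that returns non-zero on errors still accepts the chain. The patch description already says it is not final; the comment above the loop should at least record these limits, e.g. `/* Name-based stopgap: substring match only, and overridable by verify_cb like any other verification error. */`. The added `if(!ok) goto err;` in X509_verify_cert() should use the two-line `if (!ok)` / `goto err;` form of the lines above it.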
@@ -0,0 +1,42 @@
+From: Kurt Roeckx <kurt@roeckx.be>
+Date: Wed, 4 May 2016 09:27:51 +0200
+Subject: [PATCH] Disable the freelist
+
+We don't define OPENSSL_NO_BUF_FREELISTS globally sinc it changes structures and
+would break the ABI. Instead we just do it in the .c files that try to do
+something with it.
+
+
+Imported from openssl_1.0.2h-1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ ssl/s3_both.c | 1 +
+ ssl/ssl_lib.c | 2 ++
+ 2 files changed, 3 insertions(+)
+
+diff --git a/ssl/s3_both.c b/ssl/s3_both.c
+index 09d0661e81f6..3429899872b8 100644
+--- a/ssl/s3_both.c
++++ b/ssl/s3_both.c
+@@ -573,6 +573,7 @@ int ssl_verify_alarm_type(long type)
+ return (al);
+ }
+
++#define OPENSSL_NO_BUF_FREELISTS
+ #ifndef OPENSSL_NO_BUF_FREELISTS
+ /*-
+ * On some platforms, malloc() performance is bad enough that you can't just
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index fd94325bb3a4..4bf657652041 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -162,6 +162,8 @@
+
+ const char *SSL_version_str = OPENSSL_VERSION_TEXT;
+
++#define OPENSSL_NO_BUF_FREELISTS
++
+ SSL3_ENC_METHOD ssl3_undef_enc_method = {
+ /*
+ * evil casts, but these functions are only called if there's a library
diff --git a/patches/openssl-1.0.2h/0012-soname.patch b/patches/openssl-1.0.2h/0012-soname.patch
new file mode 100644
index 000000000..76c842b50
--- /dev/null
+++ b/patches/openssl-1.0.2h/0012-soname.patch
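Review bot: The unconditional `#define OPENSSL_NO_BUF_FREELISTS` added to ssl/s3_both.c and ssl/ssl_lib.c conflicts with any build that already passes the macro on the command line, because `-DOPENSSL_NO_BUF_FREELISTS` defines it as 1 while the patch defines it empty, and compilers report that as a macro redefinition. Wrapping each define in `#ifndef OPENSSL_NO_BUF_FREELISTS` / `#endif` avoids this. Both defines sit well into the file (lines 573 and 162), apparently after the headers, so the structures keep their freelist fields as the description intends. A comment at each site, for example `/* defined locally, after the headers, so struct layout (ABI) stays unchanged */`, would keep a later patch refresh from moving them.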
@@ -0,0 +1,24 @@
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Wed, 4 May 2016 09:27:51 +0200
+Subject: [PATCH] soname
+
+Imported from openssl_1.0.2h-1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ crypto/opensslv.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/opensslv.h b/crypto/opensslv.h
+index 13fe440231cd..ed092f113f1b 100644
+--- a/crypto/opensslv.h
++++ b/crypto/opensslv.h
+@@ -88,7 +88,7 @@ extern "C" {
+ * should only keep the versions that are binary compatible with the current.
+ */
+ # define SHLIB_VERSION_HISTORY ""
+-# define SHLIB_VERSION_NUMBER "1.0.0"
++# define SHLIB_VERSION_NUMBER "1.0.2"
+
+
+ #ifdef __cplusplus
diff --git a/patches/openssl-1.0.2h/0100-Configure-don-t-ask-dpkg-buildflags-for-more-flags.patch b/patches/openssl-1.0.2h/0100-Configure-don-t-ask-dpkg-buildflags-for-more-flags.patch
new file mode 100644
index 000000000..348505b97
--- /dev/null
+++ b/patches/openssl-1.0.2h/0100-Configure-don-t-ask-dpkg-buildflags-for-more-flags.patch
@@ -0,0 +1,22 @@
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Mon, 11 Aug 2014 12:28:49 +0200
+Subject: [PATCH] Configure: don't ask dpkg-buildflags for more flags
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ Configure | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Configure b/Configure
+index 974407e2d9a5..020f215dd1e8 100755
+--- a/Configure
++++ b/Configure
+@@ -132,7 +132,7 @@ my $clang_devteam_warn = "-Wno-unused-parameter -Wno-missing-field-initializers
+ my $warn_make_depend = 0;
+
+ # There are no separate CFLAGS/CPPFLAGS/LDFLAGS, set everything in CFLAGS
+-my $debian_cflags = `dpkg-buildflags --get CFLAGS` . `dpkg-buildflags --get CPPFLAGS` . `dpkg-buildflags --get LDFLAGS` . "-Wa,--noexecstack -Wall";
++my $debian_cflags = "-g -O2 -Wformat -Werror=format-security " . "-Wa,--noexecstack -Wall";
+ $debian_cflags =~ s/\n/ /g;
+
+ my $strict_warnings = 0;
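Review bot: The hard-coded string assigned to `$debian_cflags` in the Configure hunk keeps only `-g -O2 -Wformat -Werror=format-security`, so whatever the three `dpkg-buildflags --get` calls contributed from CFLAGS, CPPFLAGS and LDFLAGS is no longer part of the build. On Debian those normally include stack-protector, `_FORTIFY_SOURCE` and relro options, so the patch should state where the target build gets its hardening flags from, or add them here. If the toolchain supplies them, a comment above the assignment such as `# hardening flags are expected from the toolchain, not from dpkg-buildflags` would record that. The `s/\n/ /g` on the following context line no longer has any newline to replace.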
diff --git a/patches/openssl-1.0.2h/0101-fix-parallel-building.patch b/patches/openssl-1.0.2h/0101-fix-parallel-building.patch
new file mode 100644
index 000000000..80ee249df
--- /dev/null
+++ b/patches/openssl-1.0.2h/0101-fix-parallel-building.patch
@@ -0,0 +1,90 @@
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Mon, 23 Mar 2015 09:29:05 +0100
+Subject: [PATCH] fix parallel building
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ Makefile.org | 18 ++++++++++++------
+ crypto/Makefile | 4 ++--
+ engines/Makefile | 4 ++--
+ 3 files changed, 16 insertions(+), 10 deletions(-)
+
+diff --git a/Makefile.org b/Makefile.org
+index 9aee32001139..fc86c73c76f0 100644
+--- a/Makefile.org
++++ b/Makefile.org
+@@ -278,18 +278,24 @@ build_libs: build_libcrypto build_libssl openssl.pc
+ build_libcrypto: build_crypto build_engines libcrypto.pc
+ build_libssl: build_ssl libssl.pc
+
++ifeq ($(SHARED_LIBS),)
++build_ssl: build_engines
++else
++build_engines: build_ssl
++endif
++
+ build_crypto:
+- @dir=crypto; target=all; $(BUILD_ONE_CMD)
++ @+dir=crypto; target=all; $(BUILD_ONE_CMD)
+ build_ssl: build_crypto
+- @dir=ssl; target=all; $(BUILD_ONE_CMD)
++ @+dir=ssl; target=all; $(BUILD_ONE_CMD)
+ build_engines: build_crypto
+- @dir=engines; target=all; $(BUILD_ONE_CMD)
++ @+dir=engines; target=all; $(BUILD_ONE_CMD)
+ build_apps: build_libs
+- @dir=apps; target=all; $(BUILD_ONE_CMD)
++ @+dir=apps; target=all; $(BUILD_ONE_CMD)
+ build_tests: build_libs
+- @dir=test; target=all; $(BUILD_ONE_CMD)
++ @+dir=test; target=all; $(BUILD_ONE_CMD)
+ build_tools: build_libs
+- @dir=tools; target=all; $(BUILD_ONE_CMD)
++ @+dir=tools; target=all; $(BUILD_ONE_CMD)
+
+ all_testapps: build_libs build_testapps
+ build_testapps:
+diff --git a/crypto/Makefile b/crypto/Makefile
+index 7869996a9c07..76690a1c8619 100644
+--- a/crypto/Makefile
++++ b/crypto/Makefile
+@@ -85,7 +85,7 @@ testapps:
+ @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
+
+ subdirs:
+- @target=all; $(RECURSIVE_MAKE)
++ @+target=all; $(RECURSIVE_MAKE)
+
+ files:
+ $(PERL) $(TOP)/util/files.pl "CPUID_OBJ=$(CPUID_OBJ)" Makefile >> $(TOP)/MINFO
+@@ -100,7 +100,7 @@ links:
+ # lib: $(LIB): are splitted to avoid end-less loop
+ lib: 
$(LIB)
+ @touch lib
+-$(LIB): $(LIBOBJ)
++$(LIB): $(LIBOBJ) subdirs
+ $(AR) $(LIB) $(LIBOBJ)
+ test -z "$(FIPSLIBDIR)" || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
+ $(RANLIB) $(LIB) || echo Never mind.
+diff --git a/engines/Makefile b/engines/Makefile
+index df7def6174fd..ec27bc24be64 100644
+--- a/engines/Makefile
++++ b/engines/Makefile
+@@ -72,7 +72,7 @@ top:
+
+ all: lib subdirs
+
+-lib: $(LIBOBJ)
++lib: $(LIBOBJ) subdirs
+ @if [ -n "$(SHARED_LIBS)" ]; then \
+ set -e; \
+ for l in $(LIBNAMES); do \
+@@ -89,7 +89,7 @@ lib: $(LIBOBJ)
+
+ subdirs:
+ echo $(EDIRS)
+- @target=all; $(RECURSIVE_MAKE)
++ @+target=all; $(RECURSIVE_MAKE)
+
+ files:
+ $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
diff --git a/patches/openssl-1.0.2h/series b/patches/openssl-1.0.2h/series
new file mode 100644
index 000000000..898c5a1e7
--- /dev/null
+++ b/patches/openssl-1.0.2h/series
@@ -0,0 +1,19 @@
+# generated by git-ptx-patches
+#tag:base --start-number 1
+#tag:debian --start-number 1
+0001-ca.patch
+0002-debian-targets.patch
+0003-engines-path.patch
+0004-no-rpath.patch
+0005-no-symbolic.patch
+0006-pic.patch
+0007-valgrind.patch
+0008-shared-lib-ext.patch
+0009-block_diginotar.patch
+0010-block_digicert_malaysia.patch
+0011-Disable-the-freelist.patch
+0012-soname.patch
+#tag:ptx --start-number 100
+0100-Configure-don-t-ask-dpkg-buildflags-for-more-flags.patch
+0101-fix-parallel-building.patch
+# 140047a5c07890c453b82870bc8087e3 - git-ptx-patches magic |
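Review bot: The `ifeq ($(SHARED_LIBS),)` block added to Makefile.org makes `build_ssl` depend on `build_engines` in one configuration and the reverse in the other, and neither the patch description nor the Makefile says which race this ordering avoids. A one-line comment above it, for example `# ssl and engines must not build concurrently; the order depends on static vs. shared`, would let the next version bump check whether the constraint still holds. The same applies to the new `subdirs` prerequisite on `$(LIB)` in crypto/Makefile and on `lib` in engines/Makefile, which presumably serialises the archive updates and would benefit from a comment saying so.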