Diffstat (limited to 'patches/openssl-1.1.1i')
-rw-r--r--patches/openssl-1.1.1i/0001-debian-targets.patch228
-rw-r--r--patches/openssl-1.1.1i/0002-pic.patch189
-rw-r--r--patches/openssl-1.1.1i/0003-Set-systemwide-default-settings-for-libssl-users.patch46
-rw-r--r--patches/openssl-1.1.1i/series6
4 files changed, 469 insertions, 0 deletions
diff --git a/patches/openssl-1.1.1i/0001-debian-targets.patch b/patches/openssl-1.1.1i/0001-debian-targets.patch
new file mode 100644
index 000000000..5616df0fa
--- /dev/null
+++ b/patches/openssl-1.1.1i/0001-debian-targets.patch
@@ -0,0 +1,228 @@
+From: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
+Date: Sun, 5 Nov 2017 15:09:09 +0100
+Subject: [PATCH] debian-targets
+
+Imported from openssl_1.1.1h-1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ Configurations/20-debian.conf | 210 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 210 insertions(+)
+ create mode 100644 Configurations/20-debian.conf
+
+diff --git a/Configurations/20-debian.conf b/Configurations/20-debian.conf
+new file mode 100644
+index 000000000000..a3d5f68d36aa
+--- /dev/null
++++ b/Configurations/20-debian.conf
+@@ -0,0 +1,210 @@
++my %targets = (
++ "debian" => {
++ cflags => add("-Wa,--noexecstack -Wall"),
++ },
++ "debian-alpha" => {
++ inherit_from => [ "linux-alpha-gcc", "debian" ],
++ },
++ "debian-alpha-ev4" => {
++ inherit_from => [ "debian-alpha" ],
++ cflags => add("-mcpu=ev4"),
++ },
++ "debian-alpha-ev5" => {
++ inherit_from => [ "debian-alpha" ],
++ cflags => add("-mcpu=ev5"),
++ },
++ "debian-arm64" => {
++ inherit_from => [ "linux-aarch64", "debian" ],
++ },
++ "debian-arm64ilp32" => {
++ inherit_from => [ "linux-arm64ilp32", "debian" ],
++ },
++ "debian-armel" => {
++ inherit_from => [ "linux-armv4", "debian" ],
++ },
++ "debian-armhf" => {
++ inherit_from => [ "linux-armv4", "debian" ],
++ },
++ "debian-amd64" => {
++ inherit_from => [ "linux-x86_64", "debian" ],
++ },
++ "debian-i386" => {
++ inherit_from => [ "linux-elf", "debian" ],
++ },
++ "debian-avr32" => {
++ inherit_from => [ "linux-generic32", "debian" ],
++ },
++ "debian-kfreebsd-amd64" => {
++ inherit_from => [ "debian-amd64" ],
++ enable => [ ],
++ },
++ "debian-kfreebsd-i386" => {
++ inherit_from => [ "debian-i386" ],
++ enable => [ ],
++ },
++ "debian-hppa" => {
++ inherit_from => [ "linux-generic32", "debian" ],
++ },
++ "debian-hurd-i386" => {
++ inherit_from => [ "hurd-x86", "debian" ],
++ },
++ "debian-ia64" => {
++ inherit_from => [ "linux-ia64", "debian" ],
++ },
++ "debian-m68k" => {
++ inherit_from => [ "linux-generic32", "debian" ],
++ },
++ "debian-mips" => {
++ inherit_from => [ "linux-mips32", "debian" ],
++ cflags => add("-DB_ENDIAN"),
++ },
++ "debian-mipsel" => {
++ inherit_from => [ "linux-mips32", "debian" ],
++ cflags => add("-DL_ENDIAN"),
++ },
++ "debian-mipsn32" => {
++ inherit_from => [ "linux-mips64", "debian" ],
++ cflags => add("-DB_ENDIAN"),
++ },
++ "debian-mipsn32el" => {
++ inherit_from => [ "linux-mips64", "debian" ],
++ cflags => add("-DL_ENDIAN"),
++ },
++ "debian-mips64" => {
++ inherit_from => [ "linux64-mips64", "debian" ],
++ cflags => add("-DB_ENDIAN"),
++ },
++ "debian-mips64el" => {
++ inherit_from => [ "linux64-mips64", "debian" ],
++ cflags => add("-DL_ENDIAN"),
++ },
++
++ # Temporary MIPS R6 targets. Those will vanish approx in 1.1.1 because
++ # aes-mips.pl creates proper R6 ASM code. After that, we can inherit from
++ # the linux*-mips* targets.
++ "linux-mips32r6" => {
++ # Configure script adds minimally required -march for assembly
++ # support, if no -march was specified at command line.
++ inherit_from => [ "linux-generic32"],
++ cflags => add("-mabi=32"),
++ perlasm_scheme => "o32",
++ shared_ldflag => add("-mabi=32"),
++ },
++ # mips32 and mips64 below refer to contemporary MIPS Architecture
++ # specifications, MIPS32 and MIPS64, rather than to kernel bitness.
++ "linux-mips64r6" => {
++ inherit_from => [ "linux-generic32"],
++ cflags => add("-mabi=n32"),
++ bn_ops => "SIXTY_FOUR_BIT RC4_CHAR",
++ perlasm_scheme => "n32",
++ shared_ldflag => add("-mabi=n32"),
++ multilib => "32",
++ },
++ "linux64-mips64r6" => {
++ inherit_from => [ "linux-generic64"],
++ cflags => add("-mabi=64"),
++ perlasm_scheme => "64",
++ shared_ldflag => add("-mabi=64"),
++ multilib => "64",
++ },
++ "debian-mipsr6" => {
++ inherit_from => [ "linux-mips32r6", "debian" ],
++ cflags => add("-DB_ENDIAN"),
++ },
++ "debian-mipsr6el" => {
++ inherit_from => [ "linux-mips32r6", "debian" ],
++ cflags => add("-DL_ENDIAN"),
++ },
++ "debian-mipsn32r6" => {
++ inherit_from => [ "linux-mips64r6", "debian" ],
++ cflags => add("-DB_ENDIAN"),
++ },
++ "debian-mipsn32r6el" => {
++ inherit_from => [ "linux-mips64r6", "debian" ],
++ cflags => add("-DL_ENDIAN"),
++ },
++ "debian-mips64r6" => {
++ inherit_from => [ "linux64-mips64r6", "debian" ],
++ cflags => add("-DB_ENDIAN"),
++ },
++ "debian-mips64r6el" => {
++ inherit_from => [ "linux64-mips64r6", "debian" ],
++ cflags => add("-DL_ENDIAN"),
++ },
++
++ "debian-musl-linux-arm64" => {
++ inherit_from => [ "linux-aarch64", "debian" ],
++ },
++ "debian-musl-linux-armhf" => {
++ inherit_from => [ "linux-armv4", "debian" ],
++ },
++ "debian-musl-linux-i386" => {
++ inherit_from => [ "linux-elf", "debian" ],
++ },
++ "debian-musl-linux-mips" => {
++ inherit_from => [ "linux-mips32", "debian" ],
++ cflags => add("-DB_ENDIAN"),
++ },
++ "debian-musl-linux-mipsel" => {
++ inherit_from => [ "linux-mips32", "debian" ],
++ cflags => add("-DL_ENDIAN"),
++ },
++
++ "debian-nios2" => {
++ inherit_from => [ "linux-generic32", "debian" ],
++ },
++ "debian-powerpc" => {
++ inherit_from => [ "linux-ppc", "debian" ],
++ },
++ "debian-powerpcspe" => {
++ inherit_from => [ "linux-ppc", "debian" ],
++ },
++ "debian-ppc64" => {
++ inherit_from => [ "linux-generic64", "debian", asm("ppc64_asm") ],
++ cflags => add("-DB_ENDIAN"),
++ perlasm_scheme => "linux64",
++ },
++ "debian-ppc64el" => {
++ inherit_from => [ "linux-ppc64le", "debian" ],
++ },
++ "debian-riscv64" => {
++ inherit_from => [ "linux-generic64", "debian" ],
++ },
++ "debian-s390" => {
++ inherit_from => [ "linux-generic32", "debian" ],
++ },
++ "debian-s390x" => {
++ inherit_from => [ "linux64-s390x", "debian" ],
++ },
++ "debian-sh3" => {
++ inherit_from => [ "linux-generic32", "debian" ],
++ },
++ "debian-sh3eb" => {
++ inherit_from => [ "linux-generic32", "debian" ],
++ },
++ "debian-sh4" => {
++ inherit_from => [ "linux-generic32", "debian" ],
++ },
++ "debian-sh4eb" => {
++ inherit_from => [ "linux-generic32", "debian" ],
++ },
++ "debian-m32r" => {
++ inherit_from => [ "linux-generic32", "debian" ],
++ },
++ "debian-sparc" => {
++ inherit_from => [ "linux-generic32", "debian", asm("sparcv9_asm") ],
++ cflags => add("-DB_ENDIAN -DBN_DIV2W"),
++ },
++ "debian-sparc64" => {
++ inherit_from => [ "linux-generic64", "debian", asm("sparcv9_asm") ],
++ cflags => add("-m64 -mcpu=ultrasparc -DB_ENDIAN"),
++ bn_ops => "BN_LLONG RC4_CHAR",
++ },
++ "debian-tilegx" => {
++ inherit_from => [ "linux-generic64", "debian" ],
++ },
++ "debian-x32" => {
++ inherit_from => [ "linux-x32", "debian" ],
++ },
++);
++
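Review bot: The provenance line in this patch header, `Imported from openssl_1.1.1h-1.debian.tar.xz`, names the 1.1.1h Debian packaging while the file is added under patches/openssl-1.1.1i; 0002-pic.patch and 0003-Set-systemwide-default-settings-for-libssl-users.patch carry the same line. If the series was carried forward unchanged, the header should say so, e.g. `Imported from openssl_1.1.1h-1.debian.tar.xz; applies unchanged to 1.1.1i`, so a later audit can match each patch to its origin. The comment `Those will vanish approx in 1.1.1` above the MIPS R6 targets is also stale for a 1.1.1i series and could be dropped or reworded when the import is refreshed. The base `debian` target only adds `-Wa,--noexecstack -Wall`, so other hardening flags presumably come from the build environment; a one-line comment on that entry would make the expectation explicit.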
diff --git a/patches/openssl-1.1.1i/0002-pic.patch b/patches/openssl-1.1.1i/0002-pic.patch
new file mode 100644
index 000000000..abbb5f8de
--- /dev/null
+++ b/patches/openssl-1.1.1i/0002-pic.patch
@@ -0,0 +1,189 @@
+From: Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>
+Date: Sun, 5 Nov 2017 15:09:09 +0100
+Subject: [PATCH] pic
+
+Imported from openssl_1.1.1h-1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ crypto/des/asm/desboth.pl | 17 ++++++++++++++---
+ crypto/perlasm/cbc.pl | 24 ++++++++++++++++++++----
+ crypto/perlasm/x86gas.pl | 16 ++++++++++++++++
+ crypto/x86cpuid.pl | 10 +++++-----
+ 4 files changed, 55 insertions(+), 12 deletions(-)
+
+diff --git a/crypto/des/asm/desboth.pl b/crypto/des/asm/desboth.pl
+index ef7054e27506..50765d2b1552 100644
+--- a/crypto/des/asm/desboth.pl
++++ b/crypto/des/asm/desboth.pl
+@@ -23,6 +23,11 @@ sub DES_encrypt3
+
+ &push("edi");
+
++ &call (&label("pic_point0"));
++ &set_label("pic_point0");
++ &blindpop("ebp");
++ &add ("ebp", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point0") . "]");
++
+ &comment("");
+ &comment("Load the data words");
+ &mov($L,&DWP(0,"ebx","",0));
+@@ -54,15 +59,21 @@ sub DES_encrypt3
+ &mov(&swtmp(2), (DWC(($enc)?"1":"0")));
+ &mov(&swtmp(1), "eax");
+ &mov(&swtmp(0), "ebx");
+- &call("DES_encrypt2");
++ &exch("ebx", "ebp");
++ &call("DES_encrypt2\@PLT");
++ &exch("ebx", "ebp");
+ &mov(&swtmp(2), (DWC(($enc)?"0":"1")));
+ &mov(&swtmp(1), "edi");
+ &mov(&swtmp(0), "ebx");
+- &call("DES_encrypt2");
++ &exch("ebx", "ebp");
++ &call("DES_encrypt2\@PLT");
++ &exch("ebx", "ebp");
+ &mov(&swtmp(2), (DWC(($enc)?"1":"0")));
+ &mov(&swtmp(1), "esi");
+ &mov(&swtmp(0), "ebx");
+- &call("DES_encrypt2");
++ &exch("ebx", "ebp");
++ &call("DES_encrypt2\@PLT");
++ &exch("ebx", "ebp");
+
+ &stack_pop(3);
+ &mov($L,&DWP(0,"ebx","",0));
+diff --git a/crypto/perlasm/cbc.pl b/crypto/perlasm/cbc.pl
+index 01bafe457d68..c093be5a4fd6 100644
+--- a/crypto/perlasm/cbc.pl
++++ b/crypto/perlasm/cbc.pl
+@@ -129,7 +129,11 @@ sub cbc
+ &mov(&DWP($data_off,"esp","",0), "eax"); # put in array for call
+ &mov(&DWP($data_off+4,"esp","",0), "ebx"); #
+
+- &call($enc_func);
++ &call (&label("pic_point0"));
++ &set_label("pic_point0");
++ &blindpop("ebx");
++ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point0") . "]");
++ &call("$enc_func\@PLT");
+
+ &mov("eax", &DWP($data_off,"esp","",0));
+ &mov("ebx", &DWP($data_off+4,"esp","",0));
+@@ -192,7 +196,11 @@ sub cbc
+ &mov(&DWP($data_off,"esp","",0), "eax"); # put in array for call
+ &mov(&DWP($data_off+4,"esp","",0), "ebx"); #
+
+- &call($enc_func);
++ &call (&label("pic_point1"));
++ &set_label("pic_point1");
++ &blindpop("ebx");
++ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point1") . "]");
++ &call("$enc_func\@PLT");
+
+ &mov("eax", &DWP($data_off,"esp","",0));
+ &mov("ebx", &DWP($data_off+4,"esp","",0));
+@@ -225,7 +233,11 @@ sub cbc
+ &mov(&DWP($data_off,"esp","",0), "eax"); # put back
+ &mov(&DWP($data_off+4,"esp","",0), "ebx"); #
+
+- &call($dec_func);
++ &call (&label("pic_point2"));
++ &set_label("pic_point2");
++ &blindpop("ebx");
++ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point2") . "]");
++ &call("$dec_func\@PLT");
+
+ &mov("eax", &DWP($data_off,"esp","",0)); # get return
+ &mov("ebx", &DWP($data_off+4,"esp","",0)); #
+@@ -268,7 +280,11 @@ sub cbc
+ &mov(&DWP($data_off,"esp","",0), "eax"); # put back
+ &mov(&DWP($data_off+4,"esp","",0), "ebx"); #
+
+- &call($dec_func);
++ &call (&label("pic_point3"));
++ &set_label("pic_point3");
++ &blindpop("ebx");
++ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point3") . "]");
++ &call("$dec_func\@PLT");
+
+ &mov("eax", &DWP($data_off,"esp","",0)); # get return
+ &mov("ebx", &DWP($data_off+4,"esp","",0)); #
+diff --git a/crypto/perlasm/x86gas.pl b/crypto/perlasm/x86gas.pl
+index 5c7ea3880e4d..7e49b55e97c7 100644
+--- a/crypto/perlasm/x86gas.pl
++++ b/crypto/perlasm/x86gas.pl
+@@ -170,6 +170,7 @@ sub ::file_end
+ if ($::macosx) { push (@out,"$tmp,2\n"); }
+ elsif ($::elf) { push (@out,"$tmp,4\n"); }
+ else { push (@out,"$tmp\n"); }
++ if ($::elf) { push (@out,".hidden\tOPENSSL_ia32cap_P\n"); }
+ }
+ push(@out,$initseg) if ($initseg);
+ }
+@@ -228,8 +229,23 @@ ___
+ elsif ($::elf)
+ { $initseg.=<<___;
+ .section .init
++___
++ if ($::pic)
++ { $initseg.=<<___;
++ pushl %ebx
++ call .pic_point0
++.pic_point0:
++ popl %ebx
++ addl \$_GLOBAL_OFFSET_TABLE_+[.-.pic_point0],%ebx
++ call $f\@PLT
++ popl %ebx
++___
++ }
++ else
++ { $initseg.=<<___;
+ call $f
+ ___
++ }
+ }
+ elsif ($::coff)
+ { $initseg.=<<___; # applies to both Cygwin and Mingw
+diff --git a/crypto/x86cpuid.pl b/crypto/x86cpuid.pl
+index ba4fd80fb32e..18c124707587 100644
+--- a/crypto/x86cpuid.pl
++++ b/crypto/x86cpuid.pl
+@@ -18,6 +18,8 @@ open OUT,">$output";
+
+ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+
++push(@out, ".hidden OPENSSL_ia32cap_P\n");
++
+ &function_begin("OPENSSL_ia32_cpuid");
+ &xor ("edx","edx");
+ &pushf ();
+@@ -163,9 +165,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+ &set_label("nocpuid");
+ &function_end("OPENSSL_ia32_cpuid");
+
+-&external_label("OPENSSL_ia32cap_P");
+-
+-&function_begin_B("OPENSSL_rdtsc","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
++&function_begin_B("OPENSSL_rdtsc");
+ &xor ("eax","eax");
+ &xor ("edx","edx");
+ &picmeup("ecx","OPENSSL_ia32cap_P");
+@@ -179,7 +179,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+ # This works in Ring 0 only [read DJGPP+MS-DOS+privileged DPMI host],
+ # but it's safe to call it on any [supported] 32-bit platform...
+ # Just check for [non-]zero return value...
+-&function_begin_B("OPENSSL_instrument_halt","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
++&function_begin_B("OPENSSL_instrument_halt");
+ &picmeup("ecx","OPENSSL_ia32cap_P");
+ &bt (&DWP(0,"ecx"),4);
+ &jnc (&label("nohalt")); # no TSC
+@@ -246,7 +246,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+ &ret ();
+ &function_end_B("OPENSSL_far_spin");
+
+-&function_begin_B("OPENSSL_wipe_cpu","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
++&function_begin_B("OPENSSL_wipe_cpu");
+ &xor ("eax","eax");
+ &xor ("edx","edx");
+ &picmeup("ecx","OPENSSL_ia32cap_P");
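Review bot: The `.hidden OPENSSL_ia32cap_P` line pushed near the top of crypto/x86cpuid.pl is emitted unconditionally, whereas the matching addition in x86gas.pl's `::file_end` is guarded by `$::elf`. The `_GLOBAL_OFFSET_TABLE_` / `@PLT` call sequences added to desboth.pl and cbc.pl are likewise unguarded, unlike the `.init` change in x86gas.pl, which checks `$::pic`. These are ELF/gas constructs, so the patched scripts would presumably no longer produce valid output for non-ELF flavours; that is acceptable for a Linux-only build but should be stated in the patch description. If the flavour flags are already set at that point (not visible in the hunk), `push(@out, ".hidden OPENSSL_ia32cap_P\n") if ($::elf);` would keep the directive scoped. The enclosing subs in all four files start and end outside the nested hunks.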
diff --git a/patches/openssl-1.1.1i/0003-Set-systemwide-default-settings-for-libssl-users.patch b/patches/openssl-1.1.1i/0003-Set-systemwide-default-settings-for-libssl-users.patch
new file mode 100644
index 000000000..4b98bc08d
--- /dev/null
+++ b/patches/openssl-1.1.1i/0003-Set-systemwide-default-settings-for-libssl-users.patch
@@ -0,0 +1,46 @@
+From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+Date: Tue, 20 Mar 2018 22:07:30 +0100
+Subject: [PATCH] Set systemwide default settings for libssl users
+
+This config change enforeces a TLS1.2 protocol version as minimum. It
+can be overwritten by the system administrator.
+
+It also changes the default security level from 1 to 2, moving from the 80 bit
+security level to the 112 bit security level.
+
+Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+
+Imported from openssl_1.1.1h-1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ apps/openssl.cnf | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/apps/openssl.cnf b/apps/openssl.cnf
+index 4acca4b0446f..a6fed92a2e75 100644
+--- a/apps/openssl.cnf
++++ b/apps/openssl.cnf
+@@ -15,6 +15,9 @@ HOME = .
+ #oid_file = $ENV::HOME/.oid
+ oid_section = new_oids
+
++# System default
++openssl_conf = default_conf
++
+ # To use this configuration file with the "-extfile" option of the
+ # "openssl x509" utility, name here the section containing the
+ # X.509v3 extensions to use:
+@@ -348,3 +351,12 @@ ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ ess_cert_id_alg = sha1 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
++[default_conf]
++ssl_conf = ssl_sect
++
++[ssl_sect]
++system_default = system_default_sect
++
++[system_default_sect]
++MinProtocol = TLSv1.2
++CipherString = DEFAULT@SECLEVEL=2
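Review bot: The new `[system_default_sect]` raises the floor to TLS 1.2 and security level 2, but nothing in openssl.cnf itself says what that rejects or how an administrator relaxes it. Level 2 refuses RSA, DSA and DH keys shorter than 2048 bits and ECC keys shorter than 224 bits, so peers or device certificates still using 1024-bit keys will fail the handshake once this default is active. I would add a comment above the section such as `# Minimum TLS version and security level for all libssl users; lower only for known legacy peers`. These defaults only apply where this openssl.cnf is installed and loaded, so it is worth confirming that the target image ships the file in the library's configuration directory (not visible in this commit).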
diff --git a/patches/openssl-1.1.1i/series b/patches/openssl-1.1.1i/series
new file mode 100644
index 000000000..2bfca5ade
--- /dev/null
+++ b/patches/openssl-1.1.1i/series
@@ -0,0 +1,6 @@
+# generated by git-ptx-patches
+#tag:base --start-number 1
+0001-debian-targets.patch
+0002-pic.patch
+0003-Set-systemwide-default-settings-for-libssl-users.patch
+# 0312ece60c710f114a26383fdd75ddcb - git-ptx-patches magic