From e3756c6d8d70404ee259f15cdb45aa00f11a013e Mon Sep 17 00:00:00 2001
From: Michael Olbrich
Date: Tue, 8 Dec 2020 18:45:30 +0100
Subject: openssl: version bump 1.1.1h -> 1.1.1i
Signed-off-by: Michael Olbrich
---
patches/openssl-1.1.1h/0001-debian-targets.patch | 228 ---------------------
patches/openssl-1.1.1h/0002-pic.patch | 189 -----------------
...temwide-default-settings-for-libssl-users.patch | 46 -----
patches/openssl-1.1.1h/series | 6 -
patches/openssl-1.1.1i/0001-debian-targets.patch | 228 +++++++++++++++++++++
patches/openssl-1.1.1i/0002-pic.patch | 189 +++++++++++++++++
...temwide-default-settings-for-libssl-users.patch | 46 +++++
patches/openssl-1.1.1i/series | 6 +
rules/openssl.make | 4 +-
9 files changed, 471 insertions(+), 471 deletions(-)
delete mode 100644 patches/openssl-1.1.1h/0001-debian-targets.patch
delete mode 100644 patches/openssl-1.1.1h/0002-pic.patch
delete mode 100644 patches/openssl-1.1.1h/0003-Set-systemwide-default-settings-for-libssl-users.patch
delete mode 100644 patches/openssl-1.1.1h/series
create mode 100644 patches/openssl-1.1.1i/0001-debian-targets.patch
create mode 100644 patches/openssl-1.1.1i/0002-pic.patch
create mode 100644 patches/openssl-1.1.1i/0003-Set-systemwide-default-settings-for-libssl-users.patch
create mode 100644 patches/openssl-1.1.1i/series
diff --git a/patches/openssl-1.1.1h/0001-debian-targets.patch b/patches/openssl-1.1.1h/0001-debian-targets.patch
deleted file mode 100644
index 4ef60acc5..000000000
--- a/patches/openssl-1.1.1h/0001-debian-targets.patch
+++ /dev/null
@@ -1,228 +0,0 @@ -From: Debian OpenSSL Team -Date: Sun, 5 Nov 2017 15:09:09 +0100 -Subject: [PATCH] debian-targets - -Imported from openssl_1.1.1h-1.debian.tar.xz - -Signed-off-by: Michael Olbrich ---- - Configurations/20-debian.conf | 210 ++++++++++++++++++++++++++++++++++ - 1 file changed, 210 insertions(+) - create mode 100644 Configurations/20-debian.conf - -diff --git a/Configurations/20-debian.conf b/Configurations/20-debian.conf -new file mode 100644 -index 000000000000..a3d5f68d36aa ---- /dev/null -+++ b/Configurations/20-debian.conf -@@ -0,0 +1,210 @@ -+my %targets = ( -+ "debian" => { -+ cflags => add("-Wa,--noexecstack -Wall"), -+ }, -+ "debian-alpha" => { -+ inherit_from => [ "linux-alpha-gcc", "debian" ], -+ }, -+ "debian-alpha-ev4" => { -+ inherit_from => [ "debian-alpha" ], -+ cflags => add("-mcpu=ev4"), -+ }, -+ "debian-alpha-ev5" => { -+ inherit_from => [ "debian-alpha" ], -+ cflags => add("-mcpu=ev5"), -+ }, -+ "debian-arm64" => { -+ inherit_from => [ "linux-aarch64", "debian" ], -+ }, -+ "debian-arm64ilp32" => { -+ inherit_from => [ "linux-arm64ilp32", "debian" ], -+ }, -+ "debian-armel" => { -+ inherit_from => [ "linux-armv4", "debian" ], -+ }, -+ "debian-armhf" => { -+ inherit_from => [ "linux-armv4", "debian" ], -+ }, -+ "debian-amd64" => { -+ inherit_from => [ "linux-x86_64", "debian" ], -+ }, -+ "debian-i386" => { -+ inherit_from => [ "linux-elf", "debian" ], -+ }, -+ "debian-avr32" => { -+ inherit_from => [ "linux-generic32", "debian" ], -+ }, -+ "debian-kfreebsd-amd64" => { -+ inherit_from => [ "debian-amd64" ], -+ enable => [ ], -+ }, -+ "debian-kfreebsd-i386" => { -+ inherit_from => [ "debian-i386" ], -+ enable => [ ], -+ }, -+ "debian-hppa" => { -+ inherit_from => [ "linux-generic32", "debian" ], -+ }, -+ "debian-hurd-i386" => { -+ inherit_from => [ "hurd-x86", "debian" ], -+ }, -+ "debian-ia64" => { -+ inherit_from => [ "linux-ia64", "debian" ], -+ }, -+ "debian-m68k" => { -+ inherit_from => [ "linux-generic32", "debian" ], -+ }, -+ 
"debian-mips" => { -+ inherit_from => [ "linux-mips32", "debian" ], -+ cflags => add("-DB_ENDIAN"), -+ }, -+ "debian-mipsel" => { -+ inherit_from => [ "linux-mips32", "debian" ], -+ cflags => add("-DL_ENDIAN"), -+ }, -+ "debian-mipsn32" => { -+ inherit_from => [ "linux-mips64", "debian" ], -+ cflags => add("-DB_ENDIAN"), -+ }, -+ "debian-mipsn32el" => { -+ inherit_from => [ "linux-mips64", "debian" ], -+ cflags => add("-DL_ENDIAN"), -+ }, -+ "debian-mips64" => { -+ inherit_from => [ "linux64-mips64", "debian" ], -+ cflags => add("-DB_ENDIAN"), -+ }, -+ "debian-mips64el" => { -+ inherit_from => [ "linux64-mips64", "debian" ], -+ cflags => add("-DL_ENDIAN"), -+ }, -+ -+ # Temporary MIPS R6 targets. Those will vanish approx in 1.1.1 because -+ # aes-mips.pl creates proper R6 ASM code. After that, we can inherit from -+ # the linux*-mips* targets. -+ "linux-mips32r6" => { -+ # Configure script adds minimally required -march for assembly -+ # support, if no -march was specified at command line. -+ inherit_from => [ "linux-generic32"], -+ cflags => add("-mabi=32"), -+ perlasm_scheme => "o32", -+ shared_ldflag => add("-mabi=32"), -+ }, -+ # mips32 and mips64 below refer to contemporary MIPS Architecture -+ # specifications, MIPS32 and MIPS64, rather than to kernel bitness. 
-+ "linux-mips64r6" => { -+ inherit_from => [ "linux-generic32"], -+ cflags => add("-mabi=n32"), -+ bn_ops => "SIXTY_FOUR_BIT RC4_CHAR", -+ perlasm_scheme => "n32", -+ shared_ldflag => add("-mabi=n32"), -+ multilib => "32", -+ }, -+ "linux64-mips64r6" => { -+ inherit_from => [ "linux-generic64"], -+ cflags => add("-mabi=64"), -+ perlasm_scheme => "64", -+ shared_ldflag => add("-mabi=64"), -+ multilib => "64", -+ }, -+ "debian-mipsr6" => { -+ inherit_from => [ "linux-mips32r6", "debian" ], -+ cflags => add("-DB_ENDIAN"), -+ }, -+ "debian-mipsr6el" => { -+ inherit_from => [ "linux-mips32r6", "debian" ], -+ cflags => add("-DL_ENDIAN"), -+ }, -+ "debian-mipsn32r6" => { -+ inherit_from => [ "linux-mips64r6", "debian" ], -+ cflags => add("-DB_ENDIAN"), -+ }, -+ "debian-mipsn32r6el" => { -+ inherit_from => [ "linux-mips64r6", "debian" ], -+ cflags => add("-DL_ENDIAN"), -+ }, -+ "debian-mips64r6" => { -+ inherit_from => [ "linux64-mips64r6", "debian" ], -+ cflags => add("-DB_ENDIAN"), -+ }, -+ "debian-mips64r6el" => { -+ inherit_from => [ "linux64-mips64r6", "debian" ], -+ cflags => add("-DL_ENDIAN"), -+ }, -+ -+ "debian-musl-linux-arm64" => { -+ inherit_from => [ "linux-aarch64", "debian" ], -+ }, -+ "debian-musl-linux-armhf" => { -+ inherit_from => [ "linux-armv4", "debian" ], -+ }, -+ "debian-musl-linux-i386" => { -+ inherit_from => [ "linux-elf", "debian" ], -+ }, -+ "debian-musl-linux-mips" => { -+ inherit_from => [ "linux-mips32", "debian" ], -+ cflags => add("-DB_ENDIAN"), -+ }, -+ "debian-musl-linux-mipsel" => { -+ inherit_from => [ "linux-mips32", "debian" ], -+ cflags => add("-DL_ENDIAN"), -+ }, -+ -+ "debian-nios2" => { -+ inherit_from => [ "linux-generic32", "debian" ], -+ }, -+ "debian-powerpc" => { -+ inherit_from => [ "linux-ppc", "debian" ], -+ }, -+ "debian-powerpcspe" => { -+ inherit_from => [ "linux-ppc", "debian" ], -+ }, -+ "debian-ppc64" => { -+ inherit_from => [ "linux-generic64", "debian", asm("ppc64_asm") ], -+ cflags => add("-DB_ENDIAN"), -+ 
perlasm_scheme => "linux64", -+ }, -+ "debian-ppc64el" => { -+ inherit_from => [ "linux-ppc64le", "debian" ], -+ }, -+ "debian-riscv64" => { -+ inherit_from => [ "linux-generic64", "debian" ], -+ }, -+ "debian-s390" => { -+ inherit_from => [ "linux-generic32", "debian" ], -+ }, -+ "debian-s390x" => { -+ inherit_from => [ "linux64-s390x", "debian" ], -+ }, -+ "debian-sh3" => { -+ inherit_from => [ "linux-generic32", "debian" ], -+ }, -+ "debian-sh3eb" => { -+ inherit_from => [ "linux-generic32", "debian" ], -+ }, -+ "debian-sh4" => { -+ inherit_from => [ "linux-generic32", "debian" ], -+ }, -+ "debian-sh4eb" => { -+ inherit_from => [ "linux-generic32", "debian" ], -+ }, -+ "debian-m32r" => { -+ inherit_from => [ "linux-generic32", "debian" ], -+ }, -+ "debian-sparc" => { -+ inherit_from => [ "linux-generic32", "debian", asm("sparcv9_asm") ], -+ cflags => add("-DB_ENDIAN -DBN_DIV2W"), -+ }, -+ "debian-sparc64" => { -+ inherit_from => [ "linux-generic64", "debian", asm("sparcv9_asm") ], -+ cflags => add("-m64 -mcpu=ultrasparc -DB_ENDIAN"), -+ bn_ops => "BN_LLONG RC4_CHAR", -+ }, -+ "debian-tilegx" => { -+ inherit_from => [ "linux-generic64", "debian" ], -+ }, -+ "debian-x32" => { -+ inherit_from => [ "linux-x32", "debian" ], -+ }, -+); -+ diff --git a/patches/openssl-1.1.1h/0002-pic.patch b/patches/openssl-1.1.1h/0002-pic.patch deleted file mode 100644 index abbb5f8de..000000000 --- a/patches/openssl-1.1.1h/0002-pic.patch +++ /dev/null 
@@ -1,189 +0,0 @@ -From: Debian OpenSSL Team -Date: Sun, 5 Nov 2017 15:09:09 +0100 -Subject: [PATCH] pic - -Imported from openssl_1.1.1h-1.debian.tar.xz - -Signed-off-by: Michael Olbrich ---- - crypto/des/asm/desboth.pl | 17 ++++++++++++++--- - crypto/perlasm/cbc.pl | 24 ++++++++++++++++++++---- - crypto/perlasm/x86gas.pl | 16 ++++++++++++++++ - crypto/x86cpuid.pl | 10 +++++----- - 4 files changed, 55 insertions(+), 12 deletions(-) - -diff --git a/crypto/des/asm/desboth.pl b/crypto/des/asm/desboth.pl -index ef7054e27506..50765d2b1552 100644 ---- a/crypto/des/asm/desboth.pl -+++ b/crypto/des/asm/desboth.pl -@@ -23,6 +23,11 @@ sub DES_encrypt3 - - &push("edi"); - -+ &call (&label("pic_point0")); -+ &set_label("pic_point0"); -+ &blindpop("ebp"); -+ &add ("ebp", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point0") . "]"); -+ - &comment(""); - &comment("Load the data words"); - &mov($L,&DWP(0,"ebx","",0)); -@@ -54,15 +59,21 @@ sub DES_encrypt3 - &mov(&swtmp(2), (DWC(($enc)?"1":"0"))); - &mov(&swtmp(1), "eax"); - &mov(&swtmp(0), "ebx"); -- &call("DES_encrypt2"); -+ &exch("ebx", "ebp"); -+ &call("DES_encrypt2\@PLT"); -+ &exch("ebx", "ebp"); - &mov(&swtmp(2), (DWC(($enc)?"0":"1"))); - &mov(&swtmp(1), "edi"); - &mov(&swtmp(0), "ebx"); -- &call("DES_encrypt2"); -+ &exch("ebx", "ebp"); -+ &call("DES_encrypt2\@PLT"); -+ &exch("ebx", "ebp"); - &mov(&swtmp(2), (DWC(($enc)?"1":"0"))); - &mov(&swtmp(1), "esi"); - &mov(&swtmp(0), "ebx"); -- &call("DES_encrypt2"); -+ &exch("ebx", "ebp"); -+ &call("DES_encrypt2\@PLT"); -+ &exch("ebx", "ebp"); - - &stack_pop(3); - &mov($L,&DWP(0,"ebx","",0)); -diff --git a/crypto/perlasm/cbc.pl b/crypto/perlasm/cbc.pl -index 01bafe457d68..c093be5a4fd6 100644 ---- a/crypto/perlasm/cbc.pl -+++ b/crypto/perlasm/cbc.pl -@@ -129,7 +129,11 @@ sub cbc - &mov(&DWP($data_off,"esp","",0), "eax"); # put in array for call - &mov(&DWP($data_off+4,"esp","",0), "ebx"); # - -- &call($enc_func); -+ &call (&label("pic_point0")); -+ &set_label("pic_point0"); -+ 
&blindpop("ebx"); -+ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point0") . "]"); -+ &call("$enc_func\@PLT"); - - &mov("eax", &DWP($data_off,"esp","",0)); - &mov("ebx", &DWP($data_off+4,"esp","",0)); -@@ -192,7 +196,11 @@ sub cbc - &mov(&DWP($data_off,"esp","",0), "eax"); # put in array for call - &mov(&DWP($data_off+4,"esp","",0), "ebx"); # - -- &call($enc_func); -+ &call (&label("pic_point1")); -+ &set_label("pic_point1"); -+ &blindpop("ebx"); -+ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point1") . "]"); -+ &call("$enc_func\@PLT"); - - &mov("eax", &DWP($data_off,"esp","",0)); - &mov("ebx", &DWP($data_off+4,"esp","",0)); -@@ -225,7 +233,11 @@ sub cbc - &mov(&DWP($data_off,"esp","",0), "eax"); # put back - &mov(&DWP($data_off+4,"esp","",0), "ebx"); # - -- &call($dec_func); -+ &call (&label("pic_point2")); -+ &set_label("pic_point2"); -+ &blindpop("ebx"); -+ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point2") . "]"); -+ &call("$dec_func\@PLT"); - - &mov("eax", &DWP($data_off,"esp","",0)); # get return - &mov("ebx", &DWP($data_off+4,"esp","",0)); # -@@ -268,7 +280,11 @@ sub cbc - &mov(&DWP($data_off,"esp","",0), "eax"); # put back - &mov(&DWP($data_off+4,"esp","",0), "ebx"); # - -- &call($dec_func); -+ &call (&label("pic_point3")); -+ &set_label("pic_point3"); -+ &blindpop("ebx"); -+ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point3") . 
"]"); -+ &call("$dec_func\@PLT"); - - &mov("eax", &DWP($data_off,"esp","",0)); # get return - &mov("ebx", &DWP($data_off+4,"esp","",0)); # -diff --git a/crypto/perlasm/x86gas.pl b/crypto/perlasm/x86gas.pl -index 5c7ea3880e4d..7e49b55e97c7 100644 ---- a/crypto/perlasm/x86gas.pl -+++ b/crypto/perlasm/x86gas.pl -@@ -170,6 +170,7 @@ sub ::file_end - if ($::macosx) { push (@out,"$tmp,2\n"); } - elsif ($::elf) { push (@out,"$tmp,4\n"); } - else { push (@out,"$tmp\n"); } -+ if ($::elf) { push (@out,".hidden\tOPENSSL_ia32cap_P\n"); } - } - push(@out,$initseg) if ($initseg); - } -@@ -228,8 +229,23 @@ ___ - elsif ($::elf) - { $initseg.=<<___; - .section .init -+___ -+ if ($::pic) -+ { $initseg.=<<___; -+ pushl %ebx -+ call .pic_point0 -+.pic_point0: -+ popl %ebx -+ addl \$_GLOBAL_OFFSET_TABLE_+[.-.pic_point0],%ebx -+ call $f\@PLT -+ popl %ebx -+___ -+ } -+ else -+ { $initseg.=<<___; - call $f - ___ -+ } - } - elsif ($::coff) - { $initseg.=<<___; # applies to both Cygwin and Mingw -diff --git a/crypto/x86cpuid.pl b/crypto/x86cpuid.pl -index ba4fd80fb32e..18c124707587 100644 ---- a/crypto/x86cpuid.pl -+++ b/crypto/x86cpuid.pl -@@ -18,6 +18,8 @@ open OUT,">$output"; - - for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); } - -+push(@out, ".hidden OPENSSL_ia32cap_P\n"); -+ - &function_begin("OPENSSL_ia32_cpuid"); - &xor ("edx","edx"); - &pushf (); -@@ -163,9 +165,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); } - &set_label("nocpuid"); - &function_end("OPENSSL_ia32_cpuid"); - --&external_label("OPENSSL_ia32cap_P"); -- --&function_begin_B("OPENSSL_rdtsc","EXTRN\t_OPENSSL_ia32cap_P:DWORD"); -+&function_begin_B("OPENSSL_rdtsc"); - &xor ("eax","eax"); - &xor ("edx","edx"); - &picmeup("ecx","OPENSSL_ia32cap_P"); -@@ -179,7 +179,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); } - # This works in Ring 0 only [read DJGPP+MS-DOS+privileged DPMI host], - # but it's safe to call it on any [supported] 32-bit platform... - # Just check for [non-]zero return value... 
--&function_begin_B("OPENSSL_instrument_halt","EXTRN\t_OPENSSL_ia32cap_P:DWORD"); -+&function_begin_B("OPENSSL_instrument_halt"); - &picmeup("ecx","OPENSSL_ia32cap_P"); - &bt (&DWP(0,"ecx"),4); - &jnc (&label("nohalt")); # no TSC -@@ -246,7 +246,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); } - &ret (); - &function_end_B("OPENSSL_far_spin"); - --&function_begin_B("OPENSSL_wipe_cpu","EXTRN\t_OPENSSL_ia32cap_P:DWORD"); -+&function_begin_B("OPENSSL_wipe_cpu"); - &xor ("eax","eax"); - &xor ("edx","edx"); - &picmeup("ecx","OPENSSL_ia32cap_P"); diff --git a/patches/openssl-1.1.1h/0003-Set-systemwide-default-settings-for-libssl-users.patch b/patches/openssl-1.1.1h/0003-Set-systemwide-default-settings-for-libssl-users.patch deleted file mode 100644 index 4b98bc08d..000000000 --- a/patches/openssl-1.1.1h/0003-Set-systemwide-default-settings-for-libssl-users.patch +++ /dev/null 
@@ -1,46 +0,0 @@
-From: Sebastian Andrzej Siewior
-Date: Tue, 20 Mar 2018 22:07:30 +0100
-Subject: [PATCH] Set systemwide default settings for libssl users
-
-This config change enforeces a TLS1.2 protocol version as minimum. It
-can be overwritten by the system administrator.
-
-It also changes the default security level from 1 to 2, moving from the 80 bit
-security level to the 112 bit security level.
-
-Signed-off-by: Sebastian Andrzej Siewior
-
-Imported from openssl_1.1.1h-1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich
----
- apps/openssl.cnf | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/apps/openssl.cnf b/apps/openssl.cnf
-index 4acca4b0446f..a6fed92a2e75 100644
---- a/apps/openssl.cnf
-+++ b/apps/openssl.cnf
-@@ -15,6 +15,9 @@ HOME = .
- #oid_file = $ENV::HOME/.oid
- oid_section = new_oids
-
-+# System default
-+openssl_conf = default_conf
-+
- # To use this configuration file with the "-extfile" option of the
- # "openssl x509" utility, name here the section containing the
- # X.509v3 extensions to use:
-@@ -348,3 +351,12 @@ ess_cert_id_chain = no # Must the ESS cert id chain be included?
- # (optional, default: no)
- ess_cert_id_alg = sha1 # algorithm to compute certificate
- # identifier (optional, default: sha1)
-+[default_conf]
-+ssl_conf = ssl_sect
-+
-+[ssl_sect]
-+system_default = system_default_sect
-+
-+[system_default_sect]
-+MinProtocol = TLSv1.2
-+CipherString = DEFAULT@SECLEVEL=2
diff --git a/patches/openssl-1.1.1h/series b/patches/openssl-1.1.1h/series
deleted file mode 100644
index 2bfca5ade..000000000
--- a/patches/openssl-1.1.1h/series
+++ /dev/null
@@ -1,6 +0,0 @@
-# generated by git-ptx-patches
-#tag:base --start-number 1
-0001-debian-targets.patch
-0002-pic.patch
-0003-Set-systemwide-default-settings-for-libssl-users.patch
-# 0312ece60c710f114a26383fdd75ddcb - git-ptx-patches magic
diff --git a/patches/openssl-1.1.1i/0001-debian-targets.patch b/patches/openssl-1.1.1i/0001-debian-targets.patch
new file mode 100644
index 000000000..5616df0fa
--- /dev/null
+++ b/patches/openssl-1.1.1i/0001-debian-targets.patch
@@ -0,0 +1,228 @@ +From: Debian OpenSSL Team +Date: Sun, 5 Nov 2017 15:09:09 +0100 +Subject: [PATCH] debian-targets + +Imported from openssl_1.1.1h-1.debian.tar.xz + +Signed-off-by: Michael Olbrich +--- + Configurations/20-debian.conf | 210 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 210 insertions(+) + create mode 100644 Configurations/20-debian.conf + +diff --git a/Configurations/20-debian.conf b/Configurations/20-debian.conf +new file mode 100644 +index 000000000000..a3d5f68d36aa +--- /dev/null ++++ b/Configurations/20-debian.conf +@@ -0,0 +1,210 @@ ++my %targets = ( ++ "debian" => { ++ cflags => add("-Wa,--noexecstack -Wall"), ++ }, ++ "debian-alpha" => { ++ inherit_from => [ "linux-alpha-gcc", "debian" ], ++ }, ++ "debian-alpha-ev4" => { ++ inherit_from => [ "debian-alpha" ], ++ cflags => add("-mcpu=ev4"), ++ }, ++ "debian-alpha-ev5" => { ++ inherit_from => [ "debian-alpha" ], ++ cflags => add("-mcpu=ev5"), ++ }, ++ "debian-arm64" => { ++ inherit_from => [ "linux-aarch64", "debian" ], ++ }, ++ "debian-arm64ilp32" => { ++ inherit_from => [ "linux-arm64ilp32", "debian" ], ++ }, ++ "debian-armel" => { ++ inherit_from => [ "linux-armv4", "debian" ], ++ }, ++ "debian-armhf" => { ++ inherit_from => [ "linux-armv4", "debian" ], ++ }, ++ "debian-amd64" => { ++ inherit_from => [ "linux-x86_64", "debian" ], ++ }, ++ "debian-i386" => { ++ inherit_from => [ "linux-elf", "debian" ], ++ }, ++ "debian-avr32" => { ++ inherit_from => [ "linux-generic32", "debian" ], ++ }, ++ "debian-kfreebsd-amd64" => { ++ inherit_from => [ "debian-amd64" ], ++ enable => [ ], ++ }, ++ "debian-kfreebsd-i386" => { ++ inherit_from => [ "debian-i386" ], ++ enable => [ ], ++ }, ++ "debian-hppa" => { ++ inherit_from => [ "linux-generic32", "debian" ], ++ }, ++ "debian-hurd-i386" => { ++ inherit_from => [ "hurd-x86", "debian" ], ++ }, ++ "debian-ia64" => { ++ inherit_from => [ "linux-ia64", "debian" ], ++ }, ++ "debian-m68k" => { ++ inherit_from => [ "linux-generic32", "debian" ], ++ 
}, ++ "debian-mips" => { ++ inherit_from => [ "linux-mips32", "debian" ], ++ cflags => add("-DB_ENDIAN"), ++ }, ++ "debian-mipsel" => { ++ inherit_from => [ "linux-mips32", "debian" ], ++ cflags => add("-DL_ENDIAN"), ++ }, ++ "debian-mipsn32" => { ++ inherit_from => [ "linux-mips64", "debian" ], ++ cflags => add("-DB_ENDIAN"), ++ }, ++ "debian-mipsn32el" => { ++ inherit_from => [ "linux-mips64", "debian" ], ++ cflags => add("-DL_ENDIAN"), ++ }, ++ "debian-mips64" => { ++ inherit_from => [ "linux64-mips64", "debian" ], ++ cflags => add("-DB_ENDIAN"), ++ }, ++ "debian-mips64el" => { ++ inherit_from => [ "linux64-mips64", "debian" ], ++ cflags => add("-DL_ENDIAN"), ++ }, ++ ++ # Temporary MIPS R6 targets. Those will vanish approx in 1.1.1 because ++ # aes-mips.pl creates proper R6 ASM code. After that, we can inherit from ++ # the linux*-mips* targets. ++ "linux-mips32r6" => { ++ # Configure script adds minimally required -march for assembly ++ # support, if no -march was specified at command line. ++ inherit_from => [ "linux-generic32"], ++ cflags => add("-mabi=32"), ++ perlasm_scheme => "o32", ++ shared_ldflag => add("-mabi=32"), ++ }, ++ # mips32 and mips64 below refer to contemporary MIPS Architecture ++ # specifications, MIPS32 and MIPS64, rather than to kernel bitness. 
++ "linux-mips64r6" => { ++ inherit_from => [ "linux-generic32"], ++ cflags => add("-mabi=n32"), ++ bn_ops => "SIXTY_FOUR_BIT RC4_CHAR", ++ perlasm_scheme => "n32", ++ shared_ldflag => add("-mabi=n32"), ++ multilib => "32", ++ }, ++ "linux64-mips64r6" => { ++ inherit_from => [ "linux-generic64"], ++ cflags => add("-mabi=64"), ++ perlasm_scheme => "64", ++ shared_ldflag => add("-mabi=64"), ++ multilib => "64", ++ }, ++ "debian-mipsr6" => { ++ inherit_from => [ "linux-mips32r6", "debian" ], ++ cflags => add("-DB_ENDIAN"), ++ }, ++ "debian-mipsr6el" => { ++ inherit_from => [ "linux-mips32r6", "debian" ], ++ cflags => add("-DL_ENDIAN"), ++ }, ++ "debian-mipsn32r6" => { ++ inherit_from => [ "linux-mips64r6", "debian" ], ++ cflags => add("-DB_ENDIAN"), ++ }, ++ "debian-mipsn32r6el" => { ++ inherit_from => [ "linux-mips64r6", "debian" ], ++ cflags => add("-DL_ENDIAN"), ++ }, ++ "debian-mips64r6" => { ++ inherit_from => [ "linux64-mips64r6", "debian" ], ++ cflags => add("-DB_ENDIAN"), ++ }, ++ "debian-mips64r6el" => { ++ inherit_from => [ "linux64-mips64r6", "debian" ], ++ cflags => add("-DL_ENDIAN"), ++ }, ++ ++ "debian-musl-linux-arm64" => { ++ inherit_from => [ "linux-aarch64", "debian" ], ++ }, ++ "debian-musl-linux-armhf" => { ++ inherit_from => [ "linux-armv4", "debian" ], ++ }, ++ "debian-musl-linux-i386" => { ++ inherit_from => [ "linux-elf", "debian" ], ++ }, ++ "debian-musl-linux-mips" => { ++ inherit_from => [ "linux-mips32", "debian" ], ++ cflags => add("-DB_ENDIAN"), ++ }, ++ "debian-musl-linux-mipsel" => { ++ inherit_from => [ "linux-mips32", "debian" ], ++ cflags => add("-DL_ENDIAN"), ++ }, ++ ++ "debian-nios2" => { ++ inherit_from => [ "linux-generic32", "debian" ], ++ }, ++ "debian-powerpc" => { ++ inherit_from => [ "linux-ppc", "debian" ], ++ }, ++ "debian-powerpcspe" => { ++ inherit_from => [ "linux-ppc", "debian" ], ++ }, ++ "debian-ppc64" => { ++ inherit_from => [ "linux-generic64", "debian", asm("ppc64_asm") ], ++ cflags => add("-DB_ENDIAN"), ++ 
perlasm_scheme => "linux64", ++ }, ++ "debian-ppc64el" => { ++ inherit_from => [ "linux-ppc64le", "debian" ], ++ }, ++ "debian-riscv64" => { ++ inherit_from => [ "linux-generic64", "debian" ], ++ }, ++ "debian-s390" => { ++ inherit_from => [ "linux-generic32", "debian" ], ++ }, ++ "debian-s390x" => { ++ inherit_from => [ "linux64-s390x", "debian" ], ++ }, ++ "debian-sh3" => { ++ inherit_from => [ "linux-generic32", "debian" ], ++ }, ++ "debian-sh3eb" => { ++ inherit_from => [ "linux-generic32", "debian" ], ++ }, ++ "debian-sh4" => { ++ inherit_from => [ "linux-generic32", "debian" ], ++ }, ++ "debian-sh4eb" => { ++ inherit_from => [ "linux-generic32", "debian" ], ++ }, ++ "debian-m32r" => { ++ inherit_from => [ "linux-generic32", "debian" ], ++ }, ++ "debian-sparc" => { ++ inherit_from => [ "linux-generic32", "debian", asm("sparcv9_asm") ], ++ cflags => add("-DB_ENDIAN -DBN_DIV2W"), ++ }, ++ "debian-sparc64" => { ++ inherit_from => [ "linux-generic64", "debian", asm("sparcv9_asm") ], ++ cflags => add("-m64 -mcpu=ultrasparc -DB_ENDIAN"), ++ bn_ops => "BN_LLONG RC4_CHAR", ++ }, ++ "debian-tilegx" => { ++ inherit_from => [ "linux-generic64", "debian" ], ++ }, ++ "debian-x32" => { ++ inherit_from => [ "linux-x32", "debian" ], ++ }, ++); ++ diff --git a/patches/openssl-1.1.1i/0002-pic.patch b/patches/openssl-1.1.1i/0002-pic.patch new file mode 100644 index 000000000..abbb5f8de --- /dev/null +++ b/patches/openssl-1.1.1i/0002-pic.patch 
@@ -0,0 +1,189 @@ +From: Debian OpenSSL Team +Date: Sun, 5 Nov 2017 15:09:09 +0100 +Subject: [PATCH] pic + +Imported from openssl_1.1.1h-1.debian.tar.xz + +Signed-off-by: Michael Olbrich +--- + crypto/des/asm/desboth.pl | 17 ++++++++++++++--- + crypto/perlasm/cbc.pl | 24 ++++++++++++++++++++---- + crypto/perlasm/x86gas.pl | 16 ++++++++++++++++ + crypto/x86cpuid.pl | 10 +++++----- + 4 files changed, 55 insertions(+), 12 deletions(-) + +diff --git a/crypto/des/asm/desboth.pl b/crypto/des/asm/desboth.pl +index ef7054e27506..50765d2b1552 100644 +--- a/crypto/des/asm/desboth.pl ++++ b/crypto/des/asm/desboth.pl +@@ -23,6 +23,11 @@ sub DES_encrypt3 + + &push("edi"); + ++ &call (&label("pic_point0")); ++ &set_label("pic_point0"); ++ &blindpop("ebp"); ++ &add ("ebp", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point0") . "]"); ++ + &comment(""); + &comment("Load the data words"); + &mov($L,&DWP(0,"ebx","",0)); +@@ -54,15 +59,21 @@ sub DES_encrypt3 + &mov(&swtmp(2), (DWC(($enc)?"1":"0"))); + &mov(&swtmp(1), "eax"); + &mov(&swtmp(0), "ebx"); +- &call("DES_encrypt2"); ++ &exch("ebx", "ebp"); ++ &call("DES_encrypt2\@PLT"); ++ &exch("ebx", "ebp"); + &mov(&swtmp(2), (DWC(($enc)?"0":"1"))); + &mov(&swtmp(1), "edi"); + &mov(&swtmp(0), "ebx"); +- &call("DES_encrypt2"); ++ &exch("ebx", "ebp"); ++ &call("DES_encrypt2\@PLT"); ++ &exch("ebx", "ebp"); + &mov(&swtmp(2), (DWC(($enc)?"1":"0"))); + &mov(&swtmp(1), "esi"); + &mov(&swtmp(0), "ebx"); +- &call("DES_encrypt2"); ++ &exch("ebx", "ebp"); ++ &call("DES_encrypt2\@PLT"); ++ &exch("ebx", "ebp"); + + &stack_pop(3); + &mov($L,&DWP(0,"ebx","",0)); +diff --git a/crypto/perlasm/cbc.pl b/crypto/perlasm/cbc.pl +index 01bafe457d68..c093be5a4fd6 100644 +--- a/crypto/perlasm/cbc.pl ++++ b/crypto/perlasm/cbc.pl +@@ -129,7 +129,11 @@ sub cbc + &mov(&DWP($data_off,"esp","",0), "eax"); # put in array for call + &mov(&DWP($data_off+4,"esp","",0), "ebx"); # + +- &call($enc_func); ++ &call (&label("pic_point0")); ++ &set_label("pic_point0"); ++ 
&blindpop("ebx"); ++ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point0") . "]"); ++ &call("$enc_func\@PLT"); + + &mov("eax", &DWP($data_off,"esp","",0)); + &mov("ebx", &DWP($data_off+4,"esp","",0)); +@@ -192,7 +196,11 @@ sub cbc + &mov(&DWP($data_off,"esp","",0), "eax"); # put in array for call + &mov(&DWP($data_off+4,"esp","",0), "ebx"); # + +- &call($enc_func); ++ &call (&label("pic_point1")); ++ &set_label("pic_point1"); ++ &blindpop("ebx"); ++ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point1") . "]"); ++ &call("$enc_func\@PLT"); + + &mov("eax", &DWP($data_off,"esp","",0)); + &mov("ebx", &DWP($data_off+4,"esp","",0)); +@@ -225,7 +233,11 @@ sub cbc + &mov(&DWP($data_off,"esp","",0), "eax"); # put back + &mov(&DWP($data_off+4,"esp","",0), "ebx"); # + +- &call($dec_func); ++ &call (&label("pic_point2")); ++ &set_label("pic_point2"); ++ &blindpop("ebx"); ++ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point2") . "]"); ++ &call("$dec_func\@PLT"); + + &mov("eax", &DWP($data_off,"esp","",0)); # get return + &mov("ebx", &DWP($data_off+4,"esp","",0)); # +@@ -268,7 +280,11 @@ sub cbc + &mov(&DWP($data_off,"esp","",0), "eax"); # put back + &mov(&DWP($data_off+4,"esp","",0), "ebx"); # + +- &call($dec_func); ++ &call (&label("pic_point3")); ++ &set_label("pic_point3"); ++ &blindpop("ebx"); ++ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point3") . 
"]"); ++ &call("$dec_func\@PLT"); + + &mov("eax", &DWP($data_off,"esp","",0)); # get return + &mov("ebx", &DWP($data_off+4,"esp","",0)); # +diff --git a/crypto/perlasm/x86gas.pl b/crypto/perlasm/x86gas.pl +index 5c7ea3880e4d..7e49b55e97c7 100644 +--- a/crypto/perlasm/x86gas.pl ++++ b/crypto/perlasm/x86gas.pl +@@ -170,6 +170,7 @@ sub ::file_end + if ($::macosx) { push (@out,"$tmp,2\n"); } + elsif ($::elf) { push (@out,"$tmp,4\n"); } + else { push (@out,"$tmp\n"); } ++ if ($::elf) { push (@out,".hidden\tOPENSSL_ia32cap_P\n"); } + } + push(@out,$initseg) if ($initseg); + } +@@ -228,8 +229,23 @@ ___ + elsif ($::elf) + { $initseg.=<<___; + .section .init ++___ ++ if ($::pic) ++ { $initseg.=<<___; ++ pushl %ebx ++ call .pic_point0 ++.pic_point0: ++ popl %ebx ++ addl \$_GLOBAL_OFFSET_TABLE_+[.-.pic_point0],%ebx ++ call $f\@PLT ++ popl %ebx ++___ ++ } ++ else ++ { $initseg.=<<___; + call $f + ___ ++ } + } + elsif ($::coff) + { $initseg.=<<___; # applies to both Cygwin and Mingw +diff --git a/crypto/x86cpuid.pl b/crypto/x86cpuid.pl +index ba4fd80fb32e..18c124707587 100644 +--- a/crypto/x86cpuid.pl ++++ b/crypto/x86cpuid.pl +@@ -18,6 +18,8 @@ open OUT,">$output"; + + for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); } + ++push(@out, ".hidden OPENSSL_ia32cap_P\n"); ++ + &function_begin("OPENSSL_ia32_cpuid"); + &xor ("edx","edx"); + &pushf (); +@@ -163,9 +165,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); } + &set_label("nocpuid"); + &function_end("OPENSSL_ia32_cpuid"); + +-&external_label("OPENSSL_ia32cap_P"); +- +-&function_begin_B("OPENSSL_rdtsc","EXTRN\t_OPENSSL_ia32cap_P:DWORD"); ++&function_begin_B("OPENSSL_rdtsc"); + &xor ("eax","eax"); + &xor ("edx","edx"); + &picmeup("ecx","OPENSSL_ia32cap_P"); +@@ -179,7 +179,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); } + # This works in Ring 0 only [read DJGPP+MS-DOS+privileged DPMI host], + # but it's safe to call it on any [supported] 32-bit platform... + # Just check for [non-]zero return value... 
+-&function_begin_B("OPENSSL_instrument_halt","EXTRN\t_OPENSSL_ia32cap_P:DWORD"); ++&function_begin_B("OPENSSL_instrument_halt"); + &picmeup("ecx","OPENSSL_ia32cap_P"); + &bt (&DWP(0,"ecx"),4); + &jnc (&label("nohalt")); # no TSC +@@ -246,7 +246,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); } + &ret (); + &function_end_B("OPENSSL_far_spin"); + +-&function_begin_B("OPENSSL_wipe_cpu","EXTRN\t_OPENSSL_ia32cap_P:DWORD"); ++&function_begin_B("OPENSSL_wipe_cpu"); + &xor ("eax","eax"); + &xor ("edx","edx"); + &picmeup("ecx","OPENSSL_ia32cap_P"); diff --git a/patches/openssl-1.1.1i/0003-Set-systemwide-default-settings-for-libssl-users.patch b/patches/openssl-1.1.1i/0003-Set-systemwide-default-settings-for-libssl-users.patch new file mode 100644 index 000000000..4b98bc08d --- /dev/null +++ b/patches/openssl-1.1.1i/0003-Set-systemwide-default-settings-for-libssl-users.patch 
@@ -0,0 +1,46 @@
+From: Sebastian Andrzej Siewior
+Date: Tue, 20 Mar 2018 22:07:30 +0100
+Subject: [PATCH] Set systemwide default settings for libssl users
+
+This config change enforeces a TLS1.2 protocol version as minimum. It
+can be overwritten by the system administrator.
+
+It also changes the default security level from 1 to 2, moving from the 80 bit
+security level to the 112 bit security level.
+
+Signed-off-by: Sebastian Andrzej Siewior
+
+Imported from openssl_1.1.1h-1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich
+---
+ apps/openssl.cnf | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/apps/openssl.cnf b/apps/openssl.cnf
+index 4acca4b0446f..a6fed92a2e75 100644
+--- a/apps/openssl.cnf
++++ b/apps/openssl.cnf
+@@ -15,6 +15,9 @@ HOME = .
+ #oid_file = $ENV::HOME/.oid
+ oid_section = new_oids
+
++# System default
++openssl_conf = default_conf
++
+ # To use this configuration file with the "-extfile" option of the
+ # "openssl x509" utility, name here the section containing the
+ # X.509v3 extensions to use:
+@@ -348,3 +351,12 @@ ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ ess_cert_id_alg = sha1 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
++[default_conf]
++ssl_conf = ssl_sect
++
++[ssl_sect]
++system_default = system_default_sect
++
++[system_default_sect]
++MinProtocol = TLSv1.2
++CipherString = DEFAULT@SECLEVEL=2
diff --git a/patches/openssl-1.1.1i/series b/patches/openssl-1.1.1i/series
new file mode 100644
index 000000000..2bfca5ade
--- /dev/null
+++ b/patches/openssl-1.1.1i/series
@@ -0,0 +1,6 @@
+# generated by git-ptx-patches
+#tag:base --start-number 1
+0001-debian-targets.patch
+0002-pic.patch
+0003-Set-systemwide-default-settings-for-libssl-users.patch
+# 0312ece60c710f114a26383fdd75ddcb - git-ptx-patches magic
diff --git a/rules/openssl.make b/rules/openssl.make
index 304b971be..d4798f36e 100644
--- a/rules/openssl.make
+++ b/rules/openssl.make
@@ -17,9 +17,9 @@ PACKAGES-$(PTXCONF_OPENSSL) += openssl
 # Paths and names
 #
 OPENSSL_BASE := 1.1.1
-OPENSSL_BUGFIX := h
+OPENSSL_BUGFIX := i
 OPENSSL_VERSION := $(OPENSSL_BASE)$(OPENSSL_BUGFIX)
-OPENSSL_MD5 := 53840c70434793127a3574433494e8d3
+OPENSSL_MD5 := 08987c3cf125202e2b0840035efb392c
 OPENSSL := openssl-$(OPENSSL_VERSION)
 OPENSSL_SUFFIX := tar.gz
 OPENSSL_URL := \
--
cgit v1.2.3