diff options
| -rw-r--r-- | dev-libs/openssl/ChangeLog | 9 | ||||
| -rw-r--r-- | dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-2409.patch | 45 | ||||
| -rw-r--r-- | dev-libs/openssl/openssl-0.9.8l-r2.ebuild | 182 |
3 files changed, 231 insertions, 5 deletions
diff --git a/dev-libs/openssl/ChangeLog b/dev-libs/openssl/ChangeLog index f44502db6b3a..5eea830c50ce 100644 --- a/dev-libs/openssl/ChangeLog +++ b/dev-libs/openssl/ChangeLog @@ -1,6 +1,13 @@ # ChangeLog for dev-libs/openssl # Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/ChangeLog,v 1.308 2009/11/23 21:22:21 armin76 Exp $ +# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/ChangeLog,v 1.309 2009/11/27 22:00:12 vapier Exp $ + +*openssl-0.9.8l-r2 (27 Nov 2009) + + 27 Nov 2009; Mike Frysinger <vapier@gentoo.org> +openssl-0.9.8l-r2.ebuild, + files/openssl-0.9.8l-CVE-2009-2409.patch: + Add other half of MD2 disable so that root certs arent checked #294615 by + Alexander Danilov. 23 Nov 2009; Raúl Porcel <armin76@gentoo.org> openssl-0.9.8l-r1.ebuild: ia64/m68k/s390/sh/sparc stable wrt #292022 diff --git a/dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-2409.patch b/dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-2409.patch index ad4bf3dac9fa..b097869f3b1e 100644 --- a/dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-2409.patch +++ b/dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-2409.patch @@ -2,11 +2,48 @@ http://bugs.gentoo.org/280591 fix from upstream +http://cvs.openssl.org/chngview?cn=18260 + +Index: openssl/crypto/x509/x509_vfy.c +RCS File: /v/openssl/cvs/openssl/crypto/x509/x509_vfy.c,v +rcsdiff -q -kk '-r1.77.2.8' '-r1.77.2.9' -u '/v/openssl/cvs/openssl/crypto/x509/x509_vfy.c,v' 2>/dev/null +--- crypto/x509/x509_vfy.c 2008/07/13 14:33:15 1.77.2.8 ++++ crypto/x509/x509_vfy.c 2009/06/15 14:52:38 1.77.2.9 +@@ -986,7 +986,11 @@ + while (n >= 0) + { + ctx->error_depth=n; +- if (!xs->valid) ++ ++ /* Skip signature check for self signed certificates. It ++ * doesn't add any security and just wastes time. ++ */ ++ if (!xs->valid && xs != xi) + { + if ((pkey=X509_get_pubkey(xi)) == NULL) + { +@@ -996,13 +1000,6 @@ + if (!ok) goto end; + } + else if (X509_verify(xs,pkey) <= 0) +- /* XXX For the final trusted self-signed cert, +- * this is a waste of time. That check should +- * optional so that e.g. 'openssl x509' can be +- * used to detect invalid self-signatures, but +- * we don't verify again and again in SSL +- * handshakes and the like once the cert has +- * been declared trusted. */ + { + ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE; + ctx->current_cert=xs; + +http://cvs.openssl.org/chngview?cn=18317 + Index: openssl/crypto/evp/c_alld.c RCS File: /v/openssl/cvs/openssl/crypto/evp/c_alld.c,v rcsdiff -q -kk '-r1.7' '-r1.7.2.1' -u '/v/openssl/cvs/openssl/crypto/evp/c_alld.c,v' 2>/dev/null ---- c_alld.c 2005/04/30 21:51:40 1.7 -+++ c_alld.c 2009/07/08 08:33:26 1.7.2.1 +--- crypto/evp/c_alld.c 2005/04/30 21:51:40 1.7 ++++ crypto/evp/c_alld.c 2009/07/08 08:33:26 1.7.2.1 @@ -64,9 +64,6 @@ void OpenSSL_add_all_digests(void) @@ -20,8 +57,8 @@ rcsdiff -q -kk '-r1.7' '-r1.7.2.1' -u '/v/openssl/cvs/openssl/crypto/evp/c_alld. Index: openssl/ssl/ssl_algs.c RCS File: /v/openssl/cvs/openssl/ssl/ssl_algs.c,v rcsdiff -q -kk '-r1.12.2.3' '-r1.12.2.4' -u '/v/openssl/cvs/openssl/ssl/ssl_algs.c,v' 2>/dev/null ---- ssl_algs.c 2007/04/23 23:50:21 1.12.2.3 -+++ ssl_algs.c 2009/07/08 08:33:27 1.12.2.4 +--- ssl/ssl_algs.c 2007/04/23 23:50:21 1.12.2.3 ++++ ssl/ssl_algs.c 2009/07/08 08:33:27 1.12.2.4 @@ -92,9 +92,6 @@ EVP_add_cipher(EVP_seed_cbc()); #endif diff --git a/dev-libs/openssl/openssl-0.9.8l-r2.ebuild b/dev-libs/openssl/openssl-0.9.8l-r2.ebuild new file mode 100644 index 000000000000..bdc263488c0a --- /dev/null +++ b/dev-libs/openssl/openssl-0.9.8l-r2.ebuild @@ -0,0 +1,182 @@ +# Copyright 1999-2009 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/openssl-0.9.8l-r2.ebuild,v 1.1 2009/11/27 22:00:12 vapier Exp $ + +inherit eutils flag-o-matic toolchain-funcs + +DESCRIPTION="Toolkit for SSL v2/v3 and TLS v1" +HOMEPAGE="http://www.openssl.org/" +SRC_URI="mirror://openssl/source/${P}.tar.gz" + +LICENSE="openssl" +SLOT="0" +KEYWORDS="alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~sparc-fbsd ~x86-fbsd" +IUSE="bindist gmp kerberos sse2 test zlib" + +RDEPEND="gmp? ( dev-libs/gmp ) + zlib? ( sys-libs/zlib ) + kerberos? ( app-crypt/mit-krb5 )" +DEPEND="${RDEPEND} + sys-apps/diffutils + >=dev-lang/perl-5 + test? ( sys-devel/bc )" +PDEPEND="app-misc/ca-certificates" + +src_unpack() { + unpack ${A} + cd "${S}" + + epatch "${FILESDIR}"/${PN}-0.9.7e-gentoo.patch + #Forward port of the -b patch. Parallel make fails though. + epatch "${FILESDIR}"/${PN}-0.9.8j-parallel-build.patch + epatch "${FILESDIR}"/${PN}-0.9.8-make-engines-dir.patch + epatch "${FILESDIR}"/${PN}-0.9.8k-toolchain.patch + epatch "${FILESDIR}"/${PN}-0.9.8b-doc-updates.patch + epatch "${FILESDIR}"/${PN}-0.9.8-makedepend.patch #149583 + epatch "${FILESDIR}"/${PN}-0.9.8e-make.patch #146316 + #epatch "${FILESDIR}"/${PN}-0.9.8e-bsd-sparc64.patch + epatch "${FILESDIR}"/${PN}-0.9.8g-sslv3-no-tlsext.patch + #epatch "${FILESDIR}"/${PN}-0.9.8h-ldflags.patch #181438 + epatch "${FILESDIR}"/${PN}-0.9.8l-CVE-2009-137{7,8,9}.patch #270305 + epatch "${FILESDIR}"/${P}-CVE-2009-1387.patch #270305 + epatch "${FILESDIR}"/${P}-CVE-2009-2409.patch #280591 + epatch "${FILESDIR}"/${P}-dtls-compat.patch #280370 + epatch "${FILESDIR}"/${PN}-0.9.8l-binutils.patch #289130 + sed -i -e '/DIRS/ s/ fips / /g' Makefile{,.org} \ + || die "Removing fips from openssl failed." + + # allow openssl to be cross-compiled + cp "${FILESDIR}"/gentoo.config-0.9.8 gentoo.config || die "cp cross-compile failed" + chmod a+rx gentoo.config + + # Don't build manpages if we don't want them + has noman FEATURES \ + && sed -i '/^install:/s:install_docs::' Makefile.org \ + || sed -i '/^MANDIR=/s:=.*:=/usr/share/man:' Makefile.org + + # Try to derice users and work around broken ass toolchains + if [[ $(gcc-major-version) == "3" ]] ; then + filter-flags -fprefetch-loop-arrays -freduce-all-givs -funroll-loops + [[ $(tc-arch) == "ppc64" ]] && replace-flags -O? -O + fi + [[ $(tc-arch) == ppc* ]] && append-flags -fno-strict-aliasing + append-flags -Wa,--noexecstack + + # using a library directory other than lib requires some magic + sed -i \ + -e "s+\(\$(INSTALL_PREFIX)\$(INSTALLTOP)\)/lib+\1/$(get_libdir)+g" \ + -e "s+libdir=\$\${exec_prefix}/lib+libdir=\$\${exec_prefix}/$(get_libdir)+g" \ + Makefile.org engines/Makefile \ + || die "sed failed" + sed -i '1s,^:$,#!/usr/bin/perl,' Configure #141906 + sed -i '/^"debug-steve/d' Configure # 0.9.8k shipped broken + ./config --test-sanity || die "I AM NOT SANE" +} + +src_compile() { + unset APPS #197996 + + tc-export CC AR RANLIB + + # Clean out patent-or-otherwise-encumbered code + # Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher) + # IDEA: 5,214,703 25/05/2010 http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm + # EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography + # MDC2: Expired http://en.wikipedia.org/wiki/MDC-2 + # RC5: 5,724,428 03/03/2015 http://en.wikipedia.org/wiki/RC5 + + use_ssl() { use $1 && echo "enable-${2:-$1} ${*:3}" || echo "no-${2:-$1}" ; } + echoit() { echo "$@" ; "$@" ; } + + local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") + + local sslout=$(./gentoo.config) + einfo "Use configuration ${sslout:-(openssl knows best)}" + local config="Configure" + [[ -z ${sslout} ]] && config="config" + echoit \ + ./${config} \ + ${sslout} \ + $(use sse2 || echo "no-sse2") \ + enable-camellia \ + $(use_ssl !bindist ec) \ + $(use_ssl !bindist idea) \ + enable-mdc2 \ + $(use_ssl !bindist rc5) \ + enable-tlsext \ + $(use_ssl gmp) \ + $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \ + $(use_ssl zlib) \ + --prefix=/usr \ + --openssldir=/etc/ssl \ + shared threads \ + || die "Configure failed" + + # Clean out hardcoded flags that openssl uses + local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \ + -e 's:^CFLAG=::' \ + -e 's:-fomit-frame-pointer ::g' \ + -e 's:-O[0-9] ::g' \ + -e 's:-march=[-a-z0-9]* ::g' \ + -e 's:-mcpu=[-a-z0-9]* ::g' \ + -e 's:-m[a-z0-9]* ::g' \ + ) + sed -i \ + -e "/^CFLAG/s:=.*:=${CFLAG} ${CFLAGS}:" \ + -e "/^SHARED_LDFLAGS=/s:$: ${LDFLAGS}:" \ + Makefile || die + + # depend is needed to use $confopts + # rehash is needed to prep the certs/ dir + emake -j1 depend || die "depend failed" + emake -j1 all rehash || die "make all failed" +} + +src_test() { + emake -j1 test || die "make test failed" +} + +src_install() { + emake -j1 INSTALL_PREFIX="${D}" install || die + dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el + dohtml -r doc/* + + # create the certs directory + dodir /etc/ssl/certs + cp -RP certs/* "${D}"/etc/ssl/certs/ || die "failed to install certs" + rm -r "${D}"/etc/ssl/certs/{demo,expired} + + # Namespace openssl programs to prevent conflicts with other man pages + cd "${D}"/usr/share/man + local m d s + for m in $(find . -type f | xargs grep -L '#include') ; do + d=${m%/*} ; d=${d#./} ; m=${m##*/} + [[ ${m} == openssl.1* ]] && continue + [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!" + mv ${d}/{,ssl-}${m} + ln -s ssl-${m} ${d}/openssl-${m} + # locate any symlinks that point to this man page ... we assume + # that any broken links are due to the above renaming + for s in $(find -L ${d} -type l) ; do + s=${s##*/} + rm -f ${d}/${s} + ln -s ssl-${m} ${d}/ssl-${s} + ln -s ssl-${s} ${d}/openssl-${s} + done + done + [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :(" + + dodir /etc/sandbox.d #254521 + echo 'SANDBOX_PREDICT="/dev/crypto"' > "${D}"/etc/sandbox.d/10openssl + + diropts -m0700 + keepdir /etc/ssl/private +} + +pkg_preinst() { + preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.{6,7} +} + +pkg_postinst() { + preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.{6,7} +} |