[packages/openssl] - rel 2; add debian fixes
arekm
arekm at pld-linux.org
Fri May 17 09:10:49 CEST 2013
commit 84745a0c3ecccc028225ed6345956c6f4a3c777c
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date: Fri May 17 09:10:45 2013 +0200
- rel 2; add debian fixes
aesni-mac.patch | 26 ++++++++
cpuid.patch | 27 ++++++++
default_bits.patch | 11 ++++
dtls_version.patch | 25 ++++++++
get_certificate.patch | 27 ++++++++
openssl.spec | 20 +++++-
pic.patch | 175 ++++++++++++++++++++++++++++++++++++++++++++++++++
stddef.patch | 12 ++++
8 files changed, 322 insertions(+), 1 deletion(-)
---
diff --git a/openssl.spec b/openssl.spec
index 932f8ff..40a65e9 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -17,7 +17,7 @@ Summary(ru.UTF-8): Библиотеки и утилиты для соедине
Summary(uk.UTF-8): Бібліотеки та утиліти для з'єднань через Secure Sockets Layer
Name: openssl
Version: 1.0.1e
-Release: 1
+Release: 2
License: Apache-like
Group: Libraries
Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz
@@ -33,6 +33,16 @@ Patch4: %{name}-man-namespace.patch
Patch5: %{name}-asflag.patch
Patch6: %{name}-ca-certificates.patch
Patch7: %{name}-ldflags.patch
+
+# from debian
+Patch10: aesni-mac.patch
+Patch11: cpuid.patch
+Patch12: default_bits.patch
+Patch13: dtls_version.patch
+Patch14: get_certificate.patch
+Patch15: pic.patch
+Patch16: stddef.patch
+
URL: http://www.openssl.org/
BuildRequires: bc
BuildRequires: perl-devel >= 1:5.6.1
@@ -245,6 +255,14 @@ RC4, RSA и SSL. Включает статические библиотеки д
%patch6 -p1
%patch7 -p1
+%patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+
sed -i -e 's|\$prefix/\$libdir/engines|/%{_lib}/engines|g' Configure
%build
diff --git a/aesni-mac.patch b/aesni-mac.patch
new file mode 100644
index 0000000..7bb5345
--- /dev/null
+++ b/aesni-mac.patch
@@ -0,0 +1,26 @@
+From: Andy Polyakov <appro at openssl.org>
+Date: Mon, 18 Mar 2013 19:29:41 +0100
+Subject: e_aes_cbc_hmac_sha1.c: fix rare bad record mac on AES-NI plaforms.
+Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=9ab3ce124616cb12bd39c6aa1e1bde0f46969b29
+Bug-Debian: http://bugs.debian.org/701868
+Bug: http://rt.openssl.org/Ticket/Display.html?id=3002&user=guest&pass=guest
+
+diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c
+index 483e04b..fb2c884 100644
+--- a/crypto/evp/e_aes_cbc_hmac_sha1.c
++++ b/crypto/evp/e_aes_cbc_hmac_sha1.c
+@@ -328,10 +328,11 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+
+ if (res!=SHA_CBLOCK) continue;
+
+- mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));
++ /* j is not incremented yet */
++ mask = 0-((inp_len+7-j)>>(sizeof(j)*8-1));
+ data->u[SHA_LBLOCK-1] |= bitlen&mask;
+ sha1_block_data_order(&key->md,data,1);
+- mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
++ mask &= 0-((j-inp_len-72)>>(sizeof(j)*8-1));
+ pmac->u[0] |= key->md.h0 & mask;
+ pmac->u[1] |= key->md.h1 & mask;
+ pmac->u[2] |= key->md.h2 & mask;
+
diff --git a/cpuid.patch b/cpuid.patch
new file mode 100644
index 0000000..4e37491
--- /dev/null
+++ b/cpuid.patch
@@ -0,0 +1,27 @@
+From: Andy Polyakov <appro at openssl.org>
+Date: Mon, 4 Mar 2013 19:05:04 +0000 (+0100)
+Subject: x86cpuid.pl: make it work with older CPUs.
+Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=5702e965d759dde8a098d8108660721ba2b93a7d
+Bug-Debian: http://bugs.debian.org/699692
+Bug: http://rt.openssl.org/Ticket/Display.html?id=3005&user=guest&pass=guest
+
+diff --git a/crypto/x86cpuid.pl b/crypto/x86cpuid.pl
+index 3b6c469..e8a7518 100644
+--- a/crypto/x86cpuid.pl
++++ b/crypto/x86cpuid.pl
+@@ -69,6 +69,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+ &inc ("esi"); # number of cores
+
+ &mov ("eax",1);
++ &xor ("ecx","ecx");
+ &cpuid ();
+ &bt ("edx",28);
+ &jnc (&label("generic"));
+@@ -102,6 +103,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+
+ &set_label("nocacheinfo");
+ &mov ("eax",1);
++ &xor ("ecx","ecx");
+ &cpuid ();
+ &and ("edx",0xbfefffff); # force reserved bits #20, #30 to 0
+ &cmp ("ebp",0);
diff --git a/default_bits.patch b/default_bits.patch
new file mode 100644
index 0000000..8e7e416
--- /dev/null
+++ b/default_bits.patch
@@ -0,0 +1,11 @@
+--- openssl/apps/openssl.cnf 2012-06-06 00:51:47.000000000 +0200
++++ openssl/apps/openssl.cnf 2012-06-06 00:53:48.000000000 +0200
+@@ -105,7 +105,7 @@
+
+ ####################################################################
+ [ req ]
+-default_bits = 1024
++default_bits = 2048
+ default_keyfile = privkey.pem
+ distinguished_name = req_distinguished_name
+ attributes = req_attributes
diff --git a/dtls_version.patch b/dtls_version.patch
new file mode 100644
index 0000000..1537868
--- /dev/null
+++ b/dtls_version.patch
@@ -0,0 +1,25 @@
+From: David Woodhouse <dwmw2 at infradead.org>
+Date: Tue, 12 Feb 2013 14:55:32 +0000
+Subject: Check DTLS_BAD_VER for version number.
+Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=9fe4603b8245425a4c46986ed000fca054231253
+Bug-Debian: http://bugs.debian.org/701826
+Bug: http://rt.openssl.org/Ticket/Display.html?id=2984&user=guest&pass=guest
+
+The version check for DTLS1_VERSION was redundant as
+DTLS1_VERSION > TLS1_1_VERSION, however we do need to
+check for DTLS1_BAD_VER for compatibility.
+
+diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
+index 02edf3f..443a31e 100644
+--- a/ssl/s3_cbc.c
++++ b/ssl/s3_cbc.c
+@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
+ unsigned padding_length, good, to_check, i;
+ const unsigned overhead = 1 /* padding length byte */ + mac_size;
+ /* Check if version requires explicit IV */
+- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
++ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
+ {
+ /* These lengths are all public so we can test them in
+ * non-constant time.
+
diff --git a/get_certificate.patch b/get_certificate.patch
new file mode 100644
index 0000000..69ca7d9
--- /dev/null
+++ b/get_certificate.patch
@@ -0,0 +1,27 @@
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Date: Mon, 11 Feb 2013 18:24:03 +0000
+Subject: Fix for SSL_get_certificate
+Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=147dbb2fe3bead7a10e2f280261b661ce7af7adc
+Bug-Debian: http://bugs.debian.org/703031
+
+
+Now we set the current certificate to the one used by a server
+there is no need to call ssl_get_server_send_cert which will
+fail if we haven't sent a certificate yet.
+
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index 14d143d..ff5a85a 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -2792,9 +2792,7 @@ void ssl_clear_cipher_ctx(SSL *s)
+ /* Fix this function so that it takes an optional type parameter */
+ X509 *SSL_get_certificate(const SSL *s)
+ {
+- if (s->server)
+- return(ssl_get_server_send_cert(s));
+- else if (s->cert != NULL)
++ if (s->cert != NULL)
+ return(s->cert->key->x509);
+ else
+ return(NULL);
+
diff --git a/pic.patch b/pic.patch
new file mode 100644
index 0000000..2f13e57
--- /dev/null
+++ b/pic.patch
@@ -0,0 +1,175 @@
+Index: openssl-1.0.1c/crypto/des/asm/desboth.pl
+===================================================================
+--- openssl-1.0.1c.orig/crypto/des/asm/desboth.pl 2001-10-24 23:20:56.000000000 +0200
++++ openssl-1.0.1c/crypto/des/asm/desboth.pl 2012-07-29 14:15:26.000000000 +0200
+@@ -16,6 +16,11 @@
+
+ &push("edi");
+
++ &call (&label("pic_point0"));
++ &set_label("pic_point0");
++ &blindpop("ebp");
++ &add ("ebp", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point0") . "]");
++
+ &comment("");
+ &comment("Load the data words");
+ &mov($L,&DWP(0,"ebx","",0));
+@@ -47,15 +52,21 @@
+ &mov(&swtmp(2), (DWC(($enc)?"1":"0")));
+ &mov(&swtmp(1), "eax");
+ &mov(&swtmp(0), "ebx");
+- &call("DES_encrypt2");
++ &exch("ebx", "ebp");
++ &call("DES_encrypt2\@PLT");
++ &exch("ebx", "ebp");
+ &mov(&swtmp(2), (DWC(($enc)?"0":"1")));
+ &mov(&swtmp(1), "edi");
+ &mov(&swtmp(0), "ebx");
+- &call("DES_encrypt2");
++ &exch("ebx", "ebp");
++ &call("DES_encrypt2\@PLT");
++ &exch("ebx", "ebp");
+ &mov(&swtmp(2), (DWC(($enc)?"1":"0")));
+ &mov(&swtmp(1), "esi");
+ &mov(&swtmp(0), "ebx");
+- &call("DES_encrypt2");
++ &exch("ebx", "ebp");
++ &call("DES_encrypt2\@PLT");
++ &exch("ebx", "ebp");
+
+ &stack_pop(3);
+ &mov($L,&DWP(0,"ebx","",0));
+Index: openssl-1.0.1c/crypto/perlasm/cbc.pl
+===================================================================
+--- openssl-1.0.1c.orig/crypto/perlasm/cbc.pl 2011-07-13 08:22:46.000000000 +0200
++++ openssl-1.0.1c/crypto/perlasm/cbc.pl 2012-07-29 14:15:26.000000000 +0200
+@@ -122,7 +122,11 @@
+ &mov(&DWP($data_off,"esp","",0), "eax"); # put in array for call
+ &mov(&DWP($data_off+4,"esp","",0), "ebx"); #
+
+- &call($enc_func);
++ &call (&label("pic_point0"));
++ &set_label("pic_point0");
++ &blindpop("ebx");
++ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point0") . "]");
++ &call("$enc_func\@PLT");
+
+ &mov("eax", &DWP($data_off,"esp","",0));
+ &mov("ebx", &DWP($data_off+4,"esp","",0));
+@@ -185,7 +189,11 @@
+ &mov(&DWP($data_off,"esp","",0), "eax"); # put in array for call
+ &mov(&DWP($data_off+4,"esp","",0), "ebx"); #
+
+- &call($enc_func);
++ &call (&label("pic_point1"));
++ &set_label("pic_point1");
++ &blindpop("ebx");
++ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point1") . "]");
++ &call("$enc_func\@PLT");
+
+ &mov("eax", &DWP($data_off,"esp","",0));
+ &mov("ebx", &DWP($data_off+4,"esp","",0));
+@@ -218,7 +226,11 @@
+ &mov(&DWP($data_off,"esp","",0), "eax"); # put back
+ &mov(&DWP($data_off+4,"esp","",0), "ebx"); #
+
+- &call($dec_func);
++ &call (&label("pic_point2"));
++ &set_label("pic_point2");
++ &blindpop("ebx");
++ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point2") . "]");
++ &call("$dec_func\@PLT");
+
+ &mov("eax", &DWP($data_off,"esp","",0)); # get return
+ &mov("ebx", &DWP($data_off+4,"esp","",0)); #
+@@ -261,7 +273,11 @@
+ &mov(&DWP($data_off,"esp","",0), "eax"); # put back
+ &mov(&DWP($data_off+4,"esp","",0), "ebx"); #
+
+- &call($dec_func);
++ &call (&label("pic_point3"));
++ &set_label("pic_point3");
++ &blindpop("ebx");
++ &add ("ebx", "\$_GLOBAL_OFFSET_TABLE_+[.-" . &label("pic_point3") . "]");
++ &call("$dec_func\@PLT");
+
+ &mov("eax", &DWP($data_off,"esp","",0)); # get return
+ &mov("ebx", &DWP($data_off+4,"esp","",0)); #
+Index: openssl-1.0.1c/crypto/perlasm/x86gas.pl
+===================================================================
+--- openssl-1.0.1c.orig/crypto/perlasm/x86gas.pl 2011-12-09 20:16:35.000000000 +0100
++++ openssl-1.0.1c/crypto/perlasm/x86gas.pl 2012-07-29 14:15:26.000000000 +0200
+@@ -161,6 +161,7 @@
+ if ($::macosx) { push (@out,"$tmp,2\n"); }
+ elsif ($::elf) { push (@out,"$tmp,4\n"); }
+ else { push (@out,"$tmp\n"); }
++ if ($::elf) { push (@out,".hidden\tOPENSSL_ia32cap_P\n"); }
+ }
+ push(@out,$initseg) if ($initseg);
+ }
+@@ -218,8 +219,23 @@
+ elsif ($::elf)
+ { $initseg.=<<___;
+ .section .init
++___
++ if ($::pic)
++ { $initseg.=<<___;
++ pushl %ebx
++ call .pic_point0
++.pic_point0:
++ popl %ebx
++ addl \$_GLOBAL_OFFSET_TABLE_+[.-.pic_point0],%ebx
++ call $f\@PLT
++ popl %ebx
++___
++ }
++ else
++ { $initseg.=<<___;
+ call $f
+ ___
++ }
+ }
+ elsif ($::coff)
+ { $initseg.=<<___; # applies to both Cygwin and Mingw
+Index: openssl-1.0.1c/crypto/x86cpuid.pl
+===================================================================
+--- openssl-1.0.1c.orig/crypto/x86cpuid.pl 2012-02-28 15:20:34.000000000 +0100
++++ openssl-1.0.1c/crypto/x86cpuid.pl 2012-07-29 14:15:26.000000000 +0200
+@@ -8,6 +8,8 @@
+
+ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+
++push(@out, ".hidden OPENSSL_ia32cap_P\n");
++
+ &function_begin("OPENSSL_ia32_cpuid");
+ &xor ("edx","edx");
+ &pushf ();
+@@ -139,9 +141,7 @@
+ &set_label("nocpuid");
+ &function_end("OPENSSL_ia32_cpuid");
+
+-&external_label("OPENSSL_ia32cap_P");
+-
+-&function_begin_B("OPENSSL_rdtsc","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
++&function_begin_B("OPENSSL_rdtsc");
+ &xor ("eax","eax");
+ &xor ("edx","edx");
+ &picmeup("ecx","OPENSSL_ia32cap_P");
+@@ -155,7 +155,7 @@
+ # This works in Ring 0 only [read DJGPP+MS-DOS+privileged DPMI host],
+ # but it's safe to call it on any [supported] 32-bit platform...
+ # Just check for [non-]zero return value...
+-&function_begin_B("OPENSSL_instrument_halt","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
++&function_begin_B("OPENSSL_instrument_halt");
+ &picmeup("ecx","OPENSSL_ia32cap_P");
+ &bt (&DWP(0,"ecx"),4);
+ &jnc (&label("nohalt")); # no TSC
+@@ -222,7 +222,7 @@
+ &ret ();
+ &function_end_B("OPENSSL_far_spin");
+
+-&function_begin_B("OPENSSL_wipe_cpu","EXTRN\t_OPENSSL_ia32cap_P:DWORD");
++&function_begin_B("OPENSSL_wipe_cpu");
+ &xor ("eax","eax");
+ &xor ("edx","edx");
+ &picmeup("ecx","OPENSSL_ia32cap_P");
diff --git a/stddef.patch b/stddef.patch
new file mode 100644
index 0000000..bb65b23
--- /dev/null
+++ b/stddef.patch
@@ -0,0 +1,12 @@
+Index: openssl-0.9.8k/crypto/sha/sha.h
+===================================================================
+--- openssl-0.9.8k.orig/crypto/sha/sha.h 2008-09-16 12:47:28.000000000 +0200
++++ openssl-0.9.8k/crypto/sha/sha.h 2009-07-19 11:36:28.000000000 +0200
+@@ -59,6 +59,7 @@
+ #ifndef HEADER_SHA_H
+ #define HEADER_SHA_H
+
++#include <stddef.h>
+ #include <openssl/e_os2.h>
+ #include <stddef.h>
+
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/openssl.git/commitdiff/84745a0c3ecccc028225ed6345956c6f4a3c777c
More information about the pld-cvs-commit
mailing list