public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
@ 2023-02-08 17:17 Sam James
  0 siblings, 0 replies; 20+ messages in thread
From: Sam James @ 2023-02-08 17:17 UTC (permalink / raw
  To: gentoo-commits

commit:     9ecc3b0650d539516074b2659b543d175de4199f
Author:     Michael Mair-Keimberger <mmk <AT> levelnine <DOT> at>
AuthorDate: Wed Feb  8 16:49:57 2023 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Wed Feb  8 17:14:42 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9ecc3b06

dev-libs/openssl: remove unused patch

Signed-off-by: Michael Mair-Keimberger <mmk <AT> levelnine.at>
Closes: https://github.com/gentoo/gentoo/pull/29488
Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../openssl/files/openssl-3.0.5-test-memcmp.patch  | 24 ----------------------
 1 file changed, 24 deletions(-)

diff --git a/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch b/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch
deleted file mode 100644
index fc84d82e87da..000000000000
--- a/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-https://github.com/openssl/openssl/pull/18719
-
-From 7f58de577c05ae0bbd20eee9b2971cfa1cd062c8 Mon Sep 17 00:00:00 2001
-From: Gregor Jasny <gjasny@googlemail.com>
-Date: Tue, 5 Jul 2022 12:57:06 +0200
-Subject: [PATCH] Add missing header for memcmp
-
-CLA: trivial
----
- test/v3ext.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/test/v3ext.c b/test/v3ext.c
-index 926f3884b138..a8ab64b2714b 100644
---- a/test/v3ext.c
-+++ b/test/v3ext.c
-@@ -8,6 +8,7 @@
-  */
- 
- #include <stdio.h>
-+#include <string.h>
- #include <openssl/x509.h>
- #include <openssl/x509v3.h>
- #include <openssl/pem.h>
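Review bot: the commit message does not say which ebuild last applied this file. The deleted patch is a single `#include <string.h>` in test/v3ext.c from upstream PR 18719, so naming the version in which that include arrived upstream would let a reader confirm that no ebuild still in the tree needs it for the test suite to compile.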


* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
@ 2024-08-03  5:08 Sam James
  0 siblings, 0 replies; 20+ messages in thread
From: Sam James @ 2024-08-03  5:08 UTC (permalink / raw
  To: gentoo-commits

commit:     fcbeb0799f940bd8b1a9f8894e508a821d1a366d
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Sat Aug  3 03:25:53 2024 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sat Aug  3 05:07:15 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fcbeb079

dev-libs/openssl: drop obsolete patches

Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../files/openssl-3.1.5-CVE-2024-2511.patch        | 137 ---------------------
 .../openssl/files/openssl-3.1.5-p11-segfault.patch |  78 ------------
 .../files/openssl-3.2.1-CVE-2024-2511.patch        | 137 ---------------------
 .../openssl/files/openssl-3.2.1-p11-segfault.patch |  79 ------------
 dev-libs/openssl/files/openssl-3.2.1-riscv.patch   |  70 -----------
 dev-libs/openssl/files/openssl-3.2.1-s390x.patch   |  31 -----
 6 files changed, 532 deletions(-)

diff --git a/dev-libs/openssl/files/openssl-3.1.5-CVE-2024-2511.patch b/dev-libs/openssl/files/openssl-3.1.5-CVE-2024-2511.patch
deleted file mode 100644
index c5b7dfe449f7..000000000000
--- a/dev-libs/openssl/files/openssl-3.1.5-CVE-2024-2511.patch
+++ /dev/null
@@ -1,137 +0,0 @@
-https://www.openssl.org/news/secadv/20240408.txt
-https://bugs.gentoo.org/930047
-https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce
-https://github.com/openssl/openssl/commit/c342f4b8bd2d0b375b0e22337057c2eab47d9b96
-
-From 7e4d731b1c07201ad9374c1cd9ac5263bdf35bce Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Tue, 5 Mar 2024 15:43:53 +0000
-Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3
-
-In TLSv1.3 we create a new session object for each ticket that we send.
-We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
-use then the new session will be added to the session cache. However, if
-early data is not in use (and therefore anti-replay protection is being
-used), then multiple threads could be resuming from the same session
-simultaneously. If this happens and a problem occurs on one of the threads,
-then the original session object could be marked as not_resumable. When we
-duplicate the session object this not_resumable status gets copied into the
-new session object. The new session object is then added to the session
-cache even though it is not_resumable.
-
-Subsequently, another bug means that the session_id_length is set to 0 for
-sessions that are marked as not_resumable - even though that session is
-still in the cache. Once this happens the session can never be removed from
-the cache. When that object gets to be the session cache tail object the
-cache never shrinks again and grows indefinitely.
-
-CVE-2024-2511
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24044)
---- a/ssl/ssl_lib.c
-+++ b/ssl/ssl_lib.c
-@@ -3737,9 +3737,10 @@ void ssl_update_cache(SSL *s, int mode)
- 
-     /*
-      * If the session_id_length is 0, we are not supposed to cache it, and it
--     * would be rather hard to do anyway :-)
-+     * would be rather hard to do anyway :-). Also if the session has already
-+     * been marked as not_resumable we should not cache it for later reuse.
-      */
--    if (s->session->session_id_length == 0)
-+    if (s->session->session_id_length == 0 || s->session->not_resumable)
-         return;
- 
-     /*
---- a/ssl/ssl_sess.c
-+++ b/ssl/ssl_sess.c
-@@ -154,16 +154,11 @@ SSL_SESSION *SSL_SESSION_new(void)
-     return ss;
- }
- 
--SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
--{
--    return ssl_session_dup(src, 1);
--}
--
- /*
-  * Create a new SSL_SESSION and duplicate the contents of |src| into it. If
-  * ticket == 0 then no ticket information is duplicated, otherwise it is.
-  */
--SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
-+static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket)
- {
-     SSL_SESSION *dest;
- 
-@@ -287,6 +282,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
-     return NULL;
- }
- 
-+SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
-+{
-+    return ssl_session_dup_intern(src, 1);
-+}
-+
-+/*
-+ * Used internally when duplicating a session which might be already shared.
-+ * We will have resumed the original session. Subsequently we might have marked
-+ * it as non-resumable (e.g. in another thread) - but this copy should be ok to
-+ * resume from.
-+ */
-+SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
-+{
-+    SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
-+
-+    if (sess != NULL)
-+        sess->not_resumable = 0;
-+
-+    return sess;
-+}
-+
- const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
- {
-     if (len)
---- a/ssl/statem/statem_srvr.c
-+++ b/ssl/statem/statem_srvr.c
-@@ -2338,9 +2338,8 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
-      * so the following won't overwrite an ID that we're supposed
-      * to send back.
-      */
--    if (s->session->not_resumable ||
--        (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
--         && !s->hit))
-+    if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
-+            && !s->hit)
-         s->session->session_id_length = 0;
- 
-     if (usetls13) {
-
-From c342f4b8bd2d0b375b0e22337057c2eab47d9b96 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 15 Mar 2024 17:58:42 +0000
-Subject: [PATCH] Hardening around not_resumable sessions
-
-Make sure we can't inadvertently use a not_resumable session
-
-Related to CVE-2024-2511
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24044)
---- a/ssl/ssl_sess.c
-+++ b/ssl/ssl_sess.c
-@@ -533,6 +533,12 @@ SSL_SESSION *lookup_sess_in_cache(SSL *s, const unsigned char *sess_id,
-         ret = s->session_ctx->get_session_cb(s, sess_id, sess_id_len, &copy);
- 
-         if (ret != NULL) {
-+            if (ret->not_resumable) {
-+                /* If its not resumable then ignore this session */
-+                if (!copy)
-+                    SSL_SESSION_free(ret);
-+                return NULL;
-+            }
-             ssl_tsan_counter(s->session_ctx,
-                              &s->session_ctx->stats.sess_cb_hit);
- 
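Review bot: "drop obsolete patches" is thin for a file that carries a CVE fix. This one holds upstream commits 7e4d731b1c07 and c342f4b8bd2d for CVE-2024-2511 (bugs.gentoo.org/930047); the message should state which version left in the tree already contains both, because an ebuild that still needed this file and lost it would go back to caching not_resumable sessions, which is the unbounded session cache growth the patch header describes.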

diff --git a/dev-libs/openssl/files/openssl-3.1.5-p11-segfault.patch b/dev-libs/openssl/files/openssl-3.1.5-p11-segfault.patch
deleted file mode 100644
index 50bc63ef2d14..000000000000
--- a/dev-libs/openssl/files/openssl-3.1.5-p11-segfault.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-https://bugs.gentoo.org/916328
-https://github.com/opendnssec/SoftHSMv2/issues/729
-https://github.com/openssl/openssl/issues/22508
-https://github.com/openssl/openssl/commit/0058a55407d824d5b55ecc0a1cbf8931803dc238
-
-From 0058a55407d824d5b55ecc0a1cbf8931803dc238 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Fri, 15 Dec 2023 13:45:50 +0100
-Subject: [PATCH] Revert "Improved detection of engine-provided private
- "classic" keys"
-
-This reverts commit 2b74e75331a27fc89cad9c8ea6a26c70019300b5.
-
-The commit was wrong. With 3.x versions the engines must be themselves
-responsible for creating their EVP_PKEYs in a way that they are treated
-as legacy - either by using the respective set1 calls or by setting
-non-default EVP_PKEY_METHOD.
-
-The workaround has caused more problems than it solved.
-
-Fixes #22945
-
-Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/23063)
-
-(cherry picked from commit 39ea78379826fa98e8dc8c0d2b07e2c17cd68380)
---- a/crypto/engine/eng_pkey.c
-+++ b/crypto/engine/eng_pkey.c
-@@ -79,48 +79,6 @@ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
-         ERR_raise(ERR_LIB_ENGINE, ENGINE_R_FAILED_LOADING_PRIVATE_KEY);
-         return NULL;
-     }
--    /* We enforce check for legacy key */
--    switch (EVP_PKEY_get_id(pkey)) {
--    case EVP_PKEY_RSA:
--        {
--        RSA *rsa = EVP_PKEY_get1_RSA(pkey);
--        EVP_PKEY_set1_RSA(pkey, rsa);
--        RSA_free(rsa);
--        }
--        break;
--#  ifndef OPENSSL_NO_EC
--    case EVP_PKEY_SM2:
--    case EVP_PKEY_EC:
--        {
--        EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey);
--        EVP_PKEY_set1_EC_KEY(pkey, ec);
--        EC_KEY_free(ec);
--        }
--        break;
--#  endif
--#  ifndef OPENSSL_NO_DSA
--    case EVP_PKEY_DSA:
--        {
--        DSA *dsa = EVP_PKEY_get1_DSA(pkey);
--        EVP_PKEY_set1_DSA(pkey, dsa);
--        DSA_free(dsa);
--        }
--        break;
--#endif
--#  ifndef OPENSSL_NO_DH
--    case EVP_PKEY_DH:
--        {
--        DH *dh = EVP_PKEY_get1_DH(pkey);
--        EVP_PKEY_set1_DH(pkey, dh);
--        DH_free(dh);
--        }
--        break;
--#endif
--    default:
--        /*Do nothing */
--        break;
--    }
--
-     return pkey;
- }
- 
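Review bot: the link block at the top of this file points at openssl issue 22508, while the upstream message it wraps says "Fixes #22945". If a backport like this is carried again, list both so that Gentoo bug 916328 can be traced to the upstream issue the revert actually closes. For the removal itself, confirm that any 3.1.x ebuild remaining in the tree is at a release that includes the revert of 2b74e75331a2.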

diff --git a/dev-libs/openssl/files/openssl-3.2.1-CVE-2024-2511.patch b/dev-libs/openssl/files/openssl-3.2.1-CVE-2024-2511.patch
deleted file mode 100644
index d5b40447d745..000000000000
--- a/dev-libs/openssl/files/openssl-3.2.1-CVE-2024-2511.patch
+++ /dev/null
@@ -1,137 +0,0 @@
-https://www.openssl.org/news/secadv/20240408.txt
-https://bugs.gentoo.org/930047
-https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08
-https://github.com/openssl/openssl/commit/4d67109432646c113887b0aa8091fb0d1b3057e6
-
-From e9d7083e241670332e0443da0f0d4ffb52829f08 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Tue, 5 Mar 2024 15:43:53 +0000
-Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3
-
-In TLSv1.3 we create a new session object for each ticket that we send.
-We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
-use then the new session will be added to the session cache. However, if
-early data is not in use (and therefore anti-replay protection is being
-used), then multiple threads could be resuming from the same session
-simultaneously. If this happens and a problem occurs on one of the threads,
-then the original session object could be marked as not_resumable. When we
-duplicate the session object this not_resumable status gets copied into the
-new session object. The new session object is then added to the session
-cache even though it is not_resumable.
-
-Subsequently, another bug means that the session_id_length is set to 0 for
-sessions that are marked as not_resumable - even though that session is
-still in the cache. Once this happens the session can never be removed from
-the cache. When that object gets to be the session cache tail object the
-cache never shrinks again and grows indefinitely.
-
-CVE-2024-2511
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24043)
---- a/ssl/ssl_lib.c
-+++ b/ssl/ssl_lib.c
-@@ -4457,9 +4457,10 @@ void ssl_update_cache(SSL_CONNECTION *s, int mode)
- 
-     /*
-      * If the session_id_length is 0, we are not supposed to cache it, and it
--     * would be rather hard to do anyway :-)
-+     * would be rather hard to do anyway :-). Also if the session has already
-+     * been marked as not_resumable we should not cache it for later reuse.
-      */
--    if (s->session->session_id_length == 0)
-+    if (s->session->session_id_length == 0 || s->session->not_resumable)
-         return;
- 
-     /*
---- a/ssl/ssl_sess.c
-+++ b/ssl/ssl_sess.c
-@@ -127,16 +127,11 @@ SSL_SESSION *SSL_SESSION_new(void)
-     return ss;
- }
- 
--SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
--{
--    return ssl_session_dup(src, 1);
--}
--
- /*
-  * Create a new SSL_SESSION and duplicate the contents of |src| into it. If
-  * ticket == 0 then no ticket information is duplicated, otherwise it is.
-  */
--SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
-+static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket)
- {
-     SSL_SESSION *dest;
- 
-@@ -265,6 +260,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
-     return NULL;
- }
- 
-+SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
-+{
-+    return ssl_session_dup_intern(src, 1);
-+}
-+
-+/*
-+ * Used internally when duplicating a session which might be already shared.
-+ * We will have resumed the original session. Subsequently we might have marked
-+ * it as non-resumable (e.g. in another thread) - but this copy should be ok to
-+ * resume from.
-+ */
-+SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
-+{
-+    SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
-+
-+    if (sess != NULL)
-+        sess->not_resumable = 0;
-+
-+    return sess;
-+}
-+
- const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
- {
-     if (len)
---- a/ssl/statem/statem_srvr.c
-+++ b/ssl/statem/statem_srvr.c
-@@ -2445,9 +2445,8 @@ CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt)
-      * so the following won't overwrite an ID that we're supposed
-      * to send back.
-      */
--    if (s->session->not_resumable ||
--        (!(SSL_CONNECTION_GET_CTX(s)->session_cache_mode & SSL_SESS_CACHE_SERVER)
--         && !s->hit))
-+    if (!(SSL_CONNECTION_GET_CTX(s)->session_cache_mode & SSL_SESS_CACHE_SERVER)
-+            && !s->hit)
-         s->session->session_id_length = 0;
- 
-     if (usetls13) {
-
-From 4d67109432646c113887b0aa8091fb0d1b3057e6 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 15 Mar 2024 17:58:42 +0000
-Subject: [PATCH] Hardening around not_resumable sessions
-
-Make sure we can't inadvertently use a not_resumable session
-
-Related to CVE-2024-2511
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24043)
---- a/ssl/ssl_sess.c
-+++ b/ssl/ssl_sess.c
-@@ -519,6 +519,12 @@ SSL_SESSION *lookup_sess_in_cache(SSL_CONNECTION *s,
-                                              sess_id, sess_id_len, &copy);
- 
-         if (ret != NULL) {
-+            if (ret->not_resumable) {
-+                /* If its not resumable then ignore this session */
-+                if (!copy)
-+                    SSL_SESSION_free(ret);
-+                return NULL;
-+            }
-             ssl_tsan_counter(s->session_ctx,
-                              &s->session_ctx->stats.sess_cb_hit);
- 
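Review bot: neither commit in this file touches anything under test/; the three files changed are ssl/ssl_lib.c, ssl/ssl_sess.c and ssl/statem/statem_srvr.c. As carried here the CVE-2024-2511 fix has no regression test, so check the source of the version that replaces 3.2.1 for the `|| s->session->not_resumable` condition in ssl_update_cache() rather than relying on the test phase. Minor: the added comment in lookup_sess_in_cache() reads "If its not resumable" and should be "it's".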

diff --git a/dev-libs/openssl/files/openssl-3.2.1-p11-segfault.patch b/dev-libs/openssl/files/openssl-3.2.1-p11-segfault.patch
deleted file mode 100644
index 59e785caac7c..000000000000
--- a/dev-libs/openssl/files/openssl-3.2.1-p11-segfault.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-https://bugs.gentoo.org/916328
-https://github.com/opendnssec/SoftHSMv2/issues/729
-https://github.com/openssl/openssl/issues/22508
-https://github.com/openssl/openssl/commit/934943281267259fa928f4a5814b176525461a65
-
-From 934943281267259fa928f4a5814b176525461a65 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Fri, 15 Dec 2023 13:45:50 +0100
-Subject: [PATCH] Revert "Improved detection of engine-provided private
- "classic" keys"
-
-This reverts commit 2b74e75331a27fc89cad9c8ea6a26c70019300b5.
-
-The commit was wrong. With 3.x versions the engines must be themselves
-responsible for creating their EVP_PKEYs in a way that they are treated
-as legacy - either by using the respective set1 calls or by setting
-non-default EVP_PKEY_METHOD.
-
-The workaround has caused more problems than it solved.
-
-Fixes #22945
-
-Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/23063)
-
-(cherry picked from commit 39ea78379826fa98e8dc8c0d2b07e2c17cd68380)
---- a/crypto/engine/eng_pkey.c
-+++ b/crypto/engine/eng_pkey.c
-@@ -79,48 +79,6 @@ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
-         ERR_raise(ERR_LIB_ENGINE, ENGINE_R_FAILED_LOADING_PRIVATE_KEY);
-         return NULL;
-     }
--    /* We enforce check for legacy key */
--    switch (EVP_PKEY_get_id(pkey)) {
--    case EVP_PKEY_RSA:
--        {
--        RSA *rsa = EVP_PKEY_get1_RSA(pkey);
--        EVP_PKEY_set1_RSA(pkey, rsa);
--        RSA_free(rsa);
--        }
--        break;
--#  ifndef OPENSSL_NO_EC
--    case EVP_PKEY_SM2:
--    case EVP_PKEY_EC:
--        {
--        EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey);
--        EVP_PKEY_set1_EC_KEY(pkey, ec);
--        EC_KEY_free(ec);
--        }
--        break;
--#  endif
--#  ifndef OPENSSL_NO_DSA
--    case EVP_PKEY_DSA:
--        {
--        DSA *dsa = EVP_PKEY_get1_DSA(pkey);
--        EVP_PKEY_set1_DSA(pkey, dsa);
--        DSA_free(dsa);
--        }
--        break;
--#endif
--#  ifndef OPENSSL_NO_DH
--    case EVP_PKEY_DH:
--        {
--        DH *dh = EVP_PKEY_get1_DH(pkey);
--        EVP_PKEY_set1_DH(pkey, dh);
--        DH_free(dh);
--        }
--        break;
--#endif
--    default:
--        /*Do nothing */
--        break;
--    }
--
-     return pkey;
- }
- 
-
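Review bot: this file is the same eng_pkey.c revert as openssl-3.1.5-p11-segfault.patch above, differing only in the upstream commit ID (934943281267 here) and a trailing empty line, which is why the stat shows 79 lines against 78. Nothing to change for a deletion, but both copies carry the identical `@@ -79,48 +79,6 @@` hunk, so a single file applied by both versions would have been simpler to track and to remove.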

diff --git a/dev-libs/openssl/files/openssl-3.2.1-riscv.patch b/dev-libs/openssl/files/openssl-3.2.1-riscv.patch
deleted file mode 100644
index 51256cf434e2..000000000000
--- a/dev-libs/openssl/files/openssl-3.2.1-riscv.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-# Bug: https://bugs.gentoo.org/923956
-# Upstream PR: https://github.com/openssl/openssl/pull/23752
---- a/providers/implementations/ciphers/cipher_aes_gcm_hw.c
-+++ b/providers/implementations/ciphers/cipher_aes_gcm_hw.c
-@@ -142,9 +142,9 @@ static const PROV_GCM_HW aes_gcm = {
- # include "cipher_aes_gcm_hw_armv8.inc"
- #elif defined(PPC_AES_GCM_CAPABLE) && defined(_ARCH_PPC64)
- # include "cipher_aes_gcm_hw_ppc.inc"
--#elif defined(__riscv) && __riscv_xlen == 64
-+#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64
- # include "cipher_aes_gcm_hw_rv64i.inc"
--#elif defined(__riscv) && __riscv_xlen == 32
-+#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 32
- # include "cipher_aes_gcm_hw_rv32i.inc"
- #else
- const PROV_GCM_HW *ossl_prov_aes_hw_gcm(size_t keybits)
---- a/providers/implementations/ciphers/cipher_aes_hw.c
-+++ b/providers/implementations/ciphers/cipher_aes_hw.c
-@@ -142,9 +142,9 @@ const PROV_CIPHER_HW *ossl_prov_cipher_hw_aes_##mode(size_t keybits)           \
- # include "cipher_aes_hw_t4.inc"
- #elif defined(S390X_aes_128_CAPABLE)
- # include "cipher_aes_hw_s390x.inc"
--#elif defined(__riscv) && __riscv_xlen == 64
-+#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64
- # include "cipher_aes_hw_rv64i.inc"
--#elif defined(__riscv) && __riscv_xlen == 32
-+#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 32
- # include "cipher_aes_hw_rv32i.inc"
- #else
- /* The generic case */
---- a/providers/implementations/ciphers/cipher_aes_ocb_hw.c
-+++ b/providers/implementations/ciphers/cipher_aes_ocb_hw.c
-@@ -104,7 +104,7 @@ static const PROV_CIPHER_HW aes_t4_ocb = {                                     \
-     if (SPARC_AES_CAPABLE)                                                     \
-         return &aes_t4_ocb;
- 
--#elif defined(__riscv) && __riscv_xlen == 64
-+#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64
- 
- static int cipher_hw_aes_ocb_rv64i_zknd_zkne_initkey(PROV_CIPHER_CTX *vctx,
-                                                      const unsigned char *key,
-@@ -126,7 +126,7 @@ static const PROV_CIPHER_HW aes_rv64i_zknd_zkne_ocb = {                        \
-     if (RISCV_HAS_ZKND_AND_ZKNE())                                             \
-         return &aes_rv64i_zknd_zkne_ocb;
- 
--#elif defined(__riscv) && __riscv_xlen == 32
-+#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 32
- 
- static int cipher_hw_aes_ocb_rv32i_zknd_zkne_initkey(PROV_CIPHER_CTX *vctx,
-                                                      const unsigned char *key,
---- a/providers/implementations/ciphers/cipher_aes_xts_hw.c
-+++ b/providers/implementations/ciphers/cipher_aes_xts_hw.c
-@@ -159,7 +159,7 @@ static const PROV_CIPHER_HW aes_xts_t4 = {                                     \
- if (SPARC_AES_CAPABLE)                                                         \
-     return &aes_xts_t4;
- 
--#elif defined(__riscv) && __riscv_xlen == 64
-+#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64
- 
- static int cipher_hw_aes_xts_rv64i_zknd_zkne_initkey(PROV_CIPHER_CTX *ctx,
-                                                      const unsigned char *key,
-@@ -185,7 +185,7 @@ static const PROV_CIPHER_HW aes_xts_rv64i_zknd_zkne = {                        \
- if (RISCV_HAS_ZKND_AND_ZKNE())                                                 \
-     return &aes_xts_rv64i_zknd_zkne;
- 
--#elif defined(__riscv) && __riscv_xlen == 32
-+#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 32
- 
- static int cipher_hw_aes_xts_rv32i_zknd_zkne_initkey(PROV_CIPHER_CTX *ctx,
-                                                      const unsigned char *key,
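Review bot: unlike the other files in this commit, this one has no From/Subject header or upstream commit ID, only the `# Bug:` and `# Upstream PR:` comment lines, so it cannot be told from the file whether PR 23752 was merged or in which release. State in the commit message which version includes the `defined(OPENSSL_CPUID_OBJ)` guard on the eight RISC-V `#elif` branches, since the file itself gives no way to verify that the patch is obsolete.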

diff --git a/dev-libs/openssl/files/openssl-3.2.1-s390x.patch b/dev-libs/openssl/files/openssl-3.2.1-s390x.patch
deleted file mode 100644
index 3cbf4854e12e..000000000000
--- a/dev-libs/openssl/files/openssl-3.2.1-s390x.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-https://bugs.gentoo.org/923957
-https://github.com/openssl/openssl/pull/23458
-https://github.com/openssl/openssl/commit/5fa5d59750db9df00f4871949a66020ac44f4f9c
-
-From 5fa5d59750db9df00f4871949a66020ac44f4f9c Mon Sep 17 00:00:00 2001
-From: Ingo Franzki <ifranzki@linux.ibm.com>
-Date: Fri, 2 Feb 2024 10:20:55 +0100
-Subject: [PATCH] s390x: Fix build on s390x with 'disable-asm'
-
-Do not define S390X_MOD_EXP for a NO_ASM build, this would result in
-unresolved externals for s390x_mod_exp and s390x_crt.
-
-Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
-
-Reviewed-by: Hugo Landau <hlandau@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/23458)
-
-(cherry picked from commit a5b0c568dbefddd154f99011d7ce76cfbfadb67a)
---- a/include/crypto/bn.h
-+++ b/include/crypto/bn.h
-@@ -116,7 +116,8 @@ OSSL_LIB_CTX *ossl_bn_get_libctx(BN_CTX *ctx);
- 
- extern const BIGNUM ossl_bn_inv_sqrt_2;
- 
--#if defined(OPENSSL_SYS_LINUX) && !defined(FIPS_MODULE) && defined (__s390x__)
-+#if defined(OPENSSL_SYS_LINUX) && !defined(FIPS_MODULE) && defined (__s390x__) \
-+    && !defined (OPENSSL_NO_ASM)
- # define S390X_MOD_EXP
- #endif
- 
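Review bot: the commit does not record which release contains upstream commit 5fa5d59750db, and of the six files removed here this is the one whose absence shows up only in a non-default configuration: the header says an s390x 'disable-asm' build ends with unresolved externals for s390x_mod_exp and s390x_crt. A line in the commit message naming the fixed version (bug 923957) would cover it. Style nit in the hunk itself: `defined (__s390x__)` and `defined (OPENSSL_NO_ASM)` have a space before the parenthesis while `defined(OPENSSL_SYS_LINUX)` does not.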


* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
@ 2023-12-31  2:38 Conrad Kostecki
  0 siblings, 0 replies; 20+ messages in thread
From: Conrad Kostecki @ 2023-12-31  2:38 UTC (permalink / raw
  To: gentoo-commits

commit:     414fc629d397bb756ad382342e99243dcc6ec508
Author:     Michael Mair-Keimberger <mmk <AT> levelnine <DOT> at>
AuthorDate: Fri Dec 29 14:04:25 2023 +0000
Commit:     Conrad Kostecki <conikost <AT> gentoo <DOT> org>
CommitDate: Sun Dec 31 02:37:21 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=414fc629

dev-libs/openssl: remove unused patches

Signed-off-by: Michael Mair-Keimberger <mmk <AT> levelnine.at>
Closes: https://github.com/gentoo/gentoo/pull/34537
Signed-off-by: Conrad Kostecki <conikost <AT> gentoo.org>

 .../files/openssl-3.0.9-CVE-2023-2975.patch        | 109 -------------------
 .../files/openssl-3.0.9-CVE-2023-3446.patch        | 120 ---------------------
 2 files changed, 229 deletions(-)

diff --git a/dev-libs/openssl/files/openssl-3.0.9-CVE-2023-2975.patch b/dev-libs/openssl/files/openssl-3.0.9-CVE-2023-2975.patch
deleted file mode 100644
index 908e57251cb9..000000000000
--- a/dev-libs/openssl/files/openssl-3.0.9-CVE-2023-2975.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-https://github.com/openssl/openssl/commit/00e2f5eea29994d19293ec4e8c8775ba73678598
-https://github.com/openssl/openssl/commit/96318a8d21bed334d78797eca5b32790775d5f05
-
-From 00e2f5eea29994d19293ec4e8c8775ba73678598 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Tue, 4 Jul 2023 17:30:35 +0200
-Subject: [PATCH] Do not ignore empty associated data with AES-SIV mode
-
-The AES-SIV mode allows for multiple associated data items
-authenticated separately with any of these being 0 length.
-
-The provided implementation ignores such empty associated data
-which is incorrect in regards to the RFC 5297 and is also
-a security issue because such empty associated data then become
-unauthenticated if an application expects to authenticate them.
-
-Fixes CVE-2023-2975
-
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Reviewed-by: Paul Dale <pauli@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/21384)
-
-(cherry picked from commit c426c281cfc23ab182f7d7d7a35229e7db1494d9)
---- a/providers/implementations/ciphers/cipher_aes_siv.c
-+++ b/providers/implementations/ciphers/cipher_aes_siv.c
-@@ -120,14 +120,18 @@ static int siv_cipher(void *vctx, unsigned char *out, size_t *outl,
-     if (!ossl_prov_is_running())
-         return 0;
- 
--    if (inl == 0) {
--        *outl = 0;
--        return 1;
--    }
-+    /* Ignore just empty encryption/decryption call and not AAD. */
-+    if (out != NULL) {
-+        if (inl == 0) {
-+            if (outl != NULL)
-+                *outl = 0;
-+            return 1;
-+        }
- 
--    if (outsize < inl) {
--        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
--        return 0;
-+        if (outsize < inl) {
-+            ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
-+            return 0;
-+        }
-     }
- 
-     if (ctx->hw->cipher(ctx, out, in, inl) <= 0)
-
-From 96318a8d21bed334d78797eca5b32790775d5f05 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Tue, 4 Jul 2023 17:50:37 +0200
-Subject: [PATCH] Add testcases for empty associated data entries with AES-SIV
-
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Reviewed-by: Paul Dale <pauli@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/21384)
-
-(cherry picked from commit 3993bb0c0c87e3ed0ab4274e4688aa814e164cfc)
---- a/test/recipes/30-test_evp_data/evpciph_aes_siv.txt
-+++ b/test/recipes/30-test_evp_data/evpciph_aes_siv.txt
-@@ -20,6 +20,19 @@ Tag = 85632d07c6e8f37f950acd320a2ecc93
- Plaintext =  112233445566778899aabbccddee
- Ciphertext = 40c02b9690c4dc04daef7f6afe5c
- 
-+Cipher = aes-128-siv
-+Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
-+Tag = f1c5fdeac1f15a26779c1501f9fb7588
-+Plaintext =  112233445566778899aabbccddee
-+Ciphertext = 27e946c669088ab06da58c5c831c
-+
-+Cipher = aes-128-siv
-+Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
-+AAD =
-+Tag = d1022f5b3664e5a4dfaf90f85be6f28a
-+Plaintext =  112233445566778899aabbccddee
-+Ciphertext = b66cff6b8eca0b79f083b39a0901
-+
- Cipher = aes-128-siv
- Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f
- AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100
-@@ -29,6 +42,24 @@ Tag = 7bdb6e3b432667eb06f4d14bff2fbd0f
- Plaintext =  7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553
- Ciphertext = cb900f2fddbe404326601965c889bf17dba77ceb094fa663b7a3f748ba8af829ea64ad544a272e9c485b62a3fd5c0d
- 
-+Cipher = aes-128-siv
-+Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f
-+AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100
-+AAD =
-+AAD = 09f911029d74e35bd84156c5635688c0
-+Tag = 83ce6593a8fa67eb6fcd2819cedfc011
-+Plaintext =  7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553
-+Ciphertext = 30d937b42f71f71f93fc2d8d702d3eac8dc7651eefcd81120081ff29d626f97f3de17f2969b691c91b69b652bf3a6d
-+
-+Cipher = aes-128-siv
-+Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f
-+AAD =
-+AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100
-+AAD = 09f911029d74e35bd84156c5635688c0
-+Tag = 77dd4a44f5a6b41302121ee7f378de25
-+Plaintext =  7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553
-+Ciphertext = 0fcd664c922464c88939d71fad7aefb864e501b0848a07d39201c1067a7288f3dadf0131a823a0bc3d588e8564a5fe
-+
- Cipher = aes-192-siv
- Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfefffffefdfcfbfaf9f8f7f6f5f4f3f2f1f0
- AAD = 101112131415161718191a1b1c1d1e1f2021222324252627
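Review bot: every test vector added by the second commit in this file uses `Cipher = aes-128-siv`; the empty `AAD =` case is not exercised for the aes-192-siv entries that follow in evpciph_aes_siv.txt. When confirming that the version replacing 3.0.9 has the CVE-2023-2975 fix, check siv_cipher() for the `if (out != NULL)` guard around the `inl == 0` early return directly, since the vectors shown cover only the 128-bit key size. The commit message "remove unused patches" should also name that version.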

diff --git a/dev-libs/openssl/files/openssl-3.0.9-CVE-2023-3446.patch b/dev-libs/openssl/files/openssl-3.0.9-CVE-2023-3446.patch
deleted file mode 100644
index 1a1be6a8af51..000000000000
--- a/dev-libs/openssl/files/openssl-3.0.9-CVE-2023-3446.patch
+++ /dev/null
@@ -1,120 +0,0 @@
-https://github.com/openssl/openssl/commit/1fa20cf2f506113c761777127a38bce5068740eb
-https://github.com/openssl/openssl/commit/8a62fd996cb1c22383ec75b4155d54dec4a1b0ee
-
-From 1fa20cf2f506113c761777127a38bce5068740eb Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Thu, 6 Jul 2023 16:36:35 +0100
-Subject: [PATCH] Fix DH_check() excessive time with over sized modulus
-
-The DH_check() function checks numerous aspects of the key or parameters
-that have been supplied. Some of those checks use the supplied modulus
-value even if it is excessively large.
-
-There is already a maximum DH modulus size (10,000 bits) over which
-OpenSSL will not generate or derive keys. DH_check() will however still
-perform various tests for validity on such a large modulus. We introduce a
-new maximum (32,768) over which DH_check() will just fail.
-
-An application that calls DH_check() and supplies a key or parameters
-obtained from an untrusted source could be vulnerable to a Denial of
-Service attack.
-
-The function DH_check() is itself called by a number of other OpenSSL
-functions. An application calling any of those other functions may
-similarly be affected. The other functions affected by this are
-DH_check_ex() and EVP_PKEY_param_check().
-
-CVE-2023-3446
-
-Reviewed-by: Paul Dale <pauli@openssl.org>
-Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
-Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/21451)
-
-(cherry picked from commit 9e0094e2aa1b3428a12d5095132f133c078d3c3d)
---- a/crypto/dh/dh_check.c
-+++ b/crypto/dh/dh_check.c
-@@ -152,6 +152,12 @@ int DH_check(const DH *dh, int *ret)
-     if (nid != NID_undef)
-         return 1;
- 
-+    /* Don't do any checks at all with an excessively large modulus */
-+    if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
-+        ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
-+        return 0;
-+    }
-+
-     if (!DH_check_params(dh, ret))
-         return 0;
- 
---- a/include/openssl/dh.h
-+++ b/include/openssl/dh.h
-@@ -89,7 +89,11 @@ int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm);
- #  include <openssl/dherr.h>
- 
- #  ifndef OPENSSL_DH_MAX_MODULUS_BITS
--#   define OPENSSL_DH_MAX_MODULUS_BITS    10000
-+#   define OPENSSL_DH_MAX_MODULUS_BITS        10000
-+#  endif
-+
-+#  ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
-+#   define OPENSSL_DH_CHECK_MAX_MODULUS_BITS  32768
- #  endif
- 
- #  define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
-
-From 8a62fd996cb1c22383ec75b4155d54dec4a1b0ee Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 7 Jul 2023 14:39:48 +0100
-Subject: [PATCH] Add a test for CVE-2023-3446
-
-Confirm that the only errors DH_check() finds with DH parameters with an
-excessively long modulus is that the modulus is too large. We should not
-be performing time consuming checks using that modulus.
-
-Reviewed-by: Paul Dale <pauli@openssl.org>
-Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
-Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/21451)
-
-(cherry picked from commit ede782b4c8868d1f09c9cd237f82b6f35b7dba8b)
---- a/test/dhtest.c
-+++ b/test/dhtest.c
-@@ -73,7 +73,7 @@ static int dh_test(void)
-         goto err1;
- 
-     /* check fails, because p is way too small */
--    if (!DH_check(dh, &i))
-+    if (!TEST_true(DH_check(dh, &i)))
-         goto err2;
-     i ^= DH_MODULUS_TOO_SMALL;
-     if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
-@@ -124,6 +124,17 @@ static int dh_test(void)
-     /* We'll have a stale error on the queue from the above test so clear it */
-     ERR_clear_error();
- 
-+    /* Modulus of size: dh check max modulus bits + 1 */
-+    if (!TEST_true(BN_set_word(p, 1))
-+            || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS)))
-+        goto err3;
-+
-+    /*
-+     * We expect no checks at all for an excessively large modulus
-+     */
-+    if (!TEST_false(DH_check(dh, &i)))
-+        goto err3;
-+
-     /*
-      * II) key generation
-      */
-@@ -138,7 +149,7 @@ static int dh_test(void)
-         goto err3;
- 
-     /* ... and check whether it is valid */
--    if (!DH_check(a, &i))
-+    if (!TEST_true(DH_check(a, &i)))
-         goto err3;
-     if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
-             || !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)
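
Review bot: In the DH_check() change carried by this patch file, the new early return for a modulus above OPENSSL_DH_CHECK_MAX_MODULUS_BITS raises DH_R_MODULUS_TOO_LARGE and returns 0, but the added lines write nothing to *ret, and the added dhtest.c case asserts only the return value of DH_check(dh, &i). A caller that inspects the flags in *ret rather than the return value gets no indication from these lines that the modulus was rejected. Setting a flag in *ret before `return 0`, and asserting on `i` in the test, would cover that caller.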


* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
@ 2023-10-29  3:53 Sam James
  0 siblings, 0 replies; 20+ messages in thread
From: Sam James @ 2023-10-29  3:53 UTC (permalink / raw
  To: gentoo-commits

commit:     8bea4e7dbf4f5692edcfbc713956517791677fcd
Author:     Matoro Mahri <matoro_gentoo <AT> matoro <DOT> tk>
AuthorDate: Sun Oct 29 03:50:59 2023 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sun Oct 29 03:51:50 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8bea4e7d

dev-libs/openssl: add support for ARC

Signed-off-by: Matoro Mahri <matoro_gentoo <AT> matoro.tk>
Signed-off-by: Sam James <sam <AT> gentoo.org>

 dev-libs/openssl/files/gentoo.config-1.0.4 | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/dev-libs/openssl/files/gentoo.config-1.0.4 b/dev-libs/openssl/files/gentoo.config-1.0.4
index ef1c6f1768a1..5f205781ae3e 100644
--- a/dev-libs/openssl/files/gentoo.config-1.0.4
+++ b/dev-libs/openssl/files/gentoo.config-1.0.4
@@ -88,6 +88,10 @@ linux)
 		alphaev56*|\
 		alphaev[678]*)machine=alpha+bwx-${compiler};;
 		alpha*)       machine=alpha-${compiler};;
+		arc64*b*)     machine="generic64 -DB_ENDIAN";;
+		arc64*)       machine="generic64 -DL_ENDIAN";;
+		arc*b*)       machine="generic32 -DB_ENDIAN";;
+		arc*)         machine="generic32 -DL_ENDIAN";;
 		armv[4-9]*b*) machine="armv4 -DB_ENDIAN";;
 		armv[4-9]*)   machine="armv4 -DL_ENDIAN";;
 		arm*b*)       machine="generic32 -DB_ENDIAN";;
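
Review bot: The big-endian patterns `arc64*b*` and `arc*b*` accept a `b` anywhere after the prefix, and the other gentoo.config-1.0.4 hunk on this page shows the case subject is `${chost_machine}:${ABI}`, so a `b` in the ABI part would also select -DB_ENDIAN. This follows the existing `armv[4-9]*b*` and `arm*b*` convention in the context lines, but for new entries it would be safer to match the big-endian marker at its fixed position in the machine name. The ordering itself is right: arc64 before arc, and each big-endian pattern before its catch-all.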


* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
@ 2023-10-04 21:45 Conrad Kostecki
  0 siblings, 0 replies; 20+ messages in thread
From: Conrad Kostecki @ 2023-10-04 21:45 UTC (permalink / raw
  To: gentoo-commits

commit:     bb6f84dc03496525a2a87ca05b91e72cd560b991
Author:     Michael Mair-Keimberger <mmk <AT> levelnine <DOT> at>
AuthorDate: Wed Oct  4 15:46:33 2023 +0000
Commit:     Conrad Kostecki <conikost <AT> gentoo <DOT> org>
CommitDate: Wed Oct  4 21:44:27 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb6f84dc

dev-libs/openssl: remove unused patches

Signed-off-by: Michael Mair-Keimberger <mmk <AT> levelnine.at>
Closes: https://github.com/gentoo/gentoo/pull/33190
Signed-off-by: Conrad Kostecki <conikost <AT> gentoo.org>

 .../files/openssl-3.1.1-CVE-2023-2975.patch        | 110 -------------------
 .../files/openssl-3.1.1-CVE-2023-3446.patch        | 121 ---------------------
 2 files changed, 231 deletions(-)

diff --git a/dev-libs/openssl/files/openssl-3.1.1-CVE-2023-2975.patch b/dev-libs/openssl/files/openssl-3.1.1-CVE-2023-2975.patch
deleted file mode 100644
index 5abf60737dbd..000000000000
--- a/dev-libs/openssl/files/openssl-3.1.1-CVE-2023-2975.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-https://github.com/openssl/openssl/commit/6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc
-https://github.com/openssl/openssl/commit/76214c4a8f3374b786811fdfeda3d98690f8faf4
-
-From 6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Tue, 4 Jul 2023 17:30:35 +0200
-Subject: [PATCH] Do not ignore empty associated data with AES-SIV mode
-
-The AES-SIV mode allows for multiple associated data items
-authenticated separately with any of these being 0 length.
-
-The provided implementation ignores such empty associated data
-which is incorrect in regards to the RFC 5297 and is also
-a security issue because such empty associated data then become
-unauthenticated if an application expects to authenticate them.
-
-Fixes CVE-2023-2975
-
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Reviewed-by: Paul Dale <pauli@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/21384)
-
-(cherry picked from commit c426c281cfc23ab182f7d7d7a35229e7db1494d9)
---- a/providers/implementations/ciphers/cipher_aes_siv.c
-+++ b/providers/implementations/ciphers/cipher_aes_siv.c
-@@ -120,14 +120,18 @@ static int siv_cipher(void *vctx, unsigned char *out, size_t *outl,
-     if (!ossl_prov_is_running())
-         return 0;
- 
--    if (inl == 0) {
--        *outl = 0;
--        return 1;
--    }
-+    /* Ignore just empty encryption/decryption call and not AAD. */
-+    if (out != NULL) {
-+        if (inl == 0) {
-+            if (outl != NULL)
-+                *outl = 0;
-+            return 1;
-+        }
- 
--    if (outsize < inl) {
--        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
--        return 0;
-+        if (outsize < inl) {
-+            ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
-+            return 0;
-+        }
-     }
- 
-     if (ctx->hw->cipher(ctx, out, in, inl) <= 0)
-
-From 76214c4a8f3374b786811fdfeda3d98690f8faf4 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Tue, 4 Jul 2023 17:50:37 +0200
-Subject: [PATCH] Add testcases for empty associated data entries with AES-SIV
-
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Reviewed-by: Paul Dale <pauli@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/21384)
-
-(cherry picked from commit 3993bb0c0c87e3ed0ab4274e4688aa814e164cfc)
---- a/test/recipes/30-test_evp_data/evpciph_aes_siv.txt
-+++ b/test/recipes/30-test_evp_data/evpciph_aes_siv.txt
-@@ -20,6 +20,19 @@ Tag = 85632d07c6e8f37f950acd320a2ecc93
- Plaintext =  112233445566778899aabbccddee
- Ciphertext = 40c02b9690c4dc04daef7f6afe5c
- 
-+Cipher = aes-128-siv
-+Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
-+Tag = f1c5fdeac1f15a26779c1501f9fb7588
-+Plaintext =  112233445566778899aabbccddee
-+Ciphertext = 27e946c669088ab06da58c5c831c
-+
-+Cipher = aes-128-siv
-+Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
-+AAD =
-+Tag = d1022f5b3664e5a4dfaf90f85be6f28a
-+Plaintext =  112233445566778899aabbccddee
-+Ciphertext = b66cff6b8eca0b79f083b39a0901
-+
- Cipher = aes-128-siv
- Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f
- AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100
-@@ -29,6 +42,24 @@ Tag = 7bdb6e3b432667eb06f4d14bff2fbd0f
- Plaintext =  7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553
- Ciphertext = cb900f2fddbe404326601965c889bf17dba77ceb094fa663b7a3f748ba8af829ea64ad544a272e9c485b62a3fd5c0d
- 
-+Cipher = aes-128-siv
-+Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f
-+AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100
-+AAD =
-+AAD = 09f911029d74e35bd84156c5635688c0
-+Tag = 83ce6593a8fa67eb6fcd2819cedfc011
-+Plaintext =  7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553
-+Ciphertext = 30d937b42f71f71f93fc2d8d702d3eac8dc7651eefcd81120081ff29d626f97f3de17f2969b691c91b69b652bf3a6d
-+
-+Cipher = aes-128-siv
-+Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f
-+AAD =
-+AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100
-+AAD = 09f911029d74e35bd84156c5635688c0
-+Tag = 77dd4a44f5a6b41302121ee7f378de25
-+Plaintext =  7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553
-+Ciphertext = 0fcd664c922464c88939d71fad7aefb864e501b0848a07d39201c1067a7288f3dadf0131a823a0bc3d588e8564a5fe
-+
- Cipher = aes-192-siv
- Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfefffffefdfcfbfaf9f8f7f6f5f4f3f2f1f0
- AAD = 101112131415161718191a1b1c1d1e1f2021222324252627
-
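
Review bot: The vectors this patch file adds to evpciph_aes_siv.txt cover an empty AAD item on its own, in the middle of three, and first of three, but none with the empty item last. One more vector in that position would complete the coverage of the behaviour the fix restores. In the siv_cipher() hunk, `out != NULL` is what separates an encrypt/decrypt call from an AAD call, yet the added comment does not say so. One line stating that a NULL `out` means associated data would make the guard self-explanatory.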

diff --git a/dev-libs/openssl/files/openssl-3.1.1-CVE-2023-3446.patch b/dev-libs/openssl/files/openssl-3.1.1-CVE-2023-3446.patch
deleted file mode 100644
index 781b0c8f48b3..000000000000
--- a/dev-libs/openssl/files/openssl-3.1.1-CVE-2023-3446.patch
+++ /dev/null
@@ -1,121 +0,0 @@
-https://github.com/openssl/openssl/commit/fc9867c1e03c22ebf56943be205202e576aabf23
-https://github.com/openssl/openssl/commit/4791e79b8803924b28c19af4d4036ad85335110d
-
-From fc9867c1e03c22ebf56943be205202e576aabf23 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Thu, 6 Jul 2023 16:36:35 +0100
-Subject: [PATCH] Fix DH_check() excessive time with over sized modulus
-
-The DH_check() function checks numerous aspects of the key or parameters
-that have been supplied. Some of those checks use the supplied modulus
-value even if it is excessively large.
-
-There is already a maximum DH modulus size (10,000 bits) over which
-OpenSSL will not generate or derive keys. DH_check() will however still
-perform various tests for validity on such a large modulus. We introduce a
-new maximum (32,768) over which DH_check() will just fail.
-
-An application that calls DH_check() and supplies a key or parameters
-obtained from an untrusted source could be vulnerable to a Denial of
-Service attack.
-
-The function DH_check() is itself called by a number of other OpenSSL
-functions. An application calling any of those other functions may
-similarly be affected. The other functions affected by this are
-DH_check_ex() and EVP_PKEY_param_check().
-
-CVE-2023-3446
-
-Reviewed-by: Paul Dale <pauli@openssl.org>
-Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
-Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/21451)
-
-(cherry picked from commit 9e0094e2aa1b3428a12d5095132f133c078d3c3d)
---- a/crypto/dh/dh_check.c
-+++ b/crypto/dh/dh_check.c
-@@ -152,6 +152,12 @@ int DH_check(const DH *dh, int *ret)
-     if (nid != NID_undef)
-         return 1;
- 
-+    /* Don't do any checks at all with an excessively large modulus */
-+    if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
-+        ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
-+        return 0;
-+    }
-+
-     if (!DH_check_params(dh, ret))
-         return 0;
- 
---- a/include/openssl/dh.h
-+++ b/include/openssl/dh.h
-@@ -92,7 +92,11 @@ int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm);
- #  include <openssl/dherr.h>
- 
- #  ifndef OPENSSL_DH_MAX_MODULUS_BITS
--#   define OPENSSL_DH_MAX_MODULUS_BITS    10000
-+#   define OPENSSL_DH_MAX_MODULUS_BITS        10000
-+#  endif
-+
-+#  ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
-+#   define OPENSSL_DH_CHECK_MAX_MODULUS_BITS  32768
- #  endif
- 
- #  define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
-
-From 4791e79b8803924b28c19af4d4036ad85335110d Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 7 Jul 2023 14:39:48 +0100
-Subject: [PATCH] Add a test for CVE-2023-3446
-
-Confirm that the only errors DH_check() finds with DH parameters with an
-excessively long modulus is that the modulus is too large. We should not
-be performing time consuming checks using that modulus.
-
-Reviewed-by: Paul Dale <pauli@openssl.org>
-Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
-Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/21451)
-
-(cherry picked from commit ede782b4c8868d1f09c9cd237f82b6f35b7dba8b)
---- a/test/dhtest.c
-+++ b/test/dhtest.c
-@@ -73,7 +73,7 @@ static int dh_test(void)
-         goto err1;
- 
-     /* check fails, because p is way too small */
--    if (!DH_check(dh, &i))
-+    if (!TEST_true(DH_check(dh, &i)))
-         goto err2;
-     i ^= DH_MODULUS_TOO_SMALL;
-     if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
-@@ -124,6 +124,17 @@ static int dh_test(void)
-     /* We'll have a stale error on the queue from the above test so clear it */
-     ERR_clear_error();
- 
-+    /* Modulus of size: dh check max modulus bits + 1 */
-+    if (!TEST_true(BN_set_word(p, 1))
-+            || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS)))
-+        goto err3;
-+
-+    /*
-+     * We expect no checks at all for an excessively large modulus
-+     */
-+    if (!TEST_false(DH_check(dh, &i)))
-+        goto err3;
-+
-     /*
-      * II) key generation
-      */
-@@ -138,7 +149,7 @@ static int dh_test(void)
-         goto err3;
- 
-     /* ... and check whether it is valid */
--    if (!DH_check(a, &i))
-+    if (!TEST_true(DH_check(a, &i)))
-         goto err3;
-     if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
-             || !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)
-
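
Review bot: The commit message gives "remove unused patches" as the whole rationale for deleting two CVE fixes (CVE-2023-2975 in the previous file, CVE-2023-3446 here). It should name the ebuild version that last applied them, or the release that already contains upstream fc9867c1 and 4791e79b, so the log shows that no remaining 3.1.x ebuild loses the fix. On the patch content, the added dhtest.c case builds p as 1 shifted left by OPENSSL_DH_CHECK_MAX_MODULUS_BITS, which exercises only the rejecting side of the `>` comparison in DH_check().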


* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
@ 2023-05-25 14:59 Mike Gilbert
  0 siblings, 0 replies; 20+ messages in thread
From: Mike Gilbert @ 2023-05-25 14:59 UTC (permalink / raw
  To: gentoo-commits

commit:     08dbfd4976e7cf1eb03ea520327769a96e877c4d
Author:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Thu May 25 14:57:07 2023 +0000
Commit:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Thu May 25 14:58:42 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=08dbfd49

dev-libs/openssl: add support for big-endian RISC-V

Closes: https://bugs.gentoo.org/904751
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>

 dev-libs/openssl/files/gentoo.config-1.0.4 | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/dev-libs/openssl/files/gentoo.config-1.0.4 b/dev-libs/openssl/files/gentoo.config-1.0.4
index 79f6331f090c..ef1c6f1768a1 100644
--- a/dev-libs/openssl/files/gentoo.config-1.0.4
+++ b/dev-libs/openssl/files/gentoo.config-1.0.4
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 #
 # Openssl doesn't play along nicely with cross-compiling
@@ -111,7 +111,9 @@ linux)
 		powerpc64*)   machine=ppc64;;
 		powerpc*le*)  machine="generic32 -DL_ENDIAN";;
 		powerpc*)     machine=ppc;;
+		riscv32be*)   machine="generic32 -DB_ENDIAN";;
 		riscv32*)     machine="generic32 -DL_ENDIAN";;
+		riscv64be*)   machine="riscv64 -DB_ENDIAN" system=linux64;;
 		riscv64*)     machine="riscv64 -DL_ENDIAN" system=linux64;;
 	#	sh64*)        machine=elf;;
 		sh*b*)        machine="generic32 -DB_ENDIAN";;
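
Review bot: `riscv64be*` is mapped to the same dedicated `riscv64` target as the little-endian entry, with only -DB_ENDIAN changed, while `riscv32be*` goes to `generic32`. Nothing in the hunk or the commit message shows that the `riscv64` target was built and tested big-endian. If it was not, a generic64 mapping is the conservative choice; if it was, the commit message should say so. Placing the `be` patterns ahead of `riscv32*` and `riscv64*` is correct, since the first matching case arm wins.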


* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
@ 2023-03-19  3:22 Sam James
  0 siblings, 0 replies; 20+ messages in thread
From: Sam James @ 2023-03-19  3:22 UTC (permalink / raw
  To: gentoo-commits

commit:     abfaca134102918ed6904bdd2ed08b6ea3949739
Author:     Michael Mair-Keimberger <mmk <AT> levelnine <DOT> at>
AuthorDate: Thu Mar 16 17:14:50 2023 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sun Mar 19 03:12:42 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=abfaca13

dev-libs/openssl: remove unused file

Signed-off-by: Michael Mair-Keimberger <mmk <AT> levelnine.at>
Closes: https://github.com/gentoo/gentoo/pull/30156
Signed-off-by: Sam James <sam <AT> gentoo.org>

 dev-libs/openssl/files/gentoo.config-1.0.3 | 172 -----------------------------
 1 file changed, 172 deletions(-)

diff --git a/dev-libs/openssl/files/gentoo.config-1.0.3 b/dev-libs/openssl/files/gentoo.config-1.0.3
deleted file mode 100644
index 0662f72b6d80..000000000000
--- a/dev-libs/openssl/files/gentoo.config-1.0.3
+++ /dev/null
@@ -1,172 +0,0 @@
-#!/usr/bin/env bash
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-#
-# Openssl doesn't play along nicely with cross-compiling
-# like autotools based projects, so let's teach it new tricks.
-#
-# Review the bundled 'config' script to see why kind of targets
-# we can pass to the 'Configure' script.
-
-
-# Testing routines
-if [[ $1 == "test" ]] ; then
-	for c in \
-		"arm-gentoo-linux-uclibc      |linux-generic32 -DL_ENDIAN" \
-		"armv5b-linux-gnu             |linux-armv4 -DB_ENDIAN" \
-		"x86_64-pc-linux-gnu          |linux-x86_64" \
-		"alpha-linux-gnu              |linux-alpha-gcc" \
-		"alphaev56-unknown-linux-gnu  |linux-alpha+bwx-gcc" \
-		"i686-pc-linux-gnu            |linux-elf" \
-		"whatever-gentoo-freebsdX.Y   |BSD-generic32" \
-		"i686-gentoo-freebsdX.Y       |BSD-x86-elf" \
-		"sparc64-alpha-freebsdX.Y     |BSD-sparc64" \
-		"ia64-gentoo-freebsd5.99234   |BSD-ia64" \
-		"x86_64-gentoo-freebsdX.Y     |BSD-x86_64" \
-		"hppa64-aldsF-linux-gnu5.3    |linux-generic32 -DB_ENDIAN" \
-		"powerpc-gentOO-linux-uclibc  |linux-ppc" \
-		"powerpc64-unk-linux-gnu      |linux-ppc64" \
-		"powerpc64le-linux-gnu        |linux-ppc64le" \
-		"x86_64-apple-darwinX         |darwin64-x86_64-cc" \
-		"powerpc64-apple-darwinX      |darwin64-ppc-cc" \
-		"i686-apple-darwinX           |darwin-i386-cc" \
-		"i386-apple-darwinX           |darwin-i386-cc" \
-		"powerpc-apple-darwinX        |darwin-ppc-cc" \
-		"i586-pc-winnt                |winnt-parity" \
-		"s390-ibm-linux-gnu           |linux-generic32 -DB_ENDIAN" \
-		"s390x-linux-gnu              |linux64-s390x" \
-	;do
-		CHOST=${c/|*}
-		ret_want=${c/*|}
-		ret_got=$(CHOST=${CHOST} "$0")
-
-		if [[ ${ret_want} == "${ret_got}" ]] ; then
-			echo "PASS: ${CHOST}"
-		else
-			echo "FAIL: ${CHOST}"
-			echo -e "\twanted: ${ret_want}"
-			echo -e "\twe got: ${ret_got}"
-		fi
-	done
-	exit 0
-fi
-[[ -z ${CHOST} && -n $1 ]] && CHOST=$1
-
-
-# Detect the operating system
-case ${CHOST} in
-	*-aix*)          system="aix";;
-	*-darwin*)       system="darwin";;
-	*-freebsd*)      system="BSD";;
-	*-hpux*)         system="hpux";;
-	*-linux*)        system="linux";;
-	*-solaris*)      system="solaris";;
-	*-winnt*)        system="winnt";;
-	x86_64-*-mingw*) system="mingw64";;
-	*mingw*)         system="mingw";;
-	*)               exit 0;;
-esac
-
-
-# Compiler munging
-compiler="gcc"
-if [[ ${CC} == "ccc" ]] ; then
-	compiler=${CC}
-fi
-
-
-# Detect target arch
-machine=""
-chost_machine=${CHOST%%-*}
-case ${system} in
-linux)
-	case ${chost_machine}:${ABI} in
-		aarch64*be*)  machine="aarch64 -DB_ENDIAN";;
-		aarch64*)     machine="aarch64 -DL_ENDIAN";;
-		alphaev56*|\
-		alphaev[678]*)machine=alpha+bwx-${compiler};;
-		alpha*)       machine=alpha-${compiler};;
-		armv[4-9]*b*) machine="armv4 -DB_ENDIAN";;
-		armv[4-9]*)   machine="armv4 -DL_ENDIAN";;
-		arm*b*)       machine="generic32 -DB_ENDIAN";;
-		arm*)         machine="generic32 -DL_ENDIAN";;
-		avr*)         machine="generic32 -DL_ENDIAN";;
-		bfin*)        machine="generic32 -DL_ENDIAN";;
-	#	hppa64*)      machine=parisc64;;
-		hppa*)        machine="generic32 -DB_ENDIAN";;
-		i[0-9]86*|\
-		x86_64*:x86)  machine=elf;;
-		ia64*)        machine=ia64;;
-		loongarch64*) machine="generic64 -DL_ENDIAN";;
-		m68*)         machine="latomic -DB_ENDIAN";;
-		mips*el*)     machine="generic32 -DL_ENDIAN";;
-		mips*)        machine="generic32 -DB_ENDIAN";;
-		powerpc64*le*)machine=ppc64le;;
-		powerpc64*)   machine=ppc64;;
-		powerpc*le*)  machine="generic32 -DL_ENDIAN";;
-		powerpc*)     machine=ppc;;
-		riscv32*)     machine="generic32 -DL_ENDIAN";;
-		riscv64*)     machine="generic64 -DL_ENDIAN";;
-	#	sh64*)        machine=elf;;
-		sh*b*)        machine="generic32 -DB_ENDIAN";;
-		sh*)          machine="generic32 -DL_ENDIAN";;
-		# TODO: Might want to do -mcpu probing like glibc to determine a
-		# better default for sparc-linux-gnu targets.  This logic will
-		# break v7 and older systems when they use it.
-		sparc*v7*)    machine="generic32 -DB_ENDIAN";;
-		sparc64*)     machine=sparcv9 system=linux64;;
-		sparc*v9*)    machine=sparcv9;;
-		sparc*v8*)    machine=sparcv8;;
-		sparc*)       machine=sparcv8;;
-		s390x*)       machine=s390x system=linux64;;
-		s390*)        machine="generic32 -DB_ENDIAN";;
-		x86_64*:x32)  machine=x32;;
-		x86_64*)      machine=x86_64;;
-	esac
-	;;
-BSD)
-	case ${chost_machine} in
-		alpha*)       machine=generic64;;
-		i[6-9]86*)    machine=x86-elf;;
-		ia64*)        machine=ia64;;
-		sparc64*)     machine=sparc64;;
-		x86_64*)      machine=x86_64;;
-		*)            machine=generic32;;
-	esac
-	;;
-aix)
-	machine=${compiler}
-	;;
-darwin)
-	case ${chost_machine} in
-		powerpc64)    machine=ppc-cc; system=${system}64;;
-		powerpc)      machine=ppc-cc;;
-		i?86*)        machine=i386-cc;;
-		x86_64)       machine=x86_64-cc; system=${system}64;;
-	esac
-	;;
-hpux)
-	case ${chost_machine} in
-		ia64)	machine=ia64-${compiler} ;;
-	esac
-	;;
-solaris)
-	case ${chost_machine} in
-		i386)         machine=x86-${compiler} ;;
-		x86_64*)      machine=x86_64-${compiler}; system=${system}64;;
-		sparcv9*)     machine=sparcv9-${compiler}; system=${system}64;;
-		sparc*)       machine=sparcv8-${compiler};;
-	esac
-	;;
-winnt)
-	machine=parity
-	;;
-mingw*)
-	# special case ... no xxx-yyy style name
-	echo ${system}
-	;;
-esac
-
-
-# If we have something, show it
-[[ -n ${machine} ]] && echo ${system}-${machine}


* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
@ 2023-02-22 19:34 Mike Gilbert
  0 siblings, 0 replies; 20+ messages in thread
From: Mike Gilbert @ 2023-02-22 19:34 UTC (permalink / raw
  To: gentoo-commits

commit:     d9d631a188bd27b62082fd93a7f434b00e458b1b
Author:     Nicholas Vinson <nvinson234 <AT> gmail <DOT> com>
AuthorDate: Wed Feb 22 00:57:55 2023 +0000
Commit:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Wed Feb 22 19:29:31 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d9d631a1

dev-libs/openssl: gentoo.config-1.0.4 clang fix

Update gentoo.config-1.0.4 to better support clang compiler toolchains

Closes: https://bugs.gentoo.org/885901
Signed-off-by: Nicholas Vinson <nvinson234 <AT> gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/29711
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>

 dev-libs/openssl/files/gentoo.config-1.0.4 | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/dev-libs/openssl/files/gentoo.config-1.0.4 b/dev-libs/openssl/files/gentoo.config-1.0.4
index 573a97de3543..79f6331f090c 100644
--- a/dev-libs/openssl/files/gentoo.config-1.0.4
+++ b/dev-libs/openssl/files/gentoo.config-1.0.4
@@ -77,7 +77,9 @@ fi
 
 # Detect target arch
 machine=""
+submachine=""
 chost_machine=${CHOST%%-*}
+[[ ${CC} == *clang* ]] && submachine="-clang"
 case ${system} in
 linux)
 	case ${chost_machine}:${ABI} in
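
Review bot: `[[ ${CC} == *clang* ]]` tests the whole CC string, so it is true for any value that contains `clang` anywhere, including a directory component of a full path to another compiler, and false for clang reached through a differently named driver or wrapper. Matching on the program name only (path and arguments stripped first) would narrow the first case, and a comment stating that detection is name-based would document the second. Initialising `submachine` to empty before the test is good: the later `${submachine}` expansions stay safe when CC is unset.
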
@@ -95,7 +97,7 @@ linux)
 	#	hppa64*)      machine=parisc64;;
 		hppa*)        machine="generic32 -DB_ENDIAN";;
 		i[0-9]86*|\
-		x86_64*:x86)  machine=x86;;
+		x86_64*:x86)  machine=x86${submachine};;
 		ia64*)        machine=ia64;;
 		loongarch64*) machine="loongarch64 -DL_ENDIAN" system=linux64;;
 		m68*)         machine="latomic -DB_ENDIAN";;
@@ -125,7 +127,7 @@ linux)
 		s390x*)       machine=s390x system=linux64;;
 		s390*)        machine="generic32 -DB_ENDIAN";;
 		x86_64*:x32)  machine=x32;;
-		x86_64*)      machine=x86_64;;
+		x86_64*)      machine=x86_64${submachine};;
 	esac
 	;;
 BSD)
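
Review bot: `x86_64*:x32)`, directly above the changed line, keeps `machine=x32` with no `${submachine}`, so an x32 build with clang still selects the non-clang target. A short comment saying this is intentional (for instance because no clang variant of that target is available) would stop it reading as an omission. The same holds for every other architecture in the case statement, which the commit message's "better support clang compiler toolchains" does not scope to x86.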


* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
@ 2022-08-19 23:00 Sam James
  0 siblings, 0 replies; 20+ messages in thread
From: Sam James @ 2022-08-19 23:00 UTC (permalink / raw
  To: gentoo-commits

commit:     3b94f6daf15da0b5fd7142881663030d1c1a1dd2
Author:     Michael Mair-Keimberger <mmk <AT> levelnine <DOT> at>
AuthorDate: Fri Aug 19 18:41:11 2022 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Fri Aug 19 22:52:58 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3b94f6da

dev-libs/openssl: remove unused patches

Signed-off-by: Michael Mair-Keimberger <mmk <AT> levelnine.at>
Closes: https://github.com/gentoo/gentoo/pull/26928
Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../openssl-3.0.4-avx512-buffer-overflow.patch     | 34 ----------------
 .../files/openssl-3.0.4-fix-test-build.patch       | 46 ----------------------
 2 files changed, 80 deletions(-)

diff --git a/dev-libs/openssl/files/openssl-3.0.4-avx512-buffer-overflow.patch b/dev-libs/openssl/files/openssl-3.0.4-avx512-buffer-overflow.patch
deleted file mode 100644
index c72e958ff535..000000000000
--- a/dev-libs/openssl/files/openssl-3.0.4-avx512-buffer-overflow.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-https://github.com/openssl/openssl/commit/a1f7034bbd8f0730d360211f5ba0feeaef0b7b2c
-https://github.com/openssl/openssl/issues/18625
-
-From a1f7034bbd8f0730d360211f5ba0feeaef0b7b2c Mon Sep 17 00:00:00 2001
-From: Xi Ruoyao <xry111@xry111.site>
-Date: Wed, 22 Jun 2022 18:07:05 +0800
-Subject: [PATCH] rsa: fix bn_reduce_once_in_place call for
- rsaz_mod_exp_avx512_x2
-
-bn_reduce_once_in_place expects the number of BN_ULONG, but factor_size
-is moduli bit size.
-
-Fixes #18625.
-
-Signed-off-by: Xi Ruoyao <xry111@xry111.site>
-
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-Reviewed-by: Paul Dale <pauli@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/18626)
-
-(cherry picked from commit 4d8a88c134df634ba610ff8db1eb8478ac5fd345)
---- a/crypto/bn/rsaz_exp_x2.c
-+++ b/crypto/bn/rsaz_exp_x2.c
-@@ -220,6 +220,9 @@ int ossl_rsaz_mod_exp_avx512_x2(BN_ULONG *res1,
-     from_words52(res1, factor_size, rr1_red);
-     from_words52(res2, factor_size, rr2_red);
- 
-+    /* bn_reduce_once_in_place expects number of BN_ULONG, not bit size */
-+    factor_size /= sizeof(BN_ULONG) * 8;
-+
-     bn_reduce_once_in_place(res1, /*carry=*/0, m1, storage, factor_size);
-     bn_reduce_once_in_place(res2, /*carry=*/0, m2, storage, factor_size);
- 
-
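
Review bot: In the rsaz_exp_x2.c hunk carried by this patch file, `factor_size` is passed unchanged to the two from_words52() calls and is then divided in place to become a word count for bn_reduce_once_in_place(). The same variable changes units mid-function, which is the confusion the patch's own commit message describes. A separate, named word-count variable would make the units explicit, and it would also give a place to check that the bit size is a multiple of `sizeof(BN_ULONG) * 8`, since the division truncates silently otherwise.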

diff --git a/dev-libs/openssl/files/openssl-3.0.4-fix-test-build.patch b/dev-libs/openssl/files/openssl-3.0.4-fix-test-build.patch
deleted file mode 100644
index f96e54f3127e..000000000000
--- a/dev-libs/openssl/files/openssl-3.0.4-fix-test-build.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-https://github.com/openssl/openssl/issues/18619
-https://github.com/openssl/openssl/pull/18634
-https://github.com/openssl/openssl/commit/665ab12ed3f0d78e7cb6a55cdd2b83a2fe150232
-
-From 665ab12ed3f0d78e7cb6a55cdd2b83a2fe150232 Mon Sep 17 00:00:00 2001
-From: Bernd Edlinger <bernd.edlinger@hotmail.de>
-Date: Fri, 17 Jun 2022 10:25:24 +0200
-Subject: [PATCH] Fix compile issues in test/v3ext.c with no-rfc3779
-
-There are no ASIdentifiers if OPENSSL_NO_RFC3779 is defined,
-therefore the test cannot be compiled.
-
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-Reviewed-by: Paul Dale <pauli@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/18634)
-
-(cherry picked from commit b76efe61ea9710a8f69e1cb8caf1aeb2ba6f1ebe)
---- a/test/v3ext.c
-+++ b/test/v3ext.c
-@@ -37,6 +37,7 @@ static int test_pathlen(void)
-     return ret;
- }
- 
-+#ifndef OPENSSL_NO_RFC3779
- static int test_asid(void)
- {
-     ASN1_INTEGER *val1 = NULL, *val2 = NULL;
-@@ -113,6 +114,7 @@ static int test_asid(void)
-     ASIdentifiers_free(asid4);
-     return testresult;
- }
-+#endif /* OPENSSL_NO_RFC3779 */
- 
- OPT_TEST_DECLARE_USAGE("cert.pem\n")
- 
-@@ -127,6 +129,8 @@ int setup_tests(void)
-         return 0;
- 
-     ADD_TEST(test_pathlen);
-+#ifndef OPENSSL_NO_RFC3779
-     ADD_TEST(test_asid);
-+#endif /* OPENSSL_NO_RFC3779 */
-     return 1;
- }
-


* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
@ 2022-04-25 10:11 WANG Xuerui
  0 siblings, 0 replies; 20+ messages in thread
From: WANG Xuerui @ 2022-04-25 10:11 UTC (permalink / raw
  To: gentoo-commits

commit:     41b5bf45a83c26b663aa9ea9c4e290e5ee018622
Author:     WANG Xuerui <xen0n <AT> gentoo <DOT> org>
AuthorDate: Mon Apr 25 04:16:06 2022 +0000
Commit:     WANG Xuerui <xen0n <AT> gentoo <DOT> org>
CommitDate: Mon Apr 25 10:11:17 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=41b5bf45

dev-libs/openssl: fix build on loong

Just treat loongarch64 targets as generic64 for now.

This has been inside loongson-overlay for a while, and is tested on real
loong hardware.

See: https://github.com/gentoo/gentoo/pull/25189
Acked-by: Andreas K. Hüttel <dilfridge <AT> gentoo.org>
Signed-off-by: WANG Xuerui <xen0n <AT> gentoo.org>

 dev-libs/openssl/files/gentoo.config-1.0.2 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dev-libs/openssl/files/gentoo.config-1.0.2 b/dev-libs/openssl/files/gentoo.config-1.0.2
index 68d7d0ac1fc1..caa569588f3c 100644
--- a/dev-libs/openssl/files/gentoo.config-1.0.2
+++ b/dev-libs/openssl/files/gentoo.config-1.0.2
@@ -97,6 +97,7 @@ linux)
 		i[0-9]86*|\
 		x86_64*:x86)  machine=elf;;
 		ia64*)        machine=ia64;;
+		loongarch64*) machine="generic64 -DL_ENDIAN";;
 		m68*)         machine="generic32 -DB_ENDIAN";;
 		mips*el*)     machine="generic32 -DL_ENDIAN";;
 		mips*)        machine="generic32 -DB_ENDIAN";;
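
Review bot: The added `loongarch64*)` arm has no comment marking `generic64 -DL_ENDIAN` as an interim choice, although the commit message says the target is treated as generic64 only "for now". A short comment on or above that line, or a bug reference, would tell whoever next edits this case list that the entry is meant to be revisited once a dedicated target is available.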


* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
@ 2021-02-12 22:35 Conrad Kostecki
  0 siblings, 0 replies; 20+ messages in thread
From: Conrad Kostecki @ 2021-02-12 22:35 UTC (permalink / raw
  To: gentoo-commits

commit:     999c48f939670b8b499ddad74492db20e44b0c91
Author:     Michael Mair-Keimberger <mmk <AT> levelnine <DOT> at>
AuthorDate: Fri Feb 12 13:55:14 2021 +0000
Commit:     Conrad Kostecki <conikost <AT> gentoo <DOT> org>
CommitDate: Fri Feb 12 22:35:46 2021 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=999c48f9

dev-libs/openssl: remove unused patch

Closes: https://github.com/gentoo/gentoo/pull/19426
Package-Manager: Portage-3.0.14, Repoman-3.0.2
Signed-off-by: Michael Mair-Keimberger <mmk <AT> levelnine.at>
Signed-off-by: Conrad Kostecki <conikost <AT> gentoo.org>

 .../openssl/files/openssl-1.0.2a-x32-asm.patch     | 43 ----------------------
 1 file changed, 43 deletions(-)

diff --git a/dev-libs/openssl/files/openssl-1.0.2a-x32-asm.patch b/dev-libs/openssl/files/openssl-1.0.2a-x32-asm.patch
deleted file mode 100644
index 3a005c9b099..00000000000
--- a/dev-libs/openssl/files/openssl-1.0.2a-x32-asm.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-https://rt.openssl.org/Ticket/Display.html?id=3759&user=guest&pass=guest
-
-From 6257d59b3a68d2feb9d64317a1c556dc3813ee61 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Sat, 21 Mar 2015 06:01:25 -0400
-Subject: [PATCH] crypto: use bigint in x86-64 perl
-
-When building on x32 systems where the default type is 32bit, make sure
-we can transparently represent 64bit integers.  Otherwise we end up with
-build errors like:
-/usr/bin/perl asm/ghash-x86_64.pl elf > ghash-x86_64.s
-Integer overflow in hexadecimal number at asm/../../perlasm/x86_64-xlate.pl line 201, <> line 890.
-...
-ghash-x86_64.s: Assembler messages:
-ghash-x86_64.s:890: Error: junk '.15473355479995e+19' after expression
-
-We don't enable this globally as there are some cases where we'd get
-32bit values interpreted as unsigned when we need them as signed.
-
-Reported-by: Bertrand Jacquin <bertrand@jacquin.bzh>
-URL: https://bugs.gentoo.org/542618
----
- crypto/perlasm/x86_64-xlate.pl | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/crypto/perlasm/x86_64-xlate.pl b/crypto/perlasm/x86_64-xlate.pl
-index aae8288..0bf9774 100755
---- a/crypto/perlasm/x86_64-xlate.pl
-+++ b/crypto/perlasm/x86_64-xlate.pl
-@@ -195,6 +195,10 @@ my %globals;
-     sub out {
-     	my $self = shift;
- 
-+	# When building on x32 ABIs, the expanded hex value might be too
-+	# big to fit into 32bits.  Enable transparent 64bit support here
-+	# so we can safely print it out.
-+	use bigint;
- 	if ($gas) {
- 	    # Solaris /usr/ccs/bin/as can't handle multiplications
- 	    # in $self->{value}
--- 
-2.3.3
-
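
Review bot: The commit message does not say which ebuild last applied openssl-1.0.2a-x32-asm.patch, so the `deleted file mode 100644` removal cannot be checked from the diff alone. Naming the last consumer in the message, or stating that no ebuild under dev-libs/openssl references the file any more, would make that verifiable. The patch documents an x32 build failure (https://bugs.gentoo.org/542618), so it matters that no remaining 1.0.2 ebuild still needs the `use bigint;` workaround in crypto/perlasm/x86_64-xlate.pl.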


* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
@ 2020-12-17 14:11 Andreas K. Hüttel
  0 siblings, 0 replies; 20+ messages in thread
From: Andreas K. Hüttel @ 2020-12-17 14:11 UTC (permalink / raw
  To: gentoo-commits

commit:     887a6ba925e78adef8449a7c8ea6de68278f31b2
Author:     Andreas K. Hüttel <dilfridge <AT> gentoo <DOT> org>
AuthorDate: Thu Dec 17 14:10:25 2020 +0000
Commit:     Andreas K. Hüttel <dilfridge <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 14:10:52 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=887a6ba9

dev-libs/openssl: Handle riscv32

Package-Manager: Portage-3.0.9, Repoman-3.0.2
Signed-off-by: Andreas K. Hüttel <dilfridge <AT> gentoo.org>

 dev-libs/openssl/files/gentoo.config-1.0.2 | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/dev-libs/openssl/files/gentoo.config-1.0.2 b/dev-libs/openssl/files/gentoo.config-1.0.2
index 4e88dbabf13..68d7d0ac1fc 100644
--- a/dev-libs/openssl/files/gentoo.config-1.0.2
+++ b/dev-libs/openssl/files/gentoo.config-1.0.2
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# Copyright 1999-2018 Gentoo Foundation
+# Copyright 1999-2020 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 #
 # Openssl doesn't play along nicely with cross-compiling
@@ -104,6 +104,7 @@ linux)
 		powerpc64*)   machine=ppc64;;
 		powerpc*le*)  machine="generic32 -DL_ENDIAN";;
 		powerpc*)     machine=ppc;;
+		riscv32*)     machine="generic32 -DL_ENDIAN";;
 		riscv64*)     machine="generic64 -DL_ENDIAN";;
 	#	sh64*)        machine=elf;;
 		sh*b*)        machine="generic32 -DB_ENDIAN";;
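
Review bot: The glob in the added `riscv32*)` arm, like the `riscv64*)` arm below it, matches every tuple with that prefix and hard-codes `-DL_ENDIAN`, so a big-endian RISC-V tuple would be configured as little-endian without any error. If only little-endian targets are intended, say so in a comment next to the two arms; otherwise separate the cases the way the `powerpc*le*)` and `powerpc*)` arms do, with the more specific pattern first.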


* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
@ 2020-04-02 14:56 Mike Gilbert
  0 siblings, 0 replies; 20+ messages in thread
From: Mike Gilbert @ 2020-04-02 14:56 UTC (permalink / raw
  To: gentoo-commits

commit:     3bbd887ff1dde5c69e81d6985e4d02c1eddb793b
Author:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Thu Apr  2 14:55:31 2020 +0000
Commit:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Thu Apr  2 14:55:31 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3bbd887f

dev-libs/openssl: handle riscv64

Closes: https://bugs.gentoo.org/715908
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>

 dev-libs/openssl/files/gentoo.config-1.0.2 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/dev-libs/openssl/files/gentoo.config-1.0.2 b/dev-libs/openssl/files/gentoo.config-1.0.2
index d16175e6292..4e88dbabf13 100644
--- a/dev-libs/openssl/files/gentoo.config-1.0.2
+++ b/dev-libs/openssl/files/gentoo.config-1.0.2
@@ -104,6 +104,7 @@ linux)
 		powerpc64*)   machine=ppc64;;
 		powerpc*le*)  machine="generic32 -DL_ENDIAN";;
 		powerpc*)     machine=ppc;;
+		riscv64*)     machine="generic64 -DL_ENDIAN";;
 	#	sh64*)        machine=elf;;
 		sh*b*)        machine="generic32 -DB_ENDIAN";;
 		sh*)          machine="generic32 -DL_ENDIAN";;


* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
@ 2019-11-24  0:44 Aaron Bauman
  0 siblings, 0 replies; 20+ messages in thread
From: Aaron Bauman @ 2019-11-24  0:44 UTC (permalink / raw
  To: gentoo-commits

commit:     addd7f2abcabc67e4fd244d6374dd6945c10713d
Author:     Michael Mair-Keimberger <m.mairkeimberger <AT> gmail <DOT> com>
AuthorDate: Fri Nov 22 08:17:48 2019 +0000
Commit:     Aaron Bauman <bman <AT> gentoo <DOT> org>
CommitDate: Sun Nov 24 00:40:20 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=addd7f2a

dev-libs/openssl: remove unused patch

Signed-off-by: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail.com>
Signed-off-by: Aaron Bauman <bman <AT> gentoo.org>

 .../openssl/files/openssl-1.0.2p-hobble-ecc.patch  | 283 ---------------------
 1 file changed, 283 deletions(-)

diff --git a/dev-libs/openssl/files/openssl-1.0.2p-hobble-ecc.patch b/dev-libs/openssl/files/openssl-1.0.2p-hobble-ecc.patch
deleted file mode 100644
index 3a458a78360..00000000000
--- a/dev-libs/openssl/files/openssl-1.0.2p-hobble-ecc.patch
+++ /dev/null
@@ -1,283 +0,0 @@
-Port of Fedora's Hobble-EC patches for OpenSSL 1.0 series.
-
-From https://src.fedoraproject.org/git/rpms/openssl.git
-
-Contains parts of the following patches, rediffed. The patches are on various
-different branches.
-f23 openssl-1.0.2c-ecc-suiteb.patch
-f23 openssl-1.0.2a-fips-ec.patch
-f28 openssl-1.1.0-ec-curves.patch
-
-Signed-off-By: Robin H. Johnson <robbat2@gentoo.org>
-
---- a/apps/speed.c
-+++ b/apps/speed.c
-@@ -989,10 +989,7 @@ int MAIN(int argc, char **argv)
-         } else
- # endif
- # ifndef OPENSSL_NO_ECDSA
--        if (strcmp(*argv, "ecdsap160") == 0)
--            ecdsa_doit[R_EC_P160] = 2;
--        else if (strcmp(*argv, "ecdsap192") == 0)
--            ecdsa_doit[R_EC_P192] = 2;
-+	if (0) {}
-         else if (strcmp(*argv, "ecdsap224") == 0)
-             ecdsa_doit[R_EC_P224] = 2;
-         else if (strcmp(*argv, "ecdsap256") == 0)
-@@ -1001,36 +998,13 @@ int MAIN(int argc, char **argv)
-             ecdsa_doit[R_EC_P384] = 2;
-         else if (strcmp(*argv, "ecdsap521") == 0)
-             ecdsa_doit[R_EC_P521] = 2;
--        else if (strcmp(*argv, "ecdsak163") == 0)
--            ecdsa_doit[R_EC_K163] = 2;
--        else if (strcmp(*argv, "ecdsak233") == 0)
--            ecdsa_doit[R_EC_K233] = 2;
--        else if (strcmp(*argv, "ecdsak283") == 0)
--            ecdsa_doit[R_EC_K283] = 2;
--        else if (strcmp(*argv, "ecdsak409") == 0)
--            ecdsa_doit[R_EC_K409] = 2;
--        else if (strcmp(*argv, "ecdsak571") == 0)
--            ecdsa_doit[R_EC_K571] = 2;
--        else if (strcmp(*argv, "ecdsab163") == 0)
--            ecdsa_doit[R_EC_B163] = 2;
--        else if (strcmp(*argv, "ecdsab233") == 0)
--            ecdsa_doit[R_EC_B233] = 2;
--        else if (strcmp(*argv, "ecdsab283") == 0)
--            ecdsa_doit[R_EC_B283] = 2;
--        else if (strcmp(*argv, "ecdsab409") == 0)
--            ecdsa_doit[R_EC_B409] = 2;
--        else if (strcmp(*argv, "ecdsab571") == 0)
--            ecdsa_doit[R_EC_B571] = 2;
-         else if (strcmp(*argv, "ecdsa") == 0) {
--            for (i = 0; i < EC_NUM; i++)
-+            for (i = R_EC_P224; i < R_EC_P521; i++)
-                 ecdsa_doit[i] = 1;
-         } else
- # endif
- # ifndef OPENSSL_NO_ECDH
--        if (strcmp(*argv, "ecdhp160") == 0)
--            ecdh_doit[R_EC_P160] = 2;
--        else if (strcmp(*argv, "ecdhp192") == 0)
--            ecdh_doit[R_EC_P192] = 2;
-+	if (0) {}
-         else if (strcmp(*argv, "ecdhp224") == 0)
-             ecdh_doit[R_EC_P224] = 2;
-         else if (strcmp(*argv, "ecdhp256") == 0)
-@@ -1039,28 +1013,8 @@ int MAIN(int argc, char **argv)
-             ecdh_doit[R_EC_P384] = 2;
-         else if (strcmp(*argv, "ecdhp521") == 0)
-             ecdh_doit[R_EC_P521] = 2;
--        else if (strcmp(*argv, "ecdhk163") == 0)
--            ecdh_doit[R_EC_K163] = 2;
--        else if (strcmp(*argv, "ecdhk233") == 0)
--            ecdh_doit[R_EC_K233] = 2;
--        else if (strcmp(*argv, "ecdhk283") == 0)
--            ecdh_doit[R_EC_K283] = 2;
--        else if (strcmp(*argv, "ecdhk409") == 0)
--            ecdh_doit[R_EC_K409] = 2;
--        else if (strcmp(*argv, "ecdhk571") == 0)
--            ecdh_doit[R_EC_K571] = 2;
--        else if (strcmp(*argv, "ecdhb163") == 0)
--            ecdh_doit[R_EC_B163] = 2;
--        else if (strcmp(*argv, "ecdhb233") == 0)
--            ecdh_doit[R_EC_B233] = 2;
--        else if (strcmp(*argv, "ecdhb283") == 0)
--            ecdh_doit[R_EC_B283] = 2;
--        else if (strcmp(*argv, "ecdhb409") == 0)
--            ecdh_doit[R_EC_B409] = 2;
--        else if (strcmp(*argv, "ecdhb571") == 0)
--            ecdh_doit[R_EC_B571] = 2;
-         else if (strcmp(*argv, "ecdh") == 0) {
--            for (i = 0; i < EC_NUM; i++)
-+	    for (i = R_EC_P224; i <= R_EC_P521; i++)
-                 ecdh_doit[i] = 1;
-         } else
- # endif
-@@ -1149,21 +1103,13 @@ int MAIN(int argc, char **argv)
-             BIO_printf(bio_err, "dsa512   dsa1024  dsa2048\n");
- # endif
- # ifndef OPENSSL_NO_ECDSA
--            BIO_printf(bio_err, "ecdsap160 ecdsap192 ecdsap224 "
-+            BIO_printf(bio_err, "ecdsap224 "
-                        "ecdsap256 ecdsap384 ecdsap521\n");
--            BIO_printf(bio_err,
--                       "ecdsak163 ecdsak233 ecdsak283 ecdsak409 ecdsak571\n");
--            BIO_printf(bio_err,
--                       "ecdsab163 ecdsab233 ecdsab283 ecdsab409 ecdsab571\n");
-             BIO_printf(bio_err, "ecdsa\n");
- # endif
- # ifndef OPENSSL_NO_ECDH
--            BIO_printf(bio_err, "ecdhp160  ecdhp192  ecdhp224 "
-+            BIO_printf(bio_err, "ecdhp224 "
-                        "ecdhp256  ecdhp384  ecdhp521\n");
--            BIO_printf(bio_err,
--                       "ecdhk163  ecdhk233  ecdhk283  ecdhk409  ecdhk571\n");
--            BIO_printf(bio_err,
--                       "ecdhb163  ecdhb233  ecdhb283  ecdhb409  ecdhb571\n");
-             BIO_printf(bio_err, "ecdh\n");
- # endif
- 
-@@ -1242,11 +1188,11 @@ int MAIN(int argc, char **argv)
-         for (i = 0; i < DSA_NUM; i++)
-             dsa_doit[i] = 1;
- # ifndef OPENSSL_NO_ECDSA
--        for (i = 0; i < EC_NUM; i++)
-+        for (i = R_EC_P224; i <= R_EC_P521; i++)
-             ecdsa_doit[i] = 1;
- # endif
- # ifndef OPENSSL_NO_ECDH
--        for (i = 0; i < EC_NUM; i++)
-+        for (i = R_EC_P224; i <= R_EC_P521; i++)
-             ecdh_doit[i] = 1;
- # endif
-     }
---- a/crypto/ec/ecp_smpl.c
-+++ b/crypto/ec/ecp_smpl.c
-@@ -187,6 +187,11 @@ int ec_GFp_simple_group_set_curve(EC_GROUP *group,
-         return 0;
-     }
- 
-+    if (BN_num_bits(p) < 224) {
-+        ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD);
-+        return 0;
-+    }
-+
-     if (ctx == NULL) {
-         ctx = new_ctx = BN_CTX_new();
-         if (ctx == NULL)
---- a/crypto/ecdh/ecdhtest.c
-+++ b/crypto/ecdh/ecdhtest.c
-@@ -501,11 +501,13 @@ int main(int argc, char *argv[])
-         goto err;
- 
-     /* NIST PRIME CURVES TESTS */
-+# if 0
-     if (!test_ecdh_curve
-         (NID_X9_62_prime192v1, "NIST Prime-Curve P-192", ctx, out))
-         goto err;
-     if (!test_ecdh_curve(NID_secp224r1, "NIST Prime-Curve P-224", ctx, out))
-         goto err;
-+# endif
-     if (!test_ecdh_curve
-         (NID_X9_62_prime256v1, "NIST Prime-Curve P-256", ctx, out))
-         goto err;
-@@ -536,13 +538,14 @@ int main(int argc, char *argv[])
-     if (!test_ecdh_curve(NID_sect571r1, "NIST Binary-Curve B-571", ctx, out))
-         goto err;
- # endif
-+# if 0
-     if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP256r1", 256))
-         goto err;
-     if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP384r1", 384))
-         goto err;
-     if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP512r1", 512))
-         goto err;
--
-+# endif
-     ret = 0;
- 
-  err:
---- a/crypto/ecdsa/ecdsatest.c
-+++ b/crypto/ecdsa/ecdsatest.c
-@@ -138,9 +138,12 @@ int restore_rand(void)
- }
- 
- static int fbytes_counter = 0, use_fake = 0;
--static const char *numbers[8] = {
-+static const char *numbers[10] = {
-+    "651056770906015076056810763456358567190100156695615665659",
-     "651056770906015076056810763456358567190100156695615665659",
-     "6140507067065001063065065565667405560006161556565665656654",
-+    "8763001015071075675010661307616710783570106710677817767166"
-+        "71676178726717",
-     "8763001015071075675010661307616710783570106710677817767166"
-         "71676178726717",
-     "7000000175690566466555057817571571075705015757757057795755"
-@@ -163,7 +166,7 @@ int fbytes(unsigned char *buf, int num)
- 
-     use_fake = 0;
- 
--    if (fbytes_counter >= 8)
-+    if (fbytes_counter >= 10)
-         return 0;
-     tmp = BN_new();
-     if (!tmp)
-@@ -539,8 +542,10 @@ int main(void)
-     RAND_seed(rnd_seed, sizeof(rnd_seed));
- 
-     /* the tests */
-+# if 0
-     if (!x9_62_tests(out))
-         goto err;
-+# endif
-     if (!test_builtin(out))
-         goto err;
- 
---- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
-@@ -271,10 +271,7 @@ static const unsigned char eccurves_auto[] = {
-     0, 23,                      /* secp256r1 (23) */
-     /* Other >= 256-bit prime curves. */
-     0, 25,                      /* secp521r1 (25) */
--    0, 28,                      /* brainpool512r1 (28) */
--    0, 27,                      /* brainpoolP384r1 (27) */
-     0, 24,                      /* secp384r1 (24) */
--    0, 26,                      /* brainpoolP256r1 (26) */
-     0, 22,                      /* secp256k1 (22) */
- # ifndef OPENSSL_NO_EC2M
-     /* >= 256-bit binary curves. */
-@@ -292,10 +289,7 @@ static const unsigned char eccurves_all[] = {
-     0, 23,                      /* secp256r1 (23) */
-     /* Other >= 256-bit prime curves. */
-     0, 25,                      /* secp521r1 (25) */
--    0, 28,                      /* brainpool512r1 (28) */
--    0, 27,                      /* brainpoolP384r1 (27) */
-     0, 24,                      /* secp384r1 (24) */
--    0, 26,                      /* brainpoolP256r1 (26) */
-     0, 22,                      /* secp256k1 (22) */
- # ifndef OPENSSL_NO_EC2M
-     /* >= 256-bit binary curves. */
-@@ -310,13 +304,6 @@ static const unsigned char eccurves_all[] = {
-      * Remaining curves disabled by default but still permitted if set
-      * via an explicit callback or parameters.
-      */
--    0, 20,                      /* secp224k1 (20) */
--    0, 21,                      /* secp224r1 (21) */
--    0, 18,                      /* secp192k1 (18) */
--    0, 19,                      /* secp192r1 (19) */
--    0, 15,                      /* secp160k1 (15) */
--    0, 16,                      /* secp160r1 (16) */
--    0, 17,                      /* secp160r2 (17) */
- # ifndef OPENSSL_NO_EC2M
-     0, 8,                       /* sect239k1 (8) */
-     0, 6,                       /* sect233k1 (6) */
-@@ -351,29 +338,21 @@ static const unsigned char fips_curves_default[] = {
-     0, 9,                       /* sect283k1 (9) */
-     0, 10,                      /* sect283r1 (10) */
- #  endif
--    0, 22,                      /* secp256k1 (22) */
-     0, 23,                      /* secp256r1 (23) */
- #  ifndef OPENSSL_NO_EC2M
-     0, 8,                       /* sect239k1 (8) */
-     0, 6,                       /* sect233k1 (6) */
-     0, 7,                       /* sect233r1 (7) */
- #  endif
--    0, 20,                      /* secp224k1 (20) */
--    0, 21,                      /* secp224r1 (21) */
- #  ifndef OPENSSL_NO_EC2M
-     0, 4,                       /* sect193r1 (4) */
-     0, 5,                       /* sect193r2 (5) */
- #  endif
--    0, 18,                      /* secp192k1 (18) */
--    0, 19,                      /* secp192r1 (19) */
- #  ifndef OPENSSL_NO_EC2M
-     0, 1,                       /* sect163k1 (1) */
-     0, 2,                       /* sect163r1 (2) */
-     0, 3,                       /* sect163r2 (3) */
- #  endif
--    0, 15,                      /* secp160k1 (15) */
--    0, 16,                      /* secp160r1 (16) */
--    0, 17,                      /* secp160r2 (17) */
- };
- # endif
- 
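
Review bot: In the apps/speed.c part of the removed patch, the `ecdsa` branch loops with `for (i = R_EC_P224; i < R_EC_P521; i++)` while the `ecdh` branch and both default-selection loops use `i <= R_EC_P521`, so the `ecdsa` argument never sets `ecdsa_doit[R_EC_P521]`. The file is only being deleted here, so nothing in this commit needs to change, but any successor of the hobble-ecc patch should use `<=` in that loop. The added `if (0) {}` lines and the ecdh `for` line are also indented with a tab where the surrounding code uses spaces.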


* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
@ 2018-10-31  8:06 Lars Wendler
  0 siblings, 0 replies; 20+ messages in thread
From: Lars Wendler @ 2018-10-31  8:06 UTC (permalink / raw
  To: gentoo-commits

commit:     4fef1113c26ea7ac7fb9be6da77565310908e82a
Author:     Michael Mair-Keimberger <m.mairkeimberger <AT> gmail <DOT> com>
AuthorDate: Sun Sep 30 12:52:24 2018 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Wed Oct 31 08:06:10 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4fef1113

dev-libs/openssl: remove unused patches

Signed-off-by: Michael Mair-Keimberger <m.mairkeimberger <AT> gmail.com>
Closes: https://github.com/gentoo/gentoo/pull/10026
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>

 .../files/openssl-1.0.2o-CVE-2018-0732.patch       |  39 ---
 .../openssl/files/openssl-1.0.2o-hobble-ecc.patch  | 290 ---------------------
 2 files changed, 329 deletions(-)

diff --git a/dev-libs/openssl/files/openssl-1.0.2o-CVE-2018-0732.patch b/dev-libs/openssl/files/openssl-1.0.2o-CVE-2018-0732.patch
deleted file mode 100644
index 148e7c3bc1a..00000000000
--- a/dev-libs/openssl/files/openssl-1.0.2o-CVE-2018-0732.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 3984ef0b72831da8b3ece4745cac4f8575b19098 Mon Sep 17 00:00:00 2001
-From: Guido Vranken <guidovranken@gmail.com>
-Date: Mon, 11 Jun 2018 19:38:54 +0200
-Subject: [PATCH] Reject excessively large primes in DH key generation.
-
-CVE-2018-0732
-
-Signed-off-by: Guido Vranken <guidovranken@gmail.com>
-
-(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe)
-
-Reviewed-by: Tim Hudson <tjh@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/6457)
----
- crypto/dh/dh_key.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
-index 387558f1467..f235e0d682b 100644
---- a/crypto/dh/dh_key.c
-+++ b/crypto/dh/dh_key.c
-@@ -130,10 +130,15 @@ static int generate_key(DH *dh)
-     int ok = 0;
-     int generate_new_key = 0;
-     unsigned l;
--    BN_CTX *ctx;
-+    BN_CTX *ctx = NULL;
-     BN_MONT_CTX *mont = NULL;
-     BIGNUM *pub_key = NULL, *priv_key = NULL;
- 
-+    if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
-+        DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
-+        return 0;
-+    }
-+
-     ctx = BN_CTX_new();
-     if (ctx == NULL)
-         goto err;
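
Review bot: The commit message does not say which release made openssl-1.0.2o-CVE-2018-0732.patch redundant, and for a security backport that is worth recording. The file carries the `BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS` check in `generate_key()`, cherry-picked from upstream commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe; please state that every remaining dev-libs/openssl ebuild is based on a release that already contains that commit, so the removal can be verified from the log.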

diff --git a/dev-libs/openssl/files/openssl-1.0.2o-hobble-ecc.patch b/dev-libs/openssl/files/openssl-1.0.2o-hobble-ecc.patch
deleted file mode 100644
index e105fe45e45..00000000000
--- a/dev-libs/openssl/files/openssl-1.0.2o-hobble-ecc.patch
+++ /dev/null
@@ -1,290 +0,0 @@
-Port of Fedora's Hobble-EC patches for OpenSSL 1.0 series.
-
-From https://src.fedoraproject.org/git/rpms/openssl.git
-
-Contains parts of the following patches, rediffed. The patches are on various
-different branches.
-f23 openssl-1.0.2c-ecc-suiteb.patch
-f23 openssl-1.0.2a-fips-ec.patch
-f28 openssl-1.1.0-ec-curves.patch
-
-Signed-off-By: Robin H. Johnson <robbat2@gentoo.org>
-
-diff -Nuar --exclude ec_curve.c -p openssl-1.0.2m.hobble/apps/speed.c openssl-1.0.2m.mod/apps/speed.c
---- openssl-1.0.2m.hobble/apps/speed.c	2017-11-02 07:32:57.000000000 -0700
-+++ openssl-1.0.2m.mod/apps/speed.c	2018-06-10 19:00:09.264550382 -0700
-@@ -989,10 +989,7 @@ int MAIN(int argc, char **argv)
-         } else
- # endif
- # ifndef OPENSSL_NO_ECDSA
--        if (strcmp(*argv, "ecdsap160") == 0)
--            ecdsa_doit[R_EC_P160] = 2;
--        else if (strcmp(*argv, "ecdsap192") == 0)
--            ecdsa_doit[R_EC_P192] = 2;
-+	if (0) {}
-         else if (strcmp(*argv, "ecdsap224") == 0)
-             ecdsa_doit[R_EC_P224] = 2;
-         else if (strcmp(*argv, "ecdsap256") == 0)
-@@ -1001,36 +998,13 @@ int MAIN(int argc, char **argv)
-             ecdsa_doit[R_EC_P384] = 2;
-         else if (strcmp(*argv, "ecdsap521") == 0)
-             ecdsa_doit[R_EC_P521] = 2;
--        else if (strcmp(*argv, "ecdsak163") == 0)
--            ecdsa_doit[R_EC_K163] = 2;
--        else if (strcmp(*argv, "ecdsak233") == 0)
--            ecdsa_doit[R_EC_K233] = 2;
--        else if (strcmp(*argv, "ecdsak283") == 0)
--            ecdsa_doit[R_EC_K283] = 2;
--        else if (strcmp(*argv, "ecdsak409") == 0)
--            ecdsa_doit[R_EC_K409] = 2;
--        else if (strcmp(*argv, "ecdsak571") == 0)
--            ecdsa_doit[R_EC_K571] = 2;
--        else if (strcmp(*argv, "ecdsab163") == 0)
--            ecdsa_doit[R_EC_B163] = 2;
--        else if (strcmp(*argv, "ecdsab233") == 0)
--            ecdsa_doit[R_EC_B233] = 2;
--        else if (strcmp(*argv, "ecdsab283") == 0)
--            ecdsa_doit[R_EC_B283] = 2;
--        else if (strcmp(*argv, "ecdsab409") == 0)
--            ecdsa_doit[R_EC_B409] = 2;
--        else if (strcmp(*argv, "ecdsab571") == 0)
--            ecdsa_doit[R_EC_B571] = 2;
-         else if (strcmp(*argv, "ecdsa") == 0) {
--            for (i = 0; i < EC_NUM; i++)
-+            for (i = R_EC_P224; i < R_EC_P521; i++)
-                 ecdsa_doit[i] = 1;
-         } else
- # endif
- # ifndef OPENSSL_NO_ECDH
--        if (strcmp(*argv, "ecdhp160") == 0)
--            ecdh_doit[R_EC_P160] = 2;
--        else if (strcmp(*argv, "ecdhp192") == 0)
--            ecdh_doit[R_EC_P192] = 2;
-+	if (0) {}
-         else if (strcmp(*argv, "ecdhp224") == 0)
-             ecdh_doit[R_EC_P224] = 2;
-         else if (strcmp(*argv, "ecdhp256") == 0)
-@@ -1039,28 +1013,8 @@ int MAIN(int argc, char **argv)
-             ecdh_doit[R_EC_P384] = 2;
-         else if (strcmp(*argv, "ecdhp521") == 0)
-             ecdh_doit[R_EC_P521] = 2;
--        else if (strcmp(*argv, "ecdhk163") == 0)
--            ecdh_doit[R_EC_K163] = 2;
--        else if (strcmp(*argv, "ecdhk233") == 0)
--            ecdh_doit[R_EC_K233] = 2;
--        else if (strcmp(*argv, "ecdhk283") == 0)
--            ecdh_doit[R_EC_K283] = 2;
--        else if (strcmp(*argv, "ecdhk409") == 0)
--            ecdh_doit[R_EC_K409] = 2;
--        else if (strcmp(*argv, "ecdhk571") == 0)
--            ecdh_doit[R_EC_K571] = 2;
--        else if (strcmp(*argv, "ecdhb163") == 0)
--            ecdh_doit[R_EC_B163] = 2;
--        else if (strcmp(*argv, "ecdhb233") == 0)
--            ecdh_doit[R_EC_B233] = 2;
--        else if (strcmp(*argv, "ecdhb283") == 0)
--            ecdh_doit[R_EC_B283] = 2;
--        else if (strcmp(*argv, "ecdhb409") == 0)
--            ecdh_doit[R_EC_B409] = 2;
--        else if (strcmp(*argv, "ecdhb571") == 0)
--            ecdh_doit[R_EC_B571] = 2;
-         else if (strcmp(*argv, "ecdh") == 0) {
--            for (i = 0; i < EC_NUM; i++)
-+	    for (i = R_EC_P224; i <= R_EC_P521; i++)
-                 ecdh_doit[i] = 1;
-         } else
- # endif
-@@ -1149,21 +1103,13 @@ int MAIN(int argc, char **argv)
-             BIO_printf(bio_err, "dsa512   dsa1024  dsa2048\n");
- # endif
- # ifndef OPENSSL_NO_ECDSA
--            BIO_printf(bio_err, "ecdsap160 ecdsap192 ecdsap224 "
-+            BIO_printf(bio_err, "ecdsap224 "
-                        "ecdsap256 ecdsap384 ecdsap521\n");
--            BIO_printf(bio_err,
--                       "ecdsak163 ecdsak233 ecdsak283 ecdsak409 ecdsak571\n");
--            BIO_printf(bio_err,
--                       "ecdsab163 ecdsab233 ecdsab283 ecdsab409 ecdsab571\n");
-             BIO_printf(bio_err, "ecdsa\n");
- # endif
- # ifndef OPENSSL_NO_ECDH
--            BIO_printf(bio_err, "ecdhp160  ecdhp192  ecdhp224 "
-+            BIO_printf(bio_err, "ecdhp224 "
-                        "ecdhp256  ecdhp384  ecdhp521\n");
--            BIO_printf(bio_err,
--                       "ecdhk163  ecdhk233  ecdhk283  ecdhk409  ecdhk571\n");
--            BIO_printf(bio_err,
--                       "ecdhb163  ecdhb233  ecdhb283  ecdhb409  ecdhb571\n");
-             BIO_printf(bio_err, "ecdh\n");
- # endif
- 
-@@ -1242,11 +1188,11 @@ int MAIN(int argc, char **argv)
-         for (i = 0; i < DSA_NUM; i++)
-             dsa_doit[i] = 1;
- # ifndef OPENSSL_NO_ECDSA
--        for (i = 0; i < EC_NUM; i++)
-+        for (i = R_EC_P224; i <= R_EC_P521; i++)
-             ecdsa_doit[i] = 1;
- # endif
- # ifndef OPENSSL_NO_ECDH
--        for (i = 0; i < EC_NUM; i++)
-+        for (i = R_EC_P224; i <= R_EC_P521; i++)
-             ecdh_doit[i] = 1;
- # endif
-     }
-diff -Nuar --exclude ec_curve.c -p openssl-1.0.2m.hobble/crypto/ec/ecp_smpl.c openssl-1.0.2m.mod/crypto/ec/ecp_smpl.c
---- openssl-1.0.2m.hobble/crypto/ec/ecp_smpl.c	2017-11-02 07:32:57.000000000 -0700
-+++ openssl-1.0.2m.mod/crypto/ec/ecp_smpl.c	2018-06-10 18:45:36.909911848 -0700
-@@ -187,6 +187,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
-         return 0;
-     }
- 
-+    if (BN_num_bits(p) < 224) {
-+        ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD);
-+        return 0;
-+    }
-+
-     if (ctx == NULL) {
-         ctx = new_ctx = BN_CTX_new();
-         if (ctx == NULL)
-diff -Nuar --exclude ec_curve.c -p openssl-1.0.2m.hobble/ssl/t1_lib.c openssl-1.0.2m.mod/ssl/t1_lib.c
---- openssl-1.0.2m.hobble/ssl/t1_lib.c	2017-11-02 07:32:58.000000000 -0700
-+++ openssl-1.0.2m.mod/ssl/t1_lib.c	2018-06-10 18:46:55.329811812 -0700
-@@ -271,10 +271,7 @@ static const unsigned char eccurves_auto
-     0, 23,                      /* secp256r1 (23) */
-     /* Other >= 256-bit prime curves. */
-     0, 25,                      /* secp521r1 (25) */
--    0, 28,                      /* brainpool512r1 (28) */
--    0, 27,                      /* brainpoolP384r1 (27) */
-     0, 24,                      /* secp384r1 (24) */
--    0, 26,                      /* brainpoolP256r1 (26) */
-     0, 22,                      /* secp256k1 (22) */
- # ifndef OPENSSL_NO_EC2M
-     /* >= 256-bit binary curves. */
-@@ -292,10 +289,7 @@ static const unsigned char eccurves_all[
-     0, 23,                      /* secp256r1 (23) */
-     /* Other >= 256-bit prime curves. */
-     0, 25,                      /* secp521r1 (25) */
--    0, 28,                      /* brainpool512r1 (28) */
--    0, 27,                      /* brainpoolP384r1 (27) */
-     0, 24,                      /* secp384r1 (24) */
--    0, 26,                      /* brainpoolP256r1 (26) */
-     0, 22,                      /* secp256k1 (22) */
- # ifndef OPENSSL_NO_EC2M
-     /* >= 256-bit binary curves. */
-@@ -310,13 +304,6 @@ static const unsigned char eccurves_all[
-      * Remaining curves disabled by default but still permitted if set
-      * via an explicit callback or parameters.
-      */
--    0, 20,                      /* secp224k1 (20) */
--    0, 21,                      /* secp224r1 (21) */
--    0, 18,                      /* secp192k1 (18) */
--    0, 19,                      /* secp192r1 (19) */
--    0, 15,                      /* secp160k1 (15) */
--    0, 16,                      /* secp160r1 (16) */
--    0, 17,                      /* secp160r2 (17) */
- # ifndef OPENSSL_NO_EC2M
-     0, 8,                       /* sect239k1 (8) */
-     0, 6,                       /* sect233k1 (6) */
-@@ -351,29 +338,21 @@ static const unsigned char fips_curves_d
-     0, 9,                       /* sect283k1 (9) */
-     0, 10,                      /* sect283r1 (10) */
- #  endif
--    0, 22,                      /* secp256k1 (22) */
-     0, 23,                      /* secp256r1 (23) */
- #  ifndef OPENSSL_NO_EC2M
-     0, 8,                       /* sect239k1 (8) */
-     0, 6,                       /* sect233k1 (6) */
-     0, 7,                       /* sect233r1 (7) */
- #  endif
--    0, 20,                      /* secp224k1 (20) */
--    0, 21,                      /* secp224r1 (21) */
- #  ifndef OPENSSL_NO_EC2M
-     0, 4,                       /* sect193r1 (4) */
-     0, 5,                       /* sect193r2 (5) */
- #  endif
--    0, 18,                      /* secp192k1 (18) */
--    0, 19,                      /* secp192r1 (19) */
- #  ifndef OPENSSL_NO_EC2M
-     0, 1,                       /* sect163k1 (1) */
-     0, 2,                       /* sect163r1 (2) */
-     0, 3,                       /* sect163r2 (3) */
- #  endif
--    0, 15,                      /* secp160k1 (15) */
--    0, 16,                      /* secp160r1 (16) */
--    0, 17,                      /* secp160r2 (17) */
- };
- # endif
- 
-diff -up openssl-1.0.2a/crypto/ecdh/ecdhtest.c.fips-ec openssl-1.0.2a/crypto/ecdh/ecdhtest.c
---- openssl-1.0.2a/crypto/ecdh/ecdhtest.c.fips-ec	2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/ecdh/ecdhtest.c	2015-04-22 19:00:19.721884512 +0200
-@@ -501,11 +501,13 @@ int main(int argc, char *argv[])
-         goto err;
- 
-     /* NIST PRIME CURVES TESTS */
-+# if 0
-     if (!test_ecdh_curve
-         (NID_X9_62_prime192v1, "NIST Prime-Curve P-192", ctx, out))
-         goto err;
-     if (!test_ecdh_curve(NID_secp224r1, "NIST Prime-Curve P-224", ctx, out))
-         goto err;
-+# endif
-     if (!test_ecdh_curve
-         (NID_X9_62_prime256v1, "NIST Prime-Curve P-256", ctx, out))
-         goto err;
-@@ -536,13 +538,14 @@ int main(int argc, char *argv[])
-     if (!test_ecdh_curve(NID_sect571r1, "NIST Binary-Curve B-571", ctx, out))
-         goto err;
- # endif
-+# if 0
-     if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP256r1", 256))
-         goto err;
-     if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP384r1", 384))
-         goto err;
-     if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP512r1", 512))
-         goto err;
--
-+# endif
-     ret = 0;
- 
-  err:
-diff -up openssl-1.0.2a/crypto/ecdsa/ecdsatest.c.fips-ec openssl-1.0.2a/crypto/ecdsa/ecdsatest.c
---- openssl-1.0.2a/crypto/ecdsa/ecdsatest.c.fips-ec	2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/ecdsa/ecdsatest.c	2015-04-22 19:00:19.722884536 +0200
-@@ -138,11 +138,14 @@ int restore_rand(void)
- }
- 
- static int fbytes_counter = 0;
--static const char *numbers[8] = {
-+static const char *numbers[10] = {
-+    "651056770906015076056810763456358567190100156695615665659",
-     "651056770906015076056810763456358567190100156695615665659",
-     "6140507067065001063065065565667405560006161556565665656654",
-     "8763001015071075675010661307616710783570106710677817767166"
-         "71676178726717",
-+    "8763001015071075675010661307616710783570106710677817767166"
-+        "71676178726717",
-     "7000000175690566466555057817571571075705015757757057795755"
-         "55657156756655",
-     "1275552191113212300012030439187146164646146646466749494799",
-@@ -158,7 +161,7 @@ int fbytes(unsigned char *buf, int num)
-     int ret;
-     BIGNUM *tmp = NULL;
- 
--    if (fbytes_counter >= 8)
-+    if (fbytes_counter >= 10)
-         return 0;
-     tmp = BN_new();
-     if (!tmp)
-@@ -532,8 +535,10 @@ int main(void)
-     RAND_seed(rnd_seed, sizeof(rnd_seed));
- 
-     /* the tests */
-+# if 0
-     if (!x9_62_tests(out))
-         goto err;
-+# endif
-     if (!test_builtin(out))
-         goto err;
- 
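
Review bot: the file being deleted turned off upstream tests unconditionally with `# if 0` in ecdhtest.c (the P-192 and P-224 ECDH checks and the Brainpool KATs) and in ecdsatest.c (`x9_62_tests`), and it widened `numbers[]` from 8 to 10 entries with a matching hard-coded bound in `fbytes()`. Nothing in the visible part of the diff shows whether an ebuild still applies this patch, so check the remaining ebuilds' patch lists before merging. If a successor patch is kept for other versions, it should skip those tests based on the build configuration rather than a blanket `# if 0`, so that they run again as soon as the curves are enabled.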


* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
@ 2018-05-12 20:26 Robin H. Johnson
From: Robin H. Johnson @ 2018-05-12 20:26 UTC
  To: gentoo-commits

commit:     9fe32836f19db9b4c614e0e6d563ac267ba21e2f
Author:     Conrad Kostecki <conrad <AT> kostecki <DOT> com>
AuthorDate: Thu Apr 26 20:18:45 2018 +0000
Commit:     Robin H. Johnson <robbat2 <AT> gentoo <DOT> org>
CommitDate: Sat May 12 20:25:45 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9fe32836

dev-libs/openssl: use aarch64 machine for arm64 arch

Closes: https://bugs.gentoo.org/638926
Package-Manager: Portage-2.3.24, Repoman-2.3.6
(cherry picked from commit d1a9b4ac497aa915d51b40c56f160619c62b801a)
Signed-off-by: Robin H. Johnson <robbat2 <AT> gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/7306

 dev-libs/openssl/files/gentoo.config-1.0.2 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/dev-libs/openssl/files/gentoo.config-1.0.2 b/dev-libs/openssl/files/gentoo.config-1.0.2
index 37b83cc2e7b..d16175e6292 100644
--- a/dev-libs/openssl/files/gentoo.config-1.0.2
+++ b/dev-libs/openssl/files/gentoo.config-1.0.2
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# Copyright 1999-2017 Gentoo Foundation
+# Copyright 1999-2018 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 #
 # Openssl doesn't play along nicely with cross-compiling
@@ -81,8 +81,8 @@ chost_machine=${CHOST%%-*}
 case ${system} in
 linux)
 	case ${chost_machine}:${ABI} in
-		aarch64*be*)  machine="generic64 -DB_ENDIAN";;
-		aarch64*)     machine="generic64 -DL_ENDIAN";;
+		aarch64*be*)  machine="aarch64 -DB_ENDIAN";;
+		aarch64*)     machine="aarch64 -DL_ENDIAN";;
 		alphaev56*|\
 		alphaev[678]*)machine=alpha+bwx-${compiler};;
 		alpha*)       machine=alpha-${compiler};;
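
Review bot: in the `linux)` case, the `aarch64*be*` arm now selects the same `aarch64` machine as the little-endian arm and differs only by `-DB_ENDIAN`, but the commit message only speaks of arm64 in general. Please state whether the big-endian combination was built and tested with this target, or leave `aarch64*be*` on `generic64` until it has been.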


* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
@ 2018-05-04  7:18 Lars Wendler
From: Lars Wendler @ 2018-05-04  7:18 UTC
  To: gentoo-commits

commit:     78d4a40a859636e46a150be8f53817faabb29744
Author:     Michael Mair-Keimberger <m.mairkeimberger <AT> gmail <DOT> com>
AuthorDate: Sat Apr 28 07:58:59 2018 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Fri May  4 07:18:28 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=78d4a40a

dev-libs/openssl: remove unused patch

Closes: https://github.com/gentoo/gentoo/pull/8189

 .../files/openssl-1.1.0g-CVE-2017-3738.patch       | 77 ----------------------
 1 file changed, 77 deletions(-)

diff --git a/dev-libs/openssl/files/openssl-1.1.0g-CVE-2017-3738.patch b/dev-libs/openssl/files/openssl-1.1.0g-CVE-2017-3738.patch
deleted file mode 100644
index 4b01feb8e87..00000000000
--- a/dev-libs/openssl/files/openssl-1.1.0g-CVE-2017-3738.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From e502cc86df9dafded1694fceb3228ee34d11c11a Mon Sep 17 00:00:00 2001
-From: Andy Polyakov <appro@openssl.org>
-Date: Fri, 24 Nov 2017 11:35:50 +0100
-Subject: [PATCH] bn/asm/rsaz-avx2.pl: fix digit correction bug in
- rsaz_1024_mul_avx2.
-
-Credit to OSS-Fuzz for finding this.
-
-CVE-2017-3738
-
-Reviewed-by: Rich Salz <rsalz@openssl.org>
----
- crypto/bn/asm/rsaz-avx2.pl | 15 +++++++--------
- 1 file changed, 7 insertions(+), 8 deletions(-)
-
-diff --git a/crypto/bn/asm/rsaz-avx2.pl b/crypto/bn/asm/rsaz-avx2.pl
-index 0c1b236ef98..46d746b7d0e 100755
---- a/crypto/bn/asm/rsaz-avx2.pl
-+++ b/crypto/bn/asm/rsaz-avx2.pl
-@@ -246,7 +246,7 @@
- 	vmovdqu		32*8-128($ap), $ACC8
- 
- 	lea	192(%rsp), $tp0			# 64+128=192
--	vpbroadcastq	.Land_mask(%rip), $AND_MASK
-+	vmovdqu	.Land_mask(%rip), $AND_MASK
- 	jmp	.LOOP_GRANDE_SQR_1024
- 
- .align	32
-@@ -1077,10 +1077,10 @@
- 	vpmuludq	32*6-128($np),$Yi,$TEMP1
- 	vpaddq		$TEMP1,$ACC6,$ACC6
- 	vpmuludq	32*7-128($np),$Yi,$TEMP2
--	 vpblendd	\$3, $ZERO, $ACC9, $ACC9	# correct $ACC3
-+	 vpblendd	\$3, $ZERO, $ACC9, $TEMP1	# correct $ACC3
- 	vpaddq		$TEMP2,$ACC7,$ACC7
- 	vpmuludq	32*8-128($np),$Yi,$TEMP0
--	 vpaddq		$ACC9, $ACC3, $ACC3		# correct $ACC3
-+	 vpaddq		$TEMP1, $ACC3, $ACC3		# correct $ACC3
- 	vpaddq		$TEMP0,$ACC8,$ACC8
- 
- 	mov	%rbx, %rax
-@@ -1093,7 +1093,9 @@
- 	 vmovdqu	-8+32*2-128($ap),$TEMP2
- 
- 	mov	$r1, %rax
-+	 vpblendd	\$0xfc, $ZERO, $ACC9, $ACC9	# correct $ACC3
- 	imull	$n0, %eax
-+	 vpaddq		$ACC9,$ACC4,$ACC4		# correct $ACC3
- 	and	\$0x1fffffff, %eax
- 
- 	 imulq	16-128($ap),%rbx
-@@ -1329,15 +1331,12 @@
- #	But as we underutilize resources, it's possible to correct in
- #	each iteration with marginal performance loss. But then, as
- #	we do it in each iteration, we can correct less digits, and
--#	avoid performance penalties completely. Also note that we
--#	correct only three digits out of four. This works because
--#	most significant digit is subjected to less additions.
-+#	avoid performance penalties completely.
- 
- $TEMP0 = $ACC9;
- $TEMP3 = $Bi;
- $TEMP4 = $Yi;
- $code.=<<___;
--	vpermq		\$0, $AND_MASK, $AND_MASK
- 	vpaddq		(%rsp), $TEMP1, $ACC0
- 
- 	vpsrlq		\$29, $ACC0, $TEMP1
-@@ -1770,7 +1769,7 @@
- 
- .align	64
- .Land_mask:
--	.quad	0x1fffffff,0x1fffffff,0x1fffffff,-1
-+	.quad	0x1fffffff,0x1fffffff,0x1fffffff,0x1fffffff
- .Lscatter_permd:
- 	.long	0,2,4,6,7,7,7,7
- .Lgather_permd:
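
Review bot: the file removed here is, per its own header, the fix for CVE-2017-3738, yet the commit message only says "remove unused patch". For a security fix the message should record why it is unused, for example that the 1.1.0g ebuild it belonged to is gone or that the versions still in the tree already contain upstream commit e502cc86df9dafded1694fceb3228ee34d11c11a. That way the log shows the fix was not dropped from a version that still needs it.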


* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
@ 2016-08-26 17:56 Mike Gilbert
From: Mike Gilbert @ 2016-08-26 17:56 UTC
  To: gentoo-commits

commit:     8d3725cf907f13b2243a38cb2a55282db460279f
Author:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
AuthorDate: Fri Aug 26 17:56:14 2016 +0000
Commit:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Fri Aug 26 17:56:14 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8d3725cf

dev-libs/openssl: fix typo in patch filename

Package-Manager: portage-2.3.0_p22

 .../files/{openssl-1.1.01-ldflags.patch => openssl-1.1.0-ldflags.patch}   | 0
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/dev-libs/openssl/files/openssl-1.1.01-ldflags.patch b/dev-libs/openssl/files/openssl-1.1.0-ldflags.patch
similarity index 100%
rename from dev-libs/openssl/files/openssl-1.1.01-ldflags.patch
rename to dev-libs/openssl/files/openssl-1.1.0-ldflags.patch


* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
@ 2016-02-26 22:51 Doug Goldstein
From: Doug Goldstein @ 2016-02-26 22:51 UTC
  To: gentoo-commits

commit:     b59b7705da30eb4cf4eef69946757fe3d11b763f
Author:     Doug Goldstein <cardoe <AT> gentoo <DOT> org>
AuthorDate: Fri Feb 26 22:51:32 2016 +0000
Commit:     Doug Goldstein <cardoe <AT> gentoo <DOT> org>
CommitDate: Fri Feb 26 22:51:32 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b59b7705

dev-libs/openssl: remove no longer necessary file

Package-Manager: portage-2.2.26
Signed-off-by: Doug Goldstein <cardoe <AT> gentoo.org>

 dev-libs/openssl/files/gentoo.config-1.0.1 | 164 -----------------------------
 1 file changed, 164 deletions(-)

diff --git a/dev-libs/openssl/files/gentoo.config-1.0.1 b/dev-libs/openssl/files/gentoo.config-1.0.1
deleted file mode 100644
index 24c995a..0000000
--- a/dev-libs/openssl/files/gentoo.config-1.0.1
+++ /dev/null
@@ -1,164 +0,0 @@
-#!/usr/bin/env bash
-# Copyright 1999-2014 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-#
-# Openssl doesn't play along nicely with cross-compiling
-# like autotools based projects, so let's teach it new tricks.
-#
-# Review the bundled 'config' script to see why kind of targets
-# we can pass to the 'Configure' script.
-
-
-# Testing routines
-if [[ $1 == "test" ]] ; then
-	for c in \
-		"arm-gentoo-linux-uclibc      |linux-generic32 -DL_ENDIAN" \
-		"armv5b-linux-gnu             |linux-armv4 -DB_ENDIAN" \
-		"x86_64-pc-linux-gnu          |linux-x86_64" \
-		"alpha-linux-gnu              |linux-alpha-gcc" \
-		"alphaev56-unknown-linux-gnu  |linux-alpha+bwx-gcc" \
-		"i686-pc-linux-gnu            |linux-elf" \
-		"whatever-gentoo-freebsdX.Y   |BSD-generic32" \
-		"i686-gentoo-freebsdX.Y       |BSD-x86-elf" \
-		"sparc64-alpha-freebsdX.Y     |BSD-sparc64" \
-		"ia64-gentoo-freebsd5.99234   |BSD-ia64" \
-		"x86_64-gentoo-freebsdX.Y     |BSD-x86_64" \
-		"hppa64-aldsF-linux-gnu5.3    |linux-generic32 -DB_ENDIAN" \
-		"powerpc-gentOO-linux-uclibc  |linux-ppc" \
-		"powerpc64-unk-linux-gnu      |linux-ppc64" \
-		"x86_64-apple-darwinX         |darwin64-x86_64-cc" \
-		"powerpc64-apple-darwinX      |darwin64-ppc-cc" \
-		"i686-apple-darwinX           |darwin-i386-cc" \
-		"i386-apple-darwinX           |darwin-i386-cc" \
-		"powerpc-apple-darwinX        |darwin-ppc-cc" \
-		"i586-pc-winnt                |winnt-parity" \
-		"s390-ibm-linux-gnu           |linux-generic32 -DB_ENDIAN" \
-		"s390x-linux-gnu              |linux64-s390x" \
-	;do
-		CHOST=${c/|*}
-		ret_want=${c/*|}
-		ret_got=$(CHOST=${CHOST} "$0")
-
-		if [[ ${ret_want} == "${ret_got}" ]] ; then
-			echo "PASS: ${CHOST}"
-		else
-			echo "FAIL: ${CHOST}"
-			echo -e "\twanted: ${ret_want}"
-			echo -e "\twe got: ${ret_got}"
-		fi
-	done
-	exit 0
-fi
-[[ -z ${CHOST} && -n $1 ]] && CHOST=$1
-
-
-# Detect the operating system
-case ${CHOST} in
-	*-aix*)          system="aix";;
-	*-darwin*)       system="darwin";;
-	*-freebsd*)      system="BSD";;
-	*-hpux*)         system="hpux";;
-	*-linux*)        system="linux";;
-	*-solaris*)      system="solaris";;
-	*-winnt*)        system="winnt";;
-	x86_64-*-mingw*) system="mingw64";;
-	*mingw*)         system="mingw";;
-	*)               exit 0;;
-esac
-
-
-# Compiler munging
-compiler="gcc"
-if [[ ${CC} == "ccc" ]] ; then
-	compiler=${CC}
-fi
-
-
-# Detect target arch
-machine=""
-chost_machine=${CHOST%%-*}
-case ${system} in
-linux)
-	case ${chost_machine}:${ABI} in
-		aarch64*be)   machine="generic64 -DB_ENDIAN";;
-		aarch64*)     machine="generic64 -DL_ENDIAN";;
-		alphaev56*|\
-		alphaev[678]*)machine=alpha+bwx-${compiler};;
-		alpha*)       machine=alpha-${compiler};;
-		armv[4-9]*b*) machine="armv4 -DB_ENDIAN";;
-		armv[4-9]*)   machine="armv4 -DL_ENDIAN";;
-		arm*b*)       machine="generic32 -DB_ENDIAN";;
-		arm*)         machine="generic32 -DL_ENDIAN";;
-		avr*)         machine="generic32 -DL_ENDIAN";;
-		bfin*)        machine="generic32 -DL_ENDIAN";;
-	#	hppa64*)      machine=parisc64;;
-		hppa*)        machine="generic32 -DB_ENDIAN";;
-		i[0-9]86*|\
-		x86_64*:x86)  machine=elf;;
-		ia64*)        machine=ia64;;
-		m68*)         machine="generic32 -DB_ENDIAN";;
-		mips*el*)     machine="generic32 -DL_ENDIAN";;
-		mips*)        machine="generic32 -DB_ENDIAN";;
-		powerpc64*le) machine="generic64 -DL_ENDIAN";;
-		powerpc64*)   machine=ppc64;;
-		powerpc*le)   machine="generic32 -DL_ENDIAN";;
-		powerpc*)     machine=ppc;;
-	#	sh64*)        machine=elf;;
-		sh*b*)        machine="generic32 -DB_ENDIAN";;
-		sh*)          machine="generic32 -DL_ENDIAN";;
-		sparc*v7*)    machine="generic32 -DB_ENDIAN";;
-		sparc64*)     machine=sparcv9;;
-		sparc*)       machine=sparcv8;;
-		s390x*)       machine=s390x system=linux64;;
-		s390*)        machine="generic32 -DB_ENDIAN";;
-		x86_64*:x32)  machine=x32;;
-		x86_64*)      machine=x86_64;;
-	esac
-	;;
-BSD)
-	case ${chost_machine} in
-		alpha*)       machine=generic64;;
-		i[6-9]86*)    machine=x86-elf;;
-		ia64*)        machine=ia64;;
-		sparc64*)     machine=sparc64;;
-		x86_64*)      machine=x86_64;;
-		*)            machine=generic32;;
-	esac
-	;;
-aix)
-	machine=${compiler}
-	;;
-darwin)
-	case ${chost_machine} in
-		powerpc64)    machine=ppc-cc; system=${system}64;;
-		powerpc)      machine=ppc-cc;;
-		i?86*)        machine=i386-cc;;
-		x86_64)       machine=x86_64-cc; system=${system}64;;
-	esac
-	;;
-hpux)
-	case ${chost_machine} in
-		ia64)	machine=ia64-${compiler} ;;
-	esac
-	;;
-solaris)
-	case ${chost_machine} in
-		i386)         machine=x86-${compiler} ;;
-		x86_64*)      machine=x86_64-${compiler}; system=${system}64;;
-		sparcv9*)     machine=sparcv9-${compiler}; system=${system}64;;
-		sparc*)       machine=sparcv8-${compiler};;
-	esac
-	;;
-winnt)
-	machine=parity
-	;;
-mingw*)
-	# special case ... no xxx-yyy style name
-	echo ${system}
-	;;
-esac
-
-
-# If we have something, show it
-[[ -n ${machine} ]] && echo ${system}-${machine}
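
Review bot: "remove no longer necessary file" does not say what made `gentoo.config-1.0.1` unnecessary; naming the last ebuild that used it would let the deletion be checked from the log alone. The script also carries its own CHOST self-test table under the `test` argument, so confirm that the config script still in use covers the same targets (for example the `s390x`, `x32` and darwin cases) before this copy goes.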


* [gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/files/
@ 2016-01-17  9:01 Mike Frysinger
From: Mike Frysinger @ 2016-01-17  9:01 UTC
  To: gentoo-commits

commit:     01322765ce0ea72a84f0a4065cbd47e1a750f2c4
Author:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Sun Jan 17 08:44:54 2016 +0000
Commit:     Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Sun Jan 17 09:00:28 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=01322765

dev-libs/openssl: fix sparc builds (mostly 64-bit)

 dev-libs/openssl/files/gentoo.config-1.0.2 | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/dev-libs/openssl/files/gentoo.config-1.0.2 b/dev-libs/openssl/files/gentoo.config-1.0.2
index b3f6ced..0528c1c 100755
--- a/dev-libs/openssl/files/gentoo.config-1.0.2
+++ b/dev-libs/openssl/files/gentoo.config-1.0.2
@@ -108,8 +108,13 @@ linux)
 	#	sh64*)        machine=elf;;
 		sh*b*)        machine="generic32 -DB_ENDIAN";;
 		sh*)          machine="generic32 -DL_ENDIAN";;
+		# TODO: Might want to do -mcpu probing like glibc to determine a
+		# better default for sparc-linux-gnu targets.  This logic will
+		# break v7 and older systems when they use it.
 		sparc*v7*)    machine="generic32 -DB_ENDIAN";;
-		sparc64*)     machine=sparcv9;;
+		sparc64*)     machine=sparcv9 system=linux64;;
+		sparc*v9*)    machine=sparcv9;;
+		sparc*v8*)    machine=sparcv8;;
 		sparc*)       machine=sparcv8;;
 		s390x*)       machine=s390x system=linux64;;
 		s390*)        machine="generic32 -DB_ENDIAN";;
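
Review bot: the added `sparc*v8*)` arm is redundant, because the existing `sparc*)` catch-all directly below it yields the same `machine=sparcv8`; drop it, or say in a comment why it is kept. The TODO about breaking v7 and older systems describes that catch-all default, so it would read better placed directly above `sparc*)` than above the `sparc*v7*` arm. The commit message should also say why `sparc64*` gets `system=linux64` while `sparc*v9*` does not.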

