diff options
author | Doug Goldstein <cardoe@gentoo.org> | 2008-03-25 00:27:16 +0000 |
---|---|---|
committer | Doug Goldstein <cardoe@gentoo.org> | 2008-03-25 00:27:16 +0000 |
commit | a82931a9be766f27ca607d0be7f64e40ab97d2d0 (patch) | |
tree | 583d362be9f1cd452edac3c55822f0f3d26f2461 | |
parent | get the list of services from the default boot runlevel rather than maintaini... (diff) | |
download | gentoo-2-a82931a9be766f27ca607d0be7f64e40ab97d2d0.tar.gz gentoo-2-a82931a9be766f27ca607d0be7f64e40ab97d2d0.tar.bz2 gentoo-2-a82931a9be766f27ca607d0be7f64e40ab97d2d0.zip |
Patch from OpenSSL's bug tracker not to send TLS Extensions on SSLv3 only connections, while not explicitly against the SSL spec, several SSL implementations can not handle it. Patch by Kaspar Brand <ossl-rt@velox.ch> from http://rt.openssl.org/Ticket/Display.html?id=1629. Resolves bug #198914
(Portage version: 2.1.4.4)
-rw-r--r-- | dev-libs/openssl/ChangeLog | 14 | ||||
-rw-r--r-- | dev-libs/openssl/files/openssl-0.9.8g-sslv3-no-tlsext.patch | 28 | ||||
-rw-r--r-- | dev-libs/openssl/openssl-0.9.8g-r1.ebuild | 188 |
3 files changed, 228 insertions, 2 deletions
diff --git a/dev-libs/openssl/ChangeLog b/dev-libs/openssl/ChangeLog index dec809403b64..c34e44e9ad9b 100644 --- a/dev-libs/openssl/ChangeLog +++ b/dev-libs/openssl/ChangeLog @@ -1,6 +1,16 @@ # ChangeLog for dev-libs/openssl -# Copyright 1999-2007 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/ChangeLog,v 1.257 2007/12/24 17:22:17 vapier Exp $ +# Copyright 1999-2008 Gentoo Foundation; Distributed under the GPL v2 +# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/ChangeLog,v 1.258 2008/03/25 00:27:14 cardoe Exp $ + +*openssl-0.9.8g-r1 (25 Mar 2008) + + 25 Mar 2008; Doug Goldstein <cardoe@gentoo.org> + +files/openssl-0.9.8g-sslv3-no-tlsext.patch, +openssl-0.9.8g-r1.ebuild: + Patch from OpenSSL's bug tracker not to send TLS Extensions on SSLv3 only + connections, while not explicitly against the SSL spec, several SSL + implementations can not handle it. Patch by Kaspar Brand + <ossl-rt@velox.ch> from http://rt.openssl.org/Ticket/Display.html?id=1629. + Resolves bug #198914 24 Dec 2007; Mike Frysinger <vapier@gentoo.org> openssl-0.9.8g.ebuild: Dont force src_test any longer as things seem to be sane. diff --git a/dev-libs/openssl/files/openssl-0.9.8g-sslv3-no-tlsext.patch b/dev-libs/openssl/files/openssl-0.9.8g-sslv3-no-tlsext.patch new file mode 100644 index 000000000000..4c3cd06f16eb --- /dev/null +++ b/dev-libs/openssl/files/openssl-0.9.8g-sslv3-no-tlsext.patch @@ -0,0 +1,28 @@ +ndex: ssl/t1_lib.c +=================================================================== +RCS file: /home/ossl-cvs/openssl/ssl/t1_lib.c,v +retrieving revision 1.51 +diff -p -u -r1.51 t1_lib.c +--- ssl/t1_lib.c 26 Oct 2007 12:06:35 -0000 1.51 ++++ ssl/t1_lib.c 26 Feb 2008 18:02:50 -0000 +@@ -267,6 +267,10 @@ unsigned char *ssl_add_clienthello_tlsex + int extdatalen=0; + unsigned char *ret = p; + ++ /* don't add extensions for SSLv3 */ ++ if (s->client_version == SSL3_VERSION) ++ return p; ++ + ret+=2; + + if (ret>=limit) return NULL; /* this really never occurs, but ... */ +@@ -448,6 +452,10 @@ unsigned char *ssl_add_serverhello_tlsex + int extdatalen=0; + unsigned char *ret = p; + ++ /* don't add extensions for SSLv3 */ ++ if (s->version == SSL3_VERSION) ++ return p; ++ + ret+=2; + if (ret>=limit) return NULL; /* this really never occurs, but ... */ diff --git a/dev-libs/openssl/openssl-0.9.8g-r1.ebuild b/dev-libs/openssl/openssl-0.9.8g-r1.ebuild new file mode 100644 index 000000000000..ae5fa58b84bb --- /dev/null +++ b/dev-libs/openssl/openssl-0.9.8g-r1.ebuild @@ -0,0 +1,188 @@ +# Copyright 1999-2008 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/openssl-0.9.8g-r1.ebuild,v 1.1 2008/03/25 00:27:14 cardoe Exp $ + +inherit eutils flag-o-matic toolchain-funcs + +DESCRIPTION="Toolkit for SSL v2/v3 and TLS v1" +HOMEPAGE="http://www.openssl.org/" +SRC_URI="mirror://openssl/source/${P}.tar.gz" + +LICENSE="openssl" +SLOT="0" +KEYWORDS="-* ~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~sparc-fbsd ~x86 ~x86-fbsd" +IUSE="bindist emacs gmp kerberos sse2 test zlib" + +RDEPEND="gmp? ( dev-libs/gmp ) + zlib? ( sys-libs/zlib ) + kerberos? ( app-crypt/mit-krb5 )" +DEPEND="${RDEPEND} + sys-apps/diffutils + >=dev-lang/perl-5 + test? ( sys-devel/bc )" +PDEPEND="app-misc/ca-certificates" + +src_unpack() { + unpack ${A} + cd "${S}" + + epatch "${FILESDIR}"/${PN}-0.9.7e-gentoo.patch + epatch "${FILESDIR}"/${PN}-0.9.7-alpha-default-gcc.patch + epatch "${FILESDIR}"/${PN}-0.9.8b-parallel-build.patch + epatch "${FILESDIR}"/${PN}-0.9.8-make-engines-dir.patch + epatch "${FILESDIR}"/${PN}-0.9.8-toolchain.patch + epatch "${FILESDIR}"/${PN}-0.9.8b-doc-updates.patch + epatch "${FILESDIR}"/${PN}-0.9.8-makedepend.patch #149583 + epatch "${FILESDIR}"/${PN}-0.9.8e-make.patch #146316 + epatch "${FILESDIR}"/${PN}-0.9.8e-bsd-sparc64.patch + epatch "${FILESDIR}"/${PN}-0.9.8g-sslv3-no-tlsext.patch + + # allow openssl to be cross-compiled + cp "${FILESDIR}"/gentoo.config-0.9.8 gentoo.config || die "cp cross-compile failed" + chmod a+rx gentoo.config + + # Don't build manpages if we don't want them + has noman FEATURES \ + && sed -i '/^install:/s:install_docs::' Makefile.org \ + || sed -i '/^MANDIR=/s:=.*:=/usr/share/man:' Makefile.org + + # Try to derice users and work around broken ass toolchains + if [[ $(gcc-major-version) == "3" ]] ; then + filter-flags -fprefetch-loop-arrays -freduce-all-givs -funroll-loops + [[ $(tc-arch) == "ppc64" ]] && replace-flags -O? -O + fi + [[ $(tc-arch) == ppc* ]] && append-flags -fno-strict-aliasing + append-flags -Wa,--noexecstack + + # using a library directory other than lib requires some magic + sed -i \ + -e "s+\(\$(INSTALL_PREFIX)\$(INSTALLTOP)\)/lib+\1/$(get_libdir)+g" \ + -e "s+libdir=\$\${exec_prefix}/lib+libdir=\$\${exec_prefix}/$(get_libdir)+g" \ + Makefile.org engines/Makefile \ + || die "sed failed" + ./config --test-sanity || die "I AM NOT SANE" +} + +src_compile() { + unset APPS #197996 + + tc-export CC AR RANLIB + + # Clean out patent-or-otherwise-encumbered code + # Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher) + # IDEA: 5,214,703 25/05/2010 http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm + # EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography + # MDC2: Expired http://en.wikipedia.org/wiki/MDC-2 + # RC5: 5,724,428 03/03/2015 http://en.wikipedia.org/wiki/RC5 + + use_ssl() { use $1 && echo "enable-${2:-$1} ${*:3}" || echo "no-${2:-$1}" ; } + echoit() { echo "$@" ; "$@" ; } + + local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") + + local sslout=$(./gentoo.config) + einfo "Use configuration ${sslout:-(openssl knows best)}" + local config="Configure" + [[ -z ${sslout} ]] && config="config" + echoit \ + ./${config} \ + ${sslout} \ + $(use sse2 || echo "no-sse2") \ + enable-camellia \ + $(use_ssl !bindist ec) \ + $(use_ssl !bindist idea) \ + enable-mdc2 \ + $(use_ssl !bindist rc5) \ + enable-tlsext \ + $(use_ssl gmp) \ + $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \ + $(use_ssl zlib) \ + $(use_ssl zlib zlib-dynamic) \ + --prefix=/usr \ + --openssldir=/etc/ssl \ + shared threads \ + || die "Configure failed" + + # Clean out hardcoded flags that openssl uses + local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \ + -e 's:^CFLAG=::' \ + -e 's:-fomit-frame-pointer ::g' \ + -e 's:-O[0-9] ::g' \ + -e 's:-march=[-a-z0-9]* ::g' \ + -e 's:-mcpu=[-a-z0-9]* ::g' \ + -e 's:-m[a-z0-9]* ::g' \ + ) + sed -i \ + -e "/^CFLAG/s:=.*:=${CFLAG} ${CFLAGS}:" \ + -e "/^SHARED_LDFLAGS=/s:$: ${LDFLAGS}:" \ + Makefile || die + + # depend is needed to use $confopts + # rehash is needed to prep the certs/ dir + emake -j1 depend || die "depend failed" + emake all rehash || die "make all failed" +} + +src_test() { + # make sure sandbox doesnt die on *BSD + addpredict /dev/crypto + + emake -j1 test || die "make test failed" +} + +src_install() { + emake -j1 INSTALL_PREFIX="${D}" install || die + dodoc CHANGES* FAQ NEWS README doc/*.txt + dohtml doc/* + + if use emacs ; then + insinto /usr/share/emacs/site-lisp + doins doc/c-indentation.el + fi + + # create the certs directory + dodir /etc/ssl/certs + cp -RP certs/* "${D}"/etc/ssl/certs/ || die "failed to install certs" + rm -r "${D}"/etc/ssl/certs/{demo,expired} + + # Namespace openssl programs to prevent conflicts with other man pages + cd "${D}"/usr/share/man + local m d s + for m in $(find . -type f | xargs grep -L '#include') ; do + d=${m%/*} ; d=${d#./} ; m=${m##*/} + [[ ${m} == openssl.1* ]] && continue + [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!" + mv ${d}/{,ssl-}${m} + ln -s ssl-${m} ${d}/openssl-${m} + # locate any symlinks that point to this man page ... we assume + # that any broken links are due to the above renaming + for s in $(find -L ${d} -type l) ; do + s=${s##*/} + rm -f ${d}/${s} + ln -s ssl-${m} ${d}/ssl-${s} + ln -s ssl-${s} ${d}/openssl-${s} + done + done + [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :(" + + diropts -m0700 + keepdir /etc/ssl/private +} + +pkg_preinst() { + preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.{6,7} +} + +pkg_postinst() { + preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.{6,7} + + if [[ ${CHOST} == i686* ]] ; then + ewarn "Due to the way openssl is architected, you cannot" + ewarn "switch between optimized versions without breaking" + ewarn "ABI. The default i686 0.9.8 ABI was an unoptimized" + ewarn "version with horrible performance. This version uses" + ewarn "the optimized ABI. If you experience segfaults when" + ewarn "using ssl apps (like openssh), just re-emerge the" + ewarn "offending package." + fi +} |