Merge branch 'openssl-11' into next

Michael Tremer
2018-02-21 12:21:10 +00:00
32 changed files with 9613 additions and 472 deletions


@@ -0,0 +1,90 @@
#!/bin/bash
###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2018 IPFire Team <erik.kapfer@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
###############################################################################
# #
# Script Location/Name: /etc/fcron.daily/openvpn-crl-updater #
# #
# Description: This script checks the "Next Update:" field of the CRL #
# and renews it if needed, which prevents the expiration of OpenVPNs CRL. #
# With OpenVPN 2.4.x the CRL handling has been refactored, #
# whereby the verification logic has been removed #
# from ssl_verify_<backend>.c . #
# #
# Run Information: If OpenVPNs CRL is present, #
# this script provides a cronjob which checks daily if an update #
# of the CRL is needed. If the expiring date reaches the value #
# (defined in the 'UPDATE' variable in days) before the CRL expiration, #
# an openssl command will be executed to renew the CRL. #
# Script execution will be logged into /var/log/messages. #
# #
###############################################################################
## Paths
OVPN="/var/ipfire/ovpn"
CRL="${OVPN}/crls/cacrl.pem"
CAKEY="${OVPN}/ca/cakey.pem"
CACERT="${OVPN}/ca/cacert.pem"
OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"
# Check if CRL is presant or if OpenVPN is active
if [ ! -e "${CAKEY}" ]; then
exit 0;
fi
## Values
# Actual time in epoch format
NOW="$(date +%s)"
# Investigate CRLs 'Next Update' date
EXPIRES_CRL="$(openssl crl -in "${CRL}" -text | grep -oP 'Next Update: *\K.*')"
# Convert 'Next Update:' date from epoch to seconds
EXPIRES_AT="$(date -d "${EXPIRES_CRL}" "+%s")"
# Seconds left until CRL expires
EXPIRINGDATEINSEC="$(( EXPIRES_AT - NOW ))"
# Day in seconds to calculate
DAYINSEC="86400"
# Convert seconds to days
NEXTUPDATE="$(( EXPIRINGDATEINSEC / DAYINSEC ))"
# Update of the CRL in days before CRL expiring date
UPDATE="14"
## Mainpart
# Check if OpenVPNs CRL needs to be renewed
if [ ${NEXTUPDATE} -le ${UPDATE} ]; then
if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
logger -t openvpn "CRL has been updated"
else
logger -t openvpn "error: Could not update CRL"
fi
fi
exit 0
# EOF
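Review bot: A missing or unparseable `${CRL}` is never detected, because the guard at the top tests `${CAKEY}` (its comment speaks of the CRL) and the result of `openssl crl ... | grep` is used unchecked; with an empty `EXPIRES_CRL` the arithmetic runs on whatever `date -d ""` returns. Check the value before converting it, e.g. `[ -n "${EXPIRES_CRL}" ] || logger -t openvpn "error: Could not read Next Update from CRL"`, and decide explicitly whether to regenerate in that case. `openssl ca -gencrl` also writes directly to `-out "${CRL}"`; writing to a temporary file in the same directory and moving it over `${CRL}` only after a successful exit would keep the CRL that OpenVPN reads from being left incomplete if the command fails part-way. The test `[ ${NEXTUPDATE} -le ${UPDATE} ]` should quote both variables.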


@@ -1,3 +1,4 @@
etc/rc.d/init.d/cyrus-sasl
#usr/include/sasl
#usr/include/sasl/hmac-md5.h
#usr/include/sasl/md5.h
@@ -24,10 +25,6 @@ usr/lib/sasl2/libcrammd5.so.3.0.0
usr/lib/sasl2/libdigestmd5.so
usr/lib/sasl2/libdigestmd5.so.3
usr/lib/sasl2/libdigestmd5.so.3.0.0
#usr/lib/sasl2/libotp.la
usr/lib/sasl2/libotp.so
usr/lib/sasl2/libotp.so.3
usr/lib/sasl2/libotp.so.3.0.0
#usr/lib/sasl2/libplain.la
usr/lib/sasl2/libplain.so
usr/lib/sasl2/libplain.so.3
@@ -94,4 +91,3 @@ usr/sbin/testsaslauthd
#usr/share/man/man8/sasldblistusers2.8
#usr/share/man/man8/saslpasswd2.8
var/lib/sasl
etc/rc.d/init.d/cyrus-sasl


@@ -1 +1 @@
usr/lib/sse2/libcrypto.so.10
usr/lib/sse2/libcrypto.so.1.1

File diff suppressed because it is too large Load Diff


@@ -0,0 +1,2 @@
usr/lib/libcrypto.so.10
usr/lib/libssl.so.10


@@ -1,3 +1,5 @@
etc/fcron.daily/openvpn-crl-updater
#usr/include/openvpn-msg.h
#usr/include/openvpn-plugin.h
#usr/lib/openvpn
#usr/lib/openvpn/plugins
@@ -10,11 +12,12 @@ usr/sbin/openvpn
#usr/share/doc/openvpn
#usr/share/doc/openvpn/COPYING
#usr/share/doc/openvpn/COPYRIGHT.GPL
#usr/share/doc/openvpn/Changes.rst
#usr/share/doc/openvpn/README
#usr/share/doc/openvpn/README.IPv6
#usr/share/doc/openvpn/README.auth-pam
#usr/share/doc/openvpn/README.down-root
#usr/share/doc/openvpn/README.polarssl
#usr/share/doc/openvpn/README.mbedtls
#usr/share/doc/openvpn/management-notes.txt
#usr/share/man/man8/openvpn.8
var/ipfire/ovpn/ca


@@ -0,0 +1,3 @@
#usr/lib/python2.7/site-packages/typing-3.6.1-py2.7.egg-info
#usr/lib/python2.7/site-packages/typing.py
#usr/lib/python2.7/site-packages/typing.pyc


@@ -82,12 +82,12 @@ usr/lib/libk5crypto.so.3
usr/lib/libk5crypto.so.3.1
#usr/lib/libkadm5clnt.so
#usr/lib/libkadm5clnt_mit.so
usr/lib/libkadm5clnt_mit.so.10
usr/lib/libkadm5clnt_mit.so.10.0
usr/lib/libkadm5clnt_mit.so.11
usr/lib/libkadm5clnt_mit.so.11.0
#usr/lib/libkadm5srv.so
#usr/lib/libkadm5srv_mit.so
usr/lib/libkadm5srv_mit.so.10
usr/lib/libkadm5srv_mit.so.10.0
usr/lib/libkadm5srv_mit.so.11
usr/lib/libkadm5srv_mit.so.11.0
#usr/lib/libkdb5.so
usr/lib/libkdb5.so.8
usr/lib/libkdb5.so.8.0


@@ -216,7 +216,7 @@ sub writeserverconf {
print CONF "dev tun\n";
print CONF "proto $sovpnsettings{'DPROTOCOL'}\n";
print CONF "port $sovpnsettings{'DDEST_PORT'}\n";
print CONF "script-security 3 system\n";
print CONF "script-security 3\n";
print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600\n";
print CONF "client-config-dir /var/ipfire/ovpn/ccd\n";
print CONF "tls-server\n";
@@ -289,6 +289,7 @@ sub writeserverconf {
}
print CONF "status-version 1\n";
print CONF "status /var/run/ovpnserver.log 30\n";
print CONF "ncp-disable\n";
print CONF "cipher $sovpnsettings{DCIPHER}\n";
if ($sovpnsettings{'DAUTH'} eq '') {
print CONF "";
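Review bot: `print CONF "ncp-disable\n";` switches off cipher negotiation for every client, so the data-channel cipher is whatever `$sovpnsettings{DCIPHER}` holds, including any legacy cipher an existing configuration still carries, and nothing in the hunk records why. The +/- markers are lost on this page; I am assuming this is the one line the second hunk adds. Put a comment above it stating the reason and the consequence, e.g. `# NCP disabled: all clients use the cipher selected in DCIPHER (reason: <compatibility note>)`. writeserverconf starts and ends outside both hunks, so any later handling of the cipher is not visible here.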


@@ -24,7 +24,7 @@
include Config
VER = 1.55
VER = 1.82
THISAPP = Net-SSLeay-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = 473b8d66ca69d5784bb0e428721f58e0
$(DL_FILE)_MD5 = 2170469d929d5173bacffd0cb2d7fafa
install : $(TARGET)


@@ -90,7 +90,8 @@ ifeq "$(PASS)" ""
cd $(DIR_APP) && ./configure --prefix=/usr --sysconfdir=/etc \
--with-dbpath=/var/lib/sasl/sasldb2 \
--with-saslauthd=/var/run/saslauthd \
--with-des=no --with-rc4=no
--with-des=no --with-rc4=no \
--disable-otp
cd $(DIR_APP) && make
cd $(DIR_APP) && make install
install -v -m700 -d /var/lib/sasl


@@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = elinks
PAK_VER = 5
PAK_VER = 6
DEPS = ""
@@ -78,6 +78,8 @@ dist:
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/elinks-0.12pre6-openssl11.patch
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/elinks-0.11.0-ssl-noegd.patch
cd $(DIR_APP) && ./configure
cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE)
cd $(DIR_APP) && make install


@@ -24,7 +24,7 @@
include Config
VER = 1.14.4
VER = 1.15.2
THISAPP = krb5-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)/src
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = krb5
PAK_VER = 2
PAK_VER = 3
DEPS = ""
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = ba90f5701fc2dda76133c1f34ba4ee80
$(DL_FILE)_MD5 = b160f72161c730897dc7689f876b6e2a
install : $(TARGET)


@@ -24,7 +24,7 @@
include Config
VER = 7.12
VER = 7.60
THISAPP = ncat-$(VER)
DL_FILE = nmap-$(VER).tar.bz2
@@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/nmap-$(VER)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = ncat
PAK_VER = 1
PAK_VER = 2
DEPS = ""
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = 0764f4dabe7cccda3c49fc3990b62a8a
$(DL_FILE)_MD5 = 4e454266559ddf2c4e2109866c62560c
install : $(TARGET)


@@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = netsnmpd
PAK_VER = 5
PAK_VER = 6
DEPS = ""
###############################################################################
@@ -76,6 +76,7 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/net-snmp-5.7.3-openssl.patch
cd $(DIR_APP) && ./configure \
--prefix=/usr \
--with-default-snmp-version="2" \


@@ -70,6 +70,7 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssh-7.6p1-openssl-1.1.0.patch
cd $(DIR_APP) && sed -i "s/lkrb5 -ldes/lkrb5/" configure
cd $(DIR_APP) && ./configure \
--prefix=/usr \


@@ -24,7 +24,7 @@
include Config
VER = 1.0.2n
VER = 1.1.0g
THISAPP = openssl-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -33,15 +33,11 @@ DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)$(KCFG)
ifneq "$(KCFG)" "-sse2"
CFLAGS += -DPURIFY
else
CFLAGS =-O2 -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fPIC
CFLAGS+= -mindirect-branch=thunk -mfunction-return=thunk
CFLAGS+= -fstack-protector-all --param=ssp-buffer-size=4
CFLAGS+= -march=i686 -mmmx -msse -msse2 -mfpmath=sse
CFLAGS+= -fomit-frame-pointer -DPURIFY
CXXFLAGS="${CFLAGS}"
CFLAGS += -DPURIFY -Wa,--noexecstack
# Enable SSE2 for this build
ifeq "$(KCFG)" "-sse2"
CFLAGS+= -march=i686 -mmmx -msse -msse2 -mfpmath=sse
endif
export RPM_OPT_FLAGS = $(CFLAGS)
@@ -49,20 +45,18 @@ export RPM_OPT_FLAGS = $(CFLAGS)
CONFIGURE_OPTIONS = \
--prefix=/usr \
--openssldir=/etc/ssl \
--enginesdir=/usr/lib/openssl/engines \
shared \
zlib-dynamic \
enable-camellia \
enable-md2 \
disable-ssl2 \
enable-seed \
enable-tlsext \
enable-rfc3779 \
enable-ssl3 \
enable-ssl3-method \
no-idea \
no-mdc2 \
no-rc5 \
no-srp \
-DSSL_FORBID_ENULL \
$(OPENSSL_ARCH)
ifeq "$(IS_64BIT)" "1"
@@ -95,7 +89,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = 13bdc1b1d1ff39b6fd42a255e74676a4
$(DL_FILE)_MD5 = ba5f1b8b835b88cadbce9b35ed9531a6
install : $(TARGET)
@@ -125,20 +119,7 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.0-beta5-enginesdir.patch
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2a-rpmbuild.patch
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2h-weak-ciphers.patch
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2g-disable-sslv2v3.patch
# i586 specific patches
ifeq "$(BUILD_ARCH)" "i586"
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2a_auto_enable_padlock.patch
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2a_disable_ssse3_for_amd.patch
endif
# With openssl 1.0.2e, pod2mantest is missing
echo -e "#!/bin/bash\necho \$$(which pod2man)" > $(DIR_APP)/util/pod2mantest
chmod a+x $(DIR_APP)/util/pod2mantest
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.0-disable-ssl3.patch
# Apply our CFLAGS
cd $(DIR_APP) && sed -i Configure \
@@ -147,7 +128,8 @@ endif
cd $(DIR_APP) && find crypto/ -name Makefile -exec \
sed 's/^ASFLAGS=/&-Wa,--noexecstack /' -i {} \;
cd $(DIR_APP) && ./Configure $(CONFIGURE_OPTIONS)
cd $(DIR_APP) && ./Configure $(CONFIGURE_OPTIONS) \
$(CFLAGS) $(LDFLAGS)
cd $(DIR_APP) && make depend
cd $(DIR_APP) && make
@@ -155,19 +137,11 @@ endif
ifeq "$(KCFG)" "-sse2"
-mkdir -pv /usr/lib/sse2
cd $(DIR_APP) && install -m 755 \
libcrypto.so.10 /usr/lib/sse2
libcrypto.so.1.1 /usr/lib/sse2
else
# Install everything.
cd $(DIR_APP) && make install
install -m 0644 $(DIR_SRC)/config/ssl/openssl.cnf /etc/ssl
# Remove man pages.
-rm -vfr /etc/ssl/man
# Move engines to the right place.
-mkdir -pv /usr/lib/openssl
rm -vfr /usr/lib/openssl/engines
mv -v /usr/lib/engines /usr/lib/openssl
endif
@rm -rf $(DIR_APP)
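Review bot: `CONFIGURE_OPTIONS` lists `enable-ssl3` and `enable-ssl3-method` (and keeps `enable-md2`) while the recipe applies `openssl-1.1.0-disable-ssl3.patch`, so whether SSLv3 is reachable at run time rests on a patch whose content is not shown in this section. The +/- markers are lost on this page; I am assuming the two `enable-ssl3*` lines are on the new side, since the 1.0.2n options kept in lfs/openssl-compat do not have them. If SSLv3 is compiled in only so that dependent packages still link, say so next to the options, e.g. `# SSLv3 built for API compatibility only, disabled by default via openssl-1.1.0-disable-ssl3.patch`; otherwise use `no-ssl3 no-ssl3-method`. The SSE2 branch that this change collapses also spelled out `-fstack-protector-all` and `-D_FORTIFY_SOURCE=2`, so confirm the inherited `$(CFLAGS)` still supplies them for the `-sse2` build.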

149
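--- /dev/null
+++ b/lfs/openssl-compat
@@ -0,0 +1,149 @@
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007-2016 IPFire Team <info@ipfire.org> #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+###############################################################################
+# Definitions
+###############################################################################
+include Config
+VER = 1.0.2n
+THISAPP = openssl-$(VER)
+DL_FILE = $(THISAPP).tar.gz
+DL_FROM = $(URL_IPFIRE)
+DIR_APP = $(DIR_SRC)/$(THISAPP)
+TARGET = $(DIR_INFO)/$(THISAPP)$(KCFG)
+export RPM_OPT_FLAGS = $(CFLAGS)
+CONFIGURE_OPTIONS = \
+--prefix=/usr \
+--openssldir=/etc/ssl \
+--enginesdir=/usr/lib/openssl/engines \
+shared \
+zlib-dynamic \
+enable-camellia \
+enable-md2 \
+disable-ssl2 \
+enable-seed \
+enable-tlsext \
+enable-rfc3779 \
+no-idea \
+no-mdc2 \
+no-rc5 \
+no-srp \
+-DSSL_FORBID_ENULL \
+$(OPENSSL_ARCH)
+ifeq "$(IS_64BIT)" "1"
+OPENSSL_ARCH = linux-generic64
+else
+OPENSSL_ARCH = linux-generic32
+endif
+ifeq "$(BUILD_ARCH)" "aarch64"
+OPENSSL_ARCH = linux-aarch64
+endif
+ifeq "$(BUILD_ARCH)" "x86_64"
+OPENSSL_ARCH = linux-x86_64
+endif
+ifeq "$(BUILD_ARCH)" "i586"
+OPENSSL_ARCH = linux-elf
+ifneq "$(KCFG)" "-sse2"
+OPENSSL_ARCH += no-sse2
+endif
+endif
+###############################################################################
+# Top-level Rules
+###############################################################################
+objects = $(DL_FILE)
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+$(DL_FILE)_MD5 = 13bdc1b1d1ff39b6fd42a255e74676a4
+install : $(TARGET)
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+md5 : $(subst %,%_MD5,$(objects))
+###############################################################################
+# Downloading, checking, md5sum
+###############################################################################
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+@$(CHECK)
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+@$(LOAD)
+$(subst %,%_MD5,$(objects)) :
+@$(MD5)
+###############################################################################
+# Installation Details
+###############################################################################
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+@$(PREBUILD)
+@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
+cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.0-beta5-enginesdir.patch
+cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2a-rpmbuild.patch
+cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2h-weak-ciphers.patch
+cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2g-disable-sslv2v3.patch
+# i586 specific patches
+ifeq "$(BUILD_ARCH)" "i586"
+cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2a_auto_enable_padlock.patch
+cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2a_disable_ssse3_for_amd.patch
+endif
+# With openssl 1.0.2e, pod2mantest is missing
+echo -e "#!/bin/bash\necho \$$(which pod2man)" > $(DIR_APP)/util/pod2mantest
+chmod a+x $(DIR_APP)/util/pod2mantest
+# Apply our CFLAGS
+cd $(DIR_APP) && sed -i Configure \
+-e "s/-O3 -fomit-frame-pointer/$(CFLAGS)/g"
+cd $(DIR_APP) && find crypto/ -name Makefile -exec \
+sed 's/^ASFLAGS=/&-Wa,--noexecstack /' -i {} \;
+cd $(DIR_APP) && ./Configure $(CONFIGURE_OPTIONS)
+cd $(DIR_APP) && make depend
+cd $(DIR_APP) && make
+# Install libraries only
+cd $(DIR_APP) && install -m 755 \
+libcrypto.so.10 libssl.so.10
+@rm -rf $(DIR_APP)
+@$(POSTBUILD)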
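Review bot: The install step `install -m 755 libcrypto.so.10 libssl.so.10` names no destination directory, so as shown `install` would take `libssl.so.10` as the target file and copy libcrypto over it inside `$(DIR_APP)`, which the next line deletes. The rootfile added in this commit expects `usr/lib/libcrypto.so.10` and `usr/lib/libssl.so.10`, so the operand list should end with the directory: `libcrypto.so.10 libssl.so.10 /usr/lib`. The page may have dropped part of the continuation line, so confirm against the file itself. Because this recipe keeps OpenSSL 1.0.2n libraries on the system for binaries not yet rebuilt, a header comment stating that the package needs its own security updates, and the condition for removing it, would help whoever maintains it next.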


@@ -1,7 +1,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2017 IPFire Team <info@ipfire.org> #
# Copyright (C) 2018 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -24,7 +24,7 @@
include Config
VER = 2.3.18
VER = 2.4.4
THISAPP = openvpn-$(VER)
DL_FILE = $(THISAPP).tar.xz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = 844ec9c64aae62051478784b8562f881
$(DL_FILE)_MD5 = 7a2002aad1671b24457bc9432a0c5c52
install : $(TARGET)
@@ -96,5 +96,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify
chown root:root /usr/lib/openvpn/verify
chmod 755 /usr/lib/openvpn/verify
# Add crl updater
mv -v /var/ipfire/ovpn/openvpn-crl-updater /etc/fcron.daily
chown root:root /etc/fcron.daily/openvpn-crl-updater
chmod 750 /etc/fcron.daily/openvpn-crl-updater
@rm -rf $(DIR_APP)
@$(POSTBUILD)


@@ -24,7 +24,7 @@
include Config
VER = 0.21.1
VER = 0.27.0
THISAPP = M2Crypto-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = f93d8462ff7646397a9f77a2fe602d17
$(DL_FILE)_MD5 = 4477bd6b2835560c73982476dba5e515
install : $(TARGET)
@@ -77,6 +77,7 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && python setup.py install
cd $(DIR_APP) && python setup.py build
cd $(DIR_APP) && python setup.py install --root=/
@rm -rf $(DIR_APP)
@$(POSTBUILD)

79
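--- /dev/null
+++ b/lfs/python-typing
@@ -0,0 +1,79 @@
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2011 IPFire Team <info@ipfire.org> #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+###############################################################################
+# Definitions
+###############################################################################
+include Config
+VER = 3.6.1
+THISAPP = typing-$(VER)
+DL_FILE = $(THISAPP).tar.gz
+DL_FROM = $(URL_IPFIRE)
+DIR_APP = $(DIR_SRC)/$(THISAPP)
+TARGET = $(DIR_INFO)/$(THISAPP)
+###############################################################################
+# Top-level Rules
+###############################################################################
+objects = $(DL_FILE)
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+$(DL_FILE)_MD5 = 3fec97415bae6f742fb3c3013dedeb89
+install : $(TARGET)
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+md5 : $(subst %,%_MD5,$(objects))
+#dist:
+# @$(PAK)
+###############################################################################
+# Downloading, checking, md5sum
+###############################################################################
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+@$(CHECK)
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+@$(LOAD)
+$(subst %,%_MD5,$(objects)) :
+@$(MD5)
+###############################################################################
+# Installation Details
+###############################################################################
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+@$(PREBUILD)
+@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
+cd $(DIR_APP) && python setup.py build
+cd $(DIR_APP) && python setup.py install --skip-build
+@rm -rf $(DIR_APP)
+@$(POSTBUILD)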


@@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = transmission
PAK_VER = 13
PAK_VER = 14
DEPS = ""
@@ -79,6 +79,7 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/transmission-2.92-openssl-1.1.0.patch
cd $(DIR_APP) && ./configure --prefix=/usr --disable-static
cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE)
cd $(DIR_APP) && make install


@@ -74,7 +74,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
cd $(DIR_APP) && ./configure \
--prefix=/usr \
--sysconfdir=/etc \
--with-ssl=openssl \
--with-ssl=gnutls \
--disable-nls \
--disable-ipv6
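Review bot: The `--with-ssl=` value moves from `openssl` to `gnutls` with no comment explaining why; the +/- markers are lost on this page, and the purpose of the merge suggests `gnutls` is the new side. A different TLS library brings its own default trust store and protocol and cipher defaults, so certificate verification for HTTPS downloads should be re-tested with the CA bundle this system ships. A comment above the configure call, e.g. `# built against GnuTLS (reason: <why OpenSSL is not used here>)`, would record the decision. The configure recipe starts and ends outside the hunk.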


@@ -1125,6 +1125,7 @@ buildipfire() {
lfsmake2 xtables-addons USPACE="1"
lfsmake2 openssl
[ "${BUILD_ARCH}" = "i586" ] && lfsmake2 openssl KCFG='-sse2'
lfsmake2 openssl-compat
lfsmake2 libgpg-error
lfsmake2 libgcrypt
lfsmake2 libassuan
@@ -1434,6 +1435,7 @@ buildipfire() {
lfsmake2 powertop
lfsmake2 parted
lfsmake2 swig
lfsmake2 python-typing
lfsmake2 python-m2crypto
lfsmake2 wireless-regdb
lfsmake2 crda


@@ -0,0 +1,21 @@
--- elinks-0.11.0/src/network/ssl/ssl.c.noegd 2006-01-10 09:24:50.000000000 +0100
+++ elinks-0.11.0/src/network/ssl/ssl.c 2006-01-10 09:25:01.000000000 +0100
@@ -44,18 +44,6 @@ SSL_CTX *context = NULL;
static void
init_openssl(struct module *module)
{
- unsigned char f_randfile[PATH_MAX];
-
- /* In a nutshell, on OS's without a /dev/urandom, the OpenSSL library
- * cannot initialize the PRNG and so every attempt to use SSL fails.
- * It's actually an OpenSSL FAQ, and according to them, it's up to the
- * application coders to seed the RNG. -- William Yodlowsky */
- if (RAND_egd(RAND_file_name(f_randfile, sizeof(f_randfile))) < 0) {
- /* Not an EGD, so read and write to it */
- if (RAND_load_file(f_randfile, -1))
- RAND_write_file(f_randfile);
- }
-
SSLeay_add_ssl_algorithms();
context = SSL_CTX_new(SSLv23_client_method());
SSL_CTX_set_options(context, SSL_OP_ALL);


@@ -0,0 +1,73 @@
From d83c0edf4c6ae42359ff856d7a879ecba5769595 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Fri, 17 Feb 2017 16:51:41 +0100
Subject: [PATCH 1/2] fix compatibility with OpenSSL 1.1
---
src/network/ssl/socket.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c
index c9e2be4..467fc48 100644
--- a/src/network/ssl/socket.c
+++ b/src/network/ssl/socket.c
@@ -83,7 +83,7 @@ static void
ssl_set_no_tls(struct socket *socket)
{
#ifdef CONFIG_OPENSSL
- ((ssl_t *) socket->ssl)->options |= SSL_OP_NO_TLSv1;
+ SSL_set_options((ssl_t *) socket->ssl, SSL_OP_NO_TLSv1);
#elif defined(CONFIG_GNUTLS)
{
/* GnuTLS does not support SSLv2 because it is "insecure".
@@ -419,7 +419,7 @@ ssl_connect(struct socket *socket)
}
if (client_cert) {
- SSL_CTX *ctx = ((SSL *) socket->ssl)->ctx;
+ SSL_CTX *ctx = SSL_get_SSL_CTX((SSL *) socket->ssl);
SSL_CTX_use_certificate_chain_file(ctx, client_cert);
SSL_CTX_use_PrivateKey_file(ctx, client_cert,
--
2.7.4
From ec952cc5b79973bee73fcfc813159d40c22b7228 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Fri, 17 Feb 2017 16:44:11 +0100
Subject: [PATCH 2/2] drop disablement of TLS1.0 on second attempt to connect
It would not work correctly anyway and the code does not build
with OpenSSL-1.1.0.
---
src/network/ssl/socket.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/network/ssl/socket.c b/src/network/ssl/socket.c
index 467fc48..b981c1e 100644
--- a/src/network/ssl/socket.c
+++ b/src/network/ssl/socket.c
@@ -82,6 +82,11 @@
static void
ssl_set_no_tls(struct socket *socket)
{
+#if 0
+/* This implements the insecure renegotiation, which should not be used.
+ * The code also would not work on current Fedora (>= Fedora 23) anyway,
+ * because it would just switch off TLS 1.0 keeping TLS 1.1 and 1.2 enabled.
+ */
#ifdef CONFIG_OPENSSL
SSL_set_options((ssl_t *) socket->ssl, SSL_OP_NO_TLSv1);
#elif defined(CONFIG_GNUTLS)
@@ -96,6 +101,7 @@ ssl_set_no_tls(struct socket *socket)
gnutls_protocol_set_priority(*(ssl_t *) socket->ssl, protocol_priority);
}
#endif
+#endif
}
#ifdef USE_OPENSSL
--
2.7.4


@@ -0,0 +1,303 @@
diff -urNp old/apps/snmpusm.c new/apps/snmpusm.c
--- old/apps/snmpusm.c 2014-12-08 21:23:22.000000000 +0100
+++ new/apps/snmpusm.c 2017-02-20 15:20:36.994022905 +0100
@@ -190,7 +190,7 @@ get_USM_DH_key(netsnmp_variable_list *va
oid *keyoid, size_t keyoid_len) {
u_char *dhkeychange;
DH *dh;
- BIGNUM *other_pub;
+ BIGNUM *p, *g, *pub_key, *other_pub;
u_char *key;
size_t key_len;
@@ -205,25 +205,29 @@ get_USM_DH_key(netsnmp_variable_list *va
dh = d2i_DHparams(NULL, &cp, dhvar->val_len);
}
- if (!dh || !dh->g || !dh->p) {
+ if (dh)
+ DH_get0_pqg(dh, &p, NULL, &g);
+
+ if (!dh || !g || !p) {
SNMP_FREE(dhkeychange);
return SNMPERR_GENERR;
}
- DH_generate_key(dh);
- if (!dh->pub_key) {
+ if (!DH_generate_key(dh)) {
SNMP_FREE(dhkeychange);
return SNMPERR_GENERR;
}
- if (vars->val_len != (unsigned int)BN_num_bytes(dh->pub_key)) {
+ DH_get0_key(dh, &pub_key, NULL);
+
+ if (vars->val_len != (unsigned int)BN_num_bytes(pub_key)) {
SNMP_FREE(dhkeychange);
fprintf(stderr,"incorrect diffie-helman lengths (%lu != %d)\n",
- (unsigned long)vars->val_len, BN_num_bytes(dh->pub_key));
+ (unsigned long)vars->val_len, BN_num_bytes(pub_key));
return SNMPERR_GENERR;
}
- BN_bn2bin(dh->pub_key, dhkeychange + vars->val_len);
+ BN_bn2bin(pub_key, dhkeychange + vars->val_len);
key_len = DH_size(dh);
if (!key_len) {
diff -urNp old/configure new/configure
--- old/configure 2017-02-20 10:08:16.440396223 +0100
+++ new/configure 2017-02-20 10:57:15.749734281 +0100
@@ -23176,9 +23176,9 @@ $as_echo "#define HAVE_AES_CFB128_ENCRYP
fi
- as_ac_Lib=`$as_echo "ac_cv_lib_${CRYPTO}''_EVP_MD_CTX_create" | $as_tr_sh`
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_MD_CTX_create in -l${CRYPTO}" >&5
-$as_echo_n "checking for EVP_MD_CTX_create in -l${CRYPTO}... " >&6; }
+ as_ac_Lib=`$as_echo "ac_cv_lib_${CRYPTO}''_EVP_MD_CTX_new" | $as_tr_sh`
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_MD_CTX_new in -l${CRYPTO}" >&5
+$as_echo_n "checking for EVP_MD_CTX_new in -l${CRYPTO}... " >&6; }
if eval \${$as_ac_Lib+:} false; then :
$as_echo_n "(cached) " >&6
else
@@ -23193,11 +23193,11 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_
#ifdef __cplusplus
extern "C"
#endif
-char EVP_MD_CTX_create ();
+char EVP_MD_CTX_new ();
int
main ()
{
-return EVP_MD_CTX_create ();
+return EVP_MD_CTX_new ();
;
return 0;
}
@@ -23216,10 +23216,10 @@ eval ac_res=\$$as_ac_Lib
$as_echo "$ac_res" >&6; }
if eval test \"x\$"$as_ac_Lib"\" = x"yes"; then :
-$as_echo "#define HAVE_EVP_MD_CTX_CREATE /**/" >>confdefs.h
+$as_echo "#define HAVE_EVP_MD_CTX_NEW /**/" >>confdefs.h
-$as_echo "#define HAVE_EVP_MD_CTX_DESTROY /**/" >>confdefs.h
+$as_echo "#define HAVE_EVP_MD_CTX_FREE /**/" >>confdefs.h
fi
@@ -23293,7 +23293,7 @@ char SSL_library_init ();
int
main ()
{
-return SSL_library_init ();
+return OPENSSL_init_ssl(0, NULL);
;
return 0;
}
diff -urNp old/configure.d/config_os_libs2 new/configure.d/config_os_libs2
--- old/configure.d/config_os_libs2 2014-12-08 21:23:22.000000000 +0100
+++ new/configure.d/config_os_libs2 2017-02-20 10:56:21.041616611 +0100
@@ -292,11 +292,11 @@ if test "x$tryopenssl" != "xno" -a "x$tr
AC_DEFINE(HAVE_AES_CFB128_ENCRYPT, 1,
[Define to 1 if you have the `AES_cfb128_encrypt' function.]))
- AC_CHECK_LIB(${CRYPTO}, EVP_MD_CTX_create,
- AC_DEFINE([HAVE_EVP_MD_CTX_CREATE], [],
- [Define to 1 if you have the `EVP_MD_CTX_create' function.])
- AC_DEFINE([HAVE_EVP_MD_CTX_DESTROY], [],
- [Define to 1 if you have the `EVP_MD_CTX_destroy' function.]))
+ AC_CHECK_LIB(${CRYPTO}, EVP_MD_CTX_new,
+ AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [],
+ [Define to 1 if you have the `EVP_MD_CTX_new' function.])
+ AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [],
+ [Define to 1 if you have the `EVP_MD_CTX_free' function.]))
fi
if echo " $transport_result_list " | $GREP "DTLS" > /dev/null; then
AC_CHECK_LIB(ssl, DTLSv1_method,
@@ -307,7 +307,7 @@ if test "x$tryopenssl" != "xno" -a "x$tr
TLSPROG=yes
fi
if echo " $transport_result_list " | $GREP "TLS" > /dev/null; then
- AC_CHECK_LIB(ssl, SSL_library_init,
+ AC_CHECK_LIB(ssl, OPENSSL_init_ssl,
AC_DEFINE(HAVE_LIBSSL, 1,
[Define to 1 if you have the `ssl' library (-lssl).])
LIBCRYPTO=" -lssl $LIBCRYPTO",
diff -urNp old/include/net-snmp/net-snmp-config.h.in new/include/net-snmp/net-snmp-config.h.in
--- old/include/net-snmp/net-snmp-config.h.in 2017-02-20 10:08:16.443522417 +0100
+++ new/include/net-snmp/net-snmp-config.h.in 2017-02-20 10:24:05.790584283 +0100
@@ -149,11 +149,11 @@
/* Define to 1 if you have the `eval_pv' function. */
#undef HAVE_EVAL_PV
-/* Define to 1 if you have the `EVP_MD_CTX_create' function. */
-#undef HAVE_EVP_MD_CTX_CREATE
+/* Define to 1 if you have the `EVP_MD_CTX_new' function. */
+#undef HAVE_EVP_MD_CTX_NEW
-/* Define to 1 if you have the `EVP_MD_CTX_destroy' function. */
-#undef HAVE_EVP_MD_CTX_DESTROY
+/* Define to 1 if you have the `EVP_MD_CTX_free' function. */
+#undef HAVE_EVP_MD_CTX_FREE
/* Define if you have EVP_sha224/256 in openssl */
#undef HAVE_EVP_SHA224
diff -urNp old/snmplib/keytools.c new/snmplib/keytools.c
--- old/snmplib/keytools.c 2014-12-08 21:23:22.000000000 +0100
+++ new/snmplib/keytools.c 2017-02-20 10:30:27.412068264 +0100
@@ -149,8 +149,8 @@ generate_Ku(const oid * hashtype, u_int
*/
#ifdef NETSNMP_USE_OPENSSL
-#ifdef HAVE_EVP_MD_CTX_CREATE
- ctx = EVP_MD_CTX_create();
+#ifdef HAVE_EVP_MD_CTX_NEW
+ ctx = EVP_MD_CTX_new();
#else
ctx = malloc(sizeof(*ctx));
if (!EVP_MD_CTX_init(ctx))
@@ -259,8 +259,8 @@ generate_Ku(const oid * hashtype, u_int
memset(buf, 0, sizeof(buf));
#ifdef NETSNMP_USE_OPENSSL
if (ctx) {
-#ifdef HAVE_EVP_MD_CTX_DESTROY
- EVP_MD_CTX_destroy(ctx);
+#ifdef HAVE_EVP_MD_CTX_FREE
+ EVP_MD_CTX_free(ctx);
#else
EVP_MD_CTX_cleanup(ctx);
free(ctx);
diff -urNp old/snmplib/scapi.c new/snmplib/scapi.c
--- old/snmplib/scapi.c 2014-12-08 21:23:22.000000000 +0100
+++ new/snmplib/scapi.c 2017-02-20 10:27:34.152379515 +0100
@@ -486,14 +486,14 @@ sc_hash(const oid * hashtype, size_t has
}
/** initialize the pointer */
-#ifdef HAVE_EVP_MD_CTX_CREATE
- cptr = EVP_MD_CTX_create();
+#ifdef HAVE_EVP_MD_CTX_NEW
+ cptr = EVP_MD_CTX_new();
#else
cptr = malloc(sizeof(*cptr));
#if defined(OLD_DES)
memset(cptr, 0, sizeof(*cptr));
#else
- EVP_MD_CTX_init(cptr);
+ EVP_MD_CTX_init(&cptr);
#endif
#endif
if (!EVP_DigestInit(cptr, hashfn)) {
@@ -507,11 +507,11 @@ sc_hash(const oid * hashtype, size_t has
/** do the final pass */
EVP_DigestFinal(cptr, MAC, &tmp_len);
*MAC_len = tmp_len;
-#ifdef HAVE_EVP_MD_CTX_DESTROY
- EVP_MD_CTX_destroy(cptr);
+#ifdef HAVE_EVP_MD_CTX_FREE
+ EVP_MD_CTX_free(cptr);
#else
#if !defined(OLD_DES)
- EVP_MD_CTX_cleanup(cptr);
+ EVP_MD_CTX_cleanup(&cptr);
#endif
free(cptr);
#endif
diff -urNp old/snmplib/snmp_openssl.c new/snmplib/snmp_openssl.c
--- old/snmplib/snmp_openssl.c 2014-12-08 21:23:22.000000000 +0100
+++ new/snmplib/snmp_openssl.c 2017-02-20 12:46:00.059727928 +0100
@@ -47,7 +47,7 @@ void netsnmp_init_openssl(void) {
DEBUGMSGTL(("snmp_openssl", "initializing\n"));
/* Initializing OpenSSL */
- SSL_library_init();
+ OPENSSL_init_ssl(0, NULL);
SSL_load_error_strings();
ERR_load_BIO_strings();
OpenSSL_add_all_algorithms();
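Review bot: `OPENSSL_init_ssl(0, NULL)` replaces `SSL_library_init()` unconditionally, unlike the digest-context changes in keytools.c and scapi.c, which are selected through `HAVE_EVP_MD_CTX_NEW` and `HAVE_EVP_MD_CTX_FREE`. The function exists only from OpenSSL 1.1.0 on, so this line drops the ability to build against older releases that the other hunks preserve, and its return value is ignored. Either keep `SSL_library_init();` (as far as I know 1.1.0 still provides it as a compatibility macro) or guard the new call and check it, e.g. `if (!OPENSSL_init_ssl(0, NULL)) return;` after logging. The same version concern applies to `X509_get_signature_nid()` in the two later hunks of this file, which needs OpenSSL 1.0.2 or newer.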
@@ -164,11 +164,11 @@ netsnmp_openssl_cert_dump_names(X509 *oc
oname_entry = X509_NAME_get_entry(osubj_name, i);
netsnmp_assert(NULL != oname_entry);
- if (oname_entry->value->type != V_ASN1_PRINTABLESTRING)
+ if (X509_NAME_ENTRY_get_data(oname_entry)->type != V_ASN1_PRINTABLESTRING)
continue;
/** get NID */
- onid = OBJ_obj2nid(oname_entry->object);
+ onid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(oname_entry));
if (onid == NID_undef) {
prefix_long = prefix_short = "UNKNOWN";
}
@@ -179,9 +179,9 @@ netsnmp_openssl_cert_dump_names(X509 *oc
DEBUGMSGT(("9:cert:dump:names",
"[%02d] NID type %d, ASN type %d\n", i, onid,
- oname_entry->value->type));
+ X509_NAME_ENTRY_get_data(oname_entry)->type));
DEBUGMSGT(("9:cert:dump:names", "%s/%s: '%s'\n", prefix_long,
- prefix_short, ASN1_STRING_data(oname_entry->value)));
+ prefix_short, ASN1_STRING_data(X509_NAME_ENTRY_get_data(oname_entry))));
}
}
#endif /* NETSNMP_FEATURE_REMOVE_CERT_DUMP_NAMES */
@@ -470,7 +470,7 @@ netsnmp_openssl_cert_get_hash_type(X509
if (NULL == ocert)
return 0;
- return _nid2ht(OBJ_obj2nid(ocert->sig_alg->algorithm));
+ return _nid2ht(X509_get_signature_nid(ocert));
}
/**
@@ -487,7 +487,7 @@ netsnmp_openssl_cert_get_fingerprint(X50
if (NULL == ocert)
return NULL;
- nid = OBJ_obj2nid(ocert->sig_alg->algorithm);
+ nid = X509_get_signature_nid(ocert);
DEBUGMSGT(("9:openssl:fingerprint", "alg %d, cert nid %d (%d)\n", alg, nid,
_nid2ht(nid)));
diff -urNp old/win32/net-snmp/net-snmp-config.h new/win32/net-snmp/net-snmp-config.h
--- old/win32/net-snmp/net-snmp-config.h 2014-12-08 21:23:22.000000000 +0100
+++ new/win32/net-snmp/net-snmp-config.h 2017-02-20 10:23:20.796778512 +0100
@@ -1366,11 +1366,11 @@
/* Define to 1 if you have the <openssl/aes.h> header file. */
#define HAVE_OPENSSL_AES_H 1
-/* Define to 1 if you have the `EVP_MD_CTX_create' function. */
-#define HAVE_EVP_MD_CTX_CREATE 1
+/* Define to 1 if you have the `EVP_MD_CTX_new' function. */
+#define HAVE_EVP_MD_CTX_NEW 1
-/* Define to 1 if you have the `EVP_MD_CTX_destroy' function. */
-#define HAVE_EVP_MD_CTX_DESTROY 1
+/* Define to 1 if you have the `EVP_MD_CTX_free' function. */
+#define HAVE_EVP_MD_CTX_FREE 1
/* Define to 1 if you have the `AES_cfb128_encrypt' function. */
#define HAVE_AES_CFB128_ENCRYPT 1
diff -urNp old/win32/net-snmp/net-snmp-config.h.in new/win32/net-snmp/net-snmp-config.h.in
--- old/win32/net-snmp/net-snmp-config.h.in 2014-12-08 21:23:22.000000000 +0100
+++ new/win32/net-snmp/net-snmp-config.h.in 2017-02-20 10:22:51.348367754 +0100
@@ -1366,11 +1366,11 @@
/* Define to 1 if you have the <openssl/aes.h> header file. */
#define HAVE_OPENSSL_AES_H 1
-/* Define to 1 if you have the `EVP_MD_CTX_create' function. */
-#define HAVE_EVP_MD_CTX_CREATE 1
+/* Define to 1 if you have the `EVP_MD_CTX_new' function. */
+#define HAVE_EVP_MD_CTX_NEW 1
-/* Define to 1 if you have the `EVP_MD_CTX_destroy' function. */
-#define HAVE_EVP_MD_CTX_DESTROY 1
+/* Define to 1 if you have the `EVP_MD_CTX_free' function. */
+#define HAVE_EVP_MD_CTX_FREE 1
/* Define to 1 if you have the `AES_cfb128_encrypt' function. */
#define HAVE_AES_CFB128_ENCRYPT 1


@@ -1,340 +0,0 @@
Submitted By: Armin K. <krejzi at email dot com>
Date: 2015-01-23
Initial Package Version: 1.0.1e
Upstream Status: Unknown
Origin: https://github.com/Alexpux/Qt-builds/tree/master/patches/openssl
Description: Fixes build when using more than one make job to build the package.
--- a/crypto/Makefile 2015-01-22 17:12:09.000000000 +0100
+++ b/crypto/Makefile 2015-01-23 16:42:13.460175569 +0100
@@ -85,11 +85,11 @@
@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
subdirs:
- @target=all; $(RECURSIVE_MAKE)
+ +@target=all; $(RECURSIVE_MAKE)
files:
$(PERL) $(TOP)/util/files.pl "CPUID_OBJ=$(CPUID_OBJ)" Makefile >> $(TOP)/MINFO
- @target=files; $(RECURSIVE_MAKE)
+ +@target=files; $(RECURSIVE_MAKE)
links:
@$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
@@ -100,7 +100,7 @@
# lib: $(LIB): are splitted to avoid end-less loop
lib: $(LIB)
@touch lib
-$(LIB): $(LIBOBJ)
+$(LIB): $(LIBOBJ) | subdirs
$(AR) $(LIB) $(LIBOBJ)
test -z "$(FIPSLIBDIR)" || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
$(RANLIB) $(LIB) || echo Never mind.
@@ -111,7 +111,7 @@
fi
libs:
- @target=lib; $(RECURSIVE_MAKE)
+ +@target=lib; $(RECURSIVE_MAKE)
install:
@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
@@ -120,7 +120,7 @@
(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
done;
- @target=install; $(RECURSIVE_MAKE)
+ +@target=install; $(RECURSIVE_MAKE)
lint:
@target=lint; $(RECURSIVE_MAKE)
--- a/engines/Makefile 2015-01-22 17:12:24.000000000 +0100
+++ b/engines/Makefile 2015-01-23 16:42:13.461175596 +0100
@@ -72,7 +72,7 @@
all: lib subdirs
-lib: $(LIBOBJ)
+lib: $(LIBOBJ) | subdirs
@if [ -n "$(SHARED_LIBS)" ]; then \
set -e; \
for l in $(LIBNAMES); do \
@@ -89,7 +89,7 @@
subdirs:
echo $(EDIRS)
- @target=all; $(RECURSIVE_MAKE)
+ +@target=all; $(RECURSIVE_MAKE)
files:
$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
@@ -128,7 +128,7 @@
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines/$$pfx$$l$$sfx ); \
done; \
fi
- @target=install; $(RECURSIVE_MAKE)
+ +@target=install; $(RECURSIVE_MAKE)
tags:
ctags $(SRC)
--- a/Makefile.org 2015-01-22 15:58:06.000000000 +0100
+++ b/Makefile.org 2015-01-23 16:42:13.461175596 +0100
@@ -274,17 +274,17 @@
build_libs: build_crypto build_ssl build_engines
build_crypto:
- @dir=crypto; target=all; $(BUILD_ONE_CMD)
-build_ssl:
- @dir=ssl; target=all; $(BUILD_ONE_CMD)
-build_engines:
- @dir=engines; target=all; $(BUILD_ONE_CMD)
-build_apps:
- @dir=apps; target=all; $(BUILD_ONE_CMD)
-build_tests:
- @dir=test; target=all; $(BUILD_ONE_CMD)
-build_tools:
- @dir=tools; target=all; $(BUILD_ONE_CMD)
+ +@dir=crypto; target=all; $(BUILD_ONE_CMD)
+build_ssl: build_crypto
+ +@dir=ssl; target=all; $(BUILD_ONE_CMD)
+build_engines: build_crypto
+ +@dir=engines; target=all; $(BUILD_ONE_CMD)
+build_apps: build_libs
+ +@dir=apps; target=all; $(BUILD_ONE_CMD)
+build_tests: build_libs
+ +@dir=test; target=all; $(BUILD_ONE_CMD)
+build_tools: build_libs
+ +@dir=tools; target=all; $(BUILD_ONE_CMD)
all_testapps: build_libs build_testapps
build_testapps:
@@ -536,9 +536,9 @@
dist_pem_h:
(cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean)
-install: all install_docs install_sw
+install: install_docs install_sw
-install_sw:
+install_dirs:
@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
@@ -547,12 +547,19 @@
$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
$(INSTALL_PREFIX)$(OPENSSLDIR)/private
+ @$(PERL) $(TOP)/util/mkdir-p.pl \
+ $(INSTALL_PREFIX)$(MANDIR)/man1 \
+ $(INSTALL_PREFIX)$(MANDIR)/man3 \
+ $(INSTALL_PREFIX)$(MANDIR)/man5 \
+ $(INSTALL_PREFIX)$(MANDIR)/man7
+
+install_sw: install_dirs
@set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\
do \
(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
done;
- @set -e; target=install; $(RECURSIVE_BUILD_CMD)
+ +@set -e; target=install; $(RECURSIVE_BUILD_CMD)
@set -e; liblist="$(LIBS)"; for i in $$liblist ;\
do \
if [ -f "$$i" ]; then \
@@ -636,12 +643,7 @@
done; \
done
-install_docs:
- @$(PERL) $(TOP)/util/mkdir-p.pl \
- $(INSTALL_PREFIX)$(MANDIR)/man1 \
- $(INSTALL_PREFIX)$(MANDIR)/man3 \
- $(INSTALL_PREFIX)$(MANDIR)/man5 \
- $(INSTALL_PREFIX)$(MANDIR)/man7
+install_docs: install_dirs
@pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \
here="`pwd`"; \
filecase=; \
--- a/Makefile.shared 2015-01-20 13:33:36.000000000 +0100
+++ b/Makefile.shared 2015-01-23 16:42:13.461175596 +0100
@@ -105,6 +105,7 @@
SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
+ [ -e $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX ] && exit 0; \
LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
$${SHAREDCMD} $${SHAREDFLAGS} \
-o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
@@ -122,6 +123,7 @@
done; \
fi; \
if [ -n "$$SHLIB_SOVER" ]; then \
+ [ -e "$$SHLIB$$SHLIB_SUFFIX" ] || \
( $(SET_X); rm -f $$SHLIB$$SHLIB_SUFFIX; \
ln -s $$prev $$SHLIB$$SHLIB_SUFFIX ); \
fi; \
--- a/test/Makefile 2015-01-22 17:12:26.000000000 +0100
+++ b/test/Makefile 2015-01-23 16:42:13.461175596 +0100
@@ -132,7 +132,7 @@
tags:
ctags $(SRC)
-tests: exe apps $(TESTS)
+tests: exe $(TESTS)
apps:
@(cd ..; $(MAKE) DIRS=apps all)
@@ -398,109 +398,109 @@
link_app.$${shlib_target}
$(RSATEST)$(EXE_EXT): $(RSATEST).o $(DLIBCRYPTO)
- @target=$(RSATEST); $(BUILD_CMD)
+ +@target=$(RSATEST); $(BUILD_CMD)
$(BNTEST)$(EXE_EXT): $(BNTEST).o $(DLIBCRYPTO)
- @target=$(BNTEST); $(BUILD_CMD)
+ +@target=$(BNTEST); $(BUILD_CMD)
$(ECTEST)$(EXE_EXT): $(ECTEST).o $(DLIBCRYPTO)
- @target=$(ECTEST); $(BUILD_CMD)
+ +@target=$(ECTEST); $(BUILD_CMD)
$(EXPTEST)$(EXE_EXT): $(EXPTEST).o $(DLIBCRYPTO)
- @target=$(EXPTEST); $(BUILD_CMD)
+ +@target=$(EXPTEST); $(BUILD_CMD)
$(IDEATEST)$(EXE_EXT): $(IDEATEST).o $(DLIBCRYPTO)
- @target=$(IDEATEST); $(BUILD_CMD)
+ +@target=$(IDEATEST); $(BUILD_CMD)
$(MD2TEST)$(EXE_EXT): $(MD2TEST).o $(DLIBCRYPTO)
- @target=$(MD2TEST); $(BUILD_CMD)
+ +@target=$(MD2TEST); $(BUILD_CMD)
$(SHATEST)$(EXE_EXT): $(SHATEST).o $(DLIBCRYPTO)
- @target=$(SHATEST); $(BUILD_CMD)
+ +@target=$(SHATEST); $(BUILD_CMD)
$(SHA1TEST)$(EXE_EXT): $(SHA1TEST).o $(DLIBCRYPTO)
- @target=$(SHA1TEST); $(BUILD_CMD)
+ +@target=$(SHA1TEST); $(BUILD_CMD)
$(SHA256TEST)$(EXE_EXT): $(SHA256TEST).o $(DLIBCRYPTO)
- @target=$(SHA256TEST); $(BUILD_CMD)
+ +@target=$(SHA256TEST); $(BUILD_CMD)
$(SHA512TEST)$(EXE_EXT): $(SHA512TEST).o $(DLIBCRYPTO)
- @target=$(SHA512TEST); $(BUILD_CMD)
+ +@target=$(SHA512TEST); $(BUILD_CMD)
$(RMDTEST)$(EXE_EXT): $(RMDTEST).o $(DLIBCRYPTO)
- @target=$(RMDTEST); $(BUILD_CMD)
+ +@target=$(RMDTEST); $(BUILD_CMD)
$(MDC2TEST)$(EXE_EXT): $(MDC2TEST).o $(DLIBCRYPTO)
- @target=$(MDC2TEST); $(BUILD_CMD)
+ +@target=$(MDC2TEST); $(BUILD_CMD)
$(MD4TEST)$(EXE_EXT): $(MD4TEST).o $(DLIBCRYPTO)
- @target=$(MD4TEST); $(BUILD_CMD)
+ +@target=$(MD4TEST); $(BUILD_CMD)
$(MD5TEST)$(EXE_EXT): $(MD5TEST).o $(DLIBCRYPTO)
- @target=$(MD5TEST); $(BUILD_CMD)
+ +@target=$(MD5TEST); $(BUILD_CMD)
$(HMACTEST)$(EXE_EXT): $(HMACTEST).o $(DLIBCRYPTO)
- @target=$(HMACTEST); $(BUILD_CMD)
+ +@target=$(HMACTEST); $(BUILD_CMD)
$(WPTEST)$(EXE_EXT): $(WPTEST).o $(DLIBCRYPTO)
- @target=$(WPTEST); $(BUILD_CMD)
+ +@target=$(WPTEST); $(BUILD_CMD)
$(RC2TEST)$(EXE_EXT): $(RC2TEST).o $(DLIBCRYPTO)
- @target=$(RC2TEST); $(BUILD_CMD)
+ +@target=$(RC2TEST); $(BUILD_CMD)
$(BFTEST)$(EXE_EXT): $(BFTEST).o $(DLIBCRYPTO)
- @target=$(BFTEST); $(BUILD_CMD)
+ +@target=$(BFTEST); $(BUILD_CMD)
$(CASTTEST)$(EXE_EXT): $(CASTTEST).o $(DLIBCRYPTO)
- @target=$(CASTTEST); $(BUILD_CMD)
+ +@target=$(CASTTEST); $(BUILD_CMD)
$(RC4TEST)$(EXE_EXT): $(RC4TEST).o $(DLIBCRYPTO)
- @target=$(RC4TEST); $(BUILD_CMD)
+ +@target=$(RC4TEST); $(BUILD_CMD)
$(RC5TEST)$(EXE_EXT): $(RC5TEST).o $(DLIBCRYPTO)
- @target=$(RC5TEST); $(BUILD_CMD)
+ +@target=$(RC5TEST); $(BUILD_CMD)
$(DESTEST)$(EXE_EXT): $(DESTEST).o $(DLIBCRYPTO)
- @target=$(DESTEST); $(BUILD_CMD)
+ +@target=$(DESTEST); $(BUILD_CMD)
$(RANDTEST)$(EXE_EXT): $(RANDTEST).o $(DLIBCRYPTO)
- @target=$(RANDTEST); $(BUILD_CMD)
+ +@target=$(RANDTEST); $(BUILD_CMD)
$(DHTEST)$(EXE_EXT): $(DHTEST).o $(DLIBCRYPTO)
- @target=$(DHTEST); $(BUILD_CMD)
+ +@target=$(DHTEST); $(BUILD_CMD)
$(DSATEST)$(EXE_EXT): $(DSATEST).o $(DLIBCRYPTO)
- @target=$(DSATEST); $(BUILD_CMD)
+ +@target=$(DSATEST); $(BUILD_CMD)
$(METHTEST)$(EXE_EXT): $(METHTEST).o $(DLIBCRYPTO)
- @target=$(METHTEST); $(BUILD_CMD)
+ +@target=$(METHTEST); $(BUILD_CMD)
$(SSLTEST)$(EXE_EXT): $(SSLTEST).o $(DLIBSSL) $(DLIBCRYPTO)
- @target=$(SSLTEST); $(FIPS_BUILD_CMD)
+ +@target=$(SSLTEST); $(FIPS_BUILD_CMD)
$(ENGINETEST)$(EXE_EXT): $(ENGINETEST).o $(DLIBCRYPTO)
- @target=$(ENGINETEST); $(BUILD_CMD)
+ +@target=$(ENGINETEST); $(BUILD_CMD)
$(EVPTEST)$(EXE_EXT): $(EVPTEST).o $(DLIBCRYPTO)
- @target=$(EVPTEST); $(BUILD_CMD)
+ +@target=$(EVPTEST); $(BUILD_CMD)
$(ECDSATEST)$(EXE_EXT): $(ECDSATEST).o $(DLIBCRYPTO)
- @target=$(ECDSATEST); $(BUILD_CMD)
+ +@target=$(ECDSATEST); $(BUILD_CMD)
$(ECDHTEST)$(EXE_EXT): $(ECDHTEST).o $(DLIBCRYPTO)
- @target=$(ECDHTEST); $(BUILD_CMD)
+ +@target=$(ECDHTEST); $(BUILD_CMD)
$(IGETEST)$(EXE_EXT): $(IGETEST).o $(DLIBCRYPTO)
- @target=$(IGETEST); $(BUILD_CMD)
+ +@target=$(IGETEST); $(BUILD_CMD)
$(JPAKETEST)$(EXE_EXT): $(JPAKETEST).o $(DLIBCRYPTO)
- @target=$(JPAKETEST); $(BUILD_CMD)
+ +@target=$(JPAKETEST); $(BUILD_CMD)
$(ASN1TEST)$(EXE_EXT): $(ASN1TEST).o $(DLIBCRYPTO)
- @target=$(ASN1TEST); $(BUILD_CMD)
+ +@target=$(ASN1TEST); $(BUILD_CMD)
$(SRPTEST)$(EXE_EXT): $(SRPTEST).o $(DLIBCRYPTO)
- @target=$(SRPTEST); $(BUILD_CMD)
+ +@target=$(SRPTEST); $(BUILD_CMD)
$(V3NAMETEST)$(EXE_EXT): $(V3NAMETEST).o $(DLIBCRYPTO)
@target=$(V3NAMETEST); $(BUILD_CMD)
@@ -522,7 +522,7 @@
# fi
dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)
- @target=dummytest; $(BUILD_CMD)
+ +@target=dummytest; $(BUILD_CMD)
# DO NOT DELETE THIS LINE -- make depend depends on it.


@@ -1,34 +0,0 @@
diff -Naur openssl-1.0.2a.org/crypto/engine/eng_all.c openssl-1.0.2a/crypto/engine/eng_all.c
--- openssl-1.0.2a.org/crypto/engine/eng_all.c 2015-03-19 14:30:36.000000000 +0100
+++ openssl-1.0.2a/crypto/engine/eng_all.c 2015-04-27 12:27:05.063569969 +0200
@@ -120,6 +120,14 @@
ENGINE_load_capi();
# endif
#endif
+#ifdef OPENSSL_NO_STATIC_ENGINE
+ ENGINE *e;
+ e = ENGINE_by_id("padlock");
+ if (e != NULL) {
+ ENGINE_add(e);
+ ENGINE_free(e);
+ }
+#endif
ENGINE_register_all_complete();
}
diff -Naur openssl-1.0.2a.org/ssl/ssl_algs.c openssl-1.0.2a/ssl/ssl_algs.c
--- openssl-1.0.2a.org/ssl/ssl_algs.c 2015-03-19 14:30:36.000000000 +0100
+++ openssl-1.0.2a/ssl/ssl_algs.c 2015-04-27 11:04:27.893399695 +0200
@@ -151,5 +151,12 @@
#endif
/* initialize cipher/digest methods table */
ssl_load_ciphers();
+
+ /* Init available hardware crypto engines */
+ ENGINE_load_builtin_engines();
+ ENGINE_register_all_complete();
+ ENGINE * padlock = ENGINE_by_id("padlock");
+ if (padlock) ENGINE_set_default_ciphers(padlock);
+
return (1);
}


@@ -0,0 +1,86 @@
diff -up openssl-1.1.0f/apps/s_client.c.disable-ssl3 openssl-1.1.0f/apps/s_client.c
--- openssl-1.1.0f/apps/s_client.c.disable-ssl3 2017-06-05 15:42:44.838853312 +0200
+++ openssl-1.1.0f/apps/s_client.c 2017-07-17 14:50:06.468821871 +0200
@@ -1486,6 +1486,9 @@ int s_client_main(int argc, char **argv)
if (sdebug)
ssl_ctx_security_debug(ctx, sdebug);
+ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
+
if (ssl_config) {
if (SSL_CTX_config(ctx, ssl_config) == 0) {
BIO_printf(bio_err, "Error using configuration \"%s\"\n",
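Review bot: The added condition re-enables SSLv3 only when both `min_version` and `max_version` equal `SSL3_VERSION`, and nothing in the hunk explains why, so a later reader may take it for an oversight and loosen it. A comment above the `if` would record the intent, for example `/* SSLv3 is disabled by default in SSL_CTX_new(); clear the option only when the user pinned both bounds to SSLv3 */`. How the two variables are set lies outside the hunk, so the wording should be checked against the option parsing. The identical block added to s_server.c in the next hunk wants the same comment.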
diff -up openssl-1.1.0f/apps/s_server.c.disable-ssl3 openssl-1.1.0f/apps/s_server.c
--- openssl-1.1.0f/apps/s_server.c.disable-ssl3 2017-05-25 14:46:18.000000000 +0200
+++ openssl-1.1.0f/apps/s_server.c 2017-07-17 14:49:50.434447583 +0200
@@ -1614,6 +1614,10 @@ int s_server_main(int argc, char *argv[]
}
if (sdebug)
ssl_ctx_security_debug(ctx, sdebug);
+
+ if (min_version == SSL3_VERSION && max_version == SSL3_VERSION)
+ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
+
if (ssl_config) {
if (SSL_CTX_config(ctx, ssl_config) == 0) {
BIO_printf(bio_err, "Error using configuration \"%s\"\n",
diff -up openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3 openssl-1.1.0/ssl/ssl_lib.c
--- openssl-1.1.0/ssl/ssl_lib.c.disable-ssl3 2016-08-25 17:29:22.000000000 +0200
+++ openssl-1.1.0/ssl/ssl_lib.c 2016-09-08 11:08:05.252082263 +0200
@@ -2470,6 +2470,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
* or by using the SSL_CONF library.
*/
ret->options |= SSL_OP_NO_COMPRESSION;
+ /*
+ * Disable SSLv3 by default. Applications can
+ * re-enable it by configuring
+ * SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
+ * or by using the SSL_CONF library.
+ */
+ ret->options |= SSL_OP_NO_SSLv3;
ret->tlsext_status_type = -1;
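Review bot: The new comment names `SSL_CTX_clear_options()` and the SSL_CONF library as the ways to re-enable SSLv3, but it does not say that adjusting the protocol version bounds is not sufficient on its own. As far as I can tell, a context whose minimum version is set to SSLv3 still carries `SSL_OP_NO_SSLv3` and will not negotiate it, which is why the s_client and s_server hunks of this same patch clear the option explicitly. I would add one line to the comment, such as `Setting the protocol version bounds alone does not clear this option.` SSL_CTX_new's body extends beyond the hunk.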
diff -up openssl-1.1.0/test/ssl_test.c.disable-ssl3 openssl-1.1.0/test/ssl_test.c
--- openssl-1.1.0/test/ssl_test.c.disable-ssl3 2016-09-08 11:08:05.252082263 +0200
+++ openssl-1.1.0/test/ssl_test.c 2016-09-08 11:11:44.802005886 +0200
@@ -258,6 +258,7 @@ static int execute_test(SSL_TEST_FIXTURE
SSL_TEST_SERVERNAME_CB_NONE) {
server2_ctx = SSL_CTX_new(TLS_server_method());
TEST_check(server2_ctx != NULL);
+ SSL_CTX_clear_options(server2_ctx, SSL_OP_NO_SSLv3);
}
client_ctx = SSL_CTX_new(TLS_client_method());
@@ -266,11 +267,15 @@ static int execute_test(SSL_TEST_FIXTURE
resume_client_ctx = SSL_CTX_new(TLS_client_method());
TEST_check(resume_server_ctx != NULL);
TEST_check(resume_client_ctx != NULL);
+ SSL_CTX_clear_options(resume_server_ctx, SSL_OP_NO_SSLv3);
+ SSL_CTX_clear_options(resume_client_ctx, SSL_OP_NO_SSLv3);
}
}
TEST_check(server_ctx != NULL);
TEST_check(client_ctx != NULL);
+ SSL_CTX_clear_options(server_ctx, SSL_OP_NO_SSLv3);
+ SSL_CTX_clear_options(client_ctx, SSL_OP_NO_SSLv3);
TEST_check(CONF_modules_load(conf, fixture.test_app, 0) > 0);
diff -up openssl-1.1.0/test/ssltest_old.c.disable-ssl3 openssl-1.1.0/test/ssltest_old.c
--- openssl-1.1.0/test/ssltest_old.c.disable-ssl3 2016-08-25 17:29:23.000000000 +0200
+++ openssl-1.1.0/test/ssltest_old.c 2016-09-08 11:08:05.253082286 +0200
@@ -1456,6 +1456,11 @@ int main(int argc, char *argv[])
ERR_print_errors(bio_err);
goto end;
}
+
+ SSL_CTX_clear_options(c_ctx, SSL_OP_NO_SSLv3);
+ SSL_CTX_clear_options(s_ctx, SSL_OP_NO_SSLv3);
+ SSL_CTX_clear_options(s_ctx2, SSL_OP_NO_SSLv3);
+
/*
* Since we will use low security ciphersuites and keys for testing set
* security level to zero by default. Tests can override this by adding


@@ -0,0 +1,261 @@
From f91cf5ad8c677b61ceb0bf5877b87f9e93256dd7 Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Mon, 5 Sep 2016 21:49:07 +0000
Subject: [PATCH] transmission: build against openssl 1.1.0
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
---
libtransmission/crypto-utils-openssl.c | 73 ++++++++++++++++++++++++++++++++--
1 file changed, 69 insertions(+), 4 deletions(-)
diff --git a/libtransmission/crypto-utils-openssl.c b/libtransmission/crypto-utils-openssl.c
index c4539dc..972e24a 100644
--- a/libtransmission/crypto-utils-openssl.c
+++ b/libtransmission/crypto-utils-openssl.c
@@ -229,6 +229,61 @@ tr_rc4_process (tr_rc4_ctx_t handle,
****
***/
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+static inline int
+DH_set0_pqg (DH * dh,
+ BIGNUM * p,
+ BIGNUM * q,
+ BIGNUM * g)
+{
+ /* If the fields p and g in d are NULL, the corresponding input
+ * parameters MUST be non-NULL. q may remain NULL.
+ */
+ if ((dh->p == NULL && p == NULL)
+ || (dh->g == NULL && g == NULL))
+ return 0;
+
+ if (p != NULL) {
+ BN_free (dh->p);
+ dh->p = p;
+ }
+ if (q != NULL) {
+ BN_free (dh->q);
+ dh->q = q;
+ }
+ if (g != NULL) {
+ BN_free (dh->g);
+ dh->g = g;
+ }
+
+ if (q != NULL) {
+ dh->length = BN_num_bits (q);
+ }
+
+ return 1;
+}
+
+static inline int
+DH_set_length (DH * dh,
+ long length)
+{
+ dh->length = length;
+ return 1;
+}
+
+static inline void
+DH_get0_key(const DH * dh,
+ const BIGNUM ** pub_key,
+ const BIGNUM ** priv_key)
+{
+ if (pub_key != NULL)
+ *pub_key = dh->pub_key;
+ if (priv_key != NULL)
+ *priv_key = dh->priv_key;
+}
+
+#endif
+
tr_dh_ctx_t
tr_dh_new (const uint8_t * prime_num,
size_t prime_num_length,
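Review bot: The shims are selected by `#if OPENSSL_VERSION_NUMBER < 0x10100000`, which tests a version number and not the presence of the functions. A library that reports a higher number without providing `DH_set0_pqg`, `DH_set_length` and `DH_get0_key` (older LibreSSL releases did so, as far as I know) would get neither the shims nor the real functions and fail to build. A build-time feature check per function would be more robust than the version comparison. The block would also benefit from a leading comment, e.g. `/* Fallbacks for the OpenSSL 1.1.0 DH accessors on libraries where DH is not opaque */`.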
@@ -236,13 +291,19 @@ tr_dh_new (const uint8_t * prime_num,
size_t generator_num_length)
{
DH * handle = DH_new ();
+ BIGNUM * p, * g;
assert (prime_num != NULL);
assert (generator_num != NULL);
+ p = BN_bin2bn (prime_num, prime_num_length, NULL);
+ g = BN_bin2bn (generator_num, generator_num_length, NULL);
- if (!check_pointer (handle->p = BN_bin2bn (prime_num, prime_num_length, NULL)) ||
- !check_pointer (handle->g = BN_bin2bn (generator_num, generator_num_length, NULL)))
+ if (!check_pointer (p) ||
+ !check_pointer (g) ||
+ !DH_set0_pqg (handle, p, NULL, g))
{
+ BN_free (p);
+ BN_free (g);
DH_free (handle);
handle = NULL;
}
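Review bot: `handle` comes straight from `DH_new ()` and is passed to `DH_set0_pqg` without a NULL check, and the compat shim added earlier in this patch dereferences `dh->p` on its first line. An allocation failure would therefore crash here instead of making tr_dh_new return NULL. Putting the handle first in the condition closes that: `if (!check_pointer (handle) || !check_pointer (p) || !check_pointer (g) || !DH_set0_pqg (handle, p, NULL, g))`, assuming `check_pointer` accepts the DH pointer the way it accepts the BIGNUMs. The cleanup branch needs no change for this, as far as I know, since the three free calls accept NULL. tr_dh_new starts and ends outside the hunk.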
@@ -267,16 +328,20 @@ tr_dh_make_key (tr_dh_ctx_t raw_handle,
{
DH * handle = raw_handle;
int dh_size, my_public_key_length;
+ const BIGNUM * hand_pub_key;
assert (handle != NULL);
assert (public_key != NULL);
- handle->length = private_key_length * 8;
+
+ DH_set_length(handle, private_key_length * 8);
if (!check_result (DH_generate_key (handle)))
return false;
- my_public_key_length = BN_bn2bin (handle->pub_key, public_key);
+ DH_get0_key (handle, &hand_pub_key, NULL);
+
+ my_public_key_length = BN_bn2bin (hand_pub_key, public_key);
dh_size = DH_size (handle);
tr_dh_align_key (public_key, my_public_key_length, dh_size);
From 8c8386a7f3f482a9c917f51d28e0042e55f56b3e Mon Sep 17 00:00:00 2001
From: Mike Gelfand <mikedld@mikedld.com>
Date: Wed, 7 Sep 2016 01:09:04 +0300
Subject: [PATCH] Fix coding style and building with !TR_LIGHTWEIGHT
---
libtransmission/crypto-utils-openssl.c | 60 +++++++++++++++++++---------------
1 file changed, 33 insertions(+), 27 deletions(-)
diff --git a/libtransmission/crypto-utils-openssl.c b/libtransmission/crypto-utils-openssl.c
index 972e24a..9fd2c58 100644
--- a/libtransmission/crypto-utils-openssl.c
+++ b/libtransmission/crypto-utils-openssl.c
@@ -14,6 +14,7 @@
#include <assert.h>
#include <openssl/bn.h>
+#include <openssl/crypto.h>
#include <openssl/dh.h>
#include <openssl/err.h>
#include <openssl/evp.h>
@@ -48,7 +49,12 @@ log_openssl_error (const char * file,
static bool strings_loaded = false;
if (!strings_loaded)
{
+#if OPENSSL_VERSION_NUMBER < 0x10100000
ERR_load_crypto_strings ();
+#else
+ OPENSSL_init_crypto (OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
+#endif
+
strings_loaded = true;
}
#endif
@@ -230,6 +236,7 @@ tr_rc4_process (tr_rc4_ctx_t handle,
***/
#if OPENSSL_VERSION_NUMBER < 0x10100000
+
static inline int
DH_set0_pqg (DH * dh,
BIGNUM * p,
@@ -237,28 +244,29 @@ DH_set0_pqg (DH * dh,
BIGNUM * g)
{
/* If the fields p and g in d are NULL, the corresponding input
- * parameters MUST be non-NULL. q may remain NULL.
+ * parameters MUST be non-NULL. q may remain NULL.
*/
- if ((dh->p == NULL && p == NULL)
- || (dh->g == NULL && g == NULL))
+ if ((dh->p == NULL && p == NULL) || (dh->g == NULL && g == NULL))
return 0;
- if (p != NULL) {
- BN_free (dh->p);
- dh->p = p;
- }
- if (q != NULL) {
- BN_free (dh->q);
- dh->q = q;
- }
- if (g != NULL) {
- BN_free (dh->g);
- dh->g = g;
- }
-
- if (q != NULL) {
+ if (p != NULL)
+ {
+ BN_free (dh->p);
+ dh->p = p;
+ }
+ if (q != NULL)
+ {
+ BN_free (dh->q);
+ dh->q = q;
+ }
+ if (g != NULL)
+ {
+ BN_free (dh->g);
+ dh->g = g;
+ }
+
+ if (q != NULL)
dh->length = BN_num_bits (q);
- }
return 1;
}
@@ -267,8 +275,8 @@ static inline int
DH_set_length (DH * dh,
long length)
{
- dh->length = length;
- return 1;
+ dh->length = length;
+ return 1;
}
static inline void
@@ -295,12 +303,11 @@ tr_dh_new (const uint8_t * prime_num,
assert (prime_num != NULL);
assert (generator_num != NULL);
+
p = BN_bin2bn (prime_num, prime_num_length, NULL);
g = BN_bin2bn (generator_num, generator_num_length, NULL);
- if (!check_pointer (p) ||
- !check_pointer (g) ||
- !DH_set0_pqg (handle, p, NULL, g))
+ if (!check_pointer (p) || !check_pointer (g) || !DH_set0_pqg (handle, p, NULL, g))
{
BN_free (p);
BN_free (g);
@@ -328,20 +335,19 @@ tr_dh_make_key (tr_dh_ctx_t raw_handle,
{
DH * handle = raw_handle;
int dh_size, my_public_key_length;
- const BIGNUM * hand_pub_key;
+ const BIGNUM * my_public_key;
assert (handle != NULL);
assert (public_key != NULL);
-
DH_set_length(handle, private_key_length * 8);
if (!check_result (DH_generate_key (handle)))
return false;
- DH_get0_key (handle, &hand_pub_key, NULL);
+ DH_get0_key (handle, &my_public_key, NULL);
- my_public_key_length = BN_bn2bin (hand_pub_key, public_key);
+ my_public_key_length = BN_bn2bin (my_public_key, public_key);
dh_size = DH_size (handle);
tr_dh_align_key (public_key, my_public_key_length, dh_size);