diff --git a/core/openssl-cryptodev/PKGBUILD b/core/openssl-cryptodev/PKGBUILD index 449691719..65ea633af 100644 --- a/core/openssl-cryptodev/PKGBUILD +++ b/core/openssl-cryptodev/PKGBUILD @@ -4,7 +4,10 @@ # ALARM: Kevin Mihelich # - use linux-armv4 target for our architectures # - cryptodev-enabled version - +# +# moonman +# - replace eng_cryptodev in openssl with the one provided with cryptodev +# noautobuild=1 buildarch=6 @@ -14,33 +17,41 @@ _ver=1.0.1e # use a pacman compatible version scheme pkgver=${_ver/[a-z]/.${_ver//[0-9.]/}} #pkgver=$_ver -pkgrel=4 +pkgrel=5 pkgdesc='The Open Source toolkit for Secure Sockets Layer and Transport Layer Security' arch=('arm' 'armv7h') url='https://www.openssl.org' license=('custom:BSD') depends=('perl') if [ "${CARCH}" == 'armv7h' ]; then - makedepends=('linux-headers-cubox') + makedepends=('linux-headers-cubox') else - makedepends=('linux-headers-kirkwood') + makedepends=('linux-headers') fi optdepends=('ca-certificates') options=('!makeflags') backup=('etc/ssl/openssl.cnf') conflicts=('openssl') provides=("openssl=${pkgver}") +_cryptodev_commit=3c2c17daa8c67e068285c3a28bc32bbc009c4999 source=("https://www.openssl.org/source/${_pkgname}-${_ver}.tar.gz" 'no-rpath.patch' - 'ca-dir.patch') - 'openssl-1.0.1e-fix_pod_syntax-1.patch') + 'ca-dir.patch' + 'openssl-1.0.1e-fix_pod_syntax-1.patch' + 'https://raw.github.com/nmav/cryptodev-linux/${_cryptodev_commit}/extras/eng_cryptodev.c' + 'openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch' + 'openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch') + md5sums=('66bf6f10f060d561929de96f9dfe5b8c' 'dc78d3d06baffc16217519242ce92478' '3bf51be3a1bbd262be46dc619f92aa90' - '88d3bef4bbdc640b0412315d8d347bdf') + '88d3bef4bbdc640b0412315d8d347bdf' + '25dbe6700a64f825a9c9da7445c33608' + 'ae7848bb152b8834ceff30c8c480d422' + 'c5cc62a47cef72f4e5ad119a88e97ae4') prepare() { - cd $srcdir/$pkgname-$_ver + cd $srcdir/${_pkgname}-$_ver # remove rpath: http://bugs.archlinux.org/task/14367 patch -p0 -i $srcdir/no-rpath.patch @@ -48,10 +59,21 @@ prepare() { patch -p0 -i $srcdir/ca-dir.patch patch -p1 -i $srcdir/openssl-1.0.1e-fix_pod_syntax-1.patch + + # OpenSSL 1.0.0k, 1.0.1.d, 1.0.1e fail handshake with DTLS1_BAD_VER + # http://rt.openssl.org/Ticket/Display.html?id=2984 + patch -p1 -i $srcdir/openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch + + # Communication problems with 1.0.1e + # http://rt.openssl.org/Ticket/Display.html?id=3002 + patch -p1 -i $srcdir/openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch + + #Replace eng_cryptodev.c with cryptodev version from git + cp -u ${srcdir}/eng_cryptodev.c $srcdir/openssl-${_ver}/crypto/engine/ } build() { - cd $srcdir/$_pkgname-$_ver + cd $srcdir/${_pkgname}-$_ver if [ "${CARCH}" == 'x86_64' ]; then openssltarget='linux-x86_64' @@ -60,12 +82,7 @@ build() { elif [ "${CARCH}" == 'arm' -o "${CARCH}" == 'armv7h' ]; then openssltarget='linux-armv4' fi - - if [ "${CARCH}" == 'armv7h' ]; then - _kernel_release="$(pacman -Q linux-headers-cubox | grep -Eo "[^\ ]+$")-ARCH+" - else - _kernel_release="$(pacman -Q linux-headers-kirkwood | grep -Eo "[^\ ]+$")-ARCH" - fi + _kernel_release="$(uname -r)" # mark stack as non-executable: http://bugs.archlinux.org/task/12434 ./Configure --prefix=/usr --openssldir=/etc/ssl --libdir=lib \ diff --git a/core/openssl-cryptodev/openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch b/core/openssl-cryptodev/openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch new file mode 100644 index 000000000..5a88220c3 --- /dev/null +++ b/core/openssl-cryptodev/openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch @@ -0,0 +1,31 @@ +From 9fe4603b8245425a4c46986ed000fca054231253 Mon Sep 17 00:00:00 2001 +From: David Woodhouse +Date: Tue, 12 Feb 2013 14:55:32 +0000 +Subject: Check DTLS_BAD_VER for version number. + +The version check for DTLS1_VERSION was redundant as +DTLS1_VERSION > TLS1_1_VERSION, however we do need to +check for DTLS1_BAD_VER for compatibility. + +PR:2984 +(cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc) +--- + ssl/s3_cbc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c +index 02edf3f..443a31e 100644 +--- a/ssl/s3_cbc.c ++++ b/ssl/s3_cbc.c +@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s, + unsigned padding_length, good, to_check, i; + const unsigned overhead = 1 /* padding length byte */ + mac_size; + /* Check if version requires explicit IV */ +- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION) ++ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER) + { + /* These lengths are all public so we can test them in + * non-constant time. +-- +1.8.4.2 + diff --git a/core/openssl-cryptodev/openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch b/core/openssl-cryptodev/openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch new file mode 100644 index 000000000..f1a251227 --- /dev/null +++ b/core/openssl-cryptodev/openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch @@ -0,0 +1,32 @@ +From 9ab3ce124616cb12bd39c6aa1e1bde0f46969b29 Mon Sep 17 00:00:00 2001 +From: Andy Polyakov +Date: Mon, 18 Mar 2013 19:29:41 +0100 +Subject: e_aes_cbc_hmac_sha1.c: fix rare bad record mac on AES-NI plaforms. + +PR: 3002 +(cherry picked from commit 5c60046553716fcf160718f59160493194f212dc) +--- + crypto/evp/e_aes_cbc_hmac_sha1.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c +index 483e04b..fb2c884 100644 +--- a/crypto/evp/e_aes_cbc_hmac_sha1.c ++++ b/crypto/evp/e_aes_cbc_hmac_sha1.c +@@ -328,10 +328,11 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + + if (res!=SHA_CBLOCK) continue; + +- mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1)); ++ /* j is not incremented yet */ ++ mask = 0-((inp_len+7-j)>>(sizeof(j)*8-1)); + data->u[SHA_LBLOCK-1] |= bitlen&mask; + sha1_block_data_order(&key->md,data,1); +- mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1)); ++ mask &= 0-((j-inp_len-72)>>(sizeof(j)*8-1)); + pmac->u[0] |= key->md.h0 & mask; + pmac->u[1] |= key->md.h1 & mask; + pmac->u[2] |= key->md.h2 & mask; +-- +1.8.4.2 +