core/openssl-cryptodev to 1.0.1.e-5 and fixes

core/openssl-cryptodev/PKGBUILD

@@ -4,7 +4,10 @@
 # ALARM: Kevin Mihelich <kevin@archlinuxarm.org>
 #  - use linux-armv4 target for our architectures
 #  - cryptodev-enabled version
-
+#
+#	moonman <moonman [dot] ca [at] gmail [dot] com>
+#  - replace eng_cryptodev in openssl with the one provided with cryptodev
+#
 noautobuild=1
 buildarch=6
 
@@ -14,33 +17,41 @@ _ver=1.0.1e
 # use a pacman compatible version scheme
 pkgver=${_ver/[a-z]/.${_ver//[0-9.]/}}
 #pkgver=$_ver
-pkgrel=4
+pkgrel=5
 pkgdesc='The Open Source toolkit for Secure Sockets Layer and Transport Layer Security'
 arch=('arm' 'armv7h')
 url='https://www.openssl.org'
 license=('custom:BSD')
 depends=('perl')
 if [ "${CARCH}" == 'armv7h' ]; then
-	makedepends=('linux-headers-cubox')
+       makedepends=('linux-headers-cubox')
 else
-	makedepends=('linux-headers-kirkwood')
+       makedepends=('linux-headers')
 fi
 optdepends=('ca-certificates')
 options=('!makeflags')
 backup=('etc/ssl/openssl.cnf')
 conflicts=('openssl')
 provides=("openssl=${pkgver}")
+_cryptodev_commit=3c2c17daa8c67e068285c3a28bc32bbc009c4999
 source=("https://www.openssl.org/source/${_pkgname}-${_ver}.tar.gz"
         'no-rpath.patch'
-        'ca-dir.patch')
+        'ca-dir.patch'
-        'openssl-1.0.1e-fix_pod_syntax-1.patch')
+        'openssl-1.0.1e-fix_pod_syntax-1.patch'
+        'https://raw.github.com/nmav/cryptodev-linux/${_cryptodev_commit}/extras/eng_cryptodev.c'
+        'openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch'
+        'openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch')
+
 md5sums=('66bf6f10f060d561929de96f9dfe5b8c'
          'dc78d3d06baffc16217519242ce92478'
          '3bf51be3a1bbd262be46dc619f92aa90' 
-         '88d3bef4bbdc640b0412315d8d347bdf')
+         '88d3bef4bbdc640b0412315d8d347bdf'
+         '25dbe6700a64f825a9c9da7445c33608'
+         'ae7848bb152b8834ceff30c8c480d422'
+         'c5cc62a47cef72f4e5ad119a88e97ae4')
 
 prepare() {
-        cd $srcdir/$pkgname-$_ver
+        cd $srcdir/${_pkgname}-$_ver
 
         # remove rpath: http://bugs.archlinux.org/task/14367
         patch -p0 -i $srcdir/no-rpath.patch
@@ -48,10 +59,21 @@ prepare() {
         patch -p0 -i $srcdir/ca-dir.patch
 
         patch -p1 -i $srcdir/openssl-1.0.1e-fix_pod_syntax-1.patch
+
+        # OpenSSL 1.0.0k, 1.0.1.d, 1.0.1e fail handshake with DTLS1_BAD_VER
+        # http://rt.openssl.org/Ticket/Display.html?id=2984
+        patch -p1 -i $srcdir/openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch
+
+        # Communication problems with 1.0.1e
+        # http://rt.openssl.org/Ticket/Display.html?id=3002
+        patch -p1 -i $srcdir/openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch
+
+	#Replace eng_cryptodev.c with cryptodev version from git
+	cp -u ${srcdir}/eng_cryptodev.c $srcdir/openssl-${_ver}/crypto/engine/
 }
 
 build() {
-	cd $srcdir/$_pkgname-$_ver
+	cd $srcdir/${_pkgname}-$_ver
 
 	if [ "${CARCH}" == 'x86_64' ]; then
 		openssltarget='linux-x86_64'
@@ -60,12 +82,7 @@ build() {
 	elif [ "${CARCH}" == 'arm' -o "${CARCH}" == 'armv7h' ]; then
 		openssltarget='linux-armv4'
 	fi
-
+		_kernel_release="$(uname -r)"
-	if [ "${CARCH}" == 'armv7h' ]; then
-		_kernel_release="$(pacman -Q linux-headers-cubox | grep -Eo "[^\ ]+$")-ARCH+"
-	else
-		_kernel_release="$(pacman -Q linux-headers-kirkwood | grep -Eo "[^\ ]+$")-ARCH"
-	fi
 
 	# mark stack as non-executable: http://bugs.archlinux.org/task/12434
 	./Configure --prefix=/usr --openssldir=/etc/ssl --libdir=lib \

core/openssl-cryptodev/openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch

@@ -0,0 +1,31 @@
+From 9fe4603b8245425a4c46986ed000fca054231253 Mon Sep 17 00:00:00 2001
+From: David Woodhouse <dwmw2@infradead.org>
+Date: Tue, 12 Feb 2013 14:55:32 +0000
+Subject: Check DTLS_BAD_VER for version number.
+
+The version check for DTLS1_VERSION was redundant as
+DTLS1_VERSION > TLS1_1_VERSION, however we do need to
+check for DTLS1_BAD_VER for compatibility.
+
+PR:2984
+(cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc)
+---
+ ssl/s3_cbc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
+index 02edf3f..443a31e 100644
+--- a/ssl/s3_cbc.c
++++ b/ssl/s3_cbc.c
+@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
+ 	unsigned padding_length, good, to_check, i;
+ 	const unsigned overhead = 1 /* padding length byte */ + mac_size;
+ 	/* Check if version requires explicit IV */
+-	if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
++	if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
+ 		{
+ 		/* These lengths are all public so we can test them in
+ 		 * non-constant time.
+-- 
+1.8.4.2
+

core/openssl-cryptodev/openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch

@@ -0,0 +1,32 @@
+From 9ab3ce124616cb12bd39c6aa1e1bde0f46969b29 Mon Sep 17 00:00:00 2001
+From: Andy Polyakov <appro@openssl.org>
+Date: Mon, 18 Mar 2013 19:29:41 +0100
+Subject: e_aes_cbc_hmac_sha1.c: fix rare bad record mac on AES-NI plaforms.
+
+PR: 3002
+(cherry picked from commit 5c60046553716fcf160718f59160493194f212dc)
+---
+ crypto/evp/e_aes_cbc_hmac_sha1.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c
+index 483e04b..fb2c884 100644
+--- a/crypto/evp/e_aes_cbc_hmac_sha1.c
++++ b/crypto/evp/e_aes_cbc_hmac_sha1.c
+@@ -328,10 +328,11 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+ 
+ 				if (res!=SHA_CBLOCK) continue;
+ 
+-				mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));
++				/* j is not incremented yet */
++				mask = 0-((inp_len+7-j)>>(sizeof(j)*8-1));
+ 				data->u[SHA_LBLOCK-1] |= bitlen&mask;
+ 				sha1_block_data_order(&key->md,data,1);
+-				mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
++				mask &= 0-((j-inp_len-72)>>(sizeof(j)*8-1));
+ 				pmac->u[0] |= key->md.h0 & mask;
+ 				pmac->u[1] |= key->md.h1 & mask;
+ 				pmac->u[2] |= key->md.h2 & mask;
+-- 
+1.8.4.2
+