Add other half of MD2 disable so that root certs arent checked #294615 by Alexander Danilov.

Package-Manager: portage-2.2_rc51/cvs/Linux x86_64 RepoMan-Options: --force
author: Mike Frysinger <vapier@gentoo.org> 2009-11-27 22:00:12 +0000
committer: Mike Frysinger <vapier@gentoo.org> 2009-11-27 22:00:12 +0000
commit: 27ea8fe01ccbeebd4749284a7458d7abe599a80f (patch)
tree: a1940795000540846b1ccdc28690be2e038c1761
parent: Fix path to iptables dir again #293709 by Vitaliy V. Osypenko. (diff)
download: historical-27ea8fe01ccbeebd4749284a7458d7abe599a80f.tar.gz
historical-27ea8fe01ccbeebd4749284a7458d7abe599a80f.tar.bz2
historical-27ea8fe01ccbeebd4749284a7458d7abe599a80f.zip
4 files changed, 244 insertions, 7 deletions
diff --git a/dev-libs/openssl/ChangeLog b/dev-libs/openssl/ChangeLog
index f44502db6b3a..5eea830c50ce 100644
--- a/dev-libs/openssl/ChangeLog
+++ b/dev-libs/openssl/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for dev-libs/openssl
 # Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/ChangeLog,v 1.308 2009/11/23 21:22:21 armin76 Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/ChangeLog,v 1.309 2009/11/27 22:00:12 vapier Exp $
+
+*openssl-0.9.8l-r2 (27 Nov 2009)
+
+  27 Nov 2009; Mike Frysinger <vapier@gentoo.org> +openssl-0.9.8l-r2.ebuild,
+  files/openssl-0.9.8l-CVE-2009-2409.patch:
+  Add other half of MD2 disable so that root certs arent checked #294615 by
+  Alexander Danilov.
 
   23 Nov 2009; Raúl Porcel <armin76@gentoo.org> openssl-0.9.8l-r1.ebuild:
   ia64/m68k/s390/sh/sparc stable wrt #292022
diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 8e7963d8ded2..87b20d59f35b 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,3 +1,6 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
 AUX gentoo.config-0.9.8 4249 RMD160 a63c08a30dd294429c562b8e24bf2b13ba220f63 SHA1 737dbd27e39726c49e44f5e92e46bdf8a8ff9b4d SHA256 c14ff861759f4ebaeb57f37ae7df63af4dea1767eae07ef0eb42abd43cebc4a1
 AUX openssl-0.9.7-alpha-default-gcc.patch 533 RMD160 ea2d91421aa4d3f463034b40c2c81c195a71c0dd SHA1 f5ee85db45ab80b66225a222c7655b74760b94fe SHA256 814ae7c09359414e7dcd96008c82d868fba0565de2d1b3e6a4275f8cdbeefb5c
 AUX openssl-0.9.7e-gentoo.patch 460 RMD160 60969fd05a15fe00d0d1c27b9098acfde28ba65e SHA1 73ff3c336dfdbeed903ac7b82486674ab4ec66a2 SHA256 ddb8d47429f3aadf3f5142293a2c38cbb9eb3927edfd1b497771337c48a11641
@@ -14,7 +17,7 @@ AUX openssl-0.9.8l-CVE-2009-1377.patch 1630 RMD160 d97d1f0f27c5331c7ad8eb47bc231
 AUX openssl-0.9.8l-CVE-2009-1378.patch 894 RMD160 a7df4efdb0b1127e8fcf15d647dcddd6f5365e84 SHA1 4179a7ef9725b2540c29768c2d80e79b6e26b271 SHA256 e8e9273e30cadb9076ec8f2694d4d3a2d71289a0b33d37960b9d28c2c055459b
 AUX openssl-0.9.8l-CVE-2009-1379.patch 662 RMD160 15b352d935eb1489cadeebb8e09c8bcb301fc8c1 SHA1 358cacdf2442dfb882db5c945daa333329009dd1 SHA256 19fdbc9551cee3985a6f326c5b28d0ba6f2e52ef44c7b023bb313644937c5e7d
 AUX openssl-0.9.8l-CVE-2009-1387.patch 1561 RMD160 58d4df1b1e246c4bbb4db44e60eac51a286ccb4d SHA1 938ea6ec1af911f67075cba3b1675e8b07baa75f SHA256 5fd8dd453022aa6ea245877d795dd03761334a8960dfa0e13f1cfbdd88680438
-AUX openssl-0.9.8l-CVE-2009-2409.patch 982 RMD160 aa0cba74931e0387f9491b8c4ab0f2e3d30c8bc9 SHA1 93ce7baf4a5b2417da1e3b5a6ed30b58d7577424 SHA256 8f1c156b305c31419a317a8e65988071f033db5ba668fde70a10aab23c28efe9
+AUX openssl-0.9.8l-CVE-2009-2409.patch 2224 RMD160 3283173440e957d2a1fa9c65e6a6dc3b656b4b84 SHA1 399c77a4c25b3016509f85cf78760356e204013e SHA256 1e95948c5f44bcdd3f734db7f403e5ad6b3674794deecbbbba661fee3d06961f
 AUX openssl-0.9.8l-binutils.patch 2655 RMD160 d801d719b4fc4a6818313c27def8e7a184f40b99 SHA1 f7aaae0d3a0163105d495661c3a48673655a3b82 SHA256 c81d8b70e7ccbe3e7ee2fc81a4658d058301d0129adcc380c24066aa42cb390c
 AUX openssl-0.9.8l-dtls-compat.patch 6141 RMD160 87d25f9b1e3ebbee2b3f168510e160bfeba5e2b3 SHA1 fe20d1d695df7fc3a87a264819305c7f40adc3d9 SHA256 440217a7b34dbc5eafc063bf6a3d9208dca1a8e673dcf0345759e898f0940ace
 DIST openssl-0.9.8k.tar.gz 3852259 RMD160 496df7a5d33457b0d8e3b930a8e5cf068923182c SHA1 3ba079f91d3c1ec90a36dcd1d43857165035703f SHA256 7e7cd4f3974199b729e6e3a0af08bd4279fde0370a1120c1a3b351ab090c6101
@@ -22,6 +25,14 @@ DIST openssl-0.9.8l.tar.gz 4179422 RMD160 9de81ec2583edcba729e62d50fd22c0a98a529
 EBUILD openssl-0.9.8k-r1.ebuild 5964 RMD160 ceb0d18aaf42309cde2212d154bd363f0e9b676f SHA1 77b5ffb0f2cec6581835123ca05f22fd6b547f05 SHA256 09b6edcb49f655b2dfa5edd33613fa9a1027375841ef7cc3b33a72beaa3141b4
 EBUILD openssl-0.9.8k.ebuild 5989 RMD160 6da50840cc10f982176156bfca8320d560aa8895 SHA1 a2509663bec3775fe81b2810301f46dbe503c464 SHA256 44958921f9043e8892a5f225aee5d10e6d5b920e222f8b448b24e4d29c13c9cd
 EBUILD openssl-0.9.8l-r1.ebuild 6192 RMD160 0b7cfae74cdc9579e1db5b743722fb2b65b01c13 SHA1 9f3d6c9cbec14eaf548a540f56b9ed11658f48e8 SHA256 40527f917e3fffd0dc27a37f51bba7e03783adc025e591e4f49104a23c6c4ab4
+EBUILD openssl-0.9.8l-r2.ebuild 6191 RMD160 d19bfd3536a4f46065a3c92979ee7d65a4b9966d SHA1 17fd9ffa7de07c1c0b1ecdf21a676b3daa0464a0 SHA256 cc8b389244c207247ad186730597ad44699def4d52e975fcb199df6eee5d2ccc
 EBUILD openssl-0.9.8l.ebuild 6034 RMD160 d1f206ade32e8202172bdc4ee82a0840adf1459b SHA1 3f85d97014ca59cd1258da2c50bd29795a1b758b SHA256 e9a64e59d491c66240764842817f75effb79611d1696bd2331a3ef0df30c0a1c
-MISC ChangeLog 45969 RMD160 939acc7c71d3ec2bea201393425cbdca98381eb9 SHA1 bdb8f012a44a3b41cd1136fd3d5b2a701a5d93c3 SHA256 f699bfe800ed493e77b53468a21bd8999d03254ec971d26dc8e19ec468c73b34
+MISC ChangeLog 46221 RMD160 2118fc7eda4dc437638a20ba770e59048e89a621 SHA1 9f2f130d3a68e1a00907e6324c106bd6a02bbab0 SHA256 11e3a2346922607f9f3865320c5f2579269567985f06c8e5885e39e5fb02b43a
 MISC metadata.xml 164 RMD160 f43cbec30b7074319087c9acffdb9354b17b0db3 SHA1 9c213f5803676c56439df3716be07d6692588856 SHA256 f5f2891f2a4791cd31350bb2bb572131ad7235cd0eeb124c9912c187ac10ce92
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.13 (GNU/Linux)
+
+iEYEARECAAYFAksQTPYACgkQlPl3HsVfCDoqpQCffebjoZhEmSHL5Ol7pFraEaZM
+cm4An21t1OFCStFo815pXOKzuJFgfsQ1
+=STlp
+-----END PGP SIGNATURE-----
diff --git a/dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-2409.patch b/dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-2409.patch
index ad4bf3dac9fa..b097869f3b1e 100644
--- a/dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-2409.patch
+++ b/dev-libs/openssl/files/openssl-0.9.8l-CVE-2009-2409.patch
@@ -2,11 +2,48 @@ http://bugs.gentoo.org/280591
 
 fix from upstream
 
+http://cvs.openssl.org/chngview?cn=18260
+
+Index: openssl/crypto/x509/x509_vfy.c
+RCS File: /v/openssl/cvs/openssl/crypto/x509/x509_vfy.c,v
+rcsdiff -q -kk '-r1.77.2.8' '-r1.77.2.9' -u '/v/openssl/cvs/openssl/crypto/x509/x509_vfy.c,v' 2>/dev/null
+--- crypto/x509/x509_vfy.c	2008/07/13 14:33:15	1.77.2.8
++++ crypto/x509/x509_vfy.c	2009/06/15 14:52:38	1.77.2.9
+@@ -986,7 +986,11 @@
+ 	while (n >= 0)
+ 		{
+ 		ctx->error_depth=n;
+-		if (!xs->valid)
++
++		/* Skip signature check for self signed certificates. It
++		 * doesn't add any security and just wastes time.
++		 */
++		if (!xs->valid && xs != xi)
+ 			{
+ 			if ((pkey=X509_get_pubkey(xi)) == NULL)
+ 				{
+@@ -996,13 +1000,6 @@
+ 				if (!ok) goto end;
+ 				}
+ 			else if (X509_verify(xs,pkey) <= 0)
+-				/* XXX  For the final trusted self-signed cert,
+-				 * this is a waste of time.  That check should
+-				 * optional so that e.g. 'openssl x509' can be
+-				 * used to detect invalid self-signatures, but
+-				 * we don't verify again and again in SSL
+-				 * handshakes and the like once the cert has
+-				 * been declared trusted. */
+ 				{
+ 				ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
+ 				ctx->current_cert=xs;
+
+http://cvs.openssl.org/chngview?cn=18317
+
 Index: openssl/crypto/evp/c_alld.c
 RCS File: /v/openssl/cvs/openssl/crypto/evp/c_alld.c,v
 rcsdiff -q -kk '-r1.7' '-r1.7.2.1' -u '/v/openssl/cvs/openssl/crypto/evp/c_alld.c,v' 2>/dev/null
---- c_alld.c	2005/04/30 21:51:40	1.7
-+++ c_alld.c	2009/07/08 08:33:26	1.7.2.1
+--- crypto/evp/c_alld.c	2005/04/30 21:51:40	1.7
++++ crypto/evp/c_alld.c	2009/07/08 08:33:26	1.7.2.1
 @@ -64,9 +64,6 @@
  
  void OpenSSL_add_all_digests(void)
@@ -20,8 +57,8 @@ rcsdiff -q -kk '-r1.7' '-r1.7.2.1' -u '/v/openssl/cvs/openssl/crypto/evp/c_alld.
 Index: openssl/ssl/ssl_algs.c
 RCS File: /v/openssl/cvs/openssl/ssl/ssl_algs.c,v
 rcsdiff -q -kk '-r1.12.2.3' '-r1.12.2.4' -u '/v/openssl/cvs/openssl/ssl/ssl_algs.c,v' 2>/dev/null
---- ssl_algs.c	2007/04/23 23:50:21	1.12.2.3
-+++ ssl_algs.c	2009/07/08 08:33:27	1.12.2.4
+--- ssl/ssl_algs.c	2007/04/23 23:50:21	1.12.2.3
++++ ssl/ssl_algs.c	2009/07/08 08:33:27	1.12.2.4
 @@ -92,9 +92,6 @@
  	EVP_add_cipher(EVP_seed_cbc());
  #endif
diff --git a/dev-libs/openssl/openssl-0.9.8l-r2.ebuild b/dev-libs/openssl/openssl-0.9.8l-r2.ebuild
new file mode 100644
index 000000000000..bdc263488c0a
--- /dev/null
+++ b/dev-libs/openssl/openssl-0.9.8l-r2.ebuild
@@ -0,0 +1,182 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/openssl-0.9.8l-r2.ebuild,v 1.1 2009/11/27 22:00:12 vapier Exp $
+
+inherit eutils flag-o-matic toolchain-funcs
+
+DESCRIPTION="Toolkit for SSL v2/v3 and TLS v1"
+HOMEPAGE="http://www.openssl.org/"
+SRC_URI="mirror://openssl/source/${P}.tar.gz"
+
+LICENSE="openssl"
+SLOT="0"
+KEYWORDS="alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~sparc-fbsd ~x86-fbsd"
+IUSE="bindist gmp kerberos sse2 test zlib"
+
+RDEPEND="gmp? ( dev-libs/gmp )
+	zlib? ( sys-libs/zlib )
+	kerberos? ( app-crypt/mit-krb5 )"
+DEPEND="${RDEPEND}
+	sys-apps/diffutils
+	>=dev-lang/perl-5
+	test? ( sys-devel/bc )"
+PDEPEND="app-misc/ca-certificates"
+
+src_unpack() {
+	unpack ${A}
+	cd "${S}"
+
+	epatch "${FILESDIR}"/${PN}-0.9.7e-gentoo.patch
+	#Forward port of the -b patch. Parallel make fails though.
+	epatch "${FILESDIR}"/${PN}-0.9.8j-parallel-build.patch
+	epatch "${FILESDIR}"/${PN}-0.9.8-make-engines-dir.patch
+	epatch "${FILESDIR}"/${PN}-0.9.8k-toolchain.patch
+	epatch "${FILESDIR}"/${PN}-0.9.8b-doc-updates.patch
+	epatch "${FILESDIR}"/${PN}-0.9.8-makedepend.patch #149583
+	epatch "${FILESDIR}"/${PN}-0.9.8e-make.patch #146316
+	#epatch "${FILESDIR}"/${PN}-0.9.8e-bsd-sparc64.patch
+	epatch "${FILESDIR}"/${PN}-0.9.8g-sslv3-no-tlsext.patch
+	#epatch "${FILESDIR}"/${PN}-0.9.8h-ldflags.patch #181438
+	epatch "${FILESDIR}"/${PN}-0.9.8l-CVE-2009-137{7,8,9}.patch #270305
+	epatch "${FILESDIR}"/${P}-CVE-2009-1387.patch #270305
+	epatch "${FILESDIR}"/${P}-CVE-2009-2409.patch #280591
+	epatch "${FILESDIR}"/${P}-dtls-compat.patch #280370
+	epatch "${FILESDIR}"/${PN}-0.9.8l-binutils.patch #289130
+	sed -i -e '/DIRS/ s/ fips / /g' Makefile{,.org} \
+		|| die "Removing fips from openssl failed."
+
+	# allow openssl to be cross-compiled
+	cp "${FILESDIR}"/gentoo.config-0.9.8 gentoo.config || die "cp cross-compile failed"
+	chmod a+rx gentoo.config
+
+	# Don't build manpages if we don't want them
+	has noman FEATURES \
+		&& sed -i '/^install:/s:install_docs::' Makefile.org \
+		|| sed -i '/^MANDIR=/s:=.*:=/usr/share/man:' Makefile.org
+
+	# Try to derice users and work around broken ass toolchains
+	if [[ $(gcc-major-version) == "3" ]] ; then
+		filter-flags -fprefetch-loop-arrays -freduce-all-givs -funroll-loops
+		[[ $(tc-arch) == "ppc64" ]] && replace-flags -O? -O
+	fi
+	[[ $(tc-arch) == ppc* ]] && append-flags -fno-strict-aliasing
+	append-flags -Wa,--noexecstack
+
+	# using a library directory other than lib requires some magic
+	sed -i \
+		-e "s+\(\$(INSTALL_PREFIX)\$(INSTALLTOP)\)/lib+\1/$(get_libdir)+g" \
+		-e "s+libdir=\$\${exec_prefix}/lib+libdir=\$\${exec_prefix}/$(get_libdir)+g" \
+		Makefile.org engines/Makefile \
+		|| die "sed failed"
+	sed -i '1s,^:$,#!/usr/bin/perl,' Configure #141906
+	sed -i '/^"debug-steve/d' Configure # 0.9.8k shipped broken
+	./config --test-sanity || die "I AM NOT SANE"
+}
+
+src_compile() {
+	unset APPS #197996
+
+	tc-export CC AR RANLIB
+
+	# Clean out patent-or-otherwise-encumbered code
+	# Camellia: Royalty Free            http://en.wikipedia.org/wiki/Camellia_(cipher)
+	# IDEA:     5,214,703 25/05/2010    http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+	# EC:       ????????? ??/??/2015    http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
+	# MDC2:     Expired                 http://en.wikipedia.org/wiki/MDC-2
+	# RC5:      5,724,428 03/03/2015    http://en.wikipedia.org/wiki/RC5
+
+	use_ssl() { use $1 && echo "enable-${2:-$1} ${*:3}" || echo "no-${2:-$1}" ; }
+	echoit() { echo "$@" ; "$@" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	local sslout=$(./gentoo.config)
+	einfo "Use configuration ${sslout:-(openssl knows best)}"
+	local config="Configure"
+	[[ -z ${sslout} ]] && config="config"
+	echoit \
+	./${config} \
+		${sslout} \
+		$(use sse2 || echo "no-sse2") \
+		enable-camellia \
+		$(use_ssl !bindist ec) \
+		$(use_ssl !bindist idea) \
+		enable-mdc2 \
+		$(use_ssl !bindist rc5) \
+		enable-tlsext \
+		$(use_ssl gmp) \
+		$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
+		$(use_ssl zlib) \
+		--prefix=/usr \
+		--openssldir=/etc/ssl \
+		shared threads \
+		|| die "Configure failed"
+
+	# Clean out hardcoded flags that openssl uses
+	local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
+		-e 's:^CFLAG=::' \
+		-e 's:-fomit-frame-pointer ::g' \
+		-e 's:-O[0-9] ::g' \
+		-e 's:-march=[-a-z0-9]* ::g' \
+		-e 's:-mcpu=[-a-z0-9]* ::g' \
+		-e 's:-m[a-z0-9]* ::g' \
+	)
+	sed -i \
+		-e "/^CFLAG/s:=.*:=${CFLAG} ${CFLAGS}:" \
+		-e "/^SHARED_LDFLAGS=/s:$: ${LDFLAGS}:" \
+		Makefile || die
+
+	# depend is needed to use $confopts
+	# rehash is needed to prep the certs/ dir
+	emake -j1 depend || die "depend failed"
+	emake -j1 all rehash || die "make all failed"
+}
+
+src_test() {
+	emake -j1 test || die "make test failed"
+}
+
+src_install() {
+	emake -j1 INSTALL_PREFIX="${D}" install || die
+	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el
+	dohtml -r doc/*
+
+	# create the certs directory
+	dodir /etc/ssl/certs
+	cp -RP certs/* "${D}"/etc/ssl/certs/ || die "failed to install certs"
+	rm -r "${D}"/etc/ssl/certs/{demo,expired}
+
+	# Namespace openssl programs to prevent conflicts with other man pages
+	cd "${D}"/usr/share/man
+	local m d s
+	for m in $(find . -type f | xargs grep -L '#include') ; do
+		d=${m%/*} ; d=${d#./} ; m=${m##*/}
+		[[ ${m} == openssl.1* ]] && continue
+		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
+		mv ${d}/{,ssl-}${m}
+		ln -s ssl-${m} ${d}/openssl-${m}
+		# locate any symlinks that point to this man page ... we assume
+		# that any broken links are due to the above renaming
+		for s in $(find -L ${d} -type l) ; do
+			s=${s##*/}
+			rm -f ${d}/${s}
+			ln -s ssl-${m} ${d}/ssl-${s}
+			ln -s ssl-${s} ${d}/openssl-${s}
+		done
+	done
+	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+
+	dodir /etc/sandbox.d #254521
+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${D}"/etc/sandbox.d/10openssl
+
+	diropts -m0700
+	keepdir /etc/ssl/private
+}
+
+pkg_preinst() {
+	preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.{6,7}
+}
+
+pkg_postinst() {
+	preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.{6,7}
+}
author	Mike Frysinger <vapier@gentoo.org>	2009-11-27 22:00:12 +0000
committer	Mike Frysinger <vapier@gentoo.org>	2009-11-27 22:00:12 +0000
commit	27ea8fe01ccbeebd4749284a7458d7abe599a80f (patch)
tree	a1940795000540846b1ccdc28690be2e038c1761
parent	Fix path to iptables dir again #293709 by Vitaliy V. Osypenko. (diff)
download	historical-27ea8fe01ccbeebd4749284a7458d7abe599a80f.tar.gz historical-27ea8fe01ccbeebd4749284a7458d7abe599a80f.tar.bz2 historical-27ea8fe01ccbeebd4749284a7458d7abe599a80f.zip