From 8ff4f2f51a6cf07fc33742ce3bee81328896e49b Mon Sep 17 00:00:00 2001 
From: Patrick J Volkerding Date: Fri, 25 May 2018 23:29:36 +0000 Subject: Fri May 25 23:29:36 UTC 2018 patches/packages/glibc-zoneinfo-2018e-noarch-2_slack14.1.txz: Rebuilt. Handle removal of US/Pacific-New timezone. If we see that the machine is using this, it will be automatically switched to US/Pacific. --- patches/source/openssl/certwatch | 130 ++++++++ patches/source/openssl/doinst.sh-openssl | 26 ++ patches/source/openssl/doinst.sh-openssl-solibs | 12 + patches/source/openssl/openssl.SlackBuild | 213 ++++++++++++ patches/source/openssl/openssl.optsx86.diff | 11 + patches/source/openssl/openssl.soname.diff | 11 + patches/source/openssl/openssl0/certwatch | 130 ++++++++ patches/source/openssl/openssl0/doinst.sh-openssl | 21 ++ .../openssl/openssl0/doinst.sh-openssl-solibs | 12 + patches/source/openssl/openssl0/openssl.SlackBuild | 202 ++++++++++++ .../openssl0/openssl.no.weak.sslv2.ciphers.diff | 51 +++ .../openssl0/openssl.no.weak.sslv3.ciphers.diff | 356 +++++++++++++++++++++ .../source/openssl/openssl0/openssl.optsx86.diff | 11 + .../source/openssl/openssl0/openssl.soname.diff | 11 + patches/source/openssl/openssl0/openssl0.build | 205 ++++++++++++ patches/source/openssl/openssl0/slack-desc.openssl | 19 ++ .../openssl/openssl0/slack-desc.openssl-solibs | 19 ++ patches/source/openssl/slack-desc.openssl | 19 ++ patches/source/openssl/slack-desc.openssl-solibs | 19 ++ 19 files changed, 1478 insertions(+) create mode 100644 patches/source/openssl/certwatch create mode 100644 patches/source/openssl/doinst.sh-openssl create mode 100644 patches/source/openssl/doinst.sh-openssl-solibs create mode 100755 patches/source/openssl/openssl.SlackBuild create mode 100644 patches/source/openssl/openssl.optsx86.diff create mode 100644 patches/source/openssl/openssl.soname.diff create mode 100644 patches/source/openssl/openssl0/certwatch create mode 100644 patches/source/openssl/openssl0/doinst.sh-openssl create mode 100644 
patches/source/openssl/openssl0/doinst.sh-openssl-solibs create mode 100755 patches/source/openssl/openssl0/openssl.SlackBuild create mode 100644 patches/source/openssl/openssl0/openssl.no.weak.sslv2.ciphers.diff create mode 100644 patches/source/openssl/openssl0/openssl.no.weak.sslv3.ciphers.diff create mode 100644 patches/source/openssl/openssl0/openssl.optsx86.diff create mode 100644 patches/source/openssl/openssl0/openssl.soname.diff create mode 100755 patches/source/openssl/openssl0/openssl0.build create mode 100644 patches/source/openssl/openssl0/slack-desc.openssl create mode 100644 patches/source/openssl/openssl0/slack-desc.openssl-solibs create mode 100644 patches/source/openssl/slack-desc.openssl create mode 100644 patches/source/openssl/slack-desc.openssl-solibs (limited to 'patches/source/openssl') diff --git a/patches/source/openssl/certwatch b/patches/source/openssl/certwatch new file mode 100644 index 000000000..d52dc3dc4 --- /dev/null +++ b/patches/source/openssl/certwatch 
@@ -0,0 +1,130 @@ +#!/bin/sh +# +# Will check all certificates stored in $CERTDIR for their expiration date, +# and will display (if optional "stdout" argument is given), or mail a warning +# message to $MAILADDR (if script is executed without any parameter +# - unattended mode suitable for cron execution) for each particular certificate +# that is about to expire in time less to, or equal to $DAYS after this script +# has been executed, or if it has already expired. +# This stupid script (C) 2006,2007 Jan Rafaj + +########################## CONFIGURATION SECTION BEGIN ######################### +# Note: all settings are mandatory +# Warning will be sent if a certificate expires in time <= days given here +DAYS=7 +# E-mail address where to send warnings +MAILADDR=root +# Directory with certificates to check +CERTDIR=/etc/ssl/certs +# Directory where to keep state files if this script isnt executed with "stdout" +STATEDIR=/var/run +########################### CONFIGURATION SECTION END ########################## + +PATH=/bin:/usr/bin:/sbin:/usr/sbin +DAY_IN_SECS=$((60*60*24)) +DATE_CURRENT=$(date '+%s') + +usage() +{ + echo "Usage: $0 [stdout]" + echo + echo "Detailed description and configuration is embedded within the script." + exit 0 +} + +message() +{ + cat << EOF + WARNING: certificate $certfile + is about to expire in time equal to or less than $DAYS days from now on, + or has already expired - it might be a good idea to obtain/create new one. + +EOF +} + +message_mail() +{ + message + cat << EOF + NOTE: This message is being sent only once. + + A lock-file + $STATEDIR/certwatch-mailwarning-sent-$certfilebase + has been created, which will prevent this script from mailing you again + upon its subsequent executions by crond. You dont need to care about it; + the file will be auto-deleted as soon as you'll prolong your certificate. 
+EOF +} + +unset stdout +case $# in + 0) ;; + 1) if [ "$1" = "-h" -o "$1" == "--help" ]; then + usage + elif [ "$1" = "stdout" ]; then + stdout=1 + else + usage + fi + ;; + *) usage ;; +esac + +for dir in $STATEDIR $CERTDIR ; do + if [ ! -d $dir ]; then + echo "ERROR: directory $dir does not exist" + exit 1 + fi +done +for binary in basename date find grep mail openssl touch ; do + if [ ! \( -x /usr/bin/$binary -o -x /bin/$binary \) ]; then + echo "ERROR: /usr/bin/$binary not found" + exit 1 + fi +done + +find $CERTDIR -type f -maxdepth 1 | while read certfile ; do + if [ "$certfile" != "/etc/ssl/certs/ca-certificates.crt" ]; then + certfilebase="$(basename "$certfile")" + inform=PEM + echo "$certfile" | grep -q -i '\.net$' + if [ $? -eq 0 ]; then + # This is based purely on filename extension, so may give false results. + # But lets assume noone uses NET format certs today, ok? + continue + fi + echo "$certfile" | grep -q -i '\.der$' + if [ $? -eq 0 -o "$(file "$certfile" | egrep '(ASCII|PEM)')" == "" ]; then + inform=DER + fi + # We wont use '-checkend' since it is not properly documented (as of + # OpenSSL 0.9.8e). + DATE_CERT_EXPIRES=$(openssl x509 -in "$certfile" -inform $inform -noout -enddate | sed 's/^notAfter=//') + DATE_CERT_EXPIRES=$(date -d"$DATE_CERT_EXPIRES" +%s) + if [ $(($DATE_CERT_EXPIRES - $DATE_CURRENT)) -le $(($DAYS * $DAY_IN_SECS)) ] + then + if [ $stdout ]; then + message + else + if [ ! -f $STATEDIR/certwatch-mailwarning-sent-"$certfilebase" ]; then + subject="$0: certificate $certfile expiration warning" + message_mail | mail -r "certwatch@$HOSTNAME" \ + -s "$subject" \ + $MAILADDR 2>/dev/null + # echo "Mail about expiring certificate $certfile sent to $MAILADDR." + # echo "If you need to send it again, please remove lock-file" + # echo "$STATEDIR/certwatch-mailwarning-sent-$certfilebase ." + # echo + fi + touch $STATEDIR/certwatch-mailwarning-sent-"$certfilebase" + fi + else + if [ ! 
$stdout ]; then + if [ -f $STATEDIR/certwatch-mailwarning-sent-"$certfilebase" ]; then + rm $STATEDIR/certwatch-mailwarning-sent-"$certfilebase" + fi + fi + fi + fi +done + diff --git a/patches/source/openssl/doinst.sh-openssl b/patches/source/openssl/doinst.sh-openssl new file mode 100644 index 000000000..8fcf3d1c1 --- /dev/null +++ b/patches/source/openssl/doinst.sh-openssl @@ -0,0 +1,26 @@ +config() { + NEW="$1" + OLD="`dirname $NEW`/`basename $NEW .new`" + # If there's no config file by that name, mv it over: + if [ ! -r $OLD ]; then + mv $NEW $OLD + elif [ "`cat $OLD | md5sum`" = "`cat $NEW | md5sum`" ]; then # toss the redundant copy + rm $NEW + fi + # Otherwise, we leave the .new copy for the admin to consider... +} + +# If there is a known buggy certwatch script with no local +# modifications, just replace it: +if [ "$(md5sum etc/cron.daily/certwatch 2> /dev/null)" = "32556321806f1850d56cb2ef8384b7a1 etc/cron.daily/certwatch" ]; then + cat etc/cron.daily/certwatch.new > etc/cron.daily/certwatch + touch -r etc/cron.daily/certwatch.new etc/cron.daily/certwatch +fi + +config etc/ssl/openssl.cnf.new +config etc/cron.daily/certwatch.new + +# Rehash certificates if the package is upgraded on a running system: +if [ -x /usr/bin/c_rehash ]; then + /usr/bin/c_rehash 1> /dev/null 2> /dev/null +fi diff --git a/patches/source/openssl/doinst.sh-openssl-solibs b/patches/source/openssl/doinst.sh-openssl-solibs new file mode 100644 index 000000000..ed4fdfacb --- /dev/null +++ b/patches/source/openssl/doinst.sh-openssl-solibs @@ -0,0 +1,12 @@ +config() { + NEW="$1" + OLD="`dirname $NEW`/`basename $NEW .new`" + # If there's no config file by that name, mv it over: + if [ ! -r $OLD ]; then + mv $NEW $OLD + elif [ "`cat $OLD | md5sum`" = "`cat $NEW | md5sum`" ]; then # toss the redundant copy + rm $NEW + fi + # Otherwise, we leave the .new copy for the admin to consider... +} +config etc/ssl/openssl.cnf.new 
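Review bot: In certwatch the lock file is touched whether or not `mail` succeeded, and mail's stderr goes to /dev/null, so one failed delivery silently suppresses every later warning for that certificate. The expiry value is also used unchecked: when `openssl x509` cannot parse a file, DATE_CERT_EXPIRES is empty, and with GNU date an empty `-d` argument appears to resolve to the start of the current day, so the file is reported as expiring. Checking both results and creating the lock only after a successful send closes both gaps, as sketched below. The identical copy added as openssl0/certwatch has the same two problems.

```shell
# … unchanged: setup, .net/.der detection …
    DATE_CERT_EXPIRES=$(openssl x509 -in "$certfile" -inform $inform -noout -enddate | sed 's/^notAfter=//')
    # Not a parsable certificate: skip it rather than feed an empty string to date.
    [ -n "$DATE_CERT_EXPIRES" ] || continue
    DATE_CERT_EXPIRES=$(date -d"$DATE_CERT_EXPIRES" +%s) || continue
# … unchanged: expiry comparison and stdout branch …
        if [ ! -f $STATEDIR/certwatch-mailwarning-sent-"$certfilebase" ]; then
          subject="$0: certificate $certfile expiration warning"
          # Record the warning as sent only when mail accepted it.
          if message_mail | mail -r "certwatch@$HOSTNAME" -s "$subject" $MAILADDR; then
            touch $STATEDIR/certwatch-mailwarning-sent-"$certfilebase"
          fi
        fi
```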
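Review bot: In doinst.sh-openssl the rehash step calls `/usr/bin/c_rehash` by absolute path while every other path in the script is relative to the install root, so an install into an alternate root would rehash the running host's certificate directory rather than the target's. This is inferred from the relative paths, since the installer's behaviour is not shown here. Both output streams are also discarded, so a failed rehash leaves stale hash links with no trace. I would at least document the assumption, e.g. `# Only meaningful when installing onto the live system: this rehashes the host's certificate directory, not the target root.`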
diff --git a/patches/source/openssl/openssl.SlackBuild b/patches/source/openssl/openssl.SlackBuild new file mode 100755 index 000000000..57d9a2d70 --- /dev/null +++ b/patches/source/openssl/openssl.SlackBuild 
@@ -0,0 +1,213 @@ +#!/bin/sh + +# Copyright 2000 BSDi, Inc. Concord, CA, USA +# Copyright 2001, 2002 Slackware Linux, Inc. Concord, CA, USA +# Copyright 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014 Patrick J. Volkerding, Sebeka, MN, USA +# All rights reserved. +# +# Redistribution and use of this script, with or without modification, is +# permitted provided that the following conditions are met: +# +# 1. Redistributions of this script must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO +# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; +# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +# Set initial variables: +CWD=$(pwd) +TMP=${TMP:-/tmp} + +VERSION=${VERSION:-$(echo openssl-*.tar.gz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} +BUILD=${BUILD:-1_slack14.1} + +# Automatically determine the architecture we're building on: +if [ -z "$ARCH" ]; then + case "$( uname -m )" in + i?86) export ARCH=i486 ;; + arm*) export ARCH=arm ;; + # Unless $ARCH is already set, use uname -m for all other archs: + *) export ARCH=$( uname -m ) ;; + esac +fi + +PKG1=$TMP/package-openssl +PKG2=$TMP/package-ossllibs +NAME1=openssl-$VERSION-$ARCH-$BUILD +NAME2=openssl-solibs-$VERSION-$ARCH-$BUILD + +# Parallel build doesn't link properly. 
+#NUMJOBS=${NUMJOBS:--j6} + +# So that ls has the right field counts for parsing... +export LC_ALL=C + +cd $TMP +rm -rf $PKG1 $PKG2 openssl-$VERSION + +tar xvf $CWD/openssl-$VERSION.tar.gz || exit 1 +cd openssl-$VERSION + +# Fix pod syntax errors which are fatal wih a newer perl: +find . -name "*.pod" -exec sed -i "s/^\=item \([0-9]\)\(\ \|$\)/\=item C<\1>/g" {} \; + +# Use .so.1, not .so.1.0.0: +zcat $CWD/openssl.soname.diff.gz | patch -p1 --backup --verbose --suffix=.orig || exit 1 +if [ "$ARCH" = "i486" ]; then + # Build with -march=i486 -mtune=i686: + zcat $CWD/openssl.optsx86.diff.gz | patch -p1 --backup --verbose --suffix=.orig || exit 1 + LIBDIRSUFFIX="" +elif [ "$ARCH" = "x86_64" ]; then + LIBDIRSUFFIX="64" +fi + +# OpenSSL has a (nasty?) habit of bumping the internal version number with +# every release. This wouldn't be so bad, but some applications are so +# paranoid that they won't run against a different OpenSSL version than +# what they were compiled against, whether or not the ABI has changed. +# +# So, we will use the OPENSSL_VERSION_NUMBER from openssl-1.0.1c unless ABI +# breakage forces it to change. Yes, we're finally using this old trick. :) +sed -i "s/#define OPENSSL_VERSION_NUMBER.*/\/* Use 0x1000103fL (1.0.1c) below to avoid pointlessly breaking the ABI *\/\n#define OPENSSL_VERSION_NUMBER 0x1000103fL/g" crypto/opensslv.h || exit 1 + +chown -R root:root . 
+mkdir -p $PKG1/usr/doc/openssl-$VERSION +cp -a CHANGES CHANGES.SSLeay FAQ INSTALL INSTALL.MacOS INSTALL.VMS INSTALL.W32 \ + LICENSE NEWS README README.ENGINE doc $PKG1/usr/doc/openssl-$VERSION +find $PKG1/usr/doc/openssl-$VERSION -type d -exec chmod 755 {} \; +find $PKG1/usr/doc/openssl-$VERSION -type f -exec chmod 644 {} \; + +# If there's a CHANGES file, installing at least part of the recent history +# is useful, but don't let it get totally out of control: +if [ -r CHANGES ]; then + DOCSDIR=$(echo $PKG1/usr/doc/*-$VERSION) + cat CHANGES | head -n 2000 > $DOCSDIR/CHANGES + touch -r CHANGES $DOCSDIR/CHANGES +fi + +# These are the known patent issues with OpenSSL: +# name # expires +# MDC-2: 4,908,861 2007-03-13, included. :-) +# IDEA: 5,214,703 2010-05-25, not included. +# RC5: 5,724,428 2015-03-03, not included. + +./config \ + --prefix=/usr \ + --openssldir=/etc/ssl \ + no-idea \ + no-rc5 \ + no-sse2 \ + enable-ssl2 \ + no-weak-ssl-ciphers \ + shared + +make $NUMJOBS depend || make depend || exit 1 + +make $NUMJOBS || make || exit 1 + +make install INSTALL_PREFIX=$PKG1 || exit 1 + +# Make the .so.? library symlinks: +( cd $PKG1/usr/lib${LIBDIRSUFFIX} ; ldconfig -l lib*.so.* ) + +# Move libraries, as they might be needed by programs that bring a network +# mounted /usr online: + +mkdir $PKG1/lib${LIBDIRSUFFIX} +( cd $PKG1/usr/lib${LIBDIRSUFFIX} + for file in lib*.so.?.* ; do + mv $file ../../lib${LIBDIRSUFFIX} + ln -sf ../../lib${LIBDIRSUFFIX}/$file . + done + cp -a lib*.so.? ../../lib${LIBDIRSUFFIX} +) + +# Add a cron script to warn root if a certificate is going to expire soon: +mkdir -p $PKG1/etc/cron.daily +zcat $CWD/certwatch.gz > $PKG1/etc/cron.daily/certwatch.new +chmod 755 $PKG1/etc/cron.daily/certwatch.new + +mv $PKG1/etc/ssl/openssl.cnf $PKG1/etc/ssl/openssl.cnf.new + +( cd $PKG1 + find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null + find . 
| xargs file | grep "shared object" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null +) + +mv $PKG1/etc/ssl/man $PKG1/usr +( cd $PKG1/usr/man/man1 ; mv passwd.1 ssl_passwd.1 ) +( cd $PKG1/usr/man/man3 ; mv rand.3 ssl_rand.3 ) +( cd $PKG1/usr/man/man3 ; mv err.3 ssl_err.3 ) +# Compress and symlink the man pages: +if [ -d $PKG1/usr/man ]; then + ( cd $PKG1/usr/man + for manpagedir in $(find . -type d -name "man*") ; do + ( cd $manpagedir + for eachpage in $( find . -type l -maxdepth 1) ; do + ln -s $( readlink $eachpage ).gz $eachpage.gz + rm $eachpage + done + gzip -9 *.? + ) + done + ) +fi + +# If there's an openssl0 directory, then build openssl-0 shared libraries for +# compatibility with programs linked to those: +if [ -d $CWD/openssl0 ]; then + ( cd $CWD/openssl0 + ./openssl0.build || exit 1 + ) || exit 1 + # Don't put these in the openssl package... openssl-solibs is enough. + #mkdir -p $PKG1/lib${LIBDIRSUFFIX} + #cp -a $TMP/package-openssl0/usr/lib/lib*.so.?.?.? $PKG1/lib${LIBDIRSUFFIX} + #( cd $PKG1/lib${LIBDIRSUFFIX} ; ldconfig -l lib*.so.?.?.? ) + mkdir -p $PKG2/lib${LIBDIRSUFFIX} + cp -a $TMP/package-openssl0/usr/lib/lib*.so.?.?.? $PKG2/lib${LIBDIRSUFFIX} + ( cd $PKG2/lib${LIBDIRSUFFIX} ; ldconfig -l lib*.so.?.?.? ) +fi + +cd $PKG1 +chmod 755 usr/lib${LIBDIRSUFFIX}/pkgconfig +sed -i -e "s#lib\$#lib${LIBDIRSUFFIX}#" usr/lib${LIBDIRSUFFIX}/pkgconfig/*.pc +mkdir -p install +zcat $CWD/doinst.sh-openssl.gz > install/doinst.sh +cat $CWD/slack-desc.openssl > install/slack-desc +/sbin/makepkg -l y -c n $TMP/${NAME1}.txz + +# Make runtime package: +mkdir -p $PKG2/lib${LIBDIRSUFFIX} +( cd lib${LIBDIRSUFFIX} ; cp -a lib*.so.* $PKG2/lib${LIBDIRSUFFIX} ) +( cd $PKG2/lib${LIBDIRSUFFIX} ; ldconfig -l * ) +mkdir -p $PKG2/etc +( cd $PKG2/etc ; cp -a $PKG1/etc/ssl . 
) +mkdir -p $PKG2/usr/doc/openssl-$VERSION +( cd $TMP/openssl-$VERSION + cp -a CHANGES CHANGES.SSLeay FAQ INSTALL INSTALL.MacOS INSTALL.VMS INSTALL.W32 \ + LICENSE NEWS README README.ENGINE $PKG2/usr/doc/openssl-$VERSION + # If there's a CHANGES file, installing at least part of the recent history + # is useful, but don't let it get totally out of control: + if [ -r CHANGES ]; then + DOCSDIR=$(echo $PKG2/usr/doc/*-$VERSION) + cat CHANGES | head -n 2000 > $DOCSDIR/CHANGES + touch -r CHANGES $DOCSDIR/CHANGES + fi +) + +find $PKG2/usr/doc/openssl-$VERSION -type d -exec chmod 755 {} \; +find $PKG2/usr/doc/openssl-$VERSION -type f -exec chmod 644 {} \; +cd $PKG2 +mkdir -p install +zcat $CWD/doinst.sh-openssl-solibs.gz > install/doinst.sh +cat $CWD/slack-desc.openssl-solibs > install/slack-desc +/sbin/makepkg -l y -c n $TMP/${NAME2}.txz diff --git a/patches/source/openssl/openssl.optsx86.diff b/patches/source/openssl/openssl.optsx86.diff new file mode 100644 index 000000000..3b0a45c86 --- /dev/null +++ b/patches/source/openssl/openssl.optsx86.diff 
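Review bot: The `./config` call in openssl.SlackBuild passes `enable-ssl2` with no explanation, which asks for SSLv2 protocol support to be built into a library the rest of the system links against; `no-weak-ssl-ciphers` next to it only removes the weak suites. If the option is there to keep existing binaries loading, say so above the command (a comment cannot go inside the continued lines), e.g. `# enable-ssl2: kept only so binaries that reference the SSLv2 entry points still link; weak suites are removed by no-weak-ssl-ciphers`. Separately, `cd $TMP` is not checked before `rm -rf $PKG1 $PKG2 openssl-$VERSION`, so after a failed cd the relative `openssl-$VERSION` removal runs in whatever directory the script was started from. `cd $TMP || exit 1` would stop that, and openssl0/openssl.SlackBuild has the same sequence.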
@@ -0,0 +1,11 @@
+--- ./Configure.orig 2015-04-16 11:46:04.733060835 -0500
++++ ./Configure 2015-04-16 11:48:26.462074086 -0500
+@@ -352,7 +352,7 @@
+ "linux-armv4", "gcc:-O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ #### IA-32 targets...
+ "linux-ia32-icc", "icc:-DL_ENDIAN -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-elf", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-elf", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -march=i486 -mtune=i686 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ "linux-aout", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out",
+ ####
+ "linux-generic64","gcc:-O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
diff --git a/patches/source/openssl/openssl.soname.diff b/patches/source/openssl/openssl.soname.diff
new file mode 100644
index 000000000..308968d9c
--- /dev/null
+++ b/patches/source/openssl/openssl.soname.diff
@@ -0,0 +1,11 @@
+--- ./Makefile.shared.orig 2005-06-23 13:47:54.000000000 -0700
++++ ./Makefile.shared 2005-10-12 20:02:28.000000000 -0700
+@@ -151,7 +151,7 @@
+ SHLIB_SUFFIX=; \
+ ALLSYMSFLAGS='-Wl,--whole-archive'; \
+ NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
++ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB.1"
+
+ DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
+
diff --git a/patches/source/openssl/openssl0/certwatch b/patches/source/openssl/openssl0/certwatch
new file mode 100644
index 000000000..d52dc3dc4
--- /dev/null
+++ b/patches/source/openssl/openssl0/certwatch
@@ -0,0 +1,130 @@ +#!/bin/sh +# +# Will check all certificates stored in $CERTDIR for their expiration date, +# and will display (if optional "stdout" argument is given), or mail a warning +# message to $MAILADDR (if script is executed without any parameter +# - unattended mode suitable for cron execution) for each particular certificate +# that is about to expire in time less to, or equal to $DAYS after this script +# has been executed, or if it has already expired. +# This stupid script (C) 2006,2007 Jan Rafaj + +########################## CONFIGURATION SECTION BEGIN ######################### +# Note: all settings are mandatory +# Warning will be sent if a certificate expires in time <= days given here +DAYS=7 +# E-mail address where to send warnings +MAILADDR=root +# Directory with certificates to check +CERTDIR=/etc/ssl/certs +# Directory where to keep state files if this script isnt executed with "stdout" +STATEDIR=/var/run +########################### CONFIGURATION SECTION END ########################## + +PATH=/bin:/usr/bin:/sbin:/usr/sbin +DAY_IN_SECS=$((60*60*24)) +DATE_CURRENT=$(date '+%s') + +usage() +{ + echo "Usage: $0 [stdout]" + echo + echo "Detailed description and configuration is embedded within the script." + exit 0 +} + +message() +{ + cat << EOF + WARNING: certificate $certfile + is about to expire in time equal to or less than $DAYS days from now on, + or has already expired - it might be a good idea to obtain/create new one. + +EOF +} + +message_mail() +{ + message + cat << EOF + NOTE: This message is being sent only once. + + A lock-file + $STATEDIR/certwatch-mailwarning-sent-$certfilebase + has been created, which will prevent this script from mailing you again + upon its subsequent executions by crond. You dont need to care about it; + the file will be auto-deleted as soon as you'll prolong your certificate. 
+EOF +} + +unset stdout +case $# in + 0) ;; + 1) if [ "$1" = "-h" -o "$1" == "--help" ]; then + usage + elif [ "$1" = "stdout" ]; then + stdout=1 + else + usage + fi + ;; + *) usage ;; +esac + +for dir in $STATEDIR $CERTDIR ; do + if [ ! -d $dir ]; then + echo "ERROR: directory $dir does not exist" + exit 1 + fi +done +for binary in basename date find grep mail openssl touch ; do + if [ ! \( -x /usr/bin/$binary -o -x /bin/$binary \) ]; then + echo "ERROR: /usr/bin/$binary not found" + exit 1 + fi +done + +find $CERTDIR -type f -maxdepth 1 | while read certfile ; do + if [ "$certfile" != "/etc/ssl/certs/ca-certificates.crt" ]; then + certfilebase="$(basename "$certfile")" + inform=PEM + echo "$certfile" | grep -q -i '\.net$' + if [ $? -eq 0 ]; then + # This is based purely on filename extension, so may give false results. + # But lets assume noone uses NET format certs today, ok? + continue + fi + echo "$certfile" | grep -q -i '\.der$' + if [ $? -eq 0 -o "$(file "$certfile" | egrep '(ASCII|PEM)')" == "" ]; then + inform=DER + fi + # We wont use '-checkend' since it is not properly documented (as of + # OpenSSL 0.9.8e). + DATE_CERT_EXPIRES=$(openssl x509 -in "$certfile" -inform $inform -noout -enddate | sed 's/^notAfter=//') + DATE_CERT_EXPIRES=$(date -d"$DATE_CERT_EXPIRES" +%s) + if [ $(($DATE_CERT_EXPIRES - $DATE_CURRENT)) -le $(($DAYS * $DAY_IN_SECS)) ] + then + if [ $stdout ]; then + message + else + if [ ! -f $STATEDIR/certwatch-mailwarning-sent-"$certfilebase" ]; then + subject="$0: certificate $certfile expiration warning" + message_mail | mail -r "certwatch@$HOSTNAME" \ + -s "$subject" \ + $MAILADDR 2>/dev/null + # echo "Mail about expiring certificate $certfile sent to $MAILADDR." + # echo "If you need to send it again, please remove lock-file" + # echo "$STATEDIR/certwatch-mailwarning-sent-$certfilebase ." + # echo + fi + touch $STATEDIR/certwatch-mailwarning-sent-"$certfilebase" + fi + else + if [ ! 
$stdout ]; then + if [ -f $STATEDIR/certwatch-mailwarning-sent-"$certfilebase" ]; then + rm $STATEDIR/certwatch-mailwarning-sent-"$certfilebase" + fi + fi + fi + fi +done + diff --git a/patches/source/openssl/openssl0/doinst.sh-openssl b/patches/source/openssl/openssl0/doinst.sh-openssl new file mode 100644 index 000000000..c92e60763 --- /dev/null +++ b/patches/source/openssl/openssl0/doinst.sh-openssl @@ -0,0 +1,21 @@ +config() { + NEW="$1" + OLD="`dirname $NEW`/`basename $NEW .new`" + # If there's no config file by that name, mv it over: + if [ ! -r $OLD ]; then + mv $NEW $OLD + elif [ "`cat $OLD | md5sum`" = "`cat $NEW | md5sum`" ]; then # toss the redundant copy + rm $NEW + fi + # Otherwise, we leave the .new copy for the admin to consider... +} + +# If there is a known buggy certwatch script with no local +# modifications, just replace it: +if [ "$(md5sum etc/cron.daily/certwatch 2> /dev/null)" = "32556321806f1850d56cb2ef8384b7a1 etc/cron.daily/certwatch" ]; then + cat etc/cron.daily/certwatch.new > etc/cron.daily/certwatch + touch -r etc/cron.daily/certwatch.new etc/cron.daily/certwatch +fi + +config etc/ssl/openssl.cnf.new +config etc/cron.daily/certwatch.new diff --git a/patches/source/openssl/openssl0/doinst.sh-openssl-solibs b/patches/source/openssl/openssl0/doinst.sh-openssl-solibs new file mode 100644 index 000000000..ed4fdfacb --- /dev/null +++ b/patches/source/openssl/openssl0/doinst.sh-openssl-solibs @@ -0,0 +1,12 @@ +config() { + NEW="$1" + OLD="`dirname $NEW`/`basename $NEW .new`" + # If there's no config file by that name, mv it over: + if [ ! -r $OLD ]; then + mv $NEW $OLD + elif [ "`cat $OLD | md5sum`" = "`cat $NEW | md5sum`" ]; then # toss the redundant copy + rm $NEW + fi + # Otherwise, we leave the .new copy for the admin to consider... +} +config etc/ssl/openssl.cnf.new diff --git a/patches/source/openssl/openssl0/openssl.SlackBuild b/patches/source/openssl/openssl0/openssl.SlackBuild new file mode 100755 index 000000000..bde102e25 
--- /dev/null +++ b/patches/source/openssl/openssl0/openssl.SlackBuild 
@@ -0,0 +1,202 @@ +#!/bin/sh + +# Copyright 2000 BSDi, Inc. Concord, CA, USA +# Copyright 2001, 2002 Slackware Linux, Inc. Concord, CA, USA +# Copyright 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2014 Patrick J. Volkerding, Sebeka, MN, USA +# All rights reserved. +# +# Redistribution and use of this script, with or without modification, is +# permitted provided that the following conditions are met: +# +# 1. Redistributions of this script must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO +# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; +# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +# Set initial variables: +CWD=$(pwd) +TMP=${TMP:-/tmp} + +VERSION=${VERSION:-$(echo openssl-*.tar.gz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} +BUILD=${BUILD:-1_slack14.1} + +# Automatically determine the architecture we're building on: +if [ -z "$ARCH" ]; then + case "$( uname -m )" in + i?86) export ARCH=i486 ;; + arm*) export ARCH=arm ;; + # Unless $ARCH is already set, use uname -m for all other archs: + *) export ARCH=$( uname -m ) ;; + esac +fi + +PKG1=$TMP/package-openssl +PKG2=$TMP/package-ossllibs +NAME1=openssl-$VERSION-$ARCH-$BUILD +NAME2=openssl-solibs-$VERSION-$ARCH-$BUILD + +NUMJOBS=${NUMJOBS:--j6} + +# So that ls has the right field counts for parsing... 
+export LC_ALL=C + +cd $TMP +rm -rf $PKG1 $PKG2 openssl-$VERSION +tar xvf $CWD/openssl-$VERSION.tar.gz || exit 1 +cd openssl-$VERSION + +# Fix pod syntax errors which are fatal wih a newer perl: +find . -name "*.pod" -exec sed -i "s/^\=item \([0-9]\)\(\ \|$\)/\=item C<\1>/g" {} \; + +# Use .so.0, not .so.0.9.8: +zcat $CWD/openssl.soname.diff.gz | patch -p1 --backup --verbose --suffix=.orig || exit 1 +if [ "$ARCH" = "i486" ]; then + # Build with -march=i486 -mtune=i686: + zcat $CWD/openssl.optsx86.diff.gz | patch -p1 --backup --verbose --suffix=.orig || exit 1 + LIBDIRSUFFIX="" +elif [ "$ARCH" = "x86_64" ]; then + LIBDIRSUFFIX="64" +fi + +# Mitigate DROWN: +zcat $CWD/openssl.no.weak.sslv2.ciphers.diff.gz | patch -p1 --verbose || exit 1 +zcat $CWD/openssl.no.weak.sslv3.ciphers.diff.gz | patch -p1 --verbose || exit 1 + +# OpenSSL has a (nasty?) habit of bumping the internal version number with +# every release. This wouldn't be so bad, but some applications are so +# paranoid that they won't run against a different OpenSSL version than +# what they were compiled against, whether or not the ABI has changed. +# +# So, we will use the OPENSSL_VERSION_NUMBER from openssl-0.9.8o unless ABI +# breakage forces it to change. Yes, we're finally using this old trick. :) +sed -i "s/#define OPENSSL_VERSION_NUMBER.*/\/* Use 0x009080efL (0.9.8o) below to avoid pointlessly breaking the ABI *\/\n#define OPENSSL_VERSION_NUMBER 0x009080efL/g" crypto/opensslv.h || exit 1 + +chown -R root:root . 
+mkdir -p $PKG1/usr/doc/openssl-$VERSION +cp -a CHANGES CHANGES.SSLeay FAQ INSTALL INSTALL.MacOS INSTALL.VMS INSTALL.W32 \ + LICENSE NEWS README README.ENGINE doc $PKG1/usr/doc/openssl-$VERSION +find $PKG1/usr/doc/openssl-$VERSION -type d -exec chmod 755 {} \; +find $PKG1/usr/doc/openssl-$VERSION -type f -exec chmod 644 {} \; + +# If there's a CHANGES file, installing at least part of the recent history +# is useful, but don't let it get totally out of control: +if [ -r CHANGES ]; then + DOCSDIR=$(echo $PKG1/usr/doc/*-$VERSION) + cat CHANGES | head -n 2000 > $DOCSDIR/CHANGES + touch -r CHANGES $DOCSDIR/CHANGES +fi + +# These are the known patent issues with OpenSSL: +# name # expires +# MDC-2: 4,908,861 2007-03-13, included. :-) +# IDEA: 5,214,703 2010-05-25, not included. +# RC5: 5,724,428 2015-03-03, not included. + +./config \ + --prefix=/usr \ + --openssldir=/etc/ssl \ + no-idea \ + no-rc5 \ + no-sse2 \ + shared + +make $NUMJOBS depend || make depend || exit 1 + +make $NUMJOBS || make || exit 1 + +make install INSTALL_PREFIX=$PKG1 || exit 1 + +# Use proper libdir: +( cd $PKG1/usr; mv lib lib${LIBDIRSUFFIX} ) + +# Make the .so.? library symlinks: +( cd $PKG1/usr/lib${LIBDIRSUFFIX} ; ldconfig -l lib*.so.* ) + +# Move libraries, as they might be needed by programs that bring a network +# mounted /usr online: + +mkdir $PKG1/lib${LIBDIRSUFFIX} +( cd $PKG1/usr/lib${LIBDIRSUFFIX} + for file in lib*.so.?.* ; do + mv $file ../../lib${LIBDIRSUFFIX} + ln -sf ../../lib${LIBDIRSUFFIX}/$file . + done + cp -a lib*.so.? ../../lib${LIBDIRSUFFIX} +) + +# Add a cron script to warn root if a certificate is going to expire soon: +mkdir -p $PKG1/etc/cron.daily +zcat $CWD/certwatch.gz > $PKG1/etc/cron.daily/certwatch.new +chmod 755 $PKG1/etc/cron.daily/certwatch.new + +mv $PKG1/etc/ssl/openssl.cnf $PKG1/etc/ssl/openssl.cnf.new + +( cd $PKG1 + find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null + find . 
| xargs file | grep "shared object" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null +) + +mv $PKG1/etc/ssl/man $PKG1/usr +( cd $PKG1/usr/man/man1 ; mv passwd.1 ssl_passwd.1 ) +( cd $PKG1/usr/man/man3 ; mv rand.3 ssl_rand.3 ) +( cd $PKG1/usr/man/man3 ; mv err.3 ssl_err.3 ) +# Compress and symlink the man pages: +if [ -d $PKG1/usr/man ]; then + ( cd $PKG1/usr/man + for manpagedir in $(find . -type d -name "man*") ; do + ( cd $manpagedir + for eachpage in $( find . -type l -maxdepth 1) ; do + ln -s $( readlink $eachpage ).gz $eachpage.gz + rm $eachpage + done + gzip -9 *.? + ) + done + ) +fi + +cd $PKG1 +chmod 755 usr/lib${LIBDIRSUFFIX}/pkgconfig +sed -i -e "s#lib\$#lib${LIBDIRSUFFIX}#" usr/lib${LIBDIRSUFFIX}/pkgconfig/*.pc +mkdir -p install +zcat $CWD/doinst.sh-openssl.gz > install/doinst.sh +cat $CWD/slack-desc.openssl > install/slack-desc +/sbin/makepkg -l y -c n $TMP/${NAME1}.txz + +# Make runtime package: +mkdir -p $PKG2/lib${LIBDIRSUFFIX} +( cd lib${LIBDIRSUFFIX} ; cp -a lib*.so.* $PKG2/lib${LIBDIRSUFFIX} ) +( cd $PKG2/lib${LIBDIRSUFFIX} ; ldconfig -l * ) +mkdir -p $PKG2/etc +( cd $PKG2/etc ; cp -a $PKG1/etc/ssl . ) +mkdir -p $PKG2/usr/doc/openssl-$VERSION +( cd $TMP/openssl-$VERSION + cp -a CHANGES CHANGES.SSLeay FAQ INSTALL INSTALL.MacOS INSTALL.VMS INSTALL.W32 \ + LICENSE NEWS README README.ENGINE $PKG2/usr/doc/openssl-$VERSION +) + +# If there's a CHANGES file, installing at least part of the recent history +# is useful, but don't let it get totally out of control: +if [ -r CHANGES ]; then + DOCSDIR=$(echo $PKG2/usr/doc/*-$VERSION) + cat CHANGES | head -n 2000 > $DOCSDIR/CHANGES + touch -r CHANGES $DOCSDIR/CHANGES +fi + +find $PKG2/usr/doc/openssl-$VERSION -type d -exec chmod 755 {} \; +find $PKG2/usr/doc/openssl-$VERSION -type f -exec chmod 644 {} \; +cd $PKG2 +mkdir -p install +zcat $CWD/doinst.sh-openssl-solibs.gz > install/doinst.sh +cat $CWD/slack-desc.openssl-solibs > install/slack-desc +/sbin/makepkg -l y -c n $TMP/${NAME2}.txz 
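Review bot: In the runtime-package part of openssl0/openssl.SlackBuild the `if [ -r CHANGES ]` block sits after the `( cd $TMP/openssl-$VERSION … )` subshell has closed, so it runs with `$PKG1` as the working directory, where no CHANGES file is expected, and the copy in `$PKG2` is never trimmed. openssl.SlackBuild in this commit keeps the same block inside the subshell; moving it back before the closing `)` restores that. The `# Mitigate DROWN:` comment would also be more useful if it said that the two patches remove only the export and single-DES suites while SSLv2 itself appears to stay built, since no `no-ssl2` is passed to `./config`. Something like `# Mitigate DROWN: drop export/DES suites only; SSLv2 remains compiled in for compatibility.` would do.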
diff --git a/patches/source/openssl/openssl0/openssl.no.weak.sslv2.ciphers.diff b/patches/source/openssl/openssl0/openssl.no.weak.sslv2.ciphers.diff new file mode 100644 index 000000000..a7075ba4c --- /dev/null +++ b/patches/source/openssl/openssl0/openssl.no.weak.sslv2.ciphers.diff @@ -0,0 +1,51 @@ +diff -u -r --new-file openssl-0.9.8zh.orig/ssl/s2_lib.c openssl-0.9.8zh/ssl/s2_lib.c +--- openssl-0.9.8zh.orig/ssl/s2_lib.c 2015-12-03 08:59:08.000000000 -0600 ++++ openssl-0.9.8zh/ssl/s2_lib.c 2016-03-01 18:29:20.998111828 -0600 +@@ -97,6 +97,7 @@ + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, ++# if 0 + /* RC4_128_EXPORT40_WITH_MD5 */ + { + 1, +@@ -110,6 +111,7 @@ + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, ++# endif + /* RC2_128_CBC_WITH_MD5 */ + { + 1, +@@ -123,6 +125,7 @@ + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, ++# if 0 + /* RC2_128_CBC_EXPORT40_WITH_MD5 */ + { + 1, +@@ -136,6 +139,7 @@ + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, ++# endif + /* IDEA_128_CBC_WITH_MD5 */ + # ifndef OPENSSL_NO_IDEA + { +@@ -151,6 +155,7 @@ + SSL_ALL_STRENGTHS, + }, + # endif ++# if 0 + /* DES_64_CBC_WITH_MD5 */ + { + 1, +@@ -164,6 +169,7 @@ + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, ++# endif + /* DES_192_EDE3_CBC_WITH_MD5 */ + { + 1, diff --git a/patches/source/openssl/openssl0/openssl.no.weak.sslv3.ciphers.diff b/patches/source/openssl/openssl0/openssl.no.weak.sslv3.ciphers.diff new file mode 100644 index 000000000..17326a56e --- /dev/null +++ b/patches/source/openssl/openssl0/openssl.no.weak.sslv3.ciphers.diff 
@@ -0,0 +1,356 @@ +diff -u -r --new-file openssl-0.9.8zh.orig/ssl/s3_lib.c openssl-0.9.8zh/ssl/s3_lib.c +--- openssl-0.9.8zh.orig/ssl/s3_lib.c 2015-12-03 08:59:08.000000000 -0600 ++++ openssl-0.9.8zh/ssl/s3_lib.c 2016-03-01 18:42:26.295095103 -0600 +@@ -166,6 +166,7 @@ + SSL_ALL_STRENGTHS, + }, + /* Cipher 03 */ ++# if 0 + { + 1, + SSL3_TXT_RSA_RC4_40_MD5, +@@ -178,6 +179,7 @@ + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, ++# endif + /* Cipher 04 */ + { + 1, +@@ -205,6 +207,7 @@ + SSL_ALL_STRENGTHS, + }, + /* Cipher 06 */ ++# if 0 + { + 1, + SSL3_TXT_RSA_RC2_40_MD5, +@@ -217,6 +220,7 @@ + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, ++# endif + /* Cipher 07 */ + #ifndef OPENSSL_NO_IDEA + { +@@ -233,6 +237,7 @@ + }, + #endif + /* Cipher 08 */ ++# if 0 + { + 1, + SSL3_TXT_RSA_DES_40_CBC_SHA, +@@ -245,7 +250,9 @@ + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, ++# endif + /* Cipher 09 */ ++# if 0 + { + 1, + SSL3_TXT_RSA_DES_64_CBC_SHA, +@@ -258,6 +265,7 @@ + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, ++# endif + /* Cipher 0A */ + { + 1, +@@ -273,6 +281,7 @@ + }, + /* The DH ciphers */ + /* Cipher 0B */ ++# if 0 + { + 0, + SSL3_TXT_DH_DSS_DES_40_CBC_SHA, +@@ -285,7 +294,9 @@ + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, ++# endif + /* Cipher 0C */ ++# if 0 + { + 0, + SSL3_TXT_DH_DSS_DES_64_CBC_SHA, +@@ -298,6 +309,7 @@ + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, ++# endif + /* Cipher 0D */ + { + 0, +@@ -312,6 +324,7 @@ + SSL_ALL_STRENGTHS, + }, + /* Cipher 0E */ ++# if 0 + { + 0, + SSL3_TXT_DH_RSA_DES_40_CBC_SHA, +@@ -324,7 +337,9 @@ + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, ++# endif + /* Cipher 0F */ ++# if 0 + { + 0, + SSL3_TXT_DH_RSA_DES_64_CBC_SHA, +@@ -337,6 +352,7 @@ + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, ++# endif + /* Cipher 10 */ + { + 0, +@@ -353,6 +369,7 @@ + + /* The Ephemeral DH ciphers */ + /* Cipher 11 */ ++# if 0 + { + 1, + SSL3_TXT_EDH_DSS_DES_40_CBC_SHA, +@@ -365,7 +382,9 @@ + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, ++# endif + /* Cipher 12 */ 
++# if 0 + { + 1, + SSL3_TXT_EDH_DSS_DES_64_CBC_SHA, +@@ -378,6 +397,7 @@ + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, ++# endif + /* Cipher 13 */ + { + 1, +@@ -392,6 +412,7 @@ + SSL_ALL_STRENGTHS, + }, + /* Cipher 14 */ ++# if 0 + { + 1, + SSL3_TXT_EDH_RSA_DES_40_CBC_SHA, +@@ -404,7 +425,9 @@ + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, ++# endif + /* Cipher 15 */ ++# if 0 + { + 1, + SSL3_TXT_EDH_RSA_DES_64_CBC_SHA, +@@ -417,6 +440,7 @@ + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, ++# endif + /* Cipher 16 */ + { + 1, +@@ -431,6 +455,7 @@ + SSL_ALL_STRENGTHS, + }, + /* Cipher 17 */ ++# if 0 + { + 1, + SSL3_TXT_ADH_RC4_40_MD5, +@@ -443,6 +468,7 @@ + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, ++# endif + /* Cipher 18 */ + { + 1, +@@ -457,6 +483,7 @@ + SSL_ALL_STRENGTHS, + }, + /* Cipher 19 */ ++# if 0 + { + 1, + SSL3_TXT_ADH_DES_40_CBC_SHA, +@@ -469,7 +496,9 @@ + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, ++# endif + /* Cipher 1A */ ++# if 0 + { + 1, + SSL3_TXT_ADH_DES_64_CBC_SHA, +@@ -482,6 +511,7 @@ + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, ++# endif + /* Cipher 1B */ + { + 1, +@@ -543,6 +573,7 @@ + + #ifndef OPENSSL_NO_KRB5 + /* The Kerberos ciphers */ ++# if 0 + /* Cipher 1E */ + { + 1, +@@ -556,6 +587,7 @@ + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, ++# endif + + /* Cipher 1F */ + { +@@ -600,6 +632,7 @@ + }, + + /* Cipher 22 */ ++# if 0 + { + 1, + SSL3_TXT_KRB5_DES_64_CBC_MD5, +@@ -612,6 +645,7 @@ + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, ++# endif + + /* Cipher 23 */ + { +@@ -656,6 +690,7 @@ + }, + + /* Cipher 26 */ ++# if 0 + { + 1, + SSL3_TXT_KRB5_DES_40_CBC_SHA, +@@ -668,8 +703,10 @@ + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, ++# endif + + /* Cipher 27 */ ++# if 0 + { + 1, + SSL3_TXT_KRB5_RC2_40_CBC_SHA, +@@ -682,8 +719,10 @@ + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, ++# endif + + /* Cipher 28 */ ++# if 0 + { + 1, + SSL3_TXT_KRB5_RC4_40_SHA, +@@ -696,8 +735,10 @@ + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, ++# endif + + /* Cipher 29 */ ++# if 0 
+ { + 1, + SSL3_TXT_KRB5_DES_40_CBC_MD5, +@@ -710,8 +751,10 @@ + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, ++# endif + + /* Cipher 2A */ ++# if 0 + { + 1, + SSL3_TXT_KRB5_RC2_40_CBC_MD5, +@@ -724,8 +767,10 @@ + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, ++# endif + + /* Cipher 2B */ ++# if 0 + { + 1, + SSL3_TXT_KRB5_RC4_40_MD5, +@@ -738,6 +783,7 @@ + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, ++# endif + #endif /* OPENSSL_NO_KRB5 */ + + /* New AES ciphersuites */ +@@ -1007,6 +1053,7 @@ + }, + # endif + /* Cipher 62 */ ++# if 0 + { + 1, + TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA, +@@ -1019,7 +1066,9 @@ + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, ++# endif + /* Cipher 63 */ ++# if 0 + { + 1, + TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, +@@ -1032,7 +1081,9 @@ + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, ++# endif + /* Cipher 64 */ ++# if 0 + { + 1, + TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA, +@@ -1045,7 +1096,9 @@ + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, ++# endif + /* Cipher 65 */ ++# if 0 + { + 1, + TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, +@@ -1058,6 +1111,7 @@ + SSL_ALL_CIPHERS, + SSL_ALL_STRENGTHS, + }, ++# endif + /* Cipher 66 */ + { + 1, diff --git a/patches/source/openssl/openssl0/openssl.optsx86.diff b/patches/source/openssl/openssl0/openssl.optsx86.diff new file mode 100644 index 000000000..a1a289a20 --- /dev/null +++ b/patches/source/openssl/openssl0/openssl.optsx86.diff 
@@ -0,0 +1,11 @@
+--- ./Configure.orig 2005-08-02 03:59:42.000000000 -0700
++++ ./Configure 2005-10-12 20:04:43.000000000 -0700
+@@ -317,7 +317,7 @@
+ "linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ #### IA-32 targets...
+ "linux-ia32-icc", "icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -mtune=i686 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ "linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
+ ####
+ "linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
diff --git a/patches/source/openssl/openssl0/openssl.soname.diff b/patches/source/openssl/openssl0/openssl.soname.diff
new file mode 100644
index 000000000..f660e93bb
--- /dev/null
+++ b/patches/source/openssl/openssl0/openssl.soname.diff
@@ -0,0 +1,11 @@
+--- ./Makefile.shared.orig 2005-06-23 13:47:54.000000000 -0700
++++ ./Makefile.shared 2005-10-12 20:02:28.000000000 -0700
+@@ -151,7 +151,7 @@
+ SHLIB_SUFFIX=; \
+ ALLSYMSFLAGS='-Wl,--whole-archive'; \
+ NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
++ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB.0"
+
+ DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
+
diff --git a/patches/source/openssl/openssl0/openssl0.build b/patches/source/openssl/openssl0/openssl0.build
new file mode 100755
index 000000000..8f8e37920
--- /dev/null
+++ b/patches/source/openssl/openssl0/openssl0.build
@@ -0,0 +1,205 @@ +#!/bin/sh + +# Copyright 2000 BSDi, Inc. Concord, CA, USA +# Copyright 2001, 2002 Slackware Linux, Inc. Concord, CA, USA +# Copyright 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2014 Patrick J. Volkerding, Sebeka, MN, USA +# All rights reserved. +# +# Redistribution and use of this script, with or without modification, is +# permitted provided that the following conditions are met: +# +# 1. Redistributions of this script must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO +# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; +# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +# Set initial variables: +CWD=$(pwd) +TMP=${TMP:-/tmp} + +VERSION=${VERSION:-$(echo openssl-*.tar.gz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} +BUILD=${BUILD:-1} + +# Automatically determine the architecture we're building on: +if [ -z "$ARCH" ]; then + case "$( uname -m )" in + i?86) export ARCH=i486 ;; + arm*) export ARCH=arm ;; + # Unless $ARCH is already set, use uname -m for all other archs: + *) export ARCH=$( uname -m ) ;; + esac +fi + +PKG1=$TMP/package-openssl0 +PKG2=$TMP/package-ossllibs +NAME1=openssl-$VERSION-$ARCH-$BUILD +NAME2=openssl-solibs-$VERSION-$ARCH-$BUILD + +NUMJOBS=${NUMJOBS:--j6} + +# So that ls has the right field counts for parsing... 
+export LC_ALL=C + +cd $TMP +#rm -rf $PKG1 $PKG2 openssl-$VERSION +rm -rf $PKG1 openssl-$VERSION +tar xvf $CWD/openssl-$VERSION.tar.gz || exit 1 +cd openssl-$VERSION + +# Fix pod syntax errors which are fatal wih a newer perl: +find . -name "*.pod" -exec sed -i "s/^\=item \([0-9]\)\(\ \|$\)/\=item C<\1>/g" {} \; + +# Use .so.0, not .so.0.9.8: +zcat $CWD/openssl.soname.diff.gz | patch -p1 --backup --verbose --suffix=.orig || exit 1 +if [ "$ARCH" = "i486" ]; then + # Build with -march=i486 -mtune=i686: + zcat $CWD/openssl.optsx86.diff.gz | patch -p1 --backup --verbose --suffix=.orig || exit 1 + LIBDIRSUFFIX="" +elif [ "$ARCH" = "x86_64" ]; then + LIBDIRSUFFIX="64" +fi + +# Mitigate DROWN: +zcat $CWD/openssl.no.weak.sslv2.ciphers.diff.gz | patch -p1 --verbose || exit 1 +zcat $CWD/openssl.no.weak.sslv3.ciphers.diff.gz | patch -p1 --verbose || exit 1 + +# OpenSSL has a (nasty?) habit of bumping the internal version number with +# every release. This wouldn't be so bad, but some applications are so +# paranoid that they won't run against a different OpenSSL version than +# what they were compiled against, whether or not the ABI has changed. +# +# So, we will use the OPENSSL_VERSION_NUMBER from openssl-0.9.8o unless ABI +# breakage forces it to change. Yes, we're finally using this old trick. :) +sed -i "s/#define OPENSSL_VERSION_NUMBER.*/\/* Use 0x009080efL (0.9.8o) below to avoid pointlessly breaking the ABI *\/\n#define OPENSSL_VERSION_NUMBER 0x009080efL/g" crypto/opensslv.h || exit 1 + +chown -R root:root . 
+mkdir -p $PKG1/usr/doc/openssl-$VERSION +cp -a CHANGES CHANGES.SSLeay FAQ INSTALL INSTALL.MacOS INSTALL.VMS INSTALL.W32 \ + LICENSE NEWS README README.ENGINE doc $PKG1/usr/doc/openssl-$VERSION +find $PKG1/usr/doc/openssl-$VERSION -type d -exec chmod 755 {} \; +find $PKG1/usr/doc/openssl-$VERSION -type f -exec chmod 644 {} \; + +# If there's a CHANGES file, installing at least part of the recent history +# is useful, but don't let it get totally out of control: +if [ -r CHANGES ]; then + DOCSDIR=$(echo $PKG1/usr/doc/*-$VERSION) + cat CHANGES | head -n 2000 > $DOCSDIR/CHANGES + touch -r CHANGES $DOCSDIR/CHANGES +fi + +# These are the known patent issues with OpenSSL: +# name # expires +# MDC-2: 4,908,861 2007-03-13, included. :-) +# IDEA: 5,214,703 2010-05-25, not included. +# RC5: 5,724,428 2015-03-03, not included. + +./config \ + --prefix=/usr \ + --openssldir=/etc/ssl \ + no-idea \ + no-rc5 \ + no-sse2 \ + shared + +make $NUMJOBS depend || make depend || exit 1 + +make $NUMJOBS || make || exit 1 + +make install INSTALL_PREFIX=$PKG1 || exit 1 + +exit 0 + +# Use proper libdir: +( cd $PKG1/usr; mv lib lib${LIBDIRSUFFIX} ) + +# Make the .so.? library symlinks: +( cd $PKG1/usr/lib${LIBDIRSUFFIX} ; ldconfig -l lib*.so.* ) + +# Move libraries, as they might be needed by programs that bring a network +# mounted /usr online: + +mkdir $PKG1/lib${LIBDIRSUFFIX} +( cd $PKG1/usr/lib${LIBDIRSUFFIX} + for file in lib*.so.?.* ; do + mv $file ../../lib${LIBDIRSUFFIX} + ln -sf ../../lib${LIBDIRSUFFIX}/$file . + done + cp -a lib*.so.? ../../lib${LIBDIRSUFFIX} +) + +# Add a cron script to warn root if a certificate is going to expire soon: +mkdir -p $PKG1/etc/cron.daily +zcat $CWD/certwatch.gz > $PKG1/etc/cron.daily/certwatch.new +chmod 755 $PKG1/etc/cron.daily/certwatch.new + +mv $PKG1/etc/ssl/openssl.cnf $PKG1/etc/ssl/openssl.cnf.new + +( cd $PKG1 + find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null + find . 
| xargs file | grep "shared object" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null +) + +mv $PKG1/etc/ssl/man $PKG1/usr +( cd $PKG1/usr/man/man1 ; mv passwd.1 ssl_passwd.1 ) +( cd $PKG1/usr/man/man3 ; mv rand.3 ssl_rand.3 ) +( cd $PKG1/usr/man/man3 ; mv err.3 ssl_err.3 ) +# Compress and symlink the man pages: +if [ -d $PKG1/usr/man ]; then + ( cd $PKG1/usr/man + for manpagedir in $(find . -type d -name "man*") ; do + ( cd $manpagedir + for eachpage in $( find . -type l -maxdepth 1) ; do + ln -s $( readlink $eachpage ).gz $eachpage.gz + rm $eachpage + done + gzip -9 *.? + ) + done + ) +fi + +cd $PKG1 +chmod 755 usr/lib${LIBDIRSUFFIX}/pkgconfig +sed -i -e "s#lib\$#lib${LIBDIRSUFFIX}#" usr/lib${LIBDIRSUFFIX}/pkgconfig/*.pc +mkdir -p install +zcat $CWD/doinst.sh-openssl.gz > install/doinst.sh +cat $CWD/slack-desc.openssl > install/slack-desc +/sbin/makepkg -l y -c n $TMP/${NAME1}.txz + +# Make runtime package: +mkdir -p $PKG2/lib${LIBDIRSUFFIX} +( cd lib${LIBDIRSUFFIX} ; cp -a lib*.so.* $PKG2/lib${LIBDIRSUFFIX} ) +( cd $PKG2/lib${LIBDIRSUFFIX} ; ldconfig -l * ) +mkdir -p $PKG2/etc +( cd $PKG2/etc ; cp -a $PKG1/etc/ssl . ) +mkdir -p $PKG2/usr/doc/openssl-$VERSION +( cd $TMP/openssl-$VERSION + cp -a CHANGES CHANGES.SSLeay FAQ INSTALL INSTALL.MacOS INSTALL.VMS INSTALL.W32 \ + LICENSE NEWS README README.ENGINE $PKG2/usr/doc/openssl-$VERSION +) + +# If there's a CHANGES file, installing at least part of the recent history +# is useful, but don't let it get totally out of control: +if [ -r CHANGES ]; then + DOCSDIR=$(echo $PKG2/usr/doc/*-$VERSION) + cat CHANGES | head -n 2000 > $DOCSDIR/CHANGES + touch -r CHANGES $DOCSDIR/CHANGES +fi + +find $PKG2/usr/doc/openssl-$VERSION -type d -exec chmod 755 {} \; +find $PKG2/usr/doc/openssl-$VERSION -type f -exec chmod 644 {} \; +cd $PKG2 +mkdir -p install +zcat $CWD/doinst.sh-openssl-solibs.gz > install/doinst.sh +cat $CWD/slack-desc.openssl-solibs > install/slack-desc +/sbin/makepkg -l y -c n $TMP/${NAME2}.txz 
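Review bot: `cd $TMP` and `cd openssl-$VERSION` near the top of openssl0.build are unchecked, although the `tar xvf` between them is guarded with `|| exit 1`; if either fails, the `rm -rf $PKG1 openssl-$VERSION`, the `find . -name "*.pod" -exec sed -i …` and, further down, `chown -R root:root .` can act on whatever directory the shell is still in. Both should fail closed: `cd $TMP || exit 1` and `cd openssl-$VERSION || exit 1`. Separately, the `exit 0` after `make install INSTALL_PREFIX=$PKG1 || exit 1` makes everything below it unreachable, including the strip pass and both `/sbin/makepkg` calls. If the script is only meant to stage the libraries into `$PKG1`, which is what the early exit suggests, the dead section should be deleted or the `exit 0` given a comment saying why it is there.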
diff --git a/patches/source/openssl/openssl0/slack-desc.openssl b/patches/source/openssl/openssl0/slack-desc.openssl
new file mode 100644
index 000000000..57227c043
--- /dev/null
+++ b/patches/source/openssl/openssl0/slack-desc.openssl
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|' on
+# the right side marks the last column you can put a character in. You must make
+# exactly 11 lines for the formatting to be correct. It's also customary to
+# leave one space after the ':'.
+
+ |-----handy-ruler------------------------------------------------------|
+openssl: openssl (Secure Sockets Layer toolkit)
+openssl:
+openssl: The OpenSSL certificate management tool and the shared libraries that
+openssl: provide various encryption and decryption algorithms and protocols.
+openssl:
+openssl: This product includes software developed by the OpenSSL Project for
+openssl: use in the OpenSSL Toolkit (http://www.openssl.org). This product
+openssl: includes cryptographic software written by Eric Young
+openssl: (eay@cryptsoft.com). This product includes software written by Tim
+openssl: Hudson (tjh@cryptsoft.com).
+openssl:
diff --git a/patches/source/openssl/openssl0/slack-desc.openssl-solibs b/patches/source/openssl/openssl0/slack-desc.openssl-solibs
new file mode 100644
index 000000000..58609e68b
--- /dev/null
+++ b/patches/source/openssl/openssl0/slack-desc.openssl-solibs
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|' on
+# the right side marks the last column you can put a character in. You must make
+# exactly 11 lines for the formatting to be correct. It's also customary to
+# leave one space after the ':'.
+
+ |-----handy-ruler------------------------------------------------------|
+openssl-solibs: openssl-solibs (OpenSSL shared libraries)
+openssl-solibs:
+openssl-solibs: These shared libraries provide encryption routines required by
+openssl-solibs: programs such as openssh, bind, sendmail, and many others.
+openssl-solibs:
+openssl-solibs: This product includes software developed by the OpenSSL Project for
+openssl-solibs: use in the OpenSSL Toolkit (http://www.openssl.org). This product
+openssl-solibs: includes cryptographic software written by Eric Young
+openssl-solibs: (eay@cryptsoft.com). This product includes software written by Tim
+openssl-solibs: Hudson (tjh@cryptsoft.com).
+openssl-solibs:
diff --git a/patches/source/openssl/slack-desc.openssl b/patches/source/openssl/slack-desc.openssl
new file mode 100644
index 000000000..57227c043
--- /dev/null
+++ b/patches/source/openssl/slack-desc.openssl
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|' on
+# the right side marks the last column you can put a character in. You must make
+# exactly 11 lines for the formatting to be correct. It's also customary to
+# leave one space after the ':'.
+
+ |-----handy-ruler------------------------------------------------------|
+openssl: openssl (Secure Sockets Layer toolkit)
+openssl:
+openssl: The OpenSSL certificate management tool and the shared libraries that
+openssl: provide various encryption and decryption algorithms and protocols.
+openssl:
+openssl: This product includes software developed by the OpenSSL Project for
+openssl: use in the OpenSSL Toolkit (http://www.openssl.org). This product
+openssl: includes cryptographic software written by Eric Young
+openssl: (eay@cryptsoft.com). This product includes software written by Tim
+openssl: Hudson (tjh@cryptsoft.com).
+openssl:
diff --git a/patches/source/openssl/slack-desc.openssl-solibs b/patches/source/openssl/slack-desc.openssl-solibs
new file mode 100644
index 000000000..58609e68b
--- /dev/null
+++ b/patches/source/openssl/slack-desc.openssl-solibs
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|' on
+# the right side marks the last column you can put a character in. You must make
+# exactly 11 lines for the formatting to be correct. It's also customary to
+# leave one space after the ':'.
+
+ |-----handy-ruler------------------------------------------------------|
+openssl-solibs: openssl-solibs (OpenSSL shared libraries)
+openssl-solibs:
+openssl-solibs: These shared libraries provide encryption routines required by
+openssl-solibs: programs such as openssh, bind, sendmail, and many others.
+openssl-solibs:
+openssl-solibs: This product includes software developed by the OpenSSL Project for
+openssl-solibs: use in the OpenSSL Toolkit (http://www.openssl.org). This product
+openssl-solibs: includes cryptographic software written by Eric Young
+openssl-solibs: (eay@cryptsoft.com). This product includes software written by Tim
+openssl-solibs: Hudson (tjh@cryptsoft.com).
+openssl-solibs:
-- cgit v1.2.3