From cc682c3917ebc4da82e7e42b118028dd844d5a46 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Mon, 27 Nov 2023 13:24:35 -0500
Subject: [PATCH] backports/openssl1.1-compat: new aport
---
 backports/openssl1.1-compat/APKBUILD | 177 ++++++++++++++++++
 backports/openssl1.1-compat/man-section.patch | 54 ++++++
 backports/openssl1.1-compat/ppc64.patch | 96 ++++++++++
 3 files changed, 327 insertions(+)
 create mode 100644 backports/openssl1.1-compat/APKBUILD
 create mode 100644 backports/openssl1.1-compat/man-section.patch
 create mode 100644 backports/openssl1.1-compat/ppc64.patch
diff --git a/backports/openssl1.1-compat/APKBUILD b/backports/openssl1.1-compat/APKBUILD
new file mode 100644
index 0000000..29eb65b
--- /dev/null
+++ b/backports/openssl1.1-compat/APKBUILD
@@ -0,0 +1,177 @@
+# Contributor: Ariadne Conill
+# Maintainer: Timo Teras
+pkgname=openssl1.1-compat
+pkgver=1.1.1w
+_abiver=${pkgver%.*}
+pkgrel=0
+pkgdesc="toolkit for transport layer security (TLS) - version 1.1"
+url="https://www.openssl.org/"
+arch="all"
+license="OpenSSL"
+replaces="libressl"
+depends_dev="!openssl-dev"
+makedepends_build="perl"
+makedepends_host="linux-headers"
+makedepends="$makedepends_host $makedepends_build"
+subpackages="$pkgname-dbg $pkgname-libs-static:_static $pkgname-dev
+ libcrypto$_abiver:_libcrypto libssl$_abiver:_libssl"
+source="https://www.openssl.org/source/openssl-$pkgver.tar.gz
+ man-section.patch
+ ppc64.patch
+ "
+builddir="$srcdir/openssl-$pkgver"
+pcprefix="openssl$_abiver:pc:"
+
+# secfixes:
+# 1.1.1u-r1:
+# - CVE-2023-3446
+# 1.1.1t-r2:
+# - CVE-2023-0465
+# 1.1.1t-r1:
+# - CVE-2023-0464
+# 1.1.1t-r0:
+# - CVE-2022-4304
+# - CVE-2022-4450
+# - CVE-2023-0215
+# - CVE-2023-0286
+# 1.1.1q-r0:
+# - CVE-2022-2097
+# 1.1.1n-r0:
+# - CVE-2022-0778
+# 1.1.1l-r0:
+# - CVE-2021-3711
+# - CVE-2021-3712
+# 1.1.1k-r0:
+# - CVE-2021-3449
+# - CVE-2021-3450
+# 1.1.1j-r0:
+# - CVE-2021-23841
+# - CVE-2021-23840
+# - CVE-2021-23839
+# 1.1.1i-r0:
+# - CVE-2020-1971
+# 1.1.1g-r0:
+# - CVE-2020-1967
+# 1.1.1d-r3:
+# - CVE-2019-1551
+# 1.1.1d-r1:
+# - CVE-2019-1547
+# - CVE-2019-1549
+# - CVE-2019-1563
+# 1.1.1b-r1:
+# - CVE-2019-1543
+# 1.1.1a-r0:
+# - CVE-2018-0734
+# - CVE-2018-0735
+# 0:
+# - CVE-2022-1292
+# - CVE-2022-2068
+
+build() {
+ local _target _optflags
+
+ # openssl will prepend crosscompile always core CC et al
+ CC=${CC#${CROSS_COMPILE}}
+ CXX=${CXX#${CROSS_COMPILE}}
+ CPP=${CPP#${CROSS_COMPILE}}
+
+ # determine target OS for openssl
+ case "$CARCH" in
+ aarch64*) _target="linux-aarch64" ;;
+ arm*) _target="linux-armv4" ;;
+ mips64*) _target="linux64-mips64" ;;
+ # explicit _optflags is needed to prevent automatic -mips3 addition
+ mips*) _target="linux-mips32"; _optflags="-mips32" ;;
+ ppc) _target="linux-ppc" ;;
+ ppc64) _target="linux-ppc64" ;;
+ ppc64le) _target="linux-ppc64le" ;;
+ x86) _target="linux-elf" ;;
+ x86_64) _target="linux-x86_64"; _optflags="enable-ec_nistp_64_gcc_128" ;;
+ s390x) _target="linux64-s390x";;
+ riscv64) _target="linux-generic64";;
+ *) msg "Unable to determine architecture from (CARCH=$CARCH)" ; return 1 ;;
+ esac
+
+ # Configure assumes --options are for it, so can't use
+ # gcc's --sysroot fake this by overriding CC
+ [ -n "$CBUILDROOT" ] && CC="$CC --sysroot=$CBUILDROOT"
+
+ # when cross building do not enable threads as libatomic is not avaiable
+ if [ "$CBUILD" != "$CHOST" ]; then
+ case $CARCH in
+ riscv64) _optflags="$_optflags no-threads";;
+ esac
+ fi
+
+ perl ./Configure \
+ $_target \
+ --prefix=/usr \
+ --libdir=lib \
+ --openssldir=/etc/ssl1.1 \
+ shared \
+ no-zlib \
+ no-async \
+ no-comp \
+ no-idea \
+ no-mdc2 \
+ no-rc5 \
+ no-ec2m \
+ no-sm2 \
+ no-sm4 \
+ no-ssl2 \
+ no-ssl3 \
+ no-seed \
+ no-weak-ssl-ciphers \
+ $_optflags \
+ $CPPFLAGS \
+ $CFLAGS \
+ $LDFLAGS -Wa,--noexecstack
+ make
+}
+
+check() {
+ # AFALG tests have a sporadic test failure, just delete the broken
+ # test for now.
+ rm -f test/recipes/30-test_afalg.t
+
+ make test
+}
+
+package() {
+ make DESTDIR="$pkgdir" install_sw install_ssldirs
+ # remove the script c_rehash
+ rm "$pkgdir"/usr/bin/c_rehash
+ mv -f "$pkgdir"/usr/bin/openssl "$pkgdir"/usr/bin/openssl$_abiver
+}
+
+_libcrypto() {
+ pkgdesc="Crypto library from openssl"
+ replaces="libressl2.7-libcrypto"
+ mkdir -p "$subpkgdir"/lib "$subpkgdir"/usr/lib
+ mv "$pkgdir"/etc "$subpkgdir"/
+ for i in "$pkgdir"/usr/lib/libcrypto*; do
+ mv $i "$subpkgdir"/lib/
+ ln -s ../../lib/${i##*/} "$subpkgdir"/usr/lib/${i##*/}
+ done
+ mv "$pkgdir"/usr/lib/engines-$_abiver "$subpkgdir"/usr/lib/
+}
+
+_libssl() {
+ pkgdesc="SSL shared libraries"
+
+ mkdir -p "$subpkgdir"/lib "$subpkgdir"/usr/lib
+ for i in "$pkgdir"/usr/lib/libssl*; do
+ mv $i "$subpkgdir"/lib/
+ ln -s ../../lib/${i##*/} "$subpkgdir"/usr/lib/${i##*/}
+ done
+}
+
+_static() {
+ default_static
+}
+
+sha512sums="
+b4c625fe56a4e690b57b6a011a225ad0cb3af54bd8fb67af77b5eceac55cc7191291d96a660c5b568a08a2fbf62b4612818e7cca1bb95b2b6b4fc649b0552b6d openssl-1.1.1w.tar.gz
+43c3255118db6f5f340dc865c0f25ccbcafe5bf7507585244ca59b4d27daf533d6c3171aa32a8685cbb6200104bec535894b633de13feaadff87ab86739a445a man-section.patch
+e040f23770d52b988578f7ff84d77563340f37c026db7643db8e4ef18e795e27d10cb42cb8656da4d9c57a28283a2828729d70f940edc950c3422a54fea55509 ppc64.patch
+"
diff --git a/backports/openssl1.1-compat/man-section.patch b/backports/openssl1.1-compat/man-section.patch
new file mode 100644
index 0000000..0606897
--- /dev/null
+++ b/backports/openssl1.1-compat/man-section.patch
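Review bot: The `# secfixes:` block in the new APKBUILD stops at `1.1.1u-r1` although `pkgver` is `1.1.1w`, so any tooling that reads this block has no record of what the later upstream releases fixed; their advisories should be checked and the matching entries added under the release that first carried them. Nothing in the file says that the 1.1.1 branch reached upstream end of life in September 2023, which matters for a package added after that date; a header comment such as `# NOTE: OpenSSL 1.1.1 is EOL upstream and gets no further public security releases; compat only` would make that visible to whoever depends on it. In `package()`, `# remove the script c_rehash` could state the reason, for example `# c_rehash is not shipped: CVE-2022-1292 and CVE-2022-2068 (the "0:" secfixes entries) are in that script`.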
@@ -0,0 +1,54 @@
+From: Debian OpenSSL Team
+Date: Sun, 5 Nov 2017 15:09:09 +0100
+Subject: man-section
+
+---
+ Configurations/unix-Makefile.tmpl | 6 ++++--
+ util/process_docs.pl | 3 ++-
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
+index 1292053546f5..c034d21884d8 100644
+--- a/Configurations/unix-Makefile.tmpl
++++ b/Configurations/unix-Makefile.tmpl
+@@ -183,7 +183,8 @@ HTMLDIR=$(DOCDIR)/html
+ # MANSUFFIX is for the benefit of anyone who may want to have a suffix
+ # appended after the manpage file section number. "ssl" is popular,
+ # resulting in files such as config.5ssl rather than config.5.
+-MANSUFFIX=
++MANSUFFIX=ssl
++MANSECTION=SSL
+ HTMLSUFFIX=html
+
+ # For "optional" echo messages, to get "real" silence
+@@ -726,7 +727,8 @@ uninstall_runtime: uninstall_programs uninstall_runtime_libs
+ @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+ @$(ECHO) "*** Installing manpages"
+ $(PERL) $(SRCDIR)/util/process_docs.pl \
+- "--destdir=$(DESTDIR)$(MANDIR)" --type=man --suffix=$(MANSUFFIX)
++ "--destdir=$(DESTDIR)$(MANDIR)" --type=man --suffix=$(MANSUFFIX) \
++ --mansection=$(MANSECTION)
+
+ uninstall_man_docs:
+ @$(ECHO) "*** Uninstalling manpages"
+diff --git a/util/process_docs.pl b/util/process_docs.pl
+index 30b149eb8fcc..424155ea808e 100755
+--- a/util/process_docs.pl
++++ b/util/process_docs.pl
+@@ -37,6 +37,7 @@ GetOptions(\%options,
+ 'type=s', # The result type, 'man' or 'html'
+ 'suffix:s', # Suffix to add to the extension.
+ # Only used with type=man
++ 'mansection:s', # Section to put to manpage in
+ 'remove', # To remove files rather than writing them
+ 'dry-run|n', # Only output file names on STDOUT
+ 'debug|D+',
+@@ -97,7 +98,7 @@ foreach my $section (sort @{$options{section}}) {
+ my $name = uc $podname;
+ my $suffix = { man => ".$podinfo{section}".($options{suffix} // ""),
+ html => ".html" } -> {$options{type}};
+- my $generate = { man => "pod2man --name=$name --section=$podinfo{section} --center=OpenSSL --release=$config{version} \"$podpath\"",
++ my $generate = { man => "pod2man --name=$name --section=$podinfo{section}$options{mansection} --center=OpenSSL --release=$config{version} \"$podpath\"",
+ html => "pod2html \"--podroot=$options{sourcedir}\" --htmldir=$updir --podpath=man1:man3:man5:man7 \"--infile=$podpath\" \"--title=$podname\" --quiet"
+ } -> {$options{type}};
+ my $output_dir = catdir($options{destdir}, "man$podinfo{section}");
diff --git a/backports/openssl1.1-compat/ppc64.patch b/backports/openssl1.1-compat/ppc64.patch
new file mode 100644
index 0000000..c75ceed
--- /dev/null
+++ b/backports/openssl1.1-compat/ppc64.patch
@@ -0,0 +1,96 @@
+From 34ab13b7d8e3e723adb60be8142e38b7c9cd382a Mon Sep 17 00:00:00 2001
+From: Andy Polyakov
+Date: Sun, 5 May 2019 18:25:50 +0200
+Subject: [PATCH] crypto/perlasm/ppc-xlate.pl: add linux64v2 flavour
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is a big endian ELFv2 configuration. ELFv2 was already being
+used for little endian, and big endian was traditionally ELFv1
+but there are practical configurations that use ELFv2 with big
+endian nowadays (Adélie Linux, Void Linux, possibly Gentoo, etc.)
+
+Reviewed-by: Paul Dale
+Reviewed-by: Richard Levitte
+(Merged from https://github.com/openssl/openssl/pull/8883)
+---
+ crypto/perlasm/ppc-xlate.pl | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/perlasm/ppc-xlate.pl b/crypto/perlasm/ppc-xlate.pl
+index e52f2f6ea62..5fcd0526dff 100755
+--- a/crypto/perlasm/ppc-xlate.pl
++++ b/crypto/perlasm/ppc-xlate.pl
+@@ -49,7 +49,7 @@
+ /osx/ && do { $name = "_$name";
+ last;
+ };
+- /linux.*(32|64le)/
++ /linux.*(32|64(le|v2))/
+ && do { $ret .= ".globl $name";
+ if (!$$type) {
+ $ret .= "\n.type $name,\@function";
+@@ -80,7 +80,7 @@
+ };
+ my $text = sub {
+ my $ret = ($flavour =~ /aix/) ? ".csect\t.text[PR],7" : ".text";
+- $ret = ".abiversion 2\n".$ret if ($flavour =~ /linux.*64le/);
++ $ret = ".abiversion 2\n".$ret if ($flavour =~ /linux.*64(le|v2)/);
+ $ret;
+ };
+ my $machine = sub {
+@@ -186,7 +186,7 @@
+
+ # Some ABIs specify vrsave, special-purpose register #256, as reserved
+ # for system use.
+-my $no_vrsave = ($flavour =~ /aix|linux64le/);
++my $no_vrsave = ($flavour =~ /aix|linux64(le|v2)/);
+ my $mtspr = sub {
+ my ($f,$idx,$ra) = @_;
+ if ($idx == 256 && $no_vrsave) {
+@@ -318,7 +318,7 @@ sub vfour {
+ if ($label) {
+ my $xlated = ($GLOBALS{$label} or $label);
+ print "$xlated:";
+- if ($flavour =~ /linux.*64le/) {
++ if ($flavour =~ /linux.*64(le|v2)/) {
+ if ($TYPES{$label} =~ /function/) {
+ printf "\n.localentry %s,0\n",$xlated;
+ }
+
+From 098404128383ded87ba390dd74ecd9e2ffa6f530 Mon Sep 17 00:00:00 2001
+From: Andy Polyakov
+Date: Sun, 5 May 2019 18:30:55 +0200
+Subject: [PATCH] Configure: use ELFv2 ABI on some ppc64 big endian systems
+
+If _CALL_ELF is defined to be 2, it's an ELFv2 system.
+Conditionally switch to the v2 perlasm scheme.
+
+Reviewed-by: Paul Dale
+Reviewed-by: Richard Levitte
+(Merged from https://github.com/openssl/openssl/pull/8883)
+---
+ Configure | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/Configure b/Configure
+index 22082deb4c7..e303d98deb3 100755
+--- a/Configure
++++ b/Configure
+@@ -1402,8 +1402,15 @@
+ my %predefined_C = compiler_predefined($config{CROSS_COMPILE}.$config{CC});
+ my %predefined_CXX = $config{CXX}
+ ? compiler_predefined($config{CROSS_COMPILE}.$config{CXX})
+ : ();
+
++unless ($disabled{asm}) {
++ # big endian systems can use ELFv2 ABI
++ if ($target eq "linux-ppc64") {
++ $target{perlasm_scheme} = "linux64v2" if ($predefined_C{_CALL_ELF} == 2);
++ }
++}
++
+ # Check for makedepend capabilities.
+ if (!$disabled{makedepend}) {
+ if ($config{target} =~ /^(VC|vms)-/) {