diff --git a/trunk/PKGBUILD b/trunk/PKGBUILD
index 39ac1cd..d8d8781 100644
--- a/trunk/PKGBUILD
+++ b/trunk/PKGBUILD
@@ -10,19 +10,61 @@ pkgdesc='The Open Source toolkit for Secure Sockets Layer and Transport Layer Se
 arch=('x86_64')
 url='https://www.openssl.org'
 license=('custom:BSD')
-depends=('perl')
+depends=('glibc')
+makedepends=('perl' 'patchutils')
 optdepends=('ca-certificates')
 options=('!makeflags')
 source=("https://www.openssl.org/source/openssl-${_ver}.tar.gz"
 "https://www.openssl.org/source/openssl-${_ver}.tar.gz.asc"
 'no-rpath.patch'
 'ssl3-test-failure.patch'
- 'openssl-1.0-versioned-symbols.patch')
+ 'openssl-1.0-versioned-symbols.patch'
+ 'https://github.com/openssl/openssl/commit/6950a8d6a2e6933bb32ae8ed345f1441ee63ef8c.patch' # Implement blinding for EC scalar multiplication
+ 'https://github.com/openssl/openssl/commit/258aa8181ec01ae2e955318385d1bdd99d37a848.patch' # Move the static "DH" ciphersuites into the "weak-ssl-ciphers" list
+ 'https://github.com/openssl/openssl/commit/3e5a7e8d8a5c52f89e2a85df6d9dad305149b1f3.patch' # Make SSL_OP_SINGLE_ECDH_USE the default and mandatory
+ 'https://github.com/openssl/openssl/commit/33282fd31a3353bc479c02a12281307e5835bc0a.patch' # DirectoryString is a CHOICE type and therefore uses explicit tagging
+ 'https://github.com/openssl/openssl/commit/2154ab83e14ede338d2ede9bbe5cdfce5d5a6c9e.patch' # Correctly compare EdiPartyName in GENERAL_NAME_cmp()
+ 'https://github.com/openssl/openssl/commit/601021f28e621034d7990482f49e236f7a5bea5f.patch' # Check that multi-strings/CHOICE types don't use implicit tagging
+ 'https://github.com/openssl/openssl/commit/3cc8c260fbe52bf5ac654b266c07f6dc7c2b7d87.patch' # Complain if we are attempting to encode with an invalid ASN.1 template
+ 'https://github.com/openssl/openssl/commit/8093d2491e9000d3b9d880070f970ceb2d591455.patch' # Add a test for GENERAL_NAME_cmp
+ 'https://github.com/openssl/openssl/commit/411ae4f03c15f538fb416367d0ab36662b91a3a1.patch' # Add a test for encoding/decoding using an invalid ASN.1 Template
+ 'https://github.com/openssl/openssl/commit/d029cd33ccaad89cb700181abe17955982e21e4a.patch' # Ensure SRP BN_mod_exp follows the constant time path
+ 'https://github.com/openssl/openssl/commit/8252ee4d90f3f2004d3d0aeeed003ad49c9a7807.patch' # Fix Null pointer deref in X509_issuer_and_serial_hash()
+ 'https://github.com/openssl/openssl/commit/30919ab80a478f2d81f2e9acdcca3fa4740cd547.patch' # Fix the RSA_SSLV23_PADDING padding type
+ 'https://github.com/openssl/openssl/commit/9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2.patch' # Don't overflow the output length in EVP_CipherUpdate calls
+ 'https://github.com/openssl/openssl/commit/433ad3400d5bf0a6a03a4ef6387c34501d7ff93b.patch' # Fix i2v_GENERAL_NAME to not assume NUL terminated strings
+ 'https://github.com/openssl/openssl/commit/28115d1170e5400c4b4ff246aaff73d39364dbda.patch' # Fix POLICYINFO printing to not assume NUL terminated strings
+ 'https://github.com/openssl/openssl/commit/0833e3b0b7c905370700d5f7e31c9a35de68250e.patch' # Fix printing of PROXY_CERT_INFO_EXTENSION to not assume NUL terminated strings
+ 'https://github.com/openssl/openssl/commit/d10667a39939ba8cb5f43bcce384ba458ce2bb07.patch' # Fix the name constraints code to not assume NUL terminated strings
+ 'https://github.com/openssl/openssl/commit/46c5cfe501b9e8c838c4f3e90ff5547e8c754241.patch' # Fix append_ia5 function to not assume NUL terminated strings
+ 'https://github.com/openssl/openssl/commit/792082baf191d1e588ff8219453a51f6f78f70d5.patch' # Fix NETSCAPE_SPKI_print function to not assume NUL terminated strings
+ 'https://github.com/openssl/openssl/commit/ccb0a11145ee72b042d10593a64eaf9e8a55ec12.patch' # Fix a read buffer overrun in X509_CERT_AUX_print()
+ )
 sha256sums=('ecd0c6ffb493dd06707d38b14bb4d8c2288bb7033735606569d8f90f89669d16'
 'SKIP'
 '754d6107a306311e15a1db6a1cc031b81691c8b9865e8809ac60ca6f184c957c'
 'c54ae87c602eaa1530a336ab7c6e22e12898e1941012349c153e52553df64a13'
- '353a84e4c92e36c379ebd9216b8f8fb9c271396583561eb84ac8c825979acaa6')
+ '353a84e4c92e36c379ebd9216b8f8fb9c271396583561eb84ac8c825979acaa6'
+ '55513736c8dee8b29fc291531a46dc214ee46496f72eaf02378f67a59df0abfb'
+ '853aab161cdf0fd57e94221cbbfda0055229a3d12e2d692e15066d92f16d0f25'
+ 'd632b5dbb3373a58ecf69edfdd6b2204753aac21eb4fd7942c81d34db608ce7c'
+ '35617b2147f1b999748a9187569b0dc75d75d3e3134a4b30f09f6aba1854b65d'
+ '65381edcf358d62c75a49ecbb1bbd132841991affc49b319458a3ce4d458ea05'
+ 'f32a93aff5e73542c6282eb007b71e0319d0b51a1de05e4370de4dc756c99e87'
+ '4861d59b4f6243084fc13b2d110cbf992e906fa85cf92a81b4c35c80025a3ed1'
+ '992988857c7da5f92551a8f8396eb04d80010a03997bb877a00c83470d57d400'
+ '206279f40d2e25fed0a9236d8a7c3beb60f9b5503cd50deeec48df83df3e56f7'
+ 'f4320e3e9d810011ae7aa91660e99bf6efdacd9fd3455f456ca534dfdf7afb59'
+ '9a6e58f3bed9e8f82791682cbcdb5471845c92567d7a57183c8b0b75f62dfd85'
+ '108e3a501105830b8616e2597abc46947925a7633568e18e48cc2e5a3f785f73'
+ '9e601ae95ef01013a3f13e3d84ed8f363ec744f715a5c786b8d4b0fdd96942c6'
+ 'c5671d186a74441d74df103b93f5cac72c040b6c6c3c5f2ec784ff5ecc45abe3'
+ 'beb309997f76b68aea10ca4bb7bd422ca861aa6ae5919d4a8bf472fc46d30839'
+ '769f0893ef5e5f9ff4837015d77e016e8d9904d1a6fcc9ae52c7722d556f3ef9'
+ '919f5b30ce00ab938c4d87a4f4add1e87a1cf2a91400e7a129403ef4cf5bb142'
+ 'bbeec7c51be5de301e565e8426c24cbfb9c8ca75cb943278a671c85edc565ce1'
+ '5a9bce74c356cd5cc11e919001e98f811f451fd885460ba62dde1627f7028925'
+ '060c5ae8b15b1b455274048be1bda0a4f4fdfda27f5616cced86877ee9409563')
 validpgpkeys=('8657ABB260F056B1E5190839D9C4D26D0E604491'
 '7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C')
 
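Review bot: The twenty upstream commit patches added to `source=()` are integrity-pinned only by the sha256sums below, which were computed at download time, whereas the tarball is additionally checked against validpgpkeys; on a later rebuild a checksum mismatch would be indistinguishable from tampering and from the forge regenerating the patch text, and nothing in the array ties a checksum row to the advisory it closes. Keeping a copy of each patch in the package tree, or at least giving each entry a local name carrying the advisory id (`cve-2020-1971-1.patch::https://github.com/openssl/openssl/commit/33282fd31a3353bc479c02a12281307e5835bc0a.patch`), would make the pinned inputs auditable and keep the two arrays in sync. Separately, `depends=('glibc')` drops perl from the runtime dependencies; if the package still installs c_rehash (a Perl script), perl remains a runtime requirement, which this hunk cannot confirm either way.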
@@ -37,6 +79,42 @@ prepare() {
 
 # add symbol versioning to prevent conflicts with openssl 1.1 symbols (Debian)
 patch -p1 -i "$srcdir"/openssl-1.0-versioned-symbols.patch
+
+ # Implement blinding for EC scalar multiplication
+ patch -p1 -i "$srcdir"/6950a8d6a2e6933bb32ae8ed345f1441ee63ef8c.patch
+
+ # CVE-2020-1968, exclude CHANGES and NEWS that do not apply cleanly
+ filterdiff -x CHANGES -x NEWS -p1 "$srcdir"/258aa8181ec01ae2e955318385d1bdd99d37a848.patch | patch -p1
+ filterdiff -x CHANGES -x NEWS -p1 "$srcdir"/3e5a7e8d8a5c52f89e2a85df6d9dad305149b1f3.patch | patch -p1
+
+ # CVE-2020-1971
+ patch -p1 -i "$srcdir"/33282fd31a3353bc479c02a12281307e5835bc0a.patch
+ patch -p1 -i "$srcdir"/2154ab83e14ede338d2ede9bbe5cdfce5d5a6c9e.patch
+ patch -p1 -i "$srcdir"/601021f28e621034d7990482f49e236f7a5bea5f.patch
+ patch -p1 -i "$srcdir"/3cc8c260fbe52bf5ac654b266c07f6dc7c2b7d87.patch
+ patch -p1 -i "$srcdir"/8093d2491e9000d3b9d880070f970ceb2d591455.patch
+ patch -p1 -i "$srcdir"/411ae4f03c15f538fb416367d0ab36662b91a3a1.patch
+
+ # Ensure SRP BN_mod_exp follows the constant time path, exclude CHANGES that does not apply cleanly
+ filterdiff -x CHANGES -p1 "$srcdir"/d029cd33ccaad89cb700181abe17955982e21e4a.patch | patch -p1
+
+ # CVE-2021-23841
+ patch -p1 -i "$srcdir"/8252ee4d90f3f2004d3d0aeeed003ad49c9a7807.patch
+
+ # CVE-2021-23839
+ patch -p1 -i "$srcdir"/30919ab80a478f2d81f2e9acdcca3fa4740cd547.patch
+
+ # CVE-2021-23840
+ patch -p1 -i "$srcdir"/9b1129239f3ebb1d1c98ce9ed41d5c9476c47cb2.patch
+
+ # CVE-2021-3712
+ patch -p1 -i "$srcdir"/433ad3400d5bf0a6a03a4ef6387c34501d7ff93b.patch
+ patch -p1 -i "$srcdir"/28115d1170e5400c4b4ff246aaff73d39364dbda.patch
+ patch -p1 -i "$srcdir"/0833e3b0b7c905370700d5f7e31c9a35de68250e.patch
+ patch -p1 -i "$srcdir"/d10667a39939ba8cb5f43bcce384ba458ce2bb07.patch
+ patch -p1 -i "$srcdir"/46c5cfe501b9e8c838c4f3e90ff5547e8c754241.patch
+ patch -p1 -i "$srcdir"/792082baf191d1e588ff8219453a51f6f78f70d5.patch
+ patch -p1 -i "$srcdir"/ccb0a11145ee72b042d10593a64eaf9e8a55ec12.patch
 }
 
 build() {
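Review bot: The three `filterdiff ... | patch -p1` pipelines (the two CVE-2020-1968 lines and the SRP one) report only patch's exit status, so with errexit alone a failing filterdiff (missing or unreadable input) hands patch an empty or truncated stream and the build may continue with that security fix silently absent. Enable pipefail ahead of them, `set -o pipefail`, or write the filtered output to a file first so a bad input fails loudly: `filterdiff -x CHANGES -x NEWS -p1 "$srcdir"/258aa8181ec01ae2e955318385d1bdd99d37a848.patch > cve-2020-1968-1.patch` followed by `patch -p1 -i cve-2020-1968-1.patch`. The comments above the EC-blinding and SRP patches give only the upstream subject while every other group is headed by its CVE id; adding the advisory reference, or an explicit "hardening, no CVE", keeps the list auditable against the advisories. prepare() starts outside the hunk.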