@@ -, +, @@ --- dev-libs/openssl/Manifest | 17 +- .../files/openssl-1.0.1l-CVE-2015-0286.patch | 356 +++++++++++++++++++++ dev-libs/openssl/openssl-1.0.1l-r99.ebuild | 261 +++++++++++++++ 3 files changed, 627 insertions(+), 7 deletions(-) create mode 100644 dev-libs/openssl/files/openssl-1.0.1l-CVE-2015-0286.patch create mode 100644 dev-libs/openssl/openssl-1.0.1l-r99.ebuild --- a/dev-libs/openssl/Manifest +++ a/dev-libs/openssl/Manifest @@ -1,22 +1,25 @@ AUX gentoo.config-1.0.1 4784 SHA256 26d1b360f094dd4e1acf47c3e830b52343c0f778dcd8f2c5b6c213b7e5192d13 SHA512 605e86cc68bbce5405b359098cc0a5abdc071a36462ca868d2fce57cabd928536fbcb0f5dea7318c96b3f9fca39b8c303601fff4442a8e68d7f99254180980e7 WHIRLPOOL eb7540c99ad4bbc60a3decd30e9d7d3816bb7cdd948c9c76950b278acec34a4737f1afaf543e9e524ea0cef8ae26008c065bef44129673e40ccaec9509052575 -AUX openssl-1.0.0a-ldflags.patch 891 SHA256 f04cef1b912681393236f9631792cd404783586c2fd8e0f011ace6236cc6dc4a SHA512 8ced9f22e413f81ff0563793bd6b765912af16671a0d10bff0c518c44bced0177dbcd6536359ff5b6bd5d49fa5032de47c719198444254d4814e4b21301f606c WHIRLPOOL f9b2641b8df926ff5d9d5cf5a7737f5cb4a3a2be2225911ebebd944f13219acfac07d496eec9a8e91af3f50ac1275dc7b0652354e8e958a0d3f6708e641f8970 -AUX openssl-1.0.0d-windres.patch 2890 SHA256 27664cfab4852f1a301c4020375eba029c8a1728d58829c831a36d3aa2fbe9f4 SHA512 32187d0a04c85118cc763ff1fe8c4635622294fe629b920c47e16408aa720fee2bcc42f97120f6750b59996878e0a3d249143d728a5b5775ec3a022f81bc230a WHIRLPOOL d5979143f7e637b0072f7d5f214d80f5cc0e53f54358781d7f10c0cdb15c2b52813e12d2aa07dde2b40e7a88fcb26d1d619443a8012530d90789609cf5ac4083 -AUX openssl-1.0.0h-pkg-config.patch 1289 SHA256 542dea12747b1cb667707250e3eb3803cbdd396bd0d8e836e48a8018417dc1b8 SHA512 4d1f66dc8615cdf7c96719c8cc909c7d908089e91b0cfe2dd08ae7a332c525b5384e2eb8eb3922e89cbc035167f581eaa606ba826fca6253f16f89f66a9ef225 WHIRLPOOL cdd63a06205b0237ddef1f56df2accf29e5f43f886aed01f95711b49a3af07d87afd0953cb3c12c7e97d4a3392f7c691257dcb7ad3e97cc6fbf1cf399a8a6394 -AUX openssl-1.0.1-parallel-build.patch 9918 SHA256 bd56e5fe1b6fe594ab93f34d25fef0b7372633bad8532f81da998f3e6655d221 SHA512 7255b3315133e415631b2ecadc8f5c50a705b9db507c46efded0190363ce9eb31ffbfe01c500669c060878e5202f858b1d2475c64948426fbf70820b4c798ba1 WHIRLPOOL 8a8c71c3806db85d6c6b355717cb4aa1e421fa1777aa7dcd7ee817ac1e552d4b671cdd7cceef9aee1a7dc1b305eb722b1ba0219832c7a6c1b808a0c49212df05 +AUX openssl-1.0.0a-ldflags.patch 1095 SHA256 2489ffbae4af11e1642d54992c404ca81b0c2a9c169032281f4f7778d945836f SHA512 d5a3f90ca0e9755940da525b8daba5b5d09b2b251863e9ca4f2b3b0a5db461e0aa25b2ae7a7d36d13a92ff64f2a37d4809b70aff9672c0f43398369bc7099979 WHIRLPOOL b7c2fbc833be856388110f2ac891976903e7c5dd4030249bcd79f915ae94fa93bff955ff3eaaf4a4bab306a09512bd861099c2738f5af7027174b79d023f7261 +AUX openssl-1.0.0d-windres.patch 2912 SHA256 e5dbfd6af69bc3f69b51787cf1f6245207be9824dfffbdd9b4e278772ed8ab32 SHA512 d7a0238edea29aac7d20dca0778c67f8ae4dc0da190e5277e1b3519ae536f2c44533ac5dc1cbcd138bc4277ad669b13fca316bd962f26e2cb387f2ad3fd0111b WHIRLPOOL d62156820e55898d0a0393473c6ad8e49c5aa7bb9d3fc7043795de7102c3003d5f8b874c751e03cf832e306ac290790e871e1318bb830b3558a43e09be5b45b4 +AUX openssl-1.0.0h-pkg-config.patch 1363 SHA256 dbbcc175f02e5edced01a13dd1e7d35dc4322c0970f78a7fd781a6c0766886af SHA512 c2f7a68c96098bd742235a40f27d6b1e5a0ebece53ca32dd0be74b85210479064efa1d5dc76e457b786067185768492fab2ed53762a22c511c2a2e3d43ed137b WHIRLPOOL 7f795dbed2124d8d2d126886d106675662f09b8e79c70fa2af3298486fdb75b7f1285dc17a53daf985bd4af1e58c36e13e49f46d18af860f0dabad1b3898c3b0 +AUX openssl-1.0.1-parallel-build.patch 10614 SHA256 f3aa674880ffa53a891d3f9054a1ff162c4461b3ec160a365990275907636259 SHA512 439015b3b007adfbab047a1e3e12a9700030779a593bba1a30e9554c7c02eb1cffe9acb089546954e87163847cf86b13130abf9646eb5d00a2ff725b534f84d5 WHIRLPOOL 673f6f045765effb9ded607bf8116a81e7bfeee78ba0e8a34892081c272239a2b75fbb14f4c48b61d93593fac8e1b1e8bef7223f4cc64e8443e19c8f337ab6bc AUX openssl-1.0.1-x32.patch 3273 SHA256 a4f05b8757e225a05a9c5a3ea485159066760d878c9ee54c4eaf61760e33c6cf SHA512 6bed57fe2fbe2d0ced1279b53804d94426a679d5d6b80ad7d0ed18523a7fda397e02038032c08cdd4e6034f9ff6e82cad365ff2a724d49d91467cf2b77f47752 WHIRLPOOL 1366632e7dc1c6e54efc5b9791bf24833d20e7a61ca29aa38d31b5b9629febf926a29742e370b7cd6767c810c0a1676100ca9169f0d836dfd19ff0b2c29e49c1 AUX openssl-1.0.1c-force-termios.patch 1849 SHA256 3c5a65f2961e5fd0031b0fabe0021f8531e901a5c8674c03d2b03157a184998b SHA512 6f938fc0778040104bd7d9fdf08e1200f25337089fdb0c2df935b6f5144849be550c66a9a83699bbec5b32304de5fea2ded325505412e2e4d3439dd49ed05db9 WHIRLPOOL 44f080f5f2ba75421495865486fbacc92a1d1b32100f1c4b384430957179b49ed0e91472832db12758504c87ffca2455a03db9d56da61532f5baffdefd94b390 AUX openssl-1.0.1e-ipv6.patch 18596 SHA256 430d15f2f62c2d7b9bbb968d3c1d3cea51c97d549e01683fd6befb20e2b60946 SHA512 15bfcafc8c173d2875954a43db19d15956619528a0fc356b6d36877f7434321071cf707d950767491261adc1e6403e56b3e014e3d0ffb6cef563daca00a128bd WHIRLPOOL d1dd63d00b166efb1ca9e5d8da931a47e571f5784e3b47780355553b4d0cf656885375e3fe7fc1554b6c5eb749371efeb370c7462e4fcc52c0dd85c6e2318ad8 AUX openssl-1.0.1e-perl-5.18.patch 8211 SHA256 0d2263de7cd1e814cf7583a738d7c439dadb6f195793a29356186b336edc5a98 SHA512 4b56cae218af916c5d7f1006f0a17e34eebc6ee9fb08789db0b18b7e0d6ca7ea0b297efdc712f8951b4db55d15dffea33faa939d2daa42db6be61670e43f0412 WHIRLPOOL 78ced5c41dba502f93f92322516ac8774ff73ce236c7cf793f7e502822c8b0c288f2ed4360d89d2ff2bfaf969f6bd0cc12b28151eda0217197c60bf6a561d8cf -AUX openssl-1.0.1e-s_client-verify.patch 585 SHA256 e5a7093d80a52f741a40aa6dbf85dd46dbbaa466b5093a13f0b1dffc0cd73a24 SHA512 d6d308016d6c6449703f5edcebd97c77a96bb47b2adfe7beade078055b4fe743f0b19e39cb23326678b7b908798e45557931e4b46751ba88a7f4233c3ad833bd WHIRLPOOL 0a4c8f489ab9a964f3ad753078cafdbdcd329a428acb47bf90f4500436873052a4bc5e24634f657272683c030bcf263ce28a6938d91c0c965ddb2c7207167911 +AUX openssl-1.0.1e-s_client-verify.patch 592 SHA256 6f540fce663eefbe68cee16ad7d8d561d6c898eeb4180c2f4a4caa7e43c6d0c9 SHA512 117b1017e1259667078d3ccdcd9fd46357c6f85cf2702794f49c612b37acdc044fe88f871dbe46fcad9ed4cd8aaaaee800dddb5286203322802efd7549a43b68 WHIRLPOOL 70a4cc36b1dcb24d7e9bcef016684fb2394977f7f20aa332ebd0aa15e3f4c16c74563d2fc0ba8d70669f6cc9a13bf8a30cdb28ebafe2d102cd2859a4e32c38d7 AUX openssl-1.0.1e-tls-ver-crash.patch 1203 SHA256 4868de1b15bea5cc695ffd22ae414b03aaa6bdd5b99313654043e29d4d0c9f76 SHA512 b87457ae5c0f2b605b47a683eb16ab2f3432873765b401a49d0ad300e3f96fa817fc5a85c6fd2c65143d355322911d6da2bdf576d0c212715d6c6b3c662e96d2 WHIRLPOOL e728ce3f2c7325469629ea0ef5a3c02860df9264a46218bdf553ad8eec56c5d4bf3fd6c63e0b67ff5734d503e4c3182f29f16ce80198b272eacca11177f48e5c AUX openssl-1.0.1f-perl-5.18.patch 7820 SHA256 e45c6856ef35b16e150282afa59432e783943e6aee62394f8a0e79ccd469fd84 SHA512 2fcda9f76968e8a193892170b2acc06b246c5a04bda2c501fa223231af0e4b2a38afd1adaf83cce4afd4210cdfd9cae8251aeb9510f24bcb50e7aeaa9fa09364 WHIRLPOOL 38768056d2bc4cd719c88038d201f765420a7d47b5dbd73b6d86347e59b4a1fc62f5f27d6c576fb73184fcfe26917446753d871db22aeac2a205f0bd18d2bbc3 -AUX openssl-1.0.1f-revert-alpha-perl-generation.patch 3029 SHA256 3b4b3e40f70330219a139d8562ed5ebc171c5e7ebf1ab2b29e295ccf435fb6eb SHA512 77f45b12211cb790ae362bed9417590f87a1749d6300dde408f00590ed86e7b05d05909f0a2356e5c64711319d2f8759ad452eaccc0f64c7578916b31462251f WHIRLPOOL a2140b00e69b2dc74d290db0c2d12d3d5e5ca7452710c3f3b2fdde8a06aa0f398212bd263d9a37cfea3df407aa1d26a996b852183955ca5eb4e8c061ca8cb68c -AUX openssl-1.0.1h-ipv6.patch 18675 SHA256 4ccbabad8c6b3e6710d54beb56322cddb79a55222198466843bb101fb4b4e4c6 SHA512 fc54a6e1afc4c395b0318bc264a31fa5e26add1106c61650aa9d2027a783d5d2390d223bae858149bc460e00114008577d30c6f45fccf43fbf9ab1019bcb7d25 WHIRLPOOL 539e101f8d5f53f266793880ea0cf197f246fbccdea22b802a51cf8f85ed2a3a172525c5c8796f3b457f3a0b84654db633a0df9d297c02491da40055036f9594 +AUX openssl-1.0.1f-revert-alpha-perl-generation.patch 3102 SHA256 6e502275b32ac0eca80f28448ae1bb88506f9135258f420fd857ea0b9b485778 SHA512 c80439da3d268e70fd492d0ca73c0a17ddb088b9330610794a338d1921ee13dad9caca4c81ca103b82a7541c8712f77e51f352ec1b1b02789d9aed291acb0cdc WHIRLPOOL cb760366c8759b1c78c5307134bb48c4fc12b1556276c2ef55455ea54725d20cb433ade966a7453f512d2feb5ae89a9798078ab535e4605366633a8e003c7ac6 +AUX openssl-1.0.1h-ipv6.patch 17788 SHA256 7adeeb88cc544f8b210efbe2baff48fccf5029b582dff7010ae70e0e1f097d7b SHA512 0f0990d4294abcb5f3e51c84080883046a054c710b57a23f99b3323727d5e9aeb5ddeb6b6c2565b4be364f7c21419c90ce5288154e404cd663678f87e0d1c259 WHIRLPOOL cfe7a2e141a4a6252ffcfe215b16dd1082bc14a757dad7eb01bb9819de41ef0ee51a4b2dbf110c27b52e483341c337bf4d1f77f4f9f3172d2fee9e348c30af7e +AUX openssl-1.0.1l-CVE-2015-0286.patch 10790 SHA256 3d234f4b7bd79b7de1a6fe2f42016531732c81dcb73af45edc5b280858d32cb8 SHA512 432a9e556df26e3f0059f53556dbc088cfe7e30e2c38354e7a7879bb4db204330702ab8050b9b31b3ef48badb8f0abdbf047445b71aa0c4c96f5aeb0bf16f9df WHIRLPOOL c4834efebdca3bee769819fee40099f2d83f4282db98a96da853164dae2639adaef18fe3caf87801f52e53b47752a99fd693aab66239e30344b714119c4c1c7a DIST openssl-1.0.1i.tar.gz 4422117 SHA256 3c179f46ca77069a6a0bac70212a9b3b838b2f66129cb52d568837fc79d8fcc7 SHA512 6cbcdcec8568236e8f20f0461f93df8a193a0ad88102ff548443e6ec87e2a7f649e314beee1e6bafda693934b4fb142244b61d14bf736828dda09e277b941d93 WHIRLPOOL 4baefe8a203243d08c2ca4dc9e1019a539135604a8ddfb09b9a7f2711108ad6ebd45eef1cfa09331f19fe57defbe7e1390f9ac2de086437a484c5819cabb5a4a DIST openssl-1.0.1j.tar.gz 4432964 SHA256 1b60ca8789ba6f03e8ef20da2293b8dc131c39d83814e775069f02d26354edf3 SHA512 a786bb99b68d88c1de79d3c5372767f091ebeefb5abc1d4883253fd3ab5a86af53389f5ff36fdd8faa27c5fb78be8bbff406392c373358697da80d250eadebb8 WHIRLPOOL 467aa3b02d04837e3281670401985e492d15b561c03b97246e3c8e61b0d3b1927332e3a226de4ed5bd02265a04fb31ce84c3501f4af9685633d00a9b43c56978 DIST openssl-1.0.1k.tar.gz 4434910 SHA256 8f9faeaebad088e772f4ef5e38252d472be4d878c6b3a2718c10a4fcebe7a41c SHA512 8b000fbd1bf919d9913a314f99aedd48a69f6caa4ccf43237889e73e08cbe0d82bfc27e9c7c4cade09fc459f91d6c4a831a9b3fc8bca0344fb864eadd7d1e8e8 WHIRLPOOL 5236a966d610c971e473cfc30e5412a72eef116fd259ada9c50da08bcd4ca967f80bb19babf530b4e5b9f1f24e9275e00391eb2e12a26d4544f593e2b4ba20b8 +DIST openssl-1.0.1l.tar.gz 4429979 SHA256 b2cf4d48fe5d49f240c61c9e624193a6f232b5ed0baf010681e725963c40d1d4 SHA512 27fe42f33815a3aafff75f2b9a5604c328fe5945c5cecaca74e5d2c2a1e066d64ddcc1fdb14b54fc7523cc730ab8a57d7d56b2879c289e86673f91fee0cca65e WHIRLPOOL 79f5698585c68ba647fcdfc4b342a43d06d69230658ca1bc265dd10d8da939c3e27b9a4125bd2adfbf50002b1dddef18be086dfc23a5050e69fb77350131909f DIST openssl-c_rehash.sh.1.7 4167 SHA256 4999ee79892f52bd6a4a7baba9fac62262454d573bbffd72685d3aae9e48cee0 SHA512 55e8c2e827750a4f375cb83c86bfe2d166c01ffa5d7e9b16657b72b38b747c8985dd2c98f854c911dfbbee2ff3e92aff39fdf089d979b2e3534b7685ee8b80da WHIRLPOOL c88f06a3b8651f76b6289552cccceb64e13f6697c5f0ce3ff114c781ce1c218912b8ee308af9d087cd76a9600fdacda1953175bff07d7d3eb21b0c0b7f4f1ce1 EBUILD openssl-1.0.1i-r99.ebuild 8253 SHA256 dc8968fd4bf6b3b411830b7595a930da7b1d650bb16f19df3230f88ab1da049d SHA512 11df471e90ca2cbd39da411a491c9aa2e0afcd92fbcaa544ba2becda4a9fdb898cfafe416ec1c33e056c1c33c0e391bced26cf54874aa416a28a760fbeec5c9f WHIRLPOOL 6894250255bd7795c265c2a068b34ac46afb7204bef11e92bb69b227ee7d91a0bfdd2a8761746aeaa8cd1c61d00ec6f248c2ae49491122ac7b3cc163190b9cea EBUILD openssl-1.0.1j-r99.ebuild 8702 SHA256 fecb57c49f7204e493712133b2d66b7683191fc538b4a49ec99d034682593d1b SHA512 5ed7256e544f1cc7097c3aa35b9b7e0a61a4afc565e876ee56fbd7d286f9f04184d31095431cd4cc109dee4c09dadfc360bed3ba5ce8c442170ffc079e22d9a1 WHIRLPOOL cae51be227c1dab31cbd339d58d23ad6e301d58171f564f9b1f8c20f4170103023bf636888f05cd23b579fcece5b7f9c6354962bdf50bdfd57d410b3c9d9675f EBUILD openssl-1.0.1k-r99.ebuild 8702 SHA256 344303432380e2f0ea53ee64ca1a6cb8dfd2fbbddad419c26173f032a9d912e5 SHA512 3b8905b5f864ce18ac6241be4187ce0a2f9db465b3b09a42ce301307f3c82a65339308019a27c0541a383a3f03f3d38962aa909800d9ae2859b6e37fcdc5a3fc WHIRLPOOL 1ceb2f34f0f1f95ac27f36765e02b7797063a74333944e29a607639bf4aeed1bc3557ff50a73714fb87e689abbce0a226ddcf5c2352fc94f081815923e69fcc2 +EBUILD openssl-1.0.1l-r99.ebuild 8936 SHA256 799412294dae22e173d59877717badb63ed427f7ca60bc1c15eb48faf7c509c4 SHA512 a32610227322954a2cf18cb1e0ce6e3bc957a90fd1111ee68ed3c6a550ff4b7a25bc52f8db91b943dd38f93e91eab9257fc888c47c3a04faf28db0921c0082ea WHIRLPOOL e0edfe12ad42a37b341bfbeb84b23ac6d5e07c8e44d9570c45d38c1cdc0cc16cef309354578b0ca29763710efee34acf00ad430c86849436721adb6ba7858147 MISC metadata.xml 537 SHA256 dfb61bab6de1d7e943f92be14ed54fb9275d568a11d6ba29e395f23f547603ee SHA512 0417c438c7f9586c7bbe7694707fec94f2ecf6fb59e36bc87d707fab0b24346a6c9fac5e58c69302e767cd8a7e50a508cdb2430b2cdf8fcc88921286e09756e1 WHIRLPOOL 0f21bab1258c7ee675c27cb7d78a90985437dc8d001a232661657549cebd9f2f26802686435bdd3a1346c5a0ff14bfffa740d6ded2288dc211ad0183f5b3f686 --- a/dev-libs/openssl/files/openssl-1.0.1l-CVE-2015-0286.patch +++ a/dev-libs/openssl/files/openssl-1.0.1l-CVE-2015-0286.patch @@ -0,0 +1,356 @@ +--- openssl-1.0.1l/crypto/asn1/a_type.c ++++ openssl-1.0.1l/crypto/asn1/a_type.c +@@ -124,6 +124,9 @@ + case V_ASN1_OBJECT: + result = OBJ_cmp(a->value.object, b->value.object); + break; ++ case V_ASN1_BOOLEAN: ++ result = a->value.boolean - b->value.boolean; ++ break; + case V_ASN1_NULL: + result = 0; /* They do not have content. */ + break; +--- openssl-1.0.1l/crypto/asn1/tasn_dec.c ++++ openssl-1.0.1l/crypto/asn1/tasn_dec.c +@@ -130,11 +130,17 @@ + { + ASN1_TLC c; + ASN1_VALUE *ptmpval = NULL; +- if (!pval) +- pval = &ptmpval; + asn1_tlc_clear_nc(&c); +- if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0) +- return *pval; ++ if (pval && *pval && it->itype == ASN1_ITYPE_PRIMITIVE) ++ ptmpval = *pval; ++ if (ASN1_item_ex_d2i(&ptmpval, in, len, it, -1, 0, 0, &c) > 0) { ++ if (pval && it->itype != ASN1_ITYPE_PRIMITIVE) { ++ if (*pval) ++ ASN1_item_free(*pval, it); ++ *pval = ptmpval; ++ } ++ return ptmpval; ++ } + return NULL; + } + +@@ -311,9 +317,16 @@ + if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) + goto auxerr; + +- /* Allocate structure */ +- if (!*pval && !ASN1_item_ex_new(pval, it)) +- { ++ if (*pval) { ++ /* Free up and zero CHOICE value if initialised */ ++ i = asn1_get_choice_selector(pval, it); ++ if ((i >= 0) && (i < it->tcount)) { ++ tt = it->templates + i; ++ pchptr = asn1_get_field_ptr(pval, tt); ++ ASN1_template_free(pchptr, tt); ++ asn1_set_choice_selector(pval, -1, it); ++ } ++ } else if (!ASN1_item_ex_new(pval, it)) { + ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, + ERR_R_NESTED_ASN1_ERROR); + goto err; +@@ -407,6 +420,17 @@ + if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) + goto auxerr; + ++ /* Free up and zero any ADB found */ ++ for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { ++ if (tt->flags & ASN1_TFLG_ADB_MASK) { ++ const ASN1_TEMPLATE *seqtt; ++ ASN1_VALUE **pseqval; ++ seqtt = asn1_do_adb(pval, tt, 1); ++ pseqval = asn1_get_field_ptr(pval, seqtt); ++ ASN1_template_free(pseqval, seqtt); ++ } ++ } ++ + /* Get each field entry */ + for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) + { +--- openssl-1.0.1l/crypto/pkcs7/pk7_doit.c ++++ openssl-1.0.1l/crypto/pkcs7/pk7_doit.c +@@ -272,6 +272,25 @@ + PKCS7_RECIP_INFO *ri=NULL; + ASN1_OCTET_STRING *os=NULL; + ++ if (p7 == NULL) { ++ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_INVALID_NULL_POINTER); ++ return NULL; ++ } ++ /* ++ * The content field in the PKCS7 ContentInfo is optional, but that really ++ * only applies to inner content (precisely, detached signatures). ++ * ++ * When reading content, missing outer content is therefore treated as an ++ * error. ++ * ++ * When creating content, PKCS7_content_new() must be called before ++ * calling this method, so a NULL p7->d is always an error. ++ */ ++ if (p7->d.ptr == NULL) { ++ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_NO_CONTENT); ++ return NULL; ++ } ++ + i=OBJ_obj2nid(p7->type); + p7->state=PKCS7_S_HEADER; + +@@ -433,6 +452,16 @@ + unsigned char *ek = NULL, *tkey = NULL; + int eklen = 0, tkeylen = 0; + ++ if (p7 == NULL) { ++ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_INVALID_NULL_POINTER); ++ return NULL; ++ } ++ ++ if (p7->d.ptr == NULL) { ++ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT); ++ return NULL; ++ } ++ + i=OBJ_obj2nid(p7->type); + p7->state=PKCS7_S_HEADER; + +@@ -752,6 +781,16 @@ + STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL; + ASN1_OCTET_STRING *os=NULL; + ++ if (p7 == NULL) { ++ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_INVALID_NULL_POINTER); ++ return 0; ++ } ++ ++ if (p7->d.ptr == NULL) { ++ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT); ++ return 0; ++ } ++ + EVP_MD_CTX_init(&ctx_tmp); + i=OBJ_obj2nid(p7->type); + p7->state=PKCS7_S_HEADER; +@@ -796,6 +835,7 @@ + /* If detached data then the content is excluded */ + if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) { + M_ASN1_OCTET_STRING_free(os); ++ os = NULL; + p7->d.sign->contents->d.data = NULL; + } + break; +@@ -806,6 +846,7 @@ + if(PKCS7_type_is_data(p7->d.digest->contents) && p7->detached) + { + M_ASN1_OCTET_STRING_free(os); ++ os = NULL; + p7->d.digest->contents->d.data = NULL; + } + break; +@@ -878,24 +919,31 @@ + M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len); + } + +- if (!PKCS7_is_detached(p7) && !(os->flags & ASN1_STRING_FLAG_NDEF)) +- { ++ if (!PKCS7_is_detached(p7)) { ++ /* ++ * NOTE(emilia): I think we only reach os == NULL here because detached ++ * digested data support is broken. ++ */ ++ if (os == NULL) ++ goto err; ++ if (!(os->flags & ASN1_STRING_FLAG_NDEF)) { + char *cont; + long contlen; +- btmp=BIO_find_type(bio,BIO_TYPE_MEM); +- if (btmp == NULL) +- { +- PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNABLE_TO_FIND_MEM_BIO); +- goto err; +- } ++ btmp = BIO_find_type(bio, BIO_TYPE_MEM); ++ if (btmp == NULL) { ++ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_UNABLE_TO_FIND_MEM_BIO); ++ goto err; ++ } + contlen = BIO_get_mem_data(btmp, &cont); +- /* Mark the BIO read only then we can use its copy of the data ++ /* ++ * Mark the BIO read only then we can use its copy of the data + * instead of making an extra copy. + */ + BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY); + BIO_set_mem_eof_return(btmp, 0); + ASN1_STRING_set0(os, (unsigned char *)cont, contlen); +- } ++ } ++ } + ret=1; + err: + EVP_MD_CTX_cleanup(&ctx_tmp); +@@ -971,6 +1019,16 @@ + STACK_OF(X509) *cert; + X509 *x509; + ++ if (p7 == NULL) { ++ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_INVALID_NULL_POINTER); ++ return 0; ++ } ++ ++ if (p7->d.ptr == NULL) { ++ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_NO_CONTENT); ++ return 0; ++ } ++ + if (PKCS7_type_is_signed(p7)) + { + cert=p7->d.sign->cert; +--- openssl-1.0.1l/crypto/pkcs7/pk7_lib.c ++++ openssl-1.0.1l/crypto/pkcs7/pk7_lib.c +@@ -71,6 +71,7 @@ + + switch (cmd) + { ++ /* NOTE(emilia): does not support detached digested data. */ + case PKCS7_OP_SET_DETACHED_SIGNATURE: + if (nid == NID_pkcs7_signed) + { +@@ -459,6 +460,8 @@ + + STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7) + { ++ if (p7 == NULL || p7->d.ptr == NULL) ++ return NULL; + if (PKCS7_type_is_signed(p7)) + { + return(p7->d.sign->signer_info); +--- openssl-1.0.1l/doc/crypto/d2i_X509.pod ++++ openssl-1.0.1l/doc/crypto/d2i_X509.pod +@@ -199,6 +199,12 @@ + persist if they are not present in the new one. As a result the use + of this "reuse" behaviour is strongly discouraged. + ++Current versions of OpenSSL will not modify B<*px> if an error occurs. ++If parsing succeeds then B<*px> is freed (if it is not NULL) and then ++set to the value of the newly decoded structure. As a result B<*px> ++B be allocated on the stack or an attempt will be made to ++free an invalid pointer. ++ + i2d_X509() will not return an error in many versions of OpenSSL, + if mandatory fields are not initialized due to a programming error + then the encoded structure may contain invalid data or omit the +@@ -210,7 +216,9 @@ + + d2i_X509(), d2i_X509_bio() and d2i_X509_fp() return a valid B structure + or B if an error occurs. The error code that can be obtained by +-L. ++L. If the "reuse" capability has been used ++with a valid X509 structure being passed in via B then the object is not ++modified in the event of error. + + i2d_X509() returns the number of bytes successfully encoded or a negative + value if an error occurs. The error code can be obtained by +--- openssl-1.0.1l/ssl/s2_lib.c ++++ openssl-1.0.1l/ssl/s2_lib.c +@@ -488,7 +488,7 @@ + + OPENSSL_assert(s->session->master_key_length >= 0 + && s->session->master_key_length +- < (int)sizeof(s->session->master_key)); ++ <= (int)sizeof(s->session->master_key)); + EVP_DigestUpdate(&ctx,s->session->master_key,s->session->master_key_length); + EVP_DigestUpdate(&ctx,&c,1); + c++; +--- openssl-1.0.1l/ssl/s2_srvr.c ++++ openssl-1.0.1l/ssl/s2_srvr.c +@@ -454,10 +454,6 @@ + SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY); + return(-1); + } +- i=ssl_rsa_private_decrypt(s->cert,s->s2->tmp.enc, +- &(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]), +- (s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING); +- + is_export=SSL_C_IS_EXPORT(s->session->cipher); + + if (!ssl_cipher_get_evp(s->session,&c,&md,NULL,NULL,NULL)) +@@ -475,21 +471,59 @@ + else + ek=5; + ++ /* ++ * The format of the CLIENT-MASTER-KEY message is ++ * 1 byte message type ++ * 3 bytes cipher ++ * 2-byte clear key length (stored in s->s2->tmp.clear) ++ * 2-byte encrypted key length (stored in s->s2->tmp.enc) ++ * 2-byte key args length (IV etc) ++ * clear key ++ * encrypted key ++ * key args ++ * ++ * If the cipher is an export cipher, then the encrypted key bytes ++ * are a fixed portion of the total key (5 or 8 bytes). The size of ++ * this portion is in |ek|. If the cipher is not an export cipher, ++ * then the entire key material is encrypted (i.e., clear key length ++ * must be zero). ++ */ ++ if ((!is_export && s->s2->tmp.clear != 0) || ++ (is_export && s->s2->tmp.clear + ek != EVP_CIPHER_key_length(c))) { ++ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); ++ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH); ++ return -1; ++ } ++ /* ++ * The encrypted blob must decrypt to the encrypted portion of the key. ++ * Decryption can't be expanding, so if we don't have enough encrypted ++ * bytes to fit the key in the buffer, stop now. ++ */ ++ if ((is_export && s->s2->tmp.enc < ek) || ++ (!is_export && s->s2->tmp.enc < EVP_CIPHER_key_length(c))) { ++ ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); ++ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT); ++ return -1; ++ } ++ ++ i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc, ++ &(p[s->s2->tmp.clear]), ++ &(p[s->s2->tmp.clear]), ++ (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING : ++ RSA_PKCS1_PADDING); ++ + /* bad decrypt */ + #if 1 + /* If a bad decrypt, continue with protocol but with a + * random master secret (Bleichenbacher attack) */ +- if ((i < 0) || +- ((!is_export && (i != EVP_CIPHER_key_length(c))) +- || (is_export && ((i != ek) || (s->s2->tmp.clear+(unsigned int)i != +- (unsigned int)EVP_CIPHER_key_length(c)))))) +- { ++ if ((i < 0) || ((!is_export && i != EVP_CIPHER_key_length(c)) ++ || (is_export && i != ek))) { + ERR_clear_error(); + if (is_export) + i=ek; + else + i=EVP_CIPHER_key_length(c); +- if (RAND_pseudo_bytes(p,i) <= 0) ++ if (RAND_pseudo_bytes(&p[s->s2->tmp.clear], i) <= 0) + return 0; + } + #else +@@ -513,7 +547,8 @@ + } + #endif + +- if (is_export) i+=s->s2->tmp.clear; ++ if (is_export) ++ i = EVP_CIPHER_key_length(c); + + if (i > SSL_MAX_MASTER_KEY_LENGTH) + { --- a/dev-libs/openssl/openssl-1.0.1l-r99.ebuild +++ a/dev-libs/openssl/openssl-1.0.1l-r99.ebuild @@ -0,0 +1,261 @@ +# Copyright 1999-2015 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/dev-libs/openssl/openssl-1.0.1l-r1.ebuild,v 1.5 2015/03/19 18:03:39 vapier Exp $ + +EAPI="4" + +inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal + +REV="1.7" +DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)" +HOMEPAGE="http://www.openssl.org/" +SRC_URI="mirror://openssl/source/${P}.tar.gz + http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/${PN}/${PN}-c_rehash.sh?rev=${REV} -> ${PN}-c_rehash.sh.${REV}" + +LICENSE="openssl" +SLOT="0" +KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux" +IUSE="bindist gmp kerberos rfc3779 cpu_flags_x86_sse2 static-libs test +tls-heartbeat vanilla zlib" +RESTRICT="!bindist? ( bindist )" + +# The blocks are temporary just to make sure people upgrade to a +# version that lack runtime version checking. We'll drop them in +# the future. +RDEPEND="gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) + zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) + kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] ) + abi_x86_32? ( + !<=app-emulation/emul-linux-x86-baselibs-20140406-r3 + !app-emulation/emul-linux-x86-baselibs[-abi_x86_32(-)] + ) + ! "${WORKDIR}"/c_rehash || die #416717 +} + +MULTILIB_WRAPPED_HEADERS=( + usr/include/openssl/opensslconf.h +) + +src_prepare() { + # Make sure we only ever touch Makefile.org and avoid patching a file + # that gets blown away anyways by the Configure script in src_configure + rm -f Makefile + + if ! use vanilla ; then + epatch "${FILESDIR}"/${PN}-1.0.0a-ldflags.patch #327421 + epatch "${FILESDIR}"/${PN}-1.0.0d-windres.patch #373743 + epatch "${FILESDIR}"/${PN}-1.0.0h-pkg-config.patch + epatch "${FILESDIR}"/${PN}-1.0.1-parallel-build.patch + epatch "${FILESDIR}"/${PN}-1.0.1-x32.patch + epatch "${FILESDIR}"/${PN}-1.0.1h-ipv6.patch + epatch "${FILESDIR}"/${PN}-1.0.1e-s_client-verify.patch #472584 + epatch "${FILESDIR}"/${PN}-1.0.1f-revert-alpha-perl-generation.patch #499086 + epatch "${FILESDIR}"/${PN}-1.0.1l-CVE-2015-0286.patch #543552 + epatch "${FILESDIR}"/${PN}-1.0.1c-force-termios.patch + epatch_user #332661 + fi + + # disable fips in the build + # make sure the man pages are suffixed #302165 + # don't bother building man pages if they're disabled + sed -i \ + -e '/DIRS/s: fips : :g' \ + -e '/^MANSUFFIX/s:=.*:=ssl:' \ + -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \ + -e $(has noman FEATURES \ + && echo '/^install:/s:install_docs::' \ + || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \ + Makefile.org \ + || die + # show the actual commands in the log + sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared + + # since we're forcing $(CC) as makedep anyway, just fix + # the conditional as always-on + # helps clang (#417795), and versioned gcc (#499818) + sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die + + # quiet out unknown driver argument warnings since openssl + # doesn't have well-split CFLAGS and we're making it even worse + # and 'make depend' uses -Werror for added fun (#417795 again) + [[ ${CC} == *clang* ]] && append-flags -Qunused-arguments + + # allow openssl to be cross-compiled + cp "${FILESDIR}"/gentoo.config-1.0.1 gentoo.config || die + chmod a+rx gentoo.config + + append-flags -fno-strict-aliasing + append-flags $(test-flags-CC -Wa,--noexecstack) + + sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906 + # The config script does stupid stuff to prompt the user. Kill it. + sed -i '/stty -icanon min 0 time 50; read waste/d' config || die + ./config --test-sanity || die "I AM NOT SANE" + + multilib_copy_sources +} + +multilib_src_configure() { + unset APPS #197996 + unset SCRIPTS #312551 + unset CROSS_COMPILE #311473 + + tc-export CC AR RANLIB RC + + # Clean out patent-or-otherwise-encumbered code + # Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher) + # IDEA: Expired http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm + # EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography + # MDC2: Expired http://en.wikipedia.org/wiki/MDC-2 + # RC5: 5,724,428 03/03/2015 http://en.wikipedia.org/wiki/RC5 + + use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; } + echoit() { echo "$@" ; "$@" ; } + + local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") + + # See if our toolchain supports __uint128_t. If so, it's 64bit + # friendly and can use the nicely optimized code paths. #460790 + local ec_nistp_64_gcc_128 + # Disable it for now though #469976 + #if ! use bindist ; then + # echo "__uint128_t i;" > "${T}"/128.c + # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then + # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128" + # fi + #fi + + local sslout=$(./gentoo.config) + einfo "Use configuration ${sslout:-(openssl knows best)}" + local config="Configure" + [[ -z ${sslout} ]] && config="config" + + echoit \ + ./${config} \ + ${sslout} \ + $(use cpu_flags_x86_sse2 || echo "no-sse2") \ + enable-camellia \ + $(use_ssl !bindist ec) \ + ${ec_nistp_64_gcc_128} \ + enable-idea \ + enable-mdc2 \ + $(use_ssl !bindist rc5) \ + enable-tlsext \ + $(use_ssl gmp gmp -lgmp) \ + $(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \ + $(use_ssl rfc3779) \ + $(use_ssl tls-heartbeat heartbeats) \ + $(use_ssl zlib) \ + --prefix="${EPREFIX}"/usr \ + --openssldir="${EPREFIX}"${SSL_CNF_DIR} \ + --libdir=$(get_libdir) \ + shared threads \ + || die + + # Clean out hardcoded flags that openssl uses + local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \ + -e 's:^CFLAG=::' \ + -e 's:-fomit-frame-pointer ::g' \ + -e 's:-O[0-9] ::g' \ + -e 's:-march=[-a-z0-9]* ::g' \ + -e 's:-mcpu=[-a-z0-9]* ::g' \ + -e 's:-m[a-z0-9]* ::g' \ + ) + sed -i \ + -e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \ + -e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \ + Makefile || die +} + +multilib_src_compile() { + # depend is needed to use $confopts; it also doesn't matter + # that it's -j1 as the code itself serializes subdirs + emake -j1 depend + emake all + # rehash is needed to prep the certs/ dir; do this + # separately to avoid parallel build issues. + emake rehash +} + +multilib_src_test() { + emake -j1 test +} + +multilib_src_install() { + emake INSTALL_PREFIX="${D}" install +} + +multilib_src_install_all() { + dobin "${WORKDIR}"/c_rehash #333117 + dodoc CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el + dohtml -r doc/* + use rfc3779 && dodoc engines/ccgost/README.gost + + # This is crappy in that the static archives are still built even + # when USE=static-libs. But this is due to a failing in the openssl + # build system: the static archives are built as PIC all the time. + # Only way around this would be to manually configure+compile openssl + # twice; once with shared lib support enabled and once without. + use static-libs || rm -f "${ED}"/usr/lib*/lib*.a + + # create the certs directory + dodir ${SSL_CNF_DIR}/certs + cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die + rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired} + + # Namespace openssl programs to prevent conflicts with other man pages + cd "${ED}"/usr/share/man + local m d s + for m in $(find . -type f | xargs grep -L '#include') ; do + d=${m%/*} ; d=${d#./} ; m=${m##*/} + [[ ${m} == openssl.1* ]] && continue + [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!" + mv ${d}/{,ssl-}${m} + # fix up references to renamed man pages + sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m} + ln -s ssl-${m} ${d}/openssl-${m} + # locate any symlinks that point to this man page ... we assume + # that any broken links are due to the above renaming + for s in $(find -L ${d} -type l) ; do + s=${s##*/} + rm -f ${d}/${s} + ln -s ssl-${m} ${d}/ssl-${s} + ln -s ssl-${s} ${d}/openssl-${s} + done + done + [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :(" + + dodir /etc/sandbox.d #254521 + echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl + + diropts -m0700 + keepdir ${SSL_CNF_DIR}/private +} + +pkg_preinst() { + has_version ${CATEGORY}/${PN}:0.9.8 && return 0 + preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8 +} + +pkg_postinst() { + ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069" + c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null + eend $? + + has_version ${CATEGORY}/${PN}:0.9.8 && return 0 + preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}.so.0.9.8 +} --