[Libreoffice-commits] core.git: Branch 'distro/lhm/libreoffice-4-1-6+backports' - 23 commits - download.lst external/curl external/Module_external.mk external/openssl Makefile.fetch oox/Library_oox.mk openssl/ExternalPackage_openssl.mk openssl/ExternalProject_openssl.mk openssl/Makefile openssl/Module_openssl.mk openssl/openssl-asm-fix.patch openssl/opensslios.patch openssl/openssllnx.patch openssl/opensslmingw.patch openssl/opensslsol.patch openssl/opensslwnt.patch openssl/README openssl/UnpackedTarball_openssl.mk python3/python-3.3.0-ssl.patch.1 RepositoryExternal.mk RepositoryModule_host.mk
Libreoffice Gerrit user
logerrit at kemper.freedesktop.org
Wed Aug 15 15:50:02 UTC 2018
Rebased ref, commits from common ancestor:
commit 6fc16ccc617ee01ca0382b4f8e8d5f13926888c8
Author: Thorsten Behrens <Thorsten.Behrens at CIB.de>
AuthorDate: Wed Aug 15 17:47:23 2018 +0200
Commit: Thorsten Behrens <Thorsten.Behrens at CIB.de>
CommitDate: Wed Aug 15 17:47:23 2018 +0200
oox: make linking work with TLS = openssl
Change-Id: I54b114235dbac276778776f5e08636c39ba3d0fb
diff --git a/oox/Library_oox.mk b/oox/Library_oox.mk
index 45f4b9cc494a..edea8d9e0282 100644
--- a/oox/Library_oox.mk
+++ b/oox/Library_oox.mk
@@ -288,4 +288,10 @@ $(eval $(call gb_Library_add_generated_exception_objects,oox,\
CustomTarget/oox/generated/misc/vmlexport-shape-types \
))
+ifeq ($(OS),LINUX)
+$(eval $(call gb_Library_add_libs,oox,\
+ -ldl \
+))
+endif
+
# vim: set noet sw=4 ts=4:
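Review bot: The `-ldl` block added at the end of Library_oox.mk has no comment naming the dependency that needs it, and it is gated on `$(OS)` being LINUX alone rather than on the TLS backend the commit title refers to. Going by that title, it is presumably the bundled static libcrypto that references dlopen/dlsym, so a comment such as `# bundled static openssl pulls in libdl (TLS = openssl)` above the `ifeq` would record the reason. If the build exposes the TLS choice as a make variable, narrowing the condition to it would keep NSS-based builds from gaining an unused link dependency; whether such a variable exists on this branch is not visible here.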
commit 4252c16773848b972d51b4f80da6099790b5c138
Author: Michael Stahl <mstahl at redhat.com>
AuthorDate: Mon Mar 7 23:04:37 2016 +0100
Commit: Thorsten Behrens <Thorsten.Behrens at CIB.de>
CommitDate: Wed Aug 15 17:05:47 2018 +0200
openssl: fix WNT build
For reasons beyond human understanding, the many-tentacled horror that
openssl calls its build system puts headers in "inc32" directory on
Windows and "include" on other platforms in 1.0.2g.
(cherry picked from commit a420a4346ec21ea561f1321767d6a5eed98df02b)
Conflicts:
external/openssl/ExternalProject_openssl.mk
Change-Id: If03c80f5a31bb6e378cd187051b020579af7f7bd
diff --git a/external/openssl/ExternalProject_openssl.mk b/external/openssl/ExternalProject_openssl.mk
index 4c2d305bbf47..68cd4df2f873 100644
--- a/external/openssl/ExternalProject_openssl.mk
+++ b/external/openssl/ExternalProject_openssl.mk
@@ -68,6 +68,7 @@ $(call gb_ExternalProject_get_state_target,openssl,build):
&& cmd /c "ms\do_ms.bat $(PERL) $(OPENSSL_PLATFORM)" \
&& unset MAKEFLAGS \
&& nmake -f "ms\ntdll.mak" \
+ && mv inc32/* include/ \
)
else
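Review bot: `mv inc32/* include/` is a destructive step in the middle of the WNT recipe: it empties the directory nmake just populated, and mv refuses to move a directory onto an existing non-empty one, so the step depends on the state of `include/` that this hunk does not show. A copy is repeatable and leaves nmake's output tree intact, e.g. `&& cp -r inc32/* include/ \`. The reason (1.0.2g writes Windows headers to inc32) lives only in the commit message, and a one-line comment above the recipe would keep it with the code. The recipe begins and ends outside the hunk.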
@@ -90,4 +91,5 @@ $(call gb_ExternalProject_get_state_target,openssl,build):
-fvisibility=hidden))" \
)
endif
+
# vim: set noet sw=4 ts=4:
commit 97043b10778f73dac0d1c8a69201ce6e38bed7b1
Author: Thorsten Behrens <thorsten.behrens at cib.de>
AuthorDate: Tue May 22 15:59:20 2018 +0200
Commit: Thorsten Behrens <Thorsten.Behrens at CIB.de>
CommitDate: Wed Aug 15 17:05:47 2018 +0200
fixup openssl build - no werror please for vs2012
Change-Id: If166da8874188218e7c055b6258f58f162a80bb0
diff --git a/external/openssl/opensslwnt.patch b/external/openssl/opensslwnt.patch
index 2d00736f1317..1dba3c6d3b07 100644
--- a/external/openssl/opensslwnt.patch
+++ b/external/openssl/opensslwnt.patch
@@ -175,3 +175,14 @@ diff -ru openssl.orig/ms/uplink.c openssl/ms/uplink.c
#endif
#if defined(UNICODE) && !defined(_UNICODE)
# define _UNICODE
+--- a/openssl.orig/Configure 2018-05-22 15:30:56.614125400 +0200
++++ b/openssl/Configure 2018-05-22 15:13:18.000000000 +0200
+@@ -595,7 +595,7 @@
+ "debug-VC-WIN64A","cl:-W3 -Gs0 -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64A::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:".eval{my $asm=$x86_64_asm;$asm=~s/x86_64-gcc\.o/bn_asm.o/;$asm}.":auto:win32",
+ # x86 Win32 target defaults to ANSI API, if you want UNICODE, complement
+ # 'perl Configure VC-WIN32' with '-DUNICODE -D_UNICODE'
+-"VC-WIN32","cl:-W3 -WX -Gs0 -GF -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_WINSOCK_DEPRECATED_NO_WARNINGS:::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${x86_asm}:win32n:win32",
++"VC-WIN32","cl:-W3 -Gs0 -GF -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_WINSOCK_DEPRECATED_NO_WARNINGS:::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${x86_asm}:win32n:win32",
+ # Unified CE target
+ "debug-VC-WIN32","cl:-W3 -WX -Gs0 -GF -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_WINSOCK_DEPRECATED_NO_WARNINGS:::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${x86_asm}:win32n:win32",
+ "VC-CE","cl::::WINCE::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${no_asm}:win32",
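Review bot: `debug-VC-WIN32` still carries `-W3 -WX` two lines below the changed `VC-WIN32` entry in the same nested hunk, so a debug configuration built with the same compiler would presumably hit the same warnings-as-errors failure. Dropping `-WX` from a crypto library's build also hides the warning that triggered it, and the appended section does not say which warning that was. A short description line ahead of the nested `---`/`+++` header, for example `drop -WX for VC-WIN32: <warning number> fires with vs2012` with the number filled in from the failing build, would let a later upgrade decide whether the workaround is still needed.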
commit 4938e8f345540a6d7bdc057a59803ad2ceaee8af
Author: Thorsten Behrens <Thorsten.Behrens at CIB.de>
AuthorDate: Mon Apr 30 14:33:09 2018 +0200
Commit: Thorsten Behrens <Thorsten.Behrens at CIB.de>
CommitDate: Wed Aug 15 17:05:46 2018 +0200
update openssl to 1.0.2o
Change-Id: I6f7308e60ba74bbcec1719c9aeec8e6c21d24ecc
diff --git a/Makefile.fetch b/Makefile.fetch
index 1c0214242b1e..c3c471174b7d 100644
--- a/Makefile.fetch
+++ b/Makefile.fetch
@@ -81,6 +81,7 @@ $(WORKDIR)/download: $(BUILDDIR)/config_host.mk $(SRCDIR)/download.lst $(SRCDIR)
$(call fetch_Optional,MSPUB,MSPUB_TARBALL) \
$(call fetch_Optional,MWAW,MWAW_TARBALL) \
$(call fetch_Optional,NSS,NSS_TARBALL) \
+ $(call fetch_Optional,OPENSSL,OPENSSL_TARBALL) \
$(call fetch_Optional,VISIO,VISIO_TARBALL) \
$(call fetch_Optional,ZLIB,ZLIB_TARBALL) \
,$(call fetch_Download_item_special,https://dev-www.libreoffice.org/src,$(item)))
@@ -147,7 +148,6 @@ $(WORKDIR)/download: $(BUILDDIR)/config_host.mk $(SRCDIR)/download.lst $(SRCDIR)
$(NUMBERTEXT_EXTENSION_PACK) \
$(call fetch_Optional,ODFGEN,$(ODFGEN_TARBALL)) \
$(call fetch_Optional,OPENLDAP,$(OPENLDAP_TARBALL)) \
- $(call fetch_Optional,OPENSSL,$(OPENSSL_TARBALL)) \
$(call fetch_Optional,ORCUS,$(ORCUS_TARBALL)) \
$(call fetch_Optional,CAIRO,$(PIXMAN_TARBALL)) \
$(call fetch_Optional,LIBPNG,$(PNG_TARBALL)) \
diff --git a/download.lst b/download.lst
index da673f684c68..24a7d0db48c1 100644
--- a/download.lst
+++ b/download.lst
@@ -14,6 +14,8 @@ NSS_MD5SUM := e55ee06b22687df68fafc6a30c0554b2
export NSS_TARBALL := nss-3.29.5-with-nspr-4.13.1.tar.gz
ZLIB_MD5SUM := 85adef240c5f370b308da8c938951a68
export ZLIB_TARBALL := zlib-1.2.11.tar.xz
+OPENSSL_MD5SUM := 44279b8557c3247cbe324e2322ecd114
+export OPENSSL_TARBALL := openssl-1.0.2o.tar.gz
export AFMS_TARBALL := 1756c4fa6c616ae15973c104cd8cb256-Adobe-Core35_AFMs-314.tar.gz
export APACHE_COMMONS_CODEC_TARBALL := 2e482c7567908d334785ce7d69ddfff7-commons-codec-1.6-src.tar.gz
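Review bot: MD5 is the only integrity pin on the new OpenSSL tarball: `OPENSSL_MD5SUM` is the sole digest recorded for `openssl-1.0.2o.tar.gz`, and the matching Makefile.fetch hunk moves OPENSSL into the `fetch_Download_item_special` list that presumably checks it. MD5 no longer resists collisions, which makes it a weak basis for verifying the source of the crypto library itself. If the fetch helper on this branch can check a stronger digest, record one alongside the MD5, e.g. `OPENSSL_SHA256SUM := <sha256 of openssl-1.0.2o.tar.gz>` (placeholder, to be computed from the upstream release). Whether Makefile.fetch supports that here is not visible in this diff.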
@@ -77,7 +79,6 @@ export MYTHES_TARBALL := 46e92b68e31e858512b680b3b61dc4c1-mythes-1.2.3.tar.gz
export NEON_TARBALL := ff369e69ef0f0143beb5626164e87ae2-neon-0.29.5.tar.gz
export ODFGEN_TARBALL := 8473296c671b6e3dd8197f4145e0854b-libodfgen-0.0.2.tar.bz2
export OPENLDAP_TARBALL := 804c6cb5698db30b75ad0ff1c25baefd-openldap-2.4.31.tgz
-export OPENSSL_TARBALL := 66bf6f10f060d561929de96f9dfe5b8c-openssl-1.0.1e.tar.gz
export ORCUS_TARBALL := ea2acaf140ae40a87a952caa75184f4d-liborcus-0.5.1.tar.bz2
export PIXMAN_TARBALL := c63f411b3ad147db2bcce1bf262a0e02-pixman-0.24.4.tar.bz2
export PNG_MD5SUM := 6652e428d1d3fc3c6cb1362159b1cf3b
commit 789fc7dceb5dd3c64f42fb3d85ad1e4f4b608641
Author: Michael Stahl <mstahl at redhat.com>
AuthorDate: Mon Jan 8 17:48:40 2018 +0100
Commit: Thorsten Behrens <Thorsten.Behrens at CIB.de>
CommitDate: Wed Aug 15 17:05:46 2018 +0200
openssl: fix MSVC 64-bit build
For whatever reason OpenSSL wants to use "masm" (ml.exe) on 32-bit
builds but "nasm" on 64-bit builds - this despite INSTALL.W32 claiming
that only nasm is "supported".
But /safeseh doesn't make sense on 64-bit anyway because there
is no "unsafe" SEH there, so just apply the patch only for 32-bit.
Change-Id: Ie32b17dfeeaf11c49ee29c3181021ffa5bd99091
diff --git a/external/openssl/UnpackedTarball_openssl.mk b/external/openssl/UnpackedTarball_openssl.mk
index 80607942b95d..0048cf9c6c0a 100644
--- a/external/openssl/UnpackedTarball_openssl.mk
+++ b/external/openssl/UnpackedTarball_openssl.mk
@@ -14,6 +14,7 @@ $(eval $(call gb_UnpackedTarball_set_tarball,openssl,$(OPENSSL_TARBALL)))
$(eval $(call gb_UnpackedTarball_add_patches,openssl,\
external/openssl/openssllnx.patch \
external/openssl/opensslwnt.patch \
+ $(if $(filter INTEL,$(CPUNAME)),external/openssl/opensslwnt_safeseh.patch) \
external/openssl/openssl-1.0.1h-win64.patch.1 \
external/openssl/opensslsol.patch \
external/openssl/opensslios.patch \
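Review bot: The reason for the `$(if $(filter INTEL,$(CPUNAME)),...)` entry is undocumented in the makefile, and it is the only conditional line in the patch list. /SAFESEH is an exploit-mitigation option that applies only to 32-bit x86 images, so someone auditing hardening flags should be able to see that the 64-bit omission is deliberate. A comment above the `gb_UnpackedTarball_add_patches` call would do, such as `# /SAFESEH only applies to 32-bit x86 images; skip the patch on 64-bit`. The filter keys on CPUNAME alone, so the patch is also applied on non-Windows INTEL builds, which is harmless only as long as util/mk1mf.pl is unused there. The call ends outside the hunk.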
diff --git a/external/openssl/opensslwnt.patch b/external/openssl/opensslwnt.patch
index ffdcc5353913..2d00736f1317 100644
--- a/external/openssl/opensslwnt.patch
+++ b/external/openssl/opensslwnt.patch
@@ -79,26 +79,15 @@ diff -ru openssl.orig/util/mk1mf.pl openssl/util/mk1mf.pl
APP_CFLAG=$app_cflag
LIB_CFLAG=$lib_cflag
SHLIB_CFLAG=$shl_cflag
-@@ -488,8 +493,8 @@
- SRC_D=$src_dir
+@@ -488,7 +493,7 @@
LINK_CMD=$link
--LFLAGS=$lflags
-+LFLAGS=$lflags /SAFESEH
+ LFLAGS=$lflags
-RSC=$rsc
+RSC=$rsc \$(SOLARINC)
# The output directory for everything interesting
OUT_D=$out_dir
-@@ -511,7 +516,7 @@
- MKDIR=$mkdir
- MKLIB=$bin_dir$mklib
- MLFLAGS=$mlflags
--ASM=$bin_dir$asm
-+ASM=$bin_dir$asm /safeseh
-
- # FIPS validated module and support file locations
-
@@ -669,7 +674,7 @@
printf OUT <<EOF;
#ifdef $platform_cpp_symbol
diff --git a/external/openssl/opensslwnt_safeseh.patch b/external/openssl/opensslwnt_safeseh.patch
new file mode 100644
index 000000000000..f2eafab5b9ed
--- /dev/null
+++ b/external/openssl/opensslwnt_safeseh.patch
@@ -0,0 +1,23 @@
+use /safeseh in 32-bit MSVC builds; this is not required for 64-bit
+
+diff -ru openssl.orig/util/mk1mf.pl openssl/util/mk1mf.pl
+--- a/openssl.orig/util/mk1mf.pl 2016-03-03 20:22:21.043924505 +0100
++++ b/openssl/util/mk1mf.pl 2016-03-03 20:34:45.015901171 +0100
+@@ -488,7 +493,7 @@
+ SRC_D=$src_dir
+
+ LINK_CMD=$link
+-LFLAGS=$lflags
++LFLAGS=$lflags /SAFESEH
+ RSC=$rsc \$(SOLARINC)
+
+ # The output directory for everything interesting
+@@ -511,7 +516,7 @@
+ MKDIR=$mkdir
+ MKLIB=$bin_dir$mklib
+ MLFLAGS=$mlflags
+-ASM=$bin_dir$asm
++ASM=$bin_dir$asm /safeseh
+
+ # FIPS validated module and support file locations
+
commit c1013b13503d92e9dd46709d484c6d9ac8042678
Author: David Tardon <dtardon at redhat.com>
AuthorDate: Wed Feb 1 12:47:04 2017 +0100
Commit: Thorsten Behrens <Thorsten.Behrens at CIB.de>
CommitDate: Wed Aug 15 17:05:45 2018 +0200
upload openssl 1.0.2k
Change-Id: I26d49db0207b3f4f64aa9698da4cf3567d195834
Reviewed-on: https://gerrit.libreoffice.org/33800
Tested-by: Jenkins <ci at libreoffice.org>
Reviewed-by: David Tardon <dtardon at redhat.com>
diff --git a/external/openssl/openssllnx.patch b/external/openssl/openssllnx.patch
index de19807b313e..224df8f87b2e 100644
--- a/external/openssl/openssllnx.patch
+++ b/external/openssl/openssllnx.patch
@@ -19,5 +19,5 @@
- AS='$(CC)' ASFLAG='$(CFLAG) -c' \
+ AS='$(CC)' ASFLAG='$(CFLAG) -c -Wa,--noexecstack' \
AR='$(AR)' NM='$(NM)' RANLIB='$(RANLIB)' \
+ RC='$(RC)' \
CROSS_COMPILE='$(CROSS_COMPILE)' \
- PERL='$(PERL)' ENGDIRS='$(ENGDIRS)' \
commit 2d42cb2f8bda6665d4b926a2e5228a63d5fc95b0
Author: Michael Stahl <mstahl at redhat.com>
AuthorDate: Mon Jan 8 12:31:39 2018 +0100
Commit: Thorsten Behrens <Thorsten.Behrens at CIB.de>
CommitDate: Wed Aug 15 17:05:44 2018 +0200
openssl: MSVC build: link and run MSASM with /SAFESEH
Actually the assembler requires lowercase /safeseh, oddly enough.
Change-Id: I1569409a2d6358282a7463ea996a6b1615e6ed8c
diff --git a/external/openssl/opensslwnt.patch b/external/openssl/opensslwnt.patch
index 2d00736f1317..ffdcc5353913 100644
--- a/external/openssl/opensslwnt.patch
+++ b/external/openssl/opensslwnt.patch
@@ -79,15 +79,26 @@ diff -ru openssl.orig/util/mk1mf.pl openssl/util/mk1mf.pl
APP_CFLAG=$app_cflag
LIB_CFLAG=$lib_cflag
SHLIB_CFLAG=$shl_cflag
-@@ -488,7 +493,7 @@
+@@ -488,8 +493,8 @@
+ SRC_D=$src_dir
LINK_CMD=$link
- LFLAGS=$lflags
+-LFLAGS=$lflags
++LFLAGS=$lflags /SAFESEH
-RSC=$rsc
+RSC=$rsc \$(SOLARINC)
# The output directory for everything interesting
OUT_D=$out_dir
+@@ -511,7 +516,7 @@
+ MKDIR=$mkdir
+ MKLIB=$bin_dir$mklib
+ MLFLAGS=$mlflags
+-ASM=$bin_dir$asm
++ASM=$bin_dir$asm /safeseh
+
+ # FIPS validated module and support file locations
+
@@ -669,7 +674,7 @@
printf OUT <<EOF;
#ifdef $platform_cpp_symbol
commit d93f7e1b8109b4e73c255310c8dcf0a1d05b794f
Author: Caolán McNamara <caolanm at redhat.com>
AuthorDate: Thu Jan 28 14:51:47 2016 +0000
Commit: Thorsten Behrens <Thorsten.Behrens at CIB.de>
CommitDate: Wed Aug 15 17:05:44 2018 +0200
upgrade openssl to 1.0.2g
We can't "break symlinks after extracting tarball" because they populate
that dir during the build now. So instead cripple mklink.pl to
copy instead of link. (Configure no-symlinks simply skips the symlink
step instead of copying, so that appears useless)
Change-Id: Ib30b2c1b8b3de72511d09c478297a7a5a4bc691e
Reviewed-on: https://gerrit.libreoffice.org/21880
Reviewed-by: Caolán McNamara <caolanm at redhat.com>
Tested-by: Caolán McNamara <caolanm at redhat.com>
diff --git a/external/openssl/UnpackedTarball_openssl.mk b/external/openssl/UnpackedTarball_openssl.mk
index d1b353115249..80607942b95d 100644
--- a/external/openssl/UnpackedTarball_openssl.mk
+++ b/external/openssl/UnpackedTarball_openssl.mk
@@ -11,24 +11,14 @@ $(eval $(call gb_UnpackedTarball_UnpackedTarball,openssl))
$(eval $(call gb_UnpackedTarball_set_tarball,openssl,$(OPENSSL_TARBALL)))
-# break symlinks after extracting tarball
-# note: escape \; because LO patched make 3.82 cuts off the command otherwise
-ifeq ($(OS_FOR_BUILD),WNT)
-$(eval $(call gb_UnpackedTarball_set_pre_action,openssl,\
- cd include/openssl && \
- for header in `find . -type l` \; do \
- cp --remove-destination `readlink $$$$header` $$$$header \; \
- done && cd -))
-endif
-
$(eval $(call gb_UnpackedTarball_add_patches,openssl,\
external/openssl/openssllnx.patch \
external/openssl/opensslwnt.patch \
- external/openssl/openssl-1.0.1g-msvc2012-winxp.patch.1 \
external/openssl/openssl-1.0.1h-win64.patch.1 \
external/openssl/opensslsol.patch \
external/openssl/opensslios.patch \
external/openssl/openssl-3650-masm.patch.1 \
+ external/openssl/openssl-fixbuild.patch.1 \
))
# vim: set noet sw=4 ts=4:
diff --git a/external/openssl/openssl-1.0.1g-msvc2012-winxp.patch.1 b/external/openssl/openssl-1.0.1g-msvc2012-winxp.patch.1
deleted file mode 100644
index de9e6fc09f4a..000000000000
--- a/external/openssl/openssl-1.0.1g-msvc2012-winxp.patch.1
+++ /dev/null
@@ -1,20 +0,0 @@
---- openssl.org/util/pl/VC-32.pl 2014-05-18 23:41:39.336594400 +0200
-+++ openssl/util/pl/VC-32.pl 2014-05-18 23:47:40.055279300 +0200
-@@ -48,7 +48,7 @@
- my $f = $shlib || $fips ?' /MD':' /MT';
- $opt_cflags=$f.' /Ox';
- $dbg_cflags=$f.'d /Od -DDEBUG -D_DEBUG';
-- $lflags="/nologo /subsystem:console /opt:ref";
-+ $lflags="/nologo /subsystem:console,5.02 /opt:ref";
-
- *::perlasm_compile_target = sub {
- my ($target,$source,$bname)=@_;
-@@ -135,7 +135,7 @@
- $ff = "/fixed";
- $opt_cflags=$f.' -Ox -O2 -Ob2';
- $dbg_cflags=$f.'d -Od -DDEBUG -D_DEBUG';
-- $lflags="/nologo /subsystem:console /opt:ref";
-+ $lflags="/nologo /subsystem:console,5.01 /opt:ref";
- }
- $lib_cflag='-Zl' if (!$shlib); # remove /DEFAULTLIBs from static lib
- $mlflags='';
diff --git a/external/openssl/openssl-fixbuild.patch.1 b/external/openssl/openssl-fixbuild.patch.1
new file mode 100644
index 000000000000..5a986e87214b
--- /dev/null
+++ b/external/openssl/openssl-fixbuild.patch.1
@@ -0,0 +1,23 @@
+--- a/crypto/evp/Makefile
++++ b/crypto/evp/Makefile
+@@ -289,7 +289,7 @@
+ e_idea.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
+ e_idea.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+ e_idea.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+-e_idea.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
++e_idea.o: ../../include/openssl/evp.h ../idea/idea.h
+ e_idea.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+ e_idea.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+ e_idea.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+--- a/util/mklink.pl
++++ b/util/mklink.pl
+@@ -50,8 +50,7 @@
+ my $to = join('/', @to_path);
+
+ my $file;
+-$symlink_exists=eval {symlink("",""); 1};
+-if ($^O eq "msys") { $symlink_exists=0 };
++$symlink_exists=0;
+ foreach $file (@files) {
+ my $err = "";
+ if ($symlink_exists) {
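Review bot: openssl-fixbuild.patch.1 has no description line and bundles two unrelated changes, the `e_idea.o` dependency path in crypto/evp/Makefile and the hard-coded `$symlink_exists=0;` in util/mklink.pl. The second one changes behaviour on every platform, not only Windows: headers under include/openssl become copies instead of links, and the reason is recorded only in the commit message. A leading line in the patch file such as `make mklink.pl copy headers instead of symlinking (tarball unpack can no longer break the links); fix e_idea.o dependency on idea.h` would keep that with the patch.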
diff --git a/external/openssl/openssllnx.patch b/external/openssl/openssllnx.patch
index 23a7d9e4c228..de19807b313e 100644
--- a/external/openssl/openssllnx.patch
+++ b/external/openssl/openssllnx.patch
@@ -12,12 +12,12 @@
--- build/openssl-0.9.8v/Makefile.org 2010-01-27 17:06:36.000000000 +0100
+++ build/openssl-0.9.8v/Makefile.org 2010-09-20 09:24:00.000000000 +0100
-@@ -199,7 +199,7 @@
-
- BUILDENV= PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)' \
+@@ -206,7 +206,7 @@
+ # same language for uniform treatment.
+ BUILDENV= LC_ALL=C PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)'\
CC='$(CC)' CFLAG='$(CFLAG)' \
- AS='$(CC)' ASFLAG='$(CFLAG) -c' \
-+ AS='$(CC)' ASFLAG='$(CFLAG) -c -Wa,--noexecstack' \
++ AS='$(CC)' ASFLAG='$(CFLAG) -c -Wa,--noexecstack' \
AR='$(AR)' NM='$(NM)' RANLIB='$(RANLIB)' \
CROSS_COMPILE='$(CROSS_COMPILE)' \
PERL='$(PERL)' ENGDIRS='$(ENGDIRS)' \
diff --git a/external/openssl/opensslwnt.patch b/external/openssl/opensslwnt.patch
index e033d25f602f..2d00736f1317 100644
--- a/external/openssl/opensslwnt.patch
+++ b/external/openssl/opensslwnt.patch
@@ -1,32 +1,39 @@
---- misc/openssl-0.9.8v/crypto/x509v3/v3_pci.c 2007-03-05 01:06:47.000000000 +0100
-+++ build/openssl-0.9.8v/crypto/x509v3/v3_pci.c 2010-03-26 12:04:20.961547300 +0100
+diff -ru openssl.orig/crypto/x509v3/v3_pci.c openssl/crypto/x509v3/v3_pci.c
+--- a/openssl.orig/crypto/x509v3/v3_pci.c 2016-03-01 14:35:05.000000000 +0100
++++ b/openssl/crypto/x509v3/v3_pci.c 2016-03-03 20:27:42.195914432 +0100
@@ -3,7 +3,7 @@
* Contributed to the OpenSSL Project 2004 by Richard Levitte
* (richard at levitte.org)
*/
--/* Copyright (c) 2004 Kungliga Tekniska Högskolan
+-/* Copyright (c) 2004 Kungliga Tekniska Högskolan
+/* Copyright (c) 2004 Kungliga Tekniska Hoegskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
---- misc/openssl-0.9.8v/crypto/x509v3/v3_pcia.c 2004-12-28 01:21:33.000000000 +0100
-+++ build/openssl-0.9.8v/crypto/x509v3/v3_pcia.c 2010-03-26 12:04:20.961547300 +0100
+diff -ru openssl.orig/crypto/x509v3/v3_pcia.c openssl/crypto/x509v3/v3_pcia.c
+--- a/openssl.orig/crypto/x509v3/v3_pcia.c 2016-03-01 14:35:05.000000000 +0100
++++ b/openssl/crypto/x509v3/v3_pcia.c 2016-03-03 20:27:56.495913984 +0100
@@ -3,7 +3,7 @@
* Contributed to the OpenSSL Project 2004 by Richard Levitte
* (richard at levitte.org)
*/
--/* Copyright (c) 2004 Kungliga Tekniska Högskolan
+-/* Copyright (c) 2004 Kungliga Tekniska Högskolan
+/* Copyright (c) 2004 Kungliga Tekniska Hoegskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
---- misc/openssl-0.9.8v/ms/do_ms.bat 2009-07-28 14:51:19.000000000 +0200
-+++ build/openssl-0.9.8v/ms/do_ms.bat 2010-03-26 12:19:19.399047300 +0100
+diff -ru openssl.orig/ms/do_ms.bat openssl/ms/do_ms.bat
+--- a/openssl.orig/ms/do_ms.bat 2015-01-15 15:43:14.000000000 +0100
++++ b/openssl/ms/do_ms.bat 2016-03-03 20:31:09.355907935 +0100
@@ -1,11 +1,11 @@
-perl util\mkfiles.pl >MINFO
-perl util\mk1mf.pl no-asm VC-WIN32 >ms\nt.mak
-perl util\mk1mf.pl dll no-asm VC-WIN32 >ms\ntdll.mak
+-if x%OSVERSION% == x goto skipce
+-perl util\mk1mf.pl no-asm VC-CE >ms\ce.mak
+-perl util\mk1mf.pl dll no-asm VC-CE >ms\cedll.mak
+-:skipce
+%1 util\mkfiles.pl >MINFO
+if %2 == VC-WIN32 goto not64a
+perl ms\uplink.pl win64a > ms\uptable.asm
@@ -34,17 +41,14 @@
+:not64a
+%1 util\mk1mf.pl no-asm %2 >ms\nt.mak
+%1 util\mk1mf.pl dll no-asm %2 >ms\ntdll.mak
--if x%OSVERSION% == x goto skipce
--perl util\mk1mf.pl no-asm VC-CE >ms\ce.mak
--perl util\mk1mf.pl dll no-asm VC-CE >ms\cedll.mak
--:skipce
-perl util\mkdef.pl 32 libeay > ms\libeay32.def
-perl util\mkdef.pl 32 ssleay > ms\ssleay32.def
+%1 util\mkdef.pl 32 libeay > ms\libeay32.def
+%1 util\mkdef.pl 32 ssleay > ms\ssleay32.def
---- misc/openssl-0.9.8v/util/mk1mf.pl 2009-09-20 14:46:42.000000000 +0200
-+++ build/openssl-0.9.8v/util/mk1mf.pl 2010-03-26 12:04:20.977172300 +0100
+diff -ru openssl.orig/util/mk1mf.pl openssl/util/mk1mf.pl
+--- a/openssl.orig/util/mk1mf.pl 2016-03-03 20:22:21.043924505 +0100
++++ b/openssl/util/mk1mf.pl 2016-03-03 20:34:45.015901171 +0100
@@ -163,7 +163,7 @@
$inc_def="outinc";
$tmp_def="tmp";
@@ -54,8 +58,8 @@
$mkdir="-mkdir" unless defined $mkdir;
($ssl,$crypto)=("ssl","crypto");
-@@ -343,6 +343,11 @@
- chop;
+@@ -347,6 +347,11 @@
+ s/\s*$//; # was chop, didn't work in mixture of perls for Windows...
($key,$val)=/^([^=]+)=(.*)/;
+
@@ -66,7 +70,7 @@
if ($key eq "RELATIVE_DIRECTORY")
{
if ($lib ne "")
-@@ -469,7 +474,7 @@
+@@ -473,7 +478,7 @@
# Set your compiler options
PLATFORM=$platform
CC=$bin_dir${cc}
@@ -75,16 +79,16 @@
APP_CFLAG=$app_cflag
LIB_CFLAG=$lib_cflag
SHLIB_CFLAG=$shl_cflag
-@@ -484,7 +489,7 @@
+@@ -488,7 +493,7 @@
- LINK=$link
+ LINK_CMD=$link
LFLAGS=$lflags
-RSC=$rsc
+RSC=$rsc \$(SOLARINC)
# The output directory for everything interesting
OUT_D=$out_dir
-@@ -665,7 +670,7 @@
+@@ -669,7 +674,7 @@
printf OUT <<EOF;
#ifdef $platform_cpp_symbol
/* auto-generated/updated by util/mk1mf.pl for crypto/cversion.c */
@@ -93,8 +97,9 @@
#define PLATFORM "$platform"
EOF
printf OUT " #define DATE \"%s\"\n", scalar gmtime();
---- misc/openssl-0.9.8v/util/pl/VC-32.pl 2010-02-04 02:10:24.000000000 +0100
-+++ build/openssl-0.9.8v/util/pl/VC-32.pl 2010-03-26 12:04:20.977172300 +0100
+diff -ru openssl.orig/util/pl/VC-32.pl openssl/util/pl/VC-32.pl
+--- a/openssl.orig/util/pl/VC-32.pl 2016-03-01 14:35:53.000000000 +0100
++++ b/openssl/util/pl/VC-32.pl 2016-03-03 21:15:14.083824986 +0100
@@ -30,7 +30,7 @@
my $ff = "";
@@ -104,6 +109,15 @@
if ($FLAVOR =~ /WIN64/)
{
# Note that we currently don't have /WX on Win64! There is a lot of
+@@ -48,7 +48,7 @@
+ my $f = $shlib || $fips ?' /MD':' /MT';
+ $opt_cflags=$f.' /Ox';
+ $dbg_cflags=$f.'d /Od -DDEBUG -D_DEBUG';
+- $lflags="/nologo /subsystem:console /opt:ref";
++ $lflags="/nologo /subsystem:console,5.02 /opt:ref";
+
+ *::perlasm_compile_target = sub {
+ my ($target,$source,$bname)=@_;
@@ -114,7 +114,7 @@
}
@@ -132,9 +146,10 @@
$ff = "/fixed";
- $opt_cflags=$f.' /Ox /O2 /Ob2';
- $dbg_cflags=$f.'d /Od -DDEBUG -D_DEBUG';
+- $lflags="/nologo /subsystem:console /opt:ref";
++ $lflags="/nologo /subsystem:console,5.01 /opt:ref";
+ $opt_cflags=$f.' -Ox -O2 -Ob2';
+ $dbg_cflags=$f.'d -Od -DDEBUG -D_DEBUG';
- $lflags="/nologo /subsystem:console /opt:ref";
}
-$lib_cflag='/Zl' if (!$shlib); # remove /DEFAULTLIBs from static lib
+$lib_cflag='-Zl' if (!$shlib); # remove /DEFAULTLIBs from static lib
@@ -150,8 +165,9 @@
# EXE linking stuff
$link="link";
---- build/openssl-0.9.8v/ms/uplink.c
-+++ build/openssl-0.9.8v/ms/uplink.c
+diff -ru openssl.orig/ms/uplink.c openssl/ms/uplink.c
+--- a/openssl.orig/ms/uplink.c 2015-03-19 15:02:02.000000000 +0100
++++ b/openssl/ms/uplink.c 2016-03-03 20:39:19.403892565 +0100
@@ -1,5 +1,6 @@
#if (defined(_WIN64) || defined(_WIN32_WCE)) && !defined(UNICODE)
# define UNICODE
commit f74e62b550d8b26ec4cd92cdb6fc6a17cf62685d
Author: Caolán McNamara <caolanm at redhat.com>
AuthorDate: Tue Apr 7 11:51:50 2015 +0100
Commit: Thorsten Behrens <Thorsten.Behrens at CIB.de>
CommitDate: Wed Aug 15 17:05:43 2018 +0200
upgrade to openssl-1.0.2a
and de-ifdef-per-platform the patch makefile so an upgrade attempt on one
platform tests that the patches apply on all platforms
ubsan.patch.0 was effectively applied upstream, while we need
to add http://rt.openssl.org/Ticket/Display.html?id=3650 to build
under Windows
Change-Id: Ieffd9bc3dd861a94a083d8b6b8d4117bba7f527c
Reviewed-on: https://gerrit.libreoffice.org/15183
Tested-by: Jenkins <ci at libreoffice.org>
Reviewed-by: Caolán McNamara <caolanm at redhat.com>
Tested-by: Caolán McNamara <caolanm at redhat.com>
diff --git a/external/openssl/UnpackedTarball_openssl.mk b/external/openssl/UnpackedTarball_openssl.mk
index 5517688c7b6c..d1b353115249 100644
--- a/external/openssl/UnpackedTarball_openssl.mk
+++ b/external/openssl/UnpackedTarball_openssl.mk
@@ -22,33 +22,13 @@ $(eval $(call gb_UnpackedTarball_set_pre_action,openssl,\
endif
$(eval $(call gb_UnpackedTarball_add_patches,openssl,\
- external/openssl/CVE-2013-6449.patch \
- external/openssl/CVE-2013-6450.patch \
- external/openssl/CVE-2013-4353.patch \
- external/openssl/CVE-2014-0160.patch \
- external/openssl/CVE-2010-5298.patch \
- external/openssl/CVE-2014-0195.patch \
- external/openssl/CVE-2014-0198.patch \
- external/openssl/CVE-2014-0221.patch \
- external/openssl/CVE-2014-0224.patch \
- external/openssl/CVE-2014-3470.patch \
- external/openssl/CVE-2014-3505.patch \
- external/openssl/CVE-2014-3506.patch \
- external/openssl/CVE-2014-3507.patch \
- external/openssl/CVE-2014-3508.patch \
- external/openssl/CVE-2014-3509.patch \
- external/openssl/CVE-2014-3510.patch \
- external/openssl/CVE-2014-3511.patch \
- external/openssl/CVE-2014-3513.patch \
- external/openssl/CVE-2014-3567.patch \
- external/openssl/CVE-2014-3566.patch \
- $(if $(filter LINUX FREEBSD ANDROID,$(OS)),external/openssl/openssllnx.patch) \
- $(if $(filter WNTGCC,$(OS)$(COM)),external/openssl/opensslmingw.patch) \
- $(if $(filter MSC,$(COM)),external/openssl/opensslwnt.patch) \
- $(if $(filter MSC,$(COM)),external/openssl/openssl-1.0.1g-msvc2012-winxp.patch.1) \
- $(if $(filter MSC,$(COM)),external/openssl/openssl-1.0.1h-win64.patch.1) \
- $(if $(filter SOLARIS,$(OS)),external/openssl/opensslsol.patch) \
- $(if $(filter IOS,$(OS)),external/openssl/opensslios.patch) \
+ external/openssl/openssllnx.patch \
+ external/openssl/opensslwnt.patch \
+ external/openssl/openssl-1.0.1g-msvc2012-winxp.patch.1 \
+ external/openssl/openssl-1.0.1h-win64.patch.1 \
+ external/openssl/opensslsol.patch \
+ external/openssl/opensslios.patch \
+ external/openssl/openssl-3650-masm.patch.1 \
))
# vim: set noet sw=4 ts=4:
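Review bot: Nothing in the makefile or the commit message records that the twenty `CVE-*.patch` entries removed from the patch list are contained in the new tarball; the message accounts only for ubsan.patch.0. All of these identifiers predate the 1.0.2 series, so the fixes are presumably upstream, but a security backport list should leave an audit trail when it is dropped. A comment above the `gb_UnpackedTarball_add_patches` call would provide one, such as `# CVE-2010-5298 .. CVE-2014-3567 backports dropped: contained in upstream 1.0.2a`, added once each has been checked against the upstream changelog. The same hunk makes the platform patches unconditional, which relies on each patch touching only files that other platforms do not build.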
diff --git a/external/openssl/openssl-1.0.1g-msvc2012-winxp.patch.1 b/external/openssl/openssl-1.0.1g-msvc2012-winxp.patch.1
new file mode 100644
index 000000000000..de9e6fc09f4a
--- /dev/null
+++ b/external/openssl/openssl-1.0.1g-msvc2012-winxp.patch.1
@@ -0,0 +1,20 @@
+--- openssl.org/util/pl/VC-32.pl 2014-05-18 23:41:39.336594400 +0200
++++ openssl/util/pl/VC-32.pl 2014-05-18 23:47:40.055279300 +0200
+@@ -48,7 +48,7 @@
+ my $f = $shlib || $fips ?' /MD':' /MT';
+ $opt_cflags=$f.' /Ox';
+ $dbg_cflags=$f.'d /Od -DDEBUG -D_DEBUG';
+- $lflags="/nologo /subsystem:console /opt:ref";
++ $lflags="/nologo /subsystem:console,5.02 /opt:ref";
+
+ *::perlasm_compile_target = sub {
+ my ($target,$source,$bname)=@_;
+@@ -135,7 +135,7 @@
+ $ff = "/fixed";
+ $opt_cflags=$f.' -Ox -O2 -Ob2';
+ $dbg_cflags=$f.'d -Od -DDEBUG -D_DEBUG';
+- $lflags="/nologo /subsystem:console /opt:ref";
++ $lflags="/nologo /subsystem:console,5.01 /opt:ref";
+ }
+ $lib_cflag='-Zl' if (!$shlib); # remove /DEFAULTLIBs from static lib
+ $mlflags='';
diff --git a/external/openssl/openssl-3650-masm.patch.1 b/external/openssl/openssl-3650-masm.patch.1
new file mode 100644
index 000000000000..97f1eb6446c3
--- /dev/null
+++ b/external/openssl/openssl-3650-masm.patch.1
@@ -0,0 +1,35 @@
+diff --git a/crypto/perlasm/x86masm.pl b/crypto/perlasm/x86masm.pl
+index 1741342..917d0f8 100644
+--- a/crypto/perlasm/x86masm.pl
++++ b/crypto/perlasm/x86masm.pl
+@@ -18,10 +18,10 @@ sub ::generic
+
+ if ($opcode =~ /lea/ && @arg[1] =~ s/.*PTR\s+(\(.*\))$/OFFSET $1/) # no []
+ { $opcode="mov"; }
+- elsif ($opcode !~ /movq/)
++ elsif ($opcode !~ /mov[dq]$/)
+ { # fix xmm references
+- $arg[0] =~ s/\b[A-Z]+WORD\s+PTR/XMMWORD PTR/i if ($arg[1]=~/\bxmm[0-7]\b/i);
+- $arg[1] =~ s/\b[A-Z]+WORD\s+PTR/XMMWORD PTR/i if ($arg[0]=~/\bxmm[0-7]\b/i);
++ $arg[0] =~ s/\b[A-Z]+WORD\s+PTR/XMMWORD PTR/i if ($arg[-1]=~/\bxmm[0-7]\b/i);
++ $arg[-1] =~ s/\b[A-Z]+WORD\s+PTR/XMMWORD PTR/i if ($arg[0]=~/\bxmm[0-7]\b/i);
+ }
+
+ &::emit($opcode, at arg);
+@@ -160,13 +160,13 @@ sub ::public_label
+ { push(@out,"PUBLIC\t".&::LABEL($_[0],$nmdecor.$_[0])."\n"); }
+
+ sub ::data_byte
+-{ push(@out,("DB\t").join(',', at _)."\n"); }
++{ push(@out,("DB\t").join(',',splice(@_,0,16))."\n") while(@_); }
+
+ sub ::data_short
+-{ push(@out,("DW\t").join(',', at _)."\n"); }
++{ push(@out,("DW\t").join(',',splice(@_,0,8))."\n") while(@_); }
+
+ sub ::data_word
+-{ push(@out,("DD\t").join(',', at _)."\n"); }
++{ push(@out,("DD\t").join(',',splice(@_,0,4))."\n") while(@_); }
+
+ sub ::align
+ { push(@out,"ALIGN\t$_[0]\n"); }
diff --git a/external/openssl/opensslmingw.patch b/external/openssl/opensslmingw.patch
deleted file mode 100644
index e0dc96029d6b..000000000000
--- a/external/openssl/opensslmingw.patch
+++ /dev/null
@@ -1,109 +0,0 @@
---- misc/openssl-0.9.8v/Makefile.shared 2008-09-17 17:56:40.000000000 +0200
-+++ misc/build/openssl-0.9.8v/Makefile.shared 2009-03-30 11:52:53.684538000 +0200
-@@ -254,13 +254,17 @@
- base=-Wl,--enable-auto-image-base; \
- if expr $(PLATFORM) : 'mingw' > /dev/null; then \
- SHLIB=$(LIBNAME)eay32; \
-- base=; [ $(LIBNAME) = "crypto" ] && base=-Wl,--image-base,0x63000000; \
-+ base=; \
-+ if test $(LIBNAME) = "crypto"; then \
-+ SHLIB=libeay32; \
-+ base=-Wl,--image-base,0x63000000; \
-+ fi; \
- fi; \
- SHLIB_SUFFIX=.dll; \
-- SHLIB_SOVER=-$(LIBVERSION); \
-+ SHLIB_SOVER=; \
- ALLSYMSFLAGS='-Wl,--whole-archive'; \
- NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
-- SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared $$base -Wl,-Bsymbolic -Wl,--out-implib,lib$(LIBNAME).dll.a"; \
-+ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared $$base -Wl,-Bsymbolic -Wl,--export-all-symbols -Wl,--out-implib,lib$(LIBNAME).dll.a"; \
- [ -f apps/$$SHLIB$$SHLIB_SUFFIX ] && rm apps/$$SHLIB$$SHLIB_SUFFIX; \
- [ -f test/$$SHLIB$$SHLIB_SUFFIX ] && rm test/$$SHLIB$$SHLIB_SUFFIX; \
- $(LINK_SO_A) || exit 1; \
---- misc/openssl-0.9.8v/e_os2.h 2005-12-19 03:57:07.000000000 +0900
-+++ misc/build/openssl-0.9.8v/e_os2.h 2009-04-04 23:07:15.324250000 +0900
-@@ -264,7 +264,7 @@
- # define OPENSSL_IMPLEMENT_GLOBAL(type,name) \
- extern type _hide_##name; \
- type *_shadow_##name(void) { return &_hide_##name; } \
-- static type _hide_##name
-+ type _hide_##name
- # define OPENSSL_DECLARE_GLOBAL(type,name) type *_shadow_##name(void)
- # define OPENSSL_GLOBAL_REF(name) (*(_shadow_##name()))
- #else
---- misc/openssl-0.9.8v/ms/mingw32.bat 2006-05-05 15:19:32.000000000 +0200
-+++ misc/build/openssl-0.9.8v/ms/mingw32.bat 2009-03-30 11:54:10.000000000 +0200
-@@ -79,15 +79,41 @@
- rem copy ms\tlhelp32.h outinc
-
- echo Building the libraries
--mingw32-make -f ms/mingw32a.mak
-+make -f ms/mingw32a.mak
- if errorlevel 1 goto end
-
- echo Generating the DLLs and input libraries
--dllwrap --dllname libeay32.dll --output-lib out/libeay32.a --def ms/libeay32.def out/libcrypto.a -lwsock32 -lgdi32
-+mv out/libcrypto.a out/libcrypto_static.a
-+mv out/libssl.a out/libssl_static.a
-+dlltool --dllname libeay32.dll --output-lib out/libcrypto.a --input-def ms/libeay32.def
- if errorlevel 1 goto end
--dllwrap --dllname libssl32.dll --output-lib out/libssl32.a --def ms/ssleay32.def out/libssl.a out/libeay32.a
-+gcc --shared --enable-pseudo-reloc -Wl,-Map,out/libeay32.map ms/libeay32.def -o out/libeay32.dll out/libcrypto_static.a -lwsock32 -lgdi32
- if errorlevel 1 goto end
-+dlltool --dllname ssleay32.dll --output-lib out/libssl.a --input-def ms/ssleay32.def
-+if errorlevel 1 goto end
-+if "%MINGW_SHARED_GXXLIB%"=="YES" goto shared_gxxlib
-+if "%MINGW_SHARED_GCCLIB%"=="YES" goto shared_gcclib
-+gcc --shared --enable-pseudo-reloc -Wl,-Map,out/libeay32.map ms/libeay32.def -o out/libeay32.dll out/libcrypto_static.a -lwsock32 -lgdi32
-+if errorlevel 1 goto end
-+gcc --shared --enable-pseudo-reloc -Wl,-Map,out/ssleay32.map -Lout ms/ssleay32.def -o out/ssleay32.dll out/libssl_static.a -lcrypto
-+if errorlevel 1 goto end
-+goto finished
-+
-+:shared_gcclib
-+gcc --shared -shared-libgcc --enable-pseudo-reloc -Wl,-Map,out/libeay32.map ms/libeay32.def -o out/libeay32.dll out/libcrypto_static.a -lwsock32 -lgdi32
-+if errorlevel 1 goto end
-+gcc --shared -shared-libgcc --enable-pseudo-reloc -Wl,-Map,out/ssleay32.map -Lout ms/ssleay32.def -o out/ssleay32.dll out/libssl_static.a -lcrypto
-+if errorlevel 1 goto end
-+goto finished
-+
-+:shared_gxxlib
-+gcc --shared -shared-libgcc --enable-pseudo-reloc -Wl,-Map,out/libeay32.map ms/libeay32.def -o out/libeay32.dll out/libcrypto_static.a -lwsock32 -lgdi32 %MINGW_SHARED_LIBSTDSPP%
-+if errorlevel 1 goto end
-+gcc --shared -shared-libgcc --enable-pseudo-reloc -Wl,-Map,out/ssleay32.map -Lout ms/ssleay32.def -o out/ssleay32.dll out/libssl_static.a -lcrypto %MINGW_SHARED_LIBSTDSPP%
-+if errorlevel 1 goto end
-+goto finished
-
-+:finished
- echo Done compiling OpenSSL
-
- :end
---- misc/openssl-0.9.8v/util/pl/Mingw32.pl 2006-05-05 15:19:34.000000000 +0200
-+++ misc/build/openssl-0.9.8v/util/pl/Mingw32.pl 2009-03-30 11:55:04.000000000 +0200
-@@ -6,11 +6,11 @@
- $o='/';
- $cp='cp';
- $rm='rm -f';
--$mkdir='gmkdir';
-+#$mkdir='gmkdir';
-
--$o='\\';
--$cp='copy';
--$rm='del';
-+#$o='\\';
-+#$cp='copy';
-+#$rm='del';
- $mkdir='mkdir';
-
- # C compiler stuff
-@@ -87,7 +87,8 @@
- ($Name=$name) =~ tr/a-z/A-Z/;
-
- $ret.="$target: \$(${Name}OBJ)\n";
-- $ret.="\tif exist $target \$(RM) $target\n";
-+ $ret.="\t\$(RM) $target\n";
-+# $ret.="\tif exist $target \$(RM) $target\n";
- $ret.="\t\$(MKLIB) $target \$(${Name}OBJ)\n";
- $ret.="\t\$(RANLIB) $target\n\n";
- }
diff --git a/external/openssl/opensslsol.patch b/external/openssl/opensslsol.patch
index a22dc05cee39..ef70130aab9b 100644
--- a/external/openssl/opensslsol.patch
+++ b/external/openssl/opensslsol.patch
@@ -1,81 +1,33 @@
--- misc/openssl-0.9.8v/Configure Mon Nov 9 15:14:26 2009
+++ build/openssl-0.9.8v/Configure Fri Mar 26 16:01:32 2010
-@@ -212,8 +212,8 @@
- "solaris64-x86_64-gcc","gcc:-m64 -O3 -Wall -DL_ENDIAN -DMD32_REG_T=int::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:solaris-shared:-fPIC:-m64 -shared -static-libgcc:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+@@ -228,8 +228,8 @@
+ "solaris64-x86_64-gcc","gcc:-m64 -O3 -Wall -DL_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:solaris-shared:-fPIC:-m64 -shared -static-libgcc:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/64",
#### Solaris x86 with Sun C setups
--"solaris-x86-cc","cc:-fast -O -Xa::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR:${no_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--"solaris64-x86_64-cc","cc:-fast -xarch=amd64 -xstrconst -Xa -DL_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:solaris-shared:-KPIC:-xarch=amd64 -G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"solaris-x86-cc","cc:-O -Xa::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR:${no_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"solaris64-x86_64-cc","cc:-xarch=amd64 -xstrconst -Xa -DL_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:solaris-shared:-KPIC:-xarch=amd64 -G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"solaris-x86-cc","cc:-fast -xarch=generic -O -Xa::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR:${no_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"solaris64-x86_64-cc","cc:-fast -xarch=amd64 -xstrconst -Xa -DL_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:solaris-shared:-KPIC:-xarch=amd64 -G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/64",
++"solaris-x86-cc","cc:-xarch=generic -O -Xa::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR:${no_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"solaris64-x86_64-cc","cc:-xarch=amd64 -xstrconst -Xa -DL_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:solaris-shared:-KPIC:-xarch=amd64 -G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/64",
#### SPARC Solaris with GNU C setups
"solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
--- misc/openssl-0.9.8v/Makefile.shared Wed Sep 17 17:56:40 2008
+++ build/openssl-0.9.8v/Makefile.shared Fri Mar 26 16:04:41 2010
-@@ -93,7 +93,7 @@
+@@ -95,7 +95,7 @@
LDCMD="$${LDCMD:-$(CC)}"; LDFLAGS="$${LDFLAGS:-$(CFLAGS)}"; \
- LIBPATH=`for x in $$LIBDEPS; do if echo $$x | grep '^ *-L' > /dev/null 2>&1; then echo $$x | sed -e 's/^ *-L//'; fi; done | uniq`; \
+ LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
- LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
+ LD_LIBRARY_PATH=$$LD_LIBRARY_PATH \
$${LDCMD} $${LDFLAGS} -o $${APPNAME:=$(APPNAME)} $(OBJECTS) $${LIBDEPS} )
LINK_SO= \
-@@ -103,7 +103,7 @@
+@@ -105,7 +105,7 @@
SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
- LIBPATH=`for x in $$LIBDEPS; do if echo $$x | grep '^ *-L' > /dev/null 2>&1; then echo $$x | sed -e 's/^ *-L//'; fi; done | uniq`; \
+ LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
- LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
+ LD_LIBRARY_PATH=$$LD_LIBRARY_PATH \
$${SHAREDCMD} $${SHAREDFLAGS} \
-o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
$$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS \
---- misc/openssl-0.9.8v/config Tue Mar 9 18:08:24 2010
-+++ build/openssl-0.9.8v/config Fri Mar 26 16:07:55 2010
-@@ -399,28 +399,25 @@
- # this is where the translation occurs into SSLeay terms
- # ---------------------------------------------------------------------------
-
--GCCVER=`(gcc -dumpversion) 2>/dev/null`
--if [ "$GCCVER" != "" ]; then
-- # then strip off whatever prefix egcs prepends the number with...
-- # Hopefully, this will work for any future prefixes as well.
-- GCCVER=`echo $GCCVER | LC_ALL=C sed 's/^[a-zA-Z]*\-//'`
-- # Since gcc 3.1 gcc --version behaviour has changed. gcc -dumpversion
-- # does give us what we want though, so we use that. We just just the
-- # major and minor version numbers.
-- # peak single digit before and after first dot, e.g. 2.95.1 gives 29
-- GCCVER=`echo $GCCVER | sed 's/\([0-9]\)\.\([0-9]\).*/\1\2/'`
-+if [ -z "$CC" ];then
-+ GCCVER=`(gcc -dumpversion) 2>/dev/null`
-+ if [ "$GCCVER" != "" ]; then
-+ CC=gcc
-+ # then strip off whatever prefix egcs prepends the number with...
-+ # Hopefully, this will work for any future prefixes as well.
-+ GCCVER=`echo $GCCVER | LC_ALL=C sed 's/^[a-zA-Z]*\-//'`
-+ # Since gcc 3.1 gcc --version behaviour has changed. gcc -dumpversion
-+ # does give us what we want though, so we use that. We just just the
-+ # major and minor version numbers.
-+ # peak single digit before and after first dot, e.g. 2.95.1 gives 29
-+ GCCVER=`echo $GCCVER | sed 's/\([0-9]\)\.\([0-9]\).*/\1\2/'`
-+ else
-+ CC=cc
-+ fi
-+else
-+ CC=`echo $CC | sed 's/^[^ ]*\/\(..\).*/\1/'`
- fi
-
--# Only set CC if not supplied already
--if [ -z "$CC" ]; then
--# figure out if gcc is available and if so we use it otherwise
--# we fallback to whatever cc does on the system
-- if [ "$GCCVER" != "" ]; then
-- CC=gcc
-- else
-- CC=cc
-- fi
--fi
- GCCVER=${GCCVER:-0}
- if [ "$SYSTEM" = "HP-UX" ];then
- # By default gcc is a ILP32 compiler (with long long == 64).
diff --git a/external/openssl/opensslwnt.patch b/external/openssl/opensslwnt.patch
index 5be9c958a37a..e033d25f602f 100644
--- a/external/openssl/opensslwnt.patch
+++ b/external/openssl/opensslwnt.patch
@@ -1,8 +1,8 @@
--- misc/openssl-0.9.8v/crypto/x509v3/v3_pci.c 2007-03-05 01:06:47.000000000 +0100
+++ build/openssl-0.9.8v/crypto/x509v3/v3_pci.c 2010-03-26 12:04:20.961547300 +0100
-@@ -2,7 +2,7 @@
- /* Contributed to the OpenSSL Project 2004
- * by Richard Levitte (richard at levitte.org)
+@@ -3,7 +3,7 @@
+ * Contributed to the OpenSSL Project 2004 by Richard Levitte
+ * (richard at levitte.org)
*/
-/* Copyright (c) 2004 Kungliga Tekniska Högskolan
+/* Copyright (c) 2004 Kungliga Tekniska Hoegskolan
@@ -11,9 +11,9 @@
*
--- misc/openssl-0.9.8v/crypto/x509v3/v3_pcia.c 2004-12-28 01:21:33.000000000 +0100
+++ build/openssl-0.9.8v/crypto/x509v3/v3_pcia.c 2010-03-26 12:04:20.961547300 +0100
-@@ -2,7 +2,7 @@
- /* Contributed to the OpenSSL Project 2004
- * by Richard Levitte (richard at levitte.org)
+@@ -3,7 +3,7 @@
+ * Contributed to the OpenSSL Project 2004 by Richard Levitte
+ * (richard at levitte.org)
*/
-/* Copyright (c) 2004 Kungliga Tekniska Högskolan
+/* Copyright (c) 2004 Kungliga Tekniska Hoegskolan
@@ -45,7 +45,7 @@
+%1 util\mkdef.pl 32 ssleay > ms\ssleay32.def
--- misc/openssl-0.9.8v/util/mk1mf.pl 2009-09-20 14:46:42.000000000 +0200
+++ build/openssl-0.9.8v/util/mk1mf.pl 2010-03-26 12:04:20.977172300 +0100
-@@ -128,7 +128,7 @@
+@@ -163,7 +163,7 @@
$inc_def="outinc";
$tmp_def="tmp";
@@ -54,7 +54,7 @@
$mkdir="-mkdir" unless defined $mkdir;
($ssl,$crypto)=("ssl","crypto");
-@@ -290,6 +290,11 @@
+@@ -343,6 +343,11 @@
chop;
($key,$val)=/^([^=]+)=(.*)/;
@@ -66,7 +66,7 @@
if ($key eq "RELATIVE_DIRECTORY")
{
if ($lib ne "")
-@@ -529,7 +529,7 @@
+@@ -469,7 +474,7 @@
# Set your compiler options
PLATFORM=$platform
CC=$bin_dir${cc}
@@ -75,27 +75,27 @@
APP_CFLAG=$app_cflag
LIB_CFLAG=$lib_cflag
SHLIB_CFLAG=$shl_cflag
-@@ -544,7 +544,7 @@
+@@ -484,7 +489,7 @@
LINK=$link
LFLAGS=$lflags
-RSC=$rsc
+RSC=$rsc \$(SOLARINC)
- # The output directory for everything intersting
+ # The output directory for everything interesting
OUT_D=$out_dir
-@@ -730,7 +735,7 @@
+@@ -665,7 +670,7 @@
printf OUT <<EOF;
#ifdef $platform_cpp_symbol
/* auto-generated/updated by util/mk1mf.pl for crypto/cversion.c */
-- #define CFLAGS "$cc $cflags"
-+ #define CFLAGS "$cflags"
+- #define CFLAGS "compiler: $cc $cflags"
++ #define CFLAGS "compiler: $cflags"
#define PLATFORM "$platform"
EOF
printf OUT " #define DATE \"%s\"\n", scalar gmtime();
--- misc/openssl-0.9.8v/util/pl/VC-32.pl 2010-02-04 02:10:24.000000000 +0100
+++ build/openssl-0.9.8v/util/pl/VC-32.pl 2010-03-26 12:04:20.977172300 +0100
-@@ -32,7 +32,7 @@
+@@ -30,7 +30,7 @@
my $ff = "";
# C compiler stuff
@@ -104,29 +104,31 @@
if ($FLAVOR =~ /WIN64/)
{
# Note that we currently don't have /WX on Win64! There is a lot of
-@@ -103,22 +103,22 @@
+@@ -114,7 +114,7 @@
}
- $cc='$(CC)';
+ $cc=($ENV{CC} or "cl");
- $base_cflags=' /W3 /WX /GF /Gy /nologo -DUNICODE -D_UNICODE -DOPENSSL_SYSNAME_WINCE -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DNO_CHMOD -DOPENSSL_SMALL_FOOTPRINT';
+ $base_cflags=' -W3 -GF -Gy -nologo -DUNICODE -D_UNICODE -DOPENSSL_SYSNAME_WINCE -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DNO_CHMOD -DOPENSSL_SMALL_FOOTPRINT';
$base_cflags.=" $wcecdefs";
$base_cflags.=' -I$(WCECOMPAT)/include' if (defined($ENV{'WCECOMPAT'}));
$base_cflags.=' -I$(PORTSDK_LIBPATH)/../../include' if (defined($ENV{'PORTSDK_LIBPATH'}));
-- $opt_cflags=' /MC /O1i'; # optimize for space, but with intrinsics...
-- $dbg_cflags=' /MC /Od -DDEBUG -D_DEBUG';
-+ $opt_cflags=' -MC -O1i'; # optimize for space, but with intrinsics...
-+ $dbg_cflags=' -MC -Od -DDEBUG -D_DEBUG';
+@@ -123,20 +123,21 @@
+ } else {
+ $base_cflags.=' /MC';
+ }
+- $opt_cflags=' /O1i'; # optimize for space, but with intrinsics...
+- $dbg_cflags=' /Od -DDEBUG -D_DEBUG';
++ $opt_cflags=' -O1i'; # optimize for space, but with intrinsics...
++ $dbg_cflags=' -Od -DDEBUG -D_DEBUG';
++
$lflags="/nologo /opt:ref $wcelflag";
}
else # Win32
{
-- $base_cflags= " $mf_cflag";
-+ $base_cflags= " $mf_cflag";
+ $base_cflags= " $mf_cflag";
- my $f = $shlib || $fips ?' /MD':' /MT';
-- $lib_cflag='/Zl' if (!$shlib); # remove /DEFAULTLIBs from static lib
+ my $f = $shlib || $fips ? (($ENV{MSVC_USE_DEBUG_RUNTIME} eq "TRUE") ? ' -MDd' : ' -MD' ):' -MT';
-+ $lib_cflag='-Zl' if (!$shlib); # remove /DEFAULTLIBs from static lib
$ff = "/fixed";
- $opt_cflags=$f.' /Ox /O2 /Ob2';
- $dbg_cflags=$f.'d /Od -DDEBUG -D_DEBUG';
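Review bot: On the Win32 branch `$f` can already be `' -MDd'` when `MSVC_USE_DEBUG_RUNTIME` is `TRUE`, yet the next hunk still carries `$dbg_cflags=$f.'d -Od -DDEBUG -D_DEBUG'`, which would expand to `-MDdd` for a debug configuration. The optimized flags are unaffected, so this only matters if mk1mf.pl is ever run in debug mode, which is not visible from here. Appending the suffix conditionally, e.g. `$dbg_cflags=$f.($f =~ /d$/ ? '' : 'd').' -Od -DDEBUG -D_DEBUG';`, keeps both paths valid. The same pair of lines is carried unchanged in the older "openssl: fix WNT patch to apply" commit further down.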
@@ -134,8 +136,12 @@
+ $dbg_cflags=$f.'d -Od -DDEBUG -D_DEBUG';
$lflags="/nologo /subsystem:console /opt:ref";
}
+-$lib_cflag='/Zl' if (!$shlib); # remove /DEFAULTLIBs from static lib
++$lib_cflag='-Zl' if (!$shlib); # remove /DEFAULTLIBs from static lib
$mlflags='';
-@@ -138,7 +138,7 @@
+
+ $out_def ="out32"; $out_def.="dll" if ($shlib);
+@@ -161,7 +162,7 @@
$obj='.obj';
$asm_suffix='.asm';
@@ -148,8 +154,8 @@
+++ build/openssl-0.9.8v/ms/uplink.c
@@ -1,5 +1,6 @@
#if (defined(_WIN64) || defined(_WIN32_WCE)) && !defined(UNICODE)
- #define UNICODE
-+#define _CRT_NON_CONFORMING_SWPRINTFS
+ # define UNICODE
++# define _CRT_NON_CONFORMING_SWPRINTFS
#endif
#if defined(UNICODE) && !defined(_UNICODE)
- #define _UNICODE
+ # define _UNICODE
commit f0c1033335a20f8a08e19ce110229266b1440882
Author: Thomas Arnhold <thomas at arnhold.org>
AuthorDate: Sun Aug 10 04:08:27 2014 +0200
Commit: Thorsten Behrens <Thorsten.Behrens at CIB.de>
CommitDate: Wed Aug 15 17:05:43 2018 +0200
win64: make openssl work
fix windows style path separator to unix style, needed for cygwin.
Change-Id: I4de78d6901378644857c28a59467b59ef886f47b
Reviewed-on: https://gerrit.libreoffice.org/10855
Reviewed-by: Thomas Arnhold <thomas at arnhold.org>
Tested-by: Thomas Arnhold <thomas at arnhold.org>
diff --git a/external/openssl/UnpackedTarball_openssl.mk b/external/openssl/UnpackedTarball_openssl.mk
index a14204d4c966..5517688c7b6c 100644
--- a/external/openssl/UnpackedTarball_openssl.mk
+++ b/external/openssl/UnpackedTarball_openssl.mk
@@ -45,6 +45,8 @@ $(eval $(call gb_UnpackedTarball_add_patches,openssl,\
$(if $(filter LINUX FREEBSD ANDROID,$(OS)),external/openssl/openssllnx.patch) \
$(if $(filter WNTGCC,$(OS)$(COM)),external/openssl/opensslmingw.patch) \
$(if $(filter MSC,$(COM)),external/openssl/opensslwnt.patch) \
+ $(if $(filter MSC,$(COM)),external/openssl/openssl-1.0.1g-msvc2012-winxp.patch.1) \
+ $(if $(filter MSC,$(COM)),external/openssl/openssl-1.0.1h-win64.patch.1) \
$(if $(filter SOLARIS,$(OS)),external/openssl/opensslsol.patch) \
$(if $(filter IOS,$(OS)),external/openssl/opensslios.patch) \
))
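Review bot: The added `openssl-1.0.1g-msvc2012-winxp.patch.1` entry has no matching new file in this commit as shown; only `openssl-1.0.1h-win64.patch.1` is created, so the list relies on the other patch already existing on the branch. If it does not, unpacking would fail for every MSC build, which is worth confirming before this lands. Both entries are gated only on `$(filter MSC,$(COM))`, so the win64 patch is also applied to 32-bit MSVC builds; a one-line comment such as `# applied to all MSVC builds, not only 64-bit` above them would make that explicit.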
diff --git a/external/openssl/openssl-1.0.1h-win64.patch.1 b/external/openssl/openssl-1.0.1h-win64.patch.1
new file mode 100644
index 000000000000..aea914633ebb
--- /dev/null
+++ b/external/openssl/openssl-1.0.1h-win64.patch.1
@@ -0,0 +1,47 @@
+diff --git a/ms/do_win64a.bat b/ms/do_win64a.bat
+index 8768dc6..6772390 100755
+--- a/ms/do_win64a.bat
++++ b/ms/do_win64a.bat
+@@ -1,19 +1,19 @@
+-perl util\mkfiles.pl >MINFO
++perl util/mkfiles.pl >MINFO
+
+ cmd /c "nasm -f win64 -v" >NUL 2>&1
+ if %errorlevel% neq 0 goto ml64
+
+-perl ms\uplink-x86_64.pl nasm > ms\uptable.asm
+-nasm -f win64 -o ms\uptable.obj ms\uptable.asm
++perl ms/uplink-x86_64.pl nasm > ms/uptable.asm
++nasm -f win64 -o ms/uptable.obj ms/uptable.asm
+ goto proceed
+
+ :ml64
+-perl ms\uplink-x86_64.pl masm > ms\uptable.asm
+-ml64 -c -Foms\uptable.obj ms\uptable.asm
++perl ms/uplink-x86_64.pl masm > ms/uptable.asm
++ml64 -c -Foms/uptable.obj ms/uptable.asm
+
+ :proceed
+-perl util\mk1mf.pl VC-WIN64A >ms\nt.mak
+-perl util\mk1mf.pl dll VC-WIN64A >ms\ntdll.mak
++perl util/mk1mf.pl VC-WIN64A >ms/nt.mak
++perl util/mk1mf.pl dll VC-WIN64A >ms/ntdll.mak
+
+-perl util\mkdef.pl 32 libeay > ms\libeay32.def
+-perl util\mkdef.pl 32 ssleay > ms\ssleay32.def
++perl util/mkdef.pl 32 libeay > ms/libeay32.def
++perl util/mkdef.pl 32 ssleay > ms/ssleay32.def
+diff --git a/util/mk1mf.pl b/util/mk1mf.pl
+index 72fa089..d98def1 100755
+--- a/util/mk1mf.pl
++++ b/util/mk1mf.pl
+@@ -233,6 +233,9 @@ else
+ $cflags.=' -DTERMIO';
+ }
+
++# force unix style path separator
++${o} = "/";
++
+ $fipsdir =~ s/\//${o}/g;
+
+ $out_dir=(defined($VARS{'OUT'}))?$VARS{'OUT'}:$out_def.($debug?".dbg":"");
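Review bot: The added `${o} = "/";` in util/mk1mf.pl is unconditional, so it overrides the separator for every platform the script generates makefiles for, and it turns the following `$fipsdir =~ s/\//${o}/g;` into a no-op. The commit message says this is needed for cygwin, so restricting it to that case documents the intent and leaves native cmd.exe runs untouched, e.g. `${o} = "/" if $^O eq "cygwin";` (this assumes the build uses cygwin's perl; confirm). The comment could also say why: `# cygwin shell treats '\' as an escape, so generated paths must use '/'`.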
commit f58d30d9cb6bdbe880f5b62c87592e63b0ee7d3a
Author: Michael Stahl <mstahl at redhat.com>
AuthorDate: Mon Jun 2 23:30:03 2014 +0200
Commit: Thorsten Behrens <Thorsten.Behrens at CIB.de>
CommitDate: Wed Aug 15 17:05:42 2018 +0200
openssl: stop (ab)using fix_end_of_line to break symlinks
Win32 make has problems because the command line gets too long.
Change-Id: I157b7b2b61353b158b1a3f412331e54aafec206c
diff --git a/external/openssl/UnpackedTarball_openssl.mk b/external/openssl/UnpackedTarball_openssl.mk
index 117211b685f7..a14204d4c966 100644
--- a/external/openssl/UnpackedTarball_openssl.mk
+++ b/external/openssl/UnpackedTarball_openssl.mk
@@ -11,60 +11,15 @@ $(eval $(call gb_UnpackedTarball_UnpackedTarball,openssl))
$(eval $(call gb_UnpackedTarball_set_tarball,openssl,$(OPENSSL_TARBALL)))
-# hack to fix symlinks with MSVC
-$(eval $(call gb_UnpackedTarball_fix_end_of_line,openssl,\
- include/openssl/asn1.h \
- include/openssl/bio.h \
- include/openssl/bn.h \
- include/openssl/buffer.h \
- include/openssl/comp.h \
- include/openssl/conf.h \
- include/openssl/crypto.h \
- include/openssl/des.h \
- include/openssl/des_old.h \
- include/openssl/dh.h \
- include/openssl/dsa.h \
- include/openssl/dtls1.h \
- include/openssl/e_os2.h \
- include/openssl/ec.h \
- include/openssl/ecdh.h \
- include/openssl/ecdsa.h \
- include/openssl/engine.h \
- include/openssl/err.h \
- include/openssl/evp.h \
- include/openssl/hmac.h \
- include/openssl/kssl.h \
- include/openssl/lhash.h \
- include/openssl/md4.h \
- include/openssl/md5.h \
- include/openssl/obj_mac.h \
- include/openssl/objects.h \
- include/openssl/opensslconf.h \
- include/openssl/opensslv.h \
- include/openssl/ossl_typ.h \
- include/openssl/pem.h \
- include/openssl/pem2.h \
- include/openssl/pkcs12.h \
- include/openssl/pkcs7.h \
- include/openssl/pqueue.h \
- include/openssl/rand.h \
- include/openssl/ripemd.h \
- include/openssl/rsa.h \
- include/openssl/safestack.h \
- include/openssl/sha.h \
- include/openssl/ssl.h \
- include/openssl/ssl2.h \
- include/openssl/ssl23.h \
- include/openssl/ssl3.h \
- include/openssl/stack.h \
- include/openssl/symhacks.h \
- include/openssl/tls1.h \
- include/openssl/ui.h \
- include/openssl/ui_compat.h \
- include/openssl/x509.h \
- include/openssl/x509_vfy.h \
- include/openssl/x509v3.h \
-))
+# break symlinks after extracting tarball
+# note: escape \; because LO patched make 3.82 cuts off the command otherwise
+ifeq ($(OS_FOR_BUILD),WNT)
+$(eval $(call gb_UnpackedTarball_set_pre_action,openssl,\
+ cd include/openssl && \
+ for header in `find . -type l` \; do \
+ cp --remove-destination `readlink $$$$header` $$$$header \; \
+ done && cd -))
+endif
$(eval $(call gb_UnpackedTarball_add_patches,openssl,\
external/openssl/CVE-2013-6449.patch \
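Review bot: A failing `cp` inside the new pre-action loop is silently ignored, because a shell `for` loop returns the status of its last iteration only, so one header can stay a symlink (or end up missing) while the step still reports success. For headers of the bundled crypto library that is better caught at unpack time than later in the build; appending `|| exit 1` to the `cp --remove-destination` line makes the first failure abort the pre-action. The `find` and `readlink` expansions are also unquoted, which is fine for the current header names but would break on a path containing whitespace. The `ifeq` block is complete within this hunk.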
commit 7cf4c3986da46827aef10f4f820089bb590ee36f
Author: Michael Stahl <mstahl at redhat.com>
AuthorDate: Tue Apr 8 14:35:38 2014 +0200
Commit: Thorsten Behrens <Thorsten.Behrens at CIB.de>
CommitDate: Wed Aug 15 17:05:42 2018 +0200
openssl: fix WNT patch to apply
Change-Id: I31494d4314557672b7e3c2ff6846663fb9ed981a
diff --git a/external/openssl/opensslwnt.patch b/external/openssl/opensslwnt.patch
index b68e03715f2a..5be9c958a37a 100644
--- a/external/openssl/opensslwnt.patch
+++ b/external/openssl/opensslwnt.patch
@@ -96,7 +96,7 @@
--- misc/openssl-0.9.8v/util/pl/VC-32.pl 2010-02-04 02:10:24.000000000 +0100
+++ build/openssl-0.9.8v/util/pl/VC-32.pl 2010-03-26 12:04:20.977172300 +0100
@@ -32,7 +32,7 @@
- $l_flags =~ s/-L(\S+)/\/libpath:$1/g;
+ my $ff = "";
# C compiler stuff
-$cc='cl';
@@ -104,7 +104,7 @@
if ($FLAVOR =~ /WIN64/)
{
# Note that we currently don't have /WX on Win64! There is a lot of
-@@ -103,21 +103,21 @@
+@@ -103,22 +103,22 @@
}
$cc='$(CC)';
@@ -125,10 +125,11 @@
+ $base_cflags= " $mf_cflag";
- my $f = $shlib || $fips ?' /MD':' /MT';
- $lib_cflag='/Zl' if (!$shlib); # remove /DEFAULTLIBs from static lib
-- $opt_cflags=$f.' /Ox /O2 /Ob2';
-- $dbg_cflags=$f.'d /Od -DDEBUG -D_DEBUG';
+ my $f = $shlib || $fips ? (($ENV{MSVC_USE_DEBUG_RUNTIME} eq "TRUE") ? ' -MDd' : ' -MD' ):' -MT';
+ $lib_cflag='-Zl' if (!$shlib); # remove /DEFAULTLIBs from static lib
+ $ff = "/fixed";
+- $opt_cflags=$f.' /Ox /O2 /Ob2';
+- $dbg_cflags=$f.'d /Od -DDEBUG -D_DEBUG';
+ $opt_cflags=$f.' -Ox -O2 -Ob2';
+ $dbg_cflags=$f.'d -Od -DDEBUG -D_DEBUG';
$lflags="/nologo /subsystem:console /opt:ref";
commit 845acc32bad2b75e674acbe4280acaf31326a7e0
Author: Caolán McNamara <caolanm at redhat.com>
AuthorDate: Fri Oct 17 11:07:59 2014 +0100
Commit: Thorsten Behrens <Thorsten.Behrens at CIB.de>
CommitDate: Wed Aug 15 17:05:41 2018 +0200
CVE-2014-3566 (etc)
i.e. sync with fedora 20 openssl-1.0.1e security backports
Change-Id: I9e07d3aad7f0c7a3fd684d4e52b3b952cfb2f82d
Reviewed-on: https://gerrit.libreoffice.org/12003
Reviewed-by: Michael Stahl <mstahl at redhat.com>
Tested-by: Michael Stahl <mstahl at redhat.com>
diff --git a/external/openssl/CVE-2014-3505.patch b/external/openssl/CVE-2014-3505.patch
new file mode 100644
index 000000000000..69284d5fc230
--- /dev/null
+++ b/external/openssl/CVE-2014-3505.patch
@@ -0,0 +1,52 @@
+From 2172d4f63c61922487008f42511cc6bdae9b47a0 Mon Sep 17 00:00:00 2001
+From: Adam Langley <agl at imperialviolet.org>
+Date: Fri, 6 Jun 2014 14:19:21 -0700
+Subject: [PATCH] Avoid double free when processing DTLS packets.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The |item| variable, in both of these cases, may contain a pointer to a
+|pitem| structure within |s->d1->buffered_messages|. It was being freed
+in the error case while still being in |buffered_messages|. When the
+error later caused the |SSL*| to be destroyed, the item would be double
+freed.
+
+Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was
+inconsistent with the other error paths (but correct).
+
+Fixes CVE-2014-3505
+
+Reviewed-by: Matt Caswell <matt at openssl.org>
+Reviewed-by: Emilia Käsper <emilia at openssl.org>
+---
+ ssl/d1_both.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/ssl/d1_both.c b/ssl/d1_both.c
+index c1eb970..cdb83b6 100644
+--- a/a/ssl/d1_both.c
++++ b/b/ssl/d1_both.c
+@@ -693,8 +693,7 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
+ return DTLS1_HM_FRAGMENT_RETRY;
+
+ err:
+- if (frag != NULL) dtls1_hm_fragment_free(frag);
+- if (item != NULL) OPENSSL_free(item);
++ if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag);
+ *ok = 0;
+ return i;
+ }
+@@ -778,8 +777,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
+ return DTLS1_HM_FRAGMENT_RETRY;
+
+ err:
+- if ( frag != NULL) dtls1_hm_fragment_free(frag);
+- if ( item != NULL) OPENSSL_free(item);
++ if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag);
+ *ok = 0;
+ return i;
+ }
+--
+1.8.3.1
+
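Review bot: The new `err:` condition `frag != NULL && item == NULL` encodes an ownership rule that the code itself never states, in both `dtls1_reassemble_fragment` and `dtls1_process_out_of_seq_message`. According to the patch description, a non-NULL `item` means the fragment is still referenced from `s->d1->buffered_messages` and will be released when the `SSL` is destroyed. I would add a comment above each line, for example `/* frag is owned by the queue once item != NULL; only free a fragment that was never queued */`, so that a later edit to these error paths does not reintroduce the double free. Both function bodies start outside the hunks shown.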
diff --git a/external/openssl/CVE-2014-3506.patch b/external/openssl/CVE-2014-3506.patch
new file mode 100644
index 000000000000..45b87dc5f43c
--- /dev/null
+++ b/external/openssl/CVE-2014-3506.patch
@@ -0,0 +1,87 @@
+From fc7804ec392fcf8051abe6bc9da9108744d2ae35 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt at openssl.org>
+Date: Fri, 6 Jun 2014 14:25:52 -0700
+Subject: [PATCH] Fix DTLS handshake message size checks.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In |dtls1_reassemble_fragment|, the value of
+|msg_hdr->frag_off+frag_len| was being checked against the maximum
+handshake message size, but then |msg_len| bytes were allocated for the
+fragment buffer. This means that so long as the fragment was within the
+allowed size, the pending handshake message could consume 16MB + 2MB
+(for the reassembly bitmap). Approx 10 outstanding handshake messages
+are allowed, meaning that an attacker could consume ~180MB per DTLS
+connection.
+
+In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no
+check was applied.
+
+Fixes CVE-2014-3506
+
+Wholly based on patch by Adam Langley with one minor amendment.
+
+Reviewed-by: Emilia Käsper <emilia at openssl.org>
+---
+ ssl/d1_both.c | 29 ++++++++++++++++-------------
+ 1 file changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/ssl/d1_both.c b/ssl/d1_both.c
+index 6559dfc..b9e15df 100644
+--- a/a/ssl/d1_both.c
++++ b/b/ssl/d1_both.c
+@@ -587,6 +587,16 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
+ return 0;
+ }
+
++/* dtls1_max_handshake_message_len returns the maximum number of bytes
++ * permitted in a DTLS handshake message for |s|. The minimum is 16KB, but may
++ * be greater if the maximum certificate list size requires it. */
++static unsigned long dtls1_max_handshake_message_len(const SSL *s)
++ {
++ unsigned long max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;
++ if (max_len < (unsigned long)s->max_cert_list)
++ return s->max_cert_list;
++ return max_len;
++ }
+
+ static int
+ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
+@@ -595,20 +605,10 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
+ pitem *item = NULL;
+ int i = -1, is_complete;
+ unsigned char seq64be[8];
+- unsigned long frag_len = msg_hdr->frag_len, max_len;
+-
+- if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
+- goto err;
+-
+- /* Determine maximum allowed message size. Depends on (user set)
+- * maximum certificate length, but 16k is minimum.
+- */
+- if (DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH < s->max_cert_list)
+- max_len = s->max_cert_list;
+- else
+- max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;
++ unsigned long frag_len = msg_hdr->frag_len;
+
+- if ((msg_hdr->frag_off+frag_len) > max_len)
++ if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len ||
++ msg_hdr->msg_len > dtls1_max_handshake_message_len(s))
+ goto err;
+
+ /* Try to find item in queue */
+@@ -749,6 +749,9 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
+ if (frag_len && frag_len < msg_hdr->msg_len)
+ return dtls1_reassemble_fragment(s, msg_hdr, ok);
+
++ if (frag_len > dtls1_max_handshake_message_len(s))
++ goto err;
++
+ frag = dtls1_hm_fragment_new(frag_len, 0);
+ if ( frag == NULL)
+ goto err;
+--
+1.8.3.1
+
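Review bot: In `dtls1_max_handshake_message_len` the cast `(unsigned long)s->max_cert_list` suggests the field is a signed type, and a negative value would then compare as very large and be returned as the limit, which effectively disables the size check this patch introduces. The value is set by the application rather than the peer, so this is a robustness gap, not a reachable flaw as far as the hunk shows. Guarding the comparison, `if (s->max_cert_list > 0 && max_len < (unsigned long)s->max_cert_list)`, keeps the 16KB-based floor in that case. The field's declaration is outside the hunk, so the type should be confirmed.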
diff --git a/external/openssl/CVE-2014-3507.patch b/external/openssl/CVE-2014-3507.patch
new file mode 100644
index 000000000000..4ea0b69ab21a
--- /dev/null
+++ b/external/openssl/CVE-2014-3507.patch
@@ -0,0 +1,53 @@
+diff -up openssl-1.0.1e/ssl/d1_both.c.dtls-memleak openssl-1.0.1e/ssl/d1_both.c
+--- a/a/ssl/d1_both.c.dtls-memleak 2014-08-07 17:51:18.457493922 +0200
++++ b/b/ssl/d1_both.c 2014-08-07 17:58:28.478558785 +0200
+@@ -610,6 +610,9 @@ dtls1_reassemble_fragment(SSL *s, struct
+ msg_hdr->msg_len > dtls1_max_handshake_message_len(s))
+ goto err;
+
++ if (frag_len == 0)
++ return DTLS1_HM_FRAGMENT_RETRY;
++
+ /* Try to find item in queue */
+ memset(seq64be,0,sizeof(seq64be));
+ seq64be[6] = (unsigned char) (msg_hdr->seq>>8);
+@@ -686,7 +689,12 @@ dtls1_reassemble_fragment(SSL *s, struct
+ i = -1;
+ }
+
+- pqueue_insert(s->d1->buffered_messages, item);
++ item = pqueue_insert(s->d1->buffered_messages, item);
++ /* pqueue_insert fails iff a duplicate item is inserted.
++ * However, |item| cannot be a duplicate. If it were,
++ * |pqueue_find|, above, would have returned it and control
++ * would never have reached this branch. */
++ OPENSSL_assert(item != NULL);
+ }
+
+ return DTLS1_HM_FRAGMENT_RETRY;
+@@ -744,7 +752,7 @@ dtls1_process_out_of_seq_message(SSL *s,
+ }
+ else
+ {
+- if (frag_len && frag_len < msg_hdr->msg_len)
++ if (frag_len < msg_hdr->msg_len)
+ return dtls1_reassemble_fragment(s, msg_hdr, ok);
+
+ if (frag_len > dtls1_max_handshake_message_len(s))
+@@ -773,7 +781,15 @@ dtls1_process_out_of_seq_message(SSL *s,
+ if ( item == NULL)
+ goto err;
+
+- pqueue_insert(s->d1->buffered_messages, item);
++ item = pqueue_insert(s->d1->buffered_messages, item);
++ /* pqueue_insert fails iff a duplicate item is inserted.
++ * However, |item| cannot be a duplicate. If it were,
++ * |pqueue_find|, above, would have returned it. Then, either
++ * |frag_len| != |msg_hdr->msg_len| in which case |item| is set
++ * to NULL and it will have been processed with
++ * |dtls1_reassemble_fragment|, above, or the record will have
++ * been discarded. */
++ OPENSSL_assert(item != NULL);
+ }
+
+ return DTLS1_HM_FRAGMENT_RETRY;
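Review bot: Both added `OPENSSL_assert(item != NULL)` calls make a failed `pqueue_insert` terminate the host process, and because the return value is assigned back to `item` first, the original `pitem` can no longer be released on that path. The comments argue the duplicate case cannot occur, but that depends on the `pqueue_find` logic earlier in each function, which lies outside these hunks. As far as I know `OPENSSL_assert` stays active in release builds, so if a later change breaks the invariant the failure mode is an abort of the embedding application. It would help to say so in the comment, e.g. `/* invariant; a violation aborts the process rather than returning an error */`, or to keep the result in a separate variable and `goto err` instead.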
diff --git a/external/openssl/CVE-2014-3508.patch b/external/openssl/CVE-2014-3508.patch
new file mode 100644
index 000000000000..513608d44b98
--- /dev/null
+++ b/external/openssl/CVE-2014-3508.patch
@@ -0,0 +1,138 @@
+From 03b04ddac162c7b7fa3c57eadccc5a583a00d291 Mon Sep 17 00:00:00 2001
+From: Emilia Kasper <emilia at openssl.org>
+Date: Wed, 2 Jul 2014 19:02:33 +0200
+Subject: [PATCH] Fix OID handling:
+
+- Upon parsing, reject OIDs with invalid base-128 encoding.
+- Always NUL-terminate the destination buffer in OBJ_obj2txt printing function.
+
+CVE-2014-3508
+
+Reviewed-by: Dr. Stephen Henson <steve at openssl.org>
+Reviewed-by: Kurt Roeckx <kurt at openssl.org>
+Reviewed-by: Tim Hudson <tjh at openssl.org>
+---
+ crypto/asn1/a_object.c | 30 +++++++++++++++++++++---------
+ crypto/objects/obj_dat.c | 16 +++++++++-------
+ 2 files changed, 30 insertions(+), 16 deletions(-)
+
+diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c
+index 3978c91..77b2768 100644
+--- a/a/crypto/asn1/a_object.c
++++ b/b/crypto/asn1/a_object.c
+@@ -283,17 +283,29 @@ err:
+ ASN1err(ASN1_F_D2I_ASN1_OBJECT,i);
+ return(NULL);
+ }
++
+ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
+ long len)
+ {
+ ASN1_OBJECT *ret=NULL;
+ const unsigned char *p;
+ unsigned char *data;
+- int i;
+- /* Sanity check OID encoding: can't have leading 0x80 in
+- * subidentifiers, see: X.690 8.19.2
++ int i, length;
++
++ /* Sanity check OID encoding.
++ * Need at least one content octet.
++ * MSB must be clear in the last octet.
++ * can't have leading 0x80 in subidentifiers, see: X.690 8.19.2
+ */
+- for (i = 0, p = *pp; i < len; i++, p++)
++ if (len <= 0 || len > INT_MAX || pp == NULL || (p = *pp) == NULL ||
++ p[len - 1] & 0x80)
++ {
++ ASN1err(ASN1_F_C2I_ASN1_OBJECT,ASN1_R_INVALID_OBJECT_ENCODING);
++ return NULL;
++ }
++ /* Now 0 < len <= INT_MAX, so the cast is safe. */
++ length = (int)len;
++ for (i = 0; i < length; i++, p++)
+ {
+ if (*p == 0x80 && (!i || !(p[-1] & 0x80)))
+ {
+@@ -316,23 +328,23 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
+ data = (unsigned char *)ret->data;
+ ret->data = NULL;
+ /* once detached we can change it */
+- if ((data == NULL) || (ret->length < len))
++ if ((data == NULL) || (ret->length < length))
+ {
+ ret->length=0;
+ if (data != NULL) OPENSSL_free(data);
+- data=(unsigned char *)OPENSSL_malloc(len ? (int)len : 1);
++ data=(unsigned char *)OPENSSL_malloc(length);
+ if (data == NULL)
+ { i=ERR_R_MALLOC_FAILURE; goto err; }
+ ret->flags|=ASN1_OBJECT_FLAG_DYNAMIC_DATA;
+ }
+- memcpy(data,p,(int)len);
++ memcpy(data,p,length);
+ /* reattach data to object, after which it remains const */
+ ret->data =data;
+- ret->length=(int)len;
++ ret->length=length;
+ ret->sn=NULL;
+ ret->ln=NULL;
+ /* ret->flags=ASN1_OBJECT_FLAG_DYNAMIC; we know it is dynamic */
+- p+=len;
++ p+=length;
+
+ if (a != NULL) (*a)=ret;
+ *pp=p;
+diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
+index 8a342ba..0b2f442 100644
+--- a/a/crypto/objects/obj_dat.c
++++ b/b/crypto/objects/obj_dat.c
+@@ -471,11 +471,12 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
+ const unsigned char *p;
+ char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2];
+
+- if ((a == NULL) || (a->data == NULL)) {
+- buf[0]='\0';
+- return(0);
+- }
++ /* Ensure that, at every state, |buf| is NUL-terminated. */
++ if (buf && buf_len > 0)
++ buf[0] = '\0';
+
++ if ((a == NULL) || (a->data == NULL))
++ return(0);
+
+ if (!no_name && (nid=OBJ_obj2nid(a)) != NID_undef)
+ {
+@@ -554,9 +555,10 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
+ i=(int)(l/40);
+ l-=(long)(i*40);
+ }
+- if (buf && (buf_len > 0))
++ if (buf && (buf_len > 1))
+ {
+ *buf++ = i + '0';
++ *buf = '\0';
+ buf_len--;
+ }
+ n++;
+@@ -571,9 +573,10 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
+ i = strlen(bndec);
+ if (buf)
+ {
+- if (buf_len > 0)
++ if (buf_len > 1)
+ {
+ *buf++ = '.';
++ *buf = '\0';
+ buf_len--;
+ }
+ BUF_strlcpy(buf,bndec,buf_len);
+@@ -807,4 +810,3 @@ err:
+ OPENSSL_free(buf);
+ return(ok);
+ }
+-
+--
+1.8.3.1
+
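Review bot: In the `OBJ_obj2txt` hunks the stores are now guarded by `buf_len > 1`, but `n++` still runs outside that guard, so the running count keeps growing after the buffer is full. If `n` is what the function returns (the return statement is outside the hunk), callers have to treat a result of `buf_len` or more as truncation rather than as the length of the string in `buf`. That contract is not written down anywhere in the visible code; a comment next to the new NUL-termination line, such as `/* n counts every character produced, including those that did not fit in buf */`, would document it.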
diff --git a/external/openssl/CVE-2014-3509.patch b/external/openssl/CVE-2014-3509.patch
new file mode 100644
index 000000000000..45c94624f177
--- /dev/null
+++ b/external/openssl/CVE-2014-3509.patch
@@ -0,0 +1,45 @@
+From 86788e1ee6908a5b3a4c95fa80caa4b724a8a434 Mon Sep 17 00:00:00 2001
+From: Gabor Tyukasz <Gabor.Tyukasz at logmein.com>
+Date: Wed, 23 Jul 2014 23:42:06 +0200
+Subject: [PATCH] Fix race condition in ssl_parse_serverhello_tlsext
+
+CVE-2014-3509
+Reviewed-by: Tim Hudson <tjh at openssl.org>
+Reviewed-by: Dr. Stephen Henson <steve at openssl.org>
+---
+ ssl/t1_lib.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index 8167a51..022a4fb 100644
+--- a/a/ssl/t1_lib.c
++++ b/b/ssl/t1_lib.c
+@@ -1555,15 +1555,18 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
+ *al = TLS1_AD_DECODE_ERROR;
+ return 0;
+ }
+- s->session->tlsext_ecpointformatlist_length = 0;
+- if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
+- if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
++ if (!s->hit)
+ {
+- *al = TLS1_AD_INTERNAL_ERROR;
+- return 0;
++ s->session->tlsext_ecpointformatlist_length = 0;
++ if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
++ if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
++ {
++ *al = TLS1_AD_INTERNAL_ERROR;
++ return 0;
++ }
++ s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
++ memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
+ }
+- s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
+- memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
+ #if 0
+ fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
+ sdata = s->session->tlsext_ecpointformatlist;
+--
+1.8.3.1
+
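Review bot: The new `if (!s->hit)` guard has no comment saying why a resumed handshake must skip the copy, and the patch subject only says "race condition". `s->hit` is the session-reused flag (ssl2_ctrl returns it for SSL_CTRL_GET_SESSION_REUSED in context shown elsewhere in this series), so the intent is presumably that a resumed `s->session` can be shared with other connections and must not be freed and reallocated here. A comment above the guard would record that, e.g. `/* Resumed session: s->session may be shared, so leave its ecpointformatlist untouched. */`. ssl_parse_serverhello_tlsext starts and ends outside the hunk.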
diff --git a/external/openssl/CVE-2014-3510.patch b/external/openssl/CVE-2014-3510.patch
new file mode 100644
index 000000000000..5cdc5d79bcf4
--- /dev/null
+++ b/external/openssl/CVE-2014-3510.patch
@@ -0,0 +1,86 @@
+From 88ae012c8092852f03c50f6461175271104b4c8a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Emilia=20K=C3=A4sper?= <emilia at openssl.org>
+Date: Thu, 24 Jul 2014 22:15:29 +0200
+Subject: [PATCH] Fix DTLS anonymous EC(DH) denial of service
+
+CVE-2014-3510
+
+Reviewed-by: Dr. Stephen Henson <steve at openssl.org>
+---
+ ssl/d1_clnt.c | 23 +++++++++++++++++++++--
+ ssl/s3_clnt.c | 7 +++++++
+ 2 files changed, 28 insertions(+), 2 deletions(-)
+
+diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
+index 65dbb4a..fd6562c 100644
+--- a/a/ssl/d1_clnt.c
++++ b/b/ssl/d1_clnt.c
+@@ -996,6 +996,13 @@ int dtls1_send_client_key_exchange(SSL *s)
+ RSA *rsa;
+ unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
+
++ if (s->session->sess_cert == NULL)
++ {
++ /* We should always have a server certificate with SSL_kRSA. */
++ SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
++ goto err;
++ }
++
+ if (s->session->sess_cert->peer_rsa_tmp != NULL)
+ rsa=s->session->sess_cert->peer_rsa_tmp;
+ else
+@@ -1186,6 +1193,13 @@ int dtls1_send_client_key_exchange(SSL *s)
+ {
+ DH *dh_srvr,*dh_clnt;
+
++ if (s->session->sess_cert == NULL)
++ {
++ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
++ SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
++ goto err;
++ }
++
+ if (s->session->sess_cert->peer_dh_tmp != NULL)
+ dh_srvr=s->session->sess_cert->peer_dh_tmp;
+ else
+@@ -1245,6 +1259,13 @@ int dtls1_send_client_key_exchange(SSL *s)
+ int ecdh_clnt_cert = 0;
+ int field_size = 0;
+
++ if (s->session->sess_cert == NULL)
++ {
++ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
++ SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
++ goto err;
++ }
++
+ /* Did we send out the client's
+ * ECDH share for use in premaster
+ * computation as part of client certificate?
+@@ -1720,5 +1741,3 @@ int dtls1_send_client_certificate(SSL *s)
+ /* SSL3_ST_CW_CERT_D */
+ return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
+ }
+-
+-
+diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
+index 2afb892..df05f78 100644
+--- a/a/ssl/s3_clnt.c
++++ b/b/ssl/s3_clnt.c
+@@ -2253,6 +2253,13 @@ int ssl3_send_client_key_exchange(SSL *s)
+ RSA *rsa;
+ unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
+
++ if (s->session->sess_cert == NULL)
++ {
++ /* We should always have a server certificate with SSL_kRSA. */
++ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
++ goto err;
++ }
++
+ if (s->session->sess_cert->peer_rsa_tmp != NULL)
+ rsa=s->session->sess_cert->peer_rsa_tmp;
+ else
+--
+1.8.3.1
+
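Review bot: The s3_clnt.c section adds the `s->session->sess_cert == NULL` guard only to the RSA branch of ssl3_send_client_key_exchange, while the d1_clnt.c sections guard the RSA, DH and ECDH branches of the DTLS function. The TLS-side DH and ECDH branches lie outside this hunk, so whether they already check `sess_cert` cannot be confirmed from here; presumably the 1.0.1e base and CVE-2014-3470.patch, listed earlier in the series, cover them. If either branch is unguarded in the unpacked tree, it needs the same check as the DTLS branches, with `SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE` as the function code.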
diff --git a/external/openssl/CVE-2014-3511.patch b/external/openssl/CVE-2014-3511.patch
new file mode 100644
index 000000000000..4b5b9c6a150f
--- /dev/null
+++ b/external/openssl/CVE-2014-3511.patch
@@ -0,0 +1,85 @@
+From fc4f4cdb8bf9981904e652abf69b892a45bddacf Mon Sep 17 00:00:00 2001
+From: David Benjamin <davidben at google.com>
+Date: Wed, 23 Jul 2014 22:32:21 +0200
+Subject: [PATCH] Fix protocol downgrade bug in case of fragmented packets
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2014-3511
+
+Reviewed-by: Emilia Käsper <emilia at openssl.org>
+Reviewed-by: Bodo Möller <bodo at openssl.org>
+---
+ ssl/s23_srvr.c | 30 +++++++++++++++++++++++-------
+ 1 file changed, 23 insertions(+), 7 deletions(-)
+
+diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
+index 4877849..2901a6b 100644
+--- a/a/ssl/s23_srvr.c
++++ b/b/ssl/s23_srvr.c
+@@ -348,23 +348,19 @@ int ssl23_get_client_hello(SSL *s)
+ * Client Hello message, this would be difficult, and we'd have
+ * to read more records to find out.
+ * No known SSL 3.0 client fragments ClientHello like this,
+- * so we simply assume TLS 1.0 to avoid protocol version downgrade
+- * attacks. */
++ * so we simply reject such connections to avoid
++ * protocol version downgrade attacks. */
+ if (p[3] == 0 && p[4] < 6)
+ {
+-#if 0
+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_SMALL);
+ goto err;
+-#else
+- v[1] = TLS1_VERSION_MINOR;
+-#endif
+ }
+ /* if major version number > 3 set minor to a value
+ * which will use the highest version 3 we support.
+ * If TLS 2.0 ever appears we will need to revise
+ * this....
+ */
+- else if (p[9] > SSL3_VERSION_MAJOR)
++ if (p[9] > SSL3_VERSION_MAJOR)
+ v[1]=0xff;
+ else
+ v[1]=p[10]; /* minor version according to client_version */
+@@ -444,14 +440,34 @@ int ssl23_get_client_hello(SSL *s)
+ v[0] = p[3]; /* == SSL3_VERSION_MAJOR */
+ v[1] = p[4];
+
++ /* An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
++ * header is sent directly on the wire, not wrapped as a TLS
++ * record. It's format is:
++ * Byte Content
++ * 0-1 msg_length
++ * 2 msg_type
++ * 3-4 version
++ * 5-6 cipher_spec_length
++ * 7-8 session_id_length
++ * 9-10 challenge_length
++ * ... ...
++ */
+ n=((p[0]&0x7f)<<8)|p[1];
+ if (n > (1024*4))
+ {
+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_LARGE);
+ goto err;
+ }
++ if (n < 9)
++ {
++ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_LENGTH_MISMATCH);
++ goto err;
++ }
+
+ j=ssl23_read_bytes(s,n+2);
++ /* We previously read 11 bytes, so if j > 0, we must have
++ * j == n+2 == s->packet_length. We have at least 11 valid
++ * packet bytes. */
+ if (j <= 0) return(j);
+
+ ssl3_finish_mac(s, s->packet+2, s->packet_length-2);
+--
+1.8.3.1
+
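Review bot: The new `if (n < 9)` check in the second ssl23_get_client_hello hunk uses a bare constant whose origin is only implied by the byte table added above it. Going by that table, 9 is the fixed part after the 2-byte msg_length: msg_type (1), version (2) and three 2-byte length fields. A short comment on the check would make that verifiable, e.g. `/* 9 = msg_type + version + cipher_spec/session_id/challenge lengths; n excludes msg_length */`. The same added comment block reads "It's format is", which should be "Its format is". The function starts and ends outside the hunk.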
diff --git a/external/openssl/CVE-2014-3513.patch b/external/openssl/CVE-2014-3513.patch
new file mode 100644
index 000000000000..96d4584c38ea
--- /dev/null
+++ b/external/openssl/CVE-2014-3513.patch
@@ -0,0 +1,186 @@
+diff -up openssl-1.0.1e/ssl/d1_srtp.c.srtp-leak openssl-1.0.1e/ssl/d1_srtp.c
+--- a/a/ssl/d1_srtp.c.srtp-leak 2013-02-11 16:26:04.000000000 +0100
++++ b/b/ssl/d1_srtp.c 2014-10-15 13:23:34.253040160 +0200
+@@ -168,25 +168,6 @@ static int find_profile_by_name(char *pr
+ return 1;
+ }
+
+-static int find_profile_by_num(unsigned profile_num,
+- SRTP_PROTECTION_PROFILE **pptr)
+- {
+- SRTP_PROTECTION_PROFILE *p;
+-
+- p=srtp_known_profiles;
+- while(p->name)
+- {
+- if(p->id == profile_num)
+- {
+- *pptr=p;
+- return 0;
+- }
+- p++;
+- }
+-
+- return 1;
+- }
+-
+ static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTECTION_PROFILE) **out)
+ {
+ STACK_OF(SRTP_PROTECTION_PROFILE) *profiles;
+@@ -209,11 +190,19 @@ static int ssl_ctx_make_profiles(const c
+ if(!find_profile_by_name(ptr,&p,
+ col ? col-ptr : (int)strlen(ptr)))
+ {
++ if (sk_SRTP_PROTECTION_PROFILE_find(profiles,p) >= 0)
++ {
++ SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
++ sk_SRTP_PROTECTION_PROFILE_free(profiles);
++ return 1;
++ }
++
+ sk_SRTP_PROTECTION_PROFILE_push(profiles,p);
+ }
+ else
+ {
+ SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE);
++ sk_SRTP_PROTECTION_PROFILE_free(profiles);
+ return 1;
+ }
+
+@@ -305,13 +294,12 @@ int ssl_add_clienthello_use_srtp_ext(SSL
+
+ int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al)
+ {
+- SRTP_PROTECTION_PROFILE *cprof,*sprof;
+- STACK_OF(SRTP_PROTECTION_PROFILE) *clnt=0,*srvr;
++ SRTP_PROTECTION_PROFILE *sprof;
++ STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
+ int ct;
+ int mki_len;
+- int i,j;
+- int id;
+- int ret;
++ int i, srtp_pref;
++ unsigned int id;
+
+ /* Length value + the MKI length */
+ if(len < 3)
+@@ -341,22 +329,32 @@ int ssl_parse_clienthello_use_srtp_ext(S
+ return 1;
+ }
+
++ srvr=SSL_get_srtp_profiles(s);
++ s->srtp_profile = NULL;
++ /* Search all profiles for a match initially */
++ srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
+
+- clnt=sk_SRTP_PROTECTION_PROFILE_new_null();
+-
+ while(ct)
+ {
+ n2s(d,id);
+ ct-=2;
+ len-=2;
+
+- if(!find_profile_by_num(id,&cprof))
++ /*
++ * Only look for match in profiles of higher preference than
++ * current match.
++ * If no profiles have been have been configured then this
++ * does nothing.
++ */
++ for (i = 0; i < srtp_pref; i++)
+ {
+- sk_SRTP_PROTECTION_PROFILE_push(clnt,cprof);
+- }
+- else
+- {
+- ; /* Ignore */
++ sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
++ if (sprof->id == id)
++ {
++ s->srtp_profile = sprof;
++ srtp_pref = i;
++ break;
++ }
+ }
+ }
+
+@@ -371,36 +369,7 @@ int ssl_parse_clienthello_use_srtp_ext(S
+ return 1;
+ }
+
+- srvr=SSL_get_srtp_profiles(s);
+-
+- /* Pick our most preferred profile. If no profiles have been
+- configured then the outer loop doesn't run
+- (sk_SRTP_PROTECTION_PROFILE_num() = -1)
+- and so we just return without doing anything */
+- for(i=0;i<sk_SRTP_PROTECTION_PROFILE_num(srvr);i++)
+- {
+- sprof=sk_SRTP_PROTECTION_PROFILE_value(srvr,i);
+-
+- for(j=0;j<sk_SRTP_PROTECTION_PROFILE_num(clnt);j++)
+- {
+- cprof=sk_SRTP_PROTECTION_PROFILE_value(clnt,j);
+-
+- if(cprof->id==sprof->id)
+- {
+- s->srtp_profile=sprof;
+- *al=0;
+- ret=0;
+- goto done;
+- }
+- }
+- }
+-
+- ret=0;
+-
+-done:
+- if(clnt) sk_SRTP_PROTECTION_PROFILE_free(clnt);
+-
+- return ret;
++ return 0;
+ }
+
+ int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen)
+diff -up openssl-1.0.1e/ssl/t1_lib.c.srtp-leak openssl-1.0.1e/ssl/t1_lib.c
+--- a/a/ssl/t1_lib.c.srtp-leak 2014-10-15 13:19:59.955202293 +0200
++++ b/b/ssl/t1_lib.c 2014-10-15 13:23:34.254040182 +0200
+@@ -696,7 +696,7 @@ unsigned char *ssl_add_clienthello_tlsex
+ #endif
+
+ #ifndef OPENSSL_NO_SRTP
+- if(SSL_get_srtp_profiles(s))
++ if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s))
+ {
+ int el;
+
+@@ -829,7 +829,7 @@ unsigned char *ssl_add_serverhello_tlsex
+ #endif
+
+ #ifndef OPENSSL_NO_SRTP
+- if(s->srtp_profile)
++ if(SSL_IS_DTLS(s) && s->srtp_profile)
+ {
+ int el;
+
+@@ -1377,7 +1377,8 @@ int ssl_parse_clienthello_tlsext(SSL *s,
+
+ /* session ticket processed earlier */
+ #ifndef OPENSSL_NO_SRTP
+- else if (type == TLSEXT_TYPE_use_srtp)
++ else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
++ && type == TLSEXT_TYPE_use_srtp)
+ {
+ if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
+ al))
+@@ -1631,7 +1632,7 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ }
+ #endif
+ #ifndef OPENSSL_NO_SRTP
+- else if (type == TLSEXT_TYPE_use_srtp)
++ else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp)
+ {
+ if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
+ al))
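Review bot: This patch file has no origin header. CVE-2014-3509.patch, CVE-2014-3510.patch and CVE-2014-3511.patch keep the upstream `From <commit>` and `Subject:` lines, but this one starts directly at `diff -up openssl-1.0.1e/ssl/d1_srtp.c.srtp-leak`, so a later maintainer cannot tell which upstream change or distribution backport it mirrors. CVE-2014-3566.patch and CVE-2014-3567.patch have the same gap. A short leading description would fix that, e.g. `Backport of the fix for CVE-2014-3513 (SRTP memory leak) to openssl-1.0.1e; origin: <upstream commit or distro package>`; patch(1) skips text before the first file header.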
diff --git a/external/openssl/CVE-2014-3566.patch b/external/openssl/CVE-2014-3566.patch
new file mode 100644
index 000000000000..c9b37a7c08fa
--- /dev/null
+++ b/external/openssl/CVE-2014-3566.patch
@@ -0,0 +1,466 @@
+diff -up openssl-1.0.1e/apps/s_client.c.fallback-scsv openssl-1.0.1e/apps/s_client.c
+--- a/a/apps/s_client.c.fallback-scsv 2014-10-15 17:06:01.000000000 +0200
++++ b/b/apps/s_client.c 2014-10-15 17:07:36.392502320 +0200
+@@ -336,6 +336,7 @@ static void sc_usage(void)
+ BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n");
+ BIO_printf(bio_err," -tls1 - just use TLSv1\n");
+ BIO_printf(bio_err," -dtls1 - just use DTLSv1\n");
++ BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n");
+ BIO_printf(bio_err," -mtu - set the link layer MTU\n");
+ BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
+ BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n");
+@@ -616,6 +617,7 @@ int MAIN(int argc, char **argv)
+ char *sess_out = NULL;
+ struct sockaddr peer;
+ int peerlen = sizeof(peer);
++ int fallback_scsv = 0;
+ int enable_timeouts = 0 ;
+ long socket_mtu = 0;
+ #ifndef OPENSSL_NO_JPAKE
+@@ -829,6 +831,10 @@ int MAIN(int argc, char **argv)
+ socket_mtu = atol(*(++argv));
+ }
+ #endif
++ else if (strcmp(*argv,"-fallback_scsv") == 0)
++ {
++ fallback_scsv = 1;
++ }
+ else if (strcmp(*argv,"-bugs") == 0)
+ bugs=1;
+ else if (strcmp(*argv,"-keyform") == 0)
+@@ -1240,6 +1246,10 @@ bad:
+ SSL_set_session(con, sess);
+ SSL_SESSION_free(sess);
+ }
++
++ if (fallback_scsv)
++ SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV);
++
+ #ifndef OPENSSL_NO_TLSEXT
+ if (servername != NULL)
+ {
+diff -up openssl-1.0.1e/doc/apps/s_client.pod.fallback-scsv openssl-1.0.1e/doc/apps/s_client.pod
+--- a/a/doc/apps/s_client.pod.fallback-scsv 2014-10-15 17:06:01.000000000 +0200
++++ b/b/doc/apps/s_client.pod 2014-10-15 17:08:17.354427053 +0200
+@@ -34,6 +34,7 @@
+ [B<-no_ssl2>]
+ [B<-no_ssl3>]
+ [B<-no_tls1>]
++[B<-fallback_scsv>]
+ [B<-bugs>]
+ [B<-cipher cipherlist>]
+ [B<-starttls protocol>]
+@@ -187,6 +188,10 @@
+ work if TLS is turned off with the B<-no_tls> option others will only
+ support SSL v2 and may need the B<-ssl2> option.
+
++=item B<-fallback_scsv>
++
++Send TLS_FALLBACK_SCSV in the ClientHello.
++
+ =item B<-bugs>
+
+ there are several known bug in SSL and TLS implementations. Adding this
+diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_mode.pod.fallback-scsv openssl-1.0.1e/doc/ssl/SSL_CTX_set_mode.pod
+--- a/a/doc/ssl/SSL_CTX_set_mode.pod.fallback-scsv 2013-02-11 16:26:04.000000000 +0100
++++ b/b/doc/ssl/SSL_CTX_set_mode.pod 2014-10-15 17:09:57.577689637 +0200
+@@ -71,6 +71,12 @@ SSL_CTX->freelist_max_len, which default
+ save around 34k per idle SSL connection.
+ This flag has no effect on SSL v2 connections, or on DTLS connections.
+
++=item SSL_MODE_SEND_FALLBACK_SCSV
++
++Send TLS_FALLBACK_SCSV in the ClientHello.
++To be set by applications that reconnect with a downgraded protocol
++version; see draft-ietf-tls-downgrade-scsv-00 for details.
++
+ =back
+
+ =head1 RETURN VALUES
+diff -up openssl-1.0.1e/ssl/dtls1.h.fallback-scsv openssl-1.0.1e/ssl/dtls1.h
+--- a/a/ssl/dtls1.h.fallback-scsv 2014-10-15 14:39:30.862907615 +0200
++++ b/b/ssl/dtls1.h 2014-10-15 14:39:30.973910121 +0200
+@@ -84,6 +84,8 @@ extern "C" {
+ #endif
+
+ #define DTLS1_VERSION 0xFEFF
++#define DTLS_MAX_VERSION DTLS1_VERSION
++
+ #define DTLS1_BAD_VER 0x0100
+
+ #if 0
+@@ -284,4 +286,3 @@ typedef struct dtls1_record_data_st
+ }
+ #endif
+ #endif
+-
+diff -up openssl-1.0.1e/ssl/d1_lib.c.fallback-scsv openssl-1.0.1e/ssl/d1_lib.c
+--- a/a/ssl/d1_lib.c.fallback-scsv 2014-10-15 14:39:30.911908721 +0200
++++ b/b/ssl/d1_lib.c 2014-10-15 14:39:30.973910121 +0200
+@@ -263,6 +263,16 @@ long dtls1_ctrl(SSL *s, int cmd, long la
+ case DTLS_CTRL_LISTEN:
+ ret = dtls1_listen(s, parg);
+ break;
++ case SSL_CTRL_CHECK_PROTO_VERSION:
++ /* For library-internal use; checks that the current protocol
++ * is the highest enabled version (according to s->ctx->method,
++ * as version negotiation may have changed s->method). */
++#if DTLS_MAX_VERSION != DTLS1_VERSION
++# error Code needs update for DTLS_method() support beyond DTLS1_VERSION.
++#endif
++ /* Just one protocol version is supported so far;
++ * fail closed if the version is not as expected. */
++ return s->version == DTLS_MAX_VERSION;
+
+ default:
+ ret = ssl3_ctrl(s, cmd, larg, parg);
+diff -up openssl-1.0.1e/ssl/ssl_err.c.fallback-scsv openssl-1.0.1e/ssl/ssl_err.c
+--- a/a/ssl/ssl_err.c.fallback-scsv 2013-02-11 16:26:04.000000000 +0100
++++ b/b/ssl/ssl_err.c 2014-10-15 14:39:30.973910121 +0200
+@@ -382,6 +382,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
+ {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) ,"https proxy request"},
+ {ERR_REASON(SSL_R_HTTP_REQUEST) ,"http request"},
+ {ERR_REASON(SSL_R_ILLEGAL_PADDING) ,"illegal padding"},
++{ERR_REASON(SSL_R_INAPPROPRIATE_FALLBACK),"inappropriate fallback"},
+ {ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION),"inconsistent compression"},
+ {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"},
+ {ERR_REASON(SSL_R_INVALID_COMMAND) ,"invalid command"},
+@@ -528,6 +529,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
+ {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED),"tlsv1 alert decryption failed"},
+ {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),"tlsv1 alert decrypt error"},
+ {ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),"tlsv1 alert export restriction"},
++{ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK),"tlsv1 alert inappropriate fallback"},
+ {ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY),"tlsv1 alert insufficient security"},
+ {ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR),"tlsv1 alert internal error"},
+ {ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION),"tlsv1 alert no renegotiation"},
+diff -up openssl-1.0.1e/ssl/ssl.h.fallback-scsv openssl-1.0.1e/ssl/ssl.h
+--- a/a/ssl/ssl.h.fallback-scsv 2014-10-15 14:39:30.940909375 +0200
++++ b/b/ssl/ssl.h 2014-10-15 14:41:46.174962343 +0200
+@@ -641,6 +641,10 @@
+ * TLS only.) "Released" buffers are put onto a free-list in the context
+ * or just freed (depending on the context's setting for freelist_max_len). */
+ #define SSL_MODE_RELEASE_BUFFERS 0x00000010L
++/* Send TLS_FALLBACK_SCSV in the ClientHello.
++ * To be set by applications that reconnect with a downgraded protocol
++ * version; see draft-ietf-tls-downgrade-scsv-00 for details. */
++#define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L
+
+ /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
+ * they cannot be used to clear bits. */
+@@ -1499,6 +1503,7 @@
+ #define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE
+ #define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE
+ #define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */
++#define SSL_AD_INAPPROPRIATE_FALLBACK TLS1_AD_INAPPROPRIATE_FALLBACK /* fatal */
+
+ #define SSL_ERROR_NONE 0
+ #define SSL_ERROR_SSL 1
+@@ -1609,6 +1614,8 @@
+ #define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82
+ #define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83
+
++#define SSL_CTRL_CHECK_PROTO_VERSION 119
++
+ #define DTLSv1_get_timeout(ssl, arg) \
+ SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
+ #define DTLSv1_handle_timeout(ssl) \
+@@ -2362,6 +2369,7 @@
+ #define SSL_R_HTTPS_PROXY_REQUEST 155
+ #define SSL_R_HTTP_REQUEST 156
+ #define SSL_R_ILLEGAL_PADDING 283
++#define SSL_R_INAPPROPRIATE_FALLBACK 373
+ #define SSL_R_INCONSISTENT_COMPRESSION 340
+ #define SSL_R_INVALID_CHALLENGE_LENGTH 158
+ #define SSL_R_INVALID_COMMAND 280
+@@ -2508,6 +2516,7 @@
+ #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021
+ #define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051
+ #define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060
++#define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086
+ #define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071
+ #define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080
+ #define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100
+diff -up openssl-1.0.1e/ssl/ssl_lib.c.fallback-scsv openssl-1.0.1e/ssl/ssl_lib.c
+--- a/a/ssl/ssl_lib.c.fallback-scsv 2014-10-15 14:39:30.912908743 +0200
++++ b/b/ssl/ssl_lib.c 2014-10-15 14:39:30.975910166 +0200
+@@ -1383,6 +1383,8 @@ int ssl_cipher_list_to_bytes(SSL *s,STAC
+
+ if (sk == NULL) return(0);
+ q=p;
++ if (put_cb == NULL)
++ put_cb = s->method->put_cipher_by_char;
+
+ for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
+ {
+@@ -1402,24 +1404,36 @@ int ssl_cipher_list_to_bytes(SSL *s,STAC
+ s->psk_client_callback == NULL)
+ continue;
+ #endif /* OPENSSL_NO_PSK */
+- j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
++ j = put_cb(c,p);
+ p+=j;
+ }
+- /* If p == q, no ciphers and caller indicates an error. Otherwise
+- * add SCSV if not renegotiating.
+- */
+- if (p != q && !s->renegotiate)
++ /* If p == q, no ciphers; caller indicates an error.
++ * Otherwise, add applicable SCSVs. */
++ if (p != q)
+ {
+- static SSL_CIPHER scsv =
++ if (!s->renegotiate)
+ {
+- 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
+- };
+- j = put_cb ? put_cb(&scsv,p) : ssl_put_cipher_by_char(s,&scsv,p);
+- p+=j;
++ static SSL_CIPHER scsv =
++ {
++ 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
++ };
++ j = put_cb(&scsv,p);
++ p+=j;
+ #ifdef OPENSSL_RI_DEBUG
+- fprintf(stderr, "SCSV sent by client\n");
++ fprintf(stderr, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV sent by client\n");
+ #endif
+- }
++ }
++
++ if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV)
++ {
++ static SSL_CIPHER scsv =
++ {
++ 0, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
++ };
++ j = put_cb(&scsv,p);
++ p+=j;
++ }
++ }
+
+ return(p-q);
+ }
+@@ -1430,11 +1444,12 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe
+ const SSL_CIPHER *c;
+ STACK_OF(SSL_CIPHER) *sk;
+ int i,n;
++
+ if (s->s3)
+ s->s3->send_connection_binding = 0;
+
+ n=ssl_put_cipher_by_char(s,NULL,NULL);
+- if ((num%n) != 0)
++ if (n == 0 || (num%n) != 0)
+ {
+ SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
+ return(NULL);
+@@ -1449,7 +1464,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe
+
+ for (i=0; i<num; i+=n)
+ {
+- /* Check for SCSV */
++ /* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
+ if (s->s3 && (n != 3 || !p[0]) &&
+ (p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
+ (p[n-1] == (SSL3_CK_SCSV & 0xff)))
+@@ -1469,6 +1484,23 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe
+ continue;
+ }
+
++ /* Check for TLS_FALLBACK_SCSV */
++ if ((n != 3 || !p[0]) &&
++ (p[n-2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) &&
++ (p[n-1] == (SSL3_CK_FALLBACK_SCSV & 0xff)))
++ {
++ /* The SCSV indicates that the client previously tried a higher version.
++ * Fail if the current version is an unexpected downgrade. */
++ if (!SSL_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, 0, NULL))
++ {
++ SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_INAPPROPRIATE_FALLBACK);
++ if (s->s3)
++ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INAPPROPRIATE_FALLBACK);
++ goto err;
++ }
++ continue;
++ }
++
+ c=ssl_get_cipher_by_char(s,p);
+ p+=n;
+ if (c != NULL)
+diff -up openssl-1.0.1e/ssl/ssl3.h.fallback-scsv openssl-1.0.1e/ssl/ssl3.h
+--- a/a/ssl/ssl3.h.fallback-scsv 2014-10-15 14:39:30.949909579 +0200
++++ b/b/ssl/ssl3.h 2014-10-15 14:39:30.975910166 +0200
+@@ -128,9 +128,14 @@
+ extern "C" {
+ #endif
+
+-/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */
++/* Signalling cipher suite value from RFC 5746
++ * (TLS_EMPTY_RENEGOTIATION_INFO_SCSV) */
+ #define SSL3_CK_SCSV 0x030000FF
+
++/* Signalling cipher suite value from draft-ietf-tls-downgrade-scsv-00
++ * (TLS_FALLBACK_SCSV) */
++#define SSL3_CK_FALLBACK_SCSV 0x03005600
++
+ #define SSL3_CK_RSA_NULL_MD5 0x03000001
+ #define SSL3_CK_RSA_NULL_SHA 0x03000002
+ #define SSL3_CK_RSA_RC4_40_MD5 0x03000003
+diff -up openssl-1.0.1e/ssl/s2_lib.c.fallback-scsv openssl-1.0.1e/ssl/s2_lib.c
+--- a/a/ssl/s2_lib.c.fallback-scsv 2014-10-15 14:39:30.901908495 +0200
++++ b/b/ssl/s2_lib.c 2014-10-15 14:39:30.975910166 +0200
+@@ -391,6 +391,8 @@ long ssl2_ctrl(SSL *s, int cmd, long lar
+ case SSL_CTRL_GET_SESSION_REUSED:
+ ret=s->hit;
+ break;
++ case SSL_CTRL_CHECK_PROTO_VERSION:
++ return ssl3_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, larg, parg);
+ default:
+ break;
+ }
+@@ -437,7 +439,7 @@ int ssl2_put_cipher_by_char(const SSL_CI
+ if (p != NULL)
+ {
+ l=c->id;
+- if ((l & 0xff000000) != 0x02000000) return(0);
++ if ((l & 0xff000000) != 0x02000000 && l != SSL3_CK_FALLBACK_SCSV) return(0);
+ p[0]=((unsigned char)(l>>16L))&0xFF;
+ p[1]=((unsigned char)(l>> 8L))&0xFF;
+ p[2]=((unsigned char)(l ))&0xFF;
+diff -up openssl-1.0.1e/ssl/s23_clnt.c.fallback-scsv openssl-1.0.1e/ssl/s23_clnt.c
+--- a/a/ssl/s23_clnt.c.fallback-scsv 2013-02-11 16:26:04.000000000 +0100
++++ b/b/ssl/s23_clnt.c 2014-10-15 14:39:30.975910166 +0200
+@@ -715,6 +715,9 @@ static int ssl23_get_server_hello(SSL *s
+ goto err;
+ }
+
++ /* ensure that TLS_MAX_VERSION is up-to-date */
++ OPENSSL_assert(s->version <= TLS_MAX_VERSION);
++
+ if (p[0] == SSL3_RT_ALERT && p[5] != SSL3_AL_WARNING)
+ {
+ /* fatal alert */
+diff -up openssl-1.0.1e/ssl/s23_srvr.c.fallback-scsv openssl-1.0.1e/ssl/s23_srvr.c
+--- a/a/ssl/s23_srvr.c.fallback-scsv 2014-10-15 14:39:30.966909962 +0200
++++ b/b/ssl/s23_srvr.c 2014-10-15 14:39:30.976910188 +0200
+@@ -421,6 +421,9 @@ int ssl23_get_client_hello(SSL *s)
+ }
+ }
+
++ /* ensure that TLS_MAX_VERSION is up-to-date */
++ OPENSSL_assert(s->version <= TLS_MAX_VERSION);
++
+ #ifdef OPENSSL_FIPS
+ if (FIPS_mode() && (s->version < TLS1_VERSION))
+ {
+diff -up openssl-1.0.1e/ssl/s3_enc.c.fallback-scsv openssl-1.0.1e/ssl/s3_enc.c
+--- a/a/ssl/s3_enc.c.fallback-scsv 2013-02-11 16:26:04.000000000 +0100
++++ b/b/ssl/s3_enc.c 2014-10-15 14:39:30.976910188 +0200
+@@ -892,7 +892,7 @@ int ssl3_alert_code(int code)
+ case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(SSL3_AD_HANDSHAKE_FAILURE);
+ case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(SSL3_AD_HANDSHAKE_FAILURE);
+ case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY);
++ case SSL_AD_INAPPROPRIATE_FALLBACK:return(TLS1_AD_INAPPROPRIATE_FALLBACK);
+ default: return(-1);
+ }
+ }
+-
+diff -up openssl-1.0.1e/ssl/s3_lib.c.fallback-scsv openssl-1.0.1e/ssl/s3_lib.c
+--- a/a/ssl/s3_lib.c.fallback-scsv 2014-10-15 14:39:30.941909398 +0200
++++ b/b/ssl/s3_lib.c 2014-10-15 14:39:30.976910188 +0200
+@@ -3350,6 +3350,33 @@
+ #endif
+
+ #endif /* !OPENSSL_NO_TLSEXT */
++
++ case SSL_CTRL_CHECK_PROTO_VERSION:
++ /* For library-internal use; checks that the current protocol
++ * is the highest enabled version (according to s->ctx->method,
++ * as version negotiation may have changed s->method). */
++ if (s->version == s->ctx->method->version)
++ return 1;
++ /* Apparently we're using a version-flexible SSL_METHOD
++ * (not at its highest protocol version). */
++ if (s->ctx->method->version == SSLv23_method()->version)
++ {
++#if TLS_MAX_VERSION != TLS1_2_VERSION
++# error Code needs update for SSLv23_method() support beyond TLS1_2_VERSION.
++#endif
++ if (!(s->options & SSL_OP_NO_TLSv1_2))
++ return s->version == TLS1_2_VERSION;
++ if (!(s->options & SSL_OP_NO_TLSv1_1))
++ return s->version == TLS1_1_VERSION;
++ if (!(s->options & SSL_OP_NO_TLSv1))
++ return s->version == TLS1_VERSION;
++ if (!(s->options & SSL_OP_NO_SSLv3))
++ return s->version == SSL3_VERSION;
++ if (!(s->options & SSL_OP_NO_SSLv2))
++ return s->version == SSL2_VERSION;
++ }
++ return 0; /* Unexpected state; fail closed. */
++
+ default:
+ break;
+ }
+@@ -3709,6 +3736,7 @@
+ break;
+ #endif
+ #endif
++
+ default:
+ return(0);
+ }
+@@ -4279,4 +4307,3 @@
+ return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
+ return alg2;
+ }
+-
+diff -up openssl-1.0.1e/ssl/tls1.h.fallback-scsv openssl-1.0.1e/ssl/tls1.h
+--- a/a/ssl/tls1.h.fallback-scsv 2014-10-15 14:39:30.775905650 +0200
++++ b/b/ssl/tls1.h 2014-10-15 14:39:30.976910188 +0200
+@@ -159,17 +159,19 @@ extern "C" {
+
+ #define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0
+
++#define TLS1_VERSION 0x0301
++#define TLS1_1_VERSION 0x0302
+ #define TLS1_2_VERSION 0x0303
+-#define TLS1_2_VERSION_MAJOR 0x03
+-#define TLS1_2_VERSION_MINOR 0x03
++#define TLS_MAX_VERSION TLS1_2_VERSION
++
++#define TLS1_VERSION_MAJOR 0x03
++#define TLS1_VERSION_MINOR 0x01
+
+-#define TLS1_1_VERSION 0x0302
+ #define TLS1_1_VERSION_MAJOR 0x03
+ #define TLS1_1_VERSION_MINOR 0x02
+
+-#define TLS1_VERSION 0x0301
+-#define TLS1_VERSION_MAJOR 0x03
+-#define TLS1_VERSION_MINOR 0x01
++#define TLS1_2_VERSION_MAJOR 0x03
++#define TLS1_2_VERSION_MINOR 0x03
+
+ #define TLS1_get_version(s) \
+ ((s->version >> 8) == TLS1_VERSION_MAJOR ? s->version : 0)
+@@ -187,6 +189,7 @@ extern "C" {
+ #define TLS1_AD_PROTOCOL_VERSION 70 /* fatal */
+ #define TLS1_AD_INSUFFICIENT_SECURITY 71 /* fatal */
+ #define TLS1_AD_INTERNAL_ERROR 80 /* fatal */
++#define TLS1_AD_INAPPROPRIATE_FALLBACK 86 /* fatal */
+ #define TLS1_AD_USER_CANCELLED 90
+ #define TLS1_AD_NO_RENEGOTIATION 100
+ /* codes 110-114 are from RFC3546 */
+diff -up openssl-1.0.1e/ssl/t1_enc.c.fallback-scsv openssl-1.0.1e/ssl/t1_enc.c
+--- a/a/ssl/t1_enc.c.fallback-scsv 2014-10-15 14:39:30.936909285 +0200
++++ b/b/ssl/t1_enc.c 2014-10-15 14:39:30.977910211 +0200
+@@ -1265,6 +1265,7 @@ int tls1_alert_code(int code)
+ case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE);
+ case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(TLS1_AD_BAD_CERTIFICATE_HASH_VALUE);
+ case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY);
++ case SSL_AD_INAPPROPRIATE_FALLBACK:return(TLS1_AD_INAPPROPRIATE_FALLBACK);
+ #if 0 /* not appropriate for TLS, not used for DTLS */
+ case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return
+ (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
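Review bot: In the `ssl_bytes_to_cipher_list` hunk, the new TLS_FALLBACK_SCSV branch ends in `continue;` without advancing `p`. The loop header `for (i=0; i<num; i+=n)` only increments `i`, and the normal path advances with `p+=n;` after `ssl_get_cipher_by_char(s,p)`. Once the SCSV is accepted, every remaining iteration re-reads the same bytes, so cipher suites listed after TLS_FALLBACK_SCSV never reach the stack and the handshake can fail for lack of a shared cipher. Add `p += n;` directly before that `continue;`. The function's start and end are outside the hunk.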
diff --git a/external/openssl/CVE-2014-3567.patch b/external/openssl/CVE-2014-3567.patch
new file mode 100644
index 000000000000..db158f30b506
--- /dev/null
+++ b/external/openssl/CVE-2014-3567.patch
@@ -0,0 +1,14 @@
+diff -up openssl-1.0.1e/ssl/t1_lib.c.ticket-leak openssl-1.0.1e/ssl/t1_lib.c
+--- a/a/ssl/t1_lib.c.ticket-leak 2014-10-15 13:19:26.825454374 +0200
++++ b/b/ssl/t1_lib.c 2014-10-15 13:19:59.955202293 +0200
+@@ -2280,7 +2280,10 @@ static int tls_decrypt_ticket(SSL *s, co
+ HMAC_Final(&hctx, tick_hmac, NULL);
+ HMAC_CTX_cleanup(&hctx);
+ if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
++ {
++ EVP_CIPHER_CTX_cleanup(&ctx);
+ return 2;
++ }
+ /* Attempt to decrypt session data */
+ /* Move p after IV to start of encrypted ticket, update length */
+ p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
diff --git a/external/openssl/UnpackedTarball_openssl.mk b/external/openssl/UnpackedTarball_openssl.mk
index 57b593cc5f07..117211b685f7 100644
--- a/external/openssl/UnpackedTarball_openssl.mk
+++ b/external/openssl/UnpackedTarball_openssl.mk
@@ -77,6 +77,16 @@ $(eval $(call gb_UnpackedTarball_add_patches,openssl,\
external/openssl/CVE-2014-0221.patch \
external/openssl/CVE-2014-0224.patch \
external/openssl/CVE-2014-3470.patch \
+ external/openssl/CVE-2014-3505.patch \
+ external/openssl/CVE-2014-3506.patch \
+ external/openssl/CVE-2014-3507.patch \
+ external/openssl/CVE-2014-3508.patch \
+ external/openssl/CVE-2014-3509.patch \
+ external/openssl/CVE-2014-3510.patch \
+ external/openssl/CVE-2014-3511.patch \
+ external/openssl/CVE-2014-3513.patch \
+ external/openssl/CVE-2014-3567.patch \
+ external/openssl/CVE-2014-3566.patch \
$(if $(filter LINUX FREEBSD ANDROID,$(OS)),external/openssl/openssllnx.patch) \
$(if $(filter WNTGCC,$(OS)$(COM)),external/openssl/opensslmingw.patch) \
$(if $(filter MSC,$(COM)),external/openssl/opensslwnt.patch) \
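Review bot: The new entries apply CVE-2014-3513.patch before CVE-2014-3567.patch, but the patch headers suggest they were generated in the opposite order. The `t1_lib.c.srtp-leak` baseline timestamp in the 3513 patch (13:19:59.955202293) equals the result timestamp of `ssl/t1_lib.c` in the 3567 patch, and both modify that file. Their hunks touch different regions, so this most likely still applies with a line offset, but it relies on patch(1) tolerance rather than on a series that matches how the patches were produced. Consider moving `external/openssl/CVE-2014-3567.patch \` above `external/openssl/CVE-2014-3513.patch \`. The `gb_UnpackedTarball_add_patches` call starts and ends outside the hunk.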
commit f27aa12df6a03157b511088c76ecde5a0cc92256
Author: Caolán McNamara <caolanm at redhat.com>
AuthorDate: Fri Jun 6 12:46:05 2014 +0100
Commit: Thorsten Behrens <Thorsten.Behrens at CIB.de>
CommitDate: Wed Aug 15 17:05:40 2018 +0200
various recent openssl CVEs
Change-Id: Ib8989682690a73e5d09fb06617ad9d0938d76ccc
Reviewed-on: https://gerrit.libreoffice.org/9666
... etc. - the rest is truncated