# HG changeset patch # User Stanislas Leduc # Date 1710272956 0 # Node ID 1f1c168034600742f3a294ec887dd7e91acf61d2 # Parent 36a7b2c61bce349e2e65010cc124d480e91a0d15 Up openssl, add openssl-compat, openssl11, patch dropbear CVE-2023-48795 diff -r 36a7b2c61bce -r 1f1c16803460 dropbear/receipt --- a/dropbear/receipt Sun Mar 10 13:41:01 2024 +0000 +++ b/dropbear/receipt Tue Mar 12 19:49:16 2024 +0000 @@ -37,6 +37,9 @@ # Rules to configure and make the package. compile_rules() { + # CVE-2023-48795 + patch -p1 < $stuff/CVE-2023-48795.patch + local i local DROPBEARS DROPBEARS="dropbearkey dropbearconvert dbclient scp" @@ -44,6 +47,7 @@ #define SFTPSERVER_PATH "/usr/sbin/sftp-server" #define DROPBEAR_X11FWD 1 EOT + sed -i 's|"SSH-2.0-dropbear_" DROPBEAR_VERSION|"SSH-2.0-dropbear"|' sysoptions.h sed -i 's|DROPBEAR_CHANNEL_PRIO_INTERACTIVE|DROPBEAR_PRIO_LOWDELAY|' svr-x11fwd.c sed -i 's|shell arch|shell uname -m|' libtommath/makefile_include.mk ./configure --prefix=/usr --without-pam $CONFIGURE_ARGS $CROSS_ARGS && diff -r 36a7b2c61bce -r 1f1c16803460 dropbear/stuff/CVE-2023-48795.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/dropbear/stuff/CVE-2023-48795.patch Tue Mar 12 19:49:16 2024 +0000 @@ -0,0 +1,232 @@ +From 6e43be5c7b99dbee49dc72b6f989f29fdd7e9356 Mon Sep 17 00:00:00 2001 +From: Matt Johnston +Date: Mon, 20 Nov 2023 14:02:47 +0800 +Subject: [PATCH] Implement Strict KEX mode + +As specified by OpenSSH with kex-strict-c-v00@openssh.com and +kex-strict-s-v00@openssh.com. + +Upstream: https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356 +Signed-off-by: Fabrice Fontaine +--- + src/cli-session.c | 11 +++++++++++ + src/common-algo.c | 6 ++++++ + src/common-kex.c | 26 +++++++++++++++++++++++++- + src/kex.h | 3 +++ + src/process-packet.c | 34 +++++++++++++++++++--------------- + src/ssh.h | 4 ++++ + src/svr-session.c | 3 +++ + 7 files changed, 71 insertions(+), 16 deletions(-) + +diff --git a/cli-session.c b/cli-session.c +index 5981b2470..d261c8f82 100644 +--- a/cli-session.c ++++ b/cli-session.c +@@ -46,6 +46,7 @@ static void cli_finished(void) ATTRIB_NORETURN; + static void recv_msg_service_accept(void); + static void cli_session_cleanup(void); + static void recv_msg_global_request_cli(void); ++static void cli_algos_initialise(void); + + struct clientsession cli_ses; /* GLOBAL */ + +@@ -117,6 +118,7 @@ void cli_session(int sock_in, int sock_out, struct dropbear_progress_connection + } + + chaninitialise(cli_chantypes); ++ cli_algos_initialise(); + + /* Set up cli_ses vars */ + cli_session_init(proxy_cmd_pid); +@@ -487,3 +489,12 @@ void cli_dropbear_log(int priority, const char* format, va_list param) { + fflush(stderr); + } + ++static void cli_algos_initialise(void) { ++ algo_type *algo; ++ for (algo = sshkex; algo->name; algo++) { ++ if (strcmp(algo->name, SSH_STRICT_KEX_S) == 0) { ++ algo->usable = 0; ++ } ++ } ++} ++ +diff --git a/common-algo.c b/common-algo.c +index 378f0ca8e..f9d46ebb6 100644 +--- a/common-algo.c ++++ b/common-algo.c +@@ -307,6 +307,12 @@ algo_type sshkex[] = { + /* Set unusable by svr_algos_initialise() */ + {SSH_EXT_INFO_C, 0, NULL, 1, NULL}, + #endif ++#endif ++#if DROPBEAR_CLIENT ++ {SSH_STRICT_KEX_C, 0, NULL, 1, NULL}, ++#endif ++#if DROPBEAR_SERVER ++ {SSH_STRICT_KEX_S, 0, NULL, 1, NULL}, + #endif + {NULL, 0, NULL, 0, NULL} + }; +diff --git a/common-kex.c b/common-kex.c +index ac8844246..8e33b12a6 100644 +--- a/common-kex.c ++++ b/common-kex.c +@@ -183,6 +183,10 @@ void send_msg_newkeys() { + gen_new_keys(); + switch_keys(); + ++ if (ses.kexstate.strict_kex) { ++ ses.transseq = 0; ++ } ++ + TRACE(("leave send_msg_newkeys")) + } + +@@ -193,7 +197,11 @@ void recv_msg_newkeys() { + + ses.kexstate.recvnewkeys = 1; + switch_keys(); +- ++ ++ if (ses.kexstate.strict_kex) { ++ ses.recvseq = 0; ++ } ++ + TRACE(("leave recv_msg_newkeys")) + } + +@@ -550,6 +558,10 @@ void recv_msg_kexinit() { + + ses.kexstate.recvkexinit = 1; + ++ if (ses.kexstate.strict_kex && !ses.kexstate.donefirstkex && ses.recvseq != 1) { ++ dropbear_exit("First packet wasn't kexinit"); ++ } ++ + TRACE(("leave recv_msg_kexinit")) + } + +@@ -859,6 +871,18 @@ static void read_kex_algos() { + } + #endif + ++ if (!ses.kexstate.donefirstkex) { ++ const char* strict_name; ++ if (IS_DROPBEAR_CLIENT) { ++ strict_name = SSH_STRICT_KEX_S; ++ } else { ++ strict_name = SSH_STRICT_KEX_C; ++ } ++ if (buf_has_algo(ses.payload, strict_name) == DROPBEAR_SUCCESS) { ++ ses.kexstate.strict_kex = 1; ++ } ++ } ++ + algo = buf_match_algo(ses.payload, sshkex, kexguess2, &goodguess); + allgood &= goodguess; + if (algo == NULL || algo->data == NULL) { +diff --git a/kex.h b/kex.h +index 77cf21a37..7fcc3c252 100644 +--- a/kex.h ++++ b/kex.h +@@ -83,6 +83,9 @@ struct KEXState { + + unsigned our_first_follows_matches : 1; + ++ /* Boolean indicating that strict kex mode is in use */ ++ unsigned int strict_kex; ++ + time_t lastkextime; /* time of the last kex */ + unsigned int datatrans; /* data transmitted since last kex */ + unsigned int datarecv; /* data received since last kex */ +diff --git a/process-packet.c b/process-packet.c +index 945416023..133a152d0 100644 +--- a/process-packet.c ++++ b/process-packet.c +@@ -44,6 +44,7 @@ void process_packet() { + + unsigned char type; + unsigned int i; ++ unsigned int first_strict_kex = ses.kexstate.strict_kex && !ses.kexstate.donefirstkex; + time_t now; + + TRACE2(("enter process_packet")) +@@ -54,22 +55,24 @@ void process_packet() { + now = monotonic_now(); + ses.last_packet_time_keepalive_recv = now; + +- /* These packets we can receive at any time */ +- switch(type) { + +- case SSH_MSG_IGNORE: +- goto out; +- case SSH_MSG_DEBUG: +- goto out; ++ if (type == SSH_MSG_DISCONNECT) { ++ /* Allowed at any time */ ++ dropbear_close("Disconnect received"); ++ } + +- case SSH_MSG_UNIMPLEMENTED: +- /* debugging XXX */ +- TRACE(("SSH_MSG_UNIMPLEMENTED")) +- goto out; +- +- case SSH_MSG_DISCONNECT: +- /* TODO cleanup? */ +- dropbear_close("Disconnect received"); ++ /* These packets may be received at any time, ++ except during first kex with strict kex */ ++ if (!first_strict_kex) { ++ switch(type) { ++ case SSH_MSG_IGNORE: ++ goto out; ++ case SSH_MSG_DEBUG: ++ goto out; ++ case SSH_MSG_UNIMPLEMENTED: ++ TRACE(("SSH_MSG_UNIMPLEMENTED")) ++ goto out; ++ } + } + + /* Ignore these packet types so that keepalives don't interfere with +@@ -98,7 +101,8 @@ void process_packet() { + if (type >= 1 && type <= 49 + && type != SSH_MSG_SERVICE_REQUEST + && type != SSH_MSG_SERVICE_ACCEPT +- && type != SSH_MSG_KEXINIT) ++ && type != SSH_MSG_KEXINIT ++ && !first_strict_kex) + { + TRACE(("unknown allowed packet during kexinit")) + recv_unimplemented(); +diff --git a/ssh.h b/ssh.h +index 1b4fec65f..ef3efdca0 100644 +--- a/ssh.h ++++ b/ssh.h +@@ -100,6 +100,10 @@ + #define SSH_EXT_INFO_C "ext-info-c" + #define SSH_SERVER_SIG_ALGS "server-sig-algs" + ++/* OpenSSH strict KEX feature */ ++#define SSH_STRICT_KEX_S "kex-strict-s-v00@openssh.com" ++#define SSH_STRICT_KEX_C "kex-strict-c-v00@openssh.com" ++ + /* service types */ + #define SSH_SERVICE_USERAUTH "ssh-userauth" + #define SSH_SERVICE_USERAUTH_LEN 12 +diff --git a/svr-session.c b/svr-session.c +index 769f0731d..a538e2c5c 100644 +--- a/svr-session.c ++++ b/svr-session.c +@@ -370,6 +370,9 @@ static void svr_algos_initialise(void) { + algo->usable = 0; + } + #endif ++ if (strcmp(algo->name, SSH_STRICT_KEX_C) == 0) { ++ algo->usable = 0; ++ } + } + } + diff -r 36a7b2c61bce -r 1f1c16803460 libcrypto-compat/receipt --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/libcrypto-compat/receipt Tue Mar 12 19:49:16 2024 +0000 @@ -0,0 +1,19 @@ +# SliTaz package receipt. + +PACKAGE="libcrypto-compat" +VERSION="1.1.1w" +CATEGORY="security" +SHORT_DESC="General purpose cryptographic shared library (compat)." +MAINTAINER="maintainer@slitaz.org" +LICENSE="BSD" +WEB_SITE="https://www.openssl.org/" +HOST_ARCH="i486 arm" + +WANTED="openssl-compat" + +# Rules to gen a SliTaz package suitable for Tazpkg. +genpkg_rules() +{ + mkdir -p $fs/usr/lib + cp -a $install/usr/lib/libcrypto.so.1.1 $fs/usr/lib +} diff -r 36a7b2c61bce -r 1f1c16803460 libcrypto-dev/receipt --- a/libcrypto-dev/receipt Sun Mar 10 13:41:01 2024 +0000 +++ b/libcrypto-dev/receipt Tue Mar 12 19:49:16 2024 +0000 @@ -1,7 +1,7 @@ # SliTaz package receipt. PACKAGE="libcrypto-dev" -VERSION="1.1.1w" +VERSION="3.0.13" CATEGORY="development" SHORT_DESC="General purpose cryptographic shared library devel files." MAINTAINER="pascal.bellard@slitaz.org" diff -r 36a7b2c61bce -r 1f1c16803460 libcrypto/receipt --- a/libcrypto/receipt Sun Mar 10 13:41:01 2024 +0000 +++ b/libcrypto/receipt Tue Mar 12 19:49:16 2024 +0000 @@ -1,7 +1,7 @@ # SliTaz package receipt. PACKAGE="libcrypto" -VERSION="1.1.1w" +VERSION="3.0.13" CATEGORY="security" SHORT_DESC="General purpose cryptographic shared library." MAINTAINER="pascal.bellard@slitaz.org" @@ -11,6 +11,9 @@ WANTED="openssl" +# We add libcrypto-compat to ensure smooth upgrade between versions +DEPENDS="libcrypto-compat libatomic" + # Rules to gen a SliTaz package suitable for Tazpkg. genpkg_rules() { diff -r 36a7b2c61bce -r 1f1c16803460 libcrypto11-dev/receipt --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/libcrypto11-dev/receipt Tue Mar 12 19:49:16 2024 +0000 @@ -0,0 +1,24 @@ +# SliTaz package receipt. + +PACKAGE="libcrypto11-dev" +VERSION="1.1.1w" +CATEGORY="development" +SHORT_DESC="General purpose cryptographic shared library devel files (1.1.1 series)." +MAINTAINER="pascal.bellard@slitaz.org" +LICENSE="BSD" +WEB_SITE="https://www.openssl.org/" +HOST_ARCH="i486 arm" + +WANTED="openssl11" +DEPENDS="pkg-config" + +# Rules to gen a SliTaz package suitable for Tazpkg. +genpkg_rules() +{ + mkdir -p $fs/usr/lib/openssl-1.1/pkgconfig + cp -a $install/usr/lib/openssl-1.1/libcrypto.a $fs/usr/lib/openssl-1.1 + cp -a $install/usr/lib/openssl-1.1/pkgconfig/libcrypto* \ + $fs/usr/lib/openssl-1.1/pkgconfig + sed -e 's|/include$|/include/openssl-1.1|' \ + -i $fs/usr/lib/openssl-1.1/pkgconfig/*.pc +} diff -r 36a7b2c61bce -r 1f1c16803460 libcrypto11/receipt --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/libcrypto11/receipt Tue Mar 12 19:49:16 2024 +0000 @@ -0,0 +1,19 @@ +# SliTaz package receipt. + +PACKAGE="libcrypto11" +VERSION="1.1.1w" +CATEGORY="security" +SHORT_DESC="General purpose cryptographic shared library (1.1.1 series)." +MAINTAINER="pascal.bellard@slitaz.org" +LICENSE="BSD" +WEB_SITE="https://www.openssl.org/" +HOST_ARCH="i486 arm" + +WANTED="openssl11" + +# Rules to gen a SliTaz package suitable for Tazpkg. +genpkg_rules() +{ + mkdir -p $fs/usr/lib/openssl-1.1 + cp -a $install/usr/lib/openssl-1.1/libcrypto.so.* $fs/usr/lib/openssl-1.1 +} diff -r 36a7b2c61bce -r 1f1c16803460 libssl-compat/receipt --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/libssl-compat/receipt Tue Mar 12 19:49:16 2024 +0000 @@ -0,0 +1,19 @@ +# SliTaz package receipt. + +PACKAGE="libssl-compat" +VERSION="1.1.1w" +CATEGORY="security" +SHORT_DESC="OpenSSL libraries (compat)." +MAINTAINER="maintainer@slitaz.org" +LICENSE="BSD" +WEB_SITE="https://www.openssl.org/" +HOST_ARCH="i486 arm" + +WANTED="openssl-compat" + +# Rules to gen a SliTaz package suitable for Tazpkg. +genpkg_rules() +{ + mkdir -p $fs/usr/lib + cp -a $install/usr/lib/libssl.so.1.1 $fs/usr/lib +} diff -r 36a7b2c61bce -r 1f1c16803460 libssl/receipt --- a/libssl/receipt Sun Mar 10 13:41:01 2024 +0000 +++ b/libssl/receipt Tue Mar 12 19:49:16 2024 +0000 @@ -1,7 +1,7 @@ # SliTaz package receipt. PACKAGE="libssl" -VERSION="1.1.1w" +VERSION="3.0.13" CATEGORY="security" SHORT_DESC="OpenSSL libraries." MAINTAINER="pascal.bellard@slitaz.org" @@ -10,7 +10,9 @@ HOST_ARCH="i486 arm" WANTED="openssl" -DEPENDS="libcrypto" + +# We add libssl-compat to ensure smooth upgrade between versions +DEPENDS="libcrypto libssl-compat" # Rules to gen a SliTaz package suitable for Tazpkg. genpkg_rules() diff -r 36a7b2c61bce -r 1f1c16803460 libssl11/receipt --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/libssl11/receipt Tue Mar 12 19:49:16 2024 +0000 @@ -0,0 +1,20 @@ +# SliTaz package receipt. + +PACKAGE="libssl11" +VERSION="1.1.1w" +CATEGORY="security" +SHORT_DESC="OpenSSL libraries (1.1.1 series)." +MAINTAINER="pascal.bellard@slitaz.org" +LICENSE="BSD" +WEB_SITE="https://www.openssl.org/" +HOST_ARCH="i486 arm" + +WANTED="openssl11" +DEPENDS="libcrypto11" + +# Rules to gen a SliTaz package suitable for Tazpkg. +genpkg_rules() +{ + mkdir -p $fs/usr/lib/openssl-1.1 + cp -a $install/usr/lib/openssl-1.1/libssl.so.* $fs/usr/lib/openssl-1.1 +} diff -r 36a7b2c61bce -r 1f1c16803460 openssl-compat/receipt --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/openssl-compat/receipt Tue Mar 12 19:49:16 2024 +0000 @@ -0,0 +1,72 @@ +# SliTaz package receipt. + +PACKAGE="openssl-compat" +SOURCE="openssl" +VERSION="1.1.1w" +CATEGORY="security" +SHORT_DESC="Open source Secure Sockets Layer (compat)." +MAINTAINER="pascal.bellard@slitaz.org" +LICENSE="BSD" +WEB_SITE="https://www.openssl.org/" +TAGS="ssl security" +HOST_ARCH="i486 arm" + +TARBALL="$SOURCE-$VERSION.tar.gz" +WGET_URL="https://www.openssl.org/source/$TARBALL" + +DEPENDS="libcrypto-compat libssl-compat" +BUILD_DEPENDS="perl zlib-dev" +SPLIT="libcrypto-compat libssl-compat" + +current_version() +{ + wget -O - $(dirname $WGET_URL) 2>/dev/null | \ + sed '/openssl-/!d;/-[abr]/d;s|.tar.gzopenssl-||;q' +} + +# Perl is installed in cross env. +case "$ARCH" in + arm) BUILD_DEPENDS="" ;; +esac + +# Rules to configure and make the package. +compile_rules() +{ + # MAKEFLAGS make openssl build fail. + unset MAKEFLAGS + + # Add -Wa,--noexecstack here so that libcrypto's assembler modules will be + # marked as not requiring an executable stack (compatibility improvement). + case "$ARCH" in + arm) + # BUG: shared libs are not built + ./Configure --prefix=/usr --openssldir=/etc/ssl \ + shared zlib enable-md2 -Wa,--noexecstack \ + linux-armv4 && + sed -i 's/\(basename .*\)`/\1 || true `/' Makefile && + make \ + CC=${HOST_SYSTEM}-gcc \ + AR="${HOST_SYSTEM}-ar r" \ + RANLIB=${HOST_SYSTEM}-ranlib ;; + i486) + MACHINE=i686 \ + ./config --prefix=/usr --openssldir=/etc/ssl \ + shared zlib zlib-dynamic enable-md2 \ + no-ssl3-method -Wa,--noexecstack && + make depend ;; + esac && + # Install + make DESTDIR=$PWD/_pkg MANDIR=$PWD/_pkg/usr/share/man \ + install_sw install_ssldirs +} + +# Rules to gen a SliTaz package suitable for Tazpkg. +genpkg_rules() +{ + cook_copy_folders etc bin engines +} + +testsuite() +{ + readelf -h $install/usr/bin/openssl +} diff -r 36a7b2c61bce -r 1f1c16803460 openssl-dev/receipt --- a/openssl-dev/receipt Sun Mar 10 13:41:01 2024 +0000 +++ b/openssl-dev/receipt Tue Mar 12 19:49:16 2024 +0000 @@ -1,7 +1,7 @@ # SliTaz package receipt. PACKAGE="openssl-dev" -VERSION="1.1.1w" +VERSION="3.0.13" CATEGORY="development" SHORT_DESC="Open source Secure Sockets Layer devel files." MAINTAINER="pascal.bellard@slitaz.org" diff -r 36a7b2c61bce -r 1f1c16803460 openssl/receipt --- a/openssl/receipt Sun Mar 10 13:41:01 2024 +0000 +++ b/openssl/receipt Tue Mar 12 19:49:16 2024 +0000 @@ -1,7 +1,7 @@ # SliTaz package receipt. PACKAGE="openssl" -VERSION="1.1.1w" +VERSION="3.0.13" CATEGORY="security" SHORT_DESC="Open source Secure Sockets Layer." MAINTAINER="pascal.bellard@slitaz.org" @@ -13,8 +13,8 @@ TARBALL="$PACKAGE-$VERSION.tar.gz" WGET_URL="https://www.openssl.org/source/$TARBALL" -DEPENDS="libcrypto libssl" -BUILD_DEPENDS="perl zlib-dev" +DEPENDS="libcrypto libssl libatomic" +BUILD_DEPENDS="perl zlib-dev libatomic" SPLIT="libcrypto libcrypto-dev libssl openssl-dev" current_version() @@ -34,6 +34,8 @@ # MAKEFLAGS make openssl build fail. unset MAKEFLAGS + export LDFLAGS="$LDFLAGS -latomic" + # Add -Wa,--noexecstack here so that libcrypto's assembler modules will be # marked as not requiring an executable stack (compatibility improvement). case "$ARCH" in @@ -48,8 +50,7 @@ AR="${HOST_SYSTEM}-ar r" \ RANLIB=${HOST_SYSTEM}-ranlib ;; i486) - MACHINE=i686 \ - ./config --prefix=/usr --openssldir=/etc/ssl \ + ./config linux-generic32 --prefix=/usr --openssldir=/etc/ssl \ shared zlib zlib-dynamic enable-md2 \ no-ssl3-method -Wa,--noexecstack && make depend ;; @@ -63,6 +64,8 @@ genpkg_rules() { cook_copy_folders etc bin engines + # Remove .dist file + rm $fs/etc/ssl/*.dist } testsuite() diff -r 36a7b2c61bce -r 1f1c16803460 openssl11-dev/receipt --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/openssl11-dev/receipt Tue Mar 12 19:49:16 2024 +0000 @@ -0,0 +1,27 @@ +# SliTaz package receipt. + +PACKAGE="openssl11-dev" +VERSION="1.1.1w" +CATEGORY="development" +SHORT_DESC="Open source Secure Sockets Layer devel files (1.1.1 series)." +MAINTAINER="pascal.bellard@slitaz.org" +LICENSE="BSD" +WEB_SITE="https://www.openssl.org/" +HOST_ARCH="i486 arm" + +WANTED="openssl11" +DEPENDS="libcrypto11-dev pkg-config" + +# Rules to gen a SliTaz package suitable for Tazpkg. +genpkg_rules() +{ + mkdir -p $fs/usr/lib/openssl-1.1 $fs/usr/include/openssl-1.1 + cp -a $install/usr/include/openssl $fs/usr/include/openssl-1.1 + cp -a $install/usr/lib/openssl-1.1/*.a $fs/usr/lib/openssl-1.1 + cp -a $install/usr/lib/openssl-1.1/pkgconfig $fs/usr/lib/openssl-1.1 + sed -e 's|/include$|/include/openssl-1.1|' \ + -i $fs/usr/lib/openssl-1.1/pkgconfig/*.pc + # libcrypto* have moved to a specific package + rm -f $fs/usr/lib/openssl-1.1/libcrypto* + rm -f $fs/usr/lib/openssl-1.1/pkgconfig/libcrypto* +} diff -r 36a7b2c61bce -r 1f1c16803460 openssl11/receipt --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/openssl11/receipt Tue Mar 12 19:49:16 2024 +0000 @@ -0,0 +1,75 @@ +# SliTaz package receipt. + +PACKAGE="openssl11" +SOURCE="openssl" +VERSION="1.1.1w" +CATEGORY="security" +SHORT_DESC="Open source Secure Sockets Layer (1.1.1 series)." +MAINTAINER="pascal.bellard@slitaz.org" +LICENSE="BSD" +WEB_SITE="https://www.openssl.org/" +TAGS="ssl security" +HOST_ARCH="i486 arm" + +TARBALL="$SOURCE-$VERSION.tar.gz" +WGET_URL="https://www.openssl.org/source/$TARBALL" + +DEPENDS="libcrypto11 libssl11" +BUILD_DEPENDS="perl zlib-dev" +SPLIT="libcrypto11 libcrypto11-dev libssl11 openssl11-dev" + +current_version() +{ + wget -O - $(dirname $WGET_URL) 2>/dev/null | \ + sed '/openssl-/!d;/-[abr]/d;s|.tar.gzopenssl-||;q' +} + +# Perl is installed in cross env. +case "$ARCH" in + arm) BUILD_DEPENDS="" ;; +esac + +# Rules to configure and make the package. +compile_rules() +{ + # MAKEFLAGS make openssl build fail. + unset MAKEFLAGS + + # Add -Wa,--noexecstack here so that libcrypto's assembler modules will be + # marked as not requiring an executable stack (compatibility improvement). + case "$ARCH" in + arm) + # BUG: shared libs are not built + ./Configure --prefix=/usr --openssldir=/etc/ssl \ + shared zlib enable-md2 -Wa,--noexecstack \ + linux-armv4 && + sed -i 's/\(basename .*\)`/\1 || true `/' Makefile && + make \ + CC=${HOST_SYSTEM}-gcc \ + AR="${HOST_SYSTEM}-ar r" \ + RANLIB=${HOST_SYSTEM}-ranlib ;; + i486) + MACHINE=i686 \ + ./config --prefix=/usr --openssldir=/etc/ssl \ + --libdir=lib/openssl-1.1 shared zlib \ + zlib-dynamic enable-md2 no-ssl3-method \ + -Wa,--noexecstack && + make depend ;; + esac && + # Install + make DESTDIR=$PWD/_pkg MANDIR=$PWD/_pkg/usr/share/man \ + install_sw install_ssldirs +} + +# Rules to gen a SliTaz package suitable for Tazpkg. +genpkg_rules() +{ + mkdir -p $fs/usr/bin $fs/usr/lib/openssl-1.1 + cp -a $install/usr/bin/openssl $fs/usr/bin/openssl-1.1 + cp -a $install/usr/lib/openssl-1.1/engines-1.1 $fs/usr/lib/openssl-1.1 +} + +testsuite() +{ + readelf -h $install/usr/bin/openssl +}