* [PATCH 0/1] OpenSSL 1.1.0
From: Leo Famulari @ 2016-09-02 1:59 UTC
To: guix-devel

This patch updates OpenSSL to 1.1.0.

I don't think we should update now; basically nothing works yet with the
new interface.

But, I could adapt the patch to add this version as openssl-next.

Your thoughts?

PS — Python's journey to support OpenSSL 1.1.0: https://bugs.python.org/issue26470

Leo Famulari (1):
  gnu: openssl: Update to 1.1.0.

 gnu/local.mk                                     |   3 -
 gnu/packages/patches/openssl-CVE-2016-2177.patch | 286 -----------------------
 gnu/packages/patches/openssl-CVE-2016-2178.patch | 112 ---------
 gnu/packages/patches/openssl-c-rehash-in.patch   |  12 +-
 gnu/packages/patches/openssl-runpath.patch       |  15 --
 gnu/packages/tls.scm                             |  42 ++--
 6 files changed, 21 insertions(+), 449 deletions(-)
 delete mode 100644 gnu/packages/patches/openssl-CVE-2016-2177.patch
 delete mode 100644 gnu/packages/patches/openssl-CVE-2016-2178.patch
 delete mode 100644 gnu/packages/patches/openssl-runpath.patch

-- 
2.9.3
* [PATCH 1/1] gnu: openssl: Update to 1.1.0. 2016-09-02 1:59 [PATCH 0/1] OpenSSL 1.1.0 Leo Famulari @ 2016-09-02 1:59 ` Leo Famulari 2016-09-02 7:40 ` [PATCH 0/1] OpenSSL 1.1.0 Ricardo Wurmus 1 sibling, 0 replies; 15+ messages in thread From: Leo Famulari @ 2016-09-02 1:59 UTC (permalink / raw) To: guix-devel * gnu/packages/tls.scm (openssl): Update to 1.1.0. [source]: Remove deleted patches. [arguments]: Add 'patch-runpath' phase. Remove 'patch-Makefile.org' and 'patch-tests' phases. * gnu/packages/patches/openssl-c-rehash-in.patch: Adjust patch. * gnu/packages/patches/openssl-CVE-2016-2177.patch, gnu/packages/patches/openssl-CVE-2016-2178.patch, gnu/packages/patches/openssl-runpath.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them. --- gnu/local.mk | 3 - gnu/packages/patches/openssl-CVE-2016-2177.patch | 286 ----------------------- gnu/packages/patches/openssl-CVE-2016-2178.patch | 112 --------- gnu/packages/patches/openssl-c-rehash-in.patch | 12 +- gnu/packages/patches/openssl-runpath.patch | 15 -- gnu/packages/tls.scm | 42 ++-- 6 files changed, 21 insertions(+), 449 deletions(-) delete mode 100644 gnu/packages/patches/openssl-CVE-2016-2177.patch delete mode 100644 gnu/packages/patches/openssl-CVE-2016-2178.patch delete mode 100644 gnu/packages/patches/openssl-runpath.patch diff --git a/gnu/local.mk b/gnu/local.mk index 457dc19..350c42d 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -696,10 +696,7 @@ dist_patch_DATA = \ %D%/packages/patches/openexr-missing-samples.patch \ %D%/packages/patches/openjpeg-CVE-2015-6581.patch \ %D%/packages/patches/openjpeg-use-after-free-fix.patch \ - %D%/packages/patches/openssl-runpath.patch \ %D%/packages/patches/openssl-c-rehash-in.patch \ - %D%/packages/patches/openssl-CVE-2016-2177.patch \ - %D%/packages/patches/openssl-CVE-2016-2178.patch \ %D%/packages/patches/orpheus-cast-errors-and-includes.patch \ %D%/packages/patches/ots-no-include-missing-file.patch \ %D%/packages/patches/patchelf-page-size.patch \ 
diff --git a/gnu/packages/patches/openssl-CVE-2016-2177.patch b/gnu/packages/patches/openssl-CVE-2016-2177.patch deleted file mode 100644 index f6465ae..0000000 --- a/gnu/packages/patches/openssl-CVE-2016-2177.patch +++ /dev/null 
@@ -1,286 +0,0 @@ -Fix CVE-2016-2177. - -<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2177> - -Source: -<https://git.openssl.org/?p=openssl.git;a=commit;h=a004e72b95835136d3f1ea90517f706c24c03da7> - -From a004e72b95835136d3f1ea90517f706c24c03da7 Mon Sep 17 00:00:00 2001 -From: Matt Caswell <matt@openssl.org> -Date: Thu, 5 May 2016 11:10:26 +0100 -Subject: [PATCH] Avoid some undefined pointer arithmetic - -A common idiom in the codebase is: - -if (p + len > limit) -{ - return; /* Too long */ -} - -Where "p" points to some malloc'd data of SIZE bytes and -limit == p + SIZE - -"len" here could be from some externally supplied data (e.g. from a TLS -message). - -The rules of C pointer arithmetic are such that "p + len" is only well -defined where len <= SIZE. Therefore the above idiom is actually -undefined behaviour. - -For example this could cause problems if some malloc implementation -provides an address for "p" such that "p + len" actually overflows for -values of len that are too big and therefore p + len < limit! - -Issue reported by Guido Vranken. 
- -CVE-2016-2177 - -Reviewed-by: Rich Salz <rsalz@openssl.org> ---- - ssl/s3_srvr.c | 14 +++++++------- - ssl/ssl_sess.c | 2 +- - ssl/t1_lib.c | 56 ++++++++++++++++++++++++++++++-------------------------- - 3 files changed, 38 insertions(+), 34 deletions(-) - -diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c -index ab28702..ab7f690 100644 ---- a/ssl/s3_srvr.c -+++ b/ssl/s3_srvr.c -@@ -980,7 +980,7 @@ int ssl3_get_client_hello(SSL *s) - - session_length = *(p + SSL3_RANDOM_SIZE); - -- if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) { -+ if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; -@@ -998,7 +998,7 @@ int ssl3_get_client_hello(SSL *s) - /* get the session-id */ - j = *(p++); - -- if (p + j > d + n) { -+ if ((d + n) - p < j) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; -@@ -1054,14 +1054,14 @@ int ssl3_get_client_hello(SSL *s) - - if (SSL_IS_DTLS(s)) { - /* cookie stuff */ -- if (p + 1 > d + n) { -+ if ((d + n) - p < 1) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; - } - cookie_len = *(p++); - -- if (p + cookie_len > d + n) { -+ if ((d + n ) - p < cookie_len) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; -@@ -1131,7 +1131,7 @@ int ssl3_get_client_hello(SSL *s) - } - } - -- if (p + 2 > d + n) { -+ if ((d + n ) - p < 2) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; -@@ -1145,7 +1145,7 @@ int ssl3_get_client_hello(SSL *s) - } - - /* i bytes of cipher data + 1 byte for compression length later */ -- if ((p + i + 1) > (d + n)) { -+ if ((d + n) - p < i + 1) { - /* not enough data */ - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); -@@ -1211,7 +1211,7 @@ int 
ssl3_get_client_hello(SSL *s) - - /* compression */ - i = *(p++); -- if ((p + i) > (d + n)) { -+ if ((d + n) - p < i) { - /* not enough data */ - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); -diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c -index b182998..54ee783 100644 ---- a/ssl/ssl_sess.c -+++ b/ssl/ssl_sess.c -@@ -573,7 +573,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, - int r; - #endif - -- if (session_id + len > limit) { -+ if (limit - session_id < len) { - fatal = 1; - goto err; - } -diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c -index fb64607..cdac011 100644 ---- a/ssl/t1_lib.c -+++ b/ssl/t1_lib.c -@@ -1867,11 +1867,11 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, - 0x02, 0x03, /* SHA-1/ECDSA */ - }; - -- if (data >= (limit - 2)) -+ if (limit - data <= 2) - return; - data += 2; - -- if (data > (limit - 4)) -+ if (limit - data < 4) - return; - n2s(data, type); - n2s(data, size); -@@ -1879,7 +1879,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, - if (type != TLSEXT_TYPE_server_name) - return; - -- if (data + size > limit) -+ if (limit - data < size) - return; - data += size; - -@@ -1887,7 +1887,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, - const size_t len1 = sizeof(kSafariExtensionsBlock); - const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock); - -- if (data + len1 + len2 != limit) -+ if (limit - data != (int)(len1 + len2)) - return; - if (memcmp(data, kSafariExtensionsBlock, len1) != 0) - return; -@@ -1896,7 +1896,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, - } else { - const size_t len = sizeof(kSafariExtensionsBlock); - -- if (data + len != limit) -+ if (limit - data != (int)(len)) - return; - if (memcmp(data, kSafariExtensionsBlock, len) != 0) - return; -@@ -2053,19 +2053,19 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, - if (data == limit) - goto ri_check; - 
-- if (data > (limit - 2)) -+ if (limit - data < 2) - goto err; - - n2s(data, len); - -- if (data + len != limit) -+ if (limit - data != len) - goto err; - -- while (data <= (limit - 4)) { -+ while (limit - data >= 4) { - n2s(data, type); - n2s(data, size); - -- if (data + size > (limit)) -+ if (limit - data < size) - goto err; - # if 0 - fprintf(stderr, "Received extension type %d size %d\n", type, size); -@@ -2472,18 +2472,18 @@ static int ssl_scan_clienthello_custom_tlsext(SSL *s, - if (s->hit || s->cert->srv_ext.meths_count == 0) - return 1; - -- if (data >= limit - 2) -+ if (limit - data <= 2) - return 1; - n2s(data, len); - -- if (data > limit - len) -+ if (limit - data < len) - return 1; - -- while (data <= limit - 4) { -+ while (limit - data >= 4) { - n2s(data, type); - n2s(data, size); - -- if (data + size > limit) -+ if (limit - data < size) - return 1; - if (custom_ext_parse(s, 1 /* server */ , type, data, size, al) <= 0) - return 0; -@@ -2569,20 +2569,20 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, - SSL_TLSEXT_HB_DONT_SEND_REQUESTS); - # endif - -- if (data >= (d + n - 2)) -+ if ((d + n) - data <= 2) - goto ri_check; - - n2s(data, length); -- if (data + length != d + n) { -+ if ((d + n) - data != length) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - -- while (data <= (d + n - 4)) { -+ while ((d + n) - data >= 4) { - n2s(data, type); - n2s(data, size); - -- if (data + size > (d + n)) -+ if ((d + n) - data < size) - goto ri_check; - - if (s->tlsext_debug_cb) -@@ -3307,29 +3307,33 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, - /* Skip past DTLS cookie */ - if (SSL_IS_DTLS(s)) { - i = *(p++); -- p += i; -- if (p >= limit) -+ -+ if (limit - p <= i) - return -1; -+ -+ p += i; - } - /* Skip past cipher list */ - n2s(p, i); -- p += i; -- if (p >= limit) -+ if (limit - p <= i) - return -1; -+ p += i; -+ - /* Skip past compression algorithm list */ - i = *(p++); -- p += i; -- if (p > limit) -+ if (limit - p < 
i) - return -1; -+ p += i; -+ - /* Now at start of extensions */ -- if ((p + 2) >= limit) -+ if (limit - p <= 2) - return 0; - n2s(p, i); -- while ((p + 4) <= limit) { -+ while (limit - p >= 4) { - unsigned short type, size; - n2s(p, type); - n2s(p, size); -- if (p + size > limit) -+ if (limit - p < size) - return 0; - if (type == TLSEXT_TYPE_session_ticket) { - int r; --- -2.8.4 - diff --git a/gnu/packages/patches/openssl-CVE-2016-2178.patch b/gnu/packages/patches/openssl-CVE-2016-2178.patch deleted file mode 100644 index 37cf276..0000000 --- a/gnu/packages/patches/openssl-CVE-2016-2178.patch +++ /dev/null 
@@ -1,112 +0,0 @@ -Fix CVE-2016-2178. - -<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2178> - -Source: -<https://git.openssl.org/?p=openssl.git;a=commit;h=621eaf49a289bfac26d4cbcdb7396e796784c534> -<https://git.openssl.org/?p=openssl.git;a=commit;h=b7d0f2834e139a20560d64c73e2565e93715ce2b> - -From 621eaf49a289bfac26d4cbcdb7396e796784c534 Mon Sep 17 00:00:00 2001 -From: Cesar Pereida <cesar.pereida@aalto.fi> -Date: Mon, 23 May 2016 12:45:25 +0300 -Subject: [PATCH 1/2] Fix DSA, preserve BN_FLG_CONSTTIME - -Operations in the DSA signing algorithm should run in constant time in -order to avoid side channel attacks. A flaw in the OpenSSL DSA -implementation means that a non-constant time codepath is followed for -certain operations. This has been demonstrated through a cache-timing -attack to be sufficient for an attacker to recover the private DSA key. - -CVE-2016-2178 - -Reviewed-by: Richard Levitte <levitte@openssl.org> -Reviewed-by: Matt Caswell <matt@openssl.org> ---- - crypto/dsa/dsa_ossl.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c -index efc4f1b..b29eb4b 100644 ---- a/crypto/dsa/dsa_ossl.c -+++ b/crypto/dsa/dsa_ossl.c -@@ -248,9 +248,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, - if (!BN_rand_range(&k, dsa->q)) - goto err; - while (BN_is_zero(&k)) ; -- if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { -- BN_set_flags(&k, BN_FLG_CONSTTIME); -- } - - if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { - if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, -@@ -279,9 +276,12 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, - } - - K = &kq; -+ -+ BN_set_flags(K, BN_FLG_CONSTTIME); - } else { - K = &k; - } -+ - DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx, - dsa->method_mont_p); - if (!BN_mod(r, r, dsa->q, ctx)) --- -2.8.4 - -From b7d0f2834e139a20560d64c73e2565e93715ce2b Mon Sep 17 00:00:00 2001 -From: Matt Caswell 
<matt@openssl.org> -Date: Tue, 7 Jun 2016 09:12:51 +0100 -Subject: [PATCH 2/2] More fix DSA, preserve BN_FLG_CONSTTIME - -The previous "fix" still left "k" exposed to constant time problems in -the later BN_mod_inverse() call. Ensure both k and kq have the -BN_FLG_CONSTTIME flag set at the earliest opportunity after creation. - -CVE-2016-2178 - -Reviewed-by: Rich Salz <rsalz@openssl.org> ---- - crypto/dsa/dsa_ossl.c | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c -index b29eb4b..58013a4 100644 ---- a/crypto/dsa/dsa_ossl.c -+++ b/crypto/dsa/dsa_ossl.c -@@ -247,7 +247,12 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, - do - if (!BN_rand_range(&k, dsa->q)) - goto err; -- while (BN_is_zero(&k)) ; -+ while (BN_is_zero(&k)); -+ -+ if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { -+ BN_set_flags(&k, BN_FLG_CONSTTIME); -+ } -+ - - if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { - if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, -@@ -261,6 +266,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, - if (!BN_copy(&kq, &k)) - goto err; - -+ BN_set_flags(&kq, BN_FLG_CONSTTIME); -+ - /* - * We do not want timing information to leak the length of k, so we - * compute g^k using an equivalent exponent of fixed length. (This -@@ -276,8 +283,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, - } - - K = &kq; -- -- BN_set_flags(K, BN_FLG_CONSTTIME); - } else { - K = &k; - } --- -2.8.4 - diff --git a/gnu/packages/patches/openssl-c-rehash-in.patch b/gnu/packages/patches/openssl-c-rehash-in.patch index bd3d317..e3a982b 100644 --- a/gnu/packages/patches/openssl-c-rehash-in.patch +++ b/gnu/packages/patches/openssl-c-rehash-in.patch 
@@ -5,13 +5,15 @@ The 'c_rehash' program is seldom used, but it is used nonetheless to create symbolic links to certificates, for instance in the 'nss-certs' package. ---- openssl-1.0.2g/tools/c_rehash.in 2015-09-09 18:36:07.313316482 +0200 -+++ openssl-1.0.2g/tools/c_rehash.in 2015-09-09 18:36:28.965458458 +0200 +diff --git a/tools/c_rehash.in b/tools/c_rehash.in +index 2fef627..9d40eae 100644 +--- a/tools/c_rehash.in ++++ b/tools/c_rehash.in @@ -1,4 +1,6 @@ --#!/usr/local/bin/perl +-#!{- $config{hashbangperl} -} +eval '(exit $?0)' && eval 'exec perl -wS "$0" ${1+"$@"}' + & eval 'exec perl -wS "$0" $argv:q' + if 0; - # Perl c_rehash script, scan all files in a directory - # and add symbolic links to their hash values. + # {- join("\n# ", @autowarntext) -} + # Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. diff --git a/gnu/packages/patches/openssl-runpath.patch b/gnu/packages/patches/openssl-runpath.patch deleted file mode 100644 index fa7c0b9..0000000 --- a/gnu/packages/patches/openssl-runpath.patch +++ /dev/null @@ -1,15 +0,0 @@ -This patch makes the build system pass -Wl,-rpath=$out/lib even for -libraries (it already does so for executables, thanks to 'DO_GNU_APP' -in 'Makefile.shared'.) - ---- openssl-1.0.2a/Makefile.shared 2015-04-05 01:07:35.357602454 +0200 -+++ openssl-1.0.2a/Makefile.shared 2015-04-05 01:09:50.474513303 +0200 -@@ -106,7 +106,7 @@ LINK_SO= \ - LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \ - LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \ - LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \ -- $${SHAREDCMD} $${SHAREDFLAGS} \ -+ $${SHAREDCMD} $${SHAREDFLAGS} -Wl,-rpath,$(LIBRPATH) \ - -o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \ - $$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS \ - ) && $(SYMLINK_SO) diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index 4b87150..42b59fe 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm 
@@ -185,7 +185,7 @@ required structures.") (define-public openssl (package (name "openssl") - (version "1.0.2h") + (version "1.1.0") (source (origin (method url-fetch) (uri (list (string-append "ftp://ftp.openssl.org/source/" @@ -195,15 +195,12 @@ required structures.") "/" name "-" version ".tar.gz"))) (sha256 (base32 - "06996ds1rk8xhnyb5y273a7xkcxhggp4bq1g02rab55d7bjhfh0x")) - (patches (search-patches "openssl-runpath.patch" - "openssl-c-rehash-in.patch" - "openssl-CVE-2016-2177.patch" - "openssl-CVE-2016-2178.patch")))) + "10lcpmnxap9nw8ymdglys93cgkwd1lf1rz4fhq5whwhlmkwrzipm")) + (patches (search-patches "openssl-c-rehash-in.patch")))) (build-system gnu-build-system) (outputs '("out" - "doc" ;1.5MiB of man3 pages - "static")) ;6MiB of .a files + "doc" ;1.3MiB of man3 pages + "static")) ;5.5MiB of .a files (native-inputs `(("perl" ,perl))) (arguments `(#:disallowed-references (,perl) @@ -216,16 +213,14 @@ required structures.") #:disallowed-references ,(list (canonical-package perl)) #:phases (modify-phases %standard-phases - (add-before - 'configure 'patch-Makefile.org - (lambda* (#:key outputs #:allow-other-keys) - ;; The default MANDIR is some unusual place. Fix that. - (let ((out (assoc-ref outputs "out"))) - (patch-makefile-SHELL "Makefile.org") - (substitute* "Makefile.org" - (("^MANDIR[[:blank:]]*=.*$") - (string-append "MANDIR = " out "/share/man\n"))) - #t))) + (add-after 'configure 'patch-runpath + (lambda* (#:key outputs #:allow-other-keys) + (let ((lib (string-append (assoc-ref outputs "out") "/lib"))) + (substitute* "Makefile.shared" + (("\\$\\$\\{SHAREDCMD\\} \\$\\$\\{SHAREDFLAGS\\}") + (string-append "$${SHAREDCMD} $${SHAREDFLAGS}" + " -Wl,-rpath," lib))) + #t))) (replace 'configure (lambda* (#:key outputs #:allow-other-keys) 
@@ -286,17 +281,8 @@ required structures.") (string-append target "/" (basename file)))) (find-files man3)) + (delete-file-recursively man3) #t))) - (add-before - 'patch-source-shebangs 'patch-tests - (lambda* (#:key inputs native-inputs #:allow-other-keys) - (let ((bash (assoc-ref (or native-inputs inputs) "bash"))) - (substitute* (find-files "test" ".*") - (("/bin/sh") - (string-append bash "/bin/bash")) - (("/bin/rm") - "rm")) - #t))) (add-after 'install 'remove-miscellany (lambda* (#:key outputs #:allow-other-keys) -- 2.9.3 ^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [PATCH 0/1] OpenSSL 1.1.0
From: Ricardo Wurmus @ 2016-09-02 7:40 UTC
To: Leo Famulari; +Cc: guix-devel

Leo Famulari <leo@famulari.name> writes:

> This patch updates OpenSSL to 1.1.0.
>
> I don't think we should update now; basically nothing works yet with the
> new interface.
>
> But, I could adapt the patch to add this version as openssl-next.
>
> Your thoughts?

I also read about lots of breakage due to the update, so I think it’s
okay to add it as “openssl-next” for now.

~~ Ricardo
* Re: [PATCH 0/1] OpenSSL 1.1.0
From: Ludovic Courtès @ 2016-09-02 12:43 UTC
To: Ricardo Wurmus; +Cc: guix-devel

Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de> skribis:

> Leo Famulari <leo@famulari.name> writes:
>
>> This patch updates OpenSSL to 1.1.0.
>>
>> I don't think we should update now; basically nothing works yet with the
>> new interface.
>>
>> But, I could adapt the patch to add this version as openssl-next.
>>
>> Your thoughts?
>
> I also read about lots of breakage due to the update, so I think it’s
> okay to add it as “openssl-next” for now.

Agreed (though it’s fine to use “openssl” in the ‘name’ field IMO.)

Ludo’.
* Re: [PATCH 0/1] OpenSSL 1.1.0 2016-09-02 12:43 ` Ludovic Courtès @ 2016-09-02 20:14 ` Leo Famulari 2016-09-02 20:30 ` Leo Famulari 2016-09-03 13:50 ` Ludovic Courtès 0 siblings, 2 replies; 15+ messages in thread From: Leo Famulari @ 2016-09-02 20:14 UTC (permalink / raw) To: Ludovic Courtès; +Cc: guix-devel [-- Attachment #1.1: Type: text/plain, Size: 460 bytes --] On Fri, Sep 02, 2016 at 02:43:58PM +0200, Ludovic Courtès wrote: > > I also read about lots of breakage due to the update so I think it’s > > okay to add it as “openssl-next” for now. > > Agreed (though its fine to use “openssl” in the ‘name’ field IMO.) When I put "openssl" in the 'name' field, as attached, `guix build openssl` gives me 1.1.0, which is not right. The other *-next packages all seem to use "name-next" as the name. [-- Attachment #1.2: 0001-gnu-Add-openssl-next.patch --] [-- Type: text/plain, Size: 7743 bytes --] From b09132baa7181542b82804985aac7d5f030ec545 Mon Sep 17 00:00:00 2001 From: Leo Famulari <leo@famulari.name> Date: Fri, 2 Sep 2016 16:07:29 -0400 Subject: [PATCH] gnu: Add openssl-next. * gnu/packages/tls.scm (openssl-next): New variable. * gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. --- gnu/local.mk | 1 + .../patches/openssl-1.1.0-c-rehash-in.patch | 19 ++++ gnu/packages/tls.scm | 103 +++++++++++++++++++++ 3 files changed, 123 insertions(+) create mode 100644 gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch diff --git a/gnu/local.mk b/gnu/local.mk index efb00b9..0c2740d 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -699,6 +699,7 @@ dist_patch_DATA = \ %D%/packages/patches/openjpeg-CVE-2015-6581.patch \ %D%/packages/patches/openjpeg-use-after-free-fix.patch \ %D%/packages/patches/openssl-runpath.patch \ + %D%/packages/patches/openssl-1.1.0-c-rehash-in.patch \ %D%/packages/patches/openssl-c-rehash-in.patch \ %D%/packages/patches/openssl-CVE-2016-2177.patch \ %D%/packages/patches/openssl-CVE-2016-2178.patch \ 
diff --git a/gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch b/gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch new file mode 100644 index 0000000..e3a982b --- /dev/null +++ b/gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch @@ -0,0 +1,19 @@ +This patch removes the explicit reference to the 'perl' binary, +such that OpenSSL does not retain a reference to Perl. + +The 'c_rehash' program is seldom used, but it is used nonetheless +to create symbolic links to certificates, for instance in the 'nss-certs' +package. + +diff --git a/tools/c_rehash.in b/tools/c_rehash.in +index 2fef627..9d40eae 100644 +--- a/tools/c_rehash.in ++++ b/tools/c_rehash.in +@@ -1,4 +1,6 @@ +-#!{- $config{hashbangperl} -} ++eval '(exit $?0)' && eval 'exec perl -wS "$0" ${1+"$@"}' ++ & eval 'exec perl -wS "$0" $argv:q' ++ if 0; + + # {- join("\n# ", @autowarntext) -} + # Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index 4b87150..389fea4 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm 
@@ -323,6 +323,109 @@ required structures.") (license license:openssl) (home-page "http://www.openssl.org/"))) +(define-public openssl-next + (package + (inherit openssl) + (name "openssl") + (version "1.1.0") + (source (origin + (method url-fetch) + (uri (list (string-append "ftp://ftp.openssl.org/source/" + name "-" version ".tar.gz") + (string-append "ftp://ftp.openssl.org/source/old/" + (string-trim-right version char-set:letter) + "/" name "-" version ".tar.gz"))) + (patches (search-patches "openssl-1.1.0-c-rehash-in.patch")) + (sha256 + (base32 + "10lcpmnxap9nw8ymdglys93cgkwd1lf1rz4fhq5whwhlmkwrzipm")))) + (outputs '("out" + "doc" ;1.3MiB of man3 pages + "static")) ; 5.5MiB of .a files + (arguments + (substitute-keyword-arguments (package-arguments openssl) + ((#:phases phases) + `(modify-phases ,phases + (add-after 'configure 'patch-runpath + (lambda* (#:key outputs #:allow-other-keys) + (let ((lib (string-append (assoc-ref outputs "out") "/lib"))) + (substitute* "Makefile.shared" + (("\\$\\$\\{SHAREDCMD\\} \\$\\$\\{SHAREDFLAGS\\}") + (string-append "$${SHAREDCMD} $${SHAREDFLAGS}" + " -Wl,-rpath," lib))) + #t))) + (replace + 'configure + (lambda* (#:key outputs #:allow-other-keys) + (let ((out (assoc-ref outputs "out"))) + (zero? + (system* "./config" + "shared" ;build shared libraries + "--libdir=lib" + + ;; The default for this catch-all directory is + ;; PREFIX/ssl. Change that to something more + ;; conventional. + (string-append "--openssldir=" out + "/share/openssl-" ,version) + + (string-append "--prefix=" out) + + ;; XXX FIXME: Work around a code generation bug in GCC + ;; 4.9.3 on ARM when compiled with -mfpu=neon. See: + ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917> + ,@(if (and (not (%current-target-system)) + (string-prefix? "armhf" (%current-system))) + '("-mfpu=vfpv3") + '())))))) + (add-after + 'install 'make-libraries-writable + (lambda* (#:key outputs #:allow-other-keys) + ;; Make libraries writable so that 'strip' does its job. 
+ (let ((out (assoc-ref outputs "out"))) + (for-each (lambda (file) + (chmod file #o644)) + (find-files (string-append out "/lib") + "\\.so")) + #t))) + (add-after 'install 'move-static-libraries + (lambda* (#:key outputs #:allow-other-keys) + ;; Move static libraries to the "static" output. + (let* ((out (assoc-ref outputs "out")) + (lib (string-append out "/lib")) + (static (assoc-ref outputs "static")) + (slib (string-append static "/lib"))) + (mkdir-p slib) + (for-each (lambda (file) + (install-file file slib) + (delete-file file)) + (find-files lib "\\.a$")) + #t))) + (add-after 'install 'move-man3-pages + (lambda* (#:key outputs #:allow-other-keys) + ;; Move section 3 man pages to "doc". + (let* ((out (assoc-ref outputs "out")) + (man3 (string-append out "/share/man/man3")) + (doc (assoc-ref outputs "doc")) + (target (string-append doc "/share/man/man3"))) + (mkdir-p target) + (for-each (lambda (file) + (rename-file file + (string-append target "/" + (basename file)))) + (find-files man3)) + (delete-file-recursively man3) + #t))) + (add-after + 'install 'remove-miscellany + (lambda* (#:key outputs #:allow-other-keys) + ;; The 'misc' directory contains random undocumented shell and Perl + ;; scripts. Remove them to avoid retaining a reference on Perl. + (let ((out (assoc-ref outputs "out"))) + (delete-file-recursively (string-append out "/share/openssl-" + ,version "/misc")) + #t))))))))) + (define-public libressl (package (name "libressl") -- 2.9.3 [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 819 bytes --] ^ permalink raw reply related [flat|nested] 15+ messages in thread
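Review bot: because openssl-next inherits the arguments of openssl and only adds phases, the parent's 'patch-Makefile.org and 'patch-tests phases still run; the full-update patch earlier in this thread removed both as no longer applicable to 1.1.0, and if Makefile.org is absent from the 1.1.0 tree the substitute* in 'patch-Makefile.org fails the build outright. Add (delete 'patch-Makefile.org) and (delete 'patch-tests) at the top of the modify-phases form. In the same hunk, 'make-libraries-writable, 'move-static-libraries and 'remove-miscellany are added with add-after although openssl already provides phases of those names with the same bodies, so they end up in the phase list twice; only 'patch-runpath and the 'configure replacement are new, and 'move-man3-pages differs from the parent only by the (delete-file-recursively man3) line, which wants replace rather than add-after. If the intent is to keep the two packages independent (as the follow-up asks), dropping inherit and copying the arguments wholesale avoids both problems.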
* Re: [PATCH 0/1] OpenSSL 1.1.0
From: Leo Famulari @ 2016-09-02 20:30 UTC
To: Ludovic Courtès; +Cc: guix-devel

On Fri, Sep 02, 2016 at 04:14:22PM -0400, Leo Famulari wrote:
> +(define-public openssl-next
> +  (package
> +    (inherit openssl)

Also, I wonder if this should inherit from openssl?

Presumably there will be more security updates to openssl@1.0.2 before
openssl@1.1.0 is ready for general use, and I wouldn't like for
openssl@1.0.2 updates to be delayed while we wait to see if
openssl@1.1.0 still builds with the changes.
* Re: [PATCH 0/1] OpenSSL 1.1.0
From: Ludovic Courtès @ 2016-09-03 13:50 UTC
To: Leo Famulari; +Cc: guix-devel

Leo Famulari <leo@famulari.name> skribis:

> On Fri, Sep 02, 2016 at 02:43:58PM +0200, Ludovic Courtès wrote:
>> > I also read about lots of breakage due to the update, so I think it’s
>> > okay to add it as “openssl-next” for now.
>>
>> Agreed (though it’s fine to use “openssl” in the ‘name’ field IMO.)
>
> When I put "openssl" in the 'name' field, as attached, `guix build
> openssl` gives me 1.1.0, which is not right. The other *-next packages
> all seem to use "name-next" as the name.

Yes, but it’s different. Guile 2.1, for instance, is the development
series, so it makes sense to give it a different name so users don’t end
up using the “wrong” series.

Conversely, IIUC, OpenSSL 1.1.0 is the new stable series, no?

> On Fri, Sep 02, 2016 at 04:14:22PM -0400, Leo Famulari wrote:
>> +(define-public openssl-next
>> +  (package
>> +    (inherit openssl)
>
> Also, I wonder if this should inherit from openssl?
>
> Presumably there will be more security updates to openssl@1.0.2 before
> openssl@1.1.0 is ready for general use, and I wouldn't like for
> openssl@1.0.2 updates to be delayed while we wait to see if
> openssl@1.1.0 still builds with the changes.

Though OpenSSL builds in 5–10 minutes, so the extra check wouldn’t take
so long, no?

Anyway, if you think keeping them separate is more convenient, go for it!

Thanks,
Ludo’.
* Re: [PATCH 0/1] OpenSSL 1.1.0
From: Leo Famulari @ 2016-09-03 14:06 UTC
To: Ludovic Courtès; +Cc: guix-devel

On Sat, Sep 03, 2016 at 03:50:55PM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> > When I put "openssl" in the 'name' field, as attached, `guix build
> > openssl` gives me 1.1.0, which is not right. The other *-next packages
> > all seem to use "name-next" as the name.
>
> Yes, but it’s different. Guile 2.1, for instance, is the development
> series, so it makes sense to give it a different name so users don’t end
> up using the “wrong” series.
>
> Conversely, IIUC, OpenSSL 1.1.0 is the new stable series, no?

1.1.0 is the new stable series, but I haven't found any software that
can use the new interface yet. So, I don't want to make 1.1.0 the
default OpenSSL version in Guix. Does that make sense?

> > Also, I wonder if this should inherit from openssl?
> >
> > Presumably there will be more security updates to openssl@1.0.2 before
> > openssl@1.1.0 is ready for general use, and I wouldn't like for
> > openssl@1.0.2 updates to be delayed while we wait to see if
> > openssl@1.1.0 still builds with the changes.
>
> Though OpenSSL builds in 5–10 minutes, so the extra check wouldn’t take
> so long, no?

I guess it will not matter for now, since nothing will be using it. When
it becomes widely used, we can revisit this question.
* Re: [PATCH 0/1] OpenSSL 1.1.0
From: Ludovic Courtès @ 2016-09-03 14:34 UTC
To: Leo Famulari; +Cc: guix-devel

Leo Famulari <leo@famulari.name> skribis:

> On Sat, Sep 03, 2016 at 03:50:55PM +0200, Ludovic Courtès wrote:
>> Leo Famulari <leo@famulari.name> skribis:
>> > When I put "openssl" in the 'name' field, as attached, `guix build
>> > openssl` gives me 1.1.0, which is not right. The other *-next packages
>> > all seem to use "name-next" as the name.
>>
>> Yes, but it’s different. Guile 2.1, for instance, is the development
>> series, so it makes sense to give it a different name so users don’t end
>> up using the “wrong” series.
>>
>> Conversely, IIUC, OpenSSL 1.1.0 is the new stable series, no?
>
> 1.1.0 is the new stable series, but I haven't found any software that
> can use the new interface yet. So, I don't want to make 1.1.0 the
> default OpenSSL version in Guix. Does that make sense?

Yes, but as long as ‘openssl’ refers to 1.0.x, it doesn’t really matter
that the “openssl” package points to the latest one, no? Users can still
run “guix package -i openssl@1.0” if they want.

Ludo’.
* Re: [PATCH 0/1] OpenSSL 1.1.0 2016-09-03 14:34 ` Ludovic Courtès @ 2016-09-04 2:20 ` Leo Famulari 2016-09-04 2:48 ` Leo Famulari 2016-09-05 20:35 ` Ludovic Courtès 0 siblings, 2 replies; 15+ messages in thread From: Leo Famulari @ 2016-09-04 2:20 UTC (permalink / raw) To: Ludovic Courtès; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 328 bytes --] On Sat, Sep 03, 2016 at 04:34:51PM +0200, Ludovic Courtès wrote: > Yes, but as long the ‘openssl’ refers to 1.0.x, it doesn’t really matter > than the “openssl” package points to the latest one, no? Use can still > run “guix package -i openssl@1.0” if they want. Oh, right :) I've attached a patch for review. [-- Attachment #2: 0001-gnu-Add-openssl-next.patch --] [-- Type: text/plain, Size: 7746 bytes --] From 2e6f500c7876733206e231fd98ebe7419d9b076f Mon Sep 17 00:00:00 2001 From: Leo Famulari <leo@famulari.name> Date: Fri, 2 Sep 2016 16:07:29 -0400 Subject: [PATCH] gnu: Add openssl-next. * gnu/packages/tls.scm (openssl-next): New variable. * gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. --- gnu/local.mk | 1 + .../patches/openssl-1.1.0-c-rehash-in.patch | 19 ++++ gnu/packages/tls.scm | 110 +++++++++++++++++++++ 3 files changed, 130 insertions(+) create mode 100644 gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch diff --git a/gnu/local.mk b/gnu/local.mk index efb00b9..0c2740d 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -699,6 +699,7 @@ dist_patch_DATA = \ %D%/packages/patches/openjpeg-CVE-2015-6581.patch \ %D%/packages/patches/openjpeg-use-after-free-fix.patch \ %D%/packages/patches/openssl-runpath.patch \ + %D%/packages/patches/openssl-1.1.0-c-rehash-in.patch \ %D%/packages/patches/openssl-c-rehash-in.patch \ %D%/packages/patches/openssl-CVE-2016-2177.patch \ %D%/packages/patches/openssl-CVE-2016-2178.patch \ 
diff --git a/gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch b/gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch new file mode 100644 index 0000000..e3a982b --- /dev/null +++ b/gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch @@ -0,0 +1,19 @@ +This patch removes the explicit reference to the 'perl' binary, +such that OpenSSL does not retain a reference to Perl. + +The 'c_rehash' program is seldom used, but it is used nonetheless +to create symbolic links to certificates, for instance in the 'nss-certs' +package. + +diff --git a/tools/c_rehash.in b/tools/c_rehash.in +index 2fef627..9d40eae 100644 +--- a/tools/c_rehash.in ++++ b/tools/c_rehash.in +@@ -1,4 +1,6 @@ +-#!{- $config{hashbangperl} -} ++eval '(exit $?0)' && eval 'exec perl -wS "$0" ${1+"$@"}' ++ & eval 'exec perl -wS "$0" $argv:q' ++ if 0; + + # {- join("\n# ", @autowarntext) -} + # Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index 4b87150..040a48a 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm 
@@ -323,6 +323,116 @@ required structures.") (license license:openssl) (home-page "http://www.openssl.org/"))) +(define-public openssl-next + (package + (inherit openssl) + (name "openssl") + (version "1.1.0") + (source (origin + (method url-fetch) + (uri (list (string-append "ftp://ftp.openssl.org/source/" + name "-" version ".tar.gz") + (string-append "ftp://ftp.openssl.org/source/old/" + (string-trim-right version char-set:letter) + "/" name "-" version ".tar.gz"))) + (patches (search-patches "openssl-1.1.0-c-rehash-in.patch")) + (sha256 + (base32 + "10lcpmnxap9nw8ymdglys93cgkwd1lf1rz4fhq5whwhlmkwrzipm")))) + (outputs '("out" + "doc" ;1.3MiB of man3 pages + "static")) ; 5.5MiB of .a files + (arguments + `(#:disallowed-references (,perl) + #:parallel-build? #f + #:parallel-tests? #f + #:test-target "test" + + ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure, + ;; so we explicitly disallow it here. + #:disallowed-references ,(list (canonical-package perl)) + #:phases + (modify-phases %standard-phases + (add-after 'configure 'patch-runpath + (lambda* (#:key outputs #:allow-other-keys) + (let ((lib (string-append (assoc-ref outputs "out") "/lib"))) + (substitute* "Makefile.shared" + (("\\$\\$\\{SHAREDCMD\\} \\$\\$\\{SHAREDFLAGS\\}") + (string-append "$${SHAREDCMD} $${SHAREDFLAGS}" + " -Wl,-rpath," lib))) + #t))) + (replace + 'configure + (lambda* (#:key outputs #:allow-other-keys) + (let ((out (assoc-ref outputs "out"))) + (zero? + (system* "./config" + "shared" ;build shared libraries + "--libdir=lib" + + ;; The default for this catch-all directory is + ;; PREFIX/ssl. Change that to something more + ;; conventional. + (string-append "--openssldir=" out + "/share/openssl-" ,version) + + (string-append "--prefix=" out) + + ;; XXX FIXME: Work around a code generation bug in GCC + ;; 4.9.3 on ARM when compiled with -mfpu=neon. 
See: + ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917> + ,@(if (and (not (%current-target-system)) + (string-prefix? "armhf" (%current-system))) + '("-mfpu=vfpv3") + '())))))) + (add-after + 'install 'make-libraries-writable + (lambda* (#:key outputs #:allow-other-keys) + ;; Make libraries writable so that 'strip' does its job. + (let ((out (assoc-ref outputs "out"))) + (for-each (lambda (file) + (chmod file #o644)) + (find-files (string-append out "/lib") + "\\.so")) + #t))) + (add-after 'install 'move-static-libraries + (lambda* (#:key outputs #:allow-other-keys) + ;; Move static libraries to the "static" output. + (let* ((out (assoc-ref outputs "out")) + (lib (string-append out "/lib")) + (static (assoc-ref outputs "static")) + (slib (string-append static "/lib"))) + (mkdir-p slib) + (for-each (lambda (file) + (install-file file slib) + (delete-file file)) + (find-files lib "\\.a$")) + #t))) + (add-after 'install 'move-man3-pages + (lambda* (#:key outputs #:allow-other-keys) + ;; Move section 3 man pages to "doc". + (let* ((out (assoc-ref outputs "out")) + (man3 (string-append out "/share/man/man3")) + (doc (assoc-ref outputs "doc")) + (target (string-append doc "/share/man/man3"))) + (mkdir-p target) + (for-each (lambda (file) + (rename-file file + (string-append target "/" + (basename file)))) + (find-files man3)) + (delete-file-recursively man3) + #t))) + (add-after + 'install 'remove-miscellany + (lambda* (#:key outputs #:allow-other-keys) + ;; The 'misc' directory contains random undocumented shell and Perl + ;; scripts. Remove them to avoid retaining a reference on Perl. + (let ((out (assoc-ref outputs "out"))) + (delete-file-recursively (string-append out "/share/openssl-" + ,version "/misc")) + #t)))))))) + (define-public libressl (package (name "libressl") -- 2.10.0 ^ permalink raw reply related [flat|nested] 15+ messages in thread
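Review bot: in the tools/c_rehash.in hunk, dropping the `#!{- $config{hashbangperl} -}` line leaves the installed c_rehash with no interpreter line at all; the `eval '(exit $?0)' && eval 'exec perl -wS "$0" ${1+"$@"}'` prologue only works when the calling shell falls back to running a shebang-less file as a shell script, and it then resolves `perl` through `PATH` at run time instead of a fixed store path. That does achieve the stated goal (OpenSSL retains no reference to Perl), but the patch header should spell out that `c_rehash` now needs `perl` on `PATH` whenever it is invoked, for instance in the `nss-certs` build the header itself mentions, so that consumers add perl as an input rather than expecting the script to work stand-alone.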
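Review bot: in the gnu/packages/tls.scm hunk, the `arguments` list passes `#:disallowed-references` twice, first as `(,perl)` directly after the backquote and again as `,(list (canonical-package perl))` under the "sneak in" comment; only one of the two values can take effect, so keep the `canonical-package` form that carries the comment and drop the first. Also, `(inherit openssl)` is largely undone by re-listing every phase of the parent (`configure`, `make-libraries-writable`, `move-static-libraries`, `move-man3-pages`, `remove-miscellany`), so any later fix to the 1.0.2 phases, security-motivated or not, would have to be copied here by hand; deriving the phase list from `(package-arguments openssl)` and only adding the 1.1.0-specific `patch-runpath` would keep the two series in step.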
* Re: [PATCH 0/1] OpenSSL 1.1.0
From: Leo Famulari @ 2016-09-04 2:48 UTC
To: Ludovic Courtès; +Cc: guix-devel

On Sat, Sep 03, 2016 at 10:20:49PM -0400, Leo Famulari wrote:
> On Sat, Sep 03, 2016 at 04:34:51PM +0200, Ludovic Courtès wrote:
> > Yes, but as long as ‘openssl’ refers to 1.0.x, it doesn’t really matter
> > that the “openssl” package points to the latest one, no? Users can still
> > run “guix package -i openssl@1.0” if they want.
>
> Oh, right :)
>
> I've attached a patch for review.

By the way, if you run `guix lint`, you will see a warning about CVE-2016-2183. I think we will be unaffected; this vulnerability will only manifest if we build with "--enable-weak-ssl-ciphers".

https://www.openssl.org/blog/blog/2016/08/24/sweet32/
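One check a packager can run on the resulting build, as an added example that is not part of the thread or of Guix itself: CVE-2016-2183 (Sweet32) concerns cipher suites built on 64-bit block ciphers, so listing every suite compiled into the binary and filtering on the `Enc=` column of `openssl ciphers -v` shows whether the weak-cipher build option took effect. The function names are my own, and the sample lines are constructed in the `openssl ciphers -v` output format rather than captured from a real build.

```shell
#!/bin/sh
# Sweet32 (CVE-2016-2183) exposure check for an OpenSSL build.
# Reads `openssl ciphers -v` output on stdin and prints the name of every
# suite whose bulk cipher has a 64-bit block (3DES, DES, RC2, IDEA).
# Exit status: 0 when no such suite is present, 1 when at least one is.
sweet32_exposed_suites() {
    awk '
        {
            # Column layout: NAME PROTO Kx=... Au=... Enc=CIPHER(bits) Mac=...
            for (i = 1; i <= NF; i++)
                if ($i ~ /^Enc=(3DES|DES|RC2|IDEA)\(/) { print $1; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Runs the check against a given openssl binary (default: the one on PATH).
# "ALL:COMPLEMENTOFALL" asks for every suite compiled into the library,
# not only those enabled by the default cipher list.
check_openssl_build() {
    bin="${1:-openssl}"
    "$bin" ciphers -v 'ALL:COMPLEMENTOFALL' | sweet32_exposed_suites
}

# Constructed sample in `openssl ciphers -v` format (not real tool output):
# the second and third lines are the kind of suite a build with
# --enable-weak-ssl-ciphers would expose.
SAMPLE_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=ChaCha20-Poly1305 Mac=AEAD'

# Demonstration on the constructed sample: lists the two weak suites.
if printf '%s\n' "$SAMPLE_CIPHERS" | sweet32_exposed_suites; then
    echo "sample: no 64-bit block cipher suites"
else
    echo "sample: 64-bit block cipher suites present (Sweet32 relevant)"
fi

# Real check, only when an openssl binary is available on this machine.
if command -v openssl >/dev/null 2>&1; then
    if check_openssl_build; then
        echo "local openssl: no 64-bit block cipher suites compiled in"
    else
        echo "local openssl: the suites listed above are compiled in"
    fi
fi
```

Run it as `sh sweet32-check.sh` in the build environment, or call `check_openssl_build /path/to/bin/openssl` to point it at a specific store item; an empty list and a zero exit status mean the build did not pick up the weak suites.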
* Re: [PATCH 0/1] OpenSSL 1.1.0
From: Ludovic Courtès @ 2016-09-05 20:35 UTC
To: Leo Famulari; +Cc: guix-devel

Leo Famulari <leo@famulari.name> skribis:

> From 2e6f500c7876733206e231fd98ebe7419d9b076f Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Fri, 2 Sep 2016 16:07:29 -0400
> Subject: [PATCH] gnu: Add openssl-next.
>
> * gnu/packages/tls.scm (openssl-next): New variable.
> * gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.

[...]

> + (arguments
> + `(#:disallowed-references (,perl)
> + #:parallel-build? #f
> + #:parallel-tests? #f
> + #:test-target "test"
> +
> + ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
> + ;; so we explicitly disallow it here.
> + #:disallowed-references ,(list (canonical-package perl))
> + #:phases

Seems like most of the arguments and phases are shared with ‘openssl’, right? What about using ‘substitute-keyword-arguments’ to reduce duplication? Or are you concerned about potential breakage when one series or the other changes?

  (arguments
   (substitute-keyword-arguments (package-arguments openssl)
     ((#:phases phases)
      `(modify-phases ,phases
         (add-after 'something 'some-openssl-1.1-specific-phase
           …)))))

Thanks!

Ludo’.
* Re: [PATCH 0/1] OpenSSL 1.1.0 2016-09-05 20:35 ` Ludovic Courtès @ 2016-09-05 23:05 ` Leo Famulari 2016-09-06 12:29 ` Ludovic Courtès 0 siblings, 1 reply; 15+ messages in thread From: Leo Famulari @ 2016-09-05 23:05 UTC (permalink / raw) To: Ludovic Courtès; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 635 bytes --] On Mon, Sep 05, 2016 at 10:35:09PM +0200, Ludovic Courtès wrote: > Seems like most of the arguments and phases are shared with ‘openssl’, > right? What about using ‘substitute-keyword-arguments’ to reduce > duplication? Or are you concerned about potential breakage when one > series or the other changes? I've attached an updated patch using 'substitute-keyword-arguments'. BTW, my previous patch made a one-line change to 'move-man3-pages', deleting the leftover empty man3 directory in the main output after copying the manpages to the 'doc' output. Is this change desired? We can deal with breakage when it breaks :) [-- Attachment #2: 0001-gnu-Add-openssl-next.patch --] [-- Type: text/plain, Size: 4090 bytes --] From 83405a4ea3628cababd2ee5904c8d0628a002d05 Mon Sep 17 00:00:00 2001 From: Leo Famulari <leo@famulari.name> Date: Fri, 2 Sep 2016 16:07:29 -0400 Subject: [PATCH] gnu: Add openssl-next. * gnu/packages/tls.scm (openssl-next): New variable. * gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. --- gnu/local.mk | 1 + .../patches/openssl-1.1.0-c-rehash-in.patch | 19 ++++++++++++ gnu/packages/tls.scm | 35 ++++++++++++++++++++++ 3 files changed, 55 insertions(+) create mode 100644 gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch diff --git a/gnu/local.mk b/gnu/local.mk index 50363ef..eb8476a 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -701,6 +701,7 @@ dist_patch_DATA = \ %D%/packages/patches/openjpeg-CVE-2015-6581.patch \ %D%/packages/patches/openjpeg-use-after-free-fix.patch \ %D%/packages/patches/openssl-runpath.patch \ + %D%/packages/patches/openssl-1.1.0-c-rehash-in.patch \ %D%/packages/patches/openssl-c-rehash-in.patch \ %D%/packages/patches/openssl-CVE-2016-2177.patch \ %D%/packages/patches/openssl-CVE-2016-2178.patch \ diff --git a/gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch b/gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch new file mode 100644 index 0000000..e3a982b --- /dev/null +++ b/gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch @@ -0,0 +1,19 @@ +This patch removes the explicit reference to the 'perl' binary, +such that OpenSSL does not retain a reference to Perl. + +The 'c_rehash' program is seldom used, but it is used nonetheless +to create symbolic links to certificates, for instance in the 'nss-certs' +package. + +diff --git a/tools/c_rehash.in b/tools/c_rehash.in +index 2fef627..9d40eae 100644 +--- a/tools/c_rehash.in ++++ b/tools/c_rehash.in +@@ -1,4 +1,6 @@ +-#!{- $config{hashbangperl} -} ++eval '(exit $?0)' && eval 'exec perl -wS "$0" ${1+"$@"}' ++ & eval 'exec perl -wS "$0" $argv:q' ++ if 0; + + # {- join("\n# ", @autowarntext) -} + # Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm index 4b87150..efc1190 100644 --- a/gnu/packages/tls.scm +++ b/gnu/packages/tls.scm 
@@ -323,6 +323,41 @@ required structures.") (license license:openssl) (home-page "http://www.openssl.org/"))) +(define-public openssl-next + (package + (inherit openssl) + (name "openssl") + (version "1.1.0") + (source (origin + (method url-fetch) + (uri (list (string-append "ftp://ftp.openssl.org/source/" + name "-" version ".tar.gz") + (string-append "ftp://ftp.openssl.org/source/old/" + (string-trim-right version char-set:letter) + "/" name "-" version ".tar.gz"))) + (patches (search-patches "openssl-1.1.0-c-rehash-in.patch")) + (sha256 + (base32 + "10lcpmnxap9nw8ymdglys93cgkwd1lf1rz4fhq5whwhlmkwrzipm")))) + (outputs '("out" + "doc" ;1.3MiB of man3 pages + "static")) ; 5.5MiB of .a files + (arguments + (substitute-keyword-arguments (package-arguments openssl) + ((#:phases phases) + `(modify-phases ,phases + (delete 'patch-tests) ; These two phases are not needed by + (delete 'patch-Makefile.org) ; OpenSSL 1.1.0. + + (add-after 'configure 'patch-runpath + (lambda* (#:key outputs #:allow-other-keys) + (let ((lib (string-append (assoc-ref outputs "out") "/lib"))) + (substitute* "Makefile.shared" + (("\\$\\$\\{SHAREDCMD\\} \\$\\$\\{SHAREDFLAGS\\}") + (string-append "$${SHAREDCMD} $${SHAREDFLAGS}" + " -Wl,-rpath," lib))) + #t))))))))) + (define-public libressl (package (name "libressl") -- 2.10.0 ^ permalink raw reply related [flat|nested] 15+ messages in thread
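Review bot: in the gnu/packages/tls.scm hunk, `(substitute-keyword-arguments (package-arguments openssl) ...)` keeps the parent's `configure` and `remove-miscellany` phases as they are, and those phases embed `,version` inside the parent's quasiquoted `arguments`, so the unquote was evaluated when `openssl` (the 1.0.2 series) was defined: the resulting `--openssldir=` path and the `misc` directory deleted after install will be named after the 1.0.2 version string, not after "1.1.0". Either `replace` those two phases inside the `modify-phases` form with copies that use openssl-next's own `,version`, or stop relying on the `share/openssl-<version>` layout, before anything depends on where this package keeps its configuration directory.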
* Re: [PATCH 0/1] OpenSSL 1.1.0
From: Ludovic Courtès @ 2016-09-06 12:29 UTC
To: Leo Famulari; +Cc: guix-devel

Leo Famulari <leo@famulari.name> skribis:

> On Mon, Sep 05, 2016 at 10:35:09PM +0200, Ludovic Courtès wrote:
>> Seems like most of the arguments and phases are shared with ‘openssl’,
>> right? What about using ‘substitute-keyword-arguments’ to reduce
>> duplication? Or are you concerned about potential breakage when one
>> series or the other changes?
>
> I've attached an updated patch using 'substitute-keyword-arguments'.
>
> BTW, my previous patch made a one-line change to 'move-man3-pages',
> deleting the leftover empty man3 directory in the main output after
> copying the manpages to the 'doc' output. Is this change desired?

Sure. Perhaps you can commit this part to core-updates?

> From 83405a4ea3628cababd2ee5904c8d0628a002d05 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Fri, 2 Sep 2016 16:07:29 -0400
> Subject: [PATCH] gnu: Add openssl-next.
>
> * gnu/packages/tls.scm (openssl-next): New variable.
> * gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.

LGTM, thank you!

Ludo’.
* Re: [PATCH 0/1] OpenSSL 1.1.0
From: Leo Famulari @ 2016-09-06 17:47 UTC
To: Ludovic Courtès; +Cc: guix-devel

On Tue, Sep 06, 2016 at 02:29:16PM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
>
> > On Mon, Sep 05, 2016 at 10:35:09PM +0200, Ludovic Courtès wrote:
> >> Seems like most of the arguments and phases are shared with ‘openssl’,
> >> right? What about using ‘substitute-keyword-arguments’ to reduce
> >> duplication? Or are you concerned about potential breakage when one
> >> series or the other changes?
> >
> > I've attached an updated patch using 'substitute-keyword-arguments'.
> >
> > BTW, my previous patch made a one-line change to 'move-man3-pages',
> > deleting the leftover empty man3 directory in the main output after
> > copying the manpages to the 'doc' output. Is this change desired?
>
> Sure. Perhaps you can commit this part to core-updates?

Done!

> > From 83405a4ea3628cababd2ee5904c8d0628a002d05 Mon Sep 17 00:00:00 2001
> > From: Leo Famulari <leo@famulari.name>
> > Date: Fri, 2 Sep 2016 16:07:29 -0400
> > Subject: [PATCH] gnu: Add openssl-next.
> >
> > * gnu/packages/tls.scm (openssl-next): New variable.
> > * gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
>
> LGTM, thank you!

Pushed! Thanks for the review :)