diff --git a/dev-libs/openssl-bad/files/4.patch b/dev-libs/openssl-bad/files/4.patch new file mode 100644 index 000000000..816618f57 --- /dev/null +++ b/dev-libs/openssl-bad/files/4.patch @@ -0,0 +1,149 @@ +From 152026f7b1f3221e73de2a9dc21c002d1565dd8e Mon Sep 17 00:00:00 2001 +From: Anton Bolshakov +Date: Sun, 19 Jan 2025 11:37:52 +0800 +Subject: [PATCH] Update e_aes.c + +replace that file with 1.0.2r version +--- + crypto/evp/e_aes.c | 84 ++++++++++++++++++++++++++-------------------- + 1 file changed, 47 insertions(+), 37 deletions(-) + +diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c +index 3574b17f0c8d3..ccc626f1d81c2 100644 +--- a/crypto/evp/e_aes.c ++++ b/crypto/evp/e_aes.c +@@ -1,5 +1,5 @@ + /* ==================================================================== +- * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved. ++ * Copyright (c) 2001-2018 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions +@@ -1089,6 +1089,8 @@ static int aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK * 8, &dat->ks, + ctx->iv, &ctx->num, ctx->encrypt, dat->block); + len -= MAXBITCHUNK; ++ out += MAXBITCHUNK; ++ in += MAXBITCHUNK; + } + if (len) + CRYPTO_cfb128_1_encrypt(in, out, len * 8, &dat->ks, +@@ -1120,6 +1122,8 @@ BLOCK_CIPHER_generic_pack(NID_aes, 128, EVP_CIPH_FLAG_FIPS) + static int aes_gcm_cleanup(EVP_CIPHER_CTX *c) + { + EVP_AES_GCM_CTX *gctx = c->cipher_data; ++ if (gctx == NULL) ++ return 0; + OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm)); + if (gctx->iv != c->iv) + OPENSSL_free(gctx->iv); +@@ -1235,10 +1239,15 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) + { + unsigned int len = c->buf[arg - 2] << 8 | c->buf[arg - 1]; + /* Correct length for explicit IV */ ++ if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN) ++ return 0; + len -= EVP_GCM_TLS_EXPLICIT_IV_LEN; + /* If decrypting correct for tag too */ +- if (!c->encrypt) ++ if (!c->encrypt) { ++ if (len < EVP_GCM_TLS_TAG_LEN) ++ return 0; + len -= EVP_GCM_TLS_TAG_LEN; ++ } + c->buf[arg - 2] = len >> 8; + c->buf[arg - 1] = len & 0xff; + } +@@ -1271,56 +1280,57 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) + } + } + +-static ctr128_f aes_gcm_set_key(AES_KEY *aes_key, GCM128_CONTEXT *gcm_ctx, +- const unsigned char *key, size_t key_len) ++static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, ++ const unsigned char *iv, int enc) + { ++ EVP_AES_GCM_CTX *gctx = ctx->cipher_data; ++ if (!iv && !key) ++ return 1; ++ if (key) { ++ do { + # ifdef HWAES_CAPABLE +- if (HWAES_CAPABLE) { +- HWAES_set_encrypt_key(key, key_len * 8, aes_key); +- CRYPTO_gcm128_init(gcm_ctx, aes_key, +- (block128_f) HWAES_encrypt); ++ if (HWAES_CAPABLE) { ++ HWAES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks); ++ CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, ++ (block128_f) HWAES_encrypt); + # ifdef HWAES_ctr32_encrypt_blocks +- return (ctr128_f) HWAES_ctr32_encrypt_blocks; ++ gctx->ctr = (ctr128_f) HWAES_ctr32_encrypt_blocks; + # else +- return NULL; ++ gctx->ctr = NULL; + # endif +- } else ++ break; ++ } else + # endif + # ifdef BSAES_CAPABLE +- if (BSAES_CAPABLE) { +- AES_set_encrypt_key(key, key_len * 8, aes_key); +- CRYPTO_gcm128_init(gcm_ctx, aes_key, +- (block128_f) AES_encrypt); +- return (ctr128_f) bsaes_ctr32_encrypt_blocks; +- } ++ if (BSAES_CAPABLE) { ++ AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks); ++ CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, ++ (block128_f) AES_encrypt); ++ gctx->ctr = (ctr128_f) bsaes_ctr32_encrypt_blocks; ++ break; ++ } else + # endif + # ifdef VPAES_CAPABLE +- if (VPAES_CAPABLE) { +- vpaes_set_encrypt_key(key, key_len * 8, aes_key); +- CRYPTO_gcm128_init(gcm_ctx, aes_key, +- (block128_f)vpaes_encrypt); +- return NULL; +- } else ++ if (VPAES_CAPABLE) { ++ vpaes_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks); ++ CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, ++ (block128_f) vpaes_encrypt); ++ gctx->ctr = NULL; ++ break; ++ } else + # endif +- (void)0; /* terminate potentially open 'else' */ ++ (void)0; /* terminate potentially open 'else' */ + +- AES_set_encrypt_key(key, key_len * 8, aes_key); +- CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f) AES_encrypt); ++ AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks.ks); ++ CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, ++ (block128_f) AES_encrypt); + # ifdef AES_CTR_ASM +- return (ctr128_f) AES_ctr32_encrypt; ++ gctx->ctr = (ctr128_f) AES_ctr32_encrypt; + # else +- return NULL; ++ gctx->ctr = NULL; + # endif +-} ++ } while (0); + +-static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, +- const unsigned char *iv, int enc) +-{ +- EVP_AES_GCM_CTX *gctx = ctx->cipher_data; +- if (!iv && !key) +- return 1; +- if (key) { +- gctx->ctr = aes_gcm_set_key(&gctx->ks, &gctx->gcm, key, ctx->key_len); + /* + * If we have an iv can set it directly, otherwise use saved IV. + */ diff --git a/dev-libs/openssl-bad/openssl-bad-1.0.2_p20250104.ebuild b/dev-libs/openssl-bad/openssl-bad-1.0.2_p20250104.ebuild index 767dfe378..4d4b1186b 100644 --- a/dev-libs/openssl-bad/openssl-bad-1.0.2_p20250104.ebuild +++ b/dev-libs/openssl-bad/openssl-bad-1.0.2_p20250104.ebuild @@ -91,6 +91,8 @@ src_prepare() { if ! use vanilla ; then eapply "${FILESDIR}"/patch/*.patch fi + # Fix https://github.com/testssl/openssl-1.0.2.bad/issues/3 + eapply "${FILESDIR}"/4.patch eapply_user @@ -112,8 +114,7 @@ src_prepare() { # since we're forcing $(CC) as makedep anyway, just fix # the conditional as always-on # helps clang (#417795), and versioned gcc (#499818) - # this breaks build with 1.0.2p, not sure if it is needed anymore - #sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die + sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die # quiet out unknown driver argument warnings since openssl # doesn't have well-split CFLAGS and we're making it even worse @@ -128,7 +129,7 @@ src_prepare() { append-flags $(test-flags-CC -Wa,--noexecstack) append-cppflags -DOPENSSL_NO_BUF_FREELISTS - sed -i '1s,^:$,#!'"${EPREFIX}"'/usr/bin/perl,' Configure #141906 + sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906 # The config script does stupid stuff to prompt the user. Kill it. sed -i '/stty -icanon min 0 time 50; read waste/d' config || die ./config --test-sanity || die "I AM NOT SANE" @@ -179,9 +180,7 @@ multilib_src_configure() { ${sslout} \ $(use cpu_flags_x86_sse2 || echo "no-sse2") \ enable-camellia \ - enable-ec \ - $(use_ssl !bindist ec2m) \ - $(use_ssl !bindist srp) \ + $(use_ssl !bindist ec) \ ${ec_nistp_64_gcc_128} \ enable-idea \ enable-mdc2 \ @@ -203,23 +202,19 @@ multilib_src_configure() { || die # Clean out hardcoded flags that openssl uses - local DEFAULT_CFLAGS=$(grep ^CFLAG= Makefile | LC_ALL=C sed \ + local CFLAG=$(grep ^CFLAG= Makefile | LC_ALL=C sed \ -e 's:^CFLAG=::' \ - -e 's:\(^\| \)-fomit-frame-pointer::g' \ - -e 's:\(^\| \)-O[^ ]*::g' \ - -e 's:\(^\| \)-march=[^ ]*::g' \ - -e 's:\(^\| \)-mcpu=[^ ]*::g' \ - -e 's:\(^\| \)-m[^ ]*::g' \ - -e 's:^ *::' \ - -e 's: *$::' \ - -e 's: \+: :g' \ - -e 's:\\:\\\\:g' + -e 's:-fomit-frame-pointer ::g' \ + -e 's:-O[0-9] ::g' \ + -e 's:-march=[-a-z0-9]* ::g' \ + -e 's:-mcpu=[-a-z0-9]* ::g' \ + -e 's:-m[a-z0-9]* ::g' \ ) # Now insert clean default flags with user flags sed -i \ - -e "/^CFLAG/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \ - -e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \ + -e "/^CFLAG/s|=.*|=${CFLAG} ${CFLAGS}|" \ + -e "/^SHARED_LDFLAGS=/s|$| ${LDFLAGS}|" \ Makefile || die }