Revert the OpenSSL 1.1.0 update, it was not tested.

With hat:	portmgr
Sponsored by:	Absolight

security/openssl/Makefile

@@ -2,8 +2,10 @@
 # $FreeBSD$
 
 PORTNAME=	openssl
-PORTVERSION=	1.1.0
-#DISTVERSIONSUFFIX=	a
+PORTVERSION=	1.0.2
+DISTVERSIONSUFFIX=	h
+PORTREVISION=	14
+PORTEPOCH=	1
 CATEGORIES=	security devel
 MASTER_SITES=	http://www.openssl.org/source/ \
 		ftp://ftp.openssl.org/source/ \
@@ -22,13 +24,8 @@ CONFLICTS=	libressl-[0-9]* \
 		libressl-devel-[0-9]* \
 		openssl-devel-[0-9]*
 
-HAS_CONFIGURE=	yes
-CONFIGURE_SCRIPT=	config
-CONFIGURE_ENV=	PERL="${PERL}"
-CONFIGURE_ARGS=	--openssldir=${OPENSSLDIR} ${EXTRACONFIGURE}
-
-OPTIONS_DEFINE=	SHARED THREADS SSE2 ASM ZLIB SCTP SSL3 RFC3779 RC5 DOCS MAN3
-OPTIONS_DEFAULT=SHARED THREADS SSE2 SCTP MAN3
+OPTIONS_DEFINE=	SHARED THREADS SSE2 ASM PADLOCK ZLIB GMP SCTP SSL2 SSL3 RFC3779 MD2 RC5 EXPCIPHERS DOCS MAN3
+OPTIONS_DEFAULT=SHARED THREADS SSE2 SCTP SSL2 SSL3 MD2 MAN3
 OPTIONS_DEFINE_i386=	I386
 .for a in amd64 ia64
 OPTIONS_DEFINE_${a}=	EC
@@ -44,43 +41,28 @@ OPTIONS_SUB=	yes
 I386_DESC?=	Optimize for i386 (instead of i486+)
 SSE2_DESC?=	runtime SSE2 detection
 ASM_DESC?=	optimized Assembler code
+PADLOCK_DESC?=	VIA Padlock support
 SHARED_DESC?=	build of shared libs
 ZLIB_DESC?=	zlib compression support
 GMP_DESC?=	gmp support (LGPLv3)
 SCTP_DESC?=	SCTP protocol support
+SSL2_DESC?=	SSLv2 protocol support
 SSL3_DESC?=	SSLv3 protocol support
 RFC3779_DESC?=	RFC3779 support (BGP)
+MD2_DESC?=	MD2 hash (obsolete)
 RC5_DESC?=	RC5 cipher (patented)
+EXPCIPHERS_DESC?=	Include experimental ciphers
 EC_DESC?=	Optimize NIST elliptic curves
 MAN3_DESC?=	Install API manpages (section 3)
 
-USES=		cpe perl5
+GMP_LIB_DEPENDS=	libgmp.so:math/gmp
+
+USES=		perl5 cpe
 USE_PERL5=	build
 MAKE_ARGS+=	WHOLE_ARCHIVE_FLAG=--whole-archive
 MAKE_ENV+=	LIBRPATH="${PREFIX}/lib" GREP_OPTIONS=
 SUB_FILES=	pkg-message
 
-SHARED_CONFIGURE_ON=	shared
-SHARED_PLIST_SUB=	SHLIBVER=${OPENSSL_SHLIBVER}
-THREADS_CONFIGURE_ON=	threads
-THREADS_CONFIGURE_OFF=	no-threads
-ZLIB_CONFIGURE_ON=	zlib zlib-dynamic
-ZLIB_CONFIGURE_OFF=	no-zlib no-zlib-dynamic
-SCTP_CONFIGURE_ON=	sctp
-SCTP_CONFIGURE_OFF=	no-sctp
-SSE2_CONFIGURE_OFF=	no-sse2
-ASM_CONFIGURE_ON=	asm
-ASM_CONFIGURE_OFF=	no-asm
-SSL3_CONFIGURE_ON=	enable-ssl3
-SSL3_CONFIGURE_OFF=	no-ssl3 no-ssl3-method
-RFC3779_CONFIGURE_ON=	enable-rfc3779
-RFC3779_CONFIGURE_OFF=	no-rfc3779
-RC5_CONFIGURE_ON=	enable-rc5
-RC5_CONFIGURE_OFF=	no-rc5
-I386_CONFIGURE_ON=	386
-EC_CONFIGURE_ON=	enable-ec_nistp_64_gcc_128
-EC_CONFIGURE_OFF=	no-ec_nistp_64_gcc_128
-
 .include <bsd.port.pre.mk>
 
 .if ${PREFIX} == /usr
@@ -93,17 +75,103 @@ PLIST_SUB+=	OPENSSLDIR=${OPENSSLDIR:S=^${PREFIX}/==}
 OPENSSL_BASE_SONAME!=	readlink ${DESTDIR}/usr/lib/libcrypto.so || true
 OPENSSL_SHLIBVER_BASE=	${OPENSSL_BASE_SONAME:E}
 OPENSSL_BASE_SOPATH=	${OPENSSL_BASE_SONAME:H}
+OPENSSL_SHLIBVER?=	8
 
-.include "version.mk"
+.if ${PORT_OPTIONS:MI386}
+.if ${ARCH} == "i386"
+EXTRACONFIGURE+=	386
+.endif
+.endif
+
+.if empty(PORT_OPTIONS:MSSE2)
+# disable runtime SSE2 detection
+EXTRACONFIGURE+=	no-sse2
+.endif
 
 .if ${PORT_OPTIONS:MASM}
 BROKEN_sparc64=	option ASM generates illegal instructions
+EXTRACONFIGURE+=	enable-asm
+.else
+EXTRACONFIGURE+=	no-asm
+.endif
+
+.if ${PORT_OPTIONS:MTHREADS}
+EXTRACONFIGURE+=	threads
+.else
+EXTRACONFIGURE+=	no-threads
 .endif
 
 .if ${PORT_OPTIONS:MSHARED}
+EXTRACONFIGURE+=	shared
+MAKE_ENV+=	SHLIBVER=${OPENSSL_SHLIBVER}
+PLIST_SUB+=	SHLIBVER=${OPENSSL_SHLIBVER}
 USE_LDCONFIG=	yes
 .endif
 
+.if ${PORT_OPTIONS:MZLIB}
+EXTRACONFIGURE+=	zlib zlib-dynamic
+.else
+EXTRACONFIGURE+=	no-zlib no-zlib-dynamic
+.endif
+
+.if ${PORT_OPTIONS:MSCTP}
+EXTRACONFIGURE+=	sctp
+.else
+EXTRACONFIGURE+=	no-sctp
+.endif
+
+.if ${PORT_OPTIONS:MSSL2}
+EXTRACONFIGURE+=	enable-ssl2
+.else
+EXTRACONFIGURE+=	no-ssl2
+.endif
+
+.if ${PORT_OPTIONS:MSSL3}
+EXTRACONFIGURE+=	enable-ssl3
+.else
+EXTRACONFIGURE+=	no-ssl3 no-ssl3-method
+.endif
+
+.if ${PORT_OPTIONS:MMD2}
+EXTRACONFIGURE+=	enable-md2
+.else
+EXTRACONFIGURE+=	no-md2
+.endif
+
+.if ${PORT_OPTIONS:MRC5}
+EXTRACONFIGURE+=	enable-rc5
+.else
+EXTRACONFIGURE+=	no-rc5
+.endif
+
+.if ${PORT_OPTIONS:MPADLOCK}
+PATCH_DIST_STRIP=	-p1
+PATCH_SITES+=	http://git.alpinelinux.org/cgit/aports/plain/main/openssl/:padlock
+PATCHFILES+=	1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch:padlock \
+		1002-backport-changes-from-upstream-padlock-module.patch:padlock \
+		1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch:padlock \
+		1004-crypto-engine-autoload-padlock-dynamic-engine.patch:padlock
+.endif
+
+.if ${PORT_OPTIONS:MGMP}
+EXTRACONFIGURE+=	enable-gmp -I${LOCALBASE}/include
+IGNORE=	can not be linked because GMP is LGPLv3
+.else
+EXTRACONFIGURE+=	no-gmp
+.endif
+
+.if ${PORT_OPTIONS:MRFC3779}
+EXTRACONFIGURE+=	enable-rfc3779
+.else
+EXTRACONFIGURE+=	no-rfc3779
+.endif
+
+.if ${PORT_OPTIONS:MEC}
+EXTRACONFIGURE+=	enable-ec_nistp_64_gcc_128
+.else
+EXTRACONFIGURE+=	no-ec_nistp_64_gcc_128
+.endif
+
 .if ${OPENSSL_SHLIBVER_BASE} > ${OPENSSL_SHLIBVER}
 pre-everything::
 	@${ECHO_CMD} "#"
@@ -116,30 +184,47 @@ pre-everything::
 .endif
 
 post-patch:
-	${REINPLACE_CMD} \
-		-e 's|^MANDIR=.*$$|MANDIR=$$(INSTALLTOP)/man|' \
-		-e 's| install_html_docs$$||' \
-		-e 's|$$(LIBDIR)/pkgconfig|libdata/pkgconfig|g' \
-		${WRKSRC}/Configurations/unix-Makefile.tmpl
+	${REINPLACE_CMD} -e 's|m4 -B 8192|m4|g' \
+		${WRKSRC}/crypto/des/Makefile
+	${REINPLACE_CMD} -e 's|SHLIB_VERSION_NUMBER "1.0.0"|SHLIB_VERSION_NUMBER "${OPENSSL_SHLIBVER}"|' \
+		${WRKSRC}/crypto/opensslv.h
+	${REINPLACE_CMD} -e 's|ERR_R_MALLOC_ERROR|ERR_R_MALLOC_FAILURE|' \
+		${WRKSRC}/crypto/bio/bss_dgram.c
+.if ${PORT_OPTIONS:MEXPCIPHERS}
+	${REINPLACE_CMD} -e 's|TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES	0|TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES	1|' \
+		${WRKSRC}/ssl/tls1.h
+.endif
 
-post-configure:
+do-configure:
+	${REINPLACE_CMD} -e "s|options 386|options|" \
+		${WRKSRC}/config
+	cd ${WRKSRC} \
+	&& ${SETENV} CC="${CC}" FREEBSDCC="${CC}" CFLAGS="${CFLAGS}" PERL="${PERL}" \
+	./config --prefix=${PREFIX} --openssldir=${OPENSSLDIR} \
+		--install_prefix=${STAGEDIR} \
+		-L${PREFIX}/lib ${EXTRACONFIGURE}
 	${REINPLACE_CMD} \
-		-e 's|.(SHLIB_MAJOR)[.].(SHLIB_MINOR)|${OPENSSL_SHLIBVER}|g' \
+		-e 's|^MANDIR=.*$$|MANDIR=$$(PREFIX)/man|' \
+		-e 's|$$(LIBDIR)/pkgconfig|libdata/pkgconfig|g' \
+		-e 's|LIBVERSION=[^ ]* |LIBVERSION=${OPENSSL_SHLIBVER} |' \
 		${WRKSRC}/Makefile
-	${REINPLACE_CMD} \
-		-e 's|SHLIB_VERSION_NUMBER "1.1"|SHLIB_VERSION_NUMBER "${OPENSSL_SHLIBVER}"|' \
-		${WRKSRC}/include/openssl/opensslv.h
 
 post-install:
-	${RM} -f ${STAGEDIR}${OPENSSLDIR}/openssl.cnf
-	${RM} -f ${STAGEDIR}${PREFIX}/man/man7/ct.7.gz
-
-post-install-MAN3-off:
+.if ${PORT_OPTIONS:MSHARED}
+.for i in libcrypto libssl
+	${INSTALL_DATA} ${WRKSRC}/$i.so.${OPENSSL_SHLIBVER} ${STAGEDIR}${PREFIX}/lib
+	${LN} -sf $i.so.${OPENSSL_SHLIBVER} ${STAGEDIR}${PREFIX}/lib/$i.so
+.endfor
+.endif
 .if empty(PORT_OPTIONS:MMAN3)
 	${RM} -rf ${STAGEDIR}/${PREFIX}/man/man3
 	${REINPLACE_CMD} -e 's|^man/man3/.*||' ${TMPPLIST}
 .endif
 
+post-install-DOCS-on:
+	${MKDIR} ${STAGEDIR}${DOCSDIR}
+	${INSTALL_DATA} ${WRKSRC}/doc/openssl.txt ${STAGEDIR}${DOCSDIR}/
+
 test: build
 	cd ${WRKSRC} && ${MAKE} test
 

security/openssl/distinfo

@@ -1,3 +1,10 @@
-TIMESTAMP = 1472208347
-SHA256 (openssl-1.1.0/openssl-1.1.0.tar.gz) = f5c69ff9ac1472c80b868efc1c1c0d8dcfc746d29ebe563de2365dd56dbd8c82
-SIZE (openssl-1.1.0/openssl-1.1.0.tar.gz) = 5146831
+SHA256 (openssl-1.0.2h/openssl-1.0.2h.tar.gz) = 1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919
+SIZE (openssl-1.0.2h/openssl-1.0.2h.tar.gz) = 5274412
+SHA256 (openssl-1.0.2h/1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch) = 2eddcb7ab342285cb637ce6b6be143cca835f449f35dd9bb8c7b9167ba2117a7
+SIZE (openssl-1.0.2h/1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch) = 3717
+SHA256 (openssl-1.0.2h/1002-backport-changes-from-upstream-padlock-module.patch) = aee88a24622ce9d71e38deeb874e58435dcf8ff5690f56194f0e4a00fb09b260
+SIZE (openssl-1.0.2h/1002-backport-changes-from-upstream-padlock-module.patch) = 5770
+SHA256 (openssl-1.0.2h/1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch) = c10b8aaf56a4f4f79ca195fc587e0bb533f643e777d7a3e6fb0350399a6060ea
+SIZE (openssl-1.0.2h/1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch) = 20935
+SHA256 (openssl-1.0.2h/1004-crypto-engine-autoload-padlock-dynamic-engine.patch) = 97eb4411d0fc0890e94bc7c2d682f68b71135da782af769ca73914b37da2b1fd
+SIZE (openssl-1.0.2h/1004-crypto-engine-autoload-padlock-dynamic-engine.patch) = 832

security/openssl/files/patch-Configure

@@ -0,0 +1,45 @@
+--- Configure.orig	2015-06-11 15:50:11.000000000 +0200
++++ Configure	2015-06-12 16:20:39.000000000 +0200
+@@ -467,19 +467,20 @@
+ "android-mips","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ 
+ #### *BSD [do see comment about ${BSDthreads} above!]
+-"BSD-generic32","gcc:-O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"BSD-x86",	"gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"BSD-x86-elf",	"gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"debug-BSD-x86-elf",	"gcc:-DL_ENDIAN -O3 -Wall -g::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"BSD-sparcv8",	"gcc:-DB_ENDIAN -O3 -mcpu=v8 -Wall::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${sparcv8_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"BSD-generic32","$ENV{'FREEBSDCC'}:-O3 -fomit-frame-pointer -Wall $ENV{'CFLAGS'}::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIBVER)",
++"BSD-x86",	"$ENV{'FREEBSDCC'}:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall $ENV{'CFLAGS'}::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIBVER)",
++"BSD-x86-elf",	"$ENV{'FREEBSDCC'}:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall $ENV{'CFLAGS'}::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIBVER)",
++"debug-BSD-x86-elf",	"$ENV{'FREEBSDCC'}:-DL_ENDIAN -O3 -Wall -g $ENV{'CFLAGS'}::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIBVER)",
++"BSD-sparcv8", "$ENV{'FREEBSDCC'}:-DB_ENDIAN -O3 -mcpu=v8 -Wall $ENV{'CFLAGS'}::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${sparcv8_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIBVER)",
+ 
+-"BSD-generic64","gcc:-O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"BSD-generic64","$ENV{'FREEBSDCC'}:-O3 -Wall $ENV{'CFLAGS'}::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIBVER)",
+ # -DMD32_REG_T=int doesn't actually belong in sparc64 target, it
+ # simply *happens* to work around a compiler bug in gcc 3.3.3,
+ # triggered by RIPEMD160 code.
+-"BSD-sparc64",	"gcc:-DB_ENDIAN -O3 -DMD32_REG_T=int -Wall::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC2 BF_PTR:${sparcv9_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"BSD-ia64",	"gcc:-DL_ENDIAN -O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"BSD-x86_64",	"cc:-DL_ENDIAN -O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"BSD-sparc64",	"$ENV{'FREEBSDCC'}:-DB_ENDIAN -O3 -DMD32_REG_T=int -Wall $ENV{'CFLAGS'}::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC2 BF_PTR:${sparcv9_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIBVER)",
++"BSD-ia64",	"$ENV{'FREEBSDCC'}:-DL_ENDIAN -O3 -Wall $ENV{'CFLAGS'}::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIBVER)",
++"BSD-x86_64",	"$ENV{'FREEBSDCC'}:-DL_ENDIAN -O3 -Wall $ENV{'CFLAGS'}::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIBVER)",
++"BSD-alpha",	"$ENV{'FREEBSDCC'}:-DL_ENDIAN -O -Wall $ENV{'CFLAGS'}::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIBVER)",
+ 
+ "bsdi-elf-gcc",     "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall::(unknown)::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ 
+@@ -2019,10 +2020,12 @@
+ 	if ( $perl =~ m@^/@) {
+ 	    &dofile("tools/c_rehash",$perl,'^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";', '^my \$prefix;$', 'my $prefix = "' . $prefix . '";');
+ 	    &dofile("apps/CA.pl",$perl,'^#!/', '#!%s');
++	    &dofile("apps/tsget",$perl,'^#!/', '#!%s');
+ 	} else {
+ 	    # No path for Perl known ...
+ 	    &dofile("tools/c_rehash",'/usr/local/bin/perl','^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";',  '^my \$prefix;$', 'my $prefix = "' . $prefix . '";');
+ 	    &dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s');
++	    &dofile("apps/tsget",'/usr/local/bin/perl',,'^#!/', '#!%s');
+ 	}
+ 	if ($depflags ne $default_depflags && !$make_depend) {
+ 		print <<EOF;

security/openssl/files/patch-Makefile

@@ -0,0 +1,11 @@
+--- apps/Makefile.orig	Tue Aug 10 11:09:07 2004
++++ apps/Makefile	Tue Oct 26 07:00:51 2004
+@@ -112,7 +112,7 @@
+ 	 done
+ 	@cp openssl.cnf $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \
+ 	chmod 644 $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \
+-	mv -f  $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf
++	mv -f  $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.sample
+ 
+ tags:
+ 	ctags $(SRC)

security/openssl/files/patch-RFC-5705

@@ -0,0 +1,38 @@
+--- ssl/ssl.h	6 Jan 2010 17:37:38 -0000	1.221.2.24
++++ ssl/ssl.h	17 Jun 2010 12:25:35 -0000
+@@ -1806,6 +1806,10 @@
+ /* Pre-shared secret session resumption functions */
+ int SSL_set_session_secret_cb(SSL *s, tls_session_secret_cb_fn tls_session_secret_cb, void *arg);
+ 
++void SSL_tls1_key_exporter(SSL *s, unsigned char *label, int label_len,
++                           unsigned char *context, int context_len,
++                           unsigned char *out, int olen);
++
+ /* BEGIN ERROR CODES */
+ /* The following lines are auto generated by the script mkerr.pl. Any changes
+  * made after this point may be overwritten when the script is next run.
+
+--- ssl/t1_enc.c.orig	2015-01-22 15:58:32.000000000 +0100
++++ ssl/t1_enc.c	2015-03-10 07:21:12.000000000 +0100
+@@ -1261,6 +1261,21 @@
+     return (rv);
+ }
+ 
++void SSL_tls1_key_exporter(SSL *s, unsigned char *label, int label_len,
++                           unsigned char *context, int context_len,
++                           unsigned char *out, int olen)
++	{
++	unsigned char tmp[olen];
++	
++	tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
++			 label, label_len,
++			 s->s3->client_random,SSL3_RANDOM_SIZE,
++			 s->s3->server_random,SSL3_RANDOM_SIZE,
++			 context, context_len, NULL, 0,
++			 s->session->master_key, s->session->master_key_length,
++			 out, tmp, olen);
++	}
++
+ int tls1_alert_code(int code)
+ {
+     switch (code) {

security/openssl/files/patch-config

@@ -1,6 +1,6 @@
---- config.orig	2016-03-16 18:21:18.000000000 +0100
-+++ config	2016-04-09 13:25:19.138246000 +0200
-@@ -713,14 +713,8 @@
+--- config.orig	2013-06-16 07:01:13.038797248 -0500
++++ config	2013-06-16 07:01:18.138794838 -0500
+@@ -734,14 +734,8 @@
    sparc64-*-*bsd*)	OUT="BSD-sparc64" ;;
    ia64-*-*bsd*)		OUT="BSD-ia64" ;;
    amd64-*-*bsd*)	OUT="BSD-x86_64" ;;

security/openssl/files/patch-dsa_ossl.c

@@ -0,0 +1,35 @@
+
+Fix DSA, preserve BN_FLG_CONSTTIME
+
+Operations in the DSA signing algorithm should run in constant time in
+order to avoid side channel attacks. A flaw in the OpenSSL DSA
+implementation means that a non-constant time codepath is followed for
+certain operations. This has been demonstrated through a cache-timing
+attack to be sufficient for an attacker to recover the private DSA key.
+
+CVE-2016-2178
+
+--- crypto/dsa/dsa_ossl.c.orig	2016-05-03 15:44:42.000000000 +0200
++++ crypto/dsa/dsa_ossl.c	2016-06-12 22:57:49.000000000 +0200
+@@ -248,9 +248,6 @@
+         if (!BN_rand_range(&k, dsa->q))
+             goto err;
+     while (BN_is_zero(&k)) ;
+-    if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
+-        BN_set_flags(&k, BN_FLG_CONSTTIME);
+-    }
+ 
+     if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
+         if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
+@@ -282,6 +279,11 @@
+     } else {
+         K = &k;
+     }
++
++    if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
++        BN_set_flags(&k, BN_FLG_CONSTTIME);
++    }
++
+     DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
+                    dsa->method_mont_p);
+     if (!BN_mod(r, r, dsa->q, ctx))

security/openssl/files/patch-md5.c

@@ -0,0 +1,11 @@
+--- crypto/md5/md5.c.orig	2015-01-22 15:58:32.000000000 +0100
++++ crypto/md5/md5.c	2015-03-10 07:02:19.000000000 +0100
+@@ -83,7 +83,7 @@
+                 err++;
+                 continue;
+             }
+-            printf("MD5(%s)= ", argv[i]);
++            printf("MD5 (%s) = ", argv[i]);
+             do_fp(IN);
+             fclose(IN);
+         }

security/openssl/files/patch-openbsd__hw.c

@@ -0,0 +1,14 @@
+--- crypto/evp/openbsd_hw.c.orig	2015-01-22 15:58:32.000000000 +0100
++++ crypto/evp/openbsd_hw.c	2015-03-10 07:08:45.000000000 +0100
+@@ -108,7 +108,10 @@
+             dev_failed = 1;
+             return 0;
+         }
+-        close(cryptodev_fd);
++        if (fd == -1)
++            fd = cryptodev_fd;
++        else
++            close(cryptodev_fd);
+     }
+     assert(ses);
+     memset(ses, '\0', sizeof *ses);

security/openssl/files/patch-s3_srvr.c

@@ -0,0 +1,66 @@
+CVE-2016-2177
+
+--- ssl/s3_srvr.c.orig
++++ ssl/s3_srvr.c
+@@ -980,7 +980,7 @@ int ssl3_get_client_hello(SSL *s)
+ 
+         session_length = *(p + SSL3_RANDOM_SIZE);
+ 
+-        if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) {
++        if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) {
+             al = SSL_AD_DECODE_ERROR;
+             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+             goto f_err;
+@@ -998,7 +998,7 @@ int ssl3_get_client_hello(SSL *s)
+     /* get the session-id */
+     j = *(p++);
+ 
+-    if (p + j > d + n) {
++    if ((d + n) - p < j) {
+         al = SSL_AD_DECODE_ERROR;
+         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+         goto f_err;
+@@ -1054,14 +1054,14 @@ int ssl3_get_client_hello(SSL *s)
+ 
+     if (SSL_IS_DTLS(s)) {
+         /* cookie stuff */
+-        if (p + 1 > d + n) {
++        if ((d + n) - p < 1) {
+             al = SSL_AD_DECODE_ERROR;
+             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+             goto f_err;
+         }
+         cookie_len = *(p++);
+ 
+-        if (p + cookie_len > d + n) {
++        if ((d + n ) - p < cookie_len) {
+             al = SSL_AD_DECODE_ERROR;
+             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+             goto f_err;
+@@ -1131,7 +1131,7 @@ int ssl3_get_client_hello(SSL *s)
+         }
+     }
+ 
+-    if (p + 2 > d + n) {
++    if ((d + n ) - p < 2) {
+         al = SSL_AD_DECODE_ERROR;
+         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+         goto f_err;
+@@ -1145,7 +1145,7 @@ int ssl3_get_client_hello(SSL *s)
+     }
+ 
+     /* i bytes of cipher data + 1 byte for compression length later */
+-    if ((p + i + 1) > (d + n)) {
++    if ((d + n) - p < i + 1) {
+         /* not enough data */
+         al = SSL_AD_DECODE_ERROR;
+         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+@@ -1211,7 +1211,7 @@ int ssl3_get_client_hello(SSL *s)
+ 
+     /* compression */
+     i = *(p++);
+-    if ((p + i) > (d + n)) {
++    if ((d + n) - p < i) {
+         /* not enough data */
+         al = SSL_AD_DECODE_ERROR;
+         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);

security/openssl/files/patch-srtp.h

@@ -0,0 +1,10 @@
+--- ssl/srtp.h.orig	2015-03-19 14:30:36.000000000 +0100
++++ ssl/srtp.h	2015-03-19 21:12:51.000000000 +0100
+@@ -136,7 +136,6 @@
+ int SSL_set_tlsext_use_srtp(SSL *ctx, const char *profiles);
+ 
+ STACK_OF(SRTP_PROTECTION_PROFILE) *SSL_get_srtp_profiles(SSL *ssl);
+-SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *s);
+ 
+ # endif
+ 

security/openssl/files/patch-ssl_sess.c

@@ -0,0 +1,13 @@
+CVE-2016-2177
+
+--- ssl/ssl_sess.c.orig
++++ ssl/ssl_sess.c
+@@ -573,7 +573,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
+     int r;
+ #endif
+ 
+-    if (session_id + len > limit) {
++    if (limit - session_id < len) {
+         fatal = 1;
+         goto err;
+     }

security/openssl/files/patch-t1_lib.c

@@ -0,0 +1,163 @@
+CVE-2016-2177
+
+--- ssl/t1_lib.c.orig
++++ ssl/t1_lib.c
+@@ -1867,11 +1867,11 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
+         0x02, 0x03,             /* SHA-1/ECDSA */
+     };
+ 
+-    if (data >= (limit - 2))
++    if (limit - data <= 2)
+         return;
+     data += 2;
+ 
+-    if (data > (limit - 4))
++    if (limit - data < 4)
+         return;
+     n2s(data, type);
+     n2s(data, size);
+@@ -1879,7 +1879,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
+     if (type != TLSEXT_TYPE_server_name)
+         return;
+ 
+-    if (data + size > limit)
++    if (limit - data < size)
+         return;
+     data += size;
+ 
+@@ -1887,7 +1887,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
+         const size_t len1 = sizeof(kSafariExtensionsBlock);
+         const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
+ 
+-        if (data + len1 + len2 != limit)
++        if (limit - data != (int)(len1 + len2))
+             return;
+         if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
+             return;
+@@ -1896,7 +1896,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
+     } else {
+         const size_t len = sizeof(kSafariExtensionsBlock);
+ 
+-        if (data + len != limit)
++        if (limit - data != (int)(len))
+             return;
+         if (memcmp(data, kSafariExtensionsBlock, len) != 0)
+             return;
+@@ -2053,19 +2053,19 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
+     if (data == limit)
+         goto ri_check;
+ 
+-    if (data > (limit - 2))
++    if (limit - data < 2)
+         goto err;
+ 
+     n2s(data, len);
+ 
+-    if (data + len != limit)
++    if (limit - data != len)
+         goto err;
+ 
+-    while (data <= (limit - 4)) {
++    while (limit - data >= 4) {
+         n2s(data, type);
+         n2s(data, size);
+ 
+-        if (data + size > (limit))
++        if (limit - data < size)
+             goto err;
+ # if 0
+         fprintf(stderr, "Received extension type %d size %d\n", type, size);
+@@ -2472,18 +2472,18 @@ static int ssl_scan_clienthello_custom_tlsext(SSL *s,
+     if (s->hit || s->cert->srv_ext.meths_count == 0)
+         return 1;
+ 
+-    if (data >= limit - 2)
++    if (limit - data <= 2)
+         return 1;
+     n2s(data, len);
+ 
+-    if (data > limit - len)
++    if (limit - data < len)
+         return 1;
+ 
+-    while (data <= limit - 4) {
++    while (limit - data >= 4) {
+         n2s(data, type);
+         n2s(data, size);
+ 
+-        if (data + size > limit)
++        if (limit - data < size)
+             return 1;
+         if (custom_ext_parse(s, 1 /* server */ , type, data, size, al) <= 0)
+             return 0;
+@@ -2569,20 +2569,20 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
+                              SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
+ # endif
+ 
+-    if (data >= (d + n - 2))
++    if ((d + n) - data <= 2)
+         goto ri_check;
+ 
+     n2s(data, length);
+-    if (data + length != d + n) {
++    if ((d + n) - data != length) {
+         *al = SSL_AD_DECODE_ERROR;
+         return 0;
+     }
+ 
+-    while (data <= (d + n - 4)) {
++    while ((d + n) - data >= 4) {
+         n2s(data, type);
+         n2s(data, size);
+ 
+-        if (data + size > (d + n))
++        if ((d + n) - data < size)
+             goto ri_check;
+ 
+         if (s->tlsext_debug_cb)
+@@ -3307,29 +3307,33 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
+     /* Skip past DTLS cookie */
+     if (SSL_IS_DTLS(s)) {
+         i = *(p++);
+-        p += i;
+-        if (p >= limit)
++
++        if (limit - p <= i)
+             return -1;
++
++        p += i;
+     }
+     /* Skip past cipher list */
+     n2s(p, i);
+-    p += i;
+-    if (p >= limit)
++    if (limit - p <= i)
+         return -1;
++    p += i;
++
+     /* Skip past compression algorithm list */
+     i = *(p++);
+-    p += i;
+-    if (p > limit)
++    if (limit - p < i)
+         return -1;
++    p += i;
++
+     /* Now at start of extensions */
+-    if ((p + 2) >= limit)
++    if (limit - p <= 2)
+         return 0;
+     n2s(p, i);
+-    while ((p + 4) <= limit) {
++    while (limit - p >= 4) {
+         unsigned short type, size;
+         n2s(p, type);
+         n2s(p, size);
+-        if (p + size > limit)
++        if (limit - p < size)
+             return 0;
+         if (type == TLSEXT_TYPE_session_ticket) {
+             int r;
+-- 
+1.9.1
+

security/openssl/files/patch-testssl

@@ -0,0 +1,39 @@
+--- test/testssl.orig	2015-06-11 15:50:11.000000000 +0200
++++ test/testssl	2015-06-12 13:43:32.000000000 +0200
+@@ -102,28 +102,28 @@
+ $ssltest $extra || exit 1
+ 
+ echo test dtlsv1
+-$ssltest -dtls1 $extra || exit 1
++#$ssltest -dtls1 $extra || exit 1
+ 
+ echo test dtlsv1 with server authentication
+-$ssltest -dtls1 -server_auth $CA $extra || exit 1
++#$ssltest -dtls1 -server_auth $CA $extra || exit 1
+ 
+ echo test dtlsv1 with client authentication
+-$ssltest -dtls1 -client_auth $CA $extra || exit 1
++#$ssltest -dtls1 -client_auth $CA $extra || exit 1
+ 
+ echo test dtlsv1 with both client and server authentication
+-$ssltest -dtls1 -server_auth -client_auth $CA $extra || exit 1
++#$ssltest -dtls1 -server_auth -client_auth $CA $extra || exit 1
+ 
+ echo test dtlsv1.2
+-$ssltest -dtls12 $extra || exit 1
++#$ssltest -dtls12 $extra || exit 1
+ 
+ echo test dtlsv1.2 with server authentication
+-$ssltest -dtls12 -server_auth $CA $extra || exit 1
++#$ssltest -dtls12 -server_auth $CA $extra || exit 1
+ 
+ echo test dtlsv1.2 with client authentication
+-$ssltest -dtls12 -client_auth $CA $extra || exit 1
++#$ssltest -dtls12 -client_auth $CA $extra || exit 1
+ 
+ echo test dtlsv1.2 with both client and server authentication
+-$ssltest -dtls12 -server_auth -client_auth $CA $extra || exit 1
++#$ssltest -dtls12 -server_auth -client_auth $CA $extra || exit 1
+ 
+ if [ $dsa_cert = NO ]; then
+   echo 'test sslv2/sslv3 w/o (EC)DHE via BIO pair'

security/openssl/version.mk

@@ -1 +1 @@
-OPENSSL_SHLIBVER?=	9
+OPENSSL_SHLIBVER?=	8