gentoo resync : 03.11.2018

author: V3n3RiX <venerix@redcorelinux.org> 2018-11-03 08:36:22 +0000
committer: V3n3RiX <venerix@redcorelinux.org> 2018-11-03 08:36:22 +0000
commit: f65628136faa35d0c4d3b5e7332275c7b35fcd96 (patch)
tree: 021998302365c5652e37824b6c26d4d969a62055 /dev-libs/openssl
parent: 70b82ae359a5538711e103b0e8dfb92654296644 (diff)
7 files changed, 99 insertions, 335 deletions
diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 785c3620b33a..9d43bd0321eb 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -5,9 +5,9 @@ AUX openssl-0.9.8h-ldflags.patch 1151 BLAKE2B b215e46c380e571f153445f902803cf5d0
 AUX openssl-0.9.8m-binutils.patch 684 BLAKE2B 35650e98595910d2e6b6fc846b49fecbb2a8e4a8b647bbec009a829ae4af8afdc7e7edac7a1eec8f13af1ad69b7036ca6af28bfd9509e6bba58f2b3906d6bdd5 SHA512 5e8a20111bd4809e7375c7323dab2c2edd6a131d1ec2377ee99c5e06ceb7b4b000e9606ba6d0e68cd67d8e001cc8194e11e301eace0feb066d5f3c5b331b5f04
 AUX openssl-0.9.8z_p8-perl-5.26.patch 310 BLAKE2B 29c46391d127cd2b1cb3943f1bb162a8b931e455f35f9e045372102d1461e3e3fd4cf4e4f544ec06a0b46a573d2009c8decf22678df03707c2487bade64f27b5 SHA512 b8e745ff90e447b000ace9cfd5f746c1bc8f3bb8249064d1d2f1072a1a628f5a89c405c7f384c73f0310f2a2f7af672950a9b7adbc583b1ee94b41d911b8a708
 AUX openssl-1.0.2a-x32-asm.patch 1561 BLAKE2B ee5e5b91e4babacff71edf36cce80fbcb2b8dbb9a7ea63a816d3a5de544fbffd8b4216d7a95bd44e718c7a83dd8b8b5ad85caed4205eab5de566b0b7e5054fc1 SHA512 fbb23393e68776e9d34953f85ba3cbb285421d50f06bd297b485c7cffc8d89ca8caff6783f21038ae668b5c75056c89dc652217ac8609b5328e2c28e70ac294c
-AUX openssl-1.0.2o-CVE-2018-0732.patch 1194 BLAKE2B bd06c5b1289f7a3dca52bbfab7ae17c9d103b07ffd2649c5b5a8cc60163aa3056e4bd86108548dfcd3690d2ef94c3e0d3a911694199b5a3822215dd01c7467d6 SHA512 ff91298629f157496a012da00ba7325923f5d087bfa54b60e205bf2dfb06374e958912e0df39dbdf39773555455c1a3afa3dcde1ddfec6e85cf89b0b62cc0eb4
-AUX openssl-1.0.2o-hobble-ecc.patch 11987 BLAKE2B 28c1217e500a9d6578dac3ee8aeb08f6e3b1d2c6749336ef05e4142828c7c4b176ec16707dcbbf97e1e2e91d51f85f2a02c076cfcc8bcef1aa9d3fd5ba50eb6a SHA512 817a5a1cbab171d9e6d3fce9c612985d2ce3f9f0b3781b3681ef42da1ac6389d8a8a11e6d696eb7f051d3bfc2d045f1999cc4076d1257b10e9fb65620aee3ee2
 AUX openssl-1.0.2p-hobble-ecc.patch 10875 BLAKE2B fc8240a074f8cc354c5ae584b76b3fc895170e026767d2d99d8bd5e5028614c861dd2b3c7b955c223883062f9a057ee302ae0deecfbbed00ddc53ae8a4d50919 SHA512 29f64bacac4f61071db6caf9d92131633d2dff56d899171888cc4c8432790930ff0912cea90ad03ca59b13ca0357f812d2f0a3f42567e2bd72c260f49b2b59aa
+AUX openssl-1.1.0i-CVE-2018-0735.patch 1612 BLAKE2B 44402dc7e1a39f47fb3b359edbd3deeeb2aedba5d6b9b12ff86c93c7e80699f8109b327d94c2a6cf443c8b087ad461d959bd5307b17bfe0ff429d33e4949dc1b SHA512 4f2e586021f049f9c2dd6ee9925568fdd82b0372ddb81172540acd4093c9b033db312ab0a722dfeab918d18405562100d7ed061c986fc1a0f5557ba5445a955f
+AUX openssl-1.1.1-CVE-2018-0735.patch 1642 BLAKE2B dffad919b1acd1af05044211b24a71cd4e972e0bd1cea3095610e06e06fafa1f61021a92eb9f8e2d800d20c86c8dc99b783509d124d444f6ff56f24871a8e31e SHA512 754f1290cb91f154e8614e145bea2df29e82cfc87ebb3b9ec506af70b0d8ea6785da8b76e7ac49ecd2e5e975f7d2a93b443acd60d2e8494141911d1afd81d750
 DIST openssl-0.9.8zh.tar.gz 3818524 BLAKE2B 610bb4858900983cf4519fa8b63f1e03b3845e39e68884fd8bebd738cd5cd6c2c75513643af49bf9e2294adc446a6516480fe9b62de55d9b6379bf9e7c5cd364 SHA512 b97fa2468211f86c0719c68ad1781eff84f772c479ed5193d6da14bac086b4ca706e7d851209d9df3f0962943b5e5333ab0def00110fb2e517caa73c0c6674c6
 DIST openssl-1.0.2-patches-1.5.tar.xz 12404 BLAKE2B 6c1b8c28f339f539b2ab8643379502a24cf62bffde00041dce54d5dd9e8d2620b181362ee5464b0ab32ba4948e209697bfabadbea2944a409a1009100d298f24 SHA512 5725e2d9d1ee8cc074bcef3bed61c71bdab2ff1c114362110c3fb8da11ad5bc8f2ff28e90a293f5f3a5cf96ecda54dffdb7ab3fb3f8b23ef6472250dc3037659
 DIST openssl-1.0.2p.tar.gz 5338192 BLAKE2B fe4c0e2bf75d47a76e7377c7977be7bcaaa532061ab89ee989786eeb6495295711a29a88bf026c85d9ed55c97e71b0e9c8cf4c29b6e58a3dc56bcff518666823 SHA512 958c5a7c3324bbdc8f07dfb13e11329d9a1b4452c07cf41fbd2d42b5fe29c95679332a3476d24c2dc2b88be16e4a24744aba675a05a388c0905756c77a8a2f16
@@ -23,6 +23,6 @@ DIST openssl-1.1.0i_hobble-openssl 1117 BLAKE2B c3a1477e63331e83cf1cbe58e9ef131e
 DIST openssl-1.1.1.tar.gz 8337920 BLAKE2B 266fb97bad4e1e7c0694c67a065d6669560695c92ad8fa10824169288a3fdfb9798faf408274a1e0c4e10a83a12b57367611bf4037dd2ab7ee74d7edab580a7b SHA512 c0284a4fe84bdf765ca5bc5148da4441ffc36392cfecaf9d372af00cf93b6de5681cab1248b6f8246474532155dc205da5ad49549ad7c61c07c917145e7c9c71
 EBUILD openssl-0.9.8z_p8-r1.ebuild 4937 BLAKE2B 4d8c960161f15f38dbcef1ba1529906d81ad1b8574c90b7e09f3b2a8f2fcfdda1d69d9c4259a7f616246fe34b5794ea08f5ef8f5cb1ecb4117784062587a1fa7 SHA512 2693d1d1cf167e0e0031d5b7b3ac2f850290ea2fa8513c8fe2f5b8c52fd5efd4296b574533165e24ddd315e271dad6e7f5b00afdf8d036864e27af62fae30e43
 EBUILD openssl-1.0.2p.ebuild 10101 BLAKE2B c0e4eb3bd9dd21687d7a4be4c329baa6ca569b97ec16a090d0b5eaece0171a6f656facaab06fe085592038dd3d9d9aded69a5426e8605a32c3af8f295f74f34f SHA512 fc0affd0d6fe6dc12a6301135c6fed7beb5ca74fb0940d0af05551b402e09b6e130acc19de6f7b2853278f743c44a5f8c7da773c5324877b95bdc25b1b51b623
-EBUILD openssl-1.1.0i.ebuild 9107 BLAKE2B 8bee8407c13fbd1cfc7e13b4d11fb57ce9dd494d3ca8cf6cbd34f9f0e57dff824e421c31fc29e408ebf3a752896dc631f045b32757f2d89bacd2b9a52abe4722 SHA512 0cf7fd1a3957e197ac6b0d61a384a673b8216b0a07a90f61708759ef80e59afa1ab8e9f5761c1896439ee0cc6902bdd5bc83f4723302c648944d10d78d8396f4
-EBUILD openssl-1.1.1.ebuild 7877 BLAKE2B df40954123b720ad283e694d22406c79287bf394d7cc52a76badad76aa33a81e20a44aa25f79e16bcaaa2c87eddf68973653cafe6884c476baafed3aba5c95e9 SHA512 e41af66f74829bce5210e659e5a9330c319ee572eecfeec5c59bd11eb117e95ef5ff7e9e880299291231069100873148b562865322e87a5db7cadd64013e62f1
+EBUILD openssl-1.1.0i-r1.ebuild 9145 BLAKE2B a8221eac616d96a039e579122ff6f8d40015fba33ed604a2a0058b4af6c40caaa26ab69627ad0153852cee2711ddfce9bf4049e9a2035db4499b755212b2bf2a SHA512 7a67c698a8dad600ec522694df303d5077ce51d54908dd21cdbf6a6d3655aab81534accc22629c5c7544abdba3bf560d98bb8d74406b5de9b2764f308d49bcfb
+EBUILD openssl-1.1.1-r1.ebuild 7930 BLAKE2B 7a4c38b0c2088834cf285fbdb38c2a509149f85b2435427d7fd4d57f469003afca1fa1755087931b20a67a87e07bcd70dc6430703ae9e8a51b4b12ae558c382b SHA512 dd42cb4022bcceb40f741195cb09da480dd61c4e4abad7e71083379f572382806d6c4489e1fa6365cf60025d39cc3795e984f05ec730cd967f20d129abd30165
 MISC metadata.xml 1273 BLAKE2B 8eb61c2bfd56f428fa4c262972c0b140662a68c95fdf5e3101624b307985f83dc6d757fc13565e467c99188de93d90ec2db6de3719e22495da67155cbaa91aa9 SHA512 3ffb56f8bc35d71c2c67b4cb97d350825260f9d78c97f4ba9462c2b08b8ef65d7f684139e99bb2f7f32698d3cb62404567b36ce849e7dc4e7f7c5b6367c723a7
diff --git a/dev-libs/openssl/files/openssl-1.0.2o-CVE-2018-0732.patch b/dev-libs/openssl/files/openssl-1.0.2o-CVE-2018-0732.patch
deleted file mode 100644
index 148e7c3bc1a1..000000000000
--- a/dev-libs/openssl/files/openssl-1.0.2o-CVE-2018-0732.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 3984ef0b72831da8b3ece4745cac4f8575b19098 Mon Sep 17 00:00:00 2001
-From: Guido Vranken <guidovranken@gmail.com>
-Date: Mon, 11 Jun 2018 19:38:54 +0200
-Subject: [PATCH] Reject excessively large primes in DH key generation.
-
-CVE-2018-0732
-
-Signed-off-by: Guido Vranken <guidovranken@gmail.com>
-
-(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe)
-
-Reviewed-by: Tim Hudson <tjh@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/6457)
----
- crypto/dh/dh_key.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
-index 387558f1467..f235e0d682b 100644
---- a/crypto/dh/dh_key.c
-+++ b/crypto/dh/dh_key.c
-@@ -130,10 +130,15 @@ static int generate_key(DH *dh)
-     int ok = 0;
-     int generate_new_key = 0;
-     unsigned l;
--    BN_CTX *ctx;
-+    BN_CTX *ctx = NULL;
-     BN_MONT_CTX *mont = NULL;
-     BIGNUM *pub_key = NULL, *priv_key = NULL;
- 
-+    if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
-+        DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
-+        return 0;
-+    }
-+
-     ctx = BN_CTX_new();
-     if (ctx == NULL)
-         goto err;
diff --git a/dev-libs/openssl/files/openssl-1.0.2o-hobble-ecc.patch b/dev-libs/openssl/files/openssl-1.0.2o-hobble-ecc.patch
deleted file mode 100644
index e105fe45e459..000000000000
--- a/dev-libs/openssl/files/openssl-1.0.2o-hobble-ecc.patch
+++ /dev/null
@@ -1,290 +0,0 @@
-Port of Fedora's Hobble-EC patches for OpenSSL 1.0 series.
-
-From https://src.fedoraproject.org/git/rpms/openssl.git
-
-Contains parts of the following patches, rediffed. The patches are on various
-different branches.
-f23 openssl-1.0.2c-ecc-suiteb.patch
-f23 openssl-1.0.2a-fips-ec.patch
-f28 openssl-1.1.0-ec-curves.patch
-
-Signed-off-By: Robin H. Johnson <robbat2@gentoo.org>
-
-diff -Nuar --exclude ec_curve.c -p openssl-1.0.2m.hobble/apps/speed.c openssl-1.0.2m.mod/apps/speed.c
---- openssl-1.0.2m.hobble/apps/speed.c	2017-11-02 07:32:57.000000000 -0700
-+++ openssl-1.0.2m.mod/apps/speed.c	2018-06-10 19:00:09.264550382 -0700
-@@ -989,10 +989,7 @@ int MAIN(int argc, char **argv)
-         } else
- # endif
- # ifndef OPENSSL_NO_ECDSA
--        if (strcmp(*argv, "ecdsap160") == 0)
--            ecdsa_doit[R_EC_P160] = 2;
--        else if (strcmp(*argv, "ecdsap192") == 0)
--            ecdsa_doit[R_EC_P192] = 2;
-+	if (0) {}
-         else if (strcmp(*argv, "ecdsap224") == 0)
-             ecdsa_doit[R_EC_P224] = 2;
-         else if (strcmp(*argv, "ecdsap256") == 0)
-@@ -1001,36 +998,13 @@ int MAIN(int argc, char **argv)
-             ecdsa_doit[R_EC_P384] = 2;
-         else if (strcmp(*argv, "ecdsap521") == 0)
-             ecdsa_doit[R_EC_P521] = 2;
--        else if (strcmp(*argv, "ecdsak163") == 0)
--            ecdsa_doit[R_EC_K163] = 2;
--        else if (strcmp(*argv, "ecdsak233") == 0)
--            ecdsa_doit[R_EC_K233] = 2;
--        else if (strcmp(*argv, "ecdsak283") == 0)
--            ecdsa_doit[R_EC_K283] = 2;
--        else if (strcmp(*argv, "ecdsak409") == 0)
--            ecdsa_doit[R_EC_K409] = 2;
--        else if (strcmp(*argv, "ecdsak571") == 0)
--            ecdsa_doit[R_EC_K571] = 2;
--        else if (strcmp(*argv, "ecdsab163") == 0)
--            ecdsa_doit[R_EC_B163] = 2;
--        else if (strcmp(*argv, "ecdsab233") == 0)
--            ecdsa_doit[R_EC_B233] = 2;
--        else if (strcmp(*argv, "ecdsab283") == 0)
--            ecdsa_doit[R_EC_B283] = 2;
--        else if (strcmp(*argv, "ecdsab409") == 0)
--            ecdsa_doit[R_EC_B409] = 2;
--        else if (strcmp(*argv, "ecdsab571") == 0)
--            ecdsa_doit[R_EC_B571] = 2;
-         else if (strcmp(*argv, "ecdsa") == 0) {
--            for (i = 0; i < EC_NUM; i++)
-+            for (i = R_EC_P224; i < R_EC_P521; i++)
-                 ecdsa_doit[i] = 1;
-         } else
- # endif
- # ifndef OPENSSL_NO_ECDH
--        if (strcmp(*argv, "ecdhp160") == 0)
--            ecdh_doit[R_EC_P160] = 2;
--        else if (strcmp(*argv, "ecdhp192") == 0)
--            ecdh_doit[R_EC_P192] = 2;
-+	if (0) {}
-         else if (strcmp(*argv, "ecdhp224") == 0)
-             ecdh_doit[R_EC_P224] = 2;
-         else if (strcmp(*argv, "ecdhp256") == 0)
-@@ -1039,28 +1013,8 @@ int MAIN(int argc, char **argv)
-             ecdh_doit[R_EC_P384] = 2;
-         else if (strcmp(*argv, "ecdhp521") == 0)
-             ecdh_doit[R_EC_P521] = 2;
--        else if (strcmp(*argv, "ecdhk163") == 0)
--            ecdh_doit[R_EC_K163] = 2;
--        else if (strcmp(*argv, "ecdhk233") == 0)
--            ecdh_doit[R_EC_K233] = 2;
--        else if (strcmp(*argv, "ecdhk283") == 0)
--            ecdh_doit[R_EC_K283] = 2;
--        else if (strcmp(*argv, "ecdhk409") == 0)
--            ecdh_doit[R_EC_K409] = 2;
--        else if (strcmp(*argv, "ecdhk571") == 0)
--            ecdh_doit[R_EC_K571] = 2;
--        else if (strcmp(*argv, "ecdhb163") == 0)
--            ecdh_doit[R_EC_B163] = 2;
--        else if (strcmp(*argv, "ecdhb233") == 0)
--            ecdh_doit[R_EC_B233] = 2;
--        else if (strcmp(*argv, "ecdhb283") == 0)
--            ecdh_doit[R_EC_B283] = 2;
--        else if (strcmp(*argv, "ecdhb409") == 0)
--            ecdh_doit[R_EC_B409] = 2;
--        else if (strcmp(*argv, "ecdhb571") == 0)
--            ecdh_doit[R_EC_B571] = 2;
-         else if (strcmp(*argv, "ecdh") == 0) {
--            for (i = 0; i < EC_NUM; i++)
-+	    for (i = R_EC_P224; i <= R_EC_P521; i++)
-                 ecdh_doit[i] = 1;
-         } else
- # endif
-@@ -1149,21 +1103,13 @@ int MAIN(int argc, char **argv)
-             BIO_printf(bio_err, "dsa512   dsa1024  dsa2048\n");
- # endif
- # ifndef OPENSSL_NO_ECDSA
--            BIO_printf(bio_err, "ecdsap160 ecdsap192 ecdsap224 "
-+            BIO_printf(bio_err, "ecdsap224 "
-                        "ecdsap256 ecdsap384 ecdsap521\n");
--            BIO_printf(bio_err,
--                       "ecdsak163 ecdsak233 ecdsak283 ecdsak409 ecdsak571\n");
--            BIO_printf(bio_err,
--                       "ecdsab163 ecdsab233 ecdsab283 ecdsab409 ecdsab571\n");
-             BIO_printf(bio_err, "ecdsa\n");
- # endif
- # ifndef OPENSSL_NO_ECDH
--            BIO_printf(bio_err, "ecdhp160  ecdhp192  ecdhp224 "
-+            BIO_printf(bio_err, "ecdhp224 "
-                        "ecdhp256  ecdhp384  ecdhp521\n");
--            BIO_printf(bio_err,
--                       "ecdhk163  ecdhk233  ecdhk283  ecdhk409  ecdhk571\n");
--            BIO_printf(bio_err,
--                       "ecdhb163  ecdhb233  ecdhb283  ecdhb409  ecdhb571\n");
-             BIO_printf(bio_err, "ecdh\n");
- # endif
- 
-@@ -1242,11 +1188,11 @@ int MAIN(int argc, char **argv)
-         for (i = 0; i < DSA_NUM; i++)
-             dsa_doit[i] = 1;
- # ifndef OPENSSL_NO_ECDSA
--        for (i = 0; i < EC_NUM; i++)
-+        for (i = R_EC_P224; i <= R_EC_P521; i++)
-             ecdsa_doit[i] = 1;
- # endif
- # ifndef OPENSSL_NO_ECDH
--        for (i = 0; i < EC_NUM; i++)
-+        for (i = R_EC_P224; i <= R_EC_P521; i++)
-             ecdh_doit[i] = 1;
- # endif
-     }
-diff -Nuar --exclude ec_curve.c -p openssl-1.0.2m.hobble/crypto/ec/ecp_smpl.c openssl-1.0.2m.mod/crypto/ec/ecp_smpl.c
---- openssl-1.0.2m.hobble/crypto/ec/ecp_smpl.c	2017-11-02 07:32:57.000000000 -0700
-+++ openssl-1.0.2m.mod/crypto/ec/ecp_smpl.c	2018-06-10 18:45:36.909911848 -0700
-@@ -187,6 +187,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO
-         return 0;
-     }
- 
-+    if (BN_num_bits(p) < 224) {
-+        ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD);
-+        return 0;
-+    }
-+
-     if (ctx == NULL) {
-         ctx = new_ctx = BN_CTX_new();
-         if (ctx == NULL)
-diff -Nuar --exclude ec_curve.c -p openssl-1.0.2m.hobble/ssl/t1_lib.c openssl-1.0.2m.mod/ssl/t1_lib.c
---- openssl-1.0.2m.hobble/ssl/t1_lib.c	2017-11-02 07:32:58.000000000 -0700
-+++ openssl-1.0.2m.mod/ssl/t1_lib.c	2018-06-10 18:46:55.329811812 -0700
-@@ -271,10 +271,7 @@ static const unsigned char eccurves_auto
-     0, 23,                      /* secp256r1 (23) */
-     /* Other >= 256-bit prime curves. */
-     0, 25,                      /* secp521r1 (25) */
--    0, 28,                      /* brainpool512r1 (28) */
--    0, 27,                      /* brainpoolP384r1 (27) */
-     0, 24,                      /* secp384r1 (24) */
--    0, 26,                      /* brainpoolP256r1 (26) */
-     0, 22,                      /* secp256k1 (22) */
- # ifndef OPENSSL_NO_EC2M
-     /* >= 256-bit binary curves. */
-@@ -292,10 +289,7 @@ static const unsigned char eccurves_all[
-     0, 23,                      /* secp256r1 (23) */
-     /* Other >= 256-bit prime curves. */
-     0, 25,                      /* secp521r1 (25) */
--    0, 28,                      /* brainpool512r1 (28) */
--    0, 27,                      /* brainpoolP384r1 (27) */
-     0, 24,                      /* secp384r1 (24) */
--    0, 26,                      /* brainpoolP256r1 (26) */
-     0, 22,                      /* secp256k1 (22) */
- # ifndef OPENSSL_NO_EC2M
-     /* >= 256-bit binary curves. */
-@@ -310,13 +304,6 @@ static const unsigned char eccurves_all[
-      * Remaining curves disabled by default but still permitted if set
-      * via an explicit callback or parameters.
-      */
--    0, 20,                      /* secp224k1 (20) */
--    0, 21,                      /* secp224r1 (21) */
--    0, 18,                      /* secp192k1 (18) */
--    0, 19,                      /* secp192r1 (19) */
--    0, 15,                      /* secp160k1 (15) */
--    0, 16,                      /* secp160r1 (16) */
--    0, 17,                      /* secp160r2 (17) */
- # ifndef OPENSSL_NO_EC2M
-     0, 8,                       /* sect239k1 (8) */
-     0, 6,                       /* sect233k1 (6) */
-@@ -351,29 +338,21 @@ static const unsigned char fips_curves_d
-     0, 9,                       /* sect283k1 (9) */
-     0, 10,                      /* sect283r1 (10) */
- #  endif
--    0, 22,                      /* secp256k1 (22) */
-     0, 23,                      /* secp256r1 (23) */
- #  ifndef OPENSSL_NO_EC2M
-     0, 8,                       /* sect239k1 (8) */
-     0, 6,                       /* sect233k1 (6) */
-     0, 7,                       /* sect233r1 (7) */
- #  endif
--    0, 20,                      /* secp224k1 (20) */
--    0, 21,                      /* secp224r1 (21) */
- #  ifndef OPENSSL_NO_EC2M
-     0, 4,                       /* sect193r1 (4) */
-     0, 5,                       /* sect193r2 (5) */
- #  endif
--    0, 18,                      /* secp192k1 (18) */
--    0, 19,                      /* secp192r1 (19) */
- #  ifndef OPENSSL_NO_EC2M
-     0, 1,                       /* sect163k1 (1) */
-     0, 2,                       /* sect163r1 (2) */
-     0, 3,                       /* sect163r2 (3) */
- #  endif
--    0, 15,                      /* secp160k1 (15) */
--    0, 16,                      /* secp160r1 (16) */
--    0, 17,                      /* secp160r2 (17) */
- };
- # endif
- 
-diff -up openssl-1.0.2a/crypto/ecdh/ecdhtest.c.fips-ec openssl-1.0.2a/crypto/ecdh/ecdhtest.c
---- openssl-1.0.2a/crypto/ecdh/ecdhtest.c.fips-ec	2015-03-19 14:30:36.000000000 +0100
-+++ openssl-1.0.2a/crypto/ecdh/ecdhtest.c	2015-04-22 19:00:19.721884512 +0200
-@@ -501,11 +501,13 @@ int main(int argc, char *argv[])
-         goto err;
- 
-     /* NIST PRIME CURVES TESTS */
-+# if 0
-     if (!test_ecdh_curve
-         (NID_X9_62_prime192v1, "NIST Prime-Curve P-192", ctx, out))
-         goto err;
-     if (!test_ecdh_curve(NID_secp224r1, "NIST Prime-Curve P-224", ctx, out))
-         goto err;
-+# endif
-     if (!test_ecdh_curve
-         (NID_X9_62_prime256v1, "NIST Prime-Curve P-256", ctx, out))
-         goto err;
-@@ -536,13 +538,14 @@ int main(int argc, char *argv[])
-     if (!test_ecdh_curve(NID_sect571r1, "NIST Binary-Curve B-571", ctx, out))
-         goto err;
- # endif
-+# if 0
-     if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP256r1", 256))
-         goto err;
-     if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP384r1", 384))
-         goto err;
-     if (!test_ecdh_kat(out, "Brainpool Prime-Curve brainpoolP512r1", 512))
-         goto err;
--
-+# endif
-     ret = 0;
- 
-  err:
-diff -up openssl-1.0.2a/crypto/ecdsa/ecdsatest.c.fips-ec openssl-1.0.2a/crypto/ecdsa/ecdsatest.c
---- openssl-1.0.2a/crypto/ecdsa/ecdsatest.c.fips-ec	2015-03-19 14:19:00.000000000 +0100
-+++ openssl-1.0.2a/crypto/ecdsa/ecdsatest.c	2015-04-22 19:00:19.722884536 +0200
-@@ -138,11 +138,14 @@ int restore_rand(void)
- }
- 
- static int fbytes_counter = 0;
--static const char *numbers[8] = {
-+static const char *numbers[10] = {
-+    "651056770906015076056810763456358567190100156695615665659",
-     "651056770906015076056810763456358567190100156695615665659",
-     "6140507067065001063065065565667405560006161556565665656654",
-     "8763001015071075675010661307616710783570106710677817767166"
-         "71676178726717",
-+    "8763001015071075675010661307616710783570106710677817767166"
-+        "71676178726717",
-     "7000000175690566466555057817571571075705015757757057795755"
-         "55657156756655",
-     "1275552191113212300012030439187146164646146646466749494799",
-@@ -158,7 +161,7 @@ int fbytes(unsigned char *buf, int num)
-     int ret;
-     BIGNUM *tmp = NULL;
- 
--    if (fbytes_counter >= 8)
-+    if (fbytes_counter >= 10)
-         return 0;
-     tmp = BN_new();
-     if (!tmp)
-@@ -532,8 +535,10 @@ int main(void)
-     RAND_seed(rnd_seed, sizeof(rnd_seed));
- 
-     /* the tests */
-+# if 0
-     if (!x9_62_tests(out))
-         goto err;
-+# endif
-     if (!test_builtin(out))
-         goto err;
- 
diff --git a/dev-libs/openssl/files/openssl-1.1.0i-CVE-2018-0735.patch b/dev-libs/openssl/files/openssl-1.1.0i-CVE-2018-0735.patch
new file mode 100644
index 000000000000..5762c04fa340
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.0i-CVE-2018-0735.patch
@@ -0,0 +1,44 @@
+From 56fb454d281a023b3f950d969693553d3f3ceea1 Mon Sep 17 00:00:00 2001
+From: Pauli <paul.dale@oracle.com>
+Date: Fri, 26 Oct 2018 10:54:58 +1000
+Subject: [PATCH] Timing vulnerability in ECDSA signature generation
+ (CVE-2018-0735)
+
+Preallocate an extra limb for some of the big numbers to avoid a reallocation
+that can potentially provide a side channel.
+
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+(Merged from https://github.com/openssl/openssl/pull/7486)
+
+(cherry picked from commit 99540ec79491f59ed8b46b4edf130e17dc907f52)
+---
+ crypto/ec/ec_mult.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
+index 22bb30ffa1..ff882cce20 100644
+--- a/crypto/ec/ec_mult.c
++++ b/crypto/ec/ec_mult.c
+@@ -177,8 +177,8 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r,
+      */
+     cardinality_bits = BN_num_bits(cardinality);
+     group_top = bn_get_top(cardinality);
+-    if ((bn_wexpand(k, group_top + 1) == NULL)
+-        || (bn_wexpand(lambda, group_top + 1) == NULL))
++    if ((bn_wexpand(k, group_top + 2) == NULL)
++        || (bn_wexpand(lambda, group_top + 2) == NULL))
+         goto err;
+ 
+     if (!BN_copy(k, scalar))
+@@ -205,7 +205,7 @@ static int ec_mul_consttime(const EC_GROUP *group, EC_POINT *r,
+      * k := scalar + 2*cardinality
+      */
+     kbit = BN_is_bit_set(lambda, cardinality_bits);
+-    BN_consttime_swap(kbit, k, lambda, group_top + 1);
++    BN_consttime_swap(kbit, k, lambda, group_top + 2);
+ 
+     group_top = bn_get_top(group->field);
+     if ((bn_wexpand(s->X, group_top) == NULL)
+-- 
+2.19.1
+
diff --git a/dev-libs/openssl/files/openssl-1.1.1-CVE-2018-0735.patch b/dev-libs/openssl/files/openssl-1.1.1-CVE-2018-0735.patch
new file mode 100644
index 000000000000..295f5dbe8d82
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-1.1.1-CVE-2018-0735.patch
@@ -0,0 +1,44 @@
+From b1d6d55ece1c26fa2829e2b819b038d7b6d692b4 Mon Sep 17 00:00:00 2001
+From: Pauli <paul.dale@oracle.com>
+Date: Fri, 26 Oct 2018 10:54:58 +1000
+Subject: [PATCH] Timing vulnerability in ECDSA signature generation
+ (CVE-2018-0735)
+
+Preallocate an extra limb for some of the big numbers to avoid a reallocation
+that can potentially provide a side channel.
+
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+(Merged from https://github.com/openssl/openssl/pull/7486)
+
+(cherry picked from commit 99540ec79491f59ed8b46b4edf130e17dc907f52)
+---
+ crypto/ec/ec_mult.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
+index 7e1b3650e7..0e0a5e1394 100644
+--- a/crypto/ec/ec_mult.c
++++ b/crypto/ec/ec_mult.c
+@@ -206,8 +206,8 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r,
+      */
+     cardinality_bits = BN_num_bits(cardinality);
+     group_top = bn_get_top(cardinality);
+-    if ((bn_wexpand(k, group_top + 1) == NULL)
+-        || (bn_wexpand(lambda, group_top + 1) == NULL)) {
++    if ((bn_wexpand(k, group_top + 2) == NULL)
++        || (bn_wexpand(lambda, group_top + 2) == NULL)) {
+         ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB);
+         goto err;
+     }
+@@ -244,7 +244,7 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r,
+      * k := scalar + 2*cardinality
+      */
+     kbit = BN_is_bit_set(lambda, cardinality_bits);
+-    BN_consttime_swap(kbit, k, lambda, group_top + 1);
++    BN_consttime_swap(kbit, k, lambda, group_top + 2);
+ 
+     group_top = bn_get_top(group->field);
+     if ((bn_wexpand(s->X, group_top) == NULL)
+-- 
+2.19.1
+
diff --git a/dev-libs/openssl/openssl-1.1.0i.ebuild b/dev-libs/openssl/openssl-1.1.0i-r1.ebuild
index f97d4157d7e4..4cc9eb656d0e 100644
--- a/dev-libs/openssl/openssl-1.1.0i.ebuild
+++ b/dev-libs/openssl/openssl-1.1.0i-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2018 Gentoo Foundation
+# Copyright 1999-2018 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI="6"
@@ -56,6 +56,7 @@ MULTILIB_WRAPPED_HEADERS=(
 
 PATCHES=(
 	"${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
+	"${FILESDIR}"/${P}-CVE-2018-0735.patch
 )
 
 src_prepare() {
@@ -98,7 +99,7 @@ src_prepare() {
 		-e $(has noman FEATURES \
 			&& echo '/^install:/s:install_docs::' \
 			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
-		-e "/^DOCDIR/s@\$(BASENAME)@&-${PF}@" \
+		-e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
 		Configurations/unix-Makefile.tmpl \
 		|| die
 
diff --git a/dev-libs/openssl/openssl-1.1.1.ebuild b/dev-libs/openssl/openssl-1.1.1-r1.ebuild
index 3b7cd3fc0197..01dfbd3ec61f 100644
--- a/dev-libs/openssl/openssl-1.1.1.ebuild
+++ b/dev-libs/openssl/openssl-1.1.1-r1.ebuild
@@ -34,6 +34,10 @@ MULTILIB_WRAPPED_HEADERS=(
 	usr/include/openssl/opensslconf.h
 )
 
+PATCHES=(
+	"${FILESDIR}"/${P}-CVE-2018-0735.patch
+)
+
 src_prepare() {
 	# keep this in sync with app-misc/c_rehash
 	SSL_CNF_DIR="/etc/ssl"
author	V3n3RiX <venerix@redcorelinux.org>	2018-11-03 08:36:22 +0000
committer	V3n3RiX <venerix@redcorelinux.org>	2018-11-03 08:36:22 +0000
commit	f65628136faa35d0c4d3b5e7332275c7b35fcd96 (patch)
tree	021998302365c5652e37824b6c26d4d969a62055 /dev-libs/openssl
parent	70b82ae359a5538711e103b0e8dfb92654296644 (diff)