From 3735f3d457cfa31596b39d8bb77e6a425c564eac Mon Sep 17 00:00:00 2001 From: Leah Neukirchen Date: Sat, 13 Feb 2021 15:24:17 +0100 Subject: [PATCH 1/5] New package: libtls-3.2.4 Move libressl-nc to this package. --- common/shlibs | 2 +- srcpkgs/libressl-netcat | 2 +- srcpkgs/libressl/template | 13 +-- srcpkgs/libtls-devel | 1 + .../fail-instead-of-trying-fallback.patch | 21 ++++ srcpkgs/libtls/template | 98 +++++++++++++++++++ srcpkgs/libtls/update | 1 + 7 files changed, 124 insertions(+), 14 deletions(-) create mode 120000 srcpkgs/libtls-devel create mode 100644 srcpkgs/libtls/patches/fail-instead-of-trying-fallback.patch create mode 100644 srcpkgs/libtls/template create mode 100644 srcpkgs/libtls/update diff --git a/common/shlibs b/common/shlibs index 70596feb769..72892eb6b64 100644 --- a/common/shlibs +++ b/common/shlibs @@ -3505,7 +3505,7 @@ libfmt.so.7 fmt-7.0.3_1 libelementary-calendar.so.0 libio.elementary.calendar-4.2.3_1 libolm.so.3 olm-3.0.0_1 libcrypto.so.46 libcrypto46-3.1.1_1 -libtls.so.20 libtls20-3.1.1_1 +libtls.so.20 libtls-3.2.4_1 libssl.so.48 libssl48-3.1.1_1 libxmlb.so.2 libxmlb-0.2.1_1 libvoikko.so.1 libvoikko-4.2_1 diff --git a/srcpkgs/libressl-netcat b/srcpkgs/libressl-netcat index cab5b6fcb51..fc098467c59 120000 --- a/srcpkgs/libressl-netcat +++ b/srcpkgs/libressl-netcat @@ -1 +1 @@ -libressl \ No newline at end of file +libtls \ No newline at end of file diff --git a/srcpkgs/libressl/template b/srcpkgs/libressl/template index c9266796f7d..731168709b8 100644 --- a/srcpkgs/libressl/template +++ b/srcpkgs/libressl/template @@ -1,7 +1,7 @@ # Template file for 'libressl' pkgname=libressl version=3.1.5 -revision=2 +revision=3 bootstrap=yes build_style=gnu-configure configure_args="$(vopt_enable asm)" 
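Review bot: Two packages may end up shipping `libtls.so.20`: the common/shlibs hunk moves the soname from `libtls20-3.1.1_1` to `libtls-3.2.4_1`, while the libressl template hunks in this patch only bump `revision` and drop `libressl-netcat_package`. If libressl still builds a `libtls20` subpackage (not visible in these hunks), installs and upgrades would hit a file conflict, and it would be unclear which build of the TLS library a dependent binary loads. The new libtls template has no `replaces=` or `conflicts=` line, so consider adding `replaces="libtls20>=0"` there or removing the subpackage from libressl in the same commit.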
@@ -107,14 +107,3 @@ libressl-devel_package() { vmove usr/share/man/man3 } } - -libressl-netcat_package() { - short_desc="TCP/IP swiss army knife (LibreSSL variant)" - alternatives=" - nc:nc:/usr/bin/libressl-nc - nc:nc.1:/usr/share/man/man1/libressl-nc.1" - pkg_install() { - vbin apps/nc/.libs/nc libressl-nc - vman apps/nc/nc.1 libressl-nc.1 - } -} diff --git a/srcpkgs/libtls-devel b/srcpkgs/libtls-devel new file mode 120000 index 00000000000..fc098467c59 --- /dev/null +++ b/srcpkgs/libtls-devel @@ -0,0 +1 @@ +libtls \ No newline at end of file diff --git a/srcpkgs/libtls/patches/fail-instead-of-trying-fallback.patch b/srcpkgs/libtls/patches/fail-instead-of-trying-fallback.patch new file mode 100644 index 00000000000..9df423ed7a2 --- /dev/null +++ b/srcpkgs/libtls/patches/fail-instead-of-trying-fallback.patch @@ -0,0 +1,21 @@ + so, current flow for getentropy is + 1) use SYS_getrandom if it exists (true on glibc and musl) + 2) use /dev/urandom + 3) use sysctl (glibc only) + 4) use terrible fallback + and with a one-line patch it can instead kill itself after 3 + so that should only affect processes running without /dev/urandom on old kernels + probably no harm else + +1 + +--- crypto/compat/getentropy_linux.c.orig ++++ crypto/compat/getentropy_linux.c +@@ -162,7 +162,7 @@ + * sysctl ABI, or consider providing a new failsafe API which + * works in a chroot or when file descriptors are exhausted. + */ +-#undef FAIL_INSTEAD_OF_TRYING_FALLBACK ++#define FAIL_INSTEAD_OF_TRYING_FALLBACK + #ifdef FAIL_INSTEAD_OF_TRYING_FALLBACK + raise(SIGKILL); + #endif diff --git a/srcpkgs/libtls/template b/srcpkgs/libtls/template new file mode 100644 index 00000000000..db8d04f9549 --- /dev/null +++ b/srcpkgs/libtls/template 
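Review bot: The header of fail-instead-of-trying-fallback.patch is a pasted chat excerpt and never states what the patch does, which matters for a change to the entropy failure path of a crypto library. A header such as `Define FAIL_INSTEAD_OF_TRYING_FALLBACK so getentropy() raises SIGKILL instead of using the userspace fallback when getrandom, /dev/urandom and sysctl are all unavailable.` would record the intent and the consequence that affected processes die without a diagnostic. The patched file is crypto/compat/getentropy_linux.c, while `do_install` in the new libtls template installs only `tls` and `apps/nc`. It is worth confirming that the patched object is actually linked into the shipped libtls.so and libressl-nc, rather than getentropy being resolved at run time from the separately packaged libcrypto (common/shlibs still maps `libcrypto.so.46` to `libcrypto46-3.1.1_1`). The enclosing C function starts and ends outside the inner hunk.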
@@ -0,0 +1,98 @@ +# Template file for 'libtls' +pkgname=libtls +version=3.2.4 +revision=1 +wrksrc="libressl-${version}" +build_style=gnu-configure +#configure_args="$(vopt_enable asm)" +short_desc="Version of the TLS/crypto stack forked from OpenSSL" +maintainer="Leah Neukirchen " +license="OpenSSL, ISC" +changelog="https://raw.githubusercontent.com/libressl-portable/portable/master/ChangeLog" +homepage="http://www.libressl.org/" +distfiles="http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-${version}.tar.gz" +checksum=ac1dbb9e05a64910856599b1ac61118fdec1b3d0c700e42444d81c0d5f507a5a +_lssl_asm_ver="1.1.0" + +build_options="asm" +desc_option_asm="Use platform assembly for faster crypto" + +if [ "$build_option_asm" ]; then + distfiles+=" https://github.com/q66/libressl-portable-asm/archive/v${_lssl_asm_ver}.tar.gz" + checksum+=" 7d92bf898c3a526cfdd804ea2e6ba1c89bd5a95589092e3ea585ef7c4818d789" +fi + +# only enable asm for full chroots by default +# otherwise we'd be introducing an autotools dependency on the host +if [ "$CHROOT_READY" ]; then + build_options_default="asm" +fi + +case "$XBPS_TARGET_MACHINE" in + # disable ssp + i686-musl) configure_args+=" --disable-hardening";; + # on armv5 always disable asm as it's not supported + armv5*) configure_args+=" --disable-asm";; +esac + +if [ "$CROSS_BUILD" -o "$build_option_asm" ]; then + _regen_build=yes +fi + +if [ -n "$_regen_build" ]; then + hostmakedepends=" automake libtool" +fi + +post_extract() { + [ -z "$build_option_asm" ] && return 0 + mv ../libressl-portable-asm-${_lssl_asm_ver} . +} + +pre_configure() { + [ -z "$_regen_build" ] && return 0 + if [ "$build_option_asm" ]; then + : # ./libressl-portable-asm-${_lssl_asm_ver}/patch_libressl.sh . + fi + autoreconf -if +} + +do_install() { + make -C tls install DESTDIR="$DESTDIR" + make -C apps/nc install DESTDIR="$DESTDIR" +} + +post_install() { + # Use CA file from ca-certificates instead. 
+ #rm -f ${DESTDIR}/etc/ssl/cert.pem + #ln -s certs.pem ${DESTDIR}/etc/ssl/cert.pem + + vlicense COPYING + if [ "$build_option_asm" ]; then + vlicense libressl-portable-asm-${_lssl_asm_ver}/LICENSE.cryptogams + vlicense libressl-portable-asm-${_lssl_asm_ver}/LICENSE.openssl + fi + #find ${DESTDIR}/usr/share/man/man1 -type f ! -name openssl.1 -delete +} + +libtls-devel_package() { + short_desc+=" - development files" + depends="libtls-${version}_${revision}" + pkg_install() { + vinstall include/tls.h 644 usr/include + vmove "usr/lib/*.a" + vmove "usr/lib/*.so" + vinstall libtls.pc 644 usr/lib/pkgconfig + for m in man/tls_*; do vman $m; done + } +} + +libressl-netcat_package() { + short_desc="TCP/IP swiss army knife (LibreSSL variant)" + alternatives=" + nc:nc:/usr/bin/libressl-nc + nc:nc.1:/usr/share/man/man1/libressl-nc.1" + pkg_install() { + vbin apps/nc/.libs/nc libressl-nc + vman apps/nc/nc.1 libressl-nc.1 + } +} diff --git a/srcpkgs/libtls/update b/srcpkgs/libtls/update new file mode 100644 index 00000000000..a5d5038a832 --- /dev/null +++ b/srcpkgs/libtls/update @@ -0,0 +1 @@ +ignore="*.0 *.1" From 8700df2e7705f051809c1de7beebacfda6463d33 Mon Sep 17 00:00:00 2001 From: Leah Neukirchen Date: Sat, 13 Feb 2021 15:25:13 +0100 Subject: [PATCH 2/5] catgirl: rebuild for libtls-3.2.4. --- srcpkgs/catgirl/template | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/srcpkgs/catgirl/template b/srcpkgs/catgirl/template index 24967a8c1f0..a338e53b1e4 100644 --- a/srcpkgs/catgirl/template +++ b/srcpkgs/catgirl/template @@ -1,11 +1,11 @@ # Template file for 'catgirl' pkgname=catgirl version=1.5 -revision=1 +revision=2 build_style=gnu-configure make_build_target="all" hostmakedepends="pkg-config" -makedepends="libressl-devel ncurses-devel" +makedepends="libtls-devel ncurses-devel" short_desc="TLS-only terminal IRC client" maintainer="Paper " license="GPL-3.0-or-later" From d2b1ba6a9244c44a06b890f5667dc3a632cedb24 Mon Sep 17 00:00:00 2001 
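Review bot: The `asm` build option is declared and turned on by default under `CHROOT_READY`, but nothing in the template applies it: `configure_args="$(vopt_enable asm)"` is commented out and `pre_configure` replaces the `patch_libressl.sh` call with `:`. With the option on, the build still fetches the libressl-portable-asm tarball, moves it into the tree in `post_extract`, and installs `LICENSE.cryptogams` and `LICENSE.openssl` for code that is never built. That leaves an extra third-party distfile in the build of a TLS library for no benefit. Either restore the two commented lines, or drop `build_options`, the extra `distfiles`/`checksum` entries, `post_extract` and the asm `vlicense` calls. Separately, `distfiles` and `homepage` use `http://`; the `checksum` pins the tarball contents, but `https://` URLs would also protect the fetch itself, if the mirror serves them.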
From: Leah Neukirchen
Date: Sat, 13 Feb 2021 15:25:16 +0100
Subject: [PATCH 3/5] litterbox: rebuild for libtls-3.2.4.
---
 srcpkgs/litterbox/template | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/srcpkgs/litterbox/template b/srcpkgs/litterbox/template
index ace7ae0b5df..ac855d9474b 100644
--- a/srcpkgs/litterbox/template
+++ b/srcpkgs/litterbox/template
@@ -1,11 +1,11 @@
 # Template file for 'litterbox'
 pkgname=litterbox
 version=1.7
-revision=1
+revision=2
 build_style=gnu-configure
 make_build_target="all"
 hostmakedepends="pkg-config"
-makedepends="sqlite-devel libressl-devel"
+makedepends="sqlite-devel libtls-devel"
 short_desc="IRC logger"
 maintainer="Allen Sobot "
 license="GPL-3.0-or-later"
From 4cfbcd1bb9d61c2682de4317838c36bd16a5ea55 Mon Sep 17 00:00:00 2001
From: Leah Neukirchen
Date: Sat, 13 Feb 2021 15:25:22 +0100
Subject: [PATCH 4/5] pounce: rebuild for libtls-3.2.4.
---
 srcpkgs/pounce/template | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/srcpkgs/pounce/template b/srcpkgs/pounce/template
index 57959706a54..62a4c618cac 100644
--- a/srcpkgs/pounce/template
+++ b/srcpkgs/pounce/template
@@ -1,11 +1,11 @@
 # Template file for 'pounce'
 pkgname=pounce
 version=2.2
-revision=1
+revision=2
 build_style=gnu-configure
 make_build_target="all"
 hostmakedepends="pkg-config"
-makedepends="libressl-devel"
+makedepends="libtls-devel"
 short_desc="Multi-client, TLS-only IRC bouncer"
 maintainer="Paper "
 license="GPL-3.0-or-later"
From af06f689ccdebe5b39de6f5402ef8255c6574387 Mon Sep 17 00:00:00 2001
From: Leah Neukirchen
Date: Sat, 13 Feb 2021 15:25:30 +0100
Subject: [PATCH 5/5] openntpd: rebuild for libtls-3.2.4.
---
 srcpkgs/openntpd/template | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/srcpkgs/openntpd/template b/srcpkgs/openntpd/template
index e7b1e2877ac..b7e7db5c41f 100644
--- a/srcpkgs/openntpd/template
+++ b/srcpkgs/openntpd/template
@@ -1,11 +1,11 @@
 # Template file for 'openntpd'
 pkgname=openntpd
 version=6.2p3
-revision=7
+revision=8
 build_style=gnu-configure
 configure_args="--with-privsep-user=${pkgname} --with-cacert=/etc/ssl/certs.pem"
 hostmakedepends="automake libtool"
-makedepends="libressl-devel"
+makedepends="libtls-devel"
 depends="ca-certificates"
 short_desc="FREE, easy to use implementation of the Network Time Protocol"
 maintainer="Orphaned "