Merge pull request #2581 from patricklodder/1.14.5-openssl-102u-patched
depends: Update OpenSSL to 1.0.2u and fix issues it introduces
This commit is contained in:
commit
f1acd77583
|
@ -119,11 +119,35 @@ $(host_prefix)/.stamp_$(final_build_id): $(native_packages) $(packages)
|
|||
$(AT)cd $(@D); $(foreach package,$^, tar xf $($(package)_cached); )
|
||||
$(AT)touch $@
|
||||
|
||||
# $PATH is not preserved between ./configure and make by convention. Its
|
||||
# modification and overriding at ./configure time is (as I understand it)
|
||||
# supposed to be captured by the AC_{PROG_{,OBJ}CXX,PATH_{PROG,TOOL}} macros,
|
||||
# which will expand the program names to their full absolute paths. The notable
|
||||
# exception is command line overriding: ./configure CC=clang, which skips the
|
||||
# program name expansion step, and works because the user implicitly indicates
|
||||
# with CC=clang that clang will be available in $PATH at all times, and is most
|
||||
# likely part of the user's system.
|
||||
#
|
||||
# Therefore, when we "seed the autoconf cache"/"override well-known program
|
||||
# vars" by setting AR=<blah> in our config.site, either one of two things needs
|
||||
# to be true for the build system to work correctly:
|
||||
#
|
||||
# 1. If we refer to the program by name (e.g. AR=riscv64-gnu-linux-ar), the
|
||||
# tool needs to be available in $PATH at all times.
|
||||
#
|
||||
# 2. If the tool is _**not**_ expected to be available in $PATH at all times
|
||||
# (such as is the case for our native_cctools binutils tools), it needs to
|
||||
# be referred to by its absolute path, such as would be output by the
|
||||
# AC_PATH_{PROG,TOOL} macros.
|
||||
#
|
||||
# Minor note: it is also okay to refer to tools by their absolute path even if
|
||||
# we expect them to be available in $PATH at all times, more specificity does
|
||||
# not hurt.
|
||||
$(host_prefix)/share/config.site : config.site.in $(host_prefix)/.stamp_$(final_build_id)
|
||||
$(AT)@mkdir -p $(@D)
|
||||
$(AT)sed -e 's|@HOST@|$(host)|' \
|
||||
-e 's|@CC@|$(toolchain_path)$(host_CC)|' \
|
||||
-e 's|@CXX@|$(toolchain_path)$(host_CXX)|' \
|
||||
-e 's|@CC@|$(host_CC)|' \
|
||||
-e 's|@CXX@|$(host_CXX)|' \
|
||||
-e 's|@AR@|$(toolchain_path)$(host_AR)|' \
|
||||
-e 's|@RANLIB@|$(toolchain_path)$(host_RANLIB)|' \
|
||||
-e 's|@NM@|$(toolchain_path)$(host_NM)|' \
|
||||
|
|
|
@ -2,8 +2,12 @@ OSX_MIN_VERSION=10.8
|
|||
OSX_SDK_VERSION=10.11
|
||||
OSX_SDK=$(SDK_PATH)/MacOSX$(OSX_SDK_VERSION).sdk
|
||||
LD64_VERSION=253.9
|
||||
darwin_CC=clang -target $(host) -mmacosx-version-min=$(OSX_MIN_VERSION) --sysroot $(OSX_SDK) -mlinker-version=$(LD64_VERSION)
|
||||
darwin_CXX=clang++ -target $(host) -mmacosx-version-min=$(OSX_MIN_VERSION) --sysroot $(OSX_SDK) -mlinker-version=$(LD64_VERSION) -stdlib=libc++
|
||||
|
||||
clang_prog=$(build_prefix)/bin/clang
|
||||
clangxx_prog=$(clang_prog)++
|
||||
|
||||
darwin_CC=$(build_prefix)/bin/clang -target $(host) -mmacosx-version-min=$(OSX_MIN_VERSION) --sysroot $(OSX_SDK) -mlinker-version=$(LD64_VERSION)
|
||||
darwin_CXX=$(clang_prog)++ -target $(host) -mmacosx-version-min=$(OSX_MIN_VERSION) --sysroot $(OSX_SDK) -mlinker-version=$(LD64_VERSION) -stdlib=libc++
|
||||
|
||||
darwin_CFLAGS=-pipe
|
||||
darwin_CXXFLAGS=$(darwin_CFLAGS)
|
||||
|
|
|
@ -1,9 +1,10 @@
|
|||
package=openssl
|
||||
$(package)_version=1.0.1
|
||||
$(package)_version_suffix=l
|
||||
$(package)_version=1.0.2
|
||||
$(package)_version_suffix=u
|
||||
$(package)_download_path=https://www.openssl.org/source/old/$($(package)_version)
|
||||
$(package)_file_name=$(package)-$($(package)_version)$($(package)_version_suffix).tar.gz
|
||||
$(package)_sha256_hash=b2cf4d48fe5d49f240c61c9e624193a6f232b5ed0baf010681e725963c40d1d4
|
||||
$(package)_sha256_hash=ecd0c6ffb493dd06707d38b14bb4d8c2288bb7033735606569d8f90f89669d16
|
||||
$(package)_patches=secure_getenv.patch
|
||||
|
||||
define $(package)_set_vars
|
||||
$(package)_config_env=AR="$($(package)_ar)" RANLIB="$($(package)_ranlib)" CC="$($(package)_cc)"
|
||||
|
@ -58,12 +59,14 @@ $(package)_config_opts_i686_mingw32=mingw
|
|||
endef
|
||||
|
||||
define $(package)_preprocess_cmds
|
||||
patch -p1 < $($(package)_patch_dir)/secure_getenv.patch && \
|
||||
sed -i.old "/define DATE/d" util/mkbuildinf.pl && \
|
||||
sed -i.old "s|engines apps test|engines|" Makefile.org
|
||||
endef
|
||||
|
||||
define $(package)_config_cmds
|
||||
./Configure $($(package)_config_opts)
|
||||
./Configure $($(package)_config_opts) && \
|
||||
make depend
|
||||
endef
|
||||
|
||||
define $(package)_build_cmds
|
||||
|
|
37
depends/patches/openssl/secure_getenv.patch
Normal file
37
depends/patches/openssl/secure_getenv.patch
Normal file
|
@ -0,0 +1,37 @@
|
|||
Solves export of glibc 2.17 secure_getenv because we support down to 2.11
|
||||
|
||||
Patches openssl 1.0.2's usage of secure_getenv from glibc 2.17 to instead
|
||||
always use the fallback OPENSSL_issetugid(), which essentially does the
|
||||
same thing on linux, with the only difference that the glibc version makes
|
||||
decisions on startup, whereas the openssl version does the same check each
|
||||
time the environment is read.
|
||||
|
||||
glibc check: https://sourceware.org/git/?p=glibc.git;a=blob;f=elf/enbl-secure.c;h=9e47526bd3e444e1a19a8ea9fd310b6f47c4db52;hb=HEAD
|
||||
glibc implementation: https://sourceware.org/git/?p=glibc.git;a=blob;f=stdlib/secure-getenv.c;h=a394eebcf794c1279d66e5bcb71d4b15725e6e5a;hb=HEAD
|
||||
|
||||
openssl check: https://github.com/openssl/openssl/blob/OpenSSL_1_0_2u/crypto/uid.c
|
||||
|
||||
This patch can be removed when glibc 2.17 is the minimum version supported
|
||||
|
||||
Author: Patrick Lodder <patricklodder@users.noreply.github.com>
|
||||
|
||||
diff -dur a/crypto/getenv.c b/crypto/getenv.c
|
||||
--- a/crypto/getenv.c 2019-12-20 13:02:41.000000000 +0000
|
||||
+++ b/crypto/getenv.c 2021-09-20 03:02:04.125747397 +0000
|
||||
@@ -16,16 +16,7 @@
|
||||
|
||||
char *ossl_safe_getenv(const char *name)
|
||||
{
|
||||
-#if defined(__GLIBC__) && defined(__GLIBC_PREREQ)
|
||||
-# if __GLIBC_PREREQ(2, 17)
|
||||
-# define SECURE_GETENV
|
||||
- return secure_getenv(name);
|
||||
-# endif
|
||||
-#endif
|
||||
-
|
||||
-#ifndef SECURE_GETENV
|
||||
if (OPENSSL_issetugid())
|
||||
return NULL;
|
||||
return getenv(name);
|
||||
-#endif
|
||||
}
|
Loading…
Reference in a new issue