Bug 175622

Summary: security/openssl fails to apply PADLOCK patches
Product: Ports & Packages
Reporter: Mathieu Simon <freebsd>
Component: Individual Port(s)
Assignee: Dirk Meyer <dinoex>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
file.diff none

Description Mathieu Simon 2013-01-27 09:40:00 UTC
pfSense has included OpenSSL from ports and testers reported problems enabling VIA's padlock engine when using OpenVPN. During debugging we discovered the external patches were wrongly named (only numbering).

Fixing this successfully allowed use of OpenVPN with padlock acceleration support with VIA CPUs. Credit for this bugfix should be given to Jim Pingle who did the major mangling.

How-To-Repeat: Build OpenSSL and OpenVPN from ports, enable PADLOCK support on OpenSSL and try to launch OpenVPN with PADLOCK support. OpenVPN will crash with errors that it cannot load padlock support.
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2013-01-27 09:55:20 UTC
Responsible Changed
From-To: freebsd-ports-bugs->dinoex

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 Dirk Meyer freebsd_committer freebsd_triage 2013-01-28 17:58:27 UTC
State Changed
From-To: open->feedback


The patch files conflict in name with the old patch files. 
These will break distfile mirrors and local caches.

Are there versioned files out there?
Comment 3 dfilter service freebsd_committer freebsd_triage 2013-01-28 18:07:44 UTC
Author: dinoex
Date: Mon Jan 28 18:07:31 2013
New Revision: 311133
URL: http://svnweb.freebsd.org/changeset/ports/311133

Log:
  - mark option PADLOCK as BROKEN
  PR:		175622

Modified:
  head/security/openssl/Makefile

Modified: head/security/openssl/Makefile
==============================================================================
--- head/security/openssl/Makefile	Mon Jan 28 17:47:30 2013	(r311132)
+++ head/security/openssl/Makefile	Mon Jan 28 18:07:31 2013	(r311133)
@@ -1107,6 +1107,7 @@ PLIST_SUB+=	WITH_RC5="@comment "
 .endif
 
 .if ${PORT_OPTIONS:MPADLOCK}
+BROKEN=		padlock support needs updating
 PATCH_DIST_STRIP=	-p1
 PATCH_SITES+=	http://git.alpinelinux.org/cgit/aports/plain/main/openssl/:padlock
 PATCHFILES+=	0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch:padlock \
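Review bot: the BROKEN string added under `.if ${PORT_OPTIONS:MPADLOCK}` says only "padlock support needs updating", which does not tell a user who enables the option what actually fails. Suggest naming the failure (per the PR, the PADLOCK patches fail to apply) and citing PR 175622 in the string or in a comment above it, so the marker can be traced and removed once the patches are fixed. The PATCH_SITES line left in place also fetches from a `plain/` path with no revision in the URL, so the files behind those names can change again without any edit to this Makefile.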
_______________________________________________
svn-ports-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-ports-all
To unsubscribe, send any mail to "svn-ports-all-unsubscribe@freebsd.org"
Comment 4 Mathieu Simon 2013-01-28 19:38:09 UTC
On 28.01.2013 19:00, dinoex@FreeBSD.org wrote:
> Synopsis: security/openssl fails to apply PADLOCK patches
>
> State-Changed-From-To: open->feedback
> State-Changed-By: dinoex
> State-Changed-When: Mon Jan 28 18:58:27 CET 2013
> State-Changed-Why: 
>
> The patch files conflict in name with the old patch files.
> These will break distfile mirrors and local caches.
> Are there versioned files out there?
Well, it's Alpine Linux's git repository, so yes, they are versioned. I guess the port should make sure to fetch the one set of padlock patches from over there that has been tested with the version in FreeBSD ports. Currently the Makefile and the URL to Alpine Linux always direct us to the very latest patchset for their OpenSSL, which is likely not always in sync with us (thus, I guess, why things didn't work anymore).

Took me a bit of effort to figure out how their cgit allows downloading
a plain file, but I hope this is helpful:

Example:

Current situation, always shows the latest version in their repo:
http://git.alpinelinux.org/cgit/aports/plain/main/openssl/0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch

Also gets you a plain file but uses the ID (as an example) of a commit back in Jan. 201*2*:
http://git.alpinelinux.org/cgit/aports/plain/main/openssl/0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch?id=ffe9b2793f7ecfb2f18e173b990291cae53e606b

So the URLs to the patches have to end with ?id=<hash of git commit> to get the plain patches while specifying a certain commit.

You can get the versioning hashes for the openssl padlock patches here:
http://git.alpinelinux.org/cgit/aports/log/main/openssl

62d8f480832b4225aabf2d34c26b97447f2d5193 is the last commit in Jan. 2013 and the patchset pfSense has tested and validated to work with OpenSSL in ports as of writing.

-- Mathieu
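
The pinning and the drift described in this comment, as an added example that is not part of the original thread or of the port: `pinned_url` builds the `?id=<commit>` form of the cgit URL, and `parse_distinfo`/`verify` show how `distinfo` SHA256 and SIZE records (in the format of the port's `distinfo` file) catch a file whose content changed under an unchanged name. The function names and the demo file are constructed for illustration.

```python
import hashlib, re, tempfile
from pathlib import Path
from urllib.parse import urlencode

CGIT_PLAIN = "http://git.alpinelinux.org/cgit/aports/plain/main/openssl/"  # PATCH_SITES base from the thread
_ENTRY = re.compile(r"^(SHA256|SIZE) \((.+)\) = (\S+)[ \t]*$", re.M)

def pinned_url(filename, commit_id):
    """cgit 'plain' URL for filename frozen at one commit (?id=<hash>)."""
    if not re.fullmatch(r"[0-9a-f]{40}", commit_id):
        raise ValueError("expected a full 40-hex-digit git commit id")
    return CGIT_PLAIN + filename + "?" + urlencode({"id": commit_id})

def parse_distinfo(text):
    """Map 'subdir/file' -> {'SHA256': hex, 'SIZE': int}."""
    entries = {}
    for kind, path, value in _ENTRY.findall(text):
        entries.setdefault(path, {})[kind] = int(value) if kind == "SIZE" else value
    return entries

def verify(distdir, entries):
    """Check cached files against distinfo; returns {path: status}."""
    status = {}
    for path, want in entries.items():
        f = Path(distdir) / path
        if not f.is_file():
            status[path] = "missing"
        elif f.stat().st_size != want.get("SIZE"):
            status[path] = "size mismatch"
        elif hashlib.sha256(f.read_bytes()).hexdigest() != want.get("SHA256"):
            status[path] = "checksum mismatch"
        else:
            status[path] = "ok"
    return status

def demo():
    """Constructed data: distinfo records the old body, upstream now serves a new one."""
    old, new = b"old patch body\n", b"NEW patch body\n"   # same length, different bytes
    name = "demo-1.0/0001-example.patch"                  # hypothetical distfile name
    distinfo = f"SHA256 ({name}) = {hashlib.sha256(old).hexdigest()}\nSIZE ({name}) = {len(old)}\n"
    with tempfile.TemporaryDirectory() as d:
        cached = Path(d) / name
        cached.parent.mkdir(parents=True)
        cached.write_bytes(new)                # same name, drifted content
        drifted = verify(d, parse_distinfo(distinfo))[name]
        cached.write_bytes(old)                # content the port was tested with
        return drifted, verify(d, parse_distinfo(distinfo))[name]
if __name__ == "__main__":
    print(demo())
```
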
Comment 5 Dirk Meyer freebsd_committer freebsd_triage 2013-01-29 18:52:30 UTC
State Changed
From-To: feedback->analyzed


The ports will break soon again as soon as something changes upstream. 

This is hard to maintain and verify ... 
the ports work best with patches that change filename whenever they update. 

I am considering renaming the patches and mirroring stable content.
Comment 6 Mathieu Simon 2013-01-29 19:26:19 UTC
Hi

On 29.01.2013 19:55, dinoex@FreeBSD.org wrote:
> The ports will break soon again as soon as something changes upstream.
>
> This is hard to maintain and verify ...
> the ports work best with patches that change filename whenever they update.
>
> I am considering renaming the patches and mirroring stable content.
Thanks, let me know how you decide and I'll sync pfSense as soon
as you set up a fixed location for the patch. We have community testers
who will quickly yell if things would get broken ;-)

We only realized the brokenness when we started using the openssl port.

-- Mathieu
Comment 7 dfilter service freebsd_committer freebsd_triage 2013-02-03 06:36:37 UTC
Author: dinoex
Date: Sun Feb  3 06:36:22 2013
New Revision: 311452
URL: http://svnweb.freebsd.org/changeset/ports/311452

Log:
  - fix option PADLOCK
  PR:		175622
  Submitted by:	Mathieu Simon

Modified:
  head/security/openssl/Makefile
  head/security/openssl/distinfo

Modified: head/security/openssl/Makefile
==============================================================================
--- head/security/openssl/Makefile	Sun Feb  3 05:44:45 2013	(r311451)
+++ head/security/openssl/Makefile	Sun Feb  3 06:36:22 2013	(r311452)
@@ -10,7 +10,7 @@ MASTER_SITES=	http://www.openssl.org/%SU
 		ftp://ftp.openssl.org/%SUBDIR%/ \
 		ftp://ftp.cert.dfn.de/pub/tools/net/openssl/%SUBDIR%/
 MASTER_SITE_SUBDIR=	source
-DIST_SUBDIR=	${DISTNAME}
+DIST_SUBDIR=	${DISTNAME}2
 
 MAINTAINER=	dinoex@FreeBSD.org
 COMMENT=	SSL and crypto library
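Review bot: `DIST_SUBDIR=	${DISTNAME}2` introduces a bare `2` suffix with nothing in the Makefile saying what it is for or when it should change. A one-line comment above it, stating that the suffix is bumped when a distfile or patch file changes content under an unchanged name, would tell the next maintainer whether to keep, reset or bump it.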
@@ -1118,13 +1118,12 @@ PLIST_SUB+=	WITH_RC5="@comment "
 .endif
 
 .if ${PORT_OPTIONS:MPADLOCK}
-BROKEN=		padlock support needs updating
 PATCH_DIST_STRIP=	-p1
 PATCH_SITES+=	http://git.alpinelinux.org/cgit/aports/plain/main/openssl/:padlock
 PATCHFILES+=	0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch:padlock \
-		0003-engines-e_padlock-backport-cvs-head-changes.patch:padlock \
-		0004-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch:padlock \
-		0005-crypto-engine-autoload-padlock-dynamic-engine.patch:padlock
+		0002-engines-e_padlock-backport-cvs-head-changes.patch:padlock \
+		0003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch:padlock \
+		0004-crypto-engine-autoload-padlock-dynamic-engine.patch:padlock
 .endif
 
 .if ${PORT_OPTIONS:MGMP}
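Review bot: in the PADLOCK block, PATCH_SITES still points at `http://git.alpinelinux.org/cgit/aports/plain/main/openssl/` with no revision in the URL, so the renumbered 0002 to 0004 entries fix the fetch for now but the same file names can serve different content after the next upstream change. Suggest fetching from a location whose content is fixed for a given file name (a pinned revision or a mirrored copy). Since the fetch is over plain http, a comment noting that the distinfo SHA256 entries are what protects these patches against altered content would also help.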

Modified: head/security/openssl/distinfo
==============================================================================
--- head/security/openssl/distinfo	Sun Feb  3 05:44:45 2013	(r311451)
+++ head/security/openssl/distinfo	Sun Feb  3 06:36:22 2013	(r311452)
@@ -1,10 +1,10 @@
-SHA256 (openssl-1.0.1c/openssl-1.0.1c.tar.gz) = 2a9eb3cd4e8b114eb9179c0d3884d61658e7d8e8bf4984798a5f5bd48e325ebe
-SIZE (openssl-1.0.1c/openssl-1.0.1c.tar.gz) = 4457113
-SHA256 (openssl-1.0.1c/0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch) = 7f40edec04115e97ae2c64e77d3324f6083963200add148f9a4dec090c60550b
-SIZE (openssl-1.0.1c/0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch) = 3089
-SHA256 (openssl-1.0.1c/0003-engines-e_padlock-backport-cvs-head-changes.patch) = cc5e464d7bf8e181bb454de65772366ed90ee91716ecbadaaf2dfda2e080fdc2
-SIZE (openssl-1.0.1c/0003-engines-e_padlock-backport-cvs-head-changes.patch) = 5897
-SHA256 (openssl-1.0.1c/0004-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch) = bff8308f6652c8ddade1dd3261e5519fa3aa1660bea3474fc9996a53382a26b5
-SIZE (openssl-1.0.1c/0004-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch) = 20552
-SHA256 (openssl-1.0.1c/0005-crypto-engine-autoload-padlock-dynamic-engine.patch) = f2d6bffae2fe5fcf76c7b9f6299893846a7730cadf70ab91bc94ee0578d0ba8d
-SIZE (openssl-1.0.1c/0005-crypto-engine-autoload-padlock-dynamic-engine.patch) = 794
+SHA256 (openssl-1.0.1c2/openssl-1.0.1c.tar.gz) = 2a9eb3cd4e8b114eb9179c0d3884d61658e7d8e8bf4984798a5f5bd48e325ebe
+SIZE (openssl-1.0.1c2/openssl-1.0.1c.tar.gz) = 4457113
+SHA256 (openssl-1.0.1c2/0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch) = 18dd81fefb39b3328a444774ed10871ed50348ca171d2da9f826f916127b2dae
+SIZE (openssl-1.0.1c2/0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch) = 3512
+SHA256 (openssl-1.0.1c2/0002-engines-e_padlock-backport-cvs-head-changes.patch) = 39c31c2e33cded09543a2d1fd2e3238e9d11c672ba71a14d13095baad3ec9696
+SIZE (openssl-1.0.1c2/0002-engines-e_padlock-backport-cvs-head-changes.patch) = 5867
+SHA256 (openssl-1.0.1c2/0003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch) = e59f86fb779d327479fa97506c6d0d2df44b97f8182b45ca2eefebe9bef44b8d
+SIZE (openssl-1.0.1c2/0003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch) = 20593
+SHA256 (openssl-1.0.1c2/0004-crypto-engine-autoload-padlock-dynamic-engine.patch) = 157ec6d17add25b96956abc7c44259c91eebe8a6c1026cdb976b895bf42ec56f
+SIZE (openssl-1.0.1c2/0004-crypto-engine-autoload-padlock-dynamic-engine.patch) = 777
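Review bot: the `0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch` entry keeps its file name while its SHA256 and SIZE change (3089 to 3512), so these checksums describe one particular upstream state that nothing here identifies. Suggest recording the upstream revision the four patch checksums were taken from, in the commit log or a Makefile comment, so that a later mismatch can be diagnosed. The tarball lines move to `openssl-1.0.1c2/` with an identical SHA256 and SIZE, which means caches and mirrors will hold a second copy of an unchanged file; a sentence in the log saying this is intended would be useful.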
Comment 8 Dirk Meyer freebsd_committer freebsd_triage 2013-02-03 07:03:33 UTC
State Changed
From-To: analyzed->closed


committed with new distdir to allow caching, thanks.
Comment 9 Mathieu Simon 2013-02-05 06:49:14 UTC
On 03.02.2013 08:04, dinoex@FreeBSD.org wrote:
> Synopsis: security/openssl fails to apply PADLOCK patches
>
> State-Changed-From-To: analyzed->closed
> State-Changed-By: dinoex
> State-Changed-When: Sun Feb 3 08:03:33 CET 2013
> State-Changed-Why: 
>
> committed with new distdir to allow caching, thanks.
Thank you dinoex!

-- Mathieu