pfSense has included OpenSSL from ports and testers reported problems enabling VIA's padlock engine when using OpenVPN. During debugging we discovered the external patches were wrongly named (only numbering). Fixing this successfully allowed use of OpenVPN with padlock acceleration support with VIA CPUs. Credit for this bugfix should be given to Jim Pingle who did the major mangling.
How-To-Repeat: Build OpenSSL and OpenVPN from ports, enable PADLOCK support on OpenSSL and try to launch OpenVPN with PADLOCK support. OpenVPN will crash with errors that it cannot load padlock support.
Responsible Changed From-To: freebsd-ports-bugs->dinoex Over to maintainer (via the GNATS Auto Assign Tool)
State Changed From-To: open->feedback The patch files conflict in name with the old patch files. These will break distfile mirrors and local caches. Are there versioned files out there?
Author: dinoex Date: Mon Jan 28 18:07:31 2013 New Revision: 311133 URL: http://svnweb.freebsd.org/changeset/ports/311133 Log: - mark option PADLOCK as BROKEN PR: 175622 Modified: head/security/openssl/Makefile Modified: head/security/openssl/Makefile ============================================================================== --- head/security/openssl/Makefile Mon Jan 28 17:47:30 2013 (r311132) +++ head/security/openssl/Makefile Mon Jan 28 18:07:31 2013 (r311133) @@ -1107,6 +1107,7 @@ PLIST_SUB+= WITH_RC5="@comment " .endif .if ${PORT_OPTIONS:MPADLOCK} +BROKEN= padlock support needs updating PATCH_DIST_STRIP= -p1 PATCH_SITES+= http://git.alpinelinux.org/cgit/aports/plain/main/openssl/:padlock PATCHFILES+= 0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch:padlock \ _______________________________________________ svn-ports-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-ports-all To unsubscribe, send any mail to "svn-ports-all-unsubscribe@freebsd.org"
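Review bot: The added BROKEN line inside the `.if ${PORT_OPTIONS:MPADLOCK}` block says only "padlock support needs updating", which does not tell a user what fails or where to follow up. Suggest naming the failure and the report in the text, for example "PADLOCK patches fail to apply, see PR 175622". The PR number is already in the commit log, but the BROKEN string is what a user building the port with this option will actually see.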
On 28.01.2013 19:00, dinoex@FreeBSD.org wrote:
> Synopsis: security/openssl fails to apply PADLOCK patches
>
> State-Changed-From-To: open->feedback
> State-Changed-By: dinoex
> State-Changed-When: Mon Jan 28 18:58:27 CET 2013
> State-Changed-Why:
>
> The patch files conflict in name with the old patch files.
> These will break distfile mirrors and local caches.
> Are there versioned files out there?

Well, it's Alpine Linux' git repository so yes they are versioned. I guess the port should make sure to fetch the one set of padlock patches from over there that have been tested with the version in FreeBSD ports. Currently the Makefile and the URL to AlpineLinux always directs us to the very latest patchset for their OpenSSL - which is likely not always in sync with us. (thus I guess why things didn't work anymore)

Took me a bit of effort to figure out how their cgit allows downloading a plain file, but I hope this is helpful:

Example: Current situation, always shows the latest version in their repo:
http://git.alpinelinux.org/cgit/aports/plain/main/openssl/0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch

Also gets you a plain file but uses the ID (as example) for a commit back in Jan. 201*2* :
http://git.alpinelinux.org/cgit/aports/plain/main/openssl/0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch?id=ffe9b2793f7ecfb2f18e173b990291cae53e606b

So the URLs to the patches have to end with ?id=<hash of git commit> to get the plain patches while specifying a certain commit. You can find the versioning hashes for openssl padlock patches here:
http://git.alpinelinux.org/cgit/aports/log/main/openssl

62d8f480832b4225aabf2d34c26b97447f2d5193 is the last commit in Jan. 2013 and the patchset pfSense has tested and validated to work with OpenSSL in ports as of writing.

-- Mathieu
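The commit-pinned cgit URL form from the message above, together with a distinfo-style size and SHA256 check that catches a patch changed in place under the same filename. This is an added example, not code from the thread or the port. The function names are hypothetical, and the patch bytes and the distinfo text are constructed stand-ins:

```python
import hashlib
import re
from urllib.parse import quote

# PATCH_SITES base quoted in the thread (cgit "plain" view).
CGIT_PLAIN = "http://git.alpinelinux.org/cgit/aports/plain/main/openssl/"
DISTINFO_RE = re.compile(r"^(SHA256|SIZE) \(([^)]+)\) = (\S+)$")

def pinned_url(filename, commit_id):
    """cgit URL for one patch file as it was at a given commit (?id= form)."""
    if not re.fullmatch(r"[0-9a-f]{40}", commit_id):
        raise ValueError("commit id must be a full 40-hex git hash")
    return f"{CGIT_PLAIN}{quote(filename)}?id={commit_id}"

def parse_distinfo(text):
    """Parse 'SHA256 (path) = hex' / 'SIZE (path) = n' lines into a dict."""
    entries = {}
    for line in text.splitlines():
        m = DISTINFO_RE.match(line.strip())
        if m:
            kind, path, value = m.groups()
            entries.setdefault(path, {})[kind] = (
                int(value) if kind == "SIZE" else value.lower())
    return entries

def verify(path, data, entries):
    """Check fetched bytes against the recorded size, then the digest."""
    rec = entries.get(path, {})
    if "SHA256" not in rec or "SIZE" not in rec:
        return "unlisted"
    if len(data) != rec["SIZE"]:
        return "size mismatch"
    if hashlib.sha256(data).hexdigest() != rec["SHA256"]:
        return "checksum mismatch"
    return "ok"

# Constructed sample: stand-in bytes, not the real Alpine Linux patch.
NAME = "0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch"
PATH = "openssl-1.0.1c2/" + NAME
TESTED = b"--- a/crypto/hmac/hmac.c\n+++ b/crypto/hmac/hmac.c\n(constructed v1)\n"
DISTINFO = (f"SHA256 ({PATH}) = {hashlib.sha256(TESTED).hexdigest()}\n"
            f"SIZE ({PATH}) = {len(TESTED)}\n")

if __name__ == "__main__":
    recorded = parse_distinfo(DISTINFO)
    print(pinned_url(NAME, "62d8f480832b4225aabf2d34c26b97447f2d5193"))
    print(verify(PATH, TESTED, recorded))                       # tested content
    print(verify(PATH, TESTED + b"upstream edit\n", recorded))  # changed in place
```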
State Changed From-To: feedback->analyzed The ports will break soon again as soon as something changes upstream. This is hard to maintain and verify ... the ports work best with patches that change filename whenever they update. I consider renaming the patches and mirror a stable content.
Hi

On 29.01.2013 19:55, dinoex@FreeBSD.org wrote:
> The ports will break soon again as soon as something changes upstream.
>
> This is hard to maintain and verify ...
> the ports work best with patches that change filename whenever they update.
>
> I consider renaming the patches and mirror a stable content.

Thanks, let me know how you decide and I'll sync pfSense as soon as you set up a fixed location for the patch. We have community testers who will quickly yell if things would get broken ;-) We only realized the brokenness when we started using the openssl port.

-- Mathieu
Author: dinoex Date: Sun Feb 3 06:36:22 2013 New Revision: 311452 URL: http://svnweb.freebsd.org/changeset/ports/311452 Log: - fix option PADLOCK PR: 175622 Submitted by: Mathieu Simon Modified: head/security/openssl/Makefile head/security/openssl/distinfo Modified: head/security/openssl/Makefile ============================================================================== --- head/security/openssl/Makefile Sun Feb 3 05:44:45 2013 (r311451) +++ head/security/openssl/Makefile Sun Feb 3 06:36:22 2013 (r311452) @@ -10,7 +10,7 @@ MASTER_SITES= http://www.openssl.org/%SU ftp://ftp.openssl.org/%SUBDIR%/ \ ftp://ftp.cert.dfn.de/pub/tools/net/openssl/%SUBDIR%/ MASTER_SITE_SUBDIR= source -DIST_SUBDIR= ${DISTNAME} +DIST_SUBDIR= ${DISTNAME}2 MAINTAINER= dinoex@FreeBSD.org COMMENT= SSL and crypto library @@ -1118,13 +1118,12 @@ PLIST_SUB+= WITH_RC5="@comment " .endif .if ${PORT_OPTIONS:MPADLOCK} -BROKEN= padlock support needs updating PATCH_DIST_STRIP= -p1 PATCH_SITES+= http://git.alpinelinux.org/cgit/aports/plain/main/openssl/:padlock PATCHFILES+= 0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch:padlock \ - 0003-engines-e_padlock-backport-cvs-head-changes.patch:padlock \ - 0004-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch:padlock \ - 0005-crypto-engine-autoload-padlock-dynamic-engine.patch:padlock + 0002-engines-e_padlock-backport-cvs-head-changes.patch:padlock \ + 0003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch:padlock \ + 0004-crypto-engine-autoload-padlock-dynamic-engine.patch:padlock .endif .if ${PORT_OPTIONS:MGMP} Modified: head/security/openssl/distinfo ============================================================================== --- head/security/openssl/distinfo Sun Feb 3 05:44:45 2013 (r311451) +++ head/security/openssl/distinfo Sun Feb 3 06:36:22 2013 (r311452) 
@@ -1,10 +1,10 @@ -SHA256 (openssl-1.0.1c/openssl-1.0.1c.tar.gz) = 2a9eb3cd4e8b114eb9179c0d3884d61658e7d8e8bf4984798a5f5bd48e325ebe -SIZE (openssl-1.0.1c/openssl-1.0.1c.tar.gz) = 4457113 -SHA256 (openssl-1.0.1c/0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch) = 7f40edec04115e97ae2c64e77d3324f6083963200add148f9a4dec090c60550b -SIZE (openssl-1.0.1c/0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch) = 3089 -SHA256 (openssl-1.0.1c/0003-engines-e_padlock-backport-cvs-head-changes.patch) = cc5e464d7bf8e181bb454de65772366ed90ee91716ecbadaaf2dfda2e080fdc2 -SIZE (openssl-1.0.1c/0003-engines-e_padlock-backport-cvs-head-changes.patch) = 5897 -SHA256 (openssl-1.0.1c/0004-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch) = bff8308f6652c8ddade1dd3261e5519fa3aa1660bea3474fc9996a53382a26b5 -SIZE (openssl-1.0.1c/0004-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch) = 20552 -SHA256 (openssl-1.0.1c/0005-crypto-engine-autoload-padlock-dynamic-engine.patch) = f2d6bffae2fe5fcf76c7b9f6299893846a7730cadf70ab91bc94ee0578d0ba8d -SIZE (openssl-1.0.1c/0005-crypto-engine-autoload-padlock-dynamic-engine.patch) = 794 +SHA256 (openssl-1.0.1c2/openssl-1.0.1c.tar.gz) = 2a9eb3cd4e8b114eb9179c0d3884d61658e7d8e8bf4984798a5f5bd48e325ebe +SIZE (openssl-1.0.1c2/openssl-1.0.1c.tar.gz) = 4457113 +SHA256 (openssl-1.0.1c2/0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch) = 18dd81fefb39b3328a444774ed10871ed50348ca171d2da9f826f916127b2dae +SIZE (openssl-1.0.1c2/0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch) = 3512 +SHA256 (openssl-1.0.1c2/0002-engines-e_padlock-backport-cvs-head-changes.patch) = 39c31c2e33cded09543a2d1fd2e3238e9d11c672ba71a14d13095baad3ec9696 +SIZE (openssl-1.0.1c2/0002-engines-e_padlock-backport-cvs-head-changes.patch) = 5867 +SHA256 (openssl-1.0.1c2/0003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch) = e59f86fb779d327479fa97506c6d0d2df44b97f8182b45ca2eefebe9bef44b8d +SIZE 
(openssl-1.0.1c2/0003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch) = 20593 +SHA256 (openssl-1.0.1c2/0004-crypto-engine-autoload-padlock-dynamic-engine.patch) = 157ec6d17add25b96956abc7c44259c91eebe8a6c1026cdb976b895bf42ec56f +SIZE (openssl-1.0.1c2/0004-crypto-engine-autoload-padlock-dynamic-engine.patch) = 777
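Review bot: In the first Makefile hunk, `DIST_SUBDIR= ${DISTNAME}2` carries a bare "2" with no comment, so the next maintainer cannot tell that it exists to keep the changed patch files from colliding with copies cached under the old directory. Add a one-line comment above it saying so and that the suffix has to change again whenever the upstream patch contents change. Note also that the distinfo hunk re-lists openssl-1.0.1c.tar.gz with the same SHA256 and SIZE under openssl-1.0.1c2/, so mirrors and local caches fetch the unchanged tarball a second time.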
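Review bot: In the PADLOCK hunk, BROKEN is removed while the context line `PATCH_SITES+= http://git.alpinelinux.org/cgit/aports/plain/main/openssl/:padlock` stays as it is, so the four renumbered PATCHFILES are still fetched from a path that names no revision. The distinfo hunk shows 0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch going from 3089 to 3512 bytes with a new SHA256 under the same filename, so the same in-place change can recur and the checksum step will reject the fetch again. Suggest pointing PATCH_SITES at a mirrored, stable copy of these four files, or at a fixed revision of them, before re-enabling the option.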
State Changed From-To: analyzed->closed committed with new distdir to allow caching, thanks.
On 03.02.2013 08:04, dinoex@FreeBSD.org wrote:
> Synopsis: security/openssl fails to apply PADLOCK patches
>
> State-Changed-From-To: analyzed->closed
> State-Changed-By: dinoex
> State-Changed-When: Sun Feb 3 08:03:33 CET 2013
> State-Changed-Why:
>
> committed with new distdir to allow caching, thanks.

Thank you dinoex!

-- Mathieu