authorKarel Kočí2016-12-02 14:08:36 +0100
committerKarel Kočí2016-12-02 14:18:22 +0100
commit9e6f11612d93f02e9ae203963b65af5048d4149f (patch)
tree360ed96b4485e8f4f0a1019a28e1a631eb6656d8
downloadaur-9e6f11612d93f02e9ae203963b65af5048d4149f.tar.gz
Create OpenSSL PURIFY package
The OpenSSL library is normally compiled without the PURIFY flag. This causes problems when an application that uses it is examined with valgrind: valgrind reports memory allocation problems inside OpenSSL, which makes it useless for such an application, and ignoring those errors is almost impossible for large enough projects. Compiling OpenSSL with the PURIFY flag fixes basically all problems reported by valgrind. See https://www.openssl.org/docs/faq.html#PROG14 for more info.
-rw-r--r--.SRCINFO28
-rw-r--r--PKGBUILD77
-rw-r--r--ca-dir.patch33
-rw-r--r--no-rpath.patch11
-rw-r--r--ssl3-test-failure.patch26
5 files changed, 175 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..5f4ee413cc1c
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,28 @@
+pkgbase = openssl-purify
+ pkgdesc = The Open Source toolkit for Secure Sockets Layer and Transport Layer Security compiled with PURIFY flag
+ pkgver = 1.0.2.j
+ pkgrel = 1
+ url = https://www.openssl.org
+ arch = i686
+ arch = x86_64
+ license = custom:BSD
+ depends = perl
+ optdepends = ca-certificates
+ provides = openssl
+ conflicts = openssl
+ options = !makeflags
+ backup = etc/ssl/openssl.cnf
+ source = https://www.openssl.org/source/openssl-1.0.2j.tar.gz
+ source = https://www.openssl.org/source/openssl-1.0.2j.tar.gz.asc
+ source = no-rpath.patch
+ source = ssl3-test-failure.patch
+ source = ca-dir.patch
+ validpgpkeys = 8657ABB260F056B1E5190839D9C4D26D0E604491
+ md5sums = 96322138f0b69e61b7212bc53d5e912b
+ md5sums = SKIP
+ md5sums = dc78d3d06baffc16217519242ce92478
+ md5sums = 62fc492252edd3283871632bb77fadbe
+ md5sums = 3bf51be3a1bbd262be46dc619f92aa90
+
+pkgname = openssl-purify
+
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..90719e72a94b
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,77 @@
+# Maintainer: Karel Kočí <cynerd@email.cz>
+
+pkgname=openssl-purify
+_ver=1.0.2j
+# use a pacman compatible version scheme
+pkgver=${_ver/[a-z]/.${_ver//[0-9.]/}}
+pkgrel=1
+pkgdesc='The Open Source toolkit for Secure Sockets Layer and Transport Layer Security compiled with PURIFY flag'
+arch=('i686' 'x86_64')
+url='https://www.openssl.org'
+license=('custom:BSD')
+depends=('perl')
+conflicts=('openssl')
+provides=('openssl')
+optdepends=('ca-certificates')
+options=('!makeflags')
+backup=('etc/ssl/openssl.cnf')
+source=("https://www.openssl.org/source/openssl-${_ver}.tar.gz"
+ "https://www.openssl.org/source/openssl-${_ver}.tar.gz.asc"
+ 'no-rpath.patch'
+ 'ssl3-test-failure.patch'
+ 'ca-dir.patch')
+md5sums=('96322138f0b69e61b7212bc53d5e912b'
+ 'SKIP'
+ 'dc78d3d06baffc16217519242ce92478'
+ '62fc492252edd3283871632bb77fadbe'
+ '3bf51be3a1bbd262be46dc619f92aa90')
+validpgpkeys=('8657ABB260F056B1E5190839D9C4D26D0E604491')
+
+prepare() {
+ cd $srcdir/openssl-$_ver
+
+ # remove rpath: http://bugs.archlinux.org/task/14367
+ patch -p0 -i $srcdir/no-rpath.patch
+
+ # disable a test that fails when ssl3 is disabled
+ patch -p1 -i $srcdir/ssl3-test-failure.patch
+
+ # set ca dir to /etc/ssl by default
+ patch -p0 -i $srcdir/ca-dir.patch
+}
+
+build() {
+ cd $srcdir/openssl-$_ver
+
+ if [ "${CARCH}" == 'x86_64' ]; then
+ openssltarget='linux-x86_64'
+ optflags='enable-ec_nistp_64_gcc_128'
+ elif [ "${CARCH}" == 'i686' ]; then
+ openssltarget='linux-elf'
+ optflags=''
+ fi
+
+ # mark stack as non-executable: http://bugs.archlinux.org/task/12434
+ ./Configure --prefix=/usr --openssldir=/etc/ssl --libdir=lib \
+ shared no-ssl3-method ${optflags} \
+ "${openssltarget}" \
+ "-Wa,--noexecstack ${CPPFLAGS} ${CFLAGS} ${LDFLAGS} -DPURIFY"
+
+ make depend
+ make
+}
+
+check() {
+ cd $srcdir/openssl-$_ver
+ # the test fails due to missing write permissions in /etc/ssl
+ # revert this patch for make test
+ patch -p0 -R -i $srcdir/ca-dir.patch
+ make test
+ patch -p0 -i $srcdir/ca-dir.patch
+}
+
+package() {
+ cd $srcdir/openssl-$_ver
+ make INSTALL_PREFIX=$pkgdir MANDIR=/usr/share/man MANSUFFIX=ssl install
+ install -D -m644 LICENSE $pkgdir/usr/share/licenses/openssl/LICENSE
+}
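Review bot: The `md5sums` array is the only integrity check on the three local patch files, and MD5 is not collision-resistant; the upstream tarball is additionally covered by the `.asc` signature and `validpgpkeys`, but the patches are not. I would switch the array to `sha256sums=(...)` with one entry per source (keeping `'SKIP'` for the `.asc`) and regenerate `.SRCINFO` so both files agree. Separately, `$srcdir` and `$pkgdir` are expanded unquoted in `prepare()`, `build()`, `check()` and `package()`, so a build directory containing whitespace breaks the `cd`, `patch` and `install` calls; quote them, e.g. `cd "$srcdir/openssl-$_ver"` and `make INSTALL_PREFIX="$pkgdir" MANDIR=/usr/share/man MANSUFFIX=ssl install`. Since the package declares `provides=('openssl')` and `conflicts=('openssl')`, a comment above `pkgname` stating that it replaces the system OpenSSL with a build meant for valgrind debugging would help anyone deciding where to install it.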
diff --git a/ca-dir.patch b/ca-dir.patch
new file mode 100644
index 000000000000..41d1386d3d06
--- /dev/null
+++ b/ca-dir.patch
@@ -0,0 +1,33 @@
+--- apps/CA.pl.in 2006-04-28 02:30:49.000000000 +0200
++++ apps/CA.pl.in 2010-04-01 00:35:02.600553509 +0200
+@@ -53,7 +53,7 @@
+ $X509="$openssl x509";
+ $PKCS12="$openssl pkcs12";
+
+-$CATOP="./demoCA";
++$CATOP="/etc/ssl";
+ $CAKEY="cakey.pem";
+ $CAREQ="careq.pem";
+ $CACERT="cacert.pem";
+--- apps/CA.sh 2009-10-15 19:27:47.000000000 +0200
++++ apps/CA.sh 2010-04-01 00:35:02.600553509 +0200
+@@ -68,7 +68,7 @@
+ X509="$OPENSSL x509"
+ PKCS12="openssl pkcs12"
+
+-if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
++if [ -z "$CATOP" ] ; then CATOP=/etc/ssl ; fi
+ CAKEY=./cakey.pem
+ CAREQ=./careq.pem
+ CACERT=./cacert.pem
+--- apps/openssl.cnf 2009-04-04 20:09:43.000000000 +0200
++++ apps/openssl.cnf 2010-04-01 00:35:02.607220681 +0200
+@@ -39,7 +39,7 @@
+ ####################################################################
+ [ CA_default ]
+
+-dir = ./demoCA # Where everything is kept
++dir = /etc/ssl # Where everything is kept
+ certs = $dir/certs # Where the issued certs are kept
+ crl_dir = $dir/crl # Where the issued crl are kept
+ database = $dir/index.txt # database index file.
diff --git a/no-rpath.patch b/no-rpath.patch
new file mode 100644
index 000000000000..ebd95e23d397
--- /dev/null
+++ b/no-rpath.patch
@@ -0,0 +1,11 @@
+--- Makefile.shared.no-rpath 2005-06-23 22:47:54.000000000 +0200
++++ Makefile.shared 2005-11-16 22:35:37.000000000 +0100
+@@ -153,7 +153,7 @@
+ NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
+
+-DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
++DO_GNU_APP=LDFLAGS="$(CFLAGS)"
+
+ #This is rather special. It's a special target with which one can link
+ #applications without bothering with any features that have anything to
diff --git a/ssl3-test-failure.patch b/ssl3-test-failure.patch
new file mode 100644
index 000000000000..d161c3d4a593
--- /dev/null
+++ b/ssl3-test-failure.patch
@@ -0,0 +1,26 @@
+From: Kurt Roeckx <kurt@roeckx.be>
+Date: Sun, 6 Sep 2015 16:04:11 +0200
+Subject: Disable SSLv3 test in test suite
+
+When testing SSLv3 the test program returns 0 for skip. The test for weak DH
+expects a failure, but gets success.
+
+It should probably be changed to return something other than 0 for a skipped
+test.
+---
+ test/testssl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/test/testssl b/test/testssl
+index 747e4ba..1e4370b 100644
+--- a/test/testssl
++++ b/test/testssl
+@@ -160,7 +160,7 @@ test_cipher() {
+ }
+
+ echo "Testing ciphersuites"
+-for protocol in TLSv1.2 SSLv3; do
++for protocol in TLSv1.2; do
+ echo "Testing ciphersuites for $protocol"
+ for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "RSA+$protocol" | tr ':' ' '`; do
+ test_cipher $cipher $protocol