diff mbox

[0/1] OpenSSL 1.1.0

Message ID 20160904022049.GA30856@jasmine
State New
Headers show

Commit Message

Leo Famulari Sept. 4, 2016, 2:20 a.m. UTC
On Sat, Sep 03, 2016 at 04:34:51PM +0200, Ludovic Courtès wrote:
> Yes, but as long the ‘openssl’ refers to 1.0.x, it doesn’t really matter
> than the “openssl” package points to the latest one, no?  Use can still
> run “guix package -i openssl@1.0” if they want.

Oh, right :)

I've attached a patch for review.
From 2e6f500c7876733206e231fd98ebe7419d9b076f Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Fri, 2 Sep 2016 16:07:29 -0400
Subject: [PATCH] gnu: Add openssl-next.

* gnu/packages/tls.scm (openssl-next): New variable.
* gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
---
 gnu/local.mk                                       |   1 +
 .../patches/openssl-1.1.0-c-rehash-in.patch        |  19 ++++
 gnu/packages/tls.scm                               | 110 +++++++++++++++++++++
 3 files changed, 130 insertions(+)
 create mode 100644 gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch

Comments

Leo Famulari Sept. 4, 2016, 2:48 a.m. UTC | #1
On Sat, Sep 03, 2016 at 10:20:49PM -0400, Leo Famulari wrote:
> On Sat, Sep 03, 2016 at 04:34:51PM +0200, Ludovic Courtès wrote:
> > Yes, but as long the ‘openssl’ refers to 1.0.x, it doesn’t really matter
> > than the “openssl” package points to the latest one, no?  Use can still
> > run “guix package -i openssl@1.0” if they want.
> 
> Oh, right :)
> 
> I've attached a patch for review.

By the way, if you run `guix lint`, you will see a warning about
CVE-2016-2183. I think we will be unaffected; this vulnerability will
only manifest if we build with "--enable-weak-ssl-ciphers".

https://www.openssl.org/blog/blog/2016/08/24/sweet32/
Ludovic Courtès Sept. 5, 2016, 8:35 p.m. UTC | #2
Leo Famulari <leo@famulari.name> skribis:

> From 2e6f500c7876733206e231fd98ebe7419d9b076f Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Fri, 2 Sep 2016 16:07:29 -0400
> Subject: [PATCH] gnu: Add openssl-next.
>
> * gnu/packages/tls.scm (openssl-next): New variable.
> * gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.

[...]

> +    (arguments
> +     `(#:disallowed-references (,perl)
> +       #:parallel-build? #f
> +       #:parallel-tests? #f
> +       #:test-target "test"
> +
> +       ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
> +       ;; so we explicitly disallow it here.
> +       #:disallowed-references ,(list (canonical-package perl))
> +       #:phases

Seems like most of the arguments and phases are shared with ‘openssl’,
right?  What about using ‘substitute-keyword-arguments’ to reduce
duplication?  Or are you concerned about potential breakage when one
series or the other changes?

  (arguments
   (substitute-keyword-arguments (package-arguments openssl)
     ((#:phase phases)
      `(modify-phases ,phases
         (add-after 'something 'some-openssl-1.1-specific-phase …)))))

Thanks!

Ludo’.
diff mbox

Patch

diff --git a/gnu/local.mk b/gnu/local.mk
index efb00b9..0c2740d 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -699,6 +699,7 @@  dist_patch_DATA =						\
   %D%/packages/patches/openjpeg-CVE-2015-6581.patch		\
   %D%/packages/patches/openjpeg-use-after-free-fix.patch	\
   %D%/packages/patches/openssl-runpath.patch			\
+  %D%/packages/patches/openssl-1.1.0-c-rehash-in.patch		\
   %D%/packages/patches/openssl-c-rehash-in.patch		\
   %D%/packages/patches/openssl-CVE-2016-2177.patch		\
   %D%/packages/patches/openssl-CVE-2016-2178.patch		\
diff --git a/gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch b/gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch
new file mode 100644
index 0000000..e3a982b
--- /dev/null
+++ b/gnu/packages/patches/openssl-1.1.0-c-rehash-in.patch
@@ -0,0 +1,19 @@ 
+This patch removes the explicit reference to the 'perl' binary,
+such that OpenSSL does not retain a reference to Perl.
+
+The 'c_rehash' program is seldom used, but it is used nonetheless
+to create symbolic links to certificates, for instance in the 'nss-certs'
+package.
+
+diff --git a/tools/c_rehash.in b/tools/c_rehash.in
+index 2fef627..9d40eae 100644
+--- a/tools/c_rehash.in
++++ b/tools/c_rehash.in
+@@ -1,4 +1,6 @@
+-#!{- $config{hashbangperl} -}
++eval '(exit $?0)' && eval 'exec perl -wS "$0" ${1+"$@"}'
++  & eval 'exec perl -wS "$0" $argv:q'
++    if 0;
+ 
+ # {- join("\n# ", @autowarntext) -}
+ # Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 4b87150..040a48a 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -323,6 +323,116 @@  required structures.")
    (license license:openssl)
    (home-page "http://www.openssl.org/")))
 
+(define-public openssl-next
+  (package
+    (inherit openssl)
+    (name "openssl")
+    (version "1.1.0")
+    (source (origin
+             (method url-fetch)
+             (uri (list (string-append "ftp://ftp.openssl.org/source/"
+                                       name "-" version ".tar.gz")
+                        (string-append "ftp://ftp.openssl.org/source/old/"
+                                       (string-trim-right version char-set:letter)
+                                       "/" name "-" version ".tar.gz")))
+              (patches (search-patches "openssl-1.1.0-c-rehash-in.patch"))
+              (sha256
+               (base32
+                "10lcpmnxap9nw8ymdglys93cgkwd1lf1rz4fhq5whwhlmkwrzipm"))))
+    (outputs '("out"
+               "doc"        ;1.3MiB of man3 pages
+               "static"))   ; 5.5MiB of .a files
+    (arguments
+     `(#:disallowed-references (,perl)
+       #:parallel-build? #f
+       #:parallel-tests? #f
+       #:test-target "test"
+
+       ;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
+       ;; so we explicitly disallow it here.
+       #:disallowed-references ,(list (canonical-package perl))
+       #:phases
+       (modify-phases %standard-phases
+         (add-after 'configure 'patch-runpath
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let ((lib (string-append (assoc-ref outputs "out") "/lib")))
+               (substitute* "Makefile.shared"
+                 (("\\$\\$\\{SHAREDCMD\\} \\$\\$\\{SHAREDFLAGS\\}")
+                  (string-append "$${SHAREDCMD} $${SHAREDFLAGS}"
+                                 " -Wl,-rpath," lib)))
+               #t)))
+         (replace
+          'configure
+          (lambda* (#:key outputs #:allow-other-keys)
+            (let ((out (assoc-ref outputs "out")))
+              (zero?
+               (system* "./config"
+                        "shared"                   ;build shared libraries
+                        "--libdir=lib"
+
+                        ;; The default for this catch-all directory is
+                        ;; PREFIX/ssl.  Change that to something more
+                        ;; conventional.
+                        (string-append "--openssldir=" out
+                                       "/share/openssl-" ,version)
+
+                        (string-append "--prefix=" out)
+
+                        ;; XXX FIXME: Work around a code generation bug in GCC
+                        ;; 4.9.3 on ARM when compiled with -mfpu=neon.  See:
+                        ;; <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66917>
+                        ,@(if (and (not (%current-target-system))
+                                   (string-prefix? "armhf" (%current-system)))
+                              '("-mfpu=vfpv3")
+                              '()))))))
+         (add-after
+          'install 'make-libraries-writable
+          (lambda* (#:key outputs #:allow-other-keys)
+            ;; Make libraries writable so that 'strip' does its job.
+            (let ((out (assoc-ref outputs "out")))
+              (for-each (lambda (file)
+                          (chmod file #o644))
+                        (find-files (string-append out "/lib")
+                                    "\\.so"))
+              #t)))
+         (add-after 'install 'move-static-libraries
+           (lambda* (#:key outputs #:allow-other-keys)
+             ;; Move static libraries to the "static" output.
+             (let* ((out    (assoc-ref outputs "out"))
+                    (lib    (string-append out "/lib"))
+                    (static (assoc-ref outputs "static"))
+                    (slib   (string-append static "/lib")))
+               (mkdir-p slib)
+               (for-each (lambda (file)
+                           (install-file file slib)
+                           (delete-file file))
+                         (find-files lib "\\.a$"))
+               #t)))
+         (add-after 'install 'move-man3-pages
+           (lambda* (#:key outputs #:allow-other-keys)
+             ;; Move section 3 man pages to "doc".
+             (let* ((out    (assoc-ref outputs "out"))
+                    (man3   (string-append out "/share/man/man3"))
+                    (doc    (assoc-ref outputs "doc"))
+                    (target (string-append doc "/share/man/man3")))
+               (mkdir-p target)
+               (for-each (lambda (file)
+                           (rename-file file
+                                        (string-append target "/"
+                                                       (basename file))))
+                         (find-files man3))
+               (delete-file-recursively man3)
+               #t)))
+         (add-after
+          'install 'remove-miscellany
+          (lambda* (#:key outputs #:allow-other-keys)
+            ;; The 'misc' directory contains random undocumented shell and Perl
+            ;; scripts.  Remove them to avoid retaining a reference on Perl.
+            (let ((out (assoc-ref outputs "out")))
+              (delete-file-recursively (string-append out "/share/openssl-"
+                                                      ,version "/misc"))
+              #t))))))))
+
 (define-public libressl
   (package
     (name "libressl")