main/openssl: security upgrade to 0.9.8x and backport padlock fixes

* fix padlock sha1/256 to fallback to software with very large streams
 * fix padlock sha1/256 oneshot finalizing update

main/openssl/0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch

@@ -1,7 +1,8 @@
-From 8290b2ced17ee3d0e52345180ef4fc6d79bc0751 Mon Sep 17 00:00:00 2001
+From ba6e7dcf33277954cb3adc7767555a346906f33c Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
 Date: Fri, 4 Jun 2010 09:48:39 +0300
-Subject: [PATCH 1/3] crypto/hmac: support EVP_MD_CTX_FLAG_ONESHOT and set it properly
+Subject: [PATCH 1/3] crypto/hmac: support EVP_MD_CTX_FLAG_ONESHOT and set it
+ properly
 
 Some engines (namely VIA C7 Padlock) work only if EVP_MD_CTX_FLAG_ONESHOT
 is set before final update. This is because some crypto accelerators cannot
@@ -12,11 +13,11 @@ differently here. It is set before the final EVP_DigestUpdate call, not
 necessarily before EVP_DigestInit call. This will not cause any problems
 though.
 ---
- crypto/hmac/hmac.c |   14 +++++++++++---
- 1 files changed, 11 insertions(+), 3 deletions(-)
+ crypto/hmac/hmac.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
 
 diff --git a/crypto/hmac/hmac.c b/crypto/hmac/hmac.c
-index cbc1c76..a75a35d 100644
+index 6899be6..b157c32 100644
 --- a/crypto/hmac/hmac.c
 +++ b/crypto/hmac/hmac.c
 @@ -68,6 +68,7 @@ void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
@@ -54,7 +55,7 @@ index cbc1c76..a75a35d 100644
  		}
  	EVP_MD_CTX_copy_ex(&ctx->md_ctx,&ctx->i_ctx);
  	}
-@@ -166,7 +173,8 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
+@@ -163,7 +170,8 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
  
  	if (md == NULL) md=m;
  	HMAC_CTX_init(&c);
@@ -64,7 +65,7 @@ index cbc1c76..a75a35d 100644
  	HMAC_Update(&c,d,n);
  	HMAC_Final(&c,md,md_len);
  	HMAC_CTX_cleanup(&c);
-@@ -176,8 +184,8 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
+@@ -173,8 +181,8 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
  void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags)
  	{
  	EVP_MD_CTX_set_flags(&ctx->i_ctx, flags);
@@ -76,5 +77,5 @@ index cbc1c76..a75a35d 100644
  
  #endif
 -- 
-1.7.0.4
+1.7.11.3
 

main/openssl/0002-apps-speed-fix-digest-speed-measurement-and-add-hmac.patch

@@ -1,7 +1,8 @@
-From 711ae63d2c715a34b15262b4dd4a48b09f02a400 Mon Sep 17 00:00:00 2001
+From 942f1af93b1cafbb4439aec0018da099af09a934 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
 Date: Thu, 3 Jun 2010 09:02:13 +0300
-Subject: [PATCH 2/3] apps/speed: fix digest speed measurement and add hmac-sha1 test
+Subject: [PATCH 2/3] apps/speed: fix digest speed measurement and add
+ hmac-sha1 test
 
 Merge the common code of testing digest speed, and make it reuse
 existing context. Context creation can be heavy operation, and it's
@@ -11,11 +12,11 @@ like hmac tests do.
 
 This also adds test for hmac-sha1 speed.
 ---
- apps/speed.c |  232 ++++++++++++++++++++++------------------------------------
- 1 files changed, 87 insertions(+), 145 deletions(-)
+ apps/speed.c | 232 ++++++++++++++++++++++-------------------------------------
+ 1 file changed, 87 insertions(+), 145 deletions(-)
 
 diff --git a/apps/speed.c b/apps/speed.c
-index 393a7ba..6e375c6 100644
+index 84ce35d..116cf82 100644
 --- a/apps/speed.c
 +++ b/apps/speed.c
 @@ -285,7 +285,7 @@ static void print_result(int alg,int run_no,int count,double time_used);
@@ -107,7 +108,7 @@ index 393a7ba..6e375c6 100644
  
  #ifndef OPENSSL_NO_ECDH
  static const int KDF1_SHA1_len = 20;
-@@ -503,7 +565,6 @@ int MAIN(int argc, char **argv)
+@@ -500,7 +562,6 @@ int MAIN(int, char **);
  
  int MAIN(int argc, char **argv)
  	{
@@ -115,7 +116,7 @@ index 393a7ba..6e375c6 100644
  	int mret=1;
  	long count=0,save_count=0;
  	int i,j,k;
-@@ -514,31 +575,6 @@ int MAIN(int argc, char **argv)
+@@ -511,31 +572,6 @@ int MAIN(int argc, char **argv)
  	unsigned rsa_num;
  #endif
  	unsigned char md[EVP_MAX_MD_SIZE];
@@ -147,7 +148,7 @@ index 393a7ba..6e375c6 100644
  #ifndef OPENSSL_NO_RC4
  	RC4_KEY rc4_ks;
  #endif
-@@ -635,8 +671,8 @@ int MAIN(int argc, char **argv)
+@@ -631,8 +667,8 @@ int MAIN(int argc, char **argv)
  #define D_IGE_128_AES   25
  #define D_IGE_192_AES   26
  #define D_IGE_256_AES   27
@@ -157,7 +158,7 @@ index 393a7ba..6e375c6 100644
  #define	R_DSA_512	0
  #define	R_DSA_1024	1
  #define	R_DSA_2048	2
-@@ -945,6 +981,8 @@ int MAIN(int argc, char **argv)
+@@ -938,6 +974,8 @@ int MAIN(int argc, char **argv)
  							doit[D_SHA256]=1,
  							doit[D_SHA512]=1;
  		else
@@ -166,7 +167,7 @@ index 393a7ba..6e375c6 100644
  #ifndef OPENSSL_NO_SHA256
  			if (strcmp(*argv,"sha256") == 0) doit[D_SHA256]=1;
  		else
-@@ -1158,6 +1196,9 @@ int MAIN(int argc, char **argv)
+@@ -1151,6 +1189,9 @@ int MAIN(int argc, char **argv)
  #endif
  #ifndef OPENSSL_NO_SHA1
  			BIO_printf(bio_err,"sha1     ");
@@ -176,7 +177,7 @@ index 393a7ba..6e375c6 100644
  #endif
  #ifndef OPENSSL_NO_SHA256
  			BIO_printf(bio_err,"sha256   ");
-@@ -1420,6 +1461,7 @@ int MAIN(int argc, char **argv)
+@@ -1414,6 +1455,7 @@ int MAIN(int argc, char **argv)
  	c[D_IGE_128_AES][0]=count;
  	c[D_IGE_192_AES][0]=count;
  	c[D_IGE_256_AES][0]=count;
@@ -184,7 +185,7 @@ index 393a7ba..6e375c6 100644
  
  	for (i=1; i<SIZE_NUM; i++)
  		{
-@@ -1432,6 +1474,7 @@ int MAIN(int argc, char **argv)
+@@ -1426,6 +1468,7 @@ int MAIN(int argc, char **argv)
  		c[D_RMD160][i]=c[D_RMD160][0]*4*lengths[0]/lengths[i];
  		c[D_SHA256][i]=c[D_SHA256][0]*4*lengths[0]/lengths[i];
  		c[D_SHA512][i]=c[D_SHA512][0]*4*lengths[0]/lengths[i];
@@ -192,7 +193,7 @@ index 393a7ba..6e375c6 100644
  		}
  	for (i=1; i<SIZE_NUM; i++)
  		{
-@@ -1606,160 +1649,59 @@ int MAIN(int argc, char **argv)
+@@ -1600,160 +1643,59 @@ int MAIN(int argc, char **argv)
  		}
  #endif
  
@@ -369,5 +370,5 @@ index 393a7ba..6e375c6 100644
  #ifndef OPENSSL_NO_RC4
  	if (doit[D_RC4])
 -- 
-1.7.0.4
+1.7.11.3
 

main/openssl/0003-engine-padlock-implement-sha1-sha224-sha256-accelera.patch

@@ -1,7 +1,8 @@
-From 9fe6001d9b7a35a12a6a282677c79fd56eeaf99c Mon Sep 17 00:00:00 2001
+From c0a6d4b6d7b2a9c835efa4c05af610a148eb12cf Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
 Date: Fri, 4 Jun 2010 10:00:15 +0300
-Subject: [PATCH 3/3] engine/padlock: implement sha1/sha224/sha256 acceleration
+Subject: [PATCH 3/3] engine/padlock: implement sha1/sha224/sha256
+ acceleration
 
 Limited support for VIA C7 that works only when EVP_MD_CTX_FLAG_ONESHOT
 is used appropriately (as done by EVP_Digest, and my previous HMAC patch).
@@ -24,11 +25,11 @@ sha1         37713.77k   114562.71k   259637.33k   379907.41k   438818.13k
 sha256       34262.86k   103233.75k   232476.07k   338386.60k   389860.01k
 hmac(sha1)    8424.70k    31475.11k   104036.10k   245559.30k   406667.26k
 ---
- crypto/engine/eng_padlock.c |  597 +++++++++++++++++++++++++++++++++++++++---
- 1 files changed, 554 insertions(+), 43 deletions(-)
+ crypto/engine/eng_padlock.c | 599 ++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 556 insertions(+), 43 deletions(-)
 
 diff --git a/crypto/engine/eng_padlock.c b/crypto/engine/eng_padlock.c
-index 743558a..28ec0f7 100644
+index 743558a..c82d0f3 100644
 --- a/crypto/engine/eng_padlock.c
 +++ b/crypto/engine/eng_padlock.c
 @@ -3,6 +3,9 @@
@@ -41,7 +42,7 @@ index 743558a..28ec0f7 100644
   * Big thanks to Andy Polyakov for a help with optimization, 
   * assembler fixes, port to MS Windows and a lot of other 
   * valuable work on this engine!
-@@ -74,12 +77,23 @@
+@@ -74,12 +77,25 @@
  #ifndef OPENSSL_NO_AES
  #include <openssl/aes.h>
  #endif
@@ -61,11 +62,13 @@ index 743558a..28ec0f7 100644
 +#ifdef _MSC_VER
 +#define OPENSSL_NO_SHA
 +#endif
++
++#define PADLOCK_MAX_FINALIZING_LENGTH	0x1FFFFFFE
 +
  /* Attempt to have a single source for both 0.9.7 and 0.9.8 :-) */
  #if (OPENSSL_VERSION_NUMBER >= 0x00908000L)
  #  ifndef OPENSSL_NO_DYNAMIC_ENGINE
-@@ -138,58 +152,40 @@ static int padlock_available(void);
+@@ -138,58 +154,40 @@ static int padlock_available(void);
  static int padlock_init(ENGINE *e);
  
  /* RNG Stuff */
@@ -87,10 +90,10 @@ index 743558a..28ec0f7 100644
 -#ifndef OPENSSL_NO_AES
 -static int padlock_aes_align_required = 1;
 -#endif
--
--/* ===== Engine "management" functions ===== */
 +static int padlock_bind_helper(ENGINE *e);
  
+-/* ===== Engine "management" functions ===== */
+-
 -/* Prepare the ENGINE structure for registration */
 -static int
 -padlock_bind_helper(ENGINE *e)
@@ -145,7 +148,7 @@ index 743558a..28ec0f7 100644
  
  /* Constructor */
  static ENGINE *
-@@ -213,7 +209,7 @@ ENGINE_padlock(void)
+@@ -213,7 +211,7 @@ ENGINE_padlock(void)
  static int
  padlock_init(ENGINE *e)
  {
@@ -154,7 +157,7 @@ index 743558a..28ec0f7 100644
  }
  
  /* This stuff is needed if this ENGINE is being compiled into a self-contained
-@@ -365,10 +361,20 @@ padlock_available(void)
+@@ -365,10 +363,20 @@ padlock_available(void)
  		: "+a"(eax), "=d"(edx) : : "ecx");
  
  	/* Fill up some flags */
@@ -178,7 +181,7 @@ index 743558a..28ec0f7 100644
  }
  
  #ifndef OPENSSL_NO_AES
-@@ -1157,6 +1163,454 @@ padlock_aes_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
+@@ -1157,6 +1165,454 @@ padlock_aes_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out_arg,
  
  #endif /* OPENSSL_NO_AES */
  
@@ -239,9 +242,9 @@ index 743558a..28ec0f7 100644
 +	total += len;
 +
 +	if ((ctx->flags & EVP_MD_CTX_FLAG_ONESHOT) &&
-+	    (total <= 0xfffffffe)) {
++	    (total <= PADLOCK_MAX_FINALIZING_LENGTH)) {
 +		if (c->num != 0) {
-+			l = (len < SHA_CBLOCK) ? len : SHA_CBLOCK;
++			l = (len < SHA_CBLOCK - c->num) ? len : SHA_CBLOCK - c->num;
 +			if (!SHA1_Update(c, data, l))
 +				return 0;
 +			p += l;
@@ -417,9 +420,9 @@ index 743558a..28ec0f7 100644
 +	total += len;
 +
 +	if ((ctx->flags & EVP_MD_CTX_FLAG_ONESHOT) &&
-+	    (total <= 0xfffffffe)) {
++	    (total <= PADLOCK_MAX_FINALIZING_LENGTH)) {
 +		if (c->num != 0) {
-+			l = (len < SHA256_CBLOCK) ? len : SHA256_CBLOCK;
++			l = (len < SHA256_CBLOCK - c->num) ? len : SHA256_CBLOCK - c->num;
 +			if (!SHA256_Update(c, data, l))
 +				return 0;
 +			p += l;
@@ -633,7 +636,7 @@ index 743558a..28ec0f7 100644
  /* ===== Random Number Generator ===== */
  /*
   * This code is not engaged. The reason is that it does not comply
-@@ -1213,7 +1667,64 @@ static RAND_METHOD padlock_rand = {
+@@ -1213,7 +1669,64 @@ static RAND_METHOD padlock_rand = {
  	padlock_rand_status,	/* rand status */
  };
  
@@ -699,5 +702,5 @@ index 743558a..28ec0f7 100644
  #endif /* !OPENSSL_NO_HW_PADLOCK */
  #endif /* !OPENSSL_NO_HW */
 -- 
-1.7.0.4
+1.7.11.3
 

main/openssl/APKBUILD

@@ -1,6 +1,6 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=openssl
-pkgver=0.9.8r
+pkgver=0.9.8x
 pkgrel=0
 pkgdesc="Toolkit for SSL v2/v3 and TLS v1"
 url=http://openssl.org
@@ -50,9 +50,9 @@ libcrypto() {
 	mv "$pkgdir"/usr/lib/engines "$subpkgdir"/usr/lib/
 }
 
-md5sums="0352932ea863bc02b056cda7c9ac5b79  openssl-0.9.8r.tar.gz
+md5sums="ee17e9bc805c8cc7d0afac3b0ef78eda  openssl-0.9.8x.tar.gz
 19615785a671129bae790478f073da2c  openssl-0.9.8o-fix-manpages.patch
 c6a9857a5dbd30cead0404aa7dd73977  openssl-bb-basename.patch
-2f370b846d8f27ac45dd6e5341366e16  0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
-9ba0ecf53f8b60ff8703a1ffe5b3e701  0002-apps-speed-fix-digest-speed-measurement-and-add-hmac.patch
-e262418b20a05c2af12d464ac194ea21  0003-engine-padlock-implement-sha1-sha224-sha256-accelera.patch"
+5e5366fbc7c60c110dbcc603d2fb3a94  0001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch
+d193bee38f342b1eeb24bd0f444d15fa  0002-apps-speed-fix-digest-speed-measurement-and-add-hmac.patch
+f920a35ac705a9ce0f44547f96441d77  0003-engine-padlock-implement-sha1-sha224-sha256-accelera.patch"