Diffstat (limited to 'security/openssl-unsafe/files')
-rw-r--r--security/openssl-unsafe/files/extra-patch-test_testssl15
-rw-r--r--security/openssl-unsafe/files/patch-Configure45
-rw-r--r--security/openssl-unsafe/files/patch-RFC-570537
-rw-r--r--security/openssl-unsafe/files/patch-apps_Makefile11
-rw-r--r--security/openssl-unsafe/files/patch-config19
-rw-r--r--security/openssl-unsafe/files/pkg-message.in8
6 files changed, 135 insertions, 0 deletions
diff --git a/security/openssl-unsafe/files/extra-patch-test_testssl b/security/openssl-unsafe/files/extra-patch-test_testssl
new file mode 100644
index 000000000000..3fc5d7945116
--- /dev/null
+++ b/security/openssl-unsafe/files/extra-patch-test_testssl
@@ -0,0 +1,15 @@
+Disable SSLv3 test when built without SSL3 option disabled
+
+ - Test for weak DH fails when enabled
+
+--- test/testssl.orig 2017-04-27 12:23:44 UTC
++++ test/testssl
+@@ -160,7 +160,7 @@ test_cipher() {
+ }
+ set -x
+ echo "Testing ciphersuites"
+-for protocol in TLSv1.2 SSLv3; do
++for protocol in TLSv1.2; do
+ echo "Testing ciphersuites for $protocol"
+ for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "RSA+$protocol" | tr ':' ' '`; do
+ test_cipher $cipher $protocol
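Review bot: The description at the top of this patch, `Disable SSLv3 test when built without SSL3 option disabled`, is a double negative and does not say when the patch applies. Assuming the intent is what the change suggests, `Disable the SSLv3 ciphersuite test when the port is built without SSLv3 support` would be clearer. The second line, `Test for weak DH fails when enabled`, does not obviously relate to the one-line change to the `for protocol` loop and should be explained or dropped. The loop body continues outside the inner hunk.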
diff --git a/security/openssl-unsafe/files/patch-Configure b/security/openssl-unsafe/files/patch-Configure
new file mode 100644
index 000000000000..9b223546482e
--- /dev/null
+++ b/security/openssl-unsafe/files/patch-Configure
@@ -0,0 +1,45 @@
+--- Configure.orig 2017-07-06 01:00:00 UTC
++++ Configure
+@@ -477,19 +477,20 @@ my %table=(
+ "android-mips","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+
+ #### *BSD [do see comment about ${BSDthreads} above!]
+-"BSD-generic32","gcc:-O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"BSD-x86", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"BSD-x86-elf", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"debug-BSD-x86-elf", "gcc:-DL_ENDIAN -O3 -Wall -g::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"BSD-sparcv8", "gcc:-DB_ENDIAN -O3 -mcpu=v8 -Wall::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${sparcv8_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"BSD-generic32","$ENV{'FREEBSDCC'}:-O3 -fomit-frame-pointer -Wall $ENV{'CFLAGS'}::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIBVER)",
++"BSD-x86", "$ENV{'FREEBSDCC'}:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall $ENV{'CFLAGS'}::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIBVER)",
++"BSD-x86-elf", "$ENV{'FREEBSDCC'}:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall $ENV{'CFLAGS'}::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIBVER)",
++"debug-BSD-x86-elf", "$ENV{'FREEBSDCC'}:-DL_ENDIAN -O3 -Wall -g $ENV{'CFLAGS'}::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIBVER)",
++"BSD-sparcv8", "$ENV{'FREEBSDCC'}:-DB_ENDIAN -O3 -mcpu=v8 -Wall $ENV{'CFLAGS'}::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${sparcv8_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIBVER)",
+
+-"BSD-generic64","gcc:-O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"BSD-generic64","$ENV{'FREEBSDCC'}:-O3 -Wall $ENV{'CFLAGS'}::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIBVER)",
+ # -DMD32_REG_T=int doesn't actually belong in sparc64 target, it
+ # simply *happens* to work around a compiler bug in gcc 3.3.3,
+ # triggered by RIPEMD160 code.
+-"BSD-sparc64", "gcc:-DB_ENDIAN -O3 -DMD32_REG_T=int -Wall::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC2 BF_PTR:${sparcv9_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"BSD-ia64", "gcc:-DL_ENDIAN -O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"BSD-x86_64", "cc:-DL_ENDIAN -O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"BSD-sparc64", "$ENV{'FREEBSDCC'}:-DB_ENDIAN -O3 -DMD32_REG_T=int -Wall $ENV{'CFLAGS'}::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC2 BF_PTR:${sparcv9_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIBVER)",
++"BSD-ia64", "$ENV{'FREEBSDCC'}:-DL_ENDIAN -O3 -Wall $ENV{'CFLAGS'}::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIBVER)",
++"BSD-x86_64", "$ENV{'FREEBSDCC'}:-DL_ENDIAN -O3 -Wall $ENV{'CFLAGS'}::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIBVER)",
++"BSD-alpha", "$ENV{'FREEBSDCC'}:-DL_ENDIAN -O -Wall $ENV{'CFLAGS'}::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIBVER)",
+
+ "bsdi-elf-gcc", "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall::(unknown)::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+
+@@ -2075,10 +2076,12 @@ EOF
+ if ( $perl =~ m@^/@) {
+ &dofile("tools/c_rehash",$perl,'^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";', '^my \$prefix;$', 'my $prefix = "' . $prefix . '";');
+ &dofile("apps/CA.pl",$perl,'^#!/', '#!%s');
++ &dofile("apps/tsget",$perl,'^#!/', '#!%s');
+ } else {
+ # No path for Perl known ...
+ &dofile("tools/c_rehash",'/usr/local/bin/perl','^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";', '^my \$prefix;$', 'my $prefix = "' . $prefix . '";');
+ &dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s');
++ &dofile("apps/tsget",'/usr/local/bin/perl',,'^#!/', '#!%s');
+ }
+ if ($depflags ne $default_depflags && !$make_depend) {
+ $warn_make_depend++;
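Review bot: The `tsget` line added in the `else` branch has a doubled comma (`'/usr/local/bin/perl',,'^#!/'`) that the matching line in the `if` branch does not have. Perl probably tolerates the empty list element, but the line should read `&dofile("apps/tsget",'/usr/local/bin/perl','^#!/', '#!%s');`. Separately, the BSD table entries now take the compiler from `$ENV{'FREEBSDCC'}` with no fallback, so running Configure without that variable exported would leave the compiler field empty. A `CFLAGS` value containing `:` would also shift the colon-separated fields. A short comment above the `#### *BSD` block saying that the ports framework must export both variables would document that dependency.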
diff --git a/security/openssl-unsafe/files/patch-RFC-5705 b/security/openssl-unsafe/files/patch-RFC-5705
new file mode 100644
index 000000000000..888e82ab7c7b
--- /dev/null
+++ b/security/openssl-unsafe/files/patch-RFC-5705
@@ -0,0 +1,37 @@
+--- ssl/ssl.h.orig 2017-07-06 01:00:00 UTC
++++ ssl/ssl.h
+@@ -2598,6 +2598,10 @@ const char *SSL_CIPHER_standard_name(con
+ const struct openssl_ssl_test_functions *SSL_test_functions(void);
+ # endif
+
++void SSL_tls1_key_exporter(SSL *s, unsigned char *label, int label_len,
++ unsigned char *context, int context_len,
++ unsigned char *out, int olen);
++
+ /* BEGIN ERROR CODES */
+ /*
+ * The following lines are auto generated by the script mkerr.pl. Any changes
+--- ssl/t1_enc.c.orig 2017-07-06 01:00:00 UTC
++++ ssl/t1_enc.c
+@@ -1461,6 +1461,21 @@ int tls1_export_keying_material(SSL *s,
+ return (rv);
+ }
+
++void SSL_tls1_key_exporter(SSL *s, unsigned char *label, int label_len,
++ unsigned char *context, int context_len,
++ unsigned char *out, int olen)
++ {
++ unsigned char tmp[olen];
++
++ tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
++ label, label_len,
++ s->s3->client_random,SSL3_RANDOM_SIZE,
++ s->s3->server_random,SSL3_RANDOM_SIZE,
++ context, context_len, NULL, 0,
++ s->session->master_key, s->session->master_key_length,
++ out, tmp, olen);
++ }
++
+ int tls1_alert_code(int code)
+ {
+ switch (code) {
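Review bot: `SSL_tls1_key_exporter` allocates `unsigned char tmp[olen]` on the stack from a caller-supplied `int` with no bounds check, so a negative or very large `olen` is undefined behaviour or a stack overflow. It also dereferences `s->s3->tmp.new_cipher` and `s->session` without checking that a handshake has populated them, and it returns `void`, so the caller cannot tell whether `out` was filled. The scratch buffer holds PRF output derived from the master key and is never cleansed. The sketch below validates the inputs, uses a heap buffer, wipes it and returns a status; it assumes `tls1_PRF` returns an int status in this tree, and the prototype added to `ssl/ssl.h` would need the same return-type change. The existing `tls1_export_keying_material` directly above may already cover this use and is worth checking before adding a second exporter.

```c
int SSL_tls1_key_exporter(SSL *s, unsigned char *label, int label_len,
                          unsigned char *context, int context_len,
                          unsigned char *out, int olen)
{
    unsigned char *tmp;
    int ok;

    /* Reject bad lengths and sessions with no negotiated cipher or master key. */
    if (olen <= 0 || label_len < 0 || context_len < 0)
        return 0;
    if (s == NULL || s->s3 == NULL || s->s3->tmp.new_cipher == NULL
        || s->session == NULL)
        return 0;

    tmp = OPENSSL_malloc(olen);
    if (tmp == NULL)
        return 0;

    ok = tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
                  /* … unchanged: label, randoms, context, master key … */
                  out, tmp, olen);

    /* Scratch buffer holds key-derived bytes: wipe before release. */
    OPENSSL_cleanse(tmp, olen);
    OPENSSL_free(tmp);
    return ok;
}
```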
diff --git a/security/openssl-unsafe/files/patch-apps_Makefile b/security/openssl-unsafe/files/patch-apps_Makefile
new file mode 100644
index 000000000000..421575524703
--- /dev/null
+++ b/security/openssl-unsafe/files/patch-apps_Makefile
@@ -0,0 +1,11 @@
+--- apps/Makefile.orig 2017-07-06 01:00:00 UTC
++++ apps/Makefile
+@@ -118,7 +118,7 @@ install:
+ done
+ @cp openssl.cnf $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \
+ chmod 644 $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \
+- mv -f $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf
++ mv -f $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.sample
+
+ tags:
+ ctags $(SRC)
diff --git a/security/openssl-unsafe/files/patch-config b/security/openssl-unsafe/files/patch-config
new file mode 100644
index 000000000000..f1e017098bb0
--- /dev/null
+++ b/security/openssl-unsafe/files/patch-config
@@ -0,0 +1,19 @@
+--- config.orig 2017-07-06 01:00:00 UTC
++++ config
+@@ -753,14 +753,8 @@ case "$GUESSOS" in
+ sparc64-*-*bsd*) OUT="BSD-sparc64" ;;
+ ia64-*-*bsd*) OUT="BSD-ia64" ;;
+ amd64-*-*bsd*) OUT="BSD-x86_64" ;;
+- *86*-*-*bsd*) # mimic ld behaviour when it's looking for libc...
+- if [ -L /usr/lib/libc.so ]; then # [Free|Net]BSD
+- libc=/usr/lib/libc.so
+- else # OpenBSD
+- # ld searches for highest libc.so.* and so do we
+- libc=`(ls /usr/lib/libc.so.* /lib/libc.so.* | tail -1) 2>/dev/null`
+- fi
+- case "`(file -L $libc) 2>/dev/null`" in
++ *86*-*-*bsd*)
++ case "`(file -L /bin/sh) 2>/dev/null`" in
+ *ELF*) OUT="BSD-x86-elf" ;;
+ *) OUT="BSD-x86"; options="$options no-sse2" ;;
+ esac ;;
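Review bot: The new probe `file -L /bin/sh` still discards stderr and falls through to `*) OUT="BSD-x86"; options="$options no-sse2"`. A build environment where file(1) is missing or fails would therefore silently select the a.out target with SSE2 disabled instead of stopping. A comment above the probe, such as `# probe the base system's /bin/sh to tell ELF from a.out (libc.so lookup removed)`, would record why the libc search was dropped. The fallback branch could also print a warning before choosing `BSD-x86`. The enclosing `case "$GUESSOS"` continues outside the hunk.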
diff --git a/security/openssl-unsafe/files/pkg-message.in b/security/openssl-unsafe/files/pkg-message.in
new file mode 100644
index 000000000000..faa27e6e382d
--- /dev/null
+++ b/security/openssl-unsafe/files/pkg-message.in
@@ -0,0 +1,8 @@
+/!\ ================================ /!\ ============================== /!\
+/!\ /!\
+/!\ This openssl version is for security testing/scanning purposes only /!\
+/!\ /!\
+/!\ DO NOT USE FOR PRODUCTION PURPOSES /!\
+/!\ /!\
+/!\ ================================ /!\ ============================== /!\
+