head 1.13; access; symbols pkgsrc-2013Q2:1.13.0.16 pkgsrc-2013Q2-base:1.13 pkgsrc-2012Q4:1.13.0.14 pkgsrc-2012Q4-base:1.13 pkgsrc-2011Q4:1.13.0.12 pkgsrc-2011Q4-base:1.13 pkgsrc-2011Q2:1.13.0.10 pkgsrc-2011Q2-base:1.13 pkgsrc-2009Q4:1.13.0.8 pkgsrc-2009Q4-base:1.13 pkgsrc-2008Q4:1.13.0.6 pkgsrc-2008Q4-base:1.13 pkgsrc-2008Q3:1.13.0.4 pkgsrc-2008Q3-base:1.13 cube-native-xorg:1.13.0.2 cube-native-xorg-base:1.13 pkgsrc-2008Q2:1.12.0.4 pkgsrc-2008Q2-base:1.12 cwrapper:1.12.0.2 pkgsrc-2008Q1:1.11.0.26 pkgsrc-2008Q1-base:1.11 pkgsrc-2007Q4:1.11.0.24 pkgsrc-2007Q4-base:1.11 pkgsrc-2007Q3:1.11.0.22 pkgsrc-2007Q3-base:1.11 pkgsrc-2007Q2:1.11.0.20 pkgsrc-2007Q2-base:1.11 pkgsrc-2007Q1:1.11.0.18 pkgsrc-2007Q1-base:1.11 pkgsrc-2006Q4:1.11.0.16 pkgsrc-2006Q4-base:1.11 pkgsrc-2006Q3:1.11.0.14 pkgsrc-2006Q3-base:1.11 pkgsrc-2006Q2:1.11.0.12 pkgsrc-2006Q2-base:1.11 pkgsrc-2006Q1:1.11.0.10 pkgsrc-2006Q1-base:1.11 pkgsrc-2005Q4:1.11.0.8 pkgsrc-2005Q4-base:1.11 pkgsrc-2005Q3:1.11.0.6 pkgsrc-2005Q3-base:1.11 pkgsrc-2005Q2:1.11.0.4 pkgsrc-2005Q2-base:1.11 pkgsrc-2005Q1:1.11.0.2 pkgsrc-2005Q1-base:1.11 pkgsrc-2004Q4:1.10.0.10 pkgsrc-2004Q4-base:1.10 pkgsrc-2004Q3:1.10.0.8 pkgsrc-2004Q3-base:1.10 pkgsrc-2004Q2:1.10.0.6 pkgsrc-2004Q2-base:1.10 pkgsrc-2004Q1:1.10.0.4 pkgsrc-2004Q1-base:1.10 pkgsrc-2003Q4:1.10.0.2 pkgsrc-2003Q4-base:1.10 netbsd-1-6-1:1.9.0.2 netbsd-1-6-1-base:1.9 netbsd-1-6:1.8.0.4 netbsd-1-6-RELEASE-base:1.8 pkgviews:1.7.0.4 pkgviews-base:1.7 buildlink2:1.7.0.2 buildlink2-base:1.8 netbsd-1-5-PATCH003:1.7 netbsd-1-4-PATCH002:1.4 comdex-fall-1999:1.2 netbsd-1-4-PATCH001:1.1.1.1 netbsd-1-4-RELEASE:1.1.1.1 pkgsrc-base:1.1.1.1 TNF:1.1.1; locks; strict; comment @# @; 1.13 date 2008.07.14.03.52.54; author tnn; state dead; branches; next 1.12; 1.12 date 2008.06.03.21.39.40; author tonnerre; state Exp; branches; next 1.11; 1.11 date 2004.12.24.22.02.38; author jlam; state dead; branches 1.11.26.1; next 1.10; 1.10 date 2003.10.02.02.34.40; author jschauma; state Exp; branches; next 1.9; 1.9 date 2002.08.25.19.23.18; author jlam; state Exp; branches; next 1.8; 1.8 date 2002.08.04.15.47.46; author fredb; state Exp; branches; next 1.7; 1.7 date 2001.07.11.01.26.10; author wiz; state Exp; branches 1.7.2.1; next 1.6; 1.6 date 2000.05.10.12.28.40; author veego; state dead; branches; next 1.5; 1.5 date 2000.04.21.02.15.40; author explorer; state Exp; branches; next 1.4; 1.4 date 2000.02.05.04.41.15; author wiz; state Exp; branches; next 1.3; 1.3 date 99.11.25.18.51.47; author erh; state Exp; branches; next 1.2; 1.2 date 99.10.19.04.09.19; author erh; state Exp; branches; next 1.1; 1.1 date 99.04.30.15.19.13; author tv; state Exp; branches 1.1.1.1; next ; 1.11.26.1 date 2008.06.05.12.24.00; author rtr; state Exp; branches; next ; 1.7.2.1 date 2002.08.22.11.12.27; author jlam; state Exp; branches; next ; 1.1.1.1 date 99.04.30.15.19.13; author tv; state Exp; branches; next ; desc @@ 1.13 log @Update to openssl-0.9.8h. Changes from 0.9.8g: Two crashes discovered using the Codenomicon TLS test suite, as reported in CVE-2008-0891 and CVE-2008-1672, were fixed. The root CA certificates of commercial CAs were removed from the distribution. Functions were added to implement RFC3394 compatible AES key wrapping. Utility functions to handle ASN1 structures were added. The certificate status request TLS extension, as defined in RFC3546, was implemented. Several other bugfixes and enhancements were made. @ text @$NetBSD: patch-ab,v 1.12 2008/06/03 21:39:40 tonnerre Exp $ --- ssl/s3_clnt.c.orig 2007-08-31 02:28:51.000000000 +0200 +++ ssl/s3_clnt.c @@@@ -1967,6 +1967,13 @@@@ int ssl3_send_client_key_exchange(SSL *s { DH *dh_srvr,*dh_clnt; + if (s->session->sess_cert == NULL) + { + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); + goto err; + } + if (s->session->sess_cert->peer_dh_tmp != NULL) dh_srvr=s->session->sess_cert->peer_dh_tmp; else @ 1.12 log @Fix two Denial of Service vulnerabilities in OpenSSL 0.9.8g: - Fix flaw if 'Server Key exchange message' is omitted from a TLS handshake which could lead to a silent crash. - Fix double free in TLS server name extensions which could lead to a remote crash. Patches from upstream. @ text @d1 1 a1 1 $NetBSD$ @ 1.11 log @Update security/openssl to 0.9.7e. Changes from openssl-0.9.6m are too numerous to be listed here, but include adding a new DES API (support for the old one is still present). Changes to the pkgsrc structure include: * Install the shared libraries with a version number that matches the OpenSSL version number * Move some of the less often-used c_* utilities back into the examples directory. * Drop support for using the RSAREF library and always use the built-in RSA code instead. @ text @d1 1 a1 1 $NetBSD: patch-ab,v 1.10 2003/10/02 02:34:40 jschauma Exp $ d3 5 a7 8 --- crypto/opensslv.h.orig Tue Jul 30 05:34:28 2002 +++ crypto/opensslv.h @@@@ -79,7 +79,7 @@@@ * should only keep the versions that are binary compatible with the current. */ #define SHLIB_VERSION_HISTORY "" -#define SHLIB_VERSION_NUMBER "0.9.6" +#define SHLIB_VERSION_NUMBER "300.1" d9 10 a18 2 #endif /* HEADER_OPENSSLV_H */ @ 1.11.26.1 log @pullup ticket #2414 - requested by tonnerre openssl: DoS and double free fixes revisions pulled up: - pkgsrc/security/openssl/Makefile 1.132 - pkgsrc/security/openssl/distinfo 1.60 - pkgsrc/security/openssl/patches/patch-ab 1.12 - pkgsrc/security/openssl/patches/patch-ah 1.8 Module Name: pkgsrc Committed By: tonnerre Date: Tue Jun 3 21:39:40 UTC 2008 Modified Files: pkgsrc/security/openssl: Makefile distinfo Added Files: pkgsrc/security/openssl/patches: patch-ab patch-ah Log Message: Fix two Denial of Service vulnerabilities in OpenSSL 0.9.8g: - Fix flaw if 'Server Key exchange message' is omitted from a TLS handshake which could lead to a silent crash. - Fix double free in TLS server name extensions which could lead to a remote crash. Patches from upstream. @ text @d1 1 a1 1 $NetBSD: patch-ab,v 1.12 2008/06/03 21:39:40 tonnerre Exp $ d3 8 a10 5 --- ssl/s3_clnt.c.orig 2007-08-31 02:28:51.000000000 +0200 +++ ssl/s3_clnt.c @@@@ -1967,6 +1967,13 @@@@ int ssl3_send_client_key_exchange(SSL *s { DH *dh_srvr,*dh_clnt; d12 2 a13 10 + if (s->session->sess_cert == NULL) + { + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); + SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); + goto err; + } + if (s->session->sess_cert->peer_dh_tmp != NULL) dh_srvr=s->session->sess_cert->peer_dh_tmp; else @ 1.10 log @Update to 0.9.6k: Changes between 0.9.6j and 0.9.6k [30 Sep 2003] *) Fix various bugs revealed by running the NISCC test suite: Stop out of bounds reads in the ASN1 code when presented with invalid tags (CAN-2003-0543 and CAN-2003-0544). If verify callback ignores invalid public key errors don't try to check certificate signature with the NULL public key. [Steve Henson] *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate if the server requested one: as stated in TLS 1.0 and SSL 3.0 specifications. [Steve Henson] *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional extra data after the compression methods not only for TLS 1.0 but also for SSL 3.0 (as required by the specification). [Bodo Moeller; problem pointed out by Matthias Loepfe] *) Change X509_certificate_type() to mark the key as exported/exportable when it's 512 *bits* long, not 512 bytes. [Richard Levitte] Changes between 0.9.6i and 0.9.6j [10 Apr 2003] *) Countermeasure against the Klima-Pokorny-Rosa extension of Bleichbacher's attack on PKCS #1 v1.5 padding: treat a protocol version number mismatch like a decryption error in ssl3_get_client_key_exchange (ssl/s3_srvr.c). [Bodo Moeller] *) Turn on RSA blinding by default in the default implementation to avoid a timing attack. Applications that don't want it can call RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING. They would be ill-advised to do so in most cases. [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller] *) Change RSA blinding code so that it works when the PRNG is not seeded (in this case, the secret RSA exponent is abused as an unpredictable seed -- if it is not unpredictable, there is no point in blinding anyway). Make RSA blinding thread-safe by remembering the creator's thread ID in rsa->blinding and having all other threads use local one-time blinding factors (this requires more computation than sharing rsa->blinding, but avoids excessive locking; and if an RSA object is not shared between threads, blinding will still be very fast). [Bodo Moeller] Changes between 0.9.6h and 0.9.6i [19 Feb 2003] *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked via timing by performing a MAC computation even if incorrrect block cipher padding has been found. This is a countermeasure against active attacks where the attacker has to distinguish between bad padding and a MAC verification error. (CAN-2003-0078) [Bodo Moeller; problem pointed out by Brice Canvel (EPFL), Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and Martin Vuagnoux (EPFL, Ilion)] Changes between 0.9.6g and 0.9.6h [5 Dec 2002] *) New function OPENSSL_cleanse(), which is used to cleanse a section of memory from it's contents. This is done with a counter that will place alternating values in each byte. This can be used to solve two issues: 1) the removal of calls to memset() by highly optimizing compilers, and 2) cleansing with other values than 0, since those can be read through on certain media, for example a swap space on disk. [Geoff Thorpe] *) Bugfix: client side session caching did not work with external caching, because the session->cipher setting was not restored when reloading from the external cache. This problem was masked, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (part of SSL_OP_ALL) was set. (Found by Steve Haslam .) [Lutz Jaenicke] *) Fix client_certificate (ssl/s2_clnt.c): The permissible total length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33. [Zeev Lieber ] *) Undo an undocumented change introduced in 0.9.6e which caused repeated calls to OpenSSL_add_all_ciphers() and OpenSSL_add_all_digests() to be ignored, even after calling EVP_cleanup(). [Richard Levitte] *) Change the default configuration reader to deal with last line not being properly terminated. [Richard Levitte] *) Change X509_NAME_cmp() so it applies the special rules on handling DN values that are of type PrintableString, as well as RDNs of type emailAddress where the value has the type ia5String. [stefank@@valicert.com via Richard Levitte] *) Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be the bitwise-OR of the two for use by the majority of applications wanting this behaviour, and update the docs. The documented behaviour and actual behaviour were inconsistent and had been changing anyway, so this is more a bug-fix than a behavioural change. [Geoff Thorpe, diagnosed by Nadav Har'El] *) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes). [Bodo Moeller] *) Fix initialization code race conditions in SSLv23_method(), SSLv23_client_method(), SSLv23_server_method(), SSLv2_method(), SSLv2_client_method(), SSLv2_server_method(), SSLv3_method(), SSLv3_client_method(), SSLv3_server_method(), TLSv1_method(), TLSv1_client_method(), TLSv1_server_method(), ssl2_get_cipher_by_char(), ssl3_get_cipher_by_char(). [Patrick McCormick , Bodo Moeller] *) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after the cached sessions are flushed, as the remove_cb() might use ex_data contents. Bug found by Sam Varshavchik (see [openssl.org #212]). [Geoff Thorpe, Lutz Jaenicke] *) Fix typo in OBJ_txt2obj which incorrectly passed the content length, instead of the encoding length to d2i_ASN1_OBJECT. [Steve Henson] @ text @d1 1 a1 1 $NetBSD: patch-ab,v 1.9 2002/08/25 19:23:18 jlam Exp $ @ 1.9 log @Merge changes in packages from the buildlink2 branch that have buildlink2.mk files back into the main trunk. @ text @d1 1 a1 1 $NetBSD: patch-ab,v 1.7.2.1 2002/08/22 11:12:27 jlam Exp $ d10 1 a10 1 +#define SHLIB_VERSION_NUMBER "300.0" @ 1.8 log @Update openssl to 0.9.6e. This update fixes multiple vulnerabilities, and also changes the ABI of "libcrypto" and "libssl". (So the shared library majors and buildlink requirements are bumped, too.) The code base is now synced perfectly with NetBSD HEAD and netbsd-1-6 branches as of 2002-08-04, the optimization levels are reduced to "-O2", but I've retained some of the processor optimization flags and different code path #defines in the "Configure" script, just to keep things interesting. The default "certs" directory on NetBSD is now "/etc/openssl/certs", to give continuity to those who find themselves using the package system's "openssl" after upgrading a package that formerly used the base system's. [Suggested by itojun.] The best way to avoid such problems, however, is to upgrade your base system *first*. I'm making use of the new and improved build system as much as possible. This gives us a cleaner way to make shared libraries and real man pages, but loses many of the symlinks to the openssl binary. I've culled items from the "CHANGES" file that appear to have security implications or are particularly interesting for NetBSD users, below. My comments are marked off with '===>'. ===> This is from the netbsd-20020804-patch *) Fix ASN1 checks. Check for overflow by comparing with LONG_MAX and get fix the header length calculation. [Florian Weimer , Alon Kantor (and others), Steve Henson] Changes between 0.9.6d and 0.9.6e [30 Jul 2002] *) New option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure that was added in OpenSSL 0.9.6d. As the countermeasure turned out to be incompatible with some broken SSL implementations, the new option is part of SSL_OP_ALL. SSL_OP_ALL is usually employed when compatibility with weird SSL implementations is desired (e.g. '-bugs' option to 's_client' and 's_server'), so the new option is automatically set in many applications. [Bodo Moeller] *) Changes in security patch: Changes marked "(CHATS)" were sponsored by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F30602-01-2-0537. *) Add various sanity checks to asn1_get_length() to reject the ASN1 length bytes if they exceed sizeof(long), will appear negative or the content length exceeds the length of the supplied buffer. [Steve Henson, Adi Stav , James Yonan ] *) Assertions for various potential buffer overflows, not known to happen in practice. [Ben Laurie (CHATS)] *) Various temporary buffers to hold ASCII versions of integers were too small for 64 bit platforms. (CAN-2002-0655) [Matthew Byng-Maddick and Ben Laurie (CHATS)> *) Remote buffer overflow in SSL3 protocol - an attacker could supply an oversized session ID to a client. (CAN-2002-0656) [Ben Laurie (CHATS)] *) Remote buffer overflow in SSL2 protocol - an attacker could supply an oversized client master key. (CAN-2002-0656) [Ben Laurie (CHATS)] Changes between 0.9.6c and 0.9.6d [9 May 2002] *) Implement a countermeasure against a vulnerability recently found in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment before application data chunks to avoid the use of known IVs with data potentially chosen by the attacker. [Bodo Moeller] Changes between 0.9.6a and 0.9.6b [9 Jul 2001] *) Change ssleay_rand_bytes (crypto/rand/md_rand.c) to avoid a SSLeay/OpenSSL PRNG weakness pointed out by Markku-Juhani O. Saarinen : PRNG state recovery was possible based on the output of one PRNG request appropriately sized to gain knowledge on 'md' followed by enough consecutive 1-byte PRNG requests to traverse all of 'state'. 1. When updating 'md_local' (the current thread's copy of 'md') during PRNG output generation, hash all of the previous 'md_local' value, not just the half used for PRNG output. 2. Make the number of bytes from 'state' included into the hash independent from the number of PRNG bytes requested. The first measure alone would be sufficient to avoid Markku-Juhani's attack. (Actually it had never occurred to me that the half of 'md_local' used for chaining was the half from which PRNG output bytes were taken -- I had always assumed that the secret half would be used.) The second measure makes sure that additional data from 'state' is never mixed into 'md_local' in small portions; this heuristically further strengthens the PRNG. [Bodo Moeller] *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5 RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5 when fixing the server behaviour for backwards-compatible 'client hello' messages. (Note that the attack is impractical against SSL 3.0 and TLS 1.0 anyway because length and version checking means that the probability of guessing a valid ciphertext is around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98 paper.) Before 0.9.5, the countermeasure (hide the error by generating a random 'decryption result') did not work properly because ERR_clear_error() was missing, meaning that SSL_get_error() would detect the supposedly ignored error. Both problems are now fixed. [Bodo Moeller] Changes between 0.9.6 and 0.9.6a [5 Apr 2001] ===> This is our ABI change. *) Rename 'des_encrypt' to 'des_encrypt1'. This avoids the clashes with des_encrypt() defined on some operating systems, like Solaris and UnixWare. [Richard Levitte] *) Don't use getenv in library functions when run as setuid/setgid. New function OPENSSL_issetugid(). [Ulf Moeller] *) Store verify_result within SSL_SESSION also for client side to avoid potential security hole. (Re-used sessions on the client side always resulted in verify_result==X509_V_OK, not using the original result of the server certificate verification.) [Lutz Jaenicke] ===> package doesn't doesn't do this. We'll bump major versions ===> as necessary. *) Make sure that shared libraries get the internal name engine with the full version number and not just 0. This should mark the shared libraries as not backward compatible. Of course, this should be changed again when we can guarantee backward binary compatibility. [Richard Levitte] *) Rework the system to generate shared libraries: - Make note of the expected extension for the shared libraries and if there is a need for symbolic links from for example libcrypto.so.0 to libcrypto.so.0.9.7. There is extended info in Configure for that. - Make as few rebuilds of the shared libraries as possible. - Still avoid linking the OpenSSL programs with the shared libraries. - When installing, install the shared libraries separately from the static ones. @ text @d1 1 a1 1 $NetBSD: patch-ab,v 1.7 2001/07/11 01:26:10 wiz Exp $ @ 1.7 log @Pull in security fix from basesrc by itojun. Commit message was: fix PRNG weakness. the workaround presented on bugtraq posting. Update to 0.9.6nb1. @ text @d1 1 a1 1 $NetBSD$ d3 8 a10 13 --- crypto/rand/md_rand.c.orig Mon Sep 11 14:42:39 2000 +++ crypto/rand/md_rand.c @@@@ -308,6 +308,7 @@@@ { static volatile int stirred_pool = 0; int i,j,k,st_num,st_idx; + int num_ceil; int ok; long md_c[2]; unsigned char local_md[MD_DIGEST_LENGTH]; @@@@ -328,6 +329,12 @@@@ } #endif a11 65 + if (num <= 0) + return 1; + + /* round upwards to multiple of MD_DIGEST_LENGTH/2 */ + num_ceil = (1 + (num-1)/(MD_DIGEST_LENGTH/2)) * (MD_DIGEST_LENGTH/2); + /* * (Based on the rand(3) manpage:) * @@@@ -409,11 +416,11 @@@@ md_c[1] = md_count[1]; memcpy(local_md, md, sizeof md); - state_index+=num; + state_index+=num_ceil; if (state_index > state_num) state_index %= state_num; - /* state[st_idx], ..., state[(st_idx + num - 1) % st_num] + /* state[st_idx], ..., state[(st_idx + num_ceil - 1) % st_num] * are now ours (but other threads may use them too) */ md_count[0] += 1; @@@@ -424,6 +431,7 @@@@ while (num > 0) { + /* num_ceil -= MD_DIGEST_LENGTH/2 */ j=(num >= MD_DIGEST_LENGTH/2)?MD_DIGEST_LENGTH/2:num; num-=j; MD_Init(&m); @@@@ -434,27 +442,28 @@@@ curr_pid = 0; } #endif - MD_Update(&m,&(local_md[MD_DIGEST_LENGTH/2]),MD_DIGEST_LENGTH/2); + MD_Update(&m,local_md,MD_DIGEST_LENGTH); MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c)); #ifndef PURIFY MD_Update(&m,buf,j); /* purify complains */ #endif - k=(st_idx+j)-st_num; + k=(st_idx+MD_DIGEST_LENGTH/2)-st_num; if (k > 0) { - MD_Update(&m,&(state[st_idx]),j-k); + MD_Update(&m,&(state[st_idx]),MD_DIGEST_LENGTH/2-k); MD_Update(&m,&(state[0]),k); } else - MD_Update(&m,&(state[st_idx]),j); + MD_Update(&m,&(state[st_idx]),MD_DIGEST_LENGTH/2); MD_Final(local_md,&m); - for (i=0; i= st_num) st_idx=0; + if (i < j) + *(buf++)=local_md[i+MD_DIGEST_LENGTH/2]; } } d13 1 @ 1.7.2.1 log @Merge changes from pkgsrc-current into the buildlink2 branch for the packages that have buildlink2.mk files. @ text @d1 1 a1 1 $NetBSD: patch-ab,v 1.8 2002/08/04 15:47:46 fredb Exp $ d3 13 a15 8 --- crypto/opensslv.h.orig Tue Jul 30 05:34:28 2002 +++ crypto/opensslv.h @@@@ -79,7 +79,7 @@@@ * should only keep the versions that are binary compatible with the current. */ #define SHLIB_VERSION_HISTORY "" -#define SHLIB_VERSION_NUMBER "0.9.6" +#define SHLIB_VERSION_NUMBER "300.0" d17 65 a82 1 #endif /* HEADER_OPENSSLV_H */ @ 1.6 log @Support to build it on Solaris. It would be easier to make that change if we support patches for one OPSYS but someone removed that from out tree. @ text @d1 5 a5 41 diff -ur openssl-0.9.5a/Configure work/openssl-0.9.5a/Configure --- Configure.sma Mon Mar 27 13:28:10 2000 +++ Configure Wed Apr 19 19:21:36 2000 @@@@ -274,9 +274,6 @@@@ "linux-mips", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::BN_LLONG:::", "linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::", "linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::SIXTY_FOUR_BIT_LONG::", -"NetBSD-sparc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::", -"NetBSD-m68", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::", -"NetBSD-x86", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:", "FreeBSD-elf", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", "FreeBSD", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}", "bsdi-gcc", "gcc:-O3 -ffast-math -DL_ENDIAN -DPERL5 -m486::(unknown)::RSA_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_bsdi_asm}", @@@@ -297,6 +294,20 @@@@ "aix-cc", "cc:-O -DAIX -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR:::", "aix-gcc", "gcc:-O3 -DAIX -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR:::", +# NetBSD +"NetBSD-alpha", "gcc:-DTERMIOS -O3 -Wall::(unknown)::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:", +"NetBSD-arm32", "gcc:-DTERMIOS -O3 -Wall -DL_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:", +"NetBSD-i386", "gcc:-DBN_ASM -DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_out_asm:", +"NetBSD-i386elf", "gcc:-DBN_ASM -DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_elf_asm:", +"NetBSD-m68k", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:", +"NetBSD-mipseb", "gcc:-DTERMIOS -O3 -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:", +"NetBSD-mipsel", "gcc:-DTERMIOS -O3 -Wall -DL_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:", +"NetBSD-ns32k", "gcc:-DTERMIOS -O3 -Wall -DL_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:", +"NetBSD-powerpc", "gcc:-DTERMIOS -O3 -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:", +"NetBSD-sparc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:", +"NetBSD-sparc64", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall::(unknown)::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC1:", +"NetBSD-vax", "gcc:-DTERMIOS -O3 -Wall -DL_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:", + # # Cray T90 (SDSC) # It's Big-endian, but the algorithms work properly when B_ENDIAN is NOT @@@@ -421,6 +432,7 @@@@ my $openssl_other_defines=""; my $libs=""; my $target=""; +my $xmakelib=""; my $options=""; foreach (@@ARGV) d7 7 a13 6 @@@@ -458,11 +470,12 @@@@ { $libs.= "-lRSAglue -lrsaref "; $flags.= "-DRSAref "; + $xmakelib=" libRSAglue.a"; $openssl_other_defines .= "#define RSAref\n"; d15 28 a42 1 elsif (/^[-+]/) d44 17 a60 2 - if (/^-[lL](.*)$/) + if (/^-([lLR]|Wl,)(.*)$/) d62 3 a64 1 $libs.=$_." "; d66 4 a69 1 @@@@ -626,14 +639,19 @@@@ d71 9 a79 21 if ($version =~ /(^[0-9]*)\.([0-9\.]*)/) { - $major=$1; - $minor=$2; +# XXX Openssl version is 0.9, not 1.0 + $major=1; + $minor=0; } open(IN,'$Makefile") || die "unable to create $Makefile:$!\n"; print OUT "### Generated automatically from Makefile.org by Configure.\n\n"; my $sdirs=0; +my $is_elf="0"; +if ($target =~ /.*elf.*/) { + $is_elf="1"; +} while () { chop; @@@@ -645,6 +663,7 @@@@ d82 1 a82 25 $sdirs = 0 unless /\\$/; + s/^IS_ELF=.*/IS_ELF=$is_elf/; s/^VERSION=.*/VERSION=$version/; s/^MAJOR=.*/MAJOR=$major/; s/^MINOR=.*/MINOR=$minor/; @@@@ -669,6 +688,19 @@@@ s/^PROCESSOR=.*/PROCESSOR= $processor/; s/^RANLIB=.*/RANLIB= $ranlib/; s/^PERL=.*/PERL= $perl/; + print OUT $_."\n"; + } +close(IN); +close(OUT); + +rename("crypto/Makefile.ssl", "crypto/Makefile.org") unless -e "crypto/Makefile.org"; +open(IN, 'crypto/Makefile.ssl") || die "unable to create crypto/Makefile.ssl:$!\n"; + +while () + { + chop; + s/^(.*)\${MAKELIB}(.*)$/$&$xmakelib/; print OUT $_."\n"; } close(IN); @ 1.5 log @upgrade to 0.9.5a @ text @@ 1.4 log @RCS tags added @ text @d1 4 a4 17 $NetBSD$ --- Configure.orig Wed Oct 20 18:41:27 1999 +++ Configure Thu Oct 21 00:05:25 1999 @@@@ -82,8 +82,9 @@@@ # -DB_ENDIAN slows things down on a sparc for md5, but helps sha1. # So the md5_locl.h file has an undef B_ENDIAN if sun is defined -#config-string CC : CFLAGS : LDFLAGS : special header file mods:bn_asm \ -# des_asm:bf_asm +#config-string CC : CFLAGS : unistd : thread cflag : LDFLAGS : \ +# bn_ops : bn_obj : des_obj : bf_obj : md5_obj : sha1_obj : cast_obj : \ +# rc4_obj : rmd160_obj : rc5_obj my %table=( #"b", "$tcc:$tflags::$tlib:$bits1:$tbn_mul::", #"bl-4c-2c", "$tcc:$tflags::$tlib:${bits1}BN_LLONG RC4_CHAR MD2_CHAR:$tbn_mul::", @@@@ -208,9 +209,6 @@@@ "linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_out_asm", d6 2 a7 1 "linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::::", d10 5 a14 5 -"NetBSD-x86", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG $x86_gcc_des $x86_gcc_opts:", "FreeBSD-elf", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_elf_asm", "FreeBSD", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_out_asm", "bsdi-gcc", "gcc:-O3 -ffast-math -DL_ENDIAN -DPERL5 -m486::(unknown)::RSA_LLONG $x86_gcc_des $x86_gcc_opts:$x86_bsdi_asm", @@@@ -228,6 +226,20 @@@@ d35 2 a36 2 @@@@ -345,6 +357,7 @@@@ my $depflags=""; d43 1 a43 1 @@@@ -377,10 +390,11 @@@@ d48 1 d57 1 a57 1 @@@@ -524,13 +538,19 @@@@ d70 1 d73 1 a73 2 +if ($target =~ /.*elf.*/) + { d75 1 a75 1 + } d79 1 a79 1 @@@@ -542,6 +562,7 @@@@ d87 9 a95 4 @@@@ -571,6 +592,19 @@@@ close(IN); close(OUT); d104 3 a106 39 + print OUT $_."\n"; + } +close(IN); +close(OUT); + print "CC =$cc\n"; print "CFLAG =$cflags\n"; print "EX_LIBS =$lflags\n"; @@@@ -747,30 +781,6 @@@@ $pwd =`pwd`; chop($pwd); } -print < -should be used instead of #include . -These new file locations allow installing the OpenSSL header -files in /usr/local/include/openssl/ and should help avoid -conflicts with other libraries. - -To compile programs that use the old form , -usually an additional compiler option will suffice: E.g., add - -I$prefix/include/openssl -or - -I$pwd/include/openssl -to the CFLAGS in the Makefile of the program that you want to compile -(and leave all the original -I...'s in place!). - -Please make sure that no old OpenSSL header files are around: -The include directory should now be empty except for the openssl -subdirectory. - -EOF print <<\EOF if (!$no_threads && !$threads); @ 1.3 log @Update openssl to 0.9.4. @ text @d1 1 @ 1.2 log @Make openssl compile whether or not RSAref is defined. @ text @d1 27 a27 17 $NetBSD: $ --- Configure.orig Mon Oct 18 21:46:47 1999 +++ Configure Mon Oct 18 22:28:19 1999 @@@@ -153,9 +153,6 @@@@ "linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_out_asm", "linux-mips", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wuninitialized:::BN_LLONG:", -"NetBSD-sparc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::", -"NetBSD-m68", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::", -"NetBSD-x86", "gcc:-DTERMIOS -D_ANSI_SOURCE -O3 -fomit-frame-pointer -m486 -Wall::BN_LLONG $x86_gcc_des $x86_gcc_opts:", #"FreeBSD", "gcc:-DTERMIOS -DL_ENDIAN -D_ANSI_SOURCE -fomit-frame-pointer -O3 -m486 -Wall::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_out_asm", "FreeBSD", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_out_asm", "FreeBSD-elf", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_elf_asm", @@@@ -172,6 +169,20 @@@@ "aix-cc", "cc:-O -DAIX -DB_ENDIAN::BN_LLONG RC4_CHAR:::", "aix-gcc", "gcc:-O2 -DAIX -DB_ENDIAN::BN_LLONG RC4_CHAR:::", d30 12 a41 12 +"NetBSD-alpha", "gcc:-DTERMIOS -O3 -Wall::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:::", +"NetBSD-arm32", "gcc:-DTERMIOS -O3 -Wall -DL_ENDIAN::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::", +"NetBSD-i386", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DBN_ASM::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_out_asm", +"NetBSD-i386elf", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DBN_ASM::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_elf_asm", +"NetBSD-m68k", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::", +"NetBSD-mipseb", "gcc:-DTERMIOS -O3 -Wall -DB_ENDIAN::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::", +"NetBSD-mipsel", "gcc:-DTERMIOS -O3 -Wall -DL_ENDIAN::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::", +"NetBSD-ns32k", "gcc:-DTERMIOS -O3 -Wall -DL_ENDIAN::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::", +"NetBSD-powerpc", "gcc:-DTERMIOS -O3 -Wall -DB_ENDIAN::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::", +"NetBSD-sparc", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::", +"NetBSD-sparc64", "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC1:::", +"NetBSD-vax", "gcc:-DTERMIOS -O3 -Wall -DL_ENDIAN::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::", d46 2 a47 2 @@@@ -282,19 +293,23 @@@@ my $flags=""; d50 2 a51 3 +my $usersaref=0; +my $xmakelib=" cd .. && csh \${MAKELIB} libcrypto.so.1.0 libcrypto.a"; + d54 7 a60 3 if ($_ =~ /^no-asm$/) { $no_asm=1; } elsif ($_ =~ /^-/) d62 2 a63 2 - if ($_ =~ /^-[lL](.*)$/) + if ($_ =~ /^-([lLR]|Wl,)(.*)$/) d67 9 a75 9 elsif ($_ =~ /^-D(.*)$/) { $flags.=$_." "; + $usersaref=1 if ($_ =~ /^-DRSAref(.*)$/); } elsif ($_ =~ /^-[fK](.*)$/) { @@@@ -321,6 +336,11 @@@@ } d78 5 a82 1 +if ($usersaref == 1) d84 1 a84 1 + $xmakelib.=" libRSAglue.a"; d86 1 a86 2 + if (!defined($table{$target})) d88 13 a100 6 &bad_target; @@@@ -370,6 +390,19 @@@@ # $rmd160_obj=$rmd160_enc; $cflags.=" -DRMD160_ASM"; } + d102 1 a102 1 +open(IN,'$Makefile") || die "unable to create $Makefile:$!\n"; @ 1.1 log @Initial revision @ text @d1 1 a1 1 $NetBSD$ d3 2 a4 2 --- Configure.orig Fri Mar 12 15:31:13 1999 +++ Configure Tue Apr 27 13:35:42 1999 d36 10 a45 1 @@@@ -288,7 +299,7 @@@@ d54 39 @ 1.1.1.1 log @Import OpenSSL 0.9.2b pkg, a package which finally updates and fixes many deficiencies in SSLeay. Intended to be a drop-in replacement for SSLeay (and still provides the command-prompt interface as "ssleay"). @ text @@