head 1.17; access; symbols pkgsrc-2014Q1:1.16.0.54 pkgsrc-2014Q1-base:1.16 pkgsrc-2013Q4:1.16.0.52 pkgsrc-2013Q4-base:1.16 pkgsrc-2013Q3:1.16.0.50 pkgsrc-2013Q3-base:1.16 pkgsrc-2013Q2:1.16.0.48 pkgsrc-2013Q2-base:1.16 pkgsrc-2013Q1:1.16.0.46 pkgsrc-2013Q1-base:1.16 pkgsrc-2012Q4:1.16.0.44 pkgsrc-2012Q4-base:1.16 pkgsrc-2012Q3:1.16.0.42 pkgsrc-2012Q3-base:1.16 pkgsrc-2012Q2:1.16.0.40 pkgsrc-2012Q2-base:1.16 pkgsrc-2012Q1:1.16.0.38 pkgsrc-2012Q1-base:1.16 pkgsrc-2011Q4:1.16.0.36 pkgsrc-2011Q4-base:1.16 pkgsrc-2011Q3:1.16.0.34 pkgsrc-2011Q3-base:1.16 pkgsrc-2011Q2:1.16.0.32 pkgsrc-2011Q2-base:1.16 pkgsrc-2011Q1:1.16.0.30 pkgsrc-2011Q1-base:1.16 pkgsrc-2010Q4:1.16.0.28 pkgsrc-2010Q4-base:1.16 pkgsrc-2010Q3:1.16.0.26 pkgsrc-2010Q3-base:1.16 pkgsrc-2010Q2:1.16.0.24 pkgsrc-2010Q2-base:1.16 pkgsrc-2010Q1:1.16.0.22 pkgsrc-2010Q1-base:1.16 pkgsrc-2009Q4:1.16.0.20 pkgsrc-2009Q4-base:1.16 pkgsrc-2009Q3:1.16.0.18 pkgsrc-2009Q3-base:1.16 pkgsrc-2009Q2:1.16.0.16 pkgsrc-2009Q2-base:1.16 pkgsrc-2009Q1:1.16.0.14 pkgsrc-2009Q1-base:1.16 pkgsrc-2008Q4:1.16.0.12 pkgsrc-2008Q4-base:1.16 pkgsrc-2008Q3:1.16.0.10 pkgsrc-2008Q3-base:1.16 cube-native-xorg:1.16.0.8 cube-native-xorg-base:1.16 pkgsrc-2008Q2:1.16.0.6 pkgsrc-2008Q2-base:1.16 cwrapper:1.16.0.4 pkgsrc-2008Q1:1.16.0.2 pkgsrc-2008Q1-base:1.16 pkgsrc-2007Q4:1.15.0.18 pkgsrc-2007Q4-base:1.15 pkgsrc-2007Q3:1.15.0.16 pkgsrc-2007Q3-base:1.15 pkgsrc-2007Q2:1.15.0.14 pkgsrc-2007Q2-base:1.15 pkgsrc-2007Q1:1.15.0.12 pkgsrc-2007Q1-base:1.15 pkgsrc-2006Q4:1.15.0.10 pkgsrc-2006Q4-base:1.15 pkgsrc-2006Q3:1.15.0.8 pkgsrc-2006Q3-base:1.15 pkgsrc-2006Q2:1.15.0.6 pkgsrc-2006Q2-base:1.15 pkgsrc-2006Q1:1.15.0.4 pkgsrc-2006Q1-base:1.15 pkgsrc-2005Q4:1.15.0.2 pkgsrc-2005Q4-base:1.15 pkgsrc-2005Q3:1.14.0.4 pkgsrc-2005Q3-base:1.14 pkgsrc-2005Q2:1.14.0.2 pkgsrc-2005Q2-base:1.14 pkgsrc-2005Q1:1.13.0.2 pkgsrc-2005Q1-base:1.13 pkgsrc-2004Q4:1.12.0.2 pkgsrc-2004Q4-base:1.12 pkgsrc-2004Q3:1.11.0.6 pkgsrc-2004Q3-base:1.11 pkgsrc-2004Q2:1.11.0.4 pkgsrc-2004Q2-base:1.11 pkgsrc-2004Q1:1.11.0.2 pkgsrc-2004Q1-base:1.11 pkgsrc-2003Q4:1.9.0.2 pkgsrc-2003Q4-base:1.9 netbsd-1-6-1:1.7.0.2 netbsd-1-6-1-base:1.7 buildlink2:1.6.0.2 netbsd-1-6:1.6.0.4 netbsd-1-6-RELEASE-base:1.6 buildlink2-base:1.6 netbsd-1-4-PATCH002:1.3 comdex-fall-1999:1.1.1.1 netbsd-1-4-PATCH001:1.1.1.1 netbsd-1-4-RELEASE:1.1.1.1 pkgsrc-base:1.1.1.1 TNF:1.1.1; locks; strict; comment @# @; 1.17 date 2014.04.02.12.11.35; author he; state dead; branches; next 1.16; commitid g3YIpigZLUt5x6vx; 1.16 date 2008.01.17.06.42.48; author tnn; state Exp; branches 1.16.54.1; next 1.15; 1.15 date 2005.10.11.17.19.21; author jlam; state Exp; branches; next 1.14; 1.14 date 2005.03.23.09.06.38; author jlam; state Exp; branches 1.14.4.1; next 1.13; 1.13 date 2004.12.24.22.02.38; author jlam; state Exp; branches; next 1.12; 1.12 date 2004.12.17.23.08.36; author wiz; state Exp; branches; next 1.11; 1.11 date 2004.03.26.06.54.30; author jlam; state Exp; branches; next 1.10; 1.10 date 2004.03.26.02.22.38; author wiz; state Exp; branches; next 1.9; 1.9 date 2003.09.10.01.57.07; author jlam; state Exp; branches; next 1.8; 1.8 date 2003.08.25.16.34.02; author jschauma; state Exp; branches; next 1.7; 1.7 date 2002.08.25.19.23.19; author jlam; state Exp; branches; next 1.6; 1.6 date 2002.08.04.15.47.46; author fredb; state Exp; branches 1.6.2.1; next 1.5; 1.5 date 2000.05.10.12.28.41; author veego; state dead; branches; next 1.4; 1.4 date 2000.04.22.05.07.03; author fredb; state Exp; branches; next 1.3; 1.3 date 2000.02.05.04.41.15; author wiz; state Exp; branches; next 1.2; 1.2 date 99.11.25.18.51.47; author erh; state Exp; branches; next 1.1; 1.1 date 99.04.30.15.19.13; author tv; state Exp; branches 1.1.1.1; next ; 1.16.54.1 date 2014.04.08.10.09.26; author tron; state dead; branches; next ; commitid znq8PwHLRSRRFRvx; 1.14.4.1 date 2005.10.13.13.21.08; author salo; state Exp; branches; next ; 1.6.2.1 date 2002.08.04.15.47.46; author jlam; state dead; branches; next 1.6.2.2; 1.6.2.2 date 2002.08.22.11.12.29; author jlam; state Exp; branches; next ; 1.1.1.1 date 99.04.30.15.19.13; author tv; state Exp; branches; next ; desc @@ 1.17 log @Rename all remaining patch-?? files using the newer naming convention. Add a fix for CVE-2014-0076: Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" by Yuval Yarom and Naomi Benger. Details can be obtained from: http://eprint.iacr.org/2014/140 Thanks to Yuval Yarom and Naomi Benger for discovering this flaw and to Yuval Yarom for supplying a fix. Fix from culled from http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=2198be3483259de374f91e57d247d0fc667aef29 Bump PKGREVISION. @ text @$NetBSD: patch-ad,v 1.16 2008/01/17 06:42:48 tnn Exp $ --- apps/Makefile.orig 2007-02-23 02:01:03.000000000 +0100 +++ apps/Makefile 2007-07-31 17:18:49.000000000 +0200 @@@@ -4,6 +4,7 @@@@ DIR= apps TOP= .. +EXAMPLEDIR= $(INSTALLTOP)/share/examples/openssl CC= cc INCLUDES= -I$(TOP) -I../include $(KRB5_INCLUDES) CFLAG= -g -static @@@@ -109,13 +110,13 @@@@ install: @@set -e; for i in $(SCRIPTS); \ do \ (echo installing $$i; \ - cp $$i $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \ - chmod 755 $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \ - mv -f $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i ); \ + cp $$i $(INSTALL_PREFIX)$(EXAMPLEDIR)/$$i.new; \ + chmod 755 $(INSTALL_PREFIX)$(EXAMPLEDIR)/$$i.new; \ + mv -f $(INSTALL_PREFIX)$(EXAMPLEDIR)/$$i.new $(INSTALL_PREFIX)$(EXAMPLEDIR)/$$i ); \ done - @@cp openssl.cnf $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \ - chmod 644 $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \ - mv -f $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf + @@cp openssl.cnf $(INSTALL_PREFIX)$(EXAMPLEDIR)/openssl.cnf.new; \ + chmod 644 $(INSTALL_PREFIX)$(EXAMPLEDIR)/openssl.cnf.new; \ + mv -f $(INSTALL_PREFIX)$(EXAMPLEDIR)/openssl.cnf.new $(INSTALL_PREFIX)$(EXAMPLEDIR)/openssl.cnf tags: ctags $(SRC) @ 1.16 log @Update to openssl-0.9.8g. Provided by Jukka Salmi in pkgsrc-wip. pkgsrc notes: o Tested on NetBSD/i386 (Jukka Salmi), Mac OSX 10.5 (Adrian Portelli), Linux (Jeremy C. Reed), Tru64 5.1b (tnn), HP-UX 11i (tnn). Because the Makefile system has been rewamped, other platforms may require fixes. Please test if you can. o OpenSSL can now be built with installation to DESTDIR. Overview of important changes since 0.9.7i: o Add gcc 4.2 support. o DTLS improvements. o RFC4507bis support. o TLS Extensions support. o RFC3779 support. o New cipher Camellia o Updated ECC cipher suite support. o New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free(). o Zlib compression usage fixes. o Major work on the BIGNUM library for higher efficiency and to make operations more streamlined and less contradictory. This is the result of a major audit of the BIGNUM library. o Addition of BIGNUM functions for fields GF(2^m) and NIST curves, to support the Elliptic Crypto functions. o Major work on Elliptic Crypto; ECDH and ECDSA added, including the use through EVP, X509 and ENGINE. o New ASN.1 mini-compiler that's usable through the OpenSSL configuration file. o Added support for ASN.1 indefinite length constructed encoding. o New PKCS#12 'medium level' API to manipulate PKCS#12 files. o Complete rework of shared library construction and linking programs with shared or static libraries, through a separate Makefile.shared. o Rework of the passing of parameters from one Makefile to another. o Changed ENGINE framework to load dynamic engine modules automatically from specifically given directories. o New structure and ASN.1 functions for CertificatePair. o Changed the key-generation and primality testing "progress" mechanism to take a structure that contains the ticker function and an argument. o New engine module: GMP (performs private key exponentiation). o New engine module: VIA PadLOck ACE extension in VIA C3 Nehemiah processors. o Added support for IPv6 addresses in certificate extensions. See RFC 1884, section 2.2. o Added support for certificate policy mappings, policy constraints and name constraints. o Added support for multi-valued AVAs in the OpenSSL configuration file. o Added support for multiple certificates with the same subject in the 'openssl ca' index file. o Make it possible to create self-signed certificates using 'openssl ca -selfsign'. o Make it possible to generate a serial number file with 'openssl ca -create_serial'. o New binary search functions with extended functionality. o New BUF functions. o New STORE structure and library to provide an interface to all sorts of data repositories. Supports storage of public and private keys, certificates, CRLs, numbers and arbitrary blobs. This library is unfortunately unfinished and unused withing OpenSSL. o New control functions for the error stack. o Changed the PKCS#7 library to support one-pass S/MIME processing. o New FIPS 180-2 algorithms (SHA-224, -256, -384 and -512). o New X509_VERIFY_PARAM structure to support parametrisation of X.509 path validation. o Change the default digest in 'openssl' commands from MD5 to SHA-1. o Added support for DTLS. o New BIGNUM blinding. o Added support for the RSA-PSS encryption scheme o Added support for the RSA X.931 padding. o Added support for files larger than 2GB. o Added alternate pkg-config files. @ text @d1 1 a1 1 $NetBSD$ @ 1.16.54.1 log @Pullup ticket #4359 - requested by obache security/openssl: security update Revisions pulled up: - security/openssl/Makefile 1.186-1.188 - security/openssl/distinfo 1.103-1.104 - security/openssl/patches/patch-Configure 1.1 - security/openssl/patches/patch-Makefile.org 1.1 - security/openssl/patches/patch-Makefile.shared 1.1 - security/openssl/patches/patch-aa deleted - security/openssl/patches/patch-ac deleted - security/openssl/patches/patch-ad deleted - security/openssl/patches/patch-ae deleted - security/openssl/patches/patch-af deleted - security/openssl/patches/patch-ag deleted - security/openssl/patches/patch-ak deleted - security/openssl/patches/patch-apps_Makefile 1.1 - security/openssl/patches/patch-config 1.1 - security/openssl/patches/patch-crypto_bn_bn__prime.pl 1.1 - security/openssl/patches/patch-tools_Makefile 1.1 --- Module Name: pkgsrc Committed By: he Date: Wed Apr 2 12:11:35 UTC 2014 Modified Files: pkgsrc/security/openssl: Makefile distinfo Added Files: pkgsrc/security/openssl/patches: patch-Configure patch-Makefile.org patch-Makefile.shared patch-apps_Makefile patch-config patch-crypto_bn_bn.h patch-crypto_bn_bn__lib.c patch-crypto_bn_bn__prime.pl patch-crypto_ec_ec2__mult.c patch-tools_Makefile Removed Files: pkgsrc/security/openssl/patches: patch-aa patch-ac patch-ad patch-ae patch-af patch-ag patch-ak Log Message: Rename all remaining patch-?? files using the newer naming convention. Add a fix for CVE-2014-0076: Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" by Yuval Yarom and Naomi Benger. Details can be obtained from: http://eprint.iacr.org/2014/140 Thanks to Yuval Yarom and Naomi Benger for discovering this flaw and to Yuval Yarom for supplying a fix. Fix from culled from http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=2198be3483259de374f 91e57d247d0fc667aef29 Bump PKGREVISION. --- Module Name: pkgsrc Committed By: obache Date: Tue Apr 8 02:48:38 UTC 2014 Modified Files: pkgsrc/security/openssl: Makefile Log Message: p5-Perl4-CoreLibs is not required for perl<5.16 --- Module Name: pkgsrc Committed By: obache Date: Tue Apr 8 06:20:44 UTC 2014 Modified Files: pkgsrc/security/openssl: Makefile distinfo Removed Files: pkgsrc/security/openssl/patches: patch-crypto_bn_bn.h patch-crypto_bn_bn__lib.c patch-crypto_ec_ec2__mult.c Log Message: Update openssl to 1.0.1g. (CVE-2014-0076 is already fixed in pkgsrc). OpenSSL CHANGES _______________ Changes between 1.0.1f and 1.0.1g [7 Apr 2014] *) A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley and Bodo Moeller for preparing the fix (CVE-2014-0160) [Adam Langley, Bodo Moeller] *) Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" by Yuval Yarom and Naomi Benger. Details can be obtained from: http://eprint.iacr.org/2014/140 Thanks to Yuval Yarom and Naomi Benger for discovering this flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076) [Yuval Yarom and Naomi Benger] *) TLS pad extension: draft-agl-tls-padding-03 Workaround for the "TLS hang bug" (see FAQ and opensslPR#2771): if the TLS client Hello record length value would otherwise be > 255 and less that 512 pad with a dummy extension containing zeroes so it is at least 512 bytes long. [Adam Langley, Steve Henson] @ text @d1 1 a1 1 $NetBSD: patch-ad,v 1.16 2008/01/17 06:42:48 tnn Exp $ @ 1.15 log @Update security/openssl to version 0.9.7h. This is a security vulnerability triggered update due to CAN-2005-2969. Changes from version 0.9.7f include: o Fix SSL 2.0 Rollback, CAN-2005-2969 o Allow use of fixed-length exponent on DSA signing o Default fixed-window RSA, DSA, DH private-key operations o More compilation issues fixed. o Adaptation to more modern Kerberos API. o Enhanced or corrected configuration for Solaris64, Mingw and Cygwin. o Enhanced x86_64 assembler BIGNUM module. o More constification. o Added processing of proxy certificates (RFC 3820). @ text @d3 6 a8 6 --- apps/Makefile.orig 2005-06-14 08:29:33.000000000 -0400 +++ apps/Makefile @@@@ -10,6 +10,7 @@@@ CFLAG= -g -static INSTALL_PREFIX= INSTALLTOP= /usr/local/ssl OPENSSLDIR= /usr/local/ssl d10 5 a14 5 MAKEDEPPROG= makedepend MAKEDEPEND= $(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG) MAKEFILE= Makefile @@@@ -115,13 +116,13 @@@@ install: @@for i in $(SCRIPTS); \ @ 1.14 log @Update security/openssl to openssl-0.9.7f. Pkgsrc changes from version 0.9.7e include: *) Install the man pages with names that are less likely to collide with other packages' man pages. *) Support PKG_OPTIONS of "idea", "mdc2" and "rc5" to allow building with patented algorithms. By default, this package still builds without patented algorithms. Major changes from version 0.9.7e include: *) Prompt for pass phrases when appropriate for PKCS12 input format. *) Back-port of selected performance improvements from development branch, as well as improved support for PowerPC platforms. *) Add lots of checks for memory allocation failure, error codes to indicate failure and freeing up memory if a failure occurs. *) Add new -passin argument to dgst. *) Make an explicit check during certificate validation to see that the CA setting in each certificate on the chain is correct. @ text @d3 1 a3 1 --- apps/Makefile.orig 2005-03-12 07:15:19.000000000 -0500 d13 1 a13 1 @@@@ -106,13 +107,13 @@@@ install: @ 1.14.4.1 log @Pullup tickets 822 and 825 - requested by Johnny C. Lam security update for openssl Revisions pulled up: - pkgsrc/security/openssl/Makefile 1.107 - pkgsrc/security/openssl/PLIST.common 1.11 - pkgsrc/security/openssl/builtin.mk 1.16, 1.17 - pkgsrc/security/openssl/distinfo 1.46 - pkgsrc/security/openssl/patches/patch-aa 1.18 - pkgsrc/security/openssl/patches/patch-ac 1.28 - pkgsrc/security/openssl/patches/patch-ad 1.15 - pkgsrc/security/openssl/patches/patch-af 1.17 Module Name: pkgsrc Committed By: jlam Date: Tue Oct 11 17:19:21 UTC 2005 Modified Files: pkgsrc/security/openssl: Makefile PLIST.common distinfo pkgsrc/security/openssl/patches: patch-aa patch-ac patch-ad patch-af Log Message: Update security/openssl to version 0.9.7h. This is a security vulnerability triggered update due to CAN-2005-2969. Changes from version 0.9.7f include: o Fix SSL 2.0 Rollback, CAN-2005-2969 o Allow use of fixed-length exponent on DSA signing o Default fixed-window RSA, DSA, DH private-key operations o More compilation issues fixed. o Adaptation to more modern Kerberos API. o Enhanced or corrected configuration for Solaris64, Mingw and Cygwin. o Enhanced x86_64 assembler BIGNUM module. o More constification. o Added processing of proxy certificates (RFC 3820). --- Module Name: pkgsrc Committed By: jlam Date: Wed Oct 12 02:00:03 UTC 2005 Modified Files: pkgsrc/security/openssl: builtin.mk Log Message: Remove leading "-" from version number when matching the openssl-0.9.6g from the netbsd-1-6 branch with the 20040401 fix. --- Module Name: pkgsrc Committed By: jlam Date: Wed Oct 12 02:20:10 UTC 2005 Modified Files: pkgsrc/security/openssl: builtin.mk Log Message: If the native openssl-0.9.7d contains the security fixes pulled up to the netbsd-2-0, netbsd-2, and netbsd-3-0 branches on 2005-10-11, then for the purposes of satisfying dependencies, pretend it's openssl-0.9.7h. @ text @d1 1 a1 1 $NetBSD: patch-ad,v 1.15 2005/10/11 17:19:21 jlam Exp $ d3 1 a3 1 --- apps/Makefile.orig 2005-06-14 08:29:33.000000000 -0400 d13 1 a13 1 @@@@ -115,13 +116,13 @@@@ install: @ 1.13 log @Update security/openssl to 0.9.7e. Changes from openssl-0.9.6m are too numerous to be listed here, but include adding a new DES API (support for the old one is still present). Changes to the pkgsrc structure include: * Install the shared libraries with a version number that matches the OpenSSL version number * Move some of the less often-used c_* utilities back into the examples directory. * Drop support for using the RSAREF library and always use the built-in RSA code instead. @ text @d3 1 a3 1 --- apps/Makefile.orig 2004-08-10 05:09:07.000000000 -0400 a12 9 @@@@ -36,7 +37,7 @@@@ LIBSSL=-L.. -lssl PROGRAM= openssl -SCRIPTS=CA.sh CA.pl der_chop +SCRIPTS=CA.sh CA.pl EXE= $(PROGRAM)$(EXE_EXT) @ 1.12 log @Update to 0.9.6mnb2: Don't install (deprecated) der_chop example script, since it has insecure temp file handling. @ text @d1 1 a1 1 $NetBSD: patch-ad,v 1.11 2004/03/26 06:54:30 jlam Exp $ d3 11 a13 3 --- apps/Makefile.ssl.orig 2003-08-14 08:30:31.000000000 +0200 +++ apps/Makefile.ssl @@@@ -31,7 +31,7 @@@@ LIBSSL=-L.. -lssl d22 1 a22 1 @@@@ -100,11 +100,11 @@@@ install: d26 13 a38 10 - cp $$i $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i; \ - chmod 755 $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i ); \ - done - @@cp openssl.cnf $(INSTALL_PREFIX)$(OPENSSLDIR); \ - chmod 644 $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf + cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/share/examples/openssl/$$i; \ + chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/share/examples/openssl/$$i ); \ + done; + @@cp openssl.cnf $(INSTALL_PREFIX)$(INSTALLTOP)/share/examples/openssl/; \ + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/share/examples/openssl/openssl.cnf a41 9 @@@@ -138,7 +138,7 @@@@ $(PROGRAM): progs.h $(E_OBJ) $(PROGRAM). $(RM) $(PROGRAM) LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \ $(CC) -o $(PROGRAM) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(LIBSSL) $(LIBCRYPTO) $(EX_LIBS) - -(cd ..; OPENSSL="`pwd`/apps/openssl"; export OPENSSL; $(PERL) tools/c_rehash certs) + -(cd ..; LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH; export LD_LIBRARY_PATH; OPENSSL="`pwd`/apps/openssl"; export OPENSSL; $(PERL) tools/c_rehash certs) progs.h: progs.pl $(PERL) progs.pl $(E_EXE) >progs.h @ 1.11 log @Allow the rehash of the certs database to not error out during the build due to libssl.so.300 not being found by correctly setting LD_LIBRARY_PATH. @ text @d1 1 a1 1 $NetBSD$ d3 1 a3 1 --- apps/Makefile.ssl.orig Thu Aug 14 02:30:31 2003 d5 9 @ 1.10 log @Update to 0.9.6m: Changes between 0.9.6l and 0.9.6m [17 Mar 2004] *) Fix null-pointer assignment in do_change_cipher_spec() revealed by using the Codenomicon TLS Test Tool (CAN-2004-0079) [Joe Orton, Steve Henson] @ text @d3 1 a3 1 --- apps/Makefile.ssl.orig Thu Aug 14 08:30:31 2003 d22 9 @ 1.9 log @Back out the make -> @@MAKE@@ -> ${MAKE} changes since we workaround the bare "make" problem using tools.mk. @ text @d1 1 a1 1 $NetBSD: patch-ad,v 1.8 2003/08/25 16:34:02 jschauma Exp $ d3 3 a5 3 --- apps/Makefile.ssl.orig Thu Aug 8 14:13:36 2002 +++ apps/Makefile.ssl Sun Aug 24 15:50:06 2003 @@@@ -99,11 +99,11 @@@@ @ 1.8 log @Several of the Makefile used in this package call 'make' directly. If an operating system does not have a 'make' (ie only bmake), or if the OS supplied 'make' is sufficiently broken (Irix), this will cause the build to fail (interestingly enough apparently only if build as a dependency, not if build from this directory). Patch Makefiles to use @@MAKE@@, which then, after patching, is substituted with the actual ${MAKE} (can't use "MAKE= ${MAKE} -f Makefile.ssl"). While here, tweak Irix configure a bit. @ text @d1 1 a1 1 $NetBSD: $ a4 9 @@@@ -10,7 +10,7 @@@@ INSTALL_PREFIX= INSTALLTOP= /usr/local/ssl OPENSSLDIR= /usr/local/ssl -MAKE= make -f Makefile.ssl +MAKE= @@MAKE@@ -f Makefile.ssl MAKEDEPEND= $(TOP)/util/domd $(TOP) MAKEFILE= Makefile.ssl PERL= perl @ 1.7 log @Merge changes in packages from the buildlink2 branch that have buildlink2.mk files back into the main trunk. @ text @d1 1 a1 1 $NetBSD: patch-ad,v 1.6.2.1 2002/08/22 11:12:29 jlam Exp $ d3 12 a14 3 --- apps/Makefile.ssl.orig Tue Jul 30 04:29:57 2002 +++ apps/Makefile.ssl @@@@ -99,11 +100,11 @@@@ @ 1.6 log @Update openssl to 0.9.6e. This update fixes multiple vulnerabilities, and also changes the ABI of "libcrypto" and "libssl". (So the shared library majors and buildlink requirements are bumped, too.) The code base is now synced perfectly with NetBSD HEAD and netbsd-1-6 branches as of 2002-08-04, the optimization levels are reduced to "-O2", but I've retained some of the processor optimization flags and different code path #defines in the "Configure" script, just to keep things interesting. The default "certs" directory on NetBSD is now "/etc/openssl/certs", to give continuity to those who find themselves using the package system's "openssl" after upgrading a package that formerly used the base system's. [Suggested by itojun.] The best way to avoid such problems, however, is to upgrade your base system *first*. I'm making use of the new and improved build system as much as possible. This gives us a cleaner way to make shared libraries and real man pages, but loses many of the symlinks to the openssl binary. I've culled items from the "CHANGES" file that appear to have security implications or are particularly interesting for NetBSD users, below. My comments are marked off with '===>'. ===> This is from the netbsd-20020804-patch *) Fix ASN1 checks. Check for overflow by comparing with LONG_MAX and get fix the header length calculation. [Florian Weimer , Alon Kantor (and others), Steve Henson] Changes between 0.9.6d and 0.9.6e [30 Jul 2002] *) New option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure that was added in OpenSSL 0.9.6d. As the countermeasure turned out to be incompatible with some broken SSL implementations, the new option is part of SSL_OP_ALL. SSL_OP_ALL is usually employed when compatibility with weird SSL implementations is desired (e.g. '-bugs' option to 's_client' and 's_server'), so the new option is automatically set in many applications. [Bodo Moeller] *) Changes in security patch: Changes marked "(CHATS)" were sponsored by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F30602-01-2-0537. *) Add various sanity checks to asn1_get_length() to reject the ASN1 length bytes if they exceed sizeof(long), will appear negative or the content length exceeds the length of the supplied buffer. [Steve Henson, Adi Stav , James Yonan ] *) Assertions for various potential buffer overflows, not known to happen in practice. [Ben Laurie (CHATS)] *) Various temporary buffers to hold ASCII versions of integers were too small for 64 bit platforms. (CAN-2002-0655) [Matthew Byng-Maddick and Ben Laurie (CHATS)> *) Remote buffer overflow in SSL3 protocol - an attacker could supply an oversized session ID to a client. (CAN-2002-0656) [Ben Laurie (CHATS)] *) Remote buffer overflow in SSL2 protocol - an attacker could supply an oversized client master key. (CAN-2002-0656) [Ben Laurie (CHATS)] Changes between 0.9.6c and 0.9.6d [9 May 2002] *) Implement a countermeasure against a vulnerability recently found in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment before application data chunks to avoid the use of known IVs with data potentially chosen by the attacker. [Bodo Moeller] Changes between 0.9.6a and 0.9.6b [9 Jul 2001] *) Change ssleay_rand_bytes (crypto/rand/md_rand.c) to avoid a SSLeay/OpenSSL PRNG weakness pointed out by Markku-Juhani O. Saarinen : PRNG state recovery was possible based on the output of one PRNG request appropriately sized to gain knowledge on 'md' followed by enough consecutive 1-byte PRNG requests to traverse all of 'state'. 1. When updating 'md_local' (the current thread's copy of 'md') during PRNG output generation, hash all of the previous 'md_local' value, not just the half used for PRNG output. 2. Make the number of bytes from 'state' included into the hash independent from the number of PRNG bytes requested. The first measure alone would be sufficient to avoid Markku-Juhani's attack. (Actually it had never occurred to me that the half of 'md_local' used for chaining was the half from which PRNG output bytes were taken -- I had always assumed that the secret half would be used.) The second measure makes sure that additional data from 'state' is never mixed into 'md_local' in small portions; this heuristically further strengthens the PRNG. [Bodo Moeller] *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5 RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5 when fixing the server behaviour for backwards-compatible 'client hello' messages. (Note that the attack is impractical against SSL 3.0 and TLS 1.0 anyway because length and version checking means that the probability of guessing a valid ciphertext is around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98 paper.) Before 0.9.5, the countermeasure (hide the error by generating a random 'decryption result') did not work properly because ERR_clear_error() was missing, meaning that SSL_get_error() would detect the supposedly ignored error. Both problems are now fixed. [Bodo Moeller] Changes between 0.9.6 and 0.9.6a [5 Apr 2001] ===> This is our ABI change. *) Rename 'des_encrypt' to 'des_encrypt1'. This avoids the clashes with des_encrypt() defined on some operating systems, like Solaris and UnixWare. [Richard Levitte] *) Don't use getenv in library functions when run as setuid/setgid. New function OPENSSL_issetugid(). [Ulf Moeller] *) Store verify_result within SSL_SESSION also for client side to avoid potential security hole. (Re-used sessions on the client side always resulted in verify_result==X509_V_OK, not using the original result of the server certificate verification.) [Lutz Jaenicke] ===> package doesn't doesn't do this. We'll bump major versions ===> as necessary. *) Make sure that shared libraries get the internal name engine with the full version number and not just 0. This should mark the shared libraries as not backward compatible. Of course, this should be changed again when we can guarantee backward binary compatibility. [Richard Levitte] *) Rework the system to generate shared libraries: - Make note of the expected extension for the shared libraries and if there is a need for symbolic links from for example libcrypto.so.0 to libcrypto.so.0.9.7. There is extended info in Configure for that. - Make as few rebuilds of the shared libraries as possible. - Still avoid linking the OpenSSL programs with the shared libraries. - When installing, install the shared libraries separately from the static ones. @ text @d1 1 a1 1 $NetBSD$ @ 1.6.2.1 log @file patch-ad was added on branch buildlink2 on 2002-08-22 11:12:29 +0000 @ text @d1 21 @ 1.6.2.2 log @Merge changes from pkgsrc-current into the buildlink2 branch for the packages that have buildlink2.mk files. @ text @a0 21 $NetBSD: patch-ad,v 1.6.2.1 2002/08/22 11:12:29 jlam Exp $ --- apps/Makefile.ssl.orig Tue Jul 30 04:29:57 2002 +++ apps/Makefile.ssl @@@@ -99,11 +100,11 @@@@ @@for i in $(SCRIPTS); \ do \ (echo installing $$i; \ - cp $$i $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i; \ - chmod 755 $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i ); \ - done - @@cp openssl.cnf $(INSTALL_PREFIX)$(OPENSSLDIR); \ - chmod 644 $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf + cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/share/examples/openssl/$$i; \ + chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/share/examples/openssl/$$i ); \ + done; + @@cp openssl.cnf $(INSTALL_PREFIX)$(INSTALLTOP)/share/examples/openssl/; \ + chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/share/examples/openssl/openssl.cnf tags: ctags $(SRC) @ 1.5 log @Support to build it on Solaris. It would be easier to make that change if we support patches for one OPSYS but someone removed that from out tree. @ text @d1 1 a1 1 $NetBSD: patch-ad,v 1.4 2000/04/22 05:07:03 fredb Exp $ d3 16 a18 13 --- Makefile.org.orig Thu Mar 16 13:46:20 2000 +++ Makefile.org Fri Apr 21 23:43:06 2000 @@@@ -48,6 +48,7 @@@@ CC= gcc #CFLAG= -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM CFLAG= -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM +IS_ELF=0 DEPFLAG= PEX_LIBS= -L. -L.. -L../.. -L../../.. EX_LIBS= @@@@ -142,7 +143,7 @@@@ #RMD160_ASM_OBJ= asm/rm86-out.o # a.out, FreeBSD #RMD160_ASM_OBJ= asm/rm86bsdi.o # bsdi d20 2 a21 14 -DIRS= crypto ssl rsaref apps test tools +DIRS= rsaref crypto ssl apps test tools SHLIBDIRS= crypto ssl # dirs in crypto to build @@@@ -179,7 +180,7 @@@@ @@for i in $(DIRS) ;\ do \ (cd $$i && echo "making all in $$i..." && \ - $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' SDIRS='${SDIRS}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' all ) || exit 1; \ + $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' SDIRS='${SDIRS}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' MAJOR='${MAJOR}' MINOR='${MINOR}' IS_ELF='${IS_ELF}' all ) || exit 1; \ done -@@# cd crypto; $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' SDIRS='${SDIRS}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' testapps -@@# cd perl; $(PERL) Makefile.PL; make @ 1.4 log @Defuzz patches. @ text @d1 1 a1 1 $NetBSD$ @ 1.3 log @RCS tags added @ text @d2 4 a5 3 --- Makefile.org.orig Wed Oct 20 19:34:31 1999 +++ Makefile.org Wed Oct 20 19:48:25 1999 @@@@ -50,6 +50,7 @@@@ d22 1 a22 1 @@@@ -178,7 +179,7 @@@@ d29 1 a30 1 @ 1.2 log @Update openssl to 0.9.4. @ text @d1 1 @ 1.1 log @Initial revision @ text @d1 11 a11 5 $NetBSD$ --- Makefile.org.orig Tue Apr 27 14:34:38 1999 +++ Makefile.org Tue Apr 27 14:34:53 1999 @@@@ -126,7 +126,7 @@@@ d17 2 d20 9 a28 2 SDIRS= \ md2 md5 sha mdc2 hmac ripemd \ @ 1.1.1.1 log @Import OpenSSL 0.9.2b pkg, a package which finally updates and fixes many deficiencies in SSLeay. Intended to be a drop-in replacement for SSLeay (and still provides the command-prompt interface as "ssleay"). @ text @@