head 1.27; access; symbols pkgsrc-2014Q1:1.26.0.4 pkgsrc-2014Q1-base:1.26 pkgsrc-2013Q4:1.26.0.2 pkgsrc-2013Q4-base:1.26 pkgsrc-2013Q3:1.25.0.6 pkgsrc-2013Q3-base:1.25 pkgsrc-2013Q2:1.25.0.4 pkgsrc-2013Q2-base:1.25 pkgsrc-2013Q1:1.25.0.2 pkgsrc-2013Q1-base:1.25 pkgsrc-2012Q4:1.24.0.24 pkgsrc-2012Q4-base:1.24 pkgsrc-2012Q3:1.24.0.22 pkgsrc-2012Q3-base:1.24 pkgsrc-2012Q2:1.24.0.20 pkgsrc-2012Q2-base:1.24 pkgsrc-2012Q1:1.24.0.18 pkgsrc-2012Q1-base:1.24 pkgsrc-2011Q4:1.24.0.16 pkgsrc-2011Q4-base:1.24 pkgsrc-2011Q3:1.24.0.14 pkgsrc-2011Q3-base:1.24 pkgsrc-2011Q2:1.24.0.12 pkgsrc-2011Q2-base:1.24 pkgsrc-2011Q1:1.24.0.10 pkgsrc-2011Q1-base:1.24 pkgsrc-2010Q4:1.24.0.8 pkgsrc-2010Q4-base:1.24 pkgsrc-2010Q3:1.24.0.6 pkgsrc-2010Q3-base:1.24 pkgsrc-2010Q2:1.24.0.4 pkgsrc-2010Q2-base:1.24 pkgsrc-2010Q1:1.24.0.2 pkgsrc-2010Q1-base:1.24 pkgsrc-2009Q4:1.23.0.2 pkgsrc-2009Q4-base:1.23 pkgsrc-2009Q3:1.22.0.6 pkgsrc-2009Q3-base:1.22 pkgsrc-2009Q2:1.22.0.4 pkgsrc-2009Q2-base:1.22 pkgsrc-2009Q1:1.22.0.2 pkgsrc-2009Q1-base:1.22 pkgsrc-2008Q4:1.21.0.12 pkgsrc-2008Q4-base:1.21 pkgsrc-2008Q3:1.21.0.10 pkgsrc-2008Q3-base:1.21 cube-native-xorg:1.21.0.8 cube-native-xorg-base:1.21 pkgsrc-2008Q2:1.21.0.6 pkgsrc-2008Q2-base:1.21 cwrapper:1.21.0.4 pkgsrc-2008Q1:1.21.0.2 pkgsrc-2008Q1-base:1.21 pkgsrc-2007Q4:1.20.0.4 pkgsrc-2007Q4-base:1.20 pkgsrc-2007Q3:1.20.0.2 pkgsrc-2007Q3-base:1.20 pkgsrc-2007Q2:1.19.0.2 pkgsrc-2007Q2-base:1.19 pkgsrc-2007Q1:1.18.0.10 pkgsrc-2007Q1-base:1.18 pkgsrc-2006Q4:1.18.0.8 pkgsrc-2006Q4-base:1.18 pkgsrc-2006Q3:1.18.0.6 pkgsrc-2006Q3-base:1.18 pkgsrc-2006Q2:1.18.0.4 pkgsrc-2006Q2-base:1.18 pkgsrc-2006Q1:1.18.0.2 pkgsrc-2006Q1-base:1.18 pkgsrc-2005Q4:1.17.0.2 pkgsrc-2005Q4-base:1.17 pkgsrc-2005Q3:1.16.0.4 pkgsrc-2005Q3-base:1.16 pkgsrc-2005Q2:1.16.0.2 pkgsrc-2005Q2-base:1.16 pkgsrc-2005Q1:1.15.0.2 pkgsrc-2005Q1-base:1.15 pkgsrc-2004Q4:1.12.0.2 pkgsrc-2004Q4-base:1.12 pkgsrc-2004Q3:1.11.0.4 pkgsrc-2004Q3-base:1.11 pkgsrc-2004Q2:1.11.0.2 pkgsrc-2004Q2-base:1.11 pkgsrc-2004Q1:1.10.0.2 pkgsrc-2004Q1-base:1.10 pkgsrc-2003Q4:1.8.0.2 pkgsrc-2003Q4-base:1.8 netbsd-1-6-1:1.6.0.2 netbsd-1-6-1-base:1.6 buildlink2:1.5.0.2 netbsd-1-6:1.5.0.4 netbsd-1-6-RELEASE-base:1.5 buildlink2-base:1.5 netbsd-1-4-PATCH002:1.2 comdex-fall-1999:1.1.1.1 netbsd-1-4-PATCH001:1.1.1.1 netbsd-1-4-RELEASE:1.1.1.1 pkgsrc-base:1.1.1.1 TNF:1.1.1; locks; strict; comment @# @; 1.27 date 2014.04.02.12.11.35; author he; state dead; branches; next 1.26; commitid g3YIpigZLUt5x6vx; 1.26 date 2013.10.02.19.59.31; author joerg; state Exp; branches 1.26.4.1; next 1.25; commitid o9TbdWKqFxBPYK7x; 1.25 date 2013.02.06.21.40.34; author jperkin; state Exp; branches; next 1.24; 1.24 date 2010.02.26.03.15.14; author taca; state Exp; branches; next 1.23; 1.23 date 2010.01.15.04.55.30; author taca; state Exp; branches 1.23.2.1; next 1.22; 1.22 date 2009.01.08.16.38.22; author tnn; state Exp; branches; next 1.21; 1.21 date 2008.01.17.06.42.48; author tnn; state Exp; branches 1.21.12.1; next 1.20; 1.20 date 2007.08.04.14.29.43; author tnn; state Exp; branches; next 1.19; 1.19 date 2007.04.26.21.11.05; author tron; state Exp; branches; next 1.18; 1.18 date 2005.12.27.23.40.04; author reed; state Exp; branches; next 1.17; 1.17 date 2005.10.11.17.19.21; author jlam; state Exp; branches; next 1.16; 1.16 date 2005.03.23.09.06.38; author jlam; state Exp; branches 1.16.4.1; next 1.15; 1.15 date 2005.02.20.05.42.51; author grant; state Exp; branches; next 1.14; 1.14 date 2004.12.31.17.34.10; author jlam; state Exp; branches; next 1.13; 1.13 date 2004.12.24.22.02.38; author jlam; state Exp; branches; next 1.12; 1.12 date 2004.12.19.02.48.32; author grant; state Exp; branches; next 1.11; 1.11 date 2004.04.25.20.36.11; author tv; state Exp; branches; next 1.10; 1.10 date 2004.03.26.08.13.24; author jlam; state Exp; branches; next 1.9; 1.9 date 2004.03.26.02.22.38; author wiz; state Exp; branches; next 1.8; 1.8 date 2003.09.10.01.57.07; author jlam; state Exp; branches; next 1.7; 1.7 date 2003.08.25.16.34.02; author jschauma; state Exp; branches; next 1.6; 1.6 date 2002.08.25.19.23.19; author jlam; state Exp; branches; next 1.5; 1.5 date 2002.08.10.04.50.33; author fredb; state Exp; branches 1.5.2.1; next 1.4; 1.4 date 2002.08.04.15.47.47; author fredb; state Exp; branches; next 1.3; 1.3 date 2000.05.10.12.28.42; author veego; state dead; branches; next 1.2; 1.2 date 99.11.25.18.51.47; author erh; state Exp; branches; next 1.1; 1.1 date 99.04.30.15.19.13; author tv; state Exp; branches 1.1.1.1; next ; 1.26.4.1 date 2014.04.08.10.09.26; author tron; state dead; branches; next ; commitid znq8PwHLRSRRFRvx; 1.23.2.1 date 2010.03.27.14.44.42; author tron; state Exp; branches; next ; 1.21.12.1 date 2009.01.08.18.11.26; author tron; state Exp; branches; next ; 1.16.4.1 date 2005.10.13.13.21.08; author salo; state Exp; branches; next ; 1.5.2.1 date 2002.08.10.04.50.33; author jlam; state dead; branches; next 1.5.2.2; 1.5.2.2 date 2002.08.22.11.12.32; author jlam; state Exp; branches; next ; 1.1.1.1 date 99.04.30.15.19.13; author tv; state Exp; branches; next ; desc @@ 1.27 log @Rename all remaining patch-?? files using the newer naming convention. Add a fix for CVE-2014-0076: Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" by Yuval Yarom and Naomi Benger. Details can be obtained from: http://eprint.iacr.org/2014/140 Thanks to Yuval Yarom and Naomi Benger for discovering this flaw and to Yuval Yarom for supplying a fix. Fix from culled from http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=2198be3483259de374f91e57d247d0fc667aef29 Bump PKGREVISION. @ text @$NetBSD: patch-af,v 1.26 2013/10/02 19:59:31 joerg Exp $ --- Makefile.org.orig 2013-02-11 15:26:04.000000000 +0000 +++ Makefile.org @@@@ -28,6 +28,7 @@@@ INSTALLTOP=/usr/local/ssl # Do not edit this manually. Use Configure --openssldir=DIR do change this! OPENSSLDIR=/usr/local/ssl +EXAMPLEDIR=$(INSTALLTOP)/share/examples/openssl # NO_IDEA - Define to build without the IDEA algorithm # NO_RC4 - Define to build without the RC4 algorithm @@@@ -157,7 +158,7 @@@@ TESTS = alltests MAKEFILE= Makefile -MANDIR=$(OPENSSLDIR)/man +MANDIR=$(INSTALLTOP)/$(PKGMANDIR) MAN1=1 MAN3=3 MANSUFFIX= @@@@ -174,6 +175,7 @@@@ SHARED_CRYPTO=libcrypto$(SHLIB_EXT) SHARED_SSL=libssl$(SHLIB_EXT) SHARED_LIBS= SHARED_LIBS_LINK_EXTS= +LIBRPATH=$(INSTALLTOP)/lib SHARED_LDFLAGS= GENERAL= Makefile @@@@ -537,7 +539,7 @@@@ dist: dist_pem_h: (cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean) -install: all install_docs install_sw +install: install_docs install_sw install_sw: @@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \ @@@@ -642,41 +644,56 @@@@ install_docs: @@pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \ here="`pwd`"; \ filecase=; \ - if [ "$(PLATFORM)" = "DJGPP" -o "$(PLATFORM)" = "Cygwin" -o "$(PLATFORM)" = "mingw" ]; then \ - filecase=-i; \ - fi; \ set -e; for i in doc/apps/*.pod; do \ fn=`basename $$i .pod`; \ sec=`$(PERL) util/extract-section.pl 1 < $$i`; \ - echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \ + case "$$fn" in \ + CA.pl|openssl) ofn="$$fn" ;; \ + *) ofn="openssl_$$fn" ;; \ + esac; \ + echo "installing man$$sec/$$ofn.$${sec}$(MANSUFFIX)"; \ (cd `$(PERL) util/dirname.pl $$i`; \ sh -c "$$pod2man \ --section=$$sec --center=OpenSSL \ --release=$(VERSION) `basename $$i`") \ - > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \ + > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$ofn.$${sec}$(MANSUFFIX); \ $(PERL) util/extract-names.pl < $$i | \ (grep -v $$filecase "^$$fn\$$"; true) | \ (grep -v "[ ]"; true) | \ (cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \ while read n; do \ - PLATFORM=$(PLATFORM) $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \ + case "$$n" in \ + CA.pl|openssl) on="$$n" ;; \ + *) on="openssl_$$n" ;; \ + esac; \ + PLATFORM=$(PLATFORM) $$here/util/point.sh $$ofn.$${sec}$(MANSUFFIX) "$$on".$${sec}$(MANSUFFIX); \ done); \ done; \ set -e; for i in doc/crypto/*.pod doc/ssl/*.pod; do \ fn=`basename $$i .pod`; \ sec=`$(PERL) util/extract-section.pl 3 < $$i`; \ - echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \ + case "$$fn" in \ + ui*) ofn="openssl_$$fn" ;; \ + [A-Z]*|*_*) ofn="$$fn" ;; \ + *) ofn="openssl_$$fn" ;; \ + esac; \ + echo "installing man$$sec/$$ofn.$${sec}$(MANSUFFIX)"; \ (cd `$(PERL) util/dirname.pl $$i`; \ sh -c "$$pod2man \ --section=$$sec --center=OpenSSL \ --release=$(VERSION) `basename $$i`") \ - > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \ + > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$ofn.$${sec}$(MANSUFFIX); \ $(PERL) util/extract-names.pl < $$i | \ (grep -v $$filecase "^$$fn\$$"; true) | \ (grep -v "[ ]"; true) | \ (cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \ while read n; do \ - PLATFORM=$(PLATFORM) $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \ + case "$$n" in \ + ui*) on="openssl_$$n" ;; \ + [A-Z]*|*_*) on="$$n" ;; \ + *) on="openssl_$$n" ;; \ + esac; \ + PLATFORM=$(PLATFORM) $$here/util/point.sh $$ofn.$${sec}$(MANSUFFIX) "$$on".$${sec}$(MANSUFFIX); \ done); \ done @ 1.26 log @Drop Windows specific parts to get results consistent with all other platforms for the man pages. @ text @d1 1 a1 1 $NetBSD: patch-af,v 1.25 2013/02/06 21:40:34 jperkin Exp $ @ 1.26.4.1 log @Pullup ticket #4359 - requested by obache security/openssl: security update Revisions pulled up: - security/openssl/Makefile 1.186-1.188 - security/openssl/distinfo 1.103-1.104 - security/openssl/patches/patch-Configure 1.1 - security/openssl/patches/patch-Makefile.org 1.1 - security/openssl/patches/patch-Makefile.shared 1.1 - security/openssl/patches/patch-aa deleted - security/openssl/patches/patch-ac deleted - security/openssl/patches/patch-ad deleted - security/openssl/patches/patch-ae deleted - security/openssl/patches/patch-af deleted - security/openssl/patches/patch-ag deleted - security/openssl/patches/patch-ak deleted - security/openssl/patches/patch-apps_Makefile 1.1 - security/openssl/patches/patch-config 1.1 - security/openssl/patches/patch-crypto_bn_bn__prime.pl 1.1 - security/openssl/patches/patch-tools_Makefile 1.1 --- Module Name: pkgsrc Committed By: he Date: Wed Apr 2 12:11:35 UTC 2014 Modified Files: pkgsrc/security/openssl: Makefile distinfo Added Files: pkgsrc/security/openssl/patches: patch-Configure patch-Makefile.org patch-Makefile.shared patch-apps_Makefile patch-config patch-crypto_bn_bn.h patch-crypto_bn_bn__lib.c patch-crypto_bn_bn__prime.pl patch-crypto_ec_ec2__mult.c patch-tools_Makefile Removed Files: pkgsrc/security/openssl/patches: patch-aa patch-ac patch-ad patch-ae patch-af patch-ag patch-ak Log Message: Rename all remaining patch-?? files using the newer naming convention. Add a fix for CVE-2014-0076: Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" by Yuval Yarom and Naomi Benger. Details can be obtained from: http://eprint.iacr.org/2014/140 Thanks to Yuval Yarom and Naomi Benger for discovering this flaw and to Yuval Yarom for supplying a fix. Fix from culled from http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=2198be3483259de374f 91e57d247d0fc667aef29 Bump PKGREVISION. --- Module Name: pkgsrc Committed By: obache Date: Tue Apr 8 02:48:38 UTC 2014 Modified Files: pkgsrc/security/openssl: Makefile Log Message: p5-Perl4-CoreLibs is not required for perl<5.16 --- Module Name: pkgsrc Committed By: obache Date: Tue Apr 8 06:20:44 UTC 2014 Modified Files: pkgsrc/security/openssl: Makefile distinfo Removed Files: pkgsrc/security/openssl/patches: patch-crypto_bn_bn.h patch-crypto_bn_bn__lib.c patch-crypto_ec_ec2__mult.c Log Message: Update openssl to 1.0.1g. (CVE-2014-0076 is already fixed in pkgsrc). OpenSSL CHANGES _______________ Changes between 1.0.1f and 1.0.1g [7 Apr 2014] *) A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley and Bodo Moeller for preparing the fix (CVE-2014-0160) [Adam Langley, Bodo Moeller] *) Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" by Yuval Yarom and Naomi Benger. Details can be obtained from: http://eprint.iacr.org/2014/140 Thanks to Yuval Yarom and Naomi Benger for discovering this flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076) [Yuval Yarom and Naomi Benger] *) TLS pad extension: draft-agl-tls-padding-03 Workaround for the "TLS hang bug" (see FAQ and opensslPR#2771): if the TLS client Hello record length value would otherwise be > 255 and less that 512 pad with a dummy extension containing zeroes so it is at least 512 bytes long. [Adam Langley, Steve Henson] @ text @d1 1 a1 1 $NetBSD: patch-af,v 1.26 2013/10/02 19:59:31 joerg Exp $ @ 1.25 log @Update OpenSSL to 1.0.1d. Changes are far too numerous to list, the main one being that we can now take advantage of AES-NI support in modern processors to significantly increase performance. Miscellaneous pkgsrc changes: - Remove unnecessary warning message on Solaris. - Fix RPATH for libgost.so. - MD2 support is optional, enabled by default for compatability. @ text @d1 1 a1 1 $NetBSD: patch-af,v 1.24 2010/02/26 03:15:14 taca Exp $ d3 1 a3 1 --- Makefile.org.orig 2012-04-22 13:25:19.000000000 +0000 d39 7 a45 1 @@@@ -648,35 +650,53 @@@@ install_docs: @ 1.24 log @Update openssl to 0.9.8m. The OpenSSL project team is pleased to announce the release of version 0.9.8m of our open source toolkit for SSL/TLS. This new OpenSSL version is a security and bugfix release which implements RFC5746 to address renegotiation vulnerabilities mentioned in CVE-2009-3555. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES. @ text @d1 1 a1 1 $NetBSD: patch-af,v 1.23 2010/01/15 04:55:30 taca Exp $ d3 1 a3 1 --- Makefile.org.orig 2010-01-27 16:06:36.000000000 +0000 d13 1 a13 12 @@@@ -132,8 +133,8 @@@@ FIPSCANLIB= BASEADDR= -DIRS= crypto fips ssl engines apps test tools -SHLIBDIRS= crypto ssl fips +DIRS= crypto ssl engines apps test tools # fips +SHLIBDIRS= crypto ssl # fips # dirs in crypto to build SDIRS= \ @@@@ -153,7 +154,7 @@@@ TESTS = alltests d22 2 a23 2 @@@@ -169,6 +170,7 @@@@ SHARED_SSL=libssl$(SHLIB_EXT) SHARED_FIPS= d30 1 a30 1 @@@@ -615,7 +617,7 @@@@ dist: d39 1 a39 1 @@@@ -695,35 +697,53 @@@@ install_docs: d60 1 a60 1 - $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \ d65 1 a65 1 + $$here/util/point.sh $$ofn.$${sec}$(MANSUFFIX) "$$on".$${sec}$(MANSUFFIX); \ d89 1 a89 1 - $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \ d95 1 a95 1 + $$here/util/point.sh $$ofn.$${sec}$(MANSUFFIX) "$$on".$${sec}$(MANSUFFIX); \ @ 1.23 log @Update openssl package to 0.9.8l, fixing security problem. Approved by agc@@. Changes between 0.9.8k and 0.9.8l [5 Nov 2009] *) Disable renegotiation completely - this fixes a severe security problem (CVE-2009-3555) at the cost of breaking all renegotiation. Renegotiation can be re-enabled by setting SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at run-time. This is really not recommended unless you know what you're doing. [Ben Laurie] @ text @d1 1 a1 1 $NetBSD: patch-af,v 1.22 2009/01/08 16:38:22 tnn Exp $ d3 1 a3 1 --- Makefile.org.orig 2009-03-03 22:40:29.000000000 +0000 d13 1 a13 1 @@@@ -131,8 +132,8 @@@@ FIPSCANLIB= d24 1 a24 1 @@@@ -152,7 +153,7 @@@@ TESTS = alltests d33 1 a33 1 @@@@ -168,6 +169,7 @@@@ SHARED_SSL=libssl$(SHLIB_EXT) d41 1 a41 10 @@@@ -200,7 +202,7 @@@@ BUILDENV= PLATFORM='${PLATFORM}' PROCESS CC='${CC}' CFLAG='${CFLAG}' \ AS='${CC}' ASFLAG='${CFLAG} -c' \ AR='${AR}' PERL='${PERL}' RANLIB='${RANLIB}' \ - SDIRS='${SDIRS}' LIBRPATH='${INSTALLTOP}/lib' \ + SDIRS='${SDIRS}' LIBRPATH='${LIBRPATH}' \ INSTALL_PREFIX='${INSTALL_PREFIX}' \ INSTALLTOP='${INSTALLTOP}' OPENSSLDIR='${OPENSSLDIR}' \ MAKEDEPEND='$$$${TOP}/util/domd $$$${TOP} -MD ${MAKEDEPPROG}' \ @@@@ -611,7 +613,7 @@@@ dist: d50 1 a50 12 @@@@ -619,9 +621,7 @@@@ install_sw: $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines \ $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig \ $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \ - $(INSTALL_PREFIX)$(OPENSSLDIR)/misc \ - $(INSTALL_PREFIX)$(OPENSSLDIR)/certs \ - $(INSTALL_PREFIX)$(OPENSSLDIR)/private + $(INSTALL_PREFIX)$(EXAMPLEDIR) @@set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ @@@@ -691,35 +691,53 @@@@ install_docs: @ 1.23.2.1 log @Pullup ticket #3065 - requested by taca openssl: security update Revisions pulled up: - security/openssl/Makefile 1.144-1.1.146 - security/openssl/PLIST.common 1.17 - security/openssl/distinfo 1.72-1.73 - security/openssl/patches/patch-aa 1.23 - security/openssl/patches/patch-ac 1.38 - security/openssl/patches/patch-af 1.24 - security/openssl/patches/patch-ax delete - security/openssl/patches/patch-ay delete - security/openssl/patches/patch-az delete - security/openssl/patches/patch-ba delete - security/openssl/patches/patch-bb delete - security/openssl/patches/patch-bc 1.1 --- Module Name: pkgsrc Committed By: taca Date: Fri Feb 26 03:15:14 UTC 2010 Modified Files: pkgsrc/security/openssl: Makefile distinfo pkgsrc/security/openssl/patches: patch-aa patch-ac patch-af Removed Files: pkgsrc/security/openssl/patches: patch-ax patch-ay patch-az patch-ba patch-bb Log Message: Update openssl to 0.9.8m. The OpenSSL project team is pleased to announce the release of version 0.9.8m of our open source toolkit for SSL/TLS. This new OpenSSL version is a security and bugfix release which implements RFC5746 to address renegotiation vulnerabilities mentioned in CVE-2009-3555. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES. --- Module Name: pkgsrc Committed By: taca Date: Mon Mar 1 08:15:40 UTC 2010 Modified Files: pkgsrc/security/openssl: Makefile PLIST.common Log Message: Fix broken PLIST. (I wonder why "make print-PLIST" generated wrong result before...") Bump PKGREVISION. --- Module Name: pkgsrc Committed By: taca Date: Fri Mar 26 00:20:49 UTC 2010 Modified Files: pkgsrc/security/openssl: Makefile distinfo Added Files: pkgsrc/security/openssl/patches: patch-bc Log Message: Add a patch for Fix for CVE-2010-0740, DoS problem. http://www.openssl.org/news/secadv_20100324.txt Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD$ d3 1 a3 1 --- Makefile.org.orig 2010-01-27 16:06:36.000000000 +0000 d13 1 a13 1 @@@@ -132,8 +133,8 @@@@ FIPSCANLIB= d24 1 a24 1 @@@@ -153,7 +154,7 @@@@ TESTS = alltests d33 1 a33 1 @@@@ -169,6 +170,7 @@@@ SHARED_SSL=libssl$(SHLIB_EXT) d41 10 a50 1 @@@@ -615,7 +617,7 @@@@ dist: d59 12 a70 1 @@@@ -695,35 +697,53 @@@@ install_docs: @ 1.22 log @Update to openssl-0.9.8j. Fixes CVE-2008-5077. Changes between 0.9.8i and 0.9.8j [07 Jan 2009] *) Properly check EVP_VerifyFinal() and similar return values (CVE-2008-5077). *) Allow the CHIL engine to be loaded, whether the application is multithreaded or not. (This does not release the developer from the obligation to set up the dynamic locking callbacks.) *) Use correct exit code if there is an error in dgst command. *) Tweak Configure so that you need to say "experimental-jpake" to enable JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications. *) Add experimental JPAKE support, including demo authentication in s_client and s_server. *) Set the comparison function in v3_addr_canonize(). *) Add support for XMPP STARTTLS in s_client. *) Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior to ensure that even with this option, only ciphersuites in the server's preference list will be accepted. (Note that the option applies only when resuming a session, so the earlier behavior was just about the algorithm choice for symmetric cryptography.) Changes between 0.9.8h and 0.9.8i [15 Sep 2008] *) Fix a state transitition in s3_srvr.c and d1_srvr.c (was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...). *) The fix in 0.9.8c that supposedly got rid of unsafe double-checked locking was incomplete for RSA blinding, addressing just one layer of what turns out to have been doubly unsafe triple-checked locking. So now fix this for real by retiring the MONT_HELPER macro in crypto/rsa/rsa_eay.c. *) Various precautionary measures: - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h). - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c). (NB: This would require knowledge of the secret session ticket key to exploit, in which case you'd be SOL either way.) - Change bn_nist.c so that it will properly handle input BIGNUMs outside the expected range. - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG builds. *) Allow engines to be "soft loaded" - i.e. optionally don't die if the load fails. Useful for distros. *) Add support for Local Machine Keyset attribute in PKCS#12 files. *) Fix BN_GF2m_mod_arr() top-bit cleanup code. *) Expand ENGINE to support engine supplied SSL client certificate functions. This work was sponsored by Logica. *) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows keystores. Support for SSL/TLS client authentication too. Not compiled unless enable-capieng specified to Configure. This work was sponsored by Logica. *) Fix bug in X509_ATTRIBUTE creation: dont set attribute using ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain attribute creation routines such as certifcate requests and PKCS#12 files. @ text @d1 1 a1 1 $NetBSD$ d3 1 a3 1 --- Makefile.org.orig 2008-12-30 14:26:26.000000000 +0100 d50 1 a50 1 @@@@ -608,7 +610,7 @@@@ dist: d59 1 a59 1 @@@@ -616,9 +618,7 @@@@ install_sw: d70 1 a70 1 @@@@ -688,35 +688,53 @@@@ install_docs: @ 1.21 log @Update to openssl-0.9.8g. Provided by Jukka Salmi in pkgsrc-wip. pkgsrc notes: o Tested on NetBSD/i386 (Jukka Salmi), Mac OSX 10.5 (Adrian Portelli), Linux (Jeremy C. Reed), Tru64 5.1b (tnn), HP-UX 11i (tnn). Because the Makefile system has been rewamped, other platforms may require fixes. Please test if you can. o OpenSSL can now be built with installation to DESTDIR. Overview of important changes since 0.9.7i: o Add gcc 4.2 support. o DTLS improvements. o RFC4507bis support. o TLS Extensions support. o RFC3779 support. o New cipher Camellia o Updated ECC cipher suite support. o New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free(). o Zlib compression usage fixes. o Major work on the BIGNUM library for higher efficiency and to make operations more streamlined and less contradictory. This is the result of a major audit of the BIGNUM library. o Addition of BIGNUM functions for fields GF(2^m) and NIST curves, to support the Elliptic Crypto functions. o Major work on Elliptic Crypto; ECDH and ECDSA added, including the use through EVP, X509 and ENGINE. o New ASN.1 mini-compiler that's usable through the OpenSSL configuration file. o Added support for ASN.1 indefinite length constructed encoding. o New PKCS#12 'medium level' API to manipulate PKCS#12 files. o Complete rework of shared library construction and linking programs with shared or static libraries, through a separate Makefile.shared. o Rework of the passing of parameters from one Makefile to another. o Changed ENGINE framework to load dynamic engine modules automatically from specifically given directories. o New structure and ASN.1 functions for CertificatePair. o Changed the key-generation and primality testing "progress" mechanism to take a structure that contains the ticker function and an argument. o New engine module: GMP (performs private key exponentiation). o New engine module: VIA PadLOck ACE extension in VIA C3 Nehemiah processors. o Added support for IPv6 addresses in certificate extensions. See RFC 1884, section 2.2. o Added support for certificate policy mappings, policy constraints and name constraints. o Added support for multi-valued AVAs in the OpenSSL configuration file. o Added support for multiple certificates with the same subject in the 'openssl ca' index file. o Make it possible to create self-signed certificates using 'openssl ca -selfsign'. o Make it possible to generate a serial number file with 'openssl ca -create_serial'. o New binary search functions with extended functionality. o New BUF functions. o New STORE structure and library to provide an interface to all sorts of data repositories. Supports storage of public and private keys, certificates, CRLs, numbers and arbitrary blobs. This library is unfortunately unfinished and unused withing OpenSSL. o New control functions for the error stack. o Changed the PKCS#7 library to support one-pass S/MIME processing. o New FIPS 180-2 algorithms (SHA-224, -256, -384 and -512). o New X509_VERIFY_PARAM structure to support parametrisation of X.509 path validation. o Change the default digest in 'openssl' commands from MD5 to SHA-1. o Added support for DTLS. o New BIGNUM blinding. o Added support for the RSA-PSS encryption scheme o Added support for the RSA X.931 padding. o Added support for files larger than 2GB. o Added alternate pkg-config files. @ text @d3 2 a4 2 --- Makefile.org.orig 2007-04-24 01:49:54.000000000 +0200 +++ Makefile.org 2007-10-28 12:44:05.000000000 +0100 d13 12 a24 1 @@@@ -125,7 +126,7 @@@@ TESTS = alltests d33 2 a34 2 @@@@ -140,6 +141,7 @@@@ SHARED_CRYPTO=libcrypto$(SHLIB_EXT) SHARED_SSL=libssl$(SHLIB_EXT) d41 1 a41 1 @@@@ -172,7 +174,7 @@@@ BUILDENV= PLATFORM='${PLATFORM}' PROCESS d50 1 a50 1 @@@@ -473,7 +475,7 @@@@ dist: d59 1 a59 1 @@@@ -481,9 +483,7 @@@@ install_sw: d70 1 a70 1 @@@@ -553,35 +553,53 @@@@ install_docs: @ 1.21.12.1 log @Pullup ticket #2628 - requested by tnn openssl: security update Revisions pulled up: - security/openssl/Makefile 1.137 - security/openssl/PLIST.common 1.14 - security/openssl/distinfo 1.65 - security/openssl/patches/patch-af 1.22 - security/openssl/patches/patch-am 1.6 --- Module Name: pkgsrc Committed By: tnn Date: Thu Jan 8 16:38:22 UTC 2009 Modified Files: pkgsrc/security/openssl: Makefile PLIST.common distinfo pkgsrc/security/openssl/patches: patch-af patch-am Log Message: Update to openssl-0.9.8j. Fixes CVE-2008-5077. @ text @d3 2 a4 2 --- Makefile.org.orig 2008-12-30 14:26:26.000000000 +0100 +++ Makefile.org d13 1 a13 12 @@@@ -131,8 +132,8 @@@@ FIPSCANLIB= BASEADDR= -DIRS= crypto fips ssl engines apps test tools -SHLIBDIRS= crypto ssl fips +DIRS= crypto ssl engines apps test tools # fips +SHLIBDIRS= crypto ssl # fips # dirs in crypto to build SDIRS= \ @@@@ -152,7 +153,7 @@@@ TESTS = alltests d22 2 a23 2 @@@@ -168,6 +169,7 @@@@ SHARED_SSL=libssl$(SHLIB_EXT) SHARED_FIPS= d30 1 a30 1 @@@@ -200,7 +202,7 @@@@ BUILDENV= PLATFORM='${PLATFORM}' PROCESS d39 1 a39 1 @@@@ -608,7 +610,7 @@@@ dist: d48 1 a48 1 @@@@ -616,9 +618,7 @@@@ install_sw: d59 1 a59 1 @@@@ -688,35 +688,53 @@@@ install_docs: @ 1.20 log @Add a target configuration for Tru64 with gcc. @ text @d3 2 a4 2 --- Makefile.org.orig 2007-08-04 15:31:35.000000000 +0200 +++ Makefile.org d13 1 a13 1 @@@@ -195,7 +196,7 @@@@ TESTS = alltests d22 18 a39 74 @@@@ -291,11 +292,13 @@@@ link-shared: tmp="$(SHARED_LIBS_LINK_EXTS)"; \ for i in $(SHLIBDIRS); do \ prev=lib$$i$(SHLIB_EXT); \ + if [ -f "$$prev" ]; then \ for j in $${tmp:-x}; do \ ( set -x; \ rm -f lib$$i$$j; ln -s $$prev lib$$i$$j ); \ prev=lib$$i$$j; \ done; \ + fi; \ done; \ fi @@@@ -310,8 +313,7 @@@@ do_gnu-shared: fi; \ ( set -x; ${CC} ${SHARED_LDFLAGS} \ -shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ - -Wl,-soname=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ - -Wl,-Bsymbolic \ + -Wl,-h,lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -Wl,--whole-archive lib$$i.a \ -Wl,--no-whole-archive $$libs ${EX_LIBS} ) || exit 1; \ libs="-l$$i $$libs"; \ @@@@ -327,7 +329,7 @@@@ do_darwin-shared: fi; \ ( set -x; ${CC} ${SHARED_LDFLAGS} \ --verbose -dynamiclib -o lib$$i${SHLIB_EXT} \ - lib$$i.a $$libs -all_load -current_version ${SHLIB_MAJOR}.${SHLIB_MINOR} \ + lib$$i.a $$libs ${DL_LDFLAGS} -all_load -current_version ${SHLIB_MAJOR}.${SHLIB_MINOR} \ -compatibility_version ${SHLIB_MAJOR}.`echo ${SHLIB_MINOR} | cut -d. -f1` \ -install_name ${INSTALLTOP}/lib/lib$$i${SHLIB_EXT} ) || exit 1; \ libs="-l`basename $$i${SHLIB_EXT} .dylib` $$libs"; \ @@@@ -410,6 +412,22 @@@@ do_tru64-shared-rpath: done; \ fi +do_tru64-shared-rpath-gcc: + if ${DETECT_GNU_LD}; then \ + $(MAKE) do_gnu-shared; \ + else \ + libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ + if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \ + libs="$(LIBKRB5) $$libs"; \ + fi; \ + ( set -x; ${CC} ${SHARED_LDFLAGS} \ + -shared -Wl,-msym -o lib$$i.so \ + -Wl,-rpath,${INSTALLTOP}/lib \ + -Wl,-set_version,"${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \ + -Wl,-all lib$$i.a -Wl,-none $$libs ${EX_LIBS} ) || exit 1; \ + libs="-l$$i $$libs"; \ + done; \ + fi # This assumes that GNU utilities are *not* used do_solaris-shared: @@@@ -427,6 +445,7 @@@@ do_solaris-shared: -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -Wl,-Bsymbolic \ + -Wl,-R${INSTALLTOP}/lib \ $${MINUSZ}allextract lib$$i.a $${MINUSZ}defaultextract \ $$libs ${EX_LIBS} ) || exit 1; \ libs="-l$$i $$libs"; \ @@@@ -534,7 +553,7 @@@@ do_hpux-shared: # HP/UX-64bit: +forceload # AIX: -bnogc # SHAREDFLAGS would be: -# GNU systems: -shared -Wl,-soname=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} +# GNU systems: -shared -Wl,-h,lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} # Tru64 Unix: -shared \ # -set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" # Solaris: -G -h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} @@@@ -771,16 +790,14 @@@@ dist: d41 1 a41 1 (cd crypto/pem; $(MAKE) CC='${CC}' SDIRS='${SDIRS}' CFLAG='${CFLAG}' pem.h; $(MAKE) clean) d48 2 a49 1 $(INSTALL_PREFIX)$(INSTALLTOP)/lib \ d56 1 a56 1 @@headerlist="$(EXHEADER)"; for i in $$headerlist ;\ d59 2 a60 2 @@@@ -875,35 +892,53 @@@@ install_docs: for i in doc/apps/*.pod; do \ d62 1 a62 1 if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \ d88 1 a88 1 for i in doc/crypto/*.pod doc/ssl/*.pod; do \ d90 1 a90 1 if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \ @ 1.19 log @Also link with the "dl" library when creating the shared libraries. Another attempt to fix PR pkg/36086. @ text @d3 3 a5 3 --- Makefile.org.orig 2005-10-11 21:20:55.000000000 +0100 +++ Makefile.org 2007-04-26 21:57:40.000000000 +0100 @@@@ -28,6 +28,7 @@@@ d13 1 a13 1 @@@@ -195,7 +196,7 @@@@ d22 1 a22 1 @@@@ -291,11 +292,13 @@@@ d36 1 a36 1 @@@@ -310,8 +313,7 @@@@ d46 1 a46 1 @@@@ -327,7 +329,7 @@@@ d55 24 a78 1 @@@@ -427,6 +429,7 @@@@ d86 1 a86 1 @@@@ -534,7 +537,7 @@@@ d95 1 a95 1 @@@@ -771,16 +774,14 @@@@ d114 1 a114 1 @@@@ -875,35 +876,53 @@@@ @ 1.18 log @Update patch to also use PKGMANDIR instead of "man" for the MANDIR in the makefile. @ text @d1 1 a1 1 $NetBSD: patch-af,v 1.17 2005/10/11 17:19:21 jlam Exp $ d3 3 a5 3 --- Makefile.org.orig 2005-06-20 00:29:54.000000000 -0400 +++ Makefile.org @@@@ -28,6 +28,7 @@@@ INSTALLTOP=/usr/local/ssl d13 1 a13 1 @@@@ -195,7 +196,7 @@@@ TESTS = alltests d22 1 a22 1 @@@@ -291,11 +292,13 @@@@ link-shared: d36 1 a36 1 @@@@ -310,8 +313,7 @@@@ do_gnu-shared: d46 10 a55 1 @@@@ -427,6 +429,7 @@@@ do_solaris-shared: d63 1 a63 1 @@@@ -534,7 +537,7 @@@@ do_hpux-shared: d72 1 a72 1 @@@@ -771,16 +774,14 @@@@ dist: d91 1 a91 1 @@@@ -875,35 +876,53 @@@@ install_docs: @ 1.17 log @Update security/openssl to version 0.9.7h. This is a security vulnerability triggered update due to CAN-2005-2969. Changes from version 0.9.7f include: o Fix SSL 2.0 Rollback, CAN-2005-2969 o Allow use of fixed-length exponent on DSA signing o Default fixed-window RSA, DSA, DH private-key operations o More compilation issues fixed. o Adaptation to more modern Kerberos API. o Enhanced or corrected configuration for Solaris64, Mingw and Cygwin. o Enhanced x86_64 assembler BIGNUM module. o More constification. o Added processing of proxy certificates (RFC 3820). @ text @d1 1 a1 1 $NetBSD$ d18 1 a18 1 +MANDIR=$(INSTALLTOP)/man @ 1.16 log @Update security/openssl to openssl-0.9.7f. Pkgsrc changes from version 0.9.7e include: *) Install the man pages with names that are less likely to collide with other packages' man pages. *) Support PKG_OPTIONS of "idea", "mdc2" and "rc5" to allow building with patented algorithms. By default, this package still builds without patented algorithms. Major changes from version 0.9.7e include: *) Prompt for pass phrases when appropriate for PKCS12 input format. *) Back-port of selected performance improvements from development branch, as well as improved support for PowerPC platforms. *) Add lots of checks for memory allocation failure, error codes to indicate failure and freeing up memory if a failure occurs. *) Add new -passin argument to dgst. *) Make an explicit check during certificate validation to see that the CA setting in each certificate on the chain is correct. @ text @d3 1 a3 1 --- Makefile.org.orig 2005-03-15 04:46:13.000000000 -0500 d13 1 a13 1 @@@@ -194,7 +195,7 @@@@ TESTS = alltests d22 1 a22 1 @@@@ -287,11 +288,13 @@@@ link-shared: d36 1 a36 1 @@@@ -306,8 +309,7 @@@@ do_gnu-shared: d44 1 a44 1 -Wl,--no-whole-archive $$libs ${EX_LIBS} -lc ) || exit 1; \ d46 1 a46 1 @@@@ -422,6 +424,7 @@@@ do_solaris-shared: d52 1 a52 1 $$libs ${EX_LIBS} -lc ) || exit 1; \ d54 1 a54 1 @@@@ -565,7 +568,7 @@@@ do_hpux64-shared: d63 1 a63 1 @@@@ -798,16 +801,14 @@@@ dist: d82 1 a82 1 @@@@ -893,35 +894,53 @@@@ install_docs: d99 2 a100 2 grep -v $$filecase "^$$fn\$$" | \ grep -v "[ ]" | \ d128 2 a129 2 grep -v $$filecase "^$$fn\$$" | \ grep -v "[ ]" | \ @ 1.16.4.1 log @Pullup tickets 822 and 825 - requested by Johnny C. Lam security update for openssl Revisions pulled up: - pkgsrc/security/openssl/Makefile 1.107 - pkgsrc/security/openssl/PLIST.common 1.11 - pkgsrc/security/openssl/builtin.mk 1.16, 1.17 - pkgsrc/security/openssl/distinfo 1.46 - pkgsrc/security/openssl/patches/patch-aa 1.18 - pkgsrc/security/openssl/patches/patch-ac 1.28 - pkgsrc/security/openssl/patches/patch-ad 1.15 - pkgsrc/security/openssl/patches/patch-af 1.17 Module Name: pkgsrc Committed By: jlam Date: Tue Oct 11 17:19:21 UTC 2005 Modified Files: pkgsrc/security/openssl: Makefile PLIST.common distinfo pkgsrc/security/openssl/patches: patch-aa patch-ac patch-ad patch-af Log Message: Update security/openssl to version 0.9.7h. This is a security vulnerability triggered update due to CAN-2005-2969. Changes from version 0.9.7f include: o Fix SSL 2.0 Rollback, CAN-2005-2969 o Allow use of fixed-length exponent on DSA signing o Default fixed-window RSA, DSA, DH private-key operations o More compilation issues fixed. o Adaptation to more modern Kerberos API. o Enhanced or corrected configuration for Solaris64, Mingw and Cygwin. o Enhanced x86_64 assembler BIGNUM module. o More constification. o Added processing of proxy certificates (RFC 3820). --- Module Name: pkgsrc Committed By: jlam Date: Wed Oct 12 02:00:03 UTC 2005 Modified Files: pkgsrc/security/openssl: builtin.mk Log Message: Remove leading "-" from version number when matching the openssl-0.9.6g from the netbsd-1-6 branch with the 20040401 fix. --- Module Name: pkgsrc Committed By: jlam Date: Wed Oct 12 02:20:10 UTC 2005 Modified Files: pkgsrc/security/openssl: builtin.mk Log Message: If the native openssl-0.9.7d contains the security fixes pulled up to the netbsd-2-0, netbsd-2, and netbsd-3-0 branches on 2005-10-11, then for the purposes of satisfying dependencies, pretend it's openssl-0.9.7h. @ text @d1 1 a1 1 $NetBSD: patch-af,v 1.17 2005/10/11 17:19:21 jlam Exp $ d3 1 a3 1 --- Makefile.org.orig 2005-06-20 00:29:54.000000000 -0400 d13 1 a13 1 @@@@ -195,7 +196,7 @@@@ TESTS = alltests d22 1 a22 1 @@@@ -291,11 +292,13 @@@@ link-shared: d36 1 a36 1 @@@@ -310,8 +313,7 @@@@ do_gnu-shared: d44 1 a44 1 -Wl,--no-whole-archive $$libs ${EX_LIBS} ) || exit 1; \ d46 1 a46 1 @@@@ -427,6 +429,7 @@@@ do_solaris-shared: d52 1 a52 1 $$libs ${EX_LIBS} ) || exit 1; \ d54 1 a54 1 @@@@ -534,7 +537,7 @@@@ do_hpux-shared: d63 1 a63 1 @@@@ -771,16 +774,14 @@@@ dist: d82 1 a82 1 @@@@ -875,35 +876,53 @@@@ install_docs: d99 2 a100 2 (grep -v $$filecase "^$$fn\$$"; true) | \ (grep -v "[ ]"; true) | \ d128 2 a129 2 (grep -v $$filecase "^$$fn\$$"; true) | \ (grep -v "[ ]"; true) | \ @ 1.15 log @when linking shared libssl on Solaris, make sure the rpath is included so it can find libcrypto. @ text @d3 1 a3 1 --- Makefile.org.orig 2004-09-29 06:52:14.000000000 +1000 d46 1 a46 1 @@@@ -415,6 +417,7 @@@@ do_solaris-shared: d54 1 a54 1 @@@@ -548,7 +551,7 @@@@ do_hpux64-shared: d63 1 a63 1 @@@@ -790,16 +793,14 @@@@ dist: d79 1 a79 1 @@for i in $(EXHEADER) ;\ d82 60 @ 1.14 log @Fix a bug in the OpenSSL makefiles that installed a libfips.so symlink that pointed to nothing. There is no such thing as "libfips". @ text @d3 1 a3 1 --- Makefile.org.orig 2004-09-28 16:52:14.000000000 -0400 d46 9 a54 1 @@@@ -548,7 +550,7 @@@@ do_hpux64-shared: d63 1 a63 1 @@@@ -790,16 +792,14 @@@@ dist: @ 1.13 log @Update security/openssl to 0.9.7e. Changes from openssl-0.9.6m are too numerous to be listed here, but include adding a new DES API (support for the old one is still present). Changes to the pkgsrc structure include: * Install the shared libraries with a version number that matches the OpenSSL version number * Move some of the less often-used c_* utilities back into the examples directory. * Drop support for using the RSAREF library and always use the built-in RSA code instead. @ text @d22 15 a36 1 @@@@ -306,8 +307,7 @@@@ do_gnu-shared: d46 1 a46 1 @@@@ -548,7 +548,7 @@@@ do_hpux64-shared: d55 1 a55 1 @@@@ -790,16 +790,14 @@@@ dist: @ 1.12 log @ick: openssl builds PIC static libraries and then later uses them to build shared libraries. on Darwin with xlc, this fails because of the way xlc invokes Darwin's in-base libtool to create shared libraries, meaning that the -all_load argument cannot be used to import all symbols. work around this the same way as UnixWare does it, by listing the archive library contents and linking the object files into the shared library individually. also remove some other assumed gcc'isms to make this build on Darwin with xlc. XXX maybe this pkg should be libtool'ized? @ text @d3 1 a3 1 --- Makefile.org.orig 2003-07-04 07:43:50.000000000 +1000 d5 11 a15 3 @@@@ -169,7 +169,7 @@@@ SDIRS= \ MAKEFILE= Makefile.ssl MAKE= make -f Makefile.ssl d21 3 a23 3 SHELL=/bin/sh @@@@ -262,8 +262,7 @@@@ do_gnu-shared: libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ d28 1 a28 1 + -Wl,-h,lib$$i.so.${SHLIB_MAJOR} \ d31 2 a32 19 libs="$$libs -l$$i"; \ @@@@ -277,8 +276,14 @@@@ DETECT_GNU_LD=${CC} -v 2>&1 | grep '^gcc # For Darwin AKA Mac OS/X (dyld) do_darwin-shared: libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ - ( set -x ; ${CC} --verbose -dynamiclib -o lib$$i${SHLIB_EXT} \ - lib$$i.a $$libs -all_load -current_version ${SHLIB_MAJOR}.${SHLIB_MINOR} \ + ( set -x ; \ + find . -name "*.o" -print > allobjs ; \ + OBJS= ; export OBJS ; \ + for obj in `ar t lib$$i.a` ; do \ + OBJS="$${OBJS} `grep /$$obj allobjs`" ; \ + done ; \ + ${CC} -dynamiclib -o lib$$i${SHLIB_EXT} \ + $$libs $${OBJS} -current_version ${SHLIB_MAJOR}.${SHLIB_MINOR} \ -compatibility_version ${SHLIB_MAJOR}.`echo ${SHLIB_MINOR} | cut -d. -f1` \ -install_name ${INSTALLTOP}/lib/lib$$i${SHLIB_EXT} ) || exit 1; \ libs="$$libs -l`basename $$i${SHLIB_EXT} .dylib`"; \ @@@@ -449,7 +454,7 @@@@ do_hpux64-shared: d41 1 a41 1 @@@@ -636,14 +641,14 @@@@ dist: d45 4 a48 2 -install: all install_docs +install: install_docs d51 1 d54 3 a56 6 + $(INSTALL_PREFIX)$(INSTALLTOP)/share/examples/openssl \ + $(INSTALL_PREFIX)$(OPENSSLDIR) \ $(INSTALL_PREFIX)$(OPENSSLDIR)/certs \ - $(INSTALL_PREFIX)$(OPENSSLDIR)/private \ - $(INSTALL_PREFIX)$(OPENSSLDIR)/lib + $(INSTALL_PREFIX)$(OPENSSLDIR)/private @ 1.11 log @Make compile on Interix. No-op change for other platforms, so no PKGREVISION bump. (Main MI change: -soname -> -h, as some GNU ld(1) wants --soname instead of -soname, but -h works on all GNU ld(1) versions.) @ text @d3 1 a3 1 --- Makefile.org.orig Thu Jul 3 17:43:50 2003 d24 18 a41 1 @@@@ -449,7 +448,7 @@@@ do_hpux64-shared: d50 1 a50 1 @@@@ -636,14 +635,14 @@@@ dist: @ 1.10 log @Don't rebuild openssl again as part of installing it. @ text @d20 1 a20 1 + -Wl,-soname=lib$$i.so.${SHLIB_MAJOR} \ d24 9 @ 1.9 log @Update to 0.9.6m: Changes between 0.9.6l and 0.9.6m [17 Mar 2004] *) Fix null-pointer assignment in do_change_cipher_spec() revealed by using the Codenomicon TLS Test Tool (CAN-2004-0079) [Joe Orton, Steve Henson] @ text @d3 1 a3 1 --- Makefile.org.orig Thu Jul 3 23:43:50 2003 d24 6 a29 1 @@@@ -640,10 +639,10 @@@@ install: all install_docs @ 1.8 log @Back out the make -> @@MAKE@@ -> ${MAKE} changes since we workaround the bare "make" problem using tools.mk. @ text @d3 3 a5 3 --- Makefile.org.orig Fri Aug 9 07:43:56 2002 +++ Makefile.org Tue Sep 9 21:37:22 2003 @@@@ -169,7 +169,7 @@@@ d14 1 a14 1 @@@@ -262,8 +262,7 @@@@ d24 1 a24 1 @@@@ -632,10 +631,10 @@@@ @ 1.7 log @Several of the Makefile used in this package call 'make' directly. If an operating system does not have a 'make' (ie only bmake), or if the OS supplied 'make' is sufficiently broken (Irix), this will cause the build to fail (interestingly enough apparently only if build as a dependency, not if build from this directory). Patch Makefiles to use @@MAKE@@, which then, after patching, is substituted with the actual ${MAKE} (can't use "MAKE= ${MAKE} -f Makefile.ssl"). While here, tweak Irix configure a bit. @ text @d1 1 a1 1 $NetBSD: $ d3 3 a5 5 --- Makefile.org.orig Fri Aug 9 04:43:56 2002 +++ Makefile.org Sun Aug 24 14:54:26 2003 @@@@ -167,9 +167,9 @@@@ evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp d7 1 a7 2 -MAKE= make -f Makefile.ssl +MAKE= @@MAKE@@ -f Makefile.ssl @ 1.6 log @Merge changes in packages from the buildlink2 branch that have buildlink2.mk files back into the main trunk. @ text @d1 1 a1 1 $NetBSD: patch-af,v 1.5.2.1 2002/08/22 11:12:32 jlam Exp $ d3 5 a7 3 --- Makefile.org.orig Fri Aug 9 06:43:56 2002 +++ Makefile.org @@@@ -169,7 +169,7 @@@@ d9 2 a10 1 MAKE= make -f Makefile.ssl @ 1.5 log @Update to 0.9.6g. The most significant change is this proof against a stunning DoS vulnerability, fixed in 0.9.6f: *) Use proper error handling instead of 'assertions' in buffer overflow checks added in 0.9.6e. This prevents DoS (the assertions could call abort()). [Arne Ansper , Bodo Moeller] Regenerate the netbsd patch. This is now a clean diff against the vendor tag, with version-number-only changes elided. Partially revert "crypto/dist/openssl/crypto/rand/randfile.c", version 1.4 (via additional pkgsrc patch), to give this a shot to compile on NetBSD-1.4.2 and earlier, which had no strlcpy() or strlcat(). Assemble the shared library without "-Bsymbolic", mainly to give this a shot at linking on NetBSD-a.out (untested). @ text @d1 1 a1 1 $NetBSD: patch-af,v 1.4 2002/08/04 15:47:47 fredb Exp $ @ 1.5.2.1 log @file patch-af was added on branch buildlink2 on 2002-08-22 11:12:32 +0000 @ text @d1 37 @ 1.5.2.2 log @Merge changes from pkgsrc-current into the buildlink2 branch for the packages that have buildlink2.mk files. @ text @a0 37 $NetBSD: patch-af,v 1.5.2.1 2002/08/22 11:12:32 jlam Exp $ --- Makefile.org.orig Fri Aug 9 06:43:56 2002 +++ Makefile.org @@@@ -169,7 +169,7 @@@@ MAKEFILE= Makefile.ssl MAKE= make -f Makefile.ssl -MANDIR=$(OPENSSLDIR)/man +MANDIR=$(INSTALLTOP)/man MAN1=1 MAN3=3 SHELL=/bin/sh @@@@ -262,8 +262,7 @@@@ libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ ( set -x; ${CC} ${SHARED_LDFLAGS} \ -shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ - -Wl,-soname=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ - -Wl,-Bsymbolic \ + -Wl,-soname=lib$$i.so.${SHLIB_MAJOR} \ -Wl,--whole-archive lib$$i.a \ -Wl,--no-whole-archive $$libs ${EX_LIBS} -lc ) || exit 1; \ libs="$$libs -l$$i"; \ @@@@ -632,10 +631,10 @@@@ @@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \ $(INSTALL_PREFIX)$(INSTALLTOP)/lib \ $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \ - $(INSTALL_PREFIX)$(OPENSSLDIR)/misc \ + $(INSTALL_PREFIX)$(INSTALLTOP)/share/examples/openssl \ + $(INSTALL_PREFIX)$(OPENSSLDIR) \ $(INSTALL_PREFIX)$(OPENSSLDIR)/certs \ - $(INSTALL_PREFIX)$(OPENSSLDIR)/private \ - $(INSTALL_PREFIX)$(OPENSSLDIR)/lib + $(INSTALL_PREFIX)$(OPENSSLDIR)/private @@for i in $(EXHEADER) ;\ do \ (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ @ 1.4 log @Update openssl to 0.9.6e. This update fixes multiple vulnerabilities, and also changes the ABI of "libcrypto" and "libssl". (So the shared library majors and buildlink requirements are bumped, too.) The code base is now synced perfectly with NetBSD HEAD and netbsd-1-6 branches as of 2002-08-04, the optimization levels are reduced to "-O2", but I've retained some of the processor optimization flags and different code path #defines in the "Configure" script, just to keep things interesting. The default "certs" directory on NetBSD is now "/etc/openssl/certs", to give continuity to those who find themselves using the package system's "openssl" after upgrading a package that formerly used the base system's. [Suggested by itojun.] The best way to avoid such problems, however, is to upgrade your base system *first*. I'm making use of the new and improved build system as much as possible. This gives us a cleaner way to make shared libraries and real man pages, but loses many of the symlinks to the openssl binary. I've culled items from the "CHANGES" file that appear to have security implications or are particularly interesting for NetBSD users, below. My comments are marked off with '===>'. ===> This is from the netbsd-20020804-patch *) Fix ASN1 checks. Check for overflow by comparing with LONG_MAX and get fix the header length calculation. [Florian Weimer , Alon Kantor (and others), Steve Henson] Changes between 0.9.6d and 0.9.6e [30 Jul 2002] *) New option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure that was added in OpenSSL 0.9.6d. As the countermeasure turned out to be incompatible with some broken SSL implementations, the new option is part of SSL_OP_ALL. SSL_OP_ALL is usually employed when compatibility with weird SSL implementations is desired (e.g. '-bugs' option to 's_client' and 's_server'), so the new option is automatically set in many applications. [Bodo Moeller] *) Changes in security patch: Changes marked "(CHATS)" were sponsored by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F30602-01-2-0537. *) Add various sanity checks to asn1_get_length() to reject the ASN1 length bytes if they exceed sizeof(long), will appear negative or the content length exceeds the length of the supplied buffer. [Steve Henson, Adi Stav , James Yonan ] *) Assertions for various potential buffer overflows, not known to happen in practice. [Ben Laurie (CHATS)] *) Various temporary buffers to hold ASCII versions of integers were too small for 64 bit platforms. (CAN-2002-0655) [Matthew Byng-Maddick and Ben Laurie (CHATS)> *) Remote buffer overflow in SSL3 protocol - an attacker could supply an oversized session ID to a client. (CAN-2002-0656) [Ben Laurie (CHATS)] *) Remote buffer overflow in SSL2 protocol - an attacker could supply an oversized client master key. (CAN-2002-0656) [Ben Laurie (CHATS)] Changes between 0.9.6c and 0.9.6d [9 May 2002] *) Implement a countermeasure against a vulnerability recently found in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment before application data chunks to avoid the use of known IVs with data potentially chosen by the attacker. [Bodo Moeller] Changes between 0.9.6a and 0.9.6b [9 Jul 2001] *) Change ssleay_rand_bytes (crypto/rand/md_rand.c) to avoid a SSLeay/OpenSSL PRNG weakness pointed out by Markku-Juhani O. Saarinen : PRNG state recovery was possible based on the output of one PRNG request appropriately sized to gain knowledge on 'md' followed by enough consecutive 1-byte PRNG requests to traverse all of 'state'. 1. When updating 'md_local' (the current thread's copy of 'md') during PRNG output generation, hash all of the previous 'md_local' value, not just the half used for PRNG output. 2. Make the number of bytes from 'state' included into the hash independent from the number of PRNG bytes requested. The first measure alone would be sufficient to avoid Markku-Juhani's attack. (Actually it had never occurred to me that the half of 'md_local' used for chaining was the half from which PRNG output bytes were taken -- I had always assumed that the secret half would be used.) The second measure makes sure that additional data from 'state' is never mixed into 'md_local' in small portions; this heuristically further strengthens the PRNG. [Bodo Moeller] *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5 RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5 when fixing the server behaviour for backwards-compatible 'client hello' messages. (Note that the attack is impractical against SSL 3.0 and TLS 1.0 anyway because length and version checking means that the probability of guessing a valid ciphertext is around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98 paper.) Before 0.9.5, the countermeasure (hide the error by generating a random 'decryption result') did not work properly because ERR_clear_error() was missing, meaning that SSL_get_error() would detect the supposedly ignored error. Both problems are now fixed. [Bodo Moeller] Changes between 0.9.6 and 0.9.6a [5 Apr 2001] ===> This is our ABI change. *) Rename 'des_encrypt' to 'des_encrypt1'. This avoids the clashes with des_encrypt() defined on some operating systems, like Solaris and UnixWare. [Richard Levitte] *) Don't use getenv in library functions when run as setuid/setgid. New function OPENSSL_issetugid(). [Ulf Moeller] *) Store verify_result within SSL_SESSION also for client side to avoid potential security hole. (Re-used sessions on the client side always resulted in verify_result==X509_V_OK, not using the original result of the server certificate verification.) [Lutz Jaenicke] ===> package doesn't doesn't do this. We'll bump major versions ===> as necessary. *) Make sure that shared libraries get the internal name engine with the full version number and not just 0. This should mark the shared libraries as not backward compatible. Of course, this should be changed again when we can guarantee backward binary compatibility. [Richard Levitte] *) Rework the system to generate shared libraries: - Make note of the expected extension for the shared libraries and if there is a need for symbolic links from for example libcrypto.so.0 to libcrypto.so.0.9.7. There is extended info in Configure for that. - Make as few rebuilds of the shared libraries as possible. - Still avoid linking the OpenSSL programs with the shared libraries. - When installing, install the shared libraries separately from the static ones. @ text @d1 1 a1 1 $NetBSD$ d3 1 a3 1 --- Makefile.org.orig Fri Jul 19 11:33:26 2002 d14 1 a14 1 @@@@ -261,7 +261,7 @@@@ d19 1 a20 1 -Wl,-Bsymbolic \ d23 2 a24 1 @@@@ -631,10 +631,10 @@@@ @ 1.3 log @Support to build it on Solaris. It would be easier to make that change if we support patches for one OPSYS but someone removed that from out tree. @ text @d1 1 a1 1 $NetBSD: patch-af,v 1.2 1999/11/25 18:51:47 erh Exp $ d3 5 a7 4 --- ssl/Makefile.ssl.orig Fri May 21 06:16:45 1999 +++ ssl/Makefile.ssl Wed Oct 20 17:31:33 1999 @@@@ -52,6 +52,7 @@@@ (cd ..; $(MAKE) DIRS=$(DIR) all) d9 28 a36 5 all: lib + cd ${TOP} && csh ${MAKELIB} ${IS_ELF} libssl.so.${MAJOR}.${MINOR} libssl.a lib: $(LIBOBJ) $(AR) $(LIB) $(LIBOBJ) @ 1.2 log @Update openssl to 0.9.4. @ text @d1 1 a1 1 $NetBSD: $ @ 1.1 log @Initial revision @ text @d1 1 a1 1 $NetBSD$ d3 2 a4 2 --- ssl/Makefile.ssl.orig Tue Apr 27 14:38:06 1999 +++ ssl/Makefile.ssl Tue Apr 27 14:38:21 1999 d9 1 a9 1 + cd .. && csh ${MAKELIB} libssl.so.1.0 libssl.a @ 1.1.1.1 log @Import OpenSSL 0.9.2b pkg, a package which finally updates and fixes many deficiencies in SSLeay. Intended to be a drop-in replacement for SSLeay (and still provides the command-prompt interface as "ssleay"). @ text @@