head 1.9; access; symbols pkgsrc-2013Q2:1.9.0.16 pkgsrc-2013Q2-base:1.9 pkgsrc-2012Q4:1.9.0.14 pkgsrc-2012Q4-base:1.9 pkgsrc-2011Q4:1.9.0.12 pkgsrc-2011Q4-base:1.9 pkgsrc-2011Q2:1.9.0.10 pkgsrc-2011Q2-base:1.9 pkgsrc-2009Q4:1.9.0.8 pkgsrc-2009Q4-base:1.9 pkgsrc-2008Q4:1.9.0.6 pkgsrc-2008Q4-base:1.9 pkgsrc-2008Q3:1.9.0.4 pkgsrc-2008Q3-base:1.9 cube-native-xorg:1.9.0.2 cube-native-xorg-base:1.9 pkgsrc-2008Q2:1.8.0.4 pkgsrc-2008Q2-base:1.8 cwrapper:1.8.0.2 pkgsrc-2008Q1:1.7.0.2 pkgsrc-2008Q1-base:1.7 pkgsrc-2007Q4:1.6.0.12 pkgsrc-2007Q4-base:1.6 pkgsrc-2007Q3:1.6.0.10 pkgsrc-2007Q3-base:1.6 pkgsrc-2007Q2:1.6.0.8 pkgsrc-2007Q2-base:1.6 pkgsrc-2007Q1:1.6.0.6 pkgsrc-2007Q1-base:1.6 pkgsrc-2006Q4:1.6.0.4 pkgsrc-2006Q4-base:1.6 pkgsrc-2006Q3:1.6.0.2 pkgsrc-2006Q3-base:1.6 pkgsrc-2006Q2:1.5.0.22 pkgsrc-2006Q2-base:1.5 pkgsrc-2006Q1:1.5.0.20 pkgsrc-2006Q1-base:1.5 pkgsrc-2005Q4:1.5.0.18 pkgsrc-2005Q4-base:1.5 pkgsrc-2005Q3:1.5.0.16 pkgsrc-2005Q3-base:1.5 pkgsrc-2005Q2:1.5.0.14 pkgsrc-2005Q2-base:1.5 pkgsrc-2005Q1:1.5.0.12 pkgsrc-2005Q1-base:1.5 pkgsrc-2004Q4:1.5.0.10 pkgsrc-2004Q4-base:1.5 pkgsrc-2004Q3:1.5.0.8 pkgsrc-2004Q3-base:1.5 pkgsrc-2004Q2:1.5.0.6 pkgsrc-2004Q2-base:1.5 pkgsrc-2004Q1:1.5.0.4 pkgsrc-2004Q1-base:1.5 pkgsrc-2003Q4:1.5.0.2 pkgsrc-2003Q4-base:1.5 buildlink2-base:1.3 netbsd-1-4-PATCH002:1.2 comdex-fall-1999:1.1.1.1 netbsd-1-4-PATCH001:1.1.1.1 netbsd-1-4-RELEASE:1.1.1.1 pkgsrc-base:1.1.1.1 TNF:1.1.1; locks; strict; comment @# @; 1.9 date 2008.07.14.03.52.54; author tnn; state dead; branches; next 1.8; 1.8 date 2008.06.03.21.39.40; author tonnerre; state Exp; branches; next 1.7; 1.7 date 2008.01.17.06.42.49; author tnn; state dead; branches 1.7.2.1; next 1.6; 1.6 date 2006.09.30.04.20.24; author taca; state Exp; branches; next 1.5; 1.5 date 2003.10.02.02.34.40; author jschauma; state dead; branches; next 1.4; 1.4 date 2003.03.21.18.40.49; author seb; state Exp; branches; next 1.3; 1.3 date 2000.05.10.12.28.42; author veego; state dead; branches; next 1.2; 
1.2 date 99.11.25.18.51.47; author erh; state Exp; branches; next 1.1; 1.1 date 99.04.30.15.19.13; author tv; state Exp; branches 1.1.1.1; next ; 1.7.2.1 date 2008.06.05.12.25.24; author rtr; state Exp; branches; next ; 1.1.1.1 date 99.04.30.15.19.13; author tv; state Exp; branches; next ; desc @@ 1.9 log @Update to openssl-0.9.8h. Changes from 0.9.8g: Two crashes discovered using the Codenomicon TLS test suite, as reported in CVE-2008-0891 and CVE-2008-1672, were fixed. The root CA certificates of commercial CAs were removed from the distribution. Functions were added to implement RFC3394 compatible AES key wrapping. Utility functions to handle ASN1 structures were added. The certificate status request TLS extension, as defined in RFC3546, was implemented. Several other bugfixes and enhancements were made. @ text @$NetBSD: patch-ah,v 1.8 2008/06/03 21:39:40 tonnerre Exp $ --- ssl/t1_lib.c.orig 2007-10-19 09:44:10.000000000 +0200 +++ ssl/t1_lib.c @@@@ -324,6 +324,7 @@@@ int ssl_parse_clienthello_tlsext(SSL *s, s->session->tlsext_hostname[len]='\0'; if (strlen(s->session->tlsext_hostname) != len) { OPENSSL_free(s->session->tlsext_hostname); + s->session->tlsext_hostname = NULL; *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } @ 1.8 log @Fix two Denial of Service vulnerabilities in OpenSSL 0.9.8g: - Fix flaw if 'Server Key exchange message' is omitted from a TLS handshake which could lead to a silent crash. - Fix double free in TLS server name extensions which could lead to a remote crash. Patches from upstream. @ text @d1 1 a1 1 $NetBSD$ @ 1.7 log @Update to openssl-0.9.8g. Provided by Jukka Salmi in pkgsrc-wip. pkgsrc notes: o Tested on NetBSD/i386 (Jukka Salmi), Mac OSX 10.5 (Adrian Portelli), Linux (Jeremy C. Reed), Tru64 5.1b (tnn), HP-UX 11i (tnn). Because the Makefile system has been revamped, other platforms may require fixes. Please test if you can. o OpenSSL can now be built with installation to DESTDIR.
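Review bot: the added `s->session->tlsext_hostname = NULL;` is the right minimal fix for the @@ -324,6 +324,7 @@ hunk: without it, `OPENSSL_free(s->session->tlsext_hostname);` leaves a dangling pointer in the session on the `return 0` error path, and whatever later frees the session frees that pointer a second time, which is the remote double free named in the 1.8 log. Two follow-ups worth recording in the patch header: the `strlen(s->session->tlsext_hostname) != len` test is what rejects a server_name carrying an embedded NUL (the client gets TLS1_AD_UNRECOGNIZED_NAME rather than a silently truncated name), and any other early-return path in ssl_parse_clienthello_tlsext() that frees a field of `s->session` should be checked for the same missing NULL assignment, which this hunk does not show. The `$NetBSD: patch-ah,v 1.8 ...` keyword line is the last content before 1.9 marks the file dead, consistent with openssl-0.9.8h carrying the fix itself.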
Overview of important changes since 0.9.7i: o Add gcc 4.2 support. o DTLS improvements. o RFC4507bis support. o TLS Extensions support. o RFC3779 support. o New cipher Camellia. o Updated ECC cipher suite support. o New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free(). o Zlib compression usage fixes. o Major work on the BIGNUM library for higher efficiency and to make operations more streamlined and less contradictory. This is the result of a major audit of the BIGNUM library. o Addition of BIGNUM functions for fields GF(2^m) and NIST curves, to support the Elliptic Crypto functions. o Major work on Elliptic Crypto; ECDH and ECDSA added, including the use through EVP, X509 and ENGINE. o New ASN.1 mini-compiler that's usable through the OpenSSL configuration file. o Added support for ASN.1 indefinite length constructed encoding. o New PKCS#12 'medium level' API to manipulate PKCS#12 files. o Complete rework of shared library construction and linking programs with shared or static libraries, through a separate Makefile.shared. o Rework of the passing of parameters from one Makefile to another. o Changed ENGINE framework to load dynamic engine modules automatically from specifically given directories. o New structure and ASN.1 functions for CertificatePair. o Changed the key-generation and primality testing "progress" mechanism to take a structure that contains the ticker function and an argument. o New engine module: GMP (performs private key exponentiation). o New engine module: VIA PadLock ACE extension in VIA C3 Nehemiah processors. o Added support for IPv6 addresses in certificate extensions. See RFC 1884, section 2.2. o Added support for certificate policy mappings, policy constraints and name constraints. o Added support for multi-valued AVAs in the OpenSSL configuration file. o Added support for multiple certificates with the same subject in the 'openssl ca' index file. o Make it possible to create self-signed certificates using 'openssl ca -selfsign'.
o Make it possible to generate a serial number file with 'openssl ca -create_serial'. o New binary search functions with extended functionality. o New BUF functions. o New STORE structure and library to provide an interface to all sorts of data repositories. Supports storage of public and private keys, certificates, CRLs, numbers and arbitrary blobs. This library is unfortunately unfinished and unused within OpenSSL. o New control functions for the error stack. o Changed the PKCS#7 library to support one-pass S/MIME processing. o New FIPS 180-2 algorithms (SHA-224, -256, -384 and -512). o New X509_VERIFY_PARAM structure to support parametrisation of X.509 path validation. o Change the default digest in 'openssl' commands from MD5 to SHA-1. o Added support for DTLS. o New BIGNUM blinding. o Added support for the RSA-PSS encryption scheme. o Added support for the RSA X.931 padding. o Added support for files larger than 2GB. o Added alternate pkg-config files. @ text @d1 1 a1 1 $NetBSD: patch-ah,v 1.6 2006/09/30 04:20:24 taca Exp $ d3 10 a12 13 # http://secunia.com/advisories/22130/ --- ssl/s3_srvr.c.orig 2005-04-10 08:52:53.000000000 +0900 +++ ssl/s3_srvr.c @@@@ -1727,7 +1727,7 @@@@ static int ssl3_get_client_key_exchange( if (kssl_ctx->client_princ) { - int len = strlen(kssl_ctx->client_princ); + size_t len = strlen(kssl_ctx->client_princ); if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) { s->session->krb5_client_princ_len = len; @ 1.7.2.1 log @lost in previous @ text @d1 1 a1 1 $NetBSD: patch-ah,v 1.8 2008/06/03 21:39:40 tonnerre Exp $ d3 13 a15 10 --- ssl/t1_lib.c.orig 2007-10-19 09:44:10.000000000 +0200 +++ ssl/t1_lib.c @@@@ -324,6 +324,7 @@@@ int ssl_parse_clienthello_tlsext(SSL *s, s->session->tlsext_hostname[len]='\0'; if (strlen(s->session->tlsext_hostname) != len) { OPENSSL_free(s->session->tlsext_hostname); + s->session->tlsext_hostname = NULL; *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } @ 1.6 log @Apply patches which fix a recent security problem of OpenSSL.
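Review bot: the `- int len = strlen(kssl_ctx->client_princ);` / `+ size_t len = strlen(kssl_ctx->client_princ);` change in the @@ -1727,7 +1727,7 @@ hunk is a signedness fix: strlen() returns size_t, and storing it in an int turns `if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH )` into a signed comparison that a wrapped (negative) value would pass, so the bound check could be bypassed before `s->session->krb5_client_princ_len = len;`. The hunk stops there, so the review cannot see the declared type of krb5_client_princ_len or the copy that follows; confirm both are sized consistently with the new size_t so the fix does not just move the truncation one line down. The `# http://secunia.com/advisories/22130/` line above the `---` header is good practice for a pkgsrc patch; keeping it in the patch file rather than only in the commit log lets the next updater judge whether the hunk is still needed.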
http://secunia.com/advisories/22130/ Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD$ @ 1.5 log @Update to 0.9.6k: Changes between 0.9.6j and 0.9.6k [30 Sep 2003] *) Fix various bugs revealed by running the NISCC test suite: Stop out of bounds reads in the ASN1 code when presented with invalid tags (CAN-2003-0543 and CAN-2003-0544). If verify callback ignores invalid public key errors don't try to check certificate signature with the NULL public key. [Steve Henson] *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate if the server requested one: as stated in TLS 1.0 and SSL 3.0 specifications. [Steve Henson] *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional extra data after the compression methods not only for TLS 1.0 but also for SSL 3.0 (as required by the specification). [Bodo Moeller; problem pointed out by Matthias Loepfe] *) Change X509_certificate_type() to mark the key as exported/exportable when it's 512 *bits* long, not 512 bytes. [Richard Levitte] Changes between 0.9.6i and 0.9.6j [10 Apr 2003] *) Countermeasure against the Klima-Pokorny-Rosa extension of Bleichenbacher's attack on PKCS #1 v1.5 padding: treat a protocol version number mismatch like a decryption error in ssl3_get_client_key_exchange (ssl/s3_srvr.c). [Bodo Moeller] *) Turn on RSA blinding by default in the default implementation to avoid a timing attack. Applications that don't want it can call RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING. They would be ill-advised to do so in most cases. [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller] *) Change RSA blinding code so that it works when the PRNG is not seeded (in this case, the secret RSA exponent is abused as an unpredictable seed -- if it is not unpredictable, there is no point in blinding anyway).
Make RSA blinding thread-safe by remembering the creator's thread ID in rsa->blinding and having all other threads use local one-time blinding factors (this requires more computation than sharing rsa->blinding, but avoids excessive locking; and if an RSA object is not shared between threads, blinding will still be very fast). [Bodo Moeller] Changes between 0.9.6h and 0.9.6i [19 Feb 2003] *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked via timing by performing a MAC computation even if incorrect block cipher padding has been found. This is a countermeasure against active attacks where the attacker has to distinguish between bad padding and a MAC verification error. (CAN-2003-0078) [Bodo Moeller; problem pointed out by Brice Canvel (EPFL), Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and Martin Vuagnoux (EPFL, Ilion)] Changes between 0.9.6g and 0.9.6h [5 Dec 2002] *) New function OPENSSL_cleanse(), which is used to cleanse a section of memory from its contents. This is done with a counter that will place alternating values in each byte. This can be used to solve two issues: 1) the removal of calls to memset() by highly optimizing compilers, and 2) cleansing with other values than 0, since those can be read through on certain media, for example a swap space on disk. [Geoff Thorpe] *) Bugfix: client side session caching did not work with external caching, because the session->cipher setting was not restored when reloading from the external cache. This problem was masked when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (part of SSL_OP_ALL) was set. (Found by Steve Haslam.) [Lutz Jaenicke] *) Fix client_certificate (ssl/s2_clnt.c): The permissible total length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33. [Zeev Lieber] *) Undo an undocumented change introduced in 0.9.6e which caused repeated calls to OpenSSL_add_all_ciphers() and OpenSSL_add_all_digests() to be ignored, even after calling EVP_cleanup().
[Richard Levitte] *) Change the default configuration reader to deal with last line not being properly terminated. [Richard Levitte] *) Change X509_NAME_cmp() so it applies the special rules on handling DN values that are of type PrintableString, as well as RDNs of type emailAddress where the value has the type ia5String. [stefank@@valicert.com via Richard Levitte] *) Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be the bitwise-OR of the two for use by the majority of applications wanting this behaviour, and update the docs. The documented behaviour and actual behaviour were inconsistent and had been changing anyway, so this is more a bug-fix than a behavioural change. [Geoff Thorpe, diagnosed by Nadav Har'El] *) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes). [Bodo Moeller] *) Fix initialization code race conditions in SSLv23_method(), SSLv23_client_method(), SSLv23_server_method(), SSLv2_method(), SSLv2_client_method(), SSLv2_server_method(), SSLv3_method(), SSLv3_client_method(), SSLv3_server_method(), TLSv1_method(), TLSv1_client_method(), TLSv1_server_method(), ssl2_get_cipher_by_char(), ssl3_get_cipher_by_char(). [Patrick McCormick , Bodo Moeller] *) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after the cached sessions are flushed, as the remove_cb() might use ex_data contents. Bug found by Sam Varshavchik (see [openssl.org #212]). [Geoff Thorpe, Lutz Jaenicke] *) Fix typo in OBJ_txt2obj which incorrectly passed the content length, instead of the encoding length to d2i_ASN1_OBJECT. 
[Steve Henson] @ text @d1 1 a1 1 $NetBSD: patch-ah,v 1.4 2003/03/21 18:40:49 seb Exp $ d3 3 a5 1 --- ssl/s3_srvr.c.orig 2002-08-08 21:17:58.000000000 +0000 d7 1 a7 27 @@@@ -1418,7 +1418,7 @@@@ static int ssl3_get_client_key_exchange( if (i != SSL_MAX_MASTER_KEY_LENGTH) { al=SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); + /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */ } if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) @@@@ -1434,30 +1434,29 @@@@ static int ssl3_get_client_key_exchange( (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff)))) { al=SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); - goto f_err; + /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */ + + /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack + * (http://eprint.iacr.org/2003/052/) exploits the version + * number check as a "bad version oracle" -- an alert would + * reveal that the plaintext corresponding to some ciphertext + * made up by the adversary is properly formatted except + * that the version number is wrong. To avoid such attacks, + * we should treat this just like any other decryption error. */ + p[0] = (char)(int) "CAN-2003-0131 patch 2003-03-19"; } } d9 7 a15 23 if (al != -1) { -#if 0 - goto f_err; -#else /* Some decryption failure -- use random value instead as countermeasure * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding - * (see RFC 2246, section 7.4.7.1). - * But note that due to length and protocol version checking, the - * attack is impractical anyway (see section 5 in D. Bleichenbacher: - * "Chosen Ciphertext Attacks Against Protocols Based on the RSA - * Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12). - */ + * (see RFC 2246, section 7.4.7.1). 
*/ ERR_clear_error(); i = SSL_MAX_MASTER_KEY_LENGTH; p[0] = s->client_version >> 8; p[1] = s->client_version & 0xff; RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */ -#endif } s->session->master_key_length= @ 1.4 log @* Add patch from http://www.openssl.org/news/secadv_20030317.txt: Researchers have discovered a timing attack on RSA keys, to which OpenSSL is generally vulnerable, unless RSA blinding has been turned on. Typically, it will not have been, because it is not easily possible to do so when using OpenSSL to provide SSL or TLS. The enclosed patch switches blinding on by default. Applications that wish to can remove the blinding with RSA_blinding_off(), but this is not generally advised. It is also possible to disable it completely by defining OPENSSL_NO_FORCE_RSA_BLINDING at compile-time. The performance impact of blinding appears to be small (a few percent). This problem affects many applications using OpenSSL, in particular, almost all SSL-enabled Apaches. You should rebuild and reinstall OpenSSL, and all affected applications. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0147 to this issue. * Add patch from http://www.openssl.org/news/secadv_20030319.txt: Czech cryptologists Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa have come up with an extension of the "Bleichenbacher attack" on RSA with PKCS #1 v1.5 padding as used in SSL 3.0 and TLS 1.0. Their attack requires the attacker to open millions of SSL/TLS connections to the server under attack; the server's behaviour when faced with specially made-up RSA ciphertexts can reveal information that in effect allows the attacker to perform a single RSA private key operation on a ciphertext of its choice using the server's RSA key. Note that the server's RSA key is not compromised in this attack. * Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD$ @ 1.3 log @Support to build it on Solaris. 
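Review bot: in the @@ -1418,7 +1418,7 @@ hunk the `SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT)` call is turned into a comment while `al=SSL_AD_DECODE_ERROR;` is kept, so the bad-length case still reaches the `if (al != -1)` block below and receives the same random-premaster treatment as every other decryption failure. Since that block calls ERR_clear_error() anyway, the queued error would have been discarded either way; leaving the dead call inside `/* ... */` is harder to read than deleting it and adding one line saying that no error is reported here on purpose, so the length check cannot become a distinguishable error path.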
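Review bot: the substantive change in the @@ -1434,30 +1434,29 @@ hunk is dropping `goto f_err;` on the version-number mismatch, so a wrong version is handled exactly like bad PKCS #1 padding: `al` is set, control falls into `if (al != -1)`, `p[0]`/`p[1]` are set to the client_version bytes, the remainder is filled by RAND_pseudo_bytes(), and the handshake continues with a bogus premaster secret instead of sending an alert. That removes the bad-version oracle described in the new comment and in the 1.4 log. Two things to raise: `p[0] = (char)(int) "CAN-2003-0131 patch 2003-03-19";` is a marker disguised as a statement; it casts a string literal's address to int and then to char, will warn on 64-bit compilers, and is overwritten a few lines later by `p[0] = s->client_version >> 8;`, so it should be a comment, not code. And the comment `/* should be RAND_bytes, but we cannot work around a failure */` is accurate: RAND_pseudo_bytes() can return non-cryptographic output when the PRNG is unseeded, which makes the fake premaster predictable, but failing here instead would reintroduce a distinguishable error path. Removing the old comment that the attack was "impractical anyway" because of the length and version checks is correct; that assumption is exactly what Klima-Pokorny-Rosa broke.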
It would be easier to make that change if we supported patches for one OPSYS but someone removed that from our tree. @ text @d1 1 a1 1 $NetBSD: patch-ah,v 1.2 1999/11/25 18:51:47 erh Exp $ d3 9 a11 5 --- test/Makefile.ssl.orig Thu Aug 5 06:50:18 1999 +++ test/Makefile.ssl Thu Oct 21 00:09:58 1999 @@@@ -17,7 +17,7 @@@@ PEX_LIBS= EX_LIBS= #-lnsl -lsocket d13 19 a31 2 -CFLAGS= $(INCLUDES) $(CFLAG) +CFLAGS= $(INCLUDES) $(CFLAG:N*PIC) d33 23 a55 2 GENERAL=Makefile.ssl maketests.com \ tests.com testenc.com tx509.com trsa.com tcrl.com tsid.com treq.com \ @ 1.2 log @Update openssl to 0.9.4. @ text @d1 1 a1 1 $NetBSD: $ @ 1.1 log @Initial revision @ text @d1 1 a1 1 $NetBSD$ d3 3 a5 3 --- test/Makefile.ssl.orig Tue Apr 27 14:39:30 1999 +++ test/Makefile.ssl Tue Apr 27 14:39:44 1999 @@@@ -15,7 +15,7 @@@@ d12 2 a13 2 GENERAL=Makefile.ssl @ 1.1.1.1 log @Import OpenSSL 0.9.2b pkg, a package which finally updates and fixes many deficiencies in SSLeay. Intended to be a drop-in replacement for SSLeay (and still provides the command-prompt interface as "ssleay"). @ text @@
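Review bot: the `+CFLAGS= $(INCLUDES) $(CFLAG:N*PIC)` line in the test/Makefile.ssl hunk relies on the BSD make `:N` exclusion modifier to strip PIC-related words from CFLAG when building the test programs. That only works when OpenSSL's own Makefiles are run by bmake, as pkgsrc arranges; GNU make does not know the modifier and treats `CFLAG:N*PIC` as a variable name, expanding it to nothing and dropping CFLAG entirely. The patch carries no comment, so a one-line note above the `---` header stating the purpose (test binaries are executables, not shared objects, so PIC flags are unwanted) and the bmake dependency would help the next person who runs into the 1.3 log's complaint about not being able to scope a patch to one OPSYS. Note also that this hunk is the 1.1/1.2 content that 1.3 marks dead; the later revisions of patch-ah reuse the file name for unrelated ssl/ fixes.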