head 1.7; access; symbols pkgsrc-2014Q1:1.6.0.54 pkgsrc-2014Q1-base:1.6 pkgsrc-2013Q4:1.6.0.52 pkgsrc-2013Q4-base:1.6 pkgsrc-2013Q3:1.6.0.50 pkgsrc-2013Q3-base:1.6 pkgsrc-2013Q2:1.6.0.48 pkgsrc-2013Q2-base:1.6 pkgsrc-2013Q1:1.6.0.46 pkgsrc-2013Q1-base:1.6 pkgsrc-2012Q4:1.6.0.44 pkgsrc-2012Q4-base:1.6 pkgsrc-2012Q3:1.6.0.42 pkgsrc-2012Q3-base:1.6 pkgsrc-2012Q2:1.6.0.40 pkgsrc-2012Q2-base:1.6 pkgsrc-2012Q1:1.6.0.38 pkgsrc-2012Q1-base:1.6 pkgsrc-2011Q4:1.6.0.36 pkgsrc-2011Q4-base:1.6 pkgsrc-2011Q3:1.6.0.34 pkgsrc-2011Q3-base:1.6 pkgsrc-2011Q2:1.6.0.32 pkgsrc-2011Q2-base:1.6 pkgsrc-2011Q1:1.6.0.30 pkgsrc-2011Q1-base:1.6 pkgsrc-2010Q4:1.6.0.28 pkgsrc-2010Q4-base:1.6 pkgsrc-2010Q3:1.6.0.26 pkgsrc-2010Q3-base:1.6 pkgsrc-2010Q2:1.6.0.24 pkgsrc-2010Q2-base:1.6 pkgsrc-2010Q1:1.6.0.22 pkgsrc-2010Q1-base:1.6 pkgsrc-2009Q4:1.6.0.20 pkgsrc-2009Q4-base:1.6 pkgsrc-2009Q3:1.6.0.18 pkgsrc-2009Q3-base:1.6 pkgsrc-2009Q2:1.6.0.16 pkgsrc-2009Q2-base:1.6 pkgsrc-2009Q1:1.6.0.14 pkgsrc-2009Q1-base:1.6 pkgsrc-2008Q4:1.6.0.12 pkgsrc-2008Q4-base:1.6 pkgsrc-2008Q3:1.6.0.10 pkgsrc-2008Q3-base:1.6 cube-native-xorg:1.6.0.8 cube-native-xorg-base:1.6 pkgsrc-2008Q2:1.6.0.6 pkgsrc-2008Q2-base:1.6 cwrapper:1.6.0.4 pkgsrc-2008Q1:1.6.0.2 pkgsrc-2008Q1-base:1.6 pkgsrc-2007Q4:1.5.0.30 pkgsrc-2007Q4-base:1.5 pkgsrc-2007Q3:1.5.0.28 pkgsrc-2007Q3-base:1.5 pkgsrc-2007Q2:1.5.0.26 pkgsrc-2007Q2-base:1.5 pkgsrc-2007Q1:1.5.0.24 pkgsrc-2007Q1-base:1.5 pkgsrc-2006Q4:1.5.0.22 pkgsrc-2006Q4-base:1.5 pkgsrc-2006Q3:1.5.0.20 pkgsrc-2006Q3-base:1.5 pkgsrc-2006Q2:1.5.0.18 pkgsrc-2006Q2-base:1.5 pkgsrc-2006Q1:1.5.0.16 pkgsrc-2006Q1-base:1.5 pkgsrc-2005Q4:1.5.0.14 pkgsrc-2005Q4-base:1.5 pkgsrc-2005Q3:1.5.0.12 pkgsrc-2005Q3-base:1.5 pkgsrc-2005Q2:1.5.0.10 pkgsrc-2005Q2-base:1.5 pkgsrc-2005Q1:1.5.0.8 pkgsrc-2005Q1-base:1.5 pkgsrc-2004Q4:1.5.0.6 pkgsrc-2004Q4-base:1.5 pkgsrc-2004Q3:1.5.0.4 pkgsrc-2004Q3-base:1.5 pkgsrc-2004Q2:1.5.0.2 pkgsrc-2004Q2-base:1.5 pkgsrc-2004Q1:1.4.0.4 pkgsrc-2004Q1-base:1.4 pkgsrc-2003Q4:1.4.0.2 pkgsrc-2003Q4-base:1.4 buildlink2-base:1.2 netbsd-1-4-PATCH002:1.1; locks; strict; comment @# @; 1.7 date 2014.04.02.12.11.35; author he; state dead; branches; next 1.6; commitid g3YIpigZLUt5x6vx; 1.6 date 2008.01.17.06.42.49; author tnn; state Exp; branches 1.6.54.1; next 1.5; 1.5 date 2004.03.29.13.49.42; author seb; state Exp; branches; next 1.4; 1.4 date 2003.09.10.01.57.07; author jlam; state dead; branches; next 1.3; 1.3 date 2003.08.25.16.34.02; author jschauma; state Exp; branches; next 1.2; 1.2 date 2000.03.18.17.41.45; author fredb; state dead; branches; next 1.1; 1.1 date 99.11.25.18.51.47; author erh; state Exp; branches; next ; 1.6.54.1 date 2014.04.08.10.09.26; author tron; state dead; branches; next ; commitid znq8PwHLRSRRFRvx; desc @@ 1.7 log @Rename all remaining patch-?? files using the newer naming convention. Add a fix for CVE-2014-0076: Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" by Yuval Yarom and Naomi Benger. Details can be obtained from: http://eprint.iacr.org/2014/140 Thanks to Yuval Yarom and Naomi Benger for discovering this flaw and to Yuval Yarom for supplying a fix. Fix from culled from http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=2198be3483259de374f91e57d247d0fc667aef29 Bump PKGREVISION. @ text @$NetBSD: patch-ak,v 1.6 2008/01/17 06:42:49 tnn Exp $ --- crypto/bn/bn_prime.pl.orig 2003-09-25 15:57:58.000000000 +0200 +++ crypto/bn/bn_prime.pl 2007-07-31 17:53:39.000000000 +0200 @@@@ -1,6 +1,8 @@@@ #!/usr/local/bin/perl # bn_prime.pl +use POSIX; + $num=2048; $num=$ARGV[0] if ($#ARGV >= 0); @@@@ -9,7 +11,7 @@@@ $p=1; loop: while ($#primes < $num-1) { $p+=2; - $s=int(sqrt($p)); + $s=floor(sqrt($p)); for ($i=0; defined($primes[$i]) && $primes[$i]<=$s; $i++) { @ 1.6 log @Update to openssl-0.9.8g. Provided by Jukka Salmi in pkgsrc-wip. pkgsrc notes: o Tested on NetBSD/i386 (Jukka Salmi), Mac OSX 10.5 (Adrian Portelli), Linux (Jeremy C. Reed), Tru64 5.1b (tnn), HP-UX 11i (tnn). Because the Makefile system has been rewamped, other platforms may require fixes. Please test if you can. o OpenSSL can now be built with installation to DESTDIR. Overview of important changes since 0.9.7i: o Add gcc 4.2 support. o DTLS improvements. o RFC4507bis support. o TLS Extensions support. o RFC3779 support. o New cipher Camellia o Updated ECC cipher suite support. o New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free(). o Zlib compression usage fixes. o Major work on the BIGNUM library for higher efficiency and to make operations more streamlined and less contradictory. This is the result of a major audit of the BIGNUM library. o Addition of BIGNUM functions for fields GF(2^m) and NIST curves, to support the Elliptic Crypto functions. o Major work on Elliptic Crypto; ECDH and ECDSA added, including the use through EVP, X509 and ENGINE. o New ASN.1 mini-compiler that's usable through the OpenSSL configuration file. o Added support for ASN.1 indefinite length constructed encoding. o New PKCS#12 'medium level' API to manipulate PKCS#12 files. o Complete rework of shared library construction and linking programs with shared or static libraries, through a separate Makefile.shared. o Rework of the passing of parameters from one Makefile to another. o Changed ENGINE framework to load dynamic engine modules automatically from specifically given directories. o New structure and ASN.1 functions for CertificatePair. o Changed the key-generation and primality testing "progress" mechanism to take a structure that contains the ticker function and an argument. o New engine module: GMP (performs private key exponentiation). o New engine module: VIA PadLOck ACE extension in VIA C3 Nehemiah processors. o Added support for IPv6 addresses in certificate extensions. See RFC 1884, section 2.2. o Added support for certificate policy mappings, policy constraints and name constraints. o Added support for multi-valued AVAs in the OpenSSL configuration file. o Added support for multiple certificates with the same subject in the 'openssl ca' index file. o Make it possible to create self-signed certificates using 'openssl ca -selfsign'. o Make it possible to generate a serial number file with 'openssl ca -create_serial'. o New binary search functions with extended functionality. o New BUF functions. o New STORE structure and library to provide an interface to all sorts of data repositories. Supports storage of public and private keys, certificates, CRLs, numbers and arbitrary blobs. This library is unfortunately unfinished and unused withing OpenSSL. o New control functions for the error stack. o Changed the PKCS#7 library to support one-pass S/MIME processing. o New FIPS 180-2 algorithms (SHA-224, -256, -384 and -512). o New X509_VERIFY_PARAM structure to support parametrisation of X.509 path validation. o Change the default digest in 'openssl' commands from MD5 to SHA-1. o Added support for DTLS. o New BIGNUM blinding. o Added support for the RSA-PSS encryption scheme o Added support for the RSA X.931 padding. o Added support for files larger than 2GB. o Added alternate pkg-config files. @ text @d1 1 a1 1 $NetBSD$ @ 1.6.54.1 log @Pullup ticket #4359 - requested by obache security/openssl: security update Revisions pulled up: - security/openssl/Makefile 1.186-1.188 - security/openssl/distinfo 1.103-1.104 - security/openssl/patches/patch-Configure 1.1 - security/openssl/patches/patch-Makefile.org 1.1 - security/openssl/patches/patch-Makefile.shared 1.1 - security/openssl/patches/patch-aa deleted - security/openssl/patches/patch-ac deleted - security/openssl/patches/patch-ad deleted - security/openssl/patches/patch-ae deleted - security/openssl/patches/patch-af deleted - security/openssl/patches/patch-ag deleted - security/openssl/patches/patch-ak deleted - security/openssl/patches/patch-apps_Makefile 1.1 - security/openssl/patches/patch-config 1.1 - security/openssl/patches/patch-crypto_bn_bn__prime.pl 1.1 - security/openssl/patches/patch-tools_Makefile 1.1 --- Module Name: pkgsrc Committed By: he Date: Wed Apr 2 12:11:35 UTC 2014 Modified Files: pkgsrc/security/openssl: Makefile distinfo Added Files: pkgsrc/security/openssl/patches: patch-Configure patch-Makefile.org patch-Makefile.shared patch-apps_Makefile patch-config patch-crypto_bn_bn.h patch-crypto_bn_bn__lib.c patch-crypto_bn_bn__prime.pl patch-crypto_ec_ec2__mult.c patch-tools_Makefile Removed Files: pkgsrc/security/openssl/patches: patch-aa patch-ac patch-ad patch-ae patch-af patch-ag patch-ak Log Message: Rename all remaining patch-?? files using the newer naming convention. Add a fix for CVE-2014-0076: Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" by Yuval Yarom and Naomi Benger. Details can be obtained from: http://eprint.iacr.org/2014/140 Thanks to Yuval Yarom and Naomi Benger for discovering this flaw and to Yuval Yarom for supplying a fix. Fix from culled from http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=2198be3483259de374f 91e57d247d0fc667aef29 Bump PKGREVISION. --- Module Name: pkgsrc Committed By: obache Date: Tue Apr 8 02:48:38 UTC 2014 Modified Files: pkgsrc/security/openssl: Makefile Log Message: p5-Perl4-CoreLibs is not required for perl<5.16 --- Module Name: pkgsrc Committed By: obache Date: Tue Apr 8 06:20:44 UTC 2014 Modified Files: pkgsrc/security/openssl: Makefile distinfo Removed Files: pkgsrc/security/openssl/patches: patch-crypto_bn_bn.h patch-crypto_bn_bn__lib.c patch-crypto_ec_ec2__mult.c Log Message: Update openssl to 1.0.1g. (CVE-2014-0076 is already fixed in pkgsrc). OpenSSL CHANGES _______________ Changes between 1.0.1f and 1.0.1g [7 Apr 2014] *) A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley and Bodo Moeller for preparing the fix (CVE-2014-0160) [Adam Langley, Bodo Moeller] *) Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" by Yuval Yarom and Naomi Benger. Details can be obtained from: http://eprint.iacr.org/2014/140 Thanks to Yuval Yarom and Naomi Benger for discovering this flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076) [Yuval Yarom and Naomi Benger] *) TLS pad extension: draft-agl-tls-padding-03 Workaround for the "TLS hang bug" (see FAQ and opensslPR#2771): if the TLS client Hello record length value would otherwise be > 255 and less that 512 pad with a dummy extension containing zeroes so it is at least 512 bytes long. [Adam Langley, Steve Henson] @ text @d1 1 a1 1 $NetBSD: patch-ak,v 1.6 2008/01/17 06:42:49 tnn Exp $ @ 1.5 log @Fix build on NetBSD sparc64 with perl 5.8. usage of perl's int() causes trouble with perl 5.8.3 (5.8*?) on at least NetBSD sparc64/1.6.2. The perl script openssl-0.9.6m/crypto/bn/bn_prime.pl uses the perl function int() to truncate the return of sqrt() function. On the above mentioned platform this leads to execution error: ... /usr/pkg/bin/perl bn_prime.pl >bn_prime.h Illegal modulus zero at bn_prime.pl line 16. Tracing the problem I've found that this int() usage may be the key of the problem. Please note the following: $ uname -srm; perl -v | grep 'This is perl'; perl -e 'print int(sqrt(3)),"\n"' NetBSD 1.6.2 sparc64 This is perl, v5.8.3 built for sparc64-netbsd 2 And... $ uname -srm; perl -v | grep 'This is perl'; perl -e 'print int(sqrt(3)),"\n"' NetBSD 1.6.2 sparc64 This is perl, v5.6.1 built for sparc64-netbsd 1 Also note that perlfunc(3) warns about int() used for rounding and recommends to use sprintf, printf, POSIX::floor or POSIX::ceil when applicable. My workaround is to use POSIX::floor() instead of int(). @ text @d3 2 a4 2 --- crypto/bn/bn_prime.pl.orig Wed Feb 16 13:24:06 2000 +++ crypto/bn/bn_prime.pl d21 1 a21 1 for ($i=0; $primes[$i]<=$s; $i++) @ 1.4 log @Back out the make -> @@MAKE@@ -> ${MAKE} changes since we workaround the bare "make" problem using tools.mk. @ text @d1 1 a1 1 $NetBSD: patch-ak,v 1.3 2003/08/25 16:34:02 jschauma Exp $ d3 20 a22 11 --- crypto/Makefile.ssl.orig Sun Aug 24 15:29:26 2003 +++ crypto/Makefile.ssl Sun Aug 24 15:29:39 2003 @@@@ -11,7 +11,7 @@@@ INSTALL_PREFIX= OPENSSLDIR= /usr/local/ssl INSTALLTOP= /usr/local/ssl -MAKE= make -f Makefile.ssl +MAKE= @@MAKE@@ -f Makefile.ssl MAKEDEPEND= $(TOP)/util/domd $(TOP) MAKEFILE= Makefile.ssl RM= rm -f @ 1.3 log @Several of the Makefile used in this package call 'make' directly. If an operating system does not have a 'make' (ie only bmake), or if the OS supplied 'make' is sufficiently broken (Irix), this will cause the build to fail (interestingly enough apparently only if build as a dependency, not if build from this directory). Patch Makefiles to use @@MAKE@@, which then, after patching, is substituted with the actual ${MAKE} (can't use "MAKE= ${MAKE} -f Makefile.ssl"). While here, tweak Irix configure a bit. @ text @d1 1 a1 1 $NetBSD: $ @ 1.2 log @Make this compile on m68k. Old m68k hack for bin_div.c is broken for OpenSSL-0.94, but that's OK, because it's evidently no longer needed. @ text @d1 1 a1 1 $NetBSD: patch-ak,v 1.1 1999/11/25 18:51:47 erh Exp $ d3 11 a13 11 --- crypto/bn/bn_div.c.orig Tue Aug 3 05:18:27 1999 +++ crypto/bn/bn_div.c Wed Oct 20 17:12:41 1999 @@@@ -62,7 +62,7 @@@@ #include "bn_lcl.h" /* The old slow way */ -#if 0 +#if defined(__NetBSD__) && defined(__m68k__) && (__GNUC_MINOR__ == 91) int BN_div(BIGNUM *dv, BIGNUM *rem, BIGNUM *m, BIGNUM *d, BN_CTX *ctx) { int i,nm,nd; @ 1.1 log @Update openssl to 0.9.4. @ text @d1 1 a1 1 $NetBSD: $ @