head 1.5; access; symbols pkgsrc-2019Q4:1.4.0.36 pkgsrc-2019Q4-base:1.4 pkgsrc-2019Q3:1.4.0.32 pkgsrc-2019Q3-base:1.4 pkgsrc-2019Q2:1.4.0.30 pkgsrc-2019Q2-base:1.4 pkgsrc-2019Q1:1.4.0.28 pkgsrc-2019Q1-base:1.4 pkgsrc-2018Q4:1.4.0.26 pkgsrc-2018Q4-base:1.4 pkgsrc-2018Q3:1.4.0.24 pkgsrc-2018Q3-base:1.4 pkgsrc-2018Q2:1.4.0.22 pkgsrc-2018Q2-base:1.4 pkgsrc-2018Q1:1.4.0.20 pkgsrc-2018Q1-base:1.4 pkgsrc-2017Q4:1.4.0.18 pkgsrc-2017Q4-base:1.4 pkgsrc-2017Q3:1.4.0.16 pkgsrc-2017Q3-base:1.4 pkgsrc-2017Q2:1.4.0.12 pkgsrc-2017Q2-base:1.4 pkgsrc-2017Q1:1.4.0.10 pkgsrc-2017Q1-base:1.4 pkgsrc-2016Q4:1.4.0.8 pkgsrc-2016Q4-base:1.4 pkgsrc-2016Q3:1.4.0.6 pkgsrc-2016Q3-base:1.4 pkgsrc-2016Q2:1.4.0.4 pkgsrc-2016Q2-base:1.4 pkgsrc-2016Q1:1.4.0.2 pkgsrc-2016Q1-base:1.4 pkgsrc-2015Q4:1.3.0.2 pkgsrc-2015Q4-base:1.3 pkgsrc-2015Q3:1.2.0.12 pkgsrc-2015Q3-base:1.2 pkgsrc-2015Q2:1.2.0.10 pkgsrc-2015Q2-base:1.2 pkgsrc-2015Q1:1.2.0.8 pkgsrc-2015Q1-base:1.2 pkgsrc-2014Q4:1.2.0.6 pkgsrc-2014Q4-base:1.2 pkgsrc-2014Q3:1.2.0.4 pkgsrc-2014Q3-base:1.2 pkgsrc-2014Q2:1.2.0.2 pkgsrc-2014Q2-base:1.2 pkgsrc-2014Q1:1.1.0.2; locks; strict; comment @# @; 1.5 date 2020.01.16.13.30.29; author jperkin; state dead; branches; next 1.4; commitid zq0ZOUbUvYRrVUSB; 1.4 date 2016.01.28.16.30.43; author jperkin; state Exp; branches; next 1.3; commitid dTNjVbQoAJnUyISy; 1.3 date 2015.12.08.16.53.32; author jperkin; state Exp; branches; next 1.2; commitid C3nJe2zFfvyKkaMy; 1.2 date 2014.05.13.02.23.11; author rodent; state Exp; branches; next 1.1; commitid QFZ8cokjTyXXXjAx; 1.1 date 2014.04.02.12.11.35; author he; state Exp; branches 1.1.2.1; next ; commitid g3YIpigZLUt5x6vx; 1.1.2.1 date 2014.04.02.12.11.35; author tron; state dead; branches; next 1.1.2.2; commitid znq8PwHLRSRRFRvx; 1.1.2.2 date 2014.04.08.10.09.26; author tron; state Exp; branches; next 1.1.2.3; commitid znq8PwHLRSRRFRvx; 1.1.2.3 date 2014.06.05.13.20.18; author tron; state Exp; branches; next ; commitid rYQdXVHE8mUKRkDx; desc @@ 1.5 log @openssl: Update to 1.1.1d. This is a major upgrade to the current LTS release. 1.0.2 and 1.1.0 are now out of support and should not be used. pkgsrc changes include a large cleanup of patches and targets, many of which were clearly bogus, for example a CONFLICTS entry against a package that has never existed, and one that was removed in 1999. Tested on SmartOS, macOS, and NetBSD. Used for the SmartOS pkgsrc-2019Q4 LTS release. There are far too many individual changes to list, so the following text is instead taken from the 1.1.1 blog announcement: -------------------------------------------------------------------------- After two years of work we are excited to be releasing our latest version today - OpenSSL 1.1.1. This is also our new Long Term Support (LTS) version and so we are committing to support it for at least five years. OpenSSL 1.1.1 has been a huge team effort with nearly 5000 commits having been made from over 200 individual contributors since the release of OpenSSL 1.1.0. These statistics just illustrate the amazing vitality and diversity of the OpenSSL community. The contributions didn't just come in the form of commits though. There has been a great deal of interest in this new version so thanks needs to be extended to the large number of users who have downloaded the beta releases to test them out and report bugs. The headline new feature is TLSv1.3. This new version of the Transport Layer Security (formerly known as SSL) protocol was published by the IETF just one month ago as RFC8446. This is a major rewrite of the standard and introduces significant changes, features and improvements which have been reflected in the new OpenSSL version. What's more is that OpenSSL 1.1.1 is API and ABI compliant with OpenSSL 1.1.0 so most applications that work with 1.1.0 can gain many of the benefits of TLSv1.3 simply by dropping in the new OpenSSL version. Since TLSv1.3 works very differently to TLSv1.2 though there are a few caveats that may impact a minority of applications. See the TLSv1.3 page on the OpenSSL wiki for more details. Some of the benefits of TLSv1.3 include: * Improved connection times due to a reduction in the number of round trips required between the client and server * The ability, in certain circumstances, for clients to start sending encrypted data to the server straight away without any round trips with the server required (a feature known as 0-RTT or “early data”). * Improved security due to the removal of various obsolete and insecure cryptographic algorithms and encryption of more of the connection handshake Other features in the 1.1.1 release include: * Complete rewrite of the OpenSSL random number generator to introduce the following capabilities: * The default RAND method now utilizes an AES-CTR DRBG according to NIST standard SP 800-90Ar1. * Support for multiple DRBG instances with seed chaining. * There is a public and private DRBG instance. * The DRBG instances are fork-safe. * Keep all global DRBG instances on the secure heap if it is enabled. * The public and private DRBG instance are per thread for lock free operation * Support for various new cryptographic algorithms including: * SHA3 * SHA512/224 and SHA512/256 * EdDSA (including Ed25519 and Ed448) * X448 (adding to the existing X25519 support in 1.1.0) * Multi-prime RSA * SM2 * SM3 * SM4 * SipHash * ARIA (including TLS support) * Signficant Side-Channel attack security improvements * Maximum Fragment Length TLS extension support * A new STORE module, which implements a uniform and URI based reader of stores that can contain keys, certificates, CRLs and numerous other objects. Since 1.1.1 is our new LTS release we are strongly advising all users to upgrade as soon as possible. For most applications this should be straight forward if they are written to work with OpenSSL 1.1.0. Since OpenSSL 1.1.0 is not an LTS release it will start receiving security fixes only with immediate affect as per our previous announcement and as published in our release strategy. It will cease receiving all support in one years time. Our previous LTS release (OpenSSL 1.0.2) will continue to receive full support until the end of this year. After that it will receive security fixes only. It will stop receiving all support at the end of 2019. Users of that release are strongly advised to upgrade to OpenSSL 1.1.1. @ text @$NetBSD: patch-tools_Makefile,v 1.4 2016/01/28 16:30:43 jperkin Exp $ Adjust build procedure. --- tools/Makefile.orig 2016-01-28 13:38:31.000000000 +0000 +++ tools/Makefile @@@@ -4,6 +4,7 @@@@ DIR= tools TOP= .. +EXAMPLEDIR= $(INSTALLTOP)/share/examples/openssl CC= cc INCLUDES= -I$(TOP) -I../../include CFLAG=-g @@@@ -28,9 +29,9 @@@@ install: done; @@for i in $(MISC_APPS) ; \ do \ - (cp $$i $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \ - chmod 755 $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \ - mv -f $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i ); \ + (cp $$i $(INSTALL_PREFIX)$(EXAMPLEDIR)/$$i.new; \ + chmod 755 $(INSTALL_PREFIX)$(EXAMPLEDIR)/$$i.new; \ + mv -f $(INSTALL_PREFIX)$(EXAMPLEDIR)/$$i.new $(INSTALL_PREFIX)$(EXAMPLEDIR)/$$i ); \ done; files: @ 1.4 log @Update security/openssl to version 1.0.2f. Changes between 1.0.2e and 1.0.2f [28 Jan 2016] *) DH small subgroups Historically OpenSSL only ever generated DH parameters based on "safe" primes. More recently (in version 1.0.2) support was provided for generating X9.42 style parameter files such as those required for RFC 5114 support. The primes used in such files may not be "safe". Where an application is using DH configured with parameters based on primes that are not "safe" then an attacker could use this fact to find a peer's private DH exponent. This attack requires that the attacker complete multiple handshakes in which the peer uses the same private DH exponent. For example this could be used to discover a TLS server's private DH exponent if it's reusing the private DH exponent or it's using a static DH ciphersuite. OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS. It is not on by default. If the option is not set then the server reuses the same private DH exponent for the life of the server process and would be vulnerable to this attack. It is believed that many popular applications do set this option and would therefore not be at risk. The fix for this issue adds an additional check where a "q" parameter is available (as is the case in X9.42 based parameters). This detects the only known attack, and is the only possible defense for static DH ciphersuites. This could have some performance impact. Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by default and cannot be disabled. This could have some performance impact. This issue was reported to OpenSSL by Antonio Sanso (Adobe). (CVE-2016-0701) [Matt Caswell] *) SSLv2 doesn't block disabled ciphers A malicious client can negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes even if all SSLv2 ciphers have been disabled, provided that the SSLv2 protocol was not also disabled via SSL_OP_NO_SSLv2. This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram and Sebastian Schinzel. (CVE-2015-3197) [Viktor Dukhovni] *) Reject DH handshakes with parameters shorter than 1024 bits. [Kurt Roeckx] @ text @d1 1 a1 1 $NetBSD: patch-tools_Makefile,v 1.3 2015/12/08 16:53:32 jperkin Exp $ @ 1.3 log @Regenerate patches. @ text @d1 1 a1 1 $NetBSD: patch-tools_Makefile,v 1.2 2014/05/13 02:23:11 rodent Exp $ d5 1 a5 1 --- tools/Makefile.orig 2015-12-03 14:04:23.000000000 +0000 @ 1.2 log @Fix build on OpenBSD/sparc64. Defuzz patches (sorry if this is annoying). @ text @d1 1 a1 1 $NetBSD: patch-tools_Makefile,v 1.1 2014/04/02 12:11:35 he Exp $ d5 1 a5 1 --- tools/Makefile.orig Mon Mar 17 16:14:20 2014 @ 1.1 log @Rename all remaining patch-?? files using the newer naming convention. Add a fix for CVE-2014-0076: Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" by Yuval Yarom and Naomi Benger. Details can be obtained from: http://eprint.iacr.org/2014/140 Thanks to Yuval Yarom and Naomi Benger for discovering this flaw and to Yuval Yarom for supplying a fix. Fix from culled from http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=2198be3483259de374f91e57d247d0fc667aef29 Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD: patch-ae,v 1.8 2008/01/17 06:42:48 tnn Exp $ d5 2 a6 2 --- tools/Makefile.orig 2006-02-04 02:49:36.000000000 +0100 +++ tools/Makefile 2007-07-31 17:20:05.000000000 +0200 @ 1.1.2.1 log @file patch-tools_Makefile was added on branch pkgsrc-2014Q1 on 2014-04-08 10:09:26 +0000 @ text @d1 27 @ 1.1.2.2 log @Pullup ticket #4359 - requested by obache security/openssl: security update Revisions pulled up: - security/openssl/Makefile 1.186-1.188 - security/openssl/distinfo 1.103-1.104 - security/openssl/patches/patch-Configure 1.1 - security/openssl/patches/patch-Makefile.org 1.1 - security/openssl/patches/patch-Makefile.shared 1.1 - security/openssl/patches/patch-aa deleted - security/openssl/patches/patch-ac deleted - security/openssl/patches/patch-ad deleted - security/openssl/patches/patch-ae deleted - security/openssl/patches/patch-af deleted - security/openssl/patches/patch-ag deleted - security/openssl/patches/patch-ak deleted - security/openssl/patches/patch-apps_Makefile 1.1 - security/openssl/patches/patch-config 1.1 - security/openssl/patches/patch-crypto_bn_bn__prime.pl 1.1 - security/openssl/patches/patch-tools_Makefile 1.1 --- Module Name: pkgsrc Committed By: he Date: Wed Apr 2 12:11:35 UTC 2014 Modified Files: pkgsrc/security/openssl: Makefile distinfo Added Files: pkgsrc/security/openssl/patches: patch-Configure patch-Makefile.org patch-Makefile.shared patch-apps_Makefile patch-config patch-crypto_bn_bn.h patch-crypto_bn_bn__lib.c patch-crypto_bn_bn__prime.pl patch-crypto_ec_ec2__mult.c patch-tools_Makefile Removed Files: pkgsrc/security/openssl/patches: patch-aa patch-ac patch-ad patch-ae patch-af patch-ag patch-ak Log Message: Rename all remaining patch-?? files using the newer naming convention. Add a fix for CVE-2014-0076: Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" by Yuval Yarom and Naomi Benger. Details can be obtained from: http://eprint.iacr.org/2014/140 Thanks to Yuval Yarom and Naomi Benger for discovering this flaw and to Yuval Yarom for supplying a fix. Fix from culled from http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=2198be3483259de374f 91e57d247d0fc667aef29 Bump PKGREVISION. --- Module Name: pkgsrc Committed By: obache Date: Tue Apr 8 02:48:38 UTC 2014 Modified Files: pkgsrc/security/openssl: Makefile Log Message: p5-Perl4-CoreLibs is not required for perl<5.16 --- Module Name: pkgsrc Committed By: obache Date: Tue Apr 8 06:20:44 UTC 2014 Modified Files: pkgsrc/security/openssl: Makefile distinfo Removed Files: pkgsrc/security/openssl/patches: patch-crypto_bn_bn.h patch-crypto_bn_bn__lib.c patch-crypto_ec_ec2__mult.c Log Message: Update openssl to 1.0.1g. (CVE-2014-0076 is already fixed in pkgsrc). OpenSSL CHANGES _______________ Changes between 1.0.1f and 1.0.1g [7 Apr 2014] *) A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley and Bodo Moeller for preparing the fix (CVE-2014-0160) [Adam Langley, Bodo Moeller] *) Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" by Yuval Yarom and Naomi Benger. Details can be obtained from: http://eprint.iacr.org/2014/140 Thanks to Yuval Yarom and Naomi Benger for discovering this flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076) [Yuval Yarom and Naomi Benger] *) TLS pad extension: draft-agl-tls-padding-03 Workaround for the "TLS hang bug" (see FAQ and opensslPR#2771): if the TLS client Hello record length value would otherwise be > 255 and less that 512 pad with a dummy extension containing zeroes so it is at least 512 bytes long. [Adam Langley, Steve Henson] @ text @a0 27 $NetBSD$ Adjust build procedure. --- tools/Makefile.orig 2006-02-04 02:49:36.000000000 +0100 +++ tools/Makefile 2007-07-31 17:20:05.000000000 +0200 @@@@ -4,6 +4,7 @@@@ DIR= tools TOP= .. +EXAMPLEDIR= $(INSTALLTOP)/share/examples/openssl CC= cc INCLUDES= -I$(TOP) -I../../include CFLAG=-g @@@@ -28,9 +29,9 @@@@ install: done; @@for i in $(MISC_APPS) ; \ do \ - (cp $$i $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \ - chmod 755 $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \ - mv -f $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i ); \ + (cp $$i $(INSTALL_PREFIX)$(EXAMPLEDIR)/$$i.new; \ + chmod 755 $(INSTALL_PREFIX)$(EXAMPLEDIR)/$$i.new; \ + mv -f $(INSTALL_PREFIX)$(EXAMPLEDIR)/$$i.new $(INSTALL_PREFIX)$(EXAMPLEDIR)/$$i ); \ done; files: @ 1.1.2.3 log @Pullup ticket #4431 - requested by wiz security/openssl: security update Revisions pulled up: - security/openssl/Makefile 1.193 - security/openssl/builtin.mk 1.42 - security/openssl/distinfo 1.106-1.107 - security/openssl/patches/patch-Configure 1.2 - security/openssl/patches/patch-Makefile.org 1.2 - security/openssl/patches/patch-Makefile.shared 1.2 - security/openssl/patches/patch-apps_Makefile 1.2 - security/openssl/patches/patch-config 1.2 - security/openssl/patches/patch-crypto_bn_bn__prime.pl 1.2 - security/openssl/patches/patch-crypto_des_Makefile 1.1 - security/openssl/patches/patch-crypto_dso_dso__dlfcn.c 1.2 - security/openssl/patches/patch-doc_apps_cms.pod deleted - security/openssl/patches/patch-doc_apps_smine.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__COMP__add__compression__method.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__CTX__add__session.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__CTX__load__verify__locations.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__CTX__set__client__CA__list.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__CTX__set__session__id__context.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__CTX__set__ssl__version.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__CTX__use__psk__identity__hint.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__accept.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__clear.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__connect.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__do__handshake.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__read.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__session__reused.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__set__fd.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__set__session.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__shutdown.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__write.pod deleted - security/openssl/patches/patch-engines_ccgost_Makefile 1.2 - security/openssl/patches/patch-tools_Makefile 1.2 --- Module Name: pkgsrc Committed By: rodent Date: Tue May 13 02:23:11 UTC 2014 Modified Files: pkgsrc/security/openssl: distinfo pkgsrc/security/openssl/patches: patch-Configure patch-Makefile.org patch-Makefile.shared patch-apps_Makefile patch-config patch-crypto_bn_bn__prime.pl patch-crypto_dso_dso__dlfcn.c patch-doc_apps_cms.pod patch-doc_apps_smine.pod patch-doc_ssl_SSL__COMP__add__compression__method.pod patch-doc_ssl_SSL__CTX__add__session.pod patch-doc_ssl_SSL__CTX__load__verify__locations.pod patch-doc_ssl_SSL__CTX__set__client__CA__list.pod patch-doc_ssl_SSL__CTX__set__session__id__context.pod patch-doc_ssl_SSL__CTX__set__ssl__version.pod patch-doc_ssl_SSL__CTX__use__psk__identity__hint.pod patch-doc_ssl_SSL__accept.pod patch-doc_ssl_SSL__clear.pod patch-doc_ssl_SSL__connect.pod patch-doc_ssl_SSL__do__handshake.pod patch-doc_ssl_SSL__read.pod patch-doc_ssl_SSL__session__reused.pod patch-doc_ssl_SSL__set__fd.pod patch-doc_ssl_SSL__set__session.pod patch-doc_ssl_SSL__shutdown.pod patch-doc_ssl_SSL__write.pod patch-engines_ccgost_Makefile patch-tools_Makefile Added Files: pkgsrc/security/openssl/patches: patch-crypto_des_Makefile Log Message: Fix build on OpenBSD/sparc64. Defuzz patches (sorry if this is annoying). --- Module Name: pkgsrc Committed By: wiz Date: Thu Jun 5 12:16:06 UTC 2014 Modified Files: pkgsrc/security/openssl: Makefile builtin.mk distinfo Removed Files: pkgsrc/security/openssl/patches: patch-doc_apps_cms.pod patch-doc_apps_smine.pod patch-doc_ssl_SSL__COMP__add__compression__method.pod patch-doc_ssl_SSL__CTX__add__session.pod patch-doc_ssl_SSL__CTX__load__verify__locations.pod patch-doc_ssl_SSL__CTX__set__client__CA__list.pod patch-doc_ssl_SSL__CTX__set__session__id__context.pod patch-doc_ssl_SSL__CTX__set__ssl__version.pod patch-doc_ssl_SSL__CTX__use__psk__identity__hint.pod patch-doc_ssl_SSL__accept.pod patch-doc_ssl_SSL__clear.pod patch-doc_ssl_SSL__connect.pod patch-doc_ssl_SSL__do__handshake.pod patch-doc_ssl_SSL__read.pod patch-doc_ssl_SSL__session__reused.pod patch-doc_ssl_SSL__set__fd.pod patch-doc_ssl_SSL__set__session.pod patch-doc_ssl_SSL__shutdown.pod patch-doc_ssl_SSL__write.pod Log Message: Update to 1.0.1h: Major changes between OpenSSL 1.0.1g and OpenSSL 1.0.1h [5 Jun 2014] o Fix for CVE-2014-0224 o Fix for CVE-2014-0221 o Fix for CVE-2014-0195 o Fix for CVE-2014-3470 o Fix for CVE-2010-5298 @ text @d5 2 a6 2 --- tools/Makefile.orig Mon Mar 17 16:14:20 2014 +++ tools/Makefile @