head 1.15; access; symbols pkgsrc-2015Q1:1.10.0.2 pkgsrc-2015Q1-base:1.10 pkgsrc-2014Q4:1.6.0.2 pkgsrc-2014Q4-base:1.6 pkgsrc-2014Q3:1.5.0.2 pkgsrc-2014Q3-base:1.5 pkgsrc-2014Q2:1.4.0.2 pkgsrc-2014Q2-base:1.4 pkgsrc-2014Q1:1.3.0.6 pkgsrc-2014Q1-base:1.3 pkgsrc-2013Q4:1.3.0.4 pkgsrc-2013Q4-base:1.3 pkgsrc-2013Q3:1.3.0.2 pkgsrc-2013Q3-base:1.3 pkgsrc-2013Q2:1.2.0.2 pkgsrc-2013Q2-base:1.2 pkgsrc-2013Q1:1.1.0.4 pkgsrc-2013Q1-base:1.1 pkgsrc-2012Q4:1.1.0.2 pkgsrc-2012Q4-base:1.1; locks; strict; comment @# @; 1.15 date 2015.06.14.17.42.50; author fhajny; state dead; branches; next 1.14; commitid NDHxeSLWwC2piqpy; 1.14 date 2015.06.12.10.51.10; author wiz; state Exp; branches; next 1.13; commitid B4JmCfaVUbiY38py; 1.13 date 2015.04.06.04.33.45; author rodent; state Exp; branches; next 1.12; commitid ME33mzN17X5d9ugy; 1.12 date 2015.04.06.04.18.52; author rodent; state Exp; branches; next 1.11; commitid RDqt7Z0UBmH94ugy; 1.11 date 2015.04.06.04.00.34; author rodent; state Exp; branches; next 1.10; commitid CU8IafywrZaNXtgy; 1.10 date 2015.03.29.22.25.20; author jperkin; state Exp; branches; next 1.9; commitid Jx3y7hCjeQEOkyfy; 1.9 date 2015.03.28.19.00.28; author rodent; state Exp; branches; next 1.8; commitid myUuQEh25FgRdpfy; 1.8 date 2015.03.27.23.30.42; author rodent; state Exp; branches; next 1.7; commitid ALt3pXdbwFEZIify; 1.7 date 2015.03.21.19.39.44; author jperkin; state Exp; branches; next 1.6; commitid ctfmM15c8qvUFvey; 1.6 date 2014.11.14.11.21.12; author obache; state Exp; branches; next 1.5; commitid z9YchXM91a8309Yx; 1.5 date 2014.07.16.10.03.57; author obache; state Exp; branches; next 1.4; commitid 2qyA4RbM9sXGsAIx; 1.4 date 2014.05.29.23.37.25; author wiz; state Exp; branches 1.4.2.1; next 1.3; commitid laryHfkCalgYtuCx; 1.3 date 2013.09.11.13.17.25; author obache; state Exp; branches; next 1.2; commitid mpeYJfqhILvSq15x; 1.2 date 2013.05.31.12.41.57; author wiz; state Exp; branches; next 1.1; commitid hIeXGcx6VfKHwMRw; 1.1 date 2012.12.11.23.29.27; author gdt; state Exp; branches; next ; 1.4.2.1 date 2014.07.16.11.53.40; author tron; state Exp; branches; next ; commitid KHF97bOHadak4BIx; desc @@ 1.15 log @Remove security/polarssl, it's been superseded by security/mbedtls. @ text @# $NetBSD: Makefile,v 1.14 2015/06/12 10:51:10 wiz Exp $ # DISTNAME= polarssl-1.3.9-gpl PKGNAME= ${DISTNAME:-gpl=} PKGREVISION= 2 CATEGORIES= security devel MASTER_SITES= https://tls.mbed.org/download/ EXTRACT_SUFX= .tgz MAINTAINER= pkgsrc-users@@NetBSD.org HOMEPAGE= https://tls.mbed.org/ COMMENT= Lightweight, modular cryptographic and SSL/TLS library LICENSE= gnu-gpl-v2 WRKSRC= ${WRKDIR}/${PKGNAME_NOREV} USE_TOOLS+= gmake perl pkg-config USE_CMAKE= yes REPLACE_PERL= tests/scripts/*.pl USE_LANGUAGES= c TEST_TARGET= check GCC_REQD+= 4.4 .include "options.mk" CMAKE_ARGS+= -DUSE_SHARED_POLARSSL_LIBRARY=ON MAKE_ENV+= RANLIB=${RANLIB:Q} LDFLAGS.SunOS+= -lsocket post-install: ${CHMOD} -x ${DESTDIR}${PREFIX}/lib/libpolarssl.a .include "../../mk/pthread.buildlink3.mk" .include "../../mk/bsd.pkg.mk" @ 1.14 log @Recursive PKGREVISION bump for all packages mentioning 'perl', having a PKGNAME of p5-*, or depending such a package, for perl-5.22.0. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.13 2015/04/06 04:33:45 rodent Exp $ @ 1.13 log @Use += to GCC_REQD. Thanks to richard@@. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.12 2015/04/06 04:18:52 rodent Exp $ d6 1 a6 1 PKGREVISION= 1 @ 1.12 log @Remove commented line. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.11 2015/04/06 04:00:34 rodent Exp $ d22 1 a22 1 GCC_REQD= 4.4 @ 1.11 log @GCC_REQD= 4.4, because 4.2 won't build this package on OpenBSD. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.10 2015/03/29 22:25:20 jperkin Exp $ a34 1 #.include "../../security/openssl/buildlink3.mk" @ 1.10 log @Needs libsocket on SunOS. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.9 2015/03/28 19:00:28 rodent Exp $ d22 1 @ 1.9 log @Add patch to make OpenSSL ("tests") optional. The package wants this by default and users of other package management systems might imagine this package functioning the same way. However, the PLIST differs by one item without it, which users may change at their discretion. Add zlib option too which I'd missed during the previous update. Bump PKGREVISION. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.8 2015/03/27 23:30:42 rodent Exp $ d28 2 @ 1.8 log @Update to last stable release under the polarssl brand. The list of changes is very long and, if you're interested, they can be found here: https://tls.mbed.org/download-archive by reading all the ChangeLogs from 1.2.12-1.3.9. The pkgsrc changes are: Use cmake for build, as that's what upstream recommends and is less likely to fail cross-platform for future releases. Needs pkg-config due to that. Build and install shared library. Remove executable permission from static library during post-install. Needs pthreads and openssl. Tested this build against the build of latest version of powerdns (update coming). @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.7 2015/03/21 19:39:44 jperkin Exp $ d6 1 d23 1 a23 1 .include "../../mk/bsd.fast.prefs.mk" d32 1 a32 1 .include "../../security/openssl/buildlink3.mk" @ 1.7 log @Ensure RANLIB is defined in the environment. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.6 2014/11/14 11:21:12 obache Exp $ d4 1 a4 1 DISTNAME= polarssl-1.2.12-gpl d7 1 a7 1 MASTER_SITES= https://polarssl.org/download/ d11 1 a11 1 HOMEPAGE= http://polarssl.org/ d16 2 a17 1 USE_TOOLS+= gmake perl d22 3 d27 5 @ 1.6 log @Update polarssl to 1.2.12. PolarSSL ChangeLog = Version 1.2.12 released 2014-10-24 Security * Remotely-triggerable memory leak when parsing some X.509 certificates (server is not affected if it doesn't ask for a client certificate). (Found using Codenomicon Defensics.) Bugfix * Fix potential bad read in parsing ServerHello (found by Adrien Vialletelle). * ssl_close_notify() could send more than one message in some circumstances with non-blocking I/O. * x509_crt_parse() did not increase total_failed on PEM error * Fix compiler warnings on iOS (found by Sander Niemeijer). * Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel). * Fix net_accept() regarding non-blocking sockets (found by Luca Pesce). * ssl_read() could return non-application data records on server while renegotation was pending, and on client when a HelloRequest was received. * Fix warnings from Clang's scan-build (contributed by Alfred Klomp). Changes * X.509 certificates with more than one AttributeTypeAndValue per RelativeDistinguishedName are not accepted any more. * ssl_read() now returns POLARSSL_ERR_NET_WANT_READ rather than POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts. * Accept spaces at end of line or end of buffer in base64_decode(). @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.5 2014/07/16 10:03:57 obache Exp $ d21 2 @ 1.5 log @PolarSSL ChangeLog = Version 1.2.11 released 2014-07-11 Features * Entropy module now supports seed writing and reading Changes * Introduced POLARSSL_HAVE_READDIR_R for systems without it * Improvements to the CMake build system, contributed by Julian Ospald. * Work around a bug of the version of Clang shipped by Apple with Mavericks that prevented bignum.c from compiling. (Reported by Rafael Baptista.) * Improvements to tests/Makefile, contributed by Oden Eriksson. * Use UTC time to check certificate validity. * Reject certificates with times not in UTC, per RFC 5280. * Migrate zeroizing of data to polarssl_zeroize() instead of memset() against unwanted compiler optimizations Security * Forbid change of server certificate during renegotiation to prevent "triple handshake" attack when authentication mode is optional (the attack was already impossible when authentication is required). * Check notBefore timestamp of certificates and CRLs from the future. * Forbid sequence number wrapping * Prevent potential NULL pointer dereference in ssl_read_record() (found by TrustInSoft) * Fix length checking for AEAD ciphersuites (found by Codenomicon). It was possible to crash the server (and client) using crafted messages when a GCM suite was chosen. Bugfix * Fixed X.509 hostname comparison (with non-regular characters) * SSL now gracefully handles missing RNG * crypt_and_hash app checks MAC before final decryption * Fixed x509_crt_parse_path() bug on Windows platforms * Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by TrustInSoft) * Fixed potential overflow in certificate size verification in ssl_write_certificate() (found by TrustInSoft) * Fix ASM format in bn_mul.h * Potential memory leak in bignum_selftest() * Replaced expired test certificate * ssl_mail_client now terminates lines with CRLF, instead of LF * Fix bug in RSA PKCS#1 v1.5 "reversed" operations * Fixed testing with out-of-source builds using cmake * Fixed version-major intolerance in server * Fixed CMake symlinking on out-of-source builds * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by Alex Wilson.) * ssl_init() was leaving a dirty pointer in ssl_context if malloc of out_ctr failed * ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc of one of them failed * x509_get_current_time() uses localtime_r() to prevent thread issues * Some example server programs were not sending the close_notify alert. * Potential memory leak in mpi_exp_mod() when error occurs during calculation of RR. * Improve interoperability by not writing extension length in ClientHello when no extensions are present (found by Matthew Page) * rsa_check_pubkey() now allows an E up to N * On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings * mpi_fill_random() was creating numbers larger than requested on big-endian platform when size was not an integer number of limbs * Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer) * Stricter check on SSL ClientHello internal sizes compared to actual packet size (found by TrustInSoft) * Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan). * Use \n\t rather than semicolons for bn_mul asm, since some assemblers interpret semicolons as comment delimiters (found by Barry K. Nathan). * Disable broken Sparc64 bn_mul assembly (found by Florian Obser). * Fix base64_decode() to return and check length correctly (in case of tight buffers) = Version 1.2.10 released 2013-10-07 Changes * Changed RSA blinding to a slower but thread-safe version * Make get_pkcs_padding() constant-time Bugfix * Fixed memory leak in RSA as a result of introduction of blinding * Fixed ssl_pkcs11_decrypt() prototype * Fixed MSVC project files = Version 1.2.9 released 2013-10-01 Changes * x509_verify() now case insensitive for cn (RFC 6125 6.4) Bugfix * Fixed potential memory leak when failing to resume a session * Fixed potential file descriptor leaks (found by Remi Gacogne) * Minor fixes Security * Fixed potential heap buffer overflow on large hostname setting * Fixed potential negative value misinterpretation in load_file() * RSA blinding on CRT operations to counter timing attacks (found by Cyril Arnaud and Pierre-Alain Fouque) @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.4 2014/05/29 23:37:25 wiz Exp $ d4 1 a4 1 DISTNAME= polarssl-1.2.11-gpl @ 1.4 log @Bump for perl-5.20.0. Do it for all packages that * mention perl, or * have a directory name starting with p5-*, or * depend on a package starting with p5- like last time, for 5.18, where this didn't lead to complaints. Let me know if you have any this time. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.3 2013/09/11 13:17:25 obache Exp $ d4 1 a4 1 DISTNAME= polarssl-1.2.8-gpl a5 1 PKGREVISION= 1 d7 1 a7 1 MASTER_SITES= http://polarssl.org/code/releases/ @ 1.4.2.1 log @Pullup ticket #4452 - requested by obache security/polarssl: security update Revisions pulled up: - security/polarssl/Makefile 1.5 - security/polarssl/distinfo 1.3 --- Module Name: pkgsrc Committed By: obache Date: Wed Jul 16 10:03:57 UTC 2014 Modified Files: pkgsrc/security/polarssl: Makefile distinfo Log Message: PolarSSL ChangeLog = Version 1.2.11 released 2014-07-11 Features * Entropy module now supports seed writing and reading Changes * Introduced POLARSSL_HAVE_READDIR_R for systems without it * Improvements to the CMake build system, contributed by Julian Ospald. * Work around a bug of the version of Clang shipped by Apple with Mavericks that prevented bignum.c from compiling. (Reported by Rafael Baptista.) * Improvements to tests/Makefile, contributed by Oden Eriksson. * Use UTC time to check certificate validity. * Reject certificates with times not in UTC, per RFC 5280. * Migrate zeroizing of data to polarssl_zeroize() instead of memset() against unwanted compiler optimizations Security * Forbid change of server certificate during renegotiation to prevent "triple handshake" attack when authentication mode is optional (the attack was already impossible when authentication is required). * Check notBefore timestamp of certificates and CRLs from the future. * Forbid sequence number wrapping * Prevent potential NULL pointer dereference in ssl_read_record() (found by TrustInSoft) * Fix length checking for AEAD ciphersuites (found by Codenomicon). It was possible to crash the server (and client) using crafted messages when a GCM suite was chosen. Bugfix * Fixed X.509 hostname comparison (with non-regular characters) * SSL now gracefully handles missing RNG * crypt_and_hash app checks MAC before final decryption * Fixed x509_crt_parse_path() bug on Windows platforms * Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by TrustInSoft) * Fixed potential overflow in certificate size verification in ssl_write_certificate() (found by TrustInSoft) * Fix ASM format in bn_mul.h * Potential memory leak in bignum_selftest() * Replaced expired test certificate * ssl_mail_client now terminates lines with CRLF, instead of LF * Fix bug in RSA PKCS#1 v1.5 "reversed" operations * Fixed testing with out-of-source builds using cmake * Fixed version-major intolerance in server * Fixed CMake symlinking on out-of-source builds * Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by Alex Wilson.) * ssl_init() was leaving a dirty pointer in ssl_context if malloc of out_ctr failed * ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc of one of them failed * x509_get_current_time() uses localtime_r() to prevent thread issues * Some example server programs were not sending the close_notify alert. * Potential memory leak in mpi_exp_mod() when error occurs during calculation of RR. * Improve interoperability by not writing extension length in ClientHello when no extensions are present (found by Matthew Page) * rsa_check_pubkey() now allows an E up to N * On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings * mpi_fill_random() was creating numbers larger than requested on big-endian platform when size was not an integer number of limbs * Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer) * Stricter check on SSL ClientHello internal sizes compared to actual packet size (found by TrustInSoft) * Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan). * Use \n\t rather than semicolons for bn_mul asm, since some assemblers interpret semicolons as comment delimiters (found by Barry K. Nathan). * Disable broken Sparc64 bn_mul assembly (found by Florian Obser). * Fix base64_decode() to return and check length correctly (in case of tight buffers) = Version 1.2.10 released 2013-10-07 Changes * Changed RSA blinding to a slower but thread-safe version * Make get_pkcs_padding() constant-time Bugfix * Fixed memory leak in RSA as a result of introduction of blinding * Fixed ssl_pkcs11_decrypt() prototype * Fixed MSVC project files = Version 1.2.9 released 2013-10-01 Changes * x509_verify() now case insensitive for cn (RFC 6125 6.4) Bugfix * Fixed potential memory leak when failing to resume a session * Fixed potential file descriptor leaks (found by Remi Gacogne) * Minor fixes Security * Fixed potential heap buffer overflow on large hostname setting * Fixed potential negative value misinterpretation in load_file() * RSA blinding on CRT operations to counter timing attacks (found by Cyril Arnaud and Pierre-Alain Fouque) @ text @d1 1 a1 1 # $NetBSD$ d4 1 a4 1 DISTNAME= polarssl-1.2.11-gpl d6 1 d8 1 a8 1 MASTER_SITES= https://polarssl.org/download/ @ 1.3 log @Update PolarSSL to 1.2.8 = Version 1.2.8 released 2013-06-19 Features * Parsing of PKCS#8 encrypted private key files * PKCS#12 PBE and derivation functions * Centralized module option values in config.h to allow user-defined settings without editing header files by using POLARSSL_CONFIG_OPTIONS Changes * HAVEGE random generator disabled by default * Internally split up x509parse_key() into a (PEM) handler function and specific DER parser functions for the PKCS#1 and unencrypted PKCS#8 private key formats * Added mechanism to provide alternative implementations for all symmetric cipher and hash algorithms (e.g. POLARSSL_AES_ALT in config.h) * PKCS#5 module added. Moved PBKDF2 functionality inside and deprecated old PBKDF2 module Bugfix * Secure renegotiation extension should only be sent in case client supports secure renegotiation * Fixed offset for cert_type list in ssl_parse_certificate_request() * Fixed const correctness issues that have no impact on the ABI * x509parse_crt() now better handles PEM error situations * ssl_parse_certificate() now calls x509parse_crt_der() directly instead of the x509parse_crt() wrapper that can also parse PEM certificates * x509parse_crtpath() is now reentrant and uses more portable stat() * Fixed bignum.c and bn_mul.h to support Thumb2 and LLVM compiler * Fixed values for 2-key Triple DES in cipher layer * ssl_write_certificate_request() can handle empty ca_chain Security * A possible DoS during the SSL Handshake, due to faulty parsing of PEM-encoded certificates has been fixed (found by Jack Lloyd) = Version 1.2.7 released 2013-04-13 Features * Ability to specify allowed ciphersuites based on the protocol version. Changes * Default Blowfish keysize is now 128-bits * Test suites made smaller to accommodate Raspberry Pi Bugfix * Fix for MPI assembly for ARM * GCM adapted to support sizes > 2^29 = Version 1.2.6 released 2013-03-11 Bugfix * Fixed memory leak in ssl_free() and ssl_reset() for active session * Corrected GCM counter incrementation to use only 32-bits instead of 128-bits (found by Yawning Angel) * Fixes for 64-bit compilation with MS Visual Studio * Fixed net_bind() for specified IP addresses on little endian systems * Fixed assembly code for ARM (Thumb and regular) for some compilers Changes * Internally split up rsa_pkcs1_encrypt(), rsa_pkcs1_decrypt(), rsa_pkcs1_sign() and rsa_pkcs1_verify() to separate PKCS#1 v1.5 and PKCS#1 v2.1 functions * Added support for custom labels when using rsa_rsaes_oaep_encrypt() or rsa_rsaes_oaep_decrypt() * Re-added handling for SSLv2 Client Hello when the define POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is set * The SSL session cache module (ssl_cache) now also retains peer_cert information (not the entire chain) Security * Removed further timing differences during SSL message decryption in ssl_decrypt_buf() * Removed timing differences due to bad padding from rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5 operations = Version 1.2.5 released 2013-02-02 Changes * Allow enabling of dummy error_strerror() to support some use-cases * Debug messages about padding errors during SSL message decryption are disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL * Sending of security-relevant alert messages that do not break interoperability can be switched on/off with the flag POLARSSL_SSL_ALL_ALERT_MESSAGES Security * Removed timing differences during SSL message decryption in ssl_decrypt_buf() due to badly formatted padding = Version 1.2.4 released 2013-01-25 Changes * Added ssl_handshake_step() to allow single stepping the handshake process Bugfix * Memory leak when using RSA_PKCS_V21 operations fixed * Handle future version properly in ssl_write_certificate_request() * Correctly handle CertificateRequest message in client for <= TLS 1.1 without DN list = Version 1.2.3 released 2012-11-26 Bugfix * Server not always sending correct CertificateRequest message = Version 1.2.2 released 2012-11-24 Changes * Added p_hw_data to ssl_context for context specific hardware acceleration data * During verify trust-CA is only checked for expiration and CRL presence Bugfixes * Fixed client authentication compatibility * Fixed dependency on POLARSSL_SHA4_C in SSL modules = Version 1.2.1 released 2012-11-20 Changes * Depth that the certificate verify callback receives is now numbered bottom-up (Peer cert depth is 0) Bugfixes * Fixes for MSVC6 * Moved mpi_inv_mod() outside POLARSSL_GENPRIME * Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel Pégourié-Gonnard) * Fixed possible segfault in mpi_shift_r() (found by Manuel Pégourié-Gonnard) * Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.2 2013/05/31 12:41:57 wiz Exp $ d6 1 @ 1.2 log @Bump all packages for perl-5.18, that a) refer 'perl' in their Makefile, or b) have a directory name of p5-*, or c) have any dependency on any p5-* package Like last time, where this caused no complaints. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.1 2012/12/11 23:29:27 gdt Exp $ d4 1 a4 1 DISTNAME= polarssl-1.2.0-gpl a5 1 PKGREVISION= 1 a8 1 FETCH_USING= curl @ 1.1 log @Import polarssl-1.2.0 as security/polarssl. PolarSSL is an SSL library written in ANSI C. PolarSSL makes it easy for developers to include cryptographic and SSL/TLS capabilities in their (embedded) products with as little hassle as possible. It is designed to be readable, documented, tested, loosely coupled and portable. This package includes headers/libs only, not the demo programs. PolarSSL is GPLv2, but offers exceptions to be distributed with other works licensed as Apache, BSD, CC0, EUPL, LGPL, ISC, WTFPL, X11, zlib/libpng. @ text @d1 1 a1 1 # $NetBSD$ d6 1 @