authortron <tron@pkgsrc.org>2010-03-27 14:44:42 +0000
committertron <tron@pkgsrc.org>2010-03-27 14:44:42 +0000
commit4e818c97f8cc8327db9437a44b11e26488850b4a (patch)
tree8688052de896b2913d373c70b8fb399712bb2e61
parent4a2c2ceb82340a23619b6e7cc96847a81c46c920 (diff)
downloadpkgsrc-4e818c97f8cc8327db9437a44b11e26488850b4a.tar.gz
Pullup ticket #3065 - requested by taca
openssl: security update

Revisions pulled up:
- security/openssl/Makefile 1.144-1.1.146
- security/openssl/PLIST.common 1.17
- security/openssl/distinfo 1.72-1.73
- security/openssl/patches/patch-aa 1.23
- security/openssl/patches/patch-ac 1.38
- security/openssl/patches/patch-af 1.24
- security/openssl/patches/patch-ax delete
- security/openssl/patches/patch-ay delete
- security/openssl/patches/patch-az delete
- security/openssl/patches/patch-ba delete
- security/openssl/patches/patch-bb delete
- security/openssl/patches/patch-bc 1.1
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Feb 26 03:15:14 UTC 2010

Modified Files:
pkgsrc/security/openssl: Makefile distinfo
pkgsrc/security/openssl/patches: patch-aa patch-ac patch-af
Removed Files:
pkgsrc/security/openssl/patches: patch-ax patch-ay patch-az patch-ba patch-bb

Log Message:
Update openssl to 0.9.8m.

The OpenSSL project team is pleased to announce the release of version 0.9.8m of our open source toolkit for SSL/TLS. This new OpenSSL version is a security and bugfix release which implements RFC5746 to address renegotiation vulnerabilities mentioned in CVE-2009-3555.

For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES.
---
Module Name: pkgsrc
Committed By: taca
Date: Mon Mar 1 08:15:40 UTC 2010

Modified Files:
pkgsrc/security/openssl: Makefile PLIST.common

Log Message:
Fix broken PLIST. (I wonder why "make print-PLIST" generated a wrong result before...)

Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Mar 26 00:20:49 UTC 2010

Modified Files:
pkgsrc/security/openssl: Makefile distinfo
Added Files:
pkgsrc/security/openssl/patches: patch-bc

Log Message:
Add a patch to fix CVE-2010-0740, a DoS problem.
http://www.openssl.org/news/secadv_20100324.txt

Bump PKGREVISION.
-rw-r--r--security/openssl/Makefile8
-rw-r--r--security/openssl/PLIST.common71
-rw-r--r--security/openssl/distinfo20
-rw-r--r--security/openssl/patches/patch-aa14
-rw-r--r--security/openssl/patches/patch-ac18
-rw-r--r--security/openssl/patches/patch-af34
-rw-r--r--security/openssl/patches/patch-ax24
-rw-r--r--security/openssl/patches/patch-ay13
-rw-r--r--security/openssl/patches/patch-az42
-rw-r--r--security/openssl/patches/patch-ba17
-rw-r--r--security/openssl/patches/patch-bb44
-rw-r--r--security/openssl/patches/patch-bc19
12 files changed, 125 insertions, 199 deletions
diff --git a/security/openssl/Makefile b/security/openssl/Makefile
index 6419ef94322..0fbde00028f 100644
--- a/security/openssl/Makefile
+++ b/security/openssl/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.142.2.1 2010/01/24 10:56:27 tron Exp $
+# $NetBSD: Makefile,v 1.142.2.2 2010/03/27 14:44:42 tron Exp $
OPENSSL_SNAPSHOT?= # empty
OPENSSL_STABLE?= # empty
-OPENSSL_VERS?= 0.9.8l
-PKGREVISION= 1
+OPENSSL_VERS?= 0.9.8m
+PKGREVISION= 2
.if empty(OPENSSL_SNAPSHOT)
DISTNAME= openssl-${OPENSSL_VERS}
@@ -124,6 +124,8 @@ CONF_FILES= ${PREFIX}/share/examples/openssl/openssl.cnf \
${PKG_SYSCONFDIR}/openssl.cnf
OWN_DIRS= ${PKG_SYSCONFDIR}/certs ${PKG_SYSCONFDIR}/private
+INSTALLATION_DIRS+= share/examples/openssl
+
# Fix the path to perl in various scripts.
pre-configure:
cd ${WRKSRC} && ${PERL5} util/perlpath.pl ${PERL5}
diff --git a/security/openssl/PLIST.common b/security/openssl/PLIST.common
index 876b4703680..31ffff07172 100644
--- a/security/openssl/PLIST.common
+++ b/security/openssl/PLIST.common
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST.common,v 1.16 2009/06/14 21:21:16 joerg Exp $
+@comment $NetBSD: PLIST.common,v 1.16.6.1 2010/03/27 14:44:42 tron Exp $
bin/c_rehash
bin/openssl
include/openssl/aes.h
@@ -641,6 +641,72 @@ man/man3/OpenSSL_add_all_ciphers.3
man/man3/OpenSSL_add_all_digests.3
man/man3/OpenSSL_add_ssl_algorithms.3
man/man3/PEM.3
+man/man3/PEM_read_DHparams.3
+man/man3/PEM_read_DSAPrivateKey.3
+man/man3/PEM_read_DSA_PUBKEY.3
+man/man3/PEM_read_DSAparams.3
+man/man3/PEM_read_NETSCAPE_CERT_SEQUENCE.3
+man/man3/PEM_read_PKCS7.3
+man/man3/PEM_read_PUBKEY.3
+man/man3/PEM_read_PrivateKey.3
+man/man3/PEM_read_RSAPrivateKey.3
+man/man3/PEM_read_RSAPublicKey.3
+man/man3/PEM_read_RSA_PUBKEY.3
+man/man3/PEM_read_X509.3
+man/man3/PEM_read_X509_AUX.3
+man/man3/PEM_read_X509_CRL.3
+man/man3/PEM_read_X509_REQ.3
+man/man3/PEM_read_bio_DHparams.3
+man/man3/PEM_read_bio_DSAPrivateKey.3
+man/man3/PEM_read_bio_DSA_PUBKEY.3
+man/man3/PEM_read_bio_DSAparams.3
+man/man3/PEM_read_bio_NETSCAPE_CERT_SEQUENCE.3
+man/man3/PEM_read_bio_PKCS7.3
+man/man3/PEM_read_bio_PUBKEY.3
+man/man3/PEM_read_bio_PrivateKey.3
+man/man3/PEM_read_bio_RSAPrivateKey.3
+man/man3/PEM_read_bio_RSAPublicKey.3
+man/man3/PEM_read_bio_RSA_PUBKEY.3
+man/man3/PEM_read_bio_X509.3
+man/man3/PEM_read_bio_X509_AUX.3
+man/man3/PEM_read_bio_X509_CRL.3
+man/man3/PEM_read_bio_X509_REQ.3
+man/man3/PEM_write_DHparams.3
+man/man3/PEM_write_DSAPrivateKey.3
+man/man3/PEM_write_DSA_PUBKEY.3
+man/man3/PEM_write_DSAparams.3
+man/man3/PEM_write_NETSCAPE_CERT_SEQUENCE.3
+man/man3/PEM_write_PKCS7.3
+man/man3/PEM_write_PKCS8PrivateKey.3
+man/man3/PEM_write_PKCS8PrivateKey_nid.3
+man/man3/PEM_write_PUBKEY.3
+man/man3/PEM_write_PrivateKey.3
+man/man3/PEM_write_RSAPrivateKey.3
+man/man3/PEM_write_RSAPublicKey.3
+man/man3/PEM_write_RSA_PUBKEY.3
+man/man3/PEM_write_X509.3
+man/man3/PEM_write_X509_AUX.3
+man/man3/PEM_write_X509_CRL.3
+man/man3/PEM_write_X509_REQ.3
+man/man3/PEM_write_X509_REQ_NEW.3
+man/man3/PEM_write_bio_DHparams.3
+man/man3/PEM_write_bio_DSAPrivateKey.3
+man/man3/PEM_write_bio_DSA_PUBKEY.3
+man/man3/PEM_write_bio_DSAparams.3
+man/man3/PEM_write_bio_NETSCAPE_CERT_SEQUENCE.3
+man/man3/PEM_write_bio_PKCS7.3
+man/man3/PEM_write_bio_PKCS8PrivateKey.3
+man/man3/PEM_write_bio_PKCS8PrivateKey_nid.3
+man/man3/PEM_write_bio_PUBKEY.3
+man/man3/PEM_write_bio_PrivateKey.3
+man/man3/PEM_write_bio_RSAPrivateKey.3
+man/man3/PEM_write_bio_RSAPublicKey.3
+man/man3/PEM_write_bio_RSA_PUBKEY.3
+man/man3/PEM_write_bio_X509.3
+man/man3/PEM_write_bio_X509_AUX.3
+man/man3/PEM_write_bio_X509_CRL.3
+man/man3/PEM_write_bio_X509_REQ.3
+man/man3/PEM_write_bio_X509_REQ_NEW.3
man/man3/PKCS12_create.3
man/man3/PKCS12_parse.3
man/man3/PKCS7_decrypt.3
@@ -723,6 +789,7 @@ man/man3/SSL_CTX_add_extra_chain_cert.3
man/man3/SSL_CTX_add_session.3
man/man3/SSL_CTX_callback_ctrl.3
man/man3/SSL_CTX_check_private_key.3
+man/man3/SSL_CTX_clear_options.3
man/man3/SSL_CTX_ctrl.3
man/man3/SSL_CTX_flush_sessions.3
man/man3/SSL_CTX_free.3
@@ -820,6 +887,7 @@ man/man3/SSL_alert_type_string_long.3
man/man3/SSL_callback_ctrl.3
man/man3/SSL_check_private_key.3
man/man3/SSL_clear.3
+man/man3/SSL_clear_options.3
man/man3/SSL_connect.3
man/man3/SSL_ctrl.3
man/man3/SSL_do_handshake.3
@@ -850,6 +918,7 @@ man/man3/SSL_get_peer_cert_chain.3
man/man3/SSL_get_peer_certificate.3
man/man3/SSL_get_quiet_shutdown.3
man/man3/SSL_get_rbio.3
+man/man3/SSL_get_secure_renegotiation_support.3
man/man3/SSL_get_session.3
man/man3/SSL_get_shutdown.3
man/man3/SSL_get_ssl_method.3
diff --git a/security/openssl/distinfo b/security/openssl/distinfo
index 427af717e0b..2364287ca7f 100644
--- a/security/openssl/distinfo
+++ b/security/openssl/distinfo
@@ -1,18 +1,14 @@
-$NetBSD: distinfo,v 1.70.2.1 2010/01/24 10:56:27 tron Exp $
+$NetBSD: distinfo,v 1.70.2.2 2010/03/27 14:44:42 tron Exp $
-SHA1 (openssl-0.9.8l.tar.gz) = d3fb6ec89532ab40646b65af179bb1770f7ca28f
-RMD160 (openssl-0.9.8l.tar.gz) = 9de81ec2583edcba729e62d50fd22c0a98a52903
-Size (openssl-0.9.8l.tar.gz) = 4179422 bytes
-SHA1 (patch-aa) = cb6942b0be960151c185e89af1e09050a6b18dff
-SHA1 (patch-ac) = 3f62d36e18c2b8f587322dac5b329207704f40ad
+SHA1 (openssl-0.9.8m.tar.gz) = 2511c709a47f34d5fa6cd1a1c9cb1699bdffa912
+RMD160 (openssl-0.9.8m.tar.gz) = 0296af151993008526b4f2b3a6810e20c4ad3759
+Size (openssl-0.9.8m.tar.gz) = 3767604 bytes
+SHA1 (patch-aa) = b3899aebeea9bd9ead58771ca52ecec049589a55
+SHA1 (patch-ac) = 6ff4a20440666f5c520837e10547091e1bee2208
SHA1 (patch-ad) = bb86ac463fc4ab8b485df5f1a4fb9c13c1fc41c3
SHA1 (patch-ae) = 7a58f1765a3761321dcc8dafc5fe2e33207be480
-SHA1 (patch-af) = 81263ce9dc0e89293ac1fc298e1178253a0b0b1b
+SHA1 (patch-af) = 2610930b6b06397fa2e3955b3244c02193f5b7a6
SHA1 (patch-ag) = 5f12c72b85e4b6c6a79dfcf87055e9e029fbd8c8
SHA1 (patch-ak) = 049250b9bd42e6f155145703135dab39a7ec17e0
SHA1 (patch-al) = 076a606352bdeaeea1cc64f16be2ac1325882302
-SHA1 (patch-ax) = ef0c657de2aa42baa365b9857583d1c55d0e7d1b
-SHA1 (patch-ay) = 6d5de155e5508cd2237387626c8e1ff7ee603f8e
-SHA1 (patch-az) = aa7ef7192d56979ba09aa1dab8a2cdf9868f9c4a
-SHA1 (patch-ba) = b8ab55c0c6ab4b995cae18517609720f0803e11f
-SHA1 (patch-bb) = a4092a65f52d3c9c85c9015901b2a5eeb11d0955
+SHA1 (patch-bc) = 9200ae3c86fb5c278c9692441555faa4c51afb30
diff --git a/security/openssl/patches/patch-aa b/security/openssl/patches/patch-aa
index 5c2acd50232..2720bca4ab8 100644
--- a/security/openssl/patches/patch-aa
+++ b/security/openssl/patches/patch-aa
@@ -1,15 +1,15 @@
-$NetBSD: patch-aa,v 1.22 2010/01/15 04:55:30 taca Exp $
+$NetBSD: patch-aa,v 1.22.2.1 2010/03/27 14:44:42 tron Exp $
---- config.orig 2009-02-16 08:43:41.000000000 +0000
+--- config.orig 2009-10-15 12:58:00.000000000 +0000
+++ config
@@ -49,6 +49,7 @@ done
# First get uname entries that we use below
- MACHINE=`(uname -m) 2>/dev/null` || MACHINE="unknown"
-+MACHINE_ARCH=`(uname -p) 2>/dev/null` || MACHINE_ARCH="unknown"
- RELEASE=`(uname -r) 2>/dev/null` || RELEASE="unknown"
- SYSTEM=`(uname -s) 2>/dev/null` || SYSTEM="unknown"
- VERSION=`(uname -v) 2>/dev/null` || VERSION="unknown"
+ [ "$MACHINE" ] || MACHINE=`(uname -m) 2>/dev/null` || MACHINE="unknown"
++[ "$MACHINE_ARCH" ] || MACHINE_ARCH=`(uname -p) 2>/dev/null` || MACHINE_ARCH="unknown"
+ [ "$RELEASE" ] || RELEASE=`(uname -r) 2>/dev/null` || RELEASE="unknown"
+ [ "$SYSTEM" ] || SYSTEM=`(uname -s) 2>/dev/null` || SYSTEM="unknown"
+ [ "$BUILD" ] || VERSION=`(uname -v) 2>/dev/null` || VERSION="unknown"
@@ -154,6 +155,10 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${
echo "mips4-sgi-irix64"; exit 0
;;
diff --git a/security/openssl/patches/patch-ac b/security/openssl/patches/patch-ac
index 05e06c9ca5f..0791b5dc8c9 100644
--- a/security/openssl/patches/patch-ac
+++ b/security/openssl/patches/patch-ac
@@ -1,17 +1,17 @@
-$NetBSD: patch-ac,v 1.37 2010/01/15 04:55:30 taca Exp $
+$NetBSD: patch-ac,v 1.37.2.1 2010/03/27 14:44:42 tron Exp $
---- Configure.orig 2009-11-05 12:07:06.000000000 +0000
+--- Configure.orig 2009-11-09 14:14:26.000000000 +0000
+++ Configure
-@@ -206,7 +206,7 @@ my %table=(
- "solaris64-x86_64-gcc","gcc:-m64 -O3 -Wall -DL_ENDIAN -DMD32_REG_T=int::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:solaris-shared:-fPIC:-m64 -shared -static-libgcc:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+@@ -212,7 +212,7 @@ my %table=(
+ "solaris64-x86_64-gcc","gcc:-m64 -O3 -Wall -DL_ENDIAN -DMD32_REG_T=int::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:solaris-shared:-fPIC:-m64 -shared -static-libgcc:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
#### Solaris x86 with Sun C setups
-"solaris-x86-cc","cc:-fast -O -Xa::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR:${no_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-x86-cc","cc:-xO5 -Xa::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR:${no_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- "solaris64-x86_64-cc","cc:-fast -xarch=amd64 -xstrconst -Xa -DL_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:solaris-shared:-KPIC:-xarch=amd64 -G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ "solaris64-x86_64-cc","cc:-fast -xarch=amd64 -xstrconst -Xa -DL_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:solaris-shared:-KPIC:-xarch=amd64 -G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
#### SPARC Solaris with GNU C setups
-@@ -318,6 +318,7 @@ my %table=(
+@@ -324,6 +324,7 @@ my %table=(
#
"osf1-alpha-gcc", "gcc:-O3::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:${no_asm}:dlfcn:alpha-osf1-shared:::.so",
"osf1-alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${no_asm}:dlfcn:alpha-osf1-shared:::.so",
@@ -19,7 +19,7 @@ $NetBSD: patch-ac,v 1.37 2010/01/15 04:55:30 taca Exp $
"tru64-alpha-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${no_asm}:dlfcn:alpha-osf1-shared::-msym:.so",
####
-@@ -380,6 +381,25 @@ my %table=(
+@@ -386,6 +387,25 @@ my %table=(
"BSD-ia64", "gcc:-DL_ENDIAN -DTERMIOS -O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"BSD-x86_64", "gcc:-DL_ENDIAN -DTERMIOS -O3 -DMD32_REG_T=int -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -45,7 +45,7 @@ $NetBSD: patch-ac,v 1.37 2010/01/15 04:55:30 taca Exp $
"bsdi-elf-gcc", "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall::(unknown)::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"nextstep", "cc:-O -Wall:<libc.h>:(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::",
-@@ -808,6 +828,10 @@ PROCESS_ARGS:
+@@ -821,6 +841,10 @@ PROCESS_ARGS:
{
$libs.=$_." ";
}
@@ -56,7 +56,7 @@ $NetBSD: patch-ac,v 1.37 2010/01/15 04:55:30 taca Exp $
elsif (/^-[^-]/ or /^\+/)
{
$flags.=$_." ";
-@@ -1523,7 +1547,7 @@ while (<IN>)
+@@ -1566,7 +1590,7 @@ while (<IN>)
elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
{
my $sotmp = $1;
diff --git a/security/openssl/patches/patch-af b/security/openssl/patches/patch-af
index b209050cfcc..f99365b8027 100644
--- a/security/openssl/patches/patch-af
+++ b/security/openssl/patches/patch-af
@@ -1,6 +1,6 @@
-$NetBSD: patch-af,v 1.23 2010/01/15 04:55:30 taca Exp $
+$NetBSD: patch-af,v 1.23.2.1 2010/03/27 14:44:42 tron Exp $
---- Makefile.org.orig 2009-03-03 22:40:29.000000000 +0000
+--- Makefile.org.orig 2010-01-27 16:06:36.000000000 +0000
+++ Makefile.org
@@ -28,6 +28,7 @@ INSTALLTOP=/usr/local/ssl
@@ -10,7 +10,7 @@ $NetBSD: patch-af,v 1.23 2010/01/15 04:55:30 taca Exp $
# NO_IDEA - Define to build without the IDEA algorithm
# NO_RC4 - Define to build without the RC4 algorithm
-@@ -131,8 +132,8 @@ FIPSCANLIB=
+@@ -132,8 +133,8 @@ FIPSCANLIB=
BASEADDR=
@@ -21,7 +21,7 @@ $NetBSD: patch-af,v 1.23 2010/01/15 04:55:30 taca Exp $
# dirs in crypto to build
SDIRS= \
-@@ -152,7 +153,7 @@ TESTS = alltests
+@@ -153,7 +154,7 @@ TESTS = alltests
MAKEFILE= Makefile
@@ -30,7 +30,7 @@ $NetBSD: patch-af,v 1.23 2010/01/15 04:55:30 taca Exp $
MAN1=1
MAN3=3
MANSUFFIX=
-@@ -168,6 +169,7 @@ SHARED_SSL=libssl$(SHLIB_EXT)
+@@ -169,6 +170,7 @@ SHARED_SSL=libssl$(SHLIB_EXT)
SHARED_FIPS=
SHARED_LIBS=
SHARED_LIBS_LINK_EXTS=
@@ -38,16 +38,7 @@ $NetBSD: patch-af,v 1.23 2010/01/15 04:55:30 taca Exp $
SHARED_LDFLAGS=
GENERAL= Makefile
-@@ -200,7 +202,7 @@ BUILDENV= PLATFORM='${PLATFORM}' PROCESS
- CC='${CC}' CFLAG='${CFLAG}' \
- AS='${CC}' ASFLAG='${CFLAG} -c' \
- AR='${AR}' PERL='${PERL}' RANLIB='${RANLIB}' \
-- SDIRS='${SDIRS}' LIBRPATH='${INSTALLTOP}/lib' \
-+ SDIRS='${SDIRS}' LIBRPATH='${LIBRPATH}' \
- INSTALL_PREFIX='${INSTALL_PREFIX}' \
- INSTALLTOP='${INSTALLTOP}' OPENSSLDIR='${OPENSSLDIR}' \
- MAKEDEPEND='$$$${TOP}/util/domd $$$${TOP} -MD ${MAKEDEPPROG}' \
-@@ -611,7 +613,7 @@ dist:
+@@ -615,7 +617,7 @@ dist:
dist_pem_h:
(cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean)
@@ -56,18 +47,7 @@ $NetBSD: patch-af,v 1.23 2010/01/15 04:55:30 taca Exp $
install_sw:
@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
-@@ -619,9 +621,7 @@ install_sw:
- $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines \
- $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig \
- $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
-- $(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
-- $(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
-- $(INSTALL_PREFIX)$(OPENSSLDIR)/private
-+ $(INSTALL_PREFIX)$(EXAMPLEDIR)
- @set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\
- do \
- (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
-@@ -691,35 +691,53 @@ install_docs:
+@@ -695,35 +697,53 @@ install_docs:
set -e; for i in doc/apps/*.pod; do \
fn=`basename $$i .pod`; \
sec=`$(PERL) util/extract-section.pl 1 < $$i`; \
diff --git a/security/openssl/patches/patch-ax b/security/openssl/patches/patch-ax
deleted file mode 100644
index b710884ea85..00000000000
--- a/security/openssl/patches/patch-ax
+++ /dev/null
@@ -1,24 +0,0 @@
-$NetBSD: patch-ax,v 1.1 2009/06/10 13:57:08 tez Exp $
-
-Part of CVE-2009-1377 fix.
-
---- crypto/pqueue/pqueue.c.orig 2009-06-08 18:55:59.826213100 -0500
-+++ crypto/pqueue/pqueue.c
-@@ -234,3 +234,17 @@ pqueue_next(pitem **item)
-
- return ret;
- }
-+
-+int
-+pqueue_size(pqueue_s *pq)
-+{
-+ pitem *item = pq->items;
-+ int count = 0;
-+
-+ while(item != NULL)
-+ {
-+ count++;
-+ item = item->next;
-+ }
-+ return count;
-+}
diff --git a/security/openssl/patches/patch-ay b/security/openssl/patches/patch-ay
deleted file mode 100644
index 166214c5209..00000000000
--- a/security/openssl/patches/patch-ay
+++ /dev/null
@@ -1,13 +0,0 @@
-$NetBSD: patch-ay,v 1.1 2009/06/10 13:57:08 tez Exp $
-
-Part of CVE-2009-1377 fix.
-
---- crypto/pqueue/pqueue.h.orig 2009-06-08 18:57:00.672546600 -0500
-+++ crypto/pqueue/pqueue.h
-@@ -91,5 +91,6 @@ pitem *pqueue_iterator(pqueue pq);
- pitem *pqueue_next(piterator *iter);
-
- void pqueue_print(pqueue pq);
-+int pqueue_size(pqueue pq);
-
- #endif /* ! HEADER_PQUEUE_H */
diff --git a/security/openssl/patches/patch-az b/security/openssl/patches/patch-az
deleted file mode 100644
index 9106990b117..00000000000
--- a/security/openssl/patches/patch-az
+++ /dev/null
@@ -1,42 +0,0 @@
-$NetBSD: patch-az,v 1.1 2009/06/10 13:57:08 tez Exp $
-
-CVE-2009-1378 and CVE-2009-1379 fixes.
-
---- ssl/d1_both.c.orig 2009-06-08 18:59:50.629293200 -0500
-+++ ssl/d1_both.c
-@@ -519,6 +519,8 @@ dtls1_retrieve_buffered_fragment(SSL *s,
-
- if ( s->d1->handshake_read_seq == frag->msg_header.seq)
- {
-+ unsigned long frag_len = frag->msg_header.frag_len;
-+
- pqueue_pop(s->d1->buffered_messages);
-
- al=dtls1_preprocess_fragment(s,&frag->msg_header,max);
-@@ -536,7 +538,7 @@ dtls1_retrieve_buffered_fragment(SSL *s,
- if (al==0)
- {
- *ok = 1;
-- return frag->msg_header.frag_len;
-+ return frag_len;
- }
-
- ssl3_send_alert(s,SSL3_AL_FATAL,al);
-@@ -561,7 +563,16 @@ dtls1_process_out_of_seq_message(SSL *s,
- if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
- goto err;
-
-- if (msg_hdr->seq <= s->d1->handshake_read_seq)
-+ /* Try to find item in queue, to prevent duplicate entries */
-+ pq_64bit_init(&seq64);
-+ pq_64bit_assign_word(&seq64, msg_hdr->seq);
-+ item = pqueue_find(s->d1->buffered_messages, seq64);
-+ pq_64bit_free(&seq64);
-+
-+ /* Discard the message if sequence number was already there, is
-+ * too far in the future or the fragment is already in the queue */
-+ if (msg_hdr->seq <= s->d1->handshake_read_seq ||
-+ msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
- {
- unsigned char devnull [256];
-
diff --git a/security/openssl/patches/patch-ba b/security/openssl/patches/patch-ba
deleted file mode 100644
index 557e03224ed..00000000000
--- a/security/openssl/patches/patch-ba
+++ /dev/null
@@ -1,17 +0,0 @@
-$NetBSD: patch-ba,v 1.1 2009/06/10 13:57:08 tez Exp $
-
-Part of CVE-2009-1377 fix.
-
---- ssl/d1_pkt.c.orig 2009-06-08 18:58:13.784215600 -0500
-+++ ssl/d1_pkt.c
-@@ -167,6 +167,10 @@ dtls1_buffer_record(SSL *s, record_pqueu
- DTLS1_RECORD_DATA *rdata;
- pitem *item;
-
-+ /* Limit the size of the queue to prevent DOS attacks */
-+ if (pqueue_size(queue->q) >= 100)
-+ return 0;
-+
- rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
- item = pitem_new(priority, rdata);
- if (rdata == NULL || item == NULL)
diff --git a/security/openssl/patches/patch-bb b/security/openssl/patches/patch-bb
deleted file mode 100644
index 66eabfe1fac..00000000000
--- a/security/openssl/patches/patch-bb
+++ /dev/null
@@ -1,44 +0,0 @@
-$NetBSD: patch-bb,v 1.1.2.2 2010/01/24 10:56:27 tron Exp $
-
-deal with CVE-2009-4355, revsion 1.15.2.8 from OpenSSL's CVS repository.
-
---- crypto/comp/c_zlib.c.orig 2008-12-13 17:00:53.000000000 +0000
-+++ crypto/comp/c_zlib.c
-@@ -136,15 +136,6 @@ struct zlib_state
-
- static int zlib_stateful_ex_idx = -1;
-
--static void zlib_stateful_free_ex_data(void *obj, void *item,
-- CRYPTO_EX_DATA *ad, int ind,long argl, void *argp)
-- {
-- struct zlib_state *state = (struct zlib_state *)item;
-- inflateEnd(&state->istream);
-- deflateEnd(&state->ostream);
-- OPENSSL_free(state);
-- }
--
- static int zlib_stateful_init(COMP_CTX *ctx)
- {
- int err;
-@@ -188,6 +179,12 @@ static int zlib_stateful_init(COMP_CTX *
-
- static void zlib_stateful_finish(COMP_CTX *ctx)
- {
-+ struct zlib_state *state =
-+ (struct zlib_state *)CRYPTO_get_ex_data(&ctx->ex_data,
-+ zlib_stateful_ex_idx);
-+ inflateEnd(&state->istream);
-+ deflateEnd(&state->ostream);
-+ OPENSSL_free(state);
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_COMP,ctx,&ctx->ex_data);
- }
-
-@@ -402,7 +399,7 @@ COMP_METHOD *COMP_zlib(void)
- if (zlib_stateful_ex_idx == -1)
- zlib_stateful_ex_idx =
- CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_COMP,
-- 0,NULL,NULL,NULL,zlib_stateful_free_ex_data);
-+ 0,NULL,NULL,NULL,NULL);
- CRYPTO_w_unlock(CRYPTO_LOCK_COMP);
- if (zlib_stateful_ex_idx == -1)
- goto err;
diff --git a/security/openssl/patches/patch-bc b/security/openssl/patches/patch-bc
new file mode 100644
index 00000000000..64826f77dc1
--- /dev/null
+++ b/security/openssl/patches/patch-bc
@@ -0,0 +1,19 @@
+$NetBSD: patch-bc,v 1.1.2.2 2010/03/27 14:44:42 tron Exp $
+
+Fix for CVE-2010-0740: http://www.openssl.org/news/secadv_20100324.txt
+
+--- ssl/s3_pkt.c.orig 2010-01-24 13:52:38.000000000 +0000
++++ ssl/s3_pkt.c
+@@ -291,9 +291,9 @@ again:
+ if (version != s->version)
+ {
+ SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
+- /* Send back error using their
+- * version number :-) */
+- s->version=version;
++ if ((s->version & 0xFF00) == (version & 0xFF00))
++ /* Send back error using their minor version number :-) */
++ s->version = (unsigned short)version;
+ al=SSL_AD_PROTOCOL_VERSION;
+ goto f_err;
+ }
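Review bot: The new guard `if ((s->version & 0xFF00) == (version & 0xFF00))` controls a single unbraced statement with a comment sitting between the condition and the assignment, so a later edit that adds a second statement there would run it unconditionally on this error path. I would brace it and let the comment state the rule: `{ /* adopt the peer's version for the alert only when the major byte matches ours */ s->version = (unsigned short)version; }`. The patch header cites only the advisory URL; one sentence saying that a record with a mismatched major version no longer overwrites `s->version` would keep the file self-explanatory if the link goes away. The enclosing function begins and ends outside the hunk, and because this appears to mirror the upstream fix, any bracing is best sent upstream as well so the local patch can be dropped cleanly at the next update.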