author | tron <tron@pkgsrc.org> | 2010-03-27 14:44:42 +0000 |
---|---|---|
committer | tron <tron@pkgsrc.org> | 2010-03-27 14:44:42 +0000 |
commit | 4e818c97f8cc8327db9437a44b11e26488850b4a (patch) | |
tree | 8688052de896b2913d373c70b8fb399712bb2e61 | |
parent | 4a2c2ceb82340a23619b6e7cc96847a81c46c920 (diff) | |
download | pkgsrc-4e818c97f8cc8327db9437a44b11e26488850b4a.tar.gz |
Pullup ticket #3065 - requested by taca
openssl: security update
Revisions pulled up:
- security/openssl/Makefile 1.144-1.1.146
- security/openssl/PLIST.common 1.17
- security/openssl/distinfo 1.72-1.73
- security/openssl/patches/patch-aa 1.23
- security/openssl/patches/patch-ac 1.38
- security/openssl/patches/patch-af 1.24
- security/openssl/patches/patch-ax delete
- security/openssl/patches/patch-ay delete
- security/openssl/patches/patch-az delete
- security/openssl/patches/patch-ba delete
- security/openssl/patches/patch-bb delete
- security/openssl/patches/patch-bc 1.1
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Feb 26 03:15:14 UTC 2010
Modified Files:
pkgsrc/security/openssl: Makefile distinfo
pkgsrc/security/openssl/patches: patch-aa patch-ac patch-af
Removed Files:
pkgsrc/security/openssl/patches: patch-ax patch-ay patch-az patch-ba
patch-bb
Log Message:
Update openssl to 0.9.8m.
The OpenSSL project team is pleased to announce the release of
version 0.9.8m of our open source toolkit for SSL/TLS. This new
OpenSSL version is a security and bugfix release which implements
RFC5746 to address renegotiation vulnerabilities mentioned in
CVE-2009-3555. For a complete list of changes,
please see http://www.openssl.org/source/exp/CHANGES.
---
Module Name: pkgsrc
Committed By: taca
Date: Mon Mar 1 08:15:40 UTC 2010
Modified Files:
pkgsrc/security/openssl: Makefile PLIST.common
Log Message:
Fix broken PLIST.
(I wonder why "make print-PLIST" generated wrong result before...")
Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Mar 26 00:20:49 UTC 2010
Modified Files:
pkgsrc/security/openssl: Makefile distinfo
Added Files:
pkgsrc/security/openssl/patches: patch-bc
Log Message:
Add a patch to fix CVE-2010-0740, a DoS problem.
http://www.openssl.org/news/secadv_20100324.txt
Bump PKGREVISION.
-rw-r--r-- | security/openssl/Makefile | 8 | ||||
-rw-r--r-- | security/openssl/PLIST.common | 71 | ||||
-rw-r--r-- | security/openssl/distinfo | 20 | ||||
-rw-r--r-- | security/openssl/patches/patch-aa | 14 | ||||
-rw-r--r-- | security/openssl/patches/patch-ac | 18 | ||||
-rw-r--r-- | security/openssl/patches/patch-af | 34 | ||||
-rw-r--r-- | security/openssl/patches/patch-ax | 24 | ||||
-rw-r--r-- | security/openssl/patches/patch-ay | 13 | ||||
-rw-r--r-- | security/openssl/patches/patch-az | 42 | ||||
-rw-r--r-- | security/openssl/patches/patch-ba | 17 | ||||
-rw-r--r-- | security/openssl/patches/patch-bb | 44 | ||||
-rw-r--r-- | security/openssl/patches/patch-bc | 19 |
12 files changed, 125 insertions, 199 deletions
diff --git a/security/openssl/Makefile b/security/openssl/Makefile index 6419ef94322..0fbde00028f 100644 --- a/security/openssl/Makefile +++ b/security/openssl/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.142.2.1 2010/01/24 10:56:27 tron Exp $ +# $NetBSD: Makefile,v 1.142.2.2 2010/03/27 14:44:42 tron Exp $ OPENSSL_SNAPSHOT?= # empty OPENSSL_STABLE?= # empty -OPENSSL_VERS?= 0.9.8l -PKGREVISION= 1 +OPENSSL_VERS?= 0.9.8m +PKGREVISION= 2 .if empty(OPENSSL_SNAPSHOT) DISTNAME= openssl-${OPENSSL_VERS} @@ -124,6 +124,8 @@ CONF_FILES= ${PREFIX}/share/examples/openssl/openssl.cnf \ ${PKG_SYSCONFDIR}/openssl.cnf OWN_DIRS= ${PKG_SYSCONFDIR}/certs ${PKG_SYSCONFDIR}/private +INSTALLATION_DIRS+= share/examples/openssl + # Fix the path to perl in various scripts. pre-configure: cd ${WRKSRC} && ${PERL5} util/perlpath.pl ${PERL5} diff --git a/security/openssl/PLIST.common b/security/openssl/PLIST.common index 876b4703680..31ffff07172 100644 --- a/security/openssl/PLIST.common +++ b/security/openssl/PLIST.common @@ -1,4 +1,4 @@ -@comment $NetBSD: PLIST.common,v 1.16 2009/06/14 21:21:16 joerg Exp $ +@comment $NetBSD: PLIST.common,v 1.16.6.1 2010/03/27 14:44:42 tron Exp $ bin/c_rehash bin/openssl include/openssl/aes.h 
@@ -641,6 +641,72 @@ man/man3/OpenSSL_add_all_ciphers.3 man/man3/OpenSSL_add_all_digests.3 man/man3/OpenSSL_add_ssl_algorithms.3 man/man3/PEM.3 +man/man3/PEM_read_DHparams.3 +man/man3/PEM_read_DSAPrivateKey.3 +man/man3/PEM_read_DSA_PUBKEY.3 +man/man3/PEM_read_DSAparams.3 +man/man3/PEM_read_NETSCAPE_CERT_SEQUENCE.3 +man/man3/PEM_read_PKCS7.3 +man/man3/PEM_read_PUBKEY.3 +man/man3/PEM_read_PrivateKey.3 +man/man3/PEM_read_RSAPrivateKey.3 +man/man3/PEM_read_RSAPublicKey.3 +man/man3/PEM_read_RSA_PUBKEY.3 +man/man3/PEM_read_X509.3 +man/man3/PEM_read_X509_AUX.3 +man/man3/PEM_read_X509_CRL.3 +man/man3/PEM_read_X509_REQ.3 +man/man3/PEM_read_bio_DHparams.3 +man/man3/PEM_read_bio_DSAPrivateKey.3 +man/man3/PEM_read_bio_DSA_PUBKEY.3 +man/man3/PEM_read_bio_DSAparams.3 +man/man3/PEM_read_bio_NETSCAPE_CERT_SEQUENCE.3 +man/man3/PEM_read_bio_PKCS7.3 +man/man3/PEM_read_bio_PUBKEY.3 +man/man3/PEM_read_bio_PrivateKey.3 +man/man3/PEM_read_bio_RSAPrivateKey.3 +man/man3/PEM_read_bio_RSAPublicKey.3 +man/man3/PEM_read_bio_RSA_PUBKEY.3 +man/man3/PEM_read_bio_X509.3 +man/man3/PEM_read_bio_X509_AUX.3 +man/man3/PEM_read_bio_X509_CRL.3 +man/man3/PEM_read_bio_X509_REQ.3 +man/man3/PEM_write_DHparams.3 +man/man3/PEM_write_DSAPrivateKey.3 +man/man3/PEM_write_DSA_PUBKEY.3 +man/man3/PEM_write_DSAparams.3 +man/man3/PEM_write_NETSCAPE_CERT_SEQUENCE.3 +man/man3/PEM_write_PKCS7.3 +man/man3/PEM_write_PKCS8PrivateKey.3 +man/man3/PEM_write_PKCS8PrivateKey_nid.3 +man/man3/PEM_write_PUBKEY.3 +man/man3/PEM_write_PrivateKey.3 +man/man3/PEM_write_RSAPrivateKey.3 +man/man3/PEM_write_RSAPublicKey.3 +man/man3/PEM_write_RSA_PUBKEY.3 +man/man3/PEM_write_X509.3 +man/man3/PEM_write_X509_AUX.3 +man/man3/PEM_write_X509_CRL.3 +man/man3/PEM_write_X509_REQ.3 +man/man3/PEM_write_X509_REQ_NEW.3 +man/man3/PEM_write_bio_DHparams.3 +man/man3/PEM_write_bio_DSAPrivateKey.3 +man/man3/PEM_write_bio_DSA_PUBKEY.3 +man/man3/PEM_write_bio_DSAparams.3 +man/man3/PEM_write_bio_NETSCAPE_CERT_SEQUENCE.3 +man/man3/PEM_write_bio_PKCS7.3 
+man/man3/PEM_write_bio_PKCS8PrivateKey.3 +man/man3/PEM_write_bio_PKCS8PrivateKey_nid.3 +man/man3/PEM_write_bio_PUBKEY.3 +man/man3/PEM_write_bio_PrivateKey.3 +man/man3/PEM_write_bio_RSAPrivateKey.3 +man/man3/PEM_write_bio_RSAPublicKey.3 +man/man3/PEM_write_bio_RSA_PUBKEY.3 +man/man3/PEM_write_bio_X509.3 +man/man3/PEM_write_bio_X509_AUX.3 +man/man3/PEM_write_bio_X509_CRL.3 +man/man3/PEM_write_bio_X509_REQ.3 +man/man3/PEM_write_bio_X509_REQ_NEW.3 man/man3/PKCS12_create.3 man/man3/PKCS12_parse.3 man/man3/PKCS7_decrypt.3 @@ -723,6 +789,7 @@ man/man3/SSL_CTX_add_extra_chain_cert.3 man/man3/SSL_CTX_add_session.3 man/man3/SSL_CTX_callback_ctrl.3 man/man3/SSL_CTX_check_private_key.3 +man/man3/SSL_CTX_clear_options.3 man/man3/SSL_CTX_ctrl.3 man/man3/SSL_CTX_flush_sessions.3 man/man3/SSL_CTX_free.3 @@ -820,6 +887,7 @@ man/man3/SSL_alert_type_string_long.3 man/man3/SSL_callback_ctrl.3 man/man3/SSL_check_private_key.3 man/man3/SSL_clear.3 +man/man3/SSL_clear_options.3 man/man3/SSL_connect.3 man/man3/SSL_ctrl.3 man/man3/SSL_do_handshake.3 @@ -850,6 +918,7 @@ man/man3/SSL_get_peer_cert_chain.3 man/man3/SSL_get_peer_certificate.3 man/man3/SSL_get_quiet_shutdown.3 man/man3/SSL_get_rbio.3 +man/man3/SSL_get_secure_renegotiation_support.3 man/man3/SSL_get_session.3 man/man3/SSL_get_shutdown.3 man/man3/SSL_get_ssl_method.3 diff --git a/security/openssl/distinfo b/security/openssl/distinfo index 427af717e0b..2364287ca7f 100644 --- a/security/openssl/distinfo +++ b/security/openssl/distinfo 
@@ -1,18 +1,14 @@ -$NetBSD: distinfo,v 1.70.2.1 2010/01/24 10:56:27 tron Exp $ +$NetBSD: distinfo,v 1.70.2.2 2010/03/27 14:44:42 tron Exp $ -SHA1 (openssl-0.9.8l.tar.gz) = d3fb6ec89532ab40646b65af179bb1770f7ca28f -RMD160 (openssl-0.9.8l.tar.gz) = 9de81ec2583edcba729e62d50fd22c0a98a52903 -Size (openssl-0.9.8l.tar.gz) = 4179422 bytes -SHA1 (patch-aa) = cb6942b0be960151c185e89af1e09050a6b18dff -SHA1 (patch-ac) = 3f62d36e18c2b8f587322dac5b329207704f40ad +SHA1 (openssl-0.9.8m.tar.gz) = 2511c709a47f34d5fa6cd1a1c9cb1699bdffa912 +RMD160 (openssl-0.9.8m.tar.gz) = 0296af151993008526b4f2b3a6810e20c4ad3759 +Size (openssl-0.9.8m.tar.gz) = 3767604 bytes +SHA1 (patch-aa) = b3899aebeea9bd9ead58771ca52ecec049589a55 +SHA1 (patch-ac) = 6ff4a20440666f5c520837e10547091e1bee2208 SHA1 (patch-ad) = bb86ac463fc4ab8b485df5f1a4fb9c13c1fc41c3 SHA1 (patch-ae) = 7a58f1765a3761321dcc8dafc5fe2e33207be480 -SHA1 (patch-af) = 81263ce9dc0e89293ac1fc298e1178253a0b0b1b +SHA1 (patch-af) = 2610930b6b06397fa2e3955b3244c02193f5b7a6 SHA1 (patch-ag) = 5f12c72b85e4b6c6a79dfcf87055e9e029fbd8c8 SHA1 (patch-ak) = 049250b9bd42e6f155145703135dab39a7ec17e0 SHA1 (patch-al) = 076a606352bdeaeea1cc64f16be2ac1325882302 -SHA1 (patch-ax) = ef0c657de2aa42baa365b9857583d1c55d0e7d1b -SHA1 (patch-ay) = 6d5de155e5508cd2237387626c8e1ff7ee603f8e -SHA1 (patch-az) = aa7ef7192d56979ba09aa1dab8a2cdf9868f9c4a -SHA1 (patch-ba) = b8ab55c0c6ab4b995cae18517609720f0803e11f -SHA1 (patch-bb) = a4092a65f52d3c9c85c9015901b2a5eeb11d0955 +SHA1 (patch-bc) = 9200ae3c86fb5c278c9692441555faa4c51afb30 diff --git a/security/openssl/patches/patch-aa b/security/openssl/patches/patch-aa index 5c2acd50232..2720bca4ab8 100644 --- a/security/openssl/patches/patch-aa +++ b/security/openssl/patches/patch-aa @@ -1,15 +1,15 @@ -$NetBSD: patch-aa,v 1.22 2010/01/15 04:55:30 taca Exp $ +$NetBSD: patch-aa,v 1.22.2.1 2010/03/27 14:44:42 tron Exp $ ---- config.orig 2009-02-16 08:43:41.000000000 +0000 +--- config.orig 2009-10-15 12:58:00.000000000 +0000 +++ config 
@@ -49,6 +49,7 @@ done # First get uname entries that we use below - MACHINE=`(uname -m) 2>/dev/null` || MACHINE="unknown" -+MACHINE_ARCH=`(uname -p) 2>/dev/null` || MACHINE_ARCH="unknown" - RELEASE=`(uname -r) 2>/dev/null` || RELEASE="unknown" - SYSTEM=`(uname -s) 2>/dev/null` || SYSTEM="unknown" - VERSION=`(uname -v) 2>/dev/null` || VERSION="unknown" + [ "$MACHINE" ] || MACHINE=`(uname -m) 2>/dev/null` || MACHINE="unknown" ++[ "$MACHINE_ARCH" ] || MACHINE_ARCH=`(uname -p) 2>/dev/null` || MACHINE_ARCH="unknown" + [ "$RELEASE" ] || RELEASE=`(uname -r) 2>/dev/null` || RELEASE="unknown" + [ "$SYSTEM" ] || SYSTEM=`(uname -s) 2>/dev/null` || SYSTEM="unknown" + [ "$BUILD" ] || VERSION=`(uname -v) 2>/dev/null` || VERSION="unknown" @@ -154,6 +155,10 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${ echo "mips4-sgi-irix64"; exit 0 ;; diff --git a/security/openssl/patches/patch-ac b/security/openssl/patches/patch-ac index 05e06c9ca5f..0791b5dc8c9 100644 --- a/security/openssl/patches/patch-ac +++ b/security/openssl/patches/patch-ac 
@@ -1,17 +1,17 @@ -$NetBSD: patch-ac,v 1.37 2010/01/15 04:55:30 taca Exp $ +$NetBSD: patch-ac,v 1.37.2.1 2010/03/27 14:44:42 tron Exp $ ---- Configure.orig 2009-11-05 12:07:06.000000000 +0000 +--- Configure.orig 2009-11-09 14:14:26.000000000 +0000 +++ Configure -@@ -206,7 +206,7 @@ my %table=( - "solaris64-x86_64-gcc","gcc:-m64 -O3 -Wall -DL_ENDIAN -DMD32_REG_T=int::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:solaris-shared:-fPIC:-m64 -shared -static-libgcc:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +@@ -212,7 +212,7 @@ my %table=( + "solaris64-x86_64-gcc","gcc:-m64 -O3 -Wall -DL_ENDIAN -DMD32_REG_T=int::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:solaris-shared:-fPIC:-m64 -shared -static-libgcc:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### Solaris x86 with Sun C setups -"solaris-x86-cc","cc:-fast -O -Xa::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR:${no_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris-x86-cc","cc:-xO5 -Xa::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR:${no_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", - "solaris64-x86_64-cc","cc:-fast -xarch=amd64 -xstrconst -Xa -DL_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:solaris-shared:-KPIC:-xarch=amd64 -G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + "solaris64-x86_64-cc","cc:-fast -xarch=amd64 -xstrconst -Xa -DL_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:solaris-shared:-KPIC:-xarch=amd64 -G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### SPARC Solaris with GNU C setups -@@ -318,6 +318,7 @@ my %table=( +@@ -324,6 +324,7 @@ my %table=( # "osf1-alpha-gcc", 
"gcc:-O3::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:${no_asm}:dlfcn:alpha-osf1-shared:::.so", "osf1-alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${no_asm}:dlfcn:alpha-osf1-shared:::.so", @@ -19,7 +19,7 @@ $NetBSD: patch-ac,v 1.37 2010/01/15 04:55:30 taca Exp $ "tru64-alpha-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${no_asm}:dlfcn:alpha-osf1-shared::-msym:.so", #### -@@ -380,6 +381,25 @@ my %table=( +@@ -386,6 +387,25 @@ my %table=( "BSD-ia64", "gcc:-DL_ENDIAN -DTERMIOS -O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "BSD-x86_64", "gcc:-DL_ENDIAN -DTERMIOS -O3 -DMD32_REG_T=int -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -45,7 +45,7 @@ $NetBSD: patch-ac,v 1.37 2010/01/15 04:55:30 taca Exp $ "bsdi-elf-gcc", "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall::(unknown)::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "nextstep", "cc:-O -Wall:<libc.h>:(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", -@@ -808,6 +828,10 @@ PROCESS_ARGS: +@@ -821,6 +841,10 @@ PROCESS_ARGS: { $libs.=$_." "; } @@ -56,7 +56,7 @@ $NetBSD: patch-ac,v 1.37 2010/01/15 04:55:30 taca Exp $ elsif (/^-[^-]/ or /^\+/) { $flags.=$_." "; -@@ -1523,7 +1547,7 @@ while (<IN>) +@@ -1566,7 +1590,7 @@ while (<IN>) elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/) { my $sotmp = $1; diff --git a/security/openssl/patches/patch-af b/security/openssl/patches/patch-af index b209050cfcc..f99365b8027 100644 --- a/security/openssl/patches/patch-af +++ b/security/openssl/patches/patch-af 
@@ -1,6 +1,6 @@ -$NetBSD: patch-af,v 1.23 2010/01/15 04:55:30 taca Exp $ +$NetBSD: patch-af,v 1.23.2.1 2010/03/27 14:44:42 tron Exp $ ---- Makefile.org.orig 2009-03-03 22:40:29.000000000 +0000 +--- Makefile.org.orig 2010-01-27 16:06:36.000000000 +0000 +++ Makefile.org @@ -28,6 +28,7 @@ INSTALLTOP=/usr/local/ssl @@ -10,7 +10,7 @@ $NetBSD: patch-af,v 1.23 2010/01/15 04:55:30 taca Exp $ # NO_IDEA - Define to build without the IDEA algorithm # NO_RC4 - Define to build without the RC4 algorithm -@@ -131,8 +132,8 @@ FIPSCANLIB= +@@ -132,8 +133,8 @@ FIPSCANLIB= BASEADDR= @@ -21,7 +21,7 @@ $NetBSD: patch-af,v 1.23 2010/01/15 04:55:30 taca Exp $ # dirs in crypto to build SDIRS= \ -@@ -152,7 +153,7 @@ TESTS = alltests +@@ -153,7 +154,7 @@ TESTS = alltests MAKEFILE= Makefile @@ -30,7 +30,7 @@ $NetBSD: patch-af,v 1.23 2010/01/15 04:55:30 taca Exp $ MAN1=1 MAN3=3 MANSUFFIX= -@@ -168,6 +169,7 @@ SHARED_SSL=libssl$(SHLIB_EXT) +@@ -169,6 +170,7 @@ SHARED_SSL=libssl$(SHLIB_EXT) SHARED_FIPS= SHARED_LIBS= SHARED_LIBS_LINK_EXTS= @@ -38,16 +38,7 @@ $NetBSD: patch-af,v 1.23 2010/01/15 04:55:30 taca Exp $ SHARED_LDFLAGS= GENERAL= Makefile -@@ -200,7 +202,7 @@ BUILDENV= PLATFORM='${PLATFORM}' PROCESS - CC='${CC}' CFLAG='${CFLAG}' \ - AS='${CC}' ASFLAG='${CFLAG} -c' \ - AR='${AR}' PERL='${PERL}' RANLIB='${RANLIB}' \ -- SDIRS='${SDIRS}' LIBRPATH='${INSTALLTOP}/lib' \ -+ SDIRS='${SDIRS}' LIBRPATH='${LIBRPATH}' \ - INSTALL_PREFIX='${INSTALL_PREFIX}' \ - INSTALLTOP='${INSTALLTOP}' OPENSSLDIR='${OPENSSLDIR}' \ - MAKEDEPEND='$$$${TOP}/util/domd $$$${TOP} -MD ${MAKEDEPPROG}' \ -@@ -611,7 +613,7 @@ dist: +@@ -615,7 +617,7 @@ dist: dist_pem_h: (cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean) 
@@ -56,18 +47,7 @@ $NetBSD: patch-af,v 1.23 2010/01/15 04:55:30 taca Exp $ install_sw: @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \ -@@ -619,9 +621,7 @@ install_sw: - $(INSTALL_PREFIX)$(INSTALLTOP)/lib/engines \ - $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig \ - $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \ -- $(INSTALL_PREFIX)$(OPENSSLDIR)/misc \ -- $(INSTALL_PREFIX)$(OPENSSLDIR)/certs \ -- $(INSTALL_PREFIX)$(OPENSSLDIR)/private -+ $(INSTALL_PREFIX)$(EXAMPLEDIR) - @set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\ - do \ - (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \ -@@ -691,35 +691,53 @@ install_docs: +@@ -695,35 +697,53 @@ install_docs: set -e; for i in doc/apps/*.pod; do \ fn=`basename $$i .pod`; \ sec=`$(PERL) util/extract-section.pl 1 < $$i`; \ diff --git a/security/openssl/patches/patch-ax b/security/openssl/patches/patch-ax deleted file mode 100644 index b710884ea85..00000000000 --- a/security/openssl/patches/patch-ax +++ /dev/null @@ -1,24 +0,0 @@ -$NetBSD: patch-ax,v 1.1 2009/06/10 13:57:08 tez Exp $ - -Part of CVE-2009-1377 fix. - ---- crypto/pqueue/pqueue.c.orig 2009-06-08 18:55:59.826213100 -0500 -+++ crypto/pqueue/pqueue.c -@@ -234,3 +234,17 @@ pqueue_next(pitem **item) - - return ret; - } -+ -+int -+pqueue_size(pqueue_s *pq) -+{ -+ pitem *item = pq->items; -+ int count = 0; -+ -+ while(item != NULL) -+ { -+ count++; -+ item = item->next; -+ } -+ return count; -+} diff --git a/security/openssl/patches/patch-ay b/security/openssl/patches/patch-ay deleted file mode 100644 index 166214c5209..00000000000 --- a/security/openssl/patches/patch-ay +++ /dev/null 
@@ -1,13 +0,0 @@
-$NetBSD: patch-ay,v 1.1 2009/06/10 13:57:08 tez Exp $
-
-Part of CVE-2009-1377 fix.
-
---- crypto/pqueue/pqueue.h.orig 2009-06-08 18:57:00.672546600 -0500
-+++ crypto/pqueue/pqueue.h
-@@ -91,5 +91,6 @@ pitem *pqueue_iterator(pqueue pq);
- pitem *pqueue_next(piterator *iter);
-
- void pqueue_print(pqueue pq);
-+int pqueue_size(pqueue pq);
-
- #endif /* ! HEADER_PQUEUE_H */
diff --git a/security/openssl/patches/patch-az b/security/openssl/patches/patch-az
deleted file mode 100644
index 9106990b117..00000000000
--- a/security/openssl/patches/patch-az
+++ /dev/null
@@ -1,42 +0,0 @@
-$NetBSD: patch-az,v 1.1 2009/06/10 13:57:08 tez Exp $
-
-CVE-2009-1378 and CVE-2009-1379 fixes.
-
---- ssl/d1_both.c.orig 2009-06-08 18:59:50.629293200 -0500
-+++ ssl/d1_both.c
-@@ -519,6 +519,8 @@ dtls1_retrieve_buffered_fragment(SSL *s,
-
- if ( s->d1->handshake_read_seq == frag->msg_header.seq)
- {
-+ unsigned long frag_len = frag->msg_header.frag_len;
-+
- pqueue_pop(s->d1->buffered_messages);
-
- al=dtls1_preprocess_fragment(s,&frag->msg_header,max);
-@@ -536,7 +538,7 @@ dtls1_retrieve_buffered_fragment(SSL *s,
- if (al==0)
- {
- *ok = 1;
-- return frag->msg_header.frag_len;
-+ return frag_len;
- }
-
- ssl3_send_alert(s,SSL3_AL_FATAL,al);
-@@ -561,7 +563,16 @@ dtls1_process_out_of_seq_message(SSL *s,
- if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
- goto err;
-
-- if (msg_hdr->seq <= s->d1->handshake_read_seq)
-+ /* Try to find item in queue, to prevent duplicate entries */
-+ pq_64bit_init(&seq64);
-+ pq_64bit_assign_word(&seq64, msg_hdr->seq);
-+ item = pqueue_find(s->d1->buffered_messages, seq64);
-+ pq_64bit_free(&seq64);
-+
-+ /* Discard the message if sequence number was already there, is
-+ * too far in the future or the fragment is already in the queue */
-+ if (msg_hdr->seq <= s->d1->handshake_read_seq ||
-+ msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
- {
- unsigned char devnull [256];
-
diff --git a/security/openssl/patches/patch-ba b/security/openssl/patches/patch-ba
deleted file mode 100644
index 557e03224ed..00000000000
--- a/security/openssl/patches/patch-ba
+++ /dev/null
@@ -1,17 +0,0 @@
-$NetBSD: patch-ba,v 1.1 2009/06/10 13:57:08 tez Exp $
-
-Part of CVE-2009-1377 fix.
-
---- ssl/d1_pkt.c.orig 2009-06-08 18:58:13.784215600 -0500
-+++ ssl/d1_pkt.c
-@@ -167,6 +167,10 @@ dtls1_buffer_record(SSL *s, record_pqueu
- DTLS1_RECORD_DATA *rdata;
- pitem *item;
-
-+ /* Limit the size of the queue to prevent DOS attacks */
-+ if (pqueue_size(queue->q) >= 100)
-+ return 0;
-+
- rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
- item = pitem_new(priority, rdata);
- if (rdata == NULL || item == NULL)
diff --git a/security/openssl/patches/patch-bb b/security/openssl/patches/patch-bb
deleted file mode 100644
index 66eabfe1fac..00000000000
--- a/security/openssl/patches/patch-bb
+++ /dev/null
@@ -1,44 +0,0 @@
-$NetBSD: patch-bb,v 1.1.2.2 2010/01/24 10:56:27 tron Exp $
-
-deal with CVE-2009-4355, revsion 1.15.2.8 from OpenSSL's CVS repository.
-
---- crypto/comp/c_zlib.c.orig 2008-12-13 17:00:53.000000000 +0000
-+++ crypto/comp/c_zlib.c
-@@ -136,15 +136,6 @@ struct zlib_state
-
- static int zlib_stateful_ex_idx = -1;
-
--static void zlib_stateful_free_ex_data(void *obj, void *item,
-- CRYPTO_EX_DATA *ad, int ind,long argl, void *argp)
-- {
-- struct zlib_state *state = (struct zlib_state *)item;
-- inflateEnd(&state->istream);
-- deflateEnd(&state->ostream);
-- OPENSSL_free(state);
-- }
--
- static int zlib_stateful_init(COMP_CTX *ctx)
- {
- int err;
-@@ -188,6 +179,12 @@ static int zlib_stateful_init(COMP_CTX *
-
- static void zlib_stateful_finish(COMP_CTX *ctx)
- {
-+ struct zlib_state *state =
-+ (struct zlib_state *)CRYPTO_get_ex_data(&ctx->ex_data,
-+ zlib_stateful_ex_idx);
-+ inflateEnd(&state->istream);
-+ deflateEnd(&state->ostream);
-+ OPENSSL_free(state);
- CRYPTO_free_ex_data(CRYPTO_EX_INDEX_COMP,ctx,&ctx->ex_data);
- }
-
-@@ -402,7 +399,7 @@ COMP_METHOD *COMP_zlib(void)
- if (zlib_stateful_ex_idx == -1)
- zlib_stateful_ex_idx =
- CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_COMP,
-- 0,NULL,NULL,NULL,zlib_stateful_free_ex_data);
-+ 0,NULL,NULL,NULL,NULL);
- CRYPTO_w_unlock(CRYPTO_LOCK_COMP);
- if (zlib_stateful_ex_idx == -1)
- goto err;
diff --git a/security/openssl/patches/patch-bc b/security/openssl/patches/patch-bc
new file mode 100644
index 00000000000..64826f77dc1
--- /dev/null
+++ b/security/openssl/patches/patch-bc
@@ -0,0 +1,19 @@
+$NetBSD: patch-bc,v 1.1.2.2 2010/03/27 14:44:42 tron Exp $
+
+Fix for CVE-2010-0740: http://www.openssl.org/news/secadv_20100324.txt
+
+--- ssl/s3_pkt.c.orig 2010-01-24 13:52:38.000000000 +0000
++++ ssl/s3_pkt.c
+@@ -291,9 +291,9 @@ again:
+ if (version != s->version)
+ {
+ SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
+- /* Send back error using their
+- * version number :-) */
+- s->version=version;
++ if ((s->version & 0xFF00) == (version & 0xFF00))
++ /* Send back error using their minor version number :-) */
++ s->version = (unsigned short)version;
+ al=SSL_AD_PROTOCOL_VERSION;
+ goto f_err;
+ } |
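Review bot: The new guard in the `version != s->version` branch carries no explanation of why the peer's version may only be copied into `s->version` when the major byte matches, which is the actual fix for the DoS; the only comment is the old remark with "minor" added. I would put a comment above the `if`, for example `/* Adopt the peer's version for the alert only if the major version matches; an arbitrary value must not be stored in s->version (CVE-2010-0740). */`, so a later cleanup does not fold it back into the unconditional assignment. The `if` is also unbraced, with the comment sitting between the condition and its single statement, so `al=SSL_AD_PROTOCOL_VERSION;` reads at first glance as part of the body; because the patch appears to be carried from upstream, I would leave that layout as it is and only note it. The enclosing function starts and ends outside the hunk.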