summaryrefslogtreecommitdiff
path: root/security/openssl
diff options
context:
space:
mode:
authortaca <taca@pkgsrc.org>2006-09-30 04:20:24 +0000
committertaca <taca@pkgsrc.org>2006-09-30 04:20:24 +0000
commita62f70f91b43854e098f14ead48e9a5158eeb92c (patch)
tree9b4e5845a4f292027d0bab0ba6bc80090eb0b83c /security/openssl
parent02c51ba966be11abadc85e7afd23dcbcd0406867 (diff)
downloadpkgsrc-a62f70f91b43854e098f14ead48e9a5158eeb92c.tar.gz
Apply patches which fixes recent security problem of OpenSSL.
http://secunia.com/advisories/22130/ Bump PKGREVISION.
Diffstat (limited to 'security/openssl')
-rw-r--r--security/openssl/Makefile4
-rw-r--r--security/openssl/distinfo14
-rw-r--r--security/openssl/patches/patch-ah15
-rw-r--r--security/openssl/patches/patch-ai64
-rw-r--r--security/openssl/patches/patch-an38
-rw-r--r--security/openssl/patches/patch-ao15
-rw-r--r--security/openssl/patches/patch-ap25
-rw-r--r--security/openssl/patches/patch-aq33
-rw-r--r--security/openssl/patches/patch-ar28
-rw-r--r--security/openssl/patches/patch-as17
-rw-r--r--security/openssl/patches/patch-at25
-rw-r--r--security/openssl/patches/patch-au32
-rw-r--r--security/openssl/patches/patch-av14
-rw-r--r--security/openssl/patches/patch-aw16
14 files changed, 337 insertions, 3 deletions
diff --git a/security/openssl/Makefile b/security/openssl/Makefile
index fbb42d36165..1adcc964e59 100644
--- a/security/openssl/Makefile
+++ b/security/openssl/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.116 2006/09/07 09:44:31 adrianp Exp $
+# $NetBSD: Makefile,v 1.117 2006/09/30 04:20:24 taca Exp $
OPENSSL_SNAPSHOT?= # empty
OPENSSL_STABLE?= # empty
@@ -24,7 +24,7 @@ MASTER_SITES= ftp://ftp.openssl.org/snapshot/
. endif
.endif
-PKGREVISION= 2
+PKGREVISION= 3
SVR4_PKGNAME= ossl
CATEGORIES= security
MAINTAINER= pkgsrc-users@NetBSD.org
diff --git a/security/openssl/distinfo b/security/openssl/distinfo
index 08a8264f7bd..2d855d99722 100644
--- a/security/openssl/distinfo
+++ b/security/openssl/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.52 2006/09/07 09:44:31 adrianp Exp $
+$NetBSD: distinfo,v 1.53 2006/09/30 04:20:24 taca Exp $
SHA1 (openssl-0.9.7i.tar.gz) = 4c23925744d43272fa19615454da44e01465eb06
RMD160 (openssl-0.9.7i.tar.gz) = 0dce52c5793a0c37f17b620f7d26bbf9e4fcf755
@@ -8,6 +8,18 @@ SHA1 (patch-ac) = ee8229a330cb5fcdd31cceaa14f3cadcba4858bf
SHA1 (patch-ad) = 2581d06c21ed6d1c9a554289591031a6eb66a686
SHA1 (patch-ae) = cb3ce622ef9efc4098d57b10059e5424272520c8
SHA1 (patch-af) = e8a9d803d362658e0db3f044b35794b2084b7667
+SHA1 (patch-ah) = 5245d7ca407af952cfa028e46cf7a54dc0f50f6f
+SHA1 (patch-ai) = f960775a57551a70806517b439606099000ea97e
SHA1 (patch-ak) = 7f9960a97cbe83c381c2a4565ca3a6e4e661bf54
SHA1 (patch-al) = 64fd0be6adf30821b4c4bba3c9088c6dcbff3ba7
SHA1 (patch-am) = 209aad896f976e5acc9bf66f5e3fdf6193d2ff3d
+SHA1 (patch-an) = c38cf54341ae5b770f984859c1a3bf6df41e0532
+SHA1 (patch-ao) = 834860d35eaa1211db664346a362822114bd16ef
+SHA1 (patch-ap) = 9473b8e69b71864baab3d38ee3de90e7027b1b0b
+SHA1 (patch-aq) = 68704a8048f7eea3744ae5e04dda09c676762923
+SHA1 (patch-ar) = 575be597244eb04576651d7b0276604d51fa7464
+SHA1 (patch-as) = d7984ceadfa51356e6d7a9cc398c1adf7e755930
+SHA1 (patch-at) = d232c98b680c8b279181b08efc84c569128d9ebb
+SHA1 (patch-au) = 6924cb666df8ed1eadd28a8ba75462560e72ac43
+SHA1 (patch-av) = dc8d31971b9535965339681b7a0c32d0b72d50bd
+SHA1 (patch-aw) = 9139c779ac221595423c38dd97a0ec91f103083e
diff --git a/security/openssl/patches/patch-ah b/security/openssl/patches/patch-ah
new file mode 100644
index 00000000000..5ddd76b5a9d
--- /dev/null
+++ b/security/openssl/patches/patch-ah
@@ -0,0 +1,15 @@
+$NetBSD: patch-ah,v 1.6 2006/09/30 04:20:24 taca Exp $
+
+# http://secunia.com/advisories/22130/
+
+--- ssl/s3_srvr.c.orig 2005-04-10 08:52:53.000000000 +0900
++++ ssl/s3_srvr.c
+@@ -1727,7 +1727,7 @@ static int ssl3_get_client_key_exchange(
+
+ if (kssl_ctx->client_princ)
+ {
+- int len = strlen(kssl_ctx->client_princ);
++ size_t len = strlen(kssl_ctx->client_princ);
+ if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH )
+ {
+ s->session->krb5_client_princ_len = len;
diff --git a/security/openssl/patches/patch-ai b/security/openssl/patches/patch-ai
new file mode 100644
index 00000000000..fcfcb175d74
--- /dev/null
+++ b/security/openssl/patches/patch-ai
@@ -0,0 +1,64 @@
+$NetBSD: patch-ai,v 1.6 2006/09/30 04:20:24 taca Exp $
+
+# http://secunia.com/advisories/22130/
+
+--- crypto/rsa/rsa_eay.c.orig 2005-05-29 05:15:47.000000000 +0900
++++ crypto/rsa/rsa_eay.c
+@@ -157,6 +157,28 @@ static int RSA_eay_public_encrypt(int fl
+ unsigned char *buf=NULL;
+ BN_CTX *ctx=NULL;
+
++ if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
++ {
++ RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
++ return -1;
++ }
++
++ if (BN_ucmp(rsa->n, rsa->e) <= 0)
++ {
++ RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
++ return -1;
++ }
++
++ /* for large moduli, enforce exponent limit */
++ if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
++ {
++ if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
++ {
++ RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
++ return -1;
++ }
++ }
++
+ BN_init(&f);
+ BN_init(&ret);
+ if ((ctx=BN_CTX_new()) == NULL) goto err;
+@@ -576,6 +598,28 @@ static int RSA_eay_public_decrypt(int fl
+ unsigned char *buf=NULL;
+ BN_CTX *ctx=NULL;
+
++ if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
++ {
++ RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
++ return -1;
++ }
++
++ if (BN_ucmp(rsa->n, rsa->e) <= 0)
++ {
++ RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
++ return -1;
++ }
++
++ /* for large moduli, enforce exponent limit */
++ if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
++ {
++ if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
++ {
++ RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
++ return -1;
++ }
++ }
++
+ BN_init(&f);
+ BN_init(&ret);
+ ctx=BN_CTX_new();
diff --git a/security/openssl/patches/patch-an b/security/openssl/patches/patch-an
new file mode 100644
index 00000000000..f8eacf9fb82
--- /dev/null
+++ b/security/openssl/patches/patch-an
@@ -0,0 +1,38 @@
+$NetBSD: patch-an,v 1.1 2006/09/30 04:20:24 taca Exp $
+
+# http://secunia.com/advisories/22130/
+
+--- crypto/asn1/tasn_dec.c.orig 2005-05-01 03:16:40.000000000 +0900
++++ crypto/asn1/tasn_dec.c
+@@ -628,6 +628,9 @@ static int asn1_d2i_ex_primitive(ASN1_VA
+ if(!ret) {
+ ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_NESTED_ASN1_ERROR);
+ return 0;
++
++ ret = 0;
++
+ } else if(ret == -1) return -1;
+ /* SEQUENCE, SET and "OTHER" are left in encoded form */
+ if((utype == V_ASN1_SEQUENCE) || (utype == V_ASN1_SET) || (utype == V_ASN1_OTHER)) {
+@@ -662,7 +665,11 @@ static int asn1_d2i_ex_primitive(ASN1_VA
+ * internally irrespective of the type. So instead just check
+ * for UNIVERSAL class and ignore the tag.
+ */
+- if(!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL)) goto err;
++ if(!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL))
++ {
++ free_cont = 1;
++ goto err;
++ }
+ len = buf.length;
+ /* Append a final null to string */
+ if(!BUF_MEM_grow_clean(&buf, len + 1)) {
+@@ -903,7 +910,7 @@ static int asn1_collect(BUF_MEM *buf, un
+ return 0;
+ #endif
+ } else {
+- if(!collect_data(buf, &p, plen)) return 0;
++ if(plen && !collect_data(buf, &p, plen)) return 0;
+ }
+ len -= p - q;
+ }
diff --git a/security/openssl/patches/patch-ao b/security/openssl/patches/patch-ao
new file mode 100644
index 00000000000..0b53ba7001a
--- /dev/null
+++ b/security/openssl/patches/patch-ao
@@ -0,0 +1,15 @@
+$NetBSD: patch-ao,v 1.1 2006/09/30 04:20:24 taca Exp $
+
+# http://secunia.com/advisories/22130/
+
+--- ssl/ssl_lib.c.orig 2005-06-11 05:00:39.000000000 +0900
++++ ssl/ssl_lib.c
+@@ -1187,7 +1187,7 @@ char *SSL_get_shared_ciphers(const SSL *
+ c=sk_SSL_CIPHER_value(sk,i);
+ for (cp=c->name; *cp; )
+ {
+- if (len-- == 0)
++ if (len-- <= 0)
+ {
+ *p='\0';
+ return(buf);
diff --git a/security/openssl/patches/patch-ap b/security/openssl/patches/patch-ap
new file mode 100644
index 00000000000..f29eb463c49
--- /dev/null
+++ b/security/openssl/patches/patch-ap
@@ -0,0 +1,25 @@
+$NetBSD: patch-ap,v 1.1 2006/09/30 04:20:24 taca Exp $
+
+# http://secunia.com/advisories/22130/
+
+--- crypto/dh/dh.h.orig 2005-05-16 10:26:03.000000000 +0900
++++ crypto/dh/dh.h
+@@ -70,6 +70,10 @@
+ #include <openssl/crypto.h>
+ #include <openssl/ossl_typ.h>
+
++#ifndef OPENSSL_DH_MAX_MODULUS_BITS
++# define OPENSSL_DH_MAX_MODULUS_BITS 10000
++#endif
++
+ #define DH_FLAG_CACHE_MONT_P 0x01
+ #define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
+ * implementation now uses constant time
+@@ -203,6 +207,7 @@ void ERR_load_DH_strings(void);
+ #define DH_F_DH_GENERATE_KEY 103
+ #define DH_F_DH_GENERATE_PARAMETERS 104
+ #define DH_F_DH_NEW_METHOD 105
++#define DH_R_MODULUS_TOO_LARGE 103
+
+ /* Reason codes. */
+ #define DH_R_BAD_GENERATOR 101
diff --git a/security/openssl/patches/patch-aq b/security/openssl/patches/patch-aq
new file mode 100644
index 00000000000..85f55a29427
--- /dev/null
+++ b/security/openssl/patches/patch-aq
@@ -0,0 +1,33 @@
+$NetBSD: patch-aq,v 1.1 2006/09/30 04:20:24 taca Exp $
+
+# http://secunia.com/advisories/22130/
+
+--- crypto/dh/dh_key.c.orig 2005-05-28 00:39:11.000000000 +0900
++++ crypto/dh/dh_key.c
+@@ -180,6 +180,12 @@ static int compute_key(unsigned char *ke
+ BIGNUM *tmp;
+ int ret= -1;
+
++ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS)
++ {
++ DHerr(DH_F_DH_COMPUTE_KEY,DH_R_MODULUS_TOO_LARGE);
++ goto err;
++ }
++
+ ctx = BN_CTX_new();
+ if (ctx == NULL) goto err;
+ BN_CTX_start(ctx);
+@@ -213,8 +219,11 @@ static int compute_key(unsigned char *ke
+
+ ret=BN_bn2bin(tmp,key);
+ err:
+- BN_CTX_end(ctx);
+- BN_CTX_free(ctx);
++ if (ctx != NULL)
++ {
++ BN_CTX_end(ctx);
++ BN_CTX_free(ctx);
++ }
+ return(ret);
+ }
+
diff --git a/security/openssl/patches/patch-ar b/security/openssl/patches/patch-ar
new file mode 100644
index 00000000000..9c25622a73a
--- /dev/null
+++ b/security/openssl/patches/patch-ar
@@ -0,0 +1,28 @@
+$NetBSD: patch-ar,v 1.1 2006/09/30 04:20:24 taca Exp $
+
+# http://secunia.com/advisories/22130/
+
+--- crypto/dsa/dsa.h.orig 2005-05-16 10:26:04.000000000 +0900
++++ crypto/dsa/dsa.h
+@@ -79,6 +79,10 @@
+ # include <openssl/dh.h>
+ #endif
+
++#ifndef OPENSSL_DSA_MAX_MODULUS_BITS
++# define OPENSSL_DSA_MAX_MODULUS_BITS 10000
++#endif
++
+ #define DSA_FLAG_CACHE_MONT_P 0x01
+ #define DSA_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DSA
+ * implementation now uses constant time
+@@ -252,8 +256,10 @@ void ERR_load_DSA_strings(void);
+ #define DSA_F_SIG_CB 114
+
+ /* Reason codes. */
++#define DSA_R_BAD_Q_VALUE 102
+ #define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 100
+ #define DSA_R_MISSING_PARAMETERS 101
++#define DSA_R_MODULUS_TOO_LARGE 103
+
+ #ifdef __cplusplus
+ }
diff --git a/security/openssl/patches/patch-as b/security/openssl/patches/patch-as
new file mode 100644
index 00000000000..311e0c43fb3
--- /dev/null
+++ b/security/openssl/patches/patch-as
@@ -0,0 +1,17 @@
+$NetBSD: patch-as,v 1.1 2006/09/30 04:20:24 taca Exp $
+
+# http://secunia.com/advisories/22130/
+
+--- crypto/dsa/dsa_err.c.orig 2005-04-12 22:47:50.000000000 +0900
++++ crypto/dsa/dsa_err.c
+@@ -89,8 +89,10 @@ static ERR_STRING_DATA DSA_str_functs[]=
+
+ static ERR_STRING_DATA DSA_str_reasons[]=
+ {
++{ERR_REASON(DSA_R_BAD_Q_VALUE) ,"bad q value"},
+ {ERR_REASON(DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE),"data too large for key size"},
+ {ERR_REASON(DSA_R_MISSING_PARAMETERS) ,"missing parameters"},
++{ERR_REASON(DSA_R_MODULUS_TOO_LARGE) ,"modulus too large"},
+ {0,NULL}
+ };
+
diff --git a/security/openssl/patches/patch-at b/security/openssl/patches/patch-at
new file mode 100644
index 00000000000..1ce1f479f5d
--- /dev/null
+++ b/security/openssl/patches/patch-at
@@ -0,0 +1,25 @@
+$NetBSD: patch-at,v 1.1 2006/09/30 04:20:24 taca Exp $
+
+# http://secunia.com/advisories/22130/
+
+--- crypto/dsa/dsa_ossl.c.orig 2005-05-26 13:40:42.000000000 +0900
++++ crypto/dsa/dsa_ossl.c
+@@ -274,6 +274,18 @@ static int dsa_do_verify(const unsigned
+ return -1;
+ }
+
++ if (BN_num_bits(dsa->q) != 160)
++ {
++ DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_BAD_Q_VALUE);
++ return -1;
++ }
++
++ if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS)
++ {
++ DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE);
++ return -1;
++ }
++
+ BN_init(&u1);
+ BN_init(&u2);
+ BN_init(&t1);
diff --git a/security/openssl/patches/patch-au b/security/openssl/patches/patch-au
new file mode 100644
index 00000000000..902f26a3f7d
--- /dev/null
+++ b/security/openssl/patches/patch-au
@@ -0,0 +1,32 @@
+$NetBSD: patch-au,v 1.1 2006/09/30 04:20:24 taca Exp $
+
+# http://secunia.com/advisories/22130/
+
+--- crypto/rsa/rsa.h.orig 2005-06-03 03:07:16.000000000 +0900
++++ crypto/rsa/rsa.h
+@@ -154,6 +154,17 @@ struct rsa_st
+ BN_BLINDING *blinding;
+ };
+
++#ifndef OPENSSL_RSA_MAX_MODULUS_BITS
++# define OPENSSL_RSA_MAX_MODULUS_BITS 16384
++#endif
++
++#ifndef OPENSSL_RSA_SMALL_MODULUS_BITS
++# define OPENSSL_RSA_SMALL_MODULUS_BITS 3072
++#endif
++#ifndef OPENSSL_RSA_MAX_PUBEXP_BITS
++# define OPENSSL_RSA_MAX_PUBEXP_BITS 64 /* exponent limit enforced for "large" modulus only */
++#endif
++
+ #define RSA_3 0x3L
+ #define RSA_F4 0x10001L
+
+@@ -386,6 +397,7 @@ void ERR_load_RSA_strings(void);
+ #define RSA_R_IQMP_NOT_INVERSE_OF_Q 126
+ #define RSA_R_KEY_SIZE_TOO_SMALL 120
+ #define RSA_R_LAST_OCTET_INVALID 134
++#define RSA_R_MODULUS_TOO_LARGE 105
+ #define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
+ #define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
+ #define RSA_R_OAEP_DECODING_ERROR 121
diff --git a/security/openssl/patches/patch-av b/security/openssl/patches/patch-av
new file mode 100644
index 00000000000..f033b150692
--- /dev/null
+++ b/security/openssl/patches/patch-av
@@ -0,0 +1,14 @@
+$NetBSD: patch-av,v 1.1 2006/09/30 04:20:24 taca Exp $
+
+# http://secunia.com/advisories/22130/
+
+--- crypto/rsa/rsa_err.c.orig 2005-06-03 03:07:16.000000000 +0900
++++ crypto/rsa/rsa_err.c
+@@ -129,6 +129,7 @@ static ERR_STRING_DATA RSA_str_reasons[]
+ {ERR_REASON(RSA_R_IQMP_NOT_INVERSE_OF_Q) ,"iqmp not inverse of q"},
+ {ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL) ,"key size too small"},
+ {ERR_REASON(RSA_R_LAST_OCTET_INVALID) ,"last octet invalid"},
++{ERR_REASON(RSA_R_MODULUS_TOO_LARGE) ,"modulus too large"},
+ {ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),"null before block missing"},
+ {ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) ,"n does not equal p q"},
+ {ERR_REASON(RSA_R_OAEP_DECODING_ERROR) ,"oaep decoding error"},
diff --git a/security/openssl/patches/patch-aw b/security/openssl/patches/patch-aw
new file mode 100644
index 00000000000..d340b5b41b0
--- /dev/null
+++ b/security/openssl/patches/patch-aw
@@ -0,0 +1,16 @@
+$NetBSD: patch-aw,v 1.1 2006/09/30 04:20:24 taca Exp $
+
+# http://secunia.com/advisories/22130/
+
+--- ssl/s2_clnt.c.orig 2005-05-12 03:26:07.000000000 +0900
++++ ssl/s2_clnt.c
+@@ -538,7 +538,8 @@ static int get_server_hello(SSL *s)
+ CRYPTO_add(&s->session->peer->references, 1, CRYPTO_LOCK_X509);
+ }
+
+- if (s->session->peer != s->session->sess_cert->peer_key->x509)
++ if (s->session->sess_cert == NULL
++ || s->session->peer != s->session->sess_cert->peer_key->x509)
+ /* can't happen */
+ {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);