summaryrefslogtreecommitdiff
path: root/security
diff options
context:
space:
mode:
authorwiz <wiz@pkgsrc.org>2001-07-11 01:26:10 +0000
committerwiz <wiz@pkgsrc.org>2001-07-11 01:26:10 +0000
commit12743c91d41f8fd5086a76ad1b69de04ac2556ec (patch)
treef995140e6298377f5b8c81995ce12c62ed9e5bad /security
parent10cba674644a92ab17a7868ea83e291223e08e14 (diff)
downloadpkgsrc-12743c91d41f8fd5086a76ad1b69de04ac2556ec.tar.gz
Pull in security fix from basesrc by itojun. Commit message was:
fix PRNG weakness. the workaround presented on bugtraq posting. Update to 0.9.6nb1.
Diffstat (limited to 'security')
-rw-r--r--security/openssl/Makefile3
-rw-r--r--security/openssl/distinfo3
-rw-r--r--security/openssl/patches/patch-ab82
3 files changed, 86 insertions, 2 deletions
diff --git a/security/openssl/Makefile b/security/openssl/Makefile
index 22fbde70bac..81c3e148be9 100644
--- a/security/openssl/Makefile
+++ b/security/openssl/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.42 2001/07/10 15:08:32 tron Exp $
+# $NetBSD: Makefile,v 1.43 2001/07/11 01:26:10 wiz Exp $
DISTNAME= openssl-0.9.6
+PKGNAME= ${DISTNAME}nb1
CATEGORIES= security
MASTER_SITES= ftp://ftp.openssl.org/source/ \
ftp://ftp.uni-trier.de/pub/unix/security/openssl/
diff --git a/security/openssl/distinfo b/security/openssl/distinfo
index e482a95976a..cf1abcfdef5 100644
--- a/security/openssl/distinfo
+++ b/security/openssl/distinfo
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.4 2001/05/11 22:24:16 tron Exp $
+$NetBSD: distinfo,v 1.5 2001/07/11 01:26:10 wiz Exp $
SHA1 (openssl-0.9.6.tar.gz) = d69c964d58535343787a3b8ac38a48772704304c
Size (openssl-0.9.6.tar.gz) = 2086131 bytes
SHA1 (openssl-0.9.6-netbsd.patch.gz) = 8e26b84cdbe722878b5cd43d66faa5d519be6506
Size (openssl-0.9.6-netbsd.patch.gz) = 2729 bytes
SHA1 (patch-aa) = c96fb67876b9bd8b5c0c091de209d8f60498126b
+SHA1 (patch-ab) = 8d26b010967d2d5d464708baf7bd7672ab064fc3
SHA1 (patch-ai) = d0f21b594a3343567f7cbea00e71c5319a877782
SHA1 (patch-aj) = 157a09410949f85f4a7b0bb878a382c8cd76772c
diff --git a/security/openssl/patches/patch-ab b/security/openssl/patches/patch-ab
new file mode 100644
index 00000000000..1d5b8797271
--- /dev/null
+++ b/security/openssl/patches/patch-ab
@@ -0,0 +1,82 @@
+$NetBSD: patch-ab,v 1.7 2001/07/11 01:26:10 wiz Exp $
+
+--- crypto/rand/md_rand.c.orig Mon Sep 11 14:42:39 2000
++++ crypto/rand/md_rand.c
+@@ -308,6 +308,7 @@
+ {
+ static volatile int stirred_pool = 0;
+ int i,j,k,st_num,st_idx;
++ int num_ceil;
+ int ok;
+ long md_c[2];
+ unsigned char local_md[MD_DIGEST_LENGTH];
+@@ -328,6 +329,12 @@
+ }
+ #endif
+
++ if (num <= 0)
++ return 1;
++
++ /* round upwards to multiple of MD_DIGEST_LENGTH/2 */
++ num_ceil = (1 + (num-1)/(MD_DIGEST_LENGTH/2)) * (MD_DIGEST_LENGTH/2);
++
+ /*
+ * (Based on the rand(3) manpage:)
+ *
+@@ -409,11 +416,11 @@
+ md_c[1] = md_count[1];
+ memcpy(local_md, md, sizeof md);
+
+- state_index+=num;
++ state_index+=num_ceil;
+ if (state_index > state_num)
+ state_index %= state_num;
+
+- /* state[st_idx], ..., state[(st_idx + num - 1) % st_num]
++ /* state[st_idx], ..., state[(st_idx + num_ceil - 1) % st_num]
+ * are now ours (but other threads may use them too) */
+
+ md_count[0] += 1;
+@@ -424,6 +431,7 @@
+
+ while (num > 0)
+ {
++ /* num_ceil -= MD_DIGEST_LENGTH/2 */
+ j=(num >= MD_DIGEST_LENGTH/2)?MD_DIGEST_LENGTH/2:num;
+ num-=j;
+ MD_Init(&m);
+@@ -434,27 +442,28 @@
+ curr_pid = 0;
+ }
+ #endif
+- MD_Update(&m,&(local_md[MD_DIGEST_LENGTH/2]),MD_DIGEST_LENGTH/2);
++ MD_Update(&m,local_md,MD_DIGEST_LENGTH);
+ MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
+ #ifndef PURIFY
+ MD_Update(&m,buf,j); /* purify complains */
+ #endif
+- k=(st_idx+j)-st_num;
++ k=(st_idx+MD_DIGEST_LENGTH/2)-st_num;
+ if (k > 0)
+ {
+- MD_Update(&m,&(state[st_idx]),j-k);
++ MD_Update(&m,&(state[st_idx]),MD_DIGEST_LENGTH/2-k);
+ MD_Update(&m,&(state[0]),k);
+ }
+ else
+- MD_Update(&m,&(state[st_idx]),j);
++ MD_Update(&m,&(state[st_idx]),MD_DIGEST_LENGTH/2);
+ MD_Final(local_md,&m);
+
+- for (i=0; i<j; i++)
++ for (i=0; i<MD_DIGEST_LENGTH/2; i++)
+ {
+ state[st_idx++]^=local_md[i]; /* may compete with other threads */
+- *(buf++)=local_md[i+MD_DIGEST_LENGTH/2];
+ if (st_idx >= st_num)
+ st_idx=0;
++ if (i < j)
++ *(buf++)=local_md[i+MD_DIGEST_LENGTH/2];
+ }
+ }
+