pkgsrc/security/openssl/Makefile

# $NetBSD: Makefile,v 1.274 2021/07/18 23:11:08 dholland Exp $
2021-04-22 11:59:37 +02:00
# Remember to upload-distfiles when updating OpenSSL -- otherwise it
# is not possible for users who have bootstrapped without OpenSSL
# to install it and enable HTTPS fetching.
openssl: Update to 1.1.1k.

Approved by @wiz during freeze.

Changes between 1.1.1j and 1.1.1k [25 Mar 2021]

 *) Fixed a problem with verifying a certificate chain when using the
    X509_V_FLAG_X509_STRICT flag. This flag enables additional security
    checks of the certificates present in a certificate chain. It is not
    set by default. Starting from OpenSSL version 1.1.1h a check to
    disallow certificates in the chain that have explicitly encoded
    elliptic curve parameters was added as an additional strict check. An
    error in the implementation of this check meant that the result of a
    previous check to confirm that certificates in the chain are valid CA
    certificates was overwritten. This effectively bypasses the check that
    non-CA certificates must not be able to issue other certificates. If a
    "purpose" has been configured then there is a subsequent opportunity
    for checks that the certificate is a valid CA. All of the named
    "purpose" values implemented in libcrypto perform this check.
    Therefore, where a purpose is set the certificate chain will still be
    rejected even when the strict flag has been used. A purpose is set by
    default in libssl client and server certificate verification routines,
    but it can be overridden or removed by an application. In order to be
    affected, an application must explicitly set the
    X509_V_FLAG_X509_STRICT verification flag and either not set a purpose
    for the certificate verification or, in the case of TLS client or
    server applications, override the default purpose.
    (CVE-2021-3450)
    [Tomáš Mráz]

 *) Fixed an issue where an OpenSSL TLS server may crash if sent a
    maliciously crafted renegotiation ClientHello message from a client.
    If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms
    extension (where it was present in the initial ClientHello), but
    includes a signature_algorithms_cert extension then a NULL pointer
    dereference will result, leading to a crash and a denial of service
    attack. A server is only vulnerable if it has TLSv1.2 and
    renegotiation enabled (which is the default configuration). OpenSSL
    TLS clients are not impacted by this issue.
    (CVE-2021-3449)
    [Peter Kästle and Samuel Sapalski]
2021-03-25 17:36:19 +01:00
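The commit above bumps the package to 1.1.1k, the first 1.1.1 release carrying the fixes for CVE-2021-3449 and CVE-2021-3450, and states that the 1.0.2 and 1.1.0 branches are out of support. An administrator auditing hosts therefore wants a reliable "is the installed OpenSSL at or past 1.1.1k" test, which is awkward because the 1.0.x/1.1.x version scheme uses a letter patch suffix (1.1.1j < 1.1.1k, and 1.0.2za sorts after 1.0.2z) that plain string comparison gets wrong. The following shell script is an added example written for this page, not part of the pkgsrc Makefile or of OpenSSL; the function names and the sample `openssl version` line are constructed for illustration, and pre-release tags such as "1.1.1k-dev" are not handled.

```shell
#!/bin/sh
# Added example, not part of the pkgsrc Makefile or of OpenSSL itself.
# Decides whether the version reported by `openssl version` is 1.1.1k or
# later, i.e. carries the fixes for CVE-2021-3449 and CVE-2021-3450 that the
# Makefile update above pulls in. Anything older (including the
# out-of-support 1.0.2 and 1.1.0 branches) is reported as needing an update.
#
# The 1.0.x/1.1.x version scheme is MAJOR.MINOR.FIX plus an optional letter
# patch suffix ("1.1.1k"; double letters such as "1.0.2za" sort after "z").
# Pre-release tags such as "1.1.1k-dev" are not handled (assumption).

# openssl_version_key VERSION -> "MAJOR MINOR FIX PATCH", with the letter
# suffix turned into a number (a=1 ... z=26, za=27, ...; no suffix=0).
openssl_version_key() {
    v=$1
    num=${v%%[a-z]*}              # "1.1.1k" -> "1.1.1"
    letter=${v#"$num"}            # "k" (may be empty)
    major=${num%%.*}
    rest=${num#*.}
    minor=${rest%%.*}
    fix=${rest#*.}
    [ "$fix" = "$rest" ] && fix=0 # tolerate a bare "MAJOR.MINOR"
    if [ -z "$letter" ]; then
        patch=0
    else
        last=${letter#"${letter%?}"}   # final character of the suffix
        # 26 per extra letter, then the ordinal of the last letter (a=1)
        patch=$(( 26 * (${#letter} - 1) + $(printf '%d' "'$last") - 96 ))
    fi
    echo "$major $minor $fix $patch"
}

# openssl_version_number VERSION -> one integer usable for ordering
openssl_version_number() {
    set -- $(openssl_version_key "$1")
    echo $(( $1 * 1000000 + $2 * 10000 + $3 * 100 + $4 ))
}

# openssl_at_least VERSION MINIMUM -> exit status 0 when VERSION >= MINIMUM
openssl_at_least() {
    [ "$(openssl_version_number "$1")" -ge "$(openssl_version_number "$2")" ]
}

# openssl_version_from_output LINE -> the version field of `openssl version`
# output, e.g. "OpenSSL 1.1.1k  25 Mar 2021" -> "1.1.1k"
openssl_version_from_output() {
    set -- $1
    echo "$2"
}

# openssl_version_is_1_1_1k_or_later LINE -> exit status 0 when the
# `openssl version` output LINE reports 1.1.1k or later
openssl_version_is_1_1_1k_or_later() {
    openssl_at_least "$(openssl_version_from_output "$1")" 1.1.1k
}

# Constructed sample line (not captured from a real host); on a live system
# one would pass "$(openssl version)" instead.
SAMPLE_OUTPUT='OpenSSL 1.1.1j  16 Feb 2021'
if openssl_version_is_1_1_1k_or_later "$SAMPLE_OUTPUT"; then
    echo "sample: $SAMPLE_OUTPUT -> 1.1.1k or later"
else
    echo "sample: $SAMPLE_OUTPUT -> older than 1.1.1k, update security/openssl"
fi
```

The key is built as a numeric tuple rather than compared as text, so a 3.x version (no letter suffix) correctly sorts after every 1.1.1 letter release, and the comparison runs without invoking the real `openssl` binary, which keeps it usable from a pkgsrc bulk-build log or an inventory file.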
DISTNAME= openssl-1.1.1k
2021-05-24 21:49:01 +02:00
PKGREVISION= 1
CATEGORIES= security
MASTER_SITES= https://www.openssl.org/source/
MAINTAINER= pkgsrc-users@NetBSD.org
HOMEPAGE= https://www.openssl.org/
COMMENT= Secure Socket Layer and cryptographic library
2014-05-15 11:59:32 +02:00
LICENSE= openssl
USE_GCC_RUNTIME= yes
openssl: Update to 1.1.1d.

This is a major upgrade to the current LTS release. 1.0.2 and 1.1.0 are
now out of support and should not be used.

pkgsrc changes include a large cleanup of patches and targets, many of
which were clearly bogus, for example a CONFLICTS entry against a package
that has never existed, and one that was removed in 1999.

Tested on SmartOS, macOS, and NetBSD. Used for the SmartOS pkgsrc-2019Q4
LTS release.

There are far too many individual changes to list, so the following text
is instead taken from the 1.1.1 blog announcement:

--------------------------------------------------------------------------

After two years of work we are excited to be releasing our latest version
today - OpenSSL 1.1.1. This is also our new Long Term Support (LTS)
version and so we are committing to support it for at least five years.
OpenSSL 1.1.1 has been a huge team effort with nearly 5000 commits having
been made from over 200 individual contributors since the release of
OpenSSL 1.1.0. These statistics just illustrate the amazing vitality and
diversity of the OpenSSL community.

The contributions didn't just come in the form of commits though. There
has been a great deal of interest in this new version so thanks needs to
be extended to the large number of users who have downloaded the beta
releases to test them out and report bugs.

The headline new feature is TLSv1.3. This new version of the Transport
Layer Security (formerly known as SSL) protocol was published by the IETF
just one month ago as RFC8446. This is a major rewrite of the standard
and introduces significant changes, features and improvements which have
been reflected in the new OpenSSL version. What's more is that OpenSSL
1.1.1 is API and ABI compliant with OpenSSL 1.1.0 so most applications
that work with 1.1.0 can gain many of the benefits of TLSv1.3 simply by
dropping in the new OpenSSL version. Since TLSv1.3 works very differently
to TLSv1.2 though there are a few caveats that may impact a minority of
applications. See the TLSv1.3 page on the OpenSSL wiki for more details.

Some of the benefits of TLSv1.3 include:

 * Improved connection times due to a reduction in the number of round
   trips required between the client and server
 * The ability, in certain circumstances, for clients to start sending
   encrypted data to the server straight away without any round trips
   with the server required (a feature known as 0-RTT or “early data”).
 * Improved security due to the removal of various obsolete and insecure
   cryptographic algorithms and encryption of more of the connection
   handshake

Other features in the 1.1.1 release include:

 * Complete rewrite of the OpenSSL random number generator to introduce
   the following capabilities:
   * The default RAND method now utilizes an AES-CTR DRBG according to
     NIST standard SP 800-90Ar1.
   * Support for multiple DRBG instances with seed chaining.
   * There is a public and private DRBG instance.
   * The DRBG instances are fork-safe.
   * Keep all global DRBG instances on the secure heap if it is enabled.
   * The public and private DRBG instance are per thread for lock free
     operation
 * Support for various new cryptographic algorithms including:
   * SHA3
   * SHA512/224 and SHA512/256
   * EdDSA (including Ed25519 and Ed448)
   * X448 (adding to the existing X25519 support in 1.1.0)
   * Multi-prime RSA
   * SM2
   * SM3
   * SM4
   * SipHash
   * ARIA (including TLS support)
 * Significant Side-Channel attack security improvements
 * Maximum Fragment Length TLS extension support
 * A new STORE module, which implements a uniform and URI based reader of
   stores that can contain keys, certificates, CRLs and numerous other
   objects.

Since 1.1.1 is our new LTS release we are strongly advising all users to
upgrade as soon as possible. For most applications this should be
straightforward if they are written to work with OpenSSL 1.1.0. Since
OpenSSL 1.1.0 is not an LTS release it will start receiving security
fixes only with immediate effect as per our previous announcement and as
published in our release strategy. It will cease receiving all support in
one year's time. Our previous LTS release (OpenSSL 1.0.2) will continue
to receive full support until the end of this year. After that it will
receive security fixes only. It will stop receiving all support at the
end of 2019. Users of that release are strongly advised to upgrade to
OpenSSL 1.1.1.
2020-01-16 14:30:29 +01:00
USE_TOOLS+= fgrep gmake makedepend perl
USE_TOOLS.SunOS+= gm4
Update security/openssl to 1.0.2e.

pkgsrc changes:

- We now need to run 'make depend' after configure to pick up algorithm
  selection changes.

Upstream changes:

Changes between 1.0.2d and 1.0.2e [3 Dec 2015]

 *) BN_mod_exp may produce incorrect results on x86_64

    There is a carry propagating bug in the x86_64 Montgomery squaring
    procedure. No EC algorithms are affected. Analysis suggests that
    attacks against RSA and DSA as a result of this defect would be very
    difficult to perform and are not believed likely. Attacks against DH
    are considered just feasible (although very difficult) because most
    of the work necessary to deduce information about a private key may
    be performed offline. The amount of resources required for such an
    attack would be very significant and likely only accessible to a
    limited number of attackers. An attacker would additionally need
    online access to an unpatched system using the target private key in
    a scenario with persistent DH parameters and a private key that is
    shared between multiple clients. For example this can occur by
    default in OpenSSL DHE based SSL/TLS ciphersuites.

    This issue was reported to OpenSSL by Hanno Böck.
    (CVE-2015-3193)
    [Andy Polyakov]

 *) Certificate verify crash with missing PSS parameter

    The signature verification routines will crash with a NULL pointer
    dereference if presented with an ASN.1 signature using the RSA PSS
    algorithm and absent mask generation function parameter. Since these
    routines are used to verify certificate signature algorithms this
    can be used to crash any certificate verification operation and
    exploited in a DoS attack. Any application which performs certificate
    verification is vulnerable including OpenSSL clients and servers
    which enable client authentication.

    This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG).
    (CVE-2015-3194)
    [Stephen Henson]

 *) X509_ATTRIBUTE memory leak

    When presented with a malformed X509_ATTRIBUTE structure OpenSSL will
    leak memory. This structure is used by the PKCS#7 and CMS routines so
    any application which reads PKCS#7 or CMS data from untrusted sources
    is affected. SSL/TLS is not affected.

    This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL)
    using libFuzzer.
    (CVE-2015-3195)
    [Stephen Henson]

 *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs. This
    changes the decoding behaviour for some invalid messages, though the
    change is mostly in the more lenient direction, and legacy behaviour
    is preserved as much as possible.
    [Emilia Käsper]

 *) In DSA_generate_parameters_ex, if the provided seed is too short,
    return an error
    [Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>]
2015-12-07 16:57:42 +01:00
BUILD_TARGET= depend all
TEST_TARGET= tests
HAS_CONFIGURE= yes
CONFIGURE_SCRIPT= ./config
CONFIGURE_ARGS+= --prefix=${PREFIX}
CONFIGURE_ARGS+= --libdir=${PREFIX}/lib
CONFIGURE_ARGS+= --openssldir=${PKG_SYSCONFDIR}
CONFIGURE_ARGS+= shared
2010-05-08 08:33:41 +02:00
.include "../../mk/bsd.prefs.mk"
.if !empty(MACHINE_PLATFORM:MDarwin-[0-8].*-powerpc)
# No {get,make,set}context support before Darwin 9
CONFIGURE_ARGS+= no-async
.endif
# Fix 64-bit build on at least Mac OS X Snow Leopard
.if ${OPSYS} == "Darwin" && ${MACHINE_ARCH} == "x86_64"
CONFIGURE_ENV+= KERNEL_BITS=${ABI}
.endif
.include "options.mk"
CONFIGURE_ENV+= PERL=${PERL5:Q}
# If the config script cannot guess the host system correctly then we need to
# specify it manually and call the Configure script directly.
OPENSSL_HOST.SunOS-i386= solaris-x86-gcc
2020-02-12 20:49:23 +01:00
OPENSSL_HOST.SunOS-x86_64= solaris64-x86_64-gcc
OPENSSL_HOST.Darwin-aarch64= darwin64-arm64-cc
LDFLAGS.SunOS+= -lrt
CPPFLAGS.OpenBSD+= -D__STDC_NO_ATOMICS__
.if defined(OPENSSL_HOST.${OPSYS}-${MACHINE_ARCH})
CONFIG_SHELL= ${PERL5}
CONFIGURE_SCRIPT= ./Configure
CONFIGURE_ARGS+= ${OPENSSL_HOST.${OPSYS}-${MACHINE_ARCH}}
.endif
PKGCONFIG_OVERRIDE+= libcrypto.pc libssl.pc openssl.pc
PKGCONFIG_OVERRIDE_STAGE= post-build
PKG_SYSCONFSUBDIR= openssl
CONF_FILES= ${PREFIX}/share/examples/openssl/openssl.cnf \
		${PKG_SYSCONFDIR}/openssl.cnf
OWN_DIRS= ${PKG_SYSCONFDIR}/certs ${PKG_SYSCONFDIR}/private
INSTALLATION_DIRS+= share/examples/openssl
#
# Note that this package cannot be updated solely from Darwin, it relies on
# shlib-dylib.awk to convert the normal .so entries to dylib, which doesn't
# work the other way around. The lib/engines-1.1 plugins also need special
# handling.
#
OPSYSVARS+= SOEXT
SOEXT.Darwin= dylib
SOEXT.*= so
PLIST_SUBST+= SOEXT=${SOEXT}
PRINT_PLIST_AWK+= /^lib\/engines/ { gsub(/\.${SOEXT}$$/, ".$${SOEXT}"); }
# Remove CC from the environment, to fix GCC version handling on HP-UX,
# SunOS and Linux/sparc.
#
# See https://github.com/openssl/openssl/issues/11060.
do-configure:
	${RUN} cd ${WRKSRC} && ${SETENV} ${_CONFIGURE_SCRIPT_ENV:NCC=*} \
		${CONFIG_SHELL} ${CONFIGURE_SCRIPT} ${CONFIGURE_ARGS}
#
# Get rid of ridiculous namespace collisions like passwd.1 and just leave the
# openssl-*.1 style variants. On a more practical note this avoids creating
# a conflict with moreutils (ts.1).
#
post-install:
	cd ${DESTDIR}${PREFIX}/${PKGMANDIR}/man1; \
	for f in openssl-*; do \
		${RM} -f $${f}; \
		${MV} `${ECHO} $${f} | ${SED} -e 's/openssl-//'` $${f}; \
	done; \
	${RM} -f openssl-c_rehash.1; \
	${LN} -s openssl-rehash.1 c_rehash.1
2015-03-11 23:49:40 +01:00
.include "../../mk/dlopen.buildlink3.mk"
.include "../../mk/bsd.pkg.mk"