pkgsrc/security/openssl/distinfo

$NetBSD: distinfo,v 1.67 2009/04/16 09:50:37 tnn Exp $

SHA1 (openssl-0.9.8k.tar.gz) = 3ba079f91d3c1ec90a36dcd1d43857165035703f
RMD160 (openssl-0.9.8k.tar.gz) = 496df7a5d33457b0d8e3b930a8e5cf068923182c
Size (openssl-0.9.8k.tar.gz) = 3852259 bytes
SHA1 (patch-aa) = b28ec662bf0586e31d59cab45e3a28b91b10dac1
SHA1 (patch-ac) = 7d03d0effcde4237216e9da4f38a318b0d1ae67d
SHA1 (patch-ad) = bb86ac463fc4ab8b485df5f1a4fb9c13c1fc41c3
SHA1 (patch-ae) = 7a58f1765a3761321dcc8dafc5fe2e33207be480
SHA1 (patch-af) = 1eda5a96835b65d325c77ce5d39f1e524815a3c7
SHA1 (patch-ag) = 5f12c72b85e4b6c6a79dfcf87055e9e029fbd8c8
SHA1 (patch-ak) = 049250b9bd42e6f155145703135dab39a7ec17e0
SHA1 (patch-al) = 076a606352bdeaeea1cc64f16be2ac1325882302
NetBSD/sparc64 build fix. Reported and fix tested by Michael C. Vergallen. 2009-04-16 11:50:37 +02:00			$NetBSD: distinfo,v 1.67 2009/04/16 09:50:37 tnn Exp $
Import OpenSSL 0.9.2b pkg, a package which finally updates and fixes many deficiencies in SSLeay. Intended to be a drop-in replacement for SSLeay (and still provides the command-prompt interface as "ssleay"). 1999-04-30 17:19:13 +02:00
Update to openssl-0.9.8k. Changes between 0.9.8j and 0.9.8k [25 Mar 2009] ) Don't set val to NULL when freeing up structures, it is freed up by underlying code. If sizeof(void ) > sizeof(long) this can result in zeroing past the valid field. (CVE-2009-0789) ) Fix bug where return value of CMS_SignerInfo_verify_content() was not checked correctly. This would allow some invalid signed attributes to appear to verify correctly. (CVE-2009-0591) ) Reject UniversalString and BMPString types with invalid lengths. This prevents a crash in ASN1_STRING_print_ex() which assumes the strings have a legal length. (CVE-2009-0590) ) Set S/MIME signing as the default purpose rather than setting it unconditionally. This allows applications to override it at the store level. ) Permit restricted recursion of ASN1 strings. This is needed in practice to handle some structures. ) Improve efficiency of mem_gets: don't search whole buffer each time for a '\n' ) New -hex option for openssl rand. ) Print out UTF8String and NumericString when parsing ASN1. ) Support NumericString type for name components. *) Allow CC in the environment to override the automatically chosen compiler. Note that nothing is done to ensure flags work with the chosen compiler. 2009-04-05 17:50:17 +02:00			`SHA1 (openssl-0.9.8k.tar.gz) = 3ba079f91d3c1ec90a36dcd1d43857165035703f`
			`RMD160 (openssl-0.9.8k.tar.gz) = 496df7a5d33457b0d8e3b930a8e5cf068923182c`
			`Size (openssl-0.9.8k.tar.gz) = 3852259 bytes`
Update to openssl-0.9.8g. Provided by Jukka Salmi in pkgsrc-wip. pkgsrc notes: o Tested on NetBSD/i386 (Jukka Salmi), Mac OSX 10.5 (Adrian Portelli), Linux (Jeremy C. Reed), Tru64 5.1b (tnn), HP-UX 11i (tnn). Because the Makefile system has been rewamped, other platforms may require fixes. Please test if you can. o OpenSSL can now be built with installation to DESTDIR. Overview of important changes since 0.9.7i: o Add gcc 4.2 support. o DTLS improvements. o RFC4507bis support. o TLS Extensions support. o RFC3779 support. o New cipher Camellia o Updated ECC cipher suite support. o New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free(). o Zlib compression usage fixes. o Major work on the BIGNUM library for higher efficiency and to make operations more streamlined and less contradictory. This is the result of a major audit of the BIGNUM library. o Addition of BIGNUM functions for fields GF(2^m) and NIST curves, to support the Elliptic Crypto functions. o Major work on Elliptic Crypto; ECDH and ECDSA added, including the use through EVP, X509 and ENGINE. o New ASN.1 mini-compiler that's usable through the OpenSSL configuration file. o Added support for ASN.1 indefinite length constructed encoding. o New PKCS#12 'medium level' API to manipulate PKCS#12 files. o Complete rework of shared library construction and linking programs with shared or static libraries, through a separate Makefile.shared. o Rework of the passing of parameters from one Makefile to another. o Changed ENGINE framework to load dynamic engine modules automatically from specifically given directories. o New structure and ASN.1 functions for CertificatePair. o Changed the key-generation and primality testing "progress" mechanism to take a structure that contains the ticker function and an argument. o New engine module: GMP (performs private key exponentiation). o New engine module: VIA PadLOck ACE extension in VIA C3 Nehemiah processors. o Added support for IPv6 addresses in certificate extensions. See RFC 1884, section 2.2. o Added support for certificate policy mappings, policy constraints and name constraints. o Added support for multi-valued AVAs in the OpenSSL configuration file. o Added support for multiple certificates with the same subject in the 'openssl ca' index file. o Make it possible to create self-signed certificates using 'openssl ca -selfsign'. o Make it possible to generate a serial number file with 'openssl ca -create_serial'. o New binary search functions with extended functionality. o New BUF functions. o New STORE structure and library to provide an interface to all sorts of data repositories. Supports storage of public and private keys, certificates, CRLs, numbers and arbitrary blobs. This library is unfortunately unfinished and unused withing OpenSSL. o New control functions for the error stack. o Changed the PKCS#7 library to support one-pass S/MIME processing. o New FIPS 180-2 algorithms (SHA-224, -256, -384 and -512). o New X509_VERIFY_PARAM structure to support parametrisation of X.509 path validation. o Change the default digest in 'openssl' commands from MD5 to SHA-1. o Added support for DTLS. o New BIGNUM blinding. o Added support for the RSA-PSS encryption scheme o Added support for the RSA X.931 padding. o Added support for files larger than 2GB. o Added alternate pkg-config files. 2008-01-17 07:42:47 +01:00			`SHA1 (patch-aa) = b28ec662bf0586e31d59cab45e3a28b91b10dac1`
NetBSD/sparc64 build fix. Reported and fix tested by Michael C. Vergallen. 2009-04-16 11:50:37 +02:00			`SHA1 (patch-ac) = 7d03d0effcde4237216e9da4f38a318b0d1ae67d`
Update to openssl-0.9.8g. Provided by Jukka Salmi in pkgsrc-wip. pkgsrc notes: o Tested on NetBSD/i386 (Jukka Salmi), Mac OSX 10.5 (Adrian Portelli), Linux (Jeremy C. Reed), Tru64 5.1b (tnn), HP-UX 11i (tnn). Because the Makefile system has been rewamped, other platforms may require fixes. Please test if you can. o OpenSSL can now be built with installation to DESTDIR. Overview of important changes since 0.9.7i: o Add gcc 4.2 support. o DTLS improvements. o RFC4507bis support. o TLS Extensions support. o RFC3779 support. o New cipher Camellia o Updated ECC cipher suite support. o New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free(). o Zlib compression usage fixes. o Major work on the BIGNUM library for higher efficiency and to make operations more streamlined and less contradictory. This is the result of a major audit of the BIGNUM library. o Addition of BIGNUM functions for fields GF(2^m) and NIST curves, to support the Elliptic Crypto functions. o Major work on Elliptic Crypto; ECDH and ECDSA added, including the use through EVP, X509 and ENGINE. o New ASN.1 mini-compiler that's usable through the OpenSSL configuration file. o Added support for ASN.1 indefinite length constructed encoding. o New PKCS#12 'medium level' API to manipulate PKCS#12 files. o Complete rework of shared library construction and linking programs with shared or static libraries, through a separate Makefile.shared. o Rework of the passing of parameters from one Makefile to another. o Changed ENGINE framework to load dynamic engine modules automatically from specifically given directories. o New structure and ASN.1 functions for CertificatePair. o Changed the key-generation and primality testing "progress" mechanism to take a structure that contains the ticker function and an argument. o New engine module: GMP (performs private key exponentiation). o New engine module: VIA PadLOck ACE extension in VIA C3 Nehemiah processors. o Added support for IPv6 addresses in certificate extensions. See RFC 1884, section 2.2. o Added support for certificate policy mappings, policy constraints and name constraints. o Added support for multi-valued AVAs in the OpenSSL configuration file. o Added support for multiple certificates with the same subject in the 'openssl ca' index file. o Make it possible to create self-signed certificates using 'openssl ca -selfsign'. o Make it possible to generate a serial number file with 'openssl ca -create_serial'. o New binary search functions with extended functionality. o New BUF functions. o New STORE structure and library to provide an interface to all sorts of data repositories. Supports storage of public and private keys, certificates, CRLs, numbers and arbitrary blobs. This library is unfortunately unfinished and unused withing OpenSSL. o New control functions for the error stack. o Changed the PKCS#7 library to support one-pass S/MIME processing. o New FIPS 180-2 algorithms (SHA-224, -256, -384 and -512). o New X509_VERIFY_PARAM structure to support parametrisation of X.509 path validation. o Change the default digest in 'openssl' commands from MD5 to SHA-1. o Added support for DTLS. o New BIGNUM blinding. o Added support for the RSA-PSS encryption scheme o Added support for the RSA X.931 padding. o Added support for files larger than 2GB. o Added alternate pkg-config files. 2008-01-17 07:42:47 +01:00			`SHA1 (patch-ad) = bb86ac463fc4ab8b485df5f1a4fb9c13c1fc41c3`
			`SHA1 (patch-ae) = 7a58f1765a3761321dcc8dafc5fe2e33207be480`
Update to openssl-0.9.8j. Fixes CVE-2008-5077. Changes between 0.9.8i and 0.9.8j [07 Jan 2009] ) Properly check EVP_VerifyFinal() and similar return values (CVE-2008-5077). ) Allow the CHIL engine to be loaded, whether the application is multithreaded or not. (This does not release the developer from the obligation to set up the dynamic locking callbacks.) ) Use correct exit code if there is an error in dgst command. ) Tweak Configure so that you need to say "experimental-jpake" to enable JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications. ) Add experimental JPAKE support, including demo authentication in s_client and s_server. ) Set the comparison function in v3_addr_canonize(). ) Add support for XMPP STARTTLS in s_client. ) Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior to ensure that even with this option, only ciphersuites in the server's preference list will be accepted. (Note that the option applies only when resuming a session, so the earlier behavior was just about the algorithm choice for symmetric cryptography.) Changes between 0.9.8h and 0.9.8i [15 Sep 2008] ) Fix a state transitition in s3_srvr.c and d1_srvr.c (was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...). ) The fix in 0.9.8c that supposedly got rid of unsafe double-checked locking was incomplete for RSA blinding, addressing just one layer of what turns out to have been doubly unsafe triple-checked locking. So now fix this for real by retiring the MONT_HELPER macro in crypto/rsa/rsa_eay.c. ) Various precautionary measures: - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h). - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c). (NB: This would require knowledge of the secret session ticket key to exploit, in which case you'd be SOL either way.) - Change bn_nist.c so that it will properly handle input BIGNUMs outside the expected range. - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG builds. ) Allow engines to be "soft loaded" - i.e. optionally don't die if the load fails. Useful for distros. ) Add support for Local Machine Keyset attribute in PKCS#12 files. ) Fix BN_GF2m_mod_arr() top-bit cleanup code. ) Expand ENGINE to support engine supplied SSL client certificate functions. This work was sponsored by Logica. ) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows keystores. Support for SSL/TLS client authentication too. Not compiled unless enable-capieng specified to Configure. This work was sponsored by Logica. *) Fix bug in X509_ATTRIBUTE creation: dont set attribute using ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain attribute creation routines such as certifcate requests and PKCS#12 files. 2009-01-08 17:38:22 +01:00			`SHA1 (patch-af) = 1eda5a96835b65d325c77ce5d39f1e524815a3c7`
Link shared libraries with -rpath on IRIX to prevent check-shlibs errors. 2008-02-20 02:10:20 +01:00			`SHA1 (patch-ag) = 5f12c72b85e4b6c6a79dfcf87055e9e029fbd8c8`
Update to openssl-0.9.8g. Provided by Jukka Salmi in pkgsrc-wip. pkgsrc notes: o Tested on NetBSD/i386 (Jukka Salmi), Mac OSX 10.5 (Adrian Portelli), Linux (Jeremy C. Reed), Tru64 5.1b (tnn), HP-UX 11i (tnn). Because the Makefile system has been rewamped, other platforms may require fixes. Please test if you can. o OpenSSL can now be built with installation to DESTDIR. Overview of important changes since 0.9.7i: o Add gcc 4.2 support. o DTLS improvements. o RFC4507bis support. o TLS Extensions support. o RFC3779 support. o New cipher Camellia o Updated ECC cipher suite support. o New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free(). o Zlib compression usage fixes. o Major work on the BIGNUM library for higher efficiency and to make operations more streamlined and less contradictory. This is the result of a major audit of the BIGNUM library. o Addition of BIGNUM functions for fields GF(2^m) and NIST curves, to support the Elliptic Crypto functions. o Major work on Elliptic Crypto; ECDH and ECDSA added, including the use through EVP, X509 and ENGINE. o New ASN.1 mini-compiler that's usable through the OpenSSL configuration file. o Added support for ASN.1 indefinite length constructed encoding. o New PKCS#12 'medium level' API to manipulate PKCS#12 files. o Complete rework of shared library construction and linking programs with shared or static libraries, through a separate Makefile.shared. o Rework of the passing of parameters from one Makefile to another. o Changed ENGINE framework to load dynamic engine modules automatically from specifically given directories. o New structure and ASN.1 functions for CertificatePair. o Changed the key-generation and primality testing "progress" mechanism to take a structure that contains the ticker function and an argument. o New engine module: GMP (performs private key exponentiation). o New engine module: VIA PadLOck ACE extension in VIA C3 Nehemiah processors. o Added support for IPv6 addresses in certificate extensions. See RFC 1884, section 2.2. o Added support for certificate policy mappings, policy constraints and name constraints. o Added support for multi-valued AVAs in the OpenSSL configuration file. o Added support for multiple certificates with the same subject in the 'openssl ca' index file. o Make it possible to create self-signed certificates using 'openssl ca -selfsign'. o Make it possible to generate a serial number file with 'openssl ca -create_serial'. o New binary search functions with extended functionality. o New BUF functions. o New STORE structure and library to provide an interface to all sorts of data repositories. Supports storage of public and private keys, certificates, CRLs, numbers and arbitrary blobs. This library is unfortunately unfinished and unused withing OpenSSL. o New control functions for the error stack. o Changed the PKCS#7 library to support one-pass S/MIME processing. o New FIPS 180-2 algorithms (SHA-224, -256, -384 and -512). o New X509_VERIFY_PARAM structure to support parametrisation of X.509 path validation. o Change the default digest in 'openssl' commands from MD5 to SHA-1. o Added support for DTLS. o New BIGNUM blinding. o Added support for the RSA-PSS encryption scheme o Added support for the RSA X.931 padding. o Added support for files larger than 2GB. o Added alternate pkg-config files. 2008-01-17 07:42:47 +01:00			`SHA1 (patch-ak) = 049250b9bd42e6f155145703135dab39a7ec17e0`
			`SHA1 (patch-al) = 076a606352bdeaeea1cc64f16be2ac1325882302`