Commit graph

294 commits

Author SHA1 Message Date
zafer
55f36f4479 clean up mirrors. use official up to date ones. 2009-05-21 21:37:28 +00:00
tnn
7eab86532c the external rsaref option was dropped from securirty/openssl over
4 years ago; remove support from the bl3.mk as well.
2009-04-16 14:05:38 +00:00
tnn
021b4615a9 NetBSD/sparc64 build fix. Reported and fix tested by Michael C. Vergallen. 2009-04-16 09:50:37 +00:00
tnn
ce257462cd Update to openssl-0.9.8k.
Changes between 0.9.8j and 0.9.8k  [25 Mar 2009]
*) Don't set val to NULL when freeing up structures, it is freed up by
   underlying code. If sizeof(void *) > sizeof(long) this can result in
   zeroing past the valid field. (CVE-2009-0789)
*) Fix bug where return value of CMS_SignerInfo_verify_content() was not
   checked correctly. This would allow some invalid signed attributes to
   appear to verify correctly. (CVE-2009-0591)
*) Reject UniversalString and BMPString types with invalid lengths. This
   prevents a crash in ASN1_STRING_print_ex() which assumes the strings have
   a legal length. (CVE-2009-0590)
*) Set S/MIME signing as the default purpose rather than setting it
   unconditionally. This allows applications to override it at the store
   level.
*) Permit restricted recursion of ASN1 strings. This is needed in practice
   to handle some structures.
*) Improve efficiency of mem_gets: don't search whole buffer each time
   for a '\n'
*) New -hex option for openssl rand.
*) Print out UTF8String and NumericString when parsing ASN1.
*) Support NumericString type for name components.
*) Allow CC in the environment to override the automatically chosen
   compiler. Note that nothing is done to ensure flags work with the
   chosen compiler.
2009-04-05 15:50:17 +00:00
joerg
2d1ba244e9 Simply and speed up buildlink3.mk files and processing.
This changes the buildlink3.mk files to use an include guard for the
recursive include. The use of BUILDLINK_DEPTH, BUILDLINK_DEPENDS,
BUILDLINK_PACKAGES and BUILDLINK_ORDER is handled by a single new
variable BUILDLINK_TREE. Each buildlink3.mk file adds a pair of
enter/exit marker, which can be used to reconstruct the tree and
to determine first level includes. Avoiding := for large variables
(BUILDLINK_ORDER) speeds up parse time as += has linear complexity.
The include guard reduces system time by avoiding reading files over and
over again. For complex packages this reduces both %user and %sys time to
half of the former time.
2009-03-20 19:23:50 +00:00
tnn
1157e16862 Update to openssl-0.9.8j. Fixes CVE-2008-5077.
Changes between 0.9.8i and 0.9.8j  [07 Jan 2009]
*) Properly check EVP_VerifyFinal() and similar return values
   (CVE-2008-5077).
*) Allow the CHIL engine to be loaded, whether the application is
   multithreaded or not. (This does not release the developer from the
   obligation to set up the dynamic locking callbacks.)
*) Use correct exit code if there is an error in dgst command.
*) Tweak Configure so that you need to say "experimental-jpake" to enable
   JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications.
*) Add experimental JPAKE support, including demo authentication in
   s_client and s_server.
*) Set the comparison function in v3_addr_canonize().
*) Add support for XMPP STARTTLS in s_client.
*) Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior
   to ensure that even with this option, only ciphersuites in the
   server's preference list will be accepted.  (Note that the option
   applies only when resuming a session, so the earlier behavior was
   just about the algorithm choice for symmetric cryptography.)

Changes between 0.9.8h and 0.9.8i  [15 Sep 2008]
*) Fix a state transitition in s3_srvr.c and d1_srvr.c
   (was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...).
*) The fix in 0.9.8c that supposedly got rid of unsafe
   double-checked locking was incomplete for RSA blinding,
   addressing just one layer of what turns out to have been
   doubly unsafe triple-checked locking.
   So now fix this for real by retiring the MONT_HELPER macro
   in crypto/rsa/rsa_eay.c.
*) Various precautionary measures:
   - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
   - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c).
     (NB: This would require knowledge of the secret session ticket key
     to exploit, in which case you'd be SOL either way.)
   - Change bn_nist.c so that it will properly handle input BIGNUMs
     outside the expected range.
   - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG
     builds.
*) Allow engines to be "soft loaded" - i.e. optionally don't die if
   the load fails. Useful for distros.
*) Add support for Local Machine Keyset attribute in PKCS#12 files.
*) Fix BN_GF2m_mod_arr() top-bit cleanup code.
*) Expand ENGINE to support engine supplied SSL client certificate functions.
   This work was sponsored by Logica.
*) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows
   keystores. Support for SSL/TLS client authentication too.
   Not compiled unless enable-capieng specified to Configure.
   This work was sponsored by Logica.
*) Fix bug in X509_ATTRIBUTE creation: dont set attribute using
   ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain
   attribute creation routines such as certifcate requests and PKCS#12
   files.
2009-01-08 16:38:22 +00:00
adrianp
dede2ac381 Might be good to actually add the patch that fixes the problem 2008-10-25 12:04:34 +00:00
adrianp
c348119408 OpenSSL is not JOBS_SAFE
Pull in a fix from the OpenSSL CVS:
http://cvs.openssl.org/filediff?f=openssl/crypto/x509/x509_att.c&v1=1.14&v2=1.15
This should fix PR #39767 opened by Wolfgang Solfrank
2008-10-25 12:03:35 +00:00
reed
8748c6679e Add zlib option.
This is for PR 39433.
It is not enabled by default.
2008-09-17 00:46:58 +00:00
dsainty
8f8c9f2e65 Catch distinfo up with the removal of patch-a[bh].
(Hi Tobias :)
2008-07-14 22:19:11 +00:00
tnn
ecd7c12e2c Update to openssl-0.9.8h. Changes from 0.9.8g:
Two crashes discovered using the Codenomicon TLS test suite, as reported
in CVE-2008-0891 and CVE-2008-1672, were fixed. The root CA certificates
of commercial CAs were removed from the distribution. Functions were added
to implement RFC3394 compatible AES key wrapping. Utility functions to
handle ASN1 structures were added. The certificate status request TLS
extension, as defined in RFC3546, was implemented. Several other bugfixes
and enhancements were made.
2008-07-14 03:52:54 +00:00
tonnerre
edf2b93718 Fix shared library build on various architectures. This basically fiddles
with the number of colons between the fields.
2008-06-16 20:18:20 +00:00
tonnerre
9005c221a8 Fix two Denial of Service vulnerabilities in OpenSSL 0.9.8g:
- Fix flaw if 'Server Key exchange message' is omitted from a TLS handshake
   which could lead to a silent crash.
 - Fix double free in TLS server name extensions which could lead to a remote
   crash.

Patches from upstream.
2008-06-03 21:39:40 +00:00
tonnerre
2f84995386 Fix build of OpenSSL on NetBSD/amd64 (4.0 and current tested) 2008-05-08 14:04:25 +00:00
jlam
9080934d3b Fix detection of openssl configuration directory on NetBSD so it's
/etc/openssl only if USE_BUILTIN.openssl is "yes".
2008-04-25 20:06:15 +00:00
jlam
841dfa0e7a Convert to use PLIST_VARS instead of manually passing "@comment "
through PLIST_SUBST to the plist module.
2008-04-12 22:42:57 +00:00
tnn
20a85821ab Link shared libraries with -rpath on IRIX to prevent check-shlibs errors. 2008-02-20 01:10:20 +00:00
tnn
5b7fef9e0c Update to openssl-0.9.8g. Provided by Jukka Salmi in pkgsrc-wip.
pkgsrc notes:
  o Tested on NetBSD/i386 (Jukka Salmi), Mac OSX 10.5 (Adrian Portelli),
    Linux (Jeremy C. Reed), Tru64 5.1b (tnn), HP-UX 11i (tnn).
    Because the Makefile system has been rewamped, other
    platforms may require fixes. Please test if you can.
  o OpenSSL can now be built with installation to DESTDIR.

Overview of important changes since 0.9.7i:
  o Add gcc 4.2 support.
  o DTLS improvements.
  o RFC4507bis support.
  o TLS Extensions support.
  o RFC3779 support.
  o New cipher Camellia
  o Updated ECC cipher suite support.
  o New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free().
  o Zlib compression usage fixes.
  o Major work on the BIGNUM library for higher efficiency and to
    make operations more streamlined and less contradictory.  This
    is the result of a major audit of the BIGNUM library.
  o Addition of BIGNUM functions for fields GF(2^m) and NIST
    curves, to support the Elliptic Crypto functions.
  o Major work on Elliptic Crypto; ECDH and ECDSA added, including
    the use through EVP, X509 and ENGINE.
  o New ASN.1 mini-compiler that's usable through the OpenSSL
    configuration file.
  o Added support for ASN.1 indefinite length constructed encoding.
  o New PKCS#12 'medium level' API to manipulate PKCS#12 files.
  o Complete rework of shared library construction and linking
    programs with shared or static libraries, through a separate
    Makefile.shared.
  o Rework of the passing of parameters from one Makefile to another.
  o Changed ENGINE framework to load dynamic engine modules
    automatically from specifically given directories.
  o New structure and ASN.1 functions for CertificatePair.
  o Changed the key-generation and primality testing "progress"
    mechanism to take a structure that contains the ticker
    function and an argument.
  o New engine module: GMP (performs private key exponentiation).
  o New engine module: VIA PadLOck ACE extension in VIA C3
    Nehemiah processors.
  o Added support for IPv6 addresses in certificate extensions.
    See RFC 1884, section 2.2.
  o Added support for certificate policy mappings, policy
    constraints and name constraints.
  o Added support for multi-valued AVAs in the OpenSSL
    configuration file.
  o Added support for multiple certificates with the same subject
    in the 'openssl ca' index file.
  o Make it possible to create self-signed certificates using
    'openssl ca -selfsign'.
  o Make it possible to generate a serial number file with
    'openssl ca -create_serial'.
  o New binary search functions with extended functionality.
  o New BUF functions.
  o New STORE structure and library to provide an interface to all
    sorts of data repositories.  Supports storage of public and
    private keys, certificates, CRLs, numbers and arbitrary blobs.
    This library is unfortunately unfinished and unused withing
    OpenSSL.
  o New control functions for the error stack.
  o Changed the PKCS#7 library to support one-pass S/MIME
    processing.
  o New FIPS 180-2 algorithms (SHA-224, -256, -384 and -512).
  o New X509_VERIFY_PARAM structure to support parametrisation
    of X.509 path validation.
  o Change the default digest in 'openssl' commands from MD5 to
    SHA-1.
  o Added support for DTLS.
  o New BIGNUM blinding.
  o Added support for the RSA-PSS encryption scheme
  o Added support for the RSA X.931 padding.
  o Added support for files larger than 2GB.
  o Added alternate pkg-config files.
2008-01-17 06:42:47 +00:00
joerg
6cf0f6c49c Fix builtin.mk logic for thread feature if no native OpenSSL exists.
Fixes PR pkg/37699 from Aleksey Cheusov.
2008-01-07 15:51:08 +00:00
rillig
d5a1ab0577 Fixed a few pkglint warnings. 2008-01-05 20:41:25 +00:00
rillig
7f791603aa Removed the special-case handling of PKG_SYSCONFDIR for NetBSD. Now the
configuration files are installed in the usual pkgsrc place, not in
/etc. PKGREVISION++

Ok'ed by jlam@.
2008-01-04 22:08:09 +00:00
gdt
efee29e6e8 Remove deprecated "fee-based commercial use" license for idea, mdc2,
rc5, and replace with {idea,mdc2,rc5}-nonlicense.  Because pkgsrc does
not yet handle multiple licenses, set LICENSE to
openssl-patented-algorithms-nonlicense.
2007-12-27 23:41:42 +00:00
adrianp
e35260c69d Full and proper fix for CVE-2007-5135
PKGREVISION++
2007-10-21 17:52:52 +00:00
jlam
06ab49ce09 Allow packages that use OpenSSL to specify that they need an OpenSSL
built with support for threads.  This is done by adding the following
line to the package Makefile before the inclusion of openssl/buildlink3.mk:

    USE_FEATURES.openssl=	threads

The openssl/builtin.mk file is also adjusted to detect whether or not
the built-in OpenSSL was built with support for threads and the result
is used accordingly to determine whether or not a pkgsrc OpenSSL is
needed.
2007-09-07 17:26:23 +00:00
tnn
570236364e Add a target configuration for Tru64 with gcc. 2007-08-04 14:29:43 +00:00
tron
885d73992c Compile OpenSSL with supports for threads. This allows an application
to register callbacks which implement locking primitive to make
OpenSSL thread-safe.

Bump package revision because of this change.
2007-07-18 13:11:15 +00:00
rillig
7f125459d8 Removed some code duplication from the buildlink3 files by using the new
pkg-build-options.mk procedure.
2007-05-30 08:54:28 +00:00
tron
9bb2b9aba2 Fix typo in "SUBST_MESSAGE.dl". 2007-05-03 14:23:42 +00:00
tron
bea247486f Also link with the "dl" library when creating the shared libraries.
Another attempt to fix PR pkg/36086.
2007-04-26 21:11:05 +00:00
tron
2d5bd3c024 Use all necessary means to convince OpenSSL's "special" build system
to link with the "dl" library under Mac OS X if necessary.
This should finally fix PR pkg/36086.
2007-04-24 14:10:37 +00:00
tron
09d04b1e6d Make sure that the "dlcompat" related options are actually added to
"LDFLAGS". This is another attempt to fix PR pkg/36086.
2007-04-18 14:11:33 +00:00
tron
f7c84b5393 Because OpenSSL uses dlfcn(3) only internally and Mac OS X supports shared
library dependences we don't need to include "dlopen.buildlink3.mk" here.
2007-04-17 17:12:09 +00:00
tron
944afe7a21 Use "pkgsrc/mk/dlopen.buildlink3.mk" instead of manually including
"pkgsrc/devel/dlcompat/buildlink3.mk" under Darwin. This might
finally fix PR pkg/36086.
2007-04-17 17:04:00 +00:00
tron
1e65ee8c3c Add ${BUILDLINK_LDFLAGS.dlcompat} (defined as "-ldl") to "LDFLAGS" under
Mac OS X. This is harmless under recent versions of Mac OS X where
"libdl.dylib" is symbolic link to "libSystem.dylib". And it is necessary
under old versions of Mac OS X (Jaguar and older) where we need the
"libdl.dylib" from the "dlcompat" package.

This should finally fix PR pkg/36086 by John D. Baker.
2007-04-01 21:33:05 +00:00
tron
ecd5e19f04 Include "pkgsrc/devel/dlcompat/buildlink3.mk" when building this package
under Mac OS X. This should fix PR pkg/36086.
2007-03-26 11:44:18 +00:00
wiz
601583c320 Whitespace cleanup, courtesy of pkglint.
Patch provided by Sergey Svishchev in private mail.
2007-02-22 19:26:05 +00:00
joerg
5e43280b23 Replace mk/bsd.prefs.mk includes with bsd.fast.prefs.mk includes.
The redundant parsing of bsd.prefs.mk is mostly avoided now and
parse time e.g. for x11/kdebase3 gets reduced by up to 10%.
2006-12-12 21:52:34 +00:00
cbiere
602a5d0eba Check for GCC on IRIX instead of assuming the native compiler is used. 2006-12-03 14:49:56 +00:00
taca
a62f70f91b Apply patches which fixes recent security problem of OpenSSL.
http://secunia.com/advisories/22130/

Bump PKGREVISION.
2006-09-30 04:20:24 +00:00
adrianp
5b262fee54 Add a patch to address CVE-2006-4339 2006-09-07 09:44:31 +00:00
abs
516a84e887 some apps (dovecot) need the SSLDIR rather than SSLCERTS & SSLKEYS 2006-08-09 11:23:20 +00:00
jlam
c16221a4db Change the format of BUILDLINK_ORDER to contain depth information as well,
and add a new helper target and script, "show-buildlink3", that outputs
a listing of the buildlink3.mk files included as well as the depth at
which they are included.

For example, "make show-buildlink3" in fonts/Xft2 displays:

	zlib
	fontconfig
	    iconv
	    zlib
	    freetype2
	    expat
	freetype2
	Xrender
	    renderproto
2006-07-08 23:10:35 +00:00
jlam
9430e49307 Track information in a new variable BUILDLINK_ORDER that informs us
of the order in which buildlink3.mk files are (recursively) included
by a package Makefile.
2006-07-08 22:38:58 +00:00
joerg
2265d39d98 Forgotten patchsum update. 2006-06-13 12:00:43 +00:00
joerg
dea482e6ce Add DragonFly support. 2006-06-12 22:46:50 +00:00
reed
5abef9be14 Over 1200 files touched but no revisions bumped :)
RECOMMENDED is removed. It becomes ABI_DEPENDS.

BUILDLINK_RECOMMENDED.foo becomes BUILDLINK_ABI_DEPENDS.foo.

BUILDLINK_DEPENDS.foo becomes BUILDLINK_API_DEPENDS.foo.

BUILDLINK_DEPENDS does not change.

IGNORE_RECOMMENDED (which defaulted to "no") becomes USE_ABI_DEPENDS
which defaults to "yes".

Added to obsolete.mk checking for IGNORE_RECOMMENDED.

I did not manually go through and fix any aesthetic tab/spacing issues.

I have tested the above patch on DragonFly building and packaging
subversion and pkglint and their many dependencies.

I have also tested USE_ABI_DEPENDS=no on my NetBSD workstation (where I
have used IGNORE_RECOMMENDED for a long time). I have been an active user
of IGNORE_RECOMMENDED since it was available.

As suggested, I removed the documentation sentences suggesting bumping for
"security" issues.

As discussed on tech-pkg.

I will commit to revbump, pkglint, pkg_install, createbuildlink separately.

Note that if you use wip, it will fail!  I will commit to pkgsrc-wip
later (within day).
2006-04-06 06:21:32 +00:00
jlam
d71a98aa8e Avoid extra stat() calls by not repeatedly checking whether a file
exists on the disk -- we can just check whether a variable defined by
find-files.mk is "__nonexistent__" or not.
2006-03-30 18:06:17 +00:00
jlam
641e118d57 Drop maintainership for packages that I no longer have time to maintain. 2006-03-14 16:00:40 +00:00
grant
de07d7e041 add support for Solaris/i386 and x86_64, and fallback to the configure
script's auto detection for other archs.
2006-03-02 03:28:07 +00:00
joerg
5911def816 Recursive revision bump / recommended bump for gettext ABI change. 2006-02-05 23:08:03 +00:00