Commit graph

190 commits

Author SHA1 Message Date
tv
0fc96ae1c3 Make compile on Interix. No-op change for other platforms, so no PKGREVISION
bump.  (Main MI change:  -soname -> -h, as some GNU ld(1) wants --soname
instead of -soname, but -h works on all GNU ld(1) versions.)
2004-04-25 20:36:11 +00:00
tron
0f086b9983 If the native OpenSSL contains the security fixes pulled up to the
netbsd-1-6 branch on 2004-04-01, then pretend it's openssl-0.9.6m.
2004-04-07 13:31:54 +00:00
wiz
ca4b3c701c Grammar fix. 2004-04-02 23:41:50 +00:00
jlam
bd1564f2ad If the native OpenSSL contains the security fixes pulled up to the
netbsd-1-6 branch on 2004-04-01, then pretend it's openssl-0.9.6m.
2004-04-02 21:42:32 +00:00
seb
bf290ad41d Fix build on NetBSD sparc64 with perl 5.8.
usage of perl's int() causes trouble with perl 5.8.3 (5.8*?) on at least
NetBSD sparc64/1.6.2.

The perl script openssl-0.9.6m/crypto/bn/bn_prime.pl uses the perl
function int() to truncate the return of sqrt() function.
On the above mentioned platform this leads to execution error:
...
/usr/pkg/bin/perl bn_prime.pl >bn_prime.h
Illegal modulus zero at bn_prime.pl line 16.

Tracing the problem I've found that this int() usage may be the key
of the problem. Please note the following:

$ uname -srm; perl -v | grep 'This is perl'; perl -e 'print int(sqrt(3)),"\n"'
NetBSD 1.6.2 sparc64
This is perl, v5.8.3 built for sparc64-netbsd
2
And...

$ uname -srm; perl -v | grep 'This is perl'; perl -e 'print int(sqrt(3)),"\n"'
NetBSD 1.6.2 sparc64
This is perl, v5.6.1 built for sparc64-netbsd
1

Also note that perlfunc(3) warns about int() used for rounding and
recommends to use sprintf, printf, POSIX::floor or POSIX::ceil when
applicable.

My workaround is to use POSIX::floor() instead of int().
2004-03-29 13:49:42 +00:00
jlam
e31ad45e30 Consolidate all of the PLIST.* files that duplicated each other into a
single file PLIST.shlib.  Only have PLIST.${LOWER_OPSYS} if it differs
from PLIST.shlib.
2004-03-26 08:33:49 +00:00
jlam
6ccbfe8c32 Don't rebuild openssl again as part of installing it. 2004-03-26 08:13:24 +00:00
jlam
d2bd9adbc6 Allow the rehash of the certs database to not error out during the build
due to libssl.so.300 not being found by correctly setting LD_LIBRARY_PATH.
2004-03-26 06:54:30 +00:00
jlam
187f9049b9 We can't use ${PKGBASE} on the left-hand side of an assignment since it's
not defined yet until bsd.pkg.mk.  Explicitly use "openssl" instead.  This
correctly forces NetBSD installations of openssl to use /etc/openssl as
the configuration file directory as originally intended.
2004-03-26 06:16:16 +00:00
jlam
40ae26143e Add some mirror sites since the main OpenSSL site seems to be dead at the
moment.
2004-03-26 05:41:10 +00:00
wiz
62401faee5 Update to 0.9.6m:
Changes between 0.9.6l and 0.9.6m  [17 Mar 2004]
  *) Fix null-pointer assignment in do_change_cipher_spec() revealed
     by using the Codenomicon TLS Test Tool (CAN-2004-0079)
     [Joe Orton, Steve Henson]
2004-03-26 02:22:38 +00:00
jlam
7db11b582a Fix serious bug where BUILDLINK_PACKAGES wasn't being ordered properly
by moving the inclusion of buildlink3.mk files outside of the protected
region.  This bug would be seen by users that have set PREFER_PKGSRC
or PREFER_NATIVE to non-default values.

BUILDLINK_PACKAGES should be ordered so that for any package in the
list, that package doesn't depend on any packages to the left of it
in the list.  This ordering property is used to check for builtin
packages in the correct order.  The problem was that including a
buildlink3.mk file for <pkg> correctly ensured that <pkg> was removed
from BUILDLINK_PACKAGES and appended to the end.  However, since the
inclusion of any other buildlink3.mk files within that buildlink3.mk
was in a region that was protected against multiple inclusion, those
dependencies weren't also moved to the end of BUILDLINK_PACKAGES.
2004-03-18 09:12:08 +00:00
jlam
d0b4c54eb6 Split out the code that deals with checking whether the software is
built-in or not into a separate builtin.mk file.  The code to deal
checking for built-in software is much simpler to deal with in pkgsrc.

The buildlink3.mk file for a package will be of the usual format
regardless of the package, which makes it simpler for packagers to
update a package.

The builtin.mk file for a package must define a single yes/no variable
USE_BUILTIN.<pkg> that is used by bsd.buildlink3.mk to decide whether
to use the built-in software or to use the pkgsrc software.
2004-03-10 17:57:14 +00:00
reed
044930d046 Don't build and install openssl with IDEA, MDC2, or RC5 support.
According to README, "RSA Security holds software patents on the
RC5 algorithm.  If you intend to use this cipher, you must contact
RSA Security for licensing conditions." And "The IDEA algorithm is
patented by Ascom ... They should be contacted if that algorithm
is to be used." The openssl FAQ says "For patent reasons, support
for IDEA, RC5 and MDC2 is disabled in this [Red Hat Linux] version."
The FAQ lists patent numbers and expiry dates of US patents:
MDC-2: 4,908,861 13/03/2007
IDEA:  5,214,703 25/05/2010
RC5:   5,724,428 03/03/2015

Now fee-based-commercial-use ACCEPTABLE_LICENSES is not needed.
2004-03-09 08:06:45 +00:00
grant
1fa7a034f2 include mk/compiler.mk before testing ${CC} 2004-02-29 00:36:45 +00:00
jlam
bf6e059da4 Reorder some lines so that BUILDLINK_USE_BUILTIN.<pkg> set in the
environment overrides all other settings.
2004-02-18 16:35:27 +00:00
jlam
2c8d533a36 Don't use sysctl to determine the machine arch when ${MACHINE_ARCH} already
has the correct value.  Fixes build on NetBSD-1.5.3/sparc, which doesn't
understand "sysctl hw.machine_arch", reported in PR 24448.
2004-02-17 14:26:47 +00:00
jlam
2ee656decf s/_BUILTIN_OPENSSL/BUILDLINK_IS_BUILTIN.openssl/g 2004-02-12 09:38:43 +00:00
jlam
d2b62c66fb Create a new variable PREFER_NATIVE that has the opposite semantics
as PREFER_PKGSRC.  Preferences are determined by the most specific
instance of the package in either PREFER_PKGSRC or PREFER_NATIVE.  If
a package is specified in neither or in both variables, then PREFER_PKGSRC
has precedence over PREFER_NATIVE.
2004-02-12 02:35:06 +00:00
jlam
1edfa505ed Reorganize code so that any dependencies are checked as part of deciding
whether the software is built-in or not.  This facilitates implementing
the forthcoming PKGSRC_NATIVE variable.
2004-02-12 01:59:37 +00:00
jlam
7699290f10 If we're passing through MAKEFLAGS variables whose values may contain
spaces, use the :Q modifier instead of double-quoting the value.  This
avoids breakage when executing the just-in-time su targets.
2004-02-06 19:04:24 +00:00
jlam
317cc72791 Make PREFER_PKGSRC just yes/no or a list of packages. This makes it
simpler to understand.
2004-02-05 07:17:14 +00:00
jlam
e7133cac25 Rename BUILDLINK_PREFER_PKGSRC to PREFER_PKGSRC so that we can use its
value outside of buildlink-related files.
2004-02-05 07:06:15 +00:00
jlam
07a9d8dfb2 Support a new global variable:
BUILDLINK_PREFER_PKGSRC
	This variable determines whether or not to prefer the pkgsrc
	versions of software that is also present in the base system.

	This variable is multi-state:
		defined, or "yes"	always prefer the pkgsrc versions
		not defined, or "no"	only use the pkgsrc versions if
					needed by dependency requirements

	This can also take a list of packages for which to prefer the
	pkgsrc-installed software.  The package names may be found by
	consulting the value added to BUILDLINK_PACKAGES in the
	buildlink[23].mk files for that package.
2004-02-05 06:58:02 +00:00
jlam
22aa620838 Ensure that -lcrypt appears before -lcrypto on the command line so that
the system crypt(), which is considerably smarter than the OpenSSL crypt(),
is used.
2004-01-30 10:59:14 +00:00
jlam
01a5abff01 Support BUILDLINK_DEPENDS.<pkg> being a list of values. 2004-01-24 03:12:31 +00:00
jlam
0167c3791f Only point SSLCERTS into ${PKG_SYSCONFDIR} if we're not using the built-in
OpenSSL software.  Otherwise, set it to /etc/ssl/certs, which is where a
lot of Linux distros store certs.  The behaviour on NetBSD systems is
unchanged -- always set to /etc/openssl/certs.  Fixes PR 24161.
2004-01-21 10:03:41 +00:00
jlam
4b90d17ed9 From the log for rev. 1.1260 of bsd.pkg.mk:
"Package Makefiles should refer to PKG_SYSCONFBASEDIR instead of
 PKG_SYSCONFBASE when they want PKG_SYSCONFDIR stripped of
 PKG_SYSCONFSUBDIR.  This makes PKG_SYSCONFBASE=/etc work with pkgviews by
 installing all config files into /etc/packages/<pkg> instead of
 occasionally putting some directly into /etc."
2004-01-07 02:21:16 +00:00
jlam
38252eb956 bl3ify 2004-01-05 22:33:45 +00:00
jlam
d279e6f535 Use S/+$// instead of C/\+$// to save a backslash. Very highly
recommended by seb :)
2004-01-05 11:05:44 +00:00
jlam
c9ff27d270 Sow BUILDLINK_USE_BUILTIN.<pkg> and reap _NEED_<PKG> variables. 2004-01-05 09:31:31 +00:00
jlam
47bb2aae5f Re-arrange to match example buildlink3.mk file in bsd.buildlink3.mk. 2004-01-04 23:34:04 +00:00
jlam
339cd13cb2 Initial sprinkling of work-in-progress buildlink3.mk files for using the
buildlink3 framework.
2004-01-03 23:06:43 +00:00
erh
ff4ab4ac22 Add an empty plist for AIX. 2003-12-03 17:35:43 +00:00
reed
ace3815fc7 The PLIST.linux was empty, but should be registering the
libssl.so* and libcrypto.so* files. So added this.
2003-12-03 01:57:08 +00:00
jlam
dc0392f000 Fix OpenSSL version number parsing. Patch from PR 23532 by Michael van
Elst with style modifications by me.
2003-11-27 05:19:58 +00:00
jlam
49eef2d279 If the built-in OpenSSL software is 0.9.6g, then check whether it
contains the 0.9.6g -> 0.9.6l security fixes pulled up to netbsd-1-6 on
2003-11-07 by checking for the presence of the preprocessor symbol
OPENSSL_HAS_20031107_FIX.  If it does, then allow the built-in OpenSSL to
satisfy dependencies for openssl>=0.9.6l.
2003-11-25 06:56:08 +00:00
jschauma
07e126d1f6 textproc/glimpse and security/openssl no longer conflict, as openssl
does no longer install bin/cast.  Noted by Bernhard Riedel.
2003-11-19 02:57:43 +00:00
jschauma
b5425f7502 OpenSSL has not had base64 for a while now, so these two no longer need
to conflict.  Noted by Bernhard Riedel.
2003-11-19 02:52:46 +00:00
wiz
4c64aceda4 Remove OPENSSL_HAS_*FIX code; corresponding check was removed in
previous commit to this file. Noted superfluous by Todd Vierling.
2003-11-17 15:25:57 +00:00
wiz
6485961f23 Depend on latest openssl package (hi jan!).
Remove some obsolete code.
Fix rsaref reference, we do not want to include a buildlink3.mk here.
2003-11-12 07:55:02 +00:00
jschauma
cf88580cec Update to openssl-0.9.6l:
*) Fix additional bug revealed by the NISCC test suite:

     Stop bug triggering large recursion when presented with
     certain ASN.1 tags (CAN-2003-0851)
     [Steve Henson]
2003-11-12 03:35:45 +00:00
kristerw
d5f213bea8 Let the Configure script handle NetBSD-arm too. 2003-10-21 23:03:36 +00:00
reed
b2fcfff89a Add support for BSD/OS. 2003-10-04 07:54:52 +00:00
jschauma
83ca290393 Update to 0.9.6k:
Changes between 0.9.6j and 0.9.6k  [30 Sep 2003]

  *) Fix various bugs revealed by running the NISCC test suite:

     Stop out of bounds reads in the ASN1 code when presented with
     invalid tags (CAN-2003-0543 and CAN-2003-0544).

     If verify callback ignores invalid public key errors don't try to check
     certificate signature with the NULL public key.

     [Steve Henson]

  *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
     if the server requested one: as stated in TLS 1.0 and SSL 3.0
     specifications.
     [Steve Henson]

  *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
     extra data after the compression methods not only for TLS 1.0
     but also for SSL 3.0 (as required by the specification).
     [Bodo Moeller; problem pointed out by Matthias Loepfe]

  *) Change X509_certificate_type() to mark the key as exported/exportable
     when it's 512 *bits* long, not 512 bytes.
     [Richard Levitte]

 Changes between 0.9.6i and 0.9.6j  [10 Apr 2003]

  *) Countermeasure against the Klima-Pokorny-Rosa extension of
     Bleichbacher's attack on PKCS #1 v1.5 padding: treat
     a protocol version number mismatch like a decryption error
     in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
     [Bodo Moeller]

  *) Turn on RSA blinding by default in the default implementation
     to avoid a timing attack. Applications that don't want it can call
     RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
     They would be ill-advised to do so in most cases.
     [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller]

  *) Change RSA blinding code so that it works when the PRNG is not
     seeded (in this case, the secret RSA exponent is abused as
     an unpredictable seed -- if it is not unpredictable, there
     is no point in blinding anyway).  Make RSA blinding thread-safe
     by remembering the creator's thread ID in rsa->blinding and
     having all other threads use local one-time blinding factors
     (this requires more computation than sharing rsa->blinding, but
     avoids excessive locking; and if an RSA object is not shared
     between threads, blinding will still be very fast).
     [Bodo Moeller]

 Changes between 0.9.6h and 0.9.6i  [19 Feb 2003]

  *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
     via timing by performing a MAC computation even if incorrrect
     block cipher padding has been found.  This is a countermeasure
     against active attacks where the attacker has to distinguish
     between bad padding and a MAC verification error. (CAN-2003-0078)

     [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
     Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
     Martin Vuagnoux (EPFL, Ilion)]

 Changes between 0.9.6g and 0.9.6h  [5 Dec 2002]

  *) New function OPENSSL_cleanse(), which is used to cleanse a section of
     memory from it's contents.  This is done with a counter that will
     place alternating values in each byte.  This can be used to solve
     two issues: 1) the removal of calls to memset() by highly optimizing
     compilers, and 2) cleansing with other values than 0, since those can
     be read through on certain media, for example a swap space on disk.
     [Geoff Thorpe]

  *) Bugfix: client side session caching did not work with external caching,
     because the session->cipher setting was not restored when reloading
     from the external cache. This problem was masked, when
     SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (part of SSL_OP_ALL) was set.
     (Found by Steve Haslam <steve@araqnid.ddts.net>.)
     [Lutz Jaenicke]

  *) Fix client_certificate (ssl/s2_clnt.c): The permissible total
     length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.
     [Zeev Lieber <zeev-l@yahoo.com>]

  *) Undo an undocumented change introduced in 0.9.6e which caused
     repeated calls to OpenSSL_add_all_ciphers() and
     OpenSSL_add_all_digests() to be ignored, even after calling
     EVP_cleanup().
     [Richard Levitte]

  *) Change the default configuration reader to deal with last line not
     being properly terminated.
     [Richard Levitte]

  *) Change X509_NAME_cmp() so it applies the special rules on handling
     DN values that are of type PrintableString, as well as RDNs of type
     emailAddress where the value has the type ia5String.
     [stefank@valicert.com via Richard Levitte]

  *) Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half
     the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently
     doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be
     the bitwise-OR of the two for use by the majority of applications
     wanting this behaviour, and update the docs. The documented
     behaviour and actual behaviour were inconsistent and had been
     changing anyway, so this is more a bug-fix than a behavioural
     change.
     [Geoff Thorpe, diagnosed by Nadav Har'El]

  *) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
     (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes).
     [Bodo Moeller]

  *) Fix initialization code race conditions in
        SSLv23_method(),  SSLv23_client_method(),   SSLv23_server_method(),
        SSLv2_method(),   SSLv2_client_method(),    SSLv2_server_method(),
        SSLv3_method(),   SSLv3_client_method(),    SSLv3_server_method(),
        TLSv1_method(),   TLSv1_client_method(),    TLSv1_server_method(),
        ssl2_get_cipher_by_char(),
        ssl3_get_cipher_by_char().
     [Patrick McCormick <patrick@tellme.com>, Bodo Moeller]

  *) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after
     the cached sessions are flushed, as the remove_cb() might use ex_data
     contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com>
     (see [openssl.org #212]).
     [Geoff Thorpe, Lutz Jaenicke]

  *) Fix typo in OBJ_txt2obj which incorrectly passed the content
     length, instead of the encoding length to d2i_ASN1_OBJECT.
     [Steve Henson]
2003-10-02 02:34:39 +00:00
grant
0f0b2f9840 style nits 2003-09-22 03:15:33 +00:00
grant
7be5254f17 formatting nits 2003-09-22 03:13:58 +00:00
jlam
05b5d9484e Rewrite this file so that we can specify the version of OpenSSL that we
need by simply setting BUILDLINK_DEPENDS.openssl.  This buildlink2.mk file
now functions just like any other typical buildlink2.mk file.
2003-09-11 04:10:38 +00:00
jlam
31ac96c449 Note version numbers for 0.9.6[hij]. 2003-09-10 16:43:14 +00:00
jlam
8851ca23da Only check if we need to add the rsaref dependency if we need the pkgsrc
openssl.
2003-09-10 16:25:25 +00:00