Commit graph

2902 commits

Author SHA1 Message Date
shannonjr
e66a4370f1 Enabled threads as recommended by developers. 2005-01-04 13:52:01 +00:00
shannonjr
0fe467b5f1 Update to release 0.90.
Dirmngr is a server for managing and downloading certificate
revocation lists (CRLs) for X.509 certificates and for downloading the
certificates themselves. Dirmngr also handles OCSP requests as an
alternative to CRLs. Dirmngr is either invoked internally by gpgsm
(from gnupg 1.9) or when running as a system daemon through the
dirmngr-client tool.

What's new in this release
==========================

 * New option --daemon to start dirmngr as a system daemon.  This
   switches to the use of different directories and also does
   CRL signing certificate validation on its own.
 * New tool dirmngr-client.
 * New options: --ldap-wrapper-program, --http-wrapper-program,
   --disable-ldap, --disable-http, --honor-http-proxy, --http-proxy,
   --ldap-proxy, --only-ldap-proxy, --ignore-ldap-dp and
   --ignore-http-dp.
 * Uses an external ldap wrapper to cope with timeouts and general
   LDAP problems.
 * SIGHUP may be used to reread the configuration and to flush the
   certificate cache.
 * An authorityKeyIdentifier in a CRL is now handled correctly.
2005-01-04 13:40:38 +00:00
taca
ae8d8df80d Update pgpdump 0.24.
0.24 2004/12/24

* More secure programming style.
* Adding GnuPG string-to-key.
* Adding a missing key flag.
2005-01-04 13:23:24 +00:00
taca
ffc6d2b89b Fix PLIST; don't leave used directories. 2005-01-04 06:22:56 +00:00
martti
6034a1d81a Updated stunnel to 4.07
Version 4.07, 2005.01.03, urgency: MEDIUM:
* Bugfixes
  - Problem with infinite poll() timeout negative, but not equal to -1 fixed.
  - Problem with a file descriptor ready to be read just after a non-blocking
    connect call fixed.
  - Compile error with EAI_NODATA not defined or equal to EAI_NONAME fixed.
  - IP address and TCP port textual representation length (IPLEN) increased
    to 128 bytes.
  - OpenSSL engine support is only used if engine.h header file exists.
2005-01-03 12:17:44 +00:00
peter
6096f0916c Change mode of CONF_FILES to 0600.
From Adrian Portelli.
2005-01-02 15:51:24 +00:00
jlam
83ff9738ed Fix a bug in the OpenSSL makefiles that installed a libfips.so symlink
that pointed to nothing.  There is no such thing as "libfips".
2004-12-31 17:34:10 +00:00
wiz
0711a9c2f3 Make the configure script accept gnupg>=1.3 too. 2004-12-30 17:41:57 +00:00
wiz
687c09e383 Bump PKGREVISION: depend on latest nessus-core package revision. 2004-12-30 13:20:56 +00:00
minskim
e07031c753 Use VARBASE. 2004-12-29 15:21:50 +00:00
minskim
487cd231d0 Use VARBASE. 2004-12-29 09:53:17 +00:00
minskim
14ae434c0e Set LC_ALL to "C" when running GNU awk. Otherwise it behaves
differently depending on user's LC_ALL value.

Thanks to "amorphis" of Korea BSD User Forum for reporting and
testing.
2004-12-29 03:43:23 +00:00
martti
2e8304e7d4 Updated stunnel to 4.06
Version 4.06, 2004.12.26, urgency: LOW:
* New feature sponsored by SURFnet http://www.surfnet.nl/
  - IPv6 support (to be enabled with ./configure --enable-ipv6).
* New features
  - poll() support - no more FD_SETSIZE limit!
  - Multiple connect=host:port options are allowed in a single service
    section.  Remote hosts are connected using round-robin algorithm.
    This feature is not compatible with delayed resolver.
  - New 'compression' option to enable compression.  To use zlib
    algorithm you have to enable it when building OpenSSL library.
  - New 'engine' option to select a hardware engine.
  - New 'TIMEOUTconnect' option with 10 seconds default added.
  - stunnel3 perl script to emulate version 3.x command line options.
  - French manual updated by Bernard Choppy <choppy AT free POINT fr>.
  - A watchdog to detect transfer() infinite loops added.
  - Configuration file comment character changed from '#' to ';'.
    '#' will still be recognized to keep compatibility.
  - MT-safe getaddrinfo() and getnameinfo() are used where available
    to get better performance on resolver calls.
  - Automake upgraded from 1.4-p4 to 1.7.9.
* Bugfixes
  - log() changed to s_log() to avoid conflicts on some systems.
  - Common CRIT_INET critical section introduced instead of separate
    CRIT_NTOA and CRIT_RESOLVER to avoid potential problems with
    libwrap (TCP Wrappers) library.
  - CreateThread() finally replaced with _beginthread() on Win32.
  - make install creates $(localstatedir)/stunnel.
    $(localstatedir)/stunnel/dev/zero is also created on Solaris.
  - Race condition with client session cache fixed.
  - Other minor bugfixes.
* Release notes
  - Default is *not* to use IPv6 '::' for accept and '::1' for
    connect.  For example to accept pop3s on IPv6 you could use:
    'accept = :::995'.  I hope the new syntax is clear enough.
2004-12-28 09:09:52 +00:00
reed
32d8f290c2 The default location of the pkgsrc-installed rc.d scripts is now
under share/examples/rc.d. The variable name already was named
RCD_SCRIPTS_EXAMPLEDIR.

This is from ideas from Greg Woods and others.

Also bumped PKGREVISION for all packages using RCD_SCRIPTS mechanism
(as requested by wiz).
2004-12-28 02:47:40 +00:00
reed
a130ed83a9 Moved PKGREVISION definition from common Makefile to the
package-specific Makefile (as mentioned on tech-pkg).
2004-12-28 01:39:32 +00:00
minskim
248e2dee9c Update py-OpenSSL to 0.6. Patch provided by Rui Paulo.
Changes:
	* doc/pyOpenSSL.tex: Updates to the docs.
	* src/crypto/x509.c: Add X509.add_extensions based on a patch
	  from Han S. Lee.
	* src/ssl/ssl.c: Add more SSL_OP_ constants. Patch from Mihai
	  Ibanescu.
	* setup.py src/crypto/: Add support for Netscape SPKI extensions
	  based on a patch from Tollef Fog Heen.
	* src/crypto/crypto.c: Add support for python passphrase callbacks
	  based on a patch from Robert Olson.
	* src/ssl/context.c: Applied patch from Frederic Peters to add
	  Context.use_certificate_chain_file.
	* src/crypto/x509.c: Applied patch from Tollef Fog Heen to add
	  X509.subject_name_hash and X509.digest.
	* src/crypto/crypto.c src/ssl/ssl.c: Applied patch from Bastian
	  Kleineidam to fix full names of exceptions.
	* doc/pyOpenSSL.tex: Fix the errors regarding X509Name's field names.
	* examples/certgen.py: Fixed wrong attributes in doc string, thanks
	  Remy. (SFbug#913315)
	* __init__.py, setup.py, version.py: Add __version__, as suggested by
	  Ronald Oussoren in SFbug#888729.
	* examples/proxy.py: Fix typos, thanks Mihai Ibanescu. (SFpatch#895820)
	* Use cyclic GC protocol in SSL.Connection, SSL.Context, crypto.PKCS12
	  and crypto.X509Name.
	* tsafe.py: Add some missing methods.
	* __init__.py: Import tsafe too!
	* src/crypto/x509name.c: Use unicode strings instead of ordinary
	  strings in getattr/setattr. Note that plain ascii strings should
	  still work.
2004-12-27 23:35:54 +00:00
wiz
1350e5b65b Add and enable mixminion. 2004-12-27 22:59:41 +00:00
wiz
68ea71aa3e Initial import of mixminion-0.0.7.1, provided by Peter Hendrickson
in PR 25573, with some cleanup by me.

Mixminion is a communication security application for electronic mail
messages.  Its purpose is to deny an adversary the ability to
determine who is communicating with whom and to provide the closely
related service of anonymous communication.

It does this by sending messages through a series of servers.
Messages going into and out of each server are encrypted.  Each server
keeps a pool of messages.  When a message comes in it is placed in the
pool.  Messages sent out from the pool are difficult to correlate with
the messages going in.  This process is called "mixing."

Each server reduces the ability of the adversary to determine the
origin of a message.  Chaining the servers further reduces this
ability and contains the damage caused by compromised servers.  The
chain of servers is chosen by the Mixminion software running on the
user's machine.

See http://mixminion.net for a complete description.
2004-12-27 22:58:57 +00:00
jlam
34a211b1e3 Fix compilation on FreeBSD/x86 by ensuring that the FIPS assembly code
isn't used when fips isn't requested during configuration.
2004-12-27 06:14:40 +00:00
jlam
7a022e9cf2 Fix build on non-x86 platforms (PR pkg/28787). 2004-12-27 02:31:07 +00:00
wiz
9c1c388d33 Update to 0.2.3.
* Version 0.2.3 (released 2004-12-15)

** Fix example code to handle base64 encoded data properly.

** DIGEST-MD5 is disabled by default, pending a rewrite for the new API.

** Command line tool uses new callback interface to the library.

** Command line tool uses "iconvme" from gnulib for UTF-8 string conversion.

** Server mode in the command line tool does not work currently.
It is unclear if this feature was ever that useful.  If there are no
objections, it will be removed completely in future versions.

** Documentation fixes.

** Fix self test bugs.

* Version 0.2.2 (released 2004-11-29)

** Update of gnulib files.

* Version 0.2.1 (released 2004-11-19)

** Documentation fixes; the old callback API functions are marked as obsolete.

* Version 0.2.0 (released 2004-11-07)

** Added new directory examples/ with complete examples for new API.

** Documentation improvements.
For example, you can now browse the GNU SASL API manual using DevHelp.

** Update of gnulib files.

** More self tests.

** Translation fixes.
2004-12-26 22:56:09 +00:00
wiz
1042793de2 Update to 0.0.15:
New in 0.0.15:

** Documentation improvements.
For example, you can now browse the GSS manual using DevHelp.

** Libtool's -export-symbols-regex is now used to only export official APIs.
Before, applications might accidentally access internal functions.
Note that this is not supported on all platforms, so you must still
make sure you are not using undocumented symbols in GSS.

* Version 0.0.14 (released 2004-10-15)

** gss_import_name and gss_duplicate_name no longer clone the OID.
Instead, only the pointer to the OID is cloned.  It seems unclear where
a cloned OID would be deallocated.

** Fixed handling of sequence numbers in gss_accept_sec_context, for servers.

** Fix crash in gss_accept_sec_context for NULL values of ret_flags.

** Fix memory leaks.

** Sync with new Shishi 0.0.18 API.
2004-12-26 22:21:52 +00:00
wiz
6d9ad50087 Update to 0.2.11:
- Added the self test with "make check" target
- Added management of ANY type with null length
- Corrected some writes to invalid data.
2004-12-26 01:53:17 +00:00
jlam
c264be5d18 Alter patches to make them more likely to be accepted back by the
OpenSSL project.  Also use the sparcv9 MD5 assembly routines on
NetBSD/sparc64.
2004-12-25 22:11:26 +00:00
jlam
0a6f42ca41 Use the correct assembly routines on NetBSD/i386 depending on whether
it's a.out or ELF.
2004-12-25 19:09:08 +00:00
wiz
37147d29df Add options.mk file. 2004-12-25 02:54:49 +00:00
wiz
e21f814082 Update to 1.4.0, provided by Stefan Krüger in PR 28738.
While here, convert to options.mk.


GnuPG 1.4 Highlights
====================

This is a brief overview of the changes between the GnuPG 1.2 series
and the new GnuPG 1.4 series.  To read the full list of highlights for
each revision that led up to 1.4, see the NEWS file in the GnuPG
distribution.  This document is based on the NEWS file, and is thus
the highlights of the highlights.

When upgrading, note that RFC-2440, the OpenPGP standard, is currently
being revised.  Most of the revisions in the latest draft (2440bis-12)
have already been incorporated into GnuPG 1.4.


Algorithm Changes
-----------------

OpenPGP supports many different algorithms for encryption, hashing,
and compression, and taking into account the OpenPGP revisions, GnuPG
1.4 supports a slightly different algorithm set than 1.2 did.

The SHA256, SHA384, and SHA512 hashes are now supported for read and
write.

The BZIP2 compression algorithm is now supported for read and write.

Due to the recent successful attack on the MD5 hash algorithm
(discussed in <http://www.rsasecurity.com/rsalabs/node.asp?id=2738>,
among other places), MD5 is deprecated for OpenPGP use.  It is still
allowed in GnuPG 1.4 for backwards compatibility, but a warning is
given when it is used.

The TIGER/192 hash is no longer available.  This should not be
interpreted as a statement as to the quality of TIGER/192 - rather,
the revised OpenPGP standard removes support for several unused or
mostly unused hashes, and TIGER/192 was one of them.

Similarly, Elgamal signatures and the Elgamal signing key type have
been removed from the OpenPGP standard, and thus from GnuPG.  Please
do not confuse Elgamal signatures with DSA or DSS signatures or with
Elgamal encryption.  Elgamal signatures were very rarely used and were
not supported in any product other than GnuPG.  Elgamal encryption was
and still is part of OpenPGP and GnuPG.

Very old (pre-1.0) versions of GnuPG supported a nonstandard (contrary
to OpenPGP) Elgamal key type.  While no recent version of GnuPG
permitted the generation of such keys, GnuPG 1.2 could still use them.
GnuPG 1.4 no longer allows the use of these keys or the (also
nonstandard) messages generated using them.

At build time, it is possible to select which algorithms will be built
into GnuPG.  This can be used to build a smaller program binary for
embedded uses where space is tight.


Keyserver Changes
-----------------

GnuPG 1.4 does all keyserver operations via plugin or helper
applications.  This allows the main GnuPG program to be smaller and
simpler.  People who package GnuPG for various reasons have the
flexibility to include or leave out support for any keyserver type as
desired.

Support for fetching keys via HTTP and finger has been added.  This is
mainly useful for setting a preferred keyserver URL like
"http://www.jabberwocky.com/key.asc" or "finger:wk at g10code.com".

The LDAP keyserver helper now supports storing, retrieving, and
searching for keys in both the old NAI "LDAP keyserver" as well as the
more recent method to store OpenPGP keys in standard LDAP servers.
This is compatible with the storage schema that PGP uses, so both
products can interoperate with the same LDAP server.

The LDAP keyserver helper is compatible with the PGP company's new
"Global Directory" service.

If the LDAP library you use supports LDAP-over-TLS and LDAPS, then
GnuPG detects this and supports them as well.  Note that using TLS or
LDAPS does not improve the security of GnuPG itself, but may be useful
in certain key distribution scenarios.

HTTP Basic authentication is now supported for all HKP and HTTP
keyserver functions, either through a proxy or via direct access.

The HKP keyserver plugin supports the new machine-readable key
listing format for those keyservers that provide it.

IPv6 is supported for HKP and HTTP keyserver access.

When using an HKP keyserver with multiple DNS records (such as
subkeys.pgp.net which has the addresses of multiple servers around the
world), all DNS address records are tried until one succeeds.  This
prevents a single down server in the rotation from stopping access.

DNS SRV records are used in HKP keyserver lookups to allow
administrators to load balance and select keyserver ports
automatically.

Timeout support has been added to the keyserver plugins.  This allows
users to set an upper limit on how long to wait for the keyserver
before giving up.


Preferred Keyserver URL
-----------------------

Preferred keyserver support has been added.  Users may set a preferred
keyserver via the --edit-key command "keyserver".  If the
--keyserver-option honor-keyserver-url is set (and it is by default),
then the preferred keyserver is used when refreshing that key with
--refresh-keys.

The --sig-keyserver-url option can be used to inform signature
recipients where the signing key can be downloaded.  When verifying
the signature, if the signing key is not present, and the keyserver
options honor-keyserver-url and auto-key-retrieve are set, this URL
will be used to retrieve the key.


Trust Signatures
----------------

GnuPG 1.4 supports OpenPGP trust signatures, which allow a user to
specify the trust level and distance from the user along with the
signature so users can delegate different levels of certification
ability to other users, possibly restricted by a regular expression on
the user ID.


Trust Models
------------

GnuPG 1.4 supports several ways of looking at trust:

Classic - The classic PGP trust model, where people sign each other's
          keys and thus build up an assurance (called "validity") that
          the key belongs to the right person.  This was the default
          trust model in GnuPG 1.2.

Always - Bypass all trust checks, and make all keys fully valid.

Direct - Users may set key validity directly.

PGP - The PGP 7 and 8 behavior which combines Classic trust with trust
      signatures overlaid on top.  This is the default trust model in
      GnuPG 1.4.


The OpenPGP Smartcard
---------------------

GnuPG 1.4 supports the OpenPGP smartcard
(<http://www.g10code.de/p-card.html>).

Secret keys may be kept fully or partially on the smartcard.  The
smartcard may be used for primary keys or subkeys.


Other Interesting New Features
------------------------------

For those using Security-Enhanced Linux <http://www.nsa.gov/selinux/>,
the configure option --enable-selinux-support prevents GnuPG from
processing its own files (i.e. reading the secret keyring for
something other than getting a secret key from it).  This simplifies
writing ACLs for the SELinux kernel.

Readline support is now available at all prompts if the system
provides a readline library.

GnuPG can now create messages that can be decrypted with either a
passphrase or a secret key.  These messages may be generated with
--symmetric --encrypt or --symmetric --sign --encrypt.

--list-options and --verify-options allow the user to customize
exactly what key listings or signature verifications look like,
enabling or disabling things such as photo display, preferred
keyserver URL, calculated validity for each user ID, etc.

The --primary-keyring option designates the keyring that the user
wants new keys imported into.

The --hidden-recipient (or -R) command encrypts to a user, but hides
the identity of that user.  This is the same functionality as
--throw-keyid, but can be used on a per-user basis.

Full algorithm names (e.g. "3DES", "SHA1", "ZIP") can now be used
interchangeably with the short algorithm names (e.g. "S2", "H2", "Z1")
anywhere algorithm names are used in GnuPG.

The --keyid-format option selects short (99242560), long
(DB698D7199242560), 0xshort (0x99242560), or 0xlong
(0xDB698D7199242560) key ID displays.  This lets users tune the
display to what they prefer.

While it is not recommended for extended periods, it is possible to
run both GnuPG 1.2.x and GnuPG 1.4 during the transition.  To aid in
this, GnuPG 1.4 tries to load a config file suffixed with its version
before it loads the default config file.  For example, 1.4 will try
for gpg.conf-1.4 and gpg.conf-1 before falling back to the regular
gpg.conf file.
2004-12-25 02:54:13 +00:00
jlam
ac1c08301c Update security/openssl to 0.9.7e. Changes from openssl-0.9.6m are
too numerous to be listed here, but include adding a new DES API
(support for the old one is still present).

Changes to the pkgsrc structure include:

* Install the shared libraries with a version number that matches the
  OpenSSL version number

* Move some of the less often-used c_* utilities back into the examples
  directory.

* Drop support for using the RSAREF library and always use the built-in
  RSA code instead.
2004-12-24 22:02:37 +00:00
jlam
674222c93d Enable building heimdal with the "ldap" option to allow using an LDAP
server as a datastore for the KDC.
2004-12-23 14:43:28 +00:00
shannonjr
a04dd09a45 Upgrade to 1.9.14. This is mainly a bug fix release with a few new things:
 * [gpg-agent] New option --use-standard-socket to allow the use of a
   fixed socket.  gpgsm falls back to this socket if GPG_AGENT_INFO
   has not been set.

 * New tool gpg-preset-passphrase.
2004-12-23 11:44:49 +00:00
shannonjr
03f3ef55cb Update to 0.6.9 - bug fixes and support for GnuPG 1.9.14 2004-12-23 11:40:47 +00:00
jlam
d86f3e8513 Update security/mit-krb5 to 1.3.6.
NOTE: THIS IS A SECURITY UPDATE.

Changes from version 1.3.4 include:

* [2841] Fix heap buffer overflow in password history
  mechanism. [MITKRB5-SA-2004-004]

* [2682] Fix ftpd hang caused by empty PASS command.

* [2686] Fix double-free errors. [MITKRB5-SA-2004-002]

* [2687] Fix denial-of-service vulnerability in ASN.1
  decoder. [MITKRB5-SA-2004-003]
2004-12-23 04:02:39 +00:00
jlam
650b62997d Remove support for some variables that are supposed to go away after
pkgsrc-2004Q4 is branched.
2004-12-22 21:46:24 +00:00
jlam
02e7a05425 Allow building sudo without S/Key support on NetBSD. Patch from
PR pkg/28743 by Jukka Salmi with minor changes by me.
2004-12-22 04:36:32 +00:00
jlam
2a9c112e73 Sort the options. 2004-12-22 03:59:10 +00:00
grant
daa81e9135 fix socklen_t hack by falling through to ${TRUE} if ${GREP} fails
(pattern not matched). ugh, bash.

fixes build on Linux. reported by minskim@
2004-12-21 08:57:48 +00:00
grant
908e765695 since perl is now built with threads on most platforms, the perl archlib
module directory has changed (eg. "darwin-2level" vs.
"darwin-thread-multi-2level").

binary packages of perl modules need to be distinguishable between
being built against threaded perl and unthreaded perl, so bump the
PKGREVISION of all perl module packages and introduce
BUILDLINK_RECOMMENDED for perl as perl>=5.8.5nb5 so the correct
dependencies are registered and the binary packages are distinct.

addresses PR pkg/28619 from H. Todd Fujinaka.
2004-12-20 11:30:55 +00:00
jdolecek
0cb264d340 Fix build on NetBSD 2.0 - configure script tried to link program with
libssl without also linking libcrypto, which fails on 2.0 since libssl
doesn't have the libcrypto dependency recorded; fix by disabling
the checkLibrary() call when QC_WITH_OPENSSL_LIB is supplied.

PR: 28576
2004-12-19 09:29:16 +00:00
grant
830d7cd76e ick: openssl builds PIC static libraries and then later uses them to
build shared libraries. on Darwin with xlc, this fails because of the
way xlc invokes Darwin's in-base libtool to create shared libraries,
meaning that the -all_load argument cannot be used to import all
symbols.

work around this the same way as UnixWare does it, by listing the
archive library contents and linking the object files into the shared
library individually. also remove some other assumed gcc'isms to make
this build on Darwin with xlc.

XXX maybe this pkg should be libtool'ized?
2004-12-19 02:48:32 +00:00
grant
fc9c762fd7 this won't build with xlc without some work, mark it as such. 2004-12-19 00:19:18 +00:00
grant
fa6a9ffd92 add hack for missing socklen_t typedef handling. fixes build on
Darwin.
2004-12-18 23:54:58 +00:00
jlam
4df5c48cc4 minor whitespace nit. 2004-12-18 21:32:51 +00:00
jlam
8b2040b409 Always create a ${TOOLS_DIR}/bin/rpcgen to wrap the real rpcgen.
The wrapper will correctly set the CPP environment variable to a
stat(2)able path to a C preprocessor, then rely on the PATH to
find and invoke the real rpcgen.

Remove NO_EXPORT_CPP in package Makefiles where it was used just to
avoid problems with rpcgen.  The build system now just does the right
thing automatically without needing package-specific knowledge.

This fixes PR pkg/27272.
2004-12-18 19:24:26 +00:00
grant
7d3b1a90b3 ignore getopt_long() on Darwin because there is no prototype for it,
nor declaration for "struct option".

fixes build on Darwin.
2004-12-18 18:51:39 +00:00
jlam
f9127ef977 Fix a typo that caused us not to check the correct header for the presence
of "des_cblock".  This fixes PR pkg/28703.
2004-12-18 17:14:22 +00:00
jdolecek
a53d86c3ca add a comment regarding the -rpath filter 2004-12-18 15:03:30 +00:00
wiz
51aa86a453 Update to 0.9.6mnb2: Don't install (deprecated) der_chop example
script, since it has insecure temp file handling.
2004-12-17 23:08:36 +00:00
taca
966816dc7f Add work around to fix bulk build problem on Solaris;
one Makefile.in lacks newline in the last line.
2004-12-17 15:37:01 +00:00
jlam
e027b8d70c Convert to set USE_OLD_DES_API=yes, and remove unnecessary patches to
teach fressh how to use either DES API.  Bump PKGREVISION since on
NetBSD>=2.0, fressh gains a library dependency on -ldes.
2004-12-15 19:34:40 +00:00
minskim
454cd9af8b Add build dependency on pkgconfig. 2004-12-14 20:34:42 +00:00