Keyword substitution: kv
Default branch: MAIN
openssl: Fix build by defining USE_TIMEGM on old Darwin versions
openssl: updated to 3.3.2 OpenSSL 3.3.2 is now available, including bug and security fixes: please download and upgrade!
openssl: updated to 3.3.1

Changes between 3.3.0 and 3.3.1 [4 Jun 2024]

 * Fixed potential use after free after SSL_free_buffers() is called.

   The SSL_free_buffers function is used to free the internal OpenSSL buffer used when processing an incoming record from the network. The call is only expected to succeed if the buffer is not currently in use. However, two scenarios have been identified where the buffer is freed even when still in use.

   The first scenario occurs where a record header has been received from the network and processed by OpenSSL, but the full record body has not yet arrived. In this case calling SSL_free_buffers will succeed even though a record has only been partially processed and the buffer is still in use.

   The second scenario occurs where a full record containing application data has been received and processed by OpenSSL but the application has only read part of this data. Again a call to SSL_free_buffers will succeed even though the buffer is still in use.

   ([CVE-2024-4741])

 * Fixed an issue where checking excessively long DSA keys or parameters may be very slow.

   Applications that use the functions EVP_PKEY_param_check() or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.

   To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error reason.

   ([CVE-2024-4603])
openssl: Use consistent socket interfaces on SunOS. The OpenSSL codebase is a forest of preprocessor usage so it's hard to say exactly what's going wrong, but there's definitely inconsistent use across the codebase, resulting in socket failures when trying to use QUIC. Ensure recvmsg/CMSG_* interfaces are available, fixing test suite as well as some real world regressions (e.g. devel/py-poetry) noticed by users.
openssl: use --libdir as openssl wants it Fixes pkg-config files. Closes PR 58157 by Colin Simmonds. Bump PKGREVISION.
openssl: sh3 is not a valid MACHINE_ARCH, split into sh3eb/sh3el
openssl: update to 3.3.0.

OpenSSL 3.3
-----------

### Major changes between OpenSSL 3.2 and OpenSSL 3.3.0 [9 Apr 2024]

OpenSSL 3.3.0 is a feature release adding significant new functionality to OpenSSL.

This release adds the following new features:

  * Support for qlog for tracing QUIC connections has been added
  * Added APIs to allow configuring the negotiated idle timeout for QUIC connections, and to allow determining the number of additional streams that can currently be created for a QUIC connection.
  * Added APIs to allow disabling implicit QUIC event processing for QUIC SSL objects
  * Added APIs to allow querying the size and utilisation of a QUIC stream's write buffer
  * New API `SSL_write_ex2`, which can be used to send an end-of-stream (FIN) condition in an optimised way when using QUIC.
  * Limited support for polling of QUIC connection and stream objects in a non-blocking manner.
  * Added a new EVP_DigestSqueeze() API. This allows SHAKE to squeeze multiple times with different output sizes.
  * Added exporter for CMake on Unix and Windows, alongside the pkg-config exporter.
  * The BLAKE2s hash algorithm matches BLAKE2b's support for configurable output length.
  * The EVP_PKEY_fromdata function has been augmented to allow for the derivation of CRT (Chinese Remainder Theorem) parameters when requested
  * Added API functions SSL_SESSION_get_time_ex(), SSL_SESSION_set_time_ex() using time_t which is Y2038 safe on 32 bit systems when 64 bit time is enabled
  * Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms config options and the respective calls to SSL[_CTX]_set1_sigalgs() and SSL[_CTX]_set1_client_sigalgs() that start with `?` character are ignored and the configuration will still be used.
  * Added `-set_issuer` and `-set_subject` options to `openssl x509` to override the Issuer and Subject when creating a certificate. The `-subj` option now is an alias for `-set_subject`.
  * Added several new features of CMPv3 defined in RFC 9480 and RFC 9483
  * New option `SSL_OP_PREFER_NO_DHE_KEX`, which allows configuring a TLS1.3 server to prefer session resumption using PSK-only key exchange over PSK with DHE, if both are available.
  * New atexit configuration switch, which controls whether the OPENSSL_cleanup is registered when libcrypto is unloaded.
  * Added X509_STORE_get1_objects to avoid issues with the existing X509_STORE_get0_objects API in multi-threaded applications.

This release incorporates the following potentially significant or incompatible changes:

  * Applied AES-GCM unroll8 optimisation to Microsoft Azure Cobalt 100
  * Optimized AES-CTR for ARM Neoverse V1 and V2
  * Enable AES and SHA3 optimisations on Apple Silicon M3-based MacOS systems similar to M1/M2.
  * Various optimizations for cryptographic routines using RISC-V vector crypto extensions
  * Added assembly implementation for md5 on loongarch64
  * Accept longer context for TLS 1.2 exporters
  * The activate and soft_load configuration settings for providers in openssl.cnf have been updated to require a value of [1|yes|true|on] (in lower or UPPER case) to enable the setting. Conversely a value of [0|no|false|off] will disable the setting.
  * In `openssl speed`, changed the default hash function used with `hmac` from `md5` to `sha256`.
  * The `-verify` option to the `openssl crl` and `openssl req` will make the program exit with 1 on failure.
  * The d2i_ASN1_GENERALIZEDTIME(), d2i_ASN1_UTCTIME(), ASN1_TIME_check(), and related functions have been augmented to check for a minimum length of the input string, in accordance with ITU-T X.690 section 11.7 and 11.8.
  * OPENSSL_sk_push() and sk_<TYPE>_push() functions now return 0 instead of -1 if called with a NULL stack argument.
  * New limit on HTTP response headers is introduced to HTTP client. The default limit is set to 256 header lines.

This release incorporates the following bug fixes and mitigations:

  * The BIO_get_new_index() function can only be called 127 times before it reaches its upper bound of BIO_TYPE_MASK and will now return -1 once it's exhausted.

A more detailed list of changes in this release can be found in the [CHANGES.md] file.

Users interested in using the new QUIC functionality are encouraged to read the [README file for QUIC][README-QUIC.md], which provides links to relevant documentation and example code.

As always, bug reports and issues relating to OpenSSL can be [filed on our issue tracker][issue tracker].

OpenSSL 3.2
-----------

### Major changes between OpenSSL 3.2.1 and OpenSSL 3.2.2 [under development]

OpenSSL 3.2.2 is a security patch release. The most severe CVE fixed in this release is Low.

This release incorporates the following bug fixes and mitigations:

  * Fixed unbounded memory growth with session handling in TLSv1.3 ([CVE-2024-2511])

### Major changes between OpenSSL 3.2.0 and OpenSSL 3.2.1 [30 Jan 2024]

OpenSSL 3.2.1 is a security patch release. The most severe CVE fixed in this release is Low.

This release incorporates the following bug fixes and mitigations:

  * Fixed PKCS12 Decoding crashes ([CVE-2024-0727])
  * Fixed excessive time spent checking invalid RSA public keys ([CVE-2023-6237])
  * Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC CPUs which support PowerISA 2.07 ([CVE-2023-6129])

### Major changes between OpenSSL 3.1 and OpenSSL 3.2.0 [23 Nov 2023]

OpenSSL 3.2.0 is a feature release adding significant new functionality to OpenSSL.

This release incorporates the following potentially significant or incompatible changes:

  * The default SSL/TLS security level has been changed from 1 to 2.
  * The `x509`, `ca`, and `req` apps now always produce X.509v3 certificates.
  * Subject or issuer names in X.509 objects are now displayed as UTF-8 strings by default. Also spaces surrounding `=` in DN output are removed.

This release adds the following new features:

  * Support for client side QUIC, including support for multiple streams (RFC 9000)
  * Support for Ed25519ctx, Ed25519ph and Ed448ph in addition to existing support for Ed25519 and Ed448 (RFC 8032)
  * Support for deterministic ECDSA signatures (RFC 6979)
  * Support for AES-GCM-SIV, a nonce-misuse-resistant AEAD (RFC 8452)
  * Support for the Argon2 KDF, along with supporting thread pool functionality (RFC 9106)
  * Support for Hybrid Public Key Encryption (HPKE) (RFC 9180)
  * Support for SM4-XTS
  * Support for Brainpool curves in TLS 1.3
  * Support for TLS Raw Public Keys (RFC 7250)
  * Support for TCP Fast Open on Linux, macOS and FreeBSD, where enabled and supported (RFC 7413)
  * Support for TLS certificate compression, including library support for zlib, Brotli and zstd (RFC 8879)
  * Support for provider-based pluggable signature algorithms in TLS 1.3 with supporting CMS and X.509 functionality. With a suitable provider this enables the use of post-quantum/quantum-safe cryptography.
  * Support for using the Windows system certificate store as a source of trusted root certificates. This is not yet enabled by default and must be activated using an environment variable. This is likely to become enabled by default in a future feature release.
  * Support for using the IANA standard names in TLS ciphersuite configuration
  * Multiple new features and improvements to CMP protocol support

The following known issues are present in this release and will be rectified in a future release:

  * Provider-based signature algorithms cannot be configured using the SignatureAlgorithms configuration file parameter (#22761)

This release incorporates the following documentation enhancements:

  * Added multiple tutorials on the OpenSSL library and in particular on writing various clients (using TLS and QUIC protocols) with libssl. See [OpenSSL Guide].

This release incorporates the following bug fixes and mitigations:

  * Fixed excessive time spent in DH check / generation with large Q parameter value ([CVE-2023-5678])

A more detailed list of changes in this release can be found in the [CHANGES.md] file.

Users interested in using the new QUIC functionality are encouraged to read the [README file for QUIC][README-QUIC.md], which provides links to relevant documentation and example code.
openssl: updated to 3.1.5

Changes between 3.1.4 and 3.1.5 [30 Jan 2024]

 * A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL did not correctly check for this case. A fix has been applied to prevent a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue prior to this fix.

   OpenSSL APIs that were vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass().

   We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant.

   ([CVE-2024-0727])
openssl: on NetBSD arches without atomic 64-bit ops, use builtin fallbacks.

Fixes these errors on NetBSD/macppc (and presumably the other listed platforms):

ld: ./libcrypto.so: undefined reference to `__atomic_load_8'
ld: ./libcrypto.so: undefined reference to `__atomic_fetch_or_8'
ld: ./libcrypto.so: undefined reference to `__atomic_is_lock_free'

(suggested by riastradh@)
openssl: Fix building on Mac OS X Tiger.
openssl: Various install fixes and improvements.
openssl: update to 3.1.4 This is the latest version of the currently newest supported branch. The 1.1.x branch was de-supported in September. Based on wip/openssl3 by gdt, tnn, and myself.
openssl: updated to 1.1.1w

Changes between 1.1.1v and 1.1.1w [11 Sep 2023]

 *) Fix POLY1305 MAC implementation corrupting XMM registers on Windows.

    The POLY1305 MAC (message authentication code) implementation in OpenSSL does not save the contents of non-volatile XMM registers on Windows 64 platform when calculating the MAC of data larger than 64 bytes. Before returning to the caller all the XMM registers are set to zero rather than restoring their previous content. The vulnerable code is used only on newer x86_64 processors supporting the AVX512-IFMA instructions.

    The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However given the contents of the registers are just zeroized so the attacker cannot put arbitrary values inside, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service.
    (CVE-2023-4807)
    [Bernd Edlinger]

Changes between 1.1.1u and 1.1.1v [1 Aug 2023]

 *) Fix excessive time spent checking DH q parameter value.

    The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p.

    If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped.
    (CVE-2023-3817)
    [Tomáš Mráz]
security/openssl: Make this cross-compile.
openssl: update to 1.1.1u. Fixes a new CVE.
openssl: update to 1.1.1tnb1. Add upstream patches fixing CVE-2023-0464
Pullup ticket #6740 - requested by he
security/openssl: security fix

Revisions pulled up:
- security/openssl/Makefile 1.287
- security/openssl/builtin.mk 1.51
- security/openssl/distinfo 1.165

---
Module Name: pkgsrc
Committed By: jperkin
Date: Tue Feb 7 16:34:42 UTC 2023

Modified Files:
  pkgsrc/security/openssl: Makefile builtin.mk distinfo

Log Message:
openssl: Update to 1.1.1t.

Changes between 1.1.1s and 1.1.1t [7 Feb 2023]

 *) Fixed X.400 address type confusion in X.509 GeneralName.

    There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This vulnerability may allow an attacker who can provide a certificate chain and CRL (neither of which need have a valid signature) to pass arbitrary pointers to a memcmp call, creating a possible read primitive, subject to some constraints. Refer to the advisory for more information. Thanks to David Benjamin for discovering this issue.
    (CVE-2023-0286)

    This issue has been fixed by changing the public header file definition of GENERAL_NAME so that x400Address reflects the implementation. It was not possible for any existing application to successfully use the existing definition; however, if any application references the x400Address field (e.g. in dead code), note that the type of this field has changed. There is no ABI change.
    [Hugo Landau]

 *) Fixed Use-after-free following BIO_new_NDEF.

    The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications.

    The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO.

    If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash.
    (CVE-2023-0215)
    [Viktor Dukhovni, Matt Caswell]

 *) Fixed Double free after calling PEM_read_bio_ex.

    The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash.

    The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected.

    These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code.
    (CVE-2022-4450)
    [Kurt Roeckx, Matt Caswell]

 *) Fixed Timing Oracle in RSA Decryption.

    A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OAEP and RSASVE.
    (CVE-2022-4304)
    [Dmitry Belyavsky, Hubert Kario]
openssl: Update to 1.1.1t.

Changes between 1.1.1s and 1.1.1t [7 Feb 2023]

 *) Fixed X.400 address type confusion in X.509 GeneralName.

    There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This vulnerability may allow an attacker who can provide a certificate chain and CRL (neither of which need have a valid signature) to pass arbitrary pointers to a memcmp call, creating a possible read primitive, subject to some constraints. Refer to the advisory for more information. Thanks to David Benjamin for discovering this issue.
    (CVE-2023-0286)

    This issue has been fixed by changing the public header file definition of GENERAL_NAME so that x400Address reflects the implementation. It was not possible for any existing application to successfully use the existing definition; however, if any application references the x400Address field (e.g. in dead code), note that the type of this field has changed. There is no ABI change.
    [Hugo Landau]

 *) Fixed Use-after-free following BIO_new_NDEF.

    The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications.

    The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO.

    If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash.
    (CVE-2023-0215)
    [Viktor Dukhovni, Matt Caswell]

 *) Fixed Double free after calling PEM_read_bio_ex.

    The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash.

    The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected.

    These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code.
    (CVE-2022-4450)
    [Kurt Roeckx, Matt Caswell]

 *) Fixed Timing Oracle in RSA Decryption.

    A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OAEP and RSASVE.
    (CVE-2022-4304)
    [Dmitry Belyavsky, Hubert Kario]
openssl: update to 1.1.1s.

Major changes between OpenSSL 1.1.1r and OpenSSL 1.1.1s [1 Nov 2022]

  o Fixed a regression introduced in OpenSSL 1.1.1r not refreshing the certificate data to be signed before signing the certificate.

Major changes between OpenSSL 1.1.1q and OpenSSL 1.1.1r [11 Oct 2022]

  o Added a missing header for memcmp that caused compilation failure on some platforms
openssl: downgrade to 1.1.1q

The tarball was retracted due to a regression, to quote:

  We have received a report of a significant regression in the latest 3.0.6 and 1.1.1r versions. The regression is not thought to have security consequences. While the regression is further investigated we have taken the decision to withdraw the 3.0.6 and 1.1.1r versions and instead recommend that users remain on the previous 3.0.5 and 1.1.1q versions for now. We will issue a new plan for the release of 3.0.7 and 1.1.1s soon.

From https://mta.openssl.org/pipermail/openssl-announce/2022-October/000237.html
openssl: update to 1.1.1r.

Major changes between OpenSSL 1.1.1q and OpenSSL 1.1.1r [11 Oct 2022]

  o Added a missing header for memcmp that caused compilation failure on some platforms
Pullup ticket #6667 - requested by khorben
security/openssl: security update

Revisions pulled up:
- security/openssl/Makefile 1.283
- security/openssl/distinfo 1.161

-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: wiz
Date: Mon Jul 11 23:03:51 UTC 2022

Modified Files:
  pkgsrc/security/openssl: Makefile distinfo

Log Message:
openssl: update to 1.1.1q.

Major changes between OpenSSL 1.1.1p and OpenSSL 1.1.1q [5 Jul 2022]

  o Fixed AES OCB failure to encrypt some bytes on 32-bit x86 platforms (CVE-2022-2097)

To generate a diff of this commit:
cvs rdiff -u -r1.282 -r1.283 pkgsrc/security/openssl/Makefile
cvs rdiff -u -r1.160 -r1.161 pkgsrc/security/openssl/distinfo
openssl: update to 1.1.1q.

Major changes between OpenSSL 1.1.1p and OpenSSL 1.1.1q [5 Jul 2022]

  o Fixed AES OCB failure to encrypt some bytes on 32-bit x86 platforms (CVE-2022-2097)
*: recursive bump for perl 5.36
openssl: Update to 1.1.1p.

Approved during freeze by gdt@, tested on SmartOS and macOS.

Major changes between OpenSSL 1.1.1o and OpenSSL 1.1.1p [21 Jun 2022]

  o Fixed additional bugs in the c_rehash script which was not properly sanitising shell metacharacters to prevent command injection (CVE-2022-2068)
openssl: update to 1.1.1o.

Major changes between OpenSSL 1.1.1n and OpenSSL 1.1.1o [3 May 2022]

  o Fixed a bug in the c_rehash script which was not properly sanitising shell metacharacters to prevent command injection (CVE-2022-1292)
openssl: update to 1.1.1n.

Major changes between OpenSSL 1.1.1m and OpenSSL 1.1.1n [15 Mar 2022]

  o Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever for non-prime moduli ([CVE-2022-0778])
openssl: update to 1.1.1m.

Changes between 1.1.1l and 1.1.1m [14 Dec 2021]

 *) Avoid loading of a dynamic engine twice.
 *) Fixed building on Debian with kfreebsd kernels
 *) Prioritise DANE TLSA issuer certs over peer certs
 *) Fixed random API for MacOS prior to 10.12
Omit "-MT $@" from generated make rules, as it breaks SunPro builds and "-o $@" is already sufficient.

Also for SunPro, set OPENSSL_HOST.SunOS-x86_64=solaris64-x86_64-cc (that's cc, not gcc) to avoid this error linking libcrypto.so:

cc: Warning: Option --libgcc passed to ld, if ld is invoked, ignored otherwise
cc: No valid input files specified, no output generated

"make package" succeeds on:
- Solaris 11 with "Studio 12.6 Sun C 5.15"
- Tribblix m25.1 with pkgsrc gcc7
- CentOS 7 with pkgsrc gcc7
- FreeBSD 13 with system clang
- OpenBSD 7.0 with system clang
- NetBSD 9.2 and -current with system gcc
- CentOS 8 with system gcc
- Debian 11, 10, 9 with system gcc
- Devuan 4 with system gcc
- Ubuntu 21, 18, 16, 14 with system gcc
- Void with system gcc
- Gentoo with system gcc
openssl: fix building on Darwin
openssl: Update to 1.1.1l.

Changes between 1.1.1k and 1.1.1l [24 Aug 2021]

 *) Fixed an SM2 Decryption Buffer Overflow.

    In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter.

    A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small.

    A malicious attacker who is able to present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated.
    (CVE-2021-3711)
    [Matt Caswell]

 *) Fixed various read buffer overruns processing ASN.1 strings

    ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are represented as a buffer for the string data which is terminated with a NUL (0) byte.

    Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure.

    However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function.

    Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur.

    The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions.

    If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext).
    (CVE-2021-3712)
    [Matt Caswell]
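The CVE-2021-3712 entry above describes a bug class rather than a single bug: a length-delimited buffer (ASN1_STRING's "data" plus "length") handed to code that assumes C-string NUL termination. The following is an added illustration, not OpenSSL code and not from the pkgsrc commit; it uses a constructed `len_string` struct as a stand-in for ASN1_STRING, with `set_copy()` and `set0_adopt()` as hypothetical analogues of the ASN1_STRING_set() and ASN1_STRING_set0() behaviours the entry describes. The sample bytes are constructed so that the over-read stays inside one array and is observable without undefined behaviour.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed analogue of OpenSSL's ASN1_STRING: `length` is authoritative and
 * `data` is NOT guaranteed to carry a trailing NUL. */
typedef struct {
    int length;
    unsigned char *data;
} len_string;

/* Hypothetical analogue of ASN1_STRING_set(): copy the bytes and append a NUL
 * that is not counted in `length`. Readers that use strlen() get lucky here. */
len_string set_copy(const unsigned char *src, int len) {
    len_string s;
    s.data = malloc((size_t)len + 1);
    memcpy(s.data, src, (size_t)len);
    s.data[len] = '\0';
    s.length = len;
    return s;
}

/* Hypothetical analogue of ASN1_STRING_set0(): adopt the caller's buffer as is.
 * No NUL is appended, so only `length` bounds the valid bytes. */
len_string set0_adopt(unsigned char *buf, int len) {
    len_string s = { len, buf };
    return s;
}

/* The defective pattern from the advisory: treating `data` as a C string.
 * Correct only when the producer happened to NUL terminate. */
size_t visible_len_by_strlen(const len_string *s) {
    return strlen((const char *)s->data);
}

/* The safe pattern: every read bounded by `length`. Renders printable bytes as
 * is and everything else as \xNN into `out`. Returns the number of characters
 * written (excluding the terminating NUL), or -1 if `out` is too small. */
int render_bounded(const len_string *s, char *out, size_t outsz) {
    size_t w = 0;
    for (int i = 0; i < s->length; i++) {
        unsigned char c = s->data[i];
        if (isprint(c)) {
            if (w + 1 >= outsz) return -1;      /* keep room for the NUL */
            out[w++] = (char)c;
        } else {
            if (w + 4 >= outsz) return -1;      /* 4 chars of escape + NUL */
            snprintf(out + w, outsz - w, "\\x%02x", c);
            w += 4;
        }
    }
    if (w >= outsz) return -1;
    out[w] = '\0';
    return (int)w;
}

/* Constructed layout: 8 bytes of string data immediately followed by unrelated
 * bytes in the same allocation, standing in for whatever sits after a
 * non-terminated ASN1_STRING on the heap. */
static unsigned char backing[] = "CN=alice" "ADJACENT-SECRET";

/* How many bytes beyond `length` the strlen-based reader consumed. */
size_t overread_bytes(void) {
    len_string raw = set0_adopt(backing, 8);
    return visible_len_by_strlen(&raw) - (size_t)raw.length;
}

int main(void) {
    char out[64];
    len_string raw = set0_adopt(backing, 8);
    len_string safe = set_copy(backing, 8);

    printf("strlen on set0 buffer : %zu bytes (over-read %zu)\n",
           visible_len_by_strlen(&raw), overread_bytes());
    printf("strlen on set() copy  : %zu bytes\n", visible_len_by_strlen(&safe));
    render_bounded(&raw, out, sizeof out);
    printf("bounded rendering     : \"%s\"\n", out);

    free(safe.data);
    return 0;
}
```

The point for reviewers of code that handles ASN1_STRING (or any length-plus-pointer buffer) is the one the advisory makes: the producer's NUL termination is a courtesy, not a contract, so consumers must be written like `render_bounded()` and never like `visible_len_by_strlen()`. Running the block shows the strlen reader counting 15 bytes of the neighbouring data while the bounded renderer stops at 8.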
PR 55733 Joern Clausen: use GNU m4 with security/openssl on Solaris. Seems that Solaris's m4 overflows internal limits.
openssl: Stop passing CFLAGS/LDFLAGS to configure.

If this ever worked it only did by accident. Specifying, for example, "-arch arm64" as used on macOS is enough to break its custom configure script that assumes all arguments start with "-". The flags seem to propagate through the environment normally.
On Mac OS X Snow Leopard with ABI=64, configure was selecting a 32-bit build (and then failing in the assembler). Override its choice on Darwin/x86_64 by specifying KERNEL_BITS=${ABI} in CONFIGURE_ENV.
*: recursive bump for perl 5.34
openssl: add note on updating
openssl: Update to 1.1.1k.

Approved by @wiz during freeze.

Changes between 1.1.1j and 1.1.1k [25 Mar 2021]

 *) Fixed a problem with verifying a certificate chain when using the X509_V_FLAG_X509_STRICT flag. This flag enables additional security checks of the certificates present in a certificate chain. It is not set by default.

    Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check.

    An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates.

    If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application.

    In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose.
    (CVE-2021-3450)
    [Tomáš Mráz]

 *) Fixed an issue where an OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack.

    A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue.
    (CVE-2021-3449)
    [Peter Kästle and Samuel Sapalski]
openssl: update to 1.1.1j. Major changes between OpenSSL 1.1.1i and OpenSSL 1.1.1j [16 Feb 2021] o Fixed a NULL pointer deref in the X509_issuer_and_serial_hash() function (CVE-2021-23841) o Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING padding mode to correctly check for rollback attacks o Fixed an overflow in the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions (CVE-2021-23840) o Fixed SRP_Calc_client_key so that it runs in constant time
Fix build on OpenBSD by defining __STDC_NO_ATOMICS__.
Pullup ticket #6384 - requested by wiz security/openssl: security fix Revisions pulled up: - security/openssl/Makefile 1.264-1.266 - security/openssl/PLIST 1.7 - security/openssl/distinfo 1.146-1.147 - security/openssl/patches/patch-Configurations_10-main.conf deleted - security/openssl/patches/patch-crypto_rand_rand__unix.c deleted --- Module Name: pkgsrc Committed By: wiz Date: Wed Sep 30 09:25:31 UTC 2020 Modified Files: pkgsrc/security/openssl: Makefile PLIST distinfo Removed Files: pkgsrc/security/openssl/patches: patch-crypto_rand_rand__unix.c Log Message: openssl: update to 1.1.1h. Major changes between OpenSSL 1.1.1g and OpenSSL 1.1.1h [22 Sep 2020] o Disallow explicit curve parameters in verification chains when X509_V_FLAG_X509_STRICT is used o Enable 'MinProtocol' and 'MaxProtocol' to configure both TLS and DTLS contexts o Oracle Developer Studio will start reporting deprecation warnings --- Module Name: pkgsrc Committed By: maya Date: Tue Oct 13 07:37:29 UTC 2020 Modified Files: pkgsrc/security/openssl: Makefile Log Message: openssl: add -lrt for the benefit of Solaris 10. PR pkg/55688 PR pkg/54958 --- Module Name: pkgsrc Committed By: wiz Date: Tue Dec 8 18:54:17 UTC 2020 Modified Files: pkgsrc/security/openssl: Makefile distinfo Removed Files: pkgsrc/security/openssl/patches: patch-Configurations_10-main.conf Log Message: openssl: update to 1.1.1i. Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [8 Dec 2020] o Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971)
openssl: update to 1.1.1i. Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [8 Dec 2020] o Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971)
openssl: add -lrt for the benefit of Solaris 10. PR pkg/55688 PR pkg/54958
openssl: update to 1.1.1h. Major changes between OpenSSL 1.1.1g and OpenSSL 1.1.1h [22 Sep 2020] o Disallow explicit curve parameters in verification chains when X509_V_FLAG_X509_STRICT is used o Enable 'MinProtocol' and 'MaxProtocol' to configure both TLS and DTLS contexts o Oracle Developer Studio will start reporting deprecation warnings
*: bump PKGREVISION for perl-5.32.
security/openssl: Make compatible with Apple Silicon
openssl: Fix c_rehash manual page entry. Previously after the openssl-* renames it ended up as a dangling symlink, causing "pkg_admin check" failures. Bump PKGREVISION.
Unbreak security/openssl build on pre-v9 Darwin. (1) There is no {get,make,set}context support before Darwin 9 (2) Instead of failing the build on makedepend(8) malfunction, have make(1) ignore its return value - which used to be the default for previous OpenSSL versions.
openssl: Pass explicit libdir Some linuxes have /lib64. pkgsrc should never use /lib64. Pointed out by sobukus on freenode
openssl: Fix KERN_ARND usage on NetBSD. XXX upstream
Update to OpenSSL 1.1.1g Major changes between OpenSSL 1.1.1f and OpenSSL 1.1.1g [21 Apr 2020] Fixed segmentation fault in SSL_check_chain() (CVE-2020-1967)
Update to openssl 1.1.1f Changes between 1.1.1e and 1.1.1f * Revert the unexpected EOF reporting via SSL_ERROR_SSL
openssl: update to 1.1.1e. Major changes between OpenSSL 1.1.1d and OpenSSL 1.1.1e [17 Mar 2020] o Fixed an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (CVE-2019-1551)
openssl: Spell x86_64 correctly.
security/openssl: fix the recent fix for building on Solaris and HP-UX
security/openssl: fix build on Solaris This fixes PR pkg/54894.
openssl: Handle i386 SunOS. The OpenSSL config script isn't clever enough to detect multiarch platforms so we need to manually specify the host OS.
*: Recursive revision bump for openssl 1.1.1.
openssl: rc5 patents expired some years ago Remove its LICENSE line and enable rc5 option by default. Bump PKGREVISION.
openssl: Update to 1.1.1d. This is a major upgrade to the current LTS release. 1.0.2 and 1.1.0 are now out of support and should not be used. pkgsrc changes include a large cleanup of patches and targets, many of which were clearly bogus, for example a CONFLICTS entry against a package that has never existed, and one that was removed in 1999. Tested on SmartOS, macOS, and NetBSD. Used for the SmartOS pkgsrc-2019Q4 LTS release. There are far too many individual changes to list, so the following text is instead taken from the 1.1.1 blog announcement: -------------------------------------------------------------------------- After two years of work we are excited to be releasing our latest version today - OpenSSL 1.1.1. This is also our new Long Term Support (LTS) version and so we are committing to support it for at least five years. OpenSSL 1.1.1 has been a huge team effort with nearly 5000 commits having been made from over 200 individual contributors since the release of OpenSSL 1.1.0. These statistics just illustrate the amazing vitality and diversity of the OpenSSL community. The contributions didn't just come in the form of commits though. There has been a great deal of interest in this new version so thanks needs to be extended to the large number of users who have downloaded the beta releases to test them out and report bugs. The headline new feature is TLSv1.3. This new version of the Transport Layer Security (formerly known as SSL) protocol was published by the IETF just one month ago as RFC8446. This is a major rewrite of the standard and introduces significant changes, features and improvements which have been reflected in the new OpenSSL version. What's more is that OpenSSL 1.1.1 is API and ABI compliant with OpenSSL 1.1.0 so most applications that work with 1.1.0 can gain many of the benefits of TLSv1.3 simply by dropping in the new OpenSSL version. 
Since TLSv1.3 works very differently to TLSv1.2 though there are a few caveats that may impact a minority of applications. See the TLSv1.3 page on the OpenSSL wiki for more details. Some of the benefits of TLSv1.3 include: * Improved connection times due to a reduction in the number of round trips required between the client and server * The ability, in certain circumstances, for clients to start sending encrypted data to the server straight away without any round trips with the server required (a feature known as 0-RTT or “early data”). * Improved security due to the removal of various obsolete and insecure cryptographic algorithms and encryption of more of the connection handshake Other features in the 1.1.1 release include: * Complete rewrite of the OpenSSL random number generator to introduce the following capabilities: * The default RAND method now utilizes an AES-CTR DRBG according to NIST standard SP 800-90Ar1. * Support for multiple DRBG instances with seed chaining. * There is a public and private DRBG instance. * The DRBG instances are fork-safe. * Keep all global DRBG instances on the secure heap if it is enabled. * The public and private DRBG instance are per thread for lock free operation * Support for various new cryptographic algorithms including: * SHA3 * SHA512/224 and SHA512/256 * EdDSA (including Ed25519 and Ed448) * X448 (adding to the existing X25519 support in 1.1.0) * Multi-prime RSA * SM2 * SM3 * SM4 * SipHash * ARIA (including TLS support) * Significant Side-Channel attack security improvements * Maximum Fragment Length TLS extension support * A new STORE module, which implements a uniform and URI based reader of stores that can contain keys, certificates, CRLs and numerous other objects. Since 1.1.1 is our new LTS release we are strongly advising all users to upgrade as soon as possible. For most applications this should be straight forward if they are written to work with OpenSSL 1.1.0. 
Since OpenSSL 1.1.0 is not an LTS release it will start receiving security fixes only with immediate effect as per our previous announcement and as published in our release strategy. It will cease receiving all support in one year's time. Our previous LTS release (OpenSSL 1.0.2) will continue to receive full support until the end of this year. After that it will receive security fixes only. It will stop receiving all support at the end of 2019. Users of that release are strongly advised to upgrade to OpenSSL 1.1.1.
Upgrade to OpenSSL 1.0.2u Major changes between OpenSSL 1.0.2t and OpenSSL 1.0.2u [20 Dec 2019] Fixed an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (CVE-2019-1551)
Update to v1.0.2t Changes between 1.0.2s and 1.0.2t [10 Sep 2019] *) For built-in EC curves, ensure an EC_GROUP built from the curve name is used even when parsing explicit parameters, when loading a serialized key or calling `EC_GROUP_new_from_ecpkparameters()`/ `EC_GROUP_new_from_ecparameters()`. This prevents bypass of security hardening and performance gains, especially for curves with specialized EC_METHODs. By default, if a key encoded with explicit parameters is loaded and later serialized, the output is still encoded with explicit parameters, even if internally a "named" EC_GROUP is used for computation. [Nicola Tuveri] *) Compute ECC cofactors if not provided during EC_GROUP construction. Before this change, EC_GROUP_set_generator would accept order and/or cofactor as NULL. After this change, only the cofactor parameter can be NULL. It also does some minimal sanity checks on the passed order. (CVE-2019-1547) [Billy Bob Brumley] *) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey. An attack is simple, if the first CMS_recipientInfo is valid but the second CMS_recipientInfo is chosen ciphertext. If the second recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct encryption key will be replaced by garbage, and the message cannot be decoded, but if the RSA decryption fails, the correct encryption key is used and the recipient will not notice the attack. As a workaround for this potential attack the length of the decrypted key must be equal to the cipher default key length, in case the certificate is not given and all recipientInfo are tried out. The old behaviour can be re-enabled in the CMS code by setting the CMS_DEBUG_DECRYPT flag. (CVE-2019-1563) [Bernd Edlinger] *) Document issue with installation paths in diverse Windows builds '/usr/local/ssl' is an unsafe prefix for location to install OpenSSL binaries and run-time config file. (CVE-2019-1552) [Richard Levitte]
security/openssl: Fix recent use of empty() Should resolve build on SmartOS. (Amazingly, the wrong expression worked fine on NetBSD with gcc when it was tested.)
security/openssl: Check for compiling with gcc and clang correctly
security: align variable assignments pkglint -Wall -F --only aligned --only indent -r No manual corrections.
Bump PKGREVISIONs for perl 5.30.0
Update to 1.0.2 Tested on OS X Tiger PowerPC and NetBSD-HEAD amd64 Changes between 1.0.2r and 1.0.2s [28 May 2019] *) Change the default RSA, DSA and DH size to 2048 bit instead of 1024. This changes the size when using the genpkey app when no size is given. It fixes an omission in earlier changes that changed all RSA, DSA and DH generation apps to use 2048 bits by default. [Kurt Roeckx] *) Add FIPS support for Android Arm 64-bit Support for Android Arm 64-bit was added to the OpenSSL FIPS Object Module in Version 2.0.10. For some reason, the corresponding target 'android64-aarch64' was missing OpenSSL 1.0.2, whence it could not be built with FIPS support on Android Arm 64-bit. This omission has been fixed. [Matthias St. Pierre] Changes between 1.0.2q and 1.0.2r [26 Feb 2019] *) 0-byte record padding oracle If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod Aviram, with additional investigation by Steven Collison and Andrew Hourselt. It was reported to OpenSSL on 10th December 2018. (CVE-2019-1559) [Matt Caswell] *) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0(). 
[Richard Levitte] Changes between 1.0.2p and 1.0.2q [20 Nov 2018] *) Microarchitecture timing vulnerability in ECC scalar multiplication OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been shown to be vulnerable to a microarchitecture timing side channel attack. An attacker with sufficient access to mount local timing attacks during ECDSA signature generation could recover the private key. This issue was reported to OpenSSL on 26th October 2018 by Alejandro Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and Nicola Tuveri. (CVE-2018-5407) [Billy Brumley] *) Timing vulnerability in DSA signature generation The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser. (CVE-2018-0734) [Paul Dale] *) Resolve a compatibility issue in EC_GROUP handling with the FIPS Object Module, accidentally introduced while backporting security fixes from the development branch and hindering the use of ECC in FIPS mode. [Nicola Tuveri]
security/openssl: Update to 1.0.2p. - Client DoS due to large DH parameter During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken (CVE-2018-0732) [Guido Vranken] - Cache timing vulnerability in RSA Key Generation The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia. (CVE-2018-0737) [Billy Brumley] - Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str parameter is no longer accepted, as it leads to a corrupt table. NULL pem_str is reserved for alias entries only. [Richard Levitte] - Revert blinding in ECDSA sign and instead make problematic addition length-invariant. Switch even to fixed-length Montgomery multiplication. [Andy Polyakov] - Change generating and checking of primes so that the error rate of not being prime depends on the intended use based on the size of the input. For larger primes this will result in more rounds of Miller-Rabin. The maximal error rate for primes with more than 1080 bits is lowered to 2^-128. [Kurt Roeckx, Annie Yousar] - Increase the number of Miller-Rabin rounds for DSA key generating to 64. [Kurt Roeckx] - Add blinding to ECDSA and DSA signatures to protect against side channel attacks discovered by Keegan Ryan (NCC Group). 
[Matt Caswell] - When unlocking a pass phrase protected PEM file or PKCS#8 container, we now allow empty (zero character) pass phrases. [Richard Levitte] - Certificate time validation (X509_cmp_time) enforces stricter compliance with RFC 5280. Fractional seconds and timezone offsets are no longer allowed. [Emilia Käsper]
Recursive bump for perl5-5.28.0
openssl: update to 1.0.2o. Changes between 1.0.2n and 1.0.2o [27 Mar 2018] *) Constructed ASN.1 types with a recursive definition could exceed the stack Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz project. (CVE-2018-0739) [Matt Caswell]
Remove traces of crypto restrictions from packages. ok for idea riastradh.
openssl: Fix packaging under macOS The last change for fixing packaging under macOS did not work when the object directory resides on a case insensitive file-system.
openssl: Avoid case-sensitive issue on Darwin. Bump PKGREVISION.
Update security/openssl to 1.0.2n. Read/write after SSL object in error state (CVE-2017-3737) ========================================================== Severity: Moderate OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738) ========================================================= Severity: Low There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. 
This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation).
Update openssl to 1.0.2m. This is a recommended security update. Changes between 1.0.2l and 1.0.2m [2 Nov 2017] *) bn_sqrx8x_internal carry bug on x86_64 There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen. This issue was reported to OpenSSL by the OSS-Fuzz project. (CVE-2017-3736) [Andy Polyakov] *) Malformed X.509 IPAddressFamily could cause OOB read If an X.509 certificate has a malformed IPAddressFamily extension, OpenSSL could do a one-byte buffer overread. The most likely result would be an erroneous display of the certificate in text format. This issue was reported to OpenSSL by the OSS-Fuzz project. (CVE-2017-3735) [Rich Salz] Changes between 1.0.2k and 1.0.2l [25 May 2017] *) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target platform rather than 'mingw'. [Richard Levitte]
openssl: fix for CVE-2017-3735
Overhaul the platform selector logic, so that the right value is selected for powerpc64 on Darwin. Fix for PR pkg/52114.
Update security/openssl to 1.0.2k. Changes between 1.0.2j and 1.0.2k [26 Jan 2017] *) Truncated packet could crash via OOB read If one side of an SSL/TLS path is running on a 32-bit host and a specific cipher is being used, then a truncated packet can cause that host to perform an out-of-bounds read, usually resulting in a crash. This issue was reported to OpenSSL by Robert Święcki of Google. (CVE-2017-3731) [Andy Polyakov] *) BN_mod_exp may produce incorrect results on x86_64 There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example this can occur by default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very similar to CVE-2015-3193 but must be treated as a separate problem. This issue was reported to OpenSSL by the OSS-Fuzz project. (CVE-2017-3732) [Andy Polyakov] *) Montgomery multiplication may produce incorrect results There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. 
Otherwise the bug can manifest itself as transient authentication and key negotiation failures or reproducible erroneous outcome of public-key operations with specially crafted input. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation. Impact was not analyzed in detail, because pre-requisites for attack are considered unlikely. Namely multiple clients have to choose the curve in question and the server has to share the private key among them, neither of which is default behaviour. Even then only clients that chose the curve will be affected. This issue was publicly reported as transient failures and was not initially recognized as a security issue. Thanks to Richard Morgan for providing reproducible case. (CVE-2016-7055) [Andy Polyakov] *) OpenSSL now fails if it receives an unrecognised record type in TLS1.0 or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to prevent issues where no progress is being made and the peer continually sends unrecognised record types, using up resources processing them. [Matt Caswell]
security/openssl: USE_TOOLS+= makedepend solves: => Bootstrap dependency digest>=20010302: found digest-20160304 ===> Building for openssl-1.0.2jnb1 making depend in crypto... gmake[1]: Entering directory '/construction/security/openssl/work/openssl-1.0.2j/crypto' ../util/domd: makedepend: not found
Remove incorrect comment and resulting weird license. idea and mdc2 patents expired, so enable them by default. rc5 looks like it might be expired as well, but I didn't find anything relevant on that topic, so I left it alone. Bump PKGREVISION.
Update security/openssl to 1.0.2j. Changes between 1.0.2i and 1.0.2j [26 Sep 2016] *) Missing CRL sanity check A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0 but was omitted from OpenSSL 1.0.2i. As a result any attempt to use CRLs in OpenSSL 1.0.2i will crash with a null pointer exception. This issue only affects the OpenSSL 1.0.2i (CVE-2016-7052) [Matt Caswell]
Update security/openssl to 1.0.2i. Changes between 1.0.2h and 1.0.2i [22 Sep 2016] *) OCSP Status Request extension unbounded memory growth A malicious client can send an excessively large OCSP Status Request extension. If that client continually requests renegotiation, sending a large OCSP Status Request extension each time, then there will be unbounded memory growth on the server. This will eventually lead to a Denial Of Service attack through memory exhaustion. Servers with a default configuration are vulnerable even if they do not support OCSP. Builds using the "no-ocsp" build time option are not affected. This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) (CVE-2016-6304) [Matt Caswell] *) In order to mitigate the SWEET32 attack, the DES ciphers were moved from HIGH to MEDIUM. This issue was reported to OpenSSL by Karthikeyan Bhargavan and Gaetan Leurent (INRIA) (CVE-2016-2183) [Rich Salz] *) OOB write in MDC2_Update() An overflow can occur in MDC2_Update() either if called directly or through the EVP_DigestUpdate() function using MDC2. If an attacker is able to supply very large amounts of input data after a previous call to EVP_EncryptUpdate() with a partial block then a length check can overflow resulting in a heap corruption. The amount of data needed is comparable to SIZE_MAX which is impractical on most platforms. This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) (CVE-2016-6303) [Stephen Henson] *) Malformed SHA512 ticket DoS If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a DoS attack where a malformed ticket will result in an OOB read which will ultimately crash. The use of SHA512 in TLS session tickets is comparatively rare as it requires a custom server callback and ticket lookup mechanism. This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) 
(CVE-2016-6302) [Stephen Henson] *) OOB write in BN_bn2dec() The function BN_bn2dec() does not check the return value of BN_div_word(). This can cause an OOB write if an application uses this function with an overly large BIGNUM. This could be a problem if an overly large certificate or CRL is printed out from an untrusted source. TLS is not affected because record limits will reject an oversized certificate before it is parsed. This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) (CVE-2016-2182) [Stephen Henson] *) OOB read in TS_OBJ_print_bio() The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is the total length the OID text representation would use and not the amount of data written. This will result in OOB reads when large OIDs are presented. This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) (CVE-2016-2180) [Stephen Henson] *) Pointer arithmetic undefined behaviour Avoid some undefined pointer arithmetic A common idiom in the codebase is to check limits in the following manner: "p + len > limit" Where "p" points to some malloc'd data of SIZE bytes and limit == p + SIZE "len" here could be from some externally supplied data (e.g. from a TLS message). The rules of C pointer arithmetic are such that "p + len" is only well defined where len <= SIZE. Therefore the above idiom is actually undefined behaviour. For example this could cause problems if some malloc implementation provides an address for "p" such that "p + len" actually overflows for values of len that are too big and therefore p + len < limit. This issue was reported to OpenSSL by Guido Vranken (CVE-2016-2177) [Matt Caswell] *) Constant time flag not preserved in DSA signing Operations in the DSA signing algorithm should run in constant time in order to avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that a non-constant time codepath is followed for certain operations. 
This has been demonstrated through a cache-timing attack to be sufficient for an attacker to recover the private DSA key. This issue was reported by César Pereida (Aalto University), Billy Brumley (Tampere University of Technology), and Yuval Yarom (The University of Adelaide and NICTA). (CVE-2016-2178) [César Pereida] *) DTLS buffered message DoS In a DTLS connection where handshake messages are delivered out-of-order those messages that OpenSSL is not yet ready to process will be buffered for later use. Under certain circumstances, a flaw in the logic means that those messages do not get removed from the buffer even though the handshake has been completed. An attacker could force up to approx. 15 messages to remain in the buffer when they are no longer required. These messages will be cleared when the DTLS connection is closed. The default maximum size for a message is 100k. Therefore the attacker could force an additional 1500k to be consumed per connection. By opening many simultaneous connections an attacker could cause a DoS attack through memory exhaustion. This issue was reported to OpenSSL by Quan Luo. (CVE-2016-2179) [Matt Caswell] *) DTLS replay protection DoS A flaw in the DTLS replay attack protection mechanism means that records that arrive for future epochs update the replay protection "window" before the MAC for the record has been validated. This could be exploited by an attacker by sending a record for the next epoch (which does not have to decrypt or have a valid MAC), with a very large sequence number. This means that all subsequent legitimate packets are dropped causing a denial of service for a specific DTLS connection. This issue was reported to OpenSSL by the OCAP audit team. (CVE-2016-2181) [Matt Caswell] *) Certificate message OOB reads In OpenSSL 1.0.2 and earlier some missing message length checks can result in OOB reads of up to 2 bytes beyond an allocated buffer. 
There is a theoretical DoS risk but this has not been observed in practice on common platforms. The messages affected are client certificate, client certificate request and server certificate. As a result the attack can only be performed against a client or a server which enables client authentication. This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) (CVE-2016-6306) [Stephen Henson]
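The pointer-arithmetic idiom described in the CVE-2016-2177 entry above ("p + len > limit"), as an added example that is not OpenSSL's code: a walker over length-prefixed records that checks remaining bytes by comparing lengths instead of forming `p + len`. The record layout and the inputs are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not OpenSSL code. Constructed layout: a message is a
 * sequence of records, each a 2-byte big-endian length followed by that
 * many payload bytes (the shape of a TLS vector). `p` walks a buffer of
 * SIZE bytes, `limit == buf + SIZE`, and `len` comes from the untrusted
 * message. */

/* The idiom the changelog describes. `p + len` is only well defined while
 * len <= limit - p; for larger len the addition is undefined behaviour, so
 * the compiler may fold the comparison away or the address may wrap.
 * Kept for contrast only; callers must not pass an oversized len. */
int remaining_at_least_ub(const unsigned char *p,
                          const unsigned char *limit, size_t len)
{
    return p + len <= limit;
}

/* Hardened form: compare lengths, never form a pointer past the buffer. */
int remaining_at_least(const unsigned char *p,
                       const unsigned char *limit, size_t len)
{
    if (p > limit)                      /* cursor already past the end */
        return 0;
    return len <= (size_t)(limit - p);  /* well defined for any len */
}

/* Walks buf[0..size) and returns the number of records, or -1 if a length
 * prefix is truncated or a declared length runs past the end of buf. */
int count_records(const unsigned char *buf, size_t size)
{
    const unsigned char *p = buf;
    const unsigned char *limit = buf + size;
    int n = 0;

    while (p < limit) {
        if (!remaining_at_least(p, limit, 2))
            return -1;                  /* no room for the 2-byte prefix */
        size_t len = ((size_t)p[0] << 8) | p[1];
        p += 2;
        if (!remaining_at_least(p, limit, len))
            return -1;                  /* body would overrun the buffer */
        p += len;                       /* safe: len <= limit - p here */
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed inputs: three well-formed records, then a message whose
     * last declared length (0xFFFF) far exceeds the bytes that follow. */
    static const unsigned char good[] = { 0x00, 0x03, 'a', 'b', 'c',
                                          0x00, 0x00,
                                          0x00, 0x01, 'z' };
    static const unsigned char bad[]  = { 0x00, 0x01, 'a', 0xFF, 0xFF };

    printf("good: %d records\n", count_records(good, sizeof good));
    printf("bad:  %d\n", count_records(bad, sizeof bad));
    return 0;
}
```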
Bump PKGREVISION for perl-5.24.0 for everything mentioning perl.
Make perl a runtime dependency, it is used by c_rehash. Reported by Jorge Schrauwen in joyent/pkgsrc#354. Bump PKGREVISION.
Pullup ticket #5013 - requested by taca security/openssl: security fix Revisions pulled up: - security/openssl/Makefile 1.223 - security/openssl/PLIST.common 1.29 - security/openssl/distinfo 1.122 --- Module Name: pkgsrc Committed By: jperkin Date: Tue May 3 14:51:17 UTC 2016 Modified Files: pkgsrc/security/openssl: Makefile PLIST.common distinfo Log Message: Update security/openssl to version 1.0.2h. Changes between 1.0.2g and 1.0.2h [3 May 2016] *) Prevent padding oracle in AES-NI CBC MAC check A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI. This issue was introduced as part of the fix for Lucky 13 padding attack (CVE-2013-0169). The padding check was rewritten to be in constant time by making sure that always the same bytes are read and compared against either the MAC or padding bytes. But it no longer checked that there was enough data to have both the MAC and padding bytes. This issue was reported by Juraj Somorovsky using TLS-Attacker. (CVE-2016-2107) [Kurt Roeckx] *) Fix EVP_EncodeUpdate overflow An overflow can occur in the EVP_EncodeUpdate() function which is used for Base64 encoding of binary data. If an attacker is able to supply very large amounts of input data then a length check can overflow resulting in a heap corruption. Internally to OpenSSL the EVP_EncodeUpdate() function is primarily used by the PEM_write_bio* family of functions. These are mainly used within the OpenSSL command line applications, so any application which processes data from an untrusted source and outputs it as a PEM file should be considered vulnerable to this issue. User applications that call these APIs directly with large amounts of untrusted data may also be vulnerable. This issue was reported by Guido Vranken. (CVE-2016-2105) [Matt Caswell] *) Fix EVP_EncryptUpdate overflow An overflow can occur in the EVP_EncryptUpdate() function. 
If an attacker is able to supply very large amounts of input data after a previous call to EVP_EncryptUpdate() with a partial block then a length check can overflow resulting in a heap corruption. Following an analysis of all OpenSSL internal usage of the EVP_EncryptUpdate() function all usage is one of two forms. The first form is where the EVP_EncryptUpdate() call is known to be the first called function after an EVP_EncryptInit(), and therefore that specific call must be safe. The second form is where the length passed to EVP_EncryptUpdate() can be seen from the code to be some small value and therefore there is no possibility of an overflow. Since all instances are one of these two forms, it is believed that there can be no overflows in internal code due to this problem. It should be noted that EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths. Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances of these calls have also been analysed too and it is believed there are no instances in internal usage where an overflow could occur. This issue was reported by Guido Vranken. (CVE-2016-2106) [Matt Caswell] *) Prevent ASN.1 BIO excessive memory allocation When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio() a short invalid encoding can casuse allocation of large amounts of memory potentially consuming excessive resources or exhausting memory. Any application parsing untrusted data through d2i BIO functions is affected. The memory based functions such as d2i_X509() are *not* affected. Since the memory based functions are used by the TLS library, TLS applications are not affected. This issue was reported by Brian Carpenter. (CVE-2016-2109) [Stephen Henson] *) EBCDIC overread ASN1 Strings that are over 1024 bytes can cause an overread in applications using the X509_NAME_oneline() function on EBCDIC systems. This could result in arbitrary stack data being returned in the buffer. 
This issue was reported by Guido Vranken. (CVE-2016-2176) [Matt Caswell] *) Modify behavior of ALPN to invoke callback after SNI/servername callback, such that updates to the SSL_CTX affect ALPN. [Todd Short] *) Remove LOW from the DEFAULT cipher list. This removes singles DES from the default. [Kurt Roeckx] *) Only remove the SSLv2 methods with the no-ssl2-method option. When the methods are enabled and ssl2 is disabled the methods return NULL. [Kurt Roeckx]
Update security/openssl to version 1.0.2h.

Changes between 1.0.2g and 1.0.2h [3 May 2016]

*) Prevent padding oracle in AES-NI CBC MAC check
A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI. This issue was introduced as part of the fix for Lucky 13 padding attack (CVE-2013-0169). The padding check was rewritten to be in constant time by making sure that always the same bytes are read and compared against either the MAC or padding bytes. But it no longer checked that there was enough data to have both the MAC and padding bytes. This issue was reported by Juraj Somorovsky using TLS-Attacker. (CVE-2016-2107) [Kurt Roeckx]

*) Fix EVP_EncodeUpdate overflow
An overflow can occur in the EVP_EncodeUpdate() function which is used for Base64 encoding of binary data. If an attacker is able to supply very large amounts of input data then a length check can overflow resulting in a heap corruption. Internally to OpenSSL the EVP_EncodeUpdate() function is primarily used by the PEM_write_bio* family of functions. These are mainly used within the OpenSSL command line applications, so any application which processes data from an untrusted source and outputs it as a PEM file should be considered vulnerable to this issue. User applications that call these APIs directly with large amounts of untrusted data may also be vulnerable. This issue was reported by Guido Vranken. (CVE-2016-2105) [Matt Caswell]

*) Fix EVP_EncryptUpdate overflow
An overflow can occur in the EVP_EncryptUpdate() function. If an attacker is able to supply very large amounts of input data after a previous call to EVP_EncryptUpdate() with a partial block then a length check can overflow resulting in a heap corruption. Following an analysis of all OpenSSL internal usage of the EVP_EncryptUpdate() function all usage is one of two forms. The first form is where the EVP_EncryptUpdate() call is known to be the first called function after an EVP_EncryptInit(), and therefore that specific call must be safe. The second form is where the length passed to EVP_EncryptUpdate() can be seen from the code to be some small value and therefore there is no possibility of an overflow. Since all instances are one of these two forms, it is believed that there can be no overflows in internal code due to this problem. It should be noted that EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths. Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances of these calls have also been analysed and it is believed there are no instances in internal usage where an overflow could occur. This issue was reported by Guido Vranken. (CVE-2016-2106) [Matt Caswell]

*) Prevent ASN.1 BIO excessive memory allocation
When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio() a short invalid encoding can cause allocation of large amounts of memory potentially consuming excessive resources or exhausting memory. Any application parsing untrusted data through d2i BIO functions is affected. The memory based functions such as d2i_X509() are *not* affected. Since the memory based functions are used by the TLS library, TLS applications are not affected. This issue was reported by Brian Carpenter. (CVE-2016-2109) [Stephen Henson]

*) EBCDIC overread
ASN1 Strings that are over 1024 bytes can cause an overread in applications using the X509_NAME_oneline() function on EBCDIC systems. This could result in arbitrary stack data being returned in the buffer. This issue was reported by Guido Vranken. (CVE-2016-2176) [Matt Caswell]

*) Modify behavior of ALPN to invoke callback after SNI/servername callback, such that updates to the SSL_CTX affect ALPN. [Todd Short]

*) Remove LOW from the DEFAULT cipher list. This removes single DES from the default. [Kurt Roeckx]

*) Only remove the SSLv2 methods with the no-ssl2-method option. When the methods are enabled and ssl2 is disabled the methods return NULL. [Kurt Roeckx]
Bump PKGREVISION for security/openssl ABI bump.
Update security/openssl to version 1.0.2g.

Changes between 1.0.2f and 1.0.2g [1 Mar 2016]

*) Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. Builds that are not configured with "enable-weak-ssl-ciphers" will not provide any "EXPORT" or "LOW" strength ciphers. [Viktor Dukhovni]

*) Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2 is by default disabled at build-time. Builds that are not configured with "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used, users who want to negotiate SSLv2 via the version-flexible SSLv23_method() will need to explicitly call either of: SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2); or SSL_clear_options(ssl, SSL_OP_NO_SSLv2); as appropriate. Even if either of those is used, or the application explicitly uses the version-specific SSLv2_method() or its client and server variants, SSLv2 ciphers vulnerable to exhaustive search key recovery have been removed. Specifically, the SSLv2 40-bit EXPORT ciphers, and SSLv2 56-bit DES are no longer available. (CVE-2016-0800) [Viktor Dukhovni]

*) Fix a double-free in DSA code
A double free bug was discovered when OpenSSL parses malformed DSA private keys and could lead to a DoS attack or memory corruption for applications that receive DSA private keys from untrusted sources. This scenario is considered rare. This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using libFuzzer. (CVE-2016-0705) [Stephen Henson]

*) Disable SRP fake user seed to address a server memory leak. Add a new method SRP_VBASE_get1_by_user that handles the seed properly. SRP_VBASE_get_by_user had inconsistent memory management behaviour. In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user was changed to ignore the "fake user" SRP seed, even if the seed is configured. Users should use SRP_VBASE_get1_by_user instead. Note that in SRP_VBASE_get1_by_user, caller must free the returned value. Note also that even though configuring the SRP seed attempts to hide invalid usernames by continuing the handshake with fake credentials, this behaviour is not constant time and no strong guarantees are made that the handshake is indistinguishable from that of a valid user. (CVE-2016-0798) [Emilia Käsper]

*) Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
In the BN_hex2bn function the number of hex digits is calculated using an int value |i|. Later |bn_expand| is called with a value of |i * 4|. For large values of |i| this can result in |bn_expand| not allocating any memory because |i * 4| is negative. This can leave the internal BIGNUM data field as NULL leading to a subsequent NULL ptr deref. For very large values of |i|, the calculation |i * 4| could be a positive value smaller than |i|. In this case memory is allocated to the internal BIGNUM data field, but it is insufficiently sized leading to heap corruption. A similar issue exists in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn is ever called by user applications with very large untrusted hex/dec data. This is anticipated to be a rare occurrence. All OpenSSL internal usage of these functions use data that is not expected to be untrusted, e.g. config file data or application command line arguments. If user developed applications generate config file data based on untrusted data then it is possible that this could also lead to security consequences. This is also anticipated to be rare. This issue was reported to OpenSSL by Guido Vranken. (CVE-2016-0797) [Matt Caswell]

*) Fix memory issues in BIO_*printf functions
The internal |fmtstr| function used in processing a "%s" format string in the BIO_*printf functions could overflow while calculating the length of a string and cause an OOB read when printing very long strings. Additionally the internal |doapr_outch| function can attempt to write to an OOB memory location (at an offset from the NULL pointer) in the event of a memory allocation failure. In 1.0.2 and below this could be caused where the size of a buffer to be allocated is greater than INT_MAX. E.g. this could be in processing a very long "%s" format string. Memory leaks can also occur. The first issue may mask the second issue dependent on compiler behaviour. These problems could enable attacks where large amounts of untrusted data are passed to the BIO_*printf functions. If applications use these functions in this way then they could be vulnerable. OpenSSL itself uses these functions when printing out human-readable dumps of ASN.1 data. Therefore applications that print this data could be vulnerable if the data is from untrusted sources. OpenSSL command line applications could also be vulnerable where they print out ASN.1 data, or if untrusted data is passed as command line arguments. Libssl is not considered directly vulnerable. Additionally certificates etc received via remote connections via libssl are also unlikely to be able to trigger these issues because of message size limits enforced within libssl. This issue was reported to OpenSSL by Guido Vranken. (CVE-2016-0799) [Matt Caswell]

*) Side channel attack on modular exponentiation
A side-channel attack was found which makes use of cache-bank conflicts on the Intel Sandy-Bridge microarchitecture which could lead to the recovery of RSA keys. The ability to exploit this issue is limited as it relies on an attacker who has control of code in a thread running on the same hyper-threaded core as the victim thread which is performing decryptions. This issue was reported to OpenSSL by Yuval Yarom, The University of Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and Nadia Heninger, University of Pennsylvania with more information at http://cachebleed.info. (CVE-2016-0702) [Andy Polyakov]

*) Change the req app to generate a 2048-bit RSA/DSA key by default, if no keysize is specified with default_bits. This fixes an omission in an earlier change that changed all RSA/DSA key generation apps to use 2048 bits by default. [Emilia Käsper]
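The BN_hex2bn entry in the 1.0.2g log above and the EVP_EncryptUpdate/EVP_EncodeUpdate entries in the 1.0.2h log describe one bug class: a size derived from attacker-controlled input is computed in an `int`, the product wraps, and the allocation that follows is either skipped (the product went negative) or too small (it wrapped to a small positive value). The following is an added example, not OpenSSL code and not part of any commit message: a hypothetical `hex_digits_to_bits_checked` helper that refuses the multiplication before it can wrap, next to `wrapped_int_times4_model`, which computes in 64-bit arithmetic what a 32-bit `int` multiply would wrap to, so the two cases the log describes can be seen on the constructed inputs 0x20000000 and 0x40000001 digits. All names and values here are constructed for illustration.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical helper (not OpenSSL's): number of bits needed for a hex
 * string of `digits` digits, i.e. digits * 4, but refuse any count that
 * would not fit in an int instead of letting the multiplication wrap.
 * Returns 1 and stores the result on success; returns 0 and stores 0 if
 * the input is negative or the product would exceed INT_MAX. */
int hex_digits_to_bits_checked(long digits, int *bits)
{
    *bits = 0;
    if (digits < 0 || digits > INT_MAX / 4)
        return 0;                 /* digits * 4 would not fit in an int */
    *bits = (int)(digits * 4);    /* safe: at most INT_MAX - 3 */
    return 1;
}

/* Model of the unchecked pattern: the value a 32-bit two's-complement
 * `int` multiply would wrap to. Done in 64-bit arithmetic so that this
 * demonstration is itself well-defined (signed overflow in C is not). */
long long wrapped_int_times4_model(long long digits)
{
    long long v = (digits * 4) % 4294967296LL;    /* reduce mod 2^32 */
    if (v >= 2147483648LL)
        v -= 4294967296LL;                         /* reinterpret as signed */
    return v;
}

int main(void)
{
    int bits;

    /* Case 1 from the log: i * 4 goes negative, so a caller that treats
     * a negative size as "nothing to allocate" leaves the buffer NULL.
     * 0x20000000 digits is the smallest input that does this. */
    long long negative = wrapped_int_times4_model(0x20000000LL);

    /* Case 2 from the log: i * 4 wraps to a small positive value, so a
     * buffer is allocated but is far too small for the input. */
    long long too_small = wrapped_int_times4_model(0x40000001LL);

    printf("unchecked: 0x20000000 * 4 -> %lld\n", negative);   /* -2147483648 */
    printf("unchecked: 0x40000001 * 4 -> %lld\n", too_small);  /* 4 */
    printf("checked:   0x20000000 digits -> %s\n",
           hex_digits_to_bits_checked(0x20000000L, &bits) ? "ok" : "rejected");
    printf("checked:   1000 digits -> %s, %d bits\n",
           hex_digits_to_bits_checked(1000L, &bits) ? "ok" : "rejected", bits);
    return 0;
}
```

The rule the checked helper follows is the general one for any `count * element_size` computation fed by untrusted data: compare `count` against `MAX / element_size` before multiplying, and treat a rejected size as an error rather than as "nothing to allocate".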
Update security/openssl to version 1.0.2f.

Changes between 1.0.2e and 1.0.2f [28 Jan 2016]

*) DH small subgroups
Historically OpenSSL only ever generated DH parameters based on "safe" primes. More recently (in version 1.0.2) support was provided for generating X9.42 style parameter files such as those required for RFC 5114 support. The primes used in such files may not be "safe". Where an application is using DH configured with parameters based on primes that are not "safe" then an attacker could use this fact to find a peer's private DH exponent. This attack requires that the attacker complete multiple handshakes in which the peer uses the same private DH exponent. For example this could be used to discover a TLS server's private DH exponent if it's reusing the private DH exponent or it's using a static DH ciphersuite. OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS. It is not on by default. If the option is not set then the server reuses the same private DH exponent for the life of the server process and would be vulnerable to this attack. It is believed that many popular applications do set this option and would therefore not be at risk. The fix for this issue adds an additional check where a "q" parameter is available (as is the case in X9.42 based parameters). This detects the only known attack, and is the only possible defense for static DH ciphersuites. This could have some performance impact. Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by default and cannot be disabled. This could have some performance impact. This issue was reported to OpenSSL by Antonio Sanso (Adobe). (CVE-2016-0701) [Matt Caswell]

*) SSLv2 doesn't block disabled ciphers
A malicious client can negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes even if all SSLv2 ciphers have been disabled, provided that the SSLv2 protocol was not also disabled via SSL_OP_NO_SSLv2. This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram and Sebastian Schinzel. (CVE-2015-3197) [Viktor Dukhovni]

*) Reject DH handshakes with parameters shorter than 1024 bits. [Kurt Roeckx]
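The 1.0.2f entry above says the fix checks the peer's public value against `q` where X9.42-style parameters supply one. The following is an added example, not OpenSSL's code and not part of the commit log, of what that check is: a peer value y is accepted only if 1 < y < p - 1 and y^q mod p == 1, i.e. it lies in the prime-order subgroup the parameters intend. The group is a constructed toy (p = 67, q = 11, g = 64; p - 1 = 2 * 3 * 11, so p is not a safe prime and the group contains elements of order 2, 3 and 6 that a plain range check would let through). `dh_pub_key_check`, `modpow` and the `TOY_*` constants are hypothetical names; real parameters are thousands of bits and need a bignum library.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy parameters (not real DH parameters): p = 67 is prime,
 * p - 1 = 66 = 2 * 3 * 11, and g = 64 generates the subgroup of prime
 * order q = 11. Because p is not a "safe" prime, the group also contains
 * elements of order 2, 3 and 6 outside that subgroup. */
#define TOY_P 67u
#define TOY_Q 11u
#define TOY_G 64u

/* Square-and-multiply modular exponentiation. Operands are kept below
 * 2^32 in this demo so each intermediate product fits in uint64_t. */
uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod)
{
    uint64_t result = 1;
    base %= mod;
    while (exp > 0) {
        if (exp & 1)
            result = (result * base) % mod;
        base = (base * base) % mod;
        exp >>= 1;
    }
    return result;
}

/* Hypothetical check: accept a peer public value y only if it is in the
 * open range (1, p - 1) and its order divides q, i.e. y^q == 1 mod p.
 * Returns 1 if y is acceptable, 0 if the handshake must be rejected. */
int dh_pub_key_check(uint64_t y, uint64_t p, uint64_t q)
{
    if (y <= 1 || y >= p - 1)
        return 0;                      /* 0, 1 and p - 1 are never valid */
    return modpow(y, q, p) == 1;       /* membership in the order-q subgroup */
}

int main(void)
{
    uint64_t x = 7;                                 /* toy private exponent */
    uint64_t y_good = modpow(TOY_G, x, TOY_P);      /* honest peer: g^x mod p */
    uint64_t y_order3 = 37;                         /* 37^3 == 1 mod 67: order 3 */
    uint64_t y_order2 = TOY_P - 1;                  /* -1 mod p: order 2 */

    printf("g^x = %llu -> %s\n", (unsigned long long)y_good,
           dh_pub_key_check(y_good, TOY_P, TOY_Q) ? "accepted" : "rejected");
    printf("37      -> %s\n",
           dh_pub_key_check(y_order3, TOY_P, TOY_Q) ? "accepted" : "rejected");
    printf("p - 1   -> %s\n",
           dh_pub_key_check(y_order2, TOY_P, TOY_Q) ? "accepted" : "rejected");
    return 0;
}
```

The range test alone would accept 37 and every other small-order element; only the y^q test ties acceptance to the subgroup the parameters define, which is why the log calls it the only possible defense for static DH, where SSL_OP_SINGLE_DH_USE cannot help.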
Attempt to bring sanity to how ABI and MACHINE_ARCH are set. Previously there were at least 5 different ways MACHINE_ARCH could be set, some statically and some at run time, and in many cases these settings differed, leading to issues at pkg_add time where there was conflict between the setting encoded into the package and that used by pkg_install. Instead, move to a single source of truth where the correct value based on the host and the chosen (or default) ABI is determined in the bootstrap script. The value can still be overridden in mk.conf if necessary, e.g. for cross-compiling. ABI is now set by default and if unset a default is calculated based on MACHINE_ARCH. This fixes some OS, e.g. Linux, where the wrong default was previously chosen. As a result of the refactoring there is no need for LOWER_ARCH, with references to it replaced by MACHINE_ARCH. SPARC_TARGET_ARCH is also removed.
Pullup ticket #4877 - requested by cyber
security/openssl: security fix

Revisions pulled up:
- security/openssl/Makefile 1.214-1.216
- security/openssl/PLIST.common 1.26
- security/openssl/distinfo 1.116,1.118
- security/openssl/patches/patch-Makefile.shared 1.3
---
Module Name: pkgsrc
Committed By: jperkin
Date: Fri Oct 9 11:44:48 UTC 2015

Modified Files:
pkgsrc/security/openssl: Makefile

Log Message:
Force the "linux-elf" Configure target for Linux 32-bit, fixes the build when running with ABI=32 on a 64-bit native host.
---
Module Name: pkgsrc
Committed By: jperkin
Date: Mon Oct 26 09:42:47 UTC 2015

Modified Files:
pkgsrc/security/openssl: Makefile distinfo
pkgsrc/security/openssl/patches: patch-Makefile.shared

Log Message:
Support SunOS/clang and pass -h linker argument correctly. Doesn't fully fix the build yet, an additional patch to remove LD_LIBRARY_PATH is required but needs wider testing.
---
Module Name: pkgsrc
Committed By: jperkin
Date: Mon Dec 7 15:57:42 UTC 2015

Modified Files:
pkgsrc/security/openssl: Makefile PLIST.common distinfo

Log Message:
Update security/openssl to 1.0.2e.

pkgsrc changes:
- We now need to run 'make depend' after configure to pick up algorithm selection changes.

Upstream changes:

Changes between 1.0.2d and 1.0.2e [3 Dec 2015]

*) BN_mod_exp may produce incorrect results on x86_64
There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example this can occur by default in OpenSSL DHE based SSL/TLS ciphersuites. This issue was reported to OpenSSL by Hanno Böck. (CVE-2015-3193) [Andy Polyakov]

*) Certificate verify crash with missing PSS parameter
The signature verification routines will crash with a NULL pointer dereference if presented with an ASN.1 signature using the RSA PSS algorithm and absent mask generation function parameter. Since these routines are used to verify certificate signature algorithms this can be used to crash any certificate verification operation and exploited in a DoS attack. Any application which performs certificate verification is vulnerable including OpenSSL clients and servers which enable client authentication. This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG). (CVE-2015-3194) [Stephen Henson]

*) X509_ATTRIBUTE memory leak
When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak memory. This structure is used by the PKCS#7 and CMS routines so any application which reads PKCS#7 or CMS data from untrusted sources is affected. SSL/TLS is not affected. This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using libFuzzer. (CVE-2015-3195) [Stephen Henson]

*) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs. This changes the decoding behaviour for some invalid messages, though the change is mostly in the more lenient direction, and legacy behaviour is preserved as much as possible. [Emilia Käsper]

*) In DSA_generate_parameters_ex, if the provided seed is too short, return an error [Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>]
Fix the CC=gcc change differently, previous version didn't actually work due to the default being set later in the environment.
Work around an issue on platforms where CC=cc (set by default in sys.mk from bootstrap-mk-files). OpenSSL specifically checks for CC=gcc before using it as a makedepend replacement, whereas CC=cc will fall back to requiring a real 'makedepend' which may not be installed. Tested on Linux by kamil@
Update security/openssl to 1.0.2e.

pkgsrc changes:
- We now need to run 'make depend' after configure to pick up algorithm selection changes.

Upstream changes:

Changes between 1.0.2d and 1.0.2e [3 Dec 2015]

*) BN_mod_exp may produce incorrect results on x86_64
There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example this can occur by default in OpenSSL DHE based SSL/TLS ciphersuites. This issue was reported to OpenSSL by Hanno Böck. (CVE-2015-3193) [Andy Polyakov]

*) Certificate verify crash with missing PSS parameter
The signature verification routines will crash with a NULL pointer dereference if presented with an ASN.1 signature using the RSA PSS algorithm and absent mask generation function parameter. Since these routines are used to verify certificate signature algorithms this can be used to crash any certificate verification operation and exploited in a DoS attack. Any application which performs certificate verification is vulnerable including OpenSSL clients and servers which enable client authentication. This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG). (CVE-2015-3194) [Stephen Henson]

*) X509_ATTRIBUTE memory leak
When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak memory. This structure is used by the PKCS#7 and CMS routines so any application which reads PKCS#7 or CMS data from untrusted sources is affected. SSL/TLS is not affected. This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using libFuzzer. (CVE-2015-3195) [Stephen Henson]

*) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs. This changes the decoding behaviour for some invalid messages, though the change is mostly in the more lenient direction, and legacy behaviour is preserved as much as possible. [Emilia Käsper]

*) In DSA_generate_parameters_ex, if the provided seed is too short, return an error [Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>]
Support SunOS/clang and pass -h linker argument correctly. Doesn't fully fix the build yet, an additional patch to remove LD_LIBRARY_PATH is required but needs wider testing.
Force the "linux-elf" Configure target for Linux 32-bit, fixes the build when running with ABI=32 on a 64-bit native host.
Restore https URL, as discussed with schmonz. Systems without https support in their fetch tools can get the distfiles from ftp.NetBSD.org.
Go back to using the non-https MASTER_SITES, because NetBSD 6.x's /usr/bin/ftp (at least) can't fetch https URLs, and we verify distfiles by checksum anyway.
Fix pattern; perl will never be <5.16 again.
Pullup ticket #4770 - requested by wiz security/openssl: security update Revisions pulled up: - security/openssl/Makefile 1.210 - security/openssl/PLIST.common 1.25 - security/openssl/distinfo 1.115 --- Module Name: pkgsrc Committed By: wiz Date: Thu Jul 9 13:37:56 UTC 2015 Modified Files: pkgsrc/security/openssl: Makefile PLIST.common distinfo Log Message: Update to 1.0.2d: Major changes between OpenSSL 1.0.2c and OpenSSL 1.0.2d [9 Jul 2015] o Alternate chains certificate forgery (CVE-2015-1793)
Update to 1.0.2d: Major changes between OpenSSL 1.0.2c and OpenSSL 1.0.2d [9 Jul 2015] o Alternate chains certificate forgery (CVE-2015-1793)
Pullup ticket #4747 - requested by tron
security/openssl: security update

Revisions pulled up:
- security/openssl/Makefile 1.208-1.209
- security/openssl/PLIST.common 1.24
- security/openssl/distinfo 1.113-1.114
- security/openssl/patches/patch-Configure 1.5
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: tron
Date: Fri Jun 12 17:02:24 UTC 2015

Modified Files:
pkgsrc/security/openssl: Makefile PLIST.common distinfo
pkgsrc/security/openssl/patches: patch-Configure

Log Message:
Update "openssl" package to version 1.0.2b. Changes since version 1.0.2a:

- Malformed ECParameters causes infinite loop
When processing an ECParameters structure OpenSSL enters an infinite loop if the curve specified is over a specially malformed binary polynomial field. This can be used to perform denial of service against any system which processes public keys, certificate requests or certificates. This includes TLS clients and TLS servers with client authentication enabled. This issue was reported to OpenSSL by Joseph Barr-Pixton. (CVE-2015-1788) [Andy Polyakov]

- Exploitable out-of-bounds read in X509_cmp_time
X509_cmp_time does not properly check the length of the ASN1_TIME string and can read a few bytes out of bounds. In addition, X509_cmp_time accepts an arbitrary number of fractional seconds in the time string. An attacker can use this to craft malformed certificates and CRLs of various sizes and potentially cause a segmentation fault, resulting in a DoS on applications that verify certificates or CRLs. TLS clients that verify CRLs are affected. TLS clients and servers with client authentication enabled may be affected if they use custom verification callbacks. This issue was reported to OpenSSL by Robert Swiecki (Google), and independently by Hanno Böck. (CVE-2015-1789) [Emilia Käsper]

- PKCS7 crash with missing EnvelopedContent
The PKCS#7 parsing code does not handle missing inner EncryptedContent correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing. Applications that decrypt PKCS#7 data or otherwise parse PKCS#7 structures from untrusted sources are affected. OpenSSL clients and servers are not affected. This issue was reported to OpenSSL by Michal Zalewski (Google). (CVE-2015-1790) [Emilia Käsper]

- CMS verify infinite loop with unknown hash function
When verifying a signedData message the CMS code can enter an infinite loop if presented with an unknown hash function OID. This can be used to perform denial of service against any system which verifies signedData messages using the CMS code. This issue was reported to OpenSSL by Johannes Bauer. (CVE-2015-1792) [Stephen Henson]

- Race condition handling NewSessionTicket
If a NewSessionTicket is received by a multi-threaded client when attempting to reuse a previous ticket then a race condition can occur potentially leading to a double free of the ticket data. (CVE-2015-1791) [Matt Caswell]

- Removed support for the two export grade static DH ciphersuites EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites were newly added (along with a number of other static DH ciphersuites) to 1.0.2. However the two export ones have *never* worked since they were introduced. It seems strange in any case to be adding new export ciphersuites, and given "logjam" it also does not seem correct to fix them. [Matt Caswell]

- Only support 256-bit or stronger elliptic curves with the 'ecdh_auto' setting (server) or by default (client). Of supported curves, prefer P-256 (both). [Emilia Kasper]

- Reject DH handshakes with parameters shorter than 768 bits. [Kurt Roeckx and Emilia Kasper]

To generate a diff of this commit:
cvs rdiff -u -r1.207 -r1.208 pkgsrc/security/openssl/Makefile
cvs rdiff -u -r1.23 -r1.24 pkgsrc/security/openssl/PLIST.common
cvs rdiff -u -r1.112 -r1.113 pkgsrc/security/openssl/distinfo
cvs rdiff -u -r1.4 -r1.5 pkgsrc/security/openssl/patches/patch-Configure
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: tron
Date: Fri Jun 12 17:32:32 UTC 2015

Modified Files:
pkgsrc/security/openssl: Makefile distinfo

Log Message:
Update "openssl" package to version 1.0.2b. Changes since version 1.0.2c:

- Fix HMAC ABI incompatibility. The previous version introduced an ABI incompatibility in the handling of HMAC. The previous ABI has now been restored.

To generate a diff of this commit:
cvs rdiff -u -r1.208 -r1.209 pkgsrc/security/openssl/Makefile
cvs rdiff -u -r1.113 -r1.114 pkgsrc/security/openssl/distinfo
Update "openssl" package to version 1.0.2b. Changes since version 1.0.2c: - Fix HMAC ABI incompatibility. The previous version introduced an ABI incompatibility in the handling of HMAC. The previous ABI has now been restored.
Update "openssl" package to version 1.0.2b. Changes since version 1.0.2a:

- Malformed ECParameters causes infinite loop
When processing an ECParameters structure OpenSSL enters an infinite loop if the curve specified is over a specially malformed binary polynomial field. This can be used to perform denial of service against any system which processes public keys, certificate requests or certificates. This includes TLS clients and TLS servers with client authentication enabled. This issue was reported to OpenSSL by Joseph Barr-Pixton. (CVE-2015-1788) [Andy Polyakov]

- Exploitable out-of-bounds read in X509_cmp_time
X509_cmp_time does not properly check the length of the ASN1_TIME string and can read a few bytes out of bounds. In addition, X509_cmp_time accepts an arbitrary number of fractional seconds in the time string. An attacker can use this to craft malformed certificates and CRLs of various sizes and potentially cause a segmentation fault, resulting in a DoS on applications that verify certificates or CRLs. TLS clients that verify CRLs are affected. TLS clients and servers with client authentication enabled may be affected if they use custom verification callbacks. This issue was reported to OpenSSL by Robert Swiecki (Google), and independently by Hanno Böck. (CVE-2015-1789) [Emilia Käsper]

- PKCS7 crash with missing EnvelopedContent
The PKCS#7 parsing code does not handle missing inner EncryptedContent correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing. Applications that decrypt PKCS#7 data or otherwise parse PKCS#7 structures from untrusted sources are affected. OpenSSL clients and servers are not affected. This issue was reported to OpenSSL by Michal Zalewski (Google). (CVE-2015-1790) [Emilia Käsper]

- CMS verify infinite loop with unknown hash function
When verifying a signedData message the CMS code can enter an infinite loop if presented with an unknown hash function OID. This can be used to perform denial of service against any system which verifies signedData messages using the CMS code. This issue was reported to OpenSSL by Johannes Bauer. (CVE-2015-1792) [Stephen Henson]

- Race condition handling NewSessionTicket
If a NewSessionTicket is received by a multi-threaded client when attempting to reuse a previous ticket then a race condition can occur potentially leading to a double free of the ticket data. (CVE-2015-1791) [Matt Caswell]

- Removed support for the two export grade static DH ciphersuites EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites were newly added (along with a number of other static DH ciphersuites) to 1.0.2. However the two export ones have *never* worked since they were introduced. It seems strange in any case to be adding new export ciphersuites, and given "logjam" it also does not seem correct to fix them. [Matt Caswell]

- Only support 256-bit or stronger elliptic curves with the 'ecdh_auto' setting (server) or by default (client). Of supported curves, prefer P-256 (both). [Emilia Kasper]

- Reject DH handshakes with parameters shorter than 768 bits. [Kurt Roeckx and Emilia Kasper]
Recursive PKGREVISION bump for all packages mentioning 'perl', having a PKGNAME of p5-*, or depending such a package, for perl-5.22.0.
hppa -> hppa64
guard against undefined ABI
Update "openssl" package to version 1.0.2. Changes since version 1.0.2a:

- ClientHello sigalgs DoS fix

  If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension a NULL pointer dereference will occur. This can be exploited in a DoS attack against the server. This issue was reported to OpenSSL by David Ramos of Stanford University. (CVE-2015-0291) [Stephen Henson and Matt Caswell]

- Multiblock corrupted pointer fix

  OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This feature only applies on 64 bit x86 architecture platforms that support AES NI instructions. A defect in the implementation of "multiblock" can cause OpenSSL's internal write buffer to become incorrectly set to NULL when using non-blocking IO. Typically, when the user application is using a socket BIO for writing, this will only result in a failed connection. However if some other BIO is used then it is likely that a segmentation fault will be triggered, thus enabling a potential DoS attack. This issue was reported to OpenSSL by Daniel Danner and Rainer Mueller. (CVE-2015-0290) [Matt Caswell]

- Segmentation fault in DTLSv1_listen fix

  The DTLSv1_listen function is intended to be stateless and processes the initial ClientHello from many peers. It is common for user code to loop over the call to DTLSv1_listen until a valid ClientHello is received with an associated cookie. A defect in the implementation of DTLSv1_listen means that state is preserved in the SSL object from one invocation to the next that can lead to a segmentation fault. Errors processing the initial ClientHello can trigger this scenario. An example of such an error could be that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only server. This issue was reported to OpenSSL by Per Allansson. (CVE-2015-0207) [Matt Caswell]

- Segmentation fault in ASN1_TYPE_cmp fix

  The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check certificate signature algorithm consistency this can be used to crash any certificate verification operation and exploited in a DoS attack. Any application which performs certificate verification is vulnerable including OpenSSL clients and servers which enable client authentication. (CVE-2015-0286) [Stephen Henson]

- Segmentation fault for invalid PSS parameters fix

  The signature verification routines will crash with a NULL pointer dereference if presented with an ASN.1 signature using the RSA PSS algorithm and invalid parameters. Since these routines are used to verify certificate signature algorithms this can be used to crash any certificate verification operation and exploited in a DoS attack. Any application which performs certificate verification is vulnerable including OpenSSL clients and servers which enable client authentication. This issue was reported to OpenSSL by Brian Carpenter. (CVE-2015-0208) [Stephen Henson]

- ASN.1 structure reuse memory corruption fix

  Reusing a structure in ASN.1 parsing may allow an attacker to cause memory corruption via an invalid write. Such reuse is and has been strongly discouraged and is believed to be rare. Applications that parse structures containing CHOICE or ANY DEFINED BY components may be affected. Certificate parsing (d2i_X509 and related functions) are however not affected. OpenSSL clients and servers are not affected. (CVE-2015-0287) [Stephen Henson]

- PKCS7 NULL pointer dereferences fix

  The PKCS#7 parsing code does not handle missing outer ContentInfo correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing. Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or otherwise parse PKCS#7 structures from untrusted sources are affected. OpenSSL clients and servers are not affected. This issue was reported to OpenSSL by Michal Zalewski (Google). (CVE-2015-0289) [Emilia Käsper]

- DoS via reachable assert in SSLv2 servers fix

  A malicious client can trigger an OPENSSL_assert (i.e., an abort) in servers that both support SSLv2 and enable export cipher suites by sending a specially crafted SSLv2 CLIENT-MASTER-KEY message. This issue was discovered by Sean Burford (Google) and Emilia Käsper (OpenSSL development team). (CVE-2015-0293) [Emilia Käsper]

- Empty CKE with client auth and DHE fix

  If client auth is used then a server can seg fault in the event of a DHE ciphersuite being selected and a zero length ClientKeyExchange message being sent by the client. This could be exploited in a DoS attack. (CVE-2015-1787) [Matt Caswell]

- Handshake with unseeded PRNG fix

  Under certain conditions an OpenSSL 1.0.2 client can complete a handshake with an unseeded PRNG. The conditions are:
  - The client is on a platform where the PRNG has not been seeded automatically, and the user has not seeded manually
  - A protocol specific client method version has been used (i.e. not SSL_client_methodv23)
  - A ciphersuite is used that does not require additional random data from the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).
  If the handshake succeeds then the client random that has been used will have been generated from a PRNG with insufficient entropy and therefore the output may be predictable. For example using the following command with an unseeded openssl will succeed on an unpatched platform:
    openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
  (CVE-2015-0285) [Matt Caswell]

- Use After Free following d2i_ECPrivatekey error fix

  A malformed EC private key file consumed via the d2i_ECPrivateKey function could cause a use after free condition. This, in turn, could cause a double free in several private key parsing functions (such as d2i_PrivateKey or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption for applications that receive EC private keys from untrusted sources. This scenario is considered rare. This issue was discovered by the BoringSSL project and fixed in their commit 517073cd4b. (CVE-2015-0209) [Matt Caswell]

- X509_to_X509_REQ NULL pointer deref fix

  The function X509_to_X509_REQ will crash with a NULL pointer dereference if the certificate key is invalid. This function is rarely used in practice. This issue was discovered by Brian Carpenter. (CVE-2015-0288) [Stephen Henson]

- Removed the export ciphers from the DEFAULT ciphers [Kurt Roeckx]
unconditionally wants dlopen
Changes 1.0.2:
- Suite B support for TLS 1.2 and DTLS 1.2
- Support for DTLS 1.2
- TLS automatic EC curve selection.
- API to set TLS supported signature algorithms and curves
- SSL_CONF configuration API.
- TLS Brainpool support.
- ALPN support.
- CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH.
Pullup ticket #4586 - requested by wiz
security/openssl: security update

Revisions pulled up:
- security/openssl/Makefile 1.201
- security/openssl/distinfo 1.110
- security/openssl/patches/patch-crypto_dso_dso__dlfcn.c deleted
---
Module Name: pkgsrc
Committed By: wiz
Date: Thu Jan 8 16:58:25 UTC 2015

Modified Files:
pkgsrc/security/openssl: Makefile distinfo
Removed Files:
pkgsrc/security/openssl/patches: patch-crypto_dso_dso__dlfcn.c

Log Message:
Update to 1.0.1k:

Changes between 1.0.1j and 1.0.1k [8 Jan 2015]

*) Fix DTLS segmentation fault in dtls1_get_record.
   A carefully crafted DTLS message can cause a segmentation fault in OpenSSL due to a NULL pointer dereference. This could lead to a Denial Of Service attack. Thanks to Markus Stenberg of Cisco Systems, Inc. for reporting this issue. (CVE-2014-3571) [Steve Henson]

*) Fix DTLS memory leak in dtls1_buffer_record.
   A memory leak can occur in the dtls1_buffer_record function under certain conditions. In particular this could occur if an attacker sent repeated DTLS records with the same sequence number but for the next epoch. The memory leak could be exploited by an attacker in a Denial of Service attack through memory exhaustion. Thanks to Chris Mueller for reporting this issue. (CVE-2015-0206) [Matt Caswell]

*) Fix issue where no-ssl3 configuration sets method to NULL.
   When openssl is built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl method would be set to NULL which could later result in a NULL pointer dereference. Thanks to Frank Schmirler for reporting this issue. (CVE-2014-3569) [Kurt Roeckx]

*) Abort handshake if server key exchange message is omitted for ephemeral ECDH ciphersuites. Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for reporting this issue. (CVE-2014-3572) [Steve Henson]

*) Remove non-export ephemeral RSA code on client and server.
   This code violated the TLS standard by allowing the use of temporary RSA keys in non-export ciphersuites and could be used by a server to effectively downgrade the RSA key length used to a value smaller than the server certificate. Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for reporting this issue. (CVE-2015-0204) [Steve Henson]

*) Fixed issue where DH client certificates are accepted without verification.
   An OpenSSL server will accept a DH certificate for client authentication without the certificate verify message. This effectively allows a client to authenticate without the use of a private key. This only affects servers which trust a client certificate authority which issues certificates containing DH keys: these are extremely rare and hardly ever encountered. Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for reporting this issue. (CVE-2015-0205) [Steve Henson]

*) Ensure that the session ID context of an SSL is updated when its SSL_CTX is updated via SSL_set_SSL_CTX. The session ID context is typically set from the parent SSL_CTX, and can vary with the CTX. [Adam Langley]

*) Fix various certificate fingerprint issues.
   By using non-DER or invalid encodings outside the signed portion of a certificate the fingerprint can be changed without breaking the signature. Although no details of the signed portion of the certificate can be changed this can cause problems with some applications: e.g. those using the certificate fingerprint for blacklists.
   1. Reject signatures with non zero unused bits. If the BIT STRING containing the signature has non zero unused bits reject the signature. All current signature algorithms require zero unused bits.
   2. Check certificate algorithm consistency. Check the AlgorithmIdentifier inside TBS matches the one in the certificate signature. NB: this will result in signature failure errors for some broken certificates. Thanks to Konrad Kraszewski from Google for reporting this issue.
   3. Check DSA/ECDSA signatures use DER. Reencode DSA/ECDSA signatures and compare with the original received signature. Return an error if there is a mismatch. This will reject various cases including garbage after signature (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS program for discovering this case) and use of BER or invalid ASN.1 INTEGERs (negative or with leading zeroes).
   Further analysis was conducted and fixes were developed by Stephen Henson of the OpenSSL core team. (CVE-2014-8275) [Steve Henson]

*) Correct Bignum squaring.
   Bignum squaring (BN_sqr) may produce incorrect results on some platforms, including x86_64. This bug occurs at random with a very low probability, and is not known to be exploitable in any way, though its exact impact is difficult to determine. Thanks to Pieter Wuille (Blockstream) who reported this issue and also suggested an initial fix. Further analysis was conducted by the OpenSSL development team and Adam Langley of Google. The final fix was developed by Andy Polyakov of the OpenSSL core team. (CVE-2014-3570) [Andy Polyakov]

*) Do not resume sessions on the server if the negotiated protocol version does not match the session's version. Resuming with a different version, while not strictly forbidden by the RFC, is of questionable sanity and breaks all known clients. [David Benjamin, Emilia Käsper]

*) Tighten handling of the ChangeCipherSpec (CCS) message: reject early CCS messages during renegotiation. (Note that because renegotiation is encrypted, this early CCS was not exploitable.) [Emilia Käsper]

*) Tighten client-side session ticket handling during renegotiation: ensure that the client only accepts a session ticket if the server sends the extension anew in the ServerHello. Previously, a TLS client would reuse the old extension state and thus accept a session ticket if one was announced in the initial ServerHello. Similarly, ensure that the client requires a session ticket if one was advertised in the ServerHello. Previously, a TLS client would ignore a missing NewSessionTicket message. [Emilia Käsper]
Update to 1.0.1k:

Changes between 1.0.1j and 1.0.1k [8 Jan 2015]

*) Fix DTLS segmentation fault in dtls1_get_record.
   A carefully crafted DTLS message can cause a segmentation fault in OpenSSL due to a NULL pointer dereference. This could lead to a Denial Of Service attack. Thanks to Markus Stenberg of Cisco Systems, Inc. for reporting this issue. (CVE-2014-3571) [Steve Henson]

*) Fix DTLS memory leak in dtls1_buffer_record.
   A memory leak can occur in the dtls1_buffer_record function under certain conditions. In particular this could occur if an attacker sent repeated DTLS records with the same sequence number but for the next epoch. The memory leak could be exploited by an attacker in a Denial of Service attack through memory exhaustion. Thanks to Chris Mueller for reporting this issue. (CVE-2015-0206) [Matt Caswell]

*) Fix issue where no-ssl3 configuration sets method to NULL.
   When openssl is built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl method would be set to NULL which could later result in a NULL pointer dereference. Thanks to Frank Schmirler for reporting this issue. (CVE-2014-3569) [Kurt Roeckx]

*) Abort handshake if server key exchange message is omitted for ephemeral ECDH ciphersuites. Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for reporting this issue. (CVE-2014-3572) [Steve Henson]

*) Remove non-export ephemeral RSA code on client and server.
   This code violated the TLS standard by allowing the use of temporary RSA keys in non-export ciphersuites and could be used by a server to effectively downgrade the RSA key length used to a value smaller than the server certificate. Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for reporting this issue. (CVE-2015-0204) [Steve Henson]

*) Fixed issue where DH client certificates are accepted without verification.
   An OpenSSL server will accept a DH certificate for client authentication without the certificate verify message. This effectively allows a client to authenticate without the use of a private key. This only affects servers which trust a client certificate authority which issues certificates containing DH keys: these are extremely rare and hardly ever encountered. Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for reporting this issue. (CVE-2015-0205) [Steve Henson]

*) Ensure that the session ID context of an SSL is updated when its SSL_CTX is updated via SSL_set_SSL_CTX. The session ID context is typically set from the parent SSL_CTX, and can vary with the CTX. [Adam Langley]

*) Fix various certificate fingerprint issues.
   By using non-DER or invalid encodings outside the signed portion of a certificate the fingerprint can be changed without breaking the signature. Although no details of the signed portion of the certificate can be changed this can cause problems with some applications: e.g. those using the certificate fingerprint for blacklists.
   1. Reject signatures with non zero unused bits. If the BIT STRING containing the signature has non zero unused bits reject the signature. All current signature algorithms require zero unused bits.
   2. Check certificate algorithm consistency. Check the AlgorithmIdentifier inside TBS matches the one in the certificate signature. NB: this will result in signature failure errors for some broken certificates. Thanks to Konrad Kraszewski from Google for reporting this issue.
   3. Check DSA/ECDSA signatures use DER. Reencode DSA/ECDSA signatures and compare with the original received signature. Return an error if there is a mismatch. This will reject various cases including garbage after signature (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS program for discovering this case) and use of BER or invalid ASN.1 INTEGERs (negative or with leading zeroes).
   Further analysis was conducted and fixes were developed by Stephen Henson of the OpenSSL core team. (CVE-2014-8275) [Steve Henson]

*) Correct Bignum squaring.
   Bignum squaring (BN_sqr) may produce incorrect results on some platforms, including x86_64. This bug occurs at random with a very low probability, and is not known to be exploitable in any way, though its exact impact is difficult to determine. Thanks to Pieter Wuille (Blockstream) who reported this issue and also suggested an initial fix. Further analysis was conducted by the OpenSSL development team and Adam Langley of Google. The final fix was developed by Andy Polyakov of the OpenSSL core team. (CVE-2014-3570) [Andy Polyakov]

*) Do not resume sessions on the server if the negotiated protocol version does not match the session's version. Resuming with a different version, while not strictly forbidden by the RFC, is of questionable sanity and breaks all known clients. [David Benjamin, Emilia Käsper]

*) Tighten handling of the ChangeCipherSpec (CCS) message: reject early CCS messages during renegotiation. (Note that because renegotiation is encrypted, this early CCS was not exploitable.) [Emilia Käsper]

*) Tighten client-side session ticket handling during renegotiation: ensure that the client only accepts a session ticket if the server sends the extension anew in the ServerHello. Previously, a TLS client would reuse the old extension state and thus accept a session ticket if one was announced in the initial ServerHello. Similarly, ensure that the client requires a session ticket if one was advertised in the ServerHello. Previously, a TLS client would ignore a missing NewSessionTicket message. [Emilia Käsper]
Update to openssl-1.0.1j.

Changes between 1.0.1i and 1.0.1j [15 Oct 2014]

*) SRTP Memory Leak.
   A flaw in the DTLS SRTP extension parsing code allows an attacker, who sends a carefully crafted handshake message, to cause OpenSSL to fail to free up to 64k of memory causing a memory leak. This could be exploited in a Denial Of Service attack. This issue affects OpenSSL 1.0.1 server implementations for both SSL/TLS and DTLS regardless of whether SRTP is used or configured. Implementations of OpenSSL that have been compiled with OPENSSL_NO_SRTP defined are not affected. The fix was developed by the OpenSSL team. (CVE-2014-3513) [OpenSSL team]

*) Session Ticket Memory Leak.
   When an OpenSSL SSL/TLS/DTLS server receives a session ticket the integrity of that ticket is first verified. In the event of a session ticket integrity check failing, OpenSSL will fail to free memory causing a memory leak. By sending a large number of invalid session tickets an attacker could exploit this issue in a Denial Of Service attack. (CVE-2014-3567) [Steve Henson]

*) Build option no-ssl3 is incomplete.
   When OpenSSL is configured with "no-ssl3" as a build option, servers could accept and complete a SSL 3.0 handshake, and clients could be configured to send them. (CVE-2014-3568) [Akamai and the OpenSSL team]

*) Add support for TLS_FALLBACK_SCSV.
   Client applications doing fallback retries should call SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV). (CVE-2014-3566) [Adam Langley, Bodo Moeller]

*) Add additional DigestInfo checks.
   Reencode DigestInfo in DER and check against the original when verifying RSA signature: this will reject any improperly encoded DigestInfo structures. Note: this is a precautionary measure and no attacks are currently known. [Steve Henson]
Remove pkgviews: don't set PKG_INSTALLATION_TYPES in Makefiles.
Remove SVR4_PKGNAME, per discussion on tech-pkg.
Fix typo in previous. From PR 49131.
On AIX, openssl ignores $CC & defaults to using the aix-cc profile & building with /usr/vac/bin/cc; add the necessary checks to Makefile to use the correct profile depending on what CC/ABI is set to. Patch from Sevan Janiyan in PR 49131, but moved a few lines to not affect Darwin.
Pullup ticket #4471 - requested by obache
security/openssl: security update

Revisions pulled up:
- security/openssl/Makefile 1.195
- security/openssl/PLIST.common 1.19
- security/openssl/distinfo 1.108
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: obache
Date: Thu Aug 7 01:29:45 UTC 2014

Modified Files:
pkgsrc/security/openssl: Makefile PLIST.common distinfo

Log Message:
Update openssl to 1.0.1i.

Changes between 1.0.1h and 1.0.1i [6 Aug 2014]

*) Fix SRP buffer overrun vulnerability.
   Invalid parameters passed to the SRP code can overrun an internal buffer. Add sanity check that g, A, B < N to SRP code. Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC Group for discovering this issue. (CVE-2014-3512) [Steve Henson]

*) A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate TLS 1.0 instead of higher protocol versions when the ClientHello message is badly fragmented. This allows a man-in-the-middle attacker to force a downgrade to TLS 1.0 even if both the server and the client support a higher protocol version, by modifying the client's TLS records. Thanks to David Benjamin and Adam Langley (Google) for discovering and researching this issue. (CVE-2014-3511) [David Benjamin]

*) OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to a denial of service attack. A malicious server can crash the client with a null pointer dereference (read) by specifying an anonymous (EC)DH ciphersuite and sending carefully crafted handshake messages. Thanks to Felix Gröbert (Google) for discovering and researching this issue. (CVE-2014-3510) [Emilia Käsper]

*) By sending carefully crafted DTLS packets an attacker could cause openssl to leak memory. This can be exploited through a Denial of Service attack. Thanks to Adam Langley for discovering and researching this issue. (CVE-2014-3507) [Adam Langley]

*) An attacker can force openssl to consume large amounts of memory whilst processing DTLS handshake messages. This can be exploited through a Denial of Service attack. Thanks to Adam Langley for discovering and researching this issue. (CVE-2014-3506) [Adam Langley]

*) An attacker can force an error condition which causes openssl to crash whilst processing DTLS packets due to memory being freed twice. This can be exploited through a Denial of Service attack. Thanks to Adam Langley and Wan-Teh Chang for discovering and researching this issue. (CVE-2014-3505) [Adam Langley]

*) If a multithreaded client connects to a malicious server using a resumed session and the server sends an ec point format extension it could write up to 255 bytes to freed memory. Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this issue. (CVE-2014-3509) [Gabor Tyukasz]

*) A malicious server can crash an OpenSSL client with a null pointer dereference (read) by specifying an SRP ciphersuite even though it was not properly negotiated with the client. This can be exploited through a Denial of Service attack. Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for discovering and researching this issue. (CVE-2014-5139) [Steve Henson]

*) A flaw in OBJ_obj2txt may cause pretty printing functions such as X509_name_oneline, X509_name_print_ex et al. to leak some information from the stack. Applications may be affected if they echo pretty printing output to the attacker. Thanks to Ivan Fratric (Google) for discovering this issue. (CVE-2014-3508) [Emilia Käsper, and Steve Henson]

*) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.) for corner cases. (Certain input points at infinity could lead to bogus results, with non-infinity inputs mapped to infinity too.) [Bodo Moeller]

To generate a diff of this commit:
cvs rdiff -u -r1.194 -r1.195 pkgsrc/security/openssl/Makefile
cvs rdiff -u -r1.18 -r1.19 pkgsrc/security/openssl/PLIST.common
cvs rdiff -u -r1.107 -r1.108 pkgsrc/security/openssl/distinfo
Update openssl to 1.0.1i.

Changes between 1.0.1h and 1.0.1i [6 Aug 2014]

*) Fix SRP buffer overrun vulnerability.
   Invalid parameters passed to the SRP code can overrun an internal buffer. Add sanity check that g, A, B < N to SRP code. Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC Group for discovering this issue. (CVE-2014-3512) [Steve Henson]

*) A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate TLS 1.0 instead of higher protocol versions when the ClientHello message is badly fragmented. This allows a man-in-the-middle attacker to force a downgrade to TLS 1.0 even if both the server and the client support a higher protocol version, by modifying the client's TLS records. Thanks to David Benjamin and Adam Langley (Google) for discovering and researching this issue. (CVE-2014-3511) [David Benjamin]

*) OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject to a denial of service attack. A malicious server can crash the client with a null pointer dereference (read) by specifying an anonymous (EC)DH ciphersuite and sending carefully crafted handshake messages. Thanks to Felix Gröbert (Google) for discovering and researching this issue. (CVE-2014-3510) [Emilia Käsper]

*) By sending carefully crafted DTLS packets an attacker could cause openssl to leak memory. This can be exploited through a Denial of Service attack. Thanks to Adam Langley for discovering and researching this issue. (CVE-2014-3507) [Adam Langley]

*) An attacker can force openssl to consume large amounts of memory whilst processing DTLS handshake messages. This can be exploited through a Denial of Service attack. Thanks to Adam Langley for discovering and researching this issue. (CVE-2014-3506) [Adam Langley]

*) An attacker can force an error condition which causes openssl to crash whilst processing DTLS packets due to memory being freed twice. This can be exploited through a Denial of Service attack. Thanks to Adam Langley and Wan-Teh Chang for discovering and researching this issue. (CVE-2014-3505) [Adam Langley]

*) If a multithreaded client connects to a malicious server using a resumed session and the server sends an ec point format extension it could write up to 255 bytes to freed memory. Thanks to Gabor Tyukasz (LogMeIn Inc) for discovering and researching this issue. (CVE-2014-3509) [Gabor Tyukasz]

*) A malicious server can crash an OpenSSL client with a null pointer dereference (read) by specifying an SRP ciphersuite even though it was not properly negotiated with the client. This can be exploited through a Denial of Service attack. Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for discovering and researching this issue. (CVE-2014-5139) [Steve Henson]

*) A flaw in OBJ_obj2txt may cause pretty printing functions such as X509_name_oneline, X509_name_print_ex et al. to leak some information from the stack. Applications may be affected if they echo pretty printing output to the attacker. Thanks to Ivan Fratric (Google) for discovering this issue. (CVE-2014-3508) [Emilia Käsper, and Steve Henson]

*) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.) for corner cases. (Certain input points at infinity could lead to bogus results, with non-infinity inputs mapped to infinity too.) [Bodo Moeller]
SCO OpenServer 5.0.7/3.2 does not support SSSE3.
Pullup ticket #4431 - requested by wiz
security/openssl: security update

Revisions pulled up:
- security/openssl/Makefile 1.193
- security/openssl/builtin.mk 1.42
- security/openssl/distinfo 1.106-1.107
- security/openssl/patches/patch-Configure 1.2
- security/openssl/patches/patch-Makefile.org 1.2
- security/openssl/patches/patch-Makefile.shared 1.2
- security/openssl/patches/patch-apps_Makefile 1.2
- security/openssl/patches/patch-config 1.2
- security/openssl/patches/patch-crypto_bn_bn__prime.pl 1.2
- security/openssl/patches/patch-crypto_des_Makefile 1.1
- security/openssl/patches/patch-crypto_dso_dso__dlfcn.c 1.2
- security/openssl/patches/patch-doc_apps_cms.pod deleted
- security/openssl/patches/patch-doc_apps_smine.pod deleted
- security/openssl/patches/patch-doc_ssl_SSL__COMP__add__compression__method.pod deleted
- security/openssl/patches/patch-doc_ssl_SSL__CTX__add__session.pod deleted
- security/openssl/patches/patch-doc_ssl_SSL__CTX__load__verify__locations.pod deleted
- security/openssl/patches/patch-doc_ssl_SSL__CTX__set__client__CA__list.pod deleted
- security/openssl/patches/patch-doc_ssl_SSL__CTX__set__session__id__context.pod deleted
- security/openssl/patches/patch-doc_ssl_SSL__CTX__set__ssl__version.pod deleted
- security/openssl/patches/patch-doc_ssl_SSL__CTX__use__psk__identity__hint.pod deleted
- security/openssl/patches/patch-doc_ssl_SSL__accept.pod deleted
- security/openssl/patches/patch-doc_ssl_SSL__clear.pod deleted
- security/openssl/patches/patch-doc_ssl_SSL__connect.pod deleted
- security/openssl/patches/patch-doc_ssl_SSL__do__handshake.pod deleted
- security/openssl/patches/patch-doc_ssl_SSL__read.pod deleted
- security/openssl/patches/patch-doc_ssl_SSL__session__reused.pod deleted
- security/openssl/patches/patch-doc_ssl_SSL__set__fd.pod deleted
- security/openssl/patches/patch-doc_ssl_SSL__set__session.pod deleted
- security/openssl/patches/patch-doc_ssl_SSL__shutdown.pod deleted
- security/openssl/patches/patch-doc_ssl_SSL__write.pod deleted
- security/openssl/patches/patch-engines_ccgost_Makefile 1.2
- security/openssl/patches/patch-tools_Makefile 1.2
---
Module Name: pkgsrc
Committed By: rodent
Date: Tue May 13 02:23:11 UTC 2014

Modified Files:
pkgsrc/security/openssl: distinfo
pkgsrc/security/openssl/patches: patch-Configure patch-Makefile.org patch-Makefile.shared patch-apps_Makefile patch-config patch-crypto_bn_bn__prime.pl patch-crypto_dso_dso__dlfcn.c patch-doc_apps_cms.pod patch-doc_apps_smine.pod patch-doc_ssl_SSL__COMP__add__compression__method.pod patch-doc_ssl_SSL__CTX__add__session.pod patch-doc_ssl_SSL__CTX__load__verify__locations.pod patch-doc_ssl_SSL__CTX__set__client__CA__list.pod patch-doc_ssl_SSL__CTX__set__session__id__context.pod patch-doc_ssl_SSL__CTX__set__ssl__version.pod patch-doc_ssl_SSL__CTX__use__psk__identity__hint.pod patch-doc_ssl_SSL__accept.pod patch-doc_ssl_SSL__clear.pod patch-doc_ssl_SSL__connect.pod patch-doc_ssl_SSL__do__handshake.pod patch-doc_ssl_SSL__read.pod patch-doc_ssl_SSL__session__reused.pod patch-doc_ssl_SSL__set__fd.pod patch-doc_ssl_SSL__set__session.pod patch-doc_ssl_SSL__shutdown.pod patch-doc_ssl_SSL__write.pod patch-engines_ccgost_Makefile patch-tools_Makefile
Added Files:
pkgsrc/security/openssl/patches: patch-crypto_des_Makefile

Log Message:
Fix build on OpenBSD/sparc64. Defuzz patches (sorry if this is annoying).
---
Module Name: pkgsrc
Committed By: wiz
Date: Thu Jun 5 12:16:06 UTC 2014

Modified Files:
pkgsrc/security/openssl: Makefile builtin.mk distinfo
Removed Files:
pkgsrc/security/openssl/patches: patch-doc_apps_cms.pod patch-doc_apps_smine.pod patch-doc_ssl_SSL__COMP__add__compression__method.pod patch-doc_ssl_SSL__CTX__add__session.pod patch-doc_ssl_SSL__CTX__load__verify__locations.pod patch-doc_ssl_SSL__CTX__set__client__CA__list.pod patch-doc_ssl_SSL__CTX__set__session__id__context.pod patch-doc_ssl_SSL__CTX__set__ssl__version.pod patch-doc_ssl_SSL__CTX__use__psk__identity__hint.pod patch-doc_ssl_SSL__accept.pod patch-doc_ssl_SSL__clear.pod patch-doc_ssl_SSL__connect.pod patch-doc_ssl_SSL__do__handshake.pod patch-doc_ssl_SSL__read.pod patch-doc_ssl_SSL__session__reused.pod patch-doc_ssl_SSL__set__fd.pod patch-doc_ssl_SSL__set__session.pod patch-doc_ssl_SSL__shutdown.pod patch-doc_ssl_SSL__write.pod

Log Message:
Update to 1.0.1h:

Major changes between OpenSSL 1.0.1g and OpenSSL 1.0.1h [5 Jun 2014]
o Fix for CVE-2014-0224
o Fix for CVE-2014-0221
o Fix for CVE-2014-0195
o Fix for CVE-2014-3470
o Fix for CVE-2010-5298
Update to 1.0.1h:

Major changes between OpenSSL 1.0.1g and OpenSSL 1.0.1h [5 Jun 2014]
o Fix for CVE-2014-0224
o Fix for CVE-2014-0221
o Fix for CVE-2014-0195
o Fix for CVE-2014-3470
o Fix for CVE-2010-5298
Fixes missing override of pc files. PR pkg/48871. Bump PKGREVISION.
No reason to require gtar.
Bump for perl-5.20.0.
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
Set LICENSE.
Pullup ticket #4359 - requested by obache security/openssl: security update Revisions pulled up: - security/openssl/Makefile 1.186-1.188 - security/openssl/distinfo 1.103-1.104 - security/openssl/patches/patch-Configure 1.1 - security/openssl/patches/patch-Makefile.org 1.1 - security/openssl/patches/patch-Makefile.shared 1.1 - security/openssl/patches/patch-aa deleted - security/openssl/patches/patch-ac deleted - security/openssl/patches/patch-ad deleted - security/openssl/patches/patch-ae deleted - security/openssl/patches/patch-af deleted - security/openssl/patches/patch-ag deleted - security/openssl/patches/patch-ak deleted - security/openssl/patches/patch-apps_Makefile 1.1 - security/openssl/patches/patch-config 1.1 - security/openssl/patches/patch-crypto_bn_bn__prime.pl 1.1 - security/openssl/patches/patch-tools_Makefile 1.1 --- Module Name: pkgsrc Committed By: he Date: Wed Apr 2 12:11:35 UTC 2014 Modified Files: pkgsrc/security/openssl: Makefile distinfo Added Files: pkgsrc/security/openssl/patches: patch-Configure patch-Makefile.org patch-Makefile.shared patch-apps_Makefile patch-config patch-crypto_bn_bn.h patch-crypto_bn_bn__lib.c patch-crypto_bn_bn__prime.pl patch-crypto_ec_ec2__mult.c patch-tools_Makefile Removed Files: pkgsrc/security/openssl/patches: patch-aa patch-ac patch-ad patch-ae patch-af patch-ag patch-ak Log Message: Rename all remaining patch-?? files using the newer naming convention. Add a fix for CVE-2014-0076: Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" by Yuval Yarom and Naomi Benger. Details can be obtained from: http://eprint.iacr.org/2014/140 Thanks to Yuval Yarom and Naomi Benger for discovering this flaw and to Yuval Yarom for supplying a fix. Fix from culled from http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=2198be3483259de374f 91e57d247d0fc667aef29 Bump PKGREVISION. 
--- Module Name: pkgsrc Committed By: obache Date: Tue Apr 8 02:48:38 UTC 2014 Modified Files: pkgsrc/security/openssl: Makefile Log Message: p5-Perl4-CoreLibs is not required for perl<5.16 --- Module Name: pkgsrc Committed By: obache Date: Tue Apr 8 06:20:44 UTC 2014 Modified Files: pkgsrc/security/openssl: Makefile distinfo Removed Files: pkgsrc/security/openssl/patches: patch-crypto_bn_bn.h patch-crypto_bn_bn__lib.c patch-crypto_ec_ec2__mult.c Log Message: Update openssl to 1.0.1g. (CVE-2014-0076 is already fixed in pkgsrc). OpenSSL CHANGES _______________ Changes between 1.0.1f and 1.0.1g [7 Apr 2014] *) A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Thanks to Neel Mehta of Google Security for discovering this bug and to Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for preparing the fix (CVE-2014-0160) [Adam Langley, Bodo Moeller] *) Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" by Yuval Yarom and Naomi Benger. Details can be obtained from: http://eprint.iacr.org/2014/140 Thanks to Yuval Yarom and Naomi Benger for discovering this flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076) [Yuval Yarom and Naomi Benger] *) TLS pad extension: draft-agl-tls-padding-03 Workaround for the "TLS hang bug" (see FAQ and opensslPR#2771): if the TLS client Hello record length value would otherwise be > 255 and less than 512 pad with a dummy extension containing zeroes so it is at least 512 bytes long. [Adam Langley, Steve Henson]
Update openssl to 1.0.1g. (CVE-2014-0076 is already fixed in pkgsrc). OpenSSL CHANGES _______________ Changes between 1.0.1f and 1.0.1g [7 Apr 2014] *) A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Thanks to Neel Mehta of Google Security for discovering this bug and to Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for preparing the fix (CVE-2014-0160) [Adam Langley, Bodo Moeller] *) Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" by Yuval Yarom and Naomi Benger. Details can be obtained from: http://eprint.iacr.org/2014/140 Thanks to Yuval Yarom and Naomi Benger for discovering this flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076) [Yuval Yarom and Naomi Benger] *) TLS pad extension: draft-agl-tls-padding-03 Workaround for the "TLS hang bug" (see FAQ and opensslPR#2771): if the TLS client Hello record length value would otherwise be > 255 and less than 512 pad with a dummy extension containing zeroes so it is at least 512 bytes long. [Adam Langley, Steve Henson]
p5-Perl4-CoreLibs is not required for perl<5.16
Rename all remaining patch-?? files using the newer naming convention. Add a fix for CVE-2014-0076: Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" by Yuval Yarom and Naomi Benger. Details can be obtained from: http://eprint.iacr.org/2014/140 Thanks to Yuval Yarom and Naomi Benger for discovering this flaw and to Yuval Yarom for supplying a fix. Fix culled from http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=2198be3483259de374f91e57d247d0fc667aef29 Bump PKGREVISION.
Set USE_GCC_RUNTIME=yes for packages which build shared libraries but do not use libtool to do so. This is required to correctly depend upon a gcc runtime package (e.g. gcc47-libs) when using USE_PKGSRC_GCC_RUNTIME.
Cygwin also has shlib.
Pullup ticket #4293 - requested by tron security/openssl: security update Revisions pulled up: - security/openssl/Makefile 1.183 - security/openssl/distinfo 1.101 - security/openssl/patches/patch-doc_crypto_X509__STORE__CTX__get__error.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__CTX__set__client__CA__list.pod 1.2 - security/openssl/patches/patch-doc_ssl_SSL__CTX__use__psk__identity__hint.pod 1.2 - security/openssl/patches/patch-doc_ssl_SSL__accept.pod 1.2 - security/openssl/patches/patch-doc_ssl_SSL__connect.pod 1.2 - security/openssl/patches/patch-doc_ssl_SSL__do__handshake.pod 1.2 - security/openssl/patches/patch-doc_ssl_SSL__shutdown.pod 1.2 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: tron Date: Fri Jan 10 14:32:42 UTC 2014 Modified Files: pkgsrc/security/openssl: Makefile distinfo pkgsrc/security/openssl/patches: patch-doc_ssl_SSL__CTX__set__client__CA__list.pod patch-doc_ssl_SSL__CTX__use__psk__identity__hint.pod patch-doc_ssl_SSL__accept.pod patch-doc_ssl_SSL__connect.pod patch-doc_ssl_SSL__do__handshake.pod patch-doc_ssl_SSL__shutdown.pod Removed Files: pkgsrc/security/openssl/patches: patch-doc_crypto_X509__STORE__CTX__get__error.pod Log Message: Update "openssl" package to version 1.0.1f. Changes since 1.0.1e: - Fix for TLS record tampering bug. A carefully crafted invalid handshake could crash OpenSSL with a NULL pointer exception. Thanks to Anton Johansson for reporting this issue. (CVE-2013-4353) - Keep original DTLS digest and encryption contexts in retransmission structures so we can use the previous session parameters if they need to be resent. (CVE-2013-6450) [Steve Henson] - Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which avoids preferring ECDHE-ECDSA ciphers when the client appears to be Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for several ECDHE-ECDSA ciphers, but fails to negotiate them.
The bug is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing 10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer. [Rob Stradling, Adam Langley] To generate a diff of this commit: cvs rdiff -u -r1.182 -r1.183 pkgsrc/security/openssl/Makefile cvs rdiff -u -r1.100 -r1.101 pkgsrc/security/openssl/distinfo cvs rdiff -u -r1.1 -r0 \ pkgsrc/security/openssl/patches/patch-doc_crypto_X509__STORE__CTX__get__error.pod cvs rdiff -u -r1.1 -r1.2 \ pkgsrc/security/openssl/patches/patch-doc_ssl_SSL__CTX__set__client__CA__list.pod \ pkgsrc/security/openssl/patches/patch-doc_ssl_SSL__CTX__use__psk__identity__hint.pod \ pkgsrc/security/openssl/patches/patch-doc_ssl_SSL__accept.pod \ pkgsrc/security/openssl/patches/patch-doc_ssl_SSL__connect.pod \ pkgsrc/security/openssl/patches/patch-doc_ssl_SSL__do__handshake.pod \ pkgsrc/security/openssl/patches/patch-doc_ssl_SSL__shutdown.pod
Update "openssl" package to version 1.0.1f. Changes since 1.0.1e: - Fix for TLS record tampering bug. A carefully crafted invalid handshake could crash OpenSSL with a NULL pointer exception. Thanks to Anton Johansson for reporting this issue. (CVE-2013-4353) - Keep original DTLS digest and encryption contexts in retransmission structures so we can use the previous session parameters if they need to be resent. (CVE-2013-6450) [Steve Henson] - Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which avoids preferring ECDHE-ECDSA ciphers when the client appears to be Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing 10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer. [Rob Stradling, Adam Langley]
Pullup ticket #4250 - requested by joerg security/openssl: build fix for Linux/POWERPC64 Revisions pulled up: - security/openssl/Makefile by patch ------------------------------------------------------------------- Module Name: pkgsrc Committed By: joerg Date: Tue Oct 29 21:33:21 UTC 2013 Modified Files: pkgsrc/security/openssl: Makefile Log Message: For Linux/POWERPC64 override the default target, otherwise bad things happen (TM). To generate a diff of this commit: cvs rdiff -u -r1.181 -r1.182 pkgsrc/security/openssl/Makefile
For Linux/POWERPC64 override the default target, otherwise bad things happen (TM).
Unbreak previous.
Don't mess with the normal PLIST.${OPSYS} logic. Use a variable to control whether PLIST.shlib should be included or not.
Bump PKGREVISION. * For DragonFly, use its own condition. * Add Debian GNU/kFreeBSD support.
Require `fgrep' as a tool. Fixes build on Haiku, noticed by diger in pkgsrc-users@.
Bump all packages for perl-5.18, that a) refer 'perl' in their Makefile, or b) have a directory name of p5-*, or c) have any dependency on any p5-* package Like last time, where this caused no complaints.
Update OpenSSL to 1.0.1e. ("Corrected fix" was already incorporated in pkgsrc.) OpenSSL version 1.0.1e released =============================== OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.0.1e of our open source toolkit for SSL/TLS. This new OpenSSL version is a new feature release. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES. The most significant changes are: o Corrected fix for CVE-2013-0169
Pullup ticket #4055 - requested by taca security/openssl: security update Revisions pulled up: - security/openssl/Makefile 1.172 - security/openssl/distinfo 1.91 --- Module Name: pkgsrc Committed By: taca Date: Tue Feb 5 15:54:31 UTC 2013 Modified Files: pkgsrc/security/openssl: Makefile distinfo Log Message: Update openssl to 0.9.8y. Changes between 0.9.8x and 0.9.8y [5 Feb 2013] *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time. This addresses the flaw in CBC record processing discovered by Nadhem Alfardan and Kenny Paterson. Details of this attack can be found at: http://www.isg.rhul.ac.uk/tls/ Thanks go to Nadhem Alfardan and Kenny Paterson of the Information Security Group at Royal Holloway, University of London (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and Emilia Käsper for the initial patch. (CVE-2013-0169) [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson] *) Return an error when checking OCSP signatures when key is NULL. This fixes a DoS attack. (CVE-2013-0166) [Steve Henson] *) Call OCSP Stapling callback after ciphersuite has been chosen, so the right response is stapled. Also change SSL_get_certificate() so it returns the certificate actually sent. See http://rt.openssl.org/Ticket/Display.html?id=2836. (This is a backport) [Rob Stradling <rob.stradling@comodo.com>] *) Fix possible deadlock when decoding public keys. [Steve Henson]
Apply upstream patch to fix data corruption. Bump PKGREVISION.
PKGREVISION bumps for the security/openssl 1.0.1d update.
Update OpenSSL to 1.0.1d. Changes are far too numerous to list, the main one being that we can now take advantage of AES-NI support in modern processors to significantly increase performance. Miscellaneous pkgsrc changes: - Remove unnecessary warning message on Solaris. - Fix RPATH for libgost.so. - MD2 support is optional, enabled by default for compatibility.
Update openssl to 0.9.8y. Changes between 0.9.8x and 0.9.8y [5 Feb 2013] *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time. This addresses the flaw in CBC record processing discovered by Nadhem Alfardan and Kenny Paterson. Details of this attack can be found at: http://www.isg.rhul.ac.uk/tls/ Thanks go to Nadhem Alfardan and Kenny Paterson of the Information Security Group at Royal Holloway, University of London (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and Emilia Käsper for the initial patch. (CVE-2013-0169) [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson] *) Return an error when checking OCSP signatures when key is NULL. This fixes a DoS attack. (CVE-2013-0166) [Steve Henson] *) Call OCSP Stapling callback after ciphersuite has been chosen, so the right response is stapled. Also change SSL_get_certificate() so it returns the certificate actually sent. See http://rt.openssl.org/Ticket/Display.html?id=2836. (This is a backport) [Rob Stradling <rob.stradling@comodo.com>] *) Fix possible deadlock when decoding public keys. [Steve Henson]
Fix the first master site.
Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days.
Add build dependency on p5-Perl4-CoreLibs, needed since a script uses find.pl. Reported by Jörn Clausen in PR 47036.
Bump all packages that use perl, or depend on a p5-* package, or are called p5-*. I hope that's all of them.
Pullup ticket #3782 - requested by taca security/openssl: security update Revisions pulled up: - security/openssl/Makefile 1.167 - security/openssl/distinfo 1.89 --- Module Name: pkgsrc Committed By: taca Date: Fri May 11 13:27:27 UTC 2012 Modified Files: pkgsrc/security/openssl: Makefile distinfo Log Message: Update openssl to 0.9.8x. OpenSSL CHANGES _______________ Changes between 0.9.8w and 0.9.8x [10 May 2012] *) Sanity check record length before skipping explicit IV in DTLS to fix DoS attack. Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic fuzzing as a service testing platform. (CVE-2012-2333) [Steve Henson] *) Initialise tkeylen properly when encrypting CMS messages. Thanks to Solar Designer of Openwall for reporting this issue. [Steve Henson]
Update openssl to 0.9.8x. OpenSSL CHANGES _______________ Changes between 0.9.8w and 0.9.8x [10 May 2012] *) Sanity check record length before skipping explicit IV in DTLS to fix DoS attack. Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic fuzzing as a service testing platform. (CVE-2012-2333) [Steve Henson] *) Initialise tkeylen properly when encrypting CMS messages. Thanks to Solar Designer of Openwall for reporting this issue. [Steve Henson]
Pullup ticket #3755 - requested by taca security/openssl security update. Revisions pulled up: - security/openssl/Makefile 1.166 - security/openssl/distinfo 1.88 --- Module Name: pkgsrc Committed By: taca Date: Tue Apr 24 05:03:49 UTC 2012 Modified Files: pkgsrc/security/openssl: Makefile distinfo Log Message: Update openssl package to 0.9.8w. Security fix for CVE-2012-2131. Changes between 0.9.8v and 0.9.8w [23 Apr 2012] *) The fix for CVE-2012-2110 did not take into account that the 'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an int in OpenSSL 0.9.8, making it still vulnerable. Fix by rejecting negative len parameter. (CVE-2012-2131) [Tomas Hoger <thoger@redhat.com>]
Update openssl package to 0.9.8w. Security fix for CVE-2012-2131. Changes between 0.9.8v and 0.9.8w [23 Apr 2012] *) The fix for CVE-2012-2110 did not take into account that the 'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an int in OpenSSL 0.9.8, making it still vulnerable. Fix by rejecting negative len parameter. (CVE-2012-2131) [Tomas Hoger <thoger@redhat.com>]
Pullup ticket #3749 - requested by taca security/openssl: security update Revisions pulled up: - security/openssl/Makefile 1.165 - security/openssl/distinfo 1.87 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Sat Apr 21 07:38:14 UTC 2012 Modified Files: pkgsrc/security/openssl: Makefile distinfo Log Message: Update openssl package to 0.9.8v. NEWS ==== This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. Major changes between OpenSSL 0.9.8u and OpenSSL 0.9.8v: o Fix for ASN1 overflow bug CVE-2012-2110 To generate a diff of this commit: cvs rdiff -u -r1.164 -r1.165 pkgsrc/security/openssl/Makefile cvs rdiff -u -r1.86 -r1.87 pkgsrc/security/openssl/distinfo
Update openssl package to 0.9.8v. NEWS ==== This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. Major changes between OpenSSL 0.9.8u and OpenSSL 0.9.8v: o Fix for ASN1 overflow bug CVE-2012-2110
configure script expects darwin-ppc-cc and not darwin-powerpc-cc. 'should be ok' joerg@
Pullup ticket #3702 - requested by taca security/openssl: security update Revisions pulled up: - security/openssl/Makefile 1.163 - security/openssl/distinfo 1.86 - security/openssl/patches/patch-asn_mime.c deleted --- Module Name: pkgsrc Committed By: taca Date: Tue Mar 13 03:11:32 UTC 2012 Modified Files: pkgsrc/security/openssl: Makefile distinfo Removed Files: pkgsrc/security/openssl/patches: patch-asn_mime.c Log Message: Update openssl package to 0.9.8u. Changes between 0.9.8t and 0.9.8u [12 Mar 2012] *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness in CMS and PKCS7 code. When RSA decryption fails use a random key for content decryption and always return the same error. Note: this attack needs on average 2^20 messages so it only affects automated senders. The old behaviour can be reenabled in the CMS code by setting the CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where an MMA defence is not necessary. Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this issue. (CVE-2012-0884) [Steve Henson] *) Fix CVE-2011-4619: make sure we really are receiving a client hello before rejecting multiple SGC restarts. Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug. [Steve Henson]
Update openssl package to 0.9.8u. Changes between 0.9.8t and 0.9.8u [12 Mar 2012] *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness in CMS and PKCS7 code. When RSA decryption fails use a random key for content decryption and always return the same error. Note: this attack needs on average 2^20 messages so it only affects automated senders. The old behaviour can be reenabled in the CMS code by setting the CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where an MMA defence is not necessary. Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this issue. (CVE-2012-0884) [Steve Henson] *) Fix CVE-2011-4619: make sure we really are receiving a client hello before rejecting multiple SGC restarts. Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug. [Steve Henson]
Pullup ticket #3698 - requested by pettai security/openssl: security patch Revisions pulled up: - security/openssl/Makefile 1.162 - security/openssl/distinfo 1.85 - security/openssl/patches/patch-asn_mime.c 1.1 --- Module Name: pkgsrc Committed By: pettai Date: Mon Mar 5 00:26:55 UTC 2012 Modified Files: pkgsrc/security/openssl: Makefile distinfo Added Files: pkgsrc/security/openssl/patches: patch-asn_mime.c Log Message: Add fix for CVE-2006-7250
Add fix for CVE-2006-7250
Add HP-UX handling for Configure parameters
Pullup ticket #3656 - requested by taca security/openssl security fix Revisions pulled up: - security/openssl/Makefile 1.160 - security/openssl/distinfo 1.84 --- Module Name: pkgsrc Committed By: taca Date: Thu Jan 19 00:51:23 UTC 2012 Modified Files: pkgsrc/security/openssl: Makefile distinfo Log Message: Update security/openssl package to 0.9.8t. OpenSSL CHANGES _______________ Changes between 0.9.8s and 0.9.8t [18 Jan 2012] *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109. Thanks to Antonio Martin, Enterprise Secure Access Research and Development, Cisco Systems, Inc. for discovering this bug and preparing a fix. (CVE-2012-0050) [Antonio Martin]
Update security/openssl package to 0.9.8t. OpenSSL CHANGES _______________ Changes between 0.9.8s and 0.9.8t [18 Jan 2012] *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109. Thanks to Antonio Martin, Enterprise Secure Access Research and Development, Cisco Systems, Inc. for discovering this bug and preparing a fix. (CVE-2012-0050) [Antonio Martin]
Update openssl package to 0.9.8s. OpenSSL CHANGES _______________ Changes between 0.9.8r and 0.9.8s [4 Jan 2012] *) Nadhem Alfardan and Kenny Paterson have discovered an extension of the Vaudenay padding oracle attack on CBC mode encryption which enables an efficient plaintext recovery attack against the OpenSSL implementation of DTLS. Their attack exploits timing differences arising during decryption processing. A research paper describing this attack can be found at: http://www.isg.rhul.ac.uk/~kp/dtls.pdf Thanks go to Nadhem Alfardan and Kenny Paterson of the Information Security Group at Royal Holloway, University of London (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de> for preparing the fix. (CVE-2011-4108) [Robin Seggelmann, Michael Tuexen] *) Stop policy check failure freeing same buffer twice. (CVE-2011-4109) [Ben Laurie, Kasper <ekasper@google.com>] *) Clear bytes used for block padding of SSL 3.0 records. (CVE-2011-4576) [Adam Langley (Google)] *) Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619) [Adam Langley (Google)] *) Prevent malformed RFC3779 data triggering an assertion failure. Thanks to Andrew Chi, BBN Technologies, for discovering the flaw and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577) [Rob Austein <sra@hactrn.net>] *) Fix ssl_ciph.c set-up race. [Adam Langley (Google)] *) Fix spurious failures in ecdsatest.c. [Emilia Käsper (Google)] *) Fix the BIO_f_buffer() implementation (which was mixing different interpretations of the '..._len' fields). [Adam Langley (Google)] *) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent threads won't reuse the same blinding coefficients.
This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING lock to call BN_BLINDING_invert_ex, and avoids one use of BN_BLINDING_update for each BN_BLINDING structure (previously, the last update always remained unused). [Emilia Käsper (Google)] *) Fix SSL memory handling for (EC)DH ciphersuites, in particular for multi-threaded use of ECDH. [Adam Langley (Google)] *) Fix x509_name_ex_d2i memory leak on bad inputs. [Bodo Moeller] *) Add protection against ECDSA timing attacks as mentioned in the paper by Billy Bob Brumley and Nicola Tuveri, see: http://eprint.iacr.org/2011/232.pdf [Billy Bob Brumley and Nicola Tuveri] Changes between 0.9.8q and 0.9.8r [8 Feb 2011] *) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014 [Neel Mehta, Adam Langley, Bodo Moeller (Google)] *) Fix bug in string printing code: if *any* escaping is enabled we must escape the escape character (backslash) or the resulting string is ambiguous. [Steve Henson] Changes between 0.9.8p and 0.9.8q [2 Dec 2010] *) Disable code workaround for ancient and obsolete Netscape browsers and servers: an attacker can use it in a ciphersuite downgrade attack. Thanks to Martin Rex for discovering this bug. CVE-2010-4180 [Steve Henson] *) Fixed J-PAKE implementation error, originally discovered by Sebastien Martini, further info and confirmation from Stefan Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252 [Ben Laurie]
Add a new threads option which is on by default. The purpose of this is to allow other packages that can't handle threads to link against this. No revbump since there is no change to binary packages.
Correct the fix for http://secunia.com/advisories/44572/ See the thread here: http://www.mail-archive.com/openssl-dev@openssl.org/msg29283.html
Pullup ticket #3447 - requested by tez security/openssl security fix Revisions pulled up: - security/openssl/Makefile 1.156 - security/openssl/distinfo 1.81 - security/openssl/patches/patch-crypto_ecdsa_ecs__ossl.c 1.1 --- Module Name: pkgsrc Committed By: tez Date: Tue May 31 17:18:42 UTC 2011 Modified Files: pkgsrc/security/openssl: Makefile distinfo Added Files: pkgsrc/security/openssl/patches: patch-crypto_ecdsa_ecs__ossl.c Log Message: Add protection against ECDSA timing attacks as mentioned in the paper by Billy Bob Brumley and Nicola Tuveri, see: http://eprint.iacr.org/2011/232.pdf [Billy Bob Brumley and Nicola Tuveri] (patch confirmed in upstream cvs)
Add protection against ECDSA timing attacks as mentioned in the paper by Billy Bob Brumley and Nicola Tuveri, see: http://eprint.iacr.org/2011/232.pdf [Billy Bob Brumley and Nicola Tuveri] (patch confirmed in upstream cvs)
Use solaris64 rather than solaris for ABI=64 build using gcc in SunOS. Fixes PR#44769
Pullup ticket #3347 - requested by taca security/openssl security fix Revisions pulled up: - pkgsrc/security/openssl/Makefile 1.154 - pkgsrc/security/openssl/distinfo 1.80 - pkgsrc/security/openssl/patches/patch-ssl_t1__lib.c 1.1 ------------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Wed Feb 9 00:15:30 UTC 2011 Modified Files: pkgsrc/security/openssl: Makefile distinfo Added Files: pkgsrc/security/openssl/patches: patch-ssl_t1__lib.c Log Message: Add fix for security issue CVE-2011-0014. Bump PKGREVISION.
Add fix for security issue CVE-2011-0014. Bump PKGREVISION.
Pullup ticket #3292 - requested by taca pkgsrc/security/openssl security update Revisions pulled up: pkgsrc/security/openssl/Makefile 1.153 pkgsrc/security/openssl/distinfo 1.79 ------------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Fri Dec 3 00:17:21 UTC 2010 Modified Files: pkgsrc/security/openssl: Makefile distinfo Log Message: Update openssl package to 0.9.8q. OpenSSL version 0.9.8q released =============================== OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 0.9.8q of our open source toolkit for SSL/TLS. This new OpenSSL version is a security and bugfix release. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES. The most significant changes are: o Fix for security issue CVE-2010-4180 o Fix for CVE-2010-4252 To generate a diff of this commit: cvs rdiff -u -r1.152 -r1.153 pkgsrc/security/openssl/Makefile cvs rdiff -u -r1.78 -r1.79 pkgsrc/security/openssl/distinfo
Update openssl package to 0.9.8q. OpenSSL version 0.9.8q released =============================== OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 0.9.8q of our open source toolkit for SSL/TLS. This new OpenSSL version is a security and bugfix release. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES. The most significant changes are: o Fix for security issue CVE-2010-4180 o Fix for CVE-2010-4252
Pullup ticket #3276 - requested by taca security/openssl: security update Revisions pulled up: - security/openssl/Makefile 1.152 - security/openssl/distinfo 1.78 - security/openssl/patches/patch-bd delete --- Module Name: pkgsrc Committed By: taca Date: Wed Nov 17 00:52:26 UTC 2010 Modified Files: pkgsrc/security/openssl: Makefile distinfo Removed Files: pkgsrc/security/openssl/patches: patch-bd Log Message: Update security/openssl package to 0.9.8p. OpenSSL version 0.9.8p released =============================== OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 0.9.8p of our open source toolkit for SSL/TLS. This new OpenSSL version is a security and bugfix release which addresses CVE-2010-3864. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES.
Update security/openssl package to 0.9.8p. OpenSSL version 0.9.8p released =============================== OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 0.9.8p of our open source toolkit for SSL/TLS. This new OpenSSL version is a security and bugfix release which addresses CVE-2010-3864. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES.
Fix for CVE-2010-2939
ABI is not defined on old Darwin.
Pullup ticket 3135 - requested by taca security update Revisions pulled up: - pkgsrc/security/openssl/Makefile 1.149 - pkgsrc/security/openssl/distinfo 1.75 Files removed: pkgsrc/security/openssl/patches/patch-bc ------------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Mon Apr 12 14:19:17 UTC 2010 Modified Files: pkgsrc/security/openssl: Makefile distinfo Removed Files: pkgsrc/security/openssl/patches: patch-bc Log Message: Update openssl package from 0.9.8m to 0.9.8n. Changes between 0.9.8m and 0.9.8n [24 Mar 2010] *) When rejecting SSL/TLS records due to an incorrect version number, never update s->server with a new major version number. As of - OpenSSL 0.9.8m if 'short' is a 16-bit type, - OpenSSL 0.9.8f if 'short' is longer than 16 bits, the previous behavior could result in a read attempt at NULL when receiving specific incorrect SSL/TLS records once record payload protection is active. (CVE-2010-0740) [Bodo Moeller, Adam Langley <agl@chromium.org>] *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL could be crashed if the relevant tables were not present (e.g. chrooted). 
[Tomas Hoger <thoger@redhat.com>] To generate a diff of this commit: cvs rdiff -u -r1.146 -r1.147 pkgsrc/security/openssl/Makefile cvs rdiff -u -r1.73 -r1.74 pkgsrc/security/openssl/distinfo cvs rdiff -u -r1.1 -r0 pkgsrc/security/openssl/patches/patch-bc ------------------------------------------------------------------------- Module Name: pkgsrc Committed By: adam Date: Sat May 8 06:33:41 UTC 2010 Modified Files: pkgsrc/security/openssl: Makefile Log Message: Set correct architecture on Darwin To generate a diff of this commit: cvs rdiff -u -r1.147 -r1.148 pkgsrc/security/openssl/Makefile ------------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Wed Jun 2 13:30:11 UTC 2010 Modified Files: pkgsrc/security/openssl: Makefile distinfo Log Message: Update security/openssl package to 0.9.8o. OpenSSL CHANGES _______________ Changes between 0.9.8n and 0.9.8o [01 Jun 2010] *) Correct a typo in the CMS ASN1 module which can result in invalid memory access or freeing data twice (CVE-2010-0742) [Steve Henson, Ronald Moesbergen <intercommit@gmail.com>] *) Add SHA2 algorithms to SSL_library_init(). SHA2 is becoming far more common in certificates and some applications which only call SSL_library_init and not OpenSSL_add_all_algorithms() will fail. [Steve Henson] *) VMS fixes: Reduce copying into .apps and .test in makevms.com Don't try to use blank CA certificate in CA.com Allow use of C files from original directories in maketests.com [Steven M. Schweda <sms@antinode.info>] To generate a diff of this commit: cvs rdiff -u -r1.148 -r1.149 pkgsrc/security/openssl/Makefile cvs rdiff -u -r1.74 -r1.75 pkgsrc/security/openssl/distinfo
Update security/openssl package to 0.9.8o. OpenSSL CHANGES _______________ Changes between 0.9.8n and 0.9.8o [01 Jun 2010] *) Correct a typo in the CMS ASN1 module which can result in invalid memory access or freeing data twice (CVE-2010-0742) [Steve Henson, Ronald Moesbergen <intercommit@gmail.com>] *) Add SHA2 algorithms to SSL_library_init(). SHA2 is becoming far more common in certificates and some applications which only call SSL_library_init and not OpenSSL_add_all_algorithms() will fail. [Steve Henson] *) VMS fixes: Reduce copying into .apps and .test in makevms.com Don't try to use blank CA certificate in CA.com Allow use of C files from original directories in maketests.com [Steven M. Schweda <sms@antinode.info>]
Set correct architecture on Darwin
Update openssl package from 0.9.8m to 0.9.8n. Changes between 0.9.8m and 0.9.8n [24 Mar 2010] *) When rejecting SSL/TLS records due to an incorrect version number, never update s->server with a new major version number. As of - OpenSSL 0.9.8m if 'short' is a 16-bit type, - OpenSSL 0.9.8f if 'short' is longer than 16 bits, the previous behavior could result in a read attempt at NULL when receiving specific incorrect SSL/TLS records once record payload protection is active. (CVE-2010-0740) [Bodo Moeller, Adam Langley <agl@chromium.org>] *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL could be crashed if the relevant tables were not present (e.g. chrooted). [Tomas Hoger <thoger@redhat.com>]
Pullup ticket #3065 - requested by taca
openssl: security update

Revisions pulled up:
- security/openssl/Makefile 1.144-1.1.146
- security/openssl/PLIST.common 1.17
- security/openssl/distinfo 1.72-1.73
- security/openssl/patches/patch-aa 1.23
- security/openssl/patches/patch-ac 1.38
- security/openssl/patches/patch-af 1.24
- security/openssl/patches/patch-ax delete
- security/openssl/patches/patch-ay delete
- security/openssl/patches/patch-az delete
- security/openssl/patches/patch-ba delete
- security/openssl/patches/patch-bb delete
- security/openssl/patches/patch-bc 1.1
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Feb 26 03:15:14 UTC 2010
Modified Files:
pkgsrc/security/openssl: Makefile distinfo
pkgsrc/security/openssl/patches: patch-aa patch-ac patch-af
Removed Files:
pkgsrc/security/openssl/patches: patch-ax patch-ay patch-az patch-ba patch-bb
Log Message:
Update openssl to 0.9.8m. The OpenSSL project team is pleased to announce the release of version 0.9.8m of our open source toolkit for SSL/TLS. This new OpenSSL version is a security and bugfix release which implements RFC5746 to address renegotiation vulnerabilities mentioned in CVE-2009-3555. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES.
---
Module Name: pkgsrc
Committed By: taca
Date: Mon Mar 1 08:15:40 UTC 2010
Modified Files:
pkgsrc/security/openssl: Makefile PLIST.common
Log Message:
Fix broken PLIST. (I wonder why "make print-PLIST" generated wrong result before...) Bump PKGREVISION.
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Mar 26 00:20:49 UTC 2010
Modified Files:
pkgsrc/security/openssl: Makefile distinfo
Added Files:
pkgsrc/security/openssl/patches: patch-bc
Log Message:
Add a patch for Fix for CVE-2010-0740, DoS problem. http://www.openssl.org/news/secadv_20100324.txt Bump PKGREVISION.
Add a patch for Fix for CVE-2010-0740, DoS problem. http://www.openssl.org/news/secadv_20100324.txt Bump PKGREVISION.
Fix broken PLIST. (I wonder why "make print-PLIST" generated wrong result before...) Bump PKGREVISION.
Update openssl to 0.9.8m. The OpenSSL project team is pleased to announce the release of version 0.9.8m of our open source toolkit for SSL/TLS. This new OpenSSL version is a security and bugfix release which implements RFC5746 to address renegotiation vulnerabilities mentioned in CVE-2009-3555. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES.
Pullup ticket #2967 - requested by taca
openssl: security patch

Revisions pulled up:
- security/openssl/Makefile 1.143
- security/openssl/distinfo 1.71
- security/openssl/patches/patch-bb 1.1
---
Module Name: pkgsrc
Committed By: taca
Date: Fri Jan 22 03:35:10 UTC 2010
Modified Files:
pkgsrc/security/openssl: Makefile distinfo
Added Files:
pkgsrc/security/openssl/patches: patch-bb
Log Message:
Add a patch from OpenSSL's repository to deal with CVE-2009-4355. Bump PKGREVISION.
Add a patch from OpenSSL's repository to deal with CVE-2009-4355. Bump PKGREVISION.
Update openssl package to 0.9.8l, fixing security problem. Approved by agc@. Changes between 0.9.8k and 0.9.8l [5 Nov 2009] *) Disable renegotiation completely - this fixes a severe security problem (CVE-2009-3555) at the cost of breaking all renegotiation. Renegotiation can be re-enabled by setting SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at run-time. This is really not recommended unless you know what you're doing. [Ben Laurie]
Fixes and improvement for Interix
* Not only interix-3, but also treat all interix releases, allowing builds on SUA.
* Gave up randomized image base, use 0x5e000000, as in mk/platform/Interix.mk. It is a workaround for PR 42369.
* Use -D_REENTRANT flags for threads.
* Replace -Wl,soname= linker flags with -Wl,h, for Interix.
Pullup ticket #2794 - requested by tez
openssl: security patch

Revisions pulled up:
- security/openssl/Makefile 1.140
- security/openssl/distinfo 1.68
- security/openssl/patches/patch-ax 1.1
- security/openssl/patches/patch-ay 1.1
- security/openssl/patches/patch-az 1.1
- security/openssl/patches/patch-ba 1.1
---
Module Name: pkgsrc
Committed By: tez
Date: Wed Jun 10 13:57:08 UTC 2009
Modified Files:
pkgsrc/security/openssl: Makefile distinfo
Added Files:
pkgsrc/security/openssl/patches: patch-ax patch-ay patch-az patch-ba
Log Message:
Patches for CVE-2009-1377, CVE-2009-1378 & CVE-2009-1379 from
http://cvs.openssl.org/filediff?f=openssl/ssl/d1_both.c&v1=1.4.2.9&v2=1.4.2.10
http://cvs.openssl.org/filediff?f=openssl/ssl/d1_both.c&v1=1.4.2.13&v2=1.4.2.15
http://cvs.openssl.org/filediff?f=openssl/crypto/pqueue/pqueue.c&v1=1.2.2.4&v2=1.2.2.5
http://cvs.openssl.org/filediff?f=openssl/crypto/pqueue/pqueue.h&v1=1.2.2.1&v2=1.2.2.2
http://cvs.openssl.org/filediff?f=openssl/ssl/d1_pkt.c&v1=1.4.2.17&v2=1.4.2.18
Patches for CVE-2009-1377, CVE-2009-1378 & CVE-2009-1379 from
http://cvs.openssl.org/filediff?f=openssl/ssl/d1_both.c&v1=1.4.2.9&v2=1.4.2.10
http://cvs.openssl.org/filediff?f=openssl/ssl/d1_both.c&v1=1.4.2.13&v2=1.4.2.15
http://cvs.openssl.org/filediff?f=openssl/crypto/pqueue/pqueue.c&v1=1.2.2.4&v2=1.2.2.5
http://cvs.openssl.org/filediff?f=openssl/crypto/pqueue/pqueue.h&v1=1.2.2.1&v2=1.2.2.2
http://cvs.openssl.org/filediff?f=openssl/ssl/d1_pkt.c&v1=1.4.2.17&v2=1.4.2.18
clean up mirrors. use official up to date ones.
Update to openssl-0.9.8k.

Changes between 0.9.8j and 0.9.8k [25 Mar 2009]

*) Don't set val to NULL when freeing up structures, it is freed up by underlying code. If sizeof(void *) > sizeof(long) this can result in zeroing past the valid field. (CVE-2009-0789)
*) Fix bug where return value of CMS_SignerInfo_verify_content() was not checked correctly. This would allow some invalid signed attributes to appear to verify correctly. (CVE-2009-0591)
*) Reject UniversalString and BMPString types with invalid lengths. This prevents a crash in ASN1_STRING_print_ex() which assumes the strings have a legal length. (CVE-2009-0590)
*) Set S/MIME signing as the default purpose rather than setting it unconditionally. This allows applications to override it at the store level.
*) Permit restricted recursion of ASN1 strings. This is needed in practice to handle some structures.
*) Improve efficiency of mem_gets: don't search whole buffer each time for a '\n'
*) New -hex option for openssl rand.
*) Print out UTF8String and NumericString when parsing ASN1.
*) Support NumericString type for name components.
*) Allow CC in the environment to override the automatically chosen compiler. Note that nothing is done to ensure flags work with the chosen compiler.
Pullup ticket #2628 - requested by tnn openssl: security update Revisions pulled up: - security/openssl/Makefile 1.137 - security/openssl/PLIST.common 1.14 - security/openssl/distinfo 1.65 - security/openssl/patches/patch-af 1.22 - security/openssl/patches/patch-am 1.6 --- Module Name: pkgsrc Committed By: tnn Date: Thu Jan 8 16:38:22 UTC 2009 Modified Files: pkgsrc/security/openssl: Makefile PLIST.common distinfo pkgsrc/security/openssl/patches: patch-af patch-am Log Message: Update to openssl-0.9.8j. Fixes CVE-2008-5077.
Update to openssl-0.9.8j. Fixes CVE-2008-5077.

Changes between 0.9.8i and 0.9.8j [07 Jan 2009]

*) Properly check EVP_VerifyFinal() and similar return values (CVE-2008-5077).
*) Allow the CHIL engine to be loaded, whether the application is multithreaded or not. (This does not release the developer from the obligation to set up the dynamic locking callbacks.)
*) Use correct exit code if there is an error in dgst command.
*) Tweak Configure so that you need to say "experimental-jpake" to enable JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications.
*) Add experimental JPAKE support, including demo authentication in s_client and s_server.
*) Set the comparison function in v3_addr_canonize().
*) Add support for XMPP STARTTLS in s_client.
*) Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior to ensure that even with this option, only ciphersuites in the server's preference list will be accepted. (Note that the option applies only when resuming a session, so the earlier behavior was just about the algorithm choice for symmetric cryptography.)

Changes between 0.9.8h and 0.9.8i [15 Sep 2008]

*) Fix a state transition in s3_srvr.c and d1_srvr.c (was using SSL3_ST_CW_CLNT_HELLO_B, should be ..._ST_SW_SRVR_...).
*) The fix in 0.9.8c that supposedly got rid of unsafe double-checked locking was incomplete for RSA blinding, addressing just one layer of what turns out to have been doubly unsafe triple-checked locking. So now fix this for real by retiring the MONT_HELPER macro in crypto/rsa/rsa_eay.c.
*) Various precautionary measures:
   - Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
   - Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c). (NB: This would require knowledge of the secret session ticket key to exploit, in which case you'd be SOL either way.)
   - Change bn_nist.c so that it will properly handle input BIGNUMs outside the expected range.
   - Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG builds.
*) Allow engines to be "soft loaded" - i.e. optionally don't die if the load fails. Useful for distros.
*) Add support for Local Machine Keyset attribute in PKCS#12 files.
*) Fix BN_GF2m_mod_arr() top-bit cleanup code.
*) Expand ENGINE to support engine supplied SSL client certificate functions. This work was sponsored by Logica.
*) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows keystores. Support for SSL/TLS client authentication too. Not compiled unless enable-capieng specified to Configure. This work was sponsored by Logica.
*) Fix bug in X509_ATTRIBUTE creation: don't set attribute using ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain attribute creation routines such as certificate requests and PKCS#12 files.
OpenSSL is not JOBS_SAFE Pull in a fix from the OpenSSL CVS: http://cvs.openssl.org/filediff?f=openssl/crypto/x509/x509_att.c&v1=1.14&v2=1.15 This should fix PR #39767 opened by Wolfgang Solfrank
Add zlib option. This is for PR 39433. It is not enabled by default.
Update to openssl-0.9.8h. Changes from 0.9.8g: Two crashes discovered using the Codenomicon TLS test suite, as reported in CVE-2008-0891 and CVE-2008-1672, were fixed. The root CA certificates of commercial CAs were removed from the distribution. Functions were added to implement RFC3394 compatible AES key wrapping. Utility functions to handle ASN1 structures were added. The certificate status request TLS extension, as defined in RFC3546, was implemented. Several other bugfixes and enhancements were made.
Fix shared library build on various architectures. This basically fiddles with the number of colons between the fields.
pullup ticket #2414 - requested by tonnerre
openssl: DoS and double free fixes

revisions pulled up:
- pkgsrc/security/openssl/Makefile 1.132
- pkgsrc/security/openssl/distinfo 1.60
- pkgsrc/security/openssl/patches/patch-ab 1.12
- pkgsrc/security/openssl/patches/patch-ah 1.8

Module Name: pkgsrc
Committed By: tonnerre
Date: Tue Jun 3 21:39:40 UTC 2008
Modified Files:
pkgsrc/security/openssl: Makefile distinfo
Added Files:
pkgsrc/security/openssl/patches: patch-ab patch-ah
Log Message:
Fix two Denial of Service vulnerabilities in OpenSSL 0.9.8g:
- Fix flaw if 'Server Key exchange message' is omitted from a TLS handshake which could lead to a silent crash.
- Fix double free in TLS server name extensions which could lead to a remote crash.
Patches from upstream.
Fix two Denial of Service vulnerabilities in OpenSSL 0.9.8g:
- Fix flaw if 'Server Key exchange message' is omitted from a TLS handshake which could lead to a silent crash.
- Fix double free in TLS server name extensions which could lead to a remote crash.
Patches from upstream.
Update to openssl-0.9.8g. Provided by Jukka Salmi in pkgsrc-wip.

pkgsrc notes:
o Tested on NetBSD/i386 (Jukka Salmi), Mac OSX 10.5 (Adrian Portelli), Linux (Jeremy C. Reed), Tru64 5.1b (tnn), HP-UX 11i (tnn). Because the Makefile system has been revamped, other platforms may require fixes. Please test if you can.
o OpenSSL can now be built with installation to DESTDIR.

Overview of important changes since 0.9.7i:
o Add gcc 4.2 support.
o DTLS improvements.
o RFC4507bis support.
o TLS Extensions support.
o RFC3779 support.
o New cipher Camellia
o Updated ECC cipher suite support.
o New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free().
o Zlib compression usage fixes.
o Major work on the BIGNUM library for higher efficiency and to make operations more streamlined and less contradictory. This is the result of a major audit of the BIGNUM library.
o Addition of BIGNUM functions for fields GF(2^m) and NIST curves, to support the Elliptic Crypto functions.
o Major work on Elliptic Crypto; ECDH and ECDSA added, including the use through EVP, X509 and ENGINE.
o New ASN.1 mini-compiler that's usable through the OpenSSL configuration file.
o Added support for ASN.1 indefinite length constructed encoding.
o New PKCS#12 'medium level' API to manipulate PKCS#12 files.
o Complete rework of shared library construction and linking programs with shared or static libraries, through a separate Makefile.shared.
o Rework of the passing of parameters from one Makefile to another.
o Changed ENGINE framework to load dynamic engine modules automatically from specifically given directories.
o New structure and ASN.1 functions for CertificatePair.
o Changed the key-generation and primality testing "progress" mechanism to take a structure that contains the ticker function and an argument.
o New engine module: GMP (performs private key exponentiation).
o New engine module: VIA PadLock ACE extension in VIA C3 Nehemiah processors.
o Added support for IPv6 addresses in certificate extensions. See RFC 1884, section 2.2.
o Added support for certificate policy mappings, policy constraints and name constraints.
o Added support for multi-valued AVAs in the OpenSSL configuration file.
o Added support for multiple certificates with the same subject in the 'openssl ca' index file.
o Make it possible to create self-signed certificates using 'openssl ca -selfsign'.
o Make it possible to generate a serial number file with 'openssl ca -create_serial'.
o New binary search functions with extended functionality.
o New BUF functions.
o New STORE structure and library to provide an interface to all sorts of data repositories. Supports storage of public and private keys, certificates, CRLs, numbers and arbitrary blobs. This library is unfortunately unfinished and unused within OpenSSL.
o New control functions for the error stack.
o Changed the PKCS#7 library to support one-pass S/MIME processing.
o New FIPS 180-2 algorithms (SHA-224, -256, -384 and -512).
o New X509_VERIFY_PARAM structure to support parametrisation of X.509 path validation.
o Change the default digest in 'openssl' commands from MD5 to SHA-1.
o Added support for DTLS.
o New BIGNUM blinding.
o Added support for the RSA-PSS encryption scheme
o Added support for the RSA X.931 padding.
o Added support for files larger than 2GB.
o Added alternate pkg-config files.
Fixed a few pkglint warnings.
Removed the special-case handling of PKG_SYSCONFDIR for NetBSD. Now the configuration files are installed in the usual pkgsrc place, not in /etc. PKGREVISION++ Ok'ed by jlam@.
Pullup ticket 2209 - requested by adrianp security fix for openssl - pkgsrc/security/openssl/Makefile 1.128 - pkgsrc/security/openssl/distinfo 1.56 - pkgsrc/security/openssl/patches/patch-ao 1.2 Module Name: pkgsrc Committed By: adrianp Date: Sun Oct 21 17:52:53 UTC 2007 Modified Files: pkgsrc/security/openssl: Makefile distinfo pkgsrc/security/openssl/patches: patch-ao Log Message: Full and proper fix for CVE-2007-5135 PKGREVISION++
Full and proper fix for CVE-2007-5135 PKGREVISION++
Add a target configuration for Tru64 with gcc.
Compile OpenSSL with support for threads. This allows an application to register callbacks which implement locking primitives to make OpenSSL thread-safe. Bump package revision because of this change.
Fix typo in "SUBST_MESSAGE.dl".
Also link with the "dl" library when creating the shared libraries. Another attempt to fix PR pkg/36086.
Use all necessary means to convince OpenSSL's "special" build system to link with the "dl" library under Mac OS X if necessary. This should finally fix PR pkg/36086.
Make sure that the "dlcompat" related options are actually added to "LDFLAGS". This is another attempt to fix PR pkg/36086.
Use "pkgsrc/mk/dlopen.buildlink3.mk" instead of manually including "pkgsrc/devel/dlcompat/buildlink3.mk" under Darwin. This might finally fix PR pkg/36086.
Add ${BUILDLINK_LDFLAGS.dlcompat} (defined as "-ldl") to "LDFLAGS" under Mac OS X. This is harmless under recent versions of Mac OS X where "libdl.dylib" is symbolic link to "libSystem.dylib". And it is necessary under old versions of Mac OS X (Jaguar and older) where we need the "libdl.dylib" from the "dlcompat" package. This should finally fix PR pkg/36086 by John D. Baker.
Include "pkgsrc/devel/dlcompat/buildlink3.mk" when building this package under Mac OS X. This should fix PR pkg/36086.
Check for GCC on IRIX instead of assuming the native compiler is used.
Apply patches which fix the recent security problem of OpenSSL. http://secunia.com/advisories/22130/ Bump PKGREVISION.
Pullup ticket 1817 - requested by adrianp security fix for openssl Revisions pulled up: - pkgsrc/security/openssl/Makefile 1.116 - pkgsrc/security/openssl/distinfo 1.52 - pkgsrc/security/openssl/patches/patch-am 1.3 Module Name: pkgsrc Committed By: adrianp Date: Thu Sep 7 09:44:31 UTC 2006 Modified Files: pkgsrc/security/openssl: Makefile distinfo Added Files: pkgsrc/security/openssl/patches: patch-am Log Message: Add a patch to address CVE-2006-4339
Add a patch to address CVE-2006-4339
Drop maintainership for packages that I no longer have time to maintain.
Add support for Solaris/i386 and x86_64, and fall back to the configure script's auto detection for other archs.
Recursive revision bump / recommended bump for gettext ABI change.
Remove USE_PKGINSTALL from pkgsrc now that mk/install/pkginstall.mk automatically detects whether we want the pkginstall machinery to be used by the package Makefile.
Change my MAINTAINER email address to the one I've been using for pkgsrc work.
Ran "pkglint --autofix", which corrected some of the quoting issues in CONFIGURE_ARGS.
Fixed pkglint warnings. The warnings are mostly quoting issues, for example MAKE_ENV+=FOO=${BAR} is changed to MAKE_ENV+=FOO=${BAR:Q}. Some other changes are outlined in http://mail-index.netbsd.org/tech-pkg/2005/12/02/0034.html
Pullup ticket 833 - requested by Johnny C. Lam openssl update (abi changes) Revisions pulled up: - pkgsrc/security/openssl/Makefile 1.108 - pkgsrc/security/openssl/distinfo 1.47 Module Name: pkgsrc Committed By: jlam Date: Sat Oct 15 06:29:58 UTC 2005 Modified Files: pkgsrc/security/openssl: Makefile distinfo Log Message: Update security/openssl from 0.9.7h to 0.9.7i. Changes from version 0.9.7h include fixing a shared library upgrade problem where openssl-0.9.7h had a different ABI than previous 0.9.7 sub-revisions due to a changed constant.
Update security/openssl from 0.9.7h to 0.9.7i. Changes from version 0.9.7h include fixing a shared library upgrade problem where openssl-0.9.7h had a different ABI than previous 0.9.7 sub-revisions due to a changed constant.
Pullup tickets 822 and 825 - requested by Johnny C. Lam
security update for openssl

Revisions pulled up:
- pkgsrc/security/openssl/Makefile 1.107
- pkgsrc/security/openssl/PLIST.common 1.11
- pkgsrc/security/openssl/builtin.mk 1.16, 1.17
- pkgsrc/security/openssl/distinfo 1.46
- pkgsrc/security/openssl/patches/patch-aa 1.18
- pkgsrc/security/openssl/patches/patch-ac 1.28
- pkgsrc/security/openssl/patches/patch-ad 1.15
- pkgsrc/security/openssl/patches/patch-af 1.17

Module Name: pkgsrc
Committed By: jlam
Date: Tue Oct 11 17:19:21 UTC 2005
Modified Files:
pkgsrc/security/openssl: Makefile PLIST.common distinfo
pkgsrc/security/openssl/patches: patch-aa patch-ac patch-ad patch-af
Log Message:
Update security/openssl to version 0.9.7h. This is a security vulnerability triggered update due to CAN-2005-2969.

Changes from version 0.9.7f include:
o Fix SSL 2.0 Rollback, CAN-2005-2969
o Allow use of fixed-length exponent on DSA signing
o Default fixed-window RSA, DSA, DH private-key operations
o More compilation issues fixed.
o Adaptation to more modern Kerberos API.
o Enhanced or corrected configuration for Solaris64, Mingw and Cygwin.
o Enhanced x86_64 assembler BIGNUM module.
o More constification.
o Added processing of proxy certificates (RFC 3820).
---
Module Name: pkgsrc
Committed By: jlam
Date: Wed Oct 12 02:00:03 UTC 2005
Modified Files:
pkgsrc/security/openssl: builtin.mk
Log Message:
Remove leading "-" from version number when matching the openssl-0.9.6g from the netbsd-1-6 branch with the 20040401 fix.
---
Module Name: pkgsrc
Committed By: jlam
Date: Wed Oct 12 02:20:10 UTC 2005
Modified Files:
pkgsrc/security/openssl: builtin.mk
Log Message:
If the native openssl-0.9.7d contains the security fixes pulled up to the netbsd-2-0, netbsd-2, and netbsd-3-0 branches on 2005-10-11, then for the purposes of satisfying dependencies, pretend it's openssl-0.9.7h.
Update security/openssl to version 0.9.7h. This is a security vulnerability triggered update due to CAN-2005-2969.

Changes from version 0.9.7f include:
o Fix SSL 2.0 Rollback, CAN-2005-2969
o Allow use of fixed-length exponent on DSA signing
o Default fixed-window RSA, DSA, DH private-key operations
o More compilation issues fixed.
o Adaptation to more modern Kerberos API.
o Enhanced or corrected configuration for Solaris64, Mingw and Cygwin.
o Enhanced x86_64 assembler BIGNUM module.
o More constification.
o Added processing of proxy certificates (RFC 3820).
Get rid of USE_PERL5. The new way to express needing the Perl executable around at either build-time or at run-time is:

USE_TOOLS+= perl # build-time
USE_TOOLS+= perl:run # run-time

Also remove some places where perl5/buildlink3.mk was being included by a package Makefile, but all that the package wanted was the Perl executable.
Some shells don't accept empty word lists in for loops. For those Makefiles where this occurs, edit the file so that we avoid running the loop. This should fix PR pkg/28809.
Remove USE_GNU_TOOLS and replace with the correct USE_TOOLS definitions:

USE_GNU_TOOLS -> USE_TOOLS
awk -> gawk
m4 -> gm4
make -> gmake
sed -> gsed
yacc -> bison
Remove USE_BUILDLINK3 and NO_BUILDLINK; these are no longer used.
Update security/openssl to openssl-0.9.7f.

Pkgsrc changes from version 0.9.7e include:
*) Install the man pages with names that are less likely to collide with other packages' man pages.
*) Support PKG_OPTIONS of "idea", "mdc2" and "rc5" to allow building with patented algorithms. By default, this package still builds without patented algorithms.

Major changes from version 0.9.7e include:
*) Prompt for pass phrases when appropriate for PKCS12 input format.
*) Back-port of selected performance improvements from development branch, as well as improved support for PowerPC platforms.
*) Add lots of checks for memory allocation failure, error codes to indicate failure and freeing up memory if a failure occurs.
*) Add new -passin argument to dgst.
*) Make an explicit check during certificate validation to see that the CA setting in each certificate on the chain is correct.
Modify openssl/Makefile so that it's easier to test the -STABLE and -SNAP OpenSSL snapshots.
Bump PKGREVISION to 1 as a result of fixing the run-time behavior of openssl on sparc64 and amd64 in the previous commit.
Alter patches to make them more likely to be accepted back by the OpenSSL project. Also use the sparcv9 MD5 assembly routines on NetBSD/sparc64.
Update security/openssl to 0.9.7e. Changes from openssl-0.9.6m are too numerous to be listed here, but include adding a new DES API (support for the old one is still present).

Changes to the pkgsrc structure include:
* Install the shared libraries with a version number that matches the OpenSSL version number
* Move some of the less often-used c_* utilities back into the examples directory.
* Drop support for using the RSAREF library and always use the built-in RSA code instead.
Update to 0.9.6mnb2: Don't install (deprecated) der_chop example script, since it has insecure temp file handling.
Libtool fix for PR pkg/26633, and other issues. Update libtool to 1.5.10 in the process. (More information on tech-pkg.) Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and installing .la files. Bump PKGREVISION (only) of all packages depending directly on the above via a buildlink3 include.
Change the way that legacy USE_* and FOO_USE_* options are converted into the bsd.options.mk framework. Instead of appending to ${PKG_OPTIONS_VAR}, it appends to PKG_DEFAULT_OPTIONS. This causes the default options to be the union of PKG_DEFAULT_OPTIONS and any old USE_* and FOO_USE_* settings. This fixes PR pkg/26590.
Document the "rsaref" build option.
Convert to use bsd.options.mk. The relevant options variable to set for each package can be determined by invoking:

make show-var VARNAME=PKG_OPTIONS_VAR

The old options are still supported unless the variable named in PKG_OPTIONS_VAR is set within make(1) (usually via /etc/mk.conf).
Consolidate all of the PLIST.* files that duplicated each other into a single file PLIST.shlib. Only have PLIST.${LOWER_OPSYS} if it differs from PLIST.shlib.
We can't use ${PKGBASE} on the left-hand side of an assignment since it's not defined yet until bsd.pkg.mk. Explicitly use "openssl" instead. This correctly forces NetBSD installations of openssl to use /etc/openssl as the configuration file directory as originally intended.
Add some mirror sites since the main OpenSSL site seems to be dead at the moment.
Update to 0.9.6m: Changes between 0.9.6l and 0.9.6m [17 Mar 2004] *) Fix null-pointer assignment in do_change_cipher_spec() revealed by using the Codenomicon TLS Test Tool (CAN-2004-0079) [Joe Orton, Steve Henson]
Don't build and install openssl with IDEA, MDC2, or RC5 support.

According to README, "RSA Security holds software patents on the RC5 algorithm. If you intend to use this cipher, you must contact RSA Security for licensing conditions." And "The IDEA algorithm is patented by Ascom ... They should be contacted if that algorithm is to be used."

The openssl FAQ says "For patent reasons, support for IDEA, RC5 and MDC2 is disabled in this [Red Hat Linux] version." The FAQ lists patent numbers and expiry dates of US patents:

MDC-2: 4,908,861 13/03/2007
IDEA: 5,214,703 25/05/2010
RC5: 5,724,428 03/03/2015

Now fee-based-commercial-use ACCEPTABLE_LICENSES is not needed.
include mk/compiler.mk before testing ${CC}
Don't use sysctl to determine the machine arch when ${MACHINE_ARCH} already has the correct value. Fixes build on NetBSD-1.5.3/sparc, which doesn't understand "sysctl hw.machine_arch", reported in PR 24448.
bl3ify
textproc/glimpse and security/openssl no longer conflict, as openssl no longer installs bin/cast. Noted by Bernhard Riedel.
OpenSSL has not had base64 for a while now, so these two no longer need to conflict. Noted by Bernhard Riedel.
Update to openssl-0.9.6l: *) Fix additional bug revealed by the NISCC test suite: Stop bug triggering large recursion when presented with certain ASN.1 tags (CAN-2003-0851) [Steve Henson]
Update to 0.9.6k: Changes between 0.9.6j and 0.9.6k [30 Sep 2003] *) Fix various bugs revealed by running the NISCC test suite: Stop out of bounds reads in the ASN1 code when presented with invalid tags (CAN-2003-0543 and CAN-2003-0544). If verify callback ignores invalid public key errors don't try to check certificate signature with the NULL public key. [Steve Henson] *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate if the server requested one: as stated in TLS 1.0 and SSL 3.0 specifications. [Steve Henson] *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional extra data after the compression methods not only for TLS 1.0 but also for SSL 3.0 (as required by the specification). [Bodo Moeller; problem pointed out by Matthias Loepfe] *) Change X509_certificate_type() to mark the key as exported/exportable when it's 512 *bits* long, not 512 bytes. [Richard Levitte] Changes between 0.9.6i and 0.9.6j [10 Apr 2003] *) Countermeasure against the Klima-Pokorny-Rosa extension of Bleichbacher's attack on PKCS #1 v1.5 padding: treat a protocol version number mismatch like a decryption error in ssl3_get_client_key_exchange (ssl/s3_srvr.c). [Bodo Moeller] *) Turn on RSA blinding by default in the default implementation to avoid a timing attack. Applications that don't want it can call RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING. They would be ill-advised to do so in most cases. [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller] *) Change RSA blinding code so that it works when the PRNG is not seeded (in this case, the secret RSA exponent is abused as an unpredictable seed -- if it is not unpredictable, there is no point in blinding anyway). 
Make RSA blinding thread-safe by remembering the creator's thread ID in rsa->blinding and having all other threads use local one-time blinding factors (this requires more computation than sharing rsa->blinding, but avoids excessive locking; and if an RSA object is not shared between threads, blinding will still be very fast). [Bodo Moeller]

Changes between 0.9.6h and 0.9.6i [19 Feb 2003]

*) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked via timing by performing a MAC computation even if incorrect block cipher padding has been found. This is a countermeasure against active attacks where the attacker has to distinguish between bad padding and a MAC verification error. (CAN-2003-0078) [Bodo Moeller; problem pointed out by Brice Canvel (EPFL), Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and Martin Vuagnoux (EPFL, Ilion)]

Changes between 0.9.6g and 0.9.6h [5 Dec 2002]

*) New function OPENSSL_cleanse(), which is used to cleanse a section of memory from its contents. This is done with a counter that will place alternating values in each byte. This can be used to solve two issues: 1) the removal of calls to memset() by highly optimizing compilers, and 2) cleansing with other values than 0, since those can be read through on certain media, for example a swap space on disk. [Geoff Thorpe]

*) Bugfix: client side session caching did not work with external caching, because the session->cipher setting was not restored when reloading from the external cache. This problem was masked, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (part of SSL_OP_ALL) was set. (Found by Steve Haslam <steve@araqnid.ddts.net>.) [Lutz Jaenicke]

*) Fix client_certificate (ssl/s2_clnt.c): The permissible total length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33. [Zeev Lieber <zeev-l@yahoo.com>]

*) Undo an undocumented change introduced in 0.9.6e which caused repeated calls to OpenSSL_add_all_ciphers() and OpenSSL_add_all_digests() to be ignored, even after calling EVP_cleanup(). [Richard Levitte]

*) Change the default configuration reader to deal with last line not being properly terminated. [Richard Levitte]

*) Change X509_NAME_cmp() so it applies the special rules on handling DN values that are of type PrintableString, as well as RDNs of type emailAddress where the value has the type ia5String. [stefank@valicert.com via Richard Levitte]

*) Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be the bitwise-OR of the two for use by the majority of applications wanting this behaviour, and update the docs. The documented behaviour and actual behaviour were inconsistent and had been changing anyway, so this is more a bug-fix than a behavioural change. [Geoff Thorpe, diagnosed by Nadav Har'El]

*) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes). [Bodo Moeller]

*) Fix initialization code race conditions in SSLv23_method(), SSLv23_client_method(), SSLv23_server_method(), SSLv2_method(), SSLv2_client_method(), SSLv2_server_method(), SSLv3_method(), SSLv3_client_method(), SSLv3_server_method(), TLSv1_method(), TLSv1_client_method(), TLSv1_server_method(), ssl2_get_cipher_by_char(), ssl3_get_cipher_by_char(). [Patrick McCormick <patrick@tellme.com>, Bodo Moeller]

*) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after the cached sessions are flushed, as the remove_cb() might use ex_data contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com> (see [openssl.org #212]). [Geoff Thorpe, Lutz Jaenicke]

*) Fix typo in OBJ_txt2obj which incorrectly passed the content length, instead of the encoding length to d2i_ASN1_OBJECT. [Steve Henson]
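The OPENSSL_cleanse() item above is worth seeing in code. What follows is an added example (my own, not OpenSSL's source and not part of the pkgsrc patch) of a wipe routine built on the idea the entry describes: a running counter supplies a different value for every byte, so the result is neither the constant pattern a compiler can fold away nor the run of zeros that swap or similar media may let an attacker read back; the stores additionally go through a volatile pointer so the compiler cannot drop them. naive_wipe() beside it is the memset() pattern the entry says optimizing compilers remove. The 16-byte sample key and all function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Running counter shared by all calls, as in the 0.9.6h design: the value
 * stored into each byte depends on it, so a wiped region is neither a
 * constant pattern (which a compiler could fold or elide) nor a run of
 * zeros (which media such as swap may let an attacker read through).
 * Example code, not OpenSSL's own OPENSSL_cleanse(). */
static unsigned char cleanse_ctr = 0;

/* Overwrite len bytes at ptr with counter-derived values. The stores go
 * through a volatile pointer, so the compiler must emit every one of them
 * even though the caller never reads the buffer again. */
void secure_cleanse(void *ptr, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)ptr;
    size_t i;

    for (i = 0; i < len; i++) {
        p[i] = cleanse_ctr;
        /* Odd step mixed with the low address bits: neighbouring bytes and
         * successive calls receive different values. */
        cleanse_ctr += (unsigned char)(17 + ((uintptr_t)(p + i) & 0xF));
    }
    /* If the counter's final value still occurs in the buffer, perturb it
     * so the next wipe starts from a different point in the sequence. */
    if (len > 0 && memchr(ptr, cleanse_ctr, len) != NULL)
        cleanse_ctr += 63;
}

/* The defect being fixed: once 'key' is dead, this memset() has no effect
 * observable by a conforming program, so an optimizing compiler may delete
 * it entirely (dead-store elimination). Shown for contrast only. */
void naive_wipe(unsigned char *key, size_t len)
{
    memset(key, 0, len);
}

/* Number of bytes in buf that still equal the original secret. */
size_t bytes_surviving(const unsigned char *buf, const unsigned char *orig,
                       size_t len)
{
    size_t n = 0, i;
    for (i = 0; i < len; i++)
        if (buf[i] == orig[i])
            n++;
    return n;
}

/* Number of zero bytes in buf. */
size_t bytes_zero(const unsigned char *buf, size_t len)
{
    size_t n = 0, i;
    for (i = 0; i < len; i++)
        if (buf[i] == 0)
            n++;
    return n;
}

/* Constructed 16-byte sample key used by the demo below. */
static const unsigned char sample_key[16] = {
    'h', 'u', 'n', 't', 'e', 'r', '2', '-',
    's', 'e', 's', 's', 'i', 'o', 'n', '!'
};

/* Wipe a copy of the sample key; report how many original bytes survive
 * (*surviving) and how many bytes ended up zero (*zeros). Returns 0. */
int demo_cleanse(size_t *surviving, size_t *zeros)
{
    unsigned char key[16];

    memcpy(key, sample_key, sizeof key);
    secure_cleanse(key, sizeof key);
    *surviving = bytes_surviving(key, sample_key, sizeof key);
    *zeros = bytes_zero(key, sizeof key);
    return 0;
}

int main(void)
{
    size_t surviving, zeros;

    demo_cleanse(&surviving, &zeros);
    printf("bytes of the original key left: %zu, zero bytes: %zu\n",
           surviving, zeros);
    return 0;
}
```

Because consecutive stores differ by at least 17, neither the original key (whose neighbouring bytes differ by less) nor an all-zero pattern can survive a wipe; the volatile access is what modern code relies on where memset_s() or explicit_bzero() is unavailable.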
style nits
Use the built-in HAS_CONFIGURE and TEST_TARGET infrastructure to do the configure and test phases.
Honor CFLAGS/LDFLAGS from the environment.
Back out the make -> @MAKE@ -> ${MAKE} changes since we workaround the bare "make" problem using tools.mk.
Several of the Makefiles used in this package call 'make' directly. If an operating system does not have a 'make' (ie only bmake), or if the OS supplied 'make' is sufficiently broken (Irix), this will cause the build to fail (interestingly enough apparently only if built as a dependency, not if built from this directory). Patch Makefiles to use @MAKE@, which then, after patching, is substituted with the actual ${MAKE} (can't use "MAKE= ${MAKE} -f Makefile.ssl"). While here, tweak Irix configure a bit.
Re-import security/ruby-openssl 0.1.4.1.
s/netbsd.org/NetBSD.org/
don't define test target directly, use do-test instead
style nits, join two .if's.
more brutally attack the CONFIGURE_ARGS target issue on Solaris. force gcc if *gcc* - Sun's compiler is never going to be installed into a path with 'gcc' in it(!)
Make this work on IRIX64.
Rename PLIST.irix6 to PLIST.irix to match the others and set the PLIST_SRC accordingly after we recently set LOWER_OPSYS on IRIX to what most applications seem to expect (ie irix6.5 rather than irix6).
Use tech-pkg@ in favor of packages@ as MAINTAINER for orphaned packages. Should anybody feel like they could be the maintainer for any of these packages, please adjust.
Remove a paragraph with the following comment: # This hack goes away, once we formally de-support NetBSD-1.4.x. We did that half a year ago.
* Add patch from http://www.openssl.org/news/secadv_20030317.txt: Researchers have discovered a timing attack on RSA keys, to which OpenSSL is generally vulnerable, unless RSA blinding has been turned on. Typically, it will not have been, because it is not easily possible to do so when using OpenSSL to provide SSL or TLS. The enclosed patch switches blinding on by default. Applications that wish to can remove the blinding with RSA_blinding_off(), but this is not generally advised. It is also possible to disable it completely by defining OPENSSL_NO_FORCE_RSA_BLINDING at compile-time. The performance impact of blinding appears to be small (a few percent). This problem affects many applications using OpenSSL, in particular, almost all SSL-enabled Apaches. You should rebuild and reinstall OpenSSL, and all affected applications. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0147 to this issue.
* Add patch from http://www.openssl.org/news/secadv_20030319.txt: Czech cryptologists Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa have come up with an extension of the "Bleichenbacher attack" on RSA with PKCS #1 v1.5 padding as used in SSL 3.0 and TLS 1.0. Their attack requires the attacker to open millions of SSL/TLS connections to the server under attack; the server's behaviour when faced with specially made-up RSA ciphertexts can reveal information that in effect allows the attacker to perform a single RSA private key operation on a ciphertext of its choice using the server's RSA key. Note that the server's RSA key is not compromised in this attack.
* Bump PKGREVISION.
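The blinding that secadv_20030317 switches on by default is a small piece of algebra. The block below is an added example (mine, not OpenSSL's BIGNUM-based implementation) using a toy 40-bit modulus so it runs on plain C integers: instead of computing c^d mod n directly on the attacker-chosen ciphertext c, the private operation works on c * r^e mod n for a secret random r and multiplies the result by r^-1 mod n afterwards, so the exponentiation's timing depends on a value the attacker neither knows nor controls. The key values, function names and the choice of r are constructed; unsigned __int128 is a GCC/Clang extension; real code draws r from a CSPRNG on every call and uses key sizes far beyond what fits in uint64_t.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy RSA key: two 20-bit primes, so the modulus fits in uint64_t and
 * products in unsigned __int128 (GCC/Clang). Real keys use BN_* bignums;
 * only the algebra of the blinding step is the point here. */
typedef struct { uint64_t n, e, d; } rsa_key;

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    return (uint64_t)(((unsigned __int128)a * b) % m);
}

/* Square-and-multiply: the operation whose timing the attack observes. */
static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m)
{
    uint64_t r = 1;
    base %= m;
    while (exp) {
        if (exp & 1) r = mulmod(r, base, m);
        base = mulmod(base, base, m);
        exp >>= 1;
    }
    return r;
}

/* Modular inverse by the extended Euclidean algorithm; 0 if none exists. */
static uint64_t modinv(uint64_t a, uint64_t m)
{
    int64_t t = 0, newt = 1, r = (int64_t)m, newr = (int64_t)(a % m), q, tmp;
    while (newr != 0) {
        q = r / newr;
        tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    if (r != 1) return 0;
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

rsa_key toy_keygen(void)
{
    const uint64_t p = 1000003, q = 1000033;         /* both prime */
    rsa_key k;
    k.n = p * q;
    k.e = 65537;
    k.d = modinv(k.e, (p - 1) * (q - 1));
    return k;
}

uint64_t rsa_encrypt(const rsa_key *k, uint64_t m) { return powmod(m, k->e, k->n); }

/* Unblinded private operation: the modexp runs directly on the
 * attacker-chosen c, so its running time is a function of c and d.
 * That dependency is what the CAN-2003-0147 timing attack exploits. */
uint64_t rsa_decrypt_plain(const rsa_key *k, uint64_t c)
{
    return powmod(c, k->d, k->n);
}

/* Blinded private operation, the effect of RSA_blinding_on(): randomise
 * the input with r^e, exponentiate, then strip r again. The modexp now
 * sees c * r^e mod n, which for a secret random r is independent of c.
 * Returns 0 on success, -1 if r is not invertible mod n. Real code draws
 * r from a CSPRNG for every call (or per thread, as in the thread-safety
 * change to rsa->blinding); the r used here is constructed. */
int rsa_decrypt_blinded(const rsa_key *k, uint64_t c, uint64_t r, uint64_t *m)
{
    uint64_t rinv = modinv(r % k->n, k->n), blinded, mr;
    if (rinv == 0) return -1;
    blinded = mulmod(c, powmod(r, k->e, k->n), k->n);   /* c * r^e       */
    mr = powmod(blinded, k->d, k->n);                    /* m * r         */
    *m = mulmod(mr, rinv, k->n);                         /* m * r * r^-1  */
    return 0;
}

int main(void)
{
    rsa_key k = toy_keygen();
    uint64_t c = rsa_encrypt(&k, 123456789), m = 0;
    rsa_decrypt_blinded(&k, c, 987654321, &m);           /* constructed r */
    printf("plain: %llu  blinded: %llu\n",
           (unsigned long long)rsa_decrypt_plain(&k, c), (unsigned long long)m);
    return 0;
}
```

Both paths return the same plaintext; the difference is only in what the long exponentiation sees. Checking that r is invertible matters in practice too: a non-invertible r would make the unblinding step silently wrong.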
Add patch from http://www.openssl.org/news/secadv_20030219.txt: In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked via timing by performing a MAC computation even if incorrect block cipher padding has been found. This is a countermeasure against active attacks where the attacker has to distinguish between bad padding and a MAC verification error. (CAN-2003-0078) Bump PKGREVISION.
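The countermeasure this patch describes (the same 0.9.6i change quoted in the CHANGES excerpt further up) can be shown on a small model of SSL/TLS CBC record checking. This is an added example and not OpenSSL's code: a 4-byte FNV-based tag stands in for HMAC, an 8-byte block for the cipher, and the function names, the key "toy-mac-key" and the plaintext are constructed. check_record_leaky() returns before doing any MAC work when the padding is wrong, which is the timing difference an active attacker measures to tell bad padding from a bad MAC; check_record_hardened() computes the MAC regardless and collapses both failures into one error, which is the shape of the fix. run_scenario() reports how many MAC computations each checker performed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TAG_LEN   4   /* toy tag; real SSL/TLS MACs are 16 or 20 bytes */
#define BLOCK_LEN 8   /* toy CBC block size */
enum { REC_OK = 0, REC_BAD = 1 };

/* MAC computations performed: the time they stand for is what the attack
 * measures across the network. */
static size_t mac_calls = 0;

/* Toy keyed tag (FNV-1a over key||data), standing in for HMAC. NOT a MAC. */
static void toy_mac(const unsigned char *key, size_t klen,
                    const unsigned char *data, size_t dlen, unsigned char *out)
{
    uint32_t h = 2166136261u;
    size_t i;
    for (i = 0; i < klen; i++) h = (h ^ key[i]) * 16777619u;
    for (i = 0; i < dlen; i++) h = (h ^ data[i]) * 16777619u;
    for (i = 0; i < TAG_LEN; i++) out[i] = (unsigned char)(h >> (24 - 8 * i));
    mac_calls++;
}

/* Constant-time tag comparison: no early exit on the first differing byte. */
static int tag_equal(const unsigned char *a, const unsigned char *b)
{
    unsigned char diff = 0;
    size_t i;
    for (i = 0; i < TAG_LEN; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* TLS 1.0 padding: last byte is padlen, the padlen bytes before it equal
 * padlen. Returns bytes to strip (padlen+1), or -1 if invalid. */
static int check_padding(const unsigned char *rec, size_t len)
{
    size_t padlen, i;
    if (len == 0) return -1;
    padlen = rec[len - 1];
    if (padlen + 1 > len) return -1;
    for (i = 0; i < padlen; i++)
        if (rec[len - 2 - i] != padlen) return -1;
    return (int)(padlen + 1);
}

/* Pre-fix logic: bad padding is rejected before any MAC work, so that
 * failure returns measurably faster than a MAC failure. */
int check_record_leaky(const unsigned char *key, size_t klen,
                       const unsigned char *rec, size_t len)
{
    unsigned char tag[TAG_LEN];
    int strip = check_padding(rec, len);
    size_t dlen;
    if (strip < 0 || len - (size_t)strip < TAG_LEN) return REC_BAD;
    dlen = len - (size_t)strip - TAG_LEN;
    toy_mac(key, klen, rec, dlen, tag);
    return tag_equal(tag, rec + dlen) ? REC_OK : REC_BAD;
}

/* Post-fix logic (the idea of the 0.9.6i change): compute the MAC whether
 * or not the padding was valid and return one error for either failure,
 * so both paths take about the same time. */
int check_record_hardened(const unsigned char *key, size_t klen,
                          const unsigned char *rec, size_t len)
{
    unsigned char tag[TAG_LEN];
    int strip = check_padding(rec, len), bad = 0;
    size_t dlen;
    if (strip < 0 || len - (size_t)strip < TAG_LEN) {
        bad = 1;                                  /* remember, but go on */
        dlen = (len >= TAG_LEN) ? len - TAG_LEN : 0;
    } else {
        dlen = len - (size_t)strip - TAG_LEN;
    }
    toy_mac(key, klen, rec, dlen, tag);           /* always computed */
    if (len < TAG_LEN || !tag_equal(tag, rec + dlen)) bad = 1;
    return bad ? REC_BAD : REC_OK;
}

/* Build data||tag||padding for a BLOCK_LEN cipher; returns record length. */
size_t build_record(const unsigned char *key, size_t klen,
                    const unsigned char *data, size_t dlen, unsigned char *out)
{
    size_t body = dlen + TAG_LEN, i;
    size_t padlen = (BLOCK_LEN - (body + 1) % BLOCK_LEN) % BLOCK_LEN;
    memcpy(out, data, dlen);
    toy_mac(key, klen, data, dlen, out + dlen);
    for (i = 0; i <= padlen; i++) out[body + i] = (unsigned char)padlen;
    return body + padlen + 1;
}

/* Constructed sample: key "toy-mac-key", plaintext "GET / HTTP/1.0".
 * Optionally corrupts the padding byte or the first data byte, runs the
 * chosen checker, and reports how many MACs it computed. */
int run_scenario(int corrupt_padding, int corrupt_data, int hardened,
                 size_t *calls)
{
    const unsigned char key[] = "toy-mac-key", data[] = "GET / HTTP/1.0";
    unsigned char rec[64];
    size_t len = build_record(key, sizeof key - 1, data, sizeof data - 1, rec);
    int r;
    if (corrupt_padding) rec[len - 1] ^= 0xFF;
    if (corrupt_data) rec[0] ^= 0x01;
    mac_calls = 0;
    r = hardened ? check_record_hardened(key, sizeof key - 1, rec, len)
                 : check_record_leaky(key, sizeof key - 1, rec, len);
    *calls = mac_calls;
    return r;
}
```

With the padding byte corrupted, the leaky checker reports a failure after zero MAC computations while the hardened one performs exactly one, the same as for a record with valid padding and a bad MAC. The real fix in ssl3_get_record has to take care that the MAC is computed over a plausible length in the bad-padding case too; the model above pretends the padding is absent for that purpose.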
Instead of including bsd.pkg.install.mk directly in a package Makefile, have it be automatically included by bsd.pkg.mk if USE_PKGINSTALL is set to "YES". This enforces the requirement that bsd.pkg.install.mk be included at the end of a package Makefile. Idea suggested by Julio M. Merino Vidal <jmmv at menta.net>.
strip leading path from $CC so we don't try to run Configure with args eg. 'solaris-sparcv7-/usr/pkg/bin/gcc' :-)
Replace IGNORE with PKG_FAIL_REASON or PKG_SKIP_REASON as appropriate.
Explicitly specify the path to Perl5 executable for configure script. Reported by Jonathan Perkin in PR19205.
Use buildlink2 and pass an extra flag to the configure script so that if RSAref is used, then the library may be found.
Merge changes in packages from the buildlink2 branch that have buildlink2.mk files back into the main trunk.
Merge changes from pkgsrc-current into the buildlink2 branch for the packages that have buildlink2.mk files.
Pullup revisions 1.58 and 1.59 to the 1.6 pkgsrc branch. Requested by Thomas Klausner.
> Date: Mon, 19 Aug 2002 18:17:57 +0300 (EEST)
> From: Thomas Klausner <wiz@netbsd.org>
>
> Module Name: pkgsrc
> Committed By: wiz
> Date: Mon Aug 19 15:17:56 UTC 2002
>
> Modified Files:
> pkgsrc/security/openssl: Makefile
>
> Log Message:
> Compile no-shared on 1.4.x. This makes the package install and work for me
> on 1.4.2/i386. Approved by agc.
> Date: Mon, 19 Aug 2002 19:00:07 +0300 (EEST)
> From: Thomas Klausner <wiz@netbsd.org>
>
> Module Name: pkgsrc
> Committed By: wiz
> Date: Mon Aug 19 16:00:07 UTC 2002
>
> Modified Files:
> pkgsrc/security/openssl: Makefile
>
> Log Message:
> Fix a comment, and improve pattern to also work on netbsd-1-4.
Fix a comment, and improve pattern to also work on netbsd-1-4.
Compile no-shared on 1.4.x. This makes the package install and work for me on 1.4.2/i386. Approved by agc.
Revert Makefile,v.1.56, as the NetBSD patches were causing intractable problems for Solaris. Instead, handle patch for NetBSD-1.4.2 specially.
It just occurred to me that the ${PATCHDIR} patches developed against the NetBSD-patched codebase won't apply cleanly (or at all) without the NetBSD patch. Therefore, remove the `.if ${OS}' condition for applying the patch, so Solaris and Darwin start with the same codebase. Fix as needed.
Update to 0.9.6g. The most significant change is this proof against a stunning DoS vulnerability, fixed in 0.9.6f: *) Use proper error handling instead of 'assertions' in buffer overflow checks added in 0.9.6e. This prevents DoS (the assertions could call abort()). [Arne Ansper <arne@ats.cyber.ee>, Bodo Moeller] Regenerate the netbsd patch. This is now a clean diff against the vendor tag, with version-number-only changes elided. Partially revert "crypto/dist/openssl/crypto/rand/randfile.c", version 1.4 (via additional pkgsrc patch), to give this a shot to compile on NetBSD-1.4.2 and earlier, which had no strlcpy() or strlcat(). Assemble the shared library without "-Bsymbolic", mainly to give this a shot at linking on NetBSD-a.out (untested).
* Change the perl paths in the various build scripts to ${PERL5} and not ${LOCALBASE}/bin/perl.
* Refer to the make program used to drive the build and installation as "${MAKE_PROGRAM}".
* Instead of explicitly setting PKG_SYSCONFBASE=/etc, use the pkg-specific override PKG_SYSCONFDIR.openssl, and optionally set it so that the user still has the option of overriding its value.
* Use bsd.pkg.install.mk to install the default config file (openssl.cnf) and to create and remove the extra config directories. This lets us remove the extra lines in PLIST that do the same thing.
Update openssl to 0.9.6e. This update fixes multiple vulnerabilities, and also changes the ABI of "libcrypto" and "libssl". (So the shared library majors and buildlink requirements are bumped, too.) The code base is now synced perfectly with NetBSD HEAD and netbsd-1-6 branches as of 2002-08-04, the optimization levels are reduced to "-O2", but I've retained some of the processor optimization flags and different code path #defines in the "Configure" script, just to keep things interesting. The default "certs" directory on NetBSD is now "/etc/openssl/certs", to give continuity to those who find themselves using the package system's "openssl" after upgrading a package that formerly used the base system's. [Suggested by itojun.] The best way to avoid such problems, however, is to upgrade your base system *first*. I'm making use of the new and improved build system as much as possible. This gives us a cleaner way to make shared libraries and real man pages, but loses many of the symlinks to the openssl binary. I've culled items from the "CHANGES" file that appear to have security implications or are particularly interesting for NetBSD users, below. My comments are marked off with '===>'.

===> This is from the netbsd-20020804-patch

*) Fix ASN1 checks. Check for overflow by comparing with LONG_MAX and fix the header length calculation. [Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>, Alon Kantor <alonk@checkpoint.com> (and others), Steve Henson]

Changes between 0.9.6d and 0.9.6e [30 Jul 2002]

*) New option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure that was added in OpenSSL 0.9.6d. As the countermeasure turned out to be incompatible with some broken SSL implementations, the new option is part of SSL_OP_ALL. SSL_OP_ALL is usually employed when compatibility with weird SSL implementations is desired (e.g. '-bugs' option to 's_client' and 's_server'), so the new option is automatically set in many applications. [Bodo Moeller]

*) Changes in security patch: Changes marked "(CHATS)" were sponsored by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F30602-01-2-0537.

*) Add various sanity checks to asn1_get_length() to reject the ASN1 length bytes if they exceed sizeof(long), will appear negative or the content length exceeds the length of the supplied buffer. [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]

*) Assertions for various potential buffer overflows, not known to happen in practice. [Ben Laurie (CHATS)]

*) Various temporary buffers to hold ASCII versions of integers were too small for 64 bit platforms. (CAN-2002-0655) [Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)]

*) Remote buffer overflow in SSL3 protocol - an attacker could supply an oversized session ID to a client. (CAN-2002-0656) [Ben Laurie (CHATS)]

*) Remote buffer overflow in SSL2 protocol - an attacker could supply an oversized client master key. (CAN-2002-0656) [Ben Laurie (CHATS)]

Changes between 0.9.6c and 0.9.6d [9 May 2002]

*) Implement a countermeasure against a vulnerability recently found in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment before application data chunks to avoid the use of known IVs with data potentially chosen by the attacker. [Bodo Moeller]

Changes between 0.9.6a and 0.9.6b [9 Jul 2001]

*) Change ssleay_rand_bytes (crypto/rand/md_rand.c) to avoid a SSLeay/OpenSSL PRNG weakness pointed out by Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>: PRNG state recovery was possible based on the output of one PRNG request appropriately sized to gain knowledge on 'md' followed by enough consecutive 1-byte PRNG requests to traverse all of 'state'. 1. When updating 'md_local' (the current thread's copy of 'md') during PRNG output generation, hash all of the previous 'md_local' value, not just the half used for PRNG output. 2. Make the number of bytes from 'state' included into the hash independent from the number of PRNG bytes requested. The first measure alone would be sufficient to avoid Markku-Juhani's attack. (Actually it had never occurred to me that the half of 'md_local' used for chaining was the half from which PRNG output bytes were taken -- I had always assumed that the secret half would be used.) The second measure makes sure that additional data from 'state' is never mixed into 'md_local' in small portions; this heuristically further strengthens the PRNG. [Bodo Moeller]

*) The countermeasure against Bleichenbacher's attack on PKCS #1 v1.5 RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5 when fixing the server behaviour for backwards-compatible 'client hello' messages. (Note that the attack is impractical against SSL 3.0 and TLS 1.0 anyway because length and version checking means that the probability of guessing a valid ciphertext is around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98 paper.) Before 0.9.5, the countermeasure (hide the error by generating a random 'decryption result') did not work properly because ERR_clear_error() was missing, meaning that SSL_get_error() would detect the supposedly ignored error. Both problems are now fixed. [Bodo Moeller]

Changes between 0.9.6 and 0.9.6a [5 Apr 2001]

===> This is our ABI change.

*) Rename 'des_encrypt' to 'des_encrypt1'. This avoids the clashes with des_encrypt() defined on some operating systems, like Solaris and UnixWare. [Richard Levitte]

*) Don't use getenv in library functions when run as setuid/setgid. New function OPENSSL_issetugid(). [Ulf Moeller]

*) Store verify_result within SSL_SESSION also for client side to avoid potential security hole. (Re-used sessions on the client side always resulted in verify_result==X509_V_OK, not using the original result of the server certificate verification.) [Lutz Jaenicke]

===> package doesn't do this. We'll bump major versions
===> as necessary.

*) Make sure that shared libraries get the internal name engine with the full version number and not just 0. This should mark the shared libraries as not backward compatible. Of course, this should be changed again when we can guarantee backward binary compatibility. [Richard Levitte]

*) Rework the system to generate shared libraries:
- Make note of the expected extension for the shared libraries and if there is a need for symbolic links from for example libcrypto.so.0 to libcrypto.so.0.9.7. There is extended info in Configure for that.
- Make as few rebuilds of the shared libraries as possible.
- Still avoid linking the OpenSSL programs with the shared libraries.
- When installing, install the shared libraries separately from the static ones.
Build on Darwin using patches from Apple's Darwin source repository, via Fink.
Change explicit build dependencies on perl into "USE_PERL5=build". This makes these packages build correctly on Darwin where perl>=5.8.0 is required.
Merge from pkgsrc-current to buildlink2 branch.
G/c references to ftp.uni-trier.de.
Get rid of manually adding "nbX" to PKGNAME when a pkg was changed in pkgsrc. Instead, a new variable PKGREVISION is invented that can get bumped independent of DISTNAME and PKGNAME.
Example #1:
DISTNAME= foo-X.Y
PKGREVISION= Z
=> PKGNAME= foo-X.YnbZ
Example #2:
DISTNAME= barthing-X.Y
PKGNAME= bar-X.Y
PKGREVISION= Z
=> PKGNAME= bar-X.YnbZ (!)
On subsequent changes, only PKGREVISION needs to be bumped, no more risk of getting DISTNAME changed accidentally.
SVR4 packages have a limit of 9 chars for a package name. The automatic truncation in gensolpkg doesn't work for packages which have the same package name for the first 5-6 chars. e.g. amanda-server and amanda-client would be named amanda and amanda. Now, we add a SVR4_PKGNAME and use amacl for amanda-client and amase for amanda-server. All svr4 packages also have a vendor tag, so we have to reserve some chars for this tag, which is normally 3 or 4 chars. That's why we can only use 6 or 5 chars for SVR4_PKGNAME. I used 5 for all the packages, to give the vendor tag enough room. All p5-* packages and a few other packages now have a SVR4_PKGNAME.
Add conflict between "glimpse" and "openssl" package. They both install "bin/cast" in "${LOCALBASE}".
Mechanical changes to 375 files to change dependency patterns of the form foo-* to foo-[0-9]*. This is to cause the dependencies to match only the packages whose base package name is "foo", and not those named "foo-bar". A concrete example is p5-Net-* matching p5-Net-DNS as well as p5-Net. Also change dependency examples in Packages.txt to reflect this.
Super bump the major numbers for libssl and libcrypto so that they don't conflict with the -current versions.
Record libssl dependency on libcrypt. This allows a mixture of 1.5.x openssl (version<0.9.5) and security/openssl (version>=0.9.6) to actually work.
Pull in security fix from basesrc by itojun. Commit message was: fix PRNG weakness. the workaround presented on bugtraq posting. Update to 0.9.6nb1.
Add support for "SPARC_TARGET_ARCH".
We also work under Linux
Move NetBSD only patches to a distribution patch file to avoid ugly conditional patch hack.
Change build dependency from perl-5.* to perl>=${PERL5_REQD}. Also change dependency from libperl-5.* to libperl>=${PERL5_REQD}.
clarify comment on LICENSE line.
- Install new include files so that this package can be used to build applications again.
- Fix patch sum for Solaris.
Update to OpenSSL 0.9.6. Update contributed by Dave Burgess, in PR pkg/12569.
Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6:
o Some documentation for BIO and SSL libraries.
o Enhanced chain verification using key identifiers.
o New sign and verify options to 'dgst' application.
o Support for DER and PEM encoded messages in 'smime' application.
o New 'rsautl' application, low level RSA utility. [*]
o MD4 now included.
o Bugfix for SSL rollback padding check.
o Support for external crypto devices [1].
o Enhanced EVP interface.
[1] The support for external crypto devices is currently a separate distribution. See the file README.ENGINE.
[*] Not installed with the package.
Make an explicit BUILD_DEPENDS on perl5, rather than the run-time DEPENDS that USE_PERL implies, as the core functionality of this package does not depend on perl. The user can always install perl later, to format the "pod" docs or to run the installed scripts.
Standardize patch file names.
- Supply the customary symlinks for NetBSD/ELF.
- Make the "test" target work.
- Allow the user to set USE_RSAREF2. (It works!) Not sure why you'd ever want to...
Revert rev. 1.30 which didn't do anything with MKDIR but rather bumped the version accidentally.
security/openssl and converters/base64 both install a 'base64' executable, so make them CONFLICT (pkg/11408).
Cleanup MKDIR usage => INSTALL_*_DIR XXX need to teach pkglint to be more picky about this
Work around Solaris' braindead "ln -f" (which just does not do anything)
Update to new COMMENT style: COMMENT var in Makefile instead of pkg/COMMENT.
Should make this buildable on Solaris, too. Untested for lack of Solaris.
Pass "${CC}" to configure script.
Enable on alpha again; according to itojun, the referenced PR doesn't apply to the package.
Openssl no longer conflicts with kth-krb4.
add LICENCE=fee-based-commercial-use, for use of IDEA/RC5 logic. (per discussion on packages@netbsd.org)
openssl is broken on alpha, and openssh hangs in configure when checking for openssl libs. Disable both, and reference PR to fix it. XXX should be changed for USE_SSL.
Reorganize crypto handling, as discussed on tech-pkg. Remove all RESTRICTED= variables that were predicated on former U.S. export regulations. Add CRYPTO=, as necessary, so it's still possible to exclude all crypto packages from a build by setting MKCRYPTO=no (but "lintpkgsrc -R" will no longer catch them). Specifically,
- All packages which set USE_SSL just lose their RESTRICTED variable, since MKCRYPTO responds to USE_SSL directly.
- realplayer7 and ns-flash keep their RESTRICTED, which is based on license terms, but also gain the CRYPTO variable.
- srp-client is now marked broken, since the distfile is evidently no longer available. On this, we're no worse off than before. [We haven't been mirroring the distfile, or testing the build!]
- isakmpd gets CRYPTO for RESTRICTED, but remains broken.
- crack loses all restrictions, as it does not evidently empower a user to utilize strong encryption (working definition: ability to encode a message that requires a secret key plus big number arithmetic to decode).
Added a CONFLICT with kth-krb4. Both pkgs install a `des' binary in the same place, $PREFIX/bin/des.
Use new PERL5 variable instead of ${LOCALBASE}/bin/perl.
Update IGNORE-messages for recent changes: add ${PKGNAME} where appropriate.
Replace MIRROR_DISTFILES and NO_CDROM with the more descriptive and more fine-grained NO_{BIN,SRC}_ON_{FTP,CDROM} definitions. MIRROR_DISTFILES and NO_CDROM are now dead.
Add german mirror to master site list.
Fix last commit.
Support to build it on Solaris. It would be easier to make that change if we support patches for one OPSYS but someone removed that from our tree.
upgrade to 0.9.5a
Install the static libs, now that they're built anyway, and run "ranlib", if it exists. Minor fix-up to PLIST. Closes PR pkg/8897.
Update depends to rsaref 2.0p3
Install the RSAglue library if USERSAREF2 if set to YES.
Update openssl to 0.9.4.
Fix typo in "mipsel".
Don't use "{}" or "[]" in "ONLY_FOR_PLATFORM" or "NOT_FOR_PLATFORM" because "bsd.pkg.mk" can't handle those patterns. Fixes PR pkg/7808 by Chris Demetriou.
Let's get this right this time. It's 0.9.2b, not 0.9.2c. I'll get this to 0.9.3 after the weekend.
This is actually OpenSSL 0.9.2c. Revert part of previous.
Update rsaref dependency to "2.0p2"; still pending update to OpenSSL 0.9.3.
Change {ONLY,NOT}_FOR_{ARCH,OPSYS} format to {ONLY,NOT}_FOR_PLATFORM pattern match format. Minor pkglint along the way.
Update rsaref dependency to 2.0p1. OpenSSL 0.9.3 is still beta... will fix shlib problems when 0.9.3 is out.
Import OpenSSL 0.9.2b pkg, a package which finally updates and fixes many deficiencies in SSLeay. Intended to be a drop-in replacement for SSLeay (and still provides the command-prompt interface as "ssleay").
Initial revision