File: [cvs.NetBSD.org] / pkgsrc / security / openssl / Makefile

Revision 1.230, Thu Jan 26 16:31:57 2017 UTC (7 years, 2 months ago) by jperkin
Branch: MAIN
CVS Tags: pkgsrc-2017Q2-base, pkgsrc-2017Q2, pkgsrc-2017Q1-base, pkgsrc-2017Q1
Changes since 1.229: +2 -3 lines

Update security/openssl to 1.0.2k.

Changes between 1.0.2j and 1.0.2k [26 Jan 2017]

  *) Truncated packet could crash via OOB read

     If one side of an SSL/TLS path is running on a 32-bit host and a specific
     cipher is being used, then a truncated packet can cause that host to
     perform an out-of-bounds read, usually resulting in a crash.

     This issue was reported to OpenSSL by Robert Święcki of Google.
     (CVE-2017-3731)
     [Andy Polyakov]

  *) BN_mod_exp may produce incorrect results on x86_64

     There is a carry propagating bug in the x86_64 Montgomery squaring
     procedure. No EC algorithms are affected. Analysis suggests that attacks
     against RSA and DSA as a result of this defect would be very difficult to
     perform and are not believed likely. Attacks against DH are considered just
     feasible (although very difficult) because most of the work necessary to
     deduce information about a private key may be performed offline. The amount
     of resources required for such an attack would be very significant and
     likely only accessible to a limited number of attackers. An attacker would
     additionally need online access to an unpatched system using the target
     private key in a scenario with persistent DH parameters and a private
     key that is shared between multiple clients. For example this can occur by
     default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
     similar to CVE-2015-3193 but must be treated as a separate problem.

     This issue was reported to OpenSSL by the OSS-Fuzz project.
     (CVE-2017-3732)
     [Andy Polyakov]

  *) Montgomery multiplication may produce incorrect results

     There is a carry propagating bug in the Broadwell-specific Montgomery
     multiplication procedure that handles input lengths divisible by, but
     longer than 256 bits. Analysis suggests that attacks against RSA, DSA
     and DH private keys are impossible. This is because the subroutine in
     question is not used in operations with the private key itself and an input
     of the attacker's direct choice. Otherwise the bug can manifest itself as
     transient authentication and key negotiation failures or reproducible
     erroneous outcome of public-key operations with specially crafted input.
     Among EC algorithms only Brainpool P-512 curves are affected and one
     presumably can attack ECDH key negotiation. Impact was not analyzed in
     detail, because pre-requisites for attack are considered unlikely. Namely
     multiple clients have to choose the curve in question and the server has to
     share the private key among them, neither of which is default behaviour.
     Even then only clients that chose the curve will be affected.

     This issue was publicly reported as transient failures and was not
     initially recognized as a security issue. Thanks to Richard Morgan for
     providing a reproducible case.
     (CVE-2016-7055)
     [Andy Polyakov]

  *) OpenSSL now fails if it receives an unrecognised record type in TLS1.0
     or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
     prevent issues where no progress is being made and the peer continually
     sends unrecognised record types, using up resources processing them.
     [Matt Caswell]

# $NetBSD: Makefile,v 1.230 2017/01/26 16:31:57 jperkin Exp $

DISTNAME=	openssl-1.0.2k
CATEGORIES=	security
MASTER_SITES=	https://www.openssl.org/source/

MAINTAINER=	pkgsrc-users@NetBSD.org
HOMEPAGE=	https://www.openssl.org/
COMMENT=	Secure Socket Layer and cryptographic library
LICENSE=	openssl

CONFLICTS=	SSLeay-[0-9]* ssleay-[0-9]*

CRYPTO=		yes

BUILD_DEPENDS+=	p5-Perl4-CoreLibs-[0-9]*:../../devel/p5-Perl4-CoreLibs

USE_GCC_RUNTIME=	yes

USE_TOOLS+=		fgrep gmake makedepend perl:run
BUILD_TARGET=		depend all
TEST_TARGET=		tests
MAKE_JOBS_SAFE=		no

HAS_CONFIGURE=		yes
CONFIGURE_SCRIPT=	./config
CONFIGURE_ARGS+=	--prefix=${PREFIX}
CONFIGURE_ARGS+=	--install_prefix=${DESTDIR}
CONFIGURE_ARGS+=	--openssldir=${PKG_SYSCONFDIR}
CONFIGURE_ARGS+=	shared no-fips

.include "../../mk/compiler.mk"

# Avoid dependency on 'makedepend' on platforms where the default CC is set
# to 'cc' not 'gcc' in bootstrap-mk-files.  OpenSSL only supports the latter.
.if ${PKGSRC_COMPILER} == "gcc" && ${CC} == "cc"
CC=			gcc
.endif

.if ${OPSYS} == "SunOS"
.  if ${MACHINE_ARCH} == "sparc"
OPENSSL_MACHINE_ARCH=	sparcv7
.  elif ${MACHINE_ARCH} == "sparc64"
OPENSSL_MACHINE_ARCH=	sparcv9
.  elif ${MACHINE_ARCH} == "i386"
OPENSSL_MACHINE_ARCH=	x86
.  elif ${MACHINE_ARCH} == "x86_64"
OPENSSL_MACHINE_ARCH=	${MACHINE_ARCH}
.  endif
# only override the configure target if we know the platform, falling
# back to ./config's autodetection if not.
.  if defined(OPENSSL_MACHINE_ARCH) && !empty(OPENSSL_MACHINE_ARCH)
CONFIGURE_SCRIPT=	./Configure
.    if ${PKGSRC_COMPILER} == "clang" || ${PKGSRC_COMPILER} == "gcc"
CONFIGURE_ARGS+=	solaris${${ABI}==64:?64:}-${OPENSSL_MACHINE_ARCH}-gcc
.    else
CONFIGURE_ARGS+=	solaris${${ABI}==64:?64:}-${OPENSSL_MACHINE_ARCH}-cc
.    endif
.  endif
.elif ${OPSYS} == "IRIX"
CONFIGURE_ARGS+=	no-asm
.  if defined(ABI) && ${ABI} == "64"
CONFIGURE_SCRIPT=	./Configure
.    if !empty(CC_VERSION:Mgcc*)
CONFIGURE_ARGS+=	irix64-mips4-gcc
.    else
CONFIGURE_ARGS+=	irix64-mips4-cc
.    endif
.  endif
.elif ${OPSYS} == "OSF1"
USE_PLIST_SHLIB=	no
CONFIGURE_SCRIPT=	./Configure
.  if !empty(CC_VERSION:Mgcc*)
CONFIGURE_ARGS+=	tru64-alpha-gcc
.  else
CONFIGURE_ARGS+=	tru64-alpha-cc
.  endif
.elif ${OPSYS} == "Darwin"
CONFIGURE_SCRIPT=	./Configure
.  if defined(ABI) && ${ABI} == "64"
CONFIGURE_ARGS+=	darwin64-${MACHINE_ARCH}-cc
.  elif ${MACHINE_ARCH} == "powerpc"
CONFIGURE_ARGS+=	darwin-ppc-cc
.  else
CONFIGURE_ARGS+=	darwin-${MACHINE_ARCH}-cc
.  endif

SUBST_CLASSES+=		dl
SUBST_MESSAGE.dl=	Adding dynamic link compatibility library.
SUBST_STAGE.dl=		post-configure
SUBST_FILES.dl=		Makefile apps/Makefile crypto/Makefile \
			crypto/pkcs7/Makefile test/Makefile
SUBST_SED.dl=		-e 's,^EX_LIBS=,EX_LIBS=${DL_LDFLAGS:Q} ,g'

.elif ${OPSYS} == "AIX"
CONFIGURE_SCRIPT=	./Configure
.  if defined(ABI) && ${ABI} == "64"
.    if !empty(CC_VERSION:Mgcc*)
CONFIGURE_ARGS+=	aix64-gcc
.    else
CONFIGURE_ARGS+=	aix64-cc
.    endif
.  else
.    if !empty(CC_VERSION:Mgcc*)
CONFIGURE_ARGS+=	aix-gcc
.    else
CONFIGURE_ARGS+=	aix-cc
.    endif
.  endif
.elif ${OPSYS} == "Interix"
SUBST_CLASSES+=		soname
SUBST_STAGE.soname=	post-configure
SUBST_FILES.soname=	Makefile.shared
SUBST_SED.soname=	-e 's/-Wl,-soname=/-Wl,-h,/g'
.elif ${OPSYS} == "HPUX"
CONFIGURE_SCRIPT=	./Configure
.  if defined(ABI) && ${ABI} == "64"
.    if ${MACHINE_ARCH} == "hppa64"
CONFIGURE_ARGS+=	hpux64-parisc2-${CC}
.    else
CONFIGURE_ARGS+=	hpux64-ia64-${CC}
.    endif
.  else
.    if ${MACHINE_ARCH} == "hppa"
CONFIGURE_ARGS+=	hpux-parisc-${CC}
.    else
CONFIGURE_ARGS+=	hpux-ia64-${CC}
.    endif
.  endif
.elif ${OPSYS} == "Linux"
.  if ${MACHINE_ARCH} == "powerpc64"
CONFIGURE_SCRIPT=	./Configure
CONFIGURE_ARGS+=	linux-ppc64
.  elif ${MACHINE_ARCH} == "i386"
CONFIGURE_SCRIPT=	./Configure
CONFIGURE_ARGS+=	linux-elf
.  endif
.elif ${OS_VARIANT} == "SCOOSR5"
# SIGILL in _sha1_block_data_order_ssse3().
CONFIGURE_ARGS+=	no-sse2
.endif

.include "../../security/openssl/options.mk"

CONFIGURE_ARGS+=	${CFLAGS} ${LDFLAGS}
CONFIGURE_ENV+=		PERL=${PERL5:Q}

PKGCONFIG_OVERRIDE+=		libcrypto.pc libssl.pc openssl.pc
PKGCONFIG_OVERRIDE_STAGE=	post-build

PLIST_SRC+=		${PKGDIR}/PLIST.common
USE_PLIST_SHLIB?=	yes
.if ${USE_PLIST_SHLIB} == "yes"
PLIST_SRC+=		${PKGDIR}/PLIST.shlib
.endif
PLIST_SUBST+=		SHLIB_VERSION=${OPENSSL_VERS:C/[^0-9]*$//}
PLIST_SUBST+=		SHLIB_MAJOR=${OPENSSL_VERS:C/\..*$//}

PKG_SYSCONFSUBDIR=	openssl
CONF_FILES=		${PREFIX}/share/examples/openssl/openssl.cnf	\
			${PKG_SYSCONFDIR}/openssl.cnf
OWN_DIRS=		${PKG_SYSCONFDIR}/certs ${PKG_SYSCONFDIR}/private

INSTALLATION_DIRS+=	share/examples/openssl

# Fix the path to perl in various scripts.
pre-configure:
	cd ${WRKSRC} && ${PERL5} util/perlpath.pl ${PERL5}

.include "../../mk/dlopen.buildlink3.mk"
.include "../../mk/bsd.pkg.mk"